12 Aug Consider the following variants of Merkle–Damgård, where we start with the original construction and make a small change
Problem 3. (20 points) Consider the following variants of Merkle–Damgård, where we start with
the original construction and make a small change. Do the resulting constructions remain secure?
Justify your answers. You may assume that ? and ℓ are at least reasonably large numbers, say at
least 8.
(a) Variant 1: The first bit of the padding block is removed, i.e. ?? := 00…00||⟨?⟩.
(b) Variant 2: Instead of outputting ??, output (??−1,??), i.e. we output the hash of the first (?−1)
blocks along with the last block in plain text.
Problem 4. (20 points) Show that truncating the output of a CRHF even by one bit does not
necessarily result in a CRHF. That is, assume there exists a collision-resistant hash function ? : {0, 1}* → {0, 1}?.
Use ? to construct ?′ : {0, 1}* → {0, 1}^? such that ?′ is a CRHF, but ?′′(?) := ?′(?)[: −1] (in Python notation) is not a CRHF.
Hint: The easiest solution is to artificially modify ? so that it has a collision on the first ? − 1
bits of the output for some messages.
Problem 5. (15 points) Let (?,?) be a CPA-secure cipher defined over (?,ℳ, ?) and let ? : ? → ? be a CRHF.
Define the following cipher (?′,?′) over (?,ℳ, ? × ? ):
?′(?,?) := (?,?(?)) where ? ? ←− ?(?,?);
?′(?, (?1, ?2)) := {︃?(?, ?1), if ?(?1) = ?2; reject, otherwise}.
