In this lab we'll do some exercises with Message Authentication Codes.
In this exercise we will attack an insecure MAC algorithm by showing that an adversary can forge a (message, tag) pair without first querying a $\mathsf{Tag}$ oracle with the message.
Let $F$ be a $\mathsf{PRF}$. Show that the following MAC is insecure by constructing an efficient adversary with non-negligible advantage. The key is $k \in \{0, 1\}^n$, and for any message $m = m_1 \| m_2$ with $\left|m_1\right| = \left|m_2\right| = n$, the MAC is computed as:
$\mathsf{Tag}(k, m_1 \| m_2) = F_k(m_1) \| F_k(F_k(m_2)) $
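The forgery below is an added worked example and not part of the lab materials. It instantiates $F$ with HMAC-SHA256 under a 32-byte key (an assumption; any PRF with $n$-bit inputs and outputs would do), implements $\mathsf{Tag}$ exactly as defined above, and carries out the mix-and-match attack: the left half of the tag depends only on $m_1$ and the right half only on $m_2$, so two oracle queries on $a \| b$ and $c \| d$ yield a valid tag for $a \| d$, a message that was never queried. The adversary wins with probability $1$ minus the negligible chance that $a = c$ or $b = d$. Names such as `TagOracle` and `forge` are my own.

```python
import hashlib
import hmac
import os

N = 32  # n in bytes: F_k maps 32-byte inputs to 32-byte outputs (assumption)


def F(k: bytes, x: bytes) -> bytes:
    """PRF instance (assumption): HMAC-SHA256 keyed with k, restricted to n-byte inputs."""
    assert len(k) == N and len(x) == N
    return hmac.new(k, x, hashlib.sha256).digest()


def tag(k: bytes, m: bytes) -> bytes:
    """The MAC from the exercise: Tag(k, m1 || m2) = F_k(m1) || F_k(F_k(m2))."""
    assert len(m) == 2 * N
    m1, m2 = m[:N], m[N:]
    return F(k, m1) + F(k, F(k, m2))


class TagOracle:
    """Tagging oracle that records every queried message, so we can check the forgery is new."""

    def __init__(self, k: bytes):
        self._k = k
        self.queried = set()

    def query(self, m: bytes) -> bytes:
        self.queried.add(m)
        return tag(self._k, m)

    def verify(self, m: bytes, t: bytes) -> bool:
        return hmac.compare_digest(tag(self._k, m), t)


def forge(oracle: TagOracle):
    """Two queries, one forgery: recombine halves of tags for a || b and c || d into a tag for a || d."""
    a, b, c, d = (os.urandom(N) for _ in range(4))
    t_ab = oracle.query(a + b)  # F_k(a) || F_k(F_k(b))
    t_cd = oracle.query(c + d)  # F_k(c) || F_k(F_k(d))
    forged_msg = a + d
    forged_tag = t_ab[:N] + t_cd[N:]  # F_k(a) || F_k(F_k(d)) -- exactly Tag(k, a || d)
    return forged_msg, forged_tag


def run_attack(k: bytes = None) -> bool:
    """Return True iff the forged pair verifies and the message was never sent to the oracle."""
    k = k or os.urandom(N)
    oracle = TagOracle(k)
    m, t = forge(oracle)
    return (m not in oracle.queried) and oracle.verify(m, t)


if __name__ == "__main__":
    print("forgery accepted:", run_attack())
```

The same structural weakness (tag halves computed independently per block) is what makes any "MAC each block separately" construction forgeable; a secure MAC must bind the whole message, e.g. by chaining blocks or by applying the PRF to a collision-resistant hash of the message.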
In this exercise you will implement the Birthday attack on SHA-1 using OpenSSL. The goal is to obtain a collision in the first four bytes of the hash.
Your goal is to find two distinct messages $M_1 \neq M_2$ whose digests agree on the first four bytes, i.e. $\mathsf{SHA1}(M_1)$ and $\mathsf{SHA1}(M_2)$ share the same 32-bit prefix.
The collision covers $32$ bits, so by the birthday bound you will need on the order of $2^{16}$ random messages. A single run is not guaranteed to succeed: with $2^{16}$ messages the expected number of colliding pairs is $\binom{2^{16}}{2} / 2^{32} \approx 1/2$, so one run finds a collision with probability about $1 - e^{-1/2} \approx 0.39$, and on average you will need two to three runs. Do not compare all pairs of digests (about $2^{31}$ comparisons); store each 32-bit prefix in a hash table keyed by the prefix and stop at the first repeat.
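As an added example (not the lab's own code, and in Python rather than the C you are asked to hand in), the following implements the round-based birthday search with a dictionary keyed by the 32-bit prefix, repeats rounds until one succeeds, and computes the per-round success probability from the birthday bound so you can check your own run counts against it. The message length of 16 random bytes and the names `birthday_round`, `birthday_attack` and `success_probability` are my own choices.

```python
import hashlib
import math
import os
from typing import Optional, Tuple

PREFIX_BYTES = 4   # collide on the first 4 bytes = 32 bits of the digest
MSG_LEN = 16       # length of each random candidate message (assumption)


def sha1_prefix(m: bytes) -> bytes:
    """The part of SHA-1(m) that has to collide."""
    return hashlib.sha1(m).digest()[:PREFIX_BYTES]


def birthday_round(n_messages: int = 1 << 16) -> Optional[Tuple[bytes, bytes]]:
    """One run of the attack: hash up to n random messages, index them by prefix,
    and stop at the first repeated prefix. Returns (M1, M2) or None."""
    seen = {}  # prefix -> message that produced it
    for _ in range(n_messages):
        m = os.urandom(MSG_LEN)
        p = sha1_prefix(m)
        other = seen.get(p)
        if other is not None and other != m:   # same prefix, distinct message
            return other, m
        seen[p] = m
    return None


def birthday_attack(n_messages: int = 1 << 16, max_rounds: int = 30):
    """Repeat rounds until one succeeds. Returns ((M1, M2), rounds_used) or (None, max_rounds)."""
    for r in range(1, max_rounds + 1):
        hit = birthday_round(n_messages)
        if hit is not None:
            return hit, r
    return None, max_rounds


def success_probability(n_messages: int, bits: int) -> float:
    """Birthday bound: P[at least one collision among n uniform values in 2^bits]
    ~= 1 - exp(-(n(n-1)/2) / 2^bits). For n = 2^16 and bits = 32 this is about 0.39."""
    pairs = n_messages * (n_messages - 1) // 2
    return 1.0 - math.exp(-pairs / 2 ** bits)


def is_prefix_collision(m1: bytes, m2: bytes) -> bool:
    """Check a candidate pair: distinct messages, identical 32-bit SHA-1 prefix."""
    return m1 != m2 and sha1_prefix(m1) == sha1_prefix(m2)


if __name__ == "__main__":
    print("per-round success probability:", round(success_probability(1 << 16, 32), 3))
    pair, rounds = birthday_attack()
    if pair is None:
        print("no collision after", rounds, "rounds")
    else:
        m1, m2 = pair
        print(f"collision after {rounds} round(s), prefix {sha1_prefix(m1).hex()}")
        print(m1.hex())
        print(m2.hex())
```

Each round costs $2^{16}$ short SHA-1 computations and a dictionary of at most $2^{16}$ entries; the expected number of rounds is $1/0.39 \approx 2.5$, and the chance of 30 consecutive failures is about $0.61^{30} \approx 3 \cdot 10^{-7}$. Extending the prefix to $b$ bits only changes `PREFIX_BYTES` and the per-round budget to roughly $2^{b/2}$ messages.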
In contrast to previous labs, this time we'll use C. You can implement the attack from scratch, or start from our archive here.
To compute a digest with OpenSSL's low-level SHA-1 API, you might find the code below useful. SHA1_Init/SHA1_Update/SHA1_Final work in 1.1.1 but are deprecated since OpenSSL 3.0 in favour of the EVP digest interface, so stick to the 1.1.1d tarball referenced below.
#include <openssl/sha.h>

unsigned char md[SHA_DIGEST_LENGTH]; /* 20 bytes: md must point to at least 20 bytes of valid memory */
SHA_CTX context;
SHA1_Init(&context);
SHA1_Update(&context, buffer, length); /* buffer: const void *, length: size_t */
SHA1_Final(md, &context);
Download the library from https://www.openssl.org/source/openssl-1.1.1d.tar.gz, verify the download against the checksum and signature published alongside it, and unpack it.
Open the unpacked folder in bash and run the following commands. your_working_dir must be an absolute path, since config rejects a relative --prefix; install_sw installs only the libraries, headers and binaries and skips the documentation, which is all you need here.
$ ./config --prefix=your_working_dir --openssldir=your_working_dir/openssl
$ make
$ make install_sw
To point the Makefile at the freshly installed headers and library, replace the variables at the top with:
LDFLAGS=-Lyour_working_dir/lib -lcrypto
CFLAGS=-Wall -g -Iyour_working_dir/include
If linking fails with undefined references to SHA1_*, -lcrypto is being placed before the object files on the link line; move it into LDLIBS so it comes last. At runtime the dynamic loader also has to find the library in this non-standard location, so either run with LD_LIBRARY_PATH=your_working_dir/lib or add -Wl,-rpath,your_working_dir/lib to LDFLAGS.