2. Now consider building a MAC from h() (where h() is once again formed via the Merkle-Damgaard construction and has a b-bit output) using the construction MAC_k(M) = h(M || k). This is still insecure, but a bit harder to crack. Show that in expected time O(2^(b/2)) you can find two distinct messages M and M' such that given MAC_k(M), you can find MAC_k(M') without knowing k.
3. Assume RSA. The public key is (411816231521, 5). The encoding method is to take 8 characters of plaintext and convert to an integer M1. Then encrypt under the public key as usual, to obtain C1. Then we take the next 8 characters of plaintext and convert to M2, which we encrypt to C2. And so forth.
The conversion works as follows: we treat a string of 8 alphabetical characters as a vector of 8 coordinates, each of which is between 0 and 25. (A is 0, B is 1, ..., Z is 25). For example, HEYTHERE converts to (7,4,24,19,7,4,17,4). We then convert this to an integer by taking these coordinates as the digits of a base-26 number. So HEYTHERE converts to the integer 7*26^7 + 4*26^6 + 24*26^5 + 19*26^4 + 7*26^3 + 4*26^2 + 17*26 + 4 = 57752296086.
225803654487 27035345731 318496681005 222309193242 128671002039
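The block encoding and per-block encryption described in problem 3, written out as an added example (not part of the original problem set). The function names and the constructed sample string are assumptions; the public key and the HEYTHERE value come from the problem text.

```python
# Added illustration of the block encoding and textbook-RSA encryption in problem 3.
N, E = 411816231521, 5          # public key (n, e) as given in the problem
BLOCK = 8                        # characters per plaintext block

def encode_block(block: str) -> int:
    """Read 8 letters A-Z as the digits of a base-26 number (A=0 ... Z=25)."""
    if len(block) != BLOCK or not all("A" <= c <= "Z" for c in block):
        raise ValueError("block must be exactly 8 characters A-Z")
    m = 0
    for c in block:
        m = m * 26 + (ord(c) - ord("A"))   # most significant digit first
    return m

def decode_block(m: int) -> str:
    """Inverse of encode_block: peel off base-26 digits, least significant first."""
    if not 0 <= m < 26 ** BLOCK:
        raise ValueError("integer does not fit in 8 base-26 digits")
    letters = []
    for _ in range(BLOCK):
        m, d = divmod(m, 26)
        letters.append(chr(ord("A") + d))
    return "".join(reversed(letters))

def encrypt(plaintext: str) -> list[int]:
    """Encrypt each 8-letter block independently: C_i = M_i^e mod n."""
    if len(plaintext) % BLOCK:
        raise ValueError("length must be a multiple of 8 (the problem defines no padding)")
    blocks = [plaintext[i:i + BLOCK] for i in range(0, len(plaintext), BLOCK)]
    return [pow(encode_block(b), E, N) for b in blocks]

# The largest encodable block (ZZZZZZZZ) is below the modulus, so no block
# is reduced modulo n before it is encrypted.
assert 26 ** BLOCK - 1 < N

if __name__ == "__main__":
    print(encode_block("HEYTHERE"))     # the worked value from the problem
    sample = "HEYTHEREHEYTHERE"         # constructed sample: the same block twice
    print(encrypt(sample))              # equal plaintext blocks give equal ciphertext blocks
```

Because each block is encrypted deterministically and independently, repeated plaintext blocks are visible as repeated ciphertext blocks, the same weakness as a block cipher in ECB mode.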
4. Let C(N,r,g) be the probability that if you throw r red balls and g green balls into N bins, each ball being randomly and independently thrown, then at least one red ball and one green ball land in the same bin.
5. Let's suppose we're using a cryptographic hash function hash() which outputs 64 bits. As usual, we hash-then-sign messages rather than sign them directly. Consider the following setup: