X-Git-Url: https://git.distorted.org.uk/~mdw/doc/ips/blobdiff_plain/6606ff41fcf6918d7aee5d4da006e57dffee35c9..56c48de4fa0f5e92773fe5b7c0989005a4426218:/auth-mac.tex diff --git a/auth-mac.tex b/auth-mac.tex index 60e0034..67489f0 100644 --- a/auth-mac.tex +++ b/auth-mac.tex @@ -522,11 +522,10 @@ Now we turn our attention to $T^1$. It's clear that we can't simulate $T^1$ very easily using an oracle for $F$, since we don't know $K$ (and indeed there might not be a key $K$). The intuitive reason why - $T^1$ is insecure is that $F$ might have leak useful information if - its input matches its key. This doesn't affect the strength of $F$ as - a PRF because you have to know the key before you can exploit this - leakage; but $T^1$ already knows the key, and this can be exploited to - break the MAC. + $T^1$ is insecure is that $F$ might leak useful information if its input + matches its key. This doesn't affect the strength of $F$ as a PRF + because you have to know the key before you can exploit this leakage; but + $T^1$ already knows the key, and this can be exploited to break the MAC. To show that this is insecure formally, let $F'$ be defined as follows: @@ -853,7 +852,7 @@ \next Algorithm $\Xid{V}{XUH}^{H, F}_{K, K'}(m, \tau)$: \+ \\ $(s, \sigma) \gets \tau$; \\ - \IF $\sigma = H_K(m) \xor F_{K'}(i)$ \THEN \RETURN $1$; \\ + \IF $\sigma = H_K(m) \xor F_{K'}(s)$ \THEN \RETURN $1$; \\ \ELSE \RETURN $0$; \end{program} Note that verification is stateless. @@ -883,7 +882,7 @@ \next Algorithm $\Xid{V}{XUH$\$$}^{H, F}_{K, K'}(m, \tau)$: \+ \\ $(s, \sigma) \gets \tau$; \\ - \IF $\sigma = H_K(m) \xor F_{K'}(i)$ \THEN \RETURN $1$; \\ + \IF $\sigma = H_K(m) \xor F_{K'}(s)$ \THEN \RETURN $1$; \\ \ELSE \RETURN $0$; \end{program} \begin{eqnarray*}[Ll]
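Review bot: the first hunk (auth-mac.tex around line 522) fixes the grammar ("might have leak" to "might leak") and rewraps the paragraph, but the corrected sentence still leaves "leak useful information if its input matches its key" unexplained until the next sentence introduces $F'$; consider tightening "matches" to "equals" and saying in this paragraph what $T^1$ gains from knowing $K$ (that it can feed $K$ itself as input to $F$), so the intuition stands on its own before the formal construction of $F'$ follows.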
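Review bot: the second hunk (the $\Xid{V}{XUH}$ algorithm around line 853) correctly replaces the unbound $i$ with $s$: inside the verifier the only variables in scope are $m$, $\tau$ and the pair $(s, \sigma) \gets \tau$, so `\IF $\sigma = H_K(m) \xor F_{K'}(i)$` compared against a counter the verifier never sees, and the change to `F_{K'}(s)` is what makes the remark "Note that verification is stateless" true, because the verifier recomputes the mask from the $s$ carried inside the tag rather than from any state of its own. Worth stating explicitly next to that remark that the verifier therefore accepts any $s$ the adversary supplies, so the security argument must rely on $F_{K'}$ being a PRF on every input, not only on the values the tagging algorithm actually uses.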
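Review bot: the third hunk (the $\Xid{V}{XUH$\$$}$ algorithm around line 883) applies the same $i$ to $s$ correction to the randomised variant, which is the right call since that verifier also parses $(s, \sigma) \gets \tau$ and has no $i$ in scope; with this change the two verification algorithms are textually identical, so a sentence after this one pointing out that only the tagging side differs between XUH and XUH$\$$ (how $s$ is chosen) would help a reader who is comparing the two schemes.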