The Internet of Broken Protocols: Showcase #8

(complete list of showcases:

In cryptography, a construction that applies several encryption algorithms one after another is called a cascade. For example, TripleSec by Keybase encrypts data with XSalsa20 and then with AES in counter mode. Contrary to popular belief, cascading does not always improve security; Matthew Green wrote a nice blog post explaining why.

In this showcase, you're asked to analyze a cascade of MAC and digital signature algorithms. Please send your solutions to


The Hooli Photos app wanted to protect the integrity of media files stored on the SSD card. Initially, they used GMAC (the MAC of AES-GCM) with a secret key. Later on, the requirement changed: they wanted other apps to be able to verify the integrity of the media files produced by the Photos app. To that end, they applied a digital signature on top of the existing MAC and settled on this construction:

ECDSA_sign(ecdsa_private_key, GMAC(gmac_key, file_content))

That is, they signed the GMAC value of the file content, and the GMAC key was made public. They reasoned that since a MAC is a PRF, it should be collision-resistant, hence nobody should be able to forge a signature.

Can you prove them wrong?

Bonus questions:
- Replacing GMAC with Poly1305.
- Replacing GMAC with HMAC.
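As an added worked example (not part of the original post), the following Python shows why a GMAC whose key is public gives no collision resistance. Anyone holding the key can compute the hash subkey H = AES_K(0^128), and GHASH is then a linear function of the message blocks (a polynomial in H), so two blocks of a file can be altered in a way that cancels out and leaves the tag, and therefore the ECDSA signature over the tag, unchanged. The AES-128 and GHASH below are a slow pure-Python implementation written for this example so that it runs offline; the key, nonce and "photo" bytes are constructed sample values, and a fixed nonce stored with the file is an assumption, since the showcase does not say how GMAC's nonce is handled.

```python
# Added example (not from the original post): a GMAC collision when the GMAC key
# is public, which makes ECDSA_sign(sk, GMAC(K, file)) trivially forgeable.
# AES-128 and GHASH are implemented in plain Python for self-containment
# (slow, illustration only). Key, nonce and file bytes are constructed samples.

def _xtime(a):
    """Multiply by x in GF(2^8) with the AES polynomial."""
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def _gf256_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _make_sbox():
    """AES S-box: inverse in GF(2^8) followed by the affine map."""
    exp, a = [], 1
    for _ in range(255):                 # 3 generates the multiplicative group
        exp.append(a)
        a = _gf256_mul(a, 3)
    log = {v: i for i, v in enumerate(exp)}
    sbox = [0x63] * 256
    for x in range(1, 256):
        inv = exp[(255 - log[x]) % 255]
        s = inv
        for n in range(1, 5):
            s ^= ((inv << n) | (inv >> (8 - n))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _make_sbox()

def _expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes each."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(round_keys, block):
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < 10:                                                        # MixColumns
            cols = [s[4 * c:4 * c + 4] for c in range(4)]
            s = [_xtime(a[i]) ^ _xtime(a[(i + 1) % 4]) ^ a[(i + 1) % 4]
                 ^ a[(i + 2) % 4] ^ a[(i + 3) % 4] for a in cols for i in range(4)]
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]                     # AddRoundKey
    return bytes(s)

_R = 0xE1 << 120   # GCM reduction constant in SP 800-38D's bit-reflected convention

def gf128_mul(x, y):
    """Multiplication in GF(2^128) as used by GHASH (integers = big-endian blocks)."""
    z, v = 0, x
    for i in range(127, -1, -1):
        if (y >> i) & 1:
            z ^= v
        v = (v >> 1) ^ _R if v & 1 else v >> 1
    return z

def ghash(h, data):
    """GHASH over 16-byte blocks: the sum of X_i * H^(n+1-i), linear in every block."""
    y = 0
    for i in range(0, len(data), 16):
        y = gf128_mul(y ^ int.from_bytes(data[i:i + 16], "big"), h)
    return y

def hash_subkey(key):
    return int.from_bytes(aes128_encrypt_block(_expand_key(key), bytes(16)), "big")

def gmac(key, nonce, data):
    """GMAC = AES-GCM tag over empty plaintext with `data` as AAD (96-bit nonce)."""
    rk = _expand_key(key)
    h = int.from_bytes(aes128_encrypt_block(rk, bytes(16)), "big")
    padded = data + bytes(-len(data) % 16)
    lengths = (8 * len(data)).to_bytes(8, "big") + bytes(8)   # [len(A)]64 || [len(C)=0]64
    s = ghash(h, padded + lengths)
    ek_j0 = int.from_bytes(aes128_encrypt_block(rk, nonce + b"\x00\x00\x00\x01"), "big")
    return (s ^ ek_j0).to_bytes(16, "big")

def forge_same_gmac(h, data, delta, i=0, j=1):
    """XOR delta into full block i and delta*H^(j-i) into full block j (i < j).
    The two changes cancel inside GHASH, so the GMAC tag under any nonce is unchanged."""
    assert 0 <= i < j and 16 * (j + 1) <= len(data) and 0 < delta < (1 << 128)
    dj = delta
    for _ in range(j - i):
        dj = gf128_mul(dj, h)
    out = bytearray(data)
    for blk, d in ((i, delta), (j, dj)):
        cur = int.from_bytes(out[16 * blk:16 * blk + 16], "big")
        out[16 * blk:16 * blk + 16] = (cur ^ d).to_bytes(16, "big")
    return bytes(out)

# Constructed sample inputs; assumption: the nonce is fixed or stored next to the file.
GMAC_KEY = bytes(range(16))          # public in the showcase, so the attacker has it
NONCE = bytes(12)
PHOTO = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"constructed sample photo bytes " * 3

def demo():
    """Return (forged file differs from the original, GMAC tags are equal)."""
    h = hash_subkey(GMAC_KEY)                        # H = AES_K(0^128), computable by anyone
    tag = gmac(GMAC_KEY, NONCE, PHOTO)               # the value Hooli ECDSA-signs
    forged = forge_same_gmac(h, PHOTO, int.from_bytes(b"owned" * 3 + b"!", "big"))
    return forged != PHOTO, gmac(GMAC_KEY, NONCE, forged) == tag

if __name__ == "__main__":
    print(demo())   # (True, True): different file, same tag, same valid signature
```

Nothing here touches the ECDSA key: because the signature covers only the 16-byte tag, a second file with the same tag is accepted by any verifier. `forge_same_gmac` generalises the two-adjacent-blocks trick to any two full blocks i < j, since the cancelling difference is just delta times H^(j-i); in practice an attacker would put the wanted change in block i and absorb the compensating garbage in a block j nobody looks at.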


Quang Nguyễn said…
I'm not a specialist, but if they argue that "They reasoned that since a MAC is a PRF", that seems a bit off.