Instructor Alice and TA Bob are working hard to prepare the midterm for class. They communicate via terse message exchanges which are cryptographically protected. Namely:

To protect confidentiality, Alice and Bob encrypt their messages by using symmetric-key encryption, in particular, a block cipher, such as AES, in ECB mode.

To protect integrity, Alice and Bob tag their messages using their own custom-made MAC scheme gk(m1,m2) = fk(m1||m2). That is, they tag messages of the form (m1;m2) that consist of two parts m1 2 {0, 1} and m2 2 {0, 1} (both of arbitrary length) by computing fk() over the concatenated parts, where fk(m) is a secure MAC using shared secret key k.

(1) Eve knows that all assignments for class are decided via brief messages of the form:

Bob: Which topic should problem #1 cover? Alice: Topic 7.

Bob: Which topic should problem #2 cover? Alice: Topic 2.

Bob: Which topic should problem #3 cover? Alice: Topic 8.

Assuming that Eve had previously observed such encrypted communications for the assignments for homework #1, which Alice had characterized in class as preparation for the midterm, how can Eve learn the topics of the upcoming midterm (without knowing the encryption key, say k0)?

(2) Eve has intercepted the MAC tags from the following previous communication :

Bob: status update, please!; are we done with assignments?

Alice: hmmm... no; more homework assignments to come!

How can Eve undetectably aect the assignments for homework#2 that comes after the midterm (without knowing the MAC key k) by manipulating the following MAC-protected communication?

Bob: what do we do for HW2?; please advise!

Alice: make HW2 really hard and give a 2-day deadline; they did not pay attention at all today in class...

(3) For efficiency reasons, Alice and Bob have decided that they should use the same key for both encryption and MACing, i.e., k = k0. Is this a good idea and why?