
This is a homework question, therefore I'm not expecting full solutions, just general guidance.

I want to build a one-time MAC using universal hashing.

I defined my hash functions as:

$h_{a,b}:\begin{array}{lll} \mathbb{F}_{2^{n}} & \to & \mathbb{F}_{2^{n}}\\ x & \mapsto & ax+b \end{array}$ for $a\in\mathbb{F}_{2^{n}}\backslash\left\{ 0\right\} $, $b\in\mathbb{F}_{2^{n}}$

Where $\mathbb{F}_{2^{n}}=GF\left(2^{n}\right)$ means the Galois field/finite field of size $2^n$.

These functions have 0 probability of collision for two distinct messages. However, in order to use these functions as a one-time MAC, I need to show security which is defined for the following game with adversary $A$:

An oracle generates a secret key $a,b$, then $A$ can choose exactly one message $m$ to query, which the oracle tags for $A$ with $h_{a,b}\left(m\right)$. Then $A$ has to generate a message $m'\neq m$ and tag $t'$ such that $h_{a,b}\left(m'\right)=t'$.

Security is defined as: for any efficient (polynomial) adversary $A$ allowed only one query (as described), there exists a negligible function such that the probability of $A$ winning the game is at most that negligible function.

This is where I'm stuck. I have intuition, but can't formulate a formal proof. I know that if $A$ decides to query with message 0, then he knows what b is, since $a\cdot0+b=b$, but then he's left with guessing $a$ (need to show here he can't do it other than randomly guessing). And if he decides to query message $m$ that is not 0, he could at most calculate $\left(a\cdot m+b\right)m^{-1}=a+bm^{-1}$ which is the same problem (more or less) as $am+b$.

I would love some direction on how to approach such a proof, showing that finding such a message with a viable tag reduces at best to guessing (therefore showing an upper bound that is negligible).

Thanks!

Cristina
Idra

1 Answer


You are in the right direction.

First, some intuition. The idea is that $y = ax+b$ constitutes a line, and you need two points in order to fully determine it. However, if you only know one point, and if you don't have any additional information, then it is not possible to determine which line it is, since there are "infinitely many" lines passing through the given point (of course, since we're on a finite field there are finitely many, but you get the idea).

Now, for the formalization, imagine that $A$ queries the oracle on some $m$ to get $t = a\cdot m + b$ (let's ignore how $A$ chose $m$, maybe it was crafted in some way, perhaps $m=0$ as you said, but this will turn out to be irrelevant). We claim that if $A$ successfully crafts another message-tag pair $(m',t')$ with $m\neq m'$, then it is because $A$ guessed $a$, which is not possible since it was chosen at random from a large enough domain. Now, this is argued easily by something I already mentioned: given two different points on a line, you can get the line and therefore the coefficients $a,b$. In other words, once you fix $(m,t)$ with $t = a\cdot m+b$, getting a new $(m',t')$ allows an adversary to find $a$ as $a = (m-m')^{-1}\cdot(t-t')$. This finishes the argument.

Daniel
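As an added illustration of both the game in the question and the line-through-two-points argument in the answer (this is example code written for this page, not code from either poster), the following implements $h_{a,b}(x)=ax+b$ over a small $GF(2^n)$ and makes the security bound concrete. It assumes $n=8$ with the reduction polynomial $x^8+x^4+x^3+x+1$ (the AES polynomial, constant `0x11B`); every function name here is our own. `recover_key` is the answer's formula $a=(m-m')^{-1}(t-t')$ (in characteristic 2, subtraction is XOR), and `forgery_success_probability` enumerates all keys consistent with a single query $(m,t)$ and counts how many of them would also accept a candidate forgery $(m',t')$: at most one, so the adversary's chance is at most $1/(2^n-1)$ no matter how $m$ or $m'$ is chosen.

```python
# Added example: one-time MAC h_{a,b}(x) = a*x + b over GF(2^n), n = 8.
# Assumption: reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11B); all names are ours.
import secrets

N = 8
MOD = 0x11B          # x^8 + x^4 + x^3 + x + 1
ORDER = 1 << N       # field size 2^n


def gf_add(x, y):
    # Addition in characteristic 2 is XOR; subtraction is the same operation.
    return x ^ y


def gf_mul(x, y):
    # Carry-less multiplication with reduction modulo MOD (shift-and-add).
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x & ORDER:
            x ^= MOD
    return r


def gf_inv(x):
    # x^(2^n - 2) = x^(-1) in GF(2^n) (Fermat), computed by square-and-multiply.
    if x == 0:
        raise ZeroDivisionError("0 has no inverse")
    result, base, e = 1, x, ORDER - 2
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def keygen():
    # a uniform in F \ {0}, b uniform in F, exactly as the question defines the family.
    a = secrets.randbelow(ORDER - 1) + 1
    b = secrets.randbelow(ORDER)
    return a, b


def tag(key, m):
    a, b = key
    return gf_add(gf_mul(a, m), b)


def verify(key, m, t):
    return tag(key, m) == t


def recover_key(m, t, m2, t2):
    # Two points with distinct messages determine the line:
    #   a = (m - m')^{-1} * (t - t'),   b = t - a*m
    if m == m2:
        raise ValueError("points must have distinct messages")
    a = gf_mul(gf_inv(gf_add(m, m2)), gf_add(t, t2))
    b = gf_add(t, gf_mul(a, m))
    return a, b


def consistent_keys(m, t):
    # Every key (a, b) whose tag on m equals t: one b for each of the 2^n - 1 nonzero a,
    # so a single query leaves a completely undetermined.
    return [(a, gf_add(t, gf_mul(a, m))) for a in range(1, ORDER)]


def forgery_success_probability(m, t, m2, t2):
    # (accepting, total): how many keys consistent with the one query (m, t)
    # would also accept the candidate forgery (m2, t2). At most one key can,
    # because (m, t) and (m2, t2) together pin down a unique a (or force a = 0,
    # which is not a valid key), so the chance is at most 1 / (2^n - 1).
    keys = consistent_keys(m, t)
    accepting = sum(1 for k in keys if verify(k, m2, t2))
    return accepting, len(keys)
```

Running `forgery_success_probability(m, t, m2, t2)` for every possible `t2` shows the two cases from the answer: exactly one consistent key accepts the pair (the line through the two points, with nonzero slope), or none does when the two tags are equal (that would require $a=0$). Either way the adversary does no better than guessing $a$ among $2^n-1$ values, which is the negligible bound the question asks for once $n$ is large.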