Message Authentication Codes 133


 Arthur Hines
 2 years ago
 Views:
Transcription
1 Message Authentication Codes 133 CLAIM 4.8 Pr[Macforge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomialtime adversary A who attacks the fixedlength MAC Π and succeeds in outputting a valid forgery on a previously unauthenticated message with probability Pr[Macforge A,Π (n) = 1] Pr[Macforge A,Π(n) = 1 NewBlock]. (4.3) Security of Π means that the lefthand side is negligible, proving the claim. The construction of A is the obvious one and so we describe it briefly. A runs A as a subroutine, and answers the request by A for a tag on m by choosing r {0, 1} n/4 itself, parsing m appropriately, and making the necessary queries to its own MAC oracle Mac k( ). When A outputs (m, t = r, t 1,... ), then A checks whether NewBlock occurs (this is easy to do since A can keep track of all the queries it makes to its own oracle). If so, then A finds the first block r l i m i that was never previously authenticated by Mac and outputs (r l i m i, t i ). (If not, A outputs nothing.) The view of A when run as a subroutine by A is distributed identically to the view of A in experiment Macforge A,Π (n), and so the probabilities of events Macforge A,Π (n) = 1 and NewBlock do not change. If NewBlock occurs then A outputs a block r l i m i that was never previously authenticated by its own MAC oracle; if Macforge A,Π (n) = 1 then the tag on every block is valid (with respect to Π ), and so in particular this is true for the bock output by A. This means that whenever Macforge A,Π (n) = 1 and NewBlock occur we have Macforge A,Π (n) = 1, proving Equation (4.3). 4.4 CBCMAC Theorems 4.4 and 4.6 show that it is possible to construct a secure message authentication code for arbitrarylength messages from a pseudorandom function taking inputs of a fixed length. This demonstrates, in principle, that secure MACs can be constructed from block ciphers. Unfortunately, the resulting construction is extremely inefficient: to compute a tag on a message of length O(dn), the block cipher is evaluated O(d) times; the tag is O(dn) bits long. Fortunately, far more efficient constructions are available. We explore one such construction here that relies solely on block ciphers, and another in Section?? that uses an additional cryptographic primitive The Basic Construction CBCMAC is a standardized message authentication code used widely in practice. A basic version of CBCMAC, secure when authenticating messages
2 134 of any fixed length, is given as Construction 4.9. (See also Figure 4.1.) We caution that this basic scheme is not secure in the general case when messages of different lengths may be authenticated; see further discussion below. CONSTRUCTION 4.9 Let F be a pseudorandom function, and fix a length function l. The basic CBCMAC construction is as follows: Gen: on input 1 n, choose k {0, 1} n uniformly at random. Mac: on input a key k {0, 1} n and a message m of length l(n) n, do the following (we set l = l(n) in what follows): 1. Parse m as m = m 1,..., m l where each m i is of length n. 2. Set t 0 := 0 n. Then, for i = 1 to l: Set t i := F k (t i 1 m i). Output t l as the tag. Vrfy: on input a key k {0, 1} n, a message m, and a tag t, do: If m is not of length l(n) n then output 0. Otherwise, output 1 if and only if t? = Mac k (m). Basic CBCMAC (for fixedlength messages). THEOREM 4.10 Let l be a polynomial. If F is a pseudorandom function, then Construction 4.9 is a secure fixedlength MAC for messages of length l(n) n. The proof of Theorem 4.10 is somewhat involved. In the following section m 1 m 2 m 3 F k F k F k t FIGURE 4.1: Basic CBCMAC (for fixedlength messages).
3 Message Authentication Codes 135 we will prove a more general result from which the above theorem follows. We stress that even though Construction 4.9 can be extended in the obvious way to handle messages whose length is an arbitrary multiple of n, the construction is only secure when the length of the messages being authenticated is fixed and agreed upon in advance by the sender and receiver. (See Exercise 4.11.) The advantage of this construction over Construction 4.3, which also gives a fixedlength MAC, is that the present construction can authenticate longer messages. Compared to Construction 4.5, CBCMAC is much more efficient. CBCMAC vs. CBCmode encryption. CBCMAC is similar to the CBC mode of encryption. There are, however, some important differences: 1. CBCmode encryption uses a random IV and this is crucial for security. In contrast, CBCMAC uses no IV (alternately, it can be viewed as using the fixed value IV = 0 n ) and this is also crucial for security. Specifically, CBCMAC using a random IV is not secure. 2. In CBCmode encryption all intermediate values t i (called c i in the case of CBCmode encryption) are output by the encryption algorithm as part of the ciphertext, whereas in CBCMAC only the final block is output as the tag. If CBCMAC is modified to output all the {t i } obtained during the course of the computation then it is no longer secure. In Exercise 4.12 you are asked to verify that the modifications of CBCMAC discussed above are insecure. These examples illustrate the fact that harmlesslooking modifications to cryptographic constructions can render them insecure. One should always implement a cryptographic construction exactly as specified, and not introduce any variations (unless the variations themselves can be proven secure). Furthermore, it is essential to understand the construction being used. In many cases a cryptographic library provides a programmer with a CBC function, but does not distinguish between the use of this function for encryption or message authentication. Secure CBCMAC for variablelength messages. We briefly describe two ways Construction 4.9 can be modified, in a provably secure fashion, to handle variablelength messages. (Here for simplicity we assume that all messages being authenticated have length a multiple of n, and that Vrfy rejects any message whose length is not a multiple of n. In the following section we treat the more general case of arbitrarylength messages.) 1. Prepend the message m with its length m (encoded as an nbit string), and then compute the basic CBCMAC on the result. (See Figure 4.2.) Security of this modification follows from the results proved in the following section. Note that appending m to the end of the message and then computing the basic CBCMAC is not secure.
4 136 m m 1 m 2 m 3 F k F k F k F k t FIGURE 4.2: A variant of CBCMAC secure for authenticating variablelength messages. 2. Change the scheme so that key generation chooses two independent keys k 1 {0, 1} n and k 2 {0, 1} n. Then to authenticate a message m, first compute the basic CBCMAC of m using k 1 and let t be the result; output the tag ˆt := F k2 (t). The second option has the advantage of not needing to know the message length in advance (i.e., when beginning to compute the tag). It has the drawback of using two keys for F * Proof of Security In this section we prove security of different variants of CBCMAC. We begin by summarizing the results, and then give the details of the proof. Throughout this section, fix a keyed function F that, for security parameter n, maps nbit keys and nbit inputs to nbit outputs. We define a keyed function CBC that, for security parameter n, maps nbit keys and inputs in ({0, 1} n ) (i.e., strings whose length is a multiple of n) to nbit outputs. This function is defined as CBC k (x 1,..., x l ) = F k (F k ( F k (F k (x 1 ) x 2 ) ) x l ), where x 1 = = x l = k = n. (We leave CBC k undefined on the empty string.) We call l the blocklength of the input. Note that CBC is exactly basic CBCMAC, though here we consider inputs having different block lengths. A set of strings P ({0, 1} n ) is prefixfree if it does not contain the empty string, and no string X P is a prefix of any other string X P. We show: THEOREM 4.11 If F is a pseudorandom function, then CBC is a pseudorandom function as long as the set of inputs on which it is queried is prefixfree. Formally, for all probabilistic polynomialtime distinguishers D
5 Message Authentication Codes 137 that query their oracle on a prefixfree set of inputs, there is a negligible function negl such that Pr[D CBCk( ) (1 n ) = 1] Pr[D f( ) (1 n ) = 1] negl(n), where k {0, 1} n is chosen uniformly at random and f is chosen uniformly at random from the set of functions mapping ({0, 1} n ) to {0, 1} n. Thus, we have a way to convert a pseudorandom function F on fixedlength inputs into a pseudorandom function CBC on variablelength inputs! To use this for message authentication, we adapt the idea of Construction 4.3 in the following way: to authenticate a message m, first apply some encoding function enc to m to obtain a (nonempty) string enc(m) ({0, 1} n ) ; then output the tag CBC k (enc(m)). For this to be secure (cf. the proof of Theorem 4.4), the encoding needs to be prefixfree, namely, to have the property that for any distinct (legal) messages m 1, m 2, the string enc(m 1 ) is not a prefix of enc(m 2 ). This implies that for any set of (legal) messages {m 1,...}, the set of encoded messages {enc(m 1 ),...} is prefixfree. We now examine two concrete applications of this idea: Fix l, and let the set of legal messages be {0, 1} l(n) n. Then we can take the trivial encoding enc(m) = m, which is prefixfree in this case since a string m 1 cannot be a prefix of a different string m 2 of the same length. This is exactly the basic CBCMAC construction, and what we have said above implies that it is a secure fixedlength MAC (cf. Theorem 4.10). One way of handling arbitrarylength (nonempty) messages 5 is to encode a string m {0, 1} by prepending its length m (encoded as an nbit string), and then appending as many 0s as needed to make the length of the resulting string a multiple of n. (This is essentially what is shown in Figure 4.2.) This encoding is prefixfree, and we therefore obtain a secure MAC for arbitrarylength messages. The rest of this section is devoted to a proof of Theorem In proving the theorem, we analyze CBC when it is keyed with a random function rather than a random key k for some underlying pseudorandom function F. That is, we consider the keyed function CBC defined as CBC g (x 1,...,x l ) = g (g ( g(g(x 1 ) x 2 ) ) x l ) where, for security parameter n, the function g maps nbit inputs to nbit outputs, and x 1 = = x l = n. Note that CBC as defined here is not efficient (since the representation of g requires space exponential in n); nevertheless, it is still a welldefined, keyed function. 5 Technically, we only handle messages of length less than 2 n.
6 138 We show that if g is chosen uniformly from Func n, then CBC g is indistinguishable from a random function mapping ({0, 1} n ) to nbit strings as long as it is queried on a prefixfree set of inputs. More precisely: CLAIM 4.12 Fix any n 1. For all distinguishers D that query their oracle on a prefixfree set of q inputs, where the longest such input has blocklength l, it holds that Pr[D CBCg( ) (1 n ) = 1] Pr[D f( ) (1 n ) = 1] q 2 l 2 2 n, where g is chosen uniformly from Func n, and f is chosen uniformly from the set of functions mapping ({0, 1} n ) to {0, 1} n. (The claim is unconditional, and does not impose any constraints on the running time of D. Thus we may take D to be deterministic.) The above implies Theorem 4.11 using standard techniques that we have already seen. In particular, for any D running in polynomial time we must have q(n), l(n) = poly(n) and so q(n) 2 l(n) 2 2 n is negligible. PROOF (of Claim 4.12) Fix some n 1. The proof proceeds in two steps: We first define a notion of smoothness and prove that CBC is smooth; we then show that smoothness implies the claim. Let P = {X 1,..., X q } denote a prefixfree set of q inputs, where each X i ({0, 1} n ) and the longest string in P has blocklength l. Note that for any t 1,...,t q {0, 1} n, we have Pr[ i : f(x i ) = t i ] = 2 nq if f is chosen uniformly from the set of functions mapping ({0, 1} n ) to {0, 1} n. We say that CBC is (q, l, δ)smooth if for any such P and t 1,...,t q {0, 1} n, we have Pr[ i : CBC g (X i ) = t i ] (1 δ) 2 nq, where the probability is over uniform choice of g Func n. LEMMA 4.13 CBC is (q, l, δ)smooth, with δ = q 2 l 2 2 n. PROOF For any X ({0, 1} n ), with X = x 1,... and x i {0, 1} n, let C g (X) denote the set of inputs on which g is evaluated during the computation of CBC g (X); i.e., if X ({0, 1} n ) m then C g (X) def = (x 1, CBC g (x 1 ) x 2,..., CBC g (x 1,..., x m 1 ) x m ). For X ({0, 1} n ) m and X ({0, 1} n ) m, with C g (X) = (I 1,..., I m ) and C g (X ) = (I 1,..., I m ), say there is a nontrivial collision if (1) I i = I j or I i = I j for some i j, or (2) I i = I j but (x 1,...,x i ) (x 1,..., x j ). Let Coll be the event that there is a nontrivial collision for some strings X, X P.
7 Message Authentication Codes 139 Consider choosing a random g by choosing, onebyone, random values for the outputs of g on different inputs. Determining whether there is a nontrivial collision for two strings X, X P as above can be done by first choosing the values of g(i 1 ) and g(i 1 ) (if I 1 = I 1, these are the same), then choosing values for g(i 2 ) and g(i 2) (note that I 2 = g(i 1 ) x 2 and I 2 = g(i 1 ) x 2 are defined once g(i 1), g(i 1 ) are fixed), and continuing in this way until we choose values for g(i m 1 ) and g(i m 1 ). In particular, the values of g(i m ), g(i m ) do not need to be chosen. Similarly, one can determine whether Coll occurs by choosing the values of g on allbutthelast entries of each of C g (X 1 ),..., C g (X q ). Assuming Coll does not occur, we claim that in the process of fixing all those values of g, the values of the last entries of each of C g (X 1 ),..., C g (X q ) are distinct and have, in fact, not been fixed. Distinctness is immediate from the fact that Coll has not occurred, and the only way some last entry could possibly have been fixed is due to a trivial collision where, say, I m = I m and (x 1,..., x m ) = (x 1,..., x m ). But that would mean X is a prefix of X, violating the assumption that P is prefixfree. We thus see that conditioned on the event that Coll does not occur, the values CBC g (X 1 ),..., CBC g (X q ) (which are equal to the values of g on the last entries of each of C g (X 1 ),..., C g (X q )) are uniform and independent. So Pr [ i : CBC g (X i ) = t i Coll ] = 2 nq. (4.4) We next show that Coll occurs with high probability by upperbounding Pr[Coll]. Letting Coll i,j denote the event of a nontrivial collision between (distinct) X i, X j P, we have Coll = i,j Coll i,j and so a union bound gives Pr[Coll] i,j: i<j Pr[Coll i,j ] = ( ) q Pr[Coll i,j ] q2 2 2 Pr[Coll i,j]. (4.5) Fixing distinct X = X i and X = X j in P, we now bound Coll i,j. As will be clear from the analysis, the probability is maximized when X and X are both as long as possible; we assume they both have blocklength l. Let X = (x 1,..., x l ) and X = (x 1,..., x l ), and let t be the largest integer such that (x 1,..., x t ) = (x 1,..., x t). We assume t > 0, but the analysis below can be easily modified (to give the same result) if t = 0. We continue to let I 1,... (resp., I 1,...) denote the inputs to g during the course of computing CBC g (X) (resp., CBC g (X )); note that (I 1,..., I t) = (I 1,..., I t ). As above, consider choosing a random g by choosing random values for the outputs of g, onebyone. Here we do this in 2l 2 steps as follows: Steps 1 through t 1: (These steps are run only if t > 1.) In step i, choose a random value for g(i i ), defining I i+1 = I i+1. Step t: Choose a random value for g(i t ), defining I t+1 and I t+1. Steps t + 1 to l 1: In step i, choose a random value for g(i i ), defining I i+1.
8 140 Steps l to 2l 2: Choose, in turn, random values for g(i t+1 ),..., g(i l 1 ); in each case, choosing g(i i ) defines I i+1. Let Coll(i) be the event that a nontrivial collision occurs by step i. Then Pr[Coll i,j ] = Pr[ 2l 2 i Coll(i)] Pr[Coll(1)] + i=2 Pr[Coll(i) Coll(i 1)], (4.6) using Proposition A.9. For i < t, we claim that Pr[Coll(i) Coll(i 1)] = i/2 n : indeed, if no nontrivial collision has occurred by step i 1, the value of g(i i ) is chosen uniformly at random in step i; a nontrivial collision occurs only if I i+1 = g(i i ) x i+1 is equal to one of {I 1,..., I i }. By similar reasoning, we have Pr[Coll(t) Coll(t 1)] 2t/2 n. (Now we have two values I t+1, I t+1 to consider; note they cannot be equal to each other.) Finally, for i > t we have Pr[Coll(i) Coll(i 1)] = (i + 1)/2 n by an analogous argument. Using Equation (4.6), we thus have Pr[Coll i,j ] 2 n ( t 1 i + 2t + i=1 2l 2 i=t+1 (i + 1) 2l 1 = 2 n i = 2 n (2l + 1) (l 1) < 2l 2 2 n. i=2 From Equation (4.5) we get Pr[Coll] < q 2 l 2 2 n = δ. Finally, using Equation (4.4) we see that as claimed. Pr[ i : CBC g (X i ) = t i ] Pr [ i : CBC g (X i ) = t i Coll ] Pr[Coll] ) = 2 nq Pr[Coll] (1 δ) 2 nq, We now show that smoothness implies the theorem. Fix a deterministic distinguisher D and assume without loss of generality that D always makes q (distinct) queries, the longest of which has blocklength l. We stress that D may choose its queries adaptively (i.e., depending on the answers to previous queries), however the set of D s queries must be prefixfree. For distinct X 1,...,X q ({0, 1} n ) and arbitrary t 1,...,t q {0, 1} n, define α(x 1,..., X q ; t 1,..., t q ) to be 1 if and only if D outputs 1 when making queries X 1,...,X q and getting responses t 1,..., t q. (If, say, D does not make query X 1 as its first query, then α(x 1,...;...) = 0.) Letting
9 Message Authentication Codes 141 X = (X 1,...,X q ) and t = (t 1,..., t q ), we then have Pr[D CBCg( ) (1 n ) = 1] = X prefixfree; t X prefixfree; t = (1 δ) Pr[D f( ) (1 n ) = 1], α( X, t) Pr[ i : CBC g (X i ) = t i ] α( X, t) (1 δ) Pr[ i : f(x i ) = t i ] where, above, g is chosen uniformly from Func n, and f is chosen uniformly from the set of functions mapping ({0, 1} n ) to {0, 1} n. This implies Pr[D f( ) (1 n ) = 1] Pr[D CBCg( ) (1 n ) = 1] δ Pr[D f( ) (1 n ) = 1] δ. A symmetric argument for when D outputs 0 completes the proof. 4.5 Authenticated Encryption In Chapter 3, we studied how it is possible to obtain secrecy in the privatekey setting using encryption. In this chapter, we have shown how to ensure integrity using message authentication codes. One might naturally want to achieve both goals simultaneously, and it is this problem we turn to now. We remark that it is best practice to always ensure secrecy and integrity by default in the privatekey setting. Indeed, in many applications where secrecy is required it turns out that integrity is essential also. Moreover, a lack of integrity can sometimes lead to a breach of secrecy Definitions We begin, as usual, by defining precisely what we wish to achieve. At an abstract level, our goal is to realize an ideally secure communication channel that provides both secrecy and integrity. Pursuing a definition of this sort is beyond the scope of this book. Instead, we provide a simpler though more cumbersome set of definitions that treat secrecy and integrity separately. This definition and the resulting analysis suffice for understanding the key issues at hand. (We caution the reader, however, that in contrast to encryption and message authentication codes the field has not yet settled on standard terminology and definitions for authenticated encryption.) Let Π = (Gen, Enc, Dec) be a privatekey encryption scheme. As mentioned already, we define security by separately defining secrecy and integrity. The notion of secrecy we consider is one we have seen before: we require that
10 142 Π be secure against chosenciphertext attacks (i.e., CCAsecure). (Refer to Section 3.7 for a discussion and definition of CCAsecurity. We are concerned about chosenciphertext attacks here because we are explicitly considering an active adversary who can modify the data sent from one honest party to the other.) Our notion of integrity will be essentially that of existential unforgeability under an adaptive chosenmessage attack. Since Π does not satisfy the syntactic requirements of a message authentication code, however, we introduce a definition specific to this case. Consider the following experiment defined for a privatekey encryption scheme Π = (Gen, Enc, Dec), adversary A, and value n for the security parameter: The authenticated communication experiment Auth A,Π (n): 1. Run Gen(1 n ) to obtain a key k. 2. The adversary A is given input 1 n and access to an encryption oracle Enc k ( ). The adversary outputs a ciphertext c. 3. Let m := Dec k (c), and let Q denote the set of all queries that A asked to its oracle. The output of the experiment is defined to be 1 if and only if (1) m and (2) m Q. DEFINITION 4.14 A privatekey encryption scheme Π achieves authenticated communication if for all probabilistic polynomialtime adversaries A, there exists a negligible function negl such that: Pr[Auth A,Π (n) = 1] negl(n). (Paralleling our discussion about verification queries following Definition 4.2, here one could also consider a stronger definition in which A is additionally given access to a decryption oracle. One can verify that the secure construction we present below would satisfy that stronger definition.) We now define a (secure) authenticated encryption scheme. DEFINITION 4.15 A privatekey encryption scheme is said to be an authenticated encryption scheme if it is CCAsecure and achieves authenticated communication Generic Constructions It may be tempting to think that any reasonable combination of a secure encryption scheme and a secure message authentication code should result in an authenticated encryption scheme. In this section we show that this is not the case. This demonstrates that even secure cryptographic tools can be combined in such a way that the result is insecure, and highlights once again
11 Message Authentication Codes 143 the importance of definitions and proofs of security. On the positive side, we show how encryption and message authentication can be combined properly to achieve joint secrecy and integrity. Throughout, let Π E = (Enc, Dec) be an encryption scheme and let Π M = (Mac, Vrfy) denote a message authentication code, where key generation in both schemes simply involves choosing a uniform nbit key. There are three natural approaches to combining encryption and message authentication using independent keys 6 k E and k M for Π E and Π M, respectively: 1. Encryptandauthenticate: In this method, encryption and message authentication are computed independently in parallel. That is, given a plaintext message m, the sender transmits the ciphertext c, t where: c Enc ke (m) and t Mac km (m). The receiver decrypts c to recover m, and then verifies the tag t. If Vrfy km (m, t) = 1, the receiver outputs m; otherwise, it outputs. 2. Authenticatethenencrypt: Here a MAC tag t is first computed, and then the message and tag are encrypted together. That is, the ciphertext c is computed as: t Mac km (m) and c Enc ke (m t). The receiver decrypts c to obtain m t, and then verifies the tag t on m. As before, if Vrfy km (m, t) = 1 the receiver outputs m; otherwise, it outputs. 3. Encryptthenauthenticate: In this case, the message m is first encrypted and then a MAC tag is computed over the result. That is, the ciphertext is the pair c, t where: c Enc ke (m) and t Mac km (c). (See also Construction 4.16.) If Vrfy km (c, t) = 1, then the receiver decrypts c and outputs the result; otherwise, it outputs. We analyze each of the above approaches when they are instantiated with generic secure components, i.e., an arbitrary CPAsecure encryption scheme and an arbitrary secure MAC (with an additional technical property we define later). We want an approach that provides joint secrecy and integrity when using any (secure) components, and we will therefore reject as unsafe any approach for which there exists even a single counterexample of a secure encryption scheme/mac for which the combination is insecure. This allornothing approach reduces the likelihood of implementation flaws. In more 6 Independent cryptographic keys should always be used when different schemes are combined. We return to this point at the end of this section.
12 144 detail: An authenticated encryption scheme might be implemented by making calls to an encryption subroutine and a message authentication subroutine, and the implementation of those subroutines may be changed at some later point in time. (This commonly occurs when cryptographic libraries are updated, or when standards are modified.) Implementing an approach whose security depends on how its components are implemented (rather than on the security they provide) is therefore dangerous. We stress that if an approach is rejected this does not mean that it is insecure for all possible instantiations of the components; it does, however, mean that any instantiation of the approach must be analyzed and proven secure before it should be used. Encryptandauthenticate. Recall that in this approach encryption and message authentication are done independently. Given a message m, the transmitted value is c, t where c Enc ke (m) and t Mac km (m). This approach is not sound, as it may not achieve even the most basic level of secrecy. To see this, note that a secure MAC does not guarantee any secrecy and so it is possible for the tag Mac km (m) to leak information about m to an eavesdropper. (As a trivial example, consider a secure message authentication code where the first bit of the tag is always equal to the first bit of the message.) So the encryptandauthenticate approach may yield a scheme that does not even have indistinguishable encryptions in the presence of an eavesdropper, the most basic level of secrecy. Moreover, the encryptandauthenticate approach is likely to be insecure against chosenplaintext attacks even when instantiated with standard components. (The counterexample in the previous paragraph was contrived.) If a deterministic MAC is used, then the tag computed on a message (for some fixed key k M ) is the same every time; this allows an eavesdropper to identify when the same message is sent twice, and so is not CPAsecure. Most MACs used in practice are deterministic, so this represents a real concern. Authenticatethenencrypt. Here, a MAC tag t Mac km (m) is first computed; then m t is encrypted and the resulting value Enc ke (m t) is transmitted. We show that this combination also does not necessarily yield a good authenticated encryption scheme. In fact, we have already encountered a CPAsecure encryption scheme for which this approach is insecure: the CBCmodewithpadding scheme discussed in Section (We assume in what follows that the reader is familiar with that section.) Recall that this scheme works by first padding the plaintext (which in our case will be m t) in a specific way so the result is a multiple of the block length, and then encrypting the result using CBC mode. During decryption, if an error in the padding is detected after performing the CBCmode decryption, then a bad padding error is returned. With regard to
13 Message Authentication Codes 145 authenticatethenencrypt, this means there are now two sources of potential decryption failure: the padding may be incorrect, or the MAC tag may not verify. Schematically, then, the decryption algorithm Dec in the combined scheme works as follows: Dec k E,k M (c): 1. Compute m = Dec ke (c). If an error in the padding is detected, return bad padding and stop. 2. Parse m as m t. If Vrfy km (m, t) = 1 return m; else, output authentication failure. Assuming the attacker can distinguish between the two error messages, the attacker can apply the same chosenciphertext attack described in Section to the authenticatethenencrypt scheme to recover the entire original plaintext given a single ciphertext. Exactly this type of attack has been carried out successfully on versions of IPsec that (mistakenly) use authenticatethenencrypt to provide authenticated communication. One way to fix the above scheme would be to ensure that only a single error message is returned, regardless of the source of decryption failure. This is an unsatisfying solution for several reasons: (1) there may be legitimate reasons (e.g., usability, debugging) to have multiple error messages; furthermore, (2) forcing the error messages to be the same means that the combination is no longer truly generic, i.e., it requires the implementer of the authenticatethenencrypt approach to be aware of what error messages are returned by the underlying CPAsecure encryption scheme. In any case, there are also other (arguably less natural) examples showing attacks on the authenticatethenencrypt approach. Encryptthenauthenticate. In this approach, the message is first encrypted and then a MAC is computed over the result. That is, the message is the pair c, t where c Enc ke (m) and t Mac km (c). Decryption of c, t is done by outputting if Vrfy km (c, t) 1, and otherwise outputting Dec ke (c). See Construction 4.16 for a formal description. This approach is sound, as long as the MAC satisfies an additional technical property. Say (Mac, Vrfy) has unique tags if for every key k M and every m there is a unique tag t for which Vrfy km (m, t) = 1. The requirement of unique tags is not hard to achieve, and any deterministic MAC with canonical verification will satisfy it. (Construction 4.5 is the only construction we will see that does not satisfy this property.) As intuition for the security of this approach, say a ciphertext c, t is valid if t is a valid MAC tag on c. Security of the MAC ensures that an adversary will be unable to generate any valid ciphertext that it did not receive from its encryption oracle. This immediately implies that Construction 4.16 achieves
14 146 CONSTRUCTION 4.16 Let Π E = (Enc,Dec) be a privatekey encryption scheme and let Π M = (Mac, Vrfy) be a message authentication code, where in each case key generation is done by simply choosing a uniform nbit key. Define a privatekey encryption scheme (Gen, Enc,Dec ) as follows: Gen : on input 1 n, choose independent, uniform k E, k M {0, 1} n and output the key (k E, k M). Enc : on input a key (k E, k M) and a plaintext message m, compute c Enc ke (m) and t Mac km (c). Output the ciphertext c, t. Dec : on input a key (k E, k M) and a ciphertext c, t, first check whether Vrfy km (c, t)? = 1. If yes, then output Dec ke (c); if no, then output. A generic construction of an authenticated encryption scheme. authenticated communication. Moreover, it has the effect of rendering the decryption oracle useless since for every ciphertext c, t the adversary submits to its decryption oracle, the adversary either already knows the decryption (if it received c, t from its own encryption oracle) or else can expect the result to be an error (since the adversary cannot generate any new, valid ciphertexts). This means that CCAsecurity of the combined scheme reduces to the CPAsecurity of Π E. We prove this rigorously below. THEOREM 4.17 Let Π E be a CPAsecure privatekey encryption scheme, and let Π M be a secure message authentication code with unique tags. Then Construction 4.16 is an authenticated encryption scheme. PROOF Let Π denote the scheme resulting from Construction We need to show that Π achieves authenticated communication, and that it is CCAsecure. Following the intuition given above, say a ciphertext c, t is valid (with respect to secret key (k E, k M )) if Vrfy km (c, t) = 1. We will argue that security of Π M as a message authentication code implies that (except with negligible probability) any new ciphertexts the adversary gives the decryption oracle will be invalid and so the decryption oracle will simply return. Since the decryption oracle is essentially useless, security of Π = (Gen, Enc, Dec ) is reduced to the CPAsecurity of Π E. Let A be a probabilistic polynomialtime adversary attacking Construction 4.16 in a chosenciphertext attack (cf. Definition 3.30). Say a ciphertext c, t is new if A did not receive any ciphertext of the form c, from its encryption oracle or as the challenge ciphertext. Let ValidQuery be the event that A submits a new ciphertext c, t to its decryption oracle which is valid, i.e., for which Vrfy km (c, t) = 1. We prove:
15 Message Authentication Codes 147 CLAIM 4.18 Pr[ValidQuery] is negligible. PROOF Intuitively, this is due to the fact that if ValidQuery occurs then the adversary has forged a valid tag t on a new message c. Formally, let q( ) be a polynomial upper bound on the number of decryptionoracle queries made by A, and consider the following adversary A M attacking the message authentication code Π M (i.e., running in experiment Macforge AM,Π M (n)): Adversary A M : A M is given input 1 n and has access to a MAC oracle Mac km ( ). 1. Choose k E {0, 1} n uniformly at random. 2. Choose i {1,...,q(n)} uniformly at random. 3. Run A on input 1 n. When A makes an encryptionoracle query for the message m, answer it as follows: (i) Compute c Enc ke (m). (ii) Query c to the MAC oracle and receive t in response. Return c, t to A. The challenge ciphertext is prepared in the exact same way (with a random bit b {0, 1} being chosen to select the message m b that gets encrypted). When A makes a decryptionoracle query for the ciphertext c, t, answer it as follows: If this is the ith decryptionoracle query, output (c, t). Otherwise: (i) If c, t was a response to a previous encryptionoracle query for a message m, return m. (ii) Otherwise, return. In essence, A M is hoping that the ith decryptionoracle query of A will be the first new, valid query A makes. In that case, A M outputs a valid forgery on a message c that it had never previously submitted to its own MAC oracle. Clearly A M runs in probabilistic polynomial time. We now analyze the probability that A M produces a good forgery. The key point is that the view of A when run as a subroutine by A M is distributed identically to the view of A in experiment PrivK cca A,Π (n) until event ValidQuery occurs. To see this, note that the encryptionoracle queries of A (as well as computation of the challenge ciphertext) are simulated perfectly by A M. As for the decryptionoracle queries of A, until ValidQuery occurs these are all simulated properly. In case (i) this is obvious. As for case (ii), if the ciphertext c, t submitted to the decryption oracle is new, then as long as ValidQuery has not yet occurred then the correct answer to the decryptionoracle query is indeed. If c, t is not new, then A has received a ciphertext c, t from its decryption oracle; because we are not in case (i) we must have t t. But then the uniquetags property implies that Vrfy km (c, t ) = 0, and so the correct answer to the
16 148 decryptionoracle query is once again. Recall also that A is disallowed from submitting the challenge ciphertext to the decryption oracle. Because the view of A when run as a subroutine by A M is distributed identically to the view of A in experiment PrivK cca A,Π (n) until event ValidQuery occurs, the probability of event ValidQuery in experiment Macforge AM,Π M (n) is the same as the probability of that event in experiment PrivK cca A,Π (n). If A M correctly guesses the first index i when ValidQuery occurs, then A M outputs (c, t) for which Vrfy km (c, t) = 1 (since c, t is valid) and for which it never requested a tag on c (since c, t is new). In this case, then, A M succeeds in experiment Macforge AM,Π M (n). The probability that A M guesses correctly is 1/q(n). Therefore Pr[Macforge AM,Π M (n) = 1] Pr[ValidQuery]/q(n). Since Π M is a secure MAC and q is polynomial, we conclude that Pr[ValidQuery] is negligible. We use this claim to prove security of Π. The easier case is to prove that Π achieves authenticated communication. This follows immediately from the claim, and so we just provide informal reasoning rather than a completely formal proof. Observe first that the adversary A in the authenticated communication experiment is a restricted version of the adversary in the chosenciphertext experiment: in the former, the adversary only has access to an encryption oracle. When A outputs a ciphertext c, t at the end of its experiment, it succeeds only if c, t is valid and new. But the previous claim shows precisely that the probability of such an event is negligible. It is slightly more involved to prove that Π is CCAsecure. Let A again be a probabilistic polynomialtime adversary attacking Π in a chosenciphertext attack. We have Pr[PrivK cca A,Π (n) = 1] Pr[ValidQuery] + Pr[PrivK cca A,Π (n) = 1 ValidQuery]. (4.7) We have already shown that Pr[ValidQuery] is negligible. The following claim thus completes the proof of the theorem. CLAIM 4.19 There exists a negligible function negl such that Pr[PrivK cca A,Π (n) = 1 ValidQuery] negl(n). We now use the CPAsecurity of Π E. Consider the following adversary A E attacking Π E in a chosenplaintext attack: Adversary A E : A E is given input 1 n and has access to Enc ke ( ).
17 Message Authentication Codes Choose k M {0, 1} n uniformly at random. 2. Run A on input 1 n. When A makes an encryptionoracle query for the message m, answer it as follows: (i) Query m to Enc ke ( ) and receive c in response. (ii) Compute t Mac km (c), and return c, t to A. When A makes a decryptionoracle query for the ciphertext c, t, answer it as follows: (i) If c, t was a response to a previous encryptionoracle query for a message m, return m. Otherwise, return. 3. When A outputs messages (m 0, m 1 ), output these same messages and receive a challenge ciphertext c in response. Compute t Mac km (c), and return c, t as the challenge ciphertext for A. Continue answering A s oracle queries as above. 4. Output the same bit b that is output by A. Notice that A E does not need a decryption oracle because it simply assumes that any decryption query by A that was not the result of a previous encryptionoracle query is invalid. Clearly, A E runs in probabilistic polynomial time. Furthermore, the view of A when run as a subroutine by A E is distributed identically to the view of A in experiment PrivK cca A,Π (n) as long as event ValidQuery never occurs. Therefore, the probability that A E succeeds when ValidQuery does not occur is the same as the probability that A succeeds when ValidQuery does not occur; i.e., Pr[PrivK cpa A E,Π E (n) = 1 ValidQuery] = Pr[PrivK cca A,Π (n) = 1 ValidQuery], implying that Pr[PrivK cpa A E,Π E (n) = 1] Pr[PrivK cpa A E,Π E (n) = 1 ValidQuery] = Pr[PrivK cca A,Π (n) = 1 ValidQuery]. Since Π E is CPAsecure, there exists a negligible function negl such that Pr[PrivK cpa A E,Π E (n) = 1] negl(n). This proves the claim. The need for independent keys. We conclude this section by stressing a basic principle of cryptography: different instances of cryptographic primitives should always use independent keys. To illustrate this here, consider what can happen to the encryptthenauthenticate methodology when the same key k is used for both encryption and authentication. Let F be a strong pseudorandom permutation. It follows that F 1 is a strong pseudorandom permutation also. Define Enc k (m) = F k (m r) for m {0, 1} n/2 and a random r {0, 1} n/2, and define Mac k (c) = F 1 k (c). It can be shown that the given encryption scheme is CPAsecure (in fact, it is even CCAsecure), and we know that the
18 150 given message authentication code is a secure MAC. However, the encryptthenauthenticate combination applied to the message m with the same key k yields: Enc k (m), Mac k (Enc k (m)) = F k (m r), F 1 k (F k(m r)) = F k (m r), m r, and the message m is revealed in the clear! This does not in any way contradict Theorem 4.17, since Construction 4.16 expressly requires that k M, k E are chosen (uniformly and) independently Secure Communication Sessions We briefly describe the application of authenticated encryption to the setting of two parties who wish to communicate securely namely, with joint secrecy and integrity over the course of a communication session. (For the purposes of this section, a communication session is simply a period of time during which the communicating parties are willing to maintain state.) In our treatment here we are deliberately informal; a formal definition is quite involved, and this topic arguably lies more in the area of network security than cryptography. Let Π = (Gen, Enc, Dec) be an authenticated encryption scheme. Consider two parties A and B who share a key k and wish to use this key to secure their communication over the course of a session. The obvious thing to do here is to use Π: Whenever A, say, wants to transmit a message m to B, it computes c Enc k (m) and sends c to B; in turn, B decrypts c to recover the result (ignoring the result if decryption returns ). This simple approach, however, does not suffice, as there are two potential attacks: Replay attack As noted previously, an attacker can replay a (valid) ciphertext c sent previously by one of the parties. This can cause a mismatch between what is sent by one party and received by the other, e.g., causing B to output a message m twice, even though A only sent this message once. Reflection attack An attacker can take a ciphertext c sent from A to B, and send it back to A! This again can cause a mismatch between the two parties transcripts of their communication session: A may output a message m, even though B never sent such a message. Fortunately, the above attacks are relatively easy to prevent using counters to address the first attack and a directionality bit to prevent the second. We describe these in tandem. Each party will maintain two counters ctr A,B and ctr B,A keeping track of the number of messages sent from A to B (resp., B to A) during the session. These counters are both initialized to 0 at each party, and are incremented each time a party sends or receives a (valid) message. The parties also agree on a bit b A,B, and define b B,A to be its complement. (One
19 Message Authentication Codes 151 natural way to do this is to set b A,B = 0 iff the identity of A is lexicographically smaller than the identity of B.) When A wants to transmit a message m to B, she computes the ciphertext c Enc k (b A,B ctr A,B m) and sends c; she then increments ctr A,B. Upon receiving c, party B decrypts; if the result is, he immediately rejects. Otherwise, he parses the decrypted message as b ctr m. If b = b A,B and ctr = ctr A,B, then B outputs m and increments ctr A,B ; otherwise, B rejects. The above steps, mutatis mutandis, are applied when B sends a message to A CCASecure Encryption It follows directly from the definition that any authenticated encryption scheme is also secure against chosenciphertext attacks. Can there be CCAsecure privatekey encryption schemes that do not achieve authenticated communication? Indeed, there are; see Exercise One can imagine applications where CCAsecurity is needed but authenticated encryption is not. One example might be when privatekey encryption is used for key transport. As a concrete example, say a server gives a tamperproof hardware token to a user, where embedded in the token is a longterm key k. The server can upload a fresh, shortterm key k to this token by giving the user Enc k (k ); the user is supposed to give this ciphertext to the token, which will decrypt it and use k for the next time period. A chosenciphertext attack in this setting could allow the user to learn k, something the user is not supposed to be able to do. (Note that here a paddingoracle attack, which only relies on the user s ability to determine whether a decryption failure occurs, could potentially be carried out rather easily.) On the other hand, not much harm is done if the user can generate a valid ciphertext that causes the token to use an arbitrary (unrelated) key k for the next time period. (Of course, this depends on what the token does with this shortterm key.) Notwithstanding the above, for privatekey encryption most natural constructions of CCAsecure schemes that we know anyway satisfy the stronger definition of authenticated encryption. Put differently, there is no real reason to ever use a CCAsecure scheme that is not an authenticated encryption scheme, simply because we don t really have any constructions satisfying the former that are more efficient than constructions achieving the latter. From a conceptual point of view, however, it is important to keep the notions of CCA security and authenticated communication distinct. With regard to CCAsecurity we are not necessarily interested in obtaining message integrity; rather, we wish to ensure privacy even against an active adversary who can interfere with the communication as it goes from sender to receiver. In contrast, with regard to authenticated communication we are interested in the twin goals of secrecy and integrity. We stress this here because in the publickey setting that we study later in the book, the difference between authenticated communication and CCAsecurity will be more pronounced.
20 * InformationTheoretic MACs In previous sections we have explored message authentication codes with computational security, i.e., where bounds on the attacker s running time are assumed. Recalling the results of Chapter 2, it is natural to ask whether message authentication in the presence of an unbounded adversary is possible. We study here conditions under which such informationtheoretic (as opposed to computational) security is attainable. A first observation is that it is impossible to achieve perfect security in this context: namely, we cannot hope to have a message authentication code for which the probability that an adversary outputs a valid tag on a previously unauthenticated message is 0. The reason is that an adversary can simply guess a valid tag t on any message; the guess will be correct with probability (at least) 1/2 t, where t denotes the taglength of the scheme. The above example tells us what we can hope to achieve: a MAC with tags of length t where the probability of forgery is at most 1/2 t, even for unbounded adversaries. We will see in the next few sections that this is achievable, but only under restrictions on how many messages are authenticated by the honest parties The Definition A starting point is to take experiment Macforge A,Π (n) that is used to define security for computationally secure MACs (cf. Definition 4.2), but to drop the security parameter n and require that Pr[Macforge A,Π (n) = 1] should be small for all adversaries A (and not just adversaries running in polynomial time). As mentioned above (and as will be proved formally in Section 4.6.3), though, such a definition is impossible to achieve. Rather, informationtheoretic security can be achieved only if we place some bound on the number of messages authenticated by the honest parties. We look here at the most basic setting, where the parties authenticate just a single message. We refer to this as onetime message authentication. The following experiment modifies Macforge A,Π (n) following the above discussion: The onetime message authentication experiment Macforge 1time A,Π : 1. A random key k is generated by running Gen. 2. The adversary A outputs a message m, and is given in return a tag t Mac k (m ). 3. A outputs (m, t). 4. The output of the experiment is defined to be 1 if and only if (1) Vrfy k (m, t) = 1 and (2) m m.
21 Message Authentication Codes 153 DEFINITION 4.20 A message authentication code Π = (Gen, Mac, Vrfy) is onetime εsecure, or just εsecure, if for all adversaries A: Pr[Macforge A,Π = 1] ε A Construction In this section we show how to build an εsecure MAC based on any strongly universal 7 function. We then show a simple construction of the latter. Let h : K M T be a keyed function whose first input is a key k K and whose second input is taken from some domain M. As usual, we write h k (m) instead of h(k, m). A function is strongly universal (or pairwiseindependent) if for any two distinct inputs m, m the values h k (m) and h k (m ) are uniformly and independently distributed in T when k is a uniform key. Note that if h k (m), h k (m ) are uniformly and independently distributed in T then the probability that they take on any particular values t, t is exactly 1/ T 2. We thus have: DEFINITION 4.21 A function h : K M T is strongly universal if for all distinct m, m M and all t, t T we have Pr[h k (m) = t h k (m ) = t ] = 1/ T 2, where the probability is taken over uniform choice of k K. CONSTRUCTION 4.22 Let h : K M T be a strongly universal function. Define a MAC for messages in M as follows: Gen: choose k K uniformly at random. Mac: on input a key k K and a message m M, output the tag t := h k (m). Vrfy: on input a key k K, a message m M, and a tag t T, output 1 if and only if t? = h k (m). (If m M, then output 0.) A MAC from any strongly universal function. The above should motivate the construction of a onetime message authentication code from any strongly universal function h. The tag t on a message 7 These are often called strongly universal hash functions, but in cryptographic contexts the term hash has another meaning that we will see later in the book.
22 154 m is obtained by computing h k (m), where the key k is (of course) chosen at random. (See Construction 4.22.) Intuitively, even after an adversary observes the tag t := h k (m ) for any message m, the correct tag h k (m) for any other message m is still uniformly distributed in T from the adversary s point of view. The adversary can only hope to guess the right tag, and this guess will be correct only with probability 1/ T. The above construction can be viewed as analogous to Construction 4.3, if we view a strongly universal function h as an informationtheoretic pseudorandom function as long as h is only evaluated twice. THEOREM 4.23 Let h : K M T be a strongly universal function. Then Construction 4.22 is a 1/ T secure MAC for messages in M. PROOF Let A be an adversary. As usual in the informationtheoretic setting, we may assume A is deterministic without loss of generality. So the message m that A outputs at the outset of the experiment is fixed. Furthermore, the (m, t) that A outputs at the end of the experiment is a deterministic function A(t ) of the tag t on m that A receives. We thus have Pr[Macforge A,Π = 1] = Pr[Macforge A,Π = 1 h k (m ) = t ] This proves the theorem. = = t T t T (m, t) := A(t ) t T (m, t) := A(t ) = 1/ T. Pr[h k (m) = t h k (m ) = t ] 1/ T 2 We now turn to a classical construction of a strongly universal function. We assume some basic knowledge about arithmetic modulo a prime number; readers may refer to Sections and for the necessary background. def Fix some prime p, and let Z p = {0,...,p 1}. We take as our message space M = Z p ; the space of possible tags will also be T = Z p. A key (a, b) will consist of a pair of elements from Z p ; thus, K = Z p Z p. Define h as h a,b (m) = [a m + b mod p], where the notation [X mod p] refers to the reduction of the integer X modulo p (and so [X mod p] Z p always). THEOREM 4.24 For any prime p, the function h is strongly universal.
Message Authentication Code
Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBCMAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44
More informationMACs Message authentication and integrity. Table of contents
MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and
More informationAuthentication and Encryption: How to order them? Motivation
Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in
More information1 Construction of CCAsecure encryption
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of secure encryption We now show how the MAC can be applied to obtain a secure encryption scheme.
More informationLecture 9  Message Authentication Codes
Lecture 9  Message Authentication Codes Boaz Barak March 1, 2010 Reading: BonehShoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,
More information1 Message Authentication
Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions
More informationLecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture  PRGs for one time pads
CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs
More informationThe Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)
The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication
More informationProvableSecurity Analysis of Authenticated Encryption in Kerberos
ProvableSecurity Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 303320765
More informationTalk announcement please consider attending!
Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically
More informationCryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs
Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a
More informationLecture 13: Message Authentication Codes
Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts
More informationLecture 15  Digital Signatures
Lecture 15  Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations  easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.
More information1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.
1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks
More informationVictor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract
Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart
More informationAuthenticated encryption
Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu October 16th, 2013 Active attacks on CPAsecure encryption
More informationMAC. SKE in Practice. Lecture 5
MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve
More informationAuthenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre
Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense
More information1 Domain Extension for MACs
CS 127/CSCI E127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures KatzLindell Ÿ4.34.4 (2nd ed) and Ÿ12.012.3 (1st ed).
More informationPostQuantum Cryptography #4
PostQuantum Cryptography #4 Prof. Claude Crépeau McGill University http://crypto.cs.mcgill.ca/~crepeau/waterloo 185 ( 186 Attack scenarios Ciphertextonly attack: This is the most basic type of attack
More informationLecture 5  CPA security, Pseudorandom functions
Lecture 5  CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.
More informationLecture 3: OneWay Encryption, RSA Example
ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: OneWay Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require
More informationLeakageResilient Authentication and Encryption from Symmetric Cryptographic Primitives
LeakageResilient Authentication and Encryption from Symmetric Cryptographic Primitives Olivier Pereira Université catholique de Louvain ICTEAM Crypto Group B1348, Belgium olivier.pereira@uclouvain.be
More informationChosenCiphertext Security from IdentityBased Encryption
ChosenCiphertext Security from IdentityBased Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCAsecure publickey encryption schemes (i.e., schemes
More informationCiphertext verification security of symmetric encryption schemes
www.scichina.com info.scichina.com www.springerlink.com Ciphertext verification security of symmetric encryption schemes HU ZhenYu 1, SUN FuChun 1 & JIANG JianChun 2 1 National Laboratory of Information
More informationMESSAGE AUTHENTICATION IN AN IDENTITYBASED ENCRYPTION SCHEME: 1KEYENCRYPTTHENMAC
MESSAGE AUTHENTICATION IN AN IDENTITYBASED ENCRYPTION SCHEME: 1KEYENCRYPTTHENMAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial
More informationIntroduction. Digital Signature
Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology
More informationAuthenticated Encryption: Relations among notions and analysis of the generic composition paradigm
An extended abstract of this paper appears in Tatsuaki Okamoto, editor, Advances in Cryptology ASIACRYPT 2000, Volume 1976 of Lecture Notes in Computer Science, pages 531 545, Kyoto, Japan, December 3
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct
More information1 Signatures vs. MACs
CS 120/ E177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. KatzLindell 10 1 Signatures vs. MACs Digital signatures
More informationDesigning Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages:
Designing Hash functions and message authentication codes Reviewing... We have seen how to authenticate messages: Using symmetric encryption, in an heuristic fashion Using publickey encryption in interactive
More informationUniversal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure PublicKey Encryption
Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure PublicKey Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical publickey
More informationOutline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures
Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike
More informationOverview of Cryptographic Tools for Data Security. Murat Kantarcioglu
UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the
More informationCryptography. Jonathan Katz, University of Maryland, College Park, MD 20742.
Cryptography Jonathan Katz, University of Maryland, College Park, MD 20742. 1 Introduction Cryptography is a vast subject, addressing problems as diverse as ecash, remote authentication, faulttolerant
More informationComputational Soundness of Symbolic Security and Implicit Complexity
Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 37, 2013 Overview
More informationSimulationBased Security with Inexhaustible Interactive Turing Machines
SimulationBased Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik ChristianAlbrechtsUniversität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.unikiel.de
More informationIdentitybased Encryption with PostChallenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks
Identitybased Encryption with PostChallenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen  Huawei, Singapore Ye Zhang  Pennsylvania State University, USA Siu Ming
More informationOnLine/OffLine Digital Signatures
J. Cryptology (996) 9: 35 67 996 International Association for Cryptologic Research OnLine/OffLine Digital Signatures Shimon Even Computer Science Department, Technion Israel Institute of Technology,
More informationDigital Signatures. What are Signature Schemes?
Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counterparts of the message authentication schemes in the public
More informationSecurity Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012
Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database
More informationCIS 5371 Cryptography. 8. Encryption 
CIS 5371 Cryptography p y 8. Encryption  Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: Allornothing secrecy.
More informationSecure Computation Without Authentication
Secure Computation Without Authentication Boaz Barak 1, Ran Canetti 2, Yehuda Lindell 3, Rafael Pass 4, and Tal Rabin 2 1 IAS. E:mail: boaz@ias.edu 2 IBM Research. Email: {canetti,talr}@watson.ibm.com
More informationFactoring & Primality
Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount
More informationError oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm
Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers
More informationChapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes
Chapter 11 Asymmetric Encryption The setting of publickey cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret
More informationCSC474/574  Information Systems Security: Homework1 Solutions Sketch
CSC474/574  Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a oneround Feistel cipher
More informationChapter 7. Message Authentication. 7.1 The setting
Chapter 7 Message Authentication In most people s minds, privacy is the goal most strongly associated to cryptography. But message authentication is arguably even more important. Indeed you may or may
More informationOverview of Symmetric Encryption
CS 361S Overview of Symmetric Encryption Vitaly Shmatikov Reading Assignment Read Kaufman 2.14 and 4.2 slide 2 Basic Problem   ? Given: both parties already know the same secret Goal: send
More informationImproved Online/Offline Signature Schemes
Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion
More informationMTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic
More informationCh.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis
Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography
More informationCIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives
CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; DH key exchange; Hash functions; Application of hash
More informationBreaking Generalized DiffieHellman Modulo a Composite is no Easier than Factoring
Breaking Generalized DiffieHellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The DiffieHellman keyexchange protocol may naturally be extended to k > 2
More informationCapture Resilient ElGamal Signature Protocols
Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department
More informationAdvanced Cryptography
Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.
More informationChapter 3. Network Domain Security
Communication System Security, Chapter 3, Draft, L.D. Chen and G. Gong, 2008 1 Chapter 3. Network Domain Security A network can be considered as the physical resource for a communication system. This chapter
More informationChapter 12. Digital signatures. 12.1 Digital signature schemes
Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this
More informationNetwork Security. Modes of Operation. Steven M. Bellovin February 3, 2009 1
Modes of Operation Steven M. Bellovin February 3, 2009 1 Using Cryptography As we ve already seen, using cryptography properly is not easy Many pitfalls! Errors in use can lead to very easy attacks You
More informationSecurity Analysis of DRBG Using HMAC in NIST SP 80090
Security Analysis of DRBG Using MAC in NIST SP 80090 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@ufukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator
More informationCryptographic Hash Functions Message Authentication Digital Signatures
Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBCMAC Digital signatures 2 Encryption/Decryption
More informationCryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur
Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)
More informationCS155. Cryptography Overview
CS155 Cryptography Overview Cryptography Is n A tremendous tool n The basis for many security mechanisms Is not n The solution to all security problems n Reliable unless implemented properly n Reliable
More informationLimits of Computational Differential Privacy in the Client/Server Setting
Limits of Computational Differential Privacy in the Client/Server Setting Adam Groce, Jonathan Katz, and Arkady Yerukhimovich Dept. of Computer Science University of Maryland {agroce, jkatz, arkady}@cs.umd.edu
More informationCryptoVerif Tutorial
CryptoVerif Tutorial Bruno Blanchet INRIA ParisRocquencourt bruno.blanchet@inria.fr November 2014 Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 1 / 14 Exercise 1: preliminary definition SUFCMA
More informationOn the Security of CTR + CBCMAC
On the Security of CTR + CBCMAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBCMAC (CCM) encryption mode.
More informationSymmetric Crypto MAC. PierreAlain Fouque
Symmetric Crypto MAC PierreAlain Fouque Birthday Paradox In a set of D elements, by picking at random D elements, we have with high probability a collision two elements are equal D=365, about 23 people
More informationModule 8. Network Security. Version 2 CSE IIT, Kharagpur
Module 8 Network Security Lesson 2 Secured Communication Specific Instructional Objectives On completion of this lesson, the student will be able to: State various services needed for secured communication
More informationSignature Schemes. CSG 252 Fall 2006. Riccardo Pucella
Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by
More information11 Ideals. 11.1 Revisiting Z
11 Ideals The presentation here is somewhat different than the text. In particular, the sections do not match up. We have seen issues with the failure of unique factorization already, e.g., Z[ 5] = O Q(
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer
More informationKey Agreement from Close Secrets over Unsecured Channels Winter 2010
Key Agreement from Close Secrets over Unsecured Channels Winter 2010 Andreas Keller Contens 1. Motivation 2. Introduction 3. Building Blocks 4. Protocol Extractor Secure Sketches (MAC) message authentication
More informationlundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal
Symmetric Crypto PierreAlain Fouque Birthday Paradox In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal N=365, about 23 people are
More informationDeveloping and Investigation of a New Technique Combining Message Authentication and Encryption
Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas ElQawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.
More informationQUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University
QUANTUM COMPUTERS AND CRYPTOGRAPHY Mark Zhandry Stanford University Classical Encryption pk m c = E(pk,m) sk m = D(sk,c) m??? Quantum Computing Attack pk m aka Postquantum Crypto c = E(pk,m) sk m = D(sk,c)
More informationStronger Security Bounds for OMAC, TMAC and XCBC
Stronger Security Bounds for OMAC, MAC and XCBC etsu Iwata Kaoru Kurosawa Department of Computer and Information Sciences, Ibaraki University 4 1 1 Nakanarusawa, Hitachi, Ibaraki 3168511, Japan {iwata,
More informationDigital Signatures. Prof. Zeph Grunschlag
Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each
More informationModes of Operation of Block Ciphers
Chapter 3 Modes of Operation of Block Ciphers A bitblock encryption function f: F n 2 Fn 2 is primarily defined on blocks of fixed length n To encrypt longer (or shorter) bit sequences the sender must
More informationOverview of PublicKey Cryptography
CS 361S Overview of PublicKey Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.16 slide 2 PublicKey Cryptography public key public key? private key Alice Bob Given: Everybody knows
More informationCryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53
Cryptography and Network Security, PART IV: Reviews, Patches, and Theory Timo Karvi 11.2012 Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Key Lengths I The old
More informationCS 758: Cryptography / Network Security
CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html
More informationDepartment Informatik. PrivacyPreserving Email Forensics. Technical Reports / ISSN 21915008. Frederik Armknecht, Andreas Dewald
Department Informatik Technical Reports / ISSN 21915008 Frederik Armknecht, Andreas Dewald PrivacyPreserving Email Forensics Technical Report CS201503 April 2015 Please cite as: Frederik Armknecht,
More informationMessage Authentication Codes. Lecture Outline
Message Authentication Codes Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Message Authentication Code Lecture Outline 1 Limitation of Using Hash Functions for Authentication Require an authentic
More informationChosenCiphertext Security from IdentityBased Encryption
ChosenCiphertext Security from IdentityBased Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz June 13, 2006 Abstract We propose simple and efficient CCAsecure publickey encryption schemes
More informationSFWR ENG 4C03  Computer Networks & Computer Security
KEY MANAGEMENT SFWR ENG 4C03  Computer Networks & Computer Security Researcher: Jayesh Patel Student No. 9909040 Revised: April 4, 2005 Introduction Key management deals with the secure generation, distribution,
More informationNoninteractive and Reusable Nonmalleable Commitment Schemes
Noninteractive and Reusable Nonmalleable Commitment Schemes Ivan Damgård a Jens Groth b June 16, 2003 Abstract We consider nonmalleable (NM) and universally composable (UC) commitment schemes in the
More informationGCMSIV: Full Nonce MisuseResistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell BarIlan University
GCMSIV: Full Nonce MisuseResistant Authenticated Encryption at Under One Cycle per Byte Shay Gueron Haifa Univ. and Intel Yehuda Lindell BarIlan University Appeared at ACM CCS 2015 How to Encrypt with
More informationCounter Expertise Review on the TNO Security Analysis of the Dutch OVChipkaart. OVChipkaart Security Issues Tutorial for NonExpert Readers
Counter Expertise Review on the TNO Security Analysis of the Dutch OVChipkaart OVChipkaart Security Issues Tutorial for NonExpert Readers The current debate concerning the OVChipkaart security was
More informationNonBlackBox Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak
NonBlackBox Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a
More informationA Proposal for an ISO Standard for Public Key Encryption (version 2.1)
A Proposal for an ISO Standard for Public Key Encryption (version 2.1) Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com December 20, 2001 Abstract This
More informationDiagonalization. Ahto Buldas. Lecture 3 of Complexity Theory October 8, 2009. Slides based on S.Aurora, B.Barak. Complexity Theory: A Modern Approach.
Diagonalization Slides based on S.Aurora, B.Barak. Complexity Theory: A Modern Approach. Ahto Buldas Ahto.Buldas@ut.ee Background One basic goal in complexity theory is to separate interesting complexity
More informationComputational Complexity: A Modern Approach
i Computational Complexity: A Modern Approach Draft of a book: Dated January 2007 Comments welcome! Sanjeev Arora and Boaz Barak Princeton University complexitybook@gmail.com Not to be reproduced or distributed
More informationLecture 2: Complexity Theory Review and Interactive Proofs
600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography
More informationScalable Protocols for Authenticated Group Key Exchange
Scalable Protocols for Authenticated Group Key Exchange Jonathan Katz Moti Yung Abstract We consider the problem of authenticated group key exchange among n parties communicating over an insecure public
More informationU.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra
U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009 Notes on Algebra These notes contain as little theory as possible, and most results are stated without proof. Any introductory
More informationRSA Attacks. By Abdulaziz Alrasheed and Fatima
RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.
More informationNotes on Factoring. MA 206 Kurt Bryan
The General Approach Notes on Factoring MA 26 Kurt Bryan Suppose I hand you n, a 2 digit integer and tell you that n is composite, with smallest prime factor around 5 digits. Finding a nontrivial factor
More informationCryptography and Network Security Chapter 9
Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 9 Public Key Cryptography and RSA Every Egyptian received two names,
More informationCMSC 858T: Randomized Algorithms Spring 2003 Handout 8: The Local Lemma
CMSC 858T: Randomized Algorithms Spring 2003 Handout 8: The Local Lemma Please Note: The references at the end are given for extra reading if you are interested in exploring these ideas further. You are
More information