# Message Authentication Codes 133

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in outputting a valid forgery on a previously unauthenticated message with probability Pr[Mac-forge A,Π (n) = 1] Pr[Mac-forge A,Π(n) = 1 NewBlock]. (4.3) Security of Π means that the left-hand side is negligible, proving the claim. The construction of A is the obvious one and so we describe it briefly. A runs A as a sub-routine, and answers the request by A for a tag on m by choosing r {0, 1} n/4 itself, parsing m appropriately, and making the necessary queries to its own MAC oracle Mac k( ). When A outputs (m, t = r, t 1,... ), then A checks whether NewBlock occurs (this is easy to do since A can keep track of all the queries it makes to its own oracle). If so, then A finds the first block r l i m i that was never previously authenticated by Mac and outputs (r l i m i, t i ). (If not, A outputs nothing.) The view of A when run as a sub-routine by A is distributed identically to the view of A in experiment Mac-forge A,Π (n), and so the probabilities of events Mac-forge A,Π (n) = 1 and NewBlock do not change. If NewBlock occurs then A outputs a block r l i m i that was never previously authenticated by its own MAC oracle; if Mac-forge A,Π (n) = 1 then the tag on every block is valid (with respect to Π ), and so in particular this is true for the bock output by A. This means that whenever Mac-forge A,Π (n) = 1 and NewBlock occur we have Mac-forge A,Π (n) = 1, proving Equation (4.3). 4.4 CBC-MAC Theorems 4.4 and 4.6 show that it is possible to construct a secure message authentication code for arbitrary-length messages from a pseudorandom function taking inputs of a fixed length. This demonstrates, in principle, that secure MACs can be constructed from block ciphers. Unfortunately, the resulting construction is extremely inefficient: to compute a tag on a message of length O(dn), the block cipher is evaluated O(d) times; the tag is O(dn) bits long. Fortunately, far more efficient constructions are available. We explore one such construction here that relies solely on block ciphers, and another in Section?? that uses an additional cryptographic primitive The Basic Construction CBC-MAC is a standardized message authentication code used widely in practice. A basic version of CBC-MAC, secure when authenticating messages

2 134 of any fixed length, is given as Construction 4.9. (See also Figure 4.1.) We caution that this basic scheme is not secure in the general case when messages of different lengths may be authenticated; see further discussion below. CONSTRUCTION 4.9 Let F be a pseudorandom function, and fix a length function l. The basic CBC-MAC construction is as follows: Gen: on input 1 n, choose k {0, 1} n uniformly at random. Mac: on input a key k {0, 1} n and a message m of length l(n) n, do the following (we set l = l(n) in what follows): 1. Parse m as m = m 1,..., m l where each m i is of length n. 2. Set t 0 := 0 n. Then, for i = 1 to l: Set t i := F k (t i 1 m i). Output t l as the tag. Vrfy: on input a key k {0, 1} n, a message m, and a tag t, do: If m is not of length l(n) n then output 0. Otherwise, output 1 if and only if t? = Mac k (m). Basic CBC-MAC (for fixed-length messages). THEOREM 4.10 Let l be a polynomial. If F is a pseudorandom function, then Construction 4.9 is a secure fixed-length MAC for messages of length l(n) n. The proof of Theorem 4.10 is somewhat involved. In the following section m 1 m 2 m 3 F k F k F k t FIGURE 4.1: Basic CBC-MAC (for fixed-length messages).

3 Message Authentication Codes 135 we will prove a more general result from which the above theorem follows. We stress that even though Construction 4.9 can be extended in the obvious way to handle messages whose length is an arbitrary multiple of n, the construction is only secure when the length of the messages being authenticated is fixed and agreed upon in advance by the sender and receiver. (See Exercise 4.11.) The advantage of this construction over Construction 4.3, which also gives a fixed-length MAC, is that the present construction can authenticate longer messages. Compared to Construction 4.5, CBC-MAC is much more efficient. CBC-MAC vs. CBC-mode encryption. CBC-MAC is similar to the CBC mode of encryption. There are, however, some important differences: 1. CBC-mode encryption uses a random IV and this is crucial for security. In contrast, CBC-MAC uses no IV (alternately, it can be viewed as using the fixed value IV = 0 n ) and this is also crucial for security. Specifically, CBC-MAC using a random IV is not secure. 2. In CBC-mode encryption all intermediate values t i (called c i in the case of CBC-mode encryption) are output by the encryption algorithm as part of the ciphertext, whereas in CBC-MAC only the final block is output as the tag. If CBC-MAC is modified to output all the {t i } obtained during the course of the computation then it is no longer secure. In Exercise 4.12 you are asked to verify that the modifications of CBC-MAC discussed above are insecure. These examples illustrate the fact that harmlesslooking modifications to cryptographic constructions can render them insecure. One should always implement a cryptographic construction exactly as specified, and not introduce any variations (unless the variations themselves can be proven secure). Furthermore, it is essential to understand the construction being used. In many cases a cryptographic library provides a programmer with a CBC function, but does not distinguish between the use of this function for encryption or message authentication. Secure CBC-MAC for variable-length messages. We briefly describe two ways Construction 4.9 can be modified, in a provably secure fashion, to handle variable-length messages. (Here for simplicity we assume that all messages being authenticated have length a multiple of n, and that Vrfy rejects any message whose length is not a multiple of n. In the following section we treat the more general case of arbitrary-length messages.) 1. Prepend the message m with its length m (encoded as an n-bit string), and then compute the basic CBC-MAC on the result. (See Figure 4.2.) Security of this modification follows from the results proved in the following section. Note that appending m to the end of the message and then computing the basic CBC-MAC is not secure.

4 136 m m 1 m 2 m 3 F k F k F k F k t FIGURE 4.2: A variant of CBC-MAC secure for authenticating variable-length messages. 2. Change the scheme so that key generation chooses two independent keys k 1 {0, 1} n and k 2 {0, 1} n. Then to authenticate a message m, first compute the basic CBC-MAC of m using k 1 and let t be the result; output the tag ˆt := F k2 (t). The second option has the advantage of not needing to know the message length in advance (i.e., when beginning to compute the tag). It has the drawback of using two keys for F * Proof of Security In this section we prove security of different variants of CBC-MAC. We begin by summarizing the results, and then give the details of the proof. Throughout this section, fix a keyed function F that, for security parameter n, maps n-bit keys and n-bit inputs to n-bit outputs. We define a keyed function CBC that, for security parameter n, maps n-bit keys and inputs in ({0, 1} n ) (i.e., strings whose length is a multiple of n) to n-bit outputs. This function is defined as CBC k (x 1,..., x l ) = F k (F k ( F k (F k (x 1 ) x 2 ) ) x l ), where x 1 = = x l = k = n. (We leave CBC k undefined on the empty string.) We call l the block-length of the input. Note that CBC is exactly basic CBC-MAC, though here we consider inputs having different block lengths. A set of strings P ({0, 1} n ) is prefix-free if it does not contain the empty string, and no string X P is a prefix of any other string X P. We show: THEOREM 4.11 If F is a pseudorandom function, then CBC is a pseudorandom function as long as the set of inputs on which it is queried is prefix-free. Formally, for all probabilistic polynomial-time distinguishers D

5 Message Authentication Codes 137 that query their oracle on a prefix-free set of inputs, there is a negligible function negl such that Pr[D CBCk( ) (1 n ) = 1] Pr[D f( ) (1 n ) = 1] negl(n), where k {0, 1} n is chosen uniformly at random and f is chosen uniformly at random from the set of functions mapping ({0, 1} n ) to {0, 1} n. Thus, we have a way to convert a pseudorandom function F on fixed-length inputs into a pseudorandom function CBC on variable-length inputs! To use this for message authentication, we adapt the idea of Construction 4.3 in the following way: to authenticate a message m, first apply some encoding function enc to m to obtain a (non-empty) string enc(m) ({0, 1} n ) ; then output the tag CBC k (enc(m)). For this to be secure (cf. the proof of Theorem 4.4), the encoding needs to be prefix-free, namely, to have the property that for any distinct (legal) messages m 1, m 2, the string enc(m 1 ) is not a prefix of enc(m 2 ). This implies that for any set of (legal) messages {m 1,...}, the set of encoded messages {enc(m 1 ),...} is prefix-free. We now examine two concrete applications of this idea: Fix l, and let the set of legal messages be {0, 1} l(n) n. Then we can take the trivial encoding enc(m) = m, which is prefix-free in this case since a string m 1 cannot be a prefix of a different string m 2 of the same length. This is exactly the basic CBC-MAC construction, and what we have said above implies that it is a secure fixed-length MAC (cf. Theorem 4.10). One way of handling arbitrary-length (non-empty) messages 5 is to encode a string m {0, 1} by prepending its length m (encoded as an n-bit string), and then appending as many 0s as needed to make the length of the resulting string a multiple of n. (This is essentially what is shown in Figure 4.2.) This encoding is prefix-free, and we therefore obtain a secure MAC for arbitrary-length messages. The rest of this section is devoted to a proof of Theorem In proving the theorem, we analyze CBC when it is keyed with a random function rather than a random key k for some underlying pseudorandom function F. That is, we consider the keyed function CBC defined as CBC g (x 1,...,x l ) = g (g ( g(g(x 1 ) x 2 ) ) x l ) where, for security parameter n, the function g maps n-bit inputs to n-bit outputs, and x 1 = = x l = n. Note that CBC as defined here is not efficient (since the representation of g requires space exponential in n); nevertheless, it is still a well-defined, keyed function. 5 Technically, we only handle messages of length less than 2 n.

6 138 We show that if g is chosen uniformly from Func n, then CBC g is indistinguishable from a random function mapping ({0, 1} n ) to n-bit strings as long as it is queried on a prefix-free set of inputs. More precisely: CLAIM 4.12 Fix any n 1. For all distinguishers D that query their oracle on a prefix-free set of q inputs, where the longest such input has blocklength l, it holds that Pr[D CBCg( ) (1 n ) = 1] Pr[D f( ) (1 n ) = 1] q 2 l 2 2 n, where g is chosen uniformly from Func n, and f is chosen uniformly from the set of functions mapping ({0, 1} n ) to {0, 1} n. (The claim is unconditional, and does not impose any constraints on the running time of D. Thus we may take D to be deterministic.) The above implies Theorem 4.11 using standard techniques that we have already seen. In particular, for any D running in polynomial time we must have q(n), l(n) = poly(n) and so q(n) 2 l(n) 2 2 n is negligible. PROOF (of Claim 4.12) Fix some n 1. The proof proceeds in two steps: We first define a notion of smoothness and prove that CBC is smooth; we then show that smoothness implies the claim. Let P = {X 1,..., X q } denote a prefix-free set of q inputs, where each X i ({0, 1} n ) and the longest string in P has block-length l. Note that for any t 1,...,t q {0, 1} n, we have Pr[ i : f(x i ) = t i ] = 2 nq if f is chosen uniformly from the set of functions mapping ({0, 1} n ) to {0, 1} n. We say that CBC is (q, l, δ)-smooth if for any such P and t 1,...,t q {0, 1} n, we have Pr[ i : CBC g (X i ) = t i ] (1 δ) 2 nq, where the probability is over uniform choice of g Func n. LEMMA 4.13 CBC is (q, l, δ)-smooth, with δ = q 2 l 2 2 n. PROOF For any X ({0, 1} n ), with X = x 1,... and x i {0, 1} n, let C g (X) denote the set of inputs on which g is evaluated during the computation of CBC g (X); i.e., if X ({0, 1} n ) m then C g (X) def = (x 1, CBC g (x 1 ) x 2,..., CBC g (x 1,..., x m 1 ) x m ). For X ({0, 1} n ) m and X ({0, 1} n ) m, with C g (X) = (I 1,..., I m ) and C g (X ) = (I 1,..., I m ), say there is a non-trivial collision if (1) I i = I j or I i = I j for some i j, or (2) I i = I j but (x 1,...,x i ) (x 1,..., x j ). Let Coll be the event that there is a non-trivial collision for some strings X, X P.

7 Message Authentication Codes 139 Consider choosing a random g by choosing, one-by-one, random values for the outputs of g on different inputs. Determining whether there is a nontrivial collision for two strings X, X P as above can be done by first choosing the values of g(i 1 ) and g(i 1 ) (if I 1 = I 1, these are the same), then choosing values for g(i 2 ) and g(i 2) (note that I 2 = g(i 1 ) x 2 and I 2 = g(i 1 ) x 2 are defined once g(i 1), g(i 1 ) are fixed), and continuing in this way until we choose values for g(i m 1 ) and g(i m 1 ). In particular, the values of g(i m ), g(i m ) do not need to be chosen. Similarly, one can determine whether Coll occurs by choosing the values of g on all-but-the-last entries of each of C g (X 1 ),..., C g (X q ). Assuming Coll does not occur, we claim that in the process of fixing all those values of g, the values of the last entries of each of C g (X 1 ),..., C g (X q ) are distinct and have, in fact, not been fixed. Distinctness is immediate from the fact that Coll has not occurred, and the only way some last entry could possibly have been fixed is due to a trivial collision where, say, I m = I m and (x 1,..., x m ) = (x 1,..., x m ). But that would mean X is a prefix of X, violating the assumption that P is prefix-free. We thus see that conditioned on the event that Coll does not occur, the values CBC g (X 1 ),..., CBC g (X q ) (which are equal to the values of g on the last entries of each of C g (X 1 ),..., C g (X q )) are uniform and independent. So Pr [ i : CBC g (X i ) = t i Coll ] = 2 nq. (4.4) We next show that Coll occurs with high probability by upper-bounding Pr[Coll]. Letting Coll i,j denote the event of a non-trivial collision between (distinct) X i, X j P, we have Coll = i,j Coll i,j and so a union bound gives Pr[Coll] i,j: i<j Pr[Coll i,j ] = ( ) q Pr[Coll i,j ] q2 2 2 Pr[Coll i,j]. (4.5) Fixing distinct X = X i and X = X j in P, we now bound Coll i,j. As will be clear from the analysis, the probability is maximized when X and X are both as long as possible; we assume they both have block-length l. Let X = (x 1,..., x l ) and X = (x 1,..., x l ), and let t be the largest integer such that (x 1,..., x t ) = (x 1,..., x t). We assume t > 0, but the analysis below can be easily modified (to give the same result) if t = 0. We continue to let I 1,... (resp., I 1,...) denote the inputs to g during the course of computing CBC g (X) (resp., CBC g (X )); note that (I 1,..., I t) = (I 1,..., I t ). As above, consider choosing a random g by choosing random values for the outputs of g, one-by-one. Here we do this in 2l 2 steps as follows: Steps 1 through t 1: (These steps are run only if t > 1.) In step i, choose a random value for g(i i ), defining I i+1 = I i+1. Step t: Choose a random value for g(i t ), defining I t+1 and I t+1. Steps t + 1 to l 1: In step i, choose a random value for g(i i ), defining I i+1.

8 140 Steps l to 2l 2: Choose, in turn, random values for g(i t+1 ),..., g(i l 1 ); in each case, choosing g(i i ) defines I i+1. Let Coll(i) be the event that a non-trivial collision occurs by step i. Then Pr[Coll i,j ] = Pr[ 2l 2 i Coll(i)] Pr[Coll(1)] + i=2 Pr[Coll(i) Coll(i 1)], (4.6) using Proposition A.9. For i < t, we claim that Pr[Coll(i) Coll(i 1)] = i/2 n : indeed, if no non-trivial collision has occurred by step i 1, the value of g(i i ) is chosen uniformly at random in step i; a non-trivial collision occurs only if I i+1 = g(i i ) x i+1 is equal to one of {I 1,..., I i }. By similar reasoning, we have Pr[Coll(t) Coll(t 1)] 2t/2 n. (Now we have two values I t+1, I t+1 to consider; note they cannot be equal to each other.) Finally, for i > t we have Pr[Coll(i) Coll(i 1)] = (i + 1)/2 n by an analogous argument. Using Equation (4.6), we thus have Pr[Coll i,j ] 2 n ( t 1 i + 2t + i=1 2l 2 i=t+1 (i + 1) 2l 1 = 2 n i = 2 n (2l + 1) (l 1) < 2l 2 2 n. i=2 From Equation (4.5) we get Pr[Coll] < q 2 l 2 2 n = δ. Finally, using Equation (4.4) we see that as claimed. Pr[ i : CBC g (X i ) = t i ] Pr [ i : CBC g (X i ) = t i Coll ] Pr[Coll] ) = 2 nq Pr[Coll] (1 δ) 2 nq, We now show that smoothness implies the theorem. Fix a deterministic distinguisher D and assume without loss of generality that D always makes q (distinct) queries, the longest of which has block-length l. We stress that D may choose its queries adaptively (i.e., depending on the answers to previous queries), however the set of D s queries must be prefix-free. For distinct X 1,...,X q ({0, 1} n ) and arbitrary t 1,...,t q {0, 1} n, define α(x 1,..., X q ; t 1,..., t q ) to be 1 if and only if D outputs 1 when making queries X 1,...,X q and getting responses t 1,..., t q. (If, say, D does not make query X 1 as its first query, then α(x 1,...;...) = 0.) Letting

9 Message Authentication Codes 141 X = (X 1,...,X q ) and t = (t 1,..., t q ), we then have Pr[D CBCg( ) (1 n ) = 1] = X prefix-free; t X prefix-free; t = (1 δ) Pr[D f( ) (1 n ) = 1], α( X, t) Pr[ i : CBC g (X i ) = t i ] α( X, t) (1 δ) Pr[ i : f(x i ) = t i ] where, above, g is chosen uniformly from Func n, and f is chosen uniformly from the set of functions mapping ({0, 1} n ) to {0, 1} n. This implies Pr[D f( ) (1 n ) = 1] Pr[D CBCg( ) (1 n ) = 1] δ Pr[D f( ) (1 n ) = 1] δ. A symmetric argument for when D outputs 0 completes the proof. 4.5 Authenticated Encryption In Chapter 3, we studied how it is possible to obtain secrecy in the privatekey setting using encryption. In this chapter, we have shown how to ensure integrity using message authentication codes. One might naturally want to achieve both goals simultaneously, and it is this problem we turn to now. We remark that it is best practice to always ensure secrecy and integrity by default in the private-key setting. Indeed, in many applications where secrecy is required it turns out that integrity is essential also. Moreover, a lack of integrity can sometimes lead to a breach of secrecy Definitions We begin, as usual, by defining precisely what we wish to achieve. At an abstract level, our goal is to realize an ideally secure communication channel that provides both secrecy and integrity. Pursuing a definition of this sort is beyond the scope of this book. Instead, we provide a simpler though more cumbersome set of definitions that treat secrecy and integrity separately. This definition and the resulting analysis suffice for understanding the key issues at hand. (We caution the reader, however, that in contrast to encryption and message authentication codes the field has not yet settled on standard terminology and definitions for authenticated encryption.) Let Π = (Gen, Enc, Dec) be a private-key encryption scheme. As mentioned already, we define security by separately defining secrecy and integrity. The notion of secrecy we consider is one we have seen before: we require that

11 Message Authentication Codes 143 the importance of definitions and proofs of security. On the positive side, we show how encryption and message authentication can be combined properly to achieve joint secrecy and integrity. Throughout, let Π E = (Enc, Dec) be an encryption scheme and let Π M = (Mac, Vrfy) denote a message authentication code, where key generation in both schemes simply involves choosing a uniform n-bit key. There are three natural approaches to combining encryption and message authentication using independent keys 6 k E and k M for Π E and Π M, respectively: 1. Encrypt-and-authenticate: In this method, encryption and message authentication are computed independently in parallel. That is, given a plaintext message m, the sender transmits the ciphertext c, t where: c Enc ke (m) and t Mac km (m). The receiver decrypts c to recover m, and then verifies the tag t. If Vrfy km (m, t) = 1, the receiver outputs m; otherwise, it outputs. 2. Authenticate-then-encrypt: Here a MAC tag t is first computed, and then the message and tag are encrypted together. That is, the ciphertext c is computed as: t Mac km (m) and c Enc ke (m t). The receiver decrypts c to obtain m t, and then verifies the tag t on m. As before, if Vrfy km (m, t) = 1 the receiver outputs m; otherwise, it outputs. 3. Encrypt-then-authenticate: In this case, the message m is first encrypted and then a MAC tag is computed over the result. That is, the ciphertext is the pair c, t where: c Enc ke (m) and t Mac km (c). (See also Construction 4.16.) If Vrfy km (c, t) = 1, then the receiver decrypts c and outputs the result; otherwise, it outputs. We analyze each of the above approaches when they are instantiated with generic secure components, i.e., an arbitrary CPA-secure encryption scheme and an arbitrary secure MAC (with an additional technical property we define later). We want an approach that provides joint secrecy and integrity when using any (secure) components, and we will therefore reject as unsafe any approach for which there exists even a single counterexample of a secure encryption scheme/mac for which the combination is insecure. This all-ornothing approach reduces the likelihood of implementation flaws. In more 6 Independent cryptographic keys should always be used when different schemes are combined. We return to this point at the end of this section.

12 144 detail: An authenticated encryption scheme might be implemented by making calls to an encryption subroutine and a message authentication subroutine, and the implementation of those subroutines may be changed at some later point in time. (This commonly occurs when cryptographic libraries are updated, or when standards are modified.) Implementing an approach whose security depends on how its components are implemented (rather than on the security they provide) is therefore dangerous. We stress that if an approach is rejected this does not mean that it is insecure for all possible instantiations of the components; it does, however, mean that any instantiation of the approach must be analyzed and proven secure before it should be used. Encrypt-and-authenticate. Recall that in this approach encryption and message authentication are done independently. Given a message m, the transmitted value is c, t where c Enc ke (m) and t Mac km (m). This approach is not sound, as it may not achieve even the most basic level of secrecy. To see this, note that a secure MAC does not guarantee any secrecy and so it is possible for the tag Mac km (m) to leak information about m to an eavesdropper. (As a trivial example, consider a secure message authentication code where the first bit of the tag is always equal to the first bit of the message.) So the encrypt-and-authenticate approach may yield a scheme that does not even have indistinguishable encryptions in the presence of an eavesdropper, the most basic level of secrecy. Moreover, the encrypt-and-authenticate approach is likely to be insecure against chosen-plaintext attacks even when instantiated with standard components. (The counterexample in the previous paragraph was contrived.) If a deterministic MAC is used, then the tag computed on a message (for some fixed key k M ) is the same every time; this allows an eavesdropper to identify when the same message is sent twice, and so is not CPA-secure. Most MACs used in practice are deterministic, so this represents a real concern. Authenticate-then-encrypt. Here, a MAC tag t Mac km (m) is first computed; then m t is encrypted and the resulting value Enc ke (m t) is transmitted. We show that this combination also does not necessarily yield a good authenticated encryption scheme. In fact, we have already encountered a CPA-secure encryption scheme for which this approach is insecure: the CBC-mode-with-padding scheme discussed in Section (We assume in what follows that the reader is familiar with that section.) Recall that this scheme works by first padding the plaintext (which in our case will be m t) in a specific way so the result is a multiple of the block length, and then encrypting the result using CBC mode. During decryption, if an error in the padding is detected after performing the CBCmode decryption, then a bad padding error is returned. With regard to

13 Message Authentication Codes 145 authenticate-then-encrypt, this means there are now two sources of potential decryption failure: the padding may be incorrect, or the MAC tag may not verify. Schematically, then, the decryption algorithm Dec in the combined scheme works as follows: Dec k E,k M (c): 1. Compute m = Dec ke (c). If an error in the padding is detected, return bad padding and stop. 2. Parse m as m t. If Vrfy km (m, t) = 1 return m; else, output authentication failure. Assuming the attacker can distinguish between the two error messages, the attacker can apply the same chosen-ciphertext attack described in Section to the authenticate-then-encrypt scheme to recover the entire original plaintext given a single ciphertext. Exactly this type of attack has been carried out successfully on versions of IPsec that (mistakenly) use authenticate-thenencrypt to provide authenticated communication. One way to fix the above scheme would be to ensure that only a single error message is returned, regardless of the source of decryption failure. This is an unsatisfying solution for several reasons: (1) there may be legitimate reasons (e.g., usability, debugging) to have multiple error messages; furthermore, (2) forcing the error messages to be the same means that the combination is no longer truly generic, i.e., it requires the implementer of the authenticatethen-encrypt approach to be aware of what error messages are returned by the underlying CPA-secure encryption scheme. In any case, there are also other (arguably less natural) examples showing attacks on the authenticatethen-encrypt approach. Encrypt-then-authenticate. In this approach, the message is first encrypted and then a MAC is computed over the result. That is, the message is the pair c, t where c Enc ke (m) and t Mac km (c). Decryption of c, t is done by outputting if Vrfy km (c, t) 1, and otherwise outputting Dec ke (c). See Construction 4.16 for a formal description. This approach is sound, as long as the MAC satisfies an additional technical property. Say (Mac, Vrfy) has unique tags if for every key k M and every m there is a unique tag t for which Vrfy km (m, t) = 1. The requirement of unique tags is not hard to achieve, and any deterministic MAC with canonical verification will satisfy it. (Construction 4.5 is the only construction we will see that does not satisfy this property.) As intuition for the security of this approach, say a ciphertext c, t is valid if t is a valid MAC tag on c. Security of the MAC ensures that an adversary will be unable to generate any valid ciphertext that it did not receive from its encryption oracle. This immediately implies that Construction 4.16 achieves

14 146 CONSTRUCTION 4.16 Let Π E = (Enc,Dec) be a private-key encryption scheme and let Π M = (Mac, Vrfy) be a message authentication code, where in each case key generation is done by simply choosing a uniform n-bit key. Define a private-key encryption scheme (Gen, Enc,Dec ) as follows: Gen : on input 1 n, choose independent, uniform k E, k M {0, 1} n and output the key (k E, k M). Enc : on input a key (k E, k M) and a plaintext message m, compute c Enc ke (m) and t Mac km (c). Output the ciphertext c, t. Dec : on input a key (k E, k M) and a ciphertext c, t, first check whether Vrfy km (c, t)? = 1. If yes, then output Dec ke (c); if no, then output. A generic construction of an authenticated encryption scheme. authenticated communication. Moreover, it has the effect of rendering the decryption oracle useless since for every ciphertext c, t the adversary submits to its decryption oracle, the adversary either already knows the decryption (if it received c, t from its own encryption oracle) or else can expect the result to be an error (since the adversary cannot generate any new, valid ciphertexts). This means that CCA-security of the combined scheme reduces to the CPA-security of Π E. We prove this rigorously below. THEOREM 4.17 Let Π E be a CPA-secure private-key encryption scheme, and let Π M be a secure message authentication code with unique tags. Then Construction 4.16 is an authenticated encryption scheme. PROOF Let Π denote the scheme resulting from Construction We need to show that Π achieves authenticated communication, and that it is CCA-secure. Following the intuition given above, say a ciphertext c, t is valid (with respect to secret key (k E, k M )) if Vrfy km (c, t) = 1. We will argue that security of Π M as a message authentication code implies that (except with negligible probability) any new ciphertexts the adversary gives the decryption oracle will be invalid and so the decryption oracle will simply return. Since the decryption oracle is essentially useless, security of Π = (Gen, Enc, Dec ) is reduced to the CPA-security of Π E. Let A be a probabilistic polynomial-time adversary attacking Construction 4.16 in a chosen-ciphertext attack (cf. Definition 3.30). Say a ciphertext c, t is new if A did not receive any ciphertext of the form c, from its encryption oracle or as the challenge ciphertext. Let ValidQuery be the event that A submits a new ciphertext c, t to its decryption oracle which is valid, i.e., for which Vrfy km (c, t) = 1. We prove:

17 Message Authentication Codes Choose k M {0, 1} n uniformly at random. 2. Run A on input 1 n. When A makes an encryption-oracle query for the message m, answer it as follows: (i) Query m to Enc ke ( ) and receive c in response. (ii) Compute t Mac km (c), and return c, t to A. When A makes a decryption-oracle query for the ciphertext c, t, answer it as follows: (i) If c, t was a response to a previous encryption-oracle query for a message m, return m. Otherwise, return. 3. When A outputs messages (m 0, m 1 ), output these same messages and receive a challenge ciphertext c in response. Compute t Mac km (c), and return c, t as the challenge ciphertext for A. Continue answering A s oracle queries as above. 4. Output the same bit b that is output by A. Notice that A E does not need a decryption oracle because it simply assumes that any decryption query by A that was not the result of a previous encryption-oracle query is invalid. Clearly, A E runs in probabilistic polynomial time. Furthermore, the view of A when run as a subroutine by A E is distributed identically to the view of A in experiment PrivK cca A,Π (n) as long as event ValidQuery never occurs. Therefore, the probability that A E succeeds when ValidQuery does not occur is the same as the probability that A succeeds when ValidQuery does not occur; i.e., Pr[PrivK cpa A E,Π E (n) = 1 ValidQuery] = Pr[PrivK cca A,Π (n) = 1 ValidQuery], implying that Pr[PrivK cpa A E,Π E (n) = 1] Pr[PrivK cpa A E,Π E (n) = 1 ValidQuery] = Pr[PrivK cca A,Π (n) = 1 ValidQuery]. Since Π E is CPA-secure, there exists a negligible function negl such that Pr[PrivK cpa A E,Π E (n) = 1] negl(n). This proves the claim. The need for independent keys. We conclude this section by stressing a basic principle of cryptography: different instances of cryptographic primitives should always use independent keys. To illustrate this here, consider what can happen to the encrypt-then-authenticate methodology when the same key k is used for both encryption and authentication. Let F be a strong pseudorandom permutation. It follows that F 1 is a strong pseudorandom permutation also. Define Enc k (m) = F k (m r) for m {0, 1} n/2 and a random r {0, 1} n/2, and define Mac k (c) = F 1 k (c). It can be shown that the given encryption scheme is CPA-secure (in fact, it is even CCA-secure), and we know that the

18 150 given message authentication code is a secure MAC. However, the encryptthen-authenticate combination applied to the message m with the same key k yields: Enc k (m), Mac k (Enc k (m)) = F k (m r), F 1 k (F k(m r)) = F k (m r), m r, and the message m is revealed in the clear! This does not in any way contradict Theorem 4.17, since Construction 4.16 expressly requires that k M, k E are chosen (uniformly and) independently Secure Communication Sessions We briefly describe the application of authenticated encryption to the setting of two parties who wish to communicate securely namely, with joint secrecy and integrity over the course of a communication session. (For the purposes of this section, a communication session is simply a period of time during which the communicating parties are willing to maintain state.) In our treatment here we are deliberately informal; a formal definition is quite involved, and this topic arguably lies more in the area of network security than cryptography. Let Π = (Gen, Enc, Dec) be an authenticated encryption scheme. Consider two parties A and B who share a key k and wish to use this key to secure their communication over the course of a session. The obvious thing to do here is to use Π: Whenever A, say, wants to transmit a message m to B, it computes c Enc k (m) and sends c to B; in turn, B decrypts c to recover the result (ignoring the result if decryption returns ). This simple approach, however, does not suffice, as there are two potential attacks: Replay attack As noted previously, an attacker can replay a (valid) ciphertext c sent previously by one of the parties. This can cause a mismatch between what is sent by one party and received by the other, e.g., causing B to output a message m twice, even though A only sent this message once. Reflection attack An attacker can take a ciphertext c sent from A to B, and send it back to A! This again can cause a mismatch between the two parties transcripts of their communication session: A may output a message m, even though B never sent such a message. Fortunately, the above attacks are relatively easy to prevent using counters to address the first attack and a directionality bit to prevent the second. We describe these in tandem. Each party will maintain two counters ctr A,B and ctr B,A keeping track of the number of messages sent from A to B (resp., B to A) during the session. These counters are both initialized to 0 at each party, and are incremented each time a party sends or receives a (valid) message. The parties also agree on a bit b A,B, and define b B,A to be its complement. (One

19 Message Authentication Codes 151 natural way to do this is to set b A,B = 0 iff the identity of A is lexicographically smaller than the identity of B.) When A wants to transmit a message m to B, she computes the ciphertext c Enc k (b A,B ctr A,B m) and sends c; she then increments ctr A,B. Upon receiving c, party B decrypts; if the result is, he immediately rejects. Otherwise, he parses the decrypted message as b ctr m. If b = b A,B and ctr = ctr A,B, then B outputs m and increments ctr A,B ; otherwise, B rejects. The above steps, mutatis mutandis, are applied when B sends a message to A CCA-Secure Encryption It follows directly from the definition that any authenticated encryption scheme is also secure against chosen-ciphertext attacks. Can there be CCAsecure private-key encryption schemes that do not achieve authenticated communication? Indeed, there are; see Exercise One can imagine applications where CCA-security is needed but authenticated encryption is not. One example might be when private-key encryption is used for key transport. As a concrete example, say a server gives a tamperproof hardware token to a user, where embedded in the token is a long-term key k. The server can upload a fresh, short-term key k to this token by giving the user Enc k (k ); the user is supposed to give this ciphertext to the token, which will decrypt it and use k for the next time period. A chosen-ciphertext attack in this setting could allow the user to learn k, something the user is not supposed to be able to do. (Note that here a padding-oracle attack, which only relies on the user s ability to determine whether a decryption failure occurs, could potentially be carried out rather easily.) On the other hand, not much harm is done if the user can generate a valid ciphertext that causes the token to use an arbitrary (unrelated) key k for the next time period. (Of course, this depends on what the token does with this short-term key.) Notwithstanding the above, for private-key encryption most natural constructions of CCA-secure schemes that we know anyway satisfy the stronger definition of authenticated encryption. Put differently, there is no real reason to ever use a CCA-secure scheme that is not an authenticated encryption scheme, simply because we don t really have any constructions satisfying the former that are more efficient than constructions achieving the latter. From a conceptual point of view, however, it is important to keep the notions of CCA security and authenticated communication distinct. With regard to CCA-security we are not necessarily interested in obtaining message integrity; rather, we wish to ensure privacy even against an active adversary who can interfere with the communication as it goes from sender to receiver. In contrast, with regard to authenticated communication we are interested in the twin goals of secrecy and integrity. We stress this here because in the public-key setting that we study later in the book, the difference between authenticated communication and CCA-security will be more pronounced.

20 * Information-Theoretic MACs In previous sections we have explored message authentication codes with computational security, i.e., where bounds on the attacker s running time are assumed. Recalling the results of Chapter 2, it is natural to ask whether message authentication in the presence of an unbounded adversary is possible. We study here conditions under which such information-theoretic (as opposed to computational) security is attainable. A first observation is that it is impossible to achieve perfect security in this context: namely, we cannot hope to have a message authentication code for which the probability that an adversary outputs a valid tag on a previously unauthenticated message is 0. The reason is that an adversary can simply guess a valid tag t on any message; the guess will be correct with probability (at least) 1/2 t, where t denotes the tag-length of the scheme. The above example tells us what we can hope to achieve: a MAC with tags of length t where the probability of forgery is at most 1/2 t, even for unbounded adversaries. We will see in the next few sections that this is achievable, but only under restrictions on how many messages are authenticated by the honest parties The Definition A starting point is to take experiment Mac-forge A,Π (n) that is used to define security for computationally secure MACs (cf. Definition 4.2), but to drop the security parameter n and require that Pr[Mac-forge A,Π (n) = 1] should be small for all adversaries A (and not just adversaries running in polynomial time). As mentioned above (and as will be proved formally in Section 4.6.3), though, such a definition is impossible to achieve. Rather, information-theoretic security can be achieved only if we place some bound on the number of messages authenticated by the honest parties. We look here at the most basic setting, where the parties authenticate just a single message. We refer to this as one-time message authentication. The following experiment modifies Mac-forge A,Π (n) following the above discussion: The one-time message authentication experiment Mac-forge 1-time A,Π : 1. A random key k is generated by running Gen. 2. The adversary A outputs a message m, and is given in return a tag t Mac k (m ). 3. A outputs (m, t). 4. The output of the experiment is defined to be 1 if and only if (1) Vrfy k (m, t) = 1 and (2) m m.

21 Message Authentication Codes 153 DEFINITION 4.20 A message authentication code Π = (Gen, Mac, Vrfy) is one-time ε-secure, or just ε-secure, if for all adversaries A: Pr[Mac-forge A,Π = 1] ε A Construction In this section we show how to build an ε-secure MAC based on any strongly universal 7 function. We then show a simple construction of the latter. Let h : K M T be a keyed function whose first input is a key k K and whose second input is taken from some domain M. As usual, we write h k (m) instead of h(k, m). A function is strongly universal (or pairwise-independent) if for any two distinct inputs m, m the values h k (m) and h k (m ) are uniformly and independently distributed in T when k is a uniform key. Note that if h k (m), h k (m ) are uniformly and independently distributed in T then the probability that they take on any particular values t, t is exactly 1/ T 2. We thus have: DEFINITION 4.21 A function h : K M T is strongly universal if for all distinct m, m M and all t, t T we have Pr[h k (m) = t h k (m ) = t ] = 1/ T 2, where the probability is taken over uniform choice of k K. CONSTRUCTION 4.22 Let h : K M T be a strongly universal function. Define a MAC for messages in M as follows: Gen: choose k K uniformly at random. Mac: on input a key k K and a message m M, output the tag t := h k (m). Vrfy: on input a key k K, a message m M, and a tag t T, output 1 if and only if t? = h k (m). (If m M, then output 0.) A MAC from any strongly universal function. The above should motivate the construction of a one-time message authentication code from any strongly universal function h. The tag t on a message 7 These are often called strongly universal hash functions, but in cryptographic contexts the term hash has another meaning that we will see later in the book.

22 154 m is obtained by computing h k (m), where the key k is (of course) chosen at random. (See Construction 4.22.) Intuitively, even after an adversary observes the tag t := h k (m ) for any message m, the correct tag h k (m) for any other message m is still uniformly distributed in T from the adversary s point of view. The adversary can only hope to guess the right tag, and this guess will be correct only with probability 1/ T. The above construction can be viewed as analogous to Construction 4.3, if we view a strongly universal function h as an information-theoretic pseudorandom function as long as h is only evaluated twice. THEOREM 4.23 Let h : K M T be a strongly universal function. Then Construction 4.22 is a 1/ T -secure MAC for messages in M. PROOF Let A be an adversary. As usual in the information-theoretic setting, we may assume A is deterministic without loss of generality. So the message m that A outputs at the outset of the experiment is fixed. Furthermore, the (m, t) that A outputs at the end of the experiment is a deterministic function A(t ) of the tag t on m that A receives. We thus have Pr[Mac-forge A,Π = 1] = Pr[Mac-forge A,Π = 1 h k (m ) = t ] This proves the theorem. = = t T t T (m, t) := A(t ) t T (m, t) := A(t ) = 1/ T. Pr[h k (m) = t h k (m ) = t ] 1/ T 2 We now turn to a classical construction of a strongly universal function. We assume some basic knowledge about arithmetic modulo a prime number; readers may refer to Sections and for the necessary background. def Fix some prime p, and let Z p = {0,...,p 1}. We take as our message space M = Z p ; the space of possible tags will also be T = Z p. A key (a, b) will consist of a pair of elements from Z p ; thus, K = Z p Z p. Define h as h a,b (m) = [a m + b mod p], where the notation [X mod p] refers to the reduction of the integer X modulo p (and so [X mod p] Z p always). THEOREM 4.24 For any prime p, the function h is strongly universal.

### Message Authentication Code

Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

### Authentication and Encryption: How to order them? Motivation

Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in

### 1 Construction of CCA-secure encryption

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### 1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

### Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

### The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication

### Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

### Talk announcement please consider attending!

Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

### Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

### Lecture 13: Message Authentication Codes

Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts

### Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

### 1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

### Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

### Authenticated encryption

Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu October 16th, 2013 Active attacks on CPA-secure encryption

### MAC. SKE in Practice. Lecture 5

MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve

### Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense

### 1 Domain Extension for MACs

CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).

### Post-Quantum Cryptography #4

Post-Quantum Cryptography #4 Prof. Claude Crépeau McGill University http://crypto.cs.mcgill.ca/~crepeau/waterloo 185 ( 186 Attack scenarios Ciphertext-only attack: This is the most basic type of attack

### Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

### Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

### Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives Olivier Pereira Université catholique de Louvain ICTEAM Crypto Group B-1348, Belgium olivier.pereira@uclouvain.be

### Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes

### Ciphertext verification security of symmetric encryption schemes

www.scichina.com info.scichina.com www.springerlink.com Ciphertext verification security of symmetric encryption schemes HU ZhenYu 1, SUN FuChun 1 & JIANG JianChun 2 1 National Laboratory of Information

### MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

An extended abstract of this paper appears in Tatsuaki Okamoto, editor, Advances in Cryptology ASIACRYPT 2000, Volume 1976 of Lecture Notes in Computer Science, pages 531 545, Kyoto, Japan, December 3

### SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct

### 1 Signatures vs. MACs

CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

### Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages:

Designing Hash functions and message authentication codes Reviewing... We have seen how to authenticate messages: Using symmetric encryption, in an heuristic fashion Using public-key encryption in interactive

### Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

### Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

### Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

### Cryptography. Jonathan Katz, University of Maryland, College Park, MD 20742.

Cryptography Jonathan Katz, University of Maryland, College Park, MD 20742. 1 Introduction Cryptography is a vast subject, addressing problems as diverse as e-cash, remote authentication, fault-tolerant

### Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

### Simulation-Based Security with Inexhaustible Interactive Turing Machines

Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de

### Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen - Huawei, Singapore Ye Zhang - Pennsylvania State University, USA Siu Ming

### On-Line/Off-Line Digital Signatures

J. Cryptology (996) 9: 35 67 996 International Association for Cryptologic Research On-Line/Off-Line Digital Signatures Shimon Even Computer Science Department, Technion Israel Institute of Technology,

### Digital Signatures. What are Signature Schemes?

Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counter-parts of the message authentication schemes in the public

### Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database

### CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

### Secure Computation Without Authentication

Secure Computation Without Authentication Boaz Barak 1, Ran Canetti 2, Yehuda Lindell 3, Rafael Pass 4, and Tal Rabin 2 1 IAS. E:mail: boaz@ias.edu 2 IBM Research. E-mail: {canetti,talr}@watson.ibm.com

### Factoring & Primality

Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount

### Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm

Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers

### Chapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes

Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret

### CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

### Chapter 7. Message Authentication. 7.1 The setting

Chapter 7 Message Authentication In most people s minds, privacy is the goal most strongly associated to cryptography. But message authentication is arguably even more important. Indeed you may or may

### Overview of Symmetric Encryption

CS 361S Overview of Symmetric Encryption Vitaly Shmatikov Reading Assignment Read Kaufman 2.1-4 and 4.2 slide 2 Basic Problem ----- ----- -----? Given: both parties already know the same secret Goal: send

### Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

### MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

### Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

### CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

### Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

### Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

### Chapter 3. Network Domain Security

Communication System Security, Chapter 3, Draft, L.D. Chen and G. Gong, 2008 1 Chapter 3. Network Domain Security A network can be considered as the physical resource for a communication system. This chapter

### Chapter 12. Digital signatures. 12.1 Digital signature schemes

Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this

### Network Security. Modes of Operation. Steven M. Bellovin February 3, 2009 1

Modes of Operation Steven M. Bellovin February 3, 2009 1 Using Cryptography As we ve already seen, using cryptography properly is not easy Many pitfalls! Errors in use can lead to very easy attacks You

### Security Analysis of DRBG Using HMAC in NIST SP 800-90

Security Analysis of DRBG Using MAC in NIST SP 800-90 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@u-fukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator

### Cryptographic Hash Functions Message Authentication Digital Signatures

Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBC-MAC Digital signatures 2 Encryption/Decryption

### Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)

### CS155. Cryptography Overview

CS155 Cryptography Overview Cryptography Is n A tremendous tool n The basis for many security mechanisms Is not n The solution to all security problems n Reliable unless implemented properly n Reliable

### Limits of Computational Differential Privacy in the Client/Server Setting

Limits of Computational Differential Privacy in the Client/Server Setting Adam Groce, Jonathan Katz, and Arkady Yerukhimovich Dept. of Computer Science University of Maryland {agroce, jkatz, arkady}@cs.umd.edu

### CryptoVerif Tutorial

CryptoVerif Tutorial Bruno Blanchet INRIA Paris-Rocquencourt bruno.blanchet@inria.fr November 2014 Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 1 / 14 Exercise 1: preliminary definition SUF-CMA

### On the Security of CTR + CBC-MAC

On the Security of CTR + CBC-MAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBC-MAC (CCM) encryption mode.

### Symmetric Crypto MAC. Pierre-Alain Fouque

Symmetric Crypto MAC Pierre-Alain Fouque Birthday Paradox In a set of D elements, by picking at random D elements, we have with high probability a collision two elements are equal D=365, about 23 people

### Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Module 8 Network Security Lesson 2 Secured Communication Specific Instructional Objectives On completion of this lesson, the student will be able to: State various services needed for secured communication

### Signature Schemes. CSG 252 Fall 2006. Riccardo Pucella

Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by

### 11 Ideals. 11.1 Revisiting Z

11 Ideals The presentation here is somewhat different than the text. In particular, the sections do not match up. We have seen issues with the failure of unique factorization already, e.g., Z[ 5] = O Q(

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer

### Key Agreement from Close Secrets over Unsecured Channels Winter 2010

Key Agreement from Close Secrets over Unsecured Channels Winter 2010 Andreas Keller Contens 1. Motivation 2. Introduction 3. Building Blocks 4. Protocol Extractor Secure Sketches (MAC) message authentication

### lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

Symmetric Crypto Pierre-Alain Fouque Birthday Paradox In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal N=365, about 23 people are

### Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas El-Qawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.

### QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

QUANTUM COMPUTERS AND CRYPTOGRAPHY Mark Zhandry Stanford University Classical Encryption pk m c = E(pk,m) sk m = D(sk,c) m??? Quantum Computing Attack pk m aka Post-quantum Crypto c = E(pk,m) sk m = D(sk,c)

### Stronger Security Bounds for OMAC, TMAC and XCBC

Stronger Security Bounds for OMAC, MAC and XCBC etsu Iwata Kaoru Kurosawa Department of Computer and Information Sciences, Ibaraki University 4 1 1 Nakanarusawa, Hitachi, Ibaraki 316-8511, Japan {iwata,

### Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

### Modes of Operation of Block Ciphers

Chapter 3 Modes of Operation of Block Ciphers A bitblock encryption function f: F n 2 Fn 2 is primarily defined on blocks of fixed length n To encrypt longer (or shorter) bit sequences the sender must

### Overview of Public-Key Cryptography

CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

### Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53

Cryptography and Network Security, PART IV: Reviews, Patches, and Theory Timo Karvi 11.2012 Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Key Lengths I The old

### CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

### Department Informatik. Privacy-Preserving Email Forensics. Technical Reports / ISSN 2191-5008. Frederik Armknecht, Andreas Dewald

Department Informatik Technical Reports / ISSN 2191-5008 Frederik Armknecht, Andreas Dewald Privacy-Preserving Email Forensics Technical Report CS-2015-03 April 2015 Please cite as: Frederik Armknecht,

### Message Authentication Codes. Lecture Outline

Message Authentication Codes Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Message Authentication Code Lecture Outline 1 Limitation of Using Hash Functions for Authentication Require an authentic

### Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz June 13, 2006 Abstract We propose simple and efficient CCA-secure public-key encryption schemes

### SFWR ENG 4C03 - Computer Networks & Computer Security

KEY MANAGEMENT SFWR ENG 4C03 - Computer Networks & Computer Security Researcher: Jayesh Patel Student No. 9909040 Revised: April 4, 2005 Introduction Key management deals with the secure generation, distribution,

### Non-interactive and Reusable Non-malleable Commitment Schemes

Non-interactive and Reusable Non-malleable Commitment Schemes Ivan Damgård a Jens Groth b June 16, 2003 Abstract We consider non-malleable (NM) and universally composable (UC) commitment schemes in the

### GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell Bar-Ilan University

GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte Shay Gueron Haifa Univ. and Intel Yehuda Lindell Bar-Ilan University Appeared at ACM CCS 2015 How to Encrypt with

### Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart. OV-Chipkaart Security Issues Tutorial for Non-Expert Readers

Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart OV-Chipkaart Security Issues Tutorial for Non-Expert Readers The current debate concerning the OV-Chipkaart security was

### Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

Non-Black-Box Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a

### A Proposal for an ISO Standard for Public Key Encryption (version 2.1)

A Proposal for an ISO Standard for Public Key Encryption (version 2.1) Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com December 20, 2001 Abstract This

### Diagonalization. Ahto Buldas. Lecture 3 of Complexity Theory October 8, 2009. Slides based on S.Aurora, B.Barak. Complexity Theory: A Modern Approach.

Diagonalization Slides based on S.Aurora, B.Barak. Complexity Theory: A Modern Approach. Ahto Buldas Ahto.Buldas@ut.ee Background One basic goal in complexity theory is to separate interesting complexity

### Computational Complexity: A Modern Approach

i Computational Complexity: A Modern Approach Draft of a book: Dated January 2007 Comments welcome! Sanjeev Arora and Boaz Barak Princeton University complexitybook@gmail.com Not to be reproduced or distributed

### Lecture 2: Complexity Theory Review and Interactive Proofs

600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography

### Scalable Protocols for Authenticated Group Key Exchange

Scalable Protocols for Authenticated Group Key Exchange Jonathan Katz Moti Yung Abstract We consider the problem of authenticated group key exchange among n parties communicating over an insecure public

### U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009 Notes on Algebra These notes contain as little theory as possible, and most results are stated without proof. Any introductory

### RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

### Notes on Factoring. MA 206 Kurt Bryan

The General Approach Notes on Factoring MA 26 Kurt Bryan Suppose I hand you n, a 2 digit integer and tell you that n is composite, with smallest prime factor around 5 digits. Finding a nontrivial factor