One-Way Encryption and Message Authentication

Transcription

1 One-Way Encryption and Message Authentication Cryptographic Hash Functions Johannes Mittmann Zentrum Mathematik Technische Universität München (TUM) 3 rd Joint Advanced Student School (JASS) St. Petersburg, March 30 April 9, 2005 Course 1: Algorithms for IT Security Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 1 / 35

2 Outline 1 Introduction 2 Security of Hash Functions Generic Attacks in the Random Oracle Model Comparison of Security Criteria 3 Iterated Hash Functions The Merkle-Damgård Construction The Secure Hash Algorithm (SHA-1) 4 Message Authentication Codes (MACs) Nested MACs, HMAC and CBC-MAC Unconditionally Secure MACs Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 2 / 35

3 Hash Functions Introduction h : {0, 1} {0, 1} m hash function constructs short fingerprint of an arbitrarily long message x computation of h(x) should be easy small change of x should change h(x) completely it should be hard to find (second) preimages collisions Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 3 / 35

4 Introduction Applications of Hash Functions verification of data integrity authentication of data origin optimization of digital signature schemes digital timestamping schemes hashcash password protection pseudo-random numbers generation... Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 4 / 35

5 Definitions Introduction Definition A hash family is a four-tuple (X, Y, K, H), where: 1 X is a set of possible messages 2 Y is a finite set of possible message digests or authentication tags 3 K, the keyspace, is a finite set of possible keys 4 for each K K, there is a hash function h K H, h K : X Y. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 5 / 35

6 Definitions Introduction Definition A hash family is a four-tuple (X, Y, K, H), where: 1 X is a set of possible messages 2 Y is a finite set of possible message digests or authentication tags 3 K, the keyspace, is a finite set of possible keys 4 for each K K, there is a hash function h K H, h K : X Y. X finite: compression function (x, y) X Y is valid pair under the key K h K (x) = y (N, M)-hash family, where N = X, M = Y Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 5 / 35

7 Security of Hash Functions Cryptographic Properties Preimage Resistance (One-Wayness) Instance: hash function h : X Y and y Y. Find: x X such that h(x) = y. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 6 / 35

8 Security of Hash Functions Cryptographic Properties Preimage Resistance (One-Wayness) Instance: hash function h : X Y and y Y. Find: x X such that h(x) = y. Second Preimage Resistance Instance: hash function h : X Y and x X. Find: x X such that x x and h(x ) = h(x). Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 6 / 35

9 Security of Hash Functions Cryptographic Properties Preimage Resistance (One-Wayness) Instance: hash function h : X Y and y Y. Find: x X such that h(x) = y. Second Preimage Resistance Instance: hash function h : X Y and x X. Find: x X such that x x and h(x ) = h(x). Collision Resistance Instance: hash function h : X Y. Find: x, x X such that x x and h(x ) = h(x). Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 6 / 35

10 Security of Hash Functions Generic Attacks in the Random Oracle Model The Random Oracle Model mathematical model of an ideal hash function hash function h : X Y is chosen randomly from Y X only oracle access (ɛ, q)-algorithm: Las Vegas algorithm with average-case success probability ɛ and at most q oracle queries Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 7 / 35

11 Security of Hash Functions Generic Attacks in the Random Oracle Model The Random Oracle Model mathematical model of an ideal hash function hash function h : X Y is chosen randomly from Y X only oracle access (ɛ, q)-algorithm: Las Vegas algorithm with average-case success probability ɛ and at most q oracle queries Theorem (independence property) Let h Y X be chosen at random, and let X 0 X. Suppose that the values h(x) have been determined iff x X 0. Then Pr [h(x) = y] = 1 M x X \ X 0 y Y. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 7 / 35

12 Security of Hash Functions Algorithm for Preimage Generic Attacks in the Random Oracle Model Algorithm: FindPreimage(h, y, q) 1: choose X 0 X, X 0 = q 2: for all x X 0 do 3: if h(x) = y then return x 4: end for 5: return failure Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 8 / 35

13 Security of Hash Functions Generic Attacks in the Random Oracle Model Algorithm for Preimage Algorithm: FindPreimage(h, y, q) 1: choose X 0 X, X 0 = q 2: for all x X 0 do 3: if h(x) = y then return x 4: end for 5: return failure Theorem For any X 0 X with X 0 = q, the average-case success probability of FindPreimage(h, y, q) is ( ɛ = ) q. M Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 8 / 35

14 Security of Hash Functions Generic Attacks in the Random Oracle Model Algorithm for Second Preimage Algorithm: FindSecondPreimage(h, x, q) 1: y h(x) 2: choose X 0 X \ {x}, X 0 = q 1 3: for all x 0 X 0 do 4: if h(x 0 ) = y then return x 0 5: end for 6: return failure Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 9 / 35

15 Security of Hash Functions Generic Attacks in the Random Oracle Model Algorithm for Second Preimage Algorithm: FindSecondPreimage(h, x, q) 1: y h(x) 2: choose X 0 X \ {x}, X 0 = q 1 3: for all x 0 X 0 do 4: if h(x 0 ) = y then return x 0 5: end for 6: return failure Theorem For any X 0 X \ {x} with X 0 = q 1, the success probability of FindSecondPreimage(h, x, q) is ( ɛ = ) q 1. M Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 9 / 35

16 Security of Hash Functions Random (Second) Preimage Attack Generic Attacks in the Random Oracle Model 1 ɛ = ( 1 1 M ) q = 1 q M. q i=0 ( ) ( q 1 ) i i M Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 10 / 35

17 Security of Hash Functions Random (Second) Preimage Attack Generic Attacks in the Random Oracle Model 1 ɛ = ( 1 1 M ) q = 1 q M. q ɛm. q i=0 ( ) ( q 1 ) i i M Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 10 / 35

18 Security of Hash Functions Random (Second) Preimage Attack Generic Attacks in the Random Oracle Model 1 ɛ = ( 1 1 M ) q = 1 q M. q ɛm. q i=0 ( ) ( q 1 ) i i M = (ɛ, O(M))-algorithm Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 10 / 35

19 Algorithm for Collision Security of Hash Functions Generic Attacks in the Random Oracle Model Algorithm: FindCollision(h, q) 1: choose X 0 X, X 0 = q 2: for all x X 0 do y x h(x) 3: if y x = y x for some x x then return (x, x ) 4: else return failure Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 11 / 35

20 Algorithm for Collision Security of Hash Functions Generic Attacks in the Random Oracle Model Algorithm: FindCollision(h, q) 1: choose X 0 X, X 0 = q 2: for all x X 0 do y x h(x) 3: if y x = y x for some x x then return (x, x ) 4: else return failure Theorem For any X 0 X with X 0 = q, the success probability of Collision(h, q) is q 1 ( ɛ = 1 1 i ). M i=1 Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 11 / 35

21 Security of Hash Functions Birthday (Collision) Attack Generic Attacks in the Random Oracle Model 1 ɛ = q 1 i=1 = exp ( 1 i ) q 1 M i=1 ) ( q(q 1) 2M ( exp i ) ( = exp M exp ) ( q2. 2M q 1 i=1 ) i M Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 12 / 35

22 Security of Hash Functions Birthday (Collision) Attack Generic Attacks in the Random Oracle Model 1 ɛ = q 1 i=1 = exp q ( 1 i ) q 1 M i=1 ) ( 2M log q(q 1) 2M 1 1 ɛ. ( exp i ) ( = exp M exp ) ( q2. 2M q 1 i=1 ) i M Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 12 / 35

23 Security of Hash Functions Birthday (Collision) Attack Generic Attacks in the Random Oracle Model 1 ɛ = q 1 i=1 = exp q ( 1 i ) q 1 M i=1 ) ( 2M log q(q 1) 2M 1 1 ɛ. ( exp i ) ( = exp M exp ) ( q2. 2M = (ɛ, O( M))-algorithm q 1 i=1 ) i M Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 12 / 35

24 Security of Hash Functions Birthday (Collision) Attack Generic Attacks in the Random Oracle Model 1 ɛ = q 1 i=1 = exp q ( 1 i ) q 1 M i=1 ) ( 2M log q(q 1) 2M 1 1 ɛ. ( exp i ) ( = exp M exp ) ( q2. 2M = (ɛ, O( M))-algorithm q 1 i=1 ) i M Example (Birthday Paradox) ɛ = 0.5, M = 365 = q 1.17 M Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 12 / 35

25 Security of Hash Functions Generic Attacks in the Random Oracle Model Generic Attacks on Cryptographic Hash Functions attack random (second) preimage birthday (collision) algorithm (ɛ, O(M)) (ɛ, O( M)) Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 13 / 35

26 Security of Hash Functions Generic Attacks in the Random Oracle Model Generic Attacks on Cryptographic Hash Functions attack random (second) preimage birthday (collision) algorithm (ɛ, O(M)) (ɛ, O( M)) attacks are optimal in the random oracle model minimum acceptable size of a message digest: 128 bits 160-bit message digest (or larger) recommended Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 13 / 35

27 Security of Hash Functions Reduce Collision to Second Preimage Comparison of Security Criteria Algorithm: CollisionTo2ndPreimage(h) 1: choose x X uniformly at random 2: if Oracle2ndPreimage(h, x) = x and x x and h(x ) = h(x) then return (x, x ) 3: else return failure Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 14 / 35

28 Security of Hash Functions Reduce Collision to Second Preimage Comparison of Security Criteria Algorithm: CollisionTo2ndPreimage(h) 1: choose x X uniformly at random 2: if Oracle2ndPreimage(h, x) = x and x x and h(x ) = h(x) then return (x, x ) 3: else return failure Oracle2ndPreimage is (ɛ, q)-algorithm for Second Preimage = CollisionTo2ndPreimage is (ɛ, q + 2)-algorithm for Collision collision resistance = second preimage resistance Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 14 / 35

29 Security of Hash Functions Reduce Collision to Preimage Comparison of Security Criteria Algorithm: CollisionToPreimage(h) Require: OraclePreimage is (1, q)-algorithm 1: choose x X uniformly at random 2: y h(x) 3: if OraclePreimage(h, y) = x and x x then return (x, x ) 4: else return failure Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 15 / 35

30 Security of Hash Functions Reduce Collision to Preimage Comparison of Security Criteria Algorithm: CollisionToPreimage(h) Require: OraclePreimage is (1, q)-algorithm 1: choose x X uniformly at random 2: y h(x) 3: if OraclePreimage(h, y) = x and x x then return (x, x ) 4: else return failure Theorem Let h : X Y be a compression function, where X 2 Y. Suppose OraclePreimage is a (1, q)-algorithm that solves Preimage for h. Then CollisionToPreimage is a (1/2, q + 1)-algorithm for Collision, for the fixed compression function h. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 15 / 35

31 Security of Hash Functions Comparison of Security Criteria Proof. x x h(x) = h(x ) is equivalence relation on X Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 16 / 35

32 Security of Hash Functions Comparison of Security Criteria Proof. x x h(x) = h(x ) is equivalence relation on X C := X /, so C = Y Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 16 / 35

33 Security of Hash Functions Comparison of Security Criteria Proof. x x h(x) = h(x ) is equivalence relation on X C := X /, so C = Y for x X the probability of success is ( [x] 1)/ [x] Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 16 / 35

34 Security of Hash Functions Comparison of Security Criteria Proof. x x h(x) = h(x ) is equivalence relation on X C := X /, so C = Y for x X the probability of success is ( [x] 1)/ [x] Pr[success] = 1 [x] 1 = 1 X [x] X x X C C = 1 X C C X X /2 X ( C 1) = = 1 2. X Y X x C C 1 C Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 16 / 35

35 Iterated Hash Functions Iterated Hash Functions Compress : {0, 1} m+t {0, 1} m, t 1. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 17 / 35

36 Iterated Hash Functions Iterated Hash Functions Compress : {0, 1} m+t {0, 1} m, t 1. 1 preprocessing input string x, x m + t + 1 construct y = y 1 y 2 y r, x y(x) injection y i = t y = x Pad(x) padding function Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 17 / 35

37 Iterated Hash Functions Design of Iterated Hash Functions 2 processing z 0 IV, IV = m z 1 Compress(z 0 y 1 ). z r Compress(z r 1 y r ) Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 18 / 35

38 Iterated Hash Functions Design of Iterated Hash Functions 2 processing z 0 IV, 3 optional output transformation g : {0, 1} m {0, 1} l IV = m z 1 Compress(z 0 y 1 ). z r Compress(z r 1 y r ) Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 18 / 35

39 Iterated Hash Functions Design of Iterated Hash Functions 2 processing z 0 IV, 3 optional output transformation g : {0, 1} m {0, 1} l h : i=m+t+1 IV = m z 1 Compress(z 0 y 1 ). z r Compress(z r 1 y r ) {0, 1} i {0, 1} l, h(x) = g(z r ). Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 18 / 35

40 Iterated Hash Functions The Merkle-Damgård Construction The Merkle-Damgård Construction Theorem (Merkle-Damgård) Suppose Compress : {0, 1} m+t {0, 1} m is a collision resistant compression function, where t 1. Then there exists a collision resistant hash function h : {0, 1} i {0, 1} m. i=m+t+1 The number of times Compress is computed in the evaluation of h is at most 1 + n t 1 if t 2, where x = n. 2n + 2 if t = 1, Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 19 / 35

41 Iterated Hash Functions The Secure Hash Algorithm (SHA-1) The Secure Hash Algorithm (SHA-1) Ron Rivest: 128-bit hash function MD4 and strengthened version MD5 design goals: (direct) security speed simplicity and compactness collisions for MD4 (Dobbertin) and compression function of MD5 (Boer/Bosselaers) Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 20 / 35

42 Iterated Hash Functions The Secure Hash Algorithm (SHA-1) The Secure Hash Algorithm (SHA-1) Ron Rivest: 128-bit hash function MD4 and strengthened version MD5 design goals: (direct) security speed simplicity and compactness collisions for MD4 (Dobbertin) and compression function of MD5 (Boer/Bosselaers) NIST & NSA: 160-bit hash function SHA-1 Feb. 13, 2005: collisions with < 2 69 hash operations (Wang/Yin/Yu) Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 20 / 35

43 Padding Scheme Iterated Hash Functions The Secure Hash Algorithm (SHA-1) Algorithm: SHA-1-Pad(x) Require: x Ensure: y = 0 (mod 512) 1: d (447 x ) mod 512 2: l the binary representation of x, where l = 64 3: return y x 1 0 d l x l Figure: MD-Strengthening Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 21 / 35

44 SHA-1 Iterated Hash Functions The Secure Hash Algorithm (SHA-1) BC ( B)D, B C D, f t (B, C, D) = BC BD CD, B C D, 5A827999, if 0 t 19, 6ED9EBA1, if 20 t 39, K t = 8F1BBCDC, if 40 t 59, CA62C1D6, if 60 t 79. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 22 / 35

45 SHA-1 Iterated Hash Functions The Secure Hash Algorithm (SHA-1) BC ( B)D, B C D, f t (B, C, D) = BC BD CD, B C D, 5A827999, if 0 t 19, 6ED9EBA1, if 20 t 39, K t = 8F1BBCDC, if 40 t 59, CA62C1D6, if 60 t 79. Cryptosystem: SHA-1(x) 1: y SHA-1-Pad(x) 2: denote y = M 1 M 2 M n, where each M i is a 512-bit block 3: H , H 1 EFCDAB89, H 2 98BADCFE 4: H , H 4 C3D2E1F0... Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 22 / 35

46 Iterated Hash Functions The Secure Hash Algorithm (SHA-1) Cryptosystem: SHA-1(x)... (continued) 1: for i 1 to n do 2: denote M i = W 0 W 1 W 15, where each W i is a word 3: for t 16 to 79 do W t (W t 3 W t 8 W t 14 W t 16 ) 1 4: A H 0, B H 1, C H 2 5: D H 3, E H 4 6: for t 0 to 79 do 7: temp (A 5) + f t (B, C, D) + E + W t + K t 8: E D, D C 9: C B 30 10: B A, A temp 11: end for 12: H 0 H 0 + A, H 1 H 1 + B, H 2 H 2 + C 13: H 3 H 3 + D, H 4 H 4 + E 14: end for 15: return H 0 H 1 H 2 H 3 H 4 Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 23 / 35

47 Message Authentication Codes (MACs) Message Authentication Codes (MACs) MAC = keyed hash function h K + security properties Alice and Bob share secret key K (x, h K (x)) is transmitted over insecure channel Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 24 / 35

48 Message Authentication Codes (MACs) Message Authentication Codes (MACs) MAC = keyed hash function h K + security properties Alice and Bob share secret key K (x, h K (x)) is transmitted over insecure channel (Existential) Forgery Instance: valid pairs (x 1, y 1 ),..., (x q, y q ) under unknown key K. Find: valid pair (x, y) such that x {x 1,..., x q }. (ɛ, q)-forger: forgery with worst-case success probability ɛ Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 24 / 35

49 Message Authentication Codes (MACs) Example (Iterated hash function h K with IV = K) Compress : {0, 1} m+t {0, 1} m. Given: (x, h K (x)) y = x Pad(x), y = rt. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 25 / 35

50 Message Authentication Codes (MACs) Example (Iterated hash function h K with IV = K) Compress : {0, 1} m+t {0, 1} m. Given: (x, h K (x)) y = x Pad(x), y = rt. x = x Pad(x) w. y = x Pad(x) w Pad(x ), y = r t, r > r. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 25 / 35

51 Message Authentication Codes (MACs) Example (Iterated hash function h K with IV = K) Compress : {0, 1} m+t {0, 1} m. Given: (x, h K (x)) y = x Pad(x), y = rt. x = x Pad(x) w. y = x Pad(x) w Pad(x ), y = r t, r > r. z r+1 Compress(h K (x) y r+1 ). z r Compress(z r 1 y r ). h K (x ) = z r. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 25 / 35

52 Message Authentication Codes (MACs) Example (Iterated hash function h K with IV = K) Compress : {0, 1} m+t {0, 1} m. Given: (x, h K (x)) y = x Pad(x), y = rt. x = x Pad(x) w. y = x Pad(x) w Pad(x ), y = r t, r > r. z r+1 Compress(h K (x) y r+1 ). z r Compress(z r 1 y r ). h K (x ) = z r. = (1, 1) forger Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 25 / 35

53 Nested MACs Message Authentication Codes (MACs) Nested MACs, HMAC and CBC-MAC Hash families (X, Y, L, H) and (Y, Z, K, G), X < Y Z. (X, Z, M, G H) nested MAC, M = K L, G H = { (g h) (K,L) : g K G, h L H }. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 26 / 35

54 Nested MACs Message Authentication Codes (MACs) Nested MACs, HMAC and CBC-MAC Hash families (X, Y, L, H) and (Y, Z, K, G), X < Y Z. (X, Z, M, G H) nested MAC, M = K L, G H = { (g h) (K,L) : g K G, h L H }. Theorem Let (X, Z, M, G H) be a nested MAC. Suppose there does not exist an (ɛ 1, q + 1)-collision attack for a h L H (L secret), and there does not exist an (ɛ 2, q)-forger for a g K G. Further suppose there exists an (ɛ, q)-forger for (g h) (K,L) G H. Then ɛ ɛ 1 + ɛ 2. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 26 / 35

55 HMAC Message Authentication Codes (MACs) Nested MACs, HMAC and CBC-MAC 512-bit key K. ipad = , opad = 5C5C 5C. (512-bit) Cryptosystem: HMAC(x, K) HMAC K (x) = SHA-1((K opad) SHA-1((K ipad) x)) Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 27 / 35

56 Message Authentication Codes (MACs) Nested MACs, HMAC and CBC-MAC CBC-MAC (P, C, K, E, D) endomorphic cryptosystem, P = C = {0, 1} t. K K, e K E. Cryptosystem: CBC-MAC(x, K) 1: denote x = x 1 x n, x i = t 2: y initial value 3: for i 1 to n do y i e K (y i 1 x i ) 4: return y n Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 28 / 35

57 Message Authentication Codes (MACs) Unconditionally Secure MACs Unconditionally Secure MACs a key is used to produce only one authentication tag impersonation: (ɛ, 0)-forger substitution: (ɛ, 1)-forger deception probability Pd q : maximum value of ɛ such that (ɛ, q)-forger exists (q = 0, 1) Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 29 / 35

58 Message Authentication Codes (MACs) Unconditionally Secure MACs Example X = Y = Z 3, K = Z 3 Z 3, H = { h (a,b) : (a, b) K } h (a,b) (x) = ax + b (mod 3). Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 30 / 35

59 Message Authentication Codes (MACs) Unconditionally Secure MACs Example X = Y = Z 3, K = Z 3 Z 3, H = { h (a,b) : (a, b) K } h (a,b) (x) = ax + b (mod 3). key (0, 0) (0, 1) (0, 2) (1, 0) (1, 1) (1, 2) (2, 0) (2, 1) (2, 2) Figure: Authentication Matrix Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 30 / 35

60 Message Authentication Codes (MACs) Unconditionally Secure MACs Example X = Y = Z 3, K = Z 3 Z 3, H = { h (a,b) : (a, b) K } h (a,b) (x) = ax + b (mod 3). = Pd 0 = Pd 1 = 1 3 key (0, 0) (0, 1) (0, 2) (1, 0) (1, 1) (1, 2) (2, 0) (2, 1) (2, 2) Figure: Authentication Matrix Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 30 / 35

61 Message Authentication Codes (MACs) Unconditionally Secure MACs Computation of Deception Probabilities payoff(x, y) = Pr [y = h K0 (x)] = {K K : h K (x) = y}. K Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 31 / 35

62 Message Authentication Codes (MACs) Unconditionally Secure MACs Computation of Deception Probabilities payoff(x, y) = Pr [y = h K0 (x)] = {K K : h K (x) = y}. K Pd 0 = max {payoff(x, y) : x X, y Y}. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 31 / 35

63 Message Authentication Codes (MACs) Unconditionally Secure MACs Computation of Deception Probabilities payoff(x, y) = Pr [y = h K0 (x)] = {K K : h K (x) = y}. K Pd 0 = max {payoff(x, y) : x X, y Y}. payoff(x, y ; x, y) = Pr [ y = h K0 (x ) y = h K0 (x) ] = Pr [y = h K0 (x ) y = h K0 (x)] Pr [y = h K0 (x)] = {K K : h K (x ) = y, h K (x) = y}. {K K : h K (x) = y} Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 31 / 35

64 Message Authentication Codes (MACs) Unconditionally Secure MACs Computation of Deception Probabilities payoff(x, y) = Pr [y = h K0 (x)] = {K K : h K (x) = y}. K Pd 0 = max {payoff(x, y) : x X, y Y}. payoff(x, y ; x, y) = Pr [ y = h K0 (x ) y = h K0 (x) ] = Pr [y = h K0 (x ) y = h K0 (x)] Pr [y = h K0 (x)] = {K K : h K (x ) = y, h K (x) = y}. {K K : h K (x) = y} V = {(x, y) : {K K : h K (x) = y} 1}. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 31 / 35

65 Message Authentication Codes (MACs) Unconditionally Secure MACs Computation of Deception Probabilities payoff(x, y) = Pr [y = h K0 (x)] = {K K : h K (x) = y}. K Pd 0 = max {payoff(x, y) : x X, y Y}. payoff(x, y ; x, y) = Pr [ y = h K0 (x ) y = h K0 (x) ] = Pr [y = h K0 (x ) y = h K0 (x)] Pr [y = h K0 (x)] = {K K : h K (x ) = y, h K (x) = y}. {K K : h K (x) = y} V = {(x, y) : {K K : h K (x) = y} 1}. Pd 1 = max { payoff(x, y ; x, y) : x x X, y, y Y, (x, y) V }. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 31 / 35

66 Message Authentication Codes (MACs) Strongly Universal Hash Families Unconditionally Secure MACs Definition Let (X, Y, K, H) be an (N, M)-hash family. This hash family is strongly universal, if { K K : h K (x) = y, h K (x ) = y } = K M 2 for all x, x X such that x x, and for all y, y Y. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 32 / 35

67 Message Authentication Codes (MACs) Strongly Universal Hash Families Unconditionally Secure MACs Definition Let (X, Y, K, H) be an (N, M)-hash family. This hash family is strongly universal, if { K K : h K (x) = y, h K (x ) = y } = K M 2 for all x, x X such that x x, and for all y, y Y. Lemma Let (X, Y, K, H) be a strongly universal (N, M)-hash family. Then {K K : h K (x) = y} = K M x X y Y. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 32 / 35

68 Message Authentication Codes (MACs) Unconditionally Secure MACs Proof. Let x, x X such that x x, and let y Y. {K K : h K (x) = y} = y Y { K K : h K (x) = y, h K (x ) = y } = y Y K M 2 = K M. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 33 / 35

69 Message Authentication Codes (MACs) Unconditionally Secure MACs Proof. Let x, x X such that x x, and let y Y. {K K : h K (x) = y} = y Y { K K : h K (x) = y, h K (x ) = y } = y Y K M 2 = K M. Theorem Let (X, Y, K, H) be a strongly universal (N, M)-hash family. Then (X, Y, K, H) is an authentication code with Pd 0 = Pd 1 = 1 M. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 33 / 35

70 Message Authentication Codes (MACs) Unconditionally Secure MACs Proof. Let x X and y Y. payoff(x, y) = {K K : h K (x) = y} K = K /M K = 1 M. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 34 / 35

71 Message Authentication Codes (MACs) Unconditionally Secure MACs Proof. Let x X and y Y. payoff(x, y) = {K K : h K (x) = y} K = K /M K = 1 M. Now let x, x X such that x x, and let y, y Y, where (x, y) V. payoff(x, y ; x, y) = {K K : h K (x ) = y, h K (x) = y} {K K : h K (x) = y} = K /M2 K /M = 1 M. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 34 / 35

72 Message Authentication Codes (MACs) Unconditionally Secure MACs Proof. Let x X and y Y. payoff(x, y) = {K K : h K (x) = y} K = K /M K = 1 M. Now let x, x X such that x x, and let y, y Y, where (x, y) V. payoff(x, y ; x, y) = {K K : h K (x ) = y, h K (x) = y} {K K : h K (x) = y} = K /M2 K /M = 1 M. = Pd 0 = Pd 1 = 1 M Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 34 / 35

73 Thanks for listening! References For further reading: Douglas R. Stinson Cryptography: Theory and Practice 2 nd ed., Chapman & Hall/CRC, Bruce Schneier Applied Cryptography: Protocols, Algorithms, and Source Code in C John Wiley & Sons, Inc., Bart van Rompay Analysis and Design of Cryptographic Hash Functions, MAC Algorithms and Block Ciphers Ph. D. thesis, Katholieke Universiteit Leuven, Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 35 / 35