Lecture 13: Message Authentication Codes

Similar documents
Lecture 9 - Message Authentication Codes

Authentication and Encryption: How to order them? Motivation

Message Authentication Code

Authenticated encryption

Talk announcement please consider attending!

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

MAC. SKE in Practice. Lecture 5

1 Construction of CCA-secure encryption

MACs Message authentication and integrity. Table of contents

Message Authentication Codes 133

1 Message Authentication

Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages:

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

Symmetric Crypto MAC. Pierre-Alain Fouque

Ciphertext verification security of symmetric encryption schemes

Provable-Security Analysis of Authenticated Encryption in Kerberos

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Lecture 5 - CPA security, Pseudorandom functions

1 Domain Extension for MACs

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

Lecture 3: One-Way Encryption, RSA Example

Chosen-Ciphertext Security from Identity-Based Encryption

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Message Authentication Codes

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014.

1 Signatures vs. MACs

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL

Message Authentication Codes. Lecture Outline

Overview of Symmetric Encryption

CS 758: Cryptography / Network Security

GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell Bar-Ilan University

Modes of Operation of Block Ciphers

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

Lecture 15 - Digital Signatures

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

Computational Soundness of Symbolic Security and Implicit Complexity

Security Analysis of DRBG Using HMAC in NIST SP


On the Security of CTR + CBC-MAC

Introduction to Cryptography CS 355

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

Network Security. Modes of Operation. Steven M. Bellovin February 3,

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur

Reconsidering Generic Composition

Cryptography and Network Security Chapter 12

CryptoVerif Tutorial

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Fundamentals of Computer Security

Recommendation for Applications Using Approved Hash Algorithms

Digital Signatures. Prof. Zeph Grunschlag

Chosen-Ciphertext Security from Identity-Based Encryption

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Cryptographic Hash Functions Message Authentication Digital Signatures

Digital Signatures. What are Signature Schemes?

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Princeton University Computer Science COS 432: Information Security (Fall 2013)

Introduction. Digital Signature

Lecture 2: Complexity Theory Review and Interactive Proofs

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

Symmetric Key cryptosystem

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Authentication requirement Authentication function MAC Hash function Security of

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Cyber Security Workshop Encryption Reference Manual

Public Key Encryption that Allows PIR Queries

Computer Networks - CS132/EECS148 - Spring

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

First Semester Examinations 2011/12 INTERNET PRINCIPLES

Advanced Cryptography

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Vulnerabilità dei protocolli SSL/TLS

CIS433/533 - Computer and Network Security Cryptography

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

Cryptography: Authentication, Blind Signatures, and Digital Cash

Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart. OV-Chipkaart Security Issues Tutorial for Non-Expert Readers

Chapter 12. Digital signatures Digital signature schemes

The Mathematics of the RSA Public-Key Cryptosystem

Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper

A CLOUD SECURITY APPROACH FOR DATA AT REST USING FPE

Identifying and Exploiting Padding Oracles. Brian Holyfield Gotham Digital Science

Analysis of a Database and Index Encryption Scheme Problems and Fixes

Network Security Technology Network Management

Client Server Registration Protocol

Chapter 17. Transport-Level Security

Chapter 3. Network Domain Security

Practice Questions. CS161 Computer Security, Fall 2008

Authentic Digital Signature Based on Quantum Correlation

Transcription:

Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts honestly generated by the library using the encryption key, there are maliciously crafted ciphertexts also floating around. Towards achieving CCA security, it would be helpful to provide a mechanism to the decryption algorithm to distinguish honestly-generated ciphertexts from all other ciphertexts. We re not interested in the problem of privacy (hiding information from an adversary); rather we are interested here in the problem of authenticity. We want a way to enforce that only someone with the secret key could have generated a particular piece of information (in this case a ciphertext). The tool for the job is called a message authentication code, or MAC for short. It consists of two algorithms: KeyGen: samples a secret key for the MAC MAC(k, m): given the secret key k and a plaintext m M, output a MAC (sometimes called a tag ) t. Typically MAC is deterministic. Confusingly, we use the term MAC to sometimes refer to the scheme itself, and sometimes just the tag associated with the message (i.e., the MAC of m ). Think of a MAC as a kind of signature that will be appended to a piece of data. Only someone with the secret key can generate a valid MAC. Our intuitive security requirement is that: an adversary who sees many valid MACs (m, MAC(k, m)) cannot produce a forgery a valid MAC of a different message. 13.1 Security Definition This is a totally new kind of security requirement. It has nothing to do with hiding information. Rather, it is about whether the adversary can actually generate a particular piece of data (e.g., a MAC forgery). To express such a requirement in a security definition, we need some new tricks in our repertoire. We want to talk about the inability of an adversary to generate a particular piece of data. So let s start with a much simpler statement: no adversary should be able to guess a uniformly chosen value. We formalize this idea with the following two libraries: L left : r {0, 1} n GUESS(g): if g = r return 1 else return 0 L right : GUESS(g): return 0 c Copyright 2015 Mike Rosulek. Licensed under Creative Commons BY-NC-SA 4.0. Latest version at http://eecs.orst.edu/~rosulekm/crypto

110 LECTURE 13. MESSAGE AUTHENTICATION CODES The left library allows the calling program to attempt to guess a uniformly chosen string. The right library doesn t even bother to verify the calling program s guess it doesn t even bother to sample a random target string! Focus on the difference between these two libraries. Their GUESS subroutines give the same output on nearly all inputs. There is only one input r on which they disagree. If a calling program can manage to find that input r, then it can easily distinguish the libraries. Therefore, if the libraries are indistinguishable, it means that the adversary cannot find/generate one of these special inputs! That s the kind of property we want to express. Indeed, in this case, an adversary who makes q queries to the GUESS subroutine achieves a bias of at most q/2 n. For polynomial-time adversaries, this is a negligible bias. The MAC security definition. Let s follow the pattern from the simple example above. We want to say that no adversary can generate a MAC forgery. So our libraries will provide a mechanism to let the adversary check whether it has a forgery. One library will actually perform the check, and the other library will simply say no. The two libraries are different only in how they behave when the adversary calls a subroutine on a true forgery. So by demanding that the two libraries be indistinguishable, we are actually demanding that no adversary can generate forgeries (except with negligible probability). The formal definition is below: Definition: Let Σ be a MAC scheme, and let L Σ mac-real and LΣ mac-fake be defined as below. Then Σ is a secure MAC if L Σ mac-real = L Σ mac-fake. k Σ.KeyGen k Σ.KeyGen T = L Σ mac-real : GETMAC(m Σ.M): return Σ.MAC(k, m) VER(m Σ.M, t): if t = Σ.MAC(k, m): rue else return false L Σ mac-fake : GETMAC(m Σ.M): t := Σ.MAC(k, m) T := T {(m, t)} VER(m Σ.M, t): if (m, t) T : rue else return false We do allow the adversary to request MACs of chosen messages, hence the GETMAC subroutine. This means that the adversary is always capable of obtaining valid MACs. However, MACs that were generated by GETMAC don t count as forgeries only a MAC of a different message would be a forgery. For this reason, the L mac-fake library keeps track of which MACs were generated by GETMAC, in the set T. It is clear that these MACs will always be judged valid by VER. But for all other inputs to VER, L mac-fake simply answers false. TODO: discuss: adversary wins by doing any forgery we don t care whether it s a forgery on some particular (meaningful) message

13.2. A PRF IS A MAC 111 13.2 A PRF is a MAC The definition of a PRF says (more or less) that even if you ve seen the output of the PRF on several chosen inputs, all other outputs look independently uniformly random. And, as we saw in our earlier example, uniformly random values are hard to guess. Putting these two observations together, and we re awfully close to to the MAC definition. Indeed, a PRF is a secure MAC. There is one subtlety worth pointing out. An adversary might make call VER on (m, t) trying to produce a forgery, and then later call GETMAC(m) (on the same m) to learn the true value of MAC(k, m). This idea is not captured by our simple guess-the-random number libraries from above. To make that example more relevant, we have to extend it as follows: r := undefined L left : r {0, 1} n GUESS(g): if g = r return 1 else return 0 PEEK(): return r L right : GUESS(g): if r undefined: return 0 else: if g = r return 1 else return 0 PEEK() : r {0, 1} n return r Now the libraries allow the calling program to actually see the secret value r via the PEEK subroutine. Intuitively, if you haven t yet PEEK ed, then it should be hard to guess the secret value. The L right library waits until the adversary PEEK s to actually sample r. Before that time, GUESS simply answers no. TODO: expand, give more of a formal proof Claim: The scheme MAC(k, m) = F (k, m) is a secure MAC, when F is a secure pseudorandom function. 13.3 CBC-MAC A PRF typically supports only messages of a fixed length, but we will soon see that it s useful to have a MAC that supports longer messages. A classical approach to extend the input size of a MAC involves the CBC block cipher mode applied to a PRF. The result is shown in Figure 13.1. CBC-MAC differs from CBC encryption mode in two important ways: First, there is no initialization vector. Indeed, CBC-MAC is deterministic (you can think of it as CBC encryption but with the initialization vector fixed to all zeroes). Second, CBC-MAC outputs only the last block. Claim: If F is a secure PRF, then for every fixed l, CBC-MAC is a secure MAC for message space M = {0, 1} nl. TODO: The proof of this claim is slightly beyond the scope of these notes. Maybe I will eventually find a way to incorporate it.

112 LECTURE 13. MESSAGE AUTHENTICATION CODES m 1 m 2 m l CBCMAC F (k, m 1 m l ): t := 0 n : for i = 1 to l: t := F (k, m i t) F k F k F k t Figure 13.1. CBC-MAC Note that we have restricted the message space to messages of exactly l blocks. Unlike CBC encryption, CBC-MAC is not suitable for messages of variable lengths. If the adversary is allowed to request the CBC-MAC of messages of different lengths, then it is possible for the adversary to generate a forgery (see the homework). 13.4 Encrypt-Then-MAC It is possible to achieve CCA security in a modular way, combining any CPA-secure encryption scheme with a secure MAC. One must be careful, though, to combine these two components in the right way! Let E denote an encryption scheme, and M denote a MAC scheme. Then let EtM denote the encrypt-then-mac construction given below: EtM.KeyGen: return (k e, k m ) EtM.Enc((k e, k m ), m): c E.Enc(k e, m) t := M.MAC(k m, c) EtM.Dec((k e, k m ), (c, t)): if t M.MAC(k m, c): In the Dec algorithm, we are interpreting err as a special symbol that will never be confused with a valid plaintext. Claim: Encrypt-then-MAC has CCA security if its underlying encryption scheme has CPA security and its underlying MAC scheme is a secure MAC (with message space of the MAC containing the ciphertext space of the encryption scheme). Proof: As usual, we start with an arbitrary adversary A linked to L EtM cca-l. In this interaction, the CHALLENGE subroutine will encrypt m L under E.Enc. Our goal is to therefore find a way to apply the CPA security of E to switch m L with m R. What is preventing us from doing just that? The difficulty arises in the fact that E.Dec appears in the code of L cca-l. If we were to factor out the E-encryption statements in terms of L E cpa-l, we would also have to make k local to the LE cpa-l library. Then there would be no way to carry out the E.Dec that remain in L cca-l, since L E cpa-l provides no way to perform decryptions using the (local) secret key k. However, our use of a MAC provides a path to writing the interaction in terms of L cpa-l. After applying the security of the MAC, we will obtain an interaction in which the E.Dec statement is unreachable. Hence, it can be safely removed! What remains is an interaction involving only E.KeyGen and E.Enc, which can be written in terms of L cpa-l. At that point, we can switch E.Enc(k, m L ) with E.Enc(k, m R ) and the rest of the proof follows as a mirror image.

13.4. ENCRYPT-THEN-MAC 113 c E.Enc(k e, m L ) t M.MAC(k m, c) S := S { (c, t) } if (c, t) S if t M.MAC(k m, c): c E.Enc(k e, m L ) t := GETMAC(c) S := S {(c, t)} if (c, t) S if not VER(c, t) : GETMAC(c): return M.MAC(k m, c) VER(c, t): if t = M.MAC(k m, c): rue else return false (a) (b) c E.Enc(k e, m L ) t := GETMAC(c) S := S {(c, t)} if (c, t) S if not VER(c, t): T = GETMAC(c): t := M.MAC(k m, c) T := T {(c, t)} VER(c, t): if (c, t) T : rue else return false c E.Enc(k e, m L ) t := M.MAC(k m, c) S := S {(c, t)} if (c, t) S if (c, t) S : (c) (d) Figure 13.2. Some steps in the CCA-security proof of encrypt-then-mac.

114 LECTURE 13. MESSAGE AUTHENTICATION CODES c := CHALLENGE (m L, m R ) t := M.MAC(k m, c) S := S {(c, t)} if (c, t) S if (c, t) S: CHALLENGE (m L, m R ): c := E.Enc(k e, m L ) return c Figure 13.3. Some steps in the CCA-security proof of encrypt-then-mac, continued. (e) The formal steps of the proof are described in Figures 13.2 & 13.3. In diagram (a), the details of the EtM construction have been filled in for A L EtM cca-l. Justification for each of the steps is given below: (a) (b) We factor out all of the statements involving the MAC scheme. No effect on the program s output distribution. (b) (c) In (b) we have some program linked with L M mac-real. By the MAC security of scheme M we can replace that library with L M mac-fake to obtain (c). The program s output distribution changes by at most a negligible amount. (c) (d) We inline subroutines, with no effect on the output distribution. We have simplified variables to some extent, since sets S and T are always identical. (d) (e) In program (d) the final statement of the DEC subroutine is unreachable! In other words, the Dec algorithm of the CPA-secure scheme E is never used. Now it is possible to factor out all of the statements involving the CPA-secure encryption scheme E in terms of library L M cpa-l. No effect on the program s distribution. With program (e) we are stopping just before the half-way point of the proof. It should be clear that we can now replace L cpa-l with L cpa-r to begin obtaining encryptions of m R. Then reversing the steps (a) (b) (c) (d) in the normal way, we will eventually arrive at L EtM cca-r as desired.

13.5. PROBLEMS 115 13.5 Problems 1. (B&R) Consider the following MAC scheme, where F is a secure PRF: KeyGen: k {0, 1} n return k MAC(k, m 1 m l ): // each m i is n bits t := 0 n for i = 1 to l: t := t F (k, m i ) Show that the scheme is not a secure MAC. Describe a distinguisher and compute its bias. 2. (B&R) Consider the following MAC scheme, where F is a secure PRF: KeyGen: k {0, 1} n return k MAC(k, m 1 m l ): // each m i is n bits t := 0 n for i = 1 to l: t := t F (k, i m i ) In the above, F (k, i m i ) denotes calling the PRF on an input consisting of the number i encoded in binary, followed by block m i. Assume that F supports inputs of arbitrary length. Show that the scheme is not a secure MAC. Describe a distinguisher and compute its bias. 3. Suppose we expand the message space of CBC-MAC to M = ({0, 1} n ). In other words, the adversary can request a MAC on a message consisting of any number of blocks. Show that the result is not a secure MAC. Construct a distinguisher and compute its bias. Hint: Request a MAC on two single-block messages, then use the result to forge the MAC of a two-block message. 4. CBC-MAC is similar to CBC encryption, except that it outputs the last block only. For this problem, define a new variant of CBC encryption which outputs the XOR of all of the blocks. NEWMAC F (k, m 1 m l ): t := 0 n : for i = 1 to l: t := t F (k, m i t) (a) Is NEWMAC a secure MAC for message space M = ({0, 1} n )? (b) Is NEWMAC a secure MAC for message space M = {0, 1} nl (with fixed l)? 5. Let E be a CPA-secure encryption scheme and M be a secure MAC. Show that the following encryption scheme (encrypt & MAC) is not CCA-secure:

116 LECTURE 13. MESSAGE AUTHENTICATION CODES E&M.KeyGen: return (k e, k m ) E&M.Enc((k e, k m ), m): c E.Enc(k e, m) t := M.MAC(k m, m) E&M.Dec((k e, k m ), (c, t)): m := E.Dec(k e, c) if t M.MAC(k m, m): return m Describe a distinguisher and compute its bias.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information