One-Way Encryption and Message Authentication



Similar documents
Cryptographic Hash Functions Message Authentication Digital Signatures

Message Authentication Codes. Lecture Outline

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Introduction to Computer Security

Signature Schemes. CSG 252 Fall Riccardo Pucella

HASH CODE BASED SECURITY IN CLOUD COMPUTING

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Hash Functions. Integrity checks

Message Authentication

Authentication requirement Authentication function MAC Hash function Security of

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

Length extension attack on narrow-pipe SHA-3 candidates

Cryptography and Network Security Chapter 11

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Introduction to Cryptography CS 355

Computer Security: Principles and Practice

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Symmetric Crypto MAC. Pierre-Alain Fouque

Public Key Cryptography Overview

CIS433/533 - Computer and Network Security Cryptography

Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages:

Table of Contents. Bibliografische Informationen digitalisiert durch

Cryptography Lecture 8. Digital signatures, hash functions

Practice Questions. CS161 Computer Security, Fall 2008

Lecture 6 - Cryptography

Data integrity and data origin authentication

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Message Authentication Code

Recommendation for Applications Using Approved Hash Algorithms

Message Authentication Codes

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

Lecture 15 - Digital Signatures

CS155. Cryptography Overview

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

CS 758: Cryptography / Network Security

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

1 Signatures vs. MACs

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Crittografia e sicurezza delle reti. Digital signatures- DSA

Lecture 9 - Message Authentication Codes

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

Lecture 9: Application of Cryptography

CSCE 465 Computer & Network Security

1 Message Authentication

Digital Signature For Text File

CRYPTOGRAPHY IN NETWORK SECURITY

Secure Shell SSH provides support for secure remote login, secure file transfer, and secure TCP/IP and X11 forwarding. It can automatically encrypt,

Cryptography & Network Security

Message authentication

Introduction. Digital Signature

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University

Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July The OWASP Foundation

CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631

2. Cryptography 2.4 Digital Signatures

DIGITAL SIGNATURES 1/1

Capture Resilient ElGamal Signature Protocols

Fundamentals of Computer Security

SECURITY IN NETWORKS

MACs Message authentication and integrity. Table of contents

Cryptography and Network Security Chapter 12

Talk announcement please consider attending!

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Evaluation of Digital Signature Process

MTAT Cryptology II. Digital Signatures. Sven Laur University of Tartu

Provable-Security Analysis of Authenticated Encryption in Kerberos

Security and Authentication Primer

The Keyed-Hash Message Authentication Code (HMAC)

Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

An Efficient and Secure Key Management Scheme for Hierarchical Access Control Based on ECC

7! Cryptographic Techniques! A Brief Introduction

Improved Online/Offline Signature Schemes

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Efficient construction of vote-tags to allow open objection to the tally in electronic elections

Elliptic Curve Hash (and Sign)

Software Implementation of Gong-Harn Public-key Cryptosystem and Analysis

1 Construction of CCA-secure encryption

RSA Attacks. By Abdulaziz Alrasheed and Fatima

Digital Signatures. What are Signature Schemes?

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Chapter 6. Hash Functions. 6.1 The hash function SHA1

Hash Function JH and the NIST SHA3 Hash Competition

EXAM questions for the course TTM Information Security May Part 1

Massachusetts Institute of Technology Handout : Network and Computer Security October 9, 2003 Professor Ronald L. Rivest.

Cryptography and Network Security Chapter 11. Fourth Edition by William Stallings

Authentication and Encryption: How to order them? Motivation

Cryptography Overview

Chapter 7 Transport-Level Security

Transcription:

One-Way Encryption and Message Authentication Cryptographic Hash Functions Johannes Mittmann mittmann@in.tum.de Zentrum Mathematik Technische Universität München (TUM) 3 rd Joint Advanced Student School (JASS) St. Petersburg, March 30 April 9, 2005 Course 1: Algorithms for IT Security Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 1 / 35

Outline 1 Introduction 2 Security of Hash Functions Generic Attacks in the Random Oracle Model Comparison of Security Criteria 3 Iterated Hash Functions The Merkle-Damgård Construction The Secure Hash Algorithm (SHA-1) 4 Message Authentication Codes (MACs) Nested MACs, HMAC and CBC-MAC Unconditionally Secure MACs Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 2 / 35

Hash Functions Introduction h : {0, 1} {0, 1} m hash function constructs short fingerprint of an arbitrarily long message x computation of h(x) should be easy small change of x should change h(x) completely it should be hard to find (second) preimages collisions Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 3 / 35

Introduction Applications of Hash Functions verification of data integrity authentication of data origin optimization of digital signature schemes digital timestamping schemes hashcash password protection pseudo-random numbers generation... Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 4 / 35

Definitions Introduction Definition A hash family is a four-tuple (X, Y, K, H), where: 1 X is a set of possible messages 2 Y is a finite set of possible message digests or authentication tags 3 K, the keyspace, is a finite set of possible keys 4 for each K K, there is a hash function h K H, h K : X Y. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 5 / 35

Definitions Introduction Definition A hash family is a four-tuple (X, Y, K, H), where: 1 X is a set of possible messages 2 Y is a finite set of possible message digests or authentication tags 3 K, the keyspace, is a finite set of possible keys 4 for each K K, there is a hash function h K H, h K : X Y. X finite: compression function (x, y) X Y is valid pair under the key K h K (x) = y (N, M)-hash family, where N = X, M = Y Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 5 / 35

Security of Hash Functions Cryptographic Properties Preimage Resistance (One-Wayness) Instance: hash function h : X Y and y Y. Find: x X such that h(x) = y. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 6 / 35

Security of Hash Functions Cryptographic Properties Preimage Resistance (One-Wayness) Instance: hash function h : X Y and y Y. Find: x X such that h(x) = y. Second Preimage Resistance Instance: hash function h : X Y and x X. Find: x X such that x x and h(x ) = h(x). Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 6 / 35

Security of Hash Functions Cryptographic Properties Preimage Resistance (One-Wayness) Instance: hash function h : X Y and y Y. Find: x X such that h(x) = y. Second Preimage Resistance Instance: hash function h : X Y and x X. Find: x X such that x x and h(x ) = h(x). Collision Resistance Instance: hash function h : X Y. Find: x, x X such that x x and h(x ) = h(x). Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 6 / 35

Security of Hash Functions Generic Attacks in the Random Oracle Model The Random Oracle Model mathematical model of an ideal hash function hash function h : X Y is chosen randomly from Y X only oracle access (ɛ, q)-algorithm: Las Vegas algorithm with average-case success probability ɛ and at most q oracle queries Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 7 / 35

Security of Hash Functions Generic Attacks in the Random Oracle Model The Random Oracle Model mathematical model of an ideal hash function hash function h : X Y is chosen randomly from Y X only oracle access (ɛ, q)-algorithm: Las Vegas algorithm with average-case success probability ɛ and at most q oracle queries Theorem (independence property) Let h Y X be chosen at random, and let X 0 X. Suppose that the values h(x) have been determined iff x X 0. Then Pr [h(x) = y] = 1 M x X \ X 0 y Y. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 7 / 35

Security of Hash Functions Algorithm for Preimage Generic Attacks in the Random Oracle Model Algorithm: FindPreimage(h, y, q) 1: choose X 0 X, X 0 = q 2: for all x X 0 do 3: if h(x) = y then return x 4: end for 5: return failure Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 8 / 35

Security of Hash Functions Generic Attacks in the Random Oracle Model Algorithm for Preimage Algorithm: FindPreimage(h, y, q) 1: choose X 0 X, X 0 = q 2: for all x X 0 do 3: if h(x) = y then return x 4: end for 5: return failure Theorem For any X 0 X with X 0 = q, the average-case success probability of FindPreimage(h, y, q) is ( ɛ = 1 1 1 ) q. M Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 8 / 35

Security of Hash Functions Generic Attacks in the Random Oracle Model Algorithm for Second Preimage Algorithm: FindSecondPreimage(h, x, q) 1: y h(x) 2: choose X 0 X \ {x}, X 0 = q 1 3: for all x 0 X 0 do 4: if h(x 0 ) = y then return x 0 5: end for 6: return failure Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 9 / 35

Security of Hash Functions Generic Attacks in the Random Oracle Model Algorithm for Second Preimage Algorithm: FindSecondPreimage(h, x, q) 1: y h(x) 2: choose X 0 X \ {x}, X 0 = q 1 3: for all x 0 X 0 do 4: if h(x 0 ) = y then return x 0 5: end for 6: return failure Theorem For any X 0 X \ {x} with X 0 = q 1, the success probability of FindSecondPreimage(h, x, q) is ( ɛ = 1 1 1 ) q 1. M Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 9 / 35

Security of Hash Functions Random (Second) Preimage Attack Generic Attacks in the Random Oracle Model 1 ɛ = ( 1 1 M ) q = 1 q M. q i=0 ( ) ( q 1 ) i i M Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 10 / 35

Security of Hash Functions Random (Second) Preimage Attack Generic Attacks in the Random Oracle Model 1 ɛ = ( 1 1 M ) q = 1 q M. q ɛm. q i=0 ( ) ( q 1 ) i i M Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 10 / 35

Security of Hash Functions Random (Second) Preimage Attack Generic Attacks in the Random Oracle Model 1 ɛ = ( 1 1 M ) q = 1 q M. q ɛm. q i=0 ( ) ( q 1 ) i i M = (ɛ, O(M))-algorithm Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 10 / 35

Algorithm for Collision Security of Hash Functions Generic Attacks in the Random Oracle Model Algorithm: FindCollision(h, q) 1: choose X 0 X, X 0 = q 2: for all x X 0 do y x h(x) 3: if y x = y x for some x x then return (x, x ) 4: else return failure Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 11 / 35

Algorithm for Collision Security of Hash Functions Generic Attacks in the Random Oracle Model Algorithm: FindCollision(h, q) 1: choose X 0 X, X 0 = q 2: for all x X 0 do y x h(x) 3: if y x = y x for some x x then return (x, x ) 4: else return failure Theorem For any X 0 X with X 0 = q, the success probability of Collision(h, q) is q 1 ( ɛ = 1 1 i ). M i=1 Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 11 / 35

Security of Hash Functions Birthday (Collision) Attack Generic Attacks in the Random Oracle Model 1 ɛ = q 1 i=1 = exp ( 1 i ) q 1 M i=1 ) ( q(q 1) 2M ( exp i ) ( = exp M exp ) ( q2. 2M q 1 i=1 ) i M Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 12 / 35

Security of Hash Functions Birthday (Collision) Attack Generic Attacks in the Random Oracle Model 1 ɛ = q 1 i=1 = exp q ( 1 i ) q 1 M i=1 ) ( 2M log q(q 1) 2M 1 1 ɛ. ( exp i ) ( = exp M exp ) ( q2. 2M q 1 i=1 ) i M Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 12 / 35

Security of Hash Functions Birthday (Collision) Attack Generic Attacks in the Random Oracle Model 1 ɛ = q 1 i=1 = exp q ( 1 i ) q 1 M i=1 ) ( 2M log q(q 1) 2M 1 1 ɛ. ( exp i ) ( = exp M exp ) ( q2. 2M = (ɛ, O( M))-algorithm q 1 i=1 ) i M Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 12 / 35

Security of Hash Functions Birthday (Collision) Attack Generic Attacks in the Random Oracle Model 1 ɛ = q 1 i=1 = exp q ( 1 i ) q 1 M i=1 ) ( 2M log q(q 1) 2M 1 1 ɛ. ( exp i ) ( = exp M exp ) ( q2. 2M = (ɛ, O( M))-algorithm q 1 i=1 ) i M Example (Birthday Paradox) ɛ = 0.5, M = 365 = q 1.17 M 22.3. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 12 / 35

Security of Hash Functions Generic Attacks in the Random Oracle Model Generic Attacks on Cryptographic Hash Functions attack random (second) preimage birthday (collision) algorithm (ɛ, O(M)) (ɛ, O( M)) Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 13 / 35

Security of Hash Functions Generic Attacks in the Random Oracle Model Generic Attacks on Cryptographic Hash Functions attack random (second) preimage birthday (collision) algorithm (ɛ, O(M)) (ɛ, O( M)) attacks are optimal in the random oracle model minimum acceptable size of a message digest: 128 bits 160-bit message digest (or larger) recommended Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 13 / 35

Security of Hash Functions Reduce Collision to Second Preimage Comparison of Security Criteria Algorithm: CollisionTo2ndPreimage(h) 1: choose x X uniformly at random 2: if Oracle2ndPreimage(h, x) = x and x x and h(x ) = h(x) then return (x, x ) 3: else return failure Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 14 / 35

Security of Hash Functions Reduce Collision to Second Preimage Comparison of Security Criteria Algorithm: CollisionTo2ndPreimage(h) 1: choose x X uniformly at random 2: if Oracle2ndPreimage(h, x) = x and x x and h(x ) = h(x) then return (x, x ) 3: else return failure Oracle2ndPreimage is (ɛ, q)-algorithm for Second Preimage = CollisionTo2ndPreimage is (ɛ, q + 2)-algorithm for Collision collision resistance = second preimage resistance Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 14 / 35

Security of Hash Functions Reduce Collision to Preimage Comparison of Security Criteria Algorithm: CollisionToPreimage(h) Require: OraclePreimage is (1, q)-algorithm 1: choose x X uniformly at random 2: y h(x) 3: if OraclePreimage(h, y) = x and x x then return (x, x ) 4: else return failure Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 15 / 35

Security of Hash Functions Reduce Collision to Preimage Comparison of Security Criteria Algorithm: CollisionToPreimage(h) Require: OraclePreimage is (1, q)-algorithm 1: choose x X uniformly at random 2: y h(x) 3: if OraclePreimage(h, y) = x and x x then return (x, x ) 4: else return failure Theorem Let h : X Y be a compression function, where X 2 Y. Suppose OraclePreimage is a (1, q)-algorithm that solves Preimage for h. Then CollisionToPreimage is a (1/2, q + 1)-algorithm for Collision, for the fixed compression function h. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 15 / 35

Security of Hash Functions Comparison of Security Criteria Proof. x x h(x) = h(x ) is equivalence relation on X Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 16 / 35

Security of Hash Functions Comparison of Security Criteria Proof. x x h(x) = h(x ) is equivalence relation on X C := X /, so C = Y Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 16 / 35

Security of Hash Functions Comparison of Security Criteria Proof. x x h(x) = h(x ) is equivalence relation on X C := X /, so C = Y for x X the probability of success is ( [x] 1)/ [x] Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 16 / 35

Security of Hash Functions Comparison of Security Criteria Proof. x x h(x) = h(x ) is equivalence relation on X C := X /, so C = Y for x X the probability of success is ( [x] 1)/ [x] Pr[success] = 1 [x] 1 = 1 X [x] X x X C C = 1 X C C X X /2 X ( C 1) = = 1 2. X Y X x C C 1 C Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 16 / 35

Iterated Hash Functions Iterated Hash Functions Compress : {0, 1} m+t {0, 1} m, t 1. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 17 / 35

Iterated Hash Functions Iterated Hash Functions Compress : {0, 1} m+t {0, 1} m, t 1. 1 preprocessing input string x, x m + t + 1 construct y = y 1 y 2 y r, x y(x) injection y i = t y = x Pad(x) padding function Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 17 / 35

Iterated Hash Functions Design of Iterated Hash Functions 2 processing z 0 IV, IV = m z 1 Compress(z 0 y 1 ). z r Compress(z r 1 y r ) Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 18 / 35

Iterated Hash Functions Design of Iterated Hash Functions 2 processing z 0 IV, 3 optional output transformation g : {0, 1} m {0, 1} l IV = m z 1 Compress(z 0 y 1 ). z r Compress(z r 1 y r ) Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 18 / 35

Iterated Hash Functions Design of Iterated Hash Functions 2 processing z 0 IV, 3 optional output transformation g : {0, 1} m {0, 1} l h : i=m+t+1 IV = m z 1 Compress(z 0 y 1 ). z r Compress(z r 1 y r ) {0, 1} i {0, 1} l, h(x) = g(z r ). Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 18 / 35

Iterated Hash Functions The Merkle-Damgård Construction The Merkle-Damgård Construction Theorem (Merkle-Damgård) Suppose Compress : {0, 1} m+t {0, 1} m is a collision resistant compression function, where t 1. Then there exists a collision resistant hash function h : {0, 1} i {0, 1} m. i=m+t+1 The number of times Compress is computed in the evaluation of h is at most 1 + n t 1 if t 2, where x = n. 2n + 2 if t = 1, Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 19 / 35

Iterated Hash Functions The Secure Hash Algorithm (SHA-1) The Secure Hash Algorithm (SHA-1) Ron Rivest: 128-bit hash function MD4 and strengthened version MD5 design goals: (direct) security speed simplicity and compactness collisions for MD4 (Dobbertin) and compression function of MD5 (Boer/Bosselaers) Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 20 / 35

Iterated Hash Functions The Secure Hash Algorithm (SHA-1) The Secure Hash Algorithm (SHA-1) Ron Rivest: 128-bit hash function MD4 and strengthened version MD5 design goals: (direct) security speed simplicity and compactness collisions for MD4 (Dobbertin) and compression function of MD5 (Boer/Bosselaers) NIST & NSA: 160-bit hash function SHA-1 Feb. 13, 2005: collisions with < 2 69 hash operations (Wang/Yin/Yu) Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 20 / 35

Padding Scheme Iterated Hash Functions The Secure Hash Algorithm (SHA-1) Algorithm: SHA-1-Pad(x) Require: x 2 64 1 Ensure: y = 0 (mod 512) 1: d (447 x ) mod 512 2: l the binary representation of x, where l = 64 3: return y x 1 0 d l x 1 0 0 l Figure: MD-Strengthening Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 21 / 35

SHA-1 Iterated Hash Functions The Secure Hash Algorithm (SHA-1) BC ( B)D, B C D, f t (B, C, D) = BC BD CD, B C D, 5A827999, if 0 t 19, 6ED9EBA1, if 20 t 39, K t = 8F1BBCDC, if 40 t 59, CA62C1D6, if 60 t 79. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 22 / 35

SHA-1 Iterated Hash Functions The Secure Hash Algorithm (SHA-1) BC ( B)D, B C D, f t (B, C, D) = BC BD CD, B C D, 5A827999, if 0 t 19, 6ED9EBA1, if 20 t 39, K t = 8F1BBCDC, if 40 t 59, CA62C1D6, if 60 t 79. Cryptosystem: SHA-1(x) 1: y SHA-1-Pad(x) 2: denote y = M 1 M 2 M n, where each M i is a 512-bit block 3: H 0 67452301, H 1 EFCDAB89, H 2 98BADCFE 4: H 3 10325476, H 4 C3D2E1F0... Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 22 / 35

Iterated Hash Functions The Secure Hash Algorithm (SHA-1) Cryptosystem: SHA-1(x)... (continued) 1: for i 1 to n do 2: denote M i = W 0 W 1 W 15, where each W i is a word 3: for t 16 to 79 do W t (W t 3 W t 8 W t 14 W t 16 ) 1 4: A H 0, B H 1, C H 2 5: D H 3, E H 4 6: for t 0 to 79 do 7: temp (A 5) + f t (B, C, D) + E + W t + K t 8: E D, D C 9: C B 30 10: B A, A temp 11: end for 12: H 0 H 0 + A, H 1 H 1 + B, H 2 H 2 + C 13: H 3 H 3 + D, H 4 H 4 + E 14: end for 15: return H 0 H 1 H 2 H 3 H 4 Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 23 / 35

Message Authentication Codes (MACs) Message Authentication Codes (MACs) MAC = keyed hash function h K + security properties Alice and Bob share secret key K (x, h K (x)) is transmitted over insecure channel Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 24 / 35

Message Authentication Codes (MACs) Message Authentication Codes (MACs) MAC = keyed hash function h K + security properties Alice and Bob share secret key K (x, h K (x)) is transmitted over insecure channel (Existential) Forgery Instance: valid pairs (x 1, y 1 ),..., (x q, y q ) under unknown key K. Find: valid pair (x, y) such that x {x 1,..., x q }. (ɛ, q)-forger: forgery with worst-case success probability ɛ Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 24 / 35

Message Authentication Codes (MACs) Example (Iterated hash function h K with IV = K) Compress : {0, 1} m+t {0, 1} m. Given: (x, h K (x)) y = x Pad(x), y = rt. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 25 / 35

Message Authentication Codes (MACs) Example (Iterated hash function h K with IV = K) Compress : {0, 1} m+t {0, 1} m. Given: (x, h K (x)) y = x Pad(x), y = rt. x = x Pad(x) w. y = x Pad(x) w Pad(x ), y = r t, r > r. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 25 / 35

Message Authentication Codes (MACs) Example (Iterated hash function h K with IV = K) Compress : {0, 1} m+t {0, 1} m. Given: (x, h K (x)) y = x Pad(x), y = rt. x = x Pad(x) w. y = x Pad(x) w Pad(x ), y = r t, r > r. z r+1 Compress(h K (x) y r+1 ). z r Compress(z r 1 y r ). h K (x ) = z r. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 25 / 35

Message Authentication Codes (MACs) Example (Iterated hash function h K with IV = K) Compress : {0, 1} m+t {0, 1} m. Given: (x, h K (x)) y = x Pad(x), y = rt. x = x Pad(x) w. y = x Pad(x) w Pad(x ), y = r t, r > r. z r+1 Compress(h K (x) y r+1 ). z r Compress(z r 1 y r ). h K (x ) = z r. = (1, 1) forger Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 25 / 35

Nested MACs Message Authentication Codes (MACs) Nested MACs, HMAC and CBC-MAC Hash families (X, Y, L, H) and (Y, Z, K, G), X < Y Z. (X, Z, M, G H) nested MAC, M = K L, G H = { (g h) (K,L) : g K G, h L H }. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 26 / 35

Nested MACs Message Authentication Codes (MACs) Nested MACs, HMAC and CBC-MAC Hash families (X, Y, L, H) and (Y, Z, K, G), X < Y Z. (X, Z, M, G H) nested MAC, M = K L, G H = { (g h) (K,L) : g K G, h L H }. Theorem Let (X, Z, M, G H) be a nested MAC. Suppose there does not exist an (ɛ 1, q + 1)-collision attack for a h L H (L secret), and there does not exist an (ɛ 2, q)-forger for a g K G. Further suppose there exists an (ɛ, q)-forger for (g h) (K,L) G H. Then ɛ ɛ 1 + ɛ 2. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 26 / 35

HMAC Message Authentication Codes (MACs) Nested MACs, HMAC and CBC-MAC 512-bit key K. ipad = 3636 36, opad = 5C5C 5C. (512-bit) Cryptosystem: HMAC(x, K) HMAC K (x) = SHA-1((K opad) SHA-1((K ipad) x)) Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 27 / 35

Message Authentication Codes (MACs) Nested MACs, HMAC and CBC-MAC CBC-MAC (P, C, K, E, D) endomorphic cryptosystem, P = C = {0, 1} t. K K, e K E. Cryptosystem: CBC-MAC(x, K) 1: denote x = x 1 x n, x i = t 2: y 0 00 0 initial value 3: for i 1 to n do y i e K (y i 1 x i ) 4: return y n Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 28 / 35

Message Authentication Codes (MACs) Unconditionally Secure MACs Unconditionally Secure MACs a key is used to produce only one authentication tag impersonation: (ɛ, 0)-forger substitution: (ɛ, 1)-forger deception probability Pd q : maximum value of ɛ such that (ɛ, q)-forger exists (q = 0, 1) Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 29 / 35

Message Authentication Codes (MACs) Unconditionally Secure MACs Example X = Y = Z 3, K = Z 3 Z 3, H = { h (a,b) : (a, b) K } h (a,b) (x) = ax + b (mod 3). Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 30 / 35

Message Authentication Codes (MACs) Unconditionally Secure MACs Example X = Y = Z 3, K = Z 3 Z 3, H = { h (a,b) : (a, b) K } h (a,b) (x) = ax + b (mod 3). key 0 1 2 (0, 0) 0 0 0 (0, 1) 1 1 1 (0, 2) 2 2 2 (1, 0) 0 1 2 (1, 1) 1 2 0 (1, 2) 2 0 1 (2, 0) 0 2 1 (2, 1) 1 0 2 (2, 2) 2 1 0 Figure: Authentication Matrix Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 30 / 35

Message Authentication Codes (MACs) Unconditionally Secure MACs Example X = Y = Z 3, K = Z 3 Z 3, H = { h (a,b) : (a, b) K } h (a,b) (x) = ax + b (mod 3). = Pd 0 = Pd 1 = 1 3 key 0 1 2 (0, 0) 0 0 0 (0, 1) 1 1 1 (0, 2) 2 2 2 (1, 0) 0 1 2 (1, 1) 1 2 0 (1, 2) 2 0 1 (2, 0) 0 2 1 (2, 1) 1 0 2 (2, 2) 2 1 0 Figure: Authentication Matrix Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 30 / 35

Message Authentication Codes (MACs) Unconditionally Secure MACs Computation of Deception Probabilities payoff(x, y) = Pr [y = h K0 (x)] = {K K : h K (x) = y}. K Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 31 / 35

Message Authentication Codes (MACs) Unconditionally Secure MACs Computation of Deception Probabilities payoff(x, y) = Pr [y = h K0 (x)] = {K K : h K (x) = y}. K Pd 0 = max {payoff(x, y) : x X, y Y}. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 31 / 35

Message Authentication Codes (MACs) Unconditionally Secure MACs Computation of Deception Probabilities payoff(x, y) = Pr [y = h K0 (x)] = {K K : h K (x) = y}. K Pd 0 = max {payoff(x, y) : x X, y Y}. payoff(x, y ; x, y) = Pr [ y = h K0 (x ) y = h K0 (x) ] = Pr [y = h K0 (x ) y = h K0 (x)] Pr [y = h K0 (x)] = {K K : h K (x ) = y, h K (x) = y}. {K K : h K (x) = y} Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 31 / 35

Message Authentication Codes (MACs) Unconditionally Secure MACs Computation of Deception Probabilities payoff(x, y) = Pr [y = h K0 (x)] = {K K : h K (x) = y}. K Pd 0 = max {payoff(x, y) : x X, y Y}. payoff(x, y ; x, y) = Pr [ y = h K0 (x ) y = h K0 (x) ] = Pr [y = h K0 (x ) y = h K0 (x)] Pr [y = h K0 (x)] = {K K : h K (x ) = y, h K (x) = y}. {K K : h K (x) = y} V = {(x, y) : {K K : h K (x) = y} 1}. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 31 / 35

Message Authentication Codes (MACs) Unconditionally Secure MACs Computation of Deception Probabilities payoff(x, y) = Pr [y = h K0 (x)] = {K K : h K (x) = y}. K Pd 0 = max {payoff(x, y) : x X, y Y}. payoff(x, y ; x, y) = Pr [ y = h K0 (x ) y = h K0 (x) ] = Pr [y = h K0 (x ) y = h K0 (x)] Pr [y = h K0 (x)] = {K K : h K (x ) = y, h K (x) = y}. {K K : h K (x) = y} V = {(x, y) : {K K : h K (x) = y} 1}. Pd 1 = max { payoff(x, y ; x, y) : x x X, y, y Y, (x, y) V }. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 31 / 35

Message Authentication Codes (MACs) Strongly Universal Hash Families Unconditionally Secure MACs Definition Let (X, Y, K, H) be an (N, M)-hash family. This hash family is strongly universal, if { K K : h K (x) = y, h K (x ) = y } = K M 2 for all x, x X such that x x, and for all y, y Y. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 32 / 35

Message Authentication Codes (MACs) Strongly Universal Hash Families Unconditionally Secure MACs Definition Let (X, Y, K, H) be an (N, M)-hash family. This hash family is strongly universal, if { K K : h K (x) = y, h K (x ) = y } = K M 2 for all x, x X such that x x, and for all y, y Y. Lemma Let (X, Y, K, H) be a strongly universal (N, M)-hash family. Then {K K : h K (x) = y} = K M x X y Y. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 32 / 35

Message Authentication Codes (MACs) Unconditionally Secure MACs Proof. Let x, x X such that x x, and let y Y. {K K : h K (x) = y} = y Y { K K : h K (x) = y, h K (x ) = y } = y Y K M 2 = K M. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 33 / 35

Message Authentication Codes (MACs) Unconditionally Secure MACs Proof. Let x, x X such that x x, and let y Y. {K K : h K (x) = y} = y Y { K K : h K (x) = y, h K (x ) = y } = y Y K M 2 = K M. Theorem Let (X, Y, K, H) be a strongly universal (N, M)-hash family. Then (X, Y, K, H) is an authentication code with Pd 0 = Pd 1 = 1 M. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 33 / 35

Message Authentication Codes (MACs) Unconditionally Secure MACs Proof. Let x X and y Y. payoff(x, y) = {K K : h K (x) = y} K = K /M K = 1 M. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 34 / 35

Message Authentication Codes (MACs) Unconditionally Secure MACs Proof. Let x X and y Y. payoff(x, y) = {K K : h K (x) = y} K = K /M K = 1 M. Now let x, x X such that x x, and let y, y Y, where (x, y) V. payoff(x, y ; x, y) = {K K : h K (x ) = y, h K (x) = y} {K K : h K (x) = y} = K /M2 K /M = 1 M. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 34 / 35

Message Authentication Codes (MACs) Unconditionally Secure MACs Proof. Let x X and y Y. payoff(x, y) = {K K : h K (x) = y} K = K /M K = 1 M. Now let x, x X such that x x, and let y, y Y, where (x, y) V. payoff(x, y ; x, y) = {K K : h K (x ) = y, h K (x) = y} {K K : h K (x) = y} = K /M2 K /M = 1 M. = Pd 0 = Pd 1 = 1 M Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 34 / 35

Thanks for listening! References For further reading: Douglas R. Stinson Cryptography: Theory and Practice 2 nd ed., Chapman & Hall/CRC, 2002. Bruce Schneier Applied Cryptography: Protocols, Algorithms, and Source Code in C John Wiley & Sons, Inc., 1994. Bart van Rompay Analysis and Design of Cryptographic Hash Functions, MAC Algorithms and Block Ciphers Ph. D. thesis, Katholieke Universiteit Leuven, 2004. Johannes Mittmann (TU München) One-Way Encryption JASS 2005 IT Security 35 / 35

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information