Constructing secure MACs Message authentication in action. Table of contents

Transcription

1 Constructing secure MACs Message authentication in action Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents

2 From last time Recall the definition of message authentication codes from last time: Definition 4.1. A message authentication code (MAC) is a tuple of probabilistic polynomial-time algorithms (Gen, Mac, Vrfy) such that: 1. The key-generation algorithm Gen takes as input the security parameter 1 n and outputs a key k with k n. 2. The tag-generation algorithm MAC takes as input a key k and a message m 2 {0, 1}, and output a tag t. Sincethis algorithm may be randomized, we write t Mac k (m). 3. The verification algorithm Vrfy takes as input a key k, a message m, andatagt. It outputs a bit b with b =1 meaning valid and b =0meaninginvalid. WeassumeWLOG that Vrfy is deterministic and so write this as b := Vrfy k (m, t). It is required that for every n, k, m Vrfy k (m, Mac k (m)) = 1. Secure MACs The message authentication experiment Mac-forge A, (n): 1. A random key k is generated by running Gen(1 n ). 2. The adversary A is given input 1 n and oracle access to Mac k ( ). The adversary eventually outputs a pair (m, t). Let Q denote the set of all queries that A asked to its oracle. 3. The output of the experiment is defined to be 1 if and only if (1) Vrfy(m, t) = 1; and (2) m 62 Q. Definition 4.2. A message authentication code =(Gen, Mac, Vrfy) is existentially unforgeable under an adaptive chosen-message attack if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that Pr[Mac-forge A, (n) = 1] apple negl(n).

3 Hold on All well and good, but is there such a beast? Well, maybe, if there is such a thing as a pseudorandom function.* We show how to construct a secure fixed-length MAC under this assumption.** *And maybe a few other assumptions as well. **Nice, but falls short of our goal. We show later how to convert any fixed length MAC into MAC that handles any length. Constructing secure message authentication codes Construction 4.5. Let F be a pseudorandom function. Define a fixed-length MAC for messages of length n as follows: Gen: On input 1 n, choose k {0, 1} n uniformly at random. Mac: On input a key k 2 {0, 1} n and a message m 2 {0, 1} n, output the tag t := F k (m). (If m 6= k then output nothing.) Vrfy: On input a key k 2 {0, 1} n, a message m 2 {0, 1} n,and atagt 2 {0, 1} n, output 1 if and only if t? = F k (m). (If m 6= k then output 0.)

4 Our MAC is secure Theorem 4.6 If F is a pseudorandom function, then Construction 4.5 is a fixed-length MAC for messages of length n that is existentially unforgeable under an adaptive chose-message attack. Proof. Let A be a PPT adversary. Consider a message authentication code e =( g Gen, g Mac, g Vrfy) which is the same as =(Gen, Mac, Vrfy) except that a truly random function f is used instead of the function F k.certainly, Pr[Mac-forge A, e (n) = 1] apple 2 n since for any message m 62 Q, thevaluet = f (m) isuniformly distributed in {0, 1} n. Then... Next we show that there is a negligible function negl such that Pr[Mac-forge A, (n) = 1] Pr[Mac-forge A, e(n) = 1] apple negl. Putting this together with our inequality from the previous page: Pr[Mac-forge A, e(n) = 1] apple 1 2 n we obtain Pr[Mac-forge A, (n) = 1] apple 1 2 n + negl(n) proving the theorem (modulo proving the second inequality).

5 Proving our second inequality Consider the following PPT distinguisher for distinguishing pseudorandom from truly random functions: Distinguisher D. D is given input 1 n and access to an oracle O : {0, 1} n! {0, 1} n and works are follows: 1. Run A(1 n ). Whenever A queries its MAC oracle on a message m, answer as follows: Query O with m and obtain response t; returnt to A 2. When A outputs (m, t) at the end of its execution, do: 2.1 Query O with m and obtain response ˆt. 2.2 If (1) ˆt = t; and (2) A never queried its MAC oracle on m, then output 1; otherwise output 0. It is clear the D runs in polynomial time since A does. D s oracle is a pseudorandom function If D s oracle is a pseudorandom function, then the view A when run as a sub-routine by D is distributed identically to the view of A in experiment Mac-forge A, (n). Furthermore, D outputs 1 exactly when Mac-forge A, (n) = 1. We conclude h i Pr D Fk( ) (1 n )=1 = Pr[Mac-forge A, (n) = 1] where k {0, 1} n is chosen uniformly at random.

6 D s oracle is a truly random function If D s oracle is a random function, then the view A when run as a sub-routine by D is distributed identically to the view of A in experiment Mac-forge A, e (n). Once again D outputs 1 exactly when Mac-forge A, e (n) = 1. Thus, h i Pr D f ( ) (1 n )=1 = Pr[Mac-forge A, e(n) = 1] where f Func n is chosen uniformly at random. Really and truly done Since F is a pseudorandom function and D runs in polynomial time, there exists a negligible function negl such that Pr[Mac-forge A, (n) = 1] Pr[Mac-forge A, e(n) = 1] = h i h i Pr D Fk( ) (1 n )=1 Pr D f ( ) (1 n )=1 apple negl(n).