Message Authentication

Transcription

1 Motivation Message Authentication I Spring 2003 Suppose Alice is an ATM and Bob is a Ban, and Alice sends Bob messages about transactions over a public channel Bob would lie to now that when he receives a message saying credit $128 to Carol s Account Alice, it originates from the ATM Bob is concerned with the authenticity of the message He also wants to now that Carol has not modified the message from credit $16 to Carol s Account Alice This concerns the integrity of the message Authentication and Encryption Message Authentication Codes (MACs Should we expect to get good message authentication via encryption? ie, is it enough to guarantee authenticity of M by transmitting E K (M? No! eg, if E K is CTR from lecture 6, then it is easy for Carol to change E K (16 to E K (128 via E K (128 = E K ( In general, good encryption does not necessarily imply integrity ormally: A MAC is a trio of algorithms (G,T,V such that: G(1 generates a -bit ey K T K (M generates a L(-bit tag σ V K (M, σ verifies the tag σ for the message M Require that for all K, M, random choices or states of T, V K (M,T K (M = 1 If T K is deterministic and stateless, V K is trivial Security of MACs The adversary s goal might be to sign some specific message m We want it to be hard to produce any (M,σ pair such that V K (M,σ=1 This should be true even if the adversary has seen several M,T K (M pairs Should be conservative: Allow the adversary to choose the M messsages Existential Unforgeability Notation: let Q(A O denote the list of oracle queries that A maes with O as its oracle Define the chosen-message attac ( advantage of A against MAC = (G,T,V by: Adv A, MAC ( = Pr[ V K G(1,( M, σ A K ( M, σ = 1 M L : (1, L = Q( TK T A K (1 Say that MAC is existentially unforgeable under chosen message attac if every ppt A has negligible advantage

2 MAC Insecurity or a fixed security parameter, define the Insecurity of MAC=(G,T,V against time-t adversaries which mae q queries with total message length l by: uf - MAC ( t, l = max A: A( t, l { Adv ( } A, MAC PRs are good MACs Let : K {0,1} d {0,1} s be a function family Then if K is pseudorandom, K is a good MAC for the message space {0,1} d : uf - ( t, dq ( t, q + 2 s Proof: Let A be a chosen-message forger for as a MAC We show how to construct a PR distinguisher D for that has almost the same advantage as A, and runs in the same time PRs are good MACs D f (1 : Run A(1 : respond to q with f( add q to Q Set (M,σ = output of A If f(m = σ and M Q, return 1, else return 0 Notice: Pr[D (1 = 1 = Adv A, ( And since M was never queried, Pr[D (1 = 1 1/2 s So Adv A, ( Adv A, ( 2 -s Almost-XOR-Universal 2 (AXU 2 Hash unctions Let H: K D {0,1} L be a family of functions Define the XOR-2-Universality of H by { Pr [ H ( a H ( a b } xuh Adv ( H = max K K 1 K 2 = L a1, a2 D, b {0,1} We say H is ε-almost-xor-universal 2 (ε- AXU 2 if Adv xuh (H ε H is XOR-Universal 2 if it is 1/2 L -AXU 2 Notice that Pairwise-independent hash functions are XOR-Universal 2 ε-axu 2 Hash amilies for large domains AXU 2 -MAC Let h: K {0,1} 2L {0,1} L be ε AXU 2 Define the family H : K n {0,1} 2 nl {0,1} L as follows: H K1 Kn, n = H K2 Kn (h K1,h K1 (a 3,a 4,,h K1 (a 2 n-1 n; H K = h K Claim: H is (nε-axu 2 Proof: If the inputs to h Kn are not the same, then the xor-probability is at most ε The probability that the inputs to h Kn are the same is at most ε given that not all inputs to h K(n-1 are the same, and so on Let : K {0,1} l {0,1} L be a PR Let H : K D {0,1} L be ε-axu 2 Define the MAC C-UHM as follows: G: Select K K, κ K Return (K, κ T (K, κ (M = Let x = H κ (M; τ = K (ctr x;σ=(ctr,τ Set ctr = ctr+1 Return σ V (K, κ (M,(s,τ = 1 iff K (s τ = H κ (M

3 C-UHM theorem Theorem: for any q 2 l, uf- C-UHM (t,l ε + (t,q+1 Proof: Let A be any MAC adversary Suppose we choose ƒ and run A against UHM instantiated with ƒ in place of K Denote the queries that A maes by M i, 1 i q; denote the responses by σ i = (i,τ i inally, A returns some message M {M 1,,M q }, and a tag (s,τ C-UHM Theorem, continued Let NEW be the event that s > q-1, that is, the s returned by A was not a value input to ƒ in C- UHM Let OLD be the event s < q Claim 1: Pr[V κƒ (M,(s,τ = 1 OLD ε Proof: Pr[V κƒ (M,(s,τ = 1 = Pr[H κ (M H κ (M s = τ τ s ε Claim 2: Pr[V κƒ (M,(s,τ = 1 NEW 2 -L Proof: = Pr[H κ (M τ = ƒ(s = 2 -L C-UHM Theorem, continued Thus: Pr[V κƒ (M,(s,τ = 1 = Pr[V κƒ (M,(s,τ = 1 OLD Pr[OLD + Pr[V κƒ (M,(s,τ = 1 NEW(1-Pr[OLD εq + 2 -L (1-q εq + ε(1-q = ε The theorem follows, since we can distinguish K from ƒ by trying to use A to forge a MAC and then checing if A was successful R-UHM Let : K {0,1} l {0,1} L be a PR Let H : K D {0,1} L be ε-axu 2 Define the MAC R-UHM as follows: G: Select K K, κ K Return (K, κ T (K, κ (M = Choose s {0,1} l Let x = H κ (M; τ = K (s x Return σ=(s,τ V (K, κ (M,(s,τ = 1 iff K (s τ = H κ (M R-UHM theorem CBC-MAC Theorem: for any q 2 l/2, uf- R-UHM (t,l ε + (t,q+1 + q(q-1/2 l+1 Proof: Consider the same experiment as before Clearly when there are no collisions in the values s 1,,s q, the same argument upper bounds the success probability of A And when there is a collision, the success probability of A is at most 1 The probability of a collision is q(q-1/2 l+1 Let : {0,1} {0,1} l {0,1} l be a PR Define the MAC (m on ml-bit messages as follows: T K,,x m = Let y 0 = 0 l or i = 1,,m y i = K (M i y i-1 return y m Theorem: Insec (m (t,q Insec (t+o(qml,qm + 3q 2 m 2 /2 l+1 So (m is a secure MAC if is a secure PR

4 CBC-MAC Proof CBC-MAC proof Lemma 1: If ƒ l,l then Insec ƒ (m (q 3m 2 q 2 /2 l+1 Consider the 2 l -ary tree of depth m A sequence of strings X =,,x n {0,1} nl uniquely specifies a node in this tree Let f: {0,1} l {0,1} l, denote the labeling of a sequence x 1 x n by Z f ( = 0 l, Y f,,x n = x n Z f,,x n-1, Z f (X=f(Y f (X Call,,X n a query sequence if every X i has parent either the root or X j for some j < i Consider an (unbounded adversary A trying to distinguish ƒ (m from a sample from ml,l with q queries We let A mae qm queries X 1 X qm in the form of a query tree, and whenever X i is at depth m, A learns Z ƒ (X i We let Z n be the depth-m labels A has learned after the n th query, and V n =,,X n ; Z n denotes the View of A after the n th query If the labeling Z f is collision-free, then A s view is identical to its view on a random function from ml bits to l bits So we only need to bound the probability of a collision in Z f CBC-MAC Proof Lemma 2: Let Z n1 and Z n2 be collision-free output labelings consistent with a depth-m labeling Z n, Then: Pr[Z n = Z n1 V n =,,X n ; Z n = Pr[Z n = Z n2 V n =,,X n ; Z n Proof: By induction Obviously true for n=1, since the first node in a query tree is not at depth m Lemma 2 proof, con t Two cases for n>1: X n at depth < m Then the view is independent of Z Thus Pr[Z n = Z ni V n = Pr[Z n =Z ni Pr[Z n = Z ni Z n-1, V n-1 2 -l These are equal for i=1,2 by IH X at depth m Then Pr[Z n = Z ni V n = Z n-1i V n-1,z n = z = Pr[Z n = z Z n-1,v n-1 Pr[Z n-1 V n- 1 /Pr[Z n = z = 2 -l Pr[Z n-1 /Pr[Z n = z Lemma 3 Lemma 3: Let C(Z denote the event that Z is collision-free Let [E denote the quantity Pr[E V n =,,X n ;Z n, C(Z n Let n 2 /4 + n -1 2 l /2 Let {X 1,,X m } and i<m; let z S be a collision-free label of the nodes in S = {X 1,,X n } \ { } consistent with Z n Then (1 or any x i+1 S, any y* {0,1} l : [Y n x i+1 = y* Z ns = z S 2 2 -l (2 or any z* {0,1} l, [Z n =z* Z ns =z S 2 2 -l Proof of Lemma 3(1 Let y {0,1} l be some fixed string Define the labeling Z z,y = z S x 1, and y x i+1 otherwise Let Y z,y be the labeling induced by Z z,y : Y z,y = y S children y x i+1 x i+1 if X j x i+1 Let Y(z S be the set of all strings y such that Z z,y is collision-free y Y(z S iff either: y x i+1 {z S : 0 < j < n+1 and X j }; or for some x i+1, y x i+1 x i+1 {y S, X j children, and 0 < j < n+1} Thus {0,1} l \ Y(z S (n-1 + (n-s(s n-1 + n 2 /4 2 l /2 This proves (1

5 Proof of Lemma 3(2 Let z {0,1} l be some fixed string Define the labeling Z z,y = z S x 1, and z otherwise Let Y z be the labeling induced by Z,z : Y z = y S children z x i+1 if X j x i+1 Let Z(z S be the set of all strings z such that Z z is collision-free z Z(z S iff either: z {z S : 0 < j < n+1 and X j }; or for some x i+1, z x i+1 {y S, X j children, and 0 < j < n+1} Thus {0,1} l \ Y(z S (n-1 + (n-s(s n-1 + n 2 /4 2 l /2 This proves (2 Lemma 4: Pr[not C(Z Let n 2 /4 + n-1 < 2 l /2 Let X 1 X n be a query sequence and Z be the labeling of depth-m nodes Then Pr[not C(Z n+1 V n,c(z n 3n 2 -l Proof: Denote Pr[E V n,c(z n by [E Case 1: X n+1 is at depth 1 Then let X n+1 * Y+1 * by definition Now for each 1 t n, [Y n (X t = x 1 * This is because if X t is at level 1, Pr[Y(X t = x 1 * = 0 Otherwise X t is at depth at least 2, and is the child of some {X 1 X n } and so the equation follows because of lemma 3 Then [not C(Z n [x 1 * {Y n,,y n } + [Z n+1 +1 {Z n Z n } x 1 * {Y n,,y n } 2n/2 l + n/2 l = 3n/2 l Lemma 4: Case 2 Case 2: X n+1 = x 1 x i+1, i > 0, is the child of some x 1 {X 1,,X n } Let S = {X 1,,X n } \ {x 1 } Notice that for any X t {X 1,,X n }, [Y n+1 +1 = Y n (X t 2/2 l Since if X n+1 and X t are siblings, the probability is 0, and otherwise any collision free labeling z S determines Y n (X t ; thus [Y n+1 +1 = Y n (X t = Σ z [Y n+1 +1 = Y n (X t Z ns = z S Pr[Z ns =z S = Σ z [Z n = Y n (X t x i+1 Z ns = z S Pr[Z ns =z S 2/2 l Σ z Pr[Z ns =z S 2/2 l This gives us that [not C(Z n+1 [Y n+1 +1 {Y n,,y n } + [Z n+1 +1 {Z n Z n } Y n+1 +1 {Y n,,y n } 2n/2 l + n/2 l = 3n/2 l Pr[C(Z So Pr[not C(Z Σ n Pr[not C(Z n C(Z n-1 3/2 l (qm(qm-1/2 = 3/2 q 2 m 2 /2 l