Lecture 10: NMAC, HMAC and Number Theory

Transcription

1 CS 6903 Modern Cryptography April 13, 2011 Lecture 10: NMAC, HMAC and Number Theory Instructor: Nitesh Saxena Scribes: Anand Desai,Manav Singh Dahiya,Amol Bhavekar 1 Recap 1.1 MACs A Message Authentication Code (MAC) is a piece of information used to authenticate a message. MACs are generated using deterministic symmetric key MAC functions, as shown in figure 1. Figure 1: MAC Notation Pseudo Random Function i.e. PRF can be used to construct the MAC schemes. Theorem 1 Any PRF that works on l bit long inputs can be used to authenticate l bit long messages. Any MAC scheme which is constructed using PRF is secured against chosen message attack(cma).for e.g. CBC-MAC scheme. The game in figure 2 captures the notion of an existential forgery with an adaptively chosen message attack. CBC-MAC scheme is secured against such attack. 1.2 CBC MACs with PRFs Architecture of CBC MAC is shown in figure 3. The advantages of adversaries trying to attack these properties is given in equation below. 10-1

2 Figure 2: CMA Attack Experiment Figure 3: CBC MAC Adv CMA (A) Adv PRF (B) + q(q 1)/2.2 l (1) Thus a MAC using a secure PRF is secure when 1/2 l is negligible. However there are some disadvantages of CBC MAC. Deterministic:As shown in figure 3, first block of message, m1 is always encrypted with 0 intialization vector(iv). Each time random value for IV is not used. If each time random IV is chosen then verification will be difficult. Fixed Length is required:cbc MAC can only be used on messages of a fixed length. Which works with some schemes such as American Encryption Standard(AES). There are 2 solutions to overcome the restriction on CBC MAC. Incorporate the number of message blocks(or length of the message) into the block computation. Use Hash-based Message Authentication Code (HMAC): HMAC(K,m). HMAC can be used to authenticate arbitrarily long messages. HMAC is also CMA secure. 10-2

3 2 Nested MAC (NMAC) NMAC function is a hash function with two keys First the message is compressed using a cascading hash function, H k 2 (x), then the output of the cascading hash function is input into a compression function h k 1 (x). These functions are illustrated in figure 4. NMAC K1,K 2 (x) = h k 1 (H k 2 (x)) (2) Figure 4: Architecture NMAC Note that the only difference between H k 2 (x) and H(x) is that in the former the fixed IV is replaced with key k 2. Essentially, the purpose of H is to pare the message down to a size that can be handled by h. Theorem 2 NMAC is CMA secure MAC if H is collision-resistant h is secure as a MAC 10-3

4 Proof. If NMAC can be broken then h can be broken. If an adversary A who can break NMAC w.r.t. CMA security then we can create an adversary B who can break h w.r.t. CMA security. This construction is depicted in the figure 5 Figure 5: CMA attack on NMAC As shown in figure A is trying to break NMAC scheme w.r.t. CMA and B is trying to break h* function w.r.t. CMA security. Steps : 1. Adversary A send message m i to adversary B. A thinks that B is signing oracle. 2. B has to pretend like signing oracle, so he needs key k 2 to hash the message. Therefore it generates keyk 2 and hashes the message to get the value of y. 3. B sends value of y calculated in earlier step to challanger C. 4. C possess the key k 1, so it calculates the h k1 (y)=µ i. 5. B sends the µ i to A. Steps 1 to 5 are repeated few times. After 4-5 cycles A comes up with the forgery µ for message M 1 such that M 1 m i. 6. A sends the value of µ to B. 10-4

5 7. µ is forgery for NMAC therefore A can use it as forgery of h k1 function. Therefore B simply finds out the value of f Hk2 (M 1) using the same key k 2 from step 2. Then he sends the pair of (M,HMAC(M)) (Hk2 (M 1),µ) to C. 8. Finally C does the verification process. It checks if µ=h k1 (H k2 (M 1))? and returns 1 if it is true else returns 0. The advantage of adversary B in this experiment is as follows: Adv h CMA(B) = P r[(h k2 (M 1) H k2 (M i), i) and µ = h k1 (H k2 (M 1))] Writing above equation in statement. = Pr(B is able to create valid forgery on h*). = 1-Pr(B is not able to create valid forgery on h*) = 1-[Pr(A) fails + P r(h k2 (M 1) = H k2 (M i)forsome i) ] = 1-[Pr(A) fails + P r(h ) had a collision ] = 1-[(1-Pr(A) wins) + Pr( a which collides on H a collision) ] = Pr(A) wins-pr( a which collides on H a collision) = Adv h CMA (A)- Pr( a which collides on H a collision ) AdvCMA h (B)= Advh CMA (A)- Pr( a which collides on H a collision ) Adv h CMA (A)=Advh CMA (B)+Pr( a which collides on H a collision ) Adv h CMA (A)= ɛ h + ɛ H We have slight loss of security if both the values given above i.e. ɛ h, ɛ H are 1/2 80. However there are some disadvantages of this scheme. In NMAC scheme intuitively also we have loss of security because outer function h works on smaller size M and NMAC is trying to MAC large message. Also in NMAC keys k 1, k 2 have to be randomized. Therefore NMAC is hard to practice. 10-5

6 3 HMAC Definition 1 (Hashed Message Authentication Code(HMAC): Figure 6 ) where HMAC K (x) = NMAC k1,k2 (x) = h k1(h k2(m 1 ) k1 = h(k opad) and k2 = h(k ipad) The default values of opad and ipad are :opad = 0x5c5c5c... 5c5cipad = 0x Figure 1 depicts the architecture of HMAC. Figure 6: HMAC. So, HMAC K (x) = H(k opad, H(k ipad, x)) Here, k= pad(k). Theorem 3 HMAC is secure if NMAC is secure. 10-6

7 Note that HMAC is quite efficient because its cost is equal to cost of hashing entire message only once. This makes HMAC a very fast construction. Also keys k 1,k 2 are derived in HMAC while in NMAC they were randomized. These values are included in HMAC mainly to increase the hamming distance between the keying data in the inner and outer calls to H(). This ensures that the two key values are as distinct as possible while using the same key in both locations. 4 Public Key Cryptography This cryptographic approach involves the use of asymmetric key algorithms. The person who anticipates receiving messages first creates both a public key and an associated private key, and publishes the public key. When someone wants to send a secure message to the creator of these keys, the sender encrypts it (transforms it to secure form) using the intended recipient s public key; to decrypt the message, the recipient uses the private key. Figure 7: Public key encryption. 4.1 Number Theory Groups In cryptography, we work with specialized sets which have special properties. These special sets are known as groups. Formal defintion of a group can be given as follows. Definition 2 (G, ) (where G is a set and : G G G) is called a group if the following properties are satisfied: 1. Closure: a,b G, a b G 10-7

8 2. Associativity: a,b,c G, (a b) c = a (b c) 3. Identity: an identity element e G such that a G, a e = e a = a 4. Inverse: an element a 1 G such that a G, a a 1 = a 1 a = e Group: Examples We know Z= Set of all integers. e.g. Z={...,-3,-2,-1,0,1,2,3,...} Z m = Set of all integers (modulo m) e.g. Z 9 ={0,1,2,3,4,5,6,7,8} Z p = Set of all integers less than prime p e.g. Z 7 ={0,1,2,3,4,5,6} Z p= Set of all integers less than prime except 0 p e.g. Z 7 ={1,2,3,4,5,6} Z n= Set of all numbers less than and relatively prime to n. e.g. Z 10={1,3,7,9} Let us consider whether or not the following sets are groups: 1. (Z, addition ) is a group because it satisfies all the 4 properties of group. For e.g. a=3,b=7,c=-9. a,b,c Z. Closure: 3+7=10 Z. Associative: (3+7)-9=1, 3+(7-9)=1. Identity: Identity element for addition 0 Z. Inverse: -3 is inverse of 3 and 3+-3=0.-3 Z. 2. (Z, multiplication ) isn t a group because it does not satisfy the inverse property. Inverse: 1/3 is inverse of 3 and 1/3 / Z. 3. (Z m, modular addition ) is a group. Z m is defined as f(a,b)=a+b mod m. e.g.z 9, f(3,2)=(3+2) mod 9=5. (Z m, modular addition ) is a group because it satisfies all the 4 properties of group. 4. (Z m, modular multiplication ) isn t a group, again due to the lack of inverses for all integers in the set. 5. (Z p, modular addition ) is a group. 10-8

9 6. (Z p, modular multiplication ) is a group. 7. (Z n, modular addition ) is not a group, because it does not satisfy closure property. Closure: e.g. Z 10 ={1,3,7,9}, if a=3, b=9 then a.b=a+b mod n = 3+9 mod 10=2 / Z (Z n, modular multiplication ) is a group Modular Arithmetic Domain used in public key cryptography is very large. Therefore function used in algorithm becomes bulky. Therefore modular arithmetic is used to see whether keys are feasible or not. 1. Modulo: (a mod N) where a = (a p 1, a p 2,..., a 1, a 0 ) Thus, N = (N q 1, N q 2,..., N 1, N 0 ) a = (a p 1 2 p 1 + a p 2 2 p a a ) N = (N q 1 2 q 1 + N q 2 2 q N N ) So the run time complexity of (a mod N) is O( a N ). If ( a = N ) then complexity is quadratic i.e. O[N 2 ]. It is efficient algorithm since it depends on length of the blocks not on the value of the message. For e.g. length of 1000 and 1111 is 4. So algorithm runs equally efficient for both the values. 2. Modular Addition: (a + b) mod N. Using addition and then modulo operation we can say the cost of modular addition: =O(max( a, b )) + O(max( a, b ) N ); Also in special case of modular addition a < N, b < N and thus a + b < 2N. (a+b) mod N= (a+b-n) Taking a = b = N, run time complexity of (a + b) mod N is O( N ). Hence we can say that Modular addition is linear. 10-9

10 3. Modular Multiplication: (a. b mod N) has running time complexity of = O( a b )+O(( a + b ) N ). = O(( a + b )) N ). = O( N 2 ) if a=b=n Hence we can say that Modular Multiplication is quadratic. 4. Modular Exponentiation: (a n mod N) has a run time complexity of =O(n a N ) Such complexity algorithms are trivial because these algorithms are cost inefficient since they deal with value of n rather length of n. An efficient algorithm such as square and multiply can be used to improve the cost. z=a n mod N, n= [n k 1, n k 2, n k 3,..., n 1, n 0 ] z = 1 for i = k 1 down to 0 do z = z 2 mod N if (n i == 1) z = (z a mod N) This algorithm has a run time complexity of = O( n a N ). = O( n N 2 ) (taking a = N ) = O( N 3 ) Intuitively we can also prove the cost of square and multiply algorithm as below z=a n mod N, n= [n k 1, n k 2, n k 3,..., n 1, n 0 ] z = a n k 1.2 k 1 +n k 2.2 k z=(a n k 1 ) 2 k 1.(a n k 2 ) 2 k 2... From above given equation we can concude that cost of the algorithm will be at least N 3. Therefore we can denote the time complexity of square and multiply algorithm as O( N 3 )