Hash functions : MAC / HMAC

Transcription

1 Hash functons : MAC / HMAC Outlne Message Authentcaton Codes Keyed hash famly Uncondtonally Secure MACs Ref: D Stnson: Cryprography Theory and Practce (3 rd ed), Chap 4. Unversal hash famly Notatons: X s a set of possble messages Y s a fnte set of possble message dgests or authentcaton tags? F X,Y s the set of all functons from X to Y : Defnton 4.1: A keyed hash famly s a four-tuple F =(X, Y, K,H), where the followng condton are satsfed: K, the keyspace, s a fnte set of possble keys H, the hash famly, a fnte set of at most K hash functons. For each K K, there s a hash functon h K H. Each h k : X Y Compresson functon: X s a fnte set, N= X. Eg X = {0,1} k+r N = 2 k+r Y s a fnte set M= Y. Eg Y = {0,1} r M=2 r F X,Y = M N F s denoted (N,M)-hash famly 1

2 Random Oracle Model Model to analyze the probablty of computng premage, second pre-mage or collsons: In ths model, a hash functon h K : X Y s chosen randomly from F The only way to compute a value h K (x) s to query the oracle. THEOREM 4.1 Suppose that h F X,Y s chosen randomly, and let X 0 X. Suppose that the values h(x) have been determned (by queryng an oracle for h) f and only f x X 0. Then, for all x X \ X 0 and all y Y, Pr[h(x)=y] = 1/M Algorthms n the Random Oracle Model Randomzed algorthms make random choces durng ther executon. A Las Vegas algorthm s a randomzed algorthm may fal to gve an answer f the algorthm does return an answer, then the answer must be correct. A randomzed algorthm has average-case success probablty ε f the probablty that the algorthm returns a correct answer, averaged over all problem nstances of a specfed sze, s at least ε (0 ε<1). For all x (randomly chosen among all nputs of sze s): Pr( Algo(x) s correct) ε (ε,q)-algorthm : termnology to desgn a Las Vegas algorthm that: the average-case success probablty ε the number of oracle queres made by algorthms s at most q. 2

3 Example of (ε,q)-algorthm Algorthm 4.1: FIND PREIMAGE (h, y, q) choose any X 0 X, X 0 = q for each x X 0 do { f h(x) = y then return (x) ; } return (falure) THEOREM 4.2 For any X 0 X wth X 0 = q, the average-case success probablty of Algorthm 4.1 s ε=1 - (1-1/M) q. Algorthm 4.1 s a (1 - (1-1/M) q ; q ) algorthm Proof Let y Y be fxed. Let Χ 0 = {x 1,x 2..,x q }. The Algo s successful ff there exsts such that h(x ) = y. For 1 q, let E denote the event h(x ) = y. The E s are ndependent events; from Theo. 4.1, Pr[E ] = 1/M for all 1 q. Therefore, Pr[E 1 E 2... E q ] =1 1 1 q M The success probablty of Algorthm 4.1, for any fxed y, s constant. Therefore, the success probablty averaged over all y Y s dentcal, too. Message Authentcaton Codes One common way of constructng a MAC s to ncorporate a secret key nto an unkeyed hash functon. Suppose we construct a keyed hash functon h K from an unkeyed terated hash functon h, by defnng IV=K and keepng ths ntal value secret. Attack: the adversary can easly compute hash wthout knowng K (so IV) wth a (1-1) algorthm: Let t = sze of the blocks n the terated scheme Choose x and compute z r = h(x pad(x)) (one oracle call) Let x = x pad(x) w, where w s any btstrng of length t Let y = x pad(x ) = x pad(x) w pad(x ) (snce paddng s known) Now compute y = IteratedScheme( y, w pad(x ) ) (terated scheme s known) Return y ; 3

4 Message Authentcaton Codes Assume MD terated scheme s used, let z r = h K (x) The adversary computes z r+1 compress(h K (x) y r+1 ) z r+2 compress(z r+1 y r+2 ) z r compress((z r -11 y r ) and returns z r that verfes z r =h K (x ). Def: an (ε,q)-forger s an adversary who queres message x 1,,x q, gets a vald (x, y), x! {x 1,,x q } wth a probablty at least ε that the adversary outputs a forgery (e a correct couple (x,h(x)) Nested MACs and HMAC A nested MAC bulds a MAC algorthm from the composton of two hash famles (X,Y,K,G), (Y,Z,L,H) composton: (X,Z,M,G H) M = K L G H = { g h: g G, h H } (g h) (K,L) (x) = h L ( g K (x) ) for all x X The nested MAC s secure f (Y,Z,L,H) s secure as a MAC, gven a fxed key (X,Y,K,G) s collson-resstant, gven a fxed key 4

5 Nested MACs and HMAC 3 adversares: a forger for the nested MAC (bg MAC attack) (K,L) s chosen and kept secret The adversary chooses x and query a bg (nested) MAC oracle for values of h L (g K (x)) output (x,z) such that z = h L (g K (x )) (x was not query) a forger for the lttle MAC (lttle MAC attack) (Y,Z,L,H) L s chosen and kept secret The adversary chooses y and query a lttle MAC oracle for values of h L (y) output (y,z) such that z = h L (y ) (y was not query) Nested MACs and HMAC a collson-fnder for the hash functon, when the key s secret (unknown-key collson attack) (X,Y,K,G) K s secret The adversary chooses x and query a hash oracle for values of g K (x) output x, x such that x x and g K (x ) = g K (x ) 5

6 Nested MACs and HMAC THEOREM 4.9 Suppose (X,Z,M,G H) s a nested MAC. Suppose there does not exst an (ε 1,q+1)-collson attack for a randomly chosen functon g K G, when the key K s secret. Further, suppose that there does not exst an (ε 2,q)-forger for a randomly chosen functon h L H, where L s secret. Fnally, suppose there exsts an (ε,q)-forger for the nested MAC, for a randomly chosen functon (g h) (K,L) G H. Then ε ε 1 +ε 2 Proof Adversary queres x 1,..,x q to a bg MAC oracle and get (x 1, z 1 )..(x q, z q ) and outputs vald (x, z) Proof x, x 1,.., x q make q+1 queres to a hash oracle. y = g K (x), y 1 = g K (x 1 ),..., y q = g K (x q ) f y {y 1,..,y q }, say y = y, then x, x s soluton to Collson f y! {y 1,..,y q }, output (y, z) whch s a vald par for the lttle MAC. make q lttle MAC queres and get (y 1,z 1 ),..., (y q,z q ) probablty that (x, z) s vald and y! {y 1,..,y q } s at least ε-ε 1. Success probablty of any lttle MAC attack s most ε 2 so ε 2 ε-ε 1 ε ε 1 +ε 2 6

7 Nested MACs and HMAC HMAC s a nested MAC algorthm that s proposed FIPS standard. HMAC K (x) = SHA-1( (K opad) SHA-1( (K pad) x ) ) x s a message K s a 512-bt key pad = (512 bt) opad = 5C5C.5C (512 bt) CBC-MAC(x, K) Cryptosystem 4.2: CBC-MAC (x, K) denote x = x 1 x n,x s a btstrng of length t IV (t zeroes) y 0 IV for 1 to n do y e K (y -1 x ) return (y n ) 7

8 CBC-MAC(x, K) (1/2, O(2 t/2 ))-forger attack n 3, q t/2 x 3,, x n are fxed btstrngs of length t. choose any q dstnct btstrngs of length t, x 11,, x 1q, and randomly choose x 21,, x 2 q defne x l = x l, for 1 q and 3 l n defne x = x 1 x n for 1 q x x j f j, because x 1 x 1j. The adversary requests the MACs of x 1, x 2,, x q CBC-MAC(x, K) In the computaton of MAC of each x, values y 0 y n are computed, and y n s the resultng MAC. Now suppose that and x have x dentcal MACs. h K (x ) = h K (x j ) f and only f y 2 = y 2j, whch happens f and only f y 1 x 2 = y j 1 x 2j. Let x δ be any btstrng of length t v = x 1 (x 2 x δ ) x n w = x j 1 (x j 2 x δ ) x j n The adversary requests the MAC of v It s not dffcult to see that v and w have dentcal MACs, so the adversary s successfully able to construct the MAC of w,.e. h K (w) = h K (v)!!! 8

9 4.5 Uncondtonally Secure MACs (Skp ths secton!!) Uncondtonally secure MACs a key s used to produce only one authentcaton tag an adversary make at most one query. Decepton probablty Pd q maxmum value of ε such that (ε,q)-forger for q = 0, 1 payoff (x, y) = Pr[y = h K0 (x)] Impersonaton attack ((ε,0)-forger) Pd 0 = max{ payoff(x,y): x X, y Y } (4.1) Uncondtonally Secure MACs Substtuton attack ((ε,1)-forger) query x and y s reply, x X, y Y probablty that (x, y ) s a vald s payoff(x,y ;x,y), x X and x x payoff(x,y ;x,y) = Pr[y = h K0 (x )) y = h K0 (x)] = V = {(x, y): {K K : h K (x) = y} 1} Pd 1 = max{ payoff(x, y ; x, y): x, x X, y, y Y, (x,y) V, x x } (4.2) 9

10 Uncondtonally Secure MACs Example 4.1 X = Y = Z 3 and K = Z 3 Z 3 for each K = (a,b) K and each x X, h (a,b) (x) = ax + b mod 3 H = {h (a,b) : (a,b) Z 3 Z 3 } Pd 0 = 1/3 query x = 0 and answer y = 0 possble key K 0 {(0,0),(1,0),(2,0)} If (1,1) s vald ff K 0 = (1,0) The probablty that K 0 s key s 1/3 Pd 1 = 1/3 Key\x (0,0) (0,1) (0,2) (1,0) (1,1) (1,2) (2,0) (2,1) (2,2) Authentcaton matrx Strongly Unversal Hash Famles Defnton 4.2: Suppose that (X,Y,K,H) s an (N,M) hash famly. Ths hash famly s strongly unversal provded that the followng condton s satsfed for every x, x X such that x x, and for every y, y Y : {K K : h K (x) = y, h K (x ) = y } = K /M 2 Example 4.1 s a strongly unversal (3,3)-hash famly. 10

11 Uncondtonally Secure MACs LEMMA 4.10 Suppose that (X,Y,K,H) s a strongly unversal (N,M)-hash famly. Then {K K : h K (x) = y} = K /M for every x X and for every y Y. Proof x, x X and y Y, where x x {K K : h K (x) = y} = Uncondtonally Secure MACs THEOREM 4.11 Suppose that (X,Y,K,H) s a strongly unversal (N,M)-hash famly. Then (X,Y,K,H) s an authentcaton code wth Pd 0 = Pd 1 = 1/M Proof From Lemma 4.10 payoff(x,y) = 1/M for every x X and y Y, and Pd 0 = 1/M x,x X such that x x and y,y Y, where (x,y) V payoff(x,y ;x,y)= Therefore Pd 1 = 1/M 11

12 Uncondtonally Secure MACs THEOREM 4.12 Let p be prme. For a, b Z p, defne f a,b : Z p Z p by the rule f (a,b) (x) = ax + b mod p Then (Z p, Z p, Z p Z p, {f a,b : Z p Z p }) s a strongly unversal (p,p)-hash famly. Proof x, x, y, y Z p, where x x. ax + b y (mod p), and a x + b y (mod p) a = (y-y )(x -x) -1 mod p, and b = y - x(y -y)(x -x) -1 mod p (note that (x - x) -1 mod p exsts because x! x (mod p) and p s prme) 12