Lecture 10: NMAC, HMAC and Number Theory

Transcription

1 CS 6903 Modern Cryptography April 10, 2008 Lecture 10: NMAC, HMAC and Number Theory Instructor: Nitesh Saxena Scribes: Jonathan Voris, Md. Borhan Uddin 1 Recap 1.1 MACs A message authentication code (MAC) is a piece of information used to authenticate a message. MACs are generated using deterministic symmetric key MAC functions, as shown in figure 1. Figure 1: MAC Notation Theorem 1 Any PRF that works on l bit long inputs can be used to authenticate l bit long messages. The game in figure 2 captures the notion of an existential forgery with an adaptively chosen message attack (CMA). One example of a practical circumstance where the CMA notation applies is when a MAC is used in a challenge-response authentication protocol such as the one in figure 3. In this protocol Alice is effectively acting as a signing oracle. Note that this situation is weaker than the CMA notion because in this protocol the attacker does not have full control over the challenge value. 1.2 MACs and PRFs A secure PRF can be used as a MAC because an attacker who can break the MAC WRT the CMA property can also break the security of the PRF. The advantages of adversaries trying to attack these properties are related as follows: 10-1

2 Figure 2: CMA Attack Experiment Figure 3: A Simple Challenge-Response Authentication Protocol using a MAC Adv CMA (A) Adv PRF (B) + 1/2 l (1) Thus a MAC using a secure PRF is secure when 1/2 l is negligible. A shortcoming of MACs is that they can only be used on messages of a fixed length. Two algorithms which do not have this requirement are: CBC-MAC: The final block of a block cipher in CBC mode can be used as a MAC. Verification proceeds as with MACs in the general sense. A CBC-MAC is secure if the underlying PRF is secure and the number of blocks is fixed. HMAC: An HMAC can be used to authenticate arbitrarily long messages without negotiation the message length as is required by CBC-MAC. 10-2

3 2 Nested MAC (NMAC) An NMAC function is a hash function with two keys First the message is compressed using a cascading hash function, H k 2 (x), then the output of the cascading hash function is input into a compression function h k 1 (x). These functions are respectively illustrated in figures 4 and 5. NMAC K1,K 2 (x) = h k 1 (H k 2 (x)) (2) Figure 4: H k 2 (x) Figure 5: h k 1 (x) Note that the only difference between H k 2 (x) and H(x) is that in the former the fixed IV is replaced with key k 2. Essentially, the purpose of H is to pare the message down to a size that can be handled by h. Theorem 2 If h is a CMA secure MAC (for inputs of size b bits) and H is secure w.r.t. CR3 then NMAC is secure CMA secure MAC Before proving this we will need to define a new collision resistance property, denoted by CR3 (which is some form of a weak collision resistance). Definition 1 CR3 is defined through the adversarial experiment in figure

4 Figure 6: An experiment in which adversary A CR3 attacks the CR3 property of H H will be said to collision resistant wrt CR3 property, if for all A playing the CR3 game with a challenger, the advantage of A CR3 ɛ. Proof. If an adversary A NMAC CMA who can break NMAC WRT CMA then we can create an adversary A h CMA who can break h, given that H is CR3. This construction is visualized in the figure 7 The advantage of A h CMA in this experiment is as follows: Advh CMA (A h CMA) = Pr(A h CMA succeeds) = 1 Pr(A h CMA fails) = 1 (Pr(A NMAC CMA fails) + Pr(Collision in H k) = 1 (1 Pr(A NMAC CMA succeeds) + Pr(Collision in H k) = Pr(A NMAC CMA succeeds) + Pr(Collision in H k) = AdvNMAC(A CMA NMAC CMA ) AdvH CR3 (C) where C is a new adversary that does not directly participate in the CMA experiment but attempts to break H wrt CR3. NMAC(A NMAC ) = Advh CMA (A NMAC) + Adv CR3 h (C) ɛ ANMACCMA + ɛ Ah CMA Adv CMA 10-4

5 Figure 7: An experiment in which adversary A h CMA attacks the CMA property of h. 3 HMAC Definition 2 (Hashed Message Authentication Code(HMAC): Figure 8) where HMAC K (x) = NMAC k1,k2 (x) k1 = h(k opad) and k2 = h(k ipad) So, HMAC K (x) = H(k opad,h(k ipad,x)) Here, k= pad(k). Note that HMAC is quite efficient as it only requires 3 more compression calls than H(x). This makes HMAC a very fast construction. Theorem 3 HMAC is secure if NMAC is secure. 10-5

6 Figure 8: HMAC The default values of opad and ipad are as follows: opad = 0x5c5c5c... 5c5c ipad = 0x These values are included in HMAC mainly to increase the hamming distance between the keying data in the inner and outer calls to H(). This ensures that the two key values are as distinct as possible while using the same key in both locations. 4 Public Key Cryptography 4.1 Number Theory Groups Definition 3 (G, ) (where G is a set and : G G G) is called a group if the following properties are satisfied: 1. Closure: a,b G, a b G 2. Associativity: a,b,c G, (a b) c = a (b c) 3. Identity: an identity element e G such that a G, a b = b a = a 4. Inverse: an element a 1 G such that a G, a a 1 = a 1 a = e 10-6

7 4.1.2 Group: Examples We know Z= Set of all integers Z m = Set of all integers (modulo m) Z p = Set of all integers less than prime p Z n= Set of all numbers less than and relatively prime to n. Let us consider whether or not the following sets are groups: 1. (Z, addition ) is a group. 2. (Z, multiplication ) isn t a group because not all integers have a multiplicative inverse. 3. (Z m, modular addition ) is a group. 4. (Z m, modular multiplication ) isn t a group, again due to the lack of inverses for all integers in the set. 5. (Z p, modular multiplication ) is a group. 6. (Z n, modular addition ) isn t a group because the addition of two integers that are relatively prime to n may produce an integer which is not relatively prime to n. Thus the set lacks closure. 7. (Z n, modular multiplication ) is a group Modular Arithmetic 1. Modulo: (a mod N) where a = (a p 1,a p 2,...,a 1,a 0 ) Thus, N = (N q 1,N q 2,...,N 1,N 0 ) a = (a p 1 2 p 1 + a p 2 2 p a a ) N = (N q 1 2 q 1 + N q 2 2 q N N ) So the runtime complexity of (a mod N) is O( a N ). 10-7

8 2. Modular Addition: (a + b) mod N has time complexity of O(max( a, b )) + O(max( a, b ) N ); using addition and then modulo operation. In modular addition a < N, b < N and thus a + b < 2N. So, (a + b) mod N = (a + b N) Taking a = b = N, runtime complexity of (a + b) mod N is O( N ). 3. Modular Multiplication: (ab mod N) has running time complexity of O( a b )+O(( a + b ) N ). In modular multiplication, a < N, b < N and thus ab < N 2. Taking a = b = N, the runtime complexity of (ab mod N) is O( N 2 ). 4. Modular Exponentiation: (a n mod N) has a runtime complexity of O( n a N ) Taking a = N, the runtime complexity of (a n mod N) is O( n N 2 ) The usual approach to computing a n mod N is inefficient when n is large. Instead, n can be represented as a bit string n= [n k 1,n k 2,n k 3,...,n 1,n 0 ] and input to the square-and-multiply algorithm below to efficiently compute the result of a modular exponentiation operation. z = 1 for i = k 1 down to 0 do z = z 2 mod N if (n i == 1) z = (z a mod N) This algorithm has a runtime complexity of O( n a N ). Taking a = N, the runtime complexity becomes O( n N 2 ) 10-8