Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

Similar documents
Lecture 18: Message Authentication Codes & Digital Signa

Introduction to Cryptography

Solution of Exercise Sheet 7

Lecture 22: RSA Encryption. RSA Encryption

Authentication. Chapter Message Authentication

Block Ciphers/Pseudorandom Permutations

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 28: Public-key Cryptography. Public-key Cryptography

CPA-Security. Definition: A private-key encryption scheme

Lecture 14: Cryptographic Hash Functions

Notes for Lecture 9. 1 Combining Encryption and Authentication

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Lecture 30: Hybrid Encryption and Prime Number Generation. Hybrid Encryption & Primes

Homework 7 Solutions

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

2 Message authentication codes (MACs)

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 5, CPA Secure Encryption from PRFs

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

Lecture Notes on Secret Sharing

Cryptography and Security Final Exam

Lecture 7: CPA Security, MACs, OWFs

A survey on quantum-secure cryptographic systems

12 Hash Functions Defining Security

Introduction to Cryptology. Lecture 3

Lecture 10 - MAC s continued, hash & MAC

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

CTR mode of operation

Leftovers from Lecture 3

Avoiding collisions Cryptographic hash functions. Table of contents

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

CPSC 467: Cryptography and Computer Security

Foundations of Cryptography

G /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008

CPSC 91 Computer Security Fall Computer Security. Assignment #2

Lecture 38: Secure Multi-party Computation MPC

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Introduction to Cryptography Lecture 4

Cryptography and Security Final Exam

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

CS 6260 Applied Cryptography

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Computational security & Private key encryption

Introduction to Cybersecurity Cryptography (Part 4)

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cryptology. Lecture 2

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

An introduction to Hash functions

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

1 Cryptographic hash functions

El Gamal A DDH based encryption scheme. Table of contents

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Indistinguishability and Pseudo-Randomness

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Lecture 9 - Symmetric Encryption

XMSS A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

5199/IOC5063 Theory of Cryptology, 2014 Fall

Chapter 2 : Perfectly-Secret Encryption

Attacks on hash functions. Birthday attacks and Multicollisions

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Doubly half-injective PRGs for incompressible white-box cryptography

Lecture 15: Message Authentication

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Cryptography CS 555. Topic 13: HMACs and Generic Attacks

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

1 Cryptographic hash functions

Lecture 17: Constructions of Public-Key Encryption

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

CS 6260 Applied Cryptography

Lecture 1: Introduction to Public key cryptography

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Lecture 10: NMAC, HMAC and Number Theory

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

Lecture Notes. Advanced Discrete Structures COT S

CS120, Quantum Cryptography, Fall 2016

1 Number Theory Basics

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Semantic Security of RSA. Semantic Security

Scribe for Lecture #5

Transcription:

Lecture 24: MAC for Arbitrary Length Messages

Recall Previous lecture, we constructed MACs for fixed length messages The GGM Pseudo-random Function (PRF) Construction Given. Pseudo-random Generator (PRG) G : {0, 1} k {0, 1} 2k We Constructed. PRF F sk (m) using the GGM construction from the domain {0, 1} n to the range {0, 1} k The MAC scheme was provided by (Gen, Mac, Ver) Gen(). Return sk $ {0, 1} k Mac sk (m). Return τ = F sk (m) Ver sk ( m, τ). Return τ == F sk ( m) This construction is secure only for fixed-length messages We need different secret key for every length of the message. Otherwise, we can perform length-extension attacks

Goal of this Lecture Suppose we are given a MAC scheme (Gen, Mac, Ver ) that is secure only for B-bit messages and generates tags of length k We want to construct a MAC scheme (Gen, Mac, Ver) that is secure for arbitrary length messages

First Proposal I The students proposed the following construction Gen(). Return sk = Gen () Mac sk (m). 1 Pad the message m so that the length of m is a multiple of B 2 Break m into n/b blocks (m (1), m (2),..., m (n/b) ) such that each block m (i) has size B 3 For i {1, 2,..., n/b}: Compute τ (i) = Mac sk (m(i) ) 4 Return τ = (τ (1), τ (2),..., τ (n/b) ) Ver sk (, τ). 1 Let m = ( m (1), m (2),..., m (t) ) (each block of length B) 2 Let τ = ( τ (1), τ (2),..., τ (t) ) (each block of length k) 3 Return true if and only if for all i {1,..., t}, the expression Ver sk ( m(i), τ (i) ) is true

First Proposal II Attacks on the Scheme. This scheme is insecure. The students proposed the following attacks. Suppose the adversary sees the message m = (m (1), m (2),..., m (n/b) ) and the tag τ = (τ (1), τ (2),..., τ (n/b) ). 1 Permuting. The adversary can construct m from m by arbitrarily permuting the blocks of the message m. The adversary can construct the corresponding τ from τ by performing the same permutation of blocks on the tag τ.

First Proposal III 2 Shortening/Extending. The adversary can construct m from m by dropping blocks from m. The adversary can construct the corresponding τ from τ by dropping the tags for those blocks in the tag τ. The adversary can also construct m from m by repeating some blocks of m. The adversary can construct the corresponding τ from τ by repeating the tags for those blocks in the tag τ

First Proposal IV 3 Splicing. Suppose the adversary sees another message m = ( m (1), m (2),..., m (n/b) ) and its tag τ = ( τ (1), τ (2),..., τ (n/b) ) The adversary can construct m from the messages m and m by splicing blocks. The adversary can construct the corresponding τ from the tags τ and τ by splicing the corresponding blocks from the tags τ and τ. For example, the tag of the message (m (1), m (2),..., m (n/b) ) is (τ (1), τ (2),..., τ (n/b) )

First Proposal V 4 Combination of the attacks mentioned above. For example, the adversary can splice, extend, and permute!

Preventing the Attacks Students proposed the following fixes. Prevent Permutation. We can include the information in each τ (i) that it is the tag of the message-block at position i, then permutation attacks cannot be performed. Prevent Shortening/Extension. We can include the information in each τ (i) that it is the tag of the message of total length n, then shortening/extension attacks cannot be performed. Prevent Splicing. We can include a time-stamp in each τ (i) so that we cannot splice messages at two different time instances. (We shall use a slightly different technique but I wanted to summarize the proposals of the students)

Secure MAC Scheme for Arbitrary-length Messages I Gen(). Return sk = Gen ()

Secure MAC Scheme for Arbitrary-length Messages II Mac sk (m). 1 Pad m to make its length a multiple of B/4 2 Break m into 4n/B blocks of size B/4 each. We represent this as m = (m (1), m (2),..., m (4n/B) ) $ 3 Pick r {0, 1} B/4 4 Let [n] 2 represent the (B/4)-bit representation of the number n in binary 5 Let [i] 2 represent the (B/4)-bit representation of the number i in binary 6 For each i {1, 2,..., 4n/B} create the following block B/4-bits B/4-bits B/4-bits B/4-bits m +(i) {}}{{}}{{}}{{}}{ = ( r, [n] 2, [i] 2, m (i) ) 7 For each i {1, 2,..., 4n/B} create the tag τ (i) = Mac sk(m +(i) ) 8 Return τ = (r, τ (1), τ (2),..., τ (4n/B) )

Secure MAC Scheme for Arbitrary-length Messages III Ver sk ( m, τ). 1 Interpret m = ( m (1), m (2),..., m (t) ), where each block is of length B 2 Interpret τ = ( r, τ (1), τ (2),..., τ (t) ), where r is of length B/4 and each block τ (i) is of length k 3 Let ñ = t (B/4), the length of the message m 4 For each i {1, 2,..., t} construct the following block m +(i) = ( r, [ñ] 2, [i] 2, m (i) ) 5 Accept ( m, τ) if for each i {1, 2,..., t} the test Ver sk( m +(i), τ (i) ) accepts

Notes Note that we can assume that all random strings r are unique. Because, by birthday bound, we need to tag roughly 2 B/4 = 2 B/8 messages before we can expect one collision. If we choose B = 800, then we will (with high probability) see unique r strings. This, effectively, serves as a time stamp Check that all the attacks that we discussed cannot be performed against this new MAC scheme (Gen, Mac, Ver) Very Important. We emphasize that protecting against known attacks does not imply security of a MAC scheme. We can formally prove the security of the MAC scheme that we have described above. The proof is beyond the scope of this course.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback