Constructing secure MACs: Message authentication in action
Foundations of Cryptography, Computer Science Department, Wellesley College, Fall 2016
From last time

Recall the definition of message authentication codes from last time:

Definition 4.1. A message authentication code (MAC) is a tuple of probabilistic polynomial-time algorithms $(\mathsf{Gen}, \mathsf{Mac}, \mathsf{Vrfy})$ such that:

1. The key-generation algorithm $\mathsf{Gen}$ takes as input the security parameter $1^n$ and outputs a key $k$ with $|k| \ge n$.
2. The tag-generation algorithm $\mathsf{Mac}$ takes as input a key $k$ and a message $m \in \{0,1\}^*$, and outputs a tag $t$. Since this algorithm may be randomized, we write $t \leftarrow \mathsf{Mac}_k(m)$.
3. The verification algorithm $\mathsf{Vrfy}$ takes as input a key $k$, a message $m$, and a tag $t$. It outputs a bit $b$, with $b = 1$ meaning valid and $b = 0$ meaning invalid. We assume WLOG that $\mathsf{Vrfy}$ is deterministic and so write this as $b := \mathsf{Vrfy}_k(m, t)$.

It is required that for every $n$, $k$, and $m$, $\mathsf{Vrfy}_k(m, \mathsf{Mac}_k(m)) = 1$.

Secure MACs

The message authentication experiment $\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n)$:

1. A random key $k$ is generated by running $\mathsf{Gen}(1^n)$.
2. The adversary $\mathcal{A}$ is given input $1^n$ and oracle access to $\mathsf{Mac}_k(\cdot)$. The adversary eventually outputs a pair $(m, t)$. Let $Q$ denote the set of all queries that $\mathcal{A}$ asked to its oracle.
3. The output of the experiment is defined to be 1 if and only if (1) $\mathsf{Vrfy}_k(m, t) = 1$; and (2) $m \notin Q$.

Definition 4.2. A message authentication code $\Pi = (\mathsf{Gen}, \mathsf{Mac}, \mathsf{Vrfy})$ is existentially unforgeable under an adaptive chosen-message attack if for all probabilistic polynomial-time adversaries $\mathcal{A}$ there exists a negligible function $\mathsf{negl}$ such that
$$\Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n) = 1] \le \mathsf{negl}(n).$$
Hold on

All well and good, but is there such a beast? Well, maybe, if there is such a thing as a pseudorandom function.* We show how to construct a secure fixed-length MAC under this assumption.**

*And maybe a few other assumptions as well.
**Nice, but falls short of our goal. We show later how to convert any fixed-length MAC into a MAC that handles messages of any length.

Constructing secure message authentication codes

Construction 4.5. Let $F$ be a pseudorandom function. Define a fixed-length MAC for messages of length $n$ as follows:

$\mathsf{Gen}$: On input $1^n$, choose $k \leftarrow \{0,1\}^n$ uniformly at random.
$\mathsf{Mac}$: On input a key $k \in \{0,1\}^n$ and a message $m \in \{0,1\}^n$, output the tag $t := F_k(m)$. (If $|m| \ne n$ then output nothing.)
$\mathsf{Vrfy}$: On input a key $k \in \{0,1\}^n$, a message $m \in \{0,1\}^n$, and a tag $t \in \{0,1\}^n$, output 1 if and only if $t \stackrel{?}{=} F_k(m)$. (If $|m| \ne n$ then output 0.)
Our MAC is secure

Theorem 4.6. If $F$ is a pseudorandom function, then Construction 4.5 is a fixed-length MAC for messages of length $n$ that is existentially unforgeable under an adaptive chosen-message attack.

Proof. Let $\mathcal{A}$ be a PPT adversary. Consider a message authentication code $\tilde{\Pi} = (\widetilde{\mathsf{Gen}}, \widetilde{\mathsf{Mac}}, \widetilde{\mathsf{Vrfy}})$ which is the same as $\Pi = (\mathsf{Gen}, \mathsf{Mac}, \mathsf{Vrfy})$ except that a truly random function $f$ is used instead of the function $F_k$. Certainly,
$$\Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A},\tilde{\Pi}}(n) = 1] \le 2^{-n},$$
since for any message $m \notin Q$, the value $t = f(m)$ is uniformly distributed in $\{0,1\}^n$.

Then...

Next we show that there is a negligible function $\mathsf{negl}$ such that
$$\left|\Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n) = 1] - \Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A},\tilde{\Pi}}(n) = 1]\right| \le \mathsf{negl}(n).$$
Putting this together with our inequality from the previous page,
$$\Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A},\tilde{\Pi}}(n) = 1] \le \frac{1}{2^n},$$
we obtain
$$\Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n) = 1] \le \frac{1}{2^n} + \mathsf{negl}(n),$$
proving the theorem (modulo proving the second inequality).
Proving our second inequality

Consider the following PPT distinguisher for distinguishing pseudorandom from truly random functions:

Distinguisher $D$. $D$ is given input $1^n$ and access to an oracle $\mathcal{O} : \{0,1\}^n \to \{0,1\}^n$ and works as follows:

1. Run $\mathcal{A}(1^n)$. Whenever $\mathcal{A}$ queries its MAC oracle on a message $m$, answer as follows: query $\mathcal{O}$ with $m$ and obtain response $t$; return $t$ to $\mathcal{A}$.
2. When $\mathcal{A}$ outputs $(m, t)$ at the end of its execution, do:
   2.1 Query $\mathcal{O}$ with $m$ and obtain response $\hat{t}$.
   2.2 If (1) $\hat{t} = t$; and (2) $\mathcal{A}$ never queried its MAC oracle on $m$, then output 1; otherwise output 0.

It is clear that $D$ runs in polynomial time since $\mathcal{A}$ does.

$D$'s oracle is a pseudorandom function

If $D$'s oracle is a pseudorandom function, then the view of $\mathcal{A}$ when run as a subroutine by $D$ is distributed identically to the view of $\mathcal{A}$ in experiment $\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n)$. Furthermore, $D$ outputs 1 exactly when $\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n) = 1$. We conclude
$$\Pr\left[D^{F_k(\cdot)}(1^n) = 1\right] = \Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n) = 1],$$
where $k \leftarrow \{0,1\}^n$ is chosen uniformly at random.
$D$'s oracle is a truly random function

If $D$'s oracle is a random function, then the view of $\mathcal{A}$ when run as a subroutine by $D$ is distributed identically to the view of $\mathcal{A}$ in experiment $\mathsf{Mac\text{-}forge}_{\mathcal{A},\tilde{\Pi}}(n)$. Once again $D$ outputs 1 exactly when $\mathsf{Mac\text{-}forge}_{\mathcal{A},\tilde{\Pi}}(n) = 1$. Thus,
$$\Pr\left[D^{f(\cdot)}(1^n) = 1\right] = \Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A},\tilde{\Pi}}(n) = 1],$$
where $f \leftarrow \mathsf{Func}_n$ is chosen uniformly at random.

Really and truly done

Since $F$ is a pseudorandom function and $D$ runs in polynomial time, there exists a negligible function $\mathsf{negl}$ such that
$$\left|\Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n) = 1] - \Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A},\tilde{\Pi}}(n) = 1]\right| = \left|\Pr\left[D^{F_k(\cdot)}(1^n) = 1\right] - \Pr\left[D^{f(\cdot)}(1^n) = 1\right]\right| \le \mathsf{negl}(n).$$
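The following worked example is added here and is not part of the lecture slides. It implements Construction 4.5 (Gen, Mac, Vrfy built from a PRF, including the length checks) together with the Mac-forge experiment and the distinguisher D from the proof of Theorem 4.6, so that the proof's central observation can be exercised directly: running D with oracle F_k is the Mac-forge experiment for Π, and running D with a truly random f is the experiment for Π̃. The concrete PRF instance is an assumption of the example (HMAC-SHA256 truncated to n = 128 bits stands in for the abstract F_k; the slides fix no particular PRF), and the two adversaries at the end are constructed for illustration: a replay of a queried tag, which fails because m ∈ Q, and a reuse of a tag on a fresh message, which succeeds only with probability about 2^-n.

```python
"""Construction 4.5 plus the Mac-forge experiment and distinguisher D (Theorem 4.6).
Added example, not code from the slides. Assumes HMAC-SHA256 truncated to n bits
as the PRF F_k (an assumption; the slides leave F abstract) and n = 128."""
import hmac
import secrets
from typing import Callable, Dict, Optional, Set, Tuple

N_BITS = 128                 # security parameter n: keys, messages and tags are n bits
N_BYTES = N_BITS // 8

Oracle = Callable[[bytes], bytes]                     # O : {0,1}^n -> {0,1}^n
Adversary = Callable[[Oracle], Tuple[bytes, bytes]]   # A gets a MAC oracle, outputs (m, t)


def prf(k: bytes, m: bytes) -> bytes:
    """Assumed PRF instance F_k : {0,1}^n -> {0,1}^n (HMAC-SHA256, truncated to n bits)."""
    assert len(k) == N_BYTES and len(m) == N_BYTES
    return hmac.new(k, m, "sha256").digest()[:N_BYTES]


def random_function() -> Oracle:
    """A truly random f <- Func_n, sampled lazily: each new input gets an independent
    uniform n-bit output, and a repeated input returns the value already chosen."""
    table: Dict[bytes, bytes] = {}

    def f(m: bytes) -> bytes:
        if m not in table:
            table[m] = secrets.token_bytes(N_BYTES)
        return table[m]
    return f


# --- Construction 4.5 ---------------------------------------------------------
def gen() -> bytes:
    """Gen(1^n): k <- {0,1}^n uniformly at random."""
    return secrets.token_bytes(N_BYTES)


def mac(k: bytes, m: bytes) -> Optional[bytes]:
    """Mac_k(m) = F_k(m); outputs nothing (None) if |m| != n."""
    if len(m) != N_BYTES:
        return None
    return prf(k, m)


def vrfy(k: bytes, m: bytes, t: bytes) -> int:
    """Vrfy_k(m, t) = 1 iff t == F_k(m); 0 if |m| != n. The constant-time compare
    keeps the verifier from leaking F_k(m) byte by byte through timing."""
    if len(m) != N_BYTES or len(t) != N_BYTES:
        return 0
    return 1 if hmac.compare_digest(prf(k, m), t) else 0


# --- Distinguisher D and the Mac-forge experiment -----------------------------
def distinguisher_d(adversary: Adversary, oracle: Oracle) -> int:
    """D^O(1^n): run A, answering its MAC queries with O; output 1 iff A's final
    (m, t) has O(m) == t and m was never queried (steps 1, 2.1 and 2.2)."""
    queries: Set[bytes] = set()

    def mac_oracle(m: bytes) -> bytes:      # step 1: forward each query to O
        queries.add(m)
        return oracle(m)

    m, t = adversary(mac_oracle)
    if len(m) != N_BYTES:                   # outside O's domain: cannot be a valid tag
        return 0
    t_hat = oracle(m)                       # step 2.1
    return 1 if hmac.compare_digest(t_hat, t) and m not in queries else 0   # step 2.2


def mac_forge(adversary: Adversary, k: Optional[bytes] = None) -> int:
    """Mac-forge_{A,Pi}(n): exactly D run with oracle F_k, as the proof observes."""
    if k is None:
        k = gen()
    return distinguisher_d(adversary, lambda m: prf(k, m))


def mac_forge_tilde(adversary: Adversary) -> int:
    """Mac-forge_{A,Pi~}(n): D run with a truly random f in place of F_k."""
    return distinguisher_d(adversary, random_function())


# --- Two constructed adversaries; both must fail -------------------------------
def replay_adversary(o: Oracle) -> Tuple[bytes, bytes]:
    """Queries m and replays its tag: the tag is valid, but m is in Q, so output is 0."""
    m = b"A" * N_BYTES
    return m, o(m)


def reuse_tag_adversary(o: Oracle) -> Tuple[bytes, bytes]:
    """Queries m, then submits m's tag on a fresh m' != m. Succeeds only if
    F_k(m') == F_k(m), i.e. with probability about 2^-n."""
    m = b"A" * N_BYTES
    t = o(m)
    return b"B" + m[1:], t


if __name__ == "__main__":
    k, msg = gen(), secrets.token_bytes(N_BYTES)
    print("honest tag verifies:", vrfy(k, msg, mac(k, msg)))
    print("replay forgery:", mac_forge(replay_adversary, k))
    print("tag-reuse forgery:", mac_forge(reuse_tag_adversary, k))
    print("tag-reuse forgery vs random f:", mac_forge_tilde(reuse_tag_adversary))
```

Because `mac_forge` is literally `distinguisher_d` with the oracle set to `F_k`, and `mac_forge_tilde` is the same code with a lazily sampled random function, the two probabilities compared in the final inequality are the outputs of one program under two oracles, which is the whole content of the reduction. Swapping `prf` for any other PRF (a block cipher, say) changes nothing else in the file.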