Constructing secure MACs: Message authentication in action

Foundations of Cryptography, Computer Science Department, Wellesley College, Fall 2016

From last time

Recall the definition of message authentication codes from last time:

Definition 4.1. A message authentication code (MAC) is a tuple of probabilistic polynomial-time algorithms $(\mathsf{Gen}, \mathsf{Mac}, \mathsf{Vrfy})$ such that:

1. The key-generation algorithm $\mathsf{Gen}$ takes as input the security parameter $1^n$ and outputs a key $k$ with $|k| \geq n$.
2. The tag-generation algorithm $\mathsf{Mac}$ takes as input a key $k$ and a message $m \in \{0,1\}^*$, and outputs a tag $t$. Since this algorithm may be randomized, we write $t \leftarrow \mathsf{Mac}_k(m)$.
3. The verification algorithm $\mathsf{Vrfy}$ takes as input a key $k$, a message $m$, and a tag $t$. It outputs a bit $b$ with $b = 1$ meaning valid and $b = 0$ meaning invalid. We assume WLOG that $\mathsf{Vrfy}$ is deterministic and so write this as $b := \mathsf{Vrfy}_k(m, t)$.

It is required that for every $n$, $k$, $m$: $\mathsf{Vrfy}_k(m, \mathsf{Mac}_k(m)) = 1$.

Secure MACs

The message authentication experiment $\mathsf{Mac\text{-}forge}_{A,\Pi}(n)$:

1. A random key $k$ is generated by running $\mathsf{Gen}(1^n)$.
2. The adversary $A$ is given input $1^n$ and oracle access to $\mathsf{Mac}_k(\cdot)$. The adversary eventually outputs a pair $(m, t)$. Let $Q$ denote the set of all queries that $A$ asked to its oracle.
3. The output of the experiment is defined to be 1 if and only if (1) $\mathsf{Vrfy}_k(m, t) = 1$; and (2) $m \notin Q$.

Definition 4.2. A message authentication code $\Pi = (\mathsf{Gen}, \mathsf{Mac}, \mathsf{Vrfy})$ is existentially unforgeable under an adaptive chosen-message attack if for all probabilistic polynomial-time adversaries $A$ there exists a negligible function $\mathsf{negl}$ such that

$$\Pr[\mathsf{Mac\text{-}forge}_{A,\Pi}(n) = 1] \leq \mathsf{negl}(n).$$

Hold on

All well and good, but is there such a beast? Well, maybe, if there is such a thing as a pseudorandom function.* We show how to construct a secure fixed-length MAC under this assumption.**

*And maybe a few other assumptions as well.
**Nice, but falls short of our goal. We show later how to convert any fixed-length MAC into a MAC that handles any length.

Constructing secure message authentication codes

Construction 4.5. Let $F$ be a pseudorandom function. Define a fixed-length MAC for messages of length $n$ as follows:

Gen: On input $1^n$, choose $k \leftarrow \{0,1\}^n$ uniformly at random.
Mac: On input a key $k \in \{0,1\}^n$ and a message $m \in \{0,1\}^n$, output the tag $t := F_k(m)$. (If $|m| \neq |k|$ then output nothing.)
Vrfy: On input a key $k \in \{0,1\}^n$, a message $m \in \{0,1\}^n$, and a tag $t \in \{0,1\}^n$, output 1 if and only if $t \stackrel{?}{=} F_k(m)$. (If $|m| \neq |k|$ then output 0.)

Our MAC is secure

Theorem 4.6. If $F$ is a pseudorandom function, then Construction 4.5 is a fixed-length MAC for messages of length $n$ that is existentially unforgeable under an adaptive chosen-message attack.

Proof. Let $A$ be a PPT adversary. Consider a message authentication code $\tilde{\Pi} = (\widetilde{\mathsf{Gen}}, \widetilde{\mathsf{Mac}}, \widetilde{\mathsf{Vrfy}})$ which is the same as $\Pi = (\mathsf{Gen}, \mathsf{Mac}, \mathsf{Vrfy})$ except that a truly random function $f$ is used instead of the function $F_k$. Certainly,

$$\Pr[\mathsf{Mac\text{-}forge}_{A,\tilde{\Pi}}(n) = 1] \leq 2^{-n}$$

since for any message $m \notin Q$, the value $t = f(m)$ is uniformly distributed in $\{0,1\}^n$.

Then...

Next we show that there is a negligible function $\mathsf{negl}$ such that

$$\left| \Pr[\mathsf{Mac\text{-}forge}_{A,\Pi}(n) = 1] - \Pr[\mathsf{Mac\text{-}forge}_{A,\tilde{\Pi}}(n) = 1] \right| \leq \mathsf{negl}(n).$$

Putting this together with our inequality from the previous page,

$$\Pr[\mathsf{Mac\text{-}forge}_{A,\tilde{\Pi}}(n) = 1] \leq \frac{1}{2^n},$$

we obtain

$$\Pr[\mathsf{Mac\text{-}forge}_{A,\Pi}(n) = 1] \leq \frac{1}{2^n} + \mathsf{negl}(n),$$

proving the theorem (modulo proving the second inequality).

Proving our second inequality

Consider the following PPT distinguisher for distinguishing pseudorandom from truly random functions:

Distinguisher $D$. $D$ is given input $1^n$ and access to an oracle $O : \{0,1\}^n \to \{0,1\}^n$ and works as follows:

1. Run $A(1^n)$. Whenever $A$ queries its MAC oracle on a message $m$, answer as follows: query $O$ with $m$ and obtain response $t$; return $t$ to $A$.
2. When $A$ outputs $(m, t)$ at the end of its execution, do:
   2.1 Query $O$ with $m$ and obtain response $\hat{t}$.
   2.2 If (1) $\hat{t} = t$; and (2) $A$ never queried its MAC oracle on $m$, then output 1; otherwise output 0.

It is clear that $D$ runs in polynomial time since $A$ does.

D's oracle is a pseudorandom function

If $D$'s oracle is a pseudorandom function, then the view of $A$ when run as a sub-routine by $D$ is distributed identically to the view of $A$ in experiment $\mathsf{Mac\text{-}forge}_{A,\Pi}(n)$. Furthermore, $D$ outputs 1 exactly when $\mathsf{Mac\text{-}forge}_{A,\Pi}(n) = 1$. We conclude

$$\Pr\left[D^{F_k(\cdot)}(1^n) = 1\right] = \Pr[\mathsf{Mac\text{-}forge}_{A,\Pi}(n) = 1]$$

where $k \leftarrow \{0,1\}^n$ is chosen uniformly at random.

D's oracle is a truly random function

If $D$'s oracle is a random function, then the view of $A$ when run as a sub-routine by $D$ is distributed identically to the view of $A$ in experiment $\mathsf{Mac\text{-}forge}_{A,\tilde{\Pi}}(n)$. Once again $D$ outputs 1 exactly when $\mathsf{Mac\text{-}forge}_{A,\tilde{\Pi}}(n) = 1$. Thus,

$$\Pr\left[D^{f(\cdot)}(1^n) = 1\right] = \Pr[\mathsf{Mac\text{-}forge}_{A,\tilde{\Pi}}(n) = 1]$$

where $f \leftarrow \mathsf{Func}_n$ is chosen uniformly at random.

Really and truly done

Since $F$ is a pseudorandom function and $D$ runs in polynomial time, there exists a negligible function $\mathsf{negl}$ such that

$$\left| \Pr[\mathsf{Mac\text{-}forge}_{A,\Pi}(n) = 1] - \Pr[\mathsf{Mac\text{-}forge}_{A,\tilde{\Pi}}(n) = 1] \right| = \left| \Pr\left[D^{F_k(\cdot)}(1^n) = 1\right] - \Pr\left[D^{f(\cdot)}(1^n) = 1\right] \right| \leq \mathsf{negl}(n).$$
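
Construction 4.5 and the distinguisher $D$ from the proof, as an added Python example that is not part of the original slides. It assumes $n = 128$ bits and uses HMAC-SHA256 truncated to $n$ bytes as a stand-in for the pseudorandom function $F$; `weak_F`, `replay_adversary` and `xor_forger` are hypothetical names introduced to show that a forger against a non-pseudorandom $F$ makes $D$ output 1, while against a random function it does not.

```python
import hashlib, hmac, secrets

N = 16  # n in bytes (assumed: n = 128 bits)

def F(k, m):
    # Assumed PRF stand-in: HMAC-SHA256 truncated to n bytes.
    return hmac.new(k, m, hashlib.sha256).digest()[:N]

def weak_F(k, m):
    # Deliberately NOT pseudorandom: F_k(m) = k XOR m.
    return bytes(a ^ b for a, b in zip(k, m))

def gen():
    return secrets.token_bytes(N)

def mac(k, m, prf=F):
    # Construction 4.5: t := F_k(m); output nothing if |m| != |k|.
    return prf(k, m) if len(m) == len(k) else None

def vrfy(k, m, t, prf=F):
    # Output 1 iff t = F_k(m); 0 on a length mismatch. Constant-time compare.
    if len(m) != len(k):
        return 0
    return int(hmac.compare_digest(t, prf(k, m)))

def random_function():
    # Truly random f: {0,1}^n -> {0,1}^n, sampled lazily and kept consistent.
    table = {}
    return lambda m: table.setdefault(m, secrets.token_bytes(N))

def D(oracle, adversary):
    # Distinguisher D: answer A's MAC queries with O, then check A's output.
    Q = set()
    def mac_oracle(m):
        Q.add(m)
        return oracle(m)
    m, t = adversary(mac_oracle)
    t_hat = oracle(m)
    return int(hmac.compare_digest(t_hat, t) and m not in Q)

def replay_adversary(mac_oracle):
    m = bytes(N)
    return m, mac_oracle(m)  # m is in Q, so this is never a forgery

def xor_forger(mac_oracle):
    # Against weak_F the tag on the all-zero message is k itself.
    k = mac_oracle(bytes(N))
    m = b"\xff" * N
    return m, bytes(a ^ b for a, b in zip(k, m))
```

The gap between $D$'s outputs on `weak_F` and on `random_function()` is exactly the distinguishing advantage the proof bounds by $\mathsf{negl}(n)$ when $F$ is pseudorandom.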