Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Similar documents
Introduction to Cryptography Lecture 4

Topics in Cryptography. Lecture 5: Basic Number Theory

Introduction to Cryptography. Lecture 6

Leftovers from Lecture 3

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cryptography. Lecture 8

Lecture 10: HMAC and Number Theory

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

Introduction to Information Security

Discrete Mathematics GCD, LCM, RSA Algorithm

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Lecture 10: NMAC, HMAC and Number Theory

CS483 Design and Analysis of Algorithms

Foundations of Network and Computer Security

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Foundations of Network and Computer Security

Chapter 8 Public-key Cryptography and Digital Signatures

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Introduction to Cryptography

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Week 12: Hash Functions and MAC

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Mathematical Foundations of Public-Key Cryptography

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Chapter 4 Finite Fields

CSC 5930/9010 Modern Cryptography: Number Theory

Number Theory & Modern Cryptography

CIS 551 / TCOM 401 Computer and Network Security

Lecture 10 - MAC s continued, hash & MAC

Computational Number Theory. Adam O Neill Based on

Lecture 1: Introduction to Public key cryptography

Public Key Cryptography

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Lecture 10: NMAC, HMAC and Number Theory

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Security II: Cryptography exercises

Applied Cryptography and Computer Security CSE 664 Spring 2017

Online Cryptography Course. Collision resistance. Introduc3on. Dan Boneh

Introduction to Information Security

Asymmetric Encryption

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Cryptographic Hash Functions

1 Number Theory Basics

Cryptography CS 555. Topic 13: HMACs and Generic Attacks

CIS 6930/4930 Computer and Network Security. Topic 4. Cryptographic Hash Functions

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

OWO Lecture: Modular Arithmetic with Algorithmic Applications

Exam Security January 19, :30 11:30

Mathematical Foundations of Cryptography

Introduction to Public-Key Cryptosystems:

Public Key Algorithms

Notes for Lecture 9. 1 Combining Encryption and Authentication

1 Cryptographic hash functions

Introduction to Modern Cryptography Lecture 5

Integers and Division

Foundations of Network and Computer Security

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Lecture 1. Crypto Background

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

Asymmetric Cryptography

Chapter 4 Asymmetric Cryptography

Ma/CS 6a Class 2: Congruences

Security II: Cryptography

Public Key Cryptography

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Numbers. Çetin Kaya Koç Winter / 18

Number Theory. Modular Arithmetic

3 The fundamentals: Algorithms, the integers, and matrices

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Parallel Implementation of Proposed One Way Hash Function

Biomedical Security. Some Security News 9/17/2018. Erwin M. Bakker. Blockchains are not safe for voting (slashdot.org) : From: paragonie.

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Message Authentication Codes (MACs)

Foundations of Network and Computer Security

Lecture 6: Cryptanalysis of public-key algorithms.,

Introduction to Elliptic Curve Cryptography. Anupam Datta

Public-key Cryptography: Theory and Practice

CPSC 467b: Cryptography and Computer Security

Number theory (Chapter 4)

ECS 189A Final Cryptography Spring 2011

Introduction. will now introduce finite fields of increasing importance in cryptography. AES, Elliptic Curve, IDEA, Public Key

Number Theory and Group Theoryfor Public-Key Cryptography

basics of security/cryptography

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Attacks on hash functions: Cat 5 storm or a drizzle?

Hans Delfs & Helmut Knebl: Kryptographie und Informationssicherheit WS 2008/2009. References. References

Biomedical Security. Overview 9/15/2017. Erwin M. Bakker

cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Lecture 3.1: Public Key Cryptography I

Transcription:

Common Usage of MACs for message authentication Introduction to Cryptography k Alice α m, MAC k (m) Isα= MAC k (m)? Bob k Lecture 5 Benny Pinkas k Alice m, MAC k (m) m,α Got you! α MAC k (m )! Bob k Eve does not know k page 1 page 3 Data Integrity, Message Authentication Requirements Risk: an active adversary might change messages exchanged between Alice and Bob M Alice M M Eve Bob Authentication is orthogonal to secrecy. A relevant challenge regardless of whether encryption is applied. A one-time pad alone cannot prevent an adversary from changing the message. M page 2 Security: The adversary, Knows the MAC algorithm (but not K). Is given many pairs (m i, MAC K (m i )), where the m i values might also be chosen by the adversary (chosen plaintext). Cannot compute (m, MAC K (m)) for any new m ( i m m i ). The adversary must not be able to compute MAC K (m) even for a message m which is meaningless (since we don t know the context of the attack). Efficiency: output must be of fixed length, and as short as possible. The MAC function is not 1-to-1. An n bit MAC can be broken with prob. of at least 2 -n. page 4 1

Constructing MACs Security definitions for hash functions Based on block ciphers (CBC-MAC) or, Based on hash functions More efficient At the time, encryption technology was controlled (export restricted) and it was preferable to use other means when possible. 1. Weak collision resistance: for any x X, it is hard to find x x such that h(x)=h(x ). (Also known as universal one-way hash, or second preimage resistance ). 2. Strong collision resistance: it is hard to find any x,x for which h(x)=h(x ). It s easier to find collisions. (Namely, under reasonable assumptions it holds that if it is possible to achieve (2) then it is also possible to achieve (1).) Therefore strong collision resistance is a stronger assumption. Real world hash functions: MD5, SHA-1, SHA-256. Hmm.. page 5 page 7 Hash functions The Birthday Phenomenon (Paradox) MACs can be constructed based on hash functions. A hash function h:x Y maps long inputs to fixed size outputs. ( X > Y ) No secret key. The hash function algorithm is public. (We will use it to construct MACs which use keys.) If X > Y there are collisions (x x for which h(x)=h(x )). For 23 people chosen at random, the probability that two of them have the same birthday is ½. Compare to: the prob. that one or more of them have the same birthday as Alan Turing is 23/365 (actually, 1-(1-1/365) 23.) More generally, for a random h:x Z, if we choose about Z ½ elements of X at random (1.17 Z ½ to be exact), the probability that two of them are mapped to the same image is > ½. Implication: it is harder to achieve strong collision resistance A random function with an n bit output Given y, can find x y s.t. h(x)=h(y) after about 2 n tries. Can find x,x with h(x)=h(x ) after about 2 n/2 tries. page 6 page 8 2

From collision-resistance for fixed length inputs, to collision-resistance for arbitrary input lengths Hash function: Input block length is usually 512 bits ( X =512) Output length is at least 160 bits (birthday attacks) Extending the domain to arbitrary inputs (Damgard-Merkle) Suppose h:{0,1} 512 -> {0,1} 160 Input: M=m 1 m s, m i =512-160=352. (what if M 352 i bits?) Define: y 0 =0 160. y i =h(y i-1,m i ). y s+1 =h(y s,s). h(m)=y s+1. Why is it secure? What about different length inputs? The implication of collisions Given a hash function with 2 n possible outputs. Collisions can be found after a search of 2 n/2 values even faster if the function is weak (MD5, SHA-1) We find x, x such that h(x)=h(x ), but we cannot control the value of x, x. 0 160 h m 1 m 2 m s h s h h(m) Can we find meaningful colliding values x, x? The case of pdf files page 9 page 11 Proof Show that if we can find M M for which H(M)=H(M ), we can find blocks m m for which h(m)=h(m ). Case 1: suppose M =s, M =s, and s s Then, collision: H(M)=h(y s,s) = h(y s,s )=H(M ) Case 2: M = M =s Suppose that H(M)=h(y s,s)=h(y s,s)=h(m ) If y s y s then we found a collision in h. Otherwise, go from i=s-1 to i=1: y i+1 = y i+1 implies h(y i,m i+1 ) = h(y I,m i+1 ). If m i+1 m i+1, then we found a collision. M M and therefore there is an i for which m i+1 m i+1 Basing MACs on Hash Functions Hash functions are not keyed. MAC K uses a key. Best attack should not succeed with prob > max(2 - k,2 - MAC() ). Idea: MAC combines message and a secret key, and hashes them with a collision resistant hash function. E.g. MAC K (m) = h(k,m). (insecure.., given MAC K (m) can compute MAC K (m, m,m ), if using the Damgard-Merkle construction) MAC K (m) = h(m,k). (insecure.., regardless of key length, use a birthday attack to find m,m such that h(m)=h(m ).) How should security be proved?: Show that if MAC is insecure than so is hash function h. Insecurity of MAC: adversary can generate MAC K (m) without knowing k. Insecurity of h: adversary finds collisions (x x, h(x)=h(x ).) page 10 page 12 3

HMAC Input: message m, a key K, and a hash function h. HMAC K (m) = h( K opad, h(k ipad, m)) where ipad, opad are 64 byte long fixed strings K is 64 byte long (if shorter, append 0s to get 64 bytes). Overhead: the same as that of applying h to m, plus an additional invocation to a short string. It was proven [BCK] that if HMAC is broken then either h is not collision resistant (even when the initial block is random and secret), or The output of h is not unpredcitable (when the initial block is random and secret) HMAC is used everywhere (SSL, IPSec). Plan Basic number theory Divisors, modular arithmetic The GCD algorithm Groups References: Many books on number theory Almost all books on cryptography Cormen, Leiserson, Rivest, (Stein), Introduction to Algorithms, chapter on Number-Theoretic Algorithms. page 13 page 15 Divisors, prime numbers Basic Number Theory We work over the integers A non-zero integer b divides an integer a if there exists an integer c s.t. a=c b. Denoted as b a I.e. b divides a with no remainder Examples Trivial divisors: 1 a, a a Each of {1,2,3,4,6,8,12,24} divides 24 5 does not divide 24 Prime numbers An integer a is prime if it is only divisible by 1 and by itself. 23 is prime, 24 is not. page 14 page 16 4

Modular Arithmetic Modular operator: a mod b, (or a%b) is the remainder of a when divided by b I.e., the smallest r 0 s.t. integer q for which a = qb+r. (Thm: there is a single choice for such q,r) Examples 12 mod 5 = 2 10 mod 5 = 0-5 mod 5 = 0-1 mod 5 = 4 Greatest Common Divisor (GCD) d is a common divisor of a and b, if d a and d b. gcd(a,b) (Greatest Common Divisor), is the largest integer that divides both a and b. (a,b >= 0) gcd(a,b) = max k s.t. k a and k b. Examples: gcd(30,24) = 6 gcd(30,23) = 1 If gcd(a,b)=1 then a and b are denoted relatively prime. page 17 page 19 Modular congruency a is congruent to b modulo n (a b mod n) if (a-b) = 0 mod n Namely, n divides a-b In other words, (a mod n) = (b mod n) Facts about the GCD gcd(a,b) = gcd(b, a mod b) (interesting when a>b) Since (e.g., a=33, b=15) If c a and c b then c (a mod b) If c b and c (a mod b) then c a E.g., 23 12 mod 11 4-1 mod 5 There are n equivalence classes modulo n [3] 7 = {,-11,-4,3,10,17, } If a mod b = 0, then gcd(a,b)=b. Therefore, gcd(19,8) = gcd(8, 3) = gcd(3,2) = gcd(2,1) = 1 gcd(20,8) = gcd(8, 4) = 4 page 18 page 20 5

Euclid s algorithm Input: a>b>0 Output: gcd(a,b) Algorithm: 1. if (a mod b) = 0 return (b) 2. else return( gcd(b, a mod b) ) Complexity: O(log a) rounds Each round requires O(log 2 a) bit operations Actually, the total overhead can be shown to be O(log 2 a) Groups Definition: a set G with a binary operation :G G G is called a group if: (closure) a,b G, it holds that a b G. (associativity) a,b,c G, (a b) c = a (b c). (identity element) e G, s.t. a G it holds that a e =a. (inverse element) a G a -1 G, s.t. a a -1 = e. A group is Abelian (commutative) if a,b G, it holds that a b = b a. Examples: Integers under addition (Z,+) = {,-3,-2,-1,0,1,2,3, } page 21 page 23 The extended gcd algorithm Finding s, t such that gcd(a,b) = a s + b t Extended-gcd(a,b) / output is (gcd(a,b), s, t) 1. If (a mod b=0) then return(b,0,1) 2. (d,s,t ) = Extended-gcd(b, a mod b) 3. (d,s,t) = (d, t, s - a/b t ) 4. return(d,s,t) Note that the overhead is as in the basic GCD algorithm More examples of groups Addition modulo N (G, ) = ({0,1,2,,N-1}, +) Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7 = ( {1,2,3,4,5,6}, ) Z p Trivial: closure (the result of the multiplication is never divisible by p), associativity, existence of identity element. The extended GCD algorithm shows that an inverse always exists: s a+t p = 1 s a = 1-t p s a 1 mod p page 22 page 24 6

More examples of groups Z N Multiplication modulo a composite number N (G, ) = ({a s.t. 1 a N-1 and gcd(a,n)=1}, ) E.g., Z 10 = ( {1,3,7,9}, ) Closure: s a+t N = 1 s b+t N = 1 ss (ab)+(sat +s bt+ tt N) N = 1 Associativity: trivial Existence of identity element: 1. Inverse element: as in Z p Cyclic Groups Exponentiation is repeated application of a 3 = a a a. a 0 = 1. a -x = (a -1 ) x A group G is cyclic if there exists a generator g, s.t. a G, i s.t. g i =a. I.e., G= <g> = {1, g, g 2, g 3, } For example Z 7 = <3> = {1,3,2,6,4,5} Not all a G are generators of G, but they all generate a subgroup of G. E.g. 2 is not a generator of Z 7 The order of a is the smallest j>0 s.t. a j =1. Lagrange s theorem for x Z p, ord(x) p-1. page 25 page 27 Subgroups Fermat s theorem Let (G, ) be a group. (H, ) is a subgroup of G if (H, ) is a group H G For example, H = ( {1,2,4}, ) is a subgroup of Z 7. Lagrange s theorem: If (G, ) is finite and (H, ) is a subgroup of (G, ), then H divides G For example: 3 6. Corollary of Lagrange s theorem: if (G, ) is a finite group, then a G, a G =1. Corollary (Fermat s theorem): a Z p, a p-1 =1 mod p. E.g., for all a Z 7, a 6 =1, a 7 =a. Computing inverses: Given a G, how to compute a -1? Fermat s theorem: a -1 = a G -1 (= a p-2 in Z p ) Or, using the extended gcd algorithm (for Z p or Z N ): gcd(a,p) = 1 s a + t p = 1 s a = -t p + 1 s is a -1!! Which is more efficient? page 26 page 28 7

Computing in Z p P is a huge prime (1024 bits) Easy tasks (measured in bit operations): Adding in O(log p) (linear n the length of p) Multiplying in O(log 2 p) (and even in O(log 1.7 p) ) Inverting (a to a -1 ) in O(log 2 p) Exponentiations: x r mod p in O(log r log 2 p), using repeated squaring page 29 8

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback