Message Authentication

Similar documents
Block Ciphers/Pseudorandom Permutations

Lecture 15: Message Authentication

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Solution of Exercise Sheet 7

2 Message authentication codes (MACs)

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

Homework 7 Solutions

Introduction to Cryptography

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Constructing secure MACs Message authentication in action. Table of contents

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Authentication. Chapter Message Authentication

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Lecture 5, CPA Secure Encryption from PRFs

Notes for Lecture 9. 1 Combining Encryption and Authentication

Question 1. The Chinese University of Hong Kong, Spring 2018

Tight Security Analysis of EHtM MAC

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

II. Digital signatures

Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions

G /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008

Lecture 9 - Symmetric Encryption

Authenticated Encryption Mode for Beyond the Birthday Bound Security

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design

Leftovers from Lecture 3

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Lecture 10 - MAC s continued, hash & MAC

1 Cryptographic hash functions

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

CPA-Security. Definition: A private-key encryption scheme

1 Cryptographic hash functions

CS 6260 Applied Cryptography

Katz, Lindell Introduction to Modern Cryptrography

MESSAGE AUTHENTICATION 1/ 103

Introduction to Cryptography Lecture 4

Lecture 13: Private Key Encryption

Block ciphers And modes of operation. Table of contents

Symmetric Encryption

Lecture 14: Cryptographic Hash Functions

A survey on quantum-secure cryptographic systems

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Lecture 5: Pseudorandom functions from pseudorandom generators

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

CTR mode of operation

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Lecture 10: NMAC, HMAC and Number Theory

EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC

ECS 189A Final Cryptography Spring 2011

SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL. Mark Zhandry Stanford University

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

CPSC 91 Computer Security Fall Computer Security. Assignment #2

Digital Signatures. Adam O Neill based on

Cryptography and Security Final Exam

Lecture 7: CPA Security, MACs, OWFs

1 Indistinguishability for multiple encryptions

From Non-Adaptive to Adaptive Pseudorandom Functions

1 Number Theory Basics

Modern Cryptography Lecture 4

Notes on Property-Preserving Encryption

Lecture 3,4: Multiparty Computation

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

Lecture 18: Message Authentication Codes & Digital Signa

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World

Digital Signatures. p1.

CS 6260 Applied Cryptography

VI. The Fiat-Shamir Heuristic

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Transitive Signatures Based on Non-adaptive Standard Signatures

Message Authentication Codes from Unpredictable Block Ciphers

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Message Authentication Codes from Unpredictable Block Ciphers

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Modern symmetric-key Encryption

Quantum-Secure Message Authentication Codes

Symmetric Encryption. Adam O Neill based on

Lecture 5: Pseudo-Random Generators and Pseudo-Random Functions

Lecture 5: February 21, 2017

Solution of Exercise Sheet 6

XMSS A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions

Foundations of Cryptography

Online Cryptography Course. Message integrity. Message Auth. Codes. Dan Boneh

Lecture 10: NMAC, HMAC and Number Theory

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Scribe for Lecture #5

Introduction to Cybersecurity Cryptography (Part 4)

Relations Among Notions of Security for Public-Key Encryption Schemes. Debdeep Mukhopadhyay IIT Kharagpur. Notions

Cryptographic Security of Macaroon Authorization Credentials

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

Lecture 11: Key Agreement

Transcription:

Motivation Message Authentication 15-859I Spring 2003 Suppose Alice is an ATM and Bob is a Ban, and Alice sends Bob messages about transactions over a public channel Bob would lie to now that when he receives a message saying credit $128 to Carol s Account Alice, it originates from the ATM Bob is concerned with the authenticity of the message He also wants to now that Carol has not modified the message from credit $16 to Carol s Account Alice This concerns the integrity of the message Authentication and Encryption Message Authentication Codes (MACs Should we expect to get good message authentication via encryption? ie, is it enough to guarantee authenticity of M by transmitting E K (M? No! eg, if E K is CTR from lecture 6, then it is easy for Carol to change E K (16 to E K (128 via E K (128 = E K (16 144 In general, good encryption does not necessarily imply integrity ormally: A MAC is a trio of algorithms (G,T,V such that: G(1 generates a -bit ey K T K (M generates a L(-bit tag σ V K (M, σ verifies the tag σ for the message M Require that for all K, M, random choices or states of T, V K (M,T K (M = 1 If T K is deterministic and stateless, V K is trivial Security of MACs The adversary s goal might be to sign some specific message m We want it to be hard to produce any (M,σ pair such that V K (M,σ=1 This should be true even if the adversary has seen several M,T K (M pairs Should be conservative: Allow the adversary to choose the M messsages Existential Unforgeability Notation: let Q(A O denote the list of oracle queries that A maes with O as its oracle Define the chosen-message attac ( advantage of A against MAC = (G,T,V by: Adv A, MAC ( = Pr[ V K G(1,( M, σ A K ( M, σ = 1 M L : (1, L = Q( TK T A K (1 Say that MAC is existentially unforgeable under chosen message attac if every ppt A has negligible advantage

MAC Insecurity or a fixed security parameter, define the Insecurity of MAC=(G,T,V against time-t adversaries which mae q queries with total message length l by: uf - MAC ( t, l = max A: A( t, l { Adv ( } A, MAC PRs are good MACs Let : K {0,1} d {0,1} s be a function family Then if K is pseudorandom, K is a good MAC for the message space {0,1} d : uf - ( t, dq ( t, q + 2 s Proof: Let A be a chosen-message forger for as a MAC We show how to construct a PR distinguisher D for that has almost the same advantage as A, and runs in the same time PRs are good MACs D f (1 : Run A(1 : respond to q with f( add q to Q Set (M,σ = output of A If f(m = σ and M Q, return 1, else return 0 Notice: Pr[D (1 = 1 = Adv A, ( And since M was never queried, Pr[D (1 = 1 1/2 s So Adv A, ( Adv A, ( 2 -s Almost-XOR-Universal 2 (AXU 2 Hash unctions Let H: K D {0,1} L be a family of functions Define the XOR-2-Universality of H by { Pr [ H ( a H ( a b } xuh Adv ( H = max K K 1 K 2 = L a1, a2 D, b {0,1} We say H is ε-almost-xor-universal 2 (ε- AXU 2 if Adv xuh (H ε H is XOR-Universal 2 if it is 1/2 L -AXU 2 Notice that Pairwise-independent hash functions are XOR-Universal 2 ε-axu 2 Hash amilies for large domains AXU 2 -MAC Let h: K {0,1} 2L {0,1} L be ε AXU 2 Define the family H : K n {0,1} 2 nl {0,1} L as follows: H K1 Kn, n = H K2 Kn (h K1,h K1 (a 3,a 4,,h K1 (a 2 n-1 n; H K = h K Claim: H is (nε-axu 2 Proof: If the inputs to h Kn are not the same, then the xor-probability is at most ε The probability that the inputs to h Kn are the same is at most ε given that not all inputs to h K(n-1 are the same, and so on Let : K {0,1} l {0,1} L be a PR Let H : K D {0,1} L be ε-axu 2 Define the MAC C-UHM as follows: G: Select K K, κ K Return (K, κ T (K, κ (M = Let x = H κ (M; τ = K (ctr x;σ=(ctr,τ Set ctr = ctr+1 Return σ V (K, κ (M,(s,τ = 1 iff K (s τ = H κ (M

C-UHM theorem Theorem: for any q 2 l, uf- C-UHM (t,l ε + (t,q+1 Proof: Let A be any MAC adversary Suppose we choose ƒ and run A against UHM instantiated with ƒ in place of K Denote the queries that A maes by M i, 1 i q; denote the responses by σ i = (i,τ i inally, A returns some message M {M 1,,M q }, and a tag (s,τ C-UHM Theorem, continued Let NEW be the event that s > q-1, that is, the s returned by A was not a value input to ƒ in C- UHM Let OLD be the event s < q Claim 1: Pr[V κƒ (M,(s,τ = 1 OLD ε Proof: Pr[V κƒ (M,(s,τ = 1 = Pr[H κ (M H κ (M s = τ τ s ε Claim 2: Pr[V κƒ (M,(s,τ = 1 NEW 2 -L Proof: = Pr[H κ (M τ = ƒ(s = 2 -L C-UHM Theorem, continued Thus: Pr[V κƒ (M,(s,τ = 1 = Pr[V κƒ (M,(s,τ = 1 OLD Pr[OLD + Pr[V κƒ (M,(s,τ = 1 NEW(1-Pr[OLD εq + 2 -L (1-q εq + ε(1-q = ε The theorem follows, since we can distinguish K from ƒ by trying to use A to forge a MAC and then checing if A was successful R-UHM Let : K {0,1} l {0,1} L be a PR Let H : K D {0,1} L be ε-axu 2 Define the MAC R-UHM as follows: G: Select K K, κ K Return (K, κ T (K, κ (M = Choose s {0,1} l Let x = H κ (M; τ = K (s x Return σ=(s,τ V (K, κ (M,(s,τ = 1 iff K (s τ = H κ (M R-UHM theorem CBC-MAC Theorem: for any q 2 l/2, uf- R-UHM (t,l ε + (t,q+1 + q(q-1/2 l+1 Proof: Consider the same experiment as before Clearly when there are no collisions in the values s 1,,s q, the same argument upper bounds the success probability of A And when there is a collision, the success probability of A is at most 1 The probability of a collision is q(q-1/2 l+1 Let : {0,1} {0,1} l {0,1} l be a PR Define the MAC (m on ml-bit messages as follows: T K,,x m = Let y 0 = 0 l or i = 1,,m y i = K (M i y i-1 return y m Theorem: Insec (m (t,q Insec (t+o(qml,qm + 3q 2 m 2 /2 l+1 So (m is a secure MAC if is a secure PR

CBC-MAC Proof CBC-MAC proof Lemma 1: If ƒ l,l then Insec ƒ (m (q 3m 2 q 2 /2 l+1 Consider the 2 l -ary tree of depth m A sequence of strings X =,,x n {0,1} nl uniquely specifies a node in this tree Let f: {0,1} l {0,1} l, denote the labeling of a sequence x 1 x n by Z f ( = 0 l, Y f,,x n = x n Z f,,x n-1, Z f (X=f(Y f (X Call,,X n a query sequence if every X i has parent either the root or X j for some j < i Consider an (unbounded adversary A trying to distinguish ƒ (m from a sample from ml,l with q queries We let A mae qm queries X 1 X qm in the form of a query tree, and whenever X i is at depth m, A learns Z ƒ (X i We let Z n be the depth-m labels A has learned after the n th query, and V n =,,X n ; Z n denotes the View of A after the n th query If the labeling Z f is collision-free, then A s view is identical to its view on a random function from ml bits to l bits So we only need to bound the probability of a collision in Z f CBC-MAC Proof Lemma 2: Let Z n1 and Z n2 be collision-free output labelings consistent with a depth-m labeling Z n, Then: Pr[Z n = Z n1 V n =,,X n ; Z n = Pr[Z n = Z n2 V n =,,X n ; Z n Proof: By induction Obviously true for n=1, since the first node in a query tree is not at depth m Lemma 2 proof, con t Two cases for n>1: X n at depth < m Then the view is independent of Z Thus Pr[Z n = Z ni V n = Pr[Z n =Z ni Pr[Z n = Z ni Z n-1, V n-1 2 -l These are equal for i=1,2 by IH X at depth m Then Pr[Z n = Z ni V n = Z n-1i V n-1,z n = z = Pr[Z n = z Z n-1,v n-1 Pr[Z n-1 V n- 1 /Pr[Z n = z = 2 -l Pr[Z n-1 /Pr[Z n = z Lemma 3 Lemma 3: Let C(Z denote the event that Z is collision-free Let [E denote the quantity Pr[E V n =,,X n ;Z n, C(Z n Let n 2 /4 + n -1 2 l /2 Let {X 1,,X m } and i<m; let z S be a collision-free label of the nodes in S = {X 1,,X n } \ { } consistent with Z n Then (1 or any x i+1 S, any y* {0,1} l : [Y n x i+1 = y* Z ns = z S 2 2 -l (2 or any z* {0,1} l, [Z n =z* Z ns =z S 2 2 -l Proof of Lemma 3(1 Let y {0,1} l be some fixed string Define the labeling Z z,y = z S x 1, and y x i+1 otherwise Let Y z,y be the labeling induced by Z z,y : Y z,y = y S children y x i+1 x i+1 if X j x i+1 Let Y(z S be the set of all strings y such that Z z,y is collision-free y Y(z S iff either: y x i+1 {z S : 0 < j < n+1 and X j }; or for some x i+1, y x i+1 x i+1 {y S, X j children, and 0 < j < n+1} Thus {0,1} l \ Y(z S (n-1 + (n-s(s n-1 + n 2 /4 2 l /2 This proves (1

Proof of Lemma 3(2 Let z {0,1} l be some fixed string Define the labeling Z z,y = z S x 1, and z otherwise Let Y z be the labeling induced by Z,z : Y z = y S children z x i+1 if X j x i+1 Let Z(z S be the set of all strings z such that Z z is collision-free z Z(z S iff either: z {z S : 0 < j < n+1 and X j }; or for some x i+1, z x i+1 {y S, X j children, and 0 < j < n+1} Thus {0,1} l \ Y(z S (n-1 + (n-s(s n-1 + n 2 /4 2 l /2 This proves (2 Lemma 4: Pr[not C(Z Let n 2 /4 + n-1 < 2 l /2 Let X 1 X n be a query sequence and Z be the labeling of depth-m nodes Then Pr[not C(Z n+1 V n,c(z n 3n 2 -l Proof: Denote Pr[E V n,c(z n by [E Case 1: X n+1 is at depth 1 Then let X n+1 * Y+1 * by definition Now for each 1 t n, [Y n (X t = x 1 * 2 2-1 This is because if X t is at level 1, Pr[Y(X t = x 1 * = 0 Otherwise X t is at depth at least 2, and is the child of some {X 1 X n } and so the equation follows because of lemma 3 Then [not C(Z n [x 1 * {Y n,,y n } + [Z n+1 +1 {Z n Z n } x 1 * {Y n,,y n } 2n/2 l + n/2 l = 3n/2 l Lemma 4: Case 2 Case 2: X n+1 = x 1 x i+1, i > 0, is the child of some x 1 {X 1,,X n } Let S = {X 1,,X n } \ {x 1 } Notice that for any X t {X 1,,X n }, [Y n+1 +1 = Y n (X t 2/2 l Since if X n+1 and X t are siblings, the probability is 0, and otherwise any collision free labeling z S determines Y n (X t ; thus [Y n+1 +1 = Y n (X t = Σ z [Y n+1 +1 = Y n (X t Z ns = z S Pr[Z ns =z S = Σ z [Z n = Y n (X t x i+1 Z ns = z S Pr[Z ns =z S 2/2 l Σ z Pr[Z ns =z S 2/2 l This gives us that [not C(Z n+1 [Y n+1 +1 {Y n,,y n } + [Z n+1 +1 {Z n Z n } Y n+1 +1 {Y n,,y n } 2n/2 l + n/2 l = 3n/2 l Pr[C(Z So Pr[not C(Z Σ n Pr[not C(Z n C(Z n-1 3/2 l (qm(qm-1/2 = 3/2 q 2 m 2 /2 l

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback