Message Authentication Codes. Reading: Chapter 4 of Katz & Lindell

Similar documents
Review of Elementary Cryptography. For more material, see my notes of CSE 5351, available on my webpage

Lecture 11: Pseudorandom functions

Cryptographic Hash Functions and Message Authentication Codes. Reading: Chapter 4 of Katz & Lindell

Further More on Key Wrapping. 2011/2/17 SKEW2011 Lyngby Nagoya University Yasushi Osaki, Tetsu Iwata

Lecture 11: Hash Functions and Random Oracle Model

Block Ciphers/Pseudorandom Permutations

Perfectly-Secret Encryption

Factoring Algorithms and Other Attacks on the RSA 1/12

Oblivious Transfer using Elliptic Curves

Lecture 9: Pseudo-random generators against space bounded computation,

A Provably Secure Signature Scheme based on Factoring and Discrete Logarithms

Recurrence Relations

7. Modern Techniques. Data Encryption Standard (DES)

The Paillier Cryptosystem

New Definition of Density on Knapsack Cryptosystems

The multiplicative structure of finite field and a construction of LRC

Resampling Methods. X (1/2), i.e., Pr (X i m) = 1/2. We order the data: X (1) X (2) X (n). Define the sample median: ( n.

The picture in figure 1.1 helps us to see that the area represents the distance traveled. Figure 1: Area represents distance travelled

Pseudo-random Functions. PRG vs PRF

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Two-Input Functional Encryption for Inner Products from Bilinear Maps

Introduction to Cryptography Lecture 4

1 Number Theory Basics

PROBABILISTIC SOLUTION OF YAO S MILLIONAIRES PROBLEM

Lecture 2: April 3, 2013

Context-free grammars and. Basics of string generation methods

Identity-Based Cryptography on Hidden-Order Groups

LECTURE 8: ASYMPTOTICS I

Solutions to Math 347 Practice Problems for the final

Polynomial reduction. Outline Lecture. Non deterministic polynomial time. Example 1 : discrete log. Lecture: Polynomial reduction.

2 Message authentication codes (MACs)

The Hidden Graph Model: Communication Locality and Optimal Resiliency with Adaptive Faults

Simon Blackburn. Sean Murphy. Jacques Stern. Laboratoire d'informatique, Ecole Normale Superieure, Abstract

OPTIMAL ALGORITHMS -- SUPPLEMENTAL NOTES

Because it tests for differences between multiple pairs of means in one test, it is called an omnibus test.

Product measures, Tonelli s and Fubini s theorems For use in MAT3400/4400, autumn 2014 Nadia S. Larsen. Version of 13 October 2014.

Lecture 4: Unique-SAT, Parity-SAT, and Approximate Counting

Notes for Lecture 5. 1 Grover Search. 1.1 The Setting. 1.2 Motivation. Lecture 5 (September 26, 2018)

DS 100: Principles and Techniques of Data Science Date: April 13, Discussion #10

Ma 530 Infinite Series I

Lecture 9: Expanders Part 2, Extractors

Monte Carlo Integration

Lecture 19: Convergence

Matsubara-Green s Functions

THE combination of quantum mechanics and information science forms a new science quantum information science, in

1 Introduction to reducing variance in Monte Carlo simulations

CSI 2101 Discrete Structures Winter Homework Assignment #4 (100 points, weight 5%) Due: Thursday, April 5, at 1:00pm (in lecture)

0.1. Geometric Series Formula. This is in your book, but I thought it might be helpful to include here. If you have a geometric series

Week 5-6: The Binomial Coefficients

The Maximum-Likelihood Decoding Performance of Error-Correcting Codes

Differentiable Convex Functions

Padding Oracle Attacks on CBC-mode Encryption with Secret and Random IVs

Advanced Stochastic Processes.

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Efficient GMM LECTURE 12 GMM II

Sequences, Series, and All That

Stat 421-SP2012 Interval Estimation Section

An Introduction to Randomized Algorithms

Symmetrization maps and differential operators. 1. Symmetrization maps

Lossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems

Real Variables II Homework Set #5

Digital Signatures. p1.

Expectation and Variance of a random variable

Sequences, Mathematical Induction, and Recursion. CSE 2353 Discrete Computational Structures Spring 2018

Integrable Functions. { f n } is called a determining sequence for f. If f is integrable with respect to, then f d does exist as a finite real number

Axioms of Measure Theory

International Journal of Advanced Research in Computer Science and Software Engineering

y X F n (y), To see this, let y Y and apply property (ii) to find a sequence {y n } X such that y n y and lim sup F n (y n ) F (y).

Frequency Domain Filtering

Chapter 4. Fourier Series

Lecture 6 Chi Square Distribution (χ 2 ) and Least Squares Fitting

Abstract Vector Spaces. Abstract Vector Spaces

Chapter 2 The Monte Carlo Method

Pseudo-random Functions

PROBLEMS AND SOLUTIONS 2

Lecture 9: Hierarchy Theorems

ASYMMETRIC ENCRYPTION

A Secure Anonymous Proxy Multi-signature Scheme

2.4 - Sequences and Series

Appendix: The Laplace Transform

ECEN 655: Advanced Channel Coding Spring Lecture 7 02/04/14. Belief propagation is exact on tree-structured factor graphs.

Notes 12 Asymptotic Series

Classification of problem & problem solving strategies. classification of time complexities (linear, logarithmic etc)

w (1) ˆx w (1) x (1) /ρ and w (2) ˆx w (2) x (2) /ρ.

Problem 4: Evaluate ( k ) by negating (actually un-negating) its upper index. Binomial coefficient

62. Power series Definition 16. (Power series) Given a sequence {c n }, the series. c n x n = c 0 + c 1 x + c 2 x 2 + c 3 x 3 +

Lecture 2. The Lovász Local Lemma

Machine Learning for Data Science (CS 4786)

Lecture 6 Chi Square Distribution (χ 2 ) and Least Squares Fitting

(A sequence also can be thought of as the list of function values attained for a function f :ℵ X, where f (n) = x n for n 1.) x 1 x N +k x N +4 x 3

2 A bijective proof of Theorem 1 I order to give a bijective proof of Theorem 1, we eed to itroduce the local biary search (LBS) trees, used by Postio

Lecture 14: Randomized Computation (cont.)

Gentry s ideal-lattice based encryption scheme. Gentry s STOC 09 paper - Part III

Fall 2013 MTH431/531 Real analysis Section Notes

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Lecture 10: Universal coding and prediction

ECONOMETRIC THEORY. MODULE XIII Lecture - 34 Asymptotic Theory and Stochastic Regressors

6 Integers Modulo n. integer k can be written as k = qn + r, with q,r, 0 r b. So any integer.

Constructing secure MACs Message authentication in action. Table of contents

CS 270 Algorithms. Oliver Kullmann. Growth of Functions. Divide-and- Conquer Min-Max- Problem. Tutorial. Reading from CLRS for week 2

Transcription:

Message Autheticatio Codes Readig: Chapter 4 of Katz & Lidell 1

Message autheticatio Bob receives a message m from Alice, he wats to ow (Data origi autheticatio) whether the message was really set by Alice. (Data itegrity) whether the message has bee modified. Two solutios: Alice attaches a message autheticatio code (MAC) to the message (usig a symmetric ey to compute the MAC). Or she attaches a sigature to the message (usig a asymmetric ey to compute the sigature). 2

Basic idea of MAC Message autheticatio protocol: 1. Alice ad Bob share a secret ey. 2. To sed a message m, Alice computes a tag t : = MAC ( m) ( m t) ( ) ad seds, to Bob. 3. O receivig m, t, Bob checs whether t = MAC ( m ). If so, he accepts the message; otherwise, he rejects it. The tag t is called a message autheticatio code (MAC). Security requiremet: computatioally ifeasible to forge a valid pair ( x, MAC ( x)) without owig the ey. 3

MAC Scheme (formal defiitio) A MAC scheme is a triple ( Ge, Mac, Vrfy): Key geeratio algorithm: O iput 1, outputs a ey {0,1}. u Tag geeratio algorithm Mac : O iput a ey ad a message m M, Mac outputs a tag t. We write t Mac ( m). l( ) * ( M is the message space. Assume M = {0,1} or M = {0,1}.) Verificatio algorithm Vrfy : O iput a ey, a message m, ad a tag t, algorithm Vrfy outputs 1 (meaig valid) or 0 ( ivalid). Vrfy ( m, t) = 0 or 1. Ge, Mac are probabilistic algorithms. Vrfy is determiistic. Correctess requiremet: for every K ad m M, ( ) Vrfy m, Mac ( m) = 1. 4

Caoical verificatio (used whe Mac is determiistic): Vrfy ( m,) t 1 if Mac ( m) = t = 0 otherwise l( ) If {0,1}, the scheme is said to M = a fixed-le gth MAC scheme for messages of legth l ( ). Fixed-legth MAC schemes are easier to costruct. Geeral MAC schemes for M = fixed-legth schemes. be * {0,1} ca be costructed from 5

Chose-Message Attacs o MAC Schemes Experimet MAC-Forge ( ): A, Π 1. A ey G(1 ) is geerated. 2. The adversary A is give iput 1 ad oracle access to Mac ( ). A may as the oracle to compute tags for messages of its choice. Let Q be the set of all queries A has made to the oracle. 3. A evetually outputs a pair ( m, t). ( A tries to for ge a valid pair of message ad tag. ) 4. MAC-Forge A, Π ( ) = 1 ( A succeeds) if m Q ad Vrfy ( m, t) = 1. Remars: Adversary: a adaptive chose-message attacer. Forgery: a existetia l forgery. 6

MAC security: existetial uforgeability uder a adaptive chose-message attac Defiitio: A MAC scheme ( Ge, Mac, Vrfy) is existetially uforgeable uder a adaptive chose-message attac (or simply secure) if for all polyomial-time adversaries A, there exists a egligible fuctio egl or such that Pr MAC-Forge A, Π ( ) = 1 egl( ) ( Mac ( ) ( )) Pr Vrfy A 1 = 1 : u {0,1} egl( ) where the output of A, ( mt, ), satisfies m Q. 7

Strog MAC security If a MAC scheme is secure, the probability is egligible that Aca forge a valid ( mt, ) with m Q. However, it may be possible for A to forge a d ifferet valid tag t t for some message m Q, where t is the tag retured by the oracle o m. If o adversary is able to do so, the MAC scheme is strogly secure. To formally defie strog security, modify the experimet as follows: { } Let Q = ( mt, ) : m Q, tis the tag retured by the oracle o m. Asucceeds if a oly if it outputs a valid pair ( mt, ) Q. If MAC is determiistic, the "secure" "strogly secure". 8

Costructig secure MAC schemes Let F be a pseudoradom fuctio. We will use F to costruct secure MAC schemes i several steps. Secure fixed-leg th MAC schemes for messages of legt h Secure fixed-legth MAC schemes for messages of legth l ( ) Secure MAC schemes for arbitrary-legth messages For simplicity, assume message legth is a multiple of. (We ca always do paddig to mae this assumptio true.) 9

Secure MAC schemes for M = {0,1} Let F be a pseudoradom fuctio. Fixed-legth MAC scheme for messages of legth : Key geeratio: O iput 1, {0,1}. Tag geeratio: O iput {0,1} ad message m {0,1}, output the tag t: = F ( m). 1 if F ( m) = t Verificatio: O iput ( mt, ), Vrfy ( mt, ) : = 0 otherwise u Theorem: Such a MAC scheme is secure. 10

Basic CBC-MAC Let F be a pseudoradom fuctio. Basic CBC-MAC wors as follows: Key geeratio: {0,1}. u q Tag geeratio: For ey {0,1} ad message m {0,1}, parse m as m= ( m,, m ) // q blocs // apply CBC to m with IV = 0, i.e., let output t 1 t : = 0 ad t : = F ( m t ) for 1 i q 0 i i i 1 as the tag Verificatio: caoical q q Theorem: For ay fixed for messages of legth legth fuctio l, basic CBC-MAC is secure l ( ). 11

Remars It is importat that t ( IV ) is fixed, or the scheme would be isecure. 0 Also, the scheme would be isecure if message legth is variable. Suppose t : = Mac( m1m2 m3) ad t : = Mac( m4). Let m 4 be such that t m 4 = m4. The Mac ( m m m m ) = t. 1 2 3 4 IV = 0 12

CBC-MAC for arbitrary-legth messages A FIPS ad ISO stadard. There are several variats of CBC-MAC. Oe variat of CBC-MAC: Preped the message m with its legth m (as a -bit strig) ad the compute basic CBC-MAC o the result. Remars: There is a limitatio o m. It would be isecure if m is appeded to the ed of m. 13

14

Aother variat of CBC-MAC Geerate two eys, {0,1}. 1 2 To autheticate a message m, let the tag be ( ) t: = F basic-cbc-mac ( m). 2 1 u Oe may use oly oe ey ad geerate 1 2 : = F (1) ad : = F (2) 1 2, from : 15

Security of CBC-MAC (for arbitrary legth) Theorem: CBC-MAC is secure if F is a pseudoradom fuctio. I practice, bloc ciphers (such as DES, AES) are used. 16

Autheticated Ecryptio To esure both secrecy ad itegrity 17

Uforgeable ecryptio Experimet Ec-Forge ( ) : A, Π Ru Ge(1 ) to obtai a ey. The adversary A is give 1 ad access to oracle Ec ( ), ad outputs a ciphertext c. Let m : = Dec ( c). Let Q be the set of all messages that A has ased the oracle for ecryptio. The output of the experimet is 1 ( A succeeds) if ad oly if m is a valid message ( m M ) ad m Q. Defiitio: A ecryptio scheme Π= ( Ge, Ec, Dec) is if for every A, Pr Ec-Forge A, Π ( ) = 1 egl( ). uforgeable 18

Autheticated ecryptio scheme Defiitio: A symmetric-ey ecryptio scheme is a autheticated ecryptio scheme if it is CCA-secure ad uforgeable. We will costruct a autheticated ecryptio scheme from a CPA-secure ecryptio scheme ad a strogly secure MAC scheme. Three atural ways: Ecrypt ad autheticate (isecure) Autheticate the ecrypt (isecure) Ecrypt the autheticate (secure) I the followig slides, let m be a message, a ecryptio ey, ad M a MAC ey. E 19

Ecrypt ad Autheticate Seder: ecrypt ad autheticate m the ciphertext is ct, where idepedetly. That is, c Ec ( m), t Mac ( m) E Receiver: give ciphertext ct,, do Security: m Dec ( c), ad the chec if Vrfy ( m, t) = 1. Not ecessarily EAV-secure, sice t might lea ifo about m. If ot Mac E M is determiistic (e.g., CBC-MAC), the the scheme CPA-secure. M is 20

Autheticate the Ecrypt Seder: autheticate m first ad the ecrypt m ad the tag. Thus, the ciphertext is c computed as: t Mac ( m), c Ec ( m t) Receiver: give ciphertext c, do M m t Dec ( c) ad the chec if Vrfy ( m, t) = 1. A potetial attac: E Suppose PKCS#5 paddig is used. Suppose the receiver does: if the paddig is icorrect the elseif the tag is icorrect the E M retur a "bad paddig" error retur a "bad mac" error. The paddig attac ca be coducted to recover the etire m t. 21

Ecrypt the Autheticate Seder: ecrypt m first ad the autheticate the result. Thus, the ciphertext is c, t where c Ec ( m), t Mac ( c) E M Receiver: o receivig c, t, if Vrfy ( c, t) = 1 the m Dec ( c). M E Theorem: If the ecryptio scheme is CPA-secure ad the MAC scheme is strogly secure, the the ecryptio-the-autheticate costructio yields a autheticated ecryptio scheme. CPA-secure ecryptio + strogly secure MAC CCA-secure ad uforgeable ecryptio 22

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback