CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

Similar documents
CTR mode of operation

Block Ciphers/Pseudorandom Permutations

Solution of Exercise Sheet 7

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Block ciphers And modes of operation. Table of contents

2 Message authentication codes (MACs)

CPA-Security. Definition: A private-key encryption scheme

Avoiding collisions Cryptographic hash functions. Table of contents

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Constructing secure MACs Message authentication in action. Table of contents

Introduction to Cryptography

1 Number Theory Basics

Lecture 7: CPA Security, MACs, OWFs

Modern Cryptography Lecture 4

1 Cryptographic hash functions

Computational security & Private key encryption

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Lecture 15: Message Authentication

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Lecture 5, CPA Secure Encryption from PRFs

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

1 Cryptographic hash functions

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Lecture 13: Private Key Encryption

John Hancock enters the 21th century Digital signature schemes. Table of contents

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

CS 6260 Applied Cryptography

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY

Message Authentication

Leftovers from Lecture 3

Authentication. Chapter Message Authentication

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

Scribe for Lecture #5

A survey on quantum-secure cryptographic systems

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Lecture 10 - MAC s continued, hash & MAC

CBC MAC for Real-Time Data Sources. Abstract. The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an

Lecture 10: NMAC, HMAC and Number Theory

XMSS A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions

Lecture 5: Pseudorandom functions from pseudorandom generators

Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions

Homework 7 Solutions

Quantum-secure symmetric-key cryptography based on Hidden Shifts

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

III. Pseudorandom functions & encryption

Notes for Lecture 9. 1 Combining Encryption and Authentication

G /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008

Modern symmetric-key Encryption

Lecture 18: Message Authentication Codes & Digital Signa

3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

Cryptographic Security of Macaroon Authorization Credentials

Katz, Lindell Introduction to Modern Cryptrography

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

CPSC 467: Cryptography and Computer Security

CS 6260 Applied Cryptography

El Gamal A DDH based encryption scheme. Table of contents

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

1 Basic Number Theory

Lecture 9 - Symmetric Encryption

Introduction to Cryptography Lecture 4

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

Lecture 10: NMAC, HMAC and Number Theory

From Non-Adaptive to Adaptive Pseudorandom Functions

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

On the Security of CTR + CBC-MAC

Advanced Topics in Cryptography

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Provable Security in Symmetric Key Cryptography

Lecture 4: Computationally secure cryptography

Breaking H 2 -MAC Using Birthday Paradox

Chapter 2 : Perfectly-Secret Encryption

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Characterization of EME with Linear Mixing

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Building Secure Cryptographic Transforms, or How to Encrypt and MAC

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

10 Concrete candidates for public key crypto

ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls

Tight Security Analysis of EHtM MAC

Lectures 2+3: Provable Security

Foundation of Cryptography, Lecture 4 Pseudorandom Functions

Transcription:

CSA E0 235: Cryptography (19 Mar 2015) Instructor: Arpita Patra CBC-MAC Submitted by: Bharath Kumar, KS Tanwar 1 Overview In this lecture, we will explore Cipher Block Chaining - Message Authentication Code (CBC- MAC) which is a standardized MAC widely used in practice. We will see construction of a basic version of CBC-MAC which is secure when authenticating messages of any fixed length. We will highlight why such MAC is insecure for arbitrary-length messages, discuss ways to handle it and also prove security of such variants of CBC-MAC. 2 Construction of Basic CBC-MAC The schematic representation of basic version of CBC-MAC constructed using a pseudorandom function (PRF) F is illustrated below. This version is secure when authenticating messages of any fixed length, however it is not secure in cases when messages of different lengths need to be authenticated. Fig 2.1: Basic CBC-MAC for fixed length messages The construction of basic CBC-MAC, = (Gen, Mac, V rfy) as illustrated in Fig 2.1 using PRF F and a fixed length function l > 0 is as follows:- 1. Gen : It takes as input the security parameter 1 n and outputs a key k with k = n. 2. Mac : On input a key k {0, 1} n and a message m of length l(n) n, does the following:- (a) Parse m as m = m 1,..., m l where each m i is of length n. (b) Set t 0 := 0 n. Then, for i = 1 to l, set t i := F k (t i 1 m i ). Output t l as the tag. 3. V rfy : On input a key k {0, 1} n, a message m, a tag t; outputs 1 if and only if t = Mac k (m) and m is of length l(n).n. Otherwise, it outputs 0. 3-1

3 CBC-MAC vs. CBC-mode Encryption Following are the salient differences between CBC-MAC as illustrated at Fig 2.1 above and CBC-mode of encryption:- 1. CBC-mode encryption uses a random IV for security. However, CBC-MAC uses no IV (can be viewed as using the fixed IV = 0 n ). Moreover, if CBC-MAC uses a random IV, it will not be secure. This is so because if we XOR the first block with random IV before it first comes into contact with the block cipher, then changing only the first block together with a corresponding change in IV may yield into same authentication tag as earlier, thus breaking the CBC-MAC scheme. Additionally, we have to transfer one extra block of data that results with MAC = (IV, t). Also, if the IV is fixed as 0 (or some other constant), there is no way for the attacker to change it together with the first block. 2. In CBC-mode encryption all intermediate values c i (equivalent to t i in CBC-MAC) are output by the encryption algorithm as part of the ciphertext, whereas in CBC-MAC only the final block is output as the tag. 4 Failure of basic CBC-MAC for arbitrary length messages Following simple MAC forgery attack demonstrates why basic CBC-MAC is not secure against arbitrary length messages:- Choose an arbitrary one block message, m X. Request tag t = F k (m) for message m. Output t as the forged tag for new 2 block message, m = (m t m). Clearly, CBC k (m, t m) = F k (F k (m) (t m)) = F k (t t m) = F k (m) = t As a valid forged message tag pair, (m, t) could be generated, we conclude that basic CBC-MAC is not secure against arbitrary length messages. 5 Variants of CBC-MAC for arbitrary length messages CBC-MAC can be modified in many ways to handle arbitrary length messages. We introduce two such ways (concepts) that can be used as such or built upon to generate more efficient schemes. 1. Utilize two independent uniform keys, k 1, k 2 {0, 1} n. First compute basic CBC- MAC of message m using k 1 to obtain tag t and then compute final tag, t := F k2 (t ). 2. Prepend the message m with its length m (encoded as an n-bit string), and then compute basic CBC-MAC on the resulting message. We however note that appending m to the end of the message and then computing basic CBC-MAC is not secure. We illustrate a possible attack over such construction in succeeding section. 3-2

6 Failure of CBC-MAC construction having length of message appended to it Following MAC forgery attack utilizing mix and match attack methodology demonstrates why the variant of basic CBC-MAC having length m of message m appended to it is still insecure in handling arbitrary length messages:- Let t 1 be the tag of message m1 = AAA4B6. We note that the length of message 6 has been appended to it. Similarly let t 2 be the tag of message AAA4, and t 3 be the tag of message CCC4. Let D := t 2 t 3. Also, E := B D = B t 2 t 3 We now output t 1 as a valid tag for message m = CCC4E6. Clearly, while calculating CBC-MAC value of m, we get intermediate tag value, t 3 for CCC4 which further evaluates to = t 3 E = t 3 B t 2 t 3 = t 2 B, which appended with message length, 6 equates to t 2 B6 that yield same tag value as t 1. Thus, a forged valid message tag pair can be generated for such scheme. However, such attack cannot be done if message length, m is prepended with the message. This scheme has a drawback that the message length needs to be known apriori. 7 Security proof of basic CBC-MAC We first define that a set of strings P ({0, 1} n ) is prefix-free if it does not contain the empty string, and no string X P is a prefix of any other string X P. We also observe from forgery attacks illustrated at Sections 4 and 6 above that the basic CBC-MAC and its variants are essentially secure against fixed length and arbitrary length messages respectively if the set of inputs on which they are queried is prefix free. If we fix the length of message l, we get the set of legal messages {0, 1} l(n)n. Since, one string cannot be a prefix of a different string of the same length, it is trivially implied that basic CBC-MAC is secure for messages of any fixed length. Towards this, we thus state the following theorem: Theorem 1 Let l be a polynomial. If F is a PRF, then construction given at section 2 for basic CBC-MAC is a secure MAC for messages of length nl(n). A trivial generalization statement supporting the above theorem has been specified above. However, to establish it rigorously, we need to establish Theorem 8.1 which also guarantees that the variants of CBC-MAC listed at Section 5 are also secure for arbitrary length messages. 3-3

8 Security proof of variants of CBC-MAC Theorem 2 If F is a PRF, then CBC is a PRF as long as the set of inputs on which it is queried is prefix-free. Formally, for all probabilistic polynomial time (p.p.t.) distinguishers D that query their oracle on a prefix-free set of inputs, there is a negligible function negl() such that Pr[D CBC k(.) (1 n ) = 1] P r[d f(.) (1 n ) = 1] negl(n) (1) where k is chosen uniformly from {0, 1} n and f is chosen uniformly from the set of functions mapping ({0, 1} n ) to {0, 1} n (i.e., the value of f at each input is uniform and independent of the values of f at all other inputs). Proof 1. We start with the proof of security by assuming that the set of inputs to CBC k (.) contains prefix free strings. In other words if m 1 and m 2 are two input messages to CBC k (.), if m 1 < m 2 then m 1 should not be prefix of m 2 and if m 2 < m 1 then m 2 should not be prefix of m 1. 2. In proving the theorem, we analyze CBC when it is keyed with a random function g rather than a random key k for some underlying PRF F. We will thus write CBC g (.) instead of CBC k (.) to reflect this change. That is, we consider the keyed function CBC g (.) defined as CBC g (x 1,..., x l ) = g(g(... g(g(x1) 2)... ) x l where, for security parameter n, the function g maps n-bit input to n-bit output, and x 1 =... = x l = n. 3. Claim 8.1: Fix any n 1. For all distinguishers D that query their Oracle on a prefix-free set of q inputs, where the longest such input contains l blocks, it holds that: P r[d CBCg(.) (1 n ) = 1] P r[d f(.) (1 n ) = 1] q2 l 2 2 n (2) where g is chosen uniformly from F unc n, and f is chosen uniformly from the set of functions mapping ({0, 1} n ) to {0, 1} n. 4. Proof of Claim 8.1: To prove this (Equation 2), we define a notion of smoothness and prove that CBC is smooth; we then show that smoothness implies this claim. Let P = {X 1,..., X q } be a prefix free set of q inputs, where each X i is in ({0, 1} n ) and the longest string in P contains l blocks. Note that t 1,... t q {0, 1} n, it holds that P r[ i : f(x i ) = t i ] = 2 nq where the probability is over uniform choice of g. The argument in succeeding paras would assert that CBC is indeed smooth and in turn prove Claim 8.1. 5. Claim 8.2: CBC g is (q, l, δ) smooth, for δ = q2 l 2 2 n. 3-4

6. Proof of Claim 8.2: For any X ({0, 1} n ), with X = x 1,... and x i {0, 1} n, let C g (X) denote the set of inputs on which g is evaluated during the computation of CBC g (X); i.e., C g (X) = (x 1, CBC g (x 1 ) x 2,..., CBC g (x 1,..., x m 1 ) x m ) For X, X ({0, 1} n ) m, with C g (X) = (I 1,..., I m ) and C g (X ) = (I 1,..., I m), say there is a non trivial collision in X if I i = I j for some i j, and say there is a non trivial collision between X and X if I i = I j but (x 1,..., x i ) (x 1,..., x i ) (in this latter case i may equal j). We prove Claim 8.2 in two steps. First, we show that if no trivial collision occurs, CBC g (X i ) = t i for all i is exactly 2 nq. Next, we show that the probability that there is a non trivial collision in P is less than δ = q 2 l 2.2 n (a) Step I: Let Coll be the event that there is a non-trivial collision in P, i.e. in some X P or between some pair of strings X, X P. A non trivial collision between two strings X, X P can be determined by first choosing the values of g(i 1 ) and g(i 1 ), and continuing in this way until we choose values of g(i m 1) and g(i m 1 ). In particular, we need not choose values of g(i m) and g(i m) or else X = X. It is thus possible to determine whether Coll occurs by choosing the values of g on all but final entries of each of C g (X 1 ),..., C g (X q ) for q queries. Assuming Coll has not occurred, the result is immediate that final entries in each of C g (X 1 ),..., C g (X q ) are distinct. Since, g is a random function, it implies that CBC g (X 1 ),..., CBC g (X q ) are uniform and independent of each other as well as other values of g that have already been fixed. Thus, for any t 1,..., t q {0, 1} n we have P r[ i : CBC g (X i ) = t i Coll] = 2 nq (3) (b) Step II: We next show that Coll occurs with high probability by upper bounding P r[coll]. For distinct X i, X j P, let Coll i,j denote the event that there is a non trivial collision in X or X, or a non-trivial collision between X and X. We have Coll = i,j Coll i,j and so a union bound gives P r[coll] P r[coll i,j ] = i,j:i<j P r[coll i,j ] = ( q )P r[coll i,j ] q2 2 2. P r[coll i,j] (4) Now let X = (x 1,..., x l ) and X = (x 1,..., x l ) and let t be the largest integer such that (x 1,..., x t ) = (x 1,..., x t). Computation of g on these fields yields (I 1.... I t ) = (I 1.... I t). We fix the values of g in following 2l 2 steps:- i. Steps 1 through t 1 (if t > 1): In each step i, choose a uniform value for g(i i ), thus defining I i+1 and I i+1 (which are equal). ii. Step t: Choose a uniform value for g(i t ), thus defining I t+1 and I t+1. 3-5

iii. Steps t + 1 to l 1 (if t < l 1): Choose, in turn, uniform values for each of g(i t+1 ), g(i t+2 ),..., g(i l 1 ), thus defining I t+2, I i+3,..., I l. iv. Steps l to 2l 2 (if t < l 1): Choose, in turn, uniform values for each of g(i t+1 ), g(i t+2 ),..., g(i l 1 ), thus defining I t+2, I t+3,..., I l. Let Coll(k) be the event that a non-trivial collision occurs by step k. Then, 2l 2 P r[coll i,j ] = P r[ k Coll(k)] P r[coll(1)]+ P r[coll(k) Coll(k 1)] (5) For k < t, we claim P r[coll(k) Coll(k 1)] = k/2 n because if no collision has occured by step k 1, then g(i k ) is chosen uniformly in step k. Also, a non trivial collision occurs only if it happens that I k=1 = g(i k ) x k+1 is equal to one of {I 1,..., I k } which are all distinct. Similarly, for k > t, we have that P r[coll(k) Coll(k 1)] = (k + 1)/2 n. By similar reasoning, we have that P r[coll(t) Coll(t 1)] = 2t/2 n. Using equation (5), we have From (4) and (6), we get P r[coll i,j ] 2 n. ( t 1 k=2 k + 2t + k=1 2l 1 = 2 n. k k=2 2l 2 k=t+1 (k + 1) = 2 n. (2l + 1). (l 1) < 2l 2. 2 n ) (6) Using (3) and (7), we get P r[coll] < q2 l 2 2 n = δ. (7) P r[ i : CBC g (X i ) = t i ] P r[ i : CBC g (X i ) = t i Coll]. P r[coll] = 2 nq. P r[coll] (1 δ). 2 nq (8) This proves claim 8.2. 3-6

7. We now show that the smoothness implies Theorem 8.1. For distinct X 1,..., X q ({0, 1} n ) and arbitrary t 1,..., t q {0, 1} n, we have This implies that P r[d CBCg(.) (1 n ) = 1] = q P r[ i : CBC g (X i ) = t i ] i=1 (1 δ). q P r[ i : f(x i ) = t i ] i=1 = (1 δ). P r[d f(.) (1 n ) = 1] P r[d f(.) (1 n ) = 1] P r[d CBCg(.) (1 n ) = 1] δ. P r[d f(.) (1 n ) = 1] δ. This proves our Theorem 8.1. 3-7

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback