Hash functions: MAC / HMAC


Hash functions: MAC / HMAC

Outline
Message Authentication Codes
Keyed hash families
Unconditionally secure MACs

Ref: D. Stinson, Cryptography: Theory and Practice (3rd ed.), Chap. 4.

Universal hash families

Notation:
$X$ is a set of possible messages.
$Y$ is a finite set of possible message digests (or authentication tags).
$F^{X,Y}$ is the set of all functions from $X$ to $Y$.

Definition 4.1: A keyed hash family is a four-tuple $F = (X, Y, \mathcal{K}, H)$ where the following conditions are satisfied:
$\mathcal{K}$, the keyspace, is a finite set of possible keys;
$H$, the hash family, is a finite set of at most $|\mathcal{K}|$ hash functions;
for each $K \in \mathcal{K}$ there is a hash function $h_K \in H$, with $h_K : X \to Y$.

Compression functions: $X$ is a finite set with $N = |X|$, e.g. $X = \{0,1\}^{k+r}$ and $N = 2^{k+r}$; $Y$ is a finite set with $M = |Y|$, e.g. $Y = \{0,1\}^r$ and $M = 2^r$. Then $|F^{X,Y}| = M^N$, and $F$ is called an $(N, M)$-hash family.

Random Oracle Model

A model used to analyze the probability of computing a preimage, a second preimage or a collision. In this model a hash function $h : X \to Y$ is chosen randomly from $F^{X,Y}$, and the only way to compute a value $h(x)$ is to query the oracle.

THEOREM 4.1: Suppose that $h \in F^{X,Y}$ is chosen randomly, and let $X_0 \subseteq X$. Suppose that the values $h(x)$ have been determined (by querying an oracle for $h$) if and only if $x \in X_0$. Then, for all $x \in X \setminus X_0$ and all $y \in Y$, $\Pr[h(x) = y] = 1/M$.

Algorithms in the Random Oracle Model

Randomized algorithms make random choices during their execution. A Las Vegas algorithm is a randomized algorithm that may fail to give an answer, but if it does return an answer, the answer must be correct.

A randomized algorithm has average-case success probability $\varepsilon$ if the probability that the algorithm returns a correct answer, averaged over all problem instances of a specified size, is at least $\varepsilon$ ($0 \le \varepsilon < 1$): for $x$ chosen uniformly among all inputs of size $s$, $\Pr[\mathrm{Algo}(x) \text{ is correct}] \ge \varepsilon$.

An $(\varepsilon, q)$-algorithm is a Las Vegas algorithm whose average-case success probability is at least $\varepsilon$ and which makes at most $q$ oracle queries.

Example of an $(\varepsilon, q)$-algorithm

Algorithm 4.1: FIND-PREIMAGE$(h, y, q)$
  choose any $X_0 \subseteq X$ with $|X_0| = q$
  for each $x \in X_0$ do
    if $h(x) = y$ then return $(x)$
  return (failure)

THEOREM 4.2: For any $X_0 \subseteq X$ with $|X_0| = q$, the average-case success probability of Algorithm 4.1 is $\varepsilon = 1 - (1 - 1/M)^q$. Algorithm 4.1 is therefore a $\big(1 - (1 - 1/M)^q,\ q\big)$-algorithm.

Proof: Let $y \in Y$ be fixed and let $X_0 = \{x_1, x_2, \dots, x_q\}$. The algorithm succeeds iff there exists $i$ such that $h(x_i) = y$. For $1 \le i \le q$, let $E_i$ denote the event $h(x_i) = y$. The $E_i$ are independent events and, by Theorem 4.1, $\Pr[E_i] = 1/M$ for all $1 \le i \le q$. Therefore
$$\Pr[E_1 \vee E_2 \vee \dots \vee E_q] = 1 - \left(1 - \frac{1}{M}\right)^{q} .$$
The success probability of Algorithm 4.1 for any fixed $y$ is constant, so the success probability averaged over all $y \in Y$ is identical.

Message Authentication Codes

One common way of constructing a MAC is to incorporate a secret key into an unkeyed hash function. Suppose we construct a keyed hash function $h_K$ from an unkeyed iterated hash function $h$ by defining $IV = K$ and keeping this initial value secret (as in Stinson's example, the iterated scheme is assumed to have no output transformation).

Attack: the adversary can compute a valid tag for a new message without knowing $K$ (and hence without knowing the IV), with a $(1,1)$-forger (the notion of an $(\varepsilon, q)$-forger is defined below):
  Let $t$ be the block size of the iterated scheme.
  Choose any $x$ and query the oracle once to obtain $z_r = h_K(x)$, where $x \| \mathrm{pad}(x) = y_1 \| \dots \| y_r$.
  Let $x' = x \| \mathrm{pad}(x) \| w$, where $w$ is any bitstring of length $t$.
  Let $y' = x' \| \mathrm{pad}(x') = x \| \mathrm{pad}(x) \| w \| \mathrm{pad}(x') = y_1 \| \dots \| y_r \| y_{r+1} \| \dots \| y_{r'}$ (the padding rule is public).
  Run the iterated scheme, starting from the known chaining value $z_r$, over the remaining blocks $w \| \mathrm{pad}(x')$ (the compression function is public) and return the result as the tag of $x'$.
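The following is an added example, not code from the original slides or from Stinson's book: a Python simulation of Algorithm 4.1 in the random oracle model. The oracle is modelled as a lazily sampled random function (each $h(x)$ is drawn uniformly from $Y$ the first time it is queried, exactly the situation of Theorem 4.1), and the observed success rate of FIND-PREIMAGE is compared with the value $1 - (1 - 1/M)^q$ of Theorem 4.2. The sizes $N$, $M$, $q$, the trial count and the seed are arbitrary choices made for the demonstration.

```python
import random


def find_preimage(h, y, X0):
    """Algorithm 4.1: query the oracle h on the q points of X0 and return a
    preimage of y if one is found, else None (failure)."""
    for x in X0:
        if h(x) == y:
            return x
    return None


def theoretical_success(M, q):
    """Theorem 4.2: epsilon = 1 - (1 - 1/M)^q."""
    return 1.0 - (1.0 - 1.0 / M) ** q


def empirical_success(N, M, q, trials, seed=1):
    """Random oracle model: each trial draws a fresh random function
    h: X -> Y (values fixed the first time a point is queried), picks a
    target y, and runs Algorithm 4.1 with q distinct queries.
    Returns the fraction of trials in which a preimage was found."""
    rng = random.Random(seed)          # seeded so the demo is reproducible
    successes = 0
    for _ in range(trials):
        table = {}                     # the oracle's memory for this trial

        def h(x):
            # Theorem 4.1: an unqueried point is uniform over Y (M values)
            if x not in table:
                table[x] = rng.randrange(M)
            return table[x]

        y = rng.randrange(M)
        X0 = rng.sample(range(N), q)   # any q distinct points of X
        if find_preimage(h, y, X0) is not None:
            successes += 1
    return successes / trials


if __name__ == "__main__":
    M, q = 256, 100
    print("theory   :", theoretical_success(M, q))
    print("empirical:", empirical_success(N=2 ** 16, M=M, q=q, trials=2000))
```

With $M = 256$ and $q = 100$ the theorem predicts about $0.32$; the simulation lands within sampling error of that. Taking $q = M$ gives $\varepsilon \approx 1 - 1/e$, which is why "$2^{r}$ work" is the usual preimage cost quoted for an $r$-bit digest.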

Message Authentication Codes (continued)

Assume the Merkle–Damgård iterated scheme is used and let $z_r = h_K(x)$. The adversary computes
$$z_{r+1} = \mathrm{compress}(z_r \| y_{r+1}),\quad z_{r+2} = \mathrm{compress}(z_{r+1} \| y_{r+2}),\quad \dots,\quad z_{r'} = \mathrm{compress}(z_{r'-1} \| y_{r'})$$
and returns $z_{r'}$, which satisfies $z_{r'} = h_K(x')$. (This is the length-extension attack on secret-IV and secret-prefix constructions; it is the reason HMAC applies a second keyed hash to the inner result.)

Def: an $(\varepsilon, q)$-forger is an adversary who queries messages $x_1, \dots, x_q$ (obtaining their tags) and then outputs a valid pair $(x, y)$ with $x \notin \{x_1, \dots, x_q\}$, i.e. a forgery $(x, h_K(x))$, with probability at least $\varepsilon$.

Nested MACs and HMAC

A nested MAC builds a MAC algorithm from the composition of two hash families $(X, Y, \mathcal{K}, G)$ and $(Y, Z, \mathcal{L}, H)$. The composition is $(X, Z, \mathcal{M}, G \circ H)$ where
$\mathcal{M} = \mathcal{K} \times \mathcal{L}$,
$G \circ H = \{\, g \circ h : g \in G,\ h \in H \,\}$, and
$(g \circ h)_{(K,L)}(x) = h_L(g_K(x))$ for all $x \in X$.

The nested MAC is secure if
$(Y, Z, \mathcal{L}, H)$ is secure as a MAC, given a fixed (secret) key, and
$(X, Y, \mathcal{K}, G)$ is collision-resistant, given a fixed (secret) key.
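The length-extension attack above, carried out on a concrete Merkle–Damgård hash, as an added example that is not part of the original slides: a compact SHA-1 written from scratch (the standard library's `hashlib` does not expose the chaining state, which the attacker needs), the flawed secret-prefix MAC $\mathrm{tag} = \text{SHA-1}(K \| x)$, and the forgery of a tag for $x \| \mathrm{pad} \| w$ from the tag of $x$ alone. The attacker is assumed to know the key length (in practice one simply tries all plausible lengths); the key and messages are constructed for the demo.

```python
import struct

IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def _sha1_compress(state, block):
    """One Merkle-Damgard step: compress(z_{i-1} || y_i) for a 64-byte block."""
    w = list(struct.unpack('>16I', block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = ((_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF,
                         a, _rotl(b, 30), c, d)
    return tuple((s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d, e)))


def sha1_pad(msg_len):
    """MD-strengthening: 0x80, zeros to 56 mod 64, then the bit length (big-endian).
    Depends only on the length, so the attacker can compute pad(K || x) from |K|."""
    return b'\x80' + b'\x00' * ((55 - msg_len) % 64) + struct.pack('>Q', msg_len * 8)


def sha1(data, state=IV, prior_len=0):
    """SHA-1 of data. With `state` and `prior_len` set, continues from a chaining
    value that already absorbed prior_len bytes (prior_len must be a multiple of 64);
    no output transformation, so the digest *is* the chaining value."""
    padded = data + sha1_pad(prior_len + len(data))
    for i in range(0, len(padded), 64):
        state = _sha1_compress(state, padded[i:i + 64])
    return struct.pack('>5I', *state)


def secret_prefix_mac(key, x):
    """The flawed construction: tag = SHA-1(K || x), i.e. a secret IV derived from K."""
    return sha1(key + x)


def length_extend(tag, x, key_len, w):
    """Forge, knowing only tag = SHA-1(K || x), |K| and the public padding rule,
    the tag of x' = x || pad(K || x) || w. Returns (x', forged_tag)."""
    glue = sha1_pad(key_len + len(x))              # pad(x) in the slide's notation
    state = struct.unpack('>5I', tag)              # z_r: the leaked chaining value
    forged_msg = x + glue + w
    forged_tag = sha1(w, state, key_len + len(x) + len(glue))   # z_{r+1} .. z_{r'}
    return forged_msg, forged_tag


if __name__ == "__main__":
    key = b'constructed-key!'                      # unknown to the attacker
    x = b'amount=100&to=alice'
    tag = secret_prefix_mac(key, x)
    msg, forged = length_extend(tag, x, len(key), b'&to=mallory')
    print("forgery verifies:", forged == secret_prefix_mac(key, msg))
```

The forged message carries the glue padding in the middle; in real deployments that is rarely fatal, because parsers such as query-string handlers take the last occurrence of a key and ignore the binary junk before it.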

Nested MACs and HMAC: three adversaries

A forger for the nested MAC (big MAC attack): $(K, L)$ is chosen and kept secret. The adversary chooses messages $x$ and queries a big (nested) MAC oracle for values of $h_L(g_K(x))$, then outputs $(x', z)$ such that $z = h_L(g_K(x'))$, where $x'$ was not queried.

A forger for the little MAC (little MAC attack), on $(Y, Z, \mathcal{L}, H)$: $L$ is chosen and kept secret. The adversary chooses values $y$ and queries a little MAC oracle for values of $h_L(y)$, then outputs $(y', z)$ such that $z = h_L(y')$, where $y'$ was not queried.

A collision-finder for the hash function when the key is secret (unknown-key collision attack), on $(X, Y, \mathcal{K}, G)$: $K$ is secret. The adversary chooses messages $x$ and queries a hash oracle for values of $g_K(x)$, then outputs $x', x''$ such that $x' \ne x''$ and $g_K(x') = g_K(x'')$.

Nested MACs and HMAC

THEOREM 4.9: Suppose $(X, Z, \mathcal{M}, G \circ H)$ is a nested MAC. Suppose there does not exist an $(\varepsilon_1, q+1)$-collision attack for a randomly chosen function $g_K \in G$ when the key $K$ is secret. Further, suppose that there does not exist an $(\varepsilon_2, q)$-forger for a randomly chosen function $h_L \in H$ where $L$ is secret. Finally, suppose there exists an $(\varepsilon, q)$-forger for the nested MAC, for a randomly chosen function $(g \circ h)_{(K,L)} \in G \circ H$. Then $\varepsilon \le \varepsilon_1 + \varepsilon_2$.

Proof: The nested-MAC forger queries $x_1, \dots, x_q$ to a big MAC oracle, gets $(x_1, z_1), \dots, (x_q, z_q)$, and outputs a valid pair $(x, z)$ with $x \notin \{x_1, \dots, x_q\}$.

Use it to build an unknown-key collision attack: make the $q+1$ queries $x, x_1, \dots, x_q$ to a hash oracle for $g_K$ and obtain $y = g_K(x)$, $y_1 = g_K(x_1)$, ..., $y_q = g_K(x_q)$. If $y \in \{y_1, \dots, y_q\}$, say $y = y_i$, then $(x, x_i)$ is a collision for $g_K$. Since no $(\varepsilon_1, q+1)$-collision attack exists, this case occurs with probability less than $\varepsilon_1$.

Otherwise $y \notin \{y_1, \dots, y_q\}$ and $(y, z)$ is a valid pair for the little MAC: the $q$ little MAC queries $y_1, \dots, y_q$ give $(y_1, z_1), \dots, (y_q, z_q)$ (which is exactly what the big MAC oracle would have answered, so they can be fed to the nested-MAC forger), and the attack outputs $(y, z)$. The probability that $(x, z)$ is valid and $y \notin \{y_1, \dots, y_q\}$ is at least $\varepsilon - \varepsilon_1$. The success probability of any little MAC attack is at most $\varepsilon_2$, so $\varepsilon_2 \ge \varepsilon - \varepsilon_1$, i.e. $\varepsilon \le \varepsilon_1 + \varepsilon_2$.

Nested MACs and HMAC

HMAC is a nested MAC algorithm that was proposed as a FIPS standard (it is now FIPS PUB 198). With SHA-1 as the underlying hash:
$$\mathrm{HMAC}_K(x) = \text{SHA-1}\big( (K \oplus \mathrm{opad}) \,\|\, \text{SHA-1}\big( (K \oplus \mathrm{ipad}) \,\|\, x \big) \big)$$
where $x$ is the message, $K$ is a 512-bit key, $\mathrm{ipad} = 3636\ldots36$ (512 bits) and $\mathrm{opad} = 5C5C\ldots5C$ (512 bits). The inner keyed hash $x \mapsto \text{SHA-1}((K \oplus \mathrm{ipad}) \| x)$ plays the role of $g_K$, and the outer keyed hash plays the role of the little MAC $h_L$; because the outer hash is keyed, an attacker who extends the inner hash cannot produce the outer value.

CBC-MAC

Cryptosystem 4.2: CBC-MAC$(x, K)$
  denote $x = x_1 \| \dots \| x_n$, where each $x_i$ is a bitstring of length $t$
  $IV \leftarrow 00\ldots0$ ($t$ zeroes)
  $y_0 \leftarrow IV$
  for $i \leftarrow 1$ to $n$ do $y_i \leftarrow e_K(y_{i-1} \oplus x_i)$
  return $(y_n)$
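The HMAC construction above written out in Python, as an added example that is not from the original slides: the two keyed SHA-1 calls with ipad/opad, the key preprocessing that the slide's "512-bit key" glosses over (RFC 2104: a shorter key is zero-padded to the block size, a longer one is hashed first), a constant-time verifier, and a self-check against the standard library's `hmac` module. Sample keys and messages are constructed for the demo.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-1 block size in bytes (512 bits)


def hmac_sha1(key, msg):
    """HMAC_K(x) = SHA-1((K' xor opad) || SHA-1((K' xor ipad) || x)), where K' is the
    key brought to exactly one block (RFC 2104 / FIPS 198 key preprocessing)."""
    if len(key) > BLOCK:
        key = hashlib.sha1(key).digest()          # long key: hash it down first
    k = key.ljust(BLOCK, b'\x00')                 # short key: zero-pad to 512 bits
    ipad = bytes(b ^ 0x36 for b in k)             # K xor 3636...36
    opad = bytes(b ^ 0x5C for b in k)             # K xor 5C5C...5C
    inner = hashlib.sha1(ipad + msg).digest()     # g_K(x): the inner keyed hash
    return hashlib.sha1(opad + inner).digest()    # h_L(g_K(x)): the little MAC


def verify(key, msg, tag):
    """Tag check in constant time; a plain == leaks the first differing byte via timing."""
    return hmac.compare_digest(hmac_sha1(key, msg), tag)


def matches_stdlib(key, msg):
    """Cross-check against the standard library for the given key length."""
    return hmac_sha1(key, msg) == hmac.new(key, msg, hashlib.sha1).digest()


if __name__ == "__main__":
    # RFC 2202 test case 1 (constructed test vector, published in the RFC)
    print(hmac_sha1(b'\x0b' * 20, b'Hi There').hex())
    for key in (b'short', b'k' * 64, b'k' * 200):
        print(len(key), "byte key matches hashlib/hmac:", matches_stdlib(key, b'msg'))
```

Note that the key-hashing rule means a 200-byte key and its 20-byte SHA-1 digest are equivalent keys; that is harmless for HMAC's security but worth knowing when auditing key-management code that assumes distinct byte strings are distinct keys.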

CBC-MAC: a $(1/2, O(2^{t/2}))$-forger (birthday attack)

Take $n \ge 3$ and $q \approx 1.17 \cdot 2^{t/2}$ queries. Let $x_3, \dots, x_n$ be fixed bitstrings of length $t$. Choose any $q$ distinct bitstrings of length $t$, $x_{1,1}, \dots, x_{1,q}$, and randomly choose $x_{2,1}, \dots, x_{2,q}$. Define $x_{l,i} = x_l$ for $1 \le i \le q$ and $3 \le l \le n$, and $x_i = x_{1,i} \| x_{2,i} \| \dots \| x_{n,i}$ for $1 \le i \le q$. Then $x_i \ne x_j$ if $i \ne j$, because $x_{1,i} \ne x_{1,j}$. The adversary requests the MACs of $x_1, x_2, \dots, x_q$.

In the computation of the MAC of each $x_i$, the values $y_{0,i}, \dots, y_{n,i}$ are computed, and $y_{n,i}$ is the resulting MAC. Now suppose that $x_i$ and $x_j$ have identical MACs (by the birthday paradox this happens with probability about $1/2$ for $q \approx 1.17 \cdot 2^{t/2}$). Since blocks $3, \dots, n$ are the same for all messages and $e_K$ is a permutation, $h_K(x_i) = h_K(x_j)$ if and only if $y_{2,i} = y_{2,j}$, which happens if and only if $y_{1,i} \oplus x_{2,i} = y_{1,j} \oplus x_{2,j}$.

Let $x_\delta$ be any bitstring of length $t$ and define
$$v = x_{1,i} \| (x_{2,i} \oplus x_\delta) \| x_3 \| \dots \| x_n, \qquad w = x_{1,j} \| (x_{2,j} \oplus x_\delta) \| x_3 \| \dots \| x_n .$$
The adversary requests the MAC of $v$. Since $y_{1,i} \oplus x_{2,i} \oplus x_\delta = y_{1,j} \oplus x_{2,j} \oplus x_\delta$, the inputs to $e_K$ at step 2 coincide, so $v$ and $w$ have identical MACs and the adversary has obtained the MAC of the unqueried message $w$: $h_K(w) = h_K(v)$.
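The birthday forgery above run end to end, as an added example that is not from the original slides. To keep $2^{t/2}$ small the block cipher $e_K$ is a toy 16-bit Feistel permutation built from SHA-256 (an assumption for the demo; the attack treats $e_K$ as a black box and works identically against AES with $t = 128$, only with $2^{64}$ queries). Key, tail blocks and seed are constructed values.

```python
import hashlib
import random

T = 16  # toy block size in bits: 2^(t/2) = 256, so ~300 queries collide with prob ~1/2


def toy_block_cipher(key, block):
    """A keyed permutation e_K on 16-bit blocks: 4-round Feistel network whose
    round function is SHA-256 keyed by `key`. Not a real cipher; stands in for AES."""
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd, right])).digest()[0]
        left, right = right, left ^ f
    return (left << 8) | right


def cbc_mac(key, blocks):
    """Cryptosystem 4.2: y_0 = 0, y_i = e_K(y_{i-1} xor x_i), tag = y_n."""
    y = 0
    for x in blocks:
        y = toy_block_cipher(key, y ^ x)
    return y


def forge(key, q, n=3, seed=7):
    """Birthday forgery against n-block CBC-MAC. Queries q messages
    x_i = x_{1,i} || x_{2,i} || x_3 .. x_n with distinct x_{1,i} and random x_{2,i}.
    A tag collision between x_i and x_j means y_{1,i} xor x_{2,i} = y_{1,j} xor x_{2,j},
    so xoring the same delta into both second blocks keeps the tags equal.
    Returns (w, tag_of_w, queried_messages) or None if no collision appeared."""
    rng = random.Random(seed)
    tail = tuple(rng.randrange(1 << T) for _ in range(n - 2))   # fixed x_3 .. x_n
    first = rng.sample(range(1 << T), q)                          # distinct x_{1,i}
    second = [rng.randrange(1 << T) for _ in range(q)]            # random x_{2,i}
    seen = {}            # tag -> index, to detect a collision among oracle answers
    queried = set()      # everything the adversary asked the MAC oracle about
    for i in range(q):
        x_i = (first[i], second[i], *tail)
        queried.add(x_i)
        tag = cbc_mac(key, x_i)                  # oracle query number i+1
        if tag in seen:
            j = seen[tag]
            delta = rng.randrange(1, 1 << T)     # any non-zero x_delta
            v = (first[i], second[i] ^ delta, *tail)
            w = (first[j], second[j] ^ delta, *tail)
            queried.add(v)
            tag_v = cbc_mac(key, v)              # one final oracle query
            return w, tag_v, queried             # h_K(w) = h_K(v), w never queried
        seen[tag] = i
    return None


if __name__ == "__main__":
    key = b'constructed-key'
    result = forge(key, q=300)
    if result is None:
        print("no collision this time (expected about half of the runs at q=300)")
    else:
        w, tag, queried = result
        print("forged tag for unqueried message", w, "valid:", cbc_mac(key, w) == tag)
```

Because the forged message differs from the queried ones only in the first two blocks, this is exactly the attack that fixed-length CBC-MAC cannot prevent by design; it is the reason CMAC and similar variants still carry a $2^{t/2}$ birthday bound and why 64-bit block ciphers are unsuitable for high-volume MACs.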

4.5 Unconditionally Secure MACs (Skip this section!!)

In an unconditionally secure MAC a key is used to produce only one authentication tag, so an adversary makes at most one query.

Deception probability $Pd_q$: the maximum value of $\varepsilon$ such that an $(\varepsilon, q)$-forger exists, for $q = 0, 1$. With $K_0$ the (uniformly random) secret key, define
$$\mathrm{payoff}(x, y) = \Pr[y = h_{K_0}(x)] .$$

Impersonation attack (an $(\varepsilon, 0)$-forger):
$$Pd_0 = \max\{\, \mathrm{payoff}(x, y) : x \in X,\ y \in Y \,\} \qquad (4.1)$$

Substitution attack (an $(\varepsilon, 1)$-forger): the adversary queries $x \in X$ and receives the reply $y \in Y$. The probability that $(x', y')$ is valid, for $x' \in X$ with $x' \ne x$ and $y' \in Y$, is
$$\mathrm{payoff}(x', y'; x, y) = \Pr[y' = h_{K_0}(x') \mid y = h_{K_0}(x)] = \frac{|\{K \in \mathcal{K} : h_K(x') = y',\ h_K(x) = y\}|}{|\{K \in \mathcal{K} : h_K(x) = y\}|} .$$
Let $V = \{ (x, y) : |\{K \in \mathcal{K} : h_K(x) = y\}| \ge 1 \}$ be the set of valid pairs. Then
$$Pd_1 = \max\{\, \mathrm{payoff}(x', y'; x, y) : x, x' \in X,\ y, y' \in Y,\ (x, y) \in V,\ x' \ne x \,\} \qquad (4.2)$$

Unconditionally Secure MACs

Example 4.1: $X = Y = \mathbb{Z}_3$ and $\mathcal{K} = \mathbb{Z}_3 \times \mathbb{Z}_3$. For each $K = (a, b) \in \mathcal{K}$ and each $x \in X$, $h_{(a,b)}(x) = ax + b \bmod 3$, and $H = \{ h_{(a,b)} : (a, b) \in \mathbb{Z}_3 \times \mathbb{Z}_3 \}$.

Authentication matrix (rows: key $(a, b)$; columns: $x = 0, 1, 2$; entries: $h_{(a,b)}(x)$):

Key     x=0  x=1  x=2
(0,0)    0    0    0
(0,1)    1    1    1
(0,2)    2    2    2
(1,0)    0    1    2
(1,1)    1    2    0
(1,2)    2    0    1
(2,0)    0    2    1
(2,1)    1    0    2
(2,2)    2    1    0

$Pd_0 = 1/3$: in every column each value of $Y$ appears in exactly 3 of the 9 rows, so $\mathrm{payoff}(x, y) = 3/9$ for all $(x, y)$.

$Pd_1 = 1/3$: suppose the adversary queries $x = 0$ and receives the answer $y = 0$. The possible keys are $K_0 \in \{(0,0), (1,0), (2,0)\}$. The pair $(1, 1)$ is valid iff $K_0 = (1, 0)$, and the probability that $K_0$ is this key is $1/3$; the same holds for every other choice of $(x, y)$ and $(x', y')$.

Strongly Universal Hash Families

Definition 4.2: Suppose that $(X, Y, \mathcal{K}, H)$ is an $(N, M)$-hash family. This hash family is strongly universal provided that the following condition is satisfied for every $x, x' \in X$ such that $x \ne x'$, and for every $y, y' \in Y$:
$$|\{K \in \mathcal{K} : h_K(x) = y,\ h_K(x') = y'\}| = \frac{|\mathcal{K}|}{M^2} .$$
Example 4.1 is a strongly universal $(3,3)$-hash family.

Unconditionally Secure MACs

LEMMA 4.10: Suppose that $(X, Y, \mathcal{K}, H)$ is a strongly universal $(N, M)$-hash family. Then
$$|\{K \in \mathcal{K} : h_K(x) = y\}| = \frac{|\mathcal{K}|}{M}$$
for every $x \in X$ and every $y \in Y$.

Proof: Fix $x, x' \in X$ with $x \ne x'$ and $y \in Y$. Every key with $h_K(x) = y$ sends $x'$ to exactly one $y' \in Y$, so
$$|\{K \in \mathcal{K} : h_K(x) = y\}| = \sum_{y' \in Y} |\{K \in \mathcal{K} : h_K(x) = y,\ h_K(x') = y'\}| = M \cdot \frac{|\mathcal{K}|}{M^2} = \frac{|\mathcal{K}|}{M} .$$

THEOREM 4.11: Suppose that $(X, Y, \mathcal{K}, H)$ is a strongly universal $(N, M)$-hash family. Then $(X, Y, \mathcal{K}, H)$ is an authentication code with $Pd_0 = Pd_1 = 1/M$.

Proof: From Lemma 4.10, $\mathrm{payoff}(x, y) = (|\mathcal{K}|/M)\,/\,|\mathcal{K}| = 1/M$ for every $x \in X$ and $y \in Y$, so $Pd_0 = 1/M$. For $x, x' \in X$ with $x \ne x'$ and $y, y' \in Y$ with $(x, y) \in V$,
$$\mathrm{payoff}(x', y'; x, y) = \frac{|\{K \in \mathcal{K} : h_K(x') = y',\ h_K(x) = y\}|}{|\{K \in \mathcal{K} : h_K(x) = y\}|} = \frac{|\mathcal{K}|/M^2}{|\mathcal{K}|/M} = \frac{1}{M} .$$
Therefore $Pd_1 = 1/M$.

Unconditionally Secure MACs

THEOREM 4.12: Let $p$ be prime. For $a, b \in \mathbb{Z}_p$, define $f_{(a,b)} : \mathbb{Z}_p \to \mathbb{Z}_p$ by the rule
$$f_{(a,b)}(x) = ax + b \bmod p .$$
Then $(\mathbb{Z}_p, \mathbb{Z}_p, \mathbb{Z}_p \times \mathbb{Z}_p, \{ f_{(a,b)} : a, b \in \mathbb{Z}_p \})$ is a strongly universal $(p, p)$-hash family.

Proof: Let $x, x', y, y' \in \mathbb{Z}_p$ with $x \ne x'$. We count the keys $(a, b)$ with
$$ax + b \equiv y \pmod p \quad\text{and}\quad ax' + b \equiv y' \pmod p .$$
Subtracting the two congruences gives $a(x - x') \equiv y - y' \pmod p$, hence
$$a = (y - y')(x - x')^{-1} \bmod p, \qquad b = y - x\,(y - y')(x - x')^{-1} \bmod p$$
(note that $(x - x')^{-1} \bmod p$ exists because $x \not\equiv x' \pmod p$ and $p$ is prime). The system therefore has exactly one solution $(a, b)$, and $1 = p^2 / p^2 = |\mathcal{K}| / M^2$, as Definition 4.2 requires.
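Definition 4.2, the payoff definitions (4.1)/(4.2) and Theorem 4.12 checked by exhaustive counting, as an added example that is not from the original slides. The code builds the affine family $f_{(a,b)}(x) = ax + b \bmod p$ for a given prime, verifies the strongly universal counting condition for every $x \ne x'$ and every $y, y'$, and computes $Pd_0$ and $Pd_1$ directly from the definitions with exact fractions (so the result $1/p$ is checked, not approximated). The family is small enough that brute force over the keyspace is the honest way to do it; nothing here relies on the theorem itself.

```python
from fractions import Fraction
from itertools import product


def affine_family(p):
    """Theorem 4.12: keys (a, b) in Z_p x Z_p and h_(a,b)(x) = ax + b mod p."""
    keys = list(product(range(p), repeat=2))

    def h(key, x):
        a, b = key
        return (a * x + b) % p

    return keys, h


def is_strongly_universal(keys, h, X, Y):
    """Definition 4.2: |{K : h_K(x)=y, h_K(x')=y'}| = |K|/M^2 for all x != x', y, y'."""
    M = len(Y)
    target = Fraction(len(keys), M * M)
    for x, xp in product(X, repeat=2):
        if x == xp:
            continue
        for y, yp in product(Y, repeat=2):
            count = sum(1 for K in keys if h(K, x) == y and h(K, xp) == yp)
            if count != target:
                return False
    return True


def deception_probabilities(keys, h, X, Y):
    """Pd_0 (4.1) and Pd_1 (4.2) computed from the payoff definitions,
    with the secret key K_0 uniform over the keyspace."""
    nkeys = len(keys)

    def payoff0(x, y):                      # Pr[y = h_{K_0}(x)]
        return Fraction(sum(1 for K in keys if h(K, x) == y), nkeys)

    def payoff1(xp, yp, x, y):              # Pr[y' = h_{K_0}(x') | y = h_{K_0}(x)]
        num = sum(1 for K in keys if h(K, x) == y and h(K, xp) == yp)
        den = sum(1 for K in keys if h(K, x) == y)
        return Fraction(num, den)

    pd0 = max(payoff0(x, y) for x in X for y in Y)
    pd1 = max(payoff1(xp, yp, x, y)
              for x in X for y in Y if payoff0(x, y) > 0      # (x, y) in V
              for xp in X if xp != x
              for yp in Y)
    return pd0, pd1


if __name__ == "__main__":
    for p in (3, 5, 7):
        keys, h = affine_family(p)
        X = Y = range(p)
        print(p, is_strongly_universal(keys, h, X, Y), deception_probabilities(keys, h, X, Y))
```

Dropping the additive key ($b = 0$ only) gives the family $x \mapsto ax$, which is not strongly universal: $x = 0$ always hashes to $0$, so an impersonator wins with $Pd_0 = 1$. The same functions reproduce that failure, which is a useful sanity check that the counting code is not trivially returning $1/M$.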