Notes for Lecture 9. 1 Combining Encryption and Authentication

Similar documents
U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Lecture 14: Cryptographic Hash Functions

Introduction to Cryptography

Avoiding collisions Cryptographic hash functions. Table of contents

1 Cryptographic hash functions

Avoiding collisions Cryptographic hash functions. Table of contents

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Lecture 15: Message Authentication

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

12 Hash Functions Defining Security

Block Ciphers/Pseudorandom Permutations

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

CPSC 467: Cryptography and Computer Security

Leftovers from Lecture 3

CPSC 467: Cryptography and Computer Security

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

2 Message authentication codes (MACs)

CPSC 467: Cryptography and Computer Security

Foundations of Network and Computer Security

Lecture 10: NMAC, HMAC and Number Theory

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

1 Cryptographic hash functions

Cryptography CS 555. Topic 13: HMACs and Generic Attacks

Solution of Exercise Sheet 7

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

Foundations of Network and Computer Security

ECS 189A Final Cryptography Spring 2011

Notes for Lecture 17

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Introduction to Cybersecurity Cryptography (Part 4)

Authentication. Chapter Message Authentication

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Introduction to Cybersecurity Cryptography (Part 4)

1 Number Theory Basics

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Lecture 10: NMAC, HMAC and Number Theory

New Attacks on the Concatenation and XOR Hash Combiners

An introduction to Hash functions

Foundations of Network and Computer Security

Introduction to Cryptography Lecture 4

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

Lecture 10 - MAC s continued, hash & MAC

Lecture 5, CPA Secure Encryption from PRFs

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

CTR mode of operation

Notes for Lecture 25

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

SPCS Cryptography Homework 13

Block ciphers And modes of operation. Table of contents

Breaking H 2 -MAC Using Birthday Paradox

Lecture 9 - Symmetric Encryption

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Attacks on hash functions. Birthday attacks and Multicollisions

Modern Cryptography Lecture 4

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Lecture 1. Crypto Background

Public-key Cryptography: Theory and Practice

Constructing secure MACs Message authentication in action. Table of contents

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

1 Maintaining a Dictionary

Chapter 5. Hash Functions. 5.1 The hash function SHA1

Computational security & Private key encryption

CPA-Security. Definition: A private-key encryption scheme

Cryptographic Hash Functions

Provable Security in Symmetric Key Cryptography

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

CS 6260 Applied Cryptography

Lecture 7: CPA Security, MACs, OWFs

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Week 12: Hash Functions and MAC

On High-Rate Cryptographic Compression Functions

Lecture 5: Pseudorandom functions from pseudorandom generators

Perfectly-Crafted Swiss Army Knives in Theory

H Definition - hash function. Cryptographic Hash Functions - Introduction. Cryptographic hash functions. Lars R. Knudsen.

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

5199/IOC5063 Theory of Cryptology, 2014 Fall

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

Notes on Zero Knowledge

Limits on the Efficiency of One-Way Permutation-Based Hash Functions

A survey on quantum-secure cryptographic systems

Cryptographic Protocols Notes 2

A Composition Theorem for Universal One-Way Hash Functions

Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

Post-quantum security models for authenticated encryption

Introduction to Information Security

Lattice Cryptography

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Transcription:

U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure encryption with a secure MAC gives a CCA-secure encryption scheme. Today we shall see that such a combination has to be done carefully, or the security guarantee on the combined encryption scheme will not hold. We then begin to talk about cryptographic hash functions, and their construction via the Merkle-Damgård transform. 1 Combining Encryption and Authentication 1.1 Encrypt-Then-Authenticate Let (E, D) be an encryption scheme and (T ag, V ) be a MAC. Last time we considered their encrypt-then-authenticate combination defined as follows: Construction (E 1, D 1 ) Key: a pair (K 1, K 2 ) where K 1 is a key for (E, D) and K 2 is a key for (T ag, V ) E 1 ((K 1, K 2 ), M): C := E(K 1, M) T := T ag(k 2, C) return (C, T ) D 1 ((K 1, K 2 ), (C, T ): if V (K 2, C, T ) then return D(K 1, C) else return ERROR and we proved that if (E, D) is CPA-secure and (T ag, V ) is existentially unforgeable under a chosen message attack then (E 1, D 1 ) is CCA-secure. Such a result is not provable if (E, D) and (T ag, V ) are combined in different ways. 1

1.2 Encrypt-And-Authenticate Consider the following alternative composition: Construction (E 2, D 2 ) Key: a pair (K 1, K 2 ) where K 1 is a key for (E, D) and K 2 is a key for (T ag, V ) E 2 ((K 1, K 2 ), M) := E(K 1, M), T ag(k 2, M) D 2 ((K 1, K 2 ), (C, T ): M := D(K 1, C) if V (K 2, M, T ) then return M else return ERROR The problem with this construction is that a MAC (T ag, V ) can be secure even if T ag() is deterministic. (E.g. CBC-MAC.) But if the construction (E 2, D 2 ) is instantiated with a deterministic T ag(), then it cannot even guarantee security for 2 encryptions (much less CPA-security or CCA security). A more theoretical problem with this construction is that a MAC (T ag, V ) can be secure even if T ag(k, M) completely gives away M, and in such a case (E 2, D 2 ) is completely broken. 1.3 Authenticate-Then-Encrypt Finally, consider the following scheme: Construction (E 3, D 3 ) Key: a pair (K 1, K 2 ) where K 1 is a key for (E, D) and K 2 is a key for (T ag, V ) E 3 ((K 1, K 2 ), M) : T := T ag(k 2, M) return E(K 1, (M, T )) D 3 ((K 1, K 2 ), C: (M, T ) := D(K 1, C) if V (K 2, M, T ) then return M else return ERROR 2

The problem with this construction is rather subtle. First of all, the major problem of the construction (E 2, D 2 ), in which we lost even security for two encryptions, does not occur. Exercise 1 Show that if (E, D) is (t, ɛ) CPA-secure and E, D, T ag, V all have running time at most r, then (E 3, D 3 ) is (t/o(r), ɛ) CPA secure It is possible, however, that (E, D) is CPA-secure and (T ag, V ) is existentially unforgeable under chosen message attack, and yet (E 3, D 3 ) is not CCA-secure. Suppose that (T ag, V ) is such that, in T ag(k, M), the first bit is ignored in the verification. This seems reasonable in the case that some padding is needed to fill out a network protocol, for example. Further, suppose (E, D) is counter mode with a pseudo-random function, F K1. Take the encryption of M 1,..., M l with keys K 1 and K 2 for E and V, respectively. Pick a random r. Then, by the definition of the encryption scheme in counter mode, the encryption of E, T will be: r, F K1 (r) M 1, F K1 (r+1) M 2,..., F K1 (r+l 1) M l, F K1 (r+l) T 1, F K1 (r+l+1) T 2,... Consider this CCA attack. Let e 1 = (1, 0,..., 0). The attacker sees r, C 1, C 2,..., C l, C l+1,..., C l+c Take e 1 C l+1 (or any of the other tags). Clearly, this is not the original message encryption, as a bit has been changed, so the Oracle will give you a decryption of it in a CCA attack. Since all that was modified in the ciphertext was the first bit, which was padding, the attacker has just used the Oracle to get the original message. 2 Cryptographic Hash Functions 2.1 Definition and Birthday Attack Definition 1 (Collision-Resistant Hash Function) A function H : {0, 1} k {0, 1} L {0, 1} l is a (t, ɛ) secure collision resistant hash function if L > l and for every algorithm A of complexity t we have P[A(s) = (x, x ) : H s (x) = H s (x )] ɛ (1) 3

The idea is that, for every key (or seed) s {0, 1} k we have a length-decreasing function H s : {0, 1} L {0, 1} l. By the pigeon-hole principle, such functions cannot be injective. An efficient algorithm, however, cannot find collisions (pairs of inputs that produce the same output) even given the seed s. The main security parameter in a construction of collision-resistent hash functions (that is, the parameter that one needs to increase in order to hope to achieve larger t and smaller ɛ) is the output length l. It is easy to see that if H has running time r and output length l then we can find collisions in time O(r 2 l ) by computing values of H in any order until we find a collision. (By the pigeon-hole principle, a collision will be found in 2 l + 1 attempts or fewer.) If, specifically, we attack H by trying a sequence of randomly chosen inputs until we find a collision, then we can show that with only 2 l/2 attempts we already have a constant probability of finding a collision. (The presence of a collision can be tested by sorting the outputs. Overall, this takes time O(2 l/2 l + 2 l/2 r) = O(r 2 l/2 ).) The calculation can be generalized to the following: Consider A given H s ( ). Define A as picking m random strings x 1...x m and generating their respective outputs from H s. We want to check the probability P[collision] that H s (x 1 )...H s (x m ) contains a repeated value. However, it is easier to begin by checking the probability of whether the m choices do not contain a collision, P[no collision]: P[no collision] = 1 (1 12 ) l Note that this is a constant if m 2 l/2. (1 22 ) ( 1 l P[collision] = 1 P[no collision] P[no collision] e = e 1 2 l e 2 2 l... e (m 1) 2 l = e 1+2+...+(m 1) 2 l e m2 2 l+1 ) (m 1) 2 l (This calculation is called the birthday paradox, because it establishes that in a set of n elements uniformly distributed, if you pick elements x 1...x n, where x i is uniformally distributed in the set and x i is independent, then there is a constant probability that i, j : x i = x j. Specifically, in the case of birthdays, if there are 23 people in a room, then there is a probability over 1 that two of the people in the 2 room have the same birthday.) Exercise 2 If H : {0, 1} k {0, 1} L {0, 1} l is a (t, ɛ) secure collision resistant hash 4

function computable in time r, then t 2 ɛ O(r 2l ) (2) This should be contrasted with the case of pseudorandom generators and pseudorandom functions, where the security parameter is the seed (or key) length k, and the only known generic attack is the one described in a previous exercise which gives t ɛ O(m2l ) (3) This means that if one wants a (t, ɛ) secure pseudorandom generator or function where, say, t = 2 80 and ɛ = 2 40, then it is somewhat plausible that a key of 128 bits might suffice. The same level of security for a collision-resistant hash function, however, requires a key of at least about 200 bits. To make matters worse, attacks which are significantly faster than the generic birthday attack have been found for the two constructions of hash functions which are most used in practice: MD5 and SHA-1. MD5, which has l = 128, is completely broken by such new attacks. Implementing the new attacks on SHA-1 (which has l = 160) is not yet feasible but is about 1,000 times faster than the birthday attack. There is a process under way to define new standards for collision-resistant hash functions. 2.2 The Merkle-Damgård Transform In practice, it is convenient to have collision-resistant hash functions H : {0, 1} k {0, 1} {0, 1} l in which the input is allowed to be (essentially) arbitrarily long. The Merkle-Damgård transform is a generic way to transform a hash function that has L = 2l into one that is able to handle messages of arbitrary length. Let H : {0, 1} k {0, 1} 2l {0, 1} l a hash functions that compresses by a factor of two. Then HMD s (M) is defined as follows (IV is a fixed l-bit string, for example the all-zero string): Let L be the length of M divide M into blocks M 1,..., M B of length l, where B = L/l h 0 := IV 5

for i := 1 to B : h i := H s (M i, h i 1 ) return H s (L, h B ) We can provide the following security analysis: Theorem 2 If H is (t, ɛ)-secure and has running time r, then H MD (t O(rL/l), ɛ) when used to hash messages of length up to L. has security Proof: Suppose that A, given s, has a probability ɛ of finding messages M, M where M = M 1,..., M B, M = M 1,..., M B and Hs MD (M) = Hs MD (M ), where B = L/l, B = L /l. Let us construct an algorithm A which: 1. Given s, runs A to find collisions for M, M in HMD s. Assume that running A takes time t MD. 2. Computes both H s MD (M)andHs MD (M ). We know that this takes time on the order of r 2L/l, where r is the time of running H s and assuming without loss of generality that L L since the Merkle-Damgård Transform, by definition, runs H s once for each of the L/l blocks of M and M. 3. Finds a collision of H s that is guaranteed to exist (we will prove this below) in the Merkle-Damgård algorithm. This will take the time of running the algorithm once for each message M, M, which is on the order of r 2L/l, as above. In order to show that there must be a collision in H s if there is a collision in H s MD, recall that the last computation of the MD algorithm hashes M B+1 = L. We need to consider two cases: 1. L L : By the definition of the problem, we have HMD s (M) = Hs MD (M ). The last step of the alrogithm for M and M generates, respectively, H s (L, h B ) = HMD s (M) and Hs (L, h B ) = Hs MD (M ) = HMD s (M). This is a collision of Hs on different inputs. 2. L = L : This implies that B = B and h B+1 = h B +1, as well. Because M M but M M, i, 0 i B : h i h i. Let j B + 1 be the largest index where h j h j. If j = B + 1, then h j+1 and h j+1 are two (different) colliding strings because H s (h j ) = h j+1 = H s MD (M) = H s MD (M ) = h j+1 = H s (h j). If j B, then that implies h j+1 = h j+1. Thus, h j and h j are two different strings whose hashes collide. 6

This shows that a collision in H s MD implies a collision in Hs, thus guaranteeing for our proof that by executing each stage of the Merkle-Damgård Transform, we can find a collision in H s if there is a collision in H s MD. Returning to algorithm A, we now have established the steps necessary to find collisions of a hash function H s by finding collisions in HMD s. Note that by the definition of the problem, because it uses algorithm A which finds collisions with probability ɛ, A will also find collisions with probability ɛ. By the definition of a collision-resistant hash function, we also know that it must have time complexity t. Examining the steps of the algorithm, we know that the time complexity of A is t = t MD + 2r L/l + 2r L/l = 4r L/l = t MD + O(rL/l). From this, we solve for t MD and get t MD = t O(rL/l). Thus, we conclude that if A finds a collision with probability ɛ, it is (t O(RL/l), ɛ) secure. 7

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback