B504 / I538: Introduction to Cryptography Spring 2017 Lecture 12
Recall: MAC existential forgery game 1 n Challenger (C) k Gen(1 n ) Forger (A) 1 n m 1 m 1 M {m} t 1 MAC k (m 1 ) t 1 m 2 m 2 M {m} t 2 MAC k (m 2 ) t 2 t n MAC k (m n ) m n t n m n M {m} (m,t) 2 Let E be the event that (m,t) {(m 1,t 1 ),,(m n,t n )} yet Ver k (m,t)=1 Define A s advantage to be Adv MAC-strong-ex-forge (A) Pr[E]
Recall: Naïve CBC-MAC Let {f k } k {0,1} * be a PRF family Gen(1 n ) outputs a uniform random key k {0,1} n MAC k (m) does the following: 1. Split m into n-bit blocks m 1,,m n 2. Initialize t 0 ={0} n 3. Compute t i =F k (t i-1 m i ) 4. Output the tag t t n Ver k (m,t) outputs 1 if t=mac k (m) and 0 otherwise 3
Recall: Naïve CBC-MAC m m 1 m 2 m l k k k m 1 m 2 m l Π k Π k Π k 0ⁿ t 1 t 2 t l t l 4
Recall: Attacking naïve CBC-MAC Challenger (C) Forger (A) 1 n 1 n k Gen(1 n ) m m {0,1} n t MAC k (m) t m m (m t) (m,t) 5 A s output is a valid forgery because F k (m )=F k ((m t) t)=f k (m)=t
CBC-MAC fix #1: Prepend the block-length m m 1 m 2 m l k k k m 1 m 2 m l Π k Π k Π k F k (l) t 1 t 2 t l 6 Intuitively, MAC on n-block message is useless for forging MACs on n -block messages t l
CBC-MAC fix #2: Length-specific key m m 1 m 2 m l k l k l k l m 1 m 2 m l Π kl Π kl Π kl 0ⁿ t 1 t 2 t l 7 Again, MAC on n-block message is useless for forging MACs on n -block messages t l
CBC-MAC fix #3: Nested CBC-MAC (NMAC) m m 1 m 2 m l k 1 k 1 k 1 m 1 m 2 m l Π k1 Π k1 Π k1 0ⁿ t 1 t 2 k 2 Π k2 8 Compute Naïve CBC-MAC with first key MAC the Naïve CBC-MAC with second key t
CBC-MAC versus CBC mode encryption CBC mode encryption requires uniform random IV Otherwise, it is not IND-CPA secure! CBC-MAC requires fixed IV Otherwise, it is not existentially unforgeable! CBC mode encryption outputs each block Otherwise, it is not correct! CBC-MAC only outputs a single block (the last one) Otherwise, it is not existentially unforgeable! 9 CBC mode encryption requires a PRP Otherwise, it is not correct! CBC-MAC only requires a PRF
Hash functions 10 Def n : A hash function is a PPT function H: {0, 1} * {0, 1} s that maps arbitrary-length bit strings into fixed-length bit strings. The output of a hash function is called a hash, digest, or fingerprint of the input Alice Bob Charlie Eve Hash function Fingerprints 00 03 05 15 01 02 04 13 14
Hash function collisions Def n : Let H be a function taking on values in {0, 1} *. A collision for H is an ordered pair (m 0, m 1 ) {0, 1} * of distinct inputs such that H(m 0 ) = H(m 1 ). Pigeon-hole principle: If the domain of H is (much) larger than its range, then (many) collisions must exist! more pigeons more collisions 11 "TooManyPigeons" by en:user:mckay - Transferred from en.wikipedia; Original text : Edited from Image:Pigeons-in-holes.jpg by en:user:benfrantzdale. Licensed under CC BY-SA 3.0 via Wikimedia Commons - http://commons.wikimedia.org/wiki/file:toomanypigeons.jpg#mediaviewer/file:toomanypigeons.jpg
Collision resistance Intuitively, we want to say that no PPT algorithm can find a collision for H, except with a probability that is negligible in s (the length of the output) Q: How do we formalize this notion? A: Very carefully Difficulty: once H is fixed, it is trivial to define a PPT algorithm that has a collision for H hard-coded 12
Keyed hash functions Def n : A keyed hash function with output length l(s) is a pair of PPT algorithms (Gen, H) such that Gen(1 s ) outputs a uniform random key in k {0, 1} s H(k, x) outputs a fingerprint y {0, 1} l( 1k1) x {0, 1} * 13 Idea: Define collision resistance to require that no PPT algorithm can find a collision for H when the key is selected at random, except with probability negligible in s.
Collision-finding game Challenger (C) 1 s k Gen(1 s k ) Attacker (A) 1 s (m 0, m 1 ) 14 Let E be the event that m 0 m 1 and H(k, m 0 ) = H(k, m 1 ) Define A s advantage to be Adv collision (A) := Pr[E] Def n : A keyed hash function (Gen, H) is collision resistant if, for every PPT attacker A, there exists a negligible function ε: N R + such that Adv collision (A) ε(s).
Second preimage resistance Informally, a keyed hash function (Gen, H) is second preimage resistant if no PPT attacker can, given m 0 {0, 1 } * and k Gen(1 s ), output m 1 {0, 1}* such that m 0 m 1 and H(k,m 0 ) = H(k, m 1 ) except with probability negligible in s. 15
Second-preimage-finding game Challenger (C) 1 s k Gen(1 s k ) Attacker (A) 1 s, m 0 {0, 1} * m 1 Let E be the event that m 0 m 1 and H(k, m 0 ) = H(k, m 1 ) Define A s advantage to be Adv 2-preimage (A) := Pr[E] 16 Def n : A keyed hash function (Gen, H) is second preimage resistant if, for every PPT attacker A, there exists a negligible function ε: N R + such that Adv 2-preimage (A) ε(s).
Second preimage resistance Thm: If (Gen, H) is collision resistant, then it is also second preimage resistant. Proof: Just note that a second preimage is a collision. Q: Is the converse of this theorem true? A: No! (But why?) 17
Preimage resistance Informally, a keyed hash function (Gen, H) is preimage resistant if no PPT attacker can, given k Gen(1 s ) and y {0, 1} l(s) output m {0, 1}* such that H(k, m) = y except with probability negligible in s. 18
Preimage-finding game Challenger (C) 1 n k Gen(1 n k ) Attacker (A) 1 n, y {0,1} l(n m Let E be the event that H(k, m) = y Define A s advantage to be Adv preimage (A) := Pr[E] 19 Def n : A keyed hash function (Gen, H) is preimage resistant if, for every PPT attacker A, there exists a negligible function ε: N R + such that Adv preimage (A) ε(s).
Preimage resistance Thm: If (Gen, H) is preimage resistant for randomly selected inputs, then it is also second preimage resistant. Proof (sketch): Suppose that A breaks preimage resistance. - Given k and m, compute y = H(k, m) - Now use A to find a preimage of y. - Since y has many preimages, with high probability that preimage that A finds will not be m! Q: Is the converse of this theorem true? 20 A: No! (But why?)
(One-way) compression functions Intuitively, a (one-way) compression function is a keyed function h with three properties: Efficient: There exists a PPT algorithm that evaluates h Compression: h maps 2s-bit strings and to s-bit strings One-way: Given an output of h, it is difficult to find any input that maps to that output Q: On average, how many inputs map to each output? A: About 2 s 21
Merkle-Damgård construction m m 1 m 2 m n m 1 m 2 m n h k h k... h k z 1 z n 1 H k (m) := zn 0 s 22
Davies-Meyer compression function m i Thm: If F is a PRF, then the Davies-Meyer compression function is collision resistant. In particular, finding a collision requires O(2 n/2 ) evaluations of F on average. Fm i (z i-1 ) := F mi (z i-1 ) z i-1 z i-1 z i 23
Recall: Nested CBC-MAC (NMAC) m m 1 m 2 m n m 1 m 2 k 1 k 1 k 1 m n F k1 F k1... F k1 0 s k 2 F k2 t 24 Compute Naïve CBC-MAC with first key MAC the Naïve CBC-MAC with second key
Hash-based MAC (HMAC) The most widely used MAC algorithm in practice HMAC s,k (m) := H s ( (k opad) 11 H s ( (k ipad) 11 m ) ) H s is a collision-resistant (keyed) hash function k is the secret MAC key opad = 0x5c5c5c... 5c ipad = 0x363636... 36 25
HMAC m m 1 m 2 m n k ipad m 1 m n h s h s... h s 0 s k opad 0 s h s h s t 26
Simpler HMAC constructions? Q: Is H(k 11 m) a secure MAC? A: No! (But why?) Suppose H is constructed using Merkle-Damgård construction Given (m, H(k 11 m)) it is easy to compute m' := m 11 m'' and t' such that t' = H(k 11 m')! (But how?) Just set t' = H(t 11 m'') Q: Is H(m 11 k) a secure MAC? A: Errr, well...sort of!? It's not as secure as HMAC! (But why?) If H(m 0 ) = H(m 1 ) then H(m 0 11 k) = H(m 1 11 k) Weakness in collision-resistance of H implies weakness in HMAC 27
Simpler HMAC constructions? Q: Is H(k 11 m 11 k) a secure HMAC? A: I don't know! Possibly? This is essentially HMAC without ipad and opad Proof of existential unforgeability for HMAC requires that ipad and opad differ in at least one bit! H(k 11 m 11 k) falls to "target prefix collision" attacks against H 28
Generic birthday attack Let H: {0, 1} * {0, 1} s and consider the following algorithm: Choose N := (5/4) 2 s/2 distinct messages, m 1,..., m N, each uniformly at random For i = 1,..., N, compute y i := H(m i ) If y i = y j for some i j, then output (m i, m j ) Thm (birthday paradox): Let r 1,..., r N be independently and identically distributed random variables taking on values in {0, 1} s. If N = (5/4) 2 s/2, then Pr[ i j, r i = r j ] 1/2. 29
Generic birthday attack Thm (birthday paradox): Let r 1,..., r N be independently and identically distributed random variables taking on values in {0, 1} s. If N = (5/4) 2 s/2, then Pr[ i j, r i = r j ]> 1/2. 30 Proof (for uniform random variables): Pr[ i j, r i = r j ]= 1 - Pr[ i j, r i r j ] = 1 - ((2 s -1)/2 s ) ((2 s -2)/2 s )... ((2 s -N+1)/2 s ) n 1 = 1 - ς i = 1 (1 i/2 s ) n 1 e -i/2 s (1-x e -x ) 1 - ς i = 1 = 1 - e -1/2s i 1 - e -(N2 /2)/2 s = 1 - e -((5/4 2s/2 ) 2 /2)/2 s = 1-e -25/32 0.54
Generic birthday attack Obs: An attacker A that uses the generic birthday attack can find collisions with advantage Adv collision (A) > 1/2 in O(s 2 s/2 ) time (albeit with O(s 2 s/2 ) storage Q: Is this a problem? A: No! (in theory); Possibly! (in practice) Real hash functions have fixed-length outputs Need to ensure that 2 s/2 work is infeasible...or do we? Memory is scarcer than time Q: Is it sufficient to ensure no real attacker can store s 2 s/2 bits? A: Perhaps surprisingly, no! 31
"Small-space" birthday attack Consider an attacker A that works as follows: 1. Choose a random initial value m 0 2. Set m := m 0 and m' := m 0 3. For i = 1, 2, 3,..., do the following Compute m := H(m) and m' := H(H(m')) // now m = H (i) (m 0 ) and m' = H (2i) (m 0 ) If m == m', break from loop 4. Set m' := m and m := m 0 5. For j = 1,..., i, do the following If H(m) == H(m'), return (m, m') Else, set m := H(m) and m' := H(m') // now m = H (j) (m 0 ) and m' = H (i+j) (m 0 ) 32 Thm: The above small-space birthday attack finds a collision with probability at least 1/2 in O(s 2 s/2 ) time using O(1) storage.
That s all for today, folks! 33