Introduction to Cryptography

Similar documents
COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 10: NMAC, HMAC and Number Theory

Notes for Lecture 9. 1 Combining Encryption and Authentication

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Lecture 10: NMAC, HMAC and Number Theory

Cryptography CS 555. Topic 13: HMACs and Generic Attacks

Leftovers from Lecture 3

Introduction to Information Security

2 Message authentication codes (MACs)

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Online Cryptography Course. Collision resistance. Introduc3on. Dan Boneh

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Foundations of Network and Computer Security

Avoiding collisions Cryptographic hash functions. Table of contents

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Introduction to Cryptography Lecture 4

CPSC 467: Cryptography and Computer Security

Authentication. Chapter Message Authentication

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Foundations of Network and Computer Security

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Message Authentication Codes (MACs) and Hashes

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

12 Hash Functions Defining Security

Online Cryptography Course. Message integrity. Message Auth. Codes. Dan Boneh

ECS 189A Final Cryptography Spring 2011

Provable Security in Symmetric Key Cryptography

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

Block Ciphers/Pseudorandom Permutations

Introduction to Cryptography

SPCS Cryptography Homework 13

3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function

Breaking H 2 -MAC Using Birthday Paradox

Lecture 18: Message Authentication Codes & Digital Signa

Week 12: Hash Functions and MAC

G /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Lecture 5, CPA Secure Encryption from PRFs

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Message Authentication

Foundations of Network and Computer Security

New Proofs for NMAC and HMAC: Security without Collision-Resistance

Modern Cryptography Lecture 4

II. Digital signatures

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Avoiding collisions Cryptographic hash functions. Table of contents

1 Cryptographic hash functions

CPSC 467: Cryptography and Computer Security

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Provable Chosen-Target-Forced-Midx Preimage Resistance

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

Lecture 7: CPA Security, MACs, OWFs

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4)

General Distinguishing Attacks on NMAC and HMAC with Birthday Attack Complexity

Attacks on hash functions. Birthday attacks and Multicollisions

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

CTR mode of operation

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design

New Attacks on the Concatenation and XOR Hash Combiners

H Definition - hash function. Cryptographic Hash Functions - Introduction. Cryptographic hash functions. Lars R. Knudsen.

Perfectly-Crafted Swiss Army Knives in Theory

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

CPA-Security. Definition: A private-key encryption scheme

Lecture 15: Message Authentication

Cryptographic Hash Functions

1 Number Theory Basics

MESSAGE AUTHENTICATION 1/ 103

Q B (pk, sk) Gen x u M pk y Map pk (x) return [B(pk, y)? = x]. (m, s) A O h

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.

A survey on quantum-secure cryptographic systems

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

Digital Signatures. Adam O Neill based on

Security without Collision-Resistance

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Attacks on hash functions: Cat 5 storm or a drizzle?

Symmetric Crypto Systems

Lecture 14: Cryptographic Hash Functions

Improved Generic Attacks Against Hash-based MACs and HAIFA

SIS-based Signatures

Solution of Exercise Sheet 7

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Notes on Property-Preserving Encryption

New Proofs for NMAC and HMAC: Security without Collision-Resistance

Transcription:

B504 / I538: Introduction to Cryptography Spring 2017 Lecture 12

Recall: MAC existential forgery game 1 n Challenger (C) k Gen(1 n ) Forger (A) 1 n m 1 m 1 M {m} t 1 MAC k (m 1 ) t 1 m 2 m 2 M {m} t 2 MAC k (m 2 ) t 2 t n MAC k (m n ) m n t n m n M {m} (m,t) 2 Let E be the event that (m,t) {(m 1,t 1 ),,(m n,t n )} yet Ver k (m,t)=1 Define A s advantage to be Adv MAC-strong-ex-forge (A) Pr[E]

Recall: Naïve CBC-MAC Let {f k } k {0,1} * be a PRF family Gen(1 n ) outputs a uniform random key k {0,1} n MAC k (m) does the following: 1. Split m into n-bit blocks m 1,,m n 2. Initialize t 0 ={0} n 3. Compute t i =F k (t i-1 m i ) 4. Output the tag t t n Ver k (m,t) outputs 1 if t=mac k (m) and 0 otherwise 3

Recall: Naïve CBC-MAC m m 1 m 2 m l k k k m 1 m 2 m l Π k Π k Π k 0ⁿ t 1 t 2 t l t l 4

Recall: Attacking naïve CBC-MAC Challenger (C) Forger (A) 1 n 1 n k Gen(1 n ) m m {0,1} n t MAC k (m) t m m (m t) (m,t) 5 A s output is a valid forgery because F k (m )=F k ((m t) t)=f k (m)=t

CBC-MAC fix #1: Prepend the block-length m m 1 m 2 m l k k k m 1 m 2 m l Π k Π k Π k F k (l) t 1 t 2 t l 6 Intuitively, MAC on n-block message is useless for forging MACs on n -block messages t l

CBC-MAC fix #2: Length-specific key m m 1 m 2 m l k l k l k l m 1 m 2 m l Π kl Π kl Π kl 0ⁿ t 1 t 2 t l 7 Again, MAC on n-block message is useless for forging MACs on n -block messages t l

CBC-MAC fix #3: Nested CBC-MAC (NMAC) m m 1 m 2 m l k 1 k 1 k 1 m 1 m 2 m l Π k1 Π k1 Π k1 0ⁿ t 1 t 2 k 2 Π k2 8 Compute Naïve CBC-MAC with first key MAC the Naïve CBC-MAC with second key t

CBC-MAC versus CBC mode encryption CBC mode encryption requires uniform random IV Otherwise, it is not IND-CPA secure! CBC-MAC requires fixed IV Otherwise, it is not existentially unforgeable! CBC mode encryption outputs each block Otherwise, it is not correct! CBC-MAC only outputs a single block (the last one) Otherwise, it is not existentially unforgeable! 9 CBC mode encryption requires a PRP Otherwise, it is not correct! CBC-MAC only requires a PRF

Hash functions 10 Def n : A hash function is a PPT function H: {0, 1} * {0, 1} s that maps arbitrary-length bit strings into fixed-length bit strings. The output of a hash function is called a hash, digest, or fingerprint of the input Alice Bob Charlie Eve Hash function Fingerprints 00 03 05 15 01 02 04 13 14

Hash function collisions Def n : Let H be a function taking on values in {0, 1} *. A collision for H is an ordered pair (m 0, m 1 ) {0, 1} * of distinct inputs such that H(m 0 ) = H(m 1 ). Pigeon-hole principle: If the domain of H is (much) larger than its range, then (many) collisions must exist! more pigeons more collisions 11 "TooManyPigeons" by en:user:mckay - Transferred from en.wikipedia; Original text : Edited from Image:Pigeons-in-holes.jpg by en:user:benfrantzdale. Licensed under CC BY-SA 3.0 via Wikimedia Commons - http://commons.wikimedia.org/wiki/file:toomanypigeons.jpg#mediaviewer/file:toomanypigeons.jpg

Collision resistance Intuitively, we want to say that no PPT algorithm can find a collision for H, except with a probability that is negligible in s (the length of the output) Q: How do we formalize this notion? A: Very carefully Difficulty: once H is fixed, it is trivial to define a PPT algorithm that has a collision for H hard-coded 12

Keyed hash functions Def n : A keyed hash function with output length l(s) is a pair of PPT algorithms (Gen, H) such that Gen(1 s ) outputs a uniform random key in k {0, 1} s H(k, x) outputs a fingerprint y {0, 1} l( 1k1) x {0, 1} * 13 Idea: Define collision resistance to require that no PPT algorithm can find a collision for H when the key is selected at random, except with probability negligible in s.

Collision-finding game Challenger (C) 1 s k Gen(1 s k ) Attacker (A) 1 s (m 0, m 1 ) 14 Let E be the event that m 0 m 1 and H(k, m 0 ) = H(k, m 1 ) Define A s advantage to be Adv collision (A) := Pr[E] Def n : A keyed hash function (Gen, H) is collision resistant if, for every PPT attacker A, there exists a negligible function ε: N R + such that Adv collision (A) ε(s).

Second preimage resistance Informally, a keyed hash function (Gen, H) is second preimage resistant if no PPT attacker can, given m 0 {0, 1 } * and k Gen(1 s ), output m 1 {0, 1}* such that m 0 m 1 and H(k,m 0 ) = H(k, m 1 ) except with probability negligible in s. 15

Second-preimage-finding game Challenger (C) 1 s k Gen(1 s k ) Attacker (A) 1 s, m 0 {0, 1} * m 1 Let E be the event that m 0 m 1 and H(k, m 0 ) = H(k, m 1 ) Define A s advantage to be Adv 2-preimage (A) := Pr[E] 16 Def n : A keyed hash function (Gen, H) is second preimage resistant if, for every PPT attacker A, there exists a negligible function ε: N R + such that Adv 2-preimage (A) ε(s).

Second preimage resistance Thm: If (Gen, H) is collision resistant, then it is also second preimage resistant. Proof: Just note that a second preimage is a collision. Q: Is the converse of this theorem true? A: No! (But why?) 17

Preimage resistance Informally, a keyed hash function (Gen, H) is preimage resistant if no PPT attacker can, given k Gen(1 s ) and y {0, 1} l(s) output m {0, 1}* such that H(k, m) = y except with probability negligible in s. 18

Preimage-finding game Challenger (C) 1 n k Gen(1 n k ) Attacker (A) 1 n, y {0,1} l(n m Let E be the event that H(k, m) = y Define A s advantage to be Adv preimage (A) := Pr[E] 19 Def n : A keyed hash function (Gen, H) is preimage resistant if, for every PPT attacker A, there exists a negligible function ε: N R + such that Adv preimage (A) ε(s).

Preimage resistance Thm: If (Gen, H) is preimage resistant for randomly selected inputs, then it is also second preimage resistant. Proof (sketch): Suppose that A breaks preimage resistance. - Given k and m, compute y = H(k, m) - Now use A to find a preimage of y. - Since y has many preimages, with high probability that preimage that A finds will not be m! Q: Is the converse of this theorem true? 20 A: No! (But why?)

(One-way) compression functions Intuitively, a (one-way) compression function is a keyed function h with three properties: Efficient: There exists a PPT algorithm that evaluates h Compression: h maps 2s-bit strings and to s-bit strings One-way: Given an output of h, it is difficult to find any input that maps to that output Q: On average, how many inputs map to each output? A: About 2 s 21

Merkle-Damgård construction m m 1 m 2 m n m 1 m 2 m n h k h k... h k z 1 z n 1 H k (m) := zn 0 s 22

Davies-Meyer compression function m i Thm: If F is a PRF, then the Davies-Meyer compression function is collision resistant. In particular, finding a collision requires O(2 n/2 ) evaluations of F on average. Fm i (z i-1 ) := F mi (z i-1 ) z i-1 z i-1 z i 23

Recall: Nested CBC-MAC (NMAC) m m 1 m 2 m n m 1 m 2 k 1 k 1 k 1 m n F k1 F k1... F k1 0 s k 2 F k2 t 24 Compute Naïve CBC-MAC with first key MAC the Naïve CBC-MAC with second key

Hash-based MAC (HMAC) The most widely used MAC algorithm in practice HMAC s,k (m) := H s ( (k opad) 11 H s ( (k ipad) 11 m ) ) H s is a collision-resistant (keyed) hash function k is the secret MAC key opad = 0x5c5c5c... 5c ipad = 0x363636... 36 25

HMAC m m 1 m 2 m n k ipad m 1 m n h s h s... h s 0 s k opad 0 s h s h s t 26

Simpler HMAC constructions? Q: Is H(k 11 m) a secure MAC? A: No! (But why?) Suppose H is constructed using Merkle-Damgård construction Given (m, H(k 11 m)) it is easy to compute m' := m 11 m'' and t' such that t' = H(k 11 m')! (But how?) Just set t' = H(t 11 m'') Q: Is H(m 11 k) a secure MAC? A: Errr, well...sort of!? It's not as secure as HMAC! (But why?) If H(m 0 ) = H(m 1 ) then H(m 0 11 k) = H(m 1 11 k) Weakness in collision-resistance of H implies weakness in HMAC 27

Simpler HMAC constructions? Q: Is H(k 11 m 11 k) a secure HMAC? A: I don't know! Possibly? This is essentially HMAC without ipad and opad Proof of existential unforgeability for HMAC requires that ipad and opad differ in at least one bit! H(k 11 m 11 k) falls to "target prefix collision" attacks against H 28

Generic birthday attack Let H: {0, 1} * {0, 1} s and consider the following algorithm: Choose N := (5/4) 2 s/2 distinct messages, m 1,..., m N, each uniformly at random For i = 1,..., N, compute y i := H(m i ) If y i = y j for some i j, then output (m i, m j ) Thm (birthday paradox): Let r 1,..., r N be independently and identically distributed random variables taking on values in {0, 1} s. If N = (5/4) 2 s/2, then Pr[ i j, r i = r j ] 1/2. 29

Generic birthday attack Thm (birthday paradox): Let r 1,..., r N be independently and identically distributed random variables taking on values in {0, 1} s. If N = (5/4) 2 s/2, then Pr[ i j, r i = r j ]> 1/2. 30 Proof (for uniform random variables): Pr[ i j, r i = r j ]= 1 - Pr[ i j, r i r j ] = 1 - ((2 s -1)/2 s ) ((2 s -2)/2 s )... ((2 s -N+1)/2 s ) n 1 = 1 - ς i = 1 (1 i/2 s ) n 1 e -i/2 s (1-x e -x ) 1 - ς i = 1 = 1 - e -1/2s i 1 - e -(N2 /2)/2 s = 1 - e -((5/4 2s/2 ) 2 /2)/2 s = 1-e -25/32 0.54

Generic birthday attack Obs: An attacker A that uses the generic birthday attack can find collisions with advantage Adv collision (A) > 1/2 in O(s 2 s/2 ) time (albeit with O(s 2 s/2 ) storage Q: Is this a problem? A: No! (in theory); Possibly! (in practice) Real hash functions have fixed-length outputs Need to ensure that 2 s/2 work is infeasible...or do we? Memory is scarcer than time Q: Is it sufficient to ensure no real attacker can store s 2 s/2 bits? A: Perhaps surprisingly, no! 31

"Small-space" birthday attack Consider an attacker A that works as follows: 1. Choose a random initial value m 0 2. Set m := m 0 and m' := m 0 3. For i = 1, 2, 3,..., do the following Compute m := H(m) and m' := H(H(m')) // now m = H (i) (m 0 ) and m' = H (2i) (m 0 ) If m == m', break from loop 4. Set m' := m and m := m 0 5. For j = 1,..., i, do the following If H(m) == H(m'), return (m, m') Else, set m := H(m) and m' := H(m') // now m = H (j) (m 0 ) and m' = H (i+j) (m 0 ) 32 Thm: The above small-space birthday attack finds a collision with probability at least 1/2 in O(s 2 s/2 ) time using O(1) storage.

That s all for today, folks! 33

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback