
CIS 5371 Cryptography 4. Message Authentication Codes Based on: Jonathan Katz and Yehuda Lindell...

Date post: 05-Jan-2016
Upload: martin-skinner

CIS 5371 Cryptography

4. Message Authentication Codes

Based on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography


Message Authentication Codes

Encryption vs message authentication
• Different functionalities
• Encryption does not provide message authentication!
• Encryption with stream ciphers
  • For one just needs to flip a bit of the ciphertext.
• Encryption with block ciphers
  • Same attack (flipping bits) works, only this time blocks are affected.


Definition 4.1 Message Authentication Code

A message authentication code (MAC) is a tuple such that:
• takes input the security parameter and outputs a key with .
• takes as input a key and a message and We write: .
• takes as input a key a message and and outputs a bit We write, :=Vrfy(.


Message authentication experiment -(A,)

a. b. ..


Definition 4.2 -- Secure MAC

A message authentication code is existentially unforgeable under adaptive chosen message attack, or just secure, if for all probabilistic polynomial-time adversaries there exists a negligible function such that: -


Construction 4.3 A fixed length MAC from any PRF

Let be a pseudorandom function. Define a fixed length MAC on messages of length as follows:

• Gen: on input choose uniformly at random.

• Mac: on input a key and a message , output tag

(If then output nothing.)

• Vrfy: on input a key and a message , output 1 if and only if

(If then output 0.)
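
An added example (not part of the original slides) covering both the bit-flipping point on the "Encryption vs message authentication" slide and Construction 4.3: Mac outputs the PRF value of the message and Vrfy recomputes it. HMAC-SHA256 as the PRF, the 32-byte length, the toy one-block stream cipher and tagging the ciphertext are all assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

N = 32  # n in bytes; keys and messages both have this length (assumed value)

def prf(k: bytes, x: bytes) -> bytes:
    """Stand-in for F_k(x): HMAC-SHA256, assumed to be pseudorandom."""
    return hmac.new(k, x, hashlib.sha256).digest()

def gen() -> bytes:
    return secrets.token_bytes(N)  # uniform key of length n

def mac(k: bytes, m: bytes):
    if len(m) != len(k):
        return None  # "output nothing" on a wrong-length message
    return prf(k, m)

def vrfy(k: bytes, m: bytes, t: bytes) -> int:
    if len(m) != len(k):
        return 0
    return 1 if hmac.compare_digest(prf(k, m), t) else 0

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stream_encrypt(k: bytes, m: bytes) -> bytes:
    """Toy stream cipher for up to 32 bytes: m XOR F_k(0). Decrypts the same way."""
    return xor(m, prf(k, bytes(8)))

def demo():
    k_enc, k_mac = gen(), gen()
    m = b"PAY 100 TO ALICE".ljust(N)      # constructed sample message
    c = stream_encrypt(k_enc, m)
    t = mac(k_mac, c)                      # tag computed over the ciphertext
    # In transit: XOR '1'^'9' into byte 4 of the ciphertext; no key is needed.
    delta = bytes(4) + bytes([ord("1") ^ ord("9")]) + bytes(N - 5)
    c2 = xor(c, delta)
    m2 = stream_encrypt(k_enc, c2)         # what the receiver would decrypt
    return m2, vrfy(k_mac, c, t), vrfy(k_mac, c2, t)

if __name__ == "__main__":
    print(demo())
```

Decryption alone yields the altered plaintext without any error; only the tag check distinguishes the original ciphertext from the modified one.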


Theorem 4.4

Let be a pseudorandom function. Then Construction 4.3 is a fixed-length MAC for messages of length n that is existentially unforgeable under an adaptive chosen message attack.


A secure fixed length MAC Proof

: -) LetMAC that is the same as except that a truly random function is used instead of a PRF . Then -.


Distinguisher D

is given access to and oracle O
1. Run : whenever queries its MAC oracle on a message , answer as follows:
• Query O. Return t to A.
2. When A outputs at the end of its execution do:
a) Query O with to get .
b) If and A never queried its MAC oracle with then output 1; else output 0.


Distinguisher D

If oracle is a PRF then,
If the oracle is a random function then, -
Therefore,


Distinguisher D

Since is a PRF it follows that there is a negligible function with Then and so is negligible.


Replay attacks

MACs do not protect against replay attacks. This is because the definition of a MAC does not incorporate any notion of state in the verification algorithm.
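
An added example (not from the original slides) of the statelessness described above: the same valid pair verifies every time it is presented, while a receiver that keeps a counter rejects the second copy. The counter scheme, the `Receiver` class and the use of HMAC-SHA256 as the MAC are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

def mac(k: bytes, m: bytes) -> bytes:
    return hmac.new(k, m, hashlib.sha256).digest()

def vrfy(k: bytes, m: bytes, t: bytes) -> bool:
    # Stateless: the result depends only on (k, m, t).
    return hmac.compare_digest(mac(k, m), t)

def send(k: bytes, ctr: int, m: bytes):
    """Sender side: authenticate counter || message."""
    return ctr, m, mac(k, ctr.to_bytes(8, "big") + m)

class Receiver:
    """Adds the state Vrfy lacks: the highest counter accepted so far."""
    def __init__(self, k: bytes):
        self.k = k
        self.last = -1

    def accept(self, ctr: int, m: bytes, t: bytes) -> bool:
        # The tag covers the counter, so it cannot be changed in transit.
        if not vrfy(self.k, ctr.to_bytes(8, "big") + m, t):
            return False
        if ctr <= self.last:
            return False  # valid tag, but already seen: replay
        self.last = ctr
        return True

def demo():
    k = secrets.token_bytes(32)
    m = b"transfer 100"                 # constructed sample message
    t = mac(k, m)
    stateless = [vrfy(k, m, t), vrfy(k, m, t)]   # second copy also verifies
    rx = Receiver(k)
    pkt = send(k, 0, m)
    stateful = [rx.accept(*pkt), rx.accept(*pkt), rx.accept(*send(k, 1, m))]
    renumbered = rx.accept(7, m, pkt[2])         # old tag under a new counter
    return stateless, stateful, renumbered

if __name__ == "__main__":
    print(demo())
```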


Construction 4.5 A variable length MAC

Let be fixed length MAC for messages of length .

• Gen’: identical to Gen.

• Mac’: on input a key and a message of length parse into blocks of length and choose a random identifier in .

Compute , for and output

• Vrfy: parse into blocks and re-compute the MAC. Output 1 if and only if the answer is the same for all


Theorem 4.6

If ’ is a secure fixed length MAC for messages of length , then Construction 4.6 is a MAC that is existentially unforgeable under an adaptive chosen message attack.


Construction 4.9 CBC-MAC

Let be a pseudorandom function. Fix a length function The CBC-MAC construction is as follows:

• Gen: on input choose uniformly at random.

• Mac: on input a key and message

1. Parse into blocks of length , and set .

2. Compute for

Output

• Vrfy: on input a key , a message of length and a tag of length output 1 if and only if .


Theorem 4.10

Let be a polynomial. If F is a pseudorandom function then Construction 4.9 is a fixed length MAC for messages of length that is existentially unforgeable under an adaptive chosen message attack.


CBC-MAC vs CBC-mode encryption

1. CBC-mode encryption uses a random IV. If we use a random IV for CBC-MAC then we lose security.

2. In CBC-mode encryption all encrypted blocks are output as part of the ciphertext. This is not the case with CBC-MAC. If we do so we lose security.


Secure CBC-MAC for variable length messages – three options

1. Apply the pseudorandom function to the length of the input message to get a key , e.g. set . Then compute the CBC-MAC with this key.

2. Prepend the message with length and then compute the basic CBC-MAC. If we append instead of prepending it we lose security.

3. Choose two keys Compute the CBC-MAC with the first key to get . The tag is .
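
An added example (not from the original slides) tying together the "CBC-MAC vs CBC-mode encryption" slide and option 2 above: basic CBC-MAC with a fixed all-zero start value, the length-prepending variant, and a deliberately broken random-IV variant in which a change to the IV cancels the same change to the first block. Truncated HMAC-SHA256 as the PRF, the 16-byte block length and all function names are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

B = 16  # block length n in bytes (assumed value)

def F(k: bytes, x: bytes) -> bytes:
    """Stand-in PRF on B-byte blocks: HMAC-SHA256 truncated to B bytes."""
    return hmac.new(k, x, hashlib.sha256).digest()[:B]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_mac(k: bytes, m: bytes, start: bytes = bytes(B)) -> bytes:
    """Basic CBC-MAC: t_i = F_k(t_{i-1} XOR m_i); only the last t_i is output."""
    if len(m) == 0 or len(m) % B:
        raise ValueError("message must be a positive number of whole blocks")
    t = start
    for i in range(0, len(m), B):
        t = F(k, xor(t, m[i:i + B]))
    return t

def mac_len_prepend(k: bytes, m: bytes) -> bytes:
    """Option 2: prepend |m| as one block, then compute the basic CBC-MAC."""
    return cbc_mac(k, len(m).to_bytes(B, "big") + m)

def vrfy_len_prepend(k: bytes, m: bytes, t: bytes) -> bool:
    return hmac.compare_digest(mac_len_prepend(k, m), t)

def mac_random_iv(k: bytes, m: bytes):
    """Deliberately broken: a fresh IV is sent alongside the tag."""
    iv = secrets.token_bytes(B)
    return iv, cbc_mac(k, m, iv)

def vrfy_random_iv(k: bytes, m: bytes, iv: bytes, t: bytes) -> bool:
    return hmac.compare_digest(cbc_mac(k, m, iv), t)

def demo():
    k = secrets.token_bytes(B)
    m = b"PAY 100 TO ALICE" + b"INVOICE 0000042\n"   # constructed, two blocks
    delta = bytes(4) + bytes([ord("1") ^ ord("9")]) + bytes(B - 5)
    m2 = xor(m[:B], delta) + m[B:]                    # first block now says 900
    iv, t = mac_random_iv(k, m)
    broken = vrfy_random_iv(k, m2, xor(iv, delta), t)  # same delta on the IV
    t_fixed = mac_len_prepend(k, m)
    return broken, vrfy_len_prepend(k, m, t_fixed), vrfy_len_prepend(k, m2, t_fixed)

if __name__ == "__main__":
    print(demo())
```

With the start value fixed and outside the sender's tag, there is nothing for a third party to adjust, so the altered message fails verification.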


Variable length CBC-MAC

[Figure: CBC-MAC chain of F_k applications over the blocks |m|, m1, m2, m3, producing the tag t.]

