
crypto4a

Date post: 01-Dec-2015
Upload: mbscribd2011

1

CIS 5371 Cryptography

4. Message Authentication Codes

Based on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography

2

Message Authentication Codes

Encryption vs message authentication

• Different functionalities

• Encryption does not provide message authentication!

• Encryption with stream ciphers

• For one just needs to flip a bit of the ciphertext.

• Encryption with block ciphers

• Same attack (flipping bits) works, only this time blocks are affected.

3

Definition 4.1 Message Authentication Code

A message authentication code (MAC) is a tuple such that:

• takes as input the security parameter and outputs a key with .

• takes as input a key and a message and We write: .

• takes as input a key a message and and outputs a bit We write, :=Vrfy(.

4

Message authentication experiment -(A,)

a. b. ..

5

Definition 4.2 -- Secure MAC

A message authentication code is existentially unforgeable under adaptive chosen message attack, or just secure, if for all probabilistic polynomial-time adversaries there exists a negligible function such that: -

6

Construction 4.3: A fixed length MAC from any PRF

Let be a pseudorandom function. Define a fixed length MAC on messages of length as follows:

• Gen: on input choose uniformly at random.

• Mac: on input a key and a message , output tag

(If then output nothing.)

• Vrfy: on input a key and a message , output 1 if and only if

(If then output 0.)

7

Theorem 4.4

Let be a pseudorandom function. Then Construction 4.3 is a fixed-length MAC for messages of length n that is existentially unforgeable under an adaptive chosen message attack.

8

A secure fixed length MAC: Proof

: -) LetMAC that is the same as except that a truly random function is used instead of a PRF . Then -.

9

Distinguisher D

is given access to and oracle O

1. Run : whenever queries its MAC oracle on a message , answer as follows:

• Query O. Return t to A.

2. When A outputs at the end of its execution do:

a) Query O with to get .

b) If and A never queried its MAC oracle with then output 1; else output 0.

10

Distinguisher D

If oracle is a PRF then,

If the oracle is a random function then, -

Therefore,

11

Distinguisher D

Since is a PRF it follows that there is a negligible function with Then and so is negligible.

12

Replay attacks

MACs do not protect against replay attacks. This is because the definition of a MAC does not incorporate any notion of state in the verification algorithm.

13

Construction 4.5: A variable length MAC

Let be a fixed length MAC for messages of length .

• Gen’: identical to Gen.

• Mac’: on input a key and a message of length parse into blocks of length and choose a random identifier in .

Compute , for and output

• Vrfy: parse into blocks and re-compute the MAC. Output 1 if and only if the answer is the same for all

14

Theorem 4.6

If ’ is a secure fixed length MAC for messages of length , then Construction 4.6 is a MAC that is existentially unforgeable under an adaptive chosen message attack.

15

Construction 4.9: CBC-MAC

Let be a pseudorandom function. Fix a length function The CBC-MAC construction is as follows:

• Gen: on input choose uniformly at random.

• Mac: on input a key and message

1. Parse into blocks of length , and set .

2. Compute for

Output

• Vrfy: on input a key , a message , and a tag output 1 if and only if .

16

Theorem 4.10

Let be a polynomial. If F is a pseudorandom function then Construction 4.9 is a fixed length MAC for messages of length that is existentially unforgeable under an adaptive chosen message attack.

17

CBC-MAC vs CBC-mode encryption

1. CBC-mode encryption uses a random IV. If we use a random IV for CBC-MAC then we lose security.

2. In CBC-mode encryption all encrypted blocks are output as part of the ciphertext. This is not the case with CBC-MAC. If we output all the blocks in CBC-MAC, we lose security.
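The first point above, as an added example (not from the slides or from Katz and Lindell): CBC-MAC with the fixed all-zero IV beside a variant that sends a random IV with the tag, each checked after the first message block is changed. The PRF stand-in (HMAC-SHA256 truncated to 16 bytes), the 16-byte block length, the function names and the sample message are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

N = 16  # block length in bytes (assumption; the slides use an abstract n)

def F(k: bytes, x: bytes) -> bytes:
    """Stand-in PRF (assumption): HMAC-SHA256 truncated to one block."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def cbc_mac(k: bytes, m: bytes, iv: bytes = bytes(N)) -> bytes:
    """Chain t_i = F_k(t_{i-1} XOR m_i) and return only the last block."""
    if not m or len(m) % N:
        raise ValueError("message must be a non-empty multiple of N bytes")
    t = iv
    for i in range(0, len(m), N):
        t = F(k, xor(t, m[i:i + N]))
    return t

def vrfy(k: bytes, m: bytes, tag: bytes) -> bool:
    """Fixed all-zero IV; constant-time tag comparison."""
    return hmac.compare_digest(cbc_mac(k, m), tag)

def mac_random_iv(k: bytes, m: bytes) -> tuple[bytes, bytes]:
    """Weak variant: a fresh IV is chosen and sent along with the tag."""
    iv = secrets.token_bytes(N)
    return iv, cbc_mac(k, m, iv)

def vrfy_random_iv(k: bytes, m: bytes, iv: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(cbc_mac(k, m, iv), tag)

def demo() -> tuple[bool, bool]:
    k = secrets.token_bytes(32)
    m = b"PAY 0000100 USD " + b"TO ACCOUNT 12345"   # constructed sample
    delta = xor(m[:N], b"PAY 9999100 USD ")          # change to first block
    altered = xor(m[:N], delta) + m[N:]
    # Random IV: the same delta applied to the IV cancels inside the first
    # XOR, so the unchanged tag still verifies for the altered message.
    iv, tag = mac_random_iv(k, m)
    weak_accepts = vrfy_random_iv(k, altered, xor(iv, delta), tag)
    # Fixed IV: nothing sent alongside the tag can absorb the change.
    fixed_accepts = vrfy(k, altered, cbc_mac(k, m))
    return weak_accepts, fixed_accepts
```

`demo()` returns whether the random-IV variant and the fixed-IV construction accept the altered message under the original tag.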

18

Secure CBC-MAC for variable length messages

1. Prepend the message with length and then compute the basic CBC-MAC. If we append instead of prepending it we lose security.

2. Choose two keys Compute the CBC-MAC with the first key to get . The tag is .

19

Variable length CBC-MAC

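[Figure: CBC-MAC chain for a variable-length message. The blocks |m|, m1, m2, m3 are fed in order through F_k, and the final output is the tag t.]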