CIS 5371 Cryptography
4. Message Authentication Codes
Based on: Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography
Message Authentication Codes
Encryption vs message authentication
• Different functionalities
• Encryption does not provide message authentication!
• Encryption with stream ciphers
• For one just needs to flip a bit of the ciphertext.
• Encryption with block ciphers
• Same attack (flipping bits) works, only this time blocks are affected.
Definition 4.1 Message Authentication Code
A message authentication code (MAC) is a tuple such that:
• takes input the security parameter and outputs a key with .
• takes as input a key and a message and We write: .
• takes as input a key a message and and outputs a bit We write, :=Vrfy(.
Definition 4.2 -- Secure MAC
A message authentication code is existentially unforgeable under adaptive chosen message attack, or just secure, if for all probabilistic polynomial-time adversaries there exists a negligible function such that: -
Construction 4.3
A fixed length MAC from any PRF
Let be a pseudorandom function. Define a fixed length MAC on messages of length as follows:
• Gen: on input choose uniformly at random.
• Mac: on input a key and a message , output tag
(If then output nothing.)
• Vrfy: on input a key and a message , output 1 if and only if
(If then output 0.)
Theorem 4.4
Let be a pseudorandom function. Then Construction 4.3 is a fixed-length MAC for messages of length n that is existentially unforgeable under an adaptive chosen message attack.
A secure fixed length MAC Proof
: -) LetMAC that is the same as except that a truly random function is used instead of a PRF . Then -.
Distinguisher D
is given access to and oracle O
1. Run : whenever queries its MAC oracle on a message , answer as follows:
• Query O. Return t to A.
2. When A outputs at the end of its execution do:
a) Query O with to get .
b) If and A never queried its MAC oracle with then output 1; else output 0.
Distinguisher D
Since is a PRF it follows that there is a negligible function with Then and so is negligible.
Replay attacks
MACs do not protect against replay attacks. This is because the definition of a MAC does not incorporate any notion of state in the verification algorithm.
Construction 4.5
A variable length MAC
Let be fixed length MAC for messages of length .
• Gen’: identical to Gen.
• Mac’: on input a key and a message of length parse into blocks of length and choose a random identifier in .
Compute , for and output
• Vrfy: parse into blocks and re-compute the MAC. Output 1 if and only if the answer is the same for all
Theorem 4.6
If ’ is a secure fixed length MAC for messages of length , then Construction 4.6 is a MAC that is existentially unforgeable under an adaptive chosen message attack.
Construction 4.9 CBC-MAC
Let be a pseudorandom function. Fix a length function The CBC-MAC construction is as follows:
• Gen: on input choose uniformly at random.
• Mac: on input a key and message
1. Parse into blocks of length , and set .
2. Compute for
Output
• Vrfy: on input a key , a message , and a tag output 1 if and only if .
Theorem 4.10
Let be a polynomial. If F is a pseudorandom function then Construction 4.9 is a fixed length MAC for messages of length that is existentially unforgeable under an adaptive chosen message attack.
CBC-MAC vs CBC-mode encryption
1. CBC-mode encryption uses a random IV. If we use a random IV for CBC-MAC then we lose security.
2. In CBC-mode encryption all encrypted blocks are output as part of the ciphertext. This is not the case with CBC-MAC. If we do so we lose security.
Secure CBC-MAC for variable length messages
1. Prepend the message with length and then compute the basic CBC-MAC. If we append instead of prepending it we lose security.
2. Choose two keys Compute the CBC-MAC with the first key to get . The tag is .
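
The sketch below is an added example, not part of the original slides. It implements Construction 4.9 with both variable-length fixes and checks the standard textbook splice that limits basic CBC-MAC to fixed-length messages; this goes slightly beyond what the slides state. The PRF is a stand-in (HMAC-SHA256 truncated to 16 bytes), and the block size and all function names are assumptions.

```python
import hashlib
import hmac
import os

N = 16  # block length n in bytes (assumed for this example)

def F(k, x):
    # Stand-in PRF (assumption): HMAC-SHA256 truncated to one block.
    return hmac.new(k, x, hashlib.sha256).digest()[:N]

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def cbc_mac(k, m):
    # Basic CBC-MAC: t_0 is the fixed all-zero block, never a random IV,
    # and only the final chaining value is output as the tag.
    if not m or len(m) % N:
        raise ValueError("message must be a positive multiple of N bytes")
    t = bytes(N)
    for i in range(0, len(m), N):
        t = F(k, xor(t, m[i:i + N]))
    return t

def cbc_mac_prepend_len(k, m):
    # Fix 1: prepend the message length as its own block.
    return cbc_mac(k, len(m).to_bytes(N, "big") + m)

def cbc_mac_two_key(keys, m):
    # Fix 2: CBC-MAC under the first key, then apply F under the second.
    k1, k2 = keys
    return F(k2, cbc_mac(k1, m))

def splice_accepted(mac, key):
    # Request tags on two one-block messages, then test whether the
    # unqueried two-block message m1 || (m2 XOR tag1) verifies under tag2.
    m1, m2 = b"A" * N, b"B" * N  # constructed sample blocks
    tag1, tag2 = mac(key, m1), mac(key, m2)
    spliced = m1 + xor(m2, tag1)
    return hmac.compare_digest(mac(key, spliced), tag2)

if __name__ == "__main__":
    k = os.urandom(N)
    print("basic CBC-MAC accepts splice:   ", splice_accepted(cbc_mac, k))
    print("length-prepended accepts splice:", splice_accepted(cbc_mac_prepend_len, k))
    print("two-key variant accepts splice: ", splice_accepted(cbc_mac_two_key, (k, os.urandom(N))))
```

Basic CBC-MAC accepts the spliced message because its second-block input cancels the first chaining value; both fixes change the chaining input or hide the intermediate value, so the same splice fails.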