message authentication codes - umd
TRANSCRIPT
Message Authentication Codes Definition: A message authentication code (MAC) consists of three probabilistic polynomial-time algorithms (πΊππ, πππ, ππππ¦) such that: 1. The key-generation algorithm πΊππ takes as input the
security parameter 1π and outputs a key π with π β₯ π. 2. The tag-generation algorithm πππ takes as input a key π
and a message π β 0,1 β, and outputs a tag π‘. π‘ β ππππ(π).
3. The deterministic verification algorithm ππππ¦ takes as input a key π, a message π, and a tag π‘. It outputs a bit π with π = 1 meaning valid and π = 0 meaning invalid. π β ππππ¦π(π, π‘).
It is required that for every π, every key π output by πΊππ(1π), and every π β 0,1 β, it holds that ππππ¦π π, ππππ π = 1.
Existential Unforgeability under CMA Attacker
Challenger π β πΊππ()
π‘ β πππ(π,π)
π
π‘ β¦
(πβ, π‘β)
Set of queries π
forgery
Attacker βwinsβ if : 1. πβ β π 2. ππππ¦ π,πβ, π‘β = 1 Security Requirement: Any efficient attacker wins with probability at most ππππππππππ
CBC-MAC Let πΉ be a pseudorandom function, and fix a length function β. The basic CBC-MAC construction is as follows:
β’ πππ: on input a key π β 0,1 π and a message π of length β π β π, do the following: 1. Parse π as π = π1, β¦ , πβ where each ππ is of length π.
2. Set π‘0 β 0π. Then, for π = 1 π‘π β:
Set π‘π β πΉπ(π‘πβ1 β ππ).
Output π‘β as the tag.
β’ ππππ¦: on input a key π β 0,1 π, a message π, and a tag π‘, do: If π is not of length β π β π then output 0. Otherwise, output 1 if and only if π‘ = ππππ(π).
CBC-MAC
Authenticated Encryption
β’ Definition: A private-key encryption scheme is an authenticated encryption scheme if it is CCA-secure and unforgeable.
CCA Security Attacker
Challenger π β πΊππ()
π β {0,1} πβ β πΈππ(π, π)
β¦
π0, π1
πβ
β¦
queries to Enc/Dec
queries to Enc/Dec (cannot query πβ)
challenge
πβ²
Attacker βwinsβ if πβ² = π.
CCA Security: Any efficient attacker wins with probability at most 1
2+ ππππππππππ
Generic Constructions
Encrypt-and-authenticate
Encryption and message authentication are computed independently in parallel.
π β πΈππππΈπ π‘ β πππππ
π
π, π‘
Is this secure? NO!
Authenticate-then-encrypt
Here a MAC tag π‘ is first computed, and then the message and tag are encrypted together.
π‘ β ππππππ π β πΈππππΈ
(π| π‘
π is sent
Is this secure? NO! Encryption scheme may not be CCA-secure.
Encrypt-then-authenticate
The message π is first encrypted and then a MAC tag is computed over the result
π β πΈππππΈπ π‘ β πππππ
π
π, π‘
Is this secure? YES! As long as the MAC is strongly secure.
Examples Consider multiplication modulo 23.
23 is a βsafe primeβ since 23 = 2*11 +1, where 11 is a prime.
20 πππ 23 1
21 πππ 23 2
22 πππ 23 4
23 πππ 23 8
24 πππ 23 16
25 πππ 23 32 β 9
26 πππ 23 18
27 πππ 23 36 β 13
28 πππ 23 26 β 3
29 πππ 23 6
210 πππ 23 12
211 πππ 23 24 β 1
Consider the following cyclic group generated by 2:
Actually, all of 2, 4, 8, 16, 9, 18, 13, 3, 6, 12 are generators and each of them raised to the 11 will be equal to 1 modulo 23.
Key Agreement
The key-exchange experiment πΎπΈπππ£π΄,Ξ
π :
1. Two parties holding 1π execute protocol Ξ . This results in a transcript π‘ππππ containing all the messages sent by the parties, and a key π output by each of the parties.
2. A uniform bit π β {0,1} is chosen. If π = 0 set π β π, and if π = 1 then choose π β 0,1 π uniformly at random.
3. π΄ is given π‘ππππ and π , and outputs a bit πβ². 4. The output of the experiment is defined to be 1 if πβ² = π and 0
otherwise. Definition: A key-exchange protocol Ξ is secure in the presence of an eavesdropper if for all ppt adversaries π΄ there is a negligible function πππ such that
Pr πΎπΈπππ£π΄,Ξ
π = 1 β€1
2+ πππ π .
Diffie-Hellman Key Exchange
Example for the group we saw above with generator π = 2:
Alice:
π₯ β 0,β¦ , 10 Say π₯ = 8 28 πππ 23 = 3 Output: 98 πππ 23
= 316 πππ 23 = 311 β 35 πππ 23 = 1 β 35 πππ 23 = 27 β 9 πππ 23 = 4 β 9 πππ 23
= 36 πππ 23 = ππ
Bob:
π¦ β 0,β¦ , 10 Say π¦ = 5 25 πππ 23 = 9 Output: 35 πππ 23
= 27 β 9 πππ 23 = 4 β 9 πππ 23
= 36 πππ 23 = ππ
3
9