Cryptography Message Authentication, Lecture Notes - Computer Science, Study notes of Cryptography and System Security

Prof. Salil Vadhan, Prof. Alon Rosen, Computer Science, Cryptography, Message Authentication, Harvard, Lecture Notes

Typology: Study notes

2010/2011

Uploaded on 11/02/2011

thecoral

CS 120/ E-177: Introduction to Cryptography

Salil Vadhan and Alon Rosen Nov. 22, 2006

Lecture Notes 16:

Message Authentication

Recommended Reading.

  • Katz-Lindell 4.1–4.5

1 The Problem

  • Data authenticity: How do you know whether a message you receive actually came from who you think it did? And was not tampered with?
  • Telephone: their voice. Written letters: handwriting, signature. Electronic communications? E-mail headers?
  • Not provided by encryption! The authenticity problem is different from the privacy problem. Here we want data integrity, but many encryption schemes are malleable (i.e. the plaintext can easily be modified by modifying the ciphertext).
  • Idea: attach a tag or signature to every message that authenticates it as coming from a particular party.

  • Message Authentication Codes: private-key version. The two parties, sender and receiver, share a private key to verify that the message comes from the person with whom the key is shared.
  • Digital Signatures: public-key version. Anyone can verify.

2 The Definition

Definition 1 A message authentication code consists of three algorithms (G, M, V) such that:

  • The key generation algorithm G is a randomized algorithm that returns a key k; we write k ←R G(1^n).
  • The tagging algorithm M is a (possibly) randomized algorithm that takes a key k and a message m and outputs a tag t; we write t ←R M_k(m).
  • The verification algorithm V is a deterministic algorithm that takes a key k, a message m, and a tag t, and outputs V_k(m, t) ∈ {accept, reject}.

Associated with the scheme is a message space P from which m is allowed to be drawn. We require V_k(m, M_k(m)) = accept for all m ∈ P, k ←R G(1^n).

We may allow randomized or stateful tagging algorithms, but unlike encryption, deterministic stateless schemes are possible.

Defining security:

  • The adversary's goal is to produce a forgery, i.e. produce any pair (m, t) such that V_k(m, t) = accept. We will not make any assumptions on the formatting of messages, so even if m is nonsensical, it still counts as a forgery.
  • Attack model: chosen message attack. The adversary selects messages m_i and gets to see their tags t_i before trying to produce a forgery. We allow an adaptive attack, i.e. the adversary can select m_{i+1} based on (m_1, t_1), …, (m_i, t_i).
  • Unavoidable attacks: we will not protect against replay attacks in our definition (though there are various ways of accomplishing this, through a stateful verification algorithm). We will require that the forgery (m, t) is not one of the adversary's queries.

Definition 2 (unforgeability under adaptive chosen message attack) A message authentication scheme (G, M, V) is secure if for every PPT A, there is a negligible function ε such that

Pr[ A^{M_k(·)}(1^n) forges ] ≤ ε(n)  ∀n,

where A forges ≡ A produces a pair (m, t) for which (a) V_k(m, t) = accept, and (b) m is different from all of A's queries to the M_k-oracle.

  • Preventing Replay Attacks: time stamps, counters, unique identifiers.
  • As usual, the definition is conservative and errs on the safe side.

3 MACs for Fixed Length

Simple construction: M_k(m) := f_k(m), where F_n = {f_k : {0,1}^n → {0,1}^n} is a pseudorandom function family.

V_k(m, t) = accept if f_k(m) = t, reject otherwise.

Note that the construction is deterministic and stateless.
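As an added example (not code from the notes), the fixed-length construction above written out as (G, M, V), together with the replay caveat from Section 2 made concrete: the stateless V accepts a replayed (m, t) by design, while a stateful verifier that binds a counter into the message rejects it. The PRF f_k is assumed to be HMAC-SHA256 truncated to n = 128 bits, since the notes leave the family abstract; the counter-and-payload message layout and the class name are this example's own.

```python
import hmac
import hashlib
import secrets

N = 16  # n in bytes: messages and tags are n-bit strings (n = 128 here)

# Assumption: the PRF f_k is stood in for by HMAC-SHA256 truncated to n bytes;
# the notes keep the family abstract (in practice a block cipher such as AES).
def prf(k: bytes, x: bytes) -> bytes:
    return hmac.new(k, x, hashlib.sha256).digest()[:N]

def gen() -> bytes:
    """G: randomized key generation, k <-R G(1^n)."""
    return secrets.token_bytes(N)

def tag(k: bytes, m: bytes) -> bytes:
    """M_k(m) = f_k(m): deterministic and stateless, defined only on n-bit messages."""
    if len(m) != N:
        raise ValueError("message outside the fixed-length message space {0,1}^n")
    return prf(k, m)

def verify(k: bytes, m: bytes, t: bytes) -> bool:
    """V_k(m, t): accept iff f_k(m) = t (constant-time compare: no leak of matching bytes)."""
    if len(m) != N or len(t) != N:
        return False
    return hmac.compare_digest(prf(k, m), t)

def make_msg(ctr: int, payload: bytes) -> bytes:
    """Sender-side layout (this example's own): 4-byte big-endian counter || payload,
    zero-padded to one n-byte block, so counter and payload occupy fixed-width fields."""
    if len(payload) > N - 4:
        raise ValueError("payload too long for one block")
    return ctr.to_bytes(4, "big") + payload.ljust(N - 4, b"\0")

class ReplayRejectingVerifier:
    """Stateful verification, the notes' remedy for replay: accept (m, t) only if the tag
    verifies AND the counter in m exceeds the last accepted one. Stateless V accepts replays."""
    def __init__(self, k: bytes):
        self.k = k
        self.last = -1

    def verify(self, m: bytes, t: bytes) -> bool:
        if not verify(self.k, m, t):
            return False
        ctr = int.from_bytes(m[:4], "big")
        if ctr <= self.last:
            return False  # authentic but already seen: a replay
        self.last = ctr
        return True
```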

Theorem 3 If F = ⋃_n F_n is a pseudorandom function family, then the MAC defined above is secure.

Proof Sketch: Let A be any PPT.

Claim 4 The probability that A forges when a truly random function is used (i.e., in the Ideal MAC) is ≤ 2^{−n}.

We use the dynamic view of the truly random function f: the values of f are generated on the fly. f(m) is chosen at random, so Pr[t = f(m)] = 1/2^n.

Claim 5 The probability that A forges when a pseudorandom function is used is at most 2^{−n} + neg(n).

  1. The forgery t = (r, t_1, …, t_d) does not contain a "new" r. Here we have two sub-cases:

     (a) r has appeared in only one MAC m′ = m′_1, …, m′_d, t′ = (r, t′_1, …, t′_d) that A′ has seen. Since m′ ≠ m (by definition of a forgery), it must be the case that m′_i ≠ m_i for some i. Again, one can use this fact to transform A′ into a forger A for (G, M, V).
     (b) r has appeared more than once. This event happens with probability smaller than q²/2^{n/3}, where q is the number of MAC queries made by A′ (which is negligible in n).

CBC MAC: The previous construction involves d applications of (G, M, V) and the size of the resulting tag is dn. For practical purposes it would be desirable to have a shorter tag. One example of a more efficient MAC is the CBC MAC, which we describe next. Let F = {f_k : {0,1}^n → {0,1}^n} be a family of pseudorandom functions (or pseudorandom permutations). Define a MAC over message space {0,1}^{d·n} = ({0,1}^n)^d by defining M_k(m_1, …, m_d) = y_d, where y_i = f_k(m_i ⊕ y_{i−1}) and y_0 = 0^n.

Theorem 7 CBC MAC is secure for message space {0,1}^{d·k}.
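The CBC MAC above as an added example, not code from the notes: f_k is assumed to be HMAC-SHA256 truncated to n bytes in place of a block cipher, d is fixed at 4 blocks, and both tagging and verification refuse any message outside the fixed-length message space for which Theorem 7 is stated.

```python
import hmac
import hashlib
import secrets

N = 16  # block length n in bytes
D = 4   # fixed block count d: the message space is {0,1}^{d*n} = ({0,1}^n)^d

# Assumption: f_k is stood in for by HMAC-SHA256 truncated to n bytes; the notes take
# an abstract PRF/PRP family, and in practice f_k is a block cipher such as AES.
def f(k: bytes, x: bytes) -> bytes:
    return hmac.new(k, x, hashlib.sha256).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def gen() -> bytes:
    """G: k <-R G(1^n)."""
    return secrets.token_bytes(N)

def blocks(m: bytes) -> list:
    """Split m into m_1, ..., m_d; reject anything outside the fixed-length message
    space, since Theorem 7 is only stated for exactly d blocks."""
    if len(m) != D * N:
        raise ValueError(f"message must be exactly {D} blocks of {N} bytes")
    return [m[i * N:(i + 1) * N] for i in range(D)]

def cbc_mac(k: bytes, m: bytes) -> bytes:
    """M_k(m_1, ..., m_d) = y_d with y_0 = 0^n and y_i = f_k(m_i XOR y_{i-1}).
    Only the final chaining value is output: an n-bit tag rather than the d*n-bit tag
    of the block-by-block construction, and no intermediate y_i is revealed."""
    y = bytes(N)  # y_0 = 0^n (a fixed value, not a random IV)
    for m_i in blocks(m):
        y = f(k, xor(m_i, y))
    return y

def verify(k: bytes, m: bytes, t: bytes) -> bool:
    """V_k(m, t): accept iff m is in the message space and recomputing y_d gives t."""
    if len(m) != D * N or len(t) != N:
        return False
    return hmac.compare_digest(cbc_mac(k, m), t)
```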

  • DES CBC MAC used extensively in practice.
  • There are other ways to convert fixed-length MACs into arbitrary-length MACs, e.g. hash-then-MAC, which we'll see next time.