


Lecture notes from Introduction to Cryptography. This lecture includes: Message Authentication, Data Authenticity, Definition, Security, Attack Model, Fixed Length, Arbitrary Length



Recommended Reading.
Message Authentication Codes: private-key version. The two parties, sender and receiver, share a private key, which is used to verify that the message comes from the person with whom the key is shared.

Digital Signatures: public-key version. Anyone can verify.
Definition 1 A message authentication code consists of three algorithms $(G, M, V)$ such that:
Associated with the scheme is a message space $P$ from which $m$ is allowed to be drawn. We require $V_k(m, M_k(m)) = \text{accept}$ for all $m \in P$, $k \xleftarrow{R} G(1^n)$.
We may allow randomized or stateful tagging algorithms, but (unlike encryption) deterministic stateless schemes are possible.
Defining security:
Definition 2 (unforgeability under adaptive chosen message attack) A message authentication scheme $(G, M, V)$ is secure if for every PPT $A$, there is a negligible function $\varepsilon$ such that

$$\Pr\left[A^{M_k(\cdot)}(1^n) \text{ forges}\right] \le \varepsilon(n) \quad \forall n,$$

where "$A$ forges" means that $A$ produces a pair $(m, t)$ for which (a) $V_k(m, t) = \text{accept}$, and (b) $m$ is different from all of $A$'s queries to the $M_k$-oracle.
Simple construction: $M_k(m) \stackrel{\text{def}}{=} f_k(m)$, where $F_n = \{f_k : \{0,1\}^n \to \{0,1\}^n\}$ is a pseudorandom function family.

$$V_k(m, t) = \begin{cases} \text{accept} & \text{if } f_k(m) = t \\ \text{reject} & \text{otherwise} \end{cases}$$
Note that the construction is deterministic and stateless.
Theorem 3 If $F = \bigcup_n F_n$ is a pseudorandom function family, then the MAC defined above is secure.
Proof Sketch: Let A be any PPT.
Claim 4 The probability that $A$ forges when a truly random function is used (i.e., in the Ideal MAC) is $\le 2^{-n}$.
We use the dynamic view of the truly random function $f$: the values of $f$ are generated on the fly. $f(m)$ is chosen at random, so $\Pr[t = f(m)] = \frac{1}{2^n}$.
Claim 5 The probability that $A$ forges when a pseudorandom function is used is at most $2^{-n} + \mathrm{neg}(n)$.
(a) $r$ has appeared in only one MAC $m' = m'_1, \cdots, m'_d$, $t' = (r, t'_1 \cdots t'_d)$ that $A'$ has seen. Since $m' \neq m$ (by definition of a forgery), it must be the case that $m'_i \neq m_i$ for some $i$. Again, one can use this fact to transform $A'$ into a forger $A$ for $(G, M, V)$.
(b) $r$ has appeared more than once. This event happens with probability smaller than $q^2 / 2^{n/3}$, where $q$ is the number of MAC queries made by $A'$ (which is negligible in $n$).
CBC MAC: The previous construction involves $d$ applications of $(G, M, V)$ and the size of the resulting tag is $dn$. For practical purposes it would be desirable to have a shorter tag. One example of a more efficient MAC is the CBC MAC, which we describe next. Let $F = \{f_k : \{0,1\}^n \to \{0,1\}^n\}$ be a family of pseudorandom functions (or pseudorandom permutations). Define a MAC over message space $\{0,1\}^{d \cdot n} = (\{0,1\}^n)^d$ by defining $M_k(m_1, \cdots, m_d) = y_d$, where $y_i = f_k(m_i \oplus y_{i-1})$ and $y_0 = 0^n$.
Theorem 7 CBC MAC is secure for message space $\{0,1\}^{d \cdot k}$.
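The following Python sketch of the CBC MAC recurrence is an added example, not part of the original notes. It shows why the verifier has to enforce the fixed block count $d$ that the theorem assumes. The assumptions are ours: HMAC-SHA256 truncated to $n$ bits stands in for the pseudorandom function $f_k$, $n$ is 128 bits, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

N = 16  # block size n in bytes (assumption: n = 128 bits)

def f(k: bytes, block: bytes) -> bytes:
    """Stand-in PRF f_k on n-bit blocks (assumption: truncated HMAC-SHA256)."""
    assert len(block) == N
    return hmac.new(k, block, hashlib.sha256).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_chain(k: bytes, m: bytes) -> bytes:
    """y_0 = 0^n, y_i = f_k(m_i XOR y_{i-1}); returns the final y."""
    if len(m) == 0 or len(m) % N:
        raise ValueError("message must be a positive whole number of n-byte blocks")
    y = bytes(N)
    for i in range(0, len(m), N):
        y = f(k, xor(m[i:i + N], y))
    return y

def mac(k: bytes, m: bytes, d: int) -> bytes:
    """M_k over the fixed-length message space ({0,1}^n)^d."""
    if len(m) != d * N:
        raise ValueError("message is not exactly d blocks")
    return cbc_chain(k, m)

def verify(k: bytes, m: bytes, t: bytes, d: int) -> bool:
    """V_k: accept only d-block messages whose recomputed tag equals t."""
    if len(m) != d * N:
        return False
    return hmac.compare_digest(cbc_chain(k, m), t)

def length_mixing_collision(k: bytes) -> bool:
    """A 1-block tag t also matches the 2-block message m || (m XOR t)."""
    m = b"constructed-msg!"      # constructed 16-byte sample block
    t = cbc_chain(k, m)          # tag of the 1-block message
    longer = m + xor(m, t)       # second block cancels the chaining value
    # The bare chain gives the same tag; the fixed-d verifier rejects it.
    return cbc_chain(k, longer) == t and not verify(k, longer, t, d=1)

if __name__ == "__main__":
    key = os.urandom(32)
    msg = b"A" * N + b"B" * N    # constructed 2-block sample message
    print(verify(key, msg, mac(key, msg, d=2), d=2), length_mixing_collision(key))
```

The collision is independent of the key and of the choice of $f_k$, which is why the length check belongs in `verify` rather than being left to the caller.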