CIS 5371 Cryptography
4a. Message Authentication Codes
Based on: Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography

Message Authentication Codes

Encryption vs message authentication
• Different functionalities
  o Encryption does not provide message authentication!
• Encryption with stream ciphers
  o For $c := G_\infty(k) \oplus m$ one just needs to flip a bit of the ciphertext.
• Encryption with block ciphers
  o Same attack (flipping bits) works, only this time blocks are affected.

Definition 4.2 Message Authentication Code

A message authentication code (MAC) is a tuple (Gen, Mac, Vrfy) such that:
• Gen takes as input the security parameter $1^n$ and outputs a key $k$ with $|k| \ge n$.
• Mac takes as input a key $k$ and a message $m \in \{0,1\}^*$ and outputs a tag $t$. We write: $t \leftarrow \mathrm{Mac}_k(m)$ (the algorithm may be randomized).
• Vrfy takes as input a key $k$, a message $m \in \{0,1\}^*$ and a tag $t$ and outputs a bit $b$: $b = 1$ means valid, while $b = 0$ means invalid. We write: $b := \mathrm{Vrfy}_k(m, t)$.

Message authentication experiment $\text{Mac-forge}_{A,\Pi}(n)$

1. A random key $k$ is generated by running $\mathrm{Gen}(1^n)$.
2. The adversary $A$ is given input $1^n$ and oracle access to $\mathrm{Mac}_k(\cdot)$. The adversary eventually outputs a pair $(m, t)$. Let $Q$ be the set of all queries $A$ asked the oracle.
3. The output of the experiment is 1 if and only if
   a. $\mathrm{Vrfy}_k(m, t) = 1$, and
   b. $m \notin Q$.

Definition 4.3 -- Secure MAC

A message authentication code $\Pi$ = (Gen, Mac, Vrfy) is existentially unforgeable under adaptive chosen message attack, or just secure, if for all probabilistic polynomial-time adversaries $A$, there exists a negligible function negl such that:
$\Pr[\text{Mac-forge}_{A,\Pi}(n) = 1] \le \mathrm{negl}(n)$.

Construction 4.5 A fixed length MAC from any PRF

Let $F$ be a pseudorandom function. Define a fixed length MAC on messages of length $n$ as follows:
• Gen: on input $1^n$ choose $k \leftarrow \{0,1\}^n$ uniformly at random.
• Mac: on input a key $k \in \{0,1\}^n$ and a message $m \in \{0,1\}^n$, output tag $t := F_k(m)$. (If $|m| \ne |k|$ then output nothing.)
• Vrfy: on input a key $k \in \{0,1\}^n$ and a message $m \in \{0,1\}^n$, output 1 if and only if $t = F_k(m)$. (If $|m| \ne |k|$ then output 0.)

Theorem 4.6

Let $F$ be a pseudorandom function. Then Construction 4.3 is a fixed-length MAC for messages of length $n$ that is existentially unforgeable under an adaptive chosen message attack.

A secure fixed length MAC

Proof. Let $A$ be a probabilistic polynomial time adversary. Define:
$\varepsilon(n) := \Pr[\text{Mac-forge}_{A,\Pi}(n) = 1]$
Let $\tilde{\Pi}$ be a MAC that is the same as $\Pi$ = (Gen, Mac, Vrfy) except that a truly random function $f$ is used instead of a PRF $F_k$. Then
$\Pr[\text{Mac-forge}_{A,\tilde{\Pi}}(n) = 1] = 2^{-n}$.

Distinguisher D

$D$ is given access to an oracle $O : \{0,1\}^n \to \{0,1\}^n$.
1. Run $A(1^n)$: whenever $A$ queries its MAC oracle on a message $m$, answer as follows:
   • Query $O$ with $m$ to get response $t$. Return $t$ to $A$.
2. When $A$ outputs $(m, t)$ at the end of its execution do:
   a) Query $O$ with $m$ to get $t'$.
   b) If $t' = t$ and $A$ never queried its MAC oracle with $m$ then output 1; else output 0.

If the oracle is a PRF then
$\Pr[D^{F_k(\cdot)}(1^n) = 1] = \Pr[\text{Mac-forge}_{A,\Pi}(n) = 1] = \varepsilon(n)$
If the oracle is a random function then
$\Pr[D^{f(\cdot)}(1^n) = 1] = \Pr[\text{Mac-forge}_{A,\tilde{\Pi}}(n) = 1] = \frac{1}{2^n}$
Therefore,
$|\Pr[D^{F_k(\cdot)}(1^n) = 1] - \Pr[D^{f(\cdot)}(1^n) = 1]| \le \varepsilon(n) + \frac{1}{2^n}$

Since $F$ is a PRF it follows that there is a negligible function negl with
$\varepsilon(n) + 2^{-n} = \mathrm{negl}(n)$,
and so $\varepsilon(n)$ is negligible.

Replay attacks

MACs do not protect against replay attacks. This is because the definition of a MAC does not incorporate any notion of state in the verification algorithm.
• Two common techniques for preventing replay attacks involve the use of sequence numbers and time stamps.

Construction 4.7 A variable length MAC

Let $\Pi'$ = (Gen', Mac', Vrfy') be a fixed length MAC for messages of length $n$. Define the MAC $\Pi$ = (Gen, Mac, Vrfy) as follows:
• Gen: identical to Gen'.
• Mac: on input key $k \in \{0,1\}^n$ and message $m \in \{0,1\}^*$ of length $\ell < 2^{n/4}$, parse $m = m_1 \cdots m_d$ into blocks of length $n/4$ and choose a random identifier $r$ in $\{0,1\}^{n/4}$. Compute $t_i \leftarrow \mathrm{Mac}'_k(r \| \ell \| i \| m_i)$, for $i = 1, \ldots, d$, and output $t := (r, t_1, \ldots, t_d)$.
• Vrfy: parse $m$ into $d$ blocks and re-compute the MAC. Output 1 if and only if the answer is the same for all $t_i$, $i = 1, \ldots, d$, of the $r \| \ell \| i \| m_i$.

Theorem 4.6

If $\Pi'$ is a secure fixed length MAC for messages of length $n$, then Construction 4.6 is a MAC that is existentially unforgeable under an adaptive chosen message attack.

Construction 4.9 Fixed length CBC-MAC

Let $F$ be a pseudorandom function. Fix a length function $\ell$. The CBC-MAC construction is as follows:
• Gen: on input $1^n$ choose $k \leftarrow \{0,1\}^n$ uniformly at random.
• Mac: on input a key $k \in \{0,1\}^n$ and message $m \in \{0,1\}^{\ell(n) \cdot n}$:
  1. Parse $m = m_1 \cdots m_\ell$ into blocks of length $n$, and set $t_0 := 0^n$.
  2. Compute $t_i \leftarrow F_k(t_{i-1} \oplus m_i)$, for $i = 1, \ldots, \ell$.
  Output $t := t_\ell$.
• Vrfy: on input a key $k \in \{0,1\}^n$, a message $m \in \{0,1\}^{\ell(n) \cdot n}$, and a tag $t$, output 1 if and only if $t = \mathrm{Mac}_k(m)$.

Theorem 4.10

Let $\ell$ be a polynomial. If $F$ is a pseudorandom function then Construction 4.9 is a fixed length MAC for messages of length $\ell(n) \cdot n$ that is existentially unforgeable under an adaptive chosen message attack.

CBC-MAC vs CBC-mode encryption

1. CBC-mode encryption uses a random IV. If we use a random IV for CBC-MAC then we lose security.
2. In CBC-mode encryption all encrypted blocks are output as part of the ciphertext. This is not the case with CBC-MAC. If we do so we lose security.

CBC-MAC

[Figure: CBC-MAC chain. Blocks $m_1, m_2, m_3$ are fed in turn through $F_k$, each later block XORed with the previous output; the final output is the tag $t$.]

CBC-MAC – however …

[Figure: the same chain with an additional leading input block (index 0) ahead of $m_1, m_2, m_3$ and four applications of $F_k$; the final output is the tag $t$.]

Secure CBC-MAC for variable length messages – three options

1. Apply the pseudorandom function to the length $\ell$ of the input message $m$ to get a key $k_\ell$, e.g. set $k_\ell := F_k(\ell)$. Then compute the CBC-MAC with this key.
2. Prepend the message $m$ with length $|m|$ and then compute the basic CBC-MAC. If we append the length instead of prepending it we lose security.
3. Choose two keys $k_1, k_2$. Compute the CBC-MAC with the first key to get $t$. The tag is $\hat{t} := F_{k_2}(t)$.

Variable length CBC-MAC

[Figure: CBC-MAC chain with the length $|m|$ as the first input block, followed by $m_1, m_2, m_3$, each step passing through $F_k$; the final output is the tag $t$.]
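
An added example (not part of the original slides) of why Construction 4.9 is stated for fixed-length messages only: with the basic CBC-MAC, the tag $t$ of a one-block message $m_1$ also verifies for the two-block message $m_1 \| (m_1 \oplus t)$, while options 2 and 3 above reject it. Assumptions: HMAC-SHA256 truncated to 16 bytes stands in for the PRF $F_k$, and the keys, the sample message and all function names are constructed for illustration.

```python
import hashlib
import hmac

N = 16  # block length n in bytes (value chosen for this example)

def F(k: bytes, x: bytes) -> bytes:
    """Stand-in PRF F_k on n-byte blocks (assumption: HMAC-SHA256 truncated to n bytes)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def cbc_mac(k: bytes, m: bytes) -> bytes:
    """Basic CBC-MAC: t_0 = 0^n, t_i = F_k(t_{i-1} XOR m_i), tag = last t_i."""
    if not m or len(m) % N:
        raise ValueError("message length must be a positive multiple of n")
    t = bytes(N)
    for i in range(0, len(m), N):
        t = F(k, xor(t, m[i:i + N]))
    return t

def cbc_mac_prepend_len(k: bytes, m: bytes) -> bytes:
    """Option 2: prepend |m| as its own block, then run the basic CBC-MAC."""
    return cbc_mac(k, len(m).to_bytes(N, "big") + m)

def cbc_mac_two_key(k1: bytes, k2: bytes, m: bytes) -> bytes:
    """Option 3: CBC-MAC under k1, then apply F under k2 to the result."""
    return F(k2, cbc_mac(k1, m))

def accepts_extended_message(mac, m1: bytes) -> bool:
    """Request one tag t on the block m1, then check whether verification accepts
    the never-queried two-block message m1 || (m1 XOR t) with the same tag t."""
    t = mac(m1)
    m2 = m1 + xor(m1, t)
    return hmac.compare_digest(mac(m2), t)

def compare_constructions(k1: bytes, k2: bytes, m1: bytes) -> dict:
    return {
        "basic": accepts_extended_message(lambda m: cbc_mac(k1, m), m1),
        "prepend_len": accepts_extended_message(lambda m: cbc_mac_prepend_len(k1, m), m1),
        "two_key": accepts_extended_message(lambda m: cbc_mac_two_key(k1, k2, m), m1),
    }

if __name__ == "__main__":
    # Constructed sample keys and message, for illustration only.
    print(compare_constructions(b"A" * N, b"B" * N, b"pay 10 to alice!"))
```

In the basic construction the second chaining step computes $F_k(t \oplus m_1 \oplus t) = F_k(m_1) = t$, which is why the tag carries over; the length block in option 2 and the second key in option 3 break that equality.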