CIS 5371 Cryptography
4a. Message Authentication Codes
Based on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography
1
Message Authentication
Codes
Encryption vs message authentication
• Different functionalities
 Encryption does not provide message
authentication!
• Encryption with stream ciphers
 For c ≔ 𝐺∞ (𝑘) ⊕ 𝑚 one just needs to flip a bit
of the ciphertext.
• Encryption with block ciphers
 Same attack (flipping bits) works, only this
time blocks are affected.
2
Definition 4.2
Message Authentication Code
A message authentication code (MAC) is a tuple
(𝐆𝐞𝐧, 𝐌𝐚𝐜, 𝐕𝐫𝐟𝐲) such that:
•
𝐆𝐞𝐧 takes input the security parameter 1𝑛 and outputs
a key 𝑘 with |𝑘| ≥ 𝑛.
•
𝐌𝐚𝐜 takes as input a key 𝑘 and a message 𝑚 ∈ {0,1}∗
and outputs a tag 𝑡.
We write: 𝑡  Mac𝑘 (𝑚) (the algorithm may be randomized).
•
𝐕𝐫𝐟𝐲 takes as input a key 𝑘, a message 𝑚 ∈ {0,1}∗
and a tag 𝑡 and outputs a bit 𝑏: 𝑏 = 1 means valid,
while 𝑏 = 0 means 𝑖𝑛𝑣𝑎𝑙𝑖𝑑.
We write: 𝑏 :=Vrfy(𝑚, 𝑡).
3
Message authentication experiment
𝐌𝐚𝐜-𝐟𝐨𝐫𝐠𝐞(A,) (𝒏)
1.
2.
3.
A random key 𝑘 is generated running Gen 1𝑛 .
The adversary A is given input 1𝑛 and oracle access
to Ma𝑐𝑘 ∙ .
The adversary eventually outputs a pair 𝑚, 𝑡 .
Let Q be the set of all queries A asked the oracle.
The output of the experiment i𝑠 1 if and only if
a.
Vrf𝑦𝑘 𝑚, 𝑡 = 1, and
b. .𝑚𝑄.
4
Definition 4.3 -- Secure MAC
A message authentication code = (Gen, Mac, Vrfy)
is existentially unforgeable under adaptive chosen
message attack, or just secure, if for all probabilistic
polynomial-time adversaries 𝐴, there exists a
negligible function negl such that:
Pr[Mac-forge(A,) 𝑛 = 1] ≤ negl.
5
Construction 4.5
A fixed length MAC from any PRF
Let 𝐹 be a pseudorandom function. Define a fixed
length MAC on messages of length 𝑚 as follows:
• Gen: on input 1𝑛 choose 𝑘  {0,1}𝑛 uniformly at
random.
• Mac: on input a key 𝑘  {0,1}𝑛 and a message
𝑚{0,1}𝑛 , output tag
𝑡 ≔ 𝐹𝑘 𝑚 .
(If 𝑚 ≠ |𝑘| then output nothing.)
• Vrfy: on input a key 𝑘  {0,1}𝑛 and a message
𝑚{0,1}𝑛 , output 1 if and only if 𝑡 = 𝐹𝑘 𝑚 .
(If 𝑚 ≠ |𝑘| then output 0.)
6
Theorem 4.6
Let 𝐹 be a pseudorandom function.
Then Construction 4.3 is a fixed-length MAC
for messages of length n that is existentially
unforgeable under an adaptive chosen message
attack.
7
A secure fixed length MAC
Proof
Let A be a probabilistic polynomial time adversary.
Define:
𝜀 𝑛 ≝ Pr[Mac-forge(A,) 𝑛 = 1]
Let Π be a MAC that is the same as Π = (Gen, Mac, Vrfy)
except that a truly random function 𝑓 is used instead of
a PRF 𝐹𝑘 .
Then
Pr[Mac-forge(𝐴,Π) 𝑛 = 1] = 2−𝑛 .
8
Distinguisher D
𝐷 is given access to an oracle O ∶ {0,1}𝑛 → {0,1}𝑛
1. Run A 1𝑛 : whenever A queries its MAC oracle on a
message 𝑚, answer as follows:
• Query O with 𝑚 to get response 𝑡. Return t to A.
2. When A outputs (𝑚, 𝑡) at the end of its execution do:
a) Query O with 𝑚 to get 𝑡′.
b) If 𝑡 ′ = 𝑡 and A never queried its MAC oracle with 𝑚
then output 1; else output 0.
9
Distinguisher D
If the oracle is a PRF then,
Pr 𝐷𝐹𝑘
∙
1𝑛 = 1 = Pr[Mac−forge A, Π) 𝑛 = 1 = 𝜀(𝑛)
If the oracle is a random function then,
Pr
𝐷𝑓 ∙
1𝑛
= 1 = Pr[Mac-forge 𝐴, Π 𝑛 = 1] =
1
2𝑛
Therefore,
|Pr
𝐷 𝐹𝑘 ∙
1𝑛
= 1 − Pr
𝐷𝑓 ∙
1𝑛
1
=1|  𝜀 𝑛 + 𝑛
2
10
Distinguisher D
Since 𝐹 is a PRF it follows that there is a negligible
function negl with
𝜀 𝑛 + 2−𝑛 = negl 𝑛 .
and so 𝜀 𝑛 is negligible.
11
Replay attacks
MACs do not protect against replay attacks.
This is because the definition of a MAC does not
incorporate any notion of state in the verification
algorithm.
• Two common techniques for preventing replay attacks
involve the use of 𝑠𝑒𝑞𝑢𝑒𝑛𝑐𝑒 𝑛𝑢𝑚𝑏𝑒𝑟𝑠 and 𝑡𝑖𝑚𝑒 𝑠𝑡𝑎𝑚𝑝𝑠.
12
Construction 4.7
A variable length MAC
Let Π′ = (Gen′, Mac′, Vrfy′) be a fixed length MAC for messages
of length 𝑛. Define the MAC Π = (Gen, Mac, Vrfy) as follows:
• Gen: identical to Gen’.
• Mac: on input key 𝑘  {0,1}𝑛 and message 𝑚{0,1}∗ of
length 𝑙 < 2 𝑛/4 parse 𝑚 = 𝑚1    𝑚𝑑 into blocks of
length 𝑛/4 and choose a random identifier 𝑟 in {0,1}𝑛/4 .
Compute 𝑡𝑖 ← M𝐴𝐶𝑘 ′ 𝑟 ∥ 𝑖 ∥ 𝑙 ∥ 𝑚𝑖 , for 𝑖 = 1, … , 𝑑, and
output 𝑡 ≔ (𝑟, 𝑡1 , … , 𝑡𝑑 )
• Vrfy: parse 𝑚 into 𝑑 blocks and re-compute the MAC.
Output 1 if and only if the answer is the same for all 𝑡𝑖 ,
𝑖 = 1, … , 𝑑, of the 𝑟 ∥ 𝑖 ∥ 𝑙 ∥ 𝑚𝑖 .
13
Theorem 4.6
If Π’ is a secure fixed length MAC for messages of
length 𝑛, then Construction 4.6 is a MAC that is
existentially unforgeable under an adaptive chosen
message attack.
14
Construction 4.9 Fixed length CBC-MAC
Let 𝐹 be a pseudorandom function. Fix a length function 𝑙.
The CBC-MAC construction is as follows:
• Gen: on input 1𝑛 choose 𝑘  {0,1}𝑛 uniformly at random.
• Mac: on input a key 𝑘{0,1}𝑛 and message 𝑚{0,1}𝑙 𝑛 ∙𝑛
1. Parse 𝑚 = 𝑚1 ∙∙∙ 𝑚𝑙 into blocks of length 𝑛, and set
𝑡0 ≔ 0𝑛 .
2. Compute 𝑡𝑖 ← 𝐹𝑘 𝑡𝑖−1  𝑚𝑖 , for 𝑖 = 1, … , 𝑙 .
Output 𝑡 ≔ 𝑡𝑙
• Vrfy: on input a key 𝑘  {0,1}𝑛 , a message 𝑚{0,1}𝑛 ,
and a tag 𝑡 output 1 if and only if 𝑡 = MAC𝑘 𝑚 .
15
Theorem 4.10
Let 𝑙 be a polynomial.
If F is a pseudorandom function then Construction 4.9
is a fixed length MAC for messages of length 𝑙(𝑛) ∙ 𝑛
that is existentially unforgeable under an adaptive
chosen message attack.
16
CBC-MAC vs CBC-mode encryption
1. CBC-mode encryption uses a random IV.
If we use a random IV for CBS-MAC then we lose
security.
2. In CBC-mode encryption all encrypted blocks
are output as part of the ciphertext.
This is not the case with CBC-MAC.
If we do so we lose security.
17
CBC-MAC
𝑚1
𝐹𝑘
𝑚2
𝑚3


𝐹𝑘
𝐹𝑘
𝑡
18
CBC-MAC – however …
𝑚0
𝐹𝑘
𝑚1
𝑚2
𝑚3



𝐹𝑘
𝐹𝑘
𝐹𝑘
𝑡
19
Secure CBC-MAC for variable
length messages – three options
1. Apply the pseudorandom function to the length 𝑙 of the
input message 𝑚 to get a key 𝑘𝑙, e.g. set 𝑘𝑙 ≔ 𝐹𝑘 (𝑙). Then
compute the CBC-MAC with this key.
2. Prepend the message 𝑚 with length |𝑚| and then
compute the basic CBC-MAC.
If we append 𝑚 instead of prepending it we lose
security.
3. Choose two keys 𝑘1 , 𝑘2 . Compute the CBC-MAC with the
first key to get 𝑡. The tag is 𝑡 ≔ 𝐹𝑘2 (𝑡).
20
Variable length CBC-MAC
|𝑚|
𝐹𝑘
𝑚1
𝑚2
𝑚3



𝐹𝑘
𝐹𝑘
𝐹𝑘
𝑡
21