CIS 5371 Cryptography

4. Message Authentication Codes
Based on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography
Message Authentication Codes
Encryption vs message authentication
• Different functionalities.
• Encryption does not provide message authentication!
• Encryption with stream ciphers:
  • For c := G(k) ⊕ m, flipping a bit of the ciphertext flips the same bit of the
    decrypted message; one just needs to flip a bit of the ciphertext.
• Encryption with block ciphers:
  • The same attack (flipping bits) works, only this time whole blocks are affected
    (in CBC mode a flipped ciphertext bit garbles one plaintext block and flips the
    corresponding bit of the next one).
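The following is an added worked example (not from the slides or the textbook) of the stream-cipher malleability described above. The keystream generator is a constructed SHA-256-in-counter-mode stand-in for G(k), chosen only so the example runs offline; the plaintext and the attacker's edits are constructed sample data.

```python
import hashlib
import os


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in for the PRG output G(k): SHA-256 over (key, counter).
    Constructed for illustration only; it is not a vetted stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, m: bytes) -> bytes:
    """c := G(k) xor m"""
    return xor(keystream(key, len(m)), m)


def decrypt(key: bytes, c: bytes) -> bytes:
    return xor(keystream(key, len(c)), c)


def flip_bit(c: bytes, bit_index: int) -> bytes:
    """Flip one ciphertext bit; the same plaintext bit flips on decryption."""
    byte_i, bit_i = divmod(bit_index, 8)
    out = bytearray(c)
    out[byte_i] ^= 1 << bit_i
    return bytes(out)


def rewrite_field(c: bytes, known: bytes, wanted: bytes, offset: int) -> bytes:
    """Attacker who knows (or guesses) the plaintext bytes at `offset` replaces
    them without the key: c' = c xor known xor wanted, so m' = wanted there."""
    out = bytearray(c)
    for i, (a, b) in enumerate(zip(known, wanted)):
        out[offset + i] ^= a ^ b
    return bytes(out)


def demo() -> dict:
    key = os.urandom(16)
    m = b"PAY 0010 TO BOB"          # constructed sample plaintext
    c = encrypt(key, m)
    # 1) blind bit flip: bit 0 of byte 0 turns 'P' (0x50) into 'Q' (0x51)
    m_flipped = decrypt(key, flip_bit(c, 0))
    # 2) targeted edit of the amount field at bytes 4..7, no key needed
    m_rewritten = decrypt(key, rewrite_field(c, b"0010", b"9999", 4))
    return {"original": m, "flipped": m_flipped, "rewritten": m_rewritten}
```

The receiver decrypts both tampered ciphertexts without any error; nothing in the scheme tells it the message was modified, which is exactly the gap a MAC closes.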
Definition 4.1
Message Authentication Code
A message authentication code (MAC) is a tuple Π = (Gen, Mac, Vrfy) of
probabilistic polynomial-time algorithms such that:
• Gen takes as input the security parameter 1^n and outputs a key k with |k| ≥ n.
• Mac takes as input a key k and a message m ∈ {0,1}* and outputs a tag t.
  We write t ← Mac_k(m).
• Vrfy takes as input a key k, a message m ∈ {0,1}* and a tag t and outputs a
  bit b: b = 1 means valid, while b = 0 means invalid.
  We write b := Vrfy_k(m, t).
Correctness: for every key k output by Gen(1^n) and every m ∈ {0,1}*,
Vrfy_k(m, Mac_k(m)) = 1.
Message authentication experiment Mac-forge_{A,Π}(n)
1. A random key k is generated by running Gen(1^n).
2. The adversary A is given input 1^n and oracle access to Mac_k(·).
   The adversary eventually outputs a pair (m, t).
   Let Q be the set of all queries that A asked its oracle.
3. The output of the experiment is 1 if and only if
   a. Vrfy_k(m, t) = 1, and
   b. m ∉ Q.
Definition 4.2 -- Secure MAC
A message authentication code Π = (Gen, Mac, Vrfy) is existentially
unforgeable under an adaptive chosen-message attack, or just secure, if for
all probabilistic polynomial-time adversaries A there exists a negligible
function negl such that:
Pr[Mac-forge_{A,Π}(n) = 1] ≤ negl(n).
Construction 4.3
A fixed-length MAC from any PRF
Let F be a pseudorandom function. Define a fixed-length MAC for messages of
length n as follows:
• Gen: on input 1^n choose k ∈ {0,1}^n uniformly at random.
• Mac: on input a key k ∈ {0,1}^n and a message m ∈ {0,1}^n, output the tag
  t := F_k(m).
  (If |m| ≠ |k| then output nothing, i.e. ⊥.)
• Vrfy: on input a key k ∈ {0,1}^n, a message m ∈ {0,1}^n and a tag
  t ∈ {0,1}^n, output 1 if and only if t = F_k(m).
  (If |m| ≠ |k| then output 0.)
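As an added worked example (not from the slides or the textbook), here is Construction 4.3 together with the Mac-forge experiment of Definitions 4.1 and 4.2 written as a harness that runs an adversary against it. The PRF F_k is instantiated with HMAC-SHA256 truncated to n = 128 bits; that this behaves as a PRF is an assumption made for the example, and the two adversaries are constructed only to exercise the rules of the experiment.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional, Set, Tuple

N_BITS = 128                     # security parameter n
N_BYTES = N_BITS // 8


def F(k: bytes, x: bytes) -> bytes:
    """Stand-in for the PRF F_k : {0,1}^n -> {0,1}^n.
    Assumption: HMAC-SHA256 truncated to n bits behaves as a PRF."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N_BYTES]


def gen() -> bytes:
    """Gen(1^n): uniform n-bit key."""
    return os.urandom(N_BYTES)


def mac(k: bytes, m: bytes) -> Optional[bytes]:
    """Mac_k(m) := F_k(m); output bottom (None) unless |m| = |k| = n."""
    if len(m) != len(k):
        return None
    return F(k, m)


def vrfy(k: bytes, m: bytes, t: bytes) -> int:
    """Vrfy_k(m, t) = 1 iff |m| = |k| and t = F_k(m) (constant-time compare)."""
    if len(m) != len(k):
        return 0
    return 1 if hmac.compare_digest(F(k, m), t) else 0


Oracle = Callable[[bytes], Optional[bytes]]
Adversary = Callable[[Oracle], Tuple[bytes, bytes]]


def mac_forge(adversary: Adversary) -> int:
    """Experiment Mac-forge_{A,Pi}(n): A gets oracle access to Mac_k and wins
    (output 1) iff it returns (m, t) with Vrfy_k(m, t) = 1 and m not in Q."""
    k = gen()
    queries: Set[bytes] = set()           # the set Q

    def oracle(m: bytes) -> Optional[bytes]:
        queries.add(m)
        return mac(k, m)

    m, t = adversary(oracle)
    return 1 if (vrfy(k, m, t) == 1 and m not in queries) else 0


def replay_adversary(oracle: Oracle) -> Tuple[bytes, bytes]:
    """Returns a pair it obtained from the oracle: the tag verifies, but m is
    in Q, so the experiment outputs 0 (a replay is not a forgery here)."""
    m = b"A" * N_BYTES
    return m, oracle(m)


def guessing_adversary(oracle: Oracle) -> Tuple[bytes, bytes]:
    """Queries one message, then guesses a tag on a different one.
    Against an n-bit PRF-MAC this succeeds with probability about 2^-n."""
    oracle(b"A" * N_BYTES)
    return b"B" * N_BYTES, os.urandom(N_BYTES)
```

Note that `mac_forge` records every oracle query, so an adversary that merely re-submits a queried pair scores 0 even though `vrfy` accepts it; the definition deliberately leaves replays out of scope, which is the point of the slide on replay attacks below.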
Theorem 4.4
Let 𝐹 be a pseudorandom function.
Then Construction 4.3 is a fixed-length MAC
for messages of length n that is existentially
unforgeable under an adaptive chosen message
attack.
A secure fixed-length MAC
Proof
Let A be a probabilistic polynomial-time adversary. Define
ε(n) := Pr[Mac-forge_{A,Π}(n) = 1].
Let Π̃ be a MAC that is the same as Π = (Gen, Mac, Vrfy) except that a truly
random function f is used instead of the pseudorandom function F_k.
Then
Pr[Mac-forge_{A,Π̃}(n) = 1] ≤ 2^{-n},
because A must output a valid tag on a message m it never queried, and f(m) is
a uniform n-bit string independent of everything A has seen.
Distinguisher D
D is given access to an oracle O : {0,1}^n → {0,1}^n and works as follows:
1. Run A(1^n). Whenever A queries its MAC oracle on a message m, answer as
   follows: query O with m to get the response t, and return t to A.
2. When A outputs (m, t) at the end of its execution do:
   a) Query O with m to get t′.
   b) If t′ = t and A never queried its MAC oracle with m, then output 1;
      else output 0.
Distinguisher D
If D's oracle is the pseudorandom function F_k, then A's view is exactly as in
Mac-forge_{A,Π}(n), so
$$\Pr\left[D^{F_k(\cdot)}(1^n) = 1\right] = \Pr\left[\mathrm{Mac\text{-}forge}_{A,\Pi}(n) = 1\right] = \varepsilon(n).$$
If the oracle is a truly random function f, then A's view is exactly as in
Mac-forge_{A,Π̃}(n), so
$$\Pr\left[D^{f(\cdot)}(1^n) = 1\right] = \Pr\left[\mathrm{Mac\text{-}forge}_{A,\tilde{\Pi}}(n) = 1\right] \le 2^{-n}.$$
Therefore
$$\left|\Pr\left[D^{F_k(\cdot)}(1^n) = 1\right] - \Pr\left[D^{f(\cdot)}(1^n) = 1\right]\right| \ge \varepsilon(n) - 2^{-n}.$$

Distinguisher D
Since F is a pseudorandom function and D runs in polynomial time, there is a
negligible function negl with
$$\varepsilon(n) - 2^{-n} \le \mathrm{negl}(n),$$
and so ε(n) ≤ negl(n) + 2^{-n} is negligible.
Replay attacks
MACs do not protect against replay attacks.
This is because the definition of a MAC does not
incorporate any notion of state in the verification
algorithm.
• Two common techniques for preventing replay attacks
involve the use of 𝑠𝑒𝑞𝑢𝑒𝑛𝑐𝑒 𝑛𝑢𝑚𝑏𝑒𝑟𝑠 and 𝑡𝑖𝑚𝑒 𝑠𝑡𝑎𝑚𝑝𝑠.
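An added worked example (not from the slides) of the sequence-number technique: the sender numbers each message, the number is included under the MAC, and the receiver keeps state so that a genuine packet delivered twice is rejected the second time. HMAC-SHA256 stands in for a secure MAC, and the packets are constructed sample data; a stateless verifier is shown alongside to make the contrast concrete.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Tuple

Packet = Tuple[int, bytes, bytes]          # (sequence number, message, tag)


def tag(k: bytes, seq: int, m: bytes) -> bytes:
    """MAC over seq || m, so the tag binds the sequence number to the message.
    HMAC-SHA256 stands in for a secure MAC (assumption)."""
    return hmac.new(k, struct.pack(">Q", seq) + m, hashlib.sha256).digest()


class Sender:
    def __init__(self, k: bytes) -> None:
        self.k, self.seq = k, 0

    def send(self, m: bytes) -> Packet:
        self.seq += 1                      # never reused within the key's lifetime
        return self.seq, m, tag(self.k, self.seq, m)


class StatelessReceiver:
    """Plain MAC verification, as in Definition 4.1: every replay of a genuine
    packet is accepted again."""
    def __init__(self, k: bytes) -> None:
        self.k = k

    def receive(self, pkt: Packet) -> bool:
        seq, m, t = pkt
        return hmac.compare_digest(tag(self.k, seq, m), t)


class SequenceReceiver:
    """Stateful verification: the tag must verify AND seq must be strictly
    greater than the last accepted sequence number."""
    def __init__(self, k: bytes) -> None:
        self.k, self.last_seq = k, 0

    def receive(self, pkt: Packet) -> bool:
        seq, m, t = pkt
        if not hmac.compare_digest(tag(self.k, seq, m), t):
            return False                   # forged or corrupted
        if seq <= self.last_seq:
            return False                   # replayed (or out-of-order) packet
        self.last_seq = seq
        return True


def demo() -> Tuple[List[bool], List[bool]]:
    """Deliver p1, replay p1, deliver p2, replay p1 to both receivers."""
    k = os.urandom(32)
    s = Sender(k)
    p1 = s.send(b"transfer 100 to bob")   # constructed sample messages
    p2 = s.send(b"transfer 5 to carol")
    deliveries = [p1, p1, p2, p1]
    stateless = StatelessReceiver(k)
    stateful = SequenceReceiver(k)
    return ([stateless.receive(p) for p in deliveries],
            [stateful.receive(p) for p in deliveries])
```

Because the sequence number is inside the MAC'd input, an attacker cannot simply renumber an old packet; and because the receiver's counter only moves forward, the same packet can never be accepted twice. A timestamp scheme works the same way with the timestamp in place of seq and an acceptance window plus a short memory of recently seen tags in place of the strict-increase check.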
Construction 4.5
A variable-length MAC
Let Π′ = (Gen′, Mac′, Vrfy′) be a fixed-length MAC for messages of length n.
Define Π = (Gen, Mac, Vrfy) as follows:
• Gen: identical to Gen′.
• Mac: on input a key k ∈ {0,1}^n and a message m ∈ {0,1}* of length
  ℓ < 2^{n/4}, parse m = m_1 ‖ ⋯ ‖ m_d into blocks of length n/4 (padding the
  last block with zeros if necessary) and choose a random identifier
  r ∈ {0,1}^{n/4}. Compute t_i ← Mac′_k(r ‖ ℓ ‖ i ‖ m_i) for i = 1, …, d,
  where ℓ and i are encoded as n/4-bit strings, and output t := (r, t_1, …, t_d).
• Vrfy: on input a key k, a message m of length ℓ < 2^{n/4} and a tag
  t = (r, t_1, …, t_{d′}), parse m into d blocks as above. Output 1 if and
  only if d′ = d and Vrfy′_k(r ‖ ℓ ‖ i ‖ m_i, t_i) = 1 for all i = 1, …, d.
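The following is an added worked example (not from the slides or the textbook) of Construction 4.5 with n = 128, so each of r, ℓ, i and m_i is 32 bits and one Mac′ input is exactly 128 bits. The fixed-length MAC Mac′ is HMAC-SHA256 truncated to n bits (an assumption made for the example), and `attacks` runs three constructed manipulations, one for each field that the encoding binds: block index i, message length ℓ, and the per-message identifier r.

```python
import hashlib
import hmac
import os
from typing import List, Tuple

N = 128                      # security parameter n (bits)
BLOCK = N // 4 // 8          # n/4 bits = 4 bytes: size of r, l, i and each m_i
Tag = Tuple[bytes, List[bytes]]


def mac_fixed(k: bytes, x: bytes) -> bytes:
    """Fixed-length MAC Mac'_k on n-bit inputs (HMAC-SHA256 truncated: stand-in)."""
    assert len(x) == N // 8
    return hmac.new(k, x, hashlib.sha256).digest()[:N // 8]


def vrfy_fixed(k: bytes, x: bytes, t: bytes) -> bool:
    return len(x) == N // 8 and hmac.compare_digest(mac_fixed(k, x), t)


def parse_blocks(m: bytes) -> List[bytes]:
    """m = m_1 || ... || m_d with |m_i| = n/4; the final block is zero-padded."""
    blocks = [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]
    blocks[-1] = blocks[-1].ljust(BLOCK, b"\0")
    return blocks


def encode(r: bytes, length: int, i: int, mi: bytes) -> bytes:
    """r || l || i || m_i, each field n/4 bits, giving one n-bit input for Mac'."""
    return r + length.to_bytes(BLOCK, "big") + i.to_bytes(BLOCK, "big") + mi


def mac_var(k: bytes, m: bytes) -> Tag:
    length = len(m) * 8                          # l = |m| in bits
    assert 0 < length < 2 ** (N // 4)
    r = os.urandom(BLOCK)                        # fresh random identifier
    tags = [mac_fixed(k, encode(r, length, i, mi))
            for i, mi in enumerate(parse_blocks(m), start=1)]
    return r, tags


def vrfy_var(k: bytes, m: bytes, t: Tag) -> int:
    r, tags = t
    length = len(m) * 8
    if not 0 < length < 2 ** (N // 4):
        return 0
    blocks = parse_blocks(m)
    if len(tags) != len(blocks):                 # d' != d: truncation/extension
        return 0
    ok = all(vrfy_fixed(k, encode(r, length, i, mi), ti)
             for i, (mi, ti) in enumerate(zip(blocks, tags), start=1))
    return 1 if ok else 0


def attacks(k: bytes) -> dict:
    """Three constructed manipulations; each is defeated by one encoded field."""
    m1, m2 = b"AAAABBBBCCCC", b"DDDDEEEEFFFF"
    r1, t1 = mac_var(k, m1)
    r2, t2 = mac_var(k, m2)
    return {
        "genuine": vrfy_var(k, m1, (r1, t1)),
        # swap blocks 1 and 2 together with their tags: caught by the index i
        "reorder": vrfy_var(k, b"BBBBAAAACCCC", (r1, [t1[1], t1[0], t1[2]])),
        # drop the last block and its tag: caught by the length l
        "truncate": vrfy_var(k, b"AAAABBBB", (r1, t1[:2])),
        # take block 2 from m2 with its tag: caught by the identifier r
        "splice": vrfy_var(k, b"AAAAEEEECCCC", (r1, [t1[0], t2[1], t1[2]])),
    }
```

The zero padding of the last block is unambiguous only because ℓ is authenticated: `b"hello"` and `b"hello\0"` parse into the same padded blocks, but their lengths differ, so a tag on one does not verify on the other.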
Theorem 4.6
If Π′ is a secure fixed-length MAC for messages of length n, then
Construction 4.5 is a MAC that is existentially unforgeable under an
adaptive chosen-message attack.
Construction 4.9 CBC-MAC
Let F be a pseudorandom function. Fix a length function l.
The CBC-MAC construction is as follows:
• Gen: on input 1^n choose k ∈ {0,1}^n uniformly at random.
• Mac: on input a key k ∈ {0,1}^n and a message m ∈ {0,1}^{l(n)·n}:
  1. Parse m = m_1 ‖ ⋯ ‖ m_l into l = l(n) blocks of length n, and set t_0 := 0^n.
  2. Compute t_i := F_k(t_{i−1} ⊕ m_i) for i = 1, …, l.
  Output t := t_l.
• Vrfy: on input a key k ∈ {0,1}^n, a message m ∈ {0,1}^{l(n)·n} and a tag t,
  output 1 if and only if t = Mac_k(m). (If |m| ≠ l(n)·n, output 0.)
Theorem 4.10
Let 𝑙 be a polynomial.
If F is a pseudorandom function then Construction 4.9
is a fixed length MAC for messages of length 𝑙(𝑛) ∙ 𝑛
that is existentially unforgeable under an adaptive
chosen message attack.
CBC-MAC vs CBC-mode encryption
1. CBC-mode encryption uses a random IV.
   If we use a random IV for CBC-MAC (and output it with the tag) we lose
   security: a tag (IV, t) on a one-block message m is also a valid tag
   (IV′, t) on the message m ⊕ IV ⊕ IV′, for any IV′ of the adversary's choice.
2. In CBC-mode encryption all encrypted blocks are output as part of the
   ciphertext.
   This is not the case with CBC-MAC: only the final value t_l is output.
   If we output the intermediate values we lose security, since they reveal
   F_k evaluated at points the adversary can splice into a new message.
Variable length CBC-MAC
[Figure: basic CBC-MAC applied to a variable-length message: the blocks m_1, m_2, m_3 are chained through F_k and the final output is the tag t.]
Secure CBC-MAC for variable-length messages – three options
1. Apply the pseudorandom function to the length l of the input message m to
   get a key k_l, i.e. set k_l := F_k(l). Then compute the basic CBC-MAC of m
   with the key k_l.
2. Prepend the message m with its length |m| (encoded as an n-bit block) and
   then compute the basic CBC-MAC.
   If we append the length instead of prepending it, we lose security.
3. Choose two keys k_1, k_2. Compute the basic CBC-MAC of m with the key k_1
   to get t′. The tag is t := F_{k_2}(t′).
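As an added worked example (not from the slides or the textbook) covering Construction 4.9, the random-IV pitfall, the insecurity of basic CBC-MAC on variable-length messages, and the three fixes listed above: the block below builds CBC-MAC over a stand-in PRF (HMAC-SHA256 truncated to n = 128 bits, an assumption made for the example), carries out the one-query extension forgery against the basic scheme, and shows that the same forgery fails against each of the three variants. The messages and the `forgery_succeeds` harness are constructed for the example; recomputing the tag plays the role of Vrfy.

```python
import hashlib
import hmac
import os
from typing import Callable, Tuple

N = 16                                   # block length in bytes (n = 128 bits)


def F(k: bytes, x: bytes) -> bytes:
    """PRF F_k : {0,1}^n -> {0,1}^n (HMAC-SHA256 truncated to n bits: a stand-in)."""
    assert len(x) == N
    return hmac.new(k, x, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(k: bytes, m: bytes, iv: bytes = bytes(N)) -> bytes:
    """Construction 4.9 with t_0 := 0^n, run here on any whole number of blocks."""
    assert len(m) > 0 and len(m) % N == 0
    t = iv
    for i in range(0, len(m), N):
        t = F(k, xor(t, m[i:i + N]))
    return t


def extension_forgery(m: bytes, t: bytes) -> Tuple[bytes, bytes]:
    """Basic CBC-MAC on variable-length input: from (m, t) with m one block,
    the two-block message m || (m xor t) has the same tag, because the second
    round computes F_k(t xor (m xor t)) = F_k(m) = t. No query on the new message."""
    return m + xor(m, t), t


# --- the three secure variable-length variants from the slide ---

def cbc_mac_len_key(k: bytes, m: bytes) -> bytes:
    """Option 1: k_l := F_k(l), then basic CBC-MAC under k_l."""
    k_l = F(k, len(m).to_bytes(N, "big"))
    return cbc_mac(k_l, m)


def cbc_mac_prepend_len(k: bytes, m: bytes) -> bytes:
    """Option 2: prepend |m| as an n-bit block, then basic CBC-MAC."""
    return cbc_mac(k, len(m).to_bytes(N, "big") + m)


def cbc_mac_two_key(k1: bytes, k2: bytes, m: bytes) -> bytes:
    """Option 3: basic CBC-MAC under k1, then one extra PRF call under k2."""
    return F(k2, cbc_mac(k1, m))


def forgery_succeeds(mac_fn: Callable[[bytes], bytes], m: bytes) -> bool:
    """Obtain a legitimate tag on m, apply the extension forgery, and report
    whether the forged pair verifies under the same MAC."""
    t = mac_fn(m)
    m2, t2 = extension_forgery(m, t)
    return mac_fn(m2) == t2


def random_iv_forgery(k: bytes, m: bytes) -> bool:
    """Why CBC-MAC must not use a random IV output with the tag: (iv, t) on a
    one-block m is also valid as (iv', t) on m xor iv xor iv'."""
    iv, iv2 = os.urandom(N), os.urandom(N)
    t = cbc_mac(k, m, iv)
    m2 = xor(m, xor(iv, iv2))
    return m2 != m and cbc_mac(k, m2, iv2) == t
```

The forgery needs only one oracle query and no knowledge of k; it works because the chaining value fed into the last F_k call is under the adversary's control once the tag is known. Each fix breaks that control in a different way: option 1 changes the key with the length, option 2 makes the first chaining value depend on the length, and option 3 hides the chaining value behind a second key.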
Variable length CBC-MAC
[Figure: variable-length CBC-MAC, option 2: the length block |m| is processed first, followed by m_1, m_2, m_3, each chained through F_k; the final output is the tag t.]