Add to collection(s) Add to saved
  1. No category

Lecture 8: Message Authentication Code (Continued) 1 Construction

advertisement 
CS 6903 Modern Cryptography
March 30, 2011
Lecture 8: Message Authentication Code (Continued)
Instructor: Nitesh Saxena Scribes: Khushabu Patil, Ankit Shah, Varun Potdar
1
Construction of MAC Schemes
There are many ways of constructing MAC Schemes, with each scheme having its own
advantage and disadvantage.
1.1
PRF - based MAC
A PRF, using a key k, can be used as a (deterministic) MAC using following steps:
Figure 1: PRF used on message of length l to generate a MAC of length l
KeyGen: K ← KeysSpace
MAC: Input m
µ = Fk (m)
Output (m, µ)
Verify: Input (m, µ)
If Fk (m) == µ
Theorem 1 (Fk -PRF ⇒ PRF-MAC-CMA) PRF based MAC is CMA secure. If Fk
is a PRF, then PRF-MAC is CMA.
Proof. We will prove the contrapositive, ¬PRF-MAC-CMA ⇒ ¬Fk -PRF. See Figure 2.
8-1
If there exists an adversary A who can break PRF-MAC with respect to CMA security
then we can construct B who can break Fk with respect to PRF property. The adversary
A assumes that it is interacting with Signing and Verification oracles of the MAC scheme,
where in fact it is communicating with adversary B. A sends message mi to B . B forwards
mi to the Challenger. The Challenger chooses a world, and returns M ACi = g(mi ), where
g() depends on the world the Challenger chooses. B forwards M ACi to A (this way B
simulates the signing oracle to A). A produces a possible forgery: a message M , and
it’s corresponding message authentication code M ACnew , and sends it to B. B sends
message M to the challenger. The challenger takes M , and returns M AC 0 = g(M ). B
compares if M ACnew equals to M AC 0 . If they are equal, then it sends d = 1 to A (this
simulates the verfication oracle to A) and the Challenger, otherwise sends d = 0 to A
and the Challenger.
Figure 2: ¬PRF-MAC-CMA ⇒ ¬Fk -PRF
AdvPf RF (B) = P r(ExpPf RF −1 (B) = 1) − P r(ExpP RF −0 (B) = 1)
A
= AdvCM
(A) −
fk
1
2l
A
P RF
(B) +
⇒ AdvCM
P RF −M AC (A) = Advf
1
2l
≤+
8-2
1
2l
Thus we have proved the theorem.
1.2
How to generate MACs on arbitrarily long messages?
Chaining mechanism is used to create MACs on arbitrarily long messages. This cascading
effect securely guards against 2 similar blocks of messages. See figure 3.
Figure 3: Is this CMA secure?
µi = Fk (µi ) (m1 , m2 , ...., mn , µ1 , µ2 , ...., µn ) This scheme is inefficient because of the
size of the output. This method is not secure because we can make different permutations of the message blocks : (m1 , m2 , ...., mn , µ1 , µ2 , ...., µn ) can be changed to
(m2 , m1 , ...., mn , µ2 , µ1 , ...., µn )
1.3
CBC-MAC
One can generate MACs on arbitrarily long messages by dividing the message into blocks
and then chaining them, similar to CBC-DES.
This chaining is different than CBC-DES; there is no IV value (and therefore the MAC
is deterministic) and also the output is only one block. In CBC-MAC, IV is a sequence
of all zeros.
Theorem 2 (Fk -PRF ⇒ CBC-MAC-CMA) If Fk is a PRF, then CBC-MAC is CMA
secure.
8-3
Figure 4: CBC-MAC
Proof. We’ll prove the contrapositive ¬CBC-MAC-CMA ⇒ ¬ Fk -PRF.
If there exists an adversary A who can break CBC-MAC with respect to CMA security
then we can construct adversary B who can break Fk with respect to PRF property. A
sends a query message mi , which is divided into blocks mi1 , mi2 , ..., min , to B. B then
sends mi1 to the challenger, and repetedly XORs the value received from the challenger
with the next block and send it to the challenger. The response corresponding to the
last block will be the (simulated) MAC on the message mi . B sends back the M AC
to A. A continues to send q such messages to B. Eventually, A decides it is ready to
create a forgery. A then sends message M , consisting of n blocks M11 , M12 , ..., M1n , and
a message authenticated code M ACnew , to B. B forwards the message blocks in the
same manner as was done was previously querioed messages mi , and finally obtains the
corresponding MAC M AC 0 on M . If M ACnew equals M AC 0 , then B sends d = 1 to A
and the Challenger. Otherwise, it sends d = 0 to both of them. See figure 5.
AdvPg RF (B) = P r(ExpPf RF −1 (B) = 1) − P r(ExpP RF −0 (B) = 1)
A
= AdvCM
CBC−M AC (A) − 4
The factor 4 above will be determined as follows:
Proof. Adversary A recorded q responses (µ1 , µ2 , ..., µq ), when it queried the signing
oracle on messages m1 , m2 , ..., mq .
Note that we are concerned with the case when the challenger was in World 0, i.e., when
g was set to be a random function denoted by F .
If any of the two responses collide, i.e., if µi = µj (for some i, j), then
F (mi,n ⊕ F (mi,n−1 )) = F (mj,n ⊕ F (mj,n−1 ))
Since F is a random, the above equality will hold if and only if mi,n ⊕ F (mi,n−1 ) =
8-4
Figure 5: Fk -PRF ⇒ CBC-MAC-CMA
8-5
mj,n ⊕ F (mj,n−1 )
Then, for any binary string B of length l-bits, we have mi,n ⊕ B ⊕ F (mi,n−1 ) = mj,n ⊕
B ⊕ F (mj,n−1 )
The adversary can make another query mi,1 , mi,2 , ..., mi,n ⊕B, and receive in return MAC
µ0i
And then the adversary can create a forgery by sending mj,1 , mj,2 , ..., mj,n ⊕ B ⊕ B as
the message and µ0i as the corresponding MAC.
Therefore, if the responses of any two previously queried q messages collide, then the
adversary can produce a valid forgery. This means that the probability that the adversary
.
wins even when it is fed the responses of a random function is 4 ≤ q(q−1)
2·2l
Completing the proof:
AdvPg RF (B) = P r(ExpPf RF −1 (B) = 1) − P r(ExpP RF −0 (B))
A
≤ AdvCM
CBC−M AC (A) −
q(q−1)
2·2l
A
P RF
⇒ AdvCM
(B) +
CBC−M AC (A)) ≤ Advf
q(q−1)
2·2l
Fact. CBC-MAC can only work with fixed number of blocks. In other words CBC-MAC
can not be used to authenticate arbitrarily long messages of variable lengths.
Proof. If the oracle accepted arbitrarily long messages , the adversary A can create
a forgery by performing the concatenation (m11 , m12 , M AC12 ) as shown in the figure 6
(Extension Attack).
Solution to Fixed-Length Restriction on CBC MAC:
To prevent forgery for arbitrarily long messages, we will incorporate the number of message blocks (or the length of the message) into the block computation. The key used for
PRF computation can be set to Fk (l) instead of K, where l is the number of message
blocks. This variant remains CMA secure and it allows to authenticate variable length
messages.
From the figure 7, we see that the new authenticator is µ = FFl (l) (m) where l is the
number of message blocks with equal size.
If the adversary attempts to create a forgery (m11 , m12 , M AC12 ), the oracle will not
aceept because the MAC is now computed as M AC12 = FFk(2) (FFk(2) (m11 ) ⊕ m12 ).
8-6
Figure 6: Fixed-length restriction on CBC-MAC (Extension Attack)
Figure 7: Solution to fixed-length restriction on CBC-MAC
8-7
Related documents
Citation: Ellen E. Sward, Values, Ideology, and the Evolution of the
Citation: Ellen E. Sward, Values, Ideology, and the Evolution of the
Part IV
Part IV
CSE 207 Homework 1
CSE 207 Homework 1
Slides for lecture 5
Slides for lecture 5
PPT for MACs Based On PRFs
PPT for MACs Based On PRFs
Digital Literacy Testing
Digital Literacy Testing
Download
advertisement