Cryptography Lecture

PowerPoint presentation, uploaded by aaron on 2019-11-06

Presentation Transcript

Cryptography Lecture 10

A fixed-length MAC

Construction: let F be a length-preserving pseudorandom function (aka block cipher). Construct the following MAC Π:
  Gen: choose a uniform key k for F
  Mac_k(m): output F_k(m)
  Vrfy_k(m, t): output 1 iff F_k(m) = t
Theorem: Π is a secure MAC (for messages of exactly one block).

Proof by reduction (figure): a distinguisher D with oracle access to either F_k (for uniform k) or a uniform function f runs the forger. Each MAC query m_i from the forger is answered with the oracle value t_i. When the forger outputs a candidate forgery (m, t*), D queries m to obtain t and outputs 1 iff m is new (not among the m_i) and t = t*.

Analysis: When D interacts with F_k for uniform k, the view of the adversary is identical to its view in the real MAC experiment, so
  Pr[D^{F_k} outputs 1] = Pr[Forge_{A,Π}(n) = 1].
When D interacts with a uniform function f, seeing f(m_1), …, f(m_i) does not help predict f(m) for any m ∉ {m_1, …, m_i}, so
  Pr[D^f outputs 1] ≤ 2^-n.

Analysis: Since F is a pseudorandom function, |Pr[D^{F_k} outputs 1] − Pr[D^f outputs 1]| < negl(n). Hence
  Pr[Forge_{A,Π}(n) = 1] = Pr[D^{F_k} outputs 1] ≤ 2^-n + negl(n).

Drawbacks?
  This only works for fixed-length messages.
  This only works for short messages: e.g., AES has a 128-bit block size (shorter than a tweet!).
So the previous construction is limited to authenticating short, fixed-length messages.

Suggestions? Can you construct a secure MAC for variable-length messages from a MAC for fixed-length messages?
One natural idea:
  Mac'_k(m_1, …, m_l) = Mac_k(m_1), …, Mac_k(m_l)
  Vrfy'_k(m_1, …, m_l, t_1, …, t_l) = 1 iff Vrfy_k(m_i, t_i) = 1 for all i
Is this secure?

A construction
Need to prevent (at least):
  block reordering
  truncation
  "mixing-and-matching" blocks from multiple messages
One solution (r a fresh random value chosen per message, l the number of blocks, i the block index):
  Mac'_k(m_1, …, m_l) = r, Mac_k(r | l | 1 | m_1), Mac_k(r | l | 2 | m_2), …
Not very efficient (every message block gets its own full-size tag). Can we do better?
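The two slides above, worked as an added example (not code from the lecture): an adversary holding one legitimate (message, tag) pair reorders and truncates blocks. Against the naive per-block MAC both forgeries verify; against the r | l | i | m_i construction both are rejected because each tag is bound to the nonce, the block count and the block position. HMAC-SHA256 is assumed here as the secure fixed-length MAC Mac_k, with 32-byte inputs (8-byte r, 4-byte l, 4-byte i, 16-byte block); the messages are constructed sample data.

```python
import hashlib
import hmac
import os
import struct

IN_LEN = 32     # the fixed-length MAC accepts exactly 32-byte inputs
MSG_BLOCK = 16  # message block size for the r | l | i | m_i construction


def mac_fixed(k: bytes, x: bytes) -> bytes:
    """Fixed-length MAC Mac_k (assumption: HMAC-SHA256 stands in for F_k)."""
    if len(x) != IN_LEN:
        raise ValueError("fixed-length MAC only accepts %d-byte inputs" % IN_LEN)
    return hmac.new(k, x, hashlib.sha256).digest()


def vrfy_fixed(k: bytes, x: bytes, t: bytes) -> bool:
    return hmac.compare_digest(mac_fixed(k, x), t)


def split(m: bytes, size: int) -> list:
    if not m or len(m) % size:
        raise ValueError("message length must be a nonzero multiple of %d" % size)
    return [m[i:i + size] for i in range(0, len(m), size)]


# Naive idea from the slides: tag each block independently.
def naive_mac(k: bytes, m: bytes) -> list:
    return [mac_fixed(k, b) for b in split(m, IN_LEN)]


def naive_vrfy(k: bytes, m: bytes, tags: list) -> bool:
    blocks = split(m, IN_LEN)
    return len(blocks) == len(tags) and all(
        vrfy_fixed(k, b, t) for b, t in zip(blocks, tags))


# Repaired construction: bind each block to a per-message nonce r,
# the block count l and its index i before applying the fixed-length MAC.
def _encode(r: bytes, l: int, i: int, block: bytes) -> bytes:
    return r + struct.pack(">II", l, i) + block  # 8 + 4 + 4 + 16 = 32 bytes


def fixed_mac(k: bytes, m: bytes):
    blocks = split(m, MSG_BLOCK)
    r = os.urandom(8)
    l = len(blocks)
    return r, [mac_fixed(k, _encode(r, l, i, b)) for i, b in enumerate(blocks, 1)]


def fixed_vrfy(k: bytes, m: bytes, r: bytes, tags: list) -> bool:
    blocks = split(m, MSG_BLOCK)
    l = len(blocks)
    if len(tags) != l:
        return False
    return all(vrfy_fixed(k, _encode(r, l, i, b), t)
               for i, (b, t) in enumerate(zip(blocks, tags), 1))


def demo(k: bytes) -> dict:
    """Adversary sees one legitimate (message, tag) pair, then reorders / truncates."""
    # Constructed sample messages: two 32-byte blocks for the naive scheme.
    a = b"PAY 100 USD TO ALICE".ljust(IN_LEN)
    b = b"PAY 001 USD TO MALLORY".ljust(IN_LEN)
    tags = naive_mac(k, a + b)
    # Same attack against the repaired scheme, with two 16-byte blocks.
    a2, b2 = a[:MSG_BLOCK], b[:MSG_BLOCK]
    r, tags2 = fixed_mac(k, a2 + b2)
    return {
        "naive_valid": naive_vrfy(k, a + b, tags),
        "naive_reorder_forged": naive_vrfy(k, b + a, [tags[1], tags[0]]),
        "naive_truncate_forged": naive_vrfy(k, b, [tags[1]]),
        "fixed_valid": fixed_vrfy(k, a2 + b2, r, tags2),
        "fixed_reorder_forged": fixed_vrfy(k, b2 + a2, r, [tags2[1], tags2[0]]),
        "fixed_truncate_forged": fixed_vrfy(k, b2, r, [tags2[1]]),
    }
```

The "mixing-and-matching" case is covered by the same mechanism: a tag from a different message carries a different r, so it cannot be spliced into this one. The cost is visible in `fixed_mac`: the tag list is l full-size outputs plus r, which is what the slide means by "not very efficient".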

(Basic) CBC-MAC (figure): t_1 = F_k(m_1), t_i = F_k(t_{i-1} ⊕ m_i) for i = 2, …, l; the tag is t = t_l.

CBC-MAC vs. CBC-mode
  CBC-MAC is deterministic (no IV): MACs do not need to be randomized to be secure, and verification is done by re-computing the result.
  In CBC-MAC, only the final value is output.
Both are essential for security. Exercise: show attacks.

Security of (basic) CBC-MAC?
If F is a pseudorandom function with block length n, then for any fixed l, basic CBC-MAC is a secure MAC for messages of length l·n.
The sender and receiver must agree on the length parameter l in advance; basic CBC-MAC is not secure if this is not done! Attacks?

CBC-MAC extensions
Several ways to handle variable-length messages. One of the simplest: prepend the message length (encoded as one block) before applying (basic) CBC-MAC.

CBC-MAC with length prepended (figure): t_0 = F_k(l), t_i = F_k(t_{i-1} ⊕ m_i) for i = 1, …, l; the tag is t = t_l.

CBC-MAC extensions (continued): the length-prepending construction can also be adapted to handle messages whose length is not a multiple of the block length.
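An added example answering the "Attacks?" question on the basic CBC-MAC slide and showing why the length-prepending extension closes it (this is not code from the lecture). The extension forgery is the general form: given tags t for m and t2 for m2 (two queries), the adversary claims t2 for m || (m2_1 ⊕ t) || m2_2 || … ; after absorbing m the chaining value is t, the next block cancels it, and the chain then runs exactly as it did for m2. Assumed here: F_k is HMAC-SHA256 truncated to the 16-byte block (a PRF, not a permutation, which is all the CBC-MAC theorem needs), and the messages are constructed sample data.

```python
import hashlib
import hmac

N = 16  # block length in bytes


def F(k: bytes, x: bytes) -> bytes:
    """Keyed length-preserving function on N-byte blocks, standing in for the block cipher.
    Assumption: HMAC-SHA256 truncated to N bytes is a PRF (the CBC-MAC proof needs no more)."""
    if len(x) != N:
        raise ValueError("F takes exactly one block")
    return hmac.new(k, x, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(m: bytes) -> list:
    if not m or len(m) % N:
        raise ValueError("message must be a nonzero multiple of the block length")
    return [m[i:i + N] for i in range(0, len(m), N)]


def cbc_mac_basic(k: bytes, m: bytes) -> bytes:
    """Basic CBC-MAC: t_1 = F_k(m_1), t_i = F_k(t_{i-1} xor m_i), output t_l."""
    t = bytes(N)
    for b in blocks(m):
        t = F(k, xor(t, b))
    return t


def cbc_mac_len(k: bytes, m: bytes) -> bytes:
    """Length-prepending variant: basic CBC-MAC over (|m| encoded as one block) || m."""
    return cbc_mac_basic(k, len(m).to_bytes(N, "big") + m)


def vrfy(mac_fn, k: bytes, m: bytes, t: bytes) -> bool:
    return hmac.compare_digest(mac_fn(k, m), t)


def extension_forgery(mac_fn, k: bytes, m: bytes, m2: bytes):
    """Two-query adversary against mac_fn: obtains (m, t) and (m2, t2), then claims t2
    for m || (m2_1 xor t) || m2_2 || ... . Returns (forged_message, claimed_tag)."""
    t = mac_fn(k, m)     # query 1
    t2 = mac_fn(k, m2)   # query 2
    bs = blocks(m2)
    forged = m + xor(bs[0], t) + b"".join(bs[1:])
    return forged, t2


def demo(k: bytes) -> dict:
    m = b"amount=00000100;"                                   # constructed, one block
    m2 = b"amount=99999999;" + b"to=mallory".ljust(N)         # constructed, two blocks
    f_basic, tag_basic = extension_forgery(cbc_mac_basic, k, m, m2)
    f_len, tag_len = extension_forgery(cbc_mac_len, k, m, m2)
    return {
        "forged_is_new": f_basic not in (m, m2),
        "basic_accepts_forgery": vrfy(cbc_mac_basic, k, f_basic, tag_basic),
        "len_prefixed_accepts_forgery": vrfy(cbc_mac_len, k, f_len, tag_len),
    }
```

With a fixed, agreed block count l both queries would have to be l blocks long and the forged message would be 2l blocks, so the receiver rejects it on length alone; that is the "agree on l in advance" condition. Prepending the length makes the first chaining value depend on |m|, so the cancelling block computed for a message of one length is useless against a message of another.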

Authenticated encryption

Secrecy + integrity?
We have shown primitives for achieving secrecy and integrity in the private-key setting. What if we want to achieve both?

Authenticated encryption: an encryption scheme that achieves both secrecy and integrity.
  Secrecy notion: CCA-security
  Integrity notion: unforgeability (the adversary cannot generate a ciphertext that decrypts to a previously unencrypted message)

Constructions?
  Generic constructions: encrypt-and-authenticate, authenticate-then-encrypt, encrypt-then-authenticate
  Direct constructions

Generic constructions: generically combine an encryption scheme and a MAC. Useful when these are already available in some library. Goal: the combination should be an authenticated encryption scheme when instantiated with any CPA-secure encryption scheme and any secure MAC.

Encrypt-and-authenticate (figure): both parties hold keys k_1, k_2. Sender: c ← Enc_{k1}(m), t = Mac_{k2}(m); send (c, t). Receiver: m = Dec_{k1}(c); accept iff Vrfy_{k2}(m, t) = 1.

Problems
  The tag t might leak information about m! Nothing in the definition of security for a MAC implies that it hides information about m, so the combination may not even be EAV-secure.
  If the MAC is deterministic (as CBC-MAC is), then the tag reveals whether the same message is encrypted twice, so the combination is not CPA-secure even when the encryption scheme is.
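The CPA failure on the slide above, run as an added example (not code from the lecture): a CPA-secure encryption is combined encrypt-and-authenticate style with a deterministic MAC, and an adversary wins the CPA indistinguishability game with probability 1 by querying the oracle on m_0 and comparing the challenge tag with the tag it already holds. Assumed here: the encryption is a counter-mode style scheme with a fresh random nonce whose keystream comes from HMAC-SHA256 (standing in for any CPA-secure scheme), the MAC is HMAC-SHA256 (deterministic, so it behaves like CBC-MAC for this purpose), and the messages are constructed sample data.

```python
import hashlib
import hmac
import os

NONCE = 16


def prf(k: bytes, x: bytes) -> bytes:
    return hmac.new(k, x, hashlib.sha256).digest()


def keystream(k1: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    ctr = 0
    while len(out) < n:
        out += prf(k1, nonce + ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:n]


def enc(k1: bytes, m: bytes) -> bytes:
    """Counter-mode style encryption with a fresh random nonce.
    Assumption: this HMAC-based keystream stands in for any CPA-secure scheme."""
    nonce = os.urandom(NONCE)
    return nonce + bytes(a ^ b for a, b in zip(m, keystream(k1, nonce, len(m))))


def dec(k1: bytes, c: bytes) -> bytes:
    nonce, body = c[:NONCE], c[NONCE:]
    return bytes(a ^ b for a, b in zip(body, keystream(k1, nonce, len(body))))


def mac(k2: bytes, m: bytes) -> bytes:
    """Deterministic MAC (HMAC-SHA256 here; CBC-MAC would behave the same way)."""
    return hmac.new(k2, m, hashlib.sha256).digest()


def ea_encrypt(k1: bytes, k2: bytes, m: bytes):
    return enc(k1, m), mac(k2, m)       # c <- Enc_k1(m), t = Mac_k2(m)


def ea_decrypt(k1: bytes, k2: bytes, c: bytes, t: bytes):
    m = dec(k1, c)
    return m if hmac.compare_digest(mac(k2, m), t) else None


def cpa_experiment(k1: bytes, k2: bytes, m0: bytes, m1: bytes, b: int) -> int:
    """CPA indistinguishability game for encrypt-and-authenticate. The adversary
    first asks the encryption oracle for m0, then receives the challenge (c*, t*)
    on m_b and guesses b by comparing the deterministic tags. Returns the guess."""
    _, t0 = ea_encrypt(k1, k2, m0)              # oracle query
    _, t_star = ea_encrypt(k1, k2, (m0, m1)[b])  # challenge
    return 0 if hmac.compare_digest(t_star, t0) else 1


def demo() -> dict:
    k1, k2 = os.urandom(32), os.urandom(32)
    m0, m1 = b"attack at dawn", b"attack at dusk"   # constructed, equal length
    c, t = ea_encrypt(k1, k2, m0)
    c2, t2 = ea_encrypt(k1, k2, m0)
    return {
        "roundtrip": ea_decrypt(k1, k2, c, t) == m0,
        "ciphertexts_differ": c != c2,   # the encryption alone is randomized
        "tags_equal": t == t2,           # but the tag repeats for a repeated message
        "adversary_always_right": all(
            cpa_experiment(k1, k2, m0, m1, b) == b for b in (0, 1)),
    }
```

A CPA-secure scheme would leave this adversary at probability 1/2; here `cpa_experiment` is right for both values of b, which is exactly the distinguishing attack the slide describes. Note that the leak is independent of how good the encryption is: `ciphertexts_differ` is True, and the tag alone gives the game away.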