
CIS 5371 Cryptography

CIS 5371 Cryptography. 4. Message Authentication Codes. Based on: Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography. Message Authentication Codes. Encryption vs message authentication. Different functionalities





Presentation Transcript


  1. CIS 5371 Cryptography

    4. Message Authentication Codes. Based on: Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography
  2. Message Authentication Codes. Encryption vs message authentication. Different functionalities. Encryption does not provide message authentication! Encryption with stream ciphers: For  one just needs to flip a bit of the ciphertext. Encryption with block ciphers: Same attack (flipping bits) works, only this time blocks are affected.
  3. Definition 4.1 Message Authentication Code A message authentication code (MAC) is a tuple such that: takes input the security parameter and outputs a key with . takes as input a key and a message and We write:  . takes as input a key a message and and outputs a bit We write, :=Vrfy(.
  4. Message authentication experiment -(A,) ..
  5. Definition 4.2 -- Secure MAC A message authentication code is existentially unforgeable under adaptive chosen message attack, or just secure, if for all probabilistic polynomial-time adversaries there exists a negligible function such that: -
  6. Construction 4.3 A fixed length MAC from any PRF Let be a pseudorandom function. Define a fixed length MAC on messages of length as follows: Gen: on input choose  uniformly at random. Mac: on input a key and a message , output tag (If then output nothing.) Vrfy: on input a key and a message , output 1 if and only if (If then output 0.)
  7. Theorem 4.4 Let be a pseudorandom function. Then Construction 4.3 is a fixed-length MAC for messages of length n that is existentially unforgeable under an adaptive chosen message attack.
  8. A secure fixed length MAC Proof: -) Let MAC that is the same as  except that a truly random function is used instead of a PRF . Then -.
  9. Distinguisher D is given access to and oracle O Run : whenever queries its MAC oracle on a message , answer as follows: Query O. Return t to A. When A outputs at the end of its execution do: Query O with to get . If and A never queried its MAC oracle with then output 1; else output 0.
  10. Distinguisher D If oracle is a PRF then, If the oracle is a random function then, - Therefore,
  11. Distinguisher D Since is a PRF it follows that there is a negligible function with Then and so is negligible.
  12. Replay attacks MACs do not protect against replay attacks. This is because the definition of a MAC does not incorporate any notion of state in the verification algorithm.
  13. Construction 4.5 A variable length MAC Let be fixed length MAC for messages of length . Gen’: identical to Gen. Mac’: on input a key and a message of length parse into blocks of length and choose a random identifier in . Compute , for and output Vrfy: parse into blocks and re-compute the MAC. Output 1 if and only if the answer is the same for all
  14. Theorem 4.6 If ’ is a secure fixed length MAC for messages of length , then Construction 4.6 is a MAC that is existentially unforgeable under an adaptive chosen message attack.
  15. Construction 4.9 CBC-MAC Let be a pseudorandom function. Fix a length function The CBC-MAC construction is as follows: Gen: on input choose  uniformly at random. Mac: on input a key  and message Parse into blocks of length , and set . Compute for Output Vrfy: on input a key , a message of length and a tag of length output 1 if and only if .
  16. Theorem 4.10 Let be a polynomial. If F is a pseudorandom function then Construction 4.9 is a fixed length MAC for messages of length that is existentially unforgeable under an adaptive chosen message attack.
  17. CBC-MAC vs CBC-mode encryption. CBC-mode encryption uses a random IV. If we use a random IV for CBC-MAC then we lose security. In CBC-mode encryption all encrypted blocks are output as part of the ciphertext. This is not the case with CBC-MAC. If we do so we lose security.
  18. Secure CBC-MAC for variable length messages: three options. (1) Apply the pseudorandom function to the length of the input message to get a key , e.g. set . Then compute the CBC-MAC with this key. (2) Prepend the message with length and then compute the basic CBC-MAC. If we append instead of prepending it we lose security. (3) Choose two keys Compute the CBC-MAC with the first key to get . The tag is .
  19. Variable length CBC-MAC   
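
Slide 12 says verification keeps no state, so a valid (message, tag) pair verifies every time it is presented. The sketch below is an added example, not part of the slides: it implements the fixed-length MAC of Construction 4.3 with HMAC-SHA256 truncated to n = 16 bytes standing in for the PRF (an assumption), and a hypothetical `Receiver` class that rejects replays by requiring a strictly increasing counter in the first 8 bytes of each message.

```python
import hashlib
import hmac

N = 16  # message and tag length n, in bytes

def mac(key, m):
    # Construction 4.3: t := F_k(m). Assumption: truncated HMAC-SHA256 plays F_k.
    if len(m) != N:
        return None  # "output nothing" when |m| != n
    return hmac.new(key, m, hashlib.sha256).digest()[:N]

def vrfy(key, m, t):
    # Output 1 iff t = F_k(m); output 0 on wrong lengths. Stateless by definition.
    if len(m) != N or len(t) != N:
        return 0
    return int(hmac.compare_digest(mac(key, m), t))

class Receiver:
    """Hypothetical stateful wrapper: authenticated counter must strictly increase."""
    def __init__(self, key):
        self.key, self.last = key, -1

    def accept(self, m, t):
        if not vrfy(self.key, m, t):
            return False            # forged or corrupted
        ctr = int.from_bytes(m[:8], "big")
        if ctr <= self.last:
            return False            # valid tag, but already seen: replay
        self.last = ctr
        return True

def frame(key, ctr, payload):
    # Constructed message layout: 8-byte counter || 8-byte padded payload.
    m = ctr.to_bytes(8, "big") + payload.ljust(8, b"\0")[:8]
    return m, mac(key, m)

def demo():
    key = bytes(range(32))                      # constructed sample key
    m, t = frame(key, 1, b"pay 10")
    stateless = [vrfy(key, m, t), vrfy(key, m, t)]   # replay passes Vrfy
    rx = Receiver(key)
    stateful = [rx.accept(m, t), rx.accept(m, t)]    # replay rejected
    m2, t2 = frame(key, 2, b"pay 10")
    return stateless, stateful, rx.accept(m2, t2)

if __name__ == "__main__":
    print(demo())
```

The counter sits inside the authenticated message, so it cannot be changed without invalidating the tag.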
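
Slides 15 to 18 state that basic CBC-MAC is secure only for a fixed message length and that prepending the length is one way to handle variable lengths. The following added example (not from the slides) implements both variants and checks them against the standard textbook splice of two tagged messages; HMAC-SHA256 truncated to 16 bytes stands in for the PRF, and all function names, keys and messages are constructed for illustration.

```python
import hashlib
import hmac

N = 16  # block length n in bytes

def F(key, block):
    # Assumption: truncated HMAC-SHA256 stands in for the PRF F_k.
    return hmac.new(key, block, hashlib.sha256).digest()[:N]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_mac(key, msg):
    # Construction 4.9: t_0 = 0^n, t_i = F_k(t_{i-1} XOR m_i); only the last t_i is output.
    if not msg or len(msg) % N:
        raise ValueError("message must be a non-empty multiple of n bytes")
    t = bytes(N)
    for i in range(0, len(msg), N):
        t = F(key, xor(t, msg[i:i + N]))
    return t

def cbc_mac_len(key, msg):
    # Slide 18, option 2: prepend |m| as one block, then run basic CBC-MAC.
    return cbc_mac(key, len(msg).to_bytes(N, "big") + msg)

def vrfy(mac, key, msg, tag):
    try:
        return hmac.compare_digest(mac(key, msg), tag)
    except ValueError:
        return False

def splice(m1, t1, m2):
    # m1 || (first block of m2 XOR t1) || rest of m2: under basic CBC-MAC the
    # chaining value after m1 is t1, which cancels, so the tag equals that of m2.
    return m1 + xor(m2[:N], t1) + m2[N:]

def demo():
    key = bytes(range(32))                       # constructed sample key
    m1, m2 = b"A" * N, b"B" * N + b"C" * N        # constructed messages
    t1, t2 = cbc_mac(key, m1), cbc_mac(key, m2)
    basic = vrfy(cbc_mac, key, splice(m1, t1, m2), t2)
    p1, p2 = cbc_mac_len(key, m1), cbc_mac_len(key, m2)
    hardened = vrfy(cbc_mac_len, key, splice(m1, p1, m2), p2)
    return basic, hardened

if __name__ == "__main__":
    print(demo())
```

The basic variant accepts a never-tagged three-block message once lengths are allowed to vary, while the length-prepended variant rejects it.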