Message Integrity: Message Auth. Codes (Dan Boneh)

Message Integrity
Message Auth. Codes
Online Cryptography Course, Dan Boneh
Message Integrity
  Goal: integrity, no confidentiality.
  Examples:
    Protecting public binaries on disk.
    Protecting banner ads on web pages.
Message Integrity: MACs
  Def: MAC I = (S,V) defined over (K,M,T) is a pair of algs:
    S(k,m) outputs t in T
    V(k,m,t) outputs `yes' or `no'
  Alice (holds k) --- message m, tag ---> Bob (holds k)
    Alice generates tag:  tag <- S(k, m)
    Bob verifies tag:     V(k, m, tag) = `yes' ?
Integrity requires a secret key
  Attacker can easily modify message m and re-compute CRC.
  CRC designed to detect random, not malicious errors.
  Alice --- message m, tag ---> Bob
    Generate tag:  tag <- CRC(m)
    Verify tag:    V(m, tag) = `yes' ?
Secure MACs
  Attacker's power: chosen message attack
    for m_1, m_2, ..., m_q attacker is given t_i <- S(k, m_i)
  Attacker's goal: existential forgery
    produce some new valid message/tag pair (m,t).
      (m,t) ∉ { (m_1,t_1), ..., (m_q,t_q) }
  => attacker cannot produce a valid tag for a new message
  => given (m,t) attacker cannot even produce (m,t') for t' ≠ t
Secure MACs
  For a MAC I=(S,V) and adv. A define a MAC game as:
    Chal.: k <- K
    Adv.:  m_1 ∈ M;  Chal.: t_1 <- S(k, m_1)
    Adv.:  m_2, ..., m_q;  Chal.: t_2, ..., t_q
    Adv.:  outputs (m,t)
    Chal. outputs b:
      b=1 if V(k,m,t) = `yes' and (m,t) ∉ { (m_1,t_1), ..., (m_q,t_q) }
      b=0 otherwise
  Def: I=(S,V) is a secure MAC if for all efficient A:
    Adv_MAC[A,I] = Pr[Chal. outputs 1] is negligible.
Quiz
  Let I = (S,V) be a MAC.
  Suppose an attacker is able to find m_0 ≠ m_1 such that
    S(k, m_0) = S(k, m_1) for ½ of the keys k in K
  Can this MAC be secure?
    Yes, the attacker cannot generate a valid tag for m_0 or m_1
    No, this MAC can be broken using a chosen msg attack
    It depends on the details of the MAC
Quiz
  Let I = (S,V) be a MAC.
  Suppose S(k,m) is always 5 bits long
  Can this MAC be secure?
    Yes, the attacker cannot generate a valid tag for any message
    It depends on the details of the MAC
    No, an attacker can simply guess the tag for messages
Example: protecting system files
  Suppose at install time the system computes:
    filename F_1:  t_1 = S(k, F_1)
    filename F_2:  t_2 = S(k, F_2)
    ...
    filename F_n:  t_n = S(k, F_n)
    (k derived from user's password)
  Later a virus infects system and modifies system files
  User reboots into clean OS and supplies his password
    Then: secure MAC => all modified files will be detected
End of Segment

Message Integrity
MACs based on PRFs
Review: Secure MACs
  MAC: signing alg. S(k,m) -> t and verification alg. V(k,m,t) -> 0,1
  Attacker's power: chosen message attack
    for m_1, m_2, ..., m_q attacker is given t_i <- S(k, m_i)
  Attacker's goal: existential forgery
    produce some new valid message/tag pair (m,t).
      (m,t) ∉ { (m_1,t_1), ..., (m_q,t_q) }
  => attacker cannot produce a valid tag for a new message
Secure PRF => Secure MAC
  For a PRF F: K × X -> Y define a MAC I_F = (S,V) as:
    S(k,m) := F(k,m)
    V(k,m,t): output `yes' if t = F(k,m) and `no' otherwise.
  Alice --- message m, tag ---> Bob
    Alice: tag <- F(k,m)
    Bob: accept msg if tag = F(k,m)
Quiz: A bad example
  Suppose F: K × X -> Y is a secure PRF with Y = {0,1}^10
  Is the derived MAC I_F a secure MAC system?
    Yes, the MAC is secure because the PRF is secure
    No, tags are too short: anyone can guess the tag for any msg
    It depends on the function F
Security
  Thm: If F: K × X -> Y is a secure PRF and 1/|Y| is negligible
  (i.e. |Y| is large) then I_F is a secure MAC.
  In particular, for every eff. MAC adversary A attacking I_F
  there exists an eff. PRF adversary B attacking F s.t.:
    Adv_MAC[A, I_F] ≤ Adv_PRF[B, F] + 1/|Y|
  => I_F is secure as long as |Y| is large, say |Y| = 2^80.
Proof Sketch
  Suppose f: X -> Y is a truly random function
  Then MAC adversary A must win the following game:
    Chal.: f <- Funs[X,Y]
    Adv.:  m_1 ∈ X;  Chal.: t_1 <- f(m_1)
    Adv.:  m_2, ..., m_q;  Chal.: f(m_2), ..., f(m_q)
    Adv.:  outputs (m,t)
  A wins if t = f(m) and m ∉ { m_1, ..., m_q }
  => Pr[A wins] = 1/|Y|
  Same must hold for F(k,x)
Examples
  AES: a MAC for 16-byte messages.
  Main question: how to convert Small-MAC into a Big-MAC?
  Two main constructions used in practice:
    CBC-MAC (banking - ANSI X9.9, X9.19, FIPS 186-3)
    HMAC (Internet protocols: SSL, IPsec, SSH, ...)
  Both convert a small-PRF into a big-PRF.
Truncating MACs based on PRFs
  Easy lemma: suppose F: K × X -> {0,1}^n is a secure PRF.
  Then so is F_t(k,m) = F(k,m)[1...t] for all 1 ≤ t ≤ n
  => If (S,V) is a MAC based on a secure PRF outputting n-bit tags
     the truncated MAC outputting w bits is secure
     ... as long as 1/2^w is still negligible (say w ≥ 64)

End of Segment

Message Integrity
CBC-MAC and NMAC
MACs and PRFs
  Recall: secure PRF F => secure MAC, as long as |Y| is large
    S(k, m) = F(k, m)
  Our goal:
    given a PRF for short messages (AES)
    construct a PRF for long messages
  From here on let X = {0,1}^n (e.g. n=128)
Construction 1: encrypted CBC-MAC
  Let F: K × X -> X be a PRP
  Define new PRF F_ECBC: K^2 × X^{≤L} -> X
  raw CBC (key k):
    m[0] -> F(k,·) -> ⊕ m[1] -> F(k,·) -> ⊕ m[3] -> F(k,·) -> ⊕ m[4] -> F(k,·)
  encrypted CBC-MAC: the raw CBC output -> F(k_1,·) -> tag
Construction 2: NMAC (nested MAC)
  Let F: K × X -> K be a PRF
  Define new PRF F_NMAC: K^2 × X^{≤L} -> K
  cascade (key k):
    k -> F(·, m[0]) -> F(·, m[1]) -> F(·, m[3]) -> F(·, m[4]) -> t
  NMAC: t || fpad -> F(k_1,·) -> tag
Quiz: Why the last encryption step in ECBC-MAC and NMAC?
  NMAC: suppose we define a MAC I = (S,V) where
    S(k,m) = cascade(k, m)
    This MAC is secure
    This MAC can be forged without any chosen msg queries
    This MAC can be forged with one chosen msg query
    This MAC can be forged, but only with two msg queries
Why the last encryption step in ECBC-MAC?
  Suppose we define a MAC I_RAW = (S,V) where
    S(k,m) = rawCBC(k,m)
  Then I_RAW is easily broken using a 1-chosen msg attack.
  Adversary works as follows:
    Choose an arbitrary one-block message m ∈ X
    Request tag for m. Get t = F(k,m)
    Output t as MAC forgery for the 2-block message (m, t⊕m)
  Indeed: rawCBC(k, (m, t⊕m)) = F(k, F(k,m) ⊕ (t⊕m)) = F(k, t ⊕ (t⊕m)) = F(k,m) = t
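As an added example (not from the course slides), the Python below runs the one-query check described on this slide against both rawCBC and ECBC-MAC, so the effect of the final keyed step F(k_1, ·) can be seen directly: the two-block message (m, t⊕m) verifies under rawCBC and does not under ECBC-MAC. HMAC-SHA256 truncated to one block stands in for the AES-based F of the slides (an assumption made to keep the example in the standard library); the keys and the one-block message are constructed sample values, and only whole-block messages are handled because padding is covered in a later segment.

```python
import hashlib
import hmac
import os

BLOCK = 16  # n = 128 bits, as on the slides


def F(k: bytes, x: bytes) -> bytes:
    """The block PRF F(k, .) on one 16-byte block.
    The slides have AES in mind; to stay within the standard library this
    example uses HMAC-SHA256 truncated to 16 bytes as a stand-in (assumption)."""
    assert len(x) == BLOCK
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(msg: bytes) -> list:
    # Whole blocks only: padding of short messages is a later slide.
    assert len(msg) > 0 and len(msg) % BLOCK == 0
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]


def raw_cbc(k: bytes, msg: bytes) -> bytes:
    """rawCBC(k, m): CBC chain over the blocks of m; output is the last chaining value."""
    t = bytes(BLOCK)
    for m in blocks(msg):
        t = F(k, xor(t, m))
    return t


def ecbc_mac(k: bytes, k1: bytes, msg: bytes) -> bytes:
    """Encrypted CBC-MAC: rawCBC under k, then one more F under the independent key k1."""
    return F(k1, raw_cbc(k, msg))


def one_query_extension_check(mac) -> bool:
    """The slide's 1-chosen-message experiment against a MAC with S(m) = mac(m):
    obtain the tag t of a one-block m, then test whether t is also the tag of
    the two-block message (m, t xor m).  True means the construction is broken
    this way; False means the final keyed step removed the algebraic relation."""
    m = os.urandom(BLOCK)          # arbitrary one-block message
    t = mac(m)                     # the single chosen-message query
    candidate = m + xor(t, m)      # the 2-block message (m, t xor m)
    return mac(candidate) == t


def demo() -> tuple:
    """Run the check against rawCBC and against ECBC-MAC with constructed keys."""
    k = b"constructed-key-k"       # constructed sample keys, not real ones
    k1 = b"constructed-key-k1"
    raw_broken = one_query_extension_check(lambda m: raw_cbc(k, m))
    ecbc_broken = one_query_extension_check(lambda m: ecbc_mac(k, k1, m))
    return raw_broken, ecbc_broken


if __name__ == "__main__":
    print(demo())   # (True, False)
```

`one_query_extension_check` takes any function from whole-block messages to tags, so the same check can be pointed at another construction; under ECBC-MAC the candidate's tag equals t only by chance (probability 1/|X|).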
ECBC-MAC and NMAC analysis
  Theorem: For any L>0,
  For every eff. q-query PRF adv. A attacking F_ECBC or F_NMAC
  there exists an eff. adversary B s.t.:
    Adv_PRF[A, F_ECBC] ≤ Adv_PRP[B, F] + 2 q^2 / |X|
    Adv_PRF[A, F_NMAC] ≤ q · L · Adv_PRF[B, F] + q^2 / 2|K|
  CBC-MAC is secure as long as q << |X|^{1/2}
  NMAC is secure as long as q << |K|^{1/2}   (2^64 for AES-128)
An example
  q = # messages MAC-ed with k
  Adv_PRF[A, F_ECBC] ≤ Adv_PRP[B, F] + 2 q^2 / |X|
  Suppose we want Adv_PRF[A, F_ECBC] ≤ 1/2^32
    => q^2 / |X| < 1/2^32
  AES:  |X| = 2^128  =>  q < 2^48
    So, after 2^48 messages must change key
  3DES: |X| = 2^64   =>  q < 2^16
The security bounds are tight: an attack
  After signing |X|^{1/2} messages with ECBC-MAC or
  |K|^{1/2} messages with NMAC the MACs become insecure
  Suppose the underlying PRF F is a PRP (e.g. AES)
  Then both PRFs (ECBC and NMAC) have the following extension property:
    ∀ x,y,w:  F_BIG(k, x) = F_BIG(k, y)  =>  F_BIG(k, x||w) = F_BIG(k, y||w)
The security bounds are tight: an attack
  Let F_BIG: K × X -> Y be a PRF that has the extension property
    F_BIG(k, x) = F_BIG(k, y)  =>  F_BIG(k, x||w) = F_BIG(k, y||w)
  Generic attack on the derived MAC:
    step 1: issue |Y|^{1/2} message queries for rand. messages in X.
            obtain (m_i, t_i) for i = 1, ..., |Y|^{1/2}
    step 2: find a collision t_u = t_v for u ≠ v (one exists w.h.p. by b-day paradox)
    step 3: choose some w and query for t := F_BIG(k, m_u||w)
    step 4: output forgery (m_v||w, t).  Indeed t := F_BIG(k, m_v||w)
Better security: a rand. construction
  Let F: K × X -> X be a PRF.  Result: MAC with tags in X^2.
  Diagram: m -> rawCBC(k, ·); a random r in K is chosen and the result, together
  with r, is fed through rawCBC(k_1, ·); the tag is 2 blocks.
  Security: Adv_MAC[A, I_RCBC] ≤ Adv_PRP[B, F] · (1 + 2 q^2 / |X|)
  For 3DES: can sign q = 2^32 msgs with one key
Comparison
  ECBC-MAC is commonly used as an AES-based MAC
    CCM encryption mode (used in 802.11i)
    NIST standard called CMAC
  NMAC not usually used with AES or 3DES
    Main reason: need to change AES key on every block
      requires re-computing AES key expansion
    But NMAC is the basis for a popular MAC called HMAC (next)

End of Segment

Message Integrity
MAC padding
Recall: ECBC-MAC
  Let F: K × X -> X be a PRP
  Define new PRF F_ECBC: K^2 × X^{≤L} -> X
  m[0] -> F(k,·) -> ⊕ m[1] -> F(k,·) -> ⊕ m[3] -> F(k,·) -> ⊕ m[4] -> F(k,·) -> F(k_1,·) -> tag
What if msg. len. is not multiple of block-size?
  m[0] -> F(k,·) -> ⊕ m[1] -> F(k,·) -> ⊕ m[3] -> F(k,·) -> ⊕ ??? -> F(k,·) -> F(k_1,·) -> tag
  (the last block m[4] is shorter than the block size)
Quiz: CBC MAC padding
  Bad idea: pad m with 0's
    m[0] m[1]  ->  m[0] m[1] 0000
  Is the resulting MAC secure?
    Yes, the MAC is secure
    No, given tag on msg m attacker obtains tag on m||0
    It depends on the underlying MAC
  Problem: pad(m) = pad(m||0)
CBC MAC padding
  For security, padding must be invertible!
    m_0 ≠ m_1  =>  pad(m_0) ≠ pad(m_1)
  ISO: pad with 100000....  Add new dummy block if needed.
    The "1" indicates beginning of pad.
    m[0] m[1]    ->  m[0] m[1] 100
    m'[0] m'[1]  ->  m'[0] m'[1] 1000...000
CMAC (NIST standard)
  Variant of CBC-MAC where key = (k, k_1, k_2)
    No final encryption step (extension attack thwarted by last keyed xor)
    No dummy block (ambiguity resolved by use of k_1 or k_2)
  Last block not full:
    m[0] -> F(k,·) -> ⊕ m[1] -> F(k,·) -> ... -> ⊕ (m[w] 100) ⊕ k_1 -> F(k,·) -> tag
  Last block full:
    m[0] -> F(k,·) -> ⊕ m[1] -> F(k,·) -> ... -> ⊕ m[w] ⊕ k_2 -> F(k,·) -> tag
End of Segment

Message Integrity
PMAC and Carter-Wegman MAC

  ECBC and NMAC are sequential.
  Can we build a parallel MAC from a small PRF?
Construction 3: PMAC - parallel MAC
  P(k, i): an easy to compute function
  Let F: K × X -> X be a PRF
  Define new PRF F_PMAC: K^2 × X^{≤L} -> X,  key = (k, k_1)
  For each block i: m[i] ⊕ P(k,i) -> F(k_1,·)
    (shown for m[0] ⊕ P(k,0), m[1] ⊕ P(k,1), m[2] ⊕ P(k,2), m[3] ⊕ P(k,3))
  XOR all the outputs together -> F(k_1,·) -> tag
  Padding similar to CMAC
PMAC: Analysis
  PMAC Theorem: For any L>0,
  If F is a secure PRF over (K,X,X) then F_PMAC is a secure PRF over (K, X^{≤L}, X).
  For every eff. q-query PRF adv. A attacking F_PMAC
  there exists an eff. PRF adversary B s.t.:
    Adv_PRF[A, F_PMAC] ≤ Adv_PRF[B, F] + 2 q^2 L^2 / |X|
  PMAC is secure as long as qL << |X|^{1/2}
Quiz: PMAC is incremental
  Suppose F is a PRP.
  When m[1] -> m'[1] can we quickly update tag?
  (PMAC as above: each m[i] ⊕ P(k,i) -> F(k_1,·), outputs XORed, then F(k_1,·) -> tag)
    No, it can't be done
    do F^{-1}(k_1, tag) ⊕ F(k_1, m[1] ⊕ P(k,1)) ⊕ F(k_1, m'[1] ⊕ P(k,1))
    do F^{-1}(k_1, tag) ⊕ F(k_1, m'[1] ⊕ P(k,1))
    do tag ⊕ F(k_1, m[1] ⊕ P(k,1)) ⊕ F(k_1, m'[1] ⊕ P(k,1))
  Then apply F(k_1, ·)
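An added example (not course code) of the incremental update asked about in this quiz. Because the update needs F^{-1}(k_1, ·), F(k_1, ·) is implemented here as a small 4-round Feistel network built from HMAC-SHA256, a toy invertible block function standing in for the PRP (AES) of the slides; P(k, i) is a keyed hash of the block index, and only whole-block messages are handled (CMAC-style padding omitted). These choices, and the names pmac and pmac_update, are assumptions of this example, not the construction as standardized.

```python
import hashlib
import hmac

BLOCK = 16
HALF = 8
ROUNDS = 4


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(k1: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(k1 + bytes([i]), half, hashlib.sha256).digest()[:HALF]


def prp(k1: bytes, x: bytes) -> bytes:
    """F(k1, .) as an invertible block function: a 4-round Feistel network on
    16-byte blocks with HMAC-SHA256 round functions (toy PRP in place of AES; assumption)."""
    l, r = x[:HALF], x[HALF:]
    for i in range(ROUNDS):
        l, r = r, xor(l, _round_fn(k1, i, r))
    return l + r


def prp_inv(k1: bytes, y: bytes) -> bytes:
    """F^{-1}(k1, .): run the Feistel rounds backwards."""
    l, r = y[:HALF], y[HALF:]
    for i in reversed(range(ROUNDS)):
        l, r = xor(r, _round_fn(k1, i, l)), l
    return l + r


def P(k: bytes, i: int) -> bytes:
    """P(k, i): the easy-to-compute per-position mask; a keyed hash of the index (assumption)."""
    return hmac.new(k, i.to_bytes(8, "big"), hashlib.sha256).digest()[:BLOCK]


def blocks(msg: bytes) -> list:
    assert len(msg) > 0 and len(msg) % BLOCK == 0   # whole blocks only
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]


def pmac(k: bytes, k1: bytes, msg: bytes) -> bytes:
    """PMAC as drawn on the slide: xor of F(k1, m[i] xor P(k,i)) over all i, then F(k1, .)."""
    acc = bytes(BLOCK)
    for i, m in enumerate(blocks(msg)):
        acc = xor(acc, prp(k1, xor(m, P(k, i))))
    return prp(k1, acc)


def pmac_update(k: bytes, k1: bytes, tag: bytes, i: int, old: bytes, new: bytes) -> bytes:
    """Incremental update when block i changes from old to new:
    F^{-1}(k1, tag) xor F(k1, old xor P(k,i)) xor F(k1, new xor P(k,i)), then apply F(k1, .).
    The cost is three block-function calls regardless of the message length."""
    inner = prp_inv(k1, tag)                       # undo the final F(k1, .)
    inner = xor(inner, prp(k1, xor(old, P(k, i))))  # remove the old term of the xor sum
    inner = xor(inner, prp(k1, xor(new, P(k, i))))  # add the new term
    return prp(k1, inner)                           # re-apply the final F(k1, .)
```

`pmac_update` on block 1 returns the same tag as recomputing `pmac` over the modified message, and it works only because F(k_1, ·) is invertible: with a PRF that is not a PRP there is no F^{-1} to undo the final step.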
One time MAC (analog of one time pad)
  For a MAC I=(S,V) and adv. A define a MAC game as:
    Chal.: k <- K
    Adv.:  m_1 ∈ M;  Chal.: t_1 <- S(k, m_1)
    Adv.:  outputs (m,t)
    Chal. outputs b:
      b=1 if V(k,m,t) = `yes' and (m,t) ≠ (m_1,t_1)
      b=0 otherwise
  Def: I=(S,V) is a secure MAC if for all efficient A:
    Adv_1MAC[A,I] = Pr[Chal. outputs 1] is negligible.
One-time MAC: an example
  Can be secure against all adversaries and faster than PRF-based MACs
  Let q be a large prime (e.g. q = 2^128 + 51)
  key = (a, b) ∈ {1,...,q}^2   (two random ints. in [1,q])
  msg = (m[1], ..., m[L]) where each block is 128 bit int.
  S(key, msg) = P_msg(a) + b (mod q)
    where P_msg(x) = x^{L+1} + m[L]·x^L + ... + m[1]·x is a poly. of deg L+1
  We show: given S(key, msg_1) adv. has no info about S(key, msg_2)
One-time security (unconditional)
  Thm: the one-time MAC on the previous slide satisfies (L = msg-len)
    ∀ m_1 ≠ m_2, t_1, t_2:
      Pr_{a,b}[ S((a,b), m_1) = t_1 | S((a,b), m_2) = t_2 ] ≤ L/q
  Proof: ∀ m_1 ≠ m_2, t_1, t_2:
    (1) Pr_{a,b}[ S((a,b), m_2) = t_2 ] = Pr_{a,b}[ P_{m_2}(a) + b = t_2 ] = 1/q
    (2) Pr_{a,b}[ S((a,b), m_1) = t_1 and S((a,b), m_2) = t_2 ] =
        Pr_{a,b}[ P_{m_1}(a) - P_{m_2}(a) = t_1 - t_2 and P_{m_2}(a) + b = t_2 ] ≤ L/q^2
  => given valid (m_2,t_2), adv. outputs (m_1,t_1) and is right with prob. ≤ L/q
One-time MAC => Many-time MAC
  Let (S,V) be a secure one-time MAC over (K_I, M, {0,1}^n).    [fast, long inp]
  Let F: K_F × {0,1}^n -> {0,1}^n be a secure PRF.               [slow but short inp]
  Carter-Wegman MAC:  CW((k_1,k_2), m) = (r, F(k_1,r) ⊕ S(k_2,m))
    for random r <- {0,1}^n.
  Thm: If (S,V) is a secure one-time MAC and F a secure PRF
  then CW is a secure MAC outputting tags in {0,1}^{2n}.
Quiz: How would you verify a CW tag (r, t) on message m?
  Recall that V(k_2, m, ·) is the verification alg. for the one time MAC.
  CW((k_1,k_2), m) = (r, F(k_1,r) ⊕ S(k_2,m))
    Run V(k_2, m, F(k_1, r) ⊕ t)
    Run V(k_2, m, F(k_1, t) ⊕ r)
    Run V(k_2, m, r)
    Run V(k_2, m, t)
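An added example (not from the slides) that puts the last three slides together: the polynomial one-time MAC with q = 2^128 + 51, and the Carter-Wegman composition CW((k_1,k_2), m) = (r, F(k_1,r) ⊕ S(k_2,m)) with its verifier, which strips the PRF mask using the same r and then runs V(k_2, m, ·). F is HMAC-SHA256 truncated to 17 bytes so that its output covers the 129-bit range of a tag mod q (an assumption of this example; the slide has an n-bit PRF and n-bit one-time tags); messages are whole 128-bit blocks, and the keys and messages in the usage are constructed.

```python
import hashlib
import hmac
import secrets

Q = 2**128 + 51          # the large prime from the slide
BLOCK = 16               # each message block is a 128-bit integer
TAG_BYTES = 17           # one-time tags live in [0, Q), i.e. up to 129 bits


def msg_blocks(msg: bytes) -> list:
    """Split msg into 128-bit integers m[1..L]; whole blocks only (assumption)."""
    assert len(msg) > 0 and len(msg) % BLOCK == 0
    return [int.from_bytes(msg[i:i + BLOCK], "big") for i in range(0, len(msg), BLOCK)]


def onetime_keygen() -> tuple:
    """key = (a, b): two random ints in [1, q]."""
    return secrets.randbelow(Q) + 1, secrets.randbelow(Q) + 1


def onetime_sign(key: tuple, msg: bytes) -> int:
    """S(key, msg) = P_msg(a) + b (mod q), where
    P_msg(x) = x^{L+1} + m[L] x^L + ... + m[1] x, evaluated at a by Horner's rule."""
    a, b = key
    m = msg_blocks(msg)
    acc = 1                          # leading coefficient of x^{L+1}
    for coeff in reversed(m):        # m[L], ..., m[1]
        acc = (acc * a + coeff) % Q  # after j steps: a^j + m[L] a^{j-1} + ... + m[L-j+1]
    acc = acc * a % Q                # one more factor of x: P_msg has no constant term
    return (acc + b) % Q


def onetime_verify(key: tuple, msg: bytes, tag: int) -> bool:
    """V(key, msg, tag): recompute and compare."""
    return onetime_sign(key, msg) == tag


def prf(k1: bytes, r: bytes) -> int:
    """F(k1, r): PRF with a 136-bit output so it can mask a 129-bit one-time tag.
    HMAC-SHA256 truncated to 17 bytes stands in for the PRF (assumption)."""
    return int.from_bytes(hmac.new(k1, r, hashlib.sha256).digest()[:TAG_BYTES], "big")


def cw_sign(k1: bytes, k2: tuple, msg: bytes, r: bytes = None) -> tuple:
    """Carter-Wegman: CW((k1,k2), m) = (r, F(k1, r) xor S(k2, m)) for a fresh random r."""
    if r is None:
        r = secrets.token_bytes(BLOCK)
    return r, prf(k1, r) ^ onetime_sign(k2, msg)


def cw_verify(k1: bytes, k2: tuple, msg: bytes, tag: tuple) -> bool:
    """Remove the PRF mask with the received r, then run the one-time verifier:
    V(k2, m, F(k1, r) xor t)."""
    r, t = tag
    return onetime_verify(k2, msg, prf(k1, r) ^ t)


if __name__ == "__main__":
    k1, k2 = b"constructed-k1", onetime_keygen()           # constructed keys
    msg = (5).to_bytes(16, "big") + (7).to_bytes(16, "big")  # m[1]=5, m[2]=7
    tag = cw_sign(k1, k2, msg)
    print(cw_verify(k1, k2, msg, tag), cw_verify(k1, k2, msg[:16], tag))  # True False
```

Because r is fresh per message, the one-time key k_2 is reused safely: each one-time tag is seen only under a different PRF mask, which is what the theorem on the previous slide captures.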
Construction 4: HMAC (Hash-MAC)
  Most widely used MAC on the Internet.
  ... but first we need to discuss hash functions.

Further reading
  J. Black, P. Rogaway: CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions. J. Cryptology 18(2): 111-131 (2005)
  K. Pietrzak: A Tight Bound for EMAC. ICALP (2) 2006: 168-179
  J. Black, P. Rogaway: A Block-Cipher Mode of Operation for Parallelizable Message Authentication. EUROCRYPT 2002: 384-397
  M. Bellare: New Proofs for NMAC and HMAC: Security Without Collision-Resistance. CRYPTO 2006: 602-619
  Y. Dodis, K. Pietrzak, P. Puniya: A New Mode of Operation for Block Ciphers and Length-Preserving MACs. EUROCRYPT 2008: 198-219

End of Segment