2. Plan: introduction to message authentication codes (MACs); constructions of MACs from block ciphers; hash functions: a definition, constructions, the “birthday attack”, a construction of MACs from hash functions, the random oracle model.
4. Message authentication (integrity): Alice sends M to Bob, and an adversary interferes with the transmission (modifies the message, or inserts a new one). How can Bob be sure that M really comes from Alice?
5. Sometimes integrity is more important than secrecy! Example: Alice sends “transfer 1000 $ to Bob” to the bank, and the adversary changes it to “transfer 1000 $ to Eve”. Of course, usually we want both secrecy and integrity.
6. Does encryption guarantee message integrity? Idea: Alice encrypts m and sends c = Enc(k,m) to Bob. Bob computes Dec(k,c), and if it “makes sense” accepts it. Intuition: only Alice knows k, so nobody else can produce a valid ciphertext. It does not work! Example: the one-time pad. Plaintext M = “transfer 1000 $ to Bob”, key K, ciphertext C = M xor K. If Eve knows M and C then she can calculate K = M xor C and produce a ciphertext of any other message.
7. Message authentication: Alice and Bob share a key k. Alice sends (m, t = Tag_k(m)); Bob verifies whether t = Tag_k(m). Eve can see (m, t = Tag_k(m)); she should not be able to compute a valid tag t’ on any other message m’.
8. Message authentication, multiple messages: Alice sends (m1, t1 = Tag_k(m1)), (m2, t2 = Tag_k(m2)), ..., (mw, tw = Tag_k(mw)) to Bob, all under the same key k. Eve should not be able to compute a valid tag t’ on any other message m’.
9. Message Authentication Codes, the idea: Alice and Bob share a key k chosen randomly from some set K. Alice sends (m, t = Tag_k(m)) with m ∈ {0,1}*; Bob computes Vrfy_k(m,t) ∈ {yes, no}.
11. Vrfy: K × M × T → {yes, no} is a verification algorithm. We will sometimes write Tag_k(m) and Vrfy_k(m,t) instead of Tag(k,m) and Vrfy(k,m,t). Correctness: it should always hold that Vrfy_k(m, Tag_k(m)) = yes.
12. Conventions: if Vrfy_k(m,t) = yes then we say that t is a valid tag on the message m. If Tag is deterministic, then Vrfy just computes Tag and compares the result. In this case we do not need to define Vrfy explicitly.
13. How to define security? We need to specify: how the messages m1,...,mw are chosen, and what the goal of the adversary is. Good tradition: be as pessimistic as possible! Therefore we assume that the adversary is allowed to choose m1,...,mw, and that the goal of the adversary is to produce a valid tag on some m’ such that m’ ≠ m1,...,mw.
14. The security game (security parameter 1^n): the oracle selects a random key k ∈ {0,1}^n. The adversary sends m1 and receives (m1, t1 = Tag_k(m1)), ..., sends mw and receives (mw, tw = Tag_k(mw)). We say that the adversary breaks the MAC scheme if at the end she outputs (m’,t’) such that Vrfy_k(m’,t’) = yes and m’ ≠ m1,...,mw.
15. The security definition: we say that (Tag, Vrfy) is secure if for every polynomial-time adversary A, P(A breaks it) is negligible (in n).
16. Aren’t we too paranoid? Maybe it would be enough to require that the adversary succeeds only if he forges a message that “makes sense” (e.g. forging a message that consists of random noise should not count). Bad idea: hard to define, and application-dependent.
17. Warning: MACs do not offer protection against “replay attacks”: a recorded pair (m, t) can be delivered to Bob again and again. Since Vrfy has no state (or “memory”) there is no way to detect that (m,t) is not fresh! This problem has to be solved by the higher-level application (methods: time-stamping, sequence numbers, ...).
18. Authentication and Encryption. Options: Encrypt-and-authenticate: c := Enc_k1(m) and t := Tag_k2(m), send (c,t): wrong. Authenticate-then-encrypt: t := Tag_k2(m) and c := Enc_k1(m||t), send (c,t): better. Encrypt-then-authenticate: c := Enc_k1(m) and t := Tag_k2(c), send (c,t): the best.
19. Constructing a MAC. There exist MACs that are secure even if the adversary is infinitely powerful; these constructions are not practical. MACs can be constructed from block ciphers. We will now discuss two constructions: a simple one (not practical), and a little bit more complicated one (practical): the CBC-MAC. MACs can also be constructed from hash functions (NMAC, HMAC).
21. A simple construction from a block cipher. Let F: {0,1}^n × {0,1}^n → {0,1}^n be a block cipher. We can now define a MAC scheme that works only for messages m ∈ {0,1}^n as follows: Tag(k,m) = F(k,m). It can be proven that it is a secure MAC. How to generalize it to longer messages?
22. Idea 1: split m into blocks m1, ..., md and authenticate each block separately: Tag_k(m) = (F(k,m1), ..., F(k,md)). This doesn’t work!
24. What goes wrong? Take m = (m1, ..., md) with t = Tag_k(m) = (F(k,m1), ..., F(k,md)). Let m’ = perm(m) be m with its blocks permuted, and t’ = perm(t) the tag with its blocks permuted in the same way. Then t’ is a valid tag on m’.
25. Idea 2: add a counter to each block: x_i = (i, m_i) and Tag_k(m) = (F(k,x1), ..., F(k,xd)). This doesn’t work either!
26. What goes wrong? With x_i = (i, m_i): take m with t = Tag_k(m), let m’ be a prefix of m (some initial blocks) and t’ the corresponding prefix of t. Then t’ is a valid tag on m’.
27. Idea 3: additionally add l := |m| to each block: x_i = (i, l, m_i). This doesn’t work either!
28. What goes wrong? With x_i = (i, l, m_i): take two messages m and m’ of the same length with t = Tag_k(m) and t’ = Tag_k(m’). Let m’’ = first half of m || second half of m’, and t’’ = first half of t || second half of t’. Then t’’ is a valid tag on m’’.
29. Idea 4: add a fresh random value r to each block: x_i = (r, i, l, m_i). This works!
30. The construction: let n be the block length and l = |m|. The message m is split into blocks m1, m2, ..., md with |m_i| = n/4 (padded with zeroes if needed). A value r is chosen randomly, each block is encoded as x_i = (r, i, l, m_i), and Tag_k(m) = (r, F(k,x1), F(k,x2), ..., F(k,xd)).
31. This construction can be proven secure. Theorem: assuming that F: {0,1}^n × {0,1}^n → {0,1}^n is a pseudorandom permutation, the construction from the previous slide is a secure MAC. Proof idea: suppose it is not a secure MAC. Let A be an adversary that breaks it with non-negligible probability. We construct a distinguisher D that distinguishes F from a random permutation.
32. A new member of “Minicrypt”: we already knew that one-way functions exist if and only if cryptographic PRGs exist; we have just proven that this implies that computationally-secure MACs exist; the implication back from computationally-secure MACs to one-way functions can be proven as well.
33. Problem: the tag is 4 times longer than the message... This construction is not practical. We can do much better!
34. CBC-MAC. Let F: {0,1}^n × {0,1}^n → {0,1}^n be a block cipher. The message m is split into blocks m1, m2, m3, ..., md (padded with zeroes if needed), and a block encoding |m| is prepended. The blocks are chained in CBC mode: each block is xored with the previous output of F_k before F_k is applied, and the last output is Tag_k(m). Other variants exist!
35. Why is prepending |m| needed? Suppose we do not prepend |m|...
36. The adversary chooses two single-block messages m1 and m2 and obtains t1 = Tag_k(m1) = F_k(m1) and t2 = Tag_k(m2) = F_k(m2). Now she can compute a valid tag on the two-block message m’ = m1 || (m2 xor t1): indeed Tag_k(m’) = F_k(F_k(m1) xor m2 xor t1) = F_k(m2) = t2.
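The following Python is an added example, not code from the slides: it implements Idea 4 (the r, i, l, m_i block encoding) and the CBC-MAC with and without the prepended length block, over a toy 8-byte Feistel network that stands in for the block cipher F_k (an assumption for illustration, not a real cipher), and checks the slide's m’ = m1 || (m2 xor t1) forgery against both CBC-MAC variants.

```python
import hashlib
import os

BLOCK = 8         # toy block length in bytes (the slides' n); constructed for illustration only
Q = BLOCK // 4    # in Idea 4 each of r, i, l and m_i takes n/4 of the block

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(k, r, x):
    # Feistel round function: keyed SHA-256 truncated to half a block
    return hashlib.sha256(k + bytes([r]) + x).digest()[:BLOCK // 2]

def F(k, block):
    """Stand-in for the block cipher F_k: a 4-round Feistel network (a permutation for any round function)."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in range(4):
        left, right = right, xor(left, _round(k, r, right))
    return left + right

def idea4_mac(k, m, r=None):
    """Idea 4: Tag_k(m) = (r, F_k(x_1), ..., F_k(x_d)) with x_i = (r, i, l, m_i), l = |m|, fresh random r."""
    r = os.urandom(Q) if r is None else r
    chunks = [m[i:i + Q].ljust(Q, b"\x00") for i in range(0, len(m), Q)]  # |m_i| = n/4, zero-padded
    l = len(m).to_bytes(Q, "big")
    return r, [F(k, r + i.to_bytes(Q, "big") + l + c) for i, c in enumerate(chunks, 1)]

def cbc_mac(k, m, prepend_length):
    """CBC-MAC as on the slide: optionally put |m| in the first block, zero-pad, chain through F_k."""
    data = (len(m).to_bytes(BLOCK, "big") + m) if prepend_length else m
    data += b"\x00" * (-len(data) % BLOCK)
    t = b"\x00" * BLOCK
    for i in range(0, len(data), BLOCK):
        t = F(k, xor(t, data[i:i + BLOCK]))
    return t

def cbc_forgery_verifies(k, prepend_length):
    """The slide's check: given t1 = Tag_k(m1), t2 = Tag_k(m2), is t2 a valid tag on m' = m1 || (m2 xor t1)?
    True means the variant is broken; the prepended length makes the check fail."""
    m1, m2 = b"blockone", b"blocktwo"   # two single-block messages (constructed)
    t1, t2 = cbc_mac(k, m1, prepend_length), cbc_mac(k, m2, prepend_length)
    return cbc_mac(k, m1 + xor(m2, t1), prepend_length) == t2
```

A verifier for Idea 4 recomputes the d values from the r found in the tag, which is why r must be transmitted as part of the tag and why the tag is about four times longer than the message.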
37. Some practitioners don’t like the CBC-MAC: “We don’t want to authenticate using block ciphers!” “What do you want to use instead?” “Hash functions!” “Why?” “Because they are more efficient, and they are not protected by the export regulations.”
39. Another idea for authenticating long messages: compute F_k(h(m)), where the “hash function” h maps the long m to a short h(m), and F is a block cipher with key k. By the way: a similar method is used in public-key cryptography (it is called “hash-and-sign”).
40. How to formalize it? We need to define what a “hash function” is. The basic property that we require is “collision resistance”.
41. Collision-resistant hash functions: a hash function H: {0,1}* → {0,1}^L maps a long m to a short H(m). Collision resistance requirement: it should be hard to find a “collision”, i.e. a pair (m,m’) with m ≠ m’ such that H(m) = H(m’).
42. Collisions always exist: since the domain is larger than the range, there must be m ≠ m’ in the domain with H(m) = H(m’).
46. Solution: when we prove theorems we will always consider families of hash functions {H_s} indexed by a key s ∈ keys.
47. Informal description: every party “knows H” and the protocol uses H. Formal model: s is chosen randomly, and the protocol uses H_s.
48. Informal description: every party “knows H” and the protocol uses H. Real-life implementation (example): every party “knows SHA1” and the protocol uses SHA1.
49. Hash functions, the functional definition: a hash function is a probabilistic polynomial-time algorithm H such that H takes as input a key s ∈ {0,1}^n and a message x ∈ {0,1}* and outputs a string H_s(x) ∈ {0,1}^{L(n)}, where L(n) is some fixed function.
50. Hash functions, the security definition [1/2]: on input 1^n, a random s ∈ {0,1}^n is selected and given to the adversary A, who outputs (m,m’). We say that adversary A breaks the function H if m ≠ m’ and H_s(m) = H_s(m’).
51. Hash functions, the security definition [2/2]: H is a collision-resistant hash function if for every polynomial-time adversary A, P(A breaks H) is negligible.
52. How to formalize our idea? Tag the long m as F_k(h(m)), with h a “hash function” and F a block cipher with key k.
53. Authentication scheme, formally: a key for the MAC is a pair (s,k), where s is a key for the hash function H and k is a key for the PRP F. Tag((k,s),m) = F_k(H_s(m)). Theorem: if H and F are secure then Tag is secure. This is proven as follows: suppose we have an adversary that breaks Tag. Then, by simulating it, we can construct either a distinguisher for F or a collision-finding adversary for H.
54. Do collision-resistant hash functions belong to Minicrypt? That collision-resistant hash functions imply one-way functions is an easy exercise. Whether one-way functions imply collision-resistant hash functions is an open problem; [D. Simon: Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions? 1998] shows that there is no “black-box reduction”.
55. A common method for constructing hash functions: construct a “fixed-input-length” collision-resistant hash function h: {0,1}^{2·L} → {0,1}^L (it maps 2·L bits to L bits); call it a collision-resistant compression function. Use it to construct a hash function.
56. An idea: pad m with zeroes if needed and split it into blocks m1, m2, ..., mB with m_i ∈ {0,1}^L. Starting from an IV (which can be arbitrary), apply h block by block: z_i = h(z_{i-1} || m_i), and output H(m) = z_B. This doesn’t work...
57. Why is it wrong? If we set m’ = m || 0000 (so that m’ pads to the same blocks m1, ..., mB as m) then H(m’) = H(m). Solution: append a block encoding the length t = |m|, i.e. m_{B+1} := t.
58. Merkle-Damgård transform: given h: {0,1}^{2L} → {0,1}^L we construct H: {0,1}* → {0,1}^L as follows. Pad m with zeroes if needed, split it into blocks m1, ..., mB with m_i ∈ {0,1}^L, and append m_{B+1} := t where t = |m| (the length doesn’t need to be known in advance, nice!). Starting from the IV compute z_i = h(z_{i-1} || m_i) for i = 1, ..., B+1 and output H(m) = z_{B+1}.
59. This construction is secure. We would like to prove the following. Theorem: if h: {0,1}^{2L} → {0,1}^L is a collision-resistant compression function then H: {0,1}* → {0,1}^L is a collision-resistant hash function. But wait... it doesn’t make sense...
60. What to do? To be formal, we would need to consider families of functions h and H indexed by a key s. Let’s stay on the informal level and “argue” that: “if one can find a collision in H then one can find a collision in h”.
61. The reduction: if an algorithm A breaks H, outputting a collision (m,m’) in H, then an algorithm a that breaks h can be built around it: a runs A and turns (m,m’) into a collision (x,y) in h.
62. How to compute a collision (x,y) in h from a collision (m,m’) in H? We consider two options: |m| = |m’| and |m| ≠ |m’|.
63. Option 1: |m| = |m’|. Both messages are padded and split into the same number of blocks, m1, ..., mB, m_{B+1} := t and m’1, ..., m’B, m’_{B+1} := t, with the same length block t.
64. Some notation (for |m| = |m’|): for m = m1, ..., mB, m_{B+1} := t, let z_1 = h(IV || m1) and z_i = h(z_{i-1} || m_i), so that z_{B+1} = H(m).
65. For m’ = m’1, ..., m’B, m’_{B+1} := t, similarly: z’_1 = h(IV || m’1) and z’_i = h(z’_{i-1} || m’_i), so that z’_{B+1} = H(m’).
68. So, we have found a collision! Let i* be the largest index at which the inputs to h differ, i.e. (z_{i*-1}, m_{i*}) ≠ (z’_{i*-1}, m’_{i*}). All later inputs are equal and z_{B+1} = z’_{B+1}, hence z_{i*} = z’_{i*}: two different inputs z_{i*-1} || m_{i*} and z’_{i*-1} || m’_{i*} that h maps to the same value.
69. Option 2: |m| ≠ |m’|. Here H(m) = h(z_B || m_{B+1}) and H(m’) = h(z’_{B’} || m’_{B’+1}) are equal, but the last blocks m_{B+1} and m’_{B’+1} encode the lengths of the messages, so these inputs cannot be equal! So, again we have found a collision in h.
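As an added example (not from the slides), the following Python implements the Merkle-Damgård transform with the length block over a constructed compression function h (truncated SHA-256 with an output of only L = 2 bytes, chosen so small that collisions in H can be found by brute force), and carries out the |m| = |m’| case of the argument above: from a collision in H it extracts a collision in h. It also shows the zero-padding collision of the variant without the length block.

```python
import hashlib
from itertools import count

L = 2                 # output length in bytes, deliberately tiny so collisions in H are cheap to find
IV = b"\x00" * L

def h(x):
    """Constructed compression function h: {0,1}^{2L} -> {0,1}^L (truncated SHA-256; a stand-in, not a real h)."""
    assert len(x) == 2 * L
    return hashlib.sha256(x).digest()[:L]

def blocks(m, with_length):
    """Zero-pad m and split it into L-byte blocks m_1..m_B; with_length appends m_{B+1} := t = |m| (in bytes)."""
    padded = m + b"\x00" * (-len(m) % L)
    bs = [padded[i:i + L] for i in range(0, len(padded), L)]
    return bs + [len(m).to_bytes(L, "big")] if with_length else bs

def chain(m, with_length=True):
    """Chaining values z_0 = IV, z_i = h(z_{i-1} || m_i); the last one is H(m)."""
    zs = [IV]
    for b in blocks(m, with_length):
        zs.append(h(zs[-1] + b))
    return zs

def H(m, with_length=True):
    return chain(m, with_length)[-1]

def find_H_collision():
    """Birthday search for m != m' of equal length with H(m) = H(m'); feasible only because L is tiny."""
    seen = {}
    for i in count():
        m = i.to_bytes(2 * L, "big")
        d = H(m)
        if d in seen:
            return seen[d], m
        seen[d] = m

def h_collision_from(m, m2):
    """Option 1 of the argument (|m| = |m'|): scan from the last block backwards for the first i* where the
    inputs (z_{i*-1} || m_{i*}) and (z'_{i*-1} || m'_{i*}) differ; since all later inputs agree and
    H(m) = H(m'), we have z_{i*} = z'_{i*}, so these two inputs collide under h."""
    zs, zs2 = chain(m), chain(m2)
    bs, bs2 = blocks(m, True), blocks(m2, True)
    for i in range(len(bs), 0, -1):
        x, y = zs[i - 1] + bs[i - 1], zs2[i - 1] + bs2[i - 1]
        if x != y:
            return x, y
    raise ValueError("m and m' are identical, not a collision")
```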
70. Concrete functions: MD5, SHA-1, SHA-256, ... all use (variants of) the Merkle-Damgård transformation. Hash functions can also be constructed using number theory.
72. What does the industry say about the “hash and authenticate” method? “The block cipher is still there... Why don’t we just hash the message together with a key: MAC_k(m) = H(k || m)?” It’s not secure!
73. Suppose H was constructed using the MD-transform. Eve can see MAC_k(m) = H(k || m), which is just the final chaining value after the chain IV, k, m, ..., z_B, and the length block t. Since the MD transform simply continues from that value, she can apply h once more to MAC_k(m) and a new length block encoding t + L, and what she obtains is MAC_k(m || t), a valid tag on the message m || t, fabricated without knowing k.
74. A better idea: M. Bellare, R. Canetti, and H. Krawczyk (1996): NMAC (Nested MAC) and HMAC (Hash based MAC) have some “provable properties”. They both use the Merkle-Damgård transform. Again, let h: {0,1}^{2L} → {0,1}^L be a compression function.
75. NMAC: pad m with zeroes if needed, split it into blocks m1, ..., mB and append m_{B+1} := |m|. Run the Merkle-Damgård chain with the key k1 in place of the IV, and then apply h once more with the second key k2: NMAC_(k1,k2)(m) = h(k2 || H_{k1}(m)).
76. What can be proven: suppose that h is collision-resistant and that the function MAC_{k2}(m) = h(k2 || m) (for one-block messages m) is a secure MAC. Then NMAC is a secure MAC.
77. Looks better, but: our libraries do not permit us to change the IV, and the key (k1,k2) is too long. HMAC is the solution!
78. HMAC: starting from the standard IV, hash the block k xor ipad followed by m1, ..., mB and the length block m_{B+1} := |m|; then, again from the IV, hash the block k xor opad followed by the inner result, and apply h to obtain HMAC_k(m). Here ipad = 0x36 repeated and opad = 0x5C repeated.
79. HMAC, the properties: it looks complicated, but it is very easy to implement (given an implementation of H): HMAC_k(m) = H((k xor opad) || H((k xor ipad) || m)). It has some “provable properties” (slightly weaker than NMAC). Widely used in practice. We like it!
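The HMAC formula above written out in Python, as an added example rather than code from the slides, including the detail the slide leaves implicit: k is first brought to H’s block length (64 bytes for SHA-256) so that k xor ipad is exactly one block. The result is cross-checked against Python’s hmac module.

```python
import hashlib
import hmac

def hmac_from_formula(k, m, H=hashlib.sha256):
    """HMAC_k(m) = H((k xor opad) || H((k xor ipad) || m)), as on the slide.
    Detail the slide glosses over: k is padded with zeroes to H's block length so that k xor ipad is
    exactly one block (keys longer than a block are first replaced by H(k))."""
    block_len = H().block_size                 # 64 bytes for SHA-256
    if len(k) > block_len:
        k = H(k).digest()
    k = k.ljust(block_len, b"\x00")
    ipad = bytes([0x36]) * block_len           # 0x36 repeated
    opad = bytes([0x5C]) * block_len           # 0x5C repeated
    k_ipad = bytes(a ^ b for a, b in zip(k, ipad))
    k_opad = bytes(a ^ b for a, b in zip(k, opad))
    inner = H(k_ipad + m).digest()
    return H(k_opad + inner).digest()

def matches_stdlib(k, m):
    """Cross-check against the hmac module; compare_digest is the constant-time comparison a verifier should use."""
    return hmac.compare_digest(hmac_from_formula(k, m), hmac.new(k, m, hashlib.sha256).digest())
```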
81. Other uses of “hash functions”: hash functions are used by practitioners to convert “non-uniform randomness” into uniform randomness. Example: take user-generated randomness X (key strokes, mouse movements, etc.) and apply a hash function H: {0,1}* → {0,1}^L; the shorter output H(X) is treated as “uniformly random”.
82. Example: password-based encryption. Let H be a hash function and (E,D) an encryption scheme; Alice and Bob share a password π. Alice sends c = E(H(π), m) and Bob recovers m = D(H(π), c). Informally: the only thing that Eve can do is to examine all possible passwords. Warning: there exist much better solutions for this problem.
83. Random oracle model [Bellare, Rogaway: Random Oracles are Practical: A Paradigm for Designing Efficient Protocols, 1993]. Idea: model the hash function as a random oracle, i.e. a completely random function H: {0,1}* → {0,1}^L that can be queried on any x to obtain H(x).
84. Remember the pseudorandom functions? There too we compared against a random function F: {0,1}^m → {0,1}^m, queried on x, x’, x’’, ... to obtain F(x), F(x’), F(x’’), ... Crucial difference: here also the adversary can query the oracle.
85. Informal description: every party “knows H” and the protocol uses H. Formal model: every call to H: {0,1}* → {0,1}^L is replaced with a query to the oracle; also the adversary is allowed to query the oracle.
86. How would we use it in the proof? Take user-generated randomness X and the shorter “uniformly random” H(X), where H: {0,1}* → {0,1}^L is a hash function. As long as the adversary never queried the oracle on X, the value H(X) “looks completely random to him”.
87. Criticism of the Random Oracle Model [Canetti, Goldreich, Halevi: The random oracle methodology, revisited. 1998]: there exists a signature scheme that is secure in the ROM but is not secure if the random oracle is replaced with any real hash function. This example is very artificial. No “realistic” example of this type is known.
89. The Random Oracle Model is also called the “Random Oracle Heuristic” rather than a “cryptographic model”. Common view: a ROM proof is better than nothing.
94. ...based on 2 simultaneous assumptions: some problems are computationally difficult, and our understanding of what “computational difficulty” means is correct.
97. Basic tools from computational cryptography: one-way functions, pseudorandom generators, pseudorandom functions/permutations, hash functions.
98. A method for proving security: reductions. The Minicrypt picture: one-way functions (whose existence implies P ≠ NP) give pseudorandom generators, which give pseudorandom functions/permutations, which give computationally-secure encryption and computationally-secure authentication; hash functions are used alongside. In general the picture is much more complicated!