Lecture 8 - Message Authentication Codes

Similar documents
Lecture 18 - Chosen Ciphertext Security

Homework 3: Solution

Message Authentication ( 消息认证 )

Authenticated encryption

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Lecture 4: Authentication and Hashing

Lecture 10, Zero Knowledge Proofs, Secure Computation

1 Achieving IND-CPA security

1 Defining Message authentication

On Symmetric Encryption with Distinguishable Decryption Failures

Proofs for Key Establishment Protocols

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

Lecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model

CSC 5930/9010 Modern Cryptography: Digital Signatures

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Outline More Security Protocols CS 239 Computer Security February 4, 2004

Concrete cryptographic security in F*

Authenticated Encryption

CS 495 Cryptography Lecture 6

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Cryptography. Andreas Hülsing. 6 September 2016

CS 6903 Modern Cryptography February 14th, Lecture 4: Instructor: Nitesh Saxena Scribe: Neil Stewart, Chaya Pradip Vavilala

Authenticated Encryption

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

: Practical Cryptographic Systems March 25, Midterm

Introduction to Cryptography. Lecture 3

11 Message Authentication Codes

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

Lecture 3.4: Public Key Cryptography IV

On the Security of a Certificateless Public-Key Encryption

2018: Problem Set 1

Applied Cryptography and Computer Security CSE 664 Spring 2018

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Overview of Cryptography

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Lecture 8: Cryptography in the presence of local/public randomness

Random Oracles - OAEP

ISA 562: Information Security, Theory and Practice. Lecture 1

2 What does it mean that a crypto system is secure?

What Can Be Proved About Security?

CS408 Cryptography & Internet Security

Cryptographically Sound Implementations for Typed Information-Flow Security

Symmetric Encryption 2: Integrity

Data Integrity & Authentication. Message Authentication Codes (MACs)

Refresher: Applied Cryptography

CS 395T. Formal Model for Secure Key Exchange

Strong Privacy for RFID Systems from Plaintext-Aware Encryption

Computational Security, Stream and Block Cipher Functions

Introduction to Cryptography Lecture 10

Refining Computationally Sound Mech. Proofs for Kerberos

Cryptography: More Primitives

Information Security CS526

Security of Cryptosystems

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Definitions and Notations

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Katz, Lindell Introduction to Modern Cryptrography

Chapter 6. Message Authentication. 6.1 The setting

Computer Security CS 526

Automated Security Proofs with Sequences of Games

CS Computer Networks 1: Authentication

Lecture 8. 1 Some More Security Definitions for Encryption Schemes

Data Integrity & Authentication. Message Authentication Codes (MACs)

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004

Lecture 1: Perfect Security

IND-CCA2 secure cryptosystems, Dan Bogdanov

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

Cryptographic Hash Functions

Introduction to Cryptography. Lecture 3

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Non-Interactive Conference Key Distribution and Its Applications

CS408 Cryptography & Internet Security

Real-time protocol. Chapter 16: Real-Time Communication Security

Plaintext Awareness via Key Registration

Chapter 7. Message Authentication. 7.1 The setting

Security & Indistinguishability in the Presence of Traffic Analysis

Information Security CS526

Secure Multiparty Computation

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

CPSC 467: Cryptography and Computer Security

CS 494/594 Computer and Network Security

Kurose & Ross, Chapters (5 th ed.)

Feedback Week 4 - Problem Set

1 A Tale of Two Lovers

Brief Introduction to Provable Security

Uses of Cryptography

Failure Localization in the Internet

Certificateless Onion Routing

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

CS5412: CONSENSUS AND THE FLP IMPOSSIBILITY RESULT

Notes for Lecture 21. From One-Time Signatures to Fully Secure Signatures

Transcription:

Lecture 8 - Message Authentication Codes Benny Applebaum, Boaz Barak October 12, 2007 Data integrity Until now we ve only been interested in protecting secrecy of data. However, in many cases what we care about is integrity. Maintaining integrity is about preventing an adversary from tampering with the data that was sent or stored by the legitimate users. For example, often people are not worried so much about secrecy of their email, but they definitely want to be assured that the email they received was indeed the one being sent. Encryption and integrity Does encryption guarantee integrity? It might seem at first that yes: if an attacker can t read the message, how can she change it? However, this is not the case. For example, suppose that we encrypt the message x with the PRF-based CPA-secure scheme to r, f s (r) x. The attacker can flip the last bit of f s (r) x causing the receiver to believe the sent message was x 1,..., x n 1, x n. Checksums etc. A common device used for correcting errors is adding redundancy or checksums. A simple example is adding to x as a last bit the parity of x, that is i x i (mod 2). 1 When receiving a message, the receiver checks the parity, and if the check fails, considers the message corrupted (and if appropriate asks to resend it). This works against random errors but not against malicious errors: the attacker can change also parity check bit. In fact, as we saw above, the attacker can do this even if the message (including the parity check bit) is encrypted. Message Authentication Codes (MAC) The cryptographic primitive that we use for this is a message authentication code (MAC). A message authentication code (MAC) consists of two algorithms (Sign, Ver) (for signing and verifying). There is a shared key k between the signer and the verifier. The sender of a message x computes s = Sign k (x), s is often called a signature or a tag. Then, it sends (x, s) to the receiver. The receiver accepts the pair (x, s) as valid only if Ver k (x, s) = 1. Security for MACs We define a MAC secure if it withstands a chosen message attack. (Notation: n - key length, m - message length, t - tag length) Definition 1 (CMA secure MAC). A pair of algorithms (Sign, Ver) (with Sign : {0, 1} n {0, 1} m {0, 1} t, Ver : {0, 1} n {0, 1} m {0, 1} t {0, 1}) is a (T, ɛ)-cma-secure MAC if: Validity For every x, k, Ver k (x, Sign k (x)) = 1. Security For every T -time Adv, consider the following experiment: 1 Sometimes this is generalized to more bits, say, parity mod 2 16. 1

Choose k R {0, 1} n Give adversary access to black boxes for Sign k ( ) and Ver k ( ). Adversary wins if it comes up with a pair x, s such that (a) x is not one of the messages that the adversary gave to the black box Sign k ( ) and (b) Ver k (x, s ) = 1. Then the probability Adv wins is at most ɛ. Naturally, we define (Sign, Ver) to be CMA-secure if for every n it is (T (n), ɛ(n))-cma-secure for super-polynomial T, ɛ. In other words, there is no polynomial-time Adv that succeeds with polynomial probability to break it. Example As discussed above, the following are not MACs: A CPA-secure encryption scheme. A cyclic redundancy code (CRC) Construction for a message authentication code. We prove the following theorem: Theorem 1. Let {f k } be a PRF. Then the following is a MAC: Sign k (x) = f k (x). Ver k (x, s) = 1 iff f k (x) = s. Proof. We prove this in the typical way we prove constructions using PRFs are secure: we define an ideal MAC scheme that uses a truly random function, prove it secure, and then derive security for our real scheme. Proof of security for ideal scheme. Let A be an adversary running a chosen-message attack against the ideal scheme. At the end of the attack it outputs a string x that was not asked by it before from the signing oracle and some supposed tag t. Since this is a random function, we can think of the oracle at this point choosing the tag t for x at random and we have that Pr[t = t ] = 2 n. Using Authentication to get CCA security As we saw last time, CPA secure encryption is not always strong enough. For this purpose we defined CCA security as follows: Definition 2 (CCA security). An encryption (E, D) is said to be (T, ɛ)-cca secure if it s valid (D k (E k (x)) = x) and for every T -time A if we consider the following game: Sender and receiver choose shared k R {0, 1} n. A gets access to black boxes for E k ( ) and D k ( ). A chooses x 1, x 2. Sender chooses i R {1, 2} and gives A y = E k (x i ). A gets more access to black boxes for E k ( ) and D k ( ) but is restricted not to ask y to the decryption box. More formally, A gets access to the following function D k ( ) instead of D k ( ) 2

D k (y ) = { D k (y ) y y y = y ( is a symbol that signifies failure or invalid input ) A outputs j {1, 2}. A is successful if j = i, the scheme is (T, ɛ) secure if the probability that A is successful is at most 1 2 + ɛ. Order of Encryption and Authentication A natural approach to get CCA security is to add authentication. There are three natural constructions: Encrypt and then Authenticate (EtA): Compute y = E k (x) and t y = Sign k (y) and send (y, t y ). (IPSec-style) Authenticate and then Encrypt (AtE): Compute t x = Sign k (x) and then E k (t x ). (SSL style) Encrypt and Authenticate (E& A): Compute y = E k (x) and t x = Sign k (x) and send (y, t x ). (SSH style) (Don t encrypt is WEP-style) Note that in all these methods we use independent keys for encryption and authentication. It turns out that generically there is only one right choice. Theorem 2. 1. If (E, D) is CPA-secure and (Sign, Ver) is CMA-secure then the the EtA protocol gives a CCA secure encryption scheme. 2. There is a CPA-secure encryption such that for every CMA-secure MAC the AtE protocol is not a CCA secure encryption scheme. 3. There is a CMA-secure MAC such that for every CPA-secure encryption, the AtE protocol is not a CCA secure encryption scheme. Note: This does not by itself mean that, say, SSL is not secure. But it does mean that it is not generically secure. That is, the SSL protocol relies on specific (and not explicitly stated) properties of the encryption scheme used. This theorem and its proof can be found in Hugo Krawczyk s CRYPTO 2001 paper The order of encryption and authentication for protecting communications (Or: how secure is SSL?), see http://eprint.iacr.org/2001/045. Construction of a CCA secure scheme. We ll now show how to construct a CCA-secure encryption scheme. That is, we prove the following theorem: Theorem 3. Assuming Axiom 1, there exists a CCA secure (private key) encryption scheme. 3

Proof. The proof is actually to use the EtA construction, assuming some extra condition on the MAC (which is satisfied by the PRF-based construction). We say that a MAC has unique signatures if for every x there s at most one tag t such that Ver k (x, t) = 1. This is equivalent to saying that Ver k (x, t) outputs 1 if and only if t = Sign k (x, t) (note that this is how Ver worked in the PRF-based construction). Let (Sign, Ver) be such a MAC and let (E, D ) be a CPA-secure scheme. Our CCA-secure scheme (E, D) will be the following: Key: k, k with k, k R {0, 1} n. Encryption: To encrypt x compute y = E k (x), t = Sign k (y) and send y, t. Decryption: To decrypt y, t first verify that Ver k (y, t) = 1, otherwise abort (i.e., output ). If check passes, compute D k (y). Security: Suppose that A is a T -time algorithm attacking the encryption scheme (E, D). We ll convert A to an algorithm A that breaks the CPA-secure scheme (E, D). First, we need to remember what does it mean to have a CPA attack against (E, D ). The algorithm A gets black-box access to E k ( ) but not to D k ( ). The algorithm A will do the following: Choose k R {0, 1} n. Run A in its belly Whenever A asks for an encryption of x, pass the request to the encryption box E k to obtain y = E k (x), compute t = Sign k (y) and give y, t to A. Also record this query in a table. If A asks for a decryption of y, t which was previously returned to it as an encryption of x then return x to A. If A asks for a decryption of y, t which was not previously returned to from the encryption oracle, then check if Ver k (y, t) = 1. If check fails then return to A. If check succeeds then abort the computation. In this case we say that A failed to simulate A. When A sends the challenge x 1, x 2 pass it on to the sender to obtain y = E k (x i) and give y, t to A, where t = Sign k (y). When A outputs a guess j, output the same guess j. We see that the only case that A fails to simulate the CCA attack of A is when A manages to produce a pair y, t such that 1. y, t was not obtained as a previous response to a query x of the encryption oracle. 2. y, t is not the encryption of the challenge. 3. V er k (y, t) = 1 However, if A does that then he breaks the MAC. Indeed, because of the unique signatures property of the MAC, Properties 1 and 2 imply that y was not previously signed by the MAC, and hence it should not be possible for A to find a t such that Ver k (y, t) = 1. Note that the unique signatures property is indeed crucial. Suppose that the MAC had the property that it had an extra unused bit. That is, the tag is of the form t b where b is 4

a single bit, but verification only looks at the tag t. Thus, Ver k (y, t0) = 1 if and only if Ver k (y, t1) = 1. In this case the encryption scheme will be clearly not CCA secure. (If the adversary gets the challenge y, t0 it will give y, t1 to the decryption oracle.) This sensitivity of CCA security to extra unused bits is one reason why some people feel CCA security is a bit too strong, but the research community has yet to find a clean definition that is still sufficient for all the applications of CCA security. 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback