Foundation of Cryptography (0368-4162-01), Lecture 7
MACs and Signatures
Iftach Haitner, Tel Aviv University
December 27, 2011

Outline: Message Authentication Code (MAC); Constructions; Signature Schemes; OWFs $\Rightarrow$ Signatures

Section 1: Message Authentication Code (MAC)

Definition 1 (MAC)
A triplet of PPTs $(\mathrm{Gen}, \mathrm{Mac}, \mathrm{Vrfy})$ such that
1. $\mathrm{Gen}(1^n)$ outputs a key $k \in \{0,1\}^*$
2. $\mathrm{Mac}(k, m)$ outputs a "tag" $t$
3. $\mathrm{Vrfy}(k, m, t)$ outputs 1 (YES) or 0 (NO)
Consistency: $\mathrm{Vrfy}_k(m, t) = 1$ for any $k \in \mathrm{Supp}(\mathrm{Gen}(1^n))$, $m \in \{0,1\}^n$ and $t = \mathrm{Mac}_k(m)$.

Definition 2 (Existential unforgeability)
A MAC $(\mathrm{Gen}, \mathrm{Mac}, \mathrm{Vrfy})$ is existential unforgeable (EU), if for any oracle-aided PPT $A$:
$$\Pr\left[k \leftarrow \mathrm{Gen}(1^n);\ (m, t) \leftarrow A^{\mathrm{Mac}_k, \mathrm{Vrfy}_k}(1^n) \colon \mathrm{Vrfy}_k(m, t) = 1 \wedge \mathrm{Mac}_k \text{ was not asked on } m\right] = \mathrm{neg}(n)$$

Remarks on the definitions:
"Private key" definition
Security definition too strong?
  Any message?
  Use of Verifier?
"Replay attacks"
Strong MACs

Length-restricted MACs

Definition 3 (Length-restricted MAC)
Same as in Definition 1, but for $k \in \mathrm{Supp}(G(1^n))$, $\mathrm{Mac}_k$ and $\mathrm{Vrfy}_k$ only accept messages of length $n$.

Bounded-query MACs

Definition 4 ($\ell$-time MAC)
A MAC scheme is existential unforgeable against $\ell$ queries (for short, $\ell$-time MAC), if it is existential unforgeable as in Definition 2, but $A$ can only ask for $\ell$ queries.

Section 2: Constructions

Zero-time, restricted length, MAC

Construction 5 (Zero-time, restricted length, MAC)
$\mathrm{Gen}(1^n)$: outputs $k \leftarrow \{0,1\}^n$
$\mathrm{Mac}_k(m) = k$
$\mathrm{Vrfy}_k(m, t) = 1$, iff $t = k$

Claim 6
The above scheme is a length-restricted, zero-time MAC.

$\ell$-wise independent hash

Definition 7 ($\ell$-wise independent)
A function family $\mathcal{H}$ from $\{0,1\}^n$ to $\{0,1\}^m$ is $\ell$-wise independent, where $\ell \in \mathbb{N}$, if for every distinct $x_1, \ldots, x_\ell \in \{0,1\}^n$ and every $y_1, \ldots, y_\ell \in \{0,1\}^m$, it holds that
$$\Pr_{h \leftarrow \mathcal{H}}\left[h(x_1) = y_1 \wedge \cdots \wedge h(x_\ell) = y_\ell\right] = 2^{-\ell m}.$$

$\ell$-times, restricted length, MAC

Construction 8 ($\ell$-time MAC)
Let $\mathcal{H} = \{\mathcal{H}_n \colon \{0,1\}^n \mapsto \{0,1\}^n\}$ be an efficient $(\ell+1)$-wise independent function family.
$\mathrm{Gen}(1^n)$: outputs $h \leftarrow \mathcal{H}_n$
$\mathrm{Mac}(h, m) = h(m)$
$\mathrm{Vrfy}(h, m, t) = 1$, iff $t = h(m)$

Claim 9
The above scheme is a length-restricted, $\ell$-time MAC.

Proof: HW
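
An added example, not part of the lecture: Construction 8 instantiated with random degree-$\ell$ polynomials over a prime field, a standard $(\ell+1)$-wise independent family, showing why the query bound in Definition 4 is tight. The prime `P`, the integer message encoding and all function names are assumptions of this sketch; the lecture's family maps $\{0,1\}^n$ to $\{0,1\}^n$.

```python
import secrets

P = 2**127 - 1  # assumed field size (a Mersenne prime); messages and tags are ints mod P

def gen(ell):
    """Key = ell+1 uniform coefficients, i.e. a random polynomial h of degree <= ell."""
    return [secrets.randbelow(P) for _ in range(ell + 1)]

def mac(key, m):
    """Tag = h(m), evaluated with Horner's rule."""
    t = 0
    for a in reversed(key):
        t = (t * m + a) % P
    return t

def vrfy(key, m, t):
    return mac(key, m) == t

def interpolate(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def demo(ell=3, key=None):
    """Compare what ell+1 tags reveal about a fresh message with what ell tags reveal."""
    key = key or gen(ell)
    tagged = [(m, mac(key, m)) for m in range(1, ell + 2)]  # constructed messages 1..ell+1
    target = 1000                                           # message never sent to Mac
    # ell+1 tags fix all ell+1 coefficients, so the tag on target is fully determined.
    over_budget = interpolate(tagged, target) == mac(key, target)
    # ell tags leave one degree of freedom; the guess is right only if the
    # leading coefficient happens to be 0 (probability 1/P).
    within_budget = interpolate(tagged[:ell], target) == mac(key, target)
    return over_budget, within_budget

if __name__ == "__main__":
    print(demo())  # (True, False) except with probability 1/P
```

A key for this scheme must therefore be retired after $\ell$ tags; the PRF-based Construction 10 removes that limit.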

OWF $\Rightarrow$ existential unforgeable MAC

Construction 10
Same as Construction 8, but uses function $\mathcal{F} = \{\mathcal{F}_n \colon \{0,1\}^n \mapsto \{0,1\}^n\}$ instead of $\mathcal{H}$.

Claim 11
Assuming that $\mathcal{F}$ is a PRF, then Construction 10 is an existential unforgeable MAC.

Proof: Easy to prove if $\mathcal{F}$ is a family of random functions. Hence, also holds in case $\mathcal{F}$ is a PRF.

Any Length: Collision Resistant Hash Family

Definition 12 (collision resistant hash family (CRH))
A function family $\mathcal{H} = \{\mathcal{H}_n \colon \{0,1\}^* \mapsto \{0,1\}^n\}$ is collision resistant, if
$$\Pr\left[h \leftarrow \mathcal{H}_n,\ (x, x') \leftarrow A(1^n, h) \colon x \neq x' \in \{0,1\}^* \wedge h(x) = h(x')\right] = \mathrm{neg}(n)$$
for any PPT $A$.

Not known to be implied by OWF.

Any Length: Length restricted MAC $\Rightarrow$ MAC

Construction 13 (Length restricted MAC $\Rightarrow$ MAC)
Let $(\mathrm{Gen}, \mathrm{Mac}, \mathrm{Vrfy})$ be a length-restricted MAC, and let $\mathcal{H} = \{\mathcal{H}_n \colon \{0,1\}^* \mapsto \{0,1\}^n\}$ be an efficient function family.
$\mathrm{Gen}'(1^n)$: $k \leftarrow \mathrm{Gen}(1^n)$, $h \leftarrow \mathcal{H}_n$. Set $k' = (k, h)$
$\mathrm{Mac}'_{k,h}(m) = \mathrm{Mac}_k(h(m))$
$\mathrm{Vrfy}'_{k,h}(t, m) = \mathrm{Vrfy}_k(t, h(m))$

Claim 14
Assume $\mathcal{H}$ is an efficient collision-resistant family and $(\mathrm{Gen}, \mathrm{Mac}, \mathrm{Vrfy})$ is existential unforgeable, then $(\mathrm{Gen}', \mathrm{Mac}', \mathrm{Vrfy}')$ is existential unforgeable MAC.

Proof: ?
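
An added example, not part of the lecture: Construction 13 built on a length-restricted MAC in the style of Construction 10, run once with a collision-resistant hash and once with a hash that is not, to show where the assumption in Claim 14 is used. Assumptions of this sketch: HMAC-SHA256 stands in for the PRF, unkeyed SHA-256 stands in for $h \leftarrow \mathcal{H}_n$, the XOR-fold hash `h_weak` and all function names are constructed for illustration, and lengths are in bytes.

```python
import hashlib
import hmac
import secrets

N = 32  # the inner MAC accepts only messages of exactly N bytes

def gen():
    return secrets.token_bytes(N)

def mac_fixed(k, m):
    """Length-restricted MAC: a PRF stand-in applied to an N-byte message."""
    if len(m) != N:
        raise ValueError("length-restricted MAC: message must be exactly N bytes")
    return hmac.new(k, m, hashlib.sha256).digest()

def vrfy_fixed(k, m, t):
    return hmac.compare_digest(mac_fixed(k, m), t)

def h_crh(m):
    """Stand-in for a collision-resistant h: {0,1}* -> {0,1}^n."""
    return hashlib.sha256(m).digest()

def h_weak(m):
    """NOT collision resistant: XOR-folds the message into N bytes."""
    out = bytearray(N)
    for i, b in enumerate(m):
        out[i % N] ^= b
    return bytes(out)

def mac_any(k, h, m):
    """Mac'_{k,h}(m) = Mac_k(h(m))"""
    return mac_fixed(k, h(m))

def vrfy_any(k, h, m, t):
    """Vrfy'_{k,h} checks the tag against h(m) under the inner scheme."""
    return vrfy_fixed(k, h(m), t)

def tag_transfers(h):
    """True if the tag issued for m1 also verifies for a different m2 never sent to Mac'."""
    k = gen()
    m1 = b"A" * N + b"B" * N  # constructed messages: same two blocks, swapped,
    m2 = b"B" * N + b"A" * N  # so they collide under XOR-folding
    t = mac_any(k, h_weak if h is h_weak else h, m1)
    return vrfy_any(k, h, m2, t)

if __name__ == "__main__":
    print("weak hash, tag transfers:", tag_transfers(h_weak))  # True
    print("SHA-256,   tag transfers:", tag_transfers(h_crh))   # False
```

Any collision in $h$ is a forgery against the composed scheme even though the inner MAC was never broken, which is why Claim 14 needs both assumptions.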