foundation of cryptography 0368 4162 01 lecture 7
play

Foundation of Cryptography (0368-4162-01), Lecture 7 MACs and - PowerPoint PPT Presentation

Message Authentication Code (MAC) Constructions Signature Schemes OWFs = Signatures Foundation of Cryptography (0368-4162-01), Lecture 7 MACs and Signatures Iftach Haitner, Tel Aviv University December 27, 2011 Message Authentication


  1. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Foundation of Cryptography (0368-4162-01), Lecture 7 MACs and Signatures Iftach Haitner, Tel Aviv University December 27, 2011

  2. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Section 1 Message Authentication Code (MAC)

  3. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Message Authentication Code (MAC) Definition 1 (MAC) A trippet of PPT ’s ( Gen , Mac , Vrfy ) such that Gen ( 1 n ) outputs a key k ∈ { 0 , 1 } ∗ 1 Mac ( k , m ) outputs a “tag" t 2 Vrfy ( k , m , t ) output 1 (YES) or 0 (NO) 3

  4. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Message Authentication Code (MAC) Definition 1 (MAC) A trippet of PPT ’s ( Gen , Mac , Vrfy ) such that Gen ( 1 n ) outputs a key k ∈ { 0 , 1 } ∗ 1 Mac ( k , m ) outputs a “tag" t 2 Vrfy ( k , m , t ) output 1 (YES) or 0 (NO) 3 Consistency: Vrfy k ( m , t ) = 1 for any k ∈ Supp ( Gen ( 1 n )) , m ∈ { 0 , 1 } n and t = Mac k ( m )

  5. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Message Authentication Code (MAC) Definition 1 (MAC) A trippet of PPT ’s ( Gen , Mac , Vrfy ) such that Gen ( 1 n ) outputs a key k ∈ { 0 , 1 } ∗ 1 Mac ( k , m ) outputs a “tag" t 2 Vrfy ( k , m , t ) output 1 (YES) or 0 (NO) 3 Consistency: Vrfy k ( m , t ) = 1 for any k ∈ Supp ( Gen ( 1 n )) , m ∈ { 0 , 1 } n and t = Mac k ( m ) Definition 2 (Existential unforgability) A MAC ( Gen , Mac , Vrfy ) is existential unforgeable (EU), if for any oracle-aided PPT A: � k ← Gen ( 1 n ); ( m , t ) ← A Mac k , Vrfy k ( 1 n ): Pr � Vrfy k ( m , t ) = 1 ∧ Mac k was not asked on m = neg ( n )

  6. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures “Private key" definition

  7. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures “Private key" definition Security definition too strong?

  8. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures “Private key" definition Security definition too strong? Any message? Use of Verifier?

  9. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures “Private key" definition Security definition too strong? Any message? Use of Verifier? “Replay attacks"

  10. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures “Private key" definition Security definition too strong? Any message? Use of Verifier? “Replay attacks" strong MACS

  11. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Length-restricted MACs Definition 3 (Length-restricted MAC) Same as in Definition 1, but for k ∈ Supp ( G ( 1 n )) , Mac k and Vrfy k only accept messages of length n .

  12. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Bounded-query MACs Definition 4 ( ℓ -time MAC) A MAC scheme is existential unforgeable against ℓ queries (for short, ℓ -time MAC), if it is existential unforgeable as in Definition 2, but A can only ask for ℓ queries.

  13. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Section 2 Constructions

  14. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Zero-time, restricted length, MAC Construction 5 (Zero-time, restricted length, MAC) Gen ( 1 n ) : outputs k ← { 0 , 1 } n Mac k ( m ) = k Vrfy k ( m , t ) = 1, iff t = k

  15. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Zero-time, restricted length, MAC Construction 5 (Zero-time, restricted length, MAC) Gen ( 1 n ) : outputs k ← { 0 , 1 } n Mac k ( m ) = k Vrfy k ( m , t ) = 1, iff t = k Claim 6 The above scheme is a length-restricted, zero-time MAC

  16. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures ℓ -wise independent hash Definition 7 ( ℓ -wise independent) A function family H from { 0 , 1 } n to { 0 , 1 } m is ℓ -wise independent, where ℓ ∈ N , if for every distinct x 1 , . . . , x ℓ ∈ { 0 , 1 } n and every y 1 , . . . , y ℓ ∈ { 0 , 1 } m , it holds that Pr h ←H [ h ( x 1 ) = y 1 ∧ · · · ∧ h ( x ℓ ) = y ℓ ] = 2 − ℓ m .

  17. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures ℓ -times, restricted length, MAC Construction 8 ( ℓ -time MAC) Let H = {H n : { 0 , 1 } n �→ { 0 , 1 } n } be an efficient ( ℓ + 1 ) -wise independent function family. Gen ( 1 n ) : outputs h ← H n Mac ( h , m ) = h ( m ) Vrfy ( h , m , t ) = 1, iff t = h ( m )

  18. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures ℓ -times, restricted length, MAC Construction 8 ( ℓ -time MAC) Let H = {H n : { 0 , 1 } n �→ { 0 , 1 } n } be an efficient ( ℓ + 1 ) -wise independent function family. Gen ( 1 n ) : outputs h ← H n Mac ( h , m ) = h ( m ) Vrfy ( h , m , t ) = 1, iff t = h ( m ) Claim 9 The above scheme is a length-restricted, ℓ -time MAC

  19. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures ℓ -times, restricted length, MAC Construction 8 ( ℓ -time MAC) Let H = {H n : { 0 , 1 } n �→ { 0 , 1 } n } be an efficient ( ℓ + 1 ) -wise independent function family. Gen ( 1 n ) : outputs h ← H n Mac ( h , m ) = h ( m ) Vrfy ( h , m , t ) = 1, iff t = h ( m ) Claim 9 The above scheme is a length-restricted, ℓ -time MAC Proof : HW

  20. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures OWF = ⇒ existential unforgeable MAC Construction 10 Same as Construction 8, but uses function F = {F n : { 0 , 1 } n �→ { 0 , 1 } n } instead of H . Claim 11 Assuming that F is a PRF , then Construction 10 is an existential unforgeable MAC.

  21. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures OWF = ⇒ existential unforgeable MAC Construction 10 Same as Construction 8, but uses function F = {F n : { 0 , 1 } n �→ { 0 , 1 } n } instead of H . Claim 11 Assuming that F is a PRF , then Construction 10 is an existential unforgeable MAC. Proof :

  22. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures OWF = ⇒ existential unforgeable MAC Construction 10 Same as Construction 8, but uses function F = {F n : { 0 , 1 } n �→ { 0 , 1 } n } instead of H . Claim 11 Assuming that F is a PRF , then Construction 10 is an existential unforgeable MAC. Proof : Easy to prove if F is a family of random functions. Hence, also holds in case F is a PRF .

  23. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Any Length Collision Resistant Hash Family Definition 12 (collision resistant hash family (CRH)) A function family H = {H n : { 0 , 1 } ∗ �→ { 0 , 1 } n } is collision resistant, if Pr [ h ← H n , ( x , x ′ ) ← A ( 1 n , h ): x � = x ′ ∈ { 0 , 1 } ∗ ∧ h ( x ) = h ( x ′ )] = neg ( n ) for any PPT A.

  24. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Any Length Collision Resistant Hash Family Definition 12 (collision resistant hash family (CRH)) A function family H = {H n : { 0 , 1 } ∗ �→ { 0 , 1 } n } is collision resistant, if Pr [ h ← H n , ( x , x ′ ) ← A ( 1 n , h ): x � = x ′ ∈ { 0 , 1 } ∗ ∧ h ( x ) = h ( x ′ )] = neg ( n ) for any PPT A. Not known to be implied by OWF

  25. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Any Length Length restricted MAC = ⇒ MAC Construction 13 (Length restricted MAC = ⇒ MAC) Let ( Gen , Mac , Vrfy ) be a length-restricted MAC, and let H = {H n : { 0 , 1 } ∗ �→ { 0 , 1 } n } be an efficient function family. Gen ′ ( 1 n ) : k ← Gen ( 1 n ) , h ← H n . Set k ′ = ( k , h ) Mac ′ k , h ( m ) = Mac k ( h ( m )) Vrfy ′ k , h ( t , m ) = Vrfy k ( t , h ( m ))

  26. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Any Length Length restricted MAC = ⇒ MAC Construction 13 (Length restricted MAC = ⇒ MAC) Let ( Gen , Mac , Vrfy ) be a length-restricted MAC, and let H = {H n : { 0 , 1 } ∗ �→ { 0 , 1 } n } be an efficient function family. Gen ′ ( 1 n ) : k ← Gen ( 1 n ) , h ← H n . Set k ′ = ( k , h ) Mac ′ k , h ( m ) = Mac k ( h ( m )) Vrfy ′ k , h ( t , m ) = Vrfy k ( t , h ( m )) Claim 14 Assume H is an efficient collision-resistant family and ( Gen , Mac , Vrfy ) is existential unforgeable, then ( Gen ′ , Mac ′ , Vrfy ′ ) is existential unforgeable MAC.

  27. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Any Length Length restricted MAC = ⇒ MAC Construction 13 (Length restricted MAC = ⇒ MAC) Let ( Gen , Mac , Vrfy ) be a length-restricted MAC, and let H = {H n : { 0 , 1 } ∗ �→ { 0 , 1 } n } be an efficient function family. Gen ′ ( 1 n ) : k ← Gen ( 1 n ) , h ← H n . Set k ′ = ( k , h ) Mac ′ k , h ( m ) = Mac k ( h ( m )) Vrfy ′ k , h ( t , m ) = Vrfy k ( t , h ( m )) Claim 14 Assume H is an efficient collision-resistant family and ( Gen , Mac , Vrfy ) is existential unforgeable, then ( Gen ′ , Mac ′ , Vrfy ′ ) is existential unforgeable MAC. Proof : ?

Recommend


More recommend