
Hash functions: MAC / HMAC (PDF document, slides after D. Stinson, Cryptography – Theory and Practice, 3rd ed., Chap. 4)



1. Hash functions: MAC / HMAC

Outline
• Message Authentication Codes
• Keyed hash family
• Unconditionally Secure MACs
• Ref: D. Stinson, Cryptography – Theory and Practice (3rd ed.), Chap. 4.

Universal hash family
• Notations:
  – X is a set of possible messages
  – Y is a finite set of possible message digests or authentication tags
  – F^{X,Y} is the set of all functions from X to Y
• Definition 4.1: A keyed hash family is a four-tuple F = (X, Y, K, H), where the following conditions are satisfied:
  – K, the keyspace, is a finite set of possible keys
  – H, the hash family, is a finite set of at most |K| hash functions. For each K ∈ K, there is a hash function h_K ∈ H, with h_K : X → Y
• Compression function:
  – X is a finite set, N = |X|. E.g. X = {0,1}^{k+r}, N = 2^{k+r}
  – Y is a finite set, M = |Y|. E.g. Y = {0,1}^r, M = 2^r
  – |F^{X,Y}| = M^N
  – F is denoted an (N,M)-hash family

2. Random Oracle Model
– A model in which to analyze the probability of computing a preimage, a second preimage or a collision:
– In this model,
  • a hash function h_K : X → Y is chosen randomly from F^{X,Y}
  • the only way to compute a value h_K(x) is to query the oracle.
– THEOREM 4.1: Suppose that h ∈ F^{X,Y} is chosen randomly, and let X_0 ⊆ X. Suppose that the values h(x) have been determined (by querying an oracle for h) if and only if x ∈ X_0. Then, for all x ∈ X \ X_0 and all y ∈ Y, Pr[h(x) = y] = 1/M.

Algorithms in the Random Oracle Model
– Randomized algorithms make random choices during their execution.
– A Las Vegas algorithm is a randomized algorithm that
  • may fail to give an answer;
  • if it does return an answer, then the answer must be correct.
– A randomized algorithm has average-case success probability ε if the probability that the algorithm returns a correct answer, averaged over all problem instances of a specified size, is at least ε (0 ≤ ε < 1). For x randomly chosen among all inputs of size s: Pr[Algo(x) is correct] ≥ ε.
– (ε,q)-algorithm: terminology designating a Las Vegas algorithm such that
  • the average-case success probability is ε, and
  • the number of oracle queries made by the algorithm is at most q.

3. Example of an (ε,q)-algorithm
• Algorithm 4.1: FIND PREIMAGE(h, y, q)
  – choose any X_0 ⊆ X with |X_0| = q
  – for each x ∈ X_0 do { if h(x) = y then return (x); }
  – return (failure)
• THEOREM 4.2: For any X_0 ⊆ X with |X_0| = q, the average-case success probability of Algorithm 4.1 is ε = 1 − (1 − 1/M)^q. Algorithm 4.1 is a (1 − (1 − 1/M)^q, q)-algorithm.
• Proof: Let y ∈ Y be fixed. Let X_0 = {x_1, x_2, ..., x_q}. The algorithm is successful iff there exists i such that h(x_i) = y.
• For 1 ≤ i ≤ q, let E_i denote the event "h(x_i) = y". The E_i's are independent events; from Theorem 4.1, Pr[E_i] = 1/M for all 1 ≤ i ≤ q. Therefore,
  Pr[E_1 ∨ E_2 ∨ ... ∨ E_q] = 1 − (1 − 1/M)^q
  The success probability of Algorithm 4.1, for any fixed y, is constant. Therefore, the success probability averaged over all y ∈ Y is identical, too.

Message Authentication Codes
• One common way of constructing a MAC is to incorporate a secret key into an unkeyed hash function.
• Suppose we construct a keyed hash function h_K from an unkeyed iterated hash function h, by defining IV = K and keeping this initial value secret.
• Attack: the adversary can easily compute the hash of a new message without knowing K (the IV), with a (1,1)-algorithm:
  – Let t = size of the blocks in the iterated scheme
  – Choose x and compute z_r = h(x || pad(x)) (one oracle call)
  – Let x' = x || pad(x) || w, where w is any bitstring of length t. Let y' = x' || pad(x') = x || pad(x) || w || pad(x') (the padding rule is known)
  – Now compute z' = IteratedScheme(z_r, w || pad(x')), i.e. continue the iteration from z_r over the remaining blocks (the iterated scheme is known)
  – Return z'
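Theorem 4.2 checked by simulation, as an added example that is not part of the slides: each trial draws a fresh random function from F^{X,Y} lazily (the oracle assigns a uniform digest to every unqueried x, as Theorem 4.1 states) and runs Algorithm 4.1 with q queries. The set sizes N, M and the trial count are constructed values.

```python
import random
from typing import Callable, Dict, Iterable, Optional

def find_preimage(h: Callable[[int], int], y: int, X0: Iterable[int]) -> Optional[int]:
    """Algorithm 4.1: FIND PREIMAGE(h, y, q) with X_0 = X0, |X_0| = q; None means failure."""
    for x in X0:
        if h(x) == y:
            return x
    return None

def theoretical_success(M: int, q: int) -> float:
    """Theorem 4.2: epsilon = 1 - (1 - 1/M)^q."""
    return 1.0 - (1.0 - 1.0 / M) ** q

def simulate(N: int, M: int, q: int, trials: int, seed: int = 1) -> float:
    """Empirical success rate of Algorithm 4.1 against a random oracle with |X| = N, |Y| = M."""
    rng = random.Random(seed)
    successes = 0
    for _ in range(trials):
        table: Dict[int, int] = {}      # the oracle's record of already-answered queries

        def h(x: int) -> int:
            # Theorem 4.1: an x not yet queried gets a uniformly random digest in Y
            if x not in table:
                table[x] = rng.randrange(M)
            return table[x]

        y = rng.randrange(M)                 # fixed target digest
        X0 = rng.sample(range(N), q)         # any X_0 subset of X with |X_0| = q
        if find_preimage(h, y, X0) is not None:
            successes += 1
    return successes / trials

if __name__ == "__main__":
    # constructed parameters: M = 16 digests, q = 4 queries -> epsilon = 1 - (15/16)^4
    print(theoretical_success(16, 4), simulate(N=1024, M=16, q=4, trials=20000))
```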

4. Message Authentication Codes
– Assume the MD (Merkle–Damgård) iterated scheme is used, and let z_r = h_K(x). Writing y_{r+1}, …, y_{r'} for the blocks of x' that follow those of x, the adversary computes
  z_{r+1} ← compress(h_K(x) || y_{r+1})
  z_{r+2} ← compress(z_{r+1} || y_{r+2})
  …
  z_{r'} ← compress(z_{r'−1} || y_{r'})
  and returns z_{r'}, which satisfies z_{r'} = h_K(x').
• Def: an (ε,q)-forger is an adversary who
  – queries messages x_1, …, x_q,
  – outputs a pair (x, y) with x ∉ {x_1, …, x_q},
  – such that, with probability at least ε, the output is a forgery (i.e. a correct pair (x, h_K(x))).

Nested MACs and HMAC
– A nested MAC builds a MAC algorithm from the composition of two hash families
  • (X, Y, K, G), (Y, Z, L, H)
  • composition: (X, Z, M, G ∘ H)
  • M = K × L
  • G ∘ H = { g ∘ h : g ∈ G, h ∈ H }
  • (g ∘ h)_{(K,L)}(x) = h_L(g_K(x)) for all x ∈ X
– The nested MAC is secure if
  • (Y, Z, L, H) is secure as a MAC, given a fixed key, and
  • (X, Y, K, G) is collision-resistant, given a fixed key.
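The extension attack of slides 3 and 4, and the reason the nested construction resists it, on a toy iterated hash; this is an added example, not code from the slides. The compression function (SHA-256 truncated to 8 bytes), the 64-bit block size and the padding rule are constructed stand-ins for a real Merkle–Damgård hash, and the final function is a nested construction in the style of slide 4, not HMAC itself.

```python
import hashlib
import struct

T = 8  # block size in bytes (t = 64 bits) of the toy iterated scheme

def compress(state: bytes, block: bytes) -> bytes:
    """Public compression function: 8-byte chaining value, 8-byte block -> 8-byte value."""
    return hashlib.sha256(state + block).digest()[:T]

def pad(msg_len: int) -> bytes:
    """MD padding for a message of msg_len bytes: 0x80, zeros, 4-byte big-endian length."""
    p = b"\x80"
    while (msg_len + len(p) + 4) % T:
        p += b"\x00"
    return p + struct.pack(">I", msg_len)

def iterate(state: bytes, data: bytes) -> bytes:
    """Run the iterated scheme from chaining value `state` over whole blocks of `data`."""
    assert len(data) % T == 0
    for i in range(0, len(data), T):
        state = compress(state, data[i:i + T])
    return state

def secret_iv_mac(K: bytes, x: bytes) -> bytes:
    """h_K(x): the unkeyed iterated hash with IV = K kept secret (the broken construction)."""
    assert len(K) == T
    return iterate(K, x + pad(len(x)))

def extend(z_r: bytes, x_len: int, w: bytes):
    """Given only z_r = h_K(x), |x| and one block w, return (suffix, z') such that
    x' = x || suffix = x || pad(x) || w and z' = h_K(x'), without knowing K."""
    assert len(w) == T
    suffix = pad(x_len) + w
    x_prime_len = x_len + len(suffix)
    z_prime = iterate(z_r, w + pad(x_prime_len))   # continue from z_r over w || pad(x')
    return suffix, z_prime

def nested_mac(K: bytes, x: bytes) -> bytes:
    """Nested construction h_L(g_K(x)) built from the same toy hash with a public IV:
    the outer hash hides the inner chaining value, so there is nothing to extend from."""
    assert len(K) == T
    zero_iv = b"\x00" * T
    inner = iterate(zero_iv, K + x + pad(T + len(x)))
    return iterate(zero_iv, K + inner + pad(T + len(inner)))
```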

5. Nested MACs and HMAC
Three adversaries:
• a forger for the nested MAC (big MAC attack)
  – (K, L) is chosen and kept secret
  – the adversary chooses x and queries a big (nested) MAC oracle for values of h_L(g_K(x))
  – outputs (x', z) such that z = h_L(g_K(x')) (x' was not queried)
• a forger for the little MAC (little MAC attack), on (Y, Z, L, H)
  – L is chosen and kept secret
  – the adversary chooses y and queries a little MAC oracle for values of h_L(y)
  – outputs (y', z) such that z = h_L(y') (y' was not queried)

Nested MACs and HMAC
• a collision-finder for the hash function when the key is secret (unknown-key collision attack), on (X, Y, K, G)
  – K is secret
  – the adversary chooses x and queries a hash oracle for values of g_K(x)
  – outputs x', x'' such that x' ≠ x'' and g_K(x') = g_K(x'')

6. Nested MACs and HMAC
• THEOREM 4.9: Suppose (X, Z, M, G ∘ H) is a nested MAC. Suppose there does not exist an (ε_1, q+1)-collision attack for a randomly chosen function g_K ∈ G, when the key K is secret. Further, suppose that there does not exist an (ε_2, q)-forger for a randomly chosen function h_L ∈ H, where L is secret. Finally, suppose there exists an (ε, q)-forger for the nested MAC, for a randomly chosen function (g ∘ h)_{(K,L)} ∈ G ∘ H. Then ε ≤ ε_1 + ε_2.
• Proof: The adversary queries x_1, …, x_q to a big MAC oracle, gets (x_1, z_1), …, (x_q, z_q), and outputs a valid (x, z).

Proof (continued)
• x, x_1, …, x_q make q+1 queries to a hash oracle:
  y = g_K(x), y_1 = g_K(x_1), …, y_q = g_K(x_q)
• if y ∈ {y_1, …, y_q}, say y = y_i, then (x, x_i) is a solution to the collision problem.
• if y ∉ {y_1, …, y_q}, output (y, z), which is a valid pair for the little MAC.
• (The little MAC adversary makes the q little MAC queries y_1, …, y_q and gets (y_1, z_1), …, (y_q, z_q).)
• The probability that (x, z) is valid and y ∉ {y_1, …, y_q} is at least ε − ε_1.
• The success probability of any little MAC attack is at most ε_2,
• so ε_2 ≥ ε − ε_1, i.e. ε ≤ ε_1 + ε_2.

7. Nested MACs and HMAC
• HMAC is a nested MAC algorithm that is proposed as a FIPS standard.
• HMAC_K(x) = SHA-1( (K ⊕ opad) || SHA-1( (K ⊕ ipad) || x ) )
  – x is a message
  – K is a 512-bit key
  – ipad = 3636…36 (512 bits)
  – opad = 5C5C…5C (512 bits)

CBC-MAC(x, K)
Cryptosystem 4.2: CBC-MAC(x, K)
• denote x = x_1 || … || x_n, each x_i a bitstring of length t
• IV ← 00…0 (t zeroes)
• y_0 ← IV
• for i ← 1 to n do y_i ← e_K(y_{i−1} ⊕ x_i)
• return (y_n)
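The HMAC formula above written out directly and checked against Python's `hmac` module; this is an added example, not code from the slides or from any HMAC implementation. It goes slightly beyond the slide: besides a 512-bit key it applies the RFC 2104 key handling (shorter keys zero-padded to the block, longer keys hashed first), and the `hash_name` parameter lets the same 64-byte ipad/opad be used with SHA-256, whose block size is also 512 bits.

```python
import hashlib
import hmac

BLOCK = 64                        # 512-bit block size of SHA-1 (and of SHA-256)
IPAD = bytes([0x36]) * BLOCK      # ipad = 3636...36 (512 bits)
OPAD = bytes([0x5C]) * BLOCK      # opad = 5C5C...5C (512 bits)

def hmac_from_definition(K: bytes, x: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC_K(x) = H( (K xor opad) || H( (K xor ipad) || x ) ), H = SHA-1 by default."""
    if len(K) > BLOCK:                       # RFC 2104: hash keys longer than one block
        K = hashlib.new(hash_name, K).digest()
    K = K.ljust(BLOCK, b"\x00")              # RFC 2104: zero-pad shorter keys to 512 bits
    k_ipad = bytes(a ^ b for a, b in zip(K, IPAD))
    k_opad = bytes(a ^ b for a, b in zip(K, OPAD))
    inner = hashlib.new(hash_name, k_ipad + x).digest()   # inner hash: SHA-1((K^ipad)||x)
    return hashlib.new(hash_name, k_opad + inner).digest()  # outer hash over (K^opad)||inner

def verify_tag(K: bytes, x: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Constant-time comparison of a received tag against the recomputed HMAC."""
    return hmac.compare_digest(hmac_from_definition(K, x, hash_name), tag)

if __name__ == "__main__":
    key = bytes(range(64))                    # constructed 512-bit key
    print(hmac_from_definition(key, b"message").hex())
```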

8. CBC-MAC(x, K)
• (1/2, O(2^{t/2}))-forger attack
  – n ≥ 3, q ≈ 1.17 × 2^{t/2}
  – x_3, …, x_n are fixed bitstrings of length t.
  – choose any q distinct bitstrings of length t, x_1^1, …, x_1^q, and randomly choose x_2^1, …, x_2^q
  – define x_l^i = x_l, for 1 ≤ i ≤ q and 3 ≤ l ≤ n
  – define x^i = x_1^i || … || x_n^i for 1 ≤ i ≤ q
  – x^i ≠ x^j if i ≠ j, because x_1^i ≠ x_1^j.
  – The adversary requests the MACs of x^1, x^2, …, x^q

CBC-MAC(x, K)
  – In the computation of the MAC of each x^i, the values y_0^i, …, y_n^i are computed, and y_n^i is the resulting MAC. Now suppose that x^i and x^j have identical MACs.
  – h_K(x^i) = h_K(x^j) if and only if y_2^i = y_2^j, which happens if and only if y_1^i ⊕ x_2^i = y_1^j ⊕ x_2^j.
  – Let x_δ be any bitstring of length t
  – v = x_1^i || (x_2^i ⊕ x_δ) || … || x_n^i
  – w = x_1^j || (x_2^j ⊕ x_δ) || … || x_n^j
  – The adversary requests the MAC of v
  – It is not difficult to see that v and w have identical MACs, so the adversary is able to construct the MAC of w, i.e. h_K(w) = h_K(v), without ever querying w.
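The birthday bound above made concrete, as an added example that is not part of the slides: Cryptosystem 4.2 over a toy 16-bit block cipher (a keyed random permutation standing in for e_K, a constructed choice so that 2^{t/2} is a few hundred) together with the slide's forger, showing why the security of CBC-MAC is limited by the block length t and the number of tags an adversary may collect. The oracle loop keeps querying until a collision appears, so the returned query count can be compared with the expected 1.17 × 2^{t/2}.

```python
import random
from typing import Callable, List, Optional, Tuple

T = 16                         # block length t in bits (toy size: 2^{t/2} = 256)
SPACE = 1 << T

def make_cipher(K: int) -> Callable[[int], int]:
    """Toy block cipher e_K: a keyed random permutation of {0,1}^t (not a real cipher)."""
    perm = list(range(SPACE))
    random.Random(K).shuffle(perm)
    return lambda block: perm[block]

def cbc_mac(e_K: Callable[[int], int], x: List[int]) -> int:
    """Cryptosystem 4.2: y_0 = 0...0, y_i = e_K(y_{i-1} xor x_i), return y_n."""
    y = 0
    for x_i in x:
        y = e_K(y ^ x_i)
    return y

def birthday_forgery(mac_oracle: Callable[[List[int]], int], n: int = 3,
                     max_q: int = 4096, seed: int = 0) -> Optional[Tuple[List[int], int, int]]:
    """The (1/2, O(2^{t/2}))-forger of the slides: distinct x_1^i, random x_2^i, fixed x_3..x_n.
    On the first MAC collision x^i, x^j it returns (w, h_K(w), number of oracle queries used),
    where w was never queried; None if no collision within max_q queries."""
    rng = random.Random(seed)
    fixed = [rng.randrange(SPACE) for _ in range(n - 2)]   # x_3, ..., x_n
    first_blocks = rng.sample(range(SPACE), max_q)          # q distinct x_1^i
    seen = {}                                               # tag -> message that produced it
    for q, x1 in enumerate(first_blocks, start=1):
        msg = [x1, rng.randrange(SPACE)] + fixed
        tag = mac_oracle(msg)
        if tag in seen:
            xi, xj = seen[tag], msg       # y_2^i = y_2^j, so y_1^i ^ x_2^i = y_1^j ^ x_2^j
            x_delta = rng.randrange(1, SPACE)
            v = [xi[0], xi[1] ^ x_delta] + fixed
            w = [xj[0], xj[1] ^ x_delta] + fixed
            return w, mac_oracle(v), q + 1   # MAC(w) = MAC(v); one more query, for v
        seen[tag] = msg
    return None
```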

9. 4.5 Unconditionally Secure MACs (Skip this section!!)
• Unconditionally secure MACs
  – a key is used to produce only one authentication tag
  – an adversary makes at most one query.
• Deception probability Pd_q
  – the maximum value of ε such that an (ε,q)-forger exists, for q = 0, 1
• payoff(x, y) = Pr[y = h_{K0}(x)]
• Impersonation attack ((ε,0)-forger)
  – Pd_0 = max{ payoff(x, y) : x ∈ X, y ∈ Y } (4.1)

Unconditionally Secure MACs
• Substitution attack ((ε,1)-forger)
  – query x, and y is the reply, x ∈ X, y ∈ Y
  – the probability that (x', y') is valid is payoff(x', y'; x, y), with x' ∈ X and x ≠ x'
  – payoff(x', y'; x, y) = Pr[y' = h_{K0}(x') | y = h_{K0}(x)] =
  – V = {(x, y) : |{K ∈ K : h_K(x) = y}| ≥ 1}
  – Pd_1 = max{ payoff(x', y'; x, y) : x, x' ∈ X, y, y' ∈ Y, (x, y) ∈ V, x ≠ x' } (4.2)
