Improving the security of MACs via randomized message preprocessing
Yevgeniy Dodis (New York University), Krzysztof Pietrzak (CWI Amsterdam)
March 26, 2007
FSE 2007, March 27, 2007

Symmetric Authentication: Message Authentication Codes
[Figure: Kermit, holding $M$ and $K$, sends $(M, \phi)$ with $\phi = \mathrm{MAC}(K, M)$; Peggy, holding $K$, receives $(M', \phi')$ and checks $\phi' \stackrel{?}{=} \mathrm{MAC}(K, M')$.]
◮ Kermit and Peggy share a secret key $K$.
◮ Kermit sends an authentication tag $\phi = \mathrm{MAC}(K, M)$ together with message $M$.
◮ Peggy accepts $M'$ iff $\phi' = \mathrm{MAC}(K, M')$.
◮ Security: It should be hard for Beeker (who does not know $K$) to come up with a pair $(M', \phi')$ where
  ◮ $\phi' = \mathrm{MAC}(K, M')$
  ◮ Kermit did not already send $(M', \phi)$

Asymmetric Authentication: Digital Signatures
[Figure: Kermit, holding $M$, $Sk$ and $Pk$, sends $(M, \phi)$ with $\phi = \mathrm{Sign}(Sk, M)$; Peggy, holding $Pk$, receives $(M', \phi')$ and runs $\mathrm{Verify}(Pk, \phi', M')$.]
◮ Kermit generates a secret/public-key pair $Sk, Pk$ and sends $Pk$ to Peggy over an authentic channel.
◮ Kermit sends the signature $\phi = \mathrm{Sign}(Sk, M)$ together with message $M$.
◮ Peggy accepts $M'$ iff $\mathrm{Verify}(Pk, \phi', M') = \text{accept}$.
◮ Security: It should be hard for Beeker (who does not know $Sk$) to come up with a pair $(M', \phi')$ where
  ◮ $\mathrm{Verify}(Pk, \phi', M') = \text{accept}$
  ◮ Kermit did not already send $(M', \phi)$

Hash then Sign/MAC/Encrypt
[Figure: four constructions.
  hash & Sign: $M$ → CRHF → Sign (key $Sk$) → $\phi$
  hash & MAC: $M$ → CRHF → MAC (key $K$) → $\phi$
  hash & Sign: $M, R$ → UOWHF → Sign (key $Sk$) → $\phi, R$
  hash & encrypt: $M$ → XUH (key $K_{hash}$) → Enc (key $K_{enc}$) → $\phi$]
◮ CRHF: $\Pr[A \to X, X' : H(X) = H(X')] = \text{small}$
◮ UOWHF: $\max_X \Pr_R[A(R) \to X' : H_R(X) = H_R(X')] = \text{small}$
◮ $\epsilon$-XUH: $\max_{X, X'} \Pr_{K_{hash}}[H_{K_{hash}}(X) = H_{K_{hash}}(X')] \le \epsilon$

Hash then Encrypt
[Figure: $M$ → XUH (key $K_{hash}$) → Enc (key $K_{enc}$) → $\phi$; in the analysis, $M$ → XUH (key $K$) → $E$ → $\phi$.]
To analyze the security we replace Enc with a uniformly random permutation $E : \{0,1\}^k \to \{0,1\}^k$.

Sample $K$ and $E$ at random.
[Figure: MAC queries: $M_i$ → $H$ (key $K$) → $E$ → $\phi_i$. Forgery queries: $M'_j, \phi'_j$; $M'_j$ → $H$ (key $K$) → $E$ → $\phi''_j$.]
Beeker wins if for some $j$, $\phi''_j = \phi'_j$.
Theorem (security of hash then encrypt)
If $H$ is $\epsilon$-universal then
$\Pr[\text{Beeker wins}] \le \epsilon \cdot q_{mac}^2 + \epsilon \cdot q_{forge}$
where $q_{mac}$ / $q_{forge}$ is the number of MAC / forgery queries.

Proof.
$\Pr[\text{Beeker wins}] \le \Pr[\text{collision}] + \Pr[\text{forgery} \mid \text{no collision}] \le \epsilon \cdot q_{mac}^2 + \epsilon \cdot q_{forge}$

Corollary ($q = q_{mac} + q_{forge}$)
If $H$ is $O(1/2^k)$ universal, then the security is $O(q^2/2^k)$.
If $H$ is $O(|M|/2^k)$ universal, then the security is $O(|M| q^2/2^k)$.
Can we get $O(q^2/2^k)$ security using $O(|M|/2^k)$ universal hashing?
Yes, by randomizing the message using only $O(\log(|M|))$ random bits.

Almost universal hash-functions
Definition ($\epsilon$-universal hash function)
$H : \mathcal{K} \times \mathcal{M} \to \mathcal{T}$ is $\epsilon$-universal if
$\forall M \ne M' \in \mathcal{M} : \Pr_{K \in \mathcal{K}}[H(K, M) = H(K, M')] \le \epsilon$
◮ $H : \mathbb{Z}_L^2 \times \mathbb{Z}_L \to \mathbb{Z}_\ell$ where $H_{x,y}(M) = (x \cdot M + y \bmod L) \bmod \ell$ is $1/\ell$-universal.
◮ $H : \mathbb{Z}_\ell \times \mathbb{Z}_\ell^d \to \mathbb{Z}_\ell$ where $H_x(M_1, \ldots, M_d) = x \cdot M_1 + x^2 \cdot M_2 + \cdots + x^d \cdot M_d$ is $d/\ell$-universal.

The salted hash-function paradigm
A salted hash function $H$ is $(\epsilon_{forge}, \epsilon_{mac})$-universal if
◮ Inputs collide with probability $\le \epsilon_{forge}$ if salt is not random.
◮ Inputs collide with probability $\le \epsilon_{mac}$ if salt is random.
Definition ($(\epsilon_{forge}, \epsilon_{mac})$-universal salted hash function)
$H : \mathcal{P} \times \mathcal{K} \times \mathcal{M} \to \mathcal{T}$ is $(\epsilon_{forge}, \epsilon_{mac})$-universal if
$\forall (M, P) \ne (M', P') : \Pr_{K \in \mathcal{K}}[H(K, P, M) = H(K, P', M')] \le \epsilon_{forge}$
$\forall (M, M', P) : \Pr_{K \in \mathcal{K},\, P' \in \mathcal{P}}[H(K, P, M) = H(K, P', M')] \le \epsilon_{mac}$

Salted hash then encrypt
[Figure: two constructions.
  hash then encrypt: $M$ → $\epsilon$-XUH (key $K$) → $E$ → $\phi$
  salted hash then encrypt: $M$ → $(\epsilon_{forge}, \epsilon_{mac})$-XUH (key $K$, salt $P$) → $E$ → $\phi, P$]
On each invocation a random salt $P$ is chosen by the MAC.

Sample $K$ and $E$ at random.
[Figure: MAC queries: $M_i$ → $H$ (key $K$, random salt $P \in \mathcal{P}$) → $E$ → $\phi_i, P$. Forgery queries: $P_j, M'_j, \phi'_j$; $P_j, M'_j$ → $H$ (key $K$) → $E$ → $\phi''_j$.]
Beeker wins if for some $j$, $\phi''_j = \phi'_j$.
Theorem (security of salted hash then encrypt)
If $H$ is $(\epsilon_{forge}, \epsilon_{mac})$-universal then
$\Pr[\text{Beeker wins}] \le \epsilon_{mac} \cdot q_{mac}^2 + \epsilon_{forge} \cdot q_{forge}$
where $q_{mac}$ / $q_{forge}$ is the number of MAC / forgery queries.

To achieve optimal $O(q^2/2^k)$ security ($q = q_{mac} + q_{forge}$), we just need $\epsilon_{mac} \in \Theta(1/2^k)$ but $\epsilon_{forge}$ can be much bigger.
As the salt is part of the output, we want the domain $\mathcal{P}$ for the salt to be small.

The generic result, proof of concept [1]
[Figure: $M \in \{0,1\}^L$ → $H$ → $\{0,1\}^k$ ⇒ $M \| P \in \{0,1\}^L \times \{0,1\}^{\log L}$ → $g$ → $H$ → $\{0,1\}^k$]
Theorem (generic construction)
Let $H : \{0,1\}^L \to \{0,1\}^k$ be $L/2^k$-universal & balanced.
$\exists$ permutation $g$ over $\{0,1\}^{L + \log(L)}$ such that, with $P \in \{0,1\}^{\log L}$,
$H'(K, P, M) := H(K, g(M \| P))$
is $(\epsilon_{forge}, \epsilon_{mac})$-universal with
$\epsilon_{forge} = (L + \log(L))/2^k$, $\epsilon_{mac} = 2/2^k$

The generic result, proof of concept [2]
Generic Construction
◮ Optimal $\epsilon_{mac} = 2/2^k$.
◮ Salt of length $\log(L)$ if $H$ is $L/2^k$-universal. In general: If $H$ is $L^c/2^k$-universal, then salt will be $c \cdot \log(L)$.
◮ Non-constructive.

A concrete example: polynomial evaluation [1]
$H : \mathbb{Z}_\ell \times \mathbb{Z}_\ell^d \to \mathbb{Z}_\ell$ where $H_x(M_1, \ldots, M_d) = x \cdot M_1 + x^2 \cdot M_2 + \cdots + x^d \cdot M_d$ is $d/\ell$-universal.
Theorem (set constant coefficient completely random)
$H' : \mathbb{Z}_\ell \times \mathbb{Z}_\ell \times \mathbb{Z}_\ell^d \to \mathbb{Z}_\ell$ where
$H'_x(P, M_1, \ldots, M_d) = P + x \cdot M_1 + x^2 \cdot M_2 + \cdots + x^d \cdot M_d$
is $(\epsilon_{forge}, \epsilon_{mac})$-universal with $\epsilon_{forge} = d/\ell$ and optimal $\epsilon_{mac} = 1/\ell$.
Proof.
$H'_x(P, M) = H'_x(P', M')$ for exactly one possible $P \in \mathbb{Z}_\ell$, thus $\epsilon_{mac} = 1/\ell$.

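An added example, not part of the original slides: an exhaustive check of both collision bounds of the salted polynomial hash $H'_x$ for toy parameters. The values $\ell = 7$ and $d = 2$ and all function names are constructed for illustration, and $\ell$ is assumed prime so that $\mathbb{Z}_\ell$ is a field.

```python
from itertools import combinations, product

ELL = 7  # constructed toy modulus; assumed prime so that Z_ell is a field
D = 2    # constructed number of message blocks d

def salted_poly_hash(x, p, msg, ell=ELL):
    """H'_x(P, M_1..M_d) = P + x*M_1 + x^2*M_2 + ... + x^d*M_d  (mod ell)."""
    acc = 0
    for block in reversed(msg):  # Horner's rule, highest power first
        acc = (acc + block) * x % ell
    return (p + acc) % ell

def worst_forge_collisions(ell=ELL, d=D):
    """Forgery setting: both salts are fixed by the adversary.
    Returns the max number of keys x under which two distinct inputs collide."""
    inputs = [(p, m) for p in range(ell) for m in product(range(ell), repeat=d)]
    worst = 0
    for a, b in combinations(inputs, 2):
        hits = sum(salted_poly_hash(x, *a, ell=ell) == salted_poly_hash(x, *b, ell=ell)
                   for x in range(ell))
        worst = max(worst, hits)
    return worst

def mac_collisions_per_salt(ell=ELL, d=D):
    """MAC setting: the second salt P' is fresh and uniform.
    Returns the set of counts of colliding P' seen over all (x, M, M', P)."""
    msgs = list(product(range(ell), repeat=d))
    counts = set()
    for x, m, m2, p in product(range(ell), msgs, msgs, range(ell)):
        target = salted_poly_hash(x, p, m, ell=ell)
        counts.add(sum(salted_poly_hash(x, p2, m2, ell=ell) == target
                       for p2 in range(ell)))
    return counts

if __name__ == "__main__":
    # Worst case over all input pairs: number of colliding keys out of ell
    print("eps_forge =", worst_forge_collisions(), "/", ELL)
    # Number of colliding fresh salts for every (key, M, M', P) combination
    print("colliding salts per query:", mac_collisions_per_salt())
```

The forgery-side count reaches $d$ keys out of $\ell$, while the MAC-side count is exactly one salt out of $\ell$ for every key, independent of $d$; this is why the $q_{mac}^2$ term in the salted bound no longer grows with the message length.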