CIS 5371 Cryptography
4. Message Authentication Codes
Based on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography
Message Authentication Codes
Encryption vs message authentication
• Different functionalities
• Encryption does not provide message authentication!
• Encryption with stream ciphers
• For one just needs to flip a bit of the ciphertext.
• Encryption with block ciphers
• Same attack (flipping bits) works, only this time blocks are affected.
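The point above, as an added example that is not part of the original slides: a ciphertext bit flip goes undetected under encryption alone and is rejected once a MAC covers the ciphertext. The toy SHA-256 counter-mode keystream, the function names and the sample message are assumptions made for illustration.

```python
import hashlib, hmac, os

def keystream(key, nonce, n):
    # Toy stream cipher for illustration only: SHA-256 in counter mode.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, nonce, msg):
    return xor(msg, keystream(key, nonce, len(msg)))

decrypt = encrypt  # XOR with the keystream is its own inverse

def flip(ct, offset, old, new):
    # Change ciphertext bits so that plaintext `old` decrypts as `new`; no key is used.
    delta = xor(old, new)
    end = offset + len(delta)
    return ct[:offset] + xor(ct[offset:end], delta) + ct[end:]

def seal(enc_key, mac_key, nonce, msg):
    # Encrypt, then MAC the nonce and ciphertext with an independent key.
    c = encrypt(enc_key, nonce, msg)
    return c, hmac.new(mac_key, nonce + c, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, nonce, c, tag):
    expected = hmac.new(mac_key, nonce + c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # Vrfy output 0: reject before decrypting
    return decrypt(enc_key, nonce, c)

def demo():
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    msg = b"PAY 0100 TO BOB"  # constructed sample message
    c, tag = seal(enc_key, mac_key, nonce, msg)
    tampered = flip(c, 4, b"0100", b"9100")
    without_mac = decrypt(enc_key, nonce, tampered)            # silently altered
    with_mac = open_sealed(enc_key, mac_key, nonce, tampered, tag)  # rejected
    untouched = open_sealed(enc_key, mac_key, nonce, c, tag)
    return without_mac, with_mac, untouched

if __name__ == "__main__":
    print(demo())
```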
Definition 4.1 Message Authentication Code
A message authentication code (MAC) is a tuple such that:
• takes input the security parameter and outputs a key with .
• takes as input a key and a message and We write: .
• takes as input a key a message and and outputs a bit We write, :=Vrfy(.
Message authentication experiment -(A,)
a. b. ..
Definition 4.2 -- Secure MAC
A message authentication code is existentially unforgeable under adaptive chosen
message attack, or just secure, if for all probabilistic polynomial-time adversaries there exists a negligible function such that: -
Construction 4.3 -- A fixed length MAC from any PRF
Let be a pseudorandom function. Define a fixed length MAC on messages of length as follows:
• Gen: on input choose uniformly at random.
• Mac: on input a key and a message , output tag
(If then output nothing.)
• Vrfy: on input a key and a message , output 1 if and only if
(If then output 0.)
Theorem 4.4
Let be a pseudorandom function. Then Construction 4.3 is a fixed-length MAC for
messages of length n that is existentially
unforgeable under an adaptive chosen message attack.
A secure fixed length MAC Proof
: -) LetMAC that is the same as except that a truly random function is used instead of a PRF . Then -.
Distinguisher D
is given access to and oracle O
1. Run : whenever queries its MAC oracle on a message , answer as follows:
• Query O. Return t to A.
2. When A outputs at the end of its execution do:
a) Query O with to get .
b) If and A never queried its MAC oracle with then output 1; else output 0.
Distinguisher D
If oracle is a PRF then,
If the oracle is a random function then, -
Therefore,
Distinguisher D
Since is a PRF it follows that there is a negligible function with Then and so is negligible.
Replay attacks
MACs do not protect against replay attacks. This is because the definition of a MAC does not incorporate any notion of state in the verification algorithm.
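The statelessness of Vrfy, and one standard way to add state on top of it, as an added example that is not part of the original slides. HMAC-SHA256 stands in for the MAC; the Sender and Receiver classes, the 8-byte sequence header and the sample message are assumptions made for illustration.

```python
import hashlib, hmac, os

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def vrfy(key, msg, tag):
    # Stateless Vrfy, as in the MAC definition: the same (m, t) verifies every time.
    return hmac.compare_digest(mac(key, msg), tag)

class Sender:
    def __init__(self, key):
        self.key, self.seq = key, 0

    def send(self, msg):
        # Authenticate a fixed-width sequence number together with the message.
        self.seq += 1
        header = self.seq.to_bytes(8, "big")
        return header, msg, mac(self.key, header + msg)

class Receiver:
    def __init__(self, key):
        self.key, self.last_seq = key, 0

    def accept(self, header, msg, tag):
        if len(header) != 8 or not vrfy(self.key, header + msg, tag):
            return False                      # forged or corrupted
        seq = int.from_bytes(header, "big")
        if seq <= self.last_seq:
            return False                      # valid tag, but already seen: replay
        self.last_seq = seq                   # update state only after Vrfy succeeds
        return True

def demo():
    key = os.urandom(32)
    msg = b"transfer 100 to bob"              # constructed sample message
    tag = mac(key, msg)
    stateless = [vrfy(key, msg, tag), vrfy(key, msg, tag)]
    sender, receiver = Sender(key), Receiver(key)
    first, second = sender.send(msg), sender.send(msg)
    stateful = [receiver.accept(*first), receiver.accept(*first),
                receiver.accept(*second)]
    return stateless, stateful

if __name__ == "__main__":
    print(demo())
```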
Construction 4.5 -- A variable length MAC
Let be fixed length MAC for messages of length .
• Gen’: identical to Gen.
• Mac’: on input a key and a message of length parse into blocks of length and choose a random identifier in .
Compute , for and output
• Vrfy: parse into blocks and re-compute the MAC. Output 1 if and only if the answer is the same for all
Theorem 4.6
If ’ is a secure fixed length MAC for messages of length , then Construction 4.6 is a MAC that is existentially unforgeable under an adaptive chosen message attack.
Construction 4.9 -- CBC-MAC
Let be a pseudorandom function. Fix a length function The CBC-MAC construction is as follows:
• Gen: on input choose uniformly at random.
• Mac: on input a key and message
1. Parse into blocks of length , and set .
2. Compute for
Output
• Vrfy: on input a key , a message of length and a tag of length output 1 if and only if .
Theorem 4.10
Let be a polynomial. If F is a pseudorandom function then Construction 4.9 is a fixed length MAC for messages of length that is existentially unforgeable under an adaptive chosen message attack.
CBC-MAC vs CBC-mode encryption
1. CBC-mode encryption uses a random IV. If we use a random IV for CBC-MAC then we lose security.
2. In CBC-mode encryption all encrypted blocks are output as part of the ciphertext. This is not the case with CBC-MAC. If we do so (output all the blocks) we lose security.
Secure CBC-MAC for variable length messages – three options
1. Apply the pseudorandom function to the length of the input message to get a key , e.g. set . Then compute the CBC-MAC with this key.
2. Prepend the message with length and then compute the basic CBC-MAC. If we append instead of prepending it we lose security.
3. Choose two keys Compute the CBC-MAC with the first key to get . The tag is .
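Basic CBC-MAC next to option 2 (length prepended), as an added example that is not part of the original slides; it checks why the basic construction is restricted to fixed-length messages. HMAC-SHA256 truncated to 16 bytes stands in for the pseudorandom function, and the function names and sample message are assumptions made for illustration.

```python
import hashlib, hmac, os

N = 16  # block length in bytes

def F(key, block):
    # Stand-in PRF (assumption): HMAC-SHA256 truncated to one block.
    return hmac.new(key, block, hashlib.sha256).digest()[:N]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(m):
    if len(m) == 0 or len(m) % N:
        raise ValueError("message must be a positive multiple of the block length")
    return [m[i:i + N] for i in range(0, len(m), N)]

def cbc_mac(key, m):
    t = bytes(N)                      # fixed all-zero start value, no random IV
    for b in blocks(m):
        t = F(key, xor(t, b))
    return t                          # only the final block is output

def cbc_mac_len(key, m):
    # Option 2: prepend the message length as its own block, then basic CBC-MAC.
    blocks(m)                         # validate m before adding the prefix
    return cbc_mac(key, len(m).to_bytes(N, "big") + m)

def vrfy(mac_fn, key, m, t):
    try:
        return hmac.compare_digest(mac_fn(key, m), t)
    except ValueError:
        return False

def demo():
    key = os.urandom(32)
    m = b"A" * N                      # constructed one-block message
    t = cbc_mac(key, m)
    # Two-block message derived from (m, t) alone: its second chaining input is m again.
    spliced = m + xor(m, t)
    t_len = cbc_mac_len(key, m)
    spliced_len = m + xor(m, t_len)
    return (vrfy(cbc_mac, key, spliced, t),              # basic CBC-MAC accepts it
            vrfy(cbc_mac_len, key, spliced_len, t_len),  # length prefix rejects it
            vrfy(cbc_mac_len, key, m, t_len))            # honest message still verifies

if __name__ == "__main__":
    print(demo())
```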
Variable length CBC-MAC
[Figure: CBC-MAC chain with four applications of F_k over the inputs |m|, m1, m2, m3, producing the tag t.]