Big MACs attacks
Unconditionally secure MACs
CS349 Cryptography
Department of Computer Science
Wellesley College

Message Authentication Codes
o Message authentication codes are keyed hash functions satisfying certain security requirements.
o These requirements are different from those required by unkeyed hash functions.

Unconditionally secure MACs 16-2

A common approach to MACs*
*Attempts to turn an unkeyed hash function into a MAC.

Recall the main steps of an iterated hash
Preprocessing: Given input string $x$, where $|x| \ge m+t+1$, construct string $y = y_1 \| y_2 \| \dots \| y_r$, where $|y_i| = t$ for $1 \le i \le r$, using a public algorithm.
Processing: Let IV be a public initial bitstring of length $m$. Compute
$$z_0 \leftarrow IV$$
$$z_1 \leftarrow \text{compress}(z_0 \| y_1)$$
$$\dots$$
$$z_r \leftarrow \text{compress}(z_{r-1} \| y_r).$$
Optional output transformation: Define $h(x) = g(z_r)$, where $g : \{0,1\}^m \to \{0,1\}^l$ is a public function.

Turning our hash into a MAC
o Assume that $h$ does not have a preprocessing step or an output transformation. In this case, the length of the message $x$ is a multiple of $t$, where $\text{compress} : \{0,1\}^{t+m} \to \{0,1\}^m$ is the compression function.
o Let $IV = K$ be the secret key bitstring of length $m$. Compute
$$z_0 \leftarrow IV$$
$$z_1 \leftarrow \text{compress}(z_0 \| x_1)$$
$$\dots$$
$$z_r \leftarrow \text{compress}(z_{r-1} \| x_r).$$
Return $h_K(x) = z_r$.
o Let $x'$ be any string of length $t$, and consider the message $x \| x'$.

Forgery
o The adversary obtains a list of valid pairs $(x_1,y_1), (x_2,y_2), \dots, (x_q,y_q)$ by querying the oracle. Later, the adversary outputs the pair $(x,y)$, where $x \notin \{x_1, \dots, x_q\}$.
o If $(x,y)$ is a valid pair, it is said to be a forgery.
o An adversary that produces a forgery with probability $\epsilon$ is said to be an $(\epsilon,q)$-forger.

Nested MACs
o Suppose $(\mathcal{X}, \mathcal{Y}, \mathcal{K}, \mathcal{G})$ and $(\mathcal{Y}, \mathcal{Z}, \mathcal{L}, \mathcal{H})$ are hash families.
o The composition is the hash family $(\mathcal{Y}, \mathcal{Z}, \mathcal{M}, \mathcal{G} \circ \mathcal{H})$ in which $\mathcal{M} = \mathcal{K} \times \mathcal{L}$ and $\mathcal{G} \circ \mathcal{H} = \{g \circ h : g \in \mathcal{G}, h \in \mathcal{H}\}$, where $(g \circ h)_{(K,L)}(x) = h_L(g_K(x))$ for all $x \in \mathcal{X}$.
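Added example, not part of the original slides: for the keyed-IV construction in "Turning our hash into a MAC", the tag of x || x' is just compress applied to the tag of x, so it can be computed without K, while the same step does not yield a valid tag for a nested MAC h_L(g_K(x)). The compress function (truncated SHA-256), the sizes m = 16 and t = 32 bytes, the zero-padding of y, the sample keys and all function names are assumptions.

```python
import hashlib

M_BYTES = 16   # m: chaining value / key length in bytes (assumed toy size)
T_BYTES = 32   # t: message block length in bytes (assumed toy size)

def compress(z: bytes, block: bytes) -> bytes:
    """Stand-in for compress: {0,1}^(m+t) -> {0,1}^m (truncated SHA-256)."""
    assert len(z) == M_BYTES and len(block) == T_BYTES
    return hashlib.sha256(z + block).digest()[:M_BYTES]

def blocks(x: bytes):
    """Split x into t-byte blocks; no preprocessing step, so no padding."""
    if len(x) == 0 or len(x) % T_BYTES:
        raise ValueError("message length must be a positive multiple of t")
    return [x[i:i + T_BYTES] for i in range(0, len(x), T_BYTES)]

def keyed_iv_mac(key: bytes, x: bytes) -> bytes:
    """h_K(x): iterate compress with z_0 = IV = K and return z_r."""
    z = key
    for b in blocks(x):
        z = compress(z, b)
    return z

def extend_tag(tag: bytes, x_prime: bytes) -> bytes:
    """Continue the iteration from a known tag; the key is never used."""
    z = tag
    for b in blocks(x_prime):
        z = compress(z, b)
    return z

def nested_mac(k: bytes, l: bytes, x: bytes) -> bytes:
    """h_L(g_K(x)) with g_K = keyed_iv_mac and h_L = one compress call keyed by L."""
    y = keyed_iv_mac(k, x)
    return compress(l, y.ljust(T_BYTES, b"\x00"))   # zero-pad y to t bytes (assumption)

def demo():
    k, l = bytes(range(16)), bytes(range(16, 32))   # constructed sample keys
    x = b"A" * T_BYTES                               # constructed queried message
    x_prime = b"B" * T_BYTES                         # constructed extra block x'
    extended = extend_tag(keyed_iv_mac(k, x), x_prime)
    plain_valid = extended == keyed_iv_mac(k, x + x_prime)
    nested_try = extend_tag(nested_mac(k, l, x), x_prime)
    nested_valid = nested_try == nested_mac(k, l, x + x_prime)
    return plain_valid, nested_valid

if __name__ == "__main__":
    print(demo())
```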
Attacks on nested MACs
Big MAC attack: The adversary is allowed to choose values for $x$ and query a big MAC oracle for values of $h_L(g_K(x))$. The adversary attempts to output a pair $(x', z)$ such that $z = h_L(g_K(x'))$.
Little MAC attack: The adversary is allowed to choose values for $y$ and query a little MAC oracle for values of $h_L(y)$. The adversary attempts to output a pair $(y', z)$ such that $z = h_L(y')$.
Unknown-key collision attack: The adversary is allowed to choose values for $x$ and query a hash oracle for values of $g_K(x)$. The adversary attempts to output a pair $x', x''$ such that $x' \ne x''$ and $g_K(x') = g_K(x'')$.

Probability of a big MAC attack
Theorem. Suppose $(\mathcal{Y}, \mathcal{Z}, \mathcal{M}, \mathcal{G} \circ \mathcal{H})$ is a nested MAC.
o Suppose there does not exist an $(\epsilon_1, q+1)$-collision attack for a randomly chosen function $g_K \in \mathcal{G}$, when the key $K$ is secret.
o Further, suppose that there does not exist an $(\epsilon_2, q)$-forger for a randomly chosen function $h_L \in \mathcal{H}$, where $L$ is secret.
o Finally, suppose there exists an $(\epsilon, q)$-forger for the nested MAC, for a randomly chosen function $(g \circ h)_{(K,L)} \in \mathcal{G} \circ \mathcal{H}$.
Then $\epsilon \le \epsilon_1 + \epsilon_2$.

HMAC
o HMAC is a nested MAC algorithm constructed from a hash function (e.g., SHA-1) using a secret key, $K$.
o ipad and opad are 512-bit constants defined in hexadecimal to be
ipad = 3636…36
opad = 5C5C…5C

Unconditionally secure MACs
o Assuming each key is used only once, we construct a MAC for which there provably does not exist either
  o a $(0, \epsilon)$-forger, known as an impersonation; or
  o a $(1, \epsilon)$-forger, known as a substitution.
o Define the deception probability $Pd_q$ to be the maximum $\epsilon$ such that an $(\epsilon, q)$-forgery exists.

Authentication matrix
o Consider the hash family $(\mathcal{X}, \mathcal{Y}, \mathcal{K}, \mathcal{H})$ where $\mathcal{X} = \mathcal{Y} = \mathbb{Z}_3$ and $\mathcal{K} = \mathbb{Z}_3 \times \mathbb{Z}_3$.
o For each $K = (a, b) \in \mathcal{K}$ and each $x \in \mathcal{X}$, define $h_{(a,b)}(x) = ax + b \bmod 3$ and define $\mathcal{H} = \{h_{(a,b)} : (a,b) \in \mathbb{Z}_3 \times \mathbb{Z}_3\}$.

Impersonation and payoff
o Let $K_0$ denote the chosen key. For $x \in \mathcal{X}$ and $y \in \mathcal{Y}$, define payoff$(x, y)$ to be the probability that the pair $(x, y)$ is valid.
o $$\text{payoff}(x, y) = \Pr[y = h_{K_0}(x)] = \frac{|\{K \in \mathcal{K} : h_K(x) = y\}|}{|\mathcal{K}|}$$
and $Pd_0 = \max\{\text{payoff}(x,y) : x \in \mathcal{X} \text{ and } y \in \mathcal{Y}\}$.

Substitution and payoff
o Define payoff$(x', y'; x, y)$ to be the probability that $(x', y')$ is a valid pair, given that $(x, y)$ is. Then,
$$\text{payoff}(x', y'; x, y) = \Pr[y' = h_{K_0}(x') \mid y = h_{K_0}(x)] = \frac{\Pr[y' = h_{K_0}(x') \wedge y = h_{K_0}(x)]}{\Pr[y = h_{K_0}(x)]} = \frac{|\{K \in \mathcal{K} : h_K(x') = y', h_K(x) = y\}|}{|\{K \in \mathcal{K} : h_K(x) = y\}|}$$
o $Pd_1 = \max\{\text{payoff}(x', y'; x, y) : x, x' \in \mathcal{X};\ y, y' \in \mathcal{Y};\ (x,y) \in \mathcal{V};\ x \ne x'\}$, where $\mathcal{V} = \{(x,y) : |\{K \in \mathcal{K} : h_K(x) = y\}| \ge 1\}$.

Strongly universal hash families
Definition. An $(N, M)$ hash family $(\mathcal{X}, \mathcal{Y}, \mathcal{K}, \mathcal{H})$ is strongly universal if and only if for all $x, x' \in \mathcal{X}$ such that $x \ne x'$, and for every $y, y' \in \mathcal{Y}$:
$$|\{K \in \mathcal{K} : h_K(x) = y, h_K(x') = y'\}| = \frac{|\mathcal{K}|}{M^2}$$

Secure hash families
Lemma. Suppose that $(\mathcal{X}, \mathcal{Y}, \mathcal{K}, \mathcal{H})$ is a strongly universal $(N, M)$-hash family. Then
$$|\{K \in \mathcal{K} : h_K(x) = y\}| = \frac{|\mathcal{K}|}{M}$$
for every $x \in \mathcal{X}$ and for every $y \in \mathcal{Y}$.
Theorem. Any strongly universal $(N, M)$-hash family $(\mathcal{X}, \mathcal{Y}, \mathcal{K}, \mathcal{H})$ is an authentication code with $Pd_0 = Pd_1 = 1/M$.

Sum of the payoffs is 1
o Suppose that $(\mathcal{X}, \mathcal{Y}, \mathcal{K}, \mathcal{H})$ is an $(N, M)$-hash family. Fix $x \in \mathcal{X}$. Then
$$\sum_{y \in \mathcal{Y}} \text{payoff}(x, y) = \sum_{y \in \mathcal{Y}} \frac{|\{K \in \mathcal{K} : h_K(x) = y\}|}{|\mathcal{K}|} = \frac{|\mathcal{K}|}{|\mathcal{K}|} = 1$$
o Hence, for every $x \in \mathcal{X}$ there exists an authentication tag $y$ such that payoff$(x, y) \ge 1/M$.

$Pd_0$ optimal hash families
Theorem. Suppose that $(\mathcal{X}, \mathcal{Y}, \mathcal{K}, \mathcal{H})$ is an $(N, M)$-hash family. Then $Pd_0 \ge 1/M$.
Further, $Pd_0 = 1/M$ if and only if
$$|\{K \in \mathcal{K} : h_K(x) = y\}| = \frac{|\mathcal{K}|}{M}$$

Turning to substitution
o Fix $x, x' \in \mathcal{X}$ and $y, y' \in \mathcal{Y}$, where $x \ne x'$ and $(x, y) \in \mathcal{V}$.
$$\sum_{y' \in \mathcal{Y}} \text{payoff}(x', y'; x, y) = \sum_{y' \in \mathcal{Y}} \frac{|\{K \in \mathcal{K} : h_K(x') = y', h_K(x) = y\}|}{|\{K \in \mathcal{K} : h_K(x) = y\}|} = \frac{|\{K \in \mathcal{K} : h_K(x) = y\}|}{|\{K \in \mathcal{K} : h_K(x) = y\}|} = 1$$
o Hence, for every $(x, y) \in \mathcal{V}$ and each $x'$ such that $x' \ne x$, there exists an authentication tag $y'$ such that payoff$(x', y'; x, y) \ge 1/M$.

Strongly universal hash families are $Pd_1$ optimal
Theorem. Suppose that $(\mathcal{X}, \mathcal{Y}, \mathcal{K}, \mathcal{H})$ is an $(N, M)$-hash family. Then $Pd_1 \ge 1/M$.
Theorem. Suppose that $(\mathcal{X}, \mathcal{Y}, \mathcal{K}, \mathcal{H})$ is an $(N, M)$-hash family. Then $Pd_1 = 1/M$ if and only if the hash family is strongly universal.
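Added example, not part of the original slides: the payoff definitions evaluated by brute force for the family h_(a,b)(x) = ax + b mod 3 from the "Authentication matrix" slide, giving its authentication matrix, Pd0, Pd1 and the strong-universality check. The restricted key set with a = 1 is an added contrast that keeps Pd0 = 1/3 but is not strongly universal; all function and variable names are assumptions.

```python
from fractions import Fraction
from itertools import product

# Added example: every name below is illustrative, not from the slides.
def h(key, x, p=3):
    """h_(a,b)(x) = a*x + b mod p for key = (a, b)."""
    a, b = key
    return (a * x + b) % p

def authentication_matrix(keys, X):
    """Rows indexed by key K, columns by message x, entries h_K(x)."""
    return {k: [h(k, x) for x in X] for k in keys}

def count(keys, pairs):
    """|{K : h_K(x) = y for every (x, y) in pairs}|."""
    return sum(all(h(k, x) == y for x, y in pairs) for k in keys)

def pd0(keys, X, Y):
    """Impersonation: max payoff(x, y) over all x, y."""
    return max(Fraction(count(keys, [(x, y)]), len(keys))
               for x, y in product(X, Y))

def pd1(keys, X, Y):
    """Substitution: max payoff(x', y'; x, y) over (x, y) in V and x' != x."""
    best = Fraction(0)
    for (x, y), (x2, y2) in product(product(X, Y), repeat=2):
        seen = count(keys, [(x, y)])
        if seen and x2 != x:              # seen == 0 means (x, y) is not in V
            best = max(best, Fraction(count(keys, [(x, y), (x2, y2)]), seen))
    return best

def strongly_universal(keys, X, Y):
    """Check |{K : h_K(x)=y, h_K(x')=y'}| = |K| / M^2 for all x != x'."""
    target = Fraction(len(keys), len(Y) ** 2)
    return all(count(keys, [(x, y), (x2, y2)]) == target
               for (x, y), (x2, y2) in product(product(X, Y), repeat=2)
               if x != x2)

def summarize(keys, p=3):
    X = Y = range(p)
    return pd0(keys, X, Y), pd1(keys, X, Y), strongly_universal(keys, X, Y)

AFFINE_KEYS = list(product(range(3), repeat=2))        # K = Z_3 x Z_3
SHIFT_KEYS = [k for k in AFFINE_KEYS if k[0] == 1]     # contrast: a fixed to 1

if __name__ == "__main__":
    for key, row in authentication_matrix(AFFINE_KEYS, range(3)).items():
        print(key, row)
    print(summarize(AFFINE_KEYS), summarize(SHIFT_KEYS))
```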