04 Message Authentication Codes

Uploaded by zaryabh943
CIS 5371 Cryptography

4. Message Authentication
Codes
Based on: Jonathan Katz and Yehuda Lindell, Introduction to Modern
Cryptography.
Secrecy vs. integrity
• So far we have been concerned with ensuring the secrecy of
communication.
• What about integrity?
We may want to ensure that a message received by the receiver
originated from the intended sender and was not modified in transit.
Note that here we are explicitly concerned with an active attacker who
can modify traffic between sender and receiver, and can also inject
traffic of his own that the receiver will accept as if it came from the
other party. The goal is to ensure that any message accepted by the
receiver came from the intended sender, with whom it shares a key.
Secrecy vs. integrity
• Standard error-correction techniques are not enough: we are not
concerned here with random errors in what is sent from the sender to
the receiver, but with an attacker who can decide exactly where and how
to modify what is being sent between the parties.
• The right cryptographic tool for ensuring integrity in the
symmetric-key setting is a message authentication code (MAC).
Message Authentication Codes
Encryption vs. message authentication
• Different functionalities.
• Encryption does not provide message authentication!
• Encryption with stream ciphers: to flip a bit of the plaintext, one
just needs to flip the corresponding bit of the ciphertext.
• Operation: in a stream cipher, a pseudorandom keystream (generated
from the key) is XORed with the plaintext to produce the ciphertext.
• Vulnerability: if an attacker flips a bit in the ciphertext, the
corresponding bit of the decrypted plaintext flips. The attack is
trivial, requires no knowledge of the key, and decryption does not
detect the tampering.
• Encryption with block ciphers: the same attack (flipping bits) works,
only this time whole blocks are affected.
Explanation:
• Operation: the plaintext is divided into fixed-size blocks and each
block is processed with the keyed block cipher. The mode of operation
(e.g., CBC, CTR, GCM) dictates how the blocks are chained and combined.
• Vulnerability: in CTR mode flipping a ciphertext bit flips exactly the
corresponding plaintext bit, as with a stream cipher. In CBC mode
flipping a bit in ciphertext block i turns plaintext block i into
garbage and flips the corresponding bit of plaintext block i+1 (and
flipping a bit of the IV flips that bit of the first plaintext block
cleanly). In every case the damage is localized and predictable, and
decryption does not detect the tampering. Only an authenticated mode
such as GCM rejects it.
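The bit-flipping attacks on the two preceding slides, as an added example that is not part of the original slides. The block cipher is a toy 8-byte Feistel network (an assumption standing in for AES; do not reuse it), and the keys, IV, nonce and messages are constructed for the demonstration. It shows the clean single-bit flip in CTR mode, the clean flip of the first CBC block via the IV, and the garbled-block-plus-flip effect of modifying a CBC ciphertext block.

```python
"""Added example (not from the original slides): bit-flipping attacks on
unauthenticated CTR (stream-style) and CBC encryption.

The block cipher is a toy 8-byte Feistel network whose round function is
HMAC-SHA256; it stands in for a real cipher such as AES and must not be
used for anything else.  Keys, IVs and messages below are constructed
for the example.
"""
import hashlib
import hmac

BLOCK = 8  # toy block size in bytes
HALF = BLOCK // 2


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, r: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:HALF]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Four Feistel rounds: (L, R) -> (R, L xor f_r(R))."""
    left, right = block[:HALF], block[HALF:]
    for r in range(4):
        left, right = right, xor(left, _round(key, r, right))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_encrypt_block: run the rounds backwards."""
    left, right = block[:HALF], block[HALF:]
    for r in reversed(range(4)):
        left, right = xor(right, _round(key, r, left)), left
    return left + right


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode: keystream block i = E_k(nonce || i); encryption = decryption."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter = (i // BLOCK).to_bytes(HALF, "big")
        out += xor(data[i:i + BLOCK], toy_encrypt_block(key, nonce[:HALF] + counter))
    return bytes(out)


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0, "example uses block-aligned messages"
    prev, out = iv, bytearray()
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += xor(toy_decrypt_block(key, block), prev)  # P_i = D_k(C_i) xor C_{i-1}
        prev = block
    return bytes(out)


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


KEY = b"example-key-0000"      # constructed
NONCE = b"\x00\x11\x22\x33"    # constructed
IV = bytes(range(BLOCK))       # constructed


def ctr_bitflip_demo() -> bytes:
    """Attacker flips one ciphertext bit; '1' (0x31) becomes '9' (0x39)."""
    plaintext = b"PAY $0010 TO BOB"
    ciphertext = ctr_crypt(KEY, NONCE, plaintext)
    tampered = flip_bit(ciphertext, 7, 3)   # byte 7 is the '1' of "0010"
    return ctr_crypt(KEY, NONCE, tampered)  # decrypts to b"PAY $0090 TO BOB"


def cbc_bitflip_demo() -> tuple:
    """Returns (plaintext after an IV flip, plaintext after a C_0 flip)."""
    plaintext = b"AMT:0010TO:BOB  "   # block 0 = b"AMT:0010", block 1 = b"TO:BOB  "
    ciphertext = cbc_encrypt(KEY, IV, plaintext)
    via_iv = cbc_decrypt(KEY, flip_bit(IV, 6, 3), ciphertext)   # clean flip in block 0
    via_c0 = cbc_decrypt(KEY, IV, flip_bit(ciphertext, 3, 3))   # block 0 garbled, block 1 byte 3 flipped
    return via_iv, via_c0
```

The CTR case changes the amount without touching anything else; the CBC case shows that an unauthenticated IV gives the same clean control over the first block, while a flip inside the ciphertext still yields a predictable change one block later at the cost of one garbled block.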
Definition 4.1
Message Authentication Code
A message authentication code (MAC) is a tuple of probabilistic
polynomial-time algorithms (Gen, Mac, Vrfy) such that:
• the key-generation algorithm Gen takes as input the security
parameter 1^n and outputs a key k with |k| ≥ n;
• the tag-generation algorithm Mac takes as input a key k and a
message m and outputs a tag t. We write t ← Mac_k(m);
• the verification algorithm Vrfy takes as input a key k, a message m
and a tag t, and outputs a bit b. We write b := Vrfy_k(m, t).
Correctness requires that for every key k output by Gen and every
message m, Vrfy_k(m, Mac_k(m)) = 1.

Explanation:
Key Generation Algorithm (Gen):
Input: the security parameter 1^n, where n is the desired level of
security.
Output: a secret key k of length |k| ≥ n.
Functionality: Gen generates a secret key based on the security
parameter. The same key is used by both the tag-generation and the
verification algorithm.

Explanation
Tag-Generation Algorithm (Mac):
Input: a secret key k and a message m.
Output: a tag t, written t ← Mac_k(m).
Functionality: Mac takes a key and a message and produces a (typically
fixed-size) tag. The tag is sent along with the message; the pair
(m, t) is the authenticated message.

Explanation
Verification Algorithm (Vrfy):
Input: a secret key k, a message m and a tag t.
Output: a bit b, where b = 1 means the tag is valid for m and b = 0
means it is invalid. We write b := Vrfy_k(m, t).
Functionality: when Mac is deterministic, Vrfy can use canonical
verification: recompute the tag Mac_k(m) and compare it with the
received tag; output 1 if they match and 0 otherwise. In an
implementation the comparison must run in constant time, because an
early-exit comparison leaks how many leading bytes of a candidate tag
were correct.
Message authentication
experiment Mac-forge_{A,Π}(n)
a. A key k is generated by running Gen(1^n).
b. The adversary A is given oracle access to Mac_k(·) and eventually
outputs a pair (m, t).
c. The experiment outputs 1 if and only if Vrfy_k(m, t) = 1 and A never
queried its oracle on m.
A MAC is secure if no efficient adversary can succeed in the above
experiment with non-negligible probability.
Definition 4.2 -- Secure
MAC
A message authentication code Π = (Gen, Mac, Vrfy) is existentially
unforgeable under an adaptive chosen-message attack, or just secure, if
for all probabilistic polynomial-time adversaries A there exists a
negligible function negl such that:
Pr[Mac-forge_{A,Π}(n) = 1] ≤ negl(n).
Is the definition too strong?
1. First, the adversary is allowed to request MAC tags
for any messages of its choice.
2. Second, the adversary is considered to have
“broken” the scheme if it can output a valid tag on
any previously unauthenticated message.
One might object that both these components of the
definition are unrealistic and overly strong: in “real-
world” usage of a MAC, the honest parties would only
authenticate “meaningful” messages (over which the
adversary might have only limited control), and
similarly it should only be considered a breach of
security if the adversary can forge a valid tag on a
“meaningful” message.
Replay attacks
 We emphasize that the above definition, and message
authentication codes on their own, offer no protection
against replay attacks whereby a previously sent message
(and its MAC tag) are replayed to an honest party.
Nevertheless, replay attacks are a serious concern!
Consider again the scenario where a user (say, Alice)
sends a request to her bank to transfer $1,000 from her
account to some other user (say, Bob). In doing so, Alice
can compute a MAC tag and append it to the request so
the bank knows the request is authentic. If the MAC is
secure, Bob will be unable to intercept the request and
change the amount to $10,000 because this would involve
forging a valid tag on a previously unauthenticated
message.

Stream authentication
Alice and Bob want to exchange a sequence of messages M1, M2, ...
They want to verify not just each message individually, but also the
integrity of the entire sequence received so far.
One possibility: Alice and Bob exchange a private key and then send
each message together with a MAC tag. (The chained message/tag
formulas on this slide are not recoverable from the extraction.)

Stream authentication
Mallory can still delay messages or replay old ones. Including unique
transmission timestamps in the messages (in at least M1 and M2) allows
the recipient to verify their "freshness" (using a secure, accurate
local clock). Note the division of labour: a sequence number checked
against receiver-side state is what rejects replays and reordering; a
timestamp is what rejects delayed delivery.
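A receiver that enforces the freshness and ordering checks described above, as an added example that is not part of the original slides. HMAC-SHA256 stands in for the MAC, the tag covers a sequence number and a timestamp as well as the message, and the clock is passed in explicitly so the run is deterministic. The class names, return codes, keys and messages are constructed for the example.

```python
"""Added example (not from the original slides): authenticating a message
stream with sequence numbers and timestamps so that replayed, reordered
and stale messages are rejected, which a MAC on each message alone does
not do.

HMAC-SHA256 stands in for the MAC.  The clock is passed in explicitly so
the example is deterministic; keys and messages are constructed.
"""
import hashlib
import hmac
import struct


def tag(key: bytes, seq: int, timestamp: int, msg: bytes) -> bytes:
    # A fixed-width header (8-byte seq, 8-byte timestamp) before the
    # message keeps the MAC input unambiguous.
    return hmac.new(key, struct.pack(">QQ", seq, timestamp) + msg, hashlib.sha256).digest()


class StreamSender:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def send(self, msg: bytes, now: int) -> tuple:
        self.seq += 1
        return (self.seq, now, msg, tag(self.key, self.seq, now, msg))


class StreamReceiver:
    def __init__(self, key: bytes, max_skew: int = 5):
        self.key, self.expected_seq, self.max_skew = key, 1, max_skew

    def receive(self, packet: tuple, now: int) -> str:
        seq, timestamp, msg, t = packet
        if not hmac.compare_digest(t, tag(self.key, seq, timestamp, msg)):
            return "BAD_TAG"      # forged or modified: reject before any state change
        if seq < self.expected_seq:
            return "REPLAY"       # this sequence number was already accepted
        if seq > self.expected_seq:
            return "GAP"          # a message was dropped or reordered
        if abs(now - timestamp) > self.max_skew:
            return "STALE"        # delayed beyond the freshness window
        self.expected_seq += 1
        return "OK"


def demo() -> list:
    key = b"\x01" * 32   # constructed
    sender, receiver = StreamSender(key), StreamReceiver(key)
    p1 = sender.send(b"debit 10", now=100)
    p2 = sender.send(b"debit 20", now=101)
    p3 = sender.send(b"debit 30", now=102)
    forged = (p3[0], p3[1], b"debit 99", p3[3])   # tag belongs to another message
    return [
        receiver.receive(p1, now=100),      # OK
        receiver.receive(p2, now=101),      # OK
        receiver.receive(p1, now=101),      # REPLAY: valid tag, old sequence number
        receiver.receive(forged, now=102),  # BAD_TAG
        receiver.receive(p3, now=120),      # STALE: delivered 18 s late
        receiver.receive(p3, now=103),      # OK
    ]
```

The tag is checked before any of the stateful checks so that an attacker cannot move the receiver's window with unauthenticated packets; the replayed packet carries a perfectly valid tag and is rejected purely by the receiver's state.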
MAC using a Pseudo-random
Function
• Let F be a pseudo-random function.
• Gen: on input 1^n choose an n-bit key k uniformly at random.
• Mac: on input k and an n-bit message m, output t := F_k(m).
• Vrfy: on input k, m and t, output 1 iff t = F_k(m).
If F is a pseudo-random function, then (Gen, Mac, Vrfy) is existentially
unforgeable under an adaptive chosen-message attack.
Construction 4.3
A fixed length MAC from any
PRF
Let F be a pseudorandom function. Define a fixed-length MAC on messages
of length n as follows:
• Gen: on input 1^n, choose an n-bit key k uniformly at random.
• Mac: on input a key k and a message m of length n, output the tag
t := F_k(m). (If |m| ≠ n then output nothing.)
• Vrfy: on input a key k, a message m of length n and a tag t, output 1
if and only if t = F_k(m). (If |m| ≠ n then output 0.)
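Construction 4.3 and the Mac-forge experiment of Definition 4.2, as an added example that is not part of the original slides. HMAC-SHA256 truncated to 16 bytes is assumed as the PRF F_k (the slides' F is abstract), n is fixed to 128 bits, and the three adversaries are constructed to show what does and does not count as a forgery: a replay of a tagged message, a blind guess, and a one-bit modification of a tagged message.

```python
"""Added example (not from the original slides): Construction 4.3, a
fixed-length MAC from a PRF, together with the Mac-forge experiment of
Definition 4.2 run against three constructed adversaries.

HMAC-SHA256 truncated to N bytes plays the role of the PRF F_k (the
slides' F is an abstract PRF and n counts bits; here n = 128 bits = 16
bytes).  The adversaries and messages are constructed for the example.
"""
import hashlib
import hmac
import os

N = 16  # key, message and tag length in bytes


def F(k: bytes, x: bytes) -> bytes:
    """PRF stand-in: HMAC-SHA256 truncated to N bytes."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N]


def Gen() -> bytes:
    return os.urandom(N)


def Mac(k: bytes, m: bytes):
    if len(m) != N:
        return None            # fixed-length MAC: other lengths are rejected
    return F(k, m)


def Vrfy(k: bytes, m: bytes, t: bytes) -> int:
    if len(m) != N or len(t) != N:
        return 0
    # canonical verification; compare_digest avoids a timing side channel
    return 1 if hmac.compare_digest(t, F(k, m)) else 0


def mac_forge_experiment(adversary) -> bool:
    """Mac-forge_{A,Pi}(n): A gets oracle access to Mac_k and outputs
    (m, t); it wins iff Vrfy_k(m, t) = 1 and m was never queried."""
    k = Gen()
    queried = set()

    def oracle(m: bytes):
        queried.add(m)
        return Mac(k, m)

    m, t = adversary(oracle)
    return Vrfy(k, m, t) == 1 and m not in queried


def replay_adversary(oracle):
    """Outputs a valid (m, t) pair, but on a message it had tagged: no win."""
    m = b"pay bob ten USD "
    return m, oracle(m)


def guessing_adversary(oracle):
    """Never queries and guesses a tag: wins with probability 2^-128."""
    return b"pay eve 1M USD  ", os.urandom(N)


def bitflip_adversary(oracle):
    """Hopes a one-bit change in m leaves F_k(m) unchanged: it does not."""
    m = b"pay bob ten USD "
    t = oracle(m)
    m2 = bytearray(m)
    m2[-1] ^= 0x01
    return bytes(m2), t


def run_all() -> dict:
    adversaries = {"replay": replay_adversary,
                   "guess": guessing_adversary,
                   "bitflip": bitflip_adversary}
    return {name: mac_forge_experiment(adv) for name, adv in adversaries.items()}
```

The replay adversary is the one the slides' definition deliberately does not reward: its output verifies, but the message is not new, which is exactly why replay protection has to come from elsewhere.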
PROPOSITION 4.4
Let Π be a secure MAC that uses canonical verification. Then Π is a
strong MAC (the adversary cannot even produce a new valid tag on a
message it has already had tagged).
Theorem 4.4
Let F be a pseudorandom function. Then Construction 4.3 is a
fixed-length MAC for messages of length n that is existentially
unforgeable under an adaptive chosen-message attack.
A secure fixed length MAC
Proof:
Let Π̃ be the MAC that is the same as Π except that a truly random
function f is used instead of the PRF F_k. Then
Pr[Mac-forge_{A,Π̃}(n) = 1] ≤ 2^{-n},
because for any message m that A never queried, f(m) is uniform and
independent of everything A has seen, so A's tag is correct with
probability exactly 2^{-n}.

Distinguisher D
D is given input 1^n and access to an oracle O mapping n-bit strings to
n-bit strings.
1. Run A(1^n). Whenever A queries its MAC oracle on a message m,
answer as follows: query O(m) to obtain t, and return t to A.
2. When A outputs (m, t) at the end of its execution, do:
a) query O(m) to get t';
b) if t' = t and A never queried its MAC oracle with m, output 1;
else output 0.

Distinguisher D
If the oracle is the PRF F_k (with k uniform), then D runs A exactly as
in the real experiment, so
Pr[D^{F_k(·)}(1^n) = 1] = Pr[Mac-forge_{A,Π}(n) = 1].
If the oracle is a random function f, then D runs A exactly as in the
experiment with Π̃, so
Pr[D^{f(·)}(1^n) = 1] = Pr[Mac-forge_{A,Π̃}(n) = 1] ≤ 2^{-n}.
Therefore
|Pr[D^{F_k(·)}(1^n) = 1] − Pr[D^{f(·)}(1^n) = 1]|
 ≥ Pr[Mac-forge_{A,Π}(n) = 1] − 2^{-n}.

Distinguisher D
Since F is a PRF, it follows that there is a negligible function negl
with
|Pr[D^{F_k(·)}(1^n) = 1] − Pr[D^{f(·)}(1^n) = 1]| ≤ negl(n).
Then
Pr[Mac-forge_{A,Π}(n) = 1] ≤ negl(n) + 2^{-n},
and so Pr[Mac-forge_{A,Π}(n) = 1] is negligible.
Replay attacks
MACs do not protect against replay attacks.
This is because the definition of a MAC does not
incorporate any notion of state in the verification
algorithm.

Construction 4.5
A variable length MAC
Let Π' = (Gen', Mac', Vrfy') be a fixed-length MAC for messages of
length n.
• Gen: identical to Gen'.
• Mac: on input a key k and a message m of length ℓ < 2^{n/4}, parse m
into d blocks m_1, ..., m_d of length n/4 (padding the last block with
zeros if needed) and choose a uniform identifier r of length n/4.
Compute t_i ← Mac'_k(r ‖ ℓ ‖ i ‖ m_i) for i = 1, ..., d, where ℓ and i
are encoded as n/4-bit strings, and output the tag (r, t_1, ..., t_d).
• Vrfy: on input k, m and (r, t_1, ..., t_d), parse m into d' blocks as
above and output 1 if and only if d' = d and
Vrfy'_k(r ‖ ℓ ‖ i ‖ m_i, t_i) = 1 for all i = 1, ..., d.
Theorem 4.6
If Π' is a secure fixed-length MAC for messages of length n, then
Construction 4.5 is a MAC that is existentially unforgeable under an
adaptive chosen-message attack.
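Construction 4.5 worked through, as an added example that is not part of the original slides. The fixed-length MAC on 16-byte inputs is assumed to be HMAC-SHA256 truncated to 16 bytes (Construction 4.3 with that PRF), so each of r, ℓ, i and m_i is a 4-byte field. The demo feeds the verifier three manipulated messages to show which field defeats which manipulation: the block index i against reordering, the length ℓ against truncation, and the identifier r against splicing blocks from two authenticated messages. The identifiers are passed explicitly to keep the run deterministic; in use r is fresh randomness per message. Keys and messages are constructed.

```python
"""Added example (not from the original slides): Construction 4.5 for
variable-length messages built from a fixed-length MAC, and three
manipulations that the identifier r, the length l and the block index i
are there to defeat.

The fixed-length MAC on n = 128-bit inputs is Construction 4.3 with
HMAC-SHA256 (truncated) as the PRF.  Blocks are n/4 = 4 bytes, so the
input to the fixed-length MAC is r || l || i || m_i with each field 4
bytes; l is the byte length of m and i the 1-based block index.  Keys,
identifiers and messages are constructed.
"""
import hashlib
import hmac
import os

N = 16          # fixed-length MAC input length in bytes (the slides' n)
Q = N // 4      # width of the block, identifier, length and index fields


def mac_fixed(k: bytes, x: bytes) -> bytes:
    assert len(x) == N
    return hmac.new(k, x, hashlib.sha256).digest()[:N]


def _blocks(m: bytes) -> list:
    blocks = [m[i:i + Q] for i in range(0, len(m), Q)] or [b""]
    blocks[-1] = blocks[-1].ljust(Q, b"\x00")   # zero-pad; l disambiguates
    return blocks


def mac_var(k: bytes, m: bytes, r: bytes = None) -> tuple:
    r = os.urandom(Q) if r is None else r
    length = len(m).to_bytes(Q, "big")
    tags = [mac_fixed(k, r + length + (i + 1).to_bytes(Q, "big") + blk)
            for i, blk in enumerate(_blocks(m))]
    return r, tags


def vrfy_var(k: bytes, m: bytes, tag: tuple) -> int:
    r, tags = tag
    if len(r) != Q:
        return 0
    _, expected = mac_var(k, m, r)
    if len(tags) != len(expected):
        return 0
    ok = True
    for a, b in zip(expected, tags):
        ok &= hmac.compare_digest(a, b)   # no early exit on the first bad tag
    return 1 if ok else 0


def demo() -> dict:
    k = b"\x07" * N
    m1, r1 = b"PAY:BOB:0010", b"\x00" * Q      # blocks: PAY: BOB: 0010
    m2, r2 = b"PAY:EVE:9999", b"\x01" * Q      # blocks: PAY: EVE: 9999
    _, t1 = mac_var(k, m1, r1)
    _, t2 = mac_var(k, m2, r2)
    return {
        "genuine": vrfy_var(k, m1, (r1, t1)),
        # swap blocks 1 and 2 together with their tags: the index i catches it
        "reorder": vrfy_var(k, b"BOB:PAY:0010", (r1, [t1[1], t1[0], t1[2]])),
        # drop the last block and its tag: the length l in every tag catches it
        "truncate": vrfy_var(k, b"PAY:BOB:", (r1, t1[:2])),
        # graft the amount block of m2 onto m1: the identifier r catches it
        "splice": vrfy_var(k, b"PAY:BOB:9999", (r1, [t1[0], t1[1], t2[2]])),
    }
```

Without r, the splice would succeed whenever two messages of equal length were tagged, since the tag on block 3 of m2 would verify as block 3 of any other 12-byte message; the random identifier ties every block tag to one particular message.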
Construction 4.7
(Figure not recoverable from the extraction; it is the same
variable-length MAC from a fixed-length MAC as Construction 4.5.)
THEOREM 4.8
If Π′ is a secure fixed-length MAC for messages of length n, then
Construction 4.7 is a secure MAC (for arbitrary-length messages).
Construction 4.9 CBC-MAC
Let F be a pseudorandom function and fix a length function ℓ. The
(basic) CBC-MAC construction is as follows:
• Gen: on input 1^n, choose an n-bit key k uniformly at random.
• Mac: on input a key k and a message m of length ℓ(n)·n,
1. parse m into blocks m_1, ..., m_ℓ, each of length n, and set
t_0 := 0^n;
2. compute t_i := F_k(t_{i-1} ⊕ m_i) for i = 1, ..., ℓ;
output t_ℓ.
• Vrfy: on input a key k, a message m of length ℓ(n)·n and a tag t of
length n, output 1 if and only if t = Mac_k(m).
Theorem 4.10
Let ℓ be a polynomial. If F is a pseudorandom function, then
Construction 4.9 is a fixed-length MAC for messages of length ℓ(n)·n
that is existentially unforgeable under an adaptive chosen-message
attack.
MAC using a block cipher: CBC-
MAC
Block cipher E with key K and n-bit blocks, zero IV.
Similar to CBC encryption: C_i = E_K(C_{i-1} ⊕ M_i) with C_0 = 0; the
last ciphertext block serves as the tag and the intermediate blocks are
never output.
Provides existential unforgeability, but only for a fixed message
length (a fixed number of blocks). With messages of varying length it
is broken: the adversary asks the oracle for the tag t_1 of the
one-block message M_1 and the tag t_2 of the one-block message M_2, and
then knows that the two-block message M_1 ‖ (t_1 ⊕ M_2) has tag t_2,
since the input to the second block-cipher call is t_1 ⊕ t_1 ⊕ M_2 = M_2.
With M_2 = M_1 a single query suffices.
Secure CBC-MAC for variable
length messages – three options
1. Apply the pseudorandom function to the length ℓ of the input
message to derive a key, i.e. set k_ℓ := F_k(ℓ). Then compute the
basic CBC-MAC of the message with the key k_ℓ.
2. Prepend the message with its length ℓ (encoded as an n-bit block)
and then compute the basic CBC-MAC.
If we append the length instead of prepending it we lose security.
3. Choose two keys k_1, k_2. Compute the basic CBC-MAC of the message
with the first key to get t. The tag is F_{k_2}(t).
Construction 4.11
(Figure not recoverable from the extraction: option 2 above, the basic
CBC-MAC applied to the message with its length prepended as the first
block.)
Theorem 4.12
Let ℓ be a polynomial. If F is a pseudorandom function, then
Construction 4.11 is a secure MAC for messages of any length up to
ℓ(n)·n.
CBC-MAC vs CBC-mode
encryption
1. CBC-mode encryption uses a random IV.
If we use a random IV for CBC-MAC (and send it with the tag) then we
lose security: the adversary can flip the same bits in the IV and in
the first message block without changing the tag.
2. In CBC-mode encryption all encrypted blocks are output as part of
the ciphertext.
This is not the case with CBC-MAC: only the final block is output. If
we output the intermediate blocks we lose security, since an
intermediate block t_i is a valid tag on the prefix m_1, ..., m_i.
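The forgery against basic CBC-MAC on variable-length input, the length-prepending fix of option 2 / Construction 4.11, and the random-IV failure from the slide above, as one added example that is not part of the original slides. HMAC-SHA256 truncated to 16 bytes is assumed as the PRF F_k with n = 128 bits; keys and messages are constructed. The block also shows why the fix works: the tags the adversary collected were computed over a different first block than the one the forged message would get.

```python
"""Added example (not from the original slides): the length-extension
forgery on basic CBC-MAC (Construction 4.9) used with messages of
differing lengths, the length-prepending fix (Construction 4.11), and
why a random IV must not be used with CBC-MAC.

HMAC-SHA256 truncated to 16 bytes plays the PRF F_k; n = 128 bits.
Keys and messages are constructed.  For deployment use CMAC
(NIST SP 800-38B) rather than a hand-rolled variant.
"""
import hashlib
import hmac

N = 16


def F(k: bytes, x: bytes) -> bytes:
    return hmac.new(k, x, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac_raw(k: bytes, m: bytes, iv: bytes = bytes(N)) -> bytes:
    """Basic CBC-MAC: t_0 = iv, t_i = F_k(t_{i-1} xor m_i), output the last t_i."""
    assert len(m) % N == 0 and len(m) > 0
    t = iv
    for i in range(0, len(m), N):
        t = F(k, xor(t, m[i:i + N]))
    return t


def cbc_mac_len(k: bytes, m: bytes) -> bytes:
    """Construction 4.11: prepend |m| as the first block, then basic CBC-MAC."""
    return cbc_mac_raw(k, len(m).to_bytes(N, "big") + m)


def demo() -> dict:
    k = b"\x05" * N
    m1 = b"pay $10 to bob  "       # one block
    m2 = b"pay $1M to eve  "       # one block
    t1, t2 = cbc_mac_raw(k, m1), cbc_mac_raw(k, m2)   # two oracle queries
    # Forgery: the second block input is t1 xor (t1 xor m2) = m2, so the
    # chain ends exactly where the tag of m2 did.
    forged = m1 + xor(t1, m2)
    raw_forgery = cbc_mac_raw(k, forged) == t2
    # With the length prepended, the tags the adversary saw were computed
    # over |m1| || m1 and |m2| || m2; the forged two-block message starts
    # with a different length block, so its chain is unrelated to them.
    l1, l2 = cbc_mac_len(k, m1), cbc_mac_len(k, m2)
    len_prepend_rejects = cbc_mac_len(k, m1 + xor(l1, m2)) != l2
    # Random IV: if the MAC output (iv, t), flipping the same bits in the
    # IV and in the first message block leaves the tag unchanged.
    iv = b"\xaa" * N
    t = cbc_mac_raw(k, m1, iv)
    delta = xor(m1, b"pay $99 to eve  ")           # change we want to make
    random_iv_forgery = cbc_mac_raw(k, xor(m1, delta), xor(iv, delta)) == t
    return {"raw_forgery": raw_forgery,
            "len_prepend_rejects": len_prepend_rejects,
            "random_iv_forgery": random_iv_forgery}
```

The forged message's second block is keystream-like garbage, but that is enough to break the definition, and in practice a parser that ignores trailing bytes turns it into a meaningful forgery.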
Variable length CBC-MAC
[Figure: the blocks |m|, m_1, m_2, m_3 are fed through four chained
applications of F_k, each input XORed with the previous output; the
final output is the tag t.]
Theorem 4.13
If F is a pseudorandom function, then CBC is a pseudorandom function as
long as the set of inputs on which it is queried is prefix-free.
Formally, for all probabilistic polynomial-time distinguishers D that
query their oracle on a prefix-free set of inputs, there is a negligible
function negl such that
|Pr[D^{CBC_k(·)}(1^n) = 1] − Pr[D^{f(·)}(1^n) = 1]| ≤ negl(n),
where k is chosen uniformly from {0,1}^n and f is chosen uniformly from
the set of functions mapping ({0,1}^n)^* to {0,1}^n (i.e., the value of
f at each input is uniform and independent of the values of f at all
other inputs).
Variable-length MAC using a block
cipher: ECBC-MAC
• Block cipher E with two keys K_1, K_2: compute the CBC-MAC of the
padded message under K_1, then encrypt the result under K_2 to obtain
the tag.
• Padding: append a single 1 bit followed by as many 0 bits as needed
to reach a multiple of the block length n.
• Disadvantages:
up to two additional applications of the block cipher (the padding
block and the final encryption), and the need to rekey the block
cipher for K_2;
ECBC-MAC adds a whole padding block whenever n divides |M|.
Claim 4.14:
• Fix any n. For all distinguishers D that query their oracle on a
prefix-free set of q inputs, where the longest such input contains ℓ
blocks, it holds that:
|Pr[D^{CBC_g(·)}(1^n) = 1] − Pr[D^{f(·)}(1^n) = 1]| ≤ q²ℓ²/2^n,
where g is chosen uniformly from Func_n (the functions from {0,1}^n to
{0,1}^n) and f is chosen uniformly from the set of functions mapping
({0,1}^n)^* to {0,1}^n.
Notations:
• Pr[·]: probability of an event.
• D^{CBC_g(·)}: distinguisher D with an oracle computing CBC_g.
• D^{f(·)}: distinguisher D with an oracle computing f.
• 1^n: input of length n (the security parameter in unary).
• q: number of queries.
• ℓ: length of the longest input in blocks.
• g: chosen uniformly from Func_n.
Authenticated encryption
Definition: An encryption scheme (Gen, Enc, Dec) provides authenticated
encryption if it provides both CPA security and ciphertext integrity
(unforgeability). Such an encryption scheme is then also CCA secure.
Example (encrypt-then-authenticate):
Private-key encryption scheme Π_E = (Gen_E, Enc, Dec)
Message authentication code Π_M = (Gen_M, Mac, Vrfy)
Encryption scheme Π' = (Gen', Enc', Dec'):
(1) Gen' outputs (k_E, k_M) with k_E ← Gen_E and k_M ← Gen_M;
(2) Enc'_{k_E,k_M}(m) outputs (c, t) with c ← Enc_{k_E}(m) and
t ← Mac_{k_M}(c);
(3) Dec' on input (k_E, k_M) and (c, t) first checks whether
Vrfy_{k_M}(c, t) = 1. If yes, output Dec_{k_E}(c); if no, output ⊥.
If Π_E is a CPA-secure private-key encryption scheme and Π_M is a secure
message authentication code with unique tags, then Π' is a CCA-secure
private-key encryption scheme.
A message authentication code has unique tags if for every key k and
every message m there exists a unique value t such that Vrfy_k(m, t) = 1.
Combining Encryption And
Message Authentication
Warning: Not every way of combining a CPA-secure encryption scheme (to
achieve privacy) and a secure message authentication code (to prevent
forgery) will necessarily provide CPA security, let alone authenticated
encryption:
Encrypt-and-authenticate: send Enc_{k_E}(m) together with Mac_{k_M}(m).
Unlikely to be CPA secure: the MAC may leak information about m (a
deterministic MAC reveals whether two messages are equal).
Authenticate-then-encrypt: send Enc_{k_E}(m ‖ Mac_{k_M}(m)).
May not be CPA secure: the recipient first decrypts the received
message with k_E, then parses the result into m and t and finally tries
to verify the latter. A malleable encryption scheme, combined with a
parser that reports syntax errors, may reveal information about m.
Encrypt-then-authenticate: send c = Enc_{k_E}(m) together with
Mac_{k_M}(c).
Secure: provides both CCA security and existential unforgeability,
provided k_E and k_M are independent and the MAC covers the whole
ciphertext including any IV or nonce. If the recipient does not even
attempt to decrypt unless the MAC has been verified successfully, this
method can also prevent some side-channel attacks.
Note: CCA security alone does not imply existential unforgeability.
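Encrypt-then-authenticate with independent keys, next to the equality leak of encrypt-and-authenticate, as an added example that is not part of the original slides. The encryption is assumed to be a CTR-style stream cipher whose keystream blocks are HMAC-SHA256(k_E, nonce ‖ counter) under a fresh random nonce, the MAC is HMAC-SHA256 under k_M, and the function names, keys and messages are constructed. Dec' verifies the tag over nonce and ciphertext before it decrypts anything.

```python
"""Added example (not from the original slides): encrypt-then-authenticate
with independent keys, next to the equality leak of
encrypt-and-authenticate.

Encryption is a CTR-style stream cipher whose keystream blocks are
HMAC-SHA256(k_E, nonce || counter), i.e. a PRF-based scheme with a fresh
random nonce; the MAC is HMAC-SHA256 under k_M.  Names, keys and
messages are constructed for the example.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16


def gen_prime() -> tuple:
    return os.urandom(32), os.urandom(32)   # (k_E, k_M), independent keys


def _stream_crypt(k_e: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        counter = (i // 32).to_bytes(8, "big")
        ks = hmac.new(k_e, nonce + counter, hashlib.sha256).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], ks))
    return bytes(out)


def enc(k_e: bytes, m: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + _stream_crypt(k_e, nonce, m)   # nonce travels with c


def dec(k_e: bytes, c: bytes) -> bytes:
    return _stream_crypt(k_e, c[:NONCE_LEN], c[NONCE_LEN:])


def mac(k_m: bytes, data: bytes) -> bytes:
    return hmac.new(k_m, data, hashlib.sha256).digest()


def enc_then_mac(keys: tuple, m: bytes) -> tuple:
    k_e, k_m = keys
    c = enc(k_e, m)
    return c, mac(k_m, c)          # the tag covers the nonce and the ciphertext


def dec_then_mac(keys: tuple, c: bytes, t: bytes):
    """Dec': verify first; decrypt only if the tag is valid, else return None (bottom)."""
    k_e, k_m = keys
    if not hmac.compare_digest(t, mac(k_m, c)):
        return None
    return dec(k_e, c)


def enc_and_mac(keys: tuple, m: bytes) -> tuple:
    """Encrypt-and-authenticate: the tag is computed over the plaintext."""
    k_e, k_m = keys
    return enc(k_e, m), mac(k_m, m)


def demo() -> dict:
    keys = gen_prime()
    c, t = enc_then_mac(keys, b"transfer 10 to bob")
    tampered = bytearray(c)
    tampered[-1] ^= 0x01            # one-bit change to the ciphertext
    _, ta = enc_and_mac(keys, b"yes")
    _, tb = enc_and_mac(keys, b"yes")
    _, t1 = enc_then_mac(keys, b"yes")
    _, t2 = enc_then_mac(keys, b"yes")
    return {
        "roundtrip": dec_then_mac(keys, c, t) == b"transfer 10 to bob",
        "tamper_rejected": dec_then_mac(keys, bytes(tampered), t) is None,
        # same plaintext twice: encrypt-and-MAC repeats the tag, an eavesdropper sees it
        "enc_and_mac_leaks_equality": ta == tb,
        # encrypt-then-MAC tags differ because the fresh nonce is under the MAC
        "enc_then_mac_hides_equality": t1 != t2,
    }
```

Because the nonce is part of what the MAC covers, an attacker cannot swap nonces between ciphertexts either; leaving the nonce or IV outside the MAC is the common implementation mistake that reintroduces the bit-flipping attacks from the start of the deck.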
Galois Counter Mode (GCM)
CBC encryption and CBC-MAC used together require different keys,
resulting in two block-cipher encryptions per block of data.
Galois Counter Mode is a more efficient authenticated encryption
technique that requires only a single block-cipher encryption, plus one
XOR and one multiplication in GF(2^128), per block of data. (The
diagram of the mode is not recoverable from the extraction.)

Galois Counter Mode (GCM)
• The associated data A is authenticated, but not encrypted (e.g., the
message header).
• The multiplication is over the Galois field GF(2^128): the 128 block
bits are interpreted as the coefficients of a binary polynomial of
degree at most 127, and the product is reduced modulo the polynomial
x^128 + x^7 + x^2 + x + 1.
• This is like 128-bit modular integer multiplication, but without
carry bits, and therefore faster in hardware.
Explanation
CBC and CBC-MAC:
CBC (Cipher Block Chaining) is a mode of operation for block ciphers in
which each block of plaintext is XORed with the previous ciphertext
block (or the IV) before encryption. This chaining hides patterns that
encrypting each block independently (ECB mode) would leave visible.
CBC-MAC (Cipher Block Chaining Message Authentication Code) is a method
to generate a fixed-size tag for a message using the same chaining with
a zero IV, outputting only the last block.
Using CBC encryption and CBC-MAC together requires two different keys
and involves two block-cipher encryptions per block of data.
Explanation
• GCM is an authenticated encryption algorithm that provides both
confidentiality and integrity with a single pass through the data. It
is commonly used in protocols such as TLS for secure communication.
• GCM uses counter mode for encryption: a unique counter block (derived
from the nonce) is encrypted under the key to produce each keystream
block, and the keystream is XORed with the plaintext to produce the
ciphertext.
• GCM also incorporates Galois field multiplication (denoted ⊗) to
provide authentication: the ciphertext and associated-data blocks are
folded into a hash key H = E_K(0^128) by repeated multiplication in
GF(2^128), treating block bits as coefficients of binary polynomials of
degree at most 127, with the result reduced modulo
x^128 + x^7 + x^2 + x + 1.
• The multiplication in GCM is similar to 128-bit modular integer
multiplication but without carry bits, making it fast in hardware.
• Caveat: the nonce must never be reused under the same key. Reusing a
GCM nonce reuses the keystream and allows recovery of the hash key H,
after which tags can be forged.
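The GF(2^128) multiplication of the two GCM slides above and the one-multiplication-per-block accumulation that GHASH performs over associated data and ciphertext, as an added example that is not part of the original slides. It uses the plain mathematical bit order (bit i of an integer is the coefficient of x^i); NIST SP 800-38D maps block bytes to coefficients in a bit-reflected order, so these values will not match a GCM library byte-for-byte, but the arithmetic is identical. The hash key H, the header and the ciphertext bytes are constructed; in GCM, H = E_K(0^128).

```python
"""Added example (not from the original slides): multiplication in
GF(2^128) as used by GCM's GHASH, and the Horner-style accumulation that
costs one multiplication per block.

Bit i of a Python int is the coefficient of x^i and the reduction
polynomial is x^128 + x^7 + x^2 + x + 1.  NIST SP 800-38D uses a
bit-reflected mapping from bytes to coefficients, so these values differ
from a GCM library's internal values; the arithmetic is the same.  H and
the blocks below are constructed for the example.
"""

R = 0x87   # x^7 + x^2 + x + 1: what x^128 reduces to


def gf128_mul(a: int, b: int) -> int:
    """Carry-less multiply with interleaved reduction (shift-and-add)."""
    assert 0 <= a < (1 << 128) and 0 <= b < (1 << 128)
    p = 0
    while b:
        if b & 1:
            p ^= a           # add a * x^j for every set bit j of b
        b >>= 1
        a <<= 1              # a := a * x
        if a >> 128:         # degree reached 128: subtract the modulus
            a = (a ^ (1 << 128)) ^ R
    return p


def ghash_like(h: int, blocks: list) -> int:
    """Y_i = (Y_{i-1} xor X_i) * H: one multiplication per 128-bit block."""
    y = 0
    for x in blocks:
        y = gf128_mul(y ^ x, h)
    return y


def to_blocks(data: bytes) -> list:
    """Zero-pad to 16-byte blocks and map each block to an int."""
    data = data + b"\x00" * (-len(data) % 16)
    return [int.from_bytes(data[i:i + 16], "big") for i in range(0, len(data), 16)]


def auth_input(aad: bytes, ciphertext: bytes) -> list:
    """GHASH input as in GCM: padded AAD, padded ciphertext, then one block
    holding both bit lengths, so moving bytes between A and C changes the hash."""
    lengths = ((len(aad) * 8) << 64) | (len(ciphertext) * 8)
    return to_blocks(aad) + to_blocks(ciphertext) + [lengths]


def demo() -> dict:
    h = 0x66E94BD4EF8A2C3B884CFA59CA342B2E   # constructed hash key
    aad, ct = b"hdr: to=bob", b"\x13\x37" * 10
    return {
        "x_times_x127": gf128_mul(1 << 127, 2),   # x^128 -> x^7+x^2+x+1 = 0x87
        "identity": gf128_mul(h, 1) == h,
        "commutative": gf128_mul(h, 0x1234567) == gf128_mul(0x1234567, h),
        # Horner form equals the direct polynomial X1*H^2 + X2*H
        "horner_matches_direct": ghash_like(h, [1 << 5, 0xFF])
            == gf128_mul(1 << 5, gf128_mul(h, h)) ^ gf128_mul(0xFF, h),
        "aad_change_detected": ghash_like(h, auth_input(aad, ct))
            != ghash_like(h, auth_input(b"hdr: to=eve", ct)),
    }
```

The accumulator is a polynomial in H evaluated block by block, which is why a single nonce reuse under one key is so damaging: two authenticated messages with known contents give two evaluations of the same polynomial, from which H can be solved for.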
Definition
(Figure not recoverable from the extraction.)

Definitions
• A private-key encryption scheme Π is unforgeable if for all
probabilistic polynomial-time adversaries A, there is a negligible
function negl such that the probability that A, given oracle access to
Enc_k(·), outputs a ciphertext that decrypts to a message it never had
encrypted is at most negl(n).

Definition
• A private-key encryption scheme is an authenticated encryption
scheme if it is CCA-secure and unforgeable.
