Ch 2 - Message integrity

The document discusses message integrity and the use of Message Authentication Codes (MACs) to ensure it. It explains how secure MACs are constructed using Pseudo Random Functions (PRFs) and Pseudo Random Permutations (PRPs), detailing various methods such as CBC-MAC and NMAC. Additionally, it addresses the importance of padding in MACs and introduces the concept of parallel MACs like PMAC.


Online Cryptography Course Dan Boneh

Message integrity

Message Auth. Codes

Dan Boneh
Message Integrity
Goal: integrity, no confidentiality.

Examples:
– Protecting public binaries on disk.
– Protecting banner ads on web pages.

Message integrity: MACs
[diagram: Alice and Bob share a key k. Alice generates tag ← S(k, m) and sends (m, tag); Bob verifies V(k, m, tag) = `yes’?]

Def: MAC I = (S,V) defined over (K,M,T) is a pair of algs:


– S(k,m) outputs t in T
– V(k,m,t) outputs `yes’ or `no’

Integrity requires a secret key
[diagram: no key. Alice generates tag ← CRC(m) and sends (m, tag); Bob verifies V(m, tag) = `yes’?]

• Attacker can easily modify message m and re-compute CRC.

• CRC designed to detect random, not malicious errors.


Secure MACs
Attacker’s power: chosen message attack
• for m1,m2,…,mq attacker is given ti ← S(k,mi)

Attacker’s goal: existential forgery
• produce some new valid message/tag pair (m,t).
(m,t) ∉ { (m1,t1) , … , (mq,tq) }

⇒ attacker cannot produce a valid tag for a new message
⇒ given (m,t) attacker cannot even produce (m,t’) for t’ ≠ t

Secure MACs
• For a MAC I=(S,V) and adv. A define a MAC game as:
[diagram: Chal. picks k ← K; Adv. sends m1 ∈ M, m2, …, mq and receives t1 ← S(k,m1), t2, …, tq; Adv. outputs (m,t); Chal. outputs b]
b=1 if V(k,m,t) = `yes’ and (m,t) ∉ { (m1,t1) , … , (mq,tq) }
b=0 otherwise

Def: I=(S,V) is a secure MAC if for all “efficient” A:

Let I = (S,V) be a MAC.
Suppose an attacker is able to find m0 ≠ m1 such that
S(k, m0) = S(k, m1) for ½ of the keys k in K

Can this MAC be secure?


Yes, the attacker cannot generate a valid tag for m0 or m1
No, this MAC can be broken using a chosen msg attack
It depends on the details of the MAC

Let I = (S,V) be a MAC.
Suppose S(k,m) is always 5 bits long

Can this MAC be secure?

No, an attacker can simply guess the tag for messages


It depends on the details of the MAC
Yes, the attacker cannot generate a valid tag for any message

Example: protecting system files
Suppose at install time the system computes:
[diagram: for files F1, F2, ⋯, Fn the system stores t1 = S(k,F1), t2 = S(k,F2), …, tn = S(k,Fn), with k derived from the user’s password]

Later a virus infects system and modifies system files

User reboots into clean OS and supplies his password
– Then: secure MAC ⇒ all modified files will be detected

Message Integrity

MACs based on PRFs

Abstractly: PRPs and PRFs
• Pseudo Random Function (PRF) defined over (K,X,Y):
F: K × X ⟶ Y
such that there exists an “efficient” algorithm to evaluate F(k,x)

• Pseudo Random Permutation (PRP) defined over (K,X):
E: K × X ⟶ X
such that:
1. There exists an “efficient” deterministic algorithm to evaluate E(k,x)
2. The function E( k, ⋅ ) is one-to-one

Secure PRFs
• Let F: K × X ⟶ Y be a PRF
Funs[X,Y]: the set of all functions from X to Y
S_F = { F(k,⋅) s.t. k ∈ K } ⊆ Funs[X,Y]

• Intuition: a PRF is secure if
a random function in Funs[X,Y] is indistinguishable from
a random function in S_F
[diagram: S_F, of size |K|, drawn as a small subset of Funs[X,Y], of size |Y|^|X|]

Secure PRF: definition
• For b=0,1 define experiment EXP(b) as:
[diagram: Chal. sets b=0: k ← K, f ← F(k,⋅) or b=1: f ← Funs[X,Y]; Adv. A queries x1 ∈ X, x2, …, xq and receives f(x1), f(x2), …, f(xq); A outputs b’ ∈ {0,1}, the result of EXP(b)]
• Def: F is a secure PRF if for all “efficient” A:
AdvPRF[A,F] := |Pr[EXP(0)=1] – Pr[EXP(1)=1]|

Secure PRP (secure block cipher)
• For b=0,1 define experiment EXP(b) as:
[diagram: Chal. sets b=0: k ← K, f ← E(k,⋅) or b=1: f ← Perms[X]; Adv. A queries x1 ∈ X, x2, …, xq and receives f(x1), f(x2), …, f(xq); A outputs b’ ∈ {0,1}]
• Def: E is a secure PRP if for all “efficient” A:
AdvPRP[A,E] = |Pr[EXP(0)=1] – Pr[EXP(1)=1]|

Let X = {0,1}. Perms[X] contains two functions

Consider the following PRP:
key space K={0,1}, input space X = {0,1},
PRP defined as: E(k,x) = x⨁k
[XOR table: 0⨁0=0, 1⨁0=1, 0⨁1=1, 1⨁1=0; diagram of the two permutations of {0,1}]

Is this a secure PRP?

Yes
No
It depends

Consider the 1-bit PRP from the previous question: E(k,x) = x⨁k

Is it a secure PRF?

Note that Funs[X,X] contains four functions

Yes
No
It depends

Attacker A:
(1) query f(⋅) at x=0 and x=1
(2) if f(0) = f(1) output “1”, else “0”
AdvPRF[A,E] = |0-½| = ½

Secure PRF ⇒ Secure MAC
For a PRF F: K × X ⟶ Y define a MAC I_F = (S,V) as:
– S(k,m) := F(k,m)
– V(k,m,t): output `yes’ if t = F(k,m) and `no’ otherwise.

[diagram: Alice sends m with tag ← F(k,m); Bob accepts msg if tag = F(k,m)]

A bad example
Suppose F: K × X ⟶ Y is a secure PRF with Y = {0,1}^10

Is the derived MAC I_F a secure MAC system?

Yes, the MAC is secure because the PRF is secure
No, tags are too short: anyone can guess the tag for any msg
It depends on the function F

Security
Thm: If F: K×X⟶Y is a secure PRF and 1/|Y| is negligible
(i.e. |Y| is large) then I_F is a secure MAC.

In particular, for every eff. MAC adversary A attacking I_F
there exists an eff. PRF adversary B attacking F s.t.:

AdvMAC[A, I_F] ≤ AdvPRF[B, F] + 1/|Y|

⇒ I_F is secure as long as |Y| is large, say |Y| = 2^80 .

Proof Sketch
Suppose f: X ⟶ Y is a truly random function
Then MAC adversary A must win the following game:
[diagram: Chal. picks f in Funs[X,Y]; Adv. sends m1 ∈ X, m2, …, mq and receives t1 ← f(m1), f(m2), …, f(mq); Adv. outputs (m,t)]

A wins if t = f(m) and m ∉ { m1 , … , mq }

⇒ Pr[A wins] = 1/|Y|    same must hold for F(k,x)

Examples
• AES: a MAC for 16-byte messages.

• Main question: how to convert Small-MAC into a Big-MAC ?

• Two main constructions used in practice:


– CBC-MAC (banking – ANSI X9.9, X9.19, FIPS 186-3)
– HMAC (Internet protocols: SSL, IPsec, SSH, …)

• Both convert a small-PRF into a big-PRF.


Truncating MACs based on PRFs
Easy lemma: suppose F: K × X ⟶ {0,1}^n is a secure PRF.
Then so is F_t(k,m) = F(k,m)[1…t] for all 1 ≤ t ≤ n

⇒ if (S,V) is a MAC based on a secure PRF outputting n-bit tags
the truncated MAC outputting w bits is secure
… as long as 1/2^w is still negligible (say w ≥ 64)

Message Integrity

CBC-MAC and NMAC

MACs and PRFs
Recall: secure PRF F ⇒ secure MAC, as long as |Y| is large
S(k, m) = F(k, m)

Our goal:
given a PRF for short messages (AES)
construct a PRF for long messages

From here on let X = {0,1}^n (e.g. n=128)

Construction 1: encrypted CBC-MAC
Let F: K × X ⟶ X be a PRP
[diagram: raw CBC over the blocks m[0], m[1], …: each block is ⨁-ed with the previous output and passed through F(k,⋅); the raw CBC output is then passed through F(k1,⋅) to give the tag]
Define new PRF F_ECBC : K^2 × X^≤L ⟶ X

Construction 2: NMAC (nested MAC)
Let F: K × X ⟶ K be a PRF
[diagram: cascade over the blocks m[0], m[1], …: starting from key k, each block is processed by F keyed with the previous output, giving t; then t ∥ fpad is passed through F(k1,⋅) to give the tag]
Define new PRF F_NMAC : K^2 × X^≤L ⟶ K

Why the last encryption step in ECBC-MAC and NMAC?

NMAC: suppose we define a MAC I = (S,V) where


S(k,m) = cascade(k, m)

This MAC is secure


This MAC can be forged without any chosen msg queries
This MAC can be forged with one chosen msg query
This MAC can be forged, but only with two msg queries

Why the last encryption step in ECBC-MAC?
Suppose we define a MAC I_RAW = (S,V) where

S(k,m) = rawCBC(k,m)

Then I_RAW is easily broken using a 1-chosen msg attack.

Adversary works as follows:
– Choose an arbitrary one-block message m ∈ X
– Request tag for m. Get t = F(k,m)
– Output t as MAC forgery for the 2-block message (m, t⨁m)

Indeed: rawCBC(k, (m, t⨁m) ) = F(k, F(k,m)⨁(t⨁m) ) = F(k, t⨁(t⨁m) ) = F(k, m) = t

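
To make the slide’s argument concrete, here is an added example (not from the course) that implements rawCBC and encrypted CBC-MAC over 16-byte blocks and runs the 1-chosen-message forgery against both; keyed BLAKE2b stands in for the block PRF F, and the keys and the one-block message are constructed for the demo.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # X = {0,1}^128, one AES-sized block

def F(k, x):
    """Stand-in for the block PRF F(k, x): keyed BLAKE2b truncated to one block.
    It is a PRF rather than a PRP, which is all the forgery below relies on."""
    return hashlib.blake2b(x, key=k, digest_size=BLOCK).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def raw_cbc(k, blocks):
    """rawCBC(k, m): chain the blocks through F(k, .) with no final step."""
    state = bytes(BLOCK)
    for block in blocks:
        state = F(k, xor(state, block))
    return state

def ecbc_mac(k, k1, blocks):
    """Encrypted CBC-MAC: the raw CBC output is passed through F(k1, .)."""
    return F(k1, raw_cbc(k, blocks))

def extension_forgery(m, t):
    """The slide's 1-chosen-message attack: given the tag t of the one-block
    message m, t is also the rawCBC tag of the 2-block message (m, t xor m),
    because F(k, F(k,m) xor (t xor m)) = F(k, m) = t."""
    return [m, xor(t, m)], t

def forgery_accepted(mac, m):
    """Ask `mac` for the tag of m, build the forgery, and report whether
    `mac` would accept it as the tag of the new 2-block message."""
    forged_msg, forged_tag = extension_forgery(m, mac([m]))
    return hmac.compare_digest(mac(forged_msg), forged_tag)

def demo():
    k, k1 = secrets.token_bytes(BLOCK), secrets.token_bytes(BLOCK)
    m = b"transfer 100 USD"   # constructed one-block (16-byte) message
    raw_accepts = forgery_accepted(lambda bl: raw_cbc(k, bl), m)        # True
    ecbc_accepts = forgery_accepted(lambda bl: ecbc_mac(k, k1, bl), m)  # False
    return raw_accepts, ecbc_accepts
```

The final F(k1, ·) is what breaks the algebra: the attacker’s t is now F(k1, F(k,m)), so t⨁m no longer cancels the chained value.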

Message Integrity

MAC padding

Recall: ECBC-MAC
Let F: K × X ⟶ X be a PRP
[diagram: raw CBC over m[0], m[1], … with F(k,⋅), followed by F(k1,⋅) to give the tag]
Define new PRF F_ECBC : K^2 × X^≤L ⟶ X

What if msg. len. is not multiple of block-size?
[diagram: the same CBC chain over m[0], m[1], …, but the last block is incomplete (???) before F(k,⋅) and the final F(k1,⋅)]

CBC MAC padding
Bad idea: pad m with 0’s
[diagram: m[0] m[1] (last block incomplete) padded to m[0] m[1] 0000]

Is the resulting MAC secure?

Yes, the MAC is secure
It depends on the underlying MAC
No, given tag on msg m attacker obtains tag on m∥0

Problem: pad(m) = pad(m∥0)

CBC MAC padding
For security, padding must be invertible !
m0 ≠ m1 ⇒ pad(m0) ≠ pad(m1)

ISO: pad with “100000”. Add new dummy block if needed.
– The “1” indicates beginning of pad.

[diagram: m[0] m[1] (last block incomplete) becomes m[0] m[1] 100…; m’[0] m’[1] (already a multiple of the block size) gets a new dummy block 1000…000]

CMAC (NIST standard)

Variant of CBC-MAC where key = (k, k1, k2)
• No final encryption step (extension attack thwarted by last keyed xor)
• No dummy block (ambiguity resolved by use of k1 or k2)

[diagram: left, m[0] m[1] ⋯ m[w] with an incomplete last block padded with 100…, that last block ⨁-ed with k1 before the final F(k,⋅); right, m[0] m[1] ⋯ m[w] with a complete last block ⨁-ed with k2 before the final F(k,⋅); the output of the last F(k,⋅) is the tag in both cases]
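
An added example (not from the course) covering both the padding slides and the CMAC slide: zero padding collides on m and m∥0, ISO 100…0 padding is invertible, and CMAC as drawn above, with three independent keys k, k1, k2 and keyed BLAKE2b standing in for the block PRF F, tells a padded last block from a complete one by the key it xors in. Keys and messages are constructed for the demo.

```python
import hashlib
BLOCK = 16  # X = {0,1}^128

def F(k, x):
    """Stand-in block PRF F(k, x): keyed BLAKE2b truncated to one block
    (a block cipher such as AES plays this role in the real construction)."""
    return hashlib.blake2b(x, key=k, digest_size=BLOCK).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def zero_pad(m):
    """The slide's bad idea: pad with 0s. Not invertible: pad(m) == pad(m||0)."""
    return m + bytes(-len(m) % BLOCK)

def iso_pad(m):
    """ISO padding 100...0 at byte granularity (0x80 carries the '1' bit). It always
    appends, so a message filling its last block gets a whole dummy block."""
    return m + b"\x80" + bytes(-(len(m) + 1) % BLOCK)

def iso_unpad(p):
    return p[:p.rindex(b"\x80")]

def cmac(k, k1, k2, m):
    """CMAC as drawn on the slide with three independent keys (k, k1, k2); NIST
    SP 800-38B derives k1 and k2 from k instead, which is omitted here. A padded
    last block is xored with k1, a complete one with k2: no dummy block, no final encryption."""
    if not m or len(m) % BLOCK:
        padded, last_key = m + b"\x80" + bytes(-(len(m) + 1) % BLOCK), k1
    else:
        padded, last_key = m, k2
    blocks = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    state = bytes(BLOCK)
    for block in blocks[:-1]:
        state = F(k, xor(state, block))
    return F(k, xor(xor(state, blocks[-1]), last_key))

def demo():
    k, k1, k2 = b"k" * 16, b"1" * 16, b"2" * 16   # constructed fixed keys
    m = b"constructed msg, 30 bytes long"           # last block is short
    short = b"a fifteen-byter"                     # 15 bytes, one short block
    looks_padded = short + b"\x80"                 # 16 bytes: a complete block
    return {
        "zero_pad_collides": zero_pad(m) == zero_pad(m + b"\x00"),   # True
        "iso_pad_injective": iso_pad(m) != iso_pad(m + b"\x00"),     # True
        "iso_roundtrip": iso_unpad(iso_pad(m)) == m,                 # True
        # `short` padded and `looks_padded` raw feed CBC identical bytes; only k1 vs k2 keeps tags apart
        "same_cbc_input": iso_pad(short) == looks_padded,            # True
        "cmac_resolves": cmac(k, k1, k2, short) != cmac(k, k1, k2, looks_padded),
    }
```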

Message Integrity

PMAC and
Carter-Wegman MAC

• ECBC and NMAC are sequential.

• Can we build a parallel MAC from a small PRF ??

Construction 3: PMAC – parallel MAC
Let F: K × X ⟶ X be a PRF; key = (k, k1)
P(k, i): an easy to compute function
[diagram: blocks m[0], m[1], m[2], m[3]; each m[i] is ⨁-ed with P(k,i) and all but the last are passed through F(k1,⋅); the results are ⨁-ed together and passed through F(k1,⋅) to give the tag. Padding similar to CMAC]
Define new PRF F_PMAC : K^2 × X^≤L ⟶ X

PMAC is incremental
Suppose F is a PRP.
[diagram: the PMAC computation above on blocks m[0], m[1], …]
When m[1] ⟶ m’[1] can we quickly update tag?

no, it can’t be done
do F^-1(k1,tag) ⨁ F(k1, m’[1] ⨁ P(k,1))
do F^-1(k1,tag) ⨁ F(k1, m[1] ⨁ P(k,1)) ⨁ F(k1, m’[1] ⨁ P(k,1))
do tag ⨁ F(k1, m[1] ⨁ P(k,1)) ⨁ F(k1, m’[1] ⨁ P(k,1))
Then apply F(k1, ⋅)

One time MAC (analog of one time pad)

• For a MAC I=(S,V) and adv. A define a MAC game as:
[diagram: Chal. picks k ← K; Adv. sends a single m1 ∈ M and receives t1 ← S(k,m1); Adv. outputs (m,t); Chal. outputs b]
b=1 if V(k,m,t) = `yes’ and (m,t) ≠ (m1,t1)
b=0 otherwise

Def: I=(S,V) is a secure MAC if for all “efficient” A:
Adv[A,I] = Pr[Chal. outputs 1] is “negligible.”

One-time MAC ⇒ Many-time MAC
Let (S,V) be a secure one-time MAC over (K_I, M, {0,1}^n ) .
Let F: K_F × {0,1}^n ⟶ {0,1}^n be a secure PRF.

Carter-Wegman MAC: CW( (k1,k2), m) = (r, F(k1,r) ⨁ S(k2,m) )
for random r ⟵ {0,1}^n .
(F(k1,r): slow but short input; S(k2,m): fast, long input)

Thm: If (S,V) is a secure one-time MAC and F a secure PRF
then CW is a secure MAC outputting tags in {0,1}^2n .

CW( (k1,k2), m) = (r, F(k1,r) ⨁ S(k2,m) )

How would you verify a CW tag (r, t) on message m ?

Recall that V(k2,m,.) is the verification alg. for the one time MAC.

Run V( k2, m, F(k1, t) ⨁ r )
Run V( k2, m, r )
Run V( k2, m, t )
Run V( k2, m, F(k1, r) ⨁ t )

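
An added example (not from the course) of the Carter-Wegman MAC and of the verification step asked about above: keyed BLAKE2b stands in for the PRF F, and since this chapter leaves (S,V) abstract, a polynomial hash over Z_Q with key k2 = (a, b) is used as the one-time MAC; all keys are constructed at random.

```python
import hashlib
import hmac
import secrets

N = 16           # n = 128 bits: PRF outputs and one-time-MAC tags are 16 bytes
Q = 2**127 - 1   # Mersenne prime; one-time-MAC tags live in Z_Q, so fit in 16 bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def F(k1, r):
    """Secure PRF F: K_F x {0,1}^n -> {0,1}^n; keyed BLAKE2b stands in for it."""
    return hashlib.blake2b(r, key=k1, digest_size=N).digest()

def S(k2, m):
    """One-time MAC chosen for this example (the chapter leaves (S,V) abstract):
    a polynomial hash over Z_Q with key k2 = (a, b). m is cut into 15-byte
    chunks c_i, each prefixed with 0x01 so leading zeros and chunk length
    survive the byte-to-int conversion; S = (sum c_i * a^i + b) mod Q."""
    a, b = k2
    acc = b
    for i in range(0, len(m), 15):
        c = int.from_bytes(b"\x01" + m[i:i + 15], "big")
        acc = (acc + c * pow(a, i // 15 + 1, Q)) % Q
    return acc.to_bytes(N, "big")

def V(k2, m, t):
    return hmac.compare_digest(S(k2, m), t)

def cw_sign(key, m):
    """CW((k1,k2), m) = (r, F(k1, r) xor S(k2, m)) for a fresh random r."""
    k1, k2 = key
    r = secrets.token_bytes(N)
    return r, xor(F(k1, r), S(k2, m))

def cw_verify(key, m, tag):
    """Strip the pad F(k1, r) off t, then run the one-time verifier:
    V(k2, m, F(k1, r) xor t)."""
    k1, k2 = key
    r, t = tag
    return V(k2, m, xor(F(k1, r), t))

def demo():
    key = (secrets.token_bytes(N), (secrets.randbelow(Q), secrets.randbelow(Q)))
    m = b"constructed sample message for the CW MAC"
    tag = cw_sign(key, m)
    return (cw_verify(key, m, tag),          # True: valid tag
            cw_verify(key, m + b"!", tag),   # False: message changed
            cw_sign(key, m)[1] != tag[1])    # True: fresh r gives a fresh tag
```

Because r is fresh per tag, the one-time MAC value S(k2,m) is never exposed twice under the same pad, which is what lets a one-time (S,V) be reused across many messages.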
Construction 4: HMAC (Hash-MAC)

Most widely used MAC on the Internet.

… but first we need to discuss hash functions.

Further reading
• J. Black, P. Rogaway: CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions. J. Cryptology 18(2): 111-131 (2005)
• K. Pietrzak: A Tight Bound for EMAC. ICALP (2) 2006: 168-179
• J. Black, P. Rogaway: A Block-Cipher Mode of Operation for Parallelizable Message Authentication. EUROCRYPT 2002: 384-397
• M. Bellare: New Proofs for NMAC and HMAC: Security Without Collision-Resistance. CRYPTO 2006: 602-619
• Y. Dodis, K. Pietrzak, P. Puniya: A New Mode of Operation for Block Ciphers and Length-Preserving MACs. EUROCRYPT 2008: 198-219