Ryan Henry I 538 /B 609 : Introduction to Cryptography
Ryan Henry 1 Last Thursday’s lecture: Message authentication codes (MACs) Today’s lecture: Secure variants of CBC-MAC Hash functions
Ryan Henry Assignment 3 is on Tuesday, October 13 2 (That’s one week from today!) Please seek help before 2:30pm on Friday!
Ryan Henry Recall: MAC existential forgery game 3 Challenger (C) Forger (A) k ← Gen(1 s ) t 1 ← MAC k (m 1 ) 1 s1 s 1 s1 s m 1 t 1 t 2 ← MAC k (m 2 ) m 2 t 2 t n ← MAC k (m n ) m n t n
Ryan Henry Recall: Naïve CBC-MAC 4 m1m1 k k k... Q: Is naïve CBC-MAC existentially unforgeable? A: No! (By why?)
Ryan Henry CBC-MAC fix #1: Prepend the block-length 5 m1m1 k kk F k (n)... I V = F k ( b l o c k l e n g t h ) ( i n p u t p a d d e d t o b l o c k s i z e ) Intuitively, MAC on n-block message is useless for forging MACs on n’-block messages
Ryan Henry 6 m1m1 knkn knkn knkn... k e y = F k ( b l o c k l e n g t h ) ( i n p u t p a d d e d t o b l o c k s i z e ) CBC-MAC fix #2: Length-specific key Again, MAC on n-block message is useless for forging MACs on n’-block messages
Ryan Henry CBC-MAC fix #3: Nested CBC-MAC (NMAC) 7 m1m1 k1k1 k1k1 k1k1... k2k2 Compute Naïve CBC-MAC with first key MAC the Naïve CBC-MAC with second key
Ryan Henry CBC-MAC versus CBC mode encryption ▪C▪CBC mode encryption requires uniform random IV –O–Otherwise, it is not IND-CPA secure! ▪C▪CBC-MAC requires fixed IV –O–Otherwise, it is not existentially unforgeable! ▪C▪CBC mode encryption outputs each block –O–Otherwise, it is not correct! ▪C▪CBC-MAC only outputs a single block (the last one) –O–Otherwise, it is not existentially unforgeable ! ▪C▪CBC mode encryption requires a PRP –O–Otherwise, it is not correct! ▪C▪CBC-MAC only requires a PRF 8
Ryan Henry Hash functions Def n : A hash function is a PPT function H: {0, 1} * → {0, 1} s that maps arbitrary-length bit strings into fixed-length bit strings. 9 (Non-cryptographic) The output of a hash function is called a ”hash”, ”digest”, or ”fingerprint” of the input Alice Bob Charlie Eve … Hash function Fingerprints
Ryan Henry Hash function collisions 10 Pigeon-hole principle: If the domain of H is (much) larger than its range, then (many) collisions must exist! c o l l i s i o n more pigeons → more collisions "TooManyPigeons" by en:User:McKay - Transferred from en.wikipedia; Original text : Edited from Image:Pigeons-in-holes.jpg by en:User:BenFrantzDale. Licensed under CC BY-SA 3.0 via Wikimedia Commons -
Ryan Henry Collision resistance ▪I▪Intuitively, we want to say that no PPT algorithm can find a collision for H, except with a probability that is negligible in s (the length of the output) Q: How do we formalize this notion? A: Very carefully… –D–Difficulty: once H is fixed, it is trivial to define a PPT algorithm that has a collision for H “hard-coded” 11
Ryan Henry Keyed hash functions 12 Idea: Define collision resistance to require that no PPT algorithm can find a collision for H when the key is selected at random, except with probability negligible in s.
Ryan Henry Collision-finding game 13 Challenger (C) Attacker (A) k ← Gen(1 s ) (m 0, m 1 ) 1 s1 s k Let E be the event that m 0 ≠ m 1 and H(k, m 0 ) = H(k, m 1 ) Define A’s advantage to be Adv collision (A) := Pr[E] 1 s1 s
Ryan Henry Second preimage resistance 14 a.k.a target collision resistance
Ryan Henry Second-preimage-finding game 15 Challenger (C) Attacker (A) k ← Gen(1 s ) m 1 1 s1 s k Let E be the event that m 0 ≠ m 1 and H(k, m 0 ) = H(k, m 1 ) Define A’s advantage to be Adv 2-preimage (A) := Pr[E]
Ryan Henry Second preimage resistance Thm: If (Gen, H) is collision resistant, then it is also second preimage resistant. 16 Proof: Just note that a second preimage is a collision. Q: Is the converse of this theorem true? A: No! (But why?)
Ryan Henry Preimage resistance 17 a.k.a one-wayness
Ryan Henry Preimage-finding game 18 Challenger (C) Attacker (A) k ← Gen(1 s ) m 1 s1 s k Let E be the event that H(k, m) = y Define A’s advantage to be Adv preimage (A) := Pr[E]
Ryan Henry Preimage resistance 19 Thm: If (Gen, H) is preimage resistant for randomly selected inputs, then it is also second preimage resistant. Proof (sketch): Suppose that A breaks preimage resistance. - Given k and m, compute y = H(k, m) - Now use A to find a preimage of y. - Since y has many preimages, with high probability that preimage that A finds will not be m! Q: Is the converse of this theorem true? A: No! (But why?)
Ryan Henry That’s all for today, folks! 20