B504/I538: Introduction to Cryptography

Presentation transcript:

B504/I538: Introduction to Cryptography, Spring 2017 • Lecture 11 (2017-02-14)

Assignment 2* is due! Assignment 3 is out and is due in two weeks (2017-02-28)! (Please get started early!!)
* modulo the 1-week extension on problems 3 & 4

About crypto! Free pizza+brownies! 1 week from Thursday

Secrecy vs. integrity and authenticity
Integrity: has the message changed? Authenticity: from whom did the message originate?
So far we have only worried about secrecy ("confidentiality") of messages. However, secrecy ⇏ integrity, authenticity.
Q: What happens if an attacker flips a ciphertext bit in OTP / stream cipher / OFB mode / CTR mode?
A: The corresponding plaintext bit also flips!
Q: What happens if an attacker duplicates, removes, or permutes ciphertext blocks in ECB mode?
A: The corresponding plaintext blocks are duplicated, removed, or permuted!
Q: Are authenticity attacks possible in CBC mode?
A: Yes!

Malleability of CBC mode
[Figure: CBC-mode encryption of m ≔ m1∥m2∥⋯∥mℓ under key k with block cipher Πk, producing c ≔ IV∥c1∥c2∥⋯∥cℓ]
Truncate ciphertext blocks ⇒ truncates the corresponding plaintext blocks
Flip a bit of the IV ⇒ flips the corresponding bit of m1
Flip a bit of ci ⇒ randomizes mi and flips the corresponding bit of mi+1

Non-cryptographic integrity checks
Cyclic redundancy check (CRC): detects random errors due to a noisy channel; not intended to detect attacker-induced (intentional) errors.
A straw-man proposal:
1. Alice computes c ≔ Enck(m) using CTR mode
2. Alice computes t ≔ CRC(c)
3. Ciphertext is the pair (c, t)
Q: What could possibly go wrong?
A: Attacker changes c to c', then changes t to t' = CRC(c')! (that's excitement, not factorial!)

Non-cryptographic integrity checks
An improved proposal (?):
1. Compute t ≔ CRC(m)
2. Ciphertext is c ≔ Enck(m∥t)
Q: What could possibly go wrong now?
A: CRC is a "linear" code: ∀x,y, CRC(x⊕y) = CRC(x)⊕CRC(y)
Integrity in the presence of attackers requires a secret key!

Message authentication codes (MACs)
Intuitively, a message authentication code (MAC) is a short piece of information used to verify the integrity and authenticity of a message:
- input: a secret key and an arbitrary-length message; output: a short value called a tag
- no efficient algorithm should be able to "forge" a valid MAC tag (under an unknown key) on any message, except with negligible probability

Message authentication codes (MACs)
Defⁿ: A message authentication code (MAC) is a triple of efficient algorithms (Gen, MAC, Ver) such that
- Gen: 1ℕ → {0,1}* is a randomized "key generation" algorithm
- MAC: K×M → T is a "tagging" algorithm
- Ver: K×M×T → {0,1} is a "tag verification" algorithm
Here K is the key space (the set of possible keys), M is the message space (the set of possible messages), and T is the tag space (the set of possible "tags").
Usually write MACk(m) and Verk(m, t) instead of MAC(k, m) and Ver(k, m, t).

Correctness
Intuitively: correctness is the property of being able to verify a tag (given knowledge of the correct key).
Note: it is possible (but uncommon) to allow correctness with probability p < 1.
Defⁿ: A MAC scheme (Gen, MAC, Ver) with key space K and message space M is correct if ∀k∈K and ∀m∈M, Pr[Verk(m, MACk(m)) = 1] = 1.

MAC "forgery" games
We have seen a number of indistinguishability games:
- Attacker gets oracle access to (or receives a signal from) the challenger, and must guess which of two versions of the game is being played
- Attacker outputs either 0 or 1
- Attacker advantage is Pr["correct guess"] − 1/2
MAC scheme security uses a forgery game:
- Attacker gets oracle access to the MAC algorithm
- Attacker outputs a message-tag pair not provided by the oracle
- Attacker advantage is Pr["tag is valid"]

MAC selective forgery game
Challenger (C) and forger (A) both receive 1n; C samples k ← Gen(1n).
A chooses a target message m ∈ M and sends it to C.
For i = 1, …, n: A sends a query mi ∈ M∖{m}; C replies with ti ← MACk(mi).
Finally A outputs a tag t ∈ T.
Let E be the event that Verk(m, t) = 1. Define A's advantage to be AdvMAC-selective-forge(A) ≔ Pr[E].

Selective unforgeability
Defⁿ: A MAC scheme (Gen, MAC, Ver) is selectively unforgeable under adaptive chosen message attacks if, for every PPT attacker A, there exists a negligible function ε: ℕ → ℝ⁺ such that for all m ∈ M, AdvMAC-selective-forge(A) ≤ ε(s).
The message m is chosen by the attacker prior to the attack; it may have interesting mathematical properties with respect to the MAC algorithms.

MAC existential forgery game (weak version)
Challenger (C) and forger (A) both receive 1n; C samples k ← Gen(1n).
For i = 1, …, n: A sends a query mi ∈ M; C replies with ti ← MACk(mi).
Finally A outputs a pair (m, t).
Let E be the event that m ∉ {m1, …, mn} yet Verk(m, t) = 1. Define A's advantage to be AdvMAC-weak-ex-forge(A) ≔ Pr[E].

MAC existential forgery game (strong version)
Challenger (C) and forger (A) both receive 1n; C samples k ← Gen(1n).
For i = 1, …, n: A sends a query mi ∈ M; C replies with ti ← MACk(mi).
Finally A outputs a pair (m, t).
Let E be the event that (m, t) ∉ {(m1, t1), …, (mn, tn)} yet Verk(m, t) = 1. Define A's advantage to be AdvMAC-strong-ex-forge(A) ≔ Pr[E].

Existential unforgeability
Defⁿ: A MAC scheme (Gen, MAC, Ver) is existentially unforgeable under adaptive chosen message attacks if, for every PPT attacker A, there exists a negligible function ε: ℕ → ℝ⁺ such that AdvMAC-strong-ex-forge(A) ≤ ε(s).
The message m is chosen arbitrarily by the attacker at the end of the attack.
Existential unforgeability is the "default" unforgeability property.

MAC universal forgery game
Challenger (C) and forger (A) both receive 1n; C samples k ← Gen(1n).
For i = 1, …, n: A sends a query mi ∈ M; C replies with ti ← MACk(mi).
Then C chooses a message m ∈ M∖{m1, …, mn} and sends it to A.
Finally A outputs a pair (m, t).
Let E be the event that Verk(m, t) = 1. Define A's advantage to be AdvMAC-universal-forge(A) ≔ Pr[E].

Universal unforgeability
Defⁿ: A MAC scheme (Gen, MAC, Ver) is universally unforgeable under adaptive chosen message attacks if, for every PPT attacker A, there exists a negligible function ε: ℕ → ℝ⁺ such that AdvMAC-universal-forge(A) ≤ ε(s).
An attacker capable of universal forgery can sign messages it chose itself (selective forgery), messages chosen at random, or even specific messages chosen by an opponent.

Notions of unforgeability (ordered from the weakest attacker to the strongest attacker)
Existential unforgeability ("default" level of unforgeability; weakest attacker)
⇑
Selective unforgeability
⇑
Universal unforgeability (strongest attacker)

Fixed-length MAC scheme from any PRF
Messages, tags, and keys are all n bits long.
- Gen(1n) outputs a uniform random key k ∊ {0,1}n
- MACk(m) outputs t ≔ Fk(m)
- Verk(m, t) outputs 1 if t = Fk(m) and 0 otherwise
Is this selectively unforgeable? Yes!
Is this existentially unforgeable? Yes! (How do we prove it?)
Is this universally unforgeable? Yes!

Fixed-length MAC to PRF reduction
1. Assume the MAC is not existentially unforgeable
2. Construct a distinguisher D for F that uses the forger A as a subroutine
3. Prove that D is efficient and has non-negligible advantage
4. Conclude that F is not a PRF, a contradiction
The distinguisher D receives 1n and an oracle OF (truly random or pseudorandom?) and runs A on 1n. Each query mi from A is answered with ti ≔ OF(mi). When A outputs (m, t) with m ∈ M∖{m1, …, mn}, D outputs 1 if t = OF(m) and 0 otherwise.

Replay attacks
MACs guarantee authenticity and integrity of messages in most cases. Notable exception: MACs do not prevent "replay attacks".
In a replay attack, the attacker simply re-sends a legitimate message that it observed in the past.

Naïve CBC-MAC
Let {Fk}k∈{0,1}* be a PRF family.
- Gen(1n) outputs a uniform random key k ∊ {0,1}n
- MACk(m) does the following: split m into n-bit blocks m1, …, mℓ; initialize t0 = 0n; compute ti = Fk(ti−1 ⊕ mi) for i = 1, …, ℓ; output the tag t ≔ tℓ
- Verk(m, t) outputs 1 if t = MACk(m) and 0 otherwise

[Figure: naïve CBC-MAC of m ≔ m1∥m2∥⋯∥mℓ under key k with PRF Πk, chaining t1, t2, …, tℓ from an all-zero IV; the tag is tℓ]
Q: Is naïve CBC-MAC existentially unforgeable?
A: No! (But why?)

Attacking existential unforgeability of naïve CBC-MAC
Challenger (C) and forger (A) both receive 1n; C samples k ← Gen(1n).
A sends a single one-block query m ∈ {0,1}n; C replies with t ← MACk(m).
A outputs (m', t) where m' ≔ m∥(m⊕t).
A's output is a valid forgery because MACk(m') = Fk((m⊕t)⊕t1) with t1 = Fk(m) = t, so MACk(m') = Fk(m) = t.
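An added worked example (not from the slides): it implements the fixed-length PRF-MAC and the naïve CBC-MAC above over HMAC-SHA256 as a stand-in PRF (an assumption; any PRF with 32-byte blocks works), confirms that the one-query forgery m' = m∥(m⊕t) verifies under the naïve scheme, and shows that prepending the block count as a first block (a standard fix, not covered on the slides) rejects the same forgery.

```python
import hashlib
import hmac

N = 32  # key, message blocks and tags are all N bytes (assumption: N = SHA-256 output size)


def prf(k: bytes, x: bytes) -> bytes:
    """F_k(x): HMAC-SHA256 as a stand-in PRF with N-byte input and output (assumption).
    Used alone on one block this is the slides' fixed-length MAC: MAC_k(m) = F_k(m)."""
    assert len(k) == N and len(x) == N
    return hmac.new(k, x, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def naive_cbc_mac(k: bytes, m: bytes) -> bytes:
    """Naive CBC-MAC from the slides: t0 = 0^n, t_i = F_k(t_{i-1} xor m_i), tag = t_l."""
    assert m and len(m) % N == 0
    t = bytes(N)
    for i in range(0, len(m), N):
        t = prf(k, xor(t, m[i:i + N]))
    return t


def naive_verify(k: bytes, m: bytes, t: bytes) -> bool:
    return hmac.compare_digest(naive_cbc_mac(k, m), t)


def prefixed_cbc_mac(k: bytes, m: bytes) -> bytes:
    """Length-prepended CBC-MAC: the block count is the first input block, so appending
    blocks to a queried message changes the whole chain rather than extending it."""
    header = (len(m) // N).to_bytes(N, "big")
    return naive_cbc_mac(k, header + m)


def prefixed_verify(k: bytes, m: bytes, t: bytes) -> bool:
    return hmac.compare_digest(prefixed_cbc_mac(k, m), t)


def forgery_demo() -> tuple:
    """Run the slides' forgery against both schemes with a constructed key and message.
    Returns (naive scheme accepts the forgery, length-prefixed scheme accepts it)."""
    k = bytes([0x11]) * N                        # constructed key (in practice: uniform random)
    m = b"meet at noon".ljust(N, b"\0")          # constructed one-block query
    t = naive_cbc_mac(k, m)                      # forger learns t = F_k(m) from one query
    naive_accepts = naive_verify(k, m + xor(m, t), t)   # m' = m || (m xor t), same tag t
    t2 = prefixed_cbc_mac(k, m)                  # same strategy against the fixed scheme
    prefixed_accepts = prefixed_verify(k, m + xor(m, t2), t2)
    return naive_accepts, prefixed_accepts
```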

That’s all for today, folks!