B504/I538: Introduction to Cryptography Spring 2017 • Lecture 11 (2017—02—14)

Assignment 2* is due! Assignment 3 is out and is due in two weeks! * modulo the 1-week extension on problems 3 & 4 Assignment 2* is due! Assignment 3 is out and is due in two weeks! (2017—02—28) (Please get started early!!)

About crypto! Free pizza+brownies! 1 week from Thursday

Secrecy vs. integrity and authenticity (has the message changed?) (from whom did the message originate?) Secrecy vs. integrity and authenticity So far we have only worried about secrecy of messages However, secrecy⇏integrity, authenticity Q: What happens if attacker flips a ciphertext bit in OTP / stream cipher / OBF mode / CTR mode? A: The corresponding plaintext bit also flips! Q: What happens if an attacker duplicates, removes, or permutes ciphertext blocks in ECB mode? A: The corresponding plaintext blocks are duplicated, removed, or permuted! Q: Are authenticity attacks possible in CBC mode? A: Yes! “confidentiality”

Malleability of CBC mode m≔m1∥m2∥⋯∥mℓ k m1 k m2 k mℓ ⋯ Πk Πk Πk c1 c2 cℓ IV c≔IV∥c1∥c2∥⋯∥cℓ truncate blocks flip IV bit flip ci bit ⇒ truncate correspond plaintext blocks ⇒ flip corresponding bit of m1 ⇒ randomize mi and flip corresponding mi+1 bit

Non-cryptographic integrity checks Cyclic redundancy check (CRC) Detects random errors due to noisy channel Not intended to detect attacker-induced (intentional) errors A straw-man proposal: Alice computes c≔Enck(m) using CTR mode Alice computes t≔CRC(c) Ciphertext is the pair (c，t) Q: What could possibly go wrong? A: Attacker changes c to c’, then changes t to t’ = CRC(c’)! that’s excitement, not factorial!

Non-cryptographic integrity checks An improved proposal (?): Compute t≔CRC(m) Ciphertext is c≔Enck(m∥t) Q: What could possibly go wrong now? A: CRC is a “linear” code: ∀x，y, CRC(x⊕y) = CRC(x)⊕CRC(y) Integrity in presence of attackers requires a secret key!

Message authentication codes (MACs) Intuitively, a message authentication code (MAC) is a short piece of information used to verify the integrity and authenticity of a message input a secret key and an arbitrary-length message and outputs a short value called a tag no efficient algorithm should be able to “forge” a valid MAC tag (under an unknown key) on any message, except with negligible probability

Message authentication codes (MACs) Defⁿ: A message authentication code (MAC) is a triple of efficient algorithms (Gen，MAC，Ver) such that Gen：1ℕ→{0，1}* is a randomized “key generation” algorithm MAC：Ｋ×Ｍ→Ｔ is a “tagging” algorithm Ver：Ｋ×Ｍ×Ｔ→{0，1} is a “tag verification” algorithm Usually write MACk(m) and Verk(m, t) instead of MAC(k, m) and Ver(k, m, t) Ｋ is the key space Ｍ is the message space Ｔ is the tag space (the set of possible keys) (the set of possible messages) (the set of possible “tags”)

Pr[Verk(m，MACk(m))=1]=1 Correctness Intuitively: Correctness is the property of being able to verify a tag (given knowledge of the correct key) Note: it is possible (but uncommon) to allow correctness with probability p < 1 Defⁿ: A MAC scheme (Gen，MAC，Ver) with key space Ｋ and message space Ｍ is correct if ∀k∈Ｋ and ∀m∈Ｍ, Pr[Verk(m，MACk(m))=1]=1

MAC ”forgery” games We have seen a number of indistinguishability games Attacker gets oracle access to (or receives a signal from) the challenger, and must guess which of two versions of the game is being played Attacker outputs either 0 or 1 Attacker advantage is Pr[“correct guess”]−1/2 MAC scheme security uses a forgery game Attacker gets oracle access to MAC algorithms Attacker outputs a message-tag pair not provided by the oracle Attacker advantage is Pr[“tag is valid”]

MAC selective forgery game Challenger (C) Forger (Ａ) 1n 1n k←Gen(1n) m∈Ｍ m1 m1∈M∖{m} t1 t1←MACk(m1) m2 m2∈M∖{m} t2 t2←MACk(m2) ⋮ mn mn∈M∖{m} tn t∈Ｔ tn←MACk(mn) Let E be the event that Verk(m, t)=1 Define Ａ’s advantage to be AdvMAC-selective-forge(Ａ)≔Pr[E]

Selective unforgeability Defⁿ: A MAC scheme (Gen，MAC，Ver) is selectively unforgeable under adaptive chosen message attacks if, for every PPT attacker Ａ, there exists a negligible function ε：ℕ→ℝ⁺ such that for all m∈Ｍ, AdvMAC-selective-forge(Ａ)≤ε(s). The message m is chosen by the attacker prior to the attack; it may have interesting mathematical properties with respect to the MAC algorithms

MAC existential forgery game (weak version) Challenger (C) Forger (Ａ) 1n 1n k←Gen(1n) m∈Ｍ m1 m1∈M∖{m} t1 t1←MACk(m1) m2 m2∈M∖{m} t2 t2←MACk(m2) ⋮ mn mn∈M∖{m} tn (m，t) tn←MACk(mn) Let E be the event that m∉{m1,…,mn} yet Verk(m，t)=1 Define Ａ’s advantage to be AdvMAC-weak-ex-forge(Ａ)≔Pr[E]

MAC existential forgery game (strong version) Challenger (C) Forger (Ａ) 1n 1n k←Gen(1n) m∈Ｍ m1 m1∈M∖{m} t1 t1←MACk(m1) m2 m2∈M∖{m} t2 t2←MACk(m2) ⋮ mn mn∈M∖{m} tn (m，t) tn←MACk(mn) Let E be the event that (m，t)∉{(m1，t1),…,(mn,tn)} yet Verk(m，t)=1 Define Ａ’s advantage to be AdvMAC-strong-ex-forge(Ａ)≔Pr[E]

Existential unforgeability Defⁿ: A MAC scheme (Gen，MAC，Ver) is existentially unforgeable under adaptive chosen message attacks if, for every PPT attacker Ａ, there exists a negligible function ε：ℕ→ℝ⁺ such that AdvMAC-strong-ex-forge (Ａ)≤ε(s). The message m is chosen arbitrarily by the attacker at the end of the attack Existential unforgeability is the “default” unforgeability property

MAC universal forgery game Challenger (C) Forger (Ａ) 1n 1n k←Gen(1n) m∈Ｍ m1 m1∈M∖{m} t1 t1←MACk(m1) ⋮ mn mn∈M∖{m} m m∈Ｍ∖{m1,…,mn} (m，t) Let E be the event that Verk(m，t)=1 Define Ａ’s advantage to be AdvMAC-universal-forge(Ａ)≔Pr[E]

Universal unforgeability Defⁿ: A MAC scheme (Gen，MAC，Ver) is existentially unforgeable under adaptive chosen message attacks if, for every PPT attacker Ａ, there exists a negligible function ε：ℕ→ℝ⁺ such that AdvMAC-universal-forge (Ａ)≤ε(s). An attacker capable of universal forgery can sign messages it chose itself (selective forgery), messages chosen at random, or even specific messages chosen by an opponent

Notions of unforgeability weakest attacker Existential unforgeability ⇑ Selective unforgeability ⇑ Universal unforgeability “default” level of unforgeability strongest attacker

Fixed-length MAC scheme from any PRF Messages, tags, and keys are all n-bit longs Gen(1n) outputs a uniform random key k∊{0，1}n MACk(m) outputs t≔Fk(m) Verk(m，t) outputs 1 if t=Fk(m) and 0 otherwise Is this selectively unforgeable? Is this existentially unforgeable? IS this universally unforgeable? Yes! Yes! how do we prove it? Yes!

Fixed-length MAC to PRF reduction Distinguisher (D) Assume MAC is not existentially unforgeable Construct distinguisher D for F that uses forger Ａ as a subroutine Prove that D is efficient and has non-negligible advantage Conclude that F is not a PRF, a contradiction 1n, OF Attacker (Ａ) 1n truly random or pseudorandom? m1 t1≔OF(m1) ⋮ mn tn≔OF(mn) (m, t) 1 if t=OF(m) 0 otherwise ( m∈Ｍ∖{m1,…,mn} )

Replay attacks MACs guarantee authenticity and integrity of messages in most cases Notable exception: MACs do not prevent “replay attacks” In a replay attack, the attacker simply re-sends a legitimate message that it observed in the past

Naïve CBC-MAC Let {fk}k∈{0，1}* be a PRF family Gen(1n) outputs a uniform random key k∊{0，1}n MACk(m) does the following: Split m into n-bit blocks m1,…,mn Initialize t0={0}n Compute ti=Fk(ti-1⊕mi) Output the tag t≔tn Verk(m，t) outputs 1 if t=MACk(m) and 0 otherwise

⋯ Πk Πk Πk k k k m≔m1∥m2∥⋯∥mℓ m1 m2 mℓ t1 t2 tℓ IV tℓ Q: Is naïve CBC-MAC existentially unforgeable? A: No! (But why?)

Attacking naïve CBC-MAC existential unforgeability of Attacking naïve CBC-MAC Challenger (C) Forger (Ａ) 1n 1n k←Gen(1n) m m ∈ {0，1}n t t←MACk(m) m‘≔m∥(m⊕t) (m’, t) Ａ’s output is a valid forgery because Fk(m’)=Fk((m⊕t)⊕t)=Fk(m)=t

That’s all for today, folks!