Cryptography Lecture 5 Stefan Dziembowski
2 Plan 1.Introduciton to authentication 2.CBC-MAC 3.Introduction to the collision-resistant hash functions 4.NMAC and HMAC 5.Authentication + Encryption
3 Message Authentication Integrity: M interferes with the transmission AliceBob How can Bob be sure that M really comes from Alice?
4 Sometimes: more imprtant than secrecy! AliceBank transfer 1000 $ to Eve transfer 1000 $ to Bob Of course: usually we want both secrecy and integrity.
5 Does encryption guarantee message integrity? Idea: 1.Alice encrypts m and sends c=Enc(k,m) to Bob. 2.Bob computes Dec(k,m), and if it “makes sense” accepts it. Intuiton: only Alice knows k, so nobody else can produce a valid ciphertext. It does not work! Example: one-time pad. transfer 1000 $ to Bob key K ciphertext C transfer 1000 $ to Eve “Eve” xor “Bob” plaintext xor
6 Message authentication AliceBob (m, t=Tag k (m)) Eve can see (m, t=Tag k (m)) She should not be able to compute a valid tag t’ on any other message m’. k k m verifies if t=Tag k (m)
7 Message authentication – multiple messages AliceBob (m 1, t=Tag k (m 1 )) Eve should not be able to compute a valid tag t’ on any other message m’. k k (m 2, t=Tag k (m 2 )) m2m2 m1m1 (m 1, t=Tag k (m t )) mtmt...
8 Alice Bob (m, t=Tag k (m)) k k m є {0,1}* Gen(1 n ) Vrfy k (m) є {yes,no} 1n1n Message Authentication Codes – the idea
9 Message Authentication Codes A message authentication code (MAC) is a tuple (Gen,Mac,Vrfy) of poly-time algorithms, such that the key-generation algorithm Gen takes as input a security parameter 1 n and outputs a key k, the tagging algorithm Mac takes as input a key k and a message mє{0,1}* and outputs a tag t, the verification algorithm Vrfy takes as input a key k, a message m and a tag t, and outputs a bit b є {yes, no}. If Vrfy k (m,t) = yes then we say that t is a valid tag on the message m. If Mac is deterministic, then Vrfy just computes Mac and compares the result.
10 Correctness We require that it always holds that: Vrfy k (m,Mac k (m)) = yes What remains is to define security of a MAC.
11 How to define security? We need to specify: 1.how the messages m 1,...,m t are chosen, 2.what is the goal of the adversary. Good tradition: be as pessimistic as possible! Therefore we assume that 1.The adversary is allowed to chose m 1,...,m t. 2.The goal of the adversary is to produce a valid tag on some m’ such that m’ ≠ m 1,...,m t.
12 security parameter 1 n selects random k = Gen(1 n ) oracle m1m1 mtmt... (m 1, t=Tag k (m 1 )) We say that the adversary breaks the MAC scheme at the end she outputs (m’,t’) such that 1. Vrfy(m’,t’) = yes 2. m’ ≠ m 1,...,m t adversary
13 The security definition We say that (Gen,Mac,Vrfy) is secure if A polynomial-time adversary A P(A breaks it) is negligible (in n)
14 Aren’t we too paranoid? [1/2] No! Sometimes the adversary may have influence on the messages that the parties are sending. (remember the story about Midway?) Another example: routing (m, t=Tag k (m)) m t kk
15 Aren’t we too paranoid? [2/2] Maybe it would be enough to require that: the adversary succeds only if he forges a message that “makes sense”. (e.g.: forging a message that consists of random noise should not count) Bad idea: hard to define, is application-dependent.
16 Warning: MACs do not offer protection against the “replay attacks”. AliceBob (m, t)... Since Vrfy has no state (or “memory”) there is no way to detect that (m,t) is not fresh! This problem has to be solved by the higher-level application (methods: time-stamping, sequence numbers...).
17 Constructing a MAC 1.There exist MACs that are secure even if the adversary is infinitely-powerful. (we discussed them on the first lecture) These constructions are not practical. 2.MACs can be constructed from the block-ciphers. We will now discuss to constructions: –simple (and not practical), –a little bit more complicated (and practical) – a CBC-MAC 1.MACs can also be constructed from the hash functions (NMAC, HMAC).
18 A simple construction from a block cipher Let F : {0,1} n × {0,1} n → {0,1} n be a block cipher. We can now define a MAC scheme that works only for messages m ε {0,1} n as follows: Gen(1 n ) simply chose a random key from {0,1} n. Mac(k,m) = F(k,m) It can be proven that it is a secure MAC. How to generalize it to longer messages? FkFk k m F(k,m)
19 Idea 1 FkFk m1m1 F(k,m 1 ) FkFk mdmd F(k,m d )... divide the message in blocks m 1,...,m d and authenticate each block separately This doesn’t work!
20 t = Tag k (m): m: t’ = perm(t): m’ = perm(m): perm Then t’ is a valid tag on m’. What goes wrong?
21 Idea 2 FkFk m1m1 F(k,x 1 ) FkFk mdmd F(k,x d )... Add a counter to each block. This doesn’t work either! 1d x1x1 xdxd
22 xixi m: t = Tag k (m): m’ = a prefix of m: t’ = a prefix of t: Then t’ is a valid tag on m’. mimi i
23 Idea 3 FkFk m1m1 F(k,x 1 ) FkFk mdmd F(k,x d )... Add l := |m| to each block This doesn’t work either! 1d ll x1x1 xdxd
24 What goes wrong? xixi m:m: t = Tag k (m): m’: t’ = Tag k (m’): m’’ = first half from m || second half from m’ t’’ = first half from t || second half from t’ Then t’’ is a valid tag on m’’. m1m1 1 l
25 Idea 4 FkFk F(k,x 1 ) FkFk m d F(k,x d )... Add a fresh random value to each block! This works! d l x1x1 xdxd r m d d l r
26 pad with zeroes if needed FkFk F(k,x 1 ) m 1 l r FkFk F(k,x 2 ) m2m2 2r FkFk F(k,x d ) mdmd dr m1m1 m2m2 m3m3 mdmd... m1m1 l ll x1x1 nnn x2x2 xdxd |m i | = n/4 r is chosen randomly r tag k (m) 000 n – block length
27 pad with zeroes if needed FkFk F(k,x 1 ) m 1 l r FkFk F(k,x 2 ) m2m2 2r FkFk F(k,x d ) mdmd dr m1m1 m2m2 mdmd... m1m1 l ll x1x1 x2x2 xdxd |m i | = n/4 r is chosen randomly r tag k (m) 000 n – block length
28 This construction can be proven secure Theorem Assuming that F : {0,1} n × {0,1} n → {0,1} n is a pseudorandom permutation the construction from the previous slide is a secure MAC. Proof idea: Suppose it is not a secure MAC. Let A be an adversary that breaks it with a non-negligible probability. We construct a distinguisher D that distinguishes F from a random permutation.
29 This construction is not practical Problem: The tag is 4 times longer than the message... We can do much better!
30 CBC-MAC m m1m1 m2m2 m3m3 mdmd... pad with zeroes if needed 0000 |m| FkFk FkFk FkFk FkFk FkFk tag k (m) F : {0,1} n × {0,1} n → {0,1} n - a block cipher Gen just chooses a random key k ← {0,1} n. Other variants exist!
31 m1m1 m2m2 m3m3 mdmd... |m| FkFk FkFk FkFk FkFk FkFk Why is this needed? Suppose we don’t prepend |m|... tag k (m)
32 m1m1 FkFk t 1 =tag k (m 1 ) m2m2 FkFk t 2 =tag k (m 2 ) m1m1 m 2 xor t 1 FkFk FkFk t’= tag k ( m’ ) m’ t’ = t 2 t1t1 the adversary chooses: now she can compute:
33 Some practictioners don’t like the CBC-MAC We don’t want to authenticate using the block ciphers! What do you want to use instead? Because: 1.they are more efficient, 2.they are not protected by the export regulations. Why? Hash functions!
34 Collision-resistant hash functions a hash function H : {0,1}* → {0,1} L short H(m) long m Requirement: it should be hard to find a pair (m,m’) such that H(m) =H(m’) a “collision” colision-resistance
35 Collisions always exist domain range m m’ Since the domain is larger than the range the collisions have to exist.
36 Hash functions – an example of an application Alice Bob a long message m H(m) a fast insecure link (e.g. internet) a voice phone link If Bob can recognize Alice’s voice then the integrity of m is guranteed.
37 Another example File F can be downloaded by an insecure connection. If we can learn H(F) in a secure way, we can verify authenticity of F.
38 Hash functions are a bit simillar to the error-correcting codes Difference between the hash functions and the error correcting codes: error-correcting codes are secure against the random errors. collision-resistant hash functions are secure against the intentional errors. A bit like: pseudorandom generators vs. cryptographic pseudorandom generators.
39 “Practical definition” H is a collision-resistant hash function if it is “practically impossible to find collisions in H”. Popular hash funcitons: MD5 (now cosidered broken) SHA1...
40 How to formally define “collision resitance”? Idea Say something like: H is a collision-resistant hash function if A efficient adversary A P(A finds a collision in H) is small Problem For a fixed H there always exist a constant-time algorithm that “finds a collision in H” in constant time. It may be hard to find such an algorithm, but it always exists!
41 Solution When we prove theorems we will always consider families of hash functions indexed by a key s. {H s } s є keys
42 H H H HsHs HsHs HsHs s formal model: informal description: “knows H” s is chosen randomly a protocol
43 H H H SHA1 real-life implementation (example): informal description: “knows H” “knows SHA1” H a protocol
44 Hash functions – the functional definition A hash function is a pair of probabilistic polynomial-time algorithms (Gen,H) where Gen takes as input a security parameter 1 n and outputs a key s. H takes as input a key s and a message x є {0,1}* and outputs a string H s (x) є {0,1} L(n), where L(n) is some fixed function.
45 Hash functions – the security definition [1/2] 1n1n s ← Gen(1 n ) s outputs (m,m’) We say that adversary A breaks the function (Gen,H) if H s (m) = H s (m’).
46 (Gen, H) is a collision-resistant hash function if Hash functions – the security definition [2/2] A polynomial-time adversary A P(A breaks (Gen,H)) is negligible
47 How to construct the hash functions? Idea: 1.Construct a “fixed-input-length” a hash function. 2.Use it to construct a normal hash function. h h(m) m L(n) 2·L(n)
48 A common method for constructing hash functions 1.Construct a “fixed-input-length” collision-resistant hash function Call it: a collision-resistant compression function. 2.Use it to construct a hash function. h : {0,1} 2·L → {0,1} L h(m) m L 2·L2·L
49 An idea m hh m1m1 h m2m2 mBmB IV 0000 pad with zeroes if needed... t m i є {0,1} L H(m) can be arbitrary This doesn’t work......
50 Why is it wrong? m m1m1 m2m2 mBmB 0000 t If we set m’ = m || 0000 then H(m’) = H(m). Solution: add a block encoding “t”. m m1m1 m2m2 mBmB 0000 t m B+1 := t...
51 Merkle-Damgård transform m hhh m1m1 h m2m2 mBmB m B+1 := t IV t given h : {0,1} 2L → {0,1} L we construct H : {0,1}*→ {0,1} L m i є {0,1} L H(m) doesn’t need to be know in advance (nice!)
52 This construction is secure We would like to prove the following: Theorem If h : {0,1} 2L → {0,1} L is a collision-resistant compression function then H : {0,1}*→ {0,1} L is a collision-resistant hash function. But wait…. It doesn’t make sense…
53 We need to consider the hash function families Suppose (gen,h) is a collision-resistant hash function such that for every s ← gen(1 n ) we have h s : {0,1} 2L(n) → {0,1} L(n) h h(m) m L(n) 2·L(n)
54 We now show how to transform such a (gen,h) into a hash function (Gen,H). How? 1.Gen(1 n ) ← gen(1 n ) 2.Use the same construction as before
55 Merkle-Damgård transform m hhh m1m1 h m2m2 mBmB m B+1 := t IV t given h : {0,1} 2L(n) → {0,1} L(n) we construct H : {0,1}* → {0,1} L(n) m i є {0,1} L(n) H(m)
56 This construction is secure Theorem If (gen,h) is a collision-resistant hash function then (Gen,H) is a collision-resistant hash function. Proof Suppose A is a polynomial-time adversary that breaks (Gen,H) with a non-negligible probability. We construct a polynomial-time adversary a that breaks (gen,h) with a non-negligible probability.
57 A breaks H s a breaks h s by simulating A s ← gen(1 n ) s s (m,m’) a collision in H s now a should output a collision (x,y) in h
58 How to compute a collision (x,y) in h from a collision (m,m’) in H? We consider two options: 1.|m| = |m’| 2.|m| ≠ |m’|
59 Option 1: |m| = |m’| m m1m1 m2m2 mBmB m B+1 := t 0000 t m m1m1 m2m2 mBmB m B+1 := t 0000 t
60 |m| = |m’| m hhh m1m1 h m2m2 mBmB m B+1 := t z2z2 IV H(m) z1z1 z3z3 z B+1 zBzB Some notation:
61 |m| = |m’| m’ hhh m’ 1 h m’ 2 m’ B m’ B+1 := t z’ 2 IV H(m’) z’ 1 z’ 3 z’ B+1 z’ B For m’:
62 z 1 = IVm1m1 z2z2 m2m2 zBzB mBmB z B+1 m B+1... z’ 1 = IVm’ 1 z’ 2 m’ 2 z’ B m’ B z’ B+1 m’ B+1... equal z B+2 =H(m) Let i* be the largest i such that (m i,z i ) = (m’ i,z’ i ) (because m ≠ m’ such i* > 1 always exists!) z B+2 =H(m’)
63 So, we have found a collision! z i*-1 m i*-1 z i* z’ i*-1 m’ i*-1 z’ i* not equal equal hh
64 Option 2: |m| ≠ |m’| z B+1 m B+1 z’ B’+1 m’ B’+1 equal H(m)H(m’)... the last block encodes the length on the message so these values cannot be equal! So, again we have found a collision!
65 Finlizng the proof So, if A breaks H with probability ε(n), then a breaks h with probability ε(n). If A runs in polynomial time, then a also runs in polynomial time. QED
66 Generic attacks on hash functions Remember the brute-force attacks on the encryption schemes? For the hash functions we can do something slightly smarter... It is called a “birthday attack”.
67 The birthday paradox Suppose we have a random function H : A → B Take q values x 1,...,x q Let p(q) be the probability that there exist distinct i,j such that H(x i ) = H(x j ). If q ≥ |A| then trivially p(q) = 1.
68 Why is it called “a birthday paradox”? Set: H : people → birthdays Q: How many random people you need to take to know that with probability 0.5 at least 2 of them have birthday on the same day? A: 23 is enough! Counterintuitive...
69 How does the birthday attack work? For a hash function H : {0,1}* → {0,1} L Take a random X – a subset of {0,1} 2L, such that |X| = 2 L/2. With probability around 0.5 there exists x,x’ є X, such that H(x) = H(x’). A pair (x,x’) can be found in time O(|X| log |X|) and space O(|X|). Moral L has to be such that an attack that needs 2 L/2 steps is infeasible.
70 Concrete functions MD5, SHA-1, SHA-256, all use (variants of) Merkle-Damgård transformation.
71 MD5 (Message-Digest Algorithm 5) output length: 128 bits, designed by Rivest in 1991, in 1996, Dobbertin found collisions in the compresing function of MD5, in 2004 a group of Chinese mathematicians designed a method for finding collisions in MD5, there exist a tool that finds collisions in MD5 with a speed 1 collision / minute (on a laptop-computer) Is MD5 completely broken? The attack would be practical if the colliding documents “made sense”... In 2005 A. Lenstra, X. Wang, and B. de Weger found X.509 certificates with different public keys and the same MD5 hash.
72 SHA-1 (Secure Hash Algorithm) output length: 128 bits, designed in 1993 by the NSA, in 2005 Xiaoyun Wang, Andrew Yao and Frances Yao presented an attack that runs in time Still rather secure, but new hash algorithms are needed! A US National Institute of Standards and Technology announced a competition for a new hash function (deadline: October 31, 2008). Go to and submit!
73 How to authenticate with hash functions? A simple idea: h h(m) long m a block cipher F k k F k (h(m)) By the way: a similar method is used in the public-key cryptography (it is called “hash-and-sign”).
74 What the industry says? the block cipher is still there... Why don’t we just hash a message together with a key: MAC k (m) = H(k || m) ? It’s not secure!
75 Suppose H was constructed using the MD-transform IVk z2z2 m zBzB t MAC k (m) IVk z2z2 m zBzB t MAC k (m||t) t + LMAC k (m) L she can see this she can fabricate this
76 A better idea M. Bellare, R. Canetti, and H. Krawczyk (1996): NMAC (Nested MAC) HMAC (Hash based MAC) have some “provable properites” They both use the Merkle-Damgård transform. Again, let h : {0,1} 2L → {0,1} L be a compression function.
77 NMAC m hh m1m1 h mBmB m B+1 := |m| k1k h k2k2 NMAC (k1,k2) (m)
78 What can be proven Suppose that 1.h is collision-resistant 2.the following function is a secure MAC: Then NMAC is a secure MAC. h k2k2 MAC k2 (m) m
79 Looks better, but 1.our libraries do not permit to change the IV 2.the key is too long: (k 1,k 2 ) HMAC is the solution!
80 HMAC hh k xor ipad h m1m1 m B+1 := |m| IV... h IV HMAC k (m) h k xor opad ipad = 0x36 repeated opad = 0x5C repeated
81 HMAC – the properties Looks complicated, but it is very easy to implement (given an implementation of H): HMAC k (m) = H((k xor opad) || H(k xor ipad || m)) It has some “provable properties” (slightly weaker than NMAC). Widely used in practice. We like it!
82 Authentication and Encryption Usually we want to authenticate and encrypt at the same time. What is the right way to do it? There are several options: Encrypt-and-authenticate: c ← Enc k1 (m) and t ← Mac k2 (m) Authenticate-then-encrypt: t ← Mac k2 (m) and c ← Enc k1 (m||t) Encrypt-then-authenticate: c ← Enc k1 (m) and t ← Mac k2 (c) By the way: never use the same key for Enc and Mac: k 1 and k 2 have to be “independent”! wrong better the best