--------------------------------------------------------------------------
CSE 227 - Lecture 7 - November 14, 2001
--------------------------------------------------------------------------

Last time: introduced MACs
Today: MACs, lecture 2.

[[ Spend a lot of time today helping the students to attack constructions.
   Maybe do some small-group attacks (if break, remember to have video
   stopped.) ]]

1. Message authentication codes
   1.1 Review definition (actually two definitions)
   1.2 Encrypting-with-redundancy doesn't make a MAC: CBC-with-XOR
   1.3 CBCMAC. Right or wrong? Length variability issue.
   1.4 The PRF-as-a-MAC paradigm
   1.5 Making a VIL PRF: the universal hash-function family approach
       a. Definition
       b. Alternative definition
       c. F'(M) = E_K(H_K'(M)) is a good PRF
// we only got up until here, and, in fact, I was not doing the proof for
// 1.5c properly, I ought to redo it next class.
   1.6 Constructions of \e-AU hash function
       a. Polynomial evaluation
       b. NH construction and UMAC
       c. XORMAC construction
       d. CBCMAC construction, and XCBC optimization
   1.7 SHA1
   1.8 HMAC
2. Definition of an authenticated-encryption scheme
   2.1 Generic-composition paradigm
   2.2 OCB

--------------------------------------------------------------------------

1.1 Review

Message authentication scheme Pi = (K, MACG, MACV)

   K                                            K
   M -> sigma = MACG_K(M)                       MACV_K(M, sigma) = 0 or 1
   S ------------- (M, sigma) ----------------> R

Usually deterministic; describe how things look in that case.

Define Adv^mac_Pi(A) = Pr[A^{MACG_K} forges]

A forges means it outputs (M, tag) where no earlier query asked M and got
back tag.

Last time: figured out how to MAC one bit, or how to MAC using an
absolutely enormous shared string. Asked you to design a block-cipher-using
scheme.

1.2 Encrypting-with-redundancy doesn't make a MAC: CBC-with-XOR example.

Have students break CBC-with-XOR-of-blocks-at-end, IV=0, using fixed-length
messages. Use 3 blocks.
Each row below is a CBC encryption (IV=0) of a two-block message followed
by the XOR of its two blocks; "/\" marks where the previous ciphertext
block is XORed in, and the ciphertext blocks are written underneath.

                      /\          /\
   ask-->      0   /   0   /   0
               |  /    |  /    |
               | /  C1 | /  C2 |
              C1/     C2/     C3

                      /\          /\
   ask-->    C1+C2 /   0   / C1+C2
               |  /    |  /    |
               | /  C4 | /  C5 |
              C4/     C5/     C6
   --------------------------------
                      /\          /\
   forge-->    C1  /   C1  /   0
               |  /    |  /    |
               | /  C2 | /  C4 |
              C2/     C4/     C5

Check: E_K(0 + C1) = C2 from the first query, E_K(C1 + C2) = C4 and
E_K(0 + C4) = C5 from the second, so (C1 C1, C2 C4 C5) verifies although
C1 C1 was never asked.

1.3 Raw CBC MAC

Have students break it using messages of varying lengths.
   Ask:   0, getting C1 = E_K(0)
   Forge: (0 C1, C1)      since E_K(C1 + E_K(0)) = E_K(0) = C1

State [BKR] theorem, in terms of PRP-security.

CORRECT METHODS: encrypted CBCMAC
                 XORMAC

1.4 The PRF-as-a-MAC paradigm. Length issue.

Proposition [PRFs are good MACs]:
---------------------------------
Let F: \K x \M -> \bits^n be a PRF and let A be an adversary that attacks F,
as a MAC, achieving advantage Adv^mac_F(A) = \delta, running in time t and
making q oracle queries, these queries, plus the length of A's forgery
attempt, comprising mu bits. Then there exists an adversary B that attacks
F as a PRF, runs in time t', asks q' queries, these totaling mu' bits, and
achieves advantage \delta' = Adv^prf_F(B), where

   t'      = t + tiny
   q'      = q + 1
   mu'     = mu
   \delta' >= \delta - 2^{-n}

Give reduction: Define B^f as follows:
   Run A. When A makes a MAC query of M, return f(M).
   When A halts, outputting a forgery attempt (M, sigma):
      if M was not already asked of A's oracle and f(M) = sigma
      then return 1 else return 0.

Instantiate f by a random function rho: the chance to forge is at most
2^{-n}, since sigma has to match a fresh uniformly random n-bit value.

   Pr[B^rho = 1] = Pr[A^rho forges] <= 2^{-n}

   Adv^prf_F(B) = Pr[B^{F_K} = 1] - Pr[B^rho = 1]
                >= Pr[A^{F_K} forges] - 2^{-n}
                =  \delta - 2^{-n}
--------------

So: to make a good MAC, make a good PRF.

But we already have good PRFs directly: block ciphers. Why not use them?
The domain is wrong! We have PRFs with domains of \bits^n, for some fixed
n, like 128. What we want is a PRF with a big domain, like \bits^* or
(\bits^n)^+. How to make them?
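Returning to 1.2 and 1.3: the following is an added example, not part of
the lecture notes, that implements the three CBC-based constructions above
over a toy block cipher and checks the two forgeries the notes describe,
then checks that encrypted CBC-MAC (one of the "correct methods") rejects
the length-extension attempt. The block cipher (a 4-round Feistel network
with an HMAC-SHA256 round function) and the 16-byte block size are
assumptions made for the example; the attacks depend only on the chaining
structure, not on the cipher.

```python
# Added example (not from the lecture notes): a toy block cipher plus the
# CBC-based constructions of 1.2 and 1.3, used to check the forgeries the
# notes describe and to confirm that encrypted CBC-MAC rejects them.
import hashlib
import hmac
import os

BLOCK = 16          # block length in bytes (n = 128 bits), an assumption
ZERO = bytes(BLOCK)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_cipher(key: bytes, x: bytes) -> bytes:
    """Toy 128-bit block cipher: a 4-round Feistel network whose round
    function is HMAC-SHA256 truncated to 8 bytes. Only the fact that it is
    a keyed permutation matters here."""
    assert len(x) == BLOCK
    left, right = x[:8], x[8:]
    for rnd in range(4):
        f = hmac.new(key + bytes([rnd]), right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


def cbc(key: bytes, blocks: list) -> list:
    """CBC encryption with IV = 0, returning every ciphertext block."""
    prev, out = ZERO, []
    for m in blocks:
        prev = block_cipher(key, xor(m, prev))
        out.append(prev)
    return out


def cbc_with_xor(key: bytes, blocks: list) -> list:
    """1.2: append the XOR of the message blocks, CBC-encrypt, and use the
    whole ciphertext as the tag ("encrypting with redundancy")."""
    checksum = ZERO
    for m in blocks:
        checksum = xor(checksum, m)
    return cbc(key, blocks + [checksum])


def raw_cbcmac(key: bytes, blocks: list) -> bytes:
    """1.3: raw CBC-MAC, the last CBC block is the tag."""
    return cbc(key, blocks)[-1]


def encrypted_cbcmac(k1: bytes, k2: bytes, blocks: list) -> bytes:
    """Encrypted CBC-MAC: the raw CBC-MAC value is re-encrypted under an
    independent second key, so the chaining value never leaves the box."""
    return block_cipher(k2, raw_cbcmac(k1, blocks))


def cbc_with_xor_forgery_verifies(key: bytes) -> bool:
    """The 1.2 attack on two-block messages: two chosen queries, then a
    never-queried message (C1 C1) whose tag is assembled from the answers."""
    c1, c2, c3 = cbc_with_xor(key, [ZERO, ZERO])           # first query
    c4, c5, c6 = cbc_with_xor(key, [xor(c1, c2), ZERO])    # second query
    return cbc_with_xor(key, [c1, c1]) == [c2, c4, c5]


def raw_cbcmac_forgery_verifies(key: bytes) -> bool:
    """The 1.3 length-extension attack: ask 0, get C1 = E_K(0); then
    (0 || C1) has tag E_K(C1 xor C1) = E_K(0) = C1."""
    c1 = raw_cbcmac(key, [ZERO])
    return raw_cbcmac(key, [ZERO, c1]) == c1


def encrypted_cbcmac_resists_extension(k1: bytes, k2: bytes) -> bool:
    """The same extension attempt against encrypted CBC-MAC: the published
    tag on 0 is E_{K2}(E_{K1}(0)), not the chaining value E_{K1}(0) the
    attacker needs, so the guessed tag fails to verify."""
    t = encrypted_cbcmac(k1, k2, [ZERO])
    return encrypted_cbcmac(k1, k2, [ZERO, t]) != t


if __name__ == "__main__":
    k1, k2 = os.urandom(BLOCK), os.urandom(BLOCK)
    print("CBC-with-XOR forgery accepted:", cbc_with_xor_forgery_verifies(k1))
    print("raw CBC-MAC forgery accepted:", raw_cbcmac_forgery_verifies(k1))
    print("encrypted CBC-MAC rejects extension:",
          encrypted_cbcmac_resists_extension(k1, k2))
```

The first two checks succeed for every key, which is the point of the
exercise: neither construction is a MAC, regardless of how strong the
underlying cipher is. The third check fails only if the second encryption
happens to map the tag back onto the chaining value, a 2^{-128} event for
the assumed block size.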
1.5 Making a VIL PRF: the universal hash-function family approach

a) Universal hash functions
---------------------------
A function family is a family of functions H = {H_K: D -> R}, one for each
K \in \K, where there is a distribution on \K (usually \K is just a finite
set, in which case the distribution is always the uniform one). Sets
D, R \subseteq \bits^*, and most often R = \bits^n for some n.

Def: H = {H_K: D -> R} is \e-AU if for all distinct M, M' in D,
     Pr[H_K(M) = H_K(M')] <= \e.

b) Different viewpoint:

     ask adversary for M
     ask adversary for M'
   * K <- \K; tell adversary K
   ------------------------------------
   Adversary wins if H_K(M) = H_K(M'), M \ne M'.

   Adv^univ_H(A) = Pr[(M,M') <- A; K <- \K : M \ne M' and H_K(M) = H_K(M')]
   Adv^univ_H(t, mu) = max {...}
   ................................

Variants:

collision-intractable hash function:
   * K <- \K; tell adversary K
     ask adversary for M
     ask adversary for M'
   ------------------------------------
   Adversary wins if H_K(M) = H_K(M')
   Adv^coll_H(A)
   ................................

"target-collision intractable" (TCR), "weakly collision-intractable":
     ask adversary for M
   * K <- \K; tell adversary K
     ask adversary for M'
   ------------------------------------
   Adversary wins if H_K(M) = H_K(M')

These two variants NEED a complexity-theoretic assumption, but AU doesn't
(the AU adversary commits to both M and M' before seeing K, so the
collision probability is a purely information-theoretic quantity).
   ................................

c) Using a universal hash function to make a VIL PRF

Given  H: \K1 x D -> {0,1}^n        a universal hash function
       E: \K2 x {0,1}^n -> {0,1}^n  a PRF

Define: F_{K1,K2}(M) = E_{K2}(H_{K1}(M))

Claim that this is a good PRF.
---------
Proposition: Let H: \K1 x D -> {0,1}^n be \delta-AU, and let
E: \K2 x {0,1}^n -> {0,1}^n be a PRF. Suppose A attacks F = E[H] in time t,
asking q queries, these totaling mu bits, achieving advantage
\e = Adv^prf_F(A). Then there is an adversary B that attacks E in time t',
asks q' queries, and achieves advantage \e' = Adv^prf_E(B), where

   t'  =  t + TimeHKey(K1) + TimeHcompute(mu)
   q'  =  q
   \e' >= \e - (q choose 2) \delta
---------
A^f has oracle f; B^g has oracle g.
Construct B^g as follows:
   K1 <- \K1
   Run A. When A makes an oracle query of M, compute m = H_{K1}(M).
      // If m collides with the hash of any earlier query,
      // then halt (we lose).
      // don't really have to execute this check
      Call oracle g(m) and return this to A.
   When A halts, outputting some bit b, return b.

   Adv^prf_F(A) = \e = Pr[A^{E_{K2}(H_{K1}(.))} = 1] - Pr[A^R = 1]

We know that this is big. Want to show that Adv^prf_E(B) will then be big,
too. Let COLL be the event that two of A's queries collide under H_{K1}.

   Adv^prf_E(B)
    = Pr[B^{E_{K2}} = 1] - Pr[B^rho = 1]
    = Pr[A^{E_{K2}(H_{K1}(.))} = 1] - Pr[A^{rho(H_{K1}(.))} = 1]
    = Pr[A^{E_{K2}(H_{K1}(.))} = 1] - Pr[A^R = 1]
        + Pr[A^R = 1] - Pr[A^{rho(H_{K1}(.))} = 1]
    = \e + Pr[A^R = 1] - Pr[A^{rho(H_{K1}(.))} = 1]
    = \e + Pr[A^R = 1] - Pr[A^{rho(H_{K1}(.))} = 1 | !COLL] Pr[!COLL]
                       - Pr[A^{rho(H_{K1}(.))} = 1 | COLL] Pr[COLL]
   >= \e + Pr[A^R = 1] - Pr[A^{rho(H_{K1}(.))} = 1 | !COLL] - Pr[COLL]
    = \e - Pr[COLL]
   >= \e - (q choose 2) \delta
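As an added example (not from the lecture notes) of 1.5a-c, the following
code builds an \e-AU family by polynomial evaluation (the construction
listed under 1.6a), composes it with a fixed-domain PRF to get
F_{K1,K2}(M) = E_{K2}(H_{K1}(M)), and makes the (q choose 2)\delta loss in
the proposition concrete by finding keys under which two messages collide.
Assumptions for the example: the field is Z_P with the tiny prime P = 8191
so that the collision count can be computed exactly by trying every key (a
real instantiation uses a field of 2^128 elements or more); message blocks
are single bytes; the byte length is used as the constant coefficient; and
E is HMAC-SHA256 truncated to 8 bytes.

```python
# Added example (not from the lecture notes): polynomial-evaluation hash as
# an \e-AU family, composed with a fixed-domain PRF as in 1.5c.
import hashlib
import hmac
from math import comb

P = 8191        # prime field size; tiny on purpose so checks are exhaustive
N_BYTES = 2     # a field element fits in 2 bytes: the domain of E_{K2}


def poly_hash(k1: int, msg: bytes) -> int:
    """H_{K1}(M) = sum_i c_i * K1^i over Z_P with c_0 = |M| in bytes and
    c_i = i-th byte of M. Distinct messages (shorter than P bytes) give
    distinct coefficient vectors, so their difference polynomial is nonzero
    of degree <= max length ell and has at most ell roots: H is ell/P-AU."""
    coeffs = [len(msg) % P] + list(msg)
    acc = 0
    for c in reversed(coeffs):      # Horner evaluation of sum c_i * k1^i
        acc = (acc * k1 + c) % P
    return acc


def collision_keys(m1: bytes, m2: bytes) -> int:
    """Exact count of keys K1 in Z_P with H_{K1}(m1) == H_{K1}(m2). For
    distinct inputs this never exceeds max(len(m1), len(m2))."""
    return sum(poly_hash(k, m1) == poly_hash(k, m2) for k in range(P))


def colliding_key(m1: bytes, m2: bytes):
    """Return some K1 under which the two messages collide, or None."""
    for k in range(P):
        if poly_hash(k, m1) == poly_hash(k, m2):
            return k
    return None


def prf_E(k2: bytes, x: int) -> bytes:
    """E_{K2} on the fixed 2-byte domain: HMAC-SHA256 truncated to 8 bytes
    (an assumption for the example; any PRF with this domain will do)."""
    return hmac.new(k2, x.to_bytes(N_BYTES, "big"), hashlib.sha256).digest()[:8]


def vil_prf(k1: int, k2: bytes, msg: bytes) -> bytes:
    """F_{K1,K2}(M) = E_{K2}(H_{K1}(M)): a PRF on variable-length inputs."""
    return prf_E(k2, poly_hash(k1, msg))


def prf_bound(eps: float, q: int, ell: int) -> float:
    """The 1.5c lower bound \e' >= \e - (q choose 2) \delta on B's advantage
    against E, with \delta = ell/P for q queries of at most ell bytes."""
    return eps - comb(q, 2) * (ell / P)


if __name__ == "__main__":
    m1, m2 = b"ab", b"ba"
    k = colliding_key(m1, m2)
    print("keys colliding for", m1, m2, ":", collision_keys(m1, m2), "of", P)
    # Under a colliding K1 the composed PRF also collides: this is the event
    # that costs \delta per pair of queries in the proposition.
    print("F collides under K1 =", k, ":",
          vil_prf(k, b"k2", m1) == vil_prf(k, b"k2", m2))
    print("bound for eps=0.5, q=2, ell=2:", prf_bound(0.5, 2, 2))
```

For m1 = "ab" and m2 = "ba" the difference polynomial is K^2 - K, so exactly
the keys 0 and 1 collide: 2 out of 8191, matching the degree bound. Using
the byte length as c_0 is what keeps M and M||0 apart; without it, every key
would collide on that pair and the family would not be \e-AU for any \e < 1.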