--------------------------------------------------------------------------
CSE 227 - Lecture 8 - November 19, 2001
--------------------------------------------------------------------------

Announcements

- Last time: introduced MACs

Today:
  o MACs, lecture 3.
  o Authenticated encryption
  o Turbo number-theory

1. Message authentication codes
   1.1 Review definition of MAC and \e-AU hash function
       Give a different viewpoint to the AU definition
   1.2 Finish/correct proof that F'(M) = E_K(H_K'(M)) is a good PRF
   1.3 Constructions of \e-AU hash functions
       a. Polynomial evaluation
       b. NH construction and UMAC
       c. XORMAC construction
       d. CBCMAC construction, and XCBC optimization
   1.4 SHA1
   1.5 HMAC
2. Definition of an authenticated-encryption scheme
   2.1 Generic-composition paradigm
   2.2 OCB

--------------------------------------------------------------------------

1. MESSAGE AUTHENTICATION CODES, cont.

1.1 Review

Define Adv^mac_Pi(A) = Pr[A^{MAC_K} forges]

H = {H_K : D -> R} is \e-AU if for all distinct M, M' in D,
    Pr_K[H_K(M) = H_K(M')] <= \e.

Different viewpoint, as a game between the adversary and the key:

    ask adversary for M
    ask adversary for M'
  * K <- \K; tell adversary K
  ------------------------------------
  Adversary wins if H_K(M) = H_K(M'), M \ne M'.

Adv^univ(A) = Pr[M, M' <- A; K <- \K : M \ne M' and H_K(M) = H_K(M')]
Adv^univ(t, mu) = max {...}

................................

Variants:

Collision-intractable hash function:
  * K <- \K; tell adversary K
    ask adversary for M
    ask adversary for M'
  ------------------------------------
  Adversary wins if H_K(M) = H_K(M')
  Adv^coll(A)

................................

"Target-collision intractable" (TCR), "weakly collision-intractable":
    ask adversary for M
  * K <- \K; tell adversary K
    ask adversary for M'
  ------------------------------------
  Adversary wins if H_K(M) = H_K(M')

These two variants NEED a complexity-theoretic assumption, but AU doesn't:
in the AU game both messages are fixed before the key is drawn, so the
collision probability is a purely information-theoretic quantity.

................................
1.2 Finish/correct proof that F'(M) = E_K(H_K'(M)) is a good PRF

Given
   H: \K1 x D -> {0,1}^n          a universal hash function
   E: \K2 x {0,1}^n -> {0,1}^n    a PRF
Define
   F_{K1,K2}(M) = E_{K2}(H_{K1}(M))
Claim that this is a good PRF.

------------

Proposition: Let H: D -> {0,1}^n be \delta-AU, and let E: {0,1}^n -> {0,1}^n
be a PRF. Suppose A attacks F = E[H] in time t, asking q queries, these
totaling mu bits, achieving advantage \e = Adv^prf_{E[H]}(A). Then there is
an adversary B that attacks E in time t', asks q' queries, and achieves
advantage \e', where
   t'  = t + TimeHKey(K1) + TimeHcompute(mu)
   q'  = q
   \e' >= \e - (q choose 2) \delta

---------

A^f has oracle f; B^g has oracle g. Construct B^g as follows:
   K1 <- \K1
   Run A. When A makes an oracle query M, compute m = H_{K1}(M),
     call the oracle to get g(m), and return this to A.
   When A halts, outputting some bit b, return b.

Adv^prf(A) = \e = Pr[A^{E_{K2}(H_{K1}(.))} = 1] - Pr[A^R = 1]
and we know that this is big. Want to show that Adv^prf(B) will then be
big, too. Here rho is a random function {0,1}^n -> {0,1}^n, R is a random
function D -> {0,1}^n, and COLL is the event that two of A's distinct
queries collide under H_{K1}.

Adv^prf(B)
  = Pr[B^{E_K} = 1] - Pr[B^rho = 1]
  = Pr[A^{E_{K2}(H_{K1}(.))} = 1] - Pr[A^{rho(H_{K1}(.))} = 1]
  = Pr[A^{E_{K2}(H_{K1}(.))} = 1] - Pr[A^R = 1]
      + Pr[A^R = 1] - Pr[A^{rho(H_{K1}(.))} = 1]
  = Adv^prf(A) + Pr[A^R = 1] - Pr[A^{rho(H_{K1}(.))} = 1]
  = \e + Pr[A^R = 1] - Pr[A^{rho(H_{K1}(.))} = 1 | !COLL] Pr[!COLL]
                     - Pr[A^{rho(H_{K1}(.))} = 1 | COLL] Pr[COLL]
 >= \e + Pr[A^R = 1] - Pr[A^{rho(H_{K1}(.))} = 1 | !COLL] - Pr[COLL]
  = \e - Pr[COLL]
        (given no collision, rho(H_{K1}(.)) answers A's queries with
         independent uniform strings, exactly as R does, so the two
         terms cancel)
 >= \e - (q choose 2) \delta
        (union bound over the (q choose 2) pairs of queries, each of
         which collides with probability at most \delta)

---------------------------------------------------------------------------

1.3 Constructions of \e-AU hash functions

Lots of constructions known.

a. Polynomial evaluation

Think of M = M[m-1] ... M[1] M[0], the message we want to hash, as m
n-bit strings (where n = 128, say). Think of K as a random n-bit string.
Form the polynomial
   M(x) = x^m + M[m-1] x^{m-1} + M[m-2] x^{m-2} + ... + M[1] x + M[0]
Now evaluate this polynomial, over GF(2^n), at K. That is the hash:
   H_K(M) = M(K)   (in GF(2^n)).

If M and M' are distinct, each of m or fewer blocks, what is
   Pr_K[H_K(M) = H_K(M')] ??
   = Pr[M(K) = M'(K)]   for distinct polynomials M, M' of degree at most m

Fundamental theorem of algebra: if two polynomials of degree d agree on d+1
points, then they are identical (a degree-d polynomial is determined by d+1
points). So M(x) and M'(x) can agree on at most m out of the 2^n points, so
if a random point K is chosen,
   Pr[M(K) = M'(K)] <= m / 2^n.

Lots of other such constructions.

b. NH construction and UMAC   OMIT
---------------------------
Let M = M[1] ... M[2m] where each M[i] is 16 bits.
Let K = K[1] ... K[2m] where each K[i] is 16 bits.
To hash M using K:
     (M[1]    +16 K[1])    *32 (M[2]  +16 K[2])
 +32 (M[3]    +16 K[3])    *32 (M[4]  +16 K[4])
 +32 ...
 +32 (M[2m-1] +16 K[2m-1]) *32 (M[2m] +16 K[2m])
where +16 is addition mod 2^16, *32 multiplies the two 16-bit sums to a
32-bit product, and +32 is addition mod 2^32.

Explain a little bit about UMAC.

c. XORMAC construction
----------------------
Let rho be a random function from n bits to n bits (n even).
Let M = M[1] ... M[m] where each M[i] is n/2 bits and m < 2^{n/2}.
Define
   H_rho(M) = rho([1] M[1]) xor rho([2] M[2]) xor ... xor rho([m] M[m])
where [i] is the n/2-bit encoding of the block index i.

Claim: If M \ne M' are messages (each having fewer than 2^{n/2} n/2-bit
blocks) then Pr[H_rho(M) = H_rho(M')] = 2^{-n}.

Proof.
Case 1: one message has more blocks than the other, say
   M  = M[1]  M[2]  M[3]  M[4]  M[5]
   M' = M'[1] M'[2] M'[3]
Then Pr[H_rho(M) = H_rho(M')] = Pr[rho([5] M[5]) = something], where
"something" is the xor of all the remaining terms and is independent of
rho([5] M[5]). Since rho([5] M[5]) is a uniform n-bit string, this is
2^{-n}.

Case 2: same number of blocks, and some M[i] \ne M'[i]. Then
Pr[H_rho(M) = H_rho(M')] = Pr[rho([i] M[i]) = something], where
"something" is independent of rho([i] M[i]) (the point [i] M'[i] is a
different input to rho, and so are all the other points). So 2^{-n}.

d. CBCMAC construction
----------------------
Explain that the raw CBC MAC is a good universal hash function.

Lemma [Black, Rogaway]. Let M and M' be distinct messages of m and m'
n-bit blocks. Then
   Pr[pi <-$ Perm(n) : CBCMAC_pi(M) = CBCMAC_pi(M')] <= (m + m')^2 / 2^n.

Thus we get a good MAC by E_{K1}(CBCMAC_{K2}(M)). First analyzed by
Petrank and Rackoff.

A nicer variant of this was suggested by Black and Rogaway (XCBC). It
extends the domain to {0,1}^* and avoids rekeying.
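The polynomial-evaluation hash of 1.3a, as an added example (not from the lecture notes): the hash is implemented over GF(2^k) for any k, and with a small k the collision probability for a pair of messages is computed exactly by trying every key, which lets the m/2^n bound be checked directly. The field moduli are constructed choices; any irreducible degree-k polynomial works.

```python
# Added example, not from the lecture notes: the polynomial-evaluation
# \e-AU hash of section 1.3a over GF(2^k).  Small k lets us count, over
# every key, how often two distinct messages collide and compare that to
# the m/2^k bound.  Moduli are constructed choices (any irreducible works).
MOD8 = 0x11B                         # x^8 + x^4 + x^3 + x + 1   (k = 8)
MOD128 = (1 << 128) | 0x87           # x^128 + x^7 + x^2 + x + 1 (k = 128)

def gf_mul(a, b, k, modulus):
    """Multiply a and b in GF(2^k); elements are ints whose bits are
    polynomial coefficients, reduced modulo the irreducible polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> k:                   # degree reached k: reduce once
            a ^= modulus
    return r

def poly_hash(key, blocks, k, modulus):
    """H_K(M) = K^m + M[m-1] K^(m-1) + ... + M[1] K + M[0] in GF(2^k),
    evaluated by Horner's rule.  blocks = [M[0], ..., M[m-1]], ints < 2^k.
    The monic x^m term keeps messages of different lengths distinct."""
    acc = 1
    for blk in reversed(blocks):
        acc = gf_mul(acc, key, k, modulus) ^ blk
    return acc

def collision_count(m1, m2, k, modulus):
    """Number of keys K in GF(2^k) with H_K(M1) == H_K(M2): the roots of
    the nonzero difference polynomial, so at most max(len(M1), len(M2))."""
    return sum(1 for key in range(1 << k)
               if poly_hash(key, m1, k, modulus) == poly_hash(key, m2, k, modulus))

def collision_prob(m1, m2, k, modulus):
    """Pr_K[H_K(M1) = H_K(M2)] over a uniformly random key."""
    return collision_count(m1, m2, k, modulus) / (1 << k)

if __name__ == "__main__":
    # constructed sample messages over GF(2^8)
    m1, m2 = [1, 2, 3], [1, 2]       # M1(x) - M2(x) = x^3 + 2x^2 = x^2 (x + 2)
    print(collision_count(m1, m2, 8, MOD8), "collisions, bound", max(len(m1), len(m2)))
    # the real thing uses k = 128 with 16-byte blocks
    print(hex(poly_hash(0x0123456789abcdef0123456789abcdef, [0xdead, 0xbeef], 128, MOD128)))
```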
   MAC_{K1 K2 K3}(M):
   Draw picture for a 3-block message:
     Left side:  M[3] full,    xor the last block with K2
     Right side: M[3] partial, xor the last block with K3

   Explain as a sequence of optimizations:
     - Realize with permutations.
     - Collapse the last two as a single permutation.
     - General lemma that pi, pi(K xor .) looks like pi_1, pi_2: if you
       ask q queries, you can't distinguish better than q^2/2^n.

1.7 SHA1

Go through the spec. SHA1(M):
  1. Pad M by appending a 1 bit, then 0-bits, then the length of M encoded
     in 64 bits (so the total is a multiple of 512 bits).
  2. H_0 H_1 H_2 H_3 H_4 = constants
  3. Do the Merkle-Damgard iteration over the compression function:

                 M[1]          M[2]
                  |             |
                -----         -----
       CONST -->|sha1|------->|sha1|-------> ... -------> SHA1(M)
                -----         -----

Compression function sha1(H_0 H_1 H_2 H_3 H_4, W_0 W_1 ... W_15):
  1. for i = 16 to 79 do
        W_i = (W_{i-3} xor W_{i-8} xor W_{i-14} xor W_{i-16}) <<< 1
  2. A B C D E = H_0 H_1 H_2 H_3 H_4
  3. for t = 0 to 79 do
        TEMP = A<<<5 + f_t(B,C,D) + E + W_t + CONST_t
        E = D; D = C; C = B<<<30; B = A; A = TEMP
  4. return A + H_0 || B + H_1 || C + H_2 || D + H_3 || E + H_4
  (additions are mod 2^32; f_t and CONST_t change every 20 rounds)

1.8 HMAC

   HMAC_K(M) = SHA1( K0* xor C2 || SHA1( K0* xor C1 || M ) )

Explain as F_{K1}(H_{K2}(M)):
   H ---- collision-intractable hash function
   F ---- PRF

2. AUTHENTICATED ENCRYPTION
---------------------------

2.1 Achieving both privacy and authenticity:
      encrypt-and-mac
      encrypt-then-mac
      mac-then-encrypt
2.2 What is "authenticity of ciphertexts"? Define it, for nonce-using schemes.
2.3 Claim that mac-then-encrypt achieves it.
2.4 Show OCB, and explain it, as an example of a more wholly "combined"
    authenticated-encryption scheme.
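Returning to 1.7 and 1.8: an added example (not from the lecture notes) implementing SHA1 exactly as the spec above reads (padding, Merkle-Damgard iteration, 80-round compression with the message schedule) and HMAC on top of it, cross-checked against Python's hashlib and hmac modules. It assumes the standard 64-byte block, K0* = K zero-padded to 64 bytes (hashed first if longer), C1 = 0x36 repeated (ipad) and C2 = 0x5c repeated (opad).

```python
# Added example, not from the lecture notes: SHA1 from the spec in 1.7 and
# HMAC from 1.8, checked against hashlib/hmac.  Assumes a 64-byte block and
# K0* = K padded with zeros to 64 bytes, C1 = ipad (0x36), C2 = opad (0x5c).
import hashlib, hmac, struct

MASK = 0xFFFFFFFF
IV = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def sha1_compress(h, block):
    """sha1(H_0..H_4, W_0..W_15): one 64-byte block -> new chaining value."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):                        # message schedule, step 1
        w.append(rotl(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1))
    a, b, c, d, e = h                              # step 2
    for t in range(80):                            # step 3
        if t < 20:   f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40: f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60: f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:        f, k = b ^ c ^ d, 0xCA62C1D6
        temp = (rotl(a, 5) + f + e + w[t] + k) & MASK
        a, b, c, d, e = temp, a, rotl(b, 30), c, d
    return [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]   # step 4

def sha1(msg):
    """Pad (1 bit, zeros, 64-bit length), then Merkle-Damgard iterate."""
    padded = (msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
              + struct.pack(">Q", 8 * len(msg)))
    h = IV
    for off in range(0, len(padded), 64):
        h = sha1_compress(h, padded[off:off + 64])
    return struct.pack(">5I", *h)

def hmac_sha1(key, msg):
    """HMAC_K(M) = SHA1(K0* xor opad || SHA1(K0* xor ipad || M))."""
    if len(key) > 64:
        key = sha1(key)
    k0 = key.ljust(64, b"\x00")
    ipad = bytes(x ^ 0x36 for x in k0)
    opad = bytes(x ^ 0x5C for x in k0)
    return sha1(opad + sha1(ipad + msg))

def check_against_stdlib(key, msg):
    """True if both functions agree with the standard library on this input."""
    return (sha1(msg) == hashlib.sha1(msg).digest() and
            hmac_sha1(key, msg) == hmac.new(key, msg, hashlib.sha1).digest())
```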