EE817/IS893 Cryptography Engineering and Cryptocurrency, Yongdae Kim (PowerPoint PPT Presentation)
Definition
- A hash function is a function h with
  ▹ compression: h maps an input x of arbitrary finite bit length to an output h(x) of fixed bit length n.
  ▹ ease of computation: h(x) is easy to compute for given x and h
- preimage resistance = one-way
  ▹ for a given output, it is computationally infeasible to find any input which hashes to that output
- 2nd-preimage resistance = weak collision resistance
  ▹ it is computationally infeasible to find any second input which has the same output as any specified input
- collision resistance = strong collision resistance
  ▹ it is computationally infeasible to find any two distinct inputs x, x' which hash to the same output
Merkle-Damgard scheme
- The most popular and straightforward method for combining compression functions
Strengthened Merkle-Damgard
Collision resistance
- If the compression function is collision resistant, then the strengthened Merkle-Damgard hash function is also collision resistant
- Collision of the compression function: f(s, x) = f(s', x') but (s, x) ≠ (s', x')
Collision resistance
- If h(·,·) is collision resistant, and if H(M) = H(N), then len(M) should be len(N), and the last blocks should coincide
- And the penultimate blocks should agree, and the ones before the penultimate, too...
- So in fact M = N
Extension property
- For a Merkle-Damgard hash function, H(x, y) = h(H(x), y)
  ▹ Even if you don't know x, if you know H(x), you can compute H(x, y)
  ▹ H(x, y) and H(x) are related by the formula
  ▹ Would this be possible if H() was a random function?
Fixing Merkle-Damgard
- Merkle-Damgard: historically important, still relevant, but likely will not be used in the future (like in SHA-3)
- Clearly distinguishable from a random oracle
- How to fix it? Simple: do something completely different in the end
SMD
EMD
- IV1 ≠ IV2
MDP
- π: a permutation with few fixed points
  ▹ For example, π(x) = x ⊕ C for some C ≠ 0
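A worked example, added here and not part of the lecture: a toy strengthened Merkle-Damgard hash whose compression function f is built from SHA-256 (block and digest sizes and the constant C are this example's assumptions). It checks the identity H(x, y) = h(H(x), y) from the extension-property slide and shows that the MDP finalisation π(s) = s ⊕ C breaks it; the same identity is what makes the secret-prefix MAC on the later slides insecure.

```python
import hashlib

BLOCK = 64          # compression-function block size in bytes (toy assumption)
N = 32              # chaining value / digest size in bytes
IV = bytes(N)
C = b"\x5c" * N     # MDP constant: pi(s) = s XOR C with C != 0 (assumed value)

def f(s: bytes, block: bytes) -> bytes:
    """Toy compression function f: {0,1}^n x {0,1}^b -> {0,1}^n, built on SHA-256."""
    assert len(s) == N and len(block) == BLOCK
    return hashlib.sha256(s + block).digest()

def md_pad(length: int) -> bytes:
    """Strengthened MD padding: 0x80, zeros, then the message bit length in 8 bytes."""
    zeros = (BLOCK - 9 - length) % BLOCK
    return b"\x80" + b"\x00" * zeros + (length * 8).to_bytes(8, "big")

def md_hash(msg: bytes, pi=lambda s: s) -> bytes:
    """Merkle-Damgard iteration; pi is applied to the chaining value before the last block."""
    data = msg + md_pad(len(msg))
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    s = IV
    for i, b in enumerate(blocks):
        s = f(pi(s) if i == len(blocks) - 1 else s, b)
    return s

def mdp_hash(msg: bytes) -> bytes:
    """MDP: plain MD with pi(s) = s XOR C before the final compression."""
    return md_hash(msg, pi=lambda s: bytes(a ^ c for a, c in zip(s, C)))

def md_extend(digest: bytes, x_len: int, y: bytes) -> bytes:
    """H(x, y) = h(H(x), y): continue the chain from H(x) and len(x) without knowing x itself."""
    total = x_len + len(md_pad(x_len)) + len(y)     # length of x || pad(x) || y
    data = y + md_pad(total)
    s = digest
    for i in range(0, len(data), BLOCK):
        s = f(s, data[i:i + BLOCK])
    return s

def extension_holds(hash_fn, x: bytes, y: bytes) -> bool:
    """True if hash_fn(x || pad(x) || y) can be reached from hash_fn(x) alone."""
    full = x + md_pad(len(x)) + y
    return md_extend(hash_fn(x), len(x), y) == hash_fn(full)
```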
Hash chain
- h: cryptographically strong hash function
- H0 = x
- Hn = h(Hn-1) = h(h(h(...h(x))))
- Random mapping statistics
One time password
- Setup
  ▹ User generates H0, H1, ..., Hn.
  ▹ User → Server: Hn
  ▹ Server stores Hn as the user's public password.
- Authentication
  ▹ At time 0: User → Server: Hn-1
  ▹ Server verifies h(Hn-1) = Hn
  ▹ Server stores Hn-1 as the user's public password.
  ▹ At time 1: User → Server: Hn-2
  ▹ ...
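The one-time-password protocol above as an added example (not code from the slides), using a SHA-256 hash chain; the Server class and its step-down rule are this example's own assumptions. It also shows that a replayed value and an out-of-order value are both rejected, which the slides leave implicit.

```python
import hashlib
import secrets

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def make_chain(seed: bytes, n: int) -> list:
    """H0 = seed, Hi = h(H(i-1)); returns [H0, H1, ..., Hn]."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain

class Server:
    """Stores only the current public password H_i; never sees the seed H0."""
    def __init__(self, h_n: bytes):
        self.current = h_n

    def authenticate(self, candidate: bytes) -> bool:
        if h(candidate) != self.current:
            return False
        self.current = candidate   # accepted: move one step down the chain
        return True

def run_session(n: int = 5) -> dict:
    """Enrol with H_n, then log in with H_{n-1}, H_{n-2}, ...; replays and skips must fail."""
    chain = make_chain(secrets.token_bytes(32), n)     # constructed seed
    server = Server(chain[n])
    first_login = server.authenticate(chain[n - 1])
    replay = server.authenticate(chain[n - 1])          # h(H_{n-1}) = H_n != H_{n-1}
    second_login = server.authenticate(chain[n - 2])
    skipped = server.authenticate(chain[n - 4])         # h(H_{n-4}) = H_{n-3} != H_{n-2}
    return {"first": first_login, "replay": replay,
            "second": second_login, "skipped": skipped}
```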
Hash tree
[Figure: binary hash tree over blocks B1..B8; leaves H8..H15 are the hashes of B1..B8, internal nodes H4..H7 and H2..H3, root H1]
- Hi = h(H2i, H2i+1)
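Added example (not from the slides): the hash tree with the slide's indexing, Hi = h(H2i, H2i+1), leaves H8..H15 holding B1..B8 and root H1, plus a membership proof and its verification. The proof and verify functions are this example's addition, and h is assumed to be SHA-256 over the concatenated inputs.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def build_tree(blocks: list) -> list:
    """1-indexed array tree for 2^k blocks: H[n+j] = h(B_{j+1}), H[i] = h(H[2i], H[2i+1]), root H[1]."""
    n = len(blocks)
    assert n and n & (n - 1) == 0, "this toy tree needs a power-of-two block count"
    H = [None] * (2 * n)
    for j, b in enumerate(blocks):
        H[n + j] = h(b)
    for i in range(n - 1, 0, -1):
        H[i] = h(H[2 * i], H[2 * i + 1])
    return H

def proof(H: list, leaf_index: int) -> list:
    """Sibling hashes from leaf H[leaf_index] up to (not including) the root."""
    path, i = [], leaf_index
    while i > 1:
        path.append(H[i ^ 1])   # sibling of node i
        i //= 2
    return path

def verify(root: bytes, block: bytes, leaf_index: int, path: list) -> bool:
    """Recompute H1 from a block and its siblings; left/right order follows the index parity."""
    node, i = h(block), leaf_index
    for sibling in path:
        node = h(sibling, node) if i % 2 else h(node, sibling)
        i //= 2
    return node == root

# Constructed sample input: eight blocks B1..B8 as on the slide (leaves H8..H15).
BLOCKS = [b"B%d" % j for j in range(1, 9)]
TREE = build_tree(BLOCKS)
ROOT = TREE[1]
```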
MAC & AE
MAC
- Message Authentication Code
- 'keyed hash function' Hk(x)
  ▹ k: secret key, x: message of any length, Hk(x): fixed length (say, 128 bits)
  ▹ deterministic
- Purpose: to 'prove' to someone who has the secret key k that x is written by someone who also has the secret key k
How to use?
- A & B share a secret key k
- A sends the message x and the MAC M ← Hk(x)
- B receives x and M from A
- B recomputes Hk(x) on the received x
- B checks if M = Hk(x)
Attack scenario
- E may eavesdrop many communications (x, M) between A & B
- E then tries (possibly many times) to 'forge' (x', M') so that B accepts: M' = Hk(x')
- Question: what if E 'replays' an old transmission (x, M)? Is this a successful forgery?
Capabilities of attackers
- Known-text attack
  ▹ Simple eavesdropping
- Chosen-text attack
  ▹ Attacker influences Alice's messages
- Adaptive chosen-text attack
  ▹ Attacker adaptively influences Alice
Types of forgery
- Universal forgery: attacker can forge a MAC for any message
- Selective forgery: attacker can forge a MAC for a message chosen before the attack
- Existential forgery: attacker can forge some message x but in general cannot choose x as he wishes
Security of MAC
- Should be secure against an adaptively chosen-message existential forger
  ▹ Attacker may watch many pairs (x, Hk(x))
  ▹ May even try x of his choice
  ▹ May try many verification attempts (x, M)
  ▹ Still shouldn't be able to forge a new message at all
Two easy attacks
- Exhaustive key search
  ▹ Given one pair (x, M), try different keys until M = Hk(x)
  ▹ Lesson: key size should be large enough
- Pure guessing: try many different M with a fixed message x
  ▹ Lesson: MAC length should also be large
- Question: which one is more serious?
Random function as MAC
- Suppose A and B share a random function R(x), which assigns a random 128-bit value to its input x
- Even if E sees many messages of the form (x, R(x)), for a new y, R(y) can be any of 2^128 strings
- Successful forgery prob. ≤ 2^-128
Random function as MAC
- It is a perfect MAC, but the 'key size' is too large: how many functions of the form R: {0,1}^m → {0,1}^n? Answer: 2^(n·2^m)
- But there are keyed functions which are 'indistinguishable' from random functions: called PRFs (Pseudo Random Functions)
- Designing a secure PRF is a good way to design a secure MAC
Truncation of MAC
- Hk(x) is a secure MAC with 256-bit output
- H'k(x) = the first 128 bits of Hk(x)
- Question: is H'k(x) a secure MAC?
- Answer: not in general, but secure if Hk(x) is a secure PRF
Practical constructions
- Block cipher based MACs
  ▹ CBC-MAC
  ▹ CMAC
- Hash function based MACs
  ▹ secret prefix, secret suffix, envelope
  ▹ HMAC
CBC-MAC
- CBC, with some fixed IV. Last 'ciphertext' is the MAC
- Block ciphers are already PRFs. CBC-MAC is just a way to combine them
- Secure as PRF, if message length is fixed
- Completely insecure if the length is variable!!!
- 'Extension property' once more!
- How to fix it?
  ▹ Again, do something different at the end to break the chain
Modification 1
  ▹ Use a different key at the end
  ▹ Good: this solves the problem
  ▹ Bad: switching the block cipher key is bad
Modification 2
  ▹ XORing a different key at the input is indistinguishable from switching the block cipher key
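Added example (not the lecture's code): CBC-MAC over a toy block PRF built from SHA-256, an assumption standing in for a real block cipher. chain_continues checks the chaining identity the slides call the extension property (the tag of x is exactly the chaining value reached when MACing x || y) and shows that XORing a second key k2 into the last block input, Modification 2 above, breaks that identity.

```python
import hashlib

BS = 16  # block size in bytes (toy assumption)

def E(k: bytes, block: bytes) -> bytes:
    """Toy block PRF in place of a block cipher: E_k(b) = SHA-256(k || b) cut to one block."""
    assert len(block) == BS
    return hashlib.sha256(k + block).digest()[:BS]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_mac(k: bytes, msg: bytes, iv: bytes = bytes(BS), k2: bytes = None) -> bytes:
    """CBC-MAC with a fixed IV; the last 'ciphertext' block is the tag.
    If k2 is given it is XORed into the input of the last block (Modification 2)."""
    assert msg and len(msg) % BS == 0, "toy version: whole blocks only"
    blocks = [msg[i:i + BS] for i in range(0, len(msg), BS)]
    s = iv
    for i, b in enumerate(blocks):
        inp = xor(s, b)
        if k2 is not None and i == len(blocks) - 1:
            inp = xor(inp, k2)
        s = E(k, inp)
    return s

def chain_continues(k: bytes, x: bytes, y: bytes, k2: bytes = None) -> bool:
    """Does MAC(x || y) equal MAC(y) computed with IV = MAC(x)?
    True for plain CBC-MAC; False once the last block is keyed differently, because
    MAC(x) is then not the chaining value at that position of the longer message."""
    tag_x = cbc_mac(k, x, k2=k2)
    return cbc_mac(k, x + y, k2=k2) == cbc_mac(k, y, iv=tag_x, k2=k2)
```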
CMAC
- NIST standard (2005)
- Solves two shortcomings of CBC-MAC
  ▹ variable length support
  ▹ message length doesn't have to be a multiple of the block cipher size
Some hash-based MACs
- Secret prefix method: Hk(x) = H(k, x)
- Secret suffix method: Hk(x) = H(x, k)
- Envelope method with padding: Hk(x) = H(k, p, x, k)
Secret prefix method
- Secret prefix method: Hk(x) = H(k, x)
  ▹ Secure if H is a random function
  ▹ Insecure if H is a Merkle-Damgard hash function
    » Hk(x, y) = h(H(k, x), y) = h(Hk(x), y)
Secret suffix method
- Secret suffix method: Hk(x) = H(x, k)
  ▹ Much more secure than secret prefix, even if H is Merkle-Damgard
  ▹ An attack of complexity 2^(n/2) exists:
    » Assume that H is Merkle-Damgard
    » Find a hash collision H(x) = H(y)
    » Hk(x) = h(H(x), k) = h(H(y), k) = Hk(y)
    » off-line!
Envelope method
- Envelope method with padding: Hk(x) = H(k, p, x, k)
  ▹ For some padding p to make k||p at least one block
- Prevents both attacks
HMAC
- NIST standard (2002)
- HMACk(x) = H(K ⊕ opad || H(K ⊕ ipad || x))
- Proven secure as PRF, if the compression function h of H satisfies some properties
[Figure: HMAC from the compression function F: the inner hash starts from IV with the block K ⊕ ipad (key KI) followed by the message blocks M1..Mt; the outer hash starts from IV with the block K ⊕ opad (key KO) followed by the inner result]
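Added example, not from the slides: HMAC-SHA256 written directly from the formula above and cross-checked against Python's hmac module. Padding the key to the block size of H and hashing an over-long key first follow the standard; the function names are this example's own.

```python
import hashlib
import hmac

def hmac_from_formula(key: bytes, msg: bytes, hash_fn=hashlib.sha256) -> bytes:
    """HMAC_k(x) = H((K xor opad) || H((K xor ipad) || x)).
    K is the key padded with zeros to the block size of H; a longer key is hashed first."""
    block = hash_fn().block_size          # 64 bytes for SHA-256
    if len(key) > block:
        key = hash_fn(key).digest()
    K = key.ljust(block, b"\x00")
    k_ipad = bytes(b ^ 0x36 for b in K)   # K xor ipad
    k_opad = bytes(b ^ 0x5c for b in K)   # K xor opad
    inner = hash_fn(k_ipad + msg).digest()
    return hash_fn(k_opad + inner).digest()

def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the formula against the standard library's HMAC-SHA256."""
    return hmac.compare_digest(hmac_from_formula(key, msg),
                               hmac.new(key, msg, hashlib.sha256).digest())

def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_from_formula(key, msg), tag)
```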
MAC vs Signature
- secret key vs. public key
- private verification vs. public verification
- MAC doesn't provide non-repudiation
  ▹ Bob claims that Alice sent (x, M), showing that M = Hk(x). Who else can write this message?
Confidentiality & integrity
- Two symmetric key primitives
  ▹ Encryption scheme: protects confidentiality
  ▹ MAC: protects integrity
- Usually, what we want is to protect both
Encryption not enough?
- 'It's encrypted so nobody can alter it!'
- C = Ek(P)
- If any string is a valid ciphertext (e.g., a block cipher), modifying C to C' will alter your P (to P', perhaps garbage)
  ▹ Question: is this a problem?
Giving redundancy
- Solution: not all strings are valid ciphertext
  ▹ Format plaintext with some redundancy
  ▹ Only correctly formatted plaintext is to be accepted
  ▹ Example: C = Ek(P||P), or C = Ek(P||H(P))
  ▹ Be careful: what if Ek() is a stream cipher?
Generic composition
- Instead of using an ad-hoc method,
- Combine a secure encryption scheme (say, CBC, CTR) and a secure MAC (say, CMAC, HMAC)
  ▹ Two keys are needed
  ▹ How to combine the two?
  ▹ 'Generic' here means 'black-box'
- MAC-and-Encrypt: Eke(P) || Mkm(P)
- MAC-then-Encrypt: Eke(P || Mkm(P))
- Encrypt-then-MAC: Eke(P) || Mkm(Eke(P))
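Added example (not the lecture's code) for the 'Encryption not enough?' and generic-composition slides: Encrypt-then-MAC with two keys, a toy CTR keystream derived from SHA-256 (an assumption in place of a block cipher) and HMAC-SHA256 as the MAC. flip_demo shows why a stream cipher alone gives no integrity, a bit flip in the ciphertext changes the plaintext predictably, and that the receiver's MAC check rejects the altered message before decrypting it.

```python
import hashlib
import hmac
import secrets

def keystream(ke: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR keystream: block i = SHA-256(ke || nonce || i); stands in for a block cipher."""
    out = b""
    for i in range((length + 31) // 32):
        out += hashlib.sha256(ke + nonce + i.to_bytes(4, "big")).digest()
    return out[:length]

def ctr_encrypt(ke: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode: XOR with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(ke, nonce, len(data))))

def seal(ke: bytes, km: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: C = E_ke(P), tag = M_km(nonce || C); output nonce || C || tag."""
    nonce = secrets.token_bytes(16)
    c = ctr_encrypt(ke, nonce, plaintext)
    tag = hmac.new(km, nonce + c, hashlib.sha256).digest()
    return nonce + c + tag

def unseal(ke: bytes, km: bytes, sealed: bytes):
    """Check the tag over the ciphertext first; return None on any tampering."""
    if len(sealed) < 16 + 32:
        return None
    nonce, c, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    expected = hmac.new(km, nonce + c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return ctr_encrypt(ke, nonce, c)

def flip_demo(ke: bytes, km: bytes) -> tuple:
    """Constructed plaintext; returns (what a MAC-less receiver decrypts, what unseal returns)."""
    p = b"PAY 100 TO ALICE"
    nonce = secrets.token_bytes(16)
    c = bytearray(ctr_encrypt(ke, nonce, p))
    c[4] ^= ord("1") ^ ord("9")                 # flips plaintext byte 4 from '1' to '9'
    altered = ctr_encrypt(ke, nonce, bytes(c))  # encryption alone does not notice
    sealed = bytearray(seal(ke, km, p))
    sealed[16 + 4] ^= ord("1") ^ ord("9")       # same change inside the sealed message
    return altered, unseal(ke, km, bytes(sealed))
```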
Questions?
- Yongdae Kim
  ▹ email: yongdaek@kaist.ac.kr
  ▹ Home: http://syssec.kaist.ac.kr/~yongdaek
  ▹ Facebook: https://www.facebook.com/y0ngdaek
  ▹ Twitter: https://twitter.com/yongdaek
  ▹ Google "Yongdae Kim"