exact security analysis of hash then mask type
play

Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC - PowerPoint PPT Presentation

Dec 03, 2023 •43 likes •463 views

Message Authentication Code HtM Construction Contributions Conclusion Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions Avijit Dutta and Ashwin Jha and Mridul Nandi Indian Statistical Institute, Kolkata 27th

  1. Message Authentication Code HtM Construction Contributions Conclusion Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions Avijit Dutta and Ashwin Jha and Mridul Nandi Indian Statistical Institute, Kolkata 27th September, 2016 A.Dutta Exact Security Analysis of HtM Construction

  2. Message Authentication Code HtM Construction Contributions Conclusion Outline of the talk 1 Message Authentication Code. 2 HtM Construction. 3 Contributions. 4 Conclusion A.Dutta Exact Security Analysis of HtM Construction

  3. Message Authentication Code HtM Construction Contributions Conclusion MAC (Stateless and Deterministic): The Popular Story 1 Alice and Bob share a secret key K . A.Dutta Exact Security Analysis of HtM Construction

  4. Message Authentication Code HtM Construction Contributions Conclusion MAC (Stateless and Deterministic): The Popular Story 1 Alice and Bob share a secret key K . 2 Alice sends a message M with a tag T = MAC K ( M ) corresponding to the message M to Bob. A.Dutta Exact Security Analysis of HtM Construction

  5. Message Authentication Code HtM Construction Contributions Conclusion MAC (Stateless and Deterministic): The Popular Story 1 Alice and Bob share a secret key K . 2 Alice sends a message M with a tag T = MAC K ( M ) corresponding to the message M to Bob. 3 Data Integrity: Bob verifies the sender and the message by computing VER K ( M , T ) = 1. A.Dutta Exact Security Analysis of HtM Construction

  6. Message Authentication Code HtM Construction Contributions Conclusion MAC (Stateless and Deterministic): The Popular Story 1 Alice and Bob share a secret key K . 2 Alice sends a message M with a tag T = MAC K ( M ) corresponding to the message M to Bob. 3 Data Integrity: Bob verifies the sender and the message by computing VER K ( M , T ) = 1. Unforgeability Adversary asks for tags for queries of his choice. Goal is to generate any fresh, valid (message, tag) pair. Security Requirement: It should be HARD A.Dutta Exact Security Analysis of HtM Construction

  7. Message Authentication Code HtM Construction Contributions Conclusion MAC (Stateful or Probabilistic): The Popular Story • Alice sends a message M , an auxiliary variable IV with a tag T = MAC K ( M , IV ) corresponding to the message M and IV to Bob. • Data Integrity: Bob verifies the sender and the message by computing VER K ( M , IV , T ) = 1. Stateful MAC : When IV is a counter / nonce. (e.g XMACC, PCS) Probabilistic MAC : When IV is random. (e.g XMACR, EHtM) Unforgeability Adversary asks for T for queries M (Signing Query). Adversary asks fresh ( M , IV , T ) triplet and obtains 1 or 0. Succeed if the response is 1 (Verification Query). Security: Should be HARD to obtain response 1 A.Dutta Exact Security Analysis of HtM Construction

  8. Message Authentication Code HtM Construction Contributions Conclusion Pseudo Random Function (PRF) PRF Keyed function which is indistinguishable from a Random Function (RF) Indistinguishability Responses of adversary queries are given either using the function or a RF. Goal is to distinguish the function from a RF. Security Requirement: It should be HARD A.Dutta Exact Security Analysis of HtM Construction

  9. Message Authentication Code HtM Construction Contributions Conclusion Universal and AXU-Hash Universal Hash H is a n bit Universal Hash, if for all distinct values, the collision probability of H is negligible. Almost-XOR-Universal Hash H is a n bit AXU Hash, if for all distinct values x , x ′ and for all y , Pr[ H ( x ) ⊕ H ( x ′ ) = y ] is negligible. A.Dutta Exact Security Analysis of HtM Construction

  10. Message Authentication Code HtM Construction Contributions Conclusion Existing Result on Probablistic MAC Candidate Construction Rand Eff. Bound O ( q 2 XMACR[BGR’95] ( r , H ( m ) ⊕ f ( r )) n 1 H xu , 1 F [ n , n ] 2 n + q v ǫ ) O ( q 3 MACRX 3 [BGK’99] ( r 1 , r 2 , r 3 , 3 n 1 H xu , 3 F [ n , n ] 2 3 n + q v ǫ ) 3 � f ( r i ) ⊕ H ( m )) i =1 O ( ℓ ( q + q v ) ( r , f r RMAC[JJV’02] 2 (CBC f 1 ( m )) ( ℓ + 1) P [ n ] ) n 2 n FRMAC[JJ’04] ( r , π r ( H ( m ))) 1 H u , 1 P [ n , n ] O ( ℓ ( q + q v ) ǫ ) n O ( q 2 ǫ RWMAC[M’10] ( r , g ( r , H ( m ))) n 1 H u , 1 F [2 n , n ] 2 n + q v ǫ ) O ( q 3 ǫ EHtM[M’10] ( r , f ( r ) ⊕ g ( r ⊕ H ( m )) n 1 H xu , 2 F [ n , n ] 2 n + q v ǫ ) A.Dutta Exact Security Analysis of HtM Construction

  11. Message Authentication Code HtM Construction Contributions Conclusion HtM: Probabilistic MAC r m – n – n r m r m – n – n – n – n g g f f f – n – n – n – n – n t t t – – – n n n C1 : t := f ( r ) ⊕ m C3 : t := f ( r ) ⊕ g ( m ) C5 : t := f ( r ) ⊕ g ( r ⊕ m ) r m – ℓ – n r m – ℓ – n H – n H r m – ℓ – n – n g g f H f f – n – n – n – n – n – n t t t – – – n n n C2 : t := f ( r ) ⊕ H ( m ) C4 : t := f ( r ) ⊕ g ( H ( m )) C6 : t := f ( r ) ⊕ g ( r ⊕ H ( m )) A.Dutta Exact Security Analysis of HtM Construction

  12. Message Authentication Code HtM Construction Attack Idea Contributions Proof Idea Conclusion Our Contribution 1. Tight PRF, pPRF and MAC Security Analysis of Different Types of HtM Constructions. 2. An Impossibility Result on Probabilistic MAC: Unlike deterministic MAC, in probabilistic MAC, there is no such ideal system, indistinguishable to which, ensures forging advantage. C1 C2 C3 C4 C5 C6 Θ(2 n / 2 ) PRF X X X X X n n n n 3 n 3 n 2 ) 2 ) 2 ) 2 ) 4 ) 4 ) pPRF Θ(2 Θ(2 Θ(2 Θ(2 Θ(2 Θ(2 n n n 2 n 3 n 2 ) 2 ) 2 ) 3 ) 4 ) MAC X Θ(2 Θ(2 Θ(2 Θ(2 Θ(2 A.Dutta Exact Security Analysis of HtM Construction

  13. Message Authentication Code HtM Construction Attack Idea Contributions Proof Idea Conclusion PRF Attack Idea of C1,C2,C3,C4 ( r 1 , y 1 ) ( r 1 , y 2 ) ( r 2 , y 1 ) ( r 2 , y 2 ) SUM f , g ( r , y ) = f ( r ) ⊕ g ( y ) A.Dutta Exact Security Analysis of HtM Construction

  14. Message Authentication Code HtM Construction Attack Idea Contributions Proof Idea Conclusion PRF Attack Idea of C1,C2,C3,C4 ( r 1 , y 1 ) ( r 1 , y 2 ) ( r 2 , y 1 ) ( r 2 , y 2 ) SUM f , g ( r , y ) = f ( r ) ⊕ g ( y ) Alternating Cycle (Alt-Cycle) 4 SUM C • For an Alt-Cycle C , � f , g ( r i , y i ) = 0 (distinguishing event) i =1 • For C1, C2 : g is identity function. • For C1, C3 : y is m ; For C2, C4 : y is H ( m ); For C5 : y is r + m A.Dutta Exact Security Analysis of HtM Construction

  15. Message Authentication Code HtM Construction Attack Idea Contributions Proof Idea Conclusion PRF Attack Idea of C5 and C6 Attack Algorithm C5 : f ( r ) ⊕ g ( r ⊕ m ) • Choose ( r 1 , m 1 ) , ( r 2 , m 2 ) s.t r 1 + m 1 = r 2 + m 2 • Query Phase : t 1 ← ( r 1 , m 1 ) , t 2 ← ( r 2 , m 2 ) , t 3 ← ( r 1 , m 2 ) , t 4 ← ( r 2 , m 1 ) 4 • Distinguishing Event : If � t i = 0, return 1. i =1 A.Dutta Exact Security Analysis of HtM Construction

  16. Message Authentication Code HtM Construction Attack Idea Contributions Proof Idea Conclusion PRF Attack Idea of C5 and C6 Attack Algorithm C5 : f ( r ) ⊕ g ( r ⊕ m ) • Choose ( r 1 , m 1 ) , ( r 2 , m 2 ) s.t r 1 + m 1 = r 2 + m 2 • Query Phase : t 1 ← ( r 1 , m 1 ) , t 2 ← ( r 2 , m 2 ) , t 3 ← ( r 1 , m 2 ) , t 4 ← ( r 2 , m 1 ) 4 • Distinguishing Event : If � t i = 0, return 1. i =1 Attack Algorithm C6 : f ( r ) ⊕ g ( r ⊕ H ( m )) • Query Phase : t 1 ← ( r , m 1 ) , t 2 ← ( r , m 2 ) , . . . , t 2 n / 2 ← ( r , m 2 n / 2 ) • If H ( m i ) = H ( m j ), query t ′ i ← ( r ′ , m i ) , t ′ j ← ( r ′ , m j ), output 1 if t ′ i = t ′ j • Else, collision in g . A.Dutta Exact Security Analysis of HtM Construction

  17. Message Authentication Code HtM Construction Attack Idea Contributions Proof Idea Conclusion Probabilistic PRF (pPRF) Definition and Security Game Keyed function that takes two inputs ( r , M ) is indistinguishable from RF Adversary can only query the oracle with M . Goal is to distinguish the function from a RF; secure if it is hard A.Dutta Exact Security Analysis of HtM Construction

  18. Message Authentication Code HtM Construction Attack Idea Contributions Proof Idea Conclusion Probabilistic PRF (pPRF) Definition and Security Game Keyed function that takes two inputs ( r , M ) is indistinguishable from RF Adversary can only query the oracle with M . Goal is to distinguish the function from a RF; secure if it is hard pPRF Attack Algorithm of C1 : f ( r ) ⊕ m • Query Phase : t 1 ← m 1 , t 2 ← m 1 , . . . , t 2 n / 2 ← m 1 • W.h.p ∃ i , j ∈ { 1 , 2 , . . . , 2 n / 2 } s.t r i = r j • If t i = t j , return 1. A.Dutta Exact Security Analysis of HtM Construction

  19. Message Authentication Code HtM Construction Attack Idea Contributions Proof Idea Conclusion Probabilistic PRF (pPRF) Definition and Security Game Keyed function that takes two inputs ( r , M ) is indistinguishable from RF Adversary can only query the oracle with M . Goal is to distinguish the function from a RF; secure if it is hard pPRF Attack Algorithm of C1 : f ( r ) ⊕ m • Query Phase : t 1 ← m 1 , t 2 ← m 1 , . . . , t 2 n / 2 ← m 1 • W.h.p ∃ i , j ∈ { 1 , 2 , . . . , 2 n / 2 } s.t r i = r j • If t i = t j , return 1. pPRF Attack for C2, C3, C4 is same as that of C1 A.Dutta Exact Security Analysis of HtM Construction

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

N-type Transistor CS/EE 6710 CMOS Processing D + G Vds i electrons S - +Vgs N-type from

N-type Transistor CS/EE 6710 CMOS Processing D + G Vds i electrons S - +Vgs N-type from

N-type Transistor CS/EE 6710 CMOS Processing D + G Vds i electrons S - +Vgs N-type from the top Diffusion Mask Top view shows patterns that make up the Mask for just the diffused regions transistor Polysilicon Mask Combine

243 views • 11 slides
Formal Security Analysis and Improvement of a hash-based

Formal Security Analysis and Improvement of a hash-based

Formal Security Analysis and Improvement of a hash-based NFC M-coupon Protocol Ali Alshehri and Steve Schneider Agenda Introduc?on. Approach

498 views • 25 slides
Hash Functions and Hash Tables (2.5.2) A hash function h maps keys of a given type to

Hash Functions and Hash Tables (2.5.2) A hash function h maps keys of a given type to

Dictionaries 1/19/2005 11:37 PM Hash Functions and Hash Tables (2.5.2) A hash function h maps keys of a given type to Dictionaries and Hash Tables integers in a fixed interval [0, N 1] Example: h ( x ) = x mod N 0 is a hash function for

503 views • 4 slides
On the Exact Security of Schnorr-Type Signatures in the Random Oracle Model Yannick Seurin

On the Exact Security of Schnorr-Type Signatures in the Random Oracle Model Yannick Seurin

On the Exact Security of Schnorr-Type Signatures in the Random Oracle Model Yannick Seurin ANSSI, France 18 April, EUROCRYPT 2012 Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 1 / 28 Introduction Introduction

1.45k views • 117 slides
Security Proofs for the MD6 Hash Algorithm Ahmed Ezzat Outline Introduction to hash

Security Proofs for the MD6 Hash Algorithm Ahmed Ezzat Outline Introduction to hash

Security Proofs for the MD6 Hash Algorithm Ahmed Ezzat Outline Introduction to hash algorithms NIST SHA-3 Competition MD6 Algorithm and Mode of Operation Research Objective Approach Introduction to hash algorithms Hash

454 views • 14 slides
13 - Computer Security Hashing 1 Solution : hash

13 - Computer Security Hashing 1 Solution : hash

13 - Computer Security Hashing 1 Solution : hash function 0 1 n - h x 0 1 - h x is the hash/digest of x Context Goal - Represent large/sensitive message by a smaller one - Numerous

1.14k views • 68 slides
1. procedure ONE TO ALL BC( d , my id , X ) 2. begin mask := 2 d 1; 3. /* Set all d bits of

1. procedure ONE TO ALL BC( d , my id , X ) 2. begin mask := 2 d 1; 3. /* Set all d bits of

1. procedure ONE TO ALL BC( d , my id , X ) 2. begin mask := 2 d 1; 3. /* Set all d bits of mask to 1 */ 4. for i := d 1 downto 0 do /* Outer loop */ mask := mask XOR 2 i ; 5. /* Set bit i of mask to 0 */ 6. if ( my id AND mask ) = 0

494 views • 10 slides
Higher-Order Side Channel Security and Mask Refreshing J.-S. Coron,E. Prouff, M. Rivain and T.

Higher-Order Side Channel Security and Mask Refreshing J.-S. Coron,E. Prouff, M. Rivain and T.

Higher-Order Side Channel Security and Mask Refreshing J.-S. Coron,E. Prouff, M. Rivain and T. Roche thomas.roche@ssi.gouv.fr FSE 2013 March 2013 T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing Side Channel Analysis

1.14k views • 75 slides
Hash Table Analysis When do hash tables degrade in performance? How should we set the maximum

Hash Table Analysis When do hash tables degrade in performance? How should we set the maximum

Hash Table Analysis When do hash tables degrade in performance? How should we set the maximum load factor? It is especially important to know the average behavior of a hashing method, because we are committed to trusting in the laws of

579 views • 22 slides
Hash Functions, Message Hash Functions, Message Security Services Security Services

Hash Functions, Message Hash Functions, Message Security Services Security Services

Hash Functions, Message Hash Functions, Message Security Services Security Services Authentication Codes Authentication Codes Confidentiality : Symmetric encryption solves Integrity Ahmet Burak Can Authentication Hacettepe

341 views • 4 slides
LUX Hash Function Ivica Nikoli c, Alex Biryukov, Dmitry Khovratovich University of Luxembourg

LUX Hash Function Ivica Nikoli c, Alex Biryukov, Dmitry Khovratovich University of Luxembourg

LUX Hash Function LUX Hash Function Ivica Nikoli c, Alex Biryukov, Dmitry Khovratovich University of Luxembourg LUX Hash Function Outline 1 Design 2 Security Analysis 3 Implementation 4 Advantages LUX Hash Function Design Design LUX Hash

539 views • 28 slides
Cryptographic Hash Functions Signatures Requirements MD5 and SHA CSS441: Security and

Cryptographic Hash Functions Signatures Requirements MD5 and SHA CSS441: Security and

CSS441 Hash Functions Hash Functions Authentication Cryptographic Hash Functions Signatures Requirements MD5 and SHA CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

1.04k views • 24 slides
Hash Tables LAST TODAY NEXT Hashing Unbounded arrays Implementing Genericity

Hash Tables LAST TODAY NEXT Hashing Unbounded arrays Implementing Genericity

Hash Tables LAST TODAY NEXT Hashing Unbounded arrays Implementing Genericity Amortized analysis Hash tables Introduction to C1 (genericity) Implicit contract for casting (void*) x where x has type tp* //@ensures

703 views • 20 slides
MEDICAL FACE MASK BFE 95% AT 3 MICRONS | PFE 95% AT 0.1 MICRONS Our standard 3-ply face

MEDICAL FACE MASK BFE 95% AT 3 MICRONS | PFE 95% AT 0.1 MICRONS Our standard 3-ply face

MEDICAL FACE MASK BFE 95% AT 3 MICRONS | PFE 95% AT 0.1 MICRONS Our standard 3-ply face masks provide basic Product Type : 3-Ply Disposable Medical Face Mask (Non-Sterile) protection for medical staff. They are suitable Quality

238 views • 3 slides
1 Simple Hash Functions Requirements for Hash Functions 1. can be applied to any sized message M

1 Simple Hash Functions Requirements for Hash Functions 1. can be applied to any sized message M

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Using Symmetric Ciphers for MACs can use any block cipher chaining mode and use final block as a MAC Chapter 12 Hash Algorithms Data Authentication Algorithm (DAA) is a widely used MAC

305 views • 5 slides
Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee

Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee

Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee KAIST Outline Introduction - Message Authentication Code - Double-block Hash-then-Sum paradigm Our Contribution - Tight security proof of

394 views • 24 slides
Mes Messa sage ge Aut uthe hent ntica ication tion Cod Codes es Instructor: Ahmad

Mes Messa sage ge Aut uthe hent ntica ication tion Cod Codes es Instructor: Ahmad

Data and Network Security Lab Sharif University of Technology Department of Computer Engineering Mes Messa sage ge Aut uthe hent ntica ication tion Cod Codes es Instructor: Ahmad Boorghany Most of the slides are obtained from Bellare

1.18k views • 80 slides
Foundation of Cryptography (0368-4162-01), Lecture 7 MACs and Signatures Iftach Haitner, Tel

Foundation of Cryptography (0368-4162-01), Lecture 7 MACs and Signatures Iftach Haitner, Tel

Message Authentication Code (MAC) Constructions Signature Schemes OWFs = Signatures Foundation of Cryptography (0368-4162-01), Lecture 7 MACs and Signatures Iftach Haitner, Tel Aviv University December 27, 2011 Message Authentication

1.25k views • 89 slides
Symmetric-key Cryptography: an Engineering Perspective Nicky Mouha 1 ESAT/COSIC, KU Leuven and

Symmetric-key Cryptography: an Engineering Perspective Nicky Mouha 1 ESAT/COSIC, KU Leuven and

Symmetric-key Cryptography: an Engineering Perspective Nicky Mouha 1 ESAT/COSIC, KU Leuven and iMinds, Belgium 2 Project-team SECRET, Inria, France ASK 2014 December 19, 2014 1 / 44 Overview Engineering Perspective Design, analysis,

873 views • 84 slides
Efficient Implementation of Hash-Sequence Signatures Ahto Truu, Guardtime AS / Tallinn University

Efficient Implementation of Hash-Sequence Signatures Ahto Truu, Guardtime AS / Tallinn University

Efficient Implementation of Hash-Sequence Signatures Ahto Truu, Guardtime AS / Tallinn University of Technology This is joint work with Ahto Buldas and Risto Laanoja The presenter has received the Skype and IT Academy PhD Students Scholarship

318 views • 15 slides
Hashing Hashing What is it? A form of narcotic intake? A side order for your eggs? A

Hashing Hashing What is it? A form of narcotic intake? A side order for your eggs? A

Hashing Hashing What is it? A form of narcotic intake? A side order for your eggs? A combination of the two? Hashing 1 Problem RT&T is a large phone company, and they want to provide caller ID capability: - given a phone number,

267 views • 14 slides
Advanced Algorithms COMS31900 Hashing part one Chaining, true randomness and universal

Advanced Algorithms COMS31900 Hashing part one Chaining, true randomness and universal

Advanced Algorithms COMS31900 Hashing part one Chaining, true randomness and universal hashing Rapha el Clifford Slides by Benjamin Sach and Markus Jalsenius Dictionaries In a dictionary data structure we store ( key , value ) -pairs

1.56k views • 98 slides
Week 9 Oliver Kullmann Generalising arrays Hash tables Direct addressing Hashing in

Week 9 Oliver Kullmann Generalising arrays Hash tables Direct addressing Hashing in

CS 270 Algorithms Week 9 Oliver Kullmann Generalising arrays Hash tables Direct addressing Hashing in general Generalising arrays 1 Hashing through chaining Direct addressing 2 Hash functions Hashing in general 3 Tutorial

558 views • 33 slides
CS 1501 www.cs.pitt.edu/~nlf4/cs1501/ Hashing Wouldnt it be wonderful if... Search through a

CS 1501 www.cs.pitt.edu/~nlf4/cs1501/ Hashing Wouldnt it be wonderful if... Search through a

CS 1501 www.cs.pitt.edu/~nlf4/cs1501/ Hashing Wouldnt it be wonderful if... Search through a collection could be accomplished in (1) with relatively small memory needs? Lets try this: Assume we have an array of length m (call

714 views • 23 slides

More recommend