foundation of cryptography 0368 4162 01 lecture 7
play

Foundation of Cryptography (0368-4162-01), Lecture 7 MACs and - PowerPoint PPT Presentation

Jul 14, 2023 •350 likes •1.25k views

Message Authentication Code (MAC) Constructions Signature Schemes OWFs = Signatures Foundation of Cryptography (0368-4162-01), Lecture 7 MACs and Signatures Iftach Haitner, Tel Aviv University December 27, 2011 Message Authentication

  1. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Foundation of Cryptography (0368-4162-01), Lecture 7 MACs and Signatures Iftach Haitner, Tel Aviv University December 27, 2011

  2. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Section 1 Message Authentication Code (MAC)

  3. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Message Authentication Code (MAC) Definition 1 (MAC) A trippet of PPT ’s ( Gen , Mac , Vrfy ) such that Gen ( 1 n ) outputs a key k ∈ { 0 , 1 } ∗ 1 Mac ( k , m ) outputs a “tag" t 2 Vrfy ( k , m , t ) output 1 (YES) or 0 (NO) 3

  4. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Message Authentication Code (MAC) Definition 1 (MAC) A trippet of PPT ’s ( Gen , Mac , Vrfy ) such that Gen ( 1 n ) outputs a key k ∈ { 0 , 1 } ∗ 1 Mac ( k , m ) outputs a “tag" t 2 Vrfy ( k , m , t ) output 1 (YES) or 0 (NO) 3 Consistency: Vrfy k ( m , t ) = 1 for any k ∈ Supp ( Gen ( 1 n )) , m ∈ { 0 , 1 } n and t = Mac k ( m )

  5. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Message Authentication Code (MAC) Definition 1 (MAC) A trippet of PPT ’s ( Gen , Mac , Vrfy ) such that Gen ( 1 n ) outputs a key k ∈ { 0 , 1 } ∗ 1 Mac ( k , m ) outputs a “tag" t 2 Vrfy ( k , m , t ) output 1 (YES) or 0 (NO) 3 Consistency: Vrfy k ( m , t ) = 1 for any k ∈ Supp ( Gen ( 1 n )) , m ∈ { 0 , 1 } n and t = Mac k ( m ) Definition 2 (Existential unforgability) A MAC ( Gen , Mac , Vrfy ) is existential unforgeable (EU), if for any oracle-aided PPT A: � k ← Gen ( 1 n ); ( m , t ) ← A Mac k , Vrfy k ( 1 n ): Pr � Vrfy k ( m , t ) = 1 ∧ Mac k was not asked on m = neg ( n )

  6. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures “Private key" definition

  7. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures “Private key" definition Security definition too strong?

  8. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures “Private key" definition Security definition too strong? Any message? Use of Verifier?

  9. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures “Private key" definition Security definition too strong? Any message? Use of Verifier? “Replay attacks"

  10. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures “Private key" definition Security definition too strong? Any message? Use of Verifier? “Replay attacks" strong MACS

  11. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Length-restricted MACs Definition 3 (Length-restricted MAC) Same as in Definition 1, but for k ∈ Supp ( G ( 1 n )) , Mac k and Vrfy k only accept messages of length n .

  12. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Bounded-query MACs Definition 4 ( ℓ -time MAC) A MAC scheme is existential unforgeable against ℓ queries (for short, ℓ -time MAC), if it is existential unforgeable as in Definition 2, but A can only ask for ℓ queries.

  13. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Section 2 Constructions

  14. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Zero-time, restricted length, MAC Construction 5 (Zero-time, restricted length, MAC) Gen ( 1 n ) : outputs k ← { 0 , 1 } n Mac k ( m ) = k Vrfy k ( m , t ) = 1, iff t = k

  15. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Zero-time, restricted length, MAC Construction 5 (Zero-time, restricted length, MAC) Gen ( 1 n ) : outputs k ← { 0 , 1 } n Mac k ( m ) = k Vrfy k ( m , t ) = 1, iff t = k Claim 6 The above scheme is a length-restricted, zero-time MAC

  16. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures ℓ -wise independent hash Definition 7 ( ℓ -wise independent) A function family H from { 0 , 1 } n to { 0 , 1 } m is ℓ -wise independent, where ℓ ∈ N , if for every distinct x 1 , . . . , x ℓ ∈ { 0 , 1 } n and every y 1 , . . . , y ℓ ∈ { 0 , 1 } m , it holds that Pr h ←H [ h ( x 1 ) = y 1 ∧ · · · ∧ h ( x ℓ ) = y ℓ ] = 2 − ℓ m .

  17. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures ℓ -times, restricted length, MAC Construction 8 ( ℓ -time MAC) Let H = {H n : { 0 , 1 } n �→ { 0 , 1 } n } be an efficient ( ℓ + 1 ) -wise independent function family. Gen ( 1 n ) : outputs h ← H n Mac ( h , m ) = h ( m ) Vrfy ( h , m , t ) = 1, iff t = h ( m )

  18. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures ℓ -times, restricted length, MAC Construction 8 ( ℓ -time MAC) Let H = {H n : { 0 , 1 } n �→ { 0 , 1 } n } be an efficient ( ℓ + 1 ) -wise independent function family. Gen ( 1 n ) : outputs h ← H n Mac ( h , m ) = h ( m ) Vrfy ( h , m , t ) = 1, iff t = h ( m ) Claim 9 The above scheme is a length-restricted, ℓ -time MAC

  19. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures ℓ -times, restricted length, MAC Construction 8 ( ℓ -time MAC) Let H = {H n : { 0 , 1 } n �→ { 0 , 1 } n } be an efficient ( ℓ + 1 ) -wise independent function family. Gen ( 1 n ) : outputs h ← H n Mac ( h , m ) = h ( m ) Vrfy ( h , m , t ) = 1, iff t = h ( m ) Claim 9 The above scheme is a length-restricted, ℓ -time MAC Proof : HW

  20. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures OWF = ⇒ existential unforgeable MAC Construction 10 Same as Construction 8, but uses function F = {F n : { 0 , 1 } n �→ { 0 , 1 } n } instead of H . Claim 11 Assuming that F is a PRF , then Construction 10 is an existential unforgeable MAC.

  21. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures OWF = ⇒ existential unforgeable MAC Construction 10 Same as Construction 8, but uses function F = {F n : { 0 , 1 } n �→ { 0 , 1 } n } instead of H . Claim 11 Assuming that F is a PRF , then Construction 10 is an existential unforgeable MAC. Proof :

  22. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures OWF = ⇒ existential unforgeable MAC Construction 10 Same as Construction 8, but uses function F = {F n : { 0 , 1 } n �→ { 0 , 1 } n } instead of H . Claim 11 Assuming that F is a PRF , then Construction 10 is an existential unforgeable MAC. Proof : Easy to prove if F is a family of random functions. Hence, also holds in case F is a PRF .

  23. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Any Length Collision Resistant Hash Family Definition 12 (collision resistant hash family (CRH)) A function family H = {H n : { 0 , 1 } ∗ �→ { 0 , 1 } n } is collision resistant, if Pr [ h ← H n , ( x , x ′ ) ← A ( 1 n , h ): x � = x ′ ∈ { 0 , 1 } ∗ ∧ h ( x ) = h ( x ′ )] = neg ( n ) for any PPT A.

  24. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Any Length Collision Resistant Hash Family Definition 12 (collision resistant hash family (CRH)) A function family H = {H n : { 0 , 1 } ∗ �→ { 0 , 1 } n } is collision resistant, if Pr [ h ← H n , ( x , x ′ ) ← A ( 1 n , h ): x � = x ′ ∈ { 0 , 1 } ∗ ∧ h ( x ) = h ( x ′ )] = neg ( n ) for any PPT A. Not known to be implied by OWF

  25. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Any Length Length restricted MAC = ⇒ MAC Construction 13 (Length restricted MAC = ⇒ MAC) Let ( Gen , Mac , Vrfy ) be a length-restricted MAC, and let H = {H n : { 0 , 1 } ∗ �→ { 0 , 1 } n } be an efficient function family. Gen ′ ( 1 n ) : k ← Gen ( 1 n ) , h ← H n . Set k ′ = ( k , h ) Mac ′ k , h ( m ) = Mac k ( h ( m )) Vrfy ′ k , h ( t , m ) = Vrfy k ( t , h ( m ))

  26. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Any Length Length restricted MAC = ⇒ MAC Construction 13 (Length restricted MAC = ⇒ MAC) Let ( Gen , Mac , Vrfy ) be a length-restricted MAC, and let H = {H n : { 0 , 1 } ∗ �→ { 0 , 1 } n } be an efficient function family. Gen ′ ( 1 n ) : k ← Gen ( 1 n ) , h ← H n . Set k ′ = ( k , h ) Mac ′ k , h ( m ) = Mac k ( h ( m )) Vrfy ′ k , h ( t , m ) = Vrfy k ( t , h ( m )) Claim 14 Assume H is an efficient collision-resistant family and ( Gen , Mac , Vrfy ) is existential unforgeable, then ( Gen ′ , Mac ′ , Vrfy ′ ) is existential unforgeable MAC.

  27. Message Authentication Code (MAC) Constructions Signature Schemes OWFs = ⇒ Signatures Any Length Length restricted MAC = ⇒ MAC Construction 13 (Length restricted MAC = ⇒ MAC) Let ( Gen , Mac , Vrfy ) be a length-restricted MAC, and let H = {H n : { 0 , 1 } ∗ �→ { 0 , 1 } n } be an efficient function family. Gen ′ ( 1 n ) : k ← Gen ( 1 n ) , h ← H n . Set k ′ = ( k , h ) Mac ′ k , h ( m ) = Mac k ( h ( m )) Vrfy ′ k , h ( t , m ) = Vrfy k ( t , h ( m )) Claim 14 Assume H is an efficient collision-resistant family and ( Gen , Mac , Vrfy ) is existential unforgeable, then ( Gen ′ , Mac ′ , Vrfy ′ ) is existential unforgeable MAC. Proof : ?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Foundation of Cryptography (0368-4162-01), Lecture 0 Adminstration + Introduction Iftach

Foundation of Cryptography (0368-4162-01), Lecture 0 Adminstration + Introduction Iftach

Foundation of Cryptography (0368-4162-01), Lecture 0 Adminstration + Introduction Iftach Haitner, Tel Aviv University November 1, 2011 Administration Course Topics Part I Administration and Course Overview Administration Course Topics

714 views • 24 slides
Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge

Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge

Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge Iftach Haitner, Tel Aviv University December 4, 2011 IP for GNI Part I Interactive Proofs IP for GNI Interactive Vs. Interactive Proofs Definition 1 (

1.51k views • 110 slides
Foundation of Cryptography (0368-4162-01), Lecture 3 Hardcore Predicates for Any One-way Function

Foundation of Cryptography (0368-4162-01), Lecture 3 Hardcore Predicates for Any One-way Function

The Information Theoretic Case The Computational Case Foundation of Cryptography (0368-4162-01), Lecture 3 Hardcore Predicates for Any One-way Function Iftach Haitner, Tel Aviv University November 22, 2011 The Information Theoretic Case The

1.03k views • 85 slides
Foundation of Cryptography (0368-4162-01), Lecture 4 Pseudorandom Functions Iftach Haitner, Tel

Foundation of Cryptography (0368-4162-01), Lecture 4 Pseudorandom Functions Iftach Haitner, Tel

Function Families PRF from OWF PRP from PRF Applications Foundation of Cryptography (0368-4162-01), Lecture 4 Pseudorandom Functions Iftach Haitner, Tel Aviv University November 29, 2011 Function Families PRF from OWF PRP from PRF

1.17k views • 58 slides
Foundation of Cryptography (0368-4162-01), Lecture 8 Encryption Schemes Iftach Haitner, Tel Aviv

Foundation of Cryptography (0368-4162-01), Lecture 8 Encryption Schemes Iftach Haitner, Tel Aviv

Definitions Constructions Active Adversaries Foundation of Cryptography (0368-4162-01), Lecture 8 Encryption Schemes Iftach Haitner, Tel Aviv University January 3 17, 2012 Definitions Constructions Active Adversaries Section 1

1.33k views • 112 slides
Foundation of Cryptography (0368-4162-01), Lecture 1 One Way Functions Iftach Haitner, Tel Aviv

Foundation of Cryptography (0368-4162-01), Lecture 1 One Way Functions Iftach Haitner, Tel Aviv

Notation One Way Functions Foundation of Cryptography (0368-4162-01), Lecture 1 One Way Functions Iftach Haitner, Tel Aviv University November 1-8, 2011 Notation One Way Functions Section 1 Notation Notation One Way Functions Notation I

988 views • 67 slides
Foundation of Cryptography (0368-4162-01), Lecture 2 Pseudorandom Generators Iftach Haitner, Tel

Foundation of Cryptography (0368-4162-01), Lecture 2 Pseudorandom Generators Iftach Haitner, Tel

Foundation of Cryptography (0368-4162-01), Lecture 2 Pseudorandom Generators Iftach Haitner, Tel Aviv University Tel Aviv University. February 25, 2014 Iftach Haitner (TAU) Foundation of Cryptography February 25, 2014 1 / 26 Part I

1.38k views • 76 slides
Foundation of Cryptography (0368-4162-01), Intoduction Adminstration + Introduction Iftach

Foundation of Cryptography (0368-4162-01), Intoduction Adminstration + Introduction Iftach

Foundation of Cryptography (0368-4162-01), Intoduction Adminstration + Introduction Iftach Haitner, Tel Aviv University Tel Aviv University. February 18, 2014 Iftach Haitner (TAU) Foundation of Cryptography February 18, 2014 1 / 16 Part I

763 views • 34 slides
Public-Key Cryptography Public-Key Cryptography Lecture 9 Public-Key Cryptography Lecture 9

Public-Key Cryptography Public-Key Cryptography Lecture 9 Public-Key Cryptography Lecture 9

Public-Key Cryptography Public-Key Cryptography Lecture 9 Public-Key Cryptography Lecture 9 CCA Security SIM-CCA Security (PKE) Recv Send PK/Enc SK/Dec Replay Filter Secure (and correct) if: s.t. output of is distributed

1.26k views • 101 slides
Foundation of Cryptography, Lecture 5 MACs and Signatures Iftach Haitner, Tel Aviv University

Foundation of Cryptography, Lecture 5 MACs and Signatures Iftach Haitner, Tel Aviv University

Foundation of Cryptography, Lecture 5 MACs and Signatures Iftach Haitner, Tel Aviv University Tel Aviv University. March 17, 2013 Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 1 / 39 Part I Message Authentication Codes

1.41k views • 113 slides
Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge Iftach Haitner,

Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge Iftach Haitner,

Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge Iftach Haitner, Tel Aviv University Tel Aviv University. April 1, 2014 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 1 / 33 Part I

1.79k views • 152 slides
Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information: Using microscopic physical state of quantum systems (spin of atoms/sub-atomic particles, polarization of photons etc.) to encode information

1.95k views • 154 slides
Lecture 7 Public Key Cryptography I: Encryption + Signatures [lecture slides are adapted from

Lecture 7 Public Key Cryptography I: Encryption + Signatures [lecture slides are adapted from

Lecture 7 Public Key Cryptography I: Encryption + Signatures [lecture slides are adapted from previous slides by Prof. Gene Tsudik] 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and

478 views • 23 slides
Applied Cryptography Lecture 1 Applied Cryptography Lecture 1 Our first encounter with secrecy:

Applied Cryptography Lecture 1 Applied Cryptography Lecture 1 Our first encounter with secrecy:

Applied Cryptography Lecture 1 Applied Cryptography Lecture 1 Our first encounter with secrecy: Secret-Sharing Secrecy Secrecy Cryptography is all about controlling access to information Access to learning and/or influencing

2.01k views • 171 slides
Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption:

256 views • 22 slides
Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption:

810 views • 42 slides
Symmetric-key Cryptography: an Engineering Perspective Nicky Mouha 1 ESAT/COSIC, KU Leuven and

Symmetric-key Cryptography: an Engineering Perspective Nicky Mouha 1 ESAT/COSIC, KU Leuven and

Symmetric-key Cryptography: an Engineering Perspective Nicky Mouha 1 ESAT/COSIC, KU Leuven and iMinds, Belgium 2 Project-team SECRET, Inria, France ASK 2014 December 19, 2014 1 / 44 Overview Engineering Perspective Design, analysis,

873 views • 84 slides
Efficient Implementation of Hash-Sequence Signatures Ahto Truu, Guardtime AS / Tallinn University

Efficient Implementation of Hash-Sequence Signatures Ahto Truu, Guardtime AS / Tallinn University

Efficient Implementation of Hash-Sequence Signatures Ahto Truu, Guardtime AS / Tallinn University of Technology This is joint work with Ahto Buldas and Risto Laanoja The presenter has received the Skype and IT Academy PhD Students Scholarship

318 views • 15 slides
Network Security Essentials Chapter 3 Fourth Edition by William Stallings Lecture slides by

Network Security Essentials Chapter 3 Fourth Edition by William Stallings Lecture slides by

Network Security Essentials Chapter 3 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 9 Public Key Cryptography and RSA Every Egyptian received two names, which were known respectively as the true name and the

970 views • 81 slides
Verifying Web Services Security Protocols, Standards, and Implementations Karthik Bhargavan

Verifying Web Services Security Protocols, Standards, and Implementations Karthik Bhargavan

Verifying Web Services Security Protocols, Standards, and Implementations Karthik Bhargavan Microsoft Research, Cambridge Microsoft Research INRIA Joint Centre, Paris Joint work with C. Fournet and A.D. Gordon + R. Puccella, S. Tse, N.

1.4k views • 122 slides
Mes Messa sage ge Aut uthe hent ntica ication tion Cod Codes es Instructor: Ahmad

Mes Messa sage ge Aut uthe hent ntica ication tion Cod Codes es Instructor: Ahmad

Data and Network Security Lab Sharif University of Technology Department of Computer Engineering Mes Messa sage ge Aut uthe hent ntica ication tion Cod Codes es Instructor: Ahmad Boorghany Most of the slides are obtained from Bellare

1.18k views • 80 slides
Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions Avijit Dutta and

Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions Avijit Dutta and

Message Authentication Code HtM Construction Contributions Conclusion Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions Avijit Dutta and Ashwin Jha and Mridul Nandi Indian Statistical Institute, Kolkata 27th

463 views • 42 slides
Hashing Hashing What is it? A form of narcotic intake? A side order for your eggs? A

Hashing Hashing What is it? A form of narcotic intake? A side order for your eggs? A

Hashing Hashing What is it? A form of narcotic intake? A side order for your eggs? A combination of the two? Hashing 1 Problem RT&T is a large phone company, and they want to provide caller ID capability: - given a phone number,

267 views • 14 slides
Advanced Algorithms COMS31900 Hashing part one Chaining, true randomness and universal

Advanced Algorithms COMS31900 Hashing part one Chaining, true randomness and universal

Advanced Algorithms COMS31900 Hashing part one Chaining, true randomness and universal hashing Rapha el Clifford Slides by Benjamin Sach and Markus Jalsenius Dictionaries In a dictionary data structure we store ( key , value ) -pairs

1.56k views • 98 slides

More recommend