improving the security of macs via randomized message
play

improving the security of MACs via randomized message preprocessing - PowerPoint PPT Presentation

Dec 10, 2023 •310 likes •617 views

improving the security of MACs via randomized message preprocessing Yevgeniy Dodis (New York University) Krzysztof Pietrzak (CWI Amsterdam) March 26, 2007 FSE 2007 March 27, 2007 Symmetric Authentication: Message Authentication Codes M M

  1. improving the security of MACs via randomized message preprocessing Yevgeniy Dodis (New York University) Krzysztof Pietrzak (CWI Amsterdam) March 26, 2007 FSE 2007 March 27, 2007

  2. Symmetric Authentication: Message Authentication Codes M M ′ M ′ M FSE 2007 March 27, 2007

  3. Symmetric Authentication: Message Authentication Codes M , K K φ ′ ? φ = MAC ( K , M ) = MAC ( K , M ′ ) M ′ , φ ′ M , φ ◮ Kermit and Peggy share a secret key K . ◮ Kermit sends an authentication tag φ = MAC ( K , M ) together with message M . ◮ Peggy accepts M ′ iff φ ′ = MAC ( K , M ′ ). FSE 2007 March 27, 2007

  4. Symmetric Authentication: Message Authentication Codes M , K K φ ′ ? φ = MAC ( K , M ) = MAC ( K , M ′ ) M ′ , φ ′ M , φ ◮ Kermit and Peggy share a secret key K . ◮ Kermit sends an authentication tag φ = MAC ( K , M ) together with message M . ◮ Peggy accepts M ′ iff φ ′ = MAC ( K , M ′ ). ◮ Security: It should be hard for Beeker (who does not know K ) to come up with a pair ( M ′ , φ ′ ) where ◮ φ ′ = MAC ( K , M ′ ) ◮ Kermit did not already send ( M ′ , φ ) FSE 2007 March 27, 2007

  5. Asymmetric Authentication: Digital Signatures M M ′ M FSE 2007 March 27, 2007

  6. Asymmetric Authentication: Digital Signatures M , Sk , Pk Pk Pk Verify ( Pk , φ ′ , M ′ ) φ = Sign ( Sk , M ) M ′ , φ ′ M , φ ◮ Kermit generates a secret/public-key par Sk , Pk and send Pk to Peggy over an authentic chanell. ◮ Kermit sends Signature φ = Sign ( Sk , M ) together with message M . ◮ Peggy accepts M ′ iff Verify ( Pk , φ ′ , M ′ ) = accept . FSE 2007 March 27, 2007

  7. Asymmetric Authentication: Digital Signatures M , Sk , Pk Pk Pk Verify ( Pk , φ ′ , M ′ ) φ = Sign ( Sk , M ) M ′ , φ ′ M , φ ◮ Kermit generates a secret/public-key par Sk , Pk and send Pk to Peggy over an authentic chanell. ◮ Kermit sends Signature φ = Sign ( Sk , M ) together with message M . ◮ Peggy accepts M ′ iff Verify ( Pk , φ ′ , M ′ ) = accept . ◮ Security: It should be hard for Beeker (who does not know Sk ) to come up with a pair ( M ′ , φ ′ ) where ◮ Verify ( Pk , φ ′ , M ′ ) = accept ◮ Kermit did not already send ( M ′ , φ ) FSE 2007 March 27, 2007

  8. Hash then Sign/MAC/Encrypt M M CRHF CRHF Sk Sign K MAC φ φ hash & Sign hash & MAC ◮ CRHF: Pr [ A → X , X ′ : H ( X ) = H ( X ′ )] = small FSE 2007 March 27, 2007

  9. Hash then Sign/MAC/Encrypt M M M CRHF R UOWHF CRHF Sk Sign Sk Sign K MAC φ φ φ, R hash & Sign hash & MAC hash & Sign ◮ CRHF: Pr [ A → X , X ′ : H ( X ) = H ( X ′ )] = small ◮ UOWHF: max X Pr R [ A ( R ) → X ′ : H R ( X ) = H R ( X ′ )] = small FSE 2007 March 27, 2007

  10. Hash then Sign/MAC/Encrypt M M M M CRHF R UOWHF CRHF K hash XUH Sk Sign Sk Sign K MAC K enc Enc φ φ φ, R φ hash & Sign hash & MAC hash & Sign hash & encrypt ◮ CRHF: Pr [ A → X , X ′ : H ( X ) = H ( X ′ )] = small ◮ UOWHF: max X Pr R [ A ( R ) → X ′ : H R ( X ) = H R ( X ′ )] = small ◮ ǫ -XUH: max X , X ′ Pr K hash [ H K hash ( X ) = H K hash ( X ′ )] ≤ ǫ FSE 2007 March 27, 2007

  11. Hash then Encrypt M K hash XUH K enc Enc φ FSE 2007 March 27, 2007

  12. Hash then Encrypt M K XUH E φ To analyze the security we replace Enc with a uniformly random permutation E : { 0 , 1 } k → { 0 , 1 } k . FSE 2007 March 27, 2007

  13. Sample K and E at random MAC queries Forgery queries M ′ M i j K H H K E E φ ′ φ ′′ φ i j j Beeker wins if for some j , φ ′′ j = φ ′ j . Theorem (security of hash then encrypt) If H is ǫ -universal then Pr[ Beeker wins ] ≤ ǫ · q 2 mac + ǫ · q forge where q mac / q forge is the number of MAC / forgery queries. FSE 2007 March 27, 2007

  14. Theorem (security of hash then encrypt) If H is ǫ -universal then Pr[ Beeker wins ] ≤ ǫ · q 2 mac + ǫ · q forge where q mac / q forge is the number of MAC / forgery queries. Proof. Pr[ Beeker wins ] ≤ Pr[ collision ] + Pr[ forgery | no collision ] ǫ · q 2 ≤ + ǫ · q forge mac FSE 2007 March 27, 2007

  15. Theorem (security of hash then encrypt) If H is ǫ -universal then Pr[ Beeker wins ] ≤ ǫ · q 2 mac + ǫ · q forge where q mac / q forge is the number of MAC / forgery queries. Corollary q = q mac + q forge If H is O (1 / 2 k ) universal, then the security is O ( q 2 / 2 k ) . If H is O ( | M | / 2 k ) universal, then the security is O ( | M | q 2 / 2 k ) . FSE 2007 March 27, 2007

  16. Theorem (security of hash then encrypt) If H is ǫ -universal then Pr[ Beeker wins ] ≤ ǫ · q 2 mac + ǫ · q forge where q mac / q forge is the number of MAC / forgery queries. Corollary q = q mac + q forge If H is O (1 / 2 k ) universal, then the security is O ( q 2 / 2 k ) . If H is O ( | M | / 2 k ) universal, then the security is O ( | M | q 2 / 2 k ) . Can we get O ( q 2 / 2 k ) security using O ( | M | / 2 k ) universal hashing? FSE 2007 March 27, 2007

  17. Theorem (security of hash then encrypt) If H is ǫ -universal then Pr[ Beeker wins ] ≤ ǫ · q 2 mac + ǫ · q forge where q mac / q forge is the number of MAC / forgery queries. Corollary q = q mac + q forge If H is O (1 / 2 k ) universal, then the security is O ( q 2 / 2 k ) . If H is O ( | M | / 2 k ) universal, then the security is O ( | M | q 2 / 2 k ) . Can we get O ( q 2 / 2 k ) security using O ( | M | / 2 k ) universal hashing? Yes, by randomizing the message FSE 2007 March 27, 2007

  18. Theorem (security of hash then encrypt) If H is ǫ -universal then Pr[ Beeker wins ] ≤ ǫ · q 2 mac + ǫ · q forge where q mac / q forge is the number of MAC / forgery queries. Corollary q = q mac + q forge If H is O (1 / 2 k ) universal, then the security is O ( q 2 / 2 k ) . If H is O ( | M | / 2 k ) universal, then the security is O ( | M | q 2 / 2 k ) . Can we get O ( q 2 / 2 k ) security using O ( | M | / 2 k ) universal hashing? Yes, by randomizing the message using only O (log( | M | )) random bits. FSE 2007 March 27, 2007

  19. almost universal hash-functions Definition ( ǫ -universal hash function) H : K × M → T is ǫ universal if ∀ M � = M ′ ∈ M : Pr K ∈K [ H ( K , M ) = H ( K , M ′ )] ≤ ǫ ◮ H : Z 2 L × Z L → Z ℓ where H x , y ( M ) = ( x · M + y mod L ) mod ℓ is 1 /ℓ universal. ◮ H : Z ℓ × Z d ℓ → Z ℓ where H x ( M 1 , . . . , M d ) = x · M 1 + x 2 · M 2 + · · · + x d · M d is d /ℓ -universal FSE 2007 March 27, 2007

  20. the salted hash-function paradigm A salted hash function H is ( ǫ forge , ǫ mac ) universal if ◮ Inputs collide with probability ≤ ǫ forge if salt is not random. ◮ Inputs collide with probability ≤ ǫ mac if salt is random. Definition (( ǫ forge , ǫ mac )-universal salted hash function) H : P × K × M → T is ( ǫ forge , ǫ mac ) universal if ∀ ( M , P ) � = ( M ′ , P ′ ) : K ∈K , [ H ( K , P , M ) � = H ( K , P ′ , M ′ )] ≤ ǫ forge Pr ∀ ( M , M ′ , P ) : K ∈K , P ′ ∈P [ H ( K , P , M ) � = H ( K , P ′ , M ′ )] ≤ ǫ mac Pr FSE 2007 March 27, 2007

  21. salted hash then encrypt M M K , P ( ǫ forge , ǫ mac ) − XUH K ǫ − XUH E E φ φ, P hash then encrypt salted hash then encrypt on each invocation a random salt P is chosen by the MAC FSE 2007 March 27, 2007

  22. Sample K and E at random MAC queries Forgery queries P , M ′ j M i K H H K , P ∈ P E E φ ′ φ ′′ φ i , P j j Beeker wins if for some j , φ ′′ j = φ ′ j . Theorem (security of salted hash then encrypt) If H is ( ǫ forge , ǫ mac ) -universal then Pr[ Beeker wins ] ≤ ǫ mac · q 2 mac + ǫ forge · q forge where q mac / q forge is the number of MAC / forgery queries. FSE 2007 March 27, 2007

  23. Theorem (security of salted hash then encrypt) If H is ( ǫ forge , ǫ mac ) -universal then Pr[ Beeker wins ] ≤ ǫ mac · q 2 mac + ǫ forge · q forge where q mac / q forge is the number of MAC / forgery queries. To achieve optimal O ( q 2 / 2 k ) security ( q = q mac + q forge ), we just need ǫ mac ∈ Θ(1 / 2 k ) but ǫ forge can be much bigger. As the salt is part of the output, we want the domain P for the salt to be small. FSE 2007 March 27, 2007

  24. the generic result, proof of concept [1] M � P ∈ { 0 , 1 } L × { 0 , 1 } log L ∈ { 0 , 1 } L M g H H ⇒ { 0 , 1 } k { 0 , 1 } k Theorem (generic construction) Let H : { 0 , 1 } L → { 0 , 1 } k be L / 2 k universal & balanced ∃ permutation over g : { 0 , 1 } L +log( L ) such that with P ∈ { 0 , 1 } log L H ′ ( K , P , M ) := H ( K , g ( M � P )) is ( ǫ forge , ǫ mac ) universal with ǫ forge = ( L + log( L )) / 2 k ǫ mac = 2 / 2 k FSE 2007 March 27, 2007

  25. the generic result, proof of concept [2] Generic Construction ◮ Optimal ǫ mac = 2 / 2 k . ◮ Salt of length log( L ) if H is L / 2 k universal. In general: If H is L c / 2 k -universal, then salt will be c · log( L ) ◮ Non-constructive. FSE 2007 March 27, 2007

  26. a concrete example: polynomial evaluation [1] H : Z ℓ × Z d ℓ → Z ℓ where H x ( M 1 , . . . , M d ) = x · M 1 + x 2 · M 2 + · · · + x d · M d is d /ℓ -universal Theorem (set constant coefficient completely random) H ′ : Z ℓ × Z ℓ × Z d ℓ → Z ℓ where x ( P , M 1 , . . . , M d ) = P + x · M 1 + x 2 · M 2 + · · · + x d · M d is H ′ ( ǫ forge , ǫ mac ) universal ǫ forge = d /ℓ and optimal ǫ mac = 1 /ℓ . Proof. H ′ x ( P , M ) = H ′ x ( P ′ , M ′ ) for exactly one possible P ∈ Z ℓ , thus ǫ mac = 1 /ℓ . FSE 2007 March 27, 2007

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Objectives Security Notions of MACs NMACs and HMACs CBC-MACs Low Power Ajit Pal

Objectives Security Notions of MACs NMACs and HMACs CBC-MACs Low Power Ajit Pal

Message Authentication Codes (MACs) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Security Notions of MACs NMACs and HMACs

158 views • 12 slides
References Message Authentication Codes (MACs) Message Authentication Codes (MACs), Chapter

References Message Authentication Codes (MACs) Message Authentication Codes (MACs), Chapter

Message Authentication Codes (MACs) Message Authentication Codes (MACs) References Message Authentication Codes (MACs) Message Authentication Codes (MACs), Chapter 12 of Understanding Cryptography by Paar & Pelzl Jim Royer Message

224 views • 3 slides
Signature Schemes Chester Rebeiro IIT Madras CR STINSON : chapter 7 Recall : MACs y = h K (x)

Signature Schemes Chester Rebeiro IIT Madras CR STINSON : chapter 7 Recall : MACs y = h K (x)

Signature Schemes Chester Rebeiro IIT Madras CR STINSON : chapter 7 Recall : MACs y = h K (x) Alice Bob h K = K Attack at Dawn!! Message Digest h K K unsecure channel Message Message Attack at Dawn!! MACs allow Bob to be

696 views • 35 slides
Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee

Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee

Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee KAIST Outline Introduction - Message Authentication Code - Double-block Hash-then-Sum paradigm Our Contribution - Tight security proof of

394 views • 24 slides
Signature Schemes Chester Rebeiro IIT Madras CR CR STINSON : chapter 7 Recall : MACs y = h K

Signature Schemes Chester Rebeiro IIT Madras CR CR STINSON : chapter 7 Recall : MACs y = h K

Signature Schemes Chester Rebeiro IIT Madras CR CR STINSON : chapter 7 Recall : MACs y = h K (x) Alice Bob h K = K A=ack at Dawn!! Message Digest h K K unsecure channel Message A=ack at Dawn!! MACs allow Bob to be certain

701 views • 37 slides
Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Cryptography Hash Functions and MACs Introduction to Hash Functions Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message Cryptography Authentication Codes School of Engineering and Technology

787 views • 23 slides
Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Cryptography Hash Functions and MACs Introduction to Hash Functions Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message Cryptography Authentication Codes School of Engineering and Technology

338 views • 23 slides
Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity

Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity

Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice Bob (sender) (reciever) Fran (forger) Remark: Authentication

450 views • 31 slides
Foundation of Cryptography (0368-4162-01), Lecture 7 MACs and Signatures Iftach Haitner, Tel

Foundation of Cryptography (0368-4162-01), Lecture 7 MACs and Signatures Iftach Haitner, Tel

Message Authentication Code (MAC) Constructions Signature Schemes OWFs = Signatures Foundation of Cryptography (0368-4162-01), Lecture 7 MACs and Signatures Iftach Haitner, Tel Aviv University December 27, 2011 Message Authentication

1.25k views • 89 slides
1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

Message Authentication CPE 542: CRYPTOGRAPHY & NETWORK SECURITY message authentication is concerned with: protecting the integrity of a message Chapter 11 Message Authentication and validating identity of originator Hash

462 views • 6 slides
Message Integrity CBC-MAC and NMAC Dan Boneh MACs and

Message Integrity CBC-MAC and NMAC Dan Boneh MACs and

Online Cryptography Course

158 views • 13 slides
Wegman-Carter Style MACs from TBCs Jooyoung Lee School of Computing(GSIS), KAIST Jooyoung Lee

Wegman-Carter Style MACs from TBCs Jooyoung Lee School of Computing(GSIS), KAIST Jooyoung Lee

Wegman-Carter Style MACs from TBCs Jooyoung Lee School of Computing(GSIS), KAIST Jooyoung Lee Wegman-Carter Style MACs from TBCs Message Authentication Codes http://en.wikipedia.org/wiki/File:MAC.svg Block cipher-based: CMAC, OMAC etc.

219 views • 19 slides
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands

Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands

Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D. student of Daniel J. Bernstein

1.16k views • 104 slides
1 Simple Hash Functions Requirements for Hash Functions 1. can be applied to any sized message M

1 Simple Hash Functions Requirements for Hash Functions 1. can be applied to any sized message M

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Using Symmetric Ciphers for MACs can use any block cipher chaining mode and use final block as a MAC Chapter 12 Hash Algorithms Data Authentication Algorithm (DAA) is a widely used MAC

305 views • 5 slides
Security Public key (e.g., RSA) Message digest (e.g., MD5) Security services

Security Public key (e.g., RSA) Message digest (e.g., MD5) Security services

Overview Cryptography functions Secret key (e.g., DES) Security Public key (e.g., RSA) Message digest (e.g., MD5) Security services Privacy: preventing unauthorized release of information Outline Authentication:

883 views • 5 slides
Investigating the security properties of MACs based on stream ciphers Leonie Simpson, Mufeed Al

Investigating the security properties of MACs based on stream ciphers Leonie Simpson, Mufeed Al

Investigating the security properties of MACs based on stream ciphers Leonie Simpson, Mufeed Al Mashrafi, Harry Bartlett, Ed Dawson and Kenneth Wong Institute for Future Environments Science and Engineering Faculty Queensland University of

650 views • 35 slides
News Recap: Classes, Methods, Objects Recap: Declare vs. Construct Object CPSC 111, Intro to

News Recap: Classes, Methods, Objects Recap: Declare vs. Construct Object CPSC 111, Intro to

University of British Columbia News Recap: Classes, Methods, Objects Recap: Declare vs. Construct Object CPSC 111, Intro to Computation 2009W2: Jan-Apr 2010 Midterm location announced: FSC 1005 Class: complex data type public static

145 views • 3 slides
Fermilab Status Don Holmgren USQCD All-Hands Meeting Fermilab May 14, 2009 Outline Current

Fermilab Status Don Holmgren USQCD All-Hands Meeting Fermilab May 14, 2009 Outline Current

Fermilab Status Don Holmgren USQCD All-Hands Meeting Fermilab May 14, 2009 Outline Current Hardware FY10/FY11 Deployment Storage/Filesystems Statistics User Authentication User Support 5/14/2009 USQCD 2009 All Hands

722 views • 27 slides
SAS Data Loader for Hadoop Agenda Intro What is Hadoop? What do I get from Hadoop?

SAS Data Loader for Hadoop Agenda Intro What is Hadoop? What do I get from Hadoop?

SAS Data Loader for Hadoop Agenda Intro What is Hadoop? What do I get from Hadoop? Hadoop components Why SAS Data Loader for Hadoop? SAS Data Loader for Hadoop overview Demo Introduction Doug Cutting, creator of Hadoop

285 views • 11 slides
Roadmap for Section 7.2. Windows Security Features Components of the Security System Windows

Roadmap for Section 7.2. Windows Security Features Components of the Security System Windows

Unit OS7: Security 7.2. Windows Security Components and Concepts Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 7.2. Windows Security Features Components of the Security

453 views • 14 slides
A two-step method to incorporate task features spaces for large output spaces Michiel Stock

A two-step method to incorporate task features spaces for large output spaces Michiel Stock

KERMIT A two-step method for large output A two-step method to incorporate task features spaces for large output spaces Michiel Stock twitter: @michielstock Motivation Introductory Michiel Stock 1 , Tapio Pahikkala 2 , Antti Airola 2 ,

287 views • 27 slides
U-Boot from Scratch Jagan Teki FOSDEM - 2019 Jagan Teki Jagan nadhaSutradharudu Teki

U-Boot from Scratch Jagan Teki FOSDEM - 2019 Jagan Teki Jagan nadhaSutradharudu Teki

U-Boot from Scratch Jagan Teki FOSDEM - 2019 Jagan Teki Jagan nadhaSutradharudu Teki Enthusiastic Linux kernel hacker U-Boot Maintainer for SPI, SPI-FLASH, Allwinner sunXi SoC Buildroot, Yocto contributor Heading to Amarula

858 views • 63 slides
Crafting an Elevator Pitch Sarah E. Fancher - @fanchidon SLRLN Summer Workshop - July 12, 2016

Crafting an Elevator Pitch Sarah E. Fancher - @fanchidon SLRLN Summer Workshop - July 12, 2016

Crafting an Elevator Pitch Sarah E. Fancher - @fanchidon SLRLN Summer Workshop - July 12, 2016 What is an elevator pitch? Origins in business Strategic communication technique Use active language; appeal to listeners goals, values

353 views • 7 slides
Unit VII - More realistic SRM scenarios prepared by Martin Radicke & Owen Synge 2 nd

Unit VII - More realistic SRM scenarios prepared by Martin Radicke & Owen Synge 2 nd

Unit VII - More realistic SRM scenarios prepared by Martin Radicke & Owen Synge 2 nd Hands-on dCache workshop April 2008, Cologne VM Preparations to start this unit from a clean state, either go back to the snapshot from yesterday

141 views • 10 slides

More recommend