Introduction to Modern Cryptography Recitation...
23
Orit Moskovich Tel Aviv University November 30, 2016 Introduction to Modern Cryptography Recitation 5 1
Transcript of Introduction to Modern Cryptography Recitation...
Orit Moskovich
Tel Aviv University
November 30, 2016
Introduction to Modern CryptographyRecitation 5
1
• Goals:▫ Message integrity
▫ Ensure that the message hasn’t been tampered with (detection)
• The parties must share a private key that the adversary does not know
2
Message Authentication Codes (MAC)
• A MAC is an algorithm that is applied to a message 𝑚
• The output of the algorithm is a tag 𝑀𝐴𝐶𝑘 𝑚 that is sent along with the message
• Security: ▫ Any computationally bounded adversary cannot construct a new legal pair
𝑚′, 𝑀𝐴𝐶𝑘 𝑚′
▫ Even after seeing 𝑛 legal pairs 𝑚𝑖 , 𝑀𝐴𝐶𝑘 𝑚𝑖 where 𝑖 = 1, 2, … , 𝑛
3
Message Authentication Codes (MAC)
𝐴
𝑀𝐴𝐶𝑘
𝑚𝑖
𝑀𝐴𝐶𝑘 𝑚𝑖
𝑚′, 𝑀𝐴𝐶𝑘 𝑚′
• A MAC is an algorithm that is applied to a message 𝑚
• The output of the algorithm is a tag 𝑀𝐴𝐶𝑘 𝑚 that is sent along with the message
4
Message Authentication Codes (MAC)
Definition. A message authentication code (MAC) is a tuple of probabilistic polynomial-time algorithms 𝐺𝑒𝑛,𝑀𝐴𝐶, 𝑉𝑟𝑓𝑦 such that:1. 𝐺𝑒𝑛 outputs a uniformly distributed key 𝑘2. 𝑀𝐴𝐶 receives for input a key 𝑘 and a message 𝑚 and outputs a tag
𝑀𝐴𝐶𝑘(𝑚)3. 𝑉𝑟𝑓𝑦 receives for input a key 𝑘 and a tag 𝑡 and a message 𝑚 and
verify its correctness, i.e., 𝑉𝑟𝑓𝑦𝑘 𝑚, 𝑡 = 1 ⟺ 𝑡 = 𝑀𝐴𝐶𝑘(𝑚)(Done by executing authentication algorithm on 𝑚 and 𝑘, and comparing with the value received, 𝑀𝐴𝐶𝑘(𝑚))
5
Message Authentication Codes (MAC)
𝐴
𝑀𝐴𝐶𝑘
𝑚𝑖
𝑀𝐴𝐶𝑘 𝑚𝑖
𝑚′, 𝑀𝐴𝐶𝑘 𝑚′
Definition. A MAC is 𝜀-secure if for any PPT adversary 𝐴:Pr 𝐴 forges a valid MAC < 𝜀
1. A random key 𝑘 is chosen2. The adversary A is given oracle access to 𝑀𝐴𝐶𝑘(∙). Let 𝑄 denote the
queries asked by 𝐴 during the execution.3. 𝐴 outputs a pair (𝑚, 𝑡)
The message authentication experiment for 𝐴:
𝐴 forges a valid MAC ⟺ 𝑡 = 𝑀𝐴𝐶𝑘(𝑚) and 𝑚 ∉ 𝑄
• Start with the all zero seed
• Given a message consisting of 𝑛 blocks, 𝑚 = 𝑚1, 𝑚2, … ,𝑚𝑛
• Apply CBC mode encryption (using the secret key 𝑘)
6
CBC-MAC
0ℓ 𝑚1 𝑚2 𝑚𝑛
𝐹𝑘 𝐹𝑘
…
𝐹𝑘
𝑀𝐴𝐶𝑘(𝑚)
• Not secure for messages of variable length
7
CBC-MAC
0ℓ 0ℓ
𝐹𝑘
𝑀𝐴𝐶𝑘 0ℓ = 𝐹𝑘(0ℓ)
0ℓ 0ℓ
𝐹𝑘
𝐹𝑘(0ℓ)
𝐹𝑘
𝐹𝑘(0ℓ)
𝑀𝐴𝐶𝑘 0ℓ𝐹𝑘(0ℓ) = 𝐹𝑘(0
ℓ)
Adversary outputs 0ℓ𝐹𝑘 0ℓ , 𝐹𝑘(0ℓ)
• Start with the all zero seed
• Given a message consisting of 𝑛 blocks, 𝑚 = 𝑚1, 𝑚2, … ,𝑚𝑛
• Apply CBC mode encryption (using the secret key 𝑘1), then XOR with 𝑘2• (Here the key 𝑘 = 𝑘1, 𝑘2)
8
Modified CBC-MAC?
0ℓ 𝑚1 𝑚2 𝑚𝑛
𝐹𝑘1 𝐹𝑘1
…
𝐹𝑘1
𝑀𝐴𝐶𝑘 𝑚 =𝐶𝐵𝐶−𝑀𝐴𝐶𝑘1 𝑚 ⊕𝑘2
𝑘2
• Not secure for messages of variable length
9
Modified CBC-MAC?
0ℓ 0ℓ
𝐹𝑘1
𝑀𝐴𝐶𝑘 0ℓ = 𝐶𝐵𝐶−𝑀𝐴𝐶𝑘1 0ℓ ⊕𝑘2= 𝐹𝑘1 0ℓ ⊕𝑘2 = 𝑡0
0ℓ 1ℓ
𝐹𝑘1
𝑀𝐴𝐶𝑘 1ℓ = 𝐶𝐵𝐶−𝑀𝐴𝐶𝑘1 1ℓ ⊕𝑘2= 𝐹𝑘1 1ℓ ⊕𝑘2 = 𝑡1
• Not secure for messages of variable length
10
Modified CBC-MAC?
0ℓ 0ℓ
𝐹𝑘1
𝑡0
𝐹𝑘1
𝑀𝐴𝐶𝑘 0ℓ𝑡0 = 𝐶𝐵𝐶−𝑀𝐴𝐶𝑘1 0ℓ𝑡0 ⊕𝑘2= 𝐹𝑘1 𝐹𝑘1 0ℓ ⊕ 𝑡0 ⊕𝑘2= 𝐹𝑘1 𝐹𝑘1 0ℓ ⊕𝐹𝑘1 0ℓ ⊕𝑘2 ⊕𝑘2= 𝐹𝑘1 𝑘2 ⊕𝑘2
• Not secure for messages of variable length
11
Modified CBC-MAC?
Adversary outputs 1ℓ𝑡1, 𝐹𝑘1(𝑘2) ⊕ 𝑘20ℓ 1ℓ
𝐹𝑘1
𝑡1
𝐹𝑘1
𝑀𝐴𝐶𝑘 1ℓ𝑡1 = 𝐶𝐵𝐶−𝑀𝐴𝐶𝑘1 1ℓ𝑡1 ⊕𝑘2= 𝐹𝑘1 𝐹𝑘1 1ℓ ⊕ 𝑡1 ⊕𝑘2= 𝐹𝑘1 𝐹𝑘1 1ℓ ⊕𝐹𝑘1 1ℓ ⊕𝑘2 ⊕𝑘2= 𝐹𝑘1 𝑘2 ⊕𝑘2
• Start with a random seed
• Given a message consisting of 𝑛 blocks, 𝑚 = 𝑚1, 𝑚2, … ,𝑚𝑛
• Apply CBC mode encryption (using the secret key 𝑘)
12
Random IV CBC-MAC?
𝑡 ← 0,1 𝑛 𝑚1 𝑚2 𝑚𝑛
𝐹𝑘 𝐹𝑘
…
𝐹𝑘
𝑀𝐴𝐶𝑘 𝑚 = 𝑡, 𝐶𝐵𝐶−𝑀𝐴𝐶𝑘 𝑚
• Not secure for messages of fixed length
13
Random IV CBC-MAC?
𝑚
𝐹𝑘
𝑡
𝐹𝑘𝑀𝐴𝐶𝑘 𝑚 = 𝑡, 𝐹𝑘 𝑚⊕ 𝑡
𝑀𝐴𝐶𝑘 𝑡 = 𝑚, 𝐹𝑘 𝑚⊕ 𝑡
𝑡 ← 0,1 𝑛
𝑚
Adversary outputs 𝑡, (𝑚, 𝐹𝑘 𝑚⊕ 𝑡 )
• Functions that take arbitrary-length strings and compress them
• Goal: find as few collisions as possible (𝑥 ≠ 𝑥′ such that ℎ 𝑥 = ℎ(𝑥′))
• How do we formalize this requirement?▫ A function ℎ is collision-resistant if it is infeasible for any PPT algorithm to
find a collision in ℎ
14
Collision-Resistant Hash Functions (CRH)
Definition. A hash function ℎ: 0,1 𝑛+𝑠 → 0,1 𝑛 is 𝜺-collision resistant if for any PPT adversary 𝐴:
PrA[𝐴 ℎ = 𝑥, 𝑥′ s.t. 𝑥 ≠ 𝑥′and ℎ 𝑥 = ℎ(𝑥′)] < 𝜀
• Pre-image resistance: ℎ is preimage resistant if for any PPT adversary that is given an input 𝑦, it is hard to find 𝑥 s.t. ℎ 𝑥 = 𝑦
• Second pre-image resistance: ℎ is second preimage resistant if for any PPT adversary that is given an input 𝑥, it is hard to find 𝑥′ ≠ 𝑥 s.t. ℎ 𝑥 = ℎ 𝑥′
• Collision resistance: ℎ is collision resistant if for any PPT adversary, it is hard to find any pair 𝑥′ ≠ 𝑥 s.t. ℎ 𝑥 = ℎ 𝑥′
15
Collision-Resistant Hash Functions (CRH)
• Can consider a family of keyed hash functions
• A family of hash functions indexed by a key 𝑘
• The requirement is that it is hard to find a collision in ℎ𝑘 for a randomly-chosen key 𝑘
• 𝑘 is not a secret key
16
Collision-Resistant Hash Functions (CRH)
Definition. A family of hash functions {ℎ𝑘} is 𝜺-collision resistant if for any PPT adversary 𝐴:
Pr𝐴,𝑘[𝐴 ℎ𝑘 = 𝑥, 𝑥′ s.t. 𝑥 ≠ 𝑥′and ℎ 𝑥 = ℎ(𝑥′)] < 𝜀
17
Collision-Resistant Hash Functions (CRH)
Example. Let ℎ be a CRH. Define 𝐻 𝑠 = ℎ(ℎ 𝑠 ). Prove that 𝐻 is a CRH.
• Assume 𝐻 is not a CRH
• There exists a PPT adversary 𝐴𝐻 such that PrAH[𝐴𝐻 𝐻 = 𝑥, 𝑥′ s.t. 𝑥 ≠ 𝑥′and 𝐻 𝑥 = 𝐻(𝑥′)] > 𝜀
• Construct the following PPT adversary 𝐴ℎ:
1. The adversary 𝐴ℎ runs 𝑥, 𝑥′ ← 𝐴𝐻(𝐻)2. If indeed 𝑥 ≠ 𝑥′ and 𝐻 𝑥 = 𝐻(𝑥′) (𝐴𝐻 succeeded)
• If ℎ(𝑥) ≠ ℎ(𝑥′), return ℎ 𝑥 , ℎ(𝑥′)• Otherwise, return 𝑥, 𝑥′
18
Yet Another Bad MAC
• Let 𝐻: 0,1 ∗ → 0,1 𝑛 be the following hash function, where ℎ: 0,1 2𝑛 → 0,1 𝑛
• 𝐻 is a CRH
• Define 𝑀𝐴𝐶𝑘 𝑚 = 𝐻(𝑘||𝑚)
19
Yet Another Bad MAC
• Define 𝑀𝐴𝐶𝑘 𝑚 = 𝐻(𝑘||𝑚)
• Adversary 𝐴:
▫ Chooses 𝑚 ∈ 0,1 2𝑛− 𝑘 −ℓ
▫ Requests 𝑀𝐴𝐶𝑘 𝑚 = 𝑡 = ℎ(0ℓ ∣∣ 𝑘 ∣∣ 𝑚)
▫ Chooses 𝑚 ≠ 𝑚′ ∈ 0,1 𝑛
▫ Computes ℎ 𝑡 ∣∣ 𝑚′ = ℎ(ℎ(0ℓ ∣∣ 𝑘 ∣∣ 𝑚)||𝑚′)
▫ Outputs 𝑚 ∣∣ 𝑚′, ℎ 𝑡 ∣∣ 𝑚′
• Correctness:
▫ 𝑀𝐴𝐶𝑘(𝑚| 𝑚′ = 𝐻(𝑘 𝑚 𝑚′)
= ℎ(ℎ(0ℓ ∣∣ 𝑘 ∣∣ 𝑚)||𝑚′)
𝒌||𝒎
𝒌||𝒎 𝒎′
• Say we want to store a database DB in the cloud
• When requesting for information (entry), we want to verify its correctness
• Naïve solution:
▫ 𝑑 ∈ 0,1 𝑁
▫ Keep hash of the DB ℎ(𝑑)
▫ Verifying correctness of a single entry is very expensive
20
CRH- Motivation
• We start with a hash function ℎ: 0,1 2𝑛 → 0,1 𝑛
• Consider the following complete binary tree of depth
• All 𝑛-bit blocks 𝑥1, … , 𝑥2ℎ are stored in the leaves
• We define the parent of two nodes 𝑎, 𝑏 to have value ℎ(𝑎, 𝑏)
• The root node has value 𝑦 = 𝐻(𝑥1, … , 𝑥2ℎ)
where 𝐻: 0,1 2ℎ → 0,1 𝑛
21
Merkle Tree
22
• What if we want to retrieve a single block 𝑥𝑖?
• How will we verify its correctness?▫ Only need to send the 𝑖th block 𝑥𝑖 along with the hash outputs
corresponding to all the sibling nodes along the path from the root of the tree to the 𝑖th block
▫ We can then use these values to re-compute the value associated with the root of the tree and verify that this matches 𝑦
Merkle Tree
23
• Proof of security is similar to this of the construction seen in class
Merkle Tree
