Lecture 4 β Message authentication, UF-CMA,
CBC-MAC, CMAC
TEK4500
15.09.2020
HΓ₯kon Jacobsen
What is cryptography?
2
InternetAlice
Bob
M
AdversarySecurity goals:
β’ Data privacy: adversary should not be able to read message M
What is cryptography?
3
InternetAlice
Bob
M
AdversarySecurity goals:
β’ Data privacy: adversary should not be able to read message M
β’ Data integrity: adversary should not be able to modify message M
β’ Data authenticity: message M really originated from Alice
M'
Basic goals of cryptography
4
Message privacyMessage integrity /
authentication
Symmetric keys Symmetric encryptionMessage authentication
codes (MAC)
Asymmetric keys
Asymmetric encryption
(a.k.a. public-key
encryption)
Digital signatures
Motivation
β’ Goal: integrity, but not privacy
β’ Examples:
β’ Protecting OS system files against tampering
β’ Browser cookies stored by web servers
β’ Control signals in network management
5
Encryption β integrity
6
"Send Bob $10"
Encryption β integrity
7
0001110 0100 100101101100
1001010 1010 000000001010
1000100 1110 100101100110
"Bob""Send" "$10"
CTR. Dec(πΎ,β )CTR. Enc(πΎ,β )
Encryption β integrity
8
1000100 1110 100101100110
0001110 0100 011001101100
0001110 0100 100101101100
"Send"
"Bob"
"$3850"
"Send" "$10"
"Bob"
CTR. Dec(πΎ,β )CTR. Enc(πΎ,β )
1001010 1010 000000001010
1001010 1010 111100001010
Message authentication β idea
9
π π
Generate tag π
π
Verify message-tag pair π,π
π
Sender Receiver
INVALID
VALID
β₯
Authentication from error-checking codes
10
π π
π β CRC32(π) πβ² β CRC32(π)
πβ² =?π
π
Sender Receiver
π
Keyless message integrity doesn't work
11
π π
π β CRC32(π) πβ² β CRC32(πβ²)
πβ² =?π
πβ²
Sender Receiver
πβ² πβ²
πβ² β CRC32(πβ²)
π
Message authentication schemes β syntax
β’ A message authentication scheme Ξ£ = KeyGen, Tag, Vrfy consists of three
algorithms:
β’ Associated to Ξ£:
β’ Key space π¦
β’ Message space β³
β’ Tag space π―
β’ KeyGen and Tag may be randomized ($), but Vrfy must be deterministic12
Tagπ,π
π 1 / 0
(VALID/INVALID)
KeyGen
Vrfy$
πΎ
$
Correctness requirement: For all
πΎ β KeyGen and all π β β³
Vrfy πΎ,π, Tag πΎ,π = 1
UF-CMA β Unforgability against chosen-message attacks
13
π1, π2, β¦
π1, π2, β¦
Tag(πΎ,β )
π1β² , π1
β² , π2β² , π2
β² , β¦
1/0, 1/0, β¦
VF(πΎ,β ,β )
Challenger
Adversary wins if a pair ππβ², ππ
β² is valid,
and was not among the pairs π1, π1 , π2, π2 , β¦
UF-CMA β Unforgability against chosen-message attacks
14
Definition: The UF-CMA-advantage of an
adversary π΄ is
πππ―Ξ£ufβcma π΄ = Pr ππ±π©Ξ£
ufβcma π΄ β 1
π1, π2, β¦
π1, π2, β¦
Tag(πΎ,β )
π1β² , π1
β² , π2β² , π2
β² , β¦
1/0, 1/0, β¦
VF(πΎ,β ,β )
Challenger ππ±π©Ξ£ufβcma π΄
1. πΎβ$Ξ£. KeyGen
2. π β [ ]3. π€ππ β 0
4. π΄TagπΎ β , VFπΎ(β ,β )
5. return π€ππ
TagπΎ(π)---------------------------------1. π β Ξ£. Tag(πΎ,π)
2. π. add π, π
3. return π
VFπΎ(π, π)---------------------------------1. π β Ξ£. Vrfy(πΎ,π, π)2. if π = 1 and π,π β π then:3. π€ππ β 14. return π
UF-CMA β Unforgability against chosen-message attacks
15
ππ±π©Ξ£ufβcma π΄
1. πΎβ$Ξ£. KeyGen
2. π β [ ]3. π€ππ β 0
4. π΄πΎTagπΎ β , VFπΎ(β ,β )
5. return π€ππ
TagπΎ(π)---------------------------------1. π β Ξ£. Tag(πΎ,π)
2. π. add π, π
3. return π
VFπΎ(π, π)---------------------------------1. π β Ξ£. Vrfy(πΎ,π, π)2. if π = 1 and π,π β π then:3. π€ππ β 14. return π
π1, π2, β¦
π1, π2, β¦
Tag(πΎ,β )
π1β² , π1
β² , π2β² , π2
β² , β¦
1/0, 1/0, β¦
VF(πΎ,β ,β )
Challenger
πππ―Ξ£ufβcma π΄ β 1 = adversary is doing well
πππ―Ξ£ufβcma π΄ β 0 = adversary is doing poorly
Definition: The UF-CMA-advantage of an
adversary π΄ is
πππ―Ξ£ufβcma π΄ = Pr ππ±π©Ξ£
ufβcma π΄ β 1
Properties of UF-CMA definition
β’ UF-CMA security implies:
β’ Hard to recover πΎ
β’ Hard to do selective forgery: forge a tag on a specific
message chosen by the adversary
β’ Hard to forge a new tag on an old message (and tag)
β’ If each message has a unique tag βΉ forgery must be on a
new message
β’ Tag lengths must be long enough!
β’ Suppose π = 10; then adversary who simply guesses π
has advantage πππ―Ξ£ufβcma π΄ =
1
210β
1
1000
β’ Does not give protection against replay attacks
β’ Message counters
β’ Nonces
β’ Timestamps
16
ππ±π©Ξ£ufβcma π΄
1. πΎβ$Ξ£. KeyGen
2. π β [ ]; π€ππ β 0
3. π΄πΎTagπΎ β , VFπΎ(β ,β )
4. returnπ€ππ
TagπΎ(π)---------------------------------1. π β Ξ£. Tag(πΎ,π)
2. π. add π, π
3. return π
VFπΎ(π, π)---------------------------------1. π β Ξ£. Vrfy(πΎ,π, π)2. if π = 1 and π,π β π then:3. π€ππ β 14. return π
πππ―Ξ£ufβcma π΄ = Pr ππ±π©Ξ£
ufβcma π΄ β 1
Message authentication codes (MACs)
β’ Special class of message authentication schemes:
Ξ£. Tag βΆ π¦ Γβ³ β π― is a deterministic function
Ξ£. Vrfy βΆ π¦ Γβ³ Γ π― β 0,1 simply recomputes tag and compares:
Ξ£. Vrfy πΎ,π, π =def
1, if π = Ξ£. Tag(πΎ,π)0, otherwise
β’ Most common in practice
β’ MAC βΉ unique tags βΉ forgeries must be on new messages
17
PRFs are good MACs
18
π
πΉπΎ
π
Alg Ξ£PRF. Tag πΎ,π---------------------------------1. if π β 0,1 ππ then2. return β₯3. return πΉπΎ(π)
Alg Ξ£PRF. Vrfy πΎ,π, π---------------------------------1. πβ² β πΉπΎ π
2. return πβ² =?π
πΉ βΆ 0,1 π Γ 0,1 ππ β 0,1 ππ’π‘
Theorem: If πΉ is a secure PRF then Ξ£PRF is UF-CMA secure for fixed-length messages π β 0,1 ππ
Detailed: for any UF-CMA adversary π΄ against Ξ£PRF asking π£ Vrfy queries, there is a PRF-
adversary π΅ against πΉ such that
πππ―Ξ£PRFufβcma π΄ β€ πππ―πΉ
prfπ΅ +
π£
2ππ’π‘
PRF
PRFs are good MACs β proof sketch
Theorem: For any UF-CMA adversy π΄, asking π£ Vrfy queries, there is a PRF-adversary π΅ such that
πππ―Ξ£PRFufβcma π΄ β€ πππ―πΉ
prfπ΅ +
π£
2ππ’π‘
π
πΉπΎ
π
π
π
π
βPRF-security
πβ$Func ππ, ππ’π‘
PRFs are good MACs β proof sketch
Theorem: For any UF-CMA adversy π΄, asking π£ Vrfy queries, there is a PRF-adversary π΅ such that
πππ―Ξ£PRFufβcma π΄ β€ πππ―πΉ
prfπ΅ +
π£
2ππ’π‘
π
πΉπΎ
π
π
π
π
βPRF-security
πβ$Func ππ, ππ’π‘
PRFs are good MACs β proof sketch
Theorem: For any UF-CMA adversy π΄, asking π£ Vrfy queries, there is a PRF-adversary π΅ such that
πππ―Ξ£PRFufβcma π΄ β€ πππ―πΉ
prfπ΅ +
π£
2ππ’π‘
π
πΉπΎ
π
π
π
π
βPRF-security
πβ²
π
πβ²
Pr π πβ² = πβ² =1
2ππ’π‘
PRFs are good MACs β proof sketch
Theorem: For any UF-CMA adversy π΄, asking π£ Vrfy queries, there is a PRF-adversary π΅ such that
πππ―Ξ£PRFufβcma π΄ β€ πππ―πΉ
prfπ΅ +
π£
2ππ’π‘
π
πΉπΎ
π
π
π
π
βPRF-security
π1β²
π
π1β²
π2β²
π
π2β²
ππ£β²
πβ―
ππ£β²
Pr π π1β² = π1
β² β¨ β―β¨ π ππ£β² = ππ£
β² = π£ β 1
2ππ’π‘β€
π=1
π£
Pr[π ππβ² = ππ
β²]
Pr π πβ² = πβ² =1
2ππ’π‘
πβ²
π
πβ²
PRFs are good MACs β proof sketch
π
πΉπΎ
π
π
π
π
βPRF-security
π1β²
π
π1β²
π2β²
π
π2β²
ππ£β²
πβ―
ππ£β²
Theorem: For any UF-CMA adversy π΄, asking π£ Vrfy queries, there is a PRF-adversary π΅ such that
πππ―Ξ£PRFufβcma π΄ β€ πππ―πΉ
prfπ΅ +
π£
2ππ’π‘
Pr π π1β² = π1
β² β¨ β―β¨ π ππ£β² = ππ£
β² = π£ β 1
2ππ’π‘β€
π=1
π£
Pr[π ππβ² = ππ
β²]
MACs for long messages
24
Attempt 1
25
π1
TagπΎ
π2 π3 π4
TagπΎ TagπΎ TagπΎ
π1 π2 π3 π4
π = π1||π2||π3||π4
π
Attempt 1 β an attack
26
π1
TagπΎ
π3 π2 π4
TagπΎ TagπΎ TagπΎ
π1 π3 π2 π4
π = π1||π3||π2||π4
Attempt 2
27
π1
TagπΎ
π2 π3 π4
π
π
Attempt 2 β an attack
28
π1
TagπΎ
π3 π2 π4
π
Attempt 3
29
1||π1
TagπΎ
2||π2 3||π3 4||π4
TagπΎ TagπΎ TagπΎ
π1 π2 π3 π4
π = π1||π2||π3||π4
π
Attempt 3 β an attack
30
1||π1
TagπΎ
2||π2β² 3||π3 4||π4
TagπΎ TagπΎ TagπΎ
π1 π2β² π3 π4
π = π1||π2β²||π3||π4
π = π1||π2||π3||π4
TagKπ1||π2||π3||π4
πβ² = π1β² ||π2
β² ||π3β² ||π4
β²TagK
π1β²||π2
β²||π3β²||π4
β²
CBC-MAC
31
π1
πΈπΎ
π2 π3 π4
πΈπΎ πΈπΎ πΈπΎ
π
π
CBC-MAC β security
β’ CBC-MAC is secure if you only MAC messages of length 4 β π
β’ CBC-MAC is secure if you only MAC messages of length 23 β π
β’ CBC-MAC is not secure if you MAC messages of lengths 4 β π and 23 β π
32
Theorem: If πΈ βΆ 0,1 π Γ 0,1 π β 0,1 π is a secure block cipher, then for
any fixed β CBC-MAC is UF-CMA secure for messages π β 0,1 ββ π.
CBC-MAC β pitfalls; variable-length messages
33
π
πΈπΎ
π
π
πΈπΎ
πβπ
πΈπΎ
π
CBC. Tag πΎ,π||πβ π = πΈπΎ πΈπΎ π β πβπ
= πΈπΎ π β πβπ
= πΈπΎ π
= π
πππ―CBCβMACufβcma π΄ = 1
CBC-MAC vs. CBC$-encryption
34
π1
πΈπΎ
π
π2
πΈπΎ
π3
πΈπΎ
π4
πΈπΎ
πΌπ π1
πΈπΎ
π2
πΈπΎ
π3
πΈπΎ
πΆ0 πΆ1 πΆ2 πΆ3
CBC-MAC CBC$-encryption
CBC$-MAC β pitfalls; randomized IV
35
πΌπ
π
π1
πΈπΎ
π2
πΈπΎ
π3
πΈπΎ
πΌπ
0π
π
πΈπΎ
π2
πΈπΎ
π3
πΈπΎ
0π
π1βπΌπ
Allowing variable-length messages
β’ Want to support different-length messages simultaneously
β’ Want to MAC messages of length 4 β π and 23 β π
β’ Could use different keys for each length βΉ not practical
β’ Want to support message not a multiple of the block length
β’ Padding needed
36
π1 π2 1000
π1 π2 π1 π2 100000000
π1 π2
CBC-MAC for variable-length messages
37
|π|
πΈπΎ
π1 π2 π3
πΈπΎ πΈπΎ πΈπΎ
π
π
What if you append the length of π at the end rather than at the beginning?
Theorem: If πΈ is a secure PRP then length-prepended CBC-MAC is UF-CMA secure
ECBC-MAC
38
π1
πΈπΎ1
π2 π3
πΈπΎ1πΈπΎ1
π3 pad
πΈπΎ2
π
π1
πΈπΎ1
π2
πΈπΎ1πΈπΎ1
πΈπΎ3
ππΎ1, πΎ2, πΎ3
FCBC-MAC
39
π1
πΈπΎ1
π
π2 π3
πΈπΎ1πΈπΎ2
π1
πΈπΎ1
π
π2
πΈπΎ1πΈπΎ3
π3 pad
πΎ1, πΎ2, πΎ3
XCBC-MAC
40
π1
πΈπΎ1
π
π2 π3
πΈπΎ1πΈπΎ1
π1
πΈπΎ1
π
π2
πΈπΎ1πΈπΎ1
π3 pad
πΎ3πΎ2
πΎ1, πΎ2, πΎ3
CMAC a.k.a. One-key MAC (OMAC)
41
π1
πΈπΎ
π
π2 π3
πΈπΎ πΈπΎ
π1
πΈπΎ
π
π2
πΈπΎ πΈπΎ
π3 pad
πΎ3πΎ2
πΎ2 = 2 β πΈπΎ 0π
πΎ3 = 4 β πΈπΎ 0π
CMAC
β’ 1 πΈ-call per message block + 1 πΈ-call to derive πΎ2, πΎ3
β’ Fully sequential
β’ Cannot utilize parallel AES cores
β’ Only one key
β’ Standardized by NIST
42
πΎ2 = 2 β πΉπΎ 0π
πΎ3 = 4 β πΉπΎ 0π
CMAC security
β’ Example:
β’ πΈ = AES (π = 128)
β’ Number of Tag-queries: π = 240 β 1 trillion queries
β’ Max π-bit blocks per message: β = 216 β 1 MB
β’ Number of Vrfy-queries: π£ = 240
β’ πππ―πΈprp
π΅ β 0
43
Theorem: If πΈ βΆ 0,1 π Γ 0,1 π β 0,1 π is a secure PRP then CMAC is UF-CMA secure.
Detailed: (Nandi '09) For any UF-CMA adversary making π Tag-queries, each of max length βπ-bit blocks, and π£ Vrfy-queries, there is a PRP-adversary π΅ such that
πππ―CMACufβcma π΄ β€ πππ―πΈ
prpπ΅ +
5 β β β π2
2π+
π£
2π
πππ―AESβMACufβcma π΄ β€
5 β 216 β 240 2
2128+
240
2128β
23+16+80
2128=
1
229
CMAC security
β’ Example:
β’ πΈ = DES (π = 64)
β’ Number of Tag-queries: π = 240 β 1 trillion queries
β’ Max π-bit blocks per message: β = 216 β 1 MB
β’ Number of Vrfy-queries: π£ = 240
β’ πππ―πΈprp
π΅ β 0
44
Theorem: If πΈ βΆ 0,1 π Γ 0,1 π β 0,1 π is a secure PRP then CMAC is UF-CMA secure.
Detailed: (Nandi '09) For any UF-CMA adversary making π Tag-queries, each of max length βπ-bit blocks, and π£ Vrfy-queries, there is a PRP-adversary π΅ such that
πππ―CMACufβcma π΄ β€ πππ―πΈ
prpπ΅ +
5 β β β π2
2π+
π£
2π
πππ―DESβCMACufβcma π΄ β€
5 β 216 β 240 2
264+240
264β
23+16+80
264= 235
Prob. > π!
CMAC security
β’ Example:
β’ πΈ = DES (π = 64)
β’ Number of Tag-queries: π = 216 β 65,000 queries
β’ Max π-bit blocks per message: β = 210 β 1 kB
β’ Number of Vrfy-queries: π£ = 240
β’ πππ―πΈprp
π΅ β 0
45
Theorem: If πΈ βΆ 0,1 π Γ 0,1 π β 0,1 π is a secure PRP then CMAC is UF-CMA secure.
Detailed: (Nandi '09) For any UF-CMA adversary making π Tag-queries, each of max length βπ-bit blocks, and π£ Vrfy-queries, there is a PRP-adversary π΅ such that
πππ―CMACufβcma π΄ β€ πππ―πΈ
prpπ΅ +
5 β β β π2
2π+
π£
2π
πππ―DESβCMACufβcma π΄ β€
5 β 210 β 216 2
264+240
264β
23+10+32
264=
1
219
PMAC
46
π1
πΈπΎ
πΎ1 β πΏ
π2
πΈπΎ
πΎ2 β πΏ
π3
πΈπΎ
πΎ3 β πΏ
π4 pad
πΈπΎ
π
π½ β πΏ (if |pad| = 0)
πΏ = πΉπΎ 0π
πΎπ = Gray codes
PMAC properties
β’ Fully parallelizable
β’ Incremental
β’ One key
β’ UF-CMA secure
β’ β¦not used in practice
47
PMAC πΎ,π1||π2|| β¦ ||π1000 = π
PMAC πΎ,π1||π2β² || β¦ ||π1000 = πΈπΎ πΈπΎ
β1 π β π2 βπ2β²
π2 = πΈπΎ π2 βπΎ2 β πΏ
π2β² = πΈπΎ π2
β² βπΎ2 β πΏ
π2π2β²
Summary
β’ UF-CMA the right security notion for message integrity
β’ Does not cover replay attacks
β’ PRFs are good MACs
β’ But usually of short (fixed) input length
β’ CBC-MAC good MAC for messages of a single fixed length
β’ CMAC upgrades CBC-MAC to variable-length messages
48