--------------------------------------------------------------------------
CSE 227 - Lecture 6 - November 5, 2001
--------------------------------------------------------------------------

Announcements
  o Two hour lecture today, will stop at 8:00 pm, no break
  o Next Monday is a holiday! Reschedule to next Wednesday?
  o Homeworks were improved.

Today:
  1. Security of CBC$
  2. CCA-security and nonmalleability
     2.1 Definition
     2.2 Claim: ind-cca <==> nm-cca <==> nm-cpa
  ---------------------------------------------
  3. Message authentication codes
     3.1 Problem description, syntax, and definition
     3.2 Encrypting-with-redundancy doesn't make a MAC: CBC-with-XOR
     3.3 CBCMAC. Right or wrong? Length variability issue.
     3.4 Achieving it from a PRF. Length issue.
     3.5 Analysis idea: universal hash-function family
         a. Definition
         b. Alternative definition
     3.6 Constructions of \e-AU hash functions
         a. Polynomial evaluation
         b. XORMAC construction
         c. CBCMAC construction
         d. NH construction and UMAC
     3.7 PMAC

_____________________________________________________________________________

1. Security of CBC$ mode
   1.1 ind$-cpa -> rr
   1.2 the BAD-event approach
   1.3 Proof sketch

When in doubt: prove something STRONGER than what you're after.
When in doubt: prove something WEAKER than what you're after.

  Adv^ind$_Pi(A) = Pr[K <- \K; A^{E_K(.)} = 1] - Pr[K <- \K; A^{$^{E_K(.)}} = 1]

All schemes we're interested in actually have the structure that
|E_K(M)| = \ell(|M|), so we can make that assumption if it looks simpler
to you:

  Adv^r$_Pi(A) = Pr[K <- \K; A^{E_K(.)} = 1] - Pr[K <- \K; A^{$^{\ell(|.|)}} = 1]

rr --> r$ ?  NO.  Consider an encryption scheme where ciphertexts always
end in 0.

r$ --> rr ?  YES.  Homework problem A: Let Pi = (K,E,D) be a symmetric
encryption scheme. Show that if Pi is secure in the ind$ sense then Pi is
secure in the rr sense.

-----------------------------------------------------------------
BAD-event approach

Want to show that the CBC$ oracle looks just like a $-oracle.
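The following is an added example, not code from the lecture notes: a runnable Python version of the two-game argument that the steps below set out. Game 1 is real CBC$ over a lazily sampled random function rho (a partial function extended one domain point at a time), Game 2 is the random-bits oracle, and the two differ only once the flag bad is set. The block size n = 12 and the query sizes are constructed parameters chosen so the bad event is frequent enough to observe; the game logic itself follows the pseudocode.

```python
"""Added example: Game 1 / Game 2 for CBC$ over a lazily sampled random function.

n = 12 bits and the query shapes are constructed parameters for illustration.
"""
import random


class CBCGame:
    """Game 1 (game1=True) is real CBC$_rho; Game 2 (game1=False) is the
    random-bits oracle $. Both sample the same random blocks in the same
    order, so two instances driven by identically seeded generators are
    coupled: their outputs differ only after `bad` has been set."""

    def __init__(self, n, game1, rng):
        self.n, self.game1, self.rng = n, game1, rng
        self.rho = {}        # partial function {0,1}^n -> {0,1}^n; dom(rho) = EMPTY
        self.bad = False

    def encrypt(self, blocks):
        """Input M[1..m] (ints < 2^n); returns C[0..m]."""
        C = [self.rng.getrandbits(self.n)]          # C[0] <- {0,1}^n
        for M in blocks:
            X = C[-1] ^ M                           # X[i] = C[i-1] xor M[i]
            Ci = self.rng.getrandbits(self.n)       # C[i] <- {0,1}^n
            if self.game1 and X in self.rho:        # X[i] already in dom(rho)
                self.bad = True
                Ci = self.rho[X]                    # Game 1 must answer consistently
            self.rho[X] = Ci                        # extend (Game 2: overwrite) rho
            C.append(Ci)
        return C


def is_cbc_under_rho(rho, blocks, C):
    """Game 1 invariant: C[i] == rho(C[i-1] xor M[i]) for every block."""
    return all(rho.get(C[i - 1] ^ M) == C[i] for i, M in enumerate(blocks, 1))


def random_queries(rng, n, q, m):
    """q constructed queries of m random n-bit blocks each (s = q*m blocks)."""
    return [[rng.getrandbits(n) for _ in range(m)] for _ in range(q)]


def game1_is_cbc(n=12, q=4, m=4, trials=300, seed=1):
    """Every Game 1 transcript is a CBC_rho encryption, whether or not bad was set."""
    rng = random.Random(seed)
    for _ in range(trials):
        g = CBCGame(n, True, rng)
        queries = random_queries(rng, n, q, m)
        outs = [g.encrypt(Ms) for Ms in queries]
        if not all(is_cbc_under_rho(g.rho, Ms, C) for Ms, C in zip(queries, outs)):
            return False
    return True


def coupled_games_agree_until_bad(n=12, q=4, m=4, trials=2000, seed=2):
    """Drive Game 1 and Game 2 with the same random tape and the same
    queries: the outputs must be identical whenever bad was not set."""
    rng = random.Random(seed)
    saw_bad = False
    for _ in range(trials):
        queries = random_queries(rng, n, q, m)
        tape = rng.getrandbits(64)
        g1 = CBCGame(n, True, random.Random(tape))
        g2 = CBCGame(n, False, random.Random(tape))
        out1 = [g1.encrypt(Ms) for Ms in queries]
        out2 = [g2.encrypt(Ms) for Ms in queries]
        if g2.bad:                       # Game 2 never sets bad
            return False
        if not g1.bad and out1 != out2:  # identical-until-bad violated
            return False
        saw_bad |= g1.bad
    return saw_bad                       # the bad event was actually observed


def estimate_bad_probability(n=12, q=4, m=4, trials=4000, seed=3):
    """Empirical Pr[bad] for s = q*m enciphered blocks."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        g = CBCGame(n, True, rng)
        for Ms in random_queries(rng, n, q, m):
            g.encrypt(Ms)
        hits += g.bad
    return hits / trials


def bad_bound(n, s):
    """The lecture's (loose) bound s^2 / 2^n on Pr[bad]."""
    return s * s / 2 ** n


if __name__ == "__main__":
    print("Game 1 is CBC_rho:", game1_is_cbc())
    print("coupled games agree until bad:", coupled_games_agree_until_bad())
    est, bound = estimate_bad_probability(), bad_bound(12, 16)
    print(f"Pr[bad] ~ {est:.4f}  <=  s^2/2^n = {bound:.4f}")
```

With s = 16 blocks and n = 12 the empirical Pr[bad] comes out near 0.03, below the s^2/2^n = 0.0625 bound; the coupled run is the "identical until bad" step made concrete, since the two games read the same random tape and only diverge on the query that sets the flag.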
Step 1: do it for a random function   <===== Heart of the matter
Step 2: pass to a PRF
Step 3: invoke the switching lemma

Claim for step 1: If A asks at most q queries that total at most sn bits,

  Pr[rho <- Rand(n,n): A^{CBC$_rho(.)} = 1] - Pr[A^$ = 1] <= s^2/2^{n+1}

Game 1: Real CBC_rho            Game 2: Random

On input M[1] M[2] ... M[m] where |M[i]| = n

Initialization: rho is a partial function from {0,1}^n -> {0,1}^n,
initially UNDEFINED at each domain point. Initially dom(rho) = EMPTY.
--------------------------------------------
C[0] <- {0,1}^n
for i = 1 to m do
    X[i] = C[i-1] xor M[i]
    C[i] <- {0,1}^n
    if game1 and X[i] \in dom(rho) then bad = true, C[i] = rho(X[i])
    rho(X[i]) = C[i]
return C[0] C[1] ... C[m]
--------------------------------------------
game1: identical to CBC -- bad is sometimes set
game2: identical to $$  -- bad is never set

Pr[A^CBC = 1] - Pr[A^$ = 1]
  = Pr[A^Game1 = 1] - Pr[A^Game2 = 1]
  = Pr[A^Game1 = 1 | BAD] Pr[BAD] + Pr[A^Game1 = 1 | !BAD] Pr[!BAD] - Pr[A^Game2 = 1]
  <= Pr[BAD] + Pr[A^Game1 = 1 | !BAD] - Pr[A^Game2 = 1]
               ....... these two terms are equal .......
  <= Pr[BAD]

Claim: Suppose A asks queries that result in s blocks being enciphered.
  Pr[bad gets set to true] <= 1/2^n + 2/2^n + ... + (s-1)/2^n <= s^2/2^n

----------------------------------------------------------------------
2. CCA-security and nonmalleability

Explain idea -- secure even if the adversary can DECRYPT chosen
ciphertexts. Huh? Lunchtime attack. Contrived. But wait.

Give the adversary E_K(LR(.,.,b)) and D_K(.). The adversary's job, as
before, is to distinguish b=0 from b=1, i.e.

    left_K(.,.) and D_K(.)   -vs-   right_K(.,.) and D_K(.)

But the adversary could just decrypt an answer! Simply disallow decryption
of C when C is the result of an earlier E_K(LR(.,.,b)) oracle query.

  Adv^lr-cca_Pi(A) = Pr[K <- \K; A^{left_K(.,.), D_K(.)} = 1]
                   - Pr[K <- \K; A^{right_K(.,.), D_K(.)} = 1]

Non-malleability
................

A.
Definition
--------------

  Adv^nm-cpa_Pi(A) = Pr[K <- \K; (M,s) <- A(); x <- M; y <- E_K(x);
                        (R,y') <- A(M,s,y); x' <- D_K(y') : y' \ne y and R(x,x')]
                   - Pr[K <- \K; (M,s) <- A(); x,x* <- M; y <- E_K(x*);
                        (R,y') <- A(M,s,y); x' <- D_K(y') : y' \ne y and R(x,x')]

Claim: ind-cca <==> nm-cca <==> nm-cpa

Proof. Not hard, but I'll omit it.

--------------------------------------------------------------------------
Message authentication

  Pi = (K, MACG, MACV)

            K                                   K
            |                                   |
    M ----> MACG_K(M) = sigma -------------->  MACV_K(M, sigma) = 0 or 1
    S                                           R

1. Encrypting with redundancy doesn't do the trick. Have the students break
   CBC-with-XOR-of-blocks-at-end.
2. How to MAC one bit
3. How to MAC a one-block message
4. How to MAC a many-block message -- raw CBC encryption, 0 IV: raw CBCMAC
   CORRECT METHODS: encrypted CBCMAC, XORMAC
5. A general approach
   a. Make a PRF which operates on messages of arbitrary bit length
   b. Proposition [PRFs are good MACs]:
   ---------------------------------
   Let F: \K x \M -> \bits^n be a PRF and let A be an adversary that
   attacks F, as a MAC, achieving advantage Adv^mac_F(A) = delta, running
   in time t and making q oracle queries, these queries, plus the length
   of A's forgery attempt, comprising mu bits. Then there exists an
   adversary B that attacks F as a PRF, runs in time t', asks q' queries,
   these totalling mu' bits, and achieves advantage \delta' = Adv^prf_F(B)
   where
       t'     = t + tiny
       q'     = q + 1
       mu'    = mu
       delta' >= delta - 2^{-n}

   Give reduction:

Universal-hash-functions
-------------------------

A function family is a family of functions H = {H_K: D -> R}, one for each
K \in \K, where there is a distribution on \K (usually it is just a finite
set, in which case the distribution is always the uniform one). Sets
D, R \subseteq \bits^* and most often R = \bits^n for some n.

Def: H = {H_K: D -> R} is \e-AU if for all distinct M, M' in D,
     Pr[H_K(M) = H_K(M')] <= \e.
Different viewpoint:

      ask adversary for M
      ask adversary for M'
    * K <- \K; tell adversary K
    ------------------------------------
    Adversary wins if H_K(M) = H_K(M')

  Adv^univ_H(A) = Pr[(M,M') <- A; K <- \K : M \ne M' and H_K(M) = H_K(M')]
  Adv^univ_H(t,mu) = max {...}

Variants:

collision-intractable hash function:
    * K <- \K; tell adversary K
      ask adversary for M
      ask adversary for M'
    ------------------------------------
    Adversary wins if H_K(M) = H_K(M')
  Adv^coll(A)

"target-collision intractable" (TCR), "weakly collision-intractable":
      ask adversary for M
    * K <- \K; tell adversary K
      ask adversary for M'
    ------------------------------------
    Adversary wins if H_K(M) = H_K(M')

These two variants NEED cryptography, but AU doesn't. Lots of
constructions known.

Example 1.
----------
Think of M = M[m-1] ... M[1], the message we want to hash, as n-bit
strings (where n = 128, say). Think of K as a random n-bit string. Form
the polynomial

  M(x) = x^m + M[m-1] x^{m-1} + M[m-2] x^{m-2} + ... + M[1] x + M[0]

Now evaluate this polynomial, over GF(2^n), at K. That is the hash:
H_K(M) = M(K) (in GF(2^n)).

If M and M' are distinct, each of m-1 or fewer blocks, what is
Pr_K[H_K(M) = H_K(M')]?  This is Pr[M(K) = M'(K)] for distinct
polynomials M, M' of degree at most m.

Fundamental theorem of algebra: if two polynomials of degree d agree on
d+1 points, then they are identical (a degree-d polynomial is determined
by d+1 points). So M(x) and M'(x) can agree on at most m out of 2^n
points, so if a random point K is chosen, Pr[M(K) = M'(K)] <= m/2^n.

Lots of other such constructions.

Example 2. (NH hash)
---------------------
Let M = M[1] ... M[2m] where each M[i] is 16 bits. Let K = K[1] ... K[2m]
where each K[i] is 16 bits. To hash M using K, compute

    (M[1]    +16 K[1])    *32 (M[2]  +16 K[2])    +32
    (M[3]    +16 K[3])    *32 (M[4]  +16 K[4])    +32
    ...                                           +32
    (M[2m-1] +16 K[2m-1]) *32 (M[2m] +16 K[2m])

where +16 is addition mod 2^16, *32 is the 32-bit product of two 16-bit
values, and +32 is addition mod 2^32.

Example 3 (xormac-core)
------------------------
Let rho be a random function from n bits to n bits (n even). Let
M = M[1] ...
M[m] where each M[i] is n/2 bits and m < 2^{n/2}. Define

  H_rho(M) = rho([1] M[1]) xor rho([2] M[2]) xor ... xor rho([m] M[m])

where [i] is the n/2-bit encoding of the block index i.

Claim: If M, M' are distinct messages (having fewer than 2^{n/2} n/2-bit
blocks) then Pr[H_rho(M) = H_rho(M')] = 2^{-n}.

Proof.
case 1: one message has more blocks than the other, say
    M[1] M[2] M[3] M[4] M[5]
    m[1] m[2] m[3]
  Then Pr[H_rho(M) = H_rho(M')] = Pr[rho([5] M[5]) = random-something],
  where something is independent of rho([5] M[5]). So 2^{-n}.
case 2: same number of blocks, one M[i] \ne m[i]. Then
  Pr[H_rho(M) = H_rho(M')] = Pr[rho([i] M[i]) = random-something], where
  something is independent of rho([i] M[i]). So 2^{-n}.

Example 4 (CBCMAC)
-------------------

Using a universal hash function to make a VIL-PRF
------------------------------------------------
Given H: \K1 x D -> {0,1}^n, a universal hash function, and
      F: \K2 x {0,1}^n -> {0,1}^n, a PRF,
define
  F_{K1,K2}(M) = F_{K2}(H_{K1}(M)).
Claim that this is a good PRF.

---------
Proposition: Let H: D -> {0,1}^n be \delta-AU, and let F: {0,1}^n ->
{0,1}^n be a PRF. Suppose A attacks F[H] in time t, asking q queries,
these totalling mu bits, achieving advantage \e = Adv^prf_{F[H]}(A). Then
there is an adversary B that attacks F in time t', asks q' queries, these
totalling mu' bits, achieving advantage \e', where
    t'  = t + TimeHKey(K1) + TimeHcompute(mu)
    q'  = q + 1
    mu' = qn
    \e' = \e - q \delta - 1/2^n

A has oracle f; B has oracle g.
---------
Construct B as follows:
    K1 <- \K1
    Run A. When A makes an oracle query M, compute m = H_K1(M).
        If m collides with any earlier value of m, then halt (we lose).
            // don't really have to execute
        Call the oracle, g(m), and return the answer to A.
    When A halts, outputting some pair (M, tag):
        Compute m = H_K1(M).
        If M is a repeated value from before, halt.  // we lose
        If m collides with any earlier value of m, then halt (we lose).
            // don't really have to execute
        Compute tag' = g(m).
        If tag' = tag then return 1 ("real") else return 0 ("random").

B halts early with probability at most q\delta.
When B doesn't halt early and g is a random function, A's forgery verifies with probability 2^{-n}.
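As an added example that is not code from the lecture, the following Python puts together Example 1 (polynomial-evaluation hashing over GF(2^n)) and the F[H] composition just analysed, and uses the result as a MAC in the "PRFs are good MACs" sense (tag = F_{K2}(H_{K1}(M)), verify by recomputing). GF(2^8) with the modulus x^8+x^4+x^3+x+1 is used for an exhaustive check of the m/2^n collision bound; the MAC hashes over GF(2^128) with the modulus x^128+x^7+x^2+x+1, and the PRF F_{K2} on 128-bit inputs is stood in for by HMAC-SHA256 truncated to 128 bits (an assumption; any PRF on 128-bit inputs would do). The 10* padding to whole blocks, which keeps the block encoding injective, and the key values are constructed for the example.

```python
"""Added example: polynomial-evaluation AU hash over GF(2^n) and F[H] = F_K2(H_K1(.)).

HMAC-SHA256 (truncated) stands in for the PRF F; keys and padding are constructed.
"""
import hashlib
import hmac
import random

GF8_POLY = 0x11B                  # x^8 + x^4 + x^3 + x + 1 (GF(2^8), for exhaustive checks)
GF128_POLY = (1 << 128) | 0x87    # x^128 + x^7 + x^2 + x + 1 (GF(2^128), for the MAC)


def gf_mul(a, b, n, poly):
    """Multiply in GF(2^n) = GF(2)[x]/(poly), poly of degree n; shift-and-add."""
    r, top = 0, 1 << n
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & top:          # reduce when the degree reaches n
            a ^= poly
    return r


def poly_hash(K, blocks, n, poly):
    """H_K(M) = M(K) for M(x) = x^m + M[m-1] x^{m-1} + ... + M[0], blocks[i] = M[i].

    Horner's rule from the leading term down; the monic x^m term ties the
    hash to the block count m, so messages of different lengths give
    different polynomials."""
    acc = 1
    for c in reversed(blocks):
        acc = gf_mul(acc, K, n, poly) ^ c
    return acc


def collision_keys(M1, M2, n=8, poly=GF8_POLY):
    """All keys K in GF(2^n) with H_K(M1) == H_K(M2): at most max(m1, m2) of them."""
    return [K for K in range(1 << n) if poly_hash(K, M1, n, poly) == poly_hash(K, M2, n, poly)]


def collision_bound_holds(m_max=3, trials=200, seed=7, n=8, poly=GF8_POLY):
    """Random distinct pairs of <= m_max blocks never collide on more than m_max keys."""
    rng = random.Random(seed)
    for _ in range(trials):
        M1 = [rng.randrange(1 << n) for _ in range(rng.randint(0, m_max))]
        M2 = [rng.randrange(1 << n) for _ in range(rng.randint(0, m_max))]
        if M1 != M2 and len(collision_keys(M1, M2, n, poly)) > m_max:
            return False
    return True


def to_blocks(msg):
    """Injective encoding: append 0x80 then zeros up to a multiple of 16 bytes,
    then split into 128-bit blocks (constructed padding, M[0] first)."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % 16)
    return [int.from_bytes(padded[i:i + 16], "big") for i in range(0, len(padded), 16)]


def prf(K2, x):
    """Stand-in PRF F_K2: {0,1}^128 -> {0,1}^128 (assumption: HMAC-SHA256 truncated)."""
    return hmac.new(K2, x.to_bytes(16, "big"), hashlib.sha256).digest()[:16]


def mac_gen(K1, K2, msg):
    """MACG_{K1,K2}(M) = F_K2(H_K1(M)); K1 is an int < 2^128, K2 bytes."""
    return prf(K2, poly_hash(K1, to_blocks(msg), 128, GF128_POLY))


def mac_verify(K1, K2, msg, tag):
    """MACV: recompute the tag and compare in constant time; 1 if valid, else 0."""
    return 1 if hmac.compare_digest(mac_gen(K1, K2, msg), tag) else 0


if __name__ == "__main__":
    # [1,2,3] vs [1,2]: the difference polynomial is x^3 + 2x^2 = x^2 (x + 2),
    # so exactly the keys 0 and 2 collide: 2 <= m = 3 keys out of 256.
    print("colliding keys:", collision_keys([1, 2, 3], [1, 2]))
    print("m/2^n bound holds on random pairs:", collision_bound_holds())
    K1 = 0x0123456789ABCDEF0123456789ABCDEF      # constructed hash key
    K2 = b"constructed-prf-key-for-example"       # constructed PRF key
    tag = mac_gen(K1, K2, b"transfer 100")
    print("verify genuine:", mac_verify(K1, K2, b"transfer 100", tag))
    print("verify altered:", mac_verify(K1, K2, b"transfer 900", tag))
```

The exhaustive GF(2^8) search shows the m/2^n argument as a count: two distinct polynomials of degree at most m agree at no more than m of the 2^n field points. In the MAC, the hash key K1 must stay secret and fixed per PRF key, since the AU property only bounds collisions over a random, unknown K; the PRF applied afterwards is what turns the small collision probability into unforgeability, as in the proposition above.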