1 / 34

Introduction to Cryptography: Understanding MACs and Hash Functions

This lecture covers the concepts of MACs (Message Authentication Codes) and hash functions, including their properties, usage, and security. It also discusses different attacks and fixes for naive CBC-MAC and introduces the notion of collision resistance and second preimage resistance in hash functions.

jbroyles
Download Presentation

Introduction to Cryptography: Understanding MACs and Hash Functions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. B504/I538:Introduction to Cryptography Spring 2017•Lecture 12 (2017—02—16)

  2. About crypto! Free pizza+brownies! 1 week from today!

  3. Recall: MAC existential forgery game Challenger (C) Forger (A) 1n 1n k←Gen(1n) m1 m1∈M∖{m} t1 t1←MACk(m1) m2 m2∈M∖{m} t2 t2←MACk(m2) mn mn∈M∖{m} tn (m,t) tn←MACk(mn) LetEbe the event that (m,t)∉{(m1,t1),…,(mn,tn)}yet Verk(m,t)=1 Define A’s advantage to be AdvMAC-strong-ex-forge(A)≔Pr[E]

  4. Recall: Naïve CBC-MAC • Let {fk}k{0,1}*be a PRF family • Gen(1n) outputs a uniform random key k∊{0,1}n • MACk(m) does the following: • Split m into n-bit blocks m1,…,mn • Initialize t0={0}n • Compute ti=Fk(ti-1⊕mi) • Output the tag t≔tn • Verk(m,t) outputs 1 if t=MACk(m) and 0 otherwise

  5. Recall: Naïve CBC-MAC m≔m1∥m2∥⋯∥mℓ k m2 k m1 k mℓ ⋯ Πk Πk Πk t2 t1 tℓ 0ⁿ tℓ

  6. existential unforgeability of Recall: Attacking naïve CBC-MAC Challenger (C) Forger (A) 1n 1n k←Gen(1n) m m {0,1}n t t←MACk(m) m‘≔m∥(m⊕t) (m’,t) A’s output is a valid forgery because Fk(m’)=Fk((m⊕t)⊕t)=Fk(m)=t

  7. CBC-MAC fix #1: Prepend the block-length m≔m1∥m2∥⋯∥mℓ k m2 k m1 k mℓ ⋯ Πk Πk Πk t2 t1 tℓ Fk(ℓ) tℓ IV = Fk(block length) (input padded to block size) Intuitively, MAC on n-block message is useless for forging MACs on n’-block messages

  8. CBC-MAC fix #2: Length-specific key kℓ = Fk(block length) (input padded to block size) m≔m1∥m2∥⋯∥mℓ kℓ m2 kℓ m1 kℓ mℓ ⋯ Πkℓ Πkℓ Πkℓ t2 t1 tℓ 0ⁿ tℓ Again, MAC on n-block message is useless for forging MACs on n’-block messages

  9. CBC-MAC fix #3: Nested CBC-MAC (NMAC) kℓ = Fk(block length) (input padded to block size) m≔m1∥m2∥⋯∥mℓ k1 m2 k1 m1 k1 mℓ ⋯ Πk1 Πk1 Πk1 t2 t1 0ⁿ k2 Πk2 t Compute Naïve CBC-MAC with first key MAC the Naïve CBC-MAC with second key

  10. CBC-MAC versus CBC mode encryption • CBC mode encryption requires uniform random IV • Otherwise, it is not IND-CPA secure! • CBC-MAC requires fixed IV • Otherwise, it is not existentially unforgeable! • CBC mode encryption outputs each block • Otherwise, it is not correct! • CBC-MAC only outputs a single block (the last one) • Otherwise, it is not existentially unforgeable ! • CBC mode encryption requires a PRP • Otherwise, it is not correct! • CBC-MAC only requires a PRF

  11. (Non-cryptographic) Hash functions Defn: A hash function is a PPT function H: {0, 1}*→{0, 1}sthat maps arbitrary-length bit strings intofixed-length bit strings. The output of a hash function is called a ”hash”, ”digest”, or ”fingerprint” of the input Fingerprints Hash function 00 Alice 01 02 03 Bob 04 05 Charlie … 13 Eve 14 15

  12. Hash function collisions Defn: Let H be a function taking on values in {0, 1}*. A collision for H is an ordered pair (m0, m1) {0, 1}* of distinct inputs such that H(m0) = H(m1). Pigeon-hole principle: If the domain of H is (much) larger than its range, then (many) collisions must exist! collision more pigeons → more collisions "TooManyPigeons" by en:User:McKay - Transferred from en.wikipedia; Original text : Edited from Image:Pigeons-in-holes.jpg by en:User:BenFrantzDale. Licensed under CC BY-SA 3.0 via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:TooManyPigeons.jpg#mediaviewer/File:TooManyPigeons.jpg

  13. Collision resistance • Intuitively, we want to say that no PPT algorithm can find a collision for H, except with a probability that is negligible in s (the length of the output) Q: How do we formalize this notion? A: Very carefully… • Difficulty: once H is fixed, it is trivial to define a PPT algorithm that has a collision for H “hard-coded”

  14. Keyed hash functions Defn: A keyed hash function with output length (s) is a pair of PPT algorithms (Gen, H) such that • Gen(1s) outputs a uniform random key in k {0, 1}s • H(k, x) outputs a fingerprint y {0, 1}(1k1) x {0, 1}* Idea: Define collision resistance to require that no PPT algorithm can find a collision for Hwhen the key is selected at random, except with probability negligible in s.

  15. Collision-finding game Challenger (C) Attacker (A) 1s 1s k k ← Gen(1s) (m0, m1) Let E be the event that m0≠ m1and H(k, m0) = H(k, m1) Define A’s advantage to be Advcollision(A) := Pr[E] Defn: A keyed hash function (Gen, H) is collision resistant if, for every PPT attacker A, there exists a negligible function such that Advcollision(A) ≤ (s).

  16. Second preimage resistance a.k.a target collision resistance • Informally, a keyed hash function (Gen, H) is second preimage resistant if no PPT attacker can, given m0 {0, 1 }* and k←Gen(1s), output m1 {0, 1}* such that m0≠ m1and H(k,m0) = H(k, m1) except with probability negligible in s.

  17. Second-preimage-finding game Challenger (C) Attacker (A) 1s k 1s, m0{0, 1}* k ← Gen(1s) m1 Let E be the event that m0≠ m1and H(k, m0) = H(k, m1) Define A’s advantage to be Adv2-preimage(A) := Pr[E] Defn: A keyed hash function (Gen, H) is second preimage resistant if, for every PPT attacker A, there exists a negligible function such that Adv2-preimage(A) ≤ (s).

  18. Second preimage resistance Thm: If (Gen, H) is collision resistant, then it is also second preimage resistant. Proof: Just note that a second preimage is a collision. Q: Is the converse of this theorem true? A: No! (But why?)

  19. Preimage resistance a.k.a one-wayness • Informally, a keyed hash function (Gen, H) is preimage resistant if no PPT attacker can, given k←Gen(1s) and y {0, 1}(s)output m {0, 1}* such that H(k, m) = y except with probability negligible in s.

  20. Preimage-finding game Challenger (C) Attacker (A) 1n 1n, y∈{0,1}ℓ(n) k k←Gen(1n) m Let E be the event that H(k, m) = y Define A’s advantage to be Advpreimage(A) := Pr[E] Defn: A keyed hash function (Gen, H) is preimage resistant if, for every PPT attacker A, there exists a negligible function such that Advpreimage(A) ≤ (s).

  21. Preimage resistance Thm: If (Gen, H) is preimage resistant for randomly selected inputs, then it is also second preimage resistant. Proof (sketch): Suppose that A breaks preimage resistance. - Given k and m, compute y = H(k, m) - Now use A to find a preimage of y. - Since y has many preimages, with high probability that preimage that A finds will not be m! Q: Is the converse of this theorem true? A: No! (But why?)

  22. (One-way) compression functions • Intuitively, a (one-way) compression function is a keyed function h with three properties: • Efficient: There exists a PPT algorithm that evaluates h • Compression: h maps 2s-bit strings and to s-bit strings • One-way: Given an output of h, it is difficult to find any input that maps to that output Q: On average, how many inputs map to each output? A: About 2s (This is the opposite of what you want from non-cryptographic compression functions)

  23. Merkle-Damgård construction m1 . . .

  24. Davies-Meyer compression function Thm: If F is a PRF, then the Davies-Meyer compression function is collision resistant. In particular, finding a collision requires O(2n/2) evaluations of F on average. mi  zi F mi(zi-1) := Fmi(zi-1) zi-1 zi-1

  25. Recall: Nested CBC-MAC (NMAC) k1 k1 k1 m1    . . . k2 Compute Naïve CBC-MAC with first key MAC the Naïve CBC-MAC with second key

  26. Hash-based MAC (HMAC) • The most widely used MAC algorithm in practice • Hs is a collision-resistant (keyed) hash function • k is the secret MAC key • opad= 0x5c5c5c...5c • ipad= 0x363636...36 1 block "outer" pad HMACs,k(m) := Hs((k opad) 11Hs((k ipad) 11 m )) "inner" pad n blocks 1 block Chosen so that (opadipad )has large Hamming weight

  27. HMAC k ipad . . . k opad

  28. Simpler HMAC constructions? Q: Is H(k 11 m) a secure MAC? A:No!(But why?) • Suppose H is constructed using Merkle-Damgård construction • Given (m, H(k 11 m)) it is easy to compute m' := m 11 m'' and t' such that t' = H(k 11 m')! (But how?) • Just set t' = H(t 11 m'') Q: Is H(m 11 k) a secure MAC? A: Errr, well....sort of!? It's not as secure as HMAC! (But why?) • If H(m0) = H(m1) then H(m0 11 k) = H(m1 11 k) • Weakness in collision-resistance of H implies weakness in HMAC

  29. Simpler HMAC constructions? Q: Is H(k 11 m 11 k) a secure HMAC? A: I don't know! Possibly? • This is essentially HMAC without ipad and opad • Proof of existential unforgeability for HMAC requires that ipadand opaddiffer in at least one bit! • H(k 11 m 11 k) falls to "target prefix collision" attacks against H

  30. Generic birthday attack • Let H: {0, 1}*→{0, 1}s and consider the following algorithm: • Choose N :=(5/4) · 2s/2distinct messages, m1,..., mN, each uniformly at random • For i = 1,..., N, compute yi := H(mi) • If yi = yjfor some i≠ j, then output (mi, mj) Thm (birthday paradox): Let r1,..., rNbe independently and identically distributed random variables taking on values in {0, 1}s. If N = (5/4)· 2s/2, then Pr[ i≠ j, ri = rj ]≥ 1/2.

  31. Generic birthday attack Thm (birthday paradox): Let r1,..., rNbe independently and identically distributed random variables taking on values in {0, 1}s. If N = (5/4)· 2s/2, then Pr[ i≠ j, ri = rj ]> 1/2. Proof (for uniform random variables): Pr[i≠ j, ri = rj ] = 1 - Pr[i≠ j, ri≠rj ] = 1 - ((2s-1)/2s)((2s-2)/2s) . . . ((2s-N+1)/2s) = 1 - ≥ 1 - -i/2s (1-x ≤ e-x) = 1 - e-1/2s∑i ≥ 1 - e-(N2/2)/2s = 1 - e-((5/4 2s/2)2/2)/2s = 1-e-25/32≥ 0.54

  32. Generic birthday attack • Obs: An attacker A that uses the generic birthday attack can find collisions with advantage Advcollision(A) > 1/2 in O(s·2s/2) time (albeit with O(s·2s/2) storage Q: Is this a problem? A: No!(in theory); Possibly! (in practice) • Real hash functions have fixed-length outputs • Need to ensure that 2s/2work is infeasible....or do we? Memory is scarcer than time Q: Is it sufficient to ensure no real attacker can store s·2s/2 bits? A: Perhaps surprisingly, no!

  33. "Small-space" birthday attack • Consider an attacker A that works as follows: • Choose a random initial value m0 • Set m := m0and m' := m0 • For i = 1, 2, 3,..., do the following • Compute m := H(m) and m' := H(H(m'))//nowm = H(i)(m0) and m' = H(2i)(m0) • If m == m', break from loop • Set m' := m and m := m0 • For j = 1, . . ., i, do the following • If H(m) == H(m'), return (m, m') • Else, set m := H(m) and m' := H(m')//nowm = H(j)(m0) andm' = H(i+j)(m0) Thm: The above small-space birthday attack finds a collision with probability at least 1/2 in O(s·2s/2) time using O(1) storage.

  34. That’s all for today, folks!

More Related