
4.3 Constructing Secure Message Authentication Codes

4.3.2 Domain Extension for MACs

Construction 4.5 is important in that it shows a general paradigm for constructing secure message authentication codes from pseudorandom functions. Unfortunately, the construction is only capable of handling fixed-length messages that are furthermore rather short.³ These limitations are unacceptable in most applications. We show here how a general MAC, handling arbitrary-length messages, can be constructed from any fixed-length MAC for messages of length $n$. The construction we show is not very efficient and is unlikely to be used in practice. Indeed, far more efficient constructions of secure MACs are known, as we discuss in Sections 4.4 and 5.3.2. We include the present construction for its simplicity and generality.

Let $\Pi' = (\mathsf{Mac}', \mathsf{Vrfy}')$ be a secure fixed-length MAC for messages of length $n$. Before presenting the construction of a MAC for arbitrary-length messages based on $\Pi'$, we rule out some simple ideas and describe some canonical attacks that must be prevented. Below, we parse the message $m$ to be authenticated as a sequence of blocks $m_1, \ldots, m_d$; note that, since our aim is to handle messages of arbitrary length, $d$ can vary from message to message.

1. A natural first idea is to simply authenticate each block separately, i.e., compute $t_i := \mathsf{Mac}'_k(m_i)$ for all $i$, and output $\langle t_1, \ldots, t_d \rangle$ as the tag. This prevents an adversary from sending any previously unauthenticated block without being detected. However, it does not prevent a block re-ordering attack in which the attacker shuffles the order of blocks in an authenticated message. Specifically, if $\langle t_1, t_2 \rangle$ is a valid tag on the message $m_1, m_2$ (with $m_1 \neq m_2$), then $\langle t_2, t_1 \rangle$ is a valid tag on the (different) message $m_2, m_1$ (something that is not allowed by Definition 4.2).

2. We can prevent the previous attack by authenticating a block index along with each block. That is, we now compute $t_i = \mathsf{Mac}'_k(i \| m_i)$ for all $i$, and output $\langle t_1, \ldots, t_d \rangle$ as the tag. (Note that the block length $|m_i|$ will have to change.) This does not prevent a truncation attack whereby an attacker simply drops blocks from the end of the message (and drops the corresponding blocks of the tag as well).

3. The truncation attack can be thwarted by additionally authenticating the message length along with each block. (Authenticating the message length as a separate block does not work. Do you see why?) That is, compute $t_i = \mathsf{Mac}'_k(\ell \| i \| m_i)$ for all $i$, where $\ell$ denotes the length of the message in bits. (Once again, the block length $|m_i|$ will need to decrease.) This scheme is vulnerable to a "mix-and-match" attack where the adversary combines blocks from different messages. For example, if the adversary obtains tags $\langle t_1, \ldots, t_d \rangle$ and $\langle t'_1, \ldots, t'_d \rangle$ on messages $m = m_1, \ldots, m_d$ and $m' = m'_1, \ldots, m'_d$, respectively, it can output the valid tag $\langle t_1, t'_2, t_3, t'_4, \ldots \rangle$ on the message $m_1, m'_2, m_3, m'_4, \ldots$.

We can prevent this last attack by also including a random "message identifier" along with each block that prevents blocks from different messages from being combined. This leads us to Construction 4.7.

³ Given a pseudorandom function taking arbitrary-length inputs, Construction 4.5 would yield a secure MAC for arbitrary-length messages; a pseudorandom function with a larger domain would yield a secure MAC for longer messages. However, existing practical pseudorandom functions (i.e., block ciphers) take short, fixed-length inputs.

CONSTRUCTION 4.7

Let $\Pi' = (\mathsf{Mac}', \mathsf{Vrfy}')$ be a fixed-length MAC for messages of length $n$. Define a MAC as follows:

• Mac: on input a key $k \in \{0,1\}^n$ and a message $m \in \{0,1\}^*$ of (nonzero) length $\ell < 2^{n/4}$, parse $m$ into $d$ blocks $m_1, \ldots, m_d$, each of length $n/4$. (The final block is padded with 0s if necessary.) Choose a uniform identifier $r \in \{0,1\}^{n/4}$. For $i = 1, \ldots, d$, compute $t_i \leftarrow \mathsf{Mac}'_k(r \| \ell \| i \| m_i)$, where $i, \ell$ are encoded as strings of length $n/4$.† Output the tag $t := \langle r, t_1, \ldots, t_d \rangle$.

• Vrfy: on input a key $k \in \{0,1\}^n$, a message $m \in \{0,1\}^*$ of length $\ell < 2^{n/4}$, and a tag $t = \langle r, t_1, \ldots, t_{d'} \rangle$, parse $m$ into $d$ blocks $m_1, \ldots, m_d$, each of length $n/4$. (The final block is padded with 0s if necessary.) Output 1 if and only if $d' = d$ and $\mathsf{Vrfy}'_k(r \| \ell \| i \| m_i, t_i) = 1$ for $1 \le i \le d$.

† Note that $i$ and $\ell$ can be encoded using $n/4$ bits because $i, \ell < 2^{n/4}$.

A MAC for arbitrary-length messages from any fixed-length MAC. (Technically, the scheme only handles messages of length less than $2^{n/4}$. Asymptotically, since this is an exponential bound, honest parties will not authenticate messages that long and any polynomial-time adversary could not submit messages that long to its MAC oracle. In practice, when a concrete value of $n$ is fixed, one must ensure that this bound is acceptable.)

THEOREM 4.8 If $\Pi'$ is a secure fixed-length MAC for messages of length $n$, then Construction 4.7 is a secure MAC (for arbitrary-length messages).

PROOF The intuition is that as long as $\Pi'$ is secure, an adversary cannot introduce a new block with a valid tag. Furthermore, the extra information included in each block prevents the various attacks (dropping blocks, re-ordering blocks, etc.) sketched earlier. We will prove security by essentially showing that these attacks are the only ones possible.

Let $\Pi$ be the MAC given by Construction 4.7, and let $\mathcal{A}$ be a probabilistic polynomial-time adversary. We show that $\Pr[\textsf{Mac-forge}_{\mathcal{A},\Pi}(n) = 1]$ is negligible. We first introduce some notation that will be used in the proof. Let $\mathsf{Repeat}$ denote the event that the same random identifier appears in two of the tags returned by the MAC oracle in experiment $\textsf{Mac-forge}_{\mathcal{A},\Pi}(n)$. Letting $(m, t = \langle r, t_1, \ldots \rangle)$ denote the final output of $\mathcal{A}$, where $m = m_1, \ldots$ has length $\ell$, we let $\mathsf{NewBlock}$ be the event that at least one of the blocks $r \| \ell \| i \| m_i$ was never previously authenticated by $\mathsf{Mac}'$ in the course of answering $\mathcal{A}$'s $\mathsf{Mac}$ queries. (Note that, by construction of $\Pi$, it is easy to tell exactly which blocks are authenticated by $\mathsf{Mac}'_k$ when computing $\mathsf{Mac}_k(m)$.) Informally, $\mathsf{NewBlock}$ is the event that $\mathcal{A}$'s forgery contains a block that was never authenticated by the underlying fixed-length MAC $\Pi'$. We have

$$
\begin{aligned}
\Pr[\textsf{Mac-forge}_{\mathcal{A},\Pi}(n) = 1]
&= \Pr[\textsf{Mac-forge}_{\mathcal{A},\Pi}(n) = 1 \wedge \mathsf{Repeat}] \\
&\quad + \Pr[\textsf{Mac-forge}_{\mathcal{A},\Pi}(n) = 1 \wedge \overline{\mathsf{Repeat}} \wedge \mathsf{NewBlock}] \\
&\quad + \Pr[\textsf{Mac-forge}_{\mathcal{A},\Pi}(n) = 1 \wedge \overline{\mathsf{Repeat}} \wedge \overline{\mathsf{NewBlock}}] \\
&\le \Pr[\mathsf{Repeat}] \\
&\quad + \Pr[\textsf{Mac-forge}_{\mathcal{A},\Pi}(n) = 1 \wedge \mathsf{NewBlock}] \\
&\quad + \Pr[\textsf{Mac-forge}_{\mathcal{A},\Pi}(n) = 1 \wedge \overline{\mathsf{Repeat}} \wedge \overline{\mathsf{NewBlock}}]. \qquad (4.3)
\end{aligned}
$$

We show that the first two terms of Equation (4.3) are negligible, and the final term is 0. This implies $\Pr[\textsf{Mac-forge}_{\mathcal{A},\Pi}(n) = 1]$ is negligible, as desired.

CLAIM 4.9 $\Pr[\mathsf{Repeat}]$ is negligible.

PROOF Let $q(n)$ be the number of MAC oracle queries made by $\mathcal{A}$. To answer the $i$th oracle query of $\mathcal{A}$, the oracle chooses $r_i$ uniformly from a set of size $2^{n/4}$. The probability of event $\mathsf{Repeat}$ is exactly the probability that $r_i = r_j$ for some $i \neq j$. Applying the "birthday bound" (Lemma A.15), we have that

$$\Pr[\mathsf{Repeat}] \le \frac{q(n)^2}{2^{n/4}}.$$

Since $\mathcal{A}$ makes only polynomially many queries, this value is negligible.

We next consider the final term on the right-hand side of Equation (4.3). We argue that if $\textsf{Mac-forge}_{\mathcal{A},\Pi}(n) = 1$, but $\mathsf{Repeat}$ did not occur, then it must be the case that $\mathsf{NewBlock}$ occurred. That is, $\textsf{Mac-forge}_{\mathcal{A},\Pi}(n) = 1 \wedge \overline{\mathsf{Repeat}}$ implies $\mathsf{NewBlock}$, and so

$$\Pr[\textsf{Mac-forge}_{\mathcal{A},\Pi}(n) = 1 \wedge \overline{\mathsf{Repeat}} \wedge \overline{\mathsf{NewBlock}}] = 0.$$

This is, in some sense, the heart of the proof.

Again let $q = q(n)$ denote the number of MAC oracle queries made by $\mathcal{A}$, and let $r_i$ denote the random identifier used to answer the $i$th oracle query of $\mathcal{A}$. If $\mathsf{Repeat}$ does not occur then the values $r_1, \ldots, r_q$ are distinct. Let $(m, t = \langle r, t_1, \ldots \rangle)$ be the output of $\mathcal{A}$, with $m = m_1, \ldots$. If $r \notin \{r_1, \ldots, r_q\}$, then $\mathsf{NewBlock}$ clearly occurs. If not, then $r = r_j$ for some unique $j$, and the blocks $r \| \ell \| 1 \| m_1, \ldots$ could then not possibly have been authenticated during the course of answering any $\mathsf{Mac}$ queries other than the $j$th such query. Let $m^{(j)}$ be the message that was used by $\mathcal{A}$ for its $j$th oracle query, and let $\ell_j$ be its length. There are two cases to consider:

Case 1: $\ell \neq \ell_j$. The blocks authenticated when answering the $j$th $\mathsf{Mac}$ query all have $\ell_j \neq \ell$ in the second position. So $r \| \ell \| 1 \| m_1$, in particular, was never authenticated in the course of answering the $j$th $\mathsf{Mac}$ query, and $\mathsf{NewBlock}$ occurs.

Case 2: $\ell = \ell_j$. If $\textsf{Mac-forge}_{\mathcal{A},\Pi}(n) = 1$, then we must have $m \neq m^{(j)}$. Let $m^{(j)} = m^{(j)}_1, \ldots$. Since $m$ and $m^{(j)}$ have equal length, there must be at least one index $i$ for which $m_i \neq m^{(j)}_i$. The block $r \| \ell \| i \| m_i$ was then never authenticated in the course of answering the $j$th $\mathsf{Mac}$ query. (Because $i$ is included in the third position of the block, the block $r \| \ell \| i \| m_i$ could only possibly have been authenticated if $r \| \ell \| i \| m_i = r_j \| \ell_j \| i \| m^{(j)}_i$, but this is not true since $m_i \neq m^{(j)}_i$.)

To complete the proof of the theorem, we bound the second term on the right-hand side of Equation (4.3):

CLAIM 4.10 $\Pr[\textsf{Mac-forge}_{\mathcal{A},\Pi}(n) = 1 \wedge \mathsf{NewBlock}]$ is negligible.

The claim relies on security of $\Pi'$. We construct a ppt adversary $\mathcal{A}'$ who attacks the fixed-length MAC $\Pi'$ and succeeds in outputting a valid forgery on a previously unauthenticated message with probability

$$\Pr[\textsf{Mac-forge}_{\mathcal{A}',\Pi'}(n) = 1] \ge \Pr[\textsf{Mac-forge}_{\mathcal{A},\Pi}(n) = 1 \wedge \mathsf{NewBlock}]. \qquad (4.4)$$

Security of $\Pi'$ means that the left-hand side is negligible, proving the claim.

The construction of $\mathcal{A}'$ is the obvious one and so we describe it briefly. $\mathcal{A}'$ runs $\mathcal{A}$ as a sub-routine, and answers the request by $\mathcal{A}$ for a tag on $m$ by choosing $r \leftarrow \{0,1\}^{n/4}$ itself, parsing $m$ appropriately, and making the necessary queries to its own MAC oracle $\mathsf{Mac}'_k(\cdot)$. When $\mathcal{A}$ outputs $(m, t = \langle r, t_1, \ldots \rangle)$, then $\mathcal{A}'$ checks whether $\mathsf{NewBlock}$ occurs (this is easy to do since $\mathcal{A}'$ can keep track of all the queries it makes to its own oracle). If so, then $\mathcal{A}'$ finds the first block $r \| \ell \| i \| m_i$ that was never previously authenticated by $\mathsf{Mac}'$ and outputs $(r \| \ell \| i \| m_i, t_i)$. (If not, $\mathcal{A}'$ outputs nothing.)

The view of $\mathcal{A}$ when run as a sub-routine by $\mathcal{A}'$ is distributed identically to the view of $\mathcal{A}$ in experiment $\textsf{Mac-forge}_{\mathcal{A},\Pi}(n)$, and so the probabilities of events $\textsf{Mac-forge}_{\mathcal{A},\Pi}(n) = 1$ and $\mathsf{NewBlock}$ do not change. If $\mathsf{NewBlock}$ occurs then $\mathcal{A}'$ outputs a block $r \| \ell \| i \| m_i$ that was never previously authenticated by its own MAC oracle; if $\textsf{Mac-forge}_{\mathcal{A},\Pi}(n) = 1$ then the tag on every block is valid (with respect to $\Pi'$), and so in particular this is true for the block output by $\mathcal{A}'$. This means that whenever $\textsf{Mac-forge}_{\mathcal{A},\Pi}(n) = 1$ and $\mathsf{NewBlock}$ occur we have $\textsf{Mac-forge}_{\mathcal{A}',\Pi'}(n) = 1$, proving Equation (4.4).