Modern Cryptography
COMP 443 / 543
Chapter 4
Alptekin Küpçü
Computer Science and Engineering, Koç University
Main Topics
Message Integrity
Message Authentication Codes
Hash Functions
Collision-resistance
Merkle-Damgard transform
Usages
CCA-secure encryption
Message Integrity
Tampering detection vs. prevention
Encryption not enough (e.g., one-time pad)
Guessable ciphertext space
MAC: symmetric-key
Message Authentication Code
Gen(1^n) → k
Mac_k(m) → t
VerifyMac_k(m, t) → accept/reject
Correctness: ∀m ∈ M
Secure MAC
CPA-like game
Secure MAC = existentially unforgeable under adaptive chosen-message attack.
Mac-forge_{A,Π}(n) game:
1 Challenger generates key k upon input 1^n
2 Adversary, given 1^n and oracle access to Mac_k(·), generates and sends (m, t)
Adversary wins if VerifyMac_k(m, t) → accept and m was not asked as a query to the oracle.
What about replay attacks??
PRF-based MAC
For fixed-length messages:
Gen(1^n) picks a key k for the underlying PRF F
Mac_k(m) outputs t = F_k(m)
VerifyMac_k(m, t) computes t′ = Mac_k(m) and outputs accept iff t = t′
Variable-length Messages
Given a MAC secure for fixed-length messages, convert it to one secure for variable-length messages.
Split the message into equal-length pieces m_i, after padding if necessary.
Several strategies:
1 Set x = m_1 ⊕ m_2 ⊕ ... ⊕ m_d and t = Mac_k(x)
2 Authenticate blocks separately, obtaining multiple tags: t_i = Mac_k(m_i)
Secure Variable-length MAC
Let (Gen′, Mac′, VerifyMac′) be a secure fixed-length MAC.
Gen(1^n) runs Gen′(1^n) and outputs its output
Mac_k(m):
Let len be the length of the message
Parse m into blocks m_i of length n/4 (after padding if necessary)
Pick r ← {0,1}^{n/4}
For each block, compute t_i = Mac′_k(r || len || i || m_i)   WHY??
Output t = (r, {t_i})
VerifyMac_k(m, t):
Let len be the length of the message
Parse m into blocks m_i of length n/4 (after padding if necessary)
For each block, run VerifyMac′_k(r || len || i || m_i, t_i) and accept iff all accept
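The construction above, implemented as an added example (not code from the slides): the fixed-length MAC′ is the PRF-based MAC with HMAC-SHA256 standing in for the PRF F, n = 256 is an assumed security parameter, and the `with_index` switch exists only to answer the WHY?? by showing what authenticating the block index i buys.

```python
import hashlib
import hmac
import os

N_BITS = 256           # security parameter n (assumed value for this example)
BLOCK = N_BITS // 32   # n/4 bits = 8 bytes: one message block, and the size of r, len and i

def gen():
    # Gen(1^n) = Gen'(1^n): the fixed-length MAC is PRF-based, so the key is a PRF key
    return os.urandom(N_BITS // 8)

def mac_fixed(k, x):
    # Fixed-length MAC' with t = F_k(x); HMAC-SHA256 stands in for the PRF F (assumption)
    assert len(x) == 4 * BLOCK, "Mac' only accepts inputs of the form r||len||i||m_i"
    return hmac.new(k, x, hashlib.sha256).digest()

def verify_fixed(k, x, t):
    # VerifyMac': recompute the tag and compare in constant time
    return hmac.compare_digest(mac_fixed(k, x), t)

def blocks(m):
    # Parse m into n/4-bit blocks, zero-padding the last one; len is authenticated separately
    m = m + b"\x00" * (-len(m) % BLOCK)
    return [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]

def encode(r, length, i, m_i, with_index=True):
    # Build r || len || i || m_i; with_index=False models a variant that leaves i out
    idx = i.to_bytes(BLOCK, "big") if with_index else bytes(BLOCK)
    return r + length.to_bytes(BLOCK, "big") + idx + m_i

def mac(k, m, r=None, with_index=True):
    # Mac_k(m): fresh r per tag, one fixed-length tag per block; output t = (r, {t_i})
    r = os.urandom(BLOCK) if r is None else r
    tags = [mac_fixed(k, encode(r, len(m), i, m_i, with_index))
            for i, m_i in enumerate(blocks(m))]
    return (r, tags)

def verify(k, m, t, with_index=True):
    # VerifyMac_k(m, t): accept iff every block's tag verifies under the same r and len
    r, tags = t
    bs = blocks(m)
    if len(r) != BLOCK or len(tags) != len(bs):
        return False
    ok = True
    for i, (m_i, t_i) in enumerate(zip(bs, tags)):
        ok &= verify_fixed(k, encode(r, len(m), i, m_i, with_index), t_i)
    return ok
```

Verifying a two-block message with its blocks and tags swapped fails under the full construction but passes when i is omitted, which is the point of authenticating the index.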
Hash Functions
Example: hash table
Compressing functions
Adversarial setting
Keyed hash functions (e.g., a family), but the key is public!
Gen(1^n) → hk, a key for the hash function (we assume hk is built into hash, i.e., hash = hash_hk)
Collision-Resistant Hash Function
∀ PPT adversary A ∃ negligible function neg(n) s.t.
Pr[Gen(1^n) → hash; A(1^n, hash) → (x, x′) : x ≠ x′ ∧ hash(x) = hash(x′)] = neg(n)
Security of Hash Functions
Pre-image resistance (one-wayness):
Pr[Gen(1^n) → hash; M → x; hash(x) → y; A(1^n, hash, y) → x′ : hash(x′) = y] = neg(n)
Note: for a random message
Second pre-image resistance:
Pr[Gen(1^n) → hash; M → x; A(1^n, hash, x) → x′ : x ≠ x′ ∧ hash(x′) = hash(x)] = neg(n)
Note: the adversary needs to find a different input giving the same output
Other definitions include Universal One-Way Hash Functions (Target Collision Resistance).
Merkle-Damgård Transform
Figure: the Merkle-Damgård transform (figure from the book by Katz and Lindell)
CCA-Secure Encryption
Given a CPA-secure encryption scheme (Gen_E, Enc_CPA, Dec_CPA) and a MAC scheme (Gen_M, Mac, VerifyMac):
Gen(1^n) runs Gen_E(1^n) → kE and Gen_M(1^n) → kM and sets k = (kE, kM)
Enc_k(m) runs Enc_CPA_kE(m) → c′ and t = Mac_kM(c′) and sets c = (c′, t)
Dec_k(c) first checks VerifyMac_kM(c′, t) and, if it accepts, outputs Dec_CPA_kE(c′) → m′; else outputs ⊥
Correctness??
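The construction above, which is also the encrypt-then-authenticate ordering the later slides single out as provably secure, as an added example that is not the lecture's own code: Enc_CPA is counter mode over a PRF (the counter is concatenated to r rather than added, an assumption), HMAC-SHA256 stands in for the PRF, Mac is the PRF-based MAC over the ciphertext, and Gen draws two independent keys kE and kM.

```python
import hashlib
import hmac
import os

R_LEN = 16   # length in bytes of the random IV r (assumed)

def prf(k, x):
    # HMAC-SHA256 as the PRF F_k (assumption); used by both Enc_CPA and Mac, under different keys
    return hmac.new(k, x, hashlib.sha256).digest()

def gen_keys():
    # Gen(1^n): independent kE and kM; the same key is never used for both primitives
    return (os.urandom(32), os.urandom(32))

def _keystream(kE, r, nbytes):
    # Counter mode: F_kE(r || ctr) for ctr = 0, 1, ... until nbytes are available
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += prf(kE, r + ctr.to_bytes(R_LEN, "big"))
        ctr += 1
    return out[:nbytes]

def enc_cpa(kE, m, r=None):
    # CPA-secure encryption: c' = r || (m XOR keystream), fresh r per call unless supplied
    r = os.urandom(R_LEN) if r is None else r
    return r + bytes(a ^ b for a, b in zip(m, _keystream(kE, r, len(m))))

def dec_cpa(kE, c_prime):
    r, body = c_prime[:R_LEN], c_prime[R_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(kE, r, len(body))))

def enc(k, m):
    # Enc_k(m): encrypt first, then MAC the whole ciphertext c'; output c = (c', t)
    kE, kM = k
    c_prime = enc_cpa(kE, m)
    return (c_prime, prf(kM, c_prime))

def dec(k, c):
    # Dec_k(c): verify the tag over c' before decrypting; ⊥ is represented by None
    kE, kM = k
    c_prime, t = c
    if not hmac.compare_digest(prf(kM, c_prime), t):
        return None
    return dec_cpa(kE, c_prime)
```

Because the tag covers c′ in full, any change to the IV, the ciphertext body or the tag makes Dec output ⊥ without ever running Dec_CPA.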
CCA-Security Proof
Idea: two reductions. If adversary A breaks the security of our CCA-secure encryption scheme, we construct:
1 Adversary B_M who breaks the security of our MAC scheme (with unique tags)
2 Adversary B_E who breaks the security of our CPA-secure encryption scheme
If the adversary A manages to submit a valid decryption query on a message that was not encrypted by the oracle, he must have forged the MAC.
Properly Combining Cryptographic Primitives
How to obtain message secrecy and integrity together?
1 Encrypt-and-authenticate: Enc_kE(m) → c′ and Mac_kM(m) → t
2 Authenticate-then-encrypt: Mac_kM(m) → t and Enc_kE(m || t) → c
3 Encrypt-then-authenticate: Enc_kE(m) → c′ and Mac_kM(c′) → t
IMPORTANT
Never use the same key for multiple primitives! (i.e., kE ≠ kM)
How to obtain CCA-Security
Given any CPA-secure encryption scheme and any MAC scheme (with unique tags):
1 Encrypt-and-authenticate: Enc_kE(m) → c′ and Mac_kM(m) → t   (not necessarily secure)
2 Authenticate-then-encrypt: Mac_kM(m) → t and Enc_kE(m || t) → c   (not necessarily secure)
3 Encrypt-then-authenticate: Enc_kE(m) → c′ and Mac_kM(c′) → t   (provably secure)
Not necessarily secure: there exist some CPA-secure encryption and MAC schemes that together fail to provide security and integrity at the same time.
Same key problematic example: Given PRP F_k, let
TODO Next
Solve exercises 4.1, 4.2, 4.3, 4.4, 4.7, 4.15, 4.17, 4.18. Pay special attention to exercises 4.5, 4.10, 4.11.
Skim through Chapter 5, do not worry about details.
Read Chapter 6 such that you:
Fully understand the definitions of OWF, OWP, and computational indistinguishability.
Are comfortable with hybrid-argument proofs. Understand the proofs more than the results.
Pay special attention to the proof styles. They are very