Cryptography

1
Cryptography

• Lecture 5Stefan Dziembowskiwww.dziembowski.net
• stefan_at_dziembowski.net

2
Plan

• Introduciton to authentication
• CBC-MAC
• Introduction to the collision-resistant hash
  functions
• NMAC and HMAC
• Authentication Encryption

3
Message Authentication

• Integrity

M
Alice
Bob
interferes with the transmission
How can Bob be sure that M really comes from
Alice?
4
Sometimes more imprtant than secrecy!
transfer 1000 to Bob
transfer 1000 to Eve
Alice
Bank
Of course usually we want both secrecy and
integrity.
5
Does encryption guarantee message integrity?

• Idea
• Alice encrypts m and sends cEnc(k,m) to Bob.
• Bob computes Dec(k,m), and if it makes sense
  accepts it.
• Intuiton only Alice knows k, so nobody else can
  produce a valid ciphertext.
• It does not work!
• Example one-time pad.

Eve xor Bob
transfer 1000 to Bob
transfer 1000 to Eve
plaintext
key K
xor
ciphertext C
6
Message authentication
verifies if tTagk(m)
(m, tTagk(m))
m
Alice
Bob
k
k
Eve can see (m, tTagk(m)) She should not be
able to compute a valid tag t on any other
message m.
7
Message authentication multiple messages
(m1, tTagk(m1))
m1
(m2, tTagk(m2))
m2
. . .
. . .
Alice
Bob
(m1, tTagk(mt))
mt
k
k
Eve should not be able to compute a valid tag t
on any other message m.
8
Message Authentication Codes the idea
(m, tTagk(m))
m ? 0,1
Vrfyk(m) ? yes,no
Alice
Bob
k
k
Gen(1n)
1n
9
Message Authentication Codes

• A message authentication code (MAC) is a tuple
  (Gen,Mac,Vrfy) of poly-time algorithms, such
  that
• the key-generation algorithm Gen takes as input a
  security parameter 1n and outputs a key k,
• the tagging algorithm Mac takes as input a key k
  and a message m?0,1 and outputs a tag t,
• the verification algorithm Vrfy takes as input a
  key k, a message m and a tag t, and outputs a bit
  b ? yes, no.If Vrfyk(m,t) yes then we say
  that t is a valid tag on the message m.
• If Mac is deterministic, then Vrfy just
  computes Mac and compares the result.

10
Correctness

• We require that it always holds that
• Vrfyk(m,Mack(m)) yes
• What remains is to define security of a MAC.

11
How to define security?

• We need to specify
• how the messages m1,...,mt are chosen,
• what is the goal of the adversary.
• Good tradition be as pessimistic as possible!
• Therefore we assume that
• The adversary is allowed to chose m1,...,mt.
• The goal of the adversary is to produce a valid
  tag on some m such that m ? m1,...,mt.

12
security parameter 1n
selects random k Gen(1n)
m1
adversary
(m1, tTagk(m1))
oracle
. . .
mt
(m1, tTagk(m1))

• We say that the adversary breaks the MAC scheme
  at the end she outputs (m,t) such that
• Vrfy(m,t) yes
• m ? m1,...,mt

13
The security definition

• We say that (Gen,Mac,Vrfy) is secure if

A
P(A breaks it) is negligible (in n)
polynomial-timeadversary A
14
Arent we too paranoid? 1/2

• No! Sometimes the adversary may have influence
  on the messages that the parties are sending.
• (remember the story about Midway?)
• Another example routing

(m, tTagk(m))
k
k
m
t
15
Arent we too paranoid? 2/2

• Maybe it would be enough to require that
• the adversary succeds only if he forges a message
  that makes sense.
• (e.g. forging a message that consists of random
  noise should not count)
• Bad idea
• hard to define,
• is application-dependent.

16
Warning MACs do not offer protection against the
replay attacks.
(m, t)
Alice
Bob
Since Vrfy has no state (or memory) there is no
way to detect that (m,t) is not fresh!
. . .
17
Constructing a MAC

• There exist MACs that are secure even if the
  adversary is infinitely-powerful.(we discussed
  them on the first lecture)These constructions
  are not practical.
• MACs can be constructed from the block-ciphers.
  We will now discuss to constructions
• simple (and not practical),
• a little bit more complicated (and practical) a
  CBC-MAC
• MACs can also be constructed from the hash
  functions (NMAC, HMAC).

18
A simple construction from a block cipher

• Let
• F 0,1n 0,1n ? 0,1n
• be a block cipher.
• We can now define a MAC scheme that works only
  for messages m e 0,1n as follows
• Gen(1n) simply chose a random key from 0,1n.
• Mac(k,m) F(k,m)
• It can be proven that it is a secure MAC.
• How to generalize it to longer messages?

F(k,m)
Fk
k
m
19
Idea 1

• divide the message in blocks m1,...,md
• and authenticate each block separately

F(k,m1)
F(k,md)
Fk
Fk
. . .
m1
md
This doesnt work!
20
What goes wrong?
m
t Tagk(m)
perm
m perm(m)
t perm(t)
Then t is a valid tag on m.
21
Idea 2
Add a counter to each block.
F(k,x1)
F(k,xd)
Fk
Fk
. . .
m1
md
1
d
x1
xd
This doesnt work either!
22
mi
i
xi
m
t Tagk(m)
m a prefix of m
t a prefix of t
Then t is a valid tag on m.
23
Idea 3
Add l m to each block
F(k,x1)
F(k,xd)
Fk
Fk
. . .
m1
md
1
d
l
l
x1
xd
This doesnt work either!
24
m1
1
l
xi

• What goes wrong?

m
m
t Tagk(m)
t Tagk(m)
m first half from m second half from m
t first half from t second half from t
Then t is a valid tag on m.
25
Idea 4
Add a fresh random value to each block!
F(k,x1)
F(k,xd)
Fk
Fk
. . .
md
d
l
r
md
d
l
r
x1
xd
This works!
26
tagk(m)
n
n
n
F(k,x1)
F(k,x2)
F(k,xd)
r
Fk
Fk
Fk
. . .
. . .
r
1
l
m2
2
r
md
d
r
m1
l
l
x2
x1
xd
. . .
r is chosen randomly
m1
m2
m3
md
m
000
l
n block length
mi n/4
pad with zeroes if needed
27
tagk(m)
F(k,x1)
F(k,x2)
F(k,xd)
r
Fk
Fk
Fk
. . .
. . .
1
l
r
m2
2
r
md
d
r
m1
l
l
x2
x1
xd
. . .
r is chosen randomly
m1
m2
md
m
000
l
n block length
mi n/4
pad with zeroes if needed
28
This construction can be proven secure

• Theorem
• Assuming that
• F 0,1n 0,1n ? 0,1n is a pseudorandom
  permutation
• the construction from the previous slide is a
  secure MAC.
• Proof idea
• Suppose it is not a secure MAC.
• Let A be an adversary that breaks it with a
  non-negligible probability.
• We construct a distinguisher D that distinguishes
  F from a random permutation.

29
This construction is not practical

• Problem
• The tag is 4 times longer than the message...
• We can do much better!

30
CBC-MAC
F 0,1n 0,1n ? 0,1n - a block
cipher Gen just chooses a random key k ? 0,1n.
tagk(m)
Fk
Fk
Fk
Fk
Fk
. . .
m1
m2
m3
md
m
m
0000
pad with zeroes if needed
Other variants exist!
31
tagk(m)
Fk
Fk
Fk
Fk
Fk
. . .
m1
m2
m3
md
m
Why is this needed?
Suppose we dont prepend m...
32
t1tagk(m1)
t2tagk(m2)
the adversarychooses
Fk
Fk
m1
m2
t tagk(m)
t1
Fk
Fk
t t2
now she can compute
m1
m2 xor t1
m
33
Some practictioners dont like the CBC-MAC
We dont want to authenticate using the block
ciphers!
What do you want to use instead?
Hash functions!
Why?

• Because
• they are more efficient,
• they are not protected by the export regulations.

34
Collision-resistant hash functions
short H(m)
a hash function H 0,1 ? 0,1L
long m
colision-resistance
a collision
Requirement it should be hard to find a pair
(m,m) such that H(m) H(m)
35
Collisions always exist
domain
m
range
m
Since the domain is larger than the range the
collisions have to exist.
36
Hash functions an example of an application
a voice phone link
H(m)
a long message m
Bob
Alice
a fast insecure link (e.g. internet)
If Bob can recognize Alices voice then the
integrity of m is guranteed.
37
Another example
File F can be downloaded by an insecure
connection. If we can learn H(F) in a secure
way, we can verify authenticity of F.
38
Hash functions are a bit simillar to the
error-correcting codes

• Difference between the hash functions and the
  error correcting codes
• error-correcting codes are secure against the
  random errors.
• collision-resistant hash functions are secure
  against the intentional errors.
• A bit like
• pseudorandom generators
• vs.
• cryptographic pseudorandom generators.

39
Practical definition

• H is a collision-resistant hash function if it is
  practically impossible to find collisions in H.
• Popular hash funcitons
• MD5 (now cosidered broken)
• SHA1
• ...

40
How to formally define collision resitance?

• Idea
• Say something like H is a collision-resistant
  hash function if

A
P(A finds a collision in H) is small
efficientadversary A
Problem For a fixed H there always exist a
constant-time algorithm that finds a collision
in H in constant time. It may be hard to find
such an algorithm, but it always exists!
41
Solution

• When we prove theorems we will always consider
• families of hash functions
• indexed by a key s.
• Hs s ? keys

42
informal description
knows H
a protocol
H
H
H
formal model
s is chosen randomly
a protocol
s
Hs
Hs
Hs
43
informal description
knows H
a protocol
H
H
H
H
real-life implementation (example)
knows SHA1
a protocol
SHA1
SHA1
SHA1
44
Hash functions the functional definition

• A hash function is a pair of probabilistic
  polynomial-time algorithms (Gen,H) where
• Gen takes as input a security parameter 1n and
  outputs a key s.
• H takes as input a key s and a message x ?
  0,1 and outputs a string
• Hs(x) ? 0,1L(n),
• where L(n) is some fixed function.

45
Hash functions the security definition 1/2
1n
s ? Gen(1n)
s
outputs (m,m)
We say that adversary A breaks the function
(Gen,H) if Hs(m) Hs(m).
46
Hash functions the security definition 2/2

• (Gen, H) is a collision-resistant hash function
  if

A
P(A breaks (Gen,H)) is negligible
polynomial-timeadversary A
47
How to construct the hash functions?

• Idea
• Construct a fixed-input-length a hash function.
• Use it to construct a normal hash function.

L(n)
h(m)
h
m
2L(n)
48
A common method for constructing hash functions

1. Construct a fixed-input-length
   collision-resistant hash functionCall
   it a collision-resistant compression function.
2. Use it to construct a hash function.

L
h(m)
h 0,12L ? 0,1L
m
2L
49
An idea
pad with zeroes if needed
t
m
0000
. . .
m1
m2
mB
mi ? 0,1L
. . .
IV
H(m)
can be arbitrary
This doesnt work...
50
Why is it wrong?
t
m
0000
. . .
m1
m2
mB
If we set m m 0000 then H(m)
H(m). Solution add a block encoding t.
t
m
0000
. . .
m1
m2
mB
mB1 t
51
Merkle-Damgård transform
given h 0,12L ? 0,1Lwe construct H
0,1? 0,1L
doesnt need to be know in advance (nice!)
t
m
0000
m1
m2
mB
mB1 t
mi ? 0,1 L
. . .
IV
H(m)
52
This construction is secure

• We would like to prove the following
• Theorem
• If
• h 0,12L ? 0,1L
• is a collision-resistant compression function
• then
• H 0,1? 0,1L
• is a collision-resistant hash function.
• But wait.
• It doesnt make sense

53
We need to consider the hash function families

• Suppose (gen,h) is a collision-resistant hash
  function such that for every s ? gen(1n) we have
• hs 0,12L(n) ? 0,1L(n)

L(n)
h(m)
h
m
2L(n)
54

• We now show how to transform such a (gen,h) into
  a hash function (Gen,H).
• How?
• Gen(1n) ? gen(1n)
• Use the same construction as before

55
Merkle-Damgård transform
given h 0,12L(n) ? 0,1L(n) we construct H
0,1 ? 0,1L(n)
t
m
0000
m1
m2
mB
mB1 t
mi ? 0,1 L(n)
. . .
IV
H(m)
56
This construction is secure

• Theorem
• If
• (gen,h)
• is a collision-resistant hash function
• then
• (Gen,H)
• is a collision-resistant hash function.
• Proof
• Suppose A is a polynomial-time adversary that
  breaks (Gen,H) with a non-negligible probability.
• We construct a polynomial-time adversary a that
  breaks (gen,h) with a non-negligible probability.

57
s ? gen(1n)
s
s
a breaks hs by simulating A
(m,m)
A breaks Hs
now a should output a collision (x,y) in h
a collision in Hs
58
How to compute a collision (x,y) in h from a
collision (m,m) in H?

• We consider two options
• m m
• m ? m

59
Option 1 m m
t
m
0000
m1
m2
mB
mB1 t
t
m
0000
m1
m2
mB
mB1 t
60
m m
Some notation
m
0000
m1
m2
mB
mB1 t
. . .
IV
z2
z1
z3
zB1
zB
H(m)
61
m m
For m
m
0000
m1
m2
mB
mB1 t
. . .
IV
z2
z1
z3
zB1
H(m)
zB
62
equal
zB2H(m)
zB2H(m)
zB1
mB1
zB1
mB1
Let i be the largest i such that (mi,zi)
(mi,zi) (because m ? m such i gt 1 always
exists!)
zB
mB
zB
mB
. . .
. . .
z2
m2
z2
m2
z1 IV
m1
z1 IV
m1
63
So, we have found a collision!
equal
zi
zi
h
h
not equal
zi-1
mi-1
zi-1
mi-1
64
Option 2 m ? m
equal
H(m)
H(m)
zB1
mB1
zB1
mB1
. . .
. . .
the last block encodesthe length on the
messageso these valuescannot be equal!
So, again we have found a collision!
65
Finlizng the proof

• So, if A breaks H with probability e(n), then a
  breaks h with probability e(n).
• If A runs in polynomial time, then a also runs in
  polynomial time.
• QED

66
Generic attacks on hash functions

• Remember the brute-force attacks on the
  encryption schemes?
• For the hash functions we can do something
  slightly smarter...
• It is called a birthday attack.

67
The birthday paradox

• Suppose we have a random function
• H A ? B
• Take q values
• x1,...,xq
• Let p(q) be the probability that there exist
  distinct i,j such that
• H(xi) H(xj).
• If q A then trivially p(q) 1.

68
Why is it called a birthday paradox?

• Set
• H people ? birthdays
• Q How many random people you need to take to
  know that with probability 0.5 at least 2 of them
  have birthday on the same day?
• A 23 is enough!
• Counterintuitive...

69
How does the birthday attack work?

• For a hash function
• H 0,1 ? 0,1L
• Take a random X a subset of 0,12L, such that
  X 2L/2.
• With probability around 0.5 there exists x,x ?
  X, such that
• H(x) H(x).
• A pair (x,x) can be found in time O(X log X)
  and space O(X).
• Moral
• L has to be such that an attack that needs 2L/2
  steps is infeasible.

70
Concrete functions

• MD5,
• SHA-1, SHA-256,...
• ....
• all use (variants of) Merkle-Damgård
  transformation.

71
MD5 (Message-Digest Algorithm 5)

• output length 128 bits,
• designed by Rivest in 1991,
• in 1996, Dobbertin found collisions in the
  compresing function of MD5,
• in 2004 a group of Chinese mathematicians
  designed a method for finding collisions in MD5,
• there exist a tool that finds collisions in MD5
  with a speed 1 collision / minute (on a
  laptop-computer)
• Is MD5 completely broken?
• The attack would be practical if the colliding
  documents made sense...
• In 2005 A. Lenstra, X. Wang, and B. de Weger
  found X.509 certificates with different public
  keys and the same MD5 hash.

72
SHA-1 (Secure Hash Algorithm)

• output length 128 bits,
• designed in 1993 by the NSA,
• in 2005 Xiaoyun Wang, Andrew Yao and Frances Yao
  presented an attack that runs in time 263.
• Still rather secure, but new hash algorithms are
  needed!
• A US National Institute of Standards and
  Technology announced a competition for a new hash
  function (deadline October 31, 2008).
• Go to http//csrc.nist.gov/groups/ST/hash/sha-3/
• and submit!

73
How to authenticate with hash functions?

• A simple idea

Fk(h(m))
a block cipher Fk
k
h(m)
h
long m
By the way a similar method is used in the
public-key cryptography (it is called
hash-and-sign).
74
What the industry says?
the block cipher is still there...
Why dont we just hash a message together with a
key MACk(m) H(k m) ?
Its not secure!
75
Suppose H was constructed using the MD-transform
she can fabricate this
MACk(mt)
she can see this
MACk(m)
t L
MACk(m)
zB
t
zB
t
z2
m
z2
m
IV
k
IV
k
L
76
A better idea

• M. Bellare, R. Canetti, and H. Krawczyk (1996)
• NMAC (Nested MAC)
• HMAC (Hash based MAC)
• have some provable properites
• They both use the Merkle-Damgård transform.
• Again, let h 0,12L ? 0,1L be a compression
  function.

77
NMAC
m
0000
m1
mB
mB1 m
. . .
k1
k2
NMAC(k1,k2) (m)
78
What can be proven

• Suppose that
• h is collision-resistant
• the following function is a secure MAC
• Then NMAC is a secure MAC.

m
k2
MACk2(m)
79

• Looks better, but
• our libraries do not permit to change the IV
• the key is too long (k1,k2)

HMAC is the solution!
80
HMAC
k xor ipad
m1
mB1 m
ipad 0x36 repeated opad 0x5C repeated
. . .
IV
IV
h
HMACk (m)
k xor opad
81
HMAC the properties

• Looks complicated, but it is very easy to
  implement (given an implementation of H)
• HMACk(m) H((k xor opad) H(k xor ipad m))
• It has some provable properties (slightly
  weaker than NMAC).
• Widely used in practice.

We like it!
82
Authentication and Encryption

• Usually we want to authenticate and encrypt at
  the same time.
• What is the right way to do it? There are
  several options
• Encrypt-and-authenticate
• c ? Enck1(m) and t ? Mack2 (m)
• Authenticate-then-encrypt
• t ? Mack2 (m) and c ? Enck1(mt)
• Encrypt-then-authenticate
• c ? Enck1(m) and t ? Mack2 (c)
• By the way never use the same key for Enc and
  Mac
• k1 and k2 have to be independent!

wrong
better
the best