Introduction to Cryptography

Transcription

1 B504 / I538: Introduction to Cryptography Spring 2017 Lecture 11

2 * modulo the 1-week extension on problems 3 & 4 Assignment 2 * is due! Assignment 3 is out and is due in two weeks! 1

3

4 Secrecy vs. integrity and authenticity So far we have only worried about secrecy of messages However, secrecy integrity, authenticity Q: What happens if attacker flips a ciphertext bit in OTP / stream cipher / OBF mode / CTR mode? A: The corresponding plaintext bit also flips! Q: What happens if an attacker duplicates, removes, or permutes ciphertext blocks in ECB mode? A: The corresponding plaintext blocks are duplicated, removed, or permuted! 4 Q: Are authenticity attacks possible in CBC mode? A: Yes!

5 Malleability of CBC mode m m 1 m 2 m l k k k m 1 m 2 m l Π k Π k Π k IV c 1 c 2 c l 5 - truncate blocks - flip IV bit - flip c i bit truncate correspond plaintext blocks flip corresponding bit of m 1 randomize m i and flip corresponding m i+1 bit c IV c 1 c 2 c l

6 Non-cryptographic integrity checks Cyclic redundancy check (CRC) Detects random errors due to noisy channel Not intended to detect attacker-induced (intentional) errors A straw-man proposal: Alice computes c Enc k (m) using CTR mode Alice computes t CRC(c) Ciphertext is the pair (c,t) 6 Q: What could possibly go wrong? A: Attacker changes c to c, then changes t to t = CRC(c )!

7 Non-cryptographic integrity checks An improved proposal (?): Compute t CRC(m) Ciphertext is c Enc k (m t) Q: What could possibly go wrong now? A: CRC is a linear code: x,y, CRC(x y) = CRC(x) CRC(y) 7 Integrity in presence of attackers requires a secret key!

8 Message authentication codes (MACs) Intuitively, a message authentication code (MAC) is a short piece of information used to verify the integrity and authenticity of a message input a secret key and an arbitrary-length message and outputs a short value called a tag no efficient algorithm should be able to forge a valid MAC tag (under an unknown key) on any message, except with negligible probability 8

9 Message authentication codes (MACs) Defⁿ: A message authentication code (MAC) is a triple of efficient algorithms (Gen,MAC,Ver) such that Gen:1 N {0,1} * is a randomized key generation algorithm MAC:K M T is a tagging algorithm Ver:K M T {0,1} is a tag verification algorithm Usually write MAC k (m) and Ver k (m, t) instead of MAC(k, m) and Ver(k, m, t) K is the key space (the set of possible keys) M is the message space (the set of possible messages) 9 T is the tag space (the set of possible tags )

10 Correctness Intuitively: Correctness is the property of being able to verify a tag (given knowledge of the correct key) Defⁿ: A MAC scheme (Gen,MAC,Ver) with key space K and message space M is correct if k K and m M, Pr[Ver k (m,mac k (m))=1]=1 Note: it is possible (but uncommon) to allow correctness with probability p < 1 10

11 MAC forgery games We have seen a number of indistinguishability games 1. Attacker gets oracle access to (or receives a signal from) the challenger, and must guess which of two versions of the game is being played 2. Attacker outputs either 0 or 1 3. Attacker advantage is Pr[ correct guess ] 1/2 11 MAC scheme security uses a forgery game 1. Attacker gets oracle access to MAC algorithms 2. Attacker outputs a message-tag pair not provided by the oracle 3. Attacker advantage is Pr[ tag is valid ]

12 MAC selective forgery game Challenger (C) Forger (A) 1 n k Gen(1 n 1 ) n t 1 MAC k (m 1 ) t 2 MAC k (m 2 ) m 1 t 1 m 2 t 2 m 1 M {m} m 2 M {m} m M t n MAC k (m n ) m n t n m n M {m} t T 12 Let E be the event that Ver k (m, t)=1 Define A s advantage to be Adv MAC-selective-forge (A) Pr[E]

13 Selective unforgeability Defⁿ: A MAC scheme (Gen,MAC,Ver) is selectively unforgeable under adaptive chosen message attacks if, for every PPT attacker A, there exists a negligible function ε:n R+ such that for all m M, Adv MAC-selective-forge (A) ε(s). The message m is chosen by the attacker prior to the attack; it may have interesting mathematical properties with respect to the MAC algorithms 13

14 MAC existential forgery game (weak version) Challenger (C) Forger (A) 1 n k Gen(1 n 1 ) n t 1 MAC k (m 1 ) t 2 MAC k (m 2 ) m 1 t 1 m 2 t 2 m 1 M {m} m 2 M {m} m M t n MAC k (m n ) m n t n m n M {m} (m,t) 14 Let E be the event that m {m 1,,m n } yet Ver k (m,t)=1 Define A s advantage to be Adv MAC-weak-ex-forge (A) Pr[E]

15 MAC existential forgery game (strong version) Challenger (C) Forger (A) 1 n k Gen(1 n 1 ) n t 1 MAC k (m 1 ) t 2 MAC k (m 2 ) m 1 t 1 m 2 t 2 m 1 M {m} m 2 M {m} m M t n MAC k (m n ) m n t n m n M {m} (m,t) 15 Let E be the event that (m,t) {(m 1,t 1 ),,(m n,t n )} yet Ver k (m,t)=1 Define A s advantage to be Adv MAC-strong-ex-forge (A) Pr[E]

16 Existential unforgeability Defⁿ: A MAC scheme (Gen,MAC,Ver) is existentially unforgeable under adaptive chosen message attacks if, for every PPT attacker A, there exists a negligible function ε:n R+ such that Adv MAC-strong-ex-forge (A) ε(s). The message m is chosen arbitrarily by the attacker at the end of the attack Existential unforgeability is the default unforgeability property 16

17 MAC universal forgery game Challenger (C) Forger (A) 1 n k Gen(1 n 1 ) n t 1 MAC k (m 1 ) m 1 t 1 m 1 M {m} m M m n m n M {m} m M {m 1,,m n } m (m,t) 17 Let E be the event that Ver k (m,t)=1 Define A s advantage to be Adv MAC-universal-forge (A) Pr[E]

18 Universal unforgeability Defⁿ: A MAC scheme (Gen,MAC,Ver) is existentially unforgeable under adaptive chosen message attacks if, for every PPT attacker A, there exists a negligible function ε:n R+ such that Adv MAC-universal-forge (A) ε(s). An attacker capable of universal forgery can sign messages it chose itself (selective forgery), messages chosen at random, or even specific messages chosen by an opponent 18

19 Notions of unforgeability Existential unforgeability default level of unforgeability Selective unforgeability Universal unforgeability 19

20 Fixed-length MAC scheme from any PRF Messages, tags, and keys are all n-bit longs Gen(1 n ) outputs a uniform random key k {0,1} n MAC k (m) outputs t F k (m) Ver k (m,t) outputs 1 if t=f k (m) and 0 otherwise Is this selectively unforgeable? Is this existentially unforgeable? IS this universally unforgeable? Yes! Yes! Yes! how do we prove it? 20

21 Fixed-length MAC to PRF reduction 1. Assume MAC is not existentially unforgeable 2. Construct distinguisher D for F that uses forger A as a subroutine 3. Prove that D is efficient and has non-negligible advantage 4. Conclude that F is not a PRF, a contradiction Distinguisher (D) 1 n, O F 1 n t 1 OF(m1) t n O F (m n ) 1 if t=of (m) 0 otherwise Attacker (A) m 1 m n (m, t) 21

22 Replay attacks MACs guarantee authenticity and integrity of messages in most cases Notable exception: MACs do not prevent replay attacks In a replay attack, the attacker simply re-sends a legitimate message that it observed in the past 22

23 Naïve CBC-MAC Let {f k } k {0,1} * be a PRF family Gen(1 n ) outputs a uniform random key k {0,1} n MAC k (m) does the following: 1. Split m into n-bit blocks m 1,,m n 2. Initialize t 0 ={0} n 3. Compute t i =F k (t i-1 m i ) 4. Output the tag t t n Ver k (m,t) outputs 1 if t=mac k (m) and 0 otherwise 23

24 m m 1 m 2 m l k k k m 1 m 2 m l Π k Π k Π k IV t 1 t 2 t l 24 Q: Is naïve CBC-MAC existentially unforgeable? A: No! (But why?) t l

25 Attacking naïve CBC-MAC Challenger (C) Forger (A) 1 n 1 n k Gen(1 n ) m m {0,1} n t MAC k (m) t m m (m t) (m,t) 25 A s output is a valid forgery because F k (m )=F k ((m t) t)=f k (m)=t

26 That s all for today, folks!