Lecture 2 Message Authentication


Published on

Published in: Technology, Education
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Lecture 2 Message Authentication

  1. 1. Lecture 2Message Authentication<br />StefanDziembowski<br />UniversityofRome<br />La Sapienza<br />
  2. 2. Plan<br />Introduction to message authentication codes (MACs).<br />Constructions of MACs block ciphers<br />Hash functions<br />a definition<br />constructions<br />the “birthday attack”<br />a construction of MACs from hash functions<br />the random oracle model <br />
  3. 3. Secure communication<br />1<br />2<br />3<br />4<br />
  4. 4. 4<br />Message Authentication<br />Integrity:<br />M<br />Alice<br />Bob<br />interferes with the transmission<br />(modifies the message, or inserts a new one)<br />How can Bob be sure that M really comes from Alice?<br />
  5. 5. 5<br />Sometimes: more importantthansecrecy!<br />transfer 1000 $ to Bob<br />transfer 1000 $ to Eve<br />Alice<br />Bank<br />Of course: usually we want both secrecy and integrity.<br />
  6. 6. 6<br />Does encryption guarantee message integrity?<br />Idea:<br />Alice encrypts m and sends c=Enc(k,m) to Bob.<br />Bob computes Dec(k,m), and if it “makes sense” accepts it.<br />Intuiton: only Alice knows k, so nobody else can produce a valid ciphertext.<br />It does not work!<br />Example: one-time pad.<br />transfer 1000 $ to Bob<br />plaintext M<br />If Eve knows M and C then she can calculate K and produce a ciphertext of any other message <br />key K<br />xor<br />ciphertext C<br />
  7. 7. 7<br />Message authentication<br />verifies if<br />t=Tagk(m)<br />(m, t=Tagk(m))<br />m<br />Alice<br />Bob<br />k<br />k<br />Eve can see (m, t=Tagk(m))<br />She should not be able to compute a valid tag t’ on any other message m’.<br />
  8. 8. 8<br />Message authentication – multiple messages<br />(m1, t1 =Tagk(m1))<br />m1<br />(m2, t2=Tagk(m2))<br />m2<br />. . .<br />. . .<br />Alice<br />Bob<br />(mw, tw=Tagk(mw))<br />mt<br />k<br />k<br />Eve should not be able to compute a valid tag t’ on any other message m’.<br />
  9. 9. 9<br />Message Authentication Codes – the idea<br />(m, t=Tagk(m))<br />m є {0,1}*<br />Vrfyk(m,t)є {yes,no}<br />Alice<br />Bob<br />k<br />k<br />k ischosenrandomlyfrom some set K<br />
  10. 10. A mathematical view<br />K– key space<br />M– plaintext space<br />T - set oftags<br />A MAC schemeis a pair (Tag, Vrfy), where<br /><ul><li>Tag : K × M → Tis an taggingalgorithm,
  11. 11. Vrfy:K× M × T→ {yes, no}is a verificationalgorithm.</li></ul>We will sometimes write Tagk(m) and Vrfyk(m,t) instead of Tag(k,m) and Vrfy(k,m,t).<br />Correctness<br />it shouldalways holds that:Vrfyk(m,Tagk(m)) = yes.<br />
  12. 12. Conventions<br />If Vrfyk(m,t) = yesthen we say that tis a valid tag on the message m.<br />If Tag is deterministic, then Vrfyjust computes Tagand compares the result.<br />In this case we do not need to define Vrfyexplicitly.<br />
  13. 13. 12<br />How to define security?<br />We need to specify:<br />how the messages m1,...,mware chosen,<br />what is the goal of the adversary.<br />Good tradition:be as pessimistic as possible!<br />Therefore we assume that<br />The adversary is allowed to chose m1,...,mw.<br />The goal of the adversary is to produce a valid tag onsome m’ such that m’ ≠m1,...,mw.<br />
  14. 14. 13<br />security parameter<br />1n<br />selects random ak Є{0,1}n<br />m1<br />adversary<br />(m1, t=Tagk(m1))<br />oracle<br />. . .<br />mw<br />(mw, t=Tagk(mw))<br />We say that the adversary breaks the MAC scheme at the end she outputs (m’,t’) such that<br />Vrfy(m’,t’) = yes<br />and<br /> m’ ≠m1,...,mw<br />
  15. 15. 14<br />The security definition<br />We say that (Tag,Vrfy) is secure if<br />A<br />P(A breaks it) is negligible (inn)<br />polynomial-timeadversary A<br />
  16. 16. 15<br />Aren’t we too paranoid?<br />Maybe it would be enough to require that: <br />the adversary succeds only if he forges a message that “makes sense”.<br />(e.g.: forging a message that consists of random noise should not count)<br />Bad idea:<br />hard to define,<br />is application-dependent.<br />
  17. 17. 16<br />(m, t)<br />(m, t)<br />(m, t)<br />Warning: MACs do not offer protection against the “replay attacks”.<br />(m, t)<br />Alice<br />Bob<br />Since Vrfyhas no state (or “memory”) there is no way to detect that (m,t) is not fresh!<br />. . .<br />This problem has to be solved by the higher-level application<br />(methods: time-stamping, sequence numbers...).<br />
  18. 18. Authentication and Encryption<br />Options:<br />Encrypt-and-authenticate:<br />c := Enck1(m) and t:= Tagk2 (m), send (c,t)<br />Authenticate-then-encrypt:<br />t:= Tagk2 (m) and c := Enck1(m||t), send (c,t)<br />Encrypt-then-authenticate:<br />c := Enck1(m) and t:= Tagk2 (c), send (c,t)<br />c := Enck1(m)<br />c := Enck1(m ||t)<br />m<br />t:= Tagk2 (m)<br />m<br />t:= Tagk2 (m)<br />wrong<br />better<br />the best<br />t:= Tagk2 (c)<br />m<br />c := Enck1(m)<br />
  19. 19. 18<br />Constructing a MAC<br />There exist MACs that are secure even if the adversary is infinitely-powerful.These constructions are not practical.<br />MACs can be constructed from the block-ciphers. We will now discuss to constructions:<br />simple (and not practical),<br />a little bit more complicated (and practical) – a CBC-MAC<br />MACs can also be constructed from the hash functions (NMAC, HMAC). <br />
  20. 20. Plan<br />Introduction to message authentication codes (MACs).<br />Constructions of MACs from block ciphers<br />Hash functions<br />a definition<br />constructions<br />the “birthday attack”<br />concrete functions<br />a construction of MACs from hash functions<br />the random oracle model <br />
  21. 21. A simple construction from a block cipher<br />Let <br />F : {0,1}n× {0,1}n -> {0,1}n<br />be a block cipher. <br />We can now define a MAC scheme that works only for messages m Є{0,1}n as follows:<br />Tag(k,m) = F(k,m)<br />It can be proven that it is a secure MAC.<br />How to generalize it to longer messages?<br />F(k,m)<br />Fk<br />k<br />m<br />20<br />
  22. 22. 21<br />Idea 1<br /><ul><li> divide the message in blocksm1,...,md
  23. 23. and authenticateeach block separately</li></ul>F(k,m1)<br />F(k,md)<br />Fk<br />Fk<br />. . .<br />m1<br />md<br />Thisdoesn’t work!<br />
  24. 24. 22<br />What goes wrong?<br />m:<br />t = Tagk(m):<br />perm<br />m’ = perm(m):<br />t’ = perm(t):<br />Then t’ is a valid tag on m’. <br />
  25. 25. 23<br />Idea 2<br />Add a counter to each block.<br />F(k,x1)<br />F(k,xd)<br />Fk<br />Fk<br />. . .<br />m1<br />md<br />1<br />d<br />x1<br />xd<br />This doesn’t work either!<br />
  26. 26. 24<br />mi<br />i<br />xi<br />m:<br />t = Tagk(m):<br />m’ = a prefix of m:<br />t’ = a prefix of t:<br />Then t’ is a valid tag on m’. <br />
  27. 27. 25<br />Idea 3<br />Addl := |m|toeach block<br />F(k,x1)<br />F(k,xd)<br />Fk<br />Fk<br />. . .<br />m1 <br />md <br />1<br />d<br />l<br />l<br />x1<br />xd<br />This doesn’t work either!<br />
  28. 28. 26<br />m1 <br />1<br />l<br />xi<br />What goes wrong? <br />m:<br />m’:<br />t = Tagk(m):<br />t’ = Tagk(m’):<br />m’’= first half from m|| second half from m’<br />t’’ = first half from t || second half from t’<br />Then t’’ is a valid tag on m’’.<br />
  29. 29. 27<br />Idea 4<br />Add a freshrandomvaluetoeach block!<br />F(k,x1)<br />F(k,xd)<br />Fk<br />Fk<br />. . .<br />md<br />d<br />l<br />r<br />md<br />d<br />l<br />r<br />x1<br />xd<br />Thisworks!<br />
  30. 30. 28<br />tagk(m)<br />F(k,x1)<br />F(k,x2)<br />F(k,xd)<br />r<br />Fk<br />Fk<br />Fk<br />. . . <br />. . . <br />1<br />l<br />r<br />m2<br />2<br />r<br />md<br />d<br />r<br />m1<br />l<br />l<br />x2<br />x1<br />xd<br />. . . <br />r is chosen randomly<br />m1<br />m2<br />md<br />m<br />000<br />n – block length<br />l<br />|mi| = n/4<br />pad with zeroes if needed<br />
  31. 31. 29<br />This construction can be proven secure<br />Theorem<br />Assuming that<br />F : {0,1}n× {0,1}n -> {0,1}n is a pseudorandompermutation<br />the construction from the previous slide is a secure MAC.<br />Proof idea:<br />Suppose it is not a secure MAC. <br />Let A be an adversary that breaks it with a non-negligible probability.<br />We construct a distinguisher D that distinguishes F from a random permutation.<br />
  32. 32. A new member of “Minicrypt”<br />one-way functions<br />exist<br />this can be proven<br />this we already knew<br />computationally-secure<br />MACs exist<br />cryptographic PRGs<br />exist<br />this we have just proven<br />
  33. 33. 31<br />Problem:<br />The tag is 4 times longer than the message...<br />This construction is not practical<br />We can do much better!<br />
  34. 34. 32<br />CBC-MAC<br />F : {0,1}n× {0,1}n -> {0,1}n- a block cipher<br />tagk(m)<br />Fk<br />Fk<br />Fk<br />Fk<br />Fk<br />. . . <br />m1<br />m2<br />m3<br />md<br />|m|<br />m<br />0000<br />pad with zeroes if needed<br />Other variants exist!<br />
  35. 35. 33<br />tagk(m)<br />Fk<br />Fk<br />Fk<br />Fk<br />Fk<br />. . . <br />m1<br />m2<br />m3<br />md<br />|m|<br />Why is this needed?<br />Suppose we donot prepend |m|...<br />
  36. 36. 34<br />t1=tagk(m1)<br />t2=tagk(m2)<br />the adversarychooses:<br />Fk<br />Fk<br />m1<br />m2<br />t’= tagk(m’)<br />t1<br />t’ = t2<br />Fk<br />Fk<br />now she can compute:<br />m2<br />m1<br />m2xor t1<br />m’<br />
  37. 37. 35<br />Some practictioners don’t like the CBC-MAC<br />We don’t want to authenticate using the block ciphers!<br />What do you want to use instead?<br />Hash functions!<br />Why?<br />Because:<br />they are more efficient,<br />they are notprotectedby the export regulations.<br />
  38. 38. Plan<br />Introduction to message authentication codes (MACs).<br />Constructions of MACs:<br />from pairwise independent functions<br />from block ciphers<br />Hash functions<br />a definition<br />constructions<br />the “birthday attack”<br />concrete functions<br />a construction of MACs from hash functions<br />the random oracle model <br />
  39. 39. 37<br />Another idea for authenticating long messages<br />Fk(h(m))<br />a block cipher<br />Fk<br />k<br />h(m)<br />a “hashfunction” h<br />long m<br />By the way: a similar method is used in the public-key cryptography (it is called “hash-and-sign”).<br />
  40. 40. How to formalize it?<br />We need to define what is a “hash function”.<br />The basic property that we require is:<br />“collision resistance”<br />
  41. 41. 39<br />Collision-resistant hash functions<br />short H(m)<br />a hash function<br />H : {0,1}* -> {0,1}L<br />longm<br />collision-resistance<br />a “collision”<br />Requirement: itshouldbe hard tofind a pair(m,m’)suchthat<br />H(m) =H(m’)<br />
  42. 42. 40<br />Collisions always exist<br />domain<br />m<br />range<br />m’<br />Since the domain islargerthan the range the collisionshavetoexist.<br />
  43. 43. 41<br />“Practical definition”<br />H is a collision-resistanthashfunctionifitis “practicallyimpossibletofindcollisions in H”.<br />Popularhashfuncitons:<br /><ul><li>MD5 (nowconsideredbroken)
  44. 44. SHA1
  45. 45. ...</li></li></ul><li>42<br />How to formally define “collision resitance”?<br />Idea<br />Saysomethinglike: His a collision-resistanthashfunctionif<br />A<br />P(A finds a collision in H) is small<br />efficientadversary A<br />Problem<br />For a fixedHtherealwaysexist a constant-timealgorithmthat “finds a collision in H” in constanttime.<br />Itmaybe hard tofindsuchanalgorithm, butitalwaysexists!<br />
  46. 46. 43<br />Solution<br />Whenwe prove theoremswewillalwaysconsider<br />familiesofhashfunctions<br />indexedby a key s<br />{Hs} s є keys<br />
  47. 47. 44<br />informal description:<br />“knows H”<br />a protocol<br />H<br />H<br />H<br />formal model:<br />sis chosen<br />randomly<br />a protocol<br />s<br />Hs<br />Hs<br />Hs<br />
  48. 48. 45<br />informal description:<br />“knows H”<br />a protocol<br />H<br />H<br />H<br />H<br />real-life implementation (example):<br />“knows SHA1”<br />a protocol<br />SHA1<br />SHA1<br />SHA1<br />
  49. 49. 46<br />Hash functions – the functional definition<br />A hashfunctionis a probabilisticpolynomial-time algorithmH such that:<br />H takes as input a key sє {0,1}nand a message x є {0,1}*and outputs a string<br />Hs(x)є {0,1}L(n)<br /> where L(n)is some fixed function.<br />
  50. 50. 47<br />Hashfunctions – the security definition [1/2]<br />1n<br />selects a random<br /> s є {0,1}n<br />s<br />outputs (m,m’)<br />WesaythatadversaryAbreaks the functionHifHs(m) = Hs(m’).<br />
  51. 51. 48<br />Hash functions – the security definition [2/2]<br />His a collision-resistanthashfunctionif<br />A<br />P(A breaks H)is negligible<br />polynomial-timeadversary A<br />
  52. 52. 49<br />How to formalize our idea?<br />Fk(h(m))<br />a block cipher<br />Fk<br />k<br />h(m)<br />a “hashfunction” h<br />long m<br />
  53. 53. Authentication scheme - formally<br />A key for the MAC is a pair:<br />(s,k)<br />a key for the hash function H<br />a key for the PRP F<br />Tag((k,s),m) = Fk(Hs(m))<br />Theorem. If H and F are secure then Tag is secure.<br />This is proven as follows. <br />Suppose we have an adversary that breaks Tag. Then we can construct:<br />a distinguisher for F<br />an adversary for H<br />or<br />simulates <br />simulates <br />
  54. 54. Do collision-resilient hash functions belong to minicrypt?<br />collision-resilient hash functions exist<br />?<br />open problem<br />easy exercise<br />one-way functions<br />exist<br />[D. Simon: Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions? 1998]:<br />there is no “black-box reduction”.<br />
  55. 55. 52<br />A common method for constructing hash functions<br />Construct a “fixed-input-length” collision-resistanthashfunctionCallit: a collision-resistantcompressionfunction.<br />Useittoconstruct a hashfunction. <br />L<br />h(m)<br />h : {0,1}2·L-> {0,1}L<br />m<br />2·L<br />
  56. 56. 53<br />h<br />h<br />h<br />An idea<br />pad with zeroes<br />if needed<br />t<br />m<br />0000<br />. . .<br />m1<br />m2<br />mB<br />miє {0,1}L<br />. . .<br />IV<br />H(m)<br />can be arbitrary<br />This doesn’t work...<br />
  57. 57. 54<br />Why is it wrong?<br />t<br />m<br />0000<br />. . .<br />m1<br />m2<br />mB<br />If we set m’ = m || 0000 then H(m’) = H(m).<br />Solution: add a block encoding “t”.<br />t<br />m’<br />0000<br />. . .<br />m’1<br />m’2<br />m’B<br />m’B+1 := t<br />
  58. 58. 55<br />Merkle-Damgård transform<br />h<br />h<br />h<br />h<br />given h : {0,1}2L-> {0,1}Lwe construct H : {0,1}*-> {0,1}L<br />doesn’t need to be know in advance<br />(nice!)<br />t<br />m<br />0000<br />m1<br />m2<br />mB<br />mB+1 := t<br />miє {0,1} L<br />. . .<br />IV<br />H(m)<br />
  59. 59. 56<br />This construction is secure<br />Wewouldliketo prove the following:<br />Theorem<br />If<br />h : {0,1}2L-> {0,1}L<br />is a collision-resistant compression function<br />then <br /> H : {0,1}*-> {0,1}L<br />is a collision-resistant hash function.<br />But wait….<br />It doesn’t make sense…<br />
  60. 60. What to do?<br />To be formal, we would need to consider <br />families of functionsh and Hindexed by key s<br />Let’s stay on the informal level and “argue” that:<br />“if one can find a collision in H then one can find a collision in h”<br />
  61. 61. 58<br />abreaksh<br />(m,m’)<br />AbreaksH<br />a collision in H<br />outputsa collision(x,y) in h<br />
  62. 62. 59<br />How to compute a collision (x,y) in h from a collision (m,m’) in H?<br />Weconsidertwooptions:<br />|m| = |m’|<br />|m| ≠ |m’|<br />
  63. 63. 60<br />Option 1: |m| = |m’|<br />t<br />m<br />0000<br />m1<br />m2<br />mB<br />mB+1 := t<br />t<br />m<br />0000<br />m1<br />m2<br />mB<br />mB+1 := t<br />
  64. 64. |m| = |m’|<br />h<br />h<br />h<br />h<br />Some notation:<br />m<br />0000<br />m1<br />m2<br />mB<br />mB+1 := t<br />. . .<br />IV<br />zB+1<br />z2<br />z1<br />z3<br />zB<br />H(m)<br />61<br />
  65. 65. 62<br />|m| = |m’|<br />h<br />h<br />h<br />h<br />For m’:<br />m’<br />0000<br />m’1<br />m’2<br />m’B<br />m’B+1 := t<br />. . .<br />IV<br />z’2<br />z’1<br />z’3<br />z’B+1<br />H(m’)<br />z’B<br />
  66. 66. 63<br />equal<br />zB+2=H(m)<br />zB+2=H(m’)<br />zB+1<br />mB+1<br />z’B+1<br />m’B+1<br />zB<br />mB<br />z’B<br />m’B<br />. . .<br />. . .<br />z3<br />z3<br />notequal<br />z2<br />m2<br />z’2<br />m’2<br />z1 = IV<br />m1<br />z’1 = IV<br />m’1<br />
  67. 67. 64<br />equal<br />zB+2=H(m)<br />zB+2=H(m’)<br />zB+1<br />mB+1<br />z’B+1<br />m’B+1<br />Leti*be the leasti suchthat<br />(mi,zi) = (m’i,z’i) <br />(becausem ≠ m’suchani* &gt; 1alwaysexists!)<br />zB<br />mB<br />z’B<br />m’B<br />. . .<br />. . .<br />z2<br />m2<br />z’2<br />m’2<br />z1 = IV<br />m1<br />z’1 = IV<br />m’1<br />
  68. 68. 65<br />So, we have found a collision!<br />equal<br />zi*<br />z’i*<br />h<br />h<br />notequal<br />zi*-1<br />mi*-1<br />z’i*-1<br />m’i*-1<br />
  69. 69. 66<br />Option 2: |m| ≠ |m’|<br />equal<br />H(m)<br />H(m’)<br />zB+1<br />mB+1<br />z’B’+1<br />m’B’+1<br />. . .<br />. . .<br />the last block encodesthe length on the messageso thesevaluescannotbeequal!<br />So, again we have found a collision!<br />
  70. 70. 67<br />Concrete functions<br />MD5,<br />SHA-1, SHA-256,...<br />....<br />all use (variants of) Merkle-Damgårdtransformation. <br />Hashfunctions can alsobeconstructedusing the numbertheory.<br />
  71. 71. Plan<br />Introduction to message authentication codes (MACs).<br />Constructions of MACs:<br />from pairwise independent functions<br />from block ciphers<br />Hash functions<br />a definition<br />constructions<br />the “birthday attack”<br />concrete functions<br />a construction of MACs from hash functions<br />the random oracle model <br />
  72. 72. 69<br />What the industry says about the “hash and authenticate” method?<br />the block cipher is still there...<br />Why don’t we just hash a message together with a key:<br />MACk(m) = H(k || m)<br />?<br />It’s not secure!<br />
  73. 73. 70<br />Suppose H was constructed using the MD-transform<br />she can fabricate this<br />MACk(m||t)<br />she can see this<br />t + L<br />MACk(m)<br />MACk(m)<br />zB<br />t<br />zB<br />t<br />z2<br />m<br />z2<br />m<br />IV<br />k<br />IV<br />k<br />L<br />
  74. 74. 71<br />A better idea<br />M. Bellare, R. Canetti, and H. Krawczyk (1996):<br />NMAC (Nested MAC)<br />HMAC (Hash based MAC)<br />have some “provable properites”<br />They both use the Merkle-Damgårdtransform.<br /> Again, let h : {0,1}2L-> {0,1}L be a compression function.<br />
  75. 75. 72<br />NMAC<br />h<br />h<br />h<br />h<br />m<br />0000<br />m1<br />mB<br />mB+1 := |m|<br />. . .<br />k1<br />k2<br />NMAC(k1,k2) (m)<br />
  76. 76. 73<br />h<br />What can be proven<br />Suppose that<br />his collision-resistant<br />the following function is a secure MAC:<br />ThenNMAC is a secure MAC.<br />m<br />k2<br />MACk2(m)<br />
  77. 77. 74<br />Looks better, but <br />our libraries do not permit to change the IV<br />the key is too long: (k1,k2)<br />HMAC is the solution!<br />
  78. 78. 75<br />HMAC<br />h<br />h<br />h<br />h<br />k xor ipad<br />m1<br />mB+1 := |m|<br />ipad = 0x36 repeated<br />opad = 0x5C repeated<br />. . .<br />IV<br />IV<br />h<br />HMACk (m)<br />k xoropad<br />
  79. 79. 76<br />HMAC – the properties<br />Looks complicated, but it is very easy to implement (given an implementation of H):<br />HMACk(m) = H((k xoropad) || H(k xoripad || m))<br />It has some “provable properties” (slightly weaker than NMAC).<br />Widely used in practice.<br />We like it!<br />
  80. 80. Plan<br />Introduction to message authentication codes (MACs).<br />Constructions of MACs:<br />from pairwise independent functions<br />from block ciphers<br />Hash functions<br />a definition<br />constructions<br />the “birthday attack”<br />concrete functions<br />a construction of MACs from hash functions<br />the random oracle model <br />
  81. 81. Other uses of “hash functions”<br />Hash functions are used by practicioners to convert “non-uniform randomness” into a uniform one. <br />Example:<br />shorter “uniformlyrandom” H(m)<br />a hashfunction<br />H : {0,1}* -> {0,1}L<br />usergeneratedrandomnessX (key strokes, mouse movements, etc.)<br />
  82. 82. Example: password-based encryption<br />H – hash function<br />(E,D) – encryption scheme<br />messagem<br />m = D(H(π),c)<br />c = E(H(π),m)<br />Alice<br />Bob<br />shared password π<br />shared password π<br />Informally:<br />The only thing that Eve can do is to examine all possible passwords .<br />Warning:<br />there exist much better solutions for this problem<br />
  83. 83. Random oracle model<br />[Bellare, Rogaway, Random Oracles are Practical: A Paradigm for Designing Efficient Protocols, 1993]<br />Idea: model the hash function as a random oracle.<br />x<br />H(x)<br />a completely random function<br />H : {0,1}* -> {0,1}L<br />
  84. 84. Remember the pseudorandom functions?<br />x<br />x’<br />F(x)<br />F(x’)<br />A random function<br />F: {0,1}m->{0,1}m <br />x’’<br />F(x’’)<br />Crucial difference:<br />Also the adversary can query the oracle<br />
  85. 85. 82<br />informal description:<br />“knows H”<br />a protocol<br />H<br />formal model:<br />Every call to H is replaced with a query to the oracle.<br />H : {0,1}* -> {0,1}L<br />a protocol<br />also the adversary is allowed to query the oracle.<br />
  86. 86. How would we use it in the proof?<br />shorter “uniformlyrandom” H(X)<br />a hashfunction<br />H : {0,1}* -> {0,1}L<br />usergeneratedrandomnessX<br />As long as the adversary never queried the oracle on Xthe value H(X) “lookscompletelyrandomtohim”.<br />
  87. 87. Criticism of the Random Oracle Model<br />[Canetti, Goldreich, Halevi: The random oracle methodology, revisited. 1998]<br />There exists a signature scheme that is <br />secure in ROM <br />but<br />is not secure if the random oracle is replaced with any real hash function.<br />This example is very artificial. No “realistic” example of this type is know.<br />
  88. 88. Terminology<br />Model without the random oracles:<br /><ul><li>“plain model”
  89. 89. “cryptographic model”</li></ul>Random Oracle Model is also called:<br />the “Random Oracle Heuristic”.<br />Common view: a ROM proof is better than nothing.<br />
  90. 90. Plan<br />Introduction to message authentication codes (MACs).<br />Constructions of MACs:<br />from pairwise independent functions<br />from block ciphers<br />Hash functions<br />a definition<br />constructions<br />a construction of MACs from hash functions<br />the random oracle model <br />
  91. 91. Secure communication<br />1<br />2<br />3<br />4<br />
  92. 92. Outlook<br />cryptography<br /> “information-theoretic”,<br /> “unconditional”<br />“computational”<br /><ul><li> one time pad,
  93. 93. quantum cryptography,
  94. 94. ...</li></ul>based on 2 simultaniousassumptions:<br />some problems are computationally difficult<br />our understanding of what “computational difficulty” means is correct.<br />
  95. 95. Symmetric cryptography<br />symmetric cryptography<br />encryption<br />authentication<br />
  96. 96. The basic information-theoretic tool<br />xor(one-time pad)<br />
  97. 97. Basic tools from the computational cryptography<br />one-way functions<br />pseudorandom generators<br />pseudorandom functions/permutations<br />hash functions<br />
  98. 98. A method for proving security: reductions<br />minicrypt<br />P ≠ NP<br />hash functions<br />one-way functions<br />pseudorandom generators<br />pseudorandom functions/permutations<br />computationally-secure authentication<br />in general the picture is much more complicated!<br />computationally-secure encryption<br />