B504/I538: Introduction to Cryptography


1 B504/I538: Introduction to Cryptography
Spring • Lecture 11 (2017-02-14)

2 Assignment 2* is due! Assignment 3 is out and is due in two weeks (2017-02-28)! (Please get started early!!)
* modulo the 1-week extension on problems 3 & 4

3 About crypto! Free pizza+brownies! 1 week from Thursday

4 Secrecy vs. integrity and authenticity
Secrecy (“confidentiality”) vs. integrity (has the message changed?) and authenticity (from whom did the message originate?)
So far we have only worried about secrecy of messages
However, secrecy ⇏ integrity, authenticity
Q: What happens if an attacker flips a ciphertext bit in OTP / stream cipher / OFB mode / CTR mode?
A: The corresponding plaintext bit also flips!
Q: What happens if an attacker duplicates, removes, or permutes ciphertext blocks in ECB mode?
A: The corresponding plaintext blocks are duplicated, removed, or permuted!
Q: Are authenticity attacks possible in CBC mode?
A: Yes!

5 Malleability of CBC mode
(Diagram: m ≔ m1∥m2∥⋯∥mℓ is encrypted block by block with Πk, each block XORed with the previous ciphertext block (the IV for the first block), giving c ≔ IV∥c1∥c2∥⋯∥cℓ)
Truncate ciphertext blocks ⇒ the corresponding plaintext blocks are truncated
Flip an IV bit ⇒ the corresponding bit of m1 flips
Flip a bit of ci ⇒ mi is randomized and the corresponding bit of mi+1 flips

6 Non-cryptographic integrity checks
Cyclic redundancy check (CRC)
Detects random errors due to a noisy channel
Not intended to detect attacker-induced (intentional) errors
A straw-man proposal:
Alice computes c ≔ Enck(m) using CTR mode
Alice computes t ≔ CRC(c)
Ciphertext is the pair (c, t)
Q: What could possibly go wrong?
A: Attacker changes c to c′, then changes t to t′ = CRC(c′)! (that’s excitement, not factorial!)

7 Non-cryptographic integrity checks
An improved proposal (?):
Compute t ≔ CRC(m)
Ciphertext is c ≔ Enck(m∥t)
Q: What could possibly go wrong now?
A: CRC is a “linear” code: ∀x,y, CRC(x⊕y) = CRC(x)⊕CRC(y)
(Since CTR mode turns a ciphertext XOR into a plaintext XOR, the attacker can predict exactly how the enclosed CRC must change when message bits are flipped)
Integrity in the presence of attackers requires a secret key!
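To make the linearity claim concrete, here is an added example (not from the lecture) that implements a textbook CRC-32 (zero initial register, no final XOR, so the identity on the slide holds exactly) and checks the same relation against a keyed MAC; HMAC-SHA256 and the sample inputs are constructed for the demonstration.

```python
import hmac
import hashlib

# CRC-32 generator polynomial (x^32 term implicit). This constructed textbook
# variant has a zero initial register and no final XOR, so it is a purely
# linear map over GF(2); the common zlib variant adds a constant on top.
POLY = 0x04C11DB7

def crc32_plain(data: bytes) -> int:
    """Bitwise MSB-first CRC-32: the remainder of data(x)*x^32 mod POLY."""
    reg = 0
    for byte in data:
        reg ^= byte << 24
        for _ in range(8):
            if reg & 0x80000000:
                reg = ((reg << 1) ^ POLY) & 0xFFFFFFFF
            else:
                reg = (reg << 1) & 0xFFFFFFFF
    return reg

def xor_bytes(x: bytes, y: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(x, y))

def crc_is_linear(x: bytes, y: bytes) -> bool:
    """The slide's claim: CRC(x xor y) == CRC(x) xor CRC(y) for equal-length
    x and y. This is why a CRC enclosed in a CTR-mode ciphertext cannot
    detect chosen bit flips: the check value moves predictably with them."""
    return crc32_plain(xor_bytes(x, y)) == crc32_plain(x) ^ crc32_plain(y)

def hmac_is_linear(key: bytes, x: bytes, y: bytes) -> bool:
    """The same relation tested against a keyed MAC (HMAC-SHA256). For a
    secure MAC it holds only with negligible probability."""
    tag = lambda d: hmac.new(key, d, hashlib.sha256).digest()
    return tag(xor_bytes(x, y)) == xor_bytes(tag(x), tag(y))

# Constructed sample inputs: an 8-byte message, a one-bit difference, and a
# fixed key used only so the run is reproducible.
SAMPLE_M = b"PAY\x00\x00\x00\x00\x64"
SAMPLE_DELTA = bytes(7) + b"\x01"
SAMPLE_KEY = bytes(range(32))

if __name__ == "__main__":
    print("CRC linear: ", crc_is_linear(SAMPLE_M, SAMPLE_DELTA))              # True
    print("HMAC linear:", hmac_is_linear(SAMPLE_KEY, SAMPLE_M, SAMPLE_DELTA))  # False
```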

8 Message authentication codes (MACs)
Intuitively, a message authentication code (MAC) is a short piece of information used to verify the integrity and authenticity of a message
It inputs a secret key and an arbitrary-length message and outputs a short value called a tag
No efficient algorithm should be able to “forge” a valid MAC tag (under an unknown key) on any message, except with negligible probability

9 Message authentication codes (MACs)
Defⁿ: A message authentication code (MAC) is a triple of efficient algorithms (Gen, MAC, Ver) such that
Gen: 1^ℕ → {0,1}* is a randomized “key generation” algorithm
MAC: K×M → T is a “tagging” algorithm
Ver: K×M×T → {0,1} is a “tag verification” algorithm
K is the key space (the set of possible keys)
M is the message space (the set of possible messages)
T is the tag space (the set of possible “tags”)
Usually write MACk(m) and Verk(m, t) instead of MAC(k, m) and Ver(k, m, t)

10 Correctness
Intuitively: Correctness is the property of being able to verify a tag (given knowledge of the correct key)
Defⁿ: A MAC scheme (Gen, MAC, Ver) with key space K and message space M is correct if ∀k∈K and ∀m∈M, Pr[Verk(m, MACk(m)) = 1] = 1
Note: it is possible (but uncommon) to allow correctness with probability p < 1

11 MAC “forgery” games
We have seen a number of indistinguishability games
Attacker gets oracle access to (or receives a signal from) the challenger, and must guess which of two versions of the game is being played
Attacker outputs either 0 or 1
Attacker advantage is Pr[“correct guess”] − 1/2
MAC scheme security uses a forgery game
Attacker gets oracle access to MAC algorithms
Attacker outputs a message-tag pair not provided by the oracle
Attacker advantage is Pr[“tag is valid”]

12 MAC selective forgery game
Challenger (C) and Forger (A) both receive 1^n; C runs k ← Gen(1^n)
A fixes a target message m ∈ M before making any queries
For i = 1, …, n: A sends a query mi ∈ M∖{m}; C replies with ti ← MACk(mi)
Finally A outputs a tag t ∈ T
Let E be the event that Verk(m, t) = 1
Define A’s advantage to be AdvMAC-selective-forge(A) ≔ Pr[E]

13 Selective unforgeability
Defⁿ: A MAC scheme (Gen, MAC, Ver) is selectively unforgeable under adaptive chosen message attacks if, for every PPT attacker A, there exists a negligible function ε: ℕ → ℝ⁺ such that for all m ∈ M, AdvMAC-selective-forge(A) ≤ ε(s).
The message m is chosen by the attacker prior to the attack; it may have interesting mathematical properties with respect to the MAC algorithms

14 MAC existential forgery game (weak version)
Challenger (C) and Forger (A) both receive 1^n; C runs k ← Gen(1^n)
For i = 1, …, n: A sends a query mi ∈ M; C replies with ti ← MACk(mi)
Finally A outputs a message-tag pair (m, t)
Let E be the event that m ∉ {m1, …, mn} yet Verk(m, t) = 1
Define A’s advantage to be AdvMAC-weak-ex-forge(A) ≔ Pr[E]

15 MAC existential forgery game (strong version)
Challenger (C) and Forger (A) both receive 1^n; C runs k ← Gen(1^n)
For i = 1, …, n: A sends a query mi ∈ M; C replies with ti ← MACk(mi)
Finally A outputs a message-tag pair (m, t)
Let E be the event that (m, t) ∉ {(m1, t1), …, (mn, tn)} yet Verk(m, t) = 1
Define A’s advantage to be AdvMAC-strong-ex-forge(A) ≔ Pr[E]

16 Existential unforgeability
Defⁿ: A MAC scheme (Gen, MAC, Ver) is existentially unforgeable under adaptive chosen message attacks if, for every PPT attacker A, there exists a negligible function ε: ℕ → ℝ⁺ such that AdvMAC-strong-ex-forge(A) ≤ ε(s).
The message m is chosen arbitrarily by the attacker at the end of the attack
Existential unforgeability is the “default” unforgeability property

17 MAC universal forgery game
Challenger (C) and Forger (A) both receive 1^n; C runs k ← Gen(1^n)
For i = 1, …, n: A sends a query mi ∈ M; C replies with ti ← MACk(mi)
C then chooses a message m ∈ M∖{m1, …, mn} and sends it to A
Finally A outputs a tag t for that m (i.e., the pair (m, t))
Let E be the event that Verk(m, t) = 1
Define A’s advantage to be AdvMAC-universal-forge(A) ≔ Pr[E]

18 Universal unforgeability
Defⁿ: A MAC scheme (Gen, MAC, Ver) is universally unforgeable under adaptive chosen message attacks if, for every PPT attacker A, there exists a negligible function ε: ℕ → ℝ⁺ such that AdvMAC-universal-forge(A) ≤ ε(s).
An attacker capable of universal forgery can sign messages it chose itself (selective forgery), messages chosen at random, or even specific messages chosen by an opponent

19 Notions of unforgeability
Existential unforgeability (weakest attacker; the “default” level of unforgeability)
⇑
Selective unforgeability
⇑
Universal unforgeability (strongest attacker)

20 Fixed-length MAC scheme from any PRF
Let Fk be a PRF; messages, tags, and keys are all n bits long
Gen(1^n) outputs a uniform random key k ∊ {0,1}^n
MACk(m) outputs t ≔ Fk(m)
Verk(m, t) outputs 1 if t = Fk(m) and 0 otherwise
Q: Is this selectively unforgeable? A: Yes!
Q: Is this existentially unforgeable? A: Yes! (how do we prove it?)
Q: Is this universally unforgeable? A: Yes!

21 Fixed-length MAC to PRF reduction
Assume the MAC is not existentially unforgeable
Construct a distinguisher D for F that uses forger A as a subroutine
Prove that D is efficient and has non-negligible advantage
Conclude that F is not a PRF, a contradiction
(Diagram: D receives 1^n and an oracle OF that is either truly random or pseudorandom. D runs A on 1^n; for each query mi from A, D returns ti ≔ OF(mi). When A outputs (m, t) with m ∈ M∖{m1, …, mn}, D outputs 1 if t = OF(m) and 0 otherwise.)

22 Replay attacks
MACs guarantee authenticity and integrity of messages in most cases
Notable exception: MACs do not prevent “replay attacks”
In a replay attack, the attacker simply re-sends a legitimate message that it observed in the past

23 Naïve CBC-MAC
Let {Fk}k∈{0,1}* be a PRF family
Gen(1^n) outputs a uniform random key k ∊ {0,1}^n
MACk(m) does the following:
  Split m into n-bit blocks m1, …, mℓ
  Initialize t0 ≔ 0^n
  Compute ti ≔ Fk(ti−1 ⊕ mi) for i = 1, …, ℓ
  Output the tag t ≔ tℓ
Verk(m, t) outputs 1 if t = MACk(m) and 0 otherwise

24 Naïve CBC-MAC
(Diagram: m ≔ m1∥m2∥⋯∥mℓ; IV = 0^n; each block mi is XORed into the previous output ti−1 and passed through Πk to give ti; the tag is the final block tℓ)
Q: Is naïve CBC-MAC existentially unforgeable?
A: No! (But why?)

25 Attacking existential unforgeability of naïve CBC-MAC
Challenger (C) and Forger (A) both receive 1^n; C runs k ← Gen(1^n)
A sends a single-block query m ∈ {0,1}^n; C replies with t ← MACk(m)
A outputs (m′, t) with m′ ≔ m∥(m⊕t)
A’s output is a valid forgery because MACk(m′) = Fk(t ⊕ (m⊕t)) = Fk(m) = t
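The fixed-length MAC of slide 20, the naïve CBC-MAC of slide 23 and the verification check of slide 25, worked through as an added example that is not part of the lecture. Fk is instantiated with HMAC-SHA256 (an assumption; the slides take an arbitrary PRF with n = 256), and the length-prefixed variant at the end is an addition beyond the slides that shows one standard way to close the gap.

```python
import hmac
import hashlib

N = 32  # n = 256 bits: block, key and tag length in bytes

def prf(k: bytes, x: bytes) -> bytes:
    """F_k on one n-bit block, instantiated with HMAC-SHA256 (assumption)."""
    assert len(x) == N, "F_k takes exactly one n-bit block"
    return hmac.new(k, x, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Slide 20: fixed-length MAC, MAC_k(m) = F_k(m) on a single n-bit message.
def mac_fixed(k: bytes, m: bytes) -> bytes:
    return prf(k, m)

def ver_fixed(k: bytes, m: bytes, t: bytes) -> bool:
    return hmac.compare_digest(mac_fixed(k, m), t)  # constant-time compare

# Slide 23: naive CBC-MAC, t_0 = 0^n, t_i = F_k(t_{i-1} xor m_i), tag = t_l.
def mac_naive_cbc(k: bytes, m: bytes) -> bytes:
    assert m and len(m) % N == 0, "m must be a nonempty whole number of blocks"
    t = bytes(N)
    for i in range(0, len(m), N):
        t = prf(k, xor(t, m[i:i + N]))
    return t

def ver_naive_cbc(k: bytes, m: bytes, t: bytes) -> bool:
    return hmac.compare_digest(mac_naive_cbc(k, m), t)

def naive_accepts_extension(k: bytes, m: bytes) -> bool:
    """Slide 25: after one query (m, t), Ver accepts (m || (m xor t), t)."""
    t = mac_naive_cbc(k, m)
    return ver_naive_cbc(k, m + xor(m, t), t)

# Not on the slides: prepending the block count as a first block makes the
# encoding prefix-free, so the two-block message no longer chains onto t.
def mac_len_prefixed_cbc(k: bytes, m: bytes) -> bytes:
    return mac_naive_cbc(k, (len(m) // N).to_bytes(N, "big") + m)

def ver_len_prefixed_cbc(k: bytes, m: bytes, t: bytes) -> bool:
    return hmac.compare_digest(mac_len_prefixed_cbc(k, m), t)

def prefixed_accepts_extension(k: bytes, m: bytes) -> bool:
    t = mac_len_prefixed_cbc(k, m)
    return ver_len_prefixed_cbc(k, m + xor(m, t), t)
```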

26 That’s all for today, folks!

