Cryptography Lecture 11.


1 Cryptography Lecture 11

2 A fixed-length MAC

3 Construction
Let F be a length-preserving pseudorandom function (aka block cipher)
Construct the following MAC $\Pi$:
Gen: choose a uniform key $k$ for $F$
$\mathrm{Mac}_k(m)$: output $F_k(m)$
$\mathrm{Vrfy}_k(m, t)$: output 1 iff $F_k(m) = t$
Theorem: $\Pi$ is a secure MAC

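4 Proof by reduction
[Figure: the distinguisher D relays each of the adversary's queries $m_1, \dots, m_i$ to its oracle (PRF/random) and returns the answers $t_1, \dots, t_i$; the adversary outputs $(m, t)$, and D queries $m$ to its oracle to obtain $t^*$]
if ($m$ is new and $t = t^*$) output 1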

5 Analysis
When D interacts with $F_k$ for uniform $k$, the view of the adversary is identical to its view in the real MAC experiment
$\Pr[D^{F_k} \text{ outputs } 1] = \Pr[\mathrm{Forge}_{Adv,\Pi}(n) = 1]$
When D interacts with uniform $f$, then seeing $f(m_1), \dots, f(m_i)$ does not help predict $f(m)$ for any $m \notin \{m_1, \dots, m_i\}$
$\Pr[D^f \text{ outputs } 1] \le 2^{-n}$

6 Analysis
Since F is a pseudorandom function,
$|\Pr[D^{F_k} \text{ outputs } 1] - \Pr[D^f \text{ outputs } 1]| < \mathrm{negl}(n)$
$\Rightarrow \Pr[\mathrm{Forge}_{Adv,\Pi}(n) = 1] = \Pr[D^{F_k} \text{ outputs } 1] \le 2^{-n} + \mathrm{negl}(n)$

7 Drawbacks?
This only works for fixed-length messages
This only works for short messages
E.g., AES has a 128-bit block size (shorter than a tweet!)
So the previous construction is limited to authenticating short, fixed-length messages

8 Suggestions?
Can you construct a secure MAC for variable-length messages from a MAC for fixed-length messages?
One natural idea:
$\mathrm{Mac}'_k(m_1, \dots, m_l) = \mathrm{Mac}_k(m_1), \dots, \mathrm{Mac}_k(m_l)$
$\mathrm{Vrfy}'_k(m_1, \dots, m_l, t_1, \dots, t_l) = 1$ iff $\mathrm{Vrfy}_k(m_i, t_i) = 1$ for all $i$
Is this secure?

9 A construction
Need to prevent (at least)
Block reordering
Truncation
“Mixing-and-matching” blocks from multiple messages
One solution:
$\mathrm{Mac}'_k(m_1, \dots, m_l) = r, \mathrm{Mac}_k(r \mid l \mid 1 \mid m_1), \mathrm{Mac}_k(r \mid l \mid 2 \mid m_2), \dots$
Not very efficient – can we do better?

10 (Basic) CBC-MAC
[Figure: CBC chain over the message blocks $m_1, m_2, \dots, m_l$ with $F_k$ applied at each block; output $t$]

11 CBC-MAC vs. CBC-mode
CBC-MAC is deterministic (no IV)
MACs do not need to be randomized to be secure
Verification is done by re-computing the result
In CBC-MAC, only the final value is output
Both are essential for security
Exercise: show attacks

12 Security of (basic) CBC-MAC?
If F is a pseudorandom function with block length $n$, then for any fixed $l$, basic CBC-MAC is a secure MAC for messages of length $l \cdot n$
The sender and receiver must agree on the length parameter $l$ in advance
Basic CBC-MAC is not secure if this is not done!
Attacks?

13 CBC-MAC extensions
Several ways to handle variable-length messages
One of the simplest: prepend the message length before applying (basic) CBC-MAC

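14 CBC-MAC
[Figure: CBC chain over the length $l$ followed by the message blocks $m_1, m_2, \dots, m_l$, with $F_k$ applied at each block; output $t$]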

15 CBC-MAC extensions
Several ways to handle variable-length messages
One of the simplest: prepend the message length before applying (basic) CBC-MAC
Can also be adapted to handle messages whose length is not a multiple of the block length

16 Authenticated encryption

17 Secrecy + integrity?
We have shown primitives for achieving secrecy and integrity in the private-key setting
What if we want to achieve both?

18 Authenticated encryption
An encryption scheme that achieves both secrecy and integrity
Secrecy notion: CCA-security
Integrity notion: unforgeability
Adversary cannot generate ciphertext that decrypts to a previously unencrypted message

19 Constructions?
Generic constructions
Encrypt and authenticate
Authenticate then encrypt
Encrypt then authenticate
Direct constructions

20 Generic constructions
Generically combine an encryption scheme and a MAC
Useful when these are already available in some library
Goal: the combination should be an authenticated encryption scheme when instantiated with any CPA-secure encryption scheme and any secure MAC

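21 Encrypt and authenticate
[Figure: sender and receiver share keys $k_1, k_2$; the sender transmits $c, t$]
Sender, on message $m$: $c \leftarrow \mathrm{Enc}_{k_1}(m)$, $t = \mathrm{Mac}_{k_2}(m)$
Receiver: $m = \mathrm{Dec}_{k_1}(c)$; $\mathrm{Vrfy}_{k_2}(m, t) = 1$?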

22 Problems
The tag t might leak information about m!
Nothing in the definition of security for a MAC implies that it hides information about m
So the combination may not even be EAV-secure
If the MAC is deterministic (as is CBC-MAC), then the tag leaks whether the same message is encrypted twice
I.e., the combination will not be CPA-secure
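
The tag leak from slide 22, as an added example that is not part of the original lecture: encrypt-and-authenticate built from a randomized counter-mode encryption and the length-prepended CBC-MAC of slide 14. The PRF F is a stand-in (HMAC-SHA256 truncated to 16 bytes, an assumption in place of a block cipher); the keys, messages and function names are constructed for illustration.

```python
import hashlib, hmac, os

N = 16  # block length in bytes
K1, K2 = bytes(range(16)), bytes(range(16, 32))  # constructed sample keys

def F(k, x):
    # Assumption: HMAC-SHA256 truncated to one block stands in for the PRF F_k.
    assert len(x) == N
    return hmac.new(k, x, hashlib.sha256).digest()[:N]

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))  # truncates to the shorter input

def cbc_mac(k, m):
    # Length-prepended CBC-MAC: basic CBC-MAC over (len(m) | m_1 | ... | m_l).
    assert len(m) % N == 0, "whole blocks only in this example"
    t = F(k, len(m).to_bytes(N, "big"))
    for i in range(0, len(m), N):
        t = F(k, xor(t, m[i:i + N]))
    return t  # deterministic: same key and message give the same tag

def keystream(k, r, n):
    blocks = (n + N - 1) // N
    return b"".join(F(k, r + i.to_bytes(4, "big")) for i in range(blocks))

def enc(k, m):
    # Randomized counter mode over F (CPA-secure if F is a PRF): fresh r per call.
    r = os.urandom(N - 4)
    return r + xor(m, keystream(k, r, len(m)))

def dec(k, c):
    r, body = c[:N - 4], c[N - 4:]
    return xor(body, keystream(k, r, len(body)))

def encrypt_and_authenticate(k1, k2, m):
    return enc(k1, m), cbc_mac(k2, m)  # the tag is computed on the plaintext

def decrypt_and_verify(k1, k2, c, t):
    m = dec(k1, c)
    return m if hmac.compare_digest(cbc_mac(k2, m), t) else None

def same_plaintext(pair_a, pair_b):
    # Needs no key: an eavesdropper compares the tags of two (c, t) pairs.
    return pair_a[1] == pair_b[1]

if __name__ == "__main__":
    a = encrypt_and_authenticate(K1, K2, b"pay 100 to alice")
    b = encrypt_and_authenticate(K1, K2, b"pay 100 to alice")
    print(a[0] != b[0], same_plaintext(a, b))  # ciphertexts differ, tags match
```

The ciphertexts of the two identical messages differ because of the fresh randomness in `enc`, yet their tags are equal, which is exactly the repeated-message leak that breaks CPA-security.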

