Lecture 3 Message Authentication and Hash Functions



Modern Cryptography
www.dziembowski.net/Studenti/BISS09
Lecture 3: Message Authentication and Hash Functions
Stefan Dziembowski, University of Rome La Sapienza
BiSS 2009, Bertinoro International Spring School, 2-6 March 2009
Plan
1. Introduction to message authentication codes (MACs).
2. Constructions of MACs:
   1. from pairwise independent functions
   2. from block ciphers
3. Hash functions:
   1. a definition
   2. constructions
   3. the “birthday attack”
   4. concrete functions
   5. a construction of MACs from hash functions
   6. the random oracle model
Message Authentication
Integrity: Alice sends a message M to Bob, and an adversary interferes with the transmission (modifies the message, or inserts a new one). How can Bob be sure that M really comes from Alice?
Sometimes integrity is more important than secrecy!
Example: Alice sends “transfer 1000 $ to Bob” to the Bank, and the adversary changes it into “transfer 1000 $ to Eve”.
Of course: usually we want both secrecy and integrity.
Does encryption guarantee message integrity?
Idea:
1. Alice encrypts m and sends c=Enc(k,m) to Bob.
2. Bob computes Dec(k,c), and if it “makes sense” accepts it.
Intuition: only Alice knows k, so nobody else can produce a valid ciphertext.
It does not work!
Example: one-time pad. The ciphertext is C = plaintext xor K. If the plaintext is “transfer 1000 $ to Bob”, then xoring the ciphertext with (“Eve” xor “Bob”) at the position of the name changes the decrypted plaintext into “transfer 1000 $ to Eve”, without any knowledge of K.
Message authentication
Alice and Bob share a key k. Alice sends (m, t=Tagk(m)); Bob verifies if t=Tagk(m).
Eve can see (m, t=Tagk(m)). She should not be able to compute a valid tag t’ on any other message m’.
Message authentication – multiple messages
Alice sends (m1, t=Tagk(m1)), (m2, t=Tagk(m2)), ..., (mw, t=Tagk(mw)) to Bob; both hold the same key k.
Eve, who sees all these pairs, should not be able to compute a valid tag t’ on any other message m’.
Message Authentication Codes – the idea
Alice and Bob share a key k, chosen randomly from some set (the key space). For a message m є {0,1}* Alice sends (m, t=Tagk(m)); Bob computes Vrfyk(m,t) є {yes,no}.
A mathematical view
K – key space, M – plaintext space, T – set of tags.
A MAC scheme is a pair (Tag, Vrfy), where
• Tag : K × M → T is a tagging algorithm,
• Vrfy : K × M × T → {yes, no} is a verification algorithm.
We will sometimes write Tagk(m) and Vrfyk(m,t) instead of Tag(k,m) and Vrfy(k,m,t).
Correctness
It should always hold that Vrfyk(m,Tagk(m)) = yes.
Conventions
If Vrfyk(m,t) = yes then we say that t is a valid tag on the message m.
If Tag is deterministic, then Vrfy just computes Tag and compares the result. In this case we do not need to define Vrfy explicitly.
How to define security?
We need to specify:
1. how the messages m1,...,mw are chosen,
2. what is the goal of the adversary.
Good tradition: be as pessimistic as possible! Therefore we assume that
1. The adversary is allowed to choose m1,...,mw.
2. The goal of the adversary is to produce a valid tag on some m’ such that m’ ≠ m1,...,mw.
The security game: on input the security parameter 1^n, the oracle selects a random k Є {0,1}^n. The adversary sends m1 and receives (m1, t=Tagk(m1)), ..., sends mw and receives (mw, t=Tagk(mw)).
We say that the adversary breaks the MAC scheme if at the end she outputs (m’,t’) such that
Vrfyk(m’,t’) = yes
and
m’ ≠ m1,...,mw.
The security definition
We say that (Tag,Vrfy) is secure if for every polynomial-time adversary A, P(A breaks it) is negligible (in n).
Aren’t we too paranoid?
Maybe it would be enough to require that the adversary succeeds only if he forges a message that “makes sense” (e.g.: forging a message that consists of random noise should not count).
Bad idea:
• hard to define,
• is application-dependent.
Warning: MACs do not offer protection against “replay attacks”.
An adversary can resend a pair (m, t) that Alice has already sent to Bob. Since Vrfy has no state (or “memory”) there is no way to detect that (m,t) is not fresh!
This problem has to be solved by the higher-level application (methods: time-stamping, sequence numbers...).
Authentication and Encryption
Usually we want to authenticate and encrypt at the same time. What is the right way to do it? There are several options:
• Encrypt-and-authenticate: c ← Enck1(m) and t ← Mack2(m) – wrong
• Authenticate-then-encrypt: t ← Mack2(m) and c ← Enck1(m||t) – better
• Encrypt-then-authenticate: c ← Enck1(m) and t ← Mack2(c) – the best
By the way: never use the same key for Enc and Mac: k1 and k2 have to be “independent”!
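The two points above (encryption alone gives no integrity, encrypt-then-authenticate with independent keys does) in one runnable example. This is an added illustration, not code from the lecture; it assumes the one-time pad as Enc and HMAC-SHA256 from the Python standard library as Mac, and the message and keys are constructed for the demo.

```python
import hashlib
import hmac
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # One-time pad: C = plaintext xor K, with K as long as the message and never reused.
    assert len(key) >= len(plaintext)
    return xor_bytes(plaintext, key[:len(plaintext)])


otp_decrypt = otp_encrypt  # xor is its own inverse


def rewrite_ciphertext(c: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """The slide's 'Eve xor Bob' observation: anyone who knows that the plaintext
    contains `old` at `offset` can make it decrypt to `new` instead, without the
    key, because Dec(k, c xor d) = m xor d for the one-time pad."""
    delta = xor_bytes(old, new)
    patched = xor_bytes(c[offset:offset + len(delta)], delta)
    return c[:offset] + patched + c[offset + len(delta):]


def encrypt_then_authenticate(k1: bytes, k2: bytes, m: bytes) -> tuple:
    # c <- Enc_k1(m), t <- Mac_k2(c), with k1 and k2 independent keys
    c = otp_encrypt(k1, m)
    t = hmac.new(k2, c, hashlib.sha256).digest()
    return c, t


def verify_then_decrypt(k1: bytes, k2: bytes, c: bytes, t: bytes):
    # Check the tag over the ciphertext first; decrypt only if it is valid.
    expected = hmac.new(k2, c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, t):
        return None
    return otp_decrypt(k1, c)


def demo() -> tuple:
    m = b"transfer 1000 $ to Bob"          # constructed sample message
    k1 = secrets.token_bytes(len(m))       # pad for Enc
    k2 = secrets.token_bytes(32)           # independent key for Mac
    pos = m.index(b"Bob")
    # Encryption alone: the modified ciphertext decrypts to a different, valid-looking message.
    c = otp_encrypt(k1, m)
    forged_plaintext = otp_decrypt(k1, rewrite_ciphertext(c, pos, b"Bob", b"Eve"))
    # Encrypt-then-authenticate: the same modification is rejected by the tag check.
    c, t = encrypt_then_authenticate(k1, k2, m)
    accepted = verify_then_decrypt(k1, k2, c, t)
    rejected = verify_then_decrypt(k1, k2, rewrite_ciphertext(c, pos, b"Bob", b"Eve"), t)
    return forged_plaintext, accepted, rejected
```

Note that the receiver verifies the tag before touching the plaintext, which is exactly what makes encrypt-then-authenticate the preferred order: nothing derived from an unauthenticated ciphertext is ever processed.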
Constructing a MAC
1. There exist MACs that are secure even if the adversary is infinitely powerful. These constructions are not practical.
2. MACs can be constructed from block ciphers. We will now discuss two constructions:
   – simple (and not practical),
   – a little bit more complicated (and practical) – a CBC-MAC.
3. MACs can also be constructed from hash functions (NMAC, HMAC).
Information-theoretically secure MACs
We now show a construction of information-theoretically secure MACs, i.e. MACs that are secure against an infinitely powerful adversary.
Our construction will be secure only if the key is never reused, like in the one-time pad encryption...
Observation
Eve can see (m, t=Tagk(m)). She should not be able to compute a valid tag t’ on any other message m’.
It is enough that any pair of variables in the set {Tm}m Є M, where Tm := TagK(m), is independent. This is called a set of pairwise independent variables. We are now going to construct such a set...
Pairwise independence
A set {Tm}m Є M of variables is pairwise independent if for every m0, m1 the variables Tm0 and Tm1 are independent.
This is not the same as saying that {Tm}m Є M are independent.
Idea: Linear function over Zp (where p is a large prime)
M = Zp, K = Zp × Zp, T = Zp; for example p = 2^107 - 1.
Tag((a,b), m) = am + b mod p
Intuition (picture on the slide): the tag is the line a·m + b evaluated at the point m; seeing its value at m0 says nothing about its value at m1.
Lemma. Let (A,B) be distributed uniformly over Zp × Zp. Then for every distinct m0 and m1 the following variables are independent:
(A·m0 + B) and (A·m1 + B).
Proof. Clearly, each of those variables is distributed uniformly over Zp and hence for every (x,y) we have
P(A·m0 + B = x) · P(A·m1 + B = y) = 1/p · 1/p = 1/p^2.
Therefore it suffices to show that
P(A·m0 + B = x and A·m1 + B = y) = 1/p^2.
This is equivalent to the fact that the following system of linear equations (over Zp) has exactly one solution (where a and b are the unknowns):
a·m0 + b = x
a·m1 + b = y
Clearly if m0 ≠ m1 then
det [ m0 1 ; m1 1 ] = m0 - m1 ≠ 0.
Thus we are done.
Can we reuse the same key many times?
After seeing two values
Tag(k,m0) = A·m0 + B
Tag(k,m1) = A·m1 + B
(for m0 ≠ m1) the adversary can compute (A,B) by solving a system of linear equations.
It can be shown that in general the length of the key has to be proportional to the total length of the authenticated messages.
How to authenticate more messages with one short key k?
Simple idea: for every new message mi generate pseudorandomly a new key ki for the one-time MAC. A PRG G expands k into k1, k2, k3, ..., and the messages are tagged as Tag(k1,m1), Tag(k2,m2), Tag(k3,m3), ...
This can be proven secure!
A new member of “Minicrypt”
one-way functions exist ⇔ cryptographic PRGs exist (this we already knew);
cryptographic PRGs exist ⇒ computationally-secure MACs exist (this we have just proven);
computationally-secure MACs exist ⇒ one-way functions exist (this can be proven).
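The one-time MAC Tag((a,b), m) = am + b mod p from the slides, as an added worked example (not code from the lecture). It checks the lemma exhaustively for a small prime, shows why the key cannot be reused (two tags determine (a,b) by solving the 2×2 system), and derives per-message keys from one short master key. The expander `derive_one_time_keys` is a stand-in for the PRG G, built from SHA-256 in counter mode; that choice, and the use of p = 2^107 - 1 as the default modulus, are assumptions of this example.

```python
import hashlib
import secrets
from collections import Counter

P = 2**107 - 1   # the prime from the slides


def keygen(p: int = P) -> tuple:
    # k = (a, b) chosen uniformly from Z_p x Z_p
    return secrets.randbelow(p), secrets.randbelow(p)


def tag(key: tuple, m: int, p: int = P) -> int:
    # Tag((a,b), m) = a*m + b mod p
    a, b = key
    return (a * m + b) % p


def verify(key: tuple, m: int, t: int, p: int = P) -> bool:
    return tag(key, m, p) == t


def joint_tag_distribution(p: int, m0: int, m1: int) -> Counter:
    """The lemma, checked exhaustively for a small prime p: count the pair
    (Tag(m0), Tag(m1)) over ALL p^2 keys. For m0 != m1 every (x, y) in Z_p x Z_p
    must appear exactly once, i.e. the two tags are independent and uniform."""
    return Counter((tag((a, b), m0, p), tag((a, b), m1, p))
                   for a in range(p) for b in range(p))


def recover_key(m0: int, t0: int, m1: int, t1: int, p: int = P) -> tuple:
    """Why the key must not be reused: two tagged messages with m0 != m1 give
    a*m0 + b = t0 and a*m1 + b = t1, a 2x2 linear system over Z_p with a unique
    solution (the determinant m0 - m1 is nonzero)."""
    a = (t0 - t1) * pow((m0 - m1) % p, -1, p) % p
    b = (t0 - a * m0) % p
    return a, b


def derive_one_time_keys(master: bytes, count: int, p: int = P) -> list:
    """Stand-in for the PRG G on the slides (assumption: SHA-256 in counter mode
    as the expander): one short master key -> one fresh key (a_i, b_i) per
    message, so that every message is tagged with a key used only once."""
    keys = []
    for i in range(count):
        stream = b"".join(hashlib.sha256(master + i.to_bytes(4, "big") + bytes([j])).digest()
                          for j in range(2))
        a = int.from_bytes(stream[:32], "big") % p   # 256-bit values reduced mod a
        b = int.from_bytes(stream[32:], "big") % p   # 107-bit prime: bias is negligible
        keys.append((a, b))
    return keys
```

`joint_tag_distribution(7, 2, 5)` returns 49 distinct pairs, each seen exactly once, while `joint_tag_distribution(7, 3, 3)` collapses to the 7 diagonal pairs: pairwise independence holds only between distinct messages, which is all the one-time MAC needs.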
A simple construction from a block cipher
Let F : {0,1}^n × {0,1}^n → {0,1}^n be a block cipher (we write Fk(m) for F(k,m)).
We can now define a MAC scheme that works only for messages m Є {0,1}^n as follows:
• Mac(k,m) = F(k,m)
It can be proven that it is a secure MAC.
How to generalize it to longer messages?
Idea 1
• divide the message into blocks m1,...,md
• and authenticate each block separately: the tag is (F(k,m1), ..., F(k,md)).
This doesn’t work!
What goes wrong?
Take m with tag t = Tagk(m). For any permutation perm of the block positions let m’ = perm(m) and t’ = perm(t). Then t’ is a valid tag on m’.
Idea 2
Add a counter to each block: xi = i || mi, and the tag is (F(k,x1), ..., F(k,xd)).
This doesn’t work either!
What goes wrong?
Take m with tag t = Tagk(m). Let m’ = a prefix of m and t’ = the corresponding prefix of t. Then t’ is a valid tag on m’.
Idea 3
Add l := |m| to each block: xi = l || i || mi, and the tag is (F(k,x1), ..., F(k,xd)).
This doesn’t work either!
What goes wrong?
Take two messages m and m’ of the same length with tags t = Tagk(m) and t’ = Tagk(m’). Let m’’ = first half from m || second half from m’ and t’’ = first half from t || second half from t’. Then t’’ is a valid tag on m’’.
Idea 4
Add a fresh random value to each block!
tagk(m): let n be the block length; choose r randomly; split m into blocks m1, ..., md with |mi| = n/4 (pad with zeroes if needed); set xi = r || l || i || mi (each of the four parts n/4 bits long, l = |m|); output (r, F(k,x1), F(k,x2), ..., F(k,xd)).
This works!
This construction can be proven secure
Theorem. Assuming that F : {0,1}^n × {0,1}^n → {0,1}^n is a pseudorandom permutation, the construction from the previous slide is a secure MAC.
Proof idea: Suppose it is not a secure MAC. Let A be an adversary that breaks it with a non-negligible probability. We construct a distinguisher D that distinguishes F from a random permutation.
This construction is not practical
Problem: the tag is 4 times longer than the message... We can do much better!
CBC-MAC
Let F : {0,1}^n × {0,1}^n → {0,1}^n be a block cipher.
tagk(m): split m into blocks m1, m2, m3, ..., md (pad with zeroes if needed); compute z0 = Fk(|m|), z1 = Fk(z0 xor m1), z2 = Fk(z1 xor m2), ..., zd = Fk(z(d-1) xor md), and output zd as the tag.
Other variants exist!
Why is the |m| block needed?
Suppose we do not prepend |m|...
For one-block messages the adversary obtains t1 = tagk(m1) = Fk(m1) and t2 = tagk(m2) = Fk(m2). She then chooses m’ = m1 || (m2 xor t1) and can compute its tag herself: t’ = tagk(m’) = Fk(Fk(m1) xor (m2 xor t1)) = Fk(m2) = t2.
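CBC-MAC with the length block, and the observation from the last slide that without it the tag of m1 || (m2 xor t1) is t2, as an added example (not code from the lecture). Python's standard library has no block cipher, so `F` here is a keyed function built from SHA-256; it is a PRF stand-in rather than a permutation, which is an assumption of this example (a real implementation would use AES from a cryptographic library). The keys and messages are constructed for the demo.

```python
import hashlib
import hmac

BLOCK = 16  # n = 128 bits


def F(k: bytes, x: bytes) -> bytes:
    """Stand-in for the block cipher F_k (assumption for this demo): a keyed function
    built from SHA-256. It is a PRF, not a permutation; in real code use AES from a
    cryptographic library. Only the keyed-function property matters below."""
    assert len(x) == BLOCK
    return hashlib.sha256(k + x).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_blocks(m: bytes) -> list:
    # m1, ..., md with |mi| = n, the last block padded with zeroes if needed
    padded = m + b"\x00" * (-len(m) % BLOCK)
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]


def cbc_mac(k: bytes, m: bytes, prepend_length: bool = True) -> bytes:
    # z0 = F_k(|m|)  (or the all-zero block in the variant without |m|),
    # z_i = F_k(z_{i-1} xor m_i), tag = z_d
    z = F(k, len(m).to_bytes(BLOCK, "big")) if prepend_length else bytes(BLOCK)
    for mi in split_blocks(m):
        z = F(k, xor(z, mi))
    return z


def cbc_mac_verify(k: bytes, m: bytes, t: bytes) -> bool:
    # constant-time comparison so that verification leaks nothing about the tag
    return hmac.compare_digest(cbc_mac(k, m), t)


def length_block_matters(k: bytes) -> tuple:
    """Slide 41 replayed on both variants. From the one-block tags t1 = tag(m1),
    t2 = tag(m2), the two-block message m' = m1 || (m2 xor t1) has, in the variant
    without |m|, exactly the tag t2 (a valid tag on a message that was never tagged).
    With |m| prepended the chain for m' starts from F_k(2n) instead of F_k(n), so the
    relation breaks. Returns (holds_without_length, holds_with_length)."""
    m1, m2 = b"A" * BLOCK, b"B" * BLOCK
    t1 = cbc_mac(k, m1, prepend_length=False)
    t2 = cbc_mac(k, m2, prepend_length=False)
    without = cbc_mac(k, m1 + xor(m2, t1), prepend_length=False) == t2
    t1L, t2L = cbc_mac(k, m1), cbc_mac(k, m2)
    with_length = cbc_mac(k, m1 + xor(m2, t1L)) == t2L
    return without, with_length
```

The check that matters for a verifier is `cbc_mac_verify`: recompute the tag over the received message and compare in constant time; the length block at the start is what makes the recomputation depend on |m| before the first message block is absorbed.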
Some practitioners don’t like the CBC-MAC
We don’t want to authenticate using block ciphers!
What do you want to use instead?
Hash functions!
Why? Because:
1. they are more efficient,
2. they are not protected by the export regulations.
Another idea for authenticating long messages
Compute Fk(h(m)): first compress the long m with a “hash function” h to a short h(m), then apply a block cipher Fk with the key k.
By the way: a similar method is used in public-key cryptography (it is called “hash-and-sign”).
How to formalize it?
We need to define what a “hash function” is. The basic property that we require is “collision resistance”.
Collision-resistant hash functions
A hash function H : {0,1}* → {0,1}^L maps a long m to a short H(m).
Collision-resistance
A “collision” is a pair (m,m’) of distinct messages such that H(m) = H(m’). Requirement: it should be hard to find such a pair.
Collisions always exist
Since the domain is larger than the range, collisions have to exist.
Hash functions are a bit similar to error-correcting codes
Difference between hash functions and error-correcting codes:
• error-correcting codes are secure against random errors,
• collision-resistant hash functions are secure against intentional errors.
A bit like: pseudorandom generators vs. cryptographic pseudorandom generators.
“Practical definition”
H is a collision-resistant hash function if it is “practically impossible to find collisions in H”.
Popular hash functions:
• MD5 (now considered broken)
• SHA1
• ...
How to formally define “collision resistance”?
Idea
Say something like: H is a collision-resistant hash function if for every efficient adversary A, P(A finds a collision in H) is small.
Problem
For a fixed H there always exists a constant-time algorithm that “finds a collision in H”: the algorithm that simply outputs a colliding pair hard-wired into its code. It may be hard to find such an algorithm, but it always exists!
Solution
When we prove theorems we will always consider families of hash functions {Hs} s є keys, indexed by a key s.
Informal description: every party in the protocol “knows H” and evaluates H.
Formal model: s is chosen randomly and every party evaluates Hs.
Real-life implementation (example): every party “knows SHA1” and evaluates SHA1.
Hash functions – the functional definition
A hash function is a probabilistic polynomial-time algorithm H such that: H takes as input a key s є {0,1}^n and a message x є {0,1}* and outputs a string Hs(x) є {0,1}^L(n), where L(n) is some fixed function.
Hash functions – the security definition [1/2]
On input 1^n the challenger selects a random s є {0,1}^n and hands s to the adversary A, who outputs (m,m’). We say that adversary A breaks the function H if m ≠ m’ and Hs(m) = Hs(m’).
Hash functions – the security definition [2/2]
H is a collision-resistant hash function if for every polynomial-time adversary A, P(A breaks H) is negligible.
How to formalize our idea?
Recall the idea: authenticate a long m as Fk(h(m)), where h is a “hash function” and Fk is a block cipher with key k.
Authentication scheme – formally
A key for the MAC is a pair (s,k): s is a key for the hash function H and k is a key for the PRF F.
Tag((k,s),m) = Fk(Hs(m))
Theorem. If H and F are secure then Tag is secure.
This is proven as follows. Suppose we have an adversary that breaks Tag. Then we can construct either a distinguisher for F or an adversary for H; each of them simulates the adversary against Tag.
Do collision-resistant hash functions belong to minicrypt?
collision-resistant hash functions exist ⇒ one-way functions exist: easy exercise.
one-way functions exist ⇒ collision-resistant hash functions exist: open problem.
[D. Simon: Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions? 1998]: there is no “black-box reduction”.
A common method for constructing hash functions
1. Construct a “fixed-input-length” collision-resistant hash function h : {0,1}^(2·L) → {0,1}^L (it maps a 2·L-bit input m to an L-bit output h(m)). Call it: a collision-resistant compression function.
2. Use it to construct a hash function.
An idea
Split m (of length t) into blocks m1, m2, ..., mB with mi є {0,1}^L (pad with zeroes if needed). Set z1 = IV (which can be arbitrary), compute zi+1 = h(zi || mi), and output H(m) = zB+1.
This doesn’t work...
Why is it wrong?
If we set m’ = m || 0000 then H(m’) = H(m).
Solution: add a block encoding “t”: mB+1 := t.
Merkle-Damgård transform
Given h : {0,1}^(2L) → {0,1}^L we construct H : {0,1}* → {0,1}^L as follows. Split m (of length t, which doesn’t need to be known in advance – nice!) into blocks m1, ..., mB with mi є {0,1}^L (pad with zeroes if needed), append the block mB+1 := t, set z1 = IV, compute zi+1 = h(zi || mi) for i = 1, ..., B+1, and output H(m) = zB+2.
This construction is secure
We would like to prove the following:
Theorem. If h : {0,1}^(2L) → {0,1}^L is a collision-resistant compression function then H : {0,1}* → {0,1}^L is a collision-resistant hash function.
But wait…. It doesn’t make sense… (collision resistance was defined for families of functions, not for a single fixed function).
We need to consider hash function families
Suppose (gen,h) is a collision-resistant hash function such that for every s є {0,1}^n we have hs : {0,1}^(2L(n)) → {0,1}^L(n), mapping a 2·L(n)-bit m to an L(n)-bit h(m).
We now show how to transform such an h into a hash function H. How?
1. The key s is the same in H as in h.
2. Use the same construction as before.
Merkle-Damgård transform
Given hs : {0,1}^(2L(n)) → {0,1}^L(n) we construct Hs : {0,1}* → {0,1}^L(n) exactly as before: blocks m1, ..., mB with mi є {0,1}^L(n) (zero-padded), mB+1 := t, z1 = IV, zi+1 = hs(zi || mi), and H(m) = zB+2.
This construction is secure
Theorem. If h is a collision-resistant hash function then H is a collision-resistant hash function.
Proof. Suppose A is a polynomial-time adversary that breaks H with a non-negligible probability. We construct a polynomial-time adversary a that breaks h with a non-negligible probability.
The reduction: a receives s ← {0,1}^n, forwards s to A and simulates A. When A outputs a collision (m,m’) in Hs, a should output a collision (x,y) in hs.
How to compute a collision (x,y) in h from a collision (m,m’) in H?
We consider two options:
1. |m| = |m’|
2. |m| ≠ |m’|
Option 1: |m| = |m’|
Some notation: for m write m1, m2, ..., mB, mB+1 := t for the blocks and z1 = IV, z2, ..., zB+1, zB+2 = H(m) for the chaining values (zi+1 = h(zi || mi)); for m’ write m’1, ..., m’B, m’B+1 := t and z’1 = IV, ..., z’B+1, z’B+2 = H(m’).
Since H(m) = H(m’) the final values zB+2 and z’B+2 are equal, while at the beginning (m1, z1) and (m’1, z’1) may differ. Let i* be the least i > 1 such that (mi,zi) = (m’i,z’i) (at position B+2 there is no block, so only zB+2 = z’B+2 is compared). Because m ≠ m’ such an i* > 1 always exists!
So, we have found a collision! zi* = z’i* (equal), but (mi*-1, zi*-1) ≠ (m’i*-1, z’i*-1) (not equal), i.e. h(zi*-1 || mi*-1) = h(z’i*-1 || m’i*-1) on two different inputs.
Option 2: |m| ≠ |m’|
Here H(m) = h(zB+1 || mB+1) and H(m’) = h(z’B’+1 || m’B’+1) are equal, but the last block encodes the length of the message, so mB+1 ≠ m’B’+1 and the two inputs to h cannot be equal! So, again we have found a collision!
Finalizing the proof
So, if A breaks H with probability ε(n), then a breaks h with probability ε(n). If A runs in polynomial time, then a also runs in polynomial time.
QED
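The Merkle-Damgård transform and the reduction from its proof, as an added example (not code from the lecture): `md_chain` builds the blocks, the length block mB+1 := t and the chaining values z1, ..., zB+2, and `extract_h_collision` turns a collision in H into a collision in h, handling both options from the proof. To make a collision in H findable by brute force, the compression function is a toy: SHA-256 truncated to L = 16 bits. That toy h, the zero IV and the constructed messages are assumptions of this example.

```python
import hashlib

L = 2           # output length in bytes (16 bits): a TOY size, chosen so that a
                # collision in H can be found by brute force; real L is 32 or more
IV = bytes(L)   # arbitrary fixed IV


def h(x: bytes) -> bytes:
    # Toy compression function h : {0,1}^(2L) -> {0,1}^L (assumption: truncated SHA-256)
    assert len(x) == 2 * L
    return hashlib.sha256(x).digest()[:L]


def md_chain(m: bytes, length_block: bool = True) -> tuple:
    """Merkle-Damgard: blocks m1..mB (zero-padded), optionally mB+1 := |m|,
    z1 = IV, z_{i+1} = h(z_i || m_i). Returns (blocks, [z1, ..., z_{B+2}])."""
    padded = m + b"\x00" * (-len(m) % L)
    blocks = [padded[i:i + L] for i in range(0, len(padded), L)]
    if length_block:
        blocks.append(len(m).to_bytes(L, "big"))
    z = [IV]
    for mi in blocks:
        z.append(h(z[-1] + mi))
    return blocks, z


def H(m: bytes, length_block: bool = True) -> bytes:
    return md_chain(m, length_block)[1][-1]


def extract_h_collision(m: bytes, m2: bytes) -> tuple:
    """The reduction from the proof: from m != m2 with H(m) == H(m2) compute
    x != y with h(x) == h(y). Different block counts: the last inputs to h differ
    in the length block (option 2). Same block count: walk back from the end to
    the last position i where (z_i, m_i) != (z'_i, m'_i); the outputs
    z_{i+1} = z'_{i+1} are still equal there (option 1)."""
    assert m != m2 and H(m) == H(m2)
    b1, z1 = md_chain(m)
    b2, z2 = md_chain(m2)
    if len(b1) != len(b2):
        return z1[-2] + b1[-1], z2[-2] + b2[-1]
    for i in range(len(b1) - 1, -1, -1):
        x, y = z1[i] + b1[i], z2[i] + b2[i]
        if x != y:
            return x, y
    raise AssertionError("unreachable: m != m2 implies some input to h differs")


def find_H_collision(max_tries: int = 1 << 17) -> tuple:
    # Brute-force search over constructed messages; feasible only because L is 16 bits.
    seen = {}
    for i in range(max_tries):
        m = b"msg-%d" % i
        d = H(m)
        if d in seen:
            return seen[d], m
        seen[d] = m
    raise RuntimeError("no collision found")
```

With `length_block=False` the function reproduces the flawed first idea: `H(b"abc", False)` and `H(b"abc\x00", False)` are equal because zero padding makes the two block sequences identical, and no input to h differs, so nothing can be extracted from that “collision”; with the length block every H collision yields an h collision.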
Generic attacks on hash functions
Remember the brute-force attacks on encryption schemes? For hash functions we can do something slightly smarter... It is called a “birthday attack”.
The birthday paradox
Suppose we have a random function H : A → B. Take n values x1,...,xn. Let p(n) be the probability that there exist distinct i,j such that H(xi) = H(xj).
If n ≥ |B| then trivially p(n) = 1.
Question: How large does n need to be to get p(n) = 1/2?
Answer: n ≈ √|B|.
More precisely we have:
n(n-1) / (4|B|) ≤ p(n) ≤ n^2 / (2|B|)
Why is it called “a birthday paradox”?
Set H : people → birthdays.
Q: How many random people do you need to take to know that with probability 0.5 at least 2 of them have their birthday on the same day?
A: 23 is enough! Counterintuitive...
How does the birthday attack work?
For a hash function H : {0,1}* → {0,1}^L take a random X – a subset of {0,1}^(2L), such that |X| = 2^(L/2). With probability around 0.5 there exist x,x’ є X such that H(x) = H(x’). A pair (x,x’) can be found in time O(|X| log |X|) and space O(|X|).
Moral
L has to be such that an attack that needs 2^(L/2) steps is infeasible.
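The birthday bound from the slides, checked numerically, and the generic collision search it describes, as an added example (not code from the lecture). `birthday_bounds` evaluates n(n-1)/(4|B|) and n^2/(2|B|); `estimate_collision_probability` measures p(n) for a random function by simulation, with a seeded pseudorandom generator standing in for the random function (an assumption of this example); `birthday_search` runs the table-based search against a toy 16-bit hash (SHA-256 truncated, another assumption) so that 2^(L/2) = 256 samples are enough to see the effect.

```python
import hashlib
import random


def birthday_bounds(n: int, B: int) -> tuple:
    """The slide's bounds on p(n) for n samples into a range of size B = |B|:
    n(n-1)/(4B) <= p(n) <= n^2/(2B)."""
    return n * (n - 1) / (4 * B), n * n / (2 * B)


def estimate_collision_probability(n: int, B: int, trials: int, seed: int = 1) -> float:
    """Empirical p(n) for a random function into a range of size B: in each trial
    draw n uniform outputs (a seeded generator stands in for the random function)
    and record whether any value repeats."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        outputs = set()
        for _ in range(n):
            y = rng.randrange(B)
            if y in outputs:
                hits += 1
                break
            outputs.add(y)
    return hits / trials


def truncated_hash(x: bytes, L_bits: int) -> int:
    # H : {0,1}* -> {0,1}^L, modelled here by SHA-256 truncated to L bits (toy setting)
    return int.from_bytes(hashlib.sha256(x).digest(), "big") >> (256 - L_bits)


def birthday_search(L_bits: int, max_samples: int):
    """Generic collision search: hash the samples x_1, x_2, ... and keep a table of
    the values seen so far (space O(|X|); time O(|X| log |X|) with a sorted table,
    O(|X|) expected with a hash table). Returns (x, x', samples_used) or None.
    With about 2^(L/2) samples the success probability is around 1/2, and the
    pigeonhole principle guarantees success after 2^L + 1 samples."""
    seen = {}
    for i in range(max_samples):
        x = i.to_bytes(4, "big")          # constructed distinct inputs
        y = truncated_hash(x, L_bits)
        if y in seen:
            return seen[y], x, i + 1
        seen[y] = x
    return None
```

For the birthday setting `birthday_bounds(23, 365)` gives roughly 0.35 ≤ p(23) ≤ 0.72, bracketing the 0.5 of the puzzle; for a 16-bit range and n = 256 the simulated p(n) lands near 0.39, inside the bounds 0.25 and 0.5. The same arithmetic with L = 128 gives 2^64 steps, which is why output lengths below that are considered too short.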
Concrete functions
• MD5,
• SHA-1, SHA-256, ...
• ....
all use (variants of) the Merkle-Damgård transformation.
Hash functions can also be constructed using number theory.
MD5 (Message-Digest Algorithm 5)
• output length: 128 bits,
• designed by Rivest in 1991,
• in 1996, Dobbertin found collisions in the compression function of MD5,
• in 2004 a group of Chinese mathematicians designed a method for finding collisions in MD5,
• there exists a tool that finds collisions in MD5 at a speed of 1 collision / minute (on a laptop computer).
Is MD5 completely broken?
The attack would be practical if the colliding documents “made sense”...
In 2005 A. Lenstra, X. Wang, and B. de Weger found X.509 certificates with different public keys and the same MD5 hash.
SHA-1 (Secure Hash Algorithm)
• output length: 160 bits,
• designed in 1993 by the NSA,
• in 2005 Xiaoyun Wang, Andrew Yao and Frances Yao presented an attack that runs in time 2^63,
• still rather secure, but new hash algorithms are needed!
The US National Institute of Standards and Technology is currently running a competition for a new hash algorithm.
What does the industry say about the “hash and authenticate” method?
The block cipher is still there... Why don’t we just hash a message together with a key, MACk(m) = H(k || m)?
It’s not secure!
Suppose H was constructed using the MD-transform. Then MACk(m) is the last chaining value of the chain IV → (block k) → z2 → (blocks of m) → zB → (length block t) → MACk(m). The chain for m||t is the same chain continued by one more step: IV → k → z2 → m → zB → t → MACk(m) → (length block t+L) → MACk(m||t). So MACk(m||t) follows from MACk(m) and the public length alone, without any knowledge of k: a valid tag on a message that was never tagged.
A better idea
M. Bellare, R. Canetti, and H. Krawczyk (1996):
• NMAC (Nested MAC)
• HMAC (Hash based MAC)
have some “provable properties”. They both use the Merkle-Damgård transform.
Again, let h : {0,1}^(2L) → {0,1}^L be a compression function.
NMAC
NMAC(k1,k2)(m): run the Merkle-Damgård chain starting from k1 in place of the IV over the blocks m1, ..., mB (padded with zeroes if needed) and mB+1 := |m|; then apply h once more, with k2 as the chaining input, to the result.
What can be proven
Suppose that
1. h is collision-resistant,
2. the following function is a secure MAC: MACk2(m) = h(k2 || m).
Then NMAC is a secure MAC.
Looks better, but
1. our libraries do not permit changing the IV,
2. the key is too long: (k1,k2).
HMAC is the solution!
HMAC
HMACk(m): compute the inner hash H((k xor ipad) || m) from the standard IV (blocks: k xor ipad, m1, ..., mB, mB+1 := |m|), then the outer hash H((k xor opad) || inner hash), again from the standard IV; here ipad = 0x36 repeated and opad = 0x5C repeated.
HMAC – the properties
Looks complicated, but it is very easy to implement (given an implementation of H):
HMACk(m) = H((k xor opad) || H((k xor ipad) || m))
It has some “provable properties” (slightly weaker than NMAC).
We like it! Widely used in practice.
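The formula above written out with SHA-256 as H, as an added example (not code from the lecture or from the HMAC authors), cross-checked against the standard library's `hmac` module and against the first HMAC-SHA256 test vector of RFC 4231. One detail the formula leaves implicit and the code makes explicit: k is zero-padded to the block size of H (64 bytes for SHA-256) before xoring with ipad/opad, and a longer key is hashed first; the sample keys and messages are constructed for the demo.

```python
import hashlib
import hmac


def hmac_from_scratch(key: bytes, m: bytes, H=hashlib.sha256) -> bytes:
    """HMAC_k(m) = H((k xor opad) || H((k xor ipad) || m)) with ipad = 0x36 and
    opad = 0x5C repeated. k is first padded with zero bytes to the block size of H
    (64 bytes for SHA-256) so that it fills exactly one Merkle-Damgard block;
    a key longer than the block size is replaced by H(key)."""
    block_size = H().block_size
    if len(key) > block_size:
        key = H(key).digest()
    key = key.ljust(block_size, b"\x00")
    k_ipad = bytes(b ^ 0x36 for b in key)
    k_opad = bytes(b ^ 0x5C for b in key)
    inner = H(k_ipad + m).digest()
    return H(k_opad + inner).digest()


def hmac_verify(key: bytes, m: bytes, tag: bytes) -> bool:
    # constant-time comparison: a plain == would leak timing information about the tag
    return hmac.compare_digest(hmac_from_scratch(key, m), tag)


def matches_stdlib(key: bytes, m: bytes) -> bool:
    # cross-check against the standard library's implementation
    return hmac_from_scratch(key, m) == hmac.new(key, m, hashlib.sha256).digest()


# RFC 4231 test case 1 (HMAC-SHA256), used below to check the implementation
RFC4231_KEY = b"\x0b" * 20
RFC4231_DATA = b"Hi There"
RFC4231_TAG_HEX = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"
```

The outer hash is what defeats the length-extension problem of H(k || m): its input is the fixed-size inner digest, so the chaining state of the inner computation never appears in the tag.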
Other uses of “hash functions”
Hash functions are used by practitioners to convert “non-uniform randomness” into a uniform one.
Example: a hash function H : {0,1}* → {0,1}^L is applied to user-generated randomness X (key strokes, mouse movements, etc.) to obtain a shorter “uniformly random” H(X).
How to formalize it?
Random oracle model
[Bellare, Rogaway, Random Oracles are Practical: A Paradigm for Designing Efficient Protocols, 1993]
Idea: model the hash function as a random oracle. H : {0,1}* → {0,1}^L is a completely random function, accessed by sending x to the oracle and receiving H(x).
Remember the pseudorandom functions? There we also used a random function F : {0,1}^m → {0,1}^m. Crucial difference: here also the adversary can query the oracle.
Informal description: every party in the protocol “knows H”.
Formal model: every call to H : {0,1}* → {0,1}^L is replaced with a query to the oracle; also the adversary is allowed to query the oracle.
How would we use it in the proof?
Take again the hash function H : {0,1}* → {0,1}^L applied to user-generated randomness X. As long as the adversary never queried the oracle on X, the value H(X) “looks completely random to him”.
Criticism of the Random Oracle Model
[Canetti, Goldreich, Halevi: The random oracle methodology, revisited. 1998]
There exists a signature scheme that is
• secure in ROM
but
• is not secure if the random oracle is replaced with any real hash function.
This example is very artificial. No “realistic” example of this type is known.
Terminology
Model without the random oracles:
• “plain model”
• “cryptographic model”
Random Oracle Model is also called the “Random Oracle Heuristic”.
Common view: a ROM proof is better than nothing.
Let us look again at the plan of the course
plan of the course:
                  private key                      public key
encryption        1. private key encryption        3. public key encryption
authentication    2. private key authentication    4. signatures
5. advanced cryptographic protocols
Outlook
Cryptography is either
• “information-theoretic”, “unconditional”: one time pad, quantum cryptography, ...
• “computational”: based on 2 simultaneous assumptions:
  1. some problems are computationally difficult,
  2. our understanding of what “computational difficulty” means is correct.
Symmetric cryptography
Symmetric cryptography covers encryption and authentication.
Basic information-theoretic tools
• xor (one-time pad)
• two-wise independent functions
Basic tools from computational cryptography
• one-way functions
• pseudorandom generators
• pseudorandom functions/permutations
• hash functions
A method for proving security: reductions
Minicrypt (diagram on the slide): P ≠ NP, hash functions, one-way functions, pseudorandom generators, pseudorandom functions/permutations, computationally-secure authentication, computationally-secure encryption. In general the picture is much more complicated!
Plan for the next lectures
Plan of the course (the same table as above): we will now go to the public-key part (3. public key encryption), but first we need to have some number theory brush-up.
©2009 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of
this material is currently granted without fee provided that copies are made only for
personal or classroom use, are not distributed for profit or commercial advantage, and
that new copies bear this notice and the full citation.