Merkle- Suppose H is a Damgaord hash function built from a secure compression function

: several to build a function ways keyed

: m : = H Ilm 1 . end FCK ) (k ) Prep key , " " ↳ - Insecure due to structure of Merkle : can mount an extension attack: H (KH m) can Barnyard given , compute ' Hlkllmllm ) by extending Merkle- Danged chain

= : m : 2 . FCK ) 11k) Append key , Hlm

↳ - - to : Similar to hash then MAC construction and vulnerable same offline attack adversary finds a collision in the

- - > Merkle and uses that to construct a for SHA I used PDF files Barnyard prefix forgery f , they

↳ - Structure in SHA I (can matches exploited collision demonstration generate arbitrary collisions once prefix )

' = : FCK m - H on h 3. method , ) ( K HMH K) for reasonable randomness ( both Envelope pseudo assumptions e.g ,

: = - = i - - : F ( m m } : h K m h m k 4. nest ( ki ) H Ck H (k m ( , and m ( ) is a PRF both Two , kz , ) (ka HH , )) F- , ) ) Falk , ) , ) key ,

- of these constructions are secure PRFS on a variable size domain

hash- based MAC ✓

a the - nest with correlated : HMAC is PRF / MAC based on two key (though keys)

: = m H H ka m HMACCK ( K H ( , )) , ) ,

where k ← k ④ and kz ← k to , ipad opad

and and are fixed ( in the HMAC standard) ipad opad strings specified I 0×36 repeated %x5C repeated

: k . a Since , and ka are correlated need to make on h remains under Sety , stronger assumption security leg , pseudorandom related attack)

Instantiations : denoted HMAC- H where H is the hash function Typically ,

HMAC- SHAI %"

- - HMAC SHA256 one of the most - used MAC on the web (used in IPsec SSH and more widely SSLITLS, , , )

: Recall that under reasonable HMAC is a secure PRF HMACy¥ahi assumptions ,

In we need to derive from a master derived from a ) many protocols, multiple keys single key leg, password

↳ : To derive a PRF is a natural multiple independent cryptographic keys , primitive ← " " Keno H MAC (k master eric ) PRF derived are from , security says keys computationally indistinguishable

← " " mac ) k mac HMAC (kmaster uniform , ) T derived master ( has to be unique) keys key ttag just This approach is used in TLS and IPsec to derive session keys durin session setup " " ↳ - General - based - derivation (HKDF RFC paradigm is the expand step in hash key 5869) ↳ Consists of two procedures :

- : derive a master from Extract key entropy

source a user ) leg, password

- Expand: derive sub- keys from the master key Both steps rely on HMAC ? How do we combine confidentiality and integrity

↳ with schemes - Systems both guarantees are called encryptionoutdated gold standard for symmetric encryption touring : ← - - to secure l. then MAC (TLS 1.2T IPsec be secure if we instantiate CPA Encrypt , ) guaranteed using encryption and a secure MAC - - 2. MAC then (SSL 301%510 802 . "i ) encrypt , T as we will see secure , not always

scheme :( is an authenticated scheme satisfies the two : . An if it Definition encryption The Encrypt,Decrypt) encryption following properties

- CPA security ( confidentiality] - ( ciphertext integrity integrity ]

- challenger adversary KEK mi -

C - ←Entmf§ L to denote - invalid f- special symbol ciphertext

1 c {Ci Cz . . . if . } output ¢ , [ and (k =L I Decrypt , c)

CI Define Adv CA Tse ] to be the that of above is 1 . The scheme TISE satisfies , probability output experiment it for all efficient adversaries A ciphertext integrity , CIAdv CA THE ] = ) , negkx ← determines security parameter key length

cannot with a : it can are those that are ciphertext integrity says adversary come up new ciphertext only ciphertext generate

valid . do ? already Why we want this property Encrypted under KA KA KB KE , Consider the following active attack scenario: IE mail server - with Each user shares a key a mail server ( c) KA x. - /To:BoT/ -Message To send mail user and send to mail server Alice ... , encrypts contents under - Encrypted Mail server the email re- it under 's and delivers email , recipient kB decrypts encrypts key Eve intercepts and modifies message Encrypted under Kp If Eve is able to with the , KA KE tamper encrypted message , KB Eve / if mail server then she is able to learn the encrypted contents (even

the - scheme is CPA secure) [m°e/¥ ke ka k, ↳ peed More an can and 's Alice Bob , tamper inject ciphertext broadly adversary under KE into a system and observe the user's behavior to learn information

- the values active attackers we need notion of about decrypted against , stronger security - scheme ( is secure chosen- attacks (CCA secure all efficient . An Definition encryption Tls Encrypt, Decrypt) against ciphertext ) if for

= : adversaries A CCAAdv CA TSE . where we define TSE] as follows , , ] negl CCAADVCA,

b. C- {on} adversary I

" ← k ) Ci Encrypt ( , mi ±÷:¥"¥tc- b' Eloi) [ make and adversary can arbitrary encryption decryption queries,

but cannot it received from the decrypt any ciphertext otherwise break ) ( , can security

- challenger - trivially = b' = l b - o] adversary CCAADRLA , Tse] /Pr[ l prfbi.si/b=z ]) " ↳ " called an admissibility criterion

CCA - scenario security captures above attack where adversary can tamper with ciphertext ↳ Rules out of of XHZ of Hz possibility transforming encryption to encryption y ↳ adversaries ( CPA- is for adversaries ] Necessary for security against active security security against passive ↳ We of a real CCA HWI will see an example attack in

- scheme . . If an THE authenticated then it is CCA secure teen encryption provide encryption,

- A in the . Tse the 's . Consider an CCA Since ProofLI→ adversary security game provides ciphertext integrity , challenger response

the 's be with all but This means we the to will . adversary decryption query 1 negligible probability can implement " "

- the function . is the . decryption oracle with output L But then this equivalent to CPA security game " " [ Formalize a counter- : concatenate unused bits to end using hybrid argument ) simple example of ciphertext - scheme in a CCA secure (stripped away during f decryption) : of is not - Note converse the above true since CCA security ⇒ ciphertext integrity. ↳ However CCA- t ⇒ authenticated , security plaintext integrity encryption

: Authenticated + -a¥ay encryption captures meaningful confidentiality integrity properties ; provides active security

a - be a : Let be scheme and ) secure . ( , ) CPA secure ( MAC We define Encrypt-Af Encrypt Verity encryption sign , Verify Encrypt - then- MAC to be the following scheme : ' : ← ( ) m ) c m ( ke km (ke , ) Encrypt , , Encrypt T T t ← (km c Sign , ) ind¥t keys (c t) output , ' (KE ) Cc t)) : if (km c -4=0 t ( , km , , , Decrypt , Verify , output

c else (ke , ) , output Decrypt ' ' If ( is - a MAC . CPA secure is secure then ) is an authenticated Theorem , ) and ( , ) , ( Encrypt Decrypt sign Verify Encrypt , Verify

encryption scheme.

- - . on Protect CPA follows CPA of ( , ). the MAC is texts and nod security by security Encrypt Decrypt Specifically, computed cipher

-

the cannot . . MAC is of so messages key independent encryption key compromise CPA security

follows from MAC lie valid must contain a new on some Ciphertext integrity directly security , any ciphertext tag

was not to the the .) ciphertext that given adversary by challenger

: - t MAC be this in the formal reduction need to be able to . ( tmportantnotese Encryption keys must independent Above proof required ,

simulate - can ciphertext / MACS only possible if reduction choose its own key). ↳ Can also constructions that are same is used ( ie both fail to give explicit completelybnkg.it key , properties hold)

↳ in schemes instead ! In never different fresh, general , reuse cryptographic keys ; , sample independent keys

- to over the MAC needs be entire ciphertext - computed means first

← " - " version of ISO 19772 for did not MAC IV CBC used for CPA secure ) block lie header Early AE ( encryption , )

- is malleable RN in iOS for data also HMAC not to IV µ - Crypto Apple ( encryption) problematic ( applied encryption )

a - be a Let be scheme and ) secure . : ( . ) CPA secure ( MAC We define MA_Encrypt Encrypt Verify encryption sign , Verify MAC- then- Encrypt to be the following scheme : ' : ← ( (ke km) m ) t (km m) Encrypt , , Sign ,

← c (KE cm , -4 Encrypt , ) output c ' : ← (KE ) Cc t)) (mt) ( c) ( , km , Decrypt , compute Decrypt ke,

- if ( km m t) - I m else I Verify , , , output , , output

Not secure! SSL 3.0 ( to TLS) used randomized CBC t MAC generally precursor secure ↳ attack scheme Simple CCA on (by exploiting padding in CBC encryption)

(POODLE attack on SSL 3.0 can traffic a CCA attack] decrypt all encrypted using

source - then- see for Padding is a common of problems with MAC Encrypt systems ( HWI an example]

- In the libraries t MAC interfaces common source of errors past , provided separate encryption ↳ for Good should minimize for users to make errors net more library design crypto ways , provide flexibility

there are standard block modes of that Today , cipher operation provide

- authenticatedencryption-One.atthe most widely used is GCM (Galois counter model. standardized by NIST in 2007

- GCMm_ode: follows encrypt- then MAC paradigm - in with AES - used action - Most CPA secure encryption is nonce based counter mode commonly conj - AES - MAC is Carter - MAC ( GCM authenticated ) a Wegman } provides encryption " " Carter - MAC ( MAC ) : randomized MAC : Wegman encrypted very lightweight , - " : X → H M 90,13 be a hash function relies on a mild the hash function Let KH keyed security assumption on " - t → Let F : KF R {0,13 be a PRF and can be realized unconditionally ↳ - The Carter Wegman MAC is defined as follows : security relies only on PRF security

: E = r ( Cr t : r to ( (KH KF) m) R ( kn km) , ) 1 ) t H( m) , , ) if kn , , FCKF sign Verify output , ,

- t s H m) to Fl KF r) and 0 otherwise (ku , ,

(r t) construction ! output , (Very simple

but are need both a nonce and tags longer ( a PRF output)

: Galois Hash message with AES in counter mode key derived from PRF GCyptio encrypt f ✓ " evaluation at O Carter- MAC on as hash compute Wegman resulting message using GHASH the underlying function [ as G blocks of 128- bits and the block cipher underlying PRF HASH operates on operations can be expressed as operations over

- - 2128 use ALIEN for authenticated GF (2128 ) Galoisfield with elements Typically , encryption

- fast ! | implemented in harder very +

28 GF(2128 ) is defined the (x) = x' t X't X't X t 1 by polynomial g " " ↳ 't X t X't X t I . x ] elements are polynomials over Az with degree less than 128 ( e.g

can be 128 - : is of ( represented by bit string each bit coefficient polynomial) ↳ - in can add xor and hardware elements ( ) multiply them (as polynomials) implemented (also used for evaluating the AES round function) . . . . ]) MED me ] . , mee ( , [ "

↳ - - - t GHASH ( k m) : = make t mask t m le) k , frayed;n.mn?aY;..e;a,mu%afivegoeffigientsot )

Oftentimes of the needs to be hidden but still needs to be authenticated , only part payload ,

↳ : e. over a network desire but for headers ( otherwise cannot route ! ) for , g. , sending packets confidentiality packet body, only integrity packet

: with data AEAD authenticated encryption associated ↳ scheme with additional ensures for associated data but not augment encryption plaintext input ; resulting ciphertext integrity , confidentiality (will not define formally here but follows straightforwardly from AE definitions) " ↳ " can construct via - then- MAC : and MAC the t associated data directly encrypt namely, encrypt payload ciphertext ↳ AES- GCM is an AEAD scheme