Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key 푘, 퐹푘 must be a permutation and it must be indistinguishable from a random permutation. Strong Pseudorandom Permutation Definition: Let 퐹: 0,1 ∗ × 0,1 ∗ → 0,1 ∗ be an efficient, length-preserving, keyed permutation. We say that 퐹 is a strong pseudorandom permutation if for all ppt distinguishers 퐷, there exists a negligible function 푛푒푔푙 such that: 퐹 ⋅ ,퐹−1 ⋅ −1 Pr 퐷 푘 푘 1푛 = 1 − Pr 퐷푓 ⋅ ,푓 ⋅ 1푛 = 1 ≤ 푛푒푔푙 푛 . where 푘 ← 0,1 푛 is chosen uniformly at random and 푓 is chosen uniformly at random from the set of all permutations mapping 푛-bit strings to 푛-bit strings. Modes of Operation—Stream Cipher If sender and receiver are willing to maintain state, can encrypt multiple messages. Modes of Operation—Block Cipher Modes of Operation—Block Cipher Message Integrity • Secrecy vs. Integrity • Encryption vs. Message Authentication Message Authentication Codes Definition: A message authentication code (MAC) consists of three probabilistic polynomial-time algorithms (퐺푒푛, 푀푎푐, 푉푟푓푦) such that: 1. The key-generation algorithm 퐺푒푛 takes as input the security parameter 1푛 and outputs a key 푘 with 푘 ≥ 푛. 2. The tag-generation algorithm 푀푎푐 takes as input a key 푘 and a message 푚 ∈ 0,1 ∗, and outputs a tag 푡. 푡 ← 푀푎푐푘(푚). 3. The deterministic verification algorithm 푉푟푓푦 takes as input a key 푘, a message 푚, and a tag 푡. It outputs a bit 푏 with 푏 = 1 meaning valid and 푏 = 0 meaning invalid. 푏 ≔ 푉푟푓푦푘(푚, 푡). It is required that for every 푛, every key 푘 output by 퐺푒푛(1푛), ∗ and every 푚 ∈ 0,1 , it holds that 푉푟푓푦푘 푚, 푀푎푐푘 푚 = 1. Security of MACs The message authentication experiment 푀퐴퐶푓표푟푔푒퐴,Π 푛 : 1. A key 푘 is generated by running 퐺푒푛(1푛). 2. The adversary 퐴 is given input 1푛 and oracle access to 푀푎푐푘 ⋅ . The adversary eventually outputs 푚, 푡 . Let 푄 denote the set of all queries that 퐴 asked its oracle. 3. 퐴 succeeds if and only if (1) 푉푟푓푦푘 푚, 푡 = 1 and (2) 푚 ∉ 푄. In that case, the output of the experiment is defined to be 1. Security of MACs Definition: A message authentication code Π = (퐺푒푛, 푀푎푐, 푉푟푓푦) is existentially unforgeable under an adaptive chosen message attack if for all probabilistic polynomial-time adversaries 퐴, there is a negligible function 푛푒푔 such that: Pr 푀퐴퐶푓표푟푔푒퐴,Π 푛 = 1 ≤ 푛푒푔 푛 . Strong MACs The strong message authentication experiment 푀퐴퐶푠푓표푟푔푒퐴,Π 푛 : 1. A key 푘 is generated by running 퐺푒푛(1푛). 2. The adversary 퐴 is given input 1푛 and oracle access to 푀푎푐푘 ⋅ . The adversary eventually outputs 푚, 푡 . Let 푄 denote the set of all pairs 푚, 푡 that 퐴 asked its oracle. 3. 퐴 succeeds if and only if (1) 푉푟푓푦푘 푚, 푡 = 1 and (2) (푚, 푡) ∉ 푄. In that case, the output of the experiment is defined to be 1. Strong MACs Definition: A message authentication code Π = (퐺푒푛, 푀푎푐, 푉푟푓푦) is a strong MAC if for all probabilistic polynomial-time adversaries 퐴, there is a negligible function 푛푒푔 such that: Pr 푀퐴퐶푠푓표푟푔푒퐴,Π 푛 = 1 ≤ 푛푒푔 푛 . Constructing Secure Message Authentication Codes A Fixed-Length MAC Let 퐹 be a pseudorandom function. Define a fixed-length MAC for messages of length 푛 as follows: • 푀푎푐: on input a key 푘 ∈ 0,1 푛 and a message 푚 ∈ 0,1 푛, output the tag 푡 ≔ 퐹푘 푚 . • 푉푟푓푦: on input a key 푘 ∈ 0,1 푛, a message 푚 ∈ 0,1 푛, and a tag 푡 ∈ 0,1 푛, output 1 if and only if 푡 = 퐹푘 푚 . Security Analysis Theorem: If 퐹 is a pseudorandom function, then the construction above is a secure fixed-length MAC for messages of length 푛. Security Analysis Let 퐴 be a ppt adversary trying to break the security of the construction. We construct a distinguisher 퐷 that uses 퐴 as a subroutine to break the security of the PRF. Distinguisher 퐷: 퐷 gets oracle access to oracle 푂, which is either 퐹푘, where 퐹 is pseudorandom or 푓 which is truly random. 1. Instantiate 퐴푀푎푐푘(⋅)(1푛). 2. When 퐴 queries its oracle with message 푚, output 푂(푚). 3. Eventually, 퐴 outputs (푚∗, 푡∗) where 푚∗, 푡∗ ∈ 0,1 푛. 4. If 푚∗ ∈ 푄, output 0. 5. If 푚∗ ∉ 푄, query 푂(푚∗) to obtain output 푧∗. 6. If 푡∗ = 푧∗ output 1. Otherwise, output 0. Security Analysis Consider the probability 퐷 outputs 1 in the case that 푂 is truly random function 푓 vs. 푂 is a pseudorandom function 퐹푘. • When 푂 is pseudorandom, 퐷 outputs 1 with probability Pr 푀퐴퐶푓표푟푔푒퐴,Π 푛 = 1 = 휌(푛), where 휌 is non-negligible. • When 푂 is random, 퐷 outputs 1 with 1 probability at most . Why? 2푛 Security Analysis 퐷’s distinguishing probability is: 1 1 − 휌 푛 = 휌 푛 − . 2푛 2푛 1 Since, is negligible and 휌 푛 is non-negligible, 2푛 1 휌 푛 − is non-negligible. 2푛 This is a contradiction to the security of the PRF. Domain Extension for MACs CBC-MAC Let 퐹 be a pseudorandom function, and fix a length function ℓ. The basic CBC-MAC construction is as follows: • 푀푎푐: on input a key 푘 ∈ 0,1 푛 and a message 푚 of length ℓ 푛 ⋅ 푛, do the following: 1. Parse 푚 as 푚 = 푚1, … , 푚ℓ where each 푚푖 is of length 푛. 푛 2. Set 푡0 ≔ 0 . Then, for 푖 = 1 푡표 ℓ: Set 푡푖 ≔ 퐹푘(푡푖−1 ⊕ 푚푖). Output 푡ℓ as the tag. • 푉푟푓푦: on input a key 푘 ∈ 0,1 푛, a message 푚, and a tag 푡, do: If 푚 is not of length ℓ 푛 ⋅ 푛 then output 0. Otherwise, output 1 if and only if 푡 = 푀푎푐푘(푚). CBC-MAC .