Based on: Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography
Gen takes input the security parameter 1 and outputs a key with || .
Mac takes as input a key and a message {0,1} and outputs a tag . We write: Mac ().
Vrfy takes as input a key , a message {0,1} and a tag and outputs a bit : = 1 means valid, while = 0 means . We write, :=Vrfy(, ).
Construction 4.3
Theorem 4.4
Let be a pseudorandom function. Then Construction 4.3 is a fixed-length MAC for messages of length n that is existentially unforgeable under an adaptive chosen message attack.
Distinguisher D
is given access to and oracle O {0,1} {0,1}
1. Run (1 ): whenever queries its MAC oracle on a message , answer as follows:
Query O with to get response . Return t to A.
If oracle is a PRF then,
Pr
1 = 1 = Pr,Macforge A, ) = 1 = ()
Therefore, |Pr 1 = 1 Pr 1 1 = 1 | 2
Since is a PRF it follows that there is a negligible function negl with () 2 = negl . Then
negl + 2
and so is negligible.
Replay attacks
MACs do not protect against replay attacks. This is because the definition of a MAC does not incorporate any notion of state in the verification algorithm.
Two common techniques for preventing replay attacks involve the use of and .
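The stateless-verification point above, as an added example that is not part of the original slides: the same (message, tag) pair verifies every time it is presented, while a receiver that keeps state rejects the second copy. HMAC-SHA256 as the MAC, the 8-byte sequence counter, and the names `frame`, `StatefulReceiver` and `demo` are assumptions of this example.

```python
import hashlib
import hmac
import os

def mac(key: bytes, msg: bytes) -> bytes:
    # Mac: HMAC-SHA256 stands in for the MAC (an assumption of this example).
    return hmac.new(key, msg, hashlib.sha256).digest()

def vrfy(key: bytes, msg: bytes, tag: bytes) -> bool:
    # Vrfy: stateless; recompute the tag and compare in constant time.
    return hmac.compare_digest(mac(key, msg), tag)

def frame(seq: int, msg: bytes) -> bytes:
    # Fixed-width 8-byte counter, so the seq/message boundary is unambiguous.
    return seq.to_bytes(8, "big") + msg

class StatefulReceiver:
    """Hypothetical receiver: the counter is MACed with the message, and only
    counters above the last accepted one pass."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, seq: int, msg: bytes, tag: bytes) -> bool:
        if not 0 <= seq < 2**64:
            return False
        if not vrfy(self.key, frame(seq, msg), tag):
            return False  # tag does not match this (seq, msg) pair
        if seq <= self.last_seq:
            return False  # valid tag, but already seen: replay
        self.last_seq = seq
        return True

def demo():
    key = os.urandom(32)
    msg = b"transfer 100 to account 42"  # constructed sample message
    tag = mac(key, msg)
    stateless = [vrfy(key, msg, tag), vrfy(key, msg, tag)]
    rx = StatefulReceiver(key)
    tag0 = mac(key, frame(0, msg))
    stateful = [rx.accept(0, msg, tag0), rx.accept(0, msg, tag0)]
    relabelled = rx.accept(1, msg, tag0)  # old tag under a fresh counter
    return stateless, stateful, relabelled

if __name__ == "__main__":
    print(demo())
```

Because the counter is inside the MACed data, presenting the old tag under a new counter value fails verification as well.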
Construction 4.5
Mac: on input a key {0,1} and a message {0,1} of length < 2 /4 parse = 1 into blocks of length /4 and choose a random identifier in {0,1}/4 . Compute MAC | ||| , for = 1, , , and output (, 1 , , )
Vrfy: parse into blocks and re-compute the MAC. Output 1 if and only if the answer is the same for all ||
Theorem 4.6
If is a secure fixed length MAC for messages of length , then Construction 4.6 is a MAC that is existentially unforgeable under an adaptive chosen message attack.
Vrfy: on input a key {0,1} , a message {0,1} , and a tag output 1 if and only if = MAC .
Theorem 4.10
Let be a polynomial. If F is a pseudorandom function then Construction 4.9 is a fixed length MAC for messages of length () that is existentially unforgeable under an adaptive chosen message attack.