Message authentication

Message authentication codes provide message integrity by appending a checksum to the message which receiver on decryption calculates again and verify whether message was tampered or not. Provides 2 properties:

Authentication: Message was really created by sender
Integrity: Message was not tempered during transmission.

But any middle man can create a new message with a new MAC, how does receiver know whether it's sent by original sender or adversary?

Nope, as you study further, you discover that MAC is actually realised using a tag whose only requirement is that it can only be generated with a secret key.

how is MAC different from signatures?

consists of following algorithms:
- $KeyGen (1^{n}) \to k$
- $MAC (k, m \in M) \to t$
- $Vrfy_{k} (m, t) \to b$
Canonical Verification: when receiver computes $\tilde{t} := Mac_{k} (m)$ and verifies that $\tilde{t} = t$ .
MAC’s, $Π := (KeyGen,Mac,Vrfy)$ security definition: adversary should be able to verify MAC of message that it doesn’t have, i.e. forgery of MAC happens when adversary can produce valid MAC tag.
- $Mac-forge_{A, Π} (n)$ : PPT adversary $A$ has access to oracle $Mac_{k} (\cdot)$ , and can request tag t for any message of its choice.
- $O$ maintains a set $Q$ of messages $M \in {m_{0}, m_{1}, \dots}$ containing all previously queries messages.
- $A$ succeeds if it can produce forgery of MAC, i.e. produces valid $(m, t)$ , where tag for $m$ wasn’t requested previously, and when $(m, t)$ is given to a third party, $Vrfy$ succeeds.
- Mac which has no efficient adversary is said to be ==existentially unforgeable under an adaptive chosen-message attack==.
- $Pr [Mac-Forge_{A, Π (n)} = 1] \leq negl (n)$
Strength of definition: for most scenarios, this definition of MAC seems too strong, because even though adversary can request tag for messages of its choice any number of times, it still can’t forge a new tag for unauthenticated message.

Examples

Browser Cookies: stored user side in browser to authenticate a user in a session. TCP handshake: calculated server side during second TCP syn+ack to authenticate the user.

2FA & TOTP: timed one-time passwords are an excellent example of real-world usage of MACs. user calculate mac $t := Mac_{k} (m ∥ T)$ , sends $m, t$ to server, and server verifies with key, $Vrfy_{k} (m ∥ T)$ .

Replay attacks: Mac doesn’t provide replay attack prevention guarantees, i.e. adversary can send same (message, tag) and receiver won’t be able to detect whether this message has been sent previously or not.
- This is done to ensure usability of MACs in different scenarios and should be handled by higher-level application.
Strong security: $A$ forges $t^{'} \neq = t$ for MAC $(m, t)$ where $m \in Q$ .
- Denote $Pr [Mac-sforge_{A, Π} = 1] \leq negl (n)$ . Now, $O$ maintains tuple of $(m, t)$ in set $Q$ .
- Prove: secure MAC with canonical verification is strongly secure.
Timing attacks: side channel attacks which can determine value of mac using timing attacks on verification oracle.

Secure-MAC using PRF

Construct a MAC using PRF where $t := Mac_{k} (m) = F_{k} (m)$ , where $F_{k}$ is a PRF, and canonical verification happens using $t^{'} := Vrfy_{k} (m); t^{'} ? t$ .
Prove: $Pr [Mac-forge_{A, Π} (n) = 1] - Pr [M a c - f or g e_{A, Π} = 1] \leq negl (n)$
- To prove above construction is secure, create a Polynomial-time distinguisher $D$ that is given oracle access to $O$ , and needs to determine whether $O$ is PRF or not.
- $D$ simulates message authentication experiment for adversary $A$ by answering $Mac$ queries and returning $t := O (m)$ to $A$ .
- After all queries, $A$ outputs $(m, t)$ . $D$ queries $t^{'} := O (m)$ , and obtain $t^{'}$ .
- If $t^{'} = t$ and $m \neq \in Q$ , $D$ outputs 1.

sequenceDiagram
loop Oracle queries
A->>+D: message: m_i
D->>+O: message: m_i
Note right of O: calculates $t=O(m)$
O->>-D: tag: t
D->>-A: tag: t
end
A->>D: (m,t)
D->>O: m
Note right of O: calculates $t'=O(m)$
O->>D: t'
Note over D: checks $t'=t$ and m was not sent before, output 1

Now, when $O$ is a PRF, then adversary’s view is equal to $A$ in $Mac-forge_{A, Π} (n)$ experiment, thus, $Pr [D^{F_{k} (\cdot)} (1^{n}) = 1] = Pr [Mac-forge_{A, Π} (n) = 1]$ .
Similarly, when $O$ is uniform random function: $Pr [D^{f (\cdot)} (1^{n}) = 1] = Pr [Mac-forge_{A, Π} (n) = 1]$
Next prove that: $Pr [Mac-forge_{A, Π} (n) = 1] \leq 2^{- n} + negl (n)$

MAC for arbitrary length messages

Construct a simple mac for arbitrary length message by dividing $m = (m_{1}, m_{2}, \dots)$ and computing $Mac_{k}^{'} (r ∥ l ∥ i ∥ m_{i})$ .
Construction: let $Π^{'} = (Mac^{'}, Vrfy^{'})$ be fixed length MAC of length $n$ , then
- $Mac$ : On input of key $k \in {0, 1}^{n}$ message $m \in {0, 1}^{*}$ , parse $m = (m_{1}, \dots, m_{d})$ of length $\frac{n}{4}$ and choose a uniform $r \in {0, 1}^{n /4}$ . Compute $\forall i \in [1, d]; t_{i} \leftarrow Mac^{'} (r ∥ l ∥ i ∥ m_{i})$ . Output $⟨ r, t_{1}, \dots, t_{d} ⟩$ .
- $Vrfy$ : On input key $k \in {0, 1}^{n}$ , a message $m \in {0, 1}^{*}$ and tag $t$ , output $\forall i \in [1, d]; t_{i} = Vrfy^{'} (r ∥ l ∥ i ∥ m_{i})$ .C
Prove this is secure MAC.
- Basic idea is to prove $Pr [Mac-forge_{A, Π} = 1]$ by proving two events:
  - $repeat$ : $r$ is used for some other message during oracle queries
  - $NewBlock$ : $A$ tries to forge a block $r ∥ l ∥ i ∥ m_{i}$ which was authenticated by $Mac^{'}$ before during answering $A^{'} s$ queries to oracle.
- So, $Pr [Mac-forge_{A, Π}] \leq Pr [repeat] + Pr [Mac-forge \land \overline{repeat} \land NewBlock] + Pr [Mac-forge \land \overline{repeat} \land \overline{NewBlock}]$ .

CBC-MAC

constructing a MAC using pseudorandom function $F_{k}$ for $k \in {0, 1}^{n}$ and length function $l (n) > n$ , and message length $l (n) \cdot n$ .
- $Mac$ : parse m as $m_{1}, \dots, m_{l}$ and $t_{0} = {0}^{n}$ , then $t_{i} = F_{k} (t_{i - 1} \oplus m_{i})$ .
- $Vrfy$ : output 1 if $t ? Mac_{k} (m)$ .
Prove this is a secure Mac.

Mac from difference-universal function

Let $h : K_{n} \times M_{n} \to T_{n}$ be a keyed function where $k \in K_{n}$ and message $m \in M_{n}$ and output $t \in T_{n}$ , where $T_{n}$ is a group. For $h$ to be $ε -$ difference universal function, take $m, m^{'} \in M_{n}$ and any $\Updelta \in T_{n}$ such that $Pr [h_{k} (m) - h_{k} (m^{'}) = \Updelta] \leq ε (n)$ , where $ε (n) \geq \frac{1}{∣ T _{n} ∣}$ .

Let’s construct a MAC from DUF, take $h$ to be $ε -$ DUF and $F$ to be a PRF, then following is a strongly secure MAC for messages in $M_{n}$ :

$Gen$ : output key $k_{h} \in K_{n}$ and $k_{F} \in {0, 1}^{n}$ .
$Mac$ : for key, $m \in M_{n}$ , choose uniform $r \in {0, 1}^{n}$ , output $t = ⟨ r, h_{k_{h}} (m) + F_{k_{F}} (r)⟩$
$Vrfy$ : for key, $m \in M_{n}$ , parse $t = (r, s)$ , output 1 if $s ? h_{k_{h}} (m) + F_{k_{F}} (r)$

Prove that above construction is strongly secure MAC, $Pr [Mac-sforge_{A, Π} = 1] - Pr [Mac-sforge_{A, Π}] \leq negl (n)$

take two events required to model the security:
- $repeat$ : $r$ is not repeated by $O$ in any of the oracle queries by $A$ .
- $new-r$ : $A$ outputs $⟨ m, (r, s)⟩$ where $r$ was not used in any of the previous oracle query.
study for uniform function first, i.e. $Pr [Mac-sforge_{A, Π}] = Pr [repeat] + Pr [Mac = 1 \land new-r] + Pr [Mac = 1 \land \overline{repeat} \land \overline{new-r}]$ .
- probability of repeat is $\frac{q ( n ) ^{2}}{2 ^{n + 1}}$
- Probability of new-r is $\frac{1}{∣ T _{n} ∣}$ because $f$ is a uniform function is $A$ ‘s view.
- prob of neither repeat, nor r-new is $\leq ε (n)$ by taking two distinct $(r, s), (r, s_{i})$ , where $m_{i}$ was ith oracle query and their $r^{'} s$ match (because new-r doesn’t occur) and equating their $s$
a common DUF is taking a finite field $F_{q}$ , $k_{h}$ to be a point in $F$ , and $m \in F [X]^{< l}$ is a polynomial of degree < l (constant) in $F$ . Now, $h_{k} (m) = m (k)$ , i.e. evaluation of $m$ on $k$ . This is $\frac{l}{∣ F ∣}$ -DUF.

GMAC

TODO

Poly1305

TODO

Information-Theoretic MACs

until now all MAC constructions are computational secure, i.e. efficient adversary that runs in polynomial time, and thus, we need a security parameter $n$ that is used to model the asymptotic behaviour of both the construction and the adversary.
Now, we look at conditions that are required to create MAC that are secure for unbounded adversary, i.e. Information Theoretic MAC
Max probability that we can reach for an unbounded adversary to correctly output a tag that works is $max (\frac{1}{∣ K ∣}, \frac{1}{∣ T ∣})$ , and only restriction on adversary is number of times it can access the oracle.
Construct a one-time MAC:
- A gives $m^{'}$ and gets $t^{'} = Mac_{k} (m^{'})$
- A outputs $(m, t)$ , output 1 if $Vrfy_{k} (m, t) = 1$ and $m \neq = m^{'}$ .
$Pr [Mac-forge_{A, Π}^{1-time}] \leq ε$
Strongly universal functions (SUF): or also called pairwise independent functions. Function $h : K \times M \to T$ , where $m, m^{'} \in M$ and $t, t^{'} \in T$ , such that $Pr [h_{k} (m) = t \land h_{k} (m^{'}) = t^{'}] = \frac{1}{∣ T ∣ ^{2}}$ .
Construct MAC using SUF: simply output $t := Mac_{k} (m)$ , and output 1 if $Vrfy (m, t) := t^{'}; t ? t^{'}$ .
Prove above construction is $\frac{1}{∣ T ∣}$ secure MAC.
A simple example of SUF is $h_{a, b} (m) = a \cdot m + b mod p$
One-time MAC from DUF: can be constructed as simply taking $k \in K$ and $r \in T$ and $Mac (m) = h_{k} (m) + r$ .

Mac using hash functions

Let $H^{s} = (Gen, H)$ be a arbitrary length hash function

Hash-and-MAC: $t \leftarrow Mac_{K_{m}} (H^{s} (m))$ , and verify using $Vrfy_{K_{m}} (H^{s} (m), t) ? 1$ .

This can be proven as secure MAC by modelling two adversaries, i.e. $Pr [Mac-forge_{A^{'}, Π^{'}} = 1] = Pr [Mac-forge_{A^{'}, Π^{'}} \land coll] + Pr [Mac-forge_{A^{'}, Π^{'}} \land \overline{coll}]$ . Now, prove that both terms are negligible.
- first can be proven secure by formulating a reduction proof on collision resistance property of $H^{s}$ with adversary $A$ that attacks $Π^{'}$ and $C$ attacking $H^{s}$ .
- second is secure using secure MAC

HMAC: $Mac(m) : t \leftarrow H^{s} ((k \oplus opad) ∥ H^{s} ((k \oplus ipad) ∥ m))$ , and verified using $Vrfy (m, t) : H^{s} ((k \oplus opad) ∥ H^{s} ((k \oplus ipad) ∥ m)) ? t$ .

can be seen as Hash-and-MAC approach where inner pad is used to hash mac to $n^{'}$ length string $\overset{m}{^}$
and $\overset{m}{^}$ again hashed with outer pad to create a tag $t$ .
and $k_{in}, k_{o u t}$ are generated using a pseudorandom generator

one question that arises is why ipad and opad is needed at all? why can't you just use $k$ to generate a pseudorandom string of $k_{in} ∥ k_{o u t}$ ?

This is because $∣ k ∣$ is typically less than $n^{'}$ , and IV is concatenated with $k_{in} \oplus ipad$ to increase key length. Moreover, $k_{in}, k_{o u t}$ need to be uniform, thus, a PRG is used to decrease key length to $∣ k ∣$ and derive two pseudorandom keys from that.

Questions

4.1: adversary’s success remains same, and canonical verification MAC will always satisfy this.
4.2: can i use a MAC that doesn’t use canonical verification? so just use vrfy oracle to determine a pair (m,t) and then output that pair.
4.3: if secure MAC uses canonical verification that it’s easy to see that its also strongly secure because adversary won’t be able to forge a tag with substantial probability.
4.4:

lonerapier.xyz

Explorer

Message authentication

Secure-MAC using PRF

MAC for arbitrary length messages

CBC-MAC

Mac from difference-universal function

GMAC

Poly1305

Information-Theoretic MACs

Mac using hash functions

Questions

References

Graph View

Table of Contents

Backlinks