This action might not be possible to undo. Are you sure you want to continue?

# G22.

3033-003 Introdu tion to Cryptography

November 15th , 2001

Le
ture 11

Le
turer: Yevgeniy Dodis

S ribe: Yevgeniy Tovshteyn

**This le
ture we will be dedi
ated to the problem of message authenti
ation. First, we
**

de

Then we de.ne the problem of message authenti ation and show how it is dierent from the problem of en ryption.

ne the notion of message authenti ation s hemes. We will examine goals and apabilities of the intruder and will de. and the sub ase of those | message authenti ation odes (MAC).

Then we will see how MAC an be implemented using PRF (and the other way around). The se ond approa h will lead us to the de.ne the strongest se urity notion for MACs. Then we will examine the problem with long messages and two approa hes solving it.

When a sender sends a message to a re eiver. At the end we will see examples of universal hashing fun tions. and the usage of su h family to enhan e the eÆ ien y of PRF and MAC for long inputs.? Is there a way for the re ipient to be \sure" that the message indeed ame from the supposed sender. et . and was not modi. 1 Introdu tion to Authenti ation While En ryption is a topi of ryptography that deals with priva y. or tampers with the real messages being sent. how does a re eiver know if it omes from appropriate sender? What if the intruder tries to imitate a sender.nition of a spe ial family of universal hash fun tions. Authenti ation is a topi of ryptography that deals with trust.

To summarize. the se urity of Authenti ation would imply inability by the intruder to produ e a valid T 0 (in other words to send to the re eiver something it would a ept). Thus. In this le ture we start with the se ret-key setting. Re eiver re eives this envelope T 0 . and in fa t m0 = m. He alls up his s-fun tionality that validates whether envelope T 0 was stued by s-fun tionality on the sender's side. re eiver an extra t m0 from T 0 as a valid authenti ated message. the goal is to establish authenti ated ommuni ation between a dedi ated sender/re eiver pair. Otherwise re eiver reje ts T 0 as invalid. Then it goes through open ommuni ation. the sender and the re ipient share a se ret key s (not known to the atta ker). Thus. it alls up his s-fun tionality that put the message m into the \envelope" T . so that the re ipient (only) an verify the validity of the \tag". not produ ed by the sender. In this s enario. we are trying to design the following \s-fun tionality". a essible to intruders. we are not solving en ryption problem at the moment). Let's say sender is to send message m (in the lear. This key helps the sender to \tag" the message. but nobody an \forge" a valid tag.ed in the transit? Similar to the en ryption s enario. there are two approa hes to solving this problem: the se ret-key and the publi -key. The above is very lose to a formal de. we an be \sure" that T 0 = T . So. If it does. so by the time it gets to the re eiver it ould hange from T to some T 0 .

L11-1 .nition of a message authenti ation s heme.

1 Message Authenti ation S hemes The above dis ussion leads to the following general de.1.

nition (below we only de.

g. and not the se urity). 1g .ne the syntax. M = f0. Below M is the orresponding message spa e. e. ` De.

It ould be deterministi . Later we an examine stateful message authenti ation s hemes as well. for any m 2 M. i. m. de.Auth. k b) The message authenti ation algorithm Auth is used to produ e a value (\envelop") T Auth (m). where ? means that the message was improperly authenti ated. Before moving any further (in parti ular.nition 1 (Message Authenti ation S heme) Message Authenti ation S heme is a triple (Gen. s The orre tness property states that m ~ = m.Re ) of PPT algorithms: a) The key generating algorithm Gen outputs the shared se ret key: s Gen(1 ). s s Lets for now assume our message authenti ation s hemes are stateless. s ) The deterministi message re overy algorithm Re re overs the message from the envelope T : Re (T ) = m ~ 2 M [ f?g. as we will see. Re (Auth (m)) = m.e. 8s.

let's see that En ryption is not solving (and is not intended to solve) authenti ity at all. and the re ipient will de rypt it into a valid (albeit probably \useless") message. ounter s heme will have the same atta k). Conversely. 1. In fa t. Similar atta ks will apply to other en ryption s hemes we studied so far (e.1 To emphasize this point even further. or insert bogus messages. and say the one-time pad is used over ASCII alphabet. To summarize. the en ryption will reveal the one-time pad.2 Authenti ation vs. In this ase. let us ompare (se ret-key) en ryption and authenti ation. in many en ryption s hemes every string is a legal en ryption is some valid message. 1 Later we will study the problem of authenti ated en ryption. He an easily \ ip" the 1 for a 9 for example. E an send any \garbage" string. En ryption Just to see how dierent the problem of Authenti ation is from the problem of En ryption. Lets say intruder E knows format of the message where the sender says \please redit 100 dollars to E ". whi h simultaneously provides priva y and authenti ity. For example. authenti ation be itself does not solve priva y. was not addressing the issue. for the rest of this le ture we will talk about a spe ial lass of message authenti ation s hemes.. L11-2 .ne the se urity of message authenti ation s hemes). but might allow E to tamper with it. one time pad for one message. nothing prevents the envelop to have the message m in the lear.g. by simply ipping several bits of the en rypted message (in fa t. Even the best en ryption s hema. and E an en rypt anything he wants with it now). en ryption s hemes are designed so that E annot understand the ontents of the en ryption. This should not be possible in a \se ure" message authenti ation s heme.

sin e it learly illustrates our goal of message authenti ation. As we will see. dealing with this spe ial ase is more intuitive. whi h always ontain the message in the lear.1 De. alled message authenti ation odes (MACs). 2 Message Authenti ation Codes (MAC) 2.

It implies sending message m in the lear along with a tag t.nition As we said. envelope T = (m. and the message re overy only he ks if the tag t is \valid". the re eiver's goal is to validate message m by verifying whether she/he an trust that tag t is a valid tag for m. MAC is a spe ial ase of message authenti ation s hemes. In ase of su essful validation re eiver outputs \a ept". otherwise \reje t". Namely. Thus. De. t).

MAC.Ver) of PPT algorithms: a) The key generating algorithm Gen outputs the shared se ret key: s b) The tagging algorithm Tag is produ es a tag t be deterministi . It ould s ) The deterministi veri. as we will see. for any m 2 M. is a triple (Gen. k Tag (m).Tag.nition 2 (Message Authenti ation Code) Message Authenti ation Code. Gen(1 ).

Similar to the en ryption s enario. A more reasonable goal is to ome up with the message-tag pair (m. t) that triggers Ver to \a ept". Existential forgery is the least ambitious of these goals. i. This atta k is alled a forgery. so the strongest se urity de. Universal forgery implies that A an ome up with trusted tag t for any message m that A wants. t) = \a ept". this is too ambitious (e.e. Existential forgery implies that A an produ e at least a single pair (m. reje tg indi ating if t is a valid tag for m. Having that pair..g. But what is the goal of A? The most ambitious goal is to re over se ret key s. t) 2 fa ept. Ver (m. t) su h that Ver (m.2 Se urity The se urity as usual is measured by the probability of unauthorized PPT adversary A to su eed. s s 2. so it is not a big deal to prevent A from re overing s). There are two kinds of forgery: universal and existential. A an masquerade as a valid sender of m by simply sending (m. Tag (m)) = a ept. part of s an be never used. even if the message m is \useless". s The orre tness property states that m ~ = m. m. ation algorithm Ver produ es a value Ver (m. 8s. t) to the re eiver.

Moreover. L11-3 . s .e. Next. A annot intrude into ommuni ation between sender and re eiver and has no ora le a ess to any of MAC algorithms. what an A do to try to a hieve its goal? There are several options. I.nition would imply that no A an a hieve even this.. in many appli ations su h (strong) se urity is indeed needed.The weakest atta k mode to to give A no spe ial apabilities. easiest of the goals.

. on e we allow this. Looking at the above. Of ourse. we have to restri t A from outputting a \forgery" (m. Alternatively. t) for the message m that it already observed. Namely. we an assume A has ora le a ess to the re eiver.2 Taken to the extreme.Finally. and wins the moment the re ipient a epts su h a pair. we now make the strongest de. we an allow A observe valid tags for any message m that A wants. so that it an learn whether any message-tag pair (m.A more reasonable assumption is that A has some a ess to ommuni ation between sender and re eiver. t) that it observes. s . t) is valid. and an try to analyze valid message-tag pairs (m. This is alled (adaptive) hosen message atta k (CMA). we may think that A keeps sending \fake" message/tag pairs. we an give A ora le a ess to the tagging fun tion Tag ().

existential forgery.nition of se urity. su h that prevent A from its easiest goal. but lets A use both the tagging and the veri.

ation ora le. De.

(m. if 8 PPT A. t) su h that m has never been queried to ora le Tag (). i. k s Vers () (1k )) negl(k ) For ompleteness. Tag.e. Ver) is \se ure". t) = a ept j s ATags Gen(1 ). existentially unforgeable against CMA. s Pr(Ver (m. who outputs a \forgery" (m.nition 3 (MAC's Se urity) A MAC = (Gen. t) ( ). we also give the orresponding (more general de.

De.nition) for any message authenti ation s heme (even though we will mainly work with MACs).

ora le a ess to Ver () is not needed. t0 ) A an all Tag (m0 ) and ompare its output with t0 . even though we loose a large polynomial fa tor in the se urity. if 8 PPT A. In fa t. i. similar on lusion an be made about a general message authenti ation s heme: if Auth is deterministi . Remark 5 a) Usually. existentially unforgeable against CMA. Gen just outputs a random string as a key. Instead of alling Ver (m0 . ora le a ess to Re () is not needed (why?). s s s A marginally stronger de. Auth. s Pr(Re (T ) = 6 ?js Gen(1 ). We will see examples of this later. who outputs a \forgery" T su h that Re (T ) has never been queried to oras le Auth ().nition 4 (Se urity of Message Authenti ation S heme) A message authenti ation s heme (Gen. b) When Tag is deterministi .e. T k s AAuth s Re s () (1k )) negl(k ) ( ). Re ) is \se ure". from the asymptoti perspe tive.

most MAC's are deterministi . However.nition forbids A to output a pair (m. First. in many appli ations su h \dupli ation" is anyway forbidden and is enfor ed by other means like time-stamps. A is allowed to forge a \new" tag t for the message m whose tag t = 6 t it already observed. so there is no value to even hange t to t 6= t. 2 0 0 0 L11-4 . it will do it with the \old" tag t as well. Se ond. et . Finally. this strengthening is not that ru ial for several reasons. In other words. t) that it already observed. in whi h ase there is no dieren e between the two notions. if m was legally sent and the re eiver is \allowed" to a ept m again.

we restri t our attention to deterministi (stateless) MAC's. In fa t. Hen e and without loss of generality.2. Unpredi table Fun tions and PRF s In this se tion we will build a se ure MAC. whose keys (\seeds") are random strings of some length. the veri.3 MACs.

let us assume jsj = k. where x was not submitted to the f () ora le. t) simply he ks if t = Tag (m). for a random (unknown) s. the family F is alled an unpredi table family of for any PPT A. For simpli ity. predi ting the value f (x) for a \new" x. Not surprisingly. s Gen(1j j)g. so we do not need to expli itly spe ify it.e. Tag (m) is now a deterministi fun tion indexed by the seed s. ation algorithm Ver (m. Moreover. we an view su h a MAC as a family of fun tions F = ff f0. to onstru t our . su h. f (x)). (x. 1gj j . MAC is alled an unpredi table fun tion. in some sense \ anoni al". Pr(f (x) = y j s f0. The su ess orresponds to outputting a orre t pair (x. y) A s () (1 )) negl(k) s s s s k k f s where x is not allowed to be queried to the ora le f (). 1g . i. The hosen message atta k (with no unne essary ora le to Ver ) orresponds to s s s tag ` s s s s s ora le a ess to f (). 1g ! f0. Hen e. More formally. where f = Tag . Thus.

rst se ure MAC it suÆ es to onstru t an unpredi table fum tion family. s b Theorem 6 (PRF ) MAC) If F is a PRF family with non-trivial output length. then F is unpredi table. provided its output length b is \non-trivial" (i. so that 2 = negl(k)). Not suprisingly.e. !(log k). a PRF family is an unpredi table family. and thus de..

Sin e b is \non-trivial" and x has to be \new". Given unpredi table F . But does the onverse hold? It turns out the answer is \yes". Proof: By the random fun tion model. 1g ! f0. ompleting the proof. 1g j s 2 f0. s Hen e. we onstru t the following family G with output length 1 bit (from the properties of PRF's. very similar to the Goldre ih-Levin onstru tion. Goldrei h-Levin) Let F = ff : f0. any adversary has a negligible probability to predi t f (x). but the onstru tion is quite tri ky.nes a se ure deterministi MAC. \pseudorandomness implies unpredi tability". Theorem 7 (Naor-Reingold. we an repla e f with a truly random fun tion f with output length b. 1g g be an unpredi table family. su h \short" output is not a problem and an be easily stret hed). De.

1g g as follows: g (x) = f (x) r mod 2. 1g . where . r 2 f0. 1g j s 2 f0.ne G = fg : f0. 1g ! f0.

. for . denotes the inner produ t modulo 2.

Then G is a PRF family. all these primitives are equivalent! 2. 2 f0.4 Dealing with Long Messages In pra ti e.r b s. i.e. s k s. we now know that OWF ) PRF ) MAC ) OWF. on rete PRF have short .r ` ` b k s b Noti e. 1g .

g. in pra ti e we want to be able to sign messages of length L ` (e.. There are two approa hes to deal with this problem.xed input length ` (for example. when implemented using a blo k ipher). one wants to sign a book using 128-bit blo k ipher modelled as a PRF). One the other hand. L11-5 .

Split m into n blo ks m1 : : : m of length ` ea h (let's not worry about messages whose lenth is not a multiple of `). The simplest approa h would be to just output f (m1 ) Æ : : : Æ f (m ) as a tag. However. there is a problem (whi h?). a few more \. However. one an try f (1 Æ m1 ) Æ : : : Æ f (n Æ m ). Again.1. one an easily see that this is inse ure (why?). Somehow separately tag ea h blo k using f . Using more advan ed suggestion.

1g and use f (h(m)) as the tag. this is more general than building a \long-input" MAC out of a \short-input" PRF: we a tually build a \long-input" PRF! The idea is to design a spe ial shrinking (hash) fun tion h : f0. t 2 Kg L t ` where K is the orrespinding key spa e for t. ) as the forgery of a \new" message m2 . the output of the resulting PRF is as short as that of the original PRF (implying that tags as still very short!). Lu kily. 1g . 1g ! f0. However. to produ e a forgery of the resulting \pseudo-MAC". F (H) = ff (h ())g. sin e f (h(m1 )) = f (h(m2 )). n s s s s s n n 2.xes" an make this approa h work. the knowledge of any two su h messages m1 and m2 allow the adversary to produ e break the resulting \pseudoPRF". in fa t. similar to the fa t that one publi fun tion annot be a PRF: we need a family of hash fun tions h: L L s s s ` ` s H = fh : f0. m2 ) whi h \ ollide" under h: h(m1 ) = h(m2 ). this negative news only mean that one publi h is not enough. the length of the tag now is quite large (proportional to nb = Lb=`.e. Noti e. and the key t for h . Can we make it smaller? This is what the se ond approa h below does. however. Indeed. Moreover. i. 1g ! f0. there are many pairs of messages (m1 . Now. Unfortunately. we pi k two independent keys for our resulting family F (H): the key s for f . sin e there are 2 times more possible messages than there are possible hash value. The main question is: s s t t What properties of H make F (H) is a PRF family when F is su h? We answer this question in the next se tion. Noti e. whi h ould be large). 3 PRF and Universal Hashing As the . A an ask for the tag = f (h(m1 )) of m1 and output (m2 . The se ond approa h involves a general eÆ ient onstru tion of a PRF family on L bit inputs from the one on l L bit inputs.

whi h breaks the se urity of the PRF.rst observation. It turns out that this ne essary ondition is also suÆ ient! t t t s t s t De. Namely. no two elements are likely to ollide. noti e that for no two messages m1 6= m2 an we have Pr (h (m1 ) = h (m2 )) ". Indeed. where " is non-negligible. otherwise the adversary who learns = f (h (m1 )) has probability " that f (h (m2 )) = .

s.nition 8 ("-universal family of hash fun tions) H is alled "-universal if 8 x. 1g . x 6= x0 =) Pr(h (x) = h (x0 )) " L H is alled (weakly) universal if " = negl(jtj). L11-6 t t t .t. x0 2 f0.

F (H) = ff (h ())g is a PRF(and thus de.

Proof: We have to show that 8 PPT A. 1g to f0. 1g to f0. A s t A . The . 1g . We will use two-step hybrid argument: A s t A t A where R is random fun tion from f0.nes a MAC) if F is a PRF family H is (weakly) universal. where Z is random fun tion from f0. 1g .

rst step immediately follows from the de.

A also gets q totally Theorem 9 s and t f L (h ( )) Z( ) b f R(h (h ( )) ( )) ` Z( b R(h 1 ) ( )) Z( ) q t i random and independent value. the probability that A an tell apart the \Z -world" and the \R(h )-world" is at most the probability of X (de. if X does not happen. the values R(h (m1 )) : : : R(h (m )) are all random and independent from ea h other. sin e R is a radnom fun tion. it suÆ es to show that the probability h (m) = h (m ) for some i and j is negl(k). Let m : : : m be (wlog. distin t) queries A makes to its ora le (whatever it is). the intuitive laim above follows. Thus. A gets q totally random and independent values. Hen e. First. it suÆ es to show that A t A . as long as no two values h (m ) ollide. When given ora le a ess to Z (). and there are at most q2 poly (k) pairs of i and j . Hen e.nition of PRF. even though making it formal is slightly tri ky. exa tly as the Z -ora le would return. a ollision happened among h (m1 ) : : : h (m ). sin e q2 " = negl(k). Intuitively. Let X be the event that during A's run with R(h )-ora le. where " = negl(k). The above intuition is almost formal. Sin e H is "-unversal.

ned in the \R(h )-world"). However. sin e X has already happened! Spe i. and this is the tri ky point. on e a ollision happens in \R(h )-world". it does not matter how we answer the ora le queries of A.

ally. we an imagine the modi.

where all the queries of A are answered ompletely at random and independently from ea h other. sin e R is a random fun tion. But now we run A in a manner independent from t. we an imagine that we . up to the point a ollision happened (if it ever happens). all the queries are simply answered at random.ed \R(h )-world". Indeed. What happens after X happens is irrelevant. We laim that this does not alter the probability of X . Thus. all the queries are supposed to be answered at random. Indeed. irrespe tive of whether of not X happened.

e. and only then sele ted t and he ked if X (i.. a ollision among h (m1 ) : : : h (m )) happened! But this means that m1 : : : m are de.rst ran A to ompletion.

this primitive is quite easy to onstru t. A an serve as a key to the family of hash fun tions as de. By the "-universality of H. As will will see. and sin e there are at most q2 pairs of indi es i < j . we get that Pr(X ) q2 " = negl(k). Let A be a random L ` zero-one matrix. 3.ned before (and independently from) t. t t j t t t q t t q t t t t t t q q We now give a variety of (weakly) universal families H. This argument ompletes the proof. both information-theoreti ally and omputationally. sin e q is polynomial and " is negligible.1 Information-Theoreti Examples Matrix-Constru tion.

ned below: h (x) = Ax A L11-7 .

and Ax denotes the matrix-ve tor produ t over Z2. Sin e A is random. and hen e the probability of ollision is: L Pr(Az = 0) = A 1 2 ` This is negligible. ea h of ` entries of Az is a random bit. 8x1 6= x2 . independent of the size of the message. and z 6= ~0. it is independent of L). ` Polynomial Constru tion.where x 2 f0. 1g is viewed as a zero-one ve tor. where z = x1 x2 6= ~0. a ollision means that Ax1 = Ax2 () A(x1 x2 ) = 0 or Az = 0. even though the probability of ollision is the best we an hope for: 1=2 (in parti ular. Let's examine the probability of ollision. We would like the key to be O(`). so this family of hashing fun tions is (weakly) universal. Let F be a . The biggest problem of this family is that key is quite enormously long (albeit still polynomially).

nite .

Z .eld of size roughly 2 . is an example of su h a . where p is `-bit long.

nite .

eld. but it is more onvenient to use GF [2 ℄ | a .

nite .

eld of size 2 . sin e it takes exa tly ` bits to represent an element in this .

Spe i. m (i. : : : . where ea h m 2 F ..e. as n oeÆ ients of a degree (n 1) polynomial over F (see below). jmj = L n`). Now. view m = m1 .eld.

de. ally. sele t a random point x 2 F as the key to a fun tion h in the hash family.

we will have to ombine it with another independently sele ted PRF f . q () is a non-zero polynomial of degree at most (n 1). We are using \short-input" PRF f to build \long-input" (weakly) universal H = fh g. 1g g. This is negligible sin e jF j 2 . As we will see. sa ri. however. the probability that x is one of these at most (n 1) roots of q () is at most j j1 . Noti e. Noti e. It is a well known fa t that any polynomial of degree d an have at most d roots in F . A ollision here means h (m) = h (v) () q (x) = q (x) () q x x m u m u X (m n (x) = 0 () i u )x i i 1 =0 i=1 where at least one m u 6= 0. i.e. Let's examine the probability of a ollision between two distin t \polynomials" m and u. Sin e the point (our key) x 2 F was hosen at random. i i m m u n u ` F 3. : : : . 1g ! f0. we are not \ heating" here. the key size is indeed only ` bits. a ` s ` t t s s t simple general tri k allows us to avoid making s and t independent. m ) = q (x) = m x x n x 1 n i m i 1 i=1 where all the operations are done in F . via f (h ()). Namely. independent of the message length L = n` (instead. In prin iple.2 Computational Examples and the CBC-MAC The next several examples use a PRF family F = ff : f0.ned as l p ` ` n i X h (m . to build of our \long-input" PRF. the error depends on L).

ze 1 bit in `. and always apply f (1. and use f (0. ) and f (1. h ()) on the outer layer. ) indeed look s s s L11-8 s s s . Using the \random fun tion paradigm". f (0. ) when onstru ting the hash fun tion h ().

like two independent random fun tion. in spe i. In fa t.

to prove the universality of the hash fun tion. ase will not even have to do that (see below). Below. As a downside. To summarize. Namely. we des ribe the hash fun tion without the \tri k" above. we . and will depend on the \ omputational loseness" of our PRF to a truly random fun tion. the error probabilities will be worse. the advantage of using a PRF in bulding H is saving on the key size + making the onstru tion possibly very eÆ ient (sin e \pra ti al" PRF's are very heap). even though it is a very inexpensive \loss" anyway.

the number of blo ks n is .3 In all the example below. we assume that: m = m1 : : : m .rst assume that f is a truly random fun tion (by the \random fun tion paradigm"). `0 ` (see below for details). and then prove the information-theoreti se urity as before. L = `0 n. where all jm j = `0 .

t n i Using XOR Mode. and t is a random key for our \base" PRF. De.4 .xed.

i) = ℄ n f n i f i 1 2 where is some string independent5 of f (m . : : : . if m 6= u. f (1. here is the . m ). As we indi ated. say m 6= u . m1 .h.ne h (m1 : : : m ) = f (m1 . the values h (m) and h (u) \diverge on e and for all" w. Theoreti ally. Therefore.. i) f (u . when making it into a PRF. We an view this onstru tion as simply applying the CBC mode of operation with IV being 0 (a string of ` zeros) and outputting the last ` blo k only (remember. i) f (u . 2) f (m . The main ideas are similar to what we have done earlier with CBC-en ryption: intuitively. starting at the i-th appli ation of the f . n) = f (u1 . say m 6= u we get that n i n i Pr[f (m1 . but a areful dire t analysis shows that this is not needed (we omit the proof). n) t n t t t n (so that the input to the PRF is slightly longer | ` = `0 + log n bits long). whi h in turn is random sin e u 6= m . : : : . and if (u1 . we do not need to \de rypt". it seems like we need to apply the tri k with prepending 0 and 1. to build a PRF out of it.p. Assuming f is now a truly random fun tion from ` to ` bits. only to \tag"): h (m1 : : : m ) = m t n n f (m t n 1 f (: : : f (m f (m )) : : :)) t t 2 t 1 The proof of universality of this H is a bit tri ky. 1) f (m2 . 1) f (1. we a tually use = i i ` i i f (0. n)) s s s n Using CBC Mode (CBC-MAC). 1) f (u . n)℄ = Pr[f (m . u ) 6= (m1 . m . 1) f (m . so we omit it. i). and f is a truly random fun tion.

also known as the CBC-MAC (with s = t): i t f (h (m1 : : : m )) = f (m s s n s n f (m s i t n 1 3 f (: : : f (m f (m )) : : :))) s s 2 s 1 Of ourse. 4 It is possible to extend the onstru tion for variable number of blo ks. L11-9 .nal PRF. only the proof uses a random fun tion. the onstru tion will be ineÆ ient with a truly random fun tion. 5 That is why we used the blo k number inside f . but this does not on ern us: the eÆ ient PRF onstru tion is what we are using. but we will not do it for simpli ity.

The veri. and is used a lot in pra ti e. we do not a tually need F be a PRP family here (unlike for the en ryption where we need to re over the message). let F be the PRF family and H be a hash family from L to ` bits. Rather than making the MAC output f (h (m)). 4 XOR-MAC We on lude the treatment of MAC's by mentioning another popular MAC onstru tion using PRF's and the XOR operation. whose properties will be given in a se ond.CBC-MAC is extremely popular. Namely. but it should be a length-preserving PRF family. f (non e) h (m)). Noti e. we now let it output (non e.

the adversary an try to output a \forgery" (non e. or stateful (non e is a ounter). Noti e. unlike our previous method. the latter riti ism is typi ally not a big deal. this method is typi ally either randomized (non e is random). In parti ular. v a) for some m0 6= m. one has to either know or transmit the non e. Sin e a. sin e many universal families are a tually xor-universal. it is used only to make a MAC. and not a (more general) \long-input" PRF. Also. regular universality orresponds to a = 0 sin e h (m) = h (m0 ) i h (m) h (m0 ) = 0. we have s t s s t t t t ` Pr(h (m) h (m0 ) = a) " t t t (where " is negligible). m0 are arbitrary. at the very least we must have that for any m 6= m0 . It turns out that xor-universality is suÆ ient: t t t t Theorem 10 f (non e) h () de. It is easy to see that this will be su essful if and only if h (m) h (m0 ) = a. given a valid tag (non e. what are the properties of H that make this method go through? As a simple atta k. m. Thus. v) of m and a value a. like a random string.p. v) he ks that v = f (non e) h (m). Finally. ation of (non e. Still. Su h families are alled (weakly) "-xor-universal. or a ounter (noti e the similarity with en ryption). and any a 2 f0. a further disadvantage of this method is that it uses more restri tive lasses of hash fun tions! However.h. Here non e is the value that w. never repeats again. 1g .

we have to use the tri k with prepending 0 and 1 to make the . The most used xor-universal family omes from the XOR mode of the previous se tion (and uses PRF to build h ): t h (m1 : : : m ) = f (m1 . s t F is a PRF family and H is (weakly) xor-universal.nes a se ure MAC whenever all the non es are unique w.p. n) t n t t t n It is easy to see that our proof from the previous se tion in fa t showed that H is (weakly) xor-universal ( he k it).h. 1) f (m2 . 2) f (m .. As in the previous se tion.

L11-10 . m1 . or is a ounter (in the later ase the non e need not be expli itly sent over). it has a randomized or ounter avor depending on whether the non e is random.nal MAC onstru tion and use the same key: Tag (m) = (non e. f (0. non e) f (1. 1) f (1. Naturally. n)) s s s s n This is alled the XOR-MAC. m .