Lecture 4 – Message authentication, UF-CMA,

CBC-MAC, CMAC
What is cryptography?

Alice Internet
Bob

Adversary
Security goals:

• Data privacy: adversary should not be able to read message M

• Data integrity: adversary should not be able to modify message M
• Data authenticity: message M really originated from Alice

2
What is cryptography?

Alice Internet
Bob

M M'

Adversary
Security goals:

• Data privacy: adversary should not be able to read message M

• Data integrity: adversary should not be able to modify message M
• Data authenticity: message M really originated from Alice

3
Basic goals of cryptography

Message integrity /
Message privacy
authentication

Message authentication
Symmetric keys Symmetric encryption
codes (MAC)

Asymmetric encryption
Asymmetric keys (a.k.a. public-key Digital signatures
encryption)

4
Motivation

• Goal: integrity, but not privacy

• Examples:
• Protecting OS system files against tampering

• Browser cookies stored by web servers

• Control signals in network management

5
Encryption ≠ integrity

0110100 1110 100101100110

CTR. Enc(𝐾,⋅) CTR. Dec(𝐾,⋅)

"Send Bob $10"

1001010 1010 000000001010

1111110 0100 100101101100

011001101100

1111110 0100 011001101100

0110100 1110 100101100110

=
1001010 1010 111100001010

"Send Bob $3850"

6
Message authentication – idea

Sender Receiver
VALID
𝑀 𝑇 𝑀
𝑀
⊥
INVALID

Generate tag 𝑇 Verify 𝑀, 𝑇

7
Message authentication – idea

Sender Receiver
VALID
𝑀 𝑇 𝑀
𝑀
⊥
INVALID
𝑇 ← SHA2‐ 256 𝑀 𝑇 ′ ← SHA2‐ 256 𝑀

?
𝑇′ = 𝑇

8
Message authentication – idea

Sender Receiver
VALID
𝑀 𝑇 𝑀
𝑀
⊥
𝑀′ 𝑇 INVALID
𝑇 ← SHA2‐ 256 𝑀 𝑇 ′ ← SHA2‐ 256 𝑀

?
𝑇′ = 𝑇
𝑇 ← SHA2‐ 256(𝑀′)

9
Message authentication schemes – syntax
A message authentication scheme is a triple Σ = KeyGen, Tag, Vrfy of algorithms:

Tag ∶ 𝒦 × ℳ → 𝒯
$
Tag 𝐾, 𝑀 = Tag 𝐾 𝑀 = 𝑇 Correctness: ∀𝐾 ← KeyGen and ∀𝑀 ∈ ℳ:

Vrfy ∶ 𝒦 × ℳ × 𝒯 → 0,1
$ Vrfy 𝐾, 𝑀, Tag 𝐾, 𝑀 =1
KeyGen
Vrfy 𝐾, 𝑀, 𝑇 = Vrfy𝐾 𝑀, 𝑇 = 1/0

$ $
𝑇 𝑀, 𝑇
𝑀 Tag Vrfy 1/0

Possible integrity security goals:

Adversary
- Hard to recover 𝐾 from 𝑀, 𝑇
- Hard to forge 𝑇 for a specific message 𝑀
- Hard to forge 𝑇 for any 𝑀
- Hard to forge 𝑇 for any chosen 𝑀 after seeing valid tags on (chosen) 𝑀1 , 𝑀2 , … first
10
UF-CMA – Unforgability against chosen-message attacks

Challenger
𝐄𝐱𝐩uf–cma
Σ 𝐴
$
1. 𝐾 ← Σ. KeyGen Tag(𝐾,⋅)
2. 𝒮 ←[] 𝑀1 , 𝑀2 , …
3. forge ← 0
4. 𝐴TA G ⋅ , VF (⋅,⋅) 𝑇1 , 𝑇2 , …
5. return forge

TA G (𝑀) 𝑀1′ , 𝑇1′ , 𝑀2′ , 𝑇2′ , …

Vrfy(𝐾,⋅,⋅)
---------------------------------
1. 𝑇 ← Σ. Tag(𝐾, 𝑀)
2. 𝒮. add 𝑀 1/0, 1/0, …
3. return 𝑇 Adversary wins if:
- one 𝑀𝑖′ , 𝑇𝑖′ is valid, i.e., Vrfy 𝐾, 𝑀𝑖′ , 𝑇𝑖′ = 1
VF (𝑀, 𝑇)
--------------------------------- - and 𝑀𝑖′ ∉ 𝑀1 , 𝑀2 , … ,
1. 𝑑 ← Σ. Vrfy(𝐾, 𝑀, 𝑇)
2. if 𝑑 = 1 and 𝑀 ∉ 𝒮 then:
3. forge ← 1 Definition: The UF-CMA advantage of an adversary 𝐴 is
4. return 𝑑

𝐀𝐝𝐯Σuf–cma 𝐴 = Pr 𝐄𝐱𝐩uf–cma
Σ 𝐴 ⇒1

11
Properties of UF-CMA definition

𝐄𝐱𝐩uf–cma
Σ 𝐴
• UF-CMA security implies: 1.
$
𝐾 ← Σ. KeyGen
• Hard to recover 𝐾 2. 𝒮 ←[]
3. forge ← 0
• Hard forge a specific message chosen by the adversary 4. 𝐴TA G ⋅ , VF (⋅,⋅)
5. return forge
• Tag lengths must be long enough!
• Suppose 𝑇 = 10; then TA G (𝑀)
---------------------------------
1. 𝑇 ← Σ. Tag(𝐾, 𝑀)
1 1
𝐀𝐝𝐯Σuf–cma "Guess 𝑇" = ≈ 2. 𝒮. add 𝑀
210 1000 3. return 𝑇

VF (𝑀, 𝑇)
---------------------------------
1. 𝑑 ← Σ. Vrfy(𝐾, 𝑀, 𝑇)
• Does not give protection against replay attacks 2. if 𝑑 = 1 and 𝑀 ∉ 𝒮 then:
3. forge ← 1
• Message counters 4. return 𝑑

• Nonces
• Timestamps 𝐀𝐝𝐯Σuf–cma 𝐴 = Pr 𝐄𝐱𝐩uf–cma
Σ 𝐴 ⇒1

12
Message authentication codes (MACs)

deterministic function

Tag 𝐾 𝑀 = 𝑇

?
Vrfy𝐾 𝑀, 𝑇′ = “ Tag 𝐾 𝑀 = 𝑇 ′ ”

"recompute and check"

• MAC = special class of message authentication schemes

…actually most common in practice

• MAC ⟹ unique tags ⟹ forgeries must be on new messages

13
PRFs are good MACs
𝑘 𝑛 𝜏
𝐹 ∶ 0,1 × 0,1 → 0,1

Tag 𝐾, 𝑀 ∈ 0,1 𝑛
---------------------------------
1. return 𝐹𝐾 (𝑀)
𝑀
Vrfy 𝐾, 𝑀, 𝑇
---------------------------------
1. 𝑇 ′ ← 𝐹𝐾 𝑀
𝐹𝐾 2. return 𝑇 ′ = 𝑇
?

Theorem: If 𝐹 is a secure PRF then ΣPRF is UF-CMA secure for fixed-length messages

14
PRFs are good MACs – proof sketch

Theorem: For any UF-CMA adversy 𝐴, asking 𝑣 VF queries, there is a PRF-adversary 𝐵 such that

prf 𝑣
𝐀𝐝𝐯Σuf–cma 𝐴 ≤ 𝐀𝐝𝐯𝐹 𝐵 +
PRF 2𝜏

𝐹𝐾

Pr 𝐹𝐾 𝑀 = 𝑇 = ?
PRFs are good MACs – proof sketch

Theorem: For any UF-CMA adversy 𝐴, asking 𝑣 VF queries, there is a PRF-adversary 𝐵 such that

prf 𝑣
𝐀𝐝𝐯Σuf–cma 𝐴 ≤ 𝐀𝐝𝐯𝐹 𝐵 +
PRF 2𝜏

$
𝜌 ← Func 𝑛, 𝜏
PRFs are good MACs – proof sketch

Theorem: For any UF-CMA adversy 𝐴, asking 𝑣 VF queries, there is a PRF-adversary 𝐵 such that

prf 𝑣
𝐀𝐝𝐯Σuf–cma 𝐴 ≤ 𝐀𝐝𝐯𝐹 𝐵 +
PRF 2𝜏

$ 1
𝜌 ← Func 𝑛, 𝜏 Pr 𝜌 𝑀 = 𝑇 =
2𝜏
PRFs are good MACs – proof sketch

Theorem: For any UF-CMA adversy 𝐴, asking 𝑣 VF queries, there is a PRF-adversary 𝐵 such that

prf 𝑣
𝐀𝐝𝐯Σuf–cma 𝐴 ≤ 𝐀𝐝𝐯𝐹 𝐵 +
PRF 2𝜏

𝑀1 𝑀2 𝑀𝑣

𝜌 𝜌 ⋯ 𝜌

𝑇1 𝑇2 𝑇𝑣

𝑣
𝑣
Pr 𝜌 𝑀1 = 𝑇1 ∨ ⋯ ∨ 𝜌 𝑀𝑣 = 𝑇𝑣 ≤ Pr[𝜌 𝑀𝑖 = 𝑇𝑖 ] = 𝜏
2
𝑖=1
PRFs are good MACs – proof sketch

Theorem: For any UF-CMA adversy 𝐴, asking 𝑣 VF queries, there is a PRF-adversary 𝐵 such that

prf 𝑣
𝐀𝐝𝐯Σuf–cma 𝐴 ≤ 𝐀𝐝𝐯𝐹 𝐵 +
PRF 2𝜏

𝑀1 𝑀2 𝑀𝑣

𝜌 𝜌 ⋯ 𝜌

𝑇1 𝑇2 𝑇𝑣

𝑣
𝑣
Pr 𝜌 𝑀1 = 𝑇1 ∨ ⋯ ∨ 𝜌 𝑀𝑣 = 𝑇𝑣 ≤ Pr[𝜌 𝑀𝑖 = 𝑇𝑖 ] = 𝜏
2
𝑖=1
PRFs are good MACs

AES𝐾

256 128 128

Conclusion: AES˗256 ∶ 0,1 × 0,1 → 0,1 is a good MAC

20
MACs for long messages

21
MACs from block ciphers – Attempt 1

𝑀1 𝑀2 𝑀3 𝑀4

𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾

𝑇1 𝑇2 𝑇3 𝑇4

𝑇 = 𝑇1 ||𝑇2 ||𝑇3 ||𝑇4

22
Attempt 1 – an attack

𝑀1 𝑀3 𝑀2 𝑀4

𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾

𝑇1 𝑇3 𝑇2 𝑇4

𝑇 = 𝑇1 ||𝑇3 ||𝑇2 ||𝑇4

23
Attempt 2

𝑀1 𝑀2 𝑀3 𝑀4

𝐸𝐾

24
Attempt 2 – an attack

𝑀1 𝑀3 𝑀2 𝑀4

𝐸𝐾

25
Attempt 3

𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾

𝑇1 𝑇2 𝑇3 𝑇4

𝑇 = 𝑇1 ||𝑇2 ||𝑇3 ||𝑇4

26
Attempt 3 – an attack

𝑀′

𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾

𝑇1 𝑇2 𝑇3 𝑇4

𝑇 = 𝑇1 ||𝑇2 ||𝑇3 ||𝑇4

27
Attempt 4

Size in bits
𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾

𝑇𝐿 𝑇1 𝑇2 𝑇3

𝑇 = 𝑇𝐿 ||𝑇1 ||𝑇2 ||𝑇3

28
Attempt 4 – an attack

𝐸𝐾 𝐸𝐾 𝐸𝐾

𝑇𝐿 𝑇1 𝑇2
𝐸𝐾 𝐸𝐾 𝐸𝐾

𝑇𝐿 𝑇1 𝑇2

𝐸𝐾 𝐸𝐾 𝐸𝐾 In example:
Block size: 128
Block counter size: 32
𝑇𝐿 𝑇1 𝑇2 Block message size: 96
|𝑀1 | = 96 ⋅ 2 = 192
29
CBC-MAC

𝑀1 𝑀2 𝑀3 𝑀4

𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾

𝑇
Theorem: secure if all messages have the same length

Warning: not secure if messages have different lengths!

30
CBC-MAC

𝑀1 𝑀1 𝑀1 ⊕ 𝑇

uf–cma
𝐀𝐝𝐯CBC–MAC 𝐴 =1
𝐸𝐾 𝐸𝐾 𝐸𝐾

𝑇 𝑇

Warning: not secure if messages have different lengths!

31
CBC-MAC vs. CBC$-ENC

𝑀1 𝑀2 𝑀3 𝐼𝑉 𝑀1 𝑀2 𝑀3

𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾

𝑇 𝐶0 𝐶1 𝐶2 𝐶3

Warning 1: CBC-MAC is insecure with an IV!

Warning 2: CBC$-ENC is insecure without an IV!

32
Allowing variable-length messages

• Want to support different-length messages

• Could use different keys for each length ⟹ not practical

• Want to support message not a multiple of the block length

• Padding needed

pad
𝑀1 𝑀2 𝑀1

pad
𝑀1 𝑀2 𝑀1 𝑀2 100000000

33
Length-prepended CBC-MAC

𝑀 𝑀1 𝑀2 𝑀3

𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾

Theorem: Length-prepended CBC-MAC is UF-CMA secure if 𝐸 is a secure PRP

Question: What if you instead add the length to the end?

34
Length-prepended CBC-MAC

𝑀 𝑀 𝑀⊕𝑇

Forgery!
𝐸𝐾 𝐸𝐾 𝐸𝐾

𝑇 𝑇

128 𝑀 256 𝑀 𝑀⊕𝑇

𝑇′ ≠ 𝑇
Not a forgery
𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾

𝑇 𝑇

35
ECBC-MAC

𝑀1 𝑀2 𝑀3 𝑀1 𝑀2

𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾

𝐸𝑇𝐾 𝐸𝐾

𝐾
𝑇 𝑇
𝐾
Use of K2 and K3 in E requires one additional run of key expansion function (say in AES) => bad for pipelining
36
CBC-MAC vs ECBC-MAC

CBC-MAC ECBC-MAC

𝑀 𝑀 𝑀⊕𝑇 𝑀 𝑀 𝑀⊕𝑇

𝑇′ ≠ 𝑇
≠𝑀

𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾

𝑇 𝑇 𝐸𝐾 𝐸𝐾

𝑇 𝑇

Forgery! Not a forgery

37
ECBC-MAC

𝑀1 𝑀2 𝑀3 𝑀1 𝑀2

𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾

𝐸𝑇𝐾 𝐸𝐾
a permutation

𝐾 a permutation
𝑇 𝑇
𝐾

38
FCBC-MAC

𝑀1 𝑀2 𝑀3 𝑀1 𝑀2

𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾

𝑇 𝑇

𝐾
𝐾

39
XCBC-MAC

𝑀1 𝑀2 𝑀3 𝑀1 𝑀2

𝐾 𝐾

𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾

𝑇 𝑇

𝐾
𝐾

40
CMAC a.k.a One-key MAC

𝑀1 𝑀2 𝑀3 𝑀1 𝑀2

𝐾 𝐾

𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾

𝑇 𝑇

𝐾 = 2 ⋇ 𝐸𝐾 0𝑛
Theorem: secure for messages of all lengths
𝑛
𝐾 = 4 ⋇ 𝐸𝐾 0

41
CMAC

• Theorem: UF-CMA secure if 𝐸 is a secure PRP 𝑀1 𝑀2

• 1 𝐸-call per message block + 1 𝐸-call to derive 𝐾2 , 𝐾3

𝐸𝐾 𝐸𝐾 𝐸𝐾

• Fully sequential 𝑇
• Cannot utilize parallel AES cores
𝑀1 𝑀2

• Only one key 𝐾

𝐸𝐾 𝐸𝐾 𝐸𝐾
• Standardized by NIST
• Widely used 𝑇

𝐾 = 2 ⋇ 𝐹𝐾 0𝑛

𝐾 = 4 ⋇ 𝐹𝐾 0𝑛

42
CMAC security

Theorem: For any UF-CMA adversary making 𝑞 TA G -queries (each having ℓ blocks), and 𝑣 VF -queries,
there is a PRP-adversary 𝐵 such that

uf–cma prp 5 ⋅ ℓ ⋅ 𝑞2 𝑣
𝐀𝐝𝐯CMAC 𝐴 ≤ 𝐀𝐝𝐯𝐸 𝐵 + 𝑛
+ 𝑛
2 2

• Example:
• 𝐸 = AES (𝑛 = 128)
• Number of Tag-queries: 𝑞 = 240 ≈ 1 trillion queries
• Max blocks per message: ℓ = 210 ≈ 16 kB
• Number of Vrfy-queries: 𝑣 = 220
prp
• 𝐀𝐝𝐯𝐸 𝐵 ≈0
uf–cma 5 ⋅ 210 ⋅ 240 2
220 23+10+80 1
𝐀𝐝𝐯CMAC AES 𝐴 ≤ + 128 ≈ = 35
2128 2 2128 2

43
CMAC security

Theorem: For any UF-CMA adversary making 𝑞 TA G -queries, each having blocks, and 𝑣 VF -queries,
there is a PRP-adversary 𝐵 such that

uf–cma prp 5 ⋅ ℓ ⋅ 𝑞2 𝑣
𝐀𝐝𝐯CMAC 𝐴 ≤ 𝐀𝐝𝐯𝐸 𝐵 + 𝑛
+ 𝑛
2 2

• Example:
• 𝐸 = DES (𝑛 = 64)
• Number of Tag-queries: 𝑞 = 240 ≈ 1 trillion queries
Prob. > 𝟏!
• Max blocks per message: ℓ = 210 ≈ 16 kB
• Number of Vrfy-queries: 𝑣 = 220
prp
• 𝐀𝐝𝐯𝐸 𝐵 ≈0
uf–cma 5 ⋅ 210 ⋅ 240 2
220 23+10+80
𝐀𝐝𝐯CMAC DES 𝐴 ≤ + 64 ≈ = 229
264 2 264

44
CMAC security

Theorem: For any UF-CMA adversary making 𝑞 TA G -queries, each having blocks, and 𝑣 VF -queries,
there is a PRP-adversary 𝐵 such that

uf–cma prp 5 ⋅ ℓ ⋅ 𝑞2 𝑣
𝐀𝐝𝐯CMAC 𝐴 ≤ 𝐀𝐝𝐯𝐸 𝐵 + 𝑛
+ 𝑛
2 2

• Example:
• 𝐸 = DES (𝑛 = 64)
• Number of Tag-queries: 𝑞 = 216 ≈ 65 000 queries
• Max blocks per message: ℓ = 210 ≈ 16 kB
• Number of Vrfy-queries: 𝑣 = 220
prp
• 𝐀𝐝𝐯𝐸 𝐵 ≈0
uf–cma 1
𝐀𝐝𝐯CMAC DES 𝐴 ≤ 19
2

45
PMAC

𝑀1 𝑀2 𝑀3 𝑀3

𝛾1 ⋇ 𝐿 𝛾2 ⋇ 𝐿 𝛾3 ⋇ 𝐿

𝐸𝐾 𝐸𝐾 𝐸𝐾

𝐸𝐾
𝐿 = 𝐹𝐾 0𝑛

𝛾𝑖 = Gray codes 𝑇

46
PMAC properties

• Theorem: UF-CMA secure if 𝐸 a secure PRP 𝑀1 𝑀2 𝑀3 𝑀3

𝛾1 ⋇ 𝐿 𝛾2 ⋇ 𝐿 𝛾3 ⋇ 𝐿

• One key 𝐸𝐾 𝐸𝐾 𝐸𝐾
𝑇2′
𝑇2

• Fully parallelizable 𝐸𝐾−1 𝑇

𝐸𝐾

• Incremental
𝑇

• …not used in practice

PMAC𝐾 𝑀1 ||𝑀2 || … ||𝑀1000 = 𝑇

PMAC𝐾 𝑀1 ||𝑀2′ || … ||𝑀1000 = 𝐸𝐾 𝐸𝐾−1 𝑇 ⊕ 𝑇2 ⊕ 𝑇2′ = 𝑇

𝑇2 = 𝐸𝐾 𝑀2 ⊕ 𝛾2 ⋇ 𝐿

𝑇2′ = 𝐸𝐾 𝑀2′ ⊕ 𝛾2 ⋇ 𝐿

47
Summary

• UF-CMA the right security notion for message integrity

• Does not cover replay attacks

• PRFs are good MACs

• But only for short (fixed) input length

• CBC-MAC good MAC for messages of a single fixed length

• CMAC upgrades CBC-MAC to variable-length messages

48