Message Authentication Code Mac

Uploaded by

bartolomeo
Message Authentication Code (MAC)

July 20, 2024

Contents
1 Fixed-Length
2 Limitations
3 Arbitrary-Length
3.1 Vulnerable alternatives
3.2 CBC-MAC
3.3 HMAC
4 Authenticated Encryption

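A Message Authentication Code $\Pi = (\mathsf{Gen}, \mathsf{Mac}, \mathsf{Vrfy})$ has the following elements:

• $\mathsf{Gen}(1^n)$ outputs $k$
• $\mathsf{Mac}(k, m)$ outputs tag $t$
• $\mathsf{Vrfy}(k, m, t)$ outputs bit $b$

A MAC $\Pi$ is secure if such that

$$\Pr[\mathsf{MacForge}_{\Pi,A}(n) = 1] \le \mathsf{negl}(n)$$

where

$$\mathsf{MacForge}_{\Pi,A} = \begin{cases} 1 & \text{if } \mathsf{Vrfy}(m^*, t^*) = 1 \land m^*, t^* \notin Q := \{\text{queried } m\} \\ 0 & \text{otherwise} \end{cases}$$

Flaw: Adversary may forge a tag for a message that is not meaningful

A MAC $\Pi$ is strongly secure if such that

$$\Pr[\mathsf{MacForge}_{\Pi,A}(n) = 1] \le \mathsf{negl}(n)$$

where

$$\mathsf{MacForge}_{\Pi,A} = \begin{cases} 1 & \text{if } \mathsf{Vrfy}(m^*, t^*) = 1 \land m^*, t^* \notin Q := \{\text{queried } m \text{ and } t\} \\ 0 & \text{otherwise} \end{cases}$$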

1 Fixed-Length
Let $F : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$ be a PRF. Then, we can define the MAC $\Pi$ such that

• $\mathsf{Gen}(1^n)$: $k \leftarrow \{0,1\}^n$

• $\mathsf{Mac}(k, m) = F_k(m)$

• $\mathsf{Vrfy}(k, m) = 1$ if $t = F_k(m)$, otherwise $0$

If $F$ is a PRF, then $\Pi$ is a secure MAC.

2 Limitations
Replay Attacks: Barebone MACs cannot prevent an adversary from resending messages

• Signing timestamp
• Counter
• Challenge

3 Arbitrary-Length
3.1 Vulnerable alternatives
Divide message into same-length blocks: Can drop blocks

Divide and authenticate length: Can change blocks' order

Divide and authenticate length and index: Can mix and match blocks from messages of the same length

Use random tag for each MAC: It is secure, but the tag must be very long
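
The four alternatives listed above, as an added example that is not part of the original notes: one tag per block, with the length, the block index and a random per-message identifier bound in one level at a time, and a check of which modifications each level still accepts. The names `F`, `mac`, `vrfy` and `accepts`, the 8-byte block size, truncated HMAC-SHA256 standing in for $F_k$, and reading the fourth item as a random message identifier are assumptions; the sample messages are constructed.

```python
import hashlib, hmac, os

BLOCK = 8  # bytes per block (constructed toy size)

def F(k, x):
    # Stand-in PRF F_k (assumption: HMAC-SHA256 truncated to 16 bytes)
    return hmac.new(k, x, hashlib.sha256).digest()[:16]

def split(m):
    assert len(m) % BLOCK == 0, "toy scheme: whole blocks only"
    return [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]

def mac(k, bs, level, r=None):
    """Tag each block. level 0: block only; 1: +length; 2: +index; 3: +random id r."""
    r = (r or os.urandom(8)) if level >= 3 else b""
    n = len(bs).to_bytes(4, "big") if level >= 1 else b""
    tags = [F(k, r + n + (i.to_bytes(4, "big") if level >= 2 else b"") + blk)
            for i, blk in enumerate(bs)]
    return r, tags

def vrfy(k, bs, r, tags, level):
    # Recompute with the received r and compare every tag in constant time
    _, want = mac(k, bs, level, r)
    return len(want) == len(tags) and all(
        hmac.compare_digest(a, b) for a, b in zip(want, tags))

def accepts(level, k=b"K" * 16):
    """Which modified (message, tag) pairs does verification accept at this level?"""
    m1 = split(b"PAY 0010 EUR TO ALICE".ljust(24))  # constructed sample
    m2 = split(b"PAY 9999 EUR TO BOB".ljust(24))    # constructed sample, same length
    r1, t1 = mac(k, m1, level)
    _, t2 = mac(k, m2, level)
    return {
        "honest":  vrfy(k, m1, r1, t1, level),
        "drop":    vrfy(k, m1[:2], r1, t1[:2], level),            # last block removed
        "reorder": vrfy(k, m1[::-1], r1, t1[::-1], level),        # blocks reversed
        "mix":     vrfy(k, [m2[0]] + m1[1:], r1, [t2[0]] + t1[1:], level),
    }

if __name__ == "__main__":
    for level in range(4):
        print(level, accepts(level))
```

At level 3 the authenticator is `r` plus one tag per block, which is the length cost the last item refers to.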

3.2 CBC-MAC
For every $\ell(\cdot)$, the plain CBC-MAC is a secure MAC for messages of length $\ell(n)$.

To extend it to arbitrary length, the message length must be included in the first block.

[Figure: CBC-MAC]

3.3 HMAC

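Let $(\mathsf{Gen}_H, H)$ be an arbitrary-length hash function and $\mathsf{opad}, \mathsf{ipad} \in \{0,1\}^n$ be two constants. Then, we define the following MAC:

$\mathsf{Gen}(1^n)$:
1. $k \leftarrow \{0,1\}^n$
2. $s \leftarrow \mathsf{Gen}_H(1^n)$
3. $(s, k)$

$\mathsf{Mac}(\langle s, k \rangle, m)$:
1. $t := H^s\big((k \oplus \mathsf{opad}) \,\|\, H^s\big((k \oplus \mathsf{ipad}) \,\|\, m\big)\big)$

$\mathsf{Vrfy}(k, m)$:
1. output 1 iff $t \stackrel{?}{=} H^s\big((k \oplus \mathsf{opad}) \,\|\, H^s\big((k \oplus \mathsf{ipad}) \,\|\, m\big)\big)$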

4 Authenticated Encryption
Encrypt-and-Authenticate: Tag may reveal the message (many MACs are deterministic)

Authenticate-then-Encrypt: It works for some schemes, but an adversary can alter the ciphertext to check if it's well-formed

Encrypt-then-Authenticate: This is CCA-secure when the encryption scheme is CPA-secure and the authentication scheme is a strong MAC.
