Message Authentication Codes

Saravanan Vijayakumaran

Department of Electrical Engineering, IIT Bombay

August 23, 2024

Message Integrity

Encryption schemes achieve secrecy
But an active adversary can modify the ciphertext or inject new ciphertexts
We need mechanisms to ensure that
- a message was sent by the party claiming to send it and that
- it was not modified in transit
All the schemes we have seen so far do not provide message integrity

Syntax of a Message Authentication Code

We will assume that the communicating parties share a secret key k
When Alice wants to send a message m to Bob, she computes a tag t based m and k
Let \textsf{Mac} denote the tag-generation algorithm
Alice computes tag t \leftarrow \textsf{Mac}_k(m) and sends (m,t) to Bob
Upon receiving (m,t), Bob verifies that t is a valid tag on m using a verification algorithm \textsf{Vrfy} which depends on k
\textsf{Vrfy}_k(m,t) = 1 if t is a valid tag for m and 0 otherwise

Formal Definition of a MAC

A message authentication code (MAC) consists of three PPT algorithms (\textsf{Gen}, \textsf{Mac}, \textsf{Vrfy}) such that:
1. \textsf{Gen} takes as input the security parameter 1^n and outputs a key k with |k| \ge n.
2. The tag-generation algorithm \textsf{Mac} takes as input a key k and a message m \in \{0,1\}^*, and outputs a tag t. We write t \leftarrow \textsf{Mac}_k(m).
3. The deterministic verification algorithm \textsf{Vrfy} takes as input a key k, a message m, and a tag t. It outputs a bit b with b=1 meaning valid and b=0 meaning invalid. We write this as b \coloneqq \textsf{Vrfy}_k(m,t).
It is required that for every n, every key k output by \textsf{Gen}(1^n), and every m \in \{0,1\}^*, it holds that \textsf{Vrfy}_k(m, \textsf{Mac}_k(m))=1.

Canonical Verification

For deterministic message authentication codes, the canonical way to perform verification is to simply re-compute the tag and check for equality
\textsf{Vrfy}_k(m,t) computes \tilde{t} \coloneqq \textsf{Mac}_k(m) and then outputs 1 if and only if \tilde{t} = t

Message Authentication Experiment

Consider the experiment \textsf{Mac-forge}_{\mathcal{A},\Pi}(n):
- A key k is generated by running \textsf{Gen}(1^n)
- The adversary \mathcal{A} is given input 1^n and oracle access to \textsf{Mac}_k(\cdot)
- The adversary eventually outputs (m,t)
- Let \mathcal{Q} denote the set of all queries that \mathcal{A} asked its oracle
- \mathcal{A} succeeds if and only if
  1. \textsf{Vrfy}_k(m,t) = 1 and
  2. m \notin \mathcal{Q}
- If \mathcal{A} succeeds, the output of the experiment is 1. Otherwise, the output is 0.

Security Definition

A MAC is secure if no efficient adversary can succeed in the above experiment with non-negligible probability
A message authentication code \Pi = (\textsf{Gen}, \textsf{Mac}, \textsf{Vrfy}) is existentially unforgeable under an adaptive chosen-message attack, or just secure, if for all PPT adversaries \mathcal{A}, there is a negligible function such that \Pr\left[ \textsf{Mac-forge}_{\mathcal{A}, \Pi}(n) = 1\right] \le \textsf{negl}(n).

Replay Attacks

MACs which satisfy previous security definition offer no protection against replay attacks
In current setting, verification is stateless
- \textsf{Vrfy} outputs 1 every time a valid pair (m,t) is presented
Protection against replay attacks must be handled by some higher-level application
- Common techniques use sequence numbers or timestamps

Timing Attacks

Timing attacks use the time taken by the receiver to verify the tag to forge a valid tag
Consider a MAC that uses canonical verification
- On receiving (m, t), the receiver computes t' \coloneqq \textsf{Mac}_k(m) and checks if t' = t
- Suppose t and t' are compared one byte at a time
An attacker can incrementally learn a valid tag on m by measuring time to rejection

Fixed-Length MAC Construction

We will construct a MAC for messages of length n using a pseudorandom function F
Security of the MAC will follow from the assumption that F is pseudorandom

Fixed-Length MAC Construction

Let F be a length-preserving pseudorandom function
Define a fixed-length MAC for messages of length n as follows:
- \textsf{Mac}: on input a key k \in \{0,1\}^n and a message m \in \{0,1\}^n, output the tag t \coloneqq F_k(m).
- \textsf{Vrfy}: on input a key k, message m, and a tag t all in \{0,1\}^n, output a 1 if and only if t = F_k(m). If t \neq F_k(m), output 0.

Security Proof

Theorem: If F is a pseudorandom function, then the above construction is a secure fixed-length MAC for messages of length n.
Proof strategy
- Let \widetilde{\Pi} = (\widetilde{\textsf{Gen}}, \widetilde{\textsf{Mac}}, \widetilde{\textsf{Vrfy}}) be the same as \Pi = (\textsf{Gen}, \textsf{Mac}, \textsf{Vrfy}) with F_k replaced with f \leftarrow \textsf{Func}_n
- Construct a distinguisher D that uses \mathcal{A} as a subroutine and show that \begin{align*} & \bigg| \Pr\left[ \textsf{Mac-forge}_{\mathcal{A}, \Pi}(n) = 1 \right] \\ & \quad\quad - \Pr\left[ \textsf{Mac-forge}_{\mathcal{A}, \widetilde{\Pi}}(n) = 1 \right]\bigg| \le \textsf{negl}(n) \end{align*}
- Then show that \Pr\left[ \textsf{Mac-forge}_{\mathcal{A}, \widetilde{\Pi}}(n) = 1 \right] = 2^{-n}

Distinguisher Definition

D is given 1^n and access to an oracle \mathcal{O}: \{0,1\}^n \rightarrow \{0,1\}^n. It uses \mathcal{A} as a subroutine

Whenever \mathcal{A} queries its MAC oracle on message m\in \{0,1\}^n, answer as follows
- Query \mathcal{O} with m and obtain response t; return t to \mathcal{A}
When \mathcal{A} outputs (m,t):
- Query \mathcal{O} with m and obtain response t'
- If t'=t and m \not\in \mathcal{Q}, then output 1. Else, output 0.

Finishing the Proof

\Pr\left[ D^{F_k(\cdot)}(1^n) = 1 \right] = \Pr\left[ \textsf{Mac-forge}_{\mathcal{A}, \Pi}(n) = 1 \right]
\Pr\left[ D^{f(\cdot)}(1^n) = 1 \right] = \Pr\left[ \textsf{Mac-forge}_{\mathcal{A}, \widetilde{\Pi}}(n) = 1 \right]
Since F is pseudorandom \bigg| \Pr\left[ D^{F_k(\cdot)}(1^n) = 1 \right] - \Pr\left[ D^{f(\cdot)}(1^n) = 1 \right] \bigg| \\ \quad\quad\quad\quad\quad\quad\quad\quad\quad\quad\quad\quad \le \textsf{negl}(n)
\Pr\left[ \textsf{Mac-forge}_{\mathcal{A}, \widetilde{\Pi}}(n) = 1 \right] = 2^{-n}
\Pr\left[ \textsf{Mac-forge}_{\mathcal{A}, \Pi}(n) = 1 \right] \le 2^{-n} + \textsf{negl}(n)

Domain Extension for MACs

The secure MAC construction we saw can only handle messages of length n
How can we authenticate arbitrary-length messages?
Before seeing a secure construction, let us reject some insecure ones

Insecure MAC 1

Suppose message m can be broken up into d blocks m_1, m_2, \ldots, m_d \in \{0,1\}^n
Ignore efficiency in terms of the tag length for now
Let \Pi' = (\textsf{Mac}', \textsf{Vrfy}') be a secure fixed-length MAC for messages of length n
We want to construct a secure MAC \Pi = (\textsf{Mac}, \textsf{Vrfy}) for messages of length dn
Suppose we compute a per-block tag t_i = \textsf{Mac}'_k(m_i) and output \langle t_1,\ldots,t_d\rangle as the tag for m
An adversary can perform a block reordering attack

Insecure MAC 2

Block reordering attacks can be prevented by authenticating the block index
After reducing the size of the blocks, we can compute t_i= \textsf{Mac}'_k( i \| m_i)
But this does not prevent a truncation attack
An attacker can simply drop blocks from the end of the message

Insecure MAC 3

Truncation attacks can be prevented by authenticating the message length
After further reducing the size of the blocks, we compute t_i = \textsf{Mac}'_k(l \| i \| m_i) and output \langle t_1,\ldots,t_d\rangle as the tag for m
- Here l is the length of the message in bits
This is still vulnerable to a mix-and-match attack

Secure MAC Construction

To prevent mix-and-match attacks, we include a random message identifier in the authentication of each block

Secure MAC Construction

The following is a secure MAC if \Pi' is a secure MAC.
- Let m \in \{0,1\}^* be a message of length l < 2^{n/4}
- Parse m into d blocks m_1, m_2, \ldots, m_d of length n/4 bits each
- Choose r uniformly from \{0,1\}^{n/4}
- For i=1,2,\dots,d, compute t_i \leftarrow \textsf{Mac}'_k(r \| l \| i \| m_i) where i and l are encoded as n/4-bit strings
- Output the tag t \coloneqq \langle r, t_1, t_2, \dots, t_d \rangle

The Birthday Problem

If we choose q elements y_1,\ldots,y_q uniformly from a set of size N, what is the probability of collision?
- By collision, we mean the event when y_i = y_j for distinct i,j
- Let \textsf{coll}(q, N) denote the collision probability
Birthday problem: How many people do we need such that with probability \frac{1}{2} we can find a pair who share a birthday?
It turns out that \textsf{coll}(q, 365) \ge \frac{1}{2} for q \ge 23

Birthday Problem Lemma

Lemma: Fix a positive integer N, and let q \le \sqrt{2N}. IF y_1, y_2, \ldots, y_q are chosen uniformly and independently from a set of size N. Then \frac{q(q-1)}{4N} \le \textsf{coll}(q, N) \le \frac{q(q-1)}{2N}.
See section A.4 of Katz & Lindell for the proof

Security Proof (1/5)

We need to show that \Pr\left[ \textsf{Mac-forge}_{\mathcal{A}, \Pi}(n) = 1\right] is negligible
Let \textsf{repeat} denote the event that the same random identifier appears in more than one MAC oracle response
Let \mathcal{A}’s final output be (m,t) where m = \langle m_1, m_2, \ldots, m_d \rangle and t = \langle r, t_1, \ldots, t_d \rangle
Let \textsf{NewBlock} denote the event that at least one of the blocks r \| l \|i \| m_i was never previously authenticated by \textsf{Mac}' while answering \mathcal{A}’s queries

Security Proof (2/5)

Let \textsf{Forge} denote the event \textsf{Mac-forge}_{\mathcal{A}, \Pi}(n) = 1
We have \begin{align*} & \Pr\left[ \textsf{Mac-forge}_{\mathcal{A}, \Pi}(n) = 1\right] = \\ %& =\Pr\left[ \textsf{Forge} \bigcap \textsf{repeat}\right] +\Pr\left[ \textsf{Forge} \bigcap \textsf{repeat}^c\right] \\ & =\Pr\left[ \textsf{Forge} \bigcap \textsf{repeat}\right] \\ &\quad+\Pr\left[ \textsf{Forge} \bigcap \textsf{repeat}^c \bigcap \textsf{NewBlock}\right] \\ &\quad+\Pr\left[ \textsf{Forge} \bigcap \textsf{repeat}^c \bigcap \textsf{NewBlock}^c\right] \\ & \le \Pr\left[\textsf{repeat}\right] \\ &\quad+\Pr\left[ \textsf{Forge} \bigcap \textsf{NewBlock}\right] \\ &\quad+\Pr\left[ \textsf{Forge} \bigcap \textsf{repeat}^c \bigcap \textsf{NewBlock}^c\right] \end{align*}

Security Proof (3/5)

\Pr[\textsf{repeat}] \le \frac{[q(n)]^2}{2^{\frac{n}{4}+1}} where q(n) is the number of MAC oracle queries
Claim: \Pr\left[ \textsf{Forge} \bigcap \textsf{repeat}^c \bigcap \textsf{NewBlock}^c\right] = 0
In words, if the adversary succeeds and \textsf{repeat} did not occur, then \textsf{NewBlock} must have occurred
If \textsf{repeat} does not occur then the values r_1,\ldots,r_q are distinct
If r \notin \{r_1,\ldots,r_q\}, then \textsf{NewBlock} clearly occurs

Security Proof (4/5)

If r \in \{r_1,\ldots,r_q\}, then r = r_j for a unique j
Only the jth query to the MAC oracle could have authenticated one of r\| l \| 1 \| m_1,\ldots, r\| l \| d \| m_d
Let m^{(j)} be the message that \mathcal{A} used in its jth oracle query
Let l_j be the length of m^{(j)}
- Case 1: l \neq l_j
- Case 2: l = l_j

Security Proof (5/5)

We need to show that \Pr\left[ \textsf{Forge} \bigcap \textsf{NewBlock}\right] is negligible
We construct an adversary \mathcal{A}' that attacks \Pi' by using \mathcal{A} as a subroutine
We will have \Pr\left[ \textsf{Mac-forge}_{\mathcal{A}, \Pi}(n) = 1 \bigcap \textsf{NewBlock}\right] \\ \le \Pr\left[ \textsf{Mac-forge}_{\mathcal{A}', \Pi'}(n) = 1 \right]
Since \Pi' is secure, the RHS is negligible

CBC-MAC

The previous construction is inefficient because the tag is more than four times longer than the message length
CBC-MAC is a secure MAC with tag length equal to message block length

CBC-MAC for Fixed-Length Messages

Let F be a length-preserving pseudorandom function with length n bits
Let m \in \{0,1\}^{dn} be a message for a fixed d > 0.
\textsf{Mac}:
1. Parse the message m in to d blocks m_1,\dots,m_d of length n bits each.
2. Set t_0 = 0^n. For i=1,\dots,d, set t_i = F_k(t_{i-1} \oplus m_i).
3. Output t_d as the tag.
\textsf{Vrfy}: For a message-tag pair (m,t) output 0, if the message is not of length dn.

Otherwise, output 1 if and only if t = \textsf{Mac}_k(m).

CBC-MAC for Fixed-Length Messages

Theorem: If d = l(n) for some polynomial l and F is a pseudorandom function, then the above construction is secure for messages of length dn.

Message Authentication Codes

Message Integrity

Syntax of a Message Authentication Code

Formal Definition of a MAC

Canonical Verification

Message Authentication Experiment

Security Definition

Replay Attacks

Timing Attacks

Fixed-Length MAC Construction

Fixed-Length MAC Construction

Security Proof

Distinguisher Definition

Finishing the Proof

Domain Extension for MACs

Insecure MAC 1

Insecure MAC 2

Insecure MAC 3

Secure MAC Construction

Secure MAC Construction

The Birthday Problem

Birthday Problem Lemma

Security Proof (1/5)

Security Proof (2/5)

Security Proof (3/5)

Security Proof (4/5)

Security Proof (5/5)

CBC-MAC

CBC-MAC for Fixed-Length Messages

CBC-MAC for Fixed-Length Messages

CBC-MAC for Arbitrary Length Messages

Further Reading