A notion of security

We will first try to build up some intuition about what properties a message authentication scheme should have to call it “secure”, and then distill a formal definition of security.

8.3.1 Issues in security

The goal that we seek to achieve in using a message authentication scheme is to be able to detect any attempt by the adversary to modify the transmitted data. What we are afraid of is that the adversary can produce messages that the receiver accepts as coming from the legitimate senderS when in factSdid not send this message. That is,Acan produceM, σ such thatVK(M, σ) = 1, butM did not originate with the senderS.

This is called aforgery.

Perhaps the first question one might ask is whether one should try to gauge the value of the forgery to the adversary, for example by asking what is the content of the message. For example, say the messages are expected to have certain formats, and the forgery is just a random string. Should this really be viewed as a forgery? The answer isyes. We have seen this general issue before. It would be unwise to make assumptions about how the messages are formatted or interpreted. Good protocol design means the security is guaranteed no matter what is the application. Accordingly we view the adversary as successful if she produces M, σ such that the sender never authenticatedM butVK(M, σ) = 1.

In some discussions of security in the literature, the adversary’s goal is viewed as being to recover the shared secret key K. Certainly if she could do this, it would be a disaster, since she could forge anything. It is important to understand, however, that she might be able to forge without recovering the key. Thus, we are here making the notion of adversarial success more liberal: what counts is forgery, not key recovery. So a secure scheme has a stronger guarantee of security.

In making forgeries we must consider various attacks, of increasing severity. The simplest setting is that the sender has not yet sent any transmissions, and the adversary may simply attempt to concoct a pair M, σ which passes the verification test, namely such thatVK(M, σ) = 1. This is called a no-message attack.

However, the adversary also has the ability to see what is transmitted. She might try to make forgeries based on this information. So suppose the sender sends the transmission M, σ consisting of some message M and its legitimate (correct) tagσ. The receiver will certainly accept this. At once, a simple attack comes to mind. The adversary can just copy this transmission. That is, she stores M, σ, and at some later time re-transmits it. If the receiver accepted it the first time, he will do so again. This is called a replay attack.

Is this a valid forgery? In real life it probably should be so considered. Say the first message was “Transfer

$1000 from my account to the account ofB.” Bsuddenly sees a way of enriching herself. She keeps replaying this message and her bank balance increases.

It is important to protect against replay attacks. But for the moment we will not try to do this. We will say that a replay is NOT a valid forgery. To be valid, a forgery must be of a message M which was not transmitted by the sender. We will later see that we can achieve security against replay by addition of time stamps or counters to any normal message authentication mechanism. At this point, separating the issues results in a cleaner problem and allows greater modularity in protocol design. Namely we will cut up the problem into logical parts and solve them one by one. Accordingly from now on don’t regard replay as a valid attack.

So if the adversary wants to be successful, it must somehow use the valid transmissionM, σ to concoct a pairM⁰, σ⁰ such thatM 6=M⁰ but VK(M⁰, σ⁰) = 1. If she can do this, we say she is successful. Thus, we have a veryliberal notion of adversarial success. So when we say a scheme is secure, it is secure in a very strong sense.

We have allowed the adversary to see an example message. Of course, it may see more than one, and forgery must still be hard. We expect that the adversary’s ability to forge will increase as it sees more examples of legitimately authenticated data, so that as usual we expect the notion of security to be quantitative, with the adversary’s success probability being a function of of the numberq of legitimate pairs seen.

In many settings, it is possible for the adversary to influence the choice of legitimate messages being tagged.

In the worst case, we can think the adversary herself chooses these messages. This is called a chosen plaintext attack. At first glance a chosen plaintext attack may seem unrealistically strong. There are two arguments against this view. First, we will see examples where such an attack is quite realistic. Second, recall our general principles. We want to design schemes which are secure in any usage. This requires that we make

“worst case” notions of security in which if we err, it is on the side of caution, allowing the adversary as

Cryptography: Lecture Notes 143

much power as possible. Since eventually we will be able to design schemes that meet such stringent notions of security, we only gain by the process.

One instance of a chosen-message attack is a setting in whichS is forwarding toB data that it receives from C, and authenticating that data based on a keyK shared between S and B, in the process. IfC wants to play an adversarial role,Ccan choose the data as it wishes, and then see the corresponding tags as sent by S toB. Other scenarios are also possible.

In summary, we want a notion of security to capture the following. We allow an adversary to mount a chosen-message attack on the sender, obtaining from the sender correct tags of messages of the adversary’s choice. Then, the adversary attempts a forgery, and is declared successful if the forgery is valid (meaning accepted by the receiver) and the message in it was never authenticated by the sender.

8.3.2 A notion of security

Let MA= (K,T,V) be an arbitrary message authentication scheme. Our goal is to formalize a measure a insecurity against forgery under chosen-message attack for this scheme. As discussed above, we envision a chosen-message attack mounted on the sender, and then a forgery attempt directed at the receiver. In formalizing this we begin by distilling the key aspects of the model. There is no need, in fact, to think explicitly of the sender and receiver as animate entities. The result of the adversary requesting the sender to authenticate a message M is that the adversary obtains a tagσgenerated via σ← TK(M), whereK is the key shared between sender and receiver. Thus, we may as well simplify the situation and think of the adversary as having oracle access to the algorithm TK(·). It can query this oracle at any point M in the message space and obtain the result. Correspondingly we eliminate the receiver from the picture and focus only on the verification process. The adversary will eventually output a pairM, σ and it is a valid forgery as long asVK(M, σ) = 1 andM was never a query to the tagging oracle.

Note the key K is not directly given to the adversary, and neither are any random choices or counter used by the tagging algorithm; the adversary sees only the generated tag σ. However σis a function of the key and the random choices or counter, so it might provide information about these, to an extent that depends on the scheme. If the tag allows the adversary to infer the key, the scheme will certainly be insecure.

The adversary’s actions are thus viewed as divided into two phases. The first is a “learning” phase in which it is given oracle access toTK(·), where Kwas a priori chosen at random according toK. It can query this oracle up to q times, in any manner it pleases, as long as all the queries are messages in the underlying message space Plaintexts associated to the scheme. Once this phase is over, it enters a “forgery” phases, in which it outputs a pair (M, σ). The adversary is declared successful if VK(M, σ) = 1 andM was never a query made by the adversary to the tagging oracle. Associated to any adversary A is thus a success probability. (The probability is over the choice of keyK, any probabilistic choices thatT might make, and the probabilistic choices, if any, thatAmakes.) The insecurity of the scheme is the success probability of the

“cleverest” possible adversary, amongst all adversaries restricted in their resources to some fixed amount.

We choose as resources the running time of the adversary, the number of queries it makes, and the total bit-length of all queries combined plus the bit-length of the output messageM in the forgery.

Formally we define the “experiment of running the adversary”A in an attack on schemeMA= (K,T,V) as the following.

ExperimentExp^uf-cma MA,A

LetK← K^R

Let (M, σ)←A^TK(·)

IfVK(M, σ) = 1 andM was not a query of Ato its oracle Then return 1 else return 0

Definition 8.3 LetMA= (K,T,V) be a message authentication scheme, and let Abe an adversary that has access to an oracle. LetAdv^uf-cma

MA,A be the probability that experiment Exp^uf-cma

MA,A returns 1. Then for

anyt, q, µlet

Adv^uf-cma

MA (t, q, µ) = max

A {Adv^uf-cma MA,A}

where the maximum is over allArunning in timet, making at mostqoracle queries, and such that the sum of the lengths of all oracle queries plus the length of the messageM in the output forgery is at mostµbits.

In practice, the queries correspond to tagged messages sent by the legitimate sender, and it would make sense that getting these examples is more expensive than just computing on one’s own. That is, we would expectq to be smaller thant. That is whyq, µare resources separate fromt.

8.3.3 Using the definition: Some examples

Let us examine some example message authentication schemes and use the definition to assess their strengths and weaknesses. We fix a PRFF:{0,1}^k× {0,1}^l→ {0,1}^L. Our first schemeMA1= (K,T,V) works like this–

AlgorithmTK(M)

DivideM intol bit blocks,M =x1. . . xn

Fori= 1, . . . , ndoyi←FK(xi) σ←y1⊕ · · · ⊕yn

Returnσ

AlgorithmVK(M, σ)

DivideM intol bit blocks,M =x1. . . xn

Fori= 1, . . . , ndoyi←FK(xi) σ⁰ ←y1⊕ · · · ⊕yn

Ifσ=σ⁰ then return 1 else return 0 Now let us try to assess the security of this message authentication scheme.

Suppose the adversary wants to forge the tag of a certain given messageM. A priori it is unclear this can be done. The adversary is not in possession of the secret keyK, so cannot computeFK and hence will have a hard time computing σ. However, remember that the notion of security we have defined says that the adversary is successful as long as it can produce a correct tag forsomemessage, not necessarily a given one.

We now note that even without a chosen-message attack (in fact without seeing any examples of correctly tagged data) the adversary can do this. It can choose a message M consisting of two equal blocks, say M =xkx where xis some l-bit string, set σ← 0^l, and output M, σ. Notice that VK(M, σ) = 1 because FK(x)⊕FK(x) = 0^l=σ. So the adversary is successful. In more detail, the adversary is:

AdversaryA^T₁^K(·)

Letxbe somel-bit string LetM ←xkx

Letσ←0^l Return (M, σ) ThenAdv^uf-cma

MA1,A1 = 1. FurthermoreA1 makes no oracle queries, uses t=O(l) time, and outputs anl-bit message in its forgery, so we have shown that

Adv^uf-cma

MA1 (t,0, l) = 1. That is, the schemeMA1 is totally insecure.

There are many other attacks. For example we note that if σ = FK(M1)⊕FK(M2) is the tag of M1M2

then σis also the correct tag of M₂M₁. So it is possible, given the tag of a message, to forge the tag of a new message formed by permuting the blocks of the old message. We leave it to the reader to specify the corresponding adversary and compute its advantage.

Let us now try to strengthen the scheme to avoid these attacks. Instead of applyingFK to a data block, we will first prefix the data block with its index. To do this we pick some parametermwith 1≤m≤l−1, and write the index as anm-bit string. The message authentication schemeMA1= (K,T,V) looks like this:

Cryptography: Lecture Notes 145

As the code indicates, we divideM into smaller blocks: not of sizel, but of sizel−m. Then we prefix the i-th message block with the value iitself, the block index, written in binary. Abovehiidenotes the integer iwritten as a binary string ofmbits. It is to this padded block that we applyFK before taking the XOR.

Note that encoding of the block indexi as anm-bit string is only possible if i <2^m. This means that we cannot authenticate a message M having more than 2^m blocks. That is, the message space is confined to strings of length at most (l−m)(2^m−1), and, for simplicity, of length a multiple ofl−m bits. However this is hardly a restriction in practice since a reasonable value ofm, likem= 32, is large enough that typical messages fall in the message space, and sincel is typically at least 64, we have at least 32 bits left for the data itself.

Anyway, the question we are really concerned with is the security. Has this improved with respect toMA1? Begin by noticing that the attacks we found onMA1 no longer work. For example take the adversary A1

above. (It needs a minor modification to make sense in the new setting, namely the chosen block xshould not be of length l but of lengthl−m. Consider this modification made.) What is its success probability when viewed as an adversary attacking MA2? The question amounts to asking what is the chance that VK(M, σ) = 1 whereV is the verification algorithm of our amended scheme and M, σ is the output of A1. The verification algorithm will compute σ⁰ = FK(h1ikx)⊕FK(h2ikx) and test whether this equals 0^l, the value ofσoutput byA. This happens only when

FK(h1ikx) = FK(h2ikx),

and this is rather unlikely. For example if we are using a block cipher it never happens because FK is a permutation. Even whenF is not a block cipher, this event has very low probability as long as F is a good PRF; specifically,Adv^uf-cma

MA2,A1 is at most Adv^prf_F (t,2) wheret=O(l). (A reader might make sure they see why this bound is true.) So the attack has very low success probability.

Similar arguments show that the second attack discussed above, namely that based on permuting of message blocks, also has low success against the new scheme. Why? In the new scheme

TK(M1M2) = FK(h1ikM1)⊕FK(h2ikM2) TK(M2M1) = FK(h1ikM2)⊕FK(h2ikM1).

These are unlikely to be equal for the same reasons discussed above. As an exercise, a reader might upper bound the probability that these values are equal in terms of the value of the insecurity ofF at appropriate parameter values.

However,MA2is still insecure. The attacks however require a more non-trivial usage of the chosen-message attacking ability. The adversary will query the tagging oracle at several related points and combine the responses into the tag of a new message. We call itA₂–

AdversaryA^T₂^K(·)

claim. We use the definition of the tagging algorithm to see that σ1 = FK(h1ikx1)⊕FK(h2ikx2) σ2 = FK(h1ikx1)⊕FK(h2ikx⁰₂) σ₃ = F_K(h1ikx⁰₁)⊕F_K(h2ikx₂).

Now look howA2definedσand do the computation; due to cancellations we get σ = σ1⊕σ2⊕σ3

= FK(h1ikx⁰₁)⊕FK(h2ikx⁰₂).

This is indeed the correct tag ofx⁰₁x⁰₂, meaning the valueσ⁰ thatVK(x⁰₁x⁰₂, σ) would compute, so the latter algorithm returns 1, as claimed. In summary we have shown that

Adv^uf-cma

MA2 (t,3,4(l−m)) = 1, wheret=O(l). So the schemeMA2 is also totally insecure.

Later we will see how a slight modification of the above actually yields a secure scheme. For the moment however we want to stress a feature of the above attacks. Namely that these attacksdid not cryptanalyze the PRFF. The cryptanalysis of the message authentication schemes did not care anything about the structure of F; whether it was DES, RC6, or anything else. They found weaknesses in the message authentication schemes themselves. In particular, the attacks work just as well whenFKis a random function, or a “perfect”

cipher. This illustrates again the point we have been making, about the distinction between a tool (here the PRF) and its usage. We need to make better usage of the tool, and in fact to tie the security of the scheme to that of the underlying tool in such a way that attacks like those illustrated here are provably impossible under the assumption that the tool is secure.