Constructing Secure Message Authentication Codes

A natural tool to use for constructing a message authentication code is a pseudorandom function. Intuitively, if the MAC tagtis obtained by applying a pseudorandom function to the message m, then forging a MAC involves guessing the input/output behavior of a pseudorandom function. More for-mally, we know that the probability of guessing the value of a random function on an unobserved point is 2⁻ⁿ when the output length isn. It therefore fol-lows that the probability of guessing such a value for a pseudorandom function (which is equivalent to guessing a MAC tag) can only be negligibly different.

A technicality that arises here is that our definition of pseudorandom func-tions (Definition 3.24) considers messages of a fixed length. Specifically, for a key of lengthn, the function maps inputs of length nto outputs of length n. In contrast, a MAC must be defined for all messages of all lengths. (Of course, security only holds for messages of length that is polynomial in n.

However, this is implicit in the fact that a polynomial-time adversary chooses the messages and such an adversary cannot write down a message that is “too long”.) We therefore first prove that a pseudorandom function constitutes a secure fixed-length MAC with length parameter`(n) =n.

We now prove that Construction 4.3 constitutes a secure MAC.

THEOREM 4.4 Assume that the function F used in Construction 4.3 is a pseudorandom function. Then, Construction 4.3 is a fixed-length mes-sage authentication code with length parameter `(n) = n that is existentially unforgeable under chosen message attacks.

CONSTRUCTION 4.3 Fixed-length MAC.

LetF :{0,1}^∗× {0,1}^∗→ {0,1}^∗ be a function such that for everyk, Fk(·) mapsn-bit strings ton-bit strings. Define a fixed-length MAC as follows:

• Gen(1ⁿ): upon input 1ⁿ, choosek← {0,1}ⁿ

• Mack(m): upon input keyk∈ {0,1}ⁿ and messagem∈ {0,1}ⁿ, computet=Fk(m). (If|m| 6=|k|then output⊥.)

• Vrfy_k(m, t): upon input keyk∈ {0,1}ⁿ, messagem∈ {0,1}ⁿand tagt∈ {0,1}ⁿ, output 1 if and only ift=Fk(m). (If the lengths are incorrect, then output 0.)

PROOF The intuition behind the proof of this theorem was described above. We therefore delve directly into the details. As in previous uses of pseudorandom functions, this proof follows the paradigm of first analyzing the security of the scheme using a truly random function, and then considering the result of replacing the truly random function with a pseudorandom one.

LetAbe a probabilistic polynomial-time adversary and letε(·) be a function so that

Pr[Mac-forge_A,Π(n) = 1] =ε(n) (4.1) We show that this implies the existence of a polynomial-time algorithm that can distinguish the pseudorandom function from a random one with advantage ε(n). This will then imply thatεmust be negligible, as required.

Consider a message authentication code Π = (e Gen,g Enc,g Dec) which is theg same as Π = (Gen,Mac,Vrfy) in Construction 4.3 except that a truly random functionfn is used instead of the pseudorandom functionF. (Of course, this is not a “legal MAC” because it is not efficient. Nevertheless, this is used for the sake of the proof only.) It is straightforward to see that

Pr[Mac-forge_A,eΠ(n) = 1]≤ 1

2ⁿ (4.2)

because for any messagem /∈ Q, the valuet=fn(m) is uniformly distributed in {0,1}ⁿ from the point of view of the adversaryA.

We now construct a polynomial-time distinguisherDthat is given an oracle (that is either of a pseudorandom function or a truly random function) and works as follows. Upon input 1ⁿ, algorithmDinvokesAupon input 1ⁿ. Then, whenAqueries its oracle with a messagem⁰,Dqueries its oracle withm⁰and sets t⁰ to be the oracle reply. D hands t⁰ to A and continues. At the end, when Aoutputs a pair (m, t), distinguisher D checks that m was not asked during the execution (i.e., m /∈ Q) and that tis a “valid” MAC.D does this by queryingmto its oracle and checking that the response equalst. If both of the above checks pass (and soA “succeeded” in the experiment), thenD outputs 1. Otherwise it outputs 0.

¿From the construction of D, and the success of A as shown in Equa-tions (4.1) and (4.2), it follows that:

Prh

By the assumption thatF is a pseudorandom function, it follows thatε(n)− 2⁻ⁿ must be negligible, and so ε(·) must be a negligible function. This im-plies thatAsucceeds inMac-forgewith at most negligible probability, and so Construction 4.3 is existentially unforgeable under chosen message attacks.

Variable-length message authentication codes. Construction 4.3 is im-portant in that it shows a general paradigm for constructing secure message authentication codes. That is, it demonstrates that any pseudorandom func-tion suffices. However, in its current form, this construcfunc-tion is only capable of dealing with messages of a fixed length; a limitation that is unacceptable in many (if not most) applications.¹ We therefore show here how a gen-eral (variable-length) MAC can be constructed from a fixed-length one. The construction here is not very efficient and is unlikely to be used in practice.

Indeed, there are far more efficient constructions that have been proven se-cure. Nevertheless, we include this specific construction due to its simplicity.

Practical constructions will be discussed later in Sections 4.5 and 4.7.

Before presenting the construction, we rule out some simple ideas. In all of the following (and in our secure construction below), the idea is to break the message into blocks and apply a pseudorandom function to the blocks in some way.

1. Apply a pseudorandom function to the first block: This clearly is not a secure MAC because nothing prevents an adversary from changing all the other blocks apart from the first.

1We note that if we had a pseudorandom function that works for variable-length inputs, then the proof of Theorem 4.4 would go through unchanged and so a variable-length MAC would be derived. However, since we did not define pseudorandom functions in this way, and since practical pseudorandom functions are for fixed input lengths, we use a different method of obtaining variable-length MACs.

2. Exlusively-OR all of the blocks and apply a pseudorandom function to the result:In this case, all an adversary needs to do is to change the message so that the XOR of the blocks does not change (thus implying that the MAC tag remains the same). This can be carried out by changing two of the blocks so that their XOR remains the same.

3. Apply a pseudorandom function to each block separately and output the results: This is similar to ECB mode in Section 3.6.4. In this case, no blocks can be easily modified. However, blocks can be removed, repeated and their order can be interchanged. The method is therefore not secure. We also note that blocks from different messages can be combined into a new message.

We leave the details of how to exactly carry out the above attacks in an effective way as an exercise.

Similarly to the above simple ideas, the actual construction (see below) works by breaking the message up into blocks and applying the pseudorandom function separately to each block. However, this must be done carefully so that the order of the blocks cannot be rearranged and so that blocks from signatures on different messages cannot be intertwined. This is achieved by including additional information in every block. Specifically, in addition to part of the message, each block contains an index of its position in the series, in order to prevent rearranging the blocks. Furthermore, all the blocks in a signature contain the same random identifier. This prevents blocks from different signatures from being combined, because they will have different identifiers. Finally, all the blocks in a signature contain the total number of blocks, so that blocks cannot be dropped from the end of the message. This brings us to the actual construction:

We now prove that Construction 4.5 constitutes a secure message authen-ticate code:

THEOREM 4.6 Assume that the functionF used in Construction 4.5 is a pseudorandom function. Then, Construction 4.5 is a message authentication code that is existentially unforgeable under chosen message attacks.

PROOF The intuition behind the proof is that if the random identifierris different in every signature that the adversary receives from the oracle, then a forgery must either contain a new identifier or it must somehow manipulate the blocks of a signed message. In both cases, the adversary must guess the output of the pseudorandom function at a “new point”.

LetAbe a probabilistic polynomial-time adversary and letε(·) be a function so that

Pr[Mac-forge_A,Π(n) = 1] =ε(n) (4.3)

CONSTRUCTION 4.5 Variable-length MAC.

Let F : {0,1}^∗× {0,1}^∗ → {0,1}^∗ be a function such that for every k∈ {0,1}ⁿ,Fk(·) mapsn-bit strings ton-bit strings. Define a variable-length MAC as follows:

• Gen(1ⁿ): upon input 1ⁿ, choosek← {0,1}ⁿ

• Mack(m): upon input a keyk∈ {0,1}ⁿand a messagem∈ {0,1}^∗ of length at most 2ⁿ⁴⁻¹, first parse minto dblocks m1,· · ·, md, each of lengthn/4. (In order to ensure unique encoding, the last block is padded with 10^∗.) Next, choose a random identifierr← {0,1}^n/4.

Then, fori= 1, . . . , d, computeti=Fk(rkdkikmi), whereiandd are uniquely encoded into strings of lengthn/4 and “k” denotes concatenation.^a

Finally, output the tagt= (r, t1, . . . , td).

• Vrfy_k(m, t): Upon input keyk, messagemand tagt, run the MAC-tag generation algorithm Mac except that instead of choosing a random identifier, take the identifier rthat appears int. Output 1 if and only if the tag that is received by runningMacwith this r is identical tot.

aNotice that i and d can be encoded in n/4 bits because the length of the paddedmis at most 2^n/4.

We show that this implies the existence of a polynomial-time algorithm that can distinguish the pseudorandom function from a random one with advantage at leastε(n)−negl(n) for a negligible functionnegl(·). This will then imply thatε(·) must be negligible, as required.

Consider a message authentication code Π = (e Gen,g Enc,g Dec) which is theg same as Π = (Gen,Mac,Vrfy) in Construction 4.5 except that a truly random function fn is used instead of the pseudorandom functionF. We now show that

Pr[Mac-forge_A,eΠ(n) = 1]≤negl(n) (4.4) for a negligible function negl(·). Let Q be the set of queries made by A in Mac-forge with Π and let (m, t) be its output. We analyze the probabilitye thatm /∈ Qand yettis a valid MAC tag form. Recall that our analysis here is in the case that a truly random function is used.

Lett= (r, t1, . . . , td). We have the following cases:

1. The identifierr appearing in the tagt output byA is different from all the identifiers obtained byAfrom its MAC oracle during the experiment:

This implies that the functionfn was never applied to a block of the form (r, ?, ?, ?) during Mac-forge with Π. Sincee fn is truly random, it follows that the probability thatAsucceeds in guessing any single ti is

at most 2⁻ⁿ. (It actually needs to successfully guess all the t1, . . . , td

values because the new identifier r must appear in all of the blocks.

Nevertheless, it suffices to bound its success by 2⁻ⁿ.)

2. The identifier r appearing in the tag t output by A appears in exactly one of the MAC tags obtained by A from its MAC oracle during the experiment: Denote bym⁰ the message thatAqueried to its oracle for which the replyt⁰ contained the identifier r. Sincem /∈ Q it holds that m 6= m⁰, where m is the message output by A. Let d and d⁰ be the number of blocks in the parsing ofm and m⁰, respectively. There are two subcases here:

(a) Case 1: d= d⁰. In this case, the message content of one of the blocks must be different (i.e., for someiit must hold that (mi, i)6= (m⁰_i, i)); let i denote the index of the different block. As in the previous case, this means that the random function fn was never applied to a block with content (r, d, i, mi) duringMac-forgewith Π, and soe A can succeed in guessing ti with probability at most 2⁻ⁿ.

(b) Case 2: d6=d⁰. In this case, each block in the parsed messagem is of the form (r, d, ?, ?). However, r was only used in generating the MAC form⁰ of lengthd⁰. Therefore,fn was never applied to a block of the form (r, d, ?, ?) during the experiment. (The function fn was only applied to blocks with a different r⁰ or of the form (r, d⁰, ?, ?) whered⁰6=d.) Thus,fn was never applied to the blocks appearing in the MAC forgeryt. As above, this means thatAcan succeed with probability at most 2⁻ⁿ.

3. The identifier r appearing in the tag t output by A appears in two or more of the MAC tags obtained by A from its MAC oracle during the experiment: We rule out this case by showing that two MAC tags (gen-erated legally) have the same identifier with at most negligible proba-bility. Now, the length of a random identifier isn/4. Therefore, forN messages, the probability that at least two MAC tags have the same identifier is ^N₂

·2^−n/4 = ^O₂^(Nn/4²⁾ (this calculation is based on the fact that the probability that a single pair has the same identifier is 2^−n/4 and there are ^N₂

possible pairs). SinceN=poly(n), we have that this is negligible, as required.

The above analysis covers all possible cases, and so we have thatAcan suc-ceed in Mac-forgewith Π with at most negligible probability, proving Equa-e tion (4.2).

The remainder of the proof follows by building a distinguisher, exactly as in the proof of Theorem 4.4. (The only difference is that the distinguisher carries out the parsing and then uses its oracle function.) Using the same

arguments, we have that

Prh

D^Fk(·)(1ⁿ) = 1i

−Prh

D^fn(·)(1ⁿ) = 1i≥ε(n)−negl(n) and soε(·) must be a negligible function, as required.

4.5 CBC-MAC

Theorem 4.6 above provides a simple proof that it is possible to construct message authentication codes for messages of any length, given only pseu-dorandom functions that work for a specific input/output length. Thus, for example, it demonstrates that it is possible to useblock ciphers as a basis for constructing secure MACs. The problem, however, with the construction is that in order to compute a MAC tag on a message of length`·n, it is necessary to apply the block cipher 4` times. More seriously, the size of the MAC tag is 4`n. Fortunately, it is possible to achieve far more efficient solutions.

The CBC-MAC construction is based on the CBC mode of encryption and is widely used in practice. It works in a similar way to Construction 4.3 in that the message is broken up into blocks, and a block cipher is then applied.

However, in order to compute a tag on a message of length`·n, wherenis the size of the block, the block cipher is applied ` times. Furthermore, the size of the MAC tag is only nbits (i.e., a single block). We begin by presenting the basic CBC-MAC construction. However, as will be discussed below, this basic scheme isnot secure in the general case.

CONSTRUCTION 4.7 Basic CBC-MAC.

The basic CBC-MAC construction is as follows:

• Gen(1ⁿ): upon input 1ⁿ, choose a uniformly distributed string k← {0,1}ⁿ

• Mack(m): upon input keyk∈ {0,1}ⁿ and a messagemof length

`·n, do the following:

1. Denotem=m1, . . . , m`where each mi is of lengthn, and sett0= 0ⁿ.

2. Fori= 1 to`, setti←Fk(ti−1⊕mi) where F :{0,1}^∗× {0,1}^∗→ {0,1}^∗is a function.

3. Outputt`

• Vrfy_k(m, t): upon input keyk ∈ {0,1}ⁿ, a message mof length

`·nand a tagtof lengthn, output 1 if and only ift=Mac_k(m)

See Figure ?? for a graphical depiction of Construction 4.7. The security of this construction is given in the following theorem:

THEOREM 4.8 Let`be any fixed value. IfF is a pseudorandom function such that for every k ∈ {0,1}ⁿ the function Fk maps n-bit strings to n-bit strings, then Construction 4.7 is a fixed-length MAC with length parameter

`·nthat is existentially unforgeable under a chosen-message attack.

The proof of Theorem 4.8 is very involved and is therefore omitted. We stress that Construction 4.7 is only secure when the length of the messages is fixed. Of course, the advantage of this construction over Construction 4.3 is that any length can be chosen (as long as it is fixed), and we are not limited by the input/output length of the pseudorandom function. We also remark that it is not really necessary to take the length to be a multiple ofnas long as padding is used.

CBC-MAC versus CBC encryption. There are two differences between the basic CBC-MAC and the CBC mode of encryption:

1. CBC encryption uses a random IV and this is crucial for obtaining security. In contrast, CBC-MAC uses no IV – or any fixed IV – and this is also crucial for obtaining security (i.e., a CBC-MAC with a random IV is not a secure MAC).

2. In CBC encryption all blocks are output by the encryption algorithm whereas in CBC-MAC only the last block is output. It may seem that this is a technical difference based on the fact that for encryption all blocks must be output in order to enable decryption, whereas for a MAC this is simply not necessary and so is not done. However, if all blocks are output in the MAC setting, then the result isnot a secure MAC.

In Exercise 4.4 you are asked to demonstrate attacks on a CBC-MAC that uses a random IV or one that outputs all blocks. This is a good example of the fact that harmless-looking modifications to cryptographic constructions can render them insecure. It is crucial to always implement the exact construction, and not some slight variant (unless you have a proof). Furthermore, it is crucial to understand the constructions. For example, in many cases, a cryptographic library provides a programmer with a “CBC function.” However, it does not distinguish between the use of this function for encryption or for message authentication.

Construction 4.7 and variable-length messages. Theorem 4.8 states that the basic CBC-MAC construction is only secure for fixed-length messages.

However, in the general case ofvariable-length messagesit is easy to generate a forgery for the basic CBC construction. We leave the task of finding the

actual attack as an exercise. We remark that the attack that exists does not provide much control to the adversary over the content of the forged message. Nevertheless, as we have discussed, it is crucial that cryptographic constructions be secure for all applications and we have no way of knowing that the attack described above will not harm any application. In addition, we also have no way of knowing that other, possibly more devastating, attacks do not exist. When one attack is known, this often means that many more are possible.

Secure CBC-MAC for variable-length messages. In order to obtain a secure MAC via the CBC construction for variable-length messages, Con-struction 4.7 must be modified. This can be done in a number of ways. Three possible options that have beenproven secure are:

1. Apply the pseudorandom function (block cipher) to the block length ` of the input message in order to obtain a keyk`. Then, compute the basic CBC-MAC using the keyk`and send the resulting tag along with the block length.

2. Prepend the message with its block length `, and then compute the CBC-MAC (the first block contains the number of blocks to follow). We stress that appending the message with its block length isnot secure.

3. Choose two different keysk1 ← {0,1}ⁿ and k2 ← {0,1}ⁿ. Then, com-pute the basic CBC-MAC using k1; let t1 be the result. The output MAC-tag is defined to bet=Fk2(t1).

We note that the third option has the advantage that it is not necessary to know the message length before starting to compute the MAC. Its disadvan-tage is that it requires two keys. However, at the expense of two additional applications of the pseudorandom function, it is possible to store a single key k and then derive keys k1 =Fk(1) and k2 = Fk(2) at the beginning of the computation.