1 of 17

Lecture 4: Message Authentication Codes (I)

2 of 17

Recall hash functions

  •  

 

 

 

 

don’t need to

trust this channel

 

3 of 17

  • What if you don’t have a trusted broadcast channel??

  • Have to have some other trusted setup
    • Otherwise whatever honest party can do, adversary can also do (impersonate an honest party)

  • Lesson: Cannot do authentication without any trusted setup
  • Setup for MACs: shared secret key between honest parties

 

 

accept

4 of 17

  •  

 

 

 

 

 

0: reject

1: accept

 

5 of 17

  •  

 

 

 

 

 

0: reject

1: accept

 

6 of 17

  •  

 

 

 

 

 

0: reject

1: accept

 

7 of 17

MAC security

  • Want to prevent:

  • (If this happens then adversary wins)
  • Security property: unforgeability (adversary cannot “forge” a tag s.t. verification outputs 1)

 

 

 

 

 

 

8 of 17

MAC security definition: first attempt

  •  

 

 

 

 

 

 

9 of 17

MAC security definition: first attempt

  •  

 

 

 

 

 

 

10 of 17

Oracles

  •  

11 of 17

MAC security definition

  •  

12 of 17

Example of an Insecure MAC Scheme

13 of 17

Exclusive or (XOR)

  •  

0

0

0

0

1

1

1

0

1

1

1

0

14 of 17

Properties of XOR

  •  

15 of 17

Insecure MAC scheme

  •  

16 of 17

  •  

17 of 17

  • DO NOT FORGET TO CHECK SECOND CONDITION (ADVERSARY’S OUTPUT MESSAGE WAS NOT QUERIED)