Message Authentication and Hash Functions

The document discusses message authentication codes (MACs) and how they can be constructed from pairwise independent functions, block ciphers, and hash functions. It outlines constructions of MACs from pairwise independent functions and block ciphers. It also discusses how hash functions work and how they can be used to construct MACs.

Uploaded by Ajmal Salim

Modern Cryptography
www.dziembowski.net/Studenti/BISS09

Lecture 3: Message Authentication and Hash Functions

Stefan Dziembowski, University of Rome La Sapienza

BiSS 2009, Bertinoro International Spring School, 2-6 March 2009
Plan
1. Introduction to message authentication codes (MACs).
2. Constructions of MACs:
   1. from pairwise independent functions
   2. from block ciphers
3. Hash functions
   1. a definition
   2. constructions
   3. the birthday attack
   4. concrete functions
   5. a construction of MACs from hash functions
   6. the random oracle model
Message Authentication

Integrity: an adversary (Eve) interferes with the transmission between Alice and Bob (modifies the message, or inserts a new one).
How can Bob be sure that M really comes from Alice?
Sometimes: more important than secrecy!

Example: Alice sends "transfer 1000 $ to Bob" to the Bank; on the way Eve changes it into "transfer 1000 $ to Eve".

Of course: usually we want both secrecy and integrity.
Does encryption guarantee message integrity?

Idea:
1. Alice encrypts m and sends c=Enc(k,m) to Bob.
2. Bob computes Dec(k,c), and if it makes sense accepts it.

Intuition: only Alice knows k, so nobody else can produce a valid ciphertext.

It does not work!

Example: one-time pad. The plaintext "transfer 1000 $ to Bob" is encrypted as C = plaintext xor K. Eve xors C with ("transfer 1000 $ to Bob" xor "transfer 1000 $ to Eve"); she never learns K, yet Bob decrypts "transfer 1000 $ to Eve".
Message authentication

Alice computes t=Tag_k(m) and sends (m, t=Tag_k(m)) to Bob; Bob verifies if t=Tag_k(m). Both know the key k.

Eve can see (m, t=Tag_k(m)).
She should not be able to compute a valid tag t' on any other message m'.
Message authentication: multiple messages

Alice sends (m1, t1=Tag_k(m1)), (m2, t2=Tag_k(m2)), ..., (mw, tw=Tag_k(mw)) to Bob. Both know the key k.

Eve should not be able to compute a valid tag t' on any other message m'.
Message Authentication Codes: the idea

Alice sends (m, t=Tag_k(m)) for m ∈ {0,1}*; Bob computes Vrfy_k(m,t) ∈ {yes,no}. Both know the key k.

k is chosen randomly from some set K (the key space).
A mathematical view

K - key space
M - plaintext space
T - set of tags

A MAC scheme is a pair (Tag, Vrfy), where
Tag : K × M → T is a tagging algorithm,
Vrfy : K × M × T → {yes, no} is a verification algorithm.

We will sometimes write Tag_k(m) and Vrfy_k(m,t) instead of Tag(k,m) and Vrfy(k,m,t).

Correctness
It should always hold that: Vrfy_k(m, Tag_k(m)) = yes.

Conventions
If Vrfy_k(m,t) = yes then we say that t is a valid tag on the message m.

If Tag is deterministic, then Vrfy just computes Tag and compares the result. In this case we do not need to define Vrfy explicitly.
How to define security?

We need to specify:
1. how the messages m1,...,mw are chosen,
2. what is the goal of the adversary.

Good tradition: be as pessimistic as possible!

Therefore we assume that
1. The adversary is allowed to choose m1,...,mw.
2. The goal of the adversary is to produce a valid tag on some m such that m ∉ {m1,...,mw}.

The game: given the security parameter 1^n, the oracle selects a random k ∈ {0,1}^n. The adversary sends m1 and receives (m1, t1=Tag_k(m1)), ..., sends mw and receives (mw, tw=Tag_k(mw)).

We say that the adversary breaks the MAC scheme if at the end she outputs (m,t) such that Vrfy_k(m,t) = yes and m ∉ {m1,...,mw}.

The security definition
We say that (Tag,Vrfy) is secure if for every polynomial-time adversary A: P(A breaks it) is negligible (in n).
Aren't we too paranoid?

Maybe it would be enough to require that the adversary succeeds only if he forges a message that makes sense (e.g.: forging a message that consists of random noise should not count).

Bad idea:
hard to define,
application-dependent.
Warning: MACs do not offer protection against replay attacks.

The pair (m, t) that Alice sent once can be re-sent to Bob again and again: (m,t), (m,t), (m,t), ... Since Vrfy has no state (or memory) there is no way to detect that (m,t) is not fresh!

This problem has to be solved by the higher-level application (methods: time-stamping, sequence numbers...).
Authentication and Encryption

Usually we want to authenticate and encrypt at the same time.

What is the right way to do it? There are several options:

Encrypt-and-authenticate: wrong
  c ← Enc_k1(m) and t ← Mac_k2(m)
Authenticate-then-encrypt: better
  t ← Mac_k2(m) and c ← Enc_k1(m||t)
Encrypt-then-authenticate: the best
  c ← Enc_k1(m) and t ← Mac_k2(c)

By the way: never use the same key for Enc and Mac: k1 and k2 have to be independent!
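An added example (not from the lecture) that runs the one-time-pad tampering from the "Does encryption guarantee message integrity?" slide and then shows the encrypt-then-authenticate option rejecting the same tampering. HMAC-SHA256 stands in for Mac (an assumption; the slides only say "Mac"), and k1, k2 are independent keys as the slide demands; all sample values are constructed here.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(k: bytes, m: bytes) -> bytes:
    """One-time pad: Enc and Dec are the same xor."""
    assert len(k) == len(m)
    return xor(k, m)


def tamper(c: bytes, old: bytes, new: bytes) -> bytes:
    """Eve's move from the slide: C xor old xor new = K xor new, so Bob
    decrypts `new` although Eve never learns K."""
    assert len(old) == len(new)
    return xor(c, xor(old, new))


def demo_otp_is_malleable() -> bytes:
    original = b"transfer 1000 $ to Bob"
    k = secrets.token_bytes(len(original))
    c = otp_encrypt(k, original)
    c_forged = tamper(c, original, b"transfer 1000 $ to Eve")
    return otp_encrypt(k, c_forged)   # what Bob decrypts: "...to Eve"


# Encrypt-then-authenticate: c <- Enc_k1(m), t <- Mac_k2(c).
# Bob checks the tag on c before he looks at the plaintext at all.
def etm_send(k1: bytes, k2: bytes, m: bytes) -> Tuple[bytes, bytes]:
    c = otp_encrypt(k1, m)
    t = hmac.new(k2, c, hashlib.sha256).digest()
    return c, t


def etm_receive(k1: bytes, k2: bytes, c: bytes, t: bytes) -> Optional[bytes]:
    expected = hmac.new(k2, c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, t):   # constant-time comparison
        return None                            # invalid tag: reject
    return otp_encrypt(k1, c)


def demo_etm_detects_tampering() -> Tuple[Optional[bytes], Optional[bytes]]:
    original = b"transfer 1000 $ to Bob"
    k1 = secrets.token_bytes(len(original))   # Enc key
    k2 = secrets.token_bytes(32)              # independent Mac key
    c, t = etm_send(k1, k2, original)
    honest = etm_receive(k1, k2, c, t)
    c_forged = tamper(c, original, b"transfer 1000 $ to Eve")
    forged = etm_receive(k1, k2, c_forged, t)  # same t no longer matches
    return honest, forged
```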
Constructing a MAC

1. There exist MACs that are secure even if the adversary is infinitely powerful. These constructions are not practical.
2. MACs can be constructed from block ciphers. We will now discuss two constructions:
   simple (and not practical),
   a little bit more complicated (and practical): CBC-MAC.
3. MACs can also be constructed from hash functions (NMAC, HMAC).
Plan (next: 2.1 constructions of MACs from pairwise independent functions)
Information-theoretically secure MACs

We now show a construction of information-theoretically secure MACs, i.e. MACs that are secure against an infinitely-powerful adversary.

Our construction will be secure only if the key is never reused (like in the one-time pad encryption...).
Observation

Alice sends (m, t=Tag_k(m)) to Bob. Eve can see (m, t=Tag_k(m)). She should not be able to compute a valid tag t' on any other message m'.

It is enough that any pair of variables in the set {T_m}_{m ∈ M}, where T_m := Tag_K(m), is independent.

This is called a set of pairwise independent variables.
Pairwise independence

A set {T_m}_{m ∈ M} of variables is pairwise independent if for every m0 ≠ m1 the variables T_m0 and T_m1 are independent.

This is not the same as saying that the variables {T_m}_{m ∈ M} are (mutually) independent.
Idea: Linear function over Z_p (where p is a large prime)

K = Z_p × Z_p
M = Z_p
T = Z_p
(for example p = 2^107 - 1)

Tag((a,b), m) = am + b mod p

Intuition: the tags lie on the line a·x + b; seeing its value at m0 reveals nothing about its value at m1 ≠ m0.
Lemma. Let (A,B) be distributed uniformly over Z_p × Z_p. Then for every distinct m0 and m1 the following variables are independent:
(A·m0 + B) and (A·m1 + B).

Proof. Clearly, each of those variables is distributed uniformly over Z_p and hence for every x, y we have
P(A·m0 + B = x) · P(A·m1 + B = y) = 1/p · 1/p = 1/p^2.

Therefore it suffices to show that
P(A·m0 + B = x and A·m1 + B = y) = 1/p^2.

This is equivalent to the fact that the following system of linear equations (over Z_p) has exactly one solution (where a and b are the unknowns):
  a·m0 + b = x
  a·m1 + b = y

Clearly if m0 ≠ m1 then
  det [ m0 1 ; m1 1 ] = m0 - m1 ≠ 0.

Thus we are done.
Can we reuse the same key many times?

After seeing two values:
Tag(k,m0) = A·m0 + B
Tag(k,m1) = A·m1 + B
(for m0 ≠ m1) the adversary can compute (A,B) by solving a system of linear equations.

It can be shown that in general the length of the key has to be proportional to the total length of the authenticated messages.
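An added example (not from the lecture) of the one-time MAC Tag((a,b), m) = am + b mod p with the slide's p = 2^107 - 1. It checks the lemma by exhaustive enumeration for a tiny prime (exactly one key is consistent with any two tags on distinct messages) and carries out the key recovery from the "Can we reuse the same key many times?" slide, which is why the key must be used once only. All sample values are constructed.

```python
import secrets
from typing import Tuple

P = 2**107 - 1   # the prime suggested on the slide


def keygen(p: int = P) -> Tuple[int, int]:
    """k = (a, b) uniform in Z_p x Z_p."""
    return secrets.randbelow(p), secrets.randbelow(p)


def tag(k: Tuple[int, int], m: int, p: int = P) -> int:
    a, b = k
    return (a * m + b) % p


def vrfy(k: Tuple[int, int], m: int, t: int, p: int = P) -> bool:
    """Tag is deterministic, so Vrfy just recomputes and compares."""
    return tag(k, m, p) == t


def count_consistent_keys(p: int, m0: int, t0: int, m1: int, t1: int) -> int:
    """Brute-force check of the lemma for a tiny prime: for m0 != m1 exactly one
    key (a,b) in Z_p x Z_p gives tag t0 on m0 and tag t1 on m1, whatever t1 is.
    So one tag reveals nothing about the tag of any other message."""
    return sum(1 for a in range(p) for b in range(p)
               if (a * m0 + b) % p == t0 and (a * m1 + b) % p == t1)


def recover_key(m0: int, t0: int, m1: int, t1: int, p: int = P) -> Tuple[int, int]:
    """Solve a*m0 + b = t0, a*m1 + b = t1 over Z_p (needs m0 != m1): the
    attack on the slide, once the same key has tagged two messages."""
    assert m0 % p != m1 % p
    a = (t0 - t1) * pow(m0 - m1, -1, p) % p
    b = (t0 - a * m0) % p
    return a, b


def demo() -> Tuple[bool, bool]:
    k = keygen()
    m0, m1 = 12345, 67890              # two messages tagged under one key
    t0, t1 = tag(k, m0), tag(k, m1)
    k_rec = recover_key(m0, t0, m1, t1)
    m2 = 4242                          # any further message can now be forged
    return k_rec == k, vrfy(k, m2, tag(k_rec, m2))
```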
How to authenticate more messages with one short key k?

Simple idea: for every new message mi generate pseudorandomly a new key ki for the one-time MAC.

PRG G: k → k1, k2, k3, ...
Tag(k1,m1), Tag(k2,m2), Tag(k3,m3), ...

This can be proven secure!

A new member of Minicrypt

one-way functions exist ⇒ cryptographic PRGs exist (this we already knew) ⇒ computationally-secure MACs exist (this we have just proven). That computationally-secure MACs in turn imply one-way functions can also be proven.
Plan (next: 2.2 constructions of MACs from block ciphers)
A simple construction from a block cipher

Let F : {0,1}^n × {0,1}^n → {0,1}^n, (k,m) ↦ F(k,m), be a block cipher.

We can now define a MAC scheme that works only for messages m ∈ {0,1}^n as follows:
Mac(k,m) = F(k,m)

It can be proven that it is a secure MAC.

How to generalize it to longer messages?
Idea 1
Divide the message into blocks m1,...,md and authenticate each block separately:
Tag_k(m) = (F(k,m1), ..., F(k,md)).

This doesn't work!
What goes wrong?

Take a message m with tag t = Tag_k(m). Let perm be a permutation of the blocks and set m' = perm(m), t' = perm(t).
Then t' is a valid tag on m'.
Idea 2
Add a counter to each block: xi = (i || mi), Tag_k(m) = (F(k,x1), ..., F(k,xd)).

This doesn't work either!

What goes wrong?

Take m with tag t = Tag_k(m). Set m' = a prefix of m and t' = the corresponding prefix of t.
Then t' is a valid tag on m'.
Idea 3
Add l := |m| to each block: xi = (l || i || mi), Tag_k(m) = (F(k,x1), ..., F(k,xd)).

This doesn't work either!

What goes wrong?

Take two messages m, m' of the same length with tags t = Tag_k(m), t' = Tag_k(m'). Set
m'' = first half of m || second half of m',
t'' = first half of t || second half of t'.
Then t'' is a valid tag on m''.
Idea 4
Add a fresh random value r to each block: xi = (r || l || i || mi), Tag_k(m) = (r, F(k,x1), ..., F(k,xd)).

This works!

Tag_k(m) in detail:
r is chosen randomly,
n is the block length, l = |m|,
m is padded with zeroes if needed and divided into blocks m1, m2, ..., md with |mi| = n/4,
xi = r || l || i || mi (each of r, l, i, mi occupies n/4 bits),
Tag_k(m) = (r, F(k,x1), F(k,x2), ..., F(k,xd)).
This construction can be proven secure

Theorem
Assuming that F : {0,1}^n × {0,1}^n → {0,1}^n is a pseudorandom permutation, the construction from the previous slide is a secure MAC.

Proof idea:
Suppose it is not a secure MAC. Let A be an adversary that breaks it with a non-negligible probability. We construct a distinguisher D that distinguishes F from a random permutation.
This construction is not practical

Problem: the tag is 4 times longer than the message...

We can do much better!
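An added example (not from the lecture) implementing Idea 4 with n = 128 bits, so that r, l, i and mi each take 32 bits, and checking that the three manipulations that broke Ideas 1-3 (permuting, truncating, splicing) are rejected, while the tag is indeed about 4 times longer than the message. A PRF built from SHA-256 stands in for the block cipher F (an assumption; the proof only needs F_k to be pseudorandom); all sample values are constructed.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

N = 16            # block length n = 128 bits
FIELD = N // 4    # each of r, l, i, m_i takes n/4 bits = 4 bytes


def F(k: bytes, x: bytes) -> bytes:
    """Stand-in for the block cipher F_k (assumption: SHA-256 based PRF)."""
    assert len(x) == N
    return hashlib.sha256(k + x).digest()[:N]


def split(m: bytes) -> List[bytes]:
    """Pad with zeroes if needed and cut into blocks m_1..m_d of n/4 bits."""
    padded = m + b"\x00" * (-len(m) % FIELD)
    if not padded:                      # the empty message still gets one block
        padded = b"\x00" * FIELD
    return [padded[i:i + FIELD] for i in range(0, len(padded), FIELD)]


def tag(k: bytes, m: bytes, r: Optional[bytes] = None) -> bytes:
    """Tag_k(m) = (r, F(k,x_1), ..., F(k,x_d)) with x_i = r || l || i || m_i."""
    if r is None:
        r = secrets.token_bytes(FIELD)          # fresh randomness for every tag
    l = (len(m) * 8).to_bytes(FIELD, "big")     # l := |m| in bits
    parts = [r]
    for i, mi in enumerate(split(m), start=1):
        parts.append(F(k, r + l + i.to_bytes(FIELD, "big") + mi))
    return b"".join(parts)


def vrfy(k: bytes, m: bytes, t: bytes) -> bool:
    """Recompute the tag with the r carried in t; compare in constant time."""
    return hmac.compare_digest(tag(k, m, t[:FIELD]), t)


def demo() -> dict:
    k = secrets.token_bytes(N)
    m = bytes(range(64))                # constructed 64-byte message: d = 16 blocks
    m2 = bytes(range(64, 128))
    t, t2 = tag(k, m), tag(k, m2)
    # Idea 1 attack: permute blocks of m and of t alike
    permuted_m = m[FIELD:] + m[:FIELD]
    permuted_t = t[:FIELD] + t[FIELD + N:] + t[FIELD:FIELD + N]
    # Idea 3 attack: first half from (m, t), second half from (m2, t2)
    spliced_m = m[:32] + m2[32:]
    spliced_t = t[:FIELD + 8 * N] + t2[FIELD + 8 * N:]
    return {
        "honest": vrfy(k, m, t),
        "tag_bytes_per_message_byte": len(t) // len(m),   # 4, plus the r prefix
        "permute": vrfy(k, permuted_m, permuted_t),       # counter i binds position
        "truncate": vrfy(k, m[:32], t[:FIELD + 8 * N]),   # l binds the length
        "splice": vrfy(k, spliced_m, spliced_t),          # r binds blocks to one tag
    }
```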
CBC-MAC

F : {0,1}^n × {0,1}^n → {0,1}^n - a block cipher.

Pad m with zeroes if needed and divide it into blocks m1, m2, m3, ..., md. Prepend a block encoding |m| and chain the blocks through F_k:
z0 = F_k(|m|), zi = F_k(z(i-1) xor mi) for i = 1, ..., d, Tag_k(m) = zd.

Other variants exist!
Why is prepending |m| needed?

Suppose we do not prepend |m|...

The adversary chooses two one-block messages m1 and m2 and obtains t1 = Tag_k(m1) = F_k(m1) and t2 = Tag_k(m2) = F_k(m2).

Now she can compute a tag on the two-block message m = m1 || (m2 xor t1): Tag_k(m) = F_k(F_k(m1) xor m2 xor t1) = F_k(m2) = t2.
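An added example (not from the lecture) of CBC-MAC with the slide's length block, run against the two-block manipulation just described: without the length block the derived tag verifies, with it the same trick is rejected. A PRF built from SHA-256 stands in for the block cipher F (an assumption); all sample values are constructed.

```python
import hashlib
import hmac
import secrets
from typing import List, Tuple

N = 16   # block length in bytes


def F(k: bytes, x: bytes) -> bytes:
    """Stand-in for the block cipher F_k (assumption: SHA-256 based PRF)."""
    assert len(x) == N
    return hashlib.sha256(k + x).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split(m: bytes) -> List[bytes]:
    padded = m + b"\x00" * (-len(m) % N)        # pad with zeroes if needed
    return [padded[i:i + N] for i in range(0, len(padded), N)]


def raw_cbc_mac(k: bytes, m: bytes) -> bytes:
    """CBC chain with no length block: secure for fixed-length messages only."""
    z = bytes(N)
    for mi in split(m):
        z = F(k, xor(z, mi))
    return z


def cbc_mac(k: bytes, m: bytes) -> bytes:
    """The slide's CBC-MAC: a block encoding |m| goes through F_k first."""
    return raw_cbc_mac(k, len(m).to_bytes(N, "big") + m)


def vrfy(k: bytes, m: bytes, t: bytes) -> bool:
    return hmac.compare_digest(cbc_mac(k, m), t)


def demo() -> Tuple[bool, bool]:
    """From tags on one-block m1, m2 derive a tag on m = m1 || (m2 xor t1):
    accepted without the length block, rejected with it."""
    k = secrets.token_bytes(N)
    m1, m2 = b"A" * N, b"B" * N                # constructed one-block messages
    t1, t2 = raw_cbc_mac(k, m1), raw_cbc_mac(k, m2)
    without_length = raw_cbc_mac(k, m1 + xor(m2, t1)) == t2
    t1l, t2l = cbc_mac(k, m1), cbc_mac(k, m2)
    with_length = vrfy(k, m1 + xor(m2, t1l), t2l)
    return without_length, with_length
```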
Some practitioners don't like the CBC-MAC

"We don't want to authenticate using block ciphers!"
"What do you want to use instead?"
"Hash functions!"
"Why?"
"Because:
1. they are more efficient,
2. they are not protected by the export regulations."
Plan (next: 3.1 hash functions, a definition)
Another idea for authenticating long messages

Tag_k(m) = F_k(h(m)), where F is a block cipher (with key k) and h is a hash function that maps the long m to a short h(m).

By the way: a similar method is used in public-key cryptography (it is called hash-and-sign).
How to formalize it?

We need to define what a hash function is. The basic property that we require is: collision resistance.

Collision-resistant hash functions

A hash function H : {0,1}* → {0,1}^L maps a long m to a short H(m).

Collision resistance. Requirement: it should be hard to find a pair (m,m') (a collision) such that H(m) = H(m').
Collisions always exist

Since the domain is larger than the range, collisions have to exist.
Hash functions are a bit similar to error-correcting codes

Difference between hash functions and error-correcting codes:
error-correcting codes are secure against random errors,
collision-resistant hash functions are secure against intentional errors.

A bit like: pseudorandom generators vs. cryptographic pseudorandom generators.
Practical definition

H is a collision-resistant hash function if it is practically impossible to find collisions in H.

Popular hash functions:
MD5 (now considered broken)
SHA1
...
How to formally define collision resistance?

Idea
Say something like: H is a collision-resistant hash function if for every efficient adversary A: P(A finds a collision in H) is small.

Problem
For a fixed H there always exists a constant-time algorithm that finds a collision in H (one with a collision hard-wired into it). It may be hard to find such an algorithm, but it

Solution
When we prove theorems we will always consider families of hash functions indexed by a key s: {H_s}_{s ∈ keys}.
Informal description: the parties know H and run a protocol using H.

Formal model: s is chosen randomly, the parties receive s and run the protocol using H_s.

Real-life implementation (example): the parties know SHA1 and run the protocol using SHA1.
Hash functions: the functional definition

A hash function is a probabilistic polynomial-time algorithm H such that: it takes as input a key s ∈ {0,1}^n and a message x ∈ {0,1}* and outputs a string H_s(x) ∈ {0,1}^L(n), where L(n) is some fixed function.
Hash functions: the security definition [1/2]

On input 1^n, a random s ∈ {0,1}^n is selected and given to the adversary A, who outputs (m,m').
We say that adversary A breaks the function H if m ≠ m' and H_s(m) = H_s(m').

Hash functions: the security definition [2/2]

H is a collision-resistant hash function if for every polynomial-time adversary A: P(A breaks H) is negligible.
How to formalize our idea?

Tag_k(m) = F_k(h(m)): a block cipher F (with key k) applied to the hash h(m) of the long message m.

Authentication scheme, formally

A key for the MAC is a pair (s,k): s is a key for the hash function H, k is a key for the PRF F.

Tag((k,s),m) = F_k(H_s(m))

Theorem. If H and F are secure then Tag is secure.

It can be proven as follows. Suppose we have an adversary that breaks Tag. Then we can construct a distinguisher for F or an adversary for H; each of them works by simulating the adversary that breaks Tag.
Do collision-resistant hash functions belong to Minicrypt?

collision-resistant hash functions exist ⇒ one-way functions exist: easy exercise.
one-way functions exist ⇒ collision-resistant hash functions exist: ? open problem.

[D. Simon: Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions? 1998]: there is no black-box reduction.
Plan (next: 3.2 hash functions, constructions)
A common method for constructing hash functions

1. Construct a fixed-input-length collision-resistant hash function h : {0,1}^2L → {0,1}^L (input m of length 2L, output h(m) of length L). Call it: a collision-resistant compression function.
2. Use it to construct a hash function.
An idea

Let t := |m|. Pad m with zeroes if needed and divide it into blocks m1, m2, ..., mB with mi ∈ {0,1}^L. Then iterate h starting from an IV (which can be arbitrary):
z1 = IV, z(i+1) = h(zi || mi), H(m) = z(B+1).

This doesn't work...

Why is it wrong?
If we set m' = m || 0000 then H(m') = H(m).

Solution: add a block encoding t:
m1 m2 ... mB mB+1 := t
Merkle-Damgård transform

Given h : {0,1}^2L → {0,1}^L we construct H : {0,1}* → {0,1}^L.

Let t := |m| (t doesn't need to be known in advance: nice!). Pad m with zeroes if needed, divide it into blocks m1, m2, ..., mB with mi ∈ {0,1}^L and append mB+1 := t.
Then z1 = IV, z(i+1) = h(zi || mi) for i = 1, ..., B+1, and H(m) = z(B+2).
This construction is secure

We would like to prove the following:

Theorem
If h : {0,1}^2L → {0,1}^L is a collision-resistant compression function then H : {0,1}* → {0,1}^L is a collision-resistant hash function.

But wait. It doesn't make sense (collision resistance was defined for families of functions, not for a single fixed function).
We need to consider hash function families

Suppose (gen,h) is a collision-resistant hash function such that for every s ∈ {0,1}^n we have h_s : {0,1}^2L(n) → {0,1}^L(n) (input of length 2L(n), output h(m) of length L(n)).

We now show how to transform such an h into a hash function H. How?
1. The key s is the same in H as in h.
2. Use the same construction as before.
Merkle-Damgård transform (keyed version)

Given h_s : {0,1}^2L(n) → {0,1}^L(n) we construct H_s : {0,1}* → {0,1}^L(n):
pad m with zeroes if needed, divide it into blocks m1, m2, ..., mB with mi ∈ {0,1}^L(n), append mB+1 := t = |m|, and iterate h_s starting from IV as before to obtain H_s(m).
This construction is secure

Theorem
If h is a collision-resistant hash function then H is a collision-resistant hash function.

Proof
Suppose A is a polynomial-time adversary that breaks H with a non-negligible probability.
We construct a polynomial-time adversary a that breaks h with a non-negligible probability.

Given s ∈ {0,1}^n, a breaks h_s by simulating A: A outputs (m,m'), a collision in H_s, and now a should output a collision (x,y) in h_s.
How to compute a collision (x,y) in h from a collision (m,m') in H?

We consider two options:
1. |m| = |m'|
2. |m| ≠ |m'|
Option 1: |m| = |m'|

Both messages are padded with zeroes and divided into the same number of blocks: m1, m2, ..., mB, mB+1 := t and m'1, m'2, ..., m'B, m'B+1 := t.

Some notation: for m let z1 = IV and z(i+1) = h(zi || mi), so that H(m) = z(B+2). For m' define z'1 = IV and z'(i+1) = h(z'i || m'i) in the same way, so that H(m') = z'(B+2).

Compare the two chains from the top down:
z(B+2) = H(m) and z'(B+2) = H(m'): equal;
(mB+1, zB+1) and (m'B+1, z'B+1);
(mB, zB) and (m'B, z'B);
...
(m2, z2) and (m'2, z'2);
(m1, z1 = IV) and (m'1, z'1 = IV): not equal in general, since m ≠ m'.

Let i* be the least i such that (mj, zj) = (m'j, z'j) for all j ≥ i. Because m ≠ m', some pair of blocks differs, so such an i* exists and i* > 1.

So, we have found a collision!
z(i*) = z'(i*) (equal), but (m(i*-1), z(i*-1)) ≠ (m'(i*-1), z'(i*-1)) (not equal), i.e.
h(z(i*-1) || m(i*-1)) = z(i*) = z'(i*) = h(z'(i*-1) || m'(i*-1)) with different inputs.
Option 2: |m| ≠ |m'|

H(m) = H(m') (equal), and H(m) = h(zB+1 || mB+1), H(m') = h(z'B'+1 || m'B'+1). The last block encodes the length of the message, so mB+1 = |m| and m'B'+1 = |m'| cannot be equal: the two inputs to h differ.

So, again we have found a collision!
Finalizing the proof

So, if A breaks H with probability ε(n), then a breaks h with probability ε(n).
If A runs in polynomial time, then a also runs in polynomial time.
QED
Plan (next: 3.3 the birthday attack)
Generic attacks on hash functions

Remember the brute-force attacks on encryption schemes? For hash functions we can do something slightly smarter... It is called a birthday attack.
The birthday paradox

Suppose we have a random function H : A → B. Take n values x1,...,xn. Let p(n) be the probability that there exist distinct i,j such that H(xi) = H(xj).
If n > |B| then trivially p(n) = 1.

Question: How large does n need to be to get p(n) = 1/2?
Answer: n ≈ √|B|.

More precisely we have: n(n-1)/(4|B|) ≤ p(n) ≤ n^2/(2|B|).
Why is it called a birthday paradox?

Set: H : people → birthdays.

Q: How many random people do you need to take so that with probability 0.5 at least 2 of them have their birthday on the same day?

A: 23 is enough!

Counterintuitive...
How does the birthday attack work?

For a hash function H : {0,1}* → {0,1}^L: take a random subset X of {0,1}^2L such that |X| = 2^(L/2).
With probability around 0.5 there exist x,x' ∈ X such that H(x) = H(x').
A pair (x,x') can be found in time O(|X| log |X|) and space O(|X|).

Moral: L has to be such that an attack that needs 2^(L/2) steps is infeasible.
Plan (next: 3.4 concrete functions)
Concrete functions

MD5, SHA-1, SHA-256, ... all use (variants of) the Merkle-Damgård transformation.

Hash functions can also be constructed using number theory.
MD5 (Message-Digest Algorithm 5)

output length: 128 bits,
designed by Rivest in 1991,
in 1996, Dobbertin found collisions in the compression function of MD5,
in 2004 a group of Chinese mathematicians designed a method for finding collisions in MD5,
there exists a tool that finds collisions in MD5 at a speed of 1 collision / minute (on a laptop computer).

Is MD5 completely broken?

The attack would be practical if the colliding documents made sense...

In 2005 A. Lenstra, X. Wang, and B. de Weger found X.509 certificates with different public keys and the same MD5 hash.
SHA-1 (Secure Hash Algorithm)

output length: 160 bits,
designed in 1993 by the NSA,
in 2005 Xiaoyun Wang, Andrew Yao and Frances Yao presented an attack that runs in time 2^63.
Still rather secure, but new hash algorithms are needed!

The US National Institute of Standards and Technology is currently running a competition for a new hash algorithm.
Plan (next: 3.5 a construction of MACs from hash functions)
What does the industry say about the hash-and-authenticate method?

"The block cipher is still there... Why don't we just hash the message together with a key: MAC_k(m) = H(k || m)?"

It's not secure!
Suppose H was constructed using the MD-transform.

Then MAC_k(m) = H(k || m) is the final value of the chain that starts from IV and absorbs the blocks k, m and t (the block encoding the length). The adversary can see this value. She can fabricate MAC_k(m || t): it is h(MAC_k(m) || (t+L)), i.e. the same chain continued by one more block, the new length t+L, and computing it does not require k.
A better idea

M. Bellare, R. Canetti, and H. Krawczyk (1996): NMAC (Nested MAC) and HMAC (Hash based MAC) have some provable properties. They both use the Merkle-Damgård transform.

Again, let h : {0,1}^2L → {0,1}^L be a compression function.
NMAC

Pad m with zeroes if needed, divide it into blocks m1, ..., mB and append mB+1 := |m|. Run the Merkle-Damgård chain of h over these blocks with k1 in place of the IV, obtaining an L-bit value; then apply h once more, with k2 in place of the IV, to that value:
NMAC_(k1,k2)(m) = h(k2 || MD_h^(k1)(m)).
What can be proven

Suppose that
1. h is collision-resistant,
2. the following function is a secure MAC: MAC_k2(m) = h(k2 || m).
Then NMAC is a secure MAC.

Looks better, but
1. our libraries do not permit changing the IV,
2. the key is too long: (k1,k2).

HMAC is the solution!
HMAC

ipad = 0x36 repeated, opad = 0x5C repeated.

Inner hash: run the Merkle-Damgård chain of h from IV over the blocks (k xor ipad), m1, ..., mB+1 := |m|.
Outer hash: run the chain from IV over (k xor opad) followed by the inner result; the output is HMAC_k(m).
HMAC: the properties

Looks complicated, but it is very easy to implement (given an implementation of H):
HMAC_k(m) = H((k xor opad) || H((k xor ipad) || m))

It has some provable properties (slightly weaker than NMAC). We like it!

Widely used in practice.
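An added example (not from the lecture) that implements HMAC-SHA-256 directly from the formula above and checks it against the standard library's hmac module and an RFC 4231 test vector. One detail the slide leaves out is how k is brought to the compression function's block size (64 bytes for SHA-256): keys longer than that are hashed first and shorter ones are zero-padded, as RFC 2104 specifies; the sample key and message are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

BLOCK = 64   # SHA-256 block size: k is hashed if longer, zero-padded if shorter


def hmac_sha256(k: bytes, m: bytes) -> bytes:
    """HMAC_k(m) = H((k xor opad) || H((k xor ipad) || m)) with H = SHA-256."""
    if len(k) > BLOCK:
        k = hashlib.sha256(k).digest()
    k = k.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in k)   # 0x36 repeated, xored into the key
    opad = bytes(b ^ 0x5C for b in k)   # 0x5C repeated, xored into the key
    inner = hashlib.sha256(ipad + m).digest()
    return hashlib.sha256(opad + inner).digest()


def vrfy(k: bytes, m: bytes, t: bytes) -> bool:
    """Tag is deterministic, so Vrfy recomputes it; compare in constant time."""
    return hmac.compare_digest(hmac_sha256(k, m), t)


def matches_stdlib(k: bytes, m: bytes) -> bool:
    return hmac_sha256(k, m) == hmac.new(k, m, hashlib.sha256).digest()


def rfc4231_test_case_1() -> bytes:
    """Key = 0x0b repeated 20 times, data = "Hi There"."""
    return hmac_sha256(b"\x0b" * 20, b"Hi There")


def demo() -> Tuple[bool, bool, bool, bool]:
    k = secrets.token_bytes(32)
    m = b"transfer 1000 $ to Bob"
    t = hmac_sha256(k, m)
    flipped = t[:-1] + bytes([t[-1] ^ 1])
    return (matches_stdlib(k, m),        # agrees with the library
            vrfy(k, m, t),               # valid tag accepted
            vrfy(k, m + b"!", t),        # appended data rejected
            vrfy(k, m, flipped))         # one-bit tag change rejected
```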


Plan (next: 3.6 the random oracle model)
Other uses of hash functions

Hash functions are used by practitioners to convert non-uniform randomness into uniform randomness.

Example: a hash function H : {0,1}* → {0,1}^L applied to user-generated randomness X (key strokes, mouse movements, etc.) gives a shorter, uniformly random H(X).

How to formalize it?
Random oracle model
[Bellare, Rogaway, Random Oracles are Practical: A Paradigm for Designing Efficient Protocols, 1993]

Idea: model the hash function H : {0,1}* → {0,1}^L as a random oracle: a completely random function, which the parties query on x to obtain H(x).

Remember the pseudorandom functions? There too a random function F : {0,1}^m → {0,1}^m was queried on x to obtain F(x).

Crucial difference: here also the adversary can query the oracle.
Informal description: the parties know H and run a protocol using H.

Formal model: every call to H : {0,1}* → {0,1}^L is replaced with a query to the oracle. Also the adversary is allowed to query the oracle.
How would we use it in the proof?

Take the example above: a hash function H : {0,1}* → {0,1}^L turns user-generated randomness X into the shorter, uniformly random H(X).

As long as the adversary never queried the oracle on X, the value H(X) looks completely random to him.
Criticism of the Random Oracle Model
[Canetti, Goldreich, Halevi: The random oracle methodology, revisited. 1998]

There exists a signature scheme that is secure in ROM but is not secure if the random oracle is replaced with any real hash function.

This example is very artificial. No realistic example of this type is known.
Terminology

Model without random oracles: plain model, or cryptographic model.

Random Oracle Model is also called: the Random Oracle Heuristic.

Common view: a ROM proof is better than nothing.
Let us look again at the plan of the course

plan of the course:
                 encryption                     authentication
private key      1. private key encryption      2. private key authentication
public key       3. public key encryption       4. signatures
                 5. advanced cryptographic protocols
Outlook

cryptography:
information-theoretic, unconditional: one time pad, quantum cryptography, ...
computational: based on 2 simultaneous assumptions:
  1. some problems are computationally difficult,
  2. our understanding of what computational difficulty means is correct.
Symmetric cryptography

symmetric cryptography: encryption, authentication.

Basic information-theoretic tools:
xor (one-time pad)
two-wise independent functions

Basic tools from computational cryptography:
one-way functions
pseudorandom generators
pseudorandom functions/permutations
hash functions
A method for proving security: reductions

Minicrypt (assuming P ≠ NP): one-way functions, pseudorandom generators, pseudorandom functions/permutations, computationally-secure encryption, computationally-secure authentication. Hash functions sit outside this picture (see the open problem above).

In general the picture is much more complicated!
Plan for the next lectures

plan of the course:
                 encryption                     authentication
private key      1. private key encryption      2. private key authentication
public key       3. public key encryption       4. signatures        <- we will now go here
                 5. advanced cryptographic protocols

But first we need to have some number theory brush-up.
© 2009 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.