Cryptography Reference
In-Depth Information
Digital signatures can be used to provide nonrepudiation services, whereas MACs cannot be used for this purpose;
A digital signature can typically be verified by everybody,¹ whereas a MAC can be verified only by somebody who knows the secret key (or can perform specific attacks).
These differences are fundamental, and it must be decided for a specific application whether digital signatures or MACs better meet the security requirements.
In Definition 2.8, we said that a message authentication system consists of the following five components:
A message space $\mathcal{M}$;
An authentication tag space $\mathcal{T}$;
A key space $\mathcal{K}$;
A family $\mathcal{A} = \{A_k : k \in \mathcal{K}\}$ of authentication functions $A_k : \mathcal{M} \rightarrow \mathcal{T}$;
A family $\mathcal{V} = \{V_k : k \in \mathcal{K}\}$ of verification functions $V_k : \mathcal{M} \times \mathcal{T} \rightarrow \{\text{valid}, \text{invalid}\}$. $V_k(m, t)$ must return valid if and only if $t$ is a valid authentication tag for message $m \in \mathcal{M}$ and key $k \in \mathcal{K}$ (i.e., $t = A_k(m)$).
Furthermore, we noted that in a typical setting $\mathcal{M} = \{0, 1\}^*$, $\mathcal{T} = \{0, 1\}^{l_{tag}}$ for some fixed tag length $l_{tag}$, and $\mathcal{K} = \{0, 1\}^{l_{key}}$ for some fixed key length $l_{key}$, and that $l_{tag} = l_{key} = 128$ bits is frequently used in practice.
Informally speaking, a message authentication system is secure if an adversary has no better possibility to generate a valid MAC than to guess. To more specifically define the notion of a secure message authentication system, we must first say what types of attacks are feasible and what an adversary is required to perform in order to be successful (i.e., to break the security of the system). The following types of attacks must be distinguished:
In a known-message attack, the adversary knows one (or several) message(s) and corresponding MAC(s);
In a chosen-message attack, the adversary not only knows certain message-MAC pairs, but he or she is also able to obtain such pairs in one way or another. In fact, he or she is able to obtain the MAC(s) of one (or several) message(s) of his or her choice. Again, one must distinguish whether the adversary can adaptively choose the message(s) for which he or she is able
¹ Note that there are also digital signature systems that limit the verifiability of the signatures to specific entities. The corresponding signatures are sometimes also referred to as undeniable signatures.
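The five components of Definition 2.8 and the MAC-versus-signature distinction above can be made concrete as follows. This is an added example, not code from the book: it assumes HMAC-SHA-256 truncated to 128 bits as the authentication function (the text names no specific construction), and the function names and sample messages are constructed for illustration.

```python
import hashlib
import hmac
import secrets

L_KEY = 128  # key length l_key in bits, as in the text
L_TAG = 128  # tag length l_tag in bits, as in the text


def keygen() -> bytes:
    """Draw k uniformly from the key space K = {0,1}^l_key."""
    return secrets.token_bytes(L_KEY // 8)


def A(k: bytes, m: bytes) -> bytes:
    """Authentication function A_k: M -> T (assumed: HMAC-SHA-256, truncated)."""
    return hmac.new(k, m, hashlib.sha256).digest()[: L_TAG // 8]


def V(k: bytes, m: bytes, t: bytes) -> str:
    """Verification function V_k: M x T -> {valid, invalid}."""
    # Recompute the tag and compare in constant time, so response timing
    # does not reveal how many leading bytes of a guessed tag were correct.
    return "valid" if hmac.compare_digest(A(k, m), t) else "invalid"


def guess_success_probability(attempts: int) -> float:
    """Chance of hitting the valid tag for one message by blind guessing."""
    return min(1.0, attempts / 2 ** L_TAG)


def demo() -> dict:
    k = keygen()                                # shared by sender and verifier
    m = b"transfer 100 CHF to account 42"       # constructed sample message
    other = b"transfer 900 CHF to account 42"   # constructed sample message
    t = A(k, m)
    # Whoever can verify holds k and can therefore compute tags as well, so a
    # third party cannot tell which side produced one: no nonrepudiation.
    return {
        "genuine": V(k, m, t),
        "tampered_message": V(k, other, t),
        "wrong_key": V(keygen(), m, t),
        "verifier_made_tag": V(k, other, A(k, other)),
        "tag_bits": len(t) * 8,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```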