attack and the question arises whether such an attack should be regarded as a break
of the system. It is clear that these attacks are dangerous and should not be allowed
in real life; for example, a message such as the one in the last section ordering the
transfer of an amount of money to Eve's account could be replayed by Eve with the
effect of increasing the amount of money that she would receive. But it is also clear
that a MAC by itself does not have the capability to protect against such attacks since
the definition does not include any notion of state in the verification algorithm. This
problem can be solved by making the verification algorithm stateful or by letting a
higher-level application deal with it. Bearing this in mind, we shall not consider a
replay attack as a break of the system and the security definition we are going to give
will not include protection against such attacks.
The security definition for MACs will be based on the protection against forgeries
under an adaptive chosen message attack in which the adversary not only obtains
valid pairs $(m, t)$ but is allowed to choose the messages $m$ in such pairs. Allowing the
adversary to mount this kind of attack may seem too generous but there are situations
in which such attacks are realistic and, as in the case of encryption, if anything it is
best to err on the side of caution and allow the adversary more power than it might
have in practice.

As in the case of security for encryption schemes, we start by defining an experiment
for a MAC $\mathcal{I} = (\mathsf{Gen}, \mathsf{Mac}, \mathsf{Ver})$, an adversary (i.e., PPT algorithm) $\mathcal{A}$, and
a positive integer $n$ for the security parameter:
Definition 5.2 The authentication unforgeability experiment under an adaptive
chosen message attack $\mathrm{Mac}^{\mathrm{uf\text{-}cma}}_{\mathcal{A},\mathcal{I}}(n)$ is the following:
1. A key $k$ is generated by running $\mathsf{Gen}(1^n)$.
2. The adversary $\mathcal{A}$ is given input $1^n$ and oracle access to $\mathsf{Mac}(k, \cdot)$. $\mathcal{A}$ asks a set of
queries $Q$ (where each query is a message) to the oracle and outputs a message/tag
pair $(m, t)$.
3. The output of the experiment is defined to be 1 if and only if the following two
conditions hold:
a. $\mathsf{Ver}(k, m, t) = 1$
b. $m \notin Q$.
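As an added illustration (not code from the book), the experiment of Definition 5.2 written out in runnable Python, with HMAC-SHA256 standing in for a generic MAC; it also includes the stateful variant of $\mathsf{Ver}$ mentioned above as one way to handle replay. All function names, the oracle class and the sample messages are constructed for this example.

```python
import hashlib
import hmac
import os

def gen(n=32):
    """Gen(1^n): sample a random n-byte key."""
    return os.urandom(n)

def mac(k, m):
    """Mac(k, m): tag a message; HMAC-SHA256 stands in for a generic MAC."""
    return hmac.new(k, m, hashlib.sha256).digest()

def ver(k, m, t):
    """Ver(k, m, t) = 1 iff t is a valid tag for m (constant-time compare)."""
    return hmac.compare_digest(mac(k, m), t)

class MacOracle:
    """Mac(k, .) oracle: answers tag queries and records the query set Q."""
    def __init__(self, k):
        self._k, self.queries = k, set()
    def __call__(self, m):
        self.queries.add(m)
        return mac(self._k, m)

def uf_cma_experiment(adversary, n=32):
    """Mac^{uf-cma}_{A,I}(n): 1 iff Ver(k, m, t) = 1 and m was never queried."""
    k = gen(n)
    oracle = MacOracle(k)
    m, t = adversary(oracle)
    return 1 if ver(k, m, t) and m not in oracle.queries else 0

def replay_adversary(oracle):
    """Re-submits a queried pair: the tag verifies, but m is in Q, so output 0."""
    m = b"transfer 10 EUR to Eve"  # constructed sample message
    return m, oracle(m)

def guessing_adversary(oracle):
    """Outputs a fresh message with a random tag: m not in Q, but Ver fails."""
    return b"transfer 1000 EUR to Eve", os.urandom(32)

class StatefulVerifier:
    """Ver made stateful: a (m, t) pair that verified once is rejected afterwards."""
    def __init__(self, k):
        self._k, self._seen = k, set()
    def verify(self, m, t):
        if not ver(self._k, m, t) or (m, t) in self._seen:
            return False
        self._seen.add((m, t))
        return True
```

The plain experiment outputs 0 for the replaying adversary only because $m \in Q$; it is the stateful verifier, not the MAC, that rejects the second presentation of a valid pair.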
Now, the definition of security formalizes the fact that the adversary cannot succeed
in the previous experiment with non-negligible probability:
Definition 5.3 A message authentication code $\mathcal{I} = (\mathsf{Gen}, \mathsf{Mac}, \mathsf{Ver})$ is existentially
unforgeable under an adaptive chosen-message attack (UF-CMA secure or just CMA
secure, for short) if, for every PPT adversary $\mathcal{A}$, there exists a negligible function
$\mathrm{negl}$ such that:
$$\Pr\left(\mathrm{Mac}^{\mathrm{uf\text{-}cma}}_{\mathcal{A},\mathcal{I}}(n) = 1\right) \le \mathrm{negl}(n).$$
Remark 5.1 The advantage of $\mathcal{A}$ in the CMA authentication unforgeability experiment
may be defined as the quantity
$$\mathrm{Adv}^{\mathrm{uf\text{-}cma}}_{\mathcal{A},\mathcal{I}}(n) = \Pr\left(\mathrm{Mac}^{\mathrm{uf\text{-}cma}}_{\mathcal{A},\mathcal{I}}(n) = 1\right)$$
and