Message Authentication Codes Quiz

Questions and Answers

What are the three PPT algorithms that a message authentication code (MAC) consists of?

Gen, Mac, Vrfy

What is the output of the tag-generation algorithm Mac when it takes as input a key $k$ and a message $m$?

It outputs a tag $t$

What does the verification algorithm Vrfy output when it takes as input a key $k$, a message $m$, and a tag $t$?

It outputs a bit $b = 1$ meaning valid and $b = 0$ meaning invalid

What is the purpose of a message authentication code (MAC)?

To ensure that a message was sent by the claimed party and not modified in transit

What characteristic is not provided by encryption schemes according to the text?

Message integrity

What is the upper bound for coll(q, N)?

$4N$

What does NewBlock denote?

The event that at least one of the blocks was never previously authenticated by Mac while answering A’s queries

What is the output of the CBC-MAC for a message-tag pair (m, t)?

The tag $t_d$

When is the above construction of CBC-MAC secure for messages of length $dn$?

When $d = l(n)$ for some polynomial $l$ and $F$ is a pseudorrandom function

What is the tag length for CBC-MAC?

Equal to the message block length

What is the canonical way to perform verification for deterministic message authentication codes?

Recompute the tag and check for equality

What does the security of a MAC depend on?

No efficient adversary can succeed in forging a valid pair with non-negligible probability

What type of attacks can a secure MAC construction protect against?

Replay attacks

What does the security proof for a fixed-length MAC construction involve?

Constructing a distinguisher and showing that the construction is secure if F is a pseudorandom function

What does the Birthday Problem demonstrate in the context of message authentication codes?

The probability of collision when choosing elements from a set, and the collision probability increases significantly with the number of elements chosen

Study Notes

Message Authentication Codes and MAC Security

• The canonical way to perform verification for deterministic message authentication codes is to recompute the tag and check for equality.
• The Message Authentication Experiment involves generating a key, providing oracle access to Mack(⋅) to an adversary, and checking if the adversary can forge a valid pair (m, t).
• A MAC is considered secure if no efficient adversary can succeed in the above experiment with non-negligible probability.
• MACs that satisfy the security definition offer no protection against replay attacks, and protection must be handled by higher-level applications using techniques like sequence numbers or timestamps.
• Timing attacks exploit the time taken by the receiver to verify the tag and can be used to forge a valid tag.
• A fixed-length MAC construction for messages of length n can be achieved using a pseudorandom function F.
• The security of the fixed-length MAC construction is based on the assumption that F is pseudorandom.
• The security proof for the fixed-length MAC construction involves constructing a distinguisher D and showing that the construction is secure if F is a pseudorandom function.
• Insecure MAC constructions for arbitrary-length messages can be vulnerable to block reordering, truncation, and mix-and-match attacks.
• To prevent mix-and-match attacks, a secure MAC construction includes a random message identifier in the authentication of each block.
• A secure MAC construction involves parsing the message into blocks, choosing a random identifier, and computing the tag for each block using the pseudorandom function.
• The Birthday Problem demonstrates the probability of collision when choosing elements from a set, and the collision probability increases significantly with the number of elements chosen.