Simple Message Authentication Codes

December 30 2024 Home | Cryptography by Hand | Prev | Next ·

Now that we know what message authentication codes (MACs) are, we'll start with a MAC that's easy to do by hand and provides moderate assurance. It's based on an algorithm called Encrypt-Last-Block Cipher Block Chaining MAC (ECBC-MAC).

• Simple Message Authentication Keys
• Creating Keys
• Signing Encrypted Messages
• Verifying Encrypted Messages
• Why These MACs Work

# Simple Message Authentication Keys

You need two copies of a MAC key: One copy for you and one for your partner. The key has one or more random permutations of the digits 0 to 9 (that is, the digits 0 to 9 shuffled). Here is an example with three permutations:

MAC Key

p1: 0 8 4 2 3 1 5 7 9 6
p2: 9 8 2 5 4 6 1 0 7 3
p3: 4 7 8 3 1 0 6 2 9 5

Additionally, you must create p random digits for every message you intend to sign with your MAC key, where p is the number of permutations the MAC key has. If you encrypt messages using the one-time pad, you can conveniently write these groups of p digits on the bottoms and backs of your one-time pad encryption keys. For ease, label the p digits z₁, z₂, and so on to z_p. For example, if your MAC key has three permutations, the bottom or back of a one-time pad encryption key might contain:

z1: 4
z2: 0
z3: 7

Another one-time pad encryption key might contain:

z1: 6
z2: 2
z3: 2

Different one-time pad encryption keys MUST have their own random z numbers.

The probability that a message is genuine depends on how many permutations its MAC key has. If an attacker changes a single message digit:

If the attacker changes multiple message digits:

# Creating Keys

MAC keys contain random permutations of the digits 0 to 9, inclusive. There are two easy ways to create such permutations: poker cards and 10-sided dice. Either way, you'll also need a piece of paper and a pen or pencil.

To create a random permutation with a deck of poker cards:

1. Thoroughly shuffle the cards.
2. Draw a card. If it's a jack, queen, or king, ignore it and repeat this step.
3. If the card is an ace, treat it like a 1. If it is a 10, treat it like a 0. Treat 2 through 9 as 2 to 9. Suits are irrelevant.
4. If your permutation already has the digit that the drawn card represents, ignore the card. Otherwise, append the digit to the permutation.
5. Go back to step (2) until you complete the permutation.

For example, drawing these cards:

1. jack
2. 4
3. 10
4. 8
5. 4
6. queen
7. queen
8. 3
9. ace
10. 7
11. 9
12. king
13. 6
14. 2
15. 2
16. 5

creates the permutation 4 0 8 3 1 7 9 6 2 5.

To create a random permutation with a 10-sided die:

1. List 0 to 9 in order: 0 1 2 3 4 5 6 7 8 9
2. Do this until only one uncrossed number remains in the list:
   1. Roll the 10-sided die until it shows a number that has not been crossed out yet.
   2. Cross the number the die shows out from the list and append it to the permutation.
3. Append the last uncrossed number to the permutation.

For example, your sheet of paper starts out looking like this:

0 1 2 3 4 5 6 7 8 9

If your first roll of the die shows 4, you would cross 4 out and append it to the permutation:

0 1 2 3 - 5 6 7 8 9
4

If the next die roll shows 0, you would cross 0 out and append it to the permutation:

- 1 2 3 - 5 6 7 8 9
4 0

If the next die roll shows 4, you would roll again because 4 is already crossed out. If the re-roll shows 8, you would cross 8 out and append it to the permutation:

- 1 2 3 - 5 6 7 - 9
4 0 8

And so on. The final permutation might look like 4 0 8 3 1 7 9 6 2 5.

There are ways to speed this process up. You could use other means, such as picking numbered balls out of a basket. Whichever method you use, every permutation must be equally likely.

# Signing Encrypted Messages

Once you and your partner have a MAC key, sign (add a MAC to) a message thus:

1. Encrypt your message as usual.
2. Get scratch paper or the paper you used to encrypt the message if there is sufficient space.
3. For each permutation p in the MAC key:
   1. Write "0" on the scratch paper. Call this zero m.
   2. Look at your encrypted message's digits first to last. For each digit d:
      1. Calculate m + d modulo 10 (if the sum is greater than or equal to 10, subtract 10). Call the result v.
      2. Set m to the vth digit in the permutation p, where v = 0 refers to the permutation's first digit, v = 1 refers to the second, and so on. Write the new value of m on the scratch paper.
   3. Find z_p on the encryption key. Calculate m + z_p modulo 10 (if the sum is greater than or equal to 10, subtract 10). The result is the pth digit of the message's MAC.
4. Include the p-digit MAC with your encrypted message. Clearly separate it from the rest of the message so your partner will know it's the MAC.
5. Start a fire!
   1. Burn the scratch paper.
   2. If your encryption key is a one-time pad key, burn it, too.
   3. If you haven't already, burn the z numbers you used to sign the message (see step 3.3).
   4. Keep your MAC key for future use.

For example, suppose you encrypt a message using the one-time pad. The resulting message is:

21956 85864 91266 53163 62122

(This message includes the encryption key's ID, 21956.)

Suppose your MAC key is:

MAC Key

p1: 0 8 4 2 3 1 5 7 9 6
p2: 9 8 2 5 4 6 1 0 7 3
p3: 4 7 8 3 1 0 6 2 9 5

Suppose further that the encryption key you used contains these z numbers:

z1: 4
z2: 0
z3: 7

To ease step 3, copy the encrypted message (plus the key ID) to your scratch paper, but leave space underneath it for your signing calculations.

The MAC key has three permutations, so we'll do step 3 three times, once for each permutation. For the first permuatation (p = 1), we start by writing 0 on the scratch paper underneath and just to the left of the encrypted message:

 21956 85864 91266 53163 62122
0

For step 3.2, read the encrypted message's digits from left to right (first to last). The first is 2:

 21956 85864 91266 53163 62122
0

so for step 3.2.1, calculate 0 + 2 modulo 10. The result is 2, so find the permutation's 3rd digit. (Remember, the permutation's digits start at index 0, so 2 means the 3rd digit.) The permutation's 3rd digit is 4, so write it underneath the 2 in the encrypted message:

 21956 85864 91266 53163 62122
04

The encrypted message's next digit is 1. 4 + 1 modulo 10 is 5, so find the permutation's 6th digit, which is 1. Write it underneath the 1 in the encrypted message:

 21956 85864 91266 53163 62122
041

The encrypted message's next digit is 9. 1 + 9 modulo 10 is 0, so find the permutation's 1st digit, which is 0. Write it underneath the 9 in the encrypted message:

 21956 85864 91266 53163 62122
0410

Repeat this process (step 3.2) until you go through all of the encrypted message's digits. Your scratch paper should look like this:

 21956 85864 91266 53163 62122
041017 15292 86917 47913 69045

Notice that the final result is 5. For step 3.3, find z₁ on the encryption key, which is 4, and add it to the final result 5, modulo 10, which is 9. Thus 9 is the first digit of the message's MAC:

 21956 85864 91266 53163 62122
041017 15292 86917 47913 69045 9

We've only used the first permutation. Repeat step 3 for the second and third permutations. Your scratch paper should look like this:

 21956 85864 91266 53163 62122
041017 15292 86917 47913 69045 9
025433 85582 83627 26014 98367 7
085168 67064 31357 87903 52308 5

The encrypted message's MAC is 975. Include it with the message, but clearly separate it so your partner knows it's the MAC:

21956 85864 91266 53163 62122
MAC 975

Then burn the scratch paper and encryption key.

# Verifying Encrypted Messages

When you receive a signed encrypted message, verify it thus:

1. Separate the message's MAC from the rest of the message.
2. Get a piece of scratch paper and calculate the message's MAC. This is the same procedure your partner used.
3. Compare the MAC you calculated with the one that came with the message:
   • If they are equal, the message is probably authentic: Decrypt it as usual.
   • If they differ, then either:
     1. Your partner calculated an incorrect MAC.
     2. You calculated an incorrect MAC.
     3. The message was garbled in transmission.
     4. Someone altered the message in transit.
     You can recalculate the MAC to check your math. If it still differs, do not trust the message. If you and your partner use one-time pads, burn the message's encryption key.

# Why These MACs Work

Encrypt-Last-Block Cipher Block Chaining MAC (ECBC-MAC), which underpins this MAC procedure, is provably secure even when attackers have infinite time and resources. I won't show proofs here because they're complicated, but if you're curious, read these papers:

1. "The Security of the Cipher Block Chaining Message Authentication Code" by Mihir Bellare, Joe Kilian, and Philip Rogaway (published online September 8 2000)
2. "A short proof of the unpredictability of cipher block chaining" by Daniel J. Bernstein (published January 9 2005)

According to the papers, when considering a single permutation in the MAC key, attackers have an advantage of 3q²m²/2^l+1 over simply guessing the permutation, where:

• q is the number of oracle queries the attacker can make
• m is the number of digits in the signed message; and
• l is the number of digits in the MAC (given that this is a single permutation, l is 1).

(m and l are actually bits instead of digits, but this is irrelevant for our purposes.)

An oracle query is security-speak for tricking you into calculating and revealing a MAC for a message of the attacker's choice. If attackers see multiple MACs produced by the same MAC key, they might gather clues about the key's contents, giving them tremendous advantage over purely guessing.

However, short of capturing you, attackers cannot make oracle queries for your MAC key. True, you use the same key for multiple messages, but you encrypt each message's MAC with its own random z numbers (a one-time pad key, which you never reuse). Therefore, q = 0, which means attackers must either guess the key's permutations (absurdly unlikely) or fake MACs when they alter your messages (doable, but still hard). Either way, it's pure guesswork.

If an attacker alters a message, he must correctly guess the new message's MAC to deceive the receiver. His chances depend on how he alters the message:

• If he alters one digit in the encrypted message, every digit in the MAC will change. The MAC has p digits, so the probability he correctly guesses the new MAC is (1/9)^p in this case.
• If he alters two or more digits in the encrypted message, each MAC digit might change, but it might not. Although altering a single message digit changes the whole MAC, altering another message digit might change any MAC digit back to its original value. The attacker can't know whether a MAC digit will change because he doesn't have the MAC key: Every digit value is equally likely in his eyes. Therefore, the probability he correctly guesses the new MAC is (1/10)^p in this case.

Each set of z numbers is a one-time pad key for a MAC. Even if you use the same MAC key for identical messages, each message gets its own z numbers, which produce different MACs. Attackers cannot determine the values that the z numbers encrypt, so you can sign as many messages as you want with the same MAC key.