Fast and Secure CBC-type MACs


Fast and Secure CBC-type MACs
Mridul Nandi, National Institute of Standards and Technology
mridul.nandi@gmail.com
FSE, 25th Feb 2009

Outline of the talk
- Introduction
- Broad categories of known MACs
- CBC-type MACs
- Generalization of CBC-type MACs
- New proposals: GCBC1 and GCBC2
- Comparison and summary

Message Authentication Code
Alice wants to send a message M to Bob. Bob should receive exactly the message Alice sent, and should know that only Alice could have sent it.
Ideal case: a secure channel without noise. Then nothing further is needed.

Message Authentication Code
Secure channel, but with statistical noise: Alice sends M and Bob receives M'. If more than d bit errors occur with probability almost 0, a d-error-correcting code is enough to recover M.

Message Authentication Code
Insecure channel with "human noise": an adversary, Oscar, sits on the channel. Alice and Bob share a secret key K. Alice sends (M, T) with T = MAC_K(M); Oscar may replace it by (M', T'); Bob recomputes T'' = MAC_K(M') and accepts only if T'' = T'.
Role of a successful attacker: modify (M, T) into (M', T') such that T' = MAC_K(M'). More precisely, see the next slides.

Forging a MAC
Role of a successful attacker (Oscar), with a secret key K shared by Alice and Bob:
- For adaptively chosen messages M1, M2, …, Mq, Oscar obtains the corresponding tags T1 = MAC_K(M1), …, Tq = MAC_K(Mq); each query may depend on the answers to the previous ones.
- Finally he has to produce a valid message-tag pair (M, T) with T = MAC_K(M), where M is not one of the queried messages.
If no efficient Oscar can do this with non-negligible probability, then the MAC is good (unforgeable under chosen-message attack).

Distinguishing Attack
A stronger security notion than unforgeability: any forger can be turned into a distinguisher, so the attacker's task is easier and the designer's proof obligation is larger. Popular in security analysis.
Oscar queries M1, …, Mq to MAC_K and receives T1, …, Tq. Finally, Oscar has to distinguish T = (T1, …, Tq) from a q-tuple of uniformly random strings.

PRF-Advantage
Definition. Let O be a distinguisher that interacts either with MAC_K (K uniform) or with a uniformly random function $\rho$ of the same domain and range:
$$\mathrm{prf\text{-}Adv}_{\mathrm{MAC}}(O) = \left|\Pr_K\left[O^{\mathrm{MAC}_K} = 1\right] - \Pr_{\rho}\left[O^{\rho} = 1\right]\right|$$
$$\mathrm{prf\text{-}Adv}_{\mathrm{MAC}}(q, t, \ldots) = \max_{O} \mathrm{prf\text{-}Adv}_{\mathrm{MAC}}(O),$$
the maximum over all distinguishers O that make at most q queries, run in time at most t, etc.

A small domain PRF
Suppose the message size is less than 128 bits. Apply an injective padding (e.g. append 10^d) to obtain a full block M*, and compute T = AES_K(M*).
PRF/forgery security of this MAC reduces to the PRF security of AES_K(·) (a PRP queried few times is indistinguishable from a PRF).
One may use any good compression function instead of AES, with the chaining value playing the role of the key.

A small domain PRF (figures)
Block-cipher instance: M || 10^d (message size at most 127 bits) → AES_K → tag of at most 128 bits. Key size 128, 256, etc.
Compression-function instance: M || 10^d as the 512-bit message block (message size at most 511 bits), K (256 bits or less) as the chaining value → comp → tag of at most 256 bits.
How can one authenticate longer and variable-length messages?

Broad Categories of MACs (arbitrary domain)
- Universal-hash based, with or without nonce: Poly1305, UMAC, MMH, etc.
- Block-cipher based
  - Sequential (CBC-type): ECBC, XCBC, TMAC, OMAC, etc.
  - Parallel: PMAC, XOR-MAC, DAG-based PRF, etc.
- Hash-function (compression-function) based: HMAC, NMAC, EMD, NI, sandwich-MD, variants of the cascade, etc.

(1) Universal-hash based MAC
- PRF security depends on the PRF-security assumption on the block cipher or keyed compression function that masks the hash output.
- Usually very efficient in software.
- Some drawbacks:
  - A collision helps to recover the hash key, and hence gives cheap multiple forgeries and key recovery.
  - Some constructions are nonce-based: reuse of a nonce makes them insecure.
  - The hash key is usually large, and should be generated from the underlying PRF or from some PRBG.

(2) Hash-function based MAC
- PRF security depends on the PRF security of the underlying keyed compression function. Sometimes additional assumptions are required (HMAC and KMDP require related-key security; sandwich-MD requires a PRF with the key in the message block; etc.).
- Serves as both a hash and a MAC.
- Keyed compression functions have received less PRF-security analysis than collision-security analysis.

(3) Block-cipher based MAC
- PRF security depends on the PRP security of the underlying block cipher.
- PRP security of block ciphers is widely studied; AES is so far a good PRP candidate.
- Sometimes MACs come together with encryption (authenticated encryption).
This talk is about this category.

CBC: Block-Cipher based MAC
Chaining: v0 = 0, v_i = E_K(v_{i-1} ⊕ M_i), tag = v_s.
- CBC-MAC is secure only for a prefix-free message space; in particular it is secure for fixed-length messages.
- For an arbitrary domain a length-extension attack applies. If MAC_K(M1) = T1 for a one-block message M1, then for the two-block message M1 || (T1 ⊕ M1) the second block-cipher input is T1 ⊕ (T1 ⊕ M1) = M1, so MAC_K(M1 || (T1 ⊕ M1)) = E_K(M1) = T1. Oscar forges a valid tag without knowing K.

ECBC: Encrypted CBC
tag = E_L(CBC_K(M1 M2 M3)): the CBC output is encrypted once more.
Encrypted with the same key K? Not secure. Length-extension attack: if MAC_K(M1) = T, i.e. T = E_K(E_K(M1)), then for the three-block message M1 || 0 || (T ⊕ M1) the chaining values are E_K(M1), then E_K(E_K(M1) ⊕ 0) = T, then E_K(T ⊕ T ⊕ M1) = E_K(M1), and the final encryption gives E_K(E_K(M1)) = T again. So MAC_K(M1 || 0 || (T ⊕ M1)) = T.
Encrypted with an independent key L? Secure. The length-extension attack is not possible: the CBC value is never exposed, and the final E_L cannot be used to emulate an E_K step.
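The two forgeries on the slides above, worked through in code. This is an added example, not code from the talk or the paper. It assumes E_K is HMAC-SHA256 truncated to 16 bytes, a keyed function standing in for AES so that the example runs without a crypto library (the chaining and both forgeries do not depend on E_K being invertible); the keys and the sample message are constructed here.

```python
"""Raw CBC-MAC and ECBC with the two length-extension forgeries from the slides.

Assumption: E_K(x) = HMAC-SHA256(K, x)[:16] stands in for a 128-bit block cipher.
"""
import hashlib
import hmac
import os

N = 16  # block size in bytes (n = 128 bits)


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher E_K (assumption: truncated HMAC-SHA256)."""
    assert len(block) == N
    return hmac.new(key, block, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key: bytes, blocks: list[bytes]) -> bytes:
    """Raw CBC-MAC: v0 = 0, v_i = E_K(v_{i-1} XOR M_i), tag = v_s (no padding, no final key)."""
    v = bytes(N)
    for m in blocks:
        v = E(key, xor(v, m))
    return v


def ecbc_mac(key: bytes, final_key: bytes, blocks: list[bytes]) -> bytes:
    """ECBC: the CBC output is encrypted once more under final_key."""
    return E(final_key, cbc_mac(key, blocks))


def forge_cbc_mac(m1: bytes, t1: bytes) -> tuple[list[bytes], bytes]:
    """Slide forgery on raw CBC-MAC: tag(M1 || (T1 XOR M1)) == T1.
    Oscar needs one valid (M1, T1) pair and no key material."""
    return [m1, xor(t1, m1)], t1


def forge_same_key_ecbc(m1: bytes, t: bytes) -> tuple[list[bytes], bytes]:
    """Slide forgery on ECBC whose final key equals K: tag(M1 || 0 || (T XOR M1)) == T."""
    return [m1, bytes(N), xor(t, m1)], t


def demo() -> dict:
    key = os.urandom(N)
    ell = os.urandom(N)           # independent final key L for ECBC
    m1 = b"transfer 100 EUR"      # constructed sample message, exactly one block

    # raw CBC-MAC: the forged pair verifies
    t1 = cbc_mac(key, [m1])
    msg, tag = forge_cbc_mac(m1, t1)
    cbc_ok = cbc_mac(key, msg) == tag

    # ECBC with final key == K: the forged pair verifies
    t = ecbc_mac(key, key, [m1])
    msg2, tag2 = forge_same_key_ecbc(m1, t)
    same_key_ok = ecbc_mac(key, key, msg2) == tag2

    # ECBC with an independent final key L: the same pattern no longer verifies
    t_l = ecbc_mac(key, ell, [m1])
    msg3, tag3 = forge_same_key_ecbc(m1, t_l)
    indep_key_ok = ecbc_mac(key, ell, msg3) == tag3

    return {
        "cbc_forgery_verifies": cbc_ok,
        "same_key_ecbc_forgery_verifies": same_key_ok,
        "independent_key_ecbc_forgery_verifies": indep_key_ok,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the first two forgeries accepted and the third rejected; with an independent L the intermediate CBC value T ⊕ M1 that the forgery relies on is never visible to Oscar.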

Block-Cipher based MAC: XCBC, TMAC, OMAC
The padded last block M3* is XORed with a key L1 or L2 before the final E_K call:
- XCBC: K, L1, L2 independent keys.
- TMAC: K, L1 independent keys, L2 = a · L1.
- OMAC: L1 = a · E_K(0), L2 = a · L1 (multiplication by a primitive element a in GF(2^n)).
Why two keys? The padded last block can be obtained from two different messages:
  M3* = M3 || 10^d if |M3| < n,
  M3* = M3 if |M3| = n.
Without a key that depends on whether padding was applied, a message ending in the short block M3 and a message whose last complete block equals M3 || 10^d would produce the same final input and hence the same tag. L1 is used for a complete last block, L2 for a padded one.
Since XOR commutes, the key can equivalently be XORed into the chaining value or into the last message block.

Block-Cipher based MAC: GCBC1
Replace the key XOR by a simple one- or two-bit left shift of the chaining value before the last block (<<1 for a complete last block, <<2 for a padded one): this is GCBC1.
- The length-extension attack is not valid for messages of more than one block.
- A simple trick handles single-block messages: GCBC2.
Why secure? Any change to the message affects the chaining value h in a random (unpredictable) manner, so it is difficult to find a collision on the final block-cipher input, and the shift on the last chaining value prevents the extension attack.

Generalized CBC or GCBC

Prefix-free Function
A function pad: MsgSp → ([0..t] × B)^+ is called prefix-free if for any distinct M and M', pad(M) is not a prefix of pad(M'). Here MsgSp = {0,1}*, [0..t] = {0, 1, …, t} (the tweak indices) and B = {0,1}^n (the message block space).
Example: pad(M) = (0, M1) (0, M2) … (d, Ms) is prefix-free, where d = 1 if no padding was needed and d = 2 otherwise (Ms padded with 10^d).

Generalized CBC (figure)
M → pad → (d1, M1), (d2, M2), …, (ds, Ms)
v0 = 0; for i = 1, …, s: u_i = h(d_i, v_{i-1}) ⊕ M_i, v_i = E_K(u_i); tag = v_s.

Generalized CBC
h(d, x) is a tweak: d = 0 gives the identity function; other values may be a d-bit shift of x, or XOR with an (auxiliary) key. The d_i are fixed by pad, so they are not completely controlled by the attacker.
Some properties are needed on both pad and h: pad must be prefix-free and h must be weakly universal.

Generalized CBC: known instances
Generalized CBC includes CBC, XCBC, TMAC, etc. XCBC and TMAC use the prefix-free padding pad(M) = (0, M1) (0, M2) … (d, Ms), with d = 1 if no padding, otherwise d = 2:
- XCBC: h(1, x) = L1 ⊕ x, h(2, x) = L2 ⊕ x.
- TMAC: h(1, x) = L1 ⊕ x, h(2, x) = a · L1 ⊕ x (a is a primitive element of GF(2^n)).
- GCBC1 (for messages of more than one block) uses the same padding rule with h(1, x) = x << 1 and h(2, x) = x << 2, and no auxiliary key.

Weakly universal tweak
h is called weakly universal if the following hold:
1. Pr[h(d, R) = c] is negligible for all d and all c.
2. Pr[h(d, R) ⊕ h(d', R) = c] is negligible for all d ≠ d' and all c.
3. Pr[h(d, 0) ⊕ h(d', 0) = c] is negligible for all d ≠ d' that can appear with the first block (whose chaining input is v0 = 0).
The probability is over a uniform R and, where present, over the auxiliary key (XCBC and TMAC have one; GCBC1 has none).
One can prove that a simple shift or rotation is weakly universal, i.e. h(d, x) = x << d or h(d, x) = x <<< d.
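The claim that a shift or rotation is weakly universal can be checked exactly rather than argued, because each h(d, ·) is a GF(2)-linear map: for uniform R, Pr[f(R) = c] is either 0 or exactly 2^-rank(f), so conditions 1 and 2 reduce to rank computations. Added example, not from the talk: the names shift, rotate, gf2_rank and weak_universality_exponents are this example's own; the only assumption is that a shift drops the bits that fall off the top, as in the GCBC1 figure.

```python
"""Weak-universality check for the GCBC1 tweaks by linear algebra over GF(2).

n-bit strings are Python ints; h(d, .) and h(d, .) XOR h(d', .) are linear, so
max_c Pr_R[f(R) = c] = 2^-rank(f).  The rank is found by Gaussian elimination
on the images f(e_0), ..., f(e_{n-1}) of the unit vectors.
"""


def shift(d: int, x: int, n: int) -> int:
    """h(d, x) = x << d on n bits; the top d bits fall off (assumption from the figure)."""
    return (x << d) & ((1 << n) - 1)


def rotate(d: int, x: int, n: int) -> int:
    """h(d, x) = x <<< d, cyclic left rotation on n bits."""
    return ((x << d) | (x >> (n - d))) & ((1 << n) - 1)


def gf2_rank(f, n: int) -> int:
    """Rank of the GF(2)-linear map f: {0,1}^n -> {0,1}^n given as a function on ints."""
    rows = [f(1 << i) for i in range(n)]
    rank = 0
    for bit in reversed(range(n)):
        pivot = next((r for r in rows if (r >> bit) & 1), None)
        if pivot is None:
            continue
        rows.remove(pivot)
        rows = [r ^ pivot if (r >> bit) & 1 else r for r in rows]
        rank += 1
    return rank


def max_hit_probability(f, n: int) -> float:
    """max over c of Pr_R[f(R) = c] for a linear f and uniform n-bit R."""
    return 2.0 ** -gf2_rank(f, n)


def weak_universality_exponents(h, n: int, tweaks=(1, 2)) -> dict[str, int]:
    """-log2 of the worst-case probability for each condition:
    'h(d)'       : Pr[h(d, R) = c]               (condition 1)
    'h(d)+h(d2)' : Pr[h(d, R) XOR h(d2, R) = c]  (condition 2, d != d2)
    A value near n means negligible; 0 means the event can be certain."""
    out = {}
    for d in tweaks:
        out[f"h({d})"] = gf2_rank(lambda x: h(d, x, n), n)
    for i, d in enumerate(tweaks):
        for d2 in tweaks[i + 1:]:
            out[f"h({d})+h({d2})"] = gf2_rank(lambda x: h(d, x, n) ^ h(d2, x, n), n)
    return out


if __name__ == "__main__":
    for name, h in (("shift", shift), ("rotate", rotate)):
        print(name, weak_universality_exponents(h, 128, (0, 1, 2)))
```

For n = 128 the shift tweak gives exponents 127 for h(1), 126 for h(2) and 127 for h(1) ⊕ h(2), i.e. every probability is at most 2^-126; rotation does slightly better because it is bijective. Condition 3 is not something this check can help with: for a shift h(d, 0) = 0 for every d, which is why the first block always gets d1 = 0 and single-block messages need the separate GCBC2 rule.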

Generalized CBC: main theorem
Theorem (GCBC main theorem). If the tweaking function h is weakly universal, pad is prefix-free and the underlying block cipher is a PRP, then the generalized CBC built from the padding rule pad and the tweaking function h is a PRF.

GCBC1 (figure, three-block message, v0 = 0)
Last message block M3 complete: u1 = M1, v1 = E_K(u1); u2 = v1 ⊕ M2, v2 = E_K(u2); u3 = (v2 << 1) ⊕ M3, v3 = E_K(u3) = tag.
Last message block M3 incomplete: as above, except u3 = (v2 << 2) ⊕ (M3 || 10*).
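The generalized-CBC framework of the last few slides, instantiated as XCBC, TMAC, OMAC and GCBC1 from one `gcbc` routine, with the pad-collision that the tweak must prevent and the single-block extension forgery that is the reason GCBC1 is stated only for messages of more than one block. Added example, not the talk's or the paper's code. Assumptions: E_K is HMAC-SHA256 truncated to 16 bytes standing in for AES (a keyed function, not a PRP, so the example runs offline); blocks are 128-bit integers; a · L is doubling in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1; the empty message is treated as one padded block.

```python
"""Generalized CBC: prefix-free pad + tweak h + CBC chaining, four instances.

Assumption: E_K(x) = HMAC-SHA256(K, x)[:16] stands in for a 128-bit block cipher.
"""
import hashlib
import hmac
import os
from typing import Callable

N = 16
MASK = (1 << 128) - 1
Tweak = Callable[[int, int], int]


def E(key: bytes, x: int) -> int:
    """Stand-in block cipher E_K on 128-bit integers (assumption, see above)."""
    digest = hmac.new(key, x.to_bytes(N, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:N], "big")


def gf_double(x: int) -> int:
    """a . x for the primitive element a = x of GF(2^128)."""
    return ((x << 1) & MASK) ^ (0x87 if x >> 127 else 0)


def pad(msg: bytes) -> list[tuple[int, int]]:
    """Prefix-free padding of the slides: (0,M1) ... (0,M_{s-1}) (d,Ms), with
    d = 1 if Ms is complete and d = 2 if Ms was padded with 10*."""
    blocks = [msg[i:i + N] for i in range(0, len(msg), N)] or [b""]
    last, d = blocks[-1], 1
    if len(last) < N:
        last, d = last + b"\x80" + bytes(N - len(last) - 1), 2
    out = [(0, int.from_bytes(b, "big")) for b in blocks[:-1]]
    return out + [(d, int.from_bytes(last, "big"))]


def gcbc(key: bytes, h: Tweak, msg: bytes) -> int:
    """v0 = 0, u_i = h(d_i, v_{i-1}) XOR M_i, v_i = E_K(u_i), tag = v_s."""
    v = 0
    for d, m in pad(msg):
        v = E(key, h(d, v) ^ m)
    return v


def keyed_h(l1: int, l2: int) -> Tweak:
    """XCBC-style tweak: identity for d = 0, XOR with L1 / L2 for d = 1 / 2."""
    return lambda d, x: x if d == 0 else x ^ (l1 if d == 1 else l2)


def xcbc(key: bytes, l1: int, l2: int) -> Callable[[bytes], int]:
    return lambda m: gcbc(key, keyed_h(l1, l2), m)            # K, L1, L2 independent


def tmac(key: bytes, l1: int) -> Callable[[bytes], int]:
    return lambda m: gcbc(key, keyed_h(l1, gf_double(l1)), m)  # L2 = a.L1


def omac(key: bytes) -> Callable[[bytes], int]:
    l1 = gf_double(E(key, 0))                                  # L1 = a.E_K(0), L2 = a.L1
    return lambda m: gcbc(key, keyed_h(l1, gf_double(l1)), m)


def gcbc1_h(d: int, x: int) -> int:
    """GCBC1 tweak: plain d-bit left shift of the chaining value, no auxiliary key."""
    return (x << d) & MASK


def gcbc1(key: bytes) -> Callable[[bytes], int]:
    return lambda m: gcbc(key, gcbc1_h, m)


def shift_extension_forgery(mac: Callable[[bytes], int], prefix: bytes, x: bytes):
    """Oscar's attempt against a public shift tweak.  With T = mac(prefix) and a
    complete block X, he claims tag(prefix || ((T << 1) XOR X)) = mac(X); this
    holds exactly when the chaining value feeding the last block equals T.
    Returns (forged message, forged tag, whether it verifies)."""
    t = mac(prefix)
    block = (gcbc1_h(1, t) ^ int.from_bytes(x, "big")).to_bytes(N, "big")
    forged, tag = prefix + block, mac(x)
    return forged, tag, mac(forged) == tag


def demo() -> dict[str, bool]:
    k = os.urandom(N)
    l1, l2 = (int.from_bytes(os.urandom(N), "big") for _ in range(2))
    macs = {"XCBC": xcbc(k, l1, l2), "TMAC": tmac(k, l1),
            "OMAC": omac(k), "GCBC1": gcbc1(k)}
    m1 = b"one full block!!"                         # constructed, exactly 16 bytes
    short = m1 + b"tail"                             # last block padded (d = 2) ...
    collide = m1 + b"tail" + b"\x80" + bytes(11)     # ... same bytes as a complete block (d = 1)
    x = b"attacker block X"                          # constructed, exactly 16 bytes
    out = {}
    for name, mac in macs.items():
        out[name + ": pad collision"] = mac(short) == mac(collide)
        out[name + ": 1-block extension"] = shift_extension_forgery(mac, m1, x)[2]
        out[name + ": 2-block extension"] = shift_extension_forgery(mac, m1 + x, x)[2]
    return out


if __name__ == "__main__":
    for label, verified in demo().items():
        print(f"{label:26s} {verified}")
```

The pad collision fails for all four (the tweak index keeps M3 || 10* apart from the identical complete block). The single-block extension verifies only for GCBC1: with v0 = 0 the tag of a one-block message is E_K(M1) with no tweak applied, so Oscar knows the chaining value of M1 exactly; for the keyed variants the chaining value is hidden behind L1. Starting from a two-block query the same attempt fails for GCBC1 as well, because the chaining value inside the extended message is E_K(v1 ⊕ M2) while the known tag is E_K((v1 << 1) ⊕ M2).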

GCBC2: one-block message M1
- |M1| < n-3: d1 = 0, M'1 = M1 || 10^d; one block-cipher call on M1 || 10^d.
- n-3 ≤ |M1| ≤ n: write M1 = x1 || y1 with |x1| = n-3; then d1 = 0 = d2, M'1 = x1 || 001, M*2 = y1* (y1 padded with 10^d); two chained block-cipher calls, on x1 || 001 and on y1 || 10^d.

GCBC2: message M1 M2 … Ms
δ is 1 or 2 depending on the size of Ms (as in GCBC1). Chaining (figure): v0 = 0, u1 = M'1, v1 = E_K(u1), u2 = (v1 << d2) ⊕ M2, v2 = E_K(u2), …, us = (v_{s-1} << δ) ⊕ M*s, vs = E_K(us) = tag.
Need to define M'1, M*s and d2. Write M1 = x1 || y1 with |y1| = 3.
Two-block message M1 || M2:
- y1 = 000: M'1 = x1*, M*2 = M2, d1 = d2 = 0.
- y1 ≠ 000: M'1 = M1, M*2 = M2, d1 = 0, d2 = δ.
More than two blocks:
- y1 = 000: d1 = 0, M'1 = x1*, d2 = 4, …, ds = δ.
- y1 ≠ 000: d1 = 0, M'1 = M1, d2 = 3, …, ds = δ.

Comparison Study

Mode    #BC    Keys    Keysch    Security
CBC     m      k       1         prefix-free only, σq
ECBC    m+1    2k      2         q²
XCBC           k+2n              σq
TMAC           k+n
OMAC    m+1            *
GCBC1   m              *         σ²
GCBC2

m = number of message blocks, k = key size of the block cipher, n = block size; #BC = block-cipher calls per message, Keysch = key schedules. The security column is the numerator of the PRF bound over 2^n, with q the number of queries and σ the total number of queried blocks. Blank cells were left blank on the slide (they repeat the entry above them).

Timing in microseconds per MAC, by message length, with AES as the block cipher, on an Intel(R) Pentium(R) 4 CPU 3.60 GHz with 1 GB RAM:

Mode     1-15 bytes    16 bytes    17-32 bytes
XCBC     43.7                      78.46
TMAC     43.98         44.05       78.80
OMAC     78.72                     113.80
GCBC1    77.9          77.92       77.95
GCBC2    43.58         78.26       78.37

Summary
- We study CBC-type MACs.
- We view most CBC-type MACs in a common framework (generalized CBC).
- We study the PRF security of the generalized CBC.
- We propose two new efficient constructions, GCBC1 and GCBC2, and compare them with known constructions.
Questions and Comments?