25th Feb 2009FSE1 1 Fast and Secure CBC-type MACs National Institute of Standards and Technology Mridul Nandi

25th Feb 2009FSE22 Outline of the talk Introduction Broad categories of known MACs CBC-type MACs Generalization of CBC-type MACs New proposals: GCBC1 and GCBC2 Comparison and Summary

25th Feb 2009FSE3 Message Authentication Code Alice wants to send a message M. Bob should receive the same message and should know that only Alice can send the message. AliceBob M Ideal Solution: Secure without noise channel

25th Feb 2009FSE4 Message Authentication Code Alice wants to send a message M. Bob should receive the same message and should know that only Alice can send the message. AliceBob M Statistical Noise M’ Secure channel but with noise: d-error correcting code can be used if changing d-bits or more with probability almost 0. M

25th Feb 2009FSE5 AliceBob (M,T) Human Noise : Oscar (M’,T’) Secret key : K MAC K M T M’ T’’ T’’ = T’ ? Modify (M,T) s.t. T’ = MAC K (M’), more precisely,... insecure channel with human noise Message Authentication Code Role of a successful attacker: (M,T)

25th Feb 2009FSE6 Forging MAC AliceBob Oscar M 1,T 1 Secret key : K MAC K M1M1 T1T1 M1M1 Role of a successful attacker: For adaptively chosen messages M 1, M 2, …, M q, Oscar obtains their corresponding tags.

25th Feb 2009FSE7 Forging MAC AliceBob Oscar M 2,T 2 Secret key : K MAC K M2M2 T2T2 M2M2 Role of a successful attacker: For adaptively chosen messages M 1, M 2, …, M q, Oscar obtains their corresponding tags.

25th Feb 2009FSE8 Forging MAC AliceBob Oscar M q,T q Secret key : K MAC K MqMq TqTq MqMq Role of a successful attacker: For adaptively chosen messages M 1, M 2, …, M q, Oscar obtains their corresponding tags.

25th Feb 2009FSE9 Forging MAC AliceBob Oscar Secret key : K Role of a successful attacker: M,T MAC K M T For adaptively chosen messages M 1, M 2, …, M q, Oscar obtains their corresponding tags. Finally he should be able to produce a valid message tag pair (M,T). If not then good MAC.

25th Feb 2009FSE10 Distinguishing Attack Stronger security notion than forging (difficult for attackers, easier for designers). Popular in the security analysis. Oscar M1M1 T1T1 MqMq TqTq MAC K Finally, Oscar has to distinguish T = (T 1, …,T q ) from a q-tuple of random strings.

25th Feb 2009FSE11 PRF-Advnatage Definition prf-Adv MAC (O) = |Pr K [O (T) =1 | MAC K ] - Pr T [O (T) =1 | uniform T] | prf-Adv MAC (q,t,…) = max prf-Adv MAC (O), maximum over all distinguishers O which makes at most q queries, runs in time t,…, etc. O is interacting with MAC K / random function

25th Feb 2009FSE12 A small domain PRF Suppose, message size is less than 128 bits. Apply an injective padding (e.g., 10 d ) Compute T = AES K (M*), M* is the padded message PRF/forgery-security depends on the corresponding security for AES K (.) One may use any good compression function (instead of AES) with the chaining value as key

25th Feb 2009FSE13 A small domain PRF M10 d tag comp K AES K M10 d tag 128 Msg size at most 127-bits Key-size 128, 256, etc. Tag-size at most 128 Msg size at most 511-bits Key-size 256 or less Tag-size at most 256 How one can authenticate for longer and variable length messages?

25th Feb 2009FSE14 Braod Categories of MACs (arbitrary domain) Universal Hash-based: with/without Nonce Poly1305, UMAC, MMH, etc. Block cipher based Sequential (CBC-type): ECBC, XCBC, TMAC, OMAC, etc. Parallel : PMAC, XOR, DAG-based-PRF, etc. Hash function (also compression function) based HMAC, NMAC, EMD, NI, sandwich-MD, variants of cascade etc.

25th Feb 2009FSE15 (1) Universal Hash based MAC PRF-security depends on PRF-security assumption of block-cipher or keyed compression function. Usually very efficient in software Some drawbacks: Collision helps to find hash-key recovery attack and hence cheap multiple-forgery and key-recovery attack. Some constructions are nonce-based: reuse of nonce makes them insecure. Usually hash-key is large Hash-Key or Should be generated from the underlying PRF or from some PRBG.

25th Feb 2009FSE16 (2) Hash based MAC PRF-security depends on PRF-security underlying keyed compression function. Sometimes additional assumptions are required  (HMAC, KMDP require related key security, sandwich-MD requires PRF with key in message block, etc.) Serves both Hash and MAC together. Less PRF-security analysis for Keyed compression function than collision-security.

25th Feb 2009FSE17 (3) Blockcipher based MAC PRF-security depends on PRP-security of the underlying blockcipher. PRP-security of blockcipher is widely studied AES is so far good candidate for PRP Sometimes MACs come with encryption (also called authentication encryption) The talk is about this category

25th Feb 2009FSE18 CBC: Block Cipher based MAC EKEK EKEK EKEK tag M1M1 M2M2 M3M3 CBC MAC secure for prefix-free message space only. Secure for fixed length Length extension attack is valid for arbitrary domain

25th Feb 2009FSE19 CBC: Block Cipher based MAC EKEK EKEK M1M1 T 1 + M 1 CBC MAC secure for prefix-free message space only. Secure for fixed length Length extension attack is valid for arbitrary domain T1T1 T1T1

25th Feb 2009FSE20 ECBC: Encrypted CBC EKEK EKEK EKEK M1M1 M2M2 M3M3 Encrypted by same key K? Secure? EKEK tag EKEK

25th Feb 2009FSE21 ECBC: Encrypted CBC EKEK EKEK M1M1 0 Encrypted by same key K? Not secure Length extension attack… If MAC K (M 1 ) = T then MAC K (M 1 0 (T +M)) = T T EKEK T+M 1 EKEK T EKEK M1M1

25th Feb 2009FSE22 ECBC: Encrypted CBC EKEK EKEK EKEK M1M1 M2M2 M3M3 Encrypted by key L? Secure?Yes Length extension attack is not possible ELEL tag EKEK

25th Feb 2009FSE23 Block Cipher based MAC EKEK EKEK EKEK tag M1M1 M2M2 M*3M*3 1.XCBC: K, L1, L2 independent keys 2.TMAC: K, L1 independent keys, L2 = a. L1 3.OMAC: L1 = a.E K (0), L2 = a. L1 Why two keys? M * 3 can be obtained from two different messages M 3 10 d if |M 3 | < n M 3 if |M 3 | = n M * 3 = L1 / L2

25th Feb 2009FSE24 Block Cipher based MAC EKEK EKEK EKEK tag L1 / L2 M1M1 M2M2 M*3M*3 1.XCBC: K, L1, L2 independent keys 2.TMAC: K, L1 independent keys, L2 = a. L1 3.OMAC: L1 = a.E K (0), L2 = a. L1 Xor commutes each other M 3 10 d if |M 3 | < n M 3 if |M 3 | = n M * 3 = Why two keys? M * 3 can be obtained from two different messages

25th Feb 2009FSE25 Block Cipher based MAC EKEK EKEK EKEK tag M1M1 M2M2 M*3M*3 <<1 / << 2 a)Simple one/two-bit left shift operation is sufficient: GCBC1 b)Length ext attack is not valid for more than one message block c)A simple trick can handle single message blocks: GCBC2

25th Feb 2009FSE26 Block Cipher based MAC EKEK EKEK EKEK tag M1M1 M2M2 M*3M*3 <<1 / << 2 Why secure? Difficult to find collision on Final input Any changes will effect h in a random manner h Prevents extension attack

25th Feb 2009FSE27 Generalized CBC or GCBC

25th Feb 2009FSE28 Prefix-free Function  A function pad: MsgSp  ([0..t] x B) + is called prefix-free if for any distinct M and M’, pad(M) is not prefix of pad(M’).  MsgSp = {0,1}*, [0..t] = {0,1,…,t}, B = {0,1} n (message block space)  Example: pad(M) = 0 M 1 0 M 2 … d M s is prefix-free where d = 1 if no padding, otherwise d = 2.

25th Feb 2009FSE29 EKEK hh v 0 = 0 EKEK EKEK h v s-1 v1v1 u1u1 u2u2 usus vsvs d1d1 M1M1 d2d2 M2M2 dsds MsMs M = msg pad

25th Feb 2009 FSE30 Generalized CBC EKEK EKEK EKEK tag M1M1 M2M2 M3M3 d2d2 d3d3 h h 1. h(d, x) a tweak, d = 0 => identity function, d i not completely controlled by attacker 2.d-bit shift of x, xor with key (auxiliary) 3. need some properties on both pad and h pad is prefix-free and h is weakly universal. Msg d1d1 M1M1 d2d2 M2M2 d3d3 M3M3 pad d 1 =0

25th Feb 2009FSE31 Generalized CBC Generalized CBC includes CBC, XCBC, TMAC, etc. XCBC and TMAC has prefix-free padding pad(M) = 0 M 1 0 M 2 … d M s where d = 1 if no padding, o.w. d = 2. XCBC: h(1,x) = L1 + X, h(2,x) = L2 + X TMAC: h(1,x) = L1 + X, h(2,X) = a.L1 + X (a is a primitive element). GCBC1 (for more than one message blocks) has same padding rule with h(1,x) = x <<1 h(2,x) = x <<2

25th Feb 2009FSE32 Generalized CBC h is called weakly universal if the followings are true. (1)Pr [h(d,R) = c] is negligible for all d (2)Pr [h(d,R) + h(d’,R) = c] is negligible for all d,d’ (3)Pr [h(d,0) + h(d’,0) = c] is negligible, for all d,d’ appear with the first block Probability is computed over uniform distribution of R and (probably) auxiliary key (present in e.g., XCBC, TMAC, but in case of GCBC1 no auxiliary key) One can prove that simple shift or rotation function is weakly universal, i.e., h(d,x) = x <<d or x <<<d

25th Feb 2009FSE33 Generalized CBC Theorem: (GCBC main theorem) If the tweaking function h is weakly universal, pad is prefix-free and the underlying block cipher is PRP then the generalized CBC based on the padding rule pad with tweaking function h is PRF.

25th Feb 2009FSE34 M1M1 u1u1 v1v1 v0v0 EKEK M2M2 u2u2 v2v2 EKEK M3M3 u3u3 v3v3 EKEK <<1 GCBC1 Last message block M 3 is complete M1M1 u1u1 v1v1 v0v0 EKEK M2M2 u2u2 v2v2 EKEK M 3 10* u3u3 v3v3 EKEK <<2 Last message block M 3 is not complete

25th Feb 2009FSE35 GCBC2 One-block message m 1, |M 1 | < n-3  d 1 = 0, M’ 1 = M 1 10 d n-3 ≤ |M 1 | ≤ n, M 1 = x 1 y 1, |x 1 | = n-3  d 1 = 0 = d 2, M’ 1 = x 1 001, M* 2 = y 1 * EKEK M 1 10 d EKEK EKEK x y 1 10 d

36 GCBC2 M* s M’ 1 u1u1 EKEK <<d 2 v1v1 M s-1 u s-1 v s--1 EKEK usus vsvs EKEK <<  v 0 = 0 n M2M2 u2u2 EKEK v2v2 1.message M 1 || M 2, M 1 = x 1 y1  y 1 = 000  M’ 1 = x 1 *, M* 2 = M 2, d 1 = d 2 = 0  y 1 ≠ 000  M’ 1 = m 1 M* 2 = M 2 d 1 = 0, d 2 = δ 2.More-than two blocks  Y 1 = 000  d 1 = 0, m’1 = x1*, d 2 = 4, …, d s = δ  Y 1 ≠ 000  d 1 = 0, m’1 = m 1, d 2 = 3, …, d s = δ Message: M 1 M 2 … M s  is 1 or 2 depending on size of M s. Need to define M’ 1 M* s and d 2

25th Feb 2009FSE37 Comparison Study

25th Feb 2009FSE38 Mode#BCKeysKeyschsecurity CBCmk1Pf-free, σq ECBCm+12k2q2q2 XCBCmk+2n1σqσq TMACmk+n1σqσq OMACm+1 * k1σqσq GCBC1m * k1σ2σ2 GCBC2m * k1σ2σ2

25th Feb 2009FSE39 micro-sec (1-15 bytes) micro-sec (16 bytes) micro-sec (17-32 bytes) XCBC TMAC OMAC GCBC GCBC In the platform Intel(R) Pentium(R) 4 CPU 3.60 GHz, 1GB RAM AES as Block cipher

25th Feb 2009FSE40 Summary We study CBC-type MAC We view most of CBC-type in a common framework We study PRF-security of the generalized CBC We propose two new efficient constructions and compare with known constructions. Questions and Comments?