25th Feb 2009, FSE. Slide 1: Fast and Secure CBC-type MACs. Mridul Nandi, National Institute of Standards and Technology


Slide 2: Outline of the talk
- Introduction
- Broad categories of known MACs
- CBC-type MACs
- Generalization of CBC-type MACs
- New proposals: GCBC1 and GCBC2
- Comparison and Summary

Slide 3: Message Authentication Code
Alice wants to send a message M. Bob should receive the same message and should know that only Alice can have sent it.
[Figure: Alice sends M to Bob over a channel.]
Ideal solution: a secure channel without noise.

Slide 4: Message Authentication Code
Alice wants to send a message M. Bob should receive the same message and should know that only Alice can have sent it.
[Figure: Alice sends M; statistical noise on the channel; Bob receives M'.]
Secure channel but with noise: a d-error-correcting code can be used if changing d bits or more happens with probability almost 0.

Slide 5: Message Authentication Code
Insecure channel with "human noise": the attacker Oscar.
[Figure: Alice and Bob share a secret key K. Alice sends (M, T) with T = MAC_K(M); Oscar replaces it with (M', T'); Bob computes T'' = MAC_K(M') and checks whether T'' = T'.]
Role of a successful attacker: modify (M, T) into (M', T') such that T' = MAC_K(M'); more precisely, ...

Slides 6-8: Forging MAC
[Figure: Oscar sends M_1, M_2, ..., M_q to Alice's MAC_K and receives the tags T_1, T_2, ..., T_q.]
Role of a successful attacker: for adaptively chosen messages M_1, M_2, ..., M_q, Oscar obtains their corresponding tags.

Slide 9: Forging MAC
[Figure: Oscar finally outputs a pair (M, T) to Bob.]
Role of a successful attacker: for adaptively chosen messages M_1, M_2, ..., M_q, Oscar obtains their corresponding tags. Finally he should be able to produce a valid message-tag pair (M, T). If he cannot, then the MAC is good.

Slide 10: Distinguishing Attack
- A stronger security notion than forging (harder for attackers, easier for designers).
- Popular in security analysis.
[Figure: Oscar queries M_1, ..., M_q to MAC_K and receives T_1, ..., T_q.]
Finally, Oscar has to distinguish T = (T_1, ..., T_q) from a q-tuple of random strings.

Slide 11: PRF-Advantage
Definition: prf-Adv_MAC(O) = | Pr_K[O(T) = 1 | MAC_K] - Pr_T[O(T) = 1 | uniform T] |
prf-Adv_MAC(q, t, ...) = max prf-Adv_MAC(O), the maximum over all distinguishers O that make at most q queries, run in time t, etc.
O interacts with MAC_K or with a random function.

Slide 12: A small domain PRF
- Suppose the message size is less than 128 bits.
- Apply an injective padding (e.g., 10^d).
- Compute T = AES_K(M*), where M* is the padded message.
- PRF/forgery security depends on the corresponding security of AES_K(.).
- One may use any good compression function (instead of AES) with the chaining value as key.

Slide 13: A small domain PRF
[Figure: two instantiations of tag = f_K(M 10^d), one with AES_K and one with a compression function keyed by the chaining value.]
- AES_K: message size at most 127 bits; key size 128, 256, etc.; tag size at most 128.
- Compression function: message size at most 511 bits; key size 256 or less; tag size at most 256.
How can one authenticate longer and variable-length messages?

Slide 14: Broad Categories of MACs (arbitrary domain)
- Universal hash based (with/without nonce): Poly1305, UMAC, MMH, etc.
- Block cipher based:
  Sequential (CBC-type): ECBC, XCBC, TMAC, OMAC, etc.
  Parallel: PMAC, XOR, DAG-based PRF, etc.
- Hash function (also compression function) based: HMAC, NMAC, EMD, NI, sandwich-MD, variants of cascade, etc.

Slide 15: (1) Universal Hash based MAC
- PRF-security depends on the PRF-security assumption of the block cipher or keyed compression function.
- Usually very efficient in software.
- Some drawbacks:
  A collision helps to mount a hash-key recovery attack, and hence cheap multiple-forgery and key-recovery attacks.
  Some constructions are nonce-based: reuse of a nonce makes them insecure.
  Usually the hash key is large. The hash key should be generated from the underlying PRF or from some PRBG.

Slide 16: (2) Hash based MAC
- PRF-security depends on the PRF-security of the underlying keyed compression function.
- Sometimes additional assumptions are required (HMAC and KMDP require related-key security, sandwich-MD requires a PRF with the key in the message block, etc.).
- Serves as both hash and MAC together.
- There is less PRF-security analysis of keyed compression functions than collision-security analysis.

Slide 17: (3) Blockcipher based MAC
- PRF-security depends on the PRP-security of the underlying block cipher.
- PRP-security of block ciphers is widely studied; AES is so far a good candidate for a PRP.
- Sometimes MACs come with encryption (also called authenticated encryption).
- This talk is about this category.

Slide 18: CBC: Block Cipher based MAC
[Figure: M_1, M_2, M_3 chained through E_K; the last block cipher output is the tag.]
- CBC-MAC is secure for a prefix-free message space only.
- Secure for fixed length.
- The length extension attack is valid for an arbitrary domain.

Slide 19: CBC: Block Cipher based MAC
[Figure: the one-block message M_1 has tag T_1 = E_K(M_1); the two-block message M_1 || (T_1 + M_1) has the same tag T_1, because the input to the second E_K call is T_1 + T_1 + M_1 = M_1.]
- CBC-MAC is secure for a prefix-free message space only.
- Secure for fixed length.
- The length extension attack is valid for an arbitrary domain.

Slide 20: ECBC: Encrypted CBC
[Figure: the CBC output of M_1, M_2, M_3 is encrypted once more under E_K to give the tag.]
Encrypted by the same key K? Secure?

Slide 21: ECBC: Encrypted CBC
[Figure: the three-block message M_1 || 0 || (T + M_1), processed with E_K throughout, also produces the tag T.]
Encrypted by the same key K? Not secure.
Length extension attack: if MAC_K(M_1) = T then MAC_K(M_1 || 0 || (T + M_1)) = T.

Slide 22: ECBC: Encrypted CBC
[Figure: the CBC output of M_1, M_2, M_3 is encrypted under a second key, E_L, to give the tag.]
Encrypted by a second key L? Secure? Yes. The length extension attack is not possible.
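An added Python example (not from the slides) that checks the two identities of slides 19 and 21 and shows that the slide-21 identity no longer holds once the outer encryption uses a separate key L (slide 22). The block cipher is a constructed SHA-256 stand-in on 64-bit blocks, and the keys and message are constructed sample values; these are assumptions, not the talk's parameters.

```python
import hashlib

NBYTES = 8  # toy block size in bytes (AES would use 16)

def E(key: bytes, x: bytes) -> bytes:
    # Stand-in for the block cipher E_K, built from SHA-256. It is a keyed
    # function rather than a permutation; the identities below hold for any
    # deterministic E, so nothing here depends on that difference.
    return hashlib.sha256(key + x).digest()[:NBYTES]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def cbc_mac(key: bytes, msg: bytes) -> bytes:
    # Plain CBC-MAC (slide 18): v_0 = 0, v_i = E_K(v_{i-1} xor M_i), tag = v_s.
    assert len(msg) % NBYTES == 0, "full blocks only, as in the slides"
    v = bytes(NBYTES)
    for i in range(0, len(msg), NBYTES):
        v = E(key, xor(v, msg[i:i + NBYTES]))
    return v

def ecbc_mac(key: bytes, outer_key: bytes, msg: bytes) -> bytes:
    # Encrypted CBC (slides 20-22): the CBC output is encrypted once more
    # under outer_key, which is K on slide 21 and L on slide 22.
    return E(outer_key, cbc_mac(key, msg))

def cbc_extension_holds(key: bytes, m1: bytes) -> bool:
    # Slide 19: T_1 = CBC-MAC_K(M_1) is also the tag of M_1 || (T_1 xor M_1).
    t1 = cbc_mac(key, m1)
    return cbc_mac(key, m1 + xor(t1, m1)) == t1

def ecbc_same_key_extension_holds(key: bytes, m1: bytes) -> bool:
    # Slide 21: with outer key K, MAC_K(M_1 || 0^n || (T xor M_1)) = T.
    t = ecbc_mac(key, key, m1)
    return ecbc_mac(key, key, m1 + bytes(NBYTES) + xor(t, m1)) == t

def ecbc_two_key_extension_holds(key: bytes, outer_key: bytes, m1: bytes) -> bool:
    # Slide 22: the same identity, now with a separate outer key L. The second
    # CBC step yields E_K(E_K(M_1)) rather than T, so the chain is not reset
    # and the tags differ (except with negligible probability).
    t = ecbc_mac(key, outer_key, m1)
    return ecbc_mac(key, outer_key, m1 + bytes(NBYTES) + xor(t, m1)) == t
```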

Slide 23: Block Cipher based MAC
[Figure: M_1, M_2 and the last block M*_3 chained through E_K; L1 / L2 is xored into the input of the last E_K call.]
1. XCBC: K, L1, L2 independent keys.
2. TMAC: K, L1 independent keys, L2 = a.L1.
3. OMAC: L1 = a.E_K(0), L2 = a.L1.
M*_3 = M_3 10^d if |M_3| < n; M*_3 = M_3 if |M_3| = n.
Why two keys? M*_3 can be obtained from two different messages.

Slide 24: Block Cipher based MAC
[Figure: the same construction, with L1 / L2 now drawn as xored into the chaining value before M*_3 is added; since the xors commute with each other, this is the same MAC as on the previous slide.]
1. XCBC: K, L1, L2 independent keys.
2. TMAC: K, L1 independent keys, L2 = a.L1.
3. OMAC: L1 = a.E_K(0), L2 = a.L1.
M*_3 = M_3 10^d if |M_3| < n; M*_3 = M_3 if |M_3| = n.
Why two keys? M*_3 can be obtained from two different messages.

Slide 25: Block Cipher based MAC
[Figure: the key xor before the last block is replaced by a one-bit (<<1) or two-bit (<<2) left shift of the chaining value.]
a) A simple one/two-bit left shift operation is sufficient: GCBC1.
b) The length extension attack is not valid for more than one message block.
c) A simple trick can handle single message blocks: GCBC2.

Slide 26: Block Cipher based MAC
[Figure: as on slide 25; the shifted chaining value is labelled h.]
Why secure?
- It is difficult to find a collision on the final input.
- Any change will affect h in a random manner.
- This prevents the extension attack.

Slide 27: Generalized CBC or GCBC

Slide 28: Prefix-free Function
- A function pad: MsgSp -> ([0..t] x B)^+ is called prefix-free if for any distinct M and M', pad(M) is not a prefix of pad(M').
- MsgSp = {0,1}*, [0..t] = {0, 1, ..., t}, B = {0,1}^n (message block space).
- Example: pad(M) = (0, M_1)(0, M_2) ... (d, M_s) is prefix-free, where d = 1 if no padding was applied, otherwise d = 2.

Slide 29: [Figure: the generalized CBC. The message M is padded into (d_1, M_1), ..., (d_s, M_s); v_0 = 0; for each block, u_i = h(d_i, v_{i-1}) + M_i and v_i = E_K(u_i); the tag is v_s.]

Slide 30: Generalized CBC
[Figure: the padded message (d_1, M_1)(d_2, M_2)(d_3, M_3) with d_1 = 0; h is applied to the chaining value before M_2 and M_3 are xored in.]
1. h(d, x) is a tweak; d = 0 gives the identity function; d_i is not completely controlled by the attacker.
2. Examples of h: a d-bit shift of x, or xor with an (auxiliary) key.
3. Some properties are needed on both pad and h: pad is prefix-free and h is weakly universal.

Slide 31: Generalized CBC
- Generalized CBC includes CBC, XCBC, TMAC, etc.
- XCBC and TMAC have the prefix-free padding pad(M) = (0, M_1)(0, M_2) ... (d, M_s), where d = 1 if no padding, otherwise d = 2.
- XCBC: h(1, x) = L1 + x, h(2, x) = L2 + x.
- TMAC: h(1, x) = L1 + x, h(2, x) = a.L1 + x (a is a primitive element).
- GCBC1 (for more than one message block) has the same padding rule with h(1, x) = x << 1 and h(2, x) = x << 2.

Slide 32: Generalized CBC
h is called weakly universal if the following hold:
(1) Pr[h(d, R) = c] is negligible for all d.
(2) Pr[h(d, R) + h(d', R) = c] is negligible for all d, d'.
(3) Pr[h(d, 0) + h(d', 0) = c] is negligible for all d, d' that appear with the first block.
The probability is computed over the uniform distribution of R and (possibly) of the auxiliary key (present in e.g. XCBC and TMAC; GCBC1 has no auxiliary key).
One can prove that the simple shift or rotation function is weakly universal, i.e., h(d, x) = x << d or x <<< d.

Slide 33: Generalized CBC
Theorem (GCBC main theorem): If the tweaking function h is weakly universal, pad is prefix-free and the underlying block cipher is a PRP, then the generalized CBC based on the padding rule pad with tweaking function h is a PRF.

Slide 34: GCBC1
[Figure, top: the last message block M_3 is complete. v_0 = 0, u_i = v_{i-1} + M_i and v_i = E_K(u_i) for i = 1, 2; v_2 is shifted left by one bit (<<1) before M_3 is xored in, and v_3 is the tag.]
[Figure, bottom: the last message block M_3 is not complete. It is padded to M_3 10*, and v_2 is shifted left by two bits (<<2) before the padded block is xored in.]
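An added Python example (not the talk's code) that puts slides 28-34 together: the prefix-free padding, the generalized CBC loop with v_0 = 0 and u_i = h(d_i, v_{i-1}) xor M_i, and the GCBC1 tweak h(d, x) = x << d, plus an exhaustive check of weak-universality property (2) from slide 32 for the shift function on small n. The block cipher is a constructed 64-bit Feistel stand-in for AES and the block size n = 64 is an assumption; GCBC2's one-block rule is not implemented.

```python
import hashlib

N = 64                   # block size n in bits (toy; with AES, n = 128)
MASK = (1 << N) - 1

def E(key: bytes, x: int) -> int:
    # Toy block cipher standing in for AES_K: a 4-round Feistel network on
    # 64 bits with a SHA-256 round function (a permutation, as GCBC requires).
    l, r = x >> 32, x & 0xFFFFFFFF
    for i in range(4):
        f = hashlib.sha256(key + bytes([i]) + r.to_bytes(4, "big")).digest()[:4]
        l, r = r, l ^ int.from_bytes(f, "big")
    return (l << 32) | r

def pad(msg: bytes) -> list:
    # Prefix-free padding of slides 28/31: (0,M_1)...(0,M_{s-1})(d,M_s), where
    # d = 1 if the last block is complete and d = 2 if 10* padding was applied.
    nbytes = N // 8
    d = 1 if msg and len(msg) % nbytes == 0 else 2
    if d == 2:
        msg += b"\x80" + b"\x00" * ((-len(msg) - 1) % nbytes)
    blocks = [int.from_bytes(msg[i:i + nbytes], "big") for i in range(0, len(msg), nbytes)]
    return [(0, b) for b in blocks[:-1]] + [(d, blocks[-1])]

def h(d: int, x: int) -> int:
    # GCBC1 tweak: d-bit left shift, bits shifted beyond n are dropped; d = 0 is the identity.
    return (x << d) & MASK

def gcbc1(key: bytes, msg: bytes) -> int:
    # Generalized CBC of slide 29 with tweak h: v_0 = 0, u_i = h(d_i, v_{i-1}) xor M_i,
    # v_i = E_K(u_i), tag = v_s. GCBC1 is defined for messages of at least two blocks.
    blocks = pad(msg)
    if len(blocks) < 2:
        raise ValueError("one-block messages are handled by GCBC2, not implemented here")
    v = 0
    for d, m in blocks:
        v = E(key, h(d, v) ^ m)
    return v

def max_shift_collision_prob(n: int) -> float:
    # Exhaustive check of slide 32 property (2) for h(d,x) = x << d with d = 1, d' = 2:
    # the largest Pr_R[h(1,R) xor h(2,R) = c] over all c, for uniform n-bit R (small n only).
    mask = (1 << n) - 1
    counts = {}
    for r in range(1 << n):
        c = ((r << 1) ^ (r << 2)) & mask
        counts[c] = counts.get(c, 0) + 1
    return max(counts.values()) / (1 << n)
```

For n = 8 the shift map is exactly 2-to-1 on its image, so the maximum probability is 2/2^n, which is what makes the shift tweak weakly universal at n = 128.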

Slide 35: GCBC2
One-block message M_1:
- |M_1| < n-3: d_1 = 0, M'_1 = M_1 10^d.
- n-3 <= |M_1| <= n, with M_1 = x_1 y_1 and |x_1| = n-3: d_1 = 0 = d_2, M'_1 = x_1 001, M*_2 = y_1*.
[Figure: left, a single E_K call on M_1 10^d; right, two chained E_K calls, on x_1 001 and on y_1 10^d.]

Slide 36: GCBC2
[Figure: blocks M'_1, M_2, ..., M_{s-1}, M*_s chained through E_K with v_0 = 0^n; v_1 is shifted by d_2 bits before M_2 is xored in, and v_{s-1} is shifted by δ bits before M*_s.]
Message M_1 M_2 ... M_s; δ is 1 or 2 depending on the size of M_s. Need to define M'_1, M*_s and d_2.
1. Message M_1 || M_2, with M_1 = x_1 y_1:
   y_1 = 000: M'_1 = x_1*, M*_2 = M_2, d_1 = d_2 = 0.
   y_1 != 000: M'_1 = M_1, M*_2 = M_2, d_1 = 0, d_2 = δ.
2. More than two blocks:
   y_1 = 000: d_1 = 0, M'_1 = x_1*, d_2 = 4, ..., d_s = δ.
   y_1 != 000: d_1 = 0, M'_1 = M_1, d_2 = 3, ..., d_s = δ.

Slide 37: Comparison Study

Slide 38: Comparison
Mode    #BC (block cipher calls)   Keys (key size)   Keysch (key schedules)   Security
CBC     m                          k                 1                        prefix-free only, σq
ECBC    m+1                        2k                2                        q^2
XCBC    m                          k+2n              1                        σq
TMAC    m                          k+n               1                        σq
OMAC    m+1 *                      k                 1                        σq
GCBC1   m *                        k                 1                        σ^2
GCBC2   m *                        k                 1                        σ^2

Slide 39: Timing comparison
[Table: time in microseconds for messages of 1-15 bytes, 16 bytes and 17-32 bytes, with rows XCBC, TMAC, OMAC and the two GCBC proposals; the measured values did not survive in the transcript.]
Platform: Intel(R) Pentium(R) 4 CPU 3.60 GHz, 1 GB RAM, AES as block cipher.

Slide 40: Summary
- We study CBC-type MACs.
- We view most CBC-type MACs in a common framework.
- We study the PRF-security of the generalized CBC.
- We propose two new efficient constructions and compare them with known constructions.
Questions and Comments?