New Bounds for PMAC, TMAC, and XCBC Kazuhiko Minematsu and Toshiyasu Matsushima, NEC Corp. and Waseda University Fast Software Encryption 2007, March 26-28,

New Bounds for PMAC, TMAC, and XCBC Kazuhiko Minematsu and Toshiyasu Matsushima, NEC Corp. and Waseda University Fast Software Encryption 2007, March 26-28, Luxembourg City, Luxembourg

1 Introduction
 Message authentication code (MAC) from block ciphers (BCs)
 “BC-only” modes: no special function other than a block cipher. Ex.: Encrypted CBC-MAC (EMAC)

2 Security notion of MACs
 Advantage in distinguishing the MAC from the (keyed) random oracle (RO), using CPA (chosen-plaintext queries)
 A small advantage implies a small MAC forgery probability
 Note: we only consider information-theoretic security, but our results have simple computational counterparts
 Notation: number of queries; max. message length (in n-bit blocks); total number of queried blocks. A bound in the total can contain the other parameters (but not vice versa)

3 Related works on EMAC
 Previous EMAC security bound [BR00], when EMAC is implemented w/ two n-bit uniform random permutations (URPs):
 Diagram: EMAC w/ two URPs
 Room for improvement?

4 Related works on EMAC (contd.)
 Bellare, Pietrzak, and Rogaway [BPR05]: a bound containing a function that grows very slowly with the max. message length
 Note: Pietrzak [P06] obtained a tighter bound for a range of parameters (much smaller than )
 If , the bound is roughly

5 Our contribution
 New security bounds for
   PMAC (a parallelizable MAC)
   TMAC and XCBC (successors of EMAC)
 Old: or
 New: for PMAC, and for TMAC & XCBC
   Compared w/ the first old bound: from quadratic to (almost) linear degradation wrt the max. message length
   Compared w/ the second old bound: better in most (but not all) cases

6 Analysis of PMAC

7 PMAC (Black-Rogaway [BR02], Rogaway [R04])
 Hashing with mask-encrypt-sum (PHASH)
 Still BC-only: the masks are generated w/ a few bitshifts and XORs
 Diagram: PMAC ([R04] version w/ 128-bit block size), with the PHASH input marked

8 Overview of old proof [R04]
 “Perfect” PMAC, using independent URPs, as an intermediate function
 Use the triangle inequality (diagram: PMAC / Perfect PMAC / RO)
 Old bound: (also, as )

9 Overview of new proof
 A different intermediate function: the modified PMAC (MPMAC)
 MPMAC = PHASH + independent finalization (diagram: PMAC / MPMAC / RO)

10 MPMAC vs. Random Oracle
 What we need is a (stronger form of the) differential probability of PHASH
 Diagram: one quantity is used for MPMAC vs. RO, the other for PMAC vs. MPMAC

11 Diff. probability of PHASH
 A subset of input blocks may generate the same URP input
 An odd (even) collision involves an odd (even) number of input blocks
 Let the event denote odd collisions with non-zero URP inputs
 Then this is the critical event, as it implies the sum = 0 or w/ prob. 1 (as )
 Diagram: even collision vs. odd collision

12 Diff. probability of PHASH (contd.)
 Lemma 2: the probability of the critical event is at most:
 Given that the critical event does not occur, the PHASH sum is almost uniform (its point probability is bounded) for any input
 From Lemma 2, the advantage between MPMAC and RO is:

13 PMAC vs. MPMAC
 Four “good” events, defined as: the sets of URP inputs in PHASH and in the finalization (+ dummy mask for MPMAC) have no intersection
 Using Maurer's method [M02], the advantage is at most the max. prob. of the “bad” events in MPMAC, denoted by:

14 New bound for PMAC
 Theorem 2: a careful analysis using Lemma 2 provides the new bound, under a condition on the parameters (diagram: PMAC / MPMAC / RO)

15 Comparison of new and old bounds
 New ( ) < old ( ) iff
 Ex.: new bound is 2^-32, old bound is ~2^-16
   If 99.9% of messages are one-block, the old bound is better
   If at least 1% of messages are of max. length, the new bound is better (if we ignore constants)
 As long as there is a small (but not too small) fraction of long messages, the new bound is better
 Much better in some practical cases (e.g., all messages have similar lengths)
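Worked check of the comparison on this slide, added here as an editor's example and not part of the slides. The bound shapes are an assumption of the example: constants dropped as the slide does, the new bound is taken to grow as (max. message length in blocks) × q² / 2^n and the old one as (total number of queried blocks)² / 2^n. Those shapes reproduce the slide's figures (n = 128, q = 2^40, every message 2^16 blocks gives 2^-32 versus 2^-16) and make the crossover explicit: the new bound wins exactly when the average message length exceeds the square root of the maximum length.

```python
"""Added example: which PMAC/TMAC/XCBC bound is tighter for a given traffic profile?
Bound shapes below are an assumption of this example (constants dropped):
    new ~ ell * q^2 / 2^n        ell   = max. message length in n-bit blocks
    old ~ sigma^2 / 2^n          sigma = total number of queried blocks
"""
from fractions import Fraction
from math import sqrt
from typing import Iterable, Tuple

LengthMix = Iterable[Tuple[int, Fraction]]   # (length in blocks, fraction of the q queries)

def mac_bounds(n: int, q: int, length_mix: LengthMix) -> Tuple[Fraction, Fraction]:
    """Return (new, old) as exact rationals for q queries with the given length mix."""
    mix = [(int(length), Fraction(frac)) for length, frac in length_mix]
    assert sum(frac for _, frac in mix) == 1, "query fractions must sum to 1"
    ell = max(length for length, _ in mix)
    sigma = q * sum(length * frac for length, frac in mix)   # total blocks, may be fractional
    new = Fraction(ell * q * q, 2 ** n)
    old = sigma * sigma / 2 ** n
    return new, old

def new_is_better(n: int, q: int, length_mix: LengthMix) -> bool:
    new, old = mac_bounds(n, q, length_mix)
    return new < old

def crossover_average_length(ell: int) -> float:
    """new < old  <=>  ell*q^2 < sigma^2  <=>  sigma/q > sqrt(ell):
    the new bound is tighter once the AVERAGE message length exceeds sqrt(ell)."""
    return sqrt(ell)

if __name__ == "__main__":
    n, q, ell = 128, 2 ** 40, 2 ** 16
    print(mac_bounds(n, q, [(ell, 1)]))                       # slide's example: 2^-32 vs 2^-16
    print(new_is_better(n, q, [(1, Fraction("0.999")), (ell, Fraction("0.001"))]))  # old wins
    print(new_is_better(n, q, [(1, Fraction("0.99")), (ell, Fraction("0.01"))]))    # new wins
    print(crossover_average_length(ell))                       # 256 blocks
```

With 99.9% one-block messages the average length is about 66.5 blocks, below the 256-block crossover for a 2^16-block maximum, so the old bound is smaller; at 1% long messages the average is about 656 blocks and the new bound takes over, which is the slide's "small but not too small fraction" remark in numbers.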

16 Analysis of TMAC and XCBC

17 TMAC [KI03] and XCBC [BR00]
 Successors of EMAC
   Fewer BC calls (no double encryption)
   One BC key + one (TMAC) or two (XCBC) n-bit keys
 Diagram: TMAC; the extra n-bit key is independent of the BC key

18 Proof sketch for TMAC (XCBC is the same)
 Modified TMAC (MTMAC) and bad events, similar to those for PMAC
 Adv. between TMAC and MTMAC: a much simpler analysis, due to the independence of the extra n-bit key
 Adv. between MTMAC and RO is the EMAC bound of [BPR05], i.e.:

19 New bounds for TMAC and XCBC
 Old bounds [BR00][KI03][IK03s]: or , for
 Theorem 3: TMAC's new bound is: (XCBC's bound is the same)
 Bound comparison is almost the same as in PMAC's case, when the second term is negligible

20 Short comments on OMAC [IK03o]
 OMAC (aka CMAC) is a one-key CBC-MAC, an improvement to TMAC and XCBC: the last-block mask is L·u or L·u² (full vs. padded last block), where L is the block-cipher encryption of the zero block, so no extra n-bit key is needed
 MOMAC and bad events are similarly defined
 However, the probabilities of some new bad events have to be evaluated, such as ; an extension of the CBC collision analysis of [BPR05] is needed (open problem)
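The modes of slides 7, 17 and 20 side by side, as an added example rather than code from the paper or its authors: every MAC below is built from one block-cipher call E plus GF(2^128) doubling, which is what “BC-only” means in practice. The block cipher is a stand-in (a 4-round Feistel over HMAC-SHA256, an assumption of this example; use AES-128 in real code), and the PMAC mask schedule is this example's own choice, stated in its docstring, not a bit-exact copy of [BR02] or [R04]. `unmasked_cbc_mac` is the insecure baseline that shows what the last-block masks buy: without them the empty message and its own 10* padding yield the same tag.

```python
"""Added example: BC-only MACs from the slides (XCBC, TMAC, OMAC1/CMAC, PMAC-style),
built from nothing but a block-cipher call E and GF(2^128) shifts/XORs."""
import hashlib
import hmac
from typing import Callable, List

N = 16                                   # block size in bytes (n = 128 bits)
BlockCipher = Callable[[bytes], bytes]   # E_K: one n-bit block in, one n-bit block out

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel_prp(key: bytes) -> BlockCipher:
    """Stand-in block cipher (assumption of this example, NOT AES): 4-round Feistel with
    HMAC-SHA256 round functions truncated to 64 bits. The MACs only call E on single blocks,
    so AES-128 drops in unchanged."""
    def encrypt(block: bytes) -> bytes:
        assert len(block) == N
        left, right = block[:8], block[8:]
        for rnd in range(4):
            f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
            left, right = right, xor(left, f)
        return left + right
    return encrypt

def gf_double(v: bytes) -> bytes:
    """L -> L*u in GF(2^128) mod x^128+x^7+x^2+x+1: one shift plus a conditional XOR.
    This is the 'few bitshifts and XORs' mask derivation (CMAC's 2L, PMAC's 2^i L)."""
    x = int.from_bytes(v, "big") << 1
    if x >> 128:
        x ^= (1 << 128) | 0x87
    return x.to_bytes(N, "big")

def gf_half(v: bytes) -> bytes:
    """L -> L*u^-1, the inverse of gf_double (original PMAC's full-last-block constant [BR02])."""
    x = int.from_bytes(v, "big")
    low, x = x & 1, x >> 1
    if low:
        x ^= (1 << 127) | 0x43
    return x.to_bytes(N, "big")

def blocks_of(msg: bytes) -> List[bytes]:
    """n-bit blocks; the last may be short, or empty for the empty message."""
    return [msg[i:i + N] for i in range(0, len(msg), N)] if msg else [b""]

def pad10(b: bytes) -> bytes:
    return b + b"\x80" + bytes(N - len(b) - 1)

def cbc_type_mac(E: BlockCipher, msg: bytes, mask_full: bytes, mask_partial: bytes) -> bytes:
    """Common skeleton of XCBC/TMAC/OMAC: CBC over all but the last block, then XOR the last
    block (10*-padded if short) with a key-dependent mask and encrypt once. The choice of
    mask records whether padding happened, so M and pad(M) cannot collide."""
    blocks = blocks_of(msg)
    chain = bytes(N)
    for b in blocks[:-1]:
        chain = E(xor(chain, b))
    last = blocks[-1]
    if len(last) == N:
        return E(xor(xor(chain, last), mask_full))
    return E(xor(xor(chain, pad10(last)), mask_partial))

def unmasked_cbc_mac(E: BlockCipher, msg: bytes) -> bytes:
    """Insecure baseline: the same skeleton with zero masks, kept only to show the collision
    that the masks prevent (compare it with omac1 on b'' and pad10(b''))."""
    return cbc_type_mac(E, msg, bytes(N), bytes(N))

def xcbc(E: BlockCipher, k2: bytes, k3: bytes, msg: bytes) -> bytes:
    """XCBC [BR00]: BC key plus two independent n-bit keys, K2 (full last block) and K3 (padded)."""
    return cbc_type_mac(E, msg, k2, k3)

def tmac(E: BlockCipher, k2: bytes, msg: bytes) -> bytes:
    """TMAC [KI03]: BC key plus one n-bit key K2; masks K2*u (full) and K2 (padded)."""
    return cbc_type_mac(E, msg, gf_double(k2), k2)

def omac1(E: BlockCipher, msg: bytes) -> bytes:
    """OMAC1 = CMAC: a single key. L = E(0^n); masks L*u (full) and L*u^2 (padded)."""
    L = E(bytes(N))
    return cbc_type_mac(E, msg, gf_double(L), gf_double(gf_double(L)))

def pmac_style(E: BlockCipher, msg: bytes) -> bytes:
    """PMAC-style: PHASH (mask, encrypt, sum over blocks 1..m-1; the terms are independent,
    hence parallelizable) followed by one finalization. Mask schedule is this example's
    choice: Delta_i = L*u^i by doubling ([R04] flavour) and L*u^-1 added for a full last
    block ([BR02] flavour); it is not claimed to match either published PMAC bit-for-bit."""
    blocks = blocks_of(msg)
    L = E(bytes(N))
    delta, sigma = gf_double(L), bytes(N)
    for b in blocks[:-1]:
        sigma = xor(sigma, E(xor(b, delta)))
        delta = gf_double(delta)
    last = blocks[-1]
    if len(last) == N:
        sigma = xor(xor(sigma, last), gf_half(L))
    else:
        sigma = xor(sigma, pad10(last))
    return E(sigma)
```

To see the padding-collision point, compare `unmasked_cbc_mac(E, b"")` with `unmasked_cbc_mac(E, pad10(b""))` and then the same pair under `omac1`, `tmac`, `xcbc` and `pmac_style`: only the unmasked baseline collides. The identity `tmac(E, K2, M) == xcbc(E, gf_double(K2), K2, M)` shows TMAC as XCBC with its two n-bit keys derived from one, and `omac1` goes one step further by deriving that one key from E itself.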

21 Conclusion
 New bounds for PMAC, TMAC, and XCBC: from quadratic to (almost) linear degradation wrt the max. message length
 Future directions
   OMAC
   Further improvement (still far from the lower bound)

22 Thank you!