A Block-Cipher Mode of Operation for Parallelizable Message Authentication. John Black (University of Nevada, Reno, USA) and Phillip Rogaway (University of California, Davis, USA and Chiang Mai University, Thailand)
A Block-Cipher Mode of Operation for Parallelizable Message Authentication
John Black, University of Nevada, Reno, USA
Phillip Rogaway, University of California, Davis, USA and Chiang Mai University, Thailand
EUROCRYPT – May 1, 2002, Amsterdam, The Netherlands

2 What is a MAC?
MAC_G: generate an authentication tag, Tag = MAC_K([IV,] M)
MAC_V: verify an authentication tag, MAC_K(M, Tag)
Most MACs are deterministic: they need no nonce/state/IV/$
Stateless MACs are more practical

3 The ACMA Model [GMR, BKR]
The adversary talks to a MAC oracle holding K: it submits M_1, M_2, ..., M_q and receives MAC_K(M_1), MAC_K(M_2), ..., MAC_K(M_q). It then outputs a pair (M*, Tag*) // forgery attempt

4 A Precise Definition
We define the advantage of a "MAC adversary" A over a particular MAC algorithm M. We define the maximum advantage of any MAC adversary making at most q queries totaling at most m blocks. Our goal is to bound this quantity by a function of q and m that is "small" for "reasonable" values of q and m.

5 CBC MAC (ANSI X9.19, FIPS 113, ISO)
Known to be secure for messages of one fixed length
Diagram: M_1 is enciphered with E_K, the output is xored into M_2 and enciphered again, and so on through M_m; the last cipher output is the tag
Uses ⌈|M|/n⌉ block cipher invocations
Inherently sequential

6 Parallelizable MACs: Important?
In some settings, MAC performance is paramount
– E.g., a web server handling thousands of requests/sec
Extracting parallelism is a simple way to achieve dramatic increases in performance
– Algorithm design governs to what extent we can parallelize
Parallelism is the only way to achieve extreme speeds in hardware or software
No disadvantage provided we do not surrender too much serial efficiency

7 A First Attempt: XOR MAC [BGR 95]
Not a PRF
≈2 times as many block cipher calls as CBC MAC
Diagram: the nonce and each block M[1], M[2], ..., M[m] go through separate, independent E_K calls, and the outputs are xored together to give the tag

8 Protected Counter Sums [Be 99]
A PRF variant of the XOR MAC
Diagram: each block M[1], M[2], ..., M[m] is processed by F_K (built from E_K) giving Y[1], Y[2], ..., Y[m]; these are xored into S, and the tag is F_K(<0, S>)

9 Gligor-Donescu MAC [GD 01]
XOR MAC with a better method for block offsets
But no longer a PRF
Diagram: R is derived from the nonce with E_K; block M[i] is offset by i·R (R, 2R, ..., mR, added in) to give X[i], each X[i] is enciphered with E_K to give Y[i], and the Y[i] are combined into the tag

10 PMAC: A Parallelizable MAC
A fully-parallelizable VIL PRF: {0,1}* → {0,1}^n
– Cannot distinguish PMAC_K(·) from a random function R(·)
– Can be used as a (stateless, deterministic) MAC
Efficient
– uses ⌈|M|/n⌉ block cipher calls, like basic CBC MAC
– uses a single block cipher key
– low session-startup cost: about one block cipher call
– essentially endian neutral
Simple
– no n-bit addition or mod p operations, just xors and shifts
– much simpler than any known Carter-Wegman MAC
Provably Secure
– if E is a secure block cipher then PMAC[E] is a good PRF

11 PMAC_K (diagram; the definition follows on the next slide)
Each of M[1], M[2], ..., M[m-1] (n bits each) is xored with its offset, derived from L = E_K(0^n) (the slide's L, 2L, 3L, ... and -L, made explicit on the next slide), and enciphered with E_K. The outputs are xored together with pad(M[m]) (M[m] is possibly short) and with one more term: 0 if |M[m]| < n, or -L (that is, L·x^{-1}) if |M[m]| = n. The sum is enciphered once more to give FullTag, and Tag is the first bits of FullTag (the chosen tag length).

12 Definition of PMAC[E, ·] (parameters: the block cipher E and the tag length)
algorithm PMAC_K(M)
    L(0) = E_K(0)                                   // 0 is the all-zero n-bit block
    L(-1) = lsb(L(0)) ? (L(0) >> 1) xor Const43 : (L(0) >> 1)
    for i = 1, 2, ... do L(i) = msb(L(i-1)) ? (L(i-1) << 1) xor Const87 : (L(i-1) << 1)
    Partition M into M[1] ... M[m]                  // each n bits, except M[m] may be shorter
    Offset = 0
    Sum = 0
    for i = 1 to m-1 do
        Offset = Offset xor L(ntz(i))               // ntz(i): number of trailing zero bits of i
        Sum = Sum xor E_K(M[i] xor Offset)
    Sum = Sum xor pad(M[m])
    if |M[m]| = n then Sum = Sum xor L(-1)
    FullTag = E_K(Sum)
    Tag = first bits of FullTag (the tag length)
    return Tag
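The definition above, together with the diagram on the preceding slide, as a complete PMAC[AES] implementation in Go. This is an example added here; it is not the reference code from the PMAC web page and it has not been checked against the published test vectors. The names are mine: `double` and `halve` are the slide's L(i) and L(-1) recurrences with Const87 = 0x87 and Const43 = 1 0^120 1000011 for n = 128, the offset is accumulated as L(ntz(i)) exactly as on the slide, `Tag` takes the tag length `tau` in bytes, and `Verify` is MAC_V from slide 2 done with a constant-time comparison. The key and message in `main` are constructed sample values, not test vectors.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"fmt"
	"math/bits"
)

const n = 16 // AES block length in bytes (n = 128 bits)

func xor(a, b [n]byte) [n]byte {
	for i := range a {
		a[i] ^= b[i]
	}
	return a
}

// double is L·x in GF(2^128): shift left one bit; if the msb fell off, xor in Const87 (0x87).
func double(L [n]byte) (out [n]byte) {
	for i, carry := n-1, byte(0); i >= 0; i-- {
		out[i], carry = L[i]<<1|carry, L[i]>>7
	}
	if L[0]>>7 == 1 {
		out[n-1] ^= 0x87
	}
	return out
}

// halve is L·x^{-1}: shift right one bit; if the lsb fell off, xor in Const43 (1 0^120 1000011).
func halve(L [n]byte) (out [n]byte) {
	for i, carry := 0, byte(0); i < n; i++ {
		out[i], carry = L[i]>>1|carry, L[i]<<7
	}
	if L[n-1]&1 == 1 {
		out[0], out[n-1] = out[0]^0x80, out[n-1]^0x43
	}
	return out
}

// PMAC holds the key-dependent constants of PMAC[AES]: L(0..63) and L(-1).
type PMAC struct {
	E    cipher.Block
	L    [64][n]byte // L[i] = L(i) = L(0)·x^i; ntz(i) < 64 for every block index i
	Linv [n]byte     // L(-1)
}

func NewPMAC(key []byte) (*PMAC, error) {
	E, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	p := &PMAC{E: E}
	E.Encrypt(p.L[0][:], make([]byte, n)) // L(0) = E_K(0^n)
	for i := 1; i < len(p.L); i++ {
		p.L[i] = double(p.L[i-1])
	}
	p.Linv = halve(p.L[0])
	return p, nil
}

// Tag computes PMAC_K(M) and returns the first tau bytes of FullTag.
func (p *PMAC) Tag(M []byte, tau int) []byte {
	m := 1 + (len(M)-1)/n // block count; M[m] may be short, and the empty message is one empty block
	var offset, sigma, x, y, padded [n]byte
	for i := 1; i < m; i++ { // the m-1 full blocks are independent of each other: this loop parallelizes
		offset = xor(offset, p.L[bits.TrailingZeros(uint(i))]) // Offset = Offset xor L(ntz(i)), i.e. gamma_i·L
		copy(x[:], M[(i-1)*n:i*n])
		x = xor(x, offset)
		p.E.Encrypt(y[:], x[:])
		sigma = xor(sigma, y)
	}
	copy(padded[:], M[(m-1)*n:])
	if r := len(M) - (m-1)*n; r == n {
		sigma = xor(sigma, p.Linv) // full final block: no padding, xor in L(-1) instead
	} else {
		padded[r] = 0x80 // pad(M[m]) = M[m] 10*
	}
	sigma = xor(sigma, padded)
	p.E.Encrypt(y[:], sigma[:]) // FullTag
	return y[:tau]
}

// Verify is MAC_V from slide 2: recompute the tag and compare in constant time.
func (p *PMAC) Verify(M, tag []byte) bool {
	return len(tag) > 0 && len(tag) <= n && subtle.ConstantTimeCompare(p.Tag(M, len(tag)), tag) == 1
}

func main() {
	p, err := NewPMAC([]byte("0123456789abcdef")) // constructed sample key, not a published test vector
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample message spanning three AES blocks")
	tag := p.Tag(msg, 16)
	fmt.Printf("tag=%x verifies=%v\n", tag, p.Verify(msg, tag))
}
```

Run it with `go run pmac.go`. The block-cipher calls inside the loop depend only on the message block and on a precomputed offset, which is what lets a real implementation issue the m-1 encryptions in parallel; the offset update, the input xor and the xor into the running sum are the three xors per block that the comparison slide counts for PMAC, versus the one n-bit xor of CBC MAC.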

13 PMAC's Security [GGM, BKR]
Security as a VIL PRF: the adversary A is given either a PMAC_K oracle (query x_i, answer PMAC_K(x_i)) or a random-function oracle R (query x_i, answer R(x_i)), and
Adv^prf(A) = Pr[A^{PMAC_K} = 1] – Pr[A^R = 1]

14 Block-Cipher Security [GGM, LR, BKR]
Security as a FIL PRP: the adversary B is given either an enciphering oracle E_K (query x_i, answer E_K(x_i)) or a random-permutation oracle (query x_i, answer the permutation applied to x_i), and
Adv^prp(B) = Pr[B^{E_K} = 1] – Pr[B^{random perm} = 1]

15 PMAC Theorem
Suppose there is an adversary A that breaks PMAC[E] with: time = t, total number of blocks = (the total block count), advantage = Adv^prf(A).
Then there is an adversary B that breaks the block cipher E with: time ≈ t, number of queries ≈ total number of blocks, Adv^prp(B) ≥ Adv^prf(A) – (total number of blocks)^2 / 2^{n-1}.
To wrap up, it is a standard result that any PRF whose output is the tag length in bits can be used as a MAC, where the forging probability will be at most Adv^prf(A) + …

16 Proof Idea
Diagram: two messages M = M[1] M[2] M[3] ... M[m] and M' = M'[1] M'[2] M'[3] ... M'[m'] with M[2] ≠ M'[2]. After xoring in the offset (2L on the slide) the block-cipher inputs X[2] and X'[2] are distinct, so the outputs Y[2] and Y'[2] enter the final sums (with the "other stuff" from the remaining blocks) and the tags T and T' follow.

17 PMAC as a PRF
Structure Lemma and PMAC Theorem: Fix n and a tag length ≥ 1. Let A be any adversary who asks q queries, these having an aggregate length (in blocks) of m_1 + ... + m_q. Then Adv^prf(A) is bounded in terms of these quantities (bound on the slide).

18 PMAC Performance (Serial)
A moderately-optimized implementation of PMAC[AES] (Krovetz) runs in 18.4 cpb. Compare with 17.1 cpb for AES.
– P3, C+assembly, gcc, 2KB, data in L1 cache
Aggressively-optimized basic CBC MAC runs on a Pentium at 15.5 cpb [Lipmaa]
– We guess that an aggressively-optimized PMAC[AES] should run at about 16.5 cpb.

19 Comparisons

Mode                 | Domain       | PRF | Parallelizable | Block cipher calls | Key length          | Per-block overhead
CBC MAC              | ({0,1}^n)^m  | yes | no             | |M| / n            | k                   | 1 xor
XCBC [BR 00]         | {0,1}*       | yes | no             | ⌈|M| / n⌉          | k + 2n              | 1 xor
XECB-MAC [GD 00,01]  | {0,1}*       | no  | yes            | ⌈|M| / n⌉          | varies (3 versions) | 1 xor, 2 add
PMAC [BR 02]         | {0,1}*       | yes | yes            | ⌈|M| / n⌉          | k                   | 3 xor

20 Implementation Effort

Object         | Effort (John-Time)
Basic CBC MAC  | 30 mins
XCBC           | 1 hour
PMAC           | 3 hours
OCB            | 4 hours
AES            | 8 hours
DES            | 8 hours
UMAC           | 3 days

21 More Information on PMAC
Visit the PMAC web page. The web page contains:
– Reference code (by Ted Krovetz and me)
– Test vectors
– FAQ
– Full version of the PMAC paper