1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.

Presentation transcript:

2 Outline Introduction to modes of operation and to provable security Recent work on MAC (CRYPTO 2011) Recent work on indifferentiability (Eurocrypt 2011) Some thoughts on MACs and on indifferentiability

3 Introduction

4 Modes of operation (domain extension type) We only have “small” primitives (block cipher, compression function). Small primitives have fixed-length input. To process large data, we need to iterate our small primitives in some way. Modes of operation are constructions that specify how to iterate our small primitives.

5 Examples [figures: CBC-MAC iterating the block cipher over the data blocks; Merkle-Damgård iterating the compression function f over the data blocks]

6 Provable security Want to prove: Our construction is secure (in some sense) if the underlying small primitive is secure (in some sense). Steps: 1. Make an assumption about the security of the small primitive (the notion of security depends on the definition) 2. Reduce the security of the entire construction to that of the underlying primitive

7 Examples CBC-MAC: If the underlying block cipher is a secure pseudo-random permutation, then its CBC-MAC mode is a secure MAC. Merkle-Damgård construction: If the underlying compression function is collision-resistant, then the entire Merkle-Damgård hash function is also collision-resistant.

8 Outline Introduction to modes of operation and to provable security Recent work on MAC (CRYPTO 2011) Recent work on indifferentiability (Eurocrypt 2011) Some thoughts on MACs and on indifferentiability

9 “A new variant of PMAC: Beyond the birthday bound” (CRYPTO 2011)

10 Introduction MAC (Message Authentication Code): Symmetric-key primitive; Input: a secret key and (possibly large) data; Output: a fixed-length value (called tag); Used for integrity check of data. [figure: data (message) and secret key go in, tag (64-bit, 128-bit, etc.) comes out]

11 4 ways to make a MAC 1. design from scratch (dedicated MAC) 2. use a cryptographic hash function (e.g., HMAC) 3. use a universal hash function 4. use a block cipher (e.g., CMAC, PMAC)

12 4 ways to make a MAC 1. design from scratch (dedicated MAC) 2. use a cryptographic hash function (e.g., HMAC) 3. use a universal hash function 4. use a block cipher (e.g., CMAC, PMAC) This work

13 Blockcipher-based MACs (2 types of iteration) [figures: CBC iteration over the data blocks; PMAC iteration over the data blocks, each block XORed with a mask] Mask needs to be updated at each iteration

14 CBC vs. PMAC
  CBC:  Sequential      / Only XOR
  PMAC: Parallelizable  / Requires mask update and XOR

15 Why PMAC? PMAC seems to have a structure easier to analyze (for security proofs) In fact, some of the proof techniques are not applicable to CBC iteration

16 Intuition behind the choice [figure: CBC chain vs. masked PMAC calls, with $ marking the random values available at each step] CBC: order of execution does matter. PMAC: can be executed in any order, so it is easier to manipulate events and to evaluate probabilities.
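An added example, not from the slides, contrasting the two iteration types of slides 13-16: a CBC-type chain beside a simplified PMAC-type iteration whose masks are updated by the “mult. by 2” doubling in GF(2^128). The block cipher E_K is a constructed toy keyed Feistel permutation over SHA-256 (a stand-in, not a real cipher), and the PMAC-style function omits real PMAC's special handling of the last block; the point shown is that the masked blocks can be processed in any order, while the CBC chain cannot.

```python
import hashlib

BLOCK = 16  # n = 128-bit blocks

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_prp(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for E_K: a 4-round Feistel with a SHA-256 round function.
    It is a keyed permutation on 128-bit blocks but NOT a real cipher."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def gf_double(block: bytes) -> bytes:
    """'mult. by 2': multiply by x in GF(2^128), polynomial x^128 + x^7 + x^2 + x + 1."""
    v = int.from_bytes(block, "big") << 1
    if v >> 128:
        v = (v & ((1 << 128) - 1)) ^ 0x87
    return v.to_bytes(BLOCK, "big")

def cbc_mac(key: bytes, blocks: list) -> bytes:
    """CBC-type iteration: every cipher call depends on the previous output."""
    state = bytes(BLOCK)
    for m in blocks:
        state = toy_prp(key, xor(state, m))
    return state

def pmac_like(key: bytes, blocks: list, order=None) -> bytes:
    """PMAC-type iteration (simplified: all blocks masked, no special last block).
    Masks are 2^i * L with L = E_K(0^n); the masked blocks are encrypted
    independently and XORed, so 'order' may be any permutation of the indices."""
    mask = toy_prp(key, bytes(BLOCK))          # L = E_K(0^n)
    masks = []
    for _ in blocks:
        mask = gf_double(mask)                  # next mask = 2 * previous mask
        masks.append(mask)
    acc = bytes(BLOCK)
    for i in (order if order is not None else range(len(blocks))):
        acc = xor(acc, toy_prp(key, xor(blocks[i], masks[i])))
    return toy_prp(key, acc)                    # finalization
```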

17 MAC security Unforgeability  Adversary (without knowing the key) should not be able to produce a valid tag for a new message Pseudo-random  Randomness implies unforgeability  If a MAC is a secure PRF (pseudo-random function), then it is also a secure MAC.

18 MAC security Unforgeability  Adversary (without knowing the key) should not be able to produce a valid tag for a new message Pseudo-random  Randomness implies unforgeability  If a MAC is a secure PRF (pseudo-random function), then it is also a secure MAC. PRF-based MACs are “standard”

19 Birthday problems Ordinary MACs usually provide security only up to half the block size (n bits) of the underlying cipher. For an n-bit cipher, only 2^(n/2) security. For n = 64, 2^32 blocks = 32 GBytes. 64-bit block ciphers? Triple-DES, HIGHT, PRESENT, LED, ... [figure: n-bit security vs. 0.5n-bit security]

20 2 different birthday problems exist for block-cipher-based MACs. Birthday attacks on iterated MACs: Existential forgery is possible on any iterated MAC after 2^(n/2) queries (n the state size); For CBC-type MACs, even universal forgery is possible. PRP – PRF switching lemma: PRP – pseudo-random permutation; A (pseudo-random) permutation can be considered as a function only up to 2^(n/2) queries.

21 Security result The new construction achieves 2^(2n/3) security: For n = 64, 2^42.7 blocks = 51 TBytes. The new MAC is a secure PRF based on the assumption that the underlying block cipher is a secure PRP: Avoids using the PRP-PRF switching lemma.

22 ISO 9797 (The only) previous construction that achieves security beyond the birthday bound: Achieves (slightly worse than) 2^(2n/3) security; Rate-1/2 construction, twice as slow (as CMAC, PMAC).

23 ISO 9797 – sum of two CBC MACs Requires 2 encryptions to process a block [figure: two CBC chains over Block i, Block i+1, Block i+2, run under different keys]

24 Solution – basic idea Want rate-1 construction; only 1 encryption per block...

25 Solution – basic idea Want rate-1 construction; only 1 encryption per block... Double everything but block cipher calls

26 Original PMAC [figure: data blocks, mask, finalization, tag]

27 Doubling the masking [figure: data blocks, mask0 and mask1, finalization, tag]

28 Doubling the state [figure: data blocks, mask0 and mask1, two state values, one multiplied by 2, finalization, tag]

29 Doubling the finalization [figure: data blocks, mask0 and mask1, mult. by 2, doubled finalization, tag]

30 The new construction [figure: data blocks, mask0 and mask1, mult. by 2, finalization, tag]

31 Open problem: 1-key construction [figure: data blocks, mask0 and mask1, mult. by 2, finalization, tag] These 2 keys can be made the same by tweaking here (e.g., mult. by 2)... But still a 2-key construction

32 Open problem: Full 2^n security Tripling everything instead of doubling: Possibly 2^(3n/4) security, but not 2^n; 4 times, 5 times, ... would result in 2^(4n/5), 2^(5n/6) security (at best); May still be called rate-1, but more and more inefficient. The 2^(2n/3) bound may not be tight: No attacks (of this complexity) known; The proofs may be improved.

33 Outline Introduction to modes of operation and to provable security Recent work on MAC (CRYPTO 2011) Recent work on indifferentiability (Eurocrypt 2011) Some thoughts on MACs and on indifferentiability

34 Ristenpart, Shacham and Shrimpton: “Careful with composition: Limitation of indifferentiability and …” (Eurocrypt 2011)

35 Indifferentiability Introduced by Maurer, Renner, and Holenstein (TCC 2004): A notion of security stronger than indistinguishability / pseudo-randomness; The adversary has oracle access to the (internal) small components as well as to the entire scheme.

36 Indifferentiability and (keyless) hash functions The indifferentiability framework was applied to modes of operation for keyless hash functions: Coron, Dodis, Malinaud and Puniya, CRYPTO 2005. Secure (indifferentiable) hash constructions: If the compression function is ideal (random), then so is the entire hash function.

37 Composability Suppose you have a cryptographic system which is secure in the random oracle model. (Interpretation) Composability says: The random oracle can be safely replaced (instantiated) with an indifferentiable hash function; The system with the indifferentiable hash must be secure if the internal compression function is ideal.

38 “Counterexample” (Ristenpart et al. Eurocrypt 2011) Hash-based storage auditing 1. Client sends a random challenge C to the server 2. Server proves possession of the file M by computing and sending Z <- Hash(M|C) Secure if Hash is a random oracle

39 chopMD – Indifferentiable hash Proven by Coron, Dodis, Malinaud and Puniya at CRYPTO 2005 [figure: chopMD iteration of f from IV over the blocks X[1], X[2], X[3], ..., X[m]; labels: d bits, n bits, hash value truncated to n/2 bits (d > n)]

40 “Counterexample” (again) Hash-based storage auditing 1. Client sends a random challenge C to the server 2. Server proves possession of the file M by computing and sending Z <- Hash(M|C) Insecure if Hash is chopMD

41 chopMD insecure? How to cheat: Hash(M|C) -> Z [figure: IV, M and C fed through f, f; Y is the chaining value after M; labels: d bits, n bits, truncated to n/2 bits (d > n)] The server can: forget M, store Y instead; on challenge C, return f(Y,C) (truncated). We have f(Y,C) (truncated) = Z.
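An added example, not from the slides or the cited paper, that re-creates the storage-auditing failure of slides 38-41 in code. It assumes d-bit message blocks and an n-bit chaining value (d > n) and uses a constructed compression function f(Y, X) = SHA-256(Y || X) with simplified padding; a server that keeps only the chaining value Y after absorbing the file M answers every challenge C with the same Z as a server that really stores M.

```python
import hashlib

D_BYTES = 64              # d = 512-bit message blocks
N_BYTES = 32              # n = 256-bit chaining value (d > n)
OUT_BYTES = N_BYTES // 2  # chopMD output: first n/2 = 128 bits
IV = bytes(N_BYTES)

def f(y: bytes, x: bytes) -> bytes:
    """Constructed compression function {0,1}^n x {0,1}^d -> {0,1}^n."""
    assert len(y) == N_BYTES and len(x) == D_BYTES
    return hashlib.sha256(y + x).digest()

def absorb(state: bytes, data: bytes) -> bytes:
    """Iterate f over block-aligned data (no padding) starting from 'state'."""
    assert len(data) % D_BYTES == 0
    for i in range(0, len(data), D_BYTES):
        state = f(state, data[i:i + D_BYTES])
    return state

def pad(data: bytes) -> bytes:
    """0x80 then zeros up to a block boundary (simplified; no length encoding)."""
    data += b"\x80"
    return data + bytes((-len(data)) % D_BYTES)

def chop_md(data: bytes) -> bytes:
    """chopMD: Merkle-Damgård from IV over the padded input, truncated to n/2 bits."""
    return absorb(IV, pad(data))[:OUT_BYTES]

def honest_response(file_m: bytes, challenge_c: bytes) -> bytes:
    """A server that really holds M answers the audit with Z = Hash(M|C)."""
    return chop_md(file_m + challenge_c)

class ForgetfulServer:
    """Stores only the n-bit chaining value Y reached after absorbing M (M block-aligned)
    and answers challenges by continuing the iteration from Y: f(Y, C) truncated."""
    def __init__(self, file_m: bytes):
        assert len(file_m) % D_BYTES == 0
        self.y = absorb(IV, file_m)
    def respond(self, challenge_c: bytes) -> bytes:
        return absorb(self.y, pad(challenge_c))[:OUT_BYTES]

def audit_indistinguishable(file_m: bytes, challenge_c: bytes) -> bool:
    """True when the client cannot tell the forgetful server from an honest one."""
    return ForgetfulServer(file_m).respond(challenge_c) == honest_response(file_m, challenge_c)
```

The equality holds for every C because pad(M|C) = M | pad(C) whenever M is block-aligned, so the audit check never depends on M once Y is known; this is exactly the composition gap the slides describe, not a flaw in chopMD's indifferentiability proof.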

42 What is going on? Ristenpart et al. showed that the composability of indifferentiability may not hold true for security notions with multistage adversaries Seems quite difficult to find a “good” solution to fix the problem Limitation of the indifferentiability framework

43 Outline Introduction to modes of operation and to provable security Recent work on MAC (CRYPTO 2011) Recent work on indifferentiability (Eurocrypt 2011) Some thoughts on MACs and on indifferentiability

44 Some thoughts on MACs and on indifferentiability

45 MACs: Three notions of security Unforgeable (minimum requirement): MAC-secure. Pseudo-random (“standard”): PRF (pseudo-random function). Indifferentiable (strongest): The notion makes perfect sense in the secret-key setting; Indifferentiability is not only for keyless hash functions.

46 MACs: Provable security Assumptions about block cipher / compression function: MAC-secure; PRF / PRP. Goals of MAC scheme: MAC-secure; PRF; Indifferentiable. [figure: MAC construction, PRF construction, Indifferentiable construction]

47 Some observations [figure: PRF construction, MAC construction, Indifferentiable construction, linked by the questions “Connection?” and “Gap?”] Most PRF constructions are: efficient, and insecure if state values leaked. Many common constructions. Only inefficient ones known. “Transparent” – some security against side-channel attacks.

48 Conclusion The application of indifferentiability is not limited to keyless hash functions Indifferentiability might be related to MAC security (unforgeability) in some way

49 Thank you