Fast and Secure CBC-type MACs

Presentation on theme: "Fast and Secure CBC-type MACs"— Presentation transcript:

1 Fast and Secure CBC-type MACs
Mridul Nandi, National Institute of Standards and Technology. FSE, 25th Feb 2009. Indocrypt-2008.

2 Outline of the talk
Introduction
Broad categories of known MACs
CBC-type MACs
Generalization of CBC-type MACs
New proposals: GCBC1 and GCBC2
Comparison and summary

3 Message Authentication Code
Alice wants to send a message M. Bob should receive the same message and should know that only Alice could have sent it.
Ideal solution: a secure channel without noise.

4 Message Authentication Code
Alice wants to send a message M. Bob should receive the same message and should know that only Alice could have sent it.
Secure channel, but with statistical noise (Bob receives M' instead of M): a d-error-correcting code can be used if changing d bits or more has probability almost 0.

5 Message Authentication Code
Insecure channel with "human noise" (Oscar). Alice sends (M, T) with T = MAC_K(M) under the shared secret key K; Oscar may replace it by (M', T'); Bob recomputes T'' = MAC_K(M') and checks whether T'' = T'.
Role of a successful attacker: modify (M, T) into (M', T') such that T' = MAC_K(M'), more precisely . . .

6 Forging MAC
Role of a successful attacker: for adaptively chosen messages M1, M2, ..., Mq, Oscar obtains the corresponding tags from Alice (who holds the secret key K). First query: M1, answered with T1 = MAC_K(M1).

7 Forging MAC
Second query: M2, answered with T2 = MAC_K(M2).

8 Forging MAC
Last query: Mq, answered with Tq = MAC_K(Mq).

9 Forging MAC
Finally, Oscar should be able to produce a new valid message-tag pair (M, T). If he cannot, the MAC is good.

10 Distinguishing Attack
A stronger security notion than forging (difficult for attackers, easier for designers). Popular in security analysis.
Oscar queries M1, ..., Mq to MAC_K and receives T1, ..., Tq. Finally, Oscar has to distinguish T = (T1, ..., Tq) from a q-tuple of random strings.

11 PRF-Advantage Definition
prf-Adv_MAC(O) = | Pr_K[O(T) = 1 | MAC_K] - Pr_T[O(T) = 1 | uniform T] |
O is a distinguisher interacting either with MAC_K or with a random function.
prf-Adv_MAC(q, t, ...) = max prf-Adv_MAC(O), the maximum over all distinguishers O that make at most q queries, run in time t, etc.

12 A small domain PRF
Suppose the message size is less than 128 bits.
Apply an injective padding (e.g., 10^d).
Compute T = AES_K(M*), where M* is the padded message.
PRF/forgery security depends on the corresponding security of AES_K(.).
One may use any good compression function (instead of AES) with the chaining value as key.

13 A small domain PRF
AES_K: message size at most 127 bits, padded as M10^d; key size 128, 256, etc.; tag size at most 128.
Compression function comp (512-bit message block, 256-bit chaining value used as the key K): message size at most 511 bits, padded as M10^d; key size 256 or less; tag size at most 256.
How can one authenticate longer and variable-length messages?

14 Broad Categories of MACs (arbitrary domain)
Universal hash based, with/without nonce: Poly1305, UMAC, MMH, etc.
Block cipher based. Sequential (CBC-type): ECBC, XCBC, TMAC, OMAC, etc. Parallel: PMAC, XOR, DAG-based PRF, etc.
Hash function (also compression function) based: HMAC, NMAC, EMD, NI, sandwich-MD, variants of cascade, etc.

15 (1) Universal Hash based MAC
PRF-security depends on the PRF-security assumption of the block cipher or keyed compression function.
Usually very efficient in software.
Some drawbacks: a collision helps to mount a hash-key recovery attack and hence cheap multiple-forgery and key-recovery attacks. Some constructions are nonce-based: reuse of a nonce makes them insecure. Usually the hash key is large; the hash key should be generated from the underlying PRF or from some PRBG.

16 (2) Hash based MAC
PRF-security depends on the PRF-security of the underlying keyed compression function. Sometimes additional assumptions are required (HMAC and KMDP require related-key security, sandwich-MD requires a PRF with the key in the message block, etc.).
Serves as both hash and MAC together.
There is less PRF-security analysis of keyed compression functions than collision-security analysis.

17 (3) Blockcipher based MAC
PRF-security depends on the PRP-security of the underlying block cipher.
PRP-security of block ciphers is widely studied; AES is so far a good candidate for a PRP.
Sometimes MACs come together with encryption (also called authenticated encryption).
This talk is about this category.

18 CBC: Block Cipher based MAC
Figure: the message blocks are chained through E_K (three calls shown) and the output of the last call is the tag.
CBC-MAC is secure for a prefix-free message space only. Secure for fixed length. The length extension attack applies for an arbitrary domain.

19 CBC: Block Cipher based MAC
Figure (+ denotes XOR): if E_K(M1) = T1, then feeding T1 + M1 as the second block gives E_K(T1 + (T1 + M1)) = E_K(M1) = T1, i.e. MAC_K(M1 || (T1 + M1)) = T1.
CBC-MAC is secure for a prefix-free message space only. Secure for fixed length. The length extension attack applies for an arbitrary domain.

20 ECBC: Encrypted CBC
Figure: M1, M2, M3 chained through E_K, and the final chaining value is encrypted once more to give the tag.
Encrypted by the same key K? Secure?

21 ECBC: Encrypted CBC
Encrypted by the same key K? Not secure: length extension attack.
If MAC_K(M1) = T then MAC_K(M1 || 0 || (T + M1)) = T. In the figure, the zero block turns the chaining value E_K(M1) into E_K(E_K(M1)) = T, and the block T + M1 then feeds T + T + M1 = M1 into E_K again, restoring the chaining value E_K(M1), whose final encryption is T.

22 ECBC: Encrypted CBC
Encrypted by an independent key L? Secure? Yes: the length extension attack is not possible.
Figure: M1, M2, M3 chained through E_K; the final chaining value is encrypted with E_L to give the tag.
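As an added illustration of slides 18 to 22 (example code written for this transcript, not the author's): a minimal CBC-MAC and encrypted CBC over a stand-in block function, with check functions for the two extension identities the slides state and for the independent-key variant. The stand-in E_K is HMAC-SHA256 truncated to one 128-bit block; it is an assumption of the example (CBC-type MACs only call the cipher in the forward direction, so a keyed PRF reproduces the structural identities), not AES, and all function names are the example's own.

```python
# Added example (not from the slides): CBC-MAC and encrypted CBC (ECBC) over a
# stand-in 16-byte block function, showing the extension identities of slides
# 19 and 21 and why the final encryption needs an independent key L (slide 22).
import hashlib
import hmac
import os

N = 16  # block size in bytes (n = 128 bits)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(key: bytes, block: bytes) -> bytes:
    # ASSUMPTION: stand-in for the block cipher E_K. CBC-type MACs only use E in
    # the forward direction, so a keyed PRF truncated to one block is enough to
    # reproduce the structural identities; it is not AES.
    assert len(block) == N
    return hmac.new(key, block, hashlib.sha256).digest()[:N]


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    # Plain CBC-MAC over full blocks: v0 = 0, v_i = E_K(v_{i-1} xor M_i), tag = v_s.
    assert len(msg) % N == 0 and len(msg) > 0
    v = bytes(N)
    for i in range(0, len(msg), N):
        v = E(key, xor(v, msg[i:i + N]))
    return v


def ecbc_mac(key: bytes, final_key: bytes, msg: bytes) -> bytes:
    # Encrypted CBC: tag = E_L(CBC_K(M)); final_key may equal key (slide 21 case).
    return E(final_key, cbc_mac(key, msg))


def cbc_extension_holds(key: bytes, m1: bytes) -> bool:
    # Slide 19: MAC_K(M1) = T1 implies MAC_K(M1 || (T1 xor M1)) = T1.
    t1 = cbc_mac(key, m1)
    return cbc_mac(key, m1 + xor(t1, m1)) == t1


def ecbc_same_key_extension_holds(key: bytes, m1: bytes) -> bool:
    # Slide 21: with L = K, MAC_K(M1) = T implies MAC_K(M1 || 0^n || (T xor M1)) = T.
    t = ecbc_mac(key, key, m1)
    return ecbc_mac(key, key, m1 + bytes(N) + xor(t, m1)) == t


def ecbc_two_key_extension_holds(key: bytes, final_key: bytes, m1: bytes) -> bool:
    # The same relation with an independent final key L: the identity no longer
    # holds, because the inner chaining value E_K(M1) is never revealed.
    t = ecbc_mac(key, final_key, m1)
    return ecbc_mac(key, final_key, m1 + bytes(N) + xor(t, m1)) == t


if __name__ == "__main__":
    k, l, m = os.urandom(N), os.urandom(N), os.urandom(N)  # constructed inputs
    print("CBC-MAC extension identity   :", cbc_extension_holds(k, m))
    print("ECBC same-key identity       :", ecbc_same_key_extension_holds(k, m))
    print("ECBC independent-key identity:", ecbc_two_key_extension_holds(k, l, m))
```

The first two checks return True for every key and message, which is the whole point of the slides: the identities are structural, not a weakness of the cipher. The third returns False (except with probability about 2^-n), illustrating why ECBC, XCBC and the rest separate the last call from the chain.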

23 Block Cipher based MAC
Figure: M1, M2, M*3 chained through E_K; before the last call the chaining value is XORed with L1 or L2, and the output is the tag.
M*3 = M3 10^d if |M3| < n; M*3 = M3 if |M3| = n.
XCBC: K, L1, L2 independent keys.
TMAC: K, L1 independent keys, L2 = a . L1.
OMAC: L1 = a . E_K(0), L2 = a . L1.
Why two keys? M*3 can be obtained from two different messages.

24 Block Cipher based MAC
Same figure as slide 23. Why two keys? M*3 can be obtained from two different messages (a short M3 padded with 10^d, or a full block M3 that already ends in 10^d), and XOR operations commute with each other, so a single key L XORed into the last input could not separate the two cases.

25 Block Cipher based MAC
Figure: M1, M2, M*3 chained through E_K, with the chaining value shifted left by one or two bits (<<1 / <<2) before the last call.
A simple one-/two-bit left shift operation is sufficient: GCBC1.
The length extension attack is not valid for more than one message block.
A simple trick can handle single message blocks: GCBC2.

26 Block Cipher based MAC
Why secure? Any change to the message affects h (the tweaked chaining value feeding the final E_K) in a random manner, so it is difficult to find a collision on the final input; this prevents the extension attack.

27 Generalized CBC or GCBC

28 Prefix-free Function
A function pad: MsgSp -> ([0..t] x B)^+ is called prefix-free if for any distinct M and M', pad(M) is not a prefix of pad(M').
MsgSp = {0,1}*, [0..t] = {0, 1, ..., t}, B = {0,1}^n (message block space).
Example: pad(M) = (0, M1) (0, M2) ... (d, Ms) is prefix-free, where d = 1 if no padding was needed and d = 2 otherwise.

29 Generalized CBC (figure)
The message M is first padded: pad(M) = (d1, M1) (d2, M2) ... (ds, Ms). Then v0 = 0, u_i = h(d_i, v_{i-1}) + M_i and v_i = E_K(u_i) for i = 1, ..., s, and the tag is v_s.

30 Generalized CBC
h(d, x) is a tweak; d = 0 means the identity function.
d_i is not completely controlled by the attacker.
Examples of h: a d-bit shift of x, or XOR with an (auxiliary) key.
We need some properties on both pad and h: pad is prefix-free and h is weakly universal.
Figure: Msg -> pad -> (d1 = 0, M1), (d2, M2), (d3, M3); each chaining value passes through h before being XORed with the next block and encrypted with E_K; the last output is the tag.

31 Generalized CBC
Generalized CBC includes CBC, XCBC, TMAC, etc.
XCBC and TMAC have the prefix-free padding pad(M) = (0, M1) (0, M2) ... (d, Ms), where d = 1 if no padding, otherwise d = 2.
XCBC: h(1, x) = L1 + x, h(2, x) = L2 + x.
TMAC: h(1, x) = L1 + x, h(2, x) = a . L1 + x (a is a primitive element).
GCBC1 (for more than one message block) has the same padding rule with h(1, x) = x << 1 and h(2, x) = x << 2.

32 Generalized CBC
h is called weakly universal if the following hold:
Pr[h(d, R) = c] is negligible for all d;
Pr[h(d, R) + h(d', R) = c] is negligible for all distinct d, d';
Pr[h(d, 0) + h(d', 0) = c] is negligible for all d, d' that can appear with the first block.
The probability is computed over the uniform distribution of R and (possibly) the auxiliary key (present in e.g. XCBC and TMAC; GCBC1 has no auxiliary key).
One can prove that a simple shift or rotation function is weakly universal, i.e., h(d, x) = x << d or x <<< d.

33 Generalized CBC
Theorem (GCBC main theorem): if the tweaking function h is weakly universal, pad is prefix-free and the underlying block cipher is a PRP, then the generalized CBC based on the padding rule pad with tweaking function h is a PRF.

34 GCBC1
Case 1: the last message block M3 is not complete. v0 = 0; u1 = M1, v1 = E_K(u1); u2 = v1 + M2, v2 = E_K(u2); u3 = (v2 << 2) + M3 10*, and v3 = E_K(u3) is the tag.
Case 2: the last message block M3 is complete. Same chain, but the last chaining value is shifted by one bit: u3 = (v2 << 1) + M3, and v3 = E_K(u3) is the tag.
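The GCBC framework of slides 28 to 34 as an added example written for this transcript (not the author's code): the prefix-free pad, the tweak h, the generic chain gcbc, and the three instances of slide 31 (XCBC, TMAC, GCBC1). Assumptions of the example: E_K is a stand-in built from HMAC-SHA256 truncated to 128 bits (forward direction only, not AES), the primitive-element multiplication a . L1 for TMAC uses the reducing polynomial x^128 + x^7 + x^2 + x + 1 (the slides do not name one), and all function names are the example's own.

```python
# Added example (not from the slides or the author): the generalized CBC
# framework, pad: M -> (d_1, M_1) ... (d_s, M_s) and tweak h(d, x), with the
# instances XCBC, TMAC and GCBC1 from slide 31.
import hashlib
import hmac
import os

N = 16  # block size in bytes (n = 128 bits)
MASK = (1 << (8 * N)) - 1


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(key: bytes, block: bytes) -> bytes:
    # ASSUMPTION: stand-in for the block cipher E_K (forward direction only,
    # which is all a CBC-type MAC needs): a keyed PRF truncated to n bits, not AES.
    assert len(block) == N
    return hmac.new(key, block, hashlib.sha256).digest()[:N]


def pad(msg: bytes):
    # Prefix-free padding of slide 28: (0, M1) ... (0, M_{s-1}) (d, Ms) where
    # d = 1 if Ms was already a full block and d = 2 if 10* padding was applied.
    blocks = [msg[i:i + N] for i in range(0, len(msg), N)] or [b""]
    last = blocks[-1]
    if len(last) == N:
        d = 1
    else:
        last = last + b"\x80" + bytes(N - len(last) - 1)
        d = 2
    return [(0, b) for b in blocks[:-1]] + [(d, last)]


def is_prefix(p, q) -> bool:
    return len(p) <= len(q) and q[:len(p)] == p


def shift_left(x: bytes, bits: int) -> bytes:
    # d-bit left shift of an n-bit string, overflowing bits dropped (GCBC1 tweak).
    return ((int.from_bytes(x, "big") << bits) & MASK).to_bytes(N, "big")


def gf_double(x: bytes) -> bytes:
    # Multiplication by the primitive element a in GF(2^n), for TMAC's L2 = a . L1.
    # ASSUMPTION: reducing polynomial x^128 + x^7 + x^2 + x + 1 (not stated on the slides).
    v = int.from_bytes(x, "big") << 1
    if v > MASK:
        v ^= 0x87
    return (v & MASK).to_bytes(N, "big")


def gcbc(key: bytes, msg: bytes, h) -> bytes:
    # Slide 29: v0 = 0, u_i = h(d_i, v_{i-1}) xor M_i, v_i = E_K(u_i), tag = v_s.
    v = bytes(N)
    for d, m in pad(msg):
        v = E(key, xor(h(d, v), m))
    return v


def xcbc_h(l1: bytes, l2: bytes):
    # XCBC: h(0,x) = x, h(1,x) = L1 xor x, h(2,x) = L2 xor x (L1, L2 independent keys).
    return lambda d, x: x if d == 0 else xor(l1 if d == 1 else l2, x)


def tmac_h(l1: bytes):
    # TMAC: as XCBC, but L2 = a . L1 is derived instead of being an independent key.
    return xcbc_h(l1, gf_double(l1))


def gcbc1_h(d: int, x: bytes) -> bytes:
    # GCBC1: h(0,x) = x, h(1,x) = x<<1, h(2,x) = x<<2; no auxiliary key at all.
    return shift_left(x, d)


def gcbc1_mac(key: bytes, msg: bytes) -> bytes:
    # The slides define GCBC1 for messages of more than one block
    # (one-block messages are the job of GCBC2, not reproduced here).
    if len(msg) <= N:
        raise ValueError("GCBC1 is defined for messages longer than one block")
    return gcbc(key, msg, gcbc1_h)


if __name__ == "__main__":
    k, l1, l2 = os.urandom(N), os.urandom(N), os.urandom(N)  # constructed keys
    msg = b"constructed sample message of more than one block"
    print("XCBC :", gcbc(k, msg, xcbc_h(l1, l2)).hex())
    print("TMAC :", gcbc(k, msg, tmac_h(l1)).hex())
    print("GCBC1:", gcbc1_mac(k, msg).hex())
    # Two messages whose padded last blocks coincide (slide 23): the tweak d tells them apart.
    short, full = msg[:N + 10], msg[:N + 10] + b"\x80" + bytes(5)
    print("pad distinguishes short/full:", not is_prefix(pad(short), pad(full)))
```

The only difference between the three instances is h: the padding rule and the chain are shared, which is exactly what the GCBC theorem on slide 33 exploits. The last lines of the block exercise the "why two keys" case of slide 23: a short last block padded with 10* and a full last block with the same bytes receive different tweaks (d = 2 versus d = 1), so their padded forms are never prefixes of each other.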

35 GCBC2
One-block message M1:
|M1| < n-3 => d1 = 0, M'1 = M1 10^d; the tag is E_K(M1 10^d).
n-3 <= |M1| <= n, M1 = x1 y1 with |x1| = n-3 => d1 = d2 = 0, M'1 = x1 001, M*2 = y1* (y1 padded with 10^d); the figure shows two E_K calls, E_K(x1 001) and then E_K of its output XORed with y1 10^d.

36 GCBC2
Message M1 M2 ... Ms; δ is 1 or 2 depending on the size of Ms. We need to define M'1, M*s and d2. Figure: v0 = 0, u1 = M'1, and the chaining values v1, ..., v_{s-1} pass through << d2, ..., << δ before being XORed with the next block.
Two-block message M1 || M2, with M1 = x1 y1 (|y1| = 3):
y1 = 000 => M'1 = x1*, M*2 = M2, d1 = d2 = 0.
y1 != 000 => M'1 = M1, M*2 = M2, d1 = 0, d2 = δ.
More than two blocks:
y1 = 000 => d1 = 0, M'1 = x1*, d2 = 4, ..., ds = δ.
y1 != 000 => d1 = 0, M'1 = M1, d2 = 3, ..., ds = δ.

37 Comparison Study

38 Comparison table
Columns: Mode, #BC (block-cipher calls for an m-block message), Keys (total key length), Keysch (key schedules), security.
CBC: m, k, 1, prefix-free message space, σq
ECBC: m+1, 2k, 2, q^2
XCBC: k+2n, σq
TMAC: k+n
OMAC: m+1, *
GCBC1: m, *, σ^2
GCBC2

39 Timing comparison
Platform: Intel(R) Pentium(R) 4 CPU 3.60 GHz, 1GB RAM, AES as block cipher. Times in microseconds for message sizes 1-15 bytes, 16 bytes and 17-32 bytes.
XCBC: 43.7, 78.46
TMAC: 43.98, 44.05, 78.80
OMAC: 78.72, 113.80
GCBC1: 77.9, 77.92, 77.95
GCBC2: 43.58, 78.26, 78.37

40 Summary
We studied CBC-type MACs.
We viewed most CBC-type MACs in a common framework.
We studied the PRF-security of the generalized CBC.
We proposed two new efficient constructions and compared them with known constructions.
Questions and comments?

