
New Bounds for PMAC, TMAC, and XCBC Kazuhiko Minematsu and Toshiyasu Matsushima, NEC Corp. and Waseda University Fast Software Encryption 2007, March 26-28,


New Bounds for PMAC, TMAC, and XCBC
Kazuhiko Minematsu and Toshiyasu Matsushima, NEC Corp. and Waseda University
Fast Software Encryption 2007, March 26-28, Luxembourg City, Luxembourg

1 Introduction
 Message authentication code (MAC) from block ciphers (BCs)
 “BC-only” modes: no special function other than a block cipher. Ex.: Encrypted CBC-MAC (EMAC)

2 Security notion of MACs
 Advantage in distinguishing the MAC from a (keyed) random oracle (RO), , under chosen-plaintext attack (CPA)
 A small advantage implies a small MAC forgery probability
Note: we only consider information-theoretic security, but our results have simple computational counterparts.
 : number of queries
 : max. message length (in n-bit blocks)
 : total number of queried blocks
 can contain (but not vice versa)

3 Related works on EMAC
 Previous EMAC security bound is:
 when it is implemented with two n-bit uniform random permutations (URPs), and
(diagram: EMAC with two URPs [BR00])
Room for improvement?

4 Related works on EMAC (contd.)
 Bellare, Pietrzak, and Rogaway [BPR05]: is a function that grows very slowly with
Note: Pietrzak [P06] obtained a tighter bound for a range of parameters (much smaller than )
 If , the bound is roughly

5 Our contribution
 New security bounds for
   PMAC (a parallelizable MAC)
   TMAC and XCBC (successors of EMAC)
 Old: or
 New: for PMAC, and for TMAC & XCBC
 Compared with , from quadratic to (almost) linear degradation with respect to
 Compared with , better in most (but not all) cases

6 Analysis of PMAC

7 PMAC (Black-Rogaway [BR02], Rogaway [R04])
 Hashing with mask-encrypt-sum (PHASH)
 Still BC-only: the masks are generated with a few bit shifts and XORs
(diagram: PMAC, [R04] version with 128-bit block size; PHASH input)

8 Overview of old proof [R04]
 “Perfect” PMAC, using independent URPs, as an intermediate function
 Use the triangle inequality
(diagram: PMAC, Perfect PMAC, RO)
 Old bound: (also , as )

9 Overview of new proof
 A different intermediate function: the modified PMAC (MPMAC)
 PHASH + independent finalization
(diagram: PMAC, MPMAC, RO)

10 MPMAC vs. Random Oracle
 What we need is (a stronger form of) the differential probability of PHASH
 ... used for MPMAC vs. RO
 ... used for PMAC vs. MPMAC

11 Differential probability of PHASH
 A subset of input blocks may generate the same URP input
 An odd (even) collision involves an odd (even) number of input blocks
 Let denote odd collisions with non-zero URP inputs
 Then the critical event is , as it implies the sum = 0 or with probability 1 (as )
(diagram: even collision, odd collision)

12 Differential probability of PHASH (contd.)
 is at most
 Lemma 2: given , the PHASH sum is almost uniform (point probability is at most ) for any
 From Lemma 2, the advantage between MPMAC and RO is:

13 PMAC vs. MPMAC
 Four “good” events, defined as: the sets of URP inputs in PHASH and in the finalization (+ dummy mask for MPMAC) have no intersection
 Using Maurer’s method [M02], the advantage is at most the max. probability of the “bad” events in MPMAC, denoted by

14 New bound for PMAC
 Theorem 2: a careful analysis using Lemma 2 provides if
(diagram: MPMAC, PMAC, RO)

15 Comparison of new and old bounds
 New ( ) < old ( ) iff
 As long as there is a small (but not too small) fraction of long messages, the new bound is better
 Much better in some practical cases (e.g., all messages have similar lengths)
 Ex.: the new bound is 2^-32, the old bound is 2^-48 ~ 2^-16
   If 99.9% of the messages are one-block, the old bound is better
   If at least 1% of the messages are -block, the new bound is better (if we ignore constants)

16 Analysis of TMAC and XCBC

17 TMAC [KI03] and XCBC [BR00]
 Successors of EMAC
   Fewer BC calls (no double encryption)
   One BC key + one or two n-bit keys
 is independent of
(diagram: TMAC)
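To make the "BC-only" constructions of slides 7 and 17 concrete, the following is an added Python example, not code from the slides or from the authors. It implements a PMAC-shaped mask-encrypt-sum MAC (PHASH followed by one finalizing encryption), XCBC and TMAC over a constructed toy block cipher. Everything not stated on the slides is an assumption made here: the 6-round Feistel permutation stands in for E_K and carries no security claim of its own (use AES-128 for anything real); the PMAC mask schedule Delta_i = u^i·L with the distinct final mask u^-1·L is a simplified doubling schedule, not the Gray-code schedule of [R04]; the XCBC finalization (K2 for a complete last block, 10*-padding plus K3 otherwise) and the TMAC substitution (K2, K3) → (K2·u, K2) follow [BR00] and [KI03]; keys and messages are constructed sample values.

```python
"""
Constructed illustration of three block-cipher-only MAC shapes: a PMAC-style
mask-encrypt-sum hash (PHASH) with one finalizing encryption, XCBC [BR00]
and TMAC [KI03]. E_K is a toy Feistel permutation, NOT a real cipher, so the
file runs offline; substitute AES-128 for any real use.
"""
import hashlib

BLOCK = 16                      # n = 128 bits, matching the slides' PMAC example
_TOP = 1 << 128
_POLY = 0x87                    # x^128 + x^7 + x^2 + x + 1, reduced representation


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy cipher: truncated SHA-256 of (key, round, half).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for E_K: a 6-round Feistel network. It is a
    permutation on 128-bit blocks (the object the proofs model as a URP)
    but has no security claim of its own."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(6):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right


def gf_double(block: bytes) -> bytes:
    """Multiply by u (the field element x) in GF(2^128): one shift and one
    conditional XOR, i.e. the 'few bit shifts and XORs' of slide 7."""
    v = int.from_bytes(block, "big") << 1
    if v & _TOP:
        v = (v ^ _POLY) & (_TOP - 1)
    return v.to_bytes(BLOCK, "big")


def gf_halve(block: bytes) -> bytes:
    """Multiply by u^-1 in GF(2^128): the exact inverse of gf_double."""
    v = int.from_bytes(block, "big")
    v = ((v ^ _POLY) >> 1) | (_TOP >> 1) if v & 1 else v >> 1
    return v.to_bytes(BLOCK, "big")


def split_blocks(msg: bytes):
    """Return (leading full blocks, last block, last_block_is_complete).
    The empty message counts as a single incomplete (empty) last block."""
    if not msg:
        return [], b"", False
    blocks = [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]
    last = blocks.pop()
    return blocks, last, len(last) == BLOCK


def pad10(last: bytes) -> bytes:
    """10* padding: a single 1 bit, then zeros up to n bits."""
    return last + b"\x80" + b"\x00" * (BLOCK - len(last) - 1)


def pmac_style(k1: bytes, msg: bytes) -> bytes:
    """PMAC-shaped MAC. PHASH: Sigma = XOR_i E_K(M_i xor Delta_i) over all but
    the last block, every term independent of the others (parallelizable).
    Assumed mask schedule Delta_i = u^i * L, L = E_K(0^n) (simplification of
    [R04]'s Gray-code schedule). Finalization: a complete last block is XORed
    in together with the distinct mask u^-1 * L, an incomplete one is
    10*-padded and XORed in unmasked; the result is encrypted once."""
    L = toy_block_cipher(k1, bytes(BLOCK))
    blocks, last, complete = split_blocks(msg)
    sigma, mask = bytes(BLOCK), L
    for blk in blocks:
        mask = gf_double(mask)                      # Delta_i = u^i * L
        sigma = xor(sigma, toy_block_cipher(k1, xor(blk, mask)))
    sigma = xor(sigma, xor(last, gf_halve(L)) if complete else pad10(last))
    return toy_block_cipher(k1, sigma)


def xcbc(k1: bytes, k2: bytes, k3: bytes, msg: bytes) -> bytes:
    """XCBC [BR00]: CBC chaining under the single block-cipher key K1; before
    the final encryption the last block is XORed with K2 if complete, or
    10*-padded and XORed with K3 if not. No second encryption pass, which is
    the 'no double encryption' saving over EMAC on slide 17."""
    blocks, last, complete = split_blocks(msg)
    chain = bytes(BLOCK)
    for blk in blocks:                              # inherently sequential
        chain = toy_block_cipher(k1, xor(chain, blk))
    final_in = xor(last, k2) if complete else xor(pad10(last), k3)
    return toy_block_cipher(k1, xor(chain, final_in))


def tmac(k1: bytes, k2: bytes, msg: bytes) -> bytes:
    """TMAC [KI03]: XCBC with the pair (K2, K3) replaced by (K2 * u, K2),
    so one n-bit key suffices besides the block-cipher key."""
    return xcbc(k1, gf_double(k2), k2, msg)
```

The two sets of "URP inputs" that the good/bad events of slide 13 refer to are visible in `pmac_style`: the inputs to `toy_block_cipher` inside the loop (PHASH) and the single input in the final call (finalization); the proof's bad event is an intersection between them. In `xcbc` the chain value makes every call depend on the previous one, which is why its analysis reuses the CBC collision results of [BPR05] rather than the PHASH differential probability.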

18 Proof sketch for TMAC (XCBC is the same)
 Modified TMAC (MTMAC) and bad events similar to those for PMAC
 Adv. between TMAC and MTMAC is
   Much simpler analysis, due to the independence of
 Adv. between MTMAC and RO is the EMAC bound of [BPR05], i.e.,

19 New bounds for TMAC and XCBC
 Old bounds are or for [BR00][KI03][IK03s]
 Theorem 3: TMAC’s new bound is (XCBC’s bound is the same)
 Bound comparison is almost the same as in PMAC’s case, when the second term is negligible

20 Short comments on OMAC [IK03o]
 OMAC (aka CMAC) is a one-key CBC-MAC
   An improvement to TMAC and XCBC: the mask is or , where
 MOMAC and bad events are similarly defined
   However, the probabilities of some new bad events, such as , have to be evaluated; an extension of the CBC collision analysis of [BPR05] is needed (open problem)

21 Conclusion
 New bounds for PMAC, TMAC, and XCBC
   From quadratic to (almost) linear degradation with respect to the max. message length
 Future directions
   OMAC
   Further improvement (still far from the lower bound )

22 Thank you!

