Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Block-Cipher Mode of Operation for Parallelizable Message Authentication John Black University of Nevada, Reno, USA Phillip Rogaway University of California,

Publish Modified over 9 years ago

Similar presentations

Presentation on theme: "A Block-Cipher Mode of Operation for Parallelizable Message Authentication John Black University of Nevada, Reno, USA Phillip Rogaway University of California,"— Presentation transcript:

1 A Block-Cipher Mode of Operation for Parallelizable Message Authentication John Black University of Nevada, Reno, USA Phillip Rogaway University of California, Davis, USA and Chiang Mai University, Thailand EUROCRYPT – May 1, 2002 Amsterdam, The Netherlands

2 2 What is a MAC? Most MACs are deterministic—they need no nonce/state/IV/$ Stateless MACs are more practical AKAK MAC G : generate authentication tag  = MAC K ([IV,] M) G M.  BKBK MAC V : verify authentication tag MAC K (M,  ) V

3 3 The ACMA Model [GMR, BKR] MAC Oracle (K) M1M1 MAC K (M 1 ) Adversary M2M2 MAC K (M 2 ) MqMq MAC K (M q ) Adversary (M*,  * ) // forgery attempt

4 4 A Precise Definition We define the advantage of a “MAC adversary” A over a particular MAC algorithm M as We define the maximum advantage of any MAC adversary making at most q queries totaling at most m blocks as Our goal is to bound this quantity by a function in q and m which is “small” for “reasonable” values of q and m

5 5 CBC MAC (ANSI X9.19, FIPS 113, ISO 9797-1) Known to be secure for messages of one fixed length EKEK M1M1 EKEK EKEK M2M2 MmMm tag Uses d |M|/n e block cipher invocations Inherently sequential

6 6 Parallelizable MACs: Important? In some settings, MAC performance is paramount – Eg, a web server handling thousands of requests/sec Extracting parallelism is a simple way to achieve dramatic increases in performance – Algorithm design governs to what extent we can parallelize Parallelism is the only way to achieve extreme speeds in hardware or software No disadvantage provided we do not surrender too much serial efficiency

7 7 A First Attempt: XOR MAC Not a PRF c ¼ 2 times as many block cipher calls as CBC MAC [BGR 95] M[1]M[2]M[m] Nonce E K E K E K E K... + Tag kk k nn n n n-1

8 8 Protected Counter Sums A PRF variant of the XOR MAC [Be 99] M[1]M[2]M[m] F K... + E K E K E K S F K E K <0,S> Y[1] Y[m] Y[2] k kk n nn k k k k n Tag k

9 9 Gligor-Donescu MAC XOR MAC with better method for block offsets But no longer a PRF [GD 01] Nonce E K M[1]M[2]M[m] + R + 2R + mR E K E K E K  R Tag... X[1] X[m]X[2] Y[m] Y[2] Y[1]

10 10 PMAC: A Parallelizable MAC A Fully-Parallelizable VIL PRF: {0,1} *  {0,1} n Cannot distinguish PMAC K ( ¢ ) from a random function R( ¢ ) Can be used as a (stateless, deterministic) MAC Efficient – uses d |M|/n e block cipher calls, like basic CBC MAC – uses a single block cipher key – low session-startup cost: about one block cipher call – essentially endian neutral Simple – no n-bit addition or mod p operations—just xors and shifts – much simpler than any known Carter-Wegman MAC Provably Secure – if E is a secure block cipher then PMAC[E] is a good PRF

11 L Tag E K first  bits M[1]M[2]M[m-1] M[m]... E K E K Pad FullTag  2L  (m-1)L    E K if |M[m]| < n then 0 if |M[m]| = n then -L   ' possibly short nnn  PMAC K  -L L 2L 3L … as implicit on next slide

12 Definition of PMAC [E,  ] algorithm PMAC K ( M ) L(0) = E K (0) L(-1) = lsb(L(0)) ? (L(0) >> 1)  Const43 : (L(0) >>1) for i = 1, 2, … do L(i) = msb(L(i-1)) ? (L(i-1) << 1)  Const87 : (L(i-1) <<1) Partition M into M[1]... M[m] // each n bits, except M[m] may be shorter Offset = 0 for i=1 to m-1 do Offset = Offset  L(ntz(i))  =   E K (M[i]  Offset)  =   pad (M[m]) if |M[m]| = n then  =   L(-1) FullTag = E K (  ) Tag = first  bits of FullTag return Tag

13 [GGM, BKR] A PMAC K (x i ) PMAC K oracle xixi Rand func oracle, R R (x i ) xixi PMAC’s Security Security as a VIL PRF Adv prf (A) = Pr[A PMAC K = 1] – Pr[A R = 1]

14 Security as a FIL PRP [GGM, LR, BKR] B E K (x i ) Enciphering oracle E K xixi Rand perm oracle,   (x i ) Adv prp (B) = Pr[B E K = 1] – Pr[B  = 1] xixi Block-Cipher Security

15 15 PMAC Theorem To wrap up, it is a standard result that any  -bit-output PRF can be used as a MAC, where the forging probability will be at most Adv prf (A) + 2 -  Suppose  an adversary A that breaks PMAC[E] with: time = t total-num-of-blocks =  adv = Adv prf (A) Then  an adversary B that breaks block cipher E with: time  t num-of-queries   Adv prp (B)  Adv prf (A) –  2 / 2 n-1

16 Proof Idea M: M[1]M[2]M[3]M[m] M’: M’[1]M’[2]M’[3]M’[m’] M[2] M’[2] distinct M[2] M’[2] 2L Other Stuff X[2] X’[2] Y’[2] Y[2] tag   T T’    

17 17 PMAC as a PRF Structure Lemma and PMAC Theorem: Fix n,  ¸ 1. Let A be any adversary who asks q queries, these having an aggregate length of  blocks. Then where m 1 +  + m q = .

18 18 PMAC Performance (Serial) A moderately-optimized implementation of PMAC[AES] (Krovetz) runs in 18.4 cpb. Compare with 17.1 cpb for AES. – P3, C+assembly, gcc, 2KB, data in L1 cache Aggressively-optimized basic CBC MAC runs on a Pentium at 15.5 cpb [Lipmaa] – We guess that an aggressively-optimized PMAC[AES] should run at about 16.5 cpb.

19 PMAC XCBC XECB-MAC ({0,1} n ) m  |M| / nk1 xor {0,1}*   |M| / n  k + 2n1 xor {0,1}*   |M| / n  varies 1 xor 2 add {0,1}*   |M| / n  k3 xor CBC MAC [BR 00] [GD 00,01] [BR 02] Domain PRF Parallelizable / blk overhead MAC length (3 versions) Comparisons Key length

20 20 Implementation Effort ObjectEffort (John-Time) Basic CBC MAC30 mins XCBC1 hour PMAC3 hours OCB4 hours AES8 hours DES8 hours UMAC3 days

21 21 More Information on PMAC Visit the PMAC web page www.cs.ucdavis.edu/~rogaway/pmac Web page contains: Reference Code (by Ted Krovetz and me) Test Vectors FAQ Full version of the PMAC paper

Download ppt "A Block-Cipher Mode of Operation for Parallelizable Message Authentication John Black University of Nevada, Reno, USA Phillip Rogaway University of California,"

Similar presentations

MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.

MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012.

Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
1`` ```` ```` ```` ```` ```` ```` ```` ```` ```` `` AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University.

1`` ```` ```` ```` ```` ```` ```` ```` ```` ```` `` AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University.
Length-Doubling Ciphers and Tweakable Ciphers Haibin Zhang Computer Science Department University of California, Davis

Length-Doubling Ciphers and Tweakable Ciphers Haibin Zhang Computer Science Department University of California, Davis
Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.

Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.
25th Feb 2009FSE1 1 Fast and Secure CBC-type MACs National Institute of Standards and Technology Mridul Nandi

25th Feb 2009FSE1 1 Fast and Secure CBC-type MACs National Institute of Standards and Technology Mridul Nandi
New Bounds for PMAC, TMAC, and XCBC Kazuhiko Minematsu and Toshiyasu Matsushima, NEC Corp. and Waseda University Fast Software Encryption 2007, March 26-28,

New Bounds for PMAC, TMAC, and XCBC Kazuhiko Minematsu and Toshiyasu Matsushima, NEC Corp. and Waseda University Fast Software Encryption 2007, March 26-28,
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.

Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.
Goal Ensure integrity of messages, even in presence of

Goal Ensure integrity of messages, even in presence of
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
1 Message Integrity CS255 Winter ‘06. 2 Message Integrity Goal: provide message integrity. No confidentiality. –ex: Protecting public binaries on disk.

1 Message Integrity CS255 Winter ‘06. 2 Message Integrity Goal: provide message integrity. No confidentiality. –ex: Protecting public binaries on disk.
Slide 1 OCB: A Bock-Cipher Mode of Operation for Efficient Authenticated Encryption Phillip Rogaway UC Davis

Slide 1 OCB: A Bock-Cipher Mode of Operation for Efficient Authenticated Encryption Phillip Rogaway UC Davis
#1 EAX A two-pass authenticated encryption mode Mihir BellarePhillip RogawayDavid Wagner U.C. San Diego U.C. Davis and U.C. Berkeley Chiang Mai University.

#1 EAX A two-pass authenticated encryption mode Mihir BellarePhillip RogawayDavid Wagner U.C. San Diego U.C. Davis and U.C. Berkeley Chiang Mai University.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Foundations of Network and Computer Security J J ohn Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004.

Foundations of Network and Computer Security J J ohn Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004.
Foundations of Network and Computer Security J J ohn Black Lecture #7 Sep 11 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #7 Sep 11 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Similar presentations

Ads by Google