1 / 40

Fast and Secure CBC-type MACs

This talk provides an outline of CBC-type MACs, including a generalization of CBC-type MACs and new proposals such as GCBC1 and GCBC2. A comparison and summary of these MACs will also be discussed.

cparker
Download Presentation

Fast and Secure CBC-type MACs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Fast and Secure CBC-type MACs National Institute of Standards and Technology Mridul Nandi mridul.nandi@gmail.com FSE 1

  2. Outline of the talk • Introduction • Broad categories of known MACs • CBC-type MACs • Generalization of CBC-type MACs • New proposals: GCBC1 and GCBC2 • Comparison and Summary FSE 2

  3. Message Authentication Code Alice wants to send a message M. Bob should receive the same message and should know that only Alice can send the message. Alice Bob M Ideal Solution: Secure without noise channel FSE

  4. Message Authentication Code Alice wants to send a message M. Bob should receive the same message and should know that only Alice can send the message. Alice Bob M M M’ Statistical Noise Secure channel but with noise: d-error correcting code can be used if changing d-bits or more with probability almost 0. FSE

  5. M’ MACK T’’ ? T’’ = T’ Message Authentication Code Role of a successful attacker: Modify (M,T) s.t. T’ = MACK(M’), more precisely, . . . M Secret key : K Alice Bob MACK (M,T) (M’,T’) (M,T) T Human Noise : Oscar insecure channel with human noise FSE

  6. Forging MAC Role of a successful attacker: For adaptively chosen messages M1, M2, …, Mq, Oscar obtains their corresponding tags. Secret key : K M1 Alice Bob MACK M1,T1 M1 T1 Oscar FSE

  7. Forging MAC Role of a successful attacker: For adaptively chosen messages M1, M2, …, Mq, Oscar obtains their corresponding tags. Secret key : K M2 Alice Bob MACK M2,T2 M2 T2 Oscar FSE

  8. Forging MAC Role of a successful attacker: For adaptively chosen messages M1, M2, …, Mq, Oscar obtains their corresponding tags. Secret key : K Mq Alice Bob MACK Mq,Tq Mq Tq Oscar FSE

  9. Forging MAC Role of a successful attacker: For adaptively chosen messages M1, M2, …, Mq, Oscar obtains their corresponding tags. Finally he should be able to produce a valid message tag pair (M,T). If not then good MAC. Secret key : K M Alice Bob MACK M,T T Oscar FSE

  10. Distinguishing Attack Stronger security notion than forging (difficult for attackers, easier for designers). Popular in the security analysis. M1 Finally, Oscar has to distinguish T = (T1, … ,Tq) from a q-tuple of random strings. T1 MACK Oscar Mq Tq FSE

  11. PRF-Advnatage Definition prf-AdvMAC (O) = |PrK[O (T) =1 | MACK] - PrT[O (T) =1 | uniform T] | O is interacting with MACK/ random function prf-AdvMAC (q,t,…) = max prf-AdvMAC (O), maximum over all distinguishers O which makes at most q queries, runs in time t,… , etc. FSE

  12. A small domain PRF • Suppose, message size is less than 128 bits. • Apply an injective padding (e.g., 10d) • Compute T = AESK(M*), M* is the padded message • PRF/forgery-security depends on the corresponding security for AESK(.) • One may use any good compression function (instead of AES) with the chaining value as key FSE

  13. A small domain PRF 128 128 M10d tag AESK comp 512 M10d tag 256 256 K • Msg size at most 127-bits • Key-size 128, 256, etc. • Tag-size at most 128 • Msg size at most 511-bits • Key-size 256 or less • Tag-size at most 256 How one can authenticate for longer and variable length messages? FSE

  14. Braod Categories of MACs (arbitrary domain) • Universal Hash-based: with/without Nonce • Poly1305, UMAC, MMH, etc. • Block cipher based • Sequential (CBC-type): ECBC, XCBC, TMAC, OMAC, etc. • Parallel : PMAC, XOR, DAG-based-PRF, etc. • Hash function (also compression function) based • HMAC, NMAC, EMD, NI, sandwich-MD, variants of cascade etc. FSE

  15. (1) Universal Hash based MAC • PRF-security depends on PRF-security assumption of block-cipher or keyed compression function. • Usually very efficient in software • Some drawbacks: • Collision helps to find hash-key recovery attack and hence cheap multiple-forgery and key-recovery attack. • Some constructions are nonce-based: reuse of nonce makes them insecure. • Usually hash-key is large Hash-Key or • Should be generated from the underlying PRF or from some PRBG. FSE

  16. (2) Hash based MAC • PRF-security depends on PRF-security underlying keyed compression function. • Sometimes additional assumptions are required • (HMAC, KMDP require related key security, sandwich-MD requires PRF with key in message block, etc.) • Serves both Hash and MAC together. • Less PRF-security analysis for Keyed compression function than collision-security. FSE

  17. (3) Blockcipher based MAC • PRF-security depends on PRP-security of the underlying blockcipher. • PRP-security of blockcipher is widely studied • AES is so far good candidate for PRP • Sometimes MACs come with encryption (also called authentication encryption) • The talk is about this category FSE

  18. CBC: Block Cipher based MAC M2 M3 M1 EK EK EK tag • CBC MAC secure for prefix-free message space only. • Secure for fixed length • Length extension attack is valid for arbitrary domain FSE

  19. CBC: Block Cipher based MAC T1 + M1 M1 EK EK T1 T1 • CBC MAC secure for prefix-free message space only. • Secure for fixed length • Length extension attack is valid for arbitrary domain FSE

  20. ECBC: Encrypted CBC M2 M3 M1 Encrypted by same key K? Secure? EK EK EK EK EK tag FSE

  21. ECBC: Encrypted CBC 0 T+M1 M1 Encrypted by same key K? Not secure Length extension attack… If MACK(M1) = T then MACK(M1 0 (T +M)) = T M1 EK EK EK EK T EK T FSE

  22. ECBC: Encrypted CBC M2 M3 M1 Encrypted by key L? Secure? Yes Length extension attack is not possible EK EK EK EK tag EL tag FSE

  23. Block Cipher based MAC • XCBC: K, L1, L2 independent keys • TMAC: K, L1 independent keys, L2 = a . L1 • OMAC: L1 = a.EK(0), • L2 = a.L1 M3 10d if |M3| < n M3 if |M3| = n M*3 = M2 M*3 M1 L1/ L2 EK EK EK tag Why two keys? M*3 can be obtained from two different messages FSE

  24. Block Cipher based MAC • XCBC: K, L1, L2 independent keys • TMAC: K, L1 independent keys, L2 = a . L1 • OMAC: L1 = a.EK(0), • L2 = a.L1 M3 10d if |M3| < n M3 if |M3| = n M*3 = M2 M*3 M1 L1/ L2 EK EK EK tag Why two keys? M*3 can be obtained from two different messages Xor commutes each other FSE

  25. Block Cipher based MAC M2 M*3 M1 EK EK EK tag <<1 / << 2 Simple one/two-bit left shift operation is sufficient: GCBC1 Length ext attack is not valid for more than one message block A simple trick can handle single message blocks: GCBC2 FSE

  26. Block Cipher based MAC M2 M*3 M1 Any changes will effect h in a random manner Difficult to find collision on Final input EK EK EK tag h <<1 / << 2 Prevents extension attack Why secure? FSE

  27. Generalized CBC or GCBC FSE

  28. Prefix-free Function • A function pad: MsgSp  ([0..t] x B)+is called • prefix-free if for any distinct M and M’, pad(M) is not prefix of pad(M’). • MsgSp = {0,1}*, [0..t] = {0,1,…,t}, B = {0,1}n (message block space) • Example: pad(M) = 0 M1 0 M2 … d Ms is prefix-free where d = 1 if no padding, otherwise d = 2. FSE

  29. M = msg pad d1 M1 d2 M2 ds Ms u1 u2 us h h h EK EK EK v0 = 0 v1 vs-1 vs FSE

  30. Generalized CBC • h(d, x) a tweak, d = 0 => identity function, • di not completely controlled by attacker • d-bit shift of x, xor with key (auxiliary) • need some properties on both pad and h • pad is prefix-free and h is weakly universal. M2 M3 M1 EK EK EK tag d1=0 h h d3 d2 Msg pad M2 M3 d1 M1 d2 d3 FSE

  31. Generalized CBC Generalized CBC includes CBC, XCBC, TMAC, etc. XCBC and TMAC has prefix-free padding pad(M) = 0 M1 0 M2 … d Ms where d = 1 if no padding, o.w. d = 2. XCBC: h(1,x) = L1 + X, h(2,x) = L2 + X TMAC: h(1,x) = L1 + X, h(2,X) = a.L1 + X (a is a primitive element). GCBC1 (for more than one message blocks) has same padding rule with h(1,x) = x<<1 h(2,x) = x<<2 FSE

  32. Generalized CBC • h is called weakly universal if the followings are true. • Pr [h(d,R) = c] is negligible for all d • Pr [h(d,R) + h(d’,R) = c] is negligible for all d,d’ • Pr [h(d,0) + h(d’,0) = c] is negligible, for all d,d’ appear with the first block • Probability is computed over uniform distribution of R and (probably) auxiliary key (present in e.g., XCBC, TMAC, but in case of GCBC1 no auxiliary key) • One can prove that simple shift or rotation function is weakly universal, i.e., h(d,x) = x<<d or x<<<d FSE

  33. Generalized CBC Theorem: (GCBC main theorem) If the tweaking function h is weakly universal, pad is prefix-free and the underlying block cipher is PRP then the generalized CBC based on the padding rule pad with tweaking function h is PRF. FSE

  34. GCBC1 M1 M2 M3 M1 M2 M310* u1 u2 u3 u1 u2 u3 EK EK EK EK EK EK <<2 <<1 v0 v1 v2 v0 v1 v2 v3 v3 Last message block M3 is not complete Last message block M3 is complete FSE

  35. GCBC2 One-block message m1, |M1| < n-3  d1 = 0, M’1 = M110d n-3 ≤ |M1| ≤ n, M1 = x1 y1 , |x1| = n-3  d1= 0 = d2, M’1 = x1001, M*2 = y1* y110d x1001 EK EK M110d EK FSE

  36. GCBC2 M’1 M2 Ms-1 M*s Message: M1 M2 … Ms  is 1 or 2 depending on size of Ms. Need to define M’1 M*s and d2 v0 = 0n u1 u2 us-1 us EK EK EK EK v1 v2 vs--1 vs << <<d2 • message M1 || M2 , M1 = x1 y1 • y1 = 000  M’1 = x1* , M*2 = M2 , d1 = d2 = 0 • y1 ≠ 000  M’1 = m1 M*2 = M2 d1 = 0, d2= δ • More-than two blocks • Y1 = 000  d1 = 0, m’1 = x1*, d2= 4, …, ds= δ • Y1 ≠ 000  d1 = 0, m’1 = m1, d2= 3, …, ds= δ

  37. Comparison Study FSE

  38. FSE

  39. In the platform Intel(R) Pentium(R) 4 CPU 3.60 GHz, 1GB RAM • AES as Block cipher FSE

  40. Summary We study CBC-type MAC We view most of CBC-type in a common framework We study PRF-security of the generalized CBC We propose two new efficient constructions and compare with known constructions. Questions and Comments? FSE 40

More Related