## Fast and Secure CBC-type MACs


**Fast and Secure CBC-type MACs**
Mridul Nandi, National Institute of Standards and Technology, mridul.nandi@gmail.com. Talk given at FSE.

**Outline of the talk**
- Introduction
- Broad categories of known MACs
- CBC-type MACs
- Generalization of CBC-type MACs
- New proposals: GCBC1 and GCBC2
- Comparison and summary

**Message Authentication Code**
Alice wants to send a message M. Bob should receive the same message and should know that only Alice can have sent it.
- Ideal solution: a secure channel without noise (figure: Alice sends M, Bob receives M).
- Secure channel with statistical noise: Alice sends M, Bob receives M'. A d-error-correcting code can be used if changing d or more bits has probability almost 0.
- Insecure channel with "human noise" (Oscar): Alice and Bob share a secret key K. Alice sends (M, T) with T = MAC_K(M); Bob receives (M', T'), recomputes T'' = MAC_K(M') and checks T'' = T'. A successful attacker modifies (M, T) into a pair (M', T') with T' = MAC_K(M'); more precisely, he wins the forging game below.

**Forging MAC**
Role of a successful attacker: for adaptively chosen messages M1, M2, ..., Mq, Oscar obtains the corresponding tags T1, ..., Tq (figure: Oscar forwards each Mi to Alice's MAC_K and observes (Mi, Ti)). Finally he should be able to produce a valid message-tag pair (M, T) for a new message M, one he did not query. If he cannot, the MAC is good.
**Distinguishing Attack**
A stronger security notion than forging (harder for attackers, easier for designers), popular in security analysis. Oscar queries M1, ..., Mq and receives T1, ..., Tq; finally he has to distinguish T = (T1, ..., Tq) from a q-tuple of uniformly random strings.

**PRF-Advantage Definition**
prf-Adv_MAC(O) = | Pr_K[O(T) = 1 | T computed by MAC_K] - Pr_T[O(T) = 1 | T uniform] |, where the distinguisher O interacts either with MAC_K or with a random function.
prf-Adv_MAC(q, t, ...) = max prf-Adv_MAC(O), the maximum over all distinguishers O that make at most q queries, run in time t, etc.

**A small domain PRF**
- Suppose the message size is less than 128 bits.
- Apply an injective padding (e.g., 10^d).
- Compute T = AES_K(M*), where M* is the padded message.
- PRF/forgery security depends on the corresponding security of AES_K(.).
- One may use any good compression function instead of AES, with the chaining value as the key.
(figure: two instances. AES_K on M || 10^d: message size at most 127 bits, key size 128, 256, etc., tag size at most 128. A compression function with a 512-bit message input M || 10^d and a 256-bit chaining value as key K: message size at most 511 bits, key size 256 or less, tag size at most 256.)
How can one authenticate longer and variable-length messages?

**Broad Categories of MACs (arbitrary domain)**
- Universal-hash based, with or without nonce: Poly1305, UMAC, MMH, etc.
- Block-cipher based. Sequential (CBC-type): ECBC, XCBC, TMAC, OMAC, etc. Parallel: PMAC, XOR-MAC, DAG-based PRF, etc.
- Hash-function (or compression-function) based: HMAC, NMAC, EMD, NI, sandwich-MD, variants of the cascade, etc.

**(1) Universal Hash based MAC**
- PRF-security depends on the PRF-security assumption for the block cipher or keyed compression function used to mask the hash.
- Usually very efficient in software.
- Some drawbacks:
  - A collision helps recover the hash key, and hence gives cheap multiple-forgery and key-recovery attacks.
  - Some constructions are nonce-based: reuse of a nonce makes them insecure.
  - Usually the hash key is large; it should be generated from the underlying PRF or from some PRBG.

**(2) Hash based MAC**
- PRF-security depends on the PRF-security of the underlying keyed compression function.
- Sometimes additional assumptions are required (HMAC and KMDP require related-key security, sandwich-MD requires a PRF with the key in the message block, etc.).
- Serves as both hash and MAC.
- Keyed compression functions have received less PRF-security analysis than collision-security analysis.

**(3) Blockcipher based MAC**
- PRF-security depends on the PRP-security of the underlying block cipher.
- PRP-security of block ciphers is widely studied; AES is so far a good PRP candidate.
- Sometimes MACs come together with encryption (authenticated encryption).
- This talk is about this category.

**CBC: Block Cipher based MAC**
(figure: M1, M2, M3 chained through E_K; the output of the last E_K is the tag.)
- CBC-MAC is secure for a prefix-free message space only.
- Secure for fixed-length messages.
- On an arbitrary domain the length-extension attack applies: if T1 = E_K(M1) is the tag of the one-block message M1, then the two-block message M1 || (T1 ⊕ M1) also has tag T1, because the second block cancels T1 at the input of the second E_K (figure: T1 ⊕ M1 fed after M1 gives T1 again).

**ECBC: Encrypted CBC**
(figure: CBC chain over M1, M2, M3, then one more block-cipher call on the result gives the tag.)
- Final encryption with the same key K: not secure. Length-extension attack: if MAC_K(M1) = T then MAC_K(M1 || 0^n || (T ⊕ M1)) = T, since the chaining value after the zero block is E_K(E_K(M1)) = T and the third block brings the chain back to E_K(M1), whose encryption is T.
- Final encryption with an independent key L: secure; the length-extension attack is not possible.

**Block Cipher based MAC**
(figure: M1, M2, M*3 chained through E_K; the final input is masked with L1 or L2 before the last E_K.)
- M*3 = M3 || 10^d if |M3| < n, and M*3 = M3 if |M3| = n.
- XCBC: K, L1, L2 are independent keys.
- TMAC: K, L1 are independent keys, L2 = a · L1.
- OMAC: L1 = a · E_K(0), L2 = a · L1.
- Why two keys? The same M*3 can be obtained from two different messages (a full last block, and a shorter last block whose padding equals it).
- Since XOR commutes, the mask only changes the final input to L1 ⊕ M*3 or L2 ⊕ M*3; the two cases now differ, which is what the two keys buy.

**Block Cipher based MAC**
(figure: M1, M2, M*3 chained through E_K; the chaining value entering the last block is shifted left by 1 or 2 bits.)
- A simple one- or two-bit left shift is sufficient: GCBC1.
- The length-extension attack is not valid for messages of more than one block.
- A simple trick can handle single-block messages: GCBC2.
- Why secure? Any change affects the tweaked chaining value h in a random manner, so it is difficult to find a collision on the final input, and this prevents the extension attack.

**Generalized CBC, or GCBC**

**Prefix-free Function**
- A function pad: MsgSp → ([0..t] × B)+ is called prefix-free if for any distinct M and M', pad(M) is not a prefix of pad(M').
- MsgSp = {0,1}*, [0..t] = {0, 1, ..., t}, B = {0,1}^n (the message block space).
- Example: pad(M) = (0, M1)(0, M2) ... (d, Ms) is prefix-free, where d = 1 if no padding was applied and d = 2 otherwise.

**Generalized CBC**
(figure: pad maps M to (d1, M1), (d2, M2), ..., (ds, Ms); v0 = 0, u_i = h(d_i, v_{i-1}) ⊕ M_i, v_i = E_K(u_i), tag = v_s.)
- h(d, x) is a tweak; d = 0 gives the identity function.
- d_i is not completely controlled by the attacker.
- Examples of h: a d-bit shift of x, or XOR with an auxiliary key.
- Some properties are needed on both pad and h: pad is prefix-free and h is weakly universal.

**Generalized CBC**
Generalized CBC includes CBC, XCBC, TMAC, etc. XCBC and TMAC use the prefix-free padding pad(M) = (0, M1)(0, M2) ... (d, Ms), where d = 1 if no padding was applied, otherwise d = 2.
- XCBC: h(1, x) = L1 ⊕ x, h(2, x) = L2 ⊕ x.
- TMAC: h(1, x) = L1 ⊕ x, h(2, x) = a · L1 ⊕ x (a is a primitive element).
- GCBC1 (for more than one message block) has the same padding rule with h(1, x) = x << 1 and h(2, x) = x << 2.

**Generalized CBC**
h is called weakly universal if the following hold:
- Pr[h(d, R) = c] is negligible for all d.
- Pr[h(d, R) ⊕ h(d', R) = c] is negligible for all distinct d, d'.
- Pr[h(d, 0) ⊕ h(d', 0) = c] is negligible for all d, d' that can appear with the first block.
- The probability is over the uniform distribution of R and, where present, the auxiliary key (XCBC and TMAC have one; GCBC1 has no auxiliary key).
- One can prove that a simple shift or rotation, h(d, x) = x << d or x <<< d, is weakly universal.

**Generalized CBC**
Theorem (GCBC main theorem): if the tweaking function h is weakly universal, pad is prefix-free and the underlying block cipher is a PRP, then the generalized CBC with padding rule pad and tweaking function h is a PRF.

**GCBC1**
(figure: two cases over M1, M2, M3 with v0 = 0, u1 = M1, v1 = E_K(u1), u2 = v1 ⊕ M2, v2 = E_K(u2), tag = v3 = E_K(u3). If the last block M3 is complete, u3 = (v2 << 1) ⊕ M3. If M3 is not complete, u3 = (v2 << 2) ⊕ (M3 || 10*).)

**GCBC2**
One-block message M1:
- If |M1| < n-3: d1 = 0 and M'1 = M1 || 10^d (a single block, one call to E_K).
- If n-3 ≤ |M1| ≤ n: write M1 = x1 || y1 with |x1| = n-3; then d1 = 0 = d2, M'1 = x1 || 001 and M*2 = y1* = y1 || 10^d (two blocks: E_K on x1 || 001, then E_K on the chaining value XOR y1 || 10^d).

**GCBC2**
Message M1 M2 ... Ms; δ is 1 or 2 depending on the size of Ms. We need to define M'1, M*s and d2 (figure: v0 = 0^n, u1 = M'1, u2, ..., u_{s-1}, u_s through E_K giving v1, v2, ..., v_{s-1}, v_s; the chaining value into the second block is shifted by d2 and the one into the last block by δ).
- Message M1 || M2 with M1 = x1 || y1:
  - y1 = 000: M'1 = x1*, M*2 = M2, d1 = d2 = 0.
  - y1 ≠ 000: M'1 = M1, M*2 = M2, d1 = 0, d2 = δ.
- More than two blocks:
  - y1 = 000: d1 = 0, M'1 = x1*, d2 = 4, ..., ds = δ.
  - y1 ≠ 000: d1 = 0, M'1 = M1, d2 = 3, ..., ds = δ.

**Comparison Study**
Platform: Intel(R) Pentium(R) 4 CPU 3.60 GHz, 1 GB RAM, with AES as the block cipher.

**Summary**
- We study CBC-type MACs.
- We view most CBC-type MACs in a common framework.
- We study the PRF-security of the generalized CBC.
- We propose two new efficient constructions and compare them with known constructions.
Questions and comments?
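The generalized-CBC framework of the talk, with the two extension attacks from the CBC and ECBC slides, the OMAC-style masks L1 = a · E_K(0), L2 = a · L1, and GCBC1's shift tweak, as an added Python example that is not part of the talk or of any reference implementation. Assumptions: `prp` is a constructed 4-round Feistel permutation built from SHA-256, standing in for AES (the attacks are structural, so any PRP shows them); the key and messages are constructed; multiplication by a in GF(2^128) follows the CMAC convention (reduction by x^128 + x^7 + x^2 + x + 1); GCBC2 is not implemented, so `gcbc1_mac` rejects one-block messages.

```python
import hashlib

N = 16            # block length in bytes (n = 128 bits)
ZERO = bytes(N)   # v0 = 0^n


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def prp(key, block):
    """Stand-in for AES_K: a 4-round Feistel permutation on 128-bit blocks with a
    SHA-256 round function (assumption: the code below only needs a PRP, so the
    attacks and constructions behave the same way with AES)."""
    left, right = block[:8], block[8:]
    for i in range(4):
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


def pad_prefix_free(msg):
    """The talk's prefix-free pad: a full last block gets d = 1, a short last
    block is padded with 10* and gets d = 2. Returns (blocks, d_last)."""
    if msg and len(msg) % N == 0:
        d = 1
    else:
        msg = msg + b"\x80" + bytes((-len(msg) - 1) % N)
        d = 2
    return [msg[i:i + N] for i in range(0, len(msg), N)], d


def gcbc(key, msg, h):
    """Generalized CBC: u_i = h(d_i, v_{i-1}) xor M_i, v_i = E_K(u_i), tag = v_s,
    with d_i = 0 for every block except the last one."""
    blocks, d_last = pad_prefix_free(msg)
    v = ZERO
    for i, m in enumerate(blocks):
        d = d_last if i == len(blocks) - 1 else 0
        v = prp(key, xor(h(d, v), m))
    return v


# Plain CBC-MAC and ECBC are generalized CBC with the identity tweak h(d, x) = x.
def cbc_mac(key, msg):
    return gcbc(key, msg, lambda d, x: x)


def ecbc_mac(key, final_key, msg):
    return prp(final_key, cbc_mac(key, msg))


def cbc_extension_forgery(m1, t1):
    """CBC slide: if T1 = E_K(M1) then CBC-MAC_K(M1 || (T1 xor M1)) = T1."""
    return m1 + xor(t1, m1), t1


def ecbc_same_key_forgery(m1, t):
    """ECBC slide, same key twice: MAC_K(M1) = T gives MAC_K(M1 || 0^n || (T xor M1)) = T."""
    return m1 + ZERO + xor(t, m1), t


# OMAC-style masks L1 = a.E_K(0), L2 = a.L1, with a = x in GF(2^128) (CMAC convention).
def gf_double(block):
    v = int.from_bytes(block, "big") << 1
    if v >> 128:
        v ^= (1 << 128) | 0x87   # reduce modulo x^128 + x^7 + x^2 + x + 1
    return v.to_bytes(N, "big")


def omac_mac(key, msg):
    l1 = gf_double(prp(key, ZERO))
    l2 = gf_double(l1)
    return gcbc(key, msg, lambda d, x: x if d == 0 else xor(x, l1 if d == 1 else l2))


# GCBC1: h(d, x) = x << d, a non-circular shift of the n-bit block, no auxiliary key.
def shift_left(d, block):
    return ((int.from_bytes(block, "big") << d) & ((1 << 128) - 1)).to_bytes(N, "big")


def gcbc1_mac(key, msg):
    if len(msg) <= N:
        raise ValueError("GCBC1 is for more than one block; GCBC2 covers one-block messages")
    return gcbc(key, msg, shift_left)


if __name__ == "__main__":
    key = bytes(range(16))           # constructed demo key, not a secret
    m1 = b"block one of msg"         # exactly one 128-bit block
    forged, tag = cbc_extension_forgery(m1, cbc_mac(key, m1))
    print("CBC-MAC accepts the extension forgery:", cbc_mac(key, forged) == tag)
    forged2, tag2 = ecbc_same_key_forgery(m1, ecbc_mac(key, key, m1))
    print("same-key ECBC accepts the forgery:", ecbc_mac(key, key, forged2) == tag2)
    print("GCBC1 accepts the CBC forgery:", gcbc1_mac(key, forged) == tag)
```

`cbc_mac`, `omac_mac` and `gcbc1_mac` differ only in the tweak passed to `gcbc`, which is the point of the framework: the padding rule is shared, and the final input is separated either by an auxiliary key (OMAC) or by a shift of the chaining value (GCBC1). Running the script shows both forgeries verifying against the unkeyed-tweak constructions and failing against GCBC1; the check against GCBC1 is a sanity test with one key, not the proof, which is the GCBC main theorem above.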