Fast and Secure CBC-type MACs. Mridul Nandi, National Institute of Standards and Technology. FSE, 25th Feb 2009. Presentation transcript.


1 Fast and Secure CBC-type MACs
Mridul Nandi, National Institute of Standards and Technology, mridul.nandi@gmail.com

2 Outline of the talk
- Introduction
- Broad categories of known MACs
- CBC-type MACs
- Generalization of CBC-type MACs
- New proposals: GCBC1 and GCBC2
- Comparison and summary

3 Message Authentication Code
Alice wants to send a message M. Bob should receive the same message and should know that only Alice can have sent it.
[Figure: Alice sends M to Bob.]
Ideal solution: a secure channel without noise.

4 Message Authentication Code
Alice wants to send a message M. Bob should receive the same message and should know that only Alice can have sent it.
[Figure: Alice sends M; statistical noise on the channel delivers M' to Bob.]
Secure channel but with noise: a d-error-correcting code can be used if the probability of d or more bits changing is almost 0.

5 Message Authentication Code
Insecure channel with human noise: Oscar.
[Figure: Alice and Bob share a secret key K. Alice computes T = MAC_K(M) and sends (M, T); Oscar may replace it with (M', T'); Bob computes T'' = MAC_K(M') and checks whether T'' = T'.]
Role of a successful attacker: modify (M, T) such that T' = MAC_K(M'); more precisely, ...

6 Forging MAC
[Figure: Oscar submits M_1 to MAC_K (held by Alice) and obtains T_1.]
Role of a successful attacker: for adaptively chosen messages M_1, M_2, ..., M_q, Oscar obtains their corresponding tags.

7 Forging MAC
[Figure: Oscar submits M_2 and obtains T_2.]
Role of a successful attacker: for adaptively chosen messages M_1, M_2, ..., M_q, Oscar obtains their corresponding tags.

8 Forging MAC
[Figure: Oscar submits M_q and obtains T_q.]
Role of a successful attacker: for adaptively chosen messages M_1, M_2, ..., M_q, Oscar obtains their corresponding tags.

9 Forging MAC
[Figure: Oscar finally sends (M, T) to Bob, who verifies it with MAC_K.]
Role of a successful attacker: for adaptively chosen messages M_1, M_2, ..., M_q, Oscar obtains their corresponding tags. Finally he should be able to produce a new valid message-tag pair (M, T). If he cannot, the MAC is good.

10 Distinguishing Attack
A stronger security notion than forging (harder for attackers, easier for designers). Popular in security analysis.
[Figure: Oscar queries M_1, ..., M_q to MAC_K and receives T_1, ..., T_q.]
Finally, Oscar has to distinguish T = (T_1, ..., T_q) from a q-tuple of random strings.

11 PRF-Advantage
Definition: prf-Adv_MAC(O) = | Pr_K[O(T) = 1 | MAC_K] - Pr_T[O(T) = 1 | uniform T] |, where the distinguisher O interacts either with MAC_K or with a random function.
prf-Adv_MAC(q, t, ...) = max prf-Adv_MAC(O), the maximum over all distinguishers O that make at most q queries, run in time t, etc.

12 A small domain PRF
Suppose the message size is less than 128 bits.
- Apply an injective padding (e.g., 10^d).
- Compute T = AES_K(M*), where M* is the padded message.
- PRF/forgery security depends on the corresponding security of AES_K(.).
One may use any good compression function (instead of AES) with the chaining value as key.

13 A small domain PRF
[Figure, left: AES_K applied to M || 10^d gives a 128-bit tag. Message size at most 127 bits, key size 128, 256, etc., tag size at most 128 bits.]
[Figure, right: a compression function comp_K with 512-bit input and 256-bit output applied to M || 10^d gives the tag. Message size at most 511 bits, key size 256 or less, tag size at most 256 bits.]
How can one authenticate longer and variable-length messages?

14 Broad Categories of MACs (arbitrary domain)
- Universal hash based, with/without nonce: Poly1305, UMAC, MMH, etc.
- Block cipher based. Sequential (CBC-type): ECBC, XCBC, TMAC, OMAC, etc. Parallel: PMAC, XOR, DAG-based PRF, etc.
- Hash function (also compression function) based: HMAC, NMAC, EMD, NI, sandwich-MD, variants of cascade, etc.

15 (1) Universal Hash based MAC
PRF-security depends on the PRF-security assumption of the block cipher or keyed compression function. Usually very efficient in software.
Some drawbacks:
- A collision helps to mount a hash-key recovery attack, and hence cheap multiple-forgery and key-recovery attacks.
- Some constructions are nonce-based: reuse of a nonce makes them insecure.
- Usually the hash key is large. The hash key should be generated from the underlying PRF or from some PRBG.

16 (2) Hash based MAC
PRF-security depends on the PRF-security of the underlying keyed compression function. Sometimes additional assumptions are required (HMAC and KMDP require related-key security, sandwich-MD requires a PRF with the key in the message block, etc.).
Serves as both hash and MAC together.
There is less PRF-security analysis of keyed compression functions than collision-security analysis.

17 (3) Blockcipher based MAC
PRF-security depends on the PRP-security of the underlying block cipher. PRP-security of block ciphers is widely studied; AES is so far a good candidate for a PRP.
Sometimes MACs come together with encryption (also called authenticated encryption).
This talk is about this category.

18 CBC: Block Cipher based MAC
[Figure: CBC chain. E_K is applied to M_1, then to (output + M_2), then to (output + M_3); the last output is the tag.]
CBC MAC is secure for a prefix-free message space only.
- Secure for fixed length.
- The length extension attack is valid for an arbitrary domain.

19 CBC: Block Cipher based MAC
[Figure: CBC MAC of the one-block message M_1 gives T_1; the two-block message M_1 || (T_1 + M_1) also gives T_1, because the second block cipher input is T_1 + T_1 + M_1 = M_1.]
CBC MAC is secure for a prefix-free message space only.
- Secure for fixed length.
- The length extension attack is valid for an arbitrary domain.

20 ECBC: Encrypted CBC
[Figure: CBC chain over M_1, M_2, M_3 with E_K; the final chaining value is encrypted once more with E_K to give the tag.]
Encrypted by the same key K? Secure?

21 ECBC: Encrypted CBC
[Figure: MAC of M_1 is T = E_K(E_K(M_1)). The chain over M_1 || 0 || (T + M_1) produces E_K(M_1), then T, then E_K(M_1) again, and the final encryption gives T.]
Encrypted by the same key K? Not secure. Length extension attack: if MAC_K(M_1) = T then MAC_K(M_1 || 0 || (T + M_1)) = T, where 0 is the zero block.

22 ECBC: Encrypted CBC
[Figure: the same chain with E_K, but the final chaining value is encrypted with an independent key L (E_L) to give the tag.]
Encrypted by key L? Secure? Yes. The length extension attack is not possible.

23 Block Cipher based MAC
[Figure: CBC chain over M_1, M_2 and the last block M*_3 with E_K; the key L1 or L2 is XORed into the input of the last block cipher call; the output is the tag.]
1. XCBC: K, L1, L2 independent keys
2. TMAC: K, L1 independent keys, L2 = a.L1
3. OMAC: L1 = a.E_K(0), L2 = a.L1
M*_3 = M_3 || 10^d if |M_3| < n, and M*_3 = M_3 if |M_3| = n.
Why two keys? M*_3 can be obtained from two different messages.

24 Block Cipher based MAC
[Figure: the same chain, with L1 / L2 XORed into the last chaining value instead of into M*_3.]
1. XCBC: K, L1, L2 independent keys
2. TMAC: K, L1 independent keys, L2 = a.L1
3. OMAC: L1 = a.E_K(0), L2 = a.L1
The XORs commute with each other, so the key can equally be XORed into the chaining value.
Why two keys? M*_3 can be obtained from two different messages (a complete last block, or a shorter one padded with 10^d), and the choice of L1 or L2 keeps the two cases apart.

25 Block Cipher based MAC
[Figure: the same chain, with the last chaining value shifted left by one or two bits (<<1 / <<2) instead of XORing a key.]
a) A simple one- or two-bit left shift operation is sufficient: GCBC1.
b) The length extension attack is not valid for more than one message block.
c) A simple trick can handle single message blocks: GCBC2.

26 Block Cipher based MAC
[Figure: the same chain; the tweak h is applied to the chaining value before the final block cipher call.]
Why secure? It is difficult to find a collision on the final input: any change affects h in a random manner, and h prevents the extension attack.

27 Generalized CBC or GCBC

28 Prefix-free Function
A function pad: MsgSp -> ([0..t] x B)^+ is called prefix-free if for any distinct M and M', pad(M) is not a prefix of pad(M').
MsgSp = {0,1}*, [0..t] = {0, 1, ..., t}, B = {0,1}^n (message block space).
Example: pad(M) = (0, M_1) (0, M_2) ... (d, M_s) is prefix-free, where d = 1 if no padding was applied to M_s, otherwise d = 2.

29 [Figure: generalized CBC. pad(M) = (d_1, M_1), (d_2, M_2), ..., (d_s, M_s); v_0 = 0; for each i, u_i = h(d_i, v_{i-1}) + M_i and v_i = E_K(u_i); the last output v_s is the tag.]

30 Generalized CBC
[Figure: pad maps Msg to (d_1, M_1), (d_2, M_2), (d_3, M_3) with d_1 = 0; the chain applies h with d_2 and d_3 to the chaining values before E_K; the last output is the tag.]
1. h(d, x) is a tweak; d = 0 gives the identity function; d_i is not completely controlled by the attacker.
2. Examples: a d-bit shift of x, or XOR with an (auxiliary) key.
3. Some properties are needed on both pad and h: pad is prefix-free and h is weakly universal.

31 Generalized CBC
Generalized CBC includes CBC, XCBC, TMAC, etc.
XCBC and TMAC have the prefix-free padding pad(M) = (0, M_1) (0, M_2) ... (d, M_s), where d = 1 if no padding, otherwise d = 2.
- XCBC: h(1, x) = L1 + x, h(2, x) = L2 + x
- TMAC: h(1, x) = L1 + x, h(2, x) = a.L1 + x (a is a primitive element)
- GCBC1 (for more than one message block) has the same padding rule with h(1, x) = x << 1 and h(2, x) = x << 2.

32 Generalized CBC
h is called weakly universal if the following hold:
(1) Pr[h(d, R) = c] is negligible for all d;
(2) Pr[h(d, R) + h(d', R) = c] is negligible for all d, d';
(3) Pr[h(d, 0) + h(d', 0) = c] is negligible for all d, d' that appear with the first block.
The probability is computed over the uniform distribution of R and (where present) of the auxiliary key (present in, e.g., XCBC and TMAC; GCBC1 has no auxiliary key).
One can prove that a simple shift or rotation function is weakly universal, i.e., h(d, x) = x << d or x <<< d.
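A worked sketch, added here and not part of the slides, of why the left shift h(d, x) = x << d satisfies conditions (1) and (2) for R uniform on {0,1}^n. As on the slides, + denotes XOR; condition (2) is only meaningful for distinct d < d', since for d = d' the sum is identically 0.

$$\Pr_R[\,R \ll d = c\,] \le 2^{-(n-d)}$$

because $R \ll d$ consists of the $n-d$ low bits of $R$, which are uniform, followed by $d$ zero bits; the event requires those $n-d$ bits to match the top $n-d$ bits of $c$, and is impossible unless the low $d$ bits of $c$ are $0$. For $d < d'$ write $y = R \ll d$ and $k = d' - d$:

$$(R \ll d) \oplus (R \ll d') = y \oplus (y \ll k).$$

Bit $i$ of $y \ll k$ is bit $i-k$ of $y$ (and $0$ for $i < k$), so the equation $y \oplus (y \ll k) = c$ determines $y$ bit by bit from the least significant bit upward: $y \mapsto y \oplus (y \ll k)$ is a bijection on $\{0,1\}^n$ and exactly one $y_0$ solves it. Hence

$$\Pr_R[\,h(d,R) \oplus h(d',R) = c\,] = \Pr_R[\,R \ll d = y_0\,] \le 2^{-(n-d)}.$$

For GCBC1, $d \le 2$, so both probabilities are at most $2^{-(n-2)}$, negligible for $n = 128$.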

33 Generalized CBC
Theorem (GCBC main theorem): if the tweaking function h is weakly universal, pad is prefix-free and the underlying block cipher is a PRP, then the generalized CBC based on the padding rule pad with tweaking function h is a PRF.

34 GCBC1
[Figure, top: the last message block M_3 is complete. u_1 = M_1, v_1 = E_K(u_1); u_2 = v_1 + M_2, v_2 = E_K(u_2); u_3 = (v_2 << 1) + M_3, and v_3 = E_K(u_3) is the tag.]
[Figure, bottom: the last message block M_3 is not complete. Same chain, but u_3 = (v_2 << 2) + (M_3 || 10*).]
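The generalized CBC chain of slides 28 to 34, instantiated as GCBC1, as an added example that is not code from the talk or the paper. It assumes a stand-in 128-bit block cipher (a 4-round Feistel network with HMAC-SHA256 round functions, used only so the example runs without an AES library), the prefix-free padding rule of slide 31, and the shift tweak h(d, x) = x << d.

```python
import hashlib
import hmac

N_BYTES = 16  # block size n = 128 bits, as in the AES setting of the talk
MASK = (1 << (8 * N_BYTES)) - 1


def prp(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K (assumed, not the talk's AES): a 4-round Feistel
    network with HMAC-SHA256 round functions, which is a keyed permutation."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def h_shift(d: int, x: bytes) -> bytes:
    """Tweak h(d, x) = x << d on n bits (top d bits dropped); d = 0 is the identity."""
    return ((int.from_bytes(x, "big") << d) & MASK).to_bytes(N_BYTES, "big")


def pad_gcbc1(msg: bytes) -> list:
    """Prefix-free padding pad(M) = (0, M_1) (0, M_2) ... (d, M_s) of slide 31:
    d = 1 if the last block is complete, d = 2 if it had to be padded with 10*."""
    blocks = [msg[i:i + N_BYTES] for i in range(0, len(msg), N_BYTES)]
    last = blocks[-1]
    if len(last) == N_BYTES:
        d_last = 1
    else:
        d_last = 2
        blocks[-1] = last + b"\x80" + b"\x00" * (N_BYTES - len(last) - 1)
    return [(0, b) for b in blocks[:-1]] + [(d_last, blocks[-1])]


def generalized_cbc(key: bytes, padded: list, h) -> bytes:
    """Slide 29 chain: v_0 = 0^n, u_i = h(d_i, v_{i-1}) xor M_i, v_i = E_K(u_i), tag = v_s.
    With every d_i = 0 this is plain CBC MAC (secure only for prefix-free inputs)."""
    v = bytes(N_BYTES)
    for d, m in padded:
        v = prp(key, xor(h(d, v), m))
    return v


def gcbc1_mac(key: bytes, msg: bytes) -> bytes:
    """GCBC1: generalized CBC with pad_gcbc1 and the shift tweak, for messages
    of more than one block (single-block messages are the job of GCBC2)."""
    if len(msg) <= N_BYTES:
        raise ValueError("GCBC1 as stated on the slides covers more than one block")
    return generalized_cbc(key, pad_gcbc1(msg), h_shift)
```

A 31-byte message and the 32-byte message obtained by appending the byte 0x80 pad to the same block sequence; only the tweak of the last block (<<2 versus <<1) keeps their tags apart.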

35 GCBC2
One-block message M_1:
- |M_1| < n-3: d_1 = 0, M'_1 = M_1 || 10^d. [Figure: a single E_K call on M_1 || 10^d gives the tag.]
- n-3 ≤ |M_1| ≤ n, M_1 = x_1 || y_1 with |x_1| = n-3: d_1 = 0 = d_2, M'_1 = x_1 || 001, M*_2 = y_1* (y_1 || 10^d in the figure). [Figure: E_K on x_1 || 001, then E_K on (output + y_1 || 10^d) gives the tag.]

36 GCBC2
[Figure: v_0 = 0^n; u_1 = M'_1, v_1 = E_K(u_1); u_2 = (v_1 << d_2) + M_2, v_2 = E_K(u_2); ...; u_s = (v_{s-1} << δ) + M*_s, and v_s = E_K(u_s) is the tag.]
Message M_1 M_2 ... M_s; δ is 1 or 2 depending on the size of M_s. Need to define M'_1, M*_s and d_2.
1. Message M_1 || M_2, M_1 = x_1 || y_1:
- y_1 = 000: M'_1 = x_1*, M*_2 = M_2, d_1 = d_2 = 0
- y_1 ≠ 000: M'_1 = M_1, M*_2 = M_2, d_1 = 0, d_2 = δ
2. More than two blocks:
- y_1 = 000: d_1 = 0, M'_1 = x_1*, d_2 = 4, ..., d_s = δ
- y_1 ≠ 000: d_1 = 0, M'_1 = M_1, d_2 = 3, ..., d_s = δ

37 Comparison Study

38 Comparison for an m-block message (#BC: number of block cipher calls; Keys: key size; Keysch: number of key schedules)
Mode    #BC    Keys    Keysch    Security
CBC     m      k       1         σq (prefix-free message space only)
ECBC    m+1    2k      2         q^2
XCBC    m      k+2n    1         σq
TMAC    m      k+n     1         σq
OMAC    m+1*   k       1         σq
GCBC1   m*     k       1         σ^2
GCBC2   m*     k       1         σ^2

39 Timing in microseconds per message, by message size. Platform: Intel(R) Pentium(R) 4 CPU 3.60 GHz, 1 GB RAM, AES as the block cipher.
Mode     1-15 bytes   16 bytes   17-32 bytes
XCBC     43.7         (not given) 78.46
TMAC     43.98        44.05      78.80
OMAC     78.72        78.80      113.80
GCBC1    77.9         77.92      77.95
GCBC2    43.58        78.26      78.37

40 Summary
- We study CBC-type MACs.
- We view most CBC-type MACs in a common framework.
- We study the PRF-security of the generalized CBC.
- We propose two new efficient constructions and compare them with known constructions.
Questions and comments?

