Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.

Published byShavonne Heath Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore."— Presentation transcript:

1 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore

2 2 Outline Introduction to modes of operation and to provable security Recent work on MAC (CRYPTO 2011) Recent work on indifferentiability (Eurocrypt 2011) Some thoughts on MACs and on indifferentiability

3 3 Introduction

4 4 Modes of operation (domain extension type) We only have “small” primitive (block cipher, compression function) Small primitives have fixed-length input To process large data, we need to iterate our small primitives in some way Modes of operation are constructions that specify how to iterate our small primitives

5 5 Examples data CBC-MAC data fff f Mekle-Damgård

6 6 Provable security Want to prove:  Our construction is secure (in some sense) if the underlying small primitive is secure (in some sense) Steps 1. Make an assumption about the security of the small primitive (The notion of security depends on the definition) 2. Reduce the security of the entire construction to that of the underlying primitive

7 7 Examples CBC-MAC  If the underlying block cipher is a secure pseudo-random permutation, then its CBC-MAC mode is a secure MAC Merkle-Damgård construction  If the underlying compression function is collision-resistant, then the entire Merkle- Damgård hash function is also collision- resistant

8 8 Outline Introduction to modes of operation and to provable security Recent work on MAC (CRYPTO 2011) Recent work on indifferentiability (Eurocrypt 2011) Some thoughts on MACs and on indifferentiability

9 9 “A new variant of PMAC: Beyond the birthday bound” (CRYPTO 2011)

10 10 Introduction MAC (Message Authentication Code)  Symmetric-key primitive  Input: a secret key and (possibly large) data  Output: a fixed-length value (called tag)  Used for integrity check of data data (message) secret key Tag (64-bit, 128-bit, etc.)

11 11 4 ways to make a MAC 1. design from scratch (dedicated MAC) 2. use a cryptographic hash function (e.g., HMAC) 3. use a universal hash function 4. use a block cipher (e.g., CMAC, PMAC)

12 12 4 ways to make a MAC 1. design from scratch (dedicated MAC) 2. use a cryptographic hash function (e.g., HMAC) 3. use a universal hash function 4. use a block cipher (e.g., CMAC, PMAC) This work

13 13 Blockcipher-based MACs (2 types of iteration) data CBC data PMAC data mask Mask needs to be updated at each iteration

14 14 CBC vs. PMAC CBCPMAC SequentialParallelizable Only XORRequires mask update and XOR

15 15 Why PMAC? PMAC seems to have a structure easier to analyze (for security proofs) In fact, some of the proof techniques are not applicable to CBC iteration

16 16 Intuition behind the choice data mask $ $$$ $$$$ Order of execution does matter Can be executed in any order Easier to manipulate events and to evaluate probabilities

17 17 MAC security Unforgeability  Adversary (without knowing the key) should not be able to produce a valid tag for a new message Pseudo-random  Randomness implies unforgeability  If a MAC is a secure PRF (pseudo-random function), then it is also a secure MAC.

18 18 MAC security Unforgeability  Adversary (without knowing the key) should not be able to produce a valid tag for a new message Pseudo-random  Randomness implies unforgeability  If a MAC is a secure PRF (pseudo-random function), then it is also a secure MAC. PRF-based MACs are “standard”

19 19 Birthday problems Ordinary MACs usually provide security only half the block size (n bit) of the underlying cipher For n-bit cipher, only 2^(n/ 2) security For n = 64, 2^32 blocks = 32GBytes 64-bit block ciphers? Triple-DES, HIGHT, PRESENT, LED,... n-bit security 0.5n-bit security

20 20 2 diffenent birthday problems exist for block-cipher-based MACs Birthday attacks on iterated MACs  Existential forgery is possible on any iterated MACs after 2^(n/2) queries (n the state size)  For CBC-type MACs, even universal forgery is possible PRP – PRF switching lemma  PRP – pseudo-random permutation  A (pseudo-random) permutation can be considered as a function only up to 2^(n/2) queries

21 21 Security result The new construction achieves 2^(2n/3) security  For n = 64, 2^42.7 blocks = 51TBytes The new MAC is a secure PRF based on the assumption that the underlying block cipher is a secure PRP  Avoid using PRP-PRF switching lemma

22 22 ISO 9797 (The only) previous construction that achieves security beyond the birthday bound  Achieves (Slightly worse than) 2^(2n/3) security  Rate-1/2 construction, twice as slow (as CMAC, PMAC)

23 23 ISO 9797 – sum of two CBC MACs Requires 2 encryptions to process a block Block iBlock i+1Block i+2 Block iBlock i+1Block i+2 Different keys

24 24 Solution – basic idea Want rate-1 construction; only 1 encryption per block...

25 25 Solution – basic idea Want rate-1 construction; only 1 encryption per block... Double everything but block cipher calls

26 26 Original PMAC data mask tag finalization

27 27 Doubling the masking data mask0 tag finalization mask1

28 28 Doubling the state data mask0 tag finalization mask1 mult. by 2

29 29 mult. by 2 Doubling the finalization data mask0 tag finalization mask1

30 30 mult. by 2 The new construction data mask0 tag finalization mask1

31 31 Open problem: 1-key construction mult. by 2 data mask0 tag finalization mask1 These 2 keys can be made the same by tweaking here (e.g., mult. by 2)... But still a 2-key construction

32 32 Open problem: Full 2^n security Tripling everything instead of doubling  Possibly 2^(3n/4) security, but not 2^n  4 times, 5 times,... would result in 2^(4n/5), 2^(5n/6) security (at best)  May call them still rate-1, but more and more inefficient The 2^(2n/3) bound may not be tight  No attacks (of this complexity) known  The proofs may be improved

33 33 Outline Introduction to modes of operation and to provable security Recent work on MAC (CRYPTO 2011) Recent work on indifferentiability (Eurocrypt 2011) Some thoughts on MACs and on indifferentiability

34 34 Ristenpart, Shacham and Shrimpton: “Careful with composition: Limitation of indifferentiability and …” (Eurocrypt 2011)

35 35 Indifferentiability Introduced by Maurer, Renner, and Holenstein (TCC2004) Notion of security stronger than indistinguishability / pseudo-randomness The adversary has oracle access to (internal) small components as well as the entire scheme

36 36 Indifferentiability and (keyless) hash functions The indifferentiability framework was applied to modes of operation for keyless hash functions Coron, Dodis, Malinaud and Puniya CRYPTO 2005 Secure (indifferentiable) hash constructions:  If the compression function is ideal (random), then so is the entire hash function

37 37 Composability Suppose you have a cryptographic system which is secure in the random oracle model (Interpretation) Composability says:  The random oracle can be safely replaced (instantiated) with an indifferentiable hash function  The system with the indifferentiable hash must be secure if the internal compression function is ideal

38 38 “Counterexample” (Ristenpart et al. Eurocrypt 2011) Hash-based storage auditing 1. Client sends a random challenge C to the server 2. Server proves possession of the file M by computing and sending Z <- Hash(M|C) Secure if Hash is a random oracle

39 39 chopMD―Indifferentiable hash Proven by Coron, Dodis, Malinaud and Puniya at CRYPTO 2005 IV X[1]X[2]X[3]X[m] Hash value d bits n bits Truncated to n/2 bits (d > n) ffff

40 40 “Counterexample” (again) Hash-based storage auditing 1. Client sends a random challenge C to the server 2. Server proves possession of the file M by computing and sending Z <- Hash(M|C) Insecure if Hash is chopMD

41 41 The server can: -forget M, store Y instead -on challenge C, return f(Y,C) (truncated) We have f(Y,C) (truncated) = Z How to cheat Hash(M|C) -> Z IV M C Z d bits n bits Truncated to n/2 bits (d > n) Y ff chopMD insecure?

42 42 What is going on? Ristenpart et al. showed that the composability of indifferentiability may not hold true for security notions with multistage adversaries Seems quite difficult to find a “good” solution to fix the problem Limitation of the indifferentiability framework

43 43 Outline Introduction to modes of operation and to provable security Recent work on MAC (CRYPTO 2011) Recent work on indifferentiability (Eurocrypt 2011) Some thoughts on MACs and on indifferentiability

44 44 Some thoughts on MACs and on indifferentiability

45 45 MACs: Three notions of security Unforgeable (minimum requirement) MAC-secure pseudo-random (“standard”) PRF (pseudo-random function) Indifferentiable (strongest)  The notion makes perfect sense in the secret-key setting  Indifferentiability is not only for keyless hash functions

46 46 MACs: Provable security Assumptions about block cipher / compression function MAC-secure PRF / PRP Goals of MAC scheme MAC-secure PRF Indifferentiable MAC construction PRF construction Indifferentiable construction

47 47 Some observations PRF construction MAC construction Indifferentiable construction Most PRF constructions are -efficient, and -insecure if state values leaked -Many common constructions -Only inefficient ones known -“transparent”―some security against side-channel attacks Connection? Gap?

48 48 Conclusion The application of indifferentiability is not limited to keyless hash functions Indifferentiability might be related to MAC security (unforgeability) in some way

49 49 Thank you

Download ppt "1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore."

Similar presentations

Merkle Damgard Revisited: how to Construct a hash Function

Merkle Damgard Revisited: how to Construct a hash Function
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Cryptographic Hash Functions Rocky K. C. Chang, February 2013 1.

Cryptographic Hash Functions Rocky K. C. Chang, February
Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.

Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.
New Bounds for PMAC, TMAC, and XCBC Kazuhiko Minematsu and Toshiyasu Matsushima, NEC Corp. and Waseda University Fast Software Encryption 2007, March 26-28,

New Bounds for PMAC, TMAC, and XCBC Kazuhiko Minematsu and Toshiyasu Matsushima, NEC Corp. and Waseda University Fast Software Encryption 2007, March 26-28,
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CMSC 456 Introduction to Cryptography

CMSC 456 Introduction to Cryptography
Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 19 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 19 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Foundations of Network and Computer Security J J ohn Black Lecture #8 Sep 15 th 2005 CSCI 6268/TLEN 5831, Fall 2005.

Foundations of Network and Computer Security J J ohn Black Lecture #8 Sep 15 th 2005 CSCI 6268/TLEN 5831, Fall 2005.
1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen.

1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Cryptographic Hashing: Blockcipher-Based Constructions, Revisited Tom Shrimpton Portland State University.

Cryptographic Hashing: Blockcipher-Based Constructions, Revisited Tom Shrimpton Portland State University.
Foundations of Network and Computer Security J J ohn Black Lecture #9 Sep 17 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #9 Sep 17 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Lecture 2: Message Authentication Anish Arora CSE5473 Introduction to Network Security.

Lecture 2: Message Authentication Anish Arora CSE5473 Introduction to Network Security.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Message Authentication  message authentication is concerned with: protecting the integrity of a message protecting the integrity of a message validating.

Message Authentication  message authentication is concerned with: protecting the integrity of a message protecting the integrity of a message validating.
Hash Functions A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M) Principal object is.

Hash Functions A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M) Principal object is.
CS 4/585: Cryptography Tom Shrimpton FAB 120-04 725-5392.

CS 4/585: Cryptography Tom Shrimpton FAB
Domain Extension for Random Oracles: Beyond the Birthday Paradox Bound Arvind Narayanan (UT Austin) Ilya Mironov (Microsoft Research)

Domain Extension for Random Oracles: Beyond the Birthday Paradox Bound Arvind Narayanan (UT Austin) Ilya Mironov (Microsoft Research)

Similar presentations

Ads by Google