Fast and Secure CBC-type MACs

Mridul Nandi, National Institute of Standards and Technology (mridul.nandi@gmail.com)

FSE, 25th Feb 2009

Slide 1 (title slide)

Slide 2

Outline of the talk

• Introduction

• Broad categories of known MACs

• CBC-type MACs

• Generalization of CBC-type MACs

• New proposals: GCBC1 and GCBC2

• Comparison and Summary

Slide 3

Message Authentication Code

Alice wants to send a message M. Bob should receive the same message and should know that only Alice can send the message.

[Figure: Alice sends M to Bob.]

Ideal solution: a secure channel without noise.

Slide 4

Message Authentication Code

[Figure: Alice sends M; statistical noise on the channel turns it into M', and Bob recovers M.]

Secure channel but with noise: a d-error-correcting code can be used if changing d bits or more happens with probability almost 0.

Slide 5

Message Authentication Code

[Figure: Alice and Bob share a secret key K. Alice sends (M, T) with T = MAC_K(M) over an insecure channel with "human noise" (Oscar); Bob receives (M', T'), computes T'' = MAC_K(M') and checks whether T'' = T'.]

Insecure channel with human noise.

Role of a successful attacker: modify (M, T) into (M', T') such that T' = MAC_K(M'); more precisely, . . .

Slide 6

Forging MAC

[Figure: Alice and Bob share a secret key K; Oscar submits M1 and obtains T1 = MAC_K(M1).]

Role of a successful attacker: for adaptively chosen messages M1, M2, …, Mq, Oscar obtains their corresponding tags.

Slides 7-8

Forging MAC

[Figure: the same exchange repeated for M2, …, Mq; Oscar obtains T2, …, Tq.]

Slide 9

Forging MAC

[Figure: Oscar finally outputs a pair (M, T) to Bob, who checks it with MAC_K.]

Role of a successful attacker: for adaptively chosen messages M1, M2, …, Mq, Oscar obtains their corresponding tags. Finally he should be able to produce a valid message-tag pair (M, T) for a new message M. If he cannot, the MAC is good.

Slide 10

Distinguishing Attack

Stronger security notion than forging (difficult for attackers, easier for designers). Popular in security analysis.

[Figure: Oscar submits M1, …, Mq to MAC_K and receives T1, …, Tq.]

Finally, Oscar has to distinguish T = (T1, …, Tq) from a q-tuple of random strings.

Slide 11

PRF-Advantage Definition

$\mathrm{prf\text{-}Adv}_{\mathrm{MAC}}(O) = \bigl|\,\Pr_K[O(T) = 1 \mid T \leftarrow \mathrm{MAC}_K] - \Pr_T[O(T) = 1 \mid T \text{ uniform}]\,\bigr|$

$\mathrm{prf\text{-}Adv}_{\mathrm{MAC}}(q, t, \ldots) = \max_O \mathrm{prf\text{-}Adv}_{\mathrm{MAC}}(O)$,

the maximum over all distinguishers O which make at most q queries, run in time t, etc.

O interacts either with MAC_K or with a random function.

Slide 12

A small domain PRF

• Suppose the message size is less than 128 bits.

• Apply an injective padding (e.g., 10^d).

• Compute T = AES_K(M*), where M* is the padded message.

• PRF/forgery security depends on the corresponding security of AES_K(.).

• One may use any good compression function (instead of AES) with the chaining value as key.

Slide 13

A small domain PRF

[Figure: left, the 128-bit padded message M || 10^d enters AES_K and yields a 128-bit tag; right, a 512-bit padded message M || 10^d enters a keyed compression function comp_K with a 256-bit key (chaining value) and yields a 256-bit tag.]

• AES-based: message size at most 127 bits; key size 128, 256, etc.; tag size at most 128.

• Compression-function based: message size at most 511 bits; key size 256 or less; tag size at most 256.

How can one authenticate longer and variable-length messages?

Slide 14

Broad Categories of MACs (arbitrary domain)

• Universal hash based: with/without nonce

  • Poly1305, UMAC, MMH, etc.

• Block cipher based

  • Sequential (CBC-type): ECBC, XCBC, TMAC, OMAC, etc.

  • Parallel: PMAC, XOR, DAG-based PRF, etc.

• Hash function (also compression function) based

  • HMAC, NMAC, EMD, NI, sandwich-MD, variants of cascade, etc.

Slide 15

(1) Universal Hash based MAC

• PRF-security depends on the PRF-security assumption of the block cipher or keyed compression function.

• Usually very efficient in software.

• Some drawbacks:

  • A collision helps to mount a hash-key recovery attack, and hence cheap multiple-forgery and key-recovery attacks.

  • Some constructions are nonce-based: reuse of a nonce makes them insecure.

  • Usually the hash key is large.

  • The hash key should be generated from the underlying PRF or from some PRBG.

Slide 16

(2) Hash based MAC

• PRF-security depends on the PRF-security of the underlying keyed compression function.

• Sometimes additional assumptions are required (HMAC and KMDP require related-key security, sandwich-MD requires a PRF with the key in the message block, etc.).

• Serves as both hash and MAC.

• Keyed compression functions have received less PRF-security analysis than collision-security analysis.

Slide 17

(3) Blockcipher based MAC

• PRF-security depends on the PRP-security of the underlying blockcipher.

• PRP-security of blockciphers is widely studied.

• AES is so far a good candidate for a PRP.

• Sometimes MACs come together with encryption (also called authenticated encryption).

• This talk is about this category.

Slide 18

CBC: Block Cipher based MAC

[Figure: M1, M2, M3 are chained through E_K in CBC mode; the last E_K output is the tag.]

• CBC-MAC is secure for a prefix-free message space only.

• Secure for fixed length.

• The length-extension attack is valid for an arbitrary domain.

Slide 19

CBC: Block Cipher based MAC

[Figure: the two-block message M1 || (T1 ⊕ M1) has the same CBC-MAC T1 as the one-block message M1: the second block input is T1 ⊕ (T1 ⊕ M1) = M1, so the second E_K output is again T1.]

Slide 20

ECBC: Encrypted CBC

[Figure: CBC chain over M1, M2, M3 under E_K; the final chaining value is encrypted once more with E_K to give the tag.]

Encrypted by the same key K? Secure?

Slide 21

ECBC: Encrypted CBC

Encrypted by the same key K? Not secure: length-extension attack.

If MAC_K(M1) = T then MAC_K(M1 || 0 || (T ⊕ M1)) = T.

[Figure: the three-block message M1, 0, T ⊕ M1 through the same-key ECBC chain; the intermediate values repeat, so the final encryption again outputs T.]

Slide 22

ECBC: Encrypted CBC

[Figure: CBC chain over M1, M2, M3 under E_K; the final chaining value is encrypted with E_L to give the tag.]

Encrypted by an independent key L? Secure? Yes: the length-extension attack is not possible.

Slide 23

Block Cipher based MAC

[Figure: CBC chain under E_K over M1, M2 and the padded last block M3*; L1 or L2 is XORed into the last block input before the final E_K, whose output is the tag.]

1. XCBC: K, L1, L2 independent keys

2. TMAC: K, L1 independent keys, L2 = a · L1

3. OMAC: L1 = a · E_K(0), L2 = a · L1

M3* = M3 || 10^d if |M3| < n, and M3* = M3 if |M3| = n.

Why two keys? M3* can be obtained from two different messages.

Slide 24

Block Cipher based MAC

[Figure: the same construction with L1 / L2 drawn as XORed into the chaining value before the last block rather than into M3*; since XORs commute with each other, this is the same computation.]

XORs commute with each other.

Slide 25

Block Cipher based MAC

[Figure: CBC chain under E_K over M1, M2, M3*; the chaining value before the last block is shifted left by 1 or 2 bits (<<1 / <<2) instead of being XORed with a key; the final E_K output is the tag.]

a) A simple one/two-bit left shift operation is sufficient: GCBC1.

b) The length-extension attack is not valid for more than one message block.

c) A simple trick can handle single message blocks: GCBC2.

Slide 26

Block Cipher based MAC

[Figure: the same chain, with h marking the shift (<<1 / <<2) applied to the chaining value before the last block.]

Why secure?

• It is difficult to find a collision on the final input: any change will affect h in a random manner.

• It prevents the extension attack.

Slide 27

Generalized CBC or GCBC

Slide 28

Prefix-free Function

A function pad: MsgSp → ([0..t] × B)^+ is called prefix-free if for any distinct M and M', pad(M) is not a prefix of pad(M').

MsgSp = {0,1}*, [0..t] = {0, 1, …, t}, B = {0,1}^n (message block space).

Example: pad(M) = (0, M1) (0, M2) … (d, Ms) is prefix-free, where d = 1 if no padding was needed and d = 2 otherwise.

Slide 29

[Figure: pad maps the message M to (d1, M1), (d2, M2), …, (ds, Ms); v0 = 0; for each i, u_i = h(d_i, v_{i-1}) ⊕ M_i and v_i = E_K(u_i); the tag is v_s.]

Slide 30

Generalized CBC

[Figure: Msg is padded to (d1, M1), (d2, M2), (d3, M3) with d1 = 0; h is applied with d2 and d3 to the chaining value before the second and third E_K calls; the last E_K output is the tag.]

1. h(d, x) is a tweak; d = 0 gives the identity function. The d_i are not completely controlled by the attacker.

2. Examples of h: a d-bit shift of x, or XOR with an (auxiliary) key.

3. Some properties are needed on both pad and h: pad is prefix-free and h is weakly universal.

Slide 31

Generalized CBC

Generalized CBC includes CBC, XCBC, TMAC, etc.

XCBC and TMAC have the prefix-free padding pad(M) = (0, M1) (0, M2) … (d, Ms), where d = 1 if no padding was needed and d = 2 otherwise.

XCBC: h(1, x) = L1 ⊕ x, h(2, x) = L2 ⊕ x.

TMAC: h(1, x) = L1 ⊕ x, h(2, x) = a · L1 ⊕ x (a is a primitive element).

GCBC1 (for more than one message block) has the same padding rule with h(1, x) = x << 1 and h(2, x) = x << 2.

Slide 32

Generalized CBC

h is called weakly universal if the following hold:

(1) Pr[h(d, R) = c] is negligible for all d and c;

(2) Pr[h(d, R) ⊕ h(d', R) = c] is negligible for all distinct d, d' and all c;

(3) Pr[h(d, 0) ⊕ h(d', 0) = c] is negligible for all d, d' that appear with the first block.

The probability is computed over the uniform distribution of R and (where present) of the auxiliary key (present in e.g. XCBC and TMAC; GCBC1 has no auxiliary key).

One can prove that a simple shift or rotation function is weakly universal, i.e., h(d, x) = x << d or x <<< d.
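An exhaustive check of conditions (1) and (2) of this definition for the shift and rotation tweaks on a small block size, as an added example (not the author's proof): for n = 8 bits the worst-case probability is 4/256 for h(d, x) = x << d with d in {1, 2} and 2/256 for the rotation, a small constant factor above the ideal 2^-n. Condition (3) concerns only the tweaks used with the first block and is not checked here.

```python
from collections import Counter
from fractions import Fraction

def shift(x: int, d: int, n: int) -> int:
    """h(d, x) = x << d on n-bit strings; bits shifted out are dropped."""
    return (x << d) & ((1 << n) - 1)

def rotate(x: int, d: int, n: int) -> int:
    """h(d, x) = x <<< d, the n-bit left rotation."""
    return ((x << d) | (x >> (n - d))) & ((1 << n) - 1)

def max_single_prob(h, d: int, n: int) -> Fraction:
    """Condition (1): max over c of Pr_R[h(d, R) = c] with R uniform on n bits."""
    counts = Counter(h(r, d, n) for r in range(1 << n))
    return Fraction(max(counts.values()), 1 << n)

def max_diff_prob(h, d1: int, d2: int, n: int) -> Fraction:
    """Condition (2): max over c of Pr_R[h(d1, R) xor h(d2, R) = c]."""
    counts = Counter(h(r, d1, n) ^ h(r, d2, n) for r in range(1 << n))
    return Fraction(max(counts.values()), 1 << n)

def weakly_universal_bound(h, tweaks, n: int) -> Fraction:
    """Largest probability over conditions (1) and (2) for the given tweak set,
    taking only distinct tweak pairs in (2). The shift x << d alone is 2^d-to-1,
    so for GCBC1's tweaks {1, 2} the bound is 2^-(n-2); rotation gives 2^-(n-1)."""
    worst = max(max_single_prob(h, d, n) for d in tweaks)
    for d1 in tweaks:
        for d2 in tweaks:
            if d1 != d2:
                worst = max(worst, max_diff_prob(h, d1, d2, n))
    return worst
```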

Slide 33

Generalized CBC

Theorem (GCBC main theorem): if the tweaking function h is weakly universal, pad is prefix-free and the underlying block cipher is a PRP, then the generalized CBC based on the padding rule pad with tweaking function h is a PRF.

Slide 34

GCBC1

[Figure, last message block M3 complete: v0 = 0; u1 = M1 ⊕ v0, v1 = E_K(u1); u2 = M2 ⊕ v1, v2 = E_K(u2); u3 = (v2 << 1) ⊕ M3; the tag is v3 = E_K(u3).]

[Figure, last message block M3 not complete: as above, but u3 = (v2 << 2) ⊕ (M3 || 10*).]
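The length-extension identity of slide 19 beside the GCBC1 tweak of slides 31 and 34, as an added example that is not the author's code or reference implementation: the block cipher is a labelled stand-in for AES_K, and the key and message bytes are constructed.

```python
import hashlib
N = 16  # block size in bytes: n = 128 bits

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enc(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES_K (assumption): 4-round Feistel with a SHA-256 round
    function; a keyed permutation, but not a vetted PRP, so use AES for real."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def shift_left(x: bytes, d: int) -> bytes:
    """GCBC1 tweak h(d, x) = x << d on an n-bit string; the top d bits drop."""
    v = (int.from_bytes(x, "big") << d) & ((1 << (8 * N)) - 1)
    return v.to_bytes(N, "big")

def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Plain CBC-MAC of slide 18 over a whole number of n-bit blocks."""
    v = bytes(N)
    for i in range(0, len(msg), N):
        v = enc(key, xor(v, msg[i:i + N]))
    return v

def gcbc1(key: bytes, msg: bytes) -> bytes:
    """GCBC1 (slides 31, 34) for more than one block: CBC chaining with
    v_{s-1} << 1 before a complete last block, v_{s-1} << 2 before a padded one."""
    assert len(msg) > N, "one-block messages are handled by GCBC2"
    blocks = [msg[i:i + N] for i in range(0, len(msg), N)]
    d = 1
    if len(blocks[-1]) < N:  # incomplete last block: 10* padding and d = 2
        d = 2
        blocks[-1] += b"\x80" + bytes(N - 1 - len(blocks[-1]))
    v = bytes(N)
    for m in blocks[:-1]:
        v = enc(key, xor(v, m))
    return enc(key, xor(shift_left(v, d), blocks[-1]))

def extension_holds(mac, key: bytes, msg: bytes) -> bool:
    """Slide 19 identity: with T = MAC(M1..Ms), is MAC(M1..Ms, T xor M1, M2..Ms)
    equal to T? True for plain CBC-MAC; the GCBC1 tweak breaks it."""
    t = mac(key, msg)
    extended = msg + xor(t, msg[:N]) + msg[N:]
    return mac(key, extended) == t

KEY = b"constructed-key"                        # constructed sample key
MSG = b"block one of msg" + b"block two of msg"  # two complete blocks, constructed
```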

Slide 35

GCBC2: one-block message M1

• If |M1| < n−3: d1 = 0, M'1 = M1 || 10^d. [Figure: a single E_K call on M1 || 10^d.]

• If n−3 ≤ |M1| ≤ n: write M1 = x1 || y1 with |x1| = n−3; d1 = 0 = d2, M'1 = x1 || 001, M2* = y1* (y1 padded with 10^d). [Figure: two E_K calls, on x1 || 001 and then on y1 || 10^d.]

Slide 36

GCBC2

[Figure: GCBC chain with v0 = 0^n; M'1 → u1 → E_K → v1; shift << d2; M2 → u2 → E_K → v2; …; Ms-1 → us-1 → E_K → vs-1; shift << δ; Ms* → us → E_K → vs = tag.]

Message: M1 M2 … Ms. Need to define M'1, Ms* and d2; δ is 1 or 2 depending on the size of Ms.

1. Two-block message M1 || M2, with M1 = x1 || y1:

  • y1 = 000: M'1 = x1*, M2* = M2, d1 = d2 = 0.

  • y1 ≠ 000: M'1 = M1, M2* = M2, d1 = 0, d2 = δ.

2. More than two blocks:

  • y1 = 000: d1 = 0, M'1 = x1*, d2 = 4, …, ds = δ.

  • y1 ≠ 000: d1 = 0, M'1 = M1, d2 = 3, …, ds = δ.

Slide 37

Comparison Study

Slide 38

Mode    #BC    Key size   Key schedules   Security bound
CBC     m      k          1               prefix-free only, σq
ECBC    m+1    2k         2               q^2
XCBC    m      k+2n       1               σq
TMAC    m      k+n        1               σq
OMAC    m+1*   k          1               σq
GCBC1   m*     k          1               σ^2
GCBC2   m*     k          1               σ^2

Slide 39

Mode    micro-sec (1-15 bytes)   micro-sec (16 bytes)   micro-sec (17-32 bytes)
XCBC    43.7                     43.7                   78.46
TMAC    43.98                    44.05                  78.80
OMAC    78.72                    78.80                  113.80
GCBC1   77.9                     77.92                  77.95
GCBC2   43.58                    78.26                  78.37

• Platform: Intel(R) Pentium(R) 4 CPU 3.60 GHz, 1 GB RAM

• AES as block cipher

Slide 40

Summary

• We study CBC-type MACs.

• We view most CBC-type MACs in a common framework.

• We study the PRF-security of the generalized CBC.

• We propose two new efficient constructions and compare them with known constructions.

Questions and Comments?