Post on 17-Dec-2015
25th Feb 2009 FSE 1
Fast and Secure CBC-type MACs
National Institute of Standards and Technology
Mridul Nandi, mridul.nandi@gmail.com
25th Feb 2009 FSE 2
Outline of the talk
• Introduction
• Broad categories of known MACs
• CBC-type MACs
• Generalization of CBC-type MACs
• New proposals: GCBC1 and GCBC2
• Comparison and Summary
25th Feb 2009 FSE 3
Message Authentication Code
Alice wants to send a message M. Bob should receive the same message and should know that only Alice can send the message.
[Figure: Alice sends M to Bob.]
Ideal solution: a secure channel without noise.
25th Feb 2009 FSE 4
Message Authentication Code
Alice wants to send a message M. Bob should receive the same message and should know that only Alice can send the message.
[Figure: Alice sends M; statistical noise turns it into M' before it reaches Bob.]
Secure channel but with noise: a d-error-correcting code can be used if the probability of changing d bits or more is almost 0.
25th Feb 2009 FSE 5
Message Authentication Code
[Figure: insecure channel with "human noise", Oscar. Alice and Bob share a secret key K. Alice sends (M, T) with T = MAC_K(M); Oscar may replace it with (M', T'); Bob computes T'' = MAC_K(M') and checks whether T'' = T'.]
Role of a successful attacker: modify (M, T) to (M', T') such that T' = MAC_K(M'); more precisely, . . .
25th Feb 2009 FSE 6
Forging MAC
[Figure: Oscar sends M1 to the MAC_K oracle and receives T1.]
Role of a successful attacker: for adaptively chosen messages M1, M2, …, Mq, Oscar obtains their corresponding tags.
25th Feb 2009 FSE 7
Forging MAC
[Figure: Oscar sends M2 and receives T2.]
25th Feb 2009 FSE 8
Forging MAC
[Figure: Oscar sends Mq and receives Tq.]
25th Feb 2009 FSE 9
Forging MAC
[Figure: Oscar outputs a pair (M, T); Bob checks it against MAC_K(M).]
For adaptively chosen messages M1, M2, …, Mq, Oscar obtains their corresponding tags.
Finally he should be able to produce a valid message-tag pair (M, T). If he cannot, the MAC is good.
25th Feb 2009 FSE 10
Distinguishing Attack
Stronger security notion than forging (difficult for attackers, easier for designers). Popular in the security analysis.
[Figure: Oscar sends M1, …, Mq to MAC_K and receives T1, …, Tq.]
Finally, Oscar has to distinguish T = (T1, …, Tq) from a q-tuple of random strings.
25th Feb 2009 FSE 11
PRF-Advantage Definition
prf-Adv_MAC(O) = | Pr_K[O(T) = 1 | MAC_K] - Pr_T[O(T) = 1 | uniform T] |
prf-Adv_MAC(q, t, …) = max prf-Adv_MAC(O),
the maximum over all distinguishers O which make at most q queries, run in time t, etc.
O interacts either with MAC_K or with a random function.
25th Feb 2009 FSE 12
A small domain PRF
• Suppose the message size is less than 128 bits.
• Apply an injective padding (e.g., 10^d).
• Compute T = AES_K(M*), where M* is the padded message.
• PRF/forgery security depends on the corresponding security of AES_K(.).
• One may use any good compression function (instead of AES) with the chaining value as key.
25th Feb 2009 FSE 13
A small domain PRF
[Figure: tag = AES_K(M 10^d) with a 128-bit input and a 128-bit tag; tag = comp_K(M 10^d) with a 512-bit input and a 256-bit key and tag.]
AES_K: • Msg size at most 127 bits • Key size 128, 256, etc. • Tag size at most 128
comp_K: • Msg size at most 511 bits • Key size 256 or less • Tag size at most 256
How can one authenticate longer and variable-length messages?
25th Feb 2009 FSE 14
Broad Categories of MACs (arbitrary domain)
• Universal hash based: with/without nonce
  • Poly1305, UMAC, MMH, etc.
• Block cipher based
  • Sequential (CBC-type): ECBC, XCBC, TMAC, OMAC, etc.
  • Parallel: PMAC, XOR, DAG-based PRF, etc.
• Hash function (also compression function) based
  • HMAC, NMAC, EMD, NI, sandwich-MD, variants of cascade, etc.
25th Feb 2009 FSE 15
(1) Universal Hash based MAC
• PRF-security depends on the PRF-security assumption of the block cipher or keyed compression function.
• Usually very efficient in software.
• Some drawbacks:
  • A collision helps to mount a hash-key recovery attack, and hence cheap multiple-forgery and key-recovery attacks.
  • Some constructions are nonce-based: reuse of a nonce makes them insecure.
  • Usually the hash key is large. The hash key should be generated from the underlying PRF or from some PRBG.
25th Feb 2009 FSE 16
(2) Hash based MAC
• PRF-security depends on the PRF-security of the underlying keyed compression function.
• Sometimes additional assumptions are required (HMAC and KMDP require related-key security, sandwich-MD requires a PRF with the key in the message block, etc.).
• Serves both as hash and as MAC.
• There is less PRF-security analysis of keyed compression functions than collision-security analysis.
25th Feb 2009 FSE 17
(3) Block cipher based MAC
• PRF-security depends on the PRP-security of the underlying block cipher.
• PRP-security of block ciphers is widely studied.
• AES is so far a good candidate for a PRP.
• Sometimes MACs come with encryption (also called authenticated encryption).
• This talk is about this category.
25th Feb 2009 FSE 18
CBC: Block Cipher based MAC
[Figure: CBC-MAC: M1, M2, M3 are chained through E_K; the last output is the tag.]
• CBC MAC is secure for a prefix-free message space only.
• Secure for fixed length.
• The length extension attack is valid for an arbitrary domain.
25th Feb 2009 FSE 19
CBC: Block Cipher based MAC
[Figure: length extension (+ denotes XOR): if T1 = E_K(M1) is the tag of M1, then the two-block message M1 || (T1 + M1) has tag E_K(T1 + T1 + M1) = E_K(M1) = T1.]
• CBC MAC is secure for a prefix-free message space only.
• Secure for fixed length.
• The length extension attack is valid for an arbitrary domain.
25th Feb 2009 FSE 20
ECBC: Encrypted CBC
[Figure: CBC-MAC of M1 M2 M3 followed by one more E_K on the output, giving the tag.]
Encrypted by the same key K? Secure?
25th Feb 2009 FSE 21
ECBC: Encrypted CBC
Encrypted by the same key K? Not secure: length extension attack.
If MAC_K(M1) = T then MAC_K(M1 || 0 || (T + M1)) = T.
[Figure: E_K(M1) = C, E_K(C + 0) = T, E_K(T + (T + M1)) = E_K(M1) = C, final E_K(C) = T.]
25th Feb 2009 FSE 22
ECBC: Encrypted CBC
[Figure: CBC-MAC of M1 M2 M3 under K, followed by E_L on the output, giving the tag.]
Encrypted by an independent key L? Secure? Yes; the length extension attack is not possible.
25th Feb 2009 FSE 23
Block Cipher based MAC
[Figure: CBC chain over M1, M2, M3* under E_K; the input to the last E_K is XORed with L1 or L2 before encryption.]
M3* = M3 10^d if |M3| < n; M3* = M3 if |M3| = n.
1. XCBC: K, L1, L2 independent keys.
2. TMAC: K, L1 independent keys, L2 = a · L1.
3. OMAC: L1 = a · E_K(0), L2 = a · L1.
Why two keys? M3* can be obtained from two different messages.
25th Feb 2009 FSE 24
Block Cipher based MAC
[Figure: the same construction, with the L1/L2 mask moved onto the chaining value entering the last block; this is equivalent because the XOR operations commute with each other.]
25th Feb 2009 FSE 25
Block Cipher based MAC
[Figure: the same CBC chain, with the chaining value into the last E_K shifted left by 1 or 2 bits (<<1 / <<2) instead of being XORed with L1 / L2.]
a) A simple one- or two-bit left shift operation is sufficient: GCBC1.
b) The length extension attack is not valid for more than one message block.
c) A simple trick can handle single message blocks: GCBC2.
25th Feb 2009 FSE 26
Block Cipher based MAC
[Figure: the same construction; h denotes the input to the final E_K.]
Why secure?
• It is difficult to find a collision on the final input h.
• Any change affects h in a random manner.
• This prevents the extension attack.
25th Feb 2009 FSE 27
Generalized CBC or GCBC
25th Feb 2009 FSE 28
Prefix-free Function
A function pad: MsgSp → ([0..t] × B)^+ is called prefix-free if for any distinct M and M', pad(M) is not a prefix of pad(M').
MsgSp = {0,1}*, [0..t] = {0, 1, …, t}, B = {0,1}^n (message block space).
Example: pad(M) = (0, M1)(0, M2) … (d, Ms) is prefix-free, where d = 1 if no padding is needed, otherwise d = 2.
25th Feb 2009 FSE 29
[Figure: generalized CBC. pad(M) = (d1, M1)(d2, M2) … (ds, Ms); v0 = 0; u_i = h(d_i, v_{i-1}) + M_i; v_i = E_K(u_i); tag = vs.]
25th Feb 2009 FSE 30
Generalized CBC
[Figure: generalized CBC on pad(M) = (d1, M1)(d2, M2)(d3, M3) with d1 = 0; the tweaks h(d2, ·) and h(d3, ·) are applied to the chaining value before M2 and M3 are XORed in.]
1. h(d, x) is a tweak; d = 0 means the identity function.
   • d_i is not completely controlled by the attacker.
2. Examples of h: a d-bit shift of x, or an XOR with an (auxiliary) key.
3. Some properties are needed on both pad and h:
   • pad is prefix-free and h is weakly universal.
25th Feb 2009 FSE 31
Generalized CBC
Generalized CBC includes CBC, XCBC, TMAC, etc.
XCBC and TMAC have the prefix-free padding pad(M) = (0, M1)(0, M2) … (d, Ms), where d = 1 if no padding is needed, otherwise d = 2.
XCBC: h(1, x) = L1 + x, h(2, x) = L2 + x.
TMAC: h(1, x) = L1 + x, h(2, x) = a · L1 + x (a is a primitive element).
GCBC1 (for more than one message block) has the same padding rule with h(1, x) = x<<1, h(2, x) = x<<2.
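The constructions of slides 18 through 31 written out in code, as an added example that is not part of the talk or the paper: a generalized CBC routine gcbc(key, msg, h) with the talk's prefix-free padding, the tweak functions h for plain CBC-MAC, XCBC and GCBC1, and ECBC with the same key and with an independent final key. The block cipher E is an assumption of this example (a small Feistel network built from HMAC-SHA256, chosen so the code runs without an AES library; any 128-bit block cipher can be substituted), and the keys, messages and the XCBC masks L1, L2 are constructed values. length_extension_demo() replays the two extension attacks of slides 19 and 21 against each MAC and records which ones accept the extended message under the original tag; it also exercises the one-block case of GCBC1 that slide 25 says is handled by GCBC2.

```python
import hmac
import hashlib

N_BYTES = 16  # block size n = 128 bits, as for AES


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher (an assumption of this example, not from the talk):
    a 4-round Feistel network with HMAC-SHA256 as round function, i.e. a keyed
    permutation on 16-byte blocks. Use AES here in practice."""
    assert len(block) == N_BYTES
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def shl(x: bytes, d: int) -> bytes:
    """d-bit left shift of an n-bit block; the bits shifted out are lost."""
    v = (int.from_bytes(x, "big") << d) & ((1 << 8 * N_BYTES) - 1)
    return v.to_bytes(N_BYTES, "big")


def prefix_free_pad(msg: bytes):
    """The talk's padding (0,M1)...(0,M_{s-1})(d,Ms): d = 1 if Ms is a full
    block, else Ms is padded with 10* and d = 2. Returns (blocks, d)."""
    blocks = [msg[i:i + N_BYTES] for i in range(0, len(msg), N_BYTES)] or [b""]
    if len(blocks[-1]) == N_BYTES:
        return blocks, 1
    blocks[-1] = blocks[-1] + b"\x80" + b"\x00" * (N_BYTES - len(blocks[-1]) - 1)
    return blocks, 2


def gcbc(key: bytes, msg: bytes, h) -> bytes:
    """Generalized CBC: v0 = 0, u_i = h(d_i, v_{i-1}) + M_i, v_i = E_K(u_i),
    tag = v_s; h(0, x) = x and only the last block carries d_s != 0."""
    blocks, d_last = prefix_free_pad(msg)
    v = bytes(N_BYTES)
    for i, m in enumerate(blocks):
        d = d_last if i == len(blocks) - 1 else 0
        v = E(key, xor(h(d, v), m))
    return v


def h_cbc(d, x):                 # plain CBC-MAC: the tweak is ignored
    return x

def h_gcbc1(d, x):               # GCBC1: h(1, x) = x<<1, h(2, x) = x<<2
    return shl(x, d)

def make_h_xcbc(L1, L2):         # XCBC: h(1, x) = L1 + x, h(2, x) = L2 + x
    return lambda d, x: x if d == 0 else xor(x, L1 if d == 1 else L2)

def cbc_mac(key, msg):
    return gcbc(key, msg, h_cbc)

def ecbc_same_key(key, msg):     # slide 21: final encryption under K again
    return E(key, cbc_mac(key, msg))

def ecbc(key, key_l, msg):       # slide 22: final encryption under key L
    return E(key_l, cbc_mac(key, msg))


def length_extension_demo(key=b"K" * 16, key_l=b"L" * 16):
    """Replays the extension attacks of slides 19 and 21 against each MAC;
    returns {construction: True if the extended message verifies under the
    tag of the original message}. Keys and messages are constructed."""
    m1 = b"one block msg!!!"                     # 16 bytes
    m2 = m1 + b"second block...."                # 32 bytes
    zero, out = bytes(N_BYTES), {}
    # CBC-MAC: T1 = E_K(M1), so M1 || (T1 + M1) feeds M1 into E_K again.
    t = cbc_mac(key, m1)
    out["CBC-MAC"] = cbc_mac(key, m1 + xor(t, m1)) == t
    # ECBC, one key: T = E_K(E_K(M1)); M1 || 0 || (T + M1) also gives T.
    t = ecbc_same_key(key, m1)
    out["ECBC same key"] = ecbc_same_key(key, m1 + zero + xor(t, m1)) == t
    # ECBC with an independent final key L: the same extension fails.
    t = ecbc(key, key_l, m1)
    out["ECBC key L"] = ecbc(key, key_l, m1 + zero + xor(t, m1)) == t
    # XCBC and GCBC1 on two blocks: the last-block tweak h(d, v) changes
    # the chaining value an attacker would need to cancel.
    h_x = make_h_xcbc(b"\x11" * 16, b"\x22" * 16)     # constructed L1, L2
    t = gcbc(key, m2, h_x)
    out["XCBC"] = gcbc(key, m2 + xor(t, m1), h_x) == t
    t = gcbc(key, m2, h_gcbc1)
    out["GCBC1 two blocks"] = gcbc(key, m2 + xor(shl(t, 1), m1), h_gcbc1) == t
    # GCBC1 on one block: h(d, v0 = 0) = 0, so T = E_K(M1), and
    # M1 || ((T<<1) + M1) feeds M1 into E_K again; hence GCBC2.
    t = gcbc(key, m1, h_gcbc1)
    out["GCBC1 one block"] = gcbc(key, m1 + xor(shl(t, 1), m1), h_gcbc1) == t
    return out


if __name__ == "__main__":
    for name, forged in length_extension_demo().items():
        print(f"{name:17s} extended message verifies: {forged}")
```

Running the block shows plain CBC-MAC, ECBC under a single key and one-block GCBC1 accepting the extended message, while ECBC with key L, XCBC and two-block GCBC1 reject it. A single failed extension is only an illustration of the mechanism the slides describe; the security argument itself is the GCBC main theorem of slide 33.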
25th Feb 2009 FSE 32
Generalized CBC
h is called weakly universal if the following hold:
(1) Pr[h(d, R) = c] is negligible for all d;
(2) Pr[h(d, R) + h(d', R) = c] is negligible for all d, d';
(3) Pr[h(d, 0) + h(d', 0) = c] is negligible for all d, d' that can appear with the first block.
The probability is computed over the uniform distribution of R and (where present) of the auxiliary key (present in e.g. XCBC and TMAC; GCBC1 has no auxiliary key).
One can prove that a simple shift or rotation function is weakly universal, i.e., h(d, x) = x<<d or x<<<d.
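For the shift and rotation tweaks, conditions (1) and (2) can be checked exactly rather than just argued: h(d, ·) is then a linear map over GF(2), and for uniform R the probability Pr[f(R) = c] of a linear map f is 2^-rank(f) for every c in the image of f (and 0 otherwise). The following added example (not from the talk or the paper; the function names and the rotation variant are this example's own) computes those ranks for n = 128 by Gaussian elimination over GF(2). Condition (3) is not computed: for shifts and rotations h(d, 0) = 0 for every d, and in GCBC1 the first block always carries d1 = 0.

```python
N = 128                       # block length n in bits
MASK = (1 << N) - 1


def h_shift(d: int, x: int) -> int:    # h(d, x) = x<<d; bits shifted out are lost
    return (x << d) & MASK


def h_rotate(d: int, x: int) -> int:   # h(d, x) = x<<<d (rotation)
    return ((x << d) | (x >> (N - d))) & MASK


def gf2_rank(f) -> int:
    """Rank over GF(2) of a linear map f on n-bit words, by Gaussian
    elimination on the images f(e_i) of the unit vectors e_i."""
    rows = [f(1 << i) for i in range(N)]
    rank = 0
    for bit in range(N - 1, -1, -1):
        pivot = next((r for r in rows if (r >> bit) & 1), None)
        if pivot is None:
            continue
        rows.remove(pivot)
        rows = [r ^ pivot if (r >> bit) & 1 else r for r in rows]
        rank += 1
    return rank


def collision_exponent(f) -> int:
    """For uniform R and linear f, max over c of Pr[f(R) = c] is exactly
    2^-rank(f), attained for every c in the image of f. Returns rank(f)."""
    return gf2_rank(f)


def weak_universality_exponents(h, tweaks=(1, 2)) -> dict:
    """Exponents e with Pr[...] = 2^-e for conditions (1) and (2) of the
    slide: ('single', d) for Pr[h(d,R) = c] and ('pair', d, d') for
    Pr[h(d,R) + h(d',R) = c], + being XOR. A larger e is more negligible."""
    out = {}
    for d in tweaks:
        out[("single", d)] = collision_exponent(lambda x: h(d, x))
    for d in tweaks:
        for d2 in tweaks:
            if d < d2:
                out[("pair", d, d2)] = collision_exponent(lambda x: h(d, x) ^ h(d2, x))
    return out


if __name__ == "__main__":
    for name, h in (("shift", h_shift), ("rotation", h_rotate)):
        for cond, e in weak_universality_exponents(h).items():
            print(f"{name:9s} {cond}: probability 2^-{e}")
```

For the GCBC1 tweaks x<<1 and x<<2 this gives probabilities 2^-127 and 2^-126 for condition (1) and 2^-127 for condition (2); rotations are bijections, so condition (1) gives 2^-128, and the pair x<<<1 + x<<<2 has a one-dimensional kernel (the all-zero and all-one words), giving 2^-127 again.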
25th Feb 2009 FSE 33
Generalized CBC
Theorem: (GCBC main theorem)
If the tweaking function h is weakly universal, pad is prefix-free and the underlying block cipher is a PRP, then the generalized CBC based on the padding rule pad with tweaking function h is a PRF.
25th Feb 2009 FSE 34
GCBC1
[Figure: last message block M3 is complete: v0 = 0, u1 = M1, v1 = E_K(u1), u2 = v1 + M2, v2 = E_K(u2), u3 = (v2 << 1) + M3, tag = v3 = E_K(u3).]
[Figure: last message block M3 is not complete: the same chain with u3 = (v2 << 2) + M3 10*, tag = v3 = E_K(u3).]
25th Feb 2009 FSE 35
GCBC2
One-block message M1:
• |M1| < n-3: d1 = 0, M'1 = M1 10^d.
• n-3 ≤ |M1| ≤ n: M1 = x1 y1 with |x1| = n-3, d1 = 0 = d2, M'1 = x1 001, M*2 = y1*.
[Figure: first case, tag = E_K(M1 10^d); second case, the two blocks x1 001 and y1 10^d are chained through E_K.]
25th Feb 2009 FSE 36
GCBC2
Message: M1 M2 … Ms. Need to define M'1, M*s and d2; δ is 1 or 2 depending on the size of Ms.
[Figure: GCBC2 chain: v0 = 0^n, u1 = M'1, v1 = E_K(u1), u2 = (v1 << d2) + M2, v2 = E_K(u2), …, v_{s-1} = E_K(u_{s-1}), us = (v_{s-1} << ds) + M*s, tag = vs = E_K(us).]
1. Two-block message M1 || M2, M1 = x1 y1:
   • y1 = 000: M'1 = x1*, M*2 = M2, d1 = d2 = 0.
   • y1 ≠ 000: M'1 = M1, M*2 = M2, d1 = 0, d2 = δ.
2. More than two blocks:
   • y1 = 000: d1 = 0, M'1 = x1*, d2 = 4, …, ds = δ.
   • y1 ≠ 000: d1 = 0, M'1 = M1, d2 = 3, …, ds = δ.
25th Feb 2009 FSE 37
Comparison Study
25th Feb 2009 FSE 38
Mode   #BC   Keys   Keysch   Security
CBC    m     k      1        Prefix-free, σq
ECBC   m+1   2k     2        q²
XCBC   m     k+2n   1        σq
TMAC   m     k+n    1        σq
OMAC   m+1*  k      1        σq
GCBC1  m*    k      1        σ²
GCBC2  m*    k      1        σ²
(#BC: number of block cipher calls for an m-block message; Keys: key size; Keysch: number of key schedules; Security: PRF-security bound.)
25th Feb 2009 FSE 39
Mode   micro-sec (1-15 bytes)   micro-sec (16 bytes)   micro-sec (17-32 bytes)
XCBC   43.7                     43.7                   78.46
TMAC   43.98                    44.05                  78.80
OMAC   78.72                    78.80                  113.80
GCBC1  77.9                     77.92                  77.95
GCBC2  43.58                    78.26                  78.37
• Platform: Intel(R) Pentium(R) 4 CPU 3.60 GHz, 1 GB RAM
• AES as block cipher
25th Feb 2009 FSE 40
Summary
• We study CBC-type MACs.
• We view most CBC-type MACs in a common framework.
• We study the PRF-security of the generalized CBC.
• We propose two new efficient constructions and compare them with known constructions.
Questions and Comments?