New Bounds for PMAC, TMAC, and XCBC

Post on 13-Jan-2016


New Bounds for PMAC, TMAC, and XCBC. Kazuhiko Minematsu and Toshiyasu Matsushima, NEC Corp. and Waseda University. Fast Software Encryption 2007, March 26-28, Luxembourg City, Luxembourg.


New Bounds for PMAC, TMAC, and XCBC

Kazuhiko Minematsu and Toshiyasu Matsushima, NEC Corp. and Waseda University

Fast Software Encryption 2007, March 26-28, Luxembourg City, Luxembourg

2

Introduction

Message authentication code (MAC) from block ciphers (BCs)

“BC-only” modes: no special function other than a block cipher

Ex. Encrypted CBC-MAC (EMAC)

3

Security notion of MACs

Advantage in distinguishing the MAC from the (keyed) random oracle (RO), , using CPA

Small advantage implies small MAC forgery probability

Note: We only consider the info-theoretic security, but our results have simple computational counterparts

: number of queries

: max. message length (in n-bit blocks)

: total number of queried blocks

can contain

(but not vice versa)

4

Related works on EMAC

Previous EMAC security bound is:

when it is implemented w/ two n-bit uniform random permutations (URPs), and

EMAC w/ two URPs

[BR00]

room for improvement?

5

Related works on EMAC (contd.)

Bellare, Pietrzak, and Rogaway [BPR05]

is a function that grows very slowly with

Note: Pietrzak [P06] obtained a tighter bound for a range of parameters

(much smaller than )

If , the bound is roughly

6

Our contribution

New security bounds for PMAC (a parallelizable MAC), TMAC and XCBC (successors of EMAC)

Old: or New: for PMAC, and for TMAC & XCBC

compared w/ , from quadratic to (almost) linear degradation wrt

compared w/ , better in most (but not all) cases

7

Analysis of PMAC

8

PMAC (Black-Rogaway[BR02], Rogaway[R04])

Hashing with mask-encrypt-sum (PHASH); still BC-only: masks are generated w/ a few bitshifts and XORs

PMAC ([R04] version w/ 128 bit block size)

PHASH

input

9

Overview of old proof [R04]

“Perfect” PMAC using independent URPs as an intermediate function

Use triangle inequality

(diagram: Perfect PMAC, PMAC, RO)

Old bound: (also , as )

10

Overview of new proof

A different intermediate function, the modified PMAC (MPMAC): PHASH + independent finalization

(diagram: MPMAC, PMAC, RO)

11

MPMAC vs. Random Oracle

What we need is: (a stronger form of ) differential probability of PHASH

(diagram of PHASH; labels: "used for MPMAC vs. RO", "used for PMAC vs. MPMAC")

12

Diff. probability of PHASH

A subset of input blocks may generate the same URP input

Odd (even) collision involves an odd (even) number of input blocks

Let denote odd collisions with non-zero URP inputs

Then, critical event is , as it implies the sum = 0 or w/ prob. 1 (as )

(diagram: even collision, odd collision)

13

Diff. probability of PHASH (contd.)

is at most . Given , the PHASH sum is almost uniform (point probability is at most )

for any

Lemma 2

From Lemma 2, the advantage between MPMAC and RO is:

14

PMAC vs. MPMAC

Four “good” events defined as:

the sets of URP inputs in PHASH and in the finalization (+ dummy mask for MPMAC) have no intersection

Using Maurer’s method [M02], the advantage is at most the max. prob. of “bad” events in MPMAC, denoted by

15

New bound for PMAC

A careful analysis using Lemma 2 provides

if

(diagram: MPMAC, PMAC, RO)

Theorem 2

16

As long as there is a small (but not too small) fraction of long messages, the new bound is better

Much better under some practical cases (e.g., all messages have similar lengths)

Comparison of new and old bounds

New ( ) < old ( ) iff

Ex: new bound is 2^-32, old bound is 2^-48 ~ 2^-16

If 99.9% of messages are one-block, the old bound is better

If at least 1% of messages are -block, the new bound is better

(if we ignore constants)

17

Analysis of TMAC and XCBC

18

TMAC [KI03] and XCBC [BR00]

Successors of EMAC: fewer BC calls (no double encryption), one BC key + one or two n-bit keys

is independent of

TMAC

19

Proof sketch for TMAC (XCBC is the same)

Modified TMAC (MTMAC) and bad events similar to those for PMAC

Adv. between TMAC and MTMAC is

much simpler analysis due to the independence of

Adv. between MTMAC and RO is EMAC bound of [BPR05], i.e.,

20

New bounds for TMAC and XCBC

Old bounds are or for . TMAC’s new bound is:

Theorem 3 (XCBC’s bound is the same)

[BR00] [KI03] [IK03s]

Bound comparison is almost the same as PMAC’s case, in case the second term is negligible

21

Short comments on OMAC [IK03o]

OMAC (aka CMAC) is a one-key CBC-MAC, an improvement to TMAC and XCBC

mask is or , where

MOMAC and bad events are similarly defined; however, the probabilities of some new bad events have to be evaluated, such as

an extension of CBC collision analysis [BPR05] is needed (open problem)
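As an added illustration (not code from the slides or the authors), the finalization rules of XCBC, TMAC and OMAC described on the TMAC/XCBC slide and this OMAC slide, written over a toy 16-bit keyed permutation that stands in for the URP of the info-theoretic model. The toy cipher, the key values and the GF(2^16) reduction polynomial are assumptions; the point shown is which masks are independent of the block cipher (XCBC, TMAC) and which are derived from it (OMAC).

```python
import random

N = 2              # block size in bytes (n = 16 bits) so the toy permutation table stays small
POLY = 0x1002D     # x^16 + x^5 + x^3 + x^2 + 1 (assumed irreducible); defines "times u" in GF(2^16)

def toy_block_cipher(key: int):
    """Keyed permutation of all 2^16 blocks (a seeded shuffle): a stand-in for the
    uniform random permutation (URP) of the info-theoretic model, not a real cipher."""
    table = list(range(1 << (8 * N)))
    random.Random(key).shuffle(table)
    return lambda blk: table[int.from_bytes(blk, "big")].to_bytes(N, "big")

def times_u(blk: bytes) -> bytes:
    """Multiply an n-bit block by u (the element x) in GF(2^n): shift left, reduce by POLY."""
    v = int.from_bytes(blk, "big") << 1
    if v >> (8 * N):
        v ^= POLY
    return v.to_bytes(N, "big")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def masked_cbc_mac(e, msg: bytes, mask_full: bytes, mask_pad: bytes) -> bytes:
    """CBC-MAC whose last block is XORed with mask_full when |msg| is a positive
    multiple of n, and otherwise padded with 10* and XORed with mask_pad."""
    if msg and len(msg) % N == 0:
        body, last, mask = msg[:-N], msg[-N:], mask_full
    else:
        cut = len(msg) - len(msg) % N
        body, last, mask = msg[:cut], (msg[cut:] + b"\x80").ljust(N, b"\x00"), mask_pad
    y = bytes(N)                                  # CBC chaining value starts at 0^n
    for i in range(0, len(body), N):
        y = e(xor(y, body[i:i + N]))
    return e(xor(xor(y, last), mask))             # single final encryption, no EMAC double encryption

def xcbc(e, k2: bytes, k3: bytes, msg: bytes) -> bytes:
    """XCBC: one block-cipher key plus two independent n-bit keys K2 (full) and K3 (padded)."""
    return masked_cbc_mac(e, msg, k2, k3)

def tmac(e, k2: bytes, msg: bytes) -> bytes:
    """TMAC: one block-cipher key plus one n-bit key K2; the second mask is K2 * u."""
    return masked_cbc_mac(e, msg, k2, times_u(k2))

def omac(e, msg: bytes) -> bytes:
    """OMAC/CMAC: one key only; L = E_K(0^n), masks L*u and L*u^2, so the masks are
    derived from the same block cipher (the dependence that complicates its analysis)."""
    L = e(bytes(N))
    return masked_cbc_mac(e, msg, times_u(L), times_u(times_u(L)))
```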

22

Conclusion

New bounds for PMAC, TMAC, and XCBC: from quadratic to (almost) linear degradation wrt the max. message length

Future directions

OMAC

Further improvement (still far from the lower bound )

23

Thank you!