60 research outputs found
A MAC Mode for Lightweight Block Ciphers
status: accepte
A Unified Method for Improving PRF Bounds for a Class of Blockcipher based MACs
This paper provides a unified framework for {\em improving} \PRF(pseudorandom function) advantages of several popular MACs (message authentication codes) based on a blockcipher modeled as \tx{RP} (random permutation). In many known MACs, the inputs of the underlying blockcipher are defined to be some deterministic affine functions of previously computed outputs of the blockcipher. Keeping the similarity in mind, we introduce a class of \tx{ADE}s (affine domain extensions) and a wide subclass of \tx{SADE}s (secure \tx{ADE}) containing \mathcal{C} = \{ \tx{CBC-MAC},\ \tx{GCBC}^*,\ \tx{OMAC},\ \tx{PMAC} \}. We define a parameter for each domain extension and show that all \tx{SADE}s have \PRF advantages where is the total number of blockcipher computations needed for all queries. We prove that \PRF advantage of any \tx{SADE} is by showing that is always at most . We provide a better estimate of for all members of and hence these MACs have {\em improved advantages }. Our proposed bounds for \tx{CBC-MAC} and \tx{GCBC}^* are better than previous best known bounds
Towards Tight Security Bounds for OMAC, XCBC and TMAC
OMAC -- a single-keyed variant of CBC-MAC by Iwata and
Kurosawa -- is a widely used and standardized (NIST FIPS 800-38B, ISO/IEC 29167-10:2017) message authentication code (MAC) algorithm. The best security bound for OMAC is due to Nandi who proved that OMAC's pseudorandom function (PRF) advantage is upper bounded by O(q^2\ell/2^n), where n, q, and \ell, denote the block size of the underlying block cipher, the number of queries, and the maximum permissible query length (in terms of n-bit blocks), respectively. In contrast, there
is no attack with matching lower bound. Indeed, the best known attack on OMAC is the folklore birthday attack achieving a lower bound of \Omega(q^2/2^n). In this work, we close this gap for a large range of message lengths. Specifically, we show that OMAC's PRF security is upper bounded by O(q^2/2^n + q\ell^2/2^n). In practical terms, this means that for a 128-bit block cipher, and message lengths up to 64 Gigabyte, OMAC
can process up to 264 messages before rekeying (same as the birthday bound). In comparison, the previous bound only allows 248 messages. As a side-effect of our proof technique, we also derive similar tight security bounds for XCBC (by Black and Rogaway) and TMAC (by Kurosawa and Iwata). As a direct consequence of this work, we have established tight security bounds (in a wide range of \ell) for all the CBC-MAC variants, except for the original CBC-MAC
Notions and relations for RKA-secure permutation and function families
The theory of designing block ciphers is mature, having seen signi¯cant
progress since the early 1990s for over two decades, especially during the AES devel-
opment e®ort. Nevertheless, interesting directions exist, in particular in the study of
the provable security of block ciphers along similar veins as public-key primitives, i.e.
the notion of pseudorandomness (PRP) and indistinguishability (IND). Furthermore,
recent cryptanalytic progress has shown that block ciphers well designed against known
cryptanalysis techniques including related-key attacks (RKA) may turn out to be less
secure against related-key attacks than expected. The notion of provable security of
block ciphers against related-key attacks was initiated by Bellare and Kohno, and sub-
sequently treated by Lucks. Concrete block cipher constructions were proposed therein
with provable security guarantees. In this paper, we are interested in the security no-
tions for RKA-secure block ciphers
On The Exact Security of Message Authentication Using Pseudorandom Functions
Traditionally, modes of Message Authentication Codes(MAC) such as Cipher Block Chaining (CBC) are instantiated using block ciphers or keyed Pseudo Random Permutations(PRP). However, one can also use domain preserving keyed Pseudo Random Functions(PRF) to instantiate MAC modes. The very first security proof of CBC-MAC [BKR00], essentially modeled the PRP as a PRF. Until now very little work has been done to investigate the difference between PRP vs PRF instantiations. Only known result is the rather loose folklore PRP-PRF transition of any PRP based security proof, which looses a factor of Ο( σ2/2n ) (domain of PRF/PRP is {0, 1}n and adversary makes σ many PRP/PRF calls in total). This loss is significant, considering the fact tight Θ( q2/2n ) security bounds have been known for PRP based EMAC and ECBC constructions (where q is the total number of adversary queries). In this work, we show for many variations of encrypted CBC MACs (i.e. EMAC, ECBC, FCBC, XCBC and TCBC), random function based instantiation has a security bound Ο( qσ/2n ). This is a significant improvement over the folklore PRP/PRF transition. We also show this bound is optimal by providing an attack against the underlying PRF based CBC construction. This shows for EMAC, ECBC and FCBC, PRP instantiations are substantially more secure than PRF instantiations. Where as, for XCBC and TMAC, PRP instantiations are at least as secure as PRF instantiations
LNCS
This paper studies the concrete security of PRFs and MACs obtained by keying hash functions based on the sponge paradigm. One such hash function is KECCAK, selected as NIST’s new SHA-3 standard. In contrast to other approaches like HMAC, the exact security of keyed sponges is not well understood. Indeed, recent security analyses delivered concrete security bounds which are far from existing attacks. This paper aims to close this gap. We prove (nearly) exact bounds on the concrete PRF security of keyed sponges using a random permutation. These bounds are tight for the most relevant ranges of parameters, i.e., for messages of length (roughly) l ≤ min{2n/4, 2r} blocks, where n is the state size and r is the desired output length; and for l ≤ q queries (to the construction or the underlying permutation). Moreover, we also improve standard-model bounds. As an intermediate step of independent interest, we prove tight bounds on the PRF security of the truncated CBC-MAC construction, which operates as plain CBC-MAC, but only returns a prefix of the output
Revisiting Structure Graphs: Applications to CBC-MAC and EMAC
In Crypto\u2705, Bellare et al. proved an bound for the PRF (pseudorandom function) security of the CBC-MAC based on an -bit random permutation , provided . Here an adversary can make at most prefix-free queries each having at most many ``blocks\u27\u27 (elements of ). In the same paper an bound for EMAC (or encrypted CBC-MAC) was proved, provided . Both proofs are based on {\bf structure graphs} representing all collisions among ``intermediate inputs\u27\u27 to during the computation of CBC. The problem of bounding PRF-advantage is shown to be reduced to bounding the number of structure graphs satisfying certain collision patterns. In the present paper, we show that the Lemma 10 in the Crypto \u2705 paper, stating an important result on structure graphs, is incorrect. This is due to the fact that the authors overlooked certain structure graphs. This invalidates the proofs of the PRF bounds. In ICALP \u2706, Pietrzak improved the bound for EMAC by showing a tight bound under the restriction that . As he used the same flawed lemma, this proof also becomes invalid. In this paper, we have revised and sometimes simplified these proofs. We revisit structure graphs in a slightly different mathematical language and provide a complete characterization of certain types of structure graphs. Using this characterization, we show that PRF security of CBC-MAC is about provided where is the total number of blocks in all queries. We also recover tight bound for PRF security of EMAC with a much relaxed constraint () than the original ()
EHE: nonce misuse-resistant message authentication
We propose a nonce misuse-resistant message authentication scheme called EHE (Encrypt-Hash-Encrypt). In EHE, a message-dependent polynomial is evaluated at the point which is an encrypted nonce. The resulting polynomial hash value is encrypted again and becomes an authentication tag. We prove the prf-security of the EHE scheme and extend it to two authenticated encryption modes which follow the “encrypt-then-authenticate” paradigm
MAC Constructions: Security Bounds and Distinguishing Attacks
We provide a simple and improved security analysis of PMAC, a
Parallelizable MAC (Message Authentication Code) defined over
arbitrary messages. A similar kind of result was shown by Bellare,
Pietrzak and Rogaway at Crypto 2005, where they have provided an
improved bound for CBC (Cipher Block Chaining) MAC, which was
introduced by Bellare, Killan and Rogaway at Crypto 1994. Our
analysis idea is much more simpler to understand and is borrowed
from the work by Nandi for proving Indistinguishability at
Indocrypt 2005 and work by Bernstein. It shows that the advantage
for any distinguishing attack for n-bit PMAC based on a random
function is bounded by O(σq / 2^n), where
σ is the total number of blocks in all q queries made by
the attacker. In the original paper by Black and Rogaway at
Eurocrypt 2002 where PMAC was introduced, the bound is
O(σ^2 / 2^n).
We also compute the collision probability of CBC MAC for suitably
chosen messages. We show that the probability is Ω( lq^2 / N) where l is the number of message blocks, N is the
size of the domain and q is the total number of queries. For
random oracles the probability is O(q^2 / N). This improved
collision probability will help us to have an efficient
distinguishing attack and MAC-forgery attack. We also show that the
collision probability for PMAC is Ω(q^2 / N) (strictly greater
than the birthday bound). We have used a purely combinatorial
approach to obtain this bound. Similar analysis can be made for
other CBC MAC extensions like XCBC, TMAC and OMAC
Universal Forgery and Key Recovery Attacks: Application to FKS, FKD and Keyak
In this paper, we provide a security analysis of the Full-State Keyed Sponge (FKS), Full-State Keyed Duplex (FKD) and Keyak, one of the third-round CAESAR candidates, in the classic setting and the quantum model, respectively. In the classic setting, we present an universal forgery attack that can be implemented in queries, where is the capacity.
In the quantum model, by utilizing the Simon\u27s algorithm, we propose an efficient universal forgery attack to FKS, FKD and Keyak with complexity of . Moreover, we also propose an efficient key recovery attack that can be implemented in . Such attacks show that FKS, FKD and Keyak is completely broken in the quantum model
- …