Revisiting Structure Graphs: Applications to CBC-MAC and EMAC

In Crypto\u2705, Bellare et al. proved an $O(\ell q^2 /2^n)$ bound for the PRF (pseudorandom function) security of the CBC-MAC based on an $n$-bit random permutation $\Pi$, provided $\ell < 2^{n/3}$. Here an adversary can make at most $q$ prefix-free queries each having at most $\ell$ many ``blocks\u27\u27 (elements of $\{0,1\}^n$). In the same paper an $O(\ell^{o(1)} q^2 /2^n)$ bound for EMAC (or encrypted CBC-MAC) was proved, provided $\ell < 2^{n/4}$. Both proofs are based on {\bf structure graphs} representing all collisions among ``intermediate inputs\u27\u27 to $\Pi$ during the computation of CBC. The problem of bounding PRF-advantage is shown to be reduced to bounding the number of structure graphs satisfying certain collision patterns. In the present paper, we show that the Lemma 10 in the Crypto \u2705 paper, stating an important result on structure graphs, is incorrect. This is due to the fact that the authors overlooked certain structure graphs. This invalidates the proofs of the PRF bounds. In ICALP \u2706, Pietrzak improved the bound for EMAC by showing a tight bound $O(q^2/2^n)$ under the restriction that $\ell < 2^{n/8}$. As he used the same flawed lemma, this proof also becomes invalid. In this paper, we have revised and sometimes simplified these proofs. We revisit structure graphs in a slightly different mathematical language and provide a complete characterization of certain types of structure graphs. Using this characterization, we show that PRF security of CBC-MAC is about $\sigma q /2^n$ provided $\ell < 2^{n/3}$ where $\sigma$ is the total number of blocks in all queries. We also recover tight bound for PRF security of EMAC with a much relaxed constraint ($\ell < 2^{n/4}$) than the original ($\ell < 2^{n/8}$)

Pseudo-Random Functions and Parallelizable Modes of Operations of a Block Cipher

This paper considers the construction and analysis of pseudo-random functions (PRFs) with specific reference to modes of operations of a block cipher. In the context of message authentication codes (MACs), earlier independent work by Bernstein and Vaudenay show how to reduce the analysis of relevant PRFs to some probability calculations. In the first part of the paper, we revisit this result and use it to prove a general result on constructions which use a PRF with a ``small\u27\u27 domain to build a PRF with a ``large\u27\u27 domain. This result is used to analyse two new parallelizable PRFs which are suitable for use as MAC schemes. The first scheme, called {\iPMAC}, is based on a block cipher and improves upon the well-known PMAC algorithm. The improvements consist in faster masking operations and the removal of a design stage discrete logarithm computation. The second scheme, called {\VPMAC}, uses a keyed compression function rather than a block cipher. The only previously known compression function based parallelizable PRF is called the protected counter sum (PCS) and is due to Bernstein. {\VPMAC} improves upon PCS by requiring lesser number of calls to the compression function. The second part of the paper takes a new look at the construction and analysis of modes of operations for authenticated encryption (AE) and for authenticated encryption with associated data (AEAD). Usually, the most complicated part in the security analysis of such modes is the analysis of authentication security. Previous work by Liskov, Rivest and Wagner and later Rogaway had suggested that this analysis is simplified by using a primitive called a tweakable block cipher (TBC). In contrast, we take a direct approach. We prove a general result which shows that the authentication security of an AE scheme can be proved from the privacy of the scheme and by showing a certain associated function to be a PRF. Two new AE schemes \sym{PAE} and \sym{PAE}-1 are described and analysed using this approach. In particular, it is shown that the authentication security of \sym{PAE} follows easily from the security of {\iPMAC}. As a result, no separate extensive analysis of the authentication security of \sym{PAE} is required. An AEAD scheme can be obtained by combining an AE scheme and an authentication scheme and it has been suggested earlier that a TBC based approach simplifies the analysis. Again, in contrast to the TBC based approach, we take a direct approach based on a simple masking strategy. Our idea uses double encryption of a fixed string and achieves the same effect of mask separation as in the TBC based approach. Using this idea, two new AEAD schemes \sym{PAEAD} and \sym{PAEAD}-1 are described. An important application of AEAD schemes is in the encryption of IP packets. The new schemes offer certain advantages over previously well known schemes such as the offset codebook (OCB) mode. These improvements include providing a wider variety of easily reconfigurable family of schemes, a small speed-up, a smaller size decryption algorithm for hardware implementation and uniform processing of only full-block messages

PRF Domain Extension Using DAGs

We prove a general domain extension theorem for pseudo-random functions (PRFs). Given a PRF F from n bits to n bits, it is well known that employing F in a chaining mode (CBC-MAC) yields a PRF on the bigger domain of mn bits. One can view each application of F in this chaining mode to be a node in a graph, and the chaining as the edges between the node. The resulting graph is just a line graph. In this paper, we show that the underlying graph can be an arbitrary directed acyclic graph (DAG), and the resulting function on the larger domain is still a PRF. The only requirement on the graph is that it have unique source and sink nodes, and no two nodes have the same set of incident nodes. A new highly parallelizable MAC construction follows which has a critical path of only m applications of F . If we allow Galois field arithmetic, we can consider edge-colored DAGs, where the colors represent multiplication in the field by the color. We prove an even more general theorem, where the only restriction on the colored DAGs is that if two nodes (u and v) have the same set of incident nodes W , then at least one w in W is incident on u and v with a different colored edge. PMAC (parallelizable message authentication [5]) is a simple example of such graphs. Finally, to handle variable length domain extension, we extend our theorem to a collection of DAGs. The general theorem allows one to have further optimizations over PMAC, and many modes which deal with variable lengths. All the results proven are under the adaptive adversary model. Keywords: PRF, MAC, DAG, partial order, Galois field