On the security of XCBC, TMAC and OMAC

The security provided by the XCBC, TMAC and OMAC schemes is analysed and compared with other MAC schemes. The results imply that there is relatively little to be gained practically through the introduction of these schemes by comparison with other well-established MAC functions. Moreover, TMAC and OMAC possess design weaknesses which enable part of the secret key to be recovered much more easily than would ideally be the case — design changes are suggested which alleviate this problem. Whether or not the proofs of security are retrievable for the modified designs remains an open question, although the need for change would appear to be clear

Towards Tight Security Bounds for OMAC, XCBC and TMAC

OMAC -- a single-keyed variant of CBC-MAC by Iwata and Kurosawa -- is a widely used and standardized (NIST FIPS 800-38B, ISO/IEC 29167-10:2017) message authentication code (MAC) algorithm. The best security bound for OMAC is due to Nandi who proved that OMAC's pseudorandom function (PRF) advantage is upper bounded by O(q^2\ell/2^n), where n, q, and \ell, denote the block size of the underlying block cipher, the number of queries, and the maximum permissible query length (in terms of n-bit blocks), respectively. In contrast, there is no attack with matching lower bound. Indeed, the best known attack on OMAC is the folklore birthday attack achieving a lower bound of \Omega(q^2/2^n). In this work, we close this gap for a large range of message lengths. Specifically, we show that OMAC's PRF security is upper bounded by O(q^2/2^n + q\ell^2/2^n). In practical terms, this means that for a 128-bit block cipher, and message lengths up to 64 Gigabyte, OMAC can process up to 264 messages before rekeying (same as the birthday bound). In comparison, the previous bound only allows 248 messages. As a side-effect of our proof technique, we also derive similar tight security bounds for XCBC (by Black and Rogaway) and TMAC (by Kurosawa and Iwata). As a direct consequence of this work, we have established tight security bounds (in a wide range of \ell) for all the CBC-MAC variants, except for the original CBC-MAC

On The Exact Security of Message Authentication Using Pseudorandom Functions

Traditionally, modes of Message Authentication Codes(MAC) such as Cipher Block Chaining (CBC) are instantiated using block ciphers or keyed Pseudo Random Permutations(PRP). However, one can also use domain preserving keyed Pseudo Random Functions(PRF) to instantiate MAC modes. The very first security proof of CBC-MAC [BKR00], essentially modeled the PRP as a PRF. Until now very little work has been done to investigate the difference between PRP vs PRF instantiations. Only known result is the rather loose folklore PRP-PRF transition of any PRP based security proof, which looses a factor of Ο( σ2/2n ) (domain of PRF/PRP is {0, 1}n and adversary makes σ many PRP/PRF calls in total). This loss is significant, considering the fact tight Θ( q2/2n ) security bounds have been known for PRP based EMAC and ECBC constructions (where q is the total number of adversary queries). In this work, we show for many variations of encrypted CBC MACs (i.e. EMAC, ECBC, FCBC, XCBC and TCBC), random function based instantiation has a security bound Ο( qσ/2n ). This is a significant improvement over the folklore PRP/PRF transition. We also show this bound is optimal by providing an attack against the underlying PRF based CBC construction. This shows for EMAC, ECBC and FCBC, PRP instantiations are substantially more secure than PRF instantiations. Where as, for XCBC and TMAC, PRP instantiations are at least as secure as PRF instantiations

A Unified Method for Improving PRF Bounds for a Class of Blockcipher based MACs

This paper provides a unified framework for {\em improving} \PRF(pseudorandom function) advantages of several popular MACs (message authentication codes) based on a blockcipher modeled as \tx{RP} (random permutation). In many known MACs, the inputs of the underlying blockcipher are defined to be some deterministic affine functions of previously computed outputs of the blockcipher. Keeping the similarity in mind, we introduce a class of \tx{ADE}s (affine domain extensions) and a wide subclass of \tx{SADE}s (secure \tx{ADE}) containing \mathcal{C} = \{ \tx{CBC-MAC},\ \tx{GCBC}^*,\ \tx{OMAC},\ \tx{PMAC} \}. We define a parameter $N(t,q)$ for each domain extension and show that all \tx{SADE}s have \PRF advantages $O(tq/2^n + N(t,q)/2^n)$ where $t$ is the total number of blockcipher computations needed for all $q$ queries. We prove that \PRF advantage of any \tx{SADE} is $O(t^2/2^n)$ by showing that $N(t,q)$ is always at most ${t \choose 2}$. We provide a better estimate $O(tq)$ of $N(t,q)$ for all members of $\mathcal{C}$ and hence these MACs have {\em improved advantages $O(tq / 2^n)$}. Our proposed bounds for \tx{CBC-MAC} and \tx{GCBC}^* are better than previous best known bounds

MAC Constructions: Security Bounds and Distinguishing Attacks

We provide a simple and improved security analysis of PMAC, a Parallelizable MAC (Message Authentication Code) defined over arbitrary messages. A similar kind of result was shown by Bellare, Pietrzak and Rogaway at Crypto 2005, where they have provided an improved bound for CBC (Cipher Block Chaining) MAC, which was introduced by Bellare, Killan and Rogaway at Crypto 1994. Our analysis idea is much more simpler to understand and is borrowed from the work by Nandi for proving Indistinguishability at Indocrypt 2005 and work by Bernstein. It shows that the advantage for any distinguishing attack for n-bit PMAC based on a random function is bounded by O(σq / 2^n), where σ is the total number of blocks in all q queries made by the attacker. In the original paper by Black and Rogaway at Eurocrypt 2002 where PMAC was introduced, the bound is O(σ^2 / 2^n). We also compute the collision probability of CBC MAC for suitably chosen messages. We show that the probability is Ω( lq^2 / N) where l is the number of message blocks, N is the size of the domain and q is the total number of queries. For random oracles the probability is O(q^2 / N). This improved collision probability will help us to have an efficient distinguishing attack and MAC-forgery attack. We also show that the collision probability for PMAC is Ω(q^2 / N) (strictly greater than the birthday bound). We have used a purely combinatorial approach to obtain this bound. Similar analysis can be made for other CBC MAC extensions like XCBC, TMAC and OMAC

Revisiting Structure Graphs: Applications to CBC-MAC and EMAC

In Crypto\u2705, Bellare et al. proved an $O(\ell q^2 /2^n)$ bound for the PRF (pseudorandom function) security of the CBC-MAC based on an $n$-bit random permutation $\Pi$, provided $\ell < 2^{n/3}$. Here an adversary can make at most $q$ prefix-free queries each having at most $\ell$ many ``blocks\u27\u27 (elements of $\{0,1\}^n$). In the same paper an $O(\ell^{o(1)} q^2 /2^n)$ bound for EMAC (or encrypted CBC-MAC) was proved, provided $\ell < 2^{n/4}$. Both proofs are based on {\bf structure graphs} representing all collisions among ``intermediate inputs\u27\u27 to $\Pi$ during the computation of CBC. The problem of bounding PRF-advantage is shown to be reduced to bounding the number of structure graphs satisfying certain collision patterns. In the present paper, we show that the Lemma 10 in the Crypto \u2705 paper, stating an important result on structure graphs, is incorrect. This is due to the fact that the authors overlooked certain structure graphs. This invalidates the proofs of the PRF bounds. In ICALP \u2706, Pietrzak improved the bound for EMAC by showing a tight bound $O(q^2/2^n)$ under the restriction that $\ell < 2^{n/8}$. As he used the same flawed lemma, this proof also becomes invalid. In this paper, we have revised and sometimes simplified these proofs. We revisit structure graphs in a slightly different mathematical language and provide a complete characterization of certain types of structure graphs. Using this characterization, we show that PRF security of CBC-MAC is about $\sigma q /2^n$ provided $\ell < 2^{n/3}$ where $\sigma$ is the total number of blocks in all queries. We also recover tight bound for PRF security of EMAC with a much relaxed constraint ($\ell < 2^{n/4}$) than the original ($\ell < 2^{n/8}$)

A MAC Mode for Lightweight Block Ciphers

status: accepte

LNCS

This paper studies the concrete security of PRFs and MACs obtained by keying hash functions based on the sponge paradigm. One such hash function is KECCAK, selected as NIST’s new SHA-3 standard. In contrast to other approaches like HMAC, the exact security of keyed sponges is not well understood. Indeed, recent security analyses delivered concrete security bounds which are far from existing attacks. This paper aims to close this gap. We prove (nearly) exact bounds on the concrete PRF security of keyed sponges using a random permutation. These bounds are tight for the most relevant ranges of parameters, i.e., for messages of length (roughly) l ≤ min{2n/4, 2r} blocks, where n is the state size and r is the desired output length; and for l ≤ q queries (to the construction or the underlying permutation). Moreover, we also improve standard-model bounds. As an intermediate step of independent interest, we prove tight bounds on the PRF security of the truncated CBC-MAC construction, which operates as plain CBC-MAC, but only returns a prefix of the output

On Internal Re-keying

In this paper we introduce a classification of existing re-keying-based approaches to increase the security of block cipher operation modes. We introduce the concepts of external and internal re-keying putting the focus on the second one. Whereas the external re-keying approach is widely used and provides the mechanism of key usage control on a message stream processing level, the internal re-keying approach is the first known mechanism providing such a control on a single message processing level. These approaches can be applied completely independently. The internal re-keying approach was already applied to the CTR encryption mode and yielded the CTR-ACPKM mode. This mode is currently being standardized in ISO and in IETF/IRTF (CFRG). In the current paper we apply the internal re-keying approach to the well-known GCM authenticated encryption mode. The main results of this paper are a new internally re-keyed GCM-ACPKM mode and its security bounds. The proposed mode is also passing through the last formal standardization stages in IETF (CFRG). We estimate the security of the GCM-ACPKM mode respecting standard security notions. We compare both security and performance of the GCM-ACPKM and GCM modes. The results show that changing GCM mode by integrating the ACPKM internal re-keying procedure increases security, significantly extending the lifetime of a key with a negligible loss in performance. Also we show how the re-keying approaches could increase the security of TLS 1.3 cipher suites