BBB Secure Nonce Based MAC Using Public Permutation

Avijit Dutta and Mridul Nandi, Indian Institute of Technology, Kharagpur, India. AFRICACRYPT, 2020. June 30, 2020. Talk sections: Introduction, Motivation, Security Result, Attack, Security Proof.


  1. BBB Secure Nonce Based MAC Using Public Permutation. Avijit Dutta and Mridul Nandi, Indian Institute of Technology, Kharagpur, India. AFRICACRYPT, 2020. June 30, 2020.

  2. Nonce Based MAC. [Diagram: the signing algorithm $\mathrm{Sign}_k$ takes a nonce $N$ and a message $M$; the verification algorithm $\mathrm{Ver}_k$ takes $(N, M, T)$ and returns ⊤ / ⊥.]

  5. Security Model. [Diagram: tagging queries $(N, M)$ are answered with $T = \mathrm{Sign}_k(N, M)$; verification queries $(N, M, T)$ are answered with ⊤ / ⊥.] $q$ = the number of tagging queries; $v$ = the number of verification queries. (Nonce Respecting): the nonce is unique in MAC queries; it can repeat in verification queries.

  6. Security Model. [Same diagram: $q$ tagging queries $(N, M)$ answered with $T = \mathrm{Sign}_k(N, M)$, $v$ verification queries $(N, M, T)$ answered with ⊤ / ⊥.] Can Eve forge a valid tag for a message that Alice never saw?

  7. Nonce Based MAC Built on Public Permutations. [Diagram: the signing algorithm $\mathrm{Sign}^P_k$ takes $N$ and $M$; the verification algorithm $\mathrm{Ver}^P_k$ takes $(N, M, T)$ and returns ⊤ / ⊥.]

  8. Security Model of Nonce Based MAC Built on Public Permutations. [Diagram: $q$ queries $(N, M)$ to $\mathrm{Sign}^P_k$ returning $T$, $v$ queries $(N, M, T)$ to $\mathrm{Ver}^P_k$ returning ⊤ / ⊥, and $p$ queries to the public permutation $(P, P^{-1})$.]

  10. MAC Based on (Tweakable) Block Cipher. [Table: MACs grouped by security level (Birthday, Beyond Birthday) and by primitive (BC, TBC). Entries: CBC, Tbc, WC, PMAC TBC3k, PMAC, PMAC+, ZMAC, GCBC, EWCDM, DoveMAC, LightMAC, LightMAC+.] Other MACs include cryptographic hash-based MACs (e.g., HMAC) and compression function based MACs (e.g., NMAC, NI, NI+).

  17. MAC Based on Public Permutations. Block ciphers and tweakable block ciphers are high-level primitives. These are designed to be efficiently evaluated in the reverse direction. MAC constructions do not require invertibility of the primitives. Can we design a MAC based on lower-level primitives like public permutations? Apparently yes! (Sponge construction.) It gives security up to $c/2$ bits, where $c$ is the capacity part of the sponge. Can we do better?

  18. Outline for the Rest of the Talk: motivation of the construction; security result; forging attack; a glimpse of the idea of the security proof.

  20. PRF Built from Public Permutations: Sparking Interest. SoEM21, SoEM1 (Chen et al., CRYPTO'19). [Diagrams: two constructions mapping a message $M$ to an output $C$, with keys ($k_1$, $k_2$ in one, $k$ in the other) XORed before and after two permutation calls ($P_1$, $P_2$ in one, $P$ in the other).] Birthday Bound Security.

  22. BBB PRF Built from Public Permutations. SoEM22 (Chen et al., CRYPTO'19). [Diagram: the message $M$ is XORed with $k_1$ and $k_2$, passed through $P_1$ and $P_2$, XORed with $k_1$ and $k_2$ again, and the two branches are XORed to give $C$.] Can we use this design to build a MAC that processes arbitrary-length messages from a public permutation?

  24. Nonce Based EHtM (Dutta et al., EUROCRYPT'19). [Diagram: nEHtM, with the message $M$ hashed by $H_{k_h}$, the nonce $N$, $(n-1)$-bit values prefixed by 0 and 1 as inputs to two calls of $E_k$, and the outputs XORed into the tag $T$.] Properties of nEHtM: nonce based MAC; $2n/3$-bit security; secure under the faulty nonce model; gives birthday bound security when the number of faulty nonces reaches $2^{n/2}$. Can we use this design to make a permutation based MAC?

  28. A Naive Approach. 2-round Iterated Even Mansour (Chen et al., CRYPTO'14). [Diagram: $E_k$ mapping $M$ to $C$, shown as ≈ two calls of $P$ with $\gamma_0(k)$, $\gamma_1(k)$, $\gamma_2(k)$ XORed before, between and after them; labelled $2n/3$.] Instantiate $E_k$ of nEHtM with 2-round Iterated Even Mansour. Drawback: gives BBB security but requires 4 permutation calls. Can we improve the number of permutation calls?

  29. nEHtM$_p$: Public Permutation Based BBB Secure Nonce Based MAC. [Diagram: the message $M$ hashed by $H_{k_h}$, the nonce $N$, $(n-1)$-bit values prefixed by 0 and 1, the key $k$ XORed in before two calls of $P$, and the outputs XORed into the tag $T$.]

  30. nEHtM$_p$: Public Permutation Based BBB Secure Nonce Based MAC. [Diagrams: nEHtM with two calls of $E_k$, side by side with nEHtM$_p$, where the two calls are to $P$ with the key $k$ XORed into the inputs.] $k$ is an $(n-1)$-bit random key. $P$ is an $n$-bit public random permutation. Masking of the key is necessary; otherwise, one can easily attack the system using offline queries to the public permutation.

  31. Security Result of nEHtM$_p$. $q$ = # of signing queries, $v$ = # of verification queries, $p$ = # of primitive queries. # of faulty nonces $\le 2^{n/3}$. $H$ is a $2^{-(n-1)}$-almost-xor universal and $2^{-(n-1)}$-almost regular hash function. Security advantage: $\mathbf{Adv}^{\mathrm{MAC}}_{\mathrm{nEHtM}_p}(q, v, p) \le O\!\left(\frac{q + v + p}{2^{2n/3}}\right) + O\!\left(\frac{pq^2 + qp^2 + vp^2}{2^{2n}}\right)$. Interpretation: if $q \approx 2^{2n/3}$, $v \approx 2^{2n/3}$ and $p \approx 2^{2n/3}$, then the scheme is secure.
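
A toy model of the nEHtM$_p$ data flow from slides 29 and 30, added here as an example and not taken from the talk or the paper. Assumptions: the wiring $T = P(0 \| (N \oplus k)) \oplus P(1 \| (N \oplus k \oplus H_{k_h}(M)))$ is a reading of the flattened diagram, $n = 16$ is a toy size, $P$ is a seeded shuffled table, and $H$ is multiplication in $GF(2^{15})$ on one nonzero block; all names are hypothetical.

```python
import hmac
import random

N_BITS = 16                  # toy permutation width n (assumed; far too small for real use)
HALF = N_BITS - 1            # nonce, key k and hash output are (n-1)-bit values
MASK = (1 << HALF) - 1
POLY = (1 << 15) | 0b11      # x^15 + x + 1, irreducible over GF(2)

# Public random permutation P, modelled as a fixed table that anyone can query.
P = list(range(1 << N_BITS))
random.Random(2020).shuffle(P)   # constructed seed: P is public, not secret

def gf_mul(a, b):
    """Multiply two elements of GF(2^(n-1)) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> HALF:
            a ^= POLY
    return r

def tag(k, kh, nonce, block):
    """Assumed wiring: T = P(0 || N^k) xor P(1 || N^k^H_kh(M))."""
    x = (nonce ^ k) & MASK                 # key mask hides the actual input of P
    h = gf_mul(kh, block & MASK)           # stand-in AXU hash of a single block
    return P[x] ^ P[(1 << HALF) | (x ^ h)]

class NEHtMp:
    def __init__(self, k, kh):
        self.k, self.kh, self.seen = k & MASK, kh & MASK, set()

    def sign(self, nonce, block):
        if nonce in self.seen:             # signer is nonce-respecting
            raise ValueError("nonce already used in a signing query")
        self.seen.add(nonce)
        return tag(self.k, self.kh, nonce, block)

    def verify(self, nonce, block, t):     # nonces may repeat in verification
        good = tag(self.k, self.kh, nonce, block)
        return hmac.compare_digest(good.to_bytes(2, "big"), t.to_bytes(2, "big"))
```

The signer refuses a repeated nonce while the verifier accepts any nonce, matching the nonce-respecting model on slide 5.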
