DoveMAC, Tony Grochow, Eik List, Mridul Nandi, Bauhaus-Universität Weimar: PowerPoint PPT presentation

  1. DoveMAC. Tony Grochow (1), Eik List (1), Mridul Nandi (2). (1) Bauhaus-Universität Weimar, Germany; (2) Indian Statistical Institute, Kolkata, India. Nov 2020. Footer on every slide: Tony Grochow, Eik List, Mridul Nandi, Nov 2020, 1/32, DoveMAC

  2. Section 1: Motivation

  3. Message Authentication Codes. Goal: data authentication via unforgeable authentication tags. MACs can be stateful, randomized, nonce-based, or stateless deterministic (our focus).

  4. Message Authentication Codes: MAC and PRF Security.
     MAC security: $\mathrm{Adv}^{\mathrm{MAC}}_{F}(A) \stackrel{\text{def}}{=} \Pr_{K \twoheadleftarrow \mathcal{K}}[A \text{ forges}]$.
     PRF security: $\mathrm{Adv}^{\mathrm{PRF}}_{F}(A) \stackrel{\text{def}}{=} \Delta_A(F_K;\ \$)$, where
     $\Delta_A(X; Y) := \left| \Pr\left[A^{X} \Rightarrow 1\right] - \Pr\left[A^{Y} \Rightarrow 1\right] \right|$
     over the random choice of keys, the oracles $X$ and $Y$, and the coins of $A$, if any. The oracle $\$$ returns $|F_K(M)|$ uniformly random bits on any input $M$.

  5. Block-cipher-based MACs. Sequential: CMAC [Dwo16]. Parallel: PMAC [BR02]. Various standards: CMAC [Dwo16], OMAC [IK03], f9 [ETS01], PMAC [BR02], ...

  6. Tweakable Block Ciphers (TBCs) for MACs. TBCs [LRW02] are keyed families of permutations $\widetilde{E}: \mathbb{F}_2^k \times \mathbb{F}_2^t \times \mathbb{F}_2^n \to \mathbb{F}_2^n$ with an additional public tweak $T$. (Not only) for MACs, tweaks are useful for: domain separation $\Rightarrow$ security; additional message input $\Rightarrow$ efficiency. Constructions: PMAC_TBC1k/PMAC_TBC3k [Nai15], HaT [CLS17], ZMAC [IMPS17], hashes in TBC-based AE schemes.

  7. TBC-based Parallel MACs: ZMAC [IMPS17]. Combines: + high security: $(n+t)/2$ bits; + parallelizable; + high efficiency: $n+t$ bits per primitive call. But: it needs relatively much memory, which may be an obstacle for microcontrollers or constrained environments. Can we keep the high rate and high security of ZMAC but reduce its state size?

  8. Section 2: DoveMAC

  9. DoveMAC Hash. Processes $(n+t)$ bits per TBC call. Top lane: $t$ bits, extended or truncated after each call. Bottom lane: $n$ bits; the TBC output is fed forward to the bottom lane after each call. Checksum $\Theta = \bigoplus_{i=1}^{m} T_i$, needed for beyond-birthday security.

  10. DoveMAC Finalization. Instance of Hash-as-Tweak (HaT) [CLS17] or its generalization Hash-then-TBC (HtTBC) [LN17]. Easily extendable to a variable-output-length PRF. $n$-bit secure if the hash function $H$ is optimal. A single-key version is easily obtainable: reserve one tweak domain bit.

  11. Section 3: Proof Sketch

  12. Proof Sketch: PRF Security of DoveMAC. Steps: (1) replace the primitives with ideal tweakable permutations; (2) reduce to Hash-then-TBC; (3) upper bound the collision probability of DoveHash; (4) upper bound the truncated almost-universality of DoveHash.

  13. Proof Sketch: Notions.
     Definition 1 (Collision Probability). Collision among at most $q$ pairwise distinct messages $M \neq M'$ of at most $m$ $b$-bit blocks each and $\sigma$ $b$-bit blocks in total:
     $\mathrm{coll}_H(b, q, m, \sigma) \stackrel{\text{def}}{=} \Pr_{K \twoheadleftarrow \mathcal{K}}\left[ H_K(M) = H_K(M') \text{ for some } M \neq M' \right]$.
     Definition 2 (Truncated Almost-Universality). $H: \mathcal{K} \times \mathcal{M} \to \mathbb{F}_2^t \times \mathbb{F}_2^n$ is $(t, n, \epsilon)$-truncated-AU if for all $M \neq M'$:
     $\Pr_{K \twoheadleftarrow \mathcal{K}}\left[ H_K(M) \oplus H_K(M') = (0^t, \Delta) \text{ for some } \Delta \in \mathbb{F}_2^n \right] \le \epsilon$.
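As an added example (not the authors' code and not the DoveMAC specification), the following Python models the two-lane structure from the DoveMAC Hash slide, the Hash-then-TBC finalization, and then measures the events of Definitions 1 and 2 by brute force over random keys. Everything concrete is an assumption: the toy widths $n = 4$ and $t = 3$, the ideal TBC modelled as one random permutation per tweak, the exact lane wiring (top lane XORed with $T_i$ as the tweak, bottom lane XORed with $I_i$ as the input, feed-forward of the output into the bottom lane, truncation keeping the high bits, the checksum $\Theta$ folded into the top lane at the end), and the omission of padding.

```python
import hmac
import random

# Toy parameters, constructed for illustration only: an n-bit TBC block and a
# t-bit tweak. Real instantiations would use n = t = 128 or similar.
N_BITS = 4
T_BITS = 3
N_MASK = (1 << N_BITS) - 1
T_MASK = (1 << T_BITS) - 1


class ToyTBC:
    """Model of an ideal tweakable permutation (the proof's pi-tilde):
    one independent random permutation of {0, ..., 2^n - 1} per tweak, derived
    deterministically from a key string. It is a stand-in, not a real cipher."""

    def __init__(self, key):
        self._key = key
        self._perms = {}

    def encrypt(self, tweak, x):
        if tweak not in self._perms:
            perm = list(range(1 << N_BITS))
            # str seeds are hashed deterministically, so the permutation for a
            # given (key, tweak) pair is the same across runs and query orders.
            random.Random(f"{self._key}:{tweak}").shuffle(perm)
            self._perms[tweak] = perm
        return self._perms[tweak][x & N_MASK]


def fit_to_t(y):
    """Top lane carries t bits: zero-extend (a no-op on ints) or truncate the
    n-bit TBC output to t bits after each call."""
    if T_BITS >= N_BITS:
        return y
    return y >> (N_BITS - T_BITS)  # keep the t most significant bits (assumed choice)


def dove_hash(blocks, tbc):
    """Two-lane hash as sketched on the DoveMAC Hash slide. blocks is a list of
    (T_i, I_i) pairs: T_i is a t-bit tweak part, I_i an n-bit input part, so each
    TBC call absorbs n + t message bits; padding is assumed to be done already.
    Returns (top, bottom) in F_2^t x F_2^n. The lane wiring below is an assumed
    reading of the slide, not the paper's exact specification."""
    u, s, theta = 0, 0, 0            # top lane, bottom lane, checksum
    for t_i, i_i in blocks:
        tweak = (u ^ t_i) & T_MASK    # top lane combined with the tweak part
        x = (s ^ i_i) & N_MASK        # bottom lane combined with the input part
        y = tbc.encrypt(tweak, x)
        s = y ^ x                     # feed-forward of the TBC output into the bottom lane
        u = fit_to_t(y)               # top lane: t bits, extended or truncated
        theta ^= t_i                  # checksum Theta = XOR of the tweak parts
    return (u ^ theta) & T_MASK, s    # checksum folded into the top lane (assumed placement)


def dovemac_tag(blocks, key):
    """Hash-then-TBC finalization: the t-bit hash part becomes the tweak and the
    n-bit part the input of a second, independently keyed TBC."""
    h_top, h_bot = dove_hash(blocks, ToyTBC(f"{key}/hash"))
    return ToyTBC(f"{key}/fin").encrypt(h_top, h_bot)


def dovemac_verify(blocks, key, tag):
    """Recompute and compare in constant time; out-of-range tags are rejected
    instead of being silently masked down to a valid value."""
    if not 0 <= tag <= N_MASK:
        return False
    expected = dovemac_tag(blocks, key)
    return hmac.compare_digest(bytes([expected]), bytes([tag]))


def estimate_truncated_au(blocks_a, blocks_b, trials):
    """Empirical counterparts of Definitions 1 and 2 for one fixed pair M != M',
    sampling a fresh key per trial. Returns (collision_rate, top_zero_rate):
    top_zero_rate is the frequency of H_K(M) xor H_K(M') = (0^t, Delta) for some
    Delta, the event that truncated almost-universality bounds by epsilon;
    collision_rate is the stricter full-collision event of Definition 1."""
    if blocks_a == blocks_b:
        raise ValueError("messages must be distinct")
    collisions = top_zero = 0
    for k in range(trials):
        tbc = ToyTBC(f"trial-{k}")    # fresh random key, i.e. fresh ideal permutations
        top_a, bot_a = dove_hash(blocks_a, tbc)
        top_b, bot_b = dove_hash(blocks_b, tbc)
        if top_a == top_b:
            top_zero += 1
            if bot_a == bot_b:
                collisions += 1
    return collisions / trials, top_zero / trials


if __name__ == "__main__":
    msg = [(1, 2), (3, 4)]            # constructed sample message: two (T_i, I_i) blocks
    tag = dovemac_tag(msg, "demo-key")
    print("tag:", tag, "verify:", dovemac_verify(msg, "demo-key", tag))
    # Messages differing only in one tweak part T_i: a full collision is impossible
    # because the checksums differ, but the top lanes agree for about 1/2^t of the keys.
    print("(coll, tAU) rates:", estimate_truncated_au(msg, [(1, 2), (2, 4)], 2000))
```

Running the script prints a tag, its verification result, and the empirical (collision, truncated-AU) rates for a constructed message pair that differs in a single tweak part. With these toy parameters the top lanes coincide for roughly $1/2^t$ of the keys while a full collision never occurs, which makes visible the gap between Definition 1 and the weaker Definition 2 that the separate $\epsilon_2$ term of Theorem 3 accounts for.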

  14. Proof Sketch: (1) Ideal Primitive. Replace the primitives with ideal tweakable permutations: from $\widetilde{E}_{K_1}, \widetilde{E}_{K_2}$ with $K_1, K_2 \twoheadleftarrow \mathcal{K}$ to $\widetilde{\pi}, \widetilde{\pi}' \twoheadleftarrow \widetilde{\mathrm{Perm}}(\mathbb{F}_2^t, \mathbb{F}_2^n)$:
     $\mathrm{Adv}^{\mathrm{PRF}}_{\mathrm{DoveMAC}[\widetilde{E}_{K_1}, \widetilde{E}_{K_2}]}(A) \le \mathrm{Adv}^{\mathrm{PRF}}_{\mathrm{DoveMAC}[\widetilde{\pi}, \widetilde{\pi}']}(A') + (\sigma + q) \cdot \mathrm{Adv}^{\mathrm{TPRP}}_{\widetilde{E}_K}(A'')$.

  15. Proof Sketch: (2) Reduce to HtTBC.
     $\mathrm{Adv}^{\mathrm{PRF}}_{\mathrm{DoveMAC}[\widetilde{\pi}, \widetilde{\pi}']}(A) \le \mathrm{Adv}^{\mathrm{PRF}}_{\mathrm{HtTBC}[\widetilde{\pi}', \mathrm{DoveHash}[\widetilde{\pi}]]}(A')$.
     Theorem 3 (PRF Security of HtTBC [LN17]). Let $H$ denote $\mathrm{DoveHash}[\widetilde{\pi}]$. Assume that $\mathrm{coll}_H(n+t, q, m, \sigma) \le \epsilon_1$ and that $H$ is $(t, n, \epsilon_2)$-tAU. Let $A$ be a PRF adversary against $\mathrm{HtTBC}[\widetilde{\pi}', H]$ that makes at most $q$ queries, each consisting of at most $m$ $(t+n)$-bit blocks after padding, summing to at most $\sigma$ $(t+n)$-bit blocks in total. Then
     $\mathrm{Adv}^{\mathrm{PRF}}_{\mathrm{HtTBC}[\widetilde{\pi}', \mathrm{DoveHash}[\widetilde{\pi}]]}(A) \le \epsilon_1 + \frac{\binom{q}{2} \cdot \epsilon_2}{2^n}$.

  16. Proof Sketch: (3) Upper Bounding the Collision Probability. Structure graphs [BPR05]: vertices $V$: state values $v_i = B_i = (U_i, S_i)$; edges $E$: transitions $(v_i, v_{i+1}, \lambda_i)$; labels $\Lambda$: $\lambda_i = (T_i, I_i)$; walk: a sequence of vertices $v = (v_0, \ldots, v_m)$.

  17. Proof Sketch: (3) Upper Bounding the Collision Probability. Bad structure graphs in a message $M$ (for $m, \sigma < 2^{n-2}$):
     $\Pr[\mathrm{bad}_1] \le \frac{m}{2^n - m}$, $\Pr[\mathrm{bad}_2] \le \frac{m}{2^n - m}$,
     $\Pr[\mathrm{bad}_3] \le \frac{2^{\max(0, n-t)} \binom{m}{2}}{(2^n - m)^2}$, $\Pr[\mathrm{bad}_4] \le \frac{2^{\max(0, n-t)} \binom{m}{2}}{(2^n - m)^2}$.
     Over all $q$ messages:
     $\Pr[\mathrm{bad}] \le \sum_{i=1}^{q} \left( 2 \cdot \frac{m}{2^n - \sigma} + 2 \cdot \frac{2^{\max(0, n-t)} \binom{m}{2}}{(2^n - \sigma)^2} \right) \le \frac{4\sigma}{2^n} + \frac{4 q m^2}{2^{n + \min(n, t)}}$.

  18. Proof Sketch: (3) Upper Bounding the Collision Probability. Good structure graphs of messages $M$ and $M'$ (for $m, \sigma < 2^{n-2}$):
     $\Pr[\mathrm{good}_i] \le \frac{2^{\max(0, n-t)} \binom{m}{2}}{(2^n - 2m)^2}$ for each of the four cases $i = 1, \ldots, 4$.
     Over all messages:
     $\Pr[\mathrm{good}] \le \sum_{i=1}^{q} 4 \cdot \frac{2^{\max(0, n-t)} \binom{m}{2}}{(2^n - 2\sigma)^2} \le \frac{4 q^2 m^2}{2^{n + \min(n, t)}}$.

  19. Proof Sketch: (3) Upper Bounding the Collision Probability. Lemma 4 (Collision Probability of $\mathrm{DoveHash}[\widetilde{\pi}]$). Let $\sigma < 2^{n-2}$. Then
     $\mathrm{coll}_{\mathrm{DoveHash}[\widetilde{\pi}]}(t+n, q, m, \sigma) \le \frac{4\sigma}{2^n} + \frac{4 q m^2 + 4 q^2 m^2}{2^{n + \min(n, t)}}$.

  20. Proof Sketch: (4) Upper Bounding Truncated-AU Security. Bad walks: an output loop or a non-trivial output collision (for $m, \sigma < 2^{n-2}$).
     Collision $X_i = X_j$ within $M$: $\Pr[\mathrm{bad}_1] \le \frac{\binom{m}{2}}{2^n - 2m}$.
     Collision $X_i = X'_j$ between $M$ and $M'$: $\Pr[\mathrm{bad}_2] \le \frac{\binom{m}{2}}{2^n - 2m}$.
     $\Pr[\mathrm{bad}] \le \mathrm{coll}_{\mathrm{DoveHash}[\widetilde{\pi}]}(t+n, 2, m, 2m) + 2 \cdot \frac{\binom{m}{2}}{2^n - 2\sigma} \le \mathrm{coll}_{\mathrm{DoveHash}[\widetilde{\pi}]}(t+n, 2, m, 2m) + \frac{2 m^2}{2^n}$.

  21. Proof Sketch: (4) Upper Bounding Truncated-AU Security. Good walks: a collision $X = X'$ without a bad event (for $m, \sigma < 2^{n-2}$).
