exact security analysis of hash then mask type
play

Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC - PowerPoint PPT Presentation

Message Authentication Code HtM Construction Contributions Conclusion Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions Avijit Dutta and Ashwin Jha and Mridul Nandi Indian Statistical Institute, Kolkata 27th


  1. Message Authentication Code HtM Construction Contributions Conclusion Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions Avijit Dutta and Ashwin Jha and Mridul Nandi Indian Statistical Institute, Kolkata 27th September, 2016 A.Dutta Exact Security Analysis of HtM Construction

  2. Message Authentication Code HtM Construction Contributions Conclusion Outline of the talk 1 Message Authentication Code. 2 HtM Construction. 3 Contributions. 4 Conclusion A.Dutta Exact Security Analysis of HtM Construction

  3. Message Authentication Code HtM Construction Contributions Conclusion MAC (Stateless and Deterministic): The Popular Story 1 Alice and Bob share a secret key K . A.Dutta Exact Security Analysis of HtM Construction

  4. Message Authentication Code HtM Construction Contributions Conclusion MAC (Stateless and Deterministic): The Popular Story 1 Alice and Bob share a secret key K . 2 Alice sends a message M with a tag T = MAC K ( M ) corresponding to the message M to Bob. A.Dutta Exact Security Analysis of HtM Construction

  5. Message Authentication Code HtM Construction Contributions Conclusion MAC (Stateless and Deterministic): The Popular Story 1 Alice and Bob share a secret key K . 2 Alice sends a message M with a tag T = MAC K ( M ) corresponding to the message M to Bob. 3 Data Integrity: Bob verifies the sender and the message by computing VER K ( M , T ) = 1. A.Dutta Exact Security Analysis of HtM Construction

  6. Message Authentication Code HtM Construction Contributions Conclusion MAC (Stateless and Deterministic): The Popular Story 1 Alice and Bob share a secret key K . 2 Alice sends a message M with a tag T = MAC K ( M ) corresponding to the message M to Bob. 3 Data Integrity: Bob verifies the sender and the message by computing VER K ( M , T ) = 1. Unforgeability Adversary asks for tags for queries of his choice. Goal is to generate any fresh, valid (message, tag) pair. Security Requirement: It should be HARD A.Dutta Exact Security Analysis of HtM Construction

  7. Message Authentication Code HtM Construction Contributions Conclusion MAC (Stateful or Probabilistic): The Popular Story • Alice sends a message M , an auxiliary variable IV with a tag T = MAC K ( M , IV ) corresponding to the message M and IV to Bob. • Data Integrity: Bob verifies the sender and the message by computing VER K ( M , IV , T ) = 1. Stateful MAC : When IV is a counter / nonce. (e.g XMACC, PCS) Probabilistic MAC : When IV is random. (e.g XMACR, EHtM) Unforgeability Adversary asks for T for queries M (Signing Query). Adversary asks fresh ( M , IV , T ) triplet and obtains 1 or 0. Succeed if the response is 1 (Verification Query). Security: Should be HARD to obtain response 1 A.Dutta Exact Security Analysis of HtM Construction

  8. Message Authentication Code HtM Construction Contributions Conclusion Pseudo Random Function (PRF) PRF Keyed function which is indistinguishable from a Random Function (RF) Indistinguishability Responses of adversary queries are given either using the function or a RF. Goal is to distinguish the function from a RF. Security Requirement: It should be HARD A.Dutta Exact Security Analysis of HtM Construction

  9. Message Authentication Code HtM Construction Contributions Conclusion Universal and AXU-Hash Universal Hash H is a n bit Universal Hash, if for all distinct values, the collision probability of H is negligible. Almost-XOR-Universal Hash H is a n bit AXU Hash, if for all distinct values x , x ′ and for all y , Pr[ H ( x ) ⊕ H ( x ′ ) = y ] is negligible. A.Dutta Exact Security Analysis of HtM Construction

  10. Message Authentication Code HtM Construction Contributions Conclusion Existing Result on Probablistic MAC Candidate Construction Rand Eff. Bound O ( q 2 XMACR[BGR’95] ( r , H ( m ) ⊕ f ( r )) n 1 H xu , 1 F [ n , n ] 2 n + q v ǫ ) O ( q 3 MACRX 3 [BGK’99] ( r 1 , r 2 , r 3 , 3 n 1 H xu , 3 F [ n , n ] 2 3 n + q v ǫ ) 3 � f ( r i ) ⊕ H ( m )) i =1 O ( ℓ ( q + q v ) ( r , f r RMAC[JJV’02] 2 (CBC f 1 ( m )) ( ℓ + 1) P [ n ] ) n 2 n FRMAC[JJ’04] ( r , π r ( H ( m ))) 1 H u , 1 P [ n , n ] O ( ℓ ( q + q v ) ǫ ) n O ( q 2 ǫ RWMAC[M’10] ( r , g ( r , H ( m ))) n 1 H u , 1 F [2 n , n ] 2 n + q v ǫ ) O ( q 3 ǫ EHtM[M’10] ( r , f ( r ) ⊕ g ( r ⊕ H ( m )) n 1 H xu , 2 F [ n , n ] 2 n + q v ǫ ) A.Dutta Exact Security Analysis of HtM Construction

  11. Message Authentication Code HtM Construction Contributions Conclusion HtM: Probabilistic MAC r m – n – n r m r m – n – n – n – n g g f f f – n – n – n – n – n t t t – – – n n n C1 : t := f ( r ) ⊕ m C3 : t := f ( r ) ⊕ g ( m ) C5 : t := f ( r ) ⊕ g ( r ⊕ m ) r m – ℓ – n r m – ℓ – n H – n H r m – ℓ – n – n g g f H f f – n – n – n – n – n – n t t t – – – n n n C2 : t := f ( r ) ⊕ H ( m ) C4 : t := f ( r ) ⊕ g ( H ( m )) C6 : t := f ( r ) ⊕ g ( r ⊕ H ( m )) A.Dutta Exact Security Analysis of HtM Construction

  12. Message Authentication Code HtM Construction Attack Idea Contributions Proof Idea Conclusion Our Contribution 1. Tight PRF, pPRF and MAC Security Analysis of Different Types of HtM Constructions. 2. An Impossibility Result on Probabilistic MAC: Unlike deterministic MAC, in probabilistic MAC, there is no such ideal system, indistinguishable to which, ensures forging advantage. C1 C2 C3 C4 C5 C6 Θ(2 n / 2 ) PRF X X X X X n n n n 3 n 3 n 2 ) 2 ) 2 ) 2 ) 4 ) 4 ) pPRF Θ(2 Θ(2 Θ(2 Θ(2 Θ(2 Θ(2 n n n 2 n 3 n 2 ) 2 ) 2 ) 3 ) 4 ) MAC X Θ(2 Θ(2 Θ(2 Θ(2 Θ(2 A.Dutta Exact Security Analysis of HtM Construction

  13. Message Authentication Code HtM Construction Attack Idea Contributions Proof Idea Conclusion PRF Attack Idea of C1,C2,C3,C4 ( r 1 , y 1 ) ( r 1 , y 2 ) ( r 2 , y 1 ) ( r 2 , y 2 ) SUM f , g ( r , y ) = f ( r ) ⊕ g ( y ) A.Dutta Exact Security Analysis of HtM Construction

  14. Message Authentication Code HtM Construction Attack Idea Contributions Proof Idea Conclusion PRF Attack Idea of C1,C2,C3,C4 ( r 1 , y 1 ) ( r 1 , y 2 ) ( r 2 , y 1 ) ( r 2 , y 2 ) SUM f , g ( r , y ) = f ( r ) ⊕ g ( y ) Alternating Cycle (Alt-Cycle) 4 SUM C • For an Alt-Cycle C , � f , g ( r i , y i ) = 0 (distinguishing event) i =1 • For C1, C2 : g is identity function. • For C1, C3 : y is m ; For C2, C4 : y is H ( m ); For C5 : y is r + m A.Dutta Exact Security Analysis of HtM Construction

  15. Message Authentication Code HtM Construction Attack Idea Contributions Proof Idea Conclusion PRF Attack Idea of C5 and C6 Attack Algorithm C5 : f ( r ) ⊕ g ( r ⊕ m ) • Choose ( r 1 , m 1 ) , ( r 2 , m 2 ) s.t r 1 + m 1 = r 2 + m 2 • Query Phase : t 1 ← ( r 1 , m 1 ) , t 2 ← ( r 2 , m 2 ) , t 3 ← ( r 1 , m 2 ) , t 4 ← ( r 2 , m 1 ) 4 • Distinguishing Event : If � t i = 0, return 1. i =1 A.Dutta Exact Security Analysis of HtM Construction

  16. Message Authentication Code HtM Construction Attack Idea Contributions Proof Idea Conclusion PRF Attack Idea of C5 and C6 Attack Algorithm C5 : f ( r ) ⊕ g ( r ⊕ m ) • Choose ( r 1 , m 1 ) , ( r 2 , m 2 ) s.t r 1 + m 1 = r 2 + m 2 • Query Phase : t 1 ← ( r 1 , m 1 ) , t 2 ← ( r 2 , m 2 ) , t 3 ← ( r 1 , m 2 ) , t 4 ← ( r 2 , m 1 ) 4 • Distinguishing Event : If � t i = 0, return 1. i =1 Attack Algorithm C6 : f ( r ) ⊕ g ( r ⊕ H ( m )) • Query Phase : t 1 ← ( r , m 1 ) , t 2 ← ( r , m 2 ) , . . . , t 2 n / 2 ← ( r , m 2 n / 2 ) • If H ( m i ) = H ( m j ), query t ′ i ← ( r ′ , m i ) , t ′ j ← ( r ′ , m j ), output 1 if t ′ i = t ′ j • Else, collision in g . A.Dutta Exact Security Analysis of HtM Construction

  17. Message Authentication Code HtM Construction Attack Idea Contributions Proof Idea Conclusion Probabilistic PRF (pPRF) Definition and Security Game Keyed function that takes two inputs ( r , M ) is indistinguishable from RF Adversary can only query the oracle with M . Goal is to distinguish the function from a RF; secure if it is hard A.Dutta Exact Security Analysis of HtM Construction

  18. Message Authentication Code HtM Construction Attack Idea Contributions Proof Idea Conclusion Probabilistic PRF (pPRF) Definition and Security Game Keyed function that takes two inputs ( r , M ) is indistinguishable from RF Adversary can only query the oracle with M . Goal is to distinguish the function from a RF; secure if it is hard pPRF Attack Algorithm of C1 : f ( r ) ⊕ m • Query Phase : t 1 ← m 1 , t 2 ← m 1 , . . . , t 2 n / 2 ← m 1 • W.h.p ∃ i , j ∈ { 1 , 2 , . . . , 2 n / 2 } s.t r i = r j • If t i = t j , return 1. A.Dutta Exact Security Analysis of HtM Construction

  19. Message Authentication Code HtM Construction Attack Idea Contributions Proof Idea Conclusion Probabilistic PRF (pPRF) Definition and Security Game Keyed function that takes two inputs ( r , M ) is indistinguishable from RF Adversary can only query the oracle with M . Goal is to distinguish the function from a RF; secure if it is hard pPRF Attack Algorithm of C1 : f ( r ) ⊕ m • Query Phase : t 1 ← m 1 , t 2 ← m 1 , . . . , t 2 n / 2 ← m 1 • W.h.p ∃ i , j ∈ { 1 , 2 , . . . , 2 n / 2 } s.t r i = r j • If t i = t j , return 1. pPRF Attack for C2, C3, C4 is same as that of C1 A.Dutta Exact Security Analysis of HtM Construction

Recommend


More recommend