generic attacks against beyond birthday bound macs
play

Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , - PowerPoint PPT Presentation

Mar 27, 2024 •362 likes •1.05k views

Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand Sibleyras 1 1 Inria quipe SECRET, Paris, France 2 Indian

  1. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion Generic Attacks against Beyond-Birthday-Bound MACs Gaëtan Leurent 1 , Mridul Nandi 2 , Ferdinand Sibleyras 1 1 Inria équipe SECRET, Paris, France 2 Indian Statistical Institute, Kolkata, India GT SECRET 1 / 30

  2. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion Introduction • Symmetric cryptography: Alice and Bob share the same key. • Active attacker: Eve might intercept and manipulate Alice’s messages... • Authentication: Alice computes and appends a keyed MAC or tag T . Correct tag. Will read. Plz come back! || T 2 / 30

  3. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion ECBC-MAC m ℓ − 1 m 1 m 2 m ℓ 0 E k 1 E k 1 • • • E k 1 E k 1 MAC ( m ) E k 2 Σ( m ) The plaintext m is padded and split into n -bit blocks. � � MAC ( m ) = E k 2 Σ( m ) Alice sends MAC ( m ) along with m to guarantee authenticity. 3 / 30

  4. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion Introduction • Verifying: Bob verifies the tag with the shared key and only reads the message if it is correct. • Forgery: Eve cannot modify the message without forging a new and correct tag. Incorrect tag. P l Won’t read. z s t a y a w a y ! | | T Plz come back! || T 4 / 30

  5. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion Introduction • Verifying: Bob verifies the tag with the shared key and only reads the message if it is correct. • Forgery: Eve cannot modify the message without forging a new and correct tag. Incorrect tag. P l Won’t read. z s t a y a w a y ! | | T Plz come back! || T Direct attacks won’t work but is it secure? Can Eve still mount an attack? 4 / 30

  6. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion A security game 5 / 30

  7. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion A security game m MAC ( m ) 5 / 30

  8. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion A security game m || T m Valid/Invalid MAC ( m ) 5 / 30

  9. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion A security game m || T m Valid/Invalid MAC ( m ) q t = the number of tagging queries. 5 / 30

  10. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion A security game m || T m Valid/Invalid MAC ( m ) q t = the number q v = the number of of tagging queries. verification queries. 5 / 30

  11. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion A security game m || T m Valid/Invalid MAC ( m ) q t = the number q v = the number of of tagging queries. verification queries. Can Eve forge a valid tag for a message that Alice never saw? 5 / 30

  12. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion Case of ECBC Properties of ECBC for all messages m , m ′ , c : ECBC mode m 1 m 2 m ℓ MAC ( m ) = MAC ( m ′ ) Σ( m ) � � � Σ( m ′ ) � = ⇒ E k 2 Σ( m ) = E k 2 Σ( m ) =Σ( m ′ ) E k 1 ... = ⇒ E k 1 E k 1 E k 2 Σ( m || c ) =Σ( m ′ || c ) = ⇒ MAC ( m ) MAC ( m || c ) = MAC ( m ′ || c ) = ⇒ 6 / 30

  13. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion Case of ECBC Properties of ECBC for all messages m , m ′ , c : ECBC mode m 1 m 2 m ℓ MAC ( m ) = MAC ( m ′ ) Σ( m ) � � � Σ( m ′ ) � = ⇒ E k 2 Σ( m ) = E k 2 Σ( m ) =Σ( m ′ ) E k 1 ... = ⇒ E k 1 E k 1 E k 2 Σ( m || c ) =Σ( m ′ || c ) = ⇒ MAC ( m ) MAC ( m || c ) = MAC ( m ′ || c ) = ⇒ Simple collision approach Look for a pair of messages X,Y that satisfies: Σ( X ) = Σ( Y ) ⇐ ⇒ MAC ( X ) ⊕ MAC ( Y ) = 0 6 / 30

  14. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion MAC ( m 1 ) Birthday Bound Attack MAC ( m 2 ) MAC ( m 3 ) m 1 ... m 2 m 3 m 4 m 5 m 6 Eve Alice Looking for collisions Eve looks for MAC ( m i ) = MAC ( m j ) for some i � = j . She has ≃ q 2 t pairs for an n -bit relationship so chances grow as: Adv ( A ) ≃ q 2 t 2 n 7 / 30

  15. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion Forgery from collisions Expansion property MAC ( m ) = MAC ( m ′ ) = ⇒ MAC ( m || c ) = MAC ( m ′ || c ) ∀ c Collision found: MAC ( You must ) = MAC ( No, don’t ) Can you come back? || T 0 8 / 30

  16. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion Forgery from collisions Expansion property MAC ( m ) = MAC ( m ′ ) = ⇒ MAC ( m || c ) = MAC ( m ′ || c ) ∀ c Collision found: MAC ( You must ) = MAC ( No, don’t ) Correct tag. Will read. Can you come back? || T 0 8 / 30

  17. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion Forgery from collisions Expansion property MAC ( m ) = MAC ( m ′ ) = ⇒ MAC ( m || c ) = MAC ( m ′ || c ) ∀ c Tell Bob he must Collision found: come back! MAC ( You must ) = MAC ( No, don’t ) Oh you are right! 8 / 30

  18. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion Forgery from collisions Expansion property MAC ( m ) = MAC ( m ′ ) = ⇒ MAC ( m || c ) = MAC ( m ′ || c ) ∀ c Collision found: MAC ( You must ) = MAC ( No, don’t ) You must come back! || T 8 / 30

  19. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion Forgery from collisions Expansion property MAC ( m ) = MAC ( m ′ ) = ⇒ MAC ( m || c ) = MAC ( m ′ || c ) ∀ c Collision found: MAC ( You must ) = MAC ( No, don’t ) N Correct tag. o , d o n Will read. ’ t c o m e b a c k ! | | T You must come back! || T 8 / 30

  20. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion Forgery from collisions Expansion property MAC ( m ) = MAC ( m ′ ) = ⇒ MAC ( m || c ) = MAC ( m ′ || c ) ∀ c Collision found: MAC ( You must ) = MAC ( No, don’t ) N Correct tag. o , d o n Will read. ’ t c o m e b a c k ! | | T You must come back! || T Forgery requires q t ≃ 2 n / 2 and q v = 1. Not secure beyond birthday bound (2 n / 2 ) 8 / 30

  21. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion Going beyond Problem How to build a deterministic MAC scheme secure when q t > 2 n / 2 ? Not so easy: This birthday bound attack is generic to all deterministic iterated MAC constructions with an n -bit internal state [Preneel, van Oorschot, CRYPTO’95]. 9 / 30

  22. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion Going beyond Problem How to build a deterministic MAC scheme secure when q t > 2 n / 2 ? Not so easy: This birthday bound attack is generic to all deterministic iterated MAC constructions with an n -bit internal state [Preneel, van Oorschot, CRYPTO’95]. Idea: Double the size of the internal state to 2 n bits. Double-Block-Hash-Then-Sum Approach XOR the two half-states at the end to recover an n -bit MAC. Important research effort exploring this idea including: SUM-ECBC, PMAC+, 3kf9, LightMAC+, GCM-SIV2, 1kPMAC+ 9 / 30

  23. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion Example: SUM-ECBC [Yasuda; CT-RSA’10] m 1 m 2 m ℓ − 1 m ℓ ... Σ( m ) E k 1 E k 1 E k 1 E k 1 E k 2 m 1 m 2 m ℓ − 1 m ℓ ... MAC ( m ) Θ( m ) E k 3 E k 3 E k 3 E k 3 E k 4 � � � � MAC ( m ) = E k 2 Σ( m ) ⊕ E k 4 Θ( m ) 10 / 30

  24. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion This paper Problem Many of those schemes are proven secure when q t < 2 2 n / 3 . What happens when q t ≥ 2 2 n / 3 ? Actual attacks or proof artefact? 11 / 30

  25. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion This paper Problem Many of those schemes are proven secure when q t < 2 2 n / 3 . What happens when q t ≥ 2 2 n / 3 ? Actual attacks or proof artefact? Results A generic approach leading to an attack on all cited schemes using q v = 1 and q t ≃ 2 3 n / 4 . 11 / 30

  26. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion 4-way collision for double-hash-then-sum schemes Look for a quadruple of messages X , Y , Z , T that satisfies:  Σ( X ) = Σ( Y )     Θ( Y ) = Θ( Z )  R ( X , Y , Z , T ) := Σ( Z ) = Σ( T )     Θ( T ) = Θ( X )  R ( X , Y , Z , T ) = ⇒ MAC ( X ) ⊕ MAC ( Y ) ⊕ MAC ( Z ) ⊕ MAC ( T ) = 0 = MAC ( X ) = E (Σ( X )) ⊕ E ′ (Θ( X )) E ′ (Θ( T )) ⊕ E (Σ( T )) = MAC ( T ) = = MAC ( Y ) = E (Σ( Y )) ⊕ E ′ (Θ( Y )) E ′ (Θ( Z )) ⊕ E (Σ( Z )) = MAC ( Z ) = 12 / 30

  27. Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion 4-way collision for double-hash-then-sum schemes With carefully crafted sets of messages for X , Y , Z , T :  Σ( X ) = Σ( Y )   Θ( Y ) = Θ( Z ) = ⇒ Θ( T ) = Θ( X ) .  Σ( Z ) = Σ( T )   Σ( X ) = Σ( Y )   Thus R ( X , Y , Z , T ) ⇐ ⇒ Θ( Y ) = Θ( Z ) a 3 n -bit condition.  Σ( Z ) = Σ( T )  13 / 30

Recommend

Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC Conclusion Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand Sibleyras 1 1 Inria quipe SECRET, Paris, France 2 Indian

771 views • 59 slides
New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

Introduction New generic attacks HMAC-GOST key-recovery Conclusion New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 1 / 22 . . . . . . . . . . . . . . . . . Gatan Leurent,

759 views • 52 slides
Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Introduction Hash-based MACs State recovery Universal forgery Key-recovery Conclusion Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 1 / 59 Gatan Leurent Inria Rocquencourt,

1.71k views • 102 slides
Beyond-Birthday-Bound Secure MACs Yannick Seurin ANSSI, France January 2018, Dagstuhl Seminar

Beyond-Birthday-Bound Secure MACs Yannick Seurin ANSSI, France January 2018, Dagstuhl Seminar

Generalities Stateless Deterministic MACs Nonce-Based MACs Beyond-Birthday-Bound Secure MACs Yannick Seurin ANSSI, France January 2018, Dagstuhl Seminar Y. Seurin BBB Secure MACs January 2018 1 / 44 Generalities Stateless Deterministic

1.21k views • 95 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Limited-Birthday Distinguishers for Hash Functions Collisions Beyond the Birthday Bound can be

Limited-Birthday Distinguishers for Hash Functions Collisions Beyond the Birthday Bound can be

Limited-Birthday Distinguishers for Hash Functions Collisions Beyond the Birthday Bound can be Meaningful Mitsugu Iwamoto 1 , Thomas Peyrin 2 and Yu Sasaki 3 1: The University of Electro-Communications, Japan 2:Nanyang Technological University,

877 views • 20 slides
M&amp;M: Masks and Macs against Physical Attacks CHES 2019 Lauren De Meyer, Victor Arribas

M&amp;M: Masks and Macs against Physical Attacks CHES 2019 Lauren De Meyer, Victor Arribas

M&amp;M: Masks and Macs against Physical Attacks CHES 2019 Lauren De Meyer, Victor Arribas Svetla Nikova, Ventzislav Nikov, Vincent Rijmen B ACK TO THE 90 S Differential Power Analysis (DPA) Paul Kocher et al. 1999 [KJJ99]

322 views • 28 slides
Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin

Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin

Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin University of Versailles and Orange Labs SAC 2008 August 14-15, 2008 intro the Russian Dolls construction generic attacks application to

539 views • 17 slides
Better price-performance ratios for generalized birthday attacks D. J. Bernstein University of

Better price-performance ratios for generalized birthday attacks D. J. Bernstein University of

Better price-performance ratios for generalized birthday attacks D. J. Bernstein University of Illinois at Chicago Motivation A hashing structure proposed by Bellare/Micciancio, 1996: f 1 ; f 2 ; : : : Standardize functions from, e.g.,

297 views • 17 slides
Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata Nagoya University iwata@cse.nagoya-u.ac.jp ESC, Echternach Symmetric Crypto seminar January 11, 2008 Blockcipher plaintext M

576 views • 40 slides
Short Variable Length Domain Extenders With Beyond Birthday Bound Security Yu Long Chen 1 Bart

Short Variable Length Domain Extenders With Beyond Birthday Bound Security Yu Long Chen 1 Bart

Short Variable Length Domain Extenders With Beyond Birthday Bound Security Yu Long Chen 1 Bart Mennink 2 Mridul Nandi 3 imec-COSIC, KU Leuven Digital Security Group, Radboud University, Nijmegen Indian Statistical Institute, Kolkata December 3,

854 views • 47 slides
Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata Nagoya University iwata@cse.nagoya-u.ac.jp Africacrypt 2008, Casablanca, Morocco June 11, 2008 Blockcipher plaintext M key K E

720 views • 37 slides
Tweakable blockciphers with beyond-birthday-bound security Will Landecker, Thomas Shrimpton, and

Tweakable blockciphers with beyond-birthday-bound security Will Landecker, Thomas Shrimpton, and

Tweakable blockciphers with beyond-birthday-bound security Will Landecker, Thomas Shrimpton, and Seth Terashima Portland State University 1 Tweakable blockciphers (TBCs) Tweak T Input block X ( bits) ( n bits) Add an extra input, a

732 views • 21 slides
New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata

New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata

New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata Ibaraki University March 17, 2006 Fast Software Encryption, FSE 2006, Graz, Austria, March 1517, 2006 Blockcipher Modes Algorithms

1.42k views • 30 slides
Generic Related-key Attacks for HMAC Thomas Peyrin, Yu Sasaki and Lei Wang Nanyang Technological

Generic Related-key Attacks for HMAC Thomas Peyrin, Yu Sasaki and Lei Wang Nanyang Technological

Introduction A generic related-key attack on HMAC Conclusion Generic Related-key Attacks for HMAC Thomas Peyrin, Yu Sasaki and Lei Wang Nanyang Technological University - Singapore NTT - Japan Asiacrypt 2012 Beijing, China - December 5, 2012

3.43k views • 42 slides
Generic attacks and index calculus D. J. Bernstein University of Illinois at Chicago The

Generic attacks and index calculus D. J. Bernstein University of Illinois at Chicago The

Generic attacks and index calculus D. J. Bernstein University of Illinois at Chicago The discrete-logarithm problem p = 1000003. Define p is prime. Easy to prove: Can we find an integer n 2 f 1 ; 2 ; 3 ; : : : ; p 1 g n mod p =

279 views • 26 slides
Objectives Security Notions of MACs NMACs and HMACs CBC-MACs Low Power Ajit Pal

Objectives Security Notions of MACs NMACs and HMACs CBC-MACs Low Power Ajit Pal

Message Authentication Codes (MACs) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Security Notions of MACs NMACs and HMACs

158 views • 12 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input &quot;tweak - Tweaks are publicly used

519 views • 30 slides
Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J.

Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J.

Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J. Bernstein Easy to prove: is prime. University of Illinois at Chicago Can we find an integer 1 2 3

1.24k views • 97 slides
POEx: A Beyond-Birthday-Bound-Secure On-Line Cipher ArcticCrypt 2016 Christian Forler 1 Eik List

POEx: A Beyond-Birthday-Bound-Secure On-Line Cipher ArcticCrypt 2016 Christian Forler 1 Eik List

POEx: A Beyond-Birthday-Bound-Secure On-Line Cipher ArcticCrypt 2016 Christian Forler 1 Eik List 2 Stefan Lucks 2 Jakob Wenzel 2 1 Hochschule Schmalkalden, 2 Bauhaus-Universitt Weimar eik.list (at) uni-weimar.de 18 July 2016 18 July 2016

561 views • 53 slides
A Generic Approach to Invariant Subspace Attacks Cryptanalysis of Robin, iSCREAM and Zorro Gregor

A Generic Approach to Invariant Subspace Attacks Cryptanalysis of Robin, iSCREAM and Zorro Gregor

A Generic Approach to Invariant Subspace Attacks Cryptanalysis of Robin, iSCREAM and Zorro Gregor Leander 1 , Brice Minaud 2 , Sondre Rnjom 3 1 Ruhr-Universitt Bochum, Germany 2 ANSSI and Universit Rennes 1, France 3 Nasjonal

590 views • 42 slides
Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir

Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir

Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir 2 , Sylvain Guilley 1 , Fran Pablo Rauzy 1 , Pierre-Yves Strub 2 1 Telecom ParisTech 2 IMDEA Software Institute Crypto Seminar Day @ IMDEA

101 views • 9 slides
Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline

Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline Tweakable block ciphers Our contribution Proof overview Conclusion 2 Tweakable Block Ciphers (TBCs)

362 views • 35 slides
1 Definition of a simple generic class Why generic programming (cont.) class Pair &lt;T&gt; {

1 Definition of a simple generic class Why generic programming (cont.) class Pair &lt;T&gt; {

Topics background and goals of generic programming basics of generic classes = parameterized types generic methods for general algorithms inheritance rules for generic types Generic programming in Java bounded type parameters

261 views • 5 slides

More recommend