Generic Attacks against Beyond-Birthday-Bound MACs


  1. Generic Attacks against Beyond-Birthday-Bound MACs
     Gaëtan Leurent (1), Mridul Nandi (2), Ferdinand Sibleyras (1)
     (1) Inria, équipe SECRET, Paris, France; (2) Indian Statistical Institute, Kolkata, India
     GT SECRET
     Sections: Introduction, Birthday Bound Attack, Beyond Birthday Bound, SUM-ECBC, 1kf9, Conclusion

  2. Introduction
     • Symmetric cryptography: Alice and Bob share the same key.
     • Active attacker: Eve might intercept and manipulate Alice's messages...
     • Authentication: Alice computes and appends a keyed MAC or tag $T$.
     [Figure: message "Plz come back! || T"; "Correct tag. Will read."]

  3. ECBC-MAC
     [Figure: ECBC-MAC diagram. Blocks $m_1, m_2, \dots, m_{\ell-1}, m_\ell$, initial value 0, chained $E_{k_1}$ calls producing $\Sigma(m)$, then $E_{k_2}$ producing $\mathrm{MAC}(m)$.]
     The plaintext $m$ is padded and split into $n$-bit blocks.
     $\mathrm{MAC}(m) = E_{k_2}\big(\Sigma(m)\big)$
     Alice sends $\mathrm{MAC}(m)$ along with $m$ to guarantee authenticity.

  5. Introduction
     • Verifying: Bob verifies the tag with the shared key and only reads the message if it is correct.
     • Forgery: Eve cannot modify the message without forging a new and correct tag.
     [Figure: messages "Plz come back! || T" and "Plz stay away! || T"; "Incorrect tag. Won't read."]
     Direct attacks won't work, but is it secure? Can Eve still mount an attack?

  11. A security game
      [Figure: tagging oracle taking $m$ and returning $\mathrm{MAC}(m)$; verification oracle taking $m \| T$ and returning Valid/Invalid.]
      $q_t$ = the number of tagging queries.
      $q_v$ = the number of verification queries.
      Can Eve forge a valid tag for a message that Alice never saw?

  13. Case of ECBC
      [Figure: ECBC mode. Blocks $m_1, m_2, \dots, m_\ell$ chained through $E_{k_1}$ to give $\Sigma(m)$, then $E_{k_2}$ to give $\mathrm{MAC}(m)$.]
      Properties of ECBC, for all messages $m, m', c$:
      $\mathrm{MAC}(m) = \mathrm{MAC}(m')$
      $\implies E_{k_2}\big(\Sigma(m)\big) = E_{k_2}\big(\Sigma(m')\big)$
      $\implies \Sigma(m) = \Sigma(m')$
      $\implies \Sigma(m \| c) = \Sigma(m' \| c)$
      $\implies \mathrm{MAC}(m \| c) = \mathrm{MAC}(m' \| c)$
      Simple collision approach: look for a pair of messages $X, Y$ that satisfies
      $\Sigma(X) = \Sigma(Y) \iff \mathrm{MAC}(X) \oplus \mathrm{MAC}(Y) = 0$

  14. Birthday Bound Attack
      [Figure: Eve sends $m_1, m_2, m_3, m_4, m_5, m_6, \dots$ to Alice and receives $\mathrm{MAC}(m_1), \mathrm{MAC}(m_2), \mathrm{MAC}(m_3), \dots$]
      Looking for collisions: Eve looks for $\mathrm{MAC}(m_i) = \mathrm{MAC}(m_j)$ for some $i \neq j$.
      She has $\simeq q_t^2$ pairs for an $n$-bit relationship, so chances grow as:
      $\mathrm{Adv}(\mathcal{A}) \simeq \dfrac{q_t^2}{2^n}$

  16. Forgery from collisions
      Expansion property: $\mathrm{MAC}(m) = \mathrm{MAC}(m') \implies \mathrm{MAC}(m \| c) = \mathrm{MAC}(m' \| c) \quad \forall c$
      Collision found: MAC(You must) = MAC(No, don't)
      [Figure: message "Can you come back? || T_0"; "Correct tag. Will read."]

  17. Forgery from collisions
      Expansion property: $\mathrm{MAC}(m) = \mathrm{MAC}(m') \implies \mathrm{MAC}(m \| c) = \mathrm{MAC}(m' \| c) \quad \forall c$
      Collision found: MAC(You must) = MAC(No, don't)
      [Figure: speech bubbles "Tell Bob he must come back!" and "Oh you are right!"]

  20. Forgery from collisions
      Expansion property: $\mathrm{MAC}(m) = \mathrm{MAC}(m') \implies \mathrm{MAC}(m \| c) = \mathrm{MAC}(m' \| c) \quad \forall c$
      Collision found: MAC(You must) = MAC(No, don't)
      [Figure: messages "You must come back! || T" and "No, don't come back! || T"; "Correct tag. Will read."]
      Forgery requires $q_t \simeq 2^{n/2}$ and $q_v = 1$.
      Not secure beyond the birthday bound ($2^{n/2}$).
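The security game and the collision-then-extend forgery from the slides above, as an added example that is not part of the original presentation. It assumes a toy 16-bit block size, seeded permutation tables standing in for E_k1 and E_k2, and messages given directly as tuples of blocks (no padding); all names are hypothetical.

```python
import random

N = 16            # toy block size in bits (assumption; real block ciphers use 64 or 128)
SIZE = 1 << N

def make_prp(seed):
    """Toy stand-in for E_k: a seeded random permutation of all N-bit blocks."""
    table = list(range(SIZE))
    random.Random(seed).shuffle(table)
    return table

class ECBCOracle:
    """Key holder (Alice/Bob). Counts tagging (q_t) and verification (q_v) queries."""
    def __init__(self, seed1, seed2):
        self.e1, self.e2 = make_prp(seed1), make_prp(seed2)
        self.q_t = self.q_v = 0
        self.tagged = set()

    def _mac(self, blocks):
        state = 0
        for b in blocks:                  # CBC chain under k1 yields Sigma(m)
            state = self.e1[state ^ b]
        return self.e2[state]             # MAC(m) = E_k2(Sigma(m))

    def tag(self, blocks):
        self.q_t += 1
        self.tagged.add(tuple(blocks))
        return self._mac(blocks)

    def verify(self, blocks, t):
        self.q_v += 1
        return self._mac(blocks) == t

def birthday_forgery(oracle, suffix, rng):
    """Tag random 2-block messages until two tags collide, then apply the expansion property."""
    seen = {}
    while True:
        x = (rng.randrange(SIZE), rng.randrange(SIZE))
        t = oracle.tag(x)
        y = seen.setdefault(t, x)
        if y != x:                        # MAC(X) = MAC(Y) with X != Y
            return y + suffix, oracle.tag(x + suffix)   # tag of X||c is valid for Y||c

def run_demo(seed=1):
    oracle = ECBCOracle(seed1=101, seed2=202)           # constructed toy keys
    forged_msg, forged_tag = birthday_forgery(oracle, (0xC0DE,), random.Random(seed))
    fresh = forged_msg not in oracle.tagged             # Y||c was never sent for tagging
    accepted = oracle.verify(forged_msg, forged_tag)
    return accepted, fresh, oracle.q_t, oracle.q_v
```

With n = 16 the collision appears after a few hundred tagging queries, in line with q_t ≃ 2^{n/2}, and a single verification query accepts the forged pair.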

  22. Going beyond
      Problem: how to build a deterministic MAC scheme secure when $q_t > 2^{n/2}$?
      Not so easy: this birthday bound attack is generic to all deterministic iterated MAC constructions with an $n$-bit internal state [Preneel, van Oorschot, CRYPTO'95].
      Idea: double the size of the internal state to $2n$ bits.
      Double-Block-Hash-Then-Sum approach: XOR the two half-states at the end to recover an $n$-bit MAC.
      Important research effort exploring this idea, including: SUM-ECBC, PMAC+, 3kf9, LightMAC+, GCM-SIV2, 1kPMAC+

  23. Example: SUM-ECBC [Yasuda; CT-RSA'10]
      [Figure: two chains over the blocks $m_1, m_2, \dots, m_{\ell-1}, m_\ell$. The first uses $E_{k_1}$ to produce $\Sigma(m)$, followed by $E_{k_2}$; the second uses $E_{k_3}$ to produce $\Theta(m)$, followed by $E_{k_4}$. The two outputs are XORed to give $\mathrm{MAC}(m)$.]
      $\mathrm{MAC}(m) = E_{k_2}\big(\Sigma(m)\big) \oplus E_{k_4}\big(\Theta(m)\big)$

  25. This paper
      Problem: many of those schemes are proven secure when $q_t < 2^{2n/3}$. What happens when $q_t \geq 2^{2n/3}$? Actual attacks or proof artefact?
      Results: a generic approach leading to an attack on all cited schemes using $q_v = 1$ and $q_t \simeq 2^{3n/4}$.

  26. 4-way collision for double-hash-then-sum schemes
      Look for a quadruple of messages $X, Y, Z, T$ that satisfies:
      $$R(X,Y,Z,T) := \begin{cases} \Sigma(X) = \Sigma(Y) \\ \Theta(Y) = \Theta(Z) \\ \Sigma(Z) = \Sigma(T) \\ \Theta(T) = \Theta(X) \end{cases}$$
      $R(X,Y,Z,T) \implies \mathrm{MAC}(X) \oplus \mathrm{MAC}(Y) \oplus \mathrm{MAC}(Z) \oplus \mathrm{MAC}(T) = 0$
      [Figure: the four tags with the equal terms linked pairwise]
      $\mathrm{MAC}(X) = E(\Sigma(X)) \oplus E'(\Theta(X))$
      $\mathrm{MAC}(Y) = E(\Sigma(Y)) \oplus E'(\Theta(Y))$
      $\mathrm{MAC}(Z) = E(\Sigma(Z)) \oplus E'(\Theta(Z))$
      $\mathrm{MAC}(T) = E(\Sigma(T)) \oplus E'(\Theta(T))$

  27. 4-way collision for double-hash-then-sum schemes
      With carefully crafted sets of messages for $X, Y, Z, T$:
      $$\begin{cases} \Sigma(X) = \Sigma(Y) \\ \Theta(Y) = \Theta(Z) \\ \Sigma(Z) = \Sigma(T) \end{cases} \implies \Theta(T) = \Theta(X).$$
      Thus
      $$R(X,Y,Z,T) \iff \begin{cases} \Sigma(X) = \Sigma(Y) \\ \Theta(Y) = \Theta(Z) \\ \Sigma(Z) = \Sigma(T) \end{cases}$$
      a $3n$-bit condition.
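A check of the identity R(X, Y, Z, T) ⟹ MAC(X) ⊕ MAC(Y) ⊕ MAC(Z) ⊕ MAC(T) = 0 on a toy SUM-ECBC, as an added example that is not part of the original presentation. It assumes an 8-bit block size and seeded permutation tables for the four keys, and it uses the keys to find the quadruple, so it verifies the algebra on the slide rather than reproducing the paper's query-only search; all names are hypothetical.

```python
import random

N = 8             # toy block size (assumption), small enough to enumerate all 2-block messages
SIZE = 1 << N

def make_prp(seed):
    """Toy stand-in for E_k: a seeded random permutation of all N-bit blocks."""
    table = list(range(SIZE))
    random.Random(seed).shuffle(table)
    return table

E1, E2, E3, E4 = (make_prp(s) for s in (11, 22, 33, 44))   # constructed keys k1..k4

def cbc(e, blocks):
    state = 0
    for b in blocks:
        state = e[state ^ b]
    return state

def sigma(m): return cbc(E1, m)                    # first half-state
def theta(m): return cbc(E3, m)                    # second half-state
def mac(m):   return E2[sigma(m)] ^ E4[theta(m)]   # SUM-ECBC tag

def relation(x, y, z, t):
    """R(X,Y,Z,T) from the slide."""
    return (sigma(x) == sigma(y) and theta(y) == theta(z)
            and sigma(z) == sigma(t) and theta(t) == theta(x))

def find_quadruple():
    """Key-aware search, for checking the identity only: find four messages whose
    (Sigma, Theta) values form the corners of a rectangle."""
    corner = {}
    for a in range(SIZE):
        for b in range(SIZE):
            corner.setdefault((sigma((a, b)), theta((a, b))), (a, b))
    for (s1, t1), x in corner.items():
        for t2 in range(SIZE):
            y = corner.get((s1, t2))
            if y is None or t2 == t1:
                continue
            for s2 in range(SIZE):
                z, t = corner.get((s2, t2)), corner.get((s2, t1))
                if s2 != s1 and z is not None and t is not None:
                    return x, y, z, t
    return None

def xor_of_macs(quad):
    out = 0
    for m in quad:
        out ^= mac(m)
    return out
```

X and Y share Σ but their tags still differ because Θ(X) ≠ Θ(Y), which is why the pairwise collision search that breaks ECBC does not carry over and the four-way sum is needed.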
