Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC Conclusion

Generic Attacks against Beyond-Birthday-Bound MACs
Gaëtan Leurent (1), Mridul Nandi (2), Ferdinand Sibleyras (1)
(1) Inria équipe SECRET, Paris, France
(2) Indian Statistical Institute, Kolkata, India
CRYPTO 2018

Introduction
• Symmetric cryptography: Alice and Bob share the same key.
• Active attacker: Eve might intercept and manipulate Alice's messages...
• Authentication: Alice computes and appends a keyed MAC or tag $T$.
[Figure: Alice sends "Plz come back! || T"; Bob: "Correct tag. Will read."]

ECBC-MAC
[Figure: ECBC-MAC diagram with message blocks $m_1, m_2, \dots, m_{\ell-1}, m_\ell$, initial value 0, block cipher calls $E_{k_1}$, intermediate value $\Sigma(m)$, final call $E_{k_2}$, output $\mathrm{MAC}(m)$]
The plaintext $m$ is padded and split into $n$-bit blocks.
$$\mathrm{MAC}(m) = E_{k_2}\big(\Sigma(m)\big)$$
Alice sends $\mathrm{MAC}(m)$ along with $m$ to guarantee authenticity.

Introduction
• Verifying: Bob verifies the tag with the shared key and only reads the message if it is correct.
• Forgery: Eve cannot modify the message without forging a new and correct tag.
[Figure: Alice sends "Plz come back! || T"; Eve changes it to "Plz stay away! || T"; Bob: "Incorrect tag. Won't read."]
Direct attacks won't work but is it secure? Can Eve still mount an attack?

A security game
[Figure: Eve sends tagging queries $m$ and receives $\mathrm{MAC}(m)$; she sends verification queries $m \| T$ and receives Valid/Invalid.]
• $q_t$ = the number of tagging queries.
• $q_v$ = the number of verification queries.
Can Eve forge a valid tag for a message that Alice never saw?

Case of ECBC
[Figure: ECBC mode with message blocks $m_1, m_2, \dots, m_\ell$, block cipher calls $E_{k_1}$, intermediate value $\Sigma(m)$, final call $E_{k_2}$, output $\mathrm{MAC}(m)$]
Properties of ECBC, for all messages $m, m', c$:
$$\begin{aligned}
\mathrm{MAC}(m) = \mathrm{MAC}(m') &\implies E_{k_2}\big(\Sigma(m)\big) = E_{k_2}\big(\Sigma(m')\big) \\
&\implies \Sigma(m) = \Sigma(m') \\
&\implies \Sigma(m \| c) = \Sigma(m' \| c) \\
&\implies \mathrm{MAC}(m \| c) = \mathrm{MAC}(m' \| c)
\end{aligned}$$
Simple collision approach
Look for a pair of messages $X, Y$ that satisfies:
$$\Sigma(X) = \Sigma(Y) \iff \mathrm{MAC}(X) \oplus \mathrm{MAC}(Y) = 0$$

Birthday Bound Attack
[Figure: Eve sends tagging queries $m_1, m_2, m_3, m_4, m_5, m_6, \dots$ to Alice and receives $\mathrm{MAC}(m_1), \mathrm{MAC}(m_2), \mathrm{MAC}(m_3), \dots$]
Looking for collisions
Eve looks for $\mathrm{MAC}(m_i) = \mathrm{MAC}(m_j)$ for some $i \neq j$.
She has $\simeq q_t^2$ pairs for an $n$-bit relationship, so chances grow as:
$$\mathrm{Adv}(A) \simeq \frac{q_t^2}{2^n}$$

Forgery from collisions
Expansion property:
$$\mathrm{MAC}(m) = \mathrm{MAC}(m') \implies \mathrm{MAC}(m \| c) = \mathrm{MAC}(m' \| c) \quad \forall c$$
Collision found: MAC(You must) = MAC(No, don't)
[Figure, shown in steps:
 1. Message "Can you come back? || T_0"; Bob: "Correct tag. Will read."
 2. Speech bubbles: "Tell Bob he must come back!" and "Oh you are right!"
 3. Alice sends "You must come back! || T".
 4. The message is changed to "No, don't come back! || T"; Bob: "Correct tag. Will read."]
Forgery requires $q_t \simeq 2^{n/2}$ and $q_v = 1$.
Not secure beyond birthday bound ($2^{n/2}$)
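
The collision and expansion property above, reproduced on a deliberately tiny instance so the $2^{n/2}$ query count is visible. This is an added example, not code from the talk; the 16-bit block size, the shuffled-table stand-in for $E_k$, the key strings and all function names are assumptions made for the demonstration.

```python
import random

N_BITS = 16                 # toy block size (assumption); real block ciphers use 64 or 128
SIZE = 1 << N_BITS

def toy_cipher(key):
    """Keyed random permutation on N_BITS-bit blocks, a stand-in for E_k."""
    table = list(range(SIZE))
    random.Random(key).shuffle(table)
    return table

E1, E2 = toy_cipher("k1"), toy_cipher("k2")   # constructed demo keys

def sigma(blocks):
    """CBC chain under k1 from a zero initial value: the n-bit internal state."""
    state = 0
    for b in blocks:
        state = E1[state ^ b]
    return state

def mac(blocks):
    """ECBC-MAC: MAC(m) = E_k2(Sigma(m))."""
    return E2[sigma(blocks)]

def find_collision(rng, max_queries=SIZE):
    """Tag random 2-block messages until two distinct messages share a tag."""
    seen = {}
    for q in range(1, max_queries + 1):
        m = (rng.randrange(SIZE), rng.randrange(SIZE))
        t = mac(m)                      # one tagging query
        if t in seen and seen[t] != m:
            return seen[t], m, q
        seen[t] = m
    return None

def demo(seed=1):
    """Return (tagging queries used, whether the tag of x||c verifies for y||c)."""
    x, y, queries = find_collision(random.Random(seed))
    suffix = (0x1234, 0xBEEF)           # any common suffix c works
    tag = mac(x + suffix)               # tag issued for x || c
    return queries, mac(y + suffix) == tag

if __name__ == "__main__":
    print(demo())
```

With $n = 16$ the collision typically appears after a few hundred queries, which is why a key used with an $n$-bit-state MAC has to be retired well before $2^{n/2}$ tagged messages.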

Going beyond
Problem: How to build a deterministic MAC scheme secure when $q_t > 2^{n/2}$?
Not so easy: This birthday bound attack is generic to all deterministic iterated MAC constructions with an $n$-bit internal state [Preneel, van Oorschot, CRYPTO'95].
Idea: Double the size of the internal state to $2n$ bits.
Double-Block-Hash-Then-Sum Approach: XOR the two half-states at the end to recover an $n$-bit MAC.
Important research effort exploring this idea including: SUM-ECBC, PMAC+, 3kf9, LightMAC+, GCM-SIV2, 1kPMAC+

Example: SUM-ECBC [Yasuda, CT-RSA'10]
[Figure: two parallel chains over the blocks $m_1, m_2, \dots, m_{\ell-1}, m_\ell$. The first uses $E_{k_1}$ and gives $\Sigma(m)$, followed by $E_{k_2}$; the second uses $E_{k_3}$ and gives $\Theta(m)$, followed by $E_{k_4}$; the two outputs are summed into $\mathrm{MAC}(m)$.]
$$\mathrm{MAC}(m) = E_{k_2}\big(\Sigma(m)\big) \oplus E_{k_4}\big(\Theta(m)\big)$$

This paper
Problem: Many of those schemes are proven secure when $q_t < 2^{2n/3}$. What happens when $q_t \geq 2^{2n/3}$? Actual attacks or proof artefact?
Results: A generic approach leading to an attack on all cited schemes using $q_v = 1$ and $q_t \simeq 2^{3n/4}$.

4-way collision for double-hash-then-sum schemes
Look for a quadruple of messages $X, Y, Z, T$ that satisfies:
$$R(X, Y, Z, T) := \begin{cases} \Sigma(X) = \Sigma(Y) \\ \Theta(Y) = \Theta(Z) \\ \Sigma(Z) = \Sigma(T) \\ \Theta(T) = \Theta(X) \end{cases}$$
$$R(X, Y, Z, T) \implies \mathrm{MAC}(X) \oplus \mathrm{MAC}(Y) \oplus \mathrm{MAC}(Z) \oplus \mathrm{MAC}(T) = 0$$
[Figure: the four tags written out, with equality signs linking the terms that coincide under $R$:]
$$\begin{aligned}
\mathrm{MAC}(X) &= E(\Sigma(X)) \oplus E'(\Theta(X)) \\
\mathrm{MAC}(Y) &= E(\Sigma(Y)) \oplus E'(\Theta(Y)) \\
\mathrm{MAC}(Z) &= E(\Sigma(Z)) \oplus E'(\Theta(Z)) \\
\mathrm{MAC}(T) &= E(\Sigma(T)) \oplus E'(\Theta(T))
\end{aligned}$$

4-way collision for double-hash-then-sum schemes
With carefully crafted sets of messages for $X, Y, Z, T$:
$$\begin{cases} \Sigma(X) = \Sigma(Y) \\ \Theta(Y) = \Theta(Z) \\ \Sigma(Z) = \Sigma(T) \end{cases} \implies \Theta(T) = \Theta(X).$$
Thus
$$R(X, Y, Z, T) \iff \begin{cases} \Sigma(X) = \Sigma(Y) \\ \Theta(Y) = \Theta(Z) \\ \Sigma(Z) = \Sigma(T) \end{cases}$$
a $3n$-bit condition.
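
A check of the implication $R(X,Y,Z,T) \implies \mathrm{MAC}(X) \oplus \mathrm{MAC}(Y) \oplus \mathrm{MAC}(Z) \oplus \mathrm{MAC}(T) = 0$ on a toy SUM-ECBC. This is an added example, not code from the talk: the 8-bit blocks, shuffled-table permutations, key strings and function names are assumptions, and the search reads $\Sigma$ and $\Theta$ directly (it knows the keys) purely to exhibit a quadruple satisfying $R$; it does not use the crafted message sets mentioned on the slide.

```python
import random
from collections import defaultdict

SIZE = 1 << 8               # toy 8-bit blocks (assumption) so quadruples are easy to find

def perm(key):
    """Keyed random permutation, a stand-in for a block cipher."""
    table = list(range(SIZE))
    random.Random(key).shuffle(table)
    return table

E1, E2, E3, E4 = (perm(k) for k in ("k1", "k2", "k3", "k4"))  # constructed keys

def chain(E, blocks):
    state = 0
    for b in blocks:
        state = E[state ^ b]
    return state

def sigma(m): return chain(E1, m)
def theta(m): return chain(E3, m)
def mac(m):   return E2[sigma(m)] ^ E4[theta(m)]   # E_k2(Sigma) xor E_k4(Theta)

def find_quadruple(msgs):
    """Find X, Y, Z, T with S(X)=S(Y), Th(Y)=Th(Z), S(Z)=S(T), Th(T)=Th(X)."""
    by_state = {}                           # (Sigma, Theta) -> one message
    for m in msgs:
        by_state.setdefault((sigma(m), theta(m)), m)
    thetas_of = defaultdict(set)            # Sigma value -> Theta values seen with it
    for s, t in by_state:
        thetas_of[s].add(t)
    sig = sorted(thetas_of)
    for i, a in enumerate(sig):
        for a2 in sig[i + 1:]:
            common = sorted(thetas_of[a] & thetas_of[a2])
            if len(common) >= 2:            # two Sigma values sharing two Theta values
                b, b2 = common[:2]
                return (by_state[a, b], by_state[a, b2],
                        by_state[a2, b2], by_state[a2, b])
    return None

def demo(seed=7, count=2000):
    """XOR of the four tags of a quadruple satisfying R; always 0."""
    rng = random.Random(seed)
    msgs = [(rng.randrange(SIZE), rng.randrange(SIZE)) for _ in range(count)]
    x, y, z, t = find_quadruple(msgs)
    return mac(x) ^ mac(y) ^ mac(z) ^ mac(t)

if __name__ == "__main__":
    print(demo())
```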