
Message Authentication Codes (MACs)
Tung Chou, Technische Universiteit Eindhoven, The Netherlands
October 8, 2015
(1/22)

About Me (2/22)
• Tung Chou (Tony)
• Ph.D. student of Daniel J. Bernstein


The Wegman–Carter construction (11/22)
• Why?
  • provides information-theoretic security
  • usually involves field/ring arithmetic
  • better performance than HMAC
• Construction
  • “universal” hash function + one-time pad: $h_r(m_n) \oplus s_n$
  • universal hash: low differential probability
  • one-time pad hides all information about the key

Poly1305 (12/22)
• Construction: $t = \big(\big((m_1 r^{\ell} + m_2 r^{\ell-1} + \cdots + m_\ell r) \bmod (2^{130}-5)\big) + s\big) \bmod 2^{128}$
• $2^{130}-5$ is a prime
• $r, s$ are shared secret 128-bit values
• $m_i$ for $i<\ell$ is the $i$th 128-bit block of $m$ padded by 1 (a byte 01 appended after the block before it is read as an integer).
• $m_\ell$ is the “remainder” of $m$ padded by 1.
• Without proper padding?
  • $m$ = ’FF’, $m'$ = ’FF’,’00’
  • zero-padding either message to a 128-bit block gives $m_1 = m'_1$ = ’FF’,’00’,…,’00’, so both messages get the same tag
• Speed: 1.22 Sandy Bridge cycles/byte
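The construction on this slide, as an added example (not code from the slides): Poly1305 as specified by Bernstein (2005) and RFC 8439, evaluated by Horner's rule with one multiplication per block, next to a deliberately broken zero-padding variant that reproduces the collision above. One detail the slide omits: the specification clears 22 bits of $r$ ("clamping") before use, leaving $2^{106}$ possible values; the code includes it, which is why the RFC 8439 test vector matches. The pair FF / FF 00 is the slide's; everything else is the RFC vector.

```python
# Added example, not code from the slides: Poly1305 exactly as specified
# (Bernstein 2005; RFC 8439), next to the broken zero-padding variant from
# the slide.  The spec clears 22 bits of r ("clamping") before use; the slide
# does not show this, and the RFC test vector below only matches with it.
P1305 = (1 << 130) - 5                          # the prime 2^130 - 5
CLAMP = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF     # RFC 8439 clamping mask for r


def _poly1305_core(key: bytes, msg: bytes, append_01: bool) -> bytes:
    """((m_1 r^l + ... + m_l r) mod (2^130 - 5) + s) mod 2^128, via Horner's rule.

    append_01=True  : real Poly1305.  Each block (16 bytes, or the shorter final
                      "remainder") gets a 0x01 byte appended before being read as
                      a little-endian integer: the slide's "padded by 1".
    append_01=False : the broken variant, zero-filled to 16 bytes, no marker.
    """
    r = int.from_bytes(key[:16], "little") & CLAMP
    s = int.from_bytes(key[16:32], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16]
        if append_01:
            m_i = int.from_bytes(block + b"\x01", "little")
        else:
            m_i = int.from_bytes(block.ljust(16, b"\x00"), "little")  # lossy
        acc = ((acc + m_i) * r) % P1305      # Horner step: one multiplication per block
    return ((acc + s) % (1 << 128)).to_bytes(16, "little")


def poly1305(key: bytes, msg: bytes) -> bytes:
    return _poly1305_core(key, msg, append_01=True)


def poly1305_zero_padded(key: bytes, msg: bytes) -> bytes:
    """Same arithmetic without the 0x01 marker: the 'without proper padding' case."""
    return _poly1305_core(key, msg, append_01=False)


# RFC 8439, section 2.5.2: 32-byte one-time key (r || s) and its expected tag.
RFC8439_KEY = bytes.fromhex("85d6be7857556d337f4452fe42d506a8"
                            "0103808afb0db2fd4abff6af4149f51b")
RFC8439_MSG = b"Cryptographic Forum Research Group"
RFC8439_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")


def padding_collision(key: bytes) -> dict:
    """The slide's pair m = FF, m' = FF 00 under both paddings."""
    m, m_prime = b"\xff", b"\xff\x00"
    return {
        "zero_pad_collides": poly1305_zero_padded(key, m) == poly1305_zero_padded(key, m_prime),
        "poly1305_collides": poly1305(key, m) == poly1305(key, m_prime),
    }


if __name__ == "__main__":
    print(poly1305(RFC8439_KEY, RFC8439_MSG) == RFC8439_TAG)   # True
    print(padding_collision(RFC8439_KEY))   # {'zero_pad_collides': True, 'poly1305_collides': False}
```

With the 01 marker, FF becomes the integer 0x01FF and FF 00 becomes 0x0100FF, two different field elements, so the two tags differ; with zero filling both collapse to 0xFF and the tags are identical for every key. Note also that a 16-byte block with the marker appended exceeds $2^{128}$, which is why the reduction is modulo $2^{130}-5$ rather than a 128-bit prime.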

Poly1305: avoiding security issues (13/22)
• What is wrong with “real” polynomial evaluation?
  $t = m_1 r^{\ell-1} + m_2 r^{\ell-2} + \cdots + m_\ell + s$
• The attacker forges a valid message–tag pair easily, without knowing $r$ or $s$:
  $t + \Delta = m_1 r^{\ell-1} + m_2 r^{\ell-2} + \cdots + (m_\ell + \Delta) + s$
• This does not provide low differential probability

Poly1305: avoiding security issues (14/22)
• What is wrong with using the same pad twice?
  $t = m_1 r^{\ell} + m_2 r^{\ell-1} + \cdots + m_\ell r + s$
  $t' = m'_1 r^{\ell} + m'_2 r^{\ell-1} + \cdots + m'_\ell r + s$
• The attacker gets information about $r$ by finding roots of
  $t - t' = (m_1 - m'_1) r^{\ell} + (m_2 - m'_2) r^{\ell-1} + \cdots + (m_\ell - m'_\ell) r$
• “nonce-misuse” issue
• In practice $s$ is usually replaced by stream-cipher output, e.g., $\mathrm{AES}_k(n)$ for message $m_n$ (as in Poly1305-AES)
• HMAC does not use a nonce
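The two attacks of slides 13 and 14, as an added example that is not part of the slides: both are run over a small constructed prime field $\mathbb{F}_{65537}$ rather than $\mathbb{F}_{2^{130}-5}$, so the arithmetic is exact and the root finding for the pad-reuse attack can be plain brute force. The key, pad and messages are constructed values. Over the real field the algebra is the same; only the root finding would need a proper algorithm.

```python
# Added example, not code from the slides: the two attacks of slides 13 and 14
# carried out over a small prime field, so everything is exact and the root
# finding can be brute force.  P is a constructed toy modulus, not 2^130 - 5;
# over the real field the algebra is identical, only the root finding changes.
P = 65537


def bad_mac(blocks, r, s):
    """Slide 13's 'real' polynomial evaluation: m_1 r^{l-1} + ... + m_l + s.
    The last block is multiplied by r^0 = 1, so it enters without the key."""
    acc = 0
    for m in blocks:
        acc = (acc * r + m) % P
    return (acc + s) % P


def poly_hash(blocks, r):
    """Slide 14's hash: m_1 r^l + ... + m_l r (every block is multiplied by r at least once)."""
    acc = 0
    for m in blocks:
        acc = (acc + m) * r % P
    return acc


def poly_mac(blocks, r, s):
    return (poly_hash(blocks, r) + s) % P


def forge_last_block(blocks, tag, delta):
    """Attack on bad_mac: add delta to the last block and to the tag.  No key needed."""
    forged = list(blocks[:-1]) + [(blocks[-1] + delta) % P]
    return forged, (tag + delta) % P


def recover_r_from_pad_reuse(blocks, tag, blocks2, tag2):
    """Attack on poly_mac with s reused: t - t' = sum_i (m_i - m'_i) r^{l-i+1}.
    Returns every r in F_P that is a root of that polynomial; the real r is among them."""
    assert len(blocks) == len(blocks2)
    diff = [(a - b) % P for a, b in zip(blocks, blocks2)]
    target = (tag - tag2) % P
    return [r for r in range(P) if poly_hash(diff, r) == target]


def demo():
    """Constructed key and two-block messages; returns the outcome of both attacks."""
    r, s = 4242, 9001
    m, m2 = [111, 222], [333, 444]
    forged, forged_tag = forge_last_block(m, bad_mac(m, r, s), delta=42)
    cands = recover_r_from_pad_reuse(m, poly_mac(m, r, s), m2, poly_mac(m2, r, s))
    return {
        "forgery_verifies_on_bad_mac": bad_mac(forged, r, s) == forged_tag,
        "same_trick_fails_on_poly_mac": poly_mac(forged, r, s) != (poly_mac(m, r, s) + 42) % P,
        "r_recovered": r in cands,
        "candidates": len(cands),   # at most deg(t - t') = 2 for two-block messages
    }


if __name__ == "__main__":
    print(demo())
```

The pad-reuse attack recovers $r$ up to at most $\ell$ candidates (the degree of $t - t'$); a third message under the same pad, or a single forgery attempt per candidate, settles which one is the key. This is why $s$ must be fresh per message, and why a stream cipher keyed on a nonce is the usual way to produce it.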

Poly1305: polynomial evaluation (15/22)
Consider $m_1 r^8 + m_2 r^7 + \cdots + m_8 r$
• Horner’s rule: $\big(\cdots\big((m_1 r + m_2)\,r + m_3\big)\,r + \cdots + m_8\big)\,r$, i.e. multiply the running value by $r$ and add the next block, one block at a time
• $n$ multiplications (and $n-1$ additions) for $n$ blocks
• The issue of being “on-line”

GMAC (16/22)
• The NIST-standard authenticated encryption scheme GCM
  • Galois Counter Mode
  • Special hardware support for AES-GCM in high-end CPUs
• Polynomial evaluation MAC: $t = (m_1 r^{\ell} + m_2 r^{\ell-1} + \cdots + m_\ell r) + s$
• Based on arithmetic in $\mathbb{F}_{2^{128}} = \mathbb{F}_2[x]/(x^{128} + x^7 + x^2 + x + 1)$
• Binary fields: better in hardware
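Arithmetic in the field named on this slide and the slide's polynomial MAC over it, as an added example that is not code from the slides or from any GCM implementation. A field element is an integer whose bit $i$ is the coefficient of $x^i$; multiplication is a carry-less product followed by reduction with $x^{128} = x^7 + x^2 + x + 1$, the same two steps a PCLMULQDQ-based implementation performs. Real GHASH reads blocks in a bit-reflected order and also hashes the AAD and ciphertext lengths, so GCM test vectors do not apply here; the key $r$, pad $s$ and message are constructed values.

```python
# Added example, not code from the slides: arithmetic in
# F_{2^128} = F_2[x]/(x^128 + x^7 + x^2 + x + 1) and the slide's polynomial MAC
# over it.  A field element is a Python int whose bit i is the coefficient of
# x^i.  Real GHASH uses a bit-reflected encoding of this field and also hashes
# the AAD/ciphertext lengths, so GCM test vectors do not apply to this demo.
X128_REDUCED = 0x87     # x^128 = x^7 + x^2 + x + 1 in this field


def gf128_mul(a: int, b: int) -> int:
    """Carry-less (XOR) schoolbook product, then reduce degrees 254..128 downwards."""
    prod = 0
    for i in range(128):
        if (b >> i) & 1:
            prod ^= a << i
    for i in range(254, 127, -1):
        if (prod >> i) & 1:
            prod ^= (1 << i) | (X128_REDUCED << (i - 128))   # x^i -> x^{i-128}(x^7+x^2+x+1)
    return prod


def gf128_pow(a: int, e: int) -> int:
    out = 1
    while e:
        if e & 1:
            out = gf128_mul(out, a)
        a = gf128_mul(a, a)
        e >>= 1
    return out


def gmac_horner(blocks, r: int, s: int) -> int:
    """t = (m_1 r^l + ... + m_l r) + s, one field multiplication per block.
    In GCM, r is the hash key H = E_k(0^128) and s = E_k(J_0), the encrypted
    initial counter block; here both are constructed constants."""
    acc = 0
    for m in blocks:
        acc = gf128_mul(acc ^ m, r)       # addition in F_2^128 is XOR
    return acc ^ s


def gmac_explicit(blocks, r: int, s: int) -> int:
    """The same sum written with explicit powers of r, as a cross-check on Horner."""
    l = len(blocks)
    acc = 0
    for i, m in enumerate(blocks, start=1):
        acc ^= gf128_mul(m, gf128_pow(r, l - i + 1))
    return acc ^ s


def to_blocks(msg: bytes):
    """16-byte blocks; the last one is zero-filled (GCM can afford this only
    because it also hashes the message length, which this demo leaves out)."""
    return [int.from_bytes(msg[i:i + 16].ljust(16, b"\x00"), "big")
            for i in range(0, len(msg), 16)]


DEMO_R = 0x0123456789ABCDEF0123456789ABCDEF            # constructed hash key
DEMO_S = 0xFEDCBA9876543210FEDCBA9876543210            # constructed one-time pad
DEMO_MSG = b"GMAC over GF(2^128): three blocks of input here"   # 47 bytes -> 3 blocks


if __name__ == "__main__":
    blocks = to_blocks(DEMO_MSG)
    print(hex(gmac_horner(blocks, DEMO_R, DEMO_S)))
    print(gmac_horner(blocks, DEMO_R, DEMO_S) == gmac_explicit(blocks, DEMO_R, DEMO_S))  # True
```

The reduction loop is where the binary field differs from the prime field of Poly1305: there are no carries, so "addition" is XOR and reduction is a fixed pattern of shifts and XORs, which is cheap in hardware and with PCLMULQDQ but slow as bit-by-bit software, matching the speed table that follows.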

GCM (17/22)
[Figure: GCM mode diagram, from http://en.wikipedia.org/wiki/Galois/Counter_Mode]

GMAC: speeds (18/22)

reference               platform       PCLMULQDQ   cycles per byte
Käsper–Schwabe 2009     Core 2         no          14.40
                        Sandy Bridge   no          13.10
Krovetz–Rogaway 2011    Westmere       yes          2.00
Gueron 2013             Sandy Bridge   yes          1.79
                        Haswell        yes          0.40

Auth256* (19/22)
• Construction
  • a pseudo-dot-product MAC: $t = (m_1 + r_1)(m_2 + r_2) + (m_3 + r_3)(m_4 + r_4) + \cdots + s$
  • base field $\mathbb{F}_{2^{256}} = \mathbb{F}_{2^8}[x]/(\phi)$; tower field construction for $\mathbb{F}_{2^8}$
• Compared to GMAC
  • higher security level
  • 0.5 multiplications per block instead of 1
  • larger key size
  • very different field construction for low bit operation count
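The pseudo-dot-product hash next to the polynomial-evaluation hash, as an added example that is not code from the slides or from Auth256: both run over a constructed toy prime field (not Auth256's $\mathbb{F}_{2^{256}}$ tower field, which is not reproduced here), with field multiplications counted so that "0.5 versus 1 multiplications per block" and "larger key size" can be read off directly. The blocks, key elements and pad are constructed values.

```python
# Added example, not code from the slides: Auth256's pseudo-dot-product hash
# next to the polynomial-evaluation hash, over a constructed toy prime field
# (not Auth256's F_{2^256} tower field), with the field multiplications counted.
P = 65537                                           # toy modulus, constructed


class CountingField:
    """Prime-field arithmetic that counts multiplications, the expensive operation."""
    def __init__(self):
        self.mults = 0

    def add(self, a, b):
        return (a + b) % P

    def mul(self, a, b):
        self.mults += 1
        return a * b % P


def pseudo_dot_product_mac(blocks, r_key, s, F):
    """t = (m_1 + r_1)(m_2 + r_2) + (m_3 + r_3)(m_4 + r_4) + ... + s.
    Key: one field element per block (2l elements for 2l blocks);
    cost: one multiplication per PAIR of blocks."""
    assert len(blocks) % 2 == 0 and len(r_key) >= len(blocks)
    acc = 0
    for i in range(0, len(blocks), 2):
        left = F.add(blocks[i], r_key[i])
        right = F.add(blocks[i + 1], r_key[i + 1])
        acc = F.add(acc, F.mul(left, right))
    return F.add(acc, s)


def polynomial_mac(blocks, r, s, F):
    """GMAC/Poly1305 shape: t = m_1 r^l + ... + m_l r + s by Horner's rule.
    Key: a single r; cost: one multiplication per block."""
    acc = 0
    for m in blocks:
        acc = F.mul(F.add(acc, m), r)
    return F.add(acc, s)


def compare(blocks, r_key, s):
    """Hash the same blocks both ways and report tag, multiplication count and key size."""
    F_poly, F_pdp = CountingField(), CountingField()
    t_poly = polynomial_mac(blocks, r_key[0], s, F_poly)
    t_pdp = pseudo_dot_product_mac(blocks, r_key, s, F_pdp)
    return {
        "blocks": len(blocks),
        "poly": {"tag": t_poly, "mults": F_poly.mults, "key_elements": 1},
        "pdp": {"tag": t_pdp, "mults": F_pdp.mults, "key_elements": len(blocks)},
    }


# Constructed sample: 8 message blocks, an 8-element pseudo-dot-product key, a pad.
DEMO_BLOCKS = [1001, 2002, 3003, 4004, 5005, 6006, 7007, 8008]
DEMO_KEY = [9, 8, 7, 6, 5, 4, 3, 2]
DEMO_S = 12345


if __name__ == "__main__":
    print(compare(DEMO_BLOCKS, DEMO_KEY, DEMO_S))
```

The trade is explicit in the output: the polynomial hash needs one key element and $\ell$ multiplications, the pseudo-dot-product needs $\ell$ key elements and $\ell/2$ multiplications. Auth256 accepts the larger key because the key is fixed and can be expanded once, while the multiplications are paid per message.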

Wegman–Carter construction: security (20/22)
• “$\delta$-xor-universal hash”: for all distinct $(m, m')$ and all $\Delta$, we have
  $\Pr_r\big[\mathrm{Hash}_r(m) = \mathrm{Hash}_r(m') \oplus \Delta\big] \le \delta$
• The one-time pad hides all information about the key $r$.
• The best strategy for the attacker is to guess.
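Added derivation, not on the slides: why the polynomial hash of slides 12 and 14 satisfies the definition above, written over the field $\mathbb{F}_p$ in the slides' own symbols and with $\oplus$ read as field subtraction (which is how the Poly1305 tag combines hash and pad). For distinct $m, m'$ of $\ell$ blocks each and any $\Delta$,

$$
\mathrm{Hash}_r(m) - \mathrm{Hash}_r(m') - \Delta
  \;=\; \sum_{i=1}^{\ell} (m_i - m'_i)\, r^{\ell-i+1} \;-\; \Delta \;=:\; g(r).
$$

Since $m \ne m'$, some coefficient $m_i - m'_i$ is nonzero, so $g$ is a nonzero polynomial in $r$ of degree at most $\ell$ and has at most $\ell$ roots in $\mathbb{F}_p$. For $r$ uniform in $\mathbb{F}_p$,

$$
\Pr_r\big[\mathrm{Hash}_r(m) = \mathrm{Hash}_r(m') + \Delta\big]
  \;=\; \Pr_r\big[g(r) = 0\big] \;\le\; \frac{\ell}{p},
\qquad \text{so } \delta = \ell/p.
$$

For messages of different block counts $\ell > \ell'$, the “padded by 1” rule of slide 12 makes every $m_i$ nonzero, so the leading term $m_1 r^{\ell}$ cannot be cancelled and the bound holds with $\max(\ell,\ell')$. Without it, ’FF’ and ’FF’,’00’ give the same block sequence, $g \equiv -\Delta$ no longer depends on $r$, and for $\Delta = 0$ the probability is $1$.

Forgery: an attacker who has seen $(m, t)$ with $t = \mathrm{Hash}_r(m) + s$ and submits $(m', t')$ succeeds iff $\mathrm{Hash}_r(m') + s = t'$, i.e. iff $\mathrm{Hash}_r(m') = \mathrm{Hash}_r(m) + (t' - t)$. Because $s$ is uniform and used once, $t$ reveals nothing about $r$, so this is exactly the event bounded above with $\Delta = t' - t$: success probability at most $\delta$, which is what “the best strategy is to guess” means. Bernstein's analysis of the actual Poly1305, where $r$ is clamped to $2^{106}$ possible values and the tag is reduced modulo $2^{128}$, gives a bound of the same shape, $8\lceil L/16\rceil/2^{106}$ for messages of at most $L$ bytes.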
