Example 1
Let $T : \{0,1\}^k \times B^* \to B$ be defined by
$$T_K(M[1] \ldots M[m]) = E_K(M[1]) \oplus \cdots \oplus E_K(M[m])$$
and let $\mathrm{MA}[T] = (\mathcal{K}, T, V)$.

adversary $A$
  $T \leftarrow \mathrm{Tag}(1^n 0^n)$
  $d \leftarrow \mathrm{Verify}(0^n 1^n, T)$

Then
$$T_K(1^n 0^n) = E_K(1^n) \oplus E_K(0^n) = E_K(0^n) \oplus E_K(1^n) = T_K(0^n 1^n),$$
so $\mathrm{Adv}^{\text{uf-cma}}_{\mathrm{MA}[T]}(A) = 1$.
Example 2
Let $E : \{0,1\}^k \times B \to B$ be a block cipher, where $B = \{0,1\}^n$. View a message $M$ as a sequence of $\ell$-bit blocks, $M = M[1] \ldots M[m]$, where $\ell = n - 32$. Let $T : \{0,1\}^k \times (\{0,1\}^{\ell})^* \to B$ be defined by
$$T_K(M[1] \ldots M[m]) = E_K(\langle 1 \rangle \,\|\, M[1]) \oplus \cdots \oplus E_K(\langle m \rangle \,\|\, M[m])$$

[Figure: the blocks $\langle 1 \rangle \| M[1]$, $\langle 2 \rangle \| M[2]$, ..., $\langle m \rangle \| M[m]$ each enter $E_K$; the outputs are XORed to give $T_K(M)$.]

Notation: $\langle i \rangle$ is the 32-bit binary representation of the block index $i$.
Example 2
Now
$$T_K(0^\ell \| 0^\ell) = E_K(\langle 1 \rangle \| 0^\ell) \oplus E_K(\langle 2 \rangle \| 0^\ell) \neq 0^n$$
and
$$T_K(1^\ell \| 0^\ell) = E_K(\langle 1 \rangle \| 1^\ell) \oplus E_K(\langle 2 \rangle \| 0^\ell) \neq E_K(\langle 1 \rangle \| 0^\ell) \oplus E_K(\langle 2 \rangle \| 1^\ell) = T_K(0^\ell \| 1^\ell).$$
The first inequality is guaranteed because $E_K$ is a permutation and $\langle 1 \rangle \| 0^\ell \neq \langle 2 \rangle \| 0^\ell$. The second is no longer an identity: the four block-cipher inputs are distinct, so for a good block cipher the two sides agree only with negligible probability. So the previous attacks fail.
Example 2
[Figure: a two-block message $X \| Y$; $\langle 1 \rangle \| X$ and $\langle 2 \rangle \| Y$ enter $E_K$ and the outputs are XORed to give $T$.]

Weakness: suppose we have
$$T_1 = T_K(X_1 Y_1) = E_K(\langle 1 \rangle \| X_1) \oplus E_K(\langle 2 \rangle \| Y_1)$$
$$T_2 = T_K(X_1 Y_2) = E_K(\langle 1 \rangle \| X_1) \oplus E_K(\langle 2 \rangle \| Y_2)$$
$$T_3 = T_K(X_2 Y_1) = E_K(\langle 1 \rangle \| X_2) \oplus E_K(\langle 2 \rangle \| Y_1)$$
XOR these and the terms $E_K(\langle 1 \rangle \| X_1)$ and $E_K(\langle 2 \rangle \| Y_1)$, each of which appears twice, cancel:
$$T_1 \oplus T_2 \oplus T_3 = E_K(\langle 1 \rangle \| X_2) \oplus E_K(\langle 2 \rangle \| Y_2) = T_K(X_2 Y_2),$$
so we have computed the tag of $X_2 \| Y_2$ without ever asking for it.
Attack on Example 2
Let $T$ be defined by $T_K(M[1] \ldots M[m]) = E_K(\langle 1 \rangle \| M[1]) \oplus \cdots \oplus E_K(\langle m \rangle \| M[m])$ and let $\mathrm{MA}[T] = (\mathcal{K}, T, V)$.

adversary $A$
  Let $x_1, x_2, y_1, y_2$ be distinct $\ell$-bit strings
  $T_1 \leftarrow \mathrm{Tag}(x_1 \| y_1)$    // $T_1 = E_K(\langle 1 \rangle \| x_1) \oplus E_K(\langle 2 \rangle \| y_1)$
  $T_2 \leftarrow \mathrm{Tag}(x_1 \| y_2)$    // $T_2 = E_K(\langle 1 \rangle \| x_1) \oplus E_K(\langle 2 \rangle \| y_2)$
  $T_3 \leftarrow \mathrm{Tag}(x_2 \| y_1)$    // $T_3 = E_K(\langle 1 \rangle \| x_2) \oplus E_K(\langle 2 \rangle \| y_1)$
  $T_4 \leftarrow T_1 \oplus T_2 \oplus T_3$
  $d \leftarrow \mathrm{Verify}(x_2 \| y_2, T_4)$

So $T_4 = E_K(\langle 1 \rangle \| x_2) \oplus E_K(\langle 2 \rangle \| y_2) = T_K(x_2 \| y_2)$; the message $x_2 \| y_2$ was never queried to Tag, so $\mathrm{Adv}^{\text{uf-cma}}_{\mathrm{MA}[T]}(A) = 1$.
UF-CMA Adversary
• Is allowed a chosen-message attack (CMA)
• Yet should not succeed in existential forgery (UF)

[Figure: $A$ sends Tag queries $M_1, \ldots, M_{q_s}$ and receives tags $T_1, \ldots, T_{q_s}$; it sends Verify queries $(M'_1, T'_1), \ldots, (M'_{q_v}, T'_{q_v})$ and receives decisions $d_1, \ldots, d_{q_v}$.]

We say $A$ wins if there exists $i$ such that
• $\mathrm{Verify}(M'_i, T'_i)$ returned 1, but
• $A$ did not query $M'_i$ to Tag prior to querying $(M'_i, T'_i)$ to Verify.
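The UF-CMA game above, with the two XOR-MAC forgeries of Examples 1 and 2 run against it, as an added example that is not part of the slides. The block cipher $E_K$ is stood in for by HMAC-SHA256 truncated to $n = 128$ bits (an assumption: the attacks only use that $E_K$ is a keyed function, so nothing depends on it being AES), and the game class tracks the set of Tag-queried messages exactly as the winning condition requires.

```python
"""UF-CMA game harness plus the XOR-MAC forgeries of Examples 1 and 2.

Added example; E_K is a stand-in PRF (HMAC-SHA256 truncated to n bits), not AES.
"""
import hashlib
import hmac
import os

N_BYTES = 16                    # n = 128-bit blocks
ELL_BYTES = N_BYTES - 4         # l = n - 32: room for the 32-bit index <i>


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K on one n-bit block (assumption: keyed PRF, not AES)."""
    assert len(block) == N_BYTES
    return hmac.new(key, block, hashlib.sha256).digest()[:N_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def xor_mac_ex1(key: bytes, msg: bytes) -> bytes:
    """Example 1: T_K(M[1]..M[m]) = E_K(M[1]) xor ... xor E_K(M[m])."""
    assert len(msg) % N_BYTES == 0
    tag = bytes(N_BYTES)
    for i in range(0, len(msg), N_BYTES):
        tag = xor(tag, E(key, msg[i:i + N_BYTES]))
    return tag


def xor_mac_ex2(key: bytes, msg: bytes) -> bytes:
    """Example 2: each l-bit block is prefixed with its 32-bit index <i>."""
    assert len(msg) % ELL_BYTES == 0
    tag = bytes(N_BYTES)
    for i in range(len(msg) // ELL_BYTES):
        block = (i + 1).to_bytes(4, "big") + msg[i * ELL_BYTES:(i + 1) * ELL_BYTES]
        tag = xor(tag, E(key, block))
    return tag


class UFCMAGame:
    """Game UFCMA_MA: Tag/Verify oracles; win is set when a never-tagged message verifies."""

    def __init__(self, tag_fn, key: bytes = None):
        self.key = key or os.urandom(N_BYTES)
        self.tag_fn = tag_fn
        self.queried = set()
        self.win = False

    def Tag(self, m: bytes) -> bytes:
        self.queried.add(m)
        return self.tag_fn(self.key, m)

    def Verify(self, m: bytes, t: bytes) -> int:
        d = 1 if hmac.compare_digest(self.tag_fn(self.key, m), t) else 0
        if d == 1 and m not in self.queried:
            self.win = True
        return d


def attack_example1(game: UFCMAGame) -> bool:
    """Swap the two blocks: T_K(1^n 0^n) = T_K(0^n 1^n)."""
    ones, zeros = b"\xff" * N_BYTES, b"\x00" * N_BYTES
    t = game.Tag(ones + zeros)
    game.Verify(zeros + ones, t)
    return game.win


def attack_example2(game: UFCMAGame) -> bool:
    """T_K(x1 y1) xor T_K(x1 y2) xor T_K(x2 y1) = T_K(x2 y2), never queried."""
    x1, x2 = b"\x01" * ELL_BYTES, b"\x02" * ELL_BYTES
    y1, y2 = b"\x03" * ELL_BYTES, b"\x04" * ELL_BYTES
    t1 = game.Tag(x1 + y1)
    t2 = game.Tag(x1 + y2)
    t3 = game.Tag(x2 + y1)
    game.Verify(x2 + y2, xor(xor(t1, t2), t3))
    return game.win


def verify_rejects_garbage(game: UFCMAGame) -> bool:
    """Sanity check: a never-tagged message with an arbitrary tag does not verify."""
    d = game.Verify(b"\x05" * (2 * ELL_BYTES), bytes(N_BYTES))
    return d == 0 and not game.win


if __name__ == "__main__":
    print("Example 1 forgery accepted:", attack_example1(UFCMAGame(xor_mac_ex1)))
    print("Example 2 forgery accepted:", attack_example2(UFCMAGame(xor_mac_ex2)))
```

Both attacks set `win` with probability 1, regardless of the key, because they exploit algebraic identities of $T$ rather than any weakness of $E_K$; swapping in a real block cipher for `E` changes nothing.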
Plan
• Replay
• Justifying UF
• Justifying CMA
Replay
Suppose Alice transmits $(M_1, T_1)$ to Bank where $M_1$ = "Pay $100 to Bob".
Adversary
• Captures $(M_1, T_1)$
• Keeps re-transmitting it to Bank
Result: Bob gets $100, $200, $300, ...

Our notion of security does not ask for protection against replay.
Question: Why not?
Answer: Replay is best addressed as an add-on to standard message authentication.
Preventing Replay Using Timestamps
Let $T_A$ be the time as per Alice's local clock and $T_B$ the time as per Bob's local clock.
• Alice sends $(M, T_K(M), T_A)$
• Bob receives $(M, \mathrm{tag}, T)$ and accepts iff $V_K(M, \mathrm{tag}) = 1$ and $|T_B - T| \le \Delta$, where $\Delta$ is a small threshold.

Does this work?

Obviously a replay is still possible within a $\Delta$ interval. But the main problem is that $T_A$ is not authenticated, so the adversary can transmit $(M, T_K(M), T_1), (M, T_K(M), T_2), \ldots$ for any times $T_1, T_2, \ldots$ of its choice, and Bob will accept every one of them.
Preventing Replay Using Timestamps
Let $T_A$ be the time as per Alice's local clock and $T_B$ the time as per Bob's local clock.
• Alice sends $(M, T_K(M \| T_A), T_A)$
• Bob receives $(M, \mathrm{tag}, T)$ and accepts iff $V_K(M \| T, \mathrm{tag}) = 1$ and $|T_B - T| \le \Delta$, where $\Delta$ is a small threshold.

Now the timestamp is covered by the tag, so changing it amounts to a forgery. Two things remain for the implementer: a replay inside the $\Delta$ window is still accepted unless Bob also remembers the pairs he has seen recently, and the encoding of $M \| T$ must make the boundary between $M$ and $T$ unambiguous.
Preventing Replay Using Counters
Alice maintains a counter $\mathrm{ctr}_A$ and Bob maintains a counter $\mathrm{ctr}_B$. Initially both are zero.
• Alice sends $(M, T_K(M \| \mathrm{ctr}_A))$ and then increments $\mathrm{ctr}_A$
• Bob receives $(M, \mathrm{tag})$. If $V_K(M \| \mathrm{ctr}_B, \mathrm{tag}) = 1$ then Bob accepts and increments $\mathrm{ctr}_B$.

Counters need to stay synchronized: a lost or reordered message leaves $\mathrm{ctr}_B$ behind $\mathrm{ctr}_A$, and every later message is rejected until the two are resynchronized.
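The three replay-protection variants of the preceding slides, the unauthenticated-timestamp scheme, the fixed scheme that MACs $M \| T_A$, and the counter scheme, exercised side by side; this is an added example, not the slides' own code. The MAC is HMAC-SHA256 (any PRF is a MAC), clocks are simulated integers so the run is deterministic, and the length-prefixed `encode` helper is an assumption standing in for whatever unambiguous $M \| T$ encoding a deployment would choose.

```python
"""Replay protection around a MAC: broken timestamps, authenticated timestamps, counters.

Added example; HMAC-SHA256 is the MAC, clocks are simulated integers.
"""
import hashlib
import hmac

DELTA = 5                                 # acceptance window in seconds (assumption)


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def encode(msg: bytes, t: int) -> bytes:
    """Unambiguous encoding of M||T: length-prefix M so the boundary cannot shift."""
    return len(msg).to_bytes(4, "big") + msg + t.to_bytes(8, "big")


# Scheme 1 (broken): Alice sends (M, T_K(M), T_A); the timestamp is not authenticated.
def send_v1(key: bytes, msg: bytes, now: int):
    return msg, mac(key, msg), now


def accept_v1(key: bytes, packet, now_bob: int) -> bool:
    msg, tag, t = packet
    return hmac.compare_digest(mac(key, msg), tag) and abs(now_bob - t) <= DELTA


# Scheme 2 (fixed): Alice sends (M, T_K(M||T_A), T_A).
def send_v2(key: bytes, msg: bytes, now: int):
    return msg, mac(key, encode(msg, now)), now


def accept_v2(key: bytes, packet, now_bob: int) -> bool:
    msg, tag, t = packet
    return hmac.compare_digest(mac(key, encode(msg, t)), tag) and abs(now_bob - t) <= DELTA


def replay_with_fresh_timestamp(send, accept, key: bytes = b"k" * 32) -> bool:
    """Adversary captures a packet sent at time 0 and re-sends it at time 1000
    with the timestamp rewritten to 1000. Returns whether Bob accepts it."""
    msg, tag, _ = send(key, b"Pay $100 to Bob", 0)
    forged = (msg, tag, 1000)
    return accept(key, forged, 1000)


# Scheme 3: counters.
class CounterSender:
    def __init__(self, key: bytes):
        self.key, self.ctr = key, 0

    def send(self, msg: bytes):
        pkt = (msg, mac(self.key, encode(msg, self.ctr)))
        self.ctr += 1
        return pkt


class CounterReceiver:
    def __init__(self, key: bytes):
        self.key, self.ctr = key, 0

    def accept(self, pkt) -> bool:
        msg, tag = pkt
        if hmac.compare_digest(mac(self.key, encode(msg, self.ctr)), tag):
            self.ctr += 1                  # only advance on a valid packet
            return True
        return False


def counter_replay_rejected(key: bytes = b"k" * 32):
    """A fresh packet is accepted once; replaying it fails because ctr_B moved on."""
    alice, bob = CounterSender(key), CounterReceiver(key)
    pkt = alice.send(b"Pay $100 to Bob")
    return bob.accept(pkt), bob.accept(pkt)


def counter_loss_desynchronises(key: bytes = b"k" * 32) -> bool:
    """If one packet is lost in transit, the next one is rejected (counters out of step)."""
    alice, bob = CounterSender(key), CounterReceiver(key)
    alice.send(b"lost in transit")        # never reaches Bob
    return bob.accept(alice.send(b"next message"))
```

The fixed timestamp scheme rejects the rewritten packet because the tag was computed over the original time, while the counter scheme rejects the replay outright; the last function shows the synchronisation cost the slide mentions, which is why deployed protocols carry the counter (or a window of acceptable counters) explicitly.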
Types of message authentication schemes
Special purpose: Used in a specific setting, to authenticate data of some known format or distribution. Comes with a WARNING: only use under conditions X.
General purpose: Used to authenticate in many different settings, where the data format and distribution are not known in advance.

We want general purpose schemes because
• They can be standardized and broadly used.
• Once a scheme is out there, it gets used for everything anyway.
• General purpose schemes are easier to use and less subject to misuse: it is hard for application designers to know whether condition X is met.
Why UF-CMA?
A possible critique of existential forgery:
• In practice we usually care only that $A$ cannot forge tags for "important" or "meaningful" messages.
• Yet the UF-CMA definition declares $A$ successful even if it forges the tag of a "garbage" message.

Response: We want general purpose schemes!
• We cannot anticipate application contexts, and it is dangerous to let security depend on assumptions about message semantics.
• In fact, "random" messages are possible, for example
  • Keys
  • Executable files
  • Scientific data being read by sensors
Why UF-CMA?
Possible critique of CMAs: They cannot be mounted in practice.

Response:
• Actually, they sometimes can
• Security against CMA is important for the security of some protocols using MA
• Better safe than sorry
CMAs in "real life"
• Message forwarding: Charlie sends $M$ to Alice, who authenticates it under a key $K$ she shares with Bob, sending $(M, \tau)$ to the latter
• Notary public: Will authenticate any given data
CMAs in Protocols: Example
Alice's smartcard contains a key $K$ also held by Bank.

[Protocol flow: Bank picks a challenge $C \overset{\$}{\leftarrow} \{0,1\}^n$ and sends it to Alice; Alice's card computes $T \leftarrow T_K(C)$ and returns $T$; Bank allows the transaction if $V_K(C, T) = 1$.]
CMAs in Protocols: Example
An adversary without the card attempts to get Bank to accept under Alice's name.

[Protocol flow: Bank picks $C \overset{\$}{\leftarrow} \{0,1\}^n$ and sends it; the adversary, not knowing $K$, must return some $T$; Bank allows the transaction if $V_K(C, T) = 1$. Succeeding means forging a tag on a fresh random challenge $C$.]
CMAs in Protocols: Example
A Trojan horse ATM can mount a CMA to try to find the key $K$.

[Protocol flow: the Trojan horse ATM sends challenges $C$ of its own choosing to Alice's card and collects the tags $T \leftarrow T_K(C)$. The card answers any $C$, so the ATM is exactly a chosen-message adversary against the scheme.]
Strong unforgeability
UF-CMA asks that the adversary be unable to forge a tag for a "new" message.
SUF-CMA asks that the adversary be unable to
• forge a tag for a "new" message
• forge a new tag even for an "old" message

"New message": A message not authenticated by the sender
"Old message": A message authenticated by the sender
"New tag": Not a tag computed/sent by the sender for this message
Definition: SUF-CMA
Let $\mathrm{MA} = (\mathcal{K}, T, V)$ be a message authentication scheme and $A$ an adversary.

Game $\mathrm{SUFCMA}_{\mathrm{MA}}$
  procedure Initialize
    $K \overset{\$}{\leftarrow} \mathcal{K}$ ; $S \leftarrow \emptyset$
  procedure Tag($M$)
    $T \overset{\$}{\leftarrow} T_K(M)$ ; $S \leftarrow S \cup \{(M, T)\}$ ; return $T$
  procedure Verify($M, T$)
    $d \leftarrow V_K(M, T)$
    if ($d = 1 \wedge (M, T) \notin S$) then win $\leftarrow$ true
    return $d$
  procedure Finalize
    return win

The suf-cma advantage of adversary $A$ is
$$\mathrm{Adv}^{\text{suf-cma}}_{\mathrm{MA}}(A) = \Pr\big[\mathrm{SUFCMA}^A_{\mathrm{MA}} \Rightarrow \text{true}\big].$$
SUF-CMA ⇒ UF-CMA
Any MA scheme $\mathrm{MA} = (\mathcal{K}, T, V)$ that is SUF-CMA is also UF-CMA. Why?

Suppose $A$'s Tag queries are $M_1, \ldots, M_q$, resulting in tags
$$T_1 \overset{\$}{\leftarrow} T_K(M_1), \ldots, T_q \overset{\$}{\leftarrow} T_K(M_q).$$
Now suppose $A$ queries $\mathrm{Verify}(M, T)$. Then
$$M \notin \{M_1, \ldots, M_q\} \;\Rightarrow\; (M, T) \notin \{(M_1, T_1), \ldots, (M_q, T_q)\}.$$
So if $A$ wins in game $\mathrm{UFCMA}_{\mathrm{MA}}$ it also wins in game $\mathrm{SUFCMA}_{\mathrm{MA}}$.

Theorem: For any $A$, $\mathrm{Adv}^{\text{uf-cma}}_{\mathrm{MA}}(A) \le \mathrm{Adv}^{\text{suf-cma}}_{\mathrm{MA}}(A)$.
Any PRF is a MAC
Let $F : \{0,1\}^k \times D \to \{0,1\}^n$ be a family of functions, and let $\mathrm{MA}[F] = (\mathcal{K}, T, V)$ be the associated MAC: $K \overset{\$}{\leftarrow} \{0,1\}^k$, $T_K(M) = F_K(M)$, and $V_K(M, T) = 1$ iff $T = F_K(M)$.
Proposition: If $F$ is a secure PRF then $\mathrm{MA}[F]$ is a secure (UF-CMA and SUF-CMA) MAC.
Intuition for why PRFs are good MACs
• Random functions make good MACs
• PRFs are pretty much as good as random functions
Random functions are good MACs
Suppose $\mathrm{Fn} : D \to \{0,1\}^n$ is random and consider $A$ who
• Can query $\mathrm{Fn}$ at any points $x_1, \ldots, x_q \in D$ it likes
• To win, must output $x, T$ such that $x \notin \{x_1, \ldots, x_q\}$ but $T = \mathrm{Fn}(x)$

Then $\Pr[A \text{ wins}] = 2^{-n}$, because $A$ did not query $\mathrm{Fn}(x)$: the value $\mathrm{Fn}(x)$ is a uniformly random $n$-bit string independent of everything $A$ has seen.
PRFs are nearly as good MACs as random functions
Suppose $F : \{0,1\}^k \times D \to \{0,1\}^n$ and let $K \overset{\$}{\leftarrow} \{0,1\}^k$. Consider $A$ who
• Can query $F_K$ at any points $x_1, \ldots, x_q \in D$ it likes
• To win, must output $x, T$ such that $x \notin \{x_1, \ldots, x_q\}$ but $T = F_K(x)$

If $\Pr[A \text{ wins}]$ is significantly more than $2^{-n}$ then we are detecting a difference between $F_K$ and a random function, i.e. $A$ yields a PRF distinguisher.
PRFs are good MACs
Theorem [GGM86, BKR96]: Let $F : \{0,1\}^k \times D \to \{0,1\}^n$ be a family of functions and let $\mathrm{MA}[F] = (\mathcal{K}, T, V)$ be the associated MAC. Let $A$ be a suf-cma adversary making $q_s$ Tag queries and $q_v \le 2^n/2$ Verify queries, and having running time $t$. Then there is a prf-adversary $B$ such that
$$\mathrm{Adv}^{\text{suf-cma}}_{\mathrm{MA}[F]}(A) \le \mathrm{Adv}^{\text{prf}}_F(B) + \frac{2 q_v}{2^n},$$
and $B$ makes $q_s + q_v$ $\mathrm{Fn}$ queries and has running time $t$ plus some overhead. Since the suf-cma advantage upper bounds the uf-cma advantage, the same bound holds for $\mathrm{Adv}^{\text{uf-cma}}_{\mathrm{MA}[F]}(A)$.
Games for proof
Game $G_0$
  procedure Initialize
    $K \overset{\$}{\leftarrow} \{0,1\}^k$ ; $S \leftarrow \emptyset$
  procedure Tag($M$)
    if $T[M] = \bot$ then $T[M] \leftarrow F_K(M)$
    $S \leftarrow S \cup \{M\}$ ; return $T[M]$
  procedure Verify($M, T'$)
    if $T[M] = \bot$ then $T[M] \leftarrow F_K(M)$
    if $T' = T[M]$ then $d \leftarrow 1$ else $d \leftarrow 0$
    if ($d = 1 \wedge M \notin S$) then win $\leftarrow$ true
    return $d$
  procedure Finalize
    return win

Game $G_1$
  procedure Initialize
    $S \leftarrow \emptyset$
  procedure Tag($M$)
    if $T[M] = \bot$ then $T[M] \overset{\$}{\leftarrow} \{0,1\}^n$
    $S \leftarrow S \cup \{M\}$ ; return $T[M]$
  procedure Verify($M, T'$)
    if $T[M] = \bot$ then $T[M] \overset{\$}{\leftarrow} \{0,1\}^n$
    if $T' = T[M]$ then $d \leftarrow 1$ else $d \leftarrow 0$
    if ($d = 1 \wedge M \notin S$) then win $\leftarrow$ true
    return $d$
  procedure Finalize
    return win
Adversary $B$
adversary $B$
  $S \leftarrow \emptyset$
  Run $A^{\mathrm{TagSim}(\cdot),\, \mathrm{VerifySim}(\cdot, \cdot)}$
  if win then return 1 else return 0

  subroutine TagSim($M$)
    if $T[M] = \bot$ then $T[M] \leftarrow \mathrm{Fn}(M)$
    $S \leftarrow S \cup \{M\}$ ; return $T[M]$

  subroutine VerifySim($M, T'$)
    if $T[M] = \bot$ then $T[M] \leftarrow \mathrm{Fn}(M)$
    if $T' = T[M]$ then $d \leftarrow 1$ else $d \leftarrow 0$
    if ($d = 1 \wedge M \notin S$) then win $\leftarrow$ true
    return $d$

If $\mathrm{Fn} = F_K$ then $B$ is providing $A$ the environment of game $G_0$, so $\Pr[\mathrm{Real}^B_F \Rightarrow 1] = \Pr[G_0^A \Rightarrow \text{true}]$.
If $\mathrm{Fn}$ is random then $B$ is providing $A$ the environment of game $G_1$, so $\Pr[\mathrm{Rand}^B_F \Rightarrow 1] = \Pr[G_1^A \Rightarrow \text{true}]$.
Analysis
$$\mathrm{Adv}^{\text{prf}}_F(B) = \Pr[\mathrm{Real}^B_F \Rightarrow 1] - \Pr[\mathrm{Rand}^B_F \Rightarrow 1] = \Pr[G_0^A \Rightarrow \text{true}] - \Pr[G_1^A \Rightarrow \text{true}]$$
Claim 1: $\Pr[G_0^A \Rightarrow \text{true}] = \mathrm{Adv}^{\text{suf-cma}}_{\mathrm{MA}[F]}(A)$
Claim 2: $\Pr[G_1^A \Rightarrow \text{true}] \le \dfrac{2 q_v}{2^n}$

Combining the two claims with the displayed equation gives the theorem:
$$\mathrm{Adv}^{\text{suf-cma}}_{\mathrm{MA}[F]}(A) = \Pr[G_0^A \Rightarrow \text{true}] = \mathrm{Adv}^{\text{prf}}_F(B) + \Pr[G_1^A \Rightarrow \text{true}] \le \mathrm{Adv}^{\text{prf}}_F(B) + \frac{2 q_v}{2^n}.$$
Proof of Claim 1
Game $G_0$
  procedure Initialize
    $K \overset{\$}{\leftarrow} \{0,1\}^k$ ; $S \leftarrow \emptyset$
  procedure Tag($M$)
    if $T[M] = \bot$ then $T[M] \leftarrow F_K(M)$
    $S \leftarrow S \cup \{M\}$ ; return $T[M]$
  procedure Verify($M, T'$)
    if $T[M] = \bot$ then $T[M] \leftarrow F_K(M)$
    if $T' = T[M]$ then $d \leftarrow 1$ else $d \leftarrow 0$
    if ($d = 1 \wedge M \notin S$) then win $\leftarrow$ true
    return $d$
  procedure Finalize
    return win

Game $\mathrm{SUFCMA}_{\mathrm{MA}[F]}$
  procedure Initialize
    $K \overset{\$}{\leftarrow} \mathcal{K}$ ; $S \leftarrow \emptyset$
  procedure Tag($M$)
    $T \leftarrow F_K(M)$
    $S \leftarrow S \cup \{M\}$ ; return $T$
  procedure Verify($M, T'$)
    if $T' = F_K(M)$ then $d \leftarrow 1$ else $d \leftarrow 0$
    if ($d = 1 \wedge M \notin S$) then win $\leftarrow$ true
    return $d$
  procedure Finalize
    return win

Claim 1: $\Pr[G_0^A \Rightarrow \text{true}] = \mathrm{Adv}^{\text{suf-cma}}_{\mathrm{MA}[F]}(A)$
Proof: The above games are equivalent. $T[M]$ is only ever set to $F_K(M)$, so $G_0$ merely caches values the right-hand game recomputes; and because $\mathrm{MA}[F]$ has deterministic tags, the generic SUF-CMA condition $(M, T') \notin S$ coincides with $M \notin S$ whenever $T' = F_K(M)$, which is how $S$ is written here.
Proof of Claim 2
Game $G_1$
  procedure Initialize
    $S \leftarrow \emptyset$
  procedure Tag($M$)
    if $T[M] = \bot$ then $T[M] \overset{\$}{\leftarrow} \{0,1\}^n$
    $S \leftarrow S \cup \{M\}$ ; return $T[M]$
  procedure Verify($M, T'$)
    if $T[M] = \bot$ then $T[M] \overset{\$}{\leftarrow} \{0,1\}^n$
    if $T' = T[M]$ then $d \leftarrow 1$ else $d \leftarrow 0$
    if ($d = 1 \wedge M \notin S$) then win $\leftarrow$ true
    return $d$
  procedure Finalize
    return win

Claim 2: $\Pr[G_1^A \Rightarrow \text{true}] \le 2 q_v / 2^n$
Proof: For a call $\mathrm{Verify}(M, T')$ to set win it must be that $T' = T[M]$ and $M \notin S$. Assuming the latter, $\Pr[T' = T[M]] = \,?$
Proof of Claim 2
  procedure Verify($M, T'$)
    if $T[M] = \bot$ then $T[M] \overset{\$}{\leftarrow} \{0,1\}^n$
    if $T' = T[M]$ then $d \leftarrow 1$ else $d \leftarrow 0$
    if ($d = 1 \wedge M \notin S$) then win $\leftarrow$ true
    return $d$

The probability that $T' = T[M]$ with $M \notin S$ is $2^{-n}$ for the first Verify call, but what about later? A failed Verify call on $M$ tells $A$ one value that $T[M]$ is not. The best strategy for $A$ is therefore to pick some $M \notin S$ and query $\mathrm{Verify}(M, T_1), \mathrm{Verify}(M, T_2), \ldots$ where $T_1, T_2, \ldots$ are distinct. Given that the earlier calls failed, the probability that the $i$-th call sets win is
$$\frac{1}{2^n - (i-1)}.$$
Proof of Claim 2
Regardless of $A$'s strategy, the probability that the $i$-th $\mathrm{Verify}(M, T')$ call with $M \notin S$ sets win is at most $\dfrac{1}{2^n - (i-1)}$, so
$$\Pr[G_1^A \Rightarrow \text{true}] \le \sum_{i=1}^{q_v} \frac{1}{2^n - (i-1)} \le \sum_{i=1}^{q_v} \frac{1}{2^n - (q_v - 1)} \le \frac{q_v}{2^n - q_v}.$$
But $q_v \le 2^n/2$ means $2^n - q_v \ge 2^n/2$, so
$$\Pr[G_1^A \Rightarrow \text{true}] \le \frac{2 q_v}{2^n}.$$
Basic CBC MAC
Let $E : \{0,1\}^k \times B \to B$ be a block cipher, where $B = \{0,1\}^n$. View a message $M \in B^*$ as a sequence of $n$-bit blocks, $M = M[1] \ldots M[m]$. The basic CBC MAC $\mathrm{MA}[T]$ defines $T : \{0,1\}^k \times B^* \to B$ by

Alg $T_K(M)$
  $C[0] \leftarrow 0^n$
  for $i = 1, \ldots, m$ do $C[i] \leftarrow E_K(C[i-1] \oplus M[i])$
  return $C[m]$

[Figure: $M[1], M[2], \ldots, M[m-1], M[m]$ enter a chain of $E_K$ boxes, each block XORed with the previous output; the last output $C[m]$ is $T_K(M)$.]
Splicing attack on basic CBC MAC
Alg $T_K(M)$
  $C[0] \leftarrow 0^n$
  for $i = 1, \ldots, m$ do $C[i] \leftarrow E_K(C[i-1] \oplus M[i])$
  return $C[m]$

adversary $A$
  Let $x \in \{0,1\}^n$
  $T_1 \leftarrow \mathrm{Tag}(x)$
  $M \leftarrow x \,\|\, (T_1 \oplus x)$
  $d \leftarrow \mathrm{Verify}(M, T_1)$

Then, using $E_K(x) = T_1$ from the first query,
$$T_K(M) = E_K(E_K(x) \oplus T_1 \oplus x) = E_K(T_1 \oplus T_1 \oplus x) = E_K(x) = T_1.$$
The two-block message $M$ was never queried to Tag, so $A$ wins with probability 1.

[Figure: blocks $x$ and $T_1 \oplus x$ through two chained $E_K$ boxes; both the intermediate and the final output equal $T_1$.]
Preventing the splicing attack
If all authenticated messages have the same number $m$ of blocks then the splicing attack does not apply (the forged message has one block more than the queried one), so in such a setting we could continue to consider the basic CBC MAC. But in many uses we need to authenticate messages of varying lengths. One popular solution has been the ECBC (encrypted CBC) MAC.
ECBC MAC
Let $E : \{0,1\}^k \times B \to B$ be a block cipher, where $B = \{0,1\}^n$. The encrypted CBC (ECBC) MAC $\mathrm{MA}[T]$ is obtained by defining $T : \{0,1\}^{2k} \times B^* \to B$ by

Alg $T_{K_{\mathrm{in}} \| K_{\mathrm{out}}}(M)$
  $C[0] \leftarrow 0^n$
  for $i = 1, \ldots, m$ do $C[i] \leftarrow E_{K_{\mathrm{in}}}(C[i-1] \oplus M[i])$
  $T \leftarrow E_{K_{\mathrm{out}}}(C[m])$
  return $T$

[Figure: the CBC chain of $E_{K_{\mathrm{in}}}$ boxes over $M[1], \ldots, M[m]$, followed by one $E_{K_{\mathrm{out}}}$ box producing $T_{K_{\mathrm{in}} \| K_{\mathrm{out}}}(M)$.]
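The splicing attack of the previous slides run against the basic CBC MAC, and the same two queries run against ECBC, as an added example that is not part of the slides. $E_K$ is stood in for by HMAC-SHA256 truncated to 16 bytes (an assumption, not AES); the splicing identity $E_K(E_K(x) \oplus T_1 \oplus x) = E_K(x)$ holds for any function $E$, so nothing depends on it being a permutation.

```python
"""Splicing forgery against the basic CBC MAC, and the same queries against ECBC.

Added example; E_K is a stand-in PRF (HMAC-SHA256 truncated), not AES.
"""
import hashlib
import hmac
import os

N = 16                      # n = 128-bit blocks


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher (assumption: keyed PRF, not AES)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Basic CBC MAC: C[0] = 0^n, C[i] = E_K(C[i-1] xor M[i]), tag = C[m]."""
    assert len(msg) % N == 0 and len(msg) > 0
    c = bytes(N)
    for i in range(0, len(msg), N):
        c = E(key, xor(c, msg[i:i + N]))
    return c


def ecbc_mac(key_in: bytes, key_out: bytes, msg: bytes) -> bytes:
    """ECBC: encrypt the basic CBC MAC once more under an independent key."""
    return E(key_out, cbc_mac(key_in, msg))


def splicing_attack(tag_oracle):
    """Query Tag(x), then claim the same tag for the two-block message x || (T1 xor x).

    Returns (forged_message, claimed_tag)."""
    x = b"\x2a" * N
    t1 = tag_oracle(x)
    return x + xor(t1, x), t1


def run_against_basic_cbc(key: bytes = None) -> bool:
    """True iff Verify accepts the spliced message under the basic CBC MAC."""
    key = key or os.urandom(N)
    m, t = splicing_attack(lambda msg: cbc_mac(key, msg))
    # C[1] = E_K(x) = T1, C[2] = E_K(T1 xor T1 xor x) = E_K(x) = T1
    return cbc_mac(key, m) == t


def run_against_ecbc(key_in: bytes = None, key_out: bytes = None) -> bool:
    """Same adversary against ECBC: T1 is now E_Kout(E_Kin(x)), not E_Kin(x),
    so the inner chain no longer cancels and the forgery is rejected."""
    key_in = key_in or os.urandom(N)
    key_out = key_out or os.urandom(N)
    m, t = splicing_attack(lambda msg: ecbc_mac(key_in, key_out, msg))
    return ecbc_mac(key_in, key_out, m) == t


if __name__ == "__main__":
    print("basic CBC MAC accepts forgery:", run_against_basic_cbc())
    print("ECBC accepts forgery:", run_against_ecbc())
```

Against ECBC the adversary only ever learns $E_{K_{\mathrm{out}}}(E_{K_{\mathrm{in}}}(x))$, so it cannot construct the block that cancels the chaining value; the equality in `run_against_ecbc` holds only with the chance probability $2^{-128}$ of a tag collision.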
MAC security
The splicing attack fails against the $m$-restricted basic CBC MAC and the ECBC MAC. But are there other attacks? Or are these MACs secure? What's the best attack, and can we prove it is so?
Birthday attacks on MACs
There is a large class of MACs, including
• The $m$-restricted basic CBC MAC
• ECBC MAC, CMAC, HMAC, ...
which are subject to a birthday attack that succeeds in forgery with about $q \approx 2^{n/2}$ Tag queries and a few verification queries, where $n$ is the tag (output) length of the MAC. Furthermore, we can typically show this is best possible, so the birthday bound is the "true" indication of security.

The class of MACs in question are called iterated MACs and work by iterating some lower-level primitive such as a block cipher or compression function.
Security of iterated MACs
The number $q$ of $m$-block messages that can be safely authenticated is about $2^{n/2}/m$, where $n$ is the block length of the block cipher, or the length of the chaining input of the compression function.

MAC                  n     m        q
Basic DES-CBC-MAC    64    1024     2^22
DES-ECBC-MAC         64    1024     2^22
Basic AES-CBC-MAC    128   1024     2^54
AES-ECBC-MAC         128   1024     2^54
Basic AES-CBC-MAC    128   10^6     2^44
AES-ECBC-MAC         128   10^6     2^44
HMAC-SHA1            160   10^6     2^60
HMAC-SHA256          256   10^6     2^108

$m = 10^6$ means message length 16 Mbytes when $n = 128$.
The birthday attack
We now illustrate how the birthday attack works in a simple case, namely the 3-restricted basic CBC MAC. Here all messages in the adversary's queries, both to the Tag oracle and to the Verify oracle, must be exactly 3 blocks long.
Internal collisions
Let $M_i = \langle i \rangle \| r_i \| 0^n$ and $M_j = \langle j \rangle \| r_j \| 0^n$, where $\langle i \rangle$ is the $n$-bit encoding of the index $i$ and $r_i, r_j$ are random $n$-bit blocks.

[Figure: two three-block CBC chains. Chain $i$: $\langle i \rangle$, $r_i$, $0^n$ through $E_K$ giving $C_i[1], C_i[2], C_i[3]$; chain $j$: $\langle j \rangle$, $r_j$, $0^n$ giving $C_j[1], C_j[2], C_j[3]$.]

Internal collision: $C_i[2] = C_j[2]$.
Internal collisions can be detected by examining the MAC output, because the third block is $0^n$ in both messages and $E_K$ is a permutation:
$$C_i[2] = C_j[2] \iff E_K(C_i[2] \oplus 0^n) = E_K(C_j[2] \oplus 0^n) \iff C_i[3] = C_j[3].$$
Exploiting internal collisions to forge
Suppose adversary $A$ has the tags $C_i[3] = C_j[3]$ of messages $\langle i \rangle \| r_i \| 0^n$ and $\langle j \rangle \| r_j \| 0^n$ that have an internal collision, namely $C_i[2] = C_j[2]$.

[Figure: the same two chains with the last block $0^n$ replaced by $x$ in both, giving $C'_i[3]$ and $C'_j[3]$.]

Then if $0^n$ is changed to some other value $x$, the tags will continue to be the same: for any $x$ we have
$$C'_i[3] = E_K(C_i[2] \oplus x) = E_K(C_j[2] \oplus x) = C'_j[3],$$
meaning $C'_i[3]$ is the correct tag for both messages $\langle i \rangle \| r_i \| x$ and $\langle j \rangle \| r_j \| x$. Thus $A$ can forge by picking some $x \neq 0^n$ and
• Requesting the tag of $\langle i \rangle \| r_i \| x$ to get $C'_i[3]$
• Calling Verify on $\langle j \rangle \| r_j \| x$ and $C'_i[3]$
Finding internal collisions
Query $q$ 3-block messages
$$\langle 1 \rangle \| r_1 \| 0^n,\quad \langle 2 \rangle \| r_2 \| 0^n,\quad \ldots,\quad \langle q \rangle \| r_q \| 0^n$$
to get back tags $C_1[3], C_2[3], \ldots, C_q[3]$. Hope to find $i, j$ with $1 \le i < j \le q$ and $C_i[3] = C_j[3]$. It follows that $C_i[2] = C_j[2]$.

[Figure: the two colliding chains for $i$ and $j$ as before.]
Birthday attack on 3-restricted basic CBC MAC
adversary $A$
  for $i = 1, \ldots, q$ do
    $r_i \overset{\$}{\leftarrow} \{0,1\}^n$ ; $C_i[3] \leftarrow \mathrm{Tag}(\langle i \rangle \| r_i \| 0^n)$
  $S \leftarrow \{(i, j) : 1 \le i < j \le q \text{ and } C_i[3] = C_j[3]\}$
  if $S \neq \emptyset$ then
    $(i, j) \overset{\$}{\leftarrow} S$
    $C'_i[3] \leftarrow \mathrm{Tag}(\langle i \rangle \| r_i \| 1^n)$
    $d \leftarrow \mathrm{Verify}(\langle j \rangle \| r_j \| 1^n, C'_i[3])$

The previous discussion shows that if $S \neq \emptyset$ then $A$ succeeds, so
$$\mathrm{Adv}^{\text{uf-cma}}_{\mathrm{MA}[T]}(A) = \Pr[S \neq \emptyset].$$
A birthday analysis can be used to show that
$$\Pr[S \neq \emptyset] = C(2^n, q) \ge 0.3\,\frac{q(q-1)}{2^n}.$$
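The birthday attack above, scaled down so that it runs in about a second, as an added example that is not part of the slides. The block cipher is an assumed toy: a 16-bit, 4-round Feistel network whose round function is derived from HMAC-SHA256. Every Feistel network is a permutation, which is exactly the property that makes $C_i[3] = C_j[3]$ equivalent to the internal collision $C_i[2] = C_j[2]$ and so makes the forgery succeed whenever $S \neq \emptyset$. With $n = 16$ about $2^{8} = 256$ queries suffice; the code uses $q = 2000$ so that the collision probability is overwhelming.

```python
"""Birthday attack on the 3-restricted basic CBC MAC over a toy 16-bit block cipher.

Added example; the cipher is an assumed 4-round Feistel network, not a real one.
"""
import hashlib
import hmac
import random

N_BITS = 16
MASK = (1 << N_BITS) - 1


def round_fn(key: bytes, r: int, half: int) -> int:
    return hmac.new(key, bytes([r, half]), hashlib.sha256).digest()[0]


def E(key: bytes, x: int) -> int:
    """Toy 16-bit block cipher: 4-round Feistel on 8-bit halves (always a permutation)."""
    left, right = x >> 8, x & 0xFF
    for r in range(4):
        left, right = right, left ^ round_fn(key, r, right)
    return (left << 8) | right


def is_permutation(key: bytes = b"toy key") -> bool:
    """Confirm E_K is a bijection on {0,1}^16 for this key."""
    return len({E(key, x) for x in range(1 << N_BITS)}) == (1 << N_BITS)


def cbc_mac3(key: bytes, blocks) -> int:
    """Basic CBC MAC restricted to exactly three n-bit blocks."""
    assert len(blocks) == 3
    c = 0
    for b in blocks:
        c = E(key, c ^ b)
    return c


def birthday_attack(key: bytes = None, q: int = 2000, seed: int = 1) -> dict:
    """Run adversary A of the slide. Returns whether an output collision was
    found and whether the forged tag verified on the never-queried message."""
    rng = random.Random(seed)                          # deterministic for reproducibility
    key = key if key is not None else bytes(rng.getrandbits(8) for _ in range(16))
    seen = {}                                          # tag -> (i, r_i) of first message
    collision = None
    for i in range(1, q + 1):
        r_i = rng.getrandbits(N_BITS)
        t = cbc_mac3(key, [i, r_i, 0])                 # Tag(<i> || r_i || 0^n)
        if t in seen and collision is None:
            collision = (seen[t], (i, r_i))            # C_i[3] = C_j[3], hence C_i[2] = C_j[2]
        seen.setdefault(t, (i, r_i))
    if collision is None:
        return {"collision_found": False, "forgery_accepted": False, "tag_queries": q}
    (i, r_i), (j, r_j) = collision
    x = MASK                                           # replace 0^n by 1^n
    forged_tag = cbc_mac3(key, [i, r_i, x])            # one more Tag query
    accepted = cbc_mac3(key, [j, r_j, x]) == forged_tag   # Verify(<j>||r_j||x, forged_tag)
    return {"collision_found": True, "forgery_accepted": accepted, "tag_queries": q + 1}


if __name__ == "__main__":
    print(birthday_attack())
```

The forged message $\langle j \rangle \| r_j \| 1^n$ differs from every Tag query (its index $j$ pairs with last block $1^n$ only here), so acceptance is a genuine UF-CMA win with $q + 1$ Tag queries and a single Verify query, matching the $q \approx 2^{n/2}$ cost in the table above.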
Truncation
The effectiveness of the birthday attack can be reduced by truncating the MAC output to $t \le n$ bits. For example, for $n = 128$ one might use $t = 80$.

The reason it helps is that internal collisions can no longer be unambiguously identified. (A MAC output collision does not necessarily mean there was an internal collision.)

To be effective, truncation must be combined with "throttling," which restricts the attacker to a small number of verification queries.

Truncation is an option with many standardized MACs. A rigorous and tight quantitative analysis of the security of truncation is lacking.
Security of basic CBC MAC
Question: Are there better-than-birthday attacks when authenticating same-length messages?
Answer: NO, and we can prove the answer is correct.
Basic CBC MAC is a PRF (and hence a SUF-CMA MAC) if all messages authenticated have the same length.
Security of basic CBC MAC
Theorem [BKR96]: Let $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ be a family of functions and $m \ge 1$ an integer. Let $E^m : \{0,1\}^k \times \{0,1\}^{nm} \to \{0,1\}^n$ be the family of functions defined by

Alg $E^m_K(M)$
  $C[0] \leftarrow 0^n$
  for $i = 1, \ldots, m$ do $C[i] \leftarrow E_K(C[i-1] \oplus M[i])$
  return $C[m]$

Let $A$ be a prf-adversary against $E^m$ that makes $q$ oracle queries and has running time $t$. Then there is a prf-adversary $B$ against $E$ such that
$$\mathrm{Adv}^{\text{prf}}_{E^m}(A) \le \mathrm{Adv}^{\text{prf}}_E(B) + \frac{q^2 m^2}{2^n},$$
and $B$ makes at most $qm$ oracle queries and has running time about $t$.
Security of ECBC
• No splicing attack
• But the birthday attack applies

The birthday attack turns out to be best possible: ECBC can securely authenticate messages of varying lengths as long as the total number of blocks authenticated is at most about $2^{n/2}$.
Security of ECBC
Theorem: Let $E : \{0,1\}^k \times B \to B$ be a block cipher where $B = \{0,1\}^n$. Define $F : \{0,1\}^{2k} \times B^* \to \{0,1\}^n$ by

Alg $F_{K_{\mathrm{in}} \| K_{\mathrm{out}}}(M)$
  $C[0] \leftarrow 0^n$
  for $i = 1, \ldots, m$ do $C[i] \leftarrow E_{K_{\mathrm{in}}}(C[i-1] \oplus M[i])$
  $T \leftarrow E_{K_{\mathrm{out}}}(C[m])$
  return $T$

Let $A$ be a prf-adversary against $F$ that makes at most $q$ oracle queries, these totalling at most $\sigma$ blocks, and has running time $t$. Then there is a prf-adversary $B$ against $E$ such that
$$\mathrm{Adv}^{\text{prf}}_F(A) \le \mathrm{Adv}^{\text{prf}}_E(B) + \frac{\sigma^2}{2^n},$$
and $B$ makes at most $\sigma$ oracle queries and has running time about $t$.
Non-full messages
So far we assumed messages have length a multiple of the block length of the block cipher. Call such messages full. How do we deal with non-full messages?

[Figure: a message whose last block $M[3]$ is shorter than $n$ bits.]

The obvious approach is padding: append a 1 bit followed by as many 0 bits as needed to complete the block.

[Figure: $M[1]\ M[2]\ M[3]\,10^*$, the last block padded out to $n$ bits.]

This works, but the padding must be applied to full messages too (otherwise $M$ and $M \| 10^*$ would receive the same tag), so if $M$ was full an extra block is needed,

[Figure: $M[1]\ M[2]\ M[3]\ 10^*$, a whole new block of padding after a full message.]

leading to an extra block cipher operation.
Costs
Handling length variability and non-full messages leads to two extra block cipher invocations in the ECBC MAC as compared to the basic CBC MAC. Also ECBC uses two block cipher keys and needs to rekey, which is expensive. Can we do better?
CMAC
Standards: NIST SP 800-38B, RFCs 4493, 4494, 4615
Features: Handles variable-length and non-full messages with
• Minimal overhead
• A single block cipher key
Security:
• Subject to a birthday attack
• Security proof shows there is no better attack
History: XCBC [BlRo], OMAC/OMAC1 [IW]
CMAC Components and Setup
• $E : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$ is a block cipher, in practice AES (written here with key length equal to block length, as for AES-128).
• $\mathrm{CBC}_K(M)$ is the basic CBC MAC of a full message $M$ under key $K \in \{0,1\}^n$ and using $E$.
• $J \in \{0,1\}^n$ is a particular fixed constant; for $n = 128$ it is $0^{120}\,10000111$, i.e. the byte $87_{16}$ in the last position.

CMAC uses its key $K \in \{0,1\}^n$ to derive subkeys $K_1, K_2$ via
• $K_0 \leftarrow E_K(0^n)$
• if $\mathrm{msb}(K_0) = 0$ then $K_1 \leftarrow (K_0 \ll 1)$ else $K_1 \leftarrow (K_0 \ll 1) \oplus J$
• if $\mathrm{msb}(K_1) = 0$ then $K_2 \leftarrow (K_1 \ll 1)$ else $K_2 \leftarrow (K_1 \ll 1) \oplus J$
where $x \ll 1$ means $x$ left-shifted by 1 bit, so that the msb vanishes and the lsb becomes 0. These bit operations are multiplication by the element $x$ in the finite field $\mathrm{GF}(2^n)$, with $J$ encoding the reduction polynomial, so $K_1 = 2K_0$ and $K_2 = 4K_0$ in that field.
CMAC Algorithm
Alg $\mathrm{CMAC}_K(M)$
  $M[1] \ldots M[m-1] M[m] \leftarrow M$    // $|M[i]| = n$ for $i < m$, $|M[m]| \le n$
  $\ell \leftarrow |M[m]|$    // $\ell \le n$
  if $\ell = n$ then $M[m] \leftarrow K_1 \oplus M[m]$
  else $M[m] \leftarrow K_2 \oplus (M[m] \,\|\, 1 0^{n-\ell-1})$
  $M \leftarrow M[1] \ldots M[m-1] M[m]$
  $T \leftarrow \mathrm{CBC}_K(M)$
  return $T$

Masking a full last block with $K_1$ and a padded one with $K_2$ is what keeps $M$ and $M \| 10^*$ apart without spending an extra block, and the whole computation uses the single key $K$ (the subkey derivation costs one $E_K$ call, which can be cached).
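CMAC as specified above, written against an abstract block-cipher callable, as an added example that is not part of the slides. The subkey derivation (the $\mathrm{GF}(2^{128})$ doubling) is checked against the AES-128 intermediate values $L$, $K_1$, $K_2$ published in RFC 4493 section 4, which lets that step be verified without an AES implementation; the CBC part is exercised with a stand-in block cipher built from HMAC-SHA256 (an assumption, not AES), so tags from `toy_E` are for illustrating structure only.

```python
"""CMAC (NIST SP 800-38B) over an abstract block cipher E(key, block) -> block.

Added example; RFC 4493 subkey constants are used to test the doubling step.
"""
import hashlib
import hmac

N = 16                       # block size in bytes (n = 128)
RB = 0x87                    # J = 0^120 || 10000111 for n = 128


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def double(block: bytes) -> bytes:
    """Multiply by 2 in GF(2^128): shift left one bit, XOR in J if the msb was set."""
    v = int.from_bytes(block, "big") << 1
    if v >> (8 * N):                                   # a bit fell off the top
        v = (v & ((1 << (8 * N)) - 1)) ^ RB
    return v.to_bytes(N, "big")


def subkeys_from_L(L: bytes):
    """K1 = 2L and K2 = 4L, where L = K0 = E_K(0^n)."""
    k1 = double(L)
    return k1, double(k1)


def cmac(E, key: bytes, msg: bytes) -> bytes:
    """CMAC_K(M) with block cipher E. Returns the full n-bit tag."""
    k1, k2 = subkeys_from_L(E(key, bytes(N)))
    blocks = [msg[i:i + N] for i in range(0, len(msg), N)] or [b""]   # empty M: one padded block
    last = blocks[-1]
    if len(last) == N:
        last = xor(last, k1)                                            # full final block
    else:
        last = xor(last + b"\x80" + bytes(N - len(last) - 1), k2)       # pad 10*, mask with K2
    c = bytes(N)
    for b in blocks[:-1] + [last]:
        c = E(key, xor(c, b))                                           # basic CBC MAC, IV 0^n
    return c


def toy_E(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher for exercising the CBC structure (assumption, not AES)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:N]


# RFC 4493 section 4 intermediate values for K = 2b7e1516 28aed2a6 abf71588 09cf4f3c
RFC4493_L = bytes.fromhex("7df76b0c1ab899b33e42f047b91b546f")     # AES-128_K(0^128)
RFC4493_K1 = bytes.fromhex("fbeed618357133667c85e08f7236a8de")
RFC4493_K2 = bytes.fromhex("f7ddac306ae266ccf90bc11ee46d513b")


def padding_is_unambiguous(key: bytes = b"\x11" * 16) -> bool:
    """A 15-byte M and the 16-byte M||0x80 must get different tags (K2 vs K1 separates them)."""
    m = b"\x00" * 15
    return cmac(toy_E, key, m) != cmac(toy_E, key, m + b"\x80")


if __name__ == "__main__":
    print("RFC 4493 subkeys reproduced:", subkeys_from_L(RFC4493_L) == (RFC4493_K1, RFC4493_K2))
    print("padding unambiguous:", padding_is_unambiguous())
```

To turn this into the standardized AES-CMAC, pass an AES-128 block-encryption function as `E`; the RFC 4493 test vectors then apply to the full tag as well.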
Parallelizable MACs?
The following MAC has the nice feature that the block cipher computations can be done in parallel.

[Figure: $M[1], M[2], M[3], M[4]$ each enter $E_K$ independently; the four outputs are XORed to give $T$.]

But we saw earlier (Example 1) that this is not secure! Can we fix it?
PMAC [BlRo]
Features:
• Minimal overhead
• A single block cipher key
• Handles variable-length and non-full messages
• Parallelizable
Security:
• Subject to a birthday attack
• Security proof shows there is no better attack [BlRo]
Tweakable Block Ciphers [LRW]
A tweakable block cipher is a map
$$E : \{0,1\}^k \times \mathrm{TwSp} \times \{0,1\}^n \to \{0,1\}^n$$
such that $E^T_K : \{0,1\}^n \to \{0,1\}^n$ is a permutation for every $K, T$, where $E^T_K(X) = E(K, T, X)$.

With a single key one thus implicitly has a large number of maps $E^1_K, E^2_K, E^3_K, E^4_K, E^5_K, E^6_K, \ldots$, one per tweak. These appear to be independent random permutations to an adversary who does not know the key $K$, even if it can choose the tweaks and inputs.
Tweakable Block Cipher Security, Formally
Let $E : \{0,1\}^k \times \mathrm{TwSp} \times \{0,1\}^n \to \{0,1\}^n$ be a tweakable block cipher.

Game $\mathrm{Real}_E$
  procedure Initialize
    $K \overset{\$}{\leftarrow} \{0,1\}^k$
  procedure Fn($T, x$)
    Return $E^T_K(x)$

Game $\mathrm{Rand}_{\{0,1\}^n}$
  procedure Fn($T, x$)
    if $Y[T, x] = \bot$ then $Y[T, x] \overset{\$}{\leftarrow} \{0,1\}^n$
    Return $Y[T, x]$

(The table $Y$ makes Fn a random function of the pair $(T, x)$: a repeated query gets the same answer, as it would in the real world.)

Associated to $E, A$ are the probabilities $\Pr[\mathrm{Real}^A_E \Rightarrow 1]$ and $\Pr[\mathrm{Rand}^A_{\{0,1\}^n} \Rightarrow 1]$ that $A$ outputs 1 in each world. The advantage of $A$ is
$$\mathrm{Adv}^{\text{prf}}_E(A) = \Pr[\mathrm{Real}^A_E \Rightarrow 1] - \Pr[\mathrm{Rand}^A_{\{0,1\}^n} \Rightarrow 1].$$
PMAC Algorithm
[Figure, for a full message of 4 blocks: $M[1], M[2], M[3]$ enter $E^{1,0}_K, E^{2,0}_K, E^{3,0}_K$ respectively; the three outputs are XORed together with $M[4]$, and the result enters $E^{4,1}_K$ to give $T$.]

Illustrated for a full message of 4 blocks: every block but the last is processed independently under its own tweak $(i, 0)$, so these calls run in parallel; the last block is folded into the XOR sum, which passes through one final call under the tweak $(m, 1)$.
Building a Tweakable Block Cipher
We want to tweak a block cipher $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ into $\widetilde{E} : \{0,1\}^k \times \mathrm{TwSp} \times \{0,1\}^n \to \{0,1\}^n$ with $\mathrm{TwSp} = \{1, \ldots, 2^{64}\}$:
$$L \leftarrow E_K(0^n), \qquad \widetilde{E}^i_K(x) = E_K(x \oplus 2^i L).$$

[Figure: $x$ is XORed with $2^i L$ and the result enters $E_K$, giving $\widetilde{E}^i_K(x)$.]

Here $L \to 2L \to 4L \to \cdots$ is repeated doubling in $\mathrm{GF}(2^{128})$:
$$2\Delta = \begin{cases} \Delta \ll 1 & \text{if } \mathrm{msb}(\Delta) = 0 \\ (\Delta \ll 1) \oplus 87_{16} & \text{otherwise.} \end{cases}$$
Doubling is cheap: 0.3–0.8 cpb.

Intuition: It is hard for the adversary to find distinct $(x_1, i_1), (x_2, i_2)$ such that $x_1 \oplus 2^{i_1} L = x_2 \oplus 2^{i_2} L$, because $L$ is secret and the offsets $2^i L$ are pairwise distinct.
PMAC Instantiated
[Figure: $M[1] \oplus 2L$, $M[2] \oplus 2^2 L$, $M[3] \oplus 2^3 L$ each enter $E_K$; the outputs are XORed together with $M[4]$ and $2^4 L$, and the sum enters $E_K$ to give $T$.]

That is, with the tweakable cipher of the previous slide, for a full 4-block message
$$T = E_K\Big( M[4] \oplus 2^4 L \oplus \bigoplus_{i=1}^{3} E_K\big(M[i] \oplus 2^i L\big) \Big).$$
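The tweak construction $\widetilde{E}^i_K(x) = E_K(x \oplus 2^i L)$ and PMAC exactly as drawn in the two figures above, as an added example that is not part of the slides. $E_K$ is a stand-in PRF built from HMAC-SHA256 (an assumption, not AES). The PMAC here follows the diagram literally, with the final block masked by $2^m L$ and folded into the sum; the published PMAC uses a different offset for the final block and handles non-full messages, so this is a structural illustration of parallelism and offsets, not a drop-in implementation of the standard.

```python
"""XE-style tweakable block cipher and the PMAC variant drawn on the slides.

Added example; E_K is a stand-in PRF (HMAC-SHA256 truncated), not AES.
"""
import hashlib
import hmac
from concurrent.futures import ThreadPoolExecutor

N = 16                       # n = 128-bit blocks


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher (assumption: keyed PRF, not AES)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def double(block: bytes) -> bytes:
    """2*Delta in GF(2^128): shift left, XOR 0x87 if msb(Delta) was 1."""
    v = int.from_bytes(block, "big") << 1
    if v >> (8 * N):
        v = (v & ((1 << (8 * N)) - 1)) ^ 0x87
    return v.to_bytes(N, "big")


def offsets(key: bytes, count: int):
    """[2L, 4L, ..., 2^count L] by repeated doubling of L = E_K(0^n)."""
    delta = E(key, bytes(N))
    out = []
    for _ in range(count):
        delta = double(delta)
        out.append(delta)
    return out


def tweaked_E(key: bytes, i: int, x: bytes) -> bytes:
    """E~^i_K(x) = E_K(x xor 2^i L) for tweak i >= 1."""
    return E(key, xor(x, offsets(key, i)[-1]))


def pmac_slide(key: bytes, msg: bytes, parallel: bool = False) -> bytes:
    """PMAC as drawn: T = E_K(M[m] xor 2^m L xor XOR_{i<m} E_K(M[i] xor 2^i L)).

    Full messages of at least two blocks only, matching the figure."""
    assert len(msg) % N == 0 and len(msg) >= 2 * N
    blocks = [msg[i:i + N] for i in range(0, len(msg), N)]
    m = len(blocks)
    offs = offsets(key, m)
    work = [(blocks[i], offs[i]) for i in range(m - 1)]      # independent per block
    if parallel:
        with ThreadPoolExecutor() as pool:
            outs = list(pool.map(lambda bo: E(key, xor(bo[0], bo[1])), work))
    else:
        outs = [E(key, xor(b, o)) for b, o in work]
    acc = bytes(N)
    for y in outs:
        acc = xor(acc, y)
    return E(key, xor(xor(acc, blocks[-1]), offs[-1]))


def block_order_matters(key: bytes = b"\x07" * 16) -> bool:
    """Unlike the plain XOR MAC of Example 1, swapping two blocks changes the tag."""
    a, b = b"\x01" * N, b"\x02" * N
    return pmac_slide(key, a + b + a + b) != pmac_slide(key, b + a + a + b)
```

The per-block offsets $2^i L$ are what defeat the block-swap and $T_1 \oplus T_2 \oplus T_3$ forgeries: the same block at a different position enters $E_K$ under a different mask, so the XOR sum no longer telescopes.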