
On the Composition of Single-Keyed Tweakable Even-Mansour for Achieving BBB Security (presentation slides)



  1. On the Composition of Single-Keyed Tweakable Even-Mansour for Achieving BBB Security
  Avik Chakraborti, Mridul Nandi, Suprita Talnikar, Kan Yasuda
  Outline: Introduction, Permutation-Based MACs, PDMMAC, Security of PDM*MAC, Good Events, Conclusion

  2. Message Authentication Codes (MAC)
  Symmetric Key: Alice and Bob share the same secret key.
  Active Attacker: Eve may intercept and manipulate the message.
  Authentication: Alice computes and appends a tag, which Bob recomputes and matches with the received tag.
  Figure: correct tag, so Bob will read the message ("I accept").

  3. Message Authentication Codes (MAC)
  Verification: Bob verifies the tag with the shared key and only reads the message if the tags match.
  Forgery: Eve cannot modify the message without forging a new and correct tag.
  Figure: incorrect tag, so Bob won't read the message ("I reject"); correct tag, so Bob reads it ("I accept").

  4. Forgery Game
  Figure: the adversary submits messages m to MAC(·) and receives tags T; verification queries (m, T) are answered valid / invalid.
  q_m = number of authentication queries, q_v = number of verification queries.
  Can Eve forge a valid tag for a message that Alice never saw?

  5. Why is Beyond Birthday Security Required?
  BBB security is useful in lightweight cryptography. Consider the following security advantages for ε = 2^-10, n = 64 and ℓ = 2^16 blocks.

  Construction   Security            # of queries
  ECBC           16 q_m^2 / 2^n      ≈ 2^25
  PMAC           5 ℓ q_m^2 / 2^n     ≈ 2^18

  Table: Data limit of constructions achieving birthday-bound security.
  BBB security allows processing of a larger number of blocks per session key.

  6. Block Ciphers vs Random Permutations as Primitives
  Block Ciphers or Random Permutations vs Tweakable Block Ciphers.
  Figure: real-world oracles (Re: key K with block ciphers B_1, B_2, … or with public permutations π_1, π_2, …) and ideal-world oracles (Id: Q, P, with π_1, π_2, …); the adversary queries M, N, t, … and receives T.

  7. Even-Mansour, with and without Tweak
  EM_K[π](M) := π(M ⊕ K_1) ⊕ K_2.
  Round keys replaced by functions f_i(K_i, t) of tweaks t, resulting in the tweakable Even-Mansour (TEM) construction:
  Figure: TEM[π](M) := π(M ⊕ 2^t · K) ⊕ 2^t · K.

  8. Sum of Even-Mansour
  Figure: SoEM, the message M entering π_1 masked by K_1 and π_2 masked by K_2, the two outputs summed and masked by K_1 ⊕ K_2 to give C.

  9. Attack on SoEM
  Key-recovery attack on SoEM22: verify keys by repeatedly checking C ⊕ C′ = v ⊕ v′ ⊕ y ⊕ y′.
  Figure: SoEM22 with intermediate values u (input to π_1), y (output of π_1), x (input to π_2), v (output of π_2), and C = y ⊕ v ⊕ K_1 ⊕ K_2.

  10. Sum of Key Alternating Ciphers
  Figure: SoKAC with round keys K_1, K_2, K_1 and permutations π_1, π_2; intermediate values u, y, x, v; input M, output C.

  11. Attack on SoKAC1
  Check the following for each key value: v ⊕ x ⊕ v′ ⊕ x′ = 0.
  Figure: SoKAC1 with a single permutation π, round keys K_1, K_2, K_1 and intermediate values u, y, x, v.

  12. Attack on SoKAC21

  13. Comparison with Existing Constructions

  14. PDMMAC
  Constructions with O(2^{2n/3})-tight security (O(2^{2n/3})-query attacks exist).
  Permutation-based Davies-Meyer MAC:
  Figure: PDMMAC, a single-permutation π and single-key K based PRF. The input to π is u = K ⊕ M with output y; the input to π^{-1} is x = y ⊕ 3K ⊕ M with output v; the tag is T = v ⊕ 2K.

  15. PDM*MAC and 1K-PDM*MAC
  Permutation-based Davies-Meyer MAC with Nonce:
  Figure: PDM*MAC, a one-key K, one random permutation π and hash H based PRF. The input to π is u = K ⊕ N with output y; the input to π^{-1} is x = y ⊕ 3K ⊕ N ⊕ H(M) with output v; the tag is T = v ⊕ 2K.
  Single-Keyed Permutation-based Davies-Meyer MAC with Nonce: the hash key H is initialized using the construction key K and the primitive π as H = π(K) in the single-keyed 1K-PDM*MAC.

  16. Attack on PDM*MAC
  Check for each key value whether the following equation is satisfied: N ⊕ v ⊕ y ⊕ N′ ⊕ v′ ⊕ y′ = 0.
  Figure: PDM*MAC with intermediate values u, y, x, v as on the previous slide.

  17. Design Rationale behind PDMMAC
  DDM (Decrypted Davies-Meyer): M is first processed by TEM_K(0, ·) (round key K), the output is fed forward with M, and the result is decrypted by TEM_K^{-1}(1, ·) (round key 2·K) to give T.
  Figure: DDM as the composition TEM_K^{-1}(1, TEM_K(0, M) ⊕ M), with π and π^{-1} surrounded by the masks K, K, 2·K, 2·K.

  18. Design Rationale behind PDM*MAC
  DWCDM (Decrypted Wegman-Carter with Davies-Meyer): the nonce N is processed by TEM_K(0, ·), fed forward and combined with the hash H_{K_h}(M), and the result is decrypted by TEM_K^{-1}(1, ·) to give T.
  Figure: DWCDM with masks K, K, 2·K, 2·K around π and π^{-1}.
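The Even-Mansour, TEM, DDM and PDMMAC formulas of slides 7, 14, 15 and 17, written out over a toy 64-bit permutation as an added illustration (not code from the paper or the slides): it checks that the decrypted Davies-Meyer composition TEM_K^{-1}(1, TEM_K(0, M) ⊕ M) is literally the PDMMAC figure's π^{-1}(π(M ⊕ K) ⊕ 3K ⊕ M) ⊕ 2K, and gives the nonce-based PDM*MAC skeleton. The 4-round Feistel permutation standing in for π and the GF(2^64) polynomial used for the 2K / 3K masks are assumptions of the example.

```python
import hashlib

N, MASK = 64, (1 << 64) - 1
R64 = 0x1B   # reduction constant of x^64 + x^4 + x^3 + x + 1 (the CMAC 64-bit polynomial)

def dbl(x):
    """Multiply x by the field element 2 in GF(2^64); 3K is then 2K xor K."""
    x <<= 1
    return (x ^ R64) & MASK if x >> N else x

def _f(i, half):
    # Round function of a toy 4-round Feistel standing in for the public permutation (constructed).
    d = hashlib.sha256(b"toy-pi" + bytes([i]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big")

def pi(x):
    """Toy unkeyed 64-bit permutation pi (constructed stand-in, not a real primitive)."""
    l, r = x >> 32, x & 0xFFFFFFFF
    for i in range(4):
        l, r = r, l ^ _f(i, r)
    return (l << 32) | r

def pi_inv(y):
    l, r = y >> 32, y & 0xFFFFFFFF
    for i in reversed(range(4)):            # undo the Feistel rounds in reverse order
        l, r = r ^ _f(i, l), l
    return (l << 32) | r

def tem(K, t, M, inverse=False):
    """TEM[pi](M) := pi(M xor 2^t.K) xor 2^t.K (slide 7); inverse=True gives TEM^{-1}."""
    m = K
    for _ in range(t):
        m = dbl(m)                          # tweak-dependent round key 2^t . K
    return (pi_inv if inverse else pi)(M ^ m) ^ m

def ddm(K, M):
    """Decrypted Davies-Meyer (slide 17): TEM_K^{-1}(1, TEM_K(0, M) xor M)."""
    return tem(K, 1, tem(K, 0, M) ^ M, inverse=True)

def pdmmac(K, M):
    """PDMMAC as the slide 14 figure labels it: pi^{-1}(pi(M xor K) xor 3K xor M) xor 2K."""
    k2 = dbl(K)
    y = pi(M ^ K)                           # u = M xor K enters pi, y comes out
    v = pi_inv(y ^ k2 ^ K ^ M)              # x = y xor 3K xor M enters pi^{-1}, v comes out
    return v ^ k2                           # tag T = v xor 2K

def pdm_star_mac(K, nonce, h):
    """PDM*MAC (slide 15): nonce N replaces M and the hash H(M) is xored in before pi^{-1}."""
    k2 = dbl(K)
    return pi_inv(pi(nonce ^ K) ^ k2 ^ K ^ nonce ^ h) ^ k2
```

With h = 0 the nonce construction collapses to PDMMAC on the nonce, which is the relation the two figures share.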

  19. B1. There exist i ≠ j ∈ [q_m] such that (T_i = T_j) ∧ (N_i ⊕ H_i = N_j ⊕ H_j). Pr[B1] ≤ q_m^2 ε / 2^n.
  B5. There exist i, j, k ∈ [q_m] such that T_i ⊕ N_j = T_j ⊕ N_k = 3K. Pr[B5] ≤ p q_m^2 / 2^{2n} + 2 √(6 n p q_m) / 2^n + … (a further term over 2^n is illegible in the source).

  20. B8. There exist i ≠ j ∈ [q_m], k ∈ [p] such that (N_i ⊕ T_j = 3K) ∧ (2K ⊕ T_i = ũ_k). Pr[B8] ≤ p q_m^2 / 2^{2n}.

  21. B12. There exist i ∈ [q_m], a ∈ [q_v] such that (N_i = N′_a) ∧ (H_i = H′_a) ∧ (T_i = T′_a). Pr[B12] ≤ q_v ε.
  B13. There exist i, j ∈ [q_m], a ∈ [q_v] such that (N′_a = N_i) ∧ (T_i ⊕ N_j = 3K) ∧ (T_j = T′_a). Pr[B13] ≤ 2 q_m^2 q_v ε / 2^n.

  22. Good Transcripts – Weak Bound
  Lemma. The total number of injective solutions chosen from a set Z of size 2^n − c, for some c ≥ 0, for the induced system of equations and non-equations G_{eq,neq} is at least
    ∏_{i=1}^{k} ((2^n)_α)^{w_i} (1 − 6 σ_{i−1}^2 / 2^{2n} − 2 (q_v + c α) / 2^n),
  provided σ_k w_max ≤ 2^n / 4, and assuming σ_0 = 0.

  23. Results on Mirror Theory
  Corollary (1). Let S′ ⊆ {0,1}^n be a subset of size (2^n − p′) and let (X_1, X_2, …, X_t, Y_1, Y_2, …, Y_t, Z_1, Z_2, …, Z_t) ←$wor S′ be a WOR sample of size 3t drawn from S′^{(3)}. Then for constants λ_1, λ_2, …, λ_{2t} in {0,1}^n,
    Pr[(X_1 ⊕ Y_1 = λ_1) ∧ (X_2 ⊕ Y_2 = λ_2) ∧ … ∧ (X_t ⊕ Y_t = λ_t)] ≥ (1 / 2^{nt}) (1 − t · p′^2 / (2^n − p′)^2),
  and
    Pr[(X_1 ⊕ Y_1 = λ_1 ∧ Z_1 ⊕ Y_1 = λ_2) ∧ (X_2 ⊕ Y_2 = λ_3 ∧ Z_2 ⊕ Y_2 = λ_4) ∧ … ∧ (X_t ⊕ Y_t = λ_{2t−1} ∧ Z_t ⊕ Y_t = λ_{2t})] ≥ (1 / 2^{2nt}) (1 − 3t · 2^n · p′^2 / (2^n − p′)^3).

  24. Results on Mirror Theory
  Corollary (2). Let G_{eq,neq} = (V, E_eq ⊔ E_neq, L) be an equations-and-non-equations-inducing graph such that the subgraph G_eq only has components of size 2 or 3. If |V \ V_eq| = q_v and λ_i (i ∈ [q_m]) are the edge labels of the edges in E_eq in the same order as the components, then the probability of the induced system of equations and non-equations attaining any solution from a set S′ ⊆ {0,1}^n of size (2^n − p′) for all the variables represented only by the vertices in V_eq is bounded by
    (1 / 2^{n q_m}) (1 − (1200 q_m^3 + 312 (p′ + 3 q_v) q_m^2 + 2 (p′ + 3 q_v)^2 q_m) / 2^{2n}) (1 − q_v / 2^n).

  25. Conclusion
  MACs and forgery games.
  BBB security.
  Permutation-based MACs.
  Even-Mansour, SoEM, SoKAC.
  PDMMAC (and variants).
  Transcript-inducing graph (for use in the security proof by extended Mirror Theory).
  Final bound of 2n/3.
