
On the Influence of Message Length in PMAC's Security Bounds

Atul Luykx¹, Bart Preneel¹, Alan Szepieniec¹, Kan Yasuda². ¹COSIC, KU Leuven, Belgium; ²NTT Secure Platform Laboratories, Japan. May 11, 2016.


  1. On the Influence of Message Length in PMAC's Security Bounds. Atul Luykx¹, Bart Preneel¹, Alan Szepieniec¹, Kan Yasuda². ¹COSIC, KU Leuven, Belgium; ²NTT Secure Platform Laboratories, Japan. May 11, 2016.

  6. Security Bounds. Factors: 1. Adversarial Resources; 2. Scheme parameters; 3. Confidence level. Message Length ($\ell$); Secure Number of Queries ($q$). TLS 1.3: GCM, ChaCha20 + Poly1305. ISO/IEC SC27 WG2: 48 bit block size?

  9. Example: EMAC. [Diagram: EMAC over message blocks $m_1, \dots, m_4$ using $\pi_1$ and $\pi_2$, with output $T$.]

     $$\frac{q^2 \ell^2}{2^n} \le \epsilon$$

     where $n$ is the block size, $q$ the number of queries, $\ell$ the query length in blocks, and $\epsilon$ the confidence.

     Table: $\epsilon = 1/2^{20}$, $\ell$ = 1KB

     | Cipher  | Block Size | Limit      |
     |---------|------------|------------|
     | AES128  | 128        | $2^{51}$   |
     | PRESENT | 64         | $2^{18.5}$ |
     | KATAN32 | 32         | 4          |

  13. EMAC Bounds. [Plot: Message Length ($\ell$) against Number of Queries ($q$), with a "?" marked on the plot.]

  18. Switching Schemes. [Plot: Message Length ($\ell$) against Number of Queries ($q$). Labels: PMAC w Parity, LightMAC, PMACX, Sum of CBCs, PMAC Plus, EMAC, 3kf9.]

  20. XOR-Style PRF: PMAC w Parity, PMACX, LightMAC. [Diagram: $m$ and blocks $x_1, \dots, x_4$, each $x_i$ passed through $\pi$ and the outputs combined with +.]

  24. PMAC and PHASH. [Diagram: message blocks $m_1, \dots, m_4$ with masks $c_1\omega, \dots, c_4\omega$ added before $\pi$, an input 0, $\omega$, and the outputs summed to give PHASH($m$).] $\mathrm{PMAC}(m) = \mathrm{OutputTransform}\big(\mathrm{PHASH}(m)\big)$. 1. Gray codes 2. Powering up

  28. PMAC Bounds. [Plot: Message Length ($\ell$) against Number of Queries ($q$). Labels: PMAC w Parity, LightMAC, PMACX, PMAC, and a "?" marked on the plot.]

  30. Focusing on Collisions. $\mathrm{PHASH}(m_1) = \mathrm{PHASH}(m_2)$, $\mathrm{PMAC}(m_1) = \mathrm{PMAC}(m_2)$. PHASH collision implies a PMAC attack.

  37. Results. Message length dependence changes according to masks. PHASH Instances: infinitely many with collision upper bound $2/2^n$, or computationally hard to find high probability collision (based on conjecture). Gray codes instances depend on message length. [Diagram labels: Gray Codes, Powering Up, PHASH Instances.]

  38. Results in Context. [Plot: Message Length ($\ell$) against Number of Queries ($q$). Labels: PMAC w Parity, LightMAC, PMACX, PMAC.]

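  40. PHASH vs XOR Hash. [Diagrams: XOR Hash($m$), in which each input to $\pi$ is the block index $i$ written in $n/2$ bits together with message block $m_i$, for $i = 1, \dots, 4$, and the outputs are summed; PHASH($m$), in which blocks $m_1, \dots, m_4$ have masks $c_1\omega, \dots, c_4\omega$ added before $\pi$ and the outputs are summed.]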

  41. XOR Hash Collision. [Diagram: XOR Hash inputs for a four-block message $m_1, \dots, m_4$ and a three-block message $m'_1, m'_2, m'_3$, each prefixed with its block index in $n/2$ bits; the seven $\pi$ outputs sum to 0.]

  47. PHASH Collision. [Diagram: PHASH inputs for a four-block message $m_1, \dots, m_4$ with masks $c_1\omega, \dots, c_4\omega$ and a three-block message $m'_1, m'_2, m'_3$ with masks $c_1\omega, c_2\omega, c_3\omega$; the seven $\pi$ outputs sum to 0.]

  53. Approach. [Diagram: PHASH($m$) over blocks $m_1, \dots, m_4$ with masks $c_1\omega, \dots, c_4\omega$; plot in $X^2$ with labels $m_1, \dots, m_4$ and $c_1, \dots, c_4$.]

  58. Conclusions and Open Problems. PMAC message length dependence is non-trivial. 1. What happens with powering up? 2. Optimal masks? 3. Relationship between PMAC and PHASH when the output transform is not independent? Thank you for your attention.

  59. Connection With PHASH Collision Probability. Two messages $m_1$ and $m_2$ collide with probability $k/2^n$ if the corresponding set in $X^2$ is evenly covered by $k$ slopes. Simple proof of $\ell$-bound:
