Tight PRF-Security of Double-block Hash-then-Sum MACs
Seongkwang Kim, Byeonghak Lee, Jooyoung Lee (KAIST)

Outline
• Introduction
  - Message Authentication Code
  - Double-block Hash-then-Sum paradigm
• Our Contribution
  - Tight security proof of DbHtS MACs
  - Refining Mirror theory
• Conclusion
Message Authentication Code (MAC)
• Symmetric-key functions that guarantee message integrity
• Alice computes the tag T = MAC_K(M) and sends (M, T) to Bob
• Bob checks whether the tag is valid by recomputing MAC_K(M) and comparing it with T
(Figure: Alice sends (M, T) to Bob, who checks T = MAC_K(M).)

Message Authentication Code (MAC), with an adversary
• Same setting, but Eve sits on the channel between Alice and Bob and may deliver her own pair (M′, T′) to Bob
(Figure: Eve intercepts (M, T) and injects (M′, T′).)
MAC Security
• Unforgeability
  - Infeasible to generate a new valid message/tag pair
• PRF-security
  - Infeasible to distinguish MAC_K from a random variable-input-length (VIL) function
  - Secure variable-input-length PRF ⇒ secure MAC

Distinguishing Game
• Real world: the oracle is MAC_K. Ideal world: the oracle is a random VIL function F. The adversary must answer "real or ideal?"
• The adversary makes q queries to the oracle (MAC_K or F)
• Each query has length at most ℓ blocks
• Transcript τ = ((M_1, T_1), …, (M_q, T_q))
• Adv(q, ℓ) = Pr[adversary correctly determines the interacting world] − 1/2
Why BBB-Security?
• Most popular MACs provide only birthday-bound security
  - With an n-bit block cipher, only 2^{n/2} security
• In lightweight cryptography, small blocks (64 bits / 80 bits) are preferred
  - Birthday-bound security is insufficient there

  Construction | key bits | # of allowed queries
  ECBC         | 64       | 2^25
  PMAC         | 128      | 2^18

Table*: Data limits of MACs using 64-bit blocks to ensure that the advantage is less than 2^{−10}, where each message is shorter than 512 KB.
• Beyond-Birthday-Bound (BBB) secure MACs are needed!
* Example chosen by Datta et al., in "Double-block Hash-then-Sum: A Paradigm for Constructing BBB Secure PRF"

BBB-Secure MACs
• Ideal-cipher / tweakable-block-cipher based MACs
  - ZMAC [IMPS17], ZMAC+ [LN17], HaT, HaK [CLS17]
  - Highly secure MACs, but built from strong primitives
• Block-cipher based MACs?
  - UHF-then-PRF* style MACs with an n-bit internal state provide n/2-bit security
  - Idea: use a 2n-bit state ⇒ Double-block Hash-then-Sum (DbHtS) paradigm [DDNP19]
• SUM-ECBC, 3kf9, PMAC-Plus, LightMAC-Plus: their security has been proved up to O(2^{2n/3}) queries
(Figure: DbHtS structure. M is hashed to the two n-bit values F_{K_h}(M) and G_{K_h}(M), which are encrypted by E_{K_1} and E_{K_2} respectively and XORed into the tag T.)
* Universal Hash Function then Pseudorandom Function
Double-Block Hash-then-Sum
• SUM-ECBC [Yasuda, CT-RSA 2010]: the first BBB-secure MAC
• PMAC-Plus [Yasuda, CRYPTO 2011]: parallelizable, rate-1, with BBB-security

Double-Block Hash-then-Sum (continued)
• 3kf9 [Zhang et al., ASIACRYPT 2012]: 3GPP-MAC + ECBC
• LightMAC-Plus [Naito, ASIACRYPT 2017]: message-length-independent security; rate-1 without field operations
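A toy SUM-ECBC, written here as an added example (not the authors' code), shows the DbHtS shape concretely: two independent CBC-MAC hashes give a 2n-bit state (U, V), each half is encrypted under its own key, and the two outputs are summed. It assumes n = 16-bit blocks, 10* padding, and keyed random permutations built by a seeded shuffle standing in for the block cipher; none of that is secure, it only exposes the structure.

```python
"""Toy SUM-ECBC, a DbHtS MAC, on n = 16-bit blocks.

Added example, not the authors' code.  The four 'block ciphers' are keyed
random permutations of {0, ..., 2^16 - 1} built from a seeded shuffle: they
show the structure of the construction but are in no way secure ciphers.
"""
import random

N_BITS = 16
BLOCK = N_BITS // 8          # bytes per block


def toy_perm(key: int):
    """Keyed permutation on n-bit blocks standing in for E_K (NOT a real cipher)."""
    table = list(range(1 << N_BITS))
    random.Random(key).shuffle(table)
    return table.__getitem__


def pad(msg: bytes) -> bytes:
    """10* padding: append 0x80, then zero bytes up to a block boundary."""
    msg += b"\x80"
    return msg + b"\x00" * (-len(msg) % BLOCK)


def cbc_mac(perm, msg: bytes) -> int:
    """Plain CBC-MAC over the padded message: one n-bit half of the 2n-bit hash."""
    state = 0
    data = pad(msg)
    for i in range(0, len(data), BLOCK):
        block = int.from_bytes(data[i:i + BLOCK], "big")
        state = perm(state ^ block)
    return state


class SumECBC:
    """T = E_K2(CBC_K1(M)) xor E_K4(CBC_K3(M)): two independent CBC-MAC hashes
    (U, V), each encrypted under its own key, then summed (the DbHtS shape)."""

    def __init__(self, k1: int, k2: int, k3: int, k4: int):
        self.h1, self.e1 = toy_perm(k1), toy_perm(k2)   # hash F_{K_h} and E_{K_1}
        self.h2, self.e2 = toy_perm(k3), toy_perm(k4)   # hash G_{K_h} and E_{K_2}

    def hash2n(self, msg: bytes):
        """The double-block hash: (U, V) = (F(M), G(M)), 2n bits of state."""
        return cbc_mac(self.h1, msg), cbc_mac(self.h2, msg)

    def tag(self, msg: bytes) -> int:
        u, v = self.hash2n(msg)
        return self.e1(u) ^ self.e2(v)


if __name__ == "__main__":
    mac = SumECBC(1, 2, 3, 4)                    # constructed toy keys
    print(hex(mac.tag(b"hello, DbHtS")))
```

Each message block passes through two cipher calls (one per hash), which is why the table on the contribution slide lists SUM-ECBC with rate 1/2 and four keys.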
Generic Attacks on DbHtS MACs
• Generic attacks with O(2^{3n/4}) queries [LNS18]
  - They exploit the difference between the Xor of Permutations (XoP) and an ideal 2n-to-n-bit function
  - Four queries whose tags satisfy
      E_{K_1}(F(M_1)) ⊕ E_{K_2}(G(M_1)) = T_1
      E_{K_1}(F(M_2)) ⊕ E_{K_2}(G(M_2)) = T_2
      E_{K_1}(F(M_3)) ⊕ E_{K_2}(G(M_3)) = T_3
      E_{K_1}(F(M_4)) ⊕ E_{K_2}(G(M_4)) = T_4
    with T_1 ⊕ T_2 ⊕ T_3 ⊕ T_4 = 0
• A gap exists between the best known attacks (2^{3n/4}) and the provable security bounds (2^{2n/3})!
Tight Security of DbHtS MACs
• Proved 3n/4-bit security of DbHtS MACs
  - Closed the gap between generic attacks and provable security bounds
  - Identified the properties required of the underlying hash functions

  Construction  | # Keys | Rate    | Old Bound                  | New Bound
  PolyMAC       | 4      | -       | ℓ²q³/2^{2n}                | ℓ³q⁴/2^{3n}
  SUM-ECBC      | 4      | 1/2     | ℓ²q/2^n + q³/2^{2n}        | ℓ³q⁴/2^{3n}
  PMAC-Plus     | 3      | 1       | ℓq³/2^{2n}                 | ℓ²q⁴/2^{3n} + ℓ²q/2^n
  3kf9          | 3      | 1       | ℓ⁴q³/2^{2n}                | ℓ⁶q⁴/2^{3n}
  LightMAC-Plus | 3      | 1 − s/n | q³/2^{2n}                  | q⁴/2^{3n}

Table: Security bounds of DbHtS MACs. q denotes the number of queries, ℓ the maximum block length, and s the length of the prefix (counter) for LightMAC-Plus.

Comparison of Security Bounds for PMAC-Plus
(Figure: Upper bounds on the distinguishing advantage for PMAC, PMAC-Plus (old bound) and PMAC-Plus (new bound). The x-axis gives the log of the number of queries, and the y-axis gives the security bound.)
H-Coefficient Technique
• Real world: MAC_K. Ideal world: a random VIL function.
• SPRP switch
  - Replace E_{K_1} and E_{K_2} by random permutations P and Q, up to the pseudorandomness of E
• Transcript τ = ((M_1, T_1), …, (M_q, T_q), K_h) ⇒ τ = ((U_1, V_1, T_1), …, (U_q, V_q, T_q)), where U_i = F_{K_h}(M_i) and V_i = G_{K_h}(M_i)
  - T_id: probability distribution of τ in the ideal world
  - T_re: probability distribution of τ in the real world
(Figure: the DbHtS structure with E_{K_1}, E_{K_2} replaced by P, Q and the hash outputs labelled U, V.)

H-Coefficient Technique
H-coefficient lemma (informal). If there exist ε_bad and ε_ratio such that
  1) for a set of bad transcripts 𝒯_bad, Pr[T_id ∈ 𝒯_bad] ≤ ε_bad, and
  2) for every τ ∉ 𝒯_bad, Pr[T_re = τ] / Pr[T_id = τ] ≥ 1 − ε_ratio,
then Adv ≤ ε_bad + ε_ratio.
• Define a proper set of bad transcripts, then upper bound ε_bad and ε_ratio
• Pr[T_id = τ] is easy to compute, while Pr[T_re = τ] is the challenging part
Proof Sketch
• Step 1: Represent the transcript by a graph
  - U = F_{K_h}(M), V = G_{K_h}(M), x = P(U), y = Q(V), T = x ⊕ y
  - Each query yields an affine equation P(U_i) ⊕ Q(V_i) = T_i between two unknowns, i.e. an edge between vertex U_i and vertex V_i labelled T_i
  - Since we target BBB-security, hash collisions are allowed ⇒ edges may share vertices and form larger components

Proof Sketch
• Step 2: Identify bad graphs
  - Some transcript graphs lead to a contradiction!
    • When the graph contains a cycle, e.g. P(U) ⊕ Q(V) = T and P(U) ⊕ Q(V) = T′ with T ≠ T′
    • When the graph contains a path of even length whose tag sum is 0 (degeneracy), e.g. P(U) ⊕ Q(V) = T and P(U) ⊕ Q(V′) = T, which forces Q(V) = Q(V′) for V ≠ V′
  - The degeneracy event is exactly what was used to break DbHtS in [LNS18]

Proof Sketch
• Step 3: Upper bound the probability of obtaining bad graphs (= ε_bad)
  - Bad1: U_i = U_j & V_i = V_j
  - Bad2: U_i = U_j & T_i = T_j
  - Bad3: V_i = V_j & T_i = T_j
  - Bad4: V_i = V_j & U_j = U_k & V_k = V_l & Σ T = 0
  - Bad5: U_i = U_j & V_j = V_k & U_k = U_l
  - No Bad1 & Bad5 ⇒ no cycle
  - No Bad2 - Bad5 ⇒ no even-length trail of zero tag sum
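Steps 1 to 3 above can be checked mechanically on a concrete transcript. The following is an added example (not the paper's code): it builds the bipartite transcript graph from triples (U_i, V_i, T_i), then reports whether the graph contains a cycle or an even-length path with zero tag sum, the two situations that make the system P(U_i) ⊕ Q(V_i) = T_i unsatisfiable for permutations P and Q. The transcripts in the test are constructed by hand.

```python
"""Transcript graph of a DbHtS proof and the bad events of Steps 2-3.

Added example, not the paper's code.  A transcript is a list of
(U_i, V_i, T_i): query i contributes the edge U_i -- V_i labelled T_i,
i.e. the affine equation P(U_i) xor Q(V_i) = T_i for permutations P, Q.
"""
from collections import defaultdict, deque


def transcript_graph(transcript):
    """Adjacency list of the bipartite multigraph; P-side and Q-side nodes are tagged."""
    adj = defaultdict(list)
    for i, (u, v, t) in enumerate(transcript):
        adj[("P", u)].append((("Q", v), t, i))
        adj[("Q", v)].append((("P", u), t, i))
    return adj


def classify(transcript):
    """Return 'cycle', 'degenerate' or 'good'.

    A cycle (two queries with the same (U, V) already form one) or an
    even-length path whose tags XOR to zero makes the equation system
    unsatisfiable for permutations P and Q: such a transcript has
    probability 0 in the real world, so it must be declared bad.
    """
    adj = transcript_graph(transcript)
    comp, dist = {}, {}      # component root and XOR of tags along the path from it
    for root in adj:
        if root in dist:
            continue
        comp[root], dist[root] = root, 0
        queue = deque([(root, -1)])
        while queue:
            node, via = queue.popleft()
            for nbr, t, edge in adj[node]:
                if edge == via:
                    continue                  # the edge we arrived on
                if nbr in dist:
                    return "cycle"            # second route to a visited node
                comp[nbr], dist[nbr] = root, dist[node] ^ t
                queue.append((nbr, edge))
    # The graph is a forest, so paths are unique.  Two distinct nodes on the
    # same side of one component (hence an even distance apart) with equal
    # XOR-distance are joined by a zero-tag-sum path: it forces P(U_i) = P(U_j)
    # or Q(V_i) = Q(V_j) with U_i != U_j (resp. V_i != V_j), a contradiction.
    seen = set()
    for node in dist:
        key = (node[0], comp[node], dist[node])
        if key in seen:
            return "degenerate"
        seen.add(key)
    return "good"
```

The length-2 degenerate paths correspond to Bad2 and Bad3, and a length-4 path with tags XORing to zero is the four-query pattern of the [LNS18] attack from the earlier slide.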
Proof Sketch
• Step 4: Apply Patarin's Mirror theory to upper bound ε_ratio
  - Mirror theory evaluates the number of solutions of affine systems ⇒ evaluates Pr[T_re = τ]
• Mirror theory has to be extended!
  - The original Mirror theory applies only when the maximum component size is bounded
    • This is not the case for DbHtS
  - We relaxed the constraints to allow a component of arbitrary size
  - Instead, the ratio of the number of connected edges to the number of all edges must be bounded

Refined Mirror Theory
• Patarin's Mirror theory and its refinements

  Authors                      | Publication      | Application | Max Comp Size | Security
  Patarin                      | eprint 2010/287  | XoP         | 2             | n
  Patarin                      | eprint 2010/293  | Feistel     | 2^n/q         | n
  Mennink, Neves               | Crypto 17        | EWCDM       | 2             | n
  Datta, Dutta, Nandi, Yasuda  | Crypto 18        | DWCDM       | 3             | 2n/3
  Dutta, Nandi, Talnikar       | EC 19            | CWC+        | 2^n/q         | 2n/3
  Mennink                      | TCC 18           | CLRW2       | 4             | 3n/4
  Jha, Nandi                   | JoC 20           | CLRW2       | Any 1)        | 3n/4
  This work                    | EC 20            | DbHtS       | Any 2)        | 3n/4

  - The first refinement that allows a component of arbitrary size up to 3n/4-bit security (concurrent work with [JN20])
  1) Without a path of length 3
  2) With a bounded number of connected edges
Result
• Security of DbHtS MACs with two independent ε-universal hash functions F and G
• Security of PMAC-Plus

Conclusion
• Proved tight security bounds for DbHtS MACs
  - PolyMAC, SUM-ECBC, 3kf9, PMAC-Plus and LightMAC-Plus are PRFs up to 2^{3n/4} queries
  - All the security bounds are tight in terms of the threshold number of queries
• Future work
  - Find better security bounds that account for the influence of the message length ℓ
  - Find tight security bounds for key-reduced variants of DbHtS MACs
Thank you Q&A : lbh0307@kaist.ac.kr