

1. ZMAC: Specification, Security Proof, and Instantiation Updates

Tetsu Iwata, Nagoya University, Japan
Joint work with Kazuhiko Minematsu, Thomas Peyrin, and Yannick Seurin
ASK 2017, Fenglin Hotel, Changsha, China, December 10, 2017

Based on: Iwata, Minematsu, Peyrin, and Seurin. ZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication. CRYPTO 2017.
Supported by JSPS KAKENHI, Grant-in-Aid for Scientific Research (B), Grant Number 26280045.

2. Introduction: Message Authentication Code (MAC)
• Symmetric-key crypto for tampering detection
• $\mathrm{MAC}: \mathcal{K} \times \{0,1\}^* \to \mathcal{T}$
• Alice computes $\mathrm{Tag} = \mathrm{MAC}(K, M) = \mathrm{MAC}_K(M)$ and sends $(M, \mathrm{Tag})$ to Bob
• Bob checks whether $(M, \mathrm{Tag})$ is authentic by recomputing the tag locally and comparing it with the received one
• If $\mathrm{MAC}_K(\cdot)$ is a variable-input-length PRF, the MAC is secure

3. Tweakable Block Cipher (TBC)
Extension of an ordinary block cipher (BC), formalized by Liskov et al. [LRW02]
• $\tilde{E}: \mathcal{K} \times \mathcal{T} \times \mathcal{M} \to \mathcal{M}$; the tweak $T \in \mathcal{T}$ is a public input
• Each pair $(K, T) \in \mathcal{K} \times \mathcal{T}$ specifies a permutation over $\mathcal{M}$
• Let $\mathcal{M} = \{0,1\}^n$ and $\mathcal{T} = \{0,1\}^t$
We implicitly assume an additional small tweak $i = 1, 2, \ldots$ used for domain separation, and write $\tilde{E}^i_K(T, X)$ when necessary

4. Building TBC
Block cipher modes for TBC: LRW [LRW02] and XEX [Rog04]
• Efficient, but security is only up to the birthday bound ($O(2^{64})$ attack when AES is used)
• Beyond-the-birthday-bound (BBB) security is possible (e.g. [Min09][LST12][LS15]) but not really efficient
Dedicated designs:
• HPC [Sch98]
• Threefish in the Skein hash function [FLS+10]
• Deoxys-BC, Joltik-BC, KIASU-BC [JNP14a], SCREAM [GLS+14], ... in the CAESAR submissions
• SKINNY [BJK+16], QARMA [Ava17], ...

5-6. Security notions of TBC [LRW02]
• Indistinguishable from a set of independent uniform random permutations indexed by the tweak
  – Tweakable uniform random permutation (TURP), denoted $\tilde{P}$
  – The tweak is chosen by the adversary
• CCA-secure TBC = TSPRP: the adversary $A$ has oracle access to both $\tilde{E}_K$ and $\tilde{E}_K^{-1}$ and must distinguish them from $\tilde{P}$ and $\tilde{P}^{-1}$
• CPA-secure TBC = TPRP: the adversary $A$ has oracle access to $\tilde{E}_K$ only and must distinguish it from $\tilde{P}$

7. Building MAC with TBC: PMAC1
PMAC1 by Rogaway [Rog04], introduced in the proof of PMAC
• Parallel
• Security is up to the birthday bound w.r.t. the block size $n$
  – $\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{PMAC1}}(\sigma) = O(\sigma^2 / 2^n)$ for $\sigma$ queried blocks
  – Thus $n/2$-bit security
[Figure: PMAC1 with four message blocks. $M[1], M[2], M[3]$ are encrypted with $\tilde{E}^1_K, \tilde{E}^2_K, \tilde{E}^3_K$ (block index as tweak), XOR-summed from $0^n$, and a final call $\tilde{E}^4_K$ produces Tag.]

8. Building MAC with TBC: PMAC_TBC1k
PMAC_TBC1k by Naito [Nai15]
• $2n$-bit chaining similar to PMAC_Plus [Yas11]
  – Finalization by a $2n$-bit PRF built from the TBC
• BBB-secure: improves the security of PMAC1 to $n$ bits
• Same computation cost as PMAC1 (except for the finalization)
[Figure: PMAC_TBC1k, message hashing part. $M[1], M[2], M[3]$ go through $\tilde{E}^1_K, \tilde{E}^2_K, \tilde{E}^3_K$; each output feeds two chains starting from $0^n$, a plain XOR sum and a doubling chain, where "2" denotes multiplication by 2 over $\mathrm{GF}(2^n)$.]

9-10. Efficiency of MAC
These TBC-based MACs are not optimally efficient:
• They process only $n$ bits of input per TBC call
• The $t$-bit tweak does not process message bits; it is reserved for the block index
Optimally-efficient TBC-based MAC?

11. Our proposal: ZMAC ("The MAC") [IMPS17]
ZMAC is
• The first optimally efficient TBC-based MAC
  – $(n+t)$-bit input per TBC call
• Parallel, and BBB-secure
  – $\min\{n, (n+t)/2\}$-bit security, e.g. $n$-bit security when $t \ge n$
It uses the TBC as its sole primitive, and is secure if the TBC is a TPRP

12-13. Structure of ZMAC
A simple composition of message hashing and finalization (Carter-Wegman MAC):
• $\mathrm{ZMAC} = \mathrm{ZFIN} \circ \mathrm{ZHASH}$
• $\mathrm{ZHASH}: \mathcal{M} \to \{0,1\}^{n+t}$ is a computational universal hash function
• $\mathrm{ZFIN}: \{0,1\}^{n+t} \to \{0,1\}^{2n}$ is a PRF
  – Output truncation if needed
Unified specs for any $t$ ($t = n$, $t < n$, or $t > n$)
We focus on ZHASH

14. How ZHASH works: tweak extension
Optimal efficiency implies that the $t$-bit tweak of $\tilde{E}$ must be extended so that it also carries the block index. This can be done by XTX [MI15], an extension of LRW and XEX:
• Global tweak $G \in \mathcal{G}$, $|\mathcal{G}| > 2^t$
• Keyed function $H: \mathcal{L} \times \mathcal{G} \to \{0,1\}^n \times \{0,1\}^t$
• $\mathrm{XTX}[\tilde{E}, H]_{K,L}(G, X) = \tilde{E}_K(W_t, W_n \oplus X) \oplus W_n$, with $(W_n, W_t) = H_L(G)$

15. How ZHASH works: security of XTX/XT
XTX is secure if $H$ is $\epsilon$-partial AXU (pAXU) [MI15]:
$$\max_{G \ne G',\ \delta \in \{0,1\}^n} \Pr\bigl[L \xleftarrow{\$} \mathcal{L} : H_L(G) \oplus H_L(G') = (\delta, 0^t)\bigr] \le \epsilon,$$
that is, the $n$-bit part is close to differentially uniform and the $t$-bit part has a small collision probability

16. How ZHASH works: security of XTX/XT
In our case the global tweak is $G = (T, i) \in \{0,1\}^t \times \mathbb{N}$, a message part $T$ and a block index $i$ (omitting the domain separation variable), where the block index is a counter. Then XTX can be instantiated and optimized by
• Using the "doubling" trick as in XEX
• Omitting the outer mask on the output $Y$ (as decryption is not needed)

17. How ZHASH works: security of XTX/XT
The resulting scheme is XT, using $H_L(G)$ defined as
$$H_{(L_\ell, L_r)}(T, i) = \bigl(2^{i-1} L_\ell,\ 2^{i-1} L_r \oplus_t T\bigr),$$
with two $n$-bit keys $(L_\ell, L_r)$. Details:
• $2^i X$ is $X$ multiplied by 2 over $\mathrm{GF}(2^n)$ $i$ times
  – Computation is cheap by caching $2^{i-1} X$ and doubling once per block, as done in XEX
• $X \oplus_t Y = \mathrm{msb}_t(X) \oplus Y$ if $t \le n$, and $(X \,\|\, 0^{t-n}) \oplus Y$ if $t > n$
  – The $n$-bit $X$ is chopped or padded to $t$ bits before the sum

18. How ZHASH works: security of XTX/XT
Lemma. Let $\tilde{P}: \mathcal{T} \times \{0,1\}^n \to \{0,1\}^n$ be a TURP and let $H$ be $\epsilon$-pAXU. Then
$$\mathrm{Adv}^{\mathrm{tprp}}_{\mathrm{XT}[\tilde{P}, H]}(q) \le \frac{q^2 \epsilon}{2},$$
and our $H$ is $1/2^{n+\min\{n,t\}}$-pAXU. Thus
$$\mathrm{Adv}^{\mathrm{tprp}}_{\mathrm{XT}[\tilde{P}, H]}(q) \le \frac{q^2}{2^{n+\min\{n,t\}+1}}.$$
Therefore XT has $\min\{n, (n+t)/2\}$-bit, i.e. BBB, security
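Worked derivation (added here as an illustration; it fills in, from the definitions on the previous slides only, why the XT mask function reaches the pAXU bound the slide states). Fix $G = (T, i) \ne G' = (T', i')$ and $\delta \in \{0,1\}^n$, and let $c = 2^{i-1} \oplus 2^{i'-1} \in \mathrm{GF}(2^n)$. Then
$$H_{(L_\ell, L_r)}(T, i) \oplus H_{(L_\ell, L_r)}(T', i') = \bigl(c \cdot L_\ell,\ c \cdot L_r \oplus_t (T \oplus T')\bigr).$$
• If $i = i'$, then $c = 0$ and the $t$-bit part equals $T \oplus T' \ne 0^t$ (because $G \ne G'$), so the event $(\delta, 0^t)$ never occurs.
• If $i \ne i'$, then $c \ne 0$ as long as $2^{i-1} \ne 2^{i'-1}$, which holds for all block indices below the order of $2$ in $\mathrm{GF}(2^n)^*$ (the same restriction XEX relies on). For uniform $L_\ell$, $c \cdot L_\ell$ is uniform on $\{0,1\}^n$, so $\Pr[c \cdot L_\ell = \delta] = 2^{-n}$. Independently, $c \cdot L_r$ is uniform on $\{0,1\}^n$: if $t \le n$, $\mathrm{msb}_t(c \cdot L_r)$ is uniform on $\{0,1\}^t$ and the $t$-bit part vanishes with probability $2^{-t}$; if $t > n$, the equation $(c \cdot L_r \,\|\, 0^{t-n}) = T \oplus T'$ fixes all $n$ bits of $c \cdot L_r$ and holds with probability at most $2^{-n}$. In both cases the $t$-bit part vanishes with probability at most $2^{-\min\{n,t\}}$.
Since $L_\ell$ and $L_r$ are independent, $\epsilon = 2^{-n} \cdot 2^{-\min\{n,t\}} = 1/2^{n+\min\{n,t\}}$, and the lemma gives $q^2 \epsilon / 2 = q^2 / 2^{n+\min\{n,t\}+1}$. This bound becomes constant only when $q \approx 2^{(n+\min\{n,t\})/2} = 2^{\min\{n, (n+t)/2\}}$, which is the stated security level: $n$ bits for $t \ge n$ and $(n+t)/2$ bits for $t < n$.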

19-20. How ZHASH works: chaining scheme
Given XT, it is easy to apply it in the PMAC-like single-chaining hashing scheme
• The message is divided into $(n+t)$-bit blocks $(X_\ell[i], X_r[i])$ for $i = 1, 2, \ldots$
• This is optimally efficient, but security is only up to the birthday bound: a collision is found with $2^{n/2}$ queries
• Need a larger chaining value
[Figure: single-chaining scheme with XT; collision w/ $2^{n/2}$ queries]

21. How ZHASH works: chaining scheme
• Naive use of the $2n$-bit chaining scheme [Nai15][Yas11] does not work
  – An XT output collision still breaks the scheme: collision w/ $2^{n/2}$ queries
[Figure: naive $2n$-bit chaining with XT; collision w/ $2^{n/2}$ queries]

22-23. How ZHASH works: chaining scheme
• Key observation: to avoid these collision attacks, the processing of $(X_\ell, X_r)$ (the dotted box in the figure) must be a permutation
• A Feistel-like 1-round permutation works (ZHASH)
[Figure: ZHASH chaining]
Lemma. ZHASH (with XT using a TURP) is $\epsilon$-almost universal for $\epsilon = 4 / 2^{n+\min\{n,t\}}$

24. Full ZHASH
Input: $X = (X[1], \ldots, X[m])$, $|X[i]| = n + t$
Output: $(U, V)$, $|U| = n$, $|V| = t$
[Figure: ZHASH. Block $X[i] = (X_\ell[i], X_r[i])$ is masked by $2^{i-1} \cdot L_\ell$ on $X_\ell[i]$ and, via $\oplus_t$, by $2^{i-1} \cdot L_r$ on $X_r[i]$; the masked $X_\ell[i]$ is encrypted by $\tilde{E}^8_K$ with the masked $X_r[i]$ as tweak. The $n$-bit outputs feed a doubling chain ("2") starting from $0^n$ that yields $U$; their $\oplus_t$ combinations with $X_r[i]$ feed an XOR chain starting from $0^t$ that yields $V$.]
Details:
• $X \oplus_t Y = \mathrm{msb}_t(X) \oplus Y$ if $t \le n$, and $(X \,\|\, 0^{t-n}) \oplus Y$ if $t > n$
• $2 \cdot X$: multiplication by 2 over $\mathrm{GF}(2^n)$
• $L_\ell$ and $L_r$: two $n$-bit masks derived from $\tilde{E}_K$ with domain separation

25. ZFIN
ZFIN simply encrypts $U$ with tweak $V$ twice (for each $n$-bit output) and takes the sum (with domain separation):
[Figure: ZFIN. $Y[1] = \tilde{E}^i_K(V, U) \oplus \tilde{E}^{i+1}_K(V, U)$ and $Y[2] = \tilde{E}^{i+2}_K(V, U) \oplus \tilde{E}^{i+3}_K(V, U)$.]
PRF security of ZFIN:
• ZFIN is essentially the "Sum of Permutations" [Luc00, BI99, Pat08a, Pat13, CLP14, MN17]
• From a recent result by Dai et al. [DHT17], ZFIN is $n$-bit secure
Lemma.
$$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{ZFIN}[\tilde{P}]}(q) \le 2 \left(\frac{q}{2^n}\right)^{3/2}$$
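The following Python is an added worked example, written for this page; it is not the authors' code nor the reference implementation from the CRYPTO 2017 paper. It puts the pieces of slides 17, 24 and 25 together into a running ZMAC: the doubling masks and $\oplus_t$ chop-or-pad of XT, the ZHASH chaining with its Feistel-like per-block step, and the ZFIN sum-of-permutations finalization. Everything the slides leave open is an assumption here: $n = t = 128$; the TBC is a stand-in (a 4-round Feistel network whose round functions are HMAC-SHA256 keyed by $K$, the domain index and the tweak) rather than a real instantiation such as Deoxys-BC or SKINNY; the mask-derivation domain indices 9 and 10, the ZFIN domain indices 0..3 / 4..7, and the 10* padding rule for a partial last block are likewise assumed, so a deployed ZMAC must follow the paper's specification, not this sketch.

```python
"""Added example: the ZMAC structure from the slides over a stand-in TBC.

Editor's illustration, not the authors' code.  Assumptions not fixed by the
slides: n = t = 128; the TBC is a 4-round Feistel network with HMAC-SHA256
round functions keyed by (K, domain index, tweak); masks L_l, L_r use domain
indices 9 and 10; ZFIN uses domain indices 0..3 (no padding) or 4..7 (after
10* padding).  The hashing index 8 is the one shown on slide 24.
"""
import hashlib
import hmac

N_BITS, T_BITS = 128, 128          # assumption: n = t = 128
NB, TB = N_BITS // 8, T_BITS // 8  # byte lengths of block and tweak


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_tbc(key: bytes, domain: int, tweak: bytes, block: bytes) -> bytes:
    """Stand-in for E^domain_K(tweak, block): a 4-round Feistel network over two
    64-bit halves.  For a fixed (key, domain, tweak) it is a permutation of the
    block, which is the only structural property the mode relies on."""
    assert len(tweak) == TB and len(block) == NB
    left, right = block[:NB // 2], block[NB // 2:]
    for rnd in range(4):
        f = hmac.new(key, bytes([domain, rnd]) + tweak + right, hashlib.sha256).digest()
        left, right = right, xor(left, f[:NB // 2])
    return left + right


def double(x: bytes) -> bytes:
    """Multiply by 2 in GF(2^128) with reduction polynomial x^128 + x^7 + x^2 + x + 1
    (the XEX/OCB convention).  ZHASH caches 2^(i-1) L and doubles it per block."""
    v = int.from_bytes(x, "big") << 1
    if v >> N_BITS:
        v ^= (1 << N_BITS) | 0x87
    return v.to_bytes(NB, "big")


def xor_t(x: bytes, y: bytes) -> bytes:
    """X (+)_t Y from slide 17: msb_t(X) ^ Y if t <= n, (X || 0^(t-n)) ^ Y if t > n.
    x is an n-bit value, y a t-bit value; the result is t bits."""
    if TB <= NB:
        return xor(x[:TB], y)
    return xor(x + bytes(TB - NB), y)


def zhash(key: bytes, blocks: list) -> tuple:
    """ZHASH (slide 24) over full (n+t)-bit blocks given as (X_l[i], X_r[i]) pairs;
    returns the (n+t)-bit chaining value (U, V)."""
    l_l = toy_tbc(key, 9, bytes(TB), bytes(NB))   # assumption: mask domains 9 and 10
    l_r = toy_tbc(key, 10, bytes(TB), bytes(NB))
    u, v = bytes(NB), bytes(TB)
    for x_l, x_r in blocks:
        s_l = xor(x_l, l_l)              # X_l ^ 2^(i-1) L_l: n-bit half of the XT mask
        s_r = xor_t(l_r, x_r)            # X_r (+)_t 2^(i-1) L_r: t-bit half, chop-or-pad
        c_l = toy_tbc(key, 8, s_r, s_l)  # XT: E^8_K(tweak = S_r, block = S_l), no output mask
        c_r = xor_t(c_l, x_r)            # Feistel-like step: (X_l, X_r) -> (C_l, C_l (+)_t X_r)
        u = xor(double(u), c_l)          # doubling chain U <- 2U ^ C_l
        v = xor(v, c_r)                  # XOR chain      V <- V ^ C_r
        l_l, l_r = double(l_l), double(l_r)   # masks for the next block, as in XEX
    return u, v


def zfin(key: bytes, u: bytes, v: bytes, base: int) -> bytes:
    """ZFIN (slide 25): each n-bit output word is the sum of two independent
    permutations of U under tweak V, separated by the domain index."""
    y1 = xor(toy_tbc(key, base, v, u), toy_tbc(key, base + 1, v, u))
    y2 = xor(toy_tbc(key, base + 2, v, u), toy_tbc(key, base + 3, v, u))
    return y1 + y2


def zmac(key: bytes, msg: bytes, taglen: int = NB) -> bytes:
    """ZMAC = ZFIN o ZHASH.  A non-empty message that is a multiple of (n+t) bits is
    hashed as is; otherwise it gets 10* padding and ZFIN switches domain so that the
    padded message cannot collide with the same bytes sent unpadded (assumption)."""
    bl = NB + TB
    if msg and len(msg) % bl == 0:
        padded, base = msg, 0
    else:
        padded, base = msg + b"\x80" + bytes((-len(msg) - 1) % bl), 4
    blocks = [(padded[i:i + NB], padded[i + NB:i + bl]) for i in range(0, len(padded), bl)]
    u, v = zhash(key, blocks)
    return zfin(key, u, v, base)[:taglen]


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(zmac(key, msg, len(tag)), tag)


if __name__ == "__main__":
    key = bytes(range(16))                           # constructed demo key
    msg = b"ZMAC processes n+t bits per TBC call"   # constructed demo message
    tag = zmac(key, msg)
    print(tag.hex(), verify(key, msg, tag), verify(key, msg + b"!", tag))
```

Note where the efficiency claim shows up: each 32-byte message block costs exactly one `toy_tbc` call, with 16 bytes entering through the block input and 16 through the tweak. The per-block map `(x_l, x_r) -> (c_l, c_r)` is invertible (recover `x_r` from `c_r` and `c_l`, then decrypt `c_l` under tweak `s_r`), which is the "must be a permutation" observation of slide 22; the doubling and XOR chains on top of it are what lift the hash from birthday-bound to $(n+t)/2$-bit universality.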

26. Security of ZMAC
Combining all lemmas:
Theorem. For $q \le 2^{n-4}$ queries of total $\sigma$ $(n+t)$-bit blocks,
$$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{ZMAC}[\tilde{P}]}(q, \sigma) \le \frac{2.5\,\sigma^2}{2^{n+\min\{n,t\}}} + 4 \left(\frac{q}{2^n}\right)^{3/2}.$$
Thus ZMAC is $\min\{n, (n+t)/2\}$-bit secure

27. Security Proof
[Figure: ZHASH chaining]
• ZHASH is $\epsilon$-almost universal for $\epsilon = 4 / 2^{n+\min\{n,t\}}$:
$$\max_{\substack{X \in (\{0,1\}^{n+t})^m,\ X' \in (\{0,1\}^{n+t})^{m'} \\ X \ne X'}} \Pr\bigl[\mathrm{ZHASH}_{\mathrm{XT}}(X) = \mathrm{ZHASH}_{\mathrm{XT}}(X')\bigr] \le \epsilon$$
