Top Banner
1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore

1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.

Jan 05, 2016



Shavonne Heath
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Page 1: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


Message authentication codes,modes of operation, andindifferentiability

Kan Yasuda (NTT, Japan)ASK 2011Aug. 31, Singapore

Page 2: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.



Introduction to modes of operation and to provable security

Recent work on MAC (CRYPTO 2011) Recent work on indifferentiability (Eurocrypt 2

011) Some thoughts on MACs and on indifferentiab


Page 3: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.



Page 4: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


Modes of operation (domain extension type)

We only have “small” primitive (block cipher, compression function)

Small primitives have fixed-length input

To process large data, we need to iterate our small primitives in some way

Modes of operation are constructions that specify how to iterate our small primitives

Page 5: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.



CBC-MACdata data

f f f f

data data data dataMekle-Damgård

Page 6: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


Provable security

Want to prove: Our construction is secure (in some

sense) if the underlying small primitive is secure (in some sense)

Steps1. Make an assumption about the security of

the small primitive (The notion of security depends on the definition)

2. Reduce the security of the entire construction to that of the underlying primitive

Page 7: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.



CBC-MAC If the underlying block cipher is a secure pseudo-r

andom permutation, then its CBC-MAC mode is a secure MAC

Merkle-Damgård construction If the underlying compression function is collision-r

esistant, then the entire Merkle-Damgård hash function is also collision-resistant

Page 8: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.



Introduction to modes of operation and to provable security

Recent work on MAC (CRYPTO 2011) Recent work on indifferentiability (Eurocrypt 2

011) Some thoughts on MACs and on indifferentiab


Page 9: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


“A new variant of PMAC: Beyond the birthday bound”

(CRYPTO 2011)

Page 10: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.



MAC (Message Authentication Code) Symmetric-key primitive Input: a secret key and (possibly large)

data Output: a fixed-length value (called

tag) Used for integrity check of data

data (message)

secret key

Tag (64-bit, 128-bit, etc.)

Page 11: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


4 ways to make a MAC

1. design from scratch (dedicated MAC)

2. use a cryptographic hash function (e.g., HMAC)

3. use a universal hash function 4. use a block cipher (e.g., CMAC,


Page 12: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


4 ways to make a MAC

1. design from scratch (dedicated MAC)

2. use a cryptographic hash function (e.g., HMAC)

3. use a universal hash function 4. use a block cipher (e.g., CMAC,


This work

Page 13: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


Blockcipher-based MACs(2 types of iteration)


data data dataPMAC

data data

mask mask mask

Mask needs to be updated at each iteration

Page 14: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.




Sequential Parallelizable

Only XOR Requires mask update and XOR

Page 15: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.



PMAC seems to have a structure easier to analyze (for security proofs)

In fact, some of the proof techniques are not applicable to CBC iteration

Page 16: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


Intuition behind the choicedata

data data data

data data

mask mask mask

$ $ $ $

$ $ $ $

Order of execution does matter

Can be executed in any order

Easier to manipulate events and to evaluate probabilities

Page 17: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


MAC security

Unforgeability Adversary (without knowing the key) should not be

able to produce a valid tag for a new message Pseudo-random

Randomness implies unforgeability If a MAC is a secure PRF (pseudo-random functio

n), then it is also a secure MAC.

Page 18: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


MAC security

Unforgeability Adversary (without knowing the key) should not be

able to produce a valid tag for a new message Pseudo-random

Randomness implies unforgeability If a MAC is a secure PRF (pseudo-random functio

n), then it is also a secure MAC.

PRF-based MACs are “standard”

Page 19: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


Birthday problems

Ordinary MACs usually provide security only half the block size (n bit) of the underlying cipher

For n-bit cipher, only 2^(n/ 2) security

For n = 64, 2^32 blocks = 32GBytes 64-bit block ciphers? Triple-DES, HIGHT, PRESENT,

LED, . . .

n-bit security0.5n-bit security

Page 20: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


2 diffenent birthday problemsexist for block-cipher-based MACs Birthday attacks on iterated MACs

Existential forgery is possible on any iterated MACs after 2^(n/2) queries (n the state size)

For CBC-type MACs, even universal forgery is possible

PRP – PRF switching lemma PRP – pseudo-random permutation A (pseudo-random) permutation can be considered

as a function only up to 2^(n/2) queries

Page 21: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


Security result

The new construction achieves 2^(2n/3) security For n = 64, 2^42.7 blocks = 51TBytes

The new MAC is a secure PRF based on the assumption that the underlying block cipher is a secure PRP Avoid using PRP-PRF switching lemma

Page 22: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


ISO 9797

(The only) previous construction that achieves security beyond the birthday bound Achieves (Slightly worse than)

2^(2n/3) security Rate-1/2 construction, twice as

slow (as CMAC, PMAC)

Page 23: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


ISO 9797 – sum of two CBC MACs

Requires 2 encryptions to process a block

Block i Block i+1 Block i+2

Block i Block i+1 Block i+2Different keys

Page 24: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


Solution – basic idea

Want rate-1 construction; only 1 encryption per block . . .

Page 25: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


Solution – basic idea

Want rate-1 construction; only 1 encryption per block . . .

Double everything but block cipher calls

Page 26: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


Original PMAC

data data data

mask mask mask



Page 27: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


Doubling the masking

data data data

mask0 mask0 mask0



mask1 mask1 mask1

Page 28: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


Doubling the state

data data data

mask0 mask0 mask0



mask1 mask1 mask1

mult. by 2 mult. by 2

Page 29: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


mult. by 2mult. by 2

Doubling the finalization

data data data

mask0 mask0 mask0



mask1 mask1 mask1

Page 30: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


mult. by 2mult. by 2

The new construction

data data data

mask0 mask0 mask0



mask1 mask1 mask1

Page 31: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


Open problem: 1-key construction

mult. by 2mult. by 2

data data data

mask0 mask0 mask0



mask1 mask1 mask1These 2 keys can be made the same

by tweaking here (e.g., mult. by 2)

. . . But still a 2-key construction

Page 32: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


Open problem: Full 2^n security Tripling everything instead of

doubling Possibly 2^(3n/4) security, but not 2^n 4 times, 5 times, . . . would result in

2^(4n/5), 2^(5n/6) security (at best) May call them still rate-1, but more and

more inefficient The 2^(2n/3) bound may not be tight

No attacks (of this complexity) known The proofs may be improved

Page 33: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.



Introduction to modes of operation and to provable security

Recent work on MAC (CRYPTO 2011) Recent work on indifferentiability (Eurocrypt 2

011) Some thoughts on MACs and on indifferentiab


Page 34: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


Ristenpart, Shacham and Shrimpton:

“Careful with composition: Limitation of indifferentiability and …”

(Eurocrypt 2011)

Page 35: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.



Introduced by Maurer, Renner, and Holenstein (TCC2004)

Notion of security stronger than indistinguishability / pseudo-randomness

The adversary has oracle access to (internal) small components as well as the entire scheme

Page 36: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


Indifferentiability and (keyless) hash functions The indifferentiability framework was applied t

o modes of operation for keyless hash functions Coron, Dodis, Malinaud and Puniya CRYPTO 2005

Secure (indifferentiable) hash constructions: If the compression function is ideal (random), then

so is the entire hash function

Page 37: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.



Suppose you have a cryptographic system which is secure in the random oracle model

(Interpretation) Composability says: The random oracle can be safely replaced (instanti

ated) with an indifferentiable hash function The system with the indifferentiable hash must be

secure if the internal compression function is ideal

Page 38: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


“Counterexample” (Ristenpart et al. Eurocrypt 2011) Hash-based storage auditing

1. Client sends a random challenge C to the server2. Server proves possession of the file M by comput

ing and sending Z <- Hash(M|C)

Secure if Hash is a random oracle

Page 39: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


chopMD―Indifferentiable hash

Proven by Coron, Dodis, Malinaud and Puniya at CRYPTO 2005


X[1] X[2] X[3] X[m]


d bits

n bitsTruncated to

n/2 bits(d > n)

f f f f

Page 40: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


“Counterexample” (again)

Hash-based storage auditing1. Client sends a random challenge C to the server2. Server proves possession of the file M by comput

ing and sending Z <- Hash(M|C)

Insecure if Hash is chopMD

Page 41: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


The server can:-forget M, store Y instead-on challenge C, return f(Y,C) (truncated)

We have f(Y,C) (truncated) = Z

How to cheat Hash(M|C) -> Z




d bits

n bitsTruncated to

n/2 bits(d > n)Y

f f

chopMD insecure?

Page 42: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


What is going on?

Ristenpart et al. showed that the composability of indifferentiability may not hold true for security notions with multistage adversaries

Seems quite difficult to find a “good” solution to fix the problem

Limitation of the indifferentiability framework

Page 43: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.



Introduction to modes of operation and to provable security

Recent work on MAC (CRYPTO 2011) Recent work on indifferentiability (Eurocrypt 2

011) Some thoughts on MACs and on indifferentiab


Page 44: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


Some thoughts on MACs and on indifferentiability

Page 45: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


MACs: Three notions of security

Unforgeable (minimum requirement) MAC-secure

pseudo-random (“standard”) PRF (pseudo-random function)

Indifferentiable (strongest) The notion makes perfect sense in the secret-key setting Indifferentiability is not only for keyless hash functions

Page 46: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


MACs: Provable securityAssumptions aboutblock cipher / compression function



Goals of MAC scheme




MAC construction

PRF construction

Indifferentiable construction

Page 47: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


Some observationsPRF construction

MAC constructio


Indifferentiable construction

Most PRF constructions are-efficient, and-insecure if state values leaked

-Many common constructions-Only inefficient ones known-“transparent”―some security against side-channel attacks



Page 48: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.



The application of indifferentiability is not limited to keyless hash functions

Indifferentiability might be related to MAC security (unforgeability) in some way

Page 49: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.


Thank you