1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan)...
-
Upload
shavonne-heath -
Category
Documents
-
view
217 -
download
0
Transcript of 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan)...
![Page 1: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/1.jpg)
1
Message authentication codes,modes of operation, andindifferentiability
Kan Yasuda (NTT, Japan)ASK 2011Aug. 31, Singapore
![Page 2: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/2.jpg)
2
Outline
Introduction to modes of operation and to provable security
Recent work on MAC (CRYPTO 2011) Recent work on indifferentiability (Eurocrypt 2
011) Some thoughts on MACs and on indifferentiab
ility
![Page 3: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/3.jpg)
3
Introduction
![Page 4: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/4.jpg)
4
Modes of operation (domain extension type)
We only have “small” primitive (block cipher, compression function)
Small primitives have fixed-length input
To process large data, we need to iterate our small primitives in some way
Modes of operation are constructions that specify how to iterate our small primitives
![Page 5: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/5.jpg)
5
Examplesdata
CBC-MACdata data
f f f f
data data data dataMekle-Damgård
![Page 6: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/6.jpg)
6
Provable security
Want to prove: Our construction is secure (in some
sense) if the underlying small primitive is secure (in some sense)
Steps1. Make an assumption about the security of
the small primitive (The notion of security depends on the definition)
2. Reduce the security of the entire construction to that of the underlying primitive
![Page 7: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/7.jpg)
7
Examples
CBC-MAC If the underlying block cipher is a secure pseudo-r
andom permutation, then its CBC-MAC mode is a secure MAC
Merkle-Damgård construction If the underlying compression function is collision-r
esistant, then the entire Merkle-Damgård hash function is also collision-resistant
![Page 8: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/8.jpg)
8
Outline
Introduction to modes of operation and to provable security
Recent work on MAC (CRYPTO 2011) Recent work on indifferentiability (Eurocrypt 2
011) Some thoughts on MACs and on indifferentiab
ility
![Page 9: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/9.jpg)
9
“A new variant of PMAC: Beyond the birthday bound”
(CRYPTO 2011)
![Page 10: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/10.jpg)
10
Introduction
MAC (Message Authentication Code) Symmetric-key primitive Input: a secret key and (possibly large)
data Output: a fixed-length value (called
tag) Used for integrity check of data
data (message)
secret key
Tag (64-bit, 128-bit, etc.)
![Page 11: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/11.jpg)
11
4 ways to make a MAC
1. design from scratch (dedicated MAC)
2. use a cryptographic hash function (e.g., HMAC)
3. use a universal hash function 4. use a block cipher (e.g., CMAC,
PMAC)
![Page 12: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/12.jpg)
12
4 ways to make a MAC
1. design from scratch (dedicated MAC)
2. use a cryptographic hash function (e.g., HMAC)
3. use a universal hash function 4. use a block cipher (e.g., CMAC,
PMAC)
This work
![Page 13: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/13.jpg)
13
Blockcipher-based MACs(2 types of iteration)
dataCBC
data data dataPMAC
data data
mask mask mask
Mask needs to be updated at each iteration
![Page 14: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/14.jpg)
14
CBC vs. PMAC
CBC PMAC
Sequential Parallelizable
Only XOR Requires mask update and XOR
![Page 15: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/15.jpg)
15
Why PMAC?
PMAC seems to have a structure easier to analyze (for security proofs)
In fact, some of the proof techniques are not applicable to CBC iteration
![Page 16: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/16.jpg)
16
Intuition behind the choicedata
data data data
data data
mask mask mask
$ $ $ $
$ $ $ $
Order of execution does matter
Can be executed in any order
Easier to manipulate events and to evaluate probabilities
![Page 17: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/17.jpg)
17
MAC security
Unforgeability Adversary (without knowing the key) should not be
able to produce a valid tag for a new message Pseudo-random
Randomness implies unforgeability If a MAC is a secure PRF (pseudo-random functio
n), then it is also a secure MAC.
![Page 18: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/18.jpg)
18
MAC security
Unforgeability Adversary (without knowing the key) should not be
able to produce a valid tag for a new message Pseudo-random
Randomness implies unforgeability If a MAC is a secure PRF (pseudo-random functio
n), then it is also a secure MAC.
PRF-based MACs are “standard”
![Page 19: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/19.jpg)
19
Birthday problems
Ordinary MACs usually provide security only half the block size (n bit) of the underlying cipher
For n-bit cipher, only 2^(n/ 2) security
For n = 64, 2^32 blocks = 32GBytes 64-bit block ciphers? Triple-DES, HIGHT, PRESENT,
LED, . . .
n-bit security0.5n-bit security
![Page 20: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/20.jpg)
20
2 diffenent birthday problemsexist for block-cipher-based MACs Birthday attacks on iterated MACs
Existential forgery is possible on any iterated MACs after 2^(n/2) queries (n the state size)
For CBC-type MACs, even universal forgery is possible
PRP – PRF switching lemma PRP – pseudo-random permutation A (pseudo-random) permutation can be considered
as a function only up to 2^(n/2) queries
![Page 21: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/21.jpg)
21
Security result
The new construction achieves 2^(2n/3) security For n = 64, 2^42.7 blocks = 51TBytes
The new MAC is a secure PRF based on the assumption that the underlying block cipher is a secure PRP Avoid using PRP-PRF switching lemma
![Page 22: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/22.jpg)
22
ISO 9797
(The only) previous construction that achieves security beyond the birthday bound Achieves (Slightly worse than)
2^(2n/3) security Rate-1/2 construction, twice as
slow (as CMAC, PMAC)
![Page 23: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/23.jpg)
23
ISO 9797 – sum of two CBC MACs
Requires 2 encryptions to process a block
Block i Block i+1 Block i+2
Block i Block i+1 Block i+2Different keys
![Page 24: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/24.jpg)
24
Solution – basic idea
Want rate-1 construction; only 1 encryption per block . . .
![Page 25: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/25.jpg)
25
Solution – basic idea
Want rate-1 construction; only 1 encryption per block . . .
Double everything but block cipher calls
![Page 26: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/26.jpg)
26
Original PMAC
data data data
mask mask mask
tag
finalization
![Page 27: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/27.jpg)
27
Doubling the masking
data data data
mask0 mask0 mask0
tag
finalization
mask1 mask1 mask1
![Page 28: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/28.jpg)
28
Doubling the state
data data data
mask0 mask0 mask0
tag
finalization
mask1 mask1 mask1
mult. by 2 mult. by 2
![Page 29: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/29.jpg)
29
mult. by 2mult. by 2
Doubling the finalization
data data data
mask0 mask0 mask0
tag
finalization
mask1 mask1 mask1
![Page 30: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/30.jpg)
30
mult. by 2mult. by 2
The new construction
data data data
mask0 mask0 mask0
tag
finalization
mask1 mask1 mask1
![Page 31: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/31.jpg)
31
Open problem: 1-key construction
mult. by 2mult. by 2
data data data
mask0 mask0 mask0
tag
finalization
mask1 mask1 mask1These 2 keys can be made the same
by tweaking here (e.g., mult. by 2)
. . . But still a 2-key construction
![Page 32: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/32.jpg)
32
Open problem: Full 2^n security Tripling everything instead of
doubling Possibly 2^(3n/4) security, but not 2^n 4 times, 5 times, . . . would result in
2^(4n/5), 2^(5n/6) security (at best) May call them still rate-1, but more and
more inefficient The 2^(2n/3) bound may not be tight
No attacks (of this complexity) known The proofs may be improved
![Page 33: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/33.jpg)
33
Outline
Introduction to modes of operation and to provable security
Recent work on MAC (CRYPTO 2011) Recent work on indifferentiability (Eurocrypt 2
011) Some thoughts on MACs and on indifferentiab
ility
![Page 34: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/34.jpg)
34
Ristenpart, Shacham and Shrimpton:
“Careful with composition: Limitation of indifferentiability and …”
(Eurocrypt 2011)
![Page 35: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/35.jpg)
35
Indifferentiability
Introduced by Maurer, Renner, and Holenstein (TCC2004)
Notion of security stronger than indistinguishability / pseudo-randomness
The adversary has oracle access to (internal) small components as well as the entire scheme
![Page 36: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/36.jpg)
36
Indifferentiability and (keyless) hash functions The indifferentiability framework was applied t
o modes of operation for keyless hash functions Coron, Dodis, Malinaud and Puniya CRYPTO 2005
Secure (indifferentiable) hash constructions: If the compression function is ideal (random), then
so is the entire hash function
![Page 37: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/37.jpg)
37
Composability
Suppose you have a cryptographic system which is secure in the random oracle model
(Interpretation) Composability says: The random oracle can be safely replaced (instanti
ated) with an indifferentiable hash function The system with the indifferentiable hash must be
secure if the internal compression function is ideal
![Page 38: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/38.jpg)
38
“Counterexample” (Ristenpart et al. Eurocrypt 2011) Hash-based storage auditing
1. Client sends a random challenge C to the server2. Server proves possession of the file M by comput
ing and sending Z <- Hash(M|C)
Secure if Hash is a random oracle
![Page 39: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/39.jpg)
39
chopMD―Indifferentiable hash
Proven by Coron, Dodis, Malinaud and Puniya at CRYPTO 2005
IV
X[1] X[2] X[3] X[m]
Hashvalue
d bits
n bitsTruncated to
n/2 bits(d > n)
f f f f
![Page 40: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/40.jpg)
40
“Counterexample” (again)
Hash-based storage auditing1. Client sends a random challenge C to the server2. Server proves possession of the file M by comput
ing and sending Z <- Hash(M|C)
Insecure if Hash is chopMD
![Page 41: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/41.jpg)
41
The server can:-forget M, store Y instead-on challenge C, return f(Y,C) (truncated)
We have f(Y,C) (truncated) = Z
How to cheat Hash(M|C) -> Z
IV
M C
Z
d bits
n bitsTruncated to
n/2 bits(d > n)Y
f f
chopMD insecure?
![Page 42: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/42.jpg)
42
What is going on?
Ristenpart et al. showed that the composability of indifferentiability may not hold true for security notions with multistage adversaries
Seems quite difficult to find a “good” solution to fix the problem
Limitation of the indifferentiability framework
![Page 43: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/43.jpg)
43
Outline
Introduction to modes of operation and to provable security
Recent work on MAC (CRYPTO 2011) Recent work on indifferentiability (Eurocrypt 2
011) Some thoughts on MACs and on indifferentiab
ility
![Page 44: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/44.jpg)
44
Some thoughts on MACs and on indifferentiability
![Page 45: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/45.jpg)
45
MACs: Three notions of security
Unforgeable (minimum requirement) MAC-secure
pseudo-random (“standard”) PRF (pseudo-random function)
Indifferentiable (strongest) The notion makes perfect sense in the secret-key setting Indifferentiability is not only for keyless hash functions
![Page 46: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/46.jpg)
46
MACs: Provable securityAssumptions aboutblock cipher / compression function
MAC-secure
PRF / PRP
Goals of MAC scheme
MAC-secure
PRF
Indifferentiable
MAC construction
PRF construction
Indifferentiable construction
![Page 47: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/47.jpg)
47
Some observationsPRF construction
MAC constructio
n
Indifferentiable construction
Most PRF constructions are-efficient, and-insecure if state values leaked
-Many common constructions-Only inefficient ones known-“transparent”―some security against side-channel attacks
Connection?
Gap?
![Page 48: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/48.jpg)
48
Conclusion
The application of indifferentiability is not limited to keyless hash functions
Indifferentiability might be related to MAC security (unforgeability) in some way
![Page 49: 1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.](https://reader035.fdocuments.us/reader035/viewer/2022070404/56649f385503460f94c54b1d/html5/thumbnails/49.jpg)
49
Thank you