Introduction | Motivation | Security Result | Attack | Security Proof

BBB Secure Nonce Based MAC Using Public Permutation
Avijit Dutta and Mridul Nandi
Indian Institute of Technology, Kharagpur, India.
AFRICACRYPT, 2020
June 30, 2020

Introduction
Nonce Based MAC
MAC
- Sign. Algorithm: $\mathrm{Sign}_k(N, M) = T$
- Ver. Algorithm: $\mathrm{Ver}_k(N, M, T) \in \{\top, \bot\}$
Security Model
- Tagging queries: $(N, M) \mapsto T = \mathrm{Sign}_k(N, M)$; $q$ = the number of tagging queries
- Verification queries: $(N, M, T) \mapsto \top/\bot$; $v$ = the number of verification queries
- Nonce Respecting: the nonce is unique in MAC queries; it can repeat in verification queries
- Can Eve forge a valid tag for a message that Alice never saw?
Nonce Based MAC Built on Public Permutations
MAC
- Sign. Algorithm: $\mathrm{Sign}^P_k(N, M) = T$
- Ver. Algorithm: $\mathrm{Ver}^P_k(N, M, T) \in \{\top, \bot\}$
Security Model of Nonce Based MAC Built on Public Permutations
The adversary has oracle access to the public permutation $(P, P^{-1})$ ($p$ queries), to $\mathrm{Sign}^P_k$ with $(N, M) \mapsto T$ ($q$ queries) and to $\mathrm{Ver}^P_k$ with $(N, M, T) \mapsto \top/\bot$ ($v$ queries).
MAC Based on (Tweakable) Block Cipher
- Birthday, BC: CBC, PMAC, GCBC, LightMAC
- Birthday, TBC: Tbc, WC
- Beyond Birthday, BC: PMAC+, EWCDM, LightMAC+
- Beyond Birthday, TBC: PMAC_TBC3k, ZMAC, DoveMAC
Other MACs include cryptographic hash-based MACs (e.g., HMAC) and compression function based MACs (e.g., NMAC, NI, NI+).
MAC Based on Public Permutations
- Block ciphers and tweakable block ciphers are high-level primitives.
- They are designed to be efficiently evaluated in the reverse direction.
- MAC constructions do not require invertibility of the primitive.
- Can we design a MAC based on lower-level primitives like public permutations?
- Apparently yes! (Sponge construction.) It gives security up to $c/2$ bits, where $c$ is the capacity part of the sponge.
- Can we do better?
Outline for the Rest of the Talk
- Motivation of the construction
- Security Result
- Forging Attack
- A glimpse of the idea of the security proof
PRF Built from Public Permutations: Sparking Interest
SoEM21, SoEM1 – Chen et al., CRYPTO'19.
Sum of Even-Mansour with one permutation $P$ and two keys $k_1, k_2$: $C = P(M \oplus k_1) \oplus k_1 \oplus P(M \oplus k_2) \oplus k_2$.
Sum of Even-Mansour with two permutations $P_1, P_2$ and one key $k$: $C = P_1(M \oplus k) \oplus k \oplus P_2(M \oplus k) \oplus k$.
Birthday Bound Security
BBB PRF Built from Public Permutations
SoEM22 – Chen et al., CRYPTO'19: two permutations $P_1, P_2$ and two keys $k_1, k_2$, $C = P_1(M \oplus k_1) \oplus k_1 \oplus P_2(M \oplus k_2) \oplus k_2$.
Can we use this design to build a MAC that processes arbitrary-length messages from a public permutation?
Nonce Based EHtM (Dutta et al. EUROCRYPT'19)
$T = E_k(0 \| N) \oplus E_k(1 \| (N \oplus H_{k_h}(M)))$, where $N$ and $H_{k_h}(M)$ are $(n-1)$-bit values.
Properties of nEHtM
- Nonce based MAC
- $2n/3$-bit security
- Secure under the faulty nonce model
- Gives birthday bound security when the number of faulty nonces reaches $2^{n/2}$
Can we use this design to make a permutation based MAC?
A Naive Approach
2-round Iterated Even-Mansour (Chen et al., CRYPTO'14): $E_k(M) = P(P(M \oplus \gamma_0(k)) \oplus \gamma_1(k)) \oplus \gamma_2(k)$, secure up to $\approx 2^{2n/3}$ queries.
Instantiate $E_k$ of nEHtM with 2-round Iterated Even-Mansour.
Drawback: gives BBB security but requires four permutation calls.
Can we improve the number of permutation calls?
nEHtMp: Public Permutation Based BBB Secure Nonce Based MAC
$T = P(0 \| (N \oplus k)) \oplus P(1 \| (N \oplus H_{k_h}(M)))$
Compared with nEHtM, $T = E_k(0 \| N) \oplus E_k(1 \| (N \oplus H_{k_h}(M)))$, the keyed block cipher $E_k$ is replaced by the public permutation $P$ and the nonce input is masked with the key $k$.
- $k$ is an $(n-1)$-bit random key
- $P$ is an $n$-bit public random permutation
- Masking of the key is necessary; otherwise one can easily attack the system using offline queries to the public permutation
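A toy implementation of nEHtMp, added here as an example and not the authors' code: it assumes $n = 16$, a seeded shuffle as a constructed stand-in for the public permutation $P$, and PolyHash over $\mathrm{GF}(2^{15})$ as $H_{k_h}$ (the hash choice and all function names are this example's assumptions). It shows the key-masked nonce branch, the domain-separated hash branch, and a nonce-respecting signer beside a verifier that may see repeated nonces.

```python
import random

N_BITS = 16                  # toy block size n (a real instance would use n = 128 or larger)
H_BITS = N_BITS - 1          # nonce, key k and hash output are (n-1)-bit values
H_MASK = (1 << H_BITS) - 1
GF_POLY = (1 << 15) | 0b11   # x^15 + x + 1, irreducible over GF(2): defines GF(2^15)

# Constructed stand-in for the public permutation P: a fixed, keyless, publicly
# known permutation of {0,1}^n that anyone can evaluate offline in both directions.
_PERM = list(range(1 << N_BITS))
random.Random(2020).shuffle(_PERM)

def P(x):
    return _PERM[x]

def gf_mul(a, b):
    """Multiply two elements of GF(2^15) modulo x^15 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> H_BITS:          # degree reached 15: reduce
            a ^= GF_POLY
    return r & H_MASK

def poly_hash(kh, blocks):
    """PolyHash: kh^(l+1) xor (xor_i kh^i * M_i) over (n-1)-bit blocks M_1..M_l."""
    acc, kpow = 0, 1
    for m in blocks:
        kpow = gf_mul(kpow, kh)               # kh^i
        acc ^= gf_mul(kpow, m & H_MASK)
    return acc ^ gf_mul(kpow, kh)             # length term kh^(l+1)

def nehtmp_tag(k, kh, nonce, blocks):
    """T = P(0 || (N xor k)) xor P(1 || (N xor H_kh(M))); the key k masks the nonce."""
    left = P((nonce ^ k) & H_MASK)                                         # domain bit 0
    right = P((1 << H_BITS) | ((nonce ^ poly_hash(kh, blocks)) & H_MASK))  # domain bit 1
    return left ^ right

class Signer:
    """Nonce-respecting signer: never tags twice under the same nonce."""
    def __init__(self, k, kh):
        self.k, self.kh, self.used = k & H_MASK, kh & H_MASK, set()

    def sign(self, nonce, blocks):
        if nonce in self.used:
            raise ValueError("nonce reuse: the signer must be nonce-respecting")
        self.used.add(nonce)
        return nehtmp_tag(self.k, self.kh, nonce, blocks)

def verify(k, kh, nonce, blocks, tag):
    """Verification may see repeated nonces; it recomputes the tag and compares."""
    return nehtmp_tag(k & H_MASK, kh & H_MASK, nonce, blocks) == tag
```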
Security Result of nEHtMp
$q$ = # of signing queries, $v$ = # of verification queries, $p$ = # of primitive queries, # of faulty nonces $\le 2^{n/3}$.
$H$ is a $2^{-(n-1)}$-almost-xor-universal and $2^{-(n-1)}$-almost-regular hash function.
Security Advantage:
$$\mathbf{Adv}^{\mathrm{MAC}}_{\mathrm{nEHtMp}}(q, v, p) \le O\!\left(\frac{q + v + p}{2^{2n/3}}\right) + O\!\left(\frac{pq^2 + qp^2 + vp^2}{2^{2n}}\right)$$
Interpretation: if $q \approx 2^{2n/3}$, $v \approx 2^{2n/3}$ and $p \approx 2^{2n/3}$, then the scheme is secure.
Is the above bound tight? Yes! The bound is tight.
Idea of the Matching Attack
- Adversary $A$ makes MAC queries $(N_i, M_i)$ and obtains $T_i$.
- Adversary $A$ makes primitive queries $0 \| x^1_j$ and obtains $y^1_j$.
- Adversary $A$ makes primitive queries $1 \| x^2_j$ and obtains $y^2_j$.
Event: if $A$ finds a triplet $(N_i, M_i)$, $(0 \| x^1_j, y^1_j)$, $(1 \| x^2_l, y^2_l)$ such that $N_i \oplus k = x^1_j$ and $N_i \oplus H_{k_h}(M_i) = x^2_l$, then $T_i = y^1_j \oplus y^2_l$.
If the above event is satisfied, then for any non-zero $\Delta \in \{0,1\}^{n-1}$, $\underbrace{(N_i \oplus \Delta)}_{N^*} \oplus k = \underbrace{(x^1_j \oplus \Delta)}_{x^1_*}$ and $\underbrace{(N_i \oplus \Delta)}_{N^*} \oplus H_{k_h}(M_i) = \underbrace{(x^2_l \oplus \Delta)}_{x^2_*}$, hence $T^* = y^1_* \oplus y^2_*$.
Matching Attack
PolyHash: $\mathrm{Poly}_{k_h}(M) = k_h^{l+1} \oplus \bigoplus_{i=1}^{l} k_h^{i} \cdot M_i$
Construction: $T = P(0 \| (N \oplus k)) \oplus P(1 \| (N \oplus H_{k_h}(M)))$
- $A$ chooses a single block message $M = 0^n$.
- $A$ makes $2^{2n/3}$ signing queries $(N_i, M)$ with $N = \underbrace{0 \ldots 0}_{n/3-1} \,\|\, \underbrace{\star \ldots \star}_{n/3} \,\|\, \underbrace{\star \ldots \star}_{n/3}$.
- $A$ makes $2^{2n/3-1}$ primitive queries $x^1_j$ with $x^1 = 0 \,\|\, \underbrace{\star \ldots \star}_{n/3-1} \,\|\, \underbrace{\star \ldots \star}_{n/3} \,\|\, \underbrace{0 \ldots 0}_{n/3}$.
- $A$ makes $2^{2n/3-1}$ primitive queries $x^2_j$ with $x^2 = 1 \,\|\, \underbrace{\star \ldots \star}_{n/3-1} \,\|\, \underbrace{0 \ldots 0}_{n/3} \,\|\, \underbrace{\star \ldots \star}_{n/3}$.
- Find a triplet $(i, j, l)$ such that $T_i = y^1_j \oplus y^2_l$.
- $A$ makes additional primitive queries $x^1_\star = x^1_j \oplus 0 1^{n-1}$ and $x^2_\star = x^2_l \oplus 0 1^{n-1}$.
- Forge with $(N_i \oplus 1^{n-1}, M, y^1_\star \oplus y^2_\star)$.
Glimpse of the Security Proof
$T = P(0 \| (N \oplus k)) \oplus P(1 \| (N \oplus H_{k_h}(M)))$
- 1. $P(0 \| (N_i \oplus k)) \oplus P(1 \| (N_i \oplus H_{k_h}(M_i))) = T_i$ for all $i$
- 2. Want to estimate the probability of $P(0 \| (N_i \oplus k)) \oplus P(1 \| (N_i \oplus H_{k_h}(M_i))) = T_i$
Glimpse of the Security Proof
1. nEHtMp is secure roughly up to $2^{2n/3}$ authentication queries, verification queries and primitive queries in the faulty nonce model.
2. The security proof is based on the Expectation Method by Hoang and Tessaro.
3. Find the number of solutions to
   $P(0 \| (N_i \oplus k)) \oplus P(1 \| (N_i \oplus H_{k_h}(M_i))) = T_i$ and
   $P(0 \| (N'_j \oplus k)) \oplus P(1 \| (N'_j \oplus H_{k_h}(M'_j))) = T'_j$
   given $P(x_j) = y_j$.
4. Extended Mirror Theory: find the number of injective solutions to the pair of systems of linear equations and non-equations (Dutta et al., EC 19).
5. Multicollision: give a bound on the number of multicollisions of the value $N_i \oplus H_{k_h}(M_i)$ (Dutta et al., EC 19).
Glimpse of the Security Proof
MAC Eqn. $\{P(0 \| (N_i \oplus k)) \oplus P(1 \| (N_i \oplus H_{k_h}(M_i))) = T_i\}_{i \in [q]}$
Ver Eqn. $\{P(0 \| (N'_i \oplus k)) \oplus P(1 \| (N'_i \oplus H_{k_h}(M'_i))) = T'_i\}_{i \in [v]}$
Primitive Query. $\{P(x_j) = y_j\}_{j \in [p]}$
Main Idea of Bad Events: we want both $P(0 \| (N_i \oplus k))$ and $P(1 \| (N_i \oplus H_{k_h}(M_i)))$ to be fresh, so that we can apply mirror theory. As a result, we do not allow the following types of collisions:
- Collision between a construction query input and a primitive query input
- Collision between a construction query output and the sum of primitive query outputs
- Collision between two construction queries
To Conclude
- Proposed a Beyond Birthday Bound Secure Nonce Based MAC out of Public Permutations.
- It is secure up to $2^{2n/3}$ signing, verification and primitive queries.
- Unlike nEHtM, the security bound of nEHtMp is tight.