beyond birthday bound secure macs
play

Beyond-Birthday-Bound Secure MACs Yannick Seurin ANSSI, France - PowerPoint PPT Presentation

Mar 28, 2023 •249 likes •1.21k views

Generalities Stateless Deterministic MACs Nonce-Based MACs Beyond-Birthday-Bound Secure MACs Yannick Seurin ANSSI, France January 2018, Dagstuhl Seminar Y. Seurin BBB Secure MACs January 2018 1 / 44 Generalities Stateless Deterministic

  1. Generalities Stateless Deterministic MACs Nonce-Based MACs Beyond-Birthday-Bound Secure MACs Yannick Seurin ANSSI, France January 2018, Dagstuhl Seminar Y. Seurin BBB Secure MACs January 2018 1 / 44

  2. Generalities Stateless Deterministic MACs Nonce-Based MACs Introduction • we survey recent results on MAC constructions which are • based on a block cipher (BC) or a tweakable block cipher (TBC) • secure beyond the birthday bound (BBB-secure) • most (T)BC-based MACs are secure only up to the birthday-bound w.r.t. to the block size n : they become insecure when ∼ 2 n / 2 (blocks of) messages have been treated • BBB-security is important for lightweight crypto (small blocks, inconvenient re-keying,. . . ) • we highlight some open problems along the way Y. Seurin BBB Secure MACs January 2018 2 / 44

  3. Generalities Stateless Deterministic MACs Nonce-Based MACs Introduction • we survey recent results on MAC constructions which are • based on a block cipher (BC) or a tweakable block cipher (TBC) • secure beyond the birthday bound (BBB-secure) • most (T)BC-based MACs are secure only up to the birthday-bound w.r.t. to the block size n : they become insecure when ∼ 2 n / 2 (blocks of) messages have been treated • BBB-security is important for lightweight crypto (small blocks, inconvenient re-keying,. . . ) • we highlight some open problems along the way Y. Seurin BBB Secure MACs January 2018 2 / 44

  4. Generalities Stateless Deterministic MACs Nonce-Based MACs Introduction • we survey recent results on MAC constructions which are • based on a block cipher (BC) or a tweakable block cipher (TBC) • secure beyond the birthday bound (BBB-secure) • most (T)BC-based MACs are secure only up to the birthday-bound w.r.t. to the block size n : they become insecure when ∼ 2 n / 2 (blocks of) messages have been treated • BBB-security is important for lightweight crypto (small blocks, inconvenient re-keying,. . . ) • we highlight some open problems along the way Y. Seurin BBB Secure MACs January 2018 2 / 44

  5. Generalities Stateless Deterministic MACs Nonce-Based MACs Introduction • we survey recent results on MAC constructions which are • based on a block cipher (BC) or a tweakable block cipher (TBC) • secure beyond the birthday bound (BBB-secure) • most (T)BC-based MACs are secure only up to the birthday-bound w.r.t. to the block size n : they become insecure when ∼ 2 n / 2 (blocks of) messages have been treated • BBB-security is important for lightweight crypto (small blocks, inconvenient re-keying,. . . ) • we highlight some open problems along the way Y. Seurin BBB Secure MACs January 2018 2 / 44

  6. Generalities Stateless Deterministic MACs Nonce-Based MACs Introduction • we survey recent results on MAC constructions which are • based on a block cipher (BC) or a tweakable block cipher (TBC) • secure beyond the birthday bound (BBB-secure) • most (T)BC-based MACs are secure only up to the birthday-bound w.r.t. to the block size n : they become insecure when ∼ 2 n / 2 (blocks of) messages have been treated • BBB-security is important for lightweight crypto (small blocks, inconvenient re-keying,. . . ) • we highlight some open problems along the way Y. Seurin BBB Secure MACs January 2018 2 / 44

  7. Generalities Stateless Deterministic MACs Nonce-Based MACs Introduction • we survey recent results on MAC constructions which are • based on a block cipher (BC) or a tweakable block cipher (TBC) • secure beyond the birthday bound (BBB-secure) • most (T)BC-based MACs are secure only up to the birthday-bound w.r.t. to the block size n : they become insecure when ∼ 2 n / 2 (blocks of) messages have been treated • BBB-security is important for lightweight crypto (small blocks, inconvenient re-keying,. . . ) • we highlight some open problems along the way Y. Seurin BBB Secure MACs January 2018 2 / 44

  8. Generalities Stateless Deterministic MACs Nonce-Based MACs Outline Generalities Stateless Deterministic MACs The UHF-then-PRF Paradigm Constructing BBB-Secure Output Functions from (T)BCs Constructing BBB-Secure UHFs from (T)BCs Nonce-Based MACs State of Art Open Problems Y. Seurin BBB Secure MACs January 2018 3 / 44

  9. Generalities Stateless Deterministic MACs Nonce-Based MACs Outline Generalities Stateless Deterministic MACs The UHF-then-PRF Paradigm Constructing BBB-Secure Output Functions from (T)BCs Constructing BBB-Secure UHFs from (T)BCs Nonce-Based MACs State of Art Open Problems Y. Seurin BBB Secure MACs January 2018 4 / 44

  10. Generalities Stateless Deterministic MACs Nonce-Based MACs MAC Definition MAC K ( N ′ , M ′ ) = T ′ ? T = MAC K ( N , M ) Security Definition The adversary is allowed • q MAC queries T = MAC K ( N , M ) • v verification queries (forgery attempts) ( N ′ , M ′ , T ′ ) and is successful if one of the verification queries ( N ′ , M ′ , T ′ ) passes and no previous MAC query ( N ′ , M ′ ) returned T ′ . Y. Seurin BBB Secure MACs January 2018 5 / 44

  11. Generalities Stateless Deterministic MACs Nonce-Based MACs MAC Definition ( N , M ) T MAC K ( N ′ , M ′ ) = T ′ ? T = MAC K ( N , M ) Security Definition The adversary is allowed • q MAC queries T = MAC K ( N , M ) • v verification queries (forgery attempts) ( N ′ , M ′ , T ′ ) and is successful if one of the verification queries ( N ′ , M ′ , T ′ ) passes and no previous MAC query ( N ′ , M ′ ) returned T ′ . Y. Seurin BBB Secure MACs January 2018 5 / 44

  12. Generalities Stateless Deterministic MACs Nonce-Based MACs MAC Definition ( N , M ) ( N ′ , M ′ , T ′ ) 0 / 1 T MAC K ( N ′ , M ′ ) = T ′ ? T = MAC K ( N , M ) Security Definition The adversary is allowed • q MAC queries T = MAC K ( N , M ) • v verification queries (forgery attempts) ( N ′ , M ′ , T ′ ) and is successful if one of the verification queries ( N ′ , M ′ , T ′ ) passes and no previous MAC query ( N ′ , M ′ ) returned T ′ . Y. Seurin BBB Secure MACs January 2018 5 / 44

  13. Generalities Stateless Deterministic MACs Nonce-Based MACs Three types of MAC • stateless and deterministic: MAC function only takes the key and the message as input (Variable-input-length PRF ⇒ stateless deterministic MAC) • nonce-based: • MAC function takes as input a non-repeating nonce N in addition to the key and the message M • sec. model: the nonce is chosen by the adversary • the adversary is said nonce-respecting if it does not repeat nonces in MAC queries and nonce-misusing otherwise • randomized: MAC function takes as input random coins R (generated by the sender) in addition to the key and the message Y. Seurin BBB Secure MACs January 2018 6 / 44

  14. Generalities Stateless Deterministic MACs Nonce-Based MACs Three types of MAC • stateless and deterministic: MAC function only takes the key and the message as input (Variable-input-length PRF ⇒ stateless deterministic MAC) • nonce-based: • MAC function takes as input a non-repeating nonce N in addition to the key and the message M • sec. model: the nonce is chosen by the adversary • the adversary is said nonce-respecting if it does not repeat nonces in MAC queries and nonce-misusing otherwise • randomized: MAC function takes as input random coins R (generated by the sender) in addition to the key and the message Y. Seurin BBB Secure MACs January 2018 6 / 44

  15. Generalities Stateless Deterministic MACs Nonce-Based MACs Three types of MAC • stateless and deterministic: MAC function only takes the key and the message as input (Variable-input-length PRF ⇒ stateless deterministic MAC) • nonce-based: • MAC function takes as input a non-repeating nonce N in addition to the key and the message M • sec. model: the nonce is chosen by the adversary • the adversary is said nonce-respecting if it does not repeat nonces in MAC queries and nonce-misusing otherwise • randomized: MAC function takes as input random coins R (generated by the sender) in addition to the key and the message Y. Seurin BBB Secure MACs January 2018 6 / 44

  16. Generalities Stateless Deterministic MACs Nonce-Based MACs Graceful Nonce-Misuse Security Degradation • the security of some nonce-based MACs collapses if a single nonce is repeated (e.g. GMAC) • ideally, security should degrade gracefully in case nonces are repeated • any BBB-secure nonce-based MAC with graceful security degradation can be turned into a BBB-secure randomized MAC by choosing n -bit nonces uniformly at random: q µ + 1 Adv rand-MAC + Adv nonce-MAC ( q , v ) ≤ ( q , v , µ ) F F 2 µ ( n + 1 ) � �� � µ -multicoll. proba. where µ is the maximal number of nonce repetitions. Y. Seurin BBB Secure MACs January 2018 7 / 44

  17. Generalities Stateless Deterministic MACs Nonce-Based MACs Graceful Nonce-Misuse Security Degradation • the security of some nonce-based MACs collapses if a single nonce is repeated (e.g. GMAC) • ideally, security should degrade gracefully in case nonces are repeated • any BBB-secure nonce-based MAC with graceful security degradation can be turned into a BBB-secure randomized MAC by choosing n -bit nonces uniformly at random: q µ + 1 Adv rand-MAC + Adv nonce-MAC ( q , v ) ≤ ( q , v , µ ) F F 2 µ ( n + 1 ) � �� � µ -multicoll. proba. where µ is the maximal number of nonce repetitions. Y. Seurin BBB Secure MACs January 2018 7 / 44

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand Sibleyras 1 1 Inria quipe SECRET, Paris, France 2 Indian

1.05k views • 67 slides
Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC Conclusion Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand Sibleyras 1 1 Inria quipe SECRET, Paris, France 2 Indian

771 views • 59 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input "tweak - Tweaks are publicly used

519 views • 30 slides
POEx: A Beyond-Birthday-Bound-Secure On-Line Cipher ArcticCrypt 2016 Christian Forler 1 Eik List

POEx: A Beyond-Birthday-Bound-Secure On-Line Cipher ArcticCrypt 2016 Christian Forler 1 Eik List

POEx: A Beyond-Birthday-Bound-Secure On-Line Cipher ArcticCrypt 2016 Christian Forler 1 Eik List 2 Stefan Lucks 2 Jakob Wenzel 2 1 Hochschule Schmalkalden, 2 Bauhaus-Universitt Weimar eik.list (at) uni-weimar.de 18 July 2016 18 July 2016

561 views • 53 slides
EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benot Cogliati 1 Yannick

EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benot Cogliati 1 Yannick

Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benot Cogliati 1 Yannick Seurin 2 1 University of Versailles, France 2 ANSSI, France

980 views • 70 slides
Limited-Birthday Distinguishers for Hash Functions Collisions Beyond the Birthday Bound can be

Limited-Birthday Distinguishers for Hash Functions Collisions Beyond the Birthday Bound can be

Limited-Birthday Distinguishers for Hash Functions Collisions Beyond the Birthday Bound can be Meaningful Mitsugu Iwamoto 1 , Thomas Peyrin 2 and Yu Sasaki 3 1: The University of Electro-Communications, Japan 2:Nanyang Technological University,

877 views • 20 slides
Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline

Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline Tweakable block ciphers Our contribution Proof overview Conclusion 2 Tweakable Block Ciphers (TBCs)

362 views • 35 slides
Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata Nagoya University iwata@cse.nagoya-u.ac.jp ESC, Echternach Symmetric Crypto seminar January 11, 2008 Blockcipher plaintext M

576 views • 40 slides
Short Variable Length Domain Extenders With Beyond Birthday Bound Security Yu Long Chen 1 Bart

Short Variable Length Domain Extenders With Beyond Birthday Bound Security Yu Long Chen 1 Bart

Short Variable Length Domain Extenders With Beyond Birthday Bound Security Yu Long Chen 1 Bart Mennink 2 Mridul Nandi 3 imec-COSIC, KU Leuven Digital Security Group, Radboud University, Nijmegen Indian Statistical Institute, Kolkata December 3,

854 views • 47 slides
Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata Nagoya University iwata@cse.nagoya-u.ac.jp Africacrypt 2008, Casablanca, Morocco June 11, 2008 Blockcipher plaintext M key K E

720 views • 37 slides
Tweakable blockciphers with beyond-birthday-bound security Will Landecker, Thomas Shrimpton, and

Tweakable blockciphers with beyond-birthday-bound security Will Landecker, Thomas Shrimpton, and

Tweakable blockciphers with beyond-birthday-bound security Will Landecker, Thomas Shrimpton, and Seth Terashima Portland State University 1 Tweakable blockciphers (TBCs) Tweak T Input block X ( bits) ( n bits) Add an extra input, a

732 views • 21 slides
New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata

New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata

New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata Ibaraki University March 17, 2006 Fast Software Encryption, FSE 2006, Graz, Austria, March 1517, 2006 Blockcipher Modes Algorithms

1.42k views • 30 slides
Outline Hash functions and MACs, contd Building a secure channel CSci 5271 Announcements

Outline Hash functions and MACs, contd Building a secure channel CSci 5271 Announcements

Outline Hash functions and MACs, contd Building a secure channel CSci 5271 Announcements intermission Introduction to Computer Security Crypto combined slides Public-key crypto basics Public key encryption and signatures Stephen McCamant

588 views • 9 slides
Objectives Security Notions of MACs NMACs and HMACs CBC-MACs Low Power Ajit Pal

Objectives Security Notions of MACs NMACs and HMACs CBC-MACs Low Power Ajit Pal

Message Authentication Codes (MACs) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Security Notions of MACs NMACs and HMACs

158 views • 12 slides
TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication

TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication

TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication Confidentiality by applying block & stream ciphers - Integrity with MACs - Authenticity with certificates - Predecessor: SSL (secure

557 views • 13 slides
New Constructions of MACs from (Tweakable) Block Ciphers Benot Cogliati 1 Jooyoung Lee 2 Yannick

New Constructions of MACs from (Tweakable) Block Ciphers Benot Cogliati 1 Jooyoung Lee 2 Yannick

Generalities Stateless Deterministic MACs Nonce-Based MACs Conclusion New Constructions of MACs from (Tweakable) Block Ciphers Benot Cogliati 1 Jooyoung Lee 2 Yannick Seurin 3 1 UL, Luxembourg 2 KAIST, Korea 3 ANSSI, France March 6, 2018

837 views • 55 slides
Imperative Programming by Stepwise Refinement in Coq Boubacar Demba Sall Emmanuel Chailloux

Imperative Programming by Stepwise Refinement in Coq Boubacar Demba Sall Emmanuel Chailloux

Imperative Programming by Stepwise Refinement in Coq Boubacar Demba Sall Emmanuel Chailloux (Doctoral Advisor) Fr ed eric Peschanski (Doctoral Advisor) Sorbonne University, LIP6 UMR 7606 4 place Jussieu 75005 Paris, France. Journ ee

534 views • 16 slides
National Foster Care Month 2020 Collaborating with Courts to Promote Foster Care as a Support to

National Foster Care Month 2020 Collaborating with Courts to Promote Foster Care as a Support to

National Foster Care Month 2020 Collaborating with Courts to Promote Foster Care as a Support to Collaborating w it h e Co urt S s t u o P bsti r o te mo te ar Fa mi li s, Not a tu for P ents Foster Care as a Support to Families,

170 views • 14 slides
Does De-identification Work ? Khaled El Emam, CHEO RI & uOttawa Key Points Progress

Does De-identification Work ? Khaled El Emam, CHEO RI & uOttawa Key Points Progress

Does De-identification Work ? Khaled El Emam, CHEO RI & uOttawa Key Points Progress The evidence that it is easy to re-identify health data Th id th t it i t id tif h lth d t Intro Reid or that current de-identification

292 views • 17 slides
INDUSTRY 4.0 AND ITS FUTURE STAFF. Matching millennials perceptions of a perfect job with the

INDUSTRY 4.0 AND ITS FUTURE STAFF. Matching millennials perceptions of a perfect job with the

INDUSTRY 4.0 AND ITS FUTURE STAFF. Matching millennials perceptions of a perfect job with the requirements of digitalization. Andr Calero Valdez Anne Kathrin Schaar, Tatjana Hamann, Martina Ziefle Human-Computer Interaction Center, RWTH

405 views • 16 slides
Code-based Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017 TU

Code-based Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017 TU

Code-based Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017 TU Eindhoven Nicolas Sendrier Linear Codes for Telecommunication linear expansion data codeword k n > k noisy channel noisy codeword

916 views • 74 slides
Search for Gravitational Wave Transients Florent Robinet On behalf of the LSC and Virgo

Search for Gravitational Wave Transients Florent Robinet On behalf of the LSC and Virgo

Search for Gravitational Wave Transients Florent Robinet On behalf of the LSC and Virgo Collaborations Rencontres de Moriond - March 2011 1 Gravitational Waves Gravitational Waves Gravitational waves = "ripples" in space-time

528 views • 33 slides
On the Exact Security of Message Authentication using Pseudorandom Functions Fast Software

On the Exact Security of Message Authentication using Pseudorandom Functions Fast Software

On the Exact Security of Message Authentication using Pseudorandom Functions Fast Software Encryption 17, Tokyo Ashwin Jha 1 , Avradip Mandal 2 , Mridul Nandi 1 1 Indian Statistical Institute, Kolkata, India 2 Fujitsu Laboratories of America,

751 views • 28 slides
Coin Branch and Cut A tutorial J ohn Forrest J uly 18 2006 Outline of Cbc tutorial

Coin Branch and Cut A tutorial J ohn Forrest J uly 18 2006 Outline of Cbc tutorial

Coin Branch and Cut A tutorial J ohn Forrest J uly 18 2006 Outline of Cbc tutorial Background Some concepts Stand- alone solver and AMPL interface Example C+ + code Less structured part: Q & A More examples Future -

892 views • 35 slides

More recommend