Generic Attacks against Beyond-Birthday-Bound MACs


  1. Generic Attacks against Beyond-Birthday-Bound MACs
     Gaëtan Leurent (1), Mridul Nandi (2), Ferdinand Sibleyras (1)
     (1) Inria, équipe SECRET, Paris, France
     (2) Indian Statistical Institute, Kolkata, India
     CRYPTO 2018
     Outline: Introduction, Birthday Bound Attack, Beyond Birthday Bound, SUM-ECBC, Conclusion
     1 / 25

  2. Introduction
     • Symmetric cryptography: Alice and Bob share the same key.
     • Active attacker: Eve might intercept and manipulate Alice’s messages...
     • Authentication: Alice computes and appends a keyed MAC or tag $T$.
     [Figure labels: "Plz come back! || T"; "Correct tag. Will read."]

  3. ECBC-MAC
     [Figure: blocks $m_1, m_2, \dots, m_{\ell-1}, m_\ell$ chained through $E_{k_1}$ starting from 0 to give $\Sigma(m)$, followed by $E_{k_2}$ to give $\mathrm{MAC}(m)$.]
     The plaintext $m$ is padded and split into $n$-bit blocks.
     $\mathrm{MAC}(m) = E_{k_2}\big(\Sigma(m)\big)$
     Alice sends $\mathrm{MAC}(m)$ along with $m$ to guarantee authenticity.

  5. Introduction
     • Verifying: Bob verifies the tag with the shared key and only reads the message if it is correct.
     • Forgery: Eve cannot modify the message without forging a new and correct tag.
     [Figure labels: "Plz come back! || T"; "Plz stay away! || T"; "Incorrect tag. Won’t read."]
     Direct attacks won’t work, but is it secure? Can Eve still mount an attack?

  11. A security game
     [Figure: tagging oracle, $m \mapsto \mathrm{MAC}(m)$; verification oracle, $m \,\|\, T \mapsto$ Valid/Invalid.]
     • $q_t$ = the number of tagging queries.
     • $q_v$ = the number of verification queries.
     Can Eve forge a valid tag for a message that Alice never saw?

  13. Case of ECBC
     [Figure: ECBC mode, blocks $m_1, m_2, \dots, m_\ell$ chained through $E_{k_1}$ to give $\Sigma(m)$, then $E_{k_2}$ gives $\mathrm{MAC}(m)$.]
     Properties of ECBC, for all messages $m$, $m'$, $c$:
     $\mathrm{MAC}(m) = \mathrm{MAC}(m')$
     $\Longrightarrow E_{k_2}\big(\Sigma(m)\big) = E_{k_2}\big(\Sigma(m')\big)$
     $\Longrightarrow \Sigma(m) = \Sigma(m')$
     $\Longrightarrow \Sigma(m \,\|\, c) = \Sigma(m' \,\|\, c)$
     $\Longrightarrow \mathrm{MAC}(m \,\|\, c) = \mathrm{MAC}(m' \,\|\, c)$
     Simple collision approach. Look for a pair of messages $X$, $Y$ that satisfies:
     $\Sigma(X) = \Sigma(Y) \iff \mathrm{MAC}(X) \oplus \mathrm{MAC}(Y) = 0$

  14. Birthday Bound Attack
     [Figure: Eve sends $m_1, m_2, m_3, m_4, m_5, m_6, \dots$ to Alice and receives $\mathrm{MAC}(m_1), \mathrm{MAC}(m_2), \mathrm{MAC}(m_3), \dots$]
     Looking for collisions. Eve looks for $\mathrm{MAC}(m_i) = \mathrm{MAC}(m_j)$ for some $i \neq j$.
     She has $\simeq q_t^2$ pairs for an $n$-bit relationship, so chances grow as:
     $\mathrm{Adv}(\mathcal{A}) \simeq \dfrac{q_t^2}{2^n}$

  16. Forgery from collisions
     Expansion property: $\mathrm{MAC}(m) = \mathrm{MAC}(m') \Longrightarrow \mathrm{MAC}(m \,\|\, c) = \mathrm{MAC}(m' \,\|\, c) \quad \forall c$
     Collision found: MAC(You must) = MAC(No, don’t)
     [Figure labels: "Can you come back? || T0"; "Correct tag. Will read."]

  17. Forgery from collisions
     Expansion property: $\mathrm{MAC}(m) = \mathrm{MAC}(m') \Longrightarrow \mathrm{MAC}(m \,\|\, c) = \mathrm{MAC}(m' \,\|\, c) \quad \forall c$
     Collision found: MAC(You must) = MAC(No, don’t)
     [Figure labels: "Tell Bob he must come back!"; "Oh you are right!"]

  20. Forgery from collisions
     Expansion property: $\mathrm{MAC}(m) = \mathrm{MAC}(m') \Longrightarrow \mathrm{MAC}(m \,\|\, c) = \mathrm{MAC}(m' \,\|\, c) \quad \forall c$
     Collision found: MAC(You must) = MAC(No, don’t)
     [Figure labels: "You must come back! || T"; "No, don’t come back! || T"; "Correct tag. Will read."]
     Forgery requires $q_t \simeq 2^{n/2}$ and $q_v = 1$.
     Not secure beyond the birthday bound ($2^{n/2}$).
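The collision-then-extend forgery from slides 13 to 20, as an added example that is not part of the original slides. It assumes a toy 16-bit block cipher (a key-seeded random permutation), constructed keys `"k1"` and `"k2"`, and messages given directly as tuples of blocks with no padding; all function names are hypothetical.

```python
import random

N_BITS = 16                 # toy block size (assumption); real ciphers use 64 or 128 bits
SIZE = 1 << N_BITS

def make_cipher(key):
    """Toy block cipher E_k: a key-seeded random permutation of n-bit blocks."""
    table = list(range(SIZE))
    random.Random(key).shuffle(table)
    return table

def ecbc_mac(blocks, e1, e2):
    """MAC(m) = E_k2(Sigma(m)); Sigma(m) is the CBC chain under E_k1 from state 0."""
    state = 0
    for block in blocks:
        state = e1[state ^ block]
    return e2[state]

def birthday_forgery(tag_oracle, suffix, rng):
    """Query random two-block messages until two tags collide, then apply the
    expansion property: the tag of other||suffix is also valid for m||suffix."""
    seen = {}               # tag -> first message that produced it
    queries = 0
    while True:
        m = (rng.randrange(SIZE), rng.randrange(SIZE))
        tag = tag_oracle(m)
        queries += 1
        other = seen.setdefault(tag, m)
        if other != m:      # MAC(m) == MAC(other) for two distinct messages
            forged_tag = tag_oracle(other + suffix)
            return m + suffix, forged_tag, queries + 1

def demo(seed=2018):
    e1, e2 = make_cipher("k1"), make_cipher("k2")    # constructed keys
    oracle = lambda m: ecbc_mac(m, e1, e2)           # Alice's tagging oracle
    forged, tag, q_t = birthday_forgery(oracle, (0xBEEF,), random.Random(seed))
    return ecbc_mac(forged, e1, e2) == tag, q_t      # one verification query

if __name__ == "__main__":
    print(demo())
```

The forged message `m || suffix` is never sent to the tagging oracle, and the query count stays within a small multiple of $2^{n/2} = 256$, which is why the defence is a larger internal state rather than a stronger cipher.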

  22. Going beyond
     Problem: How to build a deterministic MAC scheme secure when $q_t > 2^{n/2}$?
     Not so easy: This birthday bound attack is generic to all deterministic iterated MAC constructions with an $n$-bit internal state [Preneel, van Oorschot, CRYPTO’95].
     Idea: Double the size of the internal state to $2n$ bits.
     Double-Block-Hash-Then-Sum Approach: XOR the two half-states at the end to recover an $n$-bit MAC.
     Important research effort exploring this idea including: SUM-ECBC, PMAC+, 3kf9, LightMAC+, GCM-SIV2, 1kPMAC+

  23. Example: SUM-ECBC [Yasuda, CT-RSA’10]
     [Figure: two parallel CBC chains over the blocks $m_1, m_2, \dots, m_{\ell-1}, m_\ell$. The first uses $E_{k_1}$ and gives $\Sigma(m)$, finalised by $E_{k_2}$; the second uses $E_{k_3}$ and gives $\Theta(m)$, finalised by $E_{k_4}$; the two outputs are XORed into $\mathrm{MAC}(m)$.]
     $\mathrm{MAC}(m) = E_{k_2}\big(\Sigma(m)\big) \oplus E_{k_4}\big(\Theta(m)\big)$

  25. This paper
     Problem: Many of those schemes are proven secure when $q_t < 2^{2n/3}$. What happens when $q_t \geq 2^{2n/3}$? Actual attacks or proof artefact?
     Results: A generic approach leading to an attack on all cited schemes using $q_v = 1$ and $q_t \simeq 2^{3n/4}$.

  26. 4-way collision for double-hash-then-sum schemes
     Look for a quadruple of messages $X$, $Y$, $Z$, $T$ that satisfies:
     $R(X, Y, Z, T) := \begin{cases} \Sigma(X) = \Sigma(Y) \\ \Theta(Y) = \Theta(Z) \\ \Sigma(Z) = \Sigma(T) \\ \Theta(T) = \Theta(X) \end{cases}$
     $R(X, Y, Z, T) \Longrightarrow \mathrm{MAC}(X) \oplus \mathrm{MAC}(Y) \oplus \mathrm{MAC}(Z) \oplus \mathrm{MAC}(T) = 0$
     [Figure: the four tags arranged in a cycle, with equal terms linked.]
     $\mathrm{MAC}(X) = E(\Sigma(X)) \oplus E'(\Theta(X))$
     $\mathrm{MAC}(Y) = E(\Sigma(Y)) \oplus E'(\Theta(Y))$
     $\mathrm{MAC}(Z) = E(\Sigma(Z)) \oplus E'(\Theta(Z))$
     $\mathrm{MAC}(T) = E(\Sigma(T)) \oplus E'(\Theta(T))$

  27. 4-way collision for double-hash-then-sum schemes
     With carefully crafted sets of messages for $X$, $Y$, $Z$, $T$:
     $\begin{cases} \Sigma(X) = \Sigma(Y) \\ \Theta(Y) = \Theta(Z) \\ \Sigma(Z) = \Sigma(T) \end{cases} \Longrightarrow \Theta(T) = \Theta(X).$
     Thus $R(X, Y, Z, T) \iff \begin{cases} \Sigma(X) = \Sigma(Y) \\ \Theta(Y) = \Theta(Z) \\ \Sigma(Z) = \Sigma(T) \end{cases}$, a $3n$-bit condition.
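A check of the implication $R(X,Y,Z,T) \Rightarrow \mathrm{MAC}(X) \oplus \mathrm{MAC}(Y) \oplus \mathrm{MAC}(Z) \oplus \mathrm{MAC}(T) = 0$ for SUM-ECBC, as an added example that is not part of the original slides. It assumes a toy 8-bit block cipher and constructed keys, and it finds the quadruple with the keys known, so it verifies the algebra only and is not the query-only attack the slides announce; all names are hypothetical.

```python
import random
from collections import defaultdict

N_BITS = 8                  # toy block size (assumption) so the search is instant
SIZE = 1 << N_BITS

def perm(key):
    """Toy block cipher: a key-seeded random permutation of n-bit blocks."""
    table = list(range(SIZE))
    random.Random(key).shuffle(table)
    return table

E1, E2, E3, E4 = (perm(k) for k in ("k1", "k2", "k3", "k4"))   # constructed keys

def chain(blocks, e):
    """CBC chain from state 0 under the permutation e."""
    state = 0
    for block in blocks:
        state = e[state ^ block]
    return state

def sigma(m): return chain(m, E1)
def theta(m): return chain(m, E3)
def mac(m):   return E2[sigma(m)] ^ E4[theta(m)]               # SUM-ECBC tag

def find_quadruple(messages):
    """Return four distinct messages (X, Y, Z, T) satisfying R, or None."""
    by_sigma, by_theta, by_both = defaultdict(list), defaultdict(list), {}
    for m in messages:
        by_sigma[sigma(m)].append(m)
        by_theta[theta(m)].append(m)
        by_both[(sigma(m), theta(m))] = m
    for x in messages:
        for y in by_sigma[sigma(x)]:                 # Sigma(X) = Sigma(Y)
            for z in by_theta[theta(y)]:             # Theta(Y) = Theta(Z)
                # T must close the cycle: Sigma(T) = Sigma(Z), Theta(T) = Theta(X)
                t = by_both.get((sigma(z), theta(x)))
                if t is not None and len({x, y, z, t}) == 4:
                    return x, y, z, t
    return None

def demo():
    msgs = [(a, b) for a in range(16) for b in range(SIZE)]    # 4096 two-block messages
    x, y, z, t = find_quadruple(msgs)
    return mac(x) ^ mac(y) ^ mac(z) ^ mac(t)

if __name__ == "__main__":
    print(demo())
```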
