Message Authentication Codes (MACs) Tung Chou Technische - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Message Authentication Codes (MACs)

Tung Chou

Technische Universiteit Eindhoven, The Netherlands

October 8, 2015

1 / 22

slide-6
SLIDE 6

About Me

Tung Chou (Tony)

  • Ph.D. student of Daniel J. Bernstein & Tanja Lange
  • Research topics: Post-quantum crypto, ECC, MAC design.
  • Email: t.chou@tue.nl

2 / 22

slide-11
SLIDE 11

Outline

  • Introduction
  • HMAC
  • Universal-hash based MACs
    • Poly1305
    • security issues
    • software implementation issues
  • Diffie–Hellman key exchange

3 / 22

slide-13
SLIDE 13

What are MACs?

  • On Wikipedia:

“a message authentication code (often MAC) is a short piece of information used to authenticate a message and to provide integrity and authenticity assurances on the message. Integrity assurances detect accidental and intentional message changes, while authenticity assurances affirm the message’s origin”

4 / 22

slide-22
SLIDE 22

Digital Signatures

  • Construction:

message (m) → hash → h → TP (trapdoor permutation, applied with sk) → signature (s); the verifier applies pk

  • Usage:
    • S computes h = hash(m) and s = SIGN_sk(h).
    • S sends (m, s).
    • V gets (m′, s′).
    • V computes hash(m′) and checks hash(m′) = VERIFY_pk(s′).
  • Security:
    • attacker should not be able to forge a valid (m, s) pair
    • attacker might have collected many (m, s) pairs

5 / 22

slide-31
SLIDE 31

Message Authentication Codes

  • “Keyed hash function”:

message (m) + shared secret key (r) → MAC algorithm → tag/authenticator (t)

  • Usage:
    • S computes t = MAC_r(m) and sends (m, t).
    • R gets (m′, t′).
    • R computes MAC_r(m′) and checks MAC_r(m′) = t′.
  • Security:
    • attacker should not be able to forge a valid (m, t) pair
    • attacker might have collected many (m, t) pairs

6 / 22

slide-35
SLIDE 35

MACs vs Signatures

                    MACs          Signatures
  Integrity         yes           yes
  Authenticity      yes           yes
  Non-repudiation   no            yes
  Key               secret-key    public-key

“Non-repudiation is about Alice showing to Bob a proof that some data really comes from Alice, such that not only Bob is convinced, but Bob also gets the assurance that he could show the same proof to Charlie, and Charlie would be convinced, too”

(A MAC cannot give this: the receiver holds the same key r and could have produced the tag himself.)

secret-key crypto is “fast”

7 / 22

slide-40
SLIDE 40

HMAC

  • Build MAC from hash functions
  • A naive construction:

t = H(r || m)

  • Merkle–Damgård construction based hashes (e.g., MD5, SHA1):

IV → f(·, m1) → f(·, m2) → · · · → f(·, mℓ) → h

  • Length extension attack: h′ = f(h, mℓ+1). The tag t = H(r || m) is the chaining state after the last block, so anyone can continue hashing and obtain a valid tag for r || m || pad || mℓ+1 without knowing r.

8 / 22

slide-47
SLIDE 47

HMAC (cont.)

  • Another construction:

t = H(m || r)

  • HMAC:

t = H((r ⊕ po) || H((r ⊕ pi) || m))

(pi, po: fixed inner and outer padding constants, the key block XORed with repeated 0x36 and 0x5c)

  • HMAC-SHA1
    • widely used in Internet applications
    • 5.18 Sandy Bridge cycles/byte

Reality: the most commonly used scheme might not be the best

9 / 22
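The length-extension attack on the naive t = H(r || m) and the HMAC formula from the slides above, worked through as an added example (this is not code from the slides or from any HMAC implementation): a from-scratch SHA-1 whose Merkle–Damgård chaining state can be resumed, a forgery against the naive construction that needs only the tag, the message and the key length, and HMAC-SHA1 assembled from the slide's formula and checked against Python's hmac module. The key, the messages and the appended extension are constructed sample data.

```python
import hashlib
import hmac
import struct

# Added example: SHA-1 written out as a chain of compression steps f(h, m_i) so that the
# intermediate state is visible, the length-extension forgery against t = H(r || m),
# and HMAC built from t = H((r XOR po) || H((r XOR pi) || m)).

_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def sha1_compress(state, block):
    """One Merkle–Damgård step f(h, m_i): absorb one 64-byte block into the 5-word state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & _MASK, a, _rotl(b, 30), c, d
    return tuple((s + v) & _MASK for s, v in zip(state, (a, b, c, d, e)))


def md_pad(total_len):
    """SHA-1 padding for a message of total_len bytes: 0x80, zeros, 64-bit big-endian bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha1(data, state=_IV, already_absorbed=0):
    """SHA-1 of data; optionally resumes from a known chaining state after
    already_absorbed bytes (a multiple of 64) have been processed."""
    data += md_pad(already_absorbed + len(data))
    for off in range(0, len(data), 64):
        state = sha1_compress(state, data[off:off + 64])
    return b"".join(struct.pack(">I", s) for s in state)


def naive_mac(key, msg):
    """The slide's naive construction t = H(r || m)."""
    return hashlib.sha1(key + msg).digest()


def length_extend(tag, key_len, msg, extension):
    """Attacker side: from t = H(r || m), len(r) and m alone, produce a valid tag for
    m || pad || extension. The tag is the chaining state after r || m || pad, so the
    attacker simply keeps hashing: h' = f(h, m_{l+1})."""
    glue = md_pad(key_len + len(msg))
    forged_msg = msg + glue + extension
    state = struct.unpack(">5I", tag)
    forged_tag = sha1(extension, state, key_len + len(msg) + len(glue))
    return forged_msg, forged_tag


def hmac_sha1(key, msg):
    """HMAC from the slide: t = H((r XOR po) || H((r XOR pi) || m)), pi = 0x36.., po = 0x5c.."""
    if len(key) > 64:
        key = hashlib.sha1(key).digest()
    key = key.ljust(64, b"\x00")
    inner = bytes(k ^ 0x36 for k in key)
    outer = bytes(k ^ 0x5C for k in key)
    return hashlib.sha1(outer + hashlib.sha1(inner + msg).digest()).digest()


def hmac_matches_stdlib(key, msg):
    """Cross-check the hand-built HMAC against the standard library."""
    return hmac.compare_digest(hmac_sha1(key, msg), hmac.new(key, msg, hashlib.sha1).digest())


def demo():
    """Forge against naive_mac without the key; the same forged pair fails under HMAC,
    whose outer hash hides the inner chaining state."""
    key = b"s3cret-key"                     # constructed sample key; only its length is needed
    msg = b"amount=100&to=alice"            # constructed sample message
    forged_msg, forged_tag = length_extend(naive_mac(key, msg), len(key), msg, b"&to=mallory")
    naive_accepts = naive_mac(key, forged_msg) == forged_tag
    hmac_accepts = hmac_sha1(key, forged_msg) == forged_tag
    return naive_accepts, hmac_accepts


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The forged message carries the glue padding bytes in the middle; in protocols whose parsers ignore or tolerate such bytes (query strings, many binary formats) that is enough for the forgery to be accepted.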

slide-48
SLIDE 48

SHA3

The “Sponge” construction:

http://en.wikipedia.org/wiki/SHA-3

10 / 22

slide-58
SLIDE 58

The Wegman–Carter construction

  • Why?
    • provides information theoretic security
    • usually involves field/ring arithmetic
    • better performance than HMAC
  • Construction
    • “universal” hash function + one-time pad:

t_n = h_r(m_n) ⊕ s_n

    • universal hash: low differential probability
    • one-time pad hides all information about the key

11 / 22

slide-65
SLIDE 65

Poly1305

  • Construction:

t = (((m1 r^ℓ + m2 r^(ℓ−1) + · · · + mℓ r) mod (2^130 − 5)) + s) mod 2^128

  • 2^130 − 5 is a prime
  • r, s are shared secret 128-bit values
  • m_i (i < ℓ) is the ith 128-bit block of m padded by 1.
  • mℓ is the “remainder” of m padded by 1.
  • Without proper padding?
    • m = ’FF’, m′ = ’FF’,’00’
    • zero-pad the message to obtain a 128-bit block:

m1 = m′1 = ’FF’, ’00’, ..., ’00’

    • so m and m′ get the same tag
  • Speed: 1.22 Sandy Bridge cycles/byte

12 / 22

slide-69
SLIDE 69

Poly1305: avoiding security issue

  • What is wrong with “real” polynomial evaluation?

t = m1 r^(ℓ−1) + m2 r^(ℓ−2) + · · · + mℓ + s

  • The attacker forges a valid message–tag pair easily: the last block is not multiplied by r, so adding ∆ to mℓ adds ∆ to the tag,

t + ∆ = m1 r^(ℓ−1) + m2 r^(ℓ−2) + · · · + (mℓ + ∆) + s

  • This does not provide low differential probability

13 / 22

slide-75
SLIDE 75

Poly1305: avoiding security issue

  • What is wrong with using the same pad twice?

t = m1 r^ℓ + m2 r^(ℓ−1) + · · · + mℓ r + s
t′ = m′1 r^ℓ + m′2 r^(ℓ−1) + · · · + m′ℓ r + s

  • The attacker gets information about r by finding roots of

t − t′ = (m1 − m′1) r^ℓ + (m2 − m′2) r^(ℓ−1) + · · · + (mℓ − m′ℓ) r

  • “nonce-misuse” issue
  • In practice s is usually replaced by stream cipher output, e.g., AES_k(n) for m_n
  • HMAC does not use a nonce

14 / 22

slide-80
SLIDE 80

Poly1305: polynomial evaluation

Consider m1 r^8 + m2 r^7 + · · · + m8 r

  • Horner’s rule:

(((((((m1 · r + m2) · r + m3) · r + m4) · r + m5) · r + m6) · r + m7) · r + m8) · r

  • n multiplications (and n − 1 additions)
  • The issue of being “on-line”

15 / 22

slide-87
SLIDE 87

GMAC

  • The NIST-standard authenticated encryption scheme GCM
    • Galois Counter Mode
    • Special hardware support for AES-GCM in high-end CPUs
  • Polynomial evaluation MAC:

t = (m1 r^ℓ + m2 r^(ℓ−1) + · · · + mℓ r) + s

  • Based on arithmetic in

F_{2^128} = F_2[x]/(x^128 + x^7 + x^2 + x + 1)

  • Binary fields: better in hardware

16 / 22

slide-88
SLIDE 88

GCM

http://en.wikipedia.org/wiki/Galois/Counter_Mode

17 / 22

slide-89
SLIDE 89

GMAC: speeds

reference                 platform        PCLMULQDQ   cycles per byte
Käsper–Schwabe 2009       Core 2          no          14.40
                          Sandy Bridge    no          13.10
Krovetz–Rogaway 2011      Westmere        yes         2.00
Gueron 2013               Sandy Bridge    yes         1.79
                          Haswell         yes         0.40

18 / 22

slide-98
SLIDE 98

Auth256∗

  • Construction
    • a pseudo-dot-product MAC:

t = (m1 + r1)(m2 + r2) + (m3 + r3)(m4 + r4) + · · · + s

    • base field F_{2^256} = F_{2^8}[x]/(φ). Tower field construction for F_{2^8}.
  • Compared to GMAC
    • higher security level
    • 0.5 multiplications per block instead of 1 (one product per pair of blocks)
    • larger key size
    • very different field construction for low bit operation count

19 / 22

slide-100
SLIDE 100

Wegman–Carter construction: security

  • “δ-xor-universal hash”: For all distinct (m, m′) and all ∆, we have

Pr_r[ Hash_r(m) = Hash_r(m′) ⊕ ∆ ] ≤ δ

  • The one-time pad hides all information about the key r.
  • The best strategy for the attacker is to guess.

20 / 22

slide-103
SLIDE 103

Auth256: Security Proof

Hash values:

h  = (m1 + r1)(m2 + r2) + (m3 + r3)(m4 + r4) + · · · + (m_{2ℓ−1} + r_{2ℓ−1})(m_{2ℓ} + r_{2ℓ}),
h′ = (m′1 + r1)(m′2 + r2) + (m′3 + r3)(m′4 + r4) + · · · + (m′_{2ℓ−1} + r_{2ℓ−1})(m′_{2ℓ} + r_{2ℓ}).

Then h = h′ + ∆ if and only if

r1(m2 − m′2) + r2(m1 − m′1) + r3(m4 − m′4) + r4(m3 − m′3) + · · · = ∆ + m′1 m′2 − m1 m2 + m′3 m′4 − m3 m4 + · · · .

m ≠ m′ implies that some coefficient (m_i − m′_i) is nonzero, so this equation, linear in r, has at most |K|^{2ℓ−1} solutions for r out of |K|^{2ℓ} keys, i.e., δ = 1/|K|.

21 / 22
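An added example (not from the slides, and not GCM's or Auth256's actual code) covering the binary-field MACs above: shift-and-add multiplication in F_2[x]/(poly), the GMAC-style polynomial MAC over F_{2^128} with the x^128 + x^7 + x^2 + x + 1 reduction, the pseudo-dot-product hash with one multiplication per pair of blocks, and a brute-force check of the security proof's counting argument in the small field F_{2^8}, where all 256^2 keys (r1, r2) can be enumerated. Assumptions: field elements are in plain polynomial basis (bit i is the coefficient of x^i, not GCM's bit-reflected block encoding, so tags do not match a real GHASH), the toy field uses the AES polynomial x^8 + x^4 + x^3 + x + 1 rather than Auth256's tower field, and all keys and message blocks are constructed values.

```python
# Added example: F_2[x]/(poly) arithmetic, the two polynomial MAC shapes from the slides,
# and an exhaustive check that the pseudo-dot-product hash is 1/|K|-xor-universal.

GCM_POLY = (1 << 128) | (1 << 7) | (1 << 2) | (1 << 1) | 1   # x^128 + x^7 + x^2 + x + 1
AES_POLY = 0x11B                                              # x^8 + x^4 + x^3 + x + 1 (toy field)


def gf_mul(a, b, nbits, poly):
    """Multiply two elements of F_{2^nbits} = F_2[x]/(poly); addition is XOR, no carries."""
    top = 1 << nbits
    res = 0
    while b:
        if b & 1:
            res ^= a
        b >>= 1
        a <<= 1
        if a & top:
            a ^= poly                 # reduce the x^nbits term
    return res


def poly_mac(r, s, msg_blocks, nbits=128, poly=GCM_POLY):
    """GMAC-style t = (m1 r^l + m2 r^(l-1) + ... + ml r) + s in F_{2^128}, by Horner's rule:
    one multiplication per block."""
    acc = 0
    for m in msg_blocks:
        acc = gf_mul(acc ^ m, r, nbits, poly)
    return acc ^ s


def pdp_hash(r, msg_blocks, nbits, poly):
    """Pseudo-dot-product (m1 + r1)(m2 + r2) + (m3 + r3)(m4 + r4) + ...: one key block per
    message block and half a multiplication per block."""
    if len(msg_blocks) != len(r) or len(msg_blocks) % 2:
        raise ValueError("need an even number of blocks and one key block per message block")
    h = 0
    for i in range(0, len(msg_blocks), 2):
        h ^= gf_mul(msg_blocks[i] ^ r[i], msg_blocks[i + 1] ^ r[i + 1], nbits, poly)
    return h


def pdp_mac(r, s, msg_blocks, nbits=128, poly=GCM_POLY):
    """Wegman–Carter: universal hash plus one-time pad s."""
    return pdp_hash(r, msg_blocks, nbits, poly) ^ s


def xor_differential_count(m, m_prime, delta):
    """Count keys (r1, r2) in F_{2^8}^2 with Hash_r(m) = Hash_r(m') ^ delta by exhaustive search.
    The proof says the condition is linear in r with a nonzero coefficient, so exactly
    |K|^(2l-1) = 256 of the 256^2 keys satisfy it: delta-xor-universal with delta = 1/256."""
    return sum(1 for r1 in range(256) for r2 in range(256)
               if pdp_hash((r1, r2), m, 8, AES_POLY) == pdp_hash((r1, r2), m_prime, 8, AES_POLY) ^ delta)


def demo():
    """Both MACs detect a single flipped bit in a two-block message (constructed values)."""
    r = 0x2F9A1D4C83E0B67155AD0C3E7B9D4F21            # constructed 128-bit hash key
    r_pairs = (r, 0x7C1E9A05D3B84F62A1C0E7B5398D2F46)  # constructed per-block keys for pdp
    s = 0x0D3EF7A1C24B8E96D57A31B0C8E4F6A2            # constructed one-time pad for this message
    msg = [0x00112233445566778899AABBCCDDEEFF, 0x0F1E2D3C4B5A69788796A5B4C3D2E1F0]
    tampered = [msg[0] ^ 1, msg[1]]
    return (poly_mac(r, s, msg) != poly_mac(r, s, tampered),
            pdp_mac(r_pairs, s, msg) != pdp_mac(r_pairs, s, tampered))


if __name__ == "__main__":
    print(demo(), xor_differential_count((0x12, 0x34), (0x56, 0x78), 0xAB))
```

The exhaustive count returns 256 whatever m ≠ m′ and ∆ are chosen, which is the |K|^{2ℓ−1} of the proof with ℓ = 1; the same linear-algebra argument is what makes the full-size F_{2^256} version 2^−256-xor-universal.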

slide-104
SLIDE 104

CBC-MAC

http://en.wikipedia.org/wiki/CBC-MAC

22 / 22