On the design of message-authentication codes D. J. Bernstein - PDF document

On the design of message-authentication codes D. J. Bernstein University of Illinois at Chicago

When we design hash functions, stream ciphers, and other secret-key primitives, should we use integer multiplication? AES uses 32 ; 32 ! 32 xor; ! 8 byte extraction; 32 ! 32 inversion box. and 8 ; 16 ! 16 xor; IDEA uses 16 16 ; 16 ! 16 addition; and 16 ; 16 ! 16 multiplication.

! 32 rotation; Rabbit uses 32 32 ; 32 ! 32 addition; 32 ; 32 ! 32 xor; and 32 ; 32 ! 32 ; 32 multiplication. RC6 uses 32 ; 8 ! 32 rotation; 32 ; 32 ! 32 addition; 32 ; 32 ! 32 xor; and 32 ; 32 ! 32 multiplication. ! 32 rotation; Salsa20 uses 32 32 ; 32 ! 32 addition; and 32 ; 32 ! 32 xor.

“Multiplication is slow!” > 10 � as many bit operations as addition. Counterargument: “Multiplication is surprisingly fast!” Has many applications, so CPU designers include big multiplication circuits. Typical CPUs can start a new multiplication every cycle.

“Multiplication scrambles its output as thoroughly as several simple operations!” “No, it doesn’t! Look at these scary attacks. Need many multiplications to achieve confidence.” What if we can prove that multiplication provides the security we need?

An authentication system Let’s use multiplication to authenticate messages. p = 1000003. Standardize a prime Sender rolls 10-sided die to generate independent uniform random secrets r 2 f 0 ; 1 ; : : : ; 999999 g , s 1 2 f 0 ; 1 ; : : : ; 999999 g , s 2 2 f 0 ; 1 ; : : : ; 999999 g , : : : , s 100 2 f 0 ; 1 ; : : : ; 999999 g .

Sender meets receiver in private and tells receiver the same r ; s 1 ; s 2 ; : : : ; s 100 . secrets Later: Sender wants to send m 1 ; : : : ; m 100 , 100 messages each having 5 components m n [1] ; m n [2] ; m n [3] ; m n [4] ; m n [5] m n [ i ] 2 f 0 ; 1 ; : : : ; 999999 g . with Sender transmits 30-digit m n [1] ; m n [2] ; m n [3] ; m n [4] ; m n [5] together with an authenticator m n [1] r + � � � + m n [5] r 5 mod p ) ( s n mod 1000000 + n . and the message number

r = 314159, s 10 = 265358, e.g. m 10 = 000006 000007 000000 000000 000000 : Sender computes authenticator (6 r + 7 r 2 mod p ) s 10 mod 1000000 = + � 314159 + 7 � 314159 2 (6 mod 1000003) + 265358 mod 1000000 = 953311 + 265358 mod 1000000 = 218669. Sender transmits authenticated message 10 000006 000007 000000 000000 000000 21866 9 .

Speed analysis P i . m x ) = m n [ i ] x n ( Notation: m r ) mod p : n ( To compute m r , n [5] by multiply m r , n [4], multiply by add m r , n [3], multiply by add m r , n [2], multiply by add m r . n [1], multiply by add p after each mult. Reduce mod Slightly more time to a n = compute authenticator m r ) mod p ) + s n ( n mod 1000000. (

Reducing mod 1000003 is easy: e.g., 240881099091 = � 1000000 + 99091 � 240881 � 3) + 99091 = 240881( � 722643 + 99091 = � 623552. Easily adjust to range f 0 ; 1 ; : : : ; p � 1 g p ’s. by adding/subtracting a few (Beware timing attacks!) Speedup: Delay the adjustment; p ’s won’t damage extra subsequent field operations.

Main work is multiplication. For each 6-digit message chunk, have to do one multiplication r of the 6-digit secret p . into an accumulator mod Scaled up for serious security: p = 2 130 � 5. “Poly1305” uses For each 128-bit message chunk, have to do one multiplication r of a 128-bit secret � 5. into an accumulator mod 2 130 � 5 cycles per message byte, depending on the CPU.

Security analysis Attacker’s goal: 0 0 0 such that n ; m ; a Find 0 0 = m m a 0 but n 6 = 0 ( m r ) mod p )+ s 0 mod 1000000. n P ( 0 ( 0 [ i ] x i . m x ) = m i Here Obvious attack: 0 m m 1 . Choose any 6 = 0 . a Choose uniform random = 1000000. Success chance 1 Can repeat attack. Each forgery has chance 1 = 1000000 of being accepted.

More subtle attack: 0 m m 1 so that Choose 6 = 0 ( m x ) � m 1 ( x ) the polynomial has 5 distinct roots x 2 f 0 ; 1 ; : : : ; 999999 g 0 = p . Choose a a . modulo m 1 = (100 ; 0 ; 0 ; 0 ; 0), e.g. 0 = (125 m ; 1 ; 0 ; 0 ; 1): 0 ( m x ) � m 1 ( x ) = x 5 + x 2 + 25 x p : which has five roots mod 0 ; 299012 ; 334447 ; 631403 ; 735144. = 1000000. Success chance 5

Actually, success chance = 1000000. can be above 5 m 1 (334885) mod p Example: If 2 f 1000000 ; 1000001 ; 1000002 g 0 ; m ; a 1 ) with then a forgery (1 0 ( m x ) = m 1 ( x ) + x 5 + x 2 + 25 x r = 334885; also succeeds for = 1000000. success chance 6 Reason: 334885 is a root of 0 ( m x ) � m 1 ( x ) + 1000000. Can have as many as 15 roots 0 ( m x ) � m 1 ( x )) � of ( 0 ( m x ) � m 1 ( x ) + 1000000) � ( 0 ( m x ) � m 1 ( x ) � 1000000). (

0 ? a Do better by varying No. Easy to prove: Every choice 0 0 0 ) with 0 n ; m ; a m m 0 n of ( 6 = � 15 = 1000000 has chance of being accepted by receiver. � 15 roots Underlying fact: 0 ( 0 + m x ) � m 1 ( x ) � a a 1 ) � of ( 0 ( 0 + m x ) � m 1 ( x ) � a a 1 + 10 6 ) � ( 0 ( 0 + m x ) � m 1 ( x ) � a a 1 � 10 6 ). ( Warning: very easy to break the oversimplified authenticator m � � � + m n [5] r 4 mod p ) n [1] + ( s n mod 1000000: + 0 ( 0 m x ) � m 1 ( x ) = a � a 1 . solve

Scaled up for serious security: r ’s, Poly1305 uses 128-bit with 22 bits cleared for speed. s n mod 2 128 . Adds � L -byte messages: Assuming Each forgery succeeds for � 8 d L= 16 e choices of r . � 8 d L= 16 e = 2 106 . Probability D forgeries are all rejected with probability � 1 � 8 D d L= 16 e = 2 106 . L = 1536: e.g. 2 64 forgeries, � 0 : 9999999998. Pr[all rejected]

Authenticator is still secure for variable-length messages, if different messages are p . different polynomials mod Split string into 16-byte chunks, maybe with smaller final chunk; append 1 to each chunk; � � view as little-endian integers 1 ; 2 ; 3 ; : : : ; 2 129 in . r , Multiply first chunk by r , add next chunk, multiply by r , etc., last chunk, multiply by � 5, add s n mod 2 128 . mod 2 130

Reducing the key length Like the one-time pad, this authentication system has a security guarantee. One-time pad needs L shared secret bytes L message bytes. to encrypt Authentication system needs 16 shared secret bytes L message bytes. to authenticate Each new message needs new shared secret bytes, used only once. How to handle many messages?

m r ) mod p n ( Authenticator is s n . encrypted with one-time pad Can replace one-time pad with stream-cipher output. Typical stream cipher: AES in counter mode. r ; k ) Sender, receiver share ( k is 16-byte AES key; where s n ). n = AES k ( compute Security proof breaks down s n ’s are dependent, since but can still prove that attack on authenticator implies attack on AES.

unsigned int j; mpz_class rbar = 0; for (j = 0;j < 16;++j) rbar += ((mpz_class) r[j]) << (8 * j); mpz_class h = 0; mpz_class p = (((mpz_class) 1) << 130) - 5; while (mlen > 0) { mpz_class c = 0; for (j = 0;(j < 16) && (j < mlen);++j) c += ((mpz_class) m[j]) << (8 * j); c += ((mpz_class) 1) << (8 * j); m += j; mlen -= j; h = ((h + c) * rbar) % p; } unsigned char aeskn[16]; aes(aeskn,k,n); for (j = 0;j < 16;++j) h += ((mpz_class) aeskn[j]) << (8 * j); for (j = 0;j < 16;++j) { mpz_class c = h % 256; h >>= 8; out[j] = c.get_ui(); }

Another stream cipher: F n ) = MD5( k ; n ). k ( Somewhat slower than AES. “Hasn’t MD5 been broken?” 0 0 ) are known Distinct ( k ; n ) ; ( k ; n 0 0 ). k ; n ) = MD5( k ; n with MD5( (2004 Wang) Still not obvious how to predict n 7! MD5( k ; n ) for secret k . We know AES collisions too! Many other stream ciphers are unbroken, faster than AES.

Alternatives to + � � � � AES n ) k ( Use � � � + AES n )? k ( instead of No! Destroys security analysis; might allow successful forgeries even if AES is secure. � � � ), omitting n ? k ( Use AES No! Broken by known attacks < 2 64 authenticators. using But ok for small # messages. k ; n; � � � )? Use Salsa20( Seems to be massive overkill.

Alternatives to Poly1305 m ) = r ( Notation: Poly1305 m ( r ) mod 2 130 � 5) mod 2 128 . ( 0 : m; m For all distinct messages m ) = r ( Pr[Poly1305 0 )] is very small. m r ( Poly1305 “Small collision probabilities.” 0 m; m For all distinct messages and all 16-byte sequences ∆: m ) = r ( Pr[Poly1305 0 ) + ∆ mod 2 128 ] m r ( Poly1305 is very small. “Small differential probabilities.”

Easy to build other functions that satisfy these properties. Embed messages and outputs into polynomial ring Z [ x 1 ; x 2 ; x 3 ; : : : ]. m 7! m mod r where Use r is a random prime ideal. Small differential probability 0 m � m � ∆ means that r ’s is divisible by very few 0 . m m when 6 = (Addition of ∆ is mod 2 128 ; be careful.)

Example: (1981 Karp Rabin) m as integers, View messages � � specifically multiples of 2 128 . 0 ; 1 ; : : : ; 2 128 � 1 Outputs: . m modulo a uniform Reduce r random prime number between 2 120 and 2 128 . r is slow.) (Problem: generating Low differential probability: 0 then 0 m m m � m � ∆ if 6 = 6 = 0 0 m � m � ∆ is divisible so by very few prime numbers.