
On the Exact Security of Message Authentication using Pseudorandom Functions - PowerPoint PPT Presentation



  1. On the Exact Security of Message Authentication using Pseudorandom Functions
Fast Software Encryption ’17, Tokyo
Ashwin Jha 1, Avradip Mandal 2, Mridul Nandi 1
1 Indian Statistical Institute, Kolkata, India
2 Fujitsu Laboratories of America, Sunnyvale, USA

  2. Overview
• Preliminary
• Motivation
• Contributions

  3. Preliminary

  4. Cipher Block Chaining
For a length-preserving function $F : \{0,1\}^n \to \{0,1\}^n$ and input $M := (M_1, M_2, \dots, M_b) \in \{0,1\}^{nb}$, CBC is defined by the chain shown in the figure ($M_1, \dots, M_b$ fed in turn through $F$):
$$\mathrm{in}_1 = M_1, \qquad \mathrm{in}_i = F(\mathrm{in}_{i-1}) \oplus M_i \ \ (2 \le i \le b), \qquad \mathrm{CBC}_F(M) = F(\mathrm{in}_b).$$
• For all $i \in \{1, \dots, b\}$, the $\mathrm{in}_i$ are called internal inputs.
• For prefix-free queries: CBC is a secure MAC/PRF when $F$ is a good pseudorandom permutation/function.
• The input space is restricted to $(\{0,1\}^n)^+$.

  6. Some Variants of CBC-MAC
Construction | $|M|$ a multiple of $n$ | Otherwise
$\mathrm{EMAC}_{F_1, F'}(M) = F'(\mathrm{CBC}_{F_1}(M))$ | $F' = F_2$ | not defined
$\mathrm{ECBC}_{F_1, F'}(M) = F'(\mathrm{CBC}_{F_1}(M))$ | $F' = F_2$ | $F' = F_3$
$\mathrm{FCBC}_{F_1, F_2, F_3}(M) = F'(\mathrm{CBC}_{F_1}(M_{1,\dots,b-1}) \oplus M_b)$ | $F' = F_2$ | $F' = F_3$
$\mathrm{XCBC}_{F_1, K_1, K_2}(M) = F_1(\mathrm{CBC}_{F_1}(M_{1,\dots,b-1}) \oplus M_b \oplus K')$ | $K' = K_1$ | $K' = K_2$
$\mathrm{TMAC}_{F_1, K}(M) = F_1(\mathrm{CBC}_{F_1}(M_{1,\dots,b-1}) \oplus M_b \oplus K')$ | $K' = K$ | $K' = u \cdot K$
In the "Otherwise" column the message is padded to a multiple of $n$ bits, so $M_b$ denotes the padded final block; $u \cdot K$ is multiplication in $\mathrm{GF}(2^n)$.
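The five constructions in the table, written out as an added Python example that is not part of the slides or of the authors' code. Everything about the instantiation is an assumption of this example: $F_1, F_2, F_3$ are HMAC-SHA256 truncated to $n = 128$ bits (a PRF, deliberately not a permutation), the "Otherwise" case uses $10^*$ padding, and $u \cdot K$ is doubling in $\mathrm{GF}(2^{128})$ with the polynomial $x^{128} + x^7 + x^2 + x + 1$. The `cbc` function also returns the internal inputs $\mathrm{in}_1, \dots, \mathrm{in}_b$, because collisions among them are what the rest of the deck is about.

```python
import hmac
import hashlib

# Added example (not from the slides): toy instantiations of CBC and the five
# CBC-MAC variants over an n-bit keyed function F.  F is instantiated, as an
# assumption, by HMAC-SHA256 truncated to n = 128 bits; it is a PRF and not a
# permutation, which is exactly the setting the paper studies.
N_BITS = 128
N_BYTES = N_BITS // 8


def prf(key: bytes):
    """Return F_key : {0,1}^n -> {0,1}^n (assumed instantiation, see above)."""
    def F(x: bytes) -> bytes:
        assert len(x) == N_BYTES, "F is defined on exactly one n-bit block"
        return hmac.new(key, x, hashlib.sha256).digest()[:N_BYTES]
    return F


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def gf_double(k: bytes) -> bytes:
    """u * K in GF(2^128), u = x, polynomial x^128 + x^7 + x^2 + x + 1 (as in CMAC)."""
    v = int.from_bytes(k, "big")
    carry = v >> (N_BITS - 1)
    v = (v << 1) & ((1 << N_BITS) - 1)
    if carry:
        v ^= 0x87
    return v.to_bytes(N_BYTES, "big")


def pad10(msg: bytes) -> bytes:
    """10* padding, used only when |M| is not a positive multiple of n ('Otherwise' column)."""
    msg = msg + b"\x80"
    return msg + bytes((-len(msg)) % N_BYTES)


def is_full_blocks(msg: bytes) -> bool:
    return len(msg) > 0 and len(msg) % N_BYTES == 0


def cbc(F, msg: bytes):
    """CBC_F on b >= 1 full blocks.  Returns (CBC_F(M), [in_1, ..., in_b]) with
    in_1 = M_1, in_i = F(in_{i-1}) xor M_i and CBC_F(M) = F(in_b); the internal
    inputs are exposed so that INcoll (a collision among the in_b's) can be checked."""
    assert is_full_blocks(msg)
    ins = []
    prev = bytes(N_BYTES)                        # xor with 0^n leaves M_1 unchanged
    for i in range(0, len(msg), N_BYTES):
        cur = xor(prev, msg[i:i + N_BYTES])     # in_i
        ins.append(cur)
        prev = F(cur)                            # F(in_i), chained into the next block
    return prev, ins


def _last_internal_input(F1, msg: bytes):
    """in_b = CBC_F1(M_1..M_{b-1}) xor M_b over the (possibly padded) message, and which column applies."""
    full = is_full_blocks(msg)
    _, ins = cbc(F1, msg if full else pad10(msg))
    return ins[-1], full


def emac(F1, F2, msg: bytes) -> bytes:
    if not is_full_blocks(msg):
        raise ValueError("EMAC is not defined when |M| is not a multiple of n")
    return F2(cbc(F1, msg)[0])


def ecbc(F1, F2, F3, msg: bytes) -> bytes:
    if is_full_blocks(msg):
        return F2(cbc(F1, msg)[0])
    return F3(cbc(F1, pad10(msg))[0])


def fcbc(F1, F2, F3, msg: bytes) -> bytes:
    in_b, full = _last_internal_input(F1, msg)
    return (F2 if full else F3)(in_b)


def xcbc(F1, K1: bytes, K2: bytes, msg: bytes) -> bytes:
    in_b, full = _last_internal_input(F1, msg)
    return F1(xor(in_b, K1 if full else K2))


def tmac(F1, K: bytes, msg: bytes) -> bytes:
    in_b, full = _last_internal_input(F1, msg)
    return F1(xor(in_b, K if full else gf_double(K)))
```

The point of exposing `ins` is that for EMAC/ECBC/FCBC a collision $\mathrm{in}_{i,b_i} = \mathrm{in}_{j,b_j}$ between two queries forces equal tags whatever the outer function does, which is why the bounds later in the deck are stated in terms of the internal collision probability rather than the tag.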

  8. Motivation

  9. PRP based CBC-MACs
Random Permutation | Lower Bound | Upper Bound
CBC-MAC (Equal Length) | $\Omega(q^2/2^n)$ | $O(\ell q^2/2^n)$ [BPR05]
CBC-MAC (Prefix Free) | $\Omega(\ell q^2/2^n)$ | $O(\ell q^2/2^n)$ [BPR05, JN16]
EMAC, ECBC, FCBC | $\Omega(q^2/2^n)$ | $O(q^2/2^n)$ [Pie06, JN16]
XCBC, TMAC | $\Omega(q^2/2^n)$ | $O(\sigma^2/2^n)$ [IK03b], $O(\ell q^2/2^n)$ [MM07]

  10. PRF based CBC-MACs
Random Function | Lower Bound | Upper Bound
(all of the above) | $q^2/2^n$ | $O(\sigma^2/2^n)$
• PRF-PRP switching gives an upper bound of $O(\sigma^2/2^n)$. This bound is rather loose. Can it be reduced?
• Berke showed an attack on prefix-free CBC-MAC with $\ell q^2/2^n$ distinguishing advantage.
• Berke’s attack doesn’t extend to CBC-MAC variants.
• A lower bound of $q^2/2^n$ is trivially achievable. Can we have a better attack?

  12. Contributions

  13. Summary of Our Results
Random Function | Lower Bound | Upper Bound
CBC-MAC (Equal Length) | $\Omega(q\sigma/2^n)$ | $O(q\sigma/2^n)$
EMAC, ECBC | $\Omega(q\sigma/2^n)$ | $O(q\sigma/2^n)$
FCBC | $\Omega(q\sigma/2^n)$ | $O(q\sigma/2^n)$
XCBC, TMAC | $\Omega(q\sigma/2^n)$ | $O(q\sigma/2^n)$
• Tight PRF bounds for PRF based EMAC, ECBC, FCBC, XCBC and TMAC.
• Lower bound applicable to CBC-MAC (equal length), OMAC, and iterated random function.

  14. Upper Bound on PRF Security of MAC
For a tuple of $q \ge 2$ distinct messages $M = (M_1, \dots, M_q)$, write $M_i = (M_{i,1}, M_{i,2}, \dots, M_{i,m_i})$ and let $\mathrm{in}_{i,1}, \mathrm{in}_{i,2}, \dots, \mathrm{in}_{i,m_i}$ be the internal inputs of $\mathrm{CBC}_F(M_i)$ (figure: the CBC chain on $M_i$).
• $\mathrm{INcoll}_F(M)$ denotes the event $\exists\, i, j$, $1 \le i < j \le q$, such that $\mathrm{in}_{i,m_i} = \mathrm{in}_{j,m_j}$.
• $\mathrm{inCP}(M) = \Pr_F[\mathrm{INcoll}_F(M)]$ and $\mathrm{inCP}_{q,\ell,\sigma} = \max_M \mathrm{inCP}(M)$, the maximum over tuples of $q$ distinct messages with at most $\ell$ blocks each and at most $\sigma$ blocks in total.

  15. Upper Bound on PRF Security of MAC
$N$ denotes $2^n$. From here onwards MAC denotes EMAC, ECBC, FCBC, XCBC and TMAC.
Lemma. For $q, \ell, \sigma \ge 1$ we have,
1. $\mathrm{Adv}_{\mathrm{EMAC}/\mathrm{ECBC}}(q, \ell, \sigma) \le \mathrm{inCP}_{q,\ell,\sigma} + \dfrac{q(q-1)}{2N}$.
2. $\mathrm{Adv}_{\mathrm{FCBC}}(q, \ell, \sigma) \le \mathrm{inCP}_{q,\ell,\sigma} + \dfrac{q(q-1)}{2N}$.
3. $\mathrm{Adv}_{\mathrm{XCBC}/\mathrm{TMAC}}(q, \ell, \sigma) \le \mathrm{inCP}_{q,\ell,\sigma} + \dfrac{q\sigma}{N} + \dfrac{q(q-1)}{2N}$.
• 1 and 2 follow from the (delta) universal property of CBC-MAC.
• 3 is derived by application of the Coefficient H technique.

  17. Upper Bound on CBC Collision Probability
Theorem (Upper Bound). Let $M = (M_1, \dots, M_q)$ be a $q$-tuple of distinct messages such that $M_i \in \{0,1\}^{n m_i}$, $1 \le m_i \le \ell$ for all $i \in \{1, \dots, q\}$, and $\sum_{i=1}^{q} m_i \le \sigma$. For $\ell = O(q)$ and $q^2 \ell / N \le 1$ we have
$$\mathrm{inCP}_{q,\ell,\sigma} = O\!\left(\frac{q\sigma}{N}\right).$$
Proof Sketch:
• Graph [BPR05] based representation of the collision pattern in the CBC computation.
• Internal inputs $\Rightarrow$ vertices, and the transition from $\mathrm{in}_i$ to $\mathrm{in}_{i+1}$ $\Rightarrow$ a directed edge from $\mathrm{in}_i$ to $\mathrm{in}_{i+1}$.

  18. Upper Bound on CBC Collision Probability
Proof Sketch (continued), illustrated on $M_1 = (A, B, C, D, E, F, G, H)$ and $M_2 = (A, B, C', D', E', F', G, H)$ (figure: the two walks share the common prefix $A, B$ and differ on $C, D, E, F$ versus $C', D', E', F'$; vertices $\mathrm{in}_{i,1}, \dots, \mathrm{in}_{i,9}$ and $\mathrm{in}_{j,4}, \mathrm{in}_{j,5}, \mathrm{in}_{j,6}$).
• $\mathrm{bad}_1$: all graphs where the walk corresponding to any message is cyclic. Bounded by $\sum_{i=1}^{q} \dfrac{m_i^2}{N}$.
• $\mathrm{bad}_2$: all graphs where the walks corresponding to any two messages have at least two non-trivial collisions. Bounded by $\sum_{1 \le i < j \le q} \dfrac{(m_i + m_j)^4}{N^2}$.
• The probability of the collision event over the remaining graphs is bounded by $\sum_{1 \le i < j \le q} \dfrac{\min\{m_i, m_j\}}{N}$.
• Combining all three we get the result.

  21. Lower Bound on PRF Security of MAC
Collision Distinguisher for MAC (adversary $A$):
1. Let $M_i = x_i \,\|\, 0^{n(\ell-1)}$, $x_i \in \{0,1\}^n$.
2. $A$ queries $M_i$ and observes the output $t_i$.
3. If $t_i = t_j$ for some $j < i$ then $A$ returns 1.
Lemma (PRF–CBC Lower Bound).
$$\mathrm{Adv}_{\mathrm{MAC}}(q, \ell) \ge \left(1 - \frac{q(q-1)}{2N}\right) \mathrm{inCP}(M).$$
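The distinguisher above run against a tiny domain, as an added Monte Carlo example that is not part of the slides: it measures $\mathrm{inCP}(M)$ for the tuple $M_i = x_i \| 0^{n(\ell-1)}$ (the INcoll event of slide 14) under a random function and under a random permutation, and compares the random-function estimate with the $q^2\ell/12N$ lower bound stated on the next slide. Block values are integers in $[0, 2^n)$; $n = 12$, $q = 8$, $\ell = 4$, the trial count and the seed are constructed parameters chosen so that the theorem's side conditions $q^2\ell/N \le 1$ and $\ell \le N^{1/3}/4$ hold.

```python
import random

# Added example (not from the slides): empirical check of the collision
# distinguisher on M_i = x_i || 0^{n(l-1)} with a small block size.  Blocks are
# integers in [0, N), N = 2^n; all parameters below are constructed for the demo.


def chain_internal_inputs(F, x, ell):
    """Internal inputs of CBC_F on x || 0^{n(ell-1)}: in_1 = x and in_t = F(in_{t-1})
    for t >= 2, because the zero blocks contribute nothing to the XOR."""
    ins = [x]
    for _ in range(ell - 1):
        ins.append(F(ins[-1]))
    return ins


def incoll(F, xs, ell):
    """INcoll_F(M): some pair i < j has in_{i,ell} == in_{j,ell}."""
    finals = [chain_internal_inputs(F, x, ell)[-1] for x in xs]
    return len(set(finals)) < len(finals)


def random_function(N, rng):
    """Lazily sampled uniform random function on [0, N)."""
    table = {}

    def F(x):
        if x not in table:
            table[x] = rng.randrange(N)
        return table[x]
    return F


def random_permutation(N, rng):
    perm = list(range(N))
    rng.shuffle(perm)
    return perm.__getitem__


def estimate_incp(n, q, ell, trials, prp=False, seed=2017):
    """Monte Carlo estimate of inCP(M) for q distinct first blocks x_i and ell blocks each."""
    N = 1 << n
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        F = random_permutation(N, rng) if prp else random_function(N, rng)
        xs = rng.sample(range(N), q)          # q distinct x_i, hence distinct messages
        hits += incoll(F, xs, ell)
    return hits / trials


def lower_bound(n, q, ell):
    """q^2 l / (12 N) from the Lower Bound theorem, after checking its side conditions
    q^2 l <= N and l <= N^{1/3} / 4 (the latter as (4 l)^3 <= N to avoid float error)."""
    N = 1 << n
    if q * q * ell > N or (4 * ell) ** 3 > N:
        raise ValueError("outside the theorem's parameter range")
    return q * q * ell / (12 * N)


if __name__ == "__main__":
    n, q, ell = 12, 8, 4                      # N = 4096, q^2 l / N = 1/16, (4 l)^3 = N
    print("lower bound  :", lower_bound(n, q, ell))
    print("PRF estimate :", estimate_incp(n, q, ell, trials=2000))
    print("PRP estimate :", estimate_incp(n, q, ell, trials=400, prp=True))
```

Two things the numbers show. The random-function estimate sits well above $q^2\ell/12N$ (the two chains of a pair can merge at any of $\ell - 1$ steps, so the true value is closer to $q^2\ell/2N$; the theorem's constant is loose, its order is right). The random-permutation estimate is exactly zero: with $P$ a permutation, $\mathrm{in}_{i,\ell} = P^{\ell-1}(x_i)$ is a bijection of $x_i$, so this message tuple never produces an internal collision, which is why the PRP lower bound on the earlier slide is only the trivial $q^2/2^n$ while the PRF bound grows with $\ell$.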

  22. Lower Bound on CBC Collision Probability
Theorem (Lower Bound). For $q^2 \ell / N \le 1$ and $\ell \le N^{1/3}/4$ we have
$$\mathrm{inCP}(M) \ge \frac{q^2 \ell}{12 N}.$$
Proof Sketch:
• Using the Bonferroni inequality,
$$\mathrm{inCP}(M) \ge \sum_{i<j} \underbrace{\Pr_F[\mathrm{INcoll}_F(M_i; M_j)]}_{\mathrm{inCP}_{i,j}} \;-\; 3 \sum_{i<j<k} \underbrace{\Pr_F[\mathrm{INcoll}_F(M_i; M_j) \cap \mathrm{INcoll}_F(M_j; M_k)]}_{\mathrm{inCP}_{i,j,k}} \;-\; \frac{1}{2} \sum_{\substack{i<j,\; k<m \\ \{i,j\} \cap \{k,m\} = \emptyset}} \underbrace{\Pr_F[\mathrm{INcoll}_F(M_i; M_j) \cap \mathrm{INcoll}_F(M_k; M_m)]}_{\mathrm{inCP}_{i,j,k,m}}.$$
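Where the coefficients $3$ and $\tfrac{1}{2}$ come from, as an added counting step that the slide leaves implicit. Write $E_{ij} := \mathrm{INcoll}_F(M_i; M_j)$, the event $\mathrm{in}_{i,\ell} = \mathrm{in}_{j,\ell}$. The second-order Bonferroni inequality is
$$\Pr\Big[\bigcup_{i<j} E_{ij}\Big] \;\ge\; \sum_{i<j} \Pr[E_{ij}] \;-\; \sum_{\{ij\} \ne \{kl\}} \Pr[E_{ij} \cap E_{kl}],$$
the last sum running over unordered pairs of distinct index pairs. Such a pair of index pairs either shares one index or is disjoint. If it shares an index, its two pairs lie in one triple $i<j<k$, and each of the three choices $\{E_{ij}, E_{jk}\}$, $\{E_{ij}, E_{ik}\}$, $\{E_{ik}, E_{jk}\}$ has the same intersection, namely $\mathrm{in}_{i,\ell} = \mathrm{in}_{j,\ell} = \mathrm{in}_{k,\ell}$ (equality of the final internal inputs is transitive), so
$$\sum_{\text{sharing}} \Pr[E_{ij} \cap E_{kl}] \;=\; 3 \sum_{i<j<k} \mathrm{inCP}_{i,j,k}.$$
If it is disjoint, $\{i,j\} \cap \{k,m\} = \emptyset$, the ordered sum over $i<j$, $k<m$ lists each unordered pair twice, which gives the factor $\tfrac{1}{2}$ in front of $\sum \mathrm{inCP}_{i,j,k,m}$. Substituting both counts into the Bonferroni inequality yields the displayed bound on $\mathrm{inCP}(M)$.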

  23. Lower Bound on CBC Collision Probability
Proof Sketch: Bounding $\mathrm{inCP}_{i,j,k}$ (figure: Case 1 and Case 2 show the two ways the chains started at $x_i$, $x_j$, $x_k$ can merge).
$$\Pr[\text{Case 1}] \le \frac{2\ell^2}{N^2}, \qquad \Pr[\text{Case 2}] \le \frac{6\ell^6}{N^3}, \qquad \mathrm{inCP}_{i,j,k} \le \frac{2\ell^2}{N^2} + \frac{6\ell^6}{N^3}.$$

  24. Lower Bound on CBC Collision Probability
Proof Sketch: Bounding $\mathrm{inCP}_{i,j,k,m}$ (figure: Cases 1, 2 and 3 show how the chains started at $x_i$, $x_j$, $x_k$, $x_m$ can merge).
$$\Pr[\text{Case 1}] \le \frac{\ell^2}{N^2}, \qquad \Pr[\text{Case 2}] \le \frac{6\ell^3}{N^3}, \qquad \Pr[\text{Case 3}] \le \frac{2\ell^5}{N^3}.$$

  25. Lower Bound on CBC Collision Probability
(figure: Cases 4 and 5 for the chains started at $x_i$, $x_j$, $x_k$, $x_m$)
$$\Pr[\text{Case 4}] \le \frac{24\ell^8}{N^4}, \qquad \Pr[\text{Case 5}] \le \frac{4\ell^8}{N^4}, \qquad \mathrm{inCP}_{i,j,k,m} \le \frac{\ell^2}{N^2} + \frac{6\ell^3 + 2\ell^5}{N^3} + \frac{28\ell^8}{N^4}.$$
