On the Influence of Message Length in PMAC's Security Bounds (PowerPoint presentation)

SLIDE 1

On the Influence of Message Length in PMAC's Security Bounds

Atul Luykx (1), Bart Preneel (1), Alan Szepieniec (1), Kan Yasuda (2)

(1) COSIC, KU Leuven, Belgium
(2) NTT Secure Platform Laboratories, Japan

May 11, 2016


SLIDE 6

Security Bounds

Factors:

  • 1. Adversarial Resources
  • 2. Scheme parameters
  • 3. Confidence level

TLS 1.3: GCM, ChaCha20 + Poly1305
ISO/IEC SC27 WG2: 48-bit block size?

[Plot: the secure region in terms of the adversarial resources, Number of Queries — q and Message Length — ℓ.]


SLIDE 9

Example: EMAC

[Figure: EMAC. The message blocks m1, m2, m3, m4 are processed in a CBC chain under the block cipher π1 (each block is XORed into the previous output before encryption); the last chaining value is encrypted under an independent π2 to produce the tag T.]

Bound: q²ℓ²/2^n ≤ ε

  n  Block size
  q  Number of queries
  ℓ  Query length in blocks
  ε  Confidence

Table: ε = 1/2^20, ℓ = 1 KB

  Cipher    Block size   Limit
  AES128    128          2^51
  PRESENT   64           2^18.5
  KATAN32   32           4
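As an added example (not from the slides), a short Python helper that turns a bound of the shape q²·ℓ^b/2^n ≤ ε into the largest permitted number of queries, and evaluates it for the three ciphers in the table above with ℓ = 1 KB and ε = 2^−20. The exponent of ℓ is left as a parameter because the table's limits (2^51, 2^18.5 and 4) are exactly what the bound gives with ℓ to the first power, while the quadratic form written on the slide yields 2^48, 2^15 and less than one query; message length is counted in n-bit blocks. The function names are this example's own.

```python
import math

# Block sizes (bits) of the ciphers in the slide's table.
CIPHERS = [("AES128", 128), ("PRESENT", 64), ("KATAN32", 32)]


def blocks_per_message(message_bytes: int, n: int) -> int:
    """Length in n-bit blocks of a message of message_bytes bytes (rounded up)."""
    return -(-message_bytes * 8 // n)


def log2_max_queries(n: int, ell_blocks: int, log2_eps: float, ell_exp: int = 2) -> float:
    """log2 of the largest q with q^2 * ell^ell_exp / 2^n <= eps.

    Solving the bound for q gives log2 q = (n + log2 eps - ell_exp * log2 ell) / 2.
    ell_exp=2 is the form written on the slide; ell_exp=1 reproduces the table.
    """
    return (n + log2_eps - ell_exp * math.log2(ell_blocks)) / 2


def log2_max_length(n: int, log2_q: float, log2_eps: float, ell_exp: int = 2) -> float:
    """The dual question: for a fixed query budget, log2 of the longest message
    (in blocks) the bound still permits."""
    return (n + log2_eps - 2 * log2_q) / ell_exp


def query_limit_table(ciphers, message_bytes: int = 1024, log2_eps: float = -20, ell_exp: int = 1):
    """{cipher name: log2(max q)} for messages of message_bytes bytes."""
    return {
        name: log2_max_queries(n, blocks_per_message(message_bytes, n), log2_eps, ell_exp)
        for name, n in ciphers
    }


if __name__ == "__main__":
    for exp in (1, 2):
        print(f"bound q^2 * ell^{exp} / 2^n <= 2^-20, ell = 1 KB:")
        for name, lq in query_limit_table(CIPHERS, ell_exp=exp).items():
            print(f"  {name:8s} log2(q_max) = {lq:5.1f}  (q_max ~ {2 ** lq:.3g})")
```

Read off the formula, each extra bit of block size buys half a bit of log2 q, while doubling the message length costs b/2 bits; log2_max_length turns the same bound around to answer the question the rest of the talk is about, how long a message may be before a fixed query budget exhausts the bound.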


SLIDE 12

EMAC Bounds

[Plot: the EMAC bound plotted against Number of Queries — q and Message Length — ℓ, with log-scale axis ticks from 2^1 to 2^13 on one axis and from 2^1 to 2^22 on the other.]


SLIDE 15

EMAC Bounds

[Plot: the same EMAC bound against Number of Queries — q and Message Length — ℓ (log-scale axes, 2^1 to 2^13 and 2^1 to 2^22); a question mark marks the region of the plot under discussion.]


SLIDE 18

Switching Schemes

[Plot: Number of Queries — q against Message Length — ℓ (log-scale axes, 2^1 to 2^13 and 2^1 to 2^22), with the bound curves of EMAC, 3kf9, Sum of CBCs, PMAC Plus, PMACX, PMAC w/ Parity and LightMAC.]


SLIDE 21

XOR-Style PRF

PMAC w/ Parity, PMACX, LightMAC

[Figure: the message m is split into blocks x1, x2, x3, x4; each block is encrypted under π and the outputs are XORed together.]

SLIDE 24

PMAC and PHASH

[Figure: PHASH. Each message block m_i (i = 1, ..., 4) is XORed with the mask c_i·ω, encrypted under π, and the outputs are XORed together to give PHASH(m).]

PMAC(m) = OutputTransform(PHASH(m))

PHASH instances (mask sequences c_i):

  • 1. Gray codes
  • 2. Powering up
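As an added example, not code from the talk or from any PMAC implementation, the PHASH layer above written in Python with both mask instances named on the slide. It assumes the masks c_i·ω are computed in GF(2^128) with reduction polynomial x^128 + x^7 + x^2 + x + 1 and ω = π(0); the Gray-code instance uses γ_i = i ⊕ ⌊i/2⌋ and the powering-up instance x^i, as in Rogaway's PMAC and PMAC1/OCB. The permutation π is replaced by HMAC-SHA256 truncated to 128 bits so that the code runs offline, and the output transform is a simplified stand-in; the padding and last-block special case of the real PMAC are left out. All function names are this example's own.

```python
import hashlib
import hmac

N = 128                  # block size n in bits
MASK = (1 << N) - 1
REDUCTION = 0x87         # x^128 = x^7 + x^2 + x + 1 in GF(2^128)


def double(x: int) -> int:
    """Multiply a GF(2^128) element (int, MSB = x^127) by x."""
    x <<= 1
    if x >> N:
        x = (x & MASK) ^ REDUCTION
    return x


def pi(key: bytes, block: int) -> int:
    """Stand-in for the keyed permutation π: HMAC-SHA256 truncated to n bits.
    Assumption for this example only; a keyed PRF suffices to show the PHASH structure."""
    digest = hmac.new(key, block.to_bytes(N // 8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[: N // 8], "big")


def gray_code_masks(omega: int, ell: int) -> list:
    """Gray-code instance: c_i = γ_i·ω with γ_i = i XOR (i >> 1).
    γ_i = γ_{i-1} XOR 2^ntz(i), so each mask is the previous one XOR ω·x^ntz(i)."""
    powers = [omega]          # powers[j] = ω·x^j
    masks, c = [], 0
    for i in range(1, ell + 1):
        ntz = (i & -i).bit_length() - 1
        while len(powers) <= ntz:
            powers.append(double(powers[-1]))
        c ^= powers[ntz]
        masks.append(c)
    return masks


def powering_up_masks(omega: int, ell: int) -> list:
    """Powering-up instance: c_i = x^i·ω."""
    masks, c = [], omega
    for _ in range(ell):
        c = double(c)
        masks.append(c)
    return masks


MASK_SCHEMES = {"gray": gray_code_masks, "power": powering_up_masks}


def split_blocks(message: bytes) -> list:
    """Whole n-bit blocks; the example assumes the message length is a multiple of 16 bytes."""
    assert len(message) % (N // 8) == 0
    return [int.from_bytes(message[i:i + N // 8], "big") for i in range(0, len(message), N // 8)]


def phash(key: bytes, message: bytes, scheme: str) -> int:
    """PHASH(m) = XOR over i of π(m_i XOR c_i·ω), with ω = π(0) derived from the key."""
    blocks = split_blocks(message)
    omega = pi(key, 0)
    masks = MASK_SCHEMES[scheme](omega, len(blocks))
    h = 0
    for m_i, c_i in zip(blocks, masks):
        h ^= pi(key, m_i ^ c_i)
    return h


def pmac(key: bytes, message: bytes, scheme: str) -> int:
    """PMAC(m) = OutputTransform(PHASH(m)). Simplified transform used here: π applied to
    the PHASH value XOR a second key-derived mask."""
    return pi(key, phash(key, message, scheme) ^ pi(key, 1))


def mask_xor_sum(key: bytes, scheme: str, ell: int) -> int:
    """XOR of the first ell masks; zero means the masks of an ell-block message sum to zero."""
    h = 0
    for c in MASK_SCHEMES[scheme](pi(key, 0), ell):
        h ^= c
    return h


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed sample key
    msg = bytes(range(48))                                    # three constructed blocks
    for scheme in MASK_SCHEMES:
        print(scheme, hex(pmac(key, msg, scheme)), "mask sum:", hex(mask_xor_sum(key, scheme, 3)))
```

mask_xor_sum shows the length effect directly: for a three-block message the Gray-code masks satisfy c1 ⊕ c2 ⊕ c3 = 0 whatever the key, while the powering-up masks do not; structure of this kind among the masks is what the collision analysis later in the talk works with.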


SLIDE 28

PMAC Bounds

[Plot: Number of Queries — q against Message Length — ℓ (log-scale axes, 2^1 to 2^13 and 2^1 to 2^22), with the bound curves of PMAC, PMACX, PMAC w/ Parity and LightMAC; a question mark marks the region of the plot under discussion.]


SLIDE 30

Focusing on Collisions

PHASH(m1) = PHASH(m2) implies PMAC(m1) = PMAC(m2)

A PHASH collision implies a PMAC attack.


SLIDE 37

Results

Message length dependence changes according to the masks.

PHASH instances: Gray codes, Powering up

  • Infinitely many instances with collision upper bound 2/2^n
  • Computationally hard to find a high-probability collision (based on a conjecture)
  • Gray-code instances depend on message length


SLIDE 39

Results in Context

[Plot: Number of Queries — q against Message Length — ℓ (log-scale axes, 2^1 to 2^13 and 2^1 to 2^22), with the bound curves of PMAC, PMACX, PMAC w/ Parity and LightMAC.]

SLIDE 40

PHASH vs XOR Hash

[Figure, top: XOR Hash. Each n/2-bit message block m_i is prefixed with its index encoded in n/2 bits (⟨1⟩_{n/2} ∥ m1, ..., ⟨4⟩_{n/2} ∥ m4), encrypted under π, and the outputs are XORed to give XOR Hash(m).]

[Figure, bottom: PHASH. Each block m_i is XORed with the mask c_i·ω, encrypted under π, and the outputs are XORed to give PHASH(m).]


slide-45
SLIDE 45

XOR Hash Collision

π π π π π π π

1n/2 m1 2n/2 m2 3n/2 m3 4n/2 m4 1n/2 m′

1 2n/2 m′ 2 3n/2 m′ 3

+ + + + + +

13

slide-46
SLIDE 46

XOR Hash Collision

π π π π π π π

1n/2 m1 2n/2 m2 3n/2 m3 4n/2 m4 1n/2 m′

1 2n/2 m′ 2 3n/2 m′ 3

+ + + + + +

13


SLIDE 48

PHASH Collision

[Figure: the PHASH of a four-block message (m1 ⊕ c1ω, ..., m4 ⊕ c4ω) side by side with that of a three-block message (m′1 ⊕ c1ω, m′2 ⊕ c2ω, m′3 ⊕ c3ω); each masked block is encrypted under π and the outputs are XORed.]


SLIDE 53

Approach

[Figure: the PHASH diagram (blocks m1..m4 masked with c_i·ω, encrypted under π, outputs XORed), annotated with X² and the mask/message pairs (c1, m1), (c2, m2), (c3, m3), (c4, m4).]


SLIDE 58

Conclusions and Open Problems

PMAC message length dependence is non-trivial

  • 1. What happens with powering up?
  • 2. Optimal masks?
  • 3. Relationship between PMAC and PHASH when the output transform is not independent?

Thank you for your attention.

SLIDE 59

Connection With PHASH Collision Probability

Two messages m1 and m2 collide with probability k/2^n if the corresponding set in X² is evenly covered by k slopes.

Simple proof of ℓ-bound:

SLIDE 60

Set Evenly Covered by Two Slopes

[Figure: a set of four points evenly covered by the slopes 0 and a^−1. The x-coordinates of the points are 0 and a, and the y-coordinates are 0 and 1.]

Guarantees a collision with probability 2/2^n.

SLIDE 61

Set Evenly Covered by Three Slopes

[Figure: a set of four points evenly covered by the slopes 0, a^−1, and b^−1. The x-coordinates of the points are 0, a, b, and c, and the y-coordinates are 0 and 1.]

Exists if and only if a + b + c = 0.

SLIDE 62

Another Set Evenly Covered by Three Slopes

[Figure: a set of points evenly covered by the slopes u, v, and w. Each point is accompanied by another point with the same x-coordinate. The x-coordinates of the pairs, a, b and c, are indicated below the lower points.]

Exists if and only if a² + b² + c² + ab + ac = 0.

SLIDE 63

Evenly Covered Sets in General

The x-coordinates of evenly covered sets satisfy one of the following:

  • 1. They contain a subset summing to zero (NP-complete)
  • 2. They are the solution to a non-trivial binary quadratic form (similar problem NP-complete)

Conjecture: Given S ⊂ X, finding a subset of S satisfying either of the above requirements is computationally hard.

SLIDE 64

Searching for Evenly Covered Sets

Proposition: An evenly covered set with distinct x-coordinates forms a complete graph if and only if the x-coordinates are an additive subgroup of X.

  • 1. For sufficiently long messages, the masks will always contain an additive subgroup.
  • 2. Finding additive subgroups in Gray codes is easy for every power of two.

Success probability of the Gray code attack: (2^(k−1) − 1)/2^n for ℓ = 2^k.
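As an added example, not the authors' code, the two structural conditions from the preceding slides checked mechanically on the mask coefficients of both PHASH instances: a subset of masks summing to zero (condition 1 on evenly covered sets) and an additive subgroup inside the Gray-code masks (point 2 of the proposition). Assumptions: the masks are c_i = γ_i·L (Gray codes, γ_i = i ⊕ ⌊i/2⌋) or c_i = x^i·L (powering up) in GF(2^128) with reduction polynomial x^128 + x^7 + x^2 + x + 1; because multiplication by L is a linear bijection of X, zero-sum subsets and subgroups among the coefficients are present among the masks for every key, so the search needs no key. The function names are this example's own.

```python
from fractions import Fraction
from itertools import combinations

N = 128
MASK = (1 << N) - 1
REDUCTION = 0x87        # x^128 = x^7 + x^2 + x + 1


def double(x: int) -> int:
    """Multiply a GF(2^128) element (int, MSB = x^127) by x."""
    x <<= 1
    if x >> N:
        x = (x & MASK) ^ REDUCTION
    return x


def gray_coefficients(ell: int) -> list:
    """γ_1..γ_ell with γ_i = i XOR (i >> 1); the Gray-code masks are c_i = γ_i·L."""
    return [i ^ (i >> 1) for i in range(1, ell + 1)]


def powering_up_coefficients(ell: int) -> list:
    """x^1..x^ell in GF(2^128); the powering-up masks are c_i = x^i·L."""
    out, c = [], 1
    for _ in range(ell):
        c = double(c)
        out.append(c)
    return out


def find_zero_sum_triple(coeffs: list):
    """1-based block positions (i, j, k) whose coefficients XOR to zero, or None.
    A zero-sum subset of the coefficients is a zero-sum subset of the masks for every L."""
    position = {v: idx for idx, v in enumerate(coeffs)}
    for i, j in combinations(range(len(coeffs)), 2):
        k = position.get(coeffs[i] ^ coeffs[j])
        if k is not None and k > j:
            return (i + 1, j + 1, k + 1)
    return None


def shortest_length_with_zero_sum_triple(coeff_fn, max_ell: int):
    """Smallest message length (in blocks) whose masks contain a zero-sum triple,
    or None if there is none up to max_ell blocks."""
    coeffs = coeff_fn(max_ell)
    position = {v: idx for idx, v in enumerate(coeffs)}
    best = None
    for i, j in combinations(range(max_ell), 2):
        k = position.get(coeffs[i] ^ coeffs[j])
        if k is not None and k > j and (best is None or k < best):
            best = k
    return None if best is None else best + 1


def is_additive_subgroup(values) -> bool:
    """Contains 0 and is closed under XOR, the group operation of X = GF(2^n)."""
    s = set(values) | {0}
    return all((a ^ b) in s for a in s for b in s)


def gray_subgroup(k: int) -> list:
    """{0} ∪ {γ_1, ..., γ_{2^k − 1}}: the Gray code enumerates every value below 2^k,
    so the masks of any message of at least 2^k − 1 blocks contain this subgroup."""
    return sorted(set(gray_coefficients(2 ** k - 1)) | {0})


def gray_attack_success_bound(k: int, n: int = N) -> Fraction:
    """(2^(k−1) − 1)/2^n for ℓ = 2^k, the success probability stated on the slide."""
    return Fraction(2 ** (k - 1) - 1, 2 ** n)


if __name__ == "__main__":
    print("Gray codes: first zero-sum triple at ell =",
          shortest_length_with_zero_sum_triple(gray_coefficients, 64))
    print("Powering up: first zero-sum triple below ell = 128:",
          shortest_length_with_zero_sum_triple(powering_up_coefficients, 127))
    print("Gray subgroup of order 16:", gray_subgroup(4), is_additive_subgroup(gray_subgroup(4)))
    print("Success bound for ell = 2^4, n = 128:", gray_attack_success_bound(4))
```

For the Gray-code instance the first zero-sum triple already appears at ℓ = 3 (γ_1 ⊕ γ_2 ⊕ γ_3 = 1 ⊕ 3 ⊕ 2 = 0) and {0} ∪ {γ_1, ..., γ_{2^k−1}} is a subgroup of order 2^k; for powering up, x^i with distinct i < 128 are distinct monomials and no triple cancels below the reduction degree, which is consistent with the open question on the conclusions slide rather than an answer to it.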