Tight PRF-Security of Double-block Hash-then-Sum MACs (PowerPoint presentation)



SLIDE 1

Tight PRF-Security of Double-block Hash-then-Sum MACs

Seongkwang Kim, Byeonghak Lee, Jooyoung Lee (KAIST)

SLIDE 2

Outline

  • Introduction
    • Message Authentication Code
    • Double-block Hash-then-Sum paradigm
  • Our Contribution
    • Tight security proof of DbHtS MACs
    • Refining Mirror theory
  • Conclusion

SLIDE 3

Message Authentication Code (MAC)

  • Symmetric-key functions that guarantee message integrity (and origin authenticity)
  • Alice computes the tag $T = \mathrm{MAC}_K(M)$ and sends $(M, T)$ to Bob
  • Bob checks whether the tag is valid by recomputing $\mathrm{MAC}_K(M)$ and comparing it with the received $T$

Figure: Alice sends $(M, T)$ with $T = \mathrm{MAC}_K(M)$; Bob recomputes $\mathrm{MAC}_K(M)$ and checks $T \stackrel{?}{=} \mathrm{MAC}_K(M)$.

SLIDE 4

Message Authentication Code (MAC)

(Same bullets as slide 3; the figure now includes an attacker.)

Figure: as in slide 3, with Eve on the channel injecting a forged pair $(M', T')$.

SLIDE 5

MAC Security

  • Unforgeability
    • Infeasible to generate a new valid message/tag pair $(M', T')$
  • PRF-security
    • Infeasible to distinguish $\mathrm{MAC}_K$ from a random variable-input-length (VIL) function
  • Secure VIL PRF $\Rightarrow$ secure MAC (the implication is one-directional: an unforgeable MAC need not be a PRF)

Figure: as in slide 3, with Eve attempting a forgery $(M', T')$.

SLIDE 6

Distinguishing Game

  • Adversary $\mathcal{A}$ makes $q$ queries to its oracle (either $\mathrm{MAC}_K$ or a random VIL function $F$)
  • Each query has length at most $\ell$ blocks
  • Transcript $\tau = \big((M_1, T_1), \ldots, (M_q, T_q)\big)$
  • $\mathrm{Adv}(q, \ell) := \Pr[\mathcal{A} \text{ correctly determines the world it interacts with}] - \tfrac{1}{2}$

Figure: $\mathcal{A}$ talks to $\mathrm{MAC}_K$ in the real world or to a random VIL function $F$ in the ideal world, and must output "Real" or "Ideal".

SLIDE 7

Why BBB-Security?

  • Most popular MACs provide only birthday-bound security
    • With an $n$-bit block cipher, only $n/2$-bit security: the bound becomes vacuous around $2^{n/2}$ queries
  • In lightweight cryptography, small blocks (64 bits / 80 bits) are preferred
    • Birthday-bound security is insufficient there (with 64-bit blocks, $2^{32}$ blocks is only 32 GB of data)
  • Beyond-Birthday-Bound (BBB) secure MACs are needed!

Table*: Data limits of MACs using 64-bit blocks to ensure that the advantage is less than $2^{-10}$ when each message is shorter than 512 KB

Construction   Key bits   # of allowed queries
ECBC           64         $2^{25}$
PMAC           128        $2^{18}$

*Example chosen by Datta et al., in "Double-block Hash-then-Sum: A Paradigm for Constructing BBB Secure PRF"

SLIDE 8

BBB-Secure MACs

  • Ideal-cipher / tweakable-block-cipher based MACs
    • ZMAC [IMPS17], ZMAC+ [LN17], HaT, HaK [CLS17]
    • Highly secure MACs, but built from strong primitives
  • Block-cipher based MACs?
    • UHF-then-PRF* style MACs with an $n$-bit internal state provide only $n/2$-bit security
    • Idea: use a $2n$-bit state $\Rightarrow$ Double-block Hash-then-Sum (DbHtS) paradigm [DDNP19]
    • SUM-ECBC, 3kf9, PMAC-Plus, LightMAC-Plus
    • Their security had been proved only up to $O(2^{2n/3})$ queries

Figure: the DbHtS structure. $M$ is hashed to the $2n$-bit value $(F_{K_h}(M), G_{K_h}(M))$; the two $n$-bit halves are encrypted with $E_{K_1}$ and $E_{K_2}$ and the outputs are XORed: $T = E_{K_1}(F_{K_h}(M)) \oplus E_{K_2}(G_{K_h}(M))$.

*Universal Hash Function then Pseudorandom Function

SLIDE 9

Double-Block Hash-then-Sum

  • The first BBB-secure block-cipher-based MACs

SUM-ECBC [Yasuda, CT-RSA 2010]
  • Two independent CBC chains, each encrypted under its own key and XORed

PMAC-Plus [Yasuda, CRYPTO 2011]
  • Parallelizable, rate-1, with BBB security

SLIDE 10

Double-Block Hash-then-Sum

LightMAC-Plus [Naito, ASIACRYPT 2017]
  • Message-length-independent security

3kf9 [Zhang et al., ASIACRYPT 2012]
  • 3GPP-MAC + ECBC
  • Rate-1 without field multiplications
SLIDE 11

Generic Attacks on DbHtS MACs

  • Generic attacks with $O(2^{3n/4})$ queries [LNS18]
  • They exploit the difference between the Xor of Permutations (XoP), $P(x) \oplus Q(y)$, and an ideal $2n$-to-$n$-bit function

Figure: the DbHtS structure, $T = E_{K_1}(F_{K_h}(M)) \oplus E_{K_2}(G_{K_h}(M))$.

Take four queries whose hash values form an alternating cycle: $F_{K_h}(M_1) = F_{K_h}(M_2)$, $G_{K_h}(M_2) = G_{K_h}(M_3)$, $F_{K_h}(M_3) = F_{K_h}(M_4)$, $G_{K_h}(M_4) = G_{K_h}(M_1)$. Then

$E_{K_1}(F_{K_h}(M_1)) \oplus E_{K_2}(G_{K_h}(M_1)) = T_1$
$E_{K_1}(F_{K_h}(M_2)) \oplus E_{K_2}(G_{K_h}(M_2)) = T_2$
$E_{K_1}(F_{K_h}(M_3)) \oplus E_{K_2}(G_{K_h}(M_3)) = T_3$
$E_{K_1}(F_{K_h}(M_4)) \oplus E_{K_2}(G_{K_h}(M_4)) = T_4$

$\Rightarrow T_1 \oplus T_2 \oplus T_3 \oplus T_4 = 0$, since every block-cipher output appears exactly twice and cancels. For a random $2n$-to-$n$-bit function the four outputs XOR to zero only with probability $2^{-n}$.

Gap exists between the best known attacks ($2^{3n/4}$ queries) and the provable security bounds ($2^{2n/3}$ queries)!
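The four-query relation above can be checked on a toy instance. The following Python is an added example, not code from the talk or the paper: it instantiates SUM-ECBC with an 8-bit block (random permutations stand in for $E_K$, as after the PRP switch), finds four two-block messages whose CBC hash values form the alternating cycle, and confirms that their tags XOR to zero, while four outputs of a random function do so with probability only $2^{-n}$. The class and function names, the key constants `0x11 .. 0x44`, the seed and the block size are all made up for the illustration. To keep the search short, the example reads the hash values $(U, V)$ directly; the real [LNS18] adversary sees only tags and needs about $2^{3n/4}$ queries to detect the structure.

```python
"""Toy SUM-ECBC (a DbHtS MAC) over 8-bit blocks and the alternating four-cycle
of hash collisions exploited by [LNS18].  Added example; not the paper's code.
The block cipher is replaced by a random permutation (the PRP switch) and all
keys / seeds below are made-up constants."""
import random
from itertools import combinations

N_BITS = 8                      # toy block size; real constructions use n = 64 or 128
BLOCKS = 1 << N_BITS


def keyed_permutation(key):
    """Stand-in for E_K: a random permutation of {0,1}^n derived from the key."""
    table = list(range(BLOCKS))
    random.Random(key).shuffle(table)
    return table


def cbc_hash(perm, message):
    """CBC chain over n-bit blocks with no final encryption: the hash layer of ECBC."""
    state = 0
    for block in message:
        state = perm[state ^ block]
    return state


class ToySumECBC:
    """SUM-ECBC: T = E_K1(CBC_K3(M)) xor E_K2(CBC_K4(M)).
    (U, V) = (CBC_K3(M), CBC_K4(M)) is the 2n-bit double-block hash."""

    def __init__(self, k1, k2, k3, k4):
        self.p, self.q = keyed_permutation(k1), keyed_permutation(k2)
        self.h1, self.h2 = keyed_permutation(k3), keyed_permutation(k4)

    def double_hash(self, message):
        return cbc_hash(self.h1, message), cbc_hash(self.h2, message)

    def tag(self, message):
        u, v = self.double_hash(message)
        return self.p[u] ^ self.q[v]


def find_alternating_4cycle(mac, messages):
    """Return [M1, M2, M3, M4] with U1 = U2, V2 = V3, U3 = U4, V4 = V1, or None.
    Two distinct U-values that share the same pair {V, V'} close the cycle; with
    n = 8 and a few thousand messages such a pair collision is essentially certain."""
    by_pair = {}                                  # (U, V) -> one message hashing to it
    for m in messages:
        by_pair.setdefault(mac.double_hash(m), m)
    by_u = {}
    for u, v in by_pair:
        by_u.setdefault(u, []).append(v)
    seen = {}                                     # (V, V') with V < V'  ->  U
    for u, vs in by_u.items():
        for v1, v3 in combinations(sorted(vs), 2):
            if (v1, v3) in seen:
                u_other = seen[(v1, v3)]
                return [by_pair[(u_other, v1)], by_pair[(u_other, v3)],
                        by_pair[(u, v3)], by_pair[(u, v1)]]
            seen[(v1, v3)] = u
    return None


def xor_of_tags(mac, messages):
    """Real world: XOR of the tags of the given messages (0 for a four-cycle)."""
    acc = 0
    for m in messages:
        acc ^= mac.tag(m)
    return acc


def ideal_zero_sum_rate(trials, seed=0):
    """Ideal world: four outputs of a random n-bit function XOR to 0 w.p. 2^-n."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        t1, t2, t3, t4 = (rng.randrange(BLOCKS) for _ in range(4))
        hits += (t1 ^ t2 ^ t3 ^ t4 == 0)
    return hits / trials


def demo(seed=2020, n_messages=4096):
    """Build the toy MAC, search a four-cycle among random two-block messages and
    return (cycle, tag_xor); tag_xor is 0 whenever a cycle was found."""
    rng = random.Random(seed)
    mac = ToySumECBC(k1=0x11, k2=0x22, k3=0x33, k4=0x44)      # made-up keys
    messages = {(rng.randrange(BLOCKS), rng.randrange(BLOCKS)) for _ in range(n_messages)}
    cycle = find_alternating_4cycle(mac, sorted(messages))
    return cycle, (xor_of_tags(mac, cycle) if cycle else None)


if __name__ == "__main__":
    cycle, s = demo()
    print("cycle messages:", cycle)
    print("T1^T2^T3^T4 in the real world:", s)
    print("fraction of zero sums for a random function:", ideal_zero_sum_rate(20000))
```

The cycle search is the bipartite-graph view of slide 17 in disguise: $U$-values and $V$-values are the two vertex classes, each message is an edge, and the four messages are a 4-cycle. Running `demo()` prints a zero real-world XOR every time, while the random-function rate stays near $1/256$.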

SLIDE 12

Outline

  • Introduction
    • Message Authentication Code
    • Double-block Hash-then-Sum paradigm
  • Our Contribution
    • Tight security proof of DbHtS MACs
    • Refining Mirror theory
  • Conclusion

SLIDE 13

Tight Security of DbHtS MACs

  • Proved $3n/4$-bit security of DbHtS MACs
  • Closed the gap between the generic attacks and the provable security bounds
  • Identified the properties required of the underlying hash functions

Table: Security bounds of DbHtS MACs (constants omitted). $q$ denotes the number of queries, $\ell$ the maximum block length, and $s$ the length of the counter prefix in LightMAC-Plus.

Construction    # Keys   Rate        Old bound                          New bound
PolyMAC         4        -           $\ell^2 q^3 / 2^{2n}$              $\ell^3 q^4 / 2^{3n}$
SUM-ECBC        4        1/2         $\ell^2 q / 2^n + q^3 / 2^{2n}$    $\ell^3 q^4 / 2^{3n}$
PMAC-Plus       3        1           $\ell q^3 / 2^{2n}$                $\ell^2 q^4 / 2^{3n} + \ell^2 q / 2^n$
3kf9            3        1           $\ell^4 q^3 / 2^{2n}$              $\ell^6 q^4 / 2^{3n}$
LightMAC-Plus   3        $1 - s/n$   $q^3 / 2^{2n}$                     $q^4 / 2^{3n}$

SLIDE 14

Comparison of Security Bounds for PMAC-Plus

Figure: Upper bounds on the distinguishing advantage for PMAC and PMAC-Plus. The $x$-axis gives the log of the number of queries and the $y$-axis the security bound. Curves: PMAC, PMAC-Plus (old bound), PMAC-Plus (new bound).

SLIDE 15

H-Coefficient Technique

  • PRP switch
    • Replace $E_{K_1}$ and $E_{K_2}$ by independent random permutations $P$ and $Q$, at the cost of the PRP advantage of $E$
  • Transcript: the hash key $K_h$ is appended to the transcript (revealed once all queries are made), so each query can be rewritten in terms of its hash outputs:
    $\tau = \big((M_1, T_1), \ldots, (M_q, T_q), K_h\big) \;\Rightarrow\; \tau = \big((U_1, V_1, T_1), \ldots, (U_q, V_q, T_q)\big)$
    where $U_i = F_{K_h}(M_i)$ and $V_i = G_{K_h}(M_i)$
  • $T_{\mathrm{id}}$: probability distribution of $\tau$ in the ideal world
  • $T_{\mathrm{re}}$: probability distribution of $\tau$ in the real world

Figure: real world ($\mathrm{MAC}_K$ with $E_{K_1}, E_{K_2}$ replaced by $P, Q$) versus ideal world (random VIL function); $U = F_{K_h}(M)$, $V = G_{K_h}(M)$, $T = P(U) \oplus Q(V)$.

SLIDE 16

H-Coefficient Technique

  • Define a suitable set of bad transcripts, then upper bound $\epsilon_{\mathrm{bad}}$ and $\epsilon_{\mathrm{ratio}}$
  • $\Pr[T_{\mathrm{id}} = \tau]$ is easy to compute, while $\Pr[T_{\mathrm{re}} = \tau]$ is the challenging part

H-coefficient lemma (informal). If there exist $\epsilon_{\mathrm{bad}}, \epsilon_{\mathrm{ratio}}$ such that
  1) for a set of bad transcripts $\mathcal{T}_{\mathrm{bad}}$, $\Pr[T_{\mathrm{id}} \in \mathcal{T}_{\mathrm{bad}}] \le \epsilon_{\mathrm{bad}}$, and
  2) for every attainable $\tau \notin \mathcal{T}_{\mathrm{bad}}$, $\dfrac{\Pr[T_{\mathrm{re}} = \tau]}{\Pr[T_{\mathrm{id}} = \tau]} \ge 1 - \epsilon_{\mathrm{ratio}}$,
then $\mathrm{Adv} \le \epsilon_{\mathrm{bad}} + \epsilon_{\mathrm{ratio}}$.

SLIDE 17

Proof Sketch

  • Step 1: Represent the transcript as a graph
    • Each query $i$ gives an affine equation between two unknowns, $P(U_i) \oplus Q(V_i) = T_i$; draw it as an edge between the vertices $P(U_i)$ and $Q(V_i)$, labelled $T_i$
    • Since we target BBB security, hash collisions ($U_i = U_j$ or $V_i = V_j$) must be tolerated
      $\Rightarrow$ edges may share vertices and form larger connected components

Figure: $U = F_{K_h}(M)$, $V = G_{K_h}(M)$, $x = P(U)$, $y = Q(V)$, $T = x \oplus y$.

SLIDE 18

Proof Sketch

  • Step 2: Identify bad graphs
    • Some transcript graphs lead to a contradiction!
    • When the graph contains a cycle
    • When the graph contains a path of even length whose tag sum is 0 (degeneracy)

Figure: two bad graphs.
  Cycle: $P(U) \oplus Q(V) = T$ and $P(U) \oplus Q(V) = T'$ with $T \ne T'$ (two queries with the same $(U, V)$ but different tags cannot come from fixed permutations).
  Degeneracy: $P(U) \oplus Q(V) = T$ and $P(U) \oplus Q(V') = T$ with $V \ne V'$ (an even-length path with zero tag sum forces $Q(V) = Q(V')$, contradicting that $Q$ is a permutation).
  This event was used to break DbHtS in [LNS18].

SLIDE 19

Proof Sketch

  • Step 3: Upper bound the probability of obtaining a bad graph in the ideal world ($= \epsilon_{\mathrm{bad}}$)

  Bad1: $U_i = U_j$ & $V_i = V_j$
  Bad2: $U_i = U_j$ & $T_i = T_j$
  Bad3: $V_i = V_j$ & $T_i = T_j$
  Bad4: $V_i = V_j$ & $U_j = U_k$ & $V_k = V_l$ & $T_i \oplus T_j \oplus T_k \oplus T_l = 0$
  Bad5: $U_i = U_j$ & $V_j = V_k$ & $U_k = U_l$

  (for distinct query indices $i, j, k, l$)

  No Bad1 & no Bad5 $\Rightarrow$ no cycle
  No Bad2 – Bad5 $\Rightarrow$ no even-length trail with zero tag sum

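Steps 2 and 3 of the proof sketch can be turned into a mechanical check on a transcript. The following Python is an added example, not part of the talk or the paper: it builds the transcript graph of slide 17 from $(U_i, V_i, T_i)$ triples and flags the two kinds of bad transcript, a cycle or an even-length path whose tag labels XOR to zero. The idea behind the second check: in a cycle-free component (a tree) the XOR of labels along the path between two vertices equals the XOR of their "potentials" from the BFS root, and a path has even length exactly when both endpoints lie on the same side ($P$-side or $Q$-side), so a zero-sum even path shows up as two same-side vertices with equal potential. The function names and the sample transcripts are constructed for the illustration; the samples exercise Bad1, Bad2 and Bad4 from slide 19.

```python
"""Transcript-graph checker for the DbHtS proof sketch.  Added example, not
from the slides or the paper.  Query i contributes the edge P(U_i) -- Q(V_i)
labelled T_i; a transcript is bad if the graph has a cycle or an even-length
path whose labels XOR to zero.  The sample transcripts below are constructed."""
from collections import deque


def build_graph(transcript):
    """transcript: list of (U_i, V_i, T_i).  Vertices are ('P', U) and ('Q', V);
    the adjacency maps a vertex to [(neighbour, tag, query_index), ...]."""
    adj = {}
    for i, (u, v, t) in enumerate(transcript):
        a, b = ('P', u), ('Q', v)
        adj.setdefault(a, []).append((b, t, i))
        adj.setdefault(b, []).append((a, t, i))
    return adj


def find_bad_events(transcript):
    """Return a list of findings (strings); an empty list means a good transcript."""
    adj = build_graph(transcript)
    findings = []
    potential = {}          # vertex -> XOR of labels on the BFS-tree path from its root
    used_edges = set()      # query indices already walked (tree edges and closed cycles)
    for root in adj:
        if root in potential:
            continue                                # already part of an explored component
        potential[root] = 0
        same_side = {(root[0], 0): root}            # (side, potential) -> first vertex seen
        queue = deque([root])
        while queue:
            x = queue.popleft()
            for y, t, i in adj[x]:
                if i in used_edges:
                    continue                        # the edge we arrived on, or one already reported
                used_edges.add(i)
                if y in potential:
                    findings.append(f"cycle: query {i} joins {x} and {y}, which are already connected")
                    continue
                potential[y] = potential[x] ^ t
                key = (y[0], potential[y])
                if key in same_side:
                    findings.append(f"degeneracy: even path with zero tag sum between {same_side[key]} and {y}")
                else:
                    same_side[key] = y
                queue.append(y)
    return findings


def is_good_transcript(transcript):
    return not find_bad_events(transcript)


# Constructed 8-bit sample transcripts, as (U, V, T) triples.
GOOD = [(1, 1, 0x3A), (1, 2, 0x5C), (3, 2, 0x11), (4, 7, 0x80)]   # a forest with distinct potentials
BAD1 = [(5, 9, 0x3C), (5, 9, 0x51)]                               # same (U, V), different tags: 2-cycle
BAD2 = [(5, 9, 0x3C), (5, 12, 0x3C)]                              # same U and same T: forces Q(9) = Q(12)
BAD4 = [(1, 1, 0x10), (2, 1, 0x20), (2, 3, 0x40), (4, 3, 0x70)]   # V,U,V chain with T_i^T_j^T_k^T_l = 0

if __name__ == "__main__":
    for name, tr in [("GOOD", GOOD), ("BAD1", BAD1), ("BAD2", BAD2), ("BAD4", BAD4)]:
        print(name, find_bad_events(tr) or "good transcript")
```

The four-cycle of slide 11 is itself a cycle in this graph ($P(U_1)$, $Q(V_1)$, $P(U_3)$, $Q(V_3)$), so it is caught by the first check; in the real world such a transcript is consistent with the permutations, but it is a transcript the proof must exclude from the good set because its ideal-world probability is not matched by the real world.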
SLIDE 20

Proof Sketch

  • Step 4: Apply Patarin's Mirror theory to upper bound $\epsilon_{\mathrm{ratio}}$
    • Mirror theory evaluates the number of solutions of a system of affine equations $P(U_i) \oplus Q(V_i) = T_i$ over permutations $P, Q$ $\Rightarrow$ this gives $\Pr[T_{\mathrm{re}} = \tau]$
  • Mirror theory has to be extended!
    • The original Mirror theory applies only when the maximum size of a connected component is bounded
    • This is not the case for DbHtS (hash collisions can chain into components of arbitrary size)
    • We relaxed the constraint to allow a component of arbitrary size
    • Instead, the ratio of the number of connected edges (edges sharing a vertex with another edge) to the total number of edges must be bounded

SLIDE 21

Refined Mirror Theory

  • Patarin's Mirror theory
  • Our refinement is the first that allows a component of arbitrary size while still reaching $3n/4$-bit security (concurrent work with [JN20])

Table: Mirror theory results

Authors                        Publication       Application   Max comp. size   Security
Patarin                        eprint 2010/287   XoP           2                $n$
Patarin                        eprint 2010/293   Feistel       $2^n/q$          $n$
Mennink, Neves                 CRYPTO 17         EWCDM         2                $n$
Datta, Dutta, Nandi, Yasuda    CRYPTO 18         DWCDM         3                $2n/3$
Dutta, Nandi, Talnikar         EUROCRYPT 19      CWC+          $2^n/q$          $2n/3$
Mennink                        TCC 18            CLRW2         4                $3n/4$
Jha, Nandi                     JoC 20            CLRW2         Any 1)           $3n/4$
This work                      EUROCRYPT 20      DbHtS         Any 2)           $3n/4$

1) Without a path of length 3
2) With a bounded number of connected edges

SLIDE 22

Result

  • Security of DbHtS MACs built from two independent $\delta$-universal hash functions $F$ and $G$
  • Security of PMAC-Plus

SLIDE 23

Conclusion

  • Proved tight security bounds for DbHtS MACs
    • PolyMAC, SUM-ECBC, 3kf9, PMAC-Plus, LightMAC-Plus are PRFs up to $2^{3n/4}$ queries
    • All the bounds are tight in terms of the threshold number of queries (matching the $2^{3n/4}$-query attacks of [LNS18])
  • Future work
    • Find better security bounds that account for the influence of the message length $\ell$
    • Find tight security bounds for key-reduced variants of DbHtS MACs

SLIDE 24

Thank you

Q&A : lbh0307@kaist.ac.kr