
New Bounds for PMAC, TMAC, and XCBC

New Bounds for PMAC, TMAC, and XCBC. Kazuhiko Minematsu and Toshiyasu Matsushima, NEC Corp. and Waseda University. Fast Software Encryption 2007, March 26-28, Luxembourg City, Luxembourg. Introduction. Message authentication code (MAC) from block ciphers (BCs)


Presentation Transcript


  1. New Bounds for PMAC, TMAC, and XCBC Kazuhiko Minematsu and Toshiyasu Matsushima, NEC Corp. and Waseda University Fast Software Encryption 2007, March 26-28, Luxembourg City, Luxembourg

  2. Introduction • Message authentication code (MAC) from block ciphers (BCs) • “BC-only” modes: no special function other than a block cipher; e.g., Encrypted CBC-MAC (EMAC)

  3. Security notion of MACs • Advantage in distinguishing MAC from the (keyed) random oracle (RO), , using CPA • Small advantage implies small MAC forgery prob. (but not vice versa) • Notation (symbols not recovered from the slide): the number of queries; the max. message length (in n-bit blocks) a query can contain; the total number of queried blocks • Note: We only consider the info-theoretic security, but our results have simple computational counterparts

  4. Related works on EMAC • Previous EMAC security bound is: • when it is implemented w/ two n-bit uniform random permutations (URPs), and [BR00] (figure: EMAC w/ two URPs; callout: room for improvement?)

  5. Related works on EMAC (contd.) • Bellare, Pietrzak, and Rogaway [BPR05]: is a function that grows very slowly with (much smaller than ) • Note: Pietrzak [P06] obtained a tighter bound for a range of parameters • If , the bound is roughly

  6. Our contribution • New security bounds for • PMAC (a parallelizable MAC) • TMAC and XCBC (successors of EMAC) • Old: or • New: for PMAC, and for TMAC & XCBC • compared w/ , from quadratic to (almost) linear degradation wrt • compared w/ , better in most (but not all) cases

  7. Analysis of PMAC

  8. PMAC (Black-Rogaway [BR02], Rogaway [R04]) • Hashing with mask-encrypt-sum (PHASH) • still BC-only: masks are generated w/ few bitshifts and XORs (figure: PHASH input; PMAC, [R04] version w/ 128-bit block size)

  9. Overview of old proof [R04] • “Perfect” PMAC using independent URPs as an intermediate function • Use triangle inequality (figure: PMAC, Perfect PMAC, RO) • Old bound: (also , as )

  10. Overview of new proof • A different intermediate function, the modified PMAC (MPMAC) • PHASH + independent finalization (figure: RO, PMAC, MPMAC)

  11. MPMAC vs. Random Oracle • What we need is: (a stronger form of ) differential probability of PHASH (figure: one term used for MPMAC vs. RO, the other for PMAC vs. MPMAC)

  12. Diff. probability of PHASH • A subset of input blocks may generate the same URP input • Odd (Even) collision involves odd (even) number of input blocks • Let denote odd collisions with non-zero URP inputs • Then, critical event is , as it implies the sum = 0 or w/ prob. 1 (as ) (figure: examples of an even collision and an odd collision)

  13. Diff. probability of PHASH (contd.) • is at most • Given , PHASH sum is almost uniform (point probability is at most ) • Lemma 2: for any • From Lemma 2, the advantage between MPMAC and RO is:
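The parity argument behind slides 12 and 13 (URP inputs that occur an even number of times across two messages cancel in the XOR sum, so only odd collisions matter) can be checked on a toy model. This is an added example, not code from the paper: it assumes a 16-bit block, a URP modelled as a shuffled table, and masks Δ_i = 2^i·L via doubling modulo an assumed polynomial; the real PMAC mask schedule and 128-bit block size are not reproduced.

```python
"""Toy model of PHASH's mask-encrypt-sum (added example; assumptions noted)."""
import random
from collections import Counter

BLOCK_BITS = 16
MASK = (1 << BLOCK_BITS) - 1
POLY = 0x1002D  # assumed reduction polynomial for GF(2^16) doubling (toy only)

def make_urp(seed: int) -> list:
    """Uniform random permutation on 16-bit blocks, modelled as a shuffled table."""
    table = list(range(1 << BLOCK_BITS))
    random.Random(seed).shuffle(table)
    return table  # table[x] = P(x)

def double(x: int) -> int:
    """Multiply by 2 in GF(2^16): one shift plus a conditional XOR (bitshift-and-XOR masking)."""
    x <<= 1
    if x >> BLOCK_BITS:
        x ^= POLY
    return x & MASK

def phash_inputs(blocks: list, L: int) -> list:
    """URP inputs of mask-encrypt-sum: block_i XOR Delta_i with Delta_i = 2^i * L."""
    inputs, delta = [], L
    for b in blocks:
        delta = double(delta)
        inputs.append(b ^ delta)
    return inputs

def phash(urp: list, blocks: list, L: int) -> int:
    """XOR of P(block_i XOR Delta_i) over all blocks."""
    s = 0
    for x in phash_inputs(blocks, L):
        s ^= urp[x]
    return s

def odd_collision_inputs(inputs_m: list, inputs_m2: list) -> list:
    """URP inputs occurring an odd number of times across both messages (the only ones that survive XOR)."""
    c = Counter(inputs_m) + Counter(inputs_m2)
    return sorted(x for x, n in c.items() if n % 2 == 1)

def check(seed: int, m: list, m2: list, L: int) -> tuple:
    """Return (PHASH(m) == PHASH(m2), no odd collision). The lemma says the first follows from the second."""
    urp = make_urp(seed)
    odd = odd_collision_inputs(phash_inputs(m, L), phash_inputs(m2, L))
    return (phash(urp, m, L) == phash(urp, m2, L), len(odd) == 0)

def demo() -> tuple:
    L = 0x1234                          # constructed secret mask seed
    a, b, c = 0x0A0A, 0x0B0B, 0x0C0C    # constructed message blocks
    d1 = double(L); d2 = double(d1)
    m, m_even, m_odd = [a, b], [b ^ d1 ^ d2, a ^ d1 ^ d2], [a, c]
    return (check(7, m, m_even, L), check(7, m, m_odd, L))  # -> ((True, True), (False, False))
```

In `demo()` the first pair shares its URP-input multiset (every input occurs twice), so the sums coincide for every URP; the second pair leaves two inputs with odd multiplicity, and a permutation maps distinct inputs to distinct outputs, so the sums differ.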

  14. PMAC vs. MPMAC • Four “good” events defined as: the sets of URP inputs in PHASH and in the finalization (+ dummy mask for MPMAC) have no intersection • Using Maurer’s method [M02], the advantage is at most the max. prob. of “bad” events in MPMAC, denoted by

  15. New bound for PMAC • A careful analysis using Lemma 2 provides (figure: PMAC, MPMAC, RO) • Theorem 2: if

  16. Comparison of new and old bounds • New ( ) < old ( ) iff • Ex: • New bound is 2^-32, old bound is 2^-48 to 2^-16 • If 99.9% of messages are one-block, old bound is better • If at least 1% of messages are -block, new bound is better (if we ignore constants) • As long as there is a small (but not too small) fraction of long messages, the new bound is better • Much better under some practical cases (e.g., all messages have similar lengths)

  17. Analysis of TMAC and XCBC

  18. TMAC [KI03] and XCBC [BR00] • Successors of EMAC • fewer BC calls (no double encryption) • one BC key + one or two n-bit keys (figure: TMAC; is independent of )

  19. Proof sketch for TMAC (XCBC is the same) • Modified TMAC (MTMAC) and bad events similar to those for PMAC • Adv. between TMAC and MTMAC is • much simpler analysis due to the independence of • Adv. between MTMAC and RO is EMAC bound of [BPR05], i.e.,

  20. New bounds for TMAC and XCBC • Old bounds are or for [BR00][KI03][IK03s] • TMAC’s new bound is: Theorem 3 (XCBC’s bound is the same) • Bound comparison is almost the same as PMAC’s case, in case the second term is negligible

  21. Short comments on OMAC [IK03o] • OMAC (aka CMAC) is one-key CBC-MAC • improvement to TMAC and XCBC • mask is or , where • MOMAC and bad events are similarly defined • however, the probabilities of some new bad events have to be evaluated such as • an extension of CBC collision analysis [BPR05] is needed (open problem)

  22. Conclusion • New bounds for PMAC, TMAC, and XCBC • from quadratic to (almost) linear degradation wrt the max. message length • Future directions • OMAC • further improvement (still far from the lower bound )

  23. Thank you!
