New Bounds for PMAC, TMAC, and XCBC
Kazuhiko Minematsu and Toshiyasu Matsushima, NEC Corp. and Waseda University
Fast Software Encryption 2007, March 26-28, Luxembourg City, Luxembourg
Introduction
Message authentication code (MAC) from block ciphers (BCs)
“BC-only” modes: no special function other than a block cipher
Ex. Encrypted CBC-MAC (EMAC)
Security notion of MACs
Advantage in distinguishing MAC from the (keyed) random oracle (RO), , using CPA
Small advantage implies small MAC forgery prob.
Note: We only consider the info-theoretic security, but our results have simple computational counterparts
: number of queries
: max. message length (in n-bit)
: total number of queried blocks
can contain
(but not vice versa)
Related works on EMAC
Previous EMAC security bound is:
when it is implemented w/ two n-bit uniform random permutations (URPs), and
EMAC w/ two URPs
[BR00]
room for improvement?
Related works on EMAC (contd.)
Bellare, Pietrzak, and Rogaway [BPR05]
is a function that grows very slowly with
Note: Pietrzak [P06] obtained a tighter bound for a range of parameters
(much smaller than )
If , the bound is roughly
Our contribution
New security bounds for PMAC (a parallelizable MAC), and for TMAC and XCBC (successors of EMAC)
Old: or
New: for PMAC, and for TMAC & XCBC
compared w/ , from quadratic to (almost) linear degradation wrt
compared w/ , better in most (but not all) cases
Analysis of PMAC
PMAC (Black-Rogaway[BR02], Rogaway[R04])
Hashing with mask-encrypt-sum (PHASH)
Still BC-only: masks are generated w/ a few bit shifts and XORs
(figure: PMAC, [R04] version w/ 128-bit block size; labels: PHASH, input)
Overview of old proof [R04]
“Perfect” PMAC using independent URPs as an intermediate function
Use triangle inequality
(figure: triangle inequality between PMAC, Perfect PMAC, and RO)
Old bound: (also , as )
Overview of new proof
A different intermediate function, the modified PMAC (MPMAC): PHASH + independent finalization
(figure: triangle inequality between PMAC, MPMAC, and RO)
MPMAC vs. Random Oracle
What we need is: (a stronger form of ) differential probability of PHASH
(figure: PHASH diagram)
used for MPMAC vs. RO
used for PMAC vs. MPMAC
Diff. probability of PHASH
A subset of input blocks may generate the same URP input
An odd (even) collision involves an odd (even) number of input blocks
Let denote odd collisions with non-zero URP inputs
Then, critical event is , as it implies the sum = 0 or w/ prob. 1 (as )
(figure: PHASH with an even collision and an odd collision marked)
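The PHASH structure of slide 8 (mask-encrypt-sum) and the URP-input collisions of this slide, as an added simulation that is not code from the talk or from [R04]. It models the block cipher as a toy uniform random permutation on n = 8 bits so that collisions are easy to build, and it assumes a mask schedule Delta_i = 2^i * L with L = P(0) and GF(2^8) doubling modulo the AES polynomial; the slides state only that masks come from bit shifts and XORs, so the schedule, the block size and the sample messages are constructed here. The even-collision helper needs L, which a real adversary does not have; it only illustrates why two messages whose hashed blocks hit the same multiset of URP inputs give PHASH differential zero with probability 1.

```python
# Added illustration (not the paper's code): PMAC-style PHASH over a toy
# n-bit uniform random permutation (URP), plus a URP-input collision check.
# Assumptions not on the slides: n = 8, masks Delta_i = 2^i * L with L = P(0),
# GF(2^8) doubling modulo x^8+x^4+x^3+x+1 (the AES polynomial).
import random
from collections import Counter

N_BITS = 8
MASK = (1 << N_BITS) - 1
REDUCTION_POLY = 0x1B   # x^8+x^4+x^3+x+1 without the x^8 term (assumed)


def make_urp(seed):
    """Uniform random permutation on {0,1}^n as a lookup table (toy URP)."""
    table = list(range(1 << N_BITS))
    random.Random(seed).shuffle(table)
    return table


def gf_double(x):
    """Multiply by 2 in GF(2^n): one shift and one conditional XOR."""
    x <<= 1
    if x & (1 << N_BITS):
        x ^= (1 << N_BITS) | REDUCTION_POLY
    return x & MASK


def masks(L, count):
    """Delta_1..Delta_count = 2^1 L, ..., 2^count L (assumed schedule)."""
    out, cur = [], L
    for _ in range(count):
        cur = gf_double(cur)
        out.append(cur)
    return out


def urp_inputs(blocks, L):
    """The values M_i xor Delta_i that PHASH feeds into the URP."""
    return [m ^ d for m, d in zip(blocks, masks(L, len(blocks)))]


def phash(P, blocks):
    """Mask-encrypt-sum: XOR of P(M_i xor Delta_i) over the hashed blocks."""
    L = P[0]
    acc = 0
    for x in urp_inputs(blocks, L):
        acc ^= P[x]
    return acc


def collisions(P, messages):
    """Group URP inputs shared by several blocks across all messages.
    Returns {input_value: ("odd" | "even", multiplicity)} for multiplicity >= 2."""
    L = P[0]
    counts = Counter()
    for blocks in messages:
        counts.update(urp_inputs(blocks, L))
    return {x: ("even" if c % 2 == 0 else "odd", c)
            for x, c in counts.items() if c >= 2}


def even_collision_partner(P, blocks):
    """Build a message whose URP inputs are the same multiset as `blocks`:
    reverse the inputs and re-mask them (needs the secret L = P(0))."""
    L = P[0]
    inputs = urp_inputs(blocks, L)[::-1]
    return [x ^ d for x, d in zip(inputs, masks(L, len(inputs)))]


if __name__ == "__main__":
    P = make_urp(2007)                 # constructed seed
    A = [0x12, 0x34, 0x56]             # constructed hashed blocks
    B = even_collision_partner(P, A)
    print("PHASH(A) ^ PHASH(B) =", phash(P, A) ^ phash(P, B))   # 0: even collisions cancel
    print(collisions(P, [A, B, [A[0]]]))                          # the first input now appears 3 times: odd
```

Every collision between A and B is even (each URP input appears exactly twice), so the differential is zero regardless of P; adding a third message that reuses one of A's inputs turns that value into an odd collision, the kind of event the next slide counts.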
Diff. probability of PHASH (contd.)
is at most
Given , PHASH sum is almost uniform (point probability is at most )
for any
Lemma 2
From Lemma 2, the advantage between MPMAC and RO is:
PMAC vs. MPMAC
Four “good” events defined as:
the sets of URP inputs in PHASH and in the finalization (+ dummy mask for MPMAC) have no intersection
Using Maurer’s method [M02], the advantage is at most the max. prob. of “bad” events in MPMAC, denoted by
New bound for PMAC
A careful analysis using Lemma 2 provides
if
(figure: triangle inequality between PMAC, MPMAC, and RO)
Theorem 2
Comparison of new and old bounds
New ( ) < old ( ) iff
Ex: new bound is 2^-32, old bound is 2^-48 ~ 2^-16
If 99.9% of messages are one-block, the old bound is better
If at least 1% of messages are -block, the new bound is better
(if we ignore constants)
As long as there is a small (but not too small) fraction of long messages, the new bound is better
Much better under some practical cases (e.g., all messages have similar lengths)
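The comparison on this slide as an added worked computation, not part of the talk. The bound symbols were lost in extraction, so the code assumes the two forms being compared are the old sigma-squared bound sigma^2 / 2^n and the new length-linear bound ell * q^2 / 2^n, with constants dropped as the slide says; the parameters n = 128, q = 2^40 and ell = 2^16 are my choice, picked because they reproduce the slide's 2^-32 and 2^-48 ~ 2^-16, and the traffic mixes are constructed.

```python
# Added worked comparison (not from the talk). Assumed bound forms, constants
# dropped as the slide says: old bound sigma^2 / 2^n, new bound ell * q^2 / 2^n.
import math


def old_bound_log2(sigma, n):
    """log2 of sigma^2 / 2^n: quadratic in the total number of queried blocks."""
    return 2 * math.log2(sigma) - n


def new_bound_log2(ell, q, n):
    """log2 of ell * q^2 / 2^n: linear in the maximum message length."""
    return math.log2(ell) + 2 * math.log2(q) - n


def total_blocks(q, ell, frac_long):
    """sigma when a fraction frac_long of the q messages are ell blocks long
    and the remaining messages are one block each (constructed traffic mix)."""
    return q * (frac_long * ell + (1 - frac_long) * 1)


def compare(q, ell, n, frac_long):
    """Return (old_log2, new_log2, winner) for a given traffic mix."""
    sigma = total_blocks(q, ell, frac_long)
    old, new = old_bound_log2(sigma, n), new_bound_log2(ell, q, n)
    return old, new, ("new" if new < old else "old")


def new_is_better_threshold(ell):
    """Ignoring constants, ell*q^2 < sigma^2 iff sigma/q > sqrt(ell):
    the new bound wins once the average message length exceeds sqrt(ell) blocks."""
    return math.sqrt(ell)


if __name__ == "__main__":
    n, q, ell = 128, 2 ** 40, 2 ** 16   # assumed parameters
    print("new bound wins above an average length of", new_is_better_threshold(ell), "blocks")
    for frac in (0.0, 0.001, 0.01, 1.0):
        old, new, winner = compare(q, ell, n, frac)
        print(f"{frac:>6.1%} long messages: old 2^{old:7.2f}  new 2^{new:7.2f}  better: {winner}")
```

With these parameters the old bound ranges from 2^-48 (every message one block) to 2^-16 (every message ell blocks) while the new bound stays at 2^-32; 0.1% long messages gives an average length of about 66 blocks, below the sqrt(ell) = 256 crossover, and 1% gives about 656 blocks, above it.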
Analysis of TMAC and XCBC
TMAC [KI03] and XCBC [BR00]
Successors of EMAC
Fewer BC calls (no double encryption)
One BC key + one or two n-bit keys
is independent of
(figure: TMAC)
Proof sketch for TMAC (XCBC is the same)
Modified TMAC (MTMAC) and bad events similar to those for PMAC
Adv. between TMAC and MTMAC is
much simpler analysis due to the independence of
Adv. between MTMAC and RO is EMAC bound of [BPR05], i.e.,
New bounds for TMAC and XCBC
Old bounds are or for
TMAC’s new bound is:
Theorem 3 (XCBC’s bound is the same)
[BR00][KI03][IK03s]
Bound comparison is almost the same as PMAC’s case, in case the second term is negligible
Short comments on OMAC [IK03o]
OMAC (aka CMAC) is a one-key CBC-MAC, an improvement to TMAC and XCBC
mask is or , where
MOMAC and bad events are similarly defined
However, the probabilities of some new bad events have to be evaluated, such as
An extension of the CBC collision analysis of [BPR05] is needed (open problem)
Conclusion
New bounds for PMAC, TMAC, and XCBC: from quadratic to (almost) linear degradation wrt the max. message length
Future directions
OMAC
Further improvement (still far from the lower bound )
Thank you!