A Block-Cipher Mode of Operation for Parallelizable Message Authentication
John Black
University of Nevada, Reno, USA
Phillip Rogaway
University of California, Davis, USA
and Chiang Mai University, Thailand
EUROCRYPT – May 1, 2002
Amsterdam, The Netherlands
What is a MAC?
Most MACs are deterministic—they need no nonce/state/IV/$
Stateless MACs are more practical
[Figure: sender A and receiver B share key K. A runs MAC_G (generate): authentication tag = MAC_K([IV,] M), and sends M together with the tag; B runs MAC_V (verify): MAC_K(M, tag).]
The ACMA Model [GMR, BKR]
[Figure: the adversary sends messages M1, M2, …, Mq to a MAC oracle holding K and receives MAC_K(M1), MAC_K(M2), …, MAC_K(Mq); it then outputs a pair (M*, tag*) as its forgery attempt.]
A Precise Definition
We define the advantage of a “MAC adversary” A over a particular MAC algorithm M as
We define the maximum advantage of any MAC adversary making at most q queries totaling at most m blocks as
Our goal is to bound this quantity by a function in q and m which is “small” for “reasonable” values of q and m
CBC MAC (ANSI X9.19, FIPS 113, ISO 9797-1)
Known to be secure for messages of one fixed length
[Figure: CBC MAC. M1 is enciphered with E_K; each later block M2, …, Mm is xored with the previous output before being enciphered with E_K; the last output is the tag.]
Uses ⌈|M|/n⌉ block cipher invocations
Inherently sequential
Parallelizable MACs: Important?
In some settings, MAC performance is paramount
– E.g., a web server handling thousands of requests/sec
Extracting parallelism is a simple way to achieve dramatic increases in performance
– Algorithm design governs to what extent we can parallelize
Parallelism is the only way to achieve extreme speeds in hardware or software
No disadvantage provided we do not surrender too much serial efficiency
A First Attempt: XOR MAC
Not a PRF
≈ 2 times as many block cipher calls as CBC MAC
[BGR 95]
[Figure: XOR MAC. Each k-bit message block M[i] is encoded as an n-bit input <i, M[i]>, alongside <0, Nonce>; every encoded input is enciphered with E_K, and all the outputs are xored together to give the Tag.]
Protected Counter Sums
A PRF variant of the XOR MAC
[Be 99]
[Figure: Protected Counter Sums. Each block M[i] is encoded as <i, M[i]> and fed to F_K (built from E_K) to give Y[i]; the Y[i] are xored into S, and Tag = F_K(<0, S>).]
Gligor-Donescu MAC
XOR MAC with better method for block offsets
But no longer a PRF
[GD 01]
[Figure: Gligor-Donescu MAC. R = E_K(Nonce); the block-cipher inputs are X[1] = M[1] + R, X[2] = M[2] + 2R, …, X[m] = M[m] + mR (addition, not xor); Y[i] = E_K(X[i]); the Y[i] are xored together to give the Tag.]
PMAC: A Parallelizable MAC
A Fully-Parallelizable VIL PRF: {0,1}* → {0,1}^n
Cannot distinguish PMAC_K(·) from a random function R(·)
Can be used as a (stateless, deterministic) MAC
Efficient
– uses ⌈|M|/n⌉ block cipher calls, like basic CBC MAC
– uses a single block cipher key
– low session-startup cost: about one block cipher call
– essentially endian neutral
Simple
– no n-bit addition or mod p operations—just xors and shifts
– much simpler than any known Carter-Wegman MAC
Provably Secure
– if E is a secure block cipher then PMAC[E] is a good PRF
[Figure: PMAC. Message blocks M[1], M[2], …, M[m−1] (n bits each) are xored with offsets drawn as L, 2L, …, (m−1)L and enciphered with E_K, all in parallel. Their outputs are xored together with the padded last block M[m] (possibly short), which is additionally xored with 0 if |M[m]| < n and with −L if |M[m]| = n. The result is enciphered once more with E_K to give FullTag; Tag = first bits of FullTag. The offsets −L, L, 2L, 3L, … are derived from K, as made implicit on the next slide.]
Definition of PMAC [E, ] (the second parameter is the tag length)
algorithm PMAC_K(M)
  L(0) = E_K(0^n)
  L(-1) = lsb(L(0)) ? (L(0) >> 1) xor Const43 : (L(0) >> 1)
  for i = 1, 2, … do L(i) = msb(L(i-1)) ? (L(i-1) << 1) xor Const87 : (L(i-1) << 1)
  Partition M into M[1] … M[m]    // each n bits, except M[m] may be shorter
  Offset = 0; Sum = 0              // Sum accumulates the xor of the E_K outputs
  for i = 1 to m-1 do
    Offset = Offset xor L(ntz(i))
    Sum = Sum xor E_K(M[i] xor Offset)
  Sum = Sum xor pad(M[m])
  if |M[m]| = n then Sum = Sum xor L(-1)
  FullTag = E_K(Sum)
  Tag = first (tag-length) bits of FullTag
  return Tag
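The following is an added example, not the authors' reference code from the PMAC web page: a Python implementation of the definition above for n = 128, using the constants Const87 = 0^120 10000111 and Const43 = 1 0^120 1000011 from the PMAC paper. The block cipher is abstracted as a function E = E_K; since no AES library is assumed, a constructed Feistel permutation (`toy_cipher`, clearly not AES) stands in for it, the tag-length parameter is named `tau` here, and `offsets` exposes the Gray-code offset sequence so the distinctness the proof relies on can be checked directly.

```python
import hashlib
from typing import Callable, List

BLOCK = 16                     # n = 128 bits
CONST87 = 0x87                 # 0^120 10000111, used when doubling L
CONST43 = (1 << 127) | 0x43    # 1 0^120 1000011, used when halving L


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def times2(L: bytes) -> bytes:
    """L(i) from L(i-1): shift left; if the msb fell off, xor Const87."""
    v = int.from_bytes(L, "big") << 1
    if v >> 128:
        v = (v & ((1 << 128) - 1)) ^ CONST87
    return v.to_bytes(BLOCK, "big")


def times_half(L: bytes) -> bytes:
    """L(-1) from L(0): shift right; if the lsb fell off, xor Const43."""
    v = int.from_bytes(L, "big")
    dropped = v & 1
    v >>= 1
    if dropped:
        v ^= CONST43
    return v.to_bytes(BLOCK, "big")


def ntz(i: int) -> int:
    """Number of trailing zero bits of i (i >= 1)."""
    return (i & -i).bit_length() - 1


def pad(block: bytes) -> bytes:
    """pad(x) = x when |x| = n, otherwise x 1 0^(n-|x|-1)."""
    if len(block) == BLOCK:
        return block
    return block + b"\x80" + bytes(BLOCK - len(block) - 1)


def offsets(L0: bytes, count: int) -> List[bytes]:
    """Offset_1 .. Offset_count, with Offset_i = Offset_(i-1) xor L(ntz(i)).

    L(j) = 2^j * L0 in GF(2^128), so the sequence walks a Gray code over L0:
    every offset is a distinct non-zero multiple of L0, which the proof relies on."""
    table = [L0]
    out: List[bytes] = []
    offset = bytes(BLOCK)
    for i in range(1, count + 1):
        while len(table) <= ntz(i):
            table.append(times2(table[-1]))
        offset = xor(offset, table[ntz(i)])
        out.append(offset)
    return out


def pmac(E: Callable[[bytes], bytes], M: bytes, tau: int = 128) -> bytes:
    """PMAC_K(M) for E = E_K; returns the first tau bits (tau a multiple of 8)."""
    L0 = E(bytes(BLOCK))
    m = max(1, -(-len(M) // BLOCK))                 # ceil(|M|/n), at least one block
    blocks = [M[j * BLOCK:(j + 1) * BLOCK] for j in range(m)]
    # Blocks 1..m-1: these m-1 cipher calls are independent of one another,
    # which is the parallelizable part; only the final xor and E call are serial.
    inputs = [xor(b, o) for b, o in zip(blocks[:-1], offsets(L0, m - 1))]
    acc = bytes(BLOCK)
    for y in map(E, inputs):
        acc = xor(acc, y)
    last = blocks[-1]
    acc = xor(acc, pad(last))
    if len(last) == BLOCK:                          # full last block: xor L(-1)
        acc = xor(acc, times_half(L0))
    full_tag = E(acc)
    return full_tag[: tau // 8]


def toy_cipher(key: bytes) -> Callable[[bytes], bytes]:
    """Constructed stand-in for E_K (NOT AES): a 4-round Feistel permutation on
    128-bit blocks with a keyed SHA-256 round function, so the example runs
    offline. Any real deployment would use an actual block cipher here."""
    def E(block: bytes) -> bytes:
        assert len(block) == BLOCK
        left, right = block[:8], block[8:]
        for rnd in range(4):
            f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
            left, right = right, xor(left, f)
        return left + right
    return E


if __name__ == "__main__":
    E = toy_cipher(b"constructed example key")
    for msg in (b"", b"16-byte message!", b"a slightly longer message than one block"):
        print(len(msg), pmac(E, msg, tau=64).hex())
```

Note that the empty message and a message of exactly one full block take different paths (padding versus the L(−1) xor), which is why a 15-byte and a 16-byte message never collide through the padding rule alone.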
PMAC's Security
Security as a VIL PRF [GGM, BKR]
[Figure: adversary A sends queries x_i either to a PMAC_K oracle, which answers PMAC_K(x_i), or to a random-function oracle R, which answers R(x_i).]
Adv^prf(A) = Pr[A^{PMAC_K} = 1] – Pr[A^R = 1]
Block-Cipher Security
Security as a FIL PRP [GGM, LR, BKR]
[Figure: adversary B sends queries x_i either to an enciphering oracle E_K, which answers E_K(x_i), or to a random-permutation oracle, which answers with the permutation applied to x_i.]
Adv^prp(B) = Pr[B^{E_K} = 1] – Pr[B^{random permutation} = 1]
PMAC Theorem
Suppose an adversary A breaks PMAC[E] with:
  time = t, total-num-of-blocks = , adv = Adv^prf(A)
Then an adversary B breaks block cipher E with:
  time ≈ t, num-of-queries ≤ total-num-of-blocks,
  Adv^prp(B) ≥ Adv^prf(A) – (total-num-of-blocks)² / 2^(n-1)
To wrap up, it is a standard result that any PRF with a fixed output length can be used as a MAC, where the forging probability will be at most Adv^prf(A) + 2^(−output length)
Proof Idea
[Figure: Proof idea. Two messages M = M[1] M[2] M[3] … M[m] and M' = M'[1] M'[2] M'[3] … M'[m'] with M[2] ≠ M'[2]. After xoring the offset 2L, the block-cipher inputs X[2] and X'[2] are distinct, so the outputs Y[2] and Y'[2] that feed (together with the "Other Stuff") into the tags T and T' come from distinct block-cipher inputs.]
PMAC as a PRF
Structure Lemma and PMAC Theorem: Fix n and a tag length ≥ 1. Let A be any adversary who asks q queries, these having an aggregate length of blocks. Then
where m1 + … + mq is that aggregate length.
PMAC Performance (Serial)
A moderately-optimized implementation of PMAC[AES] (Krovetz) runs in 18.4 cpb. Compare with 17.1 cpb for AES.
– P3, C+assembly, gcc, 2KB, data in L1 cache
Aggressively-optimized basic CBC MAC runs on a Pentium at 15.5 cpb [Lipmaa]
– We guess that an aggressively-optimized PMAC[AES] should run at about 16.5 cpb.
Comparisons
Scheme | Domain | PRF | Parallelizable | Block-cipher calls | Key length | Per-block overhead
CBC MAC | ({0,1}^n)^m | yes (fixed length) | no | ⌈|M|/n⌉ | k | 1 xor
XCBC [BR 00] | {0,1}* | yes | no | ⌈|M|/n⌉ | k + 2n | 1 xor
XECB-MAC [GD 00,01] (3 versions) | {0,1}* | no | yes | ⌈|M|/n⌉ (varies by version) | varies | 1 xor, 2 add
PMAC [BR 02] | {0,1}* | yes | yes | ⌈|M|/n⌉ | k | 3 xor
Implementation Effort
Object Effort (John-Time)
Basic CBC MAC 30 mins
XCBC 1 hour
PMAC 3 hours
OCB 4 hours
AES 8 hours
DES 8 hours
UMAC 3 days
More Information on PMAC
Visit the PMAC web page
www.cs.ucdavis.edu/~rogaway/pmac
Web page contains:
Reference Code (by Ted Krovetz and me)
Test Vectors
FAQ
Full version of the PMAC paper