Professional Documents
Culture Documents
CBC-MAC, CMAC
What is cryptography?
Alice Internet
Bob
Adversary
Security goals:
2
What is cryptography?
Alice Internet
Bob
M M'
Adversary
Security goals:
3
Basic goals of cryptography
Message integrity /
Message privacy
authentication
Message authentication
Symmetric keys Symmetric encryption
codes (MAC)
Asymmetric encryption
Asymmetric keys (a.k.a. public-key Digital signatures
encryption)
4
Motivation
• Examples:
• Protecting OS system files against tampering
5
Encryption ≠ integrity
=
1001010 1010 111100001010
6
Message authentication – idea
Sender Receiver
VALID
𝑀 𝑇 𝑀
𝑀
⊥
INVALID
7
Message authentication – idea
Sender Receiver
VALID
𝑀 𝑇 𝑀
𝑀
⊥
INVALID
𝑇 ← SHA2‐ 256 𝑀 𝑇 ′ ← SHA2‐ 256 𝑀
?
𝑇′ = 𝑇
8
Message authentication – idea
Sender Receiver
VALID
𝑀 𝑇 𝑀
𝑀
⊥
𝑀′ 𝑇 INVALID
𝑇 ← SHA2‐ 256 𝑀 𝑇 ′ ← SHA2‐ 256 𝑀
?
𝑇′ = 𝑇
𝑇 ← SHA2‐ 256(𝑀′)
9
Message authentication schemes – syntax
A message authentication scheme is a triple Σ = KeyGen, Tag, Vrfy of algorithms:
Tag ∶ 𝒦 × ℳ → 𝒯
$
Tag 𝐾, 𝑀 = Tag 𝐾 𝑀 = 𝑇 Correctness: ∀𝐾 ← KeyGen and ∀𝑀 ∈ ℳ:
Vrfy ∶ 𝒦 × ℳ × 𝒯 → 0,1
$ Vrfy 𝐾, 𝑀, Tag 𝐾, 𝑀 =1
KeyGen
Vrfy 𝐾, 𝑀, 𝑇 = Vrfy𝐾 𝑀, 𝑇 = 1/0
$ $
𝑇 𝑀, 𝑇
𝑀 Tag Vrfy 1/0
Challenger
𝐄𝐱𝐩uf–cma
Σ 𝐴
$
1. 𝐾 ← Σ. KeyGen Tag(𝐾,⋅)
2. 𝒮 ←[] 𝑀1 , 𝑀2 , …
3. forge ← 0
4. 𝐴TA G ⋅ , VF (⋅,⋅) 𝑇1 , 𝑇2 , …
5. return forge
𝐀𝐝𝐯Σuf–cma 𝐴 = Pr 𝐄𝐱𝐩uf–cma
Σ 𝐴 ⇒1
11
Properties of UF-CMA definition
𝐄𝐱𝐩uf–cma
Σ 𝐴
• UF-CMA security implies: 1.
$
𝐾 ← Σ. KeyGen
• Hard to recover 𝐾 2. 𝒮 ←[]
3. forge ← 0
• Hard forge a specific message chosen by the adversary 4. 𝐴TA G ⋅ , VF (⋅,⋅)
5. return forge
• Tag lengths must be long enough!
• Suppose 𝑇 = 10; then TA G (𝑀)
---------------------------------
1. 𝑇 ← Σ. Tag(𝐾, 𝑀)
1 1
𝐀𝐝𝐯Σuf–cma "Guess 𝑇" = ≈ 2. 𝒮. add 𝑀
210 1000 3. return 𝑇
VF (𝑀, 𝑇)
---------------------------------
1. 𝑑 ← Σ. Vrfy(𝐾, 𝑀, 𝑇)
• Does not give protection against replay attacks 2. if 𝑑 = 1 and 𝑀 ∉ 𝒮 then:
3. forge ← 1
• Message counters 4. return 𝑑
• Nonces
• Timestamps 𝐀𝐝𝐯Σuf–cma 𝐴 = Pr 𝐄𝐱𝐩uf–cma
Σ 𝐴 ⇒1
12
Message authentication codes (MACs)
deterministic function
Tag 𝐾 𝑀 = 𝑇
?
Vrfy𝐾 𝑀, 𝑇′ = “ Tag 𝐾 𝑀 = 𝑇 ′ ”
13
PRFs are good MACs
𝑘 𝑛 𝜏
𝐹 ∶ 0,1 × 0,1 → 0,1
Tag 𝐾, 𝑀 ∈ 0,1 𝑛
---------------------------------
1. return 𝐹𝐾 (𝑀)
𝑀
Vrfy 𝐾, 𝑀, 𝑇
---------------------------------
1. 𝑇 ′ ← 𝐹𝐾 𝑀
𝐹𝐾 2. return 𝑇 ′ = 𝑇
?
Theorem: If 𝐹 is a secure PRF then ΣPRF is UF-CMA secure for fixed-length messages
14
PRFs are good MACs – proof sketch
Theorem: For any UF-CMA adversy 𝐴, asking 𝑣 VF queries, there is a PRF-adversary 𝐵 such that
prf 𝑣
𝐀𝐝𝐯Σuf–cma 𝐴 ≤ 𝐀𝐝𝐯𝐹 𝐵 +
PRF 2𝜏
𝐹𝐾
Pr 𝐹𝐾 𝑀 = 𝑇 = ?
PRFs are good MACs – proof sketch
Theorem: For any UF-CMA adversy 𝐴, asking 𝑣 VF queries, there is a PRF-adversary 𝐵 such that
prf 𝑣
𝐀𝐝𝐯Σuf–cma 𝐴 ≤ 𝐀𝐝𝐯𝐹 𝐵 +
PRF 2𝜏
$
𝜌 ← Func 𝑛, 𝜏
PRFs are good MACs – proof sketch
Theorem: For any UF-CMA adversy 𝐴, asking 𝑣 VF queries, there is a PRF-adversary 𝐵 such that
prf 𝑣
𝐀𝐝𝐯Σuf–cma 𝐴 ≤ 𝐀𝐝𝐯𝐹 𝐵 +
PRF 2𝜏
$ 1
𝜌 ← Func 𝑛, 𝜏 Pr 𝜌 𝑀 = 𝑇 =
2𝜏
PRFs are good MACs – proof sketch
Theorem: For any UF-CMA adversy 𝐴, asking 𝑣 VF queries, there is a PRF-adversary 𝐵 such that
prf 𝑣
𝐀𝐝𝐯Σuf–cma 𝐴 ≤ 𝐀𝐝𝐯𝐹 𝐵 +
PRF 2𝜏
𝑀1 𝑀2 𝑀𝑣
𝜌 𝜌 ⋯ 𝜌
𝑇1 𝑇2 𝑇𝑣
𝑣
𝑣
Pr 𝜌 𝑀1 = 𝑇1 ∨ ⋯ ∨ 𝜌 𝑀𝑣 = 𝑇𝑣 ≤ Pr[𝜌 𝑀𝑖 = 𝑇𝑖 ] = 𝜏
2
𝑖=1
PRFs are good MACs – proof sketch
Theorem: For any UF-CMA adversy 𝐴, asking 𝑣 VF queries, there is a PRF-adversary 𝐵 such that
prf 𝑣
𝐀𝐝𝐯Σuf–cma 𝐴 ≤ 𝐀𝐝𝐯𝐹 𝐵 +
PRF 2𝜏
𝑀1 𝑀2 𝑀𝑣
𝜌 𝜌 ⋯ 𝜌
𝑇1 𝑇2 𝑇𝑣
𝑣
𝑣
Pr 𝜌 𝑀1 = 𝑇1 ∨ ⋯ ∨ 𝜌 𝑀𝑣 = 𝑇𝑣 ≤ Pr[𝜌 𝑀𝑖 = 𝑇𝑖 ] = 𝜏
2
𝑖=1
PRFs are good MACs
AES𝐾
20
MACs for long messages
21
MACs from block ciphers – Attempt 1
𝑀1 𝑀2 𝑀3 𝑀4
𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾
𝑇1 𝑇2 𝑇3 𝑇4
22
Attempt 1 – an attack
𝑀1 𝑀3 𝑀2 𝑀4
𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾
𝑇1 𝑇3 𝑇2 𝑇4
23
Attempt 2
𝑀1 𝑀2 𝑀3 𝑀4
𝐸𝐾
24
Attempt 2 – an attack
𝑀1 𝑀3 𝑀2 𝑀4
𝐸𝐾
25
Attempt 3
𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾
𝑇1 𝑇2 𝑇3 𝑇4
26
Attempt 3 – an attack
𝑀′
𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾
𝑇1 𝑇2 𝑇3 𝑇4
27
Attempt 4
Size in bits
𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾
𝑇𝐿 𝑇1 𝑇2 𝑇3
28
Attempt 4 – an attack
𝐸𝐾 𝐸𝐾 𝐸𝐾
𝑇𝐿 𝑇1 𝑇2
𝐸𝐾 𝐸𝐾 𝐸𝐾
𝑇𝐿 𝑇1 𝑇2
𝐸𝐾 𝐸𝐾 𝐸𝐾 In example:
Block size: 128
Block counter size: 32
𝑇𝐿 𝑇1 𝑇2 Block message size: 96
|𝑀1 | = 96 ⋅ 2 = 192
29
CBC-MAC
𝑀1 𝑀2 𝑀3 𝑀4
𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾
𝑇
Theorem: secure if all messages have the same length
30
CBC-MAC
𝑀1 𝑀1 𝑀1 ⊕ 𝑇
uf–cma
𝐀𝐝𝐯CBC–MAC 𝐴 =1
𝐸𝐾 𝐸𝐾 𝐸𝐾
𝑇 𝑇
31
CBC-MAC vs. CBC$-ENC
𝑀1 𝑀2 𝑀3 𝐼𝑉 𝑀1 𝑀2 𝑀3
𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾
𝑇 𝐶0 𝐶1 𝐶2 𝐶3
32
Allowing variable-length messages
pad
𝑀1 𝑀2 𝑀1
pad
𝑀1 𝑀2 𝑀1 𝑀2 100000000
33
Length-prepended CBC-MAC
𝑀 𝑀1 𝑀2 𝑀3
𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾
𝑀 𝑀 𝑀⊕𝑇
Forgery!
𝐸𝐾 𝐸𝐾 𝐸𝐾
𝑇 𝑇
𝑇 𝑇
35
ECBC-MAC
𝑀1 𝑀2 𝑀3 𝑀1 𝑀2
𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾
𝐸𝑇𝐾 𝐸𝐾
𝐾
𝑇 𝑇
𝐾
Use of K2 and K3 in E requires one additional run of key expansion function (say in AES) => bad for pipelining
36
CBC-MAC vs ECBC-MAC
CBC-MAC ECBC-MAC
𝑀 𝑀 𝑀⊕𝑇 𝑀 𝑀 𝑀⊕𝑇
𝑇′ ≠ 𝑇
≠𝑀
𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾
𝑇 𝑇 𝐸𝐾 𝐸𝐾
𝑇 𝑇
37
ECBC-MAC
𝑀1 𝑀2 𝑀3 𝑀1 𝑀2
𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾
𝐸𝑇𝐾 𝐸𝐾
a permutation
𝐾 a permutation
𝑇 𝑇
𝐾
38
FCBC-MAC
𝑀1 𝑀2 𝑀3 𝑀1 𝑀2
𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾
𝑇 𝑇
𝐾
𝐾
39
XCBC-MAC
𝑀1 𝑀2 𝑀3 𝑀1 𝑀2
𝐾 𝐾
𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾
𝑇 𝑇
𝐾
𝐾
40
CMAC a.k.a One-key MAC
𝑀1 𝑀2 𝑀3 𝑀1 𝑀2
𝐾 𝐾
𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾 𝐸𝐾
𝑇 𝑇
𝐾 = 2 ⋇ 𝐸𝐾 0𝑛
Theorem: secure for messages of all lengths
𝑛
𝐾 = 4 ⋇ 𝐸𝐾 0
41
CMAC
• Fully sequential 𝑇
• Cannot utilize parallel AES cores
𝑀1 𝑀2
𝐸𝐾 𝐸𝐾 𝐸𝐾
• Standardized by NIST
• Widely used 𝑇
𝐾 = 2 ⋇ 𝐹𝐾 0𝑛
𝐾 = 4 ⋇ 𝐹𝐾 0𝑛
42
CMAC security
Theorem: For any UF-CMA adversary making 𝑞 TA G -queries (each having ℓ blocks), and 𝑣 VF -queries,
there is a PRP-adversary 𝐵 such that
uf–cma prp 5 ⋅ ℓ ⋅ 𝑞2 𝑣
𝐀𝐝𝐯CMAC 𝐴 ≤ 𝐀𝐝𝐯𝐸 𝐵 + 𝑛
+ 𝑛
2 2
• Example:
• 𝐸 = AES (𝑛 = 128)
• Number of Tag-queries: 𝑞 = 240 ≈ 1 trillion queries
• Max blocks per message: ℓ = 210 ≈ 16 kB
• Number of Vrfy-queries: 𝑣 = 220
prp
• 𝐀𝐝𝐯𝐸 𝐵 ≈0
uf–cma 5 ⋅ 210 ⋅ 240 2
220 23+10+80 1
𝐀𝐝𝐯CMAC AES 𝐴 ≤ + 128 ≈ = 35
2128 2 2128 2
43
CMAC security
Theorem: For any UF-CMA adversary making 𝑞 TA G -queries, each having blocks, and 𝑣 VF -queries,
there is a PRP-adversary 𝐵 such that
uf–cma prp 5 ⋅ ℓ ⋅ 𝑞2 𝑣
𝐀𝐝𝐯CMAC 𝐴 ≤ 𝐀𝐝𝐯𝐸 𝐵 + 𝑛
+ 𝑛
2 2
• Example:
• 𝐸 = DES (𝑛 = 64)
• Number of Tag-queries: 𝑞 = 240 ≈ 1 trillion queries
Prob. > 𝟏!
• Max blocks per message: ℓ = 210 ≈ 16 kB
• Number of Vrfy-queries: 𝑣 = 220
prp
• 𝐀𝐝𝐯𝐸 𝐵 ≈0
uf–cma 5 ⋅ 210 ⋅ 240 2
220 23+10+80
𝐀𝐝𝐯CMAC DES 𝐴 ≤ + 64 ≈ = 229
264 2 264
44
CMAC security
Theorem: For any UF-CMA adversary making 𝑞 TA G -queries, each having blocks, and 𝑣 VF -queries,
there is a PRP-adversary 𝐵 such that
uf–cma prp 5 ⋅ ℓ ⋅ 𝑞2 𝑣
𝐀𝐝𝐯CMAC 𝐴 ≤ 𝐀𝐝𝐯𝐸 𝐵 + 𝑛
+ 𝑛
2 2
• Example:
• 𝐸 = DES (𝑛 = 64)
• Number of Tag-queries: 𝑞 = 216 ≈ 65 000 queries
• Max blocks per message: ℓ = 210 ≈ 16 kB
• Number of Vrfy-queries: 𝑣 = 220
prp
• 𝐀𝐝𝐯𝐸 𝐵 ≈0
uf–cma 1
𝐀𝐝𝐯CMAC DES 𝐴 ≤ 19
2
45
PMAC
𝑀1 𝑀2 𝑀3 𝑀3
𝛾1 ⋇ 𝐿 𝛾2 ⋇ 𝐿 𝛾3 ⋇ 𝐿
𝐸𝐾 𝐸𝐾 𝐸𝐾
𝐸𝐾
𝐿 = 𝐹𝐾 0𝑛
𝛾𝑖 = Gray codes 𝑇
46
PMAC properties
𝛾1 ⋇ 𝐿 𝛾2 ⋇ 𝐿 𝛾3 ⋇ 𝐿
• One key 𝐸𝐾 𝐸𝐾 𝐸𝐾
𝑇2′
𝑇2
𝐸𝐾
• Incremental
𝑇
𝑇2 = 𝐸𝐾 𝑀2 ⊕ 𝛾2 ⋇ 𝐿
𝑇2′ = 𝐸𝐾 𝑀2′ ⊕ 𝛾2 ⋇ 𝐿
47
Summary
48