On the Influence of Message Length in PMAC s Security Bounds

Size: px

Start display at page:

Download "On the Influence of Message Length in PMAC s Security Bounds"

Frederick Spencer
6 years ago
Views:

1 1 On the Influence of Message Length in PMAC s Security Bounds Atul Luykx 1 Bart Preneel 1 Alan Szepieniec 1 Kan Yasuda 2 1 COSIC, KU Leuven, Belgium 2 NTT Secure Platform Laboratories, Japan May 11, 2016

2 2 Security Bounds Factors: 1. Adversarial Resources

3 2 Security Bounds Factors: 1. Adversarial Resources 2. Scheme parameters

4 2 Security Bounds Factors: 1. Adversarial Resources 2. Scheme parameters 3. Confidence level

5 2 Security Bounds Factors: 1. Adversarial Resources 2. Scheme parameters 3. Confidence level Message Length l Secure Number of Queries q

6 2 Security Bounds Factors: 1. Adversarial Resources 2. Scheme parameters 3. Confidence level TLS 1.3: GCM, ChaCha20 + Poly1305 ISO/IEC SC27 WG2: 48 bit block size? Message Length l Secure Number of Queries q

7 3 Example : EMAC m 1 m 2 m 3 m π 1 π 1 π 1 π 1 π 2 c 1 T

8 3 Example : EMAC m 1 m 2 m 3 m π 1 π 1 π 1 π 1 π 2 c 1 q 2 l 2 2 n ɛ T n q l ɛ Block size Number of queries Query length in blocks Confidence

9 3 Example : EMAC m 1 m 2 m 3 m π 1 π 1 π 1 π 1 π 2 n q l ɛ c 1 q 2 l 2 2 n ɛ Block size Number of queries Query length in blocks Confidence T Table: ɛ = 1/2 20, l = 1KB Cipher Block Size Limit AES PRESENT KATAN

10 4 EMAC Bounds Message Length l Number of Queries q

11 4 EMAC Bounds Message Length l Number of Queries q

12 4 EMAC Bounds Message Length l Number of Queries q

13 4 EMAC Bounds Message Length l ? Number of Queries q

14 4 EMAC Bounds Message Length l ? Number of Queries q

15 4 EMAC Bounds Message Length l ? Number of Queries q

16 5 Switching Schemes Message Length l EMAC Number of Queries q

17 5 Switching Schemes Message Length l Sum of CBCs EMAC PMAC Plus 3kf Number of Queries q

18 5 Switching Schemes PMAC w Parity Message Length l LightMAC PMACX Sum of CBCs EMAC PMAC Plus 3kf Number of Queries q

19 6 XOR-Style PRF PMAC w Parity PMACX LightMAC

20 6 XOR-Style PRF PMAC w Parity PMACX LightMAC m x 1 x 2 x 3 x 4 π π π π + + +

21 6 XOR-Style PRF PMAC w Parity PMACX LightMAC m x 1 x 2 x 3 x 4 π π π π + + +

22 7 PMAC and PHASH 0 m 1 m 2 m 3 m 4 c 1 ω c 2 ω c 3 ω c 4 ω π π π π π ω PHASH(m)

23 7 PMAC and PHASH 0 m 1 m 2 m 3 m 4 c 1 ω c 2 ω c 3 ω c 4 ω π π π π π ω PHASH(m) ( ) PMAC(m) = OutputTransform PHASH(m)

24 7 PMAC and PHASH 0 m 1 m 2 m 3 m 4 c 1 ω c 2 ω c 3 ω c 4 ω π π π π π ω PHASH(m) ( ) PMAC(m) = OutputTransform PHASH(m) 1. Gray codes 2. Powering up

25 8 PMAC Bounds Message Length l PMAC Number of Queries q

26 8 PMAC Bounds Message Length l PMAC Number of Queries q

27 8 PMAC Bounds Message Length l PMAC w Parity LightMAC PMACX PMAC Number of Queries q

28 8 PMAC Bounds Message Length l PMAC w Parity LightMAC PMACX? PMAC Number of Queries q

29 9 Focusing on Collisions PHASH(m 1 ) = PHASH(m 2 ) PMAC(m 1 ) = PMAC(m 2 )

30 9 Focusing on Collisions PHASH(m 1 ) = PHASH(m 2 ) PMAC(m 1 ) = PMAC(m 2 ) PHASH collision implies a PMAC attack

31 10 Results Message length dependence changes according to masks

32 10 Results Message length dependence changes according to masks PHASH Instances

33 10 Results Message length dependence changes according to masks Gray Codes PHASH Instances

34 10 Results Message length dependence changes according to masks Gray Codes Powering Up PHASH Instances

35 10 Results Message length dependence changes according to masks Infinitely many with collision upper bound 2/2 n or Gray Codes Powering Up PHASH Instances

36 10 Results Message length dependence changes according to masks Infinitely many with collision upper bound 2/2 n or Computationally hard to find high probability collision (based on conjecture) Powering Up Gray Codes PHASH Instances

37 10 Results Message length dependence changes according to masks Infinitely many with collision upper bound 2/2 n or Computationally hard to find high probability collision (based on conjecture) Powering Up Gray Codes Gray codes instances depend on message length PHASH Instances

38 11 Results in Context Message Length l PMAC w Parity LightMAC PMACX PMAC Number of Queries q

39 11 Results in Context Message Length l PMAC w Parity LightMAC PMACX PMAC Number of Queries q

40 12 PHASH vs XOR Hash 1 n/2 m 1 2 n/2 m 2 3 n/2 m 3 4 n/2 m 4 π π π π XOR Hash(m) 0 m 1 m 2 m 3 m 4 c 1 ω c 2 ω c 3 ω c 4 ω π π π π π ω PHASH(m)

41 13 XOR Hash Collision 1 n/2 m 1 2 n/2 m 2 3 n/2 m 3 4 n/2 m 4 1 n/2 m 1 2 n/2 m 2 3 n/2 m 3 π π π π π π π

42 13 XOR Hash Collision 1 n/2 m 1 2 n/2 m 2 3 n/2 m 3 4 n/2 m 4 1 n/2 m 1 2 n/2 m 2 3 n/2 m 3 π π π π π π π

43 13 XOR Hash Collision 1 n/2 m 1 2 n/2 m 2 3 n/2 m 3 4 n/2 m 4 1 n/2 m 1 2 n/2 m 2 3 n/2 m 3 π π π π π π π

44 13 XOR Hash Collision 1 n/2 m 1 2 n/2 m 2 3 n/2 m 3 4 n/2 m 4 1 n/2 m 1 2 n/2 m 2 3 n/2 m 3 π π π π π π π

45 13 XOR Hash Collision 1 n/2 m 1 2 n/2 m 2 3 n/2 m 3 4 n/2 m 4 1 n/2 m 1 2 n/2 m 2 3 n/2 m 3 π π π π π π π

46 13 XOR Hash Collision 1 n/2 m 1 2 n/2 m 2 3 n/2 m 3 4 n/2 m 4 1 n/2 m 1 2 n/2 m 2 3 n/2 m 3 π π π π π π π

47 14 PHASH Collision m 1 m 2 m 3 m 4 m 1 m 2 m 3 c 1 ω c 2 ω c 3 ω c 4 ω c 1 ω c 2 ω c 3 ω π π π π π π π

48 14 PHASH Collision m 1 m 2 m 3 m 4 m 1 m 2 m 3 c 1 ω c 2 ω c 3 ω c 4 ω c 1 ω c 2 ω c 3 ω π π π π π π π

49 15 Approach 0 m 1 m 2 m 3 m 4 c 1 ω c 2 ω c 3 ω c 4 ω π π π π π ω PHASH(m) X 2

50 15 Approach 0 m 1 m 2 m 3 m 4 c 1 ω c 2 ω c 3 ω c 4 ω π π π π π ω PHASH(m) m 1 c 1

51 15 Approach 0 m 1 m 2 m 3 m 4 c 1 ω c 2 ω c 3 ω c 4 ω π π π π π ω PHASH(m) m 4 m 2 m 3 m 1 c 1 c 2 c 3 c 4

52 15 Approach 0 m 1 m 2 m 3 m 4 c 1 ω c 2 ω c 3 ω c 4 ω π π π π π ω PHASH(m) m 4 m 2 m 3 m 1 c 1 c 2 c 3 c 4

53 15 Approach 0 m 1 m 2 m 3 m 4 c 1 ω c 2 ω c 3 ω c 4 ω π π π π π ω PHASH(m) m 4 m 2 m 3 m 1 c 1 c 2 c 3 c 4

54 16 Conclusions and Open Problems PMAC message length dependence is non-trivial

55 16 Conclusions and Open Problems PMAC message length dependence is non-trivial 1. What happens with powering up?

56 16 Conclusions and Open Problems PMAC message length dependence is non-trivial 1. What happens with powering up? 2. Optimal masks?

57 16 Conclusions and Open Problems PMAC message length dependence is non-trivial 1. What happens with powering up? 2. Optimal masks? 3. Relationship between PMAC and PHASH when the output transform is not independent?

58 16 Conclusions and Open Problems PMAC message length dependence is non-trivial 1. What happens with powering up? 2. Optimal masks? 3. Relationship between PMAC and PHASH when the output transform is not independent? Thank you for your attention.

59 17 Connection With PHASH Collision Probability Two messages m 1 and m 2 collide with probability k/2 n if the corresponding set in X 2 is evenly covered by k slopes. Simple proof of l-bound:

60 18 Set Evenly Covered by Two Slopes 0 a a 1 0 Figure: A set of four points evenly covered by the slopes 0 and a 1. The x-coordinates of the points are 0 and a, and the y-coordinates are 0 and 1. Guarantees a collision with probability 2/2 n.

61 19 Set Evenly Covered by Three Slopes b 1 0 a b c a 1 0 Figure: A set of four points evenly covered by the slopes 0, a 1, and b 1. The x-coordinates of the points are 0, a, b, and c, and the y-coordinates are 0 and 1. Exists if and only if a + b + c = 0.

62 20 Another Set Evenly Covered by Three Slopes 0 a b c w v u Figure: A set of points evenly covered by the slopes u, v, and w. Each point is accompanied by another point with the same x-coordinate. The x-coordinates of the pairs are indicated below the lower points. Exists if and only if a 2 + b 2 + c 2 + ab + ac = 0.

63 21 Evenly Covered Sets in General The x-coordinates of evenly covered sets satisfy one of the following: 1. They contain a subset summing to zero (NP-complete) 2. They are the solution to a non-trivial binary quadratic form (similar problem NP-complete) Conjecture Given S X, finding a subset of S satisfying either of the above requirements is computationally hard.

64 22 Searching for Evenly Covered Sets Proposition An evenly covered set with distinct x-coordinates forms a complete graph if and only if the x-coordinates are an additive subgroup of X. 1. For sufficiently long messages, the masks will always contain an additive subgroup 2. Finding additive subgroups in Gray codes is easy for every power of two. Success probability of Gray code attack: 2 k n for l = 2 k

Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs

Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC 9797 1:2011 MACs Tetsu Iwata, Nagoya University Lei Wang, Nanyang Technological University FSE 2014 March 4, 2014, London, UK 1 Overview ANSI X9.24