
A Block-Cipher Mode of Operation for Parallelizable Message Authentication

John Black

University of Nevada, Reno, USA

Phillip Rogaway

University of California, Davis, USA

and Chiang Mai University, Thailand

EUROCRYPT – May 1, 2002

Amsterdam, The Netherlands

What is a MAC?

Two parties A and B share a key K.

MAC_G (generate): A computes the authentication tag σ = MAC_K([IV,] M) and sends M together with σ to B.

MAC_V (verify): B runs MAC_K(M, σ) and accepts or rejects.

Most MACs are deterministic: they need no nonce, state, IV, or coins ($). Stateless MACs are more practical.

The ACMA Model [GMR, BKR]

Adaptive chosen-message attack: the adversary has oracle access to MAC_K for a hidden key K.

    Adversary → M_1      MAC oracle (K) → MAC_K(M_1)
    Adversary → M_2      MAC oracle (K) → MAC_K(M_2)
    ...
    Adversary → M_q      MAC oracle (K) → MAC_K(M_q)

Finally the adversary outputs (M*, σ*), a forgery attempt. It succeeds if σ* is a valid tag for a message M* that was never queried.

A Precise Definition

We define the advantage of a "MAC adversary" A over a particular MAC algorithm M as the probability that A's forgery attempt (M*, σ*) is accepted.

We define the maximum advantage of any MAC adversary making at most q queries totaling at most m blocks as the maximum of this probability over all such adversaries.

Our goal is to bound this quantity by a function of q and m which is "small" for "reasonable" values of q and m.

CBC MAC (ANSI X9.19, FIPS 113, ISO 9797-1)

Known to be secure for messages of one fixed length.

    C_1 = E_K(M_1)
    C_i = E_K(M_i ⊕ C_{i-1})   for i = 2, ..., m
    tag = C_m

Uses ⌈|M|/n⌉ block cipher invocations. Inherently sequential: each E_K call needs the previous call's output.

Parallelizable MACs: Important?

In some settings, MAC performance is paramount, e.g. a web server handling thousands of requests per second.

Extracting parallelism is a simple way to achieve dramatic increases in performance.
– Algorithm design governs to what extent we can parallelize.

Parallelism is the only way to achieve extreme speeds, in hardware or in software.

There is no disadvantage, provided we do not surrender too much serial efficiency.

A First Attempt: XOR MAC [BGR 95]

    Tag = (Nonce, E_K(<0, Nonce>) ⊕ E_K(<1, M[1]>) ⊕ E_K(<2, M[2]>) ⊕ ... ⊕ E_K(<m, M[m]>))

Each block cipher input <i, M[i]> packs a k-bit block index together with a piece of the message, so only part of every n-bit input carries message bits; the nonce block <0, Nonce> carries the (n−1)-bit nonce. The m+1 E_K calls are independent of one another.

Not a PRF (needs the nonce). About 2 times as many block cipher calls as CBC MAC.

Protected Counter Sums [Be 99]

A PRF variant of the XOR MAC.

    Y[i] = F_K(<i, M[i]>)   for i = 1, ..., m      (computed in parallel)
    S    = Y[1] ⊕ Y[2] ⊕ ... ⊕ Y[m]
    Tag  = F_K(<0, S>)

Here F_K is a PRF with k-bit output built from the block cipher E_K (the inputs <i, M[i]> are n bits, the outputs Y[i] are k bits). The nonce of the XOR MAC is replaced by the protected counter sum S, so the result is deterministic and a PRF.

Gligor-Donescu MAC [GD 01]

XOR MAC with a better method for block offsets, but no longer a PRF.

    R    = E_K(Nonce)
    X[i] = M[i] + i·R          for i = 1, ..., m   (R, 2R, ..., mR added mod 2^n)
    Y[i] = E_K(X[i])
    Tag  = Y[1] ⊕ Y[2] ⊕ ... ⊕ Y[m]

The offsets replace the explicit block index of the XOR MAC, so every block cipher input carries a full n bits of message, but the nonce is still required.

PMAC: A Parallelizable MAC

A fully-parallelizable VIL PRF: {0,1}* → {0,1}^n
– Cannot distinguish PMAC_K(·) from a random function R(·)
– Can be used as a (stateless, deterministic) MAC

Efficient
– uses ⌈|M|/n⌉ block cipher calls, like basic CBC MAC
– uses a single block cipher key
– low session-startup cost: about one block cipher call
– essentially endian neutral

Simple
– no n-bit addition or mod p operations, just xors and shifts
– much simpler than any known Carter-Wegman MAC

Provably Secure
– if E is a secure block cipher then PMAC[E] is a good PRF

PMAC in a picture:

    K → L = E_K(0^n) → offsets -L, L, 2L, 3L, ...   (as made implicit on the next slide)
    X[i] = M[i] ⊕ Offset_i,  Y[i] = E_K(X[i])       for i = 1, ..., m-1, all in parallel
    Σ = Y[1] ⊕ ... ⊕ Y[m-1] ⊕ pad(M[m])              (M[m] possibly short)
    if |M[m]| < n then nothing more; if |M[m]| = n then Σ = Σ ⊕ (-L)
    FullTag = E_K(Σ)
    Tag = first τ bits of FullTag

Definition of PMAC[E, τ]

    algorithm PMAC_K(M)
        L(0)  = E_K(0^n)
        L(-1) = lsb(L(0)) ? (L(0) >> 1) ⊕ Const43 : (L(0) >> 1)
        for i = 1, 2, ... do L(i) = msb(L(i-1)) ? (L(i-1) << 1) ⊕ Const87 : (L(i-1) << 1)
        Partition M into M[1] ... M[m]        // each n bits, except M[m] may be shorter
        Offset = 0^n;  Σ = 0^n
        for i = 1 to m-1 do
            Offset = Offset ⊕ L(ntz(i))
            Σ = Σ ⊕ E_K(M[i] ⊕ Offset)
        Σ = Σ ⊕ pad(M[m])
        if |M[m]| = n then Σ = Σ ⊕ L(-1)
        FullTag = E_K(Σ)
        Tag = first τ bits of FullTag
        return Tag
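A runnable rendering of the two preceding slides, added here as an example; it is not the reference code from the PMAC web page. It follows the definition above literally for n = 128, using the paper's constants Const87 = 0^120 10000111 and Const43 = 1 0^120 1000011; the SHA-256 Feistel permutation is a constructed stand-in for E_K so the file runs without a crypto library (substitute single-block AES-128 for real use). Beyond the slide, `pmac_parallel` computes each Offset_i directly from the Gray code of i rather than incrementally, which is what lets every E_K(M[i] ⊕ Offset_i) be evaluated independently.

```python
"""PMAC (Black-Rogaway) over a pluggable 128-bit block cipher, following the slide's definition.
Added example, not the authors' reference code. Assumed: n = 128 with the paper's constants
Const87 = 0^120 10000111 and Const43 = 1 0^120 1000011; a constructed SHA-256 Feistel
permutation stands in for AES so the file runs on a bare Python install."""
import hashlib
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, List

N = 16                                   # block size in bytes (n = 128 bits)
CONST87 = bytes(15) + b"\x87"            # 0^120 10000111
CONST43 = b"\x80" + bytes(14) + b"\x43"  # 1 0^120 1000011
BlockCipher = Callable[[bytes], bytes]   # E_K: one 16-byte block -> one 16-byte block


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def double(L: bytes) -> bytes:
    """L(i) = msb(L(i-1)) ? (L(i-1) << 1) xor Const87 : L(i-1) << 1   (times x in GF(2^128))."""
    v = int.from_bytes(L, "big")
    out = ((v << 1) & ((1 << 128) - 1)).to_bytes(N, "big")
    return xor(out, CONST87) if v >> 127 else out


def halve(L: bytes) -> bytes:
    """L(-1) = lsb(L(0)) ? (L(0) >> 1) xor Const43 : L(0) >> 1   (times x^-1)."""
    v = int.from_bytes(L, "big")
    out = (v >> 1).to_bytes(N, "big")
    return xor(out, CONST43) if v & 1 else out


def ntz(i: int) -> int:
    """Number of trailing zero bits of i >= 1."""
    return (i & -i).bit_length() - 1


def pad(block: bytes) -> bytes:
    """pad(M[m]): a full block is unchanged, a short one gets 10^* appended."""
    return block if len(block) == N else block + b"\x80" + bytes(N - len(block) - 1)


def partition(msg: bytes) -> List[bytes]:
    """M[1] ... M[m], each n bits except M[m] may be shorter; the empty message is one empty block."""
    return [msg[i:i + N] for i in range(0, len(msg), N)] or [b""]


def offset_table(E: BlockCipher, m: int) -> List[bytes]:
    """L(0) = E_K(0^n), L(i) = L(i-1) * x, enough entries to cover ntz(i) for every i < m."""
    L = [E(bytes(N))]
    while len(L) <= m.bit_length():
        L.append(double(L[-1]))
    return L


def finish(E: BlockCipher, L: List[bytes], sigma: bytes, last: bytes, tau: int) -> bytes:
    """Shared tail: fold in pad(M[m]), add L(-1) for a full final block, encipher, truncate."""
    sigma = xor(sigma, pad(last))
    if len(last) == N:
        sigma = xor(sigma, halve(L[0]))
    return E(sigma)[:tau]


def pmac(E: BlockCipher, msg: bytes, tau: int = N) -> bytes:
    """Serial PMAC exactly as on the slide: Offset = Offset xor L(ntz(i)) for i = 1 .. m-1."""
    blocks = partition(msg)
    L = offset_table(E, len(blocks))
    offset = sigma = bytes(N)
    for i in range(1, len(blocks)):
        offset = xor(offset, L[ntz(i)])
        sigma = xor(sigma, E(xor(blocks[i - 1], offset)))
    return finish(E, L, sigma, blocks[-1], tau)


def offset_direct(L: List[bytes], i: int) -> bytes:
    """Offset_i = xor of L(ntz(j)) for j <= i, which equals the xor of L(k) over the set bits of gray(i) = i ^ (i >> 1)."""
    out, g, k = bytes(N), i ^ (i >> 1), 0
    while g:
        if g & 1:
            out = xor(out, L[k])
        g, k = g >> 1, k + 1
    return out


def pmac_parallel(E: BlockCipher, msg: bytes, tau: int = N, workers: int = 4) -> bytes:
    """Same function value, but each E_K(M[i] xor Offset_i) is computed independently of the others."""
    blocks = partition(msg)
    L = offset_table(E, len(blocks))
    sigma = bytes(N)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for y in pool.map(lambda i: E(xor(blocks[i - 1], offset_direct(L, i))), range(1, len(blocks))):
            sigma = xor(sigma, y)
    return finish(E, L, sigma, blocks[-1], tau)


def feistel_cipher(key: bytes, rounds: int = 8) -> BlockCipher:
    """Constructed stand-in for E_K: a keyed 128-bit permutation from SHA-256 Feistel rounds.
    Only here so the example runs offline; use a real block cipher (e.g. AES-128) in practice."""
    def E(block: bytes) -> bytes:
        assert len(block) == N
        left, right = block[:8], block[8:]
        for r in range(rounds):
            left, right = right, xor(left, hashlib.sha256(key + bytes([r]) + right).digest()[:8])
        return left + right
    return E
```

Two properties worth checking when porting this to a real block cipher: `double(halve(L)) == L` for the L derived from the key (the GF(2^128) constants are consistent), and `pmac == pmac_parallel` on messages whose last block is full, short, and empty, since the L(-1) branch and the 10* padding are where implementations usually diverge.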

PMAC's Security

Security as a VIL PRF [GGM, BKR]: the adversary A is given either a PMAC_K oracle (query x_i, receive PMAC_K(x_i)) or a random-function oracle R (query x_i, receive R(x_i)) and must tell which it is talking to:

$$\mathrm{Adv}^{\mathrm{prf}}(A) = \Pr[A^{\mathrm{PMAC}_K} = 1] - \Pr[A^{R} = 1]$$

Security as a FIL PRP, i.e. block-cipher security [GGM, LR, BKR]: the adversary B is given either an enciphering oracle E_K (query x_i, receive E_K(x_i)) or a random-permutation oracle π (query x_i, receive π(x_i)):

$$\mathrm{Adv}^{\mathrm{prp}}(B) = \Pr[B^{E_K} = 1] - \Pr[B^{\pi} = 1]$$

PMAC Theorem

Suppose an adversary A breaks PMAC[E] with time = t, total number of blocks = σ, advantage $\mathrm{Adv}^{\mathrm{prf}}(A)$. Then there is an adversary B that breaks the block cipher E with time ≈ t, number of queries ≈ σ, and

$$\mathrm{Adv}^{\mathrm{prp}}(B) \ge \mathrm{Adv}^{\mathrm{prf}}(A) - \frac{\sigma^2}{2^{n-1}}$$

Equivalently $\mathrm{Adv}^{\mathrm{prf}}(A) \le \mathrm{Adv}^{\mathrm{prp}}(B) + \sigma^2/2^{n-1}$: any distinguisher for PMAC yields a distinguisher for E, up to a birthday-type term in the total number of blocks processed.

To wrap up, it is a standard result that any τ-bit-output PRF can be used as a MAC, where the forging probability will be at most $\mathrm{Adv}^{\mathrm{prf}}(A) + 2^{-\tau}$. Combined with the theorem, a forger against PMAC[E, τ] succeeds with probability at most $\mathrm{Adv}^{\mathrm{prp}}(B) + \sigma^2/2^{n-1} + 2^{-\tau}$.

Proof Idea

Take two distinct queries M = M[1] M[2] M[3] ... M[m] and M' = M'[1] M'[2] M'[3] ... M'[m'] that differ in, say, block 2 (M[2] and M'[2] distinct). Then the block cipher inputs X[2] = M[2] ⊕ 2L and X'[2] = M'[2] ⊕ 2L are distinct, so Y[2] = E_K(X[2]) and Y'[2] = E_K(X'[2]) are fresh, essentially independent values; this independence carries through the "other stuff" (the remaining blocks) into Σ and Σ' and hence into the tags T and T'. The only way this argument fails is an accidental collision among the X values or the Σ values, and that is what the σ²/2^{n−1} term in the theorem pays for.

PMAC as a PRF

Structure Lemma and PMAC Theorem: Fix n, τ ≥ 1. Let A be any adversary who asks q queries, these having an aggregate length of σ blocks, where m_1 + ... + m_q = σ. Then, with E replaced by an ideal permutation (so that the prp-advantage term of the PMAC Theorem vanishes),

$$\mathrm{Adv}^{\mathrm{prf}}(A) \le \frac{\sigma^2}{2^{n-1}}$$

The bound depends only on the total number of blocks σ, not on how they are split across the q queries.

PMAC Performance (Serial)

A moderately-optimized implementation of PMAC[AES] (Krovetz) runs in 18.4 cpb; compare with 17.1 cpb for AES itself.
– P3, C + assembly, gcc, 2KB, data in L1 cache

Aggressively-optimized basic CBC MAC runs on a Pentium at 15.5 cpb [Lipmaa].
– We guess that an aggressively-optimized PMAC[AES] should run at about 16.5 cpb.

Comparisons

    Scheme                  Ref          Domain        PRF   Parallelizable   E calls   Key length   Overhead / blk
    CBC MAC                 (X9.19 etc.) ({0,1}^n)^m   yes   no               |M|/n     k            1 xor
    XCBC                    [BR 00]      {0,1}*        yes   no               |M|/n     k + 2n       1 xor
    XECB-MAC (3 versions)   [GD 00,01]   {0,1}*        no    yes              |M|/n     varies       varies; 1 xor, 2 add
    PMAC                    [BR 02]      {0,1}*        yes   yes              |M|/n     k            3 xor

Implementation Effort

    Object          Effort (John-Time)
    Basic CBC MAC   30 mins
    XCBC            1 hour
    PMAC            3 hours
    OCB             4 hours
    AES             8 hours
    DES             8 hours
    UMAC            3 days

More Information on PMAC

Visit the PMAC web page: www.cs.ucdavis.edu/~rogaway/pmac

Web page contains:
– Reference Code (by Ted Krovetz and me)
– Test Vectors
– FAQ
– Full version of the PMAC paper