Key-Recovery Attacks on Universal Hash Function Based MAC Algorithms
Abstract
This paper discusses key recovery and universal forgery attacks on several MAC algorithms based on universal hash functions. The attacks use a substantial number of verification queries but eventually allow for universal forgeries instead of existential or multiple forgeries. This means that the security of the algorithms completely collapses once a few forgeries are found. Some of these attacks start off by exploiting a weak key property, but turn out to become full-fledged divide and conquer attacks because of the specific structure of the universal hash functions considered. Partial information on a secret key can be exploited too, in the sense that it renders some key recovery attacks practical as soon as a few key bits are known. These results show that while universal hash functions offer provable security, high speeds and parallelism, their simple combinatorial properties make them less robust than conventional message authentication primitives.
Keywords
Hash Function, Block Cipher, Message Authentication Code, Message Authentication, Side Channel Attack