Constructing Rate-1 MACs from Related-Key Unpredictable Block Ciphers: PGV Model Revisited

  • Liting Zhang
  • Wenling Wu
  • Peng Wang
  • Lei Zhang
  • Shuang Wu
  • Bo Liang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6147)

Abstract

Almost all current block-cipher-based MACs reduce their security to the pseudorandomness of their underlying block ciphers, except for a few of them to the unpredictability, a strictly weaker security notion than pseudorandomness. However, the latter MACs offer relatively low efficiency. In this paper, we investigate the feasibility of constructing rate-1 MACs from related-key unpredictable block ciphers. First, we show all the existing rate-1 MACs are insecure when instantiated with a special kind of related-key unpredictable block cipher. The attacks on them inspire us to propose an assumption that all the chaining values are available to adversaries for theoretically analyzing such MACs. Under this assumption, we study the security of 64 rate-1 MACs in keyed PGV model, and find that 1) 15 MACs are meaningless; 2) 25 MACs are vulnerable to three kinds of attacks respectively and 3) 24 MACs are provably secure when their underlying block ciphers are related-key unpredictable. Furthermore, we refine these 24 provably secure rate-1 MACs in Compact PGV model by removing a useless parameter away, and find that the resulting 6 provably secure MACs are in fact equivalent to each other. In the aspect of efficiency, however, the low rate of these secure MACs does not necessarily mean they can run faster than none rate-1 one MACs, due to their large number of key schedules.

Keywords

Message Authentication Code Block Cipher Mode of Operation Provable Security 

References

  1. 1.
    FIPS 197. Advanced Encryption Standard (AES). National Institute of Standards and Technology (2001)Google Scholar
  2. 2.
    FIPS 113. Computer Data Authentiaction. National Institute of Standards and Technology (1985)Google Scholar
  3. 3.
    Bellare, M., Kilian, J., Rogaway, P.: The Security of Cipher Block Chaining. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 341–358. Springer, Heidelberg (1994)Google Scholar
  4. 4.
    ISO/IEC 9797 – 1, Information Technology – Security Techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms Using A Block Cipher. International Organization for Standardization (1999)Google Scholar
  5. 5.
    Petrank, E., Rackoff, C.: CBC MAC for Real-Time Data Sources. J. Cryptology 13(3), 315–338 (2000)MATHCrossRefMathSciNetGoogle Scholar
  6. 6.
    Jaulmes, É., Joux, A., Valette, F.: On the Security of Randomized CBC-MAC Beyond the Birthday Paradox Limit: A New Construction. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 237–251. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  7. 7.
    Black, J., Rogaway, P.: CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 197–215. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  8. 8.
    Kurosawa, K., Iwata, T.: TMAC: Two-Key CBC MAC. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 33–49. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  9. 9.
    Iwata, T., Kurosawa, K.: OMAC: One-Key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003)Google Scholar
  10. 10.
    Special Publication 800-38B. Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication. National Institute of Standards and Technology, http://csrc.nist.gov/groups/ST/toolkit/BCM/current_modes.html
  11. 11.
    Nandi, M.: Fast and Secure CBC-Type MAC Algorithms. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 375–393. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  12. 12.
    Specification of the 3GPP Confidentiality and Integrity Algorithms; Document 1: f8 and f9 Specifications, http://www.3gpp.org/ftp/Specs/archive/35_series/35.201/
  13. 13.
    Black, J., Rogaway, P.: A Block-Cipher Mode of Operation for Parallelizable Message Authentication. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 384–397. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  14. 14.
    Dodis, Y., Pietrzak, K., Puniya, P.: A New Mode of Operation for Block Ciphers and Length-Preserving MACs. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 198–219. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  15. 15.
    Dodis, Y., Steinberger, J.: Message Authentication Codes from Unpredictable Block Ciphers. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 267–285. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  16. 16.
    Biham, E., Dunkelman, O., Keller, N.: A Related-Key Rectangle Attack on the Full KASUMI. In: Roy, B.K. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 443–461. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  17. 17.
    Biryukov, A., Khovratovich, D., Nikolić, I.: Distinguisher and Related-Key Attack on the Full AES-256. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 231–249. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  18. 18.
    An, J.H., Bellare, M.: Constructing VIL-MACs from FIL-MACs: Message Authentication under Weakened Assumptions. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 252–269. Springer, Heidelberg (1999)Google Scholar
  19. 19.
    Maurer, U.M., Sjödin, J.: Single-Key AIL-MACs from Any FIL-MAC. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 472–484. Springer, Heidelberg (2005)Google Scholar
  20. 20.
    Bellare, M.: New Proofs for NMAC and HMAC Security Without Collision-Resistance. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 602–619. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  21. 21.
    Bellare, M., Ristenpart, T.: Hash Functions in the Dedicated-Key Setting: Design Choices and MPP Transforms. In: Arge, L., Cachin, C., Jurdziński, T., Tarlecki, A. (eds.) ICALP 2007. LNCS, vol. 4596, pp. 399–410. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  22. 22.
    Hirose, S., Park, J.H., Yun, A.: A Simple Variant of the Merkle-Damgård Scheme with a Permutation. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 113–129. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  23. 23.
    Yasuda, K.: A Single-Key Domain Extender for Privacy-Preserving MACs and PRFs. In: Lee, P.J., Cheon, J.H. (eds.) ICISC 2008. LNCS, vol. 5461, pp. 268–285. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  24. 24.
    Yasuda, K.: A Double-Piped Mode of Operation for MACs, PRFs and PROs: Security beyond the Birthday Barrier. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 242–259. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  25. 25.
    Preneel, B., Govaerts, R., Vandewalle, J.: Hash Functions Based on Block Ciphers: A Synthetic Approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994)Google Scholar
  26. 26.
    Wang, P., Feng, D., Wu, W., Zhang, L.: On the Unprovable Security of 2-Key XCBC. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 230–238. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  27. 27.
    Phan, R.C.W., Siddiqi, M.U.: Related-Mode Attacks on Block Cipher Modes of Operation. In: Gervasi, O., Gavrilova, M.L., Kumar, V., Laganá, A., Lee, H.P., Mun, Y., Taniar, D., Tan, C.J.K. (eds.) ICCSA 2005. LNCS, vol. 3482, pp. 661–671. Springer, Heidelberg (2005)Google Scholar
  28. 28.
    Black, J., Rogaway, P., Shrimpton, T.: Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 320–335. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  29. 29.
    Luby, M., Rackoff, C.: How to Construct Pseudo-Random Permutations from Pseudo-Random Functions (Abstract). In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, p. 447. Springer, Heidelberg (1986)Google Scholar
  30. 30.
    Bellare, M., Kohno, T.: A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 491–506. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  31. 31.
    Lucks, S.: Ciphers Secure against Related-Key Attacks. In: Roy, B.K., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 359–370. Springer, Heidelberg (2004)Google Scholar
  32. 32.
    Coron, J.S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård Revisited: How to Construct a Hash Function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005)Google Scholar
  33. 33.
    Shannon, C.E.: Communication Theory of Secrecy Systems. Bell Systems Technical Journal 28(4), 656–715 (1949)MATHMathSciNetGoogle Scholar
  34. 34.
    Kent, S., Atkinson, R.: Security Architecture for the Internet Protocol. RFC 2401, standards track, the Internet Society (1998)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Liting Zhang
    • 1
    • 2
  • Wenling Wu
    • 1
    • 2
  • Peng Wang
    • 1
    • 2
  • Lei Zhang
    • 1
    • 2
  • Shuang Wu
    • 1
    • 2
  • Bo Liang
    • 1
    • 2
  1. 1.State Key Laboratory of Information SecurityInstitute of Software, Chinese Academy of SciencesBeijingP.R. China
  2. 2.Graduate University of Chinese Academy of SciencesBeijingP.R. China

Personalised recommendations