MergeMAC: A MAC for Authentication with Strict Time Constraints and Limited Bandwidth

  • Ralph Ankele
  • Florian Böhl
  • Simon Friedberger
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10892)

Abstract

This paper presents MergeMAC, a MAC that is particularly suitable for environments with strict time requirements and extremely limited bandwidth. MergeMAC computes the MAC by splitting the message into two parts. We use a pseudorandom function (PRF) to map messages to random bit strings and then merge them with a very efficient keyless function. The advantage of this approach is that the outputs of the PRF can be cached for frequently needed message parts. We demonstrate the merits of MergeMAC for authenticating messages on the CAN bus where bandwidth is extremely limited and caching can be used to recover parts of the message counter instead of transmitting it. We recommend an instantiation of the merging function Merge and analyze the security of our construction. Requirements for a merging function are formally defined and the resulting EUF-CMA security of MergeMAC is proven.
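The split-PRF-merge structure and the counter-recovery idea from the abstract, as an added Python illustration that is not the authors' code: HMAC-SHA-256 stands in for the PRF, a plain SHA-256 over the concatenation stands in for the keyless Merge (the paper's recommended Merge is not reproduced here), and the frame layout, tag length, counter split and receiver window are constructed for this example.

```python
import hashlib
import hmac

# Constructed parameters for this illustration, not the paper's values.
TAG_LEN = 4  # bytes of tag transmitted
LOW_LEN = 1  # counter bytes kept in the fast-changing message part
CTR_LEN = 4  # bytes of the full message counter

class MergeMAC:
    # tag(m1, m2) = Merge(PRF_k(m1), PRF_k(m2)) with cached PRF outputs.
    def __init__(self, key: bytes):
        self._key = key
        self._cache = {}
        self.prf_calls = 0  # real PRF evaluations, to show the caching effect

    def _prf(self, part: bytes) -> bytes:
        # Stand-in PRF (HMAC-SHA-256); each distinct part is evaluated once.
        out = self._cache.get(part)
        if out is None:
            self.prf_calls += 1
            out = hmac.new(self._key, part, hashlib.sha256).digest()
            self._cache[part] = out
        return out

    @staticmethod
    def _merge(a: bytes, b: bytes) -> bytes:
        # Keyless merge; a stand-in, not the Merge function the paper recommends.
        return hashlib.sha256(a + b).digest()

    def tag(self, m1: bytes, m2: bytes) -> bytes:
        return self._merge(self._prf(m1), self._prf(m2))[:TAG_LEN]

def split(msg_id: int, payload: bytes, counter: int):
    # m1 (cached): id + counter high bytes, rarely change; m2: payload + low byte.
    ctr = counter.to_bytes(CTR_LEN, "big")
    return msg_id.to_bytes(2, "big") + ctr[:-LOW_LEN], payload + ctr[-LOW_LEN:]

def make_frame(mac: MergeMAC, msg_id: int, payload: bytes, counter: int):
    # Sender transmits id, payload and truncated tag; the counter stays implicit.
    return msg_id, payload, mac.tag(*split(msg_id, payload, counter))

def recover_counter(mac: MergeMAC, frame, last_counter: int, window: int = 16):
    # Receiver tries the next `window` counters. PRF(m1) is served from cache,
    # so each candidate costs one PRF call on m2 plus the cheap merge.
    msg_id, payload, tag = frame
    for cand in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(mac.tag(*split(msg_id, payload, cand)), tag):
            return cand
    return None  # no counter in the window authenticates this frame
```

A frame whose counter falls at or below the receiver's last accepted counter is rejected by construction, which is what gives the untransmitted counter its replay-protection value.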

Keywords

Symmetric-key cryptography, Message Authentication Code, Lightweight, Efficient, Automotive, CAN bus

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Ralph Ankele, Royal Holloway University of London, Egham, UK
  • Florian Böhl, NXP Semiconductors, Leuven, Belgium
  • Simon Friedberger, NXP Semiconductors, Leuven, Belgium