MAC Precomputation with Applications to Secure Memory

  • Juan Garay
  • Vladimir Kolesnikov
  • Rae McLellan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5735)


We present ShMAC (Shallow MAC), a fixed-input-length message authentication code that performs most of its computation before the message is available. Specifically, ShMAC’s message-dependent computation is much faster and smaller in hardware than the evaluation of a pseudorandom permutation (PRP) and can be implemented by a small, shallow circuit, while its precomputation consists of a single PRP evaluation.

A main building block for ShMAC is the notion of strong differential uniformity (SDU), which we introduce, and which may be of independent interest. We present an efficient SDU construction built from previously considered differentially uniform functions.

Our motivating application is a system where a hardware-secured processor uses memory controlled by an adversary. We present in technical detail a novel, more efficient approach to encrypting and authenticating memory and discuss the associated trade-offs, while paying special attention to minimizing hardware cost and reducing DRAM latency.
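As an added illustration of the differential-uniformity notion on which the abstract's SDU building block rests (example code written for this page, not from the paper, whose SDU definition is not given here): the script generates the AES S-box, the standard differentially 4-uniform map (field inversion followed by AES's affine layer), and measures its differential uniformity next to a linear map that scores the worst possible value.

```python
# Added example (not the paper's code): differential uniformity of a lookup table.
# DU(f) = max over nonzero input difference a and any output difference b of
# #{x : f(x ^ a) ^ f(x) == b}. Low is good (4 for the AES S-box); a linear map
# such as the identity scores the maximum possible, 2^n.

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    """Multiplicative inverse a^254 in GF(2^8); 0 maps to 0 by the AES convention."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def aes_sbox() -> list:
    """Generate the AES S-box: field inversion followed by the fixed affine map."""
    box = []
    for x in range(256):
        y = gf_inv(x)
        s = y
        for k in range(1, 5):  # XOR in y rotated left by 1..4 bits
            s ^= ((y << k) | (y >> (8 - k))) & 0xFF
        box.append(s ^ 0x63)
    return box

def differential_uniformity(f: list) -> int:
    """Largest difference-distribution-table entry over nonzero input differences."""
    n = len(f)  # f is a table on {0..2^n-1} with outputs in the same range
    worst = 0
    for a in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[f[x ^ a] ^ f[x]] += 1
        worst = max(worst, max(counts))
    return worst

if __name__ == "__main__":
    print("AES S-box:", differential_uniformity(aes_sbox()))        # 4
    print("identity :", differential_uniformity(list(range(256))))  # 256
```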







Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Juan Garay (1)
  • Vladimir Kolesnikov (2)
  • Rae McLellan (2)
  1. AT&T Labs – Research, Florham Park
  2. Bell Labs, Murray Hill, USA
