On Efficient Message Authentication Via Block Cipher Design Techniques

In an effort to design a MAC scheme that is built using block cipher components and runs faster than the modes of operation for message authentication, Daemen and Rijmen have proposed a generic MAC construction ALRED and a concrete ALRED instance Pelican. The Pelican MAC uses four rounds of AES as a building block to compute the authentication tag in a CBC-like manner. It is about 2.5 times faster than a CBC-MAC with AES, but it is not proven secure. Minematsu and Tsunoo observed that one can build almost universal (AU2) hash functions using differentially uniform permutations (e.g., four AES rounds with independent keys), and hence, provably secure MAC schemes as well. They proposed two MAC schemes MT-MAC and PC-MAC. MT-MAC hashes the message using a Wegman-Carter binary tree. Its speedup for long messages approaches 2.5, but it is not very memory efficient. PC-MAC hashes the message in a CBC-like manner. It is more memory efficient. However, its speedup over the message authentication modes is about 1.4. We notice that using a non-linear permutation as a building block, one can construct almost XOR universal (AXU2) hash functions whose security is close to the maximum differential probability of the underlying non-linear permutation. Hence, using four AES rounds as a building block will lead to efficient Wegman-Carter MAC schemes that offer much better security than the modes of operation for message authentication. If the target security is that of the message authentication modes with AES, then one can use non-linear permutations defined on 64-bit blocks and achieve greater speedup and better key agility. For instance, the ideally achievable speedup when using the 64-bit components we suggest is 3.3 to 5.0 as opposed to the 2.5 speedup when using four AES rounds.
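The central observation of the abstract, that a keyed hash built from a differentially uniform permutation is an AXU hash with collision-difference probability equal to the permutation's maximum differential probability, and that such a hash combined with a one-time mask gives a Wegman-Carter MAC, can be checked exhaustively at toy scale. The following is an added illustration, not code from the paper or its authors: it uses a constructed 4-bit example (the PRESENT S-box standing in for "four AES rounds"), the hypothetical single-block hash H_K(x) = S(x XOR K), and a toy one-block "PRF" in place of the block-cipher call that masks the hash in a real scheme. It computes the maximum differential probability of the permutation, then verifies that the AXU bound of the keyed hash, computed directly over all keys, is exactly the same value.

```python
"""Toy check of 'differential uniformity => AXU hash => Wegman-Carter MAC'.

Everything here is constructed for illustration at 4-bit width; the paper's
constructions operate on 64-bit or 128-bit blocks built from real cipher rounds.
"""
from fractions import Fraction
from itertools import product

N_BITS = 4
MASK = (1 << N_BITS) - 1

# Constructed example permutation: the 4-bit PRESENT S-box (a published S-box,
# chosen here only because it is small and has differential uniformity 4).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def max_differential_probability(sbox):
    """Max over nonzero input difference a and any output difference b of
    Pr_x[ S(x) XOR S(x XOR a) = b ], i.e. the largest DDT entry divided by 2^n."""
    n = len(sbox)
    best = 0
    for a in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        best = max(best, max(counts))
    return Fraction(best, n)


def keyed_hash(key, x, sbox=SBOX):
    """Hypothetical single-block keyed hash H_K(x) = S(x XOR K)."""
    return sbox[(x ^ key) & MASK]


def max_axu_probability(sbox=SBOX):
    """AXU bound of keyed_hash, found by brute force: max over x != x' and any
    difference d of Pr_K[ H_K(x) XOR H_K(x') = d ] with K uniform.
    Substituting u = x XOR K shows this equals the max differential probability."""
    n = len(sbox)
    best = 0
    for x, x2 in product(range(n), repeat=2):
        if x == x2:
            continue
        counts = [0] * n
        for k in range(n):
            counts[keyed_hash(k, x, sbox) ^ keyed_hash(k, x2, sbox)] += 1
        best = max(best, max(counts))
    return Fraction(best, n)


def toy_prf(pad_key, nonce):
    """Stand-in for the block-cipher call F_K2(nonce) that supplies the one-time
    mask in a Wegman-Carter MAC. Toy only: a single S-box layer is not a PRF."""
    return SBOX[(nonce ^ pad_key) & MASK]


def wc_tag(hash_key, pad_key, nonce, message):
    """Wegman-Carter tag: AXU hash of the message masked by a per-nonce value.
    The nonce must never repeat under the same pad_key."""
    return keyed_hash(hash_key, message) ^ toy_prf(pad_key, nonce)


def wc_verify(hash_key, pad_key, nonce, message, tag):
    """Recompute and compare; with the mask fresh, a forgery on a new message
    succeeds with probability at most max_axu_probability()."""
    return wc_tag(hash_key, pad_key, nonce, message) == tag


if __name__ == "__main__":
    dp = max_differential_probability(SBOX)
    axu = max_axu_probability(SBOX)
    print("max differential probability of S:", dp)
    print("AXU bound of H_K(x) = S(x XOR K):   ", axu)
    tag = wc_tag(hash_key=0x3, pad_key=0x7, nonce=0x5, message=0xA)
    print("tag accepted:", wc_verify(0x3, 0x7, 0x5, 0xA, tag))
    print("altered message accepted:", wc_verify(0x3, 0x7, 0x5, 0xB, tag))
```

The two printed probabilities coincide (1/4 for this S-box), which is the identity the abstract relies on: the forgery bound of the resulting Wegman-Carter MAC is governed by the permutation's differential probability, so a block-cipher-style permutation with a small maximum differential probability gives a hash with correspondingly small AXU probability. The hash here covers a single block only; extending it to multi-block messages while keeping the bound close to that probability is what the paper's constructions address.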
