MAC Precomputation with Applications to Secure Memory

We present ShMAC (Shallow MAC), a fixed input length message authentication code that performs most of the computation prior to the availability of the message. Specifically, ShMAC's message-dependent computation is much faster and smaller in hardware than the evaluation of a pseudorandom permutation (PRP), and can be implemented by a small shallow circuit, while its precomputation consists of one PRP evaluation. A main building block for ShMAC is the notion of strong differential uniformity (SDU), which we introduce, and which may be of independent interest. We present an efficient SDU construction built from previously considered differentially uniform functions. Our motivating application is a system where a hardware-secured processor uses memory controlled by an adversary. We present in technical detail a novel, more efficient approach to encrypting and authenticating memory and discuss the associated trade-offs, while paying special attention to minimizing hardware costs and the reduction of DRAM latency.

[1]  Ralph C. Merkle,et al.  Secrecy, authentication, and public key systems , 1979 .

[2]  Liam Keliher,et al.  Exact maximum expected differential and linear probability for two-round Advanced Encryption Standard , 2007, IET Inf. Secur..

[3]  Dan Boneh,et al.  Architectural support for copy and tamper resistant software , 2000, SIGP.

[4]  Gilles Brassard,et al.  On Computationally Secure Authentication Tags Requiring Short Secret Shared Keys , 1982, CRYPTO.

[5]  Mihir Bellare,et al.  The Power of Verification Queries in Message Authentication and Authenticated Encryption , 2004, IACR Cryptol. ePrint Arch..

[6]  David Naccache,et al.  How to Disembed a Program? , 2004, IACR Cryptol. ePrint Arch..

[7]  Hugo Krawczyk,et al.  LFSR-based Hashing and Authentication , 1994, CRYPTO.

[8]  Vincent Rijmen,et al.  Understanding Two-Round Differentials in AES , 2006, SCN.

[9]  Moni Naor,et al.  How Efficient Can Memory Checking Be? , 2009, TCC.

[10]  K. P. Subbalakshmi,et al.  On Efficient Message Authentication Via Block Cipher Design Techniques , 2007, ASIACRYPT.

[11]  Lionel Torres,et al.  TEC-Tree: A Low-Cost, Parallelizable Tree for Efficient Defense Against Memory Replay Attacks , 2007, CHES.

[12]  G. Edward Suh,et al.  Aegis: A Single-Chip Secure Processor , 2007, IEEE Des. Test Comput..

[13]  Kazuhiko Minematsu,et al.  Provably Secure MACs from Differentially-Uniform Permutations and AES-Based Implementations , 2006, FSE.

[14]  Russell Tessier,et al.  Low latency Solution for Confidentiality and Integrity Checking in Embedded Systems with Off-Chip Memory , 2007, ReCoSoC.

[15]  Larry Carter,et al.  New Hash Functions and Their Use in Authentication and Set Equality , 1981, J. Comput. Syst. Sci..

[16]  Manuel Blum,et al.  Checking the correctness of memories , 1991, [1991] Proceedings 32nd Annual Symposium of Foundations of Computer Science.

[17]  Lionel Torres,et al.  A parallelized way to provide data encryption and integrity checking on a processor-memory bus , 2006, 2006 43rd ACM/IEEE Design Automation Conference.

[18]  Kaisa Nyberg,et al.  Differentially Uniform Mappings for Cryptography , 1994, EUROCRYPT.

[19]  Hugo Krawczyk,et al.  HMAC: Keyed-Hashing for Message Authentication , 1997, RFC.

[20]  Charanjit S. Jutla,et al.  Parallelizable Authentication Trees , 2005, IACR Cryptol. ePrint Arch..

[21]  G. Edward Suh,et al.  Aegis: A Single-Chip Secure Processor , 2007, IEEE Design & Test of Computers.

[22]  G. Edward Suh,et al.  Caches and hash trees for efficient memory integrity verification , 2003, The Ninth International Symposium on High-Performance Computer Architecture, 2003. HPCA-9 2003. Proceedings..

[23]  Douglas R. Stinson Universal Hashing and Authentication Codes , 1991, CRYPTO.