A New Look at Counters: Don’t Run Like Marathon in a Hundred Meter Race

In cryptography, counters (classically encoded as bit strings of fixed size for all inputs) are employed to prevent collisions on the inputs of the underlying primitive, which helps us prove security. In this paper we present a unified notion for counters, called the counter function family, and identify some necessary and sufficient conditions on counters which give (possibly) simple proofs of security for various counter-based cryptographic schemes. We observe that these conditions are trivially true for the classical counters. We also identify and study two variants of the classical counter which satisfy the security conditions. The first variant has a message-length-dependent counter size, whereas the second variant uses universal coding to generate a message-length-independent counter size. Furthermore, these variants provide better performance for shorter messages. For instance, when the message size is $2^{19}$ bits, AES-LightMAC with a 64-bit (classical) counter takes 1.51 cycles per byte (cpb), whereas it takes 0.81 cpb and 0.89 cpb for the first and second variant, respectively.
We benchmark the software performance of these variants against the classical counter by implementing them in MACs and HAIFA hash function.
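To make the trade-off concrete, the following added example (not code from the paper or its authors) models the three counter encodings as they would prefix each block in a LightMAC-style MAC, checks that the encoded counters keep all per-block inputs distinct even for an all-zero message, and counts how many block-cipher calls each encoding costs. The paper's exact conditions on counter function families are not reproduced; the universal code for the second variant is assumed to be Elias gamma, the per-message counter size for the first variant is assumed to be the bit length of the message length, and the block size is assumed to be 128 bits.

```python
# Added example: counter encodings for a LightMAC-style MAC (assumptions labelled).
N = 128  # block size in bits (AES); assumption


def classical_counter(i: int, s: int = 64) -> str:
    """Classical counter: fixed s-bit big-endian encoding for every message."""
    return format(i, f"0{s}b")


def message_counter_size(msg_len_bits: int) -> int:
    """Variant 1 (assumed rule): one counter size per message, large enough to
    index every block, since the block count never exceeds the bit length."""
    return max(1, msg_len_bits.bit_length())


def length_dependent_counter(i: int, s: int) -> str:
    """Variant 1: same shape as the classical counter, but s depends on the message."""
    return format(i, f"0{s}b")


def elias_gamma(i: int) -> str:
    """Variant 2 (assumed universal code): Elias gamma code of i >= 1,
    i.e. (bitlen(i) - 1) zeros followed by the binary form of i."""
    assert i >= 1
    b = format(i, "b")
    return "0" * (len(b) - 1) + b


def is_prefix_free(codes) -> bool:
    """A prefix-free counter set guarantees ctr(i) || x != ctr(j) || y for i != j,
    whatever the message chunks x and y are."""
    return not any(a != b and b.startswith(a) for a in codes for b in codes)


def block_inputs(msg_bits: str, counter):
    """Split the message into chunks that fill each N-bit block after its counter.
    The trailing remainder goes to LightMAC's final (second-key) block and is
    therefore not listed here. Counters start at 1 so every encoding applies."""
    inputs, pos, i = [], 0, 1
    while True:
        c = counter(i)
        room = N - len(c)
        if pos + room >= len(msg_bits):
            break
        inputs.append(c + msg_bits[pos:pos + room])
        pos, i = pos + room, i + 1
    return inputs


def mac_calls(msg_bits: str, counter) -> int:
    """Block-cipher calls: one per counter block plus the final block."""
    return len(block_inputs(msg_bits, counter)) + 1


def all_distinct(inputs) -> bool:
    return len(set(inputs)) == len(inputs)
```

Running it on a 1024-bit constructed message shows the shorter counters leaving more room per block, so fewer cipher calls, while every block input stays 128 bits long and distinct.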
