Almost universal forgery attacks on AES-based MAC’s

A message authentication code (MAC) computes, for each (arbitrarily long) message $$m$$ and key $$k$$, a short authentication tag that is hard to forge when $$k$$ is unknown. One of the most popular ways to process $$m$$ in such a scheme is to use some variant of AES in CBC mode and to derive the tag from the final ciphertext block. In this paper, we analyze the security of several proposals of this type and show that they are vulnerable to a new type of attack, which we call almost universal forgery: the attacker can easily produce the correct tag for any given message, provided it is allowed to change a single block of that message.
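The abstract does not describe the paper's attacks on the specific proposals it analyzes, and none are reproduced here. What the following added example (my code, not the paper's) shows is the shape of an almost universal forgery on the simplest member of the family the abstract describes: raw CBC-MAC with a zero IV, no padding or length encoding, a single key, and tag = final ciphertext block. Given tag queries on two messages (a prefix and a suffix of the target, never the target itself), the attacker obtains a valid tag for the target with exactly one block replaced. The block cipher is a SHA-256-based Feistel stand-in for AES so the example runs with only the Python standard library; the splicing depends only on the CBC chaining, not on the cipher. The names `MacOracle`, `almost_universal_forgery`, `demo` and the three-block sample message are constructed for the example.

```python
"""Prefix/suffix splicing: an almost universal forgery against raw CBC-MAC.

Added illustration, not the attack from the paper.  Raw CBC-MAC here means:
zero IV, no padding or length encoding, one key, tag = last ciphertext block.
"""
import hashlib
import os
from typing import Optional

BLOCK = 16  # 128-bit blocks, as with AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_blocks(msg: bytes) -> list:
    if len(msg) == 0 or len(msg) % BLOCK:
        raise ValueError("message must be a non-empty multiple of the block size")
    return [msg[j:j + BLOCK] for j in range(0, len(msg), BLOCK)]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES so the example needs only the standard library: a
    4-round balanced Feistel network with round function SHA-256(key, round, half).
    It is a keyed permutation on 16-byte blocks; the forgery below uses nothing
    else about it, so swapping in AES-128 changes no step of the attack."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, _xor(left, f)
    return left + right


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    state = bytes(BLOCK)  # zero IV
    for blk in split_blocks(msg):
        state = block_encrypt(key, _xor(state, blk))
    return state  # tag = final ciphertext block


class MacOracle:
    """The attacker's only access to the key: tag queries on chosen messages.
    Queries are logged so a forgery can be checked to be on a fresh message."""

    def __init__(self, key: bytes):
        self._key = key
        self.queried = []

    def tag(self, msg: bytes) -> bytes:
        self.queried.append(msg)
        return cbc_mac(self._key, msg)


def almost_universal_forgery(oracle: MacOracle, target: bytes, i: int):
    """Forge a tag for `target` with block i replaced, using two queries.

    Let P = blocks[:i] and S = blocks[i:], both non-empty, and c = MAC(P),
    the chaining value entering block i.  In the message P || (m_i xor c) || rest
    the cipher input at position i is c xor (m_i xor c) = m_i, exactly the first
    cipher input of CBC-MAC(S); the remaining blocks coincide, so
    MAC(P || (m_i xor c) || rest) = MAC(S).  The forged message is never queried.
    """
    blocks = split_blocks(target)
    if not 1 <= i <= len(blocks) - 1:
        raise ValueError("need a non-empty prefix and a non-empty suffix")
    prefix, suffix = b"".join(blocks[:i]), b"".join(blocks[i:])
    c = oracle.tag(prefix)
    forged_tag = oracle.tag(suffix)
    forged_msg = prefix + _xor(blocks[i], c) + b"".join(blocks[i + 1:])
    return forged_msg, forged_tag


def demo(key: Optional[bytes] = None) -> dict:
    """Run the forgery on a constructed 3-block message (sample data, not real)."""
    key = key if key is not None else os.urandom(16)  # unknown to the attacker
    oracle = MacOracle(key)
    target = b"pay 100 to alice" + b"from acct 424242" + b"memo: lunch dues"
    forged_msg, forged_tag = almost_universal_forgery(oracle, target, i=1)
    changed = sum(a != b for a, b in zip(split_blocks(target), split_blocks(forged_msg)))
    return {
        "forged_msg": forged_msg,
        "valid": cbc_mac(key, forged_msg) == forged_tag,  # the verifier accepts it
        "fresh": forged_msg not in oracle.queried,         # never asked of the oracle
        "changed_blocks": changed,                          # only block i differs
        "queries": len(oracle.queried),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier in `demo` is the same raw scheme, so the forged message passes with a tag the attacker never obtained for it. Constructions that encode the message length or apply a final keyed transformation to the last block (CMAC, for instance) do not admit this prefix/suffix splicing; the proposals the paper attacks are such variants, and its attacks on them are different from the one shown here.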
