On the Adaptive Security of MACs and PRFs

We consider the security of two of the most commonly used cryptographic primitives—message authentication codes (MACs) and pseudorandom functions (PRFs)—in a multi-user setting with adaptive corruption. Whereas it is well known that any secure MAC or PRF is also multi-user secure under adaptive corruption, the trivial reduction induces a security loss that is linear in the number of users. Our main result shows that black-box reductions from "standard" assumptions cannot be used to provide a tight, or even a linear-preserving, security reduction for adaptive multi-user secure deterministic stateless MACs and thus also PRFs. In other words, a security loss that grows with the number of users is necessary for any such black-box reduction.
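The "trivial reduction" referred to above, written out as an added illustration (not part of the paper's text): the single-user adversary guesses which of the $n$ users the multi-user adversary will forge against, which is exactly where the factor $n$ comes from. The symbols $\mathsf{Adv}^{\mathrm{mu\text{-}corr}}$ (multi-user unforgeability with adaptive key corruption) and $\mathsf{Adv}^{\mathrm{su}}$ (single-user unforgeability) are my notation, not the paper's.

$$
\begin{aligned}
&\text{Let } \mathcal{A} \text{ interact with } n \text{ users } 1,\dots,n, \text{ corrupt any subset adaptively, and output a forgery } (j, m^*, \tau^*) \text{ for an uncorrupted } j. \\[2pt]
&\text{Reduction } \mathcal{B} \text{ (has a single } \mathrm{Mac}_K(\cdot) \text{ oracle and must forge under } K):\\
&\quad 1.\ \text{pick } i^* \leftarrow_{\$} [n];\ \text{for } i \neq i^* \text{ sample } K_i \leftarrow_{\$} \{0,1\}^k \text{ locally}.\\
&\quad 2.\ \text{answer } \mathcal{A}\text{'s tag query } (i, m) \text{ with } \mathrm{Mac}_{K_i}(m) \text{ if } i \neq i^*, \text{ else with the oracle } \mathrm{Mac}_K(m).\\
&\quad 3.\ \text{answer a corruption of } i \neq i^* \text{ with } K_i;\ \text{on corruption of } i^* \text{ abort}.\\
&\quad 4.\ \text{on forgery } (j, m^*, \tau^*): \text{ if } j = i^* \text{ output } (m^*, \tau^*), \text{ else abort}.\\[2pt]
&\text{The simulation is perfect until an abort and } i^* \text{ is independent of } \mathcal{A}\text{'s view, so } \Pr[\,j = i^*\,] = 1/n:\\
&\qquad \mathsf{Adv}^{\mathrm{su}}_{\mathrm{MAC}}(\mathcal{B}) \;=\; \tfrac{1}{n}\cdot \mathsf{Adv}^{\mathrm{mu\text{-}corr}}_{\mathrm{MAC}}(\mathcal{A})
\quad\Longleftrightarrow\quad
\mathsf{Adv}^{\mathrm{mu\text{-}corr}}_{\mathrm{MAC}}(\mathcal{A}) \;\le\; n\cdot \mathsf{Adv}^{\mathrm{su}}_{\mathrm{MAC}}(\mathcal{B}),
\end{aligned}
$$

with $\mathcal{B}$ running in essentially the same time as $\mathcal{A}$. The loss $n$ is what a "tight" reduction would have to remove and a "linear-preserving" one would have to bound by a constant; the abstract's result is that no black-box reduction from standard assumptions can do either for deterministic stateless MACs (and hence PRFs, via the same guessing or a per-user hybrid).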
