Improving the Security of MACs Via Randomized Message Preprocessing

"Hash then encrypt" is an approach to message authentication in which the message is first hashed down with an $\varepsilon$-universal hash function and the resulting $k$-bit value is then encrypted, say with a block cipher. The security of this scheme is proportional to $\varepsilon q^2$, where $q$ is the number of MACs the adversary can request. Since $\varepsilon \ge 2^{-k}$, the best one can hope for is $O(q^2/2^k)$ security. Unfortunately, such a small $\varepsilon$ is not achieved by the simple hash functions used in practice, such as polynomial evaluation or the Merkle-Damgård construction, where $\varepsilon$ grows with the message length $L$. The main insight of this work is that, by using randomized message preprocessing via a short random salt $\rho$ (which must then be sent as part of the authentication tag), one can use the "hash then encrypt" paradigm with suboptimal "practical" $\varepsilon$-universal hash functions and still improve its exact security to the optimal $O(q^2/2^k)$. Specifically, with a salt $\rho$ of at most $O(\log L)$ bits, one can always regain the optimal exact security $O(q^2/2^k)$, even in situations where $\varepsilon$ grows polynomially with $L$. We also give very simple preprocessing maps for the popular "suboptimal" hash functions, namely polynomial evaluation and the Merkle-Damgård construction. Our results come from a general extension of the classical Carter-Wegman paradigm, which we believe is of independent interest. At a high level, it shows that public randomization allows one to use the potentially much smaller "average-case" collision probability in place of the "worst-case" collision probability $\varepsilon$.
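The worst-case versus average-case gap that the abstract relies on can be measured exactly in a toy field. The following example is added here and is not code from the paper: it implements a Poly1305-style polynomial-evaluation hash over a constructed prime field $\mathbb{Z}_P$ with $P = 1009$ (small enough to count every key), builds a worst-case message pair that collides for exactly $L$ keys (so $\varepsilon = L/P$ grows with $L$), compares that with the collision count of random message pairs, and models "hash then encrypt" with a random permutation standing in for the block cipher. The paper's actual salt-based preprocessing maps are not on this page and are not reproduced.

```python
import random
from functools import reduce

P = 1009  # constructed small prime field so collision counts are exact (Poly1305 uses 2^130 - 5)

def poly_hash(key, blocks):
    """Polynomial-evaluation hash h_k(m) = sum_i m_i * k^(L-i) mod P, in Horner form."""
    acc = 0
    for b in blocks:
        acc = (acc * key + b) % P
    return (acc * key) % P

def colliding_keys(m1, m2):
    """Exact number of keys k in Z_P with h_k(m1) == h_k(m2); epsilon for this pair is count / P.
    By Schwartz-Zippel the count is at most L for L-block messages."""
    return sum(1 for k in range(P) if poly_hash(k, m1) == poly_hash(k, m2))

def poly_mul(a, b):
    """Multiply two polynomials over Z_P, coefficients listed highest degree first."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out

def worst_case_pair(L):
    """Two L-block messages whose hash difference k * prod_{j=1}^{L-1} (k - j)
    vanishes for exactly the L keys 0, 1, ..., L-1: the worst case epsilon = L / P."""
    coeffs = reduce(poly_mul, ([1, (-j) % P] for j in range(1, L)), [1])
    return coeffs, [0] * L

def average_case_collisions(L, trials, seed=1):
    """Mean number of colliding keys over random (constructed) L-block message pairs.
    A random difference polynomial has about one root in Z_P, plus the key 0, so ~2."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        m1 = [rng.randrange(P) for _ in range(L)]
        m2 = [rng.randrange(P) for _ in range(L)]
        total += colliding_keys(m1, m2)
    return total / trials

def make_perm(seed=2):
    """Random permutation of Z_P standing in for the block cipher E_K2."""
    perm = list(range(P))
    random.Random(seed).shuffle(perm)
    return perm

def hash_then_encrypt_tag(hash_key, perm, blocks):
    """'Hash then encrypt': tag = E_K2(h_K1(m)); a hash collision gives a tag collision."""
    return perm[poly_hash(hash_key, blocks)]
```

For $L = 8$ the worst-case pair collides for 8 of the 1009 keys while random pairs average about 2, which is the "average-case" collision probability the abstract says public randomization lets the analysis use.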
