On the Unprovable Security of 2-Key XCBC

There has been extensive research on improving CBC-MAC to handle variable-length messages with fewer keys and fewer blockcipher invocations. After Black and Rogaway's XCBC, Moriai and Imai proposed 2-Key XCBC, which replaces the third key of XCBC with its first key. Moriai and Imai "proved" that 2-Key XCBC is secure if the underlying blockcipher is a pseudorandom permutation (PRP). Our research shows that this is not the case. The security of 2-Key XCBC cannot be proved under the sole assumption of PRP, even if the blockcipher is a PRP-RK, i.e. secure against some related-key attack. We construct a special PRP (PRP-RK) to show that the main lemma in [14] is not true and that 2-Key XCBC using this PRP (PRP-RK) is totally insecure.
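To make the construction the abstract refers to concrete, the following Go program (an added example, not code from the paper or from any of the cited authors) implements Black and Rogaway's three-key XCBC over AES-128 and the 2-Key XCBC variant that reuses the first key as the mask for a padded final block. The padding rule and the roles of the three keys follow the original XCBC definition; the demo keys and messages are constructed values. It shows exactly where the raw blockcipher key K1 enters the data path in 2-Key XCBC, which is the feature the related-key argument in the abstract targets; it does not construct the special PRP, since the abstract does not describe it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

const blockSize = 16

// xorBlocks returns a XOR b for two 16-byte blocks.
func xorBlocks(a, b []byte) []byte {
	out := make([]byte, blockSize)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// padBlock applies the XCBC 10* padding to a final block shorter than 16 bytes.
func padBlock(partial []byte) []byte {
	out := make([]byte, blockSize)
	copy(out, partial)
	out[len(partial)] = 0x80
	return out
}

// XCBC computes three-key XCBC over AES-128 (illustrative reimplementation).
// k1 keys the CBC chain, k2 masks a full final block, k3 masks a padded one.
func XCBC(k1, k2, k3, msg []byte) ([]byte, error) {
	if len(k1) != blockSize || len(k2) != blockSize || len(k3) != blockSize {
		return nil, fmt.Errorf("all keys must be %d bytes", blockSize)
	}
	blk, err := aes.NewCipher(k1)
	if err != nil {
		return nil, err
	}
	// An empty message is treated as a single padded block.
	numBlocks := (len(msg) + blockSize - 1) / blockSize
	if numBlocks == 0 {
		numBlocks = 1
	}
	chain := make([]byte, blockSize)
	for i := 0; i < numBlocks-1; i++ {
		blk.Encrypt(chain, xorBlocks(chain, msg[i*blockSize:(i+1)*blockSize]))
	}
	last := msg[(numBlocks-1)*blockSize:]
	var final []byte
	if len(last) == blockSize {
		final = xorBlocks(last, k2) // full final block: mask with k2
	} else {
		final = xorBlocks(padBlock(last), k3) // padded final block: mask with k3
	}
	tag := make([]byte, blockSize)
	blk.Encrypt(tag, xorBlocks(chain, final))
	return tag, nil
}

// TwoKeyXCBC is the Moriai-Imai variant: the third key is replaced by k1,
// so the raw AES key is XORed directly into the padded final block.
func TwoKeyXCBC(k1, k2, msg []byte) ([]byte, error) {
	return XCBC(k1, k2, k1, msg)
}

func main() {
	// Constructed demo keys; never use fixed keys like these in practice.
	k1 := []byte("0123456789abcdef")
	k2 := []byte("fedcba9876543210")
	k3 := []byte("ABCDEFGHIJKLMNOP")
	for _, m := range [][]byte{[]byte("hello world"), bytes.Repeat([]byte("A"), 32)} {
		t3, _ := XCBC(k1, k2, k3, m)
		t2, _ := TwoKeyXCBC(k1, k2, m)
		fmt.Printf("len=%2d XCBC=%x 2-Key=%x same=%v\n", len(m), t3, t2, bytes.Equal(t3, t2))
	}
}
```

Running it shows that the two schemes agree whenever the final block is full (K3 is never used) and diverge only on padded messages, where 2-Key XCBC substitutes K1 for K3. That substitution is what the abstract calls raw-key masking: the mask is no longer an independent key but the very key that drives the permutation, so a PRP-only assumption says nothing about its effect.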

[1] Kaoru Kurosawa et al. OMAC: One-Key CBC MAC, 2003, IACR Cryptol. ePrint Arch.

[2] Yvo Desmedt et al. Advances in Cryptology — CRYPTO '94, 2001, Lecture Notes in Computer Science.

[3] Gerhard Goos et al. Fast Software Encryption, 2001, Lecture Notes in Computer Science.

[4] Marc Joye et al. Topics in Cryptology — CT-RSA 2003, 2003.

[5] Morris J. Dworkin et al. SP 800-38B. Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication, 2005.

[6] Mihir Bellare et al. A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications, 2003, EUROCRYPT.

[7] Colin Boyd et al. Cryptography and Coding, 1995, Lecture Notes in Computer Science.

[8] John Black et al. The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function, 2006, FSE.

[9] Jongin Lim et al. Information Security and Cryptology - ICISC 2003, 2003, Lecture Notes in Computer Science.

[10] Eli Biham et al. Advances in Cryptology — EUROCRYPT 2003, 2003, Lecture Notes in Computer Science.

[11] Joos Vandewalle et al. Integrity Primitives for Secure Information Systems: Final Report of RACE Integrity Primitives Evaluation RIPE-RACE 1040, 1995.

[12] Kouichi Sakurai et al. Risks with Raw-Key Masking - The Security Evaluation of 2-Key XCBC, 2002, ICICS.

[13] Kaoru Kurosawa et al. TMAC: Two-Key CBC MAC, 2003, IEICE Trans. Fundam. Electron. Commun. Comput. Sci.

[14] Kaoru Kurosawa et al. On the Security of a New Variant of OMAC, 2003, ICISC.

[15] John Black et al. Encryption-Scheme Security in the Presence of Key-Dependent Messages, 2002, Selected Areas in Cryptography.

[16] Mihir Bellare. Advances in Cryptology — CRYPTO 2000, 2000, Lecture Notes in Computer Science.

[17] Mihir Bellare et al. The Security of Cipher Block Chaining, 1994, CRYPTO.

[18] Kaoru Kurosawa et al. On the Correctness of Security Proofs for the 3GPP Confidentiality and Integrity Algorithms, 2003, IMACC.

[19] John Black et al. CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions, 2000, CRYPTO.