Abstract
Traditionally, modes of Message Authentication Codes(MAC) such as Cipher Block Chaining (CBC) are instantiated using block ciphers or keyed Pseudo Random Permutations(PRP). However, one can also use domain preserving keyed Pseudo Random Functions(PRF) to instantiate MAC modes. The very first security proof of CBC-MAC [BKR00], essentially modeled the PRP as a PRF. Until now very little work has been done to investigate the difference between PRP vs PRF instantiations. Only known result is the rather loose folklore PRP-PRF transition of any PRP based security proof, which looses a factor of Ο( σ2/2n ) (domain of PRF/PRP is {0, 1}n and adversary makes σ many PRP/PRF calls in total). This loss is significant, considering the fact tight Θ( q2/2n ) security bounds have been known for PRP based EMAC and ECBC constructions (where q is the total number of adversary queries). In this work, we show for many variations of encrypted CBC MACs (i.e. EMAC, ECBC, FCBC, XCBC and TCBC), random function based instantiation has a security bound Ο( qσ/2n ). This is a significant improvement over the folklore PRP/PRF transition. We also show this bound is optimal by providing an attack against the underlying PRF based CBC construction. This shows for EMAC, ECBC and FCBC, PRP instantiations are substantially more secure than PRF instantiations. Where as, for XCBC and TMAC, PRP instantiations are at least as secure as PRF instantiations.
Highlights
Message Authentication Codes or MACs are indispensable symmetric key cryptographic primitives for providing communication integrity
We show for many variations of encrypted Cipher Block Chaining (CBC) MACs (i.e. EMAC, ECBC, FCBC, XCBC and TCBC), random function based instantiation has a security bound
One can use 10∗ padding to convert the input message length to multiple of block size. This padded EMAC is known as EMAC∗, which suffers from the drawback - even when the message is exact multiple of block length one extra block cipher call is required
Summary
Message Authentication Codes or MACs are indispensable symmetric key cryptographic primitives for providing communication integrity. MAC queries of length at most blocks and block length is n-bits) This is a non trivial result which shows the gap between PRP vs PRF instantiation, because for PRP instantiation of CBC-MACs such attacks are ruled out by Bellare et al [BPR05] which shows the upper bound is . As it turns out this attack can be translated to attack against PRF based EMAC, ECBC, FCBC, XCBC and TMAC.
Sign-in/Register to view highlights & summary Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
