Message authentication codes from unpredictable block ciphers

Yevgeniy Dodis, John Steinberger

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

Abstract

We design an efficient mode of operation on block ciphers, SS-NMAC. Our mode has the following properties, when instantiated with a block cipher f to yield a variable-length, keyed hash function H: (1) MAC Preservation. H is a secure message authentication code (MAC) with birthday security, as long as f is unpredictable. (2) PRF Preservation. H is a secure pseudorandom function (PRF) with birthday security, as long as f is pseudorandom. (3) Security against Side-Channels. As long as the block cipher f does not leak side-channel information about its internals to the attacker, properties (1) and (2) hold even if the remaining implementation of H is completely leaky. In particular, they hold even if the attacker can learn the transcript of all block cipher calls and other auxiliary information needed to implement our mode of operation. Our mode is the first to satisfy the MAC preservation property (1) with birthday security, solving the main open problem of Dodis et al. [7] from Eurocrypt 2008. Combined with the PRF preservation (2), our mode provides a hedge against the case when the block cipher f is more secure as a MAC than as a PRF: if it is false, as we hope, we get a secure variable-length PRF; however, even if true, we still "salvage" a secure MAC, which might be enough for a given application. We also remark that no prior mode of operation offered birthday security against side-channel attacks, even if the block cipher was assumed pseudorandom. Although very efficient, our mode is three times slower than many of the prior modes, such as CBC, which do not enjoy properties (1) and (3). Thus, our work motivates further research to understand the gap between unpredictability and pseudorandomness of the existing block ciphers, such as AES.

Original language: English (US)
Title of host publication: Advances in Cryptology - CRYPTO 2009 - 29th Annual International Cryptology Conference, Proceedings
Pages: 267-285
Number of pages: 19
Volume: 5677 LNCS
DOIs: https://doi.org/10.1007/978-3-642-03356-8_16
State: Published - 2009
Event: 29th Annual International Cryptology Conference, CRYPTO 2009 - Santa Barbara, CA, United States
Duration: Aug 16 2009 - Aug 20 2009

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 5677 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 29th Annual International Cryptology Conference, CRYPTO 2009
Country: United States
City: Santa Barbara, CA
Period: 8/16/09 - 8/20/09

Fingerprint

Message Authentication Code
Pseudorandom Function
Block Ciphers
Block Cipher
Authentication
Preservation
Modes of Operation
Pseudorandomness
Salvaging
Auxiliary Information
Side Channel Attacks
Hash functions
Hash Function
Open Problems
Internal

ASJC Scopus subject areas

  • Computer Science(all)
  • Theoretical Computer Science

Cite this

Dodis, Y., & Steinberger, J. (2009). Message authentication codes from unpredictable block ciphers. In Advances in Cryptology - CRYPTO 2009 - 29th Annual International Cryptology Conference, Proceedings (Vol. 5677 LNCS, pp. 267-285). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5677 LNCS). https://doi.org/10.1007/978-3-642-03356-8_16

@inproceedings{6a4b13165736483d99b9920633a32820,
title = "Message authentication codes from unpredictable block ciphers",
author = "Yevgeniy Dodis and John Steinberger",
year = "2009",
doi = "10.1007/978-3-642-03356-8_16",
language = "English (US)",
isbn = "3642033555",
volume = "5677 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "267--285",
booktitle = "Advances in Cryptology - CRYPTO 2009 - 29th Annual International Cryptology Conference, Proceedings",

}
