scholarly journals The Exact Security of PMAC

2017 ◽  
pp. 145-161
Author(s):  
Peter Gaži ◽  
Krzysztof Pietrzak ◽  
Michal Rybár
Keyword(s):  
Random Function ◽  
Block Cipher ◽  
Gray Code ◽  
Random Permutation ◽  
Simple Extension ◽  
Original Distribution ◽  
Mode Of Operation ◽  
Independent Distribution ◽  
Exact Security ◽  
Provably Secure

PMAC is a simple and parallel block-cipher mode of operation, which was introduced by Black and Rogaway at Eurocrypt 2002. If instantiated with a (pseudo)random permutation over n-bit strings, PMAC constitutes a provably secure variable input-length (pseudo)random function. For adversaries making q queries, each of length at most l (in n-bit blocks), and of total length σ ≤ ql, the original paper proves an upper bound on the distinguishing advantage of Ο(σ2/2n), while the currently best bound is Ο (qσ/2n).In this work we show that this bound is tight by giving an attack with advantage Ω (q2l/2n). In the PMAC construction one initially XORs a mask to every message block, where the mask for the ith block is computed as τi := γi·L, where L is a (secret) random value, and γi is the i-th codeword of the Gray code. Our attack applies more generally to any sequence of γi’s which contains a large coset of a subgroup of GF(2n). We then investigate if the security of PMAC can be further improved by using τi’s that are k-wise independent, for k > 1 (the original distribution is only 1-wise independent). We observe that the security of PMAC will not increase in general, even if the masks are chosen from a 2-wise independent distribution, and then prove that the security increases to O(q<2/2n), if the τi are 4-wise independent. Due to simple extension attacks, this is the best bound one can hope for, using any distribution on the masks. Whether 3-wise independence is already sufficient to get this level of security is left as an open problem.

scholarly journals On Length Independent Security Bounds for the PMAC Family

2021 ◽  
pp. 423-445
Author(s):  
Bishwajit Chakraborty ◽  
Soumya Chattopadhyay ◽  
Ashwin Jha ◽  
Mridul Nandi
Keyword(s):  
Block Cipher ◽  
Block Size ◽  
Gray Code ◽  
Tight Bound ◽  
Simple Modification ◽  
Security Proof ◽  
Tight Security ◽  
Pseudorandom Function ◽  
Exact Security ◽  
Query Length

At FSE 2017, Gaži et al. demonstrated a pseudorandom function (PRF) distinguisher (Gaži et al., ToSC 2016(2)) on PMAC with Ω(lq2/2n) advantage, where q, l, and n, denote the number of queries, maximum permissible query length (in terms of n-bit blocks), and block size of the underlying block cipher. This, in combination with the upper bounds of Ο(lq2/2n) (Minematsu and Matsushima, FSE 2007) and Ο(qσ/2n) (Nandi and Mandal, J. Mathematical Cryptology 2008(2)), resolved the long-standing problem of exact security of PMAC. Gaži et al. also showed that the dependency on l can be dropped (i.e. O(q2/2n) bound up to l ≤ 2n/2) for a simplified version of PMAC, called sPMAC, by replacing the Gray code-based masking in PMAC with any 4-wise independent universal hash-based masking. Recently, Naito proposed another variant of PMAC with two powering-up maskings (Naito, ToSC 2019(2)) that achieves l-free bound of O(q2/2n), provided l ≤ 2n/2. In this work, we first identify a flaw in the analysis of Naito’s PMAC variant that invalidates the security proof. Apparently, the flaw is not easy to fix under the existing proof setup. We then formulate an equivalent problem which must be solved in order to achieve l-free security bounds for this variant. Second, we show that sPMAC achieves O(q2/2n) bound for a weaker notion of universality as compared to the earlier condition of 4-wise independence. Third, we analyze the security of PMAC1 (a popular variant of PMAC) with a simple modification in the linear combination of block cipher outputs. We show that this simple modification of PMAC1 has tight security O(q2/2n) provided l ≤ 2n/4. Even if l < 2n/4, we still achieve same tight bound as long as total number of blocks in all queries is less than 22n/3.

scholarly journals The Exact Security of PMAC with Two Powering-Up Masks

2019 ◽  
pp. 125-145 ◽  
Author(s):  
Yusuke Naito
Keyword(s):  
Lower Bound ◽  
Upper Bound ◽  
Open Problem ◽  
Random Function ◽  
Block Cipher ◽  
Random Permutation ◽  
Authentication Code ◽  
Open Problems ◽  
Main Research ◽  
Main Research Topic

PMAC is a rate-1, parallelizable, block-cipher-based message authentication code (MAC), proposed by Black and Rogaway (EUROCRYPT 2002). Improving the security bound is a main research topic for PMAC. In particular, showing a tight bound is the primary goal of the research, since Luykx et al.’s paper (EUROCRYPT 2016). Regarding the pseudo-random-function (PRF) security of PMAC, a collision of the hash function, or the difference between a random permutation and a random function offers the lower bound Ω(q2/2n) for q queries and the block cipher size n. Regarding the MAC security (unforgeability), a hash collision for MAC queries, or guessing a tag offers the lower bound Ω(q2m /2n + qv/2n) for qm MAC queries and qv verification queries (forgery attempts). The tight upper bound of the PRF-security O(q2/2n) of PMAC was given by Gaži et el. (ToSC 2017, Issue 1), but their proof requires a 4-wise independent masking scheme that uses 4 n-bit random values. Open problems from their work are: (1) find a masking scheme with three or less random values with which PMAC has the tight upper bound for PRF-security; (2) find a masking scheme with which PMAC has the tight upper bound for MAC-security.In this paper, we consider PMAC with two powering-up masks that uses two random values for the masking scheme. Using the structure of the powering-up masking scheme, we show that the PMAC has the tight upper bound O(q2/2n) for PRF-security, which answers the open problem (1), and the tight upper bound O(q2m /2n + qv/2n) for MAC-security, which answers the open problem (2). Note that these results deal with two-key PMACs, thus showing tight upper bounds of PMACs with single-key and/or with one powering-up mask are open problems.

scholarly journals Close to Optimally Secure Variants of GCM

2018 ◽  
Vol 2018 ◽  
pp. 1-12
Author(s):  
Ping Zhang ◽  
Hong-Gang Hu ◽  
Qian Yuan
Keyword(s):  
Block Cipher ◽  
Positive Response ◽  
Block Size ◽  
Hybrid Technique ◽  
Authenticated Encryption ◽  
Pseudorandom Functions ◽  
Pseudorandom Permutation ◽  
Mode Of Operation ◽  
Universal Hash Function ◽  
Provably Secure

The Galois/Counter Mode of operation (GCM) is a widely used nonce-based authenticated encryption with associated data mode which provides the birthday-bound security in the nonce-respecting scenario; that is, it is secure up to about 2n/2 adversarial queries if all nonces used in the encryption oracle are never repeated, where n is the block size. It is an open problem to analyze whether GCM security can be improved by using some simple operations. This paper presents a positive response for this problem. Firstly, we introduce two close to optimally secure pseudorandom functions and derive their security bound by the hybrid technique. Then, we utilize these pseudorandom functions that we design and a universal hash function to construct two improved versions of GCM, called OGCM-1 and OGCM-2. OGCM-1 and OGCM-2 are, respectively, provably secure up to approximately 2n/67(n-1)2 and 2n/67 adversarial queries in the nonce-respecting scenario if the underlying block cipher is a secure pseudorandom permutation. Finally, we discuss the properties of OGCM-1 and OGCM-2 and describe the future works.

scholarly journals Cryptanalysis of PMACx, PMAC2x, and SIVx

2017 ◽  
pp. 162-176
Author(s):  
Kazuhiko Minematsu ◽  
Tetsu Iwata
Keyword(s):  
Provable Security ◽  
Block Cipher ◽  
Query Complexity ◽  
Block Length ◽  
Encryption Scheme ◽  
Authenticated Encryption ◽  
Pseudorandom Functions ◽  
Tweakable Block Cipher ◽  
Deterministic Authenticated Encryption ◽  
Provably Secure

At CT-RSA 2017, List and Nandi proposed two variable input length pseudorandom functions (VI-PRFs) called PMACx and PMAC2x, and a deterministic authenticated encryption scheme called SIVx. These schemes use a tweakable block cipher (TBC) as the underlying primitive, and are provably secure up to the query complexity of 2n, where n denotes the block length of the TBC. In this paper, we falsify the provable security claims by presenting concrete attacks. We show that with the query complexity of O(2n/2), i.e., with the birthday complexity, PMACx, PMAC2x, and SIVx are all insecure.

Building a block cipher mode of operation with feedback keys

2013 ◽  
Author(s):  
Yi-Li Huang ◽  
Fang-Yie Leu ◽  
Jung-Chun Liu ◽  
Jing-Hao Yang ◽  
Chih-Wei Yu ◽  
...  
Keyword(s):  
Block Cipher ◽  
Mode Of Operation

scholarly journals A New Design of Cryptographic Hash Function: Gear

2016 ◽  
Vol 1 (1) ◽  
Author(s):  
Abdulaziz M Alkandari ◽  
Khalil Ibrahim Alkandari ◽  
Imad Fakhri Alshaikhli ◽  
Mohammad A. AlAhmad
Keyword(s):  
Hash Function ◽  
Block Cipher ◽  
Hash Functions ◽  
Fixed Size ◽  
Compression Function ◽  
Cryptographic Hash Function ◽  
Mode Of Operation ◽  
Main Components ◽  
Map Data ◽  
And Diffusion

A hash function is any function that can be used to map data of arbitrary sizeto data of fixed size. A hash function usually has two main components: a permutationfunction or compression function and mode of operation. We will propose a new concretenovel design of a permutation based hash functions called Gear in this paper. It is a hashfunction based on block cipher in Davies-Meyer mode. It uses the patched version ofMerkle-Damgård, i.e. the wide pipe construction as its mode of operation. Thus, theintermediate chaining value has at least twice larger length than the output hash. Andthe permutations functions used in Gear are inspired from the SHA-3 finalist Grøestl hashfunction which is originally inspired from Rijndael design (AES). There is a very strongconfusion and diffusion in Gear as a result.

scholarly journals On the semantic security of cellular automata based pseudo-random permutation using results from the Luby-Rackoff construction

2015 ◽  
Vol 15 (1) ◽  
pp. 21
Author(s):  
Kamel Mohammed Faraoun
Keyword(s):  
Cellular Automata ◽  
Block Cipher ◽  
Random Permutation ◽  
Block Ciphers ◽  
Random Permutations ◽  
Semantic Security ◽  
Transition Rules ◽  
Reversible Cellular Automata ◽  
Symmetric Block ◽  
Number Of Iterations

This paper proposes a semantically secure construction of pseudo-random permutations using second-order reversible cellular automata. We show that the proposed construction is equivalent to the Luby-Rackoff model if it is built using non-uniform transition rules, and we prove that the construction is strongly secure if an adequate number of iterations is performed. Moreover, a corresponding symmetric block cipher is constructed and analysed experimentally in comparison with popular ciphers. Obtained results approve robustness and efficacy of the construction, while achieved performances overcome those of some existing block ciphers.

scholarly journals A Block Cipher Mode of Operation with Two Keys

2013 ◽  
pp. 392-398 ◽  
Author(s):  
Yi-Li Huang ◽  
Fang-Yie Leu ◽  
Jung-Chun Liu ◽  
Jing-Hao Yang
Keyword(s):  
Block Cipher ◽  
Mode Of Operation

scholarly journals The Area-Latency Symbiosis: Towards Improved Serial Encryption Circuits

2020 ◽  
pp. 239-278
Author(s):  
Fatih Balli ◽  
Andrea Caforio ◽  
Subhadeep Banik
Keyword(s):  
Block Cipher ◽  
Block Ciphers ◽  
Significant Loss ◽  
Authenticated Encryption ◽  
End User ◽  
Maximum Throughput ◽  
Mode Of Operation ◽  
Encryption Schemes ◽  
Bit Serial

The bit-sliding paper of Jean et al. (CHES 2017) showed that the smallest-size circuit for SPN based block ciphers such as AES, SKINNY and PRESENT can be achieved via bit-serial implementations. Their technique decreases the bit size of the datapath and naturally leads to a significant loss in latency (as well as the maximum throughput). Their designs complete a single round of the encryption in 168 (resp. 68) clock cycles for 128 (resp. 64) bit blocks. A follow-up work by Banik et al. (FSE 2020) introduced the swap-and-rotate technique that both eliminates this loss in latency and achieves even smaller footprints.In this paper, we extend these results on bit-serial implementations all the way to four authenticated encryption schemes from NIST LWC. Our first focus is to decrease latency and improve throughput with the use of the swap-and-rotate technique. Our block cipher implementations have the most efficient round operations in the sense that a round function of an n-bit block cipher is computed in exactly n clock cycles. This leads to implementations that are similar in size to the state of the art, but have much lower latency (savings up to 20 percent). We then extend our technique to 4- and 8-bit implementations. Although these results are promising, block ciphers themselves are not end-user primitives, as they need to be used in conjunction with a mode of operation. Hence, in the second part of the paper, we use our serial block ciphers to bootstrap four active NIST authenticated encryption candidates: SUNDAE-GIFT, Romulus, SAEAES and SKINNY-AEAD. In the wake of this effort, we provide the smallest block-cipher-based authenticated encryption circuits known in the literature so far.

Sign in / Sign up

Export Citation Format

Share Document