A Block-Cipher Mode of Operation for Parallelizable Message Authentication

1
A Block-Cipher Mode of Operation for
Parallelizable Message Authentication
  • John Black
  • University of Nevada, Reno, USA
  • Phillip Rogaway
  • University of California, Davis, USA
  • and Chiang Mai University, Thailand

EUROCRYPT May 1, 2002 Amsterdam, The Netherlands
2
What is a MAC?
[Figure: two parties, A and B, each holding the shared key K.]
  • Most MACs are deterministic: they need no
    nonce/state/IV
  • Stateless MACs are more practical

3
The ACMA Model [GMR, BKR]
[Figure: the adversary makes chosen-message queries to a MAC oracle keyed with K,
then outputs a forgery attempt.]
4
A Precise Definition
We define the advantage of a MAC adversary A
over a particular MAC algorithm M as
We define the maximum advantage of any MAC
adversary making at most q queries totaling at
most m blocks as
Our goal is to bound this quantity by a function
of q and m which is small for reasonable
values of q and m.
5
CBC MAC (ANSI X9.19, FIPS 113, ISO 9797-1)
  • Known to be secure for messages of one fixed
    length
  • Uses ⌈|M|/n⌉ block cipher invocations
  • Inherently sequential

6
Parallelizable MACs: Important?
  • In some settings, MAC performance is paramount
  • E.g., a web server handling thousands of
    requests/sec
  • Extracting parallelism is a simple way to achieve
    dramatic increases in performance
  • Algorithm design governs to what extent we can
    parallelize
  • Parallelism is the only way to achieve extreme
    speeds in hardware or software
  • No disadvantage provided we do not surrender too
    much serial efficiency

7
A First Attempt: XOR MAC [BGR 95]
  • Not a PRF
  • ≈ 2 times as many block cipher calls as CBC MAC

[Figure: XOR MAC. The n-bit blocks ⟨0, Nonce⟩, ⟨1, M1⟩, ⟨2, M2⟩, …, ⟨m, Mm⟩
(a k-bit index field prepended to each chunk) are each enciphered with E_K,
and the outputs are XORed together to form the Tag.]
8
Protected Counter Sums [Be 99]
  • A PRF variant of the XOR MAC

[Figure: Protected Counter Sums. Y_i = F_K(⟨i, M_i⟩) for i = 1, …, m, where F
is a PRF built from E_K; S = Y_1 ⊕ Y_2 ⊕ … ⊕ Y_m; Tag = F_K(⟨0, S⟩).]
9
Gligor-Donescu MAC [GD 01]
  • XOR MAC with a better method for block offsets
  • But no longer a PRF

[Figure: Gligor-Donescu MAC. R = E_K(Nonce); block M_i is combined with the
offset i·R (R, 2R, …, mR) to give X_i; Y_i = E_K(X_i); the Y_i and R are XORed
together to form the Tag.]
10
PMAC: A Parallelizable MAC
  • A fully-parallelizable VIL PRF {0,1}* → {0,1}^n
    • Cannot distinguish PMAC_K(·) from a random
      function R(·)
    • Can be used as a (stateless, deterministic) MAC
  • Efficient
    • uses ⌈|M|/n⌉ block cipher calls, like basic CBC
      MAC
    • uses a single block cipher key
    • low session-startup cost: about one block cipher
      call
    • essentially endian neutral
  • Simple
    • no n-bit addition or mod p operations: just xors
      and shifts
    • much simpler than any known Carter-Wegman MAC
  • Provably Secure
    • if E is a secure block cipher then PMAC[E] is a
      good PRF

11
[Figure: PMAC. M_1, …, M_{m-1} are n bits; M_m is possibly short. For i < m,
M_i ⊕ (offset labelled i·L) is enciphered with E_K and the outputs are XORed
into S, which starts at 0. M_m is padded if |M_m| < n and XORed into S; if
|M_m| = n then −L is XORed into S as well. FullTag = E_K(S); Tag = the first t
bits of FullTag. The key K and the offsets −L, L, 2L, 3L, … are implicit; they
are defined on the next slide.]
12
Definition of PMAC[E, t]

algorithm PMAC_K(M)
    L(0) ← E_K(0^n)
    L(-1) ← lsb(L(0)) ? (L(0) >> 1) ⊕ Const43 : (L(0) >> 1)
    for i ← 1, 2, … do L(i) ← msb(L(i-1)) ? (L(i-1) << 1) ⊕ Const87 : (L(i-1) << 1)
    Partition M into M_1 … M_m        // each n bits, except M_m may be shorter
    Offset ← 0
    S ← 0^n
    for i ← 1 to m-1 do
        Offset ← Offset ⊕ L(ntz(i))
        S ← S ⊕ E_K(M_i ⊕ Offset)
    S ← S ⊕ pad(M_m)
    if |M_m| = n then S ← S ⊕ L(-1)
    FullTag ← E_K(S)
    Tag ← first t bits of FullTag
    return Tag
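The figure on the previous slide and the definition above, carried through in working Python as an added example; this is not the authors' reference code (which is on the PMAC web page). It assumes n = 128 and a byte-aligned tag length t, takes Const87 = 0^120 10000111 and Const43 = 1 0^120 1000011 as the n = 128 constants (an assumption beyond what the slide spells out), and substitutes a constructed Feistel permutation for E_K because the Python standard library has no AES; `toy_block_cipher`, `pmac` and `pmac_verify` are names chosen here. The m−1 block-cipher calls in the main loop are independent, which is the parallelizable structure the talk is about.

```python
"""PMAC[E, t] as defined on slide 12, n = 128, over a stand-in block cipher."""
import hashlib
import hmac

N_BYTES = 16                     # n = 128 bits
MASK = (1 << 128) - 1
CONST87 = 0x87                   # 0^120 10000111: assumed n=128 value
CONST43 = (1 << 127) | 0x43      # 1 0^120 1000011: assumed n=128 value


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for E_K: an 8-round Feistel permutation on 128-bit
    blocks with a SHA-256 round function. It is a keyed permutation, which is
    what PMAC needs structurally, but it is a toy, not AES."""
    assert len(block) == N_BYTES
    left, right = block[:8], block[8:]
    for rnd in range(8):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def double(x: int) -> int:
    """L(i) from L(i-1): shift left, fold the carry back in with Const87."""
    x <<= 1
    if x >> 128:
        x ^= CONST87
    return x & MASK


def half(x: int) -> int:
    """L(-1) from L(0): shift right, fold the dropped bit back in with Const43."""
    if x & 1:
        return (x >> 1) ^ CONST43
    return x >> 1


def ntz(i: int) -> int:
    """Number of trailing zero bits of i (i >= 1)."""
    return (i & -i).bit_length() - 1


def pmac(key: bytes, msg: bytes, t: int = 128, E=toy_block_cipher) -> bytes:
    assert 8 <= t <= 128 and t % 8 == 0      # byte-granular truncation only

    def to_int(b: bytes) -> int:
        return int.from_bytes(b, "big")

    def to_bytes(v: int) -> bytes:
        return v.to_bytes(N_BYTES, "big")

    # L(0) = E_K(0^n); L(i) by repeated doubling; L(-1) by halving
    L = [to_int(E(key, bytes(N_BYTES)))]
    L_minus1 = half(L[0])

    def L_at(j: int) -> int:
        while len(L) <= j:
            L.append(double(L[-1]))
        return L[j]

    # Partition M into M_1..M_m; M_m may be short, or empty for the empty message
    blocks = [msg[i:i + N_BYTES] for i in range(0, len(msg), N_BYTES)] or [b""]
    m = len(blocks)

    # Offsets accumulate L(ntz(i)); the inputs to E_K are all known up front
    offset = 0
    inputs = []
    for i in range(1, m):
        offset ^= L_at(ntz(i))
        inputs.append(to_bytes(to_int(blocks[i - 1]) ^ offset))

    # These m-1 calls are independent of each other: map() could be a parallel map
    sigma = 0
    for y in map(lambda x: E(key, x), inputs):
        sigma ^= to_int(y)

    last = blocks[-1]
    if len(last) == N_BYTES:
        sigma ^= to_int(last) ^ L_minus1         # full final block: add in L(-1)
    else:
        padded = last + b"\x80" + bytes(N_BYTES - len(last) - 1)   # pad = M_m 1 0*
        sigma ^= to_int(padded)

    full_tag = E(key, to_bytes(sigma))
    return full_tag[: t // 8]                    # first t bits


def pmac_verify(key: bytes, msg: bytes, tag: bytes, t: int = 128) -> bool:
    """Recompute and compare in constant time (the MAC-oracle side of the ACMA game)."""
    return hmac.compare_digest(pmac(key, msg, t), tag)
```

The `L(-1)` step is what separates an empty message (padded to 10…0) from a full block that happens to equal 10…0; with the stand-in cipher the two tags differ just as they would under AES, since only the permutation's values change, not the structure.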
13
PMAC's Security [GGM, BKR]
Security as a VIL PRF
[Figure: adversary A submits queries x_i and receives either PMAC_K(x_i), from
the PMAC_K oracle, or R(x_i), from a random-function oracle R.]
Adv^prf(A) = Pr[A^{PMAC_K} ⇒ 1] − Pr[A^R ⇒ 1]
14
Block-Cipher Security [GGM, LR, BKR]
Security as a FIL PRP
[Figure: adversary B submits queries x_i and receives either E_K(x_i), from
the enciphering oracle E_K, or π(x_i), from a random-permutation oracle π.]
Adv^prp(B) = Pr[B^{E_K} ⇒ 1] − Pr[B^π ⇒ 1]
15
PMAC Theorem
Suppose an adversary A that breaks PMAC[E]
with time t, total-num-of-blocks s, and advantage Adv^prf(A).
Then there is an adversary B that breaks block cipher E
with time t, num-of-queries s, and
    Adv^prp(B) ≥ Adv^prf(A) − s²/2^{n−1}
  • To wrap up,
  • it is a standard result that any
    t-bit-output PRF can be used as a MAC, where the
    forging probability will be at most Adv^prf(A) +
    2^{−t}

16
Proof Idea
17
PMAC as a PRF
  • Structure Lemma and PMAC Theorem
  • Fix n, t ≥ 1. Let A be any adversary who asks q
    queries, these having an aggregate length of s
    blocks. Then

where m_1 + ⋯ + m_q = s.
18
PMAC Performance (Serial)
  • A moderately-optimized implementation of
    PMAC[AES] (Krovetz) runs in 18.4 cpb. Compare
    with 17.1 cpb for AES.
  • P3, C+assembly, gcc, 2KB, data in L1 cache
  • Aggressively-optimized basic CBC MAC runs on a
    Pentium at 15.5 cpb [Lipmaa]
  • We guess that an aggressively-optimized PMAC[AES]
    should run at about 16.5 cpb.

19
Comparisons

Scheme                Domain       PRF  MAC length  Parallelizable  E_K calls  Key length  Per-block overhead
CBC MAC               ({0,1}^n)^m  yes  t           no              |M|/n      k           1 xor
XCBC [BR 00]          {0,1}*       yes  t           no              ⌈|M|/n⌉    k + 2n      1 xor
XECB-MAC [GD 00,01]   {0,1}*       no   tn          yes             ⌈|M|/n⌉    varies      varies (1 xor, 2 add)
  (3 versions)
PMAC [BR 02]          {0,1}*       yes  t           yes             ⌈|M|/n⌉    k           3 xor
20
Implementation Effort

Object          Effort (John-Time)
Basic CBC MAC   30 mins
XCBC            1 hour
PMAC            3 hours
OCB             4 hours
AES             8 hours
DES             8 hours
UMAC            3 days
21
More Information on PMAC
  • Visit the PMAC web page
    • www.cs.ucdavis.edu/rogaway/pmac
  • Web page contains
    • Reference Code (by Ted Krovetz and me)
    • Test Vectors
    • FAQ
    • Full version of the PMAC paper