Software-Optimized Universal Hashing and Message Authentication by THEODORE D. KROVETZ B.S. (Stanford University) 1988 M.Sc. (University of Oxford) 1990 DISSERTATION Submitted in partial satisfaction of the requirements for the degree of DOCTOR OF PHILOSOPHY in Computer Science in the OFFICE OF GRADUATE STUDIES of the UNIVERSITY OF CALIFORNIA DAVIS Approved: Phillip Rogaway, Chair Daniel Gusfield Daniel Boneh Committee in Charge September 2000 i To Emma, Hannah and Avery, the milk in my coconut. ii Abstract We describe a message authentication algorithm, UMAC, which can authenticate messages in software, on contemporary machines, at a rate faster than one Pentium cycle per byte of authenticated message. This is roughly an order of magnitude faster than current practice (e.g., HMAC-SHA1 or CBC-MAC-RC6). We explore three designs, all variations on the style of Wegman and Carter [39], which achieve such speeds. As a first step, all three designs utilize NH, a universal hash-function family which allows effective exploitation of SIMD parallelism. Unlike conventional, inherently serial authentication algorithms, UMAC will have ever-faster implementation speeds as machines offer up increasing amounts of parallelism. UMAC was designed and analyzed in a “provable-security” framework which has allowed its design to be minimal and therefore conducive to high-speeds. Along with the description of UMAC, we develop some new concepts. We introduce “verifier-selectable assurance” for message authentication, where the receiver of a message and authentication tag can verify the message up to a level of their own choosing, trad- ing computation time for assurance level. Also introduced is the notion of “variationally- universal” hash-function families, a relaxation of strongly-universal which measures univer- sal hash-function families in terms of variational distance from the uniform distribution. Also described is an almost-universal hash-function family based on polynomial evaluation that hashes arbitrary-length messages into short strings using short keys. iii iv Contents 1 Introduction and Background 1 1.1SummaryofResults............................... 3 1.2MACModel.................................... 7 1.3SomeMACExamples.............................. 9 1.4Wegman-CarterMACs.............................. 12 1.5Complexity-TheoreticReductions........................ 15 2 UMAC (1999) 16 2.1Introduction.................................... 17 2.1.1 Universal-HashingApproach...................... 18 2.1.2 OurContributions............................ 19 2.1.3 RelatedWork............................... 22 2.2OverviewofUMAC............................... 24 2.2.1 AnIllustrativeSpecialCase....................... 25 2.2.2 UMAC Parameters . .................... 26 2.3UMACPerformance............................... 29 2.4TheNHHashFamily............................... 34 2.4.1 Preliminaries............................... 34 2.4.2 DefinitionofNH............................. 35 2.4.3 Analysis.................................. 36 2.4.4 TheSignedConstruction:NHS..................... 39 2.5 Reducing the Collision Probability: Toeplitz Extensions . ...... 43 2.5.1 TheToeplitzApproach......................... 43 2.5.2 TheUnsignedCase............................ 44 2.5.3 TheSignedCase............................. 46 2.5.4 ShorterKeys:T2............................. 47 2.6Padding,Concatenation,andLengthAnnotation............... 48 2.7FinalExtensions:Stride,Endianness,KeyShifts............... 51 2.8FromHashtoMAC............................... 52 2.8.1 SecurityDefinitions........................... 52 2.8.2 DefinitionofthePRF(HASH,Nonce)Construction.......... 55 2.8.3 Discussion................................. 58 2.8.4 RealizingthePRF............................ 60 3 Improving UMAC 62 3.1 A First Attempt . .............................. 64 3.1.1 HashingtoaFixedLength....................... 65 3.1.2 t-WiseUniversality............................ 67 3.2MovingOn.................................... 69 4 Fast Polynomial Hashing 70 4.1Introduction.................................... 70 4.1.1 RelatedWork............................... 72 4.1.2 Notation.................................. 73 4.1.3 Organization............................... 74 4.2Carter-WegmanPolynomialHashing:PolyCW................ 75 4.3 Making PolyCW [F]Fast............................. 75 4.4ExpandingtheDomaintoArbitraryStrings.................. 79 4.5 RPHash:OvercomingPolynomialHashLengthLimitations......... 84 4.5.1 SecurityNotes.............................. 89 4.6 Fully Parameterized: Poly, RPHash ....................... 89 5 Variationally Universal Hashing 92 5.1Introduction.................................... 92 5.2 -VUHashFunctions............................... 95 5.2.1 SomeCommonHashFunctions..................... 97 5.3 -VUConstructions................................ 98 6 UMAC (2000) 105 6.1Introduction.................................... 105 6.1.1 UMACBasicDescription........................ 108 6.1.2 RelatedWork............................... 110 6.2Performance.................................... 111 6.3UMACDescription................................ 113 6.4Security...................................... 118 6.4.1 UHash32Differences........................... 120 6.5Proofs....................................... 120 6.5.1 ProofofTheorem6.4.1......................... 121 6.5.2 ProofofTheorem6.4.2......................... 124 6.5.3 ProofofTheorem6.4.3......................... 125 6.5.4 ProofofTheorem6.4.4......................... 126 6.5.5 ProofofTheorem6.4.5......................... 127 Bibliography 130 A UMAC (2000) Specification 133 B UMAC (2000) Implementation 174 B.1UMACANSICHeader............................. 175 B.2UMACANSICSource.............................. 177 B.3 UMAC Accelleration File for Intel IA-32 Architectures . ...... 216 C UMAC (1999) Specification 243 v Acknowledgements I have lived a blessed life, and for that I owe many thanks to many people. Ever supportive and encouraging, my wife and children, parents and siblings, have been a constant source of love and affection. From an early age my parents have taught me the value of education and have provided me with a supportive environment in which to thrive. I now have the great fortune to offer those same lessons, with my marvelous wife Emma, to our own children, Hannah and Avery. I believe most thoroughly that I could not have accomplished my goals without such a wonderful family, and for their help I am thankful. Having chosen to attend the University of California at Davis for mostly logistical reasons, I stumbled into a situation that could not have been better. As a new graduate student, I had the notion that I would research computer architecture. But luckily I was as- signed to be Phillip Rogaway’s teaching assistant during my first quarter at the University, and he quickly changed my mind. He opened my eyes to the beautiful world of computa- tional theory and cryptography, and I was soon over my head in that world. In the ensuing months and years, I have learned a great deal from Phil, and not only academically. Phil’s generosity of time and spirit has been inspirational. I thank him for always being available and for working so hard on helping me make sense of it all. I was also lucky to have been paired in my research with John Black, one of the most clever and pleasant people I have yet to meet. Although I did not choose to come to U.C. Davis because of its academic environment, I might as well have. My teachers have been enthusiastic, knowledgeable and available. Davis has been a wonderful place to be. None of my research was done alone, and I have had the great fortune to work with some of the best cryptographers around. I appreciate very much their patience and brilliance: Mihir Bellare, John Black, Shai Halevi, Hugo Krawczyk and, of course, Phillip Rogaway. vi Finally, thanks are owed to Dan Boneh, Dan Gusfield and Phillip Rogaway for taking the time to review this tome and offer valuable feedback. This research was partially supported by Phillip Rogaway’s CAREER award CCR- 962540, and by MICRO grants 97-150, 98-129, and 99-103 funded by RSA Data Security Inc., ORINCON Corporation, Certicom Corporation, and the State of California. Also supporting this research was the GAANN fellowship program underwritten by the U.S. Department of Education and participating universities, including U.C. Davis. vii 1 Chapter 1 Introduction and Background One of the most common uses of cryptography is message authentication. When Alice receives a message purportedly to be from Bob, how can she know that the message received is actually from Bob and has not been tampered with during transport? Reliable systems exist for ensuring the authenticity of messages written and delivered on paper — these messages can be sealed with a signature in a tamper-resistant envelope. But what about electronic messages delivered by digital computer networks? Each day billions of messages, from IP packets at the network level to bulk file-transfers at the application level, are delivered by the Internet and other networks. The open nature of many of these networks, however, leave them vulnerable to mischief. Clever adversaries have the ability to read any message being transported across the network and to delete, interject or alter any desired message. To combat these adversaries, cryptography can be used to ensure message privacy and authenticity. Ensuring that a message remains private is done with the use of encryption. An encrypted message intercepted by