ZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication Tetsu Iwata∗1 Kazuhiko Minematsu2 Thomas Peyriny3 Yannick Seurinz4 1Nagoya University (Japan) and 2NEC (Japan) 3NTU (Singapore) and 4ANSSI (France) CRYPTO 2017, California USA August 22, 2017 ∗ Supported by JSPS KAKENHI, Grant-in-Aid for Scientific Research (B), Grant Number 26280045 y Supported by Singapore National Research Foundation Fellowship 2012 (NRF-NRFF2012-06) and Temasek Labs (DSOCL16194) y Partially supported by French Agence Nationale de la Recherche through the BRUTUS project under Contract ANR-14-CE28-0015 1 / 28 Introduction: Message Authentication Code (MAC) Symmetric-key Crypto for tampering detection • MAC : 0; 1 ∗ • K × f g !T Alice computes Tag = MAC(K; M) = MAC (M) and sends • K (M; Tag) to Bob Bob checks if (M; Tag) is authentic by computing tag locally • If MACK ( ) is a variable-input-length PRF, it is secure • ∗ 2 / 28 Tweakable Block Cipher (TBC) Extension of ordinal Block Cipher (BC), formalized by Liskov et al. [LRW02] E : , tweak T is a public input • K × T × M ! M 2 T (K; T ) specifies a permutation over • e 2 K × T M Let = 0; 1 n and = 0; 1 t • M f g T f g We implicitly assume additional small tweak i = 1; 2;:::; used for i domain separation, and write as EK (T;X) when necessary e 3 / 28 Building TBC Block cipher modes for TBC: LRW [LRW02] and XEX [Rog04] Efficient but security is up to the birthday bound (O(264) attack • when AES is used) Beyond-the-birthday-bound (BBB) security is possible (e.g. • [Min09][LST12][LS15]) but not really efficient Dedicated designs: HPC [Sch98] • Threefish in Skein hash function [FLS+10] • Deoxys-BC, Joltik-BC, KIASU-BC [JNP14a], SCREAM [GLS+14], • – in the CAESAR submissions SKINNY [BJK+16], QARMA [Ava17], ::: • 4 / 28 CPA-secure TBC = TPRP • Security notions of TBC [LRW02] Indistinguishable from the set of independent uniform random • permutations indexed by tweak – Tweakable uniform random permutation (TURP) denoted by P – Tweak is chosen by the adversary CCA-secure TBC = TSPRP e • 1 1 EK EK− P P− e e e e A 5 / 28 Security notions of TBC [LRW02] Indistinguishable from the set of independent uniform random • permutations indexed by tweak – Tweakable uniform random permutation (TURP) denoted by P – Tweak is chosen by the adversary CCA-secure TBC = TSPRP e • CPA-secure TBC = TPRP • EK P e e A 5 / 28 Building MAC with TBC : PMAC1 PMAC1 by Rogaway [Rog04], introduced in the proof of PMAC Parallel • Security is up to the birthday bound wrt the block size (n) • tprp 2 n – AdvPMAC1(σ) = O(σ =2 ) for σ queried blocks – Thus n=2-bit security M[1] M[2] M[3] M[4] EK 1 EK 2 EK 3 EK 4 e e e e 0n Tag PMAC1 6 / 28 Building MAC with TBC: PMAC TBC1k PMAC TBC1k by Naito [Nai15] 2n-bit chaining similar to PMAC Plus [Yas11] • – Finalization by 2n-bit PRF built from TBC BBB-secure: improve security of PMAC1 to n bits • Same computation cost as PMAC1 (except for the finalization) • M[1] M[2] M[3] EK 1 EK 2 EK 3 e e e 0n 2 2 2 0n multiplication by 2 over GF(2n) z }| { PMAC TBC1k (message hashing part) 7 / 28 Optimally-efficient TBC-based MAC? Efficiency of MAC These TBC-based MACs are not optimally efficient They process n-bit input per 1 TBC call • t-bit tweak does not process message – reserved for block index • 8 / 28 Efficiency of MAC These TBC-based MACs are not optimally efficient They process n-bit input per 1 TBC call • t-bit tweak does not process message – reserved for block index • Optimally-efficient TBC-based MAC? 8 / 28 Our proposals: ZMAC (“The MAC”) and ZAE ZMAC is The first optimally efficient TBC-based MAC • – (n + t)-bit input per 1 TBC call Parellel, and BBB-secure • – min n; (n + t)=2 -bit security, e.g. n-bit-secure when t n f g ≥ ZAE is An application of ZMAC to Determinisitic Authenticated Encryption • (DAE) [RS06] Better efficiency and security than SCT presented at CRYPTO • 2016 [PS16] Both using TBC as a sole primitive, and secure if TBC is a TPRP 9 / 28 We focus on ZHASH, the most innovative part in ZMAC Structure of ZMAC A simple composition of message hashing and finalization (Carter-Wegman MAC): ZMAC = ZFIN ZHASH • ◦ ZHASH : 0; 1 n+t is a computational universal hash • function M ! f g ZFIN : 0; 1 n+t 0; 1 2n is a PRF • f g ! f g – Output truncation if needed Unified specs for any t (t = n or t < n or t > n) 10 / 28 Structure of ZMAC A simple composition of message hashing and finalization (Carter-Wegman MAC): ZMAC = ZFIN ZHASH • ◦ ZHASH : 0; 1 n+t is a computational universal hash • function M ! f g ZFIN : 0; 1 n+t 0; 1 2n is a PRF • f g ! f g – Output truncation if needed Unified specs for any t (t = n or t < n or t > n) We focus on ZHASH, the most innovative part in ZMAC 10 / 28 How ZHASH works: tweak extension Optimal efficiency implies t-bit tweak of E must be extended to incorporate block index This can be done by XTX [MI15], an extensione of LRW and XEX: Global tweak G , > 2t • 2 G jGj Keyed function H : ( 0; 1 n 0; 1 t) • L × G ! f g × f g XTX[E; H]K;L(G; X) = EK (Wt;Wn X) Wn with • ⊕ ⊕ (Wn;Wt) = HL(G) e e 11 / 28 How ZHASH works: security of XTX/XT XTX is secure if H is -partial AXU (pAXU) [MI15] : $ 0 t max Pr[L : HL(G) HL(G ) = (δ; 0 )] G6=G0,δ2f0;1gn L ⊕ ≤ that is, n-bit part is close to differentially uniform and t-bit part has a small collision probability 12 / 28 How ZHASH works: security of XTX/XT t y In our case, G 0; 1 N , and block index is a counter 2 f g × message part block index Then XTX can be instantiated and optimized by | {z } |{z} Using the “doubling” trick as XEX • Omitting the outer mask to Y (as decryption is not needed) • y Omitting domain separation variable 13 / 28 How ZHASH works: security of XTX/XT The resulting scheme is XT , using HL(G) defined as i−1 i−1 H (T; i) = (2 L`; 2 Lr t T ); using two n-bit keys (L`;Lr) (L`;Lr) ⊕ Details: 2iX is X multiplied by 2 over GF(2n) for i times • i 1 – Computation is easy by caching 2 − X as done in XEX t−n X t Y = msbt(X) Y if t n, (X 0 ) Y if t > n • ⊕ ⊕ ≤ k ⊕ – Chop-or-pad before sum 14 / 28 How ZHASH works: security of XTX/XT Lemma Let P : 0; 1 n 0; 1 n be a TURP and H is -pAXU. Then, T × f g ! f g q2 e Advtprp (q) : XT[Pe;H] ≤ 2 and our H is 1=2n+minfn;tg-pAXU. Thus, q2 Advtprp (q) : XT[Pe;H] ≤ 2n+minfn;tg+1 Therefore, XT has min n; (n + t)=2 -bit, BBB-security f g 15 / 28 Need a larger chaining value • How ZHASH works: chaining scheme Given XT, it’s easy to apply it in the PMAC-like single-chaining hashing scheme Message is divided into (n + t)-bit blocks, (X [i];X [i]) for • ` r i = 1; 2;::: This is optimally efficient, but security is up to the birthday bound • ... Collision w/ 2(n/2) queries 16 / 28 How ZHASH works: chaining scheme Given XT, it’s easy to apply it in the PMAC-like single-chaining hashing scheme Message is divided into (n + t)-bit blocks, (X [i];X [i]) for • ` r i = 1; 2;::: This is optimally efficient, but security is up to the birthday bound • Need a larger chaining value • ... Collision w/ 2(n/2) queries 16 / 28 How ZHASH works: chaining scheme Naive use of 2n-bit chaining scheme [Nai15][Yas11] doesn’t work • – XT output collision still breaks the scheme ... ... Collision w/ 2(n/2) queries 17 / 28 Lemma n+minfn;tg ZHASH (w/ XT using TURP) is -almost universal for = 4=2 How ZHASH works: chaining scheme Key observation: to avoid these collision attacks, the process of • (X`;Xr) (the dotted box) must be a permutation A Feistel-like 1-round permutation works ( ) • ZHASH ... ... ZHASH 18 / 28 How ZHASH works: chaining scheme Key observation: to avoid these collision attacks, the process of • (X`;Xr) (the dotted box) must be a permutation A Feistel-like 1-round permutation works ( ) • ZHASH ... ... ZHASH Lemma n+minfn;tg ZHASH (w/ XT using TURP) is -almost universal for = 4=2 18 / 28 Full ZHASH Input: X = (X[1];:::;X[m]), X[i] = n + t j j Output (U; V ), U = n, V = t j j j j X[1] X[2] X[m] X` Xr X` Xr X` Xr m 1 L` 2 L` 2 − L` m 1 L · 2 L · 2 − L r · r · r E8 E8 ... E8 K t K t K t e e e t t t 0t V 2 2 ... 2 0n U Details: t−n X ⊕t Y = msbt(X) ⊕ Y if t ≤ n, (X k 0 ) ⊕ Y if t > n • 2 · X : multiplication by 2 • L` and Lr : two n-bit masks from EeK w/ domain separation • 19 / 28 ZFIN ZFIN simply encrypts U with tweak V twice (for each n-bit output) and takes a sum (with domain separation) U U U U i i+1 i+2 i+3 EK V EK V EK V EK V e e e e Y [1] Y [2] PRF security of ZFIN ZFIN is essentially “Sum of Permutations” [Luc00, BI99, Pat08a, • Pat13, CLP14, MN17] From a recent result by Dai et al.