Generic Attacks Against Beyond-Birthday-Bound MACs [chapter]

Gaëtan Leurent, Mridul Nandi, Ferdinand Sibleyras
2018 Lecture Notes in Computer Science  
In this work, we study the security of several recent MAC constructions with provable security beyond the birthday bound. We consider block-cipher based constructions with a double-block internal state, such as SUM-ECBC, PMAC+, 3kf9, GCM-SIV2, and some variants (LightMAC+, 1kPMAC+). All these MACs have a security proof up to 2^{2n/3} queries, but there are no known attacks with less than 2^n queries. We describe a new cryptanalysis technique for double-block MACs based on finding quadruples of messages with four pairwise collisions in halves of the state. We show how to detect such quadruples in SUM-ECBC, PMAC+, 3kf9, GCM-SIV2 and their variants with O(2^{3n/4}) queries, and how to build a forgery attack with the same query complexity. The time complexity of these attacks is above 2^n, but it shows that the schemes do not reach full security in the information-theoretic model. Surprisingly, our attack on LightMAC+ also invalidates a recent security proof by Naito. Moreover, we give a variant of the attack against SUM-ECBC and GCM-SIV2 with time and data complexity Õ(2^{6n/7}). As far as we know, this is the first attack with complexity below 2^n against a deterministic beyond-birthday-bound secure MAC. As a side result, we also give a birthday attack against 1kf9, a single-key variant of 3kf9 that was withdrawn due to issues with the proof.

the internal state, due to Preneel and van Oorschot [37]. Therefore, these MACs only achieve security up to the birthday bound, i.e. when the number of queries by the adversary is bounded by 2^{n/2}, with n the state size. This is equivalently called n/2-bit security. One way to increase the security is to use a nonce, a unique value provided by the user (in practice, the nonce is usually a counter). This approach was pioneered by Wegman and Carter [41], based on an earlier work by Gilbert et al. [15]. Later, a few follow-ups such as EDM and EWCDM [7] and Dual EDM [30] were proposed to achieve beyond-birthday security. Alternatively, a probabilistic MAC uses a random coin for the extra value, which is usually called a salt and must be transmitted with the MAC. Probabilistic MACs have the advantage that they stay secure when called with the same input twice, and they don't require a state to keep the nonce unique. Some popular probabilistic MAC constructions are XMACR [3], RMAC [22] and EHtM [31]. In particular, RMAC and EHtM have security beyond the birthday bound.
However, deterministic MACs are easier to use in practice, and there has been an important research effort to build deterministic MACs with security beyond the birthday bound, using an internal state larger than the primitive size. In particular, several constructions use a 2n-bit internal state so that collisions in the state are only expected after 2^n queries. Yasuda first proposed SUM-ECBC [42], a beyond-birthday-bound (BBB) secure deterministic MAC that achieves 2n/3-bit security. However, this construction has rate 1/2, and later Yasuda himself proposed one of the most popular BBB-secure MACs, PMAC+ [43], achieving rate 1. Later, several other constructions such as 3kf9 [44], LightMAC+ [33], GCM-SIV2 [20], and single-key PMAC+ [9] were proposed. Interestingly, all the above designs share a common structure: a double-block universal hash function outputs a 2n-bit hash value (seen as two n-bit halves), and a finalization function generates the tag by XORing encrypted values of the two n-bit hash values. This structure has been called double-block-hash-then-sum, and it will be the focus of our paper. More recently, variants of PMAC+ based on tweakable block ciphers have also been proposed, such as PMAC_TBC [32], PMACx [27], ZMAC [21], and ZMAC+ [28].

Our results. We focus on the security of deterministic block-cipher based MACs with security beyond the birthday bound and a double-block hash construction. Several previous works have focused on security proofs, showing that they are secure up to 2^{2n/3} queries [43, 44, 20, 9, 42, 33]. For most of these constructions, the advantage of an adversary making q short queries is bounded by O(q^3 / 2^{2n}). Recently, Naito [34] gave an improved security proof for LightMAC+, with advantage at most O(q_t^2 q_v / 2^{2n}), with q_t MAC queries and q_v verification queries. In particular, this would prove security up to 2^n when the adversary can only do a single verification query.
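To make the double-block-hash-then-sum structure and the quadruple relation concrete, here is an added toy model (not the paper's code) with an 8-bit block size, a seeded random permutation standing in for each block cipher instance and a PMAC+-like hash chosen for illustration; it finds a quadruple with the four pairwise half-collisions and checks that the four tags XOR to zero, which is the relation that makes such quadruples observable from tags.

```python
import itertools
import random

N = 8                            # toy block size in bits (real schemes use n = 64 or 128)

def keyed_perm(seed):
    """Stand-in for a keyed block cipher E_K: a fixed random permutation of n-bit blocks."""
    table = random.Random(seed).sample(range(1 << N), 1 << N)
    return lambda x: table[x]

E_hash, E_sigma, E_theta = keyed_perm(1), keyed_perm(2), keyed_perm(3)

def gf_double(x):
    return (x << 1) ^ (0x11B if x & 0x80 else 0)   # times 2 in GF(2^8), AES polynomial

def double_block_hash(msg):
    """PMAC+-like 2n-bit hash: Sigma = XOR of encrypted blocks, Theta = GF(2^n)-weighted XOR."""
    sigma = theta = 0
    for i, m in enumerate(msg):
        x = E_hash(m ^ i)            # toy per-position offset standing in for the real masks
        sigma ^= x
        theta = gf_double(theta) ^ x
    return sigma, theta

def mac(msg):
    sigma, theta = double_block_hash(msg)
    return E_sigma(sigma) ^ E_theta(theta)   # hash-then-sum: T = E_K1(Sigma) ^ E_K2(Theta)

def find_quadruple(num_msgs=2000, seed=0):
    """Return 2-block messages (a, b, c, d) with Sigma_a = Sigma_b, Sigma_c = Sigma_d, Theta_a =
    Theta_c, Theta_b = Theta_d (or None). The toy search peeks at the internal state."""
    rng = random.Random(seed)
    msgs = {(rng.randrange(1 << N), rng.randrange(1 << N)) for _ in range(num_msgs)}
    state = {m: double_block_hash(m) for m in msgs}
    by_sigma = {}
    for m, (sigma, _) in state.items():
        by_sigma.setdefault(sigma, []).append(m)
    seen = {}                        # (Theta_a, Theta_b) -> first (a, b) with Sigma_a = Sigma_b
    for group in by_sigma.values():
        for a, b in itertools.permutations(group, 2):
            key = (state[a][1], state[b][1])
            if key in seen and len({a, b, *seen[key]}) == 4:
                return (a, b) + seen[key]
            seen.setdefault(key, (a, b))
    return None

def tags_cancel(a, b, c, d):
    """Sigma_a = Sigma_b gives T_a ^ T_b = E_K2(Theta_a) ^ E_K2(Theta_b); the pair (c, d)
    yields the same value, so the four tags XOR to zero (and T_d = T_a ^ T_b ^ T_c)."""
    return mac(a) ^ mac(b) ^ mac(c) ^ mac(d) == 0
```

With n = 8 a few thousand random two-block messages already contain many such quadruples; at the real block sizes the paper's point is that they appear after O(2^{3n/4}) queries, well below the 2^n full-state collision bound.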
In this work, we take the opposite approach and look for generic attacks against these modes. We use a cryptanalysis technique that can be seen as a generalisation of the collision attack of Preneel and van Oorschot [37]. Instead of looking for a pair of messages so that the full state collides, we look for a quadruple of messages, which can be seen either as two pairs colliding on the first
doi:10.1007/978-3-319-96884-1_11