3kf9: Enhancing 3GPP-MAC beyond the Birthday Bound

Zhang, Liting; Wu, Wenling; Sui, Han; Wang, Peng

doi:10.1007/978-3-642-34961-4_19

Cited by 37 publications

(25 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This step usually costs Adv srkprp Φ,E (D), where D is some strong related-key PRP distinguisher with a certain amount of resources, usually q queries to the keyed oracle E φ(k) and τ time, and Φ is the set of related-key deriving functions φ that D is allowed to choose. This reduction is in fact also broadly used beyond the area of tweakable blockciphers, such as in authenticated encryption schemes [1,3,11,21,28,33,37,44,50,51] and message authentication codes [4,13,16,24,29,30,41,47,[57][58][59], and in fact, we are not aware of any security result of a construction based on a standard-model blockcipher that uses a structurally different approach. Inspired by this, we investigate what level of tweakable blockcipher security can be achieved if this proof technique is employed.…”

Section: Optimal Security In Standard Model?mentioning

confidence: 99%

Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security

Mennink

2017

Advances in Cryptology – CRYPTO 2017

View full text Add to dashboard Cite

Abstract. Two types of tweakable blockciphers based on classical blockciphers have been presented over the last years: non-tweak-rekeyable and tweak-rekeyable, depending on whether the tweak may influence the key input to the underlying blockcipher. In the former direction, the best possible security is conjectured to be 2 σn/(σ+1) , where n is the size of the blockcipher and σ is the number of blockcipher calls. In the latter direction, Mennink and Wang et al. presented optimally secure schemes, but only in the ideal cipher model. We investigate the possibility to construct a tweak-rekeyable cipher that achieves optimal security in the standard cipher model. As a first step, we note that all standard-model security results in literature implicitly rely on a generic standard-to-ideal transformation, that replaces all keyed blockcipher calls by random secret permutations, at the cost of the security of the blockcipher. Then, we prove that if this proof technique is adopted, tweak-rekeying will not help in achieving optimal security: if 2 σn/(σ+1) is the best one can get without tweak-rekeying, optimal 2 n provable security with tweak-rekeying is impossible.

show abstract

Section: Optimal Security In Standard Model?mentioning

confidence: 99%

Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security

Mennink

2017

Advances in Cryptology – CRYPTO 2017

View full text Add to dashboard Cite

show abstract

“…Our third attack is applicable to 3kf9 [44] and similar constructions. We have a universal forgery attack with O(2 3n/4 ) queries andÕ(2 5n/4 ) operations using memory O(2 n ), with a possible time-memory trade-offs.…”

Section: Attacking F9-like Constructionsmentioning

confidence: 99%

“…However, this construction has rate 1/2 and later Yasuda himself proposed one of the most popular BBB secure MAC PMAC+ [43] achieving rate 1. Later several other constructions like 3kf9 [44], LightMAC+ [33], GCM-SIV2 [20], and single key PMAC+ [9] have been proposed. Interestingly, all the above designs share a common structure: a double-block universal hash function outputs a 2nbit hash value (seen as two n-bit halves), and a finalization function generates the tag by XORing encrypted values of the two n-bit hash values.…”

Section: Introductionmentioning

confidence: 99%

“…We focus on the security of deterministic block-cipher based MACs with security beyond the birthday bound and double-block hash construction. Several previous works have been focused on security proofs, showing that they are secure up to 2 2n/3 queries [43,44,20,9,42,33]. For most of these constructions, the advantage of an adversary making q short queries is bounded by O(q 3 /2 2n ).…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Generic Attacks Against Beyond-Birthday-Bound MACs

Leurent

Nandi

Sibleyras

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

In this work, we study the security of several recent MAC constructions with provable security beyond the birthday bound. We consider block-cipher based constructions with a double-block internal state, such as SUM-ECBC, PMAC+, 3kf9, GCM-SIV2, and some variants (LightMAC+, 1kPMAC+). All these MACs have a security proof up to 2 2n/3 queries, but there are no known attacks with less than 2 n queries. We describe a new cryptanalysis technique for double-block MACs based on finding quadruples of messages with four pairwise collisions in halves of the state. We show how to detect such quadruples in SUM-ECBC, PMAC+, 3kf9, GCM-SIV2 and their variants with O(2 3n/4) queries, and how to build a forgery attack with the same query complexity. The time complexity of these attacks is above 2 n , but it shows that the schemes do not reach full security in the information theoretic model. Surprisingly, our attack on LightMAC+ also invalidates a recent security proof by Naito. Moreover, we give a variant of the attack against SUM-ECBC and GCM-SIV2 with time and data complexityÕ(2 6n/7). As far as we know, this is the first attack with complexity below 2 n against a deterministic beyondbirthday-bound secure MAC. As a side result, we also give a birthday attack against 1kf9, a single-key variant of 3kf9 that was withdrawn due to issues with the proof.

show abstract

“…Algorithm 6 of ISO 9797-1 was proven to be secure against O(2 2n/3 ) queries with restrictions on the message length [47]. In 2012, Zhang et al [51] proposed a 3key version of f9 MAC (3kf9) that achieves BBB security. In 2011, Yasuda improved the number of keys and rate over SUM-ECBC and proposed a 3-key rate-1 PMAC Plus construction [48] with beyond birthday security.…”

Section: Nmac and Hmac Nmac And Its Variant Hmacmentioning

confidence: 99%

Information Security and Privacy

2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Mobile social apps have been changing the way people interact with each other in the physical world. To help people extend their social networks, Location-Based Social Network (LBSN) apps (e.g., Wechat, SayHi, Momo) that encourage people to make friends with nearby strangers have gained their popularity recently. They provide a "Nearby" feature for a user to find other users near him/her. While seeing other users, the user, as well as his/her coarse-grained relative location, will also be visible in the "Nearby" feature of other users. Leveraging this observation, in this paper, we model the location probing attacks, and propose three approaches to perform large-scale such attacks on LBSN apps. Moreover, we apply the new approaches in the risk assessment of eight popular LBSN apps, each of which has millions of installation. The results demonstrate the severity of such attacks. More precisely, our approaches can collect a huge volume of users' location information effectively and automatically, which can be exploited to invade users' privacy. This study sheds light on the research of protecting users' private location information.

show abstract

3kf9: Enhancing 3GPP-MAC beyond the Birthday Bound

Cited by 37 publications

References 26 publications

Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security

Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security

Generic Attacks Against Beyond-Birthday-Bound MACs

Information Security and Privacy

Contact Info

Product

Resources

About