Variants of Wegman-Carter message authentication code supporting variable tag lengths

Abstract

In this work, we study message authentication code (MAC) schemes supporting variable tag lengths. We provide a formalisation of such a scheme. Several variants of the classical Wegman-Carter MAC scheme are considered. Most of these are shown to be insecure by pointing out detailed attacks. One of these schemes is highlighted and proved to be secure. We further build on this scheme to obtain single-key variable tag length MAC schemes utilising either a stream cipher or a short-output pseudo-random function. These schemes can be efficiently instantiated using practical well known primitives.

Attack on \({\textsf {nvMAC\text{- }t}} 6\)

The attack is described in Algorithm 2.

Proposition 4

The attack given in Algorithm 2 on the scheme \({\textsf {nvMAC\text{- }t}} 6\) produces a forgery for tag length \(\lambda \) which is correct with probability 1. It requires at most \(2^{\lambda _1+1}+2^{n-\lambda _1}\) verification queries on tag length \(\lambda _1\) and one tag generation query and at most \(2^{n - \lambda _1}\) verification queries on tag length \(\lambda \).

Proof

That the attack mentioned in Algorithm 2 forges with probability 1 is proved if it can be shown that there is an iteration of the do-while loop in Steps 17 to 24 such that \({\mathcal {R}}_v^{(5)} = {\textsf {true}} \), i.e. there is a verification query in Step 23 which succeeds.

From Steps 4 and 5, we get that

$$\begin{aligned} {\textsf {msb}} _{\lambda _1}({\textsf {F}} _{K}(N_1)\oplus {\textsf {Hash}} _{\tau _{\lambda _1}}(x_1))= & {} {\textsf {tag}} ^{(1)}. \end{aligned}$$

(34)

$$\begin{aligned} {\textsf {msb}} _{\lambda _1}({\textsf {F}} _{K}(N_1)\oplus {\textsf {Hash}} _{\tau _{\lambda _1}}(x_2))= & {} {\textsf {tag}} ^{(2)}. \end{aligned}$$

(35)

So,

$$\begin{aligned} {\textsf {msb}} _{\lambda _1}({\textsf {Hash}} _{\tau _{\lambda _1}}(x_1)\oplus {\textsf {Hash}} _{\tau _{\lambda _1}}(x_2)) = {\textsf {tag}} ^{(1)} \oplus {\textsf {tag}} ^{(2)}. \end{aligned}$$

(36)

Here \({\textsf {tag}} ^{(1)} \oplus {\textsf {tag}} ^{(2)}\) is a \(\lambda _1\)-bit binary string.

Following Proposition 2, for each choice of \(c_1\) in the do-while loop in Steps 17 to 24, the equation in Step 10 can be solved to get \(\tau _{c_1}\) and \(x_{c_1}\). The fact that \({\textsf {Hash}} _{\tau _{\lambda _1}}(x_1)\oplus {\textsf {Hash}} _{\tau _{\lambda _1}}(x_2) \in \{0,1\}^n\) and (36) suggest that there is a correct \(c_1\), such that the equation in Step 10 holds and we consider that iteration of the do-while loop which deals with this particular \(c_1\). The \(\tau _{c_1}\) obtained in this iteration is the actual hash key used in the scheme. So,

$$\begin{aligned}&{\textsf {nvMAC\text{- }t}} 6(N_1,x_3,\lambda _1) \nonumber \\&\quad = {\textsf {msb}} _{\lambda _1}({\textsf {F}} _{K}(N_1)\oplus {\textsf {Hash}} _{\tau _{c_1}}(x_3)) \nonumber \\&\quad = {\textsf {tag}} ^{(1)} \oplus {\textsf {msb}} _{\lambda _1}({\textsf {Hash}} _{\tau _{c_1}}(x_1)) \oplus {\textsf {msb}} _{\lambda _1}({\textsf {Hash}} _{\tau _{c_1}}(x_3)) \end{aligned}$$

(37)

$$\begin{aligned}&\quad = x_{c_1} \oplus {\textsf {msb}} _{\lambda _1}({\textsf {Hash}} _{\tau _{c_1}}(x_3)) . \end{aligned}$$

(38)

The expression in (37) comes from (34) and that in (38) comes from Step 12 in Algorithm 2. Hence, in this particular iteration of the do-while loop, \({\mathcal {R}}_v^{(3)} = {\textsf {true}} \) and the loop terminates.

Noting that \(\lambda =n\), from Step 15, we get

$$\begin{aligned} {\textsf {F}} _K(N_1)\oplus {\textsf {Hash}} _{\tau _{\lambda }}(x_4) = {\textsf {tag}} ^{(4)}\Rightarrow & {} {\textsf {Hash}} _{\tau _{\lambda }}(x_4) = {\textsf {tag}} ^{(4)} \oplus {\textsf {F}} _K(N_1). \end{aligned}$$

(39)

Here, the n bits of \({\textsf {tag}} ^{(4)}\) and \({\textsf {msb}} _{\lambda _1}(\cdot )\) of \({\textsf {F}} _K(N_1)\), which is \(x_{c_1}\), are known. As \({\textsf {Hash}} _{\tau _{\lambda }}(x_4)\in \{0,1\}^n\), there is a \(c_2\in \{0,1\}^{n-\lambda _1}\), such that,

$$\begin{aligned} {\textsf {Hash}} _{\tau _{\lambda }}(x_4) = {\textsf {msb}} _{\lambda _1}({\textsf {tag}} ^{(4)} \oplus {\textsf {F}} _K(N_1))||c_2 = ({\textsf {msb}} _{\lambda _1}({\textsf {tag}} ^{(4)}) \oplus x_{c_1}) || c_2. \end{aligned}$$

(40)

For the correct choice of \(c_2\), the correct values of \(\tau _{c_2}\) and \(x_{c_2}\) are obtained in Steps 21 and 22 respectively. For the correct \(c_2\), from (39) and (40), we get,

$$\begin{aligned} {\textsf {F}} _K(N_1) = {\textsf {Hash}} _{\tau _{\lambda }}(x_4) \oplus {\textsf {tag}} ^{(4)} = (({\textsf {msb}} _{\lambda _1}({\textsf {tag}} ^{(4)}) \oplus x_{c_1}) || c_2) \oplus {\textsf {tag}} ^{(4)}, \end{aligned}$$

(41)

which equals \(x_{c_2}\) according to Step 22 in Algorithm 2. Hence,

$$\begin{aligned} {\textsf {nvMAC\text{- }t}} 6(N_1,x,\lambda )= & {} {\textsf {F}} _K(N_1)\oplus {\textsf {Hash}} _{\tau _{c_2}}(x) = x_{c_2} \oplus {\textsf {Hash}} _{\tau _{c_2}}(x). \end{aligned}$$

(42)

The last equality follows from (41). From (42), it is clear that for the iteration of the do-while loop in Steps 17 to 24, in which the correct \(c_2\) is used, \({\mathcal {R}}_v^{(5)} = {\textsf {true}} \) with probability 1, which proves the first part of the Lemma.

Steps 4 and 5 each require at most \(2^{\lambda _1}\) verification queries for tag length \(\lambda _1\). Step 13 requires at most \(2^{n-\lambda _1}\) verification queries for tag length \(\lambda _1\). A tag generation query for tag length \(\lambda \) is made in Step 15 and at most \(2^{n-\lambda _1}\) verification queries are made for tag length \(\lambda \) in Step 23. This shows the complexity of the attack. \(\square \)

Remarks

1. 1.

   With \(\lambda =n\) suppose \(\lambda _1=n/2\). Then the adversary makes a maximum of \(3\cdot 2^{n/2}\) verification queries for tag length n/2, one tag generation query and at most \(2^{n/2}\) verification queries for tag length n. It produces a forgery for tag length n which is correct with probability 1. So, this is a valid forgery attack for tag length n.

2. 2.

   Algorithm 2 makes a single tag generation query. Hence, the issue of repeating nonces in tag generation queries does not arise.