Variants of Wegman-Carter message authentication code supporting variable tag lengths

Abstract

In this work, we study message authentication code (MAC) schemes supporting variable tag lengths. We provide a formalisation of such a scheme. Several variants of the classical Wegman-Carter MAC scheme are considered. Most of these are shown to be insecure by pointing out detailed attacks. One of these schemes is highlighted and proved to be secure. We further build on this scheme to obtain single-key variable tag length MAC schemes utilising either a stream cipher or a short-output pseudo-random function. These schemes can be efficiently instantiated using practical well known primitives.

This is a preview of subscription content, access via your institution.

Notes

  1. 1.

    Bernstein’s proof in [5] for nonce-based MAC considers simulation of the first forgery attempt with the simulator returning \({\textsf {true}} \) if the provided tag is equal to the tag returned by a previous tag generation query on the same nonce and message, and \({\textsf {false}} \) otherwise. In our case, since we are disallowing useless queries, there could not have been a previous tag generation query for the tag length \(\lambda _0\) with the same nonce and message as that of the first verification query for tag length \(\lambda _0\). So, in our case, such a simulator would always return.\({\textsf {false}} \).

References

  1. 1.

    Aumasson J.-P., Bernstein D.J.: Siphash: A fast short-input PRF. In: Galbraith S.D., Nandi M. (eds.) Progress in Cryptology - INDOCRYPT 2012, 13th International Conference on Cryptology in India, Kolkata, India, December 9–12, 2012. Proceedings, volume 7668 of Lecture Notes in Computer Science, pages 489–508. Springer, (2012).

  2. 2.

    Berbain C., Gilbert H.: On the security of IV dependent stream ciphers. In: Biryukov, Alex (ed.) FSE, volume 4593 of Lecture Notes in Computer Science, pp. 254–273. Springer, (2007).

  3. 3.

    Bernstein D.J.: The Salsa20 family of stream ciphers. http://cr.yp.to/papers.html#salsafamily. Document ID: 31364286077dcdff8e4509f9ff3139ad. Date: 2007.12.25.

  4. 4.

    Bernstein D.J.: The poly1305-aes message-authentication code. In: Gilbert H., Handschuh H. (eds.) Fast Software Encryption: 12th International Workshop, FSE 2005, Paris, France, February 21-23, 2005, Revised Selected Papers, volume 3557 of Lecture Notes in Computer Science, pp. 32–49. Springer, (2005).

  5. 5.

    Bernstein D.J.: Stronger security bounds for Wegman-Carter-Shoup authenticators. In: Cramer R. (ed.) EUROCRYPT, volume 3494 of Lecture Notes in Computer Science, pp. 164–180. Springer, (2005).

  6. 6.

    Bernstein D.J.: Polynomial evaluation and message authentication (2007). http://cr.yp.to/papers.html#pema.

  7. 7.

    Bernstein D.J., Chou T.: Faster binary-field multiplication and faster binary-field macs. In: Joux, Antoine, Youssef, Amr M. (eds), Selected Areas in Cryptography - SAC 2014 - 21st International Conference, Montreal, QC, Canada, August 14-15, 2014, Revised Selected Papers, volume 8781 of Lecture Notes in Computer Science, pp. 92–111. Springer, (2014).

  8. 8.

    Black J., Halevi S., Krawczyk H., Krovetz T., Rogaway P.: UMAC: Fast and secure message authentication. In: Wiener M.J. (ed.) CRYPTO, volume 1666 of Lecture Notes in Computer Science, pages 216–233. Springer, (1999).

  9. 9.

    CAESAR. Competition for Authenticated Encryption: Security, Applicability, and Robustness. http://competitions.cr.yp.to/caesar.html.

  10. 10.

    Chakraborty D., Ghosh S., Sarkar P.: A fast single-key two-level universal hash function. IACR Trans. Symmetric Cryptol. 2017(1), 106–128 (2017).

    Article  Google Scholar 

  11. 11.

    Dobraunig C., Eichlseder M., Mendel F., Schläffer M.: Remark on variable tag lengths and OMD. https://groups.google.com/g/crypto-competitions/c/sekKDsIJvwU/m/5_V_TzZQaWYJ?pli=1. Accessed 15 Nov 2019 (2014).

  12. 12.

    Finney H.: CFRG discussion on UMAC. https://marc.info/?l=cfrg&m=143336318427069&w=2. Accessed 15 Nov 2019 (2005).

  13. 13.

    Finney H.: CFRG discussion on UMAC. https://marc.info/?l=cfrg&m=143336318527072&w=2. Accessed 15 Nov 2019 (2005).

  14. 14.

    Gilbert E.N., MacWilliams F., Jessie S., Neil J.A.: Codes which detect deception. Bell Syst. Tech. J. 53, 405–424 (1974).

    MathSciNet  Article  Google Scholar 

  15. 15.

    Krovetz T.: UMAC: Message authentication code using universal hashing. https://tools.ietf.org/html/draft-krovetz-umac-05.html. Accessed 15 Nov 2019, (2005).

  16. 16.

    Krovetz T., Rogaway P.: The software performance of authenticated-encryption modes. In: Joux, Antoine (ed.) FSE, volume 6733 of Lecture Notes in Computer Science, pages 306–327. Springer, (2011).

  17. 17.

    Luykx A., Preneel B.: Optimal forgeries against polynomial-based macs and GCM. In: Nielsen J.B., Rijmen V. (eds.) Advances in Cryptology - EUROCRYPT 2018 - 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, April 29 - May 3, 2018 Proceedings, Part I, volume 10820 of Lecture Notes in Computer Science, pages 445–467. Springer, (2018).

  18. 18.

    Manger J.H.: Attacker changing tag length in OCB. https://mailarchive.ietf.org/arch/msg/cfrg/gJtV9FCw92MguqqhxrSNUyIDZIw. Accessed 15 Nov 2019, (2013).

  19. 19.

    McGrew D.A., Viega J.: The security and performance of the Galois/Counter Mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT, volume 3348 of Lecture Notes in Computer Science, pages 343–355. Springer (2004).

  20. 20.

    Nandi M.: Bernstein bound on WCS is tight—repairing luykx-preneel optimal forgeries. In: Shacham H., Boldyreva A. (eds.) Advances in Cryptology - CRYPTO 2018 - 38th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19–23, 2018, Proceedings, Part II, volume 10992 of Lecture Notes in Computer Science, pp. 213–238. Springer (2018).

  21. 21.

    Ounsworth M.: Footguns as an axis of security analysis. https://groups.google.com/a/list.nist.gov/forum/#!topic/pqc-forum/l2iYk-8sGnI. Accessed 15 Nov 2019, (2019).

  22. 22.

    Reyhanitabar R., Vaudenay S., Vizár D.: Authenticated encryption with variable stretch. In: Cheon J.H., Takagi T. (eds.) Advances in Cryptology—ASIACRYPT 2016 - 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4–8, 2016, Proceedings, Part I, volume 10031 of Lecture Notes in Computer Science, pp. 396–425 (2016).

  23. 23.

    Rogaway P., Wagner D.: A critique of ccm. Cryptology ePrint Archive, Report 2003/070, (2003). https://eprint.iacr.org/2003/070.

  24. 24.

    Safavi-Naini R., Lisý V., Desmedt Y.: Economically optimal variable tag length message authentication. In: Kiayias A. (ed.) Financial Cryptography and Data Security - 21st International Conference, FC 2017, Sliema, Malta, April 3–7, 2017, Revised Selected Papers, volume 10322 of Lecture Notes in Computer Science, pp. 204–223. Springer (2017).

  25. 25.

    Shoup V.: On fast and provably secure message authentication based on universal hashing. In: Koblitz, Neal (ed.) CRYPTO, volume 1109 of Lecture Notes in Computer Science, pages 313–328. Springer (1996).

  26. 26.

    UMAC. CFRG discussion on UMAC. http://marc.info/?l=cfrg&m=143336318427068&w=2. Accessed 15 Nov 2019, (2005).

  27. 27.

    Wagner D.: CFRG discussion on UMAC. https://marc.info/?l=cfrg&m=143336318527073&w=2. Accessed 15 Nov 2019, (2005).

  28. 28.

    Wang P., Feng D., Wenling W.: HCTR: A variable-input-length enciphering mode. In: Feng D., Lin D., Yung M. (eds.) CISC, volume 3822 of Lecture Notes in Computer Science, pp. 175–188. Springer, (2005).

  29. 29.

    Wegman Mark N.: Carter, Larry: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981).

    Article  Google Scholar 

  30. 30.

    Winograd S.: A new algorithm for inner product. IEEE Trans. Comput. 17, 693–694 (1968).

    Article  Google Scholar 

Download references

Acknowledgements

We are grateful to the reviewers for their detailed reading of the paper and for providing helpful comments.

Author information

Affiliations

Authors

Corresponding author

Correspondence to Palash Sarkar.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Communicated by F. Mendel.

Attack on \({\textsf {nvMAC\text{- }t}} 6\)

Attack on \({\textsf {nvMAC\text{- }t}} 6\)

The attack is described in Algorithm 2.

figurec

Proposition 4

The attack given in Algorithm 2 on the scheme \({\textsf {nvMAC\text{- }t}} 6\) produces a forgery for tag length \(\lambda \) which is correct with probability 1. It requires at most \(2^{\lambda _1+1}+2^{n-\lambda _1}\) verification queries on tag length \(\lambda _1\) and one tag generation query and at most \(2^{n - \lambda _1}\) verification queries on tag length \(\lambda \).

Proof

That the attack mentioned in Algorithm 2 forges with probability 1 is proved if it can be shown that there is an iteration of the do-while loop in Steps 17 to 24 such that \({\mathcal {R}}_v^{(5)} = {\textsf {true}} \), i.e. there is a verification query in Step 23 which succeeds.

From Steps 4 and 5, we get that

$$\begin{aligned} {\textsf {msb}} _{\lambda _1}({\textsf {F}} _{K}(N_1)\oplus {\textsf {Hash}} _{\tau _{\lambda _1}}(x_1))= & {} {\textsf {tag}} ^{(1)}. \end{aligned}$$
(34)
$$\begin{aligned} {\textsf {msb}} _{\lambda _1}({\textsf {F}} _{K}(N_1)\oplus {\textsf {Hash}} _{\tau _{\lambda _1}}(x_2))= & {} {\textsf {tag}} ^{(2)}. \end{aligned}$$
(35)

So,

$$\begin{aligned} {\textsf {msb}} _{\lambda _1}({\textsf {Hash}} _{\tau _{\lambda _1}}(x_1)\oplus {\textsf {Hash}} _{\tau _{\lambda _1}}(x_2)) = {\textsf {tag}} ^{(1)} \oplus {\textsf {tag}} ^{(2)}. \end{aligned}$$
(36)

Here \({\textsf {tag}} ^{(1)} \oplus {\textsf {tag}} ^{(2)}\) is a \(\lambda _1\)-bit binary string.

Following Proposition 2, for each choice of \(c_1\) in the do-while loop in Steps 17 to 24, the equation in Step 10 can be solved to get \(\tau _{c_1}\) and \(x_{c_1}\). The fact that \({\textsf {Hash}} _{\tau _{\lambda _1}}(x_1)\oplus {\textsf {Hash}} _{\tau _{\lambda _1}}(x_2) \in \{0,1\}^n\) and (36) suggest that there is a correct \(c_1\), such that the equation in Step 10 holds and we consider that iteration of the do-while loop which deals with this particular \(c_1\). The \(\tau _{c_1}\) obtained in this iteration is the actual hash key used in the scheme. So,

$$\begin{aligned}&{\textsf {nvMAC\text{- }t}} 6(N_1,x_3,\lambda _1) \nonumber \\&\quad = {\textsf {msb}} _{\lambda _1}({\textsf {F}} _{K}(N_1)\oplus {\textsf {Hash}} _{\tau _{c_1}}(x_3)) \nonumber \\&\quad = {\textsf {tag}} ^{(1)} \oplus {\textsf {msb}} _{\lambda _1}({\textsf {Hash}} _{\tau _{c_1}}(x_1)) \oplus {\textsf {msb}} _{\lambda _1}({\textsf {Hash}} _{\tau _{c_1}}(x_3)) \end{aligned}$$
(37)
$$\begin{aligned}&\quad = x_{c_1} \oplus {\textsf {msb}} _{\lambda _1}({\textsf {Hash}} _{\tau _{c_1}}(x_3)) . \end{aligned}$$
(38)

The expression in (37) comes from (34) and that in (38) comes from Step 12 in Algorithm 2. Hence, in this particular iteration of the do-while loop, \({\mathcal {R}}_v^{(3)} = {\textsf {true}} \) and the loop terminates.

Noting that \(\lambda =n\), from Step 15, we get

$$\begin{aligned} {\textsf {F}} _K(N_1)\oplus {\textsf {Hash}} _{\tau _{\lambda }}(x_4) = {\textsf {tag}} ^{(4)}\Rightarrow & {} {\textsf {Hash}} _{\tau _{\lambda }}(x_4) = {\textsf {tag}} ^{(4)} \oplus {\textsf {F}} _K(N_1). \end{aligned}$$
(39)

Here, the n bits of \({\textsf {tag}} ^{(4)}\) and \({\textsf {msb}} _{\lambda _1}(\cdot )\) of \({\textsf {F}} _K(N_1)\), which is \(x_{c_1}\), are known. As \({\textsf {Hash}} _{\tau _{\lambda }}(x_4)\in \{0,1\}^n\), there is a \(c_2\in \{0,1\}^{n-\lambda _1}\), such that,

$$\begin{aligned} {\textsf {Hash}} _{\tau _{\lambda }}(x_4) = {\textsf {msb}} _{\lambda _1}({\textsf {tag}} ^{(4)} \oplus {\textsf {F}} _K(N_1))||c_2 = ({\textsf {msb}} _{\lambda _1}({\textsf {tag}} ^{(4)}) \oplus x_{c_1}) || c_2. \end{aligned}$$
(40)

For the correct choice of \(c_2\), the correct values of \(\tau _{c_2}\) and \(x_{c_2}\) are obtained in Steps 21 and 22 respectively. For the correct \(c_2\), from (39) and (40), we get,

$$\begin{aligned} {\textsf {F}} _K(N_1) = {\textsf {Hash}} _{\tau _{\lambda }}(x_4) \oplus {\textsf {tag}} ^{(4)} = (({\textsf {msb}} _{\lambda _1}({\textsf {tag}} ^{(4)}) \oplus x_{c_1}) || c_2) \oplus {\textsf {tag}} ^{(4)}, \end{aligned}$$
(41)

which equals \(x_{c_2}\) according to Step 22 in Algorithm 2. Hence,

$$\begin{aligned} {\textsf {nvMAC\text{- }t}} 6(N_1,x,\lambda )= & {} {\textsf {F}} _K(N_1)\oplus {\textsf {Hash}} _{\tau _{c_2}}(x) = x_{c_2} \oplus {\textsf {Hash}} _{\tau _{c_2}}(x). \end{aligned}$$
(42)

The last equality follows from (41). From (42), it is clear that for the iteration of the do-while loop in Steps 17 to 24, in which the correct \(c_2\) is used, \({\mathcal {R}}_v^{(5)} = {\textsf {true}} \) with probability 1, which proves the first part of the Lemma.

Steps 4 and 5 each require at most \(2^{\lambda _1}\) verification queries for tag length \(\lambda _1\). Step 13 requires at most \(2^{n-\lambda _1}\) verification queries for tag length \(\lambda _1\). A tag generation query for tag length \(\lambda \) is made in Step 15 and at most \(2^{n-\lambda _1}\) verification queries are made for tag length \(\lambda \) in Step 23. This shows the complexity of the attack. \(\square \)

Remarks

  1. 1.

    With \(\lambda =n\) suppose \(\lambda _1=n/2\). Then the adversary makes a maximum of \(3\cdot 2^{n/2}\) verification queries for tag length n/2, one tag generation query and at most \(2^{n/2}\) verification queries for tag length n. It produces a forgery for tag length n which is correct with probability 1. So, this is a valid forgery attack for tag length n.

  2. 2.

    Algorithm 2 makes a single tag generation query. Hence, the issue of repeating nonces in tag generation queries does not arise.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Ghosh, S., Sarkar, P. Variants of Wegman-Carter message authentication code supporting variable tag lengths. Des. Codes Cryptogr. (2021). https://doi.org/10.1007/s10623-020-00840-w

Download citation

Keywords

  • MAC
  • Variable tag length
  • Wegman-Carter
  • Security bound

Mathematics Subject Classification

  • 94A60