Abstract
This article presents universal forgery and multiple forgeries against MergeMAC that has been recently proposed to fit scenarios where bandwidth is limited and where strict time constraints apply. MergeMAC divides an input message into two parts, \(m\Vert \tilde{m}\), and its tag is computed by \(\mathcal {F}( \mathcal {P}_1(m) \oplus \mathcal {P}_2(\tilde{m}) )\), where \(\mathcal {P}_1\) and \(\mathcal {P}_2\) are PRFs and \(\mathcal {F}\) is a public function. The tag size is 64 bits. The designers claim 64-bit security and mention that it might be insecure to accept beyond-birthday-bound queries.
This paper presents the first third-party analysis of MergeMAC. Firstly, it is shown that limiting the number of queries up to the birthday bound is crucial, because a generic universal forgery against CBC-like MAC can be applied. Afterwards another attack is presented that works with very few queries, 3 queries and \(2^{58.6}\) computations of \(\mathcal {F}\), by applying a preimage attack against weak \(\mathcal {F}\). This breaks the claimed security. The analysis is then generalized to a MergeMAC variant where \(\mathcal {F}\) is replaced with a one-way function \(\mathcal {H}\).
Finally, multiple forgeries are discussed in which the attacker’s goal is to improve the ratio of the number of queries to the number of forged tags. It is shown that the number of achievable forgeries is quadratic in the number of queries in the sense of existential forgery, and this is tight when messages have a particular structure. For universal forgery, tags for 3q arbitrary chosen messages can be obtained by making 5q queries.
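The abstract's point is structural: because the two PRF outputs are merged by XOR before a public finalization, any scheme that lets an attacker recover the value entering \(\mathcal {F}\) (by inverting a weak \(\mathcal {F}\), or by a preimage attack of the cost the paper quantifies) lets known tags be combined into tags for new messages, and the count of such combinations grows quadratically in the number of known tags. The toy model below is an added example, not code from the paper or from the MergeMAC designers: it stands in \(\mathcal {P}_1, \mathcal {P}_2\) with truncated HMAC-SHA256 under constructed keys, and deliberately uses an invertible 64-bit mixing function as a stand-in for a weak \(\mathcal {F}\) so that the preimage step is free. The real \(\mathcal {F}\) of MergeMAC and the paper's preimage attack on it are not reproduced.

```python
import hashlib
import hmac

MASK64 = (1 << 64) - 1
MUL = 0x9E3779B97F4A7C15           # odd, hence invertible modulo 2^64
MUL_INV = pow(MUL, -1, 1 << 64)
ADD = 0x1234567887654321


def prf(key: bytes, msg: bytes) -> int:
    """Toy 64-bit PRF standing in for P1 / P2 (assumption: truncated HMAC-SHA256)."""
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:8], "big")


def f_public(x: int) -> int:
    """Toy public finalization F. It is a bijection on 64 bits by construction,
    which models the 'weak F' case: preimages are cheap, so the value entering F
    can be recovered from a tag."""
    x = (x * MUL) & MASK64
    x ^= x >> 29
    return (x + ADD) & MASK64


def f_inverse(y: int) -> int:
    """Exact inverse of f_public (the cheap-preimage step of the toy model)."""
    y = (y - ADD) & MASK64
    y = y ^ (y >> 29) ^ (y >> 58)   # undoes x ^= x >> 29 on a 64-bit word
    return (y * MUL_INV) & MASK64


def merge_mac(k1: bytes, k2: bytes, m: bytes, m_tilde: bytes) -> int:
    """MergeMAC-style tag: F( P1(m) xor P2(m~) ), 64-bit output."""
    return f_public(prf(k1, m) ^ prf(k2, m_tilde))


def combine_tags(t_00: int, t_i0: int, t_0j: int) -> int:
    """Derive the tag of m_i || m~_j from three tags that share a row/column:
    P1(m_i)^P2(m~_0)  xor  P1(m_0)^P2(m~_j)  xor  P1(m_0)^P2(m~_0)  =  P1(m_i)^P2(m~_j).
    Only possible because the input to F can be recovered (here via f_inverse)."""
    x = f_inverse(t_i0) ^ f_inverse(t_0j) ^ f_inverse(t_00)
    return f_public(x)


def demo(n: int = 2):
    """Tags for (1 + 2n) message pairs in a row/column pattern yield n*n further
    valid tags. Returns (all_derived_tags_correct, number_of_derived_tags).
    Keys and messages are constructed sample values."""
    k1, k2 = b"constructed-key-P1", b"constructed-key-P2"
    ms = [b"m%d" % i for i in range(n + 1)]
    mts = [b"mt%d" % j for j in range(n + 1)]
    t_00 = merge_mac(k1, k2, ms[0], mts[0])
    row = {i: merge_mac(k1, k2, ms[i], mts[0]) for i in range(1, n + 1)}
    col = {j: merge_mac(k1, k2, ms[0], mts[j]) for j in range(1, n + 1)}
    derived = {(i, j): combine_tags(t_00, row[i], col[j])
               for i in range(1, n + 1) for j in range(1, n + 1)}
    ok = all(derived[(i, j)] == merge_mac(k1, k2, ms[i], mts[j]) for (i, j) in derived)
    return ok, len(derived)


if __name__ == "__main__":
    print(demo(3))   # 7 known tags give 9 derived tags
```

With a preimage-resistant \(\mathcal {F}\) there is no `f_inverse`, and the same XOR identity can only be used after the preimage work the abstract puts at \(2^{58.6}\) evaluations of \(\mathcal {F}\) for the real design; this is why the paper separates the weak-\(\mathcal {F}\) case from the variant with a one-way \(\mathcal {H}\), and why the designers' birthday-bound query limit matters independently of \(\mathcal {F}\).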
Notes
1. We refer to [7] for a thorough review of lightweight constructions.
2. The CAN bus is the standard system used in most modern cars to connect together the different components (engine control unit, airbags, audio system, doors, etc.).
3. We refer to the specification [1] for details.
4. As we will show later in the paper, this argument turns out to be wrong.
References
Ankele, R., Böhl, F., Friedberger, S.: MergeMAC: a MAC for authentication with strict time constraints and limited bandwidth. In: Preneel, B., Vercauteren, F. (eds.) ACNS 2018. LNCS, vol. 10892, pp. 381–399. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93387-0_20
Aoki, K., Sasaki, Y.: Preimage attacks on one-block MD4, 63-step MD5 and more. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 103–119. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_7
Aumasson, J.-P., Bernstein, D.J.: SipHash: a fast short-input PRF. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 489–508. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34931-7_28
Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK Families of Lightweight Block Ciphers. IACR Cryptology ePrint Archive 2013, 404 (2013)
Beierle, C., et al.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_5
Bhargavan, K., Leurent, G.: On the practical (in-)security of 64-bit block ciphers: collision attacks on HTTP over TLS and OpenVPN. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016, pp. 456–467 (2016)
Biryukov, A., Perrin, L.: State of the Art in Lightweight Symmetric Cryptography. IACR Cryptology ePrint Archive 2017, 511 (2017)
Black, J., Cochran, M.: MAC reforgeability. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 345–362. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03317-9_21
Bogdanov, A., et al.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74735-2_31
Borghoff, J., et al.: PRINCE – a low-latency block cipher for pervasive computing applications. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 208–225. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_14
Diffie, W., Hellman, M.E.: Special feature: exhaustive cryptanalysis of the NBS Data Encryption Standard. IEEE Computer 10(6), 74–84 (1977)
Forler, C., List, E., Lucks, S., Wenzel, J.: Reforgeability of authenticated encryption schemes. In: Pieprzyk, J., Suriadi, S. (eds.) ACISP 2017, Part II. LNCS, vol. 10343, pp. 19–37. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59870-3_2
Jia, K., Wang, X., Yuan, Z., Xu, G.: Distinguishing and second-preimage attacks on CBC-like MACs. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds.) CANS 2009. LNCS, vol. 5888, pp. 349–361. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10433-6_23
Luykx, A., Preneel, B., Tischhauser, E., Yasuda, K.: A MAC mode for lightweight block ciphers. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 43–59. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_3
Mouha, N., Mennink, B., Van Herrewege, A., Watanabe, D., Preneel, B., Verbauwhede, I.: Chaskey: an efficient MAC algorithm for 32-bit microcontrollers. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 306–323. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13051-4_19
Sasaki, Y.: Meet-in-the-middle preimage attacks on AES hashing modes and an application to whirlpool. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 378–396. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21702-9_22
Sasaki, Y., Aoki, K.: Finding preimages in full MD5 faster than exhaustive search. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 134–152. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_8
Shirai, T., Shibutani, K., Akishita, T., Moriai, S., Iwata, T.: The 128-bit blockcipher CLEFIA (extended abstract). In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 181–195. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74619-5_12
Acknowledgments
The authors would like to thank the organizers of Japan Days 2018 for providing us with an opportunity for this collaboration. We would also like to thank the anonymous reviewers of CT-RSA 2019 for their helpful comments.
© 2019 Springer Nature Switzerland AG
Cite this paper
Iwata, T., Lallemand, V., Leander, G., Sasaki, Y. (2019). Universal Forgery and Multiple Forgeries of MergeMAC and Generalized Constructions. In: Matsui, M. (eds) Topics in Cryptology – CT-RSA 2019. CT-RSA 2019. Lecture Notes in Computer Science(), vol 11405. Springer, Cham. https://doi.org/10.1007/978-3-030-12612-4_15
DOI: https://doi.org/10.1007/978-3-030-12612-4_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-12611-7
Online ISBN: 978-3-030-12612-4
eBook Packages: Computer Science, Computer Science (R0)