Xiaolin Zhang,Dawu Gu

DOI: https://doi.org/10.1360/ssi-2021-0261

2021-01-01

Scientia Sinica Informationis

Abstract:Message authentication code (MAC), widely used in all kinds of information systems, is a symmetric cryptographic algorithm that checks message integrity and source authenticity. However, when the devices running MAC face physical invasion, the attacker can extract the keys inside and generate valid tags by directly reading the memory or adjusting the circuits. In this paper, we propose PUF-MAC, a new MAC algorithm based on the physically unclonable function (PUF), which is constructed from the hash function and PUF. The PUF is a kind of data mapping entity with unclonable internal structures and unpredictable outputs. The difference between mappings preserved by PUF entities originates from minor variations in the physical environment during production. The communicating parties can apply the PUF to form the shared secret key. Under the standard security model, this paper inductively proves that PUF-MAC satisfies the existential unforgeability under a chosen message attack, and the EUF-CMA security of PUF-MAC relies on the (weak) collision resistance of hash and the EUF-CMA security of PUF. Additionally, this paper recasts PUF-MAC into a key agreement protocol with forward/backward security, along with a bilateral authentication protocol by which its practicability is indicated. A comparison with other MAC reveals that PUF-MAC is indeed lightweight and easy to deploy, and PUF-MAC requires no pre-established PUF responses. The involvement of the PUF allows an attacker to forge a valid tag even after retrieving the key, thereby ensuring communication security.

Dayin Wang,Dongdai Lin,Wenling Wu

DOI: https://doi.org/10.1007/11596981_55

2005-01-01

Abstract:We give a variant of Poly1305 MAC and prove its security viewing this MAC as a Carter-Wegman MAC. The proposed variant not only keeps all the good properties of the Poly1305, but also makes Poly1305 deterministic.

Hu Zhenyu,Lin Dongdai,Wu Wenling,Feng Dengguo

IF: 1.019

2007-01-01

Chinese Journal of Electronics

Abstract:A security notion of Message authentication (MAC) named Tag-secrecy was abstracted from the pseudo-randomness of tagging algorithm, to characterize the security that is very different from the unforgeability (which is the traditional security notion of MAC). The Tag-secrecy is weaker than the pseudo-randomness and can be met by widely used authentication schemes. Under the assumption of Tag-secrecy, it is showed that the Encryptand-MAC can preserve Indistinguishability under Chosen-plaintext attacks (IND-CPA) and Integrity of Plaintext (INT-PTXT) in general.A security notion of encryption called Un-trivial forgeability of Ciphertext (UTF-CTXT) was presented to characterize that for any given ciphertext C, the adversary cannot forge a new ciphertext C' to decrypt to the same plaintext as C (named trivial forgery). This UTF-CTXT was to guarantee that any modification about the ciphertext must correspond to some change of the plaintext. It is proved to be much weaker than Integrity of Ciphertext (INT-CTXT) and satisfied by many popular encryption schemes and modes.With a Tag-secrecy MAC and an UTF-CTXT-secure encryption, Encrypt-and-MAC can satisfy the both strongest security requirements-Indistinguishability under Chosen-ciphertext attacks (IND-CCA) and INT-CTXT.

Keting Jia,Xiaoyun Wang,Zheng Yuan,Guangwu Xu

DOI: https://doi.org/10.1007/978-3-642-10433-6_23

2009-01-01

Abstract:This paper first presents a new distinguishing attack on the CBC-MAC structure based on block ciphers in cipher block chaining (CBC) mode. This attack detects a CBC-like MAC from random functions. The second result of this paper is a second-preimage attack on the CBC-MAC, which is an extension of the attack of Brincat and Mitchell. The attack also covers MT-MAC, PMAC and MACs with three-key enciphered CBC mode. Instead of exhaustive search, both types of attacks are of birthday attack complexity.

Jin Xu,Dayin Wang,Dongdai Lin,Wenling Wu

DOI: https://doi.org/10.1109/iccias.2006.295275

2006-01-01

Abstract:In this paper, we present an efficient one-key Carter-Wegman message authentication code, called one-key Galois message authentication code (OGMAC), and prove its security for arbitrary length message. Generally, Carter-Wegman MACs use a universal hash and a block cipher, and require two keys, one for the block cipher and the other for the universal hash. OGMAC, proposed here, uses only one key and gets a good performance through the use of the universal hash over a binary finite field

Dayin Wang,Dongdai Lin,Wenling Wu

DOI: https://doi.org/10.1007/11937807_7

2006-01-01

Abstract:In this paper, we present One-Key Poly1305 MAC(OPMAC) and prove its security for arbitrary length message. OPMAC is deterministic and takes only one 16-byte key. Previously, Poly1305 MAC is nonce-based and requires two 16-byte keys and a 16-byte nonce, 48-byte in total.

Dajiang Chen,Shaoquan Jiang,Zhiguang Qin

DOI: https://doi.org/10.1109/isit.2015.7282866

2015-01-01

Abstract:Message Authentication Code (MAC) is a keyed function f K such that when Alice, who shares the secret K with Bob, sends f K (M) to the latter, Bob will be assured of the integrity and authenticity of M. Traditionally, it is assumed that the channel is noiseless. Unfortunately, Maurer showed that in this case an attacker can succeed with probability equation after authenticating ∓ messages, where H(K) is the entropy of K. In this paper, we consider the setting where the channel is noisy. Specifically, Alice and Bob are connected by a discrete memoryless channel (DMC) W 1 and a noiseless but insecure channel. In addition, there is a DMC W 2 between Alice and attacker Oscar. We regard the noisy channel as an expensive resource and define the authentication rate ρ auth as the ratio of message length to the number n of channel W 1 uses. The security of this model depends on the channel coding for f K (M). A natural coding scheme is to use the secrecy capacity achieving code of Csiszár and Körner. Intuitively, this is also the optimal strategy. However, we propose a coding scheme that achieves a higher ρ auth . Our crucial point is that under a secrecy capacity code, Bob can fully recover f K (M) while in our model this is not necessary as we only need to detect the existence of the modification. How to detect the malicious modification without recovering f K (M) is the main contribution of this work. We achieve this through random coding techniques.

WANG Da-yin,LIN Dong-dai,WU Wen-ling

DOI: https://doi.org/10.3321/j.issn:0372-2112.2006.10.014

2006-01-01

Abstract:The most important tool to protect data integrity is Message Authentication Code(MAC),which is widely used in many kinds of secure systems.With the development of the theory of provable security,the MACs,which have security proof,are the first choice of many people.Based on the constructions of XOR MAC and PMAC,we define a deterministic fully parallelizable block-cipher mode of operation for message authentication-DXOR MAC(Deterministic XOR MAC).We prove its security,quantifying an adversary's forgery probability in terms of the quality of the block cipher as a pseudo-random permutation.

Hongbo Yu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-02620-1_13

2009-01-01

Abstract:In this paper, we present the first distinguishing attack on the LPMAC based on step-reduced SHA-256. The LPMAC is the abbreviation of the secret-prefix MAC with the length prepended to the message before hashing and it's a more secure version of the secret-prefix MAC. In [19], Wang e t al. give the first distinguishing attack on HMAC/NMAC-MD5 without the related key, then they improve the techniques to give a distinguishing attack on the LPMAC based on 61-step SHA-1 in [23]. In this paper, we utilize the techniques in [23] combined with our differential path on step-reduced SHA-256 to distinguishing the LPMAC based on 39-step SHA-256 from the LPMAC with a random function. The complexity of our attack is about 2184.5 MAC queries.

Zheng Yuan,Wei Wang,Keting Jia,Guangwu Xu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-03356-8_13

2009-01-01

Abstract:This paper develops several new techniques of cryptanalyzing MACs based on block ciphers, and is divided into two parts.The first part presents new distinguishers of the MAC construction Alred and its specific instance Alpha-MAC based on AES. For the Alred construction, we first describe a general distinguishing attack which leads to a forgery attack directly with the complexity of the birthday attack. A 2-round collision differential path of Alpha-MAC is adopted to construct a new distinguisher with about 265.5 chosen messages and 265.5 queries. One of the most important results is to use this new distinguisher to recover the internal state, which is an equivalent subkey of Alpha-MAC. Moreover, our distinguisher on Alred construction can be applied to the MACs based on CBC and CFB encryption modes.The second part describes the first impossible differential attack on MACs-Pelican, MT-MAC-AES and PC-MAC-AES. Using the birthday attack, enough message pairs that produce the inner near-collision with some specific differences are detected, then the impossible differential attack on 4-round AES to the above mentioned MACs is performed. For Pelican, our attack recovers its internal state, which is an equivalent subkey. For MT-MAC-AES, the attack turns out to be a subkey recovery attack directly. The complexity of the two attacks is 285.5 chosen messages and 285.5 queries. For PC-MAC-AES, we recover its 256-bit key with 285.5 chosen messages and 2128 queries.

WANG Da-Yin,LIN Dong-Dai,WU Wen-ling,JIANG Zhong-Hua

DOI: https://doi.org/10.3969/j.issn.1002-1175.2006.02.017

2006-01-01

Abstract:Message Authentication Codes are very important tools to protect data integrity.XOR-MAC is defined by Bellare,who also gives a security analysis for it.But the security analysis they gave for XOR-MAC is complex.In this paper,we use the Game-Playing technique to give a new security analysis for XOR-MAC.We prove XOR-MAC secure,quantifying an adversary's success probability of distinguishing XOR-MAC from a purely random function in terms of the quality of the block cipher as a pseudorandom permutation.

Yaobin Shen,Francois-Xavier Standaert,Lei Wang

DOI: https://doi.org/10.1007/978-981-99-8727-6_6

2023-01-01

Abstract:At CRYPTO'18, Datta et al. proposed nPolyMAC and proved the security up to 2(2n/3) authentication queries and 2(n) verification queries. At EUROCRYPT'19, Dutta et al. proposed CWC+ and showed the security up to 2(2n/3) queries. At FSE'19, Datta et al. proposed PolyMAC and its key-reduced variant 2k-PolyMAC, and showed the security up to 2(2n/3) queries. This security bound was then improved by Kim et al. (EUROCRYPT'20) and Datta et al. (FSE'23) respectively to 2(3n/4) and in the multi-user setting. At FSE'20, Chakraborti et al. proposed PDM*MAC and 1k-PDM*MAC, and showed the security up to 2(2n/3) queries. Recently, Chen et al. proposed nEHtM(p)(+) and showed the security up to 2(2n/3) queries. In this paper, we show forgery attacks on nPolyMAC, CWC+, PolyMAC, 2k-PolyMAC, PDM* MAC, 1k-PDM*MAC and nEHtM(p)(+). Our attacks exploit some vulnerability in the underlying polynomial hash function Poly, and (i) require only one authentication query and one verification query; (ii) are nonce-respecting; (iii) succeed with probability 1. Thus, our attacks disprove the provable high security claims of these schemes. We then revisit their security analyses and identify what went wrong. Finally, we propose two solutions that can restore the beyond-birthday-bound security.

Hao Xu,Kai-Kit Wong,Giuseppe Caire

2023-06-21

Abstract:This paper investigates the achievable region and precoder design for multiple access wiretap (MAC-WT) channels, where each user transmits both secret and open (i.e., non-confidential) messages. All these messages are intended for the legitimate receiver (or Bob for brevity) and the eavesdropper (Eve) is interested only in the secret messages of all users. By allowing users with zero secret message rate to act as conventional MAC channel users with no wiretapping, we show that the achievable region of the discrete memoryless (DM) MAC-WT channel given in [1] can be enlarged. In [1], the achievability was proven by considering the two-user case, making it possible to prove a key auxiliary lemma by directly using the Fourier-Motzkin elimination procedure. However, this approach does not generalize to the case with any number of users. In this paper, we provide a new region that generally enlarges that in [1] and provide general achievability proof.

Information Theory

Chenchao Shi,Biqian Feng,Yongpeng Wu,Wenjun Zhang

DOI: https://doi.org/10.1109/wcsp52459.2021.9613277

2021-01-01

Abstract:In this paper, we propose a preamble based medium access control (P-MAC) mechanism in Ad-Hoc network. Different from traditional carrier sense multiple access (CSMA) in Ad-Hoc network, P-MAC uses much shorter preamble to establish the network. First, we propose the P-MAC mechanism to shorten the time of establishing the Ad-Hoc network. Next, focusing on the Ad-Hoc power line communication (PLC) network, we propose a frequency division power line communication (FD-PLC) network architecture to obtain the best communication frequency. Due to the large-scale networks in industry, P-MAC can be exploited to speed up the establishment of the Ad-Hoc PLC network. Finally, we compare our mechanism with CSMA. Numerical results indicate that our strategy greatly shortens the time of establishing the Ad-Hoc network.

Frederik Hauser,Mark Schmidt,Marco Häberle,Michael Menth

DOI: https://doi.org/10.48550/arXiv.1904.07088

2019-04-15

Networking and Internet Architecture

Abstract:We propose P4-MACsec to protect network links between P4 switches through automated deployment of MACsec, a widespread IEEE standard for securing Layer 2 infrastructures. It is supported by switches and routers from major manufacturers and has only little performance limitations compared to VPN technologies such as IPsec. P4-MACsec introduces a data plane implementation of MACsec including AES-GCM encryption and decryption directly on P4 switches. P4-MACsec features a two-tier control plane structure where local controllers running on the P4 switches interact with a central controller. We propose a novel secure link discovery mechanism that leverages protected LLDP frames and the two-tier control plane structure for secure and efficient management of a global link map. Automated deployment of MACsec creates secure channel, generates keying material, and configures the P4 switches for each detected link between two P4 switches. It detects link changes and performs rekeying to provide a secure, configuration-free operation of MACsec. In this paper, we review the technological background of P4-MACsec and explain its architecture. To demonstrate the feasibility of P4-MACsec, we implement it on the BMv2 P4 software switch and validate the prototype through experiments. We evaluate its performance through experiments that focus on TCP throughput and round-trip time. We publish the prototype and experiment setups on Github.

Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1007/978-3-662-43414-7_25

2014-01-01

Abstract:This paper presents key recovery attacks on Sandwich-MAC instantiating MD5, where Sandwich-MAC is an improved variant of HMAC and achieves the same provable security level and better performance especially for short messages. The increased interest in lightweight cryptography motivates us to analyze such a MAC scheme. We first improve a distinguishing-H attack on HMAC-MD5 proposed by Wang et al. We then propose key recovery attacks on Sandwich-MAC-MD5 by combining various techniques such as distinguishing-H for HMAC-MD5, IV Bridge for APOP, dBB-near-collisions for related-key NMAC-MD5, meet-in-the-middle attack etc. In particular, we generalize a previous key-recovery technique as a new tool exploiting a conditional key-dependent distribution. Our attack also improves the partial-key (K-1) recovery on MD5-MAC, and extends it to recover both K-1 and K-2.

Jigang Qiu,Yi Long,Xiang Chen,Xiaokang Lin

DOI: https://doi.org/10.1093/ietcom/e90-b.5.1228

2007-01-01

IEICE Transactions on Communications

Abstract:In this paper a multi-channel MAC protocol with dynamic channel allocation (MMAC-DCA) in CDMA Ad Hoc networks is proposed. Under MMAC-DCA, the service sub-channels are dynamically allocated by the RTS/CTS dialogue on the common sub-channel, only when a node has a packet to transmit. In addition, a Markov mode is presented to analyze the performance of MMAC-DCA.

Xie Jun,Sun Wei,Gu Dawu,Guo Zheng,Liu Junrong,Bao Sigang,Ma Bo

DOI: https://doi.org/10.2991/csic-15.2015.24

2015-01-01

Abstract:The HMAC algorithm is widely used to provide authentication and message integrity in digital communications. However, if the HMAC cryptographic algorithm is implemented in cryptographic circuit, it is vulnerable to side-channel attacks. A typical example is that in 2007, McEvoy proposed an attack strategy for hardware-based implementation of HMAC-SHA2. In this paper, we research on SM3 cryptographic hash algorithm and propose a DPA attack strategy for the software-based implementation of HMAC-SM3. In the experiment, we launch a successful DPA attack on the practical cryptographic circuit and then discuss the security issues about the software-based implementation of HMAC-SM3.

WANG Da-Yin,LIN Dong-Dai,WU Wen-Ling

DOI: https://doi.org/10.1360/jos181756

2007-01-01

Journal of Software

Abstract:This paper defines and analyzes a fully deterministic parallelizable block-cipher mode of operation for message authentication— DPMAC (deterministic parallelizable message authentication code). DPMAC is constructed based on a 128-bit block cipher, works for strings of any bit length, and employs a single block-cipher key. Its security is proved, using the Game-Playing technique to quantify an adversary's forgery probability in terms of the quality of the block cipher as a pseudo-random permutation.

He Li,Vireshwar Kumar,Jung-Min Park,Yaling Yang

DOI: https://doi.org/10.48550/arXiv.2001.05211

2020-10-15

Abstract:In resource-constrained IoT networks, the use of conventional message authentication codes (MACs) to provide message authentication and integrity is not possible due to the large size of the MAC output. A straightforward yet naive solution to this problem is to employ a truncated MAC which undesirably sacrifices cryptographic strength in exchange for reduced communication overhead. In this paper, we address this problem by proposing a novel approach for message authentication called \textit{Cumulative Message Authentication Code} (CuMAC), which consists of two distinctive procedures: \textit{aggregation} and \textit{accumulation}. In aggregation, a sender generates compact authentication tags from segments of multiple MACs by using a systematic encoding procedure. In accumulation, a receiver accumulates the cryptographic strength of the underlying MAC by collecting and verifying the authentication tags. Embodied with these two procedures, CuMAC enables the receiver to achieve an advantageous trade-off between the cryptographic strength and the latency in processing of the authentication tags. Furthermore, for some latency-sensitive messages where this trade-off may be unacceptable, we propose a variant of CuMAC that we refer to as \textit{CuMAC with Speculation} (CuMAC/S). In addition to the aggregation and accumulation procedures, CuMAC/S enables the sender and receiver to employ a speculation procedure for predicting future message values and pre-computing the corresponding MAC segments. For the messages which can be reliably speculated, CuMAC/S significantly reduces the MAC verification latency without compromising the cryptographic strength. We have carried out comprehensive evaluation of CuMAC and CuMAC/S through simulation and a prototype implementation on a real car.

Cryptography and Security