 The second tool of this session is secure message authentication and can be used to create a key to attack. My name is Suresh, I'm from Sharanthia and I'm from Tabla Bari. Work is about secure message authentication. And the address model that we consider here is in a related key framework. So the outline of the talk will be a very quick background about what exactly we mean by related key attack here and what the model will follow for the security of message authentication codes. And then we show the sum attacks on the well-known max. And then we'll have some look at the previously known results and what are the related key functions that we're deriving functions that were considered in previous results. And then the main results and the constructions will follow. So in a related key framework the adversary is not only allowed to query the encryption of the function of course I mean a key function here. It will also be able to make a query with some modified key and this modification function that's defined by the adversary. That means it is allowed to change some key bits and then allowed to make a query to the encryption model itself. So apart from the, if the function is F then apart from making the normal queries we'll also have some part which is changing the key bits and actually getting the answer for the modified key also. And this class of functions is well known as related key deriving functions and it can include from very simple functions to complicated functions also like in case of AES related key attacks they've used quite complicated functions like round key, some GI function from the round key generation function. So if you look at some previous results there have been very extensive works on this related key attacks on Cypher's or Mac. This was introduced by PM and then followed by many attacks on block cypher's and even I think till then we are having many related key attacks on the recently proposed Cypher's. So the question here we try to address is not exactly that just to consider the security of a message authentication code. But say suppose you have a block cypher and you have a related key attack on that. So if I use this block cypher to construct a message authentication code what can you tell about the security of the message authentication code stream? You really need the related key security analysis which has been considered before and even in a theoretical treatment by Miller and Cash they have considered how they can construct a related key security function. But the question we try to address here isn't really required to have such a strong criteria when you are considering a Mac. So as it turns out that it's not really required to have such a strong criteria in fact we can live with all these cypher's which has related key attacks but as long as you cannot predict and the cypher cannot be forged in the sense that if you consider the cypher as a key function you can make related key queries but you cannot forge the cypher that means you cannot predict on a message with the army. So let's look at the security that we consider for message authentication codes here. So you query the work with some message with the unknown key and you can make any number of queries and at the end you come up with a forgery and the forgery that the message on which the forgery is given that should not be in the query list. So next what exactly we mean by the security of a message authentication code what exactly is our model here? So again the adversary is allowed to make a query with some related key function with some chosen message. Of course I have got a function pi as I said it will be chosen by the adversary. And after some key number of queries it gives some message mstar on which it gives some forgery. Now here we face two different things. This forgery mstar you can have either you can restrict the adversary that it cannot be like as in a MAC it may not be in the query list that means the adversary has never queried it with the unknown security or we can have a criteria that it has not been queried with the modified key. So depending on that we have two notions of related security of MAC here. So the second one we call as the weak notion of related security. So if you look at the archaic class in previously known ways I will say we had this very key driving classes were taken to be very strong. They were taken as clock free and they were able to make this class of functions as to be unpredictable and it may not be even constant functions. But as it turns out that in case of a message authentication codes the restriction is not so much. In fact if you have a constant function all the message authentication codes which are secured they are inherent to secure against the related key attack also. So that is if you have a MAC and if it is related key then it is actually related can't possible against a constant archaic class. And this proof is very simple. If you say consider an adversary which actually can give under constant function of arbitrary to the MAC then you can have an adversary which will actually want for some MAC itself when the function is just constant. So this turns out that in case of related security of MAC we do not really need such strong conditions of related key driving class. So we can exclude the constant functions. That means we can allow constant function queries to that version. So first let's have a look at what are the attacks that we can give on the existing MAC. On XCBC it's pretty simple to give an attack. So here at the last block you see there is an independent key XR going on. And if I make a query with a simple XR of the key say K1 XR of some date or some I then this XR with that query I can actually make this I shift to here and I can have a forging very forging. So it's really following this relation. So the adversary can make a query like this with a very simple related key driving function and it will come up with a forgery which looks like this. And by the definition it's a valid forgery because this message has never occurred in the query list of the password state. So and the class here chosen is pretty simple. It's just a short class. Just with one class of related key driving function it can be a forgery. So it turns out that XCBC is not related to Secure. As in terms of even in case of team MAC the last block is following the same kind of criteria that in the last block is doing some linear pre-watching with the key. Some linear not exactly X on but it can be transformed into a linear pre-watching of the key. And so you can have a similar kind of attack with a little modification of the same as. Then we look at these two MACs. So ECBC and FCBC. So in terms of the equivalent of any restrictions on the RKD class of course you can have constant functions but in ECBC and FCBC we actually have two keys instead of one key construction like CBC MAC. So if you allow them to transform in any way the first the K0 and K1 these two functions if I look at it component wise and if I allow it's a K0 if I can map to K1 if the adversary is allowed to do that then it can turn this entire MAC into CBC like construction and it's very easy to develop at that. So what is the next step? Since we have attacked against some MACs the next idea will be to look at how to make it secure or does there exist any secure MAC construction? So instead of trying to look at a new construction first we try to actually look at the existing constructions that whether we can whether they are secure against some RKD class from now. But in order to show that it's secured by a reduction technique we need some technical tools which I will describe in the following slide. So first one is we need an idea of this ICTP or a hash function. So it really turns out this stands for the identity collision and target pre-image resistance hash function. So what exactly is meant by identity collision identity collision resistant hash? In a relative framework again the adversary is making query with some relative periodic function and say after few queries it can have collision. So if you get some message mj which turns out to be the last query and it can be a collision on some message i which was squared with some relative periodic function previous. So you can give a message mj like this then the adversary remains this way. So that is how identity collision resistant hash was defined and similarly we define a target pre-image resistant hash function. In this game the adversary first defines, first declares a set of zi. So these are in the range of the hash function and of course a set file. And then it makes query as in before and then as a pointer here as a pre-image it gives a message m star so that the mapping under age exactly matches with one of these things. If it happens then this adversary works. So with this hash function what we can do is that if h is an ICT pure hash function and f is said with really really unfortunate that means even the adversary is not allowed to produce the forgery which it has queried with a relative periodic function also. So it's the second criteria that the adversary model of MAC. Then this function that means this f which is defined here with k1 and if I hash it with this thing then it turns out that this function is actually unfortunate in a relative key session against chosen message data. Now here what are these WIs? WIs are well known as key fingerprinting and there's a very well known idea which has been used in a relative key to show that something is related to ECT or even in the case of PRN. The idea is that if you consider this function if you take a set of values of w1 to wd then against this set of values you cannot find any collision with f under relative key under relative key queries that means f of k1 w1 will not be equal to f of 5k1 wI for any file but it will happen only for this set of values but one thing I would like to stress here that in the previous constructions they used a very strong criteria that it will not happen against any key instead of k1 if you consider some k prime then it will also not collide but here we restrict ourselves only to the modified keys according to this we restrict ourselves only against this under the modification under this five class of functions. So next, so how do these constructions is really a very very generic construction but it's very similar to one of the previous proposed constructions but what is the difference here in the previous proposed constructions as I said they assumed something very strong as a result they had to restrict the domain of this range of this hash function so that it does not have a collision it does not result into a collision in case of f when we try to launch a relative key attack so this was again the same by the same authors weller and guess they proposed because they were trying to prove it prf in a relative key model and they assumed something very strong but in our case we are trying to prove it in a different framework that means we do not need a prn assumption it turns out that even in much weaker conditions are sufficient to show that this function is very relatively secure so next what we do is that this is from the generic construction we try to go into detail and we try to prove that we try to prove in a reduction way that this function is in fact secure and this is done in two way first we show that how to construct this hash function that means this ICT query hash function so if you have some say relatively unfortable function which is a fixed length that means you can take it as any block cycle also which is for which you have some relative factor but it may not be a relative key may not be a relative key prn but it is enough to be relatively unfortable so the first step will be from our fixed input length ICT query hash compression function or say hash we try to construct a variable input length hash function and the next step we show how to construct this fixed input length ICT prn from the minimal assumption that is you have an RK unfortable function which is a fixed input length so what we have to do is we find a mode of operation so the mode of operation looks something like this suppose you have say L blocks of messages then you each of the message block length has to be at minus 1 you are tended to be the previous to be the 0 make it of length L and then go through with this MD mode of construction and at the end we put the length and also this thing to this really comes handy when we try to prove that this is actually secure in our model so if each of these H prn if they are actually ICT prn then under this mode of operation this entire function is also ICT prn hash function and here also the proof is not very complicated because if you assume there is some collision then there has to be a collision either here or IV and by reduction you can actually show if you have an adversary for this entire thing then you can actually have an adversary for each prn which will break either it will produce a target payment or it will come up with some identity condition under related data so next week we try to go to the next step that means we now actually have a domain extension that means from fixing input length we can produce variable input length and how to have this fixing so for that we take the we start with the minimal thing that means now you have this function which may not be RK prn but RK are foldable and with this very simple operation if we exert under two different keys then it turns out that this thing is actually fixed input length ICT prn hash function and of course here the assumption is that we have to have this identity fingerprint which was in the generic construction before now if you look at the the MAC constructions which are already been proposed which have been proposed in different different works previously in terms of we already have a compression function like this which is N cycle CVC so what N cycle CVC does is that it actually exhausts two different block cycles and of course then it changes in a MD box but here you can in the inside of CVC mode these are really messages but in our case we have to instead of making it of the same block length as the decipher we just make it N minus 1 and we just prepare it with a 0 and everything is as as previous slide that our mode of functions so the messages are exactly like that so because of the previous theorem it turns out that this modified structure of N cycle CVC is actually secure under layer E mode so next we try to look at if you this is a construction which was proposed in a previous one by Bellar and Cash where they assume something very strong it is actually this hash used by them was actually collision resistant instead of our hash of them and it turns out that it actually preserves this hash function actually with the function F it actually preserves the related structure or related unfortability structure of the of the underlying function that means again if you start with the related unfortability function you will get a related unfortability map and we also give to construction depending on so this is just to show that this construction also won't but again this hash has really very weird looking range because you cannot allow all the values to be in the range of this hash function because of the construction so to summarize that what we do is that we first define this what exactly is meant by the related unfortability we actually prove that there exists related unfortability under a reduction technique of course that if you can come up with an approach which breaks the related unfortability of the underlying function you are using it will also not be secure so this is kind of a contradiction related to unfortability unfortability function you can construct a related unfortability map and for that we use this model of operations and one important thing is that the condition of the related class is not very very strict here in fact it works for any related class in our case I mean you can prove it unfortability