A Message Authentication Code based on Latin Squares S. Bakhtiari, R. Safavi-Naini, J. Pieprzyk
Centre for Computer Security Research Department of Computer Science University of Wollongong, Wollongong NSW 2522, Australia
Abstract. This is a proposal on the construction of a Message Authentication Code (MAC) based on Latin Squares. The design is inspired by the Wegman-Carter construction, which takes advantage of provable security. The MAC is described and its security is examined. It is also compared with other MACs and its advantages are shown.
1 Introduction

A Message Authentication Code (MAC) is one of the most common cryptographic tools for providing authentication in a wide range of applications. A MAC takes a secret key to generate a checksum for a given message or to verify an existing (previously generated) checksum. In most designs, a MAC is constructed from an existing hash function. A checksum is a fixed-length string that accompanies a message to provide its integrity. We refer to the process of generating a checksum of a given message as signing and the process of verifying an existing checksum as verifying. A MAC uses a symmetric key in both the signing and verifying processes, and therefore the key should be shared between the sender and the receiver only. Message authentication between two or among multiple parties, password checking, and software protection are example applications in which a MAC can be used to provide authentication. A MAC can also be used for constructing other primitives, such as encryption algorithms [1].

In this paper, we use a well-known combinatorial design called Latin Squares to construct a MAC, based on Wegman and Carter's work [2, 20]. This design is motivated by the previous works of Denes and Keedwell [12], Krawczyk [14, 15], Rogaway [16], and Shoup [17]. We basically follow Rogaway's representation of MAC construction (which is based on the Wegman-Carter construction), but use Denes and Keedwell's latin-square-based quasigroup as the kernel of our design. Section 2 gives the background and the required definitions used in the paper. Section 3 describes a new hash function family, based on latin squares, that can be used for MAC construction. The MAC design specification and its implementation efficiency are given in Section 4. Section 5 concludes the paper.
2 Background

A family of hash functions is a collection of hash functions mapping elements of one space to a smaller space. Suppose $H$ is a family of hash functions mapping $m$-bit strings to $n$-bit strings. That is, $H = \{h : \Sigma^m \to \Sigma^n\}$, where $\Sigma^m$ and $\Sigma^n$ denote the set of all binary strings of length $m$ and $n$, respectively. Let $\Pr_h[\text{event}]$ denote the probability of `event' when $h$ is randomly selected from $H$. (The selection itself is denoted by $h \in_R H$.) $\Pr_h[\text{event}]$ is equal to the number of hash functions satisfying `event', divided by the total number of hash functions in $H$.

Definition 1. [18] $H$ is $\epsilon$-ASU$_2$ if for all $x \in \Sigma^m$ and $c \in \Sigma^n$, we have
$$\Pr_h[h(x) = c] = 2^{-n},$$
and furthermore, for all $x \neq x' \in \Sigma^m$ and $c, c' \in \Sigma^n$, we have
$$\Pr_h[h(x) = c,\ h(x') = c'] \le \epsilon\, 2^{-n}.$$

Definition 2. [16] $H$ is $\epsilon$-AXU$_2$ if for all $x \neq x' \in \Sigma^m$ and $c \in \Sigma^n$, we have
$$\Pr_h[h(x) \oplus h(x') = c] \le \epsilon.$$

Definition 3. [16] $H$ is $\epsilon$-AU$_2$ if for all $x \neq x' \in \Sigma^m$, we have
$$\Pr_h[h(x) = h(x')] \le \epsilon.$$
Wegman and Carter [20] gave a method to construct a secure MAC if an $\epsilon$-ASU$_2$ family exists. It was later proved that a hash function family only needs to be $\epsilon$-AXU$_2$ when used for MAC construction [14]. On the other hand, Stinson [18] showed that the composition of an $\epsilon_1$-AU$_2$ and an $\epsilon_2$-AXU$_2$ family results in an $(\epsilon_1 + \epsilon_2)$-AXU$_2$ family. Therefore, if one can construct an efficient $\epsilon_1$-AU$_2$ family, then any $\epsilon_2$-AXU$_2$ family can be used to generate an efficient MAC (cf. Section 4). That is, the construction of a secure MAC is reduced to the construction of an $\epsilon$-AU$_2$ hash function family. In the next section we present such a family, in which a combinatorial design called latin squares is used.

A latin square of order $q$ is a $q \times q$ matrix whose elements are $q$-ary numbers $\{1, \ldots, q\}$ and each element occurs exactly once in each row and each column. An example of a latin square of order 4 is given below.
$$\begin{bmatrix} 1 & 2 & 3 & 4 \\ 2 & 3 & 4 & 1 \\ 3 & 4 & 1 & 2 \\ 4 & 1 & 2 & 3 \end{bmatrix}$$
Properties of latin squares have been extensively studied by several authors [4, 10, 11]. A nice property of latin squares is that they can be represented by their critical sets [3, 5, 6, 7]. A critical set of a latin square has fewer than $q \times q$ elements and uniquely determines the latin square. Removing any element of a critical set destroys this property, so a critical set holds the least information one needs to represent the latin square. We denote by $\{(i_1, j_1, k_1), \ldots, (i_t, j_t, k_t)\}$ a critical set (with $t$ elements) of a latin square, where $(i_x, j_x, k_x)$, the $x$th element of the critical set, indicates that $k_x$ is the element of the latin square in row $i_x$ and column $j_x$. A minimal critical set is a critical set with the minimum number of elements.
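As an added example (not code from the paper), the following Python checks the two defining properties of a critical set on the order-4 square shown above: the cells force a unique completion, and dropping any one cell loses that uniqueness. The backtracking completion counter and the six-cell "staircase" set in the usage block are choices made here, not taken from the paper; the example also goes slightly beyond the text by counting all latin squares of order 4 from the empty square.

```python
# Added example (not from the paper): latin squares and critical sets of Section 2.
# A partial square is a q x q grid with 0 marking an empty cell.  count_completions()
# enumerates the latin squares extending it by backtracking; is_critical_set() checks
# that the given cells force a unique completion and that no proper subset does.

def cyclic_latin_square(q):
    """The order-q cyclic square l[i][j] = (i + j) mod q + 1; for q = 4 it is the paper's example."""
    return [[(i + j) % q + 1 for j in range(q)] for i in range(q)]


def is_latin_square(square):
    q = len(square)
    symbols = set(range(1, q + 1))
    rows_ok = all(set(row) == symbols for row in square)
    cols_ok = all(set(col) == symbols for col in zip(*square))
    return rows_ok and cols_ok


def count_completions(partial, limit=None):
    """Number of latin squares extending `partial` (0 = empty cell); stops counting at `limit`."""
    q = len(partial)
    grid = [row[:] for row in partial]
    empty = [(r, c) for r in range(q) for c in range(q) if grid[r][c] == 0]
    found = 0

    def extend(idx):
        nonlocal found
        if limit is not None and found >= limit:
            return
        if idx == len(empty):
            found += 1
            return
        r, c = empty[idx]
        used = set(grid[r]) | {grid[x][c] for x in range(q)}
        for v in range(1, q + 1):
            if v not in used:
                grid[r][c] = v
                extend(idx + 1)
                grid[r][c] = 0

    extend(0)
    return found


def partial_from_cells(q, cells):
    """Partial square from (row, column, value) triples, 1-indexed as in the paper's notation."""
    grid = [[0] * q for _ in range(q)]
    for i, j, k in cells:
        grid[i - 1][j - 1] = k
    return grid


def is_critical_set(square, cells):
    q = len(square)
    if any(square[i - 1][j - 1] != k for i, j, k in cells):
        return False                     # the cells must agree with the square
    if count_completions(partial_from_cells(q, cells), limit=2) != 1:
        return False                     # they must determine the square uniquely
    for idx in range(len(cells)):
        reduced = cells[:idx] + cells[idx + 1:]
        if count_completions(partial_from_cells(q, reduced), limit=2) == 1:
            return False                 # a proper subset still determines it: not critical
    return True


if __name__ == "__main__":
    L4 = cyclic_latin_square(4)
    # Six-cell upper-left staircase; constructed here and verified by the code, not from the paper.
    staircase = [(1, 1, 1), (1, 2, 2), (1, 3, 3), (2, 1, 2), (2, 2, 3), (3, 1, 3)]
    print("order-4 latin squares:", count_completions([[0] * 4 for _ in range(4)]))
    print("staircase is a critical set:", is_critical_set(L4, staircase))
```

The `limit=2` argument matters in practice: deciding uniqueness only needs to know whether a second completion exists, which keeps the check cheap for larger orders where full enumeration is hopeless.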
3 Constructing an $\epsilon$-AU$_2$ family

In this section we propose an $\epsilon$-AU$_2$ family $H$ based on latin squares. This family can be used to construct an efficient MAC. Let $q$, which represents the order of the latin squares, be a power of two. For a given latin square $LS$ of order $q$,
$$LS = \begin{bmatrix} l_{1,1} & \cdots & l_{1,q} \\ \vdots & \ddots & \vdots \\ l_{q,1} & \cdots & l_{q,q} \end{bmatrix},$$
we define $b \le q/2$ variations of $LS$ (called $LS_1$ to $LS_b$) to provide an instance of the family $H$. $LS_1$ to $LS_b$ are derived from $LS$ by applying, in order, row/column/label permutations to the elements of $LS$. Hence, $LS$ and $LS_1$ to $LS_b$ fall into the same isotopy class [10]. Denote by $l^k_{r,c}$ the element of $LS_k$ in row $r$ and column $c$. $LS_1$ to $LS_b$ should satisfy the following property:
$$l^i_{r,c} \neq l^j_{r,c}, \quad \forall\, 1 \le i \neq j \le b,\ \forall\, 1 \le r, c \le q.$$
Further define the sets $S_{r,c} = \{l^1_{r,c}, \ldots, l^b_{r,c}\}$, for $1 \le r, c \le q$. Since $l^k_{r,c}$, $k = 1, \ldots, b$, are $q$-ary numbers, there exist at most $C^q_b$ ($= \frac{q!}{b!\,(q-b)!}$) distinct $S_{r,c}$ sets. In other words, there exist some $1 \le r, r', c, c' \le q$ so that $S_{r,c} = S_{r',c'}$, where $r \neq r'$ and/or $c \neq c'$. $LS_1$ to $LS_b$ should satisfy a second property, because it is not desirable to have many $S_{r,c}$ sets with the same elements: the maximum number of identical $S_{r,c}$ sets is minimized. In the best situation, this number is upper bounded by $q^2 / C^q_b$, which is the number of all $S_{r,c}$ sets divided by the number of possible distinct $S_{r,c}$ sets.

The above two properties are useful when we define an instance of $H$, which is based on $LS$ and $LS_1$ to $LS_b$. Notice that $LS$ and its variations can be represented by much smaller information. Suppose $K_1 = \{(i_1, j_1, k_1), \ldots, (i_t, j_t, k_t)\}$ is a critical set of $LS$ (preferably a minimal one). Let $K_2$ be the row/column/label permutation information needed to derive $LS_1$ to $LS_b$ from $LS$. $(K_1, K_2)$ will
uniquely determine the latin square and all its variations. Obviously, $(K_1, K_2)$ is much shorter than $LS$ and $LS_1$ to $LS_b$.

We define our hash function family as follows. Let $m = q^2 \log q$ and $n = q \log q$, where $q$ is a power of two (as defined earlier). Define $H = \{h : \Sigma^m \to \Sigma^n\}$, where every $h \in H$ corresponds to a unique pair $(K_1, K_2)$, which in turn represents a latin square and its variations. For a given message $M \in \Sigma^m$,
$$M = \begin{bmatrix} m_{1,1} & \cdots & m_{1,q} \\ \vdots & \ddots & \vdots \\ m_{q,1} & \cdots & m_{q,q} \end{bmatrix},$$
where each $m_{i,j}$ ($1 \le i, j \le q$) is a $q$-ary number, we calculate the hash value $D \in \Sigma^n$, a string of $q$ $q$-ary numbers $[d_1 \ldots d_q]$, as follows. First initialize $D$ to all-one elements ($d_i = 1$, $i = 1, \ldots, q$). Add each message element $m_{i,j}$ to $b$ elements of $D$ at positions $l^1_{i,j}, \ldots, l^b_{i,j}$, based on $LS_1$ to $LS_b$. That is:
$$d_{l^k_{i,j}} \leftarrow m_{i,j} \ast d_{l^k_{i,j}}, \quad k = 1, \ldots, b,$$
where `$\leftarrow$' denotes assignment and $\ast$ is an operator which takes two operands $o_1$ and $o_2$ ($q$-ary numbers) and results in $l_{o_1, o_2}$; this is the element of $LS$ in row $o_1$ and column $o_2$. The pseudo-code for our hashing scheme can be described as follows.

for k from 1 to q begin d_k <- 1 end
for i from 1 to q begin
  for j from 1 to q begin
    for k from 1 to b begin
      d_{l^k_{i,j}} <- l_{m_{i,j}, d_{l^k_{i,j}}}
    end
  end
end

(Note that $l_{m_{i,j},\, d_{l^k_{i,j}}} = m_{i,j} \ast d_{l^k_{i,j}}$.)

The checksum will be $D = [d_1, \ldots, d_q]$, which is $n = q \log q$ bits. An example of this hashing is given in Appendix A. The above-defined $\ast$ operation on $q$-ary numbers results in a quasigroup $Q$ that can be easily implemented in computers (table look-up) [12].
Note that since the number of latin squares increases exponentially as $q$ increases, one might restrict them to a smaller collection such as the isotopy or isomorphism classes of latin squares (cf. [10]).
Theorem 4. [12] If $a \ast x = y$ and $b \ast x = y$, then $a = b$.

In [12], Denes and Keedwell proposed an authentication scheme based on latin squares which was not secure. Some weaknesses of their scheme were studied by Dawson et al. in [9]. Their method seems to be the only (previously proposed) message authentication scheme based on latin squares. Our work is in the same line as theirs, but the design of our MAC is completely different. Their proposed scheme is very simple, which allows message forgery by an intruder. We claim that our method is a good option for practical message authentication.
Conjecture 5. $H$ defined as above is $\epsilon$-AU$_2$ with $\epsilon = q^{-(b+1)}$.
Due to the large size of the latin square space and the lack of the required structure in that space, we are not able to give a proof of the above claim at this point. Our claim has been confirmed for small $q$, but giving a general statement for any $q$ demands more research and requires further study of the structure of latin squares when they are used as a universal hash function family. In the next section, we show how one can use the above hash function family to construct a secure MAC.
4 Defining a New MAC

Using universal hash functions, one can construct an unconditionally secure MAC. Such MAC constructions are especially important because they result in efficient authentication systems with provable properties. The security of a MAC system in this approach is the best chance of an active spoofer, who has seen a sequence of $p$ authenticated messages constructed by legitimate transmitters, to successfully construct a fraudulent message that will be accepted by the receiver.
Definition 6. [20] A MAC for which the best chance of the enemy in the above attack is at most $\epsilon$ is called $\epsilon$-secure.
Let $H$ be an $\epsilon$-AXU$_2$ class of hash functions from $A$ to $B$. The transmitter and the receiver share a secret key $K$ that consists of two parts. The first part identifies an element $h \in H$ and the second part is a randomly generated sequence $r_1, \ldots, r_n \in B$ (it is assumed that the sequence is obtained from a truly random function, such as the output of tossing a balanced coin). Transmitter and receiver maintain a counter, count, which is initialized to one and is incremented after each MAC process. The tag value for the $\ell$th message, $M_\ell$, is $h(M_\ell) \oplus r_\ell$, where `$\oplus$' denotes bitwise exclusive-or (XOR). The receiver can reconstruct this tag to verify the authenticity of the message, using the MAC process again. It is proved that this construction is $\epsilon$-secure and the key size is asymptotically optimal (the enemy's chance is limited to $|B|^{-1}$). The construction is especially attractive because by repeated application of hashing from $A$ to $B$, it is possible to find the hash value of arbitrary length messages. Hence, in practice, by using one of the random masks $r_1, \ldots, r_n$ for every message, it is possible to generate a provably secure MAC. Replacing the one-time pad with a pseudo-random sequence generator reduces unconditional security to computational security, in which security is upper bounded by the total size of the key information used for the hash function and the pseudo-random generator [17].
Definition 7. [14] A class of hash functions is called $\epsilon$-otp-secure if it is $\epsilon$-secure in the above one-time-pad construction.

Theorem 8. [14] A class of hash functions, in the above scenario, is $\epsilon$-otp-secure if and only if it is $\epsilon$-AXU$_2$.

Stinson proved that composition of hash functions can be effectively used to replace the construction of $\epsilon$-ASU$_2$ (and similarly $\epsilon$-AXU$_2$) by $\epsilon$-AU$_2$ hash functions.

Theorem 9. [16] Let $H_1 = \{h : A \to B\}$ be $\epsilon_1$-AU$_2$ and $H_2 = \{h : B \to C\}$ be $\epsilon_2$-AXU$_2$. Then $H_3 = H_2 \circ H_1 = \{h : A \to C\}$ is $(\epsilon_1 + \epsilon_2)$-AXU$_2$.
The main advantage of this result is that for computationally efficient hashing only efficient $\epsilon$-AU$_2$ classes must be constructed. Using this result, the emphasis of research in recent years has been on the construction of computationally efficient $\epsilon$-AU$_2$ families. Johansson [13], Taylor [19], Krawczyk [14, 15], Rogaway [16], and Shoup [17] have all been interested in computationally efficient MACs that have a relatively small key size. The most efficient construction is bucket hashing [16].

Now let $H$ be the $\epsilon$-AU$_2$ hash function family defined in Section 3 ($A = \Sigma^m$ and $B = \Sigma^n$). Based on the above theorems, we need an existing (and not necessarily efficient) $\epsilon'$-AXU$_2$ family to construct an $(\epsilon + \epsilon')$-secure MAC. Suppose that an $r$-bit MAC value is safe for the current computing technology and $n > r$. We need an $\epsilon'$-AXU$_2$ family that maps $n$-bit strings to $r$-bit strings. As an example, let $H' = \{h' : \Sigma^n \to \Sigma^r\}$, where $n = q \log q$, as before, and $r$ is a desirable digest length (e.g. 60 bits). Define an instance $h' \in H'$ as an irreducible polynomial of degree $r$ over the Galois Field GF(2). For a given $M \in \Sigma^n$, form a polynomial $P$ so that its coefficients are given by the sequence of bits in $M$. Define $h'(M)$ by the concatenation of the binary coefficients of $P(x)\, x^r \bmod h'(x)$, where $x$ is the formal variable of the polynomials.
Theorem 10. [14] $H'$ defined as above is $\epsilon'$-AXU$_2$ with $\epsilon' = \frac{n + r}{2^{r-1}}$.

Now based on Theorem 9, $H_{new} = H' \circ H$ (apply $H$ first, then $H'$) is $(\epsilon + \epsilon')$-AXU$_2$, and so the Wegman-Carter construction results in an $(\epsilon + \epsilon')$-secure MAC. Note that $H_{new}$ and $H'$ are both almost XOR universal families, but $H_{new}$ is more efficient, because $H$ is efficient. Applying $H'$ to $m$-bit strings would be time consuming due to the modular division required in $H'$. In contrast, applying $H$ to $m$-bit strings only needs table look-up, which can be efficiently implemented. Then, $H'$ only needs to be applied to $n$-bit strings (the result of $H$), which can be as short as 64 bits.
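Added example (not the paper's code): the outer layer of the Section 4 construction in Python, covering both the one-time-pad tagging described earlier in this section and the GF(2) polynomial family $H'$ just defined. Polynomials are integers with bit $i$ holding the coefficient of $x^i$. The Ben-Or irreducibility test used for key generation, the packing of the $q$-ary digest of $H$ into $n$ bits (symbol $v$ stored as $v - 1$), and the constant-time tag comparison are choices made here and are not specified by the paper.

```python
# Added example (not from the paper): Section 4's outer layer.  H' is Krawczyk's polynomial
# hash over GF(2) [14]: h'(M) = coefficients of M(x) * x^r mod p(x) for an irreducible p of
# degree r.  The tag of the l-th message is h'(D) XOR r_l, with D the n-bit digest from H.
# Ben-Or's irreducibility test, the digest packing and the constant-time compare are
# choices made in this example, not the paper's specification.
import hmac
import secrets


def gf2_mod(a, p):
    """a(x) mod p(x) over GF(2)."""
    dp = p.bit_length() - 1
    while a and a.bit_length() - 1 >= dp:
        a ^= p << (a.bit_length() - 1 - dp)
    return a


def gf2_mulmod(a, b, p):
    """a(x) * b(x) mod p(x); a and b must already be reduced modulo p."""
    r = p.bit_length() - 1
    res = 0
    while b:
        if b & 1:
            res ^= a
        b >>= 1
        a <<= 1
        if (a >> r) & 1:
            a ^= p
    return res


def gf2_gcd(a, b):
    while b:
        a, b = b, gf2_mod(a, b)
    return a


def is_irreducible(p):
    """Ben-Or test: p of degree r is irreducible iff gcd(p, x^(2^i) - x) = 1 for i = 1..r//2."""
    r = p.bit_length() - 1
    if r < 1:
        return False
    x = 0b10                            # the polynomial x
    xi = x
    for _ in range(r // 2):
        xi = gf2_mulmod(xi, xi, p)      # x^(2^i) mod p by repeated squaring
        if gf2_gcd(p, xi ^ x) != 1:
            return False
    return True


def random_irreducible(r):
    """Key generation for H': a uniformly chosen irreducible polynomial of degree r."""
    while True:
        p = (1 << r) | (secrets.randbits(r - 1) << 1) | 1   # monic, non-zero constant term
        if is_irreducible(p):
            return p


def poly_hash(m, p):
    """h'(M) as an r-bit integer: M(x) * x^r mod p(x)."""
    r = p.bit_length() - 1
    return gf2_mod(m << r, p)


def digest_to_int(d, q):
    """Pack the q q-ary digest symbols of H into n = q log2 q bits (symbol v stored as v - 1)."""
    width = q.bit_length() - 1
    out = 0
    for v in d:
        out = (out << width) | (v - 1)
    return out


class WegmanCarterMAC:
    """Shared key: p (an instance h' of H') and one-time masks r_1..r_N; a counter selects the mask."""

    def __init__(self, p, masks):
        self.p, self.masks, self.count = p, list(masks), 0
        self.nbytes = (p.bit_length() - 1 + 7) // 8

    def tag(self, digest_int):
        if self.count >= len(self.masks):
            raise RuntimeError("one-time masks exhausted; a mask must never be reused")
        t = poly_hash(digest_int, self.p) ^ self.masks[self.count]
        self.count += 1
        return t

    def verify(self, digest_int, t):
        expected = self.tag(digest_int)     # the receiver recomputes with its own counter
        return hmac.compare_digest(expected.to_bytes(self.nbytes, "big"),
                                   t.to_bytes(self.nbytes, "big"))


if __name__ == "__main__":
    p = random_irreducible(60)              # r = 60, as suggested in the text
    masks = [secrets.randbits(60) for _ in range(4)]
    sender, receiver = WegmanCarterMAC(p, masks), WegmanCarterMAC(p, masks)
    D = digest_to_int([1, 7, 5, 4, 4, 5, 8, 1], 8)   # the Appendix A digest, q = 8
    t = sender.tag(D)
    print("tag verifies:", receiver.verify(D, t))
```

Because $h'$ is linear over GF(2), two digests differing in a single bit hash to values that differ by $x^r \bmod p(x)$, which is never zero for an irreducible $p$ of degree $r$; the XOR with a fresh mask is what hides that linear structure from a spoofer, which is why the counter must never wrap back onto a used mask.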
4.1 Implementation of the Proposed MAC

In the above construction, the security ($\epsilon$) directly depends on $q$, the order of the latin squares, and $b$, the number of $LS$ variations. Many different choices for $q$ and $b$ result in the required security needed for a MAC. For instance, if $q = 16$ and $b = 8$, then $H_{new}$ will be $2^{-32}$-AXU$_2$, which would be considered a good choice for the current technology. (Note that $\epsilon + \epsilon' = q^{-(b+1)} + \frac{n+r}{2^{r-1}} = 2^{-36} + \frac{124}{2^{59}}$.) Similarly, if $q = 32$ and $b = 10$, then $H_{new}$ will be $2^{-55}$-AXU$_2$, which is very secure with a larger key and hashing rate. The rate of hashing in $H$ is $q$, which is very high. The key consists of a bit string for one-time-pad encryption, a latin square critical set, and some latin square row/column/label permutation information (also 60 bits to represent an instance of $H'$). In practice, one should use a secure pseudo-random bit generator to provide a long key bit string (especially for the one-time pad). Comparing our system with other nice designs such as bucket hashing [16], in our design the key length is smaller while the hashing rate and the security are higher. Also our system does not require any complex computations and, similar to bucket hashing, only needs table look-up and memory manipulations (load, store). However, our scheme needs a much smaller look-up table (key) and will be faster when the same security is obtained. Similar to other proposals, this design provides only one-block hashing. To hash arbitrary length messages, one can use the Wegman-Carter [20] or Damgard's [8] chaining method before encrypting the digest by one-time pad.
5 Conclusion

We constructed a Message Authentication Code (MAC) based on latin squares and showed that it is provably $\epsilon$-secure. The design takes advantage of the fast and easy implementation of a hash function family which needs a small key, compared to the previously proposed fast MACs. We showed that our design has a high rate, which results in a fast hashing process.
A Examples

In this appendix we give an example of the run of our hashing scheme. In this example, we choose $q = 8$ and $b = 4$, and consider the following latin square.

LS =
    1 7 3 8 5 6 4 2
    2 5 4 6 7 8 3 1
    3 8 1 7 6 5 2 4
    4 6 2 5 8 7 1 3
    7 1 8 3 4 2 5 6
    8 3 7 1 2 4 6 5
    5 2 6 4 3 1 7 8
    6 4 5 2 1 3 8 7

The variations of LS are constructed by rotating rows only:

LS_1 =
    7 1 8 3 4 2 5 6
    5 2 6 4 3 1 7 8
    1 7 3 8 5 6 4 2
    3 8 1 7 6 5 2 4
    8 3 7 1 2 4 6 5
    6 4 5 2 1 3 8 7
    2 5 4 6 7 8 3 1
    4 6 2 5 8 7 1 3

LS_2 =
    8 3 7 1 2 4 6 5
    4 6 2 5 8 7 1 3
    5 2 6 4 3 1 7 8
    1 7 3 8 5 6 4 2
    7 1 8 3 4 2 5 6
    3 8 1 7 6 5 2 4
    6 4 5 2 1 3 8 7
    2 5 4 6 7 8 3 1

LS_3 =
    1 7 3 8 5 6 4 2
    3 8 1 7 6 5 2 4
    7 1 8 3 4 2 5 6
    5 2 6 4 3 1 7 8
    2 5 4 6 7 8 3 1
    4 6 2 5 8 7 1 3
    8 3 7 1 2 4 6 5
    6 4 5 2 1 3 8 7

LS_4 =
    4 6 2 5 8 7 1 3
    2 5 4 6 7 8 3 1
    6 4 5 2 1 3 8 7
    8 3 7 1 2 4 6 5
    3 8 1 7 6 5 2 4
    1 7 3 8 5 6 4 2
    5 2 6 4 3 1 7 8
    7 1 8 3 4 2 5 6

Assume that the following message is given.

M =
    3 2 5 4 1 2 1 6
    7 8 4 5 2 3 3 1
    4 8 6 7 5 4 3 2
    1 4 5 7 8 6 6 6
    7 1 2 8 7 3 4 5
    7 8 1 1 8 2 6 5
    3 4 8 1 2 3 7 6
    2 4 5 3 3 6 8 7
We set the digest $D$ to $[1\ 1\ 1\ 1\ 1\ 1\ 1\ 1]$ and follow our hashing scheme given in Section 3 to calculate the digest for the above message. The corresponding hash value will be $[1\ 7\ 5\ 4\ 4\ 5\ 8\ 1]$. The following 64 steps show the intermediate results, where the last result is the hash value. Note that, for example, from step 16 to step 17 we apply $m_{3,1} = 4$ to digest positions 1, 5, 6, and 7, which are the elements of $LS_1$ to $LS_b$ in row 3 and column 1, respectively.

Step   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
d_1    3  4  4  5  5  5  5  5  5  5  8  8  8  4  7  4  5  1  1  1  7  1  1  1  1  1  7  7  7  6  6  6
d_2    1  1  7  7  4  6  6  4  4  2  6  6  6  6  5  5  5  1  1  5  5  8  8  1  1  4  4  4  2  2  3  7
d_3    1  2  1  4  4  4  4  1  5  5  5  5  7  7  2  7  7  7  6  1  7  1  1  1  1  4  3  3  5  5  5  5
d_4    3  3  3  3  3  4  8  8  8  8  3  8  8  8  8  2  2  4  4  4  3  3  1  1  1  1  1  5  5  2  3  7
d_5    1  1  1  4  8  8  2  3  6  3  3  8  8  4  4  4  5  5  2  2  1  1  3  3  3  3  3  3  5  2  2  3
d_6    1  2  2  2  2  5  5  2  2  4  5  4  6  6  6  6  7  7  6  6  6  7  7  3  3  3  8  8  7  6  4  4
d_7    3  4  3  3  3  4  4  4  4  4  4  3  4  7  2  2  6  3  3  3  3  3  1  2  2  6  2  2  2  2  3  3
d_8    3  3  8  3  3  3  3  3  3  5  5  5  7  2  2  7  7  7  6  1  1  1  3  4  8  3  3  6  6  6  6  4

Step  33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64
d_1    6  6  8  7  7  7  7  5  3  3  3  3  5  5  2  2  2  2  2  7  3  1  1  8  8  3  3  3  1  1  6  1
d_2    7  7  7  7  7  2  6  6  6  6  6  6  6  6  4  3  1  4  4  8  1  1  1  1  2  2  1  3  3  7  7  7
d_3    3  3  3  5  5  5  8  8  8  8  2  2  2  5  5  4  4  5  5  5  7  2  2  2  2  2  2  8  8  5  1  5
d_4    7  7  3  3  6  5  5  4  4  2  2  2  2  2  3  8  8  3  5  5  5  6  6  6  8  3  8  8  4  4  4  4
d_5    3  3  3  3  3  1  4  3  3  3  3  3  5  7  7  7  2  6  3  3  3  3  3  7  7  1  7  2  2  2  4  4
d_6    4  4  4  2  2  2  6  2  2  4  4  4  2  5  5  5  6  6  3  3  3  3  6  6  8  3  3  1  1  1  1  5
d_7    6  6  8  7  7  7  7  7  7  8  8  2  2  5  5  4  4  4  2  2  5  5  3  7  3  3  3  3  1  8  8  8
d_8    4  8  1  1  1  3  3  3  3  5  5  5  1  1  8  8  4  4  4  4  4  7  7  6  6  6  2  2  8  5  1  1
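Added example, not the paper's own code: a Python implementation of the Section 3 hashing scheme, run on the latin square, its four variations and the message transcribed from this appendix, so the 64-step table above can be checked mechanically. The function names, the property-1 check on the variations, and the `changed_positions` check (which illustrates Theorem 4: replacing one message element changes exactly the $b$ digest positions it was added to, and no others when it is the last element) are this example's own.

```python
# Added example (not from the paper): the Section 3 hash run on the Appendix A data.
# LS, its four row-rotated variations and the message M are transcribed from the appendix.
# ls_hash_trace() returns the digest after each of the q*q steps, matching the table above.

def parse_rows(rows):
    """'17385642' -> [1, 7, 3, 8, 5, 6, 4, 2]; entries are 1-based q-ary numbers."""
    return [[int(ch) for ch in row] for row in rows]


LS = parse_rows(["17385642", "25467831", "38176524", "46258713",
                 "71834256", "83712465", "52643178", "64521387"])
LS_VARIATIONS = [
    parse_rows(["71834256", "52643178", "17385642", "38176524",
                "83712465", "64521387", "25467831", "46258713"]),   # LS_1
    parse_rows(["83712465", "46258713", "52643178", "17385642",
                "71834256", "38176524", "64521387", "25467831"]),   # LS_2
    parse_rows(["17385642", "38176524", "71834256", "52643178",
                "25467831", "46258713", "83712465", "64521387"]),   # LS_3
    parse_rows(["46258713", "25467831", "64521387", "83712465",
                "38176524", "17385642", "52643178", "71834256"]),   # LS_4
]
M = parse_rows(["32541216", "78452331", "48675432", "14578666",
                "71287345", "78118265", "34812376", "24533687"])


def quasigroup_op(ls, o1, o2):
    """o1 * o2 = l_{o1,o2}: the element of LS in row o1 and column o2 (1-based)."""
    return ls[o1 - 1][o2 - 1]


def variations_are_distinct(variations):
    """Property 1 of Section 3: at every cell (r, c) the b variations hold b distinct values."""
    q, b = len(variations[0]), len(variations)
    return all(len({v[r][c] for v in variations}) == b for r in range(q) for c in range(q))


def ls_hash_trace(ls, variations, msg):
    """Digest after each message element m_{i,j} is absorbed; the last entry is h(M)."""
    q = len(ls)
    d = [1] * q                         # D initialised to all ones
    trace = []
    for i in range(q):
        for j in range(q):
            m = msg[i][j]
            for v in variations:        # positions l^1_{i,j}, ..., l^b_{i,j}
                pos = v[i][j]
                d[pos - 1] = quasigroup_op(ls, m, d[pos - 1])   # d <- m * d
            trace.append(d[:])
    return trace


def ls_hash(ls, variations, msg):
    return ls_hash_trace(ls, variations, msg)[-1]


def changed_positions(ls, variations, msg, i, j, new_value):
    """Digest positions that differ after replacing m_{i,j} by new_value (1-based i, j)."""
    altered = [row[:] for row in msg]
    altered[i - 1][j - 1] = new_value
    d1, d2 = ls_hash(ls, variations, msg), ls_hash(ls, variations, altered)
    return [k + 1 for k in range(len(d1)) if d1[k] != d2[k]]


if __name__ == "__main__":
    steps = ls_hash_trace(LS, LS_VARIATIONS, M)
    print("variations satisfy property 1:", variations_are_distinct(LS_VARIATIONS))
    print("step 17 digest:", steps[16], "(m_{3,1} = 4 hits positions 1, 5, 6, 7)")
    print("h(M) =", steps[-1])
    print("changing m_{8,8} alters positions", changed_positions(LS, LS_VARIATIONS, M, 8, 8, 1))
```

Because every column of a latin square is a permutation, $d \leftarrow m \ast d$ with two different values of $m$ always yields two different results (Theorem 4); that is why a change to the last message element shows up in all $b$ of the positions it touches, while a change to an earlier element is further propagated by the later steps.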
References

1. S. Bakhtiari, R. Safavi-Naini, and J. Pieprzyk, "Cryptographic Hash Functions: A Survey," Tech. Rep. 95-09, Department of Computer Science, University of Wollongong, July 1995.
2. J. L. Carter and M. N. Wegman, "Universal Class of Hash Functions," Journal of Computer and System Sciences, vol. 18, no. 2, pp. 143–154, 1979.
3. C. J. Colbourn, M. J. Colbourn, and D. R. Stinson, "The Computational Complexity of Recognizing Critical Sets," in First Southeast Asian Graph Theory Colloquium, vol. 1073 of Lecture Notes in Mathematics, pp. 248–253, 1984.
4. C. J. Colbourn and J. H. Dinitz, The CRC Handbook of Combinatorial Designs, ch. 2, pp. 95–182. CRC, 1996.
5. J. Cooper, D. Donovan, and J. Seberry, "Latin Squares and Critical Sets of Minimal Size," Australasian Journal of Combinatorics, vol. 4, pp. 113–120, 1991.
6. J. A. Cooper, T. P. McDonough, and V. C. Mavron, "Critical Sets in Nets and Latin Squares," Journal of Statistical Planning and Inference, vol. 41, pp. 241–256, 1994.
7. D. Curran and G. H. J. V. Rees, "Critical Sets in Latin Squares," in Eighth Manitoba Conference on Numerical Mathematics and Computing, pp. 165–168, 1978.
8. I. B. Damgard, "A Design Principle for Hash Functions," in Advances in Cryptology, Proceedings of CRYPTO '89, vol. 435 of Lecture Notes in Computer Science (LNCS), pp. 416–427, Springer-Verlag, Aug. 1989.
9. E. Dawson, D. Donovan, and A. Offer, "Quasigroups, Isotopisms and Authentication Schemes," The Australasian Journal of Combinatorics, vol. 13, pp. 75–88, Mar. 1996.
10. J. Denes and A. D. Keedwell, Latin Squares and their Applications. Academic Press Inc., 1974.
11. J. Denes and A. D. Keedwell, Latin Squares: New Developments in the Theory and Applications. 1981.
12. J. Denes and A. D. Keedwell, "A New Authentication Scheme based on Latin Squares," Discrete Mathematics, no. 106/107, pp. 157–161, 1992.
13. T. Johansson, "Authentication Codes for Nontrusting Parties Obtained from Rank Metric Codes," Designs, Codes and Cryptography, no. 6, pp. 205–218, 1995.
14. H. Krawczyk, "LFSR-based Hashing and Authentication," in Advances in Cryptology, Proceedings of CRYPTO '94, vol. 839 of Lecture Notes in Computer Science (LNCS), pp. 129–139, Springer-Verlag, Aug. 1994.
15. H. Krawczyk, "New Hash Functions for Message Authentication," in Advances in Cryptology, Proceedings of EUROCRYPT '95, vol. 921 of Lecture Notes in Computer Science (LNCS), pp. 301–310, Springer-Verlag, May 1995.
16. P. Rogaway, "Bucket Hashing and its Application to Fast Message Authentication," in Advances in Cryptology, Proceedings of CRYPTO '95, vol. 963 of Lecture Notes in Computer Science (LNCS), pp. 30–42, Springer-Verlag, Aug. 1995.
17. V. Shoup, "On Fast and Provably Secure Message Authentication Based on Universal Hashing," in Advances in Cryptology, Proceedings of CRYPTO '96, vol. 1109 of Lecture Notes in Computer Science (LNCS), pp. 313–328, Springer-Verlag, Aug. 1996.
18. D. R. Stinson, "Universal Hashing and Authentication Codes," Designs, Codes and Cryptography, vol. 4, pp. 369–380, 1994.
19. R. Taylor, "Near Optimal Unconditionally Secure Authentication," in Advances in Cryptology, Proceedings of EUROCRYPT '94, vol. 950 of Lecture Notes in Computer Science (LNCS), pp. 245–255, Springer-Verlag, May 1994. In the preproceedings.
20. M. N. Wegman and J. L. Carter, "New Hash Functions and Their Use in Authentication and Set Equality," Journal of Computer and System Sciences, vol. 22, pp. 265–279, 1981.