VMAC

Last updated

VMAC is a block cipher-based message authentication code (MAC) algorithm using a universal hash proposed by Ted Krovetz and Wei Dai in April 2007. The algorithm was designed for high performance backed by a formal analysis. [ citation needed ]

Contents

VMAC is designed to have exceptional performance in software on 64-bit CPU architectures while still performing well on 32-bit architectures. [ citation needed ] Measured speeds are as fast as one-half CPU cycle per byte (cpb) on 64-bit architectures, under five cpb on desktop 32-bit processors, and around ten cpb on embedded 32-bit architectures. [1] A closely related variant of VMAC that is optimized for 32-bit architectures is given by UMAC.

Overview

VMAC is a MAC in the style of Wegman and Carter. [2] [3] A fast "universal" hash function is used to hash an input message M into a short string. [ citation needed ] This short string is then combined by addition with a pseudorandom pad, resulting in the VMAC tag. Security depends on the sender and receiver sharing a randomly chosen secret hash function and pseudorandom pad. This is achieved by using keyed hash function H and pseudorandom function F. A tag is generated by performing the computation

    Tag = HK1(M) + FK2(Nonce)

where K1 and K2 are secret random keys shared by sender and receiver, and Nonce is a value that changes with each generated tag. The receiver needs to know which nonce was used by the sender, so some method of synchronizing nonces needs to be used. This can be done by explicitly sending the nonce along with the message and tag, or agreeing upon the use of some other non-repeating value such as a sequence number. The nonce need not be kept secret, but care needs to be taken to ensure that, over the lifetime of a VMAC key, a different nonce is used with each message.

VMAC uses a function, called VHASH (also specified in this document), as the keyed hash function H and uses a pseudorandom function F whose default implementation uses the AES block cipher. VMAC allows for tag lengths of any 64-bit multiple up to the block size of the block cipher in use. When using AES, this means VMAC can produce 64- or 128-bit tags.

The theory of Wegman-Carter MACs and the analysis of VMAC show that if one "instantiates" VMAC with truly random keys and pads then the probability that an attacker (even a computationally unbounded one) produces a correct tag for messages of its choosing is less than 1/260 or 1/2120 when the tags are of length 64 or 128 bits, respectively. When an attacker makes N forgery attempts the probability of getting one or more tags right increases linearly to less than N/260 or N/2120. In an applied implementation of VMAC, using AES to produce keys and pads, these forgery probabilities increase by a small amount related to the security of AES. As long as AES is secure, this small additive term is insignificant for any practical attack. See specification for more details. Analysis of VMAC security has been carried out by authors Wei Dai and Ted Krovetz. [ citation needed ] [4]

Implementations

Related Research Articles

<span class="mw-page-title-main">Stream cipher</span> Type of symmetric key cipher

A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the ciphertext stream. Since encryption of each digit is dependent on the current state of the cipher, it is also known as state cipher. In practice, a digit is typically a bit and the combining operation is an exclusive-or (XOR).

<span class="mw-page-title-main">Symmetric-key algorithm</span> Algorithm

Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. The requirement that both parties have access to the secret key is one of the main drawbacks of symmetric-key encryption, in comparison to public-key encryption. However, symmetric-key encryption algorithms are usually better for bulk encryption. With exception of the one-time pad they have a smaller key size, which means less storage space and faster transmission. Due to this, asymmetric-key encryption is often used to exchange the secret key for symmetric-key encryption.

In cryptography, an initialization vector (IV) or starting variable is an input to a cryptographic primitive being used to provide the initial state. The IV is typically required to be random or pseudorandom, but sometimes an IV only needs to be unpredictable or unique. Randomization is crucial for some encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between segments of the encrypted message. For block ciphers, the use of an IV is described by the modes of operation.

<span class="mw-page-title-main">Block cipher mode of operation</span> Cryptography algorithm

In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

<span class="mw-page-title-main">Cryptographic hash function</span> Hash function that is suitable for use in cryptography

A cryptographic hash function (CHF) is a hash algorithm that has special properties desirable for a cryptographic application:

CRYPTREC is the Cryptography Research and Evaluation Committees set up by the Japanese Government to evaluate and recommend cryptographic techniques for government and industrial use. It is comparable in many respects to the European Union's NESSIE project and to the Advanced Encryption Standard process run by National Institute of Standards and Technology in the U.S.

In cryptography, a message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message. In other words, to confirm that the message came from the stated sender and has not been changed. The MAC value allows verifiers to detect any changes to the message content.

In cryptography, MULTI-S01, is an encryption algorithm based on a pseudorandom number generator (PRNG). MULTI-S01 is an encryption scheme preserving both confidentiality and data integrity. The scheme defines a pair of algorithms; the encryption, the corresponding decryption with verification. Coupling with an efficient keystream generator, such as Panama, MUGI, and RC4, the algorithm efficiently encrypts a message in the manner of a single path process, i.e. online algorithm. The decryption function cannot be used in such manner for keeping whole resultant data until successful verification.

In cryptography, a universal hashing message authentication code, or UMAC, is a message authentication code (MAC) calculated using universal hashing, which involves choosing a hash function from a class of hash functions according to some secret (random) process and applying it to the message. The resulting digest or fingerprint is then encrypted to hide the identity of the hash function that was used. A variation of the scheme was first published in 1999. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message. In contrast to traditional MACs, which are serializable, a UMAC can be executed in parallel. Thus, as machines continue to offer more parallel-processing capabilities, the speed of implementing UMAC can increase.

Poly1305 is a universal hash family designed by Daniel J. Bernstein in 2002 for use in cryptography.

<span class="mw-page-title-main">Salsa20</span> Stream ciphers

Salsa20 and the closely related ChaCha are stream ciphers developed by Daniel J. Bernstein. Salsa20, the original cipher, was designed in 2005, then later submitted to the eSTREAM European Union cryptographic validation process by Bernstein. ChaCha is a modification of Salsa20 published in 2008. It uses a new round function that increases diffusion and increases performance on some architectures.

<span class="mw-page-title-main">CBC-MAC</span> Message authentication code algorithm

In cryptography, a cipher block chaining message authentication code (CBC-MAC) is a technique for constructing a message authentication code (MAC) from a block cipher. The message is encrypted with some block cipher algorithm in cipher block chaining (CBC) mode to create a chain of blocks such that each block depends on the proper encryption of the previous block. This interdependence ensures that a change to any of the plaintext bits will cause the final encrypted block to change in a way that cannot be predicted or counteracted without knowing the key to the block cipher.

In cryptography, Galois/Counter Mode (GCM) is a mode of operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with inexpensive hardware resources.

<span class="mw-page-title-main">Cryptographic nonce</span> Concept in cryptography

In cryptography, a nonce is an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that each communication session is unique, and therefore that old communications cannot be reused in replay attacks. Nonces can also be useful as initialization vectors and in cryptographic hash functions.

The following outline is provided as an overview of and topical guide to cryptography:

Crypto++ is a free and open-source C++ class library of cryptographic algorithms and schemes written by Wei Dai. Crypto++ has been widely used in academia, student projects, open-source, and non-commercial projects, as well as businesses. Released in 1995, the library fully supports 32-bit and 64-bit architectures for many major operating systems and platforms, including Android, Apple, BSD, Cygwin, IBM AIX, Linux, MinGW, Solaris, Windows, Windows Phone and Windows RT. The project also supports compilation using C++03, C++11, C++14, and C++17 runtime libraries; and a variety of compilers and IDEs, including Borland Turbo C++, Borland C++ Builder, Clang, CodeWarrior Pro, GCC, Intel C++ Compiler (ICC), Microsoft Visual C/C++, and Sun Studio.

Badger is a message authentication code (MAC) based on the idea of universal hashing and was developed by Boesgaard, Scavenius, Pedersen, Christensen, and Zenner. It is constructed by strengthening the ∆-universal hash family MMH using an ϵ-almost strongly universal (ASU) hash function family after the application of ENH, where the value of ϵ is . Since Badger is a MAC function based on the universal hash function approach, the conditions needed for the security of Badger are the same as those for other universal hash functions such as UMAC.

Streebog is a cryptographic hash function defined in the Russian national standard GOST R 34.11-2012 Information Technology – Cryptographic Information Security – Hash Function. It was created to replace an obsolete GOST hash function defined in the old standard GOST R 34.11-94, and as an asymmetric reply to SHA-3 competition by the US National Institute of Standards and Technology. The function is also described in RFC 6986 and one out of hash functions in ISO/IEC 10118-3:2018.

Wei Dai is a computer engineer known for contributions to cryptography and cryptocurrencies. He developed the Crypto++ cryptographic library, created the b-money cryptocurrency system, and co-proposed the VMAC message authentication algorithm.

ChaCha20-Poly1305 is an authenticated encryption with associated data (AEAD) algorithm, that combines the ChaCha20 stream cipher with the Poly1305 message authentication code. It has fast software performance, and without hardware acceleration, is usually faster than AES-GCM.

References

  1. T. Krovetz and W. Dai (2007). "VMAC: Message Authentication Code using Universal Hashing". CFRG Working Group. IETF. Retrieved 2010-08-12.
  2. J. Carter; M. Wegman (1977). "Universal classes of hash functions (Extended Abstract)". Proceedings of the ninth annual ACM symposium on Theory of computing - STOC '77. ACM. pp. 106–112. doi: 10.1145/800105.803400 . S2CID   1302091.
  3. J. Carter; M. Wegman (1981). "New hash functions and their use in authentication and set equality". Journal of Computer and System Sciences. 22 (3): 265–279. doi: 10.1016/0022-0000(81)90033-7 .
  4. T. Krovetz (2007). "Message Authentication on 64-Bit Architectures" (PDF). Selected Areas in Cryptography. Lecture Notes in Computer Science. Vol. 4356. Springer-Verlag. pp. 327–341. doi:10.1007/978-3-540-74462-7_23. ISBN   978-3-540-74461-0. ISSN   0302-9743.
  5. "vmac.h (source code)" . Retrieved 2022-11-13.
  6. "vmac.c (source code)" . Retrieved 2022-11-13.
  7. "Crypto++: vmac.h Source File". www.cryptopp.com.
  8. "Crypto++: vmac.cpp Source File". www.cryptopp.com.
  9. Krovetz, Ted (2007-04-22). "An unoptimized, straightforward reference implementation of VMAC" . Retrieved 2022-11-13.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.