- Source: MMH-Badger MAC
Badger is a message authentication code (MAC) based on the idea of universal hashing and was developed by Boesgaard, Scavenius, Pedersen, Christensen, and Zenner. It is constructed by strengthening the ∆-universal hash family MMH using an ϵ-almost strongly universal (ASU) hash function family after the application of ENH (see below), where the value of ϵ is
1
/
(
2
32
−
5
)
{\displaystyle 1/(2^{32}-5)}
. Since Badger is a MAC function based on the universal hash function approach, the conditions needed for the security of Badger are the same as those for other universal hash functions such as UMAC.
Introduction
The Badger MAC processes a message of length up to
2
64
−
1
{\displaystyle 2^{64}-1}
bits and returns an authentication tag of length
u
⋅
32
{\displaystyle u\cdot 32}
bits, where
1
≤
u
≤
5
{\displaystyle 1\leq u\leq 5}
. According to the security needs, user can choose the value of
u
{\displaystyle u}
, that is the number of parallel hash trees in Badger. One can choose larger values of u, but those values do not influence further the security of MAC. The algorithm uses a 128-bit key and the limited message length to be processed under this key is
2
64
{\displaystyle 2^{64}}
.
The key setup has to be run only once per key in order to run the Badger algorithm under a given key, since the resulting internal state of the MAC can be saved to be used with any other message that will be processed later.
ENH
Hash families can be combined in order to obtain new hash families. For the ϵ-AU, ϵ-A∆U, and ϵ-ASU families, the latter are contained in the former. For instance, an A∆U family is also an AU family, an ASU is also an A∆U family, and so forth. On the other hand, a stronger family can be reduced to a weaker one, as long as a performance gain can be reached. A method to reduce ∆-universal hash function to universal hash functions will be described in the following.
Theorem 2
Let
H
△
{\displaystyle H^{\triangle }}
be an ϵ-AΔU hash family from a set A to a set B. Consider a message
(
m
,
m
b
)
∈
A
×
B
{\displaystyle (m,m_{b})\in A\times B}
. Then the family H consisting of the functions
h
(
m
,
m
b
)
=
H
△
(
m
)
+
m
b
{\displaystyle h(m,m_{b})=H^{\triangle }(m)+m_{b}}
is ϵ-AU.
If
m
≠
m
′
{\displaystyle m\neq m'}
, then the probability that
h
(
m
,
m
b
)
=
h
(
m
′
,
m
b
′
)
{\displaystyle h(m,m_{b})=h(m',m'_{b})}
is at most ϵ,
since
H
△
{\displaystyle H^{\triangle }}
is an ϵ-A∆U family. If
m
=
m
′
{\displaystyle m=m'}
but
m
b
≠
m
b
′
{\displaystyle m_{b}\neq m_{b}'}
, then the probability is trivially 0.
The proof for Theorem 2 was described in
The ENH-family is constructed based on the universal hash family NH (which is also used in UMAC):
N
H
K
(
M
)
=
∑
i
=
1
ℓ
2
(
k
(
2
i
−
1
)
+
w
m
(
2
i
−
1
)
)
×
(
k
2
i
+
w
m
2
i
)
mod
2
2
w
{\displaystyle NH_{K}(M)=\sum _{i=1}^{\frac {\ell }{2}}(k_{(2i-1)}+_{w}m_{(2i-1)})\times (k_{2i}+_{w}m_{2i})\mod 2^{2w}}
Where '
+
w
{\displaystyle +_{w}}
' means 'addition modulo
2
w
{\displaystyle 2^{w}}
', and
m
i
,
k
i
∈
{
0
,
…
,
2
w
−
1
}
{\displaystyle m_{i},k_{i}\in {\big \{}0,\ldots ,2^{w}-1{\big \}}}
. It is a
2
−
w
{\displaystyle 2^{-w}}
-A∆U hash family.
Lemma 1
The following version of NH is
2
−
w
{\displaystyle 2^{-w}}
-A∆U:
N
H
K
(
M
)
=
(
k
1
+
w
m
1
)
×
(
k
2
+
w
m
2
)
mod
2
2
w
{\displaystyle NH_{K}(M)=(k_{1}+_{w}m_{1})\times (k_{2}+_{w}m_{2})\mod 2^{2w}}
Choosing w=32 and applying Theorem 1, one can obtain the
2
−
32
{\displaystyle 2^{-32}}
-AU function family ENH, which will be the basic building block of the badger MAC:
E
N
H
k
1
,
k
2
(
m
1
,
m
2
,
m
3
,
m
4
)
=
(
m
1
+
32
k
1
)
(
m
2
+
32
k
2
)
+
64
m
3
+
64
2
32
m
4
{\displaystyle ENH_{k_{1},k_{2}}(m_{1},m_{2},m_{3},m_{4})=(m_{1}+_{32}k_{1})(m_{2}+_{32}k_{2})+_{64}m_{3}+_{64}2^{32}m_{4}}
where all arguments are 32-bits long and the output has 64-bits.
Construction
Badger is constructed using the strongly universality hash family and can be described as
H
=
H
∗
×
F
,
{\displaystyle {\mathcal {H}}=H^{*}\times F,}
where an
ϵ
H
∗
{\displaystyle \epsilon _{H^{*}}}
-AU universal function family H* is used to hash messages of any size onto a fixed size and an
ϵ
F
{\displaystyle \epsilon _{F}}
-ASU function family F is used to guarantee the strong universality of the overall construction. NH and ENH are used to construct H*. The maximum input size of the function family H* is
2
64
−
1
{\displaystyle 2^{64}-1}
and the output size is 128 bits, split into 64 bits each for the message and the hash. The collision probability for the H*-function ranges from
2
−
32
{\displaystyle 2^{-32}}
to
2
−
26.14
{\displaystyle 2^{-26.14}}
. To construct the strongly universal function family F, the ∆-universal hash family MMH* is transformed into a strongly universal hash family by adding another key.
Two steps on Badger
There are two steps that have to be executed for every message: processing phase and finalize phase.
= Processing phase
=In this phase, the data is hashed to a 64-bit string. A core function h :
{
0
,
1
}
64
×
{
0
,
1
}
128
→
{
0
,
1
}
64
{\displaystyle \left\{0,1\right\}^{64}\times \left\{0,1\right\}^{128}\to \left\{0,1\right\}^{64}}
is used in this processing phase, that hashes a 128-bit string
m
2
∥
m
1
{\displaystyle m_{2}\parallel m_{1}}
to a 64-bit string
h
(
k
,
m
2
,
m
1
)
{\displaystyle h(k,m_{2},m_{1})}
as follows:
h
(
k
,
m
2
,
m
1
)
=
(
L
(
m
1
)
+
32
L
(
k
)
)
⋅
(
U
(
m
1
)
+
32
U
(
k
)
)
+
64
m
2
{\displaystyle h(k,m_{2},m_{1})=(L(m_{1})+_{32}L(k))\cdot (U(m_{1})+_{32}U(k))+_{64}m_{2}\,}
for any n,
+
n
{\displaystyle +_{n}}
means addition modulo
2
n
{\displaystyle 2^{n}}
. Given a
2
n
{\displaystyle 2n}
-bit string x,
L
(
x
)
{\displaystyle L(x)}
means least significant n bits, and
U
(
x
)
{\displaystyle U(x)}
means most significant n bits.
A message can be processed by using this function. Denote level_key[j][i] by
k
j
i
{\displaystyle k_{j}^{i}}
.
Pseudo-code of the processing phase is as follow.
L = |M|
if L = 0
M
1
=
⋯
=
M
u
=
0
{\displaystyle M^{1}=\cdots =M^{u}=0}
Go to finalization
r = L mod 64
if r ≠ 0:
M
=
0
64
−
r
∥
M
{\displaystyle M=0^{64-r}\parallel M}
for i = 1 to u:
M
i
=
M
{\displaystyle M^{i}=M}
v
′
=
max
{
1
,
⌈
log
2
L
⌉
−
6
}
{\displaystyle v'=\max\{1,\lceil \log _{2}L\rceil -6\}}
for j = 1 to v′:
divide
M
i
{\displaystyle M^{i}}
into 64-bit blocks,
M
i
=
m
t
i
∥
⋯
∥
m
1
i
{\displaystyle M^{i}=m_{t}^{i}\parallel \cdots \parallel m_{1}^{i}}
if t is even:
M
i
=
h
(
k
j
i
,
m
t
i
,
m
t
−
1
i
)
∥
⋯
∥
h
(
k
j
i
,
m
2
i
,
m
1
i
)
{\displaystyle M^{i}=h(k_{j}^{i},m_{t}^{i},m_{t-1}^{i})\parallel \cdots \parallel h(k_{j}^{i},m_{2}^{i},m_{1}^{i})}
else
M
i
=
m
t
i
∥
h
(
k
j
i
,
m
t
−
1
i
,
m
t
−
2
i
)
∥
⋯
∥
h
(
k
j
i
,
m
2
i
,
m
1
i
)
{\displaystyle M^{i}=m_{t}^{i}\parallel h(k_{j}^{i},m_{t-1}^{i},m_{t-2}^{i})\parallel \cdots \parallel h(k_{j}^{i},m_{2}^{i},m_{1}^{i})}
= Finalize phase
=In this phase, the 64-string resulting from the processing phase is transformed into the desired MAC tag. This finalization phase uses the Rabbit stream cipher and uses both key setup and IV setup by taking the finalization key final_key[j][i] as
k
j
i
{\displaystyle k_{j}^{i}}
.
Pseudo-code of the finalization phase
RabbitKeySetup(K)
RabbitIVSetup(N)
for i = 1 to u:
Q
i
=
0
7
∥
L
∥
M
i
{\displaystyle Q^{i}=0^{7}\parallel L\parallel M^{i}}
divide
Q
i
{\displaystyle Q^{i}}
into 27-bit blocks,
Q
i
=
q
5
i
∥
⋯
∥
q
1
i
{\displaystyle Q^{i}=q_{5}^{i}\parallel \cdots \parallel q_{1}^{i}}
S
i
=
(
∑
j
=
1
5
(
q
j
i
K
j
i
)
)
+
K
6
i
mod
p
{\displaystyle S^{i}=(\sum _{j=1}^{5}(q_{j}^{i}K_{j}^{i}))+K_{6}^{i}{\bmod {p}}}
S
=
S
u
∥
⋯
∥
S
1
{\displaystyle S=S^{u}\parallel \cdots \parallel S^{1}}
S = S ⨁ RabbitNextbit(u∙32)
return S
= Notation
=From the pseudocode above, k denotes the key in the Rabbit Key Setup(K) which initializes Rabbit with the 128-bit key k. M denotes the message to be hashed and |M| denotes the length of the message in bits.
q
i
{\displaystyle q_{i}}
denotes a message M that is divided into i blocks. For the given
2
n
{\displaystyle 2n}
-bit string x then L(x) and U(x) respectively denoted its least significant n bits and most significant n bits.
Performance
Boesgard, Christensen and Zenner report the performance of Badger measured on a 1.0 GHz Pentium III and on a 1.7 GHz Pentium 4 processor. The speed-optimized versions were programmed in assembly language inlined in C and compiled using the Intel C++ 7.1 compiler.
The following table presents Badger's properties for various restricted message lengths. "Memory req." denotes the amount of memory required to store the internal state including key material and the inner state of the Rabbit stream cipher . "Setup" denotes the key setup, and "Fin." denotes finalization with IV-setup.
MMH (Multilinear Modular Hashing)
The name MMH stands for Multilinear-Modular-Hashing. Applications in Multimedia are for example to verify the integrity of an on-line multimedia title. The performance of MMH is based on the improved support of integer scalar products in modern microprocessors.
MMH uses single precision scalar products as its most basic operation. It consists of a (modified) inner product between the message and a key modulo a prime
p
{\displaystyle p}
. The construction of MMH works in the finite field
F
p
{\displaystyle F_{p}}
for some prime integer
p
{\displaystyle p}
.
= MMH*
=MMH* involves a construction of a family of hash functions consisting of multilinear functions on
F
p
k
{\displaystyle F_{p}^{k}}
for some positive integer k. The family MMH* of functions from
F
p
k
{\displaystyle F_{p}^{k}}
to
F
p
{\displaystyle F_{p}}
is defined as follows.
M
M
H
∗
=
{
g
x
:
F
p
k
→
F
p
|
x
∈
F
p
k
}
{\displaystyle \mathrm {MMH} ^{*}=\{g_{x}:F_{p}^{k}\rightarrow F_{p}|x\in F_{p}^{k}\}}
where x, m are vectors, and the functions
g
x
{\displaystyle g_{x}}
are defined as follows.
g
x
(
m
)
=
m
x
mod
p
=
∑
i
=
1
n
m
i
x
i
mod
p
{\displaystyle g_{x}(m)=mx{\bmod {p}}=\sum _{i=1}^{n}m_{i}\,x_{i}{\bmod {p}}}
In the case of MAC, m is a message and x is a key where
m
=
(
m
1
,
…
,
m
k
)
{\displaystyle m=(m_{1},\ldots ,m_{k})}
and
x
=
(
x
1
,
…
,
x
k
)
,
x
i
,
m
i
∈
F
p
{\displaystyle x=(x_{1},\ldots ,x_{k}),x_{i},m_{i}\in \!F_{p}}
.
MMH* should satisfy the security requirements of a MAC, enabling say Ana and Bob to communicate in an authenticated way. They have a secret key x. Say Charles listens to the conversation between Ana and Bob and wants to change the message into his own message to Bob which should pass as a message from Ana. So, his message m' and Ana's message m will differ in at least one bit (e.g.
m
1
≠
m
1
′
{\displaystyle m_{1}\neq m'_{1}}
).
Assume that Charles knows that the function is of the form
g
x
(
m
)
{\displaystyle g_{x}(m)}
and he knows Ana's message m but he does not know the key x then the probability that Charles can change the message or send his own message can be explained by the following theorem.
Theorem 1:The family MMH* is ∆-universal.
Proof:
Take
a
∈
F
p
{\displaystyle a\in F_{p}}
, and let
m
,
m
′
{\displaystyle m,m'}
be two different messages. Assume without loss of generality that
m
1
≠
m
1
′
{\displaystyle m_{1}\neq m'_{1}}
. Then for any choice of
x
2
,
x
3
,
…
,
x
s
{\displaystyle x_{2},x_{3},\ldots ,x_{s}}
, there is
Pr
x
1
[
g
x
(
m
)
−
g
x
(
m
′
)
≡
a
mod
p
]
=
Pr
x
1
[
(
m
1
x
1
+
m
2
x
2
+
⋯
+
m
k
x
k
)
−
(
m
1
′
x
1
+
m
2
′
x
2
+
⋯
+
m
k
′
x
k
)
≡
a
mod
p
]
=
Pr
x
1
[
(
m
1
−
m
1
′
)
x
1
+
(
m
2
−
m
2
′
)
x
2
+
⋯
+
(
m
k
−
m
k
′
)
x
k
]
≡
a
mod
p
]
=
Pr
x
1
[
(
m
1
−
m
1
′
)
x
1
+
∑
k
=
2
s
(
m
k
−
m
k
′
)
x
k
≡
a
mod
p
]
=
Pr
x
1
[
(
m
1
−
m
1
′
)
x
1
≡
a
−
∑
k
=
2
s
(
m
k
−
m
k
′
)
x
k
mod
p
]
=
1
p
{\displaystyle {\begin{aligned}{\Pr }_{x_{1}}[g_{x}(m)-g_{x}(m')\equiv a\mod p]&={\Pr }_{x_{1}}[(m_{1}x_{1}+m_{2}x_{2}+\cdots +m_{k}x_{k})-(m'_{1}x_{1}+m'_{2}x_{2}+\cdots +m'_{k}x_{k})\equiv a\mod p]\\&={\Pr }_{x_{1}}[(m_{1}-m'_{1})x_{1}+(m_{2}-m'_{2})x_{2}+\cdots +(m_{k}-m'_{k})x_{k}]\equiv a\mod p]\\&={\Pr }_{x_{1}}[(m_{1}-m'_{1})x_{1}+\textstyle \sum _{k=2}^{s}(m_{k}-m'_{k})x_{k}\equiv a\mod p]\\&={\Pr }_{x_{1}}[(m_{1}-m'_{1})x_{1}\equiv a-\textstyle \sum _{k=2}^{s}(m_{k}-m'_{k})x_{k}\mod p]\\&={\frac {1}{p}}\end{aligned}}}
To explain the theorem above, take
F
p
{\displaystyle F_{p}}
for
p
{\displaystyle p}
prime represent the field as
F
p
=
{
0
,
1
,
…
,
p
−
1
}
⏟
p
{\displaystyle F_{p}=\underbrace {{\big \{}0,1,\ldots ,p-1{\big \}}} _{p}}
. If one takes an element in
F
p
{\displaystyle F_{p}}
, let say
0
∈
F
p
{\displaystyle 0\in F_{p}}
then the probability that
x
1
=
0
{\displaystyle x_{1}=0}
is
Pr
x
1
∈
F
p
(
x
1
=
0
)
=
1
p
{\displaystyle {\Pr }_{x_{1}\in \!{F_{p}}}(x_{1}=0)={\frac {1}{p}}}
So, what one actually needs to compute is
Pr
(
x
1
,
…
,
x
k
)
∈
F
p
k
(
g
x
(
m
)
≡
g
x
(
m
′
)
mod
p
)
{\displaystyle {\Pr }_{(x_{1},\ldots ,x_{k})\in \!{F_{p}^{k}}}(g_{x}(m)\equiv g_{x}(m')\mod p)}
But,
Pr
(
x
1
,
…
,
x
k
)
∈
F
p
k
(
g
x
(
m
)
≡
g
x
(
m
′
)
mod
p
)
=
∑
(
x
2
,
…
,
x
k
)
∈
F
p
k
−
1
Pr
(
x
2
′
⋯
,
x
k
′
)
∈
F
p
k
−
1
(
x
2
=
x
2
′
,
…
,
x
k
=
x
k
′
)
⋅
Pr
x
1
∈
F
p
(
g
x
(
m
)
≡
g
x
(
m
′
)
mod
p
)
=
∑
(
x
2
,
…
,
x
k
)
∈
F
p
k
−
1
1
p
k
−
1
⋅
1
p
=
p
k
−
1
⋅
1
p
k
−
1
⋅
1
p
=
1
p
{\displaystyle {\begin{aligned}{\Pr }_{(x_{1},\ldots ,x_{k})\in \!{F_{p}^{k}}}(g_{x}(m)\equiv g_{x}(m')\mod p)&=\sum _{(x_{2},\ldots ,x_{k})\in \!{F_{p}^{k-1}}}{\Pr }_{(x_{2}^{'}\cdots ,x_{k}^{'})\in \!{F_{p}^{k-1}}}({x_{2}=x_{2}^{'}},\ldots ,{x_{k}=x_{k}^{'}})\cdot {\Pr }_{x_{1}\in \!F_{p}}(g_{x}(m)\equiv g_{x}(m')\mod p)\\&=\sum _{(x_{2},\ldots ,x_{k})\in \!{F_{p}^{k-1}}}{\frac {1}{p^{k-1}}}\cdot {\frac {1}{p}}\\&=p^{k-1}\cdot {\frac {1}{p^{k-1}}}\cdot {\frac {1}{p}}\\&={\frac {1}{p}}\end{aligned}}}
From the proof above,
1
p
{\displaystyle {\frac {1}{p}}}
is the collision probability of the attacker in 1 round, so on average p verification queries will suffice to get one message accepted. To reduce the collision probability, it is necessary to choose large p or to concatenate n such MACs using n independent keys so that the collision probability] becomes
1
p
n
{\displaystyle {\frac {1}{p^{n}}}}
. In this case the number of keys are increased by a factor of n and the output is also increased by n.
= MMH*32
=Halevi and Krawczyk construct a variant called
M
M
H
32
∗
{\displaystyle \mathrm {MMH} _{32}^{*}}
. The construction works with 32-bit integers and with the prime integer
p
=
2
32
+
15
{\displaystyle p=2^{32}+15}
. Actually the prime p can be chosen to be any prime which satisfies
2
32
<
p
<
2
32
+
2
16
{\displaystyle 2^{32}
. This idea is adopted from the suggestion by Carter and Wegman to use the primes
2
16
+
1
{\displaystyle 2^{16}+1}
or
2
31
−
1
{\displaystyle 2^{31}-1}
.
M
M
H
32
∗
{\displaystyle \mathrm {MMH} _{32}^{*}}
is defined as follows:
M
M
H
32
∗
=
{
g
x
(
{
0
,
1
}
32
)
k
}
→
F
p
,
{\displaystyle \mathrm {MMH} _{32}^{*}=\left\{g_{x}(\left\{0,1\right\}^{32})^{k}\right\}\to F_{p},}
where
{
0
,
1
}
32
{\displaystyle \left\{0,1\right\}^{32}}
means
{
0
,
1
,
…
,
2
32
−
1
}
{\displaystyle \left\{0,1,\ldots ,2^{32}-1\right\}}
(i.e., binary representation)
The functions
g
x
{\displaystyle g_{x}}
are defined as follows.
g
x
(
m
)
=
d
e
f
m
⋅
x
mod
(
2
32
+
15
)
=
∑
i
=
1
k
m
i
⋅
x
i
mod
(
2
32
+
15
)
{\displaystyle {\begin{aligned}g_{x}(m)&\ {\overset {\underset {\mathrm {def} }{}}{=}}\ m\cdot x{\bmod {(}}2^{32}+15)\\&=\textstyle \sum _{i=1}^{k}m_{i}\cdot x_{i}{\bmod {(}}2^{32}+15)\end{aligned}}}
where
x
=
(
x
1
,
…
,
x
k
)
,
m
=
(
m
,
…
,
m
k
)
{\displaystyle x=(x_{1},\ldots ,x_{k}),\ m=(m,\ldots ,m_{k})}
By theorem 1, the collision probability is about
ϵ
=
2
−
32
{\displaystyle \epsilon =2^{-32}}
, and the family of
M
M
H
32
∗
{\displaystyle \mathrm {MMH} _{32}^{*}}
can be defined as ϵ-almost ∆ Universal with
ϵ
=
2
−
32
{\displaystyle \epsilon =2^{-32}}
.
= The value of k
=The value of k that describes the length of the message and key vectors has several effects:
Since the costly modular reduction over k is multiply and add operations increasing k should decrease the speed.
Since the key x consist of k 32-bit integers increasing k will results in a longer key.
The probability of breaking the system is
1
/
p
{\displaystyle 1/p}
and
p
≈
2
k
{\displaystyle p\approx 2^{k}}
so increasing k makes the system harder to break.
= Performance
=Below are the timing results for various implementations of MMH in 1997, designed by Halevi and Krawczyk.
A 150 MHz PowerPC 604 RISC machine running AIX
A 150 MHz Pentium-Pro machine running Windows NT
A 200 MHz Pentium-Pro machine running Linux
See also
UMAC
VMAC
Poly1305-AES
References
Kata Kunci Pencarian:
- MMH-Badger MAC
- Badger (disambiguation)
- Message authentication code
- UMAC (cryptography)
- El Capitan
- Free Solo
- Yosemite National Park
- The Nose (El Capitan)