Paper 2014/107

Key-Indistinguishable Message Authentication Codes

Joel Alwen, Martin Hirt, Ueli Maurer, Arpita Patra, and Pavel Raykov

Abstract

While standard message authentication codes (MACs) guarantee authenticity of messages, they do not, in general, guarantee the anonymity of the sender and recipient. For example it may be easy for an observer to determine whether or not two authenticated messages were sent by the same party even without any information about the secret key used. However preserving any uncertainty an attacker may have about the identities of honest parties engaged in authenticated communication is an important goal of many cryptographic applications. For example this is stated as an explicit goal of modern cellphone authentication protocols~\cite{3GPP} and RFID based authentication systems\cite{Vaudenay10}. In this work we introduce and construct a new fundamental cryptographic primitive called \emph{key indistinguishable} (KI) MACs. These can be used to realize many of the most important higher-level applications requiring some form of anonymity and authenticity~\cite{AHMPR14}. We show that much (though not all) of the modular MAC construction framework of~\cite{DodisKPW12} gives rise to several variants of KI MACs. On the one hand, we show that KI MACs can be built from hash proof systems and certain weak PRFs allowing us to base security on such assumption as DDH, CDH and LWE. Next we show that the two direct constructions from the LPN assumption of~\cite{DodisKPW12} are KI, resulting in particularly efficient constructions based on structured assumptions. On the other hand, we also give a very simple and efficient construction based on a PRF which allows us to base KI MACs on some ideal primitives such as an ideal compression function (using HMAC) or block-cipher (using say CBC-MAC). In particular, by using our PRF construction, many real-world implementations of MACs can be easily and cheaply modified to obtain a KI MAC. Finally we show that the transformations of~\cite{DodisKPW12} for increasing the domain size of a MAC as well as for strengthening the type of unforgeability it provides also preserve (or even strengthen) the type of KI enjoyed by the MAC. All together these results provide a wide range of assumptions and construction paths for building various flavors of this new primitive.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
authentication codesanonymity
Contact author(s)
raykov pavel @ gmail com
History
2014-02-15: received
Short URL
https://ia.cr/2014/107
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2014/107,
      author = {Joel Alwen and Martin Hirt and Ueli Maurer and Arpita Patra and Pavel Raykov},
      title = {Key-Indistinguishable Message Authentication Codes},
      howpublished = {Cryptology ePrint Archive, Paper 2014/107},
      year = {2014},
      note = {\url{https://eprint.iacr.org/2014/107}},
      url = {https://eprint.iacr.org/2014/107}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.