Badger is a message authentication code (MAC) based on the idea of universal hashing and was developed by Boesgaard, Scavenius, Pedersen, Christensen, and Zenner.[1] It is constructed by strengthening the ∆-universal hash family MMH using an ϵ-almost strongly universal (ASU) hash function family after the application of ENH (see below), where the value of ϵ is
1/(232-5)
The Badger MAC processes a message of length up to
264-1
u ⋅ 32
1\leu\le5
u
264
The key setup has to be run only once per key in order to run the Badger algorithm under a given key, since the resulting internal state of the MAC can be saved to be used with any other message that will be processed later.
Hash families can be combined in order to obtain new hash families. For the ϵ-AU, ϵ-A∆U, and ϵ-ASU families, the latter are contained in the former. For instance, an A∆U family is also an AU family, an ASU is also an A∆U family, and so forth. On the other hand, a stronger family can be reduced to a weaker one, as long as a performance gain can be reached. A method to reduce ∆-universal hash function to universal hash functions will be described in the following.
Theorem 2[1]
Let
H\triangle
(m,mb)\inA x B
h(m,mb)=H\triangle(m)+mb
If
m\nem'
h(m,mb)=h(m',m'b)
H\triangle
m=m'
mb\nemb'
The ENH-family is constructed based on the universal hash family NH (which is also used in UMAC):
NHK(M)=
| ||||
\sum | ||||
i=1 |
(k(2i-1)+wm(2i-1)) x (k2i+wm2i)\mod22w
Where '
+w
2w
mi,ki\in\{0,\ldots,2w-1\}
2-w
Lemma 1[1]
The following version of NH is
2-w
NHK(M)=(k1+wm1) x (k2+wm2)\mod22w
Choosing w=32 and applying Theorem 1, one can obtain the
2-32
ENH | |
k1,k2 |
(m1,m2,m3,m4)=(m1+32k1)(m2+32k2)+64m3+64232m4
where all arguments are 32-bits long and the output has 64-bits.
Badger is constructed using the strongly universality hash family and can be described as
l{H}=H* x F,
where an
\epsilon | |
H* |
\epsilonF
264-1
2-32
2-26.14
There are two steps that have to be executed for every message: processing phase and finalize phase.[3]
In this phase, the data is hashed to a 64-bit string. A core function :
\left\{0,1\right\}64 x \left\{0,1\right\}128\to\left\{0,1\right\}64
m2\parallelm1
h(k,m2,m1)
h(k,m2,m1)=(L(m1)+32L(k)) ⋅ (U(m1)+32U(k))+64m2
for any n,
+n
2n
A message can be processed by using this function. Denote by
i | |
k | |
j |
Pseudo-code of the processing phase is as follow.
L = |M| if L = 0
M1= … =Mu=0
M=064-r\parallelM
Mi=M
v'=max\{1,\lceillog2L\rceil-6\}
In this phase, the 64-string resulting from the processing phase is transformed into the desired MAC tag. This finalization phase uses the Rabbit stream cipher and uses both key setup and IV setup by taking the finalization key as
i | |
k | |
j |
Pseudo-code of the finalization phase
RabbitKeySetup(K) RabbitIVSetup(N) for i = 1 to u:
Qi=07\parallelL\parallelMi
i | |
Q | |
5 |
\parallel … \parallel
i | |
q | |
1 |
Si
5 | |
=(\sum | |
j=1 |
i | |
(q | |
j |
i | |
K | |
6 |
\bmodp
S=Su\parallel … \parallelS1
From the pseudocode above, k denotes the key in the Rabbit Key Setup(K) which initializes Rabbit with the 128-bit key k. M denotes the message to be hashed and |M| denotes the length of the message in bits. denotes a message M that is divided into i blocks. For the given -bit string x then and respectively denoted its least significant n bits and most significant n bits.
Boesgard, Christensen and Zenner report the performance of Badger measured on a 1.0 GHz Pentium III and on a 1.7 GHz Pentium 4 processor.[1] The speed-optimized versions were programmed in assembly language inlined in C and compiled using the Intel C++ 7.1 compiler.
The following table presents Badger's properties for various restricted message lengths. "Memory req." denotes the amount of memory required to store the internal state including key material and the inner state of the Rabbit stream cipher . "Setup" denotes the key setup, and "Fin." denotes finalization with IV-setup.
Max. Message Size | Forgery Bound | Memory Reg. | Setup Pentium III | Fin. Pentium III | Setup Pentium III | Fin. Pentium III | |
---|---|---|---|---|---|---|---|
211 | 2-57.7 | 400 bytes | 1133 cycles | 409 cycles | 1774 cycles | 776 cycles | |
215 | 2-56.6 | 528 bytes | 1370 cycles | 421 cycles | 2100 cycles | 778 cycles | |
232 | 2-54.2 | 1072 bytes | 2376 cycles | 421 cycles | 3488 cycles | 778 cycles | |
261-1 | 2-52.2 | 2000 bytes | 4093 cycles | 433 cycles | 5854 cycles | 800 cycles |
The name MMH stands for Multilinear-Modular-Hashing. Applications in Multimedia are for example to verify the integrity of an on-line multimedia title. The performance of MMH is based on the improved support of integer scalar products in modern microprocessors.
p
Fp
p
MMH* involves a construction of a family of hash functions consisting of multilinear functions on
k | |
F | |
p |
k | |
F | |
p |
Fp
MMH*=\{gx:
k | |
F | |
p |
→ Fp|x\in
k | |
F | |
p |
\}
where x, m are vectors, and the functions
gx
gx(m)=mx\bmodp=
n | |
\sum | |
i=1 |
mixi\bmodp
In the case of MAC, is a message and is a key where
m=(m1,\ldots,mk)
x=(x1,\ldots,xk),xi,mi\inFp
MMH* should satisfy the security requirements of a MAC, enabling say Ana and Bob to communicate in an authenticated way. They have a secret key . Say Charles listens to the conversation between Ana and Bob and wants to change the message into his own message to Bob which should pass as a message from Ana. So, his message and Ana's message will differ in at least one bit (e.g.
m1\nem'1
Assume that Charles knows that the function is of the form
gx(m)
Theorem 1[4] :The family MMH* is ∆-universal.
Proof:
Take
a\inFp
m,m'
m1\nem'1
x2,x3,\ldots,xs
\begin{align} {\Pr} | |
x1 |
[gx(m)-gx(m')\equiva\modp]&=
{\Pr} | |
x1 |
[(m1x1+m2x2+ … +mkxk)-(m'1x1+m'2x2+ … +m'kxk)\equiva\modp]\\ &=
{\Pr} | |
x1 |
[(m1-m'1)x1+(m2-m'2)x2+ … +(mk-m'k)xk]\equiva\modp]\\ &=
{\Pr} | |
x1 |
[(m1-m'1)x1+style\sum
s(m | |
k-m' |
k)xk\equiva\modp]\\ &=
{\Pr} | |
x1 |
[(m1-m'1)x1\equiva-
s(m | |
style\sum | |
k-m' |
k)xk\modp]\\ &=
1 | |
p |
\end{align}
To explain the theorem above, take
Fp
p
Fp=\underbrace{\{0,1,\ldots,p-1\}}p
Fp
0\inFp
x1=0
{\Pr} | |
x1\in{Fp |
So, what one actually needs to compute is
{\Pr} | |||||||||||||
|
But,
\begin{align} {\Pr} | |||||||||||||
|
From the proof above,
1 | |
p |
1 | |
pn |
Halevi and Krawczyk[4] construct a variant called
* | |
MMH | |
32 |
p=232+15
232<p<232+216
216+1
231-1
* | |
MMH | |
32 |
* | |
MMH | |
32 |
=\left\{gx(\left\{0,1\right\}32)k\right\}\toFp,
where
\left\{0,1\right\}32
\left\{0,1,\ldots,232-1\right\}
The functions
gx
\begin{align} gx(m)& \overset{\underset{def
where
x=(x1,\ldots,xk), m=(m,\ldots,mk)
By theorem 1, the collision probability is about
\epsilon=2-32
* | |
MMH | |
32 |
\epsilon=2-32
The value of k that describes the length of the message and key vectors has several effects:
1/p
p ≈ 2k
Below are the timing results for various implementations of MMH[4] in 1997, designed by Halevi and Krawczyk.
150 MHz PowerPC 604 | Message in Memory | Message in Cache | |
---|---|---|---|
64-bit | 390 Mbit/second | 417 Mbit/second | |
32-bit output | 597 Mbit/second | 820 Mbit/second |
150 MHz PowerPC 604 | Message in Memory | Message in Cache | |
---|---|---|---|
64-bit | 296 Mbit/second | 356 Mbit/second | |
32-bit output | 556 Mbit/second | 813 Mbit/second |
150 MHz PowerPC 604 | Message in Memory | Message in Cache | |
---|---|---|---|
64-bit | 380 Mbit/second | 500 Mbit/second | |
32-bit output | 645 Mbit/second | 1080 Mbit/second |