Score:1

Using CMAC instead of a hash function for message signing


Generally, when we want to generate a signature for a message M we use a hash function H and sign the result H(M) with the private key. What if, instead of the hash function H, we used a CMAC with key K and signed the result CMAC(M, K) with the private key? Is such an operation cryptographically secure? If so, does the key K need to be kept secret?

I have a device with a hardware accelerator for AES-CMAC, and wonder if I could make use of it instead of implementing a hashing algorithm in software.

kelalaka
Welcome to Cryptography.SE. Hashing then signing will be much faster. You can find many implementations for any good hash function. What is your digital signature algorithm? Usually, they come together with a hash function. Are you implementing a digital signature on your own? What about side-channel attacks?
morsisko
Hello, my signature algorithm is ECDSA. I've got a microcontroller with a hardware AES-CMAC accelerator. I'm using an open-source implementation of ECDSA provided by the micro-ecc project. I'm aware I could implement the hashing algorithm in software, but wondered what the side effects of using CMAC instead of a hash would be.
kelalaka
Do you encrypt the messages, too? Then with which algorithm?
morsisko
No, the messages aren't encrypted. In fact the message is the content of the firmware. During boot the device calculates the hash/CMAC of the firmware, and then verifies whether the ECDSA signature generated offline (on a computer) is valid for the current firmware, using the embedded public key.
Score:5

What if, instead of the hash function H, we used a CMAC with key K and signed the result CMAC(M, K) with the private key? Is such an operation cryptographically secure?

If the $K$ used for a specific signature is public (which it'll have to be for the signature to be verified by someone holding the public key and the signature and nothing secret), then it is easy to find a second message $M'$ such that $\text{CMAC}(M, K) = \text{CMAC}(M', K)$; that is, the signature would also verify with that second message $M'$.

In fact, the attacker would have a great deal of flexibility in choosing that $M'$; he can specify the entire $M'$ message except for one 16-byte-aligned block anywhere in that message; he can then efficiently compute what that 16-byte value has to be, and that gives him the entire $M'$.

On the other hand, if $K$ is secret, the above does not apply. Of course, that begs the obvious question: if the signer and the verifier do share a secret (and you can trust that verifier would not attempt to generate forgeries), why don't you just use CMAC, and not bother with the signing operation?

morsisko
Thanks for your answer. Does such an attack have a name, so I can read more about it? I thought that finding a collision for CMAC with a known key was no easier than finding a collision for a hash function.
poncho
@morsisko: where did you read that? I don't know if the attack has a name; it's so simple, I don't know if anyone bothered to name it. All the attacker needs to do is compute the CMAC forward up until the unspecified block (that's easy if you know K), and compute it backwards from the target value until the unspecified block (again, easy if you know K and CMAC is based on an invertible block cipher); the XOR of the two state values in the two directions is the value the unspecified block needs to be.
morsisko
Thanks. Now I get it.
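A worked demonstration of the attack described in the answer and the comment above, added here as an example; it is not code from the original post, from micro-ecc, or from any vendor SDK. It is Python using only the standard library, so AES-128 is a short textbook reference implementation (table-driven, not constant-time, for illustration only) and AES-CMAC follows RFC 4493. The function names, the two 48-byte "firmware" images in `demo()`, the choice of block 1 as the free block, and the use of the RFC 4493 test key as the attacker-known public K are all constructed for this example. The attacker knows K and one signed tag, chooses every block of a new image except one, and fills in that block by running the CBC chain forward up to it and backward (decrypting) from the tag, then XORing the two states.

```python
# Added example, not from the original post: second preimage on AES-CMAC when K is public.
# Stdlib only; AES-128 here is a textbook reference (table-driven, not constant-time, illustration only).
def _make_sbox():  # walk GF(2^8) keeping p*q == 1 (p *= 3, q /= 3), then apply the affine map
    sbox, p, q = [0x63] + [0] * 255, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1b if p & 0x80 else 0)) & 0xff
        for s in (1, 2, 4):
            q ^= q << s
        q = (q & 0xff) ^ (0x09 if q & 0x80 else 0)
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xff
        if p == 1:
            return sbox

SBOX = _make_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]

def _xt(a):  # multiply by x in GF(2^8)
    return ((a << 1) ^ 0x1b) & 0xff if a & 0x80 else a << 1
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _expand_key(key):  # AES-128 key schedule -> 11 round keys of 16 bytes
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xt(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

def _mix(c):  # MixColumns on one column
    t = c[0] ^ c[1] ^ c[2] ^ c[3]
    return [c[i] ^ t ^ _xt(c[i] ^ c[(i + 1) % 4]) for i in range(4)]
def _inv_mix(c):  # InvMixColumns = a pre-transform followed by MixColumns
    u, v = _xt(_xt(c[0] ^ c[2])), _xt(_xt(c[1] ^ c[3]))
    return _mix([c[0] ^ u, c[1] ^ v, c[2] ^ u, c[3] ^ v])

def aes128_encrypt(rk, block):  # state is column-major: index 4*col + row
    s = list(_xor(block, rk[0]))
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < 10:
            s = [b for c in range(4) for b in _mix(s[4 * c:4 * c + 4])]
        s = list(_xor(s, rk[rnd]))
    return bytes(s)

def aes128_decrypt(rk, block):
    s = list(_xor(block, rk[10]))
    for rnd in range(9, -1, -1):
        s = [s[4 * ((c - r) % 4) + r] for c in range(4) for r in range(4)]  # InvShiftRows
        s = [INV_SBOX[b] for b in s]
        s = list(_xor(s, rk[rnd]))
        if rnd > 0:
            s = [b for c in range(4) for b in _inv_mix(s[4 * c:4 * c + 4])]
    return bytes(s)

def _dbl(b):  # CMAC subkey doubling in GF(2^128), RFC 4493 section 2.3
    n = int.from_bytes(b, "big") << 1
    return ((n ^ 0x87 if n >> 128 else n) & ((1 << 128) - 1)).to_bytes(16, "big")

def aes_cmac(key, msg):  # RFC 4493 AES-CMAC
    rk = _expand_key(key)
    k1 = _dbl(aes128_encrypt(rk, bytes(16)))
    complete = bool(msg) and len(msg) % 16 == 0
    if not complete:  # empty or partial last block: pad with 10*, mask with K2
        msg += b"\x80" + bytes(15 - len(msg) % 16)
    blocks = [msg[i:i + 16] for i in range(0, len(msg), 16)]
    blocks[-1] = _xor(blocks[-1], k1 if complete else _dbl(k1))
    x = bytes(16)
    for b in blocks:
        x = aes128_encrypt(rk, _xor(x, b))
    return x

def cmac_second_preimage(key, tag, template, free):
    # K is public and `tag` was signed. Every whole 16-byte block of `template` is attacker-chosen
    # except index `free`, solved so aes_cmac(key, result) == tag: chain forward to `free`,
    # chain backward (decrypting) from the tag to `free`, XOR the two states.
    assert template and len(template) % 16 == 0
    rk = _expand_key(key)
    k1 = _dbl(aes128_encrypt(rk, bytes(16)))
    blocks = [template[i:i + 16] for i in range(0, len(template), 16)]
    last = len(blocks) - 1
    fwd = bytes(16)
    for b in blocks[:free]:
        fwd = aes128_encrypt(rk, _xor(fwd, b))
    back = aes128_decrypt(rk, tag)
    for i in range(last, free, -1):  # the final block also carries the K1 mask
        back = aes128_decrypt(rk, _xor(back, _xor(blocks[i], k1) if i == last else blocks[i]))
    blocks[free] = _xor(fwd, _xor(back, k1) if free == last else back)
    return b"".join(blocks)

def demo():  # constructed sample: two 48-byte "firmware" images, RFC 4493 test key taken as public
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    tag = aes_cmac(key, b"FIRMWARE v1.0 genuine image".ljust(48, b"\0"))  # the value that got ECDSA-signed
    evil = b"FIRMWARE v6.6 attacker image, block 1 is junk".ljust(48, b"\0")
    forged = cmac_second_preimage(key, tag, evil, 1)
    return aes_cmac(key, forged) == tag, forged[:16] == evil[:16], forged[32:] == evil[32:]
```

`demo()` returns `(True, True, True)`: the forged image has the same CMAC as the genuine one, so the genuine ECDSA signature over that CMAC verifies for it, and only block 1 differs from what the attacker wrote. The 16 junk bytes can be placed anywhere the bootloader does not interpret, such as padding or a data region, so in the firmware-signing flow from the question the boot-time check passes with the original signature. If the accelerator's K were kept secret from the attacker the forward/backward computation is no longer possible, which is the point made in the answer: at that stage the device already has a shared secret and a plain CMAC check would do.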