Join Log in
Score:1
morsisko avatar Crypto

Using CMAC instead of hash function for message signing

us flag
morsisko

Generally, when we want to generate a signature for message M we use hash function H, and sign the result of H(M) with the private key. What if instead of hash function H we would use a CMAC with key K, and then sign the result of CMAC(M, K) with private key? Is such operation cryptographically secure? If so, does the key K need to be keep secret?

I have got a device with hardware accelerator for AES-CMAC, and wonder if I could make use of it, instead of implementing hashing algorithm in the software.

90
0 + 0
kelalaka avatar
in flag
kelalaka
Welcome to Cryptography.SE. Hashing then signing will be much faster. You can find many implementations for any good hash function. What is your digital signature algorithm? Usually, they come together with a hash function. Are you implementing a digital signature on your own? What about side-channel attacks?
0
Reply
morsisko avatar
us flag
morsisko
Hello, my signature algorithm is ECDSA. I've got a microcontroller with hardware AES-CMAC accelerator. I'm using open-source digital signature implementation of the ECDSA provided by micro-ecc project. I'm aware I could implement the hashing algorithm in software, but wondered what are the side effects of using CMAC instead of hash
0
Reply
kelalaka avatar
in flag
kelalaka
Do you encrypt the messages, too? Then with which algortihm?
0
Reply
morsisko avatar
us flag
morsisko
No, the messages aren't encrypted. In fact the message is the content of firmware. During boot the device calculates hash/cmac of the firmware, and then verify whether the ECDSA signature generated offline (on the computer) is valid for the current firmware using the embedded public key
0
Reply
Score:5
poncho avatar Crypto
my flag
poncho

What if instead of hash function H we would use a CMAC with key K, and then sign the result of CMAC(M, K) with private key? Is such operation cryptographically secure?

If the $K$ used for a specific signature is public (which it'll have to be for the signature to be verified by someone holding the public key and the signature and nothing secret), then it is easy to find a second message $M'$ such that $\text{CMAC}(M, K) = \text{CMAC}(M', K)$; that is, the signature would also verify with that second message $M'$.

In fact, the attacker would have a great deal of flexibility in choosing that $M'$; he can specify the entire $M'$ message except for a 16 byte aligned block anywhere in that message - he can then efficiently compute what that 16 byte value has to be; that gives him the entire $M'$.

On the other hand, if $K$ is secret, the above does not apply. Of course, that begs the obvious question: if the signer and the verifier do share a secret (and you can trust that verifier would not attempt to generate forgeries), why don't you just use CMAC, and not bother with the signing operation?

0 + 0
morsisko avatar
us flag
morsisko
Thanks for your answer. Does such attack have a name to read more about this? I thought that finding collision for CMAC with known key is no easier than finding a collision for a hash function
0
Reply
poncho avatar
my flag
poncho
@morsisko: where did you read that? I don't know if the attack has a name - it's so simple, I don't know if anyone bothered to name it. All the attacker needs to do is compute the CMAC forward up until the unspecified block (that's easy if you know k), and compute it backwards from the target value until the unspecified block (again, easy if you know k and CMAC is based on an invertible block cipher) - the xor of the two state values in the two directions is the value the unspecified block needs to be.
4
Reply
morsisko avatar
us flag
morsisko
Thanks. Now I get it
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.