
Parallelizable MAC/hash value stored securely


Assume the following:

  • $E: \{0, 1\}^k \times \{0, 1\}^b \rightarrow \{0, 1\}^b$ is a block cipher with a $k$-bit key size and a $b$-bit block size.
  • $T$ is a $b$-bit authentication tag that is guaranteed to be untampered with (e.g., by being calculated and stored by a trusted system).
  • $X_i$ represents the $i$th of a string of data blocks that $T$ is calculated against.
  • $X_i \in \{0, 1\}^b$.
  • $K_1$ and $K_2$ are keys that are both $k$ bits long.

If $T_i = E(K_1, X_i \oplus E(K_2, i))$ and $T = T_0 \oplus \ldots \oplus T_{n-1}$, then is $T$ secure as a MAC if it's stored by the party who wants to use it to verify some data? If so, can the calculation of $T_i$ be replaced by a difficult-to-reverse public function that takes $X_i$ and $i$ as input while still remaining secure?

I was driven to design this as an improvement on Apple's anti-replay scheme for their Secure Enclave's memory.

Maarten Bodewes
In the above I think we can presume that $X_i$ is the specific block of plaintext. That's not indicated and I thought that you would use it to represent ciphertext, but no cipher is actually indicated to achieve confidentiality. Note that this is basically CTR followed by ECB mode encryption using a different key, after which the ciphertext is the XOR of all the calculated ECB blocks. That doesn't feel right to me, but I'll have a deeper look.
Melab
@MaartenBodewes-onstrike It doesn't matter what $X_i$ is. It's just data stored to be authenticated at a later time, like upon accessing a byte in RAM. It's meant as an improvement upon Apple's replay protection scheme for the Secure Enclave's memory.
kodlu
Can you explain the difference with Apple's replay protection scheme and why you think it's an improvement? You have linked to a very long document that you expect people to have the patience to read through.
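
The construction from the question, written out as an added example (not code from the asker or any commenter) so that the per-block independence of $T_i$ and the single-block tag update are concrete. It shows mechanics only; the Feistel stand-in for $E$, the helper names `update` and `verify`, and the keys and blocks are assumptions constructed for the example.

```python
import hashlib
import hmac
from functools import reduce

B = 16  # block size b in bytes (128 bits)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher E: a 4-round Feistel permutation with
    HMAC-SHA256 round functions (assumption, chosen so this runs offline)."""
    left, right = block[:B // 2], block[B // 2:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:B // 2]
        left, right = right, xor(left, f)
    return left + right

def t_i(k1: bytes, k2: bytes, i: int, x: bytes) -> bytes:
    """T_i = E(K1, X_i xor E(K2, i)); depends on no other block."""
    return E(k1, xor(x, E(k2, i.to_bytes(B, "big"))))

def tag(k1: bytes, k2: bytes, blocks: list) -> bytes:
    """T = T_0 xor ... xor T_{n-1}; the terms can be computed in parallel."""
    return reduce(xor, (t_i(k1, k2, i, x) for i, x in enumerate(blocks)), bytes(B))

def update(k1: bytes, k2: bytes, t: bytes, i: int, old: bytes, new: bytes) -> bytes:
    """Tag after rewriting block i: XOR out the old T_i, XOR in the new one."""
    return xor(t, xor(t_i(k1, k2, i, old), t_i(k1, k2, i, new)))

def verify(k1: bytes, k2: bytes, blocks: list, trusted_t: bytes) -> bool:
    """Recompute T over the untrusted blocks; compare with the trusted copy."""
    return hmac.compare_digest(tag(k1, k2, blocks), trusted_t)

# Constructed sample keys and data blocks
K1, K2 = b"k1-constructed-key", b"k2-constructed-key"
memory = [bytes([n]) * B for n in range(4)]
T = tag(K1, K2, memory)
```

Because the index mask $E(K_2, i)$ enters each term, exchanging two blocks changes the recomputed tag, and a block written back from before an `update` no longer matches the trusted $T$.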