OMAC: One-Key CBC MAC
|
|
- Ethelbert Dennis
- 5 years ago
- Views:
Transcription
1 OMAC: One-Key CBC MAC etsu Iwata and Kaoru Kurosawa Department of Computer and Information Sciences, Ibaraki University Nakanarusawa, Hitachi, Ibaraki , Japan {iwata, kurosawa}@cis.ibaraki.ac.jp March 10, 003 Abstract. In this paper, we present One-key CBC MAC (OMAC) and prove its security for arbitrary length messages. OMAC takes only one key, K (k bits) of a block cipher E. Previously, XCBC requires three keys, (k +n) bits in total, and MAC requires two keys, (k + n) bits in total, where n denotes the block length of E. he saving of the key length makes the security proof of OMAC substantially harder than those of XCBC and MAC. Key words: CBC MAC, block cipher, provable security 1 Introduction 1.1 Background he CBC MAC [6, 7] is a well-known method to generate a message authentication code (MAC) based on a block cipher. Bellare, Kilian, and Rogaway proved the security of the CBC MAC for fixed message length mn bits, where n is the block length of the underlying block cipher E [1]. However, it is well known that the CBC MAC is not secure unless the message length is fixed. herefore, several variants of CBC MAC have been proposed for variable length messages. First Encrypted MAC (EMAC) was proposed. It is obtained by encrypting the CBC MAC value by E again with a new key K. hat is, EMAC K1,K (M) =E K (CBC K1 (M)), where M is a message, K 1 is the key of the CBC MAC and CBC K1 (M) isthe CBC MAC value of M []. Petrank and Rackoff then proved that EMAC is secure if the message length is a positive multiple of n [11] (Vaudenay showed another proof by using decorrelation theory [14]). Note that, however, EMAC requires two key schedulings of the underlying block cipher E. Next Black and Rogaway proposed XCBC which requires only one key scheduling of the underlying block cipher E [3]. XCBC takes three keys: one block cipher key K 1, and two n-bit keys K and K 3. XCBC is described as follows (see Fig. 1).
2 K 1 M[1] M[] M[3] M[1] M[] M[3] 10 }{{ i } K K3 E K 1 E K 1 E K 1 E K 1 E K 1 E Fig. 1. Illustration of XCBC. able 1. Comparison of key length. XCBC [3] MAC [9] OMAC (his paper) key length (k +n) bits (k + n) bits k bits If M = mn for some m>0, then XCBC computes exactly the same as the CBC MAC, except for XORing an n-bit key K before encrypting the last block. Otherwise, 10 i padding (i = n 1 M mod n) is appended to M and XCBC computes exactly the same as the CBC MAC for the padded message, except for XORing another n-bit key K 3 before encrypting the last block. However, drawback of XCBC is that it requires three keys, (k +n) bits in total. Finally Kurosawa and Iwata proposed wo-key CBC MAC (MAC) [9]. MAC takes two keys, (k + n) bits in total: a block cipher key K 1 and an n-bit key K. MAC is obtained from XCBC by replacing (K,K 3 ) with (K u,k ), where u is some non-zero constant and denotes multiplication in GF( n ). 1. Our Contribution In this paper, we present One-key CBC MAC (OMAC) and prove its security for arbitrary length messages. OMAC takes only one key, K of a block cipher E. he key length, k bits, is the minimum because the underlying block cipher must have a k-bit key K anyway. See able 1 for a comparison with XCBC and MAC (See Appendix A for a detailed comparison). OMAC is a generic name for OMAC1 and OMAC. OMAC1 is obtained from XCBC by replacing (K,K 3 ) with (L u,l u ) for some non-zero constant u in GF( n ), where L is given by L = E K (0 n ). OMAC is similarly obtained by using (L u,l u 1 ). We can compute L u, L u 1 and L u =(L u) u efficiently by one shift and one conditional XOR from L, L and L u, respectively. OMAC1 (resp. OMAC) is described as follows (see Fig. ).
3 M[1] M[] M[3] M[1] M[] M[3] 10 }{{ i } L u L u K E K E K E K E K E K E Fig.. Illustration of OMAC1. Note that L = E K(0 n ). OMAC is obtained by replacing L u with L u 1 in the right figure. If M = mn for some m>0, then OMAC computes exactly the same as the CBC MAC, except for XORing L u before encrypting the last block. Otherwise, 10 i padding (i = n 1 M mod n) is appended to M and OMAC computes exactly the same as the CBC MAC for the padded message, except for XORing L u (resp. L u 1 ) before encrypting the last block. Note that in MAC, K is a part of the key while in OMAC, L is not a part of the key and is generated from K. his saving of the key length makes the security proof of OMAC substantially harder than that of MAC, as shown below. In Fig., suppose that M[1] = 0 n. hen the output of the first E K is L. he same L always appears again at the last block. In general, such reuse of L would get one into trouble in the security proof. (In OCB mode [13] and PMAC [5], L = E K (0 n ) is also used as a key of a universal hash function. However, L appears as an output of some internal block cipher only with negligible probability.) Nevertheless we prove that OMAC is as secure as XCBC, where the security analysis is in the concrete-security paradigm [1]. Further OMAC has all other nice properties which XCBC (and MAC) has. hat is, the domain of OMAC is {0, 1}, it requires one key scheduling of the underlying block cipher E and max{1, M /n } block cipher invocations. 1.3 Other Related Work Jaulmes, Joux and Valette proposed RMAC [8] which is an extension of EMAC. RMAC encrypts the CBC MAC value with K R, where R is an n-bit random string and it is a part of the tag. hat is, RMAC K1,K (M) =(E K R(CBC K1 (M)),R). hey showed that the security of RMAC is beyond the birthday paradox limit. (XCBC, MAC and OMAC are secure up to the birthday paradox limit.) 3
4 Preliminaries.1 Notation We use similar notation as in [13, 5]. For a set A, x R A means that x is chosen from A uniformly at random. If a, b {0, 1} are equal-length strings then a b is their bitwise XOR. If a, b {0, 1} are strings then a b denote their concatenation. For simplicity, we sometimes write ab for a b if there is no confusion. For an n-bit string a = a n 1 a 1 a 0 {0, 1} n, let a < 1=a n a 1 a 0 0 denote the n-bit string which is a left shift of a by 1 bit, while a > 1 = 0a n 1 a a 1 denote the n-bit string which is a right shift of a by 1 bit. If a {0, 1} is a string then a denotes its length in bits. For any bit string a {0, 1} such that a n, we let pad n (a) = { a10 n a 1 if a <n, a if a = n. (1) Define a n = max{1, a /n }, where the empty string counts as one block. In pseudocode, we write Partition M into M[1] M[m] as shorthand for Let m = M n, and let M[1],...,M[m] be bit strings such that M[1] M[m] =M and M[i] = n for 1 i<m.. CBC MAC he block cipher E is a function E : K E {0, 1} n {0, 1} n, where each E(K, ) =E K ( ) is a permutation on {0, 1} n, K E is the set of possible keys and n is the block length. he CBC MAC [6, 7] is the simplest and most well-known algorithm to make a MAC from a block cipher E. Let M = M[1] M[] M[m] be a message string, where M[1] = M[] = = M[m] = n. hen CBC K (M), the CBC MAC of M under key K, is defined as Y [m], where Y [i] =E K (M[i] Y [i 1]) for i =1,...,mand Y [0]=0 n. Bellare, Kilian and Rogaway proved the security of the CBC MAC for fixed message length mn bits [1]..3 he Field with n Points We interchangeably think of a point a in GF( n ) in any of the following ways: (1) as an abstract point in a field; () as an n-bit string a n 1 a 1 a 0 {0, 1} n ; (3) as a formal polynomial a(u) =a n 1 u n 1 + +a 1 u+a 0 with binary coefficients. o add two points in GF( n ), take their bitwise XOR. We denote this operation by a b. o multiply two points, fix some irreducible polynomial f(u) having binary coefficients and degree n. o be concrete, choose the lexicographically first polynomial among the irreducible degree n polynomials having a minimum number 4
5 of coefficients. We list some indicated polynomials (See [10, Chapter 10] for other polynomials). f(u) =u 64 + u 4 + u 3 + u + 1 for n = 64, f(u) =u 18 + u 7 + u + u + 1 for n = 18, and f(u) =u 56 + u 10 + u 5 + u + 1 for n = 56. o multiply two points a GF( n ) and b GF( n ), regard a and b as polynomials a(u) =a n 1 u n a 1 u + a 0 and b(u) =b n 1 u n b 1 u + b 0, form their product c(u) where one adds and multiplies coefficients in GF(), and take the remainder when dividing c(u) byf(u). Note that it is particularly easy to multiply a point a {0, 1} n by u. For example, if n = 18, { a < 1 if a17 =0, a u = (a < 1) 0 10 () otherwise. Also, note that it is easy to divide a point a {0, 1} n by u, meaning that one multiplies a by the multiplicative inverse of u in the field: a u 1. For example, if n = 18, { a > 1 if a u 1 a0 =0, = (a > 1) (3) otherwise. 3 Basic Construction In this section, we show a basic construction of OMAC-family. OMAC-family is defined by a block cipher E : K E {0, 1} n {0, 1} n,an n-bit constant Cst, a universal hash function H : {0, 1} n X {0, 1} n, and two distinct constants Cst 1, Cst X, where X is the finite domain of H. H, Cst 1 and Cst must satisfy the following conditions while Cst is arbitrary. We write H L ( ) for H(L, ). 1. For any y {0, 1} n, the number of L {0, 1} n such that H L (Cst 1 )=y is at most ɛ 1 n for some sufficiently small ɛ 1.. For any y {0, 1} n, the number of L {0, 1} n such that H L (Cst )=y is at most ɛ n for some sufficiently small ɛ. 3. For any y {0, 1} n, the number of L {0, 1} n such that H L (Cst 1 ) H L (Cst )=y is at most ɛ 3 n for some sufficiently small ɛ For any y {0, 1} n, the number of L {0, 1} n such that H L (Cst 1 ) L = y is at most ɛ 4 n for some sufficiently small ɛ For any y {0, 1} n, the number of L {0, 1} n such that H L (Cst ) L = y is at most ɛ 5 n for some sufficiently small ɛ For any y {0, 1} n, the number of L {0, 1} n such that H L (Cst 1 ) H L (Cst ) L = y is at most ɛ 6 n for some sufficiently small ɛ 6. Remark 3.1. Property 1 and says that H L (Cst 1 ) and H L (Cst ) are almost uniformly distributed. Property 3 is satisfied by AXU (almost XOR universal) hash functions [1]. Property 4, 5, 6 are new requirements introduced here. 5
6 Algorithm OMAC-family K (M) L E K(Cst) Y [0] 0 n Partition M into M[1] M[m] for i 1 to m 1 do X[i] M[i] Y [i 1] Y [i] E K(X[i]) X[m] pad n (M[m]) Y [m 1] if M[m] = n then X[m] X[m] H L(Cst 1) else X[m] X[m] H L(Cst ) E K(X[m]) return M[1] M[] M[3] K E K E K E Fig. 3. Definition of OMAC-family. HL(Cst 1) M[1] M[] M[3] 10 }{{ i } HL(Cst ) K E K E K E Fig. 4. Illustration of OMAC-family. he algorithm of OMAC-family is described in Fig. 3 and illustrated in Fig. 4, where pad n ( ) is defined in (1). he key space K of OMAC-family is K = K E. It takes a key K K E and a message M {0, 1}, and returns a string in {0, 1} n. 4 Proposed Specification In this section, we present two specifications of OMAC-family: OMAC1 and OMAC. We use OMAC as a generic name for OMAC1 and OMAC. In OMAC1 we let Cst =0 n, H L (x) =L x, Cst 1 = u and Cst = u, where denotes multiplication over GF( n ). Equivalently, L = E K (0 n ), H L (Cst 1 )=L u and H L (Cst )=L u. OMAC is the same as OMAC1 except for Cst = u 1 instead of Cst = u. Equivalently, L = E K (0 n ), H L (Cst 1 )=L u and H L (Cst )=L u 1. Note that L u, L u 1 and L u =(L u) u can be computed efficiently by one shift and one conditional XOR from L, L and L u, respectively as shown in () and (3). It is easy to see that the conditions in Sec. 3 are satisfied for ɛ 1 = = ɛ 6 = n in OMAC1 and OMAC. OMAC1 and OMAC are described in Fig. 5 and illustrated in Fig.. 6
7 Algorithm OMAC1 K(M) Algorithm OMAC K(M) L E K(0 n ) L E K(0 n ) Y [0] 0 n Y [0] 0 n Partition M into M[1] M[m] Partition M into M[1] M[m] for i 1 to m 1 do for i 1 to m 1 do X[i] M[i] Y [i 1] X[i] M[i] Y [i 1] Y [i] E K(X[i]) Y [i] E K(X[i]) X[m] pad n (M[m]) Y [m 1] X[m] pad n (M[m]) Y [m 1] if M[m] = n if M[m] = n then X[m] X[m] L u then X[m] X[m] L u else X[m] X[m] L u else X[m] X[m] L u 1 E K(X[m]) E K(X[m]) return return Fig. 5. Description of OMAC1 and OMAC. 5 Security of OMAC-Family 5.1 Security Definitions Let Perm(n) denote the set of all permutations on {0, 1} n. We say that P is a random permutation if P is randomly chosen from Perm(n). he security of a block cipher E can be quantified as Adv prp E (t, q), the maximum advantage that an adversary A can obtain when trying to distinguish E K ( ) (with a randomly chosen key K) from a random permutation P ( ), when allowed computation time t and q queries to an oracle (which is either E K ( ) or P ( )). his advantage is defined as follows. Adv prp def E (A) = Pr(K K R E : A EK( ) =1) Pr(P R Perm(n) :A P ( ) =1) Adv prp def E (t, q) = max {Advprp E (A)} A We say that a block cipher E is secure if Adv prp E (t, q) is sufficiently small. Similarly, a MAC algorithm is a map F : K F {0, 1} {0, 1} n, where K F is a set of keys and we write F K ( ) for F (K, ). We say that an adversary A FK( ) forges if A outputs (M,F K (M)) where A never queried M to its oracle F K ( ). hen we define the advantage as Adv mac def F (A) =Pr(K K R F : A FK ( ) forges) Adv mac F (t, q, µ) def = max {Advmac F (A)} A where the maximum is over all adversaries who run in time at most t, make at most q queries, and each query is at most µ bits. We say that a MAC algorithm is secure if Adv mac F (t, q, µ) is sufficiently small. Let Rand(,n) denote the set of all functions from {0, 1} to {0, 1} n. his set is given a probability measure by asserting that a random element R of 7
8 Rand(,n) associates to each string M {0, 1} a random string R(M) {0, 1} n. hen we define the advantage as Adv viprf def F (A) = Pr(K K R F : A FK( ) =1) Pr(R R Rand(,n):A R( ) =1) { } Adv viprf def F (t, q, µ) = max Adv viprf F (A) A where the maximum is over all adversaries who run in time at most t, make at most q queries, and each query is at most µ bits. We say that a MAC algorithm is pseudorandom if Adv viprf F (t, q, µ) is sufficiently small (viprf stands for Variablelength Input PseudoRandom Function). Without loss of generality, adversaries are assumed to never ask a query outside the domain of the oracle, and to never repeat a query. 5. heorem Statements We first prove that OMAC-family is pseudorandom if the underlying block cipher is a random permutation P (information-theoretic result). his proof is much harder than the previous works because of the reuse of L as explained Sec. 1.. Lemma 5.1 (Main Lemma for OMAC-family). Suppose that H, Cst 1 and Cst satisfy the conditions in Sec. 3 for some sufficiently small ɛ 1,...,ɛ 6, and let Cst be an arbitrarily n-bit constant. Suppose that a random permutation P Perm(n) is used in OMAC-family as the underlying block cipher. Let A be an adversary which asks at most q queries, and each query is at most nm bits (m is the maximum number of blocks in each query). Assume m n /4. hen Pr(P R Perm(n) :A OMAC-family P ( ) =1) ( Pr(R R Rand(,n):A R( ) =1) q 7m ) + (4) n +3m ɛ, where ɛ = max{ɛ 1,...,ɛ 6 }. A proof is given in the next section. he following results hold for both OMAC1 and OMAC. First, we obtain the following lemma by substituting ɛ = n in Lemma 5.1. Lemma 5. (Main Lemma for OMAC). Suppose that a random permutation P Perm(n) is used in OMAC as the underlying block cipher. Let A be an adversary which asks at most q queries, and each query is at most nm bits. Assume m n /4. hen Pr(P R Perm(n) :A OMAC P ( ) =1) Pr(R R Rand(,n):A R( ) =1) (5m +1)q n. 8
9 We next show that OMAC is pseudorandom if the underlying block cipher E is secure. It is standard to pass to this complexity-theoretic result from Lemma 5.. (For example, see [1, Section 3.] for the proof technique. In [1, Section 3.], it is shown that a complexity-theoretic advantage of the CBC MAC is obtained from its information-theoretic advantage.) Corollary 5.1. Let E : K E {0, 1} n {0, 1} n be the underlying block cipher used in OMAC. hen Adv viprf OMAC (t, q, nm) (5m +1)q n + Adv prp E (t,q ), where t = t + O(mq) and q = mq +1. Finally we show that OMAC is secure as a MAC algorithm from Corollary 5.1 in the usual way. (For example, see [1, Proposition.7] for the proof technique. In [1, Proposition.7], it is shown that pseudorandom functions are secure MACs.) heorem 5.1. Let E : K E {0, 1} n {0, 1} n be the underlying block cipher used in OMAC. hen Adv mac OMAC (t, q, nm) (5m +1)q +1 n + Adv prp E (t,q ), where t = t + O(mq) and q = mq Proof of Main Lemma for OMAC-family Let H, Cst 1 and Cst satisfy the conditions in Sec. 3 for some sufficiently small ɛ 1,...,ɛ 6, and Cst be an arbitrarily n-bit constant. For a random permutation P Perm(n) and a random n-bit string Rnd {0, 1} n, define Q 1 (x) def = P (x) Rnd, Q (x) def = P (x Rnd) Rnd, Q 3 (x) def = P (x Rnd H L (Cst 1 )), Q 4 (x) def = P (x Rnd H L (Cst )), Q 5 (x) def = P (x H L (Cst 1 )) and Q 6 (x) def = P (x H L (Cst )), where L = P (Cst). See Fig. 6 for illustrations. We first show that Q 1 ( ), Q ( ), Q 3 ( ), Q 4 ( ), Q 5 ( ), Q 6 ( ) are indistinguishable from a pair of six independent random permutations P 1 ( ), P ( ), P 3 ( ), P 4 ( ), P 5 ( ), P 6 ( ). Lemma 5.3. Let A be an adversary which asks at most q queries in total. hen Pr(P R Perm(n); Rnd {0, R 1} n : A Q1( ),...,Q6( ) =1) ( ) R Pr(P 1,...,P 6 Perm(n) :A P 1( ),...,P 6( ) =1) 3q 1 n + ɛ, where ɛ = max{ɛ 1,...,ɛ 6 }. (5) 9
10 x x x x x x P Rnd Q 1(x) Rnd P Rnd Q (x) Rnd H L(Cst 1) P Q 3(x) Rnd H L(Cst ) P Q 4(x) HL(Cst 1) P Q 5(x) HL(Cst ) P Q 6(x) Fig. 6. Illustrations of Q 1, Q Q 3, Q 4, Q 5 and Q 6. Note that L = P (Cst). A proof is given in Appendix B. Next we define MOMAC (Modified OMAC). It uses six independent random permutations P 1,P,P 3,P 4,P 5,P 6 Perm(n). he algorithm MOMAC P1,...,P 6 ( ) is described in Fig. 7 and illustrated in Fig. 8 and Fig. 9. We prove that MOMAC is pseudorandom. Lemma 5.4. Let A be an adversary which asks at most q queries, and each query is at most nm bits. Assume m n /4. hen R Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1) Pr(R R Rand(,n):A R( ) =1) (m +1)q n. A proof is given in Appendix C. he next lemma shows that OMAC-family P ( ) and MOMAC P1,...,P 6 ( ) are indistinguishable. Lemma 5.5. Let A be an adversary which asks at most q queries, and each query is at most nm bits. Assume m n /4. hen Pr(P R Perm(n) :A OMAC-family P ( ) =1) R Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1) 3m q Proof. Suppose that there exists an adversary A such that Pr(P R Perm(n) :A OMAC-family P ( ) =1) R Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1) > 3m q By using A, we show a construction of an adversary B A such that: B A asks at most mq queries, and Pr(P R Perm(n) :B Q1( ),...,Q6( ) A =1) R P Pr(P 1,...,P 6 Perm(n) :B 1( ),...,P 6( ) A =1) > 3m q 10 ( ) 1 n + ɛ ( ) 1 n + ɛ ( ) 1 n + ɛ,..
11 Algorithm MOMAC P1,P,P 3,P 4,P 5,P 6 (M) Partition M into M[1] M[m] if m then X[1] M[1] Y [1] P 1(X[1]) for i to m 1 do X[i] M[i] Y [i 1] Y [i] P (X[i]) X[m] pad n (M[m]) Y [m 1] if M[m] = n then P 3(X[m]) else P 4(X[m]) if m =1then X[m] pad n (M[m]) if M[m] = n then P 5(X[m]) else P 6(X[m]) return Fig. 7. Definition of MOMAC. M[1] M[] M[3] P 1 P P 3 M[1] M[] M[3] 10 }{{ i } P 1 P P 4 Fig. 8. Illustration of MOMAC for M >n. M P 5 M 10 }{{ i } P 6 Fig. 9. Illustration of MOMAC for M n. which contradicts Lemma 5.3. Let O 1 ( ),...,O 6 ( ) be B A s oracles. he construction of B A is given in Fig. 10. When A asks M (r), then B A computes (r) = MOMAC O1,...,O 6 (M (r) )asif the underlying random permutations are O 1,...,O 6, and returns (r). When A halts and outputs b, then B A outputs b. Now we see that: B A asks at most mq queries to its oracles, since A asks at most q queries, and each query is at most nm bits. Pr(P 1,...,P 6 R Perm(n) :B P 1( ),...,P 6( ) A =1) =Pr(P 1,...,P 6 R Perm(n) :A MOMAC P1,...,P 6 ( ) = 1), 11
12 Algorithm B O 1,...,O 6 A 1: When A asks its r-th query M (r) : : (r) MOMAC O1,...,O 6 (M (r) ) 3: return (r) 4: When A halts and outputs b: 5: output b Fig. 10. Algorithm B A. Note that for 1 i 6, O i is either P i or Q i M[1] M[] Rnd P P Rnd Rnd M[3] Rnd HL(Cst 1) P Rnd M[1] M[] Rnd P P Rnd Fig. 11. Computation of B A when O i = Q i for 1 i 6, and M >n. M[3] 10 }{{ i } Rnd HL(Cst ) P M M 10 }{{ i } HL(Cst 1) HL(Cst ) P P Fig. 1. Computation of B A when O i = Q i for 1 i 6, and M n. since B A gives A a perfect simulation of MOMAC P1,...,P 6 ( ) ifo i ( ) =P i ( ) for 1 i 6. Pr(P R Perm(n) :B Q1( ),...,Q6( ) A =1) =Pr(P R Perm(n) :A OMACP ( ) = 1), since B A gives A a perfect simulation of OMAC P ( ) ifo i ( ) =Q i ( ) for 1 i 6. See Fig. 11 and Fig. 1. Note that Rnd is canceled in Fig. 11. his concludes the proof of the lemma. We finally give a proof of Main Lemma for OMAC-family. Proof (of Lemma 5.1). By the triangle inequality, the left hand side of (4) is at most R Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1) Pr(R R Rand(,n):A R( ) (6) =1) + Pr(P R Perm(n) :A OMAC-family P ( ) =1) R Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1). (7) 1
13 Lemma 5.4 gives us an upper bound on (6) and Lemma 5.5 gives us an upper bound on (7). herefore the bound follows since (m +1)q n + 3m q ( ) ( 1 n + ɛ = q 7m ) + n +3m ɛ. his concludes the proof of the lemma. Acknowledgement he authors would like to thank Phillip Rogaway of UC Davis for useful comments. References 1. M. Bellare, J. Kilian, and P. Rogaway. he security of the cipher block chaining message authentication code. JCSS, vol. 61, no. 3, 000. Earlier version in Advances in Cryptology CRYPO 94, LNCS 839, pp , Springer-Verlag, A. Berendschot, B. den Boer, J. P. Boly, A. Bosselaers, J. Brandt, D. Chaum, I. Damgård, M. Dichtl, W. Fumy, M. van der Ham, C. J. A. Jansen, P. Landrock, B. Preneel, G. Roelofsen, P. de Rooij, and J. Vandewalle. Final Report of RACE Integrity Primitives. LNCS 1007, Springer-Verlag, J. Black and P. Rogaway. CBC MACs for arbitrary-length messages: he three key constructions. Advances in Cryptology CRYPO 000, LNCS 1880, pp , Springer-Verlag, J. Black and P. Rogaway. Comments to NIS concerning AES modes of operations: A suggestion for handling arbitrary-length messages with the CBC MAC. Second Modes of Operation Workshop. Available at 5. J. Black and P. Rogaway. A block-cipher mode of operation for parallelizable message authentication. Advances in Cryptology EUROCRYP 00, LNCS 33, pp , Springer-Verlag, FIPS 113. Computer data authentication. Federal Information Processing Standards Publication 113, U. S. Department of Commerce / National Bureau of Standards, National echnical Information Service, Springfield, Virginia, ISO/IEC Information technology security techniques data integrity mechanism using a cryptographic check function employing a block cipher algorithm. International Organization for Standards, Geneva, Switzerland, Second edition. 8. É. Jaulmes, A. Joux, and F. Valette. On the security of randomized CBC-MAC beyond the birthday paradox limit: A new construction. Fast Software Encryption, FSE 00, LNCS 365, pp , Springer-Verlag, 00. Full version is available at Cryptology eprint Archive, Report 001/074, 9. K. Kurosawa and. Iwata. MAC: wo-key CBC MAC. Cryptology eprint Archive, Report 00/09, o appear in Cryptographers rack RSA Conference 003, C-RSA
14 10. R. Lidl and H. Niederreiter. Introduction to finite fields and their applications, revised edition. Cambridge University Press, E. Petrank and C. Rackoff. CBC MAC for real-time data sources. J.Cryptology, vol. 13, no. 3, pp , Springer-Verlag, P. Rogaway. Bucket hashing and its application to fast message authentication. Advances in Cryptology CRYPO 95, LNCS 963, pp. 9 4, Springer-Verlag, P. Rogaway, M. Bellare, J. Black, and. Krovetz. OCB: a block-cipher mode of operation for efficient authenticated encryption. Proceedings of ACM Conference on Computer and Communications Security, ACM CCS 001, ACM, S. Vaudenay. Decorrelation over infinite domains: he encrypted CBC-MAC case. Communications in Information and Systems (CIS), vol. 1, pp , 001. Earlier version in Selected Areas in Cryptography, SAC 000, LNCS 01, pp , Springer-Verlag, 001. A Discussions A.1 Design Rationale Our choice for OMAC1 is Cst =0 n, H L (x) =L x, Cst 1 = u and Cst = u, where denotes multiplication over GF( n ). Similarly, our choice for OMAC is Cst =0 n, H L (x) =L x, Cst 1 = u and Cst = u 1. Below, we list reasons of this choice. One might try to use Cst 1 = 1 instead of Cst 1 = u. In this case, the fourth condition in Sec. 3 is not satisfied, and in fact, the scheme can be easily attacked. Similarly, if one uses Cst = 1 instead of Cst = u or Cst = u 1, the fifth condition in Sec. 3 is not satisfied, and the scheme can be easily attacked. herefore, we can not use 1 as a constant. For OMAC1, we adopted u and u as Cst 1 and Cst, since L u and L u = (L u) u can be computed efficiently by one left shift and one conditional XOR from L and L u, respectively, as shown in (). Note that this choice requires only a left shift. his would ease the implementation of OMAC1, especially in hardware. For OMAC, we adopted u 1 instead of u as Cst. It requires one right shift to compute L u 1 instead of one left shift to compute (L u) u. his would allow to compute both L u and L u 1 from L simultaneously if both left shift and right shift are available (for example, the underlying block cipher uses both shifts). A. On Standard Key Separation echnique For XCBC, assume that we want to use a single key K of E, where E is the AES. 14
15 hen the following key separation technique is suggested in [4]. Let K be a k-bit AES key. hen K 1 = the first k bits of AES K (C 1a ) AES K (C 1b ), K = AES K (C ), and K 3 = AES K (C 3 ) for some distinct constants C 1a, C 1b, C and C 3. We call it XCBC+kst (key separation technique). XCBC+kst uses one k-bit key. However, it requires additional one key scheduling of AES and additional 3 or 4 AES invocations during the pre-processing time. Similar discussion can be applied to MAC. For example, we can let { K1 = the first k bits of AES K (C 1a ) AES K (C 1b ), and K = AES K (C ) for some distinct constants C 1a, C 1b and C. We call it MAC+kst. We note that OMAC does not need such a key separation technique since its key length is k bits in its own form (without using any key separation technique). his saves storage space and pre-processing time compared to XCBC+kst and MAC+kst. A.3 Comparison Let E : {0, 1} k {0, 1} n {0, 1} n be a block cipher, and M {0, 1} be a message. We show an efficiency comparison of CBC MAC and its variants in able, where: ({0, 1} n ) + denotes the set of bit strings whose lengths are positive multiples of n. K len. denotes the key length. #K sche. denotes the number of block cipher key schedulings. For RMAC, it requires one block cipher key scheduling each time generating a tag. #M denotes the number messages which the sender has MACed. #E invo. denotes the number of block cipher invocations to generate a tag for a message M, assuming M > 0. #E pre. denotes the number of block cipher invocations during the preprocessing time. hese block cipher invocations can be done without the message. For XCBC+kst and MAC+kst, the block cipher is assumed to be the AES. Next, let E : {0, 1} k {0, 1} n {0, 1} n be the underlying block cipher used XCBC, MAC and OMAC. In able 3, we show a security comparison of XCBC, MAC and OMAC. We see that there is no significant difference among them. hey are equally secure up to the birthday paradox limit. 15
16 able. Efficiency comparison of CBC MAC and its variants. Name Domain K len. #K sche. #E invo. #E pre. CBC MAC ({0, 1} n ) m k 1 M /n 0 EMAC ({0, 1} n ) + k 1+ M /n 0 RMAC {0, 1} k 1+#M 1+ ( M +1)/n 0 XCBC {0, 1} k +n 1 M /n 0 MAC {0, 1} k + n 1 M /n 0 XCBC+kst {0, 1} k M /n 3or4 MAC+kst {0, 1} k M /n or3 OMAC {0, 1} k 1 M /n 1 able 3. Security comparison of XCBC, MAC and OMAC. Name Security Bound XCBC Adv mac XCBC(t, q, nm) (4m +1)q Adv prp n E (t,q ), [3, Corollary ] where t = t + O(mq) and q = mq. MAC Adv mac MAC(t, q, nm) (3m +1)q +1 + Adv prp n E (t,q ), [9, heorem 5.1] where t = t + O(mq) and q = mq. OMAC Adv mac OMAC(t, q, nm) (5m +1)q +1 + Adv prp n E (t,q ), [heorem 5.1] where t = t + O(mq) and q = mq +1. B Proof of Lemma 5.3 If A is a finite multiset then #A denotes the number of elements in A. Let {a,b,c,...} be a finite multiset of bit strings. hat is, a {0, 1},b {0, 1},c {0, 1},... hold. We say {a,b,c,...} are distinct if there exists no element occurs twice or more. Equivalently, {a,b,c,...} are distinct if any two elements in {a,b,c,...} are distinct. Before proving Lemma 5.3, we need the following lemma. Lemma B.1. Let q 1,q,q 3,q 4,q 5,q 6 be six non-negative integers. For 1 i 6, let x (1) i,...,x (qi) i be fixed n-bit strings such that {x (1) i,...,x (qi) i } are distinct. Similarly, for 1 i 6, let y (1) i,...,y (qi) i be fixed n-bit strings such that 6,...,y(q6) 6 } are dis- {y (1) 1,...,y(q1) 1 } {y (1),...,y(q) } are distinct, and {y (1) 3,...,y(q3) 3 } {y (1) 4,...,y(q4) 4 } {y (1) 5,...,y(q5) tinct. 5 } {y (1) 16
17 Let P Perm(n) and Rnd {0, 1} n. hen the number of (P, Rnd) which satisfies Q 1 (x (i) 1 )=y(i) 1 for 1 i q 1, Q (x (i) )=y(i) for 1 i q, Q 3 (x (i) 3 )=y(i) 3 for 1 i q 3, Q 4 (x (i) 4 )=y(i) 4 for 1 i q 4, Q 5 (x (i) 5 )=y(i) 5 for 1 i q 5 and Q 6 (x (i) 6 )=y(i) 6 for 1 i q 6 is at least ( n (q + q /) (1 + ɛ n )) ( n q)!, where q = q q 6 and ɛ = max{ɛ 1,...,ɛ 6 }. Proof. At the top level, we consider two cases: Cst {x (1) 1,...,x(q1) 1 } and Cst {x (1) 1,...,x(q1) 1 }. Case 1: Cst {x (1) 1,...,x(q1) 1 }. Let c be a unique integer such that 1 c q 1 and Cst = x (c) 1. Let l be an n-bit variable. First, observe that: #{l 1 i q 1, 1 j q,x (i) 1 = x (j) y (c) 1 l} q 1 q, #{l 1 i q 1, 1 j q 3,x (i) 1 = x (j) 3 y(c) 1 l H l (Cst 1 )} q 1 q 3 ɛ 4 n, #{l 1 i q 1, 1 j q 4,x (i) 1 = x (j) 4 y(c) 1 l H l (Cst )} q 1 q 4 ɛ 5 n, #{l 1 i q 1, 1 j q 5,x (i) 1 = x (j) 5 H l (Cst 1 )} q 1 q 5 ɛ 1 n, #{l 1 i q 1, 1 j q 6,x (i) 1 = x (j) 6 H l (Cst )} q 1 q 6 ɛ n, #{l 1 i q, 1 j q 3,x (i) = x (j) 3 H l (Cst 1 )} q q 3 ɛ 1 n, #{l 1 i q, 1 j q 4,x (i) = x (j) 4 H l (Cst )} q q 4 ɛ n, #{l 1 i q, 1 j q 5,x (i) y(c) 1 l = x (j) 5 H l(cst 1 )} q q 5 ɛ 4 n, #{l 1 i q, 1 j q 6,x (i) y(c) 1 l = x (j) 6 H l(cst )} q q 6 ɛ 5 n, #{l 1 i q 3, 1 j q 4,x (i) 3 H l(cst 1 )=x (j) 4 H l(cst )} q 3 q 4 ɛ 3 n, #{l 1 i q 3, 1 j q 5,x (i) 3 y(c) 1 l = x (j) 5 } q 3q 5, #{l 1 i q 3, 1 j q 6,x (i) 3 y(c) 1 l H l (Cst 1 )=x (j) 6 H l (Cst )} q 3 q 6 ɛ 6 n, #{l 1 i q 4, 1 j q 5,x (i) 4 y(c) 1 l H l (Cst )=x (j) 5 H l (Cst 1 )} q 4 q 5 ɛ 6 n, #{l 1 i q 4, 1 j q 6,x (i) 4 y(c) 1 l = x (j) 6 } q 4q 6, #{l 1 i q 5, 1 j q 6,x (i) 5 H l(cst 1 )=x (j) 6 H l(cst )} q 5 q 6 ɛ 3 n, #{l 1 i q 1, 1 j q 3,y (i) 1 y (c) 1 l = y (j) 3 } q 1q 3, #{l 1 i q 1, 1 j q 4,y (i) 1 y (c) 1 l = y (j) 4 } q 1q 4, #{l 1 i q 1, 1 j q 5,y (i) 1 y (c) 1 l = y (j) 5 } q 1q 5, #{l 1 i q 1, 1 j q 6,y (i) 1 y (c) 1 l = y (j) 6 } q 1q 6, #{l 1 i q, 1 j q 3,y (i) y (c) 1 l = y (j) 3 } q q 3, #{l 1 i q, 1 j q 4,y (i) y (c) 1 l = y (j) 4 } q q 4, 17 (8)
18 #{l 1 i q, 1 j q 5,y (i) y (c) 1 l = y (j) 5 } q q 5, and #{l 1 i q, 1 j q 6,y (i) y (c) 1 l = y (j) 6 } q q 6, from the conditions in Sec. 3. Wenowfixanyl which is not included in any of the above twenty-three sets. We have at least ( n (q 1 q +q 1 q 3 ɛ 4 n +q 1 q 4 ɛ 5 n +q 1 q 5 ɛ 1 n +q 1 q 6 ɛ n + q q 3 ɛ 1 n +q q 4 ɛ n +q q 5 ɛ 4 n +q q 6 ɛ 5 n +q 3 q 4 ɛ 3 n +q 3 q 5 +q 3 q 6 ɛ 6 n + q 4 q 5 ɛ 6 n +q 4 q 6 +q 5 q 6 ɛ 3 n +q 1 q 3 +q 1 q 4 +q 1 q 5 +q 1 q 6 +q q 3 +q q 4 +q q 5 +q q 6 )) ( n q ɛ n / q /) choice of such l. Now we let L l and Rnd l y (c) 1. hen we have: the inputs to P, {x (1) 1,...,x(q1) 1,x (1) Rnd,...,x (q) Rnd,x (1) 3 Rnd H L (Cst 1 ),...,x (q3) 3 Rnd H L (Cst 1 ),x (1) 4 Rnd H L(Cst ),...,x (q4) 4 Rnd H L (Cst ),x (1) 5 H L(Cst 1 ),...,x (q5) 5 H L (Cst 1 ),x (1) 6 H L(Cst ),...,x (q6) 6 H L (Cst )}, are distinct, and the corresponding outputs, {y (1) 1 Rnd,...,y (q1) 1 Rnd,y (1) Rnd,...,y (q) Rnd,y (1) 3,...,y(q3) 3,y (1) 4,...,y(q4) 4,y (1) 5,...,y(q5) 5,y (1) 6,...,y(q6) 6 }, are distinct. In other words, for P, the above q 1 + q + q 3 + q 4 + q 5 + q 6 input-output pairs are determined. he remaining n (q 1 +q +q 3 +q 4 +q 5 +q 6 ) input-output pairs are undetermined. herefore we have ( n (q 1 + q + q 3 + q 4 + q 5 + q 6 ))! = ( n q)! possible choice of P for any such fixed (L, Rnd). Case : Cst {x (1) 1,...,x(q1) 1 }. In this case, we count the number of Rnd and L independently. hen similar to Case 1, observe that: #{Rnd 1 i q, Cst = x (i) Rnd} q, #{Rnd 1 i q 1, 1 j q,x (i) 1 = x (j) #{Rnd 1 i q 3, 1 j q 5,x (i) 3 #{Rnd 1 i q 4, 1 j q 6,x (i) 4 Rnd} q 1 q, Rnd = x(j) 5 } q 3q 5, Rnd = x(j) 6 } q 4q 6, #{Rnd 1 i q 1, 1 j q 3,y (i) 1 Rnd = y (j) 3 } q 1q 3, #{Rnd 1 i q 1, 1 j q 4,y (i) 1 Rnd = y (j) 4 } q 1q 4, #{Rnd 1 i q 1, 1 j q 5,y (i) 1 Rnd = y (j) 5 } q 1q 5, #{Rnd 1 i q 1, 1 j q 6,y (i) 1 Rnd = y (j) 6 } q 1q 6, #{Rnd 1 i q, 1 j q 3,y (i) Rnd = y (j) 3 } q q 3, #{Rnd 1 i q, 1 j q 4,y (i) Rnd = y (j) 4 } q q 4, #{Rnd 1 i q, 1 j q 5,y (i) Rnd = y (j) 5 } q q 5, and #{Rnd 1 i q, 1 j q 6,y (i) Rnd = y (j) 6 } q q 6. We fix any Rnd which is not included in any of the above twelve sets. We have at least ( n (q + q 1 q + q 3 q 5 + q 4 q 6 + q 1 q 3 + q 1 q 4 + q 1 q 5 + q 1 q 6 + q q 3 + q q 4 + q q 5 + q q 6 )) ( n q q /) choice of such Rnd. Next we see that: 18
19 #{L 1 i q 3, Cst = x (i) 3 Rnd H L(Cst 1 )} q 3 ɛ 1 n, #{L 1 i q 4, Cst = x (i) 4 Rnd H L(Cst )} q 4 ɛ n, #{L 1 i q 5, Cst = x (i) 5 H L(Cst 1 )} q 5 ɛ 1 n, #{L 1 i q 6, Cst = x (i) 6 H L(Cst )} q 6 ɛ n, #{L 1 i q 1, 1 j q 3,x (i) 1 = x (j) 3 Rnd H L (Cst 1 )} q 1 q 3 ɛ 1 n, #{L 1 i q 1, 1 j q 4,x (i) 1 = x (j) 4 Rnd H L (Cst )} q 1 q 4 ɛ n, #{L 1 i q 1, 1 j q 5,x (i) 1 = x (j) 5 H L (Cst 1 )} q 1 q 5 ɛ 1 n, #{L 1 i q 1, 1 j q 6,x (i) 1 = x (j) 6 H L (Cst )} q 1 q 6 ɛ n, #{L 1 i q, 1 j q 3,x (i) = x (j) 3 H L (Cst 1 )} q q 3 ɛ 1 n, #{L 1 i q, 1 j q 4,x (i) = x (j) 4 H L (Cst )} q q 4 ɛ n, #{L 1 i q, 1 j q 5,x (i) Rnd = x(j) 5 H L (Cst 1 )} q q 5 ɛ 1 n, #{L 1 i q, 1 j q 6,x (i) Rnd = x(j) 6 H L (Cst )} q q 6 ɛ n, #{L 1 i q 3, 1 j q 4,x (i) 3 H L(Cst 1 )=x (j) 4 H L (Cst )} q 3 q 4 ɛ 3 n, #{L 1 i q 3, 1 j q 6,x (i) 3 Rnd H L(Cst 1 )=x (j) 6 H L (Cst )} q 3 q 6 ɛ 3 n, #{L 1 i q 4, 1 j q 5,x (i) 4 Rnd H L(Cst )=x (j) 5 H L (Cst 1 )} q 4 q 5 ɛ 3 n, #{L 1 i q 5, 1 j q 6,x (i) 5 H L(Cst 1 )=x (j) 6 H L (Cst )} q 5 q 6 ɛ 3 n, #{L 1 i q 1,L= y (i) 1 Rnd} q 1, #{L 1 i q,l= y (i) Rnd} q, #{L 1 i q 3,L= y (i) 3 } q 3, #{L 1 i q 4,L= y (i) 4 } q 4, #{L 1 i q 5,L= y (i) 5 } q 5, and #{L 1 i q 6,L= y (i) 6 } q 6, from the conditions in Sec. 3. WenowfixanyL which is not included in any of the above twenty-two sets. We have at least ( n (q 3 ɛ 1 n +q 4 ɛ n +q 5 ɛ 1 n +q 6 ɛ n +q 1 q 3 ɛ 1 n +q 1 q 4 ɛ n +q 1 q 5 ɛ 1 n +q 1 q 6 ɛ n +q q 3 ɛ 1 n +q q 4 ɛ n +q q 5 ɛ 1 n +q q 6 ɛ n +q 3 q 4 ɛ 3 n +q 3 q 6 ɛ 3 n +q 4 q 5 ɛ 3 n +q 5 q 6 ɛ 3 n +q 1 +q +q 3 +q 4 +q 5 +q 6 )) ( n q ɛ n q ɛ n / q) choice of such L. hen we have: the inputs to P, {Cst,x (1) 1,...,x(q1) 1,x (1) Rnd,...,x (q) Rnd,x (1) 3 Rnd H L (Cst 1 ),...,x (q3) 3 Rnd H L (Cst 1 ),x (1) 4 Rnd H L(Cst ),...,x (q4) 4 Rnd H L (Cst ),x (1) 5 H L(Cst 1 ),...,x (q5) 5 H L (Cst 1 ),x (1) 6 H L(Cst ),...,x (q6) 6 H L (Cst )}, are distinct, and the corresponding outputs, {L, y (1) 1 Rnd,...,y(q1) 1 Rnd,y (1) Rnd,...,y(q) Rnd,y (1) 3,...,y(q3) 3,y (1) 4,...,y(q4) 4,y (1) 5,...,y(q5) 5,y (1) 6,...,y(q6) 6 }, are distinct. 19
20 In other words, for P, the above 1 + q 1 + q + q 3 + q 4 + q 5 + q 6 input-output pairs are determined. he remaining n (1 + q 1 + q + q 3 + q 4 + q 5 + q 6 ) input-output pairs are undetermined. herefore we have ( n (1+q 1 +q +q 3 +q 4 +q 5 +q 6 ))! = ( n (1 + q))! possible choice of P for any such fixed (L, Rnd). Completing the Proof. In Case 1, we have at least ( n (q /) (1+ɛ n )) ( n q)! choice of (P, Rnd) which satisfies (8). In Case, we have at least ( n q q /) ( n q ɛ n q ɛ n / q) ( n (1 + q))! choice of (P, Rnd) which satisfies (8). his bound is at least ( n (q + q /) (1 + ɛ n )) ( n q)!. his concludes the proof of the lemma. We now prove Lemma 5.3. Proof (of Lemma 5.3). For 1 i 6, let O i be either Q i or P i. he adversary A has oracle access to O 1,...,O 6. Since A is computationally unbounded, there is no loss of generality to assume that A is deterministic. here are six types of queries A can make: (O j,x) which denotes the query what is O j (x)? For the i-th query A makes to O j, define the query-answer pair ) {0, 1}n {0, 1} n, where A s query was (O j,x (i) ) and the answer it (x (i) j,y(i) j j got was y (i) j. Suppose that we run A with oracles O 1,...,O 6. For this run, assume that A made q j queries to O j ( ), where q q 6 = q. For this run, we define view v of A as v def = (y (1) 1,...,y(q1) 1 ), (y (1),...,y(q) ), (y (1) 3,...,y(q3) 3 ), (y (1) 4,...,y(q4) 4 ), (y (1) 5,...,y(q5) 5 ), (y (1) 6,...,y(q6) 6 ). (9) For this view, we always have: For 1 j 6, {y (1) j,...,y (qj) } are distinct. We note that since A never repeats a query, for the corresponding queries, we have: For 1 j 6, {x (1) j,...,x (qj) j } are distinct. Since A is deterministic, the i-th query A makes is fully determined by the first i 1 query-answer pairs. his implies that if we fix some qn-bit string V and return the i-th n-bit block as the answer for the i-th query A makes (instead of the oracles), then A s queries are uniquely determined, q 1,...,q 6 are uniquely determined, the parsing of V into the format defined in (9) is uniquely determined, and the final output of A (0 or 1) is uniquely determined. j 0
21 Let V one be a set of all qn-bit strings V such that A outputs 1. We let def N one =#V one. Also, let V good be a set of all qn-bit strings V such that: For 1 i< j q, the i-th n-bit block of V the j-th n-bit block of V. Note that if V V good then the corresponding parsing v satisfies: 6,...,y(q6) 6 } are dis- {y (1) 1,...,y(q1) 1 } {y (1),...,y(q) } are distinct, and {y (1) 3,...,y(q3) 3 } {y (1) 4,...,y(q4) 4 } {y (1) 5,...,y(q5) tinct. 5 } {y (1) Now observe that the number of V which is not in the set V good is at most ( q ) qn n. herefore, we have #{V V (V one V good )} N one Evaluation of p rand. We first evaluate ( ) q qn n. (10) def R p rand =Pr(P 1,...,P 6 Perm(n) :A P 1( ),...,P 6( ) =1) = #{(P 1,...,P 6 ) A P1( ),...,P6( ) =1} {( n )!} 6. For each V V one, the number of (P 1,...,P 6 ) such that For 1 j 6, P j (x (i) j )=y(i) j for 1 i q j, (11) is exactly 1 j 6 (n q j )!, which is at most ( n q)! {( n )!} 5. herefore, we have p rand = V Vone ( n q)! ( n )! V Vone = N one (n q)! ( n )! Evaluation of p real. We next evaluate #{(P 1,...,P 6 ) (P 1,...,P 6 ) satisfying (11)} {( n )!} 6. def p real =Pr(P R Perm(n); Rnd {0, R 1} n : A Q1( ),...,Q6( ) =1) = #{(P, Rnd) AQ1( ),...,Q6( ) =1} ( n )! n. hen from Lemma B.1, we have 1
22 p real V (Vone V good ) V (Vone V good ) # {(P, Rnd) (P, Rnd) satisfying (8)} ( n )! n ( n q)! ( n )! ( 1 (q + q /) (1 + ɛ n ) ) n. Completing the Proof. From (10) we have p real ( N one ( p rand ( ) q qn n ( ) q qn ) (n q)! ( n )! n (n q)! ( n )! ( 1 (q + q /) (1 + ɛ n ) n ) ( 1 (q + q /) (1 + ɛ n ) n ) ). Since qn (n q)! ( n )! 1, we have p real ( p rand ) ( q(q 1) n 1 (q + q /) (1 + ɛ n ) ) n p rand (q + q)+(q +q) ɛ n ( ) n p rand 3q 1 n + ɛ. (1) Applying the same argument to 1 p real and 1 p rand yields that ( ) 1 p real 1 p rand 3q 1 n + ɛ. (13) Finally, (1) and (13) give p real p rand 3q ( 1 n + ɛ ). C Proof of Lemma 5.4 Let S and S be distinct bit strings such that S = sn for some s 1, and S = s n for some s 1. Define V n (S, S ) def R =Pr(P Perm(n) : CBCP (S) = CBC P (S )). hen the following proposition is known [3]. Proposition C.1 (Black and Rogaway [3]). Let S and S be distinct bit strings such that S = sn for some s 1, and S = s n for some s 1. Assume that s, s n /4. hen V n (S, S ) (s + s ) n.
23 Now let M and M be distinct bit strings such that M = mn for some m, and M = m n for some m. Define W n (M,M ) def R =Pr(P 1,...,P 6 Perm(n) : MOMAC P1,...,P 6 (M) = MOMAC P1,...,P 6 (M )). We note that P 5 and P 6 are irrelevant in the event MOMAC P1,...,P 6 (M) = MOMAC P1,...,P 6 (M ) since M and M are both longer than n bits. Also, P 4 is irrelevant in the above event since M and M are both multiples of n. Further, P 3 is irrelevant in the above event since it is invertible, and thus, there is a collision if and only if there is a collision at the input to the last encryption. We show the following lemma. Lemma C.1 (MOMAC Collision Bound). Let M and M be distinct bit strings such that M = mn for some m, and M = m n for some m. Assume that m, m n /4. hen W n (M,M ) (m + m ) n. Proof. Let M[1] M[m] and M [1] M [m ] be partitions of M and M respectively. We consider two cases: M[1] = M [1] and M[1] M [1]. Case 1: M[1] = M [1]. In this case, Let P 1 be any permutation in Perm(n), and let S (P 1 (M[1]) M[]) M[3] M[m] and S (P 1 (M [1]) M []) M [3] M [m ]. Observe that MOMAC P1,...,P 6 (M) = MOMAC P1,...,P 6 (M ) if and only if CBC P (S) = CBC P (S ), since we may ignore the last encryptions in CBC P (S) and CBC P (S ). herefore W n (M,M ) V n (S, S ) (m + m ) n. Case : M[1] M [1]. In this case, we split into two cases: P 1 (M[1]) M[] P 1 (M [1]) M [] and P 1 (M[1]) M[] = P 1 (M [1]) M []. he former event will occur with probability at most 1. he later one will occur with probability at most 1 n 1, which is at most n. hen it is not hard to see that W n (M,M ) 1 V n (S, S )+ (m + m ) n n + n (m + m ) n by applying the similar argument as in Case 1. Let m be an integer such that m n /4. We consider the following four sets. def D 1 = {M M {0, 1}, n< M mn and M is a multiple of n} def D = {M M {0, 1}, n< M mn and M is not a multiple of n} def D 3 = {M M {0, 1} and M = n} def D 4 = {M M {0, 1} and M <n} We next show the following lemma. 3
24 Lemma C.. Let q 1,q,q 3,q 4 be four non-negative integers. For 1 i 4, let M (1) i,...,m (qi) i be fixed bit strings such that M (j) i D i for 1 j q i and {M (1) i,...,m (qi) i } are distinct. Similarly, for 1 i 4, let (1) i,..., (qi) i be fixed n-bit strings such that { (1) i,..., (qi) i } are distinct. hen the number of P 1,...,P 6 Perm(n) such that MOMAC P1,...,P 6 (M (i) (i) 1 )= 1 for 1 i q 1, MOMAC P1,...,P 6 (M (i) (i) )= for 1 i q, MOMAC P1,...,P 6 (M (i) (i) (14) 3 )= 3 for 1 i q 3 and MOMAC P1,...,P 6 (M (i) (i) 4 )= 4 for 1 i q 4 ( ) is at least {( n )!} 6 1 q m 1 n, where q = q qn q 4. Proof. We first consider M (1) 1,...,M(q1) 1. he number of (P 1,P ) such that MOMAC P1,...,P 6 (M (i) 1 ) = MOMAC P 1,...,P 6 (M (j) 1 ) for 1 i< j q 1 is at most {( n )!} (q 1 4m ) from Lemma C.1. Note that P n 3,...,P 6 are irrelevant in the above event. We next consider M (1),...,M(q). he number of (P 1,P ) such that MOMAC P1,...,P 6 (M (i) ) = MOMAC P 1,...,P 6 (M (j) ) for 1 i< j q is at most {( n )!} (q ) 4m from Lemma C.1. n Now ( we fix any (P 1,P ) which is not like the above. We have at least {( n )!} 1 ( q 1 ) 4m ( q ) ) 4m n choice. n Now P 1 and P are fixed in such a way that the inputs to P 3 are distinct and the inputs to P 4 are distinct. Also, the corresponding outputs { (1) 3,..., (q3) 3 } are distinct, and { (1) 4,...,(q4) 4 } are distinct. We know that the inputs to P 5 are distinct, and the corresponding outputs { (1) 3,..., (q3) 3 } are distinct. Also, the inputs to P 6 are distinct, and and the corresponding outputs { (1) 4,..., (q4) 4 ) } n ( are distinct. herefore, we have at least {( n )!} 1 ( q 1 ) 4m ( q ) 4m n ( n q 1 )! ( n q )! ( n q 3 )! ( n q 4 )! choice of P 1,...,P 6 which satisfies (14). his bound is at least {( n )!} 6 ( 1 q m his concludes the proof of the lemma. We now prove Lemma 5.4. n ) 1 qn since ( n q i )! (n )! q i n. Proof (of Lemma 5.4). Let O be either MOMAC P1,...,P 6 or R. Since A is computationally unbounded, there is no loss of generality to assume that A is deterministic. Similar to the proof of Lemma 5.3, for the query A makes to the oracle O, define the query-answer pair (M (i) j, (i) j ) D j {0, 1} n, where A s i-th query in D j was M (i) j D j and the answer it got was (i) j {0, 1} n. 4
25 Suppose that we run A with the oracle. For this run, assume that A made q j queries in D j, where 1 j 4 and q q 4 = q. For this run, we define view v of A as v def = ( (1) 1,..., (q1) 1 ), ( (1),..., (q) ), ( (1) 3,..., (q3) 3 ), ( (1) 4,..., (q4) 4 ). (15) Since A is deterministic, the i-th query A makes is fully determined by the first i 1 query-answer pairs. his implies that if we fix some qn-bit string V and return the i-th n-bit block as the answer for the i-th query A makes (instead of the oracle), then A s queries are uniquely determined, q 1,...,q 4 are uniquely determined, the parsing of V into the format defined in (15) is uniquely determined, and the final output of A (0 or 1) is uniquely determined. Let V one be a set of all qn-bit strings V such that A outputs 1. We let def N one =#V one. Also, let V good be a set of all qn-bit strings V such that: For 1 i< j q, the i-th n-bit block of V the j-th n-bit block of V. Note that if V V good, then the corresponding parsing v of V satisfies that: { (1) 1,..., (q1) 1 } are distinct, { (1),...,(q) } are distinct, { (1) 3,..., (q3) 3 } are distinct and { (1) 4,..., (q4) 4 } are distinct. Now observe that the number of V which is not in the set V good is at most ( q ) qn. herefore, we have n ( ) q qn #{V V (V one V good )} N one n. (16) Evaluation of p rand. We first evaluate hen it is not hard to see p rand def =Pr(R R Rand(,n):A R( ) =1). p rand = V Vone Evaluation of p real. We next evaluate 1 qn = N one qn. def R p real =Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1) = #{(P 1,...,P 6 ) A MOMACP 1,...,P 6 ( ) =1} {( n )!} 6. hen from Lemma C., we have 5
26 p real V (Vone V good ) V (Vone V good ) # {(P 1,...,P 6 ) (P 1,...,P 6 ) satisfying (14)} {( n )!} 6 (1 q m n ) 1 qn. Completing the Proof. From (16) we have ( ( ) ) q qn p real N one n (1 q m n ( ( ) ) q 1 = p rand n (1 q m n ( ) q 1 p rand n q m n ) 1 qn ) p rand q m + q n. (17) Applying the same argument to 1 p real and 1 p rand yields that 1 p real 1 p rand q m + q n. (18) Finally, (17) and (18) give p real p rand q m +q n. 6
CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions
CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions J. Black P. Rogaway July 21, 2004 Abstract We suggest some simple variants of the CBC MAC that enable the efficient authentication of
More informationCBC MACs for Arbitrary-Length Messages: The Three-Key Constructions
CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions J. Black P. ogaway May 24, 2000 Abstract We suggest some simple variants of the CBC MAC that let you efficiently MAC messages of arbitrary
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More informationThe Indistinguishability of the XOR of k permutations
The Indistinguishability of the XOR of k permutations Benoit Cogliati, Rodolphe Lampe, Jacques Patarin University of Versailles, France Abstract. Given k independent pseudorandom permutations f 1,...,
More informationAuthenticated Encryption Mode for Beyond the Birthday Bound Security
Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata Nagoya University iwata@cse.nagoya-u.ac.jp Africacrypt 2008, Casablanca, Morocco June 11, 2008 Blockcipher plaintext M key
More informationEME : extending EME to handle arbitrary-length messages with associated data
EME : extending EME to handle arbitrary-length messages with associated data (Preliminiary Draft) Shai Halevi May 18, 2004 Abstract We describe a mode of oepration EME that turns a regular block cipher
More informationImproved security analysis of OMAC
Improved security analysis of OMAC Mridul andi CIVESTAV-IP, Mexico City mridul.nandi@gmail.com Abstract. We present an improved security analysis of OMAC, the construction is widely used as a candidate
More informationCBC MACs for Arbitrary-Length Messages: The Three-Key Constructions
CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions J. Black P. Rogaway December 3, 2003 Abstract We suggest some simple variants of the CBC MAC that enable the efficient authentication
More informationFast and Secure CBC-Type MAC Algorithms
Fast and Secure CBC-Type MAC Algorithms Mridul Nandi National Institute of Standards and Technology mridul.nandi@gmail.com Abstract. The CBC-MAC or cipher block chaining message authentication code, is
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationOn the Security of CTR + CBC-MAC
On the Security of CTR + CBC-MAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBC-MAC (CCM) encryption mode.
More informationA Block-Cipher Mode of Operation for Parallelizable Message Authentication. J. Black P. Rogaway February 15, 2002
Appears in Advances in Cryptology Eurocrypt 02, Lecture Notes in Computer Science, Vol.????, L. Knudsen, ed., Springer-Verlag. This is the full version. A Block-Cipher Mode of Operation for Parallelizable
More informationA Domain Extender for the Ideal Cipher
A Domain Extender for the Ideal Cipher Jean-Sébastien Coron 2, Yevgeniy Dodis 1, Avradip Mandal 2, and Yannick Seurin 3,4 1 New York University 2 University of Luxembourg 3 University of Versailles 4 Orange
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationA Pseudo-Random Encryption Mode
A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of
More informationNew Attacks against Standardized MACs
New Attacks against Standardized MACs Antoine Joux 1, Guillaume Poupard 1, and Jacques Stern 2 1 DCSSI Crypto Lab 51 Boulevard de La Tour-Maubourg 75700 Paris 07 SP, France {Antoine.Joux,Guillaume.Poupard}@m4x.org
More informationCBC MAC for Real-Time Data Sources. Abstract. The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an
CBC MAC for Real-Time Data Sources Erez Petrank Charles Racko y Abstract The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an authentication method which is widely used in practice.
More informationOn High-Rate Cryptographic Compression Functions
On High-Rate Cryptographic Compression Functions Richard Ostertág and Martin Stanek Department o Computer Science Faculty o Mathematics, Physics and Inormatics Comenius University Mlynská dolina, 842 48
More informationOn the Round Security of Symmetric-Key Cryptographic Primitives
On the Round Security of Symmetric-Key Cryptographic Primitives Zulfikar Ramzan Leonid Reyzin. November 30, 000 Abstract We put forward a new model for understanding the security of symmetric-key primitives,
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationCryptanalysis of a Message Authentication Code due to Cary and Venkatesan
Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,
More informationFRMAC, a Fast Randomized Message Authentication Code
, a Fast Randomized Message Authentication Code Éliane Jaulmes 1 and Reynald Lercier 2 1 DCSSI Crypto Lab, 51 Bd de Latour Maubourg, F-75700 Paris 07 SP, France eliane.jaulmes@wanadoo.fr, 2 CELAR, Route
More informationSimple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)
Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Henry Ng Henry.Ng.a@gmail.com Abstract. A new cryptographic pseudorandom number generator Cilia is presented. It hashes
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationA Unified Method for Improving PRF Bounds for a Class of Blockcipher based MACs
A Unified Method for Improving PRF Bounds for a Class of Blockcipher based MACs Mridul Nandi National Institute of Standards and Technology mridulnandi@gmailcom Abstract This paper provides a unified framework
More informationA New Mode of Encryption Providing A Tweakable Strong Pseudo-Random Permutation
A New Mode of Encryption Providing A Tweakable Strong Pseudo-Random Permutation Debrup Chakraborty and Palash Sarkar Computer Science Department, CINVESTAV-IPN Av. IPN No. 2508 Col. San Pedro Zacatenco
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationModes of Operations for Wide-Block Encryption
Wide-Block Encryption p. 1/4 Modes of Operations for Wide-Block Encryption Palash Sarkar Indian Statistical Institute, Kolkata Wide-Block Encryption p. 2/4 Structure of Presentation From block cipher to
More informationImproved Security Analysis for OMAC as a Pseudo Random Function
c de Gruyter 2007 J. Math. Crypt. 1 (2007), 1 16 DOI 10.1515 / JMC.2007. Improved Security Analysis for OMAC as a Pseudo Random Function Mridul Nandi Communicated by Abstract. This paper shows that the
More informationA Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model
A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model Wonil Lee 1, Mridul Nandi 2, Palash Sarkar 2, Donghoon Chang 1, Sangjin Lee 1, and Kouichi Sakurai 3 1 Center for Information
More informationThe Security of Abreast-DM in the Ideal Cipher Model
The Security of breast-dm in the Ideal Cipher Model Jooyoung Lee, Daesung Kwon The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390 jlee05@ensec.re.kr,ds
More informationProvably Secure MACs From Differentially-uniform Permutations and AES-based Implementations
Provably Secure MACs From Differentially-uniform Permutations and AES-based Implementations azuhiko Minematsu 1 and Yukiyasu Tsunoo 1 NEC Corporation, 1753 Shimonumabe, Nakahara-u, awasaki 11-8666, Japan
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationIndifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding
Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationBenes and Butterfly schemes revisited
Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have
More informationCSA E0 235: Cryptography (19 Mar 2015) CBC-MAC
CSA E0 235: Cryptography (19 Mar 2015) Instructor: Arpita Patra CBC-MAC Submitted by: Bharath Kumar, KS Tanwar 1 Overview In this lecture, we will explore Cipher Block Chaining - Message Authentication
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationIntegrity Analysis of Authenticated Encryption Based on Stream Ciphers
Integrity Analysis of Authenticated Encryption Based on Stream Ciphers Kazuya Imamura 1, Kazuhiko Minematsu 2, and Tetsu Iwata 3 1 Nagoya University, Japan, k_imamur@echo.nuee.nagoya-u.ac.jp 2 NEC Corporation,
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationIndifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding
Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationImpact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs
Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC 9797 1:2011 MACs Tetsu Iwata, Nagoya University Lei Wang, Nanyang Technological University FSE 2014 March 4, 2014, London, UK 1 Overview ANSI X9.24
More informationMESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1
MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified
More informationCharacterization of EME with Linear Mixing
Characterization of EME with Linear Mixing Nilanjan Datta and Mridul Nandi Cryptology Research Group Applied Statistics Unit Indian Statistical Institute 03, B.T. Road, Kolkata, India 700108 nilanjan isi
More informationCryptanalysis of Tweaked Versions of SMASH and Reparation
Cryptanalysis of Tweaked Versions of SMASH and Reparation Pierre-Alain Fouque, Jacques Stern, and Sébastien Zimmer CNRS-École normale supérieure-inria Paris, France {Pierre-Alain.Fouque,Jacques.Stern,Sebastien.Zimmer}@ens.fr
More informationFrom Non-Adaptive to Adaptive Pseudorandom Functions
From Non-Adaptive to Adaptive Pseudorandom Functions Itay Berman Iftach Haitner January, 202 Abstract Unlike the standard notion of pseudorandom functions (PRF), a non-adaptive PRF is only required to
More informationSecurity of Random Feistel Schemes with 5 or more Rounds
Security of Random Feistel Schemes with 5 or more Rounds Jacques Patarin Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract. We study cryptographic attacks on random
More informationConstructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs
Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs Debra L. Cook 1, Moti Yung 2, Angelos Keromytis 3 1 Columbia University, New York, NY USA dcook@cs.columbia.edu 2 Google, Inc. and Columbia
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More informationOCB Mode. Proposal to NIST for a block-cipher mode of operation which simultaneously provides privacy and authenticity
OCB Mode Proposal to NIST for a block-cipher mode of operation which simultaneously provides privacy and authenticity Submitted on April 1, 2001 Revised on April 18, 2001 Submitter: Phillip Rogaway rogaway@cs.ucdavis.edu
More informationSecurity of Permutation-based Compression Function lp231
Security of Permutation-based Compression Function lp231 Jooyoung Lee 1 and Daesung Kwon 2 1 Sejong University, Seoul, Korea, jlee05@sejong.ac.kr 2 The Attached Institute of Electronics and Telecommunications
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationEasyChair Preprint. Formal Security Proof of CMAC and its Variants
EasyChair Preprint 104 Formal Security Proof of CMAC and its Variants Cécile Baritel-Ruet, François Dupressoir, Pierre-Alain Fouque and Benjamin Grégoire EasyChair preprints are intended for rapid dissemination
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationOn the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited
On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited Moni Naor Omer Reingold Abstract Luby and Rackoff [26] showed a method for constructing a pseudo-random permutation from a pseudo-random
More informationStronger Security Variants of GCM-SIV
Stronger Security Variants of GCM-SIV Tetsu Iwata 1 Kazuhiko Minematsu 2 FSE 2017 Tokyo, Japan March 8 2017 Nagoya University, Japan NEC Corporation, Japan Supported in part by JSPS KAKENHI, Grant-in-Aid
More informationThe Pseudorandomness of Elastic Block Ciphers
The Pseudorandomness of Elastic Block Ciphers Debra L. Cook and Moti Yung and Angelos Keromytis Department of Computer Science, Columbia University {dcook,moti,angelos}@cs.columbia.edu September 28, 2005
More informationTweakable Blockciphers with Beyond Birthday-Bound Security
Tweakable Blockciphers with Beyond Birthday-Bound Security Will Landecker, Thomas Shrimpton, and R. Seth Terashima Dept. of Computer Science, Portland State University {landeckw,teshrim,robert22}@cs.pdx.edu
More informationLecture 15: Message Authentication
CSE 599b: Cryptography (Winter 2006) Lecture 15: Message Authentication 22 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Message Authentication Recall that the goal of message authentication
More informationSMASH - A Cryptographic Hash Function
SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the
More informationLimits on the Efficiency of One-Way Permutation-Based Hash Functions
Limits on the Efficiency of One-Way Permutation-Based Hash Functions Jeong Han Kim Daniel R. Simon Prasad Tetali Abstract Naor and Yung show that a one-bit-compressing universal one-way hash function (UOWHF)
More informationA Composition Theorem for Universal One-Way Hash Functions
A Composition Theorem for Universal One-Way Hash Functions Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com Abstract. In this paper we present a new scheme
More informationRelated-Key Almost Universal Hash Functions: Definitions, Constructions and Applications
Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications Peng Wang, Yuling Li, Liting Zhang and Kaiyan Zheng State Key Laboratory of Information Security, Institute of Information
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2009-2010 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th 2009 1 / 60 Last Time (I) Security
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationBlockcipher-based MACs: Beyond the Birthday Bound without Message Length
Blockcipher-based MACs: Beyond the Birthday Bound without Message Length Yusuke Naito Mitsubishi Electric Corporation, Kanagawa, Japan Naito.Yusuke@ce.MitsubishiElectric.co.jp Abstract. We present blockcipher-based
More informationWinter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2
0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod
More informationDomain Extension of Public Random Functions: Beyond the Birthday Barrier
Domain Extension of Public Random Functions: Beyond the Birthday Barrier Ueli Maurer Stefano Tessaro Department of Computer Science ETH Zurich 8092 Zurich, Switzerland {maurer,tessaros}@inf.ethz.ch Abstract
More informationThe Sum of PRPs is a Secure PRF
The Sum of PRPs is a Secure PRF Stefan Lucks Theoretische Informatik, Universität Mannheim 68131 Mannheim, Germany lucks@th.informatik.uni-mannheim.de Abstract. Given d independent pseudorandom permutations
More informationImproving Upon the TET Mode of Operation
Improving Upon the TET Mode of Operation Palash Sarkar Applied Statistics Unit Indian Statistical Institute 203, B.T. Road, Kolkata India 700108. email: palash@isical.ac.in Abstract. Naor and Reingold
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationTweakable Block Ciphers
Tweakable Block Ciphers Moses Liskov 1, Ronald L. Rivest 1, and David Wagner 2 1 Laboratory for Computer Science Massachusetts Institute of Technology Cambridge, MA 02139, USA mliskov@theory.lcs.mit.edu,
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationCPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions
CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary
More informationTweakable Enciphering Schemes From Stream Ciphers With IV
Tweakable Enciphering Schemes From Stream Ciphers With IV Palash Sarkar Applied Statistics Unit Indian Statistical Institute 03, B.T. Road, Kolkata India 700108. email: palash@isical.ac.in Abstract. We
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationA New Paradigm of Hybrid Encryption Scheme
A New Paradigm of Hybrid Encryption Scheme Kaoru Kurosawa 1 and Yvo Desmedt 2 1 Ibaraki University, Japan kurosawa@cis.ibaraki.ac.jp 2 Dept. of Computer Science, University College London, UK, and Florida
More informationImproving the Security of MACs via Randomized Message Preprocessing
Improving the Security of MACs via Randomized Message Preprocessing Yevgeniy Dodis dodis@cs.nyu.edu New York University Krzysztof Pietrzak pietrzak@cwi.nl CWI February 5, 2007 Abstract Hash then encrypt
More informationDistinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework
Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework Zheng Yuan 1,2,3, Haixia Liu 1, Xiaoqiu Ren 1 1 Beijing Electronic Science and Technology Institute, Beijing 100070,China
More informationFrom Unpredictability to Indistinguishability: A Simple. Construction of Pseudo-Random Functions from MACs. Preliminary Version.
From Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs Preliminary Version Moni Naor Omer Reingold y Abstract This paper studies the relationship between
More informationAn introduction to Hash functions
An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27
More informationAES-VCM, AN AES-GCM CONSTRUCTION USING AN INTEGER-BASED UNIVERSAL HASH FUNCTION.
AES-VCM, AN AES-GCM CONSTRUCTION USING AN INTEGER-BASED UNIVERSAL HASH FUNCTION. ED KNAPP Abstract. We give a framework for construction and composition of universal hash functions. Using this framework,
More information3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function
3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function Praveen Gauravaram 1, William Millan 1, Juanma Gonzalez Neito 1, Edward
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Collision resistance Birthday attacks
More informationOnline Cryptography Course. Message integrity. Message Auth. Codes. Dan Boneh
Online Cryptography Course Message integrity Message Auth. Codes Message Integrity Goal: integrity, no confiden>ality. Examples: Protec>ng public binaries on disk. Protec>ng banner ads on web pages. Message
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationAES-OTR v3. Designer/Submitter: Kazuhiko Minematsu (NEC Corporation, Japan) Contact Address:
AES-OTR v3 Designer/Submitter: Kazuhiko Minematsu (NEC Corporation, Japan) Contact Address: k-minematsu@ah.jp.nec.com Date: April 4, 2016 1 Specification OTR, which stands for Offset Two-Round, is a blockcipher
More informationISO/IEC Revisited: Beyond Birthday Bound
ISO/IEC 9797-1 Revisited: Beyond Birthday Bound Yaobin Shen, Lei Wang, and Dawu Gu Shanghai Jiao Tong University {yb shen, wanglei hb, dwgu}@sjtu.edu.cn Abstract. The international standard ISO/IEC 9797-1:2011
More informationExact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions
Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions Avijit Dutta, Ashwin Jha and Mridul Nandi Applied Statistics Unit, Indian Statistical Institute, Kolkata. avirocks.dutta13@gmail.com,
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationThe Security of One-Block-to-Many Modes of Operation
The Security of One-Block-to-Many Modes of Operation Henri Gilbert France Télécom R&D henri.gilbert@francetelecom.com Abstract. In this paper, we investigate the security, in the Luby-Rackoff security
More informationSponge Functions. 1 Introduction. Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1
Sponge Functions Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1 gro.noekeon@noekeon.org 1 STMicroelectronics 2 NXP Semiconductors Abstract. A good cryptographic hash function
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,
More information