Improved Security Analyses for CBC MACs

Transcription

1 Improved Securty nalye for CC MC Mhr ellare 1, Krzyztof Petrzak 2, and Phllp Rogaway 3 1 Dept. of Computer Scence & Engneerng, Unverty of Calforna San Dego, 9500 Glman Drve, La Jolla, C 92093, US. Emal: mhr@c.ucd.edu URL: www-ce.ucd.edu/uer/mhr 2 Dept. of Computer Scence, ETH Zürch, CH-8092 Zürch Swtzerland, E-mal: petrzak@nf.ethz.ch 3 Dept. of Computer Scence, Unverty of Calforna, Dav, Calforna, 95616, US; and Dept. of Computer Scence, Faculty of Scence, Chang Ma Unverty, Chang Ma 50200, Thaland. E-mal: rogaway@c.ucdav.edu URL: rogaway/ btract. We preent an mproved bound on the advantage of any q-query adverary at dtnguhng between the CC MC over a random n-bt permutaton and a random functon outputtng n bt. The reult aume that no meage quered a prefx of any other, a the cae when all meage to be MCed have the ame length. We go on to gve an mproved analy of the encrypted CC MC, where there no retrcton on quered meage. Lettng m be the block length of the longet query, our bound are about mq 2 /2 n for the bac CC MC and m o(1) q 2 /2 n for the encrypted CC MC, mprovng pror bound of m 2 q 2 /2 n. The new bound tranlate nto mproved guarantee on the probablty of forgng thee MC. 1 Introducton Some defnton. The CC functon CC π aocated to a key π: {0, 1} n {0, 1} n take a nput a meage M = M 1 M m that a equence of n-bt block and return the n-bt trng C m computed by ettng C = π(c 1 M ) for each [1..m], where C 0 = 0 n. Conder three type of attack for an adverary gven an oracle: atk = eq mean all quere are exactly m block long; atk = pf mean they have at mot m block and no query a prefx of any another; atk = any mean the quere are arbtrary dtnct trng of at mot m block. Let dv atk CC(q, n, m) denote the maxmum advantage attanable by any q-query adverary, mountng an atk attack, n dtnguhng whether t oracle CC π n for a random permutaton π on n bt, or a random functon that output n bt. We am to upper bound th quantty a a functon of n, m, q. Pat work and our reult on CC. ellare, Klan and Rogaway [2] howed that dv eq CC (q, n, m) 2m2 q 2 /2 n. Maurer reduced the contant 2 to 1 and provded a ubtantally dfferent proof [13]. Petrank and Rackoff [15] howed that the ame bound hold (up to a contant) for dv pf CC (q, n, m). In th paper we how that dv pf CC (q, n, m) 20mq2 /2 n for m 2 n/3. (The reult

2 Contruct atk Prevou bound Our bound CC pf m 2 q 2 /2 n [2, 13, 15] mq 2 /2 n (12 + 8m 3 /2 n ) ECC any 2.5 m 2 q 2 /2 n [7] q 2 /2 n (d (m) + 4m 4 /2 n ) Fg. 1. ound on dv pf CC (q, n, m) and dvany ECC (q, n, m), aumng m 2n/2 1. actually a lttle tronger. See Fg. 1.) Th mple the ame bound hold for (q, n, m). dv eq CC Context and dcuon. When π = E(K, ), where K K a random key for blockcpher E: K {0, 1} n {0, 1} n, the functon CC π a popular meage authentcaton code (MC). umng E a good peudorandom permutaton (PRP), the domnant term n a bound on the probablty of forgery n an atk-type choen-meage attack dv atk CC(q, n, m), where q the um of the number of MC-generaton and MC-verfcaton quere made by the adverary (cf. [1]). Thu the qualty of guarantee we get on the ecurty of the MC a functon of how good an upper bound we can prove on dv atk CC(q, n, m). It well known that the CC MC necure when the meage MCed have varyng length (pecfcally, t forgeable under an any-attack that ue jut one MC-generaton and one MC-verfcaton query, each of at mot two block) o the cae atk = any not of nteret for CC. The cae where all meage MCed have the ame length (atk = eq) the mot bac one, and where potve reult were frt obtaned [2]. The cae atk = pf nteretng becaue one way to get a ecure MC for varyng-length nput to apply a prefx-free encodng to the data before MCng t. The mot common uch encodng to nclude n the frt block of each meage an encodng of t length. We emphaze that our reult are about CC π for a random permutaton π: {0, 1} n {0, 1} n, and not about CC ρ for a random functon ρ: {0, 1} n {0, 1} n. Snce our bound are better than the cot to convert between a random n-bt functon and a random n-bt permutaton ung the wtchng lemma [2], the dtncton gnfcant. Indeed for the prefx-free cae, applyng CC over a random functon on n bt known to admt an attack more effectve than that whch ruled out by our bound [6]. Encrypted CC. The ECC functon ECC π1,π 2 aocated to permutaton π 1, π 2 on n bt take a meage M that a multple of n bt and return π 2 (CC π1 (M)). Defne dv atk ECC(q, n, m) analogouly to the CC cae above (atk {any, eq, pf}). Petrank and Rackoff [15] howed that dv any ECC (q, n, m) 2.5 m 2 q 2 /2 n. better bound, dv eq ECC (q, n, m) q2 /2 n (1 + cm 2 /2 n + cm 6 /2 2n ) for ome contant c, poble for the atk = eq cae baed on a lemma of Dod et al. [9], but the pont of the ECC contructon to acheve any-ecurty. We mprove on the reult of Petrank and Rackoff to how that dv any ECC (q, n, m) q2 /2 n (d (m) + 4m 4 /2 n ) where d (m) the maxmum,

3 over all m m, of the number of dvor of m. (Once agan ee Fg. 1.) Note that the functon d (m) m 1/ ln ln(m) grow lowly. The MC correpondng to ECC (namely ECC π1,π 2 when π 1 = E(K 1, ) and π 2 = E(K 2, ) for random key K 1, K 2 K of a blockcpher E: K {0, 1} n {0, 1} n ) wa developed by the RCE project [5]. Th MC nteretng a a natural and practcal varant of the CC MC that correctly handle meage of varyng length. varant of ECC called CMC wa recently adopted a a NIST-recommended mode of operaton [14]. wth the CC MC, our reult mply mproved guarantee on the forgery probablty of the ECC MC under a choen-meage attack, but th tme of type any rather than merely pf, and wth the mprovement beng numercally more ubtantal. More defnton. The collon-probablty CP atk n,m of the CC MC the maxmum, over all par of meage (M 1, M 2 ) n an approprate atk-dependent range, of the probablty, over random π, that CC π (M 1 ) = CC π (M 2 ). For atk = any the range any par of dtnct trng of length a potve multple of n but at mot mn; for atk = pf t any uch par where nether trng a prefx of the other; and for atk = eq t any par of dtnct trng of exactly mn bt. The full collon probablty FCP atk n,m mlar except that the probablty of the event C m2 2 {C1, 1..., C m1 1, C2, 1..., C m2 1 2 } where, for each b {1, 2}, we have Cb = π(c 1 b Mb ) for m b = M b /n and [1..m b ] and Cb 0 = 0n. Note that thee defnton do not nvolve an adverary and n th ene are mpler than the advantage functon condered above. Reducton to FCP and CP. y vewng ECC a an ntance of the Carter-Wegman paradgm [18], one can reduce boundng dv atk ECC(q, n, m) (for atk {any, eq, pf}) to boundng CP atk n,m (ee [7], tated here a Lemma 3). Th mplfe the analy becaue one now faced wth a combnatoral problem rather than conderaton of a dynamc, adaptve adverary. The frt tep n our analy of the CC MC to provde an analogou reducton (Lemma 1) that reduce boundng dv pf CC (q, n, m) to boundng FCP pf n,m. Unlke the cae of ECC, the reducton not mmedate and doe not rely on the Carter-Wegman paradgm. Rather t proved drectly ung the game-playng approach [4, 16]. ound on FCP and CP. lack and Rogaway [7] how that CP any n,m 2(m 2 + m)/2 n. Dod, Gennaro, Håtad, Krawczyk, and Rabn [9] how that CP eq n,m 2 n + cm 2 /2 2n + cm 3 /2 3n for ome abolute contant c. (The above-mentoned bound on dv eq ECC (q, n, m) obtaned va th.) We buld on ther technque to how (cf. Lemma 4) that CP any n,m 2d (m)/2 n + 8m 4 /2 2n. Our bound on dv any ECC (q, n, m) then follow. We alo how that FCPpf n,m 8m/2 n +8m 4 /2 2n. Our bound on dv pf CC (q, n, m) then follow. We remark that the ecurty proof of RMC [11] had tated and ued a clam that mple CP any n,m 12m/2 n, but the publhed proof wa wrong. Our Lemma 4 both fxe and mprove that reult.

4 Further related work. Other approache to the analy of the CC MC and the encrypted CC MC nclude thoe of Maurer [13] and Vaudenay [17], but they only obtan bound of m 2 q 2 /2 n. 2 Defnton Notaton. The empty trng denoted ε. If x a trng then x denote t length. We let n = {0, 1} n. If x n then x n = x /n denote the number of n-bt block n t. If X {0, 1} then X m denote the et of all non-empty trng formed by concatenatng m or fewer trng from X and X + denote the et of all trng formed by concatenatng one or more trng from X. If M n then M denote t -th n-bt block and M j denote the trng M M j, for 1 j M n. If S a et equpped wth ome probablty dtrbuton then $ S denote the operaton of pckng from S accordng to th dtrbuton. If no dtrbuton explctly pecfed, t undertood to be unform. We denote by Perm(n) the et of all permutaton over {0, 1} n, and by Func(n) the et of all functon mappng {0, 1} to {0, 1} n. (oth thee et are vewed a equpped wth the unform dtrbuton.) blockcpher E (wth blocklength n and key-pace K) dentfed wth the et of permutaton {E K : K K} where E K : {0, 1} n {0, 1} n denote the map pecfed by key K K. The dtrbuton that nduced by a random choce of K from K, o f $ E the ame a K $ K, f E K. Securty. n adverary a randomzed algorthm that alway halt. Let atk q,n,m denote the cla of adverare that make at mot q oracle quere, where f atk = eq, then each query n n m ; f atk = pf, then each query n n m and no query a prefx of another; and f atk = any then each query n n m. We remark that the adverare condered here are computatonally unbounded. In th paper we alway conder determntc, tatele oracle and thu we wll aume that an adverary never repeat an oracle query. We alo aume that an adverary never ak a query outde of the mplctly undertood doman of nteret. Let F : D {0, 1} n be a et of functon and let atk q,n,m be an adverary, where atk {eq, pf, any}. y f 1 we denote the event that output 1 wth oracle f. The advantage of (n dtnguhng an ntance of F from a random functon outputtng n bt) and the advantage of F are defned, repectvely, a dv F () = Pr[f $ F : f 1] Pr[f $ Func(n) : f 1] and dv atk F (q, n, m) = max { dv F () }. atk q,n,m Note that nce eq q,n,m pf q,n,m any q,n,m, we have dv eq F (q, n, m) dvpf F (q, n, m) dvany F (q, n, m). (1)

5 Cbc and Ecbc. Fx n 1. For M n m and π: n n then defne CC M π [] nductvely for [0..m] va CC M π [0] = 0 n and CC M π [] = π(cc M π M ) for [1..m]. We aocate to π the CC MC functon CC π : n + n defned by CC π (M) = CC M π [m] where m = M n. We let CC = {CC π : π Perm(n)}. Th et of functon ha the dtrbuton nduced by pckng π unformly from Perm(n). To functon π 1, π 2 : n n we aocate the encrypted CC MC functon ECC π1,π 2 : n + n defned by ECC π1,π 2 (M) = π 2 (CC π1 (M)) for all M n +. We let ECC = {ECC π1,π 2 : π 1, π 2 Perm(n)}. Th et of functon ha the dtrbuton nduced by pckng π 1, π 2 ndependently and unformly at random from Perm(n). Collon. For M 1, M 2 n we defne the prefx predcate pf(m 1, M 2 ) to be true f ether M 1 a prefx of M 2 or M 2 a prefx of M 1, and fale otherwe. Note that pf(m, M) = true for any M n. Let M eq n,m = {(M 1, M 2 ) m n m n : M 1 M 2 }, M pf n,m = {(M 1, M 2 ) n m n m : pf(m 1, M 2 ) = fale}, and M any n,m = {(M 1, M 2 ) n m n m : M 1 M 2 }. For M 1, M 2 + n and atk {eq, pf, any} we then let CP n (M 1, M 2 ) = Pr[π $ Perm(n) : CC π (M 1 ) = CC π (M 2 )] CP atk n,m = max { CP n (M 1, M 2 ) }. (M 1,M 2) M atk n,m For M 1, M 2 n + we let FCP n (M 1, M 2 ) (the full collon probablty) be the probablty, over π $ Perm(n), that CC π (M 2 ) n the et {CC M1 π [1],..., CC M1 π [m 1 ], CC M2 π [1],..., CC M2 π [m 2 1]} where m b = M b n for b = 1, 2. For atk {eq, pf, any} we then let FCP atk n,m = max { FCP n (M 1, M 2 ) }. (M 1,M 2) M atk n,m 3 Reult on the CC MC We tate reult only for the atk = pf cae; reult for atk = eq follow due to (1). To bound dv pf CC (q, n, m) we mut conder a dynamc adverary that adaptvely quere t oracle. Our frt lemma reduce th problem to that of boundng a more tatc quantty whoe defnton doe not nvolve an adverary, namely the full collon probablty of the CC MC. The proof n Secton 5. Lemma 1. For any n, m, q, dv pf CC (q, n, m) q2 FCP pf n,m + 4mq2 2 n.

6 The next lemma bound the full collon probablty of the CC MC. The proof gven n Secton 8. Lemma 2. For any n, m wth m 2 2 n 2, FCP pf n,m 8m 2 n + 8m4 2 2n. Combnng the above two lemma we bound dv pf CC (q, n, m): Theorem 1. For any n, m, q wth m 2 2 n 2, ) dv pf mq2 CC (q, n, m) (12 2 n + 8m3 2 n. 4 Reult on the Encrypted CC MC Followng [7], we vew ECC a an ntance of the Carter-Wegman paradgm [18]. Th enable u to reduce the problem of boundng dv atk ECC(q, n, m) to boundng the collon probablty of the CC MC, a tated n the next lemma. proof of the followng provded n [3]. Lemma 3. For any n, m, q 1 and any atk {eq, pf, any}, ( dv atk q(q 1) ECC(q, n, m) CP atk n,m + 1 ) 2 2 n. Petrank and Rackoff [15] how that dv any ECC (q, n, m) 2.5 m2 q 2 /2 n. (2) Dod et al. [9] how that CP eq n,m 2 n + cm 2 2 2n + cm 6 2 3n for ome abolute contant c. Combnng th wth Lemma 3 lead to ) dv eq q2 ECC (q, n, m) (1 2 n + cm2 2 n + cm6 2 2n. However, the cae of atk = eq not nteretng here, nce the pont of ECC to gan ecurty even for atk = any. To obtan an mprovement for th, we how the followng, whoe proof n Secton 7: Lemma 4. For any n, m wth m 2 2 n 2, CP any n,m 2d (m) 2 n + 8m4 2 2n where d (m) the maxmum, over all m m, of the number of potve number that dvde m.

7 The functon d (m) grow lowly; n partcular, d (m) < m 0.7/ln ln(m) for all uffcently large m [10, Theorem 317]. We have verfed that d 1.07/ ln ln m (m) m for all m 2 64 (and we aume for all m), and alo that d (m) lg 2 m for all m Combnng the above wth Lemma 3 lead to the followng: Theorem 2. For any n, m, q wth m 2 2 n 2, ) dv any q2 ECC (q, n, m) (d 2 n (m) + 4m4 2 n. 5 oundng FCP ound CC (Proof of Lemma 1) The proof by the game-playng technque [2, 4]. Let be an adverary that ak exactly q quere, M 1,..., M q n m, where no quere M r and M, for r, hare a prefx n n +. We mut how that dv CC () q 2 FCP pf n,m +4mq 2 /2 n. Refer to game D0 D7 a defned n Fg. 2. Set Dom(π) and Ran(π) tart off a empty and automatcally grow a pont are added to the doman and range of the partal functon π. Set Dom(π) and Ran(π) are the complement of thee et relatve to {0, 1} n. They automatcally hrnk a pont jon the doman and range of π. We wrte boolean value a 0 (fale) and 1 (true), and we ometme wrte then a a colon. The flag bad ntalzed to 0 and the map π ntalzed a everywhere undefned. We now brefly explan the equence. D1: Game D1 fathfully mulate the CC MC contructon. Intead of choong a random permutaton π up front, we fll n t value a-needed, o a to not to create a conflct. Oberve that f bad = 0 followng lne then Ĉm = C m and o game D1 alway return C m, regardle of bad. Th make clear that Pr[ D1 1] = Pr[π $ Perm(n) : CCπ 1]. D0: Game D0 obtaned from game D1 by omttng lne 110 and the tatement that mmedately follow the ettng of bad at lne 107 and 108. Thu th game return the random n-bt trng C m = Ĉm n repone to each query M, o Pr[ D0 1] = Pr[ρ $ Func(n) : ρ 1]. Now game D1 and D0 have been defned o a to be yntactcally dentcal except on tatement that mmedately follow the ettng of bad to true or the checkng f bad true, o the fundamental lemma of game-playng [4] ay u that Pr[ D1 1] Pr[ D0 1] Pr[ D0 et bad ]. dv CC () = Pr[ CCπ 1] Pr[ ρ 1] = Pr[ D1 1] Pr[ D0 1], the ret of the proof bound dv CC () by boundng Pr[ D0 et bad ]. D0 D2: We rewrte game D0 a game D2 by droppng the varable Ĉm and ung varable C m n t place, a thee are alway equal. We have that Pr[ D0 et bad ] = Pr[ D2 et bad ]. D2 D3: Next we elmnate lne 209 and then, to compenate, we et bad any tme the value X m or C m would have been acceed. Th account for the new lne 303 and the new djunct on lne 310. To compenate for the removal of lne 209 we mut alo et bad whenever C, choen at lne 204, happen to be a pror value Cr mr. Th done at lne 306. We have that Pr[ D2 et bad ] Pr[ D3 et bad ]. D3 D4: Next we remove the

8 On the th query F (M ) 100 m M n, C 0 0 n Game D1 101 for 1 to m 1 do 102 X C 1 M 103 f X Dom(π) then C π(x) 104 ele π(x) C Ran(π) 105 X m C m 1 M m 106 Ĉm C m $ {0, 1} n Ran(π): bad 1, C m $ 107 f C m 108 f X m 109 π(x m Ran(π) Dom(π): bad 1, C m π(x m ) C m 110 f bad then return C m 111 return Ĉm On the th query F (M ) 300 m M n, C 0 0 n $ ) Game D3 301 for 1 to m 1 do 302 X C 1 M 303 f ( r < )(X = Xr mr ): bad f X Dom(π) then C π(x) 305 ele π(x) C Ran(π), 306 f ( r <)(C =Cr mr ): bad 1 C m 1 M m 307 X m 308 C m 309 f X m $ {0, 1} n 310 ( r <)(X m 311 then bad return C m Dom(π) C m =X mr r $ Ran(π) C m =Cr mr ) 500 for 1 to q do Game D5 501 C 0 0 n 502 for 1 to m 1 do 503 X C 1 M 504 f ( r < )(X = Xr mr ): bad f X Dom(π) then C π(x) 506 ele π(x) C C m 1 M m 507 X m 508 f ( r < ) (X m = X mr 509 X m $ Ran(π) Dom(π) r ) then bad π $ Perm(n) Game D7 701 C 0 1 C n 702 for 1 to m 1 do 703 X1 C 1 1 M 1, C1 π(x1) 704 for 1 to m 2 do 705 X2 C 1 2 M 2, C2 π(x2) 706 bad X m 2 2 {X1 1,..., X m 1 1, 707 X2 1,..., X m } On the th query F (M ) 200 m M n, C 0 0 n Game D2 201 for 1 to m 1 do 202 X C 1 M 203 f X Dom(π) then C π(x) 204 ele π(x) C Ran(π) C m 1 M m 205 X m 206 C m $ {0, 1} n Dom(π) C m 207 f X m 208 then bad π(x m ) C m 210 return C m On the th query F (M ) 400 m M n, C 0 0 n $ Ran(π) Game D4 401 for 1 to m 1 do 402 X C 1 M 403 f ( r <)(X = Xr mr ): bad f X Dom(π) then C π(x) 405 ele π(x) C Ran(π) 406 X m C m 1 M m 407 f X m Dom(π) 408 ( r <)(X m =Xr mr ) then bad C m $ {0, 1} n 410 return C m 600 π $ Perm(n) Game D6 601 for [1.. q] do 602 C 0 0 n 603 for 1 to m 1 do 604 X C 1 M 605 C π(x) 606 X m C m 1 M m 607 bad ( (r, ) (, m )) [Xr = X m $ ] Fg. 2. Game D0 D7 ued n the proof of Lemma 1.

9 tet ( r <)(C =C mr r tet for C m = C mr r ) at lne 306, the tet f C m Ran(π) at lne 309, and the at lne 310, boundng the probablty that bad get et due to any of thee three tet. To bound the probablty of bad gettng et at lne 306: total of at mot mq tme we elect at lne 305 a random ample C from a et of ze at leat 2 n mq 2 n 1. (We may aume that mq 2 n 1 nce the probablty bound gven by our lemma exceed 1 f mq > 2 n 1.) The chance that one of thee pont equal to any of the at mot q pont C mr r thu at mot 2mq 2 /2 n. To bound the probablty of bad gettng et by the C m Ran(π) tet at lne 309: ealy een to be at mot mq 2 /2 n. To bound the probablty of bad gettng et by the C m = Cr mr tet at lne 310: ealy een to be at mot q 2 /2 n. Overall then, Pr[ D3 et bad ] Pr[ D4 et bad ] + 4mq 2 /2 n. D4 D5: The value C m returned to the adverary n repone to a query n game D4 never referred to agan n the code and ha no nfluence on the game and the ettng of bad. ccordngly, we may thnk of thee value a beng choen up-front by the adverary who, correpondngly, make an optmal choce of meage quere M 1,..., M q o a to maxmze the probablty that bad get et n game D4. Quere M 1,..., M q n m are prefx-free (meanng that no two trng from th lt hare a prefx P n + ) and the trng have block length of m 1,..., m q, repectvely, where each m m. We fx uch an optmal vector of meage and meage length n pang to game D5, o that Pr[ D4 et bad ] Pr[D5 et bad ]. The adverary ha effectvely been elmnated at th pont. D5 D6: Next we potpone the evaluaton of bad and undo the lazy defnng of π to arrve at game D6. We have Pr[D5 et bad ] Pr[D6 et bad ]. D6 D7: Next we oberve that n game D6, ome par r, mut contrbute at leat an average amount to the probablty that bad get et. Namely, for any r, [1.. q] where r defne bad r, a (X m = X r for ome [1.. m r ]) (X m = X for ome [1.. m 1]) and note that bad et at lne 607 ff bad r, = 1 for ome r, and o there mut be an r uch that Pr[D6 et bad r, ] (1/q(q 1)) Pr[D6 et bad ]. Fxng uch an r, and renamng M 1 = M r, M 2 = M, m 1 = m r, and m 2 = m, we arrve at game D7 knowng that Pr[D6 et bad ] q 2 Pr[D7 et bad ]. (3) Now Pr[D7 et bad ] = FCP n (M 1, M 2 ) FCP pf n,m by the defnton of FCP and the fact that π a permutaton. Puttng all the above together we are done. 6 Graph-aed Repreentaton of CC In th ecton we decrbe a graph-baed vew of CC computaton and provde ome lemma that wll then allow u to reduce the problem of upper boundng the collon probablte CP any n,m and FCP pf n,m to combnatoral countng problem. We fx for the ret of th ecton a blocklength n 1 and a par of dtnct meage M 1 = M1 1 M m1 1 n m1 and M 2 = M2 1 M m2 2 n m2 where m 1, m 2 1. We let l = max(m 1, m 2 ).

10 algorthm Perm2Graph(M 1, M 2, π) //M 1 m 1 n, M 2 m 2 n, π Perm(n) σ(0) 0 n, ν 0, E for b 1 to 2 do v 0 for 1 to m b do f w.t. (v, w) E and L((v, w)) = Mb then v w ele f w.t. π(σ(v) Mb) = σ(w) then E E {(v, w)}, L((v, w)) Mb, v w ele ν ν + 1, σ(ν) π(σ(v) Mb), E E {(v, ν)}, L((v, ν)) Mb, v ν return G ([0..ν], E, L) algorthm Graph2Prof(G) //G G(M 1, M 2), M 1 m 1 n, M 2 m 2 n Prof 1 Prof 2 Prof 3 ( ), V {0}, E for b 1 to 2 do for 1 to m b do f w V.t. Vb (G) = w then f b = 1 then p (w, ) ele p (w, m 1 + ) Prof 1 Prof 1 p f (V 1 b (G), w) E then Prof 2 Prof 2 p f Cycle G(V, E, V 1 b (G), w) = 0 then Prof 3 Prof 3 p V V {Vb (G)}, E E {(V 1 b (G), Vb (G))} return (Prof 1, Prof 2, Prof 3) algorthm Prof2Graph() // = (( 1, t 1),..., ( a, t a)) Prof 2(M 1, M 2) V {0}, E, c 1, v 1 0 v 2 0 ν 0 for b 1 to 2 do for 1 to m b do f = t c then v b c, c c + 1 ele ν ν + 1, v b ν E E {(v b 1, v b )}, L((v b 1, v b )) M b return G ([0..ν], E, L) Fg. 3. The frt algorthm above buld the tructure graph G M 1,M 2 π aocated to M 1, M 2 and a permutaton π Perm(n). The next aocate to G G(M 1, M 2) t type-1, type-2 and type-3 collon profle. The lat algorthm contruct a graph from t type-2 collon profle Prof 2(M 1, M 2). Structure graph. To M 1, M 2 and any π Perm(n) we aocate the tructure graph G M1,M2 π output by the procedure Perm2Graph (permutaton to graph) of Fg. 3. The tructure graph a drected graph (V, E) together wth an edgelabelng functon L: E {M1 1,..., M m1 1, M2 1,..., M m2 2 }, where V = [0..ν] for ome ν m 1 + m To get ome ene of what gong on here, let C M1,M2 π = {CC M1 π [] : 0 m 1 } {CC M2 π [] : 0 m 2 }. Note that due to collon the ze of the et Cπ M1,M2 could be trctly le than the maxmum poble ze of m 1 + m The tructure graph Gπ M1,M2 ha vertex et V = [0..η] where η = Cπ M1,M2. ocated to a vertex v V a label σ(v) Cπ M1,M2, wth σ(0) = 0 n. (Th label contructed by the code but not part of the fnal graph.) n edge from a to b wth label x ext n the tructure graph ff π(σ(a) x) = σ(b).

11 Let G(M 1, M 2 ) = {G M1,M2 π : π Perm(n)} denote the et of all tructure graph aocated to meage M 1, M 2. Th et ha the probablty dtrbuton nduced by pckng π at random from Perm(n). We aocate to G = (V, E, L) G(M 1, M 2 ) equence Vb 0,..., V m b b V that for b = 1, 2 are defned nductvely a follow: et Vb 0 = 0 and for [1..m b] let Vb 1 be the unque vertex w V uch that there an edge (Vb, w) E wth L(e) = Mb. Note that th defne the followng walk n G: 0 = V = V 0 2 M1 1 V1 1 M2 1 V2 1 M 2 1 V 2 1 V m1 1 M 2 2 V 2 2 V m2 1 2 M m1 1 V m1 1 and M m2 2 V m2 2. If G = G M1,M2 π then oberve that σ(vb ) = CCM1,M2 π [] for [0..m b ] and b = 1, 2, where σ( ) the vertex-labelng functon defned by Perm2Graph(π). We emphaze that Vb depend on G (and thu mplctly on M 1 and M 2 ), and f we want to make the dependence explct we wll wrte Vb (G). Collon. We ue the followng notaton for equence. If = ( 1,..., k ) a equence then = k; y ff y = for ome [1..k]; x = ( 1,..., k, x); and ( ) denote the empty equence. For G = (V, E) G, E E, V V and a, b V we defne Cycle G (V, E, a, b) = 1 f addng edge (a, b) to graph G = (V, E ) cloe a cycle of length at leat four wth drecton of edge on the cycle alternatng. Formally, Cycle G (V, E, a, b) = 1 ff there ext k 2 and vertce a = v 1, v 2,..., v 2k 1, v 2k = b V uch that (v 2 1, v 2 ) E for all [1..k], (v 2+1, v 2 ) E for all [1..k 1], and (b, a) E. To a graph G G we aocate equence Prof 1 (G), Prof 2 (G), Prof 3 (G) called, repectvely, the type-1, type-2 and type-3 collon profle of G. They are returned by the algorthm Graph2Prof (graph to collon profle) of Fg. 3 that refer to the predcate Cycle G we have jut defned. We ay that G ha a type-a (, t)-collon (a {1, 2, 3}) f (, t) Prof a (G). Type-3 collon are alo called accdent, and type-1 collon that are not accdent are called nduced collon. We let col (G) = Prof (G) for = 1, 2, 3. Lemma 5. Let n 1, M 1 n m1, M 2 n m2, l = max(m 1, m 2 ). Let H G(M 1, M 2 ) be a tructure graph. Then Pr[G $ G(M 1, M 2 ) : G = H] 1 (2 n m m ) col3(h) 1 (2 n 2l) col3(h). The lemma buld on an unpublhed technque from [8, 9]. proof gven n [3]. For = 1, 2, 3 let Prof (M 1, M 2 ) = {Prof (G) : G G(M 1, M 2 )}. Note that f = ((w 1, t 1 ),..., (w a, t a )) Prof 2 (M 1, M 2 ) then 1 t 1 < < t a m 1 + m 2 and w < t for all [1..a]. lgorthm Prof2Graph (collon profle to graph) of Fg. 3 aocate to Prof 2 (M 1, M 2 ) a graph n a natural way. We leave the reader to verfy the followng: Lemma 6. Prof2Graph(Prof 2 (G)) = G for any G G(M 1, M 2 ).

12 Th mean that the type-2 collon profle of a graph determne t unquely. Now for = 1, 2, 3 and an nteger a 0 we let G a (M 1, M 2 ) = {G G(M 1, M 2 ) : col (G) = a} and Prof a (M 1, M 2 ) = { Prof (M 1, M 2 ) : = a} Lemma 7. Let n 1, M 1 n m1, M 2 n m2, l = max(m 1, m 2 ), and aume l 2 2 n 2. Then Proof. y Lemma 5 Pr[G $ G(M 1, M 2 ) : col 3 (G) 2] 8l4 2 2n. Pr[G $ G(M 1, M 2 ) : col 3 (G) 2] l = Pr[G $ G(M 1, M 2 ) : G = H] a=2 H G3 a(m1,m2) l G3 a (M 1, M 2 ) (2 n 2l) a. a=2 Snce every type-3 collon a type-2 collon, G a 3 (M 1, M 2 ) G a 2 (M 1, M 2 ). y Propoton 6, G a 2 (M 1, M 2 ) = Prof a 2(M 1, M 2 ). Now Prof a 2(M 1, M 2 ) (l(l + 1)/2) a l 2a, o we have l a=2 G a 3 (M 1, M 2 ) (2 n 2l) a l a=2 l 2a (2 n 2l) a. Let x = l 2 /(2 n 2l), and oberve that the aumpton l 2 2 n 2 made n the lemma tatement mple that x 1/2. Thu the above l l 2 x a = x 2 x a x 2 x a 2x 2 2l 4 = (2 n 2l) 2 8l4 2 2n, a=2 a=0 a=0 where the lat nequalty ued the fact that l 2 n 2. Let P denote a predcate on graph. Then φ M1,M 2 [P ] wll denote the et of all G G3(M 1 1, M 2 ) uch that G atfe P. (That, t the et of tructure graph G havng exactly one type-3 collon and atfyng the predcate.) For example, predcate P mght be V m1 1 ( ) = V m2 2 ( ) and n that cae φ M1,M 2 2 ] {G G 1 3(M 1, M 2 ) : V m1 1 (G) = V m2 2 (G)}. Note that f G ha exactly one accdent then Prof 2 (G) = Prof 3 (G), meanng the accdent wa both a type-2 and a type-3 collon. We wll ue th below. In th cae when we talk of an (, t)-accdent, we mean a type-2 (, t)-collon. Fnally, let n G (v) denote the n-degree of a vertex v n a tructure graph G.

13 7 oundng CP any n,m (Proof of Lemma 4) In th ecton we prove Lemma 4, howng that CP any n,l 2d (l)/2 n + 8l 4 /2 2n for any n, l wth l 2 2 n 2, thereby provng Lemma 4. Lemma 8. Let n 1 and 1 m 1, m 2 l. Let M 1 n m1 dtnct meage and aume l 2 2 n 2. Then and M 2 m2 n be CP any n,l (M 1, M 2 ) 2 φ M 1,M 2 2 ] 2 n + 8l4 2 2n. Proof. Wth the probablty over G $ G(M 1, M 2 ), we have: CP n (M 1, M 2 ) = Pr [ V m1 2 ] = Pr [ V m1 2 col 3 (G) = 1 ] + Pr [ V m1 2 col 3 (G) 2 ] (4) φ M 1,M 2 2 ] 2 n + 8l4 2l 2 2n (5) 2 φ M 1,M 2 2 ] 2 n + 8l4. 22n (6) In (4) above we ued that Pr [ V m1 2 col 3 (G) = 0 ] = 0 a V m1 2 wth M 1 M 2 mple that there at leat one accdent. In (5) we frt ued Lemma 5, and then ued Lemma 7. In (6) we ued the fact that l 2 n 2, whch follow from the aumpton l 2 2 n 2. Next we bound the ze of the et that are above: Lemma 9. Let n, l 1 and 1 m 2 m 1 l. Let M 1 n m1 be dtnct meage. Then and M 2 m2 n φ M1,M 2 2 ] d (l). Puttng together Lemma 8 and 9 complete the proof of Lemma 4. Proof (Lemma 9). Let k 0 be the larget nteger uch that M 1, M 2 have a common uffx of k block. Note that V m1 2 ff V m1 k k 2. Thu, we may conder M 1 to be replaced by M 1 m1 k 1 and M 2 to be replaced by M 1 m2 k 2, wth m 1, m 2 correpondngly replaced by m 1 k, m 2 k repectvely. We now have dtnct meage M 1, M 2 of at mot l block each uch that ether m 2 = 0 or M m1 1 M m2 2. (Note that now m 2 could be 0, whch wa not true before our tranformaton.) Now conder three cae. The frt that m 2 1 and M 2 a prefx of M 1. Th cae covered by Lemma 10. (Note n th cae t mut be that m 1 > m 2 nce M 1, M 2 are dtnct and ther lat block are dfferent.) The econd cae that m 2 = 0 and covered by Lemma 11. (In th cae, m 1 1 nce M 1, M 2 are dtnct.) The thrd cae that m 2 1 and M 2 not a prefx of M 1. Th cae covered by Lemma 12.

14 Lemma 10. Let n 1 and 1 m 2 < m 1 l. Let M 1 n m1, M 2 n m2. ume M 2 a prefx of M 1 and M m1 1 M m2 2. Then φ M1,M 2 2 ] d (l). Proof. ecaue M 2 a prefx of M 1 we have that V m2 2 = V m2 1, and thu φ M1,M 2 2 ] = φ M1,M 2 1 = V m1 1 ]. We now bound the latter. Let G G3(M 1 1, M 2 ). Then V m1 1 (G) = V m2 1 (G) ff t m 2 uch that G ha a type-2 (t, V m2 1 (G))-collon. (Th alo a type-3 (V m2 1 (G), t)-collon nce G ha exactly one accdent.) To ee th note that nce there wa at mot one accdent, we have n G (V1 (G)) 1 for all [1..m 1 ] except one, namely the uch that V1 (G) wa ht by the accdent. nd t mut be that = m 2 nce V m2 1 (G) ha n-gong edge labeled M m2 1 and M m1 1, and thee edge cannot be the ame a M m1 1 M m2 1. Let c 1 be the mallet nteger uch that V m2+c 1 (G) = V m2 1 (G). That, we have a cycle V m2 1 (G), V m2+1 1 (G),..., V m2+c 1 (G) = V m2 1 (G). Now, gven that there only one accdent and V m2 1 (G) = V m1 1 (G), t mut be that m 1 = m 2 +kc for ome nteger k 1. (That, tartng from V m2 1 (G), one travere the cycle k tme before reachng V m1 1 (G) = V m2 1 (G).) Th mean that c mut dvde m 1 m 2. ut φ M1,M 2 1 = V m1 1 ] at mot the number of poble value of c, nce th value unquely determne the graph. So φ M1,M 2 1 = V m1 1 ] d(m 1 m 2 ), where d() the number of potve nteger uch that dvde. ut d(m 1 m 2 ) d (l) by defnton of the latter. Lemma 11. Let n 1 and 1 m 1 l. Let M 1 n m1, let M 2 = ε and let m 2 = 0. Then φ M1,M 2 2 ] d (l). Proof. Ue an argument mlar to that of Lemma 10, notng that Vm 0 1 (G) = V1 0 (G) mple that n G (V1 0 (G)) 1. Lemma 12. Let n 1 and 1 m 2 m 1 l. Let M 1 n m1, M 2 m2 ume M 2 not a prefx of M 1 and M m1 1 M m2 2. Then φ M1,M 2 V m2 2 ] 1. n. 1 = Proof. Let p [0..m 2 1] be the larget nteger uch that M1 1 = M2 1 for all [1..p]. Then V1 = V2 for [1..p] and V p+1 1 V p+1 2. Now to have V m1 2 we need an accdent. Snce M m1 1 M m2 2 and there only one accdent, the only poblty that th a (V m1 1, m 1 + m 2 )-collon. Thu, there only one way to draw the graph. 8 oundng FCP pf n,l (Proof of Lemma 2) In th ecton we how that FCP pf n,l 8l/2n + 8l 4 /2 2n for any n, l wth l 2 2 n 2, thereby provng Lemma 2. Recall that pf(m 1, M 2 ) = fale ff M 1 not a prefx of M 2 and M 2 not a prefx of M 1. The proof of the followng mlar to the proof of Lemma 8 and omtted.

15 ??? Fg. 4. Some hape where the M 1-path (old lne) make a loop. In the frt three cae the M 1-path pae only once through V p 1 (the dot), and we ee that we cannot draw the M 2-path uch that V m 2 2 {V p+1 1,..., V m 1 1 } wthout a econd accdent n any of thoe cae. In the lat graph V m 2 2 {V p+1 1,..., V m 1 1 }, but there alo V p {V 0 1,..., V p 1 1, V p+1 1,..., V m 1 1 }. 1 Lemma 13. Let n 1 and 1 m 1, m 2 l. Let M 1 n m1, M 2 n m2 pf(m 1, M 2 ) = fale. ume l 2 2 n 2. Then FCP pf n,l (M 1, M 2 ) 2 φm1,m 2 2 {V1 1,..., V m1 1, V2 1,..., V m2 1 2 }] 2 n + 8l4 2 2n. Next we bound the ze of the et that are above: Lemma 14. Let n, l 1 and 1 m 1, m 2 l. Let M 1 n m1 pf(m 1, M 2 ) = fale. Then φm1,m 2 2 {V 1 1,..., V m1 1, V 1 2,..., V m2 1 2 }] 4l., M 2 m2 n wth wth Puttng together Lemma 13 and 14 complete the proof of Lemma 2. We denote by cpl(m 1, M 2 ) the number of block n the longet common block-prefx of M 1, M 2. That, cpl(m 1, M 2 ) the larget nteger p uch that M1 = M2 for all [1..p]. Defne the predcate NoLoop(G) to be true for tructure graph G G 1 2(M 1, M 2 ) ff V 0 1 (G),..., V m1 V 0 2 (G),..., V m2 1 (G) are all dtnct and alo 2 (G) are all dtnct. Let Loop be the negaton of NoLoop. Proof (Lemma 14). Let p = cpl(m 1, M 2 ). Snce pf(m 1, M 2 ) = fale, t mut be that p < m 1, m 2 and M p+1 1 M p+1 2. Note then that V1 = V2 for all [0..p] but V p+1 1 V p+1 2. Now we break up the et n whch we are ntereted a φ M1,M 2 2 {V1 1,..., V m1 1, V2 1,..., V m2 1 2 }] = φ M1,M 2 2 {V2 1,..., V m2 1 2 }] φ M1,M 2 2 {V p+1 1,..., V m1 1 }]. Lemma 15 mple that φ M1,M 2 2 {V2 1,..., V m2 1 2 }] m 2 and Lemma 17 ay that φ M1,M 2 2 {V p+1 1,..., V m1 1 } NoLoop] m 1. It reman to bound φ M1,M 2 2 {V p+1 1,..., V m1 1 } Loop]. We ue a cae analy, whch llutrated n Fg. 4. The condton Loop mean that ether the M 1 - or the M 2 -path (or both) mut make a loop. If the M 1 -path make a loop then we can only draw the M 2 -path uch that V m2 2 {V p+1 1,..., V m1 1 } f the loop goe twce through V p 1. The ame argument work f only the M 2-path make a loop. Thu φ M1,M 2 2 {V p+1 1,..., V m1 1 } Loop] S 1 S 2

16 Fg. 5. n example for the proof of Lemma 15 wth m 1 = 5 and M 1 = for dtnct, {0, 1} n. Here we have N 5 = 5 µ 1(M1 5 ) + 1 = 5 µ 1() + 1 = = 3 and N 4 = µ 1(M1 5 ) µ 1(M1 4 5 ) = µ 1() µ 1( ) = 3 2 = 1 and N 3 = µ 1(M1 4 5 ) µ 1(M1 3 5 ) = µ 1( ) µ 1( ) = 2 1 = 1 and N 2 = N 1 = 0. The frt three graph how the N 5 cae, the fourth and the ffth graph how the ngle cae for N 4 and N 3. where S 1 = φ M1,M 2 [V p 1 {V 1 0,..., V p 1 1, V p+1 1,..., V m1 1 }] S 2 = φ M1,M 2 [V p 2 {V 2 0,..., V p 1 2, V p+1 2,..., V m2 2 }]. Lemma 16 ay that S 1 m 1 and S 2 m 2. Puttng everythng together, the lemma follow a 2(m 1 + m 2 ) 4l. Lemma 15. Let n, m 1, m 2 1. Let M 1 m1 n fale. Then for b {1, 2}, φm1,m 2 [V m b b V 0 b, V 1, M 2 m2 n wth pf(m 1, M 2 ) = b,..., V m b 1 }] = mb Proof. We prove the clam for b = 1 and then brefly dcu how to extend the proof to b = 2. If V m1 1 {V1 0,..., V m1 1 1 } then there mut be a (V1, j)- accdent for ome [0..m 1 1] and j [ + 1..m 1 ] and then nduced collon n tep j + 1 to m 1. Thu V j+k 1 = V1 +k for all k [0..m 1 j]. For j [1..m 1 ] let N j be the number of tructure graph G G2(M 1 1, M 2 ) uch that V m1 1 (G) {V1 0 (G),..., V m1 1 1 (G)} and there a (V1 (G), j)-accdent for ome [0..j 1]. Then φ M1,M 2 1 {V1 0,..., V m1 1 1 }] m 1 = N j. Let µ 1 (S) denote the number of block-algned occurrence of the ubtrng S n M 1. (For example, µ 1 ( ) = 2 f M 1 = for ome dtnct, {0, 1} n.) It poble to have a (V1, m 1 )-accdent for any [0..m 1 1] for whch M1 M m1 1 (cf. Fg. 5) and thu N m1 = m 1 µ 1 (M m1 1 ) + 1. It poble to have a (V1, m 1 1)-accdent and alo have V m1 1 {V1 0,..., V m1 1 1 } for any [0..m 1 2] for whch M1 M m1 1 1 and M1 +1 = M m1 1 and thu b j=1

17 D D D D Fg. 6. n example for the proof of Lemma 16 wth m 1 = 5, M 1 = D and r = 1, where,, D {0, 1} n are dtnct. (The large dot V1 r = V1 1.) Here we have N r = m r = µ 2(M1 1 ) = N 1 = m 1 1 µ 2(M1 1 ) = 5 1 µ 2() = = 3. Thoe cae correpond to the frt three graph n the fgure. The fourth graph correpond to N r 1 = N 0 = µ 2( M1 1 r ) = µ 2( ) = 1. N m1 1 = µ 1 (M m1 1 ) µ 1 (M m1 1 m1 1 ). In general for j [1..m 1 1] we have N j = µ 1 (M j+1 m1 1 ) µ 1 (M j m1 1 ). Ung cancellaton of term n the um we have m 1 j=1 N j = m µ 1 (M 1 m1 1 ) = m 1 whch prove the lemma for the cae b = 1. For b = 2 we note that we can effectvely gnore the part of the graph related to M nce t mut be a traght lne, and thu the above countng apple agan wth the (V1, j)-accdent now beng a (V2, m 1 + j)-accdent and M 1, m 1 replaced by M 2, m 2 repectvely. Next we have a generalzaton of Lemma 15. Lemma 16. Let n, m 1, m 2 1. Let M 1 n m1 fale. Then for b {1, 2} and any r [0..m b ], φ M1,M 2 [V r b {V 0 b,..., V r 1 b, V r+1 b, M 2 m2 n wth pf(m 1, M 2 ) =,..., V m b b }] m b. Proof. We prove t for the cae b = 1. (The cae b = 2 analogou.) y Lemma 15 we have φ M1,M 2 [V1 r {V1 0,..., V1 r 1 }) = r. It reman to how that φm1,m 2 [V1 r {V1 r+1,..., V m1 1 } V1 r {V1 0,..., V1 r }] m1 r. We may aume that V1 V j 1 for all 0 < j r 1, a otherwe we have already ued up our accdent and there no way to get V1 r {V1 r+1,..., V m1 1 } any more. If Vr {V1 r+1,..., V m1 1 } then there a (V j 1, )-accdent for ome 0 j r <. For j [0..r] let N j be the number of tructure graph G G2(M 1 1, M 2 ) uch that V1 r (G) {V1 r+1 (G),..., V m1 1 (G)}, V1 r (G) {V1 0 (G),..., V1 r (G)} and there a (V j 1, )-accdent for ome [r + 1..m 1]. Then φm1,m 2 [V1 r {V1 r+1,..., V m1 1 } V1 r {V1 0,..., V1 r }] r = N j. j=0

18 Let µ 2 (S) be the number of block-algned occurrence of the ubtrng S n M r+1 m1 1, and adopt the conventon that µ 2 (M1 0 ) = 0. Snce we can only have an (V1 r, j)-accdent when M j 1 M 1 r we have N r = m r µ 2 (M1 r ). For > r, a (V1 r, )-accdent poble and wll reult n V1 r {V1 r+1,..., V m1 1 } only f M1 +1 = X M r for ome X M1 r 1. Now wth beng a wldcard tandng for an arbtrary block we have N r 1 = µ 2 ( M1 r ) µ 2 (M1 r 1 r ). In general, for j [1..r 1] we have N j = µ 2 ( M j+1 r 1 ) µ 2 (M j r 1 ) and N 0 = µ 2 ( M1 1 r ). Now, a µ 2 ( S) µ 2 (S) for any S, we get r N j m 1 r. j=0 The proof of the followng n [3]. Lemma 17. Let n, m 1, m 2 1. Let M 1 n m1 fale. Let p = cpl(m 1, M 2 ). Then φ M1,M 2 2 {V p+1 1,..., V m1 cknowledgment, M 2 m2 n wth pf(m 1, M 2 ) = 1 } NoLoop] m 1. art Preneel wa the frt we heard to ak, back n 1994, f the m 2 term can be mproved n the CC MC bound of m 2 q 2 /2 n. ellare wa upported by NSF grant NR and CCR , and by an IM Faculty Partnerhp Development ward. Petrzak wa upported by the Sw Natonal Scence Foundaton, project No /1. Rogaway carred out mot of th work whle hoted by the Department of Computer Scence, Faculty of Scence, Chang Ma Unverty, Thaland. He currently hoted by the School of Informaton Technology, Mae Fah Luang Unverty, Thaland. He upported by NSF grant CCR and a gft from Intel Corp. Reference 1. M. ellare, O. Goldrech, and. Mtyagn. The power of verfcaton quere n meage authentcaton and authentcated encrypton. Cryptology eprnt rchve: Report 2004/ M. ellare, J. Klan, and P. Rogaway. The ecurty of the cpher block channg meage authentcaton code. Journal of Computer and Sytem Scence (JCSS), vol. 61, no. 3, pp , Earler veron n Crypto M. ellare, K. Petrzak, and P. Rogaway. Improved ecurty analye for CC MC. Full veron of th paper. valable va author web page. 4. M. ellare and P. Rogaway. The game-playng technque. Cryptology eprnt rchve: Report 2004/ erendchot,. den oer, J. oly,. oelaer, J. randt, D. Chaum, I. Damgård, M. Dchtl, W. Fumy, M. van der Ham, C. Janen, P. Landrock,. Preneel, G. Roelofen, P. de Rooj, and J. Vandewalle. Fnal Report of Race Integrty Prmtve. Lecture Note n Computer Scence, vol. 1007, Sprnger-Verlag, 1995

19 6. R. erke. On the ecurty of terated MC. Dploma The, ETH Zürch, ugut J. lack and P. Rogaway. CC MC for arbtrary-length meage: the three-key contructon. dvance n Cryptology CRYPTO 00, Lecture Note n Computer Scence Vol. 1880, M. ellare ed., Sprnger-Verlag, Y. Dod. Peronal communcaton to K. Petrzak Y. Dod, R. Gennaro, J. Håtad, H. Krawczyk, and T. Rabn. Randomne extracton and key dervaton ung the CC, Cacade, and HMC mode. dvance n Cryptology CRYPTO 04, Lecture Note n Computer Scence Vol. 3152, M. Frankln ed., Sprnger-Verlag, G. Hardy and E. Wrght. n Introducton to the Theory of Number. Oxford Unverty Pre, E. Jaulme,. Joux, and F. Valette. On the ecurty of randomzed CC-MC beyond the brthday paradox lmt: a new contructon. Fat Software Encrypton 02, Lecture Note n Computer Scence Vol. 2365, J. Daemen, V. Rjmen ed., Sprnger-Verlag, J. Klan and P. Rogaway. How to protect DES agant exhautve key earch (an analy of DESX). Journal of Cryptology, vol. 14, no. 1, pp , Earler veron n Crypto U. Maurer. Indtnguhablty of random ytem. dvance n Cryptology EUROCRYPT 02, Lecture Note n Computer Scence Vol. 2332, L. Knuden ed., Sprnger-Verlag, Natonal Inttute of Standard and Technology, U.S. Department of Commerce, M Dworkn, author. Recommendaton for block cpher mode of operaton: the CMC mode for authentcaton. NIST Specal Publcaton , May E. Petrank and C. Rackoff. CC MC for real-tme data ource. Journal of Cryptology, vol. 13, no. 3, pp , V. Shoup. Sequence of game: a tool for tamng complexty n ecurty proof. Cryptology eprnt report 2004/332, S. Vaudenay. Decorrelaton over nfnte doman: the encrypted CC-MC cae. Communcaton n Informaton and Sytem (CIS), vol. 1, pp , M. Wegman and L. Carter. New clae and applcaton of hah functon. Sympoum on Foundaton of Computer Scence (FOCS), pp , 1979.