Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications
|
|
- Hubert Ray
- 5 years ago
- Views:
Transcription
1 Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications Peng Wang, Yuling Li, Liting Zhang and Kaiyan Zheng State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences Data Assurance and Communication Security Research Center, Chinese Academy of Sciences University of Chinese Academy of Sciences Institution of Software, Chinese Academy of Sciences FSE 2016 March 23, / 36
2 Outline 1 Introduction Universal hash functions Related-key attacks RKA against UHF-based schemes 2 New definitions: RKA-AU and RKA-AXU 3 Constructions: RH1, RH2 and RH3 4 Applications in MACs and TBCs 2 / 36
3 Outline 1 Introduction Universal hash functions Related-key attacks RKA against UHF-based schemes 2 New definitions: RKA-AU and RKA-AXU 3 Constructions: RH1, RH2 and RH3 4 Applications in MACs and TBCs 3 / 36
4 Universal hash functions H : K D R Almost Universal (AU) Definition (AU) H is an ɛ-almost-universal (ɛ-au) hash function, if for any M, M D, M M, Pr[K $ K : H K (M) = H K (M )] ɛ When ɛ is negligible, we say that H is AU. 4 / 36
5 Universal hash functions Almost XOR Universal (AXU) Definition (AXU) Let (R, ) be an abelian group. H is an ɛ-almost-xor- universal (ɛ-axu), if for any M, M D, M M and C R, Pr[K $ K : H K(M) H K(M ) = C] ɛ When ɛ is negligible, we say that H is AXU. 5 / 36
6 Universal hash functions Example H K (M) = MK H K (M) H K (M ) = C MK M K = C (M M )K = C K = C(M M ) 1 1/2 n -AXU Pr[K $ K : H K (M) H K (M ) = C] = 1/2 n 6 / 36
7 Universal hash functions Example H K (M) = MK P oly : {0, 1} n {0, 1} nm {0, 1} n, P oly K (M) = M 1 K m M 2 K m 1 M m K M = M 1 M 2 M m {0, 1} nm, M i {0, 1} n, i = 1,, m. P oly is m/2 n -AXU. 7 / 36
8 Universal hash functions UHF-based schemes Message authentication code (MAC) Tweakable block cipher (TBC) Authenticated encryption (AE) scheme 8 / 36
9 Universal hash functions MAC UHF-based schemes [Wegman and Carter, 1981] [Brassard, 1982] 9 / 36
10 Universal hash functions TBC UHF-based schemes [Liskov et al., 2002] 10 / 36
11 Outline 1 Introduction Universal hash functions Related-key attacks RKA against UHF-based schemes 2 New definitions: RKA-AU and RKA-AXU 3 Constructions: RH1, RH2 and RH3 4 Applications in MACs and TBCs 11 / 36
12 Related-key attacks firstly applied to block ciphers [Biham, 1993] Bellare and Kohno gave a formal definition of RKA-PRP and RKA-PRF [Bellare and Kohno, 2003] widely applied to MACs, TESes and AE schemes Peyrin, et al: Generic related-key attacks for HMAC. ASIACRYPT Dobraunig, et al: Related-key forgeries for PrØst-OTR. FSE Sun, et al: Weak-key and related-key analysis of hashcounter- hash tweakable enciphering schemes. ACISP / 36
13 Outline 1 Introduction Universal hash functions Related-key attacks RKA against UHF-based schemes 2 New definitions: RKA-AU and RKA-AXU 3 Constructions: RH1, RH2 and RH3 4 Applications in MACs and TBCs 13 / 36
14 RKA against UHF-based schemes MAC Eg 1. H K (M 1 M 2 ) = M 1 K 2 M 2 K Query: (K M M, K 1) T T = E K (H K 1 (M M)) 2/2 n -AXU = E K (M(K 1) 2 M(K 1)) = E K (MK 2 MK) Forge: (K M M, K) T 14 / 36
15 RKA against UHF-based schemes TBC Eg 2. H K (T ) = T K Query: (T, M) 1/2 n -AXU (K, K 1) C C = E K (M T (K 1)) T (K 1) C T = E K ((M T ) T K) T K Predict: (K (T, M T ), K) C T 15 / 36
16 RKA against UHF-based schemes Problems in the two-key schemes Eg 1. H K 1 (M M) = H K (M M) Eg 2. H K 1 (T ) H K (T ) = T Collisions The attacks have nothing to do with the block cipher. 16 / 36
17 RKA against UHF-based schemes Almost all the existing two-key schemes which based on universal hash function are not related-key secure. 17 / 36
18 Outline 1 Introduction Universal hash functions Related-key attacks RKA against UHF-based schemes 2 New definitions: RKA-AU and RKA-AXU 3 Constructions: RH1, RH2 and RH3 4 Applications in MACs and TBCs 18 / 36
19 New definitions Definition (RKA-AU) RKA-AU H is an ɛ-related-key-almost-universal (ɛ-rka-au) hash function for the RKD set Φ, if φ, φ Φ, M, M D, (φ, M) (φ, M ), P r[k $ K : H φ(k) (M) = H φ (K)(M )] ɛ. When ɛ is negligible we say that H is RKA-AU. 19 / 36
20 New definitions Definition (RKA-AXU) RKA-AXU Let (R, ) be an abelian group. H is an ɛ-related-key-almost-xor-universal (ɛ-rka-axu) hash function for the RKD set Φ, if φ, φ Φ, M, M D, (φ, M) (φ, M ) and C R, P r[k $ K : H φ(k) (M) H φ (K)(M ) = C] ɛ. When ɛ is negligible we say that H is RKA-AXU. 20 / 36
21 Restrictions on the RKD sets Default RKD set Φ = {XOR : K K, K} 21 / 36
22 Not ideal functions P oly : {0, 1} n {0, 1} nm {0, 1} n, P oly K (M) = M 1 K m M 2 K m 1 M m K M = M 1 M 2 M m {0, 1} nm, M i {0, 1} n, i = 1, 2,, m Let M = M = 0 mn, φ φ. P oly φ(k) (0 mn ) = P oly φ (K)(0 mn ) = 0 P oly is not RKA-AU. 22 / 36
23 Not ideal functions Almost all the existing UHFs are not RKA-AU. MMH : H K(M) = ((( t i=1 MiKi) mod264 ) mod p) mod 2 32, M i, K i Z 2 32 and p = ; Square Hash : H K(M) = t i=1 (Mi + Ki)2 mod p, M i, K i Z p; NMH : H K(M) = ( t/2 i=1 (M2i 1 + K2i 1)(M2i + K2i)) mod p, M i, K i Z 2 32, p = ; NH, WH / 36
24 Outline 1 Introduction Universal hash functions Related-key attacks RKA against UHF-based schemes 2 New definitions: RKA-AU and RKA-AXU 3 Constructions: RH1, RH2 and RH3 4 Applications in MACs and TBCs 24 / 36
25 Constructions FIL-RKA-AXU: RH1 VIL-RKA-AXU: RH2 25 / 36
26 FIL-RKA-AXU RH1 : {0, 1} n {0, 1} n {0, 1} n, RH1 K (M) = MK + K 3. Proof. Let F (K) = RH1 K 1 (M) RH1 K 2 (M ). F (K) = ( 1 2 )K 2 ( M M )K ( M 1 M 2 ). Case F (K) = C has 2 roots at most. Case 2. 1 = 2. Then M M. F (K) = C has 1 root. Pr[K $ {0, 1} n : F (K) = C] 2/2 n. RH1 is 2/2 n -RKA-AXU over the RKD set Φ. 26 / 36
27 FIL-RKA-AXU Remark from one of reviewers RH1 K (M) = MK + K 3. Φ 0 = {id, f α }. f α (K) = αk, α GF (2 n ), α 3 = 1. RH1 fα(k)(α 1 M) = RH1 K (M) RH1 is not RKA-AU over the RKD set Φ / 36
28 VIL-RKA-AXU P oly K (M) = M 1 K m M 2 K m 1 M m K pad(m) = M 0 i M P oly K (pad(m)) is VIL-AXU but not RKA-AXU. 28 / 36
29 VIL-RKA-AXU P oly K (M) = M 1 K m M 2 K m 1 M m K RH2 : {0, 1} n {0, 1} {0, 1} n, { K l+2 P oly K (pad(m)), RH2 K (M) = K l+3 P oly K (pad(m))k, l is odd l is even l = M /n + 1. RH2 is RKA-AXU over the RKD set Φ. 29 / 36
30 VIL-RKA-AXU RH2 VS Poly RH2 K (M): P oly K (pad(m)) T K 2 T 0 for i = 1 to l for i = 1 to l T (T M i )K T (T M i )K if l is even T T K return T return T 30 / 36
31 Solution Whether it is secure? = 31 / 36
32 Outline 1 Introduction Universal hash functions Related-key attacks RKA against UHF-based schemes 2 New definitions: RKA-AU and RKA-AXU 3 Constructions: RH1, RH2 and RH3 4 Applications in MACs and TBCs 32 / 36
33 Applications related-key secure MACs MAC1 K,K (N, M) = H K (M) F K (N) over Φ 1 Φ 2 MAC2 K,K (M) = F K (H K (M)) over Φ 1 Φ 2 33 / 36
34 Applications related-key secure MACs related-key secure TBCs TBC1 K,K (T, M) = E K (M H K (T )) H K (T ) over Φ 1 Φ 2 TBC2 K (T, M) = π(m H K (T )) H K (T ) over Φ 1 34 / 36
35 Conclusion 1. Propose a new concept of related-key almost universal hash function: RKA-AXU and RKA-AU. 2. Provide several efficient constructions named RH1, RH2 and RH3. 3. Show related-key secure MACs and TBCs, composed of RKA-AXU (RKA-AU) hash functions and other primitives such as RKA-PRPs and RKA-PRFs. 35 / 36
36 Thanks! 36 / 36
37 Bellare, M. and Kohno, T. (2003). A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications. In Biham, E., editor, EUROCRYPT, volume 2656 of Lecture Notes in Computer Science, pages Springer. Biham, E. (1993). New types of cryptoanalytic attacks using related keys (extended abstract). In Helleseth, T., editor, EUROCRYPT, volume 765 of Lecture Notes in Computer Science, pages Springer. Brassard, G. (1982). On Computationally Secure Authentication Tags Requiring Short Secret Shared Keys. In International Crytology Conference, pages Liskov, M., Rivest, R. L., and Wagner, D. (2002). Tweakable block ciphers. In Yung, M., editor, CRYPTO 2012, volume 2442 of Lecture Notes in Computer Science, pages Springer. Wegman, M. N. and Carter, L. (1981). New hash functions and their use in authentication and set equality. 36 / 36
38 J. Comput. Syst. Sci., 22(3): / 36
Fast and Secure CBC-Type MAC Algorithms
Fast and Secure CBC-Type MAC Algorithms Mridul Nandi National Institute of Standards and Technology mridul.nandi@gmail.com Abstract. The CBC-MAC or cipher block chaining message authentication code, is
More informationBadger - A Fast and Provably Secure MAC
Badger - A Fast and Provably Secure MAC Martin Boesgaard, Ove Scavenius, Thomas Pedersen, Thomas Christensen, and Erik Zenner CRYPTICO A/S Fruebjergvej 3 2100 Copenhagen Denmark info@cryptico.com Abstract.
More informationFRMAC, a Fast Randomized Message Authentication Code
, a Fast Randomized Message Authentication Code Éliane Jaulmes 1 and Reynald Lercier 2 1 DCSSI Crypto Lab, 51 Bd de Latour Maubourg, F-75700 Paris 07 SP, France eliane.jaulmes@wanadoo.fr, 2 CELAR, Route
More informationAlain Passelègue Ecole Normale Supérieure Joint work with: Michel Abdalla (ENS), Fabrice Benhamouda (ENS), Kenneth G.
Alain Passelègue Ecole Normale Supérieure Joint work with: Michel Abdalla (ENS), Fabrice Benhamouda (ENS), Kenneth G. Paterson (RHUL) 26 mars 2014 Journées C2 Single-Key Attack on a cryptosystem F k F
More informationA Pseudo-Random Encryption Mode
A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of
More informationWinter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2
0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More informationModes of Operations for Wide-Block Encryption
Wide-Block Encryption p. 1/4 Modes of Operations for Wide-Block Encryption Palash Sarkar Indian Statistical Institute, Kolkata Wide-Block Encryption p. 2/4 Structure of Presentation From block cipher to
More informationEME : extending EME to handle arbitrary-length messages with associated data
EME : extending EME to handle arbitrary-length messages with associated data (Preliminiary Draft) Shai Halevi May 18, 2004 Abstract We describe a mode of oepration EME that turns a regular block cipher
More informationBreaking H 2 -MAC Using Birthday Paradox
Breaking H 2 -MAC Using Birthday Paradox Fanbao Liu 1,2, Tao Xie 1 and Changxiang Shen 2 1 School of Computer, National University of Defense Technology, Changsha, 410073, Hunan, P. R. China 2 School of
More informationOn the Security of CTR + CBC-MAC
On the Security of CTR + CBC-MAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBC-MAC (CCM) encryption mode.
More informationTweakable Blockciphers with Beyond Birthday-Bound Security
Tweakable Blockciphers with Beyond Birthday-Bound Security Will Landecker, Thomas Shrimpton, and R. Seth Terashima Dept. of Computer Science, Portland State University {landeckw,teshrim,robert22}@cs.pdx.edu
More informationOnline Cryptography Course. Message integrity. Message Auth. Codes. Dan Boneh
Online Cryptography Course Message integrity Message Auth. Codes Message Integrity Goal: integrity, no confiden>ality. Examples: Protec>ng public binaries on disk. Protec>ng banner ads on web pages. Message
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More informationMinimum Number of Multiplications of U Hash Functions
Minimum Number of Multiplications of U Hash Functions Indian Statistical Institute, Kolkata mridul@isical.ac.in March 4, FSE-2014, London Authentication: The Popular Story 1 Alice and Bob share a secret
More informationSecond Preimages for Iterated Hash Functions and their Implications on MACs
Second Preimages for Iterated Hash Functions and their Implications on MACs Mario Lamberger, Norbert Pramstaller, and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK)
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationDistinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework
Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework Zheng Yuan 1,2,3, Haixia Liu 1, Xiaoqiu Ren 1 1 Beijing Electronic Science and Technology Institute, Beijing 100070,China
More informationThe Random Oracle Model and the Ideal Cipher Model are Equivalent
The Random Oracle Model and the Ideal Cipher Model are Equivalent Jean-ébastien Coron 1, Jacques Patarin 2, and Yannick eurin 2,3 (1) Univ. Luxembourg, (2) Univ. Versailles, (3)Orange Labs éminaire EN
More informationA Tweak for a PRF Mode of a Compression Function and Its Applications
A Tweak for a PRF Mode of a Compression Function and Its Applications Shoichi Hirose 1 and Atsushi Yabumoto 2 1 Faculty of Engineering, University of Fukui, Japan hrs shch@u-fukui.ac.jp 2 Graduate School
More informationFrom Unpredictability to Indistinguishability: A Simple. Construction of Pseudo-Random Functions from MACs. Preliminary Version.
From Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs Preliminary Version Moni Naor Omer Reingold y Abstract This paper studies the relationship between
More informationOn the Round Security of Symmetric-Key Cryptographic Primitives
On the Round Security of Symmetric-Key Cryptographic Primitives Zulfikar Ramzan Leonid Reyzin. November 30, 000 Abstract We put forward a new model for understanding the security of symmetric-key primitives,
More informationMESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1
MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified
More informationForgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions
Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions Scott Contini 1 and Yiqun Lisa Yin 2 1 Macquarie University, Centre for Advanced Computing ACAC, NSW 2109, Australia scontini@comp.mq.edu.au
More informationTweakable Block Ciphers
Tweakable Block Ciphers Moses Liskov 1, Ronald L. Rivest 1, and David Wagner 2 1 Laboratory for Computer Science Massachusetts Institute of Technology Cambridge, MA 02139, USA mliskov@theory.lcs.mit.edu,
More informationNew Proofs for NMAC and HMAC: Security without Collision-Resistance
New Proofs for NMAC and HMAC: Security without Collision-Resistance Mihir Bellare Dept. of Computer Science & Engineering 0404, University of California San Diego 9500 Gilman Drive, La Jolla, CA 92093-0404,
More informationTweakable Enciphering Schemes From Stream Ciphers With IV
Tweakable Enciphering Schemes From Stream Ciphers With IV Palash Sarkar Applied Statistics Unit Indian Statistical Institute 03, B.T. Road, Kolkata India 700108. email: palash@isical.ac.in Abstract. We
More informationBreaking Symmetric Cryptosystems Using Quantum Algorithms
Breaking Symmetric Cryptosystems Using Quantum Algorithms Gaëtan Leurent Joined work with: Marc Kaplan Anthony Leverrier María Naya-Plasencia Inria, France FOQUS Workshop Gaëtan Leurent (Inria) Breaking
More informationA New Mode of Encryption Providing A Tweakable Strong Pseudo-Random Permutation
A New Mode of Encryption Providing A Tweakable Strong Pseudo-Random Permutation Debrup Chakraborty and Palash Sarkar Computer Science Department, CINVESTAV-IPN Av. IPN No. 2508 Col. San Pedro Zacatenco
More informationCryptanalysis on HMAC/NMAC-MD5 and MD5-MAC
Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC Xiaoyun Wang 1,2, Hongbo Yu 1, Wei Wang 2, Haina Zhang 2, and Tao Zhan 3 1 Center for Advanced Study, Tsinghua University, Beijing 100084, China {xiaoyunwang,
More informationAn Introduction to Authenticated Encryption. Palash Sarkar
An Introduction to Authenticated Encryption Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata palash@isical.ac.in 20 September 2016 Presented at the Workshop on Authenticated
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,
More informationImpact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs
Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC 9797 1:2011 MACs Tetsu Iwata, Nagoya University Lei Wang, Nanyang Technological University FSE 2014 March 4, 2014, London, UK 1 Overview ANSI X9.24
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationIntegrity Analysis of Authenticated Encryption Based on Stream Ciphers
Integrity Analysis of Authenticated Encryption Based on Stream Ciphers Kazuya Imamura 1, Kazuhiko Minematsu 2, and Tetsu Iwata 3 1 Nagoya University, Japan, k_imamur@echo.nuee.nagoya-u.ac.jp 2 NEC Corporation,
More informationCryptanalysis of a Message Authentication Code due to Cary and Venkatesan
Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,
More informationA Domain Extender for the Ideal Cipher
A Domain Extender for the Ideal Cipher Jean-Sébastien Coron 2, Yevgeniy Dodis 1, Avradip Mandal 2, and Yannick Seurin 3,4 1 New York University 2 University of Luxembourg 3 University of Versailles 4 Orange
More informationSimple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)
Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Henry Ng Henry.Ng.a@gmail.com Abstract. A new cryptographic pseudorandom number generator Cilia is presented. It hashes
More informationA Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications
An extended abstract of this paper appears in Advances in Cryptology EUROCRYPT 03, Lecture Notes in Computer Science Vol.??, E. Biham ed., Springer-Verlag, 2003. This is the full version. A Theoretical
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls
ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls Ritam Bhaumik, Indian Statistical Institute, Kolkata Eik List, Bauhaus-Universität Weimar, Weimar Mridul Nandi,
More informationEx1 Ex2 Ex3 Ex4 Ex5 Ex6
Technische Universität München (I7) Winter 2012/13 Dr. M. Luttenberger / M. Schlund Cryptography Endterm Last name: First name: Student ID no.: Signature: If you feel ill, let us know immediately. Please,
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationEfficient Message Authentication Codes with Combinatorial Group Testing
Efficient Message Authentication Codes with Combinatorial Group Testing Kazuhiko Minematsu (NEC Corporation) The paper was presented at ESORICS 2015, September 23-25, Vienna, Austria ASK 2015, October
More informationENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions
ENEE 457: Computer Systems Security 09/19/16 Lecture 6 Message Authentication Codes and Hash Functions Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationLecture 10: NMAC, HMAC and Number Theory
CS 6903 Modern Cryptography April 10, 2008 Lecture 10: NMAC, HMAC and Number Theory Instructor: Nitesh Saxena Scribes: Jonathan Voris, Md. Borhan Uddin 1 Recap 1.1 MACs A message authentication code (MAC)
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationQuantum-secure symmetric-key cryptography based on Hidden Shifts
Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering
More informationA Forgery Attack on the Candidate LTE Integrity Algorithm 128-EIA3 (updated version)
A Forgery Attack on the Candidate LTE Integrity Algorithm 128-EIA3 (updated version) Thomas Fuhr, Henri Gilbert, Jean-René Reinhard, and Marion Videau ANSSI, France Abstract In this note we show that the
More informationThanks to: University of Illinois at Chicago NSF CCR Alfred P. Sloan Foundation
The Poly1305-AES message-authentication code D. J. Bernstein Thanks to: University of Illinois at Chicago NSF CCR 9983950 Alfred P. Sloan Foundation The AES function ( Rijndael 1998 Daemen Rijmen; 2001
More informationOn Cipher-Dependent Related-Key Attacks in the Ideal-Cipher Model
On Cipher-Dependent Related-Key Attacks in the Ideal-Cipher Model M.R. Albrecht 1, P. Farshim 2, K.G. Paterson 2, and G.J. Watson 3 1 SALSA Project -INRIA, UPMC, Univ Paris 06 malb@lip6.fr 2 Information
More informationEncrypt or Decrypt? To Make a Single-Key Beyond Birthday Secure Nonce-Based MAC
Encrypt or Decrypt? To Make a Single-Key Beyond Birthday Secure Nonce-Based MAC Nilanjan Datta 1, Avijit Dutta 2, Mridul Nandi 2 and Kan Yasuda 3 1 Indian Institute of Technology, Kharagpur 2 Indian Statistical
More informationRelated-Key Rectangle Attack on Round-reduced Khudra Block Cipher
Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy
More informationCBC MAC for Real-Time Data Sources. Abstract. The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an
CBC MAC for Real-Time Data Sources Erez Petrank Charles Racko y Abstract The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an authentication method which is widely used in practice.
More informationCSA E0 235: Cryptography (19 Mar 2015) CBC-MAC
CSA E0 235: Cryptography (19 Mar 2015) Instructor: Arpita Patra CBC-MAC Submitted by: Bharath Kumar, KS Tanwar 1 Overview In this lecture, we will explore Cipher Block Chaining - Message Authentication
More informationMRD Hashing. School of IT and CS, University of Wollongong, Northfields Ave Wollongong 2522, Australia [rei, shahram,
MRD Hashing Rei Safavi-Naini, Shahram Bakhtiari, and Chris Charnes School of IT and CS, University of Wollongong, Northfields Ave Wollongong 2522, Australia [rei, shahram, charnes]@uow.edu.au Abstract.
More informationTight Security Analysis of EHtM MAC
Tight Security Analysis of EHtM MAC Avijit Dutta, Ashwin Jha and Mridul Nandi Applied Statistics Unit, Indian Statistical Institute, Kolkata. avirocks.dutta13@gmail.com,ashwin.jha1991@gmail.com,mridul.nandi@gmail.com
More informationAES-VCM, AN AES-GCM CONSTRUCTION USING AN INTEGER-BASED UNIVERSAL HASH FUNCTION.
AES-VCM, AN AES-GCM CONSTRUCTION USING AN INTEGER-BASED UNIVERSAL HASH FUNCTION. ED KNAPP Abstract. We give a framework for construction and composition of universal hash functions. Using this framework,
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationIntroduction to Cryptography
B504 / I538: Introduction to Cryptography Spring 2017 Lecture 12 Recall: MAC existential forgery game 1 n Challenger (C) k Gen(1 n ) Forger (A) 1 n m 1 m 1 M {m} t 1 MAC k (m 1 ) t 1 m 2 m 2 M {m} t 2
More informationSPCS Cryptography Homework 13
1 1.1 PRP For this homework, use the ollowing PRP: E(k, m) : {0, 1} 3 {0, 1} 3 {0, 1} 3 000 001 010 011 100 101 110 111 m 000 011 001 111 010 000 101 110 100 001 101 110 010 000 111 100 001 011 010 001
More informationChapter 5. Hash Functions. 5.1 The hash function SHA1
Chapter 5 Hash Functions A hash function usually means a function that compresses, meaning the output is shorter than the input. Often, such a function takes an input of arbitrary or almost arbitrary length
More informationPolynomial evaluation and message authentication
Contemporary Mathematics Polynomial evaluation and message authentication Daniel J. Bernstein Abstract. The cryptographic literature contains many provably secure highspeed authenticators. Some authenticators
More informationLecture 10: NMAC, HMAC and Number Theory
CS 6903 Modern Cryptography April 13, 2011 Lecture 10: NMAC, HMAC and Number Theory Instructor: Nitesh Saxena Scribes: Anand Desai,Manav Singh Dahiya,Amol Bhavekar 1 Recap 1.1 MACs A Message Authentication
More informationMILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers
MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers Ling Sun 1, Wei Wang 1, Meiqin Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security,
More informationImproved security analysis of OMAC
Improved security analysis of OMAC Mridul andi CIVESTAV-IP, Mexico City mridul.nandi@gmail.com Abstract. We present an improved security analysis of OMAC, the construction is widely used as a candidate
More informationThe Indistinguishability of the XOR of k permutations
The Indistinguishability of the XOR of k permutations Benoit Cogliati, Rodolphe Lampe, Jacques Patarin University of Versailles, France Abstract. Given k independent pseudorandom permutations f 1,...,
More informationStronger Security Variants of GCM-SIV
Stronger Security Variants of GCM-SIV Tetsu Iwata 1 Kazuhiko Minematsu 2 FSE 2017 Tokyo, Japan March 8 2017 Nagoya University, Japan NEC Corporation, Japan Supported in part by JSPS KAKENHI, Grant-in-Aid
More informationTweak-Length Extension for Tweakable Blockciphers
Tweak-Length Extension for Tweakable Blockciphers Kazuhiko Minematsu 1 and Tetsu Iwata 2 1 NEC Corporation, Japan, k-minematsu@ah.jp.nec.com 2 Nagoya University, Japan, iwata@cse.nagoya-u.ac.jp Abstract.
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, Phong Q. Nguyen École Normale Supérieure Département d Informatique, 45 rue d Ulm, 75230 Paris Cedex 05, France
More informationNew Birthday Attacks on Some MACs Based on Block Ciphers
New Birthday Attacks on Some MACs Based on Block Ciphers Zheng Yuan 1,2,,WeiWang 3, Keting Jia 3, Guangwu Xu 4, and Xiaoyun Wang 1,3, 1 Institute for Advanced Study, Tsinghua University, Beijing 100084,
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #4 Sep 2 nd 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list Quiz #1 will be on Thursday, Sep 9 th
More informationBlockcipher-based MACs: Beyond the Birthday Bound without Message Length
Blockcipher-based MACs: Beyond the Birthday Bound without Message Length Yusuke Naito Mitsubishi Electric Corporation, Kanagawa, Japan Naito.Yusuke@ce.MitsubishiElectric.co.jp Abstract. We present blockcipher-based
More informationImproved Generic Attacks Against Hash-based MACs and HAIFA
Improved Generic Attacks Against Hash-based MACs and HAIFA Itai Dinur 1 and Gaëtan Leurent 2 1 Département d Informatique, École Normale Supérieure, Paris, France Itai.Dinur@ens.fr 2 Inria, EPI SECRET,
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationSiwei Sun, Lei Hu, Peng Wang, Kexin Qiao, Xiaoshuang Ma, Ling Song
Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-oriented Block Ciphers Siwei Sun, Lei Hu, Peng Wang, Kexin
More informationMessage Authentication. Adam O Neill Based on
Message Authentication Adam O Neill Based on http://cseweb.ucsd.edu/~mihir/cse207/ Authenticity and Integrity - Message actually comes from. claimed Sender - Message was not modified in transit ' Electronic
More informationSecurity Analysis of an Identity-Based Strongly Unforgeable Signature Scheme
Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme Kwangsu Lee Dong Hoon Lee Abstract Identity-based signature (IBS) is a specific type of public-key signature (PKS) where any
More informationProvably Secure MACs From Differentially-uniform Permutations and AES-based Implementations
Provably Secure MACs From Differentially-uniform Permutations and AES-based Implementations azuhiko Minematsu 1 and Yukiyasu Tsunoo 1 NEC Corporation, 1753 Shimonumabe, Nakahara-u, awasaki 11-8666, Japan
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2009-2010 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th 2009 1 / 60 Last Time (I) Security
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationGeneral Distinguishing Attacks on NMAC and HMAC with Birthday Attack Complexity
General Distinguishing Attacks on MAC and HMAC with Birthday Attack Complexity Donghoon Chang 1 and Mridul andi 2 1 Center or Inormation Security Technologies(CIST), Korea University, Korea dhchang@cist.korea.ac.kr
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationExact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions
Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions Avijit Dutta, Ashwin Jha and Mridul Nandi Applied Statistics Unit, Indian Statistical Institute, Kolkata. avirocks.dutta13@gmail.com,
More informationPreimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function
Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function Gaoli Wang 1 and Yanzhao Shen 1 1 School of Computer Science and Technology, Donghua University, Shanghai 201620, China wanggaoli@dhu.edu.cn,
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Author manuscript, published in "Advances in Cryptology - CRYPTO 2007, 27th Annual International Cryptology Conference 4622 (2007) 13-30" DOI : 10.1007/978-3-540-74143-5_2 Full Key-Recovery Attacks on
More informationAdaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications
Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications Donghoon Chang 1 and Moti Yung 2 1 The Computer Security Division, National Institute of Standards and Technology,
More informationOn Fast and Provably Secure Message Authentication Based on. Universal Hashing. Victor Shoup. December 4, 1996.
On Fast and Provably Secure Message Authentication Based on Universal Hashing Victor Shoup Bellcore, 445 South St., Morristown, NJ 07960 shoup@bellcore.com December 4, 1996 Abstract There are well-known
More informationSOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies
SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by
More informationAuthenticated Encryption Mode for Beyond the Birthday Bound Security
Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata Nagoya University iwata@cse.nagoya-u.ac.jp Africacrypt 2008, Casablanca, Morocco June 11, 2008 Blockcipher plaintext M key
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationMessage Authentication Codes (MACs) and Hashes
Message Authentication Codes (MACs) and Hashes David Brumley dbrumley@cmu.edu Carnegie Mellon University Credits: Many slides from Dan Boneh s June 2012 Coursera crypto class, which is awesome! Recap so
More informationPractical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function
Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function Itai Dinur 1, Pawe l Morawiecki 2,3, Josef Pieprzyk 4 Marian Srebrny 2,3, and Micha l Straus 3 1 Computer Science Department, École
More informationLinear Analysis of Reduced-Round CubeHash
Linear Analysis of Reduced-Round CubeHash Tomer Ashur and Orr Dunkelman, Faculty of Mathematics and Computer Science Weizmann Institute of Science P.O. Box, Rehovot 00, Israel tomerashur@gmail.com Computer
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationDistinguishers for the Compression Function and Output Transformation of Hamsi-256
Distinguishers for the Compression Function and Output Transformation of Hamsi-256 Jean-Philippe Aumasson Emilia Käsper Lars Ramkilde Knudsen Krystian Matusiewicz Rune Ødegård Thomas Peyrin Martin Schläffer
More informationA Modular Framework for Building Variable-Input-Length Tweakable Ciphers
A Modular Framework for Building Variable-Input-Length Tweakable Ciphers Thomas Shrimpton and R. Seth Terashima Dept. of Computer Science, Portland State University {teshrim,seth}@cs.pdx.edu Abstract.
More informationNew combinatorial bounds for universal hash functions
New combinatorial bounds for universal hash functions L. H. Nguyen and A. W. Roscoe Oxford University Computing Laboratory Email: {Long.Nguyen,Bill.Roscoe}@comlab.ox.ac.uk Abstract Using combinatorial
More information