# Stronger Security Bounds for OMAC, TMAC and XCBC


Tetsu Iwata and Kaoru Kurosawa
Department of Computer and Information Sciences, Ibaraki University, Nakanarusawa, Hitachi, Ibaraki, Japan
{iwata, …}

April 30, 2003

**Abstract.** OMAC, TMAC and XCBC are CBC-type MAC schemes which are provably secure for arbitrary message length. In this paper, we present a tighter upper bound on $\mathrm{Adv}^{\mathrm{mac}}$ for each scheme, where $\mathrm{Adv}^{\mathrm{mac}}$ denotes the maximum success (forgery) probability of adversaries. Our bounds are expressed in terms of the total length of all queries of an adversary to the MAC generation oracle, while the previous bounds are expressed in terms of the maximum length of each query. In particular, a significant improvement occurs if the lengths of the queries are heavily unbalanced.

**Key words:** OMAC, TMAC, XCBC, modes of operation, block cipher, provable security.

## Contents

1. Introduction: 1.1 Background; 1.2 Our Contribution; 1.3 Our Collision Bound
2. Preliminaries: 2.1 Notation; 2.2 CBC MAC; 2.3 XCBC, TMAC and OMAC (2.3.1 XCBC; 2.3.2 TMAC-family and TMAC; 2.3.3 OMAC-family, OMAC1 and OMAC2)
3. Stronger Security Bounds: 3.1 Definitions of Security; 3.2 Theorem Statements
4. Proof for OMAC-family: 4.1 $Q_1,\ldots,Q_6$ and MOMAC [8]; 4.2 MOMAC is Pseudorandom; 4.3 From MOMAC to OMAC-family; 4.4 Proof of Main Lemma for OMAC-family
5. Proof for TMAC-family: 5.1 $Q_1,Q_2,Q_3$ [9] and FCBC [3]; 5.2 FCBC is Pseudorandom; 5.3 From FCBC to TMAC-family; 5.4 Proof of Main Lemma for TMAC-family
6. Proof for XCBC: 6.1 $Q_1,Q_2,Q_3$; 6.2 From FCBC to XCBC; 6.3 Proof of Main Lemma for XCBC

References

A. The Field with $2^n$ Points

## 1 Introduction

### 1.1 Background

The CBC MAC [5, 7] is a well-known method to generate a message authentication code (MAC) based on a block cipher $E$. We denote the CBC MAC value of a message $M$ by $\mathrm{CBC}_K(M)$, where $K$ is the key of $E$. While Bellare, Kilian and Rogaway proved that the CBC MAC is secure for fixed-length messages [1], it is not secure for variable-length messages. Therefore, several variants of the CBC MAC have been proposed which are provably secure for variable-length messages. They include EMAC, XCBC, TMAC and then OMAC.

EMAC (Encrypted MAC) is obtained by encrypting $\mathrm{CBC}_{K_1}(M)$ by $E$ again with a new key $K_2$ [2]. That is, $\mathrm{EMAC}_{K_1,K_2}(M) = E_{K_2}(\mathrm{CBC}_{K_1}(M))$. Petrank and Rackoff proved that EMAC is secure if the message length is a multiple of $n$, where $n$ is the block length of $E$ [12]. For arbitrary-length messages, we can simply append the minimal $10^i$ to a message $M$ so that the length becomes a multiple of $n$. In this method, however, we must append an entire extra block $10^{n-1}$ if the size of the message is already a multiple of $n$. This wastes one block cipher invocation.

Black and Rogaway next proposed XCBC to solve the above problem [3]. XCBC takes three keys: $K_1$ for $E$, and $K_2$ and $K_3$. In XCBC, we do not append $10^{n-1}$ if the size of the message is already a multiple of $n$; only if this is not the case do we append the minimal $10^i$. In order to distinguish the two cases, $K_2$ or $K_3$ is XORed before encrypting the last block. XCBC is described as follows (see Fig. 1). If $|M| = mn$ for some $m > 0$, then XCBC computes exactly the same as the CBC MAC, except for XORing an $n$-bit key $K_2$ before encrypting the last block. Otherwise, $10^i$ padding ($i = n - |M| - 1 \bmod n$) is appended to $M$ and XCBC computes exactly the same as the CBC MAC for the padded message, except for XORing another $n$-bit key $K_3$ before encrypting the last block.

Fig. 1. Illustration of XCBC. Left: $M = M[1]\,M[2]\,M[3]$ with $|M[3]| = n$; the last block is XORed with $K_2$. Right: $M[3]$ is padded with $10^i$ and the last block is XORed with $K_3$. Every block is encrypted with $E_{K_1}$.

Kurosawa and Iwata then proposed TMAC, which requires two keys, $K_1$ and $K_2$ [9]. TMAC is obtained from XCBC by replacing $(K_2, K_3)$ with $(K_2 \cdot u, K_2)$, where $u$ is some non-zero constant and $\cdot$ denotes multiplication in $\mathrm{GF}(2^n)$. Finally, Iwata and Kurosawa proposed OMAC, which requires only one key $K$ of the block cipher $E$ [8]. OMAC is a generic name for OMAC1 and OMAC2. Let $L = E_K(0^n)$. Then

Table 3. Security bounds of XCBC, TMAC and OMAC obtained in this paper.

| Name | Security bound |
|---|---|
| XCBC | $\mathrm{Adv}^{\mathrm{mac}}_{\mathrm{XCBC}}(t,q,\sigma) \le \dfrac{3\sigma^2+1}{2^n} + \mathrm{Adv}^{\mathrm{prp}}_E(t',q')$, where $t' = t + O(\sigma)$ and $q' = \sigma$. |
| TMAC | $\mathrm{Adv}^{\mathrm{mac}}_{\mathrm{TMAC}}(t,q,\sigma) \le \dfrac{3\sigma^2+1}{2^n} + \mathrm{Adv}^{\mathrm{prp}}_E(t',q')$, where $t' = t + O(\sigma)$ and $q' = \sigma$. |
| OMAC | $\mathrm{Adv}^{\mathrm{mac}}_{\mathrm{OMAC}}(t,q,\sigma) \le \dfrac{4\sigma^2+1}{2^n} + \mathrm{Adv}^{\mathrm{prp}}_E(t',q')$, where $t' = t + O(\sigma)$ and $q' = \sigma + 1$. |

A significant improvement occurs if all queries are very short (say, 1 block) except for one very long query ($m$ blocks). For example, suppose that $n = 64$ (for example, Triple DES [4]), $m = 2^{16}$ and $q = \ldots$. It is easy to see that $\sigma = \ldots = 2^{17}$. In this case, our bounds shown in Table 3 are still meaningful, while the previous bounds shown in Table 2 are useless because they become larger than one.

### 1.3 Our Collision Bound

To show our security bounds, we derive upper bounds on some collision probabilities. For $q$ distinct messages $M^{(1)},\ldots,M^{(q)}$ such that each $|M^{(i)}|$ is a multiple of $n$, let $\sigma = |M^{(1)}|_n + \cdots + |M^{(q)}|_n$ be the total number of blocks. For XCBC and TMAC, we consider a collision such that $\mathrm{CBC}_P(M^{(i)}) = \mathrm{CBC}_P(M^{(j)})$ for some $i \ne j$, where $\mathrm{CBC}_P$ denotes the CBC MAC with a randomly chosen permutation $P$ as the underlying block cipher $E$. We then prove that

$$\Pr\bigl(\exists\, 1 \le i < j \le q:\ \mathrm{CBC}_P(M^{(i)}) = \mathrm{CBC}_P(M^{(j)})\bigr) \le \frac{\sigma^2}{2^n}$$

for any $M^{(1)},\ldots,M^{(q)}$. It is formally stated in Lemma 5.2 and proved in Sec. 5.2.

For OMAC, we consider MOMAC-E, a variant of the CBC MAC, as follows. Let a message be $M = M[1]\,M[2]\cdots M[m]$, where $|M[1]| = |M[2]| = \cdots = |M[m]| = n$ and $m \ge 2$. Let $P_1$ and $P_2$ be two independent randomly chosen permutations. Then

1. Let $Y[1] = P_1(M[1])$.
2. For $i = 2,\ldots,m-1$, compute $Y[i] = P_2(M[i] \oplus Y[i-1])$.
3. Finally define $\mathrm{MOMAC\text{-}E}_{P_1,P_2}(M) = M[m] \oplus Y[m-1]$.

We show that

$$\Pr\bigl(\exists\, 1 \le i < j \le q:\ \mathrm{MOMAC\text{-}E}_{P_1,P_2}(M^{(i)}) = \mathrm{MOMAC\text{-}E}_{P_1,P_2}(M^{(j)})\bigr) \le \frac{(\sigma-q)^2}{2^n}.$$

It is formally stated in Lemma 4.2 and proved in Sec. 4.2.

## 2 Preliminaries

### 2.1 Notation

For a set $A$, $x \xleftarrow{R} A$ means that $x$ is chosen from $A$ uniformly at random. If $a, b \in \{0,1\}^*$ are equal-length strings then $a \oplus b$ is their bitwise XOR. If $a, b \in \{0,1\}^*$ are strings then $a \circ b$ denotes their concatenation. For simplicity, we sometimes write $ab$ for $a \circ b$ if there is no confusion. For an $n$-bit string $a = a_{n-1} \cdots a_1 a_0 \in \{0,1\}^n$, let $a \ll 1 = a_{n-2} \cdots a_1 a_0\, 0$ denote the $n$-bit string which is a left shift of $a$ by 1 bit, while $a \gg 1 = 0\, a_{n-1} \cdots a_2 a_1$ denotes the $n$-bit string which is a right shift of $a$ by 1 bit. If $a \in \{0,1\}^*$ is a string then $|a|$ denotes its length in bits. For any bit string $a \in \{0,1\}^*$ such that $|a| \le n$, we let

$$\mathrm{pad}_n(a) = \begin{cases} a\,10^{n-|a|-1} & \text{if } |a| < n, \\ a & \text{if } |a| = n. \end{cases} \qquad (1)$$

Define $|a|_n = \max\{1, \lceil |a|/n \rceil\}$, where the empty string counts as one block. In pseudocode, we write "Partition $M$ into $M[1] \cdots M[m]$" as shorthand for "Let $m = |M|_n$, and let $M[1],\ldots,M[m]$ be bit strings such that $M[1] \cdots M[m] = M$ and $|M[i]| = n$ for $1 \le i < m$."

### 2.2 CBC MAC

A block cipher $E$ is a function $E : \mathcal{K}_E \times \{0,1\}^n \to \{0,1\}^n$, where $\mathcal{K}_E$ is the set of keys and $E(K,\cdot) = E_K(\cdot)$ is a permutation on $\{0,1\}^n$. $n$ is called the block length of $E$. The CBC MAC [5, 7] is the simplest and most well-known MAC scheme based on block ciphers. For a message $M = M[1]\,M[2]\cdots M[m]$ such that $|M[1]| = |M[2]| = \cdots = |M[m]| = n$, let $Y[0] = 0^n$ and $Y[i] = E_K(M[i] \oplus Y[i-1])$ for $i = 1,\ldots,m$. Then the CBC MAC of $M$ under key $K$ is defined as $\mathrm{CBC}_K(M) = Y[m]$. Bellare, Kilian and Rogaway proved that the CBC MAC is secure for fixed-length messages [1]. However, it is well known that the CBC MAC is not secure for variable-length messages.

### 2.3 XCBC, TMAC and OMAC

XCBC, TMAC and OMAC are CBC-type MAC schemes which are provably secure for arbitrary message length. Each scheme takes a message $M \in \{0,1\}^*$ and produces a tag in $\{0,1\}^n$. Each scheme is defined by using a block cipher $E : \mathcal{K}_E \times \{0,1\}^n \to \{0,1\}^n$.

```
Algorithm XCBC_{K1,K2,K3}(M)
  Y[0] ← 0^n
  Partition M into M[1] ··· M[m]
  for i ← 1 to m−1 do
    X[i] ← M[i] ⊕ Y[i−1]
    Y[i] ← E_{K1}(X[i])
  X[m] ← pad_n(M[m]) ⊕ Y[m−1]
  if |M[m]| = n then X[m] ← X[m] ⊕ K2
  else X[m] ← X[m] ⊕ K3
  T ← E_{K1}(X[m])
  return T
```

Fig. 2. Definition of XCBC.

#### 2.3.1 XCBC

XCBC takes three keys $(K_1, K_2, K_3) \in \mathcal{K}_E \times \{0,1\}^n \times \{0,1\}^n$. The algorithm of XCBC is described in Fig. 2 and illustrated in Fig. 1, where $\mathrm{pad}_n(\cdot)$ is defined in (1).

#### 2.3.2 TMAC-family and TMAC

TMAC takes two keys $(K_1, K_2) \in \mathcal{K}_E \times \{0,1\}^n$. In general, TMAC-family is defined by not only a block cipher $E$ but also (1) a universal hash function $H : \mathcal{K}_H \times X \to \{0,1\}^n$, where $\mathcal{K}_H$ is the set of keys and $X$ is the domain, and (2) two distinct constants $\mathrm{Cst}_1, \mathrm{Cst}_2 \in X$. They must satisfy the following three conditions for sufficiently small $\epsilon_1, \epsilon_2, \epsilon_3$. (We write $H_K(\cdot)$ for $H(K,\cdot)$.)

1. $\forall y \in \{0,1\}^n$, $\#\{K \in \mathcal{K}_H \mid H_K(\mathrm{Cst}_1) = y\} \le \epsilon_1 \#\mathcal{K}_H$
2. $\forall y \in \{0,1\}^n$, $\#\{K \in \mathcal{K}_H \mid H_K(\mathrm{Cst}_2) = y\} \le \epsilon_2 \#\mathcal{K}_H$
3. $\forall y \in \{0,1\}^n$, $\#\{K \in \mathcal{K}_H \mid H_K(\mathrm{Cst}_1) \oplus H_K(\mathrm{Cst}_2) = y\} \le \epsilon_3 \#\mathcal{K}_H$

The algorithm of TMAC-family is described in Fig. 3 and illustrated in Fig. 4. TMAC is obtained by letting $\mathcal{K}_H = \{0,1\}^n$, $H_K(x) = K \cdot x$, $\mathrm{Cst}_1 = u$ and $\mathrm{Cst}_2 = 1$, where $\cdot$ denotes multiplication over $\mathrm{GF}(2^n)$ (see Appendix A for details). Equivalently, TMAC is obtained by letting $H_K(\mathrm{Cst}_1) = K \cdot u$ and $H_K(\mathrm{Cst}_2) = K$. The above three conditions are satisfied with $\epsilon_1 = \epsilon_2 = \epsilon_3 = 2^{-n}$.

```
Algorithm TMAC-family_{K1,K}(M)
  Y[0] ← 0^n
  Partition M into M[1] ··· M[m]
  for i ← 1 to m−1 do
    X[i] ← M[i] ⊕ Y[i−1]
    Y[i] ← E_{K1}(X[i])
  X[m] ← pad_n(M[m]) ⊕ Y[m−1]
  if |M[m]| = n then X[m] ← X[m] ⊕ H_K(Cst_1)
  else X[m] ← X[m] ⊕ H_K(Cst_2)
  T ← E_{K1}(X[m])
  return T
```

Fig. 3. Definition of TMAC-family.

Fig. 4. Illustration of TMAC-family. Left: $M = M[1]\,M[2]\,M[3]$ with $|M[3]| = n$; the last block is XORed with $H_K(\mathrm{Cst}_1)$. Right: $M[3]$ is padded with $10^i$ and the last block is XORed with $H_K(\mathrm{Cst}_2)$. Every block is encrypted with $E_{K_1}$.

#### 2.3.3 OMAC-family, OMAC1 and OMAC2

OMAC is a generic name for OMAC1 and OMAC2, where OMAC1 and OMAC2 take just one key $K \in \mathcal{K}_E$. In general, OMAC-family is defined by not only a block cipher $E$ but also (1) a universal hash function $H : \{0,1\}^n \times X \to \{0,1\}^n$, where $X$ is the domain, (2) two distinct constants $\mathrm{Cst}_1, \mathrm{Cst}_2 \in X$ and (3) an arbitrary $n$-bit constant $\mathrm{Cst} \in \{0,1\}^n$. (The set of keys of $H$ is $\{0,1\}^n$.) They must satisfy the following six conditions for sufficiently small $\epsilon_1, \epsilon_2, \ldots, \epsilon_6$.

1. $\forall y \in \{0,1\}^n$, $\#\{L \in \{0,1\}^n \mid H_L(\mathrm{Cst}_1) = y\} \le \epsilon_1 2^n$
2. $\forall y \in \{0,1\}^n$, $\#\{L \in \{0,1\}^n \mid H_L(\mathrm{Cst}_2) = y\} \le \epsilon_2 2^n$
3. $\forall y \in \{0,1\}^n$, $\#\{L \in \{0,1\}^n \mid H_L(\mathrm{Cst}_1) \oplus H_L(\mathrm{Cst}_2) = y\} \le \epsilon_3 2^n$
4. $\forall y \in \{0,1\}^n$, $\#\{L \in \{0,1\}^n \mid H_L(\mathrm{Cst}_1) \oplus L = y\} \le \epsilon_4 2^n$
5. $\forall y \in \{0,1\}^n$, $\#\{L \in \{0,1\}^n \mid H_L(\mathrm{Cst}_2) \oplus L = y\} \le \epsilon_5 2^n$
6. $\forall y \in \{0,1\}^n$, $\#\{L \in \{0,1\}^n \mid H_L(\mathrm{Cst}_1) \oplus H_L(\mathrm{Cst}_2) \oplus L = y\} \le \epsilon_6 2^n$

The algorithm of OMAC-family is described in Fig. 5 and illustrated in Fig. 6. OMAC1 is obtained by letting $\mathrm{Cst} = 0^n$, $H_L(x) = L \cdot x$, $\mathrm{Cst}_1 = u$ and $\mathrm{Cst}_2 = u^2$, where $\cdot$ denotes multiplication over $\mathrm{GF}(2^n)$. Equivalently, OMAC1 is obtained by letting $L = E_K(0^n)$, $H_L(\mathrm{Cst}_1) = L \cdot u$ and $H_L(\mathrm{Cst}_2) = L \cdot u^2$. OMAC2 is the same as OMAC1 except for $\mathrm{Cst}_2 = u^{-1}$. Equivalently, OMAC2 is obtained by letting $L = E_K(0^n)$, $H_L(\mathrm{Cst}_1) = L \cdot u$ and $H_L(\mathrm{Cst}_2) = L \cdot u^{-1}$. The above six conditions are satisfied with $\epsilon_1 = \cdots = \epsilon_6 = 2^{-n}$ for both OMAC1 and OMAC2.
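XCBC, TMAC-family and OMAC-family share one skeleton: CBC chaining over $M[1],\ldots,M[m-1]$, then the padded last block is XORed with the chaining value and with a mask chosen by whether $|M[m]| = n$, and encrypted once more. The Python below is an added example, not code from the paper: it implements that skeleton once and instantiates XCBC, TMAC, OMAC1 and OMAC2 over any block cipher passed in as a `bytes -> bytes` function. The 128-bit Feistel cipher built from HMAC-SHA256 (in the spirit of Luby–Rackoff [11]), the byte-aligned `pad_n`, and all function names are this example's assumptions; the $\mathrm{GF}(2^n)$ doubling uses the polynomials listed in Appendix A, so swapping in AES-128 for `E` gives the OMAC1 construction on its real block size.

```python
"""XCBC, TMAC, OMAC1 and OMAC2 (Figs. 2, 3 and 5) over a generic block cipher.

Added example, not the paper's code.  E is any permutation of {0,1}^n given as a
bytes -> bytes function; here a 4-round Feistel network with an HMAC-SHA256 round
function stands in for a real block cipher so the file runs without extra libraries.
"""
import hashlib
import hmac
from typing import Callable, List

Block = Callable[[bytes], bytes]

# Low-order terms of f(u) = u^n + ... from Appendix A: n=64: u^4+u^3+u+1, n=128: u^7+u^2+u+1,
# n=256: u^10+u^5+u^2+1.
POLY_LOW = {64: 0x1B, 128: 0x87, 256: 0x425}


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def times_u(a: bytes) -> bytes:
    """a . u in GF(2^n): shift left one bit, reduce by f(u) when the top bit falls off."""
    n = 8 * len(a)
    x = int.from_bytes(a, "big") << 1
    if x >> n:
        x ^= (1 << n) | POLY_LOW[n]
    return x.to_bytes(len(a), "big")


def times_u_inv(a: bytes) -> bytes:
    """a . u^{-1} in GF(2^n): if a_0 = 1 add f(u) (kills the constant term), then shift right."""
    n = 8 * len(a)
    x = int.from_bytes(a, "big")
    if x & 1:
        x ^= (1 << n) | POLY_LOW[n]
    return (x >> 1).to_bytes(len(a), "big")


def pad_n(a: bytes, nb: int) -> bytes:
    """pad_n of eq. (1) for byte-aligned a: a 1 0...0 unless |a| = n already (assumption: whole bytes)."""
    if len(a) == nb:
        return a
    return a + b"\x80" + bytes(nb - len(a) - 1)


def partition(M: bytes, nb: int) -> List[bytes]:
    """'Partition M into M[1]...M[m]': |M|_n = max(1, ceil(|M|/n)) blocks; the last may be short or empty."""
    m = max(1, -(-len(M) // nb))
    return [M[i * nb:(i + 1) * nb] for i in range(m)]


def cbc_type_mac(E: Block, M: bytes, mask_full: bytes, mask_partial: bytes) -> bytes:
    """Common skeleton of Figs. 2, 3 and 5."""
    nb = len(mask_full)
    blocks = partition(M, nb)
    Y = bytes(nb)                                  # Y[0] = 0^n
    for blk in blocks[:-1]:
        Y = E(xor(blk, Y))                         # Y[i] = E(M[i] xor Y[i-1])
    last = blocks[-1]
    X = xor(pad_n(last, nb), Y)                    # X[m] = pad_n(M[m]) xor Y[m-1]
    mask = mask_full if len(last) == nb else mask_partial
    return E(xor(X, mask))


def cbc_mac(E: Block, M: bytes, nb: int) -> bytes:
    """Plain CBC MAC of Sec. 2.2; |M| must be a positive multiple of the block length."""
    if len(M) == 0 or len(M) % nb:
        raise ValueError("CBC MAC is only defined for a positive multiple of n bits")
    Y = bytes(nb)
    for blk in partition(M, nb):
        Y = E(xor(blk, Y))
    return Y


def xcbc(E: Block, K2: bytes, K3: bytes, M: bytes) -> bytes:
    return cbc_type_mac(E, M, K2, K3)


def tmac(E: Block, K2: bytes, M: bytes) -> bytes:
    return cbc_type_mac(E, M, times_u(K2), K2)     # (K2, K3) replaced by (K2.u, K2)


def omac1(E: Block, M: bytes, nb: int = 16) -> bytes:
    L = E(bytes(nb))                               # L = E_K(0^n)
    Lu = times_u(L)
    return cbc_type_mac(E, M, Lu, times_u(Lu))     # masks L.u and L.u^2


def omac2(E: Block, M: bytes, nb: int = 16) -> bytes:
    L = E(bytes(nb))
    return cbc_type_mac(E, M, times_u(L), times_u_inv(L))  # masks L.u and L.u^{-1}


def feistel_prp(key: bytes, rounds: int = 4) -> Block:
    """Stand-in 128-bit block cipher (assumption for this example): balanced Feistel network
    whose round function is HMAC-SHA256 truncated to 8 bytes.  Invertible, hence a permutation."""
    def F(i: int, half: bytes) -> bytes:
        return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

    def E(x: bytes) -> bytes:
        L, R = x[:8], x[8:]
        for i in range(rounds):
            L, R = R, xor(L, F(i, R))
        return L + R
    return E


if __name__ == "__main__":
    E = feistel_prp(b"constructed demo key")
    msg = b"The quick brown fox jumps over the lazy dog"   # 2 full blocks + an 11-byte tail
    print("OMAC1:", omac1(E, msg).hex())
    print("OMAC2:", omac2(E, msg).hex())
    print("TMAC :", tmac(E, b"\x01" * 16, msg).hex())
```

Because the three schemes differ only in the two masks, the code makes the paper's relationships literal: `tmac(E, K2, M)` is `xcbc(E, times_u(K2), K2, M)`, and OMAC1 and OMAC2 agree on every message whose last block is full.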

A proof is given in [8].

Next, we recall MOMAC (Modified OMAC) [8]. It uses six independent random permutations $P_1,\ldots,P_6 \in \mathrm{Perm}(n)$. The algorithm $\mathrm{MOMAC}_{P_1,\ldots,P_6}(\cdot)$ is described in Fig. 7 and illustrated in Fig. 8 and Fig. 9.

```
Algorithm MOMAC_{P1,P2,P3,P4,P5,P6}(M)
  Partition M into M[1] ··· M[m]
  if m ≥ 2 then
    X[1] ← M[1]
    Y[1] ← P1(X[1])
    for i ← 2 to m−1 do
      X[i] ← M[i] ⊕ Y[i−1]
      Y[i] ← P2(X[i])
    X[m] ← pad_n(M[m]) ⊕ Y[m−1]
    if |M[m]| = n then T ← P3(X[m]) else T ← P4(X[m])
  if m = 1 then
    X[m] ← pad_n(M[m])
    if |M[m]| = n then T ← P5(X[m]) else T ← P6(X[m])
  return T
```

Fig. 7. Definition of MOMAC.

Fig. 8. Illustration of MOMAC for $|M| > n$: $M[1]$ through $P_1$, $M[2]$ through $P_2$, and the last block $M[3]$ through $P_3$ (left, $|M[3]| = n$) or $M[3]\,10^i$ through $P_4$ (right).

Fig. 9. Illustration of MOMAC for $|M| \le n$: $M$ through $P_5$ (left, $|M| = n$) or $M\,10^i$ through $P_6$ (right).

### 4.2 MOMAC is Pseudorandom

We prove that MOMAC is pseudorandom (information-theoretic result).

**Lemma 4.1** Let $A$ be an adversary which asks at most $q$ queries, having aggregate length of at most $\sigma$ blocks. Assume $\sigma \le 2^{n/2}$. Then

$$\left|\Pr\bigl(P_1,\ldots,P_6 \xleftarrow{R} \mathrm{Perm}(n) : A^{\mathrm{MOMAC}_{P_1,\ldots,P_6}(\cdot)} = 1\bigr) - \Pr\bigl(R \xleftarrow{R} \mathrm{Rand}(*,n) : A^{R(\cdot)} = 1\bigr)\right| \le \frac{\sigma^2}{2^n}.$$

To prove Lemma 4.1, we first define MOMAC-E (MOMAC without final encryption). It takes a message $M$ such that $|M| = mn$ for some $m \ge 2$. It is obtained from MOMAC by

removing the final encryption; that is, it uses two independent random permutations $P_1, P_2 \in \mathrm{Perm}(n)$. More precisely, the algorithm $\mathrm{MOMAC\text{-}E}_{P_1,P_2}(\cdot)$ is described in Fig. 10.

```
Algorithm MOMAC-E_{P1,P2}(M)
  Partition M into M[1] ··· M[m]
  X[1] ← M[1]
  Y[1] ← P1(X[1])
  for i ← 2 to m−1 do
    X[i] ← M[i] ⊕ Y[i−1]
    Y[i] ← P2(X[i])
  X[m] ← M[m] ⊕ Y[m−1]
  return X[m]
```

Fig. 10. Definition of MOMAC-E. Note that $|M| = mn$ for some $m \ge 2$.

We first show the following lemma.

**Lemma 4.2 (MOMAC-E Collision Bound)** Let $q, m_1,\ldots,m_q$ and $\sigma$ be integers such that $m_i \ge 2$, $\sigma = m_1 + \cdots + m_q$, and $\sigma \le 2^{n/2}$. Let $M^{(1)},\ldots,M^{(q)}$ be fixed and distinct bit strings such that $|M^{(i)}| = m_i n$. Then the probability of collision,

$$\Pr\bigl(P_1,P_2 \xleftarrow{R} \mathrm{Perm}(n) : \exists\, 1 \le i < j \le q,\ \mathrm{MOMAC\text{-}E}_{P_1,P_2}(M^{(i)}) = \mathrm{MOMAC\text{-}E}_{P_1,P_2}(M^{(j)})\bigr),$$

is at most $\dfrac{(\sigma-q)^2}{2^n}$.

*Proof.* We view the computation of $\mathrm{MOMAC\text{-}E}_{P_1,P_2}(M^{(i)})$ as playing the game given in Fig. 11. In Fig. 11, $M^{(i)}[1] \cdots M^{(i)}[m_i]$ is a partition of $M^{(i)}$. We initially set each range point of $P_1$ and $P_2$ as undefined. The notation $\mathrm{Domain}(P_i)$ denotes the set of points $x$ where $P_i(x)$ is no longer undefined. We use $\mathrm{Range}(P_i)$ to denote the set of points $P_i(x)$ which are no longer undefined, and $\overline{\mathrm{Range}}(P_i)$ to denote $\{0,1\}^n \setminus \mathrm{Range}(P_i)$. During the game, the $X^{(i)}[j]$ are the values produced after XORing with the current message block $M^{(i)}[j]$; the $Y^{(i)}[1]$ values are $P_1(X^{(i)}[1])$ and, for $j \ge 2$, the $Y^{(i)}[j]$ values are $P_2(X^{(i)}[j])$. The game has two parts: computation of $X^{(1)}[2],\ldots,X^{(q)}[2]$ (lines 11–23) and computation of $X^{(1)}[m_1],\ldots,X^{(q)}[m_q]$ (lines 31–45). We examine the probability that $P_1$ and $P_2$ cause a collision, which will occur in our game if and only if $X^{(i)}[m_i] = X^{(j)}[m_j]$ for some $1 \le i < j \le q$. This condition will set $bad_1$ or $bad_2$ to true. However, we set $bad_i$ to true in many other cases in order to simplify the analysis.

The idea behind the variable $bad_i$ is as follows: throughout the game (lines 13 and 35), we randomly choose a range value for $P_1$ and $P_2$ at some undefined domain point. Since $P_1$ and $P_2$ have not yet been determined at this point, the choice of our range value will be an independent uniform selection: there is no dependence on any prior choice. If the range value for $P_i$ were already determined by some earlier choice, the analysis would become more involved. We avoid the latter condition by setting $bad_i$ to true whenever such interdependencies are detected. The detection mechanism works as follows: throughout the processing of $M^{(1)},\ldots,M^{(q)}$, we will require $P_1$ to be evaluated at the $q$ domain points $X^{(1)}[1],\ldots,X^{(q)}[1]$ and $P_2$ to be evaluated at the $\sigma - q$ domain points $X^{(1)}[2],\ldots,X^{(1)}[m_1],\ldots,X^{(q)}[2],\ldots,X^{(q)}[m_q]$ (ignoring duplications due to any common prefix of $M^{(1)},\ldots,M^{(q)}$); we can rest assured that we are free to assign their

since $P_2$ has $2^n - (t-1)$ undefined domain points, $\mathrm{BAD}$ has $(l_0 + l_1 + \cdots + l_{t-1})$ points, and $\mathrm{BAD}$ has $l_t$ points. Also, suppose that the game terminates after the $s$-th execution of line 35. Then we have

$$\Pr_{\text{line }35}(bad_2 \leftarrow \mathrm{true}) \le \sum_{1 \le t \le s} V(t) = \sum_{1 \le t \le s} \frac{(l_0 + l_1 + \cdots + l_{t-1})\, l_t}{2^n - (t-1)}.$$

Now we can bound the above by

$$\sum_{1 \le t \le s} \frac{(l_0 + l_1 + \cdots + l_{t-1})\, l_t}{2^n - (t-1)} \le \frac{2}{2^n} \sum_{1 \le t \le s} (l_0 + l_1 + \cdots + l_{t-1})\, l_t \le \frac{(\sigma-q)^2 - l_0^2}{2^n},$$

where the first inequality follows since $s$ is at most $\sigma$, which is at most $2^{n/2}$, and the second inequality follows since $\sigma - q \ge l_0 + l_1 + \cdots + l_s$ and

$$\sum_{1 \le t \le s} (l_0 + l_1 + \cdots + l_{t-1})\, l_t \le \frac{(\sigma-q)^2 - l_0^2 - l_1^2 - \cdots - l_s^2}{2} \le \frac{(\sigma-q)^2 - l_0^2}{2}.$$

**Completing the Proof.** Finally, we obtain the stated bound since

$$\Pr_{\text{line }13}(bad_1 \leftarrow \mathrm{true}) + \Pr_{\text{line }35}(bad_2 \leftarrow \mathrm{true}) \le \frac{l_0^2}{2^n} + \frac{(\sigma-q)^2 - l_0^2}{2^n} = \frac{(\sigma-q)^2}{2^n}.$$

Q.E.D.

We next consider the following four sets.

$$\begin{aligned}
D_1 &\stackrel{\mathrm{def}}{=} \{M \mid M \in \{0,1\}^*,\ n < |M| \text{ and } |M| \text{ is a multiple of } n\} \\
D_2 &\stackrel{\mathrm{def}}{=} \{M \mid M \in \{0,1\}^*,\ n < |M| \text{ and } |M| \text{ is not a multiple of } n\} \\
D_3 &\stackrel{\mathrm{def}}{=} \{M \mid M \in \{0,1\}^* \text{ and } |M| = n\} \\
D_4 &\stackrel{\mathrm{def}}{=} \{M \mid M \in \{0,1\}^* \text{ and } |M| < n\}
\end{aligned}$$

We show the following lemma.

**Lemma 4.3** Let $q_1, q_2, q_3, q_4$ be four non-negative integers. For $1 \le i \le 4$, let $M_i^{(1)},\ldots,M_i^{(q_i)}$ be fixed bit strings such that $M_i^{(j)} \in D_i$ for $1 \le j \le q_i$ and $\{M_i^{(1)},\ldots,M_i^{(q_i)}\}$ are distinct. Similarly, for $1 \le i \le 4$, let $T_i^{(1)},\ldots,T_i^{(q_i)}$ be fixed $n$-bit strings such that $\{T_i^{(1)},\ldots,T_i^{(q_i)}\}$ are distinct. Then the number of $P_1,\ldots,P_6 \in \mathrm{Perm}(n)$ such that

$$\begin{cases}
\mathrm{MOMAC}_{P_1,\ldots,P_6}(M_1^{(i)}) = T_1^{(i)} & \text{for } 1 \le i \le q_1, \\
\mathrm{MOMAC}_{P_1,\ldots,P_6}(M_2^{(i)}) = T_2^{(i)} & \text{for } 1 \le i \le q_2, \\
\mathrm{MOMAC}_{P_1,\ldots,P_6}(M_3^{(i)}) = T_3^{(i)} & \text{for } 1 \le i \le q_3 \text{ and} \\
\mathrm{MOMAC}_{P_1,\ldots,P_6}(M_4^{(i)}) = T_4^{(i)} & \text{for } 1 \le i \le q_4
\end{cases} \qquad (6)$$

is at least

$$\{(2^n)!\}^6 \left(1 - \frac{(\sigma-q)^2}{2^n}\right) \frac{1}{2^{qn}},$$

where $q = q_1 + \cdots + q_4$, $\sigma_i = \sum_{1 \le j \le q_i} |M_i^{(j)}|_n$ and $\sigma = \sigma_1 + \cdots + \sigma_4$.

*Proof.* We first consider $M_1^{(1)},\ldots,M_1^{(q_1)}$. The number of $(P_1,P_2)$ such that $\mathrm{MOMAC\text{-}E}_{P_1,P_2}(M_1^{(i)}) = \mathrm{MOMAC\text{-}E}_{P_1,P_2}(M_1^{(j)})$ for some $1 \le i < j \le q_1$ is at most $\{(2^n)!\}^2 \dfrac{(\sigma_1 - q_1)^2}{2^n}$ from Lemma 4.2.

We next consider $M_2^{(1)},\ldots,M_2^{(q_2)}$. Let $\bar{M}_2^{(i)}$ denote the padded message of $M_2^{(i)}$. Then the number of $(P_1,P_2)$ such that $\mathrm{MOMAC\text{-}E}_{P_1,P_2}(\bar{M}_2^{(i)}) = \mathrm{MOMAC\text{-}E}_{P_1,P_2}(\bar{M}_2^{(j)})$ for some $1 \le i < j \le q_2$ is at most $\{(2^n)!\}^2 \dfrac{(\sigma_2 - q_2)^2}{2^n}$ from Lemma 4.2.

Therefore, we have at least

$$\{(2^n)!\}^2 \left(1 - \frac{(\sigma_1-q_1)^2}{2^n} - \frac{(\sigma_2-q_2)^2}{2^n}\right)$$

choices of $(P_1,P_2)$ such that

$$\begin{cases}
\mathrm{MOMAC\text{-}E}_{P_1,P_2}(M_1^{(i)}) \ne \mathrm{MOMAC\text{-}E}_{P_1,P_2}(M_1^{(j)}) & \text{for } 1 \le i < j \le q_1 \text{ and} \\
\mathrm{MOMAC\text{-}E}_{P_1,P_2}(\bar{M}_2^{(i)}) \ne \mathrm{MOMAC\text{-}E}_{P_1,P_2}(\bar{M}_2^{(j)}) & \text{for } 1 \le i < j \le q_2.
\end{cases} \qquad (7)$$

We fix any $(P_1,P_2)$ which satisfies (7). Now $P_1$ and $P_2$ are fixed in such a way that the inputs to $P_3$ are distinct and the inputs to $P_4$ are distinct. Also, the corresponding outputs $\{T_1^{(1)},\ldots,T_1^{(q_1)}\}$ are distinct, and $\{T_2^{(1)},\ldots,T_2^{(q_2)}\}$ are distinct. We know that the inputs to $P_5$ are distinct, and the corresponding outputs $\{T_3^{(1)},\ldots,T_3^{(q_3)}\}$ are distinct. Also, the inputs to $P_6$ are distinct, and the corresponding outputs $\{T_4^{(1)},\ldots,T_4^{(q_4)}\}$ are distinct. Therefore, we have at least

$$\{(2^n)!\}^2\, (2^n - q_1)!\, (2^n - q_2)!\, (2^n - q_3)!\, (2^n - q_4)! \left(1 - \frac{(\sigma_1-q_1)^2}{2^n} - \frac{(\sigma_2-q_2)^2}{2^n}\right)$$

choices of $P_1,\ldots,P_6$ which satisfy (6). This bound is at least

$$\{(2^n)!\}^6 \left(1 - \frac{(\sigma-q)^2}{2^n}\right)\frac{1}{2^{qn}}$$

since $(\sigma-q)^2 \ge (\sigma_1-q_1)^2 + (\sigma_2-q_2)^2$ and $(2^n - q_i)! \ge \dfrac{(2^n)!}{2^{q_i n}}$. This concludes the proof of the lemma. Q.E.D.

We now prove Lemma 4.1.

*Proof (of Lemma 4.1).* Let $\mathcal{O}$ be either $\mathrm{MOMAC}_{P_1,\ldots,P_6}$ or $R$. Since $A$ is computationally unbounded, there is no loss of generality in assuming that $A$ is deterministic. Now for the queries $A$ makes to the oracle $\mathcal{O}$, define the query–answer pairs $(M_j^{(i)}, T_j^{(i)}) \in D_j \times \{0,1\}^n$, where $A$'s $i$-th query in $D_j$ was $M_j^{(i)} \in D_j$ and the answer it got was $T_j^{(i)} \in \{0,1\}^n$. Suppose that we run $A$ with the oracle. For this run, assume that $A$ made $q_j$ queries in $D_j$, where $1 \le j \le 4$ and $q_1 + \cdots + q_4 = q$. Also, for $1 \le i \le 4$, let $\sigma_i = \sum_{1 \le j \le q_i} |M_i^{(j)}|_n$ (therefore, $q_3 = \sigma_3$ and $q_4 = \sigma_4$). For this run, we define the view $v$ of $A$ as

$$v \stackrel{\mathrm{def}}{=} \bigl((T_1^{(1)},\ldots,T_1^{(q_1)}),\ (T_2^{(1)},\ldots,T_2^{(q_2)}),\ (T_3^{(1)},\ldots,T_3^{(q_3)}),\ (T_4^{(1)},\ldots,T_4^{(q_4)})\bigr). \qquad (8)$$

Since $A$ is deterministic, the $i$-th query $A$ makes is fully determined by the first $i-1$ query–answer pairs. This implies that if we fix some $qn$-bit string $V$ and return the $i$-th $n$-bit block as the answer for the $i$-th query $A$ makes (instead of the oracle), then

$A$'s queries are uniquely determined, $q_1,\ldots,q_4$ are uniquely determined, $\sigma_1,\ldots,\sigma_4$ are uniquely determined, the parsing of $V$ into the format defined in (8) is uniquely determined, and the final output of $A$ (0 or 1) is uniquely determined.

Let $V_{\mathrm{one}}$ be the set of all $qn$-bit strings $V$ such that $A$ outputs 1. We let $N_{\mathrm{one}} \stackrel{\mathrm{def}}{=} \# V_{\mathrm{one}}$. Also, let $V_{\mathrm{good}}$ be the set of all $qn$-bit strings $V$ such that for $1 \le i < j \le q$, the $i$-th $n$-bit block of $V$ $\ne$ the $j$-th $n$-bit block of $V$. Note that if $V \in V_{\mathrm{good}}$, then the corresponding parsing $v$ of $V$ satisfies that $\{T_1^{(1)},\ldots,T_1^{(q_1)}\}$ are distinct, $\{T_2^{(1)},\ldots,T_2^{(q_2)}\}$ are distinct, $\{T_3^{(1)},\ldots,T_3^{(q_3)}\}$ are distinct and $\{T_4^{(1)},\ldots,T_4^{(q_4)}\}$ are distinct. Now observe that the number of $V$ which are not in the set $V_{\mathrm{good}}$ is at most $\binom{q}{2} \dfrac{2^{qn}}{2^n}$. Therefore, we have

$$\#\{V \mid V \in (V_{\mathrm{one}} \cap V_{\mathrm{good}})\} \ge N_{\mathrm{one}} - \binom{q}{2}\frac{2^{qn}}{2^n}. \qquad (9)$$

**Evaluation of $p_{\mathrm{rand}}$.** We first evaluate $p_{\mathrm{rand}} \stackrel{\mathrm{def}}{=} \Pr(R \xleftarrow{R} \mathrm{Rand}(*,n) : A^{R(\cdot)} = 1)$. Then it is not hard to see

$$p_{\mathrm{rand}} = \sum_{V \in V_{\mathrm{one}}} \frac{1}{2^{qn}} = \frac{N_{\mathrm{one}}}{2^{qn}}.$$

**Evaluation of $p_{\mathrm{real}}$.** We next evaluate

$$p_{\mathrm{real}} \stackrel{\mathrm{def}}{=} \Pr\bigl(P_1,\ldots,P_6 \xleftarrow{R} \mathrm{Perm}(n) : A^{\mathrm{MOMAC}_{P_1,\ldots,P_6}(\cdot)} = 1\bigr) = \frac{\#\{(P_1,\ldots,P_6) \mid A^{\mathrm{MOMAC}_{P_1,\ldots,P_6}(\cdot)} = 1\}}{\{(2^n)!\}^6}.$$

Then from Lemma 4.3, we have

$$p_{\mathrm{real}} \ge \sum_{V \in (V_{\mathrm{one}} \cap V_{\mathrm{good}})} \frac{\#\{(P_1,\ldots,P_6) \mid (P_1,\ldots,P_6) \text{ satisfying } (6)\}}{\{(2^n)!\}^6} \ge \sum_{V \in (V_{\mathrm{one}} \cap V_{\mathrm{good}})} \left(1 - \frac{(\sigma-q)^2}{2^n}\right) \frac{1}{2^{qn}}.$$

**Completing the Proof.** From (9) we have

$$\begin{aligned}
p_{\mathrm{real}} &\ge \left(N_{\mathrm{one}} - \binom{q}{2}\frac{2^{qn}}{2^n}\right)\left(1 - \frac{(\sigma-q)^2}{2^n}\right)\frac{1}{2^{qn}} \\
&= \left(p_{\mathrm{rand}} - \binom{q}{2}\frac{1}{2^n}\right)\left(1 - \frac{(\sigma-q)^2}{2^n}\right) \\
&\ge p_{\mathrm{rand}} - \binom{q}{2}\frac{1}{2^n} - \frac{(\sigma-q)^2}{2^n} \\
&\ge p_{\mathrm{rand}} - \frac{q^2 + (\sigma-q)^2}{2^n} \\
&\ge p_{\mathrm{rand}} - \frac{\sigma^2}{2^n}.
\end{aligned} \qquad (10)$$

Applying the same argument to $1 - p_{\mathrm{real}}$ and $1 - p_{\mathrm{rand}}$ yields that

$$1 - p_{\mathrm{real}} \ge 1 - p_{\mathrm{rand}} - \frac{\sigma^2}{2^n}. \qquad (11)$$

Finally, (10) and (11) give $|p_{\mathrm{real}} - p_{\mathrm{rand}}| \le \dfrac{\sigma^2}{2^n}$. Q.E.D.

### 4.3 From MOMAC to OMAC-family

The next lemma shows that $\mathrm{OMAC\text{-}family}_P(\cdot)$ and $\mathrm{MOMAC}_{P_1,\ldots,P_6}(\cdot)$ are indistinguishable.

**Lemma 4.4** Let $A$ be an adversary which asks at most $q$ queries, having aggregate length of at most $\sigma$ blocks. Assume $\sigma \le 2^{n/2}$. Then

$$\left|\Pr\bigl(P \xleftarrow{R} \mathrm{Perm}(n) : A^{\mathrm{OMAC\text{-}family}_P(\cdot)} = 1\bigr) - \Pr\bigl(P_1,\ldots,P_6 \xleftarrow{R} \mathrm{Perm}(n) : A^{\mathrm{MOMAC}_{P_1,\ldots,P_6}(\cdot)} = 1\bigr)\right| \le \frac{3\sigma^2}{2}\left(\frac{1}{2^n} + \epsilon\right).$$

*Proof.* We prove through a contradiction argument. Suppose that there exists an adversary $A$ such that

$$\left|\Pr\bigl(P \xleftarrow{R} \mathrm{Perm}(n) : A^{\mathrm{OMAC\text{-}family}_P(\cdot)} = 1\bigr) - \Pr\bigl(P_1,\ldots,P_6 \xleftarrow{R} \mathrm{Perm}(n) : A^{\mathrm{MOMAC}_{P_1,\ldots,P_6}(\cdot)} = 1\bigr)\right| > \frac{3\sigma^2}{2}\left(\frac{1}{2^n} + \epsilon\right).$$

By using $A$, we show a construction of an adversary $B_A$ such that $B_A$ asks at most $\sigma$ queries, and

$$\left|\Pr\bigl(P \xleftarrow{R} \mathrm{Perm}(n) : B_A^{Q_1(\cdot),\ldots,Q_6(\cdot)} = 1\bigr) - \Pr\bigl(P_1,\ldots,P_6 \xleftarrow{R} \mathrm{Perm}(n) : B_A^{P_1(\cdot),\ldots,P_6(\cdot)} = 1\bigr)\right| > \frac{3\sigma^2}{2}\left(\frac{1}{2^n} + \epsilon\right),$$

which contradicts Proposition 4.1. Let $\mathcal{O}_1(\cdot),\ldots,\mathcal{O}_6(\cdot)$ be $B_A$'s oracles. The construction of $B_A$ is given in Fig. 12. When $A$ asks $M^{(r)}$, then $B_A$ computes $T^{(r)} = \mathrm{MOMAC}_{\mathcal{O}_1,\ldots,\mathcal{O}_6}(M^{(r)})$ as if the underlying random permutations are $\mathcal{O}_1,\ldots,\mathcal{O}_6$, and returns $T^{(r)}$. When $A$ halts and outputs $b$, then $B_A$ outputs $b$. Now we see that:

```
Algorithm B_A^{O1,...,O6}
1: When A asks its r-th query M^(r):
2:   T^(r) ← MOMAC_{O1,...,O6}(M^(r))
3:   return T^(r)
4: When A halts and outputs b:
5:   output b
```

Fig. 12. Algorithm $B_A$. Note that for $1 \le i \le 6$, $\mathcal{O}_i$ is either $P_i$ or $Q_i$.

Fig. 13. Computation of $B_A$ when $\mathcal{O}_i = Q_i$ for $1 \le i \le 6$, and $|M| > n$: each block $M[1], M[2], M[3]$ (or $M[3]\,10^i$) is XORed with $\mathrm{Rnd}$ before and after $P$, the last block additionally with $H_L(\mathrm{Cst}_1)$ (left) or $H_L(\mathrm{Cst}_2)$ (right).

Fig. 14. Computation of $B_A$ when $\mathcal{O}_i = Q_i$ for $1 \le i \le 6$, and $|M| \le n$: $M$ (left) or $M\,10^i$ (right) is XORed with $H_L(\mathrm{Cst}_1)$ or $H_L(\mathrm{Cst}_2)$ and then passed through $P$.

- $B_A$ asks at most $\sigma$ queries to its oracles, since $A$ asks at most $q$ queries having aggregate length of at most $\sigma$ blocks.
- $\Pr\bigl(P_1,\ldots,P_6 \xleftarrow{R} \mathrm{Perm}(n) : B_A^{P_1(\cdot),\ldots,P_6(\cdot)} = 1\bigr) = \Pr\bigl(P_1,\ldots,P_6 \xleftarrow{R} \mathrm{Perm}(n) : A^{\mathrm{MOMAC}_{P_1,\ldots,P_6}(\cdot)} = 1\bigr)$, since $B_A$ gives $A$ a perfect simulation of $\mathrm{MOMAC}_{P_1,\ldots,P_6}(\cdot)$ if $\mathcal{O}_i(\cdot) = P_i(\cdot)$ for $1 \le i \le 6$.
- $\Pr\bigl(P \xleftarrow{R} \mathrm{Perm}(n) : B_A^{Q_1(\cdot),\ldots,Q_6(\cdot)} = 1\bigr) = \Pr\bigl(P \xleftarrow{R} \mathrm{Perm}(n) : A^{\mathrm{OMAC}_P(\cdot)} = 1\bigr)$, since $B_A$ gives $A$ a perfect simulation of $\mathrm{OMAC}_P(\cdot)$ if $\mathcal{O}_i(\cdot) = Q_i(\cdot)$ for $1 \le i \le 6$. See Fig. 13 and Fig. 14. Note that $\mathrm{Rnd}$ is canceled in Fig. 13.

This concludes the proof of the lemma. Q.E.D.

### 4.4 Proof of Main Lemma for OMAC-family

We finally give a proof of the Main Lemma for OMAC-family.

*Proof (of Lemma 3.1).* By the triangle inequality, the left-hand side of (2) is at most

$$\left|\Pr\bigl(P_1,\ldots,P_6 \xleftarrow{R} \mathrm{Perm}(n) : A^{\mathrm{MOMAC}_{P_1,\ldots,P_6}(\cdot)} = 1\bigr) - \Pr\bigl(R \xleftarrow{R} \mathrm{Rand}(*,n) : A^{R(\cdot)} = 1\bigr)\right| \qquad (12)$$

$$+ \left|\Pr\bigl(P \xleftarrow{R} \mathrm{Perm}(n) : A^{\mathrm{OMAC\text{-}family}_P(\cdot)} = 1\bigr) - \Pr\bigl(P_1,\ldots,P_6 \xleftarrow{R} \mathrm{Perm}(n) : A^{\mathrm{MOMAC}_{P_1,\ldots,P_6}(\cdot)} = 1\bigr)\right|. \qquad (13)$$

Lemma 4.1 gives us an upper bound on (12) and Lemma 4.4 gives us an upper bound on (13). Therefore the bound follows since

$$\frac{\sigma^2}{2^n} + \frac{3\sigma^2}{2}\left(\frac{1}{2^n} + \epsilon\right) = \frac{\sigma^2}{2}\left(\frac{5}{2^n} + 3\epsilon\right).$$

This concludes the proof of the lemma. Q.E.D.

## 5 Proof for TMAC-family

### 5.1 $Q_1, Q_2, Q_3$ [9] and FCBC [3]

Let $H$, $\mathrm{Cst}_1$ and $\mathrm{Cst}_2$ satisfy the conditions in Sec. 2.3.2 for some sufficiently small $\epsilon_1, \epsilon_2, \epsilon_3$. For a random permutation $P \in \mathrm{Perm}(n)$ and a random string $K \in \mathcal{K}_H$, define

$$Q_1(x) \stackrel{\mathrm{def}}{=} P(x), \qquad Q_2(x) \stackrel{\mathrm{def}}{=} P(x \oplus H_K(\mathrm{Cst}_1)), \qquad Q_3(x) \stackrel{\mathrm{def}}{=} P(x \oplus H_K(\mathrm{Cst}_2)). \qquad (14)$$

The following proposition shows that $Q_1(\cdot), Q_2(\cdot), Q_3(\cdot)$ are indistinguishable from three independent random permutations $P_1(\cdot), P_2(\cdot), P_3(\cdot)$.

**Proposition 5.1** Let $A$ be an adversary which asks at most $q$ queries in total. Then

$$\left|\Pr\bigl(P \xleftarrow{R} \mathrm{Perm}(n);\ K \xleftarrow{R} \mathcal{K}_H : A^{Q_1(\cdot),Q_2(\cdot),Q_3(\cdot)} = 1\bigr) - \Pr\bigl(P_1,P_2,P_3 \xleftarrow{R} \mathrm{Perm}(n) : A^{P_1(\cdot),P_2(\cdot),P_3(\cdot)} = 1\bigr)\right| \le \frac{q^2}{2}\left(\frac{1}{2^n} + \epsilon\right),$$

where $\epsilon = \max\{\epsilon_1, \epsilon_2, \epsilon_3\}$. A proof is given in [9].

Next we recall FCBC [3]. It uses three independent random permutations $P_1, P_2, P_3 \in \mathrm{Perm}(n)$. The algorithm $\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)$ is described in Fig. 15 and illustrated in Fig. 16.

### 5.2 FCBC is Pseudorandom

We prove that FCBC is pseudorandom (information-theoretic result).

**Lemma 5.1** Let $A$ be an adversary which asks at most $q$ queries, having aggregate length of at most $\sigma$ blocks. Assume $\sigma \le 2^{n/2}$. Then

$$\left|\Pr\bigl(P_1,P_2,P_3 \xleftarrow{R} \mathrm{Perm}(n) : A^{\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)} = 1\bigr) - \Pr\bigl(R \xleftarrow{R} \mathrm{Rand}(*,n) : A^{R(\cdot)} = 1\bigr)\right| \le \frac{2\sigma^2}{2^n}.$$

To prove Lemma 5.1, we define CBC-E (CBC MAC without final encryption). It takes a message $M$ such that $|M| = mn$ for some $m \ge 1$. It is obtained from the CBC MAC by removing the final encryption. More precisely, the algorithm $\mathrm{CBC\text{-}E}_P(\cdot)$ is described in Fig. 17, where $P \in \mathrm{Perm}(n)$ is a random permutation. We first show the following lemma.

```
Algorithm FCBC_{P1,P2,P3}(M)
  Y[0] ← 0^n
  Partition M into M[1] ··· M[m]
  for i ← 1 to m−1 do
    X[i] ← M[i] ⊕ Y[i−1]
    Y[i] ← P1(X[i])
  X[m] ← pad_n(M[m]) ⊕ Y[m−1]
  if |M[m]| = n then T ← P2(X[m]) else T ← P3(X[m])
  return T
```

Fig. 15. Definition of FCBC.

Fig. 16. Illustration of FCBC: $M[1]$ and $M[2]$ through $P_1$, and the last block $M[3]$ through $P_2$ (left, $|M[3]| = n$) or $M[3]\,10^i$ through $P_3$ (right).

```
Algorithm CBC-E_P(M)
  Y[0] ← 0^n
  Partition M into M[1] ··· M[m]
  for i ← 1 to m−1 do
    X[i] ← M[i] ⊕ Y[i−1]
    Y[i] ← P(X[i])
  X[m] ← M[m] ⊕ Y[m−1]
  return X[m]
```

Fig. 17. Definition of CBC-E.
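Lemma 4.2 (for MOMAC-E, Fig. 10) and the CBC-E bound of Sec. 1.3 (Lemma 5.2, Fig. 17) are statements about random permutations, so for a toy block length they can be checked directly: sample $P$ (or $P_1, P_2$) from $\mathrm{Perm}(n)$, evaluate the keyless CBC on a fixed set of distinct messages, and count how often two outputs coincide. The Python below is an added example, not the paper's code; the block length $n = 8$, the message sets and the trial counts are constructed here, and both bound functions refuse inputs with $\sigma > 2^{n/2}$, the hypothesis under which the lemmas hold.

```python
"""Empirical check of the collision bounds of Lemma 4.2 (MOMAC-E) and Lemma 5.2 (CBC-E).

Added example, not the paper's code.  With n = 8 a uniformly random element of Perm(n) is a
shuffled list of 256 entries, so the event
    exists i < j : f(M^(i)) = f(M^(j))
can be estimated by repetition and compared with sigma^2/2^n and (sigma - q)^2/2^n.
Messages are lists of n-bit blocks (ints); the ones below are constructed for the example.
"""
import random
from typing import Dict, List, Tuple

N = 8                       # toy block length in bits
BLOCKS = 1 << N


def random_perm(rng: random.Random) -> List[int]:
    """A uniformly random element of Perm(n) as a lookup table."""
    p = list(range(BLOCKS))
    rng.shuffle(p)
    return p


def cbc_e(P: List[int], M: List[int]) -> int:
    """CBC-E of Fig. 17: CBC chaining over M[1..m-1]; the last block is only XORed in."""
    Y = 0
    for blk in M[:-1]:
        Y = P[blk ^ Y]
    return M[-1] ^ Y


def momac_e(P1: List[int], P2: List[int], M: List[int]) -> int:
    """MOMAC-E of Fig. 10: M[1] through P1, middle blocks through P2, last block XORed in (m >= 2)."""
    if len(M) < 2:
        raise ValueError("MOMAC-E needs m >= 2")
    Y = P1[M[0]]
    for blk in M[1:-1]:
        Y = P2[blk ^ Y]
    return M[-1] ^ Y


def cbc_e_bound(sigma: int, n: int = N) -> float:
    """Lemma 5.2 / Sec. 1.3: Pr[collision] <= sigma^2 / 2^n, stated for sigma <= 2^(n/2)."""
    if sigma > 2 ** (n / 2):
        raise ValueError("lemma assumes sigma <= 2^(n/2)")
    return sigma ** 2 / 2 ** n


def momac_e_bound(sigma: int, q: int, n: int = N) -> float:
    """Lemma 4.2: Pr[collision] <= (sigma - q)^2 / 2^n, stated for sigma <= 2^(n/2)."""
    if sigma > 2 ** (n / 2):
        raise ValueError("lemma assumes sigma <= 2^(n/2)")
    return (sigma - q) ** 2 / 2 ** n


def sigma_of(msgs: List[List[int]]) -> int:
    """Aggregate length in blocks, the sigma of the lemmas."""
    return sum(len(M) for M in msgs)


def estimate(msgs: List[List[int]], scheme: str, trials: int, seed: int = 1) -> float:
    """Fraction of trials (fresh random permutations each time) in which some pair collides."""
    if len(set(map(tuple, msgs))) != len(msgs):
        raise ValueError("messages must be distinct")
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        if scheme == "cbc-e":
            P = random_perm(rng)
            outs = [cbc_e(P, M) for M in msgs]
        else:
            P1, P2 = random_perm(rng), random_perm(rng)
            outs = [momac_e(P1, P2, M) for M in msgs]
        hits += len(set(outs)) < len(outs)
    return hits / trials


# Constructed inputs, q = 4 distinct messages each.  [1,2] and [1,3] share a prefix: the
# duplicated-prefix case the proof of Lemma 4.2 has to account for.
CBC_MSGS = [[1], [2, 3], [2, 4], [5, 6, 7]]              # sigma = 8  <= 2^(8/2) = 16
MOMAC_MSGS = [[1, 2], [1, 3], [4, 5, 6], [7, 8, 9, 10]]  # sigma = 11, q = 4


def run(trials: int = 2000) -> Dict[str, Tuple[float, float]]:
    """(empirical collision rate, proven bound) for both schemes on the constructed inputs."""
    return {
        "cbc-e": (estimate(CBC_MSGS, "cbc-e", trials), cbc_e_bound(sigma_of(CBC_MSGS))),
        "momac-e": (estimate(MOMAC_MSGS, "momac-e", trials),
                    momac_e_bound(sigma_of(MOMAC_MSGS), len(MOMAC_MSGS))),
    }


if __name__ == "__main__":
    for name, (est, bound) in run().items():
        print(f"{name}: empirical {est:.4f} <= bound {bound:.4f}")
```

The bounds are loose by design (the proof charges every pair of domain points, not only the colliding ones), so the empirical rate sits well below them; what the experiment does show is the structural reason for the $(\sigma - q)^2$ term: the last block of each message is never passed through a permutation, so $q$ of the $\sigma$ blocks contribute no fresh domain point.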

Also, suppose that the game terminates after the $s$-th execution of line 15. Then we have

$$\Pr_{\text{line }15}(bad \leftarrow \mathrm{true}) \le \sum_{1 \le t \le s} V(t) = \sum_{1 \le t \le s} \frac{(l_0 + l_1 + \cdots + l_{t-1})\, l_t}{2^n - (t-1)}.$$

Now we can bound the above by

$$\sum_{1 \le t \le s} \frac{(l_0 + l_1 + \cdots + l_{t-1})\, l_t}{2^n - (t-1)} \le \frac{2}{2^n} \sum_{1 \le t \le s} (l_0 + l_1 + \cdots + l_{t-1})\, l_t \le \frac{\sigma^2}{2^n},$$

where the first inequality follows since $s$ is at most $\sigma$, which is at most $2^{n/2}$, and the second inequality follows since $\sigma \ge l_0 + l_1 + \cdots + l_s$ and

$$\sum_{1 \le t \le s} (l_0 + l_1 + \cdots + l_{t-1})\, l_t \le \frac{\sigma^2 - l_0^2 - l_1^2 - \cdots - l_s^2}{2} \le \frac{\sigma^2}{2}.$$

Q.E.D.

We next consider the following two sets.

$$\begin{aligned}
D_1 &\stackrel{\mathrm{def}}{=} \{M \mid M \in \{0,1\}^* \text{ and } |M| \text{ is a positive multiple of } n\} \\
D_2 &\stackrel{\mathrm{def}}{=} \{M \mid M \in \{0,1\}^* \text{ and } |M| \text{ is not a positive multiple of } n\}
\end{aligned}$$

We show the following lemma.

**Lemma 5.3** Let $q_1, q_2$ be two non-negative integers. For $1 \le i \le 2$, let $M_i^{(1)},\ldots,M_i^{(q_i)}$ be fixed bit strings such that $M_i^{(j)} \in D_i$ for $1 \le j \le q_i$ and $\{M_i^{(1)},\ldots,M_i^{(q_i)}\}$ are distinct. Similarly, for $1 \le i \le 2$, let $T_i^{(1)},\ldots,T_i^{(q_i)}$ be fixed $n$-bit strings such that $\{T_i^{(1)},\ldots,T_i^{(q_i)}\}$ are distinct. Then the number of $P_1, P_2, P_3 \in \mathrm{Perm}(n)$ such that

$$\begin{cases}
\mathrm{FCBC}_{P_1,P_2,P_3}(M_1^{(i)}) = T_1^{(i)} & \text{for } 1 \le i \le q_1 \text{ and} \\
\mathrm{FCBC}_{P_1,P_2,P_3}(M_2^{(i)}) = T_2^{(i)} & \text{for } 1 \le i \le q_2
\end{cases} \qquad (15)$$

is at least

$$\{(2^n)!\}^3 \left(1 - \frac{\sigma^2}{2^n}\right) \frac{1}{2^{qn}},$$

where $q = q_1 + q_2$, $\sigma_i = \sum_{1 \le j \le q_i} |M_i^{(j)}|_n$ and $\sigma = \sigma_1 + \sigma_2$.

*Proof.* We first consider $M_1^{(1)},\ldots,M_1^{(q_1)}$. The number of $P_1$ such that $\mathrm{CBC\text{-}E}_{P_1}(M_1^{(i)}) = \mathrm{CBC\text{-}E}_{P_1}(M_1^{(j)})$ for some $1 \le i < j \le q_1$ is at most $(2^n)!\, \dfrac{\sigma_1^2}{2^n}$ from Lemma 5.2.

We next consider $M_2^{(1)},\ldots,M_2^{(q_2)}$. Let $\bar{M}_2^{(i)}$ denote the padded message of $M_2^{(i)}$. Then the number of $P_1$ such that $\mathrm{CBC\text{-}E}_{P_1}(\bar{M}_2^{(i)}) = \mathrm{CBC\text{-}E}_{P_1}(\bar{M}_2^{(j)})$ for some $1 \le i < j \le q_2$ is at most $(2^n)!\, \dfrac{\sigma_2^2}{2^n}$ from Lemma 5.2.

Therefore, we have at least

$$(2^n)! \left(1 - \frac{\sigma_1^2}{2^n} - \frac{\sigma_2^2}{2^n}\right)$$

choices of $P_1$ such that

$$\begin{cases}
\mathrm{CBC\text{-}E}_{P_1}(M_1^{(i)}) \ne \mathrm{CBC\text{-}E}_{P_1}(M_1^{(j)}) & \text{for } 1 \le i < j \le q_1 \text{ and} \\
\mathrm{CBC\text{-}E}_{P_1}(\bar{M}_2^{(i)}) \ne \mathrm{CBC\text{-}E}_{P_1}(\bar{M}_2^{(j)}) & \text{for } 1 \le i < j \le q_2.
\end{cases} \qquad (16)$$

We fix any $P_1$ which satisfies (16). Now $P_1$ is fixed in such a way that the inputs to $P_2$ are distinct and the inputs to $P_3$ are distinct. Also, the corresponding outputs $\{T_1^{(1)},\ldots,T_1^{(q_1)}\}$ are distinct, and $\{T_2^{(1)},\ldots,T_2^{(q_2)}\}$ are distinct. Therefore, we have at least

$$(2^n)!\, (2^n - q_1)!\, (2^n - q_2)! \left(1 - \frac{\sigma_1^2}{2^n} - \frac{\sigma_2^2}{2^n}\right)$$

choices of $P_1, P_2, P_3$ which satisfy (15). This bound is at least

$$\{(2^n)!\}^3 \left(1 - \frac{\sigma^2}{2^n}\right) \frac{1}{2^{qn}}$$

since $\sigma^2 \ge \sigma_1^2 + \sigma_2^2$ and $(2^n - q_i)! \ge \dfrac{(2^n)!}{2^{q_i n}}$. This concludes the proof of the lemma. Q.E.D.

We now prove Lemma 5.1.

*Proof (of Lemma 5.1).* We proceed similarly to the proof of Lemma 4.1. Let $\mathcal{O}$ be either $\mathrm{FCBC}_{P_1,P_2,P_3}$ or $R$. Since $A$ is computationally unbounded, there is no loss of generality in assuming that $A$ is deterministic. Now for the queries $A$ makes to the oracle $\mathcal{O}$, define the query–answer pairs $(M_j^{(i)}, T_j^{(i)}) \in D_j \times \{0,1\}^n$, where $A$'s $i$-th query in $D_j$ was $M_j^{(i)} \in D_j$ and the answer it got was $T_j^{(i)} \in \{0,1\}^n$. Suppose that we run $A$ with the oracle. For this run, assume that $A$ made $q_j$ queries in $D_j$, where $1 \le j \le 2$ and $q_1 + q_2 = q$. Also, for $1 \le i \le 2$, let $\sigma_i = \sum_{1 \le j \le q_i} |M_i^{(j)}|_n$. For this run, we define the view $v$ of $A$ as

$$v \stackrel{\mathrm{def}}{=} \bigl((T_1^{(1)},\ldots,T_1^{(q_1)}),\ (T_2^{(1)},\ldots,T_2^{(q_2)})\bigr). \qquad (17)$$

Since $A$ is deterministic, the $i$-th query $A$ makes is fully determined by the first $i-1$ query–answer pairs. This implies that if we fix some $qn$-bit string $V$ and return the $i$-th $n$-bit block as the answer for the $i$-th query $A$ makes (instead of the oracle), then $A$'s queries are uniquely determined, $q_1, q_2$ are uniquely determined, $\sigma_1, \sigma_2$ are uniquely determined, the parsing of $V$ into the format defined in (17) is uniquely determined, and the final output of $A$ (0 or 1) is uniquely determined.

Let $V_{\mathrm{one}}$ be the set of all $qn$-bit strings $V$ such that $A$ outputs 1. We let $N_{\mathrm{one}} \stackrel{\mathrm{def}}{=} \# V_{\mathrm{one}}$. Also, let $V_{\mathrm{good}}$ be the set of all $qn$-bit strings $V$ such that for $1 \le i < j \le q$, the $i$-th $n$-bit block of $V$ $\ne$ the $j$-th $n$-bit block of $V$. Note that if $V \in V_{\mathrm{good}}$, then the corresponding parsing $v$ of $V$ satisfies that $\{T_1^{(1)},\ldots,T_1^{(q_1)}\}$ are distinct and $\{T_2^{(1)},\ldots,T_2^{(q_2)}\}$ are distinct. Now observe that the number of $V$ which are not in the set $V_{\mathrm{good}}$ is at most $\binom{q}{2} \dfrac{2^{qn}}{2^n}$. Therefore, we have

$$\#\{V \mid V \in (V_{\mathrm{one}} \cap V_{\mathrm{good}})\} \ge N_{\mathrm{one}} - \binom{q}{2}\frac{2^{qn}}{2^n}. \qquad (18)$$

**Evaluation of $p_{\mathrm{rand}}$.** We first evaluate $p_{\mathrm{rand}} \stackrel{\mathrm{def}}{=} \Pr(R \xleftarrow{R} \mathrm{Rand}(*,n) : A^{R(\cdot)} = 1)$. Then it is not hard to see

$$p_{\mathrm{rand}} = \sum_{V \in V_{\mathrm{one}}} \frac{1}{2^{qn}} = \frac{N_{\mathrm{one}}}{2^{qn}}.$$

**Evaluation of $p_{\mathrm{real}}$.** We next evaluate

$$p_{\mathrm{real}} \stackrel{\mathrm{def}}{=} \Pr\bigl(P_1,P_2,P_3 \xleftarrow{R} \mathrm{Perm}(n) : A^{\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)} = 1\bigr) = \frac{\#\{(P_1,P_2,P_3) \mid A^{\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)} = 1\}}{\{(2^n)!\}^3}.$$

Then from Lemma 5.3, we have

$$p_{\mathrm{real}} \ge \sum_{V \in (V_{\mathrm{one}} \cap V_{\mathrm{good}})} \frac{\#\{(P_1,P_2,P_3) \mid (P_1,P_2,P_3) \text{ satisfying } (15)\}}{\{(2^n)!\}^3} \ge \sum_{V \in (V_{\mathrm{one}} \cap V_{\mathrm{good}})} \left(1 - \frac{\sigma^2}{2^n}\right) \frac{1}{2^{qn}}.$$

**Completing the Proof.** From (18) we have

$$\begin{aligned}
p_{\mathrm{real}} &\ge \left(N_{\mathrm{one}} - \binom{q}{2}\frac{2^{qn}}{2^n}\right)\left(1 - \frac{\sigma^2}{2^n}\right)\frac{1}{2^{qn}} \\
&= \left(p_{\mathrm{rand}} - \binom{q}{2}\frac{1}{2^n}\right)\left(1 - \frac{\sigma^2}{2^n}\right) \\
&\ge p_{\mathrm{rand}} - \binom{q}{2}\frac{1}{2^n} - \frac{\sigma^2}{2^n} \\
&\ge p_{\mathrm{rand}} - \frac{q^2 + \sigma^2}{2^n} \\
&\ge p_{\mathrm{rand}} - \frac{2\sigma^2}{2^n}.
\end{aligned} \qquad (19)$$

Applying the same argument to $1 - p_{\mathrm{real}}$ and $1 - p_{\mathrm{rand}}$ yields that

$$1 - p_{\mathrm{real}} \ge 1 - p_{\mathrm{rand}} - \frac{2\sigma^2}{2^n}. \qquad (20)$$

Finally, (19) and (20) give $|p_{\mathrm{real}} - p_{\mathrm{rand}}| \le \dfrac{2\sigma^2}{2^n}$. Q.E.D.

### 5.3 From FCBC to TMAC-family

The next lemma shows that $\mathrm{TMAC\text{-}family}_{P,K}(\cdot)$ and $\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)$ are indistinguishable.

**Lemma 5.4** Let $A$ be an adversary which asks at most $q$ queries, having aggregate length of at most $\sigma$ blocks. Assume $\sigma \le 2^{n/2}$. Then

$$\left|\Pr\bigl(P \xleftarrow{R} \mathrm{Perm}(n),\ K \xleftarrow{R} \mathcal{K}_H : A^{\mathrm{TMAC\text{-}family}_{P,K}(\cdot)} = 1\bigr) - \Pr\bigl(P_1,P_2,P_3 \xleftarrow{R} \mathrm{Perm}(n) : A^{\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)} = 1\bigr)\right| \le \frac{\sigma^2}{2}\left(\frac{1}{2^n} + \epsilon\right).$$

By using Proposition 5.1, it can be proved similarly to the proof of Lemma 4.4.

### 5.4 Proof of Main Lemma for TMAC-family

We finally give a proof of the Main Lemma for TMAC-family.

*Proof (of Lemma 3.2).* By the triangle inequality, the left-hand side of (3) is at most

$$\left|\Pr\bigl(P_1,P_2,P_3 \xleftarrow{R} \mathrm{Perm}(n) : A^{\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)} = 1\bigr) - \Pr\bigl(R \xleftarrow{R} \mathrm{Rand}(*,n) : A^{R(\cdot)} = 1\bigr)\right| \qquad (21)$$

$$+ \left|\Pr\bigl(P \xleftarrow{R} \mathrm{Perm}(n),\ K \xleftarrow{R} \mathcal{K}_H : A^{\mathrm{TMAC\text{-}family}_{P,K}(\cdot)} = 1\bigr) - \Pr\bigl(P_1,P_2,P_3 \xleftarrow{R} \mathrm{Perm}(n) : A^{\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)} = 1\bigr)\right|. \qquad (22)$$

Lemma 5.1 gives us an upper bound on (21) and Lemma 5.4 gives us an upper bound on (22). Therefore the bound follows since

$$\frac{2\sigma^2}{2^n} + \frac{\sigma^2}{2}\left(\frac{1}{2^n} + \epsilon\right) = \frac{\sigma^2}{2}\left(\frac{5}{2^n} + \epsilon\right).$$

This concludes the proof of the lemma. Q.E.D.

## 6 Proof for XCBC

### 6.1 $Q_1, Q_2, Q_3$

For a random permutation $P \in \mathrm{Perm}(n)$ and two random $n$-bit strings $K_2, K_3 \in \{0,1\}^n$, define

$$Q_1(x) \stackrel{\mathrm{def}}{=} P(x), \qquad Q_2(x) \stackrel{\mathrm{def}}{=} P(x \oplus K_2), \qquad Q_3(x) \stackrel{\mathrm{def}}{=} P(x \oplus K_3). \qquad (23)$$

The following proposition shows that $Q_1(\cdot), Q_2(\cdot), Q_3(\cdot)$ are indistinguishable from three independent random permutations $P_1(\cdot), P_2(\cdot), P_3(\cdot)$.

**Proposition 6.1** Let $A$ be an adversary which asks at most $q$ queries in total. Then

$$\left|\Pr\bigl(P \xleftarrow{R} \mathrm{Perm}(n);\ K_2, K_3 \xleftarrow{R} \{0,1\}^n : A^{Q_1(\cdot),Q_2(\cdot),Q_3(\cdot)} = 1\bigr) - \Pr\bigl(P_1,P_2,P_3 \xleftarrow{R} \mathrm{Perm}(n) : A^{P_1(\cdot),P_2(\cdot),P_3(\cdot)} = 1\bigr)\right| \le \frac{q^2}{2^n}.$$

It can be proved by extending the proof of [3, Lemma 4]. Also, it can be proved similarly to Proposition 5.1.

### 6.2 From FCBC to XCBC

The next lemma shows that $\mathrm{XCBC}_{P,K_2,K_3}(\cdot)$ and $\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)$ are indistinguishable.

**Lemma 6.1** Let $A$ be an adversary which asks at most $q$ queries, having aggregate length of at most $\sigma$ blocks. Assume $\sigma \le 2^{n/2}$. Then

$$\left|\Pr\bigl(P \xleftarrow{R} \mathrm{Perm}(n),\ K_2, K_3 \xleftarrow{R} \{0,1\}^n : A^{\mathrm{XCBC}_{P,K_2,K_3}(\cdot)} = 1\bigr) - \Pr\bigl(P_1,P_2,P_3 \xleftarrow{R} \mathrm{Perm}(n) : A^{\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)} = 1\bigr)\right| \le \frac{\sigma^2}{2^n}.$$

By using Proposition 6.1, it can be proved similarly to the proof of Lemma 4.4.

### 6.3 Proof of Main Lemma for XCBC

We finally give a proof of the Main Lemma for XCBC.

*Proof (of Lemma 3.3).* By the triangle inequality, the left-hand side of (4) is at most

$$\left|\Pr\bigl(P_1,P_2,P_3 \xleftarrow{R} \mathrm{Perm}(n) : A^{\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)} = 1\bigr) - \Pr\bigl(R \xleftarrow{R} \mathrm{Rand}(*,n) : A^{R(\cdot)} = 1\bigr)\right| \qquad (24)$$

$$+ \left|\Pr\bigl(P \xleftarrow{R} \mathrm{Perm}(n),\ K_2, K_3 \xleftarrow{R} \{0,1\}^n : A^{\mathrm{XCBC}_{P,K_2,K_3}(\cdot)} = 1\bigr) - \Pr\bigl(P_1,P_2,P_3 \xleftarrow{R} \mathrm{Perm}(n) : A^{\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)} = 1\bigr)\right|. \qquad (25)$$

Lemma 5.1 gives us an upper bound on (24) and Lemma 6.1 gives us an upper bound on (25). Therefore the bound follows since

$$\frac{2\sigma^2}{2^n} + \frac{\sigma^2}{2^n} = \frac{3\sigma^2}{2^n}.$$

This concludes the proof of the lemma. Q.E.D.

## References

[1] M. Bellare, J. Kilian, and P. Rogaway. The security of the cipher block chaining message authentication code. JCSS, vol. 61, no. 3, pp. …, 2000. Earlier version in Advances in Cryptology – CRYPTO '94, LNCS 839, pp. …, Springer-Verlag.

[2] A. Berendschot, B. den Boer, J. P. Boly, A. Bosselaers, J. Brandt, D. Chaum, I. Damgård, M. Dichtl, W. Fumy, M. van der Ham, C. J. A. Jansen, P. Landrock, B. Preneel, G. Roelofsen, P. de Rooij, and J. Vandewalle. Final Report of RACE Integrity Primitives. LNCS 1007, Springer-Verlag.

[3] J. Black and P. Rogaway. CBC MACs for arbitrary-length messages: The three key constructions. Advances in Cryptology – CRYPTO 2000, LNCS 1880, pp. …, Springer-Verlag, 2000.

[4] FIPS Publication …. Data Encryption Standard (DES). U.S. Department of Commerce / National Institute of Standards and Technology, October 5, ….

[5] FIPS 113. Computer data authentication. Federal Information Processing Standards Publication 113, U. S. Department of Commerce / National Bureau of Standards, National Technical Information Service, Springfield, Virginia, 1985.

[6] O. Goldreich, S. Goldwasser and S. Micali. How to construct random functions. J. ACM, vol. 33, no. 4, October 1986.

[7] ISO/IEC 9797. Information technology. Security techniques. Data integrity mechanism using a cryptographic check function employing a block cipher algorithm. International Organization for Standards, Geneva, Switzerland, 1994. Second edition.

[8] T. Iwata and K. Kurosawa. OMAC: One-Key CBC MAC. Pre-proceedings of Fast Software Encryption, FSE 2003, 2003. To appear in LNCS, Springer-Verlag.

[9] K. Kurosawa and T. Iwata. TMAC: Two-Key CBC MAC. Topics in Cryptology, CT-RSA 2003, LNCS 2612, Springer-Verlag, 2003.

[10] R. Lidl and H. Niederreiter. Introduction to finite fields and their applications, revised edition. Cambridge University Press, 1994.

[11] M. Luby and C. Rackoff. How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput., vol. 17, no. 2, April 1988.

[12] E. Petrank and C. Rackoff. CBC MAC for real-time data sources. J. Cryptology, vol. 13, no. 3, Springer-Verlag, 2000.

A The Field with $2^n$ Points

We interchangeably think of a point $a$ in $\mathrm{GF}(2^n)$ in any of the following ways:
1. as an abstract point in a field;
2. as an $n$-bit string $a_{n-1} \cdots a_1 a_0 \in \{0,1\}^n$;
3. as a formal polynomial $a(u) = a_{n-1}u^{n-1} + \cdots + a_1 u + a_0$ with binary coefficients.

To add two points in $\mathrm{GF}(2^n)$, take their bitwise XOR. We denote this operation by $a \oplus b$. To multiply two points, fix some irreducible polynomial $f(u)$ having binary coefficients and degree $n$. To be concrete, choose the lexicographically first polynomial among the irreducible degree $n$ polynomials having a minimum number of coefficients. We list some indicated polynomials (see [10, Chapter 10] for other polynomials):
$$f(u) = u^{64} + u^{4} + u^{3} + u + 1 \quad \text{for } n = 64,$$
$$f(u) = u^{128} + u^{7} + u^{2} + u + 1 \quad \text{for } n = 128, \text{ and}$$
$$f(u) = u^{256} + u^{10} + u^{5} + u^{2} + 1 \quad \text{for } n = 256.$$
To multiply two points $a \in \mathrm{GF}(2^n)$ and $b \in \mathrm{GF}(2^n)$, regard $a$ and $b$ as polynomials $a(u) = a_{n-1}u^{n-1} + \cdots + a_1 u + a_0$ and $b(u) = b_{n-1}u^{n-1} + \cdots + b_1 u + b_0$, form their product $c(u)$ where one adds and multiplies coefficients in $\mathrm{GF}(2)$, and take the remainder when dividing $c(u)$ by $f(u)$. Note that it is particularly easy to multiply a point $a \in \{0,1\}^n$ by $u$. We show a method for $n = 128$, where $f(u) = u^{128} + u^{7} + u^{2} + u + 1$. Then multiplying $a = a_{127} \cdots a_1 a_0$ by $u$ yields a
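The field arithmetic of this appendix, as an added Python example (not code from the paper): `mul_u` is the multiply-by-$u$ step for the three listed polynomials, implemented as a one-bit shift followed by a conditional XOR with $f(u)$, and `gf_mul` is the general product reduced modulo $f(u)$, built from repeated `mul_u` so the two can be checked against each other. The sample point and the function names are this example's own.

```python
# Irreducible polynomials from the appendix as Python ints: bit i holds the
# coefficient of u^i, so f(u) = u^128 + u^7 + u^2 + u + 1 is (1 << 128) | 0x87.
IRREDUCIBLE = {
    64:  (1 << 64) | (1 << 4) | (1 << 3) | (1 << 1) | 1,
    128: (1 << 128) | (1 << 7) | (1 << 2) | (1 << 1) | 1,
    256: (1 << 256) | (1 << 10) | (1 << 5) | (1 << 2) | 1,
}


def gf_add(a, b):
    """Addition in GF(2^n) is bitwise XOR of the n-bit strings."""
    return a ^ b


def mul_u(a, n=128):
    """Multiply a in GF(2^n) by u.

    Shifting left by one bit multiplies a(u) by u; if that produces a u^n term,
    XORing f(u) removes it and adds back u^n mod f(u) (the low-degree tail of f,
    e.g. u^7 + u^2 + u + 1 = 0x87 for n = 128), which is exactly the reduction.
    """
    f = IRREDUCIBLE[n]
    a <<= 1
    if (a >> n) & 1:
        a ^= f
    return a


def gf_mul(a, b, n=128):
    """General multiplication: a(u) * b(u) with GF(2) coefficients, reduced mod f(u).

    Shift-and-add: walk the bits of b; whenever bit i of b is set, add (XOR)
    a * u^i, where a * u^i is maintained incrementally with mul_u.
    """
    assert 0 <= a < (1 << n) and 0 <= b < (1 << n)
    result = 0
    while b:
        if b & 1:
            result = gf_add(result, a)
        a = mul_u(a, n)
        b >>= 1
    return result


def doubling_agrees(a, n=128):
    """Cross-check: multiplying by u via mul_u equals gf_mul(a, u) with u = 0b10."""
    return mul_u(a, n) == gf_mul(a, 2, n)


if __name__ == "__main__":
    SAMPLE = 0x2B7E151628AED2A6ABF7158809CF4F3C   # constructed sample point of GF(2^128)
    print(hex(mul_u(SAMPLE)))
    print(doubling_agrees(SAMPLE))
```

The conditional XOR in `mul_u` is the whole cost of the reduction, which is why the appendix singles out multiplication by $u$ as particularly easy: a left shift, a test of the bit that fell off the top, and one XOR with the tail of $f(u)$.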
