Stronger Security Bounds for OMAC, TMAC and XCBC

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Stronger Security Bounds for OMAC, TMAC and XCBC"

Transcription

1 Stronger Security Bounds for OMAC, MAC and XCBC etsu Iwata Kaoru Kurosawa Department of Computer and Information Sciences, Ibaraki University Nakanarusawa, Hitachi, Ibaraki , Japan {iwata, April 30, 003 Abstract. OMAC, MAC and XCBC are CBC-type MAC schemes which are provably secure for arbitrary message length. In this paper, we present a more tight upper bound on Adv mac for each scheme, where Adv mac denotes the maximum success (forgery) probability of adversaries. Our bounds are expressed in terms of the total length of all queries of an adversary to the MAC generation oracle while the previous bounds are expressed in terms of the maximum length of each query. In particular, a significant improvement occurs if the lengths of queries are heavily unbalanced. Key words: OMAC, MAC, XCBC, modes of operation, block cipher, provable security.

2 Contents 1 Introduction Background Our Contribution Our Collision Bound Preliminaries 4.1 Notation CBC MAC XCBC, MAC and OMAC XCBC MAC-family and MAC OMAC-family, OMAC1 and OMAC Stronger Security Bounds Definitions of Security heorem Statements Proof for OMAC-family Q 1,...,Q 6 and MOMAC [8] MOMAC is Pseudorandom From MOMAC to OMAC-family Proof of Main Lemma for OMAC-family Proof for MAC-family Q 1,Q,Q 3 [9] and FCBC [3] FCBC is Pseudorandom From FCBC to MAC-family Proof of Main Lemma for MAC-family Proof for XCBC Q 1,Q,Q From FCBC to XCBC Proof of Main Lemma for XCBC eferences 6 A he Field with Ò Points 7

3 1 Introduction 1.1 Background he CBC MAC [5, 7] is a well-known method to generate a message authentication code (MAC) based on a block cipher E. We denote the CBC MAC value of a message M by CBC K (M), where K is the key of E. While Bellare, Kilian, and ogaway proved that the CBC MAC is secure for fixed length messages [1], it is not secure for variable length messages. herefore, several variants of CBC MAC have been proposed which are provably secure for variable length messages. hey include EMAC, XCBC, MAC and then OMAC. EMAC (Encrypted MAC) is obtained by encrypting CBC K1 (M) bye again with a new key K []. hat is, EMAC K1,K (M) =E K (CBC K1 (M)). Petrank and ackoff proved that EMAC is secure if the message length is a multiple of n, where n is the block length of E [1]. For arbitrary length messages, we can simply append the minimal 10 i to a message M so that the length is a multiple of n. In this method, however, we must append an entire extra block 10 n 1 if the size of the message is already a multiple of n. his is a wasting of one block cipher invocation. Black and ogaway next proposed XCBC to solve the above problem [3]. XCBC takes three keys: K 1 for E, and K and K 3. In XCBC, we do not append 10 n 1 if the size of the message is already a multiple of n. Only if this is not the case, we append the minimal 10 i. In order to distinguish them, K or K 3 is XOed before encrypting the last block. XCBC is now described as follows (see Fig. 1). If M = mn for some m>0, then XCBC computes exactly the same as the CBC MAC, except for XOing an n-bit key K before encrypting the last block. Otherwise, 10 i padding (i = n M 1modn) is appended to M and XCBC computes exactly the same as the CBC MAC for the padded message, except for XOing another n-bit key K 3 before encrypting the last block. M[1] K 1 E K 1 M[] M[3] M[1] M[] M[3] 10 } {{ i } K E K 1 E K 1 E K 1 E K 1 E Fig. 1. Illustration of XCBC. K3 Kurosawa and Iwata then proposed MAC which requires two keys, K 1 and K [9]. MAC is obtained from XCBC by replacing (K,K 3 ) with (K u,k ), where u is some non-zero constant and denotes multiplication in GF( n ). Finally, Iwata and Kurosawa proposed OMAC which requires only one key K of the block cipher E [8]. OMAC is a generic name for OMAC1 and OMAC. Let L = E K (0 n ). hen 1

4 able 1. Comparison of the key lengths. XCBC [3] MAC [9] OMAC [8] key length (k + n) bits (k + n) bits k bits OMAC1 is obtained by replacing (K,K 3 ) with (L u,l u ) in XCBC. Similarly, OMAC is obtained from XCBC by replacing (K,K 3 ) with (L u,l u 1 ). See able 1 for the comparison of the key lengths, where k denotes the key length of E. 1. Our Contribution XCBC, MAC and OMAC are all provably secure against chosen message attack. Indeed, the authors showed an upper bound on Adv mac for each scheme, where Adv mac denotes the maximum success (forgery) probability of adversaries. In this paper, we present a more tight upper bound on Adv mac for each scheme by using a more specific parameter. Consider adversaries who run in time at most t and query at most q messages to the MAC generation oracle. 1. he previous bounds are expressed in terms of the maximum length of each query.. Our bounds are expressed in terms of the total length of all queries. More precisely, 1. able shows the previous bounds on Adv mac F (t, q, m) which is defined as the maximum forgery probability of adversaries such that each query is at most m blocks, where 1 block is n bits, and. able 3 shows our bounds on Adv mac F (t, q, σ) which is defined as the maximum forgery probability of adversaries such that the total length of all queries are at most σ blocks, where F is XCBC, MAC or OMAC and n is the block length of the underlying block cipher E. In these tables, Adv prp E (t,q ) is the the maximum distinguishing probability between the block cipher E and a randomly chosen permutation, where the maximum is over all adversaries who run in time at most t and make at most q queries. able. Previous security bounds of XCBC, MAC and OMAC. Name Security Bound XCBC Adv mac XCBC (t, q, m) (4m +1)q +1 n +3 Adv prp E (t,q ), [3, Corollary ] where t = t + O(mq) and q = mq. MAC Adv mac MAC (t, q, m) (3m +1)q +1 n + Adv prp E (t,q ), [9, heorem 5.1] where t = t + O(mq) and q = mq. OMAC Adv mac OMAC (t, q, m) (5m +1)q +1 n + Adv prp E (t,q ), [8, heorem 5.1] where t = t + O(mq) and q = mq +1. In general, σ mq, where σ is the total block length of all queries, q is the number of queries, and m is the the maximum block length among all queries.

5 able 3. Security bounds of XCBC, MAC and OMAC obtained in this paper. Name Security Bound XCBC Adv mac XCBC (t, q, σ) 3σ +1 n + Adv prp E (t,q ), MAC OMAC where t = t + O(σ) and q = σ. Adv mac MAC (t, q, σ) 3σ +1 n + Adv prp E (t,q ), where t = t + O(σ) and q = σ. Adv mac OMAC (t, q, σ) 4σ +1 n + Adv prp E (t,q ), where t = t + O(σ) and q = σ +1. A significant improvement occurs if all queries are very short (say, 1 block) except for one very long query (m blocks). For example, suppose that n = 64 (for example, riple DES [4]), m = 16 and q = It is easy to see that σ = = 17. In this case, our bounds shown in able 3 are still meaningful while the previous bounds shown in able are useless because they become larger than one. 1.3 Our Collision Bound o show our security bounds, we derive upper bounds on some collision probabilities. For q distinct messages M (1),...,M (q) such that each M (i) is a multiple of n, let σ = M (1) + + M (q). For XCBC and MAC, we consider a collision such that CBC P (M (i) ) = CBC P (M (j) ) for some i j, where CBC P denotes the CBC MAC with a randomly chosen permutation P as the underlying block cipher E. We then prove that Pr(1 i< j q, CBC P (M (i) ) = CBC P (M (j) )) σ n for any M (1),...,M (q). It is formally stated in Lemma 5. and proved in Sec. 5.. For OMAC, we consider MOMAC-E, a variant of the CBC MAC, as follows. Let a message be M = M[1] M[] M[m], where M[1] = M[] = = M[m] = n and m. Let P 1 and P be two independent randomly chosen permutations. hen 1. Let Y [1] = P 1 (M[1]). For i =,...,m 1, compute Y [i] =P (M[i] Y [i 1]) 3. Finally define MOMAC-E P1,P (M) =M[m] Y [m 1]. We show that Pr(1 i< j q, MOMAC-E P1,P (M (i) ) = MOMAC-E P1,P (M (j) )) It is formally stated in Lemma 4. and proved in Sec. 4.. (σ q) n. 3

6 Preliminaries.1 Notation For a set A, x A means that x is chosen from A uniformly at random. If a, b {0, 1} are equal-length strings then a b is their bitwise XO. If a, b {0, 1} are strings then a b denote their concatenation. For simplicity, we sometimes write ab for a b if there is no confusion. For an n-bit string a = a n 1 a 1 a 0 {0, 1} n, let a < 1=a n a 1 a 0 0 denote the n-bit string which is a left shift of a by 1 bit, while a > 1=0a n 1 a a 1 denote the n-bit string which is a right shift of a by 1 bit. If a {0, 1} is a string then a denotes its length in bits. For any bit string a {0, 1} such that a n, we let pad n (a) = { a10 n a 1 if a <n, a if a = n. (1) Define a n = max{1, a /n }, where the empty string counts as one block. In pseudocode, we write Partition M into M[1] M[m] as shorthand for Let m = M n, and let M[1],...,M[m] be bit strings such that M[1] M[m] =M and M[i] = n for 1 i<m.. CBC MAC A block cipher E is a function E : K E {0, 1} n {0, 1} n, where K E is the set of keys and E(K, ) =E K ( ) is a permutation on {0, 1} n. n is called the block length of E. he CBC MAC [5, 7] is the simplest and most well-known MAC scheme based on block ciphers E. For a message M = M[1] M[] M[m] such that M[1] = M[] = = M[m] = n, let Y [0] = 0 n and Y [i] =E K (M[i] Y [i 1]) for i =1,...,m. hen the CBC MAC of M under key K is defined as CBC K (M) =Y [m]. Bellare, Kilian, and ogaway proved that the CBC MAC is secure for fixed length messages [1]. However, it is well known that CBC MAC is not secure for variable length messages..3 XCBC, MAC and OMAC XCBC, MAC and OMAC are CBC-type MAC schemes which are provably secure for arbitrary message length. Each scheme takes a message M {0, 1} and produces a tag in {0, 1} n. Each scheme is defined by using a block cipher E : K E {0, 1} n {0, 1} n. 4

7 Algorithm XCBC K1,K,K 3 (M) Y [0] 0 n Partition M into M[1] M[m] for i 1 to m 1 do X[i] M[i] Y [i 1] Y [i] E K1 (X[i]) X[m] pad n (M[m]) Y [m 1] if M[m] = n then X[m] X[m] K else X[m] X[m] K 3 E K1 (X[m]) return Fig.. Definition of XCBC..3.1 XCBC XCBC takes three keys (K 1,K,K 3 ) K E {0, 1} n {0, 1} n. he algorithm of XCBC is described in Fig. and illustrated in Fig. 1, where pad n ( ) is defined in (1)..3. MAC-family and MAC MAC takes two keys (K 1,K ) K E {0, 1} n. In general, MAC-family is defined by not only a block cipher E but also (1) a universal hash function H : K H X {0, 1} n where K H is the set of keys and X is the domain and () two distinct constants Cst 1, Cst X. hey must satisfy the following three conditions for sufficiently small ɛ 1,ɛ,ɛ 3. (We write H K ( ) for H(K, ).) 1. y {0, 1} n,#{k K H H K (Cst 1 )=y} ɛ 1 #K H. y {0, 1} n,#{k K H H K (Cst )=y} ɛ #K H 3. y {0, 1} n,#{k K H H K (Cst 1 ) H K (Cst )=y} ɛ 3 #K H he algorithm of MAC-family is described in Fig. 3 and illustrated in Fig. 4. MAC is obtained by letting K H = {0, 1} n, H K (x) =K x, Cst 1 = u and Cst = 1, where denotes multiplication over GF( n ) (See Appendix A for details). Equivalently, MAC is obtained by letting H K (Cst 1 )=K u and H K (Cst )=K. he above three conditions are satisfied with ɛ 1 = ɛ = ɛ 3 = n..3.3 OMAC-family, OMAC1 and OMAC OMAC is a generic name for OMAC1 and OMAC, where OMAC1 and OMAC take just one key K K E. In general, OMAC-family is defined by not only a block cipher E but also (1) a universal hash function H : {0, 1} n X {0, 1} n 5

8 M[1] K 1 E K 1 Algorithm MAC-family K1,K (M) Y [0] 0 n Partition M into M[1] M[m] for i 1 to m 1 do X[i] M[i] Y [i 1] Y [i] E K1 (X[i]) X[m] pad n (M[m]) Y [m 1] if M[m] = n then X[m] X[m] H K (Cst 1 ) else X[m] X[m] H K (Cst ) E K1 (X[m]) return M[] Fig. 3. Definition of MAC-family. M[3] M[1] M[] HK (Cst 1 ) E K 1 E K 1 E K 1 E K 1 E Fig. 4. Illustration of MAC-family. M[3] 10 } {{ i } HK (Cst ) where X is the domain, () two distinct constants Cst 1, Cst X and (3) an arbitrary n-bit constant Cst {0, 1} n. (he set of keys of H is {0, 1} n.) hey must satisfy the following six conditions for sufficiently small ɛ 1,ɛ,...,ɛ y {0, 1} n,#{l {0, 1} n H L (Cst 1 )=y} ɛ 1 n. y {0, 1} n,#{l {0, 1} n H L (Cst )=y} ɛ n 3. y {0, 1} n,#{l {0, 1} n H L (Cst 1 ) H L (Cst )=y} ɛ 3 n 4. y {0, 1} n,#{l {0, 1} n H L (Cst 1 ) L = y} ɛ 4 n 5. y {0, 1} n,#{l {0, 1} n H L (Cst ) L = y} ɛ 5 n 6. y {0, 1} n,#{l {0, 1} n H L (Cst 1 ) H L (Cst ) L = y} ɛ 6 n he algorithm of OMAC-family is described in Fig. 5 and illustrated in Fig. 6. OMAC1 is obtained by letting Cst =0 n, H L (x) =L x, Cst 1 = u and Cst = u, where denotes multiplication over GF( n ). Equivalently, OMAC1 is obtained by letting L = E K (0 n ), H L (Cst 1 )=L u and H L (Cst )=L u. OMAC is the same as OMAC1 except for Cst = u 1. Equivalently, OMAC is obtained by letting L = E K (0 n ), H L (Cst 1 )=L u and H L (Cst )=L u 1. he above six conditions are satisfied with ɛ 1 = = ɛ 6 = n for both OMAC1 and OMAC. 6

9 M[1] K E Algorithm OMAC-family K (M) L E K (Cst) Y [0] 0 n Partition M into M[1] M[m] for i 1 to m 1 do X[i] M[i] Y [i 1] Y [i] E K (X[i]) X[m] pad n (M[m]) Y [m 1] if M[m] = n then X[m] X[m] H L (Cst 1 ) else X[m] X[m] H L (Cst ) E K (X[m]) return M[] Fig. 5. Definition of OMAC-family. M[3] M[1] M[] HL (Cst 1 ) K E K E K E K E K E Fig. 6. Illustration of OMAC-family. M[3] 10 } {{ i } HL (Cst ) 3 Stronger Security Bounds 3.1 Definitions of Security Our definitions follow from [1, 6, 11]. Let Perm(n) denote the set of all permutations on {0, 1} n. We say that P is a random permutation if P is randomly chosen from Perm(n). he security of a block cipher E can be quantified as Adv prp E (t, q), the maximum advantage that an adversary A can obtain when trying to distinguish E K ( ) (with a randomly chosen key K) from a random permutation P ( ), where the maximum is over all adversaries who run in time at most t, and make at most q queries to an oracle (which is either E K ( ) orp ( )). his advantage is defined as follows. Adv prp def E (A) = Pr(K K E : A EK( ) =1) Pr(P Perm(n) :A P ( ) =1) Adv prp def { E (t, q) = max Adv prp E (A)} A We say that a block cipher E is secure if Adv prp E (t, q) is sufficiently small (prp stands for Pseudoandom Permutation). Similarly, a MAC algorithm is a map F : K F {0, 1} {0, 1} n, where K F is a set of keys and we write F K ( ) for F (K, ). We say that an adversary A FK( ) forges if A outputs (M,F K (M)) where A never queried M to its oracle F K ( ). hen we define the advantage as Adv mac def F (A) =Pr(K K F : A FK( ) forges) Adv mac F (t, q, σ) def = max A {Advmac F (A)} where the maximum is over all adversaries who run in time at most t, and make at most q queries, having aggregate length of at most σ blocks, where the aggregate length of q queries 7

10 M (1),...,M (q) is σ = 1 i q M (i) n. We say that a MAC algorithm is secure if Adv mac F (t, q, σ) is sufficiently small. Let and(,n) denote the set of all functions from {0, 1} to {0, 1} n. his set is given a probability measure by asserting that a random element of and(,n) associates to each string M {0, 1} a random string (M) {0, 1} n. hen we define the advantage as Adv viprf F (A) def = Pr(K K F : A FK( ) =1) Pr( and(,n):a ( ) =1) Adv viprf F (t, q, σ) def { } = max Adv viprf F (A) A where the maximum is over all adversaries who run in time at most t, make at most q queries, having aggregate length of at most σ blocks. We say that a MAC algorithm is pseudorandom if Adv viprf F (t, q, σ) is sufficiently small (viprf stands for Variable-length Input Pseudoandom Function). Without loss of generality, adversaries are assumed to never ask a query outside the domain of the oracle, and to never repeat a query. 3. heorem Statements We first prove that OMAC-family, MAC-family and XCBC are pseudorandom if the underlying block cipher is a random permutation P (information-theoretic result). Lemma 3.1 (Main Lemma for OMAC-family) Suppose that H, Cst 1 and Cst satisfy the conditions in Sec..3.3 for some sufficiently small ɛ 1,...,ɛ 6, and let Cst be an arbitrarily n-bit constant. Suppose that a random permutation P Perm(n) is used in OMAC-family as the underlying block cipher. Let A be an adversary which asks at most q queries, having aggregate length of at most σ blocks. Assume σ n /. hen where ɛ = max{ɛ 1,...,ɛ 6 }. Pr(P Perm(n) :A OMAC-family P ( ) =1) Pr( and(,n):a ( ) =1) σ ( 5 n +3ɛ ) Lemma 3. (Main Lemma for MAC-family) Suppose that H, Cst 1 and Cst satisfy the conditions in Sec..3. for some sufficiently small ɛ 1,ɛ,ɛ 3. Suppose that a random permutation P Perm(n) is used in MAC-family as the underlying block cipher. Let A be an adversary which asks at most q queries, having aggregate length of at most σ blocks. Assume σ n /. hen Pr(P Perm(n),K KH : A MAC-family P,K ( ) =1), () where ɛ = max{ɛ 1,ɛ,ɛ 3 }. Pr( and(,n):a ( ) =1) σ ( 5 n + ɛ ), (3) Lemma 3.3 (Main Lemma for XCBC) Suppose that a random permutation P Perm(n) is used in XCBC as the underlying block cipher. Let A be an adversary which asks at most q queries, having aggregate length of at most σ blocks. Assume σ n /. hen Pr(P Perm(n),K,K 3 {0, 1} n : A XCBC P,K,K ( ) 3 =1) Pr( and(,n):a ( ) =1) 3σ (4) n. 8

11 Proofs are given in Sec. 4, Sec. 5, and Sec. 6, respectively. Given the above three lemmas, it is standard to pass to the following complexity-theoretic result (For example, see [1, Section 3.]). It shows that OMAC, MAC and XCBC are pseudorandom if the underlying block cipher is secure. Corollary 3.1 Let E : K E {0, 1} n {0, 1} n be the underlying block cipher used in OMAC, MAC and XCBC. hen Adv viprf 4σ OMAC (t, q, σ) n + Advprp E (t,q ), where t = t + O(σ) and q = σ +1, Adv viprf 3σ MAC (t, q, σ) n + Advprp E (t,q ), where t = t + O(σ) and q = σ, and Adv viprf 3σ XCBC (t, q, σ) n + Advprp E (t,q ), where t = t + O(σ) and q = σ. Finally, we obtain the following theorem in the usual way (For example, see [1, Proposition.7]). It shows that OMAC, MAC and XCBC are secure as MACs if the underlying block cipher is secure. heorem 3.1 Let E : K E {0, 1} n {0, 1} n be the underlying block cipher used in OMAC, MAC and XCBC. hen Adv mac OMAC (t, q, σ) 4σ +1 n + Adv prp E (t,q ), where t = t + O(σ) and q = σ +1, Adv mac MAC (t, q, σ) 3σ +1 n + Adv prp E (t,q ), where t = t + O(σ) and q = σ, and Adv mac XCBC (t, q, σ) 3σ +1 n + Adv prp E (t,q ), where t = t + O(σ) and q = σ. 4 Proof for OMAC-family 4.1 Q 1,...,Q 6 and MOMAC [8] Let H, Cst 1 and Cst satisfy the conditions in Sec..3.3 for some sufficiently small ɛ 1,...,ɛ 6, and Cst be an arbitrarily n-bit constant. For a random permutation P Perm(n) and a random n-bit string nd {0, 1} n, define Q 1 (x) def = P (x) nd, Q (x) def = P (x nd) nd, Q 3 (x) def = P (x nd H L (Cst 1 )), Q 4 (x) def = P (x nd H L (Cst )), Q 5 (x) def = P (x H L (Cst 1 )) and Q 6 (x) def = P (x H L (Cst )), where L = P (Cst). he following proposition shows that Q 1 ( ), Q ( ), Q 3 ( ), Q 4 ( ), Q 5 ( ), Q 6 ( ) are indistinguishable from a pair of six independent random permutations P 1 ( ), P ( ), P 3 ( ), P 4 ( ), P 5 ( ), P 6 ( ). Proposition 4.1 Let A be an adversary which asks at most q queries in total. hen Pr(P Perm(n); nd {0, 1} n : A Q 1( ),...,Q 6 ( ) =1) ( ) Pr(P 1,...,P 6 Perm(n) :A P 1 ( ),...,P 6 ( ) =1) 3q 1 n + ɛ, where ɛ = max{ɛ 1,...,ɛ 6 }. (5) 9

12 Algorithm MOMAC P1,P,P 3,P 4,P 5,P 6 (M) Partition M into M[1] M[m] if m then X[1] M[1] Y [1] P 1 (X[1]) for i to m 1 do X[i] M[i] Y [i 1] Y [i] P (X[i]) X[m] pad n (M[m]) Y [m 1] if M[m] = n then P 3 (X[m]) else P 4 (X[m]) if m =1then X[m] pad n (M[m]) if M[m] = n then P 5 (X[m]) else P 6 (X[m]) return Fig. 7. Definition of MOMAC. M[1] P 1 M[] P M[3] P 3 M[1] P 1 M[] P M[3] 10 } {{ i } P 4 Fig. 8. Illustration of MOMAC for M >n. M P 5 M 10 } {{ i } P 6 Fig. 9. Illustration of MOMAC for M n. A proof is given in [8]. Next, we recall MOMAC (Modified OMAC) [8]. It uses six independent random permutations P 1,P,P 3,P 4,P 5,P 6 Perm(n). he algorithm MOMAC P1,...,P 6 ( ) is described in Fig. 7 and illustrated in Fig. 8 and Fig MOMAC is Pseudorandom We prove that MOMAC is pseudorandom (information-theoretic result). Lemma 4.1 Let A be an adversary which asks at most q queries, having aggregate length of at most σ blocks. Assume σ n /. hen Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1) Pr( and(,n):a ( ) =1) σ n. o prove Lemma 4.1, we first define MOMAC-E (MOMAC without final encryption). It takes a message M such that M = mn for some m. It is obtained from MOMAC by 10

13 removing the final encryption, that is, it uses two independent random permutations P 1,P Perm(n). More precisely, the algorithm MOMAC-E P1,P ( ) is described in Fig. 10. Algorithm MOMAC-E P1,P (M) Partition M into M[1] M[m] X[1] M[1] Y [1] P 1 (X[1]) for i to m 1 do X[i] M[i] Y [i 1] Y [i] P (X[i]) X[m] M[m] Y [m 1] return X[m] Fig. 10. Definition of MOMAC-E. Note that M = mn for some m. We first show the following lemma. Lemma 4. (MOMAC-E Collision Bound) Let q, m 1,...,m q and σ be integers such that m i, σ = m m q, and σ n /. LetM (1),...,M (q) be fixed and distinct bit strings such that M (i) = m i n. hen the probability of collision, Pr(P 1,P Perm(n) :1 i< j q, MOMAC-E P1,P (M (i) )=MOMAC-E P1,P (M (j) )) is at most (σ q) n. Proof. We view the computation of MOMAC-E P1,P (M (i) ) as playing the game given in Fig. 11. In Fig. 11, M (i) [1] M (i) [m i ] is a partition of M (i). We initially set each range point of P 1 and P as undefined. he notation Domain(P i ) denotes the set of points x where P i (x) is no longer undefined. We use ange(p i ) to denote the set of points P i (x) which are no longer undefined. We use ange(p i ) to denote {0, 1} n \ ange(p i ). During the game, the X (i) [j] are those values produced after XOing with the current message block M (i) [j], Y (i) [1] values are P 1 (X (i) [1]) and, for j, Y (i) [j] values are P (X (i) [j]). he game has two parts: computation of X (1) [],...,X (q) [] (line 11 3) and computation of X (1) [m 1 ],...,X (q) [m q ] (line 31 45). We examine the probability that P 1 and P cause a collision, which will occur in our game if and only if X (i) [m i ]=X (j) [m j ] for some 1 i<j q. his condition will set bad 1 or bad to true. However, we set bad i to true in many other cases in order to simplify the analysis. he idea behind the variable bad i is as follows: throughout the game (line 13 and 35), we randomly choose a range value for P 1 and P at some undefined domain point. Since P 1 and P have not yet been determined at this point, the choice of our range value will be an independent uniform selection: there is no dependence on any prior choice. If the range value for P i were already determined by some earlier choice, the analysis would become more involved. We avoid the latter condition by setting bad i to true whenever such interdependencies are detected. he detection mechanism works as follows: throughout the processing of M (1),...,M (q), we will require P 1 be evaluated at q domain point X (1) [1],...,X (q) [1] and P be evaluated at σ q domain point X (1) [],...,X (1) [m 1 ],...,X (q) [],...,X (q) [m q ] (ignoring duplications due to any common prefix of M (1),...,M (q) ), we can rest assured that we are free to assign their 11

14 Initialization: 1: for i 1 to q do X (i) [1] M (i) [1]; : for all x {0, 1} n do P 1 (x),p (x) undefined; 3: bad 1, bad false; BAD ; Computation of X (1) [],...,X (q) []: 11: for i 1 to q do 1: if X (i) [1] Domain(P 1 ) then 13: Y (i) [1] ange(p 1 ); 14: P 1 (X (i) [1]) Y (i) [1]; 15: X (i) [] Y (i) [1] M (i) []; 16: BAD {X (i) []}; 17: Index {k i +1 k q and X (i) [1] = X (k) [1]}; 18: for all k Index do 19: Y (k) [1] Y (i) [1]; 0: X (k) [] Y (k) [1] M (k) []; 1: BAD BAD {X (k) []}; : if BAD BAD then bad 1 true; 3: else BAD BAD BAD; Computation of X (1) [m 1 ],...,X (q) [m q ]: 31: for j to σ do 3: for i 1 to q do 33: if j<m i then 34: if X (i) [j] Domain(P ) then 35: Y (i) [j] ange(p ); 36: P (X (i) [j]) Y (i) [j]; 37: X (i) [j +1] Y (i) [j] M (i) [j +1]; 38: BAD {X (i) [j +1]}; 39: Index {k i +1 k q, j<m k and X (i) [j] =X (k) [j]}; 40: for all k Index do 41: Y (k) [j] Y (i) [j]; 4: X (k) [j +1] Y (k) [j] M (k) [j +1]; 43: BAD BAD {X (k) [j +1]}; 44: if BAD BAD then bad true; 45: else BAD BAD BAD; Fig. 11. Game used in the proof of Lemma 4.. 1

15 corresponding range points without constraint. We maintain a set BAD to track which domain points of P have already been determined. Next we begin randomly choosing range points for X (i) [j]; if any such choice leads to a value already contained in BAD, we set bad i to true. Note that the choice of Y (i) [j] for X (i) [j] may automatically determines some other Y (k) [j] for X (k) [j] due to common prefix of M (1),...,M (q). We maintain sets Index and BAD to track such points. We now bound the probability of the event that bad 1 true and bad true by analyzing our game. Bounding the probability of bad 1 true. In line, it is required that some Y (i) [1] was selected in line 13 such that Y (i) [1] M (i) [] BAD, ory (i) [1] M (k) [] BAD for some k Index. he set BAD begins with the empty set and then grows by the number of points in BAD with each random choice of Y (i) [1]. Now, suppose that for the t-th process of line 13, the corresponding BAD after line 1 has l t points, assuming that bad 1 is false for the first t 1 process of line 13. Define V (t) def = Pr (bad 1 true at the t-th choice of Y (i) [1] bad 1 is false before choosing Y (i) [1]), line 13 where Pr ( ) shows that the probability is taken over the random choice in line 13. hen we line 13 have V (t) = (l l t 1 )l t n, (t 1) since P 1 has n (t 1) undefined domain points, BAD has (l l t 1 ) points, and BAD has l t points. Also, suppose that line 11 3 terminates after s process of line 13. hen we have Pr (bad 1 true) V (t) = (l l t 1 )l t line 13 1 t s 1 t s n. (t 1) Now we can bound the above by 1 t s (l l t 1 )l t n (t 1) n 1 t s (l l t 1 )l t = n l 0 l1 l s l 0 n, where l 0 def = l l s. he first inequality follows since s is at most q, which is at most n /. Bounding the probability of bad true. Next, in line 44, it is required that some Y (i) [j] was selected in line 35 such that Y (i) [j] M (i) [j +1] BAD, ory (i) [j] M (k) [j +1] BAD for some k Index. he set BAD begins with l 0 points. It grows by the number of points in BAD with each random choice of Y (i) [j]. Now, suppose that for the t -th process of line 35, the corresponding BAD after line 43 has l t points, assuming that bad is false for the first t 1 process of line 35. Define V (t ) def = Pr (bad true at the t -th choice of Y (i) [j] bad is false before choosing Y (i) [j]), line 35 where Pr ( ) shows that the probability is taken over the random choice in line 35. hen we line 35 have V (t )= (l 0 + l l t 1 )l t n (t, 1) 13

16 since P has n (t 1) undefined domain points, BAD has (l 0 + l l t 1 ) points, and BAD has l t points. Also, suppose that the game terminates after s process of line 35. hen we have Pr (bad true) line 35 1 t s V (t )= (l 0 + l l t 1 )l t n (t 1) 1 t s. Now we can bound the above by (l 0 + l l t 1 )l t n (t 1) 1 t s n (l 0 + l l t 1 )l t (σ q) l 0 n, 1 t s where the first inequality follows since s is at most σ, which is at most n /, and the second inequality follows since σ q l 0 + l l s and (l 0 + l l t 1)l t (σ q) l 0 l 1 l s 1 t s (σ q) l 0. Completing the Proof. Finally, we obtain the stated bound since Pr (bad 1 true)+ line 13 Pr (bad true) l 0 line 35 n + (σ q) l 0 n = (σ q) n. Q.E.D. We next consider the following four sets. def D 1 = {M M {0, 1}, n< M and M is a multiple of n} def D = {M M {0, 1}, n< M and M is not a multiple of n} def D 3 = {M M {0, 1} and M = n} def D 4 = {M M {0, 1} and M <n} We show the following lemma. Lemma 4.3 Let q 1,q,q 3,q 4 be four non-negative integers. For 1 i 4, let M (1) i,...,m (q i) i be fixed bit strings such that M (j) i D i for 1 j q i and {M (1) i,...,m (q i) i } are distinct. Similarly, for 1 i 4, let (1) i,..., (q i) i be fixed n-bit strings such that { (1) i,..., (q i) i } are distinct. hen the number of P 1,...,P 6 Perm(n) such that ( is at least {( n )!} 6 1 (σ q) σ = σ σ 4. MOMAC P1,...,P 6 (M (i) (i) 1 )= MOMAC P1,...,P 6 (M (i) MOMAC P1,...,P 6 (M (i) 3 MOMAC P1,...,P 6 (M (i) 4 n ) (i) )= (i) )= (i) )= 1 for 1 i q 1, for 1 i q, 3 for 1 i q 3 and 4 for 1 i q 4 1 qn, where q = q q 4, σ i = 1 j q i M (j) i n and (6) 14

17 Proof. We first consider M (1) 1,...,M(q 1) 1. he number of (P 1,P ) such that MOMAC-E P1,P (M (i) 1 ) = MOMAC-E P 1,P (M (j) 1 ) for 1 i< j q 1 is at most {( n )!} (σ 1 q 1 ) from Lemma 4.. n We next consider M (1),...,M(q ). Let M (i) denote the padded message of M (i). hen the number of (P 1,P ) such that MOMAC-E P1,P (M (i) ) = MOMAC-EP1,P (M (j) ) for 1 i< j q is at most {( n )!} (σ q ) from Lemma 4.. n herefore, we have at least ( {( n )!} 1 (σ 1 q 1 ) n (σ ) q ) n choice of (P 1,P ) such that { MOMAC-EP1,P (M (i) 1 ) MOMAC-E P 1,P (M (j) 1 ) for 1 i< j q 1 and MOMAC-E P1,P (M (i) ) MOMAC-E P1,P (M (j) ) for 1 i< j q (7) We fix any (P 1,P ) which satisfies (7). Now P 1 and P are fixed in such a way that the inputs to P 3 are distinct and the inputs to P 4 are distinct. Also, the corresponding outputs { (1) 1,..., (q 1) 1 } are distinct, and { (1),..., (q ) } are distinct. We know that the inputs to P 5 are distinct, and the corresponding outputs { (1) 3,..., (q 3) 3 } are distinct. Also, the inputs to P 6 are distinct, and and the corresponding outputs { (1) 4,..., (q 4) 4 } are distinct. herefore, we have at least ( ) {( n )!} ( n q 1 )! ( n q )! ( n q 3 )! ( n q 4 )! 1 (σ 1 q 1 ) n (σ q ) n ( ) choice of P 1,...,P 6 which satisfies (6). his bound is at least {( n )!} 6 1 (σ q) 1 n since qn (σ q) (σ 1 q 1 ) +(σ q ) and ( n q i )! (n )! q i. n his concludes the proof of the lemma. Q.E.D. We now prove Lemma 4.1. Proof (of Lemma 4.1). Let O be either MOMAC P1,...,P 6 or. Since A is computationally unbounded, there is no loss of generality to assume that A is deterministic. Now for the query A makes to the oracle O, define the query-answer pair (M (i) j, (i) j ) D j {0, 1} n, where A s i-th query in D j was M (i) j D j and the answer it got was (i) j {0, 1} n. Suppose that we run A with the oracle. For this run, assume that A made q j queries in D j, where 1 j 4 and q q 4 = q. Also, for 1 i 4, let σ i = 1 j q i M (j) i n (therefore, q 3 = σ 3 and q 4 = σ 4 ). For this run, we define view v of A as v def = ( (1) 1,..., (q 1) 1 ), ( (1),..., (q ) ), ( (1) 3,..., (q 3) 3 ), ( (1) 4,..., (q (8) 4) 4 ). Since A is deterministic, the i-th query A makes is fully determined by the first i 1 queryanswer pairs. his implies that if we fix some qn-bit string V and return the i-th n-bit block as the answer for the i-th query A makes (instead of the oracle), then 15

18 A s queries are uniquely determined, q 1,...,q 4 are uniquely determined, σ 1,...,σ 4 are uniquely determined, the parsing of V into the format defined in (8) is uniquely determined, and the final output of A (0 or 1) is uniquely determined. Let V one be a set of all qn-bit strings V such that A outputs 1. We let N one def =#V one. Also, let V good be a set of all qn-bit strings V such that: For 1 i< j q, the i-th n-bit block of V the j-th n-bit block of V. Note that if V V good, then the corresponding parsing v of V satisfies that: { (1) 1,..., (q 1) 1 } are distinct, { (1),..., (q ) } are distinct, { (1) 3,..., (q 3) 3 } are distinct and { (1) 4,..., (q 4) 4 } are distinct. Now observe that the number of V which is not in the set V good is at most ( q) qn herefore, we have #{V V (V one V good )} N one n. ( ) q qn n. (9) Evaluation of p rand. We first evaluate p rand def =Pr( and(,n):a ( ) =1). hen it is not hard to see p rand = V Îone 1 qn = N one qn. Evaluation of p real. p real We next evaluate def = Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1) = #{(P 1,...,P 6 ) A MOMAC P 1,...,P ( ) 6 =1} {( n )!} 6. hen from Lemma 4.3, we have p real # {(P 1,...,P 6 ) (P 1,...,P 6 ) satisfying (6)} {( n )!} 6 V (Îone Î good ) ( ) (σ q) 1 1 n qn. V (Îone Î good ) 16

19 Completing the Proof. p real From (9) we have ( ( ) ) ( ) q qn (σ q) 1 N one n 1 n qn ( ( ) ) ( ) q 1 (σ q) = p rand n 1 n ( ) q 1 (σ q) p rand n n p rand q +(σ q) n p rand σ n. (10) Applying the same argument to 1 p real and 1 p rand yields that 1 p real 1 p rand σ n. (11) Finally, (10) and (11) give p real p rand σ. n Q.E.D. 4.3 From MOMAC to OMAC-family he next lemma shows that OMAC-family P ( ) and MOMAC P1,...,P 6 ( ) are indistinguishable. Lemma 4.4 Let A be an adversary which asks at most q queries, having aggregate length of at most σ blocks. Assume σ n /. hen Pr(P Perm(n) :A OMAC-family P ( ) =1) Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1) 3σ ( 1 n + ɛ ) Proof. We prove through a contradiction argument. Suppose that there exists an adversary A such that Pr(P Perm(n) :A OMAC-family P ( ) =1) ( ) Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1) > 3σ 1 n + ɛ. By using A, we show a construction of an adversary B A such that: B A asks at most σ queries, and Pr(P Perm(n) :B Q 1( ),...,Q 6 ( ) A =1) ( ) P Pr(P 1,...,P 6 Perm(n) :B 1 ( ),...,P 6 ( ) A =1) > 3σ 1 n + ɛ, which contradicts Proposition 4.1. Let O 1 ( ),...,O 6 ( ) beb A s oracles. he construction of B A is given in Fig. 1. When A asks M (r), then B A computes (r) = MOMAC O1,...,O 6 (M (r) ) as if the underlying random permutations are O 1,...,O 6, and returns (r). When A halts and outputs b, then B A outputs b. Now we see that:. 17

20 Algorithm B O 1,...,O 6 A 1: When A asks its r-th query M (r) : : (r) MOMAC O1,...,O 6 (M (r) ) 3: return (r) 4: When A halts and outputs b: 5: output b Fig. 1. Algorithm B A. Note that for 1 i 6, O i is either P i or Q i M[1] P nd M[] nd P M[3] nd H L (Cst 1 ) M[1] M[] M[3] 10 i } {{ } nd P P nd nd nd H L (Cst ) P P nd Fig. 13. Computation of B A when O i = Q i for 1 i 6, and M >n. M M 10 } {{ i } HL (Cst 1 ) HL (Cst ) P P Fig. 14. Computation of B A when O i = Q i for 1 i 6, and M n. B A asks at most σ queries to its oracles, since A asks at most q queries having aggregate length of at most σ blocks. Pr(P 1,...,P 6 Perm(n) :B P 1 ( ),...,P 6 ( ) A =1) = Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P 6 ( ) = 1), since B A gives A a perfect simulation of MOMAC P1,...,P 6 ( ) ifo i ( ) =P i ( ) for 1 i 6. Pr(P Perm(n) :B Q 1( ),...,Q 6 ( ) A =1) = Pr(P Perm(n) :A OMAC P ( ) = 1), since B A gives A a perfect simulation of OMAC P ( ) ifo i ( ) =Q i ( ) for 1 i 6. See Fig. 13 and Fig. 14. Note that nd is canceled in Fig. 13. his concludes the proof of the lemma. Q.E.D. 4.4 Proof of Main Lemma for OMAC-family We finally give a proof of Main Lemma for OMAC-family. Proof (of Lemma 3.1). By the triangle inequality, the left hand side of () is at most Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1) Pr( and(,n):a ( ) =1) (1) 18

21 + Pr(P Perm(n) :A OMAC-family P ( ) =1) Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1). (13) Lemma 4.1 gives us an upper bound on (1) and Lemma 4.4 gives us an upper bound on (13). herefore the bound follows since σ ( ) ( ) n + 3σ 1 n + ɛ = σ 5 n +3ɛ. his concludes the proof of the lemma. Q.E.D. 5 Proof for MAC-family 5.1 Q 1,Q,Q 3 [9] and FCBC [3] Let H, Cst 1 and Cst satisfy the conditions in Sec..3. for some sufficiently small ɛ 1,ɛ,ɛ 3. For a random permutation P Perm(n) and a random string K K H, define Q 1 (x) def = P (x), Q (x) def = P (x H K (Cst 1 )), Q 3 (x) def = P (x H K (Cst )). he following proposition shows that Q 1 ( ), Q ( ), Q 3 ( ) are indistinguishable from a pair of three independent random permutations P 1 ( ), P ( ), P 3 ( ). Proposition 5.1 Let A be an adversary which asks at most q queries in total. hen Pr(P Perm(n); K KH : A Q 1( ),Q ( ),Q 3 ( ) =1) ( ) Pr(P 1,P,P 3 Perm(n) :A P 1 ( ),P ( ),P 3 ( ) =1) q 1 n + ɛ, where ɛ = max{ɛ 1,ɛ,ɛ 3 }. A proof is given in [9]. Next we recall FCBC [3]. It uses three independent random permutations P 1,P,P 3 Perm(n). he algorithm FCBC P1,P,P 3 ( ) is described in Fig. 15 and illustrated in Fig FCBC is Pseudorandom We prove that FCBC is pseudorandom (information-theoretic result). Lemma 5.1 Let A be an adversary which asks at most q queries, having aggregate length of at most σ blocks. Assume σ n /. hen Pr(P 1,P,P 3 Perm(n) :A FCBC P1,P,P ( ) 3 =1) Pr( and(,n):a ( ) =1) σ n. o prove Lemma 5.1, we define CBC-E (CBC MAC without final encryption). It takes a message M such that M = mn for some m 1. It is obtained from the CBC MAC by removing the final encryption. More precisely, the algorithm CBC-E P ( ) is described in Fig. 17, where P Perm(n) is a random permutation. We first show the following lemma. (14) 19

22 Algorithm FCBC P1,P,P 3 (M) Y [0] 0 n Partition M into M[1] M[m] for i 1 to m 1 do X[i] M[i] Y [i 1] Y [i] P 1 (X[i]) X[m] pad n (M[m]) Y [m 1] if M[m] = n then P (X[m]) else P 3 (X[m]) return Fig. 15. Definition of FCBC. M[1] P 1 M[] P 1 M[3] P M[1] P 1 M[] P 1 M[3] 10 } {{ i } P 3 Fig. 16. Illustration of FCBC. Algorithm CBC-E P (M) Y [0] 0 n Partition M into M[1] M[m] for i 1 to m 1 do X[i] M[i] Y [i 1] Y [i] P (X[i]) X[m] M[m] Y [m 1] return X[m] Fig. 17. Definition of CBC-E. 0

23 Lemma 5. (CBC-E Collision Bound) Let q, m 1,...,m q and σ be integers such that m i 1, σ = m m q, and σ n /. Let M (1),...,M (q) be fixed and distinct bit strings such that M (i) = m i n. hen Pr(P Perm(n) :1 i< j q, CBC-E P (M (i) ) = CBC-E P (M (j) )) σ n. Proof. We view the computation of CBC-E P (M (i) ) as playing the game given in Fig. 18. Initialization: 1: for i 1 to q do X (i) [1] M (i) [1]; : for all x {0, 1} n do P (x) undefined; 3: bad false; BAD {X (1) [1],...,X (q) [q]}; Computation of X (1) [m 1 ],...,X (q) [m q ]: 11: for j 1 to σ do 1: for i 1 to q do 13: if j<m i then 14: if X (i) [j] Domain(P ) then 15: Y (i) [j] ange(p ); 16: P (X (i) [j]) Y (i) [j]; 17: X (i) [j +1] Y (i) [j] M (i) [j +1]; 18: BAD {X (i) [j +1]}; 19: Index {k i +1 k q, j<m k and X (i) [j] =X (k) [j]}; 0: for all k Index do 1: Y (k) [j] Y (i) [j]; : X (k) [j +1] Y (k) [j] M (k) [j +1]; 3: BAD BAD {X (k) [j +1]}; 4: if BAD BAD then bad true; 5: else BAD BAD BAD; Fig. 18. Game used in the proof of Lemma 5.. Similarly to the proof of Lemma 4., it is enough to bound the probability of the event that bad true. In line 4, it is required that some Y (i) [j] was selected in line 15 such that Y (i) [j] M (i) [j + 1] BAD, ory (i) [j] M (k) [j +1] BAD for some k Index. Suppose that the set BAD begins with l 0 points. hen it grows by the number of points in BAD with each random choice of Y (i) [j]. Now, suppose that for the t-th process of line 15, the corresponding BAD after line 3 has l t points, assuming that bad is false for the first t 1 process of line 15. Define V (t) def = Pr line 15 (bad true at the t-th choice of Y (i) [j] bad is false before choosing Y (i) [j]). hen we have V (t) = (l 0 + l l t 1 )l t n, (t 1) since P has n (t 1) undefined domain points, BAD has (l 0 + l l t 1 ) points, and BAD has l t points. 1

24 Also, suppose that the game terminates after s process of line 15. hen we have Pr (bad true) V (t) = (l 0 + l l t 1 )l t line 15 1 t s 1 t s n (t 1). Now we can bound the above by 1 t s (l 0 + l l t 1 )l t n (t 1) n 1 t s (l 0 + l l t 1 )l t σ n, where the first inequality follows since s is at most σ, which is at most n /, and the second inequality follows since σ l 0 + l l s and (l 0 + l l t 1 )l t σ l 0 l 1 l s 1 t s σ. Q.E.D. We next consider the following two sets. { def D1 = {M M {0, 1} and M is a positive multiple of n} def D = {M M {0, 1} and M is not a positive multiple of n} We show the following lemma. Lemma 5.3 Let q 1,q be two non-negative integers. For 1 i, let M (1) i,...,m (q i) i be fixed bit strings such that M (j) i D i for 1 j q i and {M (1) i,...,m (q i) i } are distinct. Similarly, for 1 i, let (1) i,..., (q i) i be fixed n-bit strings such that { (1) i,..., (q i) i } are distinct. hen the number of P 1,P,P 3 Perm(n) such that { FCBCP1,P,P 3 (M (i) (i) 1 )= FCBC P1,P,P 3 (M (i) 1 for 1 i q 1 and (i) (15) )= for 1 i q is at least {( n )!} 3 ( 1 σ n ) 1 qn, where q = q 1 + q, σ i = 1 j q i M (j) i n and σ = σ 1 + σ. Proof. We first consider M (1) 1,...,M(q 1) 1. he number of P 1 such that CBC-E P1 (M (i) 1 ) = CBC-E P 1 (M (j) 1 ) for 1 i< j q 1 is at most {( n )!} σ 1 from Lemma 5.. n We next consider M (1),...,M(q ) number of P 1 such that. Let M (i) denote the padded message of M (i). hen the CBC-E P1 (M (i) ) = CBC-EP1 (M (j) ) for 1 i< j q is at most {( n )!} σ n from Lemma 5.. herefore, we have at least ( {( n )!} 1 σ 1 n σ n )

25 choice of P 1 such that { CBC-EP1 (M (i) 1 ) CBC-E P 1 (M (j) 1 ) for 1 i< j q 1 and CBC-E P1 (M (i) ) CBC-E P1 (M (j) ) for 1 i< (16) j q We fix any P 1 which satisfies (16). Now P 1 is fixed in such a way that the inputs to P are distinct and the inputs to P 3 are distinct. Also, the corresponding outputs { (1) 1,..., (q 1) 1 } are distinct, and { (1),..., (q ) } are distinct. herefore, we have at least ( ) {( n )!} 1 σ 1 n σ n ( n q 1 )! ( n q )! ( ) choice of P 1,P,P 3 which satisfies (15). his bound is at least {( n )!} 3 1 σ 1 n since qn σ σ1 + σ and (n q i )! (n )! q i n. his concludes the proof of the lemma. Q.E.D. We now prove Lemma 5.1 Proof (of Lemma 5.1). We proceed similarly to the proof of Lemma 4.1. Let O be either FCBC P1,P,P 3 or. Since A is computationally unbounded, there is no loss of generality to assume that A is deterministic. Now for the query A makes to the oracle O, define the query-answer pair (M (i) j D j {0, 1} n, where A s i-th query in D j was M (i), (i) j ) j D j and the answer it got was (i) j {0, 1} n. Suppose that we run A with the oracle. For this run, assume that A made q j queries in D j, where 1 j and q 1 + q = q. Also, for 1 i, let σ i = 1 j q i M (j) i n. For this run, we define view v of A as v def = ( (1) 1,..., (q 1) 1 ), ( (1),..., (q ) ). (17) Since A is deterministic, the i-th query A makes is fully determined by the first i 1 queryanswer pairs. his implies that if we fix some qn-bit string V and return the i-th n-bit block as the answer for the i-th query A makes (instead of the oracle), then A s queries are uniquely determined, q 1,q are uniquely determined, σ 1,σ are uniquely determined, the parsing of V into the format defined in (17) is uniquely determined, and the final output of A (0 or 1) is uniquely determined. def Let V one be a set of all qn-bit strings V such that A outputs 1. We let N one =#V one. Also, let V good be a set of all qn-bit strings V such that: For 1 i< j q, the i-th n-bit block of V the j-th n-bit block of V. Note that if V V good, then the corresponding parsing v of V satisfies that: { (1) 1,..., (q 1) 1 } are distinct and { (1),..., (q ) } are distinct. Now observe that the number of V which is not in the set V good is at most ( q) qn. herefore, we have n ( ) q qn #{V V (V one V good )} N one n. (18) 3

26 Evaluation of p rand. We first evaluate p rand def =Pr( and(,n):a ( ) =1). hen it is not hard to see p rand = V Îone 1 qn = N one qn. Evaluation of p real. p real We next evaluate def = Pr(P 1,P,P 3 Perm(n) :A FCBC P1,P,P ( ) 3 =1) = #{(P 1,P,P 3 ) A FCBC P 1,P,P ( ) 3 =1} {( n )!} 3. hen from Lemma 5.3, we have p real # {(P 1,P,P 3 ) (P 1,P,P 3 ) satisfying (15)} {( n )!} 3 V (Îone Î good ) ( ) 1 σ 1 n qn. V (Îone Î good ) Completing the Proof. p real From (18) we have ( ( ) ) ( ) q qn N one n 1 σ 1 n qn ( ( ) ) ( ) q 1 = p rand n 1 σ n ( ) q 1 p rand n σ n p rand q + σ n p rand σ n. (19) Applying the same argument to 1 p real and 1 p rand yields that 1 p real 1 p rand σ n. (0) Finally, (19) and (0) give p real p rand σ n. Q.E.D. 5.3 From FCBC to MAC-family he next lemma shows that MAC-family P,K ( ) and FCBC P1,P,P 3 ( ) are indistinguishable. 4

27 Lemma 5.4 Let A be an adversary which asks at most q queries, having aggregate length of at most σ blocks. Assume σ n /. hen Pr(P Perm(n),K KH : A MAC-family P,K ( ) =1) ( ) Pr(P 1,P,P 3 Perm(n) :A FCBC P1,P,P ( ) 3 =1) σ 1 n + ɛ. By using Proposition 5.1, it can be proved similarly to the proof of Lemma Proof of Main Lemma for MAC-family We finally give a proof of Main Lemma for MAC-family. Proof (of Lemma 3.). By the triangle inequality, the left hand side of (3) is at most Pr(P 1,P,P 3 Perm(n) :A FCBC P1,P,P ( ) 3 =1) Pr( and(,n):a ( ) =1) + Pr(P Perm(n),K KH : A MAC-family P,K ( ) =1) Pr(P 1,P,P 3 Perm(n) :A FCBC P1,P,P ( ) 3 () =1). Lemma 5.1 gives us an upper bound on (1) and Lemma 5.4 gives us an upper bound on (). herefore the bound follows since σ ( ) ( ) n + σ 1 n + ɛ = σ 5 n + ɛ. his concludes the proof of the lemma. Q.E.D. 6 Proof for XCBC 6.1 Q 1,Q,Q 3 For a random permutation P Perm(n) and two random n-bit strings K,K 3 {0, 1} n, define Q 1 (x) def = P (x), Q (x) def = P (x K ), (3) Q 3 (x) def = P (x K 3 ). he following proposition shows that Q 1 ( ), Q ( ), Q 3 ( ) are indistinguishable from a pair of three independent random permutations P 1 ( ), P ( ), P 3 ( ). Proposition 6.1 Let A be an adversary which asks at most q queries in total. hen Pr(P Perm(n); K,K 3 {0, 1} n : A Q 1( ),Q ( ),Q 3 ( ) =1) Pr(P 1,P,P 3 Perm(n) :A P 1 ( ),P ( ),P 3 ( ) =1) q n, where ɛ = max{ɛ 1,ɛ,ɛ 3 }. It can be proved by extending the proof of [3, Lemma 4]. Also, it can be proved similar to Proposition 5.1. (1) 5

28 6. From FCBC to XCBC he next lemma shows that XCBC P,K,K 3 ( ) and FCBC P1,P,P 3 ( ) are indistinguishable. Lemma 6.1 Let A be an adversary which asks at most q queries, having aggregate length of at most σ blocks. Assume σ n /. hen Pr(P Perm(n),K,K 3 {0, 1} n : A XCBC P,K,K ( ) 3 =1) Pr(P 1,P,P 3 Perm(n) :A FCBC P1,P,P ( ) 3 =1) σ n. By using Proposition 6.1, it can be proved similarly to the proof of Lemma Proof of Main Lemma for XCBC We finally give a proof of Main Lemma for XCBC. Proof (of Lemma 3.3). By the triangle inequality, the left hand side of (4) is at most Pr(P 1,P,P 3 Perm(n) :A FCBC P1,P,P ( ) 3 =1) Pr( and(,n):a ( ) =1) + Pr(P Perm(n),K,K 3 {0, 1} n : A XCBC P,K,K ( ) 3 =1) Pr(P 1,P,P 3 Perm(n) :A FCBC P1,P,P ( ) 3 =1). (4) (5) Lemma 5.1 gives us an upper bound on (4) and Lemma 6.1 gives us an upper bound on (5). herefore the bound follows since σ n + σ n = 3σ n. his concludes the proof of the lemma. Q.E.D. eferences [1] M. Bellare, J. Kilian, and P. ogaway. he security of the cipher block chaining message authentication code. JCSS, vol. 61, no. 3, pp , 000. Earlier version in Advances in Cryptology CYPO 94, LNCS 839, pp , Springer-Verlag, [] A. Berendschot, B. den Boer, J. P. Boly, A. Bosselaers, J. Brandt, D. Chaum, I. Damgård, M. Dichtl, W. Fumy, M. van der Ham, C. J. A. Jansen, P. Landrock, B. Preneel, G. oelofsen, P. de ooij, and J. Vandewalle. Final eport of ACE Integrity Primitives. LNCS 1007, Springer-Verlag, [3] J. Black and P. ogaway. CBC MACs for arbitrary-length messages: he three key constructions. Advances in Cryptology CYPO 000, LNCS 1880, pp , Springer- Verlag, 000. [4] FIPS Publication Data Encryption Standard (DES). U. S. Department of Commerce / National Institute of Standards and echnology, October 5,

29 [5] FIPS 113. Computer data authentication. Federal Information Processing Standards Publication 113, U. S. Department of Commerce / National Bureau of Standards, National echnical Information Service, Springfield, Virginia, [6] O. Goldreigh, S. Goldwasser and S. Micali. How to construct random functions. J. ACM, vol. 33, no. 4, pp , October [7] ISO/IEC Information technology security techniques data integrity mechanism using a cryptographic check function employing a block cipher algorithm. International Organization for Standards, Geneva, Switzerland, Second edition. [8]. Iwata and K. Kurosawa. OMAC: One-Key CBC MAC. Pre-proceedings of Fast Software Encryption, FSE 003, pp , 003. o appear in LNCS, Springer-Verlag. [9] K. Kurosawa and. Iwata. MAC: wo-key CBC MAC. opics in Cryptology C-SA 003, LNCS 61, pp , Springer-Verlag, 003. [10]. Lidl and H. Niederreiter. Introduction to finite fields and their applications, revised edition. Cambridge University Press, [11] M. Luby and C. ackoff. How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput., vol. 17, no., pp , April [1] E. Petrank and C. ackoff. CBC MAC for real-time data sources. J.Cryptology, vol. 13, no. 3, pp , Springer-Verlag, 000. A he Field with n Points We interchangeably think of a point a in GF( n ) in any of the following ways: 1. as an abstract point in a field;. as an n-bit string a n 1 a 1 a 0 {0, 1} n ; 3. as a formal polynomial a(u) =a n 1 u n a 1 u + a 0 with binary coefficients. o add two points in GF( n ), take their bitwise XO. We denote this operation by a b. o multiply two points, fix some irreducible polynomial f(u) having binary coefficients and degree n. o be concrete, choose the lexicographically first polynomial among the irreducible degree n polynomials having a minimum number of coefficients. We list some indicated polynomials (See [10, Chapter 10] for other polynomials). f(u) =u 64 + u 4 + u 3 + u + 1 for n = 64, f(u) =u 18 + u 7 + u + u + 1 for n = 18, and f(u) =u 56 + u 10 + u 5 + u + 1 for n = 56. o multiply two points a GF( n ) and b GF( n ), regard a and b as polynomials a(u) = a n 1 u n a 1 u + a 0 and b(u) =b n 1 u n b 1 u + b 0, form their product c(u) where one adds and multiplies coefficients in GF(), and take the remainder when dividing c(u) by f(u). Note that it is particularly easy to multiply a point a {0, 1} n by u. We show a method for n = 18, where f(u) =u 18 + u 7 + u + u + 1. hen multiplying a = a 17 a 1 a 0 by u yields a 7

Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper

Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper Tetsu Iwata Department of Computer and Information Sciences, Ibaraki University 4 12 1 Nakanarusawa, Hitachi, Ibaraki 316-8511,

More information

Specification of Cryptographic Technique PC-MAC-AES. NEC Corporation

Specification of Cryptographic Technique PC-MAC-AES. NEC Corporation Specification of Cryptographic Technique PC-MAC-AS NC Corporation Contents 1 Contents 1 Design Criteria 2 2 Specification 2 2.1 Notations............................................. 2 2.2 Basic Functions..........................................

More information

1 Construction of CCA-secure encryption

1 Construction of CCA-secure encryption CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

More information

Message Authentication Codes 133

Message Authentication Codes 133 Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in

More information

Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

More information

Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

More information

Security Analysis of DRBG Using HMAC in NIST SP 800-90

Security Analysis of DRBG Using HMAC in NIST SP 800-90 Security Analysis of DRBG Using MAC in NIST SP 800-90 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@u-fukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator

More information

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

More information

Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

More information

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

More information

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

More information

Self-evaluation Report PC-MAC-AES. NEC Corporation

Self-evaluation Report PC-MAC-AES. NEC Corporation Self-evaluation Report PC-MAC-AES NEC Corporation Contents 1 Contents 1 Overview 2 2 Summary of Security Evaluation 2 3 Security Evaluation 3 3.1 Preliminaries...........................................

More information

Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

More information

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct

More information

Message Authentication Code

Message Authentication Code Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

More information

On the Security of the CCM Encryption Mode and of a Slight Variant

On the Security of the CCM Encryption Mode and of a Slight Variant On the Security of the CCM Encryption Mode and of a Slight Variant Pierre-Alain Fouque 1 and Gwenaëlle Martinet 2 and Frédéric Valette 3 and Sébastien Zimmer 1 1 École normale supérieure, 45 rue d Ulm,

More information

On the Security of CTR + CBC-MAC

On the Security of CTR + CBC-MAC On the Security of CTR + CBC-MAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBC-MAC (CCM) encryption mode.

More information

MACs Message authentication and integrity. Table of contents

MACs Message authentication and integrity. Table of contents MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

More information

Chapter 4. Symmetric Encryption. 4.1 Symmetric encryption schemes

Chapter 4. Symmetric Encryption. 4.1 Symmetric encryption schemes Chapter 4 Symmetric Encryption The symmetric setting considers two parties who share a key and will use this key to imbue communicated data with various security attributes. The main security goals are

More information

1 Message Authentication

1 Message Authentication Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

More information

Efficient Constructions of Variable-Input-Length Block Ciphers

Efficient Constructions of Variable-Input-Length Block Ciphers Efficient Constructions of Variable-Input-Length Block Ciphers Sarvar Patel 1, Zulfikar Ramzan 2 and Ganapathy S. Sundaram 1 1 Lucent Technologies {sarvar, ganeshs}@bell-labs.com 2 DoCoMo Communications

More information

1 Pseudorandom Permutations

1 Pseudorandom Permutations Theoretical Foundations of Cryptography Lecture 9 Georgia Tech, Spring 2010 PRPs, Symmetric Encryption 1 Pseudorandom Permutations Instructor: Chris Peikert Scribe: Pushkar Tripathi In the first part of

More information

Simulation-Based Security with Inexhaustible Interactive Turing Machines

Simulation-Based Security with Inexhaustible Interactive Turing Machines Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de

More information

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm An extended abstract of this paper appears in Tatsuaki Okamoto, editor, Advances in Cryptology ASIACRYPT 2000, Volume 1976 of Lecture Notes in Computer Science, pages 531 545, Kyoto, Japan, December 3

More information

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

More information

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6. 1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

More information

Lecture 13: Message Authentication Codes

Lecture 13: Message Authentication Codes Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts

More information

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers

More information

Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Developing and Investigation of a New Technique Combining Message Authentication and Encryption Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas El-Qawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.

More information

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

More information

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

More information

Talk announcement please consider attending!

Talk announcement please consider attending! Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

More information

Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53

Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Cryptography and Network Security, PART IV: Reviews, Patches, and Theory Timo Karvi 11.2012 Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Key Lengths I The old

More information

Multi-Input Functional Encryption for Unbounded Arity Functions

Multi-Input Functional Encryption for Unbounded Arity Functions Multi-Input Functional Encryption for Unbounded Arity Functions Saikrishna Badrinarayanan, Divya Gupta, Abhishek Jain, and Amit Sahai Abstract. The notion of multi-input functional encryption (MI-FE) was

More information

Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012 Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database

More information

Security of the Misty Structure Beyond the Birthday Bound

Security of the Misty Structure Beyond the Birthday Bound Security of the Misty Structure Beyond the Birthday Bound Jooyoung Lee Faculty of Mathematics and Statistics Sejong University, Seoul, Korea 143-747 jlee05@sejong.ac.kr Abstract. In this paper, we first

More information

AES-COPA v.2. Designers/Submitters: Elena Andreeva 1,2, Andrey Bogdanov 3, Atul Luykx 1,2, Bart Mennink 1,2, Elmar Tischhauser 3, and Kan Yasuda 1,4

AES-COPA v.2. Designers/Submitters: Elena Andreeva 1,2, Andrey Bogdanov 3, Atul Luykx 1,2, Bart Mennink 1,2, Elmar Tischhauser 3, and Kan Yasuda 1,4 Submission to the CAESAR competition AES-COPA v.2 Designers/Submitters: Elena Andreeva 1,2, Andrey Bogdanov 3, Atul Luykx 1,2, Bart Mennink 1,2, Elmar Tischhauser 3, and Kan Yasuda 1,4 Affiliation: 1 Dept.

More information

Symmetric Crypto MAC. Pierre-Alain Fouque

Symmetric Crypto MAC. Pierre-Alain Fouque Symmetric Crypto MAC Pierre-Alain Fouque Birthday Paradox In a set of D elements, by picking at random D elements, we have with high probability a collision two elements are equal D=365, about 23 people

More information

On-Line/Off-Line Digital Signatures

On-Line/Off-Line Digital Signatures J. Cryptology (996) 9: 35 67 996 International Association for Cryptologic Research On-Line/Off-Line Digital Signatures Shimon Even Computer Science Department, Technion Israel Institute of Technology,

More information

Introduction. Digital Signature

Introduction. Digital Signature Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

More information

CSA E0 235: Cryptography (29/03/2015) (Extra) Lecture 3

CSA E0 235: Cryptography (29/03/2015) (Extra) Lecture 3 CSA E0 235: Cryptography (29/03/2015) Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Mayank Tiwari Review From our discussion of perfect secrecy, we know that the notion of perfect secrecy has

More information

Analysis of a Database and Index Encryption Scheme Problems and Fixes

Analysis of a Database and Index Encryption Scheme Problems and Fixes Analysis of a Database and Index Encryption Scheme Problems and Fixes Ulrich Kühn Deutsche Telekom Laboratories Technische Universität Berlin, Germany ukuehn@acm.org Abstract. The database encryption scheme

More information

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal Symmetric Crypto Pierre-Alain Fouque Birthday Paradox In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal N=365, about 23 people are

More information

Length extension attack on narrow-pipe SHA-3 candidates

Length extension attack on narrow-pipe SHA-3 candidates Length extension attack on narrow-pipe SHA-3 candidates Danilo Gligoroski Department of Telematics, Norwegian University of Science and Technology, O.S.Bragstads plass 2B, N-7491 Trondheim, NORWAY danilo.gligoroski@item.ntnu.no

More information

1 Domain Extension for MACs

1 Domain Extension for MACs CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).

More information

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

More information

Security Analysis for Order Preserving Encryption Schemes

Security Analysis for Order Preserving Encryption Schemes Security Analysis for Order Preserving Encryption Schemes Liangliang Xiao University of Texas at Dallas Email: xll052000@utdallas.edu Osbert Bastani Harvard University Email: obastani@fas.harvard.edu I-Ling

More information

MAC. SKE in Practice. Lecture 5

MAC. SKE in Practice. Lecture 5 MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve

More information

Limits of Computational Differential Privacy in the Client/Server Setting

Limits of Computational Differential Privacy in the Client/Server Setting Limits of Computational Differential Privacy in the Client/Server Setting Adam Groce, Jonathan Katz, and Arkady Yerukhimovich Dept. of Computer Science University of Maryland {agroce, jkatz, arkady}@cs.umd.edu

More information

Cryptographic Hash Functions Message Authentication Digital Signatures

Cryptographic Hash Functions Message Authentication Digital Signatures Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBC-MAC Digital signatures 2 Encryption/Decryption

More information

Chapter 7. Message Authentication. 7.1 The setting

Chapter 7. Message Authentication. 7.1 The setting Chapter 7 Message Authentication In most people s minds, privacy is the goal most strongly associated to cryptography. But message authentication is arguably even more important. Indeed you may or may

More information

Strengthening Digital Signatures via Randomized Hashing

Strengthening Digital Signatures via Randomized Hashing Strengthening Digital Signatures via Randomized Hashing Shai Halevi Hugo Krawczyk January 30, 2007 Abstract We propose randomized hashing as a mode of operation for cryptographic hash functions intended

More information

Chapter 12. Digital signatures. 12.1 Digital signature schemes

Chapter 12. Digital signatures. 12.1 Digital signature schemes Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this

More information

Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

More information

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013 FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

More information

One-Way Encryption and Message Authentication

One-Way Encryption and Message Authentication One-Way Encryption and Message Authentication Cryptographic Hash Functions Johannes Mittmann mittmann@in.tum.de Zentrum Mathematik Technische Universität München (TUM) 3 rd Joint Advanced Student School

More information

Code-Based Game-Playing Proofs and the Security of Triple Encryption

Code-Based Game-Playing Proofs and the Security of Triple Encryption Code-Based Game-Playing Proofs and the Security of Triple Encryption Mihir Bellare Phillip Rogaway February 27, 2006 (Draft 2.2) Abstract The game-playing technique is a powerful tool for analyzing cryptographic

More information

Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak Non-Black-Box Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a

More information

Indifferentiability Security of the Fast Wide Pipe Hash: Breaking the Birthday Barrier

Indifferentiability Security of the Fast Wide Pipe Hash: Breaking the Birthday Barrier Indifferentiability Security of the Fast Wide Pipe Hash: Breaking the Birthday Barrier Dustin Moody Souradyuti Paul Daniel Smith-Tone Abstract A hash function secure in the indifferentiability framework

More information

Ciphertext verification security of symmetric encryption schemes

Ciphertext verification security of symmetric encryption schemes www.scichina.com info.scichina.com www.springerlink.com Ciphertext verification security of symmetric encryption schemes HU ZhenYu 1, SUN FuChun 1 & JIANG JianChun 2 1 National Laboratory of Information

More information

A Formalization of the Turing Test Evgeny Chutchev

A Formalization of the Turing Test Evgeny Chutchev A Formalization of the Turing Test Evgeny Chutchev 1. Introduction The Turing test was described by A. Turing in his paper [4] as follows: An interrogator questions both Turing machine and second participant

More information

Chapter 6. Hash Functions. 6.1 The hash function SHA1

Chapter 6. Hash Functions. 6.1 The hash function SHA1 Chapter 6 Hash Functions A hash function usually means a function that compresses, meaning the output is shorter than the input. Often, such a function takes an input of arbitrary or almost arbitrary length

More information

Some Polynomial Theorems. John Kennedy Mathematics Department Santa Monica College 1900 Pico Blvd. Santa Monica, CA 90405 rkennedy@ix.netcom.

Some Polynomial Theorems. John Kennedy Mathematics Department Santa Monica College 1900 Pico Blvd. Santa Monica, CA 90405 rkennedy@ix.netcom. Some Polynomial Theorems by John Kennedy Mathematics Department Santa Monica College 1900 Pico Blvd. Santa Monica, CA 90405 rkennedy@ix.netcom.com This paper contains a collection of 31 theorems, lemmas,

More information

Subsets of Euclidean domains possessing a unique division algorithm

Subsets of Euclidean domains possessing a unique division algorithm Subsets of Euclidean domains possessing a unique division algorithm Andrew D. Lewis 2009/03/16 Abstract Subsets of a Euclidean domain are characterised with the following objectives: (1) ensuring uniqueness

More information

Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

Concrete Security of the Blum-Blum-Shub Pseudorandom Generator Appears in Cryptography and Coding: 10th IMA International Conference, Lecture Notes in Computer Science 3796 (2005) 355 375. Springer-Verlag. Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

More information

Bounded Cost Algorithms for Multivalued Consensus Using Binary Consensus Instances

Bounded Cost Algorithms for Multivalued Consensus Using Binary Consensus Instances Bounded Cost Algorithms for Multivalued Consensus Using Binary Consensus Instances Jialin Zhang Tsinghua University zhanggl02@mails.tsinghua.edu.cn Wei Chen Microsoft Research Asia weic@microsoft.com Abstract

More information

The Goldberg Rao Algorithm for the Maximum Flow Problem

The Goldberg Rao Algorithm for the Maximum Flow Problem The Goldberg Rao Algorithm for the Maximum Flow Problem COS 528 class notes October 18, 2006 Scribe: Dávid Papp Main idea: use of the blocking flow paradigm to achieve essentially O(min{m 2/3, n 1/2 }

More information

Remotely Keyed Encryption Using Non-Encrypting Smart Cards

Remotely Keyed Encryption Using Non-Encrypting Smart Cards THE ADVANCED COMPUTING SYSTEMS ASSOCIATION The following paper was originally published in the USENIX Workshop on Smartcard Technology Chicago, Illinois, USA, May 10 11, 1999 Remotely Keyed Encryption

More information

Lecture 9. Lecturer: Yevgeniy Dodis Spring 2012

Lecture 9. Lecturer: Yevgeniy Dodis Spring 2012 CSCI-GA.3210-001 MATH-GA.2170-001 Introduction to Cryptography Macrh 21, 2012 Lecture 9 Lecturer: Yevgeniy Dodis Spring 2012 Last time we introduced the concept of Pseudo Random Function Family (PRF),

More information

Notes from Week 1: Algorithms for sequential prediction

Notes from Week 1: Algorithms for sequential prediction CS 683 Learning, Games, and Electronic Markets Spring 2007 Notes from Week 1: Algorithms for sequential prediction Instructor: Robert Kleinberg 22-26 Jan 2007 1 Introduction In this course we will be looking

More information

The finite field with 2 elements The simplest finite field is

The finite field with 2 elements The simplest finite field is The finite field with 2 elements The simplest finite field is GF (2) = F 2 = {0, 1} = Z/2 It has addition and multiplication + and defined to be 0 + 0 = 0 0 + 1 = 1 1 + 0 = 1 1 + 1 = 0 0 0 = 0 0 1 = 0

More information

COM S 687 Introduction to Cryptography October 19, 2006

COM S 687 Introduction to Cryptography October 19, 2006 COM S 687 Introduction to Cryptography October 19, 2006 Lecture 16: Non-Malleability and Public Key Encryption Lecturer: Rafael Pass Scribe: Michael George 1 Non-Malleability Until this point we have discussed

More information

Cryptography CS 555. Topic 3: One-time Pad and Perfect Secrecy. CS555 Spring 2012/Topic 3 1

Cryptography CS 555. Topic 3: One-time Pad and Perfect Secrecy. CS555 Spring 2012/Topic 3 1 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy CS555 Spring 2012/Topic 3 1 Outline and Readings Outline One-time pad Perfect secrecy Limitation of perfect secrecy Usages of one-time pad

More information

Midterm Exam Solutions CS161 Computer Security, Spring 2008

Midterm Exam Solutions CS161 Computer Security, Spring 2008 Midterm Exam Solutions CS161 Computer Security, Spring 2008 1. To encrypt a series of plaintext blocks p 1, p 2,... p n using a block cipher E operating in electronic code book (ECB) mode, each ciphertext

More information

Key Privacy for Identity Based Encryption

Key Privacy for Identity Based Encryption Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 2006-2 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March

More information

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

More information

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication

More information

Keying Hash Functions for Message Authentication

Keying Hash Functions for Message Authentication An abridged version of this paper appears in Advances in Cryptology Crypto 96 Proceedings, Lecture Notes in Computer Science Vol. 1109, N. Koblitz ed., Springer-Verlag, 1996. Keying Hash Functions for

More information

MOP 2007 Black Group Integer Polynomials Yufei Zhao. Integer Polynomials. June 29, 2007 Yufei Zhao yufeiz@mit.edu

MOP 2007 Black Group Integer Polynomials Yufei Zhao. Integer Polynomials. June 29, 2007 Yufei Zhao yufeiz@mit.edu Integer Polynomials June 9, 007 Yufei Zhao yufeiz@mit.edu We will use Z[x] to denote the ring of polynomials with integer coefficients. We begin by summarizing some of the common approaches used in dealing

More information

Identity-Based Encryption from the Weil Pairing

Identity-Based Encryption from the Weil Pairing Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages

More information

Factoring & Primality

Factoring & Primality Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount

More information

Non-interactive and Reusable Non-malleable Commitment Schemes

Non-interactive and Reusable Non-malleable Commitment Schemes Non-interactive and Reusable Non-malleable Commitment Schemes Ivan Damgård a Jens Groth b June 16, 2003 Abstract We consider non-malleable (NM) and universally composable (UC) commitment schemes in the

More information

Cryptographic treatment of CryptDB s Adjustable Join

Cryptographic treatment of CryptDB s Adjustable Join Cryptographic treatment of CryptDB s Adjustable Join Raluca Ada Popa and Nickolai Zeldovich MIT CSAIL March 25, 2012 1 Introduction In this document, we provide a cryptographic treatment of the adjustable

More information

New Efficient Searchable Encryption Schemes from Bilinear Pairings

New Efficient Searchable Encryption Schemes from Bilinear Pairings International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang

More information

2.1 Complexity Classes

2.1 Complexity Classes 15-859(M): Randomized Algorithms Lecturer: Shuchi Chawla Topic: Complexity classes, Identity checking Date: September 15, 2004 Scribe: Andrew Gilpin 2.1 Complexity Classes In this lecture we will look

More information

Digital Signatures. What are Signature Schemes?

Digital Signatures. What are Signature Schemes? Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counter-parts of the message authentication schemes in the public

More information

Integers: applications, base conversions.

Integers: applications, base conversions. CS 441 Discrete Mathematics for CS Lecture 14 Integers: applications, base conversions. Milos Hauskrecht milos@cs.pitt.edu 5329 Sennott Square Modular arithmetic in CS Modular arithmetic and congruencies

More information

Chapter 6 Finite sets and infinite sets. Copyright 2013, 2005, 2001 Pearson Education, Inc. Section 3.1, Slide 1

Chapter 6 Finite sets and infinite sets. Copyright 2013, 2005, 2001 Pearson Education, Inc. Section 3.1, Slide 1 Chapter 6 Finite sets and infinite sets Copyright 013, 005, 001 Pearson Education, Inc. Section 3.1, Slide 1 Section 6. PROPERTIES OF THE NATURE NUMBERS 013 Pearson Education, Inc.1 Slide Recall that denotes

More information

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

More information

Digital Signatures out of Second-Preimage Resistant Hash Functions

Digital Signatures out of Second-Preimage Resistant Hash Functions Digital Signatures out of Second-Preimage Resistant Hash Functions Erik Dahmen 1, Katsuyuki Okeya 2, Tsuyoshi Takagi 3, and Camille Vuillaume 2 1 Technische Universität Darmstadt dahmen@cdc.informatik.tu-darmstadt.de

More information

Good luck, veel succes!

Good luck, veel succes! Final exam Advanced Linear Programming, May 7, 13.00-16.00 Switch off your mobile phone, PDA and any other mobile device and put it far away. No books or other reading materials are allowed. This exam

More information

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense

More information

1 Signatures vs. MACs

1 Signatures vs. MACs CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

More information

Mathematical Induction

Mathematical Induction Chapter 2 Mathematical Induction 2.1 First Examples Suppose we want to find a simple formula for the sum of the first n odd numbers: 1 + 3 + 5 +... + (2n 1) = n (2k 1). How might we proceed? The most natural

More information

A New Generic Digital Signature Algorithm

A New Generic Digital Signature Algorithm Groups Complex. Cryptol.? (????), 1 16 DOI 10.1515/GCC.????.??? de Gruyter???? A New Generic Digital Signature Algorithm Jennifer Seberry, Vinhbuu To and Dongvu Tonien Abstract. In this paper, we study

More information

Theorem (The division theorem) Suppose that a and b are integers with b > 0. There exist unique integers q and r so that. a = bq + r and 0 r < b.

Theorem (The division theorem) Suppose that a and b are integers with b > 0. There exist unique integers q and r so that. a = bq + r and 0 r < b. Theorem (The division theorem) Suppose that a and b are integers with b > 0. There exist unique integers q and r so that a = bq + r and 0 r < b. We re dividing a by b: q is the quotient and r is the remainder,

More information

The Conference Call Search Problem in Wireless Networks

The Conference Call Search Problem in Wireless Networks The Conference Call Search Problem in Wireless Networks Leah Epstein 1, and Asaf Levin 2 1 Department of Mathematics, University of Haifa, 31905 Haifa, Israel. lea@math.haifa.ac.il 2 Department of Statistics,

More information

ECEN 5682 Theory and Practice of Error Control Codes

ECEN 5682 Theory and Practice of Error Control Codes ECEN 5682 Theory and Practice of Error Control Codes Convolutional Codes University of Colorado Spring 2007 Linear (n, k) block codes take k data symbols at a time and encode them into n code symbols.

More information

HASH CODE BASED SECURITY IN CLOUD COMPUTING

HASH CODE BASED SECURITY IN CLOUD COMPUTING ABSTRACT HASH CODE BASED SECURITY IN CLOUD COMPUTING Kaleem Ur Rehman M.Tech student (CSE), College of Engineering, TMU Moradabad (India) The Hash functions describe as a phenomenon of information security

More information