Stronger Security Bounds for OMAC, TMAC and XCBC
Tetsu Iwata and Kaoru Kurosawa
Department of Computer and Information Sciences, Ibaraki University, Nakanarusawa, Hitachi, Ibaraki, Japan
{iwata,

April 30, 2003

Abstract. OMAC, TMAC and XCBC are CBC-type MAC schemes which are provably secure for arbitrary message length. In this paper, we present a tighter upper bound on $\mathrm{Adv}^{\mathrm{mac}}$ for each scheme, where $\mathrm{Adv}^{\mathrm{mac}}$ denotes the maximum success (forgery) probability of adversaries. Our bounds are expressed in terms of the total length of all queries of an adversary to the MAC generation oracle, while the previous bounds are expressed in terms of the maximum length of each query. In particular, a significant improvement occurs if the lengths of queries are heavily unbalanced.

Key words: OMAC, TMAC, XCBC, modes of operation, block cipher, provable security.
Contents

1 Introduction
  1.1 Background
  1.2 Our Contribution
  1.3 Our Collision Bound
2 Preliminaries
  2.1 Notation
  2.2 CBC MAC
  2.3 XCBC, TMAC and OMAC
    2.3.1 XCBC
    2.3.2 TMAC-family and TMAC
    2.3.3 OMAC-family, OMAC1 and OMAC2
3 Stronger Security Bounds
  3.1 Definitions of Security
  3.2 Theorem Statements
4 Proof for OMAC-family
  4.1 $Q_1, \ldots, Q_6$ and MOMAC [8]
  4.2 MOMAC is Pseudorandom
  4.3 From MOMAC to OMAC-family
  4.4 Proof of Main Lemma for OMAC-family
5 Proof for TMAC-family
  5.1 $Q_1, Q_2, Q_3$ [9] and FCBC [3]
  5.2 FCBC is Pseudorandom
  5.3 From FCBC to TMAC-family
  5.4 Proof of Main Lemma for TMAC-family
6 Proof for XCBC
  6.1 $Q_1, Q_2, Q_3$
  6.2 From FCBC to XCBC
  6.3 Proof of Main Lemma for XCBC
References
A The Field with $2^n$ Points
1 Introduction

1.1 Background

The CBC MAC [5, 7] is a well-known method to generate a message authentication code (MAC) based on a block cipher $E$. We denote the CBC MAC value of a message $M$ by $\mathrm{CBC}_K(M)$, where $K$ is the key of $E$. While Bellare, Kilian, and Rogaway proved that the CBC MAC is secure for fixed length messages [1], it is not secure for variable length messages. Therefore, several variants of CBC MAC have been proposed which are provably secure for variable length messages. They include EMAC, XCBC, TMAC and then OMAC.

EMAC (Encrypted MAC) is obtained by encrypting $\mathrm{CBC}_{K_1}(M)$ by $E$ again with a new key $K_2$ [2]. That is, $\mathrm{EMAC}_{K_1,K_2}(M) = E_{K_2}(\mathrm{CBC}_{K_1}(M))$. Petrank and Rackoff proved that EMAC is secure if the message length is a multiple of $n$, where $n$ is the block length of $E$ [12]. For arbitrary length messages, we can simply append the minimal $10^i$ to a message $M$ so that the length is a multiple of $n$. In this method, however, we must append an entire extra block $10^{n-1}$ if the size of the message is already a multiple of $n$. This wastes one block cipher invocation.

Black and Rogaway next proposed XCBC to solve the above problem [3]. XCBC takes three keys: $K_1$ for $E$, and $K_2$ and $K_3$. In XCBC, we do not append $10^{n-1}$ if the size of the message is already a multiple of $n$. Only if this is not the case, we append the minimal $10^i$. In order to distinguish them, $K_2$ or $K_3$ is XORed before encrypting the last block. XCBC is now described as follows (see Fig. 1). If $|M| = mn$ for some $m > 0$, then XCBC computes exactly the same as the CBC MAC, except for XORing an $n$-bit key $K_2$ before encrypting the last block. Otherwise, $10^i$ padding ($i = n - |M| - 1 \bmod n$) is appended to $M$ and XCBC computes exactly the same as the CBC MAC for the padded message, except for XORing another $n$-bit key $K_3$ before encrypting the last block.

Fig. 1. Illustration of XCBC (left: $|M|$ is a multiple of $n$ and $K_2$ is XORed before the last $E_{K_1}$; right: $10^i$ padding is appended and $K_3$ is XORed before the last $E_{K_1}$).

Kurosawa and Iwata then proposed TMAC which requires two keys, $K_1$ and $K_2$ [9]. TMAC is obtained from XCBC by replacing $(K_2, K_3)$ with $(K_2 \cdot u, K_2)$, where $u$ is some non-zero constant and $\cdot$ denotes multiplication in $\mathrm{GF}(2^n)$. Finally, Iwata and Kurosawa proposed OMAC which requires only one key $K$ of the block cipher $E$ [8]. OMAC is a generic name for OMAC1 and OMAC2. Let $L = E_K(0^n)$. Then
Table 1. Comparison of the key lengths ($k$ denotes the key length of $E$).

  scheme      | XCBC [3]          | TMAC [9]        | OMAC [8]
  key length  | $(k + 2n)$ bits   | $(k + n)$ bits  | $k$ bits

OMAC1 is obtained by replacing $(K_2, K_3)$ with $(L \cdot u, L \cdot u^2)$ in XCBC. Similarly, OMAC2 is obtained from XCBC by replacing $(K_2, K_3)$ with $(L \cdot u, L \cdot u^{-1})$. See Table 1 for the comparison of the key lengths, where $k$ denotes the key length of $E$.

1.2 Our Contribution

XCBC, TMAC and OMAC are all provably secure against chosen message attack. Indeed, the authors showed an upper bound on $\mathrm{Adv}^{\mathrm{mac}}$ for each scheme, where $\mathrm{Adv}^{\mathrm{mac}}$ denotes the maximum success (forgery) probability of adversaries. In this paper, we present a tighter upper bound on $\mathrm{Adv}^{\mathrm{mac}}$ for each scheme by using a more specific parameter. Consider adversaries who run in time at most $t$ and query at most $q$ messages to the MAC generation oracle.

1. The previous bounds are expressed in terms of the maximum length of each query.
2. Our bounds are expressed in terms of the total length of all queries.

More precisely,

1. Table 2 shows the previous bounds on $\mathrm{Adv}^{\mathrm{mac}}_F(t, q, m)$, which is defined as the maximum forgery probability of adversaries such that each query is at most $m$ blocks, where 1 block is $n$ bits, and
2. Table 3 shows our bounds on $\mathrm{Adv}^{\mathrm{mac}}_F(t, q, \sigma)$, which is defined as the maximum forgery probability of adversaries such that the total length of all queries is at most $\sigma$ blocks,

where $F$ is XCBC, TMAC or OMAC and $n$ is the block length of the underlying block cipher $E$. In these tables, $\mathrm{Adv}^{\mathrm{prp}}_E(t', q')$ is the maximum distinguishing probability between the block cipher $E$ and a randomly chosen permutation, where the maximum is over all adversaries who run in time at most $t'$ and make at most $q'$ queries.

Table 2. Previous security bounds of XCBC, TMAC and OMAC.

  Name | Security Bound
  XCBC | $\mathrm{Adv}^{\mathrm{mac}}_{\mathrm{XCBC}}(t, q, m) \le \frac{(4m^2 + 1)q^2 + 1}{2^n} + 3\,\mathrm{Adv}^{\mathrm{prp}}_E(t', q')$, [3, Corollary 2] where $t' = t + O(mq)$ and $q' = mq$.
  TMAC | $\mathrm{Adv}^{\mathrm{mac}}_{\mathrm{TMAC}}(t, q, m) \le \frac{(3m^2 + 1)q^2 + 1}{2^n} + \mathrm{Adv}^{\mathrm{prp}}_E(t', q')$, [9, Theorem 5.1] where $t' = t + O(mq)$ and $q' = mq$.
  OMAC | $\mathrm{Adv}^{\mathrm{mac}}_{\mathrm{OMAC}}(t, q, m) \le \frac{(5m^2 + 1)q^2 + 1}{2^n} + \mathrm{Adv}^{\mathrm{prp}}_E(t', q')$, [8, Theorem 5.1] where $t' = t + O(mq)$ and $q' = mq + 1$.

In general, $\sigma \le mq$, where $\sigma$ is the total block length of all queries, $q$ is the number of queries, and $m$ is the maximum block length among all queries.

Table 3. Security bounds of XCBC, TMAC and OMAC obtained in this paper.

  Name | Security Bound
  XCBC | $\mathrm{Adv}^{\mathrm{mac}}_{\mathrm{XCBC}}(t, q, \sigma) \le \frac{3\sigma^2 + 1}{2^n} + \mathrm{Adv}^{\mathrm{prp}}_E(t', q')$, where $t' = t + O(\sigma)$ and $q' = \sigma$.
  TMAC | $\mathrm{Adv}^{\mathrm{mac}}_{\mathrm{TMAC}}(t, q, \sigma) \le \frac{3\sigma^2 + 1}{2^n} + \mathrm{Adv}^{\mathrm{prp}}_E(t', q')$, where $t' = t + O(\sigma)$ and $q' = \sigma$.
  OMAC | $\mathrm{Adv}^{\mathrm{mac}}_{\mathrm{OMAC}}(t, q, \sigma) \le \frac{4\sigma^2 + 1}{2^n} + \mathrm{Adv}^{\mathrm{prp}}_E(t', q')$, where $t' = t + O(\sigma)$ and $q' = \sigma + 1$.

A significant improvement occurs if all queries are very short (say, 1 block) except for one very long query ($m$ blocks). For example, suppose that $n = 64$ (for example, Triple DES [4]), $m = 2^{16}$ and $q = 2^{16}$. It is easy to see that $\sigma = 2^{16} + 2^{16} - 1 < 2^{17}$. In this case, our bounds shown in Table 3 are still meaningful while the previous bounds shown in Table 2 are useless because they become larger than one.

1.3 Our Collision Bound

To show our security bounds, we derive upper bounds on some collision probabilities. For $q$ distinct messages $M^{(1)}, \ldots, M^{(q)}$ such that each $|M^{(i)}|$ is a multiple of $n$, let $\sigma = \|M^{(1)}\|_n + \cdots + \|M^{(q)}\|_n$ (the total number of blocks).

For XCBC and TMAC, we consider a collision such that $\mathrm{CBC}_P(M^{(i)}) = \mathrm{CBC}_P(M^{(j)})$ for some $i \ne j$, where $\mathrm{CBC}_P$ denotes the CBC MAC with a randomly chosen permutation $P$ as the underlying block cipher $E$. We then prove that

$$\Pr(\exists\, 1 \le i < j \le q,\ \mathrm{CBC}_P(M^{(i)}) = \mathrm{CBC}_P(M^{(j)})) \le \frac{\sigma^2}{2^n}$$

for any $M^{(1)}, \ldots, M^{(q)}$. It is formally stated in Lemma 5.2 and proved in Sec. 5.2.

For OMAC, we consider MOMACE, a variant of the CBC MAC, as follows. Let a message be $M = M[1] \| M[2] \| \cdots \| M[m]$, where $|M[1]| = |M[2]| = \cdots = |M[m]| = n$ and $m \ge 2$. Let $P_1$ and $P_2$ be two independent randomly chosen permutations. Then

1. Let $Y[1] = P_1(M[1])$.
2. For $i = 2, \ldots, m - 1$, compute $Y[i] = P_2(M[i] \oplus Y[i-1])$.
3. Finally define $\mathrm{MOMACE}_{P_1,P_2}(M) = M[m] \oplus Y[m-1]$.

We show that

$$\Pr(\exists\, 1 \le i < j \le q,\ \mathrm{MOMACE}_{P_1,P_2}(M^{(i)}) = \mathrm{MOMACE}_{P_1,P_2}(M^{(j)})) \le \frac{(\sigma - q)^2}{2^n}.$$

It is formally stated in Lemma 4.2 and proved in Sec. 4.2.
2 Preliminaries

2.1 Notation

For a set $A$, $x \stackrel{R}{\leftarrow} A$ means that $x$ is chosen from $A$ uniformly at random. If $a, b \in \{0,1\}^*$ are equal-length strings then $a \oplus b$ is their bitwise XOR. If $a, b \in \{0,1\}^*$ are strings then $a \| b$ denotes their concatenation. For simplicity, we sometimes write $ab$ for $a \| b$ if there is no confusion. For an $n$-bit string $a = a_{n-1} \cdots a_1 a_0 \in \{0,1\}^n$, let $a \ll 1 = a_{n-2} \cdots a_1 a_0 0$ denote the $n$-bit string which is a left shift of $a$ by 1 bit, while $a \gg 1 = 0 a_{n-1} \cdots a_2 a_1$ denotes the $n$-bit string which is a right shift of $a$ by 1 bit. If $a \in \{0,1\}^*$ is a string then $|a|$ denotes its length in bits. For any bit string $a \in \{0,1\}^*$ such that $|a| \le n$, we let

$$\mathrm{pad}_n(a) = \begin{cases} a\,10^{\,n-|a|-1} & \text{if } |a| < n, \\ a & \text{if } |a| = n. \end{cases} \qquad (1)$$

Define $\|a\|_n = \max\{1, \lceil |a|/n \rceil\}$, where the empty string counts as one block. In pseudocode, we write "Partition $M$ into $M[1] \cdots M[m]$" as shorthand for "Let $m = \|M\|_n$, and let $M[1], \ldots, M[m]$ be bit strings such that $M[1] \cdots M[m] = M$ and $|M[i]| = n$ for $1 \le i < m$."

2.2 CBC MAC

A block cipher $E$ is a function $E : \mathcal{K}_E \times \{0,1\}^n \to \{0,1\}^n$, where $\mathcal{K}_E$ is the set of keys and $E(K, \cdot) = E_K(\cdot)$ is a permutation on $\{0,1\}^n$. $n$ is called the block length of $E$.

The CBC MAC [5, 7] is the simplest and most well-known MAC scheme based on block ciphers $E$. For a message $M = M[1] \| M[2] \| \cdots \| M[m]$ such that $|M[1]| = |M[2]| = \cdots = |M[m]| = n$, let $Y[0] = 0^n$ and $Y[i] = E_K(M[i] \oplus Y[i-1])$ for $i = 1, \ldots, m$. Then the CBC MAC of $M$ under key $K$ is defined as $\mathrm{CBC}_K(M) = Y[m]$.

Bellare, Kilian, and Rogaway proved that the CBC MAC is secure for fixed length messages [1]. However, it is well known that the CBC MAC is not secure for variable length messages.

2.3 XCBC, TMAC and OMAC

XCBC, TMAC and OMAC are CBC-type MAC schemes which are provably secure for arbitrary message length. Each scheme takes a message $M \in \{0,1\}^*$ and produces a tag in $\{0,1\}^n$. Each scheme is defined by using a block cipher $E : \mathcal{K}_E \times \{0,1\}^n \to \{0,1\}^n$.
  Algorithm XCBC_{K_1,K_2,K_3}(M)
    Y[0] ← 0^n
    Partition M into M[1] ··· M[m]
    for i ← 1 to m − 1 do
      X[i] ← M[i] ⊕ Y[i − 1]
      Y[i] ← E_{K_1}(X[i])
    X[m] ← pad_n(M[m]) ⊕ Y[m − 1]
    if |M[m]| = n then X[m] ← X[m] ⊕ K_2
                  else X[m] ← X[m] ⊕ K_3
    T ← E_{K_1}(X[m])
    return T

Fig. 2. Definition of XCBC.

2.3.1 XCBC

XCBC takes three keys $(K_1, K_2, K_3) \in \mathcal{K}_E \times \{0,1\}^n \times \{0,1\}^n$. The algorithm of XCBC is described in Fig. 2 and illustrated in Fig. 1, where $\mathrm{pad}_n(\cdot)$ is defined in (1).

2.3.2 TMAC-family and TMAC

TMAC takes two keys $(K_1, K_2) \in \mathcal{K}_E \times \{0,1\}^n$. In general, TMAC-family is defined by not only a block cipher $E$ but also (1) a universal hash function $H : \mathcal{K}_H \times X \to \{0,1\}^n$, where $\mathcal{K}_H$ is the set of keys and $X$ is the domain, and (2) two distinct constants $\mathrm{Cst}_1, \mathrm{Cst}_2 \in X$. They must satisfy the following three conditions for sufficiently small $\epsilon_1, \epsilon_2, \epsilon_3$. (We write $H_K(\cdot)$ for $H(K, \cdot)$.)

1. $\forall y \in \{0,1\}^n$, $\#\{K \in \mathcal{K}_H \mid H_K(\mathrm{Cst}_1) = y\} \le \epsilon_1 \cdot \#\mathcal{K}_H$
2. $\forall y \in \{0,1\}^n$, $\#\{K \in \mathcal{K}_H \mid H_K(\mathrm{Cst}_2) = y\} \le \epsilon_2 \cdot \#\mathcal{K}_H$
3. $\forall y \in \{0,1\}^n$, $\#\{K \in \mathcal{K}_H \mid H_K(\mathrm{Cst}_1) \oplus H_K(\mathrm{Cst}_2) = y\} \le \epsilon_3 \cdot \#\mathcal{K}_H$

The algorithm of TMAC-family is described in Fig. 3 and illustrated in Fig. 4. TMAC is obtained by letting $\mathcal{K}_H = \{0,1\}^n$, $H_K(x) = K \cdot x$, $\mathrm{Cst}_1 = u$ and $\mathrm{Cst}_2 = 1$, where $\cdot$ denotes multiplication over $\mathrm{GF}(2^n)$ (see Appendix A for details). Equivalently, TMAC is obtained by letting $H_K(\mathrm{Cst}_1) = K \cdot u$ and $H_K(\mathrm{Cst}_2) = K$. The above three conditions are satisfied with $\epsilon_1 = \epsilon_2 = \epsilon_3 = 1/2^n$.

  Algorithm TMAC-family_{K_1,K_2}(M)
    Y[0] ← 0^n
    Partition M into M[1] ··· M[m]
    for i ← 1 to m − 1 do
      X[i] ← M[i] ⊕ Y[i − 1]
      Y[i] ← E_{K_1}(X[i])
    X[m] ← pad_n(M[m]) ⊕ Y[m − 1]
    if |M[m]| = n then X[m] ← X[m] ⊕ H_{K_2}(Cst_1)
                  else X[m] ← X[m] ⊕ H_{K_2}(Cst_2)
    T ← E_{K_1}(X[m])
    return T

Fig. 3. Definition of TMAC-family.

Fig. 4. Illustration of TMAC-family (left: $|M|$ is a multiple of $n$ and $H_{K_2}(\mathrm{Cst}_1)$ is XORed before the last $E_{K_1}$; right: $10^i$ padding is appended and $H_{K_2}(\mathrm{Cst}_2)$ is XORed before the last $E_{K_1}$).

2.3.3 OMAC-family, OMAC1 and OMAC2

OMAC is a generic name for OMAC1 and OMAC2, where OMAC1 and OMAC2 take just one key $K \in \mathcal{K}_E$. In general, OMAC-family is defined by not only a block cipher $E$ but also (1) a universal hash function $H : \{0,1\}^n \times X \to \{0,1\}^n$, where $X$ is the domain, (2) two distinct constants $\mathrm{Cst}_1, \mathrm{Cst}_2 \in X$ and (3) an arbitrary $n$-bit constant $\mathrm{Cst} \in \{0,1\}^n$. (The set of keys of $H$ is $\{0,1\}^n$.) They must satisfy the following six conditions for sufficiently small $\epsilon_1, \epsilon_2, \ldots, \epsilon_6$.

1. $\forall y \in \{0,1\}^n$, $\#\{L \in \{0,1\}^n \mid H_L(\mathrm{Cst}_1) = y\} \le \epsilon_1 2^n$
2. $\forall y \in \{0,1\}^n$, $\#\{L \in \{0,1\}^n \mid H_L(\mathrm{Cst}_2) = y\} \le \epsilon_2 2^n$
3. $\forall y \in \{0,1\}^n$, $\#\{L \in \{0,1\}^n \mid H_L(\mathrm{Cst}_1) \oplus H_L(\mathrm{Cst}_2) = y\} \le \epsilon_3 2^n$
4. $\forall y \in \{0,1\}^n$, $\#\{L \in \{0,1\}^n \mid H_L(\mathrm{Cst}_1) \oplus L = y\} \le \epsilon_4 2^n$
5. $\forall y \in \{0,1\}^n$, $\#\{L \in \{0,1\}^n \mid H_L(\mathrm{Cst}_2) \oplus L = y\} \le \epsilon_5 2^n$
6. $\forall y \in \{0,1\}^n$, $\#\{L \in \{0,1\}^n \mid H_L(\mathrm{Cst}_1) \oplus H_L(\mathrm{Cst}_2) \oplus L = y\} \le \epsilon_6 2^n$

The algorithm of OMAC-family is described in Fig. 5 and illustrated in Fig. 6. OMAC1 is obtained by letting $\mathrm{Cst} = 0^n$, $H_L(x) = L \cdot x$, $\mathrm{Cst}_1 = u$ and $\mathrm{Cst}_2 = u^2$, where $\cdot$ denotes multiplication over $\mathrm{GF}(2^n)$. Equivalently, OMAC1 is obtained by letting $L = E_K(0^n)$, $H_L(\mathrm{Cst}_1) = L \cdot u$ and $H_L(\mathrm{Cst}_2) = L \cdot u^2$. OMAC2 is the same as OMAC1 except for $\mathrm{Cst}_2 = u^{-1}$. Equivalently, OMAC2 is obtained by letting $L = E_K(0^n)$, $H_L(\mathrm{Cst}_1) = L \cdot u$ and $H_L(\mathrm{Cst}_2) = L \cdot u^{-1}$. The above six conditions are satisfied with $\epsilon_1 = \cdots = \epsilon_6 = 1/2^n$ for both OMAC1 and OMAC2.
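The following is an added example, not code from the paper: it implements the XCBC algorithm of Fig. 2 over a generic block-cipher interface and derives TMAC, OMAC1 and OMAC2 from it exactly as Sec. 1.1 and Sec. 2.3 describe, by substituting $(K_2, K_3)$ with $(K_2 \cdot u, K_2)$, $(L \cdot u, L \cdot u^2)$ and $(L \cdot u, L \cdot u^{-1})$. It assumes $n = 128$ with $\mathrm{GF}(2^{128})$ defined by $x^{128} + x^7 + x^2 + x + 1$, and uses a constructed stand-in for $E_K$ (a 4-round Feistel permutation with HMAC-SHA256 round functions, for demonstration only); the function names are ours.

```python
"""XCBC / TMAC / OMAC1 / OMAC2 over one generic block cipher (added example, not the paper's code)."""
import hashlib
import hmac

N_BITS = 128
N_BYTES = N_BITS // 8
R_128 = 0x87                                       # x^7 + x^2 + x + 1, the low bits of the modulus
R_INV_128 = 0x80000000000000000000000000000043     # x^{-1} = x^127 + x^6 + x + 1 (assumed n = 128)


def mul_u(block: bytes) -> bytes:
    """L * u in GF(2^128): shift left one bit, reduce if the top bit fell out."""
    v = int.from_bytes(block, "big")
    top = v >> (N_BITS - 1)
    v = (v << 1) & ((1 << N_BITS) - 1)
    if top:
        v ^= R_128
    return v.to_bytes(N_BYTES, "big")


def mul_u_inv(block: bytes) -> bytes:
    """L * u^{-1}: shift right one bit, add the x^{-1} constant if the low bit fell out."""
    v = int.from_bytes(block, "big")
    low = v & 1
    v >>= 1
    if low:
        v ^= R_INV_128
    return v.to_bytes(N_BYTES, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class FeistelStandIn:
    """Constructed stand-in for E_K: a keyed permutation on 128-bit blocks (NOT a real cipher)."""

    def __init__(self, key: bytes):
        self.key = key

    def _f(self, rnd: int, half: bytes) -> bytes:
        return hmac.new(self.key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

    def encrypt(self, block: bytes) -> bytes:
        left, right = block[:8], block[8:]
        for rnd in range(4):
            left, right = right, xor(left, self._f(rnd, right))
        return left + right


def pad_n(a: bytes) -> bytes:
    """pad_n of eq. (1): append 1 0^{n-|a|-1} if |a| < n, leave a full block unchanged."""
    if len(a) == N_BYTES:
        return a
    return a + b"\x80" + b"\x00" * (N_BYTES - len(a) - 1)


def partition(msg: bytes) -> list:
    """||M||_n = max{1, ceil(|M|/n)} blocks; every block but the last is full."""
    nblocks = max(1, -(-len(msg) // N_BYTES))
    return [msg[i * N_BYTES:(i + 1) * N_BYTES] for i in range(nblocks)]


def xcbc(E, k2: bytes, k3: bytes, msg: bytes) -> bytes:
    """Fig. 2: CBC chain; XOR K2 if the last block is full, else pad it and XOR K3."""
    blocks = partition(msg)
    y = bytes(N_BYTES)                       # Y[0] = 0^n
    for blk in blocks[:-1]:
        y = E.encrypt(xor(blk, y))           # Y[i] = E(M[i] xor Y[i-1])
    last = blocks[-1]
    x = xor(pad_n(last), y)                  # X[m] = pad_n(M[m]) xor Y[m-1]
    x = xor(x, k2 if len(last) == N_BYTES else k3)
    return E.encrypt(x)


def tmac(E, k2: bytes, msg: bytes) -> bytes:
    """TMAC = XCBC with (K2, K3) replaced by (K2 * u, K2)."""
    return xcbc(E, mul_u(k2), k2, msg)


def omac1(E, msg: bytes) -> bytes:
    """OMAC1 = XCBC with (K2, K3) replaced by (L * u, L * u^2), L = E_K(0^n)."""
    L = E.encrypt(bytes(N_BYTES))
    return xcbc(E, mul_u(L), mul_u(mul_u(L)), msg)


def omac2(E, msg: bytes) -> bytes:
    """OMAC2 = XCBC with (K2, K3) replaced by (L * u, L * u^{-1}), L = E_K(0^n)."""
    L = E.encrypt(bytes(N_BYTES))
    return xcbc(E, mul_u(L), mul_u_inv(L), msg)


def padding_is_distinguished(E, k2: bytes, k3: bytes) -> bool:
    """Constructed pair: M' short, M = pad_n(M') a full block. True iff their tags differ.
    With K2 = K3 = 0^n (plain padded CBC MAC) the two collide; the K2/K3 XOR separates them."""
    m_short = b"constructed"                 # 11 bytes, |M'| < n
    m_full = pad_n(m_short)                  # 16 bytes, |M| = n, same bytes after padding
    return xcbc(E, k2, k3, m_full) != xcbc(E, k2, k3, m_short)


if __name__ == "__main__":
    E = FeistelStandIn(b"constructed demo key")
    print("OMAC1:", omac1(E, b"hello").hex())
    print("OMAC2:", omac2(E, b"hello").hex())
    print("padded twin separated:", padding_is_distinguished(E, bytes(16), bytes(16)))
```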
  Algorithm OMAC-family_K(M)
    L ← E_K(Cst)
    Y[0] ← 0^n
    Partition M into M[1] ··· M[m]
    for i ← 1 to m − 1 do
      X[i] ← M[i] ⊕ Y[i − 1]
      Y[i] ← E_K(X[i])
    X[m] ← pad_n(M[m]) ⊕ Y[m − 1]
    if |M[m]| = n then X[m] ← X[m] ⊕ H_L(Cst_1)
                  else X[m] ← X[m] ⊕ H_L(Cst_2)
    T ← E_K(X[m])
    return T

Fig. 5. Definition of OMAC-family.

Fig. 6. Illustration of OMAC-family (left: $|M|$ is a multiple of $n$ and $H_L(\mathrm{Cst}_1)$ is XORed before the last $E_K$; right: $10^i$ padding is appended and $H_L(\mathrm{Cst}_2)$ is XORed before the last $E_K$).

3 Stronger Security Bounds

3.1 Definitions of Security

Our definitions follow from [1, 6, 11]. Let $\mathrm{Perm}(n)$ denote the set of all permutations on $\{0,1\}^n$. We say that $P$ is a random permutation if $P$ is randomly chosen from $\mathrm{Perm}(n)$.

The security of a block cipher $E$ can be quantified as $\mathrm{Adv}^{\mathrm{prp}}_E(t, q)$, the maximum advantage that an adversary $A$ can obtain when trying to distinguish $E_K(\cdot)$ (with a randomly chosen key $K$) from a random permutation $P(\cdot)$, where the maximum is over all adversaries who run in time at most $t$, and make at most $q$ queries to an oracle (which is either $E_K(\cdot)$ or $P(\cdot)$). This advantage is defined as follows.

$$\mathrm{Adv}^{\mathrm{prp}}_E(A) \stackrel{\mathrm{def}}{=} \left| \Pr(K \stackrel{R}{\leftarrow} \mathcal{K}_E : A^{E_K(\cdot)} = 1) - \Pr(P \stackrel{R}{\leftarrow} \mathrm{Perm}(n) : A^{P(\cdot)} = 1) \right|$$
$$\mathrm{Adv}^{\mathrm{prp}}_E(t, q) \stackrel{\mathrm{def}}{=} \max_A \{\mathrm{Adv}^{\mathrm{prp}}_E(A)\}$$

We say that a block cipher $E$ is secure if $\mathrm{Adv}^{\mathrm{prp}}_E(t, q)$ is sufficiently small (prp stands for Pseudorandom Permutation).

Similarly, a MAC algorithm is a map $F : \mathcal{K}_F \times \{0,1\}^* \to \{0,1\}^n$, where $\mathcal{K}_F$ is a set of keys and we write $F_K(\cdot)$ for $F(K, \cdot)$. We say that an adversary $A^{F_K(\cdot)}$ forges if $A$ outputs $(M, F_K(M))$ where $A$ never queried $M$ to its oracle $F_K(\cdot)$. Then we define the advantage as

$$\mathrm{Adv}^{\mathrm{mac}}_F(A) \stackrel{\mathrm{def}}{=} \Pr(K \stackrel{R}{\leftarrow} \mathcal{K}_F : A^{F_K(\cdot)} \text{ forges})$$
$$\mathrm{Adv}^{\mathrm{mac}}_F(t, q, \sigma) \stackrel{\mathrm{def}}{=} \max_A \{\mathrm{Adv}^{\mathrm{mac}}_F(A)\}$$

where the maximum is over all adversaries who run in time at most $t$, and make at most $q$ queries, having aggregate length of at most $\sigma$ blocks, where the aggregate length of $q$ queries $M^{(1)}, \ldots, M^{(q)}$ is $\sigma = \sum_{1 \le i \le q} \|M^{(i)}\|_n$. We say that a MAC algorithm is secure if $\mathrm{Adv}^{\mathrm{mac}}_F(t, q, \sigma)$ is sufficiently small.

Let $\mathrm{Rand}(*, n)$ denote the set of all functions from $\{0,1\}^*$ to $\{0,1\}^n$. This set is given a probability measure by asserting that a random element $R$ of $\mathrm{Rand}(*, n)$ associates to each string $M \in \{0,1\}^*$ a random string $R(M) \in \{0,1\}^n$. Then we define the advantage as

$$\mathrm{Adv}^{\mathrm{viprf}}_F(A) \stackrel{\mathrm{def}}{=} \left| \Pr(K \stackrel{R}{\leftarrow} \mathcal{K}_F : A^{F_K(\cdot)} = 1) - \Pr(R \stackrel{R}{\leftarrow} \mathrm{Rand}(*, n) : A^{R(\cdot)} = 1) \right|$$
$$\mathrm{Adv}^{\mathrm{viprf}}_F(t, q, \sigma) \stackrel{\mathrm{def}}{=} \max_A \{\mathrm{Adv}^{\mathrm{viprf}}_F(A)\}$$

where the maximum is over all adversaries who run in time at most $t$, make at most $q$ queries, having aggregate length of at most $\sigma$ blocks. We say that a MAC algorithm is pseudorandom if $\mathrm{Adv}^{\mathrm{viprf}}_F(t, q, \sigma)$ is sufficiently small (viprf stands for Variable-length Input Pseudorandom Function).

Without loss of generality, adversaries are assumed to never ask a query outside the domain of the oracle, and to never repeat a query.

3.2 Theorem Statements

We first prove that OMAC-family, TMAC-family and XCBC are pseudorandom if the underlying block cipher is a random permutation $P$ (information-theoretic result).

Lemma 3.1 (Main Lemma for OMAC-family) Suppose that $H$, $\mathrm{Cst}_1$ and $\mathrm{Cst}_2$ satisfy the conditions in Sec. 2.3.3 for some sufficiently small $\epsilon_1, \ldots, \epsilon_6$, and let $\mathrm{Cst}$ be an arbitrary $n$-bit constant. Suppose that a random permutation $P \in \mathrm{Perm}(n)$ is used in OMAC-family as the underlying block cipher. Let $A$ be an adversary which asks at most $q$ queries, having aggregate length of at most $\sigma$ blocks. Assume $\sigma \le 2^n/2$. Then

$$\left| \Pr(P \stackrel{R}{\leftarrow} \mathrm{Perm}(n) : A^{\mathrm{OMACfamily}_P(\cdot)} = 1) - \Pr(R \stackrel{R}{\leftarrow} \mathrm{Rand}(*, n) : A^{R(\cdot)} = 1) \right| \le \sigma^2 \left( \frac{5}{2^{n+1}} + \frac{3\epsilon}{2} \right) \qquad (2)$$

where $\epsilon = \max\{\epsilon_1, \ldots, \epsilon_6\}$.

Lemma 3.2 (Main Lemma for TMAC-family) Suppose that $H$, $\mathrm{Cst}_1$ and $\mathrm{Cst}_2$ satisfy the conditions in Sec. 2.3.2 for some sufficiently small $\epsilon_1, \epsilon_2, \epsilon_3$. Suppose that a random permutation $P \in \mathrm{Perm}(n)$ is used in TMAC-family as the underlying block cipher. Let $A$ be an adversary which asks at most $q$ queries, having aggregate length of at most $\sigma$ blocks. Assume $\sigma \le 2^n/2$. Then

$$\left| \Pr(P \stackrel{R}{\leftarrow} \mathrm{Perm}(n), K \stackrel{R}{\leftarrow} \mathcal{K}_H : A^{\mathrm{TMACfamily}_{P,K}(\cdot)} = 1) - \Pr(R \stackrel{R}{\leftarrow} \mathrm{Rand}(*, n) : A^{R(\cdot)} = 1) \right| \le \sigma^2 \left( \frac{5}{2^{n+1}} + \frac{\epsilon}{2} \right) \qquad (3)$$

where $\epsilon = \max\{\epsilon_1, \epsilon_2, \epsilon_3\}$.

Lemma 3.3 (Main Lemma for XCBC) Suppose that a random permutation $P \in \mathrm{Perm}(n)$ is used in XCBC as the underlying block cipher. Let $A$ be an adversary which asks at most $q$ queries, having aggregate length of at most $\sigma$ blocks. Assume $\sigma \le 2^n/2$. Then

$$\left| \Pr(P \stackrel{R}{\leftarrow} \mathrm{Perm}(n), K_2, K_3 \stackrel{R}{\leftarrow} \{0,1\}^n : A^{\mathrm{XCBC}_{P,K_2,K_3}(\cdot)} = 1) - \Pr(R \stackrel{R}{\leftarrow} \mathrm{Rand}(*, n) : A^{R(\cdot)} = 1) \right| \le \frac{3\sigma^2}{2^n}. \qquad (4)$$
Proofs are given in Sec. 4, Sec. 5, and Sec. 6, respectively. Given the above three lemmas, it is standard to pass to the following complexity-theoretic result (for example, see [1, Section 3.2]). It shows that OMAC, TMAC and XCBC are pseudorandom if the underlying block cipher is secure.

Corollary 3.1 Let $E : \mathcal{K}_E \times \{0,1\}^n \to \{0,1\}^n$ be the underlying block cipher used in OMAC, TMAC and XCBC. Then

$$\mathrm{Adv}^{\mathrm{viprf}}_{\mathrm{OMAC}}(t, q, \sigma) \le \frac{4\sigma^2}{2^n} + \mathrm{Adv}^{\mathrm{prp}}_E(t', q'), \text{ where } t' = t + O(\sigma) \text{ and } q' = \sigma + 1,$$
$$\mathrm{Adv}^{\mathrm{viprf}}_{\mathrm{TMAC}}(t, q, \sigma) \le \frac{3\sigma^2}{2^n} + \mathrm{Adv}^{\mathrm{prp}}_E(t', q'), \text{ where } t' = t + O(\sigma) \text{ and } q' = \sigma, \text{ and}$$
$$\mathrm{Adv}^{\mathrm{viprf}}_{\mathrm{XCBC}}(t, q, \sigma) \le \frac{3\sigma^2}{2^n} + \mathrm{Adv}^{\mathrm{prp}}_E(t', q'), \text{ where } t' = t + O(\sigma) \text{ and } q' = \sigma.$$

Finally, we obtain the following theorem in the usual way (for example, see [1, Proposition 2.7]). It shows that OMAC, TMAC and XCBC are secure as MACs if the underlying block cipher is secure.

Theorem 3.1 Let $E : \mathcal{K}_E \times \{0,1\}^n \to \{0,1\}^n$ be the underlying block cipher used in OMAC, TMAC and XCBC. Then

$$\mathrm{Adv}^{\mathrm{mac}}_{\mathrm{OMAC}}(t, q, \sigma) \le \frac{4\sigma^2 + 1}{2^n} + \mathrm{Adv}^{\mathrm{prp}}_E(t', q'), \text{ where } t' = t + O(\sigma) \text{ and } q' = \sigma + 1,$$
$$\mathrm{Adv}^{\mathrm{mac}}_{\mathrm{TMAC}}(t, q, \sigma) \le \frac{3\sigma^2 + 1}{2^n} + \mathrm{Adv}^{\mathrm{prp}}_E(t', q'), \text{ where } t' = t + O(\sigma) \text{ and } q' = \sigma, \text{ and}$$
$$\mathrm{Adv}^{\mathrm{mac}}_{\mathrm{XCBC}}(t, q, \sigma) \le \frac{3\sigma^2 + 1}{2^n} + \mathrm{Adv}^{\mathrm{prp}}_E(t', q'), \text{ where } t' = t + O(\sigma) \text{ and } q' = \sigma.$$

4 Proof for OMAC-family

4.1 $Q_1, \ldots, Q_6$ and MOMAC [8]

Let $H$, $\mathrm{Cst}_1$ and $\mathrm{Cst}_2$ satisfy the conditions in Sec. 2.3.3 for some sufficiently small $\epsilon_1, \ldots, \epsilon_6$, and let $\mathrm{Cst}$ be an arbitrary $n$-bit constant. For a random permutation $P \in \mathrm{Perm}(n)$ and a random $n$-bit string $\mathrm{Rnd} \in \{0,1\}^n$, define

$$Q_1(x) \stackrel{\mathrm{def}}{=} P(x) \oplus \mathrm{Rnd}, \quad Q_2(x) \stackrel{\mathrm{def}}{=} P(x \oplus \mathrm{Rnd}) \oplus \mathrm{Rnd}, \quad Q_3(x) \stackrel{\mathrm{def}}{=} P(x \oplus \mathrm{Rnd} \oplus H_L(\mathrm{Cst}_1)),$$
$$Q_4(x) \stackrel{\mathrm{def}}{=} P(x \oplus \mathrm{Rnd} \oplus H_L(\mathrm{Cst}_2)), \quad Q_5(x) \stackrel{\mathrm{def}}{=} P(x \oplus H_L(\mathrm{Cst}_1)) \quad \text{and} \quad Q_6(x) \stackrel{\mathrm{def}}{=} P(x \oplus H_L(\mathrm{Cst}_2)),$$

where $L = P(\mathrm{Cst})$. The following proposition shows that $Q_1(\cdot), Q_2(\cdot), Q_3(\cdot), Q_4(\cdot), Q_5(\cdot), Q_6(\cdot)$ are indistinguishable from a tuple of six independent random permutations $P_1(\cdot), P_2(\cdot), P_3(\cdot), P_4(\cdot), P_5(\cdot), P_6(\cdot)$.

Proposition 4.1 Let $A$ be an adversary which asks at most $q$ queries in total. Then

$$\left| \Pr(P \stackrel{R}{\leftarrow} \mathrm{Perm}(n);\ \mathrm{Rnd} \stackrel{R}{\leftarrow} \{0,1\}^n : A^{Q_1(\cdot), \ldots, Q_6(\cdot)} = 1) - \Pr(P_1, \ldots, P_6 \stackrel{R}{\leftarrow} \mathrm{Perm}(n) : A^{P_1(\cdot), \ldots, P_6(\cdot)} = 1) \right| \le \frac{3q^2}{2} \left( \frac{1}{2^n} + \epsilon \right), \qquad (5)$$

where $\epsilon = \max\{\epsilon_1, \ldots, \epsilon_6\}$.
A proof is given in [8].

Next, we recall MOMAC (Modified OMAC) [8]. It uses six independent random permutations $P_1, P_2, P_3, P_4, P_5, P_6 \in \mathrm{Perm}(n)$. The algorithm $\mathrm{MOMAC}_{P_1, \ldots, P_6}(\cdot)$ is described in Fig. 7 and illustrated in Fig. 8 and Fig. 9.

  Algorithm MOMAC_{P_1,P_2,P_3,P_4,P_5,P_6}(M)
    Partition M into M[1] ··· M[m]
    if m ≥ 2 then
      X[1] ← M[1]
      Y[1] ← P_1(X[1])
      for i ← 2 to m − 1 do
        X[i] ← M[i] ⊕ Y[i − 1]
        Y[i] ← P_2(X[i])
      X[m] ← pad_n(M[m]) ⊕ Y[m − 1]
      if |M[m]| = n then T ← P_3(X[m])
                    else T ← P_4(X[m])
    if m = 1 then
      X[m] ← pad_n(M[m])
      if |M[m]| = n then T ← P_5(X[m])
                    else T ← P_6(X[m])
    return T

Fig. 7. Definition of MOMAC.

Fig. 8. Illustration of MOMAC for $|M| > n$ ($P_1$ on the first block, $P_2$ on the middle blocks, $P_3$ on a full last block and $P_4$ on a $10^i$-padded last block).

Fig. 9. Illustration of MOMAC for $|M| \le n$ ($P_5$ on a full block, $P_6$ on a $10^i$-padded block).

4.2 MOMAC is Pseudorandom

We prove that MOMAC is pseudorandom (information-theoretic result).

Lemma 4.1 Let $A$ be an adversary which asks at most $q$ queries, having aggregate length of at most $\sigma$ blocks. Assume $\sigma \le 2^n/2$. Then

$$\left| \Pr(P_1, \ldots, P_6 \stackrel{R}{\leftarrow} \mathrm{Perm}(n) : A^{\mathrm{MOMAC}_{P_1, \ldots, P_6}(\cdot)} = 1) - \Pr(R \stackrel{R}{\leftarrow} \mathrm{Rand}(*, n) : A^{R(\cdot)} = 1) \right| \le \frac{\sigma^2}{2^n}.$$

To prove Lemma 4.1, we first define MOMACE (MOMAC without final encryption). It takes a message $M$ such that $|M| = mn$ for some $m \ge 2$. It is obtained from MOMAC by removing the final encryption, that is, it uses two independent random permutations $P_1, P_2 \in \mathrm{Perm}(n)$. More precisely, the algorithm $\mathrm{MOMACE}_{P_1,P_2}(\cdot)$ is described in Fig. 10.

  Algorithm MOMACE_{P_1,P_2}(M)
    Partition M into M[1] ··· M[m]
    X[1] ← M[1]
    Y[1] ← P_1(X[1])
    for i ← 2 to m − 1 do
      X[i] ← M[i] ⊕ Y[i − 1]
      Y[i] ← P_2(X[i])
    X[m] ← M[m] ⊕ Y[m − 1]
    return X[m]

Fig. 10. Definition of MOMACE. Note that $|M| = mn$ for some $m \ge 2$.

We first show the following lemma.

Lemma 4.2 (MOMACE Collision Bound) Let $q, m_1, \ldots, m_q$ and $\sigma$ be integers such that $m_i \ge 2$, $\sigma = m_1 + \cdots + m_q$, and $\sigma \le 2^n/2$. Let $M^{(1)}, \ldots, M^{(q)}$ be fixed and distinct bit strings such that $|M^{(i)}| = m_i n$. Then the probability of collision,

$$\Pr(P_1, P_2 \stackrel{R}{\leftarrow} \mathrm{Perm}(n) : \exists\, 1 \le i < j \le q,\ \mathrm{MOMACE}_{P_1,P_2}(M^{(i)}) = \mathrm{MOMACE}_{P_1,P_2}(M^{(j)})),$$

is at most $(\sigma - q)^2 / 2^n$.

Proof. We view the computation of $\mathrm{MOMACE}_{P_1,P_2}(M^{(i)})$ as playing the game given in Fig. 11. In Fig. 11, $M^{(i)}[1] \cdots M^{(i)}[m_i]$ is a partition of $M^{(i)}$. We initially set each range point of $P_1$ and $P_2$ as undefined. The notation $\mathrm{Domain}(P_i)$ denotes the set of points $x$ where $P_i(x)$ is no longer undefined. We use $\mathrm{Range}(P_i)$ to denote the set of points $P_i(x)$ which are no longer undefined. We use $\overline{\mathrm{Range}}(P_i)$ to denote $\{0,1\}^n \setminus \mathrm{Range}(P_i)$. During the game, the $X^{(i)}[j]$ are those values produced after XORing with the current message block $M^{(i)}[j]$, $Y^{(i)}[1]$ values are $P_1(X^{(i)}[1])$ and, for $j \ge 2$, $Y^{(i)}[j]$ values are $P_2(X^{(i)}[j])$. The game has two parts: computation of $X^{(1)}[2], \ldots, X^{(q)}[2]$ (lines 11–23) and computation of $X^{(1)}[m_1], \ldots, X^{(q)}[m_q]$ (lines 31–45).

We examine the probability that $P_1$ and $P_2$ cause a collision, which will occur in our game if and only if $X^{(i)}[m_i] = X^{(j)}[m_j]$ for some $1 \le i < j \le q$. This condition will set $\mathit{bad}_1$ or $\mathit{bad}_2$ to true. However, we set $\mathit{bad}_i$ to true in many other cases in order to simplify the analysis. The idea behind the variable $\mathit{bad}_i$ is as follows: throughout the game (lines 13 and 35), we randomly choose a range value for $P_1$ and $P_2$ at some undefined domain point.
Since $P_1$ and $P_2$ have not yet been determined at this point, the choice of our range value will be an independent uniform selection: there is no dependence on any prior choice. If the range value for $P_i$ were already determined by some earlier choice, the analysis would become more involved. We avoid the latter condition by setting $\mathit{bad}_i$ to true whenever such interdependencies are detected. The detection mechanism works as follows: throughout the processing of $M^{(1)}, \ldots, M^{(q)}$, we will require $P_1$ be evaluated at $q$ domain points $X^{(1)}[1], \ldots, X^{(q)}[1]$ and $P_2$ be evaluated at $\sigma - q$ domain points $X^{(1)}[2], \ldots, X^{(1)}[m_1], \ldots, X^{(q)}[2], \ldots, X^{(q)}[m_q]$ (ignoring duplications due to any common prefix of $M^{(1)}, \ldots, M^{(q)}$); we can rest assured that we are free to assign their corresponding range points without constraint. We maintain a set $\mathrm{BAD}$ to track which domain points of $P_2$ have already been determined. Next we begin randomly choosing range points for $X^{(i)}[j]$; if any such choice leads to a value already contained in $\mathrm{BAD}$, we set $\mathit{bad}_i$ to true. Note that the choice of $Y^{(i)}[j]$ for $X^{(i)}[j]$ may automatically determine some other $Y^{(k)}[j]$ for $X^{(k)}[j]$ due to a common prefix of $M^{(1)}, \ldots, M^{(q)}$. We maintain sets $\mathrm{Index}$ and $\mathrm{BAD}'$ to track such points.

  Initialization:
   1:  for i ← 1 to q do X^{(i)}[1] ← M^{(i)}[1];
   2:  for all x ∈ {0,1}^n do P_1(x), P_2(x) ← undefined;
   3:  bad_1, bad_2 ← false; BAD ← ∅;
  Computation of X^{(1)}[2], ..., X^{(q)}[2]:
  11:  for i ← 1 to q do
  12:    if X^{(i)}[1] ∉ Domain(P_1) then
  13:      Y^{(i)}[1] ← Range̅(P_1);            (uniform choice from {0,1}^n \ Range(P_1))
  14:      P_1(X^{(i)}[1]) ← Y^{(i)}[1];
  15:      X^{(i)}[2] ← Y^{(i)}[1] ⊕ M^{(i)}[2];
  16:      BAD' ← {X^{(i)}[2]};
  17:      Index ← {k | i + 1 ≤ k ≤ q and X^{(i)}[1] = X^{(k)}[1]};
  18:      for all k ∈ Index do
  19:        Y^{(k)}[1] ← Y^{(i)}[1];
  20:        X^{(k)}[2] ← Y^{(k)}[1] ⊕ M^{(k)}[2];
  21:        BAD' ← BAD' ∪ {X^{(k)}[2]};
  22:      if BAD ∩ BAD' ≠ ∅ then bad_1 ← true;
  23:      else BAD ← BAD ∪ BAD';
  Computation of X^{(1)}[m_1], ..., X^{(q)}[m_q]:
  31:  for j ← 2 to σ do
  32:    for i ← 1 to q do
  33:      if j < m_i then
  34:        if X^{(i)}[j] ∉ Domain(P_2) then
  35:          Y^{(i)}[j] ← Range̅(P_2);        (uniform choice from {0,1}^n \ Range(P_2))
  36:          P_2(X^{(i)}[j]) ← Y^{(i)}[j];
  37:          X^{(i)}[j + 1] ← Y^{(i)}[j] ⊕ M^{(i)}[j + 1];
  38:          BAD' ← {X^{(i)}[j + 1]};
  39:          Index ← {k | i + 1 ≤ k ≤ q, j < m_k and X^{(i)}[j] = X^{(k)}[j]};
  40:          for all k ∈ Index do
  41:            Y^{(k)}[j] ← Y^{(i)}[j];
  42:            X^{(k)}[j + 1] ← Y^{(k)}[j] ⊕ M^{(k)}[j + 1];
  43:            BAD' ← BAD' ∪ {X^{(k)}[j + 1]};
  44:          if BAD ∩ BAD' ≠ ∅ then bad_2 ← true;
  45:          else BAD ← BAD ∪ BAD';

Fig. 11. Game used in the proof of Lemma 4.2.

We now bound the probability of the event that $\mathit{bad}_1 \leftarrow \mathrm{true}$ and $\mathit{bad}_2 \leftarrow \mathrm{true}$ by analyzing our game.

Bounding the probability of $\mathit{bad}_1 \leftarrow \mathrm{true}$. In line 22, it is required that some $Y^{(i)}[1]$ was selected in line 13 such that $Y^{(i)}[1] \oplus M^{(i)}[2] \in \mathrm{BAD}$, or $Y^{(i)}[1] \oplus M^{(k)}[2] \in \mathrm{BAD}$ for some $k \in \mathrm{Index}$. The set $\mathrm{BAD}$ begins with the empty set and then grows by the number of points in $\mathrm{BAD}'$ with each random choice of $Y^{(i)}[1]$. Now, suppose that for the $t$-th process of line 13, the corresponding $\mathrm{BAD}'$ after line 21 has $l_t$ points, assuming that $\mathit{bad}_1$ is false for the first $t - 1$ processes of line 13. Define

$$V(t) \stackrel{\mathrm{def}}{=} \Pr_{\text{line 13}}(\mathit{bad}_1 \leftarrow \mathrm{true} \text{ at the } t\text{-th choice of } Y^{(i)}[1] \mid \mathit{bad}_1 \text{ is false before choosing } Y^{(i)}[1]),$$

where $\Pr_{\text{line 13}}(\cdot)$ shows that the probability is taken over the random choice in line 13. Then we have

$$V(t) = \frac{(l_1 + \cdots + l_{t-1})\, l_t}{2^n - (t - 1)},$$

since $P_1$ has $2^n - (t - 1)$ undefined domain points, $\mathrm{BAD}$ has $(l_1 + \cdots + l_{t-1})$ points, and $\mathrm{BAD}'$ has $l_t$ points. Also, suppose that lines 11–23 terminate after $s$ processes of line 13. Then we have

$$\Pr_{\text{line 13}}(\mathit{bad}_1 \leftarrow \mathrm{true}) \le \sum_{1 \le t \le s} V(t) = \sum_{1 \le t \le s} \frac{(l_1 + \cdots + l_{t-1})\, l_t}{2^n - (t - 1)}.$$

Now we can bound the above by

$$\sum_{1 \le t \le s} \frac{(l_1 + \cdots + l_{t-1})\, l_t}{2^n - (t - 1)} \le \frac{2}{2^n} \sum_{1 \le t \le s} (l_1 + \cdots + l_{t-1})\, l_t = \frac{2}{2^n} \cdot \frac{l_0^2 - l_1^2 - \cdots - l_s^2}{2} \le \frac{l_0^2}{2^n},$$

where $l_0 \stackrel{\mathrm{def}}{=} l_1 + \cdots + l_s$. The first inequality follows since $s$ is at most $q$, which is at most $2^n/2$.

Bounding the probability of $\mathit{bad}_2 \leftarrow \mathrm{true}$. Next, in line 44, it is required that some $Y^{(i)}[j]$ was selected in line 35 such that $Y^{(i)}[j] \oplus M^{(i)}[j+1] \in \mathrm{BAD}$, or $Y^{(i)}[j] \oplus M^{(k)}[j+1] \in \mathrm{BAD}$ for some $k \in \mathrm{Index}$. The set $\mathrm{BAD}$ begins with $l_0$ points. It grows by the number of points in $\mathrm{BAD}'$ with each random choice of $Y^{(i)}[j]$. Now, suppose that for the $t'$-th process of line 35, the corresponding $\mathrm{BAD}'$ after line 43 has $l'_{t'}$ points, assuming that $\mathit{bad}_2$ is false for the first $t' - 1$ processes of line 35. Define

$$V'(t') \stackrel{\mathrm{def}}{=} \Pr_{\text{line 35}}(\mathit{bad}_2 \leftarrow \mathrm{true} \text{ at the } t'\text{-th choice of } Y^{(i)}[j] \mid \mathit{bad}_2 \text{ is false before choosing } Y^{(i)}[j]),$$

where $\Pr_{\text{line 35}}(\cdot)$ shows that the probability is taken over the random choice in line 35. Then we have

$$V'(t') = \frac{(l_0 + l'_1 + \cdots + l'_{t'-1})\, l'_{t'}}{2^n - (t' - 1)},$$

since $P_2$ has $2^n - (t' - 1)$ undefined domain points, $\mathrm{BAD}$ has $(l_0 + l'_1 + \cdots + l'_{t'-1})$ points, and $\mathrm{BAD}'$ has $l'_{t'}$ points. Also, suppose that the game terminates after $s'$ processes of line 35. Then we have

$$\Pr_{\text{line 35}}(\mathit{bad}_2 \leftarrow \mathrm{true}) \le \sum_{1 \le t' \le s'} V'(t') = \sum_{1 \le t' \le s'} \frac{(l_0 + l'_1 + \cdots + l'_{t'-1})\, l'_{t'}}{2^n - (t' - 1)}.$$

Now we can bound the above by

$$\sum_{1 \le t' \le s'} \frac{(l_0 + l'_1 + \cdots + l'_{t'-1})\, l'_{t'}}{2^n - (t' - 1)} \le \frac{2}{2^n} \sum_{1 \le t' \le s'} (l_0 + l'_1 + \cdots + l'_{t'-1})\, l'_{t'} \le \frac{(\sigma - q)^2 - l_0^2}{2^n},$$

where the first inequality follows since $s'$ is at most $\sigma$, which is at most $2^n/2$, and the second inequality follows since $\sigma - q \ge l_0 + l'_1 + \cdots + l'_{s'}$ and

$$2 \sum_{1 \le t' \le s'} (l_0 + l'_1 + \cdots + l'_{t'-1})\, l'_{t'} \le (\sigma - q)^2 - l_0^2 - l_1'^2 - \cdots - l_{s'}'^2 \le (\sigma - q)^2 - l_0^2.$$

Completing the Proof. Finally, we obtain the stated bound since

$$\Pr_{\text{line 13}}(\mathit{bad}_1 \leftarrow \mathrm{true}) + \Pr_{\text{line 35}}(\mathit{bad}_2 \leftarrow \mathrm{true}) \le \frac{l_0^2}{2^n} + \frac{(\sigma - q)^2 - l_0^2}{2^n} = \frac{(\sigma - q)^2}{2^n}.$$

Q.E.D.

We next consider the following four sets.

$$D_1 \stackrel{\mathrm{def}}{=} \{M \mid M \in \{0,1\}^*,\ n < |M| \text{ and } |M| \text{ is a multiple of } n\}$$
$$D_2 \stackrel{\mathrm{def}}{=} \{M \mid M \in \{0,1\}^*,\ n < |M| \text{ and } |M| \text{ is not a multiple of } n\}$$
$$D_3 \stackrel{\mathrm{def}}{=} \{M \mid M \in \{0,1\}^* \text{ and } |M| = n\}$$
$$D_4 \stackrel{\mathrm{def}}{=} \{M \mid M \in \{0,1\}^* \text{ and } |M| < n\}$$

We show the following lemma.

Lemma 4.3 Let $q_1, q_2, q_3, q_4$ be four non-negative integers. For $1 \le i \le 4$, let $M_i^{(1)}, \ldots, M_i^{(q_i)}$ be fixed bit strings such that $M_i^{(j)} \in D_i$ for $1 \le j \le q_i$ and $\{M_i^{(1)}, \ldots, M_i^{(q_i)}\}$ are distinct. Similarly, for $1 \le i \le 4$, let $T_i^{(1)}, \ldots, T_i^{(q_i)}$ be fixed $n$-bit strings such that $\{T_i^{(1)}, \ldots, T_i^{(q_i)}\}$ are distinct. Then the number of $P_1, \ldots, P_6 \in \mathrm{Perm}(n)$ such that

$$\begin{cases} \mathrm{MOMAC}_{P_1, \ldots, P_6}(M_1^{(i)}) = T_1^{(i)} & \text{for } 1 \le i \le q_1, \\ \mathrm{MOMAC}_{P_1, \ldots, P_6}(M_2^{(i)}) = T_2^{(i)} & \text{for } 1 \le i \le q_2, \\ \mathrm{MOMAC}_{P_1, \ldots, P_6}(M_3^{(i)}) = T_3^{(i)} & \text{for } 1 \le i \le q_3 \text{ and} \\ \mathrm{MOMAC}_{P_1, \ldots, P_6}(M_4^{(i)}) = T_4^{(i)} & \text{for } 1 \le i \le q_4 \end{cases} \qquad (6)$$

is at least

$$\{(2^n)!\}^6 \left( 1 - \frac{(\sigma - q)^2}{2^n} \right) \frac{1}{2^{qn}},$$

where $q = q_1 + \cdots + q_4$, $\sigma_i = \sum_{1 \le j \le q_i} \|M_i^{(j)}\|_n$ and $\sigma = \sigma_1 + \cdots + \sigma_4$.
Proof. We first consider $M_1^{(1)}, \ldots, M_1^{(q_1)}$. The number of $(P_1, P_2)$ such that $\mathrm{MOMACE}_{P_1,P_2}(M_1^{(i)}) = \mathrm{MOMACE}_{P_1,P_2}(M_1^{(j)})$ for some $1 \le i < j \le q_1$ is at most

$$\{(2^n)!\}^2 \cdot \frac{(\sigma_1 - q_1)^2}{2^n}$$

from Lemma 4.2.

We next consider $M_2^{(1)}, \ldots, M_2^{(q_2)}$. Let $\overline{M}_2^{(i)}$ denote the padded message of $M_2^{(i)}$. Then the number of $(P_1, P_2)$ such that $\mathrm{MOMACE}_{P_1,P_2}(\overline{M}_2^{(i)}) = \mathrm{MOMACE}_{P_1,P_2}(\overline{M}_2^{(j)})$ for some $1 \le i < j \le q_2$ is at most

$$\{(2^n)!\}^2 \cdot \frac{(\sigma_2 - q_2)^2}{2^n}$$

from Lemma 4.2.

Therefore, we have at least

$$\{(2^n)!\}^2 \left( 1 - \frac{(\sigma_1 - q_1)^2}{2^n} - \frac{(\sigma_2 - q_2)^2}{2^n} \right)$$

choices of $(P_1, P_2)$ such that

$$\begin{cases} \mathrm{MOMACE}_{P_1,P_2}(M_1^{(i)}) \ne \mathrm{MOMACE}_{P_1,P_2}(M_1^{(j)}) & \text{for } 1 \le i < j \le q_1 \text{ and} \\ \mathrm{MOMACE}_{P_1,P_2}(\overline{M}_2^{(i)}) \ne \mathrm{MOMACE}_{P_1,P_2}(\overline{M}_2^{(j)}) & \text{for } 1 \le i < j \le q_2. \end{cases} \qquad (7)$$

We fix any $(P_1, P_2)$ which satisfies (7). Now $P_1$ and $P_2$ are fixed in such a way that the inputs to $P_3$ are distinct and the inputs to $P_4$ are distinct. Also, the corresponding outputs $\{T_1^{(1)}, \ldots, T_1^{(q_1)}\}$ are distinct, and $\{T_2^{(1)}, \ldots, T_2^{(q_2)}\}$ are distinct. We know that the inputs to $P_5$ are distinct, and the corresponding outputs $\{T_3^{(1)}, \ldots, T_3^{(q_3)}\}$ are distinct. Also, the inputs to $P_6$ are distinct, and the corresponding outputs $\{T_4^{(1)}, \ldots, T_4^{(q_4)}\}$ are distinct. Therefore, we have at least

$$\{(2^n)!\}^2\, (2^n - q_1)!\, (2^n - q_2)!\, (2^n - q_3)!\, (2^n - q_4)! \left( 1 - \frac{(\sigma_1 - q_1)^2}{2^n} - \frac{(\sigma_2 - q_2)^2}{2^n} \right)$$

choices of $P_1, \ldots, P_6$ which satisfy (6). This bound is at least

$$\{(2^n)!\}^6 \left( 1 - \frac{(\sigma - q)^2}{2^n} \right) \frac{1}{2^{qn}}$$

since $(\sigma - q)^2 \ge (\sigma_1 - q_1)^2 + (\sigma_2 - q_2)^2$ and $(2^n - q_i)! \ge (2^n)! / 2^{q_i n}$. This concludes the proof of the lemma. Q.E.D.

We now prove Lemma 4.1.

Proof (of Lemma 4.1). Let $O$ be either $\mathrm{MOMAC}_{P_1, \ldots, P_6}$ or $R$. Since $A$ is computationally unbounded, there is no loss of generality to assume that $A$ is deterministic. Now for the queries $A$ makes to the oracle $O$, define the query-answer pairs $(M_j^{(i)}, T_j^{(i)}) \in D_j \times \{0,1\}^n$, where $A$'s $i$-th query in $D_j$ was $M_j^{(i)} \in D_j$ and the answer it got was $T_j^{(i)} \in \{0,1\}^n$. Suppose that we run $A$ with the oracle. For this run, assume that $A$ made $q_j$ queries in $D_j$, where $1 \le j \le 4$ and $q_1 + \cdots + q_4 = q$. Also, for $1 \le i \le 4$, let $\sigma_i = \sum_{1 \le j \le q_i} \|M_i^{(j)}\|_n$ (therefore, $q_3 = \sigma_3$ and $q_4 = \sigma_4$). For this run, we define the view $v$ of $A$ as

$$v \stackrel{\mathrm{def}}{=} \left( (T_1^{(1)}, \ldots, T_1^{(q_1)}),\ (T_2^{(1)}, \ldots, T_2^{(q_2)}),\ (T_3^{(1)}, \ldots, T_3^{(q_3)}),\ (T_4^{(1)}, \ldots, T_4^{(q_4)}) \right). \qquad (8)$$

Since $A$ is deterministic, the $i$-th query $A$ makes is fully determined by the first $i - 1$ query-answer pairs. This implies that if we fix some $qn$-bit string $V$ and return the $i$-th $n$-bit block as the answer for the $i$-th query $A$ makes (instead of the oracle), then $A$'s queries are uniquely determined, $q_1, \ldots, q_4$ are uniquely determined, $\sigma_1, \ldots, \sigma_4$ are uniquely determined, the parsing of $V$ into the format defined in (8) is uniquely determined, and the final output of $A$ (0 or 1) is uniquely determined.

Let $\mathcal{V}_{\mathrm{one}}$ be the set of all $qn$-bit strings $V$ such that $A$ outputs 1. We let $N_{\mathrm{one}} \stackrel{\mathrm{def}}{=} \#\mathcal{V}_{\mathrm{one}}$. Also, let $\mathcal{V}_{\mathrm{good}}$ be the set of all $qn$-bit strings $V$ such that: for $1 \le i < j \le q$, the $i$-th $n$-bit block of $V \ne$ the $j$-th $n$-bit block of $V$. Note that if $V \in \mathcal{V}_{\mathrm{good}}$, then the corresponding parsing $v$ of $V$ satisfies that: $\{T_1^{(1)}, \ldots, T_1^{(q_1)}\}$ are distinct, $\{T_2^{(1)}, \ldots, T_2^{(q_2)}\}$ are distinct, $\{T_3^{(1)}, \ldots, T_3^{(q_3)}\}$ are distinct and $\{T_4^{(1)}, \ldots, T_4^{(q_4)}\}$ are distinct.

Now observe that the number of $V$ which are not in the set $\mathcal{V}_{\mathrm{good}}$ is at most $\binom{q}{2} \frac{2^{qn}}{2^n}$. Therefore, we have

$$\#\{V \mid V \in (\mathcal{V}_{\mathrm{one}} \cap \mathcal{V}_{\mathrm{good}})\} \ge N_{\mathrm{one}} - \binom{q}{2} \frac{2^{qn}}{2^n}. \qquad (9)$$

Evaluation of $p_{\mathrm{rand}}$. We first evaluate $p_{\mathrm{rand}} \stackrel{\mathrm{def}}{=} \Pr(R \stackrel{R}{\leftarrow} \mathrm{Rand}(*, n) : A^{R(\cdot)} = 1)$. Then it is not hard to see

$$p_{\mathrm{rand}} = \sum_{V \in \mathcal{V}_{\mathrm{one}}} \frac{1}{2^{qn}} = \frac{N_{\mathrm{one}}}{2^{qn}}.$$

Evaluation of $p_{\mathrm{real}}$. We next evaluate

$$p_{\mathrm{real}} \stackrel{\mathrm{def}}{=} \Pr(P_1, \ldots, P_6 \stackrel{R}{\leftarrow} \mathrm{Perm}(n) : A^{\mathrm{MOMAC}_{P_1, \ldots, P_6}(\cdot)} = 1) = \frac{\#\{(P_1, \ldots, P_6) \mid A^{\mathrm{MOMAC}_{P_1, \ldots, P_6}(\cdot)} = 1\}}{\{(2^n)!\}^6}.$$

Then from Lemma 4.3, we have

$$p_{\mathrm{real}} \ge \sum_{V \in (\mathcal{V}_{\mathrm{one}} \cap \mathcal{V}_{\mathrm{good}})} \frac{\#\{(P_1, \ldots, P_6) \mid (P_1, \ldots, P_6) \text{ satisfying (6)}\}}{\{(2^n)!\}^6} \ge \sum_{V \in (\mathcal{V}_{\mathrm{one}} \cap \mathcal{V}_{\mathrm{good}})} \left( 1 - \frac{(\sigma - q)^2}{2^n} \right) \frac{1}{2^{qn}}.$$
19 Completing the Proof. p real From (9) we have ( ( ) ) ( ) q qn (σ q) 1 N one n 1 n qn ( ( ) ) ( ) q 1 (σ q) = p rand n 1 n ( ) q 1 (σ q) p rand n n p rand q +(σ q) n p rand σ n. (10) Applying the same argument to 1 p real and 1 p rand yields that 1 p real 1 p rand σ n. (11) Finally, (10) and (11) give p real p rand σ. n Q.E.D. 4.3 From MOMAC to OMACfamily he next lemma shows that OMACfamily P ( ) and MOMAC P1,...,P 6 ( ) are indistinguishable. Lemma 4.4 Let A be an adversary which asks at most q queries, having aggregate length of at most σ blocks. Assume σ n /. hen Pr(P Perm(n) :A OMACfamily P ( ) =1) Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1) 3σ ( 1 n + ɛ ) Proof. We prove through a contradiction argument. Suppose that there exists an adversary A such that Pr(P Perm(n) :A OMACfamily P ( ) =1) ( ) Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1) > 3σ 1 n + ɛ. By using A, we show a construction of an adversary B A such that: B A asks at most σ queries, and Pr(P Perm(n) :B Q 1( ),...,Q 6 ( ) A =1) ( ) P Pr(P 1,...,P 6 Perm(n) :B 1 ( ),...,P 6 ( ) A =1) > 3σ 1 n + ɛ, which contradicts Proposition 4.1. Let O 1 ( ),...,O 6 ( ) beb A s oracles. he construction of B A is given in Fig. 1. When A asks M (r), then B A computes (r) = MOMAC O1,...,O 6 (M (r) ) as if the underlying random permutations are O 1,...,O 6, and returns (r). When A halts and outputs b, then B A outputs b. Now we see that:. 17
Algorithm $B_A^{O_1,\dots,O_6}$
1: When A asks its $r$-th query $M^{(r)}$:
2:   $T^{(r)} \leftarrow \mathrm{MOMAC}_{O_1,\dots,O_6}(M^{(r)})$
3:   return $T^{(r)}$
4: When A halts and outputs $b$:
5:   output $b$

Fig. 12. Algorithm $B_A$. Note that for $1 \le i \le 6$, $O_i$ is either $P_i$ or $Q_i$.

Fig. 13. Computation of $B_A$ when $O_i = Q_i$ for $1 \le i \le 6$, and $|M| > n$.

Fig. 14. Computation of $B_A$ when $O_i = Q_i$ for $1 \le i \le 6$, and $|M| \le n$.

- $B_A$ asks at most $\sigma$ queries to its oracles, since A asks at most $q$ queries having aggregate length of at most $\sigma$ blocks.
- $\Pr(P_1,\dots,P_6 \leftarrow \mathrm{Perm}(n) : B_A^{P_1(\cdot),\dots,P_6(\cdot)} = 1) = \Pr(P_1,\dots,P_6 \leftarrow \mathrm{Perm}(n) : A^{\mathrm{MOMAC}_{P_1,\dots,P_6}(\cdot)} = 1)$, since $B_A$ gives A a perfect simulation of $\mathrm{MOMAC}_{P_1,\dots,P_6}(\cdot)$ if $O_i(\cdot) = P_i(\cdot)$ for $1 \le i \le 6$.
- $\Pr(P \leftarrow \mathrm{Perm}(n) : B_A^{Q_1(\cdot),\dots,Q_6(\cdot)} = 1) = \Pr(P \leftarrow \mathrm{Perm}(n) : A^{\mathrm{OMAC\text{-}family}_P(\cdot)} = 1)$, since $B_A$ gives A a perfect simulation of OMAC-family$_P(\cdot)$ if $O_i(\cdot) = Q_i(\cdot)$ for $1 \le i \le 6$. See Fig. 13 and Fig. 14. Note that Rnd is canceled in Fig. 13.

This concludes the proof of the lemma. Q.E.D.

4.4 Proof of Main Lemma for OMAC-family

We finally give a proof of Main Lemma for OMAC-family.

Proof (of Lemma 3.1). By the triangle inequality, the left hand side of (2) is at most

$$\left|\Pr(P_1,\dots,P_6 \leftarrow \mathrm{Perm}(n) : A^{\mathrm{MOMAC}_{P_1,\dots,P_6}(\cdot)} = 1) - \Pr(R \leftarrow \mathrm{Rand}(*,n) : A^{R(\cdot)} = 1)\right| \quad (12)$$

$$+ \left|\Pr(P \leftarrow \mathrm{Perm}(n) : A^{\mathrm{OMAC\text{-}family}_P(\cdot)} = 1) - \Pr(P_1,\dots,P_6 \leftarrow \mathrm{Perm}(n) : A^{\mathrm{MOMAC}_{P_1,\dots,P_6}(\cdot)} = 1)\right|. \quad (13)$$

Lemma 4.1 gives us an upper bound on (12) and Lemma 4.4 gives us an upper bound on (13). Therefore the bound follows since

$$\frac{2\sigma^2}{2^n} + 3\sigma^2\left(\frac{1}{2^n} + \epsilon\right) = \sigma^2\left(\frac{5}{2^n} + 3\epsilon\right).$$

This concludes the proof of the lemma. Q.E.D.

5 Proof for TMAC-family

5.1 $Q_1, Q_2, Q_3$ [9] and FCBC [3]

Let $H$, $Cst_1$ and $Cst_2$ satisfy the conditions in Sec. 2.3.2 for some sufficiently small $\epsilon_1, \epsilon_2, \epsilon_3$. For a random permutation $P \in \mathrm{Perm}(n)$ and a random string $K \in \mathcal{K}_H$, define

$$Q_1(x) \stackrel{\mathrm{def}}{=} P(x), \quad Q_2(x) \stackrel{\mathrm{def}}{=} P(x \oplus H_K(Cst_1)), \quad Q_3(x) \stackrel{\mathrm{def}}{=} P(x \oplus H_K(Cst_2)).$$

The following proposition shows that $Q_1(\cdot), Q_2(\cdot), Q_3(\cdot)$ are indistinguishable from three independent random permutations $P_1(\cdot), P_2(\cdot), P_3(\cdot)$.

Proposition 5.1 Let A be an adversary which asks at most $q$ queries in total. Then

$$\left|\Pr(P \leftarrow \mathrm{Perm}(n);\ K \leftarrow \mathcal{K}_H : A^{Q_1(\cdot),Q_2(\cdot),Q_3(\cdot)} = 1) - \Pr(P_1,P_2,P_3 \leftarrow \mathrm{Perm}(n) : A^{P_1(\cdot),P_2(\cdot),P_3(\cdot)} = 1)\right| \le q^2\left(\frac{1}{2^n} + \epsilon\right),$$

where $\epsilon = \max\{\epsilon_1,\epsilon_2,\epsilon_3\}$. A proof is given in [9].

Next we recall FCBC [3]. It uses three independent random permutations $P_1,P_2,P_3 \in \mathrm{Perm}(n)$. The algorithm $\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)$ is described in Fig. 15 and illustrated in Fig. 16.

5.2 FCBC is Pseudorandom

We prove that FCBC is pseudorandom (information-theoretic result).

Lemma 5.1 Let A be an adversary which asks at most $q$ queries, having aggregate length of at most $\sigma$ blocks. Assume $\sigma \le 2^n/2$. Then

$$\left|\Pr(P_1,P_2,P_3 \leftarrow \mathrm{Perm}(n) : A^{\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)} = 1) - \Pr(R \leftarrow \mathrm{Rand}(*,n) : A^{R(\cdot)} = 1)\right| \le \frac{2\sigma^2}{2^n}. \quad (14)$$

To prove Lemma 5.1, we define CBCE (CBC MAC without final encryption). It takes a message $M$ such that $|M| = mn$ for some $m \ge 1$. It is obtained from the CBC MAC by removing the final encryption. More precisely, the algorithm $\mathrm{CBCE}_P(\cdot)$ is described in Fig. 17, where $P \in \mathrm{Perm}(n)$ is a random permutation. We first show the following lemma.
Algorithm $\mathrm{FCBC}_{P_1,P_2,P_3}(M)$
  $Y[0] \leftarrow 0^n$
  Partition $M$ into $M[1] \,\|\, \cdots \,\|\, M[m]$
  for $i \leftarrow 1$ to $m-1$ do
    $X[i] \leftarrow M[i] \oplus Y[i-1]$
    $Y[i] \leftarrow P_1(X[i])$
  $X[m] \leftarrow \mathrm{pad}_n(M[m]) \oplus Y[m-1]$
  if $|M[m]| = n$ then $T \leftarrow P_2(X[m])$ else $T \leftarrow P_3(X[m])$
  return $T$

Fig. 15. Definition of FCBC.

Fig. 16. Illustration of FCBC (left: $|M|$ a positive multiple of $n$, last block through $P_2$; right: $10^i$ padding appended, last block through $P_3$).

Algorithm $\mathrm{CBCE}_P(M)$
  $Y[0] \leftarrow 0^n$
  Partition $M$ into $M[1] \,\|\, \cdots \,\|\, M[m]$
  for $i \leftarrow 1$ to $m-1$ do
    $X[i] \leftarrow M[i] \oplus Y[i-1]$
    $Y[i] \leftarrow P(X[i])$
  $X[m] \leftarrow M[m] \oplus Y[m-1]$
  return $X[m]$

Fig. 17. Definition of CBCE.
Lemma 5.2 (CBCE Collision Bound) Let $q, m_1,\dots,m_q$ and $\sigma$ be integers such that $m_i \ge 1$, $\sigma = m_1 + \cdots + m_q$, and $\sigma \le 2^n/2$. Let $M^{(1)},\dots,M^{(q)}$ be fixed and distinct bit strings such that $|M^{(i)}| = m_i n$. Then

$$\Pr(P \leftarrow \mathrm{Perm}(n) : \exists\, 1 \le i < j \le q,\ \mathrm{CBCE}_P(M^{(i)}) = \mathrm{CBCE}_P(M^{(j)})) \le \frac{\sigma^2}{2^n}.$$

Proof. We view the computation of $\mathrm{CBCE}_P(M^{(i)})$ as playing the game given in Fig. 18.

Initialization:
1: for $i \leftarrow 1$ to $q$ do $X^{(i)}[1] \leftarrow M^{(i)}[1]$;
2: for all $x \in \{0,1\}^n$ do $P(x) \leftarrow$ undefined;
3: $bad \leftarrow$ false; $BAD \leftarrow \{X^{(1)}[1],\dots,X^{(q)}[1]\}$;
Computation of $X^{(1)}[m_1],\dots,X^{(q)}[m_q]$:
11: for $j \leftarrow 1$ to $\sigma$ do
12:   for $i \leftarrow 1$ to $q$ do
13:     if $j < m_i$ then
14:       if $X^{(i)}[j] \notin \mathrm{Domain}(P)$ then
15:         $Y^{(i)}[j] \xleftarrow{R} \overline{\mathrm{Range}}(P)$;
16:         $P(X^{(i)}[j]) \leftarrow Y^{(i)}[j]$;
17:         $X^{(i)}[j+1] \leftarrow Y^{(i)}[j] \oplus M^{(i)}[j+1]$;
18:         $BAD' \leftarrow \{X^{(i)}[j+1]\}$;
19:         $Index \leftarrow \{k \mid i+1 \le k \le q,\ j < m_k \text{ and } X^{(i)}[j] = X^{(k)}[j]\}$;
20:         for all $k \in Index$ do
21:           $Y^{(k)}[j] \leftarrow Y^{(i)}[j]$;
22:           $X^{(k)}[j+1] \leftarrow Y^{(k)}[j] \oplus M^{(k)}[j+1]$;
23:           $BAD' \leftarrow BAD' \cup \{X^{(k)}[j+1]\}$;
24:         if $BAD \cap BAD' \ne \emptyset$ then $bad \leftarrow$ true;
25:         else $BAD \leftarrow BAD \cup BAD'$;

Fig. 18. Game used in the proof of Lemma 5.2.

Similarly to the proof of Lemma 4.2, it is enough to bound the probability of the event that $bad \leftarrow$ true. In line 24, it is required that some $Y^{(i)}[j]$ was selected in line 15 such that $Y^{(i)}[j] \oplus M^{(i)}[j+1] \in BAD$, or $Y^{(i)}[j] \oplus M^{(k)}[j+1] \in BAD$ for some $k \in Index$. Suppose that the set $BAD$ begins with $l_0$ points. Then it grows by the number of points in $BAD'$ with each random choice of $Y^{(i)}[j]$. Now, suppose that for the $t$-th process of line 15, the corresponding $BAD'$ after line 23 has $l_t$ points, assuming that $bad$ is false for the first $t-1$ processes of line 15. Define

$$V(t) \stackrel{\mathrm{def}}{=} \Pr_{\text{line 15}}(bad \leftarrow \text{true at the } t\text{-th choice of } Y^{(i)}[j] \mid bad \text{ is false before choosing } Y^{(i)}[j]).$$

Then we have

$$V(t) \le \frac{(l_0 + l_1 + \cdots + l_{t-1})\, l_t}{2^n - (t-1)},$$

since $P$ has $2^n - (t-1)$ undefined domain points, $BAD$ has $(l_0 + l_1 + \cdots + l_{t-1})$ points, and $BAD'$ has $l_t$ points.

Also, suppose that the game terminates after $s$ processes of line 15. Then we have

$$\Pr_{\text{line 15}}(bad \leftarrow \text{true}) \le \sum_{1 \le t \le s} V(t) \le \sum_{1 \le t \le s} \frac{(l_0 + l_1 + \cdots + l_{t-1})\, l_t}{2^n - (t-1)}.$$

Now we can bound the above by

$$\sum_{1 \le t \le s} \frac{(l_0 + l_1 + \cdots + l_{t-1})\, l_t}{2^n - (t-1)} \le \frac{2}{2^n} \sum_{1 \le t \le s} (l_0 + l_1 + \cdots + l_{t-1})\, l_t \le \frac{\sigma^2}{2^n},$$

where the first inequality follows since $s$ is at most $\sigma$, which is at most $2^n/2$, and the second inequality follows since $\sigma \ge l_0 + l_1 + \cdots + l_s$ and

$$\sum_{1 \le t \le s} (l_0 + l_1 + \cdots + l_{t-1})\, l_t \le \frac{(l_0 + l_1 + \cdots + l_s)^2}{2} \le \frac{\sigma^2}{2}.$$

Q.E.D.

We next consider the following two sets.

$$D_1 \stackrel{\mathrm{def}}{=} \{M \mid M \in \{0,1\}^* \text{ and } |M| \text{ is a positive multiple of } n\}$$
$$D_2 \stackrel{\mathrm{def}}{=} \{M \mid M \in \{0,1\}^* \text{ and } |M| \text{ is not a positive multiple of } n\}$$

We show the following lemma.

Lemma 5.3 Let $q_1, q_2$ be two non-negative integers. For $1 \le i \le 2$, let $M_i^{(1)},\dots,M_i^{(q_i)}$ be fixed bit strings such that $M_i^{(j)} \in D_i$ for $1 \le j \le q_i$ and $\{M_i^{(1)},\dots,M_i^{(q_i)}\}$ are distinct. Similarly, for $1 \le i \le 2$, let $T_i^{(1)},\dots,T_i^{(q_i)}$ be fixed $n$-bit strings such that $\{T_i^{(1)},\dots,T_i^{(q_i)}\}$ are distinct. Then the number of $P_1,P_2,P_3 \in \mathrm{Perm}(n)$ such that

$$\begin{cases} \mathrm{FCBC}_{P_1,P_2,P_3}(M_1^{(i)}) = T_1^{(i)} & \text{for } 1 \le i \le q_1 \text{ and} \\ \mathrm{FCBC}_{P_1,P_2,P_3}(M_2^{(i)}) = T_2^{(i)} & \text{for } 1 \le i \le q_2 \end{cases} \quad (15)$$

is at least

$$\{(2^n)!\}^3 \left(1 - \frac{\sigma^2}{2^n}\right) \frac{1}{2^{qn}},$$

where $q = q_1 + q_2$, $\sigma_i = \sum_{1 \le j \le q_i} \lceil |M_i^{(j)}|/n \rceil$ and $\sigma = \sigma_1 + \sigma_2$.

Proof. We first consider $M_1^{(1)},\dots,M_1^{(q_1)}$. The number of $P_1$ such that $\mathrm{CBCE}_{P_1}(M_1^{(i)}) = \mathrm{CBCE}_{P_1}(M_1^{(j)})$ for some $1 \le i < j \le q_1$ is at most $\{(2^n)!\}\frac{\sigma_1^2}{2^n}$ from Lemma 5.2. We next consider $M_2^{(1)},\dots,M_2^{(q_2)}$. Let $\overline{M}_2^{(i)}$ denote the padded message of $M_2^{(i)}$. Then the number of $P_1$ such that $\mathrm{CBCE}_{P_1}(\overline{M}_2^{(i)}) = \mathrm{CBCE}_{P_1}(\overline{M}_2^{(j)})$ for some $1 \le i < j \le q_2$ is at most $\{(2^n)!\}\frac{\sigma_2^2}{2^n}$ from Lemma 5.2. Therefore, we have at least

$$\{(2^n)!\} \left(1 - \frac{\sigma_1^2}{2^n} - \frac{\sigma_2^2}{2^n}\right)$$
choices of $P_1$ such that

$$\begin{cases} \mathrm{CBCE}_{P_1}(M_1^{(i)}) \ne \mathrm{CBCE}_{P_1}(M_1^{(j)}) & \text{for } 1 \le i < j \le q_1 \text{ and} \\ \mathrm{CBCE}_{P_1}(\overline{M}_2^{(i)}) \ne \mathrm{CBCE}_{P_1}(\overline{M}_2^{(j)}) & \text{for } 1 \le i < j \le q_2 \end{cases} \quad (16)$$

We fix any $P_1$ which satisfies (16). Now $P_1$ is fixed in such a way that the inputs to $P_2$ are distinct and the inputs to $P_3$ are distinct. Also, the corresponding outputs $\{T_1^{(1)},\dots,T_1^{(q_1)}\}$ are distinct, and $\{T_2^{(1)},\dots,T_2^{(q_2)}\}$ are distinct. Therefore, we have at least

$$\{(2^n)!\} \left(1 - \frac{\sigma_1^2}{2^n} - \frac{\sigma_2^2}{2^n}\right) (2^n - q_1)!\, (2^n - q_2)!$$

choices of $P_1,P_2,P_3$ which satisfy (15). This bound is at least $\{(2^n)!\}^3 \left(1 - \frac{\sigma^2}{2^n}\right)\frac{1}{2^{qn}}$ since $\sigma^2 \ge \sigma_1^2 + \sigma_2^2$ and $(2^n - q_i)! \ge \frac{(2^n)!}{2^{q_i n}}$. This concludes the proof of the lemma. Q.E.D.

We now prove Lemma 5.1.

Proof (of Lemma 5.1). We proceed similarly to the proof of Lemma 4.1. Let $\mathcal{O}$ be either $\mathrm{FCBC}_{P_1,P_2,P_3}$ or $R$. Since A is computationally unbounded, there is no loss of generality to assume that A is deterministic. Now for the queries A makes to the oracle $\mathcal{O}$, define the query-answer pair $(M_j^{(i)}, T_j^{(i)}) \in D_j \times \{0,1\}^n$, where A's $i$-th query in $D_j$ was $M_j^{(i)} \in D_j$ and the answer it got was $T_j^{(i)} \in \{0,1\}^n$. Suppose that we run A with the oracle. For this run, assume that A made $q_j$ queries in $D_j$, where $1 \le j \le 2$ and $q_1 + q_2 = q$. Also, for $1 \le i \le 2$, let $\sigma_i = \sum_{1 \le j \le q_i} \lceil |M_i^{(j)}|/n \rceil$. For this run, we define view $v$ of A as

$$v \stackrel{\mathrm{def}}{=} \left((T_1^{(1)},\dots,T_1^{(q_1)}),\ (T_2^{(1)},\dots,T_2^{(q_2)})\right). \quad (17)$$

Since A is deterministic, the $i$-th query A makes is fully determined by the first $i-1$ query-answer pairs. This implies that if we fix some $qn$-bit string $V$ and return the $i$-th $n$-bit block as the answer for the $i$-th query A makes (instead of the oracle), then A's queries are uniquely determined, $q_1, q_2$ are uniquely determined, $\sigma_1, \sigma_2$ are uniquely determined, the parsing of $V$ into the format defined in (17) is uniquely determined, and the final output of A (0 or 1) is uniquely determined. Let $\mathcal{V}_{one}$ be the set of all $qn$-bit strings $V$ such that A outputs 1. We let $N_{one} \stackrel{\mathrm{def}}{=} \#\mathcal{V}_{one}$.

Also, let $\mathcal{V}_{good}$ be the set of all $qn$-bit strings $V$ such that: for $1 \le i < j \le q$, the $i$-th $n$-bit block of $V$ $\ne$ the $j$-th $n$-bit block of $V$. Note that if $V \in \mathcal{V}_{good}$, then the corresponding parsing $v$ of $V$ satisfies that $\{T_1^{(1)},\dots,T_1^{(q_1)}\}$ are distinct and $\{T_2^{(1)},\dots,T_2^{(q_2)}\}$ are distinct. Now observe that the number of $V$ which are not in the set $\mathcal{V}_{good}$ is at most $\binom{q}{2}\frac{2^{qn}}{2^n}$. Therefore, we have

$$\#\{V \mid V \in (\mathcal{V}_{one} \cap \mathcal{V}_{good})\} \ge N_{one} - \binom{q}{2}\frac{2^{qn}}{2^n}. \quad (18)$$

Evaluation of $p_{rand}$. We first evaluate $p_{rand} \stackrel{\mathrm{def}}{=} \Pr(R \leftarrow \mathrm{Rand}(*,n) : A^{R(\cdot)} = 1)$. Then it is not hard to see

$$p_{rand} = \sum_{V \in \mathcal{V}_{one}} \frac{1}{2^{qn}} = \frac{N_{one}}{2^{qn}}.$$

Evaluation of $p_{real}$. We next evaluate

$$p_{real} \stackrel{\mathrm{def}}{=} \Pr(P_1,P_2,P_3 \leftarrow \mathrm{Perm}(n) : A^{\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)} = 1) = \frac{\#\{(P_1,P_2,P_3) \mid A^{\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)} = 1\}}{\{(2^n)!\}^3}.$$

Then from Lemma 5.3, we have

$$p_{real} \ge \sum_{V \in (\mathcal{V}_{one} \cap \mathcal{V}_{good})} \frac{\#\{(P_1,P_2,P_3) \mid (P_1,P_2,P_3) \text{ satisfying } (15)\}}{\{(2^n)!\}^3} \ge \sum_{V \in (\mathcal{V}_{one} \cap \mathcal{V}_{good})} \left(1 - \frac{\sigma^2}{2^n}\right)\frac{1}{2^{qn}}.$$

Completing the Proof. From (18) we have

$$\begin{aligned} p_{real} &\ge \left(N_{one} - \binom{q}{2}\frac{2^{qn}}{2^n}\right)\left(1 - \frac{\sigma^2}{2^n}\right)\frac{1}{2^{qn}} \\ &= \left(p_{rand} - \binom{q}{2}\frac{1}{2^n}\right)\left(1 - \frac{\sigma^2}{2^n}\right) \\ &\ge p_{rand} - \binom{q}{2}\frac{1}{2^n} - \frac{\sigma^2}{2^n} \\ &\ge p_{rand} - \frac{q^2 + \sigma^2}{2^n} \\ &\ge p_{rand} - \frac{2\sigma^2}{2^n}. \end{aligned} \quad (19)$$

Applying the same argument to $1 - p_{real}$ and $1 - p_{rand}$ yields that

$$1 - p_{real} \ge 1 - p_{rand} - \frac{2\sigma^2}{2^n}. \quad (20)$$

Finally, (19) and (20) give $|p_{real} - p_{rand}| \le \frac{2\sigma^2}{2^n}$. Q.E.D.

5.3 From FCBC to TMAC-family

The next lemma shows that TMAC-family$_{P,K}(\cdot)$ and $\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)$ are indistinguishable.
Lemma 5.4 Let A be an adversary which asks at most $q$ queries, having aggregate length of at most $\sigma$ blocks. Assume $\sigma \le 2^n/2$. Then

$$\left|\Pr(P \leftarrow \mathrm{Perm}(n),\ K \leftarrow \mathcal{K}_H : A^{\mathrm{TMAC\text{-}family}_{P,K}(\cdot)} = 1) - \Pr(P_1,P_2,P_3 \leftarrow \mathrm{Perm}(n) : A^{\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)} = 1)\right| \le \sigma^2\left(\frac{1}{2^n} + \epsilon\right).$$

By using Proposition 5.1, it can be proved similarly to the proof of Lemma 4.4.

5.4 Proof of Main Lemma for TMAC-family

We finally give a proof of Main Lemma for TMAC-family.

Proof (of Lemma 3.2). By the triangle inequality, the left hand side of (3) is at most

$$\left|\Pr(P_1,P_2,P_3 \leftarrow \mathrm{Perm}(n) : A^{\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)} = 1) - \Pr(R \leftarrow \mathrm{Rand}(*,n) : A^{R(\cdot)} = 1)\right| \quad (21)$$

$$+ \left|\Pr(P \leftarrow \mathrm{Perm}(n),\ K \leftarrow \mathcal{K}_H : A^{\mathrm{TMAC\text{-}family}_{P,K}(\cdot)} = 1) - \Pr(P_1,P_2,P_3 \leftarrow \mathrm{Perm}(n) : A^{\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)} = 1)\right|. \quad (22)$$

Lemma 5.1 gives us an upper bound on (21) and Lemma 5.4 gives us an upper bound on (22). Therefore the bound follows since

$$\frac{2\sigma^2}{2^n} + \sigma^2\left(\frac{1}{2^n} + \epsilon\right) = \sigma^2\left(\frac{3}{2^n} + \epsilon\right).$$

This concludes the proof of the lemma. Q.E.D.

6 Proof for XCBC

6.1 $Q_1, Q_2, Q_3$

For a random permutation $P \in \mathrm{Perm}(n)$ and two random $n$-bit strings $K_2, K_3 \in \{0,1\}^n$, define

$$Q_1(x) \stackrel{\mathrm{def}}{=} P(x), \quad Q_2(x) \stackrel{\mathrm{def}}{=} P(x \oplus K_2), \quad Q_3(x) \stackrel{\mathrm{def}}{=} P(x \oplus K_3). \quad (23)$$

The following proposition shows that $Q_1(\cdot), Q_2(\cdot), Q_3(\cdot)$ are indistinguishable from three independent random permutations $P_1(\cdot), P_2(\cdot), P_3(\cdot)$.

Proposition 6.1 Let A be an adversary which asks at most $q$ queries in total. Then

$$\left|\Pr(P \leftarrow \mathrm{Perm}(n);\ K_2, K_3 \leftarrow \{0,1\}^n : A^{Q_1(\cdot),Q_2(\cdot),Q_3(\cdot)} = 1) - \Pr(P_1,P_2,P_3 \leftarrow \mathrm{Perm}(n) : A^{P_1(\cdot),P_2(\cdot),P_3(\cdot)} = 1)\right| \le \frac{q^2}{2^n},$$

where $\epsilon = \max\{\epsilon_1,\epsilon_2,\epsilon_3\}$. It can be proved by extending the proof of [3, Lemma 4]. Also, it can be proved similarly to Proposition 5.1.

6.2 From FCBC to XCBC

The next lemma shows that $\mathrm{XCBC}_{P,K_2,K_3}(\cdot)$ and $\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)$ are indistinguishable.

Lemma 6.1 Let A be an adversary which asks at most $q$ queries, having aggregate length of at most $\sigma$ blocks. Assume $\sigma \le 2^n/2$. Then

$$\left|\Pr(P \leftarrow \mathrm{Perm}(n),\ K_2, K_3 \leftarrow \{0,1\}^n : A^{\mathrm{XCBC}_{P,K_2,K_3}(\cdot)} = 1) - \Pr(P_1,P_2,P_3 \leftarrow \mathrm{Perm}(n) : A^{\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)} = 1)\right| \le \frac{\sigma^2}{2^n}.$$

By using Proposition 6.1, it can be proved similarly to the proof of Lemma 4.4.

6.3 Proof of Main Lemma for XCBC

We finally give a proof of Main Lemma for XCBC.

Proof (of Lemma 3.3). By the triangle inequality, the left hand side of (4) is at most

$$\left|\Pr(P_1,P_2,P_3 \leftarrow \mathrm{Perm}(n) : A^{\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)} = 1) - \Pr(R \leftarrow \mathrm{Rand}(*,n) : A^{R(\cdot)} = 1)\right| \quad (24)$$

$$+ \left|\Pr(P \leftarrow \mathrm{Perm}(n),\ K_2, K_3 \leftarrow \{0,1\}^n : A^{\mathrm{XCBC}_{P,K_2,K_3}(\cdot)} = 1) - \Pr(P_1,P_2,P_3 \leftarrow \mathrm{Perm}(n) : A^{\mathrm{FCBC}_{P_1,P_2,P_3}(\cdot)} = 1)\right|. \quad (25)$$

Lemma 5.1 gives us an upper bound on (24) and Lemma 6.1 gives us an upper bound on (25). Therefore the bound follows since

$$\frac{2\sigma^2}{2^n} + \frac{\sigma^2}{2^n} = \frac{3\sigma^2}{2^n}.$$

This concludes the proof of the lemma. Q.E.D.

References

[1] M. Bellare, J. Kilian, and P. Rogaway. The security of the cipher block chaining message authentication code. JCSS, vol. 61, no. 3, 2000. Earlier version in Advances in Cryptology, CRYPTO '94, LNCS 839, Springer-Verlag.
[2] A. Berendschot, B. den Boer, J. P. Boly, A. Bosselaers, J. Brandt, D. Chaum, I. Damgård, M. Dichtl, W. Fumy, M. van der Ham, C. J. A. Jansen, P. Landrock, B. Preneel, G. Roelofsen, P. de Rooij, and J. Vandewalle. Final Report of RACE Integrity Primitives. LNCS 1007, Springer-Verlag.
[3] J. Black and P. Rogaway. CBC MACs for arbitrary-length messages: The three key constructions. Advances in Cryptology, CRYPTO 2000, LNCS 1880, Springer-Verlag, 2000.
[4] FIPS Publication. Data Encryption Standard (DES). U. S. Department of Commerce / National Institute of Standards and Technology, October 25.
[5] FIPS 113. Computer data authentication. Federal Information Processing Standards Publication 113, U. S. Department of Commerce / National Bureau of Standards, National Technical Information Service, Springfield, Virginia.
[6] O. Goldreich, S. Goldwasser and S. Micali. How to construct random functions. J. ACM, vol. 33, no. 4, October.
[7] ISO/IEC. Information technology, security techniques, data integrity mechanism using a cryptographic check function employing a block cipher algorithm. International Organization for Standards, Geneva, Switzerland, Second edition.
[8] T. Iwata and K. Kurosawa. OMAC: One-Key CBC MAC. Pre-proceedings of Fast Software Encryption, FSE 2003, 2003. To appear in LNCS, Springer-Verlag.
[9] K. Kurosawa and T. Iwata. TMAC: Two-Key CBC MAC. Topics in Cryptology, CT-RSA 2003, LNCS 2612, Springer-Verlag, 2003.
[10] R. Lidl and H. Niederreiter. Introduction to finite fields and their applications, revised edition. Cambridge University Press.
[11] M. Luby and C. Rackoff. How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput., vol. 17, no. 2, April.
[12] E. Petrank and C. Rackoff. CBC MAC for real-time data sources. J. Cryptology, vol. 13, no. 3, Springer-Verlag, 2000.

A The Field with $2^n$ Points

We interchangeably think of a point $a$ in $\mathrm{GF}(2^n)$ in any of the following ways: 1. as an abstract point in a field; 2. as an $n$-bit string $a_{n-1} \cdots a_1 a_0 \in \{0,1\}^n$; 3. as a formal polynomial $a(u) = a_{n-1}u^{n-1} + \cdots + a_1 u + a_0$ with binary coefficients. To add two points in $\mathrm{GF}(2^n)$, take their bitwise XOR. We denote this operation by $a \oplus b$. To multiply two points, fix some irreducible polynomial $f(u)$ having binary coefficients and degree $n$. To be concrete, choose the lexicographically first polynomial among the irreducible degree $n$ polynomials having a minimum number of coefficients. We list some indicated polynomials (see [10, Chapter 10] for other polynomials).

$f(u) = u^{64} + u^4 + u^3 + u + 1$ for $n = 64$, $f(u) = u^{128} + u^7 + u^2 + u + 1$ for $n = 128$, and $f(u) = u^{256} + u^{10} + u^5 + u^2 + 1$ for $n = 256$. To multiply two points $a \in \mathrm{GF}(2^n)$ and $b \in \mathrm{GF}(2^n)$, regard $a$ and $b$ as polynomials $a(u) = a_{n-1}u^{n-1} + \cdots + a_1 u + a_0$ and $b(u) = b_{n-1}u^{n-1} + \cdots + b_1 u + b_0$, form their product $c(u)$ where one adds and multiplies coefficients in $\mathrm{GF}(2)$, and take the remainder when dividing $c(u)$ by $f(u)$. Note that it is particularly easy to multiply a point $a \in \{0,1\}^n$ by $u$. We show a method for $n = 128$, where $f(u) = u^{128} + u^7 + u^2 + u + 1$. Then multiplying $a = a_{127} \cdots a_1 a_0$ by $u$ yields a
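The arithmetic Appendix A describes, as an added Python example that is not part of the paper: points as n-bit integers, XOR for addition, the textbook multiply-then-reduce product for the three listed polynomials, the shift-based multiplication by u, and, as an assumption not stated in this excerpt, the OMAC1/CMAC subkey derivation L·u, L·u² built on it. The sample L and its expected subkeys are the AES-CMAC test vector of RFC 4493, external to this paper.

```python
# Added example (not from the paper): GF(2^n) arithmetic as described in
# Appendix A. A point is an n-bit integer whose bit i holds the coefficient
# of u^i in a(u); the reduction polynomials are the ones the appendix lists.

# f(u) with the leading u^n term removed: since u^n = (low terms) mod f(u),
# this is exactly what gets XORed in when a degree-n term overflows.
LOW_TERMS = {
    64: (1 << 4) | (1 << 3) | (1 << 1) | 1,     # u^64 + u^4 + u^3 + u + 1
    128: (1 << 7) | (1 << 2) | (1 << 1) | 1,    # u^128 + u^7 + u^2 + u + 1
    256: (1 << 10) | (1 << 5) | (1 << 2) | 1,   # u^256 + u^10 + u^5 + u^2 + 1
}


def gf_add(a: int, b: int) -> int:
    """Addition in GF(2^n): bitwise XOR of the coefficient strings."""
    return a ^ b


def mul_u(a: int, n: int) -> int:
    """The 'particularly easy' case from Appendix A: multiply a by u.

    A left shift by one multiplies a(u) by u. If a_{n-1} was 1 the result
    has a u^n term, which is removed by one subtraction of f(u), i.e. by
    XORing in the low-order terms of f.
    """
    mask = (1 << n) - 1
    product = (a << 1) & mask
    if (a >> (n - 1)) & 1:
        product ^= LOW_TERMS[n]
    return product


def poly_mul_reduce(a: int, b: int, n: int) -> int:
    """Textbook route from Appendix A: form c(u) = a(u)b(u) over GF(2),
    then take the remainder of c(u) divided by f(u)."""
    f = (1 << n) | LOW_TERMS[n]
    c = 0
    for i in range(n):                      # carry-less product, degree <= 2n-2
        if (b >> i) & 1:
            c ^= a << i
    for d in range(2 * n - 2, n - 1, -1):   # long division, highest degree first
        if (c >> d) & 1:
            c ^= f << (d - n)               # cancel u^d with u^(d-n) * f(u)
    return c


def gf_mul(a: int, b: int, n: int) -> int:
    """Same product computed shift-and-add style: keep a*u^i via mul_u and
    XOR it in whenever b_i = 1, so every intermediate value stays n bits."""
    acc, cur = 0, a
    for i in range(n):
        if (b >> i) & 1:
            acc = gf_add(acc, cur)
        cur = mul_u(cur, n)
    return acc


def omac1_subkeys(L: int, n: int = 128) -> tuple:
    """Assumption (not stated in this excerpt): OMAC1/CMAC derive their two
    last-block masks as H_L(Cst_1) = L*u and H_L(Cst_2) = L*u^2."""
    k1 = mul_u(L, n)
    return k1, mul_u(k1, n)


if __name__ == "__main__":
    # Sample value: L = AES_K(0^128) from the RFC 4493 AES-CMAC test vectors
    # (external to this paper); the two derivation routes must agree.
    L = 0x7DF76B0C1AB899B33E42F047B91B546F
    k1, k2 = omac1_subkeys(L)
    print(f"L  = {L:032x}")
    print(f"K1 = {k1:032x}")  # fbeed618357133667c85e08f7236a8de
    print(f"K2 = {k2:032x}")  # f7ddac306ae266ccf90bc11ee46d513b
    assert gf_mul(L, 0b100, 128) == poly_mul_reduce(L, 0b100, 128) == k2
```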
More informationSubsets of Euclidean domains possessing a unique division algorithm
Subsets of Euclidean domains possessing a unique division algorithm Andrew D. Lewis 2009/03/16 Abstract Subsets of a Euclidean domain are characterised with the following objectives: (1) ensuring uniqueness
More informationConcrete Security of the BlumBlumShub Pseudorandom Generator
Appears in Cryptography and Coding: 10th IMA International Conference, Lecture Notes in Computer Science 3796 (2005) 355 375. SpringerVerlag. Concrete Security of the BlumBlumShub Pseudorandom Generator
More informationBounded Cost Algorithms for Multivalued Consensus Using Binary Consensus Instances
Bounded Cost Algorithms for Multivalued Consensus Using Binary Consensus Instances Jialin Zhang Tsinghua University zhanggl02@mails.tsinghua.edu.cn Wei Chen Microsoft Research Asia weic@microsoft.com Abstract
More informationThe Goldberg Rao Algorithm for the Maximum Flow Problem
The Goldberg Rao Algorithm for the Maximum Flow Problem COS 528 class notes October 18, 2006 Scribe: Dávid Papp Main idea: use of the blocking flow paradigm to achieve essentially O(min{m 2/3, n 1/2 }
More informationRemotely Keyed Encryption Using NonEncrypting Smart Cards
THE ADVANCED COMPUTING SYSTEMS ASSOCIATION The following paper was originally published in the USENIX Workshop on Smartcard Technology Chicago, Illinois, USA, May 10 11, 1999 Remotely Keyed Encryption
More informationLecture 9. Lecturer: Yevgeniy Dodis Spring 2012
CSCIGA.3210001 MATHGA.2170001 Introduction to Cryptography Macrh 21, 2012 Lecture 9 Lecturer: Yevgeniy Dodis Spring 2012 Last time we introduced the concept of Pseudo Random Function Family (PRF),
More informationNotes from Week 1: Algorithms for sequential prediction
CS 683 Learning, Games, and Electronic Markets Spring 2007 Notes from Week 1: Algorithms for sequential prediction Instructor: Robert Kleinberg 2226 Jan 2007 1 Introduction In this course we will be looking
More informationThe finite field with 2 elements The simplest finite field is
The finite field with 2 elements The simplest finite field is GF (2) = F 2 = {0, 1} = Z/2 It has addition and multiplication + and defined to be 0 + 0 = 0 0 + 1 = 1 1 + 0 = 1 1 + 1 = 0 0 0 = 0 0 1 = 0
More informationCOM S 687 Introduction to Cryptography October 19, 2006
COM S 687 Introduction to Cryptography October 19, 2006 Lecture 16: NonMalleability and Public Key Encryption Lecturer: Rafael Pass Scribe: Michael George 1 NonMalleability Until this point we have discussed
More informationCryptography CS 555. Topic 3: Onetime Pad and Perfect Secrecy. CS555 Spring 2012/Topic 3 1
Cryptography CS 555 Topic 3: Onetime Pad and Perfect Secrecy CS555 Spring 2012/Topic 3 1 Outline and Readings Outline Onetime pad Perfect secrecy Limitation of perfect secrecy Usages of onetime pad
More informationMidterm Exam Solutions CS161 Computer Security, Spring 2008
Midterm Exam Solutions CS161 Computer Security, Spring 2008 1. To encrypt a series of plaintext blocks p 1, p 2,... p n using a block cipher E operating in electronic code book (ECB) mode, each ciphertext
More informationKey Privacy for Identity Based Encryption
Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 20062 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March
More informationOverview of Cryptographic Tools for Data Security. Murat Kantarcioglu
UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the
More informationThe Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)
The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication
More informationKeying Hash Functions for Message Authentication
An abridged version of this paper appears in Advances in Cryptology Crypto 96 Proceedings, Lecture Notes in Computer Science Vol. 1109, N. Koblitz ed., SpringerVerlag, 1996. Keying Hash Functions for
More informationMOP 2007 Black Group Integer Polynomials Yufei Zhao. Integer Polynomials. June 29, 2007 Yufei Zhao yufeiz@mit.edu
Integer Polynomials June 9, 007 Yufei Zhao yufeiz@mit.edu We will use Z[x] to denote the ring of polynomials with integer coefficients. We begin by summarizing some of the common approaches used in dealing
More informationIdentityBased Encryption from the Weil Pairing
Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages
More informationFactoring & Primality
Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount
More informationNoninteractive and Reusable Nonmalleable Commitment Schemes
Noninteractive and Reusable Nonmalleable Commitment Schemes Ivan Damgård a Jens Groth b June 16, 2003 Abstract We consider nonmalleable (NM) and universally composable (UC) commitment schemes in the
More informationCryptographic treatment of CryptDB s Adjustable Join
Cryptographic treatment of CryptDB s Adjustable Join Raluca Ada Popa and Nickolai Zeldovich MIT CSAIL March 25, 2012 1 Introduction In this document, we provide a cryptographic treatment of the adjustable
More informationNew Efficient Searchable Encryption Schemes from Bilinear Pairings
International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang
More information2.1 Complexity Classes
15859(M): Randomized Algorithms Lecturer: Shuchi Chawla Topic: Complexity classes, Identity checking Date: September 15, 2004 Scribe: Andrew Gilpin 2.1 Complexity Classes In this lecture we will look
More informationDigital Signatures. What are Signature Schemes?
Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counterparts of the message authentication schemes in the public
More informationIntegers: applications, base conversions.
CS 441 Discrete Mathematics for CS Lecture 14 Integers: applications, base conversions. Milos Hauskrecht milos@cs.pitt.edu 5329 Sennott Square Modular arithmetic in CS Modular arithmetic and congruencies
More informationChapter 6 Finite sets and infinite sets. Copyright 2013, 2005, 2001 Pearson Education, Inc. Section 3.1, Slide 1
Chapter 6 Finite sets and infinite sets Copyright 013, 005, 001 Pearson Education, Inc. Section 3.1, Slide 1 Section 6. PROPERTIES OF THE NATURE NUMBERS 013 Pearson Education, Inc.1 Slide Recall that denotes
More informationCSC474/574  Information Systems Security: Homework1 Solutions Sketch
CSC474/574  Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a oneround Feistel cipher
More informationDigital Signatures out of SecondPreimage Resistant Hash Functions
Digital Signatures out of SecondPreimage Resistant Hash Functions Erik Dahmen 1, Katsuyuki Okeya 2, Tsuyoshi Takagi 3, and Camille Vuillaume 2 1 Technische Universität Darmstadt dahmen@cdc.informatik.tudarmstadt.de
More informationGood luck, veel succes!
Final exam Advanced Linear Programming, May 7, 13.0016.00 Switch off your mobile phone, PDA and any other mobile device and put it far away. No books or other reading materials are allowed. This exam
More informationAuthenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre
Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense
More information1 Signatures vs. MACs
CS 120/ E177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. KatzLindell 10 1 Signatures vs. MACs Digital signatures
More informationMathematical Induction
Chapter 2 Mathematical Induction 2.1 First Examples Suppose we want to find a simple formula for the sum of the first n odd numbers: 1 + 3 + 5 +... + (2n 1) = n (2k 1). How might we proceed? The most natural
More informationA New Generic Digital Signature Algorithm
Groups Complex. Cryptol.? (????), 1 16 DOI 10.1515/GCC.????.??? de Gruyter???? A New Generic Digital Signature Algorithm Jennifer Seberry, Vinhbuu To and Dongvu Tonien Abstract. In this paper, we study
More informationTheorem (The division theorem) Suppose that a and b are integers with b > 0. There exist unique integers q and r so that. a = bq + r and 0 r < b.
Theorem (The division theorem) Suppose that a and b are integers with b > 0. There exist unique integers q and r so that a = bq + r and 0 r < b. We re dividing a by b: q is the quotient and r is the remainder,
More informationThe Conference Call Search Problem in Wireless Networks
The Conference Call Search Problem in Wireless Networks Leah Epstein 1, and Asaf Levin 2 1 Department of Mathematics, University of Haifa, 31905 Haifa, Israel. lea@math.haifa.ac.il 2 Department of Statistics,
More informationECEN 5682 Theory and Practice of Error Control Codes
ECEN 5682 Theory and Practice of Error Control Codes Convolutional Codes University of Colorado Spring 2007 Linear (n, k) block codes take k data symbols at a time and encode them into n code symbols.
More informationHASH CODE BASED SECURITY IN CLOUD COMPUTING
ABSTRACT HASH CODE BASED SECURITY IN CLOUD COMPUTING Kaleem Ur Rehman M.Tech student (CSE), College of Engineering, TMU Moradabad (India) The Hash functions describe as a phenomenon of information security
More information