Security Analysis of DRBG Using HMAC in NIST SP

Size: px
Start display at page:

Download "Security Analysis of DRBG Using HMAC in NIST SP 800-90"

Transcription

1 Security Analysis of DRBG Using MAC in NIST SP Shoichi irose Graduate School of Engineering, University of Fukui hrs Abstract. MAC DRBG is a deterministic random bit generator using MAC specified in NIST SP The document claims that MAC DRBG is a pseudorandom bit generator if MAC is a pseudorandom function. owever, no proof is given in the document. This article provides a security analysis of MAC DRBG and confirms the claim. ey words: NIST SP , pseudorandom bit generator, MAC, pseudorandom function 1 Introduction Background. Random bits are indispensable to every cryptographic application. owever, it is not easy to prepare sufficient amount of truly random bits in general. Thus, most applications use a cryptographic mechanism that is called a pseudorandom bit generator (PRBG). It stretches a short sequence of random bits to a long sequence of bits that are indistinguishable from truly random bits in practice. MAC DRBG is a deterministic random bit generator (DRBG) specified in NIST SP [3]. It is claimed in NIST SP that MAC DRBG is a PRBG if MAC is a pseudorandom function (PRF). owever, no proof is made public as far as the authors know. Contribution. This article presents a security analysis of MAC DRBG. The result supports the claim in NIST SP mentioned above. This article does not provide new techniques and just uses well-known ones in the analysis. In spite of this fact, the contribution of this paper is still important since MAC DRBG is expected to be widely used in practice. MAC DRBG consists of three algorithms. They are instantiate, reseed and generate algorithms. The instantiate/reseed algorithm is used to produce/refresh a secret key. The generate algorithm produces a binary sequence from a secret key given by the instantiate or reseed algorithms. This article gives a proof for the pseudorandomness of MAC DRBG on the assumption that the instantiate and reseed algorithms are ideal. Namely, a secret key given to the generate algorithm is selected uniformly at random by each of them.

2 2 S. irose Related Work. NIST SP specifies four DRBG mechanisms: ash DRBG, MAC DRBG, CTR DRBG and Dual EC DRBG. ash DRBG and MAC DRBG are based on hash functions. CTR DRBG uses a block cipher in the counter mode. Dual EC DRBG is based on the elliptic curve discrete logarithm problem. A security analysis of these DRBGs was presented in [9]. owever, the discussion was quite informal. A security analysis of CTR DRBG was also presented in [7]. Brown and Gjøsteen [6] provided a detailed security analysis of Dual EC DRBG. There also exist some other approved DRBGs in ANSI X.9.31 [2], ANSI X [1] and FIPS PUB [11]. The security of these algorithms was discussed in [8] and [10]. MAC was proposed by Bellare, Canetti and rawczyk [5]. It was proved to be a PRF on the assumption that the compression function of the underlying iterated hash function is a PRF with two keying strategies[4]. Actually, MAC is used as a PRF in many cryptographic schemes. Organization. This article is organized as follows. Definitions of a pseudorandom bit generator and a pseudorandom function are given in Sect. 2. A description of MAC DRBG is presented in Sect. 3. Results on security analysis of MAC DRBG are shown in Sect. 4. Concluding remarks are given in Sect Preliminaries Let a $ A represent that an element a is selected uniformly at random from a set A. 2.1 A Pseudorandom Bit Generator Let G be a function such that G : {0, 1} n {0, 1} l. Let D be a probabilistic algorithm which outputs 0 or 1 for a given input in {0, 1} l. The goal of D is to tell whether a given input is G(k) for k selected uniformly at random or it is selected uniformly at random. The advantage of D against G is defined as follows: Pr[D(G(k)) G (D) = $ = 1 k {0, 1} n ] Pr[D(s) = 1 s $ {0, 1} l ], where the probabilities are taken over the coin tosses by D and the uniform distributions on {0, 1} n or {0, 1} l. G is called a pseudorandom bit generator (PRBG) if l > n and G (D) is negligible for any efficient D. 2.2 A Pseudorandom Function Let be a keyed function such that : D R, where is a key space, D is a domain, and R is a range. (k, ) is denoted by k ( ). Let A be a probabilistic algorithm which has oracle access to a function from D to R. The goal of A is to tell whether the oracle is k for k selected uniformly at random or it is a

3 Security Analysis of DRBG Using MAC in NIST SP function selected uniformly at random. A first asks elements in D and obtains the corresponding elements in R with respect to the function, and then outputs 0 or 1. A makes the queries adaptively: A makes a new query after receiving an answer to the current query. Let F be the set of all functions from D to R. The advantage of A for is defined as follows: Adv prf Pr[A (A) = k = 1 k $ ] Pr[A ρ = 1 ρ $ F ], where the probabilities are taken over the coin tosses by A and the uniform distributions on or F. is called a pseudorandom function (PRF) if Adv prf (A) is negligible for any efficient A. 3 MAC DRBG MAC DRBG is a DRBG using MAC in NIST SP [3]. It consists of three algorithms: an instantiate algorithm, a reseed algorithm and a generate algorithm. The instantiate algorithm is used to produce a secret key. The reseed algorithm is used to refresh it. These algorithms are out of the scope of the article. They also use MAC to produce the secret keys. owever, the security of the outputs is not based on the secrecy and randomness of the keys given to MAC but the data given to MAC via message input. From this viewpoint, we may say that they abuse MAC. We only assume that the keys produced by the instantiate and reseed algorithms are ideal. Namely, we assume that a secret key given to the generate algorithm is selected uniformly at random. The generate algorithm produces a binary sequence for a given secret key. A description of this algorithm is given in the following part. The instantiate and reseed algorithms are given in Appendix A for reference. Notation. MAC is simply denoted by. Let n denote the output length of. Let null denote an empty sequence. Concatenation of binary sequences x and y is denoted by x y. The symbol is sometimes omitted. 3.1 Internal State The internal state of MAC DRBG includes {0, 1} n, {0, 1} n, and a reseed counter d 1. and are assumed to be secret. The reseed counter d is an integer variable indicating the number of requests for pseudorandom bits since instantiation or reseeding. 3.2 The Function Update The function Update is used in the generate algorithm to produce a secret key (, ) for the next invocation of the generate algorithm. It is described as follows.

4 4 S. irose Update(,, adin): 1. = (, 0x00 adin) 2. = (, ) 3. If adin = null, then return (, ) 4. = (, 0x01 adin) 5. = (, ) 6. Return (, ) adin is an optional additional input. Update is shown in Fig. 1. 0x00 (a) If adin is an empty sequence 0x00 adin 0x01 adin (b) If adin is not an empty sequence Fig. 1. The function Update 3.3 The Algorithm Generate The generate algorithm Generate produces a binary sequence s for given secret (, ) and an optional additional input adin. It is described as follows.

5 Security Analysis of DRBG Using MAC in NIST SP Generate(,, adin): 1. If d > w, then return an indication that a reseed is required. 2. (, ) = Update(,, adin) if adin null 3. tmp = null 4. While tmp < l do: (a) = (, ) (b) tmp = tmp 5. s = the leftmost l bits of tmp 6. (, ) = Update(,, adin) 7. d = d Return s and (, ) The maximum sizes of parameters are given in Table 1. w is called a reseed interval. It represents the total number of requests for pseudorandom bits between reseeding. If adin is not supported, then the step 6 is executed with adin = null. Generate is given in Fig. 2. null Update adin s (a) If adin is not given or not supported Update Update s (b) If adin is given Fig. 2. The algorithm Generate. The update of the reseed counter d is omitted.

6 6 S. irose Table 1. The maximum sizes of parameters parameter maximum size adin 2 35 bits l 2 19 bits w Security Analysis For simplicity, we assume that l is a multiple of n. Thus, the output length of Generate is l+2n. We analyze the security of a generator G : {0, 1} 2n {0, 1} wl defined as follows: G(, ): 1. ( 0, 0 ) = (, ) 2. s = null 3. for i = 1 to w do (a) (s i, i, i ) = Generate( i 1, i 1, adin i 1 ) (b) s = s s i (c) Return s We make adin i implicit in the notation of G(, ), because the analysis given in the remaining parts does not depend on the value of adin i. It depends only on whether adin i = null or not. 4.1 If adin = null First, notice that we cannot prove the pseudorandomness of G directly from that of Generate. Generate is not a PRBG if adin = null. Let q = l/n and Generate(, ) = s 1 s 2 s q, where s j {0, 1} n for 1 j q. Then, = (s q ). Thus, it is easy to distinguish s 1 s 2 s q from a truly random sequence of length l + 2n. We introduce two generators G 01 and G 02. G 01 : {0, 1} 2n {0, 1} l+2n is described as follows: G 01 (, ): 1. s = 2. tmp = null 3. While tmp < l do: (a) = (, ) (b) tmp = tmp 4. s = s tmp 5. = (, 0x00) 6. s = s 7. Return s

7 Security Analysis of DRBG Using MAC in NIST SP G 02 : {0, 1} 2n {0, 1} l+3n is described as follows: G 02 (, ) : 1. s = 2. = (, ) 3. s = s G 01 (, ) 4. Return s The only difference between G 01 and G 02 is that G 02 calls MAC more than G 01 by one time. Let G 0 : {0, 1} 2n {0, 1} w(l+n)+n be a generator which, for a given (, ), produces a sequence { s 1 0 s 1 1 s 1 q+1 if w = 1 s 1 0s 1 1 s 1 q 1 s 2 1s 2 0 s 2 q 1 s w 1 1 sw 1 0 s w 1 q 1 sw 1s w 0 s w q+1 if w 2, where 1. s i j {0, 1}n, 2. s 1 0s 1 1 s 1 q+1 = G 01 (, ), and 3. s i 1s i 0s i 1 s i q+1 = G 02 (s i 1 q+1, si 1 q ) for 2 i w. A diagram of G 0 is given in Fig. 3. Notice that G(, ) is a part of G 0 (, ). It is obvious if w = 1. For w 2, G(, ) = s 1 1s 1 2 s 1 q 1 s 2 1s 2 1s 2 2 s 2 q 1 s 1 w 1 sw 1 1 s w 1 2 s w 1 q 1 sw 1s w 1 s w 2 s w q = s 1 1s 1 2 s 1 q s 2 1s 2 2 s 2 q s w 1 1 s2 w 1 s w 1 q s w 1 s w 2 s w q, where s i+1 1 = si q for 1 i w 1. Thus, G is a PRBG if G 0 is a PRBG. We will discuss the security of G 0 in the remaining part. c c G 01 G 02 G 02 G Fig. 3. A diagram of the generator G 0. c represents the concatenation with 0x00. The Update functions are surrounded by dashed rectangles. We first show that both G 01 and G 02 are PRBGs if MAC is a PRF. For an algorithm A, let t A be the running time of A.

8 8 S. irose Lemma 1. Let D be a distinguisher for G 01 which runs in t D. Then, there exists an adversary A for MAC such that G 01 (D) Adv prf q(q 1) MAC (A) + 2 n+1. A runs in t D + O(l) and asks at most q + 1 queries. Proof. Let F,n be the set of all functions from {0, 1} to {0, 1} n. Let Ĝ01(ρ, ) be a generator obtained from G 01 by replacing MAC with a function ρ F,n. Let Then, P 0 = Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 01 (, )], P 1 = Pr[D(s) = 1 ρ $ F,n $ {0, 1} n s Ĝ01(ρ, )], P 2 = Pr[D(s) = 1 s $ {0, 1} l+2n ]. G (D) = P 0 P 2 P 0 P 1 + P 1 P 2. Let Ĝ01(ρ, ) = ŝ 0 ŝ 1 ŝ q+1, where ŝ j {0, 1} n for 0 j q + 1. If ρ $ F,n, then Ĝ01(ρ, ) and a random sequence of length l + 2 n is completely indistinguishable as far as ŝ j1 ŝ j2 for every j 1 and j 2 such that 0 j 1 < j 2 q 1. Notice that ŝ j ŝ q 0x00 for every 0 j q 1. Thus, P 1 P 2 q(q 1) 2 n+1. On the other hand, for P 0 P 1, it is easy to see that we can construct an adversary A for MAC, using D as a subroutine, such that Adv prf MAC (A) P 0 P 1, where A runs in t D + O(l) and asks at most q + 1 queries. Lemma 2. Let D be a distinguisher for G 02 which runs in t D. Then, there exists an adversary A such that G 02 (D) Adv prf q(q + 1) MAC (A) + 2 n+1. A runs in t D + O(l) and asks at most q + 2 queries. Proof. The proof is similar to that of Lemma 1. For w 2, let G (w 1) 02 be a generator which calls G 02 (w 1) times successively. Namely, G (w 1) 02 (s 1 q+1, s 1 q) = s 2 1s 2 0 s 2 q 1 s w 1 1 sw 1 0 s w 1 q 1 sw 1s w 0 s w q+1.

9 Security Analysis of DRBG Using MAC in NIST SP Lemma 3. Let D be a distinguisher for G (w 1) 02 which runs in t D. Then, there exists a distinguisher D of G 02 such that G (w 1) 02 D runs in t D + (w 2) t G02 + O(wl). (D) (w 1) G 02 (D ). Proof. For a given input s {0, 1} l+3n, the distinguisher D behaves as follows: 1. Select 2 r w uniformly at random. 2. If r 3, then select s 2 1s 2 0 s 2 q 1,..., s r 1 1 sr 1 0 s r 1 q 1 uniformly at random. 3. Let s r 1s r 0 s r q+1 = s. 4. If r < w, s i 1s i 0 s i q+1 = G 02 (s i 1 q ) for r + 1 i w. 5. Call D with s = s 2 1s 2 0 s 2 q 1 s w Output D s output. Then, q+1, si 1 sw 1 0 s w 1 q 1 sw 1s w 0 s w q+1. G 02 (D ) = Pr[D (G 02 (, )) = 1 (, ) $ {0, 1} 2n ] Pr[D (s) = 1 s $ {0, 1} l+3n ] = Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 02 (, )] Pr[D(s) = 1 s $ {0, 1} l+3n ]. Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 02 (, )] w = Pr[r = u D(s) = 1 (, ) $ {0, 1} 2n s G 02 (, )] = u=2 w u=2 Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 02 (, ) r = u] w 1 = Pr[D(s) = 1 (, ) $ {0, 1} 2n s G (w 1) 02 (, )] + w 1 w Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 02 (, ) r = u] w 1 u=3. Pr[D(s) = 1 s $ {0, 1} l+3n ] = w 1 u=2 Pr[D(s) = 1 s $ {0, 1} l+3n r = u] w 1 + Pr[D(s) = 1 s $ {0, 1} (w 1)(l+n)+2n ] w 1.

10 10 S. irose There may exist a better distinguisher for G 02 than D with the same running time. Thus, we have G 02 (D ) 1 w 1 Advprbg G (w 1) 02 (D). The running time of D is at most t D + (w 2) t G02 + O(wl). Lemma 4. Let D be a distinguisher for G 0 which runs in t D. Then, there exist distinguishers D for G 01 and D for G (w 1) 02 such that D runs in t D + t G (w 1) 02 Proof. Let G 0 (D) G 01 (D ) + G (w 1) 02 (D ). + O(wl), and D runs in t D + O(wl). P 0 = Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 0 (, )], P 1 = Pr[D(s) = 1 s 1 0 s 1 q+1 P 2 = Pr[D(s) = 1 s $ {0, 1} w(l+n)+n ]. Then, there exist D and D such that $ {0, 1} l+2n s s 1 0 s 1 q 1 G (w 1) 02 (s 1 q+1, s 1 q)], G 0 (D) = P 0 P 2 P 0 P 1 + P 1 P 2 The running time of D is t D + t (w 1) G 02 t D + O(wl). G 01 (D ) + G (w 1) 02 (D ). + O(wl). The running time of D is The following theorem directly follows from Lemmas 1, 2, 3 and 4. It implies that G 0 is a PRBG if MAC is a PRF. Theorem 1. Let D be a distinguisher for G 0 which runs in t D. Then, there exists an adversary A for MAC such that G 0 (D) w Adv prf wq(q + 1) MAC (A) + 2 n+1. A runs in t D + w(q + 2) t MAC + O(wl) and asks at most q + 2 queries, where the length of each query is at most n + 8. Remark 1. Suppose that SA-1 is the underlying hash function of MAC. Then, n = 160. Suppose that w = 2 48 and l = ( 2 19 ). Then, G 0 (D) 2 48 Adv prf MAC (A) , where A runs in time t D t MAC +O( ) and makes at most 2050 queries. The big-o notation is abused here. O( ) is upper bounded by c for some positive constant c.

11 Security Analysis of DRBG Using MAC in NIST SP Remark 2. Suppose that SA-256 is the underlying hash function of MAC. Then, n = 256. Suppose that w = 2 48 and l = Then, G 0 (D) 2 48 Adv prf MAC (A) , where A runs in time t D t MAC + O(2 67 ) and makes at most 2050 queries. 4.2 If adin null If adin null, then the analysis is similar but tedious. We first define several generators. Let g 10 : {0, 1} 2n {0, 1} 2n be a generator such that g 10 (, ) = (, 0x00 adin). Let g 11 : {0, 1} 2n {0, 1} 3n be a generator such that g 11 (, ) = s, where s is obtained as follows: 1. 1 = (, ) 2. 2 = (, 1 0x01 adin) 3. s = 1 2 Let g 12 : {0, 1} 2n {0, 1} 3n be a generator such that g 12 (, ) = s, where s is obtained as follows: 1. 1 = (, ) 2. 2 = (, 1 0x00 adin) 3. s = 1 2 The generators g 10, g 11 and g 12 are depicted in Fig. 4. Let G 10 : {0, 1} 2n {0, 1} l+3n be a generator equivalent to G 02 defined in the previous subsection. c0 c1 c0 g 10 g 11 g 12 Fig. 4. A diagram of the generators g 10, g 11 and g 12. The Update functions are surrounded by dashed rectangles. c0 represents the concatenation with 0x00 adin, and c1 represents the concatenation with 0x01 adin. Using the generators defined above, we further define two generators G 11 and G 12. G 11 : {0, 1} 2n {0, 1} l+4n is described as follows: G 11 (, ) = s 2 s 1 s q+1, where

12 12 S. irose = g 10 (, ) 2. s = g 11 ( 1, 1 ) 3. s 1 s 0 s q s q+1 = G 10 ( 2, 2 ) G 12 : {0, 1} 2n {0, 1} l+6n is described as follows: G 12 (, ) = s 4 s 3 s q+1, where 1. s = g 11 (, ) 2. s = g 12 ( 1, 1 ) 3. s = g 11 ( 2, 2 ) 4. s 1 s 0 s q s q+1 = G 10 ( 3, 3 ) Now, we are ready to discuss the pseudorandomness of G(, ). Let G 1 : {0, 1} 2n {0, 1} w(l+4n) be a generator which, for a given (, ), produces a sequence where { s 1 2 s 1 1 s 1 q+1 if w = 1 s 1 2s 1 1 s 1 q 1 s 2 4 s 2 q 1 s 4 w 1 s w 1 q 1 sw 4 s w q+1 if w 2, 1. s i j {0, 1}n, 2. s 1 2s 1 1 s 1 q+1 = G 11 (, ), and 3. s i 4 s i q+1 = G 12 (sq+1 i 1, si 1 q ) for 2 i w. Notice that G(, ) is a part of G 1 (, ). It is easy to see if w = 1. For w 2, G(, ) = s 1 1s 1 2 s 1 q 1 s 2 4s 2 1s 2 2 s 2 q 1 s w 1 4 sw 1 1 s w 1 2 s w 1 q 1 sw 4s w 1 s w 2 s w q+1 = s 1 1s 1 2 s 1 q s 2 1s 2 2 s 2 q s w 1 1 s w 1 2 s w 1 q s w 1 s w 2 s w q, where s i+1 4 = si q for 1 i w 1. Thus, we discuss the pseudorandomness of G 1 in the remaining part. We only present the results since the proofs are similar. Lemma 5. Let D be a distinguisher for g 10 which runs in t D. Then, there exists an adversary A for MAC such that A runs in t D + O(n) and asks 1 query. g 10 (D) Adv prf MAC (A). Lemma 6. Let g be g 11 or g 12. Let D be a distinguisher for g which runs in t D. Then, there exists an adversary A for MAC such that g (D) Adv prf MAC (A). A runs in t D + O(n) and asks at most 2 queries.

13 Security Analysis of DRBG Using MAC in NIST SP Lemma 7. Let D be a distinguisher for G 11 which runs in t D. Then, there exist D 0, D 1 and D such that g 10 G 11 (D) (D 0 ) + g 11 (D 1 ) + G 10 (D ). D 0 runs in t D + t g11 + t G10 + O(n). D 1 runs in t D + t G10 + O(n). D runs in t D + O(n). Lemma 8. Let D be a distinguisher for G 12 which runs in t D. Then, there exist D 1, D 2 and D such that g 11 G 12 (D) 2 (D 1 ) + g 12 (D 2 ) + G 10 (D ). D 1 runs in t D + t g11 + t g12 + t G10 + O(n). D 2 runs in t D + t g11 + t G10 + O(n). D runs in t D + O(n). The following theorem directly follows from Lemmas 5, 6, 7 and 8. It implies that G 1 is a PRBG if MAC is a pseudorandom function. Theorem 2. Let D be a distinguisher for G 1 which runs in t D. Then, there exist adversaries A 1 and A 2 such that G 1 (D) w Adv prf MAC (A 1) + 3 w Adv prf MAC (A wq(q 1) 2) + 2 n+1. A 1 runs in t D + w(q + 8) t MAC + O(wl) and asks at most q + 1 queries, and A 2 runs in t D + (w + 1)(q + 8) t MAC + O(wl) and asks at most 2 queries. 5 Conclusion We have shown that the binary sequence generation algorithm of MAC DRBG is a PRBG if MAC is a PRF. Future work includes analysis of the instantiate and reseed algorithms of MAC DRBG. Acknowledgements The author would like to thank anonymous reviewers for their valuable comments. This research was supported in part by the National Institute of Information and Communications Technology, Japan. References 1. American National Standards Institute. Public key cryptography for the financial services industry: The elliptic curve digital signature algorithm (ECDSA). ANSI X (1998) 2. American National Standards Institute. Digital signatures using reversible public key cryptography for the financial services industry (rdsa). ANSI X (1998)

14 14 S. irose 3. Barker, E., elsey, J.: Recommendation for random number generation using deterministic random bit generators (revised). NIST Special Publication (2007) 4. Bellare, M.: New proofs for NMAC and MAC: Security without collisionresistance. In: Dwork, C. (ed.) CRYPTO LNCS, vol. 4117, pp Springer (2006). The full version is Cryptology eprint Archive: Report 2006/043 at 5. Bellare, M., Canetti, R., rawczyk,.: eying hash functions for message authentication. In: oblitz, N. (ed.) CRYPTO 96. LNCS, vol. 1109, pp Springer (1996) 6. Brown, D.R., Gjøsteen,.: A security analysis of the NIST SP elliptic curve random number generator. In: Menezes, A. (ed.) CRYPTO LNCS, vol. 4622, pp Springer (2007) 7. Campagna, M.J.: Security bounds for the NIST codebook-based deterministic random bit generator. Cryptology eprint Archive: Report 2006/379, iacr.org/ 8. Desai, A., evia, A., Yin, Y.L.: A practice-oriented treatment of pseudorandom number generators. In: nudsen, L.R. (ed.) EUROCRYPT LNCS, vol. 2332, pp Springer (2002) 9. an, W.: Analysis of underlying assumptions in NIST DRBGs. Cryptology eprint Archive: Report 2007/345, 10. elsey, J., Schneier, B., Wagner, D., all, C.: Cryptanalytic attacks on pseudorandom number generators. In: audenay, S. (ed.) FSE 98. LNCS, vol. 1372, pp Springer (1998) 11. U.S. Department of Commerce/National Institute of Standards and Technology. Digital signature standard (DSS). Federal Information Processing Standards Publication (+Change Notice) (2000) A The Instantiate and Reseed Algorithms of MAC DRBG The internal state of MAC DRBG includes {0, 1} n, {0, 1} n, and a reseed counter d. data is the entropy source. adin is an optional additional input. The Instantiate Algorithm. The instantiate algorithm Instantiate is described as follows: Instantiate(data, nonce, adin): 1. seed = data nonce adin 2. = 0x = 0x (, ) = Update(seed,, ) 5. d = 1 6. Return (, ) and d. If adin is not supported, then the first step of the procedure is replaced by seed = data nonce.

15 Security Analysis of DRBG Using MAC in NIST SP The Reseed Algorithm. The reseed algorithm Reseed is described as follows: Reseed(,, d, data, adin): 1. seed = data adin 2. (, ) = Update(seed,, ) 3. d = 1 4. Return (, ) and d. The input (, ) to Reseed is given by the latest Generate. If adin is not supported, then the first step of the procedure is replaced by seed = data.

Network Security. Chapter 6 Random Number Generation

Network Security. Chapter 6 Random Number Generation Network Security Chapter 6 Random Number Generation 1 Tasks of Key Management (1)! Generation:! It is crucial to security, that keys are generated with a truly random or at least a pseudo-random generation

More information

The NIST SP 800-90A Deterministic Random Bit Generator Validation System (DRBGVS)

The NIST SP 800-90A Deterministic Random Bit Generator Validation System (DRBGVS) The NIST SP 800-90A Deterministic Random Bit Generator Validation System (DRBGVS) Updated: March 21, 2012 Previous Update: September 2, 2011 Original: March 10, 2009 Timothy A. Hall National Institute

More information

Yale University Department of Computer Science

Yale University Department of Computer Science Yale University Department of Computer Science On Backtracking Resistance in Pseudorandom Bit Generation (preliminary version) Michael J. Fischer Michael S. Paterson Ewa Syta YALEU/DCS/TR-1466 October

More information

C O M P U T E R S E C U R I T Y

C O M P U T E R S E C U R I T Y NIST Special Publication 800-56C Recommendation for Key Derivation through Extraction-then-Expansion Lily Chen Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T

More information

Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper

Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper Tetsu Iwata Department of Computer and Information Sciences, Ibaraki University 4 12 1 Nakanarusawa, Hitachi, Ibaraki 316-8511,

More information

Recommendation for Applications Using Approved Hash Algorithms

Recommendation for Applications Using Approved Hash Algorithms NIST Special Publication 800-107 Recommendation for Applications Using Approved Hash Algorithms Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y February

More information

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

More information

MACs Message authentication and integrity. Table of contents

MACs Message authentication and integrity. Table of contents MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

More information

Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

More information

On the Security of the CCM Encryption Mode and of a Slight Variant

On the Security of the CCM Encryption Mode and of a Slight Variant On the Security of the CCM Encryption Mode and of a Slight Variant Pierre-Alain Fouque 1 and Gwenaëlle Martinet 2 and Frédéric Valette 3 and Sébastien Zimmer 1 1 École normale supérieure, 45 rue d Ulm,

More information

On the Security of CTR + CBC-MAC

On the Security of CTR + CBC-MAC On the Security of CTR + CBC-MAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBC-MAC (CCM) encryption mode.

More information

Network Security. Chapter 6 Random Number Generation. Prof. Dr.-Ing. Georg Carle

Network Security. Chapter 6 Random Number Generation. Prof. Dr.-Ing. Georg Carle Network Security Chapter 6 Random Number Generation Prof. Dr.-Ing. Georg Carle Chair for Computer Networks & Internet Wilhelm-Schickard-Institute for Computer Science University of Tübingen http://net.informatik.uni-tuebingen.de/

More information

Randomized Hashing for Digital Signatures

Randomized Hashing for Digital Signatures NIST Special Publication 800-106 Randomized Hashing for Digital Signatures Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y February 2009 U.S. Department

More information

Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

More information

Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

More information

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

More information

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct

More information

1 Message Authentication

1 Message Authentication Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

More information

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

More information

Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

More information

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

More information

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013 FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

More information

Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak Non-Black-Box Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a

More information

Recommendation for Cryptographic Key Generation

Recommendation for Cryptographic Key Generation NIST Special Publication 800-133 Recommendation for Cryptographic Key Generation Elaine Barker Allen Roginsky http://dx.doi.org/10.6028/nist.sp.800-133 C O M P U T E R S E C U R I T Y NIST Special Publication

More information

Authentication requirement Authentication function MAC Hash function Security of

Authentication requirement Authentication function MAC Hash function Security of UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy

More information

Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

More information

Recommendation for Applications Using Approved Hash Algorithms

Recommendation for Applications Using Approved Hash Algorithms NIST Special Publication 800-107 Revision 1 Recommendation for Applications Using Approved Hash Algorithms Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C

More information

The Misuse of RC4 in Microsoft Word and Excel

The Misuse of RC4 in Microsoft Word and Excel The Misuse of RC4 in Microsoft Word and Excel Hongjun Wu Institute for Infocomm Research, Singapore hongjun@i2r.a-star.edu.sg Abstract. In this report, we point out a serious security flaw in Microsoft

More information

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

More information

ARCHIVED PUBLICATION

ARCHIVED PUBLICATION ARCHIVED PUBLICATION The attached publication, FIPS Publication 186-3 (dated June 2009), was superseded on July 19, 2013 and is provided here only for historical purposes. For the most current revision

More information

Specification of Cryptographic Technique PC-MAC-AES. NEC Corporation

Specification of Cryptographic Technique PC-MAC-AES. NEC Corporation Specification of Cryptographic Technique PC-MAC-AS NC Corporation Contents 1 Contents 1 Design Criteria 2 2 Specification 2 2.1 Notations............................................. 2 2.2 Basic Functions..........................................

More information

1 Construction of CCA-secure encryption

1 Construction of CCA-secure encryption CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

More information

Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths

Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths NIST Special Publication 800-131A Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths Elaine Barker and Allen Roginsky Computer Security Division Information

More information

Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

Concrete Security of the Blum-Blum-Shub Pseudorandom Generator Appears in Cryptography and Coding: 10th IMA International Conference, Lecture Notes in Computer Science 3796 (2005) 355 375. Springer-Verlag. Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

More information

Digital Signature Standard (DSS)

Digital Signature Standard (DSS) FIPS PUB 186-4 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Digital Signature Standard (DSS) CATEGORY: COMPUTER SECURITY SUBCATEGORY: CRYPTOGRAPHY Information Technology Laboratory National Institute

More information

The Keyed-Hash Message Authentication Code (HMAC)

The Keyed-Hash Message Authentication Code (HMAC) FIPS PUB 198-1 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION The Keyed-Hash Message Authentication Code (HMAC) CATEGORY: COMPUTER SECURITY SUBCATEGORY: CRYPTOGRAPHY Information Technology Laboratory

More information

A Factoring and Discrete Logarithm based Cryptosystem

A Factoring and Discrete Logarithm based Cryptosystem Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511-517 HIKARI Ltd, www.m-hikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques

More information

Security Analysis for Order Preserving Encryption Schemes

Security Analysis for Order Preserving Encryption Schemes Security Analysis for Order Preserving Encryption Schemes Liangliang Xiao University of Texas at Dallas Email: xll052000@utdallas.edu Osbert Bastani Harvard University Email: obastani@fas.harvard.edu I-Ling

More information

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

More information

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

More information

Identity-Based Encryption from the Weil Pairing

Identity-Based Encryption from the Weil Pairing Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages

More information

Length extension attack on narrow-pipe SHA-3 candidates

Length extension attack on narrow-pipe SHA-3 candidates Length extension attack on narrow-pipe SHA-3 candidates Danilo Gligoroski Department of Telematics, Norwegian University of Science and Technology, O.S.Bragstads plass 2B, N-7491 Trondheim, NORWAY danilo.gligoroski@item.ntnu.no

More information

Remotely Keyed Encryption Using Non-Encrypting Smart Cards

Remotely Keyed Encryption Using Non-Encrypting Smart Cards THE ADVANCED COMPUTING SYSTEMS ASSOCIATION The following paper was originally published in the USENIX Workshop on Smartcard Technology Chicago, Illinois, USA, May 10 11, 1999 Remotely Keyed Encryption

More information

Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised)

Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised) NIST Special Publication 800-56A Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised) Elaine Barker, Don Johnson, and Miles Smid C O M P U T E R S E C

More information

Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012 Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database

More information

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

More information

Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

More information

A New Generic Digital Signature Algorithm

A New Generic Digital Signature Algorithm Groups Complex. Cryptol.? (????), 1 16 DOI 10.1515/GCC.????.??? de Gruyter???? A New Generic Digital Signature Algorithm Jennifer Seberry, Vinhbuu To and Dongvu Tonien Abstract. In this paper, we study

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 20 Public-Key Cryptography and Message Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Public-Key Cryptography

More information

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication

More information

Lecture 13: Message Authentication Codes

Lecture 13: Message Authentication Codes Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts

More information

New Efficient Searchable Encryption Schemes from Bilinear Pairings

New Efficient Searchable Encryption Schemes from Bilinear Pairings International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang

More information

CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631

CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631 Cunsheng DING, HKUST Lecture 08: Key Management for One-key Ciphers Topics of this Lecture 1. The generation and distribution of secret keys. 2. A key distribution protocol with a key distribution center.

More information

CMSS An Improved Merkle Signature Scheme

CMSS An Improved Merkle Signature Scheme CMSS An Improved Merkle Signature Scheme Johannes Buchmann 1, Luis Carlos Coronado García 2, Erik Dahmen 1, Martin Döring 1, and Elena Klintsevich 1 1 Technische Universität Darmstadt Department of Computer

More information

Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay

Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay Lecture - 17 Shannon-Fano-Elias Coding and Introduction to Arithmetic Coding

More information

Message Authentication Code

Message Authentication Code Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

More information

Cryptographic Hash Functions Message Authentication Digital Signatures

Cryptographic Hash Functions Message Authentication Digital Signatures Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBC-MAC Digital signatures 2 Encryption/Decryption

More information

ETSI TS 102 176-2 V1.2.1 (2005-07)

ETSI TS 102 176-2 V1.2.1 (2005-07) TS 102 176-2 V1.2.1 (2005-07) Technical Specification Electronic Signatures and Infrastructures (ESI); Algorithms and Parameters for Secure Electronic Signatures; Part 2: Secure channel protocols and algorithms

More information

A New and Efficient Signature on Commitment Values

A New and Efficient Signature on Commitment Values International Journal of Network Security, Vol.7, No., PP.0 06, July 2008 0 A New and Efficient Signature on Commitment Values Fangguo Zhang,3, Xiaofeng Chen 2,3, Yi Mu 4, and Willy Susilo 4 (Corresponding

More information

A novel deniable authentication protocol using generalized ElGamal signature scheme

A novel deniable authentication protocol using generalized ElGamal signature scheme Information Sciences 177 (2007) 1376 1381 www.elsevier.com/locate/ins A novel deniable authentication protocol using generalized ElGamal signature scheme Wei-Bin Lee a, Chia-Chun Wu a, Woei-Jiunn Tsaur

More information

An Approach to Shorten Digital Signature Length

An Approach to Shorten Digital Signature Length Computer Science Journal of Moldova, vol.14, no.342, 2006 An Approach to Shorten Digital Signature Length Nikolay A. Moldovyan Abstract A new method is proposed to design short signature schemes based

More information

Algorithms and Parameters for Secure Electronic Signatures V.1.44 DRAFT May 4 th., 2001

Algorithms and Parameters for Secure Electronic Signatures V.1.44 DRAFT May 4 th., 2001 Title: Algorithms and Parameters for Secure Electronic Signatures Source: This document is the outcome of the work of the Algorithms group (ALGO) working under the umbrella of - SG (European Electronic

More information

Efficient Unlinkable Secret Handshakes for Anonymous Communications

Efficient Unlinkable Secret Handshakes for Anonymous Communications 보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 Efficient Unlinkable Secret Handshakes for Anonymous Communications Eun-Kyung Ryu 1), Kee-Young Yoo 2), Keum-Sook Ha 3) Abstract The technique

More information

Message Authentication Codes 133

Message Authentication Codes 133 Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in

More information

Strengthening Digital Signatures via Randomized Hashing

Strengthening Digital Signatures via Randomized Hashing Strengthening Digital Signatures via Randomized Hashing Shai Halevi Hugo Krawczyk January 30, 2007 Abstract We propose randomized hashing as a mode of operation for cryptographic hash functions intended

More information

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

More information

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6. 1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

More information

GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell Bar-Ilan University

GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell Bar-Ilan University GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte Shay Gueron Haifa Univ. and Intel Yehuda Lindell Bar-Ilan University Appeared at ACM CCS 2015 How to Encrypt with

More information

Predictive Models for Min-Entropy Estimation

Predictive Models for Min-Entropy Estimation Predictive Models for Min-Entropy Estimation John Kelsey Kerry A. McKay Meltem Sönmez Turan National Institute of Standards and Technology meltem.turan@nist.gov September 15, 2015 Overview Cryptographic

More information

Introduction. Digital Signature

Introduction. Digital Signature Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

More information

One-Way Encryption and Message Authentication

One-Way Encryption and Message Authentication One-Way Encryption and Message Authentication Cryptographic Hash Functions Johannes Mittmann mittmann@in.tum.de Zentrum Mathematik Technische Universität München (TUM) 3 rd Joint Advanced Student School

More information

Recommendation for Digital Signature Timeliness

Recommendation for Digital Signature Timeliness NIST Special Publication 800-102 Recommendation for Digital Signature Timeliness Elaine Barker Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y September 2009

More information

Limits of Computational Differential Privacy in the Client/Server Setting

Limits of Computational Differential Privacy in the Client/Server Setting Limits of Computational Differential Privacy in the Client/Server Setting Adam Groce, Jonathan Katz, and Arkady Yerukhimovich Dept. of Computer Science University of Maryland {agroce, jkatz, arkady}@cs.umd.edu

More information

Cryptography in AllJoyn

Cryptography in AllJoyn Cryptography in AllJoyn Greg Zaverucha Software Engineer, Microsoft 10 November 2015 AllSeen Alliance 1 Agenda 1. Review of AllJoyn security features 2. Authentication and security protocols 3. Comparison

More information

CS 393 Network Security. Nasir Memon Polytechnic University Module 11 Secure Email

CS 393 Network Security. Nasir Memon Polytechnic University Module 11 Secure Email CS 393 Network Security Nasir Memon Polytechnic University Module 11 Secure Email Course Logistics HW 5 due Thursday Graded exams returned and discussed. Read Chapter 5 of text 4/2/02 Module 11 - Secure

More information

Security Arguments for Digital Signatures and Blind Signatures

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, Volume 13, Number 3. Pages 361 396, Springer-Verlag, 2000. 2000 International Association for Cryptologic Research Security Arguments for Digital Signatures and Blind Signatures

More information

Talk announcement please consider attending!

Talk announcement please consider attending! Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

More information

Simulation-Based Security with Inexhaustible Interactive Turing Machines

Simulation-Based Security with Inexhaustible Interactive Turing Machines Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de

More information

Notes from Week 1: Algorithms for sequential prediction

Notes from Week 1: Algorithms for sequential prediction CS 683 Learning, Games, and Electronic Markets Spring 2007 Notes from Week 1: Algorithms for sequential prediction Instructor: Robert Kleinberg 22-26 Jan 2007 1 Introduction In this course we will be looking

More information

SkyRecon Cryptographic Module (SCM)

SkyRecon Cryptographic Module (SCM) SkyRecon Cryptographic Module (SCM) FIPS 140-2 Documentation: Security Policy Abstract This document specifies the security policy for the SkyRecon Cryptographic Module (SCM) as described in FIPS PUB 140-2.

More information

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,

More information

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

More information

SD12 REPLACES: N19780

SD12 REPLACES: N19780 ISO/IEC JTC 1/SC 27 N13432 ISO/IEC JTC 1/SC 27 Information technology - Security techniques Secretariat: DIN, Germany SD12 REPLACES: N19780 DOC TYPE: TITLE: Standing document ISO/IEC JTC 1/SC 27 Standing

More information

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1 EXAM questions for the course TTM4135 - Information Security May 2013 Part 1 This part consists of 5 questions all from one common topic. The number of maximal points for every correctly answered question

More information

National Security Agency Perspective on Key Management

National Security Agency Perspective on Key Management National Security Agency Perspective on Key Management IEEE Key Management Summit 5 May 2010 Petrina Gillman Information Assurance (IA) Infrastructure Development & Operations Technical Director National

More information

Advanced Cryptography

Advanced Cryptography Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

More information

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives Olivier Pereira Université catholique de Louvain ICTEAM Crypto Group B-1348, Belgium olivier.pereira@uclouvain.be

More information

An Improved Authentication Protocol for Session Initiation Protocol Using Smart Card and Elliptic Curve Cryptography

An Improved Authentication Protocol for Session Initiation Protocol Using Smart Card and Elliptic Curve Cryptography ROMANIAN JOURNAL OF INFORMATION SCIENCE AND TECHNOLOGY Volume 16, Number 4, 2013, 324 335 An Improved Authentication Protocol for Session Initiation Protocol Using Smart Card and Elliptic Curve Cryptography

More information

Stronger Security Bounds for OMAC, TMAC and XCBC

Stronger Security Bounds for OMAC, TMAC and XCBC Stronger Security Bounds for OMAC, MAC and XCBC etsu Iwata Kaoru Kurosawa Department of Computer and Information Sciences, Ibaraki University 4 1 1 Nakanarusawa, Hitachi, Ibaraki 316-8511, Japan {iwata,

More information

Hash-based Digital Signature Schemes

Hash-based Digital Signature Schemes Hash-based Digital Signature Schemes Johannes Buchmann Erik Dahmen Michael Szydlo October 29, 2008 Contents 1 Introduction 2 2 Hash based one-time signature schemes 3 2.1 Lamport Diffie one-time signature

More information

Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware

Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Dept. of Computer Science Indiana Univ. at Bloomington Bloomington, IN 47405 Philippe Golle Palo Alto

More information

Chapter 3. Network Domain Security

Chapter 3. Network Domain Security Communication System Security, Chapter 3, Draft, L.D. Chen and G. Gong, 2008 1 Chapter 3. Network Domain Security A network can be considered as the physical resource for a communication system. This chapter

More information

Democratic Group Signatures on Example of Joint Ventures

Democratic Group Signatures on Example of Joint Ventures Democratic Group Signatures on Example of Joint Ventures Mark Manulis Horst-Görtz Institute Ruhr-University of Bochum D-44801, Germany EMail: mark.manulis@rub.de Abstract. In the presence of economic globalization

More information

Implementation of Elliptic Curve Digital Signature Algorithm

Implementation of Elliptic Curve Digital Signature Algorithm Implementation of Elliptic Curve Digital Signature Algorithm Aqeel Khalique Kuldip Singh Sandeep Sood Department of Electronics & Computer Engineering, Indian Institute of Technology Roorkee Roorkee, India

More information

Indifferentiability Security of the Fast Wide Pipe Hash: Breaking the Birthday Barrier

Indifferentiability Security of the Fast Wide Pipe Hash: Breaking the Birthday Barrier Indifferentiability Security of the Fast Wide Pipe Hash: Breaking the Birthday Barrier Dustin Moody Souradyuti Paul Daniel Smith-Tone Abstract A hash function secure in the indifferentiability framework

More information

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES Ounasser Abid 1, Jaouad Ettanfouhi 2 and Omar Khadir 3 1,2,3 Laboratory of Mathematics, Cryptography and Mechanics, Department of Mathematics, Fstm,

More information

Analysis of a Database and Index Encryption Scheme Problems and Fixes

Analysis of a Database and Index Encryption Scheme Problems and Fixes Analysis of a Database and Index Encryption Scheme Problems and Fixes Ulrich Kühn Deutsche Telekom Laboratories Technische Universität Berlin, Germany ukuehn@acm.org Abstract. The database encryption scheme

More information

DIGITAL SIGNATURES 1/1

DIGITAL SIGNATURES 1/1 DIGITAL SIGNATURES 1/1 Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob 2/1 Signing electronically Bank Internet SIGFILE } {{ } 101 1 ALICE Pay Bob $100 scan

More information

Elliptic Curve Hash (and Sign)

Elliptic Curve Hash (and Sign) Elliptic Curve Hash (and Sign) (and the 1-up problem for ECDSA) Daniel R. L. Brown Certicom Research ECC 2008, Utrecht, Sep 22-24 2008 Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 1 / 43

More information