Security Analysis of DRBG Using HMAC in NIST SP


 Owen Wood
 3 years ago
 Views:
Transcription
1 Security Analysis of DRBG Using MAC in NIST SP Shoichi irose Graduate School of Engineering, University of Fukui hrs Abstract. MAC DRBG is a deterministic random bit generator using MAC specified in NIST SP The document claims that MAC DRBG is a pseudorandom bit generator if MAC is a pseudorandom function. owever, no proof is given in the document. This article provides a security analysis of MAC DRBG and confirms the claim. ey words: NIST SP , pseudorandom bit generator, MAC, pseudorandom function 1 Introduction Background. Random bits are indispensable to every cryptographic application. owever, it is not easy to prepare sufficient amount of truly random bits in general. Thus, most applications use a cryptographic mechanism that is called a pseudorandom bit generator (PRBG). It stretches a short sequence of random bits to a long sequence of bits that are indistinguishable from truly random bits in practice. MAC DRBG is a deterministic random bit generator (DRBG) specified in NIST SP [3]. It is claimed in NIST SP that MAC DRBG is a PRBG if MAC is a pseudorandom function (PRF). owever, no proof is made public as far as the authors know. Contribution. This article presents a security analysis of MAC DRBG. The result supports the claim in NIST SP mentioned above. This article does not provide new techniques and just uses wellknown ones in the analysis. In spite of this fact, the contribution of this paper is still important since MAC DRBG is expected to be widely used in practice. MAC DRBG consists of three algorithms. They are instantiate, reseed and generate algorithms. The instantiate/reseed algorithm is used to produce/refresh a secret key. The generate algorithm produces a binary sequence from a secret key given by the instantiate or reseed algorithms. This article gives a proof for the pseudorandomness of MAC DRBG on the assumption that the instantiate and reseed algorithms are ideal. Namely, a secret key given to the generate algorithm is selected uniformly at random by each of them.
2 2 S. irose Related Work. NIST SP specifies four DRBG mechanisms: ash DRBG, MAC DRBG, CTR DRBG and Dual EC DRBG. ash DRBG and MAC DRBG are based on hash functions. CTR DRBG uses a block cipher in the counter mode. Dual EC DRBG is based on the elliptic curve discrete logarithm problem. A security analysis of these DRBGs was presented in [9]. owever, the discussion was quite informal. A security analysis of CTR DRBG was also presented in [7]. Brown and Gjøsteen [6] provided a detailed security analysis of Dual EC DRBG. There also exist some other approved DRBGs in ANSI X.9.31 [2], ANSI X [1] and FIPS PUB [11]. The security of these algorithms was discussed in [8] and [10]. MAC was proposed by Bellare, Canetti and rawczyk [5]. It was proved to be a PRF on the assumption that the compression function of the underlying iterated hash function is a PRF with two keying strategies[4]. Actually, MAC is used as a PRF in many cryptographic schemes. Organization. This article is organized as follows. Definitions of a pseudorandom bit generator and a pseudorandom function are given in Sect. 2. A description of MAC DRBG is presented in Sect. 3. Results on security analysis of MAC DRBG are shown in Sect. 4. Concluding remarks are given in Sect Preliminaries Let a $ A represent that an element a is selected uniformly at random from a set A. 2.1 A Pseudorandom Bit Generator Let G be a function such that G : {0, 1} n {0, 1} l. Let D be a probabilistic algorithm which outputs 0 or 1 for a given input in {0, 1} l. The goal of D is to tell whether a given input is G(k) for k selected uniformly at random or it is selected uniformly at random. The advantage of D against G is defined as follows: Pr[D(G(k)) G (D) = $ = 1 k {0, 1} n ] Pr[D(s) = 1 s $ {0, 1} l ], where the probabilities are taken over the coin tosses by D and the uniform distributions on {0, 1} n or {0, 1} l. G is called a pseudorandom bit generator (PRBG) if l > n and G (D) is negligible for any efficient D. 2.2 A Pseudorandom Function Let be a keyed function such that : D R, where is a key space, D is a domain, and R is a range. (k, ) is denoted by k ( ). Let A be a probabilistic algorithm which has oracle access to a function from D to R. The goal of A is to tell whether the oracle is k for k selected uniformly at random or it is a
3 Security Analysis of DRBG Using MAC in NIST SP function selected uniformly at random. A first asks elements in D and obtains the corresponding elements in R with respect to the function, and then outputs 0 or 1. A makes the queries adaptively: A makes a new query after receiving an answer to the current query. Let F be the set of all functions from D to R. The advantage of A for is defined as follows: Adv prf Pr[A (A) = k = 1 k $ ] Pr[A ρ = 1 ρ $ F ], where the probabilities are taken over the coin tosses by A and the uniform distributions on or F. is called a pseudorandom function (PRF) if Adv prf (A) is negligible for any efficient A. 3 MAC DRBG MAC DRBG is a DRBG using MAC in NIST SP [3]. It consists of three algorithms: an instantiate algorithm, a reseed algorithm and a generate algorithm. The instantiate algorithm is used to produce a secret key. The reseed algorithm is used to refresh it. These algorithms are out of the scope of the article. They also use MAC to produce the secret keys. owever, the security of the outputs is not based on the secrecy and randomness of the keys given to MAC but the data given to MAC via message input. From this viewpoint, we may say that they abuse MAC. We only assume that the keys produced by the instantiate and reseed algorithms are ideal. Namely, we assume that a secret key given to the generate algorithm is selected uniformly at random. The generate algorithm produces a binary sequence for a given secret key. A description of this algorithm is given in the following part. The instantiate and reseed algorithms are given in Appendix A for reference. Notation. MAC is simply denoted by. Let n denote the output length of. Let null denote an empty sequence. Concatenation of binary sequences x and y is denoted by x y. The symbol is sometimes omitted. 3.1 Internal State The internal state of MAC DRBG includes {0, 1} n, {0, 1} n, and a reseed counter d 1. and are assumed to be secret. The reseed counter d is an integer variable indicating the number of requests for pseudorandom bits since instantiation or reseeding. 3.2 The Function Update The function Update is used in the generate algorithm to produce a secret key (, ) for the next invocation of the generate algorithm. It is described as follows.
4 4 S. irose Update(,, adin): 1. = (, 0x00 adin) 2. = (, ) 3. If adin = null, then return (, ) 4. = (, 0x01 adin) 5. = (, ) 6. Return (, ) adin is an optional additional input. Update is shown in Fig. 1. 0x00 (a) If adin is an empty sequence 0x00 adin 0x01 adin (b) If adin is not an empty sequence Fig. 1. The function Update 3.3 The Algorithm Generate The generate algorithm Generate produces a binary sequence s for given secret (, ) and an optional additional input adin. It is described as follows.
5 Security Analysis of DRBG Using MAC in NIST SP Generate(,, adin): 1. If d > w, then return an indication that a reseed is required. 2. (, ) = Update(,, adin) if adin null 3. tmp = null 4. While tmp < l do: (a) = (, ) (b) tmp = tmp 5. s = the leftmost l bits of tmp 6. (, ) = Update(,, adin) 7. d = d Return s and (, ) The maximum sizes of parameters are given in Table 1. w is called a reseed interval. It represents the total number of requests for pseudorandom bits between reseeding. If adin is not supported, then the step 6 is executed with adin = null. Generate is given in Fig. 2. null Update adin s (a) If adin is not given or not supported Update Update s (b) If adin is given Fig. 2. The algorithm Generate. The update of the reseed counter d is omitted.
6 6 S. irose Table 1. The maximum sizes of parameters parameter maximum size adin 2 35 bits l 2 19 bits w Security Analysis For simplicity, we assume that l is a multiple of n. Thus, the output length of Generate is l+2n. We analyze the security of a generator G : {0, 1} 2n {0, 1} wl defined as follows: G(, ): 1. ( 0, 0 ) = (, ) 2. s = null 3. for i = 1 to w do (a) (s i, i, i ) = Generate( i 1, i 1, adin i 1 ) (b) s = s s i (c) Return s We make adin i implicit in the notation of G(, ), because the analysis given in the remaining parts does not depend on the value of adin i. It depends only on whether adin i = null or not. 4.1 If adin = null First, notice that we cannot prove the pseudorandomness of G directly from that of Generate. Generate is not a PRBG if adin = null. Let q = l/n and Generate(, ) = s 1 s 2 s q, where s j {0, 1} n for 1 j q. Then, = (s q ). Thus, it is easy to distinguish s 1 s 2 s q from a truly random sequence of length l + 2n. We introduce two generators G 01 and G 02. G 01 : {0, 1} 2n {0, 1} l+2n is described as follows: G 01 (, ): 1. s = 2. tmp = null 3. While tmp < l do: (a) = (, ) (b) tmp = tmp 4. s = s tmp 5. = (, 0x00) 6. s = s 7. Return s
7 Security Analysis of DRBG Using MAC in NIST SP G 02 : {0, 1} 2n {0, 1} l+3n is described as follows: G 02 (, ) : 1. s = 2. = (, ) 3. s = s G 01 (, ) 4. Return s The only difference between G 01 and G 02 is that G 02 calls MAC more than G 01 by one time. Let G 0 : {0, 1} 2n {0, 1} w(l+n)+n be a generator which, for a given (, ), produces a sequence { s 1 0 s 1 1 s 1 q+1 if w = 1 s 1 0s 1 1 s 1 q 1 s 2 1s 2 0 s 2 q 1 s w 1 1 sw 1 0 s w 1 q 1 sw 1s w 0 s w q+1 if w 2, where 1. s i j {0, 1}n, 2. s 1 0s 1 1 s 1 q+1 = G 01 (, ), and 3. s i 1s i 0s i 1 s i q+1 = G 02 (s i 1 q+1, si 1 q ) for 2 i w. A diagram of G 0 is given in Fig. 3. Notice that G(, ) is a part of G 0 (, ). It is obvious if w = 1. For w 2, G(, ) = s 1 1s 1 2 s 1 q 1 s 2 1s 2 1s 2 2 s 2 q 1 s 1 w 1 sw 1 1 s w 1 2 s w 1 q 1 sw 1s w 1 s w 2 s w q = s 1 1s 1 2 s 1 q s 2 1s 2 2 s 2 q s w 1 1 s2 w 1 s w 1 q s w 1 s w 2 s w q, where s i+1 1 = si q for 1 i w 1. Thus, G is a PRBG if G 0 is a PRBG. We will discuss the security of G 0 in the remaining part. c c G 01 G 02 G 02 G Fig. 3. A diagram of the generator G 0. c represents the concatenation with 0x00. The Update functions are surrounded by dashed rectangles. We first show that both G 01 and G 02 are PRBGs if MAC is a PRF. For an algorithm A, let t A be the running time of A.
8 8 S. irose Lemma 1. Let D be a distinguisher for G 01 which runs in t D. Then, there exists an adversary A for MAC such that G 01 (D) Adv prf q(q 1) MAC (A) + 2 n+1. A runs in t D + O(l) and asks at most q + 1 queries. Proof. Let F,n be the set of all functions from {0, 1} to {0, 1} n. Let Ĝ01(ρ, ) be a generator obtained from G 01 by replacing MAC with a function ρ F,n. Let Then, P 0 = Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 01 (, )], P 1 = Pr[D(s) = 1 ρ $ F,n $ {0, 1} n s Ĝ01(ρ, )], P 2 = Pr[D(s) = 1 s $ {0, 1} l+2n ]. G (D) = P 0 P 2 P 0 P 1 + P 1 P 2. Let Ĝ01(ρ, ) = ŝ 0 ŝ 1 ŝ q+1, where ŝ j {0, 1} n for 0 j q + 1. If ρ $ F,n, then Ĝ01(ρ, ) and a random sequence of length l + 2 n is completely indistinguishable as far as ŝ j1 ŝ j2 for every j 1 and j 2 such that 0 j 1 < j 2 q 1. Notice that ŝ j ŝ q 0x00 for every 0 j q 1. Thus, P 1 P 2 q(q 1) 2 n+1. On the other hand, for P 0 P 1, it is easy to see that we can construct an adversary A for MAC, using D as a subroutine, such that Adv prf MAC (A) P 0 P 1, where A runs in t D + O(l) and asks at most q + 1 queries. Lemma 2. Let D be a distinguisher for G 02 which runs in t D. Then, there exists an adversary A such that G 02 (D) Adv prf q(q + 1) MAC (A) + 2 n+1. A runs in t D + O(l) and asks at most q + 2 queries. Proof. The proof is similar to that of Lemma 1. For w 2, let G (w 1) 02 be a generator which calls G 02 (w 1) times successively. Namely, G (w 1) 02 (s 1 q+1, s 1 q) = s 2 1s 2 0 s 2 q 1 s w 1 1 sw 1 0 s w 1 q 1 sw 1s w 0 s w q+1.
9 Security Analysis of DRBG Using MAC in NIST SP Lemma 3. Let D be a distinguisher for G (w 1) 02 which runs in t D. Then, there exists a distinguisher D of G 02 such that G (w 1) 02 D runs in t D + (w 2) t G02 + O(wl). (D) (w 1) G 02 (D ). Proof. For a given input s {0, 1} l+3n, the distinguisher D behaves as follows: 1. Select 2 r w uniformly at random. 2. If r 3, then select s 2 1s 2 0 s 2 q 1,..., s r 1 1 sr 1 0 s r 1 q 1 uniformly at random. 3. Let s r 1s r 0 s r q+1 = s. 4. If r < w, s i 1s i 0 s i q+1 = G 02 (s i 1 q ) for r + 1 i w. 5. Call D with s = s 2 1s 2 0 s 2 q 1 s w Output D s output. Then, q+1, si 1 sw 1 0 s w 1 q 1 sw 1s w 0 s w q+1. G 02 (D ) = Pr[D (G 02 (, )) = 1 (, ) $ {0, 1} 2n ] Pr[D (s) = 1 s $ {0, 1} l+3n ] = Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 02 (, )] Pr[D(s) = 1 s $ {0, 1} l+3n ]. Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 02 (, )] w = Pr[r = u D(s) = 1 (, ) $ {0, 1} 2n s G 02 (, )] = u=2 w u=2 Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 02 (, ) r = u] w 1 = Pr[D(s) = 1 (, ) $ {0, 1} 2n s G (w 1) 02 (, )] + w 1 w Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 02 (, ) r = u] w 1 u=3. Pr[D(s) = 1 s $ {0, 1} l+3n ] = w 1 u=2 Pr[D(s) = 1 s $ {0, 1} l+3n r = u] w 1 + Pr[D(s) = 1 s $ {0, 1} (w 1)(l+n)+2n ] w 1.
10 10 S. irose There may exist a better distinguisher for G 02 than D with the same running time. Thus, we have G 02 (D ) 1 w 1 Advprbg G (w 1) 02 (D). The running time of D is at most t D + (w 2) t G02 + O(wl). Lemma 4. Let D be a distinguisher for G 0 which runs in t D. Then, there exist distinguishers D for G 01 and D for G (w 1) 02 such that D runs in t D + t G (w 1) 02 Proof. Let G 0 (D) G 01 (D ) + G (w 1) 02 (D ). + O(wl), and D runs in t D + O(wl). P 0 = Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 0 (, )], P 1 = Pr[D(s) = 1 s 1 0 s 1 q+1 P 2 = Pr[D(s) = 1 s $ {0, 1} w(l+n)+n ]. Then, there exist D and D such that $ {0, 1} l+2n s s 1 0 s 1 q 1 G (w 1) 02 (s 1 q+1, s 1 q)], G 0 (D) = P 0 P 2 P 0 P 1 + P 1 P 2 The running time of D is t D + t (w 1) G 02 t D + O(wl). G 01 (D ) + G (w 1) 02 (D ). + O(wl). The running time of D is The following theorem directly follows from Lemmas 1, 2, 3 and 4. It implies that G 0 is a PRBG if MAC is a PRF. Theorem 1. Let D be a distinguisher for G 0 which runs in t D. Then, there exists an adversary A for MAC such that G 0 (D) w Adv prf wq(q + 1) MAC (A) + 2 n+1. A runs in t D + w(q + 2) t MAC + O(wl) and asks at most q + 2 queries, where the length of each query is at most n + 8. Remark 1. Suppose that SA1 is the underlying hash function of MAC. Then, n = 160. Suppose that w = 2 48 and l = ( 2 19 ). Then, G 0 (D) 2 48 Adv prf MAC (A) , where A runs in time t D t MAC +O( ) and makes at most 2050 queries. The bigo notation is abused here. O( ) is upper bounded by c for some positive constant c.
11 Security Analysis of DRBG Using MAC in NIST SP Remark 2. Suppose that SA256 is the underlying hash function of MAC. Then, n = 256. Suppose that w = 2 48 and l = Then, G 0 (D) 2 48 Adv prf MAC (A) , where A runs in time t D t MAC + O(2 67 ) and makes at most 2050 queries. 4.2 If adin null If adin null, then the analysis is similar but tedious. We first define several generators. Let g 10 : {0, 1} 2n {0, 1} 2n be a generator such that g 10 (, ) = (, 0x00 adin). Let g 11 : {0, 1} 2n {0, 1} 3n be a generator such that g 11 (, ) = s, where s is obtained as follows: 1. 1 = (, ) 2. 2 = (, 1 0x01 adin) 3. s = 1 2 Let g 12 : {0, 1} 2n {0, 1} 3n be a generator such that g 12 (, ) = s, where s is obtained as follows: 1. 1 = (, ) 2. 2 = (, 1 0x00 adin) 3. s = 1 2 The generators g 10, g 11 and g 12 are depicted in Fig. 4. Let G 10 : {0, 1} 2n {0, 1} l+3n be a generator equivalent to G 02 defined in the previous subsection. c0 c1 c0 g 10 g 11 g 12 Fig. 4. A diagram of the generators g 10, g 11 and g 12. The Update functions are surrounded by dashed rectangles. c0 represents the concatenation with 0x00 adin, and c1 represents the concatenation with 0x01 adin. Using the generators defined above, we further define two generators G 11 and G 12. G 11 : {0, 1} 2n {0, 1} l+4n is described as follows: G 11 (, ) = s 2 s 1 s q+1, where
12 12 S. irose = g 10 (, ) 2. s = g 11 ( 1, 1 ) 3. s 1 s 0 s q s q+1 = G 10 ( 2, 2 ) G 12 : {0, 1} 2n {0, 1} l+6n is described as follows: G 12 (, ) = s 4 s 3 s q+1, where 1. s = g 11 (, ) 2. s = g 12 ( 1, 1 ) 3. s = g 11 ( 2, 2 ) 4. s 1 s 0 s q s q+1 = G 10 ( 3, 3 ) Now, we are ready to discuss the pseudorandomness of G(, ). Let G 1 : {0, 1} 2n {0, 1} w(l+4n) be a generator which, for a given (, ), produces a sequence where { s 1 2 s 1 1 s 1 q+1 if w = 1 s 1 2s 1 1 s 1 q 1 s 2 4 s 2 q 1 s 4 w 1 s w 1 q 1 sw 4 s w q+1 if w 2, 1. s i j {0, 1}n, 2. s 1 2s 1 1 s 1 q+1 = G 11 (, ), and 3. s i 4 s i q+1 = G 12 (sq+1 i 1, si 1 q ) for 2 i w. Notice that G(, ) is a part of G 1 (, ). It is easy to see if w = 1. For w 2, G(, ) = s 1 1s 1 2 s 1 q 1 s 2 4s 2 1s 2 2 s 2 q 1 s w 1 4 sw 1 1 s w 1 2 s w 1 q 1 sw 4s w 1 s w 2 s w q+1 = s 1 1s 1 2 s 1 q s 2 1s 2 2 s 2 q s w 1 1 s w 1 2 s w 1 q s w 1 s w 2 s w q, where s i+1 4 = si q for 1 i w 1. Thus, we discuss the pseudorandomness of G 1 in the remaining part. We only present the results since the proofs are similar. Lemma 5. Let D be a distinguisher for g 10 which runs in t D. Then, there exists an adversary A for MAC such that A runs in t D + O(n) and asks 1 query. g 10 (D) Adv prf MAC (A). Lemma 6. Let g be g 11 or g 12. Let D be a distinguisher for g which runs in t D. Then, there exists an adversary A for MAC such that g (D) Adv prf MAC (A). A runs in t D + O(n) and asks at most 2 queries.
13 Security Analysis of DRBG Using MAC in NIST SP Lemma 7. Let D be a distinguisher for G 11 which runs in t D. Then, there exist D 0, D 1 and D such that g 10 G 11 (D) (D 0 ) + g 11 (D 1 ) + G 10 (D ). D 0 runs in t D + t g11 + t G10 + O(n). D 1 runs in t D + t G10 + O(n). D runs in t D + O(n). Lemma 8. Let D be a distinguisher for G 12 which runs in t D. Then, there exist D 1, D 2 and D such that g 11 G 12 (D) 2 (D 1 ) + g 12 (D 2 ) + G 10 (D ). D 1 runs in t D + t g11 + t g12 + t G10 + O(n). D 2 runs in t D + t g11 + t G10 + O(n). D runs in t D + O(n). The following theorem directly follows from Lemmas 5, 6, 7 and 8. It implies that G 1 is a PRBG if MAC is a pseudorandom function. Theorem 2. Let D be a distinguisher for G 1 which runs in t D. Then, there exist adversaries A 1 and A 2 such that G 1 (D) w Adv prf MAC (A 1) + 3 w Adv prf MAC (A wq(q 1) 2) + 2 n+1. A 1 runs in t D + w(q + 8) t MAC + O(wl) and asks at most q + 1 queries, and A 2 runs in t D + (w + 1)(q + 8) t MAC + O(wl) and asks at most 2 queries. 5 Conclusion We have shown that the binary sequence generation algorithm of MAC DRBG is a PRBG if MAC is a PRF. Future work includes analysis of the instantiate and reseed algorithms of MAC DRBG. Acknowledgements The author would like to thank anonymous reviewers for their valuable comments. This research was supported in part by the National Institute of Information and Communications Technology, Japan. References 1. American National Standards Institute. Public key cryptography for the financial services industry: The elliptic curve digital signature algorithm (ECDSA). ANSI X (1998) 2. American National Standards Institute. Digital signatures using reversible public key cryptography for the financial services industry (rdsa). ANSI X (1998)
14 14 S. irose 3. Barker, E., elsey, J.: Recommendation for random number generation using deterministic random bit generators (revised). NIST Special Publication (2007) 4. Bellare, M.: New proofs for NMAC and MAC: Security without collisionresistance. In: Dwork, C. (ed.) CRYPTO LNCS, vol. 4117, pp Springer (2006). The full version is Cryptology eprint Archive: Report 2006/043 at 5. Bellare, M., Canetti, R., rawczyk,.: eying hash functions for message authentication. In: oblitz, N. (ed.) CRYPTO 96. LNCS, vol. 1109, pp Springer (1996) 6. Brown, D.R., Gjøsteen,.: A security analysis of the NIST SP elliptic curve random number generator. In: Menezes, A. (ed.) CRYPTO LNCS, vol. 4622, pp Springer (2007) 7. Campagna, M.J.: Security bounds for the NIST codebookbased deterministic random bit generator. Cryptology eprint Archive: Report 2006/379, iacr.org/ 8. Desai, A., evia, A., Yin, Y.L.: A practiceoriented treatment of pseudorandom number generators. In: nudsen, L.R. (ed.) EUROCRYPT LNCS, vol. 2332, pp Springer (2002) 9. an, W.: Analysis of underlying assumptions in NIST DRBGs. Cryptology eprint Archive: Report 2007/345, elsey, J., Schneier, B., Wagner, D., all, C.: Cryptanalytic attacks on pseudorandom number generators. In: audenay, S. (ed.) FSE 98. LNCS, vol. 1372, pp Springer (1998) 11. U.S. Department of Commerce/National Institute of Standards and Technology. Digital signature standard (DSS). Federal Information Processing Standards Publication (+Change Notice) (2000) A The Instantiate and Reseed Algorithms of MAC DRBG The internal state of MAC DRBG includes {0, 1} n, {0, 1} n, and a reseed counter d. data is the entropy source. adin is an optional additional input. The Instantiate Algorithm. The instantiate algorithm Instantiate is described as follows: Instantiate(data, nonce, adin): 1. seed = data nonce adin 2. = 0x = 0x (, ) = Update(seed,, ) 5. d = 1 6. Return (, ) and d. If adin is not supported, then the first step of the procedure is replaced by seed = data nonce.
15 Security Analysis of DRBG Using MAC in NIST SP The Reseed Algorithm. The reseed algorithm Reseed is described as follows: Reseed(,, d, data, adin): 1. seed = data adin 2. (, ) = Update(seed,, ) 3. d = 1 4. Return (, ) and d. The input (, ) to Reseed is given by the latest Generate. If adin is not supported, then the first step of the procedure is replaced by seed = data.
Network Security. Chapter 6 Random Number Generation
Network Security Chapter 6 Random Number Generation 1 Tasks of Key Management (1)! Generation:! It is crucial to security, that keys are generated with a truly random or at least a pseudorandom generation
More informationThe NIST SP 80090A Deterministic Random Bit Generator Validation System (DRBGVS)
The NIST SP 80090A Deterministic Random Bit Generator Validation System (DRBGVS) Updated: March 21, 2012 Previous Update: September 2, 2011 Original: March 10, 2009 Timothy A. Hall National Institute
More informationYale University Department of Computer Science
Yale University Department of Computer Science On Backtracking Resistance in Pseudorandom Bit Generation (preliminary version) Michael J. Fischer Michael S. Paterson Ewa Syta YALEU/DCS/TR1466 October
More informationC O M P U T E R S E C U R I T Y
NIST Special Publication 80056C Recommendation for Key Derivation through ExtractionthenExpansion Lily Chen Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T
More informationComparison of CBC MAC Variants and Comments on NIST s Consultation Paper
Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper Tetsu Iwata Department of Computer and Information Sciences, Ibaraki University 4 12 1 Nakanarusawa, Hitachi, Ibaraki 3168511,
More informationRecommendation for Applications Using Approved Hash Algorithms
NIST Special Publication 800107 Recommendation for Applications Using Approved Hash Algorithms Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y February
More informationLecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture  PRGs for one time pads
CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs
More informationMACs Message authentication and integrity. Table of contents
MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and
More informationLecture 9  Message Authentication Codes
Lecture 9  Message Authentication Codes Boaz Barak March 1, 2010 Reading: BonehShoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,
More informationOn the Security of the CCM Encryption Mode and of a Slight Variant
On the Security of the CCM Encryption Mode and of a Slight Variant PierreAlain Fouque 1 and Gwenaëlle Martinet 2 and Frédéric Valette 3 and Sébastien Zimmer 1 1 École normale supérieure, 45 rue d Ulm,
More informationOn the Security of CTR + CBCMAC
On the Security of CTR + CBCMAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBCMAC (CCM) encryption mode.
More informationNetwork Security. Chapter 6 Random Number Generation. Prof. Dr.Ing. Georg Carle
Network Security Chapter 6 Random Number Generation Prof. Dr.Ing. Georg Carle Chair for Computer Networks & Internet WilhelmSchickardInstitute for Computer Science University of Tübingen http://net.informatik.unituebingen.de/
More informationRandomized Hashing for Digital Signatures
NIST Special Publication 800106 Randomized Hashing for Digital Signatures Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y February 2009 U.S. Department
More informationLecture 5  CPA security, Pseudorandom functions
Lecture 5  CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.
More informationImproved Online/Offline Signature Schemes
Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion
More informationVictor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract
Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct
More information1 Message Authentication
Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions
More informationOutline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures
Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike
More informationProvableSecurity Analysis of Authenticated Encryption in Kerberos
ProvableSecurity Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 303320765
More informationBreaking Generalized DiffieHellman Modulo a Composite is no Easier than Factoring
Breaking Generalized DiffieHellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The DiffieHellman keyexchange protocol may naturally be extended to k > 2
More informationInternational Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013
FACTORING CRYPTOSYSTEM MODULI WHEN THE COFACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II MohammediaCasablanca,
More informationNonBlackBox Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak
NonBlackBox Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a
More informationRecommendation for Cryptographic Key Generation
NIST Special Publication 800133 Recommendation for Cryptographic Key Generation Elaine Barker Allen Roginsky http://dx.doi.org/10.6028/nist.sp.800133 C O M P U T E R S E C U R I T Y NIST Special Publication
More informationAuthentication requirement Authentication function MAC Hash function Security of
UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy
More informationComputational Soundness of Symbolic Security and Implicit Complexity
Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 37, 2013 Overview
More informationRecommendation for Applications Using Approved Hash Algorithms
NIST Special Publication 800107 Revision 1 Recommendation for Applications Using Approved Hash Algorithms Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C
More informationThe Misuse of RC4 in Microsoft Word and Excel
The Misuse of RC4 in Microsoft Word and Excel Hongjun Wu Institute for Infocomm Research, Singapore hongjun@i2r.astar.edu.sg Abstract. In this report, we point out a serious security flaw in Microsoft
More informationUniversal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure PublicKey Encryption
Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure PublicKey Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical publickey
More informationARCHIVED PUBLICATION
ARCHIVED PUBLICATION The attached publication, FIPS Publication 1863 (dated June 2009), was superseded on July 19, 2013 and is provided here only for historical purposes. For the most current revision
More informationSpecification of Cryptographic Technique PCMACAES. NEC Corporation
Specification of Cryptographic Technique PCMACAS NC Corporation Contents 1 Contents 1 Design Criteria 2 2 Specification 2 2.1 Notations............................................. 2 2.2 Basic Functions..........................................
More information1 Construction of CCAsecure encryption
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of secure encryption We now show how the MAC can be applied to obtain a secure encryption scheme.
More informationTransitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
NIST Special Publication 800131A Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths Elaine Barker and Allen Roginsky Computer Security Division Information
More informationConcrete Security of the BlumBlumShub Pseudorandom Generator
Appears in Cryptography and Coding: 10th IMA International Conference, Lecture Notes in Computer Science 3796 (2005) 355 375. SpringerVerlag. Concrete Security of the BlumBlumShub Pseudorandom Generator
More informationDigital Signature Standard (DSS)
FIPS PUB 1864 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Digital Signature Standard (DSS) CATEGORY: COMPUTER SECURITY SUBCATEGORY: CRYPTOGRAPHY Information Technology Laboratory National Institute
More informationThe KeyedHash Message Authentication Code (HMAC)
FIPS PUB 1981 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION The KeyedHash Message Authentication Code (HMAC) CATEGORY: COMPUTER SECURITY SUBCATEGORY: CRYPTOGRAPHY Information Technology Laboratory
More informationA Factoring and Discrete Logarithm based Cryptosystem
Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511517 HIKARI Ltd, www.mhikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques
More informationSecurity Analysis for Order Preserving Encryption Schemes
Security Analysis for Order Preserving Encryption Schemes Liangliang Xiao University of Texas at Dallas Email: xll052000@utdallas.edu Osbert Bastani Harvard University Email: obastani@fas.harvard.edu ILing
More informationCh.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis
Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography
More informationMESSAGE AUTHENTICATION IN AN IDENTITYBASED ENCRYPTION SCHEME: 1KEYENCRYPTTHENMAC
MESSAGE AUTHENTICATION IN AN IDENTITYBASED ENCRYPTION SCHEME: 1KEYENCRYPTTHENMAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial
More informationIdentityBased Encryption from the Weil Pairing
Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages
More informationLength extension attack on narrowpipe SHA3 candidates
Length extension attack on narrowpipe SHA3 candidates Danilo Gligoroski Department of Telematics, Norwegian University of Science and Technology, O.S.Bragstads plass 2B, N7491 Trondheim, NORWAY danilo.gligoroski@item.ntnu.no
More informationRemotely Keyed Encryption Using NonEncrypting Smart Cards
THE ADVANCED COMPUTING SYSTEMS ASSOCIATION The following paper was originally published in the USENIX Workshop on Smartcard Technology Chicago, Illinois, USA, May 10 11, 1999 Remotely Keyed Encryption
More informationRecommendation for PairWise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised)
NIST Special Publication 80056A Recommendation for PairWise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised) Elaine Barker, Don Johnson, and Miles Smid C O M P U T E R S E C
More informationSecurity Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012
Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database
More informationCryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs
Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a
More informationCapture Resilient ElGamal Signature Protocols
Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department
More informationA New Generic Digital Signature Algorithm
Groups Complex. Cryptol.? (????), 1 16 DOI 10.1515/GCC.????.??? de Gruyter???? A New Generic Digital Signature Algorithm Jennifer Seberry, Vinhbuu To and Dongvu Tonien Abstract. In this paper, we study
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 20 PublicKey Cryptography and Message Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown PublicKey Cryptography
More informationThe Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)
The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication
More informationLecture 13: Message Authentication Codes
Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts
More informationNew Efficient Searchable Encryption Schemes from Bilinear Pairings
International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang
More informationCUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631
Cunsheng DING, HKUST Lecture 08: Key Management for Onekey Ciphers Topics of this Lecture 1. The generation and distribution of secret keys. 2. A key distribution protocol with a key distribution center.
More informationCMSS An Improved Merkle Signature Scheme
CMSS An Improved Merkle Signature Scheme Johannes Buchmann 1, Luis Carlos Coronado García 2, Erik Dahmen 1, Martin Döring 1, and Elena Klintsevich 1 1 Technische Universität Darmstadt Department of Computer
More informationInformation Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay
Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay Lecture  17 ShannonFanoElias Coding and Introduction to Arithmetic Coding
More informationMessage Authentication Code
Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBCMAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44
More informationCryptographic Hash Functions Message Authentication Digital Signatures
Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBCMAC Digital signatures 2 Encryption/Decryption
More informationETSI TS 102 1762 V1.2.1 (200507)
TS 102 1762 V1.2.1 (200507) Technical Specification Electronic Signatures and Infrastructures (ESI); Algorithms and Parameters for Secure Electronic Signatures; Part 2: Secure channel protocols and algorithms
More informationA New and Efficient Signature on Commitment Values
International Journal of Network Security, Vol.7, No., PP.0 06, July 2008 0 A New and Efficient Signature on Commitment Values Fangguo Zhang,3, Xiaofeng Chen 2,3, Yi Mu 4, and Willy Susilo 4 (Corresponding
More informationA novel deniable authentication protocol using generalized ElGamal signature scheme
Information Sciences 177 (2007) 1376 1381 www.elsevier.com/locate/ins A novel deniable authentication protocol using generalized ElGamal signature scheme WeiBin Lee a, ChiaChun Wu a, WoeiJiunn Tsaur
More informationAn Approach to Shorten Digital Signature Length
Computer Science Journal of Moldova, vol.14, no.342, 2006 An Approach to Shorten Digital Signature Length Nikolay A. Moldovyan Abstract A new method is proposed to design short signature schemes based
More informationAlgorithms and Parameters for Secure Electronic Signatures V.1.44 DRAFT May 4 th., 2001
Title: Algorithms and Parameters for Secure Electronic Signatures Source: This document is the outcome of the work of the Algorithms group (ALGO) working under the umbrella of  SG (European Electronic
More informationEfficient Unlinkable Secret Handshakes for Anonymous Communications
보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 Efficient Unlinkable Secret Handshakes for Anonymous Communications EunKyung Ryu 1), KeeYoung Yoo 2), KeumSook Ha 3) Abstract The technique
More informationMessage Authentication Codes 133
Message Authentication Codes 133 CLAIM 4.8 Pr[Macforge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomialtime adversary A who attacks the fixedlength MAC Π and succeeds in
More informationStrengthening Digital Signatures via Randomized Hashing
Strengthening Digital Signatures via Randomized Hashing Shai Halevi Hugo Krawczyk January 30, 2007 Abstract We propose randomized hashing as a mode of operation for cryptographic hash functions intended
More informationMTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic
More information1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.
1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks
More informationGCMSIV: Full Nonce MisuseResistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell BarIlan University
GCMSIV: Full Nonce MisuseResistant Authenticated Encryption at Under One Cycle per Byte Shay Gueron Haifa Univ. and Intel Yehuda Lindell BarIlan University Appeared at ACM CCS 2015 How to Encrypt with
More informationPredictive Models for MinEntropy Estimation
Predictive Models for MinEntropy Estimation John Kelsey Kerry A. McKay Meltem Sönmez Turan National Institute of Standards and Technology meltem.turan@nist.gov September 15, 2015 Overview Cryptographic
More informationIntroduction. Digital Signature
Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology
More informationOneWay Encryption and Message Authentication
OneWay Encryption and Message Authentication Cryptographic Hash Functions Johannes Mittmann mittmann@in.tum.de Zentrum Mathematik Technische Universität München (TUM) 3 rd Joint Advanced Student School
More informationRecommendation for Digital Signature Timeliness
NIST Special Publication 800102 Recommendation for Digital Signature Timeliness Elaine Barker Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y September 2009
More informationLimits of Computational Differential Privacy in the Client/Server Setting
Limits of Computational Differential Privacy in the Client/Server Setting Adam Groce, Jonathan Katz, and Arkady Yerukhimovich Dept. of Computer Science University of Maryland {agroce, jkatz, arkady}@cs.umd.edu
More informationCryptography in AllJoyn
Cryptography in AllJoyn Greg Zaverucha Software Engineer, Microsoft 10 November 2015 AllSeen Alliance 1 Agenda 1. Review of AllJoyn security features 2. Authentication and security protocols 3. Comparison
More informationCS 393 Network Security. Nasir Memon Polytechnic University Module 11 Secure Email
CS 393 Network Security Nasir Memon Polytechnic University Module 11 Secure Email Course Logistics HW 5 due Thursday Graded exams returned and discussed. Read Chapter 5 of text 4/2/02 Module 11  Secure
More informationSecurity Arguments for Digital Signatures and Blind Signatures
Journal of Cryptology, Volume 13, Number 3. Pages 361 396, SpringerVerlag, 2000. 2000 International Association for Cryptologic Research Security Arguments for Digital Signatures and Blind Signatures
More informationTalk announcement please consider attending!
Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically
More informationSimulationBased Security with Inexhaustible Interactive Turing Machines
SimulationBased Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik ChristianAlbrechtsUniversität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.unikiel.de
More informationNotes from Week 1: Algorithms for sequential prediction
CS 683 Learning, Games, and Electronic Markets Spring 2007 Notes from Week 1: Algorithms for sequential prediction Instructor: Robert Kleinberg 2226 Jan 2007 1 Introduction In this course we will be looking
More informationSkyRecon Cryptographic Module (SCM)
SkyRecon Cryptographic Module (SCM) FIPS 1402 Documentation: Security Policy Abstract This document specifies the security policy for the SkyRecon Cryptographic Module (SCM) as described in FIPS PUB 1402.
More informationSECURITY IMPROVMENTS TO THE DIFFIEHELLMAN SCHEMES
www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIEHELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,
More informationOverview of Cryptographic Tools for Data Security. Murat Kantarcioglu
UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the
More informationSD12 REPLACES: N19780
ISO/IEC JTC 1/SC 27 N13432 ISO/IEC JTC 1/SC 27 Information technology  Security techniques Secretariat: DIN, Germany SD12 REPLACES: N19780 DOC TYPE: TITLE: Standing document ISO/IEC JTC 1/SC 27 Standing
More informationEXAM questions for the course TTM4135  Information Security May 2013. Part 1
EXAM questions for the course TTM4135  Information Security May 2013 Part 1 This part consists of 5 questions all from one common topic. The number of maximal points for every correctly answered question
More informationNational Security Agency Perspective on Key Management
National Security Agency Perspective on Key Management IEEE Key Management Summit 5 May 2010 Petrina Gillman Information Assurance (IA) Infrastructure Development & Operations Technical Director National
More informationAdvanced Cryptography
Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.
More informationLeakageResilient Authentication and Encryption from Symmetric Cryptographic Primitives
LeakageResilient Authentication and Encryption from Symmetric Cryptographic Primitives Olivier Pereira Université catholique de Louvain ICTEAM Crypto Group B1348, Belgium olivier.pereira@uclouvain.be
More informationAn Improved Authentication Protocol for Session Initiation Protocol Using Smart Card and Elliptic Curve Cryptography
ROMANIAN JOURNAL OF INFORMATION SCIENCE AND TECHNOLOGY Volume 16, Number 4, 2013, 324 335 An Improved Authentication Protocol for Session Initiation Protocol Using Smart Card and Elliptic Curve Cryptography
More informationStronger Security Bounds for OMAC, TMAC and XCBC
Stronger Security Bounds for OMAC, MAC and XCBC etsu Iwata Kaoru Kurosawa Department of Computer and Information Sciences, Ibaraki University 4 1 1 Nakanarusawa, Hitachi, Ibaraki 3168511, Japan {iwata,
More informationHashbased Digital Signature Schemes
Hashbased Digital Signature Schemes Johannes Buchmann Erik Dahmen Michael Szydlo October 29, 2008 Contents 1 Introduction 2 2 Hash based onetime signature schemes 3 2.1 Lamport Diffie onetime signature
More informationTamperEvident Digital Signatures: Protecting Certification Authorities Against Malware
TamperEvident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Dept. of Computer Science Indiana Univ. at Bloomington Bloomington, IN 47405 Philippe Golle Palo Alto
More informationChapter 3. Network Domain Security
Communication System Security, Chapter 3, Draft, L.D. Chen and G. Gong, 2008 1 Chapter 3. Network Domain Security A network can be considered as the physical resource for a communication system. This chapter
More informationDemocratic Group Signatures on Example of Joint Ventures
Democratic Group Signatures on Example of Joint Ventures Mark Manulis HorstGörtz Institute RuhrUniversity of Bochum D44801, Germany EMail: mark.manulis@rub.de Abstract. In the presence of economic globalization
More informationImplementation of Elliptic Curve Digital Signature Algorithm
Implementation of Elliptic Curve Digital Signature Algorithm Aqeel Khalique Kuldip Singh Sandeep Sood Department of Electronics & Computer Engineering, Indian Institute of Technology Roorkee Roorkee, India
More informationIndifferentiability Security of the Fast Wide Pipe Hash: Breaking the Birthday Barrier
Indifferentiability Security of the Fast Wide Pipe Hash: Breaking the Birthday Barrier Dustin Moody Souradyuti Paul Daniel SmithTone Abstract A hash function secure in the indifferentiability framework
More informationNEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES
NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES Ounasser Abid 1, Jaouad Ettanfouhi 2 and Omar Khadir 3 1,2,3 Laboratory of Mathematics, Cryptography and Mechanics, Department of Mathematics, Fstm,
More informationAnalysis of a Database and Index Encryption Scheme Problems and Fixes
Analysis of a Database and Index Encryption Scheme Problems and Fixes Ulrich Kühn Deutsche Telekom Laboratories Technische Universität Berlin, Germany ukuehn@acm.org Abstract. The database encryption scheme
More informationDIGITAL SIGNATURES 1/1
DIGITAL SIGNATURES 1/1 Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob 2/1 Signing electronically Bank Internet SIGFILE } {{ } 101 1 ALICE Pay Bob $100 scan
More informationElliptic Curve Hash (and Sign)
Elliptic Curve Hash (and Sign) (and the 1up problem for ECDSA) Daniel R. L. Brown Certicom Research ECC 2008, Utrecht, Sep 2224 2008 Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 1 / 43
More information