# Security Analysis of DRBG Using HMAC in NIST SP

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 Security Analysis of DRBG Using MAC in NIST SP Shoichi irose Graduate School of Engineering, University of Fukui hrs Abstract. MAC DRBG is a deterministic random bit generator using MAC specified in NIST SP The document claims that MAC DRBG is a pseudorandom bit generator if MAC is a pseudorandom function. owever, no proof is given in the document. This article provides a security analysis of MAC DRBG and confirms the claim. ey words: NIST SP , pseudorandom bit generator, MAC, pseudorandom function 1 Introduction Background. Random bits are indispensable to every cryptographic application. owever, it is not easy to prepare sufficient amount of truly random bits in general. Thus, most applications use a cryptographic mechanism that is called a pseudorandom bit generator (PRBG). It stretches a short sequence of random bits to a long sequence of bits that are indistinguishable from truly random bits in practice. MAC DRBG is a deterministic random bit generator (DRBG) specified in NIST SP [3]. It is claimed in NIST SP that MAC DRBG is a PRBG if MAC is a pseudorandom function (PRF). owever, no proof is made public as far as the authors know. Contribution. This article presents a security analysis of MAC DRBG. The result supports the claim in NIST SP mentioned above. This article does not provide new techniques and just uses well-known ones in the analysis. In spite of this fact, the contribution of this paper is still important since MAC DRBG is expected to be widely used in practice. MAC DRBG consists of three algorithms. They are instantiate, reseed and generate algorithms. The instantiate/reseed algorithm is used to produce/refresh a secret key. The generate algorithm produces a binary sequence from a secret key given by the instantiate or reseed algorithms. This article gives a proof for the pseudorandomness of MAC DRBG on the assumption that the instantiate and reseed algorithms are ideal. Namely, a secret key given to the generate algorithm is selected uniformly at random by each of them.

2 2 S. irose Related Work. NIST SP specifies four DRBG mechanisms: ash DRBG, MAC DRBG, CTR DRBG and Dual EC DRBG. ash DRBG and MAC DRBG are based on hash functions. CTR DRBG uses a block cipher in the counter mode. Dual EC DRBG is based on the elliptic curve discrete logarithm problem. A security analysis of these DRBGs was presented in [9]. owever, the discussion was quite informal. A security analysis of CTR DRBG was also presented in [7]. Brown and Gjøsteen [6] provided a detailed security analysis of Dual EC DRBG. There also exist some other approved DRBGs in ANSI X.9.31 [2], ANSI X [1] and FIPS PUB [11]. The security of these algorithms was discussed in [8] and [10]. MAC was proposed by Bellare, Canetti and rawczyk [5]. It was proved to be a PRF on the assumption that the compression function of the underlying iterated hash function is a PRF with two keying strategies[4]. Actually, MAC is used as a PRF in many cryptographic schemes. Organization. This article is organized as follows. Definitions of a pseudorandom bit generator and a pseudorandom function are given in Sect. 2. A description of MAC DRBG is presented in Sect. 3. Results on security analysis of MAC DRBG are shown in Sect. 4. Concluding remarks are given in Sect Preliminaries Let a \$ A represent that an element a is selected uniformly at random from a set A. 2.1 A Pseudorandom Bit Generator Let G be a function such that G : {0, 1} n {0, 1} l. Let D be a probabilistic algorithm which outputs 0 or 1 for a given input in {0, 1} l. The goal of D is to tell whether a given input is G(k) for k selected uniformly at random or it is selected uniformly at random. The advantage of D against G is defined as follows: Pr[D(G(k)) G (D) = \$ = 1 k {0, 1} n ] Pr[D(s) = 1 s \$ {0, 1} l ], where the probabilities are taken over the coin tosses by D and the uniform distributions on {0, 1} n or {0, 1} l. G is called a pseudorandom bit generator (PRBG) if l > n and G (D) is negligible for any efficient D. 2.2 A Pseudorandom Function Let be a keyed function such that : D R, where is a key space, D is a domain, and R is a range. (k, ) is denoted by k ( ). Let A be a probabilistic algorithm which has oracle access to a function from D to R. The goal of A is to tell whether the oracle is k for k selected uniformly at random or it is a

3 Security Analysis of DRBG Using MAC in NIST SP function selected uniformly at random. A first asks elements in D and obtains the corresponding elements in R with respect to the function, and then outputs 0 or 1. A makes the queries adaptively: A makes a new query after receiving an answer to the current query. Let F be the set of all functions from D to R. The advantage of A for is defined as follows: Adv prf Pr[A (A) = k = 1 k \$ ] Pr[A ρ = 1 ρ \$ F ], where the probabilities are taken over the coin tosses by A and the uniform distributions on or F. is called a pseudorandom function (PRF) if Adv prf (A) is negligible for any efficient A. 3 MAC DRBG MAC DRBG is a DRBG using MAC in NIST SP [3]. It consists of three algorithms: an instantiate algorithm, a reseed algorithm and a generate algorithm. The instantiate algorithm is used to produce a secret key. The reseed algorithm is used to refresh it. These algorithms are out of the scope of the article. They also use MAC to produce the secret keys. owever, the security of the outputs is not based on the secrecy and randomness of the keys given to MAC but the data given to MAC via message input. From this viewpoint, we may say that they abuse MAC. We only assume that the keys produced by the instantiate and reseed algorithms are ideal. Namely, we assume that a secret key given to the generate algorithm is selected uniformly at random. The generate algorithm produces a binary sequence for a given secret key. A description of this algorithm is given in the following part. The instantiate and reseed algorithms are given in Appendix A for reference. Notation. MAC is simply denoted by. Let n denote the output length of. Let null denote an empty sequence. Concatenation of binary sequences x and y is denoted by x y. The symbol is sometimes omitted. 3.1 Internal State The internal state of MAC DRBG includes {0, 1} n, {0, 1} n, and a reseed counter d 1. and are assumed to be secret. The reseed counter d is an integer variable indicating the number of requests for pseudorandom bits since instantiation or reseeding. 3.2 The Function Update The function Update is used in the generate algorithm to produce a secret key (, ) for the next invocation of the generate algorithm. It is described as follows.

4 4 S. irose Update(,, adin): 1. = (, 0x00 adin) 2. = (, ) 3. If adin = null, then return (, ) 4. = (, 0x01 adin) 5. = (, ) 6. Return (, ) adin is an optional additional input. Update is shown in Fig. 1. 0x00 (a) If adin is an empty sequence 0x00 adin 0x01 adin (b) If adin is not an empty sequence Fig. 1. The function Update 3.3 The Algorithm Generate The generate algorithm Generate produces a binary sequence s for given secret (, ) and an optional additional input adin. It is described as follows.

5 Security Analysis of DRBG Using MAC in NIST SP Generate(,, adin): 1. If d > w, then return an indication that a reseed is required. 2. (, ) = Update(,, adin) if adin null 3. tmp = null 4. While tmp < l do: (a) = (, ) (b) tmp = tmp 5. s = the leftmost l bits of tmp 6. (, ) = Update(,, adin) 7. d = d Return s and (, ) The maximum sizes of parameters are given in Table 1. w is called a reseed interval. It represents the total number of requests for pseudorandom bits between reseeding. If adin is not supported, then the step 6 is executed with adin = null. Generate is given in Fig. 2. null Update adin s (a) If adin is not given or not supported Update Update s (b) If adin is given Fig. 2. The algorithm Generate. The update of the reseed counter d is omitted.

6 6 S. irose Table 1. The maximum sizes of parameters parameter maximum size adin 2 35 bits l 2 19 bits w Security Analysis For simplicity, we assume that l is a multiple of n. Thus, the output length of Generate is l+2n. We analyze the security of a generator G : {0, 1} 2n {0, 1} wl defined as follows: G(, ): 1. ( 0, 0 ) = (, ) 2. s = null 3. for i = 1 to w do (a) (s i, i, i ) = Generate( i 1, i 1, adin i 1 ) (b) s = s s i (c) Return s We make adin i implicit in the notation of G(, ), because the analysis given in the remaining parts does not depend on the value of adin i. It depends only on whether adin i = null or not. 4.1 If adin = null First, notice that we cannot prove the pseudorandomness of G directly from that of Generate. Generate is not a PRBG if adin = null. Let q = l/n and Generate(, ) = s 1 s 2 s q, where s j {0, 1} n for 1 j q. Then, = (s q ). Thus, it is easy to distinguish s 1 s 2 s q from a truly random sequence of length l + 2n. We introduce two generators G 01 and G 02. G 01 : {0, 1} 2n {0, 1} l+2n is described as follows: G 01 (, ): 1. s = 2. tmp = null 3. While tmp < l do: (a) = (, ) (b) tmp = tmp 4. s = s tmp 5. = (, 0x00) 6. s = s 7. Return s

7 Security Analysis of DRBG Using MAC in NIST SP G 02 : {0, 1} 2n {0, 1} l+3n is described as follows: G 02 (, ) : 1. s = 2. = (, ) 3. s = s G 01 (, ) 4. Return s The only difference between G 01 and G 02 is that G 02 calls MAC more than G 01 by one time. Let G 0 : {0, 1} 2n {0, 1} w(l+n)+n be a generator which, for a given (, ), produces a sequence { s 1 0 s 1 1 s 1 q+1 if w = 1 s 1 0s 1 1 s 1 q 1 s 2 1s 2 0 s 2 q 1 s w 1 1 sw 1 0 s w 1 q 1 sw 1s w 0 s w q+1 if w 2, where 1. s i j {0, 1}n, 2. s 1 0s 1 1 s 1 q+1 = G 01 (, ), and 3. s i 1s i 0s i 1 s i q+1 = G 02 (s i 1 q+1, si 1 q ) for 2 i w. A diagram of G 0 is given in Fig. 3. Notice that G(, ) is a part of G 0 (, ). It is obvious if w = 1. For w 2, G(, ) = s 1 1s 1 2 s 1 q 1 s 2 1s 2 1s 2 2 s 2 q 1 s 1 w 1 sw 1 1 s w 1 2 s w 1 q 1 sw 1s w 1 s w 2 s w q = s 1 1s 1 2 s 1 q s 2 1s 2 2 s 2 q s w 1 1 s2 w 1 s w 1 q s w 1 s w 2 s w q, where s i+1 1 = si q for 1 i w 1. Thus, G is a PRBG if G 0 is a PRBG. We will discuss the security of G 0 in the remaining part. c c G 01 G 02 G 02 G Fig. 3. A diagram of the generator G 0. c represents the concatenation with 0x00. The Update functions are surrounded by dashed rectangles. We first show that both G 01 and G 02 are PRBGs if MAC is a PRF. For an algorithm A, let t A be the running time of A.

8 8 S. irose Lemma 1. Let D be a distinguisher for G 01 which runs in t D. Then, there exists an adversary A for MAC such that G 01 (D) Adv prf q(q 1) MAC (A) + 2 n+1. A runs in t D + O(l) and asks at most q + 1 queries. Proof. Let F,n be the set of all functions from {0, 1} to {0, 1} n. Let Ĝ01(ρ, ) be a generator obtained from G 01 by replacing MAC with a function ρ F,n. Let Then, P 0 = Pr[D(s) = 1 (, ) \$ {0, 1} 2n s G 01 (, )], P 1 = Pr[D(s) = 1 ρ \$ F,n \$ {0, 1} n s Ĝ01(ρ, )], P 2 = Pr[D(s) = 1 s \$ {0, 1} l+2n ]. G (D) = P 0 P 2 P 0 P 1 + P 1 P 2. Let Ĝ01(ρ, ) = ŝ 0 ŝ 1 ŝ q+1, where ŝ j {0, 1} n for 0 j q + 1. If ρ \$ F,n, then Ĝ01(ρ, ) and a random sequence of length l + 2 n is completely indistinguishable as far as ŝ j1 ŝ j2 for every j 1 and j 2 such that 0 j 1 < j 2 q 1. Notice that ŝ j ŝ q 0x00 for every 0 j q 1. Thus, P 1 P 2 q(q 1) 2 n+1. On the other hand, for P 0 P 1, it is easy to see that we can construct an adversary A for MAC, using D as a subroutine, such that Adv prf MAC (A) P 0 P 1, where A runs in t D + O(l) and asks at most q + 1 queries. Lemma 2. Let D be a distinguisher for G 02 which runs in t D. Then, there exists an adversary A such that G 02 (D) Adv prf q(q + 1) MAC (A) + 2 n+1. A runs in t D + O(l) and asks at most q + 2 queries. Proof. The proof is similar to that of Lemma 1. For w 2, let G (w 1) 02 be a generator which calls G 02 (w 1) times successively. Namely, G (w 1) 02 (s 1 q+1, s 1 q) = s 2 1s 2 0 s 2 q 1 s w 1 1 sw 1 0 s w 1 q 1 sw 1s w 0 s w q+1.

9 Security Analysis of DRBG Using MAC in NIST SP Lemma 3. Let D be a distinguisher for G (w 1) 02 which runs in t D. Then, there exists a distinguisher D of G 02 such that G (w 1) 02 D runs in t D + (w 2) t G02 + O(wl). (D) (w 1) G 02 (D ). Proof. For a given input s {0, 1} l+3n, the distinguisher D behaves as follows: 1. Select 2 r w uniformly at random. 2. If r 3, then select s 2 1s 2 0 s 2 q 1,..., s r 1 1 sr 1 0 s r 1 q 1 uniformly at random. 3. Let s r 1s r 0 s r q+1 = s. 4. If r < w, s i 1s i 0 s i q+1 = G 02 (s i 1 q ) for r + 1 i w. 5. Call D with s = s 2 1s 2 0 s 2 q 1 s w Output D s output. Then, q+1, si 1 sw 1 0 s w 1 q 1 sw 1s w 0 s w q+1. G 02 (D ) = Pr[D (G 02 (, )) = 1 (, ) \$ {0, 1} 2n ] Pr[D (s) = 1 s \$ {0, 1} l+3n ] = Pr[D(s) = 1 (, ) \$ {0, 1} 2n s G 02 (, )] Pr[D(s) = 1 s \$ {0, 1} l+3n ]. Pr[D(s) = 1 (, ) \$ {0, 1} 2n s G 02 (, )] w = Pr[r = u D(s) = 1 (, ) \$ {0, 1} 2n s G 02 (, )] = u=2 w u=2 Pr[D(s) = 1 (, ) \$ {0, 1} 2n s G 02 (, ) r = u] w 1 = Pr[D(s) = 1 (, ) \$ {0, 1} 2n s G (w 1) 02 (, )] + w 1 w Pr[D(s) = 1 (, ) \$ {0, 1} 2n s G 02 (, ) r = u] w 1 u=3. Pr[D(s) = 1 s \$ {0, 1} l+3n ] = w 1 u=2 Pr[D(s) = 1 s \$ {0, 1} l+3n r = u] w 1 + Pr[D(s) = 1 s \$ {0, 1} (w 1)(l+n)+2n ] w 1.

10 10 S. irose There may exist a better distinguisher for G 02 than D with the same running time. Thus, we have G 02 (D ) 1 w 1 Advprbg G (w 1) 02 (D). The running time of D is at most t D + (w 2) t G02 + O(wl). Lemma 4. Let D be a distinguisher for G 0 which runs in t D. Then, there exist distinguishers D for G 01 and D for G (w 1) 02 such that D runs in t D + t G (w 1) 02 Proof. Let G 0 (D) G 01 (D ) + G (w 1) 02 (D ). + O(wl), and D runs in t D + O(wl). P 0 = Pr[D(s) = 1 (, ) \$ {0, 1} 2n s G 0 (, )], P 1 = Pr[D(s) = 1 s 1 0 s 1 q+1 P 2 = Pr[D(s) = 1 s \$ {0, 1} w(l+n)+n ]. Then, there exist D and D such that \$ {0, 1} l+2n s s 1 0 s 1 q 1 G (w 1) 02 (s 1 q+1, s 1 q)], G 0 (D) = P 0 P 2 P 0 P 1 + P 1 P 2 The running time of D is t D + t (w 1) G 02 t D + O(wl). G 01 (D ) + G (w 1) 02 (D ). + O(wl). The running time of D is The following theorem directly follows from Lemmas 1, 2, 3 and 4. It implies that G 0 is a PRBG if MAC is a PRF. Theorem 1. Let D be a distinguisher for G 0 which runs in t D. Then, there exists an adversary A for MAC such that G 0 (D) w Adv prf wq(q + 1) MAC (A) + 2 n+1. A runs in t D + w(q + 2) t MAC + O(wl) and asks at most q + 2 queries, where the length of each query is at most n + 8. Remark 1. Suppose that SA-1 is the underlying hash function of MAC. Then, n = 160. Suppose that w = 2 48 and l = ( 2 19 ). Then, G 0 (D) 2 48 Adv prf MAC (A) , where A runs in time t D t MAC +O( ) and makes at most 2050 queries. The big-o notation is abused here. O( ) is upper bounded by c for some positive constant c.

11 Security Analysis of DRBG Using MAC in NIST SP Remark 2. Suppose that SA-256 is the underlying hash function of MAC. Then, n = 256. Suppose that w = 2 48 and l = Then, G 0 (D) 2 48 Adv prf MAC (A) , where A runs in time t D t MAC + O(2 67 ) and makes at most 2050 queries. 4.2 If adin null If adin null, then the analysis is similar but tedious. We first define several generators. Let g 10 : {0, 1} 2n {0, 1} 2n be a generator such that g 10 (, ) = (, 0x00 adin). Let g 11 : {0, 1} 2n {0, 1} 3n be a generator such that g 11 (, ) = s, where s is obtained as follows: 1. 1 = (, ) 2. 2 = (, 1 0x01 adin) 3. s = 1 2 Let g 12 : {0, 1} 2n {0, 1} 3n be a generator such that g 12 (, ) = s, where s is obtained as follows: 1. 1 = (, ) 2. 2 = (, 1 0x00 adin) 3. s = 1 2 The generators g 10, g 11 and g 12 are depicted in Fig. 4. Let G 10 : {0, 1} 2n {0, 1} l+3n be a generator equivalent to G 02 defined in the previous subsection. c0 c1 c0 g 10 g 11 g 12 Fig. 4. A diagram of the generators g 10, g 11 and g 12. The Update functions are surrounded by dashed rectangles. c0 represents the concatenation with 0x00 adin, and c1 represents the concatenation with 0x01 adin. Using the generators defined above, we further define two generators G 11 and G 12. G 11 : {0, 1} 2n {0, 1} l+4n is described as follows: G 11 (, ) = s 2 s 1 s q+1, where

12 12 S. irose = g 10 (, ) 2. s = g 11 ( 1, 1 ) 3. s 1 s 0 s q s q+1 = G 10 ( 2, 2 ) G 12 : {0, 1} 2n {0, 1} l+6n is described as follows: G 12 (, ) = s 4 s 3 s q+1, where 1. s = g 11 (, ) 2. s = g 12 ( 1, 1 ) 3. s = g 11 ( 2, 2 ) 4. s 1 s 0 s q s q+1 = G 10 ( 3, 3 ) Now, we are ready to discuss the pseudorandomness of G(, ). Let G 1 : {0, 1} 2n {0, 1} w(l+4n) be a generator which, for a given (, ), produces a sequence where { s 1 2 s 1 1 s 1 q+1 if w = 1 s 1 2s 1 1 s 1 q 1 s 2 4 s 2 q 1 s 4 w 1 s w 1 q 1 sw 4 s w q+1 if w 2, 1. s i j {0, 1}n, 2. s 1 2s 1 1 s 1 q+1 = G 11 (, ), and 3. s i 4 s i q+1 = G 12 (sq+1 i 1, si 1 q ) for 2 i w. Notice that G(, ) is a part of G 1 (, ). It is easy to see if w = 1. For w 2, G(, ) = s 1 1s 1 2 s 1 q 1 s 2 4s 2 1s 2 2 s 2 q 1 s w 1 4 sw 1 1 s w 1 2 s w 1 q 1 sw 4s w 1 s w 2 s w q+1 = s 1 1s 1 2 s 1 q s 2 1s 2 2 s 2 q s w 1 1 s w 1 2 s w 1 q s w 1 s w 2 s w q, where s i+1 4 = si q for 1 i w 1. Thus, we discuss the pseudorandomness of G 1 in the remaining part. We only present the results since the proofs are similar. Lemma 5. Let D be a distinguisher for g 10 which runs in t D. Then, there exists an adversary A for MAC such that A runs in t D + O(n) and asks 1 query. g 10 (D) Adv prf MAC (A). Lemma 6. Let g be g 11 or g 12. Let D be a distinguisher for g which runs in t D. Then, there exists an adversary A for MAC such that g (D) Adv prf MAC (A). A runs in t D + O(n) and asks at most 2 queries.

13 Security Analysis of DRBG Using MAC in NIST SP Lemma 7. Let D be a distinguisher for G 11 which runs in t D. Then, there exist D 0, D 1 and D such that g 10 G 11 (D) (D 0 ) + g 11 (D 1 ) + G 10 (D ). D 0 runs in t D + t g11 + t G10 + O(n). D 1 runs in t D + t G10 + O(n). D runs in t D + O(n). Lemma 8. Let D be a distinguisher for G 12 which runs in t D. Then, there exist D 1, D 2 and D such that g 11 G 12 (D) 2 (D 1 ) + g 12 (D 2 ) + G 10 (D ). D 1 runs in t D + t g11 + t g12 + t G10 + O(n). D 2 runs in t D + t g11 + t G10 + O(n). D runs in t D + O(n). The following theorem directly follows from Lemmas 5, 6, 7 and 8. It implies that G 1 is a PRBG if MAC is a pseudorandom function. Theorem 2. Let D be a distinguisher for G 1 which runs in t D. Then, there exist adversaries A 1 and A 2 such that G 1 (D) w Adv prf MAC (A 1) + 3 w Adv prf MAC (A wq(q 1) 2) + 2 n+1. A 1 runs in t D + w(q + 8) t MAC + O(wl) and asks at most q + 1 queries, and A 2 runs in t D + (w + 1)(q + 8) t MAC + O(wl) and asks at most 2 queries. 5 Conclusion We have shown that the binary sequence generation algorithm of MAC DRBG is a PRBG if MAC is a PRF. Future work includes analysis of the instantiate and reseed algorithms of MAC DRBG. Acknowledgements The author would like to thank anonymous reviewers for their valuable comments. This research was supported in part by the National Institute of Information and Communications Technology, Japan. References 1. American National Standards Institute. Public key cryptography for the financial services industry: The elliptic curve digital signature algorithm (ECDSA). ANSI X (1998) 2. American National Standards Institute. Digital signatures using reversible public key cryptography for the financial services industry (rdsa). ANSI X (1998)

14 14 S. irose 3. Barker, E., elsey, J.: Recommendation for random number generation using deterministic random bit generators (revised). NIST Special Publication (2007) 4. Bellare, M.: New proofs for NMAC and MAC: Security without collisionresistance. In: Dwork, C. (ed.) CRYPTO LNCS, vol. 4117, pp Springer (2006). The full version is Cryptology eprint Archive: Report 2006/043 at 5. Bellare, M., Canetti, R., rawczyk,.: eying hash functions for message authentication. In: oblitz, N. (ed.) CRYPTO 96. LNCS, vol. 1109, pp Springer (1996) 6. Brown, D.R., Gjøsteen,.: A security analysis of the NIST SP elliptic curve random number generator. In: Menezes, A. (ed.) CRYPTO LNCS, vol. 4622, pp Springer (2007) 7. Campagna, M.J.: Security bounds for the NIST codebook-based deterministic random bit generator. Cryptology eprint Archive: Report 2006/379, iacr.org/ 8. Desai, A., evia, A., Yin, Y.L.: A practice-oriented treatment of pseudorandom number generators. In: nudsen, L.R. (ed.) EUROCRYPT LNCS, vol. 2332, pp Springer (2002) 9. an, W.: Analysis of underlying assumptions in NIST DRBGs. Cryptology eprint Archive: Report 2007/345, elsey, J., Schneier, B., Wagner, D., all, C.: Cryptanalytic attacks on pseudorandom number generators. In: audenay, S. (ed.) FSE 98. LNCS, vol. 1372, pp Springer (1998) 11. U.S. Department of Commerce/National Institute of Standards and Technology. Digital signature standard (DSS). Federal Information Processing Standards Publication (+Change Notice) (2000) A The Instantiate and Reseed Algorithms of MAC DRBG The internal state of MAC DRBG includes {0, 1} n, {0, 1} n, and a reseed counter d. data is the entropy source. adin is an optional additional input. The Instantiate Algorithm. The instantiate algorithm Instantiate is described as follows: Instantiate(data, nonce, adin): 1. seed = data nonce adin 2. = 0x = 0x (, ) = Update(seed,, ) 5. d = 1 6. Return (, ) and d. If adin is not supported, then the first step of the procedure is replaced by seed = data nonce.

15 Security Analysis of DRBG Using MAC in NIST SP The Reseed Algorithm. The reseed algorithm Reseed is described as follows: Reseed(,, d, data, adin): 1. seed = data adin 2. (, ) = Update(seed,, ) 3. d = 1 4. Return (, ) and d. The input (, ) to Reseed is given by the latest Generate. If adin is not supported, then the first step of the procedure is replaced by seed = data.

### Network Security. Chapter 6 Random Number Generation

Network Security Chapter 6 Random Number Generation 1 Tasks of Key Management (1)! Generation:! It is crucial to security, that keys are generated with a truly random or at least a pseudo-random generation

### The NIST SP 800-90A Deterministic Random Bit Generator Validation System (DRBGVS)

The NIST SP 800-90A Deterministic Random Bit Generator Validation System (DRBGVS) Updated: March 21, 2012 Previous Update: September 2, 2011 Original: March 10, 2009 Timothy A. Hall National Institute

### Yale University Department of Computer Science

Yale University Department of Computer Science On Backtracking Resistance in Pseudorandom Bit Generation (preliminary version) Michael J. Fischer Michael S. Paterson Ewa Syta YALEU/DCS/TR-1466 October

### C O M P U T E R S E C U R I T Y

NIST Special Publication 800-56C Recommendation for Key Derivation through Extraction-then-Expansion Lily Chen Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T

### Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper

Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper Tetsu Iwata Department of Computer and Information Sciences, Ibaraki University 4 12 1 Nakanarusawa, Hitachi, Ibaraki 316-8511,

### Recommendation for Applications Using Approved Hash Algorithms

NIST Special Publication 800-107 Recommendation for Applications Using Approved Hash Algorithms Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y February

### Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### On the Security of the CCM Encryption Mode and of a Slight Variant

On the Security of the CCM Encryption Mode and of a Slight Variant Pierre-Alain Fouque 1 and Gwenaëlle Martinet 2 and Frédéric Valette 3 and Sébastien Zimmer 1 1 École normale supérieure, 45 rue d Ulm,

### On the Security of CTR + CBC-MAC

On the Security of CTR + CBC-MAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBC-MAC (CCM) encryption mode.

### Network Security. Chapter 6 Random Number Generation. Prof. Dr.-Ing. Georg Carle

Network Security Chapter 6 Random Number Generation Prof. Dr.-Ing. Georg Carle Chair for Computer Networks & Internet Wilhelm-Schickard-Institute for Computer Science University of Tübingen http://net.informatik.uni-tuebingen.de/

### Randomized Hashing for Digital Signatures

NIST Special Publication 800-106 Randomized Hashing for Digital Signatures Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y February 2009 U.S. Department

### Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

### Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

### Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

### SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct

### 1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

### Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

### Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

### Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

### International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

### Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

Non-Black-Box Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a

### Recommendation for Cryptographic Key Generation

NIST Special Publication 800-133 Recommendation for Cryptographic Key Generation Elaine Barker Allen Roginsky http://dx.doi.org/10.6028/nist.sp.800-133 C O M P U T E R S E C U R I T Y NIST Special Publication

### Authentication requirement Authentication function MAC Hash function Security of

UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy

### Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

### Recommendation for Applications Using Approved Hash Algorithms

NIST Special Publication 800-107 Revision 1 Recommendation for Applications Using Approved Hash Algorithms Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C

### The Misuse of RC4 in Microsoft Word and Excel

The Misuse of RC4 in Microsoft Word and Excel Hongjun Wu Institute for Infocomm Research, Singapore hongjun@i2r.a-star.edu.sg Abstract. In this report, we point out a serious security flaw in Microsoft

### Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

### ARCHIVED PUBLICATION

ARCHIVED PUBLICATION The attached publication, FIPS Publication 186-3 (dated June 2009), was superseded on July 19, 2013 and is provided here only for historical purposes. For the most current revision

### Specification of Cryptographic Technique PC-MAC-AES. NEC Corporation

Specification of Cryptographic Technique PC-MAC-AS NC Corporation Contents 1 Contents 1 Design Criteria 2 2 Specification 2 2.1 Notations............................................. 2 2.2 Basic Functions..........................................

### 1 Construction of CCA-secure encryption

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

### Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths

NIST Special Publication 800-131A Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths Elaine Barker and Allen Roginsky Computer Security Division Information

### Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

Appears in Cryptography and Coding: 10th IMA International Conference, Lecture Notes in Computer Science 3796 (2005) 355 375. Springer-Verlag. Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

### Digital Signature Standard (DSS)

FIPS PUB 186-4 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Digital Signature Standard (DSS) CATEGORY: COMPUTER SECURITY SUBCATEGORY: CRYPTOGRAPHY Information Technology Laboratory National Institute

### The Keyed-Hash Message Authentication Code (HMAC)

FIPS PUB 198-1 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION The Keyed-Hash Message Authentication Code (HMAC) CATEGORY: COMPUTER SECURITY SUBCATEGORY: CRYPTOGRAPHY Information Technology Laboratory

### A Factoring and Discrete Logarithm based Cryptosystem

Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511-517 HIKARI Ltd, www.m-hikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques

### Security Analysis for Order Preserving Encryption Schemes

Security Analysis for Order Preserving Encryption Schemes Liangliang Xiao University of Texas at Dallas Email: xll052000@utdallas.edu Osbert Bastani Harvard University Email: obastani@fas.harvard.edu I-Ling

### Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

### MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

### Identity-Based Encryption from the Weil Pairing

Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages

### Length extension attack on narrow-pipe SHA-3 candidates

Length extension attack on narrow-pipe SHA-3 candidates Danilo Gligoroski Department of Telematics, Norwegian University of Science and Technology, O.S.Bragstads plass 2B, N-7491 Trondheim, NORWAY danilo.gligoroski@item.ntnu.no

### Remotely Keyed Encryption Using Non-Encrypting Smart Cards

THE ADVANCED COMPUTING SYSTEMS ASSOCIATION The following paper was originally published in the USENIX Workshop on Smartcard Technology Chicago, Illinois, USA, May 10 11, 1999 Remotely Keyed Encryption

### Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised)

NIST Special Publication 800-56A Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised) Elaine Barker, Don Johnson, and Miles Smid C O M P U T E R S E C

### Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database

### Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

### Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

### A New Generic Digital Signature Algorithm

Groups Complex. Cryptol.? (????), 1 16 DOI 10.1515/GCC.????.??? de Gruyter???? A New Generic Digital Signature Algorithm Jennifer Seberry, Vinhbuu To and Dongvu Tonien Abstract. In this paper, we study

### Computer Security: Principles and Practice

Computer Security: Principles and Practice Chapter 20 Public-Key Cryptography and Message Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Public-Key Cryptography

### The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication

### Lecture 13: Message Authentication Codes

Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts

### New Efficient Searchable Encryption Schemes from Bilinear Pairings

International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang

### CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631

Cunsheng DING, HKUST Lecture 08: Key Management for One-key Ciphers Topics of this Lecture 1. The generation and distribution of secret keys. 2. A key distribution protocol with a key distribution center.

### CMSS An Improved Merkle Signature Scheme

CMSS An Improved Merkle Signature Scheme Johannes Buchmann 1, Luis Carlos Coronado García 2, Erik Dahmen 1, Martin Döring 1, and Elena Klintsevich 1 1 Technische Universität Darmstadt Department of Computer

### Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay

Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay Lecture - 17 Shannon-Fano-Elias Coding and Introduction to Arithmetic Coding

### Message Authentication Code

Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

### Cryptographic Hash Functions Message Authentication Digital Signatures

Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBC-MAC Digital signatures 2 Encryption/Decryption

### ETSI TS 102 176-2 V1.2.1 (2005-07)

TS 102 176-2 V1.2.1 (2005-07) Technical Specification Electronic Signatures and Infrastructures (ESI); Algorithms and Parameters for Secure Electronic Signatures; Part 2: Secure channel protocols and algorithms

### A New and Efficient Signature on Commitment Values

International Journal of Network Security, Vol.7, No., PP.0 06, July 2008 0 A New and Efficient Signature on Commitment Values Fangguo Zhang,3, Xiaofeng Chen 2,3, Yi Mu 4, and Willy Susilo 4 (Corresponding

### A novel deniable authentication protocol using generalized ElGamal signature scheme

Information Sciences 177 (2007) 1376 1381 www.elsevier.com/locate/ins A novel deniable authentication protocol using generalized ElGamal signature scheme Wei-Bin Lee a, Chia-Chun Wu a, Woei-Jiunn Tsaur

### An Approach to Shorten Digital Signature Length

Computer Science Journal of Moldova, vol.14, no.342, 2006 An Approach to Shorten Digital Signature Length Nikolay A. Moldovyan Abstract A new method is proposed to design short signature schemes based

### Algorithms and Parameters for Secure Electronic Signatures V.1.44 DRAFT May 4 th., 2001

Title: Algorithms and Parameters for Secure Electronic Signatures Source: This document is the outcome of the work of the Algorithms group (ALGO) working under the umbrella of - SG (European Electronic

### Efficient Unlinkable Secret Handshakes for Anonymous Communications

보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 Efficient Unlinkable Secret Handshakes for Anonymous Communications Eun-Kyung Ryu 1), Kee-Young Yoo 2), Keum-Sook Ha 3) Abstract The technique

### Message Authentication Codes 133

Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in

### Strengthening Digital Signatures via Randomized Hashing

Strengthening Digital Signatures via Randomized Hashing Shai Halevi Hugo Krawczyk January 30, 2007 Abstract We propose randomized hashing as a mode of operation for cryptographic hash functions intended

### MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

### 1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

### GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell Bar-Ilan University

GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte Shay Gueron Haifa Univ. and Intel Yehuda Lindell Bar-Ilan University Appeared at ACM CCS 2015 How to Encrypt with

### Predictive Models for Min-Entropy Estimation

Predictive Models for Min-Entropy Estimation John Kelsey Kerry A. McKay Meltem Sönmez Turan National Institute of Standards and Technology meltem.turan@nist.gov September 15, 2015 Overview Cryptographic

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### One-Way Encryption and Message Authentication

One-Way Encryption and Message Authentication Cryptographic Hash Functions Johannes Mittmann mittmann@in.tum.de Zentrum Mathematik Technische Universität München (TUM) 3 rd Joint Advanced Student School

### Recommendation for Digital Signature Timeliness

NIST Special Publication 800-102 Recommendation for Digital Signature Timeliness Elaine Barker Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y September 2009

### Limits of Computational Differential Privacy in the Client/Server Setting

Limits of Computational Differential Privacy in the Client/Server Setting Adam Groce, Jonathan Katz, and Arkady Yerukhimovich Dept. of Computer Science University of Maryland {agroce, jkatz, arkady}@cs.umd.edu

### Cryptography in AllJoyn

Cryptography in AllJoyn Greg Zaverucha Software Engineer, Microsoft 10 November 2015 AllSeen Alliance 1 Agenda 1. Review of AllJoyn security features 2. Authentication and security protocols 3. Comparison

### CS 393 Network Security. Nasir Memon Polytechnic University Module 11 Secure Email

CS 393 Network Security Nasir Memon Polytechnic University Module 11 Secure Email Course Logistics HW 5 due Thursday Graded exams returned and discussed. Read Chapter 5 of text 4/2/02 Module 11 - Secure

### Security Arguments for Digital Signatures and Blind Signatures

Journal of Cryptology, Volume 13, Number 3. Pages 361 396, Springer-Verlag, 2000. 2000 International Association for Cryptologic Research Security Arguments for Digital Signatures and Blind Signatures

### Talk announcement please consider attending!

Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

### Simulation-Based Security with Inexhaustible Interactive Turing Machines

Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de

### Notes from Week 1: Algorithms for sequential prediction

CS 683 Learning, Games, and Electronic Markets Spring 2007 Notes from Week 1: Algorithms for sequential prediction Instructor: Robert Kleinberg 22-26 Jan 2007 1 Introduction In this course we will be looking

### SkyRecon Cryptographic Module (SCM)

SkyRecon Cryptographic Module (SCM) FIPS 140-2 Documentation: Security Policy Abstract This document specifies the security policy for the SkyRecon Cryptographic Module (SCM) as described in FIPS PUB 140-2.

### SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,

### Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

### SD12 REPLACES: N19780

ISO/IEC JTC 1/SC 27 N13432 ISO/IEC JTC 1/SC 27 Information technology - Security techniques Secretariat: DIN, Germany SD12 REPLACES: N19780 DOC TYPE: TITLE: Standing document ISO/IEC JTC 1/SC 27 Standing

### EXAM questions for the course TTM4135 - Information Security May 2013. Part 1

EXAM questions for the course TTM4135 - Information Security May 2013 Part 1 This part consists of 5 questions all from one common topic. The number of maximal points for every correctly answered question

### National Security Agency Perspective on Key Management

National Security Agency Perspective on Key Management IEEE Key Management Summit 5 May 2010 Petrina Gillman Information Assurance (IA) Infrastructure Development & Operations Technical Director National

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

### Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives Olivier Pereira Université catholique de Louvain ICTEAM Crypto Group B-1348, Belgium olivier.pereira@uclouvain.be

### An Improved Authentication Protocol for Session Initiation Protocol Using Smart Card and Elliptic Curve Cryptography

ROMANIAN JOURNAL OF INFORMATION SCIENCE AND TECHNOLOGY Volume 16, Number 4, 2013, 324 335 An Improved Authentication Protocol for Session Initiation Protocol Using Smart Card and Elliptic Curve Cryptography

### Stronger Security Bounds for OMAC, TMAC and XCBC

Stronger Security Bounds for OMAC, MAC and XCBC etsu Iwata Kaoru Kurosawa Department of Computer and Information Sciences, Ibaraki University 4 1 1 Nakanarusawa, Hitachi, Ibaraki 316-8511, Japan {iwata,

### Hash-based Digital Signature Schemes

Hash-based Digital Signature Schemes Johannes Buchmann Erik Dahmen Michael Szydlo October 29, 2008 Contents 1 Introduction 2 2 Hash based one-time signature schemes 3 2.1 Lamport Diffie one-time signature

### Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware

Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Dept. of Computer Science Indiana Univ. at Bloomington Bloomington, IN 47405 Philippe Golle Palo Alto

### Chapter 3. Network Domain Security

Communication System Security, Chapter 3, Draft, L.D. Chen and G. Gong, 2008 1 Chapter 3. Network Domain Security A network can be considered as the physical resource for a communication system. This chapter

### Democratic Group Signatures on Example of Joint Ventures

Democratic Group Signatures on Example of Joint Ventures Mark Manulis Horst-Görtz Institute Ruhr-University of Bochum D-44801, Germany EMail: mark.manulis@rub.de Abstract. In the presence of economic globalization

### Implementation of Elliptic Curve Digital Signature Algorithm

Implementation of Elliptic Curve Digital Signature Algorithm Aqeel Khalique Kuldip Singh Sandeep Sood Department of Electronics & Computer Engineering, Indian Institute of Technology Roorkee Roorkee, India

### Indifferentiability Security of the Fast Wide Pipe Hash: Breaking the Birthday Barrier

Indifferentiability Security of the Fast Wide Pipe Hash: Breaking the Birthday Barrier Dustin Moody Souradyuti Paul Daniel Smith-Tone Abstract A hash function secure in the indifferentiability framework

### NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES Ounasser Abid 1, Jaouad Ettanfouhi 2 and Omar Khadir 3 1,2,3 Laboratory of Mathematics, Cryptography and Mechanics, Department of Mathematics, Fstm,

### Analysis of a Database and Index Encryption Scheme Problems and Fixes

Analysis of a Database and Index Encryption Scheme Problems and Fixes Ulrich Kühn Deutsche Telekom Laboratories Technische Universität Berlin, Germany ukuehn@acm.org Abstract. The database encryption scheme