Security Analysis of DRBG Using HMAC in NIST SP
|
|
- Owen Wood
- 8 years ago
- Views:
Transcription
1 Security Analysis of DRBG Using MAC in NIST SP Shoichi irose Graduate School of Engineering, University of Fukui hrs Abstract. MAC DRBG is a deterministic random bit generator using MAC specified in NIST SP The document claims that MAC DRBG is a pseudorandom bit generator if MAC is a pseudorandom function. owever, no proof is given in the document. This article provides a security analysis of MAC DRBG and confirms the claim. ey words: NIST SP , pseudorandom bit generator, MAC, pseudorandom function 1 Introduction Background. Random bits are indispensable to every cryptographic application. owever, it is not easy to prepare sufficient amount of truly random bits in general. Thus, most applications use a cryptographic mechanism that is called a pseudorandom bit generator (PRBG). It stretches a short sequence of random bits to a long sequence of bits that are indistinguishable from truly random bits in practice. MAC DRBG is a deterministic random bit generator (DRBG) specified in NIST SP [3]. It is claimed in NIST SP that MAC DRBG is a PRBG if MAC is a pseudorandom function (PRF). owever, no proof is made public as far as the authors know. Contribution. This article presents a security analysis of MAC DRBG. The result supports the claim in NIST SP mentioned above. This article does not provide new techniques and just uses well-known ones in the analysis. In spite of this fact, the contribution of this paper is still important since MAC DRBG is expected to be widely used in practice. MAC DRBG consists of three algorithms. They are instantiate, reseed and generate algorithms. The instantiate/reseed algorithm is used to produce/refresh a secret key. The generate algorithm produces a binary sequence from a secret key given by the instantiate or reseed algorithms. This article gives a proof for the pseudorandomness of MAC DRBG on the assumption that the instantiate and reseed algorithms are ideal. Namely, a secret key given to the generate algorithm is selected uniformly at random by each of them.
2 2 S. irose Related Work. NIST SP specifies four DRBG mechanisms: ash DRBG, MAC DRBG, CTR DRBG and Dual EC DRBG. ash DRBG and MAC DRBG are based on hash functions. CTR DRBG uses a block cipher in the counter mode. Dual EC DRBG is based on the elliptic curve discrete logarithm problem. A security analysis of these DRBGs was presented in [9]. owever, the discussion was quite informal. A security analysis of CTR DRBG was also presented in [7]. Brown and Gjøsteen [6] provided a detailed security analysis of Dual EC DRBG. There also exist some other approved DRBGs in ANSI X.9.31 [2], ANSI X [1] and FIPS PUB [11]. The security of these algorithms was discussed in [8] and [10]. MAC was proposed by Bellare, Canetti and rawczyk [5]. It was proved to be a PRF on the assumption that the compression function of the underlying iterated hash function is a PRF with two keying strategies[4]. Actually, MAC is used as a PRF in many cryptographic schemes. Organization. This article is organized as follows. Definitions of a pseudorandom bit generator and a pseudorandom function are given in Sect. 2. A description of MAC DRBG is presented in Sect. 3. Results on security analysis of MAC DRBG are shown in Sect. 4. Concluding remarks are given in Sect Preliminaries Let a $ A represent that an element a is selected uniformly at random from a set A. 2.1 A Pseudorandom Bit Generator Let G be a function such that G : {0, 1} n {0, 1} l. Let D be a probabilistic algorithm which outputs 0 or 1 for a given input in {0, 1} l. The goal of D is to tell whether a given input is G(k) for k selected uniformly at random or it is selected uniformly at random. The advantage of D against G is defined as follows: Pr[D(G(k)) G (D) = $ = 1 k {0, 1} n ] Pr[D(s) = 1 s $ {0, 1} l ], where the probabilities are taken over the coin tosses by D and the uniform distributions on {0, 1} n or {0, 1} l. G is called a pseudorandom bit generator (PRBG) if l > n and G (D) is negligible for any efficient D. 2.2 A Pseudorandom Function Let be a keyed function such that : D R, where is a key space, D is a domain, and R is a range. (k, ) is denoted by k ( ). Let A be a probabilistic algorithm which has oracle access to a function from D to R. The goal of A is to tell whether the oracle is k for k selected uniformly at random or it is a
3 Security Analysis of DRBG Using MAC in NIST SP function selected uniformly at random. A first asks elements in D and obtains the corresponding elements in R with respect to the function, and then outputs 0 or 1. A makes the queries adaptively: A makes a new query after receiving an answer to the current query. Let F be the set of all functions from D to R. The advantage of A for is defined as follows: Adv prf Pr[A (A) = k = 1 k $ ] Pr[A ρ = 1 ρ $ F ], where the probabilities are taken over the coin tosses by A and the uniform distributions on or F. is called a pseudorandom function (PRF) if Adv prf (A) is negligible for any efficient A. 3 MAC DRBG MAC DRBG is a DRBG using MAC in NIST SP [3]. It consists of three algorithms: an instantiate algorithm, a reseed algorithm and a generate algorithm. The instantiate algorithm is used to produce a secret key. The reseed algorithm is used to refresh it. These algorithms are out of the scope of the article. They also use MAC to produce the secret keys. owever, the security of the outputs is not based on the secrecy and randomness of the keys given to MAC but the data given to MAC via message input. From this viewpoint, we may say that they abuse MAC. We only assume that the keys produced by the instantiate and reseed algorithms are ideal. Namely, we assume that a secret key given to the generate algorithm is selected uniformly at random. The generate algorithm produces a binary sequence for a given secret key. A description of this algorithm is given in the following part. The instantiate and reseed algorithms are given in Appendix A for reference. Notation. MAC is simply denoted by. Let n denote the output length of. Let null denote an empty sequence. Concatenation of binary sequences x and y is denoted by x y. The symbol is sometimes omitted. 3.1 Internal State The internal state of MAC DRBG includes {0, 1} n, {0, 1} n, and a reseed counter d 1. and are assumed to be secret. The reseed counter d is an integer variable indicating the number of requests for pseudorandom bits since instantiation or reseeding. 3.2 The Function Update The function Update is used in the generate algorithm to produce a secret key (, ) for the next invocation of the generate algorithm. It is described as follows.
4 4 S. irose Update(,, adin): 1. = (, 0x00 adin) 2. = (, ) 3. If adin = null, then return (, ) 4. = (, 0x01 adin) 5. = (, ) 6. Return (, ) adin is an optional additional input. Update is shown in Fig. 1. 0x00 (a) If adin is an empty sequence 0x00 adin 0x01 adin (b) If adin is not an empty sequence Fig. 1. The function Update 3.3 The Algorithm Generate The generate algorithm Generate produces a binary sequence s for given secret (, ) and an optional additional input adin. It is described as follows.
5 Security Analysis of DRBG Using MAC in NIST SP Generate(,, adin): 1. If d > w, then return an indication that a reseed is required. 2. (, ) = Update(,, adin) if adin null 3. tmp = null 4. While tmp < l do: (a) = (, ) (b) tmp = tmp 5. s = the leftmost l bits of tmp 6. (, ) = Update(,, adin) 7. d = d Return s and (, ) The maximum sizes of parameters are given in Table 1. w is called a reseed interval. It represents the total number of requests for pseudorandom bits between reseeding. If adin is not supported, then the step 6 is executed with adin = null. Generate is given in Fig. 2. null Update adin s (a) If adin is not given or not supported Update Update s (b) If adin is given Fig. 2. The algorithm Generate. The update of the reseed counter d is omitted.
6 6 S. irose Table 1. The maximum sizes of parameters parameter maximum size adin 2 35 bits l 2 19 bits w Security Analysis For simplicity, we assume that l is a multiple of n. Thus, the output length of Generate is l+2n. We analyze the security of a generator G : {0, 1} 2n {0, 1} wl defined as follows: G(, ): 1. ( 0, 0 ) = (, ) 2. s = null 3. for i = 1 to w do (a) (s i, i, i ) = Generate( i 1, i 1, adin i 1 ) (b) s = s s i (c) Return s We make adin i implicit in the notation of G(, ), because the analysis given in the remaining parts does not depend on the value of adin i. It depends only on whether adin i = null or not. 4.1 If adin = null First, notice that we cannot prove the pseudorandomness of G directly from that of Generate. Generate is not a PRBG if adin = null. Let q = l/n and Generate(, ) = s 1 s 2 s q, where s j {0, 1} n for 1 j q. Then, = (s q ). Thus, it is easy to distinguish s 1 s 2 s q from a truly random sequence of length l + 2n. We introduce two generators G 01 and G 02. G 01 : {0, 1} 2n {0, 1} l+2n is described as follows: G 01 (, ): 1. s = 2. tmp = null 3. While tmp < l do: (a) = (, ) (b) tmp = tmp 4. s = s tmp 5. = (, 0x00) 6. s = s 7. Return s
7 Security Analysis of DRBG Using MAC in NIST SP G 02 : {0, 1} 2n {0, 1} l+3n is described as follows: G 02 (, ) : 1. s = 2. = (, ) 3. s = s G 01 (, ) 4. Return s The only difference between G 01 and G 02 is that G 02 calls MAC more than G 01 by one time. Let G 0 : {0, 1} 2n {0, 1} w(l+n)+n be a generator which, for a given (, ), produces a sequence { s 1 0 s 1 1 s 1 q+1 if w = 1 s 1 0s 1 1 s 1 q 1 s 2 1s 2 0 s 2 q 1 s w 1 1 sw 1 0 s w 1 q 1 sw 1s w 0 s w q+1 if w 2, where 1. s i j {0, 1}n, 2. s 1 0s 1 1 s 1 q+1 = G 01 (, ), and 3. s i 1s i 0s i 1 s i q+1 = G 02 (s i 1 q+1, si 1 q ) for 2 i w. A diagram of G 0 is given in Fig. 3. Notice that G(, ) is a part of G 0 (, ). It is obvious if w = 1. For w 2, G(, ) = s 1 1s 1 2 s 1 q 1 s 2 1s 2 1s 2 2 s 2 q 1 s 1 w 1 sw 1 1 s w 1 2 s w 1 q 1 sw 1s w 1 s w 2 s w q = s 1 1s 1 2 s 1 q s 2 1s 2 2 s 2 q s w 1 1 s2 w 1 s w 1 q s w 1 s w 2 s w q, where s i+1 1 = si q for 1 i w 1. Thus, G is a PRBG if G 0 is a PRBG. We will discuss the security of G 0 in the remaining part. c c G 01 G 02 G 02 G Fig. 3. A diagram of the generator G 0. c represents the concatenation with 0x00. The Update functions are surrounded by dashed rectangles. We first show that both G 01 and G 02 are PRBGs if MAC is a PRF. For an algorithm A, let t A be the running time of A.
8 8 S. irose Lemma 1. Let D be a distinguisher for G 01 which runs in t D. Then, there exists an adversary A for MAC such that G 01 (D) Adv prf q(q 1) MAC (A) + 2 n+1. A runs in t D + O(l) and asks at most q + 1 queries. Proof. Let F,n be the set of all functions from {0, 1} to {0, 1} n. Let Ĝ01(ρ, ) be a generator obtained from G 01 by replacing MAC with a function ρ F,n. Let Then, P 0 = Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 01 (, )], P 1 = Pr[D(s) = 1 ρ $ F,n $ {0, 1} n s Ĝ01(ρ, )], P 2 = Pr[D(s) = 1 s $ {0, 1} l+2n ]. G (D) = P 0 P 2 P 0 P 1 + P 1 P 2. Let Ĝ01(ρ, ) = ŝ 0 ŝ 1 ŝ q+1, where ŝ j {0, 1} n for 0 j q + 1. If ρ $ F,n, then Ĝ01(ρ, ) and a random sequence of length l + 2 n is completely indistinguishable as far as ŝ j1 ŝ j2 for every j 1 and j 2 such that 0 j 1 < j 2 q 1. Notice that ŝ j ŝ q 0x00 for every 0 j q 1. Thus, P 1 P 2 q(q 1) 2 n+1. On the other hand, for P 0 P 1, it is easy to see that we can construct an adversary A for MAC, using D as a subroutine, such that Adv prf MAC (A) P 0 P 1, where A runs in t D + O(l) and asks at most q + 1 queries. Lemma 2. Let D be a distinguisher for G 02 which runs in t D. Then, there exists an adversary A such that G 02 (D) Adv prf q(q + 1) MAC (A) + 2 n+1. A runs in t D + O(l) and asks at most q + 2 queries. Proof. The proof is similar to that of Lemma 1. For w 2, let G (w 1) 02 be a generator which calls G 02 (w 1) times successively. Namely, G (w 1) 02 (s 1 q+1, s 1 q) = s 2 1s 2 0 s 2 q 1 s w 1 1 sw 1 0 s w 1 q 1 sw 1s w 0 s w q+1.
9 Security Analysis of DRBG Using MAC in NIST SP Lemma 3. Let D be a distinguisher for G (w 1) 02 which runs in t D. Then, there exists a distinguisher D of G 02 such that G (w 1) 02 D runs in t D + (w 2) t G02 + O(wl). (D) (w 1) G 02 (D ). Proof. For a given input s {0, 1} l+3n, the distinguisher D behaves as follows: 1. Select 2 r w uniformly at random. 2. If r 3, then select s 2 1s 2 0 s 2 q 1,..., s r 1 1 sr 1 0 s r 1 q 1 uniformly at random. 3. Let s r 1s r 0 s r q+1 = s. 4. If r < w, s i 1s i 0 s i q+1 = G 02 (s i 1 q ) for r + 1 i w. 5. Call D with s = s 2 1s 2 0 s 2 q 1 s w Output D s output. Then, q+1, si 1 sw 1 0 s w 1 q 1 sw 1s w 0 s w q+1. G 02 (D ) = Pr[D (G 02 (, )) = 1 (, ) $ {0, 1} 2n ] Pr[D (s) = 1 s $ {0, 1} l+3n ] = Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 02 (, )] Pr[D(s) = 1 s $ {0, 1} l+3n ]. Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 02 (, )] w = Pr[r = u D(s) = 1 (, ) $ {0, 1} 2n s G 02 (, )] = u=2 w u=2 Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 02 (, ) r = u] w 1 = Pr[D(s) = 1 (, ) $ {0, 1} 2n s G (w 1) 02 (, )] + w 1 w Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 02 (, ) r = u] w 1 u=3. Pr[D(s) = 1 s $ {0, 1} l+3n ] = w 1 u=2 Pr[D(s) = 1 s $ {0, 1} l+3n r = u] w 1 + Pr[D(s) = 1 s $ {0, 1} (w 1)(l+n)+2n ] w 1.
10 10 S. irose There may exist a better distinguisher for G 02 than D with the same running time. Thus, we have G 02 (D ) 1 w 1 Advprbg G (w 1) 02 (D). The running time of D is at most t D + (w 2) t G02 + O(wl). Lemma 4. Let D be a distinguisher for G 0 which runs in t D. Then, there exist distinguishers D for G 01 and D for G (w 1) 02 such that D runs in t D + t G (w 1) 02 Proof. Let G 0 (D) G 01 (D ) + G (w 1) 02 (D ). + O(wl), and D runs in t D + O(wl). P 0 = Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 0 (, )], P 1 = Pr[D(s) = 1 s 1 0 s 1 q+1 P 2 = Pr[D(s) = 1 s $ {0, 1} w(l+n)+n ]. Then, there exist D and D such that $ {0, 1} l+2n s s 1 0 s 1 q 1 G (w 1) 02 (s 1 q+1, s 1 q)], G 0 (D) = P 0 P 2 P 0 P 1 + P 1 P 2 The running time of D is t D + t (w 1) G 02 t D + O(wl). G 01 (D ) + G (w 1) 02 (D ). + O(wl). The running time of D is The following theorem directly follows from Lemmas 1, 2, 3 and 4. It implies that G 0 is a PRBG if MAC is a PRF. Theorem 1. Let D be a distinguisher for G 0 which runs in t D. Then, there exists an adversary A for MAC such that G 0 (D) w Adv prf wq(q + 1) MAC (A) + 2 n+1. A runs in t D + w(q + 2) t MAC + O(wl) and asks at most q + 2 queries, where the length of each query is at most n + 8. Remark 1. Suppose that SA-1 is the underlying hash function of MAC. Then, n = 160. Suppose that w = 2 48 and l = ( 2 19 ). Then, G 0 (D) 2 48 Adv prf MAC (A) , where A runs in time t D t MAC +O( ) and makes at most 2050 queries. The big-o notation is abused here. O( ) is upper bounded by c for some positive constant c.
11 Security Analysis of DRBG Using MAC in NIST SP Remark 2. Suppose that SA-256 is the underlying hash function of MAC. Then, n = 256. Suppose that w = 2 48 and l = Then, G 0 (D) 2 48 Adv prf MAC (A) , where A runs in time t D t MAC + O(2 67 ) and makes at most 2050 queries. 4.2 If adin null If adin null, then the analysis is similar but tedious. We first define several generators. Let g 10 : {0, 1} 2n {0, 1} 2n be a generator such that g 10 (, ) = (, 0x00 adin). Let g 11 : {0, 1} 2n {0, 1} 3n be a generator such that g 11 (, ) = s, where s is obtained as follows: 1. 1 = (, ) 2. 2 = (, 1 0x01 adin) 3. s = 1 2 Let g 12 : {0, 1} 2n {0, 1} 3n be a generator such that g 12 (, ) = s, where s is obtained as follows: 1. 1 = (, ) 2. 2 = (, 1 0x00 adin) 3. s = 1 2 The generators g 10, g 11 and g 12 are depicted in Fig. 4. Let G 10 : {0, 1} 2n {0, 1} l+3n be a generator equivalent to G 02 defined in the previous subsection. c0 c1 c0 g 10 g 11 g 12 Fig. 4. A diagram of the generators g 10, g 11 and g 12. The Update functions are surrounded by dashed rectangles. c0 represents the concatenation with 0x00 adin, and c1 represents the concatenation with 0x01 adin. Using the generators defined above, we further define two generators G 11 and G 12. G 11 : {0, 1} 2n {0, 1} l+4n is described as follows: G 11 (, ) = s 2 s 1 s q+1, where
12 12 S. irose = g 10 (, ) 2. s = g 11 ( 1, 1 ) 3. s 1 s 0 s q s q+1 = G 10 ( 2, 2 ) G 12 : {0, 1} 2n {0, 1} l+6n is described as follows: G 12 (, ) = s 4 s 3 s q+1, where 1. s = g 11 (, ) 2. s = g 12 ( 1, 1 ) 3. s = g 11 ( 2, 2 ) 4. s 1 s 0 s q s q+1 = G 10 ( 3, 3 ) Now, we are ready to discuss the pseudorandomness of G(, ). Let G 1 : {0, 1} 2n {0, 1} w(l+4n) be a generator which, for a given (, ), produces a sequence where { s 1 2 s 1 1 s 1 q+1 if w = 1 s 1 2s 1 1 s 1 q 1 s 2 4 s 2 q 1 s 4 w 1 s w 1 q 1 sw 4 s w q+1 if w 2, 1. s i j {0, 1}n, 2. s 1 2s 1 1 s 1 q+1 = G 11 (, ), and 3. s i 4 s i q+1 = G 12 (sq+1 i 1, si 1 q ) for 2 i w. Notice that G(, ) is a part of G 1 (, ). It is easy to see if w = 1. For w 2, G(, ) = s 1 1s 1 2 s 1 q 1 s 2 4s 2 1s 2 2 s 2 q 1 s w 1 4 sw 1 1 s w 1 2 s w 1 q 1 sw 4s w 1 s w 2 s w q+1 = s 1 1s 1 2 s 1 q s 2 1s 2 2 s 2 q s w 1 1 s w 1 2 s w 1 q s w 1 s w 2 s w q, where s i+1 4 = si q for 1 i w 1. Thus, we discuss the pseudorandomness of G 1 in the remaining part. We only present the results since the proofs are similar. Lemma 5. Let D be a distinguisher for g 10 which runs in t D. Then, there exists an adversary A for MAC such that A runs in t D + O(n) and asks 1 query. g 10 (D) Adv prf MAC (A). Lemma 6. Let g be g 11 or g 12. Let D be a distinguisher for g which runs in t D. Then, there exists an adversary A for MAC such that g (D) Adv prf MAC (A). A runs in t D + O(n) and asks at most 2 queries.
13 Security Analysis of DRBG Using MAC in NIST SP Lemma 7. Let D be a distinguisher for G 11 which runs in t D. Then, there exist D 0, D 1 and D such that g 10 G 11 (D) (D 0 ) + g 11 (D 1 ) + G 10 (D ). D 0 runs in t D + t g11 + t G10 + O(n). D 1 runs in t D + t G10 + O(n). D runs in t D + O(n). Lemma 8. Let D be a distinguisher for G 12 which runs in t D. Then, there exist D 1, D 2 and D such that g 11 G 12 (D) 2 (D 1 ) + g 12 (D 2 ) + G 10 (D ). D 1 runs in t D + t g11 + t g12 + t G10 + O(n). D 2 runs in t D + t g11 + t G10 + O(n). D runs in t D + O(n). The following theorem directly follows from Lemmas 5, 6, 7 and 8. It implies that G 1 is a PRBG if MAC is a pseudorandom function. Theorem 2. Let D be a distinguisher for G 1 which runs in t D. Then, there exist adversaries A 1 and A 2 such that G 1 (D) w Adv prf MAC (A 1) + 3 w Adv prf MAC (A wq(q 1) 2) + 2 n+1. A 1 runs in t D + w(q + 8) t MAC + O(wl) and asks at most q + 1 queries, and A 2 runs in t D + (w + 1)(q + 8) t MAC + O(wl) and asks at most 2 queries. 5 Conclusion We have shown that the binary sequence generation algorithm of MAC DRBG is a PRBG if MAC is a PRF. Future work includes analysis of the instantiate and reseed algorithms of MAC DRBG. Acknowledgements The author would like to thank anonymous reviewers for their valuable comments. This research was supported in part by the National Institute of Information and Communications Technology, Japan. References 1. American National Standards Institute. Public key cryptography for the financial services industry: The elliptic curve digital signature algorithm (ECDSA). ANSI X (1998) 2. American National Standards Institute. Digital signatures using reversible public key cryptography for the financial services industry (rdsa). ANSI X (1998)
14 14 S. irose 3. Barker, E., elsey, J.: Recommendation for random number generation using deterministic random bit generators (revised). NIST Special Publication (2007) 4. Bellare, M.: New proofs for NMAC and MAC: Security without collisionresistance. In: Dwork, C. (ed.) CRYPTO LNCS, vol. 4117, pp Springer (2006). The full version is Cryptology eprint Archive: Report 2006/043 at 5. Bellare, M., Canetti, R., rawczyk,.: eying hash functions for message authentication. In: oblitz, N. (ed.) CRYPTO 96. LNCS, vol. 1109, pp Springer (1996) 6. Brown, D.R., Gjøsteen,.: A security analysis of the NIST SP elliptic curve random number generator. In: Menezes, A. (ed.) CRYPTO LNCS, vol. 4622, pp Springer (2007) 7. Campagna, M.J.: Security bounds for the NIST codebook-based deterministic random bit generator. Cryptology eprint Archive: Report 2006/379, iacr.org/ 8. Desai, A., evia, A., Yin, Y.L.: A practice-oriented treatment of pseudorandom number generators. In: nudsen, L.R. (ed.) EUROCRYPT LNCS, vol. 2332, pp Springer (2002) 9. an, W.: Analysis of underlying assumptions in NIST DRBGs. Cryptology eprint Archive: Report 2007/345, elsey, J., Schneier, B., Wagner, D., all, C.: Cryptanalytic attacks on pseudorandom number generators. In: audenay, S. (ed.) FSE 98. LNCS, vol. 1372, pp Springer (1998) 11. U.S. Department of Commerce/National Institute of Standards and Technology. Digital signature standard (DSS). Federal Information Processing Standards Publication (+Change Notice) (2000) A The Instantiate and Reseed Algorithms of MAC DRBG The internal state of MAC DRBG includes {0, 1} n, {0, 1} n, and a reseed counter d. data is the entropy source. adin is an optional additional input. The Instantiate Algorithm. The instantiate algorithm Instantiate is described as follows: Instantiate(data, nonce, adin): 1. seed = data nonce adin 2. = 0x = 0x (, ) = Update(seed,, ) 5. d = 1 6. Return (, ) and d. If adin is not supported, then the first step of the procedure is replaced by seed = data nonce.
15 Security Analysis of DRBG Using MAC in NIST SP The Reseed Algorithm. The reseed algorithm Reseed is described as follows: Reseed(,, d, data, adin): 1. seed = data adin 2. (, ) = Update(seed,, ) 3. d = 1 4. Return (, ) and d. The input (, ) to Reseed is given by the latest Generate. If adin is not supported, then the first step of the procedure is replaced by seed = data.
The NIST SP 800-90A Deterministic Random Bit Generator Validation System (DRBGVS)
The NIST SP 800-90A Deterministic Random Bit Generator Validation System (DRBGVS) Updated: March 21, 2012 Previous Update: September 2, 2011 Original: March 10, 2009 Timothy A. Hall National Institute
More informationNetwork Security. Chapter 6 Random Number Generation
Network Security Chapter 6 Random Number Generation 1 Tasks of Key Management (1)! Generation:! It is crucial to security, that keys are generated with a truly random or at least a pseudo-random generation
More informationC O M P U T E R S E C U R I T Y
NIST Special Publication 800-56C Recommendation for Key Derivation through Extraction-then-Expansion Lily Chen Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T
More informationYale University Department of Computer Science
Yale University Department of Computer Science On Backtracking Resistance in Pseudorandom Bit Generation (preliminary version) Michael J. Fischer Michael S. Paterson Ewa Syta YALEU/DCS/TR-1466 October
More informationComparison of CBC MAC Variants and Comments on NIST s Consultation Paper
Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper Tetsu Iwata Department of Computer and Information Sciences, Ibaraki University 4 12 1 Nakanarusawa, Hitachi, Ibaraki 316-8511,
More informationRecommendation for Applications Using Approved Hash Algorithms
NIST Special Publication 800-107 Recommendation for Applications Using Approved Hash Algorithms Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y February
More informationLecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads
CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs
More informationMACs Message authentication and integrity. Table of contents
MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and
More informationOn the Security of the CCM Encryption Mode and of a Slight Variant
On the Security of the CCM Encryption Mode and of a Slight Variant Pierre-Alain Fouque 1 and Gwenaëlle Martinet 2 and Frédéric Valette 3 and Sébastien Zimmer 1 1 École normale supérieure, 45 rue d Ulm,
More informationOn the Security of CTR + CBC-MAC
On the Security of CTR + CBC-MAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBC-MAC (CCM) encryption mode.
More informationLecture 9 - Message Authentication Codes
Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,
More informationRandomized Hashing for Digital Signatures
NIST Special Publication 800-106 Randomized Hashing for Digital Signatures Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y February 2009 U.S. Department
More informationNetwork Security. Chapter 6 Random Number Generation. Prof. Dr.-Ing. Georg Carle
Network Security Chapter 6 Random Number Generation Prof. Dr.-Ing. Georg Carle Chair for Computer Networks & Internet Wilhelm-Schickard-Institute for Computer Science University of Tübingen http://net.informatik.uni-tuebingen.de/
More informationLecture 5 - CPA security, Pseudorandom functions
Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.
More informationImproved Online/Offline Signature Schemes
Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion
More informationVictor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract
Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct
More informationRecommendation for Applications Using Approved Hash Algorithms
NIST Special Publication 800-107 Revision 1 Recommendation for Applications Using Approved Hash Algorithms Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C
More informationProvable-Security Analysis of Authenticated Encryption in Kerberos
Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765
More informationOutline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures
Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike
More informationNon-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak
Non-Black-Box Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a
More informationBreaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring
Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2
More informationInternational Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013
FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,
More informationRecommendation for Cryptographic Key Generation
NIST Special Publication 800-133 Recommendation for Cryptographic Key Generation Elaine Barker Allen Roginsky http://dx.doi.org/10.6028/nist.sp.800-133 C O M P U T E R S E C U R I T Y NIST Special Publication
More informationAuthentication requirement Authentication function MAC Hash function Security of
UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy
More information1 Message Authentication
Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions
More informationThe Misuse of RC4 in Microsoft Word and Excel
The Misuse of RC4 in Microsoft Word and Excel Hongjun Wu Institute for Infocomm Research, Singapore hongjun@i2r.a-star.edu.sg Abstract. In this report, we point out a serious security flaw in Microsoft
More informationComputational Soundness of Symbolic Security and Implicit Complexity
Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview
More informationARCHIVED PUBLICATION
ARCHIVED PUBLICATION The attached publication, FIPS Publication 186-3 (dated June 2009), was superseded on July 19, 2013 and is provided here only for historical purposes. For the most current revision
More informationTransitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
NIST Special Publication 800-131A Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths Elaine Barker and Allen Roginsky Computer Security Division Information
More informationConcrete Security of the Blum-Blum-Shub Pseudorandom Generator
Appears in Cryptography and Coding: 10th IMA International Conference, Lecture Notes in Computer Science 3796 (2005) 355 375. Springer-Verlag. Concrete Security of the Blum-Blum-Shub Pseudorandom Generator
More informationSpecification of Cryptographic Technique PC-MAC-AES. NEC Corporation
Specification of Cryptographic Technique PC-MAC-AS NC Corporation Contents 1 Contents 1 Design Criteria 2 2 Specification 2 2.1 Notations............................................. 2 2.2 Basic Functions..........................................
More informationUniversal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption
Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key
More informationDigital Signature Standard (DSS)
FIPS PUB 186-4 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Digital Signature Standard (DSS) CATEGORY: COMPUTER SECURITY SUBCATEGORY: CRYPTOGRAPHY Information Technology Laboratory National Institute
More informationThe Keyed-Hash Message Authentication Code (HMAC)
FIPS PUB 198-1 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION The Keyed-Hash Message Authentication Code (HMAC) CATEGORY: COMPUTER SECURITY SUBCATEGORY: CRYPTOGRAPHY Information Technology Laboratory
More information1 Construction of CCA-secure encryption
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.
More informationRecommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised)
NIST Special Publication 800-56A Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised) Elaine Barker, Don Johnson, and Miles Smid C O M P U T E R S E C
More informationA Factoring and Discrete Logarithm based Cryptosystem
Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511-517 HIKARI Ltd, www.m-hikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques
More informationSecurity Analysis for Order Preserving Encryption Schemes
Security Analysis for Order Preserving Encryption Schemes Liangliang Xiao University of Texas at Dallas Email: xll052000@utdallas.edu Osbert Bastani Harvard University Email: obastani@fas.harvard.edu I-Ling
More informationIdentity-Based Encryption from the Weil Pairing
Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages
More informationLength extension attack on narrow-pipe SHA-3 candidates
Length extension attack on narrow-pipe SHA-3 candidates Danilo Gligoroski Department of Telematics, Norwegian University of Science and Technology, O.S.Bragstads plass 2B, N-7491 Trondheim, NORWAY danilo.gligoroski@item.ntnu.no
More informationRemotely Keyed Encryption Using Non-Encrypting Smart Cards
THE ADVANCED COMPUTING SYSTEMS ASSOCIATION The following paper was originally published in the USENIX Workshop on Smartcard Technology Chicago, Illinois, USA, May 10 11, 1999 Remotely Keyed Encryption
More informationMESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC
MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial
More informationCh.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis
Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography
More informationCapture Resilient ElGamal Signature Protocols
Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department
More informationA New Generic Digital Signature Algorithm
Groups Complex. Cryptol.? (????), 1 16 DOI 10.1515/GCC.????.??? de Gruyter???? A New Generic Digital Signature Algorithm Jennifer Seberry, Vinhbuu To and Dongvu Tonien Abstract. In this paper, we study
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 20 Public-Key Cryptography and Message Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Public-Key Cryptography
More informationSecurity Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012
Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database
More informationNew Efficient Searchable Encryption Schemes from Bilinear Pairings
International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang
More informationCryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs
Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a
More informationCMSS An Improved Merkle Signature Scheme
CMSS An Improved Merkle Signature Scheme Johannes Buchmann 1, Luis Carlos Coronado García 2, Erik Dahmen 1, Martin Döring 1, and Elena Klintsevich 1 1 Technische Universität Darmstadt Department of Computer
More informationThe Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)
The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication
More informationLecture 13: Message Authentication Codes
Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts
More informationCryptographic Hash Functions Message Authentication Digital Signatures
Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBC-MAC Digital signatures 2 Encryption/Decryption
More informationETSI TS 102 176-2 V1.2.1 (2005-07)
TS 102 176-2 V1.2.1 (2005-07) Technical Specification Electronic Signatures and Infrastructures (ESI); Algorithms and Parameters for Secure Electronic Signatures; Part 2: Secure channel protocols and algorithms
More informationA novel deniable authentication protocol using generalized ElGamal signature scheme
Information Sciences 177 (2007) 1376 1381 www.elsevier.com/locate/ins A novel deniable authentication protocol using generalized ElGamal signature scheme Wei-Bin Lee a, Chia-Chun Wu a, Woei-Jiunn Tsaur
More informationA New and Efficient Signature on Commitment Values
International Journal of Network Security, Vol.7, No., PP.0 06, July 2008 0 A New and Efficient Signature on Commitment Values Fangguo Zhang,3, Xiaofeng Chen 2,3, Yi Mu 4, and Willy Susilo 4 (Corresponding
More informationAn Approach to Shorten Digital Signature Length
Computer Science Journal of Moldova, vol.14, no.342, 2006 An Approach to Shorten Digital Signature Length Nikolay A. Moldovyan Abstract A new method is proposed to design short signature schemes based
More informationCUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631
Cunsheng DING, HKUST Lecture 08: Key Management for One-key Ciphers Topics of this Lecture 1. The generation and distribution of secret keys. 2. A key distribution protocol with a key distribution center.
More informationAlgorithms and Parameters for Secure Electronic Signatures V.1.44 DRAFT May 4 th., 2001
Title: Algorithms and Parameters for Secure Electronic Signatures Source: This document is the outcome of the work of the Algorithms group (ALGO) working under the umbrella of - SG (European Electronic
More informationEfficient Unlinkable Secret Handshakes for Anonymous Communications
보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 Efficient Unlinkable Secret Handshakes for Anonymous Communications Eun-Kyung Ryu 1), Kee-Young Yoo 2), Keum-Sook Ha 3) Abstract The technique
More informationInformation Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay
Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay Lecture - 17 Shannon-Fano-Elias Coding and Introduction to Arithmetic Coding
More informationStrengthening Digital Signatures via Randomized Hashing
Strengthening Digital Signatures via Randomized Hashing Shai Halevi Hugo Krawczyk January 30, 2007 Abstract We propose randomized hashing as a mode of operation for cryptographic hash functions intended
More informationGCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell Bar-Ilan University
GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte Shay Gueron Haifa Univ. and Intel Yehuda Lindell Bar-Ilan University Appeared at ACM CCS 2015 How to Encrypt with
More informationMessage Authentication Code
Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44
More informationRecommendation for Digital Signature Timeliness
NIST Special Publication 800-102 Recommendation for Digital Signature Timeliness Elaine Barker Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y September 2009
More informationPredictive Models for Min-Entropy Estimation
Predictive Models for Min-Entropy Estimation John Kelsey Kerry A. McKay Meltem Sönmez Turan National Institute of Standards and Technology meltem.turan@nist.gov September 15, 2015 Overview Cryptographic
More informationMTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic
More informationLimits of Computational Differential Privacy in the Client/Server Setting
Limits of Computational Differential Privacy in the Client/Server Setting Adam Groce, Jonathan Katz, and Arkady Yerukhimovich Dept. of Computer Science University of Maryland {agroce, jkatz, arkady}@cs.umd.edu
More informationOne-Way Encryption and Message Authentication
One-Way Encryption and Message Authentication Cryptographic Hash Functions Johannes Mittmann mittmann@in.tum.de Zentrum Mathematik Technische Universität München (TUM) 3 rd Joint Advanced Student School
More informationSecurity Arguments for Digital Signatures and Blind Signatures
Journal of Cryptology, Volume 13, Number 3. Pages 361 396, Springer-Verlag, 2000. 2000 International Association for Cryptologic Research Security Arguments for Digital Signatures and Blind Signatures
More informationCS 393 Network Security. Nasir Memon Polytechnic University Module 11 Secure Email
CS 393 Network Security Nasir Memon Polytechnic University Module 11 Secure Email Course Logistics HW 5 due Thursday Graded exams returned and discussed. Read Chapter 5 of text 4/2/02 Module 11 - Secure
More informationSkyRecon Cryptographic Module (SCM)
SkyRecon Cryptographic Module (SCM) FIPS 140-2 Documentation: Security Policy Abstract This document specifies the security policy for the SkyRecon Cryptographic Module (SCM) as described in FIPS PUB 140-2.
More informationMessage Authentication Codes 133
Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in
More informationTalk announcement please consider attending!
Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically
More informationSECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES
www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,
More informationSD12 REPLACES: N19780
ISO/IEC JTC 1/SC 27 N13432 ISO/IEC JTC 1/SC 27 Information technology - Security techniques Secretariat: DIN, Germany SD12 REPLACES: N19780 DOC TYPE: TITLE: Standing document ISO/IEC JTC 1/SC 27 Standing
More informationNational Security Agency Perspective on Key Management
National Security Agency Perspective on Key Management IEEE Key Management Summit 5 May 2010 Petrina Gillman Information Assurance (IA) Infrastructure Development & Operations Technical Director National
More information1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.
1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks
More informationEXAM questions for the course TTM4135 - Information Security May 2013. Part 1
EXAM questions for the course TTM4135 - Information Security May 2013 Part 1 This part consists of 5 questions all from one common topic. The number of maximal points for every correctly answered question
More informationStronger Security Bounds for OMAC, TMAC and XCBC
Stronger Security Bounds for OMAC, MAC and XCBC etsu Iwata Kaoru Kurosawa Department of Computer and Information Sciences, Ibaraki University 4 1 1 Nakanarusawa, Hitachi, Ibaraki 316-8511, Japan {iwata,
More informationIntroduction. Digital Signature
Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology
More informationAdvanced Cryptography
Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.
More informationLeakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives
Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives Olivier Pereira Université catholique de Louvain ICTEAM Crypto Group B-1348, Belgium olivier.pereira@uclouvain.be
More informationChapter 3. Network Domain Security
Communication System Security, Chapter 3, Draft, L.D. Chen and G. Gong, 2008 1 Chapter 3. Network Domain Security A network can be considered as the physical resource for a communication system. This chapter
More informationSimulation-Based Security with Inexhaustible Interactive Turing Machines
Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de
More informationHASH CODE BASED SECURITY IN CLOUD COMPUTING
ABSTRACT HASH CODE BASED SECURITY IN CLOUD COMPUTING Kaleem Ur Rehman M.Tech student (CSE), College of Engineering, TMU Moradabad (India) The Hash functions describe as a phenomenon of information security
More informationTamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware
Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Dept. of Computer Science Indiana Univ. at Bloomington Bloomington, IN 47405 Philippe Golle Palo Alto
More informationImplementation of Elliptic Curve Digital Signature Algorithm
Implementation of Elliptic Curve Digital Signature Algorithm Aqeel Khalique Kuldip Singh Sandeep Sood Department of Electronics & Computer Engineering, Indian Institute of Technology Roorkee Roorkee, India
More informationIndifferentiability Security of the Fast Wide Pipe Hash: Breaking the Birthday Barrier
Indifferentiability Security of the Fast Wide Pipe Hash: Breaking the Birthday Barrier Dustin Moody Souradyuti Paul Daniel Smith-Tone Abstract A hash function secure in the indifferentiability framework
More informationshmqv: An Efficient Key Exchange Protocol for Power-limited Devices
shmqv: An Efficient Key Exchange Protocol for Power-limited Devices Shijun Zhao and Qianying Zhang Institute of Software Chinese Academy of Sciences, ISCAS, Beijing, China. zqyzsj@gmail.com, zsjzqy@gmail.com
More informationOverview of Cryptographic Tools for Data Security. Murat Kantarcioglu
UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the
More informationNotes from Week 1: Algorithms for sequential prediction
CS 683 Learning, Games, and Electronic Markets Spring 2007 Notes from Week 1: Algorithms for sequential prediction Instructor: Robert Kleinberg 22-26 Jan 2007 1 Introduction In this course we will be looking
More informationNEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES
NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES Ounasser Abid 1, Jaouad Ettanfouhi 2 and Omar Khadir 3 1,2,3 Laboratory of Mathematics, Cryptography and Mechanics, Department of Mathematics, Fstm,
More informationAnalysis of a Database and Index Encryption Scheme Problems and Fixes
Analysis of a Database and Index Encryption Scheme Problems and Fixes Ulrich Kühn Deutsche Telekom Laboratories Technische Universität Berlin, Germany ukuehn@acm.org Abstract. The database encryption scheme
More informationAn Improved Authentication Protocol for Session Initiation Protocol Using Smart Card and Elliptic Curve Cryptography
ROMANIAN JOURNAL OF INFORMATION SCIENCE AND TECHNOLOGY Volume 16, Number 4, 2013, 324 335 An Improved Authentication Protocol for Session Initiation Protocol Using Smart Card and Elliptic Curve Cryptography
More informationHash-based Digital Signature Schemes
Hash-based Digital Signature Schemes Johannes Buchmann Erik Dahmen Michael Szydlo October 29, 2008 Contents 1 Introduction 2 2 Hash based one-time signature schemes 3 2.1 Lamport Diffie one-time signature
More informationDeveloping and Investigation of a New Technique Combining Message Authentication and Encryption
Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas El-Qawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.
More informationElliptic Curve Hash (and Sign)
Elliptic Curve Hash (and Sign) (and the 1-up problem for ECDSA) Daniel R. L. Brown Certicom Research ECC 2008, Utrecht, Sep 22-24 2008 Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 1 / 43
More information