Authenticated encryption: Relations among notions and analysis of the generic composition paradigm, 2000
Cited by 225 (22 self)

New proofs for NMAC and HMAC: Security without collision-resistance, 2006
Cited by 85 (8 self)
Abstract: HMAC was proved in [3] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collision-resistant. However, recent attacks show that assumption (2) is false for MD5 and SHA-1, removing the proof-based support for HMAC in these cases. This paper proves that HMAC is a PRF under the sole assumption that the compression function is a PRF. This recovers a proof-based guarantee since no known attacks compromise the pseudorandomness of the compression function, and it also helps explain the resistance-to-attack that HMAC has shown even when implemented with hash functions whose (weak) collision resistance is compromised. We also show that an even weaker-than-PRF condition on the compression function, namely that it is a privacy-preserving MAC, suffices to establish HMAC is a secure MAC as long as the hash function meets the very weak requirement of being computationally almost universal, where again the value lies in the fact that known

SIGMA: the ‘SIGn-and-MAc’ Approach to Authenticated Diffie-Hellman and its Use in the IKE Protocols, full version, http://www.ee.technion.ac.il/~hugo/sigma.html
Cited by 76 (5 self)
Abstract: We present the SIGMA family of key-exchange protocols and the “SIGn-and-MAc” approach to authenticated Diffie-Hellman underlying its design. The SIGMA protocols provide perfect forward secrecy via a Diffie-Hellman exchange authenticated with digital signatures, and are specifically designed to ensure sound cryptographic key exchange while providing a variety of features and trade-offs required in practical scenarios (such as optional identity protection and reduced number of protocol rounds). As a consequence, the SIGMA protocols are very well suited for use in actual applications and for standardized key exchange. In particular, SIGMA serves as the cryptographic basis for the signature-based modes of the standardized Internet Key Exchange (IKE) protocol (versions 1 and 2). This paper describes the design rationale behind the SIGMA approach and protocols, and points out many subtleties surrounding the design of secure key-exchange protocols in general, and identity-protecting protocols in particular. We motivate the design of SIGMA by comparing it to other protocols, most notably the STS protocol and its variants. In particular, it is shown how SIGMA solves some of the security shortcomings found in previous protocols.

A Block-Cipher Mode of Operation for Parallelizable Message Authentication, Advances in Cryptology – EUROCRYPT 2002, Lecture Notes in Computer Science, 2002
Cited by 60 (7 self)
Abstract: We define and analyze a simple and fully parallelizable block-cipher mode of operation for message authentication. Parallelizability does not come at the expense of serial efficiency: in a conventional, serial environment, the algorithm's speed is within a few percent of the (inherently sequential) CBC MAC. The new mode, PMAC, is deterministic, resembles a standard mode of operation (and not a Carter-Wegman MAC), works for strings of any bit length, employs a single block-cipher key, and uses just max{1, ⌈|M|/n⌉} block-cipher calls to MAC a string M ∈ {0,1}* using an n-bit block cipher. We prove PMAC secure, quantifying an adversary's forgery probability in terms of the quality of the block cipher as a pseudorandom permutation. Key words: block-cipher modes, message authentication codes, modes of operation, provable security.

A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications, Advances in Cryptology – EUROCRYPT ’03, Lecture Notes in Computer Science, 2003
Cited by 50 (10 self)
Abstract: We initiate a theoretical investigation of the popular block-cipher design-goal of security against “related-key attacks” (RKAs). We begin by introducing definitions for the concepts of PRPs and PRFs secure against classes of RKAs, each such class being specified by an associated set of “related-key deriving (RKD) functions.” Then for some such classes of attacks, we prove impossibility results, showing that no block-cipher can resist these attacks while, for other, related classes of attacks that include popular targets in the block cipher community, we prove possibility results that provide theoretical support for the view that security against them is achievable. Finally we prove security of various block-cipher-based constructs that use related keys, including a tweakable block cipher given in [17]. We believe this work helps block-cipher designers and cryptanalysts by clarifying what classes of attacks can and cannot be targets of design. It helps block-cipher users by providing guidelines about the kinds of related keys that are safe to use in constructs, and by enabling them to prove the security of such constructs. Finally, it puts forth a new primitive for consideration by theoreticians with regard to open questions about constructs based on minimal assumptions.

A provable-security treatment of the key-wrap problem, EUROCRYPT 2006, LNCS 4004, 2006
Cited by 28 (5 self)
Abstract: We give a provable-security treatment for the key-wrap problem, providing definitions, constructions, and proofs. We suggest that key-wrap’s goal is security in the sense of deterministic authenticated-encryption (DAE), a notion that we put forward. We also provide an alternative notion, a pseudorandom injection (PRI), which we prove to be equivalent. We provide a DAE construction, SIV, analyze its concrete security, develop a blockcipher-based instantiation of it, and suggest that the method makes a desirable alternative to the schemes of the X9.102 draft standard. The construction incorporates a method to turn a PRF that operates on a string into an equally efficient PRF that operates on a vector of strings, a problem of independent interest. Finally, we consider IV-based authenticated-encryption (AE) schemes that are maximally forgiving of repeated IVs, a goal we formalize as misuse-resistant AE. We show that a DAE scheme with a vector-valued header, such as SIV, directly realizes this goal.

On the Security of Randomized CBC-MAC Beyond the Birthday Paradox Limit: A New Construction, Fast Software Encryption ’02, Lecture Notes in Computer Science, 2001
Cited by 27 (1 self)
Abstract: In this paper, we study the security of randomized CBC-MACs and propose a new construction that resists birthday paradox attacks and provably reaches full security. The proof is done in a new security model that may be of independent interest to study the security of randomized functions. The size of the MAC tags in this construction is optimal, i.e., exactly twice the size of the block cipher. Up to a constant, the security of the proposed randomized CBC-MAC using an n-bit block cipher is the same as the security of the usual encrypted CBC-MAC using a 2n-bit block cipher. Moreover, this construction adds a negligible computational overhead compared to the cost of a plain, non-randomized CBC-MAC.

Recommendation for block cipher modes of operation: The CCM mode for authentication and confidentiality, NIST Special Publication 800-38C, National Institute of Standards and Technology (NIST), 2004

Breaking and Provably Repairing the SSH Authenticated Encryption Scheme: A Case Study of the Encode-then-Encrypt-and-MAC Paradigm, ACM Transactions on Information and System Security, 2004
Cited by 19 (5 self)
Abstract: The Secure Shell (SSH) protocol is one of the most popular cryptographic protocols on the Internet. Unfortunately, the current SSH authenticated encryption mechanism is insecure. In this paper, we propose several fixes to the SSH protocol and, using techniques from modern cryptography, we prove that our modified versions of SSH meet strong new chosen-ciphertext privacy and integrity requirements. Furthermore, our proposed fixes will require relatively little modification to the SSH protocol and to SSH implementations. We believe that our new notions of privacy and integrity for encryption schemes with stateful decryption algorithms will be of independent interest.

OMAC: One-Key CBC MAC, Pre-proceedings of Fast Software Encryption, FSE 2003, 2002
Cited by 18 (6 self)
Abstract: In this paper, we present One-key CBC MAC (OMAC) and prove its security for arbitrary length messages. OMAC takes only one key, K (k bits) of a block cipher E. Previously, XCBC requires three keys, (k + 2n) bits in total, and TMAC requires two keys, (k + n) bits in total, where n denotes the block length of E.