Authenticated encryption: Relations among notions and analysis of the generic composition paradigm
2000
Tweakable block ciphers
2002
Abstract. We propose a new cryptographic primitive, the “tweakable block cipher.” Such a cipher has not only the usual inputs—message and cryptographic key—but also a third input, the “tweak.” The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our proposal thus brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher “tweakable” is small, and (3) it is easier to design and prove modes of operation based on tweakable block ciphers.
New proofs for NMAC and HMAC: Security without collision-resistance
2006
HMAC was proved in [3] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collision-resistant. However, recent attacks show that assumption (2) is false for MD5 and SHA-1, removing the proof-based support for HMAC in these cases. This paper proves that HMAC is a PRF under the sole assumption that the compression function is a PRF. This recovers a proof-based guarantee since no known attacks compromise the pseudorandomness of the compression function, and it also helps explain the resistance-to-attack that HMAC has shown even when implemented with hash functions whose (weak) collision resistance is compromised. We also show that an even weaker-than-PRF condition on the compression function, namely that it is a privacy-preserving MAC, suffices to establish HMAC is a secure MAC as long as the hash function meets the very weak requirement of being computationally almost universal, where again the value lies in the fact that known
SIGMA: the ‘SIGn-and-MAc’ Approach to Authenticated Diffie-Hellman and its Use in the IKE Protocols, full version. http://www.ee.technion.ac.il/~hugo/sigma.html
Abstract. We present the SIGMA family of key-exchange protocols and the “SIGn-and-MAc” approach to authenticated Diffie-Hellman underlying its design. The SIGMA protocols provide perfect forward secrecy via a Diffie-Hellman exchange authenticated with digital signatures, and are specifically designed to ensure sound cryptographic key exchange while providing a variety of features and trade-offs required in practical scenarios (such as optional identity protection and reduced number of protocol rounds). As a consequence, the SIGMA protocols are very well suited for use in actual applications and for standardized key exchange. In particular, SIGMA serves as the cryptographic basis for the signature-based modes of the standardized Internet Key Exchange (IKE) protocol (versions 1 and 2). This paper describes the design rationale behind the SIGMA approach and protocols, and points out many subtleties surrounding the design of secure key-exchange protocols in general, and identity-protecting protocols in particular. We motivate the design of SIGMA by comparing it to other protocols, most notably the STS protocol and its variants. In particular, it is shown how SIGMA solves some of the security shortcomings found in previous protocols.
A Block-Cipher Mode of Operation for Parallelizable Message Authentication
Advances in Cryptology - EUROCRYPT 2002, Lecture Notes in Computer Science
2002
We define and analyze a simple and fully parallelizable block-cipher mode of operation for message authentication. Parallelizability does not come at the expense of serial efficiency: in a conventional, serial environment, the algorithm's speed is within a few percent of the (inherently sequential) CBC MAC. The new mode, PMAC, is deterministic, resembles a standard mode of operation (and not a Carter-Wegman MAC), works for strings of any bit length, employs a single block-cipher key, and uses just max{1, ⌈|M|/n⌉} block-cipher calls to MAC a string M ∈ {0, 1}* using an n-bit block cipher. We prove PMAC secure, quantifying an adversary's forgery probability in terms of the quality of the block cipher as a pseudorandom permutation. Key words: block-cipher modes, message authentication codes, modes of operation, provable security.
A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications
Advances in Cryptology – EUROCRYPT ’03, Lecture Notes in Computer Science
2003
We initiate a theoretical investigation of the popular block-cipher design goal of security against “related-key attacks” (RKAs). We begin by introducing definitions for the concepts of PRPs and PRFs secure against classes of RKAs, each such class being specified by an associated set of “related-key deriving (RKD) functions.” Then for some such classes of attacks, we prove impossibility results, showing that no block cipher can resist these attacks while, for other, related classes of attacks that include popular targets in the block cipher community, we prove possibility results that provide theoretical support for the view that security against them is achievable. Finally we prove security of various block-cipher based constructs that use related keys, including a tweakable block cipher given in [17]. We believe this work helps block-cipher designers and cryptanalysts by clarifying what classes of attacks can and cannot be targets of design. It helps block-cipher users by providing guidelines about the kinds of related keys that are safe to use in constructs, and by enabling them to prove the security of such constructs. Finally, it puts forth a new primitive for consideration by theoreticians with regard to open questions about constructs based on minimal assumptions.
A provable-security treatment of the key-wrap problem
EUROCRYPT 2006, LNCS 4004
2006
Abstract. We give a provable-security treatment for the key-wrap problem, providing definitions, constructions, and proofs. We suggest that key-wrap’s goal is security in the sense of deterministic authenticated-encryption (DAE), a notion that we put forward. We also provide an alternative notion, a pseudorandom injection (PRI), which we prove to be equivalent. We provide a DAE construction, SIV, analyze its concrete security, develop a block-cipher-based instantiation of it, and suggest that the method makes a desirable alternative to the schemes of the X9.102 draft standard. The construction incorporates a method to turn a PRF that operates on a string into an equally efficient PRF that operates on a vector of strings, a problem of independent interest. Finally, we consider IV-based authenticated-encryption (AE) schemes that are maximally forgiving of repeated IVs, a goal we formalize as misuse-resistant AE. We show that a DAE scheme with a vector-valued header, such as SIV, directly realizes this goal.
Code-Based Game-Playing Proofs and the Security of Triple Encryption
Eurocrypt 2006, LNCS
(Draft 3.0) The game-playing technique is a powerful tool for analyzing cryptographic constructions. We illustrate this by using games as the central tool for proving security of three-key triple-encryption, a long-standing open problem. Our result, which is in the ideal-cipher model, demonstrates that for DES parameters (56-bit keys and 64-bit plaintexts) an adversary’s maximal advantage is small until it asks about 2^78 queries. Beyond this application, we develop the foundations for game playing, formalizing a general framework for game-playing proofs and discussing techniques used within such proofs. To further exercise the game-playing framework we show how to use games to get simple proofs for the PRP/PRF Switching Lemma, the security
Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality
NIST Special Publication
2004
On the Security of Randomized CBC-MAC Beyond the Birthday Paradox Limit: A New Construction
Fast Software Encryption ’02, Lecture Notes in Computer Science
2001
In this paper, we study the security of randomized CBC-MACs and propose a new construction that resists birthday paradox attacks and provably reaches full security. The proof is done in a new security model that may be of independent interest to study the security of randomized functions. The size of the MAC tags in this construction is optimal, i.e., exactly twice the size of the block cipher. Up to a constant, the security of the proposed randomized CBC-MAC using an n-bit block cipher is the same as the security of the usual encrypted CBC-MAC using a 2n-bit block cipher. Moreover, this construction adds a negligible computational overhead compared to the cost of a plain, non-randomized CBC-MAC.