Results 1 - 10 of 16
CBC MACs for arbitrary-length messages: The three-key constructions
Advances in Cryptology – CRYPTO ’00, Lecture Notes in Computer Science, 2000
Cited by 82 (19 self)
Abstract. We suggest some simple variants of the CBC MAC that let you efficiently MAC messages of arbitrary lengths. Our constructions use three keys, K1, K2, K3, to avoid unnecessary padding and MAC any message M ∈ {0,1}* using max{1, ⌈M/n⌉} applications of the underlying n-bit block cipher. Our favorite construction, XCBC, works like this: if M is a positive multiple of n then XOR the n-bit key K2 with the last block of M and compute the CBC MAC keyed with K1; otherwise, extend M’s length to the next multiple of n by appending minimal 10^i padding (i ≥ 0), XOR the n-bit key K3 with the last block of the padded message, and compute the CBC MAC keyed with K1. We prove the security of this and other constructions, giving concrete bounds on an adversary’s inability to forge in terms of her inability to distinguish the block cipher from a random permutation. Our analysis exploits new ideas which simplify proofs compared to prior work.
OMAC: One-Key CBC MAC
Pre-proceedings of Fast Software Encryption, FSE 2003, 2002
Cited by 28 (6 self)
In this paper, we present One-key CBC MAC (OMAC) and prove its security for arbitrary length messages. OMAC takes only one key, K (k bits) of a block cipher E. Previously, XCBC requires three keys, (k + 2n) bits in total, and TMAC requires two keys, (k + n) bits in total, where n denotes the block length of E.
SECURITY AND COOPERATION IN WIRELESS NETWORKS - Thwarting Malicious and Selfish Behavior in the Age of Ubiquitous Computing
2007
Efficient Cryptographic Protocols Preventing “Man-in-the-Middle” Attacks
COLUMBIA UNIVERSITY, 2002
Cited by 15 (2 self)
In the analysis of many cryptographic protocols, it is useful to distinguish two classes of attacks: passive attacks in which an adversary eavesdrops on messages sent between honest users and active attacks (i.e., “man-in-the-middle” attacks) in which — in addition to eavesdropping — the adversary inserts, deletes, or arbitrarily modifies messages sent from one user to another. Passive attacks are well characterized (the adversary’s choices are inherently limited) and techniques for achieving security against passive attacks are relatively well understood. Indeed, cryptographers have long focused on methods for countering passive eavesdropping attacks, and much work in the 1970’s and 1980’s has dealt with formalizing notions of security and providing provably-secure solutions for this setting. On the other hand, active attacks are not well characterized and precise modeling has been difficult. Few techniques exist for dealing with active attacks, and designing practical protocols secure against such attacks remains a challenge. This dissertation considers active attacks in a variety of settings and provides new, provably-secure protocols preventing such attacks. Proofs of security are in the standard cryptographic model and rely on well-known cryptographic assumptions. The protocols presented here are efficient and
A Suggestion for Handling Arbitrary-Length Messages with the CBC MAC
2000
Cited by 9 (0 self)
Introduction. The CBC MAC is the customary way to make a message authentication code (MAC) from a block cipher. It is the subject of several standards, including [1, 5, 6]. It is well-known and well-understood. Given all this, it seems likely that the CBC MAC will be standardized as an AES mode of operation. In this note we suggest a nice version of the CBC MAC that one might select for this purpose. We recall that the CBC MAC actually comes in a number of different versions. These versions differ in details involving padding (what to do when a message is not a nonzero multiple of the block length), length-variability (how to properly authenticate messages that come in a variety of lengths), and key-search strengthening (making the mode more secure against key-search attacks). Our CBC MAC variant is described in [4], where it is called XCBC. Let us now review this MAC's definition, as well as the definition for
Stronger Security Bounds for OMAC, TMAC and XCBC
2003
Cited by 4 (1 self)
OMAC, TMAC and XCBC are CBC-type MAC schemes which are provably secure for arbitrary message length. In this paper, we present a more tight upper bound on denotes the maximum success (forgery) probability of adversaries. Our bounds are expressed in terms of the total length of all queries of an adversary to the MAC generation oracle while the previous bounds are expressed in terms of the maximum length of each query. In particular, a significant improvement occurs if the lengths of queries are heavily unbalanced.
TMAC: Two-Key CBC MAC
2002
Cited by 3 (0 self)
In this paper, we propose TMAC, Two-Key CBC Message Authentication Code. TMAC is a refinement of XCBC (which is a variant of CBC MAC) shown by Black and Rogaway. We use only (k + n)-bit key for TMAC while XCBC uses (k + 2n)-bit key, where k is the key length of the underlying block cipher and n is its block length. The cost for reducing the size of secret keys is almost negligible; only one shift and one conditional XOR. Similarly to XCBC, our algorithm correctly and efficiently handles messages of arbitrary bit length.
On The Security of Two New OMAC Variants
2003
Cited by 1 (1 self)
Abstract. OMAC is a provably secure MAC scheme which NIST currently intends to specify as the modes recommendation. In August 2003, Mitchell proposed two variants of OMAC. We call them OMAC1′ and OMAC1″. In this paper, we prove that: – OMAC1′ is completely insecure. There are forgery attacks by using only one oracle query, and – OMAC1″ is less secure than original OMAC1. We show a security gap between them. As a result, we obtain a negative answer to Mitchell’s open question — OMAC1′ and OMAC1″ are not provably secure even if the underlying block cipher is a PRP.
Correction
2003
we wrote that Mitchell proposed two new variants of OMAC, OMAC1′ and OMAC1″. In this paper, we correct this sentence as follows. Mitchell proposed a new variant of OMAC (not two variants). Mitchell recently informed us that he proposes only OMAC1 in his paper. We now agree this after careful reading of his paper. Earlier, we thought that the first paragraph of [12, Sect. 5.4] is OMAC1′ and the second paragraph is OMAC1″. Abstract. OMAC is a provably secure MAC scheme which NIST currently intends to specify as the modes recommendation. In August 2003, Mitchell proposed a variant of OMAC. We call it OMAC1″. In this paper, we prove that OMAC1″ is less secure than original OMAC1. We show a security gap between them. As a result, we obtain a negative answer to Mitchell’s open question — OMAC1″ is not provably secure even if the underlying block cipher is a PRP.