The Security of Cipher Block Chaining, 1994
Abstract

Cited by 144 (26 self)
The Cipher Block Chaining Message Authentication Code (CBC MAC) specifies that a message $x = x_1 \cdots x_m$ be authenticated among parties who share a secret key $a$ by tagging $x$ with a prefix of $f^{(m)}_a(x) \stackrel{\mathrm{def}}{=} f_a(f_a(\cdots f_a(f_a(x_1) \oplus x_2) \oplus \cdots \oplus x_{m-1}) \oplus x_m)$, where $f$ is some underlying block cipher (e.g. $f = \mathrm{DES}$). This method is a pervasively used international and U.S. standard. We provide its first formal justification, showing the following general lemma: that cipher block chaining a pseudorandom function gives a pseudorandom function. Underlying our results is a technical lemma of independent interest, bounding the success probability of a computationally unbounded adversary in distinguishing between a random $ml$-bit to $l$-bit function and the CBC MAC of a random $l$-bit to $l$-bit function.
Advanced Networking Laboratory, IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, NY 10598, USA. em...
CBC MAC for Real-Time Data Sources
JOURNAL OF CRYPTOLOGY, 1997
Abstract

Cited by 44 (0 self)
The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an authentication method which is widely used in practice. It is well known that the naive use of CBC MAC for variable-length messages is not secure, and a few rules of thumb for the correct use of CBC MAC are known by folklore. The first rigorous proof of the security of CBC MAC, when used on fixed-length messages, was given only recently by Bellare, Kilian and Rogaway [3]. They also suggested variants of CBC MAC that handle variable-length messages, but in these variants the length of the message has to be known in advance (i.e., before the message is processed). We study CBC authentication of real-time applications in which the length of the message is not known until the message ends, and furthermore, since the application is real-time, it is not possible to start processing the authentication only after the message ends. We first present a variant of CBC MAC, called double MAC (DMAC), which handles messages of variable, unknown lengths. Computing DMAC on a message is virtually as simple and as efficient as computing the standard CBC MAC on the message. We provide a rigorous proof that its security is implied by the security of the underlying block cipher. Next, we argue that the basic CBC MAC is secure when applied to a prefix-free message space. A message space can be made prefix-free by also authenticating the (usually hidden) last character which marks the end of the message.
Lecture Notes on Cryptography, 2001
Abstract

Cited by 17 (0 self)
This is a set of lecture notes on cryptography compiled for 6.87s, a one-week-long course on cryptography taught at MIT by Shafi Goldwasser and Mihir Bellare in the summers of 1996–2001. The notes were formed by merging notes written for Shafi Goldwasser’s Cryptography and Cryptanalysis course at MIT with notes written for Mihir Bellare’s Cryptography and Network Security course at UCSD. In addition, Rosario Gennaro (as Teaching Assistant for the course in 1996) contributed Section 9.6, Section 11.4, Section 11.5, and Appendix D to the notes, and also compiled, from various sources, some of the problems in Appendix E. Cryptography is of course a vast subject. The thread followed by these notes is to develop and explain the notion of provable security and its usage for the design of secure protocols. Much of the material in Chapters 2, 3 and 7 is a result of scribe notes, originally taken by MIT graduate students who attended Professor Goldwasser’s Cryptography and Cryptanalysis course over the years, and later edited by Frank D’Ippolito, who was a teaching assistant for the course in 1991. Frank also contributed much of the advanced number-theoretic material in the Appendix. Some of the material in Chapter 3 is from the chapter on Cryptography, by R. Rivest, in the Handbook of Theoretical Computer Science. Chapters 4, 5, 6, 8 and 10, and Sections 9.5 and 7.4.6, were written by Professor Bellare for his Cryptography and Network Security course at UCSD.
Proofs of security for the Unix password hashing algorithm
Proceedings of Advances in Cryptology—ASIACRYPT 2000, volume 1976 of Lecture, 2000
Abstract

Cited by 10 (0 self)
We give the first proof of security for the full Unix password hashing algorithm (rather than of a simplified variant). Our results show that it is very good at extracting almost all of the available strength from the underlying cryptographic primitive and provide good reason for confidence in the Unix construction.
1 Introduction
This paper examines the security of the Unix password hashing algorithm, the core of the Unix password authentication protocol [14]. Although the algorithm has been conjectured cryptographically secure, after two decades and deployment in millions of systems worldwide it still has not been proven to resist attack. In this paper, we provide the first practical proof of security (under some reasonable cryptographic assumptions) for the Unix algorithm. The hashing algorithm is a fairly simple application of DES, perhaps the best-known block cipher available to the public. Since DES has seen many man-years of analysis, in an ideal world we might hope for a pr...
More Efficient Software Implementations of (Generalized) DES, 1990
Abstract

Cited by 9 (1 self)
By preserving the macro structure of the Data Encryption Standard (DES), but by allowing the user to choose 1. $16 \cdot 48$ independent key bits instead of generating them all using only 56 key bits, 2. arbitrary substitutions $S_1, \ldots, S_8$, 3. arbitrary permutations IP and P, and 4. an arbitrary expanding permutation E, we obtain a very general and presumably much stronger cipher called generalized DES, or GDES for short. A cipher having the first three extensions is called GDES with non-arbitrary E. We choose, in an unorthodox way, from some well-known equivalent representations of GDES and some well-suited table combinations and implementations. Concatenations of substitutions and permutations are precomputed and tabulated. Since direct tabulation of e.g. a permutation of 32 bits requires $2^{32}$ entries of 4 bytes each, which clearly exceeds the main memories of today, the big table is split into smaller ones that permute disjoint and compact parts of the input bits at the...
Hardness Preserving Constructions of Pseudorandom Functions, Revisited
Abstract

Cited by 1 (0 self)
We revisit hardness-preserving constructions of a PRF from any length-doubling PRG when there is a non-trivial upper bound $q$ on the number of queries that the adversary can make to the PRF. Very recently, Jain, Pietrzak, and Tentes (TCC 2012) gave a hardness-preserving construction of a PRF that makes only $O(\log q)$ calls to the underlying PRG when $q = 2^{n^{\epsilon}}$ and $\epsilon \ge 1/2$. This dramatically improves upon the efficiency of the GGM construction. However, they explicitly left open the question of whether such constructions exist when $\epsilon < 1/2$. In this work, we make progress towards answering this question. In particular, we give constructions of PRFs that make only $O(\log q)$ calls to the underlying PRG even when $q = 2^{n^{\epsilon}}$, for $0 < \epsilon < 1/2$. Our constructions present a trade-off between the output length of the PRF and the level of hardness preserved. We obtain our construction through the use of almost $\alpha$-wise independent hash functions coupled with a novel proof strategy.
Proofs of security for the Unix password hashing algorithm
Abstract
We give the first proof of security for the full Unix password hashing algorithm (rather than of a simplified variant). Our results show that it is very good at extracting almost all of the available strength from the underlying cryptographic primitive and provide good reason for confidence in the Unix construction.
1 Introduction
This paper examines the security of the Unix password hashing algorithm, the core of the Unix password authentication protocol [11]. Although the algorithm has been conjectured cryptographically secure, after two decades and deployment in millions of systems worldwide it still has not been proven to resist attack. In this paper, we provide the first practical proof of security (under some reasonable cryptographic assumptions) for the Unix algorithm. The hashing algorithm is a fairly simple application of DES, perhaps the best-known block cipher available to the public. Since DES has seen many man-years of analysis, in an ideal world we might hope for a p...