Results 1 
3 of
3
On the Security of Randomized CBCMAC Beyond the Birthday Paradox Limit  A New Construction
 Fast Software Encryption ’02, Lecture Notes in Computer Science
, 2001
"... . In this paper, we study the security of randomized CBC{MACs and propose a new construction that resists birthday paradox attacks and provably reaches full security. The proof is done in a new security model that may be of independent interest to study the security of randomized functions. The size ..."
Abstract

Cited by 27 (1 self)
 Add to MetaCart
. In this paper, we study the security of randomized CBC{MACs and propose a new construction that resists birthday paradox attacks and provably reaches full security. The proof is done in a new security model that may be of independent interest to study the security of randomized functions. The size of the MAC tags in this construction is optimal, i.e., exactly twice the size of the block cipher. Up to a constant, the security of the proposed randomized CBC{MAC using an n{bit block cipher is the same as the security of the usual encrypted CBC{MAC using a 2n{bit block cipher. Moreover, this construction adds a negligible computational overhead compared to the cost of a plain, nonrandomized CBC{MAC. 1
Improving the Security of MACs via Randomized Message Preprocessing
, 2007
"... “Hash then encrypt ” is a popular approach to message authentication: first the message is hashed down using an εuniversal hash function, and then the resulting kbit value is encrypted, say with a blockcipher. The security of this scheme is proportional to εq 2, where q is the number of MACs the ..."
Abstract
 Add to MetaCart
“Hash then encrypt ” is a popular approach to message authentication: first the message is hashed down using an εuniversal hash function, and then the resulting kbit value is encrypted, say with a blockcipher. The security of this scheme is proportional to εq 2, where q is the number of MACs the adversary can request. As ε is at least 2 −k, the best one can hope for is O(q 2 /2 k) security. Unfortunately, such small ε is not achieved by simple constructions used in practice, such as the polynomial evaluation or the MerkleDamg˚ard construction, where ε grows with the message length L. The main insight of this work comes from the fact that, by using randomized message preprocessing via a short random salt p, we can use the “hash then encrypt ” paradigm with suboptimal “practical ” εuniversal hash functions, and still improve its exact security to optimal O(q 2 /2 k). Specifically, by using at most an O(log L)bit salt p, one can always regain the optimal exact security O(q 2 /2 k), even in situations where ε grows polynomially with L. We also give very simple preprocessing maps for the “suboptimal ” hash functions used in practice, namely polynomial evaluation and the MerkleDamg˚ard construction.
Improving the Security of MACs via Randomized Message Preprocessing
, 2007
"... Abstract "Hash then encrypt " is a popular approach to message authentication: first the message ishashed down using an "universal hash function, and then the resulting kbit value is encrypted,say with a blockcipher. The security of this scheme is proportional to &q ..."
Abstract
 Add to MetaCart
Abstract &quot;Hash then encrypt &quot; is a popular approach to message authentication: first the message ishashed down using an &quot;universal hash function, and then the resulting kbit value is encrypted,say with a blockcipher. The security of this scheme is proportional to &quot;q2, where q is thenumber of MACs the adversary can request. As &quot; is at least 2k, the best one can hope for is O(q2/2k) security. Unfortunately, such small &quot; is not achieved by simple constructions used inpractice, such as the polynomial evaluation or the MerkleDamg*ard construction, where &quot; growswith the message length L.The main insight of this work comes from the fact that, by using randomized message preprocessing via a short random salt p, we can use the &quot;hash then encrypt &quot; paradigm with suboptimal&quot;practical&quot; &quot;universal hash functions, and still improve its exact security to optimal O(q2/2k).Specifically, by using at most an O(log L)bit salt p, one can always regain the optimal exact security O(q2/2k), even in situations where &quot; grows polynomially with L. We also give very simplepreprocessing maps for the &quot;suboptimal &quot; hash functions used in practice, namely polynomial