Authenticated encryption: Relations among notions and analysis of the generic composition paradigm (2000)
Cited by 281 (25 self)
New proofs for NMAC and HMAC: Security without collision-resistance (2006)
Cited by 113 (9 self)
HMAC was proved in [3] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collision-resistant. However, recent attacks show that assumption (2) is false for MD5 and SHA-1, removing the proof-based support for HMAC in these cases. This paper proves that HMAC is a PRF under the sole assumption that the compression function is a PRF. This recovers a proof-based guarantee since no known attacks compromise the pseudorandomness of the compression function, and it also helps explain the resistance to attack that HMAC has shown even when implemented with hash functions whose (weak) collision resistance is compromised. We also show that an even weaker-than-PRF condition on the compression function, namely that it is a privacy-preserving MAC, suffices to establish HMAC is a secure MAC as long as the hash function meets the very weak requirement of being computationally almost universal, where again the value lies in the fact that known
Tweakable Blockciphers with Beyond Birthday-Bound Security
Cited by 10 (1 self)
Liskov, Rivest and Wagner formalized the tweakable blockcipher (TBC) primitive at CRYPTO'02. The typical recipe for instantiating a TBC is to start with a blockcipher, and then build up a construction that admits a tweak. Almost all such constructions enjoy provable security only to the birthday bound, and the one that does achieve security beyond the birthday bound (due to Minematsu) severely restricts the tweak size and requires per-invocation blockcipher rekeying. This paper gives the first TBC construction that simultaneously allows for arbitrarily "wide" tweaks, does not rekey, and delivers provable security beyond the birthday bound. Our construction is built from a blockcipher and an ε-AXU2 hash function. As an application of the TBC primitive, LRW suggest the TBC-MAC construction (similar to CBC-MAC but chaining through the tweak), but leave open the question of its security. We close this question, both for TBC-MAC as a PRF and a MAC. Along the way, we find a nonce-based variant of TBC-MAC that has a tight reduction to the security of the underlying TBC, and also displays graceful security degradation when nonces are misused. This result is interesting on its own, but it also serves as an application of our new TBC construction, ultimately giving a variable input-length PRF with beyond-birthday-bound security.
Pseudo-Random Functions and Parallelizable Modes of Operations of a Block Cipher
Cited by 9 (4 self)
This paper considers the construction and analysis of pseudorandom functions (PRFs) with specific reference to modes of operations of a block cipher. In the context of message authentication codes (MACs), earlier independent work by Bernstein and Vaudenay shows how to reduce the analysis of relevant PRFs to some probability calculations. In the first part of the paper, we revisit this result and use it to prove a general result on constructions which use a PRF with a "small" domain to build a PRF with a "large" domain. This result is used to analyse two new parallelizable PRFs which are suitable for use as MAC schemes. The first scheme, called iPMAC, is based on a block cipher and improves upon the well-known PMAC algorithm. The improvements consist in faster masking operations and the removal of a design-stage discrete logarithm computation. The second scheme, called VPMAC, uses a keyed compression function rather than a block cipher. The only previously known compression-function-based parallelizable PRF is called the protected counter sum (PCS) and is due to Bernstein. VPMAC improves upon PCS by requiring a smaller number of calls to the compression function. The second part of the paper takes a new look at the construction and analysis of modes of operations for authenticated encryption (AE) and for authenticated encryption with associated data (AEAD). Usually, the most complicated part in the security analysis of such modes is the analysis of authentication
A Note on the CLRW2 Tweakable Block Cipher Construction. Cryptology ePrint Archive (2014)
Cited by 5 (0 self)
In this note, we describe an error in the proof for CLRW2 given by Landecker et al. in their paper at CRYPTO 2012 on the beyond-birthday-bound security for tweakable block ciphers. We are able to resolve the issue, give a new bound for the security of CLRW2, and identify a potential limitation of this proof technique when looking to extend the scheme to provide asymptotic security.
Security proofs for the MD6 hash function mode of operation. Master's thesis, MIT EECS Department (2008)
Cited by 5 (2 self)
In recent years there have been a series of serious and alarming cryptanalytic attacks on several commonly-used hash functions, such as MD4, MD5, SHA-0, and SHA-1 [13, 38]. These culminated with the celebrated work of Wang, Yin, and Yu from 2005, which demonstrated relatively efficient methods for finding collisions in the SHA-1 hash function [37]. Although there are several cryptographic hash functions such as the SHA-2 family [28] that have not yet succumbed to such attacks, the U.S. National Institute of Standards and Technology (NIST) put out a call in 2007 for candidate proposals for a new cryptographic hash function family, to be dubbed SHA-3 [29]. Hash functions are algorithms for converting an arbitrarily large input into a fixed-length message digest. They are typically composed of a compression function or block cipher that operates on fixed-length pieces of the input and a mode of operation that governs how to apply the compression function or block cipher repeatedly on these pieces in order to allow for arbitrary-length inputs. Cryptographic hash functions are furthermore required to have several important and stringent security properties
The exact PRF-security of NMAC and HMAC. In Advances in Cryptology – CRYPTO 2014 (2014)
Cited by 4 (1 self)
NMAC is a mode of operation which turns a fixed input-length keyed hash function f into a variable input-length function. A practical single-key variant of NMAC called HMAC is a very popular and widely deployed message authentication code (MAC). Security proofs and attacks for NMAC can typically be lifted to HMAC. NMAC was introduced by Bellare, Canetti and Krawczyk [Crypto'96], who proved it to be a secure pseudorandom function (PRF), and thus also a MAC, assuming that (1) f is a PRF and (2) the function we get when cascading f is weakly collision-resistant. Unfortunately, HMAC is typically instantiated with cryptographic hash functions like MD5 or SHA-1 for which (2) has been found to be wrong. To restore the provable guarantees for NMAC, Bellare [Crypto'06] showed its security based solely on the assumption that f is a PRF, albeit via a non-uniform reduction.
– Our first contribution is a simpler and uniform proof: If f is an ε-secure PRF (against q queries) and a δ-non-adaptively secure PRF (against q queries), then NMAC_f is an (ε + ℓqδ)-secure PRF against q queries of length at most ℓ blocks each.
– We then show that this ε + ℓqδ bound is basically tight. For the most interesting case where ℓqδ ≥ ε we prove this by constructing an f for which an attack with advantage ℓqδ exists. This also violates the bound O(ℓε) on the PRF-security of NMAC recently claimed by Koblitz and Menezes.
– Finally, we analyze the PRF-security of a modification of NMAC called NI [An and Bellare, Crypto'99] that differs mainly by using a compression function with an additional keying input. This avoids the constant rekeying on multi-block messages in NMAC and allows for a security proof starting by the standard switch from a PRF to a random function, followed by an information-theoretic analysis. We carry out such an analysis, obtaining a tight ℓq²/2^c bound for this step, improving over the trivial bound of ℓ²q²/2^c. The proof borrows combinatorial techniques originally developed for proving the security of CBC-MAC [Bellare et al., Crypto'05]. We also analyze a variant of NI that does not include the message length in the last call to the compression function, proving a ℓ^(1+o(1))q²/2^c bound in this case.
The MD6 hash function: A proposal to NIST for SHA-3 (2008)
Cited by 3 (1 self)
This report describes and analyzes the MD6 hash function and is part of our submission package for MD6 as an entry in the NIST SHA-3 hash function competition. Significant features of MD6 include:
• Accepts input messages of any length up to 2^64 − 1 bits, and produces message digests of any desired size from 1 to 512 bits, inclusive, including
A Synopsis of Format-Preserving Encryption. Unpublished manuscript (2010)
Cited by 2 (0 self)
Format-preserving encryption (FPE) encrypts a plaintext of some specified format into a ciphertext of the same format—for example, encrypting a social-security number into a social-security number. In this survey we describe FPE and review known techniques for achieving it. These include FFX, a recent proposal made to NIST.
On the Security of the CCM Encryption Mode and of a Slight Variant
Cited by 2 (0 self)
In this paper, we present an analysis of the CCM mode of operation and of a slight variant. CCM is a simple and efficient encryption scheme which combines a CBC-MAC authentication scheme with the counter mode of encryption. It is used in several standards. Despite some criticisms (mainly that this mode is not online, and requires non-repeating nonces), it has nice features that make it worth studying. One important fact is that, while the privacy of CCM is provably guaranteed up to the birthday paradox, the authenticity of CCM seems to be guaranteed beyond that. There is a proof by Jonsson up to the birthday paradox bound, but going beyond it seems to be out of reach with current techniques. Nevertheless, by using pseudorandom functions and not permutations in the counter mode and an authentication key different from the privacy key, we prove security beyond the birthday paradox. We also wonder if the main criticisms against CCM can be avoided: what is the security of the CCM mode when the nonces can be repeated, and when the length of the associated data or the message length is omitted to make CCM online. We show generic attacks against authenticity in these cases. The complexity of these attacks is under the birthday paradox bound. It shows that the lengths of the associated data and the message, as well as nonces that do not repeat, are important elements of the security of CCM and cannot be avoided without significantly decreasing the security. Keywords: CCM, CBC-MAC, Counter mode