CBC MACs for arbitrary-length messages: The three-key constructions
Advances in Cryptology – CRYPTO ’00, Lecture Notes in Computer Science, 2000
Cited by 48 (11 self)
Abstract: We suggest some simple variants of the CBC MAC that let you efficiently MAC messages of arbitrary lengths. Our constructions use three keys, K1, K2, K3, to avoid unnecessary padding and MAC any message M ∈ {0,1}* using max{1, ⌈|M|/n⌉} applications of the underlying n-bit block cipher. Our favorite construction, XCBC, works like this: if |M| is a positive multiple of n then XOR the n-bit key K2 with the last block of M and compute the CBC MAC keyed with K1; otherwise, extend M’s length to the next multiple of n by appending minimal 10^i padding (i ≥ 0), XOR the n-bit key K3 with the last block of the padded message, and compute the CBC MAC keyed with K1. We prove the security of this and other constructions, giving concrete bounds on an adversary’s inability to forge in terms of her inability to distinguish the block cipher from a random permutation. Our analysis exploits new ideas which simplify proofs compared to prior work.
Order-Preserving Symmetric Encryption
Cited by 8 (0 self)
Abstract: We initiate the cryptographic study of order-preserving symmetric encryption (OPE), a primitive suggested in the database community by Agrawal et al. (SIGMOD ’04) for allowing efficient range queries on encrypted data. Interestingly, we first show that a straightforward relaxation of standard security notions for encryption such as indistinguishability against chosen-plaintext attack (IND-CPA) is unachievable by a practical OPE scheme. Instead, we propose a security notion in the spirit of pseudorandom functions (PRFs) and related primitives asking that an OPE scheme look “as-random-as-possible” subject to the order-preserving constraint. We then design an efficient OPE scheme and prove its security under our notion based on pseudorandomness of an underlying blockcipher. Our construction is based on a natural relation we uncover between a random order-preserving function and the hypergeometric probability distribution. In particular, it makes black-box use of an efficient sampling algorithm for the latter.
Stronger Security Bounds for OMAC, TMAC and XCBC
2003
Cited by 3 (1 self)
Abstract: OMAC, TMAC and XCBC are CBC-type MAC schemes which are provably secure for arbitrary message length. In this paper, we present a tighter upper bound on the maximum success (forgery) probability of adversaries. Our bounds are expressed in terms of the total length of all queries of an adversary to the MAC generation oracle, while the previous bounds are expressed in terms of the maximum length of each query. In particular, a significant improvement occurs if the lengths of queries are heavily unbalanced.
On the Privacy of Concealed Data Aggregation
Cited by 2 (1 self)
Abstract: A formal treatment of the privacy of concealed data aggregation (CDA) is given. While there exist a handful of constructions, rigorous security models and analyses for CDA are still lacking. Standard security notions for public key encryption schemes, including semantic security and indistinguishability against chosen ciphertext attacks, are refined to cover the multi-sender nature and aggregation functionality of CDA in the security model. A generic CDA construction based on public key homomorphic encryption is given, along with a proof of its security in the proposed model. The security of two existing schemes is also analyzed in the proposed model.
Comparison of CBC MAC variants and comments on NIST’s consultation paper
Comments to NIST, 2003
Cited by 1 (0 self)
Abstract: In this note, we present a comparison of the following CBC MAC variants:
• RMAC by Jaulmes, Joux and Valette [9, 10, 5, 6],
• EMAC from ISO 9797-1 [1, 13],
• XCBC by Black and Rogaway [3, 4],
• TMAC by Kurosawa and Iwata [12], and
• OMAC by Iwata and Kurosawa [7].
We consider two RMACs. One is RMAC defined in NIST’s draft [5], which we write RMAC1, with parameter set IV or V, where AES is used as the underlying block cipher, and uses a nonce R. The other one is RMAC mode 2 stated in NIST’s consultation paper [6], which we write RMAC2, where AES128 is used to compute the CBC MAC tag, AES256 is used to encrypt it, and uses a nonce R. We write RMAC to mean both RMAC1 and RMAC2.
On the (Im)possibility of Aggregate Message Authentication Codes
Cited by 1 (0 self)
Abstract: In data aggregation, multiple source nodes send their data to a sink along a concast tree with aggregation done en route so that the sink can obtain the aggregate (which could be the sum, average, etc.) of all these data. End-to-end privacy and aggregate integrity are the two main goals of secure data aggregation. While the privacy goal has been widely studied, providing end-to-end aggregate integrity in the presence of possibly compromised aggregating nodes remains largely an open problem. Message Authentication Codes (MAC) are commonly used to provide end-to-end data integrity in two party settings. Natural extensions of MAC for the data aggregation scenario are considered. It is shown that a straightforward and intuitive refinement of the MAC security model (for the data aggregation setting) is not achievable. A weaker security notion is proposed; whether this notion is achievable remains unclear.
On the Compression of Cryptographic Keys
Abstract: Any secured system can be modeled as a capability-based access control system in which each user is given a set of secret keys of the resources he is granted access to. In some large systems with resource-constrained devices, such as sensor networks and RFID systems, the design is sensitive to memory or key storage cost. With the goal of minimizing the maximum key storage per user, key compression based on key linking, that is, deriving one key from another without compromising security, is studied. A lower bound on the key storage needed for a general access structure with key derivation is derived. This bound demonstrates the theoretical limit of any system which does not trade off security and can be treated as a negative result that provides grounds for designs with a security tradeoff. A concrete, provably secure key linking scheme based on pseudorandom functions is given. Using the key linking framework, a number of key predistribution schemes in the literature are analyzed.
Cryptographic Defence against Misbehaving TCP Receivers
Abstract: The congestion control algorithm in TCP relies on correct feedback from the receiver to determine the rate at which packets should be sent into the network. Hence, correct receiver feedback (in the form of acknowledgements in TCP) is essential to the goal of sharing the scarce bandwidth resources fairly and avoiding congestion collapse in the Internet. However, the assumption that a TCP receiver can always be trusted (to generate feedback correctly) no longer holds, as there are plenty of incentives for a receiver to deviate from the protocol. In fact, it has been shown that a misbehaving receiver (whose aim is to bring about congestion collapse) can easily generate acknowledgements to conceal loss and drive a number of honest, innocent senders arbitrarily fast, creating a significant number of non-responsive packet flows and leading to denial of service for other Internet users. We give two efficient, provably secure mechanisms to force a receiver to generate feedback correctly; any incorrect acknowledgement will be detected at the sender. The first scheme is based on an ideal cryptographic hash, and the second one on aggregate authenticators. We also show variants of the second scheme which can (partially) solve the problem of man-in-the-middle attacks, which was not achievable previously.