## A Block-Cipher Mode of Operation for Parallelizable Message Authentication (2002)

Venue: Advances in Cryptology - EUROCRYPT 2002. Lecture Notes in Computer Science

Citations: 58 (7 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Black02ablock-cipher,
  author    = {John Black and Phillip Rogaway},
  title     = {A Block-Cipher Mode of Operation for Parallelizable Message Authentication},
  booktitle = {Advances in Cryptology - EUROCRYPT 2002. Lecture Notes in Computer Science},
  year      = {2002},
  pages     = {384--397},
  publisher = {Springer-Verlag}
}
```

### Abstract

We define and analyze a simple and fully parallelizable block-cipher mode of operation for message authentication. Parallelizability does not come at the expense of serial efficiency: in a conventional, serial environment, the algorithm's speed is within a few percent of the (inherently sequential) CBC MAC. The new mode, PMAC, is deterministic, resembles a standard mode of operation (and not a Carter-Wegman MAC), works for strings of any bit length, employs a single block-cipher key, and uses just max{1, ⌈|M|/n⌉} block-cipher calls to MAC a string M ∈ {0,1}* using an n-bit block cipher. We prove PMAC secure, quantifying an adversary's forgery probability in terms of the quality of the block cipher as a pseudorandom permutation.

Key words: block-cipher modes, message authentication codes, modes of operation, provable security.

### Citations

477 | Keying hash functions for message authentication
- Bellare, Canetti, et al.
- 1996
Citation context: ...gery probability in terms of the quality of the block cipher as a pseudorandom permutation. 1 Introduction. Background. Many popular message authentication codes (MACs), like the CBC MAC [17] and HMAC [1], are inherently sequential: one cannot process the i-th message block until all previous message blocks have been processed. This serial bottleneck becomes increasingly an issue as commodity processo...

193 | The security of the cipher block chaining message authentication code
- Bellare, Kilian, et al.
- 2000
Citation context: ...s to generically construct a more parallelizable MAC from an arbitrary one. For example, one could begin with breaking the message M[1] · · · M[2m] into M′ = M[1]M[3] · · · M[2m − 1] and M′′ = M[2]M[4] · · · M[2m] then separately MAC each half. But such an approach requires one to anticipate the maximal amount of parallelism one aims to extract. In the current work we are instead interested in full...

122 | XOR MAC’s: New methods for message authentication using finite pseudorandom functions
- Bellare, Guerin, et al.
- 1995
Citation context: ... to the design of such an MAC. One is to generically construct a more parallelizable MAC from an arbitrary one. For example, one could begin with breaking the message M[1] · · · M[2m] into M′ = M[1]M[3] · · · M[2m − 1] and M′′ = M[2]M[4] · · · M[2m] then separately MAC each half. But such an approach requires one to anticipate the maximal amount of parallelism one aims to extract. In the current wo...

118 | LFSR based hashing and authentication
- Krawczyk
- 1994

111 | UMAC: Fast and secure message authentication
- Black, Halevi, et al.
- 1999
Citation context: ...sted are fully parallelizable. This approach is elegant and can lead to a nice MAC, but constructions for fast universal hash-functions have proven to be quite complex to specify or to implement well [7, 9], and may be biased either towards hardware or towards software. Twenty years after the paradigm was introduced, we still do not know of a single Carter-Wegman MAC that actually gets used. So the curr...

106 | Encryption modes with almost free message integrity
- Jutla
- 2001

84 | Universal hash functions
- Carter, Wegman
- 1979
Citation context: ... interested in fully parallelizable MACs: the amount of parallelism that can be extracted is effectively unbounded. One idea for making a fully parallelizable MAC is to use the Carter-Wegman paradigm [13, 23], as in [12, 16, 19], making sure to select a universal hash-function family that is fully parallelizable. In fact, most universal hash functions that have been suggested are fully parallelizable. This...

65 | CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions
- Black, Rogaway
- 2000
Citation context: ...as to be included). PMAC. Unlike the XOR MAC, our new algorithm, PMAC, doesn’t waste any block-cipher invocations because of block-indices (nor for a counter or random values). Also, in the spirit of [11], we optimally deal with short final blocks; we correctly MAC messages of arbitrary and varying bit lengths. The result is that PMAC makes do with just ⌈|M|/n⌉ block-cipher calls to MAC a nonempty mes...

62 | Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography
- Bellare, Rogaway
- 2000
Citation context: ... i − |x| + 1 bits], where |M| ≥ i + |x| − 1). For each operation it is easy to see how to update the MAC of M in time proportional to |x|, ∆, or |x|, respectively. PMAC is parsimonious, as defined in [5]. Partition M into M[1] · · · M[m] and assume |M| ≥ n and τ = n. For i ∈ [1..m] such that |M[i]| = n, there is a simple algorithm to recover M[i] from K, M′ = M[1] · · · M[i − 1] M[i + 1] · · · M[m],...

59 | Fast encryption and authentication: XCBC encryption and XECB authentication modes
- Gligor, Donescu
Citation context: ...er versions of this writeup were submitted to NIST and posted to their website (Oct 2000, Apr 2001). Additional related work. Building on [3], Gligor and Donescu describe a MAC they call the XECB MAC [14]. That MAC is not deterministic, it uses more block-cipher invocations, and it was not designed for messages of arbitrary bit length. But, like PMAC, it goes beyond the XOR MAC by combining a message ...

40 | MMH: Software message authentication in the Gbit/second rates
- Halevi, Krawczyk
- 1997

35 | Incremental cryptography and application to virus protection
- BELLARE, GOLDREICH, et al.
- 1995
Citation context: ...s still used as a key. Normally such “lazy key-derivation” would get one into trouble, in proofs if nothing else. For PMAC we prove that this form of lazy key-derivation works fine. [Fig. 2: the PMAC diagram; blocks M[1] · · · M[m] are masked with γi · L, enciphered under EK to Y[i], and XORed into Σ, with the last block padded and masked by 0^n if |M[m]| < n or by L · x^−1 if |M[m]| = n]

35 | On computationally secure authentication tags requiring short secret shared keys. In D. Chaum, R. L. Rivest, and A. T. Sherman
- Brassard
- 1983
Citation context: ...ully parallelizable MACs: the amount of parallelism that can be extracted is effectively unbounded. One idea for making a fully parallelizable MAC is to use the Carter-Wegman paradigm [13, 23], as in [12, 16, 19], making sure to select a universal hash-function family that is fully parallelizable. In fact, most universal hash functions that have been suggested are fully parallelizable. This approach is elegant...

28 | Floating-point arithmetic and message authentication
- Bernstein
- 2004
Citation context: ...sted are fully parallelizable. This approach is elegant and can lead to a nice MAC, but constructions for fast universal hash-functions have proven to be quite complex to specify or to implement well [7, 9], and may be biased either towards hardware or towards software. Twenty years after the paradigm was introduced, we still do not know of a single Carter-Wegman MAC that actually gets used. So the curr...

2 | Integrity primitives for secure information systems, Final report of RACE integrity primitives evaluation
- Berendschot, Boer, et al.
- 1995
Citation context: ... that even the traditional CBC MAC uses between one and four additional block-cipher calls, as well as additional key material, once it has been enriched to take care of messages of arbitrary lengths [6, 11, 17, 21]. Of course avoiding this overhead doesn’t matter much on long messages, but it is significant on short ones. And in many environments, short messages are common. We prove PMAC secure, in the sense of...

1 | Available at URL www-cse.ucsd.edu/users/mihir [2]
- Bellare, Goldwasser, et al.
- 1996

1 | Available at URL www.cs.ucdavis.edu/~rogaway [4]
- Bellare, Kilian, et al.
- 1995

1 | Available at URL www.cs.ucdavis.edu/~rogaway [6]
- Berendschot, Boer, et al.
- 2000

1 | Available at URL cr.yp.to/djb.html [9]
- Black, Halevi, et al.
- 1999

1 | Available at URL www.cs.ucdavis.edu/~rogaway [12]
- Brassard
- 2000

1 | 2001. Further information available at www.tcs.hut.fi/~helger; [21] E. Petrank and C. Rackoff, CBC MAC for real-time data sources
- Lipmaa
- 2001

1 | http://www-cse.ucsd.edu/users/mihir/ [2]
- Bellare, Goldwasser, et al.
- 1996

1 | http://www.cs.ucdavis.edu/~rogaway/ [4]
- Springer-Verlag, Ed
- 1995

1 | Available from http://www.cs.ucdavis.edu/~rogaway/ [6]
- Okamoto, ed
- 2000

1 | http://cr.yp.to/djb.html [8]
- Black, Rogaway
- 1999

1 | Full version of paper from Advances in Cryptology -- CRYPTO 2000
- Black, Halevi, et al.
- 2000