## The chain sum primitive and its applications to MACs and stream ciphers (1998)

Venue: | in (K. Nyberg, Ed) Advances in Cryptology | Proc. EUROCRYPT '98, Lecture Notes in Computer Science 1403 |

Citations: | 5 - 0 self |

### BibTeX

@INPROCEEDINGS{Jakubowski98thechain,

author = {Mariusz Jakubowski and Ramarathnam Venkatesan},

title = {The chain sum primitive and its applications to MACs and stream ciphers},

booktitle = {in (K. Nyberg, Ed) Advances in Cryptology | Proc. EUROCRYPT '98, Lecture Notes in Computer Science 1403},

year = {1998},

pages = {281--293},

publisher = {Society}

}

### OpenURL

### Abstract

We present a new scheme called universal block chaining with sum (or chain & sum primitive (C&S) for short), and show its application to the problem of combined encryption and authentication of data. The primitive is a weak CBC-type encryption along with a summing step, and can be used as a front end to stream ciphers to encrypt pages or blocks of data (e.g., in an encrypted file system or in a video stream). Under standard assumptions, the resulting encryption scheme provably acts as a random permutation on the blocks, and has message integrity features of standard CBC encryption. The primitive also yields a very fast message authentication code (MAC), which is a multivariate polynomial evaluation hash. The multivariate feature and the summing aspect are novel parts of the design. Our tests show that the chain & sum primitive adds approximately 20 percent overhead to the fastest stream ciphers. 1

### Citations

500 | Keying hash functions for message authentication
- Bellare, Canetti, et al.
- 1996
(Show Context)
Citation Context ... model. However, CBC is very slow in software; in the applications mentioned earlier, CBC leads to an unacceptable performance hit. Another approach is to use collision-resistant hash functions (see (=-=[3]-=- for techniques and references). However, our schemes are faster than those methods; in addition, such methods do not offer a way to add local integrity at block level and to enhance the security of t... |

348 |
New hash functions and their use in authentication and set equality
- Wegman, Carter
- 1981
(Show Context)
Citation Context ..., such methods do not offer a way to add local integrity at block level and to enhance the security of the stream cipher, as our scheme does. Universal hash constructions are due to Carter and Wegman =-=[16]-=-, and were used by Krawczyk [10], Rogaway [14], Shoup [15] and Halevi and Krawczyk [9]. Shoup's paper gives a comprehensive survey of all technical definitions needed here. Our contributions: We intro... |

155 | The security of cipher block chaining
- Bellare, Kilian, et al.
- 1994
(Show Context)
Citation Context ...etailed version of this paper will be available from the authors, or at http://www.cs.princeton.edu/~mj/. Prior Work: One commonly uses a block cipher in CBC mode, which has been recently analyzed in =-=[5]-=- and shown to be secure in the ideal cipher model. However, CBC is very slow in software; in the applications mentioned earlier, CBC leads to an unacceptable performance hit. Another approach is to us... |

134 |
LFSR-based Hashing and Authentication
- Krawczyk
(Show Context)
Citation Context ...y to add local integrity at block level and to enhance the security of the stream cipher, as our scheme does. Universal hash constructions are due to Carter and Wegman [16], and were used by Krawczyk =-=[10]-=-, Rogaway [14], Shoup [15] and Halevi and Krawczyk [9]. Shoup's paper gives a comprehensive survey of all technical definitions needed here. Our contributions: We introduce a new method for combining ... |

126 | XOR MACs: new methods for message authentication using block ciphers
- Bellare, GuÂ¶erin, et al.
- 1995
(Show Context)
Citation Context ...as e m X k=0 ff k+1 ffi 2m\Gamma2k + ce 0 m X k=0 ff k ffi 2m\Gamma2k+1 =\Omega (3) where the values of\Omega and ffi i ; 0sism, are fixed. We may represent eq. 3 as eP 1 (ff) + ce 0 P 2 (ff) =\Omega =-=(4)-=- where the polynomials P 1 and P 2 correspond to the summations in eq. 3. For technical reasons mentioned later, we assume that our choice of ff satisfies P 3 (ff) = ff m+1 \Gamma 1 6= 0. In addition,... |

74 | On fast and provably secure message authentication based on universal hashing
- Shoup
- 1996
(Show Context)
Citation Context ...t block level and to enhance the security of the stream cipher, as our scheme does. Universal hash constructions are due to Carter and Wegman [16], and were used by Krawczyk [10], Rogaway [14], Shoup =-=[15]-=- and Halevi and Krawczyk [9]. Shoup's paper gives a comprehensive survey of all technical definitions needed here. Our contributions: We introduce a new method for combining encryption and authenticat... |

55 | Bucket hashing and its application to fast message authentication
- Rogaway
- 1995
(Show Context)
Citation Context ... integrity at block level and to enhance the security of the stream cipher, as our scheme does. Universal hash constructions are due to Carter and Wegman [16], and were used by Krawczyk [10], Rogaway =-=[14]-=-, Shoup [15] and Halevi and Krawczyk [9]. Shoup's paper gives a comprehensive survey of all technical definitions needed here. Our contributions: We introduce a new method for combining encryption and... |

51 | MMH: Software message authentication in the Gbit/second rates
- Halevi, Krawczyk
- 1997
(Show Context)
Citation Context ...the security of the stream cipher, as our scheme does. Universal hash constructions are due to Carter and Wegman [16], and were used by Krawczyk [10], Rogaway [14], Shoup [15] and Halevi and Krawczyk =-=[9]-=-. Shoup's paper gives a comprehensive survey of all technical definitions needed here. Our contributions: We introduce a new method for combining encryption and authentication, which also has the bene... |

43 | Fast Hash on the Pentium
- Bosselaers, Govaerts, et al.
- 1996
(Show Context)
Citation Context ...at ffi i are fixed for 0sisn. Since P 3 (ff) 6= 0, we can pick b and d to satisfy yn = \Psi as follows. By eq. 2, we have yn = m X k=0 ff k (d + bc) + C (6) = (d + bc) ff m+1 \Gamma 1 ff \Gamma 1 + C =-=(7)-=- where C is a constant. Thus, if ff m+1 \Gamma 1 6= 0, we can choose values of b and d to set yn to any value. It is easily seen that the choices we made for the values of the parameters will occur wi... |

40 |
On Computationally Secure Authentication Tags Requiring Short Secret Shared Keys
- Brassard
- 1983
(Show Context)
Citation Context ...s of yn and y 0 n are strongly correlated with those of c n\Gamma1 and c 0 n\Gamma1 : Pr[cn = c 0 n jc n\Gamma1 = c 0 n\Gamma1 ; ffi n = 0] = Pr[cn\Gamma1 = c 0 n\Gamma1 jc n = c 0 n ; ffi n = 0] = 1 =-=(8)-=- Decoupling the correlations Given that c n = c 0 n , and thus ffi n = 0, our addition construction will hope to produce yn ; yn\Gamma1 so that these variables have their collision probabilities decou... |

35 |
New hash functions for message authentication
- Krawczyk
- 1995
(Show Context)
Citation Context ... 2i+1 \Gamma c 0 2i+1 =\Omega (10) which is equivalent to m X r=0 / fi ffi 2r + r X k=1 ff k (fi ffi 2r\Gamma2k + ffi 2r\Gamma2k+1 ) + c r X k=0 ff k (fi ffi 2r\Gamma2k + ffi 2r\Gamma2k+1 ) ! =\Omega =-=(11)-=- The above can be rewritten as m X r=0 / fi ffi 2r + fi r X k=1 ff k ffi 2r\Gamma2k + r X k=1 ff k ffi 2r\Gamma2k+1 + cfi r X k=0 ff k ffi 2r\Gamma2k + c r X k=0 ff k ffi 2r\Gamma2k+1 ! =\Omega (12) w... |

12 |
Oorschot, "MD-x MAC and building fast MACs from hash functions
- Preneel, van
- 1995
(Show Context)
Citation Context ... ffi 2r\Gamma2k + r X k=1 ff k ffi 2r\Gamma2k+1 + cfi r X k=0 ff k ffi 2r\Gamma2k + c r X k=0 ff k ffi 2r\Gamma2k+1 ! =\Omega (12) which can be expressed as fi(C 0 + C 1 + cC 3 ) + C 2 + cC 4 =\Omega =-=(13)-=- where C 0 = m X r=0 ffi 2r ; C 1 = m X r=0 r X k=1 ff k ffi 2r\Gamma2k ; C 2 = m X r=0 r X k=1 ff k ffi 2r\Gamma2k+1 C 3 = m X r=0 r X k=0 ff k ffi 2r\Gamma2k ; C 4 = m X r=0 r X k=0 ff k ffi 2r\Gamm... |

3 |
Foiling birthday attacks in output-doubling transformations
- Aiello, Vanketesan
- 1996
(Show Context)
Citation Context ...he analysis of the addition step's effect is quite novel, and the addition permits us to build 2l-bit valued MACs from l-bit operations. This output-doubling problem is usually not easy to solve (see =-=[15, 2]-=-). Our primitive differs from related schemes in a striking way. This in turn allows us to construct random permutations from nl bits to nl bits, given a 2l-bit to 2l-bit ideal cipher and a stream cip... |

2 |
How to Protect DES against Exhaustive Search
- Kilian, Rogaway
- 1996
(Show Context)
Citation Context ...a (11) The above can be rewritten as m X r=0 / fi ffi 2r + fi r X k=1 ff k ffi 2r\Gamma2k + r X k=1 ff k ffi 2r\Gamma2k+1 + cfi r X k=0 ff k ffi 2r\Gamma2k + c r X k=0 ff k ffi 2r\Gamma2k+1 ! =\Omega =-=(12)-=- which can be expressed as fi(C 0 + C 1 + cC 3 ) + C 2 + cC 4 =\Omega (13) where C 0 = m X r=0 ffi 2r ; C 1 = m X r=0 r X k=1 ff k ffi 2r\Gamma2k ; C 2 = m X r=0 r X k=1 ff k ffi 2r\Gamma2k+1 C 3 = m ... |

1 |
Design and analysis of provably good random number generators
- Aiello, Rajagopalan, et al.
(Show Context)
Citation Context ...lled the pre-MAC, are encrypted with a block cipher; this encrypted value is implicitly a MAC value for the input data. We use the pre-MAC directly or indirectly to synchronize a stream cipher (e.g., =-=[1]-=-), or to generate a stream-cipher key, compute a pseudorandom one-time pad with the stream cipher, and encrypt the rest of the words with this pad. We describe our main scheme and prove its security p... |

1 |
Linear Statistical Weaknesses
- Golic
(Show Context)
Citation Context ... or blocks. With a simple incremental scheme, one can easily compute MAC values for the entire stream. Heuristic considerations can be given to argue how C&S may remove weaknesses in existing ciphers =-=[6]-=- and strengthen the security of the stream cipher itself. We omit them for lack of space. Our construction has the side effect of yielding ciphers that seem stronger than the stream cipher with which ... |