Book Chapter

Constructing VIL-MACs from FIL-MACs: Message Authentication under Weakened Assumptions

15 Aug 1999, pp. 252-269
TL;DR: This paper considers the design of iterated MACs under the (minimal) assumption that the given FIL primitive is itself a MAC, and looks at three popular transforms, namely CBC, Feistel and the Merkle-Damgard method, and shows that each preserves unforgeability.
Abstract: Practical MACs are typically designed by iterating applications of some fixed-input-length (FIL) primitive, namely one like a block cipher or compression function that only applies to data of a fixed length. Existing security analyses of these constructions either require a stronger security property from the FIL primitive (e.g. pseudorandomness) than the unforgeability required of the final MAC, or, as in the case of HMAC, make assumptions about the iterated function itself. In this paper we consider the design of iterated MACs under the (minimal) assumption that the given FIL primitive is itself a MAC. We look at three popular transforms, namely CBC, Feistel and the Merkle-Damgard method, and ask for each whether it preserves unforgeability. We show that the answer is no in the first two cases and yes in the third. The last yields an alternative cryptographic-hash-function-based MAC which is secure under weaker assumptions than existing ones, although at a slight increase in cost.


Citations
Journal Article
TL;DR: A technical lemma of independent interest bounds the success probability of a computationally unbounded adversary in distinguishing between a random ml-bit to l-bit function and the CBC MAC of a random l-bit to l-bit function.

679 citations


Cites background from "Constructing VIL-MACs from FIL-MACs:..."

  • ...Now Rand: $\{0,1\}^k \times \{0,1\}^l \to \{0,1\}^L$ is a family with key-space $\{0,1\}^k$ where $k = L 2^l$, and we interpret a key $a = a[1] \cdots a[2^l]$ in the key space as a sequence of $L$-bit strings that specifies the value of the associated function at each point in the input domain, meaning $\mathrm{Rand}(a, x) = a[\mathrm{ord}_l(x)]$....

    [...]

  • ...Journal of Computer and System Sciences 61, 362-399 (2000). The Security of the Cipher Block Chaining Message Authentication Code. Mihir Bellare (Department of Computer Science & Engineering, University of California at San Diego, 9500 Gilman Drive, La Jolla, California 92093; e-mail: mihir@cs.ucsd.edu), Joe Kilian (NEC Research Institute, 4 Independence Way, Princeton, New Jersey 08540; e-mail: joe@research.nj.nec.com) and Phillip Rogaway (Department of Computer Science, University of California at Davis, Davis, California 95616; e-mail: rogaway@cs.ucdavis.edu). Received June 23, 1997; revised August 8, 1999; published online September 8, 2000. Let F be some block cipher (e.g., DES) with block length l....

    [...]

  • ...On the other hand Perm: $\mathrm{Keys}(\mathrm{Perm}) \times \{0,1\}^l \to \{0,1\}^l$ has a key space given by $\mathrm{Keys}(\mathrm{Perm}) = \{ (a[1], \ldots, a[2^l]) : a[1], \ldots, a[2^l] \in \{0,1\}^l \text{ are all distinct} \}$, and for any key $a = (a[1], \ldots, a[2^l])$ in Keys(Perm) and any $x \in \{0,1\}^l$ we define $\mathrm{Perm}(a, x) = a[\mathrm{ord}_l(x)]$....

    [...]

  • ...One might ask whether the security of CBC$^m$-F as a MAC could be shown to follow from a weaker assumption on F than that it is a PRF. Work of An and Bellare [1] shows that it is not enough to assume that F is a MAC; they give an example of a secure MAC F for which CBC$^m$-F is not a secure MAC....

    [...]

  • ...Work of An and Bellare [1] shows that it is not enough to assume that F is a MAC; they give an example of a secure MAC F for which CBC-F is not a secure MAC....

    [...]

Book Chapter
14 Aug 2005
TL;DR: It is shown that the current design principle behind hash functions such as SHA-1 and MD5 — the (strengthened) Merkle-Damgard transformation — does not satisfy a new security notion for hash-functions, stronger than collision-resistance.
Abstract: The most common way of constructing a hash function (e.g., SHA-1) is to iterate a compression function on the input message. The compression function is usually designed from scratch or made out of a block-cipher. In this paper, we introduce a new security notion for hash-functions, stronger than collision-resistance. Under this notion, the arbitrary length hash function H must behave as a random oracle when the fixed-length building block is viewed as a random oracle or an ideal block-cipher. The key property is that if a particular construction meets this definition, then any cryptosystem proven secure assuming H is a random oracle remains secure if one plugs in this construction (still assuming that the underlying fixed-length primitive is ideal). In this paper, we show that the current design principle behind hash functions such as SHA-1 and MD5 — the (strengthened) Merkle-Damgard transformation — does not satisfy this security notion. We provide several constructions that provably satisfy this notion; those new constructions introduce minimal changes to the plain Merkle-Damgard construction and are easily implementable in practice.

570 citations


Cites background from "Constructing VIL-MACs from FIL-MACs:..."

  • ...We remark that domain extenders are well studied for such primitives as collision-resistant hash functions [14, 26], pseudorandom functions [8], MACs [1, 25] and universal one-way hash functions [7, 31]....

    [...]

Book Chapter
03 Dec 2006
TL;DR: It is suggested that the appropriate goal of a domain extension transform for the next generation of hash functions is to be multi-property preserving, namely that one should have a single transform that is simultaneously at least collision-resistance preserving, pseudorandom function preserving and PRO-Pr.
Abstract: We point out that the seemingly strong pseudorandom oracle preserving (PRO-Pr) property of hash function domain-extension transforms defined and implemented by Coron et al. [1] can actually weaken our guarantees on the hash function, in particular producing a hash function that fails to be even collision-resistant (CR) even though the compression function to which the transform is applied is CR. Not only is this true in general, but we show that all the transforms presented in [1] have this weakness. We suggest that the appropriate goal of a domain extension transform for the next generation of hash functions is to be multi-property preserving, namely that one should have a single transform that is simultaneously at least collision-resistance preserving, pseudorandom function preserving and PRO-Pr. We present an efficient new transform that is proven to be multi-property preserving in this sense.

198 citations

Book Chapter
19 Aug 2012
TL;DR: This paper gives the first tweakable blockcipher (TBC) construction with provable security beyond the birthday bound that also allows arbitrarily wide tweaks and does not require per-invocation rekeying.
Abstract: Liskov, Rivest and Wagner formalized the tweakable blockcipher (TBC) primitive at CRYPTO'02. The typical recipe for instantiating a TBC is to start with a blockcipher, and then build up a construction that admits a tweak. Almost all such constructions enjoy provable security only to the birthday bound, and the one that does achieve security beyond the birthday bound due to Minematsu severely restricts the tweak size and requires per-invocation blockcipher rekeying. This paper gives the first TBC construction that simultaneously allows for arbitrarily "wide" tweaks, does not rekey, and delivers provable security beyond the birthday bound. Our construction is built from a blockcipher and an $\epsilon$-AXU$_2$ hash function. As an application of the TBC primitive, LRW suggest the TBC-MAC construction similar to CBC-MAC but chaining through the tweak, but leave open the question of its security. We close this question, both for TBC-MAC as a PRF and a MAC. Along the way, we find a nonce-based variant of TBC-MAC that has a tight reduction to the security of the underlying TBC, and also displays graceful security degradation when nonces are misused. This result is interesting on its own, but it also serves as an application of our new TBC construction, ultimately giving a variable input-length PRF with beyond birthday-bound security.

86 citations

Book Chapter
02 Dec 2007
TL;DR: A new composition scheme for hash functions is proposed that is a variant of the Merkle-Damgard construction with a permutation applied right before the processing of the last message block and the security of simple MAC constructions is studied.
Abstract: We propose a new composition scheme for hash functions. It is a variant of the Merkle-Damgard construction with a permutation applied right before the processing of the last message block. We analyze the security of this scheme using the indifferentiability formalism, which was first applied by Coron et al. to the analysis of hash functions. We also study the security of simple MAC constructions built out of this scheme. Finally, we discuss the random oracle indifferentiability of this scheme with a double-block-length compression function or the Davies-Meyer compression function composed of a block cipher.

75 citations

References
Proceedings Article
01 Apr 1992
TL;DR: This document describes the MD5 message-digest algorithm, which takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input.
Abstract: This document describes the MD5 message-digest algorithm. The algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. This memo provides information for the Internet community. It does not specify an Internet standard.

3,514 citations

01 Jan 1992

3,158 citations

Journal Article
TL;DR: A digital signature scheme based on the computational difficulty of integer factorization possesses the novel property of being robust against an adaptive chosen-message attack: an adversary who receives signatures for messages of his choice cannot later forge the signature of even a single additional message.
Abstract: We present a digital signature scheme based on the computational difficulty of integer factorization. The scheme possesses the novel property of being robust against an adaptive chosen-message attack: an adversary who receives signatures for messages of his choice (where each message may be chosen in a way that depends on the signatures of previously chosen messages) cannot later forge the signature of even a single additional message. This may be somewhat surprising, since in the folklore the properties of having forgery be equivalent to factoring and being invulnerable to an adaptive chosen-message attack were considered to be contradictory. More generally, we show how to construct a signature scheme with such properties based on the existence of a "claw-free" pair of permutations, a potentially weaker assumption than the intractability of integer factorization. The new scheme is potentially practical: signing and verifying signatures are reasonably fast, and signatures are compact.

3,150 citations

Journal Article
J. Lawrence Carter, Mark N. Wegman
TL;DR: An input independent average linear time algorithm for storage and retrieval on keys that makes a random choice of hash function from a suitable class of hash functions.

2,886 citations


"Constructing VIL-MACs from FIL-MACs:..." refers to methods in this paper

  • ...These include block cipher based MACs like the CBC MAC [1] or XOR MACs [8]; hash function based MACs like HMAC [2] or MDx-MAC [19]; and universal hash function based MACs [9, 22]....

    [...]

Journal Article
TL;DR: In this paper, a constructive theory of randomness for functions, based on computational complexity, is developed, and a pseudorandom function generator is presented, which is a deterministic polynomial-time algorithm that transforms pairs (g, r), where g is any one-way function and r is a random k-bit string, to computable functions.
Abstract: A constructive theory of randomness for functions, based on computational complexity, is developed, and a pseudorandom function generator is presented. This generator is a deterministic polynomial-time algorithm that transforms pairs (g, r), where g is any one-way function and r is a random k-bit string, to polynomial-time computable functions ƒr: {1, … , 2k} → {1, … , 2k}. These ƒr's cannot be distinguished from random functions by any probabilistic polynomial-time algorithm that asks and receives the value of a function at arguments of its choice. The result has applications in cryptography, random constructions, and complexity theory.

2,043 citations