Stronger Security Bounds for Wegman-Carter-Shoup Authenticators

  • Daniel J. Bernstein
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3494)


Shoup proved that various message-authentication codes of the form (n,m) ↦ h(m) + f(n) are secure against all attacks that see at most \(\sqrt{1/\epsilon}\) authenticated messages. Here m is a message; n is a nonce chosen from a public group G; f is a secret uniform random permutation of G; h is a secret random function; and ε is a differential probability associated with h.

Shoup’s result implies that if AES is secure then various state-of-the-art message-authentication codes of the form (n,m) ↦ h(m) + \(\mathrm{AES}_k(n)\) are secure up to \(\sqrt{1/\epsilon}\) authenticated messages. Unfortunately, \(\sqrt{1/\epsilon}\) is only about \(2^{50}\) for some state-of-the-art systems, so Shoup’s result provides no guarantees for long-term keys.

This paper proves that security of the same systems is retained up to \(\sqrt{\#G}\) authenticated messages. In a typical state-of-the-art system, \(\sqrt{\#G}\) is \(2^{64}\). The heart of the paper is a very general “one-sided” security theorem: (n,m) ↦ h(m) + f(n) is secure if there are small upper bounds on differential probabilities for h and on interpolation probabilities for f.
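The following is an added worked example, not code from the paper, of the (n,m) ↦ h(m) + f(n) structure the abstract describes, together with the two message limits it compares. Everything about the instance is an assumption chosen for illustration: G is the additive group Z/P for the small prime P = 65521 (so that \(\sqrt{\#G}\) is about 256 and visible in a test run), h is a polynomial-evaluation hash keyed by a uniform r in Z/P (differential probability ε ≤ L/P for messages of at most L one-byte blocks), and f is an actual uniform random permutation of G obtained by shuffling the group elements, exactly the object the abstract's theorem is about rather than an AES stand-in. The `Sender` class, `differential_bound`, `shoup_limit` and `bernstein_limit` are names introduced here.

```python
import math
import secrets

# Toy instance of the Wegman-Carter-Shoup structure (n, m) -> h(m) + f(n).
# Assumptions (constructed here, not taken from the paper): G is the additive
# group Z/P for a small prime P so the bounds are visible in a test run; h is a
# polynomial-evaluation hash keyed by r in Z/P; f is a genuinely uniform random
# permutation of G, realised by shuffling the list of group elements.
P = 65521  # largest prime below 2^16, so #G = 65521 and sqrt(#G) is about 256


def keygen():
    """Return the secret key (r, f): r keys the hash, f is a random permutation of G."""
    r = secrets.randbelow(P)
    f = list(range(P))
    secrets.SystemRandom().shuffle(f)  # uniform random permutation of G
    return r, f


def poly_hash(r: int, msg: bytes) -> int:
    """h_r(m) = sum_{i=1..L} (m_i + 256) * r^(L+1-i) mod P, one byte per block.

    Adding 256 keeps the block encoding injective across message lengths, so two
    distinct messages give a nonzero difference polynomial of degree at most L
    in r.  Hence Pr_r[h_r(m) - h_r(m') = g] <= L/P for every fixed g: the
    differential probability eps of the abstract is L/P for this hash.
    """
    acc = 0
    for b in msg:  # Horner evaluation
        acc = (acc + b + 256) * r % P
    return acc


def tag(key, nonce: int, msg: bytes) -> int:
    """(n, m) -> h(m) + f(n), computed in G = Z/P."""
    r, f = key
    return (poly_hash(r, msg) + f[nonce]) % P


def verify(key, nonce: int, msg: bytes, t: int) -> bool:
    """Recompute and compare; toy code, so the comparison is not constant-time."""
    return tag(key, nonce, msg) == t


class Sender:
    """Authenticates with a counter nonce: never reuses a nonce, and stops once
    all #G nonces are spent, since f(n) must be a fresh permutation output."""

    def __init__(self, key):
        self.key = key
        self.next_nonce = 0

    def authenticate(self, msg: bytes):
        if self.next_nonce >= P:
            raise RuntimeError("nonce space exhausted; rekey before continuing")
        n = self.next_nonce
        self.next_nonce += 1
        return n, tag(self.key, n, msg)


def differential_bound(max_blocks: int) -> float:
    """eps for this hash: at most max_blocks / #G."""
    return max_blocks / P


def shoup_limit(eps: float) -> float:
    """Shoup's guarantee covers up to sqrt(1/eps) authenticated messages."""
    return math.sqrt(1 / eps)


def bernstein_limit() -> float:
    """This paper's guarantee covers up to sqrt(#G) authenticated messages."""
    return math.sqrt(P)


if __name__ == "__main__":
    key = keygen()
    sender = Sender(key)
    n, t = sender.authenticate(b"transfer 100")
    print("tag", t, "valid:", verify(key, n, b"transfer 100", t),
          "tampered:", verify(key, n, b"transfer 900", t))
    eps = differential_bound(max_blocks=4)
    print(f"eps = {eps:.2e}; Shoup limit ~ {shoup_limit(eps):.0f} messages; "
          f"sqrt(#G) limit ~ {bernstein_limit():.0f} messages")
```

With messages of at most four blocks, ε = 4/65521, so \(\sqrt{1/\epsilon}\) is about 128 while \(\sqrt{\#G}\) is about 256: the same factor-of-\(\sqrt{L}\) gap between the two limits that the abstract reports at the \(2^{50}\) versus \(2^{64}\) scale for real parameters. The `Sender` wrapper makes the one operational requirement of the construction explicit: each nonce is used once, and the key is retired before the nonce space is exhausted.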

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Daniel J. Bernstein
  1. Department of Mathematics, Statistics, and Computer Science (M/C 249), The University of Illinois at Chicago, Chicago