Single-Path Authenticated-Encryption Scheme Based on Universal Hashing
An authenticated-encryption scheme is frequently used to provide communication with both confidentiality and integrity. For stream ciphers, i.e., encryption schemes built on a cryptographic pseudorandom-number generator, this objective can be achieved by the simple combination of encryption and MAC generation. This naive approach, however, has the following drawbacks: the implementation is likely to require two scans of the data, and independent keys for encryption and MAC generation must be exchanged. A single-path construction of an authenticated-encryption scheme for a stream cipher is advantageous in both respects, but its design is non-trivial. In this paper we propose a single-path authenticated-encryption scheme with provable security. The scheme is based on one of the well-known ε-almost-universal hash functions, the evaluation hash. Encryption and decryption can be computed in a single pass over the plaintext or the ciphertext. We analyze the security of the proposed scheme and give a security proof, which states that the security of the proposed scheme reduces to that of the underlying PRNG in the sense of indistinguishability from random bits. The security model we use, real-or-random, is one of the strongest of the four well-known notions of confidentiality, and an encryption scheme that is secure in the real-or-random sense can be efficiently reduced to the other three notions. We also note that the security of the proposed scheme is tight.
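The abstract describes the two ingredients, an evaluation hash (a polynomial evaluated at a secret point, which is ε-almost-universal because two distinct polynomials of degree at most n agree on at most n points) and a keystream from a PRNG, combined so that one pass over the data yields both ciphertext and tag. The following is an added illustration of that general Wegman-Carter style combination, written for this page and not the paper's own scheme (the abstract gives no construction details). Assumptions: the field is GF(p) with the Mersenne prime p = 2^127 - 1, message blocks are encoded as non-zero field elements with a 0x01 prefix, and HMAC-SHA256 in counter mode stands in for the underlying PRNG.

```python
import hmac
import hashlib
from typing import Iterator, Optional

# Illustrative construction (assumption: a generic Wegman-Carter style design,
# not the paper's own scheme): an evaluation hash over GF(P) combined with a
# stream cipher so that encryption and authentication happen in one pass.

P = (1 << 127) - 1   # Mersenne prime; coefficients and hash values live in GF(P)
CHUNK = 15           # message bytes per coefficient; 0x01 || 15 bytes < 2**121 < P
TAG_LEN = 16


def _coef(block: bytes) -> int:
    """Injective encoding of a (possibly short) block as a non-zero field element.
    The 0x01 prefix makes every coefficient non-zero and fixes the block length,
    so distinct messages always yield distinct polynomials."""
    return int.from_bytes(b"\x01" + block, "big")


def eval_hash(k: int, data: bytes) -> int:
    """Evaluation hash H_k(m) = c_1*k^n + c_2*k^(n-1) + ... + c_n*k over GF(P),
    computed by Horner's rule. For a uniformly random k, two distinct messages of
    at most n blocks collide with probability at most n/P (epsilon-almost-universal)."""
    acc = 0
    for i in range(0, len(data), CHUNK):
        acc = (acc + _coef(data[i:i + CHUNK])) * k % P
    return acc


def _keystream(key: bytes, nonce: bytes) -> Iterator[int]:
    """Stand-in for the underlying PRNG: HMAC-SHA256 in counter mode (assumption;
    any keystream generator keyed by (key, nonce) fits the same slot)."""
    ctr = 0
    while True:
        yield from hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1


def _take(ks: Iterator[int], n: int) -> bytes:
    return bytes(next(ks) for _ in range(n))


def _setup(key: bytes, nonce: bytes):
    """The first 32 keystream bytes become the hash key k and the tag mask r; the
    rest of the stream encrypts the data. Reducing a 128-bit value mod P is very
    slightly non-uniform, which is negligible here. Reusing a nonce reuses k, r
    and the keystream, which breaks both confidentiality and integrity."""
    ks = _keystream(key, nonce)
    k = int.from_bytes(_take(ks, 16), "big") % P
    r = int.from_bytes(_take(ks, 16), "big") % P
    return ks, k, r


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """One pass: each block is encrypted and the resulting ciphertext block is
    folded into the Horner accumulator immediately. Returns ciphertext || tag."""
    ks, k, r = _setup(key, nonce)
    ct = bytearray()
    acc = 0
    for i in range(0, len(plaintext), CHUNK):
        chunk = plaintext[i:i + CHUNK]
        block = bytes(p ^ s for p, s in zip(chunk, _take(ks, len(chunk))))
        ct += block
        acc = (acc + _coef(block)) * k % P       # authenticate the ciphertext block
    tag = ((acc + r) % P).to_bytes(TAG_LEN, "big")
    return bytes(ct) + tag


def decrypt(key: bytes, nonce: bytes, data: bytes) -> Optional[bytes]:
    """The same single pass in reverse. Plaintext is held back until the tag
    verifies, so a forgery never releases unverified plaintext to the caller."""
    if len(data) < TAG_LEN:
        return None
    ct, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    ks, k, r = _setup(key, nonce)
    pt = bytearray()
    acc = 0
    for i in range(0, len(ct), CHUNK):
        block = ct[i:i + CHUNK]
        acc = (acc + _coef(block)) * k % P       # hash the ciphertext as received
        pt += bytes(c ^ s for c, s in zip(block, _take(ks, len(block))))
    expected = ((acc + r) % P).to_bytes(TAG_LEN, "big")
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(pt)


if __name__ == "__main__":
    key, nonce = b"\x11" * 32, b"\x22" * 12      # constructed sample values
    sealed = encrypt(key, nonce, b"single-path authenticated encryption")
    print(decrypt(key, nonce, sealed))
```

The accumulator inside `encrypt` computes exactly `eval_hash(k, ciphertext)`, so the tag is the masked evaluation hash of the ciphertext and no second scan of the data is needed; `decrypt` mirrors the pass but returns nothing on a tag mismatch.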
Keywords: Stream cipher, mode of operation, provable security, message authentication, real-or-random security