Stateless Evaluation of Pseudorandom Functions: Security Beyond the Birthday Barrier
Many cryptographic solutions based on pseudorandom functions (for common problems like encryption, message-authentication or challenge-response protocols) have the following feature: There is a stateful (counter based) version of the scheme that has high security, but if, to avoid the use of state, we substitute a random value for the counter, the security of the scheme drops below the birthday bound. In some situations the use of counters or other forms of state is impractical or unsafe. Can we get security beyond the birthday bound without using counters?
This paper presents a paradigm for strengthening pseudorandom function usages to this end, the idea of which is roughly to use the XOR of the values of a pseudorandom function on a small number of distinct random points in place of its value on a single point. We establish two general security properties of our construction, “pseudorandomness” and “integrity”, with security beyond the birthday bound. These can be applied to derive encryption schemes, and MAC schemes (based on universal hash functions), that have security well beyond the birthday bound, without the use of state and at moderate computational cost.
KeywordsHash Function Encryption Scheme Block Cipher Pseudorandom Function Parity Construct
- 1.W. Aiello, and R. Venkatesan. Foiling birthday attacks in length-doubling transformations. Advances in Cryptology-Eurocrypt 96 Proceedings, Lecture Notes in Computer Science Vol. 1070, U. Maurer ed., Springer-Verlag, 1996.Google Scholar
- 2.M. Bellare, A. Desai, E. Jokipii and P. Rogaway. A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation. Proceedings of the 38th Symposium on Foundations of Computer Science, IEEE, 1997.Google Scholar
- 3.M. Bellare, O. Goldreich and h. Krawczyk. Beyond the birthday barrier, without counters. Full version of this paper, available via http://www-cse. ucsd.edu/users/mihir.
- 4.M. Bellare, R. GuÉrin and P. Rogaway. XOR MACs: New Methods for Message Authentication using Finite Pseudorandom Functions. Full version available via http://www-cse.ucsd.edu/users/mihir. Preliminary version in Advances in Cryptology-Crypto 95 Proceedings, Lecture Notes in Computer Science Vol. 963, D. Coppersmith ed., Springer-Verlag, 1995.Google Scholar
- 5.M. Bellare, J. Kilian and P. Rogaway. The Security of Cipher Block Chaining. Advances in Cryptology-Crypto 94 Proceedings, Lecture Notes in Computer Science Vol. 839, Y. Desmedt ed., Springer-Verlag, 1994.Google Scholar
- 6.M. Bellare, T. Krovetz and P. Rogaway. Luby-Rackoff backwards: Increasing security by making block ciphers non-invertible. Advances in Cryptology-Eurocrypt 97 Proceedings, Lecture Notes in Computer Science Vol. 1233, W. Fumy ed., Springer-Verlag, 1997.Google Scholar
- 8.C. Hall, D. Wagner, J. Kelsey and B. Schneier. Building PRFs from PRPs. Advances in Cryptology-Crypto 98 Proceedings, Lecture Notes in Computer Science Vol. 1462, H. Krawczyk ed., Springer-Verlag, 1998.Google Scholar
- 9.H. Krawczyk. LFSR-based Hashing and Authentication. Advances in Cryptology-Crypto 94 Proceedings, Lecture Notes in Computer Science Vol. 839, Y. Desmedt ed., Springer-Verlag, 1994.Google Scholar
- 10.M. Luby and C. Rackoff. How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Computing, Vol. 17, No. 2, April 1988.Google Scholar
- 12.J. Patarin. Improved security bounds for pseudorandom permutations. Proceedings of the Fourth Annual Conference on Computer and Communications Security, ACM, 1997.Google Scholar
- 15.V. Shoup. On Fast and Provably Secure Message Authentication Based on Universal Hashing. Advances in Cryptology-Crypto 96 Proceedings, Lecture Notes in Computer Science Vol. 1109, N. Koblitz ed., Springer-Verlag, 1996.Google Scholar