Abstract
Shoup proved that various message-authentication codes of the form (n,m) ↦ h(m) + f(n) are secure against all attacks that see at most \(\sqrt{1/\epsilon}\) authenticated messages. Here m is a message; n is a nonce chosen from a public group G; f is a secret uniform random permutation of G; h is a secret random function; and ε is a differential probability associated with h.
Shoup’s result implies that if AES is secure then various state-of-the-art message-authentication codes of the form (n,m) ↦ h(m) + AES_k(n) are secure up to \(\sqrt{1/\epsilon}\) authenticated messages. Unfortunately, \(\sqrt{1/\epsilon}\) is only about \(2^{50}\) for some state-of-the-art systems, so Shoup’s result provides no guarantees for long-term keys.
This paper proves that security of the same systems is retained up to \(\sqrt{\#G}\) authenticated messages. In a typical state-of-the-art system, \(\sqrt{\#G}\) is \(2^{64}\). The heart of the paper is a very general “one-sided” security theorem: (n,m) ↦ h(m) + f(n) is secure if there are small upper bounds on differential probabilities for h and on interpolation probabilities for f.
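The construction the abstract describes, as an added illustration (not code from the paper): h is a polynomial hash over a toy prime field, f is a secret uniform permutation of the additive group G = Z/P, and the tag is h(m) + f(n) in G. P = 8191, the message encoding and the names are assumptions chosen so that the permutation can be tabulated and the differential probability of h can be measured exhaustively; the two bound functions reproduce the \(2^{50}\) and \(2^{64}\) figures quoted above.

```python
import math
import random

P = 8191  # constructed toy prime; G = Z/P under addition (real systems use ~2^128)


def poly_hash(r, blocks):
    """h_r(m) = sum of m_i * r^i mod P, evaluated by Horner's rule.
    The block count is prepended so messages of different lengths hash
    as different polynomials. For two distinct messages of at most L blocks
    (counting the length block), h_r(m) - h_r(m') is a nonzero polynomial
    in r of degree <= L, so the differential probability is at most L/P."""
    acc = 0
    for b in [len(blocks)] + list(blocks):
        acc = (acc + b) * r % P
    return acc


def keygen(seed):
    """Secret hash point r and a secret uniform random permutation f of G."""
    rng = random.Random(seed)
    r = rng.randrange(P)
    perm = list(range(P))
    rng.shuffle(perm)  # tabulated permutation: only feasible for a toy group
    return r, perm


def tag(key, nonce, blocks):
    """(n, m) -> h(m) + f(n) in G."""
    r, perm = key
    return (poly_hash(r, blocks) + perm[nonce % P]) % P


def verify(key, nonce, blocks, t):
    return tag(key, nonce, blocks) == t


def differential_probability(blocks_a, blocks_b, delta):
    """Exhaustive Pr_r[h_r(a) - h_r(b) = delta] over all r in Z/P."""
    hits = sum(1 for r in range(P)
               if (poly_hash(r, blocks_a) - poly_hash(r, blocks_b)) % P == delta)
    return hits / P


def shoup_bound(eps):
    """Messages covered by Shoup's theorem: sqrt(1/eps)."""
    return math.sqrt(1 / eps)


def bernstein_bound(group_size):
    """Messages covered by this paper's theorem: sqrt(#G)."""
    return math.sqrt(group_size)
```

For a 128-bit group and a hash with ε = 2^-100, the two bounds differ by a factor of 2^14, which is the gap between the guarantees the abstract contrasts.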
© 2005 Springer-Verlag Berlin Heidelberg
Bernstein, D.J. (2005). Stronger Security Bounds for Wegman-Carter-Shoup Authenticators. In: Cramer, R. (eds) Advances in Cryptology – EUROCRYPT 2005. EUROCRYPT 2005. Lecture Notes in Computer Science, vol 3494. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11426639_10
DOI: https://doi.org/10.1007/11426639_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-25910-7
Online ISBN: 978-3-540-32055-5