(The exact security of) Message Authentication Codes (Record no. 373536)

000 -LEADER
fixed length control field 03629nam a22001697a 4500
003 - CONTROL NUMBER IDENTIFIER
control field AT-ISTA
005 - DATE AND TIME OF LATEST TRANSACTION
control field 20180627092029.0
008 - FIXED-LENGTH DATA ELEMENTS--GENERAL INFORMATION
fixed length control field 180627b xxu||||| |||| 00| 0 eng d
040 ## - CATALOGING SOURCE
Transcribing agency IST
100 ## - MAIN ENTRY--PERSONAL NAME
Personal name Rybar, Michal
9 (RLIN) 4264
245 ## - TITLE STATEMENT
Title (The exact security of) Message Authentication Codes
260 ## - PUBLICATION, DISTRIBUTION, ETC. (IMPRINT)
Name of publisher, distributor, etc. IST Austria
Date of publication, distribution, etc. 2017
500 ## - GENERAL NOTE
General note Thesis
505 ## - FORMATTED CONTENTS NOTE
Formatted contents note Abstract
About the author
List of publications
List of abbreviations
1 Introduction
2 Preliminaries
3 Message Authentication Codes
4 Exact Security of HMAC
5 Exact Security of PMAC
6 Paper 1
7 Paper 2
Bibliography
520 ## - SUMMARY, ETC.
Summary, etc. In this thesis we discuss the exact security of the message authentication codes HMAC, NMAC, and PMAC. NMAC is a mode of operation which turns a fixed input-length keyed hash function $f$ into a variable input-length function. A practical single-key variant of NMAC called HMAC is a very popular and widely deployed message authentication code (MAC). PMAC is a block-cipher based mode of operation, which also happens to be the most famous fully parallel MAC.

NMAC was introduced by Bellare, Canetti and Krawczyk [Crypto'96], who proved it to be a secure pseudorandom function (PRF), and thus also a MAC, under two assumptions. Unfortunately, for many instantiations of HMAC one of them has been found to be wrong. To restore the provable guarantees for NMAC, Bellare [Crypto'06] showed its security without this assumption.

PMAC was introduced by Black and Rogaway at Eurocrypt 2002. If instantiated with a pseudorandom permutation over $n$-bit strings, PMAC constitutes a provably secure variable input-length PRF. For adversaries making $q$ queries, each of length at most $\ell$ (in $n$-bit blocks), and of total length $\sigma \le q\ell$, the original paper proves an upper bound on the distinguishing advantage of $O(\sigma^2/2^n)$, while the currently best bound is $O(q\sigma/2^n)$. In this work we show that this bound is tight by giving an attack with advantage $\Omega(q^2\ell/2^n)$. In the PMAC construction one initially XORs a mask to every message block, where the mask for the $i$-th block is computed as $\tau_i := \gamma_i \cdot L$, where $L$ is a (secret) random value, and $\gamma_i$ is the $i$-th codeword of the Gray code. Our attack applies more generally to any sequence of $\gamma_i$'s which contains a large coset of a subgroup of $GF(2^n)$.

As for NMAC, our first contribution is a simpler and uniform proof: If $f$ is an $\varepsilon$-secure PRF (against $q$ queries) and a $\delta$-non-adaptively secure PRF (against $q$ queries), then $\mathrm{NMAC}^f$ is an $(\varepsilon + \ell q\delta)$-secure PRF against $q$ queries of length at most $\ell$ blocks each. We also show that this $\varepsilon + \ell q\delta$ bound is basically tight by constructing an $f$ for which an attack with advantage $\ell q\delta$ exists.

Moreover, we analyze the PRF-security of a modification of NMAC called NI by An and Bellare that avoids the constant rekeying on multi-block messages in NMAC and allows for an information-theoretic analysis. We carry out such an analysis, obtaining a tight $\ell q^2/2^c$ bound for this step, improving over the trivial bound of $\ell^2 q^2/2^c$.

Finally, we investigate whether the security of PMAC can be further improved by using $\tau_i$'s that are $k$-wise independent, for $k > 1$ (the original has $k = 1$). We observe that the security of PMAC will not increase in general if $k = 2$, and then prove that the security increases to $O(q^2/2^n)$ if $k = 4$. Due to simple extension attacks, this is the best bound one can hope for, using any distribution on the masks. Whether $k = 3$ is already sufficient to get this level of security is left as an open problem.
942 ## - ADDED ENTRY ELEMENTS (KOHA)
Source of classification or shelving scheme
Holdings
Lost status: Not Lost
Permanent Location: Library
Current Location: Library
Date acquired: 2018-06-27
Barcode: AT-ISTA#001526
Date last seen: 2018-11-06
Price effective from: 2018-06-27
Koha item type: Book
