Skip to main content
Fachgebiete
Automobil + Motoren Bauwesen + Immobilien Business IT + Informatik Elektrotechnik + Elektronik Energie + Nachhaltigkeit Finance + Banking Management + Führung Marketing + Vertrieb Maschinenbau + Werkstoffe Versicherung + Risiko
DE
EN
Bücher
Zeitschriften
Themenseiten
Organisationspsychologie Projektmanagement Marketing Smart Manufacturing
Weitere Formate
Podcasts Webinare Technik Webinare Wirtschaft Kongresse Veranstaltungskalender Awards
Jetzt Einzelzugang starten
Zugang für Unternehmen
Referenzkunden
SLX-Digitalkonferenz: Zukunftswerkstatt 2024

Mehr Umsatz mit Top-Kontakten

Am 7. Mai erfahren Sie, wie Vertriebsteams Leadgenerierung, Leadnurturing und Leadstrategien effizient steuern können.
Erweiterte Suche
Anmelden
nach oben
Erschienen in:
About Open Problems Kapitel lesen Erstes Kapitel lesen

2014 | OriginalPaper | Buchkapitel

Another Look at Security Theorems for 1-Key Nested MACs

verfasst von : Neal Koblitz, Alfred Menezes

Erschienen in: Open Problems in Mathematics and Computational Science

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config
loading …

Abstract

We prove a security theorem without collision resistance for a class of 1-key hash function-based MAC schemes that includes HMAC and Envelope MAC. The proof has some advantages over earlier proofs: it is in the uniform model, it uses a weaker related-key assumption, and it covers a broad class of MACs in a single theorem. However, we also explain why our theorem is of doubtful value in assessing the real-world security of these MAC schemes. In addition, we prove a theorem assuming collision resistance. From these two theorems, we conclude that from a provable security standpoint, there is little reason to prefer HMAC to Envelope MAC or similar schemes.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

  • über 102.000 Bücher
  • über 537 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Maschinenbau + Werkstoffe
  • Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 390 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Maschinenbau + Werkstoffe




 

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 340 Zeitschriften

aus folgenden Fachgebieten:

  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Versicherung + Risiko




Jetzt Wissensvorsprung sichern!

Jetzt informieren
Vorheriges Kapitel Isogenies in Theory and Praxis
Nächstes Kapitel Non-extendable -Quadratic Perfect Nonlinear Maps
Fußnoten
1
Fischlin [10] has a uniform proof of a security theorem for HMAC without collision resistance, but its usefulness is questionable because of the extremely large tightness gap in his result.
 
2
The theorem’s query bound for the related-key property is 2q because A rka makes two queries for each query of A MAC.
 
3
If \(A_{\tilde{f}h}\) fails to produce a guess about the oracle \(O_{\tilde{f}h}\) in time t, as can happen if the simulation is imperfect, then \(A_{\tilde{f}}\) guesses that \(O_{\tilde{f}}\) is a random function. Note that the simulation is perfect if \(O_{\tilde{f}}\) is \(\tilde{f}\) with hidden key.
 
4
The term “over all possible coin tosses” means over all possible runs of the algorithm with each weighted by 2s , where s is the number of random bits in a given run.
 
5
The tightness gap in our theorem, bad as it is, is not nearly as extreme as the one in Fischlin’s theorem [10], which establishes the secure-MAC property for NMAC and HMAC based on assumptions that are slightly weaker than the prf property. The gap in success probabilities in that theorem is roughly qn 2. In [10] this gap is compared to the q 2 n gap in Bellare’s Theorem 3.3 in [2]. However, any comparison based solely on success probabilities is misleading, since the factor q 2 n in Bellare’s theorem is multiplied by the advantage of a very low-resource adversary A 2 with running time ≤ nT, much less than that of Fischlin’s adversary. One must always include running time comparisons when evaluating tightness gaps, and this is not done in [10].
 
6
Note that the inner compression function needs to be strongly (ε 1, t, q)-secure for a quite small value of ε 1, since the theorem loses content if ε 1 > 1∕(2n).
 
7
Note that A rka can verify that A MAC has a valid forgery using the same procedure that was used to respond to its queries. This means that A rka needs to be allowed two more queries of O rka, and for this reason, the query bound for A rka is 2q + 2 rather than 2q, and the time bounds have the term (q + 1)nT rather than qnT.
 
8
In the prf test for f, the adversary gets the values f(K, M) (with K a c-bit hidden key and M a b-bit queried message); in the test for \(\tilde{f}\) in HMAC, he gets the values \(f(K,M\|p)\) (with M a c-bit message and p a fixed (bc)-bit padding); and in the test for \(\tilde{f}\) in Envelope MAC, he gets the values \(f(M,K\|p)\). Thus, the only difference is whether the key occurs in the first c bits or in the next c bits.
 
9
How can something be a necessary component, but play no role in the selection? By analogy, when one looks for an apartment, a functioning toilet is a requirement; however, one doesn’t normally choose which apartment to rent based on which has the nicest toilet.
 
Literatur
1.
M. Bellare, Practice-oriented provable-security, in Proceedings of First International Workshop on Information Security (ISW ’97). Lecture Notes in Computer Science, vol. 1396 (Springer, Berlin, 1998), pp. 221–231
2.
3.
M. Bellare, T. Kohno, A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications, in Advances in Cryptology—Eurocrypt 2003. Lecture Notes in Computer Science, vol. 2656 (Springer, Heidelberg, 2003), pp. 491–506
4.
M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in Proceedings of First Annual Conference on Computer and Communications Security (ACM, New York, 1993), pp. 62–73
5.
M. Bellare, R. Rogaway, Optimal asymmetric encryption—how to encrypt with RSA, in Advances in Cryptology—Eurocrypt ’94. Lecture Notes in Computer Science, vol. 950 (Springer, Heidelberg, 1994), pp. 92–111
6.
M. Bellare, R. Canetti, H. Krawczyk, Keying hash functions for message authentication, in Advances in Cryptology—Crypto ’96. Lecture Notes in Computer Science, vol. 1109 (Springer, Heidelberg, 1996), pp. 1–15. Extended version available at http://​cseweb.​ucsd.​edu/​mihir/​papers/​kmd5.​pdf
7.
M. Bellare, R. Canetti, H. Krawczyk, HMAC: Keyed-hashing for message authentication, Internet RFC 2104 (1997)
8.
D. Bernstein, T. Lange, Non-uniform cracks in the concrete: the power of free precomputation, in Advances in Cryptology—Asiacrypt 2013. Lecture Notes in Computer Science, vol. 8270 (Springer, Heidelberg, 2013), pp. 321–340
9.
D. Boneh, Simplified OAEP for the RSA and Rabin functions, in Advances in Cryptology—Crypto 2001. Lecture Notes in Computer Science, vol. 2139 (Springer, Heidelberg, 2001), pp. 275–291
10.
M. Fischlin, Security of NMAC and HMAC based on non-malleability, in Topics in Cryptology—CT-RSA 2008. Lecture Notes in Computer Science, vol. 4064 (Springer, Heidelberg, 2008), pp. 138–154
11.
12.
B. Kaliski, M. Robshaw, Message authentication with MD5. CryptoBytes 1(1), 5–8 (1995)
13.
J. Katz, Y. Lindell, Introduction to Modern Cryptography (Chapman and Hall/CRC, Boca Raton, 2007)
14.
15.
16.
17.
18.
19.
A.H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: the serpentine course of a paradigm shift. J. Number Theory 131, 781–814 (2011)CrossRefMATHMathSciNet
20.
H. Krawczyk, Koblitz’s arguments disingenuous. Not. Am. Math. Soc. 54(11), 1455 (2007)
21.
National Institute of Standards and Technology, The keyed-hash message authentication code (HMAC). FIPS Publication 198 (2002)
22.
National Institute of Standards and Technology, Third-round report of the SHA-3 cryptographic hash algorithm competition. Interagency Report 7896 (2012)
23.
P. Piermont, W. Simpson, IP authentication using keyed MD5, IETF RFC 1828 (1995)
24.
25.
B. Preneel, P. van Oorschot, MDx-MAC and building fast MACs from hash functions, in Advances in Cryptology—Crypto ’95. Lecture Notes in Computer Science, vol. 963 (Springer, Heidelberg, 1995), pp. 1–14
26.
B. Preneel, P. van Oorschot, On the security of iterated message authentication codes. IEEE Trans. Inf. Theory 45, 188–199 (1999)CrossRefMATH
27.
V. Shoup, OAEP reconsidered, in Advances in Cryptology—Crypto 2001. Lecture Notes in Computer Science, vol. 2139 (Springer, Heidelberg, 2001), pp. 239–259
28.
G. Tsudik, Message authentication with one-way hash functions. ACM SIGCOMM Comput. Commun. Rev. 22(5), 29–38 (1992)CrossRef
29.
K. Yasuda, “Sandwich” is indeed secure: how to authenticate a message with just one hashing, in Information Security and Privacy—ACISP 2007. Lecture Notes in Computer Science, vol. 4586 (Springer, Heidelberg, 2007), pp. 355–369
Metadaten
Titel
Another Look at Security Theorems for 1-Key Nested MACs
verfasst von
Neal Koblitz
Alfred Menezes
Copyright-Jahr
2014
Buch
Open Problems in Mathematics and Computational Science

Print ISBN: 978-3-319-10682-3

Electronic ISBN: 978-3-319-10683-0

Copyright-Jahr: 2014

DOI
https://doi.org/10.1007/978-3-319-10683-0_4