Cryptography Reference
In-Depth Information
out to be the case, removing such redundancy can improve the eciency of the
overall composition.
One class of MACs that is of a particular interest, due its fast implementa-
tion, is the class of MACs based on universal hash-function families. In universal
hash-function families based MACs, the message to be authenticated is first com-
pressed using a universal hash function in the Wegman-Carter style [13, 49] and,
then, the compressed image is processed with a cryptographic function. Indeed,
processing messages using universal hash functions is faster than processing them
block by block using block ciphers. Combined with the fact that processing short
strings is faster than processing longer ones, it becomes evident why universal
hash functions based MACs are the fastest for message authentication [48].
Recently, however, Handschuh and Preneel [27] discovered a vulnerability in
universal hashing based MACs. They demonstrated that once a collision in the
hashing phase occurs, secret key information can be exposed, allowing subse-
quent forgeries to succeed with high probabilities. Their attack is not directed
to a specific universal hash family and can be applied to all such MACs. The
recommendations of the work in [27] are not to reuse the universal hash func-
tion key, thus going back to the impractical use of universal hash families for
unconditionally secure authentication, or proceeding with the less ecient, yet
more secure, block cipher based MACs.
Contributions. In this paper, we propose the deployment of a new crypto-
graphic primitive for the construction of secure channels using the E & A com-
position. We introduce the design of
E
-MACs, Message Authentication Codes
for
-MACs, we show
how the structure of the E & A system can be utilized to increase the eciency
and security of the authentication process. In particular, we show how a univer-
sal hash function based
E
ncrypted messages. By proposing the first instance of
E
-MAC can be computed with fewer operations than
what standard universal hash functions based MACs require. That is, we will
demonstrate that universal hash functions based
E
E
-MACs can be implemented
without the need to apply any cryptographic operation to the compressed image.
Moreover, we will also show how E -MACs can further utilize the special struc-
ture of the E & A system to improve the security of the authentication process.
More specifically, we will show how universal hash functions based E -MACs can
be secured against the key-recovery attack, to which standard universal hash
functions based MACs are vulnerable. Finally, we will show that the extra confi-
dentiality requirement on
-MACs can be achieved rather easily, again, by taking
advantage of the E & A structure.
E
2
Related Work
Many standard MACs that can be used in the construction of authenticated
encryption schemes have appeared in the literature. Standard MACs can be block
ciphers based, cryptographic hash functions based, or universal hash functions
based. CBC-MAC is one of the most known block cipher based MACs specified in
FIPS publication 113 [19] and the International Organization for Standardization
 
Search WWH ::




Custom Search