ISO/IEC 9797-1 [29]. CMAC, a modified version of CBC-MAC, is presented in
the NIST special publication 800-38B [15], which was based on OMAC of Iwata
and Kurosawa [31]. Other block cipher based MACs include, but are not limited
to, XOR-MAC [2] and PMAC [46]. The security of different MACs has been
exhaustively studied (see, e.g., [3, 43]).
HMAC is a popular example of the use of iterated cryptographic hash functions
to design MACs [1], which was adopted as a standard [20]. Another cryptographic
hash function based MAC is the MDx-MAC of Preneel and Oorschot [42]. HMAC
and two variants of MDx-MAC are specified in the International Organization
for Standardization ISO/IEC 9797-2 [30]. Bosselaers et al. described how cryptographic
hash functions can be carefully coded to take advantage of the structure
of the Pentium processor to speed up the authentication process [11].
The use of universal hash families was pioneered by Wegman and Carter
[13, 49] in the context of designing unconditionally secure authentication. The
use of universal hash functions for the design of computationally secure MACs
appeared in [7, 8, 9, 17, 26, 33, 40]. The basic concept behind the design of
computationally secure universal-hash-function-based MACs is to compress the
message using a universal hash function and then process the compressed output
using a cryptographic function. The key idea is that processing messages using
universal hash functions is faster than processing them block by block using
block ciphers. Then, since the hashed image is typically much shorter than the
message itself, processing the hashed image with a cryptographic function is
faster than processing the entire message.
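The two-step construction described above, as an added example that is not part of the original text: a polynomial universal hash over the prime field modulo 2^127-1 compresses the message to a single field element, and a per-nonce pseudorandom pad masks that element to form the tag. The use of HMAC-SHA256 as the stand-in pseudorandom function, the field size, and the 0x01 padding byte are assumptions of this example, not choices taken from the page.

```python
import hmac
import hashlib
import secrets

# Assumption: a Mersenne prime field for the polynomial hash (constructed choice).
P = (1 << 127) - 1


def universal_hash(r: int, message: bytes) -> int:
    """Polynomial universal hash: split the message into 16-byte blocks and
    evaluate the polynomial with those coefficients at the secret point r mod P."""
    h = 0
    for i in range(0, len(message), 16):
        block = message[i:i + 16]
        # Assumption: a trailing 0x01 byte marks the block length, so a short final
        # block is distinguished from the same bytes followed by zeros.
        m = int.from_bytes(block + b"\x01", "little")
        h = (h + m) * r % P
    return h


def prf(key: bytes, nonce: bytes) -> int:
    """Stand-in PRF (assumption): HMAC-SHA256 of the nonce, truncated to 128 bits.
    The nonce must never repeat under one key, or two tags leak the hash difference."""
    return int.from_bytes(hmac.new(key, nonce, hashlib.sha256).digest()[:16], "little")


def wc_mac(hash_key: int, prf_key: bytes, nonce: bytes, message: bytes) -> bytes:
    """Wegman-Carter style tag: the short hash image is what the cryptographic
    function masks, however long the message is."""
    tag = (universal_hash(hash_key, message) + prf(prf_key, nonce)) % (1 << 128)
    return tag.to_bytes(16, "little")


def wc_verify(hash_key: int, prf_key: bytes, nonce: bytes,
              message: bytes, tag: bytes) -> bool:
    """Constant-time comparison against a freshly computed tag."""
    return hmac.compare_digest(wc_mac(hash_key, prf_key, nonce, message), tag)


def generate_keys() -> tuple:
    """Fresh hash point r in [1, P-1] and a 32-byte PRF key."""
    return secrets.randbelow(P - 1) + 1, secrets.token_bytes(32)


if __name__ == "__main__":
    r, k = generate_keys()
    nonce = secrets.token_bytes(12)
    msg = b"constructed sample message for the MAC demo"
    t = wc_mac(r, k, nonce, msg)
    print(t.hex(), wc_verify(r, k, nonce, msg, t), wc_verify(r, k, nonce, msg + b"x", t))
```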
Since in many practical applications both message confidentiality and authenticity
are sought, the design of authenticated encryption schemes has historically attracted a
lot of attention. A variety of earlier schemes based on adding some redundancy
to messages before cipher block chaining (CBC) encryption were found
vulnerable to attacks [5]. Establishing secure channels by means of generic constructions
of authenticated encryption schemes was of particular interest. The
security relations among different notions of security in authenticated encryption
schemes were studied in detail in [5]. In [12], it was shown that EtA schemes
build secure channels and, in [38], the security of the three generic construction
methods is analyzed.
In a different direction, block cipher modes that combine encryption and message
authentication have been proposed in the literature. Proposals that use a simple
checksum or manipulation detection code (MDC) have appeared in [22, 34, 41].
Such simple schemes, however, are known to be vulnerable to attacks [32]. Other
dedicated schemes that combine encryption and message authenticity include
[6, 18, 23, 32, 35, 45]. In [32], Jutla proposed the integrity aware parallelizable
mode (IAPM), an encryption scheme with authentication. Gligor and Donescu
proposed the XECB-MAC [23]. Rogaway et al. [45] proposed OCB: a block-cipher
mode of operation for efficient authenticated encryption. Kohno et al.
[35] proposed a high-performance conventional authenticated encryption mode
(CWC), on which the NIST standard Galois/Counter Mode (GCM) was based
[16].