In other words, r can be used to randomize the key in every authentication call.
Assume the same attack described in Example 1 and let $M' = m_2 \,\|\, \alpha m_1$ passes the verification test, for some $\alpha \in \mathbb{Z}_p$. This time, however,

$$k_1' \equiv \beta k_2' \mod p, \qquad (14)$$

where $k_1' = k_1 r$, $k_2' = k_2 r$, and $\beta = (\alpha m_1 - m_2)(m_1 - m_2)^{-1}$ is the relation revealed to the adversary. For any future authentication, the sender will generate a new random number $r'$ that is independent of $r$. Thus, the keys that will be used for authentication will be $k_1''$ and $k_2''$, where $k_i'' = k_i r'$ for $i = 1, 2$. That is, from the standpoint of key-recovery attacks, by using equation (13) instead of equation (12), different authentication tags are computed with different keys. Therefore, finding a collision in the message compression phase does not lead to information leakage about the keys, as long as the same nonce does not authenticate different messages. (Note that there is no need to randomize $k_B$ since it is independent of the message to be authenticated.)
Remark 6. This shows how the system can be designed to utilize the authenticated encryption application to increase the robustness of universal hash functions based $\mathcal{E}$-MACs. This could not have been achieved without the use of the fresh random number r that was secretly delivered to the verifier as part of the ciphertext.

7 Conclusion and Future Work
In this work, we studied the encrypt-and-authenticate generic composition of secure channels. We introduced $\mathcal{E}$-MACs, a new symmetric-key cryptographic primitive that can be used in the construction of E&A compositions. By taking advantage of the E&A structure, the use of $\mathcal{E}$-MACs is shown to improve the efficiency and security of the authentication operation. More precisely, since the message to be authenticated is encrypted, universal hash functions based $\mathcal{E}$-MACs can be designed without the need to apply cryptographic operations on the compressed image, since this can be replaced by operations performed by the encryption algorithm. Further, by appending a random string at the end of the plaintext message, two security objectives have been achieved. First, the random string is used to encrypt the authentication tag so that the secrecy of the plaintext is not compromised by its tag. Second, the random string can be used to randomize the secret key of the used $\mathcal{E}$-MAC so that it will be secure against key-recovery attacks.
Since this is only the first work in this direction, bringing more research can only contribute positively towards the design of more efficient and more secure authentication. One specific direction that is yet to be investigated is the use of encryption algorithms that provide more than just semantic security. In particular, since most secure block ciphers are pseudorandom permutations, using block ciphers operated in different modes is a promising direction for more improvements in the design of $\mathcal{E}$-MACs.