Another Look at Security Theorems for 1-Key Nested MACs

نویسندگان

  • Neal Koblitz
  • Alfred Menezes
چکیده

We prove a security theorem without collision-resistance for a class of 1-key hash-function-based MAC schemes that includes HMAC and Envelope MAC. The proof has some advantages over earlier proofs: it is in the uniform model, it uses a weaker related-key assumption, and it covers a broad class of MACs in a single theorem. However, we also explain why our theorem is of doubtful value in assessing the real-world security of these MAC schemes. In addition, we prove a theorem assuming collision-resistance. From these two theorems we conclude that from a provable security standpoint there is little reason to prefer HMAC to Envelope MAC or similar schemes.

برای دانلود رایگان متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

Constructing Rate-1 MACs from Related-Key Unpredictable Block Ciphers: PGV Model Revisited

Almost all current block-cipher-based MACs reduce their security to the pseudorandomness of their underlying block ciphers, except for a few of them to the unpredictability, a strictly weaker security notion than pseudorandomness. However, the latter MACs offer relatively low efficiency. In this paper, we investigate the feasibility of constructing rate-1 MACs from related-key unpredictable blo...

متن کامل

Another Look at PMAC

We can view an existing Message Authentication Code (MAC) as a Carter-Wegman MAC in spite of the fact it may not have been designed as one. This will make the analysis easier than it has been when considered from other viewpoints. In this paper, we can look PMAC with two keys as a Carter-Wegman MAC and get a simple security proof for it. Using this viewpoint to look at PMAC, we will learn not o...

متن کامل

Impact of ANSI X9.24-1: 2009 Key Check Value on ISO/IEC 9797-1: 2011 MACs

ANSI X9.24-1:2009 specifies the key check value, which is used to verify the integrity of the blockcipher key. This value is defined as the most significant bits of the ciphertext of the zero block, and is assumed to be publicly known data for verification. ISO/IEC 9797-1:2011 illustrates a total of ten CBC MACs, where one of these MACs, the basic CBC MAC, is widely known to be insecure. In thi...

متن کامل

Lecture 2 : Optimality of One - time MACs and Shannon Impossibility

Today we conclude with our study with one-time message authentication codes. In Lecture 1, we defined one-time secure MACs and constructed these MACs using δ − AXU functions. Furthermore, we showed that the security of this construction lost security exponentially with as the min-entropy of the key decreased. We show that the constructions achieved in Lecture 1 were essentially tight. We will d...

متن کامل

Lecture 2 : Optimality of One - time MACs and Shannon Impossibility

Today we conclude with our study with one-time message authentication codes. In Lecture 1, we defined one-time secure MACs and constructed these MACs using δ − AXU functions. Furthermore, we showed that the security of this construction lost security exponentially with as the min-entropy of the key decreased. We show that the constructions achieved in Lecture 1 were essentially tight. We will d...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

عنوان ژورنال:

دوره   شماره 

صفحات  -

تاریخ انتشار 2013