The Exact PRF Security of Truncation: Tight Bounds for Keyed Sponges and Truncated CBC
نویسندگان
چکیده
We prove (nearly) tight bounds on the concrete PRF-security of two constructions of message-authentication codes (MACs): (1) The truncated CBC-MAC construction, which operates as plain CBC-MAC (without prefix-free encoding of messages), but only returns a subset of the output bits. (2) The MAC derived from the sponge hash-function family by pre-pending a key to the message, which is the de-facto standard method for SHA-3-based message authentication. The tight analysis of keyed sponges is our main result and we see this as an important step in validating SHA-3-based authentication before its deployment. Still, our analysis crucially relies on the one for truncated CBC as an intermediate step of independent interest. Indeed, no previous security analysis of truncated CBC was known, whereas only significantly weaker bounds have been proved for keyed sponges following different approaches. Our bounds are tight for the most relevant ranges of parameters, i.e., for messages of length (roughly) ` ď mint2n{4, 2ru blocks, where n is the state size and r is the desired output length; and for q ě ` queries. Our proofs rely on a novel application of Patarin’s H-coefficient method to iterated MAC constructions.
منابع مشابه
Tight Bounds for Keyed Sponges and Truncated CBC
We prove (nearly) tight bounds on the concrete PRF-security of two constructions of message-authentication codes (MACs): (1) The truncated CBC-MAC construction, which operates as plain CBC-MAC (without prefix-free encoding of messages), but only returns a subset of the output bits. (2) The MAC derived from the sponge hash-function family by pre-pending a key to the message, which is the de-fact...
متن کاملOn The Exact Security of Message Authentication Using Pseudorandom Functions
Traditionally, modes of Message Authentication Codes(MAC) such as Cipher Block Chaining (CBC) are instantiated using block ciphers or keyed Pseudo Random Permutations(PRP). However, one can also use domain preserving keyed Pseudo Random Functions(PRF) to instantiate MAC modes. The very first security proof of CBC-MAC [BKR00], essentially modeled the PRP as a PRF. Until now very little work has ...
متن کاملNew Bounds for Keyed Sponges with Extendable Output: Independence Between Capacity and Message Length
We provide new bounds for the pseudo-random function security of keyed sponge constructions. For the case c ≤ b/2 (c the capacity and b the permutation size), our result improves over all previouslyknown bounds. A remarkable aspect of our bound is that dependence between capacity and message length is removed, partially solving the open problem posed by Gaži et al. at CRYPTO 2015. Our bound is ...
متن کاملRevisiting Structure Graph and Its Applications to CBC-MAC and EMAC
In Crypto’05, Bellare et al. proved O(`q/2) bound for the PRF (pseudorandom function) security of the CBC-MAC based on an n-bit random permutation Π, provided ` < 2. Here an adversary can make at most q prefix-free queries each having at most ` “blocks” (elements of {0, 1}). In the same paper O(`q/2) bound for EMAC (or encrypted CBC-MAC) was proved, provided ` < 2. Both proofs are based on stru...
متن کاملRevisiting structure graphs: Applications to CBC-MAC and EMAC
In Crypto’05, Bellare et al. proved an O(lq/2) bound for the PRF (pseudorandom function) security of the CBC-MAC based on an n-bit random permutation Π, provided l < 2. Here an adversary can make at most q prefix-free queries each having at most l many “blocks” (elements of {0, 1}). In the same paper an O(lq/2) bound for EMAC (or encrypted CBC-MAC) was proved, provided l < 2. Both proofs are ba...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2015 شماره
صفحات -
تاریخ انتشار 2015