On families of hash functions via geometric codes and concatenation
CRYPTO '93 Proceedings of the 13th annual international cryptology conference on Advances in cryptology
Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
Proceedings of the 4th International Workshop on Fast Software Encryption
FSE '97 Proceedings of the 4th International Workshop on Fast Software Encryption
On Fast and Provably Secure Message Authentication Based on Universal Hashing
CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
MMH: Software Message Authentication in the Gbit/Second Rates
FSE '97 Proceedings of the 4th International Workshop on Fast Software Encryption
Software-optimized universal hashing and message authentication
Software-optimized universal hashing and message authentication
New classes and applications of hash functions
SFCS '79 Proceedings of the 20th Annual Symposium on Foundations of Computer Science
The Poly1305-AES message-authentication code
FSE'05 Proceedings of the 12th international conference on Fast Software Encryption
Improved MACs from Differentially-Uniform Permutations
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
Information Security and Cryptology
On protecting integrity and confidentiality of cryptographic file system for outsourced storage
Proceedings of the 2009 ACM workshop on Cloud computing security
Message authentication on 64-bit architectures
SAC'06 Proceedings of the 13th international conference on Selected areas in cryptography
On efficient message authentication via block cipher design techniques
ASIACRYPT'07 Proceedings of the Advances in Crypotology 13th international conference on Theory and application of cryptology and information security
How to thwart birthday attacks against MACs via small randomness
FSE'10 Proceedings of the 17th international conference on Fast software encryption
A variant of poly1305 MAC and its security proof
CIS'05 Proceedings of the 2005 international conference on Computational Intelligence and Security - Volume Part II
The Poly1305-AES message-authentication code
FSE'05 Proceedings of the 12th international conference on Fast Software Encryption
Improving the security of MACs via randomized message preprocessing
FSE'07 Proceedings of the 14th international conference on Fast Software Encryption
New bounds for PMAC, TMAC, and XCBC
FSE'07 Proceedings of the 14th international conference on Fast Software Encryption
Γ-MAC[H, P]: a new universal MAC scheme
WEWoRC'11 Proceedings of the 4th Western European conference on Research in Cryptology
Cycling attacks on GCM, GHASH and other polynomial MACs and hashes
FSE'12 Proceedings of the 19th international conference on Fast Software Encryption
On security of universal hash function based multiple authentication
ICICS'12 Proceedings of the 14th international conference on Information and Communications Security
A new multi-linear universal hash family
Designs, Codes and Cryptography
| Hi-index | 0.00 |
Shoup proved that various message-authentication codes of the form (n,m) ↦ h(m) + f(n) are secure against all attacks that see at most $\sqrt{1/\epsilon}$ authenticated messages. Here m is a message; n is a nonce chosen from a public group G; f is a secret uniform random permutation of G; h is a secret random function; and ε is a differential probability associated with h. Shoup's result implies that if AES is secure then various state-of-the-art message-authentication codes of the form (n,m) ↦h(m)+AESk(n) are secure up to $\sqrt{ 1/\epsilon}$ authenticated messages. Unfortunately, $\sqrt{ 1/\epsilon}$ is only about 250 for some state-of-the-art systems, so Shoup's result provides no guarantees for long-term keys. This paper proves that security of the same systems is retained up to $\sqrt{\#G}$ authenticated messages. In a typical state-of-the-art system, $\sqrt{\#G}$ is 264. The heart of the paper is a very general “one-sided” security theorem: (n,m) ↦ h(m) + f(n) is secure if there are small upper bounds on differential probabilities for h and on interpolation probabilities for f.