How to construct pseudorandom permutations from pseudorandom functions
SIAM Journal on Computing - Special issue on cryptography
The security of the cipher block chaining message authentication code
Journal of Computer and System Sciences
HBS: A Single-Key Mode of Operation for Deterministic Authenticated Encryption
Fast Software Encryption
Selected Areas in Cryptography
BTM: A Single-Key, Inverse-Cipher-Free Mode for Deterministic Authenticated Encryption
Selected Areas in Cryptography
One-pass HMQV and asymmetric key-wrapping
PKC'11 Proceedings of the 14th international conference on Practice and theory in public key cryptography conference on Public key cryptography
A provable-security treatment of the key-wrap problem
EUROCRYPT'06 Proceedings of the 24th annual international conference on The Theory and Applications of Cryptographic Techniques
The security of triple encryption and a framework for code-based game-playing proofs
EUROCRYPT'06 Proceedings of the 24th annual international conference on The Theory and Applications of Cryptographic Techniques
Hi-index | 0.00 |
Key wrapping schemes are used to encrypt data of high entropy, such as cryptographic keys. There are two known security definitions for key wrapping schemes. One captures the security against chosen plaintext attacks (called DAE-security), and the other captures known plaintext attacks (called AKW-security). In this paper, we revisit the security of Hash-then-CBC key wrapping schemes. At SKEW 2011, Osaki and Iwata showed that the U CC -then-CBC key wrapping scheme, a key wrapping scheme that uses the U CC hash function and the CBC mode, has provable AKW-security. In this paper, we show that the scheme achieves the stronger notion of DAE-security. We also show our proof in the variable input length setting, where the adversary is allowed making queries of varying lengths. To handle such a setting, we generalize the previous definition of the U CC hash function to the variable input length setting, and show an efficient construction that meets the definition. We next consider linear-then-CBC, 2nd-preimage-resistant-then-CBC, and universal-then-CBC schemes. At SAC 2009, Gennaro and Halevi noted that these schemes do not achieve DAE-security. However, details were not presented, and we show concrete and efficient chosen plaintext attacks on these schemes, and confirm that they do not achieve DAE-security.