A tight bound for exhaustive key search attacks against Message Authentication Codes (original) (raw)
Related papers
Tight Bounds for Unconditional Authentication Protocols in the Manual Channel and Shared Key Models
IEEE Transactions on Information Theory, 2008
We address the message authentication problem in two seemingly different communication models. In the first model, the sender and receiver are connected by an insecure channel and by a low-bandwidth auxiliary channel, that enables the sender to "manually" authenticate one short message to the receiver (for example, by typing a short string or comparing two short strings). We consider this model in a setting where no computational assumptions are made, and prove that for any 0 < < 1 there exists a log * n-round protocol for authenticating n-bit messages, in which only 2 log(1/) + O(1) bits are manually authenticated, and any adversary (even computationally unbounded) has probability of at most to cheat the receiver into accepting a fraudulent message. Moreover, we develop a proof technique showing that our protocol is essentially optimal by providing a lower bound of 2 log(1/) − 6 on the required length of the manually authenticated string. The second model we consider is the traditional message authentication model. In this model the sender and the receiver share a short secret key; however, they are connected only by an insecure channel. Once again, we apply our proof technique, and prove a lower bound of 2 log(1/) − 2 on the required Shannon entropy of the shared key. This settles an open question posed by Gemmell and Naor (CRYPTO '93). Finally, we prove that one-way functions are essential (and sufficient) for the existence of protocols breaking the above lower bounds in the computational setting. A longer version, including proofs of all claims, appears as [15].
PAPER Coding Theorems for Secret-Key Authentication Systems
SUMMARY This paper provides the Shannon theoretic cod- ing theorems on the success probabilities of the impersonation attack and the substitution attack against secret-key authentica- tion systems. Though there are many studies that develop lower bounds on the success probabilities, their tight upper bounds are rarely discussed. This paper characterizes the tight upper bounds in an extended secret-key authentication system that in- cludes blocklength K and permits the decoding error probability tending to zero as K →∞ . In the extended system an encoder encrypts K source outputs to K cryptograms under K keys and transmits K cryptograms to a decoder through a public chan- nel in the presence of an opponent. The decoder judges whether K cryptograms received from the public channel are legitimate or not under K keys shared with the encoder. It is shown that 2−KI(W ;E) is the minimal attainable upper bound of the success probability of the impersonation attack, where I(W ; E) denotes th...
FRMAC, a Fast Randomized Message Authentication Code
2004
We revisit the randomized approach followed in the design of the RMAC message authentication code in order to construct a MAC with similar properties, but based on Wegman- Carter's "-universal hash families instead of a classical CBC chain. This yields a new message authentication code called FRMAC whose security bounds are, as in RMAC, beyond the birthday paradox limit. With ecient hash functions in software, the performance of FRMAC for large messages is similar to those of the fastest previously known schemes. FRMAC can also be more ecient for small messages. Furthermore, due to relaxed requirements about the nonces in the security proof, the implementation of FRMAC in real applications tends to be easier.
2015
Abstract. We revisit the randomized approach followed in the design of the RMAC message authentication code in order to construct a MAC with similar properties, but based on Wegman-Carter’s ε-universal hash families instead of a classical CBC chain. This yields a new message authentication code called FRMAC whose security bounds are, as in RMAC, beyond the birthday paradox limit. With efficient hash functions in software, the performance of FRMAC for large messages is similar to those of the fastest previously known schemes. FRMAC can also be more efficient for small messages. Furthermore, due to relaxed requirements about the nonces in the security proof, the implementation of FRMAC in real applications tends to be easier.
Coding theorems for secret-key authentication systems
This paper provides Shannon theoretic coding theorems on the impersonation attack and the substitution attack against authentication systems constructed by secret key cryptography. Though several lower bounds on the success probability of the impersonation attack and the substitution attack have been developed, their upper bounds are rarely discussed. This paper treats an extended authentication system including blocklength K and permits the decoding error probability tending to zero as K→∞. It is shown that 2-KI(W:E) is the smallest attainable upper bound of the success probability of the impersonation attack, where I(W;E) denotes the mutual information between cryptogram W and key E. A relationship between the success probability of the substitution attack and H(E|W) is also characterized, where H(E|W) denotes the conditional entropy of E given W
NMACA: a novel methodology for message authentication code algorithms
2009
For objects stored in long-term digital archives, checking the integrity of the information stored is a prime necessity in the field of secure storage systems. Objects in a digital archive may include documents, images, databases, ..., etc. In a long-term archive those objects could be transferred in many various ways. In many cases, users are required to verify the authentication of the archived information. The goal of all authentication algorithmic techniques is to verify that information in the archive is authentic and has not been unintentionally or maliciously altered. Integrity checks not only detect malicious attacks but also identify data corrupted information. Keyed hash functions whose specific purpose is message authentication are called message authentication code (MAC) algorithms. Many iterated MACs can be described as iterated hash functions. In this case, the MAC key is fed as an input to the compression function, and be involved in the compression function f at ever...
Computationally complete symbolic attacker and key exchange
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security - CCS '13, 2013
We show that the recent technique of computationally complete symbolic attackers proposed by Bana and Comon-Lundh [6] for computationally sound verification of security protocols is powerful enough to verify actual protocols. In their work, Bana and Comon-Lundh presented only the general framework, but they did not introduce sufficiently many axioms to actually prove protocols. We present a set of axioms-some generic axioms that are computationally sound for all PPT algorithms, two specific axioms that are sound for CCA2 secure encryptions, and a further minimal parsing assumption for pairing-and illustrate the power of this technique by giving the first computationally sound verification (secrecy and authentication) via symbolic attackers of the NSL Protocol that does not need any further restrictive assumptions about the computational implementation. In other words, all implementations for which the axioms are sound-namely, implementations using CCA2 encryption, and satisfying the parsing requirement for pairing-exclude the possibility of successful computational attacks. Furthermore, the axioms are entirely modular and not particular to the NSL protocol (except for the parsing assumption without which there is an attack).
V.: Provable-security analysis of authenticated encryption
2013
Kerberos is a widely-deployed network authentication protocol that is being considered for standardization. Many works have analyzed its security, identifying flaws and often suggesting fixes, thus helping the protocol’s evolution. Several recent results present successful formal-methods-based verification of a significant portion of the current version 5, and some even imply security in the computational setting. For these results to be meaningful, encryption in Kerberos should satisfy strong cryptographic security notions. However, neither currently deployed as part of Kerberos encryption schemes nor their proposed revisions are known to provably satisfy such notions. We take a close look at Kerberos ’ encryption and confirm that most of the options in the current version provably provide privacy and authenticity, some with slight modification that we suggest. Our results complement the formal-methods-based analysis of Kerberos that justifies its current design.
Information-Theoretic Bounds for Authentication Frauds
Lecture Notes in Computer Science, 1993
&tract, Several properties of authentication codes depend on a mathematical structure, called below a lraud scheme, which is much simplcr than the one originally given. Relying on this fact, we present a powerful lower bound, which is a sort of mould to painlessly derive a whole range of information-theoretic bounds to fraud probabilities in authentication coding.
The exact security of) Message authentication codes
2017
I hereby declare that this thesis is my own work and that it does not contain other people's work without this being so stated; this thesis does not contain my previous work without this being stated, and the bibliography contains all the literature that I used in writing the dissertation. I declare that this is a true copy of my thesis, including any final revisions, as approved by my thesis committee, and that this thesis has not been submitted for a higher degree to any other university or institution. I certify that any republication of materials presented in this thesis has been approved by the relevant publishers and co-authors.