The Research And Design Of Authenticated Encryption Scheme Based On Improved Merkle-Damg(?)rd Construction

Authenticated encryption technology is developed by the combination of encryption technology and authentication technology,which simultaneously provides confidentiality,integrity and authenticity assurance on the data.In recent years,CAESAR(Competition for Authenticated Encryption: Security,Applicability,and Robustness)competition is initiated to call authenticated encryption scheme with high performance,which attracts a lot of interest to design authenticated encryption schemes based on symmetric-key schemes.At present,there are three ways to design authenticated encryption scheme,namely schemes based on block cipher,random permutation and compression function.Most of these schemes are designed based on block cipher,but the widely used CCM(Counter with CBC-MAC Mode)and GCM(Galois/Counter Mode)are not ideal.CCM simply combines the CTR(Counter Mode)with the CBC-MAC(Cipher Block Chaining-Message Authentication Code),which can not run in parallel with low efficiency;Although GCM can run in parallel with the improved reliability and efficiency,GCM must introduce the bits representing the lengths of associated data and ciphertext,which is a shortage in GCM especially for short message.In CAESAR submissions,there are many algorithms constructed based on random permutation and compression function.This paper integrates good performance advocated by CAESAR to study and design authenticated encryption scheme based on the MD(Merkle-Damg(?)rd)construction iterated by the compression function,which is mainly studied from the following aspects:(1)The basic theory of authenticated encryption scheme is described.Based on the algorithm of symmetric-key encryption,the algorithm and basic mode of block cipher are described,and the CPA(Chosen-Plaintext Attack)and CCA(Chosen-Ciphertext Attack)under Kerckhoffs hypothesis and the effective attack on block cipher is analyzed.We describe the stream cipher and its pseudorandomness,and then introduce construction method of hash function,focusing on the security requirements of hash function.We discuss the authentication principle of MAC(Message Authentication Code),and analyze the authentication code algorithm HMAC(Hashed Message Authentication Code)based on keyed hash function and PMAC(Parallelizable Message Authentication Code)based on block cipher.(2)The construction and related property of MD structure are introduced.We analyze the series of attacks on the MD structure,and focus on modified and improved MD structure.The proposed MDP(Merkle-Damg(?)rd with a Permutation)scheme is against the length extended attack faced by MD construction.The permutation is introduced cleverly to avoid the extended attack,and the MDP may produce multiple independent PRFs(Pseudorandom Functions)using a single secret key and multiple permutations if the underlying compression function is a PRF against related-key attacks with respect to the permutations.Following we analyze the security of MDP and use MDP to generate the message authentication code,which can process the block safely and effectively.(3)We presented the authenticated encryption scheme FCM(compression Function/Counter Mode)based on the MD construction,which has the features of parallelizable online operation,precomputable,relatively efficient for short message,simple decryption and verification,and provable security.We adopt the underlying compression function which is a PRF against related-key attack to design parallelizable online encryption scheme referring to the CTR mode in GCM,and improve the processing speed.In the authentication part,we design two parallel MDP structures to produce corresponding MACs of the associated data and ciphertext,and then the two MACs do XOR operation to get the final MAC.At last we prove the confidentiality boundary against CPA and certification boundary against CCA of the new scheme FCM according to the theory of provable security,and demonstrate that FCM is secure against the length extended attack.