| Message authentication codes based on the block cipher are researched, including the security analysis of some message authentication codes, the improvement of some message authentication codes, improving the security analysis of message authentication codes in order to obtain better upper bounds etc. We obtain the main results as follows:(1) OMAC1`` is an improvement of OMAC for avoiding the simple algebraic relationship between the last two keys and enhancing the resistance of OMAC to the key recovery attack and forgery attack. But some research result shows that OMAC1`` is not provable secure even if the underlying block cipher is a pseudorandom permutation. A pseudorandom permutation with some property can be constructed and if this pseudorandom permutation is used in OMAC1``, then OMAC1`` is completely insecure and simple forgery attacks can be obtained by using only one oracle query. So, the security of OMAC is not really improved by OMAC1``. OMAC1`` is less secure than the original OMAC. As the use of keys related by some fixed xor difference in the OMAC1``, under the stronger assumption that the underlying block cipher is a RKA-PRP against a certain class of related key attacks, OMAC1`` is proved to be a pseudorandom function.(2) Although existing block ciphers are still secure against known related key attacks, the assumption of RKA-PRP against a certain class of related key attacks on the block cipher is still stronger than the standard pseudorandom permutation assumption. Actually, almost all block cipher based message authentication codes proved their securities under the assumption of the underlying block cipher as a pseudorandom permutation. By setting the fixed xor difference of the keys to all zeros and using the encryption of some constant in the CBC computation, OMAC1`` is improved. The improved OMAC1`` can be proved to be secure under the standard pseudorandom permutation assumption. Also, the rationality of the modification is analyzed.(3) A message authentication code based on the DAG construction uses a sequence of colored graphs that are PRF-preserving. It includes many known constructions like XCBC, TMAC, OMAC, PMAC etc. An improved security analysis of the message authentication code using DAG construction is presented. The newly obtained bound is O ( qσ2 n), where an adversary can make at most q queries with at mostσmany blocks.(4) PMAC is a parallelizable message authentication code. The message blocks are masked before they are encrypted by the block cipher in order to avoid the attacks using the properties of the messages. But some useful information is issued in this process. Using this side channel, a new attack is proposed against PMAC. It is very practical in the setting where long messages are authenticated.(5) Originally, OPMAC is only proved to be unforgeable. Now, it is proved that OPMAC is also a pseudorandom function. For a message authentication code, PRF is a stronger security definition than unforgeability. So, OPMAC is not only unforgeable, but also it is a pseudorandom function. Furthermore, the new bound is expressed in terms of the total blocks in all the queries of an adversary, while the previous bound is expressed in terms of the maximum length of each query. This new bound is better than the original bound, if the lengths of queries are heavily unbalanced.(6) In some security protocols, there is usually a need to authenticate a group of data. But ordinary message authentication codes only take a single string as input, so it is necessary to design a message authentication code accepting a vector of strings as input. We present two constructions for vector-input message authentication codes. The first one makes use of the composition of universal hash families. First, the vector of strings is processed by a parallel universal hash function, the result is put into another universal hash function, and then it is encrypted. Under the assumption that the underlying block cipher is a pseudorandom permutation, its security is proved. But it needs three keys. The second construction uses only block ciphers. It simulates the structure of PMAC, the resultant vector-input message authentication code is two-level parallelizable. It needs only one key. At last, its security is proved.
|
PDF Full Text Request