Designs, Codes and Cryptography manuscript No. (will be inserted by the editor)

Security of Message Authentication Codes in the Presence of Key-Dependent Messages

Madeline González Muñiz · Rainer Steinwandt

Received: date / Accepted: date

Abstract In recent years, the security of encryption and signature schemes in the presence of key-dependent plaintexts has received attention, and progress in understanding such scenarios has been made. In this paper we motivate and discuss a setting where an adversary can access tags of a message authentication code (MAC) on key-dependent message inputs, and we propose a way to formalize the security of MACs in the presence of key-dependent messages (KD-EUF). Like signature schemes, MACs have a verification algorithm, and hence the tagging algorithm must be stateful. We present a scheme MAC-ver which offers KD-EUF security and also yields a forward-secure scheme.

Keywords message authentication codes · key-dependent message

1 Introduction

Established security notions for encryption schemes like IND-CCA refer to scenarios where encrypted plaintexts do not depend on the secret key. For some scenarios—like encrypting a hard disk storing the secret decryption key—such a security model is inadequate. In recent years, significant progress in understanding such cryptographic settings has been made (see [1, 5, 8–11], for instance). Here, we explore the scenario of key-dependent messages in message authentication codes (MACs). For example, an adversary may be granted access to a MAC of a (possibly encrypted) backup of a hard disk containing the secret tagging key; this is a scenario not covered by EUF-CMA security.

M. González Muñiz
Cybernetica AS, Estonia, E-mail: [email protected]

R. Steinwandt
Florida Atlantic University, USA, E-mail: [email protected]


Our contribution. Following the notion of key-dependent message security (KDM) as proposed by Black et al. [5], we propose a formalization of security in the presence of key-dependent MACs (KD-EUF). For stateless signers, this level of security is impossible to achieve—even in the random oracle model, where one might be tempted to believe that designing a MAC is not particularly challenging. We present a stateful scheme (MAC-ver) that offers KD-EUF security in the random oracle model.

Further related work. In addition to research on encryption and signing in the presence of key-dependent messages, leakage resilience is of interest for the context of our paper (see, for instance, [6, 7, 13, 16, 18]). Leakage functions are used to model leaked information as occurring during a side-channel attack, which may include information about the secret key. Unlike in the case of typical leakage functions, the functions f that we allow the adversary to query may leak a complete secret state. However, in our setting an adversary does not obtain output values of f directly, but rather the result of the tag generation algorithm when applied to images under f; thus our discussion seems more adequate for dealing with "structural" than with side-channel attacks.

2 Message Authentication Codes and Existential Unforgeability

We formalize MACs as in [15], but we interpret the secret value K not as a (static) key but rather as the state of the user; i.e., all secret information of the user is part of the state. The security of MACs has been researched extensively—including the work in [2, 12, 14, 17].

Definition 1 (Message authentication code) A message authentication code Π is a triple of, possibly stateful, polynomial time algorithms (K, T, V):

– The randomized key generation algorithm K returns a string K on input of the security parameter 1^k. We denote the generation of the initial state by K ←$ K(1^k).
– The tag generation algorithm T, which may be randomized or stateful, takes a state K and a message M ∈ {0,1}* to return a tag T ∈ {0,1}* ∪ {⊥}, and we denote it by T ←$ T_K(M). Here ⊥ ∉ {0,1}* is a dedicated symbol to indicate an error.
– The deterministic MAC-verification algorithm V takes a state K, a message M ∈ {0,1}* and a candidate tag T ∈ {0,1}* to return either 1 (Accept) or 0 (Reject). We write d ← V_K(M, T) with d denoting the decision bit returned.

We require that for K ←$ K(1^k), with overwhelming probability for any message M ∈ {0,1}* and tag T ←$ T_K(M) the condition V_K(M, T) = 1 holds.

An adversary may repeat a transmission of a valid pair (M, T) and get the receiver to accept it once again; this is known as a replay attack. In the definition of security that we present, we do not consider this a valid forgery; existential unforgeability against chosen message attacks (EUF-CMA) is defined as follows.

Definition 2 (EUF-CMA) Let Π = (K, T, V) be a message authentication code, and let A^euf be a probabilistic polynomial time algorithm. Consider the following attack scenario:

1. Compute a secret state K ←$ K(1^k).
2. The adversary A^euf is given unrestricted access to a tag generation oracle O_T and verification oracle O_V to run T_K and V_K.
3. Eventually, A^euf outputs a message/tag pair (M, T).

Let QueriedEarlier be the event that A^euf outputs a message M that has been queried to the tag generation oracle O_T already. The success probability Succ^euf_A = Succ^euf_A(k) of A^euf is defined as

  Succ^euf_A := Pr[V_K(M, T) = 1 and ¬QueriedEarlier],

and we refer to the MAC Π as secure in the sense of EUF-CMA if Succ^euf_A is negligible for all probabilistic polynomial time adversaries A^euf.

3 MAC Security in the Presence of Key-Dependent Queries

Informally, a MAC Π is KD-EUF (key-dependent existentially unforgeable) secure if it is secure despite a forger's ability to obtain tags on arbitrary (efficiently computable) functions g of the state K. We begin by making this intuition more precise and then show how to achieve this security requirement in the random oracle model. While one may be tempted to think that the use of a random oracle makes the construction of a MAC trivial, the presence of key-dependent queries changes the situation significantly—even with a random oracle there is no stateless KD-EUF-secure MAC (see Remark 1).

3.1 Defining KD-EUF security

Unlike a digital signature, the verification of a MAC requires knowledge of the secret key, so we provide our adversary A^kd with a verification oracle in addition to the key-dependent tag generation oracle.

Definition 3 (KD-EUF) Let Π = (K, T, V) be a message authentication code, and let A^kd be a probabilistic polynomial time algorithm. Consider the following attack scenario:

1. Compute a secret state K ←$ K(1^k).
2. The adversary A^kd is given unrestricted access to a tag generation oracle Ô_T and verification oracle O_V to run T_K and V_K. The oracle Ô_T accepts as input a function g, represented as a boolean circuit of polynomial size, and executes the tag generation algorithm T with the current state K and the message g(K) as input.¹
3. Eventually, A^kd outputs a message M ∈ {0,1}* and a tag T.

Let QueriedEarlier be the event that A^kd outputs a message M such that one of A^kd's queries g to the tagging oracle Ô_T evaluated to g(K) = M. Then the success probability Succ_{A^kd} = Succ_{A^kd}(k) of A^kd is defined as

  Succ_{A^kd} := Pr[V_K(M, T) = 1 and ¬QueriedEarlier],

and we call the MAC Π secure in the sense of KD-EUF if Succ_{A^kd} is negligible for all probabilistic polynomial time adversaries A^kd.

As a negative result, we note that no MAC with a stateless tag generation algorithm can meet the security goal of KD-EUF—this follows with the same argument as used for digital signatures in [8]. Access to a verification oracle (resp. verification key) is a rather powerful tool for adversaries against MACs (resp. signature schemes) when functions of the secret key can be summoned:

Remark 1 Let Π = (K, T, V) be a MAC with a stateless tag generation algorithm T; i.e., the secret state K is not changed by executing T. Then the MAC Π is not secure in the sense of KD-EUF.

3.2 Achieving KD-EUF security

In this section, we define a stateful MAC that we prove to be KD-EUF-secure in the random oracle model. As hinted at by Remark 1, even with a random oracle the existence of a KD-EUF-secure MAC is not immediate.

Definition 4 (The scheme MAC-ver) We define the stateful message authentication code MAC-ver = (K, T, V) with security parameter k, message space {0,1}*, key space {0,1}^k, and random oracle H : {0,1}* → {0,1}^k as follows.

– K(1^k) outputs a uniformly at random chosen key K ←$ {0,1}^k.
– The sender runs T_K(M), which samples R ←$ {0,1}^k, outputs the tag T := (R, H(0 ‖ M ‖ R ‖ K)) and updates the state K to K := H(K ‖ R).
– If the receiver runs V_K(M, T) and verifies that D = H(0 ‖ M ‖ R ‖ K) on input T = (R, D), it sets K := H(K ‖ R) and outputs 1, i.e., the tag is accepted. Otherwise V_K(M, T) outputs 0, i.e., the tag is rejected.

¹ In the random oracle model, g may invoke the random oracle.
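The following is an added worked example of the scheme MAC-ver of Definition 4; it is not code from the paper or its authors. It assumes the random oracle H is instantiated by SHA-256 truncated to k = 128 bits, and it exercises the in-order requirement: a replayed, reordered or tampered tag is rejected and leaves the receiver's state untouched.

```python
"""Toy instantiation of the stateful scheme MAC-ver (Definition 4).

Added example, not the authors' code. Assumption: the random oracle
H : {0,1}* -> {0,1}^k is replaced by SHA-256 truncated to k = 128 bits.
"""
import hashlib
import hmac
import os

K_BYTES = 16  # k = 128 bits (constructed choice)


def H(data: bytes) -> bytes:
    """Random-oracle stand-in: SHA-256 truncated to k bits."""
    return hashlib.sha256(data).digest()[:K_BYTES]


def keygen() -> bytes:
    """K(1^k): uniformly random k-bit key, the initial shared state."""
    return os.urandom(K_BYTES)


class Sender:
    """Holds the secret state K and runs T_K(M)."""

    def __init__(self, key: bytes) -> None:
        self.K = key

    def tag(self, M: bytes) -> tuple:
        R = os.urandom(K_BYTES)            # fresh R <-$ {0,1}^k per tag
        D = H(b"\x00" + M + R + self.K)    # D = H(0 || M || R || K)
        self.K = H(self.K + R)             # state update K := H(K || R)
        return (R, D)


class Receiver:
    """Holds the same state and runs V_K(M, T); evolves only on accept."""

    def __init__(self, key: bytes) -> None:
        self.K = key

    def verify(self, M: bytes, T: tuple) -> int:
        R, D = T
        if len(R) != K_BYTES or len(D) != K_BYTES:
            return 0
        if not hmac.compare_digest(D, H(b"\x00" + M + R + self.K)):
            return 0                       # reject: state is left untouched
        self.K = H(self.K + R)             # accept: evolve in lock-step
        return 1


def demo() -> dict:
    """Sender and receiver in lock-step, plus the in-order requirement."""
    K0 = keygen()
    sender, receiver = Sender(K0), Receiver(K0)
    msgs = [b"first", b"second", b"third"]        # constructed sample run
    tags = [sender.tag(m) for m in msgs]
    out = {}
    out["in_order"] = [receiver.verify(m, t) for m, t in zip(msgs, tags)]
    out["synced"] = sender.K == receiver.K         # states agree after 3 tags
    # Replaying an already accepted tag fails: the receiver state moved on.
    out["replay"] = receiver.verify(msgs[0], tags[0])
    # A second receiver starting from K0 must see the tags in order.
    late = Receiver(K0)
    out["out_of_order"] = late.verify(msgs[1], tags[1])
    out["tampered"] = late.verify(b"First", tags[0])
    # Rejections did not touch its state, so the correct first tag still works.
    out["after_reject"] = late.verify(msgs[0], tags[0])
    return out


if __name__ == "__main__":
    print(demo())
```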


Note that in the above scheme, we assume that messages are verified "in order"; the verifier updates its state if and only if a tag verification was successful. We have the following result.

Theorem 1 If H is a random oracle, the scheme MAC-ver = (K, T, V) as in Definition 4 is secure in the sense of KD-EUF.

Proof We will create a series of games in which we alter the environment of the adversary. During each transition, the adversary may only gain a negligible advantage; hence, the probability of creating a forgery differs negligibly. Suppose that a probabilistic polynomial time adversary A^kd can forge with non-negligible probability, let q_T be a polynomial upper bound on the number of A^kd's queries to the tagging oracle, and similarly let q_H be a polynomial upper bound on the number of queries of A^kd to the random oracle H (including indirect queries through verification or tagging queries).

Game 0. This is a trivial simulation of the original game in the definition of EUF-CMA security. All needed oracles for A^kd can be simulated faithfully.

• Random oracle: To simulate A^kd's random oracle H, we create an empty list L_RO. Then, whenever A^kd queries its random oracle with a message X such that L_RO contains no entry of the form (X, ·), we choose a value H(X) ∈ {0,1}^k uniformly at random, append the pair (X, H(X)) to L_RO and send H(X) to A^kd. In case A^kd queries L_RO a second time with the same value X, we return the stored random value H(X). We assume without loss of generality that A^kd does not repeat a direct random oracle query. We define Domain(H) to be the set of points X where an entry of the form (X, ·) is in L_RO.
• Tagging and verification oracle: Knowing the secret key, we can faithfully answer all tag queries to Ô_T and verification queries to O_V, by executing T and V respectively with the appropriate input and using the above simulation of the random oracle H.

Game 1. By Collision we denote the event that during the simulation, the pairs (X, H(X)) and (X′, H(X′)) in L_RO are stored, where X ≠ X′ and H(X) = H(X′). Whenever the event Collision occurs, the simulation is restarted. As A^kd is polynomially bounded, Collision occurs with negligible probability only, and subsequently, we may assume that the event Collision does not occur.

Game 2. In this game, we pick a value j ∈ {0, . . . , q_T} uniformly at random. If A^kd does not forge after the j-th and before the (j+1)-st query to the tagging oracle, we abort. Since q_T is polynomial in the security parameter k, A^kd can still forge with non-negligible probability.

Game 3. Now we change the simulation of the tagging oracle Ô_T: we claim that providing the adversary with (R, H(R ‖ K)) instead of (R, H(0 ‖ M ‖ R ‖ K)) during the j-th query to Ô_T does not significantly change A^kd's ability to forge. Denoting by K_j the state after the j-th tagging query, there are two cases to consider: A^kd can (Case 1) or cannot (Case 2) predict² g(K_j) with non-negligible probability.

• Case 1: Suppose that A^kd can predict the value of g(K_j) with non-negligible probability. Then we modify A^kd and force it to replace g(K_j) with a key-independent query M, where M is the predicted value. Note that the adversary wins if the verification algorithm accepts a tag for a message not previously summoned from the tagging oracle, and the verification oracle automatically updates the secret key after a successful verification. Thus, without loss of generality, we can assume that A^kd does not verify the tag for message M received in the j-th query to Ô_T. Suppose that A^kd can distinguish between H(0 ‖ M ‖ R ‖ K_j) and H(R ‖ K_j) without using the verification oracle. Since the key K_j has not been used in a previous tag, A^kd could only distinguish between the two values by using direct random oracle queries. Although A^kd knows M (with non-negligible probability) and R, this would also imply that A^kd knows K_j. Since K_j is chosen fresh for each tag, A^kd can guess K_j with probability of at most 1/2^k, which is negligible. Since 0 is not prepended in the argument of H(R ‖ K_j), the latter hash value can only be a valid tag for some message if the event Collision occurs, which we excluded in Game 1 already. Consequently, substituting the value H(0 ‖ M ‖ R ‖ K_j) with H(R ‖ K_j) will not be noticed by A^kd.
• Case 2: Suppose that A^kd has a negligible probability of predicting the value M = g(K_j). Verifying the tag for message M would contradict A^kd being able to forge during the j-th query. Since A^kd has a negligible probability of predicting the value M, A^kd's probability of verifying the tag for M is also negligible. Therefore, without loss of generality, we may assume that A^kd does not verify the tag for M. Similar to Case 1, A^kd can only distinguish between H(0 ‖ M ‖ R ‖ K_j) and H(R ‖ K_j) using direct oracle queries with negligible probability. Hence, substituting H(0 ‖ M ‖ R ‖ K_j) with H(R ‖ K_j) will not be noticed by A^kd.

Game 4. In this game, we claim that there is no need to faithfully simulate the key update in the scheme; rather we can choose new keys uniformly at random. Given a tag T = (R, D), the new key H(K ‖ R) should be indistinguishable from a random k-bit string. Given (R, H(R ‖ K)) (instead of (R, H(0 ‖ M ‖ R ‖ K)), due to Game 3), can A^kd distinguish between H(K ‖ R) and a random k-bit string where R is given and |K| = k? Since K = R with probability at most 1/2^k, which is negligible, we can assume that K ≠ R (otherwise distinguishing becomes trivial). Since we assumed from Game 1 that the event Collision does not occur, we have that H(K ‖ R) is not equal to an element previously output by H. As a result, A^kd cannot distinguish between H(K ‖ R) and a random k-bit string, so there is no need to faithfully simulate the key update in T or V.

Suppose that A^kd creates a forgery (M_F, (R_F, D_F)) without the event Collision occurring. If 0 ‖ M_F ‖ R_F ‖ K_j ∉ Domain(H), then H(0 ‖ M_F ‖ R_F ‖ K_j) is a uniformly at random chosen element in {0,1}^k, and the probability that D_F = H(0 ‖ M_F ‖ R_F ‖ K_j) is 1/2^k, which is negligible. If 0 ‖ M_F ‖ R_F ‖ K_j ∈ Domain(H), then we need to consider two cases: either 0 ‖ M_F ‖ R_F ‖ K_j has been queried implicitly by a tagging query, or it has not. The former case contradicts a forgery, and hence the hash value for 0 ‖ M_F ‖ R_F ‖ K_j has been assigned through a direct random oracle query by A^kd. In turn, this implies that A^kd knows the full key K_j given (R, H(R ‖ K_j)). Since we assumed that the event Collision does not occur, A^kd gets K_j by computing the preimage of H(R ‖ K_j). Since H(R ‖ K_j) is a random element and |K_j| = k, the probability of A^kd computing the preimage of H(R ‖ K_j) is negligible in k. This is a contradiction to A^kd forging with non-negligible probability. □

² meaning there is a probabilistic polynomial time extractor which derives from the state of A^kd the value to be predicted

4 Forward-Secure Message Authentication Codes

In [4], Bellare and Yee propose a stateful general construction that lifts any EUF-CMA-secure MAC to one that is forward-secure. By forward-secure, we mean that in the case of key-exposure during some time period j, an adversary cannot forge tags for any time period in the past. Using a variant of the scheme MAC-ver in Definition 4, we will prove that the new scheme is forward-secure as defined below. To do so, we first define the notion of a key-evolving message authentication code.

Definition 5 (Key-Evolving Message Authentication Codes) A key-evolving message authentication code Ψ = (K^f, T^f, V^f, U^f, n) consists of four polynomial time algorithms along with a natural number n.

– The randomized key generation algorithm K^f returns a string K_0 on input of the security parameter 1^k, and we denote it by K_0 ←$ K^f(1^k).
– During each time period j ∈ {1, 2, . . . , n}, the parties use a key denoted K_j (which contains j). The key K_j is obtained by using the deterministic key-update algorithm: K_j ← U^f(K_{j−1}). After the update, K_{j−1} is deleted.
– Within time period j, the tag generation algorithm T^f takes a key K_j and a message M ∈ {0,1}* to return a tag T ∈ {0,1}* ∪ {⊥} along with time period j, and we denote this by ⟨T, j⟩ ←$ T^f_{K_j}(M). Here ⊥ ∉ {0,1}* is a dedicated symbol to indicate an error.
– In time period j, the deterministic MAC-verification algorithm V^f takes a key K_j, a message M ∈ {0,1}* and a candidate tag T ∈ {0,1}* to return either 1 (Accept) or 0 (Reject). We write d ← V^f_{K_j}(M, ⟨T, j⟩) with d denoting the decision bit returned.

When defining forward-security, we allow the adversary to query chosen messages adaptively using the provided tagging and verification oracles within a time period j. Once the adversary has moved on to a new time period, messages from the past cannot be queried since using the key-update algorithm deletes the previous key. The adversary, A^fwd, can choose a time period during which the current secret key K_j is revealed as long as j ≤ n.

Definition 6 (FWD-CMA) Let Ψ = (K^f, T^f, V^f, U^f, n) be a key-evolving message authentication code, and let A^fwd be a probabilistic polynomial time algorithm. Let ε be the empty string, and let h be a history kept by the adversary between invocations. Consider the following attack scenario:

1. Compute a secret state K_0 ←$ K^f(1^k). Set j ← 0 and h ← ε.
2. repeat
   – j ← j + 1; K_j ← U^f(K_{j−1})
   – The adversary A^fwd is given unrestricted access to a tag generation oracle O_{T^f} and verification oracle O_{V^f} to run T^f and V^f.
   – A^fwd outputs (c, h).
   until (c = breakin) or j = n
   if c ≠ breakin and j = n then j ← n + 1
3. Eventually A^fwd will output a message M ∈ {0,1}* and a tag ⟨T, l⟩ with 1 ≤ l < j.

Let QueriedEarlier be the event that A^fwd outputs a message M queried to the tagging oracle O_{T^f} in time period l already. Then the success probability Succ_{A^fwd} = Succ_{A^fwd}(k) of A^fwd is defined as

  Succ_{A^fwd} := Pr[V^f_{K_l}(M, ⟨T, l⟩) = 1 and ¬QueriedEarlier],

and we call the key-evolving MAC Ψ secure in the sense of FWD-CMA if Succ_{A^fwd} is negligible for all probabilistic polynomial time adversaries A^fwd.

During each time period, an adversary can query a polynomial number of messages on a fixed key. If these queries are allowed to be key-dependent, the adversary can extract the key for that period bit-by-bit. Hence, forward-security does not imply security in the presence of key-dependent messages. We now propose a variant of the scheme MAC-ver which is secure in the sense of FWD-CMA.

Definition 7 (The scheme fMAC-ver) The stateful key-evolving MAC scheme fMAC-ver = (K^f, T^f, V^f, U^f, n) with security parameter k, message space {0,1}*, key space {0,1}^k, and oracle H : {0,1}* → {0,1}^k is specified as follows, where bin(j) is the k-bit binary representation of time period j.

– K^f(1^k) selects R ∈ {0,1}^k uniformly at random, and outputs K_0 where K_0 := H(R) ‖ bin(0).
– The update algorithm U^f takes as input K_{j−1} and sets K_j := H(K_{j−1}) ‖ bin(j).

– The sender runs the tagging algorithm T^f_{K_j}(M) which outputs the pair ⟨T, j⟩ where T := H(0 ‖ M ‖ bin(j) ‖ K_j), then runs the update algorithm U^f(K_j).
– If the receiver runs V^f_{K_j}(M, ⟨T, j⟩) and verifies that T = H(0 ‖ M ‖ bin(j) ‖ K_j), it runs the update algorithm U^f(K_j) and outputs 1. Otherwise V^f_{K_j}(M, ⟨T, j⟩) outputs 0.

Similarly as in the previous section we assume that tags are verified "in order".

Theorem 2 The scheme fMAC-ver = (K^f, T^f, V^f, U^f, n) as in Definition 7 is secure in the sense of FWD-CMA in the random oracle model.

Proof We omit details of the proof that are similar to those in the proof of Theorem 1. Suppose that A^fwd creates a forgery (M_F, ⟨T_F, j_F⟩) during time period j_F with non-negligible probability such that j_F < j_B, where j_B is the break-in time index. We know that T_F = H(0 ‖ M_F ‖ bin(j_F) ‖ K_{j_F}); either 0 ‖ M_F ‖ bin(j_F) ‖ K_{j_F} ∈ Domain(H) or 0 ‖ M_F ‖ bin(j_F) ‖ K_{j_F} ∉ Domain(H) when A^fwd outputs the forgery. In the latter case, a value from {0,1}^k is selected uniformly at random in the verification and the probability that A^fwd will succeed is negligible. Hence, 0 ‖ M_F ‖ bin(j_F) ‖ K_{j_F} ∈ Domain(H). To be a valid forgery, 0 ‖ M_F ‖ bin(j_F) ‖ K_{j_F} could not have been queried to the tagging oracle during period j_F. Therefore, A^fwd evaluated T_F via a direct random oracle query. In turn, this implies that A^fwd was able to come up with K_{j_F}. Without loss of generality, let j_F be the smallest index such that A^fwd can create a forgery. That is, A^fwd knows K_{j_F}, but not K_j for any j < j_F. If A^fwd can distinguish between hashes involving K_j and random elements for j < j_F (that end with the correct period representation), then A^fwd must know some key with index smaller than j_F, which would contradict our assumption that j_F is the smallest index. So in particular, the keys {K_0, . . . , K_{j_F−1}} are indistinguishable from 2k-bit elements that begin with a random k-bit string and end with the respective k-bit period representation. Without guessing, A^fwd must invert K_{j_F+1} at some point, that is, invert H(K_{j_F}) since bin(j_F+1) is known. A^fwd can invert H(K_{j_F}) with probability at most 1/2^k, which is a contradiction to A^fwd creating a forgery with non-negligible probability. □

5 Conclusion

In the presence of key-dependent messages, there is—even in the random oracle model—no MAC meeting the suggested (seemingly natural) formalization of existential unforgeability. We presented a stateful MAC in the random oracle model which offers strong security guarantees, and also leads to a forward-secure scheme. While in the one-time signature compiler presented in [8] the signature grows linearly in the security parameter, the scheme MAC-ver has a state of a fixed size and the tag size does not depend on the number of tags already created. For future work it is natural to ask for constructions in the standard model, but it seems also interesting to explore which types of security can be achieved with a MAC that has a static key.

In general, the composition method Encrypt-and-MAC does not provide both integrity and privacy, as shown by Bellare and Namprempre in [3]—by Encrypt-and-MAC, we mean to encrypt the plaintext (using a symmetric key) and append a MAC of the plaintext. It could be interesting to explore combinations of a symmetric encryption scheme and a MAC that share a secret key such that, when composed by the Encrypt-and-MAC method, the resulting composition is secure in a strong sense despite an adversary's ability to get key-dependent encryptions and MACs of the shared secret key.

Acknowledgements Madeline González Muñiz's research was supported by the European Regional Development Fund through the Estonian Center of Excellence in Computer Science, EXCS.
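The following is an added worked example of the key-evolving scheme fMAC-ver of Definition 7 and of the break-in scenario of Definition 6; it is not code from the paper or its authors. It assumes H is SHA-256 truncated to k = 128 bits and bin(j) is the k-bit big-endian encoding of j; the FWD-CMA challenger retains K_l for its verification oracle, while the honest parties delete old keys as the scheme prescribes.

```python
"""Toy instantiation of the key-evolving scheme fMAC-ver (Definition 7).

Added example, not the authors' code. Assumptions: H is SHA-256 truncated
to k = 128 bits, and bin(j) is the k-bit big-endian encoding of j.
"""
import hashlib
import hmac
import os

K_BYTES = 16  # k = 128 bits (constructed choice)


def H(data: bytes) -> bytes:
    """Random-oracle stand-in: SHA-256 truncated to k bits."""
    return hashlib.sha256(data).digest()[:K_BYTES]


def binj(j: int) -> bytes:
    """bin(j): the k-bit representation of time period j."""
    return j.to_bytes(K_BYTES, "big")


def period_of(K: bytes) -> int:
    """Read j back out of K_j = H(...) || bin(j)."""
    return int.from_bytes(K[K_BYTES:], "big")


def keygen() -> bytes:
    """K^f(1^k): K_0 := H(R) || bin(0) for uniformly random R."""
    return H(os.urandom(K_BYTES)) + binj(0)


def update(K_prev: bytes) -> bytes:
    """U^f: K_j := H(K_{j-1}) || bin(j). The caller must discard K_{j-1}."""
    return H(K_prev) + binj(period_of(K_prev) + 1)


def tag(K: bytes, M: bytes) -> tuple:
    """T^f_{K_j}(M): returns (<T, j>, K_{j+1}); the sender keeps only K_{j+1}."""
    j = period_of(K)
    return (H(b"\x00" + M + binj(j) + K), j), update(K)


def verify(K: bytes, M: bytes, Tj: tuple) -> tuple:
    """V^f_{K_j}(M, <T, j>): returns (decision bit, key to keep)."""
    T, j = Tj
    if j != period_of(K):
        return 0, K                      # tags are verified in order only
    if not hmac.compare_digest(T, H(b"\x00" + M + binj(j) + K)):
        return 0, K                      # reject: key unchanged
    return 1, update(K)                  # accept: move on to period j+1


def demo() -> dict:
    """Honest run over three periods, then a break-in at period 4."""
    K_send = K_recv = update(keygen())   # enter period 1; K_0 is discarded
    msgs = [b"period one", b"period two", b"period three"]  # constructed
    tags, out, challenger = [], {}, {}   # challenger keeps K_l for V^f_{K_l}
    for M in msgs:
        challenger[period_of(K_send)] = K_send
        Tj, K_send = tag(K_send, M)
        tags.append(Tj)
    out["periods"] = [j for _, j in tags]
    decisions = []
    for M, Tj in zip(msgs, tags):
        d, K_recv = verify(K_recv, M, Tj)
        decisions.append(d)
    out["in_order"] = decisions
    # Break-in: the adversary learns the current key K_4 of the sender.
    exposed = K_send
    out["breakin_period"] = period_of(exposed)
    # K_2 was deleted and H cannot be inverted, so a forgery for period 2
    # amounts to guessing K_2; the challenger's oracle V^f_{K_2} rejects it.
    guess = os.urandom(K_BYTES) + binj(2)
    forged = (H(b"\x00" + b"forged" + binj(2) + guess), 2)
    out["past_forgery"] = verify(challenger[2], b"forged", forged)[0]
    # The genuine period-2 tag still verifies under K_2 (QueriedEarlier).
    out["genuine_period2"] = verify(challenger[2], msgs[1], tags[1])[0]
    return out


if __name__ == "__main__":
    print(demo())
```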

References

1. Backes, M., Pfitzmann, B., Scedrov, A.: Key-Dependent Message Security under Active Attacks – BRSIM/UC-Soundness of Symbolic Encryption with Key Cycles. In: CSF 2007: Proceedings of the 20th IEEE Computer Security Foundations Symposium, pp. 112–124. IEEE Computer Society (2007)
2. Bellare, M., Kilian, J., Rogaway, P.: The Security of Cipher Block Chaining. In: M. Franklin (ed.) Advances in Cryptology – CRYPTO 1994: Proceedings of the 14th Annual International Cryptology Conference, Lecture Notes in Computer Science, vol. 839, pp. 341–358. Springer (1994)
3. Bellare, M., Namprempre, C.: Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm. In: T. Okamoto (ed.) Advances in Cryptology – ASIACRYPT 2000, Lecture Notes in Computer Science, vol. 1976, pp. 531–545. Springer (2000)
4. Bellare, M., Yee, B.: Forward-Security in Private-Key Cryptography. In: M. Joye (ed.) Topics in Cryptology – CT-RSA 2003, Lecture Notes in Computer Science, vol. 2612, pp. 1–18. Springer (2003)
5. Black, J., Rogaway, P., Shrimpton, T.: Encryption-Scheme Security in the Presence of Key-Dependent Messages. In: K. Nyberg, H.M. Heys (eds.) Selected Areas in Cryptography – SAC 2002: 9th Annual International Workshop, Lecture Notes in Computer Science, vol. 2595, pp. 62–75. Springer (2003)
6. Dziembowski, S., Pietrzak, K.: Leakage-Resilient Cryptography. In: FOCS 2008: Proceedings of the 49th Annual IEEE Symposium on Foundations of Computer Science, pp. 293–302. IEEE Computer Society (2008)
7. Faust, S., Kiltz, E., Pietrzak, K., Rothblum, G.: Leakage-Resilient Signatures. In: D. Micciancio (ed.) 7th Theory of Cryptography Conference, TCC 2010, Lecture Notes in Computer Science, vol. 5978, pp. 343–360. Springer (2010)
8. González Muñiz, M., Steinwandt, R.: Security of Signature Schemes in the Presence of Key-Dependent Messages. Tatra Mountains Mathematical Publications 47, 15–29 (2010)
9. Haitner, I., Holenstein, T.: On the (Im)Possibility of Key Dependent Encryption. In: O. Reingold (ed.) Theory of Cryptography – TCC 2009: Sixth Theory of Cryptography Conference, Lecture Notes in Computer Science, vol. 5444, pp. 202–219. Springer (2009)
10. Halevi, S., Krawczyk, H.: Security Under Key-Dependent Inputs. In: CCS 2007: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 466–475. ACM (2007)
11. Hofheinz, D., Unruh, D.: Towards Key-Dependent Message Security in the Standard Model. In: N. Smart (ed.) Advances in Cryptology – EUROCRYPT 2008: International Conference on the Theory and Applications of Cryptographic Techniques, Lecture Notes in Computer Science, vol. 4965, pp. 108–126. Springer (2008)
12. Jaulmes, E., Joux, A., Valette, F.: On the Security of Randomized CBC-MAC Beyond the Birthday Paradox Limit: A New Construction. In: J. Daemen, V. Rijmen (eds.) FSE 2002: Revised Papers from the 9th International Workshop on Fast Software Encryption, Lecture Notes in Computer Science, vol. 2365, pp. 237–251. Springer (2002)
13. Katz, J., Vaikuntanathan, V.: Signature Schemes with Bounded Leakage Resilience. In: M. Matsui (ed.) Advances in Cryptology – ASIACRYPT 2009, Lecture Notes in Computer Science, vol. 5912, pp. 703–720. Springer (2009)
14. Kim, J., Biryukov, A., Preneel, B., Hong, S.: On the Security of HMAC and NMAC Based on HAVAL, MD4, MD5, SHA-0 and SHA-1 (Extended Abstract). In: R. De Prisco, M. Yung (eds.) Security and Cryptography for Networks, 5th International Conference, SCN 2006, Lecture Notes in Computer Science, vol. 4116, pp. 242–256. Springer (2006)
15. Menezes, A., Vanstone, S., Oorschot, P.V.: Handbook of Applied Cryptography. CRC Press (1996)
16. Micali, S., Reyzin, L.: Physically Observable Cryptography (Extended Abstract). In: M. Naor (ed.) Theory of Cryptography – TCC 2004: First Theory of Cryptography Conference, Lecture Notes in Computer Science, vol. 2951, pp. 278–296. Springer (2004)
17. Preneel, B., van Oorschot, P.: On the Security of Iterated Message Authentication Codes. IEEE Transactions on Information Theory 45(1), 188–199 (1999)
18. Standaert, F.X., Pereira, O., Yu, Y., Quisquater, J.J., Yung, M., Oswald, E.: Leakage Resilient Cryptography in Practice. Cryptology ePrint Archive, Report 2009/341 (2009). Available at http://eprint.iacr.org/