### Abstract

"Hash then encrypt" is an approach to message authentication, where first the message is hashed down using an ε-universal hash function, and then the resulting k-bit value is encrypted, say with a block-cipher. The security of this scheme is proportional to εq^{2}, where q is the number of MACs the adversary can request. As ε is at least 2^{-k}, the best one can hope for is O(q^{2} /2^{k}) security. Unfortunately, such small ε is not achieved by simple hash functions used in practice, such as the polynomial evaluation or the Merkle-Damgård construction, where ε grows with the message length L. The main insight of this work comes from the fact that, by using randomized message preprocessing via a short random salt p (which must then be sent as part of the authentication tag), we can use the "hash then encrypt" paradigm with suboptimal "practical" ε-universal hash functions, and still improve its exact security to optimal O(q^{2}/2^{k}). Specifically, by using at most an 0(logL)-bit salt p, one can always regain the optimal exact security O(q^{2}/2^{k}), even in situations where ε grows polynomially with L. We also give very simple preprocessing maps for popular "suboptimal" hash functions, namely polynomial evaluation and the Merkle-Damgård construction. Our results come from a general extension of the classical Carter-Wegman paradigm, which we believe is of independent interest. On a high level, it shows that public randomization allows one to use the potentially much smaller "average-case" collision probability in place of the "worst-case" collision probability ε.

| Field | Value |
|---|---|
| Original language | English (US) |
| Title of host publication | Fast Software Encryption - 14th International Workshop, FSE 2007 |
| Pages | 414-433 |
| Number of pages | 20 |
| Volume | 4593 LNCS |
| State | Published - 2007 |
| Event | 14th International Workshop on Fast Software Encryption, FSE 2007 - Luxembourg, Luxembourg |
| Duration | Mar 26 2007 → Mar 28 2007 |

### Publication series

| Field | Value |
|---|---|
| Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
| Volume | 4593 LNCS |
| ISSN (Print) | 0302-9743 |
| ISSN (Electronic) | 1611-3349 |

### Other

| Field | Value |
|---|---|
| Other | 14th International Workshop on Fast Software Encryption, FSE 2007 |
| Country | Luxembourg |
| City | Luxembourg |
| Period | 3/26/07 → 3/28/07 |

### ASJC Scopus subject areas

- Computer Science (all)
- Biochemistry, Genetics and Molecular Biology (all)
- Theoretical Computer Science

### Cite this

Dodis, Yevgeniy; Pietrzak, Krzysztof. **Improving the security of MACs via randomized message preprocessing.** In *Fast Software Encryption - 14th International Workshop, FSE 2007* (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Vol. 4593 LNCS), pp. 414-433. 14th International Workshop on Fast Software Encryption, FSE 2007, Luxembourg, Luxembourg, 3/26/07.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Improving the security of MACs via randomized message preprocessing

AU - Dodis, Yevgeniy

AU - Pietrzak, Krzysztof

PY - 2007

Y1 - 2007

UR - http://www.scopus.com/inward/record.url?scp=38349029412&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=38349029412&partnerID=8YFLogxK

M3 - Conference contribution

SN - 354074617X

SN - 9783540746171

VL - 4593 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 414

EP - 433

BT - Fast Software Encryption - 14th International Workshop, FSE 2007

ER -