Improving the security of MACs via randomized message preprocessing

Yevgeniy Dodis, Krzysztof Pietrzak

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

"Hash then encrypt" is an approach to message authentication, where first the message is hashed down using an ε-universal hash function, and then the resulting k-bit value is encrypted, say with a block cipher. The security of this scheme is proportional to εq², where q is the number of MACs the adversary can request. As ε is at least 2^-k, the best one can hope for is O(q²/2^k) security. Unfortunately, such small ε is not achieved by simple hash functions used in practice, such as polynomial evaluation or the Merkle-Damgård construction, where ε grows with the message length L. The main insight of this work comes from the fact that, by using randomized message preprocessing via a short random salt p (which must then be sent as part of the authentication tag), we can use the "hash then encrypt" paradigm with suboptimal "practical" ε-universal hash functions, and still improve its exact security to the optimal O(q²/2^k). Specifically, by using at most an O(log L)-bit salt p, one can always regain the optimal exact security O(q²/2^k), even in situations where ε grows polynomially with L. We also give very simple preprocessing maps for popular "suboptimal" hash functions, namely polynomial evaluation and the Merkle-Damgård construction. Our results come from a general extension of the classical Carter-Wegman paradigm, which we believe is of independent interest. On a high level, it shows that public randomization allows one to use the potentially much smaller "average-case" collision probability in place of the "worst-case" collision probability ε.
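As a worked illustration added here (not part of the paper's record) of why ε grows with L for the polynomial-evaluation hash named in the abstract, and what that factor does to the εq² bound, take the field F = GF(2^k), a key x ∈ F, and a message m = (m_1, …, m_L) ∈ F^L:

$$
h_x(m) = \sum_{i=1}^{L} m_i\, x^{i}
$$

For two distinct messages m ≠ m' (padded to the same length L), a collision h_x(m) = h_x(m') means x is a root of

$$
D(x) = h_x(m) - h_x(m') = \sum_{i=1}^{L} (m_i - m'_i)\, x^{i},
$$

a nonzero polynomial of degree at most L, which has at most L roots in F. Over a uniformly random key x,

$$
\Pr_x\big[h_x(m) = h_x(m')\big] \le \frac{L}{2^{k}}, \qquad\text{so}\qquad \varepsilon = \frac{L}{2^{k}}.
$$

Substituting into the "hash then encrypt" bound gives

$$
\varepsilon q^{2} = \frac{L\, q^{2}}{2^{k}} \quad\text{versus the optimal}\quad \frac{q^{2}}{2^{k}},
$$

a loss of a factor L in the forgery bound, which is exactly the gap the abstract says an O(log L)-bit public salt closes by replacing the worst-case ε with the average-case collision probability.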

Original language: English (US)
Title of host publication: Fast Software Encryption - 14th International Workshop, FSE 2007
Pages: 414-433
Number of pages: 20
Volume: 4593 LNCS
State: Published - 2007
Event: 14th International Workshop on Fast Software Encryption, FSE 2007 - Luxembourg, Luxembourg
Duration: Mar 26 2007 to Mar 28 2007

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 4593 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 14th International Workshop on Fast Software Encryption, FSE 2007
Country: Luxembourg
City: Luxembourg
Period: 3/26/07 to 3/28/07

ASJC Scopus subject areas

  • Computer Science(all)
  • Biochemistry, Genetics and Molecular Biology(all)
  • Theoretical Computer Science

Cite this

Dodis, Y., & Pietrzak, K. (2007). Improving the security of MACs via randomized message preprocessing. In Fast Software Encryption - 14th International Workshop, FSE 2007 (Vol. 4593 LNCS, pp. 414-433). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4593 LNCS).

@inproceedings{bc43319e9190467a8d1399bb900d2f2e,
title = "Improving the security of MACs via randomized message preprocessing",
author = "Yevgeniy Dodis and Krzysztof Pietrzak",
year = "2007",
language = "English (US)",
isbn = "354074617X",
volume = "4593 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "414--433",
booktitle = "Fast Software Encryption - 14th International Workshop, FSE 2007",
}

TY - GEN

T1 - Improving the security of MACs via randomized message preprocessing

AU - Dodis, Yevgeniy

AU - Pietrzak, Krzysztof

PY - 2007

Y1 - 2007

UR - http://www.scopus.com/inward/record.url?scp=38349029412&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=38349029412&partnerID=8YFLogxK

M3 - Conference contribution

SN - 354074617X

SN - 9783540746171

VL - 4593 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 414

EP - 433

BT - Fast Software Encryption - 14th International Workshop, FSE 2007

ER -