论文信息 - Lower Bound on Linear Authenticated Encryption

Lower Bound on Linear Authenticated Encryption

We show that any scheme to encrypt m blocks of size n bits each, which assures message integrity, is linear in (GF2) n , uses m+k invocations of random functions (from n bits to n bits) and vn bits of randomness, must have k+v at least Ω(logm). This lower bound is proved in a very general model which rules out many promising linear modes of operations for encryption with message integrity. This lower bound is tight as in an earlier paper “Encryption Models with Almost Free Message Integrity”, Proc. Eurocrypt 2001, we show a linear scheme to encrypt m blocks while assuring message integrity by using only m+2+logm invocations of random permutations.

Charanjit S. Jutla

[1] Hugo Krawczyk,et al. LFSR-based Hashing and Authentication , 1994, CRYPTO.

[2] Mihir Bellare,et al. The Security of Cipher Block Chaining , 1994, CRYPTO.

[3] Mihir Bellare,et al. OCB: a block-cipher mode of operation for efficient authenticated encryption , 2001, CCS '01.

[4] Bart Preneel,et al. Attacks on Fast Double Block Length Hash Functions , 1998, Journal of Cryptology.

[5] Virgil D. Gligor,et al. Integrity-Aware PCBC Encryption Schemes , 1999, Security Protocols Workshop.

[6] Virgil D. Gligor,et al. Fast Encryption and Authentication: XCBC Encryption and XECB Authentication Modes , 2001, FSE.

[7] Abraham Bookstein,et al. Cryptography: A new dimension in computer data security ? and ?. Wiley-Interscience, New York (1982). xxi + 775 pp., $43.95. ISBN 0471-04892-5. , 1985 .

[8] Jonathan Katz,et al. Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation , 2000, FSE.

[9] Michael Luby,et al. Pseudorandomness and cryptographic applications , 1996, Princeton computer science notes.

[10] John T. Kohl,et al. The Kerberos Network Authentication Service (V5 , 2004 .

[11] Stephen M. Matyas,et al. Cryptography: A New Dimension in Computer Data Security--A Guide for the Design and Implementation of Secure Systems , 1982 .

[12] Morris J. Dworkin,et al. SP 800-38A 2001 edition. Recommendation for Block Cipher Modes of Operation: Methods and Techniques , 2001 .