"The Chain Sum Primitive and Its Applications to MACs and Stream Ciphers," EUROCRYPT'98.pdf


The chain sum primitive and its applications to MACs and stream ciphers

Mariusz H. Jakubowski1 and Ramarathnam Venkatesan2

1 Princeton University, mj@
2 Microsoft Research, Redmond, WA 98052, USA, venkie@

Abstract. We present a new scheme called universal block chaining with sum (or chain sum primitive (CS) for short), and show its application to the problem of combined encryption and authentication of data. The primitive is a weak CBC-type encryption along with a summing step, and can be used as a front end to stream ciphers to encrypt pages or blocks of data (e.g., in an encrypted file system or in a video stream). Under standard assumptions, the resulting encryption scheme provably acts as a random permutation on the blocks, and has message integrity features of standard CBC encryption. The primitive also yields a very fast message authentication code (MAC), which is a multivariate polynomial evaluation hash. The multivariate feature and the summing aspect are novel parts of the design. Our tests show that the chain sum primitive adds approximately 20 percent overhead to the fastest stream ciphers.

1 Introduction

For combined encryption and authentication of data, one often uses stream ciphers because of their speed in comparison to block ciphers; one then appends a separately computed MAC value. However, in some applications, data must be accessed in pages or blocks, and stored encrypted, as in some encrypted file systems or video streams. For this purpose, it is customary to use CBC encryption on the blocks, and compute an integrity check for the entire stream separately from these individual encrypted blocks. Alternately, one may compute and store one MAC value separately per block, but this causes the size of the MAC data to expand in proportion to the number of blocks, and is thus undesirable. Certain applications, such as encrypted file systems and video, tax the CPU rather harshly, and using a block cipher can cause a noticeable performance hit. For backward compatibility and m




