Security of Hash-then-CBC Key Wrapping Revisited
Summary :
Key wrapping schemes are used to encrypt data of high entropy, such as cryptographic keys. There are two known security definitions for key wrapping schemes. One captures the security against chosen plaintext attacks (called DAE-security), and the other captures known plaintext attacks (called AKW-security). In this paper, we revisit the security of Hash-then-CBC key wrapping schemes. In [17], Osaki and Iwata showed that the UCC-then-CBC key wrapping scheme, a key wrapping scheme that uses the UCC hash function and CBC mode, has provable AKW-security. In this paper, we show that the scheme achieves the stronger notion of DAE-security. We also show our proof in the variable input length setting, where the adversary is allowed making queries of varying lengths. Furthermore, we consider the scheme that incorporates the use of headers. To handle such a setting, we generalize the previous definition of the UCC hash function to the variable input length setting and to take the header as its input, and show an efficient construction that meets the definition.
- Publication
- IEICE TRANSACTIONS on Fundamentals Vol.E96-A No.1 pp.25-34
- Publication Date
- 2013/01/01
- Publicized
- Online ISSN
- 1745-1337
- DOI
- 10.1587/transfun.E96.A.25
- Type of Manuscript
- Special Section PAPER (Special Section on Cryptography and Information Security)
- Category
- Symmetric Key Cryptography
Authors
Keyword
Latest Issue
Copyrights notice of machine-translated contents
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Cite this
Copy
Yasushi OSAKI, Tetsu IWATA, "Security of Hash-then-CBC Key Wrapping Revisited" in IEICE TRANSACTIONS on Fundamentals,
vol. E96-A, no. 1, pp. 25-34, January 2013, doi: 10.1587/transfun.E96.A.25.
Abstract: Key wrapping schemes are used to encrypt data of high entropy, such as cryptographic keys. There are two known security definitions for key wrapping schemes. One captures the security against chosen plaintext attacks (called DAE-security), and the other captures known plaintext attacks (called AKW-security). In this paper, we revisit the security of Hash-then-CBC key wrapping schemes. In [17], Osaki and Iwata showed that the UCC-then-CBC key wrapping scheme, a key wrapping scheme that uses the UCC hash function and CBC mode, has provable AKW-security. In this paper, we show that the scheme achieves the stronger notion of DAE-security. We also show our proof in the variable input length setting, where the adversary is allowed making queries of varying lengths. Furthermore, we consider the scheme that incorporates the use of headers. To handle such a setting, we generalize the previous definition of the UCC hash function to the variable input length setting and to take the header as its input, and show an efficient construction that meets the definition.
URL: https://global.ieice.org/en_transactions/fundamentals/10.1587/transfun.E96.A.25/_p
Copy
@ARTICLE{e96-a_1_25,
author={Yasushi OSAKI, Tetsu IWATA, },
journal={IEICE TRANSACTIONS on Fundamentals},
title={Security of Hash-then-CBC Key Wrapping Revisited},
year={2013},
volume={E96-A},
number={1},
pages={25-34},
abstract={Key wrapping schemes are used to encrypt data of high entropy, such as cryptographic keys. There are two known security definitions for key wrapping schemes. One captures the security against chosen plaintext attacks (called DAE-security), and the other captures known plaintext attacks (called AKW-security). In this paper, we revisit the security of Hash-then-CBC key wrapping schemes. In [17], Osaki and Iwata showed that the UCC-then-CBC key wrapping scheme, a key wrapping scheme that uses the UCC hash function and CBC mode, has provable AKW-security. In this paper, we show that the scheme achieves the stronger notion of DAE-security. We also show our proof in the variable input length setting, where the adversary is allowed making queries of varying lengths. Furthermore, we consider the scheme that incorporates the use of headers. To handle such a setting, we generalize the previous definition of the UCC hash function to the variable input length setting and to take the header as its input, and show an efficient construction that meets the definition.},
keywords={},
doi={10.1587/transfun.E96.A.25},
ISSN={1745-1337},
month={January},}
Copy
TY - JOUR
TI - Security of Hash-then-CBC Key Wrapping Revisited
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 25
EP - 34
AU - Yasushi OSAKI
AU - Tetsu IWATA
PY - 2013
DO - 10.1587/transfun.E96.A.25
JO - IEICE TRANSACTIONS on Fundamentals
SN - 1745-1337
VL - E96-A
IS - 1
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - January 2013
AB - Key wrapping schemes are used to encrypt data of high entropy, such as cryptographic keys. There are two known security definitions for key wrapping schemes. One captures the security against chosen plaintext attacks (called DAE-security), and the other captures known plaintext attacks (called AKW-security). In this paper, we revisit the security of Hash-then-CBC key wrapping schemes. In [17], Osaki and Iwata showed that the UCC-then-CBC key wrapping scheme, a key wrapping scheme that uses the UCC hash function and CBC mode, has provable AKW-security. In this paper, we show that the scheme achieves the stronger notion of DAE-security. We also show our proof in the variable input length setting, where the adversary is allowed making queries of varying lengths. Furthermore, we consider the scheme that incorporates the use of headers. To handle such a setting, we generalize the previous definition of the UCC hash function to the variable input length setting and to take the header as its input, and show an efficient construction that meets the definition.
ER -
English
