TY - GEN
T1 - Risks with raw-key masking – The security evaluation of 2-key XCBC
AU - Furuya, Soichi
AU - Sakurai, Kouichi
N1 - Publisher Copyright:
© Springer-Verlag Berlin Heidelberg 2002.
PY - 2002
Y1 - 2002
N2 - There is extensive research on how CBC-MAC can be modified in order to efficiently deal with messages of arbitrary lengths. Based on the three-key construction of XCBC by Black and Rogaway, Moriai and Imai improved the scheme and proposed an optimally efficient CBC-MAC variant with two key materials, which is called 2-key XCBC. They give a proof of the security in the same manner as 3-key XCBC. In this paper, we study 2-key XCBC, and discuss the security of 2-key XCBC used with a real replacement for an ideal PRP. We show (1) a forgery based on the raw-key masking technique used in 2-key XCBC for a particular instance where the Even-Mansour PRP construction is used, and (2) an attack that violates the provable security of the DESX construction. Therefore, the raw-key masking technique, which is the core improvement of 2-key CBC, must be avoided unless an overall implementation is considered in detail. Moreover, we discuss 2-key XCBC with two promising real block ciphers, AES and Camellia, and note important security considerations concerning their use with 2-key XCBC.
AB - There is extensive research on how CBC-MAC can be modified in order to efficiently deal with messages of arbitrary lengths. Based on the three-key construction of XCBC by Black and Rogaway, Moriai and Imai improved the scheme and proposed an optimally efficient CBC-MAC variant with two key materials, which is called 2-key XCBC. They give a proof of the security in the same manner as 3-key XCBC. In this paper, we study 2-key XCBC, and discuss the security of 2-key XCBC used with a real replacement for an ideal PRP. We show (1) a forgery based on the raw-key masking technique used in 2-key XCBC for a particular instance where the Even-Mansour PRP construction is used, and (2) an attack that violates the provable security of the DESX construction. Therefore, the raw-key masking technique, which is the core improvement of 2-key CBC, must be avoided unless an overall implementation is considered in detail. Moreover, we discuss 2-key XCBC with two promising real block ciphers, AES and Camellia, and note important security considerations concerning their use with 2-key XCBC.
UR - http://www.scopus.com/inward/record.url?scp=33646824984&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=33646824984&partnerID=8YFLogxK
U2 - 10.1007/3-540-36159-6_28
DO - 10.1007/3-540-36159-6_28
M3 - Conference contribution
AN - SCOPUS:33646824984
SN - 3540001646
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 327
EP - 341
BT - Information and Communications Security - 4th International Conference, ICICS 2002, Proceedings
A2 - Deng, Robert
A2 - Bao, Feng
A2 - Zhou, Jianying
A2 - Qing, Sihan
PB - Springer Verlag
T2 - 4th International Conference on Information and Communications Security, ICICS 2002
Y2 - 9 December 2002 through 12 December 2002
ER -