Stronger security bounds for Wegman-Carter-Shoup authenticators

Abstract

Shoup proved that various message-authentication codes of the form (n, m) → h(m) + f(n) are secure against all attacks that see at most √(1/ε) authenticated messages. Here m is a message; n is a nonce chosen from a public group G; f is a secret uniform random permutation of G; h is a secret random function; and ε is a differential probability associated with h. Shoup's result implies that if AES is secure then various state-of-the-art message-authentication codes of the form (n, m) → h(m) + AES_k(n) are secure up to √(1/ε) authenticated messages. Unfortunately, √(1/ε) is only about 2^50 for some state-of-the-art systems, so Shoup's result provides no guarantees for long-term keys. This paper proves that security of the same systems is retained up to √#G authenticated messages. In a typical state-of-the-art system, √#G is 2^64. The heart of the paper is a very general "one-sided" security theorem: (n, m) → h(m) + f(n) is secure if there are small upper bounds on differential probabilities for h and on interpolation probabilities for f. © International Association for Cryptologic Research 2005.
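
The construction in the abstract, as an added worked example in Go (written for this page; it is not code from the paper and not Poly1305-AES). Its assumptions: h is a polynomial hash over GF(p) with the toy prime p = 2^127 - 1 (Poly1305 uses 2^130 - 5 and key clamping), messages are split into 14-byte chunks each prefixed with a 0x01 byte so that the encoding is injective, G is Z/2^128 under addition modulo 2^128, and f is AES_k from Go's standard crypto/aes. The keys, nonce and messages are constructed samples. Beyond Tag and Verify, Bounds reproduces the abstract's contrast for messages of up to 2^20 chunks (√(1/ε) ≈ 2^53 versus √#G = 2^64), and ForgeAfterNonceReuse shows the caveat the one-sided theorem silently relies on: the nonce n must never repeat under one key, because two tags under the same n cancel AES_k(n) and expose the hash key r.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"fmt"
	"math"
	"math/big"
)

// Toy parameters (this example's assumptions, not Poly1305-AES): h is a polynomial
// hash over GF(p), p = 2^127 - 1; G = Z/2^128 under addition mod 2^128; a tag is a
// 16-byte big-endian group element.
var (
	p      = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 127), big.NewInt(1))
	two128 = new(big.Int).Lsh(big.NewInt(1), 128)
)

const chunkLen = 14 // 14 data bytes + a 0x01 pad byte = 120 bits < p

// polyHash computes h_r(m) = sum_i c_i * r^(L+1-i) mod p by Horner's rule. The 0x01
// prefix makes the chunk encoding injective, which the bound eps <= 2L/p needs.
func polyHash(r *big.Int, m []byte) *big.Int {
	acc := new(big.Int)
	for i := 0; i < len(m); i += chunkLen {
		end := i + chunkLen
		if end > len(m) {
			end = len(m)
		}
		c := new(big.Int).SetBytes(append([]byte{0x01}, m[i:end]...))
		acc.Add(acc, c).Mul(acc, r).Mod(acc, p)
	}
	return acc
}

// WCS is the authenticator (n, m) -> h_r(m) + AES_k(n) in G.
type WCS struct {
	r *big.Int     // secret hash key, reduced into [0, p)
	f cipher.Block // f = AES_k, the secret permutation of G
}

func NewWCS(aesKey, hashKey [16]byte) (*WCS, error) {
	blk, err := aes.NewCipher(aesKey[:])
	if err != nil {
		return nil, err
	}
	r := new(big.Int).SetBytes(hashKey[:])
	return &WCS{r: r.Mod(r, p), f: blk}, nil
}

// addG returns a + b in G, encoded as a 16-byte tag.
func addG(a, b *big.Int) (t [16]byte) {
	s := new(big.Int).Add(a, b)
	s.Mod(s, two128).FillBytes(t[:])
	return t
}

// Tag authenticates m under nonce n, which must never repeat under one key.
func (w *WCS) Tag(n [16]byte, m []byte) [16]byte {
	var fn [16]byte
	w.f.Encrypt(fn[:], n[:]) // f(n) = AES_k(n)
	return addG(polyHash(w.r, m), new(big.Int).SetBytes(fn[:]))
}

func (w *WCS) Verify(n [16]byte, m []byte, tag [16]byte) bool {
	want := w.Tag(n, m)
	return subtle.ConstantTimeCompare(want[:], tag[:]) == 1
}

// Bounds returns log2 of the abstract's two thresholds for messages of at most
// maxChunks chunks: Shoup's sqrt(1/eps), with eps <= 2*maxChunks/p for this hash (the
// 2 covers reducing a difference in (-p, p) mod 2^128), and Bernstein's sqrt(#G), #G = 2^128.
func Bounds(maxChunks int) (shoupLog2, bernsteinLog2 float64) {
	eps := 2 * float64(maxChunks) / math.Ldexp(1, 127) // p as float64 is 2^127
	return 0.5 * math.Log2(1/eps), 0.5 * 128
}

// ForgeAfterNonceReuse is why n must be unique: for two distinct one-chunk messages
// (len <= chunkLen) tagged under the same n, tag1 - tag2 = h(m1) - h(m2) mod 2^128 no
// longer involves AES_k(n), and h(m1) - h(m2) = (c1 - c2) * r mod p. The attacker solves
// for r (two candidates, since the difference is only known mod 2^128), recovers
// AES_k(n) = tag1 - h_r(m1), and tags any m3 under n. One of the returned tags verifies.
func ForgeAfterNonceReuse(m1, m2 []byte, tag1, tag2 [16]byte, m3 []byte) [][16]byte {
	c1 := new(big.Int).SetBytes(append([]byte{0x01}, m1...))
	c2 := new(big.Int).SetBytes(append([]byte{0x01}, m2...))
	diff := new(big.Int).Sub(c1, c2)
	inv := new(big.Int).ModInverse(diff.Mod(diff, p), p)
	t1 := new(big.Int).SetBytes(tag1[:])
	d := new(big.Int).Sub(t1, new(big.Int).SetBytes(tag2[:]))
	d.Mod(d, two128)
	var forged [][16]byte
	for _, cand := range []*big.Int{d, new(big.Int).Sub(d, two128)} {
		r := new(big.Int).Mul(cand, inv)
		fn := new(big.Int).Sub(t1, polyHash(r.Mod(r, p), m1)) // AES_k(n) for the right r
		forged = append(forged, addG(polyHash(r, m3), fn.Mod(fn, two128)))
	}
	return forged
}

func main() {
	s, b := Bounds(1 << 20) // messages of up to 2^20 chunks
	fmt.Printf("Shoup: 2^%.0f messages; Bernstein: 2^%.0f messages\n", s, b)
}
```

Usage: NewWCS takes a 16-byte AES key and 16 bytes of hash-key material; Tag(n, m) and Verify(n, m, tag) are the authenticator, and Verify compares in constant time. Feeding ForgeAfterNonceReuse the tags of two short messages that were both authenticated under one nonce yields a tag for a third message that Verify accepts, so nonce management is part of the security boundary, not an implementation detail.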

APA

Bernstein, D. J. (2005). Stronger security bounds for Wegman-Carter-Shoup authenticators. In Lecture Notes in Computer Science (Vol. 3494, pp. 164–180). Springer Verlag. https://doi.org/10.1007/11426639_10
