Message Authentication Codes (MACs) and Hashes
David Brumley, Carnegie Mellon University
Credits: Many slides from Dan Boneh’s June 2012 Coursera crypto class, which is awesome!

Recap so far
Information theoretically secure encryption: ciphertext reveals nothing about the plaintext
Secure PRNG: Given the first k output bits, the adversary should do no better than guessing bit k+1
– Principle: next bit is secure, not just “random looking” output
Secure PRF: Adversary can’t tell the difference between a truly random function and the PRF
– Principle: computationally indistinguishable functions
Semantic security (computationally secure encryption): Adversary picks m0, m1, receives the encryption of one of them, and can’t do better than guessing which message was encrypted.
– Principle: ciphertext reveals no information about the plaintext
– Security is not just about keeping the key private

Message Integrity
Goal: integrity (not secrecy)
Examples:
– Protecting binaries on disk.
– Protecting banner ads on web pages
Security principle:
– Integrity means no one can forge a signature

CRC
Generate tag: tag ← CRC(m)
Verify tag: recompute CRC(m) and check that it equals tag
(Figure: Alice computes the tag with S and sends message and tag to Bob, who checks them with V.)
Is this secure? No! The attacker can easily modify the message m and re-compute the CRC. CRC is designed to detect random errors, not malicious attacks.

Message Authentication Codes (MAC)
Defn: A Message Authentication Code (MAC) MAC = (S,V) defined over (K,M,T) is a pair of algorithms:
– S(k,m) outputs t in T
– V(k,m,t) outputs ‘yes’ or ‘no’
– V(k, m, S(k,m)) = ‘yes’ (consistency requirement)
(Figure: Alice runs S and Bob runs V on the message and tag; both hold the secret key k, which is required.)

Example
Authorized stock ticker publisher:
1. k = KeyGen(l)
2. For each price update: t = S(stock||price, k); publish (stock||price, t)
Consumer: runs V on what it receives.
Adversary: t = A(stock||price up), e.g., to cause a buying frenzy. A secure MAC should prevent this.

Example: Tripwire
At install time, generate a MAC on all files:
  filename F1: t1 = S(k, F1)
  filename F2: t2 = S(k, F2)
  ⋯
  filename Fn: tn = S(k, Fn)
Later a virus infects the system and modifies system files.
The user reboots into a clean OS and supplies the password
– Then: secure MAC ⇒ all modified files will be detected

Secure MAC Game
Security goal: A cannot produce a valid tag on a message
– Even if the message is gibberish
1. Challenger: k = KeyGen(l)
2. Adversary A: picks m1, ..., mq and sends them to the challenger
3. Challenger: for i in 1...q computes ti = S(mi, k) and returns t1, ..., tq
4. Adversary A: picks m not in {m1, ..., mq}, generates t, and sends (m, t)
5. Challenger: b = V(m, t, k), b ∈ {yes, no}
Existential forgery if b = “yes”

Secure MAC Game
Def: I = (S,V) is a secure MAC if for all “efficient” A:
  Adv_MAC[A,I] = Pr[Chal. outputs “yes”] < ε
(Same game as before: 1. k = KeyGen(l); 2. A picks m1, ..., mq; 3. the challenger computes ti = S(mi, k) for i in 1...q; 4. A picks m not in {m1, ..., mq} and generates t; 5. b = V(m, t, k) ∈ {yes, no}.)

Let I = (S,V) be a MAC. Suppose an attacker is able to find m0 ≠ m1 such that S(k, m0) = S(k, m1) for ½ of the keys k in K. Can this MAC be secure?
1. Yes, the attacker cannot generate a valid tag for m0 or m1
2. No, this MAC can be broken using a chosen msg attack
3. It depends on the details of the MAC
Chosen message attack:
1. A sends m0, receives (m0, t0)
2. A wins with (m1, t0)
3. Adv[A,I] = ½ since the prob. of such a key is ½.

MACs from PRFs

Secure PRF implies secure MAC
For a PRF F: K × X ⟶ Y, define a MAC I_F = (S,V) as:
– S(k,m) = F(k,m)
– V(k,m,t): if t = F(k,m), output ‘yes’ else ‘no’
(Figure: Alice sends m and tag ← F(k,m); Bob accepts the msg if tag = F(k,m).)
An attacker who knows F(k,m1), F(k,m2), ..., F(k,mq) has no better than a 1/|Y| chance of finding a valid tag for a new m.

Security
Thm: If F: K×X⟶Y is a secure PRF and 1/|Y| is negligible (i.e., |Y| is large), then I_F is a secure MAC.
In particular, for every eff. MAC adversary A attacking I_F, there exists an eff. PRF adversary B attacking F s.t.:
  Adv_MAC[A, I_F] = Adv_PRF[B, F] + 1/|Y|
A can’t do better than brute forcing.

Proof Sketch
Let f be a truly random function.
1. Adversary A picks m1, ..., mq
2. Challenger picks f from FUNS[X,Y]
3. Challenger calculates ti = f(mi) and returns t1, ..., tq
4. A picks m not in {m1, ..., mq}, generates t, and sends (m, t); the challenger outputs b
A wins iff t = f(m) and m not in {m1, ..., mq}
Pr[A wins] = Pr[A guesses the value of a random function on a new point] = 1/|Y|

Question
Suppose F: K × X ⟶ Y is a secure PRF with Y = {0,1}^10. Is the derived MAC I_F a practically secure MAC system?
1. Yes, the MAC is secure because the PRF is secure
2. No, tags are too short: guessing tags isn’t hard
3. It depends on the function F
Adv[A,F] = 1/1024 (we need |Y| to be large)

Secure PRF implies secure MAC
S(k,m) = F(k,m), assuming the output domain Y is large.
So AES is already a secure MAC, but AES is only defined on 16-byte messages.

Building Secure MACs
Given: a PRF for shorter messages (e.g., 16 bytes)
Goal: build a MAC for longer messages (e.g., gigabytes)
Construction examples:
– CBC-MAC: Turn a small PRF into a big PRF
– HMAC: Build from collision resistance
– (Others not covered: NMAC/PMAC)

Construction 1: Encrypted CBC-MAC (ECBC-MAC)
(Figure: raw CBC: m[0] goes through F(k,·); each later block m[i] is xored with the previous output before F(k,·) is applied again; the IV is assumed to be 0. The final raw CBC output is encrypted once more under a second key, F(k1,·), to produce the tag.)
Let F: K × X ⟶ X be a PRP.
Define a new PRF F_ECBC: K² × X^≤L ⟶ X.
Why ≤L? It means any length up to L blocks.

Attack
Suppose we define a MAC I_RAW = (S,V) where S(k,m) = rawCBC(k,m).
Then I_RAW is easily broken using a 1-chosen msg attack. The adversary works as follows:
1. Choose an arbitrary one-block message m ∈ X
2. Request the tag for m. Get t = F(k,m)
3. Output t as a MAC forgery for the 2-block message m || (t ⊕ m)

Attack
Break in a 1-chosen message attack. Problem:
  rawCBC(k, m || (t ⊕ m)) = F(k, F(k,m) ⊕ (t ⊕ m))
                        = F(k, t ⊕ (t ⊕ m))
                        = F(k, m)
                        = t
(Figure: one-block CBC of m with IV = 0 gives t; two-block CBC of m followed by t ⊕ m feeds t ⊕ (t ⊕ m) = m into the second F(k,·) and gives t again.)
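To see the derivation above run, and why the final encryption step of ECBC-MAC closes the hole, here is an added example (not code from the slides). It assumes a constructed 16-byte toy PRP, a 4-round Feistel network with a SHA-256 round function standing in for AES, and the demo keys and message are likewise constructed.

```python
import hashlib

BLOCK = 16  # block size in bytes of the toy PRP below

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy cipher: SHA-256(key || round || half), truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def prp(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte keyed permutation (4-round Feistel network with a SHA-256 round
    function).  It stands in for AES in this example and is constructed here; every
    Feistel round is invertible, so this really is a permutation on 16-byte blocks."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, xor(left, _round_fn(key, rnd, right))
    return left + right

def raw_cbc(key: bytes, msg: bytes) -> bytes:
    """rawCBC(k, m): CBC chaining with IV = 0 and no padding; the last output is the tag."""
    assert msg and len(msg) % BLOCK == 0
    state = bytes(BLOCK)  # IV assumed 0
    for i in range(0, len(msg), BLOCK):
        state = prp(key, xor(state, msg[i:i + BLOCK]))
    return state

def ecbc_mac(key: bytes, key1: bytes, msg: bytes) -> bytes:
    """ECBC-MAC: rawCBC under k, then one more encryption under the independent key k1."""
    return prp(key1, raw_cbc(key, msg))

def extension_message(m: bytes, t: bytes) -> bytes:
    """The two-block message m || (t xor m) from the slide, from a one-block m and its tag t."""
    assert len(m) == BLOCK and len(t) == BLOCK
    return m + xor(t, m)

def raw_cbc_forgery_verifies(key: bytes, m: bytes) -> bool:
    """rawCBC(k, m || (t xor m)) = F(k, t xor (t xor m)) = F(k, m) = t, so the tag of
    the one-block message is also a valid tag for the two-block message."""
    t = raw_cbc(key, m)
    return raw_cbc(key, extension_message(m, t)) == t

def ecbc_forgery_verifies(key: bytes, key1: bytes, m: bytes) -> bool:
    """Same construction against ECBC-MAC: the final F(k1, .) hides the raw CBC value t,
    so the only tag available is F(k1, t) and the chain no longer lines up."""
    tag = ecbc_mac(key, key1, m)
    return ecbc_mac(key, key1, extension_message(m, tag)) == tag

if __name__ == "__main__":
    k, k1 = b"k" * 16, b"K" * 16        # constructed demo keys
    m = b"one-block-msg!!!"             # exactly one 16-byte block
    print("rawCBC-MAC extension tag verifies:", raw_cbc_forgery_verifies(k, m))    # True
    print("ECBC-MAC extension tag verifies:  ", ecbc_forgery_verifies(k, k1, m))  # False
```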

ECBC-MAC analysis
Recall: We built ECBC-MAC from a PRP (e.g., a block cipher) F: K × X ⟶ X
Theorem: For any L>0, for every eff. q-query PRF adv. A attacking F_ECBC there exists an eff. adversary B s.t.:
  Adv_PRF[A, F_ECBC] ≤ Adv_PRP[B, F] + 2q²/|X|
CBC-MAC is secure as long as q << |X|^(1/2). After signing |X|^(1/2) messages, rekey.

Implications
  Adv_PRF[A, F_ECBC] ≤ Adv_PRP[B, F] + 2q²/|X|      (q = # msgs MAC’ed with the key)
Suppose we want Adv_PRF[A, F_ECBC] ≤ 1/2^32
– then (2q²/|X|) < 1/2^32
– AES: |X| = 2^128 ⇒ q < 2^48
– 3DES: |X| = 2^64 ⇒ q < 2^16
Must change the key after 2^48 or 2^16 msgs respectively (q² = 2^(48·2) = 2^96).

Extension Attack
Suppose the underlying PRF F is a PRP (e.g., AES). Let F_BIG be ECBC. Then F_BIG has the following extension property:
  ∀x,y,w: F_BIG(k, x) = F_BIG(k, y) ⇒ F_BIG(k, x||w) = F_BIG(k, y||w)
(Figure: the CBC chain over m[0] ... w; once F(k,x) = F(k,y) at some point in the chain, appending the same w gives F(k,x||w) = F(k,y||w).)
The attacker just needs to find such an x and y.

Collisions and the Birthday Paradox

Birthday Paradox
Put n people in a room. What is the probability that 2 of them have the same birthday?
(Figure: people P1, P2, P3, P4, ..., Pn.)
Pr[∃ i≠j: Pi = Pj] > 0.5 with 23 people. (Think: about n² different pairs)
Rule of thumb: with N possibilities and j random samples, Pr[collision] ≈ 50% when j = sqrt(N)

Generic attack on hash functions
Let H: M ⟶ {0,1}^n be a hash function (|M| >> 2^n)
Generic alg. to find a collision in time O(2^(n/2)) hashes
Algorithm:
1. Choose 2^(n/2) random messages in M: m1, …, m_(2^(n/2)) (distinct w.h.p.)
2. For i = 1, …, 2^(n/2) compute ti = H(mi) ∈ {0,1}^n
3. Look for a collision (ti = tj). If not found, go back to step 1.
How well will this work?

The birthday paradox
Let r1, …, ri ∈ {1,…,n} be indep. identically distributed integers.
Thm: when i = 1.2 × n^(1/2) then Pr[∃ i≠j: ri = rj] ≥ ½
If H: M ⟶ {0,1}^n, then Pr[collision] ≈ ½ with ~ N^(1/2) = 2^(n/2) hashes, where N = 2^n is the size of the range.

(Figure: probability of collision vs. number of samples for a range of size B = 10^6; 50% prob. of collision with ~1200 hashes.)
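The generic collision search and the figure's numbers, as an added example rather than code from the slides: SHA-256 truncated to 20 bits gives a range of 2^20 ≈ 10^6 values, so the first collision should appear after roughly 1.2 × 2^10 ≈ 1200 hashes. The truncation and the seed||counter message construction are assumptions of this example.

```python
import hashlib

def trunc_hash(msg: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits: a hash H: M -> {0,1}^bits with a range
    small enough (bits = 20, N = 2^20 ~ 10^6 as in the figure) to find collisions quickly."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def find_collision(bits: int, seed: int = 0):
    """Generic birthday search: hash distinct messages m_1, m_2, ... and stop at the first
    repeated digest.  Returns (m_i, m_j, number_of_hashes_computed).  Instead of restarting
    with a fresh batch, it keeps sampling, which is the same search in a single pass.
    Messages are constructed as seed || counter so that each run is deterministic."""
    seen = {}
    count = 0
    while True:
        m = seed.to_bytes(8, "big") + count.to_bytes(8, "big")
        count += 1
        t = trunc_hash(m, bits)
        if t in seen:
            return seen[t], m, count
        seen[t] = m

def median_hashes_to_collide(bits: int, trials: int) -> int:
    """Median over several seeds of the number of hashes until the first collision.
    The birthday bound predicts about 1.2 * sqrt(2^bits): ~1200 for bits = 20."""
    counts = sorted(find_collision(bits, s)[2] for s in range(trials))
    return counts[len(counts) // 2]

if __name__ == "__main__":
    m1, m2, n = find_collision(20)
    print(f"collision after {n} hashes: {m1.hex()} and {m2.hex()} -> {trunc_hash(m1, 20):05x}")
    print("median hashes to collide (20-bit range):", median_hashes_to_collide(20, 21))
```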

Recall
  Adv_PRF[A, F_ECBC] ≤ Adv_PRP[B, F] + 2q²/|X|      (q = # msgs MAC’ed with the key)
Suppose we want Adv_PRF[A, F_ECBC] ≤ 1/2^32
– then (2q²/|X|) < 1/2^32
– AES: |X| = 2^128 ⇒ q < 2^47
– 3DES: |X| = 2^64 ⇒ q < 2^15
Must change the key after 2^47 or 2^15 msgs. Reason: the Birthday Paradox.

Generic attack
Let F_BIG: K × M ⟶ Y be a MAC with the extension property (e.g., CBC-MAC):
  F_BIG(k, x) = F_BIG(k, y) ⇒ F_BIG(k, x||w) = F_BIG(k, y||w)
1. For i = 1, …, 2^(n/2) get ti = F_BIG(k, mi)
2. Look for a collision (ti = tj) (birthday paradox). If not found, go back to step 1.
3. Choose some w and query for t = F_BIG(k, mi || w)
4. Output the forgery (mj || w, t)

Implications
  Adv_PRF[A, F_ECBC] ≤ Adv_PRP[B, F] + 2q²/|X|
Suppose we want Adv_PRF[A, F_ECBC] ≤ 1/2^32
– then (2q²/|X|) < 1/2^32
– AES: |X| = 2^128 ⇒ q < 2^47
– 3DES: |X| = 2^64 ⇒ q < 2^15
Need a PRF that can quickly change keys.

Padding

Recall CBC-MAC
(Figure: raw CBC over m[0], m[1], ..., each block xored with the previous F(k,·) output, followed by a final F(k1,·) to produce the tag.)
What if the msg is not a multiple of the block size? ???

CBC MAC padding
Idea: pad m with 0’s (m[0] m[1] becomes m[0] m[1]0000). Is the resulting MAC secure?
– Yes, the MAC is secure
– No
– It depends on the underlying MAC
Problem: given the tag on msg m, the attacker obtains the tag on m||0 because pad(m) = pad(m||0).
(Figure: “$10000” and “$10000” with an extra 0 appended get the same tag.)

CBC MAC padding
For security, padding must be one-to-one (i.e., invertible)!
  m0 ≠ m1 ⇒ pad(m0) ≠ pad(m1)
ISO: pad with “1000…00”. Add a new dummy block if needed.
– The “1” indicates the beginning of the pad.
(Figure: m[0] m[1] becomes m[0] m[1]1000…; if m already fills its last block, a full block of pad is added.)
If m is the same as the block size, add a 1-block pad for security: two distinct messages map to two distinct paddings.
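The two padding rules side by side, as an added example (not the slides' own code): zero padding maps m and m||0 to the same string, while the ISO “1000…00” rule is one-to-one and can be undone. The byte-level encoding (0x80 for the leading 1 bit, a 16-byte block) and the unpad routine are assumptions of this example.

```python
BLOCK = 16  # block size in bytes (AES-sized)

def zero_pad(m: bytes) -> bytes:
    """The insecure idea: extend m with 0 bytes to a block boundary.  Not one-to-one:
    a message and the same message with a trailing 0 byte pad to the same string."""
    return m + bytes(-len(m) % BLOCK)

def iso_pad(m: bytes) -> bytes:
    """ISO-style padding: append a single 1 bit (here the byte 0x80 = 1000 0000) and
    then 0 bits up to the block boundary.  Because the 1 is always appended, a message
    that already fills its last block gets a whole extra block of padding."""
    m = m + b"\x80"
    return m + bytes(-len(m) % BLOCK)

def iso_unpad(p: bytes):
    """Inverse of iso_pad.  Returns None for strings that are not a valid padded message;
    every valid padded string has exactly one pre-image, which is what one-to-one means."""
    if not p or len(p) % BLOCK:
        return None
    body = p.rstrip(b"\x00")            # drop the 0 bits of the pad
    if not body or body[-1] != 0x80:    # the 1 bit marking the start of the pad must be there
        return None
    return body[:-1]

def zero_pad_collides(m: bytes) -> bool:
    """True when pad(m) == pad(m || 0), i.e. a tag on m is also a tag on m || 0."""
    return zero_pad(m) == zero_pad(m + b"\x00")

def iso_pad_injective_on(m: bytes) -> bool:
    """Checks m0 != m1 => pad(m0) != pad(m1) for m and m || 0, and that padding round-trips."""
    return iso_pad(m) != iso_pad(m + b"\x00") and iso_unpad(iso_pad(m)) == m

if __name__ == "__main__":
    price = b"$10000"  # the slide's example message
    print("zero padding collides on $10000 / $10000||0:", zero_pad_collides(price))     # True
    print("ISO padding keeps them distinct:            ", iso_pad_injective_on(price))  # True
    print("a full block gets a dummy block:", len(iso_pad(b"A" * BLOCK)) == 2 * BLOCK)  # True
```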

CMAC (NIST standard)
Variant of CBC-MAC where key = (k, k1, k2)
No final encryption step (the extension attack is thwarted by the last keyed xor)
No dummy block (ambiguity is resolved by the use of k1 or k2)
(Figure: two CBC chains of F(k,·) over m[0] ⊕ ... ⊕ m[w]; in the first, the last block is padded with 100… and xored with k1 before the final F(k,·); in the second, the last full block is xored with k2.)
k1 is used when the message length is not a multiple of the block size, k2 when it is.

HMAC (Hash-MAC)
Most widely used MAC on the Internet.
… but first we need to discuss hash functions.

Hash Functions

Collision Resistance
Let H: X ⟶ Y be a hash function (|X| >> |Y|)
A collision for H is a pair m0, m1 ∈ X such that: H(m0) = H(m1) and m0 ≠ m1
A function H is collision resistant if for all (explicit) “eff” algs. A:
  Adv_CR[A,H] = Pr[A outputs a collision for H] is “negligible”.
Example: SHA-256 (outputs 256 bits)

General Idea
Hash then PRF construction
(Figure: m is hashed by h; the digest is fed into a PRF under the key to produce the tag.)

MACs from Collision Resistance
Let I = (S,V) be a MAC for short messages over (K,M,T) (e.g., AES)
Let H: X ⟶ Y and S: K × Y ⟶ T (|X| >> |Y|)
Def: I_big = (S_big, V_big) over (K, X_big, Y) as:
  S_big(k,m) = S(k,H(m)) ; V_big(k,m,t) = V(k,H(m),t)
Thm: If I is a secure MAC and H is collision resistant, then I_big is a secure MAC.
Example: S(k,m) = AES_2-block-cbc(k, SHA-256(m)) is secure.

MACs from Collision Resistance
  S_big(k, m) = S(k, H(m)) ; V_big(k, m, t) = V(k, H(m), t)
Collision resistance is necessary for security:
Suppose: the adversary can find m0 ≠ m1 s.t. H(m0) = H(m1).
Then: S_big is insecure under a 1-chosen msg attack
  step 1: adversary asks for t ⟵ S(k, m0)
  step 2: output (m1, t) as the forgery

Sample Speeds
Crypto++ [Wei Dai], AMD Opteron 2.2 GHz (Linux)
(Table: function, digest size (bits), speed (MB/sec), and generic attack time for three SHA variants and Whirlpool; NIST standards marked. The values are not reproduced here.)
* best known collision finder for SHA-1 requires 2^51 hash evaluations

Collision Resistance and Passwords

Passwords
How do we save passwords on a system?
– Idea 1: Store in cleartext
– Idea 2: Hash
  Enrollment: store h(password), where h is collision resistant
  Verification: check h(input) = stored passwd
Is this enough to be secure?

Brute Force
Online brute force attack:
  input: hp = hash(password) to crack
  for each i in dictionary file
    if (h(i) == hp) output success;
Time space tradeoff attack (“rainbow tables”):
  precompute: h(i) for each i in dict file, in a hash tbl
  input: hp = hash(password)
  check if hp is in hash tbl

Salts
Enrollment:
1. compute hp = h(password + salt)
2. store salt || hp
Verification:
1. Look up salt in the password file
2. Check h(input||salt) == hp
Why is this good for security, given that the salt is public?
Salt doesn’t increase security against an online attack, but does make tables much bigger.

Merkle-Damgard
How to construct collision resistant hash functions

Compression Function
A compression function mixes two fixed length inputs and produces a single fixed length output of the same size as one of the inputs.
(Figure: h takes a chaining value and a message block as inputs and outputs one value of the chaining value’s size.)

The Merkle-Damgard iterated construction
Given h: T × X ⟶ T (a compression function) we obtain H: X^≤L ⟶ T.
(Figure: H0 = IV (fixed); Hi+1 = h(Hi, m[i]) over the blocks m[0], m[1], m[2], m[3] || PB; H(m) = H4. PB = 1000…0 || msg len (64 bits).)
Hi: chaining variables
PB: padding block. If there is no space for PB, add another block.

Security of Merkle-Damgard
Thm: if h is collision resistant then so is H.
Proof idea: via the contrapositive. Collisions on H ⇒ collision on h.
Suppose H(M) = H(M’). We build a collision for h.

Compression from a block cipher
Let E: K × {0,1}^n ⟶ {0,1}^n be a block cipher.
The Davies-Meyer compression function: h(H, m) = E(m, H) ⨁ H
(Figure: mi keys E, which is applied to Hi; the output is xored with Hi.)
Thm: Suppose E is an ideal cipher (a collection of |K| random perms.). Finding a collision h(H,m) = h(H’,m’) takes O(2^(n/2)) evaluations of (E,D).
Best possible!!

Hash MAC (HMAC)
Most widely used approach on the internet, e.g., SSL, SSH, TLS, etc.

Recall Merkle-Damgard
Thm: h collision resistant implies H collision resistant
(Figure: H0 = IV (fixed), chained through h over m[0], m[1], m[2], m[3] || pad, giving H(m).)
Can we build a MAC out of H?

Attempt 1: Create MAC from Merkle-Damgard
Let H: X^≤L ⟶ T be a Merkle-Damgard hash, and: S(k,m) = H(k||m). Is this secure? No! Why?
(Figure: the same chain, H0 = IV (fixed) through h over m[0], m[1], m[2], m[3] || pad, giving H(m).)
Existential forgery: from H(k||m[0..3]) one computes H(k||m[0..3]||pad||w) by applying just one more h with the block w, without knowing k.

Hash MAC (HMAC)
Build a MAC out of a hash. Example: H = SHA-256
HMAC: S(k, m) = H( k ⊕ opad || H( k ⊕ ipad || m ) )

HMAC
(Figure: inner hash: IV (fixed) ⟶ h over k ⨁ ipad, m[0], m[1], m[2] || PB, giving h0 … h4; outer hash: IV (fixed) ⟶ h over k ⨁ opad, then h over the inner result, giving the tag. PB: padding block.)
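The HMAC formula above written out for H = SHA-256, as an added example (not code from the slides), and cross-checked against Python's hmac module. The key preparation (hash keys longer than the 64-byte block, zero-pad shorter ones) and the ipad/opad byte constants 0x36/0x5C come from the HMAC standard rather than the slide.

```python
import hashlib
import hmac

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC as on the slide: H( (k xor opad) || H( (k xor ipad) || m ) ) with H = SHA-256.
    k is first brought to the hash's block size (64 bytes for SHA-256): longer keys are
    hashed, shorter keys are zero-padded; ipad/opad are 0x36/0x5C repeated to block size."""
    block_size = hashlib.sha256().block_size      # 64
    if len(key) > block_size:
        key = hashlib.sha256(key).digest()
    key = key.ljust(block_size, b"\x00")
    k_ipad = bytes(b ^ 0x36 for b in key)
    k_opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(k_ipad + msg).digest()   # inner hash over the message
    return hashlib.sha256(k_opad + inner).digest()  # outer hash over the inner digest

def hmac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """V(k, m, t): recompute and compare in constant time, so the comparison itself does
    not leak how many tag bytes matched."""
    return hmac.compare_digest(hmac_sha256(key, msg), tag)

def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check of the hand-built HMAC against Python's hmac module."""
    return hmac_sha256(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()

if __name__ == "__main__":
    # RFC 4231 test case 1: key = 20 bytes of 0x0b, data = "Hi There"
    tag = hmac_sha256(b"\x0b" * 20, b"Hi There")
    print(tag.hex())  # b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7
    print(hmac_verify(b"\x0b" * 20, b"Hi There!", tag))  # False: one extra byte in m
```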

Authenticated Encryption and Cryptographic Protocols

Example Tampering Attack
(Figure: a source sends packets encrypted with CBC and random IV under key k to a destination machine. Packet (IV1, dest=80 || msg a) is for the webserver (port 80); packet (IV2, dest=25 || msg b) is for Bob (port 25).)

Example Tampering Attack
(Figure: as before, but now both packets carry msg a: (IV1, dest=80 || msg a) for the webserver (port 80) and (IV2, dest=25 || msg a) for Bob (port 25).)
Eve can change the destination (easy with CBC and rand IV).

Example Tampering Attack
(Same figure, with Eve shown as an active attacker between source and destination.)
Eve can change the destination (easy with CBC and rand IV).

How?
(Figure: Eve rewrites (IV1, dest=80 || msg a) as (IV2, dest=1026 || msg a).)
CBC encryption: D(k, c[0]) ⨁ IV1 = “dest=80”
Attack: IV2 = IV1 ⨁ “dest=80” ⨁ “dest=1026”, i.e., xor out “80” and xor in “1026”

The Story So Far
Confidentiality: semantic security against a CPA attack
– Examples: Using CBC with a PRP, AES
Integrity: security against existential forgery
– Examples: CBC-MAC, NMAC, PMAC, HMAC
Now: security against tampering
– Integrity + Confidentiality!
But you need to be careful in how you compose primitives.

Motivating Question: Which is Best?
Encryption key = kE; MAC key = kI
Option 1: SSL (MAC-then-encrypt): tag = S(kI, m); send E(kE, m||tag)
Option 2: IPsec (Encrypt-then-MAC): c = E(kE, m); send c and S(kI, c)
Option 3: SSH (Encrypt-and-MAC): send E(kE, m) and S(kI, m)

Authenticated Encryption
An authenticated encryption system (E,D) is a cipher where, as usual, E: K × M × N ⟶ C, but D: K × C × N ⟶ M ∪ {⊥}, where ⊥ means the ciphertext is rejected as invalid.
Security: the system must provide
– Semantic security under CPA attack, and
– Ciphertext integrity: the attacker cannot create a new ciphertext that decrypts properly.

Ciphertext Integrity Game
For b = {0,1}, define EXP(0) and EXP(1) as:
Chal.: k ⟵ K
Adv. A: sends m1, …, mq ∈ M; receives ci ⟵ E(k, mi)
Adv. A: outputs c
Chal.: b = 1 if D(k,c) ≠ ⊥ and c ∉ {c1, …, cq}; b = 0 otherwise

Authenticated Encryption
Def: cipher (E,D) provides authenticated encryption (AE) if it is (1) semantically secure under CPA, and (2) has ciphertext integrity
Counter-example: CBC with rand. IV does not provide AE
– D(k, ⋅) never outputs ⊥, hence the adv. always wins the ciphertext integrity game

Implication 1: Authenticity
The attacker cannot fool Bob with a novel message purporting to be from Alice
(Figure: Alice and Bob share k; Alice sends ci = E(k, mi) for m1, …, mq; Eve delivers some c to Bob.)
Eve cannot create a valid c ∉ {c1, …, cq}
⇒ if D(k,c) ≠ ⊥, Bob is guaranteed the message is from someone who knows k (but it could be a replay)

Implication 2
Authenticated encryption ⇒ Security against chosen ciphertext attack

Chosen Ciphertext Attacks
Def: A CCA adversary has the capability to get ciphertexts of their choosing decrypted.
(Figure: Alice and Bob share k over a VPN; Alice sends c = E(k,m); Eve sees c and m, then submits her own c’ and learns m’.)

CCA Game Definition
Chal.: k ⟵ K; b ∈ {0,1}
(1) CPA query, for i = 1,…,q: Adv. sends mi,0, mi,1 ∈ M with |mi,0| = |mi,1|; receives ci ⟵ E(k, mi,b)
(2) CCA query, for j = 1,…,r: Adv. sends cj ∈ C with cj ∉ {c1, …, cq}; receives mj ⟵ D(k, cj)
  Ex: could query a changed ci
Adv. outputs b’ ∈ {0,1}

CCA Game Definition
Chal.: k ⟵ K; b ∈ {0,1}
(1) CPA query: Adv. sends mi,0, mi,1 ∈ M with |mi,0| = |mi,1|; receives ci ⟵ E(k, mi,b)
(2) CCA query: Adv. sends ci ∈ C with ci ∉ {c1, …, ci-1}; receives mi ⟵ D(k, ci)
Adv. outputs b’ ∈ {0,1}
ENC = (E,D) is CCA secure iff the adversary does not do statistically better than guessing.

Example: CBC is not CCA Secure
Chal.: k ⟵ K, b
Adv.: sends m0, m1 with |m0| = |m1| = 1 (block)
Chal.: c ⟵ E(k, mb) = (IV, c[0])
Adv.: sends c’ = (IV ⨁ 1, c[0])
Chal.: D(k, c’) = mb ⨁ 1
Adv. learns b

AE implies CCA security!
Thm: Let (E,D) be a cipher that provides AE. Then (E,D) is CCA secure.

So What?
Authenticated encryption assures security against:
– A passive adversary (CPA security)
– An active adversary that can even decrypt some ciphertexts (CCA security)
Limitations:
– Does not protect against replay
– Assumes no information other than message/ciphertext pairs can be learned. Timing attacks out of scope. Power attacks out of scope...

AE Constructions
Cipher + MAC = security

History
Pre 2000: Crypto APIs provide separate MAC and encrypt primitives
– Example: Microsoft Cryptographic Application Programming Interface (MS-CAPI) provided HMAC and CBC + IV
– Every project had to combine primitives in their own way
2000: Authenticated Encryption
– Bellare and Namprempre in Crypto, 2000
– Katz and Yung in FSE,

Theorems
Let (E,D) be a CPA secure cipher and (S,V) a MAC secure against existential forgery. Then:
1. Encrypt-then-MAC always provides authenticated encryption
2. MAC-then-encrypt may be insecure against CCA attacks
– however, when (E,D) is rand-CTR mode or rand-CBC, MAC-then-encrypt provides authenticated encryption

Motivating Question: Which is Best?
Encryption key = kE; MAC key = kI
Option 1: SSL (MAC-then-encrypt): tag = S(kI, m); send E(kE, m||tag)
Option 2: IPsec (Encrypt-then-MAC): c = E(kE, m); send c and S(kI, c)   ✓ Always correct
Option 3: SSH (Encrypt-and-MAC): send E(kE, m) and S(kI, m)

Standards
GCM: CTR mode encryption then CW-MAC
CCM: CBC-MAC then CTR mode (802.11i)
EAX: CTR mode encryption then CMAC
All are nonce-based. All support Authenticated Encryption with Associated Data (AEAD).
(Figure: the associated data and the encrypted data are both authenticated; only the latter is encrypted.)

MAC Security -- an explanation
Recall: MAC security required that an attacker given (m, t) couldn’t find a different t’ such that (m, t’) is a valid MAC
Why? Suppose not: (m, t) ⟶ (m, t’). Then Encrypt-then-MAC would not have ciphertext integrity!!
Chal.: k ⟵ K, b
Adv.: sends m0, m1
Chal.: c ⟵ E(k, mb) = (c0, t)
Adv.: sends c’ = (c0, t’) ≠ c
Chal.: D(k, c’) = mb
Adv. learns b

Summary
Encrypt-then-MAC
– Provides integrity of CT
– Plaintext integrity
– If the cipher is malleable, we detect an invalid CT
– The MAC provides no information about the PT since it’s over the encryption
MAC-then-Encrypt
– No integrity of CT
– Plaintext integrity
– If the cipher is malleable, can change the message w/o detection
– The MAC provides no information on the PT since it is encrypted
Encrypt-and-MAC
– No integrity on CT
– Integrity of PT can be verified
– If the cipher is malleable, the contents of the CT can be altered; should detect at the PT level
– May reveal info about the PT in the MAC (e.g., MACs of the same messages are the same)
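Encrypt-then-MAC (Option 2, the composition Theorem 1 says is always safe) next to Encrypt-and-MAC (Option 3), as an added example rather than code from the slides: the MAC over nonce and ciphertext lets D return ⊥ for any altered packet before decrypting anything, while the clear-text MAC of Option 3 shows when two packets carry the same plaintext. The cipher is a constructed toy CTR mode keyed by SHA-256 standing in for AES-CTR; the MAC is HMAC-SHA256; keys, nonces and messages are constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

def keystream(k_e: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-mode keystream: SHA-256(k_e || nonce || counter) blocks.  Stands in for
    AES-CTR here and is constructed for this example; a nonce must never repeat under a key."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(k_e + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def ctr_xor(k_e: bytes, nonce: bytes, data: bytes) -> bytes:
    # CTR encryption and decryption are the same operation.
    return bytes(a ^ b for a, b in zip(data, keystream(k_e, nonce, len(data))))

def mac(k_i: bytes, data: bytes) -> bytes:
    return hmac.new(k_i, data, hashlib.sha256).digest()

# Option 2: Encrypt-then-MAC (IPsec style).  The MAC covers the nonce and the ciphertext.
def etm_encrypt(k_e: bytes, k_i: bytes, m: bytes, nonce: bytes = None) -> bytes:
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    c = ctr_xor(k_e, nonce, m)
    return nonce + c + mac(k_i, nonce + c)

def etm_decrypt(k_e: bytes, k_i: bytes, pkt: bytes):
    """D(k, c) -> m or None (the slides' bottom).  The tag is checked before decryption,
    so a tampered packet is rejected without the ciphertext ever being processed."""
    if len(pkt) < NONCE_LEN + TAG_LEN:
        return None
    nonce, c, t = pkt[:NONCE_LEN], pkt[NONCE_LEN:-TAG_LEN], pkt[-TAG_LEN:]
    if not hmac.compare_digest(mac(k_i, nonce + c), t):
        return None
    return ctr_xor(k_e, nonce, c)

# Option 3: Encrypt-and-MAC (SSH style).  The MAC is over the plaintext and sent in the clear.
def eam_encrypt(k_e: bytes, k_i: bytes, m: bytes, nonce: bytes = None) -> bytes:
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    return nonce + ctr_xor(k_e, nonce, m) + mac(k_i, m)

def eam_decrypt(k_e: bytes, k_i: bytes, pkt: bytes):
    """No ciphertext integrity: the packet is decrypted first and tampering can only be
    caught afterwards, at the plaintext level."""
    if len(pkt) < NONCE_LEN + TAG_LEN:
        return None
    nonce, c, t = pkt[:NONCE_LEN], pkt[NONCE_LEN:-TAG_LEN], pkt[-TAG_LEN:]
    m = ctr_xor(k_e, nonce, c)
    return m if hmac.compare_digest(mac(k_i, m), t) else None

def eam_tag(pkt: bytes) -> bytes:
    return pkt[-TAG_LEN:]

def flip_bit(pkt: bytes, index: int) -> bytes:
    b = bytearray(pkt)
    b[index] ^= 1
    return bytes(b)

if __name__ == "__main__":
    k_e, k_i = b"E" * 32, b"I" * 32             # constructed demo keys
    m = b"dest=80 hello"
    pkt = etm_encrypt(k_e, k_i, m)
    print(etm_decrypt(k_e, k_i, pkt) == m)                      # True
    print(etm_decrypt(k_e, k_i, flip_bit(pkt, NONCE_LEN)))     # None: altered ciphertext rejected
    print(etm_decrypt(k_e, k_i, flip_bit(pkt, 0)))             # None: the nonce is covered too
    p1 = eam_encrypt(k_e, k_i, m, nonce=b"1" * 16)
    p2 = eam_encrypt(k_e, k_i, m, nonce=b"2" * 16)
    print(eam_tag(p1) == eam_tag(p2))                           # True: equal plaintexts show in the clear tag
```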

Recap 1
MACs from PRFs
– CBC-MAC
– Others: N(ested)MAC, P(arallel)MAC
MACs from collision resistant hash functions
– Make a CRF with Merkle-Damgard from a PRF
Attacker’s goal: existential forgery

Recap 2
Authenticated Encryption
– Chosen Ciphertext Attack (CCA) and CCA-secure ciphers
– AE game = CCA + CPA secure
Encrypt-then-MAC always right
– Don’t roll your own

Further reading
J. Black, P. Rogaway: CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions. J. Cryptology 18(2) (2005)
K. Pietrzak: A Tight Bound for EMAC. ICALP (2) 2006
J. Black, P. Rogaway: A Block-Cipher Mode of Operation for Parallelizable Message Authentication. EUROCRYPT 2002
M. Bellare: New Proofs for NMAC and HMAC: Security Without Collision-Resistance. CRYPTO 2006
Y. Dodis, K. Pietrzak, P. Puniya: A New Mode of Operation for Block Ciphers and Length-Preserving MACs. EUROCRYPT 2008

Questions?