That's different and chosen independently of the key K, and finally the output gives us the tag. And this step is actually done using an independent key, K1. And then, I would like to point your attention to the fact that we do one more encryption step. Which is called the CBC outputs of this long chain. So you notice we basically encrypt the first block and then feed the results into the XOR with the second block and then feed that into f again, and we do that again and again and again and finally we get a value out here. Well, we start by taking our message and breaking it into blocks, each block is as long as a block of the underlying function f, and then essentially we run through the CBC chain except that we don't output intermediate values. But just to keep the discussion simple, we up our bounds the maximum length by capital L. It's perfectly fine to give it variable size inputs. So each CBC can process messages that are one block long, two blocks long, ten blocks long, 100 blocks long. In other words, X less than or equal to L means that we allow the input to be messages that contain an arbitrary number of blocks between one and L. But it could also take variable length messages as inputs. Now what is this X to the less than or equal to L? The point here is that in fact CBC MAC can take very long messages up to L blocks. I'm going to denote by X, the set to the N. And the question now is, given a PRF for short messages like AES for sixteen byte messages, can we construct a PRF for long messages that are potentially gigabytes long? And this is shorthand for what's coming. For example, it could be 80 bits or 128 bits, and that would generate a secure MAC Now we also said that because AES is a secure PRF, essentially AES already gives us a secure MAC, except that it can only process sixteen byte messages. The only caveat was that the output of the PRF F had to be large. Recall in the last segment, we said that if you give me a secure PRF, then that secure PRF can actually be used to construct a secure MAC, simply by defining the signature on the message m as the value of the function at the point m. In this segment, we're going to construct two classic MACS, the CBC-MAC and the NMAC.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |