From: Mok-Kong Shen on 5 Mar 2010 18:16

Employing CBC MAC means that one encrypts the message in two steps with two independent keys: In one step the message is processed in CBC mode with one key but only the last ciphertext block is retained (the CBC MAC) and appended to the given plaintext. In the second step the other key is used to encrypt the thus extended plaintext to generate the proper ciphertext to be sent to the communication partner.

In my humble view, one could use one single key K to encrypt n blocks of plaintext P_i to ciphertext C_i (i=0..n-1) and simultaneously obtain a MAC as follows:

    H_(-1) = IV; C_(-1) = 0;   (definition)

    for (i=0; i<n; i++)
    {
        H_i = E( K, H_(i-1) ^ C_(i-1) );
        C_i = E( K, H_i ^ P_i );
    }

    MAC = H_n = E( K, H_(n-1) ^ C_(n-1) );

A conceivable variant of H_i is (^ could be replaced by wordwise +):

    H_i = E( K, H_(i-1) ^ P_(i-1) ^ C_(i-1) );

It may be noted that the chaining value H_i is unknown to the analyst (in contrast to encryption in CBC mode).

For comments and critiques I should be very grateful.

M. K. Shen
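The construction in the post above, written out with the receiver's side (recovering P_i and recomputing H_n before accepting the message). This is an added example, not code from the original post, and it does not evaluate the scheme's security. Assumptions: E is a 4-round hash-based Feistel permutation standing in for the unspecified block cipher, and the names D, encrypt and decrypt, the 16-byte block size and the sample key, IV and blocks are all constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes (assumption; the post does not fix one)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of the stand-in cipher (assumption, not from the post).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def E(key, block):
    # Stand-in for the post's E(K, .): 4-round Feistel permutation, demo only.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right

def D(key, block):
    # Inverse of E; the receiver needs it to recover P_i from C_i.
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right

def encrypt(key, iv, plain_blocks):
    h, c_prev, out = iv, bytes(BLOCK), []      # H_(-1) = IV, C_(-1) = 0
    for p in plain_blocks:
        h = E(key, xor(h, c_prev))             # H_i = E(K, H_(i-1) ^ C_(i-1))
        c_prev = E(key, xor(h, p))             # C_i = E(K, H_i ^ P_i)
        out.append(c_prev)
    return out, E(key, xor(h, c_prev))         # MAC = H_n

def decrypt(key, iv, cipher_blocks, mac):
    h, c_prev, out = iv, bytes(BLOCK), []
    for c in cipher_blocks:
        h = E(key, xor(h, c_prev))             # same H chain as the sender
        out.append(xor(D(key, c), h))          # P_i = D(K, C_i) ^ H_i
        c_prev = c
    # Constant-time comparison; no plaintext is released on a mismatch.
    if not hmac.compare_digest(E(key, xor(h, c_prev)), mac):
        raise ValueError("MAC mismatch")
    return out

if __name__ == "__main__":
    key, iv = b"K" * BLOCK, bytes(range(BLOCK))        # constructed values
    blocks = [bytes([i]) * BLOCK for i in (1, 2, 3)]   # constructed plaintext
    ct, mac = encrypt(key, iv, blocks)
    print(decrypt(key, iv, ct, mac) == blocks, mac.hex())
```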