0

Authentication protocol using a keyed hash function: Alice and Bob share a secret key for a keyed hash function. The protocol is: Alice $\Rightarrow$ $m||h_{k}(m)$ $\Rightarrow$ Bob.

There are the following two methods: $h_{k}=E_{k}\circ h$ and $h_{k}=h\circ E_{k}$.

What are the advantages and disadvantages of the two protocols?

($E_{k}$ is a well designed one-key cipher and $h$ is a well-designed hash function. $\circ$ is function composition).

I was reading another question. And in our lecture notes, only the first one was mentioned, and the lecture notes says that if both components are well-designed, the first method should be secure. I have the following questions:

  1. Why would the first method be secure?
  2. What about the second method? The second was not mentioned in lecture notes, is it because it cannot be secure even if both components are secure?

Thanks!!

Bella
  • 21
  • 5
  • Welcome to [cryptography.se]. You are using a bit less notation, what are the inputs to the $h_{k}=E_{k}\circ h$ and the other? Should one guess it? Yeah, once can guess that they are $m$, but what if not? What is the block-size of $E$, what is the output size of $h$? – kelalaka Oct 30 '20 at 06:53
  • Encrypt-then-MAC Confidentiality, Integrity and Authenticity – kelalaka Oct 30 '20 at 07:24
  • @kelalaka About the sizes of outputs $h$ and $E_{k}$, they are not mentioned in this statement. My understanding is that this is a general question just two compare the two protocols. Regarding the other post that you linked in the comment, I also read it but I am not sure if the points discussed in that post can apply to my problem or not, because my protocols are signature protocols, which the encryption of the message does not matter (? at least according to my understanding) – Bella Oct 30 '20 at 07:33
  • It encrypts than hashes for signature $s = H_k(m) = H(E(k,m))$ – kelalaka Oct 30 '20 at 07:40
  • If the lecture notes really says that with both components well-designed, $h_{k}=E_{k}\circ h$ is secure (in the sense of giving integrity in the protocol Alice $\Rightarrow$ $m||h_{k}(m)$ $\Rightarrow$ Bob), then the lecture note uses a non-standard notion of encryption, and by that non-standard notion AES-CTR and AES-OFB are not secure; or the lecture note is wrong, or got misinterpreted, or is a test of gullibility of the audience. I can hardly believe a modern course on cryto would get that wrong, in any part of the world. – fgrieu Oct 30 '20 at 09:33

0 Answers0