MACs Towards More Secure and More Efficient...

Abstract. In cryptography, secure channels enable the confidential and authenticated message exchange between authorized users. A generic approach of constructing such channels is by combining an encryption primitive with an authentication primi…
… algorithms, such as stream ciphers, are combined with fast MACs, such as universal hash functions based MACs [38]. The E&A composition has a parallelizable advantage over the EtA and the AtE constructions. The fact that the encryption and authentication operations can be performed simultaneously can further increase the efficiency of the generic composition. On the other hand, the E&A composition imposes an extra requirement on the MAC algorithm. As opposed to the EtA and AtE compositions, the tag in the E&A composition is a function of the plaintext message (not the ciphertext as in EtA) and is sent in the clear (not encrypted as in AtE). Therefore, the tag must be at least as confidential as the ciphertext since, otherwise, the secrecy of the plaintext can be compromised by an adversary observing its corresponding tag. This implies that generic compositions are more involved than just combining an encryption algorithm and a MAC algorithm. Indeed, in [38] and [5], the security of different generic compositions of authenticated encryption systems is analyzed. Using a secure encryption algorithm (secure in the sense that it provides privacy against chosen-plaintext attacks) and a secure MAC (secure in the sense that it provides unforgeability against chosen-message attacks), it was shown that only the EtA will guarantee the construction of secure channels. Therefore, special attention must be paid to the design of secure channels if the E&A or the AtE compositions are used.

Although significant efforts have been devoted to the design of dedicated authenticated encryption primitives, and the analysis of the generic compositions, no effort has been made to design new primitives that utilize the special characteristics of the generic compositions. In this paper, we provide the first such work. Specifically, we introduce the design of special purpose MACs to be used in the construction of E&A compositions. The driving motive behind this work was the intuition that MACs used in the generic composition of authenticated encryption systems, unlike standard MACs, can utilize the fact that messages to be authenticated must also be encrypted. That is, since both the encryption and authentication algorithms are applied to the same message, there might be a redundancy in the computations performed by the two primitives. If this turned out to be the case, removing such redundancy can improve the efficiency of the overall composition.

One class of MACs that is of a particular interest, due to its fast implementation, is the class of MACs based on universal hash-function families. In universal hash-function families based MACs, the message to be authenticated is first compressed using a universal hash function in the Wegman-Carter style [13, 49] and, then, the compressed image is processed with a cryptographic function. Indeed, processing messages using universal hash functions is faster than processing them block by block using block ciphers. Combined with the fact that processing short strings is faster than processing longer ones, it becomes evident why universal hash functions based MACs are the fastest for message authentication [48]. Recently, however, Handschuh and Preneel [27] discovered a vulnerability in universal hashing based MACs. They demonstrated that once a collision in the hashing phase occurs, secret key information can be exposed, allowing subsequent forgeries to succeed with high probabilities. Their attack is not directed to a specific universal hash family and can be applied to all such MACs. The recommendations of the work in [27] are not to reuse the universal hash function key, thus going back to the impractical use of universal hash families for unconditionally secure authentication, or proceeding with the less efficient, yet more secure, block cipher based MACs.

Contributions. In this paper, we propose the deployment of a new cryptographic primitive for the construction of secure channels using the E&A composition. We introduce the design of E-MACs, Message Authentication Codes for Encrypted messages. By proposing the first instance of E-MACs, we show how the structure of the E&A system can be utilized to increase the efficiency and security of the authentication process. In particular, we show how a universal hash function based E-MAC can be computed with fewer operations than what standard universal hash functions based MACs require. That is, we will demonstrate that universal hash functions based E-MACs can be implemented without the need to apply any cryptographic operation to the compressed image. Moreover, we will also show how E-MACs can further utilize the special structure of the E&A system to improve the security of the authentication process. More specifically, we will show how universal hash functions based E-MACs can be secured against the key-recovery attack, to which standard universal hash functions based MACs are vulnerable. Finally, we will show that the extra confidentiality requirement on E-MACs can be achieved rather easily, again, by taking advantage of the E&A structure.

2 Related Work

Many standard MACs that can be used in the construction of authenticated encryption schemes have appeared in the literature. Standard MACs can be block ciphers based, cryptographic hash functions based, or universal hash functions based. CBC-MAC is one of the best known block cipher based MACs, specified in FIPS publication 113 [19] and the International Organization for Standardization ISO/IEC 9797-1 [29]. CMAC, a modified version of CBC-MAC, is presented in the NIST special publication 800-38B [15], which was based on OMAC of Iwata and Kurosawa [31]. Other block cipher based MACs include, but are not limited to, XOR-MAC [2] and PMAC [46]. The security of different MACs has been exhaustively studied (see, e.g., [3, 43]). HMAC is a popular example of the use of iterated cryptographic hash functions to design MACs [1], which was adopted as a standard [20]. Another cryptographic hash function based MAC is the MDx-MAC of Preneel and Oorschot [42]. HMAC and two variants of MDx-MAC are specified in the International Organization for Standardization ISO/IEC 9797-2 [30]. Bosselaers et al. described how cryptographic hash functions can be carefully coded to take advantage of the structure of the Pentium processor to speed up the authentication process [11]. The use of universal hash families was pioneered by Wegman and Carter [13, 49] in the context of designing unconditionally secure authentication. The use of universal hash functions for the design of computationally secure MACs appeared in [7-9, 17, 26, 33, 40]. The basic concept behind the design of computationally secure universal hash functions based MACs is to compress the message using universal hash functions and then process the compressed output using a cryptographic function. The key idea is that processing messages using universal hash functions is faster than processing them block by block using block ciphers. Then, since the hashed image is typically much shorter than the message itself, processing the hashed image with a cryptographic function is faster than processing the entire message.

Since in many practical applications both message confidentiality and authenticity are sought, the design of authenticated encryption schemes has attracted a lot of attention historically. A variety of earlier schemes based on adding some redundancy to messages before cipher block chaining (CBC) encryption were found vulnerable to attacks [5]. Establishing secure channels by means of generic constructions of authenticated encryption schemes was of particular interest. The security relations among different notions of security in authenticated encryption schemes were studied in detail in [5]. In [12], it was shown that EtA schemes build secure channels and, in [38], the security of the three generic construction methods is analyzed. In a different direction, block ciphers that combine encryption and message authentication have been proposed in the literature. Proposals that use a simple checksum or manipulation detection code (MDC) have appeared in [22, 34, 41]. Such simple schemes, however, are known to be vulnerable to attacks [32]. Other dedicated schemes that combine encryption and message authenticity include [6, 18, 23, 32, 35, 45]. In [32], Jutla proposed the integrity aware parallelizable mode (IAPM), an encryption scheme with authentication. Gligor and Donescu proposed the XECB-MAC [23]. Rogaway et al. [45] proposed OCB: a block-cipher mode of operation for efficient authenticated encryption. Kohno et al. [35] proposed a high-performance conventional authenticated encryption mode (CWC), which the NIST standard Galois/Counter Mode (GCM) was based on [16].

3 Preliminaries

A message authentication scheme consists of a signing algorithm S and a verifying algorithm V. The signing algorithm might be probabilistic, while the verifying one is usually not. Associated with the scheme are parameters $\ell$ and N describing the length of the shared key and the resulting authentication tag, respectively. On input an $\ell$-bit key K and a message M, algorithm S outputs an N-bit string called the authentication tag, or the MAC of M. On input an $\ell$-bit key K, a message M, and an N-bit tag, algorithm V outputs a bit, with 1 standing for accept and 0 for reject. We ask for a basic validity condition, namely that authentic tags are accepted with probability one. That is, if $\tau = S(K, M)$, it must be the case that $V(K, M, \tau) = 1$ for any K, M, and $\tau$.

In general, an adversary in a message authentication scheme is a probabilistic algorithm A, which is given oracle access to the signing and verifying algorithms $S(K, \cdot)$ and $V(K, \cdot, \cdot)$ for a random but hidden choice of K. A can query S to generate a tag for a plaintext of its choice and ask the verifier V to verify that $\tau$ is a valid tag for the plaintext. Formally, A's attack on the scheme is described by the following experiment:

1. A random string of length $\ell$ is selected as the shared secret.
2. Suppose A makes a signing query on a message M. Then the oracle computes an authentication tag $\tau = S(K, M)$ and returns it to A. (Since S may be probabilistic, this step requires making the necessary underlying choice of a random string for S, anew for each signing query.)
3. Suppose A makes a verify query $(M, \tau)$. The oracle returns the decision $d = V(K, M, \tau)$ to A.

The adversary's attack is a $(q_s, q_v)$-attack if during the course of the attack A makes no more than $q_s$ signing queries and no more than $q_v$ verify queries. The outcome of running the experiment in the presence of an adversary is used to define security. As in [5], we say that the MAC algorithm is weakly unforgeable against chosen-message attacks (WUF-CMA) if A cannot make a verify query $(M, \tau)$ which is accepted for an M that has not been queried to the signing oracle S. We say that the MAC algorithm is strongly unforgeable against chosen-message attacks (SUF-CMA) if A cannot make a verify query $(M, \tau)$ which is accepted regardless of whether or not M is new, as long as the tag has not been attached to the message by the signing oracle.

As in fast MACs, the proposed E-MAC is based on universal hash-function families. A family of hash functions H is specified by a finite set of keys K. Each key $k \in K$ defines a member of the family $H_k \in H$. As opposed to thinking of H as a set of functions from A to B, it can be viewed as a single function $H: K \times A \to B$, whose first argument is usually written as a subscript. A random element $h \in H$ is determined by selecting a $k \in K$ uniformly at random and setting $h = H_k$. There have been a number of different definitions of universal hash families (see, e.g., [13, 26, 36, 37, 44, 47, 49]). We give below a formal definition of one class of universal hash families called $\epsilon$-almost universal [9].

Definition 1. Let $H = \{h: A \to B\}$ be a family of hash functions and let $\epsilon \ge 0$ be a real number. H is said to be $\epsilon$-almost universal, denoted $\epsilon$-AU, if for all distinct $M, M' \in A$, we have that $\Pr_{h \leftarrow H}[h(M) = h(M')] \le \epsilon$. H is said to be $\epsilon$-almost universal on equal-length strings if for all distinct, equal-length strings $M, M' \in A$, we have that $\Pr_{h \leftarrow H}[h(M) = h(M')] \le \epsilon$.

… blocks of length N bits, that is $M = m_1 \,\|\, m_2 \,\|\, \cdots \,\|\, m_{B-1}$. (We overload $m_i$ to denote both the binary string in the ith block and the integer representation of the ith block as an element of $\mathbb{Z}_p$; the distinction between the two representations will be omitted when it is clear from the context.) For every message M to be encrypted and authenticated, the sender draws an integer r uniformly at random from $\mathbb{Z}_p$ anew for each message (this r represents the coin tosses of S). We emphasize that r must be independent of all r's generated to authenticate other messages. The sender encrypts $M \,\|\, r$ and transmits the resulting ciphertext $c = E(M \,\|\, r)$ to the receiver (the symbol "$\|$" denotes the concatenation operation), along with the N-bit long tag of message M computed as:

$$\tau \equiv \sum_{i=1}^{B-1} k_i m_i + k_B r \pmod p, \quad (1)$$

where $m_i$ denotes the ith block of message M.

Remark 1. A misconception about universal hash-function families is that the authentication key needs to be as long as the longest message to be authenticated. Obviously, if this were true, universal hashing would be impractical for most applications. In the literature, there exist standard techniques to hash arbitrary-length messages using a fixed-length key. The first such technique was proposed by Wegman and Carter in [50], and later refined by Halevi and Krawczyk in [26]. The work of Black et al. [9] provides a different generic algorithm to transform any hash function h that is $\epsilon$-AU on equal-length messages to a hash function that is $\epsilon$-AU on arbitrary-length messages. However, for a lack of space and for a better continuity of the main ideas of the paper, we omit going into the details of such techniques. (Interested readers may refer to [9, 26, 50] for more information.) Therefore, we emphasize that the key $K = (k_1, k_2, \ldots, k_B)$ can be used to authenticate arbitrary-length messages.

Remark 2. Clearly, as will be formally proven in Section 5, the bound on the probability of successful forgery is dependent on the security parameter N. Depending on the application, one might require lower bounds on the probability of successful forgery. A straightforward way is to increase the security parameter to give a lower probability of successful forgery. Another method is to hash the same message multiple times with independent keys. This, however, will require a much longer key. A well-studied and more efficient method is to use the Toeplitz-extension on the hash function [36, 39]. (See, e.g., [9] for a detailed use of the Toeplitz-extension to increase the security of MACs based on universal hash functions.) Again, we omit describing this topic since it is out of the scope of this work and refer interested readers to [9, 26, 36, 39] for more details.

Verification. Upon receiving a ciphertext-tag pair, $(c, \tau)$, the receiver calls the corresponding decryption algorithm D to extract the plaintext $M \,\|\, r$. To verify the integrity of $M \,\|\, r$, the receiver computes $\sum_{i=1}^{B-1} k_i m_i + k_B r$ and authenticates the message only if the computed value is congruent to the received $\tau$ modulo p. Formally, the following integrity check must be satisfied for the message to be authenticated:

$$\tau \overset{?}{\equiv} \sum_{i=1}^{B-1} k_i m_i + k_B r \pmod p. \quad (2)$$

Remark 3. We emphasize that the random nonce, r, requires no key management. It is generated by the sender as the coin tosses of the signing algorithm and delivered to the receiver via the ciphertext. In other words, it is not a shared secret and it needs no synchronization.
… 1. Assume that only a single message block is different. Since addition is commutative, assume without loss of generality that the first message block is different; that is, $m'_1 \not\equiv m_1 \pmod p$. Since only the first message block is different, equation (4) is equivalent to

$$k_1 m'_1 \equiv k_1 m_1 \pmod p. \quad (5)$$

Therefore, by Lemma 1, the probability of successful forgery given a single block difference is zero.

2. Assume, without loss of generality, that the first two message blocks are different; i.e., $m'_1 \equiv m_1 + \delta_1 \not\equiv m_1 \pmod p$ and $m'_2 \equiv m_2 + \delta_2 \not\equiv m_2 \pmod p$. Then, equation (4) is equivalent to

$$k_1 \delta_1 + k_2 \delta_2 \equiv 0 \pmod p. \quad (6)$$

Therefore, by Lemma 2, the probability of successful forgery given that exactly two message blocks are different is at most $1/(p-1)$.

3. Assume that more than two message blocks are different, i.e., $m'_i \equiv m_i + \delta_i \not\equiv m_i \pmod p$, $\forall i \in I \subseteq \{1, 2, \ldots, B\}$, $|I| \ge 3$. Then, equation (4) is equivalent to

$$k_i \delta_i + \sum_{j \in I,\, j \ne i} k_j \delta_j \equiv 0 \pmod p, \quad (7)$$

for some $i \in I$. Therefore, using Lemma 2 and the fact that $\sum_{j \in I,\, j \ne i} k_j \delta_j$ can be congruent to zero modulo p, the probability of success is at most $1/p$. (The difference between this case and the case of exactly two blocks is that, even if the $\delta$'s are chosen to be nonzero integers, $\sum_{j \in I,\, j \ne i} k_j \delta_j$ can still be congruent to zero modulo p.)

From the above three cases, the probability of successful forgery when the forged tag has been output by the signing oracle is at most $1/(p-1)$.

Unqueried tag $(M', \tau')$: Assume now that the tag $\tau'$ is different from all the recorded tags; that is, $\tau' \ne \tau_q$ for all $q = 1, \ldots, q_s$. If $\tau'$ is independent of the recorded tags, then the probability of successful forgery is $1/p$ (using the fact that the tag is uniformly distributed over $\mathbb{Z}_p$). Assume, however, that $\tau'$ is a function of $\tau_q$, for a $q \in \{1, \ldots, q_s\}$. Let $\tau' \equiv \tau_q + \Delta \pmod p$ for some $\Delta \in \mathbb{Z}_p \setminus \{0\}$ of the adversary's choice. (Note that $\Delta$ can be a function of any value recorded by the adversary.) Then, $V(K, M', \tau') = 1$ if and only if the following congruence holds:

$$\sum_{\ell=1}^{B} k_\ell m'_\ell \overset{?}{\equiv} \tau' \equiv \tau_q + \Delta \equiv \sum_{\ell=1}^{B} k_\ell m_\ell + \Delta \pmod p, \quad (8)$$

where $m'_\ell$ denotes the $\ell$th block of $M'$ and $m_\ell$ denotes the $\ell$th block of $M_q$. Below we analyze equation (8) by considering two cases: $M'$ and $M_q$ differ by a single block, or $M'$ and $M_q$ differ by more than one block.

1. Without loss of generality, assume that $M'$ and $M_q$ differ in the first block only. That is, $m'_1 \equiv m_1 + \delta \not\equiv m_1 \pmod p$ and $m'_i \equiv m_i \pmod p$ for all $i = 2, \ldots, B$. Then, equation (8) is equivalent to

$$k_1 \delta \equiv \Delta \pmod p. \quad (9)$$

Therefore, by Lemma 2, the probability of success is at most $1/(p-1)$.

2. Assume now that $M'$ and $M_q$ differ by more than one block. That is, $m'_i \equiv m_i + \delta_i \not\equiv m_i \pmod p$, $\forall i \in I \subseteq \{1, 2, \ldots, B\}$, $|I| \ge 2$. Then, equation (8) is equivalent to

$$\sum_{i \in I} k_i \delta_i \equiv \Delta \pmod p. \quad (10)$$

By Lemma 2 and the fact that $\sum_{i \in I} k_i \delta_i$ can be congruent to zero modulo p, the probability of success is at most $1/p$.

From the above two cases, the probability of successful forgery when the forged tag has not been output by the signing oracle is at most $1/(p-1)$. Therefore, given that A has made at least one signing query, A's probability of successful forgery for each verify query is at most $1/(p-1)$. □

Remark 5. Observe that the case of a queried tag implies that the used hash family is $(1/(p-1))$-AU. Similarly, the case of an unqueried tag implies that the used hash family is $(1/(p-1))$-AU. Observe further that the proposed E-MAC is strongly unforgeable under chosen message attacks (SUF-CMA). Recall that SUF-CMA requires that it be computationally infeasible for the adversary to find a new message-tag pair after chosen-message attacks even if the message is not new, as long as the tag has not been attached to the message by a legitimate user [5]. To see this, let $(M, \tau)$ be a valid message-tag pair. Assume that the adversary is attempting to authenticate the same message with a different tag $\tau'$. For the $(M, \tau')$ pair to be authenticated, $\sum_i k_i m_i + k_B r' \bmod p$ must be equal to $\tau'$. That is, given $\tau'$, $r'$ must be set to $k_B^{-1}(\tau' - \sum_i k_i m_i) \bmod p$ for the tag to be authenticated. By Theorem 1, however, the adversary cannot expose the E-MAC's key. Therefore, Theorem 2 holds whether or not the message is new, as long as the tag has not been attached to the message by the signing oracle.

5.2 Security of the E&A Composition

In [5], Bellare and Namprempre defined two notions of integrity in authenticated encryption schemes, integrity of plaintexts (INT-PTXT) and integrity of ciphertexts (INT-CTXT). INT-PTXT implies that it is computationally infeasible for an adversary to produce a ciphertext decrypting to a message which the sender had never encrypted, while INT-CTXT implies that it is computationally infeasible for an adversary to produce a ciphertext not previously produced by the sender, regardless of whether or not the corresponding plaintext is new. Although the work of [5] shows that the E&A composition is generally insecure, the results do not apply to all variants of E&A constructions. For instance, the E&A composition does not provide indistinguishability under chosen plaintext attacks (IND-CPA) because there exist secure MACs that reveal information about the plaintext ([5] provides a detailed example). Obviously, if such a MAC is used in the construction of an E&A system, the resulting composition will not provide IND-CPA. Unlike standard MACs, however, it is a basic requirement of E-MACs to be as secret as the used encryption algorithm. Indeed, Theorem 1 guarantees that the proposed E-MAC does not reveal any information about the plaintext that is not revealed by the ciphertext. Another result of [5] is that the generic E&A does not provide INT-CTXT. (Although the notion of INT-PTXT is the more natural security requirement [5], the interest of the stronger INT-CTXT notion is more in the security implications shown in [5].) The reason why E&A compositions generally do not provide INT-CTXT is that one can come up with a secure encryption algorithm with the property that a ciphertext can be modified without changing its decryption [5]. Obviously, when such an encryption algorithm is combined with the proposed E-MAC to construct an E&A system, since the tag is computed as a function of the plaintext, only INT-PTXT is reached.

A Proof of Lemma 3

Proof. Throughout this proof, random variables will be represented by bold font symbols, whereas the corresponding non-bold font symbols represent specific values that can be taken by these random variables. Let the secret key $K = k_1 \,\|\, k_2 \,\|\, \cdots \,\|\, k_B$ be fixed. Then, for any tag $\tau \in \mathbb{Z}_p$ computed according to equation (1), and any plaintext message M, the following holds:

$$\Pr(\boldsymbol{\tau} = \tau \mid \mathbf{M} = M) = \Pr\Big(\mathbf{r} = \big(\tau - \sum_{i=1}^{B-1} k_i m_i\big)\, k_B^{-1}\Big) = \frac{1}{p}, \quad (15)$$

where $m_i$ denotes the ith block of the message M. Equation (15) holds by the assumption that r is drawn uniformly from $\mathbb{Z}_p$. The existence of $k_B^{-1}$, the multiplicative inverse of $k_B$ in the integer field $\mathbb{Z}_p$, is guaranteed since $k_B$ is not the zero element. Furthermore, as a direct consequence of the fact that $\mathbb{Z}_p$ is a field, for an r drawn uniformly at random from $\mathbb{Z}_p$, the resulting $(k_B r \bmod p)$ is uniformly distributed over $\mathbb{Z}_p$. Consequently, for any plaintext message M, since the tag is the result of adding $(k_B r \bmod p)$ to $(\sum_i k_i m_i \bmod p)$, and since $(k_B r \bmod p)$ is uniformly distributed over $\mathbb{Z}_p$, the resulting tag is uniformly distributed over $\mathbb{Z}_p$. That is, for any fixed value $\tau \in \mathbb{Z}_p$, the probability that the tag will take this specific value is given by:

$$\Pr(\boldsymbol{\tau} = \tau) = \frac{1}{p}. \quad (16)$$

Combining Bayes' theorem [25] with equations (15) and (16) yields:

$$\Pr(\mathbf{M} = M \mid \boldsymbol{\tau} = \tau) = \frac{\Pr(\boldsymbol{\tau} = \tau \mid \mathbf{M} = M)\,\Pr(\mathbf{M} = M)}{\Pr(\boldsymbol{\tau} = \tau)} = \Pr(\mathbf{M} = M). \quad (17)$$

Equation (17) implies that the tag gives no information about the plaintext M since $\tau$ is statistically independent of M. Similarly, one can show that the tag is independent of the secret key.

Now, let $\tau_1$ through $\tau_\ell$ represent the tags for messages $M_1$ through $M_\ell$, respectively. Further, let $r_1$ through $r_\ell$ be the coin tosses of the signing algorithm S for the authentication of messages $M_1$ through $M_\ell$, respectively. Recall that the $r_i$'s are mutually independent and uniformly distributed over $\mathbb{Z}_p$. Then, for any possible values of the messages $M_1$ through $M_\ell$ with arbitrary joint probability mass function, and all possible values of $\tau_1$ through $\tau_\ell$, we get:

$$\begin{aligned}
\Pr(\boldsymbol{\tau}_1 = \tau_1, \ldots, \boldsymbol{\tau}_\ell = \tau_\ell)
&= \sum_{M_1, \ldots, M_\ell} \Pr(\boldsymbol{\tau}_1 = \tau_1, \ldots, \boldsymbol{\tau}_\ell = \tau_\ell \mid \mathbf{M}_1 = M_1, \ldots, \mathbf{M}_\ell = M_\ell)\,\Pr(\mathbf{M}_1 = M_1, \ldots, \mathbf{M}_\ell = M_\ell) \\
&= \sum_{M_1, \ldots, M_\ell} \Pr\Big(\mathbf{r}_1 = \big(\tau_1 - \sum_{i=1}^{B-1} k_i m_{1i}\big) k_B^{-1}, \ldots, \mathbf{r}_\ell = \big(\tau_\ell - \sum_{i=1}^{B-1} k_i m_{\ell i}\big) k_B^{-1}\Big)\,\Pr(\mathbf{M}_1 = M_1, \ldots, \mathbf{M}_\ell = M_\ell) \quad (18) \\
&= \sum_{M_1, \ldots, M_\ell} \Pr\Big(\mathbf{r}_1 = \big(\tau_1 - \sum_{i=1}^{B-1} k_i m_{1i}\big) k_B^{-1}\Big) \cdots \Pr\Big(\mathbf{r}_\ell = \big(\tau_\ell - \sum_{i=1}^{B-1} k_i m_{\ell i}\big) k_B^{-1}\Big)\,\Pr(\mathbf{M}_1 = M_1, \ldots, \mathbf{M}_\ell = M_\ell) \quad (19) \\
&= \sum_{M_1, \ldots, M_\ell} \frac{1}{p} \cdots \frac{1}{p}\,\Pr(\mathbf{M}_1 = M_1, \ldots, \mathbf{M}_\ell = M_\ell) \quad (20) \\
&= \Pr(\boldsymbol{\tau}_1 = \tau_1) \cdots \Pr(\boldsymbol{\tau}_\ell = \tau_\ell), \quad (21)
\end{aligned}$$

where $m_{ji}$ denotes the ith block of the jth message $M_j$. Equation (19) holds due to the independence of the $r_i$'s; equation (20) holds due to the uniform distribution of the $r_i$'s; and equation (21) holds due to the uniform distribution of the $\tau_i$'s. Therefore, authentication tags are mutually independent, and the lemma follows. □
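As an added worked example, not code from the paper, the following Python implements the E-MAC signing and verification of equations (1) and (2), the nonce relation used in Remark 5, and an exhaustive check of the uniformity argument behind Lemma 3. It assumes a constructed toy prime p = 251 (the paper's p is an N-bit prime) and draws every key element from Z_p \ {0}.

```python
import secrets
from typing import List, Tuple

# Constructed toy parameter: the paper's p is an N-bit prime; this small prime
# exists only so the exhaustive uniformity check below stays cheap.
P = 251


def keygen(num_blocks: int, p: int = P) -> List[int]:
    """Key K = (k_1, ..., k_B) with B = num_blocks + 1, every k_i drawn from
    Z_p \\ {0}: k_B must be invertible (Lemma 3) and a zero k_i would let a
    change in block i go unnoticed (assumption: all k_i nonzero)."""
    return [1 + secrets.randbelow(p - 1) for _ in range(num_blocks + 1)]


def emac_tag(key: List[int], blocks: List[int], r: int, p: int = P) -> int:
    """Equation (1): tau = sum_{i=1}^{B-1} k_i m_i + k_B r (mod p)."""
    if len(blocks) != len(key) - 1:
        raise ValueError("message must have exactly B-1 blocks")
    acc = sum(k * (m % p) for k, m in zip(key, blocks))
    return (acc + key[-1] * r) % p


def emac_sign(key: List[int], blocks: List[int], p: int = P) -> Tuple[int, int]:
    """S(K, M): r is the signer's coin toss, drawn uniformly and afresh per
    message; the sender encrypts M || r and sends tau in the clear."""
    r = secrets.randbelow(p)
    return r, emac_tag(key, blocks, r, p)


def emac_verify(key: List[int], blocks: List[int], r: int, tag: int,
                p: int = P) -> bool:
    """Equation (2): after decrypting M || r, recompute and compare mod p."""
    return emac_tag(key, blocks, r, p) == tag % p


def tag_distribution(key: List[int], blocks: List[int], p: int = P) -> List[int]:
    """Lemma 3 check: for fixed K and M the map r -> tau is a bijection on
    Z_p, so each tag value occurs exactly once and tau leaks nothing about M."""
    return sorted(emac_tag(key, blocks, r, p) for r in range(p))


def nonce_for_tag(key: List[int], blocks: List[int], tag: int, p: int = P) -> int:
    """Remark 5: the only r' for which (M, tau') verifies is
    k_B^{-1} (tau' - sum_i k_i m_i) mod p, which requires the secret key."""
    acc = sum(k * (m % p) for k, m in zip(key, blocks))
    return (pow(key[-1], -1, p) * (tag - acc)) % p


if __name__ == "__main__":
    key = keygen(3)
    message = [17, 42, 99]                     # constructed 3-block message
    r, tau = emac_sign(key, message)
    assert emac_verify(key, message, r, tau)
    assert not emac_verify(key, [18, 42, 99], r, tau)  # one block altered
    assert tag_distribution(key, message) == list(range(P))
    print("tag", tau, "nonce", r, "verified; tags uniform over Z_p")
```

With a fixed key the single-block check always fails because the tag difference is k_1 times the block difference, which is nonzero in Z_p; this is the zero-probability case 1 of the proof.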