MACs: Towards More Secure and More Efficient Constructions (PDF document)
Uploaded by mitsue-stanley on 2015-05-20

Abstract. In cryptography, secure channels enable the confidential and authenticated message exchange between authorized users. A generic approach of constructing such channels is by combining an encryption primitive with an authentication primi

Presentation Transcript

algorithms, such as stream ciphers, are combined with fast MACs, such as universal hash functions based MACs [38]. The E&A composition has a parallelizable advantage over the EtA and the AtE constructions. The fact that the encryption and authentication operations can be performed simultaneously can further increase the efficiency of the generic composition. On the other hand, the E&A composition imposes an extra requirement on the MAC algorithm. As opposed to the EtA and AtE compositions, the tag in the E&A composition is a function of the plaintext message (not the ciphertext as in EtA) and is sent in the clear (not encrypted as in AtE). Therefore, the tag must be at least as confidential as the ciphertext since, otherwise, the secrecy of the plaintext can be compromised by an adversary observing its corresponding tag. This implies that generic compositions are more involved than just combining an encryption algorithm and a MAC algorithm. Indeed, in [38] and [5], the security of different generic compositions of authenticated encryption systems is analyzed. Using a secure encryption algorithm (secure in the sense that it provides privacy against chosen-plaintext attacks) and a secure MAC (secure in the sense that it provides unforgeability against chosen-message attacks), it was shown that only the EtA will guarantee the construction of secure channels. Therefore, special attention must be paid to the design of secure channels if the E&A or the AtE compositions are used.

Although significant efforts have been devoted to the design of dedicated authenticated encryption primitives, and the analysis of the generic compositions, no effort has been made to design new primitives that utilize the special characteristics of the generic compositions. In this paper, we provide the first such work. Specifically, we introduce the design of special purpose MACs to be used in the construction of E&A compositions. The driving motive behind this work was the intuition that MACs used in the generic composition of authenticated encryption systems, unlike standard MACs, can utilize the fact that messages to be authenticated must also be encrypted. That is, since both the encryption and authentication algorithms are applied to the same message, there might be a redundancy in the computations performed by the two primitives. If this turned out to be the case, removing such redundancy can improve the efficiency of the overall composition.

One class of MACs that is of a particular interest, due to its fast implementation, is the class of MACs based on universal hash-function families. In universal hash-function families based MACs, the message to be authenticated is first compressed using a universal hash function in the Wegman-Carter style [13, 49] and, then, the compressed image is processed with a cryptographic function. Indeed, processing messages using universal hash functions is faster than processing them block by block using block ciphers. Combined with the fact that processing short strings is faster than processing longer ones, it becomes evident why universal hash functions based MACs are the fastest for message authentication [48]. Recently, however, Handschuh and Preneel [27] discovered a vulnerability in universal hashing based MACs. They demonstrated that once a collision in the hashing phase occurs, secret key information can be exposed, allowing subsequent forgeries to succeed with high probabilities. Their attack is not directed to a specific universal hash family and can be applied to all such MACs. The recommendations of the work in [27] are not to reuse the universal hash function key, thus going back to the impractical use of universal hash families for unconditionally secure authentication, or proceeding with the less efficient, yet more secure, block cipher based MACs.

Contributions. In this paper, we propose the deployment of a new cryptographic primitive for the construction of secure channels using the E&A composition. We introduce the design of E-MACs, Message Authentication Codes for Encrypted messages. By proposing the first instance of E-MACs, we show how the structure of the E&A system can be utilized to increase the efficiency and security of the authentication process. In particular, we show how a universal hash function based E-MAC can be computed with fewer operations than what standard universal hash functions based MACs require. That is, we will demonstrate that universal hash functions based E-MACs can be implemented without the need to apply any cryptographic operation to the compressed image. Moreover, we will also show how E-MACs can further utilize the special structure of the E&A system to improve the security of the authentication process. More specifically, we will show how universal hash functions based E-MACs can be secured against the key-recovery attack, to which standard universal hash functions based MACs are vulnerable. Finally, we will show that the extra confidentiality requirement on E-MACs can be achieved rather easily, again, by taking advantage of the E&A structure.

2 Related Work

Many standard MACs that can be used in the construction of authenticated encryption schemes have appeared in the literature. Standard MACs can be block ciphers based, cryptographic hash functions based, or universal hash functions based. CBC-MAC is one of the most known block cipher based MACs, specified in FIPS publication 113 [19] and the International Organization for Standardization ISO/IEC 9797-1 [29]. CMAC, a modified version of CBC-MAC, is presented in the NIST special publication 800-38B [15], which was based on OMAC of Iwata and Kurosawa [31]. Other block cipher based MACs include, but are not limited to, XOR-MAC [2] and PMAC [46]. The security of different MACs has been exhaustively studied (see, e.g., [3, 43]). HMAC is a popular example of the use of iterated cryptographic hash functions to design MACs [1], which was adopted as a standard [20]. Another cryptographic hash function based MAC is the MDx-MAC of Preneel and Oorschot [42]. HMAC and two variants of MDx-MAC are specified in the International Organization for Standardization ISO/IEC 9797-2 [30]. Bosselaers et al. described how cryptographic hash functions can be carefully coded to take advantage of the structure of the Pentium processor to speed up the authentication process [11].

The use of universal hash families was pioneered by Wegman and Carter [13, 49] in the context of designing unconditionally secure authentication. The use of universal hash functions for the design of computationally secure MACs appeared in [7-9, 17, 26, 33, 40]. The basic concept behind the design of computationally secure universal hash functions based MACs is to compress the message using universal hash functions and then process the compressed output using a cryptographic function. The key idea is that processing messages using universal hash functions is faster than processing them block by block using block ciphers. Then, since the hashed image is typically much shorter than the message itself, processing the hashed image with a cryptographic function is faster than processing the entire message.

Since in many practical applications both message confidentiality and authenticity are sought, the design of authenticated encryption schemes has attracted a lot of attention historically. A variety of earlier schemes based on adding some redundancy to messages before cipher block chaining (CBC) encryption were found vulnerable to attacks [5]. Establishing secure channels by means of generic constructions of authenticated encryption schemes was of particular interest. The security relations among different notions of security in authenticated encryption schemes were studied in detail in [5]. In [12], it was shown that EtA schemes build secure channels and, in [38], the security of the three generic construction methods is analyzed. In a different direction, block ciphers that combine encryption and message authentication have been proposed in the literature. Proposals that use simple checksum or manipulation detection code (MDC) have appeared in [22, 34, 41]. Such simple schemes, however, are known to be vulnerable to attacks [32]. Other dedicated schemes that combine encryption and message authenticity include [6, 18, 23, 32, 35, 45]. In [32], Jutla proposed the integrity aware parallelizable mode (IAPM), an encryption scheme with authentication. Gligor and Donescu proposed the XECB-MAC [23]. Rogaway et al. [45] proposed OCB: a block-cipher mode of operation for efficient authenticated encryption. Kohno et al. [35] proposed a high-performance conventional authenticated encryption mode (CWC), which the NIST standard Galois/Counter Mode (GCM) was based on [16].

3 Preliminaries

A message authentication scheme consists of a signing algorithm $S$ and a verifying algorithm $V$. The signing algorithm might be probabilistic, while the verifying one is usually not. Associated with the scheme are parameters $\ell$ and $N$ describing the length of the shared key and the resulting authentication tag, respectively. On input an $\ell$-bit key $K$ and a message $M$, algorithm $S$ outputs an $N$-bit string called the authentication tag, or the MAC of $M$. On input an $\ell$-bit key $K$, a message $M$, and an $N$-bit tag, algorithm $V$ outputs a bit, with 1 standing for accept and 0 for reject. We ask for a basic validity condition, namely that authentic tags are accepted with probability one. That is, if $\tau = S(K, M)$, it must be the case that $V(K, M, \tau) = 1$ for any $K$, $M$, and $\tau$.

In general, an adversary in a message authentication scheme is a probabilistic algorithm $A$, which is given oracle access to the signing and verifying algorithms $S(K, \cdot)$ and $V(K, \cdot, \cdot)$ for a random but hidden choice of $K$. $A$ can query $S$ to generate a tag for a plaintext of its choice and ask the verifier $V$ to verify that $\tau$ is a valid tag for the plaintext. Formally, $A$'s attack on the scheme is described by the following experiment:

1. A random string of length $\ell$ is selected as the shared secret.
2. Suppose $A$ makes a signing query on a message $M$. Then the oracle computes an authentication tag $\tau = S(K, M)$ and returns it to $A$. (Since $S$ may be probabilistic, this step requires making the necessary underlying choice of a random string for $S$, anew for each signing query.)
3. Suppose $A$ makes a verify query $(M, \tau)$. The oracle returns the decision $d = V(K, M, \tau)$ to $A$.

The adversary's attack is a $(q_s, q_v)$-attack if during the course of the attack $A$ makes no more than $q_s$ signing queries and no more than $q_v$ verify queries. The outcome of running the experiment in the presence of an adversary is used to define security. As in [5], we say that the MAC algorithm is weakly unforgeable against chosen-message attacks (WUF-CMA) if $A$ cannot make a verify query $(M, \tau)$ which is accepted for an $M$ that has not been queried to the signing oracle $S$. We say that the MAC algorithm is strongly unforgeable against chosen-message attacks (SUF-CMA) if $A$ cannot make a verify query $(M, \tau)$ which is accepted regardless of whether or not $M$ is new, as long as the tag has not been attached to the message by the signing oracle.

As in fast MACs, the proposed E-MAC is based on universal hash-function families. A family of hash functions $H$ is specified by a finite set of keys $\mathcal{K}$. Each key $k \in \mathcal{K}$ defines a member of the family $H_k \in H$. As opposed to thinking of $H$ as a set of functions from $A$ to $B$, it can be viewed as a single function $H: \mathcal{K} \times A \to B$, whose first argument is usually written as a subscript. A random element $h \in H$ is determined by selecting a $k \in \mathcal{K}$ uniformly at random and setting $h = H_k$. There has been a number of different definitions of universal hash families (see, e.g., [13, 26, 36, 37, 44, 47, 49]). We give below a formal definition of one class of universal hash families called $\varepsilon$-almost universal [9].

Definition 1. Let $H = \{h: A \to B\}$ be a family of hash functions and let $\varepsilon \ge 0$ be a real number. $H$ is said to be $\varepsilon$-almost universal, denoted $\varepsilon$-AU, if for all distinct $M, M' \in A$, we have that $\Pr_{h \leftarrow H}[h(M) = h(M')] \le \varepsilon$. $H$ is said to be $\varepsilon$-almost universal on equal-length strings if for all distinct, equal-length strings $M, M' \in A$, we have that $\Pr_{h \leftarrow H}[h(M) = h(M')] \le \varepsilon$.

blocks of length $N$ bits, that is $M = m_1 \| m_2 \| \dots \| m_{B-1}$. (We overload $m_i$ to denote both the binary string in the $i$-th block and the integer representation of the $i$-th block as an element of $\mathbb{Z}_p$; the distinction between the two representations will be omitted when it is clear from the context.) For every message $M$ to be encrypted and authenticated, the sender draws an integer $r$ uniformly at random from $\mathbb{Z}_p$ anew for each message (this $r$ represents the coin tosses of $S$). We emphasize that $r$ must be independent of all $r$'s generated to authenticate other messages. The sender encrypts $M \| r$ and transmits the resulting ciphertext $c = E(M \| r)$ to the receiver (the symbol "$\|$" denotes the concatenation operation), along with the $N$-bit long tag of message $M$ computed as:

$$\tau = \Big(\sum_{i=1}^{B-1} k_i m_i + k_B r\Big) \bmod p, \quad (1)$$

where $m_i$ denotes the $i$-th block of message $M$.

Remark 1. A misconception about universal hash-function families is that the authentication key needs to be as long as the longest message to be authenticated. Obviously, if this was true, universal hashing would be impractical for most applications. In the literature, there exist standard techniques to hash arbitrary-length messages using a fixed-length key. The first such technique was proposed by Wegman and Carter in [50], and later refined by Halevi and Krawczyk in [26]. The work of Black et al. [9] provides a different generic algorithm to transform any hash function $h$ that is $\varepsilon$-AU on equal-length messages to a hash function that is $\varepsilon$-AU on arbitrary-length messages. However, for a lack of space and for a better continuity of the main ideas of the paper, we omit going into the details of such techniques. (Interested readers may refer to [9, 26, 50] for more information.) Therefore, we emphasize that the key $K = (k_1, k_2, \dots, k_B)$ can be used to authenticate arbitrary-length messages.

Remark 2. Clearly, as will be formally proven in Section 5, the bound on the probability of successful forgery is dependent on the security parameter $N$. Depending on application, one might require lower bounds on the probability of successful forgery. A straightforward way is to increase the security parameter to give lower probability of successful forgery. Another method is to hash the same message multiple times with independent keys. This, however, will require a much longer key. A well-studied and more efficient method is to use the Toeplitz-extension on the hash function [36, 39]. (See, e.g., [9] for a detailed use of Toeplitz-extension to increase the security of MACs based on universal hash functions.) Again, we omit describing this topic since it is out of the scope of this work and refer interested readers to [9, 26, 36, 39] for more details.

Verification. Upon receiving a ciphertext-tag pair, $(c, \tau)$, the receiver calls the corresponding decryption algorithm $D$ to extract the plaintext $M \| r$. To verify the integrity of $M \| r$, the receiver computes $\sum_{i=1}^{B-1} k_i m_i + k_B r$ and authenticates the message only if the computed value is congruent to the received $\tau$ modulo $p$. Formally, the following integrity check must be satisfied for the message to be authenticated:

$$\tau \overset{?}{\equiv} \sum_{i=1}^{B-1} k_i m_i + k_B r \pmod p. \quad (2)$$

Remark 3. We emphasize that the random nonce, $r$, requires no key management. It is generated by the sender as the coin tosses of the signing algorithm and delivered to the receiver via the ciphertext. In other words, it is not a shared secret and it needs no synchronization.

1. Assume that only a single message block is different. Since addition is commutative, assume without loss of generality that the first message block is different; that is, $m_1' \not\equiv m_1 \pmod p$. Since only the first message block is different, equation (4) is equivalent to

$$k_1 m_1' \equiv k_1 m_1 \pmod p. \quad (5)$$

Therefore, by Lemma 1, the probability of successful forgery given a single block difference is zero.

2. Assume, without loss of generality, that the first two message blocks are different; i.e., $m_1' \equiv m_1 + \delta_1 \not\equiv m_1 \pmod p$ and $m_2' \equiv m_2 + \delta_2 \not\equiv m_2 \pmod p$. Then, equation (4) is equivalent to

$$k_1 \delta_1 + k_2 \delta_2 \equiv 0 \pmod p. \quad (6)$$

Therefore, by Lemma 2, the probability of successful forgery given that exactly two message blocks are different is at most $1/(p-1)$.

3. Assume that more than two message blocks are different, i.e., $m_i' \equiv m_i + \delta_i \not\equiv m_i \pmod p$ for all $i \in I \subseteq \{1, 2, \dots, B\}$, $|I| \ge 3$. Then, equation (4) is equivalent to

$$k_i \delta_i + \sum_{j \in I,\, j \ne i} k_j \delta_j \equiv 0 \pmod p, \quad (7)$$

for some $i \in I$. Therefore, using Lemma 2 and the fact that $\sum_{j \in I, j \ne i} k_j \delta_j$ can be congruent to zero modulo $p$, the probability of success is at most $1/p$. (The difference between this case and the case of exactly two blocks is that, even if the $\delta$'s are chosen to be nonzero integers, $\sum_{j \in I, j \ne i} k_j \delta_j$ can still be congruent to zero modulo $p$.)

From the above three cases, the probability of successful forgery when the forged tag has been outputted by the signing oracle is at most $1/(p-1)$.

Unqueried tag $(M', \tau')$: Assume now that the tag $\tau'$ is different than all the recorded tags; that is, $\tau' \ne \tau_q$ for all $q = 1, \dots, q_s$. If $\tau'$ is independent of the recorded tags, then the probability of successful forgery is $1/p$ (using the fact that the tag is uniformly distributed over $\mathbb{Z}_p$). Assume, however, that $\tau'$ is a function of $\tau_q$, for a $q \in \{1, \dots, q_s\}$. Let $\tau' \equiv \tau_q + \beta \pmod p$ for some $\beta \in \mathbb{Z}_p \setminus \{0\}$ of the adversary's choice. (Note that $\beta$ can be a function of any value recorded by the adversary.) Then, $V(K, M', \tau') = 1$ if and only if the following congruence holds:

$$\sum_{\ell=1}^{B} k_\ell m_\ell' \overset{?}{\equiv} \tau' \equiv \tau_q + \beta \equiv \sum_{\ell=1}^{B} k_\ell m_\ell + \beta \pmod p, \quad (8)$$

where $m_\ell'$ denotes the $\ell$-th block of $M'$ and $m_\ell$ denotes the $\ell$-th block of $M_q$. Below we analyze equation (8) by considering two cases: $M'$ and $M_q$ differ by a single block, or $M'$ and $M_q$ differ by more than one block.

1. Without loss of generality, assume that $M'$ and $M_q$ differ in the first block only. That is, $m_1' \equiv m_1 + \delta \not\equiv m_1 \pmod p$ and $m_i' \equiv m_i \pmod p$ for all $i = 2, \dots, B$. Then, equation (8) is equivalent to

$$k_1 \delta \equiv \beta \pmod p. \quad (9)$$

Therefore, by Lemma 2, the probability of success is at most $1/(p-1)$.

2. Assume now that $M'$ and $M_q$ differ by more than one block. That is, $m_i' \equiv m_i + \delta_i \not\equiv m_i \pmod p$ for all $i \in I \subseteq \{1, 2, \dots, B\}$, $|I| \ge 2$. Then, equation (8) is equivalent to

$$\sum_{i \in I} k_i \delta_i \equiv \beta \pmod p. \quad (10)$$

By Lemma 2 and the fact that $\sum_{i \in I} k_i \delta_i$ can be congruent to zero modulo $p$, the probability of success is at most $1/p$.

From the above two cases, the probability of successful forgery when the forged tag has not been outputted by the signing oracle is at most $1/(p-1)$. Therefore, given that $A$ has made at least one signing query, $A$'s probability of successful forgery for each verify query is at most $1/(p-1)$. $\square$

Remark 5. Observe that the case of queried tag implies that the used hash family is $(1/(p-1))$-AU. Similarly, the case of unqueried tag implies that the used hash family is $(1/(p-1))$-AU. Observe further that the proposed E-MAC is strongly unforgeable under chosen message attacks (SUF-CMA). Recall that SUF-CMA requires that it be computationally infeasible for the adversary to find a new message-tag pair after chosen-message attacks even if the message is not new, as long as the tag has not been attached to the message by a legitimate user [5]. To see this, let $(M, \tau)$ be a valid message-tag pair. Assume that the adversary is attempting to authenticate the same message with a different tag $\tau'$. For the $(M, \tau')$ pair to be authenticated, $\sum_i k_i m_i + k_B r' \bmod p$ must be equal to $\tau'$. That is, given $\tau'$, $r'$ must be set to $k_B^{-1}(\tau' - \sum_i k_i m_i) \bmod p$ for the tag to be authenticated. By Theorem 1, however, the adversary cannot expose the E-MAC's key. Therefore, Theorem 2 holds whether or not the message is new, as long as the tag has not been attached to the message by the signing oracle.

5.2 Security of the E&A Composition

In [5], Bellare and Namprempre defined two notions of integrity in authenticated encryption schemes, integrity of plaintexts (INT-PTXT) and integrity of ciphertexts (INT-CTXT). INT-PTXT implies that it is computationally infeasible for an adversary to produce a ciphertext decrypting to a message which the sender had never encrypted, while INT-CTXT implies that it is computationally infeasible for an adversary to produce a ciphertext not previously produced by the sender, regardless of whether or not the corresponding plaintext is new. Although the work of [5] shows that the E&A composition is generally insecure, the results do not apply to all variants of E&A constructions. For instance, the E&A composition does not provide indistinguishability under chosen plaintext attacks (IND-CPA) because there exist secure MACs that reveal information about the plaintext ([5] provides a detailed example). Obviously, if such a MAC is used in the construction of an E&A system, the resulting composition will not provide IND-CPA. Unlike standard MACs, however, it is a basic requirement of E-MACs to be as secret as the used encryption algorithm. Indeed, Theorem 1 guarantees that the proposed E-MAC does not reveal any information about the plaintext that is not revealed by the ciphertext. Another result of [5] is that the generic E&A does not provide INT-CTXT. (Although the notion of INT-PTXT is the more natural security requirement [5], the interest of the stronger INT-CTXT notion is more in the security implications shown in [5].) The reason why E&A compositions generally do not provide INT-CTXT is that one can come up with a secure encryption algorithm with the property that a ciphertext can be modified without changing its decryption [5]. Obviously, when such an encryption algorithm is combined with the proposed E-MAC to construct an E&A system, since the tag is computed as a function of the plaintext, only INT-PTXT is reached.

A Proof of Lemma 3

Proof. Throughout this proof, random variables will be represented by bold font symbols, whereas the corresponding non-bold font symbols represent specific values that can be taken by these random variables. Let the secret key $K = k_1 \| k_2 \| \dots \| k_B$ be fixed. Then, for any tag $\tau \in \mathbb{Z}_p$ computed according to equation (1), and any plaintext message $M$, the following holds:

$$\Pr(\boldsymbol{\tau} = \tau \mid \mathbf{M} = M) = \Pr\Big(\mathbf{r} = \big(\tau - \sum_{i=1}^{B-1} k_i m_i\big) k_B^{-1}\Big) = \frac{1}{p}, \quad (15)$$

where $m_i$ denotes the $i$-th block of the message $M$. Equation (15) holds by the assumption that $r$ is drawn uniformly from $\mathbb{Z}_p$. The existence of $k_B^{-1}$, the multiplicative inverse of $k_B$ in the integer field $\mathbb{Z}_p$, is guaranteed since $k_B$ is not the zero element. Furthermore, as a direct consequence of the fact that $\mathbb{Z}_p$ is a field, for an $r$ drawn uniformly at random from $\mathbb{Z}_p$, the resulting $(k_B r \bmod p)$ is uniformly distributed over $\mathbb{Z}_p$. Consequently, for any plaintext message $M$, since the tag is a result of adding $(k_B r \bmod p)$ to $(\sum_i k_i m_i \bmod p)$, and since $(k_B r \bmod p)$ is uniformly distributed over $\mathbb{Z}_p$, the resulting tag is uniformly distributed over $\mathbb{Z}_p$. That is, for any fixed value $\tau \in \mathbb{Z}_p$, the probability that the tag will take this specific value is given by:

$$\Pr(\boldsymbol{\tau} = \tau) = \frac{1}{p}. \quad (16)$$

Combining Bayes' theorem [25] with equations (15) and (16) yields:

$$\Pr(\mathbf{M} = M \mid \boldsymbol{\tau} = \tau) = \frac{\Pr(\boldsymbol{\tau} = \tau \mid \mathbf{M} = M)\,\Pr(\mathbf{M} = M)}{\Pr(\boldsymbol{\tau} = \tau)} = \Pr(\mathbf{M} = M). \quad (17)$$

Equation (17) implies that the tag gives no information about the plaintext $M$ since $\boldsymbol{\tau}$ is statistically independent of $\mathbf{M}$. Similarly, one can show that the tag is independent of the secret key. Now, let $\tau_1$ through $\tau_\ell$ represent the tags for messages $M_1$ through $M_\ell$, respectively. Further, let $r_1$ through $r_\ell$ be the coin tosses of the signing algorithm $S$ for the authentication of messages $M_1$ through $M_\ell$, respectively. Recall that the $r_i$'s are mutually independent and uniformly distributed over $\mathbb{Z}_p$. Then, for any possible values of the messages $M_1$ through $M_\ell$ with arbitrary joint probability mass function, and all possible values of $\tau_1$ through $\tau_\ell$, we get:

$$\begin{aligned}
\Pr(\boldsymbol{\tau}_1 = \tau_1, \dots, \boldsymbol{\tau}_\ell = \tau_\ell)
&= \sum_{M_1, \dots, M_\ell} \Pr(\boldsymbol{\tau}_1 = \tau_1, \dots, \boldsymbol{\tau}_\ell = \tau_\ell \mid \mathbf{M}_1 = M_1, \dots, \mathbf{M}_\ell = M_\ell)\,\Pr(\mathbf{M}_1 = M_1, \dots, \mathbf{M}_\ell = M_\ell) \\
&= \sum_{M_1, \dots, M_\ell} \Pr\Big(\mathbf{r}_1 = \big(\tau_1 - \sum_{i=1}^{B-1} k_i m_{1,i}\big) k_B^{-1}, \dots, \mathbf{r}_\ell = \big(\tau_\ell - \sum_{i=1}^{B-1} k_i m_{\ell,i}\big) k_B^{-1}\Big)\,\Pr(\mathbf{M}_1 = M_1, \dots, \mathbf{M}_\ell = M_\ell) \quad (18) \\
&= \sum_{M_1, \dots, M_\ell} \Pr\Big(\mathbf{r}_1 = \big(\tau_1 - \sum_{i=1}^{B-1} k_i m_{1,i}\big) k_B^{-1}\Big) \cdots \Pr\Big(\mathbf{r}_\ell = \big(\tau_\ell - \sum_{i=1}^{B-1} k_i m_{\ell,i}\big) k_B^{-1}\Big)\,\Pr(\mathbf{M}_1 = M_1, \dots, \mathbf{M}_\ell = M_\ell) \quad (19) \\
&= \sum_{M_1, \dots, M_\ell} \frac{1}{p} \cdots \frac{1}{p}\,\Pr(\mathbf{M}_1 = M_1, \dots, \mathbf{M}_\ell = M_\ell) \quad (20) \\
&= \Pr(\boldsymbol{\tau}_1 = \tau_1) \cdots \Pr(\boldsymbol{\tau}_\ell = \tau_\ell), \quad (21)
\end{aligned}$$

where $m_{j,i}$ denotes the $i$-th block of the $j$-th message $M_j$. Equation (19) holds due to the independence of the $r_i$'s; equation (20) holds due to the uniform distribution of the $r_i$'s; and equation (21) holds due to the uniform distribution of the $\tau_i$'s. Therefore, authentication tags are mutually independent, and the lemma follows. $\square$
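As an added worked example (my own code, not the paper's, and not a reference implementation of E-MACs), the following Python implements the tag equation (1) and the integrity check (2) over $\mathbb{Z}_p$ and then checks, by exhaustive enumeration over a small prime, the three facts the forgery analysis and the proof of Lemma 3 rely on: a single differing block with the same $r$ and tag is never accepted (Lemma 1 case), for a fixed message the tag is uniform over $\mathbb{Z}_p$ as $r$ ranges over $\mathbb{Z}_p$ (equation (16)), and the fraction of keys for which $\sum_{i \in I} k_i \delta_i \equiv 0 \pmod p$ is exactly $1/(p-1)$ for $|I| = 2$ and below $1/p$ for $|I| \ge 3$ (Lemma 2 cases). The function names, the choice of drawing every $k_i$ from $\mathbb{Z}_p \setminus \{0\}$, the constructed 3-block message, and the prime $p = 13$ used so that everything can be enumerated are my assumptions. The encryption step $c = E(M \| r)$ of the E&A system is left out: the receiver is handed $(M, r)$ directly where the real system would decrypt $c$ first.

```python
# Added example: toy E-MAC over Z_p plus exhaustive checks of the bounds
# used in the paper's analysis. Not the paper's code; names are my own.
from fractions import Fraction
from itertools import product
import secrets


def keygen(num_blocks, p):
    """Key K = (k_1, ..., k_B) with B = num_blocks + 1; k_B authenticates r.
    Assumption: every k_i is drawn from Z_p \\ {0}, so k_B (and k_1, for the
    single-block case) is invertible, as the proofs require."""
    return [1 + secrets.randbelow(p - 1) for _ in range(num_blocks + 1)]


def emac_sign(key, blocks, r, p):
    """Equation (1): tau = sum_{i=1}^{B-1} k_i m_i + k_B r (mod p).
    blocks are the integer representations m_1..m_{B-1}, each in Z_p."""
    if len(key) != len(blocks) + 1:
        raise ValueError("key needs one more element than the message has blocks")
    if not all(0 <= m < p for m in blocks) or not 0 <= r < p:
        raise ValueError("blocks and r must be elements of Z_p")
    # zip() pairs k_1..k_{B-1} with the blocks; key[-1] is k_B.
    return (sum(k * m for k, m in zip(key, blocks)) + key[-1] * r) % p


def emac_verify(key, blocks, r, tag, p):
    """Equation (2): after recovering M||r, accept only if the recomputed
    value is congruent to the received tag modulo p."""
    return emac_sign(key, blocks, r, p) == tag % p


def single_block_forgeries_accepted(key, blocks, r, p):
    """Case 1 of the queried-tag analysis: replace m_1 by each of the p-1 other
    values, keep r and the genuine tag. Returns the number accepted (0 if
    k_1 is invertible, since k_1 m_1' = k_1 m_1 forces m_1' = m_1)."""
    tag = emac_sign(key, blocks, r, p)
    accepted = 0
    for m1 in range(p):
        if m1 == blocks[0]:
            continue
        accepted += emac_verify(key, [m1] + list(blocks[1:]), r, tag, p)
    return accepted


def tag_is_uniform_over_r(key, blocks, p):
    """Equation (16): for fixed M, r -> tau is a bijection on Z_p because k_B
    is invertible, so every tag value occurs exactly once over all r."""
    tags = sorted(emac_sign(key, blocks, r, p) for r in range(p))
    return tags == list(range(p))


def forgery_rate(deltas, p):
    """Lemma 2 style count: over all key tuples in (Z_p \\ {0})^|I|, the exact
    fraction for which sum k_i * delta_i = 0 (mod p), given nonzero deltas.
    For |I| = 2 this is 1/(p-1); for |I| = 3 it is (p-2)/(p-1)^2 < 1/p."""
    if any(d % p == 0 for d in deltas):
        raise ValueError("all block differences must be nonzero modulo p")
    hits = 0
    for ks in product(range(1, p), repeat=len(deltas)):
        if sum(k * d for k, d in zip(ks, deltas)) % p == 0:
            hits += 1
    return Fraction(hits, (p - 1) ** len(deltas))


if __name__ == "__main__":
    P = 13                 # small prime so every r and key tuple can be enumerated
    msg = [3, 7, 11]       # constructed 3-block message, blocks in Z_13
    key = keygen(len(msg), P)
    r = secrets.randbelow(P)
    tag = emac_sign(key, msg, r, P)
    print("genuine pair verifies:", emac_verify(key, msg, r, tag, P))
    print("single-block forgeries accepted:", single_block_forgeries_accepted(key, msg, r, P))
    print("tag uniform over r for fixed M:", tag_is_uniform_over_r(key, msg, P))
    print("two-block forgery rate:", forgery_rate([2, 5], P), "== 1/(p-1) =", Fraction(1, P - 1))
    print("three-block forgery rate:", forgery_rate([2, 5, 9], P), "< 1/p =", Fraction(1, P))
```

The enumeration is what makes the bounds concrete: with two differing blocks there is, for every $k_1$, exactly one $k_2$ that cancels the difference, hence the $1/(p-1)$; with three or more differing blocks some key pairs already cancel among themselves, which is why the count drops below $1/p$ rather than staying at $1/(p-1)$. Replacing $p = 13$ by an $N$-bit prime gives the scheme its real tag length; the checks are only feasible at toy size.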