WO1994021066A1 - A method and apparatus for generating a digital message authentication code - Google Patents

Publication number
WO1994021066A1
Authority
WO
WIPO (PCT)
Prior art keywords
message
cipher
sequence
generating
authentication code
Prior art date
Application number
PCT/AU1994/000101
Other languages
French (fr)
Inventor
Richard Taylor
Original Assignee
Telstra Corporation Limited
Application filed by Telstra Corporation Limited
Priority to AU62556/94A (AU683646B2)
Publication of WO1994021066A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065: Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L9/0656: Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • H04L9/0662: Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher with particular pseudorandom sequence generator
    • H04L9/0643: Hash functions, e.g. MD5, SHA, HMAC or f9 MAC

Definitions

  • Corollary 1 is an immediate consequence of this theorem.
  • Corollary 1 Let M and M' be any two unequal message strings, and y any fixed integer. Let the function icv() be defined as in (1) and (2). Then if $z_i, z_{i+1}, z_{i+2}, \ldots, z_{i+s}$ are independent and uniformly distributed random variables in the range 0 to $2^w - 1$,
  • Corollary 2 indicates the strength of the integrity mechanism in terms of the likelihood of replacing, in transit, a message and the corresponding icv with a legitimate, but different, message-icv pair.
  • Corollary 2 Let M and M' be any two unequal message strings, and y, g any fixed integers. Let the function icv() be defined as in (1) and (2). Then if $z_i, z_{i+1}, z_{i+2}, \ldots, z_{i+s}, z_{i+s+1}$ are independent and uniformly distributed random variables in the range 0 to $2^w - 1$,
  • the stream cipher produces outputs that are independent and uniformly distributed random variables in the range 0 to $2^w - 1$. It follows from Corollary 2 that if any message and its integrity check value were to be altered in transit (the message being altered in at least one bit position), the new message and integrity check value would register as valid by the receiver with probability at most $b/2^w$. Thus we refer to $\log_2(2^w/b)$ as the effective icv size. As an example, with a word size w of 32 bits and a block size b of 20 the resulting effective icv size is approximately 28. Note that the effective icv size indicates the strength of the integrity method used with an idealised stream cipher (with outputs that are uniformly distributed independent random variables).
  • the stream cipher key size must be at least as large as the effective icv size. In this case if there is some way of altering or substituting message-icv pairs that goes undetected with a probability of more than $b/2^w$ then this implies some corresponding level of predictability in the stream cipher output.
  • Figure 1 illustrates a flow chart of the preferred method of generating an integrity check value (icv) or message authentication code (mac).
  • the flow chart 2 is structured into a dual loop iterative process, wherein steps 6, 8, 12 and 18 are used for the calculation of non linear function y (equation (2)) whilst steps 16, 20 and 22 perform the steps necessary for the calculation of the icv according to equation (1).
  • Step 6 acts as an initialisation step for the non linear function value y, such that the first iteration of steps 8 and 12 are effective to calculate the first term of equation (2) (ie: $n_0 x$).
  • steps 8 and 12 successive integer values of the message are input from the message stream 10 and values of the stream cipher are input from cipher stream 14 according to the message block counter index k.
  • the index j is incremented by one, and a test of the value of index j is applied at step 16 to determine whether or not the last unit of the message has been processed. Where there remains message units left to process, the procedure continues to step 18 where a test is applied to index j to determine whether or not the end of a message block has been reached.
  • step 18 If j+1 is an integer divisor of block size b at step 18, this indicates that the beginning of a new message block has been reached, and the procedure continues to step 20 where the icv is incremented by the value of the non linear function y.
  • the block counter index k is incremented following step 20, and the procedure passes to step 6 where the non linear function y is reset. Where the beginning of a message block has not been reached at step 18 the procedure returns to step 8, so as to perform a further iteration of steps 8, 12 and 16.
  • the block counter index k is again incremented and the icv is totalled together with the final stream cipher value $z_k$ (step 22).
  • this method allows the icv to be calculated in a serial manner, which is consistent with the continuous output form of the message stream and cipher stream.
  • a message string $M = (m_0, m_1, \ldots)$ is divided into blocks $M_0, M_1, \ldots, M_s$ each containing at most b integers.
  • the stream cipher is used to generate h(s+2) outputs $z_i, z_{i+1}, z_{i+2}, \ldots, z_{i+h(s+2)-1}$.
  • the integrity check value $icv_h$ is defined as a sequence of h integers between 0 and p calculated according to: $icv_h(M, b, p, z_i, z_{i+1}, \ldots, z_{i+h(s+2)-1})$
  • the cipher stream can be used to provide input to the integrity calculation as well as output to be used for message encryption.
  • cipher stream output that is used in icv calculations by the receiver never be used for message encryption by the sender. Otherwise a known plaintext attack combined with altering the synchronisation of the cipher stream may succeed in making the receiver use cipher data in icv calculations which is known to an attacker.
  • an integer d ( ⁇ b) is chosen such that only those $z_i$ for which i is a multiple of d are used in the icv calculation, the remaining $z_i$ being used for encryption. This technique is illustrated in the example below.
  • the transmitted message is
  • FIG. 2 illustrates a simple block diagram of an encryption and integrity system which may be utilised to implement the above described.
  • Message data $m_j$ is output from a message source 26, which message data is passed to both an encryption processor 30 and a message authentication code generator 32.
  • a cipher stream generator 28 outputs stream cipher data $z_i$, which also passes to both the encryption processor 30 and mac generator 32.
  • the encryption processor 30 acts to combine the message and cipher stream data so as to encrypt the message for transmission thereof.
  • the mac generator 32 produces an integrity check value, as described above, utilising the same message data but only one out of every d cipher stream outputs, the other d-1 cipher stream outputs being utilised for encryption by the encryption processor 30.

Abstract

A method and apparatus for generating a message authentication code (mac) or integrity check value (icv) for a digital message to be transmitted by way of a telecommunications medium. Modular arithmetic to a prime modulus is utilised to combine message data and pseudo-random cipher data so as to produce a mac or icv which has a cryptographic strength comparable to that of the source of cipher data. The method for generating the mac can be performed iteratively, this being suitable for use with stream cipher encryption methods.

Description

A METHOD AND APPARATUS FOR GENERATING A DIGITAL MESSAGE AUTHENTICATION CODE
This invention relates to a method and apparatus for generating a digital message authentication code.
In digital communication systems, such as broadband integrated systems digital networks (B-ISDN) it is often desirable to prevent the meaning of digital messages transmitted thereon from being intercepted and/or interfered with by an unauthorised person. For this reason, digital messages are often encrypted or enciphered such that a person intercepting the transmitted message is unable to ascertain its meaning. Therefore, at the sending site on the network a plain text message is, under control of an enciphering key, transformed into cipher text which is preferably unintelligible to anyone not having the secret deciphering key. At the legitimate receiving site on the network, the cipher text is, under control of the secret deciphering key, retransformed into the original plain text message. Cryptographic systems which operate in this way are commonly classified into block ciphers and stream ciphers. Stream ciphers act by dividing the plain text into characters, each of which is enciphered utilising a time varying function whose time dependency is governed by the internal state of the stream cipher. The time varying function is produced by a cipher stream generator, which generates a digital cipher stream in accordance with key data which is kept secret. The cipher stream generator is constructed such that the cipher stream produced is a pseudo random bit stream which is cyclic, but has a period which is much greater than the length of key data provided. In a stream cipher, after each character is enciphered, the device changes state according to a rule, such that two occurrences of the same character in the plain text message will usually not result in the same cipher text character.
The security or strength of a stream cipher depends on the "randomness" of the generated cipher stream. Assuming an interceptor has knowledge of the plain text message, full access to the running cipher stream may also be deduced. For the system to be secure, the cipher stream must be unpredictable: regardless of the number of cipher stream digits observed, the subsequent cipher stream digits must not be more easily predictable than by just randomly guessing them. An enciphering system such as this ensures that an unauthorised person is unable to determine the meaning of an intercepted message, but does not address the issue of interference with the message despite its meaning being unknown. For example, a portion of a transmitted message may be intercepted, altered or replaced with another message portion even if the interceptor is unable to ascertain the deciphered meaning of the original, altered or replaced message portion.
The immunity of a system to unauthorised and undetected alteration of a transmitted message is referred to as the integrity of the system. Integrity is a factor which is not often considered in relation to stream ciphers. A message authentication code (mac), or integrity check value (icv) determined from the content of the plain text message, may be transmitted with the cipher text to enable the receiver to determine whether the received deciphered plain text corresponds with the plain text originally transmitted, i.e. whether the cipher text has been altered during transmission. The message deciphering and authentication process involves the receiver having access to a cipher stream corresponding to the cipher stream with which the message was enciphered. Then, upon receiving the message the receiver can decipher it and generate a mac from the deciphered plain text message. A comparison of the received mac and the mac generated by the receiver can then be used as an indication of whether the transmitted mac or message has been altered in transit, since the mac generated by the receiver should be the same as the mac generated at the transmitter. However, in certain cryptographic systems it may be possible for a cryptanalyst to alter both the cipher text message and the enciphered mac in such a way that the change is not apparent to the receiver, even though the cryptanalyst is unable to determine the meaning of the cipher text which has been altered. Therefore, it is also advantageous for cryptographic systems to provide an integrity checking or authentication process which prevents such alterations during transmission from taking place without detection. A paper entitled "A Fast Cryptographic Checksum Algorithm Based on Stream Ciphers" (X. Lai, R. Rueppel, J. Woollven; AUSCRYPT '92 Abstracts; pp 8-7 to 8-11) describes a cryptographic checksum algorithm for producing a message authentication code with a stream cipher system.
The checksum algorithm presented involves demultiplexing the message stream into two subsequences according to the binary state of the cipher stream. The two subsequences are input to respective accumulating feedback shift registers, the outputs of which serve as a pair of message authentication codes. The checksum algorithm is easily implemented, regardless of the cipher stream generator structure. However, the cryptographic checksum algorithm is flawed in so far as the alteration of a single digit in the message stream only requires the alteration of a single digit in the message authentication code to obtain the correct mac value. Consequently, certain alterations can be made to the message with a high probability of also obtaining the correct message authentication code. A further integrity checking system is described in International Patent Application
No. PCT/AU93/00687 entitled "A method and apparatus for generating a cipher stream". The algorithms described therein for generating message authentication codes, however, are dependent upon the particular structure of the cipher stream generator. It would be preferable, therefore to provide an integrity checking mechanism for a stream cipher system which is independent from the method used for generating the stream cipher itself.
In accordance with the present invention there is provided a method for generating a message authentication code for a digital message in a telecommunications or computer system comprising:
generating a sequence of pseudo random cipher strings; and
generating a message authentication code by performing modular arithmetic to a prime modulus including multiplication of the digital message by a first said cipher string and addition of a second said cipher string. Preferably, the message comprises a sequence of message units which are multiplied by respective powers of said first cipher string in generating the message authentication code. Preferably, the message comprises a sequence of message blocks each comprising a said sequence of message units, each sequence of message units being multiplied by respective different said first cipher strings and summed with said second cipher string to form the message authentication code.
In accordance with the present invention there is also provided a method for generating a message authentication code in a telecommunications or computer system for a digital message which comprises a sequence of message blocks each comprising a sequence of message units, including the steps of:
generating a sequence of pseudo random cipher strings;
generating a non-linear function value for each message block by summing the constituent message units multiplied by respective values derived from said cipher string sequence; and
generating the message authentication code by summing the non-linear function values with a said cipher string sequence value to a prime modulus.
Preferably the message units are multiplied by respective powers of a said cipher string sequence value. In accordance with the present invention there is also provided a method for generating a message authentication code in a telecommunications or computer system for a digital message M which comprises a sequence of message units $m_j$ for j = 0, 1, ..., r, comprising the steps of:
generating a sequence of pseudo random cipher strings $z_i$;
determining a non-linear function value f according to
$$f(M, z_i) = \sum_{x=0}^{r} m_x z_i^{r-x} \pmod p$$
and generating the message authentication code Q modulus p, where p is prime, according to
$$Q = (f(M, z_i) + z_{i+1}) \pmod p$$
In accordance with the present invention there is also provided a method for generating a message authentication code in a telecommunications or computer system for a digital message M which comprises a sequence of message units $m_j$ for j = 0, 1, ..., r, comprising the steps of:
generating a sequence of pseudo random cipher strings $z_i$;
determining a non-linear function value f according to
$$f(M, z) = \sum_{x=0}^{r} m_x z^{x} \pmod p$$
and generating the message authentication code Q modulus p, where p is prime, according to
$$Q = (f(M, z) + z_{i+1}) \pmod p$$
In accordance with the present invention there is also provided a method for generating a message authentication code in a telecommunications or computer system for a digital message M which comprises a sequence of message blocks $M_j$ for j = 0, 1, ..., s, each message block comprising a sequence of b message units $m_{jk}$ for k = 0, 1, ..., b-1, comprising the steps of:
generating a sequence of cipher strings $z_i, z_{i+1}, z_{i+2}, \ldots, z_{i+s+1}$;
determining a non-linear function value f for each message block according to
$$f(M_j, z_i) = \sum_{x=0}^{b-1} m_{jx} z_i^{x} \pmod p$$
and generating the message authentication code Q modulus p, where p is prime, according to
$$Q(M_j, z_i) = \left( \sum_{x=0}^{s} f(M_x, z_{i+x}) + z_{i+s+1} \right) \pmod p$$
Preferably the message authentication code effective code size is increased by a factor of h by generating a modified message authentication code Q' according to:
$$Q' = Q(M, z_i) \mid Q(M, z_{i+s+2}) \mid Q(M, z_{i+2s+4}) \mid \cdots \mid Q(M, z_{i+(h-1)s+2}) \pmod p$$
where | represents concatenation.
The present invention further provides a method for encoding a digital message comprising generating a sequence of cipher strings, generating a message authentication code according to a method described above, enciphering the message by combining at least one said cipher string therewith, the at least one cipher string being distinct from the cipher strings utilised for generating the message authentication code, and appending the message authentication code to the enciphered message. The invention also provides apparatus for generating a message authentication code for a digital message composed of a sequence of message blocks, comprising: a stream cipher for generating a sequence of pseudo-random cipher strings; and computation means for generating a non-linear function value for each message block by combining each message block with at least one said cipher string by way of modular arithmetic to a prime modulus, and generating a message authentication code by summing the non-linear function values together with at least one further said cipher string.
Preferred embodiments of the invention are described in detail hereinafter, by way of example only, with reference to the accompanying drawings, wherein:
Figure 1 is a flow chart of a preferred algorithm for generating a message authentication code; and
Figure 2 is a block diagram of a system for encoding digital messages for transmission by way of a telecommunications path.
An effective cipher stream generator utilises secret key data to produce an output consisting of a pseudo random bit stream Z. The cipher stream Z is typically used to encrypt a stream of message data by logically combining the cipher stream and the message stream. Since the cipher stream is continuously changing, a particular bit sequence repeated in the message stream will be encrypted differently each time, depending on the state of the cipher stream. It is therefore advantageous to exploit the time dependence randomness of the cipher stream not only for encryption of the message, but also to ensure that the integrity of the message is not compromised. Throughout the following description the terms message authenticity and message integrity are used interchangeably to refer to the condition of a digital message reaching its destination unaltered or, if altered, the alteration being detectable at the destination. In particular, the terms message authentication code (mac) and integrity check value (icv) are used interchangeably throughout the specification to denote a numerical value generated from the numerical value of a message which may be utilised to determine whether the message itself has been altered before reaching its destination. Furthermore, in the following for integers t and u we shall write t[u] to represent the unique positive integer satisfying: t[u]≡ t(mod u) and 0≤t[u]≤(u-1)
Consider a stream cipher with output $Z = (z_0, z_1, z_2, \ldots)$ where each output $z_i$ is a word of w bits (typically w = 16 or 32), such that each $z_i$ has a value from 0 to $2^w - 1$. It is assumed that Z is unpredictable in the sense that from any part of the Z stream it should be difficult to predict (either exactly or with high probability) what another part of the Z stream was or will be. The output of the cipher stream may be used to provide message integrity by the construction of an integrity check value (icv) that is generated from the message and appended thereto. A non-linear combination of the message and the stream cipher output is utilised to prevent an attacker from modifying the message and determining the necessary modification to generate a valid icv. Prime power modular arithmetic is also used in generating the icv, which ensures that the values of the icv are uniformly distributed and minimal in number for a given message value. The simplest icv can thus be calculated as follows, for a single message unit $m_0$, such as a message word, and a prime modulus p:
$$icv = (m_0 z_0 + z_1)\,[p]$$
Extending this to generate a single icv for two message units yields:
$$icv = ((m_0 z_0 + m_1 z_1) + z_2)\,[p]$$
The preferred implementation of the integrity check value generation, however, involves generating a single icv for a message which consists of a sequence of message blocks each comprising a sequence of message integer units.
The procedure for generating the icv is as follows:
Select a message block length $b$ and prime number $p = 2^w + k$ ($k$ small). Let a message string $M = (m_0, m_1, \dots)$ of integers between 0 and $2^w-1$ be partitioned into blocks $M_0, M_1, \dots, M_s$ each containing at most $b$ integers so that:
$$M_0 = m_0, m_1, \dots, m_{b-1}$$
$$M_j = m_{bj}, m_{bj+1}, \dots, m_{b(j+1)-1}, \quad j = 0, 1, \dots, s-1$$
$$M_s = m_{bs}, m_{bs+1}, \dots, m_{bs+t}, \quad \text{for some } t \le b-1$$
Use the stream cipher to generate $s+2$ outputs $z_i, z_{i+1}, z_{i+2}, \dots, z_{i+s+1}$. The icv is calculated as:
$$icv(M, b, p, z_i, z_{i+1}, \dots, z_{i+s+1}) = (f(M_0, z_i) + f(M_1, z_{i+1}) + \dots + f(M_s, z_{i+s}) + z_{i+s+1})[p] \tag{1}$$
where for any message string $N = (n_0, n_1, \dots, n_r)$, and integer $x$,
$$f(N, x) = (\dots((n_0 x + n_1)x + n_2)x + \dots + n_r)x\,[p] \tag{2}$$
$$= (n_0 x^{r+1} + n_1 x^{r} + n_2 x^{r-1} + \dots + n_r x)[p]$$
The following example illustrates the procedure for generation of an icv for transmission with a message, such as over a telecommunications network.
Example 1: Let $w = 32$, $p = 2^{32}+15$, $d = 10$, $b = 20$. Let the cipher be in state 56 (the last output produced being $z_{55}$). Let $M = (m_0, m_1, \dots, m_{108})$ be a message string of length 109 that requires integrity. $M$ is divided into blocks $M_0, M_1, \dots, M_4$ of length 20 where $M_i = (m_{20i}, m_{20i+1}, \dots, m_{20i+19})$, $i = 0, 1, \dots, 4$, and one block of 9 integers $M_5 = (m_{100}, m_{101}, \dots, m_{108})$. The cipher is used to generate 7 outputs $z_{56}, z_{57}, z_{58}, \dots, z_{62}$, and the integrity check value is calculated according to (1) and (2):
$$icv(M, 20, 2^{32}+15, z_{56}, z_{57}, z_{58}, \dots, z_{62})$$
The transmitted message is then $m_0, m_1, \dots, m_{108}, icv$.
As mentioned above, the strength of the message integrity or authentication checking system is preferably of the same order as the strength of the accompanying encryption system. In other words, the probability that an attacker is able to alter a message undetected should be comparable to the probability of the attacker successfully deciphering the message. The following Theorem and Corollaries establish a clear link between the strength of the integrity mechanism and the strength of the stream cipher from which it is constructed.
Theorem: Let $p = 2^w + k$, and the function $f$ be defined by (2). Let $M$ and $M'$ be any two unequal message strings of length $b$, and $y$ any fixed integer. Then if $x$ is a uniformly distributed random variable in the range 0 to $2^w-1$,
$\mathrm{Probability}[f(M,x) - f(M',x) \equiv y \pmod{p}] \le$
Figure imgf000011_0001
Proof: Let $M = (m_0, m_1, \dots, m_{b-1})$ and $M' = (m'_0, m'_1, \dots, m'_{b-1})$. By expanding (2),
$$f(M,x) - f(M',x) \equiv ((m_0 - m'_0)x^{b} + (m_1 - m'_1)x^{b-1} + \dots + (m_{b-1} - m'_{b-1})x) \pmod{p}.$$
Thus $f(M,x) - f(M',x) \equiv y \pmod{p}$ if and only if
$$(m_0 - m'_0)x^{b} + (m_1 - m'_1)x^{b-1} + \dots + (m_{b-1} - m'_{b-1})x \equiv y \pmod{p}.$$
By a standard result of elementary number theory (see, for example, p58 of Ivan Niven and H.S. Zuckerman, The Theory of Numbers (fourth edition), John Wiley and Sons, 1980) such an equivalence has at most $b$ solutions for $x$, from which the result follows.
Corollary 1 is an immediate consequence of this theorem.
Corollary 1: Let $M$ and $M'$ be any two unequal message strings, and $y$ any fixed integer. Let the function icv() be defined as in (1) and (2). Then if $z_i, z_{i+1}, z_{i+2}, \dots, z_{i+s}$ are independent and uniformly distributed random variables in the range 0 to $2^w-1$,
$\mathrm{Probability}[icv(M, b, p, z_i, z_{i+1}, \dots, z_{i+s+1}) - icv(M', b, p, z_i, z_{i+1}, \dots, z_{i+s+1}) \equiv y \pmod{p}] \le$
Figure imgf000012_0001
Corollary 2 indicates the strength of the integrity mechanism in terms of the likelihood of replacing, in transit, a message and the corresponding icv with a legitimate, but different, message-icv pair.
Corollary 2: Let $M$ and $M'$ be any two unequal message strings, and $y$, $g$ any fixed integers. Let the function icv() be defined as in (1) and (2). Then if $z_i, z_{i+1}, z_{i+2}, \dots, z_{i+s}, z_{i+s+1}$ are independent and uniformly distributed random variables in the range 0 to $2^w-1$,
$\mathrm{Probability}[icv(M', b, p, z_i, z_{i+1}, \dots, z_{i+s+1}) \equiv y \pmod{p} \mid icv(M, b, p, z_i, z_{i+1}, \dots, z_{i+s+1}) \equiv g \pmod{p}] \le$ (3)
Figure imgf000012_0002
Proof: Expanding the left hand side of the inequality above,
$$\mathrm{Probability}[icv(M', b, p, z_i, z_{i+1}, \dots, z_{i+s+1}) \equiv y \pmod{p} \mid icv(M, b, p, z_i, z_{i+1}, \dots, z_{i+s+1}) \equiv g \pmod{p}]$$
$$= \mathrm{Probability}[icv(M, b, p, z_i, z_{i+1}, \dots, z_{i+s+1}) - icv(M', b, p, z_i, z_{i+1}, \dots, z_{i+s+1}) \equiv g - y \pmod{p} \mid icv(M, b, p, z_i, z_{i+1}, \dots, z_{i+s+1}) \equiv g \pmod{p}].$$
However,
$$icv(M, b, p, z_i, z_{i+1}, \dots, z_{i+s+1}) - icv(M', b, p, z_i, z_{i+1}, \dots, z_{i+s+1}) \equiv (f(M_0, z_i) + f(M_1, z_{i+1}) + \dots + f(M_s, z_{i+s}) - f(M'_0, z_i) - f(M'_1, z_{i+1}) - \dots - f(M'_s, z_{i+s})) \pmod{p}$$
is independent of $z_{i+s+1}$, while $icv(M, b, p, z_i, z_{i+1}, \dots, z_{i+s+1}) \equiv g \pmod{p}$ if and only if
$$z_{i+s+1} \equiv (g - f(M_0, z_i) - f(M_1, z_{i+1}) - \dots - f(M_s, z_{i+s})) \pmod{p}.$$
Thus the events described in the conditional probability of (3) are independent and so the left hand side of (3) is equal to
$$\mathrm{Probability}[icv(M, b, p, z_i, z_{i+1}, \dots, z_{i+s+1}) - icv(M', b, p, z_i, z_{i+1}, \dots, z_{i+s+1}) \equiv (g - y) \pmod{p}].$$
The result now follows by Corollary 1.
Assume that the stream cipher produces outputs that are independent and uniformly distributed random variables in the range 0 to $2^w-1$. It follows from Corollary 2 that if any message and its integrity check value were to be altered in transit (the message being altered in at least one bit position), the new message and integrity check value would register as valid by the receiver with probability at most $b/2^w$. Thus we refer to $\log_2(2^w/b)$ as the effective icv size. As an example, with a word size $w$ of 32 bits and a block size $b$ of 20 the resulting effective icv size is approximately 28. Note that the effective icv size indicates the strength of the integrity method used with an idealised stream cipher (with outputs that are uniformly distributed independent random variables). For this to be a meaningful indicator of integrity strength with a practical deterministic stream cipher, however, clearly the stream cipher key size must be at least as large as the effective icv size. In this case if there is some way of altering or substituting message-icv pairs that goes undetected with a probability of more than $b/2^w$ then this implies some corresponding level of predictability in the stream cipher output.
Figure 1 illustrates a flow chart of the preferred method of generating an integrity check value (icv) or message authentication code (mac). The flow chart 2 begins with an initialisation step 4 in which the icv and indices j and k are initialised such that icv = 0, j = 0 and k = i, where i is the initial state of the stream cipher with output z. In order to determine the icv for a given message according to equations (1) and (2), the flow chart 2 is structured into a dual loop iterative process, wherein steps 6, 8, 12 and 18 are used for the calculation of the non-linear function y (equation (2)) whilst steps 16, 20 and 22 perform the steps necessary for the calculation of the icv according to equation (1). Step 6 acts as an initialisation step for the non-linear function value y, such that the first iteration of steps 8 and 12 is effective to calculate the first term of equation (2) (i.e. $n_0x$). For each iteration of steps 8 and 12 successive integer values of the message are input from the message stream 10 and values of the stream cipher are input from cipher stream 14 according to the message block counter index k. Following each iteration of step 12 the index j is incremented by one, and a test of the value of index j is applied at step 16 to determine whether or not the last unit of the message has been processed. Where there remain message units left to process, the procedure continues to step 18 where a test is applied to index j to determine whether or not the end of a message block has been reached. If j+1 is an integer divisor of block size b at step 18, this indicates that the beginning of a new message block has been reached, and the procedure continues to step 20 where the icv is incremented by the value of the non-linear function y. The block counter index k is incremented following step 20, and the procedure passes to step 6 where the non-linear function y is reset.
Where the beginning of a message block has not been reached at step 18 the procedure returns to step 8, so as to perform a further iteration of steps 8, 12 and 16. When the end of the message has been reached, as indicated by the result at step 16, the block counter index k is again incremented and the icv is totalled together with the final stream cipher value zk (step 22). Utilising this method allows the icv to be calculated in a serial manner, which is consistent with the continuous output form of the message stream and cipher stream.
The following describes a modification of the above described integrity system, to enable the effective icv size to be increased by any required factor $h$. As above, a message string $M = (m_0, m_1, \dots)$ is divided into blocks $M_0, M_1, \dots, M_s$ each containing at most $b$ integers. The stream cipher is used to generate $h(s+2)$ outputs $z_i, z_{i+1}, z_{i+2}, \dots, z_{i+h(s+2)-1}$. Then the integrity check value $icv_h$ is defined as a sequence of $h$ integers between 0 and $p$ calculated according to:
$$icv_h(M, b, p, z_i, z_{i+1}, \dots, z_{i+h(s+2)-1})$$
$$= (f(M_0, z_i) + f(M_1, z_{i+1}) + \dots + f(M_s, z_{i+s}) + z_{i+s+1})[p],$$
$$(f(M_0, z_{i+s+2}) + f(M_1, z_{i+s+3}) + \dots + f(M_s, z_{i+2s+2}) + z_{i+2s+3})[p],$$
$$\dots,$$
$$(f(M_0, z_{i+(h-1)(s+2)}) + f(M_1, z_{i+(h-1)(s+2)+1}) + \dots + f(M_s, z_{i+h(s+2)-2}) + z_{i+h(s+2)-1})[p]$$
where the function $f$ is given by (2). This provides an icv of length hp with an effective icv size of log2
Figure imgf000015_0001
Thus, for example, if $b = 20$, $w = 32$, $h = 4$ then the effective icv size is $4(32 - \log_2 20) \approx 110.7$.
To provide both integrity and encryption the cipher stream can be used to provide input to the integrity calculation as well as output to be used for message encryption. In order to prevent the integrity mechanism from being undermined by a known plain text attack it is important that cipher stream output that is used in icv calculations by the receiver never be used for message encryption by the sender. Otherwise a known plaintext attack combined with altering the synchronisation of the cipher stream may succeed in making the receiver use cipher data in icv calculations which is known to an attacker. To overcome this problem an integer d (< b) is chosen such that only those zi for which i is a multiple of d are used in the icv calculation, the remaining zi being used for encryption. This technique is illustrated in the example below.
Example 2: As in Example 1 let $w = 32$, $p = 2^{32}+15$, $d = 10$, $b = 20$, $M = (m_0, m_1, \dots, m_{108})$ and the cipher be in state 56. To apply integrity and confidentiality the cipher is used to generate 121 outputs $z_{56}, z_{57}, z_{58}, \dots, z_{176}$, and the icv is calculated as $icv(M, 20, 2^{32}+15, z_{60}, z_{70}, \dots, z_{120})$, where the icv function is defined by (1) and (2). The transmitted message is
$$(m_0 + z_{56})[2^{32}],\ (m_1 + z_{57})[2^{32}],\ \dots,\ (m_4 + z_{61})[2^{32}],\ \dots,\ (m_{108} + z_{176})[2^{32}],\ icv.$$
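An added example, not part of the patent text: equations (1) and (2) and the Example 2 interleaving in Python, with a brute-force count of the roots that the Theorem's proof bounds by b. The keystream function `z` is a SHA-256 stand-in, and the names `schedule`, `seal`, `unseal` and `colliding_x`, the sample key and the sample message are assumptions, since the patent names no particular cipher or interface.

```python
import hashlib
import hmac

W, P, B, D = 32, 2**32 + 15, 20, 10   # w, p, b, d as in Examples 1 and 2

def z(key, i, w=W):
    """Stand-in cipher word z_i (assumption, not the patent's cipher): SHA-256(key || i), top w bits."""
    digest = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - w)

def f(block, x, p=P):
    """Equation (2) by Horner's rule: (...((n0*x + n1)*x + n2)*x + ... + nr)*x mod p."""
    acc = 0
    for n in block:
        acc = (acc + n) * x % p
    return acc

def icv(msg, zs, b=B, p=P):
    """Equation (1): one cipher word per block of at most b units, plus one final added word."""
    blocks = [msg[j:j + b] for j in range(0, len(msg), b)]
    if len(zs) != len(blocks) + 1:
        raise ValueError("need one cipher word per block plus one")
    return (sum(f(blk, x, p) for blk, x in zip(blocks, zs)) + zs[-1]) % p

def schedule(n_words, state, b=B, d=D):
    """Example 2 split of cipher indices: multiples of d feed the icv, the rest encrypt."""
    need = -(-n_words // b) + 1            # number of blocks + 1, i.e. s + 2
    enc, mac, i = [], [], state
    while len(enc) < n_words or len(mac) < need:
        if i % d == 0:
            if len(mac) < need:
                mac.append(i)              # never reused for encryption
        elif len(enc) < n_words:
            enc.append(i)
        i += 1
    return enc, mac

def seal(key, msg, state):
    """Sender: encrypt each word modulo 2^w and compute the icv over the plaintext."""
    enc, mac = schedule(len(msg), state)
    tag = icv(msg, [z(key, i) for i in mac])
    return [(m + z(key, i)) % 2**W for m, i in zip(msg, enc)], tag

def unseal(key, ct, tag, state):
    """Receiver: decrypt, recompute the icv, and release the message only if it matches."""
    enc, mac = schedule(len(ct), state)
    msg = [(c - z(key, i)) % 2**W for c, i in zip(ct, enc)]
    expected = icv(msg, [z(key, i) for i in mac])
    if not 0 <= tag < P:
        return None
    same = hmac.compare_digest(expected.to_bytes(5, "big"), tag.to_bytes(5, "big"))
    return msg if same else None

def colliding_x(m1, m2, y, w, p):
    """Count x in [0, 2^w) with f(m1, x) - f(m2, x) == y (mod p); the Theorem's proof caps this at b."""
    return sum((f(m1, x, p) - f(m2, x, p) - y) % p == 0 for x in range(2**w))

if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample key
    msg = list(range(109))                 # constructed 109-word message, as in Example 2
    ct, tag = seal(key, msg, state=56)
    print("round trip ok:", unseal(key, ct, tag, 56) == msg)
    ct[50] ^= 1                            # alter one ciphertext word in transit
    print("altered message accepted:", unseal(key, ct, tag, 56) is not None)
    worst = max(colliding_x([1, 2, 3, 4], [4, 3, 2, 1], y, 8, 257) for y in range(257))
    print("max colliding x for b = 4:", worst)
```

The root count uses the small parameters w = 8 and p = 257 so that every x can be enumerated; with w = 32 the same bound gives the b/2^w figure quoted in the text.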
Figure 2 illustrates a simple block diagram of an encryption and integrity system which may be utilised to implement the method described above. Message data $m_j$ is output from a message source 26, which message data is passed to both an encryption processor 30 and a message authentication code generator 32. A cipher stream generator 28 outputs stream cipher data $z_i$, which also passes to both the encryption processor 30 and mac generator 32. The encryption processor 30 acts to combine the message and cipher stream data so as to encrypt the message for transmission thereof. Meanwhile, the mac generator 32 produces an integrity check value, as described above, utilising the same message data but only one out of every d cipher stream outputs, the other d-1 cipher stream outputs being utilised for encryption by the encryption processor 30. The encrypted message $m'_j$ and the icv are passed to a transmission source 34 whereat the icv is appended to the encrypted message for transmission on an output 36. The foregoing detailed description has been put forward merely by way of explanation only, and is not intended to be limiting to the invention, which is defined in the claims appended hereto.
GLOSSARY
Z = pseudo-random cipher stream sequence of cipher strings $z_i$
$z_i$ = cipher string word of $w$ bits (i.e. an integer in the range 1 to $(2^w-1)$)
M = digital message
= $(m_0, m_1, m_2, \dots)$ sequence of integer words in the range 0 to $(2^w-1)$
= $(M_0, M_1, \dots, M_s)$ sequence of message blocks of length $b$, such that message length $L \le (s+1)b$, where:
$M_0 = m_0, m_1, \dots, m_{b-1}$
$M_j = m_{bj}, m_{bj+1}, \dots, m_{b(j+1)-1}$
$M_s = m_{bs}, m_{bs+1}, \dots, m_{bs+t}$ for $t \le (b-1)$
icv = integrity check value
$t[u] = t \pmod{u}$
$p = 2^w + k$ ($k$ small) such that $p$ is prime
$f(N,x) = (n_0x^{r+1} + n_1x^{r} + n_2x^{r-1} + \dots + n_rx)[p]$
$= (\dots((n_0x + n_1)x + n_2)x + \dots + n_r)x\,[p]$
for $N = n_0, n_1, n_2, \dots, n_r$ and integer word $x$
$icv(M, b, p, Z) = (f(M_0, z_i) + f(M_1, z_{i+1}) + \dots + f(M_s, z_{i+s}) + z_{i+s+1})[p]$

Claims

CLAIMS:
1. A method for generating a message authentication code for a digital message in a telecommunications or computer system comprising:
generating a sequence of pseudo random cipher strings; and
generating a message authentication code by performing modular arithmetic to a prime modulus including multiplication of the digital message by a first said cipher string and addition of a second said cipher string.
2. A method as claimed in claim 1, wherein the message comprises a sequence of message units which are multiplied by respective powers of said first cipher string in generating the message authentication code.
3. A method as claimed in claim 1, wherein the message comprises a sequence of message blocks which are each multiplied by respective different first cipher strings in generating the message authentication code.
4. A method as claimed in claim 2, wherein the message comprises a sequence of message blocks each comprising a said sequence of message units, each sequence of message units being multiplied by respective different said first cipher strings and summed with said second cipher string to form the message authentication code.
5. A method as claimed in any preceding claim wherein a plurality of message authentication codes are generated for the same message but utilising different cipher strings, and the plurality of message authentication codes combined or concatenated to form a further message authentication code.
6. A method for generating a message authentication code in a telecommunications or computer system for a digital message which comprises a sequence of message blocks each comprising a sequence of message units, including the steps of:
generating a sequence of pseudo random cipher strings;
generating a non-linear function value for each message block by summing the constituent message units multiplied by respective values derived from said cipher string sequence; and
generating the message authentication code by summing the non-linear function values with a said cipher string sequence value to a prime modulus.
7. A method as claimed in claim 6, wherein the message units are multiplied by respective powers of a said cipher string sequence value.
8. A method as claimed in claim 6, wherein in generating each non-linear function value the message units are multiplied by respective powers of a said cipher stream sequence value, a different sequence value being utilised for each non-linear function value.
9. A method as claimed in claim 8, wherein the cipher string sequence value summed with the non-linear function values to generate the message authentication code is a different sequence value from the cipher strings used to generate the non-linear function values.
10. A method as claimed in any one of claims 6 to 9, wherein the non-linear function values, f, are generated according to: f (M,zi) = mxzi r-x (mod p)
Figure imgf000019_0001
where M is a message block comprising r message units mx (x=0,1,.... ,r), and zi are said cipher string sequence values.
11. A method for generating a message authentication code in a telecommunications or computer system for a digital message M which comprises a sequence of message units mj for j=0, 1, ..., r, comprising the steps of:
generating a sequence of pseudo random cipher strings zi;
determining a non-linear function value f according to f (M,zi) = mxzi r-x (mod p); and
Figure imgf000020_0001
generating the message authentication code Q modulus p, where p is prime, according to
Q = (f(M,zi) + zi+1) (mod p)
12. A method as claimed in claim 11, wherein the message is composed of a sequence of message blocks Mk which each comprise a said sequence of message units, and wherein the message authentication code Q, modulus p, is generated according to:
Q = f (Mx, zi+x) + zi+k+1 (mod p)
Figure imgf000020_0002
Figure imgf000020_0003
13. A method for generating a message authentication code in a telecommunications or computer system for a digital message M which comprises a sequence of message units mj for j=0, 1, ..., r, comprising the steps of:
generating a sequence of pseudo random cipher strings Zi;
determining a non-linear function value f according to f(M,z) = mxzx (mod p); and
Figure imgf000020_0004
generating the message authentication code Q modulus p, where p is prime, according to
Q = (f(M,z) + zr+1) (mod p)
14. A method for generating a message authentication code in a telecommunications or computer system for a digital message M which comprises a sequence of message blocks Mj for j=0, 1, ..., s, each message block comprising a sequence of b message units mjk for k=0, 1, ..., b-1, comprising the steps of:
generating a sequence of cipher strings zi, zi+1, zi+2,..., zi+s +1; determining a non-linear function value f for each message block according to (f(Mj,zi) = mjx zj x (mod p); and
Figure imgf000021_0001
generating the message authentication code Q modulus p, where p is prime, according to
Q(M,zi) = (f(Mj,zi+x) + zi+s+1) (mod p).
Figure imgf000021_0002
15. A method as claimed in claim 14, including the step of increasing the effective code size of the message authentication code by a factor of h by generating a modified message authentication code Q' according to: Q' = Q(M,zi) | Q(M,zi+s+2) | Q(M,zi+2s+4)
.... | Q(M,zi+(h-1)s+2) (mod p)
where | represents concatenation.
16. A method as claimed in any one of claims 1, 6, 11, 13 or 14 wherein the sequence of cipher strings comprises a subset selection of cipher string values from a cipher stream.
17. A method as claimed in claim 16 wherein the remaining cipher string values from the cipher stream are utilised for encrypting the message and/or the message authentication code.
18. A method for encoding a digital message comprising generating a sequence of cipher strings, generating a message authentication code according to any one of claims 1, 6, 11, 13 or 14, enciphering the message by combining at least one said cipher string therewith, the at least one cipher string being distinct from the cipher strings utilised for generating the message authentication code, and appending the message authentication code to the enciphered message.
19. Apparatus for generating a message authentication code for a digital message composed of a sequence of message blocks, comprising:
a stream cipher for generating a sequence of pseudo-random cipher strings; and computation means for generating a non-linear function value for each message block by combining each message block with at least one said cipher string by way of modular arithmetic to a prime modulus, and generating a message authentication code by summing the non-linear function values together with at least one further said cipher string.
20. Apparatus according to claim 19, including:
encryption means for encrypting the message by utilising sequence values of said pseudo-random cipher string sequence which are distinct from the sequence values used to generate the message authentication code; and
means for appending the message authentication code to the encrypted message for transmission thereof.
PCT/AU1994/000101 1993-03-05 1994-03-04 A method and apparatus for generating a digital message authentication code WO1994021066A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU62556/94A AU683646B2 (en) 1993-03-05 1994-03-04 A method and apparatus for generating a digital message authentication code

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AUPL7714 1993-03-05
AUPL771493 1993-03-05

Publications (1)

Publication Number Publication Date
WO1994021066A1 true WO1994021066A1 (en) 1994-09-15

Family

ID=3776758

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU1994/000101 WO1994021066A1 (en) 1993-03-05 1994-03-04 A method and apparatus for generating a digital message authentication code

Country Status (1)

Country Link
WO (1) WO1994021066A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3657476A (en) * 1970-01-23 1972-04-18 Howard H Aiken Cryptography
US4972474A (en) * 1989-05-01 1990-11-20 Cylink Corporation Integer encryptor
US5146500A (en) * 1991-03-14 1992-09-08 Omnisec A.G. Public key cryptographic system using elliptic curves over rings

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7188361B1 (en) 1996-10-01 2007-03-06 Deutsche Telekom Ag Method of transmitting signals
WO1998015085A1 (en) * 1996-10-01 1998-04-09 Deutsche Telecom Ag Signal transmission process
WO2000069206A1 (en) * 1999-05-11 2000-11-16 Nokia Corporation Integrity protection method for radio network signaling
US7246242B1 (en) 1999-05-11 2007-07-17 Nokia Corporation Integrity protection method for radio network signaling
US7571320B2 (en) * 1999-11-22 2009-08-04 Intel Corporation Circuit and method for providing secure communications between devices
US6941461B2 (en) * 2000-05-12 2005-09-06 International Business Machines Corporation System and method of uniquely authenticating each replication of a group of soft-copy documents
US7072868B2 (en) * 2003-02-20 2006-07-04 First Data Corporation Methods and systems for negotiable-instrument fraud prevention
US9123044B2 (en) 2007-01-17 2015-09-01 The Western Union Company Generation systems and methods for transaction identifiers having biometric keys associated therewith
US7933835B2 (en) 2007-01-17 2011-04-26 The Western Union Company Secure money transfer systems and methods using biometric keys associated therewith
US8818904B2 (en) 2007-01-17 2014-08-26 The Western Union Company Generation systems and methods for transaction identifiers having biometric keys associated therewith
US8504473B2 (en) 2007-03-28 2013-08-06 The Western Union Company Money transfer system and messaging system
US10311410B2 (en) 2007-03-28 2019-06-04 The Western Union Company Money transfer system and messaging system
DE102016219926A1 (en) * 2016-10-13 2018-04-19 Siemens Aktiengesellschaft Method, sender and receiver for authentication and integrity protection of message content
CN110089068A (en) * 2016-10-13 2019-08-02 西门子股份公司 For authenticating and the method for integrity protected message's content, transmitters and receivers
CN110089068B (en) * 2016-10-13 2020-10-30 西门子股份公司 Method, sender and receiver for authenticating and integrity protecting message content
EP3501136B1 (en) * 2016-10-13 2021-06-23 Siemens Aktiengesellschaft Method, transmitter, and receiver for authenticating and protecting the integrity of message contents
US11288400B2 (en) 2016-10-13 2022-03-29 Siemens Aktiengesellschaft Method, transmitter, and receiver for authenticating and protecting the integrity of message contents
JP2019016987A (en) * 2017-07-10 2019-01-31 Necソリューションイノベータ株式会社 Communication system, management device, terminal device, communication method, and program
CN112887079A (en) * 2021-03-11 2021-06-01 中国石油大学(华东) Transformation encryption algorithm based on generation of random bit sequence

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AT AU BB BG BR BY CA CH CN CZ DE DK ES FI GB GE HU JP KG KP KR KZ LK LU LV MD MG MN MW NL NO NZ PL PT RO RU SD SE SI SK TJ UA US UZ VN

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): AT BE CH DE DK ES FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: CA