Abstract |
<p>The object is to construct an efficient message authentication scheme that uses a block cipher, has a short key length, and has theoretical security beyond the birthday bound. A message authentication device fixes one input bit of an n-bit block cipher, compresses the message using the (n-1)-bit block cipher obtained by shortening the output by one bit, and computes the sum of the result and a mask random number to produce a tag. The device generates the mask random number from the block cipher using the same key as for the message, but a counter value is supplied as input in such a way that the block cipher input generated for the mask never collides with any block cipher input generated by the compression processing. This secures the same beyond-birthday-bound security as the Wegman-Carter-Shoup construction. Further, as the message compression scheme, the PHASH compression processing applied to CBC or PMAC can be used.</p> |
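The structure described in the abstract, sketched as an added example that is not taken from the patent: a CBC-style compression whose cipher inputs always have the fixed bit set to 0, and a counter-derived mask whose cipher input always has it set to 1, both under one key. Assumptions: n = 128, HMAC-SHA256 truncated to n bits stands in for the block cipher, the top bit is the one fixed on input and dropped on output, 15-byte message blocks with 10* padding, XOR as the sum, and all function names.

```python
import hashlib
import hmac

N = 128                      # block size n in bits
TOP = 1 << (N - 1)           # the single fixed input bit (assumed: the top bit)
LOW = TOP - 1                # selects the remaining n-1 bits
BLK = 15                     # message bytes absorbed per cipher call (assumption)
_calls = []                  # records every n-bit cipher input for inspection

def E(key: bytes, x: int) -> int:
    """Stand-in for the n-bit block cipher (assumption: truncated HMAC-SHA256)."""
    _calls.append(x)
    d = hmac.new(key, x.to_bytes(N // 8, "big"), hashlib.sha256).digest()
    return int.from_bytes(d[:N // 8], "big")

def compress(key: bytes, msg: bytes) -> int:
    """CBC-style chaining: fixed bit 0 on input, output shortened to n-1 bits."""
    data = msg + b"\x80"                       # injective 10* padding
    data += b"\x00" * (-len(data) % BLK)
    state = 0
    for i in range(0, len(data), BLK):
        block = int.from_bytes(data[i:i + BLK], "big")
        state = E(key, (state ^ block) & LOW) & LOW
    return state

def mask(key: bytes, counter: int) -> int:
    """Mask from the same key; fixed bit 1 keeps it apart from compression."""
    if not 0 <= counter <= LOW:
        raise ValueError("counter must fit in n-1 bits")
    return E(key, TOP | counter) & LOW

def make_tag(key: bytes, counter: int, msg: bytes) -> int:
    # The counter must never repeat under one key, as in any Wegman-Carter MAC.
    return compress(key, msg) ^ mask(key, counter)

def verify(key: bytes, counter: int, msg: bytes, tag: int) -> bool:
    if not 0 <= tag <= LOW:
        return False
    expected = make_tag(key, counter, msg).to_bytes(N // 8, "big")
    return hmac.compare_digest(expected, tag.to_bytes(N // 8, "big"))

def cipher_inputs(key: bytes, counter: int, msg: bytes):
    """Return (compression inputs, mask input) seen by E for one tag."""
    _calls.clear()
    make_tag(key, counter, msg)
    return _calls[:-1], _calls[-1]
```

A production version would replace `E` with a real block cipher such as AES; the stand-in only keeps the sketch runnable with the standard library.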