Analysis and Improvement of an Authentication Scheme in Incremental Cryptography

  • Louiza Khati
  • Damien Vergnaud
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11349)


Introduced in cryptography by Bellare, Goldreich and Goldwasser in 1994, incrementality is an attractive feature that enables to update efficiently a cryptographic output like a ciphertext, a signature or an authentication tag after modifying the corresponding input. This property is very valuable in large scale systems where gigabytes of data are continuously processed (e.g. in cloud storage). Adding cryptographic operations on such systems can decrease dramatically their performance and incrementality is an interesting solution to have security at a reduced cost.

We focus on the so-called XOR-scheme, the first incremental authentication construction proposed by Bellare, Goldreich and Goldwasser, and the only strongly incremental scheme (i.e. incremental regarding insert and delete update operations at any position in a document). Surprisingly, we found a simple attack on this construction that breaks the basic security claimed by the authors in 1994 with only one authentication query (not necessarily chosen). Our analysis gives different ways to fix the scheme; some of these patches are discussed in this paper and we provide a security proof for one of them.



The authors are supported in part by the French ANR ALAMBIC Project (ANR-16-CE39-0006). The authors thank Mihir Bellare for helpful discussions and for pointing out references.


  1. 1.
    Atighehchi, K.: Space-efficient, byte-wise incremental and perfectly private encryption schemes. Cryptology ePrint Archive, Report 2014/104 (2014).
  2. 2.
    Atighehchi, K., Muntean, T.: Towards fully incremental cryptographic schemes. In: Chen, K., Xie, Q., Qiu, W., Li, N., Tzeng, W.G. (eds.) ASIACCS 2013, 8–10 May 2013, pp. 505–510. ACM Press, Hangzhou (2013)Google Scholar
  3. 3.
    Bellare, M., Goldreich, O., Goldwasser, S.: Incremental cryptography: the case of hashing and Signing. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 216–233. Springer, Heidelberg (1994). Scholar
  4. 4.
    Bellare, M., Goldreich, O., Goldwasser, S.: Incremental cryptography and application to virus protection. In: 27th ACM STOC, 29 May–1 June 1995, pp. 45–56. ACM Press, Las Vegas (1995)Google Scholar
  5. 5.
    Bellare, M., Guérin, R., Rogaway, P.: XOR MACs: new methods for message authentication using finite pseudorandom functions. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 15–28. Springer, Heidelberg (1995). Scholar
  6. 6.
    Bellare, M., Micciancio, D.: A new paradigm for collision-free hashing: incrementality at reduced cost. Cryptology ePrint Archive, Report 1997/001 (1997).
  7. 7.
    Bershad, B.N., Mogul, J.C. (eds.): 7th Symposium on Operating Systems Design and Implementation (OSDI 2006), 6–8 November, Seattle, WA, USA. USENIX Association (2006).[0]=im$_$group$_$audience3A137
  8. 8.
    Buonanno, E., Katz, J., Yung, M.: Incremental unforgeable encryption. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 109–124. Springer, Heidelberg (2002). Scholar
  9. 9.
    Fischlin, M.: Lower bounds for the signature size of incremental schemes. In: 38th FOCS, 19–22 October 1997, pp. 438–447. IEEE Computer Society Press, Miami Beach (1997)Google Scholar
  10. 10.
    Gantz, J., Reinsel, D.: The digital universe in 2010: big data, bigger digital shadows, and biggest growth in the far east. EMC report (2013).
  11. 11.
    Goi, B.M., Siddiqi, M.U., Chuah, H.T.: Incremental hash function based on pair chaining & modular arithmetic combining. In: Rangan, C.P., Ding, C. (eds.) Progress in Cryptology – INDOCRYPT 2001, vol. 2247, pp. 50–61. Springer, Heidelberg (2001). Scholar
  12. 12.
    Hart, J.K., Martinez, K.: Environmental sensor networks: a revolution in the earth system science? Earth-Sci. Rev. 78(3), 177–191 (2006). Scholar
  13. 13.
    Itani, W., Kayssi, A.I., Chehab, A.: Energy-efficient incremental integrity for securing storage in mobile cloud computing. In: 2010 International Conference on Energy Aware Computing, pp. 1–2 (2010)Google Scholar
  14. 14.
    Micciancio, D.: Oblivious data structures: applications to cryptography. In: 29th ACM STOC, 4–6 May 1997, pp. 456–464. ACM Press, El Paso (1997)Google Scholar
  15. 15.
    Mihajloska, H., Gligoroski, D., Samardjiska, S.: Reviving the idea of incremental cryptography for the zettabyte era use case: incremental hash functions based on SHA-3. Cryptology ePrint Archive, Report 2015/1028 (2015).
  16. 16.
    Mironov, I., Pandey, O., Reingold, O., Segev, G.: Incremental deterministic public-key encryption. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 628–644. Springer, Heidelberg (2012). Scholar
  17. 17.
    Phan, R.C., Wagner, D.A.: Security considerations for incremental hash functions based on pair block chaining. Comput. Secur. 25(2), 131–136 (2006). Scholar
  18. 18.
    Sasaki, Y., Yasuda, K.: A new mode of operation for incremental authenticated encryption with associated data. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 397–416. Springer, Cham (2016). Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Département d’informatique de l’ENS, École normale supérieure, CNRS, PSL Research UniversityParisFrance
  2. 2.ANSSIParisFrance
  3. 3.Sorbonne Université, CNRS, Laboratoire d’Informatique de Paris 6, LIP6ParisFrance
  4. 4.Institut Universitaire de FranceParisFrance

Personalised recommendations