1 Introduction

Bellare, Goldreich and Goldwasser initiate the study on incremental cryptography in [3] and then refined it in [4]. Cryptographic incremental constructions are meant to provide efficient updates compared to classical algorithms. Usually, the result of a cryptographic algorithm (such as encryption or authentication) over a document has to be re-computed entirely if any change is applied to the document (and this regardless of the modification size). Incremental cryptography enables to update a signature, a message authentication code (MAC) or a ciphertext in time proportional to the number of modifications applied to the corresponding document. This attractive feature leads to build many incremental cryptographic primitives such as encryption schemes [1, 2, 4], signature [3, 9, 16], MACs [4, 9, 14], hash functions [6, 11] and authenticated encryption constructions [2, 8, 18].

An algorithm is incremental regarding specific update operations such as inserting, deleting or replacing a data block inside a document. A desirable incremental algorithm should support all these operations for any positions: it should be possible to insert, delete or replace a data block of the document for all positions without breaking the security of the cryptographic algorithm. Most known algorithms only support replacement of data blocks and the algorithms that support insertion, deletion and replacementFootnote 1 are deemed strongly incremental.

Virus protection is the first application of incremental cryptography quoted in the seminal paper [3]. They consider the usage scenario where processor accesses files on a remote host and a virus can alter these files. A simple idea is to compute authentication tags for all files with a key stored securely by the processor and any modification by a virus will be detected by verifying the corresponding tag. Knowing that these files will be updated often enough, using an incremental authentication algorithm preserves the processor by performing a lighter computation.

Bellare et al. also introduced in [3] the corresponding security notions. In the basic security model, the adversary can obtain a valid authentication tag for any message it wanted (as in classical MAC security) and it can also update (with the supported update operations) valid pairs message/tag. This is a first security level but it is reasonable to consider a stronger adversary that can alter files and tags before applying update operations; it corresponds to the tamper-proof security notion introduced in [3].

Nowadays this use case can be extended to the “digital world”. Large amount of data [10, 15] are processed every day by different services like cloud services, distributed networks and distributed storage. It is clear that all these data require integrity and/or privacy at a low computational cost otherwise going through gigabytes of data for minor changes without incremental primitives is really demanding in term of time and energy. A concrete example is the Cloud Bigtable by Google [7] that stores petabytes of data across thousands of commodity servers. This Bigtable has a particular data structure that links a unique index number to each block. In this case an incremental hashing that supports replacement and insertion operations is suitable as mentioned in [15]. A more critical usage is storage services in mobile cloud computing where a mobile client device is in addition limited in term of energy consumption. To solve this issue, Itani, Kayssi and Chehab provide an energy-efficient protocol in [13] that guarantee data integrity based on incremental MACs. Another use case is sensor networks and more specifically environmental sensors [12, 15]: several sensors are deployed at different physical positions and they record continuously data. At some point, all the data ends up in a big public database that has to be publicly checkable. The database is updated (insertion operation mainly) at a high frequency and if the hash value over all the database is entirely re-computed for each insertion it will be very consuming. All these use cases are examples among many others. Incremental cryptography is clearly an area to explore to solve practical issues.

For now incrementality is mainly investigated for hashing and signing even if it was also considered for encryption in [2, 3]. It is not surprising regarding all the practical use cases that need incremental authenticated constructions. Recently, the CAESARFootnote 2 competition stimulates research on authenticated encryption algorithm. Sasaki and Yasuda analysed several candidates and found that none of them performs incrementality. That is why they designed their own authenticated encryption mode with associated data [18] based on existing constructions. This new mode is incremental for the replace, insert and delete operations, but the insert and delete operations of this mode concern only the last block of the authenticated data or the last block of the message (and it remains open to design a strongly incremental authenticated encryption algorithm).

Actually, as far as we know, the only authentication scheme that is strongly incremental is the XOR-scheme designed by Bellare, Goldreich and Goldwasser in [4] (cf. Fig. 2). This strong property comes with a cost: only basic security is claimed in [3] and this algorithm needs to generate and store a lot of randomness. The MAC operation generates a random value for each data block and these random values are necessary for the verification and the update operations. The XOR-scheme is based on a pseudo-random function (PRF) and a pseudo-random permutation (PRP) and the incremental algorithms for (single block) insert and delete operations require only two applications of the underlying PRF and two applications of the underlying PRP. The XOR-scheme relies on the concept of pair block chaining (which was later used in [11] which involves taking each pair of two consecutive blocks of a message and feeding them into a pseudo-random function before chaining all the outputs of the PRF into the final hash. This scheme extends another scheme, called the randomized XOR-scheme, from [5] which is incremental only for replacement. Even if they share a similar name, these two algorithms are different: the randomized XOR-scheme is not based on a pair block chaining structure and requires actually much less randomness. To distinguish the two schemes, in this paper, we will call this second scheme the unchained XOR-scheme.

An analysis on some incremental hash functions was provided by Phan and Wagner [17]. They give, inter alia, patterns that could give collisions on a hash function based on pair block chaining. Two cases are of interest for the XOR-scheme: non-distinct blocks and cycling chaining. The first one considers repeated blocks messages like \(A ||B ||C ||B ||A \) and \(B ||C ||B ||A ||B\) that would have the same sum value if no randomness was used (cf. Fig. 2) but as underlined by the authors the random values appended to each message block prevents these repetitions. The second one considers a variant of the XOR-scheme [11] where the first and the last block are chained then some repeated patters like \(A ||B ||A \) and \( B ||A ||B\) would have the same sum value but it not the case in the original version from [4]. Therefore, in the present state-of-the-art, no attacks are known against the original strongly incremental XOR-scheme proposed in [4].

1.1 Contributions of the Paper

In this paper, we analyse the security of the original XOR-scheme construction proposed by Bellare, Goldreich and Goldwasser in [4] and based on a chained structure as defined in [3].

Attacks. We provide an attack that breaks the XOR-scheme basic security claimed by the authorsFootnote 3. It succeeds with probability 1 using only one MAC query. It takes advantage of the chaining structure of this scheme and some xor function properties. This attack is very simple and it is surprising that it remained unnoticed until now (especially since the paper [4] appeared in a major computer science conference and was extensively cited since 1994).

Analysis and Patched constructions. We analyse our attack and the original XOR-scheme to find where its security breaks down. We show that the main flaw is that the XOR-scheme does not explicitly take into account the document length and we noticed that adding the number of data block to the construction prevents this kind of attacks. We analyse different ways to patch the scheme by introducing the document block length in the construction and found that the scheme can still be weak for some options.

We propose a modified version of the XOR-scheme and prove its basic security. Our security proof for the patched XOR-scheme uses tool from the unchained XOR-scheme security proof [5].

Organization of the Paper. We introduce some mathematical backgrounds, recall the security models for incremental MAC constructions and we give a detailed description of the XOR-scheme construction in Sect. 2. Then we present a general forgery attack and its analysis in Sect. 3. In Sect. 4, we discuss different solutions to patch efficiently the scheme without making it more complicated neither breaking the structure of the algorithm. We choose one construction and give its detailed description. Its security proof is given in Sect. 5 before the conclusion in Sect. 6.

2 Preliminaries

2.1 Notations

For any integer n, \(\{0,1\}^n\) denotes the set of bit strings of length n and we let \(\{ 0,1\}^*\) denote the set of all finite-length bit strings. For two bit strings X and Y, \(X ||Y\) denotes their concatenation. For a finite set S, we use \(x \xleftarrow {\$}S\) to denote sampling x uniformly at random from S. For \(X \in \{0,1\}^*\), we use \(\vert X \vert \) to denote the bit length of X and \(|X|_\ell \) denotes the number of \(\ell \)-bit block in the bit-string X (and in particular \(\vert X \vert _1 = \vert X \vert \)).

Random functions/Random permutations. The set of all functions \(\{ 0,1\}^{\ell } \rightarrow \{ 0,1\}^{L}\) is denoted \(\mathcal {F}_{\ell ,L}\). A random function \(F\) is a randomly chosen function in \(\mathcal {F}_{\ell ,L}\). The set of all permutations \(\{ 0,1\}^{\ell } \rightarrow \{ 0,1\}^{\ell }\) is denoted \(\mathcal {P}_{\ell }\). A random permutation \(P\) is a randomly chosen permutation in \(\mathcal {P}_{\ell }\).

Pseudo-Random functions/Pseudo-Random permutations. Given a non-empty subset \(\mathcal {K}\), a function family \(F_{k} \): \(\mathcal {K}\times \{ 0,1\}^{\ell } \rightarrow \{ 0,1\}^{L} \), where \(k\in \mathcal {K}\), is a \((t, \epsilon )\)-pseudo-random function (PRF) if for any algorithm \(\mathcal {A} \) running in a time at most t, the following holds:

$$\begin{aligned} |Pr[k\xleftarrow {\$}\mathcal {K}: \mathcal {A} ^{F_{k}(.)}=1]-Pr[F\xleftarrow {\$}\mathcal {F}_{\ell ,L}: \mathcal {A} ^{F(.)}=1]| \le \epsilon . \end{aligned}$$

Given a non-empty subset \(\mathcal {K}\), a permutation family \(P_{k} \): \(\mathcal {K}\times \{ 0,1\}^{L} \rightarrow \{ 0,1\}^{L} \), where \(k\in \mathcal {K}\), is a \((t, \epsilon )\)-pseudo-random permutation (PRP) if for any algorithm \(\mathcal {A} \) running in a time at most t, the following holds:

$$\begin{aligned} |Pr[k\xleftarrow {\$}\mathcal {K}: \mathcal {A} ^{P_{k}(.)}=1]-Pr[F\xleftarrow {\$}\mathcal {F}_{L,L}: \mathcal {A} ^{F(.)}=1]| \le \epsilon . \end{aligned}$$

2.2 Definitions

Syntactic Definition. We begin by describing the syntactic definition of strongly incremental MAC algorithms. In the following, we consider authentication of messages whose length is a multiple of an integer \(b\) (which is usually smaller than the block length of the underlying PRF or PRP) but is obviously possible to handle messages of arbitrary finite length using padding. A document \( D_{ } \in \mathcal {D}\) with \(\mathcal {D}= \bigcup _{i=1}^{\infty } \{0,1\}^{i b}\) is a sequence of \(n\) \( b\)-bit blocks, for some integer \(n \ge 1\) denoted \(D_{ } = (D_{1}, D_{2},\dots , D_{n})\) where \(D_{i}\) is the i-th b-bit block of \(D_{}\).

Definition 1

A strongly incremental MAC scheme is a 5-tuple

$$\varPi = (\mathcal {K},~\mathtt {MAC},~ \mathtt {V},~ \mathtt {I},~ \mathtt {D}) $$

in which:

 

\(\mathcal {K}\) :

is the key space. A key \(k\) is randomly chosen in the key space \(\mathcal {K}\). The key \(k\) is an input for the \(~\mathtt {MAC},~ \mathtt {V},~ \mathtt {I}\) and \(~ \mathtt {D}\) algorithms.

\(\mathtt {MAC}\),:

the MAC algorithm, is a probabilistic algorithm that takes as input the key \(k\), a document \(D_{ } \) and returns an authentication tag \(T\).

\(\mathtt {V}\),:

the verification algorithm, is a deterministic algorithm that takes as input the key \(k\), a document \( D_{ }\) and a tag \(T\) and returns 1 if the tag is valid and 0 otherwise.

\(\mathtt {I}\),:

the incremental insert algorithm, is a probabilistic algorithm that takes as input the key \(k\), the insertion position j, the message block to add \(D_{j}'\), the document \(D_{ } \) and a tag \(T\) to update.

\(\mathtt {D}\),:

the incremental delete algorithm, is a probabilistic algorithm that takes as input the key \(k\), the deletion position j, the document \(D_{ }\) and a tag \(T\) to update.

  with the three following correctness properties:

  • \((\forall k\in \mathcal {K})(\forall n \in \mathbb {N})(\forall D_{} \in \{0,1\}^{nb})(\forall T\in \{ \mathtt {MAC}(k,D_{}) \})(\{ \mathtt {V}(k,D_{,}T) \} = \{1\})\)

  • \((\forall k\in \mathcal {K})(\forall n \in \mathbb {N})(\forall D_{} = (D_{1}, D_{2},\dots , D_{n}) \in \{0,1\}^{nb})(\forall T\in \{ \mathtt {MAC}(k,D_{}) \})\) \((\forall j \in \{1,\dots ,n+1\}) (\forall D_{}^* \in \{0,1\}^{b})(\forall T' \in \{\mathtt {I}(k,j,D_{}^*,D_{},T)\})\) \((\{ \mathtt {V}(k,(D_{1}, \dots , D_{j-1}, D_{}^*, D_{j}, \dots D_{n}),T') \} = \{1\})\)

  • \((\forall k\in \mathcal {K})(\forall n \in \mathbb {N})(\forall D_{} = (D_{1}, D_{2},\dots , D_{n}) \in \{0,1\}^{nb})(\forall T\in \{ \mathtt {MAC}(k,D_{}) \})\) \((\forall j \in \{1,\dots ,n\})(\forall T' \in \{\mathtt {D}(k,j,D_{},T)\})\) \((\{ \mathtt {V}(k,(D_{1}, \dots , D_{j-1}, D_{j+1}, \dots D_{n}),T') \} = \{1\})\)

Remark 1. All these algorithms take as input a key \(k\) and to lighten the notation, in the following, the key \(k\) is put as subscript. For example, the MAC algorithm is simply denoted \(\mathtt {MAC}_{k}(D_{ })\).

Remark 2. In practice, the incremental algorithms \(\mathtt {I}\) and \(\mathtt {D}\) have to be more efficient than re-computing an entire authentication tag \(T\) and cryptographers are looking for scheme where these algorithms are constant-time (i.e. independent of the number of b-bit blocks of the document \(D_{}\)).

Security Model. The adversary \(\mathcal {A} \) is an algorithm (i.e. an oracle probabilistic Turing machine) playing in a computational security game denoted \(G_{\mathtt {MAC}, \mathtt {V}, \mathtt {I}, \mathtt {D}}^{BS}\) (cf. Fig. 1). A key k is picked uniformly at random in the key space of the strongly incremental MAC and the adversary has access to all the following oracles

  • a MAC oracle: the adversary can ask to compute a MAC (for k) on any document of its choice;

  • a verifying oracle: the adversary can ask to verify (for k) the validity of any pair document/authentication tag;

  • an update oracle(s): the adversary can use the incremental operations (for k) on chosen document/authentication tag pairs (in a way depending on the security models as defined below).

At the end of each oracle query (except verification queries), the corresponding authenticated document/authentication tag \((D_{ }, T{})\) is added to a list \(\mathcal {L}\) and the adversary wins the game if it outputs eventually a pair \((D_{ }^\star , T{}^\star ) \notin \mathcal {L}\) that is accepted by the verification algorithm.

Basic Security. As defined in [3], in basic security settings the adversary \(\mathcal {A} \) is not allowed to do incremental operations on a couple (\(D_{ }, T\)) where the verification algorithm \(\mathtt {V}_{k}(D_{ }, T)\) will fail. It can only apply incremental operations on couples \((D_{ }, T)\) that belong to the list \(\mathcal {L}\). As mentioned above, to win the security game, \(\mathcal {A} \) must provide a forgery that is to say a document \(D_{ }^* \) and a tag \(T^*\) such that \(\mathtt {V}_{k}(D_{ }^*, T^*) \) returns 1 and the couple (\(D_{ }^*, T^* \)) is not in the list \(\mathcal {L}\).

Remark 1

The verification \(\mathtt {V}_{k}(D_{ }, T) \) is not applied before incremental operation to check authenticity otherwise the low computational cost is lost. It is simply assumed that \(\mathcal {A} \) does not query incremental operations on altered couples. In this paper, we focus on this basic security notion only.

Definition 2

Let \(\varPi = (\mathcal {K},~ \mathtt {MAC},~ \mathtt {V},~ \mathtt {I},~ \mathtt {D}) \) be a strongly incremental MAC scheme and let \( \mathcal {A} \) be an adversary. Let \(\mathbf {Adv}^{BS}_{A, \varPi }:= \)

$$\begin{aligned} \mathbf {Pr}[k\xleftarrow {\$}\mathcal {K}; \mathcal {L}\leftarrow \{ \}; (D_{ }^*, T^*)\leftarrow \mathcal {A} ^{\mathtt {MAC}^{\mathcal {L}}_{k}, \mathtt {V}^{\mathcal {L}}_{k}, \mathtt {I}^{\mathcal {L}}_{k}, \mathtt {D}^{\mathcal {L}}_{k}}: 1 \leftarrow \mathtt {V}^{\mathcal {L}}_{k}(D_{ }^*, T^*) \wedge (D_{ }^*, T^*) \notin \mathcal {L}] . \end{aligned}$$

\(\varPi \) is \((\lambda ,q_m, q_v, q_{inc}; \epsilon )\)-BS-secure in the basic sense if, for any adversary \(\mathcal {A} \) which runs in time \(\lambda \), making \(q_m\) queries to the \(\mathtt {MAC}\) oracle, \(q_v\) to the \(\mathtt {V}\) oracle and \(q_{inc}\) valid queries to the incremental oracles \((\mathtt {I}, \mathtt {D})\) we have \(\mathbf {Adv}^{BS}_{A, \varPi } < \epsilon \).

Fig. 1.
figure 1

Game defining basic security (BS) for an incremental authentication scheme.

Full size image

Tamper-Proof Security. As defined in [4] tamper-proof security is a stronger security notion since the adversary \(\mathcal {A} \) is allowed to query incremental operation on any couple (\(D_{ }, T\)) even new couples (couples that do not belong to \(\mathcal {L}\)). Then \(\mathcal {A} \) wins the security game if it provides a new couple (\(D_{ }^*, T^* \)) such that \(\mathtt {V}_{k}(D_{ }^*, T^*) \) returns 1. It was already mentioned in [4], that the XOR-scheme does not achieve tamper-proof security and this is also the case of our modified XOR-scheme.

2.3 Description of the XOR-Scheme

The XOR-scheme (\(\mathcal {XS}\)) as defined in [3] is an incremental authenticated algorithm based on pair-wise chaining as shown in Fig. 2. Let \(\ell \) and L be two positive integers and let \(b < \ell \) be some positive integer. The \(\mathcal {XS}\) scheme is based on a pseudo-random function \(F: \mathcal {K}_F\times \{0,1\}^{2\ell } \longrightarrow \{0,1\}^L\) and a pseudo-random permutation \(P: \mathcal {K}_P\times \{0,1\}^L \longrightarrow \{0,1\}^L\). The incremental algorithms for (single block) insert and delete operations require only two applications of the underlying PRF and two applications of the underlying PRP. The \(\mathcal {XS}\) scheme generates an authentication tag for a document D by repeatedly applying the PRF to pairs of blocks – each made of a b-bit data block from the document D and an \(\ell -b\) random block (pick uniformly at random and independently for each block). In the following, for simplicity, we consider only documents whose binary length is a multiple of b and we denote \(\mathcal {D} = (\{0,1\}^b)^*\).

Fig. 2.
figure 2

Description of the XOR-scheme

Full size image

  • The key space \(\mathcal {XS}.\mathcal {K}\) is \(\mathcal {K}_F\times \mathcal {K}_P\) the Cartesian product of the key space of the underlying PRF \(F\) and PRP \(P\).

  • The MAC algorithm \(\mathcal {XS}.\mathtt {MAC}\) takes as input a document \( D_{ } \in \mathcal {D}\) and outputs a tag \( T:= (r_{ }, \tau \)). For each document block \(D_{i} \), an \( (\ell - b)\)-bits block \(r_{ i}\) is randomly generated. The concatenation of these values is denoted \(R_{i}:= D_{i} ||r_{i}\). Each couple (\(R_{i-1} ,R_{i} \)) is processed by the function \(F_{k_1}\) and outputs a value denoted \(h_{i} \) then the bitwise XOR (eXclusive OR) of all the values (denoted \(\varSigma \)) is processed by the permutation \(P_{k_2}\) to give the value \(\tau \).

  • The Verification algorithm \(\mathcal {XS}.\mathtt {V}\) takes as inputs the document \( D_{ }\) and a tag \(T:=(r_{ }, \tau ) \). It re-computes the value \(\tau \) from the inputs \(r_{ }\) and \(D_{ } \). It returns 1 if this value is equal to the input \(\tau \) and 0 otherwise.

  • The Insert operation \(\mathcal {XS}.\mathtt {I}\) enables to insert a block value in a document. It takes as inputs the position \(j\) where the block value has to be inserted, the previous block value \(D_{j-1} \)Footnote 4, the block value \(D_{j} \)Footnote 5, the new block value \(D_{j}'\) and the tag \( T\). It outputs the new tag.

  • The Delete operation \(\mathcal {XS}.\mathtt {D}\) enables to delete a block from the document. It takes as inputs the position \(j\) where the block as to be deleted, the block value to delete \(D_{j} \), the previous and next block values \(D_{j-1} \) and \(D_{j+1} \) and the tag \(T\).

The update algorithms are intuitive and given in Fig. 8 (in Appendix) for update operations at a position different from the first block position. They can be adapted to be applied to the first block. In the original version, it is specified that a prefix and postfix are added to the document. For a document \(D_{ } = D_{1} \dots D_{n}\), the authentication tag is computed on \(D_{0} ||D_{1} \dots D_{n} ||D_{n+1}\) where \(D_{0}\) and \(D_{n+1}\) are specific prefix and postfix values. In this paper, this specification is not taken into account: it does not prevent our attack and the repaired scheme is proven secure without it.

XOR-scheme limits. Supporting insert, delete and consequently replace operations should make the XOR-scheme very efficient in term of update time running. The fresh random values \(r_{ i}\) generated by this scheme for each new document block are necessary for security. But generating so much randomness is time consuming: for an \(n\)-block document \(D_{ } \), a \(n(\ell - b)\)-random bits value \(r_{ }\) is generated. Random generation also slows down the insertion operation. Another drawback is the tag expansion: the random value \(r_{ }\) is part of the tag and needs to be stored. For a \(n\) block document, random storage costs \( n(\ell - b)\) bits. Even if today storage is not an issue, having short tags is desirable.

3 Forgery Attacks Against the XOR-Scheme

According to the basic security game described in Fig. 1, the adversary \(\mathcal {A} \) wins the game if it finds a new pair (\(D_{ }^*, T^*\)) such that the verification operation returns 1. If an adversary has access to any tag \(T\) (such that \(T= (r_{ },\tau )\)) returned by the \(\mathtt {MAC}\) algorithm on a document \(D_{ }\) (for example \(D_{0} ||D_{1} ||D_{2} \)), it can forge a different document \(D_{ }^*\) having the same value \(\tau \). The value \(\tau \) is computed as follows:

$$\begin{aligned} \tau= & {} P_{k_2} [F_{k_1}(D_{0}||r_{0}, D_{1} ||r_{1}) \oplus F_{k_1}(D_{1}||r_{1}, D_{2} ||r_{2}) ] \end{aligned}$$
(1)
$$\begin{aligned} \varSigma= & {} F_{k_1}(R_{0},R_{1}) \oplus F_{k_1}(R_{1},R_{2}) = h_{1} \oplus h_{2} \end{aligned}$$
(2)

\(\mathcal {A} \) can build a document \(D_{ }^* \ne D_{ }\) and a value \(r_{ }^*\) such that the corresponding \(\varSigma ^*\) value collides with \(\varSigma \) even if there is no weakness on \(F\). A way to do so is inserting a specific block chain in document \(D_{ }\) in order to cancel all the new values \( h_{i}'\) introduced by these repetitions as shown in Fig. 3. It seems that the chaining structure of the XOR-scheme should prevent this behavior because changing or inserting a block value will affect two values \(h_{i}\) then the tag \(\tau \) will be different. These modifications have to be compensated: the values \(h_{i}'\) introduced has to be canceled by xoring the same value and all the original values \(h_{i}\) that are deleted has to be re-introduced. We use this trick to break the claimed basic security.

Fig. 3.
figure 3

Xor cancellation strategy in the XOR-scheme

Full size image

Forgery Attack. Applying this strategy gives us an adversary \(\mathcal {A} ^{\mathtt {MAC}_{k_1,k_2}}\) wining the game \( G_{\mathtt {MAC}, \mathtt {V}, \mathtt {I}, \mathtt {D}}^{BS}\) with probability 1 and that requires only 1 \(\mathtt {MAC}_{k_1,k_2} \) query (Fig. 4).

Fig. 4.
figure 4

\(\varSigma \) computation for 3 block document

Full size image

 

1:

\(\mathcal {A} \) asks the MAC of a short document \( D_{ }\) where \(D_{ } = D_{0} ||D_{1} ||D_{2}\) and receives the corresponding authentication-tag \( T= (r_{ }, \tau )\).

2:

\(\mathcal {A} \) builds a document \(D_{ }^*\) from \(D_{ }\) such that \(D^* = D_{0} ||D_{1} ||D_{2} ||D_{1} ||D_{2} ||D_{1} ||D_{2} \) and a value \( r_{ }^*\) from \( r_{ }\) such that \(r_{ }^* = r_{0} ||r_{1} ||r_{2} ||r_{1} ||r_{2} ||r_{1} ||r_{2} \).

 

Fig. 5.
figure 5

Attack on the XOR-scheme

Full size image

The document \(D_{ }^*\) is different from \(D_{ }\) but it has the same value \(\tau \). The document \(D_{ }^*\) given in Fig. 5 is an example of a forgery and many other examples can be given. To be more general, for any \(x \in \{0,1\}^{b} \), any \(x' \in \{0,1\}^{(\ell - b)} \) and for any valid pair (\(D_{ }, T\)) such that \(D_{ } = D_{0} \dots D_{i} ||D_{i+1} \dots D_{n}\), many forgeries (\(D_{ }^*, (r_{ }^*, \tau )\)) can be built by inserting the specific block chain \( D_{i} ||x ||D_{i} ||x \) in \(D_{ }\) (and the corresponding random value chain \( r_{i} ||x' ||r_{i} ||x'\) in \(r_{ } \) for any \(x'\)) such that:

$$\begin{aligned} D_{ }^* = D_{0} \dots D_{i-1} ||\underbrace{D_{i} ||x ||D_{i} ||x ||D_{i} } ||D_{i+1} \dots D_{n}\\ r_{ }^* = r_{0} \dots r_{i-1} ||\underbrace{r_{i} ||x' ||r_{i} ||x' ||r_{i} ||} r_{i+1} \dots r_{n}. \end{aligned}$$

A variant of this forgery is to insert only a repeated document block \(D_{i}\) (and \(r_{i}\)) is the following:

$$\begin{aligned} D_{ }^* = D_{0} \dots D_{i-1} ||\underbrace{D_{i} ||D_{i} ||D_{i} } ||D_{i+1} \dots D_{n}.\\ r_{ }^* = r_{0} \dots r_{i-1} ||\underbrace{r_{i} ||r_{i} ||r_{i} ||} r_{i+1} \dots r_{n}. \end{aligned}$$

A more powerful forgery can be built from \((D_{ }, T)\) by inserting any values x and y in \(D_{} \) (and any values \(x'\) and \(y'\) in \(r_{ }\) ) such that:

$$\begin{aligned} D_{ }^* = D_{0} \dots D_{i-1} ||\underbrace{D_{i} ||x ||y ||x ||y ||x ||D_{i} ||x ||D_{i}} ||D_{i+1} \dots D_{n}.\\ r_{ }^* = r_{0} \dots r_{i-1} ||\underbrace{r_{i} ||x' ||y' ||x' ||y' ||x' r_{i} ||x' ||r_{i} ||} r_{i+1} \dots r_{n}. \end{aligned}$$

For all these attacks, the underbraced chains can be repeated many times. These three attacks are some of the possible attacks, following this canceling strategy, some exotic chains can be inserted in order to ends with a value \(\tau \) that corresponds to a legitimate tag. A first observation is that all these attacks are performed by inserting blocks and providing a forgery \(D_{ }^*\) that has the same length that the original one looks impossible or at least harder.

4 Modification of the XOR-Scheme

The previous section described an attack that breaks the basic security of the XOR-scheme by producing a document \(D_{ }^*\) using a MAC query \((D_{ },T)\) where \(\tau = \tau ^*\) and \( |D_{ }|_{b} \ne |D_{ }^*|_{b}\). All the forgeries \(D_{ }^*\) produced are longer that the original document \(D_{ } \). One can notice that if the adversary \(\mathcal {A} \) is only allowed to MAC and verify documents that have the same length \(n\) then the attack presented in Sect. 3 will fail. A first naive idea is to force all documents to have the same length (documents that are too small can be padded in the MAC algorithm) but this solution is not realistic and the incremental property will be lost. A natural way to fix this flaw is to use the document length \(n\) for the computation of the value \(\tau \) in order to make it size dependent. The size can be expressed according to any units: number of bits, bytes, blocks. Choosing the number of blocks \(n\) is sufficient. A postfix block containing the number of blocks \(n\) can be added at the end of the document then the computation of the value \(\varSigma \) will become:

$$\begin{aligned} \varSigma = F_{k_1}(D_{0}||r_{0}, D_{1} ||r_{1}) \oplus F_{k_1}(D_{1}||r_{1}, D_{2} ||r_{2}) \oplus \dots \oplus F_{k_1}(D_{n-1}||r_{n-1}, r_{n} ||n) \end{aligned}$$
Fig. 6.
figure 6

Description of the fixed XOR-scheme

Full size image

The last block works as a mask for each value \(\tau \): incremental operation will refresh the last random value \(r_{n}\) in order to have a different mask value for any modification. As a consequence, the pseudo-random permutation \(P\) is not necessary anymore (\(\tau = \varSigma \)), it is removed in the modified scheme (Fig. 6). This version of the XOR-scheme is proven in Sect. 5.

The last random block value \(r_{n}\) (concatenated with the document length \(n\)) is necessary otherwise the corresponding \(h_{n}\) value can be canceled. If it is omitted, the following attack is indeed possible:

  1. 1.

    \(\mathcal {A} \) asks the \(\mathtt {MAC}\) of a document \(D_{ } =D_{0} ||D_{1}\) and receives the tag \( T_1 = (r_{0} ||r_{1}, \tau _1)\).

  2. 2.

    \(\mathcal {A} \) asks to delete the first block of \(D_{ }\) by with the delete query \(\mathtt {D}(0,., D_{0}, D_{1},\tau _1)\) and receives \(T_2 = (r_{1},\tau _2)\).

  3. 3.

    \(\mathcal {A} \) asks to insert the block \(D_{0}'\) at the first position of the resulting document with the query \(\mathtt {I}_{k}(0,D_{1},., D_{0}', \tau _2)\) and receives \(T_3 = (r_{0}' ||r_{1}, \tau _3)\).

  4. 4.

    \(\mathcal {A} \) asks to insert the block \(D_{2}\) at the position 2 of the original document \(D_{ } \) with the query \(\mathtt {I}_{k}(2,., D_{1}, D_{2},\tau _1)\) and receives \(T_4 = (r_{0} ||r_{1} ||r_{2},\tau _4)\).

  5. 5.

    \(\mathcal {A} \) builds the document \(D_{}^* = D_{0}' ||D_{1} ||D_{2}\) and the tag \(T^* = (r_{0}' ||r_{1} ||r_{2},\tau _1 \oplus \tau _3 \oplus \tau _4)\).

The couple \((D_{ }^*, r_{ }^*)\) is a forgery: it is not in the list \(\mathcal {L}\) of tagged document and it has a valid tag. To avoid such attacks, for incremental operations the last random block (concatenated with the document length) needs to be always refreshed. To be sure that none of the previous attack will not be practical, an independent key is used to process the last couple (\(R_{n-1}, R_{n}\)). That way, it would be hard for an adversary to make a forgery from a linear combination of tagged documents.

Complexity. The modified XOR-scheme is slightly slower than the original one. For the \(\mathtt {MAC}\) and the incremental algorithms the \(P\) call is removed but a call to the function \(F_{k_2}\) is added as shown in Fig. 7. The delete \(\mathtt {D}\) and insert \(\mathtt {I}\) operations are slightly slower because of the last block update: the last value \(R_{i} \) depending on the document length has to be removed and the a new value \(R_{i} '\) with the new document length \(n'\) is added.

Fig. 7.
figure 7

Complexity: XOR-scheme (XS) and modified XOR-scheme (M-XS)

Full size image

Other Solutions. In the original XOR-scheme (Fig. 2), the document length can be added differently in the algorithm (but still with a random value \(r_{n}\)):

 

1:

Before the last operation \(P_{k_2}(\varSigma )\), an intermediate operation \(F_{k_3}(r_{n} ||n, \varSigma ) \) can be added such that \(\tau = P_{k_2}[F_{k_3}(r_{n} ||n, \varSigma )]\).

2:

The block length can be processed individually as a last block such that \(\tau = P_{k_2}[F_{k_3}(r_{n} ||n) \oplus \varSigma ]\).

 

5 Security Proof

The security proof follows the proof strategy used in [5] for proving the unchained XOR-scheme.

Information theoretic case. As in [5], we first consider the case where the two underlying PRFs \(F_{k_1}\) and \(F_{k_2}\) are replaced by two truly random functions \(F_1\) and \(F_2\) from \(\{0,1\}^{2\ell }\) to \(\{0,1\}^L\). We consider an unbounded adversary and the following theorem claims the security of this modified scheme in the information theoretic case. More precisely, it provides an absolute bound on the success of the adversary in terms of the number of oracle queries it makes.

Theorem 1

Let \(\mathcal {F}_{2 \ell ,L}\) be the family of random functions with input length \(2 \ell \) and output length L. Let \(\mathcal {A}\) be any (computationally unbounded) adversary, in the basic security settings, making a \((q_m, q_v, q_{inc})\)-attack against the modified XOR-scheme with two functions picked uniformly at random from \(\mathcal {F}_{2 \ell ,L}\). The probability that \(\mathcal {A}\) is successful is at most

$$ q^2 \cdot 2^{b - \ell } + q_v \cdot (t^2 \cdot 2^{b - \ell } + \cdot 2^{-L}). $$

where \(q = q_m + q_{inc}\) and t denotes the maximal block-length of the documents authenticated in the security game.

Proof

(Theorem 1 (Sketch)). The proof follows closely the proof from [5]. The main difference is that we use two different random functions in the modified scheme and that we need the following simple lemma to prove that some specific matrix (close to the one used in  [5]) is full-rank. For the reader familiar with [5], we use similar notations in the following.

Lemma 1

Let X be some finite set and let \(n\in \mathbb {N}\). Let \((R_{0}, R_{1},\dots , R_{n}) \in X^{n+1}\) with \(R_{i} \ne R_{j} \) for all \( i \ne j\) then if there exists \((R_{0}^*, R_{1}^*,\dots , R_{n}^*) \in X^{n+1}\) such that

$$ \{ (R_{0}, R_{1}), (R_{1}, R_{2}), \dots (R_{n-1}, R_{n})\} = \{ (R_{0}^*, R_{1}^*), (R_{1}^*, R_{2}^*), \dots (R_{n-1}^*, R_{n}^*)\} $$

then for all \(i \in \{0,\dots , n\}\), \(R_{i} = R_{i}^* \).

Proof

(Lemma 1). This lemma can be easily proved by induction over \(n\). Let us denote \(S_{n} \) the first set \(\{ (R_{0}, R_{1}), (R_{1}, R_{2}), \dots (R_{n-1}, R_{n})\}\) where all \(R_{i}\) are distinct. In particular, the set \(S_{n} \) contains exactly n different couples. One can notice that the first member of each couple is the second member of the previous couple except the first and the last couples. In others words a value \(R_{i}\) appears in two couples: once as a first member and once as a second member except the first one \( R_{0}\) and the last one \(R_{n}\).

The case \(n=1\) is trivial. We consider the case \( n= 2\) that provides greater clarity. Let assume that it exists \((R_{0}^*, R_{1}^*, R_{2}^*) \in X^{3}\) such that

$$ \{(R_{0}, R_{1}), (R_{1}, R_{2})\} = \{(R_{0}^*, R_{1}^*), (R_{1}^*, R_{2}^*)\}$$

and \(\# \{R_{0}, R_{1}, R_{2}\} = 3\). As there are exactly two couples in each set, we have the following two cases:

  • case 1: \( (R_{0}, R_{1}) = (R_{0}^*, R_{1}^*) \) and \( (R_{1}, R_{2}) = (R_{1}^*, R_{2}^*) \) then in this case, we get \(R_{0} = R_{0}^*, R_{1} = R_{1}^*, R_{2} = R_{2}^*\);

  • case 2: \( (R_{0}, R_{1}) = (R_{1}^*, R_{2}^*) \) and \( (R_{1}, R_{2}) = (R_{0}^*, R_{1}^*)\). The first equality implies \( R_{1}^* = R_{0} \) and the second equality implies \( R_{1}^* = R_{2} \) and thus \( R_{0} = R_{2}\) which contradicts the statement \( R_{0} \ne R_{2}\).

Suppose now that Lemma 1 holds for all integers \(k \le n-1\) for some \(n\in \mathbb {N}^*\). We will show that it holds for \(n\).

Let us suppose that there exists \((R_{0}^*, R_{1}^*, \dots , R_{n}^*) \in X^{n+1}\) such that \(S_{n} = S_{n}^*\) where \(S_{n}^* \) is the set \(\{ (R_{0}^*, R_{1}^*), (R_{1}^*, R_{2}^*), \dots (R_{n-1}^*, R_{n}^*)\}\). Again, as all the values \(R_{i}\) are different in \(S_{n} \) then the n couples are different. The equality of these two sets \(S_{n} \) and \(S_{n}^*\) implies that they contain exactly the same \(n\) couples and that in each set a couple appears only once. We have the following two cases:

  • case 1: \((R_{n-1}, R_{n})= (R_{n-1}^*, R_{n}^*) \) and \(S_{n-1}= S^*_{n-1}\). From the induction hypothesis, for all \(i \in \{0,\dots , n-1\} \), \(R_{i} = R_{i}^*\).

  • case 2: \((R_{n-1}, R_{n}) \ne (R_{n-1}^*, R_{n}^*) \) Then there exists \(i \in \{0,\dots , n-1\} \) such that \((R_{n-1}, R_{n})= (R_{i-1}^*, R_{i}^*)\). It implies \(R_{i}^* = R_{n}\) and according to the structure of these sets, there is a couple in \( S_{n}^*\) that has a first member equal to \(R_{i}^* = R_{n})\) and it has to be the case in \(S_{n}\). But as mentioned above, \(R_{n} \) is a value that appears only in one couple of \( S_{n}\) and we get a contradiction.    \(\square \)

We will use this lemma with \(X = \{0,1\}^\ell \) at the end of the proof to show that different messages of the same block-length involve different input pairs for the underlying PRF \(F_1\).

Since the adversary \(\mathcal {A}\) is computationally unbounded we may assume without loss of generality that it is deterministic. The probabilistic choices in \(\mathcal {A}\)’s attack on the scheme are thus the initial choice of \(F_1\) and \(F_2\) of the random functions in \(\mathcal {F}_{2\ell ,L}\) and the choices of random coins made by the authentication oracles in the security game. We assume (again without loss of generality) that \(\mathcal {A}\) makes exactly \(q = q_s + q_{inc}\) authentication queries (either as a direct MAC query or as an update query using the insert or the delete oracle). As in [5], there is no loss of generality to assume that \(\mathcal {A}\) makes all its authentication queries and then makes exactly one verify query (for its purported forgery). We prove that in this case the probability of the event (denoted \(\mathsf {Succ}\)) \(\mathcal {A}\)’s forgery is valid is upper-bounded by

$$ q^2 \cdot 2^{b - \ell } + t^2 \cdot 2^{b - \ell } + 2^{-L}. $$

and using a classical argument (see e.g. [5]) we get the claimed bound for general adversaries.

We consider the simple case where all the random coins used in the last block of each authenticated document are different. Note that in all authentication queries (from a fresh MAC query or an update query), this random block is picked uniformly at random and independently of the previous blocks. To analyze the probability of this event (denoted \(\mathsf {Distinct}\)), we can therefore use the following simple lemma:

Lemma 2

([5, Fact A.1]). Let P(mt) denote the probability of at least one collision in the experiment of throwing t balls, independently at random, into m buckets. Then \(P(m, t) \le t^2/m\).

We thus have

$$\begin{aligned} \Pr [\mathsf {Succ}]&= \Pr [\mathsf {Succ} \vert \mathsf {Distinct}] \cdot \Pr [\mathsf {Distinct}] + \Pr [\mathsf {Succ} \vert \overline{\mathsf {Distinct}}] \cdot \Pr [\overline{\mathsf {Distinct}}] \\&\le \Pr [\mathsf {Succ} \vert \mathsf {Distinct}] + \Pr [\overline{\mathsf {Distinct}}] \\&\le \Pr [\mathsf {Succ} \vert \mathsf {Distinct}] + P(2^{b - \ell },q) \\&\le \Pr [\mathsf {Succ} \vert \mathsf {Distinct}] + q^2 \cdot 2^{b - \ell }. \end{aligned}$$

and it remains to upper-bound \( \Pr [\mathsf {Succ} \vert \mathsf {Distinct}]\).

Let us fix a particular sequence of q documents \(D^1,\dots ,D^{q}\) (each made of at most t blocks of b bits) corresponding to all documents authenticated in the security game by some authentication queries (either as a direct MAC query or as an update query using the insert or the delete oracle). We also fix \(r^1,\dots ,r^q\) some bit-strings possibly used as random values in the modified XOR-scheme for these documents (i.e. \(r^i\) consists in \(1 \le t_i \le t\) blocks of \(\ell -b\) bits if \(D^i\) is made of \(t_i\) blocks of b bits) and we assume that the last blocks of all of them are all different. Finally we fix \(\tau ^1,\dots ,\tau ^q\) some possible corresponding tags in \(\{0,1\}^L\) for these documents. We consider only bit-strings \((D^1,\dots ,D^{q})\), \((r^1,\dots ,r^q)\) and \((\tau ^1,\dots ,\tau ^q)\) for which the probability that there exists two functions \(F_1\) and \(F_2\) such that \(T^i = (r^i,\tau ^i)\) is a valid MAC for \(D^i\) (for all \(i \in \{1,\dots ,q\}\)) for \(F_1\) and \(F_2\) is non-zero.

We will compute the probability of the event that \(\mathcal {A}\)’s forgery is valid conditioned on the event that the authentication queries made by \(\mathcal {A}\) are on the documents \(D^1,\dots ,D^{q}\), use the random coins \((r^1,\dots ,r^q)\) and result in the tags \((\tau ^1,\dots ,\tau ^q)\). More precisely, we will show that this probability is upper-bounded by \(t^2 \cdot 2^{b- \ell } + 2^{-L}\) (and since the bit-strings \((D^1,\dots ,D^{q})\), \((r^1,\dots ,r^q)\) and \((\tau ^1,\dots ,\tau ^q)\) are arbitrary, we will get the result by standard conditioning arguments).

We consider a possible forgery output by \(\mathcal {A}\) and we denote \(D^{q+1}\) the corresponding document, \(r^{q+1}\) the used randomness and \(\tau ^{q+1}\) the tag. It is worth noting that the pair \((D^{q+1},r^{q+1})\) is different from all pairs \((D^{i},r^{i})\) for all \(i \in \{1,\dots ,q\}\) (since otherwise, this is not an actual forgery) but we cannot assume that the last block of \(r^{q+1}\) is different from the last blocks of all previous random values \(r^{i}\) for all \(i \in \{1,\dots ,q\}\) (since \(\mathcal {A}\) may choose it arbitrarily and it can reuse a value obtained in a previous authentication query).

For \(i \in \{1,\dots ,q+1\}\), we denote \(D^i_j\) for all \(j \in \{1,\dots ,t_i\}\), the j-th block of the document \(D^i\) and similarly \(r^i_j\) for all \(j \in \{1,\dots ,t_i+1\}\), the j-th block of the randomness \(r^i\). As in [5], we consider the matrix B with \(q+1\) rows and \(2^{2\ell +1}\) columns over \(\mathbb {F}_2 = \{0,1\}\) where the entry in row \(i \in \{1,\dots ,q+1\}\) and column \(j \in \{1,\dots ,2^{2\ell +1}\}\) is defined as follows:

  • for \(j \in \{1,\dots ,2^{2\ell }\}\), the entry is equal to 1 if j is the index of the \(2\ell \)-bit string \((D^{i}_{t_i} ||r^i_{t_i} ||t_i ||r^i_{t_i+1})\) in lexicographic order (and 0 otherwise).

  • for \(j \in \{2^{2\ell }+1,\dots ,2^{2\ell +1}\}\), the entry is equal to 1 if \(j-2^{2\ell }\) is the index of the \(2\ell \)-bit string \((D^{i}_{k} ||r^i_{k} ||D^{i}_{k+1} ||r^i_{k+1} )\) in lexicographic order for some \(k \in \{1,\dots ,t_i-1\}\) (and 0 otherwise).

In other words, the matrix B contains a 1 on the row i for \(i \in \{1,\dots ,q+1\}\) only at positions corresponding to bit-strings of length \(2\ell \) used as inputs to the random functions \(F_1\) and \(F_2\) in the modified XOR-scheme (where the left part consisting of the first \(2^{2\ell }\) columns of the matrix corresponds to the unique input of \(F_2\) and the right part corresponds to all inputs to \(F_1\)).

We have the following lemma:

Lemma 3

The matrix B has full rank with probability at least \(1-t^2 \cdot 2^{b - \ell }\).

Proof

(Lemma 3). The proof is similar to the proof of [5, Lemma A.3]. If the pair \((t_{q+1},r^{q+1}_{t_{q+1}+1})\) is different from all \((t_{i},r^{i}_{t_{i}+1})\) for \(i \in \{1,\dots ,q\}\), then the matrix B is in echelon form (in its left part) and is thus trivially of full rank.

Otherwise, we assume that \(r^{q+1}_{t_{q+1}+1}\) is equal to some \(r^{i}_{t_{i}+1}\) and if \(t_{q+1} = t_{i}\) (the last block of randomness of \(\mathcal {A}\)’s forgery is equal to the last block of randomness of the i-th authenticated message and the block-length of these two messages are equal). It is worth noting that there exists only one index \(i \in \{1,\dots ,q\}\) such that this is the case (since we assume that these last blocks of randomness are all different). For this i-th document, the random blocks \(r^{i}_j\) for \(j \in \{1,\dots ,t_i\}\) are all different with probability at least \(1-t_i^2 \cdot 2^{b - \ell } \ge 1-t^2 \cdot 2^{b - \ell }\) by Lemma 2. Since the pair \((D^{q+1},r^{q+1})\) is different from \((D^{i},r^{i})\) and since the pairs \((D^{i}_{k} , r^i_{k})\) are all different for \(k \in \{1,\dots ,t_i\}\) (with probability at least \(1-t^2 \cdot 2^{b - \ell }\)), we can apply Lemma 1 to the sets (of the same length \(t_i=t_{q+1}\)):

$$ \left\{ D^{i}_{1} ||r^i_{1} ||D^{i}_{2} ||r^i_{2},D^{i}_{2} ||r^i_{2}||D^{i}_{3} ||r^i_{3},\dots , D^{i}_{t_i-1} ||r^i_{t_i-1} ||D^{i}_{t_i} ||r^i_{t_i}\right\} $$

and

$$ \left\{ D^{q+1}_{1} ||r^{q+1}_{1} ||D^{q+1}_{2} ||r^{q+1}_{2},D^{{q+1}}_{2} ||r^{q+1}_{2} ||D^{q+1}_{3} ||r^{q+1}_{3},\dots , D^{q+1}_{t_{i}-1} ||r^{q+1}_{t_i-1} ||D^{q+1}_{t_{i}} ||r^{q+1}_{t_i} \right\} .$$

We thus obtain that there exist an index \(k \in \{1,\dots ,t_i-1\}\) such that

$$ (D^{q+1}_{k} ||r^{q+1}_{k} ||D^{q+1}_{k+1} ||r^{q+1}_{k+1} ) \ne (D^{i}_{k} ||r^i_{k} ||D^{i}_{k+1} ||r^i_{k+1} ). $$

Therefore in this case the left part of the last row (consisting of the first \(2^{2\ell }\) columns) is identical to the left part of the i-th row but these rows differ in at least one position in the right part of the matrix B. By elementary operations on the rows, one can easily transform the matrix B in echelon form and it is therefore of full rank (with probability at least \(1-t^2 \cdot 2^{\ell -b}\)).    \(\square \)

To conclude the proof, one can identify the functions \(F_1\) and \(F_2\) to their vector of values in \((\{0,1\}^{2\ell })^L\) by denoting \(F_i(x) = (\varphi _{i,1}^{(x)},\dots ,\varphi _{i,L}^{(x)})\) for \(x \in \{0,1\}^{2\ell }\) and \(i \in \{1,2\}\), where \(\varphi _{i,j} \in \{0,1\}^{2\ell }\) for \(i \in \{1,2\}\) and \(j \in \{1,\dots ,L\}\). In this case by construction, \(\tau ^i\) is the authentication tag of the document \(D^i\) with randomness \(r^i\) for all \(i \in \{1,\dots ,q+1\}\) if and only if for all \(j \in \{1,\dots ,L\}\), the j-th bit \(\tau _i^{(j)}\) of \(\tau _i\) is equal to the dot product of the i-th row of the matrix B and the vector \(\varphi _{2,i} ||\varphi _{1,i}\). Using the same argument as in [5], since B is of full rank, the number of vectors satisfying this \(q+1\) equations is \(2^L\) times smaller than the number of vectors satisfying only the first q equations (corresponding to the first q rows of B), and therefore we obtained that the forgery \(\tau ^{q+1}\) output by the adversary is valid with probability \(2^{-L}\) if the matrix B is full rank.

We have thus proved that, in the simplified case, the probability that \(\mathcal {A}\)’s forgery is valid is upper-bounded by

$$ q^2 \cdot 2^{b - \ell } + t^2 \cdot 2^{b - \ell } + 2^{-L}. $$

and thus the claimed bound for general adversaries.   \(\square \)

Computational case. If we replace the (truly) random functions by pseudo-random functions in the previous result, we obtain readily the following computational security result:

Theorem 2

Let \(F\) be the family of pseudo-random functions with input length \(2 \cdot \ell \) and output length L. Let \(\mathcal {A}\) be any adversary making a \((q_m, q_v, q_{inc})\)-attack against the modified XOR-scheme with two functions picked uniformly at random from \(F\) and running in time \(\lambda \).

There exist an adversary \(\mathcal {B}\) against the pseudo-randomness property of \(F\) that makes \(q' = q \cdot t\) queries to \(F\), runs in time \(\lambda ' = \lambda + O(q'(\ell +L))\) such that

$$ \mathbf {Adv}^{PRF}_{\mathcal {B}, F} \ge \mathbf {Adv}^{BS}_{\mathcal {A}, \mathcal {XS}} - [(q^2 + t^2) \cdot 2^{b - \ell } + 2^{-L}]. $$

where \(q = q_m + q_{inc}\) and t denotes the maximal block-length of the documents authenticated in the security game.

Proof

(Theorem 2). The proof is identical to the proof of [5, Theorem 4.2] and is left to the reader.    \(\square \)

6 Conclusion

We showed that the XOR-scheme as described in [3] does not provide the claimed basic security: a forgery can be easily built from any tag by inserting specific document block chains to a legitimate document and the corresponding random value chains to the legitimate random value. We proposed a modified XOR-scheme that is not vulnerable to these attacks and we proved its security in the basic sense. Our modified XOR-scheme is the only secure strongly incremental algorithm but unfortunately it still has some drawbacks: the randomness generation slows down the algorithm and the tag length makes it unpractical because the random values have to be stored. But it is definitely worth analyzing its structure in order to improve it or to build another strongly incremental authenticated scheme (or prove a lower bound on the length of strongly incremental MAC algorithms). Another interesting open problem is to design a strongly incremental authenticated scheme that achieves tamper-proof security.