Protocols and security proofs for data authentication (2006)

Cited by 23 | Views 10

Abstract
This thesis studies the security of various cryptographic primitives that provide data authentication. We first study how the security of existing primitives such as message authentication, authenticated encryption, AEAD or XOR-tag schemes depends on the number of verification attempts towards forgery that the adversary is able to make. We point out that, contrary to popular belief, allowing a message authentication adversary multiple verification attempts towards forgery is not equivalent to allowing it a single one, so that the notion of security that most message authentication schemes are proven to meet does not guarantee their security in practice. We next develop a framework for establishing the security of various cryptographic protocols against multiple verification queries. We introduce a new primitive, called the data authentication primitive, which generalizes message authentication, authenticated encryption and other primitives. We specify a condition under which the security of a data authentication primitive against multiple verification queries is equivalent to that against a single query, and prove security against multiple verification queries for any data authentication primitive that satisfies this condition. We use the results on data authentication primitives to recover the security of popular classes of message authentication schemes such as MACs (including HMAC and PRF-based MACs) and CW-schemes. We also improve the concrete security of the EAX mode of operation and of generalized Carter-Wegman message authentication schemes, where we show that multiple verification queries give virtually no advantage to the adversary. We also present a new primitive for data authentication, Append-only Signatures (AOS), with the property that any party given an AOS signature on message M1 can "append" this signature with any message M2 to obtain the signature on the concatenation of M1 and M2.
We define the security of AOS, present concrete AOS schemes, and prove their security under standard assumptions. In addition, we find that despite its simple definition, AOS is equivalent to Hierarchical Identity-based Signatures (HIBS) through efficient and security-preserving reductions. We finally show how to apply AOS to authenticate route announcements in the BGP routing protocol, which is an important open problem in network security.
Keywords
generalized Carter-Wegman message authentication, message authentication, concrete security, security proof, data authentication, authenticated encryption, multiple verification query, message authentication adversary, data authentication primitive, network security, message authentication scheme