Security of Message Authentication Codes in the Presence of Key-Dependent Messages


Designs, Codes and Cryptography manuscript No. (will be inserted by the editor)

Madeline González Muñiz, Rainer Steinwandt

Received: date / Accepted: date

Abstract. In recent years, the security of encryption and signature schemes in the presence of key-dependent plaintexts has received attention, and progress in understanding such scenarios has been made. In this paper we motivate and discuss a setting where an adversary can access tags of a message authentication code (MAC) on key-dependent message inputs, and we propose a way to formalize the security of MACs in the presence of key-dependent messages (KD-EUF). Like signature schemes, MACs have a verification algorithm, and hence the tagging algorithm must be stateful. We present a scheme MAC-ver which offers KD-EUF security and also yields a forward-secure scheme.

Keywords: message authentication codes; key-dependent messages

1 Introduction

Established security notions for encryption schemes like IND-CCA refer to scenarios where encrypted plaintexts do not depend on the secret key. For some scenarios, like encrypting a hard disk storing the secret decryption key, such a security model is inadequate. In recent years, significant progress in understanding such cryptographic settings has been made (see [1, 5, 8-11], for instance). Here, we explore the scenario of key-dependent messages in message authentication codes (MACs). For example, an adversary may be granted access to a MAC of a (possibly encrypted) backup of a hard disk containing the secret tagging key; this is a scenario not covered by EUF-CMA security.

M. González Muñiz: Cybernetica AS, Estonia, madeline@research.cyber.ee
R. Steinwandt: Florida Atlantic University, USA, rsteinwa@fau.edu

Our contribution. Following the notion of key-dependent message security (KDM) as proposed by Black et al. [5], we propose a formalization of security of MACs in the presence of key-dependent messages (KD-EUF). For stateless signers, this level of security is impossible to achieve even in the random oracle model, where one might be tempted to believe that designing a MAC is not particularly challenging. We present a stateful scheme (MAC-ver) that offers KD-EUF security in the random oracle model.

Further related work. In addition to research on encryption and signing in the presence of key-dependent messages, leakage resilience is of interest for the context of our paper (see, for instance, [6, 7, 13, 16, 18]). Leakage functions are used to model leaked information as occurring during a side-channel attack, which may include information about the secret key. Unlike in the case of typical leakage functions, the functions $f$ that we allow the adversary to query may leak a complete secret state. However, in our setting an adversary does not obtain output values of $f$ directly, but rather the result of the tag generation algorithm applied to images under $f$; thus our discussion seems more adequate for dealing with structural attacks than with side-channel attacks.

2 Message Authentication Codes and Existential Unforgeability

We formalize MACs as in [15], but we interpret the secret value $K$ not as a (static) key but rather as the state of the user, i.e., all secret information of the user is part of the state. The security of MACs has been researched extensively, including the work in [2, 12, 14, 17].

Definition 1 (Message authentication code) A message authentication code $\Pi$ is a triple of, possibly stateful, polynomial time algorithms $(\mathcal{K}, \mathcal{T}, \mathcal{V})$:

- The randomized key generation algorithm $\mathcal{K}$ returns a string $K$ on input of the security parameter $1^k$. We denote the generation of the initial state by $K \xleftarrow{\$} \mathcal{K}(1^k)$.
- The tag generation algorithm $\mathcal{T}$, which may be randomized or stateful, takes a state $K$ and a message $M \in \{0,1\}^*$ to return a tag $T \in \{0,1\}^* \cup \{\bot\}$, and we denote it by $T \xleftarrow{\$} \mathcal{T}_K(M)$. Here $\bot \notin \{0,1\}^*$ is a dedicated symbol to indicate an error.
- The deterministic MAC-verification algorithm $\mathcal{V}$ takes a state $K$, a message $M \in \{0,1\}^*$ and a candidate tag $T \in \{0,1\}^*$ to return either 1 (Accept) or 0 (Reject). We write $d \leftarrow \mathcal{V}_K(M, T)$ with $d$ denoting the decision bit returned.

We require that for $K \xleftarrow{\$} \mathcal{K}(1^k)$, with overwhelming probability, for any message $M \in \{0,1\}^*$ and tag $T \xleftarrow{\$} \mathcal{T}_K(M)$ the condition $\mathcal{V}_K(M, T) = 1$ holds.

An adversary may repeat a transmission of a valid pair $(M, T)$ and get the receiver to accept it once again; this is known as a replay attack. In the definition of security that we present, we do not consider this a valid forgery; existential unforgeability against chosen message attacks (EUF-CMA) is defined as follows.

Definition 2 (EUF-CMA) Let $\Pi = (\mathcal{K}, \mathcal{T}, \mathcal{V})$ be a message authentication code, and let $A_{\mathrm{euf}}$ be a probabilistic polynomial time algorithm. Consider the following attack scenario:

1. Compute a secret state $K \xleftarrow{\$} \mathcal{K}(1^k)$.
2. The adversary $A_{\mathrm{euf}}$ is given unrestricted access to a tag generation oracle $\mathcal{O}_{\mathcal{T}}$ and a verification oracle $\mathcal{O}_{\mathcal{V}}$ to run $\mathcal{T}_K$ and $\mathcal{V}_K$.
3. Eventually, $A_{\mathrm{euf}}$ outputs a message/tag pair $(M, T)$.

Let QueriedEarlier be the event that $A_{\mathrm{euf}}$ outputs a message $M$ that has already been queried to the tag generation oracle $\mathcal{O}_{\mathcal{T}}$. The success probability $\mathrm{Succ}^{\mathrm{euf}}_A = \mathrm{Succ}^{\mathrm{euf}}_A(k)$ of $A_{\mathrm{euf}}$ is defined as
$$\mathrm{Succ}^{\mathrm{euf}}_A := \Pr[\mathcal{V}_K(M, T) = 1 \text{ and } \neg\mathrm{QueriedEarlier}],$$
and we refer to the MAC $\Pi$ as secure in the sense of EUF-CMA if $\mathrm{Succ}^{\mathrm{euf}}_A$ is negligible for all probabilistic polynomial time adversaries $A_{\mathrm{euf}}$.

3 MAC Security in the Presence of Key-Dependent Queries

Informally, a MAC $\Pi$ is KD-EUF (key-dependent existentially unforgeable) secure if it is secure despite a forger's ability to obtain tags on arbitrary (efficiently computable) functions $g$ of the state $K$. We begin by making this intuition more precise and then show how to achieve this security requirement in the random oracle model. While one may be tempted to think that the use of a random oracle makes the construction of a MAC trivial, the presence of key-dependent queries changes the situation significantly: even with a random oracle there is no stateless KD-EUF-secure MAC (see Remark 1).

3.1 Defining KD-EUF security

Unlike a digital signature, the verification of a MAC requires knowledge of the secret key, so we provide our adversary $A_{\mathrm{kd}}$ with a verification oracle in addition to the key-dependent tag generation oracle.

Definition 3 (KD-EUF) Let $\Pi = (\mathcal{K}, \mathcal{T}, \mathcal{V})$ be a message authentication code, and let $A_{\mathrm{kd}}$ be a probabilistic polynomial time algorithm. Consider the following attack scenario:

1. Compute a secret state $K \xleftarrow{\$} \mathcal{K}(1^k)$.
2. The adversary $A_{\mathrm{kd}}$ is given unrestricted access to a tag generation oracle $\hat{\mathcal{O}}_{\mathcal{T}}$ and a verification oracle $\mathcal{O}_{\mathcal{V}}$ to run $\mathcal{T}_K$ and $\mathcal{V}_K$. The oracle $\hat{\mathcal{O}}_{\mathcal{T}}$ accepts as input a function $g$, represented as a boolean circuit of polynomial size, and executes the tag generation algorithm $\mathcal{T}$ with the current state $K$ and the message $g(K)$ as input.¹
3. Eventually, $A_{\mathrm{kd}}$ outputs a message $M \in \{0,1\}^*$ and a tag $T$.

Let QueriedEarlier be the event that $A_{\mathrm{kd}}$ outputs a message $M$ such that one of $A_{\mathrm{kd}}$'s queries $g$ to the tagging oracle $\hat{\mathcal{O}}_{\mathcal{T}}$ evaluated to $g(K) = M$. Then the success probability $\mathrm{Succ}^{\mathrm{kd}}_A = \mathrm{Succ}^{\mathrm{kd}}_A(k)$ of $A_{\mathrm{kd}}$ is defined as
$$\mathrm{Succ}^{\mathrm{kd}}_A := \Pr[\mathcal{V}_K(M, T) = 1 \text{ and } \neg\mathrm{QueriedEarlier}],$$
and we call the MAC $\Pi$ secure in the sense of KD-EUF if $\mathrm{Succ}^{\mathrm{kd}}_A$ is negligible for all probabilistic polynomial time adversaries $A_{\mathrm{kd}}$.

¹ In the random oracle model, $g$ may invoke the random oracle.

As a negative result, we note that no MAC with a stateless tag generation algorithm can meet the security goal of KD-EUF; this follows with the same argument as used for digital signatures in [8]. Access to a verification oracle (resp. verification key) is a rather powerful tool for adversaries against MACs (resp. signature schemes) when functions of the secret key can be summoned:

Remark 1 Let $\Pi = (\mathcal{K}, \mathcal{T}, \mathcal{V})$ be a MAC with a stateless tag generation algorithm $\mathcal{T}$, i.e., the secret state $K$ is not changed by executing $\mathcal{T}$. Then the MAC $\Pi$ is not secure in the sense of KD-EUF.

3.2 Achieving KD-EUF security

In this section, we define a stateful MAC that we prove to be KD-EUF-secure in the random oracle model. As hinted at by Remark 1, even with a random oracle the existence of a KD-EUF-secure MAC is not immediate.

Definition 4 (The scheme MAC-ver) We define the stateful message authentication code MAC-ver $= (\mathcal{K}, \mathcal{T}, \mathcal{V})$ with security parameter $k$, message space $\{0,1\}^*$, key space $\{0,1\}^k$, and random oracle $H : \{0,1\}^* \to \{0,1\}^k$ as follows.

- $\mathcal{K}(1^k)$ outputs a uniformly at random chosen key $K \xleftarrow{\$} \{0,1\}^k$.
- The sender runs $\mathcal{T}_K(M)$, which samples $R \xleftarrow{\$} \{0,1\}^k$, outputs the tag $T := (R, H(0 \| M \| R \| K))$ and updates the state $K$ to $K := H(K \| R)$.
- If the receiver runs $\mathcal{V}_K(M, T)$ on input $T = (R, D)$ and verifies that $D = H(0 \| M \| R \| K)$, it sets $K := H(K \| R)$ and outputs 1, i.e., the tag is accepted. Otherwise $\mathcal{V}_K(M, T)$ outputs 0, i.e., the tag is rejected.
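The following Python code is an added example and is not part of the paper. Its first half plays the attack behind Remark 1 against a stateless MAC (HMAC-SHA256 stands in for any stateless tagging algorithm): given tags on key-dependent messages g(K) and a verification oracle, the adversary learns K one bit per query and then forges a tag on a message it never submitted. Its second half implements MAC-ver from Definition 4, with SHA-256 truncated to k bits standing in for the random oracle H, the prefix 0 written as a zero byte, and a length prefix on M as an encoding choice of the example, and checks that tags are accepted only in order and only once. The query functions g_i, the two constant messages and all helper names are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

K_BITS = 128              # security parameter k, in bits
K_BYTES = K_BITS // 8


def H(x: bytes) -> bytes:
    """SHA-256 truncated to k bits stands in for the random oracle H: {0,1}* -> {0,1}^k."""
    return hashlib.sha256(x).digest()[:K_BYTES]


def enc(m: bytes) -> bytes:
    """Length-prefix M so that 0 || M || R || K parses unambiguously (an encoding choice, not the paper's)."""
    return len(m).to_bytes(4, "big") + m


# ---- Part 1: Remark 1, a stateless MAC under key-dependent tagging queries ----

class StatelessMacOracles:
    """Tagging oracle on g(K) plus a verification oracle, wrapped around a stateless
    MAC (HMAC-SHA256 stands in for any stateless tagging algorithm T)."""

    def __init__(self, key: bytes):
        self._key = key

    def tag_kd(self, g) -> bytes:
        # the adversary submits g, an efficiently computable function of the state K
        return hmac.new(self._key, g(self._key), hashlib.sha256).digest()

    def verify(self, msg: bytes, tag: bytes) -> bool:
        expect = hmac.new(self._key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expect, tag)


def extract_key_bit_by_bit(oracles: StatelessMacOracles, nbits: int) -> bytes:
    """One bit of K per (tag, verify) pair: request the tag of
    g_i(K) = M0 if bit i of K is 0 else M1, then ask the verifier whether that
    tag is valid for M0. This only works because the key never changes."""
    m0, m1 = b"bit-is-0", b"bit-is-1"
    bits = []
    for i in range(nbits):
        def g_i(key: bytes, i: int = i) -> bytes:
            return m0 if (key[i // 8] >> (7 - i % 8)) & 1 == 0 else m1
        t = oracles.tag_kd(g_i)
        bits.append(0 if oracles.verify(m0, t) else 1)
    return bytes(int("".join(map(str, bits[b:b + 8])), 2) for b in range(0, nbits, 8))


def demo_stateless_attack() -> tuple:
    """Returns (key recovered?, forgery on a never-queried message accepted?)."""
    key = secrets.token_bytes(K_BYTES)
    oracles = StatelessMacOracles(key)
    recovered = extract_key_bit_by_bit(oracles, K_BITS)
    fresh = b"never submitted to the tagging oracle"
    forged = hmac.new(recovered, fresh, hashlib.sha256).digest()
    return recovered == key, oracles.verify(fresh, forged)


# ---- Part 2: MAC-ver (Definition 4), stateful tagging and in-order verification ----

class MacVerSender:
    def __init__(self, key: bytes):
        self.K = key

    def tag(self, M: bytes) -> tuple:
        R = secrets.token_bytes(K_BYTES)
        D = H(b"\x00" + enc(M) + R + self.K)   # T := (R, H(0 || M || R || K))
        self.K = H(self.K + R)                 # state update K := H(K || R)
        return R, D


class MacVerReceiver:
    def __init__(self, key: bytes):
        self.K = key

    def verify(self, M: bytes, T: tuple) -> bool:
        R, D = T
        if hmac.compare_digest(D, H(b"\x00" + enc(M) + R + self.K)):
            self.K = H(self.K + R)             # advance the state only on acceptance
            return True
        return False


def demo_mac_ver() -> tuple:
    """Returns (in-order tags accepted?, replay accepted?, out-of-order tag accepted?)."""
    K0 = secrets.token_bytes(K_BYTES)
    sender, receiver = MacVerSender(K0), MacVerReceiver(K0)
    t1, t2 = sender.tag(b"msg-1"), sender.tag(b"msg-2")
    out_of_order = receiver.verify(b"msg-2", t2)   # receiver still holds K0: rejected, no update
    in_order = receiver.verify(b"msg-1", t1) and receiver.verify(b"msg-2", t2)
    replay = receiver.verify(b"msg-2", t2)         # state has moved on: rejected
    return in_order, replay, out_of_order
```

Running the same bit-extraction loop against MAC-ver does not accumulate a key: each accepted verification advances both parties to a fresh state H(K || R), so every answer reveals at most one bit of a state that is never used again, which is the intuition behind Theorem 1.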

Note that in the above scheme we assume that messages are verified in order; the verifier updates its state if and only if a tag verification was successful. We have the following result.

Theorem 1 If $H$ is a random oracle, the scheme MAC-ver $= (\mathcal{K}, \mathcal{T}, \mathcal{V})$ as in Definition 4 is secure in the sense of KD-EUF.

Proof We will create a series of games in which we alter the environment of the adversary. During each transition, the adversary may only gain a negligible advantage; hence, the probability of creating a forgery differs negligibly. Suppose that a probabilistic polynomial time adversary $A_{\mathrm{kd}}$ can forge with non-negligible probability, let $q_T$ be a polynomial upper bound on the number of $A_{\mathrm{kd}}$'s queries to the tagging oracle, and similarly let $q_H$ be a polynomial upper bound on the number of queries of $A_{\mathrm{kd}}$ to the random oracle $H$ (including indirect queries through verification or tagging queries).

Game 0. This is a trivial simulation of the original game in the definition of KD-EUF security (Definition 3). All needed oracles for $A_{\mathrm{kd}}$ can be simulated faithfully.

Random oracle: To simulate $A_{\mathrm{kd}}$'s random oracle $H$, we create an empty list $L_{RO}$. Then, whenever $A_{\mathrm{kd}}$ queries its random oracle with a message $X$ such that $L_{RO}$ contains no entry of the form $(X, \cdot)$, we choose a value $H(X) \in \{0,1\}^k$ uniformly at random, append the pair $(X, H(X))$ to $L_{RO}$ and send $H(X)$ to $A_{\mathrm{kd}}$. In case $A_{\mathrm{kd}}$ queries the random oracle a second time with the same value $X$, we return the stored value $H(X)$. We assume without loss of generality that $A_{\mathrm{kd}}$ does not repeat a direct random oracle query. We define $\mathrm{Domain}(H)$ to be the set of points $X$ for which an entry of the form $(X, \cdot)$ is in $L_{RO}$.

Tagging and verification oracle: Knowing the secret key, we can faithfully answer all tag queries to $\hat{\mathcal{O}}_{\mathcal{T}}$ and verification queries to $\mathcal{O}_{\mathcal{V}}$ by executing $\mathcal{T}$ and $\mathcal{V}$, respectively, with the appropriate input and using the above simulation of the random oracle $H$.

Game 1. By Collision we denote the event that during the simulation two pairs $(X, H(X))$ and $(X', H(X'))$ with $X \neq X'$ and $H(X) = H(X')$ are stored in $L_{RO}$. Whenever the event Collision occurs, the simulation is restarted. As $A_{\mathrm{kd}}$ is polynomially bounded, Collision occurs with negligible probability only, and subsequently we may assume that the event Collision does not occur.

Game 2. In this game, we pick a value $j \in \{0, \ldots, q_T\}$ uniformly at random. If $A_{\mathrm{kd}}$ does not forge after the $j$-th and before the $(j+1)$-st query to the tagging oracle, we abort. Since $q_T$ is polynomial in the security parameter $k$, $A_{\mathrm{kd}}$ can still forge with non-negligible probability.

Game 3. Now we change the simulation of the tagging oracle $\hat{\mathcal{O}}_{\mathcal{T}}$: we claim that providing the adversary with $(R, H(R \| K))$ instead of $(R, H(0 \| M \| R \| K))$ during the $j$-th query to $\hat{\mathcal{O}}_{\mathcal{T}}$ does not significantly change $A_{\mathrm{kd}}$'s ability to forge. Denoting by $K_j$ the state after the $j$-th tagging query, there are two cases to consider: $A_{\mathrm{kd}}$ can (Case 1) or cannot (Case 2) predict² $g(K_j)$ with non-negligible probability.

Case 1: Suppose that $A_{\mathrm{kd}}$ can predict the value of $g(K_j)$ with non-negligible probability. Then we modify $A_{\mathrm{kd}}$ and force it to replace $g(K_j)$ with a key-independent query $M$, where $M$ is the predicted value. Note that the adversary wins if the verification algorithm accepts a tag for a message not previously summoned from the tagging oracle, and the verification oracle automatically updates the secret key after a successful verification. Thus, without loss of generality, we can assume that $A_{\mathrm{kd}}$ does not verify the tag for message $M$ received in the $j$-th query to $\hat{\mathcal{O}}_{\mathcal{T}}$. Suppose that $A_{\mathrm{kd}}$ can distinguish between $H(0 \| M \| R \| K_j)$ and $H(R \| K_j)$ without using the verification oracle. Since the key $K_j$ has not been used in a previous tag, $A_{\mathrm{kd}}$ could only distinguish between the two values by using direct random oracle queries. Although $A_{\mathrm{kd}}$ knows $M$ (with non-negligible probability) and $R$, this would also imply that $A_{\mathrm{kd}}$ knows $K_j$. Since $K_j$ is chosen fresh for each tag, $A_{\mathrm{kd}}$ can guess $K_j$ with probability at most $1/2^k$, which is negligible. Since $0$ is not prepended in the argument of $H(R \| K_j)$, the latter hash value can only be a valid tag for some message if the event Collision occurs, which we excluded in Game 1 already. Consequently, substituting the value $H(0 \| M \| R \| K_j)$ with $H(R \| K_j)$ will not be noticed by $A_{\mathrm{kd}}$.

Case 2: Suppose that $A_{\mathrm{kd}}$ has a negligible probability of predicting the value $M = g(K_j)$. Verifying the tag for message $M$ would contradict $A_{\mathrm{kd}}$ being able to forge during the $j$-th query. Since $A_{\mathrm{kd}}$ has a negligible probability of predicting the value $M$, $A_{\mathrm{kd}}$'s probability of verifying the tag for $M$ is also negligible. Therefore, without loss of generality, we may assume that $A_{\mathrm{kd}}$ does not verify the tag for $M$. Similar to Case 1, $A_{\mathrm{kd}}$ can only distinguish between $H(0 \| M \| R \| K_j)$ and $H(R \| K_j)$ using direct oracle queries with negligible probability. Hence, substituting $H(0 \| M \| R \| K_j)$ with $H(R \| K_j)$ will not be noticed by $A_{\mathrm{kd}}$.

Game 4. In this game, we claim that there is no need to faithfully simulate the key update in the scheme; rather we can choose new keys uniformly at random. Given a tag $T = (R, D)$, the new key $H(K \| R)$ should be indistinguishable from a random $k$-bit string. Given $(R, H(R \| K))$ (instead of $(R, H(0 \| M \| R \| K))$, due to Game 3), can $A_{\mathrm{kd}}$ distinguish between $H(K \| R)$ and a random $k$-bit string, where $R$ is given and $|K| = k$? Since $K = R$ with probability at most $1/2^k$, which is negligible, we can assume that $K \neq R$ (otherwise distinguishing becomes trivial). Since we assumed from Game 1 that the event Collision does not occur, $H(K \| R)$ is not equal to an element previously output by $H$. As a result, $A_{\mathrm{kd}}$ cannot distinguish between $H(K \| R)$ and a random $k$-bit string, so there is no need to faithfully simulate the key update in $\mathcal{T}$ or $\mathcal{V}$.

² Meaning there is a probabilistic polynomial time extractor which derives the value to be predicted from the state of $A_{\mathrm{kd}}$.

Suppose that $A_{\mathrm{kd}}$ creates a forgery $(M_F, (R_F, D_F))$ without the event Collision occurring. If $0 \| M_F \| R_F \| K_j \notin \mathrm{Domain}(H)$, then $H(0 \| M_F \| R_F \| K_j)$ is a uniformly at random chosen element of $\{0,1\}^k$, and the probability that $D_F = H(0 \| M_F \| R_F \| K_j)$ is $1/2^k$, which is negligible. If $0 \| M_F \| R_F \| K_j \in \mathrm{Domain}(H)$, then we need to consider two cases: either $0 \| M_F \| R_F \| K_j$ has been queried implicitly by a tagging query, or it has not. The former case contradicts a forgery, and hence the hash value for $0 \| M_F \| R_F \| K_j$ has been assigned through a direct random oracle query by $A_{\mathrm{kd}}$. In turn, this implies that $A_{\mathrm{kd}}$ knows the full key $K_j$ given $(R, H(R \| K_j))$. Since we assumed that the event Collision does not occur, $A_{\mathrm{kd}}$ gets $K_j$ by computing the preimage of $H(R \| K_j)$. Since $H(R \| K_j)$ is a random element and $|K_j| = k$, the probability of $A_{\mathrm{kd}}$ computing the preimage of $H(R \| K_j)$ is negligible in $k$. This is a contradiction to $A_{\mathrm{kd}}$ forging with non-negligible probability.

4 Forward-Secure Message Authentication Codes

In [4], Bellare and Yee propose a stateful general construction that lifts any EUF-CMA-secure MAC to one that is forward-secure. By forward-secure, we mean that in the case of key exposure during some time period $j$, an adversary cannot forge tags for any time period in the past. Using a variant of the scheme MAC-ver in Definition 4, we will prove that the new scheme is forward-secure as defined below. To do so, we first define the notion of a key-evolving message authentication code.

Definition 5 (Key-Evolving Message Authentication Codes) A key-evolving message authentication code $\Psi = (\mathcal{K}^f, \mathcal{T}^f, \mathcal{V}^f, \mathcal{U}^f, n)$ consists of four polynomial time algorithms along with a natural number $n$.

- The randomized key generation algorithm $\mathcal{K}^f$ returns a string $K_0$ on input of the security parameter $1^k$, and we denote it by $K_0 \xleftarrow{\$} \mathcal{K}^f(1^k)$.
- During each time period $j \in \{1, 2, \ldots, n\}$, the parties use a key denoted $K_j$ (which contains $j$). The key $K_j$ is obtained by using the deterministic key-update algorithm: $K_j \leftarrow \mathcal{U}^f(K_{j-1})$. After the update, $K_{j-1}$ is deleted.
- Within time period $j$, the tag generation algorithm $\mathcal{T}^f$ takes a key $K_j$ and a message $M \in \{0,1\}^*$ to return a tag $T \in \{0,1\}^* \cup \{\bot\}$ along with the time period $j$, and we denote this by $\langle T, j \rangle \xleftarrow{\$} \mathcal{T}^f_{K_j}(M)$. Here $\bot \notin \{0,1\}^*$ is a dedicated symbol to indicate an error.
- In time period $j$, the deterministic MAC-verification algorithm $\mathcal{V}^f$ takes a key $K_j$, a message $M \in \{0,1\}^*$ and a candidate tag $T \in \{0,1\}^*$ to return either 1 (Accept) or 0 (Reject). We write $d \leftarrow \mathcal{V}^f_{K_j}(M, \langle T, j \rangle)$ with $d$ denoting the decision bit returned.

When defining forward security, we allow the adversary to query chosen messages adaptively using the provided tagging and verification oracles within a time period $j$. Once the adversary has moved on to a new time period, messages from the past cannot be queried, since the key-update algorithm deletes the previous key. The adversary $A_{\mathrm{fwd}}$ can choose a time period during which the current secret key $K_j$ is revealed, as long as $j \le n$.

Definition 6 (FWD-CMA) Let $\Psi = (\mathcal{K}^f, \mathcal{T}^f, \mathcal{V}^f, \mathcal{U}^f, n)$ be a key-evolving message authentication code, and let $A_{\mathrm{fwd}}$ be a probabilistic polynomial time algorithm. Let $\varepsilon$ be the empty string, and let $h$ be a history kept by the adversary between invocations. Consider the following attack scenario:

1. Compute a secret state $K_0 \xleftarrow{\$} \mathcal{K}^f(1^k)$. Set $j \leftarrow 0$ and $h \leftarrow \varepsilon$.
2. repeat
       $j \leftarrow j + 1$; $K_j \leftarrow \mathcal{U}^f(K_{j-1})$
       The adversary $A_{\mathrm{fwd}}$ is given unrestricted access to a tag generation oracle $\mathcal{O}_{\mathcal{T}^f}$ and a verification oracle $\mathcal{O}_{\mathcal{V}^f}$ to run $\mathcal{T}^f$ and $\mathcal{V}^f$.
       $A_{\mathrm{fwd}}$ outputs $(c, h)$.
   until ($c = \mathrm{breakin}$) or $j = n$
   if $c \neq \mathrm{breakin}$ and $j = n$ then $j \leftarrow n$
3. Eventually $A_{\mathrm{fwd}}$ outputs a message $M \in \{0,1\}^*$ and a tag $\langle T, l \rangle$ with $1 \le l < j$.

Let QueriedEarlier be the event that $A_{\mathrm{fwd}}$ outputs a message $M$ already queried to the tagging oracle $\mathcal{O}_{\mathcal{T}^f}$ in time period $l$. Then the success probability $\mathrm{Succ}^{\mathrm{fwd}}_A = \mathrm{Succ}^{\mathrm{fwd}}_A(k)$ of $A_{\mathrm{fwd}}$ is defined as
$$\mathrm{Succ}^{\mathrm{fwd}}_A := \Pr[\mathcal{V}^f_K(M, \langle T, l \rangle) = 1 \text{ and } \neg\mathrm{QueriedEarlier}],$$
and we call the key-evolving MAC $\Psi$ secure in the sense of FWD-CMA if $\mathrm{Succ}^{\mathrm{fwd}}_A$ is negligible for all probabilistic polynomial time adversaries $A_{\mathrm{fwd}}$.

During each time period, an adversary can query a polynomial number of messages on a fixed key. If these queries are allowed to be key-dependent, the adversary can extract the key for that period bit by bit. Hence, forward security does not imply security in the presence of key-dependent messages. We now propose a variant of the scheme MAC-ver which is secure in the sense of FWD-CMA.

Definition 7 (The scheme fMAC-ver) The stateful key-evolving MAC scheme fMAC-ver $= (\mathcal{K}^f, \mathcal{T}^f, \mathcal{V}^f, \mathcal{U}^f, n)$ with security parameter $k$, message space $\{0,1\}^*$, key space $\{0,1\}^{2k}$, and oracle $H : \{0,1\}^* \to \{0,1\}^k$ is specified as follows, where $\mathrm{bin}(j)$ is the $k$-bit binary representation of time period $j$.

- $\mathcal{K}^f(1^k)$ selects $R \in \{0,1\}^k$ uniformly at random and outputs $K_0 := H(R) \| \mathrm{bin}(0)$.
- The update algorithm $\mathcal{U}^f$ takes as input $K_{j-1}$ and sets $K_j := H(K_{j-1}) \| \mathrm{bin}(j)$.
- The sender runs the tagging algorithm $\mathcal{T}^f_{K_j}(M)$, which outputs the pair $\langle T, j \rangle$ where $T := H(0 \| M \| \mathrm{bin}(j) \| K_j)$, and then runs the update algorithm $\mathcal{U}^f(K_j)$.
- If the receiver runs $\mathcal{V}^f_{K_j}(M, \langle T, j \rangle)$ and verifies that $T = H(0 \| M \| \mathrm{bin}(j) \| K_j)$, it runs the update algorithm $\mathcal{U}^f(K_j)$ and outputs 1. Otherwise $\mathcal{V}^f_{K_j}(M, \langle T, j \rangle)$ outputs 0.

As in the previous section, we assume that tags are verified in order.

Theorem 2 The scheme fMAC-ver $= (\mathcal{K}^f, \mathcal{T}^f, \mathcal{V}^f, \mathcal{U}^f, n)$ as in Definition 7 is secure in the sense of FWD-CMA in the random oracle model.

Proof We omit details of the proof that are similar to those in the proof of Theorem 1. Suppose that $A_{\mathrm{fwd}}$ creates a forgery $(M_F, \langle T_F, j_F \rangle)$ for time period $j_F$ with non-negligible probability, such that $j_F < j_B$, where $j_B$ is the break-in time index. We know that $T_F = H(0 \| M_F \| \mathrm{bin}(j_F) \| K_{j_F})$; either $0 \| M_F \| \mathrm{bin}(j_F) \| K_{j_F} \in \mathrm{Domain}(H)$ or $0 \| M_F \| \mathrm{bin}(j_F) \| K_{j_F} \notin \mathrm{Domain}(H)$ when $A_{\mathrm{fwd}}$ outputs the forgery. In the latter case, a value from $\{0,1\}^k$ is selected uniformly at random during verification, and the probability that $A_{\mathrm{fwd}}$ succeeds is negligible. Hence, $0 \| M_F \| \mathrm{bin}(j_F) \| K_{j_F} \in \mathrm{Domain}(H)$. To be a valid forgery, $0 \| M_F \| \mathrm{bin}(j_F) \| K_{j_F}$ cannot have been queried to the tagging oracle during period $j_F$. Therefore, $A_{\mathrm{fwd}}$ evaluated $T_F$ via a direct random oracle query. In turn, this implies that $A_{\mathrm{fwd}}$ was able to come up with $K_{j_F}$. Without loss of generality, let $j_F$ be the smallest index such that $A_{\mathrm{fwd}}$ can create a forgery. That is, $A_{\mathrm{fwd}}$ knows $K_{j_F}$, but not $K_j$ for any $j < j_F$. If $A_{\mathrm{fwd}}$ can distinguish between hashes involving $K_j$ and random elements for $j < j_F$ (that end with the correct period representation), then $A_{\mathrm{fwd}}$ must know some key with index smaller than $j_F$, which would contradict our assumption that $j_F$ is the smallest index. So in particular, the keys $\{K_0, \ldots, K_{j_F - 1}\}$ are indistinguishable from $2k$-bit elements that begin with a random $k$-bit string and end with the respective $k$-bit period representation. Without guessing, $A_{\mathrm{fwd}}$ must invert $K_{j_F + 1}$ at some point, that is, invert $H(K_{j_F})$, since $\mathrm{bin}(j_F + 1)$ is known. $A_{\mathrm{fwd}}$ can invert $H(K_{j_F})$ with probability at most $1/2^k$, which is a contradiction to $A_{\mathrm{fwd}}$ creating a forgery with non-negligible probability.

5 Conclusion

In the presence of key-dependent messages there is, even in the random oracle model, no stateless MAC meeting the suggested (seemingly natural) formalization of existential unforgeability. We presented a stateful MAC in the random oracle model which offers strong security guarantees, and which also leads to a forward-secure scheme. While in the one-time signature compiler presented in [8] the signature grows linearly in the security parameter, the scheme MAC-ver has a state of fixed size, and the tag size does not depend on the number of tags already created. For future work it is natural to ask for constructions in the standard model, but it also seems interesting to explore which types of security can be achieved with a MAC that has a static key. In general, the composition method Encrypt-and-MAC does not provide both integrity and privacy, as shown by Bellare and Namprempre in [3]; by Encrypt-and-MAC we mean encrypting the plaintext (using a symmetric key) and appending a MAC of the plaintext. It could be interesting to explore combinations of a symmetric encryption scheme and a MAC that share a secret key such that, when composed by the Encrypt-and-MAC method, the resulting composition is secure in a strong sense despite an adversary's ability to obtain key-dependent encryptions and MACs of the shared secret key.

Acknowledgements Madeline González Muñiz's research was supported by the European Regional Development Fund through the Estonian Center of Excellence in Computer Science, EXCS.

References

1. Backes, M., Pfitzmann, B., Scedrov, A.: Key-Dependent Message Security under Active Attacks: BRSIM/UC-Soundness of Symbolic Encryption with Key Cycles. In: CSF 2007: Proceedings of the 20th IEEE Computer Security Foundations Symposium. IEEE Computer Society (2007)
2. Bellare, M., Kilian, J., Rogaway, P.: The Security of Cipher Block Chaining. In: M. Franklin (ed.) Advances in Cryptology, CRYPTO 1994: Proceedings of the 14th Annual International Cryptology Conference, Lecture Notes in Computer Science, vol. 839. Springer (1994)
3. Bellare, M., Namprempre, C.: Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm. In: T. Okamoto (ed.) Advances in Cryptology, ASIACRYPT 2000, Lecture Notes in Computer Science, vol. 1976. Springer (2000)
4. Bellare, M., Yee, B.: Forward-Security in Private-Key Cryptography. In: M. Joye (ed.) Topics in Cryptology, CT-RSA 2003, Lecture Notes in Computer Science, vol. 2612. Springer (2003)
5. Black, J., Rogaway, P., Shrimpton, T.: Encryption-Scheme Security in the Presence of Key-Dependent Messages. In: K. Nyberg, H.M. Heys (eds.) Selected Areas in Cryptography, SAC 2003: 10th Annual International Workshop, Lecture Notes in Computer Science, vol. 2595. Springer-Verlag (2003)
6. Dziembowski, S., Pietrzak, K.: Leakage-Resilient Cryptography. In: FOCS 2008: Proceedings of the Annual IEEE Symposium on Foundations of Computer Science. IEEE Computer Society (2008)
7. Faust, S., Kiltz, E., Pietrzak, K., Rothblum, G.: Leakage-Resilient Signatures. In: D. Micciancio (ed.) 7th Theory of Cryptography Conference, TCC 2010, Lecture Notes in Computer Science, vol. 5978. Springer (2010)
8. González Muñiz, M., Steinwandt, R.: Security of Signature Schemes in the Presence of Key-Dependent Messages. Tatra Mountains Mathematical Publications 47 (2010)
9. Haitner, I., Holenstein, T.: On the (Im)Possibility of Key Dependent Encryption. In: O. Reingold (ed.) Theory of Cryptography, TCC 2009: Sixth Theory of Cryptography Conference, Lecture Notes in Computer Science, vol. 5444. Springer (2009)
10. Halevi, S., Krawczyk, H.: Security Under Key-Dependent Inputs. In: CCS 2007: Proceedings of the 14th ACM Conference on Computer and Communications Security. ACM (2007)
11. Hofheinz, D., Unruh, D.: Towards Key-Dependent Message Security in the Standard Model. In: N. Smart (ed.) Advances in Cryptology, EUROCRYPT 2008: International Conference on the Theory and Applications of Cryptographic Techniques, Lecture Notes in Computer Science, vol. 4965. Springer (2008)

12. Jaulmes, E., Joux, A., Valette, F.: On the Security of Randomized CBC-MAC Beyond the Birthday Paradox Limit: A New Construction. In: J. Daemen, V. Rijmen (eds.) FSE 2002: Revised Papers from the 9th International Workshop on Fast Software Encryption, Lecture Notes in Computer Science, vol. 2365. Springer (2002)
13. Katz, J., Vaikuntanathan, V.: Signature Schemes with Bounded Leakage Resilience. In: M. Matsui (ed.) Advances in Cryptology, ASIACRYPT 2009, Lecture Notes in Computer Science, vol. 5912. Springer (2009)
14. Kim, J., Biryukov, A., Preneel, B., Hong, S.: On the Security of HMAC and NMAC Based on HAVAL, MD4, MD5, SHA-0 and SHA-1 (Extended Abstract). In: R. De Prisco, M. Yung (eds.) Security and Cryptography for Networks, 5th International Conference, SCN 2006, Lecture Notes in Computer Science, vol. 4116. Springer (2006)
15. Menezes, A., van Oorschot, P., Vanstone, S.: Handbook of Applied Cryptography. CRC Press (1996)
16. Micali, S., Reyzin, L.: Physically Observable Cryptography (Extended Abstract). In: M. Naor (ed.) Theory of Cryptography, TCC 2004: First Theory of Cryptography Conference, Lecture Notes in Computer Science, vol. 2951. Springer (2004)
17. Preneel, B., van Oorschot, P.: On the Security of Iterated Message Authentication Codes. IEEE Transactions on Information Theory 45(1) (1999)
18. Standaert, F.X., Pereira, O., Yu, Y., Quisquater, J.J., Yung, M., Oswald, E.: Leakage Resilient Cryptography in Practice. Cryptology ePrint Archive, Report 2009/341 (2009)
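The key-evolving scheme fMAC-ver of Definition 7, as an added Python example that is not code from the paper. SHA-256 truncated to k bits stands in for H; bin(j) is encoded as a k-bit big-endian integer, the prefix 0 as a zero byte, and M carries a length prefix, all of which are encoding choices of this example. The demo breaks in after four periods, shows that the attacker can then tag for the current and all later periods (which FWD-CMA does not forbid), and shows that a verifier replaying the archive in order rejects a tag for an earlier period computed without the deleted key, since recovering that key from the break-in key means inverting H.

```python
import hashlib
import hmac
import secrets

K_BITS = 128              # security parameter k, in bits
K_BYTES = K_BITS // 8


def H(x: bytes) -> bytes:
    """SHA-256 truncated to k bits stands in for the random oracle H: {0,1}* -> {0,1}^k."""
    return hashlib.sha256(x).digest()[:K_BYTES]


def bin_j(j: int) -> bytes:
    """bin(j): the k-bit representation of time period j (big-endian here)."""
    return j.to_bytes(K_BYTES, "big")


def enc(m: bytes) -> bytes:
    """Length-prefix M so that 0 || M || bin(j) || K_j parses unambiguously (an encoding choice, not the paper's)."""
    return len(m).to_bytes(4, "big") + m


def keygen_f(R: bytes) -> bytes:
    """K^f: K_0 := H(R) || bin(0) for a uniformly random k-bit R."""
    return H(R) + bin_j(0)


def period_of(K: bytes) -> int:
    """The period j is carried in the trailing k bits of K_j."""
    return int.from_bytes(K[K_BYTES:], "big")


def update_f(K_prev: bytes) -> bytes:
    """U^f: K_j := H(K_{j-1}) || bin(j); the caller discards K_{j-1}."""
    return H(K_prev) + bin_j(period_of(K_prev) + 1)


class FMacVerParty:
    """Holds the current key K_j; the same class serves as sender or receiver."""

    def __init__(self, K: bytes):
        self.K = K

    def tag(self, M: bytes) -> tuple:
        j = period_of(self.K)
        T = H(b"\x00" + enc(M) + bin_j(j) + self.K)   # T := H(0 || M || bin(j) || K_j)
        self.K = update_f(self.K)                     # K_j is deleted, only K_{j+1} remains
        return T, j

    def verify(self, M: bytes, T: bytes, j: int) -> bool:
        if j != period_of(self.K):                     # tags are verified in order
            return False
        if hmac.compare_digest(T, H(b"\x00" + enc(M) + bin_j(j) + self.K)):
            self.K = update_f(self.K)
            return True
        return False


def demo_forward_security() -> tuple:
    """Break in after four tags (the attacker learns K_4) and check what that buys:
    returns (honest stream accepted?, forgery for period 4 accepted?, forgery for period 2 accepted?)."""
    K0 = keygen_f(secrets.token_bytes(K_BYTES))
    sender = FMacVerParty(K0)
    tags = [sender.tag(b"msg-%d" % i) for i in range(4)]      # periods 0..3
    K_breakin = sender.K                                       # K_4, the only key left on the sender

    attacker = FMacVerParty(K_breakin)
    future = attacker.tag(b"forged-in-period-4")               # the attacker owns K_4 and onward

    receiver = FMacVerParty(K0)
    honest_ok = all(receiver.verify(b"msg-%d" % i, T, j) for i, (T, j) in enumerate(tags))
    future_ok = receiver.verify(b"forged-in-period-4", *future)

    # Period 2 lies before the break-in: K_2 was deleted and is only reachable by inverting H.
    # The attacker's best key-free attempt reuses K_4, which an archive verifier at K_2 rejects.
    archive = FMacVerParty(K0)
    archive.verify(b"msg-0", *tags[0])
    archive.verify(b"msg-1", *tags[1])
    past = H(b"\x00" + enc(b"forged-in-period-2") + bin_j(2) + K_breakin)
    past_ok = archive.verify(b"forged-in-period-2", past, 2)
    return honest_ok, future_ok, past_ok
```

Because every tag triggers an update, one period corresponds to one tag here, and a receiver that has consumed period j will never accept a second tag labelled j, whether replayed or forged.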


More information

Lecture 10, Zero Knowledge Proofs, Secure Computation

Lecture 10, Zero Knowledge Proofs, Secure Computation CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last

More information

Efficient Compilers for Authenticated Group Key Exchange

Efficient Compilers for Authenticated Group Key Exchange Efficient Compilers for Authenticated Group Key Exchange Qiang Tang and Chris J. Mitchell Information Security Group, Royal Holloway, University of London Egham, Surrey TW20 0EX, UK {qiang.tang, c.mitchell}@rhul.ac.uk

More information

Cryptographic Hash Functions

Cryptographic Hash Functions ECE458 Winter 2013 Cryptographic Hash Functions Dan Boneh (Mods by Vijay Ganesh) Previous Lectures: What we have covered so far in cryptography! One-time Pad! Definition of perfect security! Block and

More information

CS408 Cryptography & Internet Security

CS408 Cryptography & Internet Security CS408 Cryptography & Internet Security Lectures 16, 17: Security of RSA El Gamal Cryptosystem Announcement Final exam will be on May 11, 2015 between 11:30am 2:00pm in FMH 319 http://www.njit.edu/registrar/exams/finalexams.php

More information

Lecture 8: Cryptography in the presence of local/public randomness

Lecture 8: Cryptography in the presence of local/public randomness Randomness in Cryptography Febuary 25, 2013 Lecture 8: Cryptography in the presence of local/public randomness Lecturer: Yevgeniy Dodis Scribe: Hamidreza Jahanjou So far we have only considered weak randomness

More information

Introduction to Cryptography. Lecture 6

Introduction to Cryptography. Lecture 6 Introduction to Cryptography Lecture 6 Benny Pinkas page 1 1 Data Integrity, Message Authentication Risk: an active adversary might change messages exchanged between Alice and Bob M Alice M M M Bob Eve

More information

CS408 Cryptography & Internet Security

CS408 Cryptography & Internet Security CS408 Cryptography & Internet Security Lecture 18: Cryptographic hash functions, Message authentication codes Functions Definition Given two sets, X and Y, a function f : X Y (from set X to set Y), is

More information

On the Security of a Certificateless Public-Key Encryption

On the Security of a Certificateless Public-Key Encryption On the Security of a Certificateless Public-Key Encryption Zhenfeng Zhang, Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100080,

More information

On Symmetric Encryption with Distinguishable Decryption Failures

On Symmetric Encryption with Distinguishable Decryption Failures On Symmetric Encryption with Distinguishable Decryption Failures Alexandra Boldyreva, Jean Paul Degabriele, Kenny Paterson, and Martijn Stam FSE - 12th Mar 2013 Outline Distinguishable Decryption Failures

More information

Verifiably Encrypted Signature Scheme with Threshold Adjudication

Verifiably Encrypted Signature Scheme with Threshold Adjudication Verifiably Encrypted Signature Scheme with Threshold Adjudication M. Choudary Gorantla and Ashutosh Saxena Institute for Development and Research in Banking Technology Road No. 1, Castle Hills, Masab Tank,

More information

Modelling the Security of Key Exchange

Modelling the Security of Key Exchange Modelling the Security of Key Exchange Colin Boyd including joint work with Janaka Alawatugoda, Juan Gonzalez Nieto Department of Telematics, NTNU Workshop on Tools and Techniques for Security Analysis

More information

Digital Signatures. Sven Laur University of Tartu

Digital Signatures. Sven Laur University of Tartu Digital Signatures Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic identity,

More information

Overview of Cryptography

Overview of Cryptography 18739A: Foundations of Security and Privacy Overview of Cryptography Anupam Datta CMU Fall 2007-08 Is Cryptography A tremendous tool The basis for many security mechanisms Is not The solution to all security

More information

Blockwise-Adaptive Attackers

Blockwise-Adaptive Attackers Blockwise-Adaptive Attackers Revisiting the (In)Security of Some Provably Secure Encryption Modes: CBC, GEM, IACBC Antoine Joux, Gwenaëlle Martinet, and Frédéric Valette DCSSI Crypto Lab 18, rue du Docteur

More information

Cryptographically Secure Bloom-Filters

Cryptographically Secure Bloom-Filters 131 139 Cryptographically Secure Bloom-Filters Ryo Nojima, Youki Kadobayashi National Institute of Information and Communications Technology (NICT), 4-2-1 Nukuikitamachi, Koganei, Tokyo, 184-8795, Japan.

More information

Lecture Note 05 Date:

Lecture Note 05 Date: P.Lafourcade Lecture Note 05 Date: 29.09.2009 Security models 1st Semester 2008/2009 MANGEOT Guillaume ROJAT Antoine THARAUD Jrmie Contents 1 Block Cipher Modes 2 1.1 Electronic Code Block (ECB) [Dwo01]....................

More information

Securely Combining Public-Key Cryptosystems

Securely Combining Public-Key Cryptosystems Securely Combining Public-Key Cryptosystems Stuart Haber Benny Pinkas STAR Lab, Intertrust Tech. 821 Alexander Road Princeton, NJ 08540 {stuart,bpinkas}@intertrust.com Abstract It is a maxim of sound computer-security

More information

A Forward-Secure Signature with Backward-Secure Detection

A Forward-Secure Signature with Backward-Secure Detection A Forward-Secure Signature with Backward-Secure Detection Dai-Rui Lin and Chih-I Wang Department of Computer Science and Engineering National Sun Yat-sen University, Kaohsiung 804, Taiwan June 17, 2007

More information

Chaum s Designated Confirmer Signature Revisited

Chaum s Designated Confirmer Signature Revisited Chaum s Designated Confirmer Signature Revisited Jean Monnerat and Serge Vaudenay EPFL, Switzerland http://lasecwww.epfl.ch Abstract. This article revisits the original designated confirmer signature scheme

More information

Computer Security CS 526

Computer Security CS 526 Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability

More information

A new key recovery attack on the ANSI retail MAC

A new key recovery attack on the ANSI retail MAC A new key recovery attack on the ANSI retail MAC Chris J. Mitchell Information Security Group, Royal Holloway, University of London Egham, Surrey TW20 0EX, UK c.mitchell@rhul.ac.uk 13th November 2002 Abstract

More information

A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks

A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks Jan Camenisch 1, Nishanth Chandran 2, and Victor Shoup 3 1 IBM Research, work funded

More information

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information 1 Introduction Cryptography is an interdisciplinary field of great practical importance. The subfield of public key cryptography has notable applications, such as digital signatures. The security of a

More information

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University Symmetric-Key Cryptography Part 1 Tom Shrimpton Portland State University Building a privacy-providing primitive I want my communication with Bob to be private -- Alice What kind of communication? SMS?

More information

Research Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.

Research Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel. Research Statement Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel. lindell@cs.biu.ac.il www.cs.biu.ac.il/ lindell July 11, 2005 The main focus of my research is the theoretical foundations

More information

Automated Security Proofs with Sequences of Games

Automated Security Proofs with Sequences of Games Automated Security Proofs with Sequences of Games Bruno Blanchet and David Pointcheval CNRS, Département d Informatique, École Normale Supérieure October 2006 Proofs of cryptographic protocols There are

More information

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing CSC 5930/9010 Modern Cryptography: Cryptographic Hashing Professor Henry Carter Fall 2018 Recap Message integrity guarantees that a message has not been modified by an adversary Definition requires that

More information

1 A Tale of Two Lovers

1 A Tale of Two Lovers CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Dec. 12, 2006 Lecture Notes 19 (expanded): Secure Two-Party Computation Recommended Reading. Goldreich Volume II 7.2.2, 7.3.2, 7.3.3.

More information

History of message integrity techniques

History of message integrity techniques History of message integrity techniques Chris Mitchell 17th January 2008 1 Contents of talk 1. CBC-MACs 2. Standardised CBC-MACs 3. EMAC and ARMAC 4. New CBC-MAC schemes 5. RMAC 6. The XCBC family 7. Other

More information

COMP4109 : Applied Cryptography

COMP4109 : Applied Cryptography COMP4109 : Applied Cryptography Fall 2013 M. Jason Hinek Carleton University Applied Cryptography Day 8 (and maybe 9) secret-key primitives Message Authentication Codes Pseudorandom number generators 2

More information

Security Analysis of a Design Variant of Randomized Hashing

Security Analysis of a Design Variant of Randomized Hashing Security Analysis of a Design Variant of Randomized ashing Praveen Gauravaram 1, Shoichi irose 2, Douglas Stebila 3 1 Tata Consultancy Services, Australia 2 University of Fukui, Japan 3 McMaster University,

More information

IND-CCA2 secure cryptosystems, Dan Bogdanov

IND-CCA2 secure cryptosystems, Dan Bogdanov MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee 1 Overview Notion of indistinguishability The Cramer-Shoup cryptosystem Newer results

More information

Improved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption

Improved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption Improved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption Dan Boneh 1 and Jonathan Katz 2 1 Computer Science Department, Stanford University, Stanford CA 94305 dabo@cs.stanford.edu

More information

CS 495 Cryptography Lecture 6

CS 495 Cryptography Lecture 6 CS 495 Cryptography Lecture 6 Dr. Mohammad Nabil Alaggan malaggan@fci.helwan.edu.eg Helwan University Faculty of Computers and Information CS 495 Fall 2014 http://piazza.com/fci_helwan_university/fall2014/cs495

More information

Sufficient conditions for sound hashing using a truncated permutation

Sufficient conditions for sound hashing using a truncated permutation Sufficient conditions for sound hashing using a truncated permutation Joan Daemen 1, Tony Dusenge 2, and Gilles Van Assche 1 1 STMicroelectronics 2 Université Libre de Bruxelles Abstract. In this paper

More information

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes Ewan Fleischmann Christian Forler Stefan Lucks Bauhaus-Universität Weimar FSE 2012 Fleischmann, Forler, Lucks. FSE 2012. McOE:

More information

Symmetric Encryption 2: Integrity

Symmetric Encryption 2: Integrity http://wwmsite.wpengine.com/wp-content/uploads/2011/12/integrity-lion-300x222.jpg Symmetric Encryption 2: Integrity With material from Dave Levin, Jon Katz, David Brumley 1 Summing up (so far) Computational

More information

A Related Key Attack on the Feistel Type Block Ciphers

A Related Key Attack on the Feistel Type Block Ciphers International Journal of Network Security, Vol.8, No.3, PP.221 226, May 2009 221 A Related Key Attack on the Feistel Type Block Ciphers Ali Bagherzandi 1,2, Mahmoud Salmasizadeh 2, and Javad Mohajeri 2

More information

Lecture 1 Applied Cryptography (Part 1)

Lecture 1 Applied Cryptography (Part 1) Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication

More information

Lecture 10. Data Integrity: Message Authentication Schemes. Shouhuai Xu CS4363 Cryptography Spring

Lecture 10. Data Integrity: Message Authentication Schemes. Shouhuai Xu CS4363 Cryptography Spring Lecture 10. Data Integrity: Message Authentication Schemes Shouhuai Xu CS4363 Cryptography Spring 2007 1 Roadmap Problem Statement Definition Constructions Remarks Shouhuai Xu CS4363 Cryptography Spring

More information

Hash Proof Systems and Password Protocols

Hash Proof Systems and Password Protocols Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David Pointcheval CNRS, Ecole normale supe rieure/psl & INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA

More information

New Generic Attacks Against Hash-based MACs

New Generic Attacks Against Hash-based MACs New Generic Attacks Against Hash-based MACs Gaëtan Leurent 1, Thomas Peyrin 2, and Lei Wang 2 1 Université Catholique de Louvain, Belgium gaetan.leurent@uclouvain.be 2 Nanyang Technological University,

More information

Generic collision attacks on hash-functions and HMAC

Generic collision attacks on hash-functions and HMAC Generic collision attacks on hash-functions and HMAC Chris Mitchell Royal Holloway, University of London 1 Agenda 1. Hash-functions and collision attacks 2. Memoryless strategy for finding collisions 3.

More information

A Designer s Guide to KEMs. Errata List

A Designer s Guide to KEMs. Errata List A Designer s Guide to KEMs Alexander W. Dent Information Security Group, Royal Holloway, University of London, Egham Hill, Egham, Surrey, U.K. alex@fermat.ma.rhul.ac.uk http://www.isg.rhul.ac.uk/~alex/

More information

Protocols for Authenticated Oblivious Transfer

Protocols for Authenticated Oblivious Transfer Protocols for Authenticated Oblivious Transfer Mehrad Jaberi, Hamid Mala Department of Computer Engineering University of Isfahan Isfahan, Iran mehrad.jaberi@eng.ui.ac.ir, h.mala@eng.ui.ac.ir Abstract

More information

Related-key Attacks on Triple-DES and DESX Variants

Related-key Attacks on Triple-DES and DESX Variants Related-key Attacks on Triple-DES and DESX Variants Raphael C.-W. han Department of Engineering, Swinburne Sarawak Institute of Technology, 1st Floor, State Complex, 93576 Kuching, Malaysia rphan@swinburne.edu.my

More information

Security Analysis of Extended Sponge Functions. Thomas Peyrin

Security Analysis of Extended Sponge Functions. Thomas Peyrin Security Analysis of Extended Sponge Functions Hash functions in cryptology: theory and practice Leiden, Netherlands Orange Labs University of Versailles June 4, 2008 Outline 1 The Extended Sponge Functions

More information

CS 395T. Formal Model for Secure Key Exchange

CS 395T. Formal Model for Secure Key Exchange CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,

More information

Towards Key-Dependent Message Security in the Standard Model

Towards Key-Dependent Message Security in the Standard Model Towards Key-Dependent Message Security in the Standard Model Dennis Hofheinz 1 and Dominique Unruh 1 CWI, Cryptology and Information Security Group, Amsterdam, The Netherlands, Denni s. Hofhein z@ cw i.

More information

Multi-authority attribute based encryption with honest-but-curious central authority

Multi-authority attribute based encryption with honest-but-curious central authority Proceedings of the 10th International Conference on Computational and Mathematical Methods in Science and Engineering, CMMSE 2010 27 30 June 2010. Multi-authority attribute based encryption with honest-but-curious

More information

SIGNCRYPTION WITH NON-INTERACTIVE NON-REPUDIATION

SIGNCRYPTION WITH NON-INTERACTIVE NON-REPUDIATION SIGNCRYPTION WITH NONINTERACTIVE NONREPUDIATION JOHN MALONELEE ABSTRACT Signcryption [35] is a public key primitive that achieves the functionality of both an encryption scheme and a signature scheme simultaneously

More information

Continuous After-the-fact Leakage-Resilient Key Exchange (full version)

Continuous After-the-fact Leakage-Resilient Key Exchange (full version) Continuous After-the-fact Leakage-Resilient Key Exchange (full version) Janaka Alawatugoda 1 Colin Boyd 3 Douglas Stebila 1,2 1 School of Electrical Engineering and Computer Science, Queensland University

More information

Malicious KGC Attacks in Certificateless Cryptography

Malicious KGC Attacks in Certificateless Cryptography Malicious KGC Attacks in Certificateless Cryptography Man Ho Au School of Information Technology and Computer Science University of Wollongong Wollongong, Australia mhaa456@uow.edu.au Yi Mu School of Information

More information

Solutions to exam in Cryptography December 17, 2013

Solutions to exam in Cryptography December 17, 2013 CHALMERS TEKNISKA HÖGSKOLA Datavetenskap Daniel Hedin DIT250/TDA351 Solutions to exam in Cryptography December 17, 2013 Hash functions 1. A cryptographic hash function is a deterministic function that

More information

Notes for Lecture 21. From One-Time Signatures to Fully Secure Signatures

Notes for Lecture 21. From One-Time Signatures to Fully Secure Signatures U.C. Berkeley CS276: Cryptography Handout N21 Luca Trevisan April 7, 2009 Notes for Lecture 21 Scribed by Anand Bhaskar, posted May 1, 2009 Summary Today we show how to construct an inefficient (but efficiently

More information

Katz, Lindell Introduction to Modern Cryptrography

Katz, Lindell Introduction to Modern Cryptrography Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 4 Markus Bläser, Saarland University Message authentication How can you be sure that a message has not been modified? Encyrption is not

More information

CSCE 715: Network Systems Security

CSCE 715: Network Systems Security CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Next Topic in Cryptographic Tools Symmetric key encryption Asymmetric key encryption Hash functions and

More information

Authenticated encryption

Authenticated encryption Authenticated encryption Mac forgery game M {} k R 0,1 s m t M M {m } t mac k (m ) Repeat as many times as the adversary wants (m, t) Wins if m M verify m, t = 1 Mac forgery game Allow the adversary to

More information

Combined schemes for signature and encryption: the public-key and the identity-based setting

Combined schemes for signature and encryption: the public-key and the identity-based setting Combined schemes for signature and encryption: the public-key and the identity-based setting María Isabel González Vasco Florian Hess Rainer Steinwandt Abstract Consider a scenario in which parties use

More information

Lecture 18 - Chosen Ciphertext Security

Lecture 18 - Chosen Ciphertext Security Lecture 18 - Chosen Ciphertext Security Boaz Barak November 21, 2005 Public key encryption We now go back to public key encryption. As we saw in the case of private key encryption, CPA security is not

More information

Request for Comments: 3566 Category: Standards Track Intel September The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec

Request for Comments: 3566 Category: Standards Track Intel September The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec Network Working Group Request for Comments: 3566 Category: Standards Track S. Frankel NIST H. Herbert Intel September 2003 Status of this Memo The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec This

More information

Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol

Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol Mihir Bellare UC San Diego mihir@cs.ucsd.edu Tadayoshi Kohno UC San Diego tkohno@cs.ucsd.edu Chanathip Namprempre Thammasat

More information

An Efficient MAC for Short Messages

An Efficient MAC for Short Messages An Efficient MAC for Short Messages Sarvar Patel Bell Labs, Lucent Technologies 67 Whippany Rd, Whippany, NJ 07981, USA sarvar@bell-labs.com Abstract. HMAC is the internet standard for message authentication

More information

Information Security CS526

Information Security CS526 Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for

More information

Parallel Repetition for Leakage Resilience Amplification Revisited

Parallel Repetition for Leakage Resilience Amplification Revisited Parallel Repetition for Leakage Resilience Amplification Revisited Abhishek Jain 1 and Krzysztof Pietrzak 2 1 UCLA, abhishek@cs.ucla.edu 2 CWI, Amsterdam, pietrzak@cwi.nl Abstract. If a cryptographic primitive

More information

The Security of All-Or-Nothing Encryption: Protecting Against Exhaustive Key Search

The Security of All-Or-Nothing Encryption: Protecting Against Exhaustive Key Search The Security of All-Or-Nothing Encryption: Protecting Against Exhaustive Key Search Anand Desai Department of Computer Science & Engineering, University of California at San Diego, 9500 Gilman Drive, La

More information

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1 APPLICATIONS AND PROTOCOLS Mihir Bellare UCSD 1 Some applications and protocols Internet Casino Commitment Shared coin flips Threshold cryptography Forward security Program obfuscation Zero-knowledge Certified

More information

Plaintext Awareness via Key Registration

Plaintext Awareness via Key Registration Plaintext Awareness via Key Registration Jonathan Herzog CIS, TOC, CSAIL, MIT Plaintext Awareness via Key Registration p.1/38 Context of this work Originates from work on Dolev-Yao (DY) model Symbolic

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 4, 2017 CPSC 467, Lecture 11 1/39 ElGamal Cryptosystem Message Integrity and Authenticity Message authentication codes

More information

On the Strength of the Concatenated Hash Combiner when All the Hash Functions are Weak

On the Strength of the Concatenated Hash Combiner when All the Hash Functions are Weak On the Strength of the Concatenated Hash Combiner when All the Hash Functions are Weak Jonathan J. Hoch and Adi Shamir Department of Computer Science and Applied Mathematics, The Weizmann Institute of

More information

Brief Introduction to Provable Security

Brief Introduction to Provable Security Brief Introduction to Provable Security Michel Abdalla Département d Informatique, École normale supérieure michel.abdalla@ens.fr http://www.di.ens.fr/users/mabdalla 1 Introduction The primary goal of

More information

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm Mihir Bellare Chanathip Namprempre July 14, 2007 Abstract An authenticated encryption scheme is a symmetric

More information

REMOVE KEY ESCROW FROM THE IDENTITY-BASED ENCRYPTION SYSTEM

REMOVE KEY ESCROW FROM THE IDENTITY-BASED ENCRYPTION SYSTEM REMOVE KEY ESCROW FROM THE IDENTITY-BASED ENCRYPTION SYSTEM Zhaohui Cheng, Richard Comley Luminita Vasiu School of Computing Science, Middlesex University White Hart Lane, London N17 8HR, United Kingdom

More information

Formal Methods and Cryptography

Formal Methods and Cryptography Formal Methods and Cryptography Michael Backes 1, Birgit Pfitzmann 2, and Michael Waidner 3 1 Saarland University, Saarbrücken, Germany, backes@cs.uni-sb.de 2 IBM Research, Rueschlikon, Switzerland, bpf@zurich.ibm.com

More information

Feedback Week 4 - Problem Set

Feedback Week 4 - Problem Set 4/26/13 Homework Feedback Introduction to Cryptography Feedback Week 4 - Problem Set You submitted this homework on Mon 17 Dec 2012 11:40 PM GMT +0000. You got a score of 10.00 out of 10.00. Question 1

More information

Data Integrity. Modified by: Dr. Ramzi Saifan

Data Integrity. Modified by: Dr. Ramzi Saifan Data Integrity Modified by: Dr. Ramzi Saifan Encryption/Decryption Provides message confidentiality. Does it provide message authentication? 2 Message Authentication Bob receives a message m from Alice,

More information

Message Authentication ( 消息认证 )

Message Authentication ( 消息认证 ) Message Authentication ( 消息认证 ) Sheng Zhong Yuan Zhang Computer Science and Technology Department Nanjing University 2017 Fall Sheng Zhong, Yuan Zhang (CS@NJU) Message Authentication ( 消息认证 ) 2017 Fall

More information

Secure Multiparty Computation

Secure Multiparty Computation CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation

More information

Message authentication codes

Message authentication codes Message authentication codes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction security of MAC Constructions block cipher

More information

A systematic approach to eliminating the vulnerabilities in smart cards evaluation

A systematic approach to eliminating the vulnerabilities in smart cards evaluation A systematic approach to eliminating the vulnerabilities in smart cards evaluation Hongsong Shi, Jinping Gao, Chongbing Zhang hongsongshi@gmail.com China Information Technology Security Evaluation Center

More information

Permutation-based Authenticated Encryption

Permutation-based Authenticated Encryption Permutation-based Authenticated Encryption Gilles Van Assche 1 1 STMicroelectronics COST Training School on Symmetric Cryptography and Blockchain Torremolinos, Spain, February 2018 1 / 44 Outline 1 Why

More information

Efficient identity-based GQ multisignatures

Efficient identity-based GQ multisignatures Int. J. Inf. Secur. DOI 10.1007/s10207-008-0072-z REGULAR CONTRIBUTION Efficient identity-based GQ multisignatures Lein Harn Jian Ren Changlu Lin Springer-Verlag 2008 Abstract ISO/IEC 14888 specifies a

More information

Short Schnorr signatures require a hash function with more than just random-prefix resistance

Short Schnorr signatures require a hash function with more than just random-prefix resistance Short Schnorr signatures require a hash function with more than just random-prefix resistance Daniel R. L. Brown February 27, 2015 Abstract Neven, Smart and Warinschi (NSW) proved, in the generic group

More information