Results 1  10
of
59
Practical Byzantine Fault Tolerance
"... This paper describes a new replication algorithm that is able to tolerate Byzantine faults. We believe that Byzantinefaulttolerant algorithms will be increasingly important in the future because malicious attacks and software errors are increasingly common and can cause faulty nodes to exhibit arbi ..."
Abstract

Cited by 544 (20 self)
 Add to MetaCart
This paper describes a new replication algorithm that is able to tolerate Byzantine faults. We believe that Byzantinefaulttolerant algorithms will be increasingly important in the future because malicious attacks and software errors are increasingly common and can cause faulty nodes to exhibit arbitrary behavior. Whereas previous algorithms assumed a synchronous system or were too slow to be used in practice, the algorithm described in this paper is practical: it works in asynchronous environments like the Internet and incorporates several important optimizations that improve the response time of previous algorithms by more than an order of magnitude. We implemented a Byzantinefaulttolerant NFS service using our algorithm and measured its performance. The results show that our service is only 3 % slower than a standard unreplicated NFS.
UMAC: Fast and Secure Message Authentication
, 1999
"... Abstract. We describe a message authentication algorithm, UMAC, which can authenticate messages (in software, on contemporary machines) roughly an order of magnitude faster than current practice (e.g., HMACSHA1), and about twice as fast as times previously reported for the universal hashfunction f ..."
Abstract

Cited by 111 (14 self)
 Add to MetaCart
Abstract. We describe a message authentication algorithm, UMAC, which can authenticate messages (in software, on contemporary machines) roughly an order of magnitude faster than current practice (e.g., HMACSHA1), and about twice as fast as times previously reported for the universal hashfunction family MMH. To achieve such speeds, UMAC uses a new universal hashfunction family, NH, and a design which allows effective exploitation of SIMD parallelism. The “cryptographic ” work of UMAC is done using standard primitives of the user’s choice, such as a block cipher or cryptographic hash function; no new heuristic primitives are developed here. Instead, the security of UMAC is rigorously proven, in the sense of giving exact and quantitatively strong results which demonstrate an inability to forge UMACauthenticated messages assuming an inability to break the underlying cryptographic primitive. Unlike conventional, inherently serial MACs, UMAC is parallelizable, and will have everfaster implementation speeds as machines offer up increasing amounts of parallelism. We envision UMAC as a practical algorithm for nextgeneration message authentication. 1
Pseudorandom functions revisited: The cascade construction and its concrete security
 Proceedings of the 37th Symposium on Foundations of Computer Science, IEEE
, 1996
"... Abstract Pseudorandom function families are a powerful cryptographic primitive, yielding, in particular, simple solutions for the main problems in private key cryptography. Their existence based on general assumptions (namely, the existence of oneway functions) has been established.In this work we ..."
Abstract

Cited by 92 (20 self)
 Add to MetaCart
Abstract Pseudorandom function families are a powerful cryptographic primitive, yielding, in particular, simple solutions for the main problems in private key cryptography. Their existence based on general assumptions (namely, the existence of oneway functions) has been established.In this work we investigate new ways of designing pseudorandom function families. The goal is to find constructions that are both efficient and secure, and thus eventually to bring thebenefits of pseudorandom functions to practice.
On Fast and Provably Secure Message Authentication Based on Universal Hashing
 In Advances in Cryptology – CRYPTO ’96
, 1996
"... There are wellknown techniques for message authentication using universal hash functions. This approach seems very promising, as it provides schemes that are both efficient and provably secure under reasonable assumptions. This paper contributes to this line of research in two ways. First, it analy ..."
Abstract

Cited by 67 (0 self)
 Add to MetaCart
There are wellknown techniques for message authentication using universal hash functions. This approach seems very promising, as it provides schemes that are both efficient and provably secure under reasonable assumptions. This paper contributes to this line of research in two ways. First, it analyzes the basic construction and some variants under more realistic and practical assumptions. Second, it shows how these schemes can be efficiently implemented, and it reports on the results of empirical performance tests that demonstrate that these schemes are competitive with other commonly employed schemes whose security is less wellestablished. 1 Introduction Message Authentication. Message authentication schemes are an important security tool. As more and more data is being transmitted over networks, the need for secure, highspeed, softwarebased message authentication is becoming more acute. The setting for message authentication is the following. Two parties A and B agree on a secre...
Message Authentication using Hash Functions The HMAC Construction
 CryptoBytes
, 1996
"... Introduction Two parties communicating across an insecure channel need a method by which any attempt to modify the information sent by one to the other, or fake its origin, is detected. Most commonly such a mechanism is based on a shared key between the parties, and in this setting is usually calle ..."
Abstract

Cited by 46 (1 self)
 Add to MetaCart
Introduction Two parties communicating across an insecure channel need a method by which any attempt to modify the information sent by one to the other, or fake its origin, is detected. Most commonly such a mechanism is based on a shared key between the parties, and in this setting is usually called a MAC, or Message Authentication Code. (Other terms include Integrity Check Value or Cryptographic Checksum). The sender appends to the data D an authentication tag computed as a function of the data and the shared key. At reception, the receiver recomputes the authentication tag on the received message using the shared key, and accepts the data as valid only if this value matches the tag attached to the received message. The most common approach is to construct MACs from block ciphers like DES. Of such constructions Department of Computer Science & Engineering, Mail Code 0114, University of California at San Diego, 9500 Gilman Driv
On the security of two MAC algorithms
 In Advances in Cryptology — EUROCRYPT ’96
, 1996
"... We consider the security of two message authentication code �MAC � algorithms� the MD5�based envelope method �RFC 1828� � and the banking standard MAA �ISO 8731�2�. Customization of a general MAC forgery attack allows improvements in both cases. For the envelope method � the forgery attack is extend ..."
Abstract

Cited by 28 (4 self)
 Add to MetaCart
We consider the security of two message authentication code �MAC � algorithms� the MD5�based envelope method �RFC 1828� � and the banking standard MAA �ISO 8731�2�. Customization of a general MAC forgery attack allows improvements in both cases. For the envelope method � the forgery attack is extended to allow key recovery� for example � a 128�bit key can be recovered using 2 67 known text�MAC pairs and time plus 2 13 chosen texts. For MAA � internal collisions are found with fewer and shorter messages than previously by exploiting the algorithm�s internal structure � the number of chosen texts �each 256 Kbyte long � for a forgery can be reduced by two orders of magnitude � e.g. from 2 24 to 2 17. Moreover � certain internal collisions allow key recovery � and weak keys for MAA are identi�ed. 1
On the Security of Randomized CBCMAC Beyond the Birthday Paradox Limit  A New Construction
 Fast Software Encryption ’02, Lecture Notes in Computer Science
, 2001
"... . In this paper, we study the security of randomized CBC{MACs and propose a new construction that resists birthday paradox attacks and provably reaches full security. The proof is done in a new security model that may be of independent interest to study the security of randomized functions. The size ..."
Abstract

Cited by 27 (1 self)
 Add to MetaCart
. In this paper, we study the security of randomized CBC{MACs and propose a new construction that resists birthday paradox attacks and provably reaches full security. The proof is done in a new security model that may be of independent interest to study the security of randomized functions. The size of the MAC tags in this construction is optimal, i.e., exactly twice the size of the block cipher. Up to a constant, the security of the proposed randomized CBC{MAC using an n{bit block cipher is the same as the security of the usual encrypted CBC{MAC using a 2n{bit block cipher. Moreover, this construction adds a negligible computational overhead compared to the cost of a plain, nonrandomized CBC{MAC. 1
Software performance of universal hash functions
 In Advances in Cryptology — EUROCRYPT ’99
, 1999
"... Abstract. This paper compares the parameters sizes and software performance of several recent constructions for universal hash functions: bucket hashing, polynomial hashing, Toeplitz hashing, division hashing, evaluation hashing, and MMH hashing. An objective comparison between these widely varying ..."
Abstract

Cited by 26 (0 self)
 Add to MetaCart
Abstract. This paper compares the parameters sizes and software performance of several recent constructions for universal hash functions: bucket hashing, polynomial hashing, Toeplitz hashing, division hashing, evaluation hashing, and MMH hashing. An objective comparison between these widely varying approaches is achieved by defining constructions that offer a comparable security level. It is also demonstrated how the security of these constructions compares favorably to existing MAC algorithms, the security of which is less understood. 1
Constructing VILMACs from FILMACs: Message authentication under weakened assumptions
, 1999
"... ..."
Authenticated Byzantine Fault Tolerance without PublicKey Cryptography
, 1999
"... We have developed a practical statemachine replication algorithm that tolerates Byzantine faults: it works correctly in asynchronous systems like the Internet and it incorporates several optimizations that improve the response time of previous algorithms by more than an order of magnitude. This pap ..."
Abstract

Cited by 25 (1 self)
 Add to MetaCart
We have developed a practical statemachine replication algorithm that tolerates Byzantine faults: it works correctly in asynchronous systems like the Internet and it incorporates several optimizations that improve the response time of previous algorithms by more than an order of magnitude. This paper describes the most important of these optimizations. It explains how to modify the base algorithm to eliminate the major performance bottleneck in previous systems  publickey cryptography. The optimization replaces publickey signatures by vectors of message authentication codes during normal operation, and it overcomes a fundamental limitation on the power of message authentication codes relative to digital signatures  the inability to prove that a message is authentic to a third party. As a result, authentication is more than two orders of magnitude faster while providing the same level of security.