The Poly1305-AES message-authentication code
In Proc. FSE, 2005
Cited by 37 (12 self)
Abstract. Poly1305-AES is a state-of-the-art message-authentication code suitable for a wide variety of applications. Poly1305-AES computes a 16-byte authenticator of a variable-length message, using a 16-byte AES key, a 16-byte additional key, and a 16-byte nonce. The security of Poly1305-AES is very close to the security of AES; the security gap is at most 14D⌈L/16⌉/2^106 if messages have at most L bytes, the attacker sees at most 2^64 authenticated messages, and the attacker attempts D forgeries. Poly1305-AES can be computed at extremely high speed: for example, fewer than 3.625(ℓ + 170) Athlon cycles for an ℓ-byte message. This speed is achieved without precomputation; consequently, 1000 keys can be handled simultaneously without cache misses. Special-purpose hardware can compute Poly1305-AES at even higher speed. Poly1305-AES is parallelizable, incremental, and not subject to any intellectual-property claims.
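The core of the authenticator described above, as an added example in pure Python (this is not code from the paper). The 16-byte additional key r is clamped and used to evaluate the message as a polynomial modulo 2^130 - 5; the 16-byte pad s is then added modulo 2^128. In Poly1305-AES that pad is AES_k(nonce); since the Python standard library has no AES, the pad is supplied directly here, which is exactly the r || s split RFC 8439 uses, so its known-answer vector applies. Function names (poly1305, poly1305_verify, forgery_bound) are this example's own.

```python
import hmac
from math import ceil

P = (1 << 130) - 5                                # the prime 2^130 - 5
R_CLAMP = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF      # clears 22 bits of r (no limb overflow in 32-bit math)


def poly1305(r_bytes: bytes, s_bytes: bytes, msg: bytes) -> bytes:
    """Return the 16-byte Poly1305 authenticator of msg under (r, s).

    r_bytes is the 16-byte "additional key" from the abstract; s_bytes is the
    16-byte pad that Poly1305-AES derives as AES_k(nonce) (given directly here).
    """
    assert len(r_bytes) == 16 and len(s_bytes) == 16
    r = int.from_bytes(r_bytes, "little") & R_CLAMP
    s = int.from_bytes(s_bytes, "little")
    acc = 0
    # Each 16-byte chunk c_i becomes the integer c_i || 0x01 (little-endian), so a
    # short final chunk cannot collide with a full chunk that ends in zero bytes.
    for i in range(0, len(msg), 16):
        chunk = msg[i:i + 16]
        n = int.from_bytes(chunk + b"\x01", "little")
        acc = (acc + n) * r % P                   # Horner step: acc = (acc + c_i) * r mod P
    tag = (acc + s) % (1 << 128)                  # add the one-time pad, drop the carry
    return tag.to_bytes(16, "little")


def poly1305_verify(r_bytes: bytes, s_bytes: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison, so a forger learns nothing from verification timing."""
    return hmac.compare_digest(poly1305(r_bytes, s_bytes, msg), tag)


def forgery_bound(max_len_bytes: int, attempts: int) -> float:
    """The abstract's bound on the attacker's added success probability:
    14 * D * ceil(L/16) / 2^106 for D forgery attempts and messages of at most L bytes."""
    return 14 * attempts * ceil(max_len_bytes / 16) / 2 ** 106


# Known-answer vector from RFC 8439 section 2.5.2: the first 16 key bytes are r, the last 16 are s.
RFC_KEY = bytes.fromhex("85d6be7857556d337f4452fe42d506a8" "0103808afb0db2fd4abff6af4149f51b")
RFC_MSG = b"Cryptographic Forum Research Group"

if __name__ == "__main__":
    r, s = RFC_KEY[:16], RFC_KEY[16:]
    tag = poly1305(r, s, RFC_MSG)
    print("tag      :", tag.hex())
    print("verify   :", poly1305_verify(r, s, RFC_MSG, tag))
    print("tampered :", poly1305_verify(r, s, RFC_MSG + b"!", tag))
    print("bound    :", forgery_bound(max_len_bytes=1024, attempts=1))
```

Because s is a one-time pad derived from the nonce, the same (k, nonce) must never authenticate two messages: with s cancelled out, the difference of two tags is a polynomial in r, and r can then be recovered.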
Message authentication on 64-bit architectures
In Selected Areas in Cryptography: 13th International Workshop, SAC 2006, 2006
Cited by 4 (3 self)
Abstract. This paper introduces VMAC, a message authentication algorithm (MAC) optimized for high performance in software on 64-bit architectures. On the Athlon 64 processor, VMAC authenticates 2KB cache-resident messages at a cost of about 0.5 CPU cycles per message byte (cpb) — significantly faster than other recent MAC schemes such as UMAC (1.0 cpb) and Poly1305 (3.1 cpb). VMAC is a MAC in the Wegman-Carter style, employing a “universal” hash function VHASH, which is fully developed in this paper. VHASH employs a three-stage hashing strategy, and each stage is developed with the goal of optimal performance in 64-bit environments.
A New Universal Hash Function and Other Cryptographic Algorithms Suitable for Resource Constrained Devices
Cited by 2 (2 self)
Abstract. A new multilinear universal hash family is described. Messages are sequences over a finite field F_q while keys are sequences over an extension field F_{q^n}. A linear map ψ from F_{q^n} to itself is used to compute the output digest. Of special interest is the case q = 2. For this case, we show that there is an efficient way to implement ψ using a tower field representation of F_{q^n}. Such a ψ corresponds to a word-oriented LFSR. We describe a method of combining the new universal hash function and a stream cipher with IV to obtain a MAC algorithm. Further, we extend the basic universal hash function to an invertible blockwise universal hash function. Following the Naor-Reingold approach, this is used to construct a tweakable enciphering scheme which uses a single layer of encryption and no finite field multiplications. From an efficiency viewpoint, the focus of all our constructions is small hardware and other resource-constrained applications. For such platforms, our constructions compare favourably to previous work.
Cycling Attacks on GCM, GHASH and Other Polynomial MACs and Hashes
Cited by 1 (1 self)
Abstract. The Galois/Counter Mode (GCM) of operation has been standardized by NIST to provide single-pass authenticated encryption. The GHASH authentication component of GCM belongs to a class of Wegman-Carter polynomial hashes that operate in the field GF(2^128). We present message forgery attacks that are made possible by its extremely smooth-order multiplicative group, which splits into 512 subgroups. GCM uses the same block cipher key K both to encrypt data and to derive the generator H of the authentication polynomial for GHASH. In present literature, only the trivial weak key H = 0 has been considered. We show that GHASH has much wider classes of weak keys in its 512 multiplicative subgroups, analyze some of their properties, and give experimental results on AES-GCM weak key search. Our attacks can be used not only to bypass message authentication with garbage but also to target specific plaintext bits if a polynomial MAC is used in conjunction with a stream cipher. These attacks can also be applied with varying efficiency to other polynomial hashes and MACs, depending on their field properties. Our findings show that especially the use of short polynomial-evaluation MACs should be avoided if the underlying field has a smooth multiplicative order.
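The cycling forgery the abstract describes, as an added example (not code from the paper). GHASH evaluates Y = Σ X_i · H^(m-i+1), so if H lies in a subgroup of order d, blocks whose indices are congruent modulo d are multiplied by the same power of H and can be swapped without changing the tag. The code builds GF(2^128) with GCM's reduction polynomial x^128 + x^7 + x^2 + x + 1 in plain polynomial basis (GCM's bit-reflected byte encoding changes only the mapping of bytes to field elements, not the group structure), finds an element of order 3 from the factorization of 2^128 - 1, and shows the swap preserving the hash. Function names and the sample blocks are this example's own.

```python
# GF(2^128) with reduction polynomial x^128 + x^7 + x^2 + x + 1 (the GCM field).
REDUCER = (1 << 128) | 0x87

# 2^128 - 1 is squarefree with nine prime factors, hence the multiplicative
# group has 2^9 = 512 subgroups, one per divisor of the group order.
PRIME_FACTORS = [3, 5, 17, 257, 641, 65537, 274177, 6700417, 67280421310721]
GROUP_ORDER = (1 << 128) - 1


def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements: shift-and-add, reducing whenever bit 128 appears."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:
            a ^= REDUCER
    return r


def gf_pow(a: int, e: int) -> int:
    """Square-and-multiply exponentiation in the field."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def ghash(h: int, blocks: list) -> int:
    """Polynomial hash Y = sum over i of X_i * H^(m-i+1), as GHASH computes it (Horner form)."""
    y = 0
    for x in blocks:
        y = gf_mul(y ^ x, h)
    return y


def multiplicative_order(h: int) -> int:
    """Exact order of h, stripping each prime from the group order while h^(order/p) == 1."""
    order = GROUP_ORDER
    for p in PRIME_FACTORS:
        while order % p == 0 and gf_pow(h, order // p) == 1:
            order //= p
    return order


def element_of_order(d: int) -> int:
    """Deterministically find a weak hash key H whose order is exactly the divisor d."""
    assert GROUP_ORDER % d == 0
    g = 2                                   # try the field element x, then x+1, ...
    while True:
        h = gf_pow(g, GROUP_ORDER // d)     # order of h divides d
        if multiplicative_order(h) == d:
            return h
        g += 1


def cycling_forgery(blocks: list, d: int, i: int) -> list:
    """Swap blocks i and i+d. If ord(H) divides d, the two share the same power of H
    and GHASH of the forged sequence equals GHASH of the original."""
    forged = list(blocks)
    forged[i], forged[i + d] = forged[i + d], forged[i]
    return forged


# Constructed sample input: five "ciphertext" blocks followed by a GCM-style length block
# (5 * 128 bits); a real attacker would swap ciphertext blocks of a captured message.
SAMPLE_BLOCKS = [int.from_bytes(bytes([b] * 16), "big") for b in (0x11, 0x22, 0x33, 0x44, 0x55)] + [5 * 128]

if __name__ == "__main__":
    weak_h = element_of_order(3)
    forged = cycling_forgery(SAMPLE_BLOCKS, 3, 0)
    print("ord(H) =", multiplicative_order(weak_h))
    print("tag unchanged under weak H:", ghash(weak_h, SAMPLE_BLOCKS) == ghash(weak_h, forged))
    strong_h = 0x0123456789ABCDEF0123456789ABCDEF     # an arbitrary constant, not in a tiny subgroup
    print("tag unchanged under other H:", ghash(strong_h, SAMPLE_BLOCKS) == ghash(strong_h, forged))
```

In GCM the attacker does not choose H (it is AES_K(0^128)), so the attack is a search: submit a forgery that assumes ord(H) | d, and a success reveals that H lies in that subgroup. multiplicative_order above is the check an implementer can run offline on a candidate H to see how small its subgroup is.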
Extending the Salsa20 nonce
Abstract. This paper introduces the XSalsa20 stream cipher. XSalsa20 is based upon the Salsa20 stream cipher but has a much longer nonce: 192 bits instead of 64 bits. XSalsa20 has exactly the same streaming speed as Salsa20, and its extra nonce-setup cost is slightly smaller than the cost of generating one block of Salsa20 output. This paper proves that XSalsa20 is secure if Salsa20 is secure: any successful fast attack on XSalsa20 can be converted into a successful fast attack on Salsa20.
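The nonce extension described above, as an added example in pure Python (not code from the paper or from NaCl). The nonce-setup step is the paper's HSalsa20: the Salsa20 rounds are run on a state holding the key and the first 16 nonce bytes, the feed-forward addition is skipped (which is why it costs slightly less than one Salsa20 block), and eight of the resulting words become a fresh 32-byte key for ordinary Salsa20 under the remaining 8 nonce bytes. The example assumes the 32-byte-key layout with the "expand 32-byte k" constants; function names and the sample key, nonce and message in the usage are this example's own.

```python
import struct

MASK = 0xFFFFFFFF
# "expand 32-byte k": the Salsa20 constants for 256-bit keys, at state words 0, 5, 10, 15.
SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def _quarterround(s: list, a: int, b: int, c: int, d: int) -> None:
    s[b] ^= _rotl((s[a] + s[d]) & MASK, 7)
    s[c] ^= _rotl((s[b] + s[a]) & MASK, 9)
    s[d] ^= _rotl((s[c] + s[b]) & MASK, 13)
    s[a] ^= _rotl((s[d] + s[c]) & MASK, 18)


def _rounds(state: list, rounds: int = 20) -> list:
    """Salsa20 double rounds (column round, then row round), without the final feed-forward."""
    s = list(state)
    for _ in range(rounds // 2):
        for a, b, c, d in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11)):
            _quarterround(s, a, b, c, d)
        for a, b, c, d in ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):
            _quarterround(s, a, b, c, d)
    return s


def _state(key: bytes, input16: bytes) -> list:
    """Lay out constants, key words and the 16 input bytes (nonce||counter for Salsa20,
    or the 16-byte nonce for HSalsa20) in the 4x4 word state."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<4I", input16)
    return [SIGMA[0], k[0], k[1], k[2], k[3], SIGMA[1], n[0], n[1],
            n[2], n[3], SIGMA[2], k[4], k[5], k[6], k[7], SIGMA[3]]


def salsa20_block(key: bytes, nonce8: bytes, counter: int) -> bytes:
    """One 64-byte Salsa20/20 keystream block: rounds plus feed-forward of the input state."""
    st = _state(key, nonce8 + struct.pack("<Q", counter))
    out = _rounds(st)
    return struct.pack("<16I", *((x + y) & MASK for x, y in zip(out, st)))


def hsalsa20(key: bytes, nonce16: bytes) -> bytes:
    """Nonce setup: 20 rounds with no feed-forward; words 0,5,10,15,6,7,8,9 form the subkey."""
    assert len(key) == 32 and len(nonce16) == 16
    out = _rounds(_state(key, nonce16))
    return struct.pack("<8I", *(out[i] for i in (0, 5, 10, 15, 6, 7, 8, 9)))


def salsa20_xor(key: bytes, nonce8: bytes, data: bytes) -> bytes:
    """XOR data with the Salsa20 keystream (encryption and decryption are the same call)."""
    out = bytearray()
    for counter, i in enumerate(range(0, len(data), 64)):
        ks = salsa20_block(key, nonce8, counter)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)


def xsalsa20_xor(key: bytes, nonce24: bytes, data: bytes) -> bytes:
    """XSalsa20: subkey from the first 16 nonce bytes, then Salsa20 under the last 8."""
    assert len(key) == 32 and len(nonce24) == 24
    subkey = hsalsa20(key, nonce24[:16])
    return salsa20_xor(subkey, nonce24[16:], data)


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    key = bytes(range(32))
    nonce = bytes(range(100, 124))
    msg = b"XSalsa20 keeps Salsa20's streaming speed; only nonce setup is added." * 2
    ct = xsalsa20_xor(key, nonce, msg)
    print(ct.hex()[:64], "...")
    print("roundtrip:", xsalsa20_xor(key, nonce, ct) == msg)
```

The practical point of the longer nonce: with 192 bits, a nonce can be chosen at random per message with negligible collision probability, whereas a 64-bit Salsa20 nonce must be managed as a counter to avoid keystream reuse.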
unknown title
Abstract. It is well known that, inside any cryptographic protocol, a uniform random function can be safely replaced with a uniform random injective function: as long as the number of function queries is small, the attacker's success probability does not noticeably increase. This paper presents a quantitatively stronger theorem that handles a larger number of function queries. This quantitative improvement can be viewed as a generalization of the author's recent improvement in security bounds for Wegman-Carter-Shoup authenticators. 1 Introduction. Let p be a uniform random permutation of S = {0, 1, ..., 255}^16, and let f be a uniform random function from S to S. A cryptographic protocol using p is almost as hard to break as the same cryptographic protocol using
New combinatorial bounds for universal hash functions
Using combinatorial analysis, we introduce a new lower bound for the key length in an almost universal hash function, which is tighter than another similar bound derived from a well-studied equivalence between almost universal hashes and error-correcting codes. To the best of our knowledge, this is the first time that combinatorial analysis has been demonstrated to yield a better universal hash bound than the use of the relation, and we will explain why there is a mismatch. We then compare the new bound against known bounds for this and other families of universal hashes and discover a crucial value of the hash collision probability, which not only represents a threshold in the behaviour of bounds but also quantifies the Wegman-Carter effect. 1 Introduction and
Authentication protocols in pervasive computing
The popularity of personal computing devices (e.g. smart cards) exposes users to risks, notably identity theft, and creates new requirements for secure communication. A recently proposed approach to creating secure communication is to use human trust and human interactions. These approaches potentially eliminate the need for passwords as in Bluetooth, shared secrets or trusted parties, which are often too complex and expensive to use in portable devices. In this new technology, handheld devices exchange data (e.g. payment, heart rates or public keys) over some medium (e.g. WiFi) and then display a short and non-secret digest of the protocol’s run that the devices’ human owners manually compare to ensure they agree on the same data, i.e. human interactions are used to prevent fraud. In this thesis, we present several new protocols of this type which are designed to optimise the work required of humans to achieve a given level of security. We discover that the design of these protocols is influenced by several principles, including the ideas of commitment without knowledge and separation of security concerns, where random and cryptographic attacks should be tackled separately.
PatentFree AuthenticatedEncryption As Fast As OCB
Abstract—This paper presents an efficient authenticated encryption construction based on a universal hash function and block cipher. Encryption is achieved via counter mode while authentication uses the Wegman-Carter paradigm. A single block-cipher key is used for both operations. The construction is instantiated using the hash functions of UMAC and VMAC, resulting in authenticated encryption with peak performance about ten percent slower than encryption alone. Keywords: Authenticated encryption, block-cipher mode-of-operation, AEAD, UMAC, VMAC.
unknown title
A cryptographic network file system has to guarantee confidentiality and integrity of its files, and it also has to support random access. For this purpose, existing designs mainly rely on an (often ad-hoc) combination of a Merkle hash tree with a block cipher mode of encryption. In this paper, we propose a new design based on a MAC tree construction which uses a universal-hash-based stateful MAC. This new design enables a standard-model security proof and also better performance compared with a Merkle hash tree. We formally define the security notions for file encryption and prove that our scheme provides both confidentiality and integrity. We implement our scheme in coreFS, a user-level network file system, and evaluate the performance in comparison with the standard design. Experimental results confirm that our construction provides integrity protection at a smaller cost.