Efficient Mutual Data Authentication Using Manually Authenticated Strings
Cryptology ePrint Archive, Report 2005/424, 2005
Cited by 65 (7 self)
Solutions for an easy and secure setup of a wireless connection between two devices are urgently needed for WLAN, Wireless USB, Bluetooth and similar standards for short range wireless communication. All such key exchange protocols employ data authentication as an unavoidable subtask. As a solution, we propose an asymptotically optimal protocol family for data authentication that uses short manually authenticated out-of-band messages. Compared to previous articles by Vaudenay and Pasini the results of this paper are more general and based on weaker security assumptions. In addition to providing security proofs for our protocols, we focus also on implementation details and propose practically secure and efficient subprimitives for applications.
Bucket Hashing and its Application to Fast Message Authentication
1995
Cited by 51 (4 self)
We introduce a new technique for constructing a family of universal hash functions.
The Poly1305-AES message-authentication code
In Proc. FSE, 2005
Cited by 37 (12 self)
Poly1305-AES is a state-of-the-art message-authentication code suitable for a wide variety of applications. Poly1305-AES computes a 16-byte authenticator of a variable-length message, using a 16-byte AES key, a 16-byte additional key, and a 16-byte nonce. The security of Poly1305-AES is very close to the security of AES; the security gap is at most 14D⌈L/16⌉/2^106 if messages have at most L bytes, the attacker sees at most 2^64 authenticated messages, and the attacker attempts D forgeries. Poly1305-AES can be computed at extremely high speed: for example, fewer than 3.625(ℓ + 170) Athlon cycles for an ℓ-byte message. This speed is achieved without precomputation; consequently, 1000 keys can be handled simultaneously without cache misses. Special-purpose hardware can compute Poly1305-AES at even higher speed. Poly1305-AES is parallelizable, incremental, and not subject to any intellectual-property claims.
Robust fuzzy extractors and authenticated key agreement from close secrets
In Advances in Cryptology — Crypto 2006, volume 4117 of LNCS, 2006
Cited by 37 (16 self)
Consider two parties holding samples from correlated distributions W and W′, respectively, where these samples are within distance t of each other in some metric space. The parties wish to agree on a close-to-uniformly distributed secret key R by sending a single message over an insecure channel controlled by an all-powerful adversary who may read and modify anything sent over the channel. We consider both the keyless case, where the parties share no additional secret information, and the keyed case, where the parties share a long-term secret SKBSM that they can use to generate a sequence of session keys {R_j} using multiple pairs {(W_j, W′_j)}. The former has applications to, e.g., biometric authentication, while the latter arises in, e.g., the bounded-storage model with errors. We show solutions that improve upon previous work in several respects:
• The best prior solution for the keyless case with no errors (i.e., t = 0) requires the min-entropy of W to exceed 2n/3, where n is the bit-length of W. Our solution applies whenever the min-entropy of W exceeds the minimal threshold n/2, and yields a longer key.
• Previous solutions for the keyless case in the presence of errors (i.e., t > 0) required random oracles. We give the first constructions (for certain metrics) in the standard model.
• Previous solutions for the keyed case were stateful. We give the first stateless solution.
Floating-Point Arithmetic And Message Authentication
2000
Cited by 28 (8 self)
There is a well-known class of message authentication systems guaranteeing that attackers will have a negligible chance of successfully forging a message. This paper shows how one of these systems can hash messages at extremely high speed, much more quickly than previous systems at the same security level, using IEEE floating-point arithmetic. This paper also presents a survey of the literature in a unified mathematical framework.
Software performance of universal hash functions
In Advances in Cryptology — EUROCRYPT ’99, 1999
Cited by 26 (0 self)
This paper compares the parameter sizes and software performance of several recent constructions for universal hash functions: bucket hashing, polynomial hashing, Toeplitz hashing, division hashing, evaluation hashing, and MMH hashing. An objective comparison between these widely varying approaches is achieved by defining constructions that offer a comparable security level. It is also demonstrated how the security of these constructions compares favorably to existing MAC algorithms, the security of which is less understood.
Some New Results on Key Distribution Patterns and Broadcast Encryption
Designs, Codes and Cryptography, 1997
Cited by 25 (3 self)
This paper concerns methods by which a trusted authority can distribute keys and/or broadcast a message over a network, so that each member of a privileged subset of users can compute a specified key or decrypt the broadcast message. Moreover, this is done in such a way that no coalition is able to recover any information on a key or broadcast message they are not supposed to know. The problems are studied using the tools of information theory, so the security provided is unconditional (i.e., not based on any computational assumption). In a recent paper [14], Stinson described a method of constructing key predistribution schemes by combining Mitchell-Piper key distribution patterns with resilient functions; and also presented a construction method for broadcast encryption schemes that combines Fiat-Naor key predistribution schemes with ideal secret sharing schemes. In this paper, we further pursue these two themes, providing several nice applications of these techniques by using combin...
Key Preassigned Traceability Schemes for Broadcast Encryption (Extended Abstract)
1998
Cited by 23 (1 self)
D. R. Stinson and R. Wei, Department of Combinatorics and Optimization, University of Waterloo, Waterloo, Ontario N2L 3G1, Canada. May 19, 1998. 1 Introduction. Most networks can be thought of as broadcast networks, in that anyone connected to the network can access all the information that flows through it. In many situations, such as a pay-per-view television broadcast, the data is only available to authorized users. To prevent an unauthorized user from accessing the data, the trusted authority (TA) will encrypt the data and give the authorized users keys to decrypt it. Some unauthorized users might obtain some decryption keys from a group of one or more authorized users (called traitors). Then the unauthorized users can decrypt data that they are not entitled to. To prevent this, Chor, Fiat and Naor [5] devised a traitor tracing scheme, called a traceability scheme, which will reveal at least one traitor on the confiscation of a pirate decoder. This scheme was then generalized by S...
On the (Non)Universality of the One-Time Pad
In Proc. 43rd FOCS, 2002
Cited by 23 (12 self)
Randomization is vital in cryptography: secret keys should be randomly generated and most cryptographic primitives (e.g., encryption) must be probabilistic. As a common abstraction, it is assumed that there is a source of truly random bits available to all the participants of the system. While convenient, this assumption is often highly unrealistic, and cryptographic systems have to be built based on imperfect sources of randomness. Remarkably, this fundamental problem has received little or no attention so far, despite the fact that a related question of simulating probabilistic (BPP) algorithms with imperfect random sources has a long and rich history.
k-wise Independent Sample Spaces and Their Cryptologic Applications
1997
Cited by 22 (0 self)
An almost k-wise independent sample space is a small subset of m-bit sequences in which any k bits are "almost independent". We show that this idea has close relationships with useful cryptologic notions such as multiple authentication codes (multiple A-codes), almost strongly universal hash families and almost k-resilient functions. We use almost k-wise independent sample spaces to construct new efficient multiple A-codes such that the number of key bits grows linearly as a function of k (here k is the number of messages to be authenticated with a single key). This improves on the construction of Atici and Stinson [2], in which the number of key bits is Ω(k²). We also introduce the concept of ε-almost k-resilient functions and give a construction that has parameters superior to k-resilient functions. Finally, new bounds (necessary conditions) are derived for almost k-wise independent sample spaces, multiple A-codes and balanced ε-almost k-resilient functions.