Results 1-10 of 51
Efficient Mutual Data Authentication Using Manually Authenticated Strings. Cryptology ePrint Archive, Report 2005/424, 2005
Abstract

Cited by 80 (7 self)
Solutions for an easy and secure setup of a wireless connection between two devices are urgently needed for WLAN, Wireless USB, Bluetooth and similar standards for short range wireless communication. All such key exchange protocols employ data authentication as an unavoidable subtask. As a solution, we propose an asymptotically optimal protocol family for data authentication that uses short manually authenticated out-of-band messages. Compared to previous articles by Vaudenay and Pasini the results of this paper are more general and based on weaker security assumptions. In addition to providing security proofs for our protocols, we focus also on implementation details and propose practically secure and efficient subprimitives for applications.
Robust fuzzy extractors and authenticated key agreement from close secrets. In Advances in Cryptology — Crypto 2006, volume 4117 of LNCS, 2006
Abstract

Cited by 68 (19 self)
Consider two parties holding samples from correlated distributions W and W′, respectively, where these samples are within distance t of each other in some metric space. The parties wish to agree on a close-to-uniformly distributed secret key R by sending a single message over an insecure channel controlled by an all-powerful adversary who may read and modify anything sent over the channel. We consider both the keyless case, where the parties share no additional secret information, and the keyed case, where the parties share a long-term secret SK_BSM that they can use to generate a sequence of session keys {R_j} using multiple pairs {(W_j, W′_j)}. The former has applications to, e.g., biometric authentication, while the latter arises in, e.g., the bounded-storage model with errors. We show solutions that improve upon previous work in several respects:
• The best prior solution for the keyless case with no errors (i.e., t = 0) requires the min-entropy of W to exceed 2n/3, where n is the bit-length of W. Our solution applies whenever the min-entropy of W exceeds the minimal threshold n/2, and yields a longer key.
• Previous solutions for the keyless case in the presence of errors (i.e., t > 0) required random oracles. We give the first constructions (for certain metrics) in the standard model.
• Previous solutions for the keyed case were stateful. We give the first stateless solution.
Bucket Hashing and its Application to Fast Message Authentication, 1995
Abstract

Cited by 63 (4 self)
We introduce a new technique for constructing a family of universal hash functions.
The Poly1305-AES message-authentication code. In Proc. FSE, 2005
Abstract

Cited by 53 (13 self)
Poly1305-AES is a state-of-the-art message-authentication code suitable for a wide variety of applications. Poly1305-AES computes a 16-byte authenticator of a variable-length message, using a 16-byte AES key, a 16-byte additional key, and a 16-byte nonce. The security of Poly1305-AES is very close to the security of AES; the security gap is at most 14D⌈L/16⌉/2^106 if messages have at most L bytes, the attacker sees at most 2^64 authenticated messages, and the attacker attempts D forgeries. Poly1305-AES can be computed at extremely high speed: for example, fewer than 3.625(ℓ + 170) Athlon cycles for an ℓ-byte message. This speed is achieved without precomputation; consequently, 1000 keys can be handled simultaneously without cache misses. Special-purpose hardware can compute Poly1305-AES at even higher speed. Poly1305-AES is parallelizable, incremental, and not subject to any intellectual-property claims.
On the (Non)Universality of the One-Time Pad. In Proc. 43rd FOCS, 2002
Abstract

Cited by 34 (13 self)
Randomization is vital in cryptography: secret keys should be randomly generated and most cryptographic primitives (e.g., encryption) must be probabilistic. As a common abstraction, it is assumed that there is a source of truly random bits available to all the participants of the system. While convenient, this assumption is often highly unrealistic, and cryptographic systems have to be built based on imperfect sources of randomness. Remarkably, this fundamental problem has received little or no attention so far, despite the fact that a related question of simulating probabilistic (BPP) algorithms with imperfect random sources has a long and rich history.
Floating-Point Arithmetic And Message Authentication, 2000
Abstract

Cited by 31 (9 self)
There is a well-known class of message authentication systems guaranteeing that attackers will have a negligible chance of successfully forging a message. This paper shows how one of these systems can hash messages at extremely high speed, much more quickly than previous systems at the same security level, using IEEE floating-point arithmetic. This paper also presents a survey of the literature in a unified mathematical framework.
Software performance of universal hash functions. In Advances in Cryptology — EUROCRYPT ’99, 1999
Abstract

Cited by 31 (0 self)
This paper compares the parameter sizes and software performance of several recent constructions for universal hash functions: bucket hashing, polynomial hashing, Toeplitz hashing, division hashing, evaluation hashing, and MMH hashing. An objective comparison between these widely varying approaches is achieved by defining constructions that offer a comparable security level. It is also demonstrated how the security of these constructions compares favorably to existing MAC algorithms, the security of which is less understood.
Some New Results on Key Distribution Patterns and Broadcast Encryption. Designs, Codes and Cryptography, 1997
Abstract

Cited by 30 (3 self)
This paper concerns methods by which a trusted authority can distribute keys and/or broadcast a message over a network, so that each member of a privileged subset of users can compute a specified key or decrypt the broadcast message. Moreover, this is done in such a way that no coalition is able to recover any information on a key or broadcast message they are not supposed to know. The problems are studied using the tools of information theory, so the security provided is unconditional (i.e., not based on any computational assumption). In a recent paper [14], Stinson described a method of constructing key predistribution schemes by combining Mitchell-Piper key distribution patterns with resilient functions; and also presented a construction method for broadcast encryption schemes that combines Fiat-Naor key predistribution schemes with ideal secret sharing schemes. In this paper, we further pursue these two themes, providing several nice applications of these techniques by using combin...
On the Connections Between Universal Hashing, Combinatorial Designs and Error-Correcting Codes. In Proc. Congressus Numerantium 114, 1996
Abstract

Cited by 29 (2 self)
In this primarily expository paper, we discuss the connections between two popular and useful tools in theoretical computer science, namely, universal hashing and pairwise independent random variables; and classical combinatorial structures such as error-correcting codes, balanced incomplete block designs, difference matrices and orthogonal arrays. 1 Introduction. The concept known as "universal hashing" was invented by Carter and Wegman [5] in 1979. In [29, p. 18], Avi Wigderson characterizes universal hashing as being a tool which "should belong to the fundamental bag of tricks of every computer scientist". This is no exaggeration, as there are probably well in excess of fifty papers in theoretical computer science that employ universal hashing as an important tool. Several of the most attractive applications are outlined in the lecture notes [29]. A closely related topic goes by several names: "strongly universal hashing" [27], "two-point based sampling" [6], and "pairwise indep...
k-wise Independent Sample Spaces and Their Cryptologic Applications, 1997
Abstract

Cited by 26 (1 self)
An almost k-wise independent sample space is a small subset of m-bit sequences in which any k bits are "almost independent". We show that this idea has close relationships with useful cryptologic notions such as multiple authentication codes (multiple A-codes), almost strongly universal hash families and almost k-resilient functions. We use almost k-wise independent sample spaces to construct new efficient multiple A-codes such that the number of key bits grows linearly as a function of k (here k is the number of messages to be authenticated with a single key). This improves on the construction of Atici and Stinson [2], in which the number of key bits is Ω(k^2). We also introduce the concept of ε-almost k-resilient functions and give a construction that has parameters superior to k-resilient functions. Finally, new bounds (necessary conditions) are derived for almost k-wise independent sample spaces, multiple A-codes and balanced ε-almost k-resilient functions. 1 Intro...