Oorschot. MdxMAC and Building Fast MACs from Hash Functions. In Advances in Cryptology, CRYPTO '95, 1995.
Bucket Hashing and its Application to Fast Message Authentication, 1995
Abstract
We introduce a new technique for constructing a family of universal hash functions.
Cited by 51 (4 self)
Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors, 2008
Abstract
Consider an abstract storage device Σ(G) that can hold a single element x from a fixed, publicly known finite group G. Storage is private in the sense that an adversary does not have read access to Σ(G) at all. However, Σ(G) is non-robust in the sense that the adversary can modify its contents by adding some offset Δ ∈ G. Due to the privacy of the storage device, the value Δ can only depend on an adversary's a priori knowledge of x. We introduce a new primitive called an algebraic manipulation detection (AMD) code, which encodes a source s into a value x stored on Σ(G) so that any tampering by an adversary will be detected, except with a small error probability δ. We give a nearly optimal construction of AMD codes, which can flexibly accommodate arbitrary choices for the length of the source s and security level δ. We use this construction in two applications:
- We show how to efficiently convert any linear secret sharing scheme into a robust secret sharing scheme, which ensures that no unqualified subset of players can modify their shares and cause the reconstruction of some value s' ≠ s.
- We show how to build nearly optimal robust fuzzy extractors for several natural metrics. Robust fuzzy extractors enable one to reliably extract and later recover random keys from noisy and non-uniform secrets, such as biometrics, by relying only on non-robust public storage. In the past, such constructions were known only in the random oracle model, or required the entropy rate of the secret to be greater than half. Our construction relies on a randomly chosen common reference string (CRS) available to all parties.
Cited by 27 (3 self)
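As an added worked example (my own code, not the paper's), here is a systematic AMD code of the polynomial kind described in that paper, instantiated over a prime field: the source s is stored as (s, x, f(x, s)) with a fresh random x, and a tamperer who can only add an offset Δ to the stored tuple is caught unless x happens to be a root of a nonzero polynomial of degree at most d+1, so the undetected-tampering probability is bounded by (d+1)/|F|. The field size P = 65537, the source length d = 3, the offsets tried and the sample source values are my assumptions for the demonstration.

```python
"""Added example (not code from the paper): a systematic polynomial AMD code over a
prime field GF(P), following the construction summarised in the abstract above:
    E(s) = (s, x, f(x, s)),  f(x, s) = x^(d+2) + sum_{i=1..d} s_i * x^i,  x random in GF(P).
Any additive offset Delta != 0 applied to the stored codeword goes undetected only if x is
a root of a nonzero polynomial of degree <= d+1, so the failure probability is <= (d+1)/P.
P, d and the sample source values are my own choices for the demonstration."""
import secrets

P = 65537  # prime field size (assumption); d + 2 must not be divisible by P, true for small d


def f(x, s):
    """Tag polynomial f(x, s) evaluated in GF(P)."""
    d = len(s)
    acc = pow(x, d + 2, P)
    for i, s_i in enumerate(s, start=1):
        acc = (acc + s_i * pow(x, i, P)) % P
    return acc


def encode(s, x=None):
    """Encode source vector s (entries in GF(P)); x is drawn fresh unless given (for tests)."""
    s = [v % P for v in s]
    if x is None:
        x = secrets.randbelow(P)
    return tuple(s) + (x, f(x, s))


def decode(codeword, d):
    """Return the source vector, or None if the stored tag does not match (tampering)."""
    s, x, tag = list(codeword[:d]), codeword[d], codeword[d + 1]
    return s if f(x, s) == tag else None


def add_offset(codeword, delta):
    """The adversary's only power: add a fixed offset Delta in the group GF(P)^(d+2)."""
    return tuple((c + dd) % P for c, dd in zip(codeword, delta))


def undetected_fraction(s, delta, trials):
    """Estimate Pr_x[decode(E(s) + Delta) is not None] over fresh random x for a fixed Delta.
    The AMD bound says this is at most (d+1)/P for every nonzero Delta."""
    d = len(s)
    misses = 0
    for _ in range(trials):
        if decode(add_offset(encode(s), delta), d) is not None:
            misses += 1
    return misses / trials


if __name__ == "__main__":
    s = [7, 11, 13]            # constructed sample source, d = 3
    delta = (1, 0, 0, 0, 0)    # flip s_1 only; x and the tag are left alone
    print("round trip:", decode(encode(s), 3))
    print("undetected fraction:", undetected_fraction(s, delta, 2000), "bound:", 4 / P)
```

The check is entirely on the receiver's side: there is no key, and the adversary may know s and the encoding function; what protects the tag is only that x is private and fresh, which is exactly the storage model in the abstract.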
NEON crypto
Abstract
NEON is a vector instruction set included in a large fraction of new ARM-based tablets and smartphones. This paper shows that NEON supports high-security cryptography at surprisingly high speeds; normally data arrives at lower speeds, giving the CPU time to handle tasks other than cryptography. In particular, this paper explains how to use a single 800 MHz Cortex-A8 core to compute the existing NaCl suite of high-security cryptographic primitives at the following speeds: 5.60 cycles per byte (1.14 Gbps) to encrypt using a shared secret key, 2.30 cycles per byte (2.78 Gbps) to authenticate using a shared secret key, 527102 cycles (1517/second) to compute a shared secret key for a new public key, 650102 cycles (1230/second) to verify a signature, and 368212 cycles (2172/second) to sign a message. These speeds make no use of secret branches and no use of secret memory addresses.
Cited by 11 (4 self)
Universal Hashing and Geometric Codes
Designs, Codes and Cryptography, 1997
Abstract
We describe a new application of algebraic coding theory to universal hashing and authentication without secrecy. This makes it possible to use the hitherto sharpest weapon of coding theory, the construction of codes from algebraic curves. We show in particular how codes derived from Artin-Schreier curves, Hermitian curves and Suzuki curves yield classes of universal hash functions which are substantially better than those known before.
Cited by 8 (0 self)
Short-output universal hash functions and their use in fast and secure message authentication. Cryptology ePrint Archive: Report 2011/116. http://eprint.iacr.org
Abstract
Message authentication codes usually require the underlying universal hash functions to have a long output so that the probability of successfully forging messages is low enough for cryptographic purposes. To take advantage of fast operation on word-size parameters in modern processors, long-output universal hashing schemes can be securely constructed by concatenating several instances of short-output primitives. In this paper, we describe a new method for short-output universal hash functions termed digest() suitable for very fast software implementation and applicable to secure message authentication. The method possesses a higher level of security relative to other well-studied short-output universal hashing schemes. Suppose that the universal hash output is fixed at one word of b bits; then the collision probability of ours is 2^{1-b} compared to 6 × 2^{-b} of MMH, whereas 2^{-b/2} of NH within UMAC is far away from optimality. In addition to message authentication codes, we show how short-output universal hashing is applicable to manual authentication protocols where universal hash keys are used in a very different and interesting way.
Cited by 1 (0 self)
Generating short-output digest functions, in preparation
Abstract
This paper forms the sixth chapter of my thesis, and reports my recent research result towards the first goal of my proposal: "Efficient and secure digest functions". This paper has also been submitted to AFRICACRYPT 2010 in January 2010. This paper introduces two related methods of generating a new cryptographic primitive termed digest which has similarities to ε-balanced and almost universal hash functions. Digest functions, however, typically have a very short output, e.g. 16-64 bits, and hence they are not required to resist collision and inversion attacks. They also have the potential to be very fast to compute relative to long-output hash functions. The first construction uses Toeplitz matrix multiplication, which is similar to a Toeplitz-based universal hashing algorithm of Krawczyk, whose security requirements can be reduced to the underlying ε-biased sequences of random variables. The second is based on integer multiplications which have, perhaps surprisingly, a similar structure to Toeplitz matrix multiplication. However, due to the complication of carry bits, a rigorous mathematical proof of the second construction cannot be provided. We instead exploit the short output of digest functions to carry out statistical analysis, including chi-square tests, quantile-quantile plots and maximum median calculation, of digest collision and distribution test results to argue for the security of the second construction.
Cited by 1 (0 self)
Cryptanalysis of the Gemmell and Naor Multi-round Authentication Protocol, 1994
Abstract
Gemmell and Naor proposed a new protocol for the authentication of long messages which was based on block codes and which used a transmission channel k times. This multi-round authentication makes it possible to limit the key size independently of the message length.
Cited by 1 (0 self)
On the construction of digest functions for manual authentication protocols
Abstract
A digest function is a sort of universal hash that takes a key and a message as its inputs. This paper will study these functions' properties and design in the context of their application in manual authentication technology. Frequently a digest function needs to have a very short output (e.g. 16–32 bits) and no key is used to digest more than one message. These together with other characteristics represent a new kind of game played between an attacker and honest parties, which is very different from other authentication mechanisms, notably message authentication codes or MACs. Short digests can be constructed directly or by "condensing" longer functions. We offer an improved method for the latter but concentrate mainly on direct constructions. We propose a digest algorithm which uses word multiplications to obtain a very fast implementation. This digest scheme enjoys strong and provable security properties, namely for a single-word or b-bit output digest function the collision probability is ε = 2^{1-b} on equal- and arbitrary-length inputs. The scheme is based on the multiplicative universal hash function of Dietzfelbinger et al., and it improves on several well-studied and efficient universal hashing algorithms, including MMH and NH.
Direct Proof of Security of Wegman-Carter Authentication with Partially Known Key
Abstract
Information-theoretically secure (ITS) authentication is needed in Quantum Key Distribution (QKD). In this paper, we study security of an ITS authentication scheme proposed by Wegman & Carter, in the case of partially known authentication key. This scheme uses a new authentication key in each authentication attempt, to select a hash function from an Almost Strongly Universal_2 hash function family. The partial knowledge of the attacker is measured as the trace distance between the authentication key distribution and the uniform distribution; this is the usual measure in QKD. We provide direct proofs of security of the scheme, when using partially known key, first in the information-theoretic setting and then in terms of witness indistinguishability as used in the Universal Composability (UC) framework. We find that if the authentication procedure has a failure probability ε and the authentication key has an ε' trace distance to the uniform, then under ITS, the adversary's success probability conditioned on an authentic message-tag pair is only bounded by ε + |T| ε', where |T| is the size of the set of tags. Furthermore, the trace distance between the authentication key distribution and the uniform increases to |T| ε' after having seen an authentic message-tag pair. Despite this, we are able to prove directly that the authenticated channel is indistinguishable from an (ideal) authentic channel (the desired functionality), except with probability less than ε + ε'. This proves that the scheme is (ε + ε')-UC-secure, without using the composability theorem.
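Added example serving the two abstracts above, the digest construction built on the multiplicative universal hash of Dietzfelbinger et al. and the Wegman-Carter scheme that selects a fresh hash function per message; it is my own illustration, not code from either paper. It implements the multiply-shift hash on single W-bit words, whose collision bound 2^{1-b} is the figure the digest abstracts quote, and the multiply-add-shift variant that Dietzfelbinger showed to be strongly universal, used as a one-message Wegman-Carter tag with a key that is never reused. W = 32, the output widths b and the sample messages are my choices; the arbitrary-length digest constructions from the papers are not reproduced, so messages here are restricted to one W-bit word.

```python
"""Added example (not the papers' code): integer-multiplication universal hashing of the
Dietzfelbinger et al. kind on single W-bit words, plus a Wegman-Carter tag that draws a
fresh key for every message. Word size W, output width b and the sample messages are my
own choices; messages are restricted to one W-bit word, so the multi-word schemes in the
abstracts are not reproduced here."""
import secrets

W = 32                          # word size (assumption)
MASK_W = (1 << W) - 1
MASK_2W = (1 << (2 * W)) - 1


def multiply_shift(a, x, b):
    """Almost-universal hash h_a(x) = (a*x mod 2^W) >> (W-b) with a odd.
    For x != y, Pr_a[h_a(x) == h_a(y)] <= 2^(1-b): the bound quoted in the abstracts."""
    if not (a & 1):
        raise ValueError("multiplier must be odd")
    return ((a * x) & MASK_W) >> (W - b)


def multiply_add_shift(a, c, x, b):
    """Strongly universal variant: ((a*x + c) mod 2^(2W)) >> (2W-b), a and c uniform in [0, 2^(2W)).
    This is the kind of family a Wegman-Carter tag needs: outputs are uniform and pairwise independent."""
    return ((a * x + c) & MASK_2W) >> (2 * W - b)


def collision_fraction(x, y, b, trials):
    """Empirical collision rate of multiply_shift over random odd keys; compare with 2^(1-b)."""
    hits = sum(multiply_shift(a, x, b) == multiply_shift(a, y, b)
               for a in (secrets.randbits(W) | 1 for _ in range(trials)))
    return hits / trials


def wc_keygen():
    """One-time Wegman-Carter key: selects one function from the strongly universal family."""
    return secrets.randbits(2 * W), secrets.randbits(2 * W)


def wc_tag(key, m, b):
    """Tag a single-word message m with a key that must not be reused for another message."""
    a, c = key
    return multiply_add_shift(a, c, m & MASK_W, b)


def wc_verify(key, m, tag, b):
    return wc_tag(key, m, b) == tag


def replay_forgery_fraction(m, m_forged, b, trials):
    """Attacker sees (m, tag) under a fresh key and replays the same tag on m_forged.
    With a strongly universal family and a never-reused key this succeeds w.p. 2^(-b)."""
    wins = 0
    for _ in range(trials):
        key = wc_keygen()
        if wc_verify(key, m_forged, wc_tag(key, m, b), b):
            wins += 1
    return wins / trials


if __name__ == "__main__":
    print("collision rate for 1 vs 2 at b=8:", collision_fraction(1, 2, 8, 4000),
          "bound:", 2 ** (1 - 8))
    key = wc_keygen()
    t = wc_tag(key, 42, 16)
    print("verify ok:", wc_verify(key, 42, t, 16), "forged ok:", wc_verify(key, 43, t, 16))
    print("replay forgery rate at b=8:", replay_forgery_fraction(42, 43, 8, 4000),
          "bound:", 2 ** -8)
```

The forgery bound holds only while every key is used once, which is the "no key is used to digest more than one message" condition of the digest abstract and the per-attempt key consumption the QKD abstract describes; in a real protocol the key stream that feeds wc_keygen is the resource being protected, and reusing (a, c) across two messages hands the attacker two linear equations in the key.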