MDxMAC and Building Fast MACs from Hash Functions
In Crypto '95, 1995
Cited by 78 (6 self)
We consider the security of message authentication code (MAC) algorithms, and the construction of MACs from fast hash functions. A new forgery attack applicable to all iterated MAC algorithms is described, the first known such attack requiring fewer operations than exhaustive key search. Existing methods for constructing MACs from hash functions, including the secret prefix, secret suffix, and envelope methods, are shown to be unsatisfactory. Motivated by the absence of a secure, fast MAC algorithm not based on encryption, a new generic construction (MDxMAC) is proposed for transforming any secure hash function of the MD4 family into a secure MAC of equal or smaller bit length and comparable speed. 1 Introduction Hash functions play a fundamental role in modern cryptography. One main application is their use in conjunction with digital signature schemes; another is in conventional techniques for message authentication. In the latter, it is preferable that a hash function take as a d...
Bucket Hashing and its Application to Fast Message Authentication
1995
Cited by 51 (4 self)
We introduce a new technique for constructing a family of universal hash functions.
Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors
2008
Cited by 25 (3 self)
Consider an abstract storage device Σ(G) that can hold a single element x from a fixed, publicly known finite group G. Storage is private in the sense that an adversary does not have read access to Σ(G) at all. However, Σ(G) is non-robust in the sense that the adversary can modify its contents by adding some offset ∆ ∈ G. Due to the privacy of the storage device, the value ∆ can only depend on an adversary's a priori knowledge of x. We introduce a new primitive called an algebraic manipulation detection (AMD) code, which encodes a source s into a value x stored on Σ(G) so that any tampering by an adversary will be detected, except with a small error probability δ. We give a nearly optimal construction of AMD codes, which can flexibly accommodate arbitrary choices for the length of the source s and security level δ. We use this construction in two applications: (1) we show how to efficiently convert any linear secret sharing scheme into a robust secret sharing scheme, which ensures that no unqualified subset of players can modify their shares and cause the reconstruction of some value s′ ≠ s; (2) we show how to build nearly optimal robust fuzzy extractors for several natural metrics. Robust fuzzy extractors enable one to reliably extract and later recover random keys from noisy and nonuniform secrets, such as biometrics, by relying only on non-robust public storage. In the past, such constructions were known only in the random oracle model, or required the entropy rate of the secret to be greater than half. Our construction relies on a randomly chosen common reference string (CRS) available to all parties.
NEON crypto
Cited by 11 (4 self)
NEON is a vector instruction set included in a large fraction of new ARM-based tablets and smartphones. This paper shows that NEON supports high-security cryptography at surprisingly high speeds; normally data arrives at lower speeds, giving the CPU time to handle tasks other than cryptography. In particular, this paper explains how to use a single 800 MHz Cortex-A8 core to compute the existing NaCl suite of high-security cryptographic primitives at the following speeds: 5.60 cycles per byte (1.14 Gbps) to encrypt using a shared secret key, 2.30 cycles per byte (2.78 Gbps) to authenticate using a shared secret key, 527102 cycles (1517/second) to compute a shared secret key for a new public key, 650102 cycles (1230/second) to verify a signature, and 368212 cycles (2172/second) to sign a message. These speeds make no use of secret branches and no use of secret memory addresses.
Universal Hashing and Geometric Codes
Designs, Codes and Cryptography, 1997
Cited by 8 (0 self)
We describe a new application of algebraic coding theory to universal hashing and authentication without secrecy. This permits making use of the hitherto sharpest weapon of coding theory, the construction of codes from algebraic curves. We show in particular how codes derived from Artin-Schreier curves, Hermitian curves and Suzuki curves yield classes of universal hash functions which are substantially better than those known before.
Generating short-output digest functions (in preparation)
Cited by 1 (0 self)
This paper forms the sixth chapter of my thesis, and reports my recent research result towards the first goal of my proposal: "Efficient and secure digest functions". This paper has also been submitted to AFRICACRYPT 2010 in January 2010. This paper introduces two related methods of generating a new cryptographic primitive termed digest which has similarities to ɛ-balanced and almost universal hash functions. Digest functions, however, typically have a very short output, e.g. 16–64 bits, and hence they are not required to resist collision and inversion attacks. They also have the potential to be very fast to compute relative to long-output hash functions. The first construction uses Toeplitz matrix multiplication, which is similar to a Toeplitz-based universal hashing algorithm of Krawczyk, whose security requirements can be reduced to the underlying ɛ-biased sequences of random variables. The second is based on integer multiplications which have, perhaps surprisingly, a similar structure to Toeplitz matrix multiplication. However, due to the complication of carry bits, a rigorous mathematical proof of the second construction cannot be provided. We instead exploit the short output of digest functions to carry out statistical analysis, including chi-square tests, quantile-quantile plots and maximum median calculation, of digest collision and distribution test results to argue for the security of the second construction.
Cryptanalysis of the Gemmell and Naor Multiround Authentication Protocol
1994
Cited by 1 (0 self)
Gemmell and Naor proposed a new protocol for the authentication of long messages which was based on block codes and which used a transmission channel k times. This multiround authentication makes it possible to limit the key size independently of the message length.
Authentication protocols in pervasive computing
The popularity of personal computing devices (e.g. smart cards) exposes users to risks, notably identity theft, and creates new requirements for secure communication. A recently proposed approach to creating secure communication is to use human trust and human interactions. These approaches potentially eliminate the need for passwords as in Bluetooth, shared secrets or trusted parties, which are often too complex and expensive to use in portable devices. In this new technology, handheld devices exchange data (e.g. payment, heart rates or public keys) over some medium (e.g. WiFi) and then display a short and non-secret digest of the protocol's run that the devices' human owners manually compare to ensure they agree on the same data, i.e. human interactions are used to prevent fraud. In this thesis, we present several new protocols of this type which are designed to optimise the work required of humans to achieve a given level of security. We discover that the design of these protocols is influenced by several principles, including the ideas of commitment without knowledge and separation of security concerns, where random and cryptographic attacks should be tackled separately.
A new bound for l-wise almost universal hash functions
Computing Science Group
Using the pigeonhole principle, we derive a new bound for the key length in an l-wise almost universal hash function where the multicollision or l-collision probability is bounded above by ɛ ∈ [0, 1]. The important features of this bound are (1) it decreases very slowly as l increases, and (2) the key length grows at least linearly with the logarithm of the message length. To our knowledge, this is the first almost universal hash bound for any integer l ≥ 2. This work arises from the use of l-wise almost universal hash functions in manual authentication protocols.
On the construction of digest functions for manual authentication protocols
A digest function is a sort of universal hash that takes a key and a message as its inputs. This paper will study these functions' properties and design in the context of their application in manual authentication technology. Frequently a digest function needs to have a very short output (e.g. 16–32 bits) and no key is used to digest more than one message. These together with other characteristics represent a new kind of game played between an attacker and honest parties, which is very different from other authentication mechanisms, notably message authentication codes or MACs. Short digests can be constructed directly or by "condensing" longer functions. We offer an improved method for the latter but concentrate mainly on direct constructions. We propose a digest algorithm which uses word multiplications to obtain a very fast implementation. This digest scheme enjoys strong and provable security properties, namely for a single-word or b-bit output digest function the collision probability is ɛ = 2^(1−b) on equal- and arbitrary-length inputs. The scheme is based on the multiplicative universal hash function of Dietzfelbinger et al., and it improves on several well-studied and efficient universal hashing algorithms, including MMH and NH.