Results 1 - 10 of 14
Chosen-Ciphertext Security from Identity-Based Encryption
 Adv. in Cryptology — Eurocrypt 2004, LNCS
, 2004
Cited by 259 (13 self)
We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes secure against adaptive chosen-ciphertext attacks) based on any identity-based encryption (IBE) scheme. Our constructions have ramifications of both theoretical and practical interest. First, our schemes give a new paradigm for achieving CCA-security; this paradigm avoids “proofs of well-formedness” that have been shown to underlie previous constructions. Second, instantiating our construction using known IBE constructions we obtain CCA-secure encryption schemes whose performance is competitive with the most efficient CCA-secure schemes to date. Our techniques extend naturally to give an efficient method for securing also IBE schemes (even hierarchical ones) against adaptive chosen-ciphertext attacks. Coupled with previous work, this gives the first efficient constructions of CCA-secure IBE schemes.
Robust fuzzy extractors and authenticated key agreement from close secrets
 In Advances in Cryptology — Crypto 2006, volume 4117 of LNCS
, 2006
Cited by 62 (19 self)
Consider two parties holding samples from correlated distributions W and W′, respectively, where these samples are within distance t of each other in some metric space. The parties wish to agree on a close-to-uniformly distributed secret key R by sending a single message over an insecure channel controlled by an all-powerful adversary who may read and modify anything sent over the channel. We consider both the keyless case, where the parties share no additional secret information, and the keyed case, where the parties share a long-term secret SK_BSM that they can use to generate a sequence of session keys {R_j} using multiple pairs {(W_j, W′_j)}. The former has applications to, e.g., biometric authentication, while the latter arises in, e.g., the bounded-storage model with errors. We show solutions that improve upon previous work in several respects:
• The best prior solution for the keyless case with no errors (i.e., t = 0) requires the min-entropy of W to exceed 2n/3, where n is the bit-length of W. Our solution applies whenever the min-entropy of W exceeds the minimal threshold n/2, and yields a longer key.
• Previous solutions for the keyless case in the presence of errors (i.e., t > 0) required random oracles. We give the first constructions (for certain metrics) in the standard model.
• Previous solutions for the keyed case were stateful. We give the first stateless solution.
Randomness Extraction and Key Derivation Using the CBC, Cascade and HMAC Modes
 In Franklin [14]
Cited by 48 (5 self)
We study the suitability of common pseudorandomness modes associated with cryptographic hash functions and block ciphers (CBC-MAC, Cascade and HMAC) for the task of “randomness extraction”, namely, the derivation of keying material from semi-secret and/or semi-random sources. Important applications for such extractors include the derivation of strong cryptographic keys from non-uniform sources of randomness (for example, to extract a seed for a pseudorandom generator from a weak source of physical or digital noise), and the derivation of pseudorandom keys from a Diffie-Hellman value. Extractors are closely related in their applications to pseudorandom functions and thus it is attractive to (re)use the common pseudorandom modes as randomness extractors. Yet, the crucial difference between pseudorandom generation and randomness extraction is that the former uses random secret keys while the latter uses random but known keys. We show that under a variety of assumptions on the underlying primitives (block ciphers and compression functions), ranging from ideal randomness assumptions to realistic universal-hashing properties, these modes induce good extractors. Hence, these schemes represent a more practical alternative to combinatorial extractors (that are seldom used in practice), and a better-analyzed alternative to the common practice of using SHA-1 or MD5 (as a single unkeyed function) for randomness extraction. In particular, our results serve to validate the method of key extraction and key derivation from Diffie-Hellman values used in the IKE (IPsec's Key Exchange) protocol.
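The split the abstract describes, as an added example that is not code from the paper or from this listing: HMAC keyed with a salt that may be public extracts a near-uniform pseudorandom key (PRK) from a non-uniform Diffie-Hellman value, and HMAC under that now-secret PRK expands it into session keys. This is the extract-then-expand shape later standardized as HKDF (RFC 5869), which is why the functions below reproduce that RFC's test vectors. The 127-bit toy Diffie-Hellman group, the salt bytes and the context string are constructed here for illustration only; none of them are parameters from the paper, and the group is far too small for real use.

```python
import hashlib
import hmac
import secrets


def hmac_extract(salt, ikm, hash_name="sha256"):
    """Extraction step: HMAC keyed with the salt, which is allowed to be
    public (sent in the clear or even fixed), applied to the non-uniform
    input keying material. An empty salt becomes HashLen zero bytes."""
    if not salt:
        salt = bytes(hashlib.new(hash_name).digest_size)
    return hmac.new(salt, ikm, hash_name).digest()


def hmac_expand(prk, info, length, hash_name="sha256"):
    """Expansion step: HMAC as a PRF under the secret, uniform PRK.
    T(i) = HMAC(PRK, T(i-1) | info | i), concatenated and truncated."""
    hlen = hashlib.new(hash_name).digest_size
    if not 0 < length <= 255 * hlen:
        raise ValueError("length must be between 1 and 255*HashLen bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


# Toy Diffie-Hellman over the Mersenne prime 2^127 - 1 (constructed for the
# example; insecure size). It exists only to produce a realistic-looking
# non-uniform shared value that must not be used as a key directly.
TOY_P = (1 << 127) - 1
TOY_G = 3


def toy_dh_keypair():
    x = secrets.randbelow(TOY_P - 2) + 1
    return x, pow(TOY_G, x, TOY_P)


def dh_to_bytes(z):
    """Fixed-width encoding of the group element (16 bytes for a 127-bit p)."""
    return z.to_bytes((TOY_P.bit_length() + 7) // 8, "big")


def derive_session_keys(my_priv, peer_pub, salt, context):
    """Both sides compute g^ab, extract a PRK with the shared public salt, and
    expand it into a 32-byte encryption key and a 32-byte MAC key bound to
    the context string."""
    z = pow(peer_pub, my_priv, TOY_P)
    prk = hmac_extract(salt, dh_to_bytes(z))
    okm = hmac_expand(prk, context, 64)
    return okm[:32], okm[32:]


if __name__ == "__main__":
    a_priv, a_pub = toy_dh_keypair()
    b_priv, b_pub = toy_dh_keypair()
    salt = b"public-salt-sent-in-clear"     # constructed example value
    ctx = b"example protocol v1 keys"       # constructed example value
    print(derive_session_keys(a_priv, b_pub, salt, ctx) ==
          derive_session_keys(b_priv, a_pub, salt, ctx))
```

The point the abstract makes is visible in the two keys: `hmac_extract` is keyed with something the adversary may know, so its only job is to smooth out the structure of the DH value, while `hmac_expand` is keyed with the secret PRK and is used as an ordinary PRF.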
Floating-Point Arithmetic And Message Authentication
, 2000
Cited by 31 (9 self)
There is a well-known class of message authentication systems guaranteeing that attackers will have a negligible chance of successfully forging a message. This paper shows how one of these systems can hash messages at extremely high speed, much more quickly than previous systems at the same security level, using IEEE floating-point arithmetic. This paper also presents a survey of the literature in a unified mathematical framework.
Universal Hashing and Geometric Codes
 Designs, Codes and Cryptography
, 1997
Cited by 8 (0 self)
We describe a new application of algebraic coding theory to universal hashing and authentication without secrecy. This permits making use of the hitherto sharpest weapon of coding theory, the construction of codes from algebraic curves. We show in particular how codes derived from Artin-Schreier curves, Hermitian curves and Suzuki curves yield classes of universal hash functions which are substantially better than those known before.
Message Authentication on 64-bit Architectures
 In Selected Areas in Cryptography: 13th International Workshop, SAC 2006
, 2006
Cited by 6 (3 self)
This paper introduces VMAC, a message authentication algorithm (MAC) optimized for high performance in software on 64-bit architectures. On the Athlon 64 processor, VMAC authenticates 2KB cache-resident messages at a cost of about 0.5 CPU cycles per message byte (cpb), significantly faster than other recent MAC schemes such as UMAC (1.0 cpb) and Poly1305 (3.1 cpb). VMAC is a MAC in the Wegman-Carter style, employing a “universal” hash function VHASH, which is fully developed in this paper. VHASH employs a three-stage hashing strategy, and each stage is developed with the goal of optimal performance in 64-bit environments.
VHASH Security
, 2007
Cited by 3 (0 self)
VHASH is an almost-delta-universal hash family, designed for exceptional performance on computers that multiply 64-bit quantities efficiently. Changes to the algorithm detailed in this note improve both security and performance over the original 2006 version. Speed is improved through a newly analyzed hash construction which allows the use of lower-degree polynomials. Claimed security is higher due primarily to improved analysis and a change in prime modulus. The result is a hash family capable of hashing cache-resident one kilobyte messages on the Intel Core 2 architecture at a rate of about one-half processor cycle per byte of message with a collision probability of less than 1/2^61.
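A Wegman-Carter MAC built on a polynomial almost-delta-universal hash, as an added example illustrating the two VMAC/VHASH abstracts above. It is not VMAC, VHASH or any code from those papers: the prime 2^61 - 1, the 56-bit block size, the HMAC-SHA256 pad standing in for a block-cipher PRF, and the sample messages are all choices made here. Besides tagging and verifying, the block checks the delta-universal bound exhaustively over a small prime, and shows the caveat every Wegman-Carter construction carries: a nonce reused under one key cancels the pad, and for one-block messages that hands the hash key straight to the attacker.

```python
import hmac
import secrets

P = (1 << 61) - 1       # prime modulus for the polynomial hash (illustrative choice)
BLOCK_BYTES = 7         # 56-bit blocks, so every block value is below P


def blocks_of(msg):
    """Split msg into 56-bit integers (zero-padding the last block) and
    prepend a length block so that messages of different lengths never map
    to the same polynomial."""
    padded = msg + b"\x00" * (-len(msg) % BLOCK_BYTES)
    body = [int.from_bytes(padded[i:i + BLOCK_BYTES], "big")
            for i in range(0, len(padded), BLOCK_BYTES)]
    return [len(msg)] + body


def poly_hash_blocks(k, blocks, p):
    """Horner evaluation of h_k = b_1*k^L + b_2*k^(L-1) + ... + b_L*k mod p.
    For distinct inputs of at most L blocks, h_k(a) - h_k(b) is a nonzero
    polynomial in k of degree <= L, so it equals any fixed delta for at most
    L of the p keys: the family is (L/p)-almost-delta-universal."""
    acc = 0
    for b in blocks:
        acc = ((acc + b) * k) % p
    return acc


def poly_hash(k, msg):
    return poly_hash_blocks(k, blocks_of(msg), P)


def max_delta_collisions(blocks_a, blocks_b, p):
    """Exhaustive check of the bound for a small prime p: for every delta,
    count the keys with h_k(a) - h_k(b) == delta; the largest count must not
    exceed the number of blocks."""
    counts = {}
    for k in range(p):
        d = (poly_hash_blocks(k, blocks_a, p) - poly_hash_blocks(k, blocks_b, p)) % p
        counts[d] = counts.get(d, 0) + 1
    return max(counts.values())


def keygen():
    """Hash key in [1, P) plus a 32-byte PRF key."""
    return secrets.randbelow(P - 1) + 1, secrets.token_bytes(32)


def prf_mask(prf_key, nonce):
    """Per-nonce pad in Z_P. HMAC-SHA256 stands in for the block-cipher PRF a
    deployed scheme would use; reducing 256 bits mod a 61-bit prime leaves a
    bias of roughly 2^-195, negligible here."""
    return int.from_bytes(hmac.new(prf_key, nonce, "sha256").digest(), "big") % P


def wc_tag(hash_key, prf_key, nonce, msg):
    """Wegman-Carter tag: universal hash of the message plus a fresh pad."""
    return (poly_hash(hash_key, msg) + prf_mask(prf_key, nonce)) % P


def wc_verify(hash_key, prf_key, nonce, msg, tag):
    if not 0 <= tag < P:
        return False
    expected = wc_tag(hash_key, prf_key, nonce, msg).to_bytes(8, "big")
    return hmac.compare_digest(expected, tag.to_bytes(8, "big"))


def recover_hash_key_from_nonce_reuse(m1, t1, m2, t2):
    """Nonce-reuse caveat: two tags under one nonce share the pad, so
    t1 - t2 = h_k(m1) - h_k(m2). For one-block messages of equal length that
    difference is (b1 - b2) * k, and k falls out with one modular inverse.
    (Longer messages leave a low-degree polynomial in k to solve instead.)"""
    b1, b2 = blocks_of(m1)[1], blocks_of(m2)[1]
    if len(m1) != len(m2) or not 0 < len(m1) <= BLOCK_BYTES or b1 == b2:
        raise ValueError("demo expects two distinct one-block messages of equal length")
    return ((t1 - t2) * pow((b1 - b2) % P, -1, P)) % P


def forge_tag(hash_key, m1, t1, m3):
    """With the hash key known, the pad hidden in t1 is reused for any m3."""
    return (t1 - poly_hash(hash_key, m1) + poly_hash(hash_key, m3)) % P


if __name__ == "__main__":
    hk, pk = keygen()
    nonce = b"nonce-0001"                            # constructed example value
    m1, m2, m3 = b"pay 1$", b"pay 9$", b"pay 9999$"  # constructed example messages
    t1, t2 = wc_tag(hk, pk, nonce, m1), wc_tag(hk, pk, nonce, m2)  # same nonce twice
    k = recover_hash_key_from_nonce_reuse(m1, t1, m2, t2)
    print("key recovered:", k == hk,
          "forgery accepted:", wc_verify(hk, pk, nonce, m3, forge_tag(k, m1, t1, m3)))
```

The universal-hash key never needs to change between messages; what must be fresh per message is the nonce that selects the pad, and the forgery above is the cost of getting that wrong. The exhaustive check in `max_delta_collisions` is only feasible for a toy prime, but the same degree argument gives the L/P bound at the real modulus.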
Authentication Codes and Algebraic Curves
Cited by 1 (0 self)
We survey a recent application of algebraic curves over finite fields to the constructions of authentication codes.
Cryptographic Primitives for Information Authentication - State of the Art
This paper describes the state of the art for cryptographic primitives that are used for protecting the authenticity of information: cryptographic hash functions and digital signature schemes; the first class can be divided into Manipulation Detection Codes (MDCs, also known as one-way and collision resistant hash functions) and Message Authentication Codes (or MACs). The theoretical background is sketched, but most attention is paid to an overview of the large number of practical constructions for hash functions and to the recent developments in their cryptanalysis. It is also explained to what extent the security of these primitives can be reduced in a provable way to realistic assumptions.