Bucket Hashing and its Application to Fast Message Authentication, 1995
Cited by 48 (4 self)
We introduce a new technique for constructing a family of universal hash functions.
Universal Hashing and Authentication Codes, 1991
Cited by 48 (1 self)
unconditionally secure authentication codes without secrecy. This idea is most useful when the number of authenticators is exponentially small compared to the number of possible source states (plaintext messages). We formally define some new classes of hash functions and then prove some new bounds and give some general constructions for these classes of hash functions. Then we discuss the implications to authentication codes.
On Diffusing Updates in a Byzantine Environment
In Proceedings of the 18th IEEE Symposium on Reliable Distributed Systems, 1999
Cited by 27 (5 self)
We study how to efficiently diffuse updates to a large distributed system of data replicas, some of which may exhibit arbitrary (Byzantine) failures. We assume that strictly fewer than t replicas fail, and that each update is initially received by at least t correct replicas. The goal is to diffuse each update to all correct replicas while ensuring that correct replicas accept no updates generated spuriously by faulty replicas. To achieve reliable diffusion, each correct replica accepts an update only after receiving it from at least t others. We provide the first analysis of epidemic-style protocols for such environments. This analysis is fundamentally different from known analyses for the benign case due to our treatment of fully Byzantine failures---which, among other things, precludes the use of digital signatures for authenticating forwarded updates. We propose two epidemic-style diffusion algorithms and two measures that characterize the efficiency of diffusion algorithms in general. We characterize both of our algorithms according to these measures, and also prove lower bounds with regards to these measures that show that our algorithms are close to optimal.
Applications of Combinatorial Designs to Communications, Cryptography, and Networking, 1999
Cited by 23 (2 self)
... In this paper, we focus on another collection of recent applications in the general area of communications, including cryptography and networking. Applications have been chosen to represent those in which design theory plays a useful, and sometimes central, role. Moreover, applications have been chosen to reflect in addition the genesis of new and interesting problems in design theory in order to treat the practical concerns. Of many candidates, thirteen applications areas have been included. They are as follows:
New results on multi-receiver authentication codes
Advances in Cryptology -- EUROCRYPT '98, LNCS, 1998
Cited by 20 (0 self)
Multi-receiver authentication is an extension of traditional point-to-point message authentication in which a sender broadcasts a single authenticated message such that all the receivers can independently verify the authenticity of the message, and malicious groups of up to a given size of receivers can not successfully impersonate the transmitter, or substitute a transmitted message. This paper presents some new results on unconditionally secure multi-receiver authentication codes. First we generalize a polynomial construction due to Desmedt, Frankel and Yung, to allow multiple messages be authenticated with each key. Second, we propose a new flexible construction for multi-receiver A-code by combining an A-code and an (n, m, k)-cover-free family. Finally, we introduce the model of multi-receiver A-code with dynamic sender and present an efficient construction for that.
Keywords: Authentication code, Multi-receiver authentication code.
Practical Approaches to Attaining Security Against Adaptively Chosen Ciphertext Attacks
In Advances in Cryptology–Crypto ’92, 1992
Cited by 20 (2 self)
This paper presents three methods for strengthening public key cryptosystems in such a way that they become secure against adaptively chosen ciphertext attacks. In an adaptively chosen ciphertext attack, an attacker can query the deciphering algorithm with any ciphertexts, except for the exact object ciphertext to be cryptanalyzed. The first strengthening method is based on the use of one-way hash functions, the second on the use of universal hash functions and the third on the use of digital signature schemes. Each method is illustrated by an example of a public key cryptosystem based on the intractability of computing discrete logarithms in finite fields. Two other issues, namely applications of the methods to public key cryptosystems based on other intractable problems and enhancement of information authentication capability to the cryptosystems, are also discussed.
Diffusion without False Rumors: On Propagating Updates in a Byzantine Environment
Theoretical Computer Science, 2003
Cited by 16 (2 self)
We study how to efficiently diffuse updates to a large distributed system of data replicas, some of which may exhibit arbitrary (Byzantine) failures. We assume that strictly fewer than t replicas fail, and that each update is initially received by at least t correct replicas. The goal is to diffuse each update to all correct replicas while ensuring that correct replicas accept no updates generated spuriously by faulty replicas. To achieve this, each correct replica further propagates an update only after receiving it from at least t others. In this way, no correct replica will ever propagate or accept an update that only faulty replicas introduce, since it will receive that update from only the t − 1 faulty replicas.
Reliable Communication over Partially Authenticated Networks
Theoretical Computer Science, 1998
Cited by 11 (4 self)
Reliable communication between parties in a network is a basic requirement for executing any protocol. In this work, we consider the effect on reliable communication when some pairs of parties have common authentication keys. The pairs sharing keys define a natural "authentication graph", which may be quite different from the "communication graph" of the network. We characterize when reliable communication is possible in terms of these two graphs, focusing on the very strong setting of a Byzantine adversary with unlimited computational resources.
Key Words: Reliable Communication, Private Communication, Authentication Keys, Graph Connectivity, Byzantine Failures.
1 Introduction
Suppose that some processors are connected by a network of reliable channels. All of the processors cooperate to execute some protocol, but some of them are maliciously faulty. Dolev [4] and Dolev et al. [5] proved that if there are t faulty processors, then every pair of processors can communicate reliably if...
Codes for Interactive Authentication, 1998
Cited by 11 (1 self)
An authentication protocol is a procedure by which an informant tries to convey n bits of information, which we call an input message, to a recipient. An intruder, I, controls the network over which the informant and the recipient talk and may change any message before it reaches its destination. If the protocol has security p, then the recipient must detect this cheating with probability at least 1 - p. This paper
Applications of Designs to Cryptography
Cited by 10 (4 self)
to Bob, she encrypts x using the encryption rule e_K. That is, she computes y = e_K(x), and sends y to Bob over the channel. When Bob receives y, he decrypts it using the decryption function d_K, obtaining x. Informally, perfect secrecy means that observation of a ciphertext gives no information about the corresponding plaintext. This idea can be stated more precisely using probability distributions. Suppose there are probability distributions p_P on P, and p_K on K. Then a probability distribution p_C is induced on C. A cryptosystem is said to provide perfect secrecy provided that p_P(x|y) = p_P

