We introduce a new technique for constructing a family of universal hash functions.

There is a well-known class of message authentication systems guaranteeing that attackers will have a negligible chance of successfully forging a message. This paper shows how one of these systems can hash messages at extremely high speed -- much more quickly than previous systems at the same security level -- using IEEE floating-point arithmetic. This paper also presents a survey of the literature in a unified mathematical framework.

Abstract. Poly1305-AES is a state-of-the-art message-authentication code suitable for a wide variety of applications. Poly1305-AES computes a 16-byte authenticator of a variable-length message, using a 16-byte AES key, a 16-byte additional key, and a 16-byte nonce. The security of Poly1305-AES is very close to the security of AES; the security gap is at most 14D⌈L/16⌉/2 106 if messages have at most L bytes, the attacker sees at most 2 64 authenticated messages, and the attacker attempts D forgeries. Poly1305-AES can be computed at extremely high speed: for example, fewer than 3.625(ℓ + 170) Athlon cycles for an ℓ-byte message. This speed is achieved without precomputation; consequently, 1000 keys can be handled simultaneously without cache misses. Special-purpose hardware can compute Poly1305-AES at even higher speed. Poly1305-AES is parallelizable, incremental, and not subject to any intellectualproperty claims.

Consider two parties holding samples from correlated distributions W and W ′, respectively, where these samples are within distance t of each other in some metric space. The parties wish to agree on a close-to-uniformly distributed secret key R by sending a single message over an insecure channel controlled by an all-powerful adversary who may read and modify anything sent over the channel. We consider both the keyless case, where the parties share no additional secret information, and the keyed case, where the parties share a long-term secret SKBSM that they can use to generate a sequence of session keys {Rj} using multiple pairs {(Wj, W ′ j)}. The former has applications to, e.g., biometric authentication, while the latter arises in, e.g., the bounded-storage model with errors. We show solutions that improve upon previous work in several respects: • The best prior solution for the keyless case with no errors (i.e., t = 0) requires the minentropy of W to exceed 2n/3, where n is the bit-length of W. Our solution applies whenever the min-entropy of W exceeds the minimal threshold n/2, and yields a longer key. • Previous solutions for the keyless case in the presence of errors (i.e., t> 0) required random oracles. We give the first constructions (for certain metrics) in the standard model. • Previous solutions for the keyed case were stateful. We give the first stateless solution. 1

Abstract. NEON is a vector instruction set included in a large fraction of new ARM-based tablets and smartphones. This paper shows that NEON supports high-security cryptography at surprisingly high speeds; normally data arrives at lower speeds, giving the CPU time to handle tasks other than cryptography. In particular, this paper explains how to use a single 800MHz Cortex A8 core to compute the existing NaCl suite of high-security cryptographic primitives at the following speeds: 5.60 cycles per byte (1.14 Gbps) to encrypt using a shared secret key, 2.30 cycles per byte (2.78 Gbps) to authenticate using a shared secret key, 527102 cycles (1517/second) to compute a shared secret key for a new public key, 650102 cycles (1230/second) to verify a signature, and 368212 cycles (2172/second) to sign a message. These speeds make no use of secret branches and no use of secret memory addresses.

Abstract not found

The popularity of personal computing devices (e.g. smart cards) exposes users to risks, notably identity theft, and creates new requirements for secure communication. A recently proposed approach to creating secure communication is to use human trust and human interactions. These approaches potentially eliminate the need for passwords as in Bluetooth, shared secrets or trusted parties, which are often too complex and expensive to use in portable devices. In this new technology, handheld devices exchange data (e.g. payment, heart rates or public keys) over some medium (e.g. WiFi) and then display a short and non-secret digest of the protocol’s run that the devices ’ human owners manually compare to ensure they agree on the same data, i.e. human interactions are used to prevent fraud. In this thesis, we present several new protocols of this type which are designed to optimise the work required of humans to achieve a given level of security. We discover that the design of these protocols is influenced by several principles, including the ideas of commitment without knowledge and separation of security concerns, where random and cryptographic attacks should be tackled separately.

A digest function is a sort of universal hash that takes a key and a message as its inputs. This paper will study these functions ’ properties and design in the context of their application in manual authentication technology. Frequently a digest function needs to have a very short output (e.g. 16–32 bits) and no key is used to digest more than one message. These together with other characteristics represent a new kind of game played between an attacker and honest parties, which is very different from other authentication mechanisms, notably message authentication codes or MACs. Short digests can be constructed directly or by ”condensing ” longer functions. We offer an improved method for the latter but concentrate mainly on direct constructions. We propose a digest algorithm which uses word multiplications to obtain a very fast implementation. This digest scheme enjoys strong and provable security properties, namely for a single-word or b-bit output digest function the collision probability is ɛ = 2 1−b on equal and arbitrarily length inputs. The scheme is based on the multiplicative universal hash function of Dietzfelbinger et al., and it improves on several well-studied and efficient universal hashing algorithms, including MMH and NH.