UMAC: Fast and Secure Message Authentication
1999
Cited by 112 (14 self)
Abstract. We describe a message authentication algorithm, UMAC, which can authenticate messages (in software, on contemporary machines) roughly an order of magnitude faster than current practice (e.g., HMAC-SHA1), and about twice as fast as times previously reported for the universal hash-function family MMH. To achieve such speeds, UMAC uses a new universal hash-function family, NH, and a design which allows effective exploitation of SIMD parallelism. The “cryptographic” work of UMAC is done using standard primitives of the user’s choice, such as a block cipher or cryptographic hash function; no new heuristic primitives are developed here. Instead, the security of UMAC is rigorously proven, in the sense of giving exact and quantitatively strong results which demonstrate an inability to forge UMAC-authenticated messages assuming an inability to break the underlying cryptographic primitive. Unlike conventional, inherently serial MACs, UMAC is parallelizable, and will have ever-faster implementation speeds as machines offer up increasing amounts of parallelism. We envision UMAC as a practical algorithm for next-generation message authentication.

HAIL: A High-Availability and Integrity Layer for Cloud Storage
2009
Cited by 80 (1 self)
We introduce HAIL (High-Availability and Integrity Layer), a distributed cryptographic system that permits a set of servers to prove to a client that a stored file is intact and retrievable. HAIL strengthens, formally unifies, and streamlines distinct approaches from the cryptographic and distributed-systems communities. Proofs in HAIL are efficiently computable by servers and highly compact—typically tens or hundreds of bytes, irrespective of file size. HAIL cryptographically verifies and reactively reallocates file shares. It is robust against an active, mobile adversary, i.e., one that may progressively corrupt the full set of servers. We propose a strong, formal adversarial model for HAIL, and rigorous analysis and parameter choices. We show how HAIL improves on the security and efficiency of existing tools, like Proofs of Retrievability (PORs) deployed on individual servers. We also report on a prototype implementation.

Towards Making Luby-Rackoff Ciphers Optimal and Practical
In Proc. Fast Software Encryption 99, Lecture Notes in Computer Science
1999
Cited by 10 (3 self)
We provide new constructions for Luby-Rackoff block ciphers which are efficient in terms of computations and key material used. Next, we show that we can make some security guarantees for Luby-Rackoff block ciphers under much weaker and more practical assumptions about the underlying function; namely, that the underlying function is a secure Message Authentication Code. Finally, we provide a SHA-1 based example block cipher called Shazam.

On the Round Security of Symmetric-Key Cryptographic Primitives
In Advances in Cryptology — CRYPTO ’00, volume 1880 of LNCS
2000
Cited by 10 (1 self)
We put forward a new model for understanding the security of symmetric-key primitives, such as block ciphers. The model captures the fact that many such primitives often consist of iterating simpler constructs for a number of rounds, and may provide insight into the security of such designs. We completely characterize the security of four-round Luby-Rackoff ciphers in our model, and show that the ciphers remain secure even if the adversary is given black-box access to the middle two round functions. A similar result can be obtained for message authentication codes based on universal hash functions.
1 Introduction
1.1 Block Ciphers
A block cipher is a family of permutations on a message space indexed by a secret key. Each permutation in the family deterministically maps plaintext blocks of some fixed length to ciphertext blocks of the same length; both the permutation and its inverse are efficiently computable given the key. Motivated originally by the study of security of the block ciphe...

A Collision-Resistant Rate-1 Double-Block-Length Hash Function
Cited by 8 (0 self)
(on leave at Bauhaus-University Weimar, Germany)
Abstract. This paper proposes a construction for collision resistant 2n-bit hash functions, based on n-bit block ciphers with 2n-bit keys. The construction is analysed in the ideal cipher model; for n = 128 an adversary would need roughly 2^122 units of time to find a collision. The construction employs “combinatorial” hashing as an underlying building block (like Universal Hashing for cryptographic message authentication by Wegman and Carter). The construction runs at rate 1, thus improving on a similar rate-1/2 approach by Hirose (FSE 2006).

CCCP: Secure Remote Storage for Computational RFIDs
Cited by 3 (2 self)
Passive RFID tags harvest their operating energy from an interrogating reader, but constant energy shortfalls severely limit their computational and storage capabilities. We propose Cryptographic Computational Continuation Passing (CCCP), a mechanism that amplifies programmable passive RFID tags’ capabilities by exploiting an often overlooked, plentiful resource: low-power radio communication. While radio communication is more energy intensive than flash memory writes in many embedded devices, we show that the reverse is true for passive RFID tags. A tag can use CCCP to checkpoint its computational state to an untrusted reader using less energy than an equivalent flash write, thereby allowing it to devote a greater share of its energy to computation. Security is the major challenge in such remote checkpointing. Using scant and fleeting energy, a tag must enforce confidentiality, authenticity, integrity, and data freshness while communicating with potentially untrustworthy infrastructure. Our contribution synthesizes well-known cryptographic and low-power techniques with a novel flash memory storage strategy, resulting in a secure remote storage facility for an emerging class of devices. Our evaluation of CCCP consists of energy measurements of a prototype implementation on the batteryless, MSP430-based WISP platform. Our experiments show that—despite cryptographic overhead—remote checkpointing consumes less energy than checkpointing to flash for data sizes above roughly 64 bytes. CCCP enables secure and flexible remote storage that would otherwise outstrip batteryless RFID tags’ resources.

A fast and provably secure MAC
In Applied Cryptography and Network Security: Third International Conference, ACNS 2005
2005
Cited by 2 (0 self)
Abstract. We present Badger, a new fast and provably secure MAC based on universal hashing. In the construction, a modified tree hash that is more efficient than standard tree hashing is used and its security is proven. Furthermore, in order to derive the core hash function of the tree, we use a novel technique for reducing ∆-universal function families to universal families. The resulting MAC is very efficient on standard platforms both for short and long messages. As an example, for a 64-bit tag, it achieves performances up to 2.2 and 1.3 clock cycles per byte on a Pentium III and Pentium 4 processor, respectively. The forgery probability is at most 2^−52.2.

Divide and Concatenate: A Scalable Hardware Architecture for Universal MAC
In 12th ACM International Symp. on Field-Programmable Gate Arrays (FPGA 2004)
2003
Cited by 1 (0 self)
We present a cryptographic architecture optimization technique called divide-and-concatenate based on two observations: (i) the area of a multiplier and associated data path decreases exponentially and their speeds increase linearly as their operand size is reduced; (ii) in hash functions, message authentication codes and related cryptographic algorithms, two functions are equivalent if they have the same collision probability property. In the proposed approach we divide a 2w-bit data path (with collision probability 2 ) into two w-bit data paths (each with collision probability 2 ) and concatenate their results to construct an equivalent 2w-bit data path (with a collision probability 2 ). We applied this technique on NH hash, a universal hash function that uses multiplications and additions. When compared to the 100% overhead associated with duplicating a straightforward 32-bit pipelined NH hash data path, the divide-and-concatenate approach yields a 94% increase in throughput with only 40% hardware overhead. The NH hash associated message authentication code UMAC architecture with collision probability 2 that uses four equivalent 8-bit divide-and-concatenate NH hash data paths yields a throughput of 79.2 Gbps with only 3840 FPGA slices when implemented on a Xilinx XC2VP77 Field Programmable Gate Array (FPGA).
1. Motivation
In the past, most cryptographic algorithms have been developed to run fast on general-purpose processors. More recently, dedicated cryptographic hardware is being developed and deployed to match the >10 Gbps wire speed requirements. In this paper we will investigate scalable hardware architectures for cryptographic algorithms.

Shazam: A Block Cipher. Fast as DES, Secure as SHA
1999
Cited by 1 (0 self)
We describe a block cipher which is both practical and provably as secure as SHA-1. The cipher uses the Secure Hash Algorithm (SHA-1) as an underlying primitive, and we show that any successful attack on the cipher results in a successful attack against one or more of the hallowed properties of SHA-1. Moreover, our block cipher is still as fast as the Data Encryption Standard (DES). We also describe a practical Pseudo-Random Generator which again is as secure as SHA-1. We apply this generator for secure key scheduling and, since it is based on the same underlying primitive as our cipher, we get efficient reuse of our code. Finally we describe a construction of an efficient family of universal hash functions which are used by our cipher, which may be of independent interest.

Universal Hash Functions over GF(2^n)
Proceedings of 2004 IEEE International Symposium on Information Theory — ISIT 2004
2004
Cited by 1 (1 self)
Universal hashing was first introduced by Carter and Wegman in 1979 [1] and has many important applications in theoretical computer science. In 1981, Wegman and Carter pioneered the study of applying universal hash functions in the construction of message authentication codes (MAC) when they published [5]. Since then there have been many papers on efficient construction of universal hash functions for secure MAC. One advantage of the Wegman-Carter construction is that it enables a proof of security and can be an order of magnitude faster [3, 2, 4] than MACs based on traditional hash functions like HMAC. In this paper, we propose variants of the MMH [3] and SQUARE hash function families [2, 4] over the finite field GF(2^n). These new variants are suited for implementation on platforms where there are no built-in specialized algorithms