UMAC: Fast and Secure Message Authentication
1999
Abstract. We describe a message authentication algorithm, UMAC, which can authenticate messages (in software, on contemporary machines) roughly an order of magnitude faster than current practice (e.g., HMAC-SHA1), and about twice as fast as times previously reported for the universal hash-function family MMH. To achieve such speeds, UMAC uses a new universal hash-function family, NH, and a design which allows effective exploitation of SIMD parallelism. The “cryptographic” work of UMAC is done using standard primitives of the user’s choice, such as a block cipher or cryptographic hash function; no new heuristic primitives are developed here. Instead, the security of UMAC is rigorously proven, in the sense of giving exact and quantitatively strong results which demonstrate an inability to forge UMAC-authenticated messages assuming an inability to break the underlying cryptographic primitive. Unlike conventional, inherently serial MACs, UMAC is parallelizable, and will have ever-faster implementation speeds as machines offer up increasing amounts of parallelism. We envision UMAC as a practical algorithm for next-generation message authentication.
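As an added illustration of the construction the abstract describes (example code written for this listing, not code from the UMAC paper or its reference implementation): the NH universal hash over 32-bit words, used as the hash layer of a Wegman-Carter MAC whose tag is the hash masked with a PRF output that depends on a nonce. Everything beyond NH itself is an assumption of the example: HMAC-SHA256 stands in for the block cipher as the PRF, the key expansion and zero padding are this example's own, and a message must fit in one NH block (UMAC's second hash layer for longer messages is left out).

```python
# Added example, not code from the UMAC paper: the NH universal hash over
# 32-bit words, used as the hash layer of a Wegman-Carter MAC. Assumptions
# of this demo: HMAC-SHA256 replaces the block cipher as the PRF, the key
# derivation and zero padding are this example's own, and a message must
# fit in one NH block (UMAC's second hash layer for longer messages is omitted).
import hashlib
import hmac
import struct

W = 32                          # NH word size in bits
WORD_MASK = (1 << W) - 1
HASH_MASK = (1 << (2 * W)) - 1  # NH outputs a 2w-bit value
NH_WORDS = 256                  # NH key length in words: one block is 1 KiB of message
TAG_LEN = 8                     # 64-bit tag


def nh(key_words, msg_words):
    """NH(k, m) = sum_i ((m_2i + k_2i) mod 2^w) * ((m_2i+1 + k_2i+1) mod 2^w) mod 2^2w.

    m must have an even number of words and be no longer than k. For two distinct
    equal-length messages the collision probability over a random k is at most 2^-w.
    """
    if len(msg_words) % 2 or len(msg_words) > len(key_words):
        raise ValueError("message must be an even number of words, no longer than the key")
    acc = 0
    for i in range(0, len(msg_words), 2):
        a = (msg_words[i] + key_words[i]) & WORD_MASK
        b = (msg_words[i + 1] + key_words[i + 1]) & WORD_MASK
        acc += a * b   # the products are independent of each other: this is the SIMD-friendly part
    return acc & HASH_MASK


def derive_nh_key(master_key):
    """Expand the master key into NH_WORDS 32-bit words (demo KDF: HMAC in counter mode)."""
    words = []
    counter = 0
    while len(words) < NH_WORDS:
        block = hmac.new(master_key, b"nh-key" + struct.pack(">I", counter), hashlib.sha256).digest()
        words.extend(struct.unpack(">8I", block))
        counter += 1
    return words[:NH_WORDS]


def to_words(msg):
    """Zero-pad to a multiple of 8 bytes (an even number of 32-bit words) and split."""
    padded = msg + b"\x00" * (-len(msg) % 8)
    return list(struct.unpack(">%dI" % (len(padded) // 4), padded))


def wc_mac(master_key, nonce, msg):
    """Tag = NH_k(pad(msg)) XOR F_K(nonce, len(msg)); the nonce must never repeat under one key."""
    if len(msg) > NH_WORDS * 4:
        raise ValueError("demo handles a single NH block (%d bytes) only" % (NH_WORDS * 4))
    h = nh(derive_nh_key(master_key), to_words(msg))
    # The byte length enters the PRF so that zero padding cannot make two messages equivalent.
    mask = hmac.new(master_key, b"pad" + nonce + struct.pack(">Q", len(msg)), hashlib.sha256).digest()
    return (h ^ int.from_bytes(mask[:TAG_LEN], "big")).to_bytes(TAG_LEN, "big")


def wc_verify(master_key, nonce, msg, tag):
    return hmac.compare_digest(wc_mac(master_key, nonce, msg), tag)


if __name__ == "__main__":
    key = b"k" * 32                  # constructed demo key, not a real secret
    nonce = (1).to_bytes(8, "big")
    tag = wc_mac(key, nonce, b"transfer 100 to alice")
    print(tag.hex(), wc_verify(key, nonce, b"transfer 100 to alice", tag))
    print(wc_verify(key, nonce, b"transfer 900 to alice", tag))  # tampered message: False
```

The nonce rule is the part practitioners get wrong: if the same nonce is used for two messages of equal length under one key, the mask cancels and tag1 XOR tag2 equals NH_k(m1) XOR NH_k(m2), which hands the attacker a relation on the hash key. The proof quoted in the abstract assumes that never happens.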
HAIL: A High-Availability and Integrity Layer for Cloud Storage
2009
We introduce HAIL (High-Availability and Integrity Layer), a distributed cryptographic system that permits a set of servers to prove to a client that a stored file is intact and retrievable. HAIL strengthens, formally unifies, and streamlines distinct approaches from the cryptographic and distributed-systems communities. Proofs in HAIL are efficiently computable by servers and highly compact, typically tens or hundreds of bytes, irrespective of file size. HAIL cryptographically verifies and reactively reallocates file shares. It is robust against an active, mobile adversary, i.e., one that may progressively corrupt the full set of servers. We propose a strong, formal adversarial model for HAIL, and rigorous analysis and parameter choices. We show how HAIL improves on the security and efficiency of existing tools, like Proofs of Retrievability (PORs) deployed on individual servers. We also report on a prototype implementation.
Towards Making Luby-Rackoff Ciphers Optimal and Practical
In Proc. Fast Software Encryption ’99, Lecture Notes in Computer Science, 1999
We provide new constructions for Luby-Rackoff block ciphers which are efficient in terms of computations and key material used. Next, we show that we can make some security guarantees for Luby-Rackoff block ciphers under much weaker and more practical assumptions about the underlying function; namely, that the underlying function is a secure Message Authentication Code. Finally, we provide a SHA-1 based example block cipher called Sha-zam.
On the Round Security of Symmetric-Key Cryptographic Primitives
In Advances in Cryptology — CRYPTO ’00, volume 1880 of LNCS, 2000
We put forward a new model for understanding the security of symmetric-key primitives, such as block ciphers. The model captures the fact that many such primitives often consist of iterating simpler constructs for a number of rounds, and may provide insight into the security of such designs. We completely characterize the security of four-round Luby-Rackoff ciphers in our model, and show that the ciphers remain secure even if the adversary is given black-box access to the middle two round functions. A similar result can be obtained for message authentication codes based on universal hash functions.

1 Introduction

1.1 Block Ciphers

A block cipher is a family of permutations on a message space indexed by a secret key. Each permutation in the family deterministically maps plaintext blocks of some fixed length to ciphertext blocks of the same length; both the permutation and its inverse are efficiently computable given the key. Motivated originally by the study of security of the block ciphe...
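The two Luby-Rackoff entries above make the same structural point: a Feistel cipher built from a keyed function that is merely a secure MAC, with four rounds needed before the result is a strong pseudorandom permutation. The following example (written for this listing, not code from either paper) builds such a cipher on 128-bit blocks and includes the classic chosen-plaintext/chosen-ciphertext test that separates the three-round version from a random permutation, which is why the fourth round matters. Assumptions of the example: HMAC-SHA256 truncated to the 64-bit half block plays the MAC (the papers' own instance, Sha-zam, is built directly on SHA-1), and the per-round keys are derived from one master key with the same HMAC.

```python
# Added example, not code from either paper: a Luby-Rackoff (Feistel) cipher on
# 128-bit blocks whose round functions are a keyed MAC. Assumptions of this demo:
# HMAC-SHA256 truncated to the 64-bit half block plays the MAC (the papers' own
# instance, Sha-zam, is built directly on SHA-1), and the per-round keys are
# derived from one master key with the same HMAC.
import hashlib
import hmac

HALF = 8      # bytes in a half block; the block is 2 * HALF = 16 bytes
ROUNDS = 4    # the round count the papers analyse for strong pseudorandomness


def derive_round_keys(master_key, rounds=ROUNDS):
    """One independent-looking key per round, so the round functions are unrelated MACs."""
    return [hmac.new(master_key, b"round-key-%d" % i, hashlib.sha256).digest() for i in range(rounds)]


def round_function(round_key, half):
    """f_i: the only property relied on is that f_i be a secure MAC on half blocks.
    It need not be invertible; the Feistel structure supplies the inverse."""
    return hmac.new(round_key, half, hashlib.sha256).digest()[:HALF]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def split(block):
    return block[:HALF], block[HALF:]


def feistel_encrypt(round_keys, block):
    """(L, R) -> (R, L xor f_i(R)) for each round, in key order."""
    if len(block) != 2 * HALF:
        raise ValueError("block must be %d bytes" % (2 * HALF))
    left, right = split(block)
    for rk in round_keys:
        left, right = right, xor_bytes(left, round_function(rk, right))
    return left + right


def feistel_decrypt(round_keys, block):
    """Undo the rounds in reverse: from (L', R') recover R = L', L = R' xor f_i(L')."""
    if len(block) != 2 * HALF:
        raise ValueError("block must be %d bytes" % (2 * HALF))
    left, right = split(block)
    for rk in reversed(round_keys):
        left, right = xor_bytes(right, round_function(rk, left)), left
    return left + right


def three_round_distinguisher(round_keys):
    """The textbook attack on a 3-round Feistel with encryption and decryption access:
    encrypt (L, R) -> (S, T) and (L', R) -> (S', T'), then decrypt (S', T' xor L xor L').
    For three rounds the recovered right half is always R xor S xor S'; for a random
    permutation (or four rounds) that relation holds only by chance (about 2^-64)."""
    L, R, L2 = bytes(HALF), bytes(range(HALF)), bytes([0xFF]) + bytes(HALF - 1)
    S, T = split(feistel_encrypt(round_keys, L + R))
    S2, T2 = split(feistel_encrypt(round_keys, L2 + R))
    recovered = feistel_decrypt(round_keys, S2 + xor_bytes(T2, xor_bytes(L, L2)))
    return recovered[HALF:] == xor_bytes(R, xor_bytes(S, S2))


if __name__ == "__main__":
    master = b"demo master key, not a secret!!!"   # constructed demo key
    ct = feistel_encrypt(derive_round_keys(master), b"0123456789abcdef")
    print(ct.hex(), feistel_decrypt(derive_round_keys(master), ct))
    print("3 rounds distinguishable:", three_round_distinguisher(derive_round_keys(master, 3)))
    print("4 rounds distinguishable:", three_round_distinguisher(derive_round_keys(master, 4)))
```

The round function here is never inverted, which is exactly what lets a one-way MAC serve as the building block; the price is the round count, and the distinguisher shows concretely that three rounds leave a relation an attacker with both encryption and decryption queries can check.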
CCCP: Secure Remote Storage for Computational RFIDs
Passive RFID tags harvest their operating energy from an interrogating reader, but constant energy shortfalls severely limit their computational and storage capabilities. We propose Cryptographic Computational Continuation Passing (CCCP), a mechanism that amplifies programmable passive RFID tags’ capabilities by exploiting an often overlooked, plentiful resource: low-power radio communication. While radio communication is more energy intensive than flash memory writes in many embedded devices, we show that the reverse is true for passive RFID tags. A tag can use CCCP to checkpoint its computational state to an untrusted reader using less energy than an equivalent flash write, thereby allowing it to devote a greater share of its energy to computation. Security is the major challenge in such remote checkpointing. Using scant and fleeting energy, a tag must enforce confidentiality, authenticity, integrity, and data freshness while communicating with potentially untrustworthy infrastructure. Our contribution synthesizes well-known cryptographic and low-power techniques with a novel flash memory storage strategy, resulting in a secure remote storage facility for an emerging class of devices. Our evaluation of CCCP consists of energy measurements of a prototype implementation on the batteryless, MSP430-based WISP platform. Our experiments show that—despite cryptographic overhead—remote checkpointing consumes less energy than checkpointing to flash for data sizes above roughly 64 bytes. CCCP enables secure and flexible remote storage that would otherwise outstrip batteryless RFID tags’ resources.
A fast and provably secure MAC
In Applied Cryptography and Network Security: Third International Conference, ACNS 2005, 2005
Abstract. We present Badger, a new fast and provably secure MAC based on universal hashing. In the construction, a modified tree hash that is more efficient than standard tree hashing is used and its security is proven. Furthermore, in order to derive the core hash function of the tree, we use a novel technique for reducing ∆-universal function families to universal families. The resulting MAC is very efficient on standard platforms both for short and long messages. As an example, for a 64-bit tag, it achieves performances up to 2.2 and 1.3 clock cycles per byte on a Pentium III and Pentium 4 processor, respectively. The forgery probability is at most 2^-52.2.
Divide and Concatenate: A Scalable Hardware Architecture for Universal MAC
In 12th ACM International Symp. on Field-Programmable Gate Arrays (FPGA 2004), 2003
We present a cryptographic architecture optimization technique called divide-and-concatenate based on two observations: (i) the area of a multiplier and associated data path decreases exponentially and their speeds increase linearly as their operand size is reduced; (ii) in hash functions, message authentication codes and related cryptographic algorithms, two functions are equivalent if they have the same collision probability property. In the proposed approach we divide a 2w-bit data path (with collision probability 2 ) into two w-bit data paths (each with collision probability 2 ) and concatenate their results to construct an equivalent 2w-bit data path (with a collision probability 2 ). We applied this technique on NH hash, a universal hash function that uses multiplications and additions. When compared to the 100% overhead associated with duplicating a straightforward 32-bit pipelined NH hash data path, the divide-and-concatenate approach yields a 94% increase in throughput with only 40% hardware overhead. The NH hash associated message authentication code UMAC architecture with collision probability 2 that uses four equivalent 8-bit divide-and-concatenate NH hash data paths yields a throughput of 79.2 Gbps with only 3840 FPGA slices when implemented on a Xilinx XC2VP7-7 Field Programmable Gate Array (FPGA).

1. Motivation

In the past, most cryptographic algorithms have been developed to run fast on general-purpose processors. More recently, dedicated cryptographic hardware is being developed and deployed to match the >10 Gbps wire speed requirements. In this paper we will investigate scalable hardware architectures for cryptographic algorithms.
Sha-zam: A Block Cipher. Fast as DES, Secure as SHA
1999
We describe a block cipher which is both practical and provably as secure as SHA-1. The cipher uses the Secure Hash Algorithm (SHA-1) as an underlying primitive, and we show that any successful attack on the cipher results in a successful attack against one or more of the hallowed properties of SHA-1. Moreover, our block cipher is still as fast as the Data Encryption Standard (DES). We also describe a practical Pseudo-Random Generator which again is as secure as SHA-1. We apply this generator for secure key scheduling and since it is based on the same underlying primitive as our cipher, we get efficient reuse of our code. Finally we describe a construction of an efficient family of universal hash functions which are used by our cipher, which may be of independent interest.
Universal Hash Functions over GF(2^n)
Proceedings of 2004 IEEE International Symposium on Information Theory (ISIT 2004), 2004
Universal hashing was first introduced by Carter and Wegman in 1979 [1] and has many important applications in theoretical computer science. In 1981, Wegman and Carter pioneered the study of applying universal hash functions in the construction of message authentication codes (MAC) when they published [5]. Since then there have been many papers on efficient construction of universal hash functions for secure MAC. One advantage of the Wegman-Carter construction is that it enables a proof of security and can be an order of magnitude faster [3, 2, 4] than MACs based on traditional hash functions like HMAC. In this paper, we propose variants of the MMH [3] and SQUARE hash function families [2, 4] over the finite field GF(2^n). These new variants are suited for implementation on platforms where there are no built-in specialized algorithms
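As an added example of what moving a universal hash to GF(2^n) looks like in code (written for this listing, not the paper's own construction): multiplication in GF(2^n) by carry-less shift-and-add with polynomial reduction, which needs only XOR and shift and hence no hardware multiplier, and the inner-product hash h_k(m) = sum_i k_i * m_i over that field, the GF(2^n) analogue of MMH's inner product. For a small field the example checks every key and shows the collision fraction is exactly 2^-n. Assumptions of the example: the reduction polynomial x^4 + x + 1 (0x13) for GF(2^4), used for the exhaustive check, and the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11b) for GF(2^8).

```python
# Added example, not code from the paper: arithmetic in GF(2^n) by carry-less
# multiplication with polynomial reduction, and the inner-product universal hash
# h_k(m) = sum_i k_i * m_i over that field, the GF(2^n) analogue of MMH's
# inner product. Assumptions of this demo: the reduction polynomials
# x^4 + x + 1 (0x13) for GF(2^4), small enough to check every key exhaustively,
# and the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11b) for GF(2^8).
from itertools import product

POLY_GF16 = 0x13
POLY_GF256 = 0x11B


def gf_mul(a, b, n, poly):
    """a * b in GF(2^n); poly is the irreducible reduction polynomial with bit n set.
    Shift-and-add without carries, reducing whenever the degree reaches n: only XOR
    and shift are used, so no general-purpose multiplier or table is required."""
    if a >> n or b >> n:
        raise ValueError("operands must be field elements of %d bits" % n)
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a & (1 << n):
            a ^= poly
    return result


def ip_hash(key, msg, n, poly):
    """Inner-product hash over GF(2^n): field addition is XOR, so the sum is an XOR fold."""
    if len(key) != len(msg):
        raise ValueError("key and message must have the same number of field elements")
    acc = 0
    for k, m in zip(key, msg):
        acc ^= gf_mul(k, m, n, poly)
    return acc


def collision_count(m1, m2, n, poly):
    """Count keys in GF(2^n)^t for which two distinct t-word messages hash alike.
    Because h is linear in the key, the colliding keys form a hyperplane of size
    2^(n(t-1)): exactly a 2^-n fraction of all keys, which is the bound claimed."""
    if m1 == m2 or len(m1) != len(m2):
        raise ValueError("need two distinct messages of equal length")
    q = 1 << n
    return sum(
        1
        for key in product(range(q), repeat=len(m1))
        if ip_hash(key, m1, n, poly) == ip_hash(key, m2, n, poly)
    )


if __name__ == "__main__":
    print(hex(gf_mul(0x57, 0x83, 8, POLY_GF256)))          # FIPS-197 worked example: 0xc1
    total = (1 << 4) ** 2
    c = collision_count((1, 2), (3, 4), 4, POLY_GF16)      # constructed message pair
    print(c, total, c / total == 2 ** -4)
```

The exhaustive count is the practitioner's check on an ε-almost-universal claim: for a linear hash the bound is met with equality, so any count above 2^(n(t-1)) in such a test means the field arithmetic, not the construction, is wrong.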
A Collision-Resistant Rate-1 Double-Block-Length Hash Function
Abstract. This paper proposes a construction for collision resistant 2n-bit hash functions, based on n-bit block ciphers with 2n-bit keys. The construction is analysed in the ideal cipher model; for n = 128 an adversary would need roughly 2^122 units of time to find a collision. The construction employs “combinatorial” hashing as an underlying building block (like Universal Hashing for cryptographic message authentication by Wegman and Carter). The construction runs at rate 1, thus improving on a similar rate 1/2 approach by Hirose (FSE 2006).

