Results 1-10 of 11
MMH: Software Message Authentication in the Gbit/second Rates
1997
Cited by 40 (3 self)
We describe a construction of almost universal hash functions suitable for very fast software implementation and applicable to the hashing of variable size data and fast cryptographic message authentication. Our construction uses fast single precision arithmetic which is increasingly supported by modern processors due to the growing needs for fast arithmetic posed by multimedia applications. We report on hand-optimized assembly implementations on a 150 MHz PowerPC 604 and a 150 MHz PentiumPro, which achieve hashing speeds of 350 to 820 Mbit/sec, depending on the desired level of security (or collision probability), and a rate of more than 1 Gbit/sec on a 200 MHz PentiumPro. This represents a significant speedup over current software implementations of universal hashing and other message authentication techniques (e.g., MD5-based). Moreover, our construction is specifically designed to take advantage of emerging microprocessor technologies (such as Intel's MMX, ...
Software performance of universal hash functions
In Advances in Cryptology — EUROCRYPT '99
1999
Cited by 26 (0 self)
This paper compares the parameter sizes and software performance of several recent constructions for universal hash functions: bucket hashing, polynomial hashing, Toeplitz hashing, division hashing, evaluation hashing, and MMH hashing. An objective comparison between these widely varying approaches is achieved by defining constructions that offer a comparable security level. It is also demonstrated how the security of these constructions compares favorably to existing MAC algorithms, the security of which is less understood.
k-wise Independent Sample Spaces and Their Cryptologic Applications
1997
Cited by 22 (0 self)
An almost k-wise independent sample space is a small subset of m-bit sequences in which any k bits are "almost independent". We show that this idea has close relationships with useful cryptologic notions such as multiple authentication codes (multiple A-codes), almost strongly universal hash families and almost k-resilient functions. We use almost k-wise independent sample spaces to construct new efficient multiple A-codes such that the number of key bits grows linearly as a function of k (here k is the number of messages to be authenticated with a single key). This improves on the construction of Atici and Stinson [2], in which the number of key bits is Ω(k²). We also introduce the concept of ε-almost k-resilient functions and give a construction that has parameters superior to k-resilient functions. Finally, new bounds (necessary conditions) are derived for almost k-wise independent sample spaces, multiple A-codes and balanced ε-almost k-resilient functions.
Square Hash: Fast Message Authentication via Optimized Universal Hash Functions
In Proc. CRYPTO 99, Lecture Notes in Computer Science
1999
Cited by 21 (6 self)
This paper introduces two new ideas in the construction of fast universal hash functions geared towards the task of message authentication.
Does Encryption with Redundancy Provide Authenticity?
In Advances in Cryptology — EUROCRYPT 2001, B. Pfitzmann, Ed., Lecture Notes in Computer Science
2001
Cited by 16 (5 self)
A popular paradigm for achieving privacy plus authenticity is to append some "redundancy" to the data before encrypting. We investigate the security of this paradigm at both a general and a specific level. We consider various possible notions of privacy for the base encryption scheme, and for each such notion we provide a condition on the redundancy function that is necessary and sufficient to ensure authenticity of the encryption-with-redundancy scheme. We then consider the case where the base encryption scheme is a variant of CBC called NCBC, and find sufficient conditions on the redundancy functions for NCBC encryption-with-redundancy to provide authenticity. Our results highlight an important distinction between public redundancy functions, meaning those that the adversary can compute, and secret ones, meaning those that depend on the shared key between the legitimate parties.
Key recycling in authentication
2012
Cited by 1 (0 self)
In their seminal work on authentication, Wegman and Carter propose that to authenticate multiple messages, it is sufficient to reuse the same hash function as long as each tag is encrypted with a one-time pad. They argue that because the one-time pad is perfectly hiding, the hash function used remains completely unknown to the adversary. Since their proof is not composable, we revisit it using a universally composable framework. It turns out that the above argument is insufficient: information about the hash function is in fact leaked in every round to the adversary, and after a bounded finite amount of rounds it is completely known. We show however that this leak is very small, and Wegman and Carter's protocol is still ε-secure, if ε-almost strongly universal₂ hash functions are used. This implies that the secret key corresponding to the choice of hash function can be recycled for any task without any additional error than this ε. We illustrate this by applying it to quantum key distribution (QKD): if the same hash function is recycled to authenticate the classical communication in every round of a QKD protocol, and used ℓ times per round, the total error after r rounds is upper bounded by r(ℓε + ε′), where ε′ is the error of one round of QKD given an authentic channel.
A Construction Method for Optimally Universal Hash Families and its Consequences for the Existence of RBIBDs (Extended Abstract)
We introduce a method for constructing optimally universal hash families and equivalently RBIBDs. As a consequence of our construction we obtain minimal optimally universal hash families, if the cardinalities of the universe and the range are powers of the same prime. A corollary of this result is that the necessary condition for the existence of an RBIBD with parameters (v, k, λ), namely v mod k = λ(v − 1) mod (k − 1) = 0, is sufficient, if v and k are powers of the same prime. As an application of our construction, we show that the k-MAXCUT algorithm of Hofmeister and Lefmann [9] can be implemented such that it has a polynomial running time, in the case that the number of vertices and k are powers of the same prime.
Universal Hash Function in Randomness Extraction and Message Authentication As a Randomness Extractor
1998
(a submission to IEEE P1363a)
Multi-receiver Homomorphic Authentication Codes for Network Coding
We investigate a new class of authentication codes (A-codes) that support verification by a group of message recipients in the network coding setting. That is, a sender generates an A-code over a message such that any intermediate node or recipient can check the authenticity of the message, typically to detect pollution attacks. We call such an A-code a multi-receiver homomorphic A-code (MRHA-code). In this paper, we first formally define an MRHA-code. We then derive some lower bounds on the security parameters and key sizes associated with our MRHA-codes. Moreover, we give efficient constructions of MRHA-code schemes that can be used to mitigate pollution attacks on network codes. Unlike prior works on computationally secure homomorphic signatures and MACs for network coding, our MRHA-codes achieve unconditional security.
Direct Proof of Security of Wegman-Carter Authentication with Partially Known Key
Information-theoretically secure (ITS) authentication is needed in Quantum Key Distribution (QKD). In this paper, we study security of an ITS authentication scheme proposed by Wegman & Carter, in the case of partially known authentication key. This scheme uses a new authentication key in each authentication attempt, to select a hash function from an Almost Strongly Universal₂ hash function family. The partial knowledge of the attacker is measured as the trace distance between the authentication key distribution and the uniform distribution; this is the usual measure in QKD. We provide direct proofs of security of the scheme, when using partially known key, first in the information-theoretic setting and then in terms of witness indistinguishability as used in the Universal Composability (UC) framework. We find that if the authentication procedure has a failure probability ε and the authentication key has an ε′ trace distance to the uniform, then under ITS, the adversary's success probability conditioned on an authentic message-tag pair is only bounded by ε + |T| ε′, where |T| is the size of the set of tags. Furthermore, the trace distance between the authentication key distribution and the uniform increases to |T| ε′ after having seen an authentic message-tag pair. Despite this, we are able to prove directly that the authenticated channel is indistinguishable from an (ideal) authentic channel (the desired functionality), except with probability less than ε + ε′. This proves that the scheme is (ε + ε′)-UC-secure, without using the composability theorem.