Stronger security bounds for Wegman-Carter-Shoup authenticators
In EUROCRYPT, 2005
Cited by 20 (3 self)

Abstract
Shoup proved that various message-authentication codes of the form (n, m) ↦ h(m) + f(n) are secure against all attacks that see at most √(1/ɛ) authenticated messages. Here m is a message; n is a nonce chosen from a public group G; f is a secret uniform random permutation of G; h is a secret random function; and ɛ is a differential probability associated with h. Shoup's result implies that if AES is secure then various state-of-the-art message-authentication codes of the form (n, m) ↦ h(m) + AES_k(n) are secure up to √(1/ɛ) authenticated messages. Unfortunately, √(1/ɛ) is only about 2^50 for some state-of-the-art systems, so Shoup's result provides no guarantees for long-term keys. This paper proves that security of the same systems is retained up to √#G authenticated messages. In a typical state-of-the-art system, √#G is 2^64. The heart of the paper is a very general "one-sided" security theorem: (n, m) ↦ h(m) + f(n) is secure if there are small upper bounds on differential probabilities for h and on interpolation probabilities for f.

Keywords: mode of operation, authentication, MAC, Wegman-Carter, provable security
Quantum Oblivious Mutual Identification
Cited by 15 (5 self)

Abstract
We consider a situation where two parties, Alice and Bob, share a common secret string and would like to mutually check their knowledge of that string. We describe a simple and efficient protocol based on the exchange of quantum information to check mutual knowledge of a common string in such a way that honest parties will always succeed in convincing each other, while a dishonest party interacting with an honest party will have vanishingly small probability of convincing him. Moreover, a dishonest party gains only a very small amount of information about the secret string from running the protocol: whoever enters the protocol with no knowledge of the secret string would have to enter this protocol an exponential number of times in order to gain non-negligible information about the string. Our scheme offers an efficient identification technique with a security that depends on no computational assumption, only on the correctness of quantum mechanics. We believe such a system should b...
Pseudo-Random Functions and Factoring
Proc. 32nd ACM Symp. on Theory of Computing, 2000
Cited by 13 (2 self)

Abstract
The computational hardness of factoring integers is the most established assumption on which cryptographic primitives are based. This work presents an efficient construction of pseudo-random functions whose security is based on the intractability of factoring. In particular, we are able to construct efficient length-preserving pseudo-random functions where each evaluation requires only a (small) constant number of modular multiplications per output bit. This is substantially more efficient than any previous construction of pseudo-random functions based on factoring, and matches (up to a constant factor) the efficiency of the best known factoring-based pseudo-random bit generators.
Oblivious Verification of Common String
CWI Quarterly, 1995
Cited by 9 (2 self)

Abstract
We consider a situation where two parties, Alice and Bob, share a common secret string and would like to mutually check their knowledge of that string. We describe a simple and efficient protocol based on oblivious transfer to check mutual knowledge of a common string in such a way that honest parties will always succeed in convincing each other, while a dishonest party interacting with an honest party will have vanishingly small probability of convincing him. Moreover, a dishonest party gains only a very small amount of information about the secret string from running the protocol: whoever enters the protocol with no knowledge of the secret string would have to enter this protocol an exponential number of times in order to gain non-negligible information about the string.

1 Introduction
Didn't you worry last time you typed your PIN (Personal Identification Number) to an unknown Automated Teller Machine (ATM) that it could be a fake and that the sole purpose of this ATM could be t...
The chain sum primitive and its applications to MACs and stream ciphers
In K. Nyberg (Ed.), Advances in Cryptology - Proc. EUROCRYPT '98, Lecture Notes in Computer Science 1403, 1998
Cited by 4 (0 self)

Abstract
We present a new scheme called universal block chaining with sum (or chain & sum primitive (C&S) for short), and show its application to the problem of combined encryption and authentication of data. The primitive is a weak CBC-type encryption along with a summing step, and can be used as a front end to stream ciphers to encrypt pages or blocks of data (e.g., in an encrypted file system or in a video stream). Under standard assumptions, the resulting encryption scheme provably acts as a random permutation on the blocks, and has message integrity features of standard CBC encryption. The primitive also yields a very fast message authentication code (MAC), which is a multivariate polynomial evaluation hash. The multivariate feature and the summing aspect are novel parts of the design. Our tests show that the chain & sum primitive adds approximately 20 percent overhead to the fastest stream ciphers.
Secure and Anonymous Electronic Commerce: Providing Legal Certainty in Open Digital Systems Without Compromising Anonymity
2000
Cited by 4 (0 self)

Abstract
The growing importance of conducting legal transactions over open digital systems creates new requirements for these systems. They have to be designed in such a way that the users remain anonymous to one another and their activities cannot be observed by uninvolved parties. At the same time, the systems have to guarantee the necessary legal certainty for the transactions being carried out. It will be demonstrated (Section 1) that legal regulation alone is not sufficient to ensure that these requirements are dependably met. For this reason, known technical methods and new proposals from the field of information technology are presented as a complement to legal regulation. On the one hand, these proposals guarantee unobservability and anonymity when using the system (Section 2) and, on the other hand, they provide sufficient legal certainty for the conduct of typical business processes over the open system without sacrificing anonymity (Section 3). Due to their particular importance, two issues...
CCCP: Secure Remote Storage for Computational RFIDs
Cited by 3 (2 self)

Abstract
Passive RFID tags harvest their operating energy from an interrogating reader, but constant energy shortfalls severely limit their computational and storage capabilities. We propose Cryptographic Computational Continuation Passing (CCCP), a mechanism that amplifies programmable passive RFID tags' capabilities by exploiting an often overlooked, plentiful resource: low-power radio communication. While radio communication is more energy intensive than flash memory writes in many embedded devices, we show that the reverse is true for passive RFID tags. A tag can use CCCP to checkpoint its computational state to an untrusted reader using less energy than an equivalent flash write, thereby allowing it to devote a greater share of its energy to computation. Security is the major challenge in such remote checkpointing. Using scant and fleeting energy, a tag must enforce confidentiality, authenticity, integrity, and data freshness while communicating with potentially untrustworthy infrastructure. Our contribution synthesizes well-known cryptographic and low-power techniques with a novel flash memory storage strategy, resulting in a secure remote storage facility for an emerging class of devices. Our evaluation of CCCP consists of energy measurements of a prototype implementation on the batteryless, MSP430-based WISP platform. Our experiments show that, despite cryptographic overhead, remote checkpointing consumes less energy than checkpointing to flash for data sizes above roughly 64 bytes. CCCP enables secure and flexible remote storage that would otherwise outstrip batteryless RFID tags' resources.
MAC precomputation with applications to secure memory
ISC 2009, LNCS, 2009
Cited by 2 (0 self)

Abstract
We present ShMAC (Shallow MAC), a fixed input length message authentication code that performs most of the computation prior to the availability of the message. Specifically, ShMAC's message-dependent computation is much faster and smaller in hardware than the evaluation of a pseudorandom permutation (PRP), and can be implemented by a small shallow circuit, while its precomputation consists of one PRP evaluation. A main building block for ShMAC is the notion of strong differential uniformity (SDU), which we introduce, and which may be of independent interest. We present an efficient SDU construction built from previously considered differentially uniform functions. Our motivating application is a system architecture where a hardware-secured processor uses memory controlled by an adversary. We present in technical detail a novel, more efficient approach to encrypting and authenticating memory and discuss the associated trade-offs, while paying special attention to minimizing hardware costs and the reduction of DRAM latency.
New Applications of Differential Bounds of the SDS Structure
Cited by 1 (1 self)

Abstract
In this paper, we present some new applications of the bounds for the differential probability of a SDS (Substitution-Diffusion-Substitution) structure by Park et al. at FSE 2003. Park et al. have applied their result on the AES cipher which uses the SDS structure based on MDS matrices. We shall apply their result to practical ciphers that use SDS structures based on {0, 1}-matrices of size n × n. These structures are useful because they can be efficiently implemented in hardware. We prove a bound on {0, 1}-matrices to show that they cannot be MDS and are almost-MDS only when n = 2, 3, or 4. Thus we have to apply Park's result whenever {0, 1}-matrices where n ≥ 5 are used because previous results only hold for MDS and almost-MDS diffusion matrices. Based on our bound, we also show that the {0, 1}-matrix used in E2 is almost-optimal among {0, 1}-matrices. Using Park's result, we prove differential bounds for E2 and an MCrypton-like cipher, from which we can deduce their security against boomerang attack and some of its variants. At ICCSA 2006, Khoo and Heng constructed block cipher-based universal hash functions, from which they derived Message Authentication Codes (MACs) which are faster than CBC-MAC. Park's result provides us with the means to obtain a more accurate bound for their universal hash function. With this bound, we can restrict the number of MACs performed before a change of MAC key is needed.