Results 11  20
of
47
Stronger security bounds for WegmanCarterShoup authenticators
 In EUROCRYPT
, 2005
"... Abstract. Shoup proved that various messageauthentication codes of the form (n, m) ↦ → h(m) + f(n) are secure against all attacks that see at most � 1/ɛ authenticated messages. Here m is a message; n is a nonce chosen from a public group G; f is a secret uniform random permutation of G; h is a secr ..."
Abstract

Cited by 26 (3 self)
 Add to MetaCart
(Show Context)
Abstract. Shoup proved that various messageauthentication codes of the form (n, m) ↦ → h(m) + f(n) are secure against all attacks that see at most � 1/ɛ authenticated messages. Here m is a message; n is a nonce chosen from a public group G; f is a secret uniform random permutation of G; h is a secret random function; and ɛ is a differential probability associated with h. Shoup’s result implies that if AES is secure then various stateoftheart messageauthentication codes of the form (n, m) ↦ → h(m) + AESk(n) are secure up to � 1/ɛ authenticated messages. Unfortunately, � 1/ɛ is only about 2 50 for some stateoftheart systems, so Shoup’s result provides no guarantees for longterm keys. This paper proves that security of the same systems is retained up to √ #G authenticated messages. In a typical stateoftheart system, √ #G is 2 64. The heart of the paper is a very general “onesided ” security theorem: (n, m) ↦ → h(m) + f(n) is secure if there are small upper bounds on differential probabilities for h and on interpolation probabilities for f. Keywords: mode of operation, authentication, MAC, WegmanCarter, provable security
Quantum Oblivious Mutual Identification
"... . We consider a situation where two parties, Alice and Bob, share a common secret string and would like to mutually check their knowledge of that string. We describe a simple and efficient protocol based on the exchange of quantum information to check mutual knowledge of a common string in such a w ..."
Abstract

Cited by 18 (5 self)
 Add to MetaCart
. We consider a situation where two parties, Alice and Bob, share a common secret string and would like to mutually check their knowledge of that string. We describe a simple and efficient protocol based on the exchange of quantum information to check mutual knowledge of a common string in such a way that honest parties will always succeed in convincing each other, while a dishonest party interacting with an honest party will have vanishingly small probability of convincing him. Moreover, a dishonest party gains only a very small amount of information about the secret string from running the protocol: whoever enters the protocol with no knowledge of the secret string would have to enter this protocol an exponential number of times in order to gain nonnegligible information about the string. Our scheme offers an efficient identification technique with a security that depends on no computational assumption, only on the correctness of quantum mechanics. We believe such a system should b...
PseudoRandom Functions and Factoring
 Proc. 32nd ACM Symp. on Theory of Computing
, 2000
"... The computational hardness of factoring integers is the most established assumption on which cryptographic primitives are based. This work presents an efficient construction of pseudorandom functions whose security is based on the intractability of factoring. In particular, we are able to constru ..."
Abstract

Cited by 18 (3 self)
 Add to MetaCart
(Show Context)
The computational hardness of factoring integers is the most established assumption on which cryptographic primitives are based. This work presents an efficient construction of pseudorandom functions whose security is based on the intractability of factoring. In particular, we are able to construct efficient lengthpreserving pseudorandom functions where each evaluation requires only a (small) constant number of modular multiplications per output bit. This is substantially more efficient than any previous construction of pseudorandom functions based on factoring, and matches (up to a constant factor) the efficiency of the best known factoringbased pseudorandom bit generators.
CCCP: Secure Remote Storage for Computational RFIDs ∗
"... Passive RFID tags harvest their operating energy from an interrogating reader, but constant energy shortfalls severely limit their computational and storage capabilities. We propose Cryptographic Computational Continuation Passing (CCCP), a mechanism that amplifies programmable passive RFID tags ’ c ..."
Abstract

Cited by 12 (7 self)
 Add to MetaCart
(Show Context)
Passive RFID tags harvest their operating energy from an interrogating reader, but constant energy shortfalls severely limit their computational and storage capabilities. We propose Cryptographic Computational Continuation Passing (CCCP), a mechanism that amplifies programmable passive RFID tags ’ capabilities by exploiting an often overlooked, plentiful resource: lowpower radio communication. While radio communication is more energy intensive than flash memory writes in many embedded devices, we show that the reverse is true for passive RFID tags. A tag can use CCCP to checkpoint its computational state to an untrusted reader using less energy than an equivalent flash write, thereby allowing it to devote a greater share of its energy to computation. Security is the major challenge in such remote checkpointing. Using scant and fleeting energy, a tag must enforce confidentiality, authenticity, integrity, and data freshness while communicating with potentially untrustworthy infrastructure. Our contribution synthesizes wellknown cryptographic and lowpower techniques with a novel flash memory storage strategy, resulting in a secure remote storage facility for an emerging class of devices. Our evaluation of CCCP consists of energy measurements of a prototype implementation on the batteryless, MSP430based WISP platform. Our experiments show that—despite cryptographic overhead—remote checkpointing consumes less energy than checkpointing to flash for data sizes above roughly 64 bytes. CCCP enables secure and flexible remote storage that would otherwise outstrip batteryless RFID tags ’ resources. 1
Oblivious Verification of Common String
 CWI Quarterly
, 1995
"... . We consider a situation where two parties, Alice and Bob, share a common secret string and would like to mutually check their knowledge of that string. We describe a simple and e#cient protocol based on oblivious transfer to check mutual knowledge of a common string in such a way that honest p ..."
Abstract

Cited by 9 (2 self)
 Add to MetaCart
. We consider a situation where two parties, Alice and Bob, share a common secret string and would like to mutually check their knowledge of that string. We describe a simple and e#cient protocol based on oblivious transfer to check mutual knowledge of a common string in such a way that honest parties will always succeed in convincing each other, while a dishonest party interacting with an honest party will have vanishingly small probability of convincing him. Moreover, a dishonest party gains only a very small amount of information about the secret string from running the protocol: whoever enters the protocol with no knowledge of the secret string would have to enter this protocol an exponential number of times in order to gain nonnegligible information about the string. 1 Introduction Didn't you worry last time you typed your PIN (Personal Identification Number) to an unknown Automated Teller Machine (ATM) that it could be a fake and that the sole purpose of this ATM could be t...
The chain sum primitive and its applications to MACs and stream ciphers
 in (K. Nyberg, Ed) Advances in Cryptology  Proc. EUROCRYPT '98, Lecture Notes in Computer Science 1403
, 1998
"... We present a new scheme called universal block chaining with sum (or chain & sum primitive (C&S) for short), and show its application to the problem of combined encryption and authentication of data. The primitive is a weak CBCtype encryption along with a summing step, and can be used as a ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
(Show Context)
We present a new scheme called universal block chaining with sum (or chain & sum primitive (C&S) for short), and show its application to the problem of combined encryption and authentication of data. The primitive is a weak CBCtype encryption along with a summing step, and can be used as a front end to stream ciphers to encrypt pages or blocks of data (e.g., in an encrypted file system or in a video stream). Under standard assumptions, the resulting encryption scheme provably acts as a random permutation on the blocks, and has message integrity features of standard CBC encryption. The primitive also yields a very fast message authentication code (MAC), which is a multivariate polynomial evaluation hash. The multivariate feature and the summing aspect are novel parts of the design. Our tests show that the chain & sum primitive adds approximately 20 percent overhead to the fastest stream ciphers. 1
Secure and Anonymous Electronic Commerce: Providing Legal Certainty in Open Digital Systems Without Compromising Anonymity
, 2000
"... The growing importance of conducting legal transactions over open digital systems creates new requirements for these systems. They have to be designed in such a way that the users remain anonymous to one another and their activities cannot be observed by uninvolved parties. At the same time, the sys ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
The growing importance of conducting legal transactions over open digital systems creates new requirements for these systems. They have to be designed in such a way that the users remain anonymous to one another and their activities cannot be observed by uninvolved parties. At the same time, the systems have to guarantee the necessary legal certainty for the transactions being carried out. It will be demonstrated (Section 1) that legal regulation alone is not sucient to ensure that these requirements are dependably met. For this reason, known technical methods and new proposals from the eld of information technology are presented as a complement to legal regulation. On the one hand, these proposals guarantee unobservability and anonymity when using the system (Section 2) and, on the other hand, they provide sucient legal certainty for the conduct of typical business processes over the open system without sacricing anonymity (Section 3). Due to their particular importance, two issues...
R.: MAC precomputation with applications to secure memory
 ISC 2009. LNCS
, 2009
"... We present ShMAC (Shallow MAC), a fixed input length message authentication code that performs most of the computation prior to the availability of the message. Specifically, ShMAC’s messagedependent computation is much faster and smaller in hardware than the evaluation of a pseudorandom permutation ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
(Show Context)
We present ShMAC (Shallow MAC), a fixed input length message authentication code that performs most of the computation prior to the availability of the message. Specifically, ShMAC’s messagedependent computation is much faster and smaller in hardware than the evaluation of a pseudorandom permutation (PRP), and can be implemented by a small shallow circuit, while its precomputation consists of one PRP evaluation. A main building block for ShMAC is the notion of strong differential uniformity (SDU), which we introduce, and which may be of independent interest. We present an efficient SDU construction built from previously considered differentially uniform functions. Our motivating application is a system architecture where a hardwaresecured processor uses memory controlled by an adversary. We present in technical detail a novel, more efficient approach to encrypting and authenticating memory and discuss the associated tradeoffs, while paying special attention to minimizing hardware costs and the reduction of DRAM latency.
New Constructions of Universal Hash Functions based on Function Sums
"... Abstract. In this paper, we propose a generalization of the SQUARE hash function family to the function sum hash, which is based on functions with low maximal differential over arbitrary Abelian groups. These new variants allow the designer to construct SQUARElike hash functions on different platfo ..."
Abstract

Cited by 2 (2 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper, we propose a generalization of the SQUARE hash function family to the function sum hash, which is based on functions with low maximal differential over arbitrary Abelian groups. These new variants allow the designer to construct SQUARElike hash functions on different platforms for efficient and secure message authentication. A variant using functions with low algebraic degree over a finite field is also proposed which enables the user to use a shorter key. For more versatility, we also propose a tradeoff between the hash key length and security bound. Finally, we show that we can use an SPN structure in the function sum hash to construct a provably secure MAC with performance which are several times faster than the traditional CBCMAC. Moreover, there are implementation advantages like parallelizability to increase the speed further and reuse of cipher components which help save on implementation resources. 1