Results 1 - 10 of 31
UMAC: Fast and Secure Message Authentication
, 1999
Cited by 150 (15 self)
Abstract. We describe a message authentication algorithm, UMAC, which can authenticate messages (in software, on contemporary machines) roughly an order of magnitude faster than current practice (e.g., HMAC-SHA1), and about twice as fast as times previously reported for the universal hash-function family MMH. To achieve such speeds, UMAC uses a new universal hash-function family, NH, and a design which allows effective exploitation of SIMD parallelism. The “cryptographic” work of UMAC is done using standard primitives of the user’s choice, such as a block cipher or cryptographic hash function; no new heuristic primitives are developed here. Instead, the security of UMAC is rigorously proven, in the sense of giving exact and quantitatively strong results which demonstrate an inability to forge UMAC-authenticated messages assuming an inability to break the underlying cryptographic primitive. Unlike conventional, inherently serial MACs, UMAC is parallelizable, and will have ever-faster implementation speeds as machines offer up increasing amounts of parallelism. We envision UMAC as a practical algorithm for next-generation message authentication.
CBC MACs for arbitrary-length messages: The three-key constructions
 Advances in Cryptology – CRYPTO ’00, Lecture Notes in Computer Science
, 2000
Cited by 82 (19 self)
Abstract. We suggest some simple variants of the CBC MAC that let you efficiently MAC messages of arbitrary lengths. Our constructions use three keys, K1, K2, K3, to avoid unnecessary padding and MAC any message M ∈ {0, 1}* using max{1, ⌈|M|/n⌉} applications of the underlying n-bit block cipher. Our favorite construction, XCBC, works like this: if |M| is a positive multiple of n then XOR the n-bit key K2 with the last block of M and compute the CBC MAC keyed with K1; otherwise, extend M’s length to the next multiple of n by appending minimal 10^i padding (i ≥ 0), XOR the n-bit key K3 with the last block of the padded message, and compute the CBC MAC keyed with K1. We prove the security of this and other constructions, giving concrete bounds on an adversary’s inability to forge in terms of her inability to distinguish the block cipher from a random permutation. Our analysis exploits new ideas which simplify proofs compared to prior work.
Message Authentication using Hash Functions: The HMAC Construction
 CryptoBytes
, 1996
Cited by 56 (1 self)
Introduction. Two parties communicating across an insecure channel need a method by which any attempt to modify the information sent by one to the other, or fake its origin, is detected. Most commonly such a mechanism is based on a shared key between the parties, and in this setting is usually called a MAC, or Message Authentication Code. (Other terms include Integrity Check Value or Cryptographic Checksum). The sender appends to the data D an authentication tag computed as a function of the data and the shared key. At reception, the receiver recomputes the authentication tag on the received message using the shared key, and accepts the data as valid only if this value matches the tag attached to the received message. The most common approach is to construct MACs from block ciphers like DES. Of such constructions
Software performance of universal hash functions
 In Advances in Cryptology — EUROCRYPT ’99
, 1999
Cited by 32 (0 self)
Abstract. This paper compares the parameter sizes and software performance of several recent constructions for universal hash functions: bucket hashing, polynomial hashing, Toeplitz hashing, division hashing, evaluation hashing, and MMH hashing. An objective comparison between these widely varying approaches is achieved by defining constructions that offer a comparable security level. It is also demonstrated how the security of these constructions compares favorably to existing MAC algorithms, the security of which is less understood.
Square Hash: Fast Message Authentication via Optimized Universal Hash Functions
 In Proc. CRYPTO 99, Lecture Notes in Computer Science
, 1999
Cited by 30 (6 self)
This paper introduces two new ideas in the construction of fast universal hash functions geared towards the task of message authentication.
From unpredictability to indistinguishability: A simple construction of pseudorandom functions from MACs
 Advances in Cryptology – CRYPTO '98, LNCS
, 1998
Cited by 25 (9 self)
Abstract. This paper studies the relationship between unpredictable functions (which formalize the concept of a MAC) and pseudorandom functions. We show an efficient transformation of the former to the latter using a unique application of the Goldreich-Levin hard-core bit (taking the inner-product with a random vector r): While in most applications of the GL-bit the random vector r may be public, in our setting this is not the case. The transformation is only secure when r is secret and treated as part of the key. In addition, we consider weaker notions of unpredictability and their relationship to the corresponding notions of pseudorandomness. Using these weaker notions we formulate the exact requirements of standard protocols for private-key encryption, authentication and identification. In particular, this implies a simple construction of a private-key encryption scheme from the standard challenge-response identification scheme.
Fast Hashing and Stream Encryption with PANAMA
 Fast Software Encryption, LNCS 1372
, 1998
Cited by 17 (6 self)
Abstract. We present a cryptographic module that can be used both as a cryptographic hash function and as a stream cipher. High performance is achieved through a combination of low work-factor and a high degree of parallelism. Throughputs of 5.1 bits/cycle for the hashing mode and 4.7 bits/cycle for the stream cipher mode are demonstrated on a commercially available VLIW microprocessor.
Minding Your MAC Algorithms
, 2004
Cited by 7 (0 self)
In spite of the advantages of digital signatures, MAC algorithms are still widely used to authenticate data; common uses include authorization of financial transactions, mobile communications (GSM and 3GPP), and authentication of Internet communications with SSL/TLS and IPsec. While some MAC algorithms are part of `legacy' implementations, the success of MAC algorithms is mainly due to their much lower computational and storage costs (compared to digital signatures). This article describes a list of common pitfalls that the authors have encountered when evaluating MAC algorithms deployed in commercial applications and provides some recommendations for practitioners.
Slide Attacks on a Class of Hash Functions
 Advances in Cryptology—ASIACRYPT ’08 Proceedings
, 2008
Cited by 7 (2 self)
Abstract. This paper studies the application of slide attacks to hash functions. Slide attacks have mostly been used for block cipher cryptanalysis. But, as shown in the current paper, they also form a potential threat for hash functions, namely for sponge-function like structures. As it turns out, certain constructions for hash-function-based MACs can be vulnerable to forgery and even to key recovery attacks. In other cases, we can at least distinguish a given hash function from a random oracle. To illustrate our results, we describe attacks against the Grindahl-256 and Grindahl-512 hash functions. To the best of our knowledge, this is the first cryptanalytic result on Grindahl-512. Furthermore, we point out a slide-based distinguisher attack on a slightly modified version of RadioGatún. We finally discuss simple countermeasures as a defense against slide attacks. Key words: slide attacks, hash function, Grindahl, RadioGatún, MAC, sponge function.