Floating-Point Arithmetic and Message Authentication
2000
Cited by 31 (9 self)
There is a well-known class of message authentication systems guaranteeing that attackers will have a negligible chance of successfully forging a message. This paper shows how one of these systems can hash messages at extremely high speed, much more quickly than previous systems at the same security level, using IEEE floating-point arithmetic. This paper also presents a survey of the literature in a unified mathematical framework.
Remote Data Checking for Network Coding-based Distributed Storage Systems
In the Proceedings of ACM CCSW 2010, 2010
Cited by 30 (3 self)
Remote Data Checking (RDC) is a technique by which clients can establish that data outsourced at untrusted servers remains intact over time. RDC is useful as a prevention tool, allowing clients to periodically check if data has been damaged, and as a repair tool whenever damage has been detected. Initially proposed in the context of a single server, RDC was later extended to verify data integrity in distributed storage systems that rely on replication and on erasure coding to store data redundantly at multiple servers. Recently, a technique was proposed to add redundancy based on network coding, which offers interesting tradeoffs because of its remarkably low communication overhead to repair corrupt servers. Unlike previous work on RDC, which focused on minimizing the costs of the prevention phase, we take a holistic look and initiate the investigation of RDC schemes for distributed systems that rely on network coding to minimize the combined costs of both the prevention and repair phases. We propose RDC-NC, a novel secure and efficient RDC scheme for network coding-based distributed storage systems. RDC-NC mitigates new attacks that stem from the underlying principle of network coding. The scheme is able to preserve, in an adversarial setting, the minimal communication overhead of the repair component achieved by network coding in a benign setting. We implement our scheme and experimentally show that it is computationally inexpensive for both clients and servers.
Square Hash: Fast Message Authentication via Optimized Universal Hash Functions
In Proc. CRYPTO 99, Lecture Notes in Computer Science, 1999
Cited by 30 (6 self)
This paper introduces two new ideas in the construction of fast universal hash functions geared towards the task of message authentication.
OMAC: One-Key CBC MAC
Preproceedings of Fast Software Encryption, FSE 2003, 2002
Cited by 28 (6 self)
In this paper, we present One-key CBC MAC (OMAC) and prove its security for arbitrary-length messages. OMAC takes only one key, K (k bits), of a block cipher E. Previously, XCBC required three keys, (k + 2n) bits in total, and TMAC required two keys, (k + n) bits in total, where n denotes the block length of E.
From unpredictability to indistinguishability: A simple construction of pseudorandom functions from MACs
Advances in Cryptology, CRYPTO '98, LNCS, 1998
Cited by 26 (9 self)
This paper studies the relationship between unpredictable functions (which formalize the concept of a MAC) and pseudorandom functions. We show an efficient transformation of the former to the latter using a unique application of the Goldreich-Levin hard-core bit (taking the inner product with a random vector r): while in most applications of the GL bit the random vector r may be public, in our setting this is not the case. The transformation is only secure when r is secret and treated as part of the key. In addition, we consider weaker notions of unpredictability and their relationship to the corresponding notions of pseudorandomness. Using these weaker notions we formulate the exact requirements of standard protocols for private-key encryption, authentication and identification. In particular, this implies a simple construction of a private-key encryption scheme from the standard challenge-response identification scheme.
How to Stretch Random Functions: The Security of Protected Counter Sums
Journal of Cryptology, 1999
Cited by 21 (8 self)
Let f be an unpredictable random function taking (b + c)-bit inputs to b-bit outputs. This paper presents an unpredictable random function f' taking variable-length inputs to b-bit outputs. This construction has several advantages over chaining, which was proven unpredictable by Bellare, Kilian, and Rogaway, and cascading, which was proven unpredictable by Bellare, Canetti, and Krawczyk. The highlight here is a very simple proof of security.
Does Encryption with Redundancy Provide Authenticity?
In Advances in Cryptology — EUROCRYPT 2001, B. Pfitzmann, Ed., Lecture Notes in Computer Science, 2001
Cited by 16 (5 self)
A popular paradigm for achieving privacy plus authenticity is to append some “redundancy” to the data before encrypting. We investigate the security of this paradigm at both a general and a specific level. We consider various possible notions of privacy for the base encryption scheme, and for each such notion we provide a condition on the redundancy function that is necessary and sufficient to ensure authenticity of the encryption-with-redundancy scheme. We then consider the case where the base encryption scheme is a variant of CBC called NCBC, and find sufficient conditions on the redundancy functions for NCBC encryption-with-redundancy to provide authenticity. Our results highlight an important distinction between public redundancy functions, meaning those that the adversary can compute, and secret ones, meaning those that depend on the shared key between the legitimate parties.
On the Round Security of Symmetric-Key Cryptographic Primitives
In Advances in Cryptology — CRYPTO ’00, volume 1880 of LNCS, 2000
Cited by 12 (1 self)
We put forward a new model for understanding the security of symmetric-key primitives, such as block ciphers. The model captures the fact that many such primitives often consist of iterating simpler constructs for a number of rounds, and may provide insight into the security of such designs. We completely characterize the security of four-round Luby-Rackoff ciphers in our model, and show that the ciphers remain secure even if the adversary is given black-box access to the middle two round functions. A similar result can be obtained for message authentication codes based on universal hash functions.
1 Introduction. 1.1 Block Ciphers. A block cipher is a family of permutations on a message space indexed by a secret key. Each permutation in the family deterministically maps plaintext blocks of some fixed length to ciphertext blocks of the same length; both the permutation and its inverse are efficiently computable given the key. Motivated originally by the study of security of the block ciphe...
Fast universal hashing with small keys and no preprocessing: the PolyR construction
2000
Cited by 10 (1 self)
We describe a universal hash-function family, PolyR, which hashes messages of effectively arbitrary lengths in 3.9 to 6.9 cycles/byte (cpb) on a Pentium II (achieving a collision probability in the range 2^-16 to 2^-50). Unlike most proposals, PolyR actually hashes short messages faster (per byte) than long ones. At the same time, its key is only a few bytes, the output is only a few bytes, and no "preprocessing" is needed to achieve maximal efficiency. Our designs have been strongly influenced by low-level considerations relevant to software speed, and experimental results are given throughout.