Results 11  20
of
73
A System for Authenticated PolicyCompliant Routing
, 2004
"... Internet end users and ISPs alike have little control over how packets are routed outside of their own AS, restricting their ability to achieve levels of performance, reliability, and utility that might otherwise be attained. While researchers have proposed a number of sourcerouting techniques to c ..."
Abstract

Cited by 54 (6 self)
 Add to MetaCart
Internet end users and ISPs alike have little control over how packets are routed outside of their own AS, restricting their ability to achieve levels of performance, reliability, and utility that might otherwise be attained. While researchers have proposed a number of sourcerouting techniques to combat this limitation, there has thus far been no way for independent ASes to ensure that such traffic does not circumvent local traffic policies, nor to accurately determine the correct party to charge for forwarding the traffic. We present Platypus, an authenticated source routing system built around the concept of network capabilities. Network capabilities allow for accountable, finegrained path selection by cryptographically attesting to policy compliance at each hop along a source route. Capabilities can be composed to construct routes through multiple ASes and can be delegated to third parties. Platypus caters to the needs of both end users and ISPs: users gain the ability to pool their resources and select routes other than the default, while ISPs maintain control over where, when, and whose packets traverse their networks. We describe how Platypus can be used to address several wellknown issues in widearea routing at both the edge and the core, and evaluate its performance, security, and interactions with existing protocols. Our results show that incremental deployment of Platypus can achieve immediate gains.
On the Security of Randomized CBCMAC Beyond the Birthday Paradox Limit  A New Construction
 Fast Software Encryption ’02, Lecture Notes in Computer Science
, 2001
"... . In this paper, we study the security of randomized CBC{MACs and propose a new construction that resists birthday paradox attacks and provably reaches full security. The proof is done in a new security model that may be of independent interest to study the security of randomized functions. The size ..."
Abstract

Cited by 27 (1 self)
 Add to MetaCart
. In this paper, we study the security of randomized CBC{MACs and propose a new construction that resists birthday paradox attacks and provably reaches full security. The proof is done in a new security model that may be of independent interest to study the security of randomized functions. The size of the MAC tags in this construction is optimal, i.e., exactly twice the size of the block cipher. Up to a constant, the security of the proposed randomized CBC{MAC using an n{bit block cipher is the same as the security of the usual encrypted CBC{MAC using a 2n{bit block cipher. Moreover, this construction adds a negligible computational overhead compared to the cost of a plain, nonrandomized CBC{MAC. 1
ExposureResilient Cryptography
, 2000
"... We develop the notion of ExposureResilient Cryptography. While standard cryptographic definitions and constructions do not guarantee any security even if a tiny fraction of the secret entity (e.g., cryptographic key) is compromised, the objective of ExposureResilient Cryptography is to build infor ..."
Abstract

Cited by 24 (2 self)
 Add to MetaCart
We develop the notion of ExposureResilient Cryptography. While standard cryptographic definitions and constructions do not guarantee any security even if a tiny fraction of the secret entity (e.g., cryptographic key) is compromised, the objective of ExposureResilient Cryptography is to build information structures such that almost complete (intentional or unintentional) exposure of such a structure still protects the secret information embedded in this structure. The key to our approach is a new primitive of independent interest, which we call an ExposureResilient Function (ERF)  a deterministic function whose output appears random (in a perfect, statistical or computational sense) even if almost all the bits of the input are known. ERF's by themselves eciently solve the partial exposure of secrets in the setting where the secret is simply a random value, like in the privatekey cryptography. They can also be viewed as very secure pseudorandom generators and have many other applica...
Passport: Secure and Adoptable Source Authentication
"... We present the design and evaluation of Passport, a system that allows source addresses to be validated within the network. Passport uses efficient, symmetrickey cryptography to place tokens on packets that allow each autonomous system (AS) along the network path to independently verify that a sour ..."
Abstract

Cited by 24 (6 self)
 Add to MetaCart
We present the design and evaluation of Passport, a system that allows source addresses to be validated within the network. Passport uses efficient, symmetrickey cryptography to place tokens on packets that allow each autonomous system (AS) along the network path to independently verify that a source address is valid. It leverages the routing system to efficiently distribute the symmetric keys used for verification, and is incrementally deployable without upgrading hosts. We have implemented Passport with Click and XORP and evaluated the design via microbenchmarking, experiments on the Deterlab, security analysis, and adoptability modeling. We find that Passport is plausible for gigabit links, and can mitigate reflector attacks even without separate denialofservice defenses. Our adoptability modeling shows that Passport provides stronger security and deployment incentives than alternatives such as ingress filtering. This is because the ISPs that adopt it protect their own addresses from being spoofed at each other’s networks even when the overall deployment is small. 1.
Square Hash: Fast Message Authentication via Optimized Universal Hash Functions
 In Proc. CRYPTO 99, Lecture Notes in Computer Science
, 1999
"... This paper introduces two new ideas in the construction of fast universal hash functions geared towards the task of message authentication. ..."
Abstract

Cited by 21 (6 self)
 Add to MetaCart
This paper introduces two new ideas in the construction of fast universal hash functions geared towards the task of message authentication.
Lecture Notes on Cryptography
, 2001
"... This is a set of lecture notes on cryptography compiled for 6.87s, a one week long course on cryptography taught at MIT by Shafi Goldwasser and Mihir Bellare in the summers of 1996–2001. The notes were formed by merging notes written for Shafi Goldwasser’s Cryptography and Cryptanalysis course at MI ..."
Abstract

Cited by 17 (0 self)
 Add to MetaCart
This is a set of lecture notes on cryptography compiled for 6.87s, a one week long course on cryptography taught at MIT by Shafi Goldwasser and Mihir Bellare in the summers of 1996–2001. The notes were formed by merging notes written for Shafi Goldwasser’s Cryptography and Cryptanalysis course at MIT with notes written for Mihir Bellare’s Cryptography and network security course at UCSD. In addition, Rosario Gennaro (as Teaching Assistant for the course in 1996) contributed Section 9.6, Section 11.4, Section 11.5, and Appendix D to the notes, and also compiled, from various sources, some of the problems in Appendix E. Cryptography is of course a vast subject. The thread followed by these notes is to develop and explain the notion of provable security and its usage for the design of secure protocols. Much of the material in Chapters 2, 3 and 7 is a result of scribe notes, originally taken by MIT graduate students who attended Professor Goldwasser’s Cryptography and Cryptanalysis course over the years, and later edited by Frank D’Ippolito who was a teaching assistant for the course in 1991. Frank also contributed much of the advanced number theoretic material in the Appendix. Some of the material in Chapter 3 is from the chapter on Cryptography, by R. Rivest, in the Handbook of Theoretical Computer Science. Chapters 4, 5, 6, 8 and 10, and Sections 9.5 and 7.4.6, were written by Professor Bellare for his Cryptography and network security course at UCSD.
Refined quorum systems
 In Proceedings of the 26th annual ACM symposium on Principles of distributed computing
, 2007
"... Abstract. It is considered good distributed computing practice to devise object implementations that tolerate contention, periods of asynchrony and a large number of failures, but perform fast if few failures occur, the system is synchronous and there is no contention. This paper initiates the first ..."
Abstract

Cited by 13 (4 self)
 Add to MetaCart
Abstract. It is considered good distributed computing practice to devise object implementations that tolerate contention, periods of asynchrony and a large number of failures, but perform fast if few failures occur, the system is synchronous and there is no contention. This paper initiates the first study of quorum systems that help design such implementations by encompassing, at the same time, optimal resilience, as well as optimal bestcase complexity. We introduce the notion of a refined quorum system (RQS) of some set S as a set of three classes of subsets (quorums) of S: first class quorums are also second class quorums, themselves being also third class quorums. First class quorums have large intersections with all other quorums, second class quorums typically have smaller intersections with those of the third class, the latter simply correspond to traditional quorums. Intuitively, under uncontended and synchronous conditions, a distributed object implementation would expedite an operation if a quorum of the first class is accessed, then degrade gracefully depending on whether a quorum of the second or the third class is accessed. Our notion of refined quorum system is devised assuming a general adversary structure, and this basically allows algorithms relying on refined quorum systems to relax the assumption of independent process failures, often questioned in practice.
Concealment and its applications to authenticated encryption
 In EUROCRYPT 2003
, 2003
"... Abstract. We introduce a new cryptographic primitive we call concealment, which is related, but quite different from the notion of commitment. A concealment is a publicly known randomized transformation, which, on input m, outputs a hider h and a binder b. Together, h and b allow one to recover m, b ..."
Abstract

Cited by 10 (2 self)
 Add to MetaCart
Abstract. We introduce a new cryptographic primitive we call concealment, which is related, but quite different from the notion of commitment. A concealment is a publicly known randomized transformation, which, on input m, outputs a hider h and a binder b. Together, h and b allow one to recover m, but separately, (1) the hider h reveals “no information” about m, while (2) the binder b can be “meaningfully opened ” by at most one hider h. While setting b = m, h = ∅ is a trivial concealment, the challenge is to make b  ≪ m, which we call a “nontrivial ” concealment. We show that nontrivial concealments are equivalent to the existence of collisionresistant hash functions. Moreover, our construction of concealments is extremely simple, optimal, and yet very general, giving rise to a multitude of efficient implementations. We show that concealments have natural and important applications in the area of authenticated encryption. Specifically, let AE be an authenticated encryption scheme (either public or symmetrickey) designed
On the Round Security of SymmetricKey Cryptographic Primitives
 In Advances in Cryptology — CRYPTO ’00, volume 1880 of LNCS
, 2000
"... We put forward a new model for understanding the security of symmetrickey primitives, such as block ciphers. The model captures the fact that many such primitives often consist of iterating simpler constructs for a number of rounds, and may provide insight into the security of such designs. We comp ..."
Abstract

Cited by 10 (1 self)
 Add to MetaCart
We put forward a new model for understanding the security of symmetrickey primitives, such as block ciphers. The model captures the fact that many such primitives often consist of iterating simpler constructs for a number of rounds, and may provide insight into the security of such designs. We completely characterize the security of fourround LubyRacko ciphers in our model, and show that the ciphers remain secure even if the adversary is given blackbox access to the middle two round functions. A similar result can be obtained for message authentication codes based on universal hash functions. 1 Introduction 1.1 Block Ciphers A block cipher is a family of permutations on a message space indexed by a secret key. Each permutation in the family deterministically maps plaintext blocks of some xed length to ciphertext blocks of the same length; both the permutation and its inverse are eciently computable given the key. Motivated originally by the study of security of the block ciphe...
Fast universal hashing with small keys and no preprocessing: the PolyR construction
, 2000
"... We describe a universal hashfunction family, PolyR, which hashes messages of effectively arbitrary lengths in 3.96.9 cycles/byte (cpb) on a Pentium II (achieving a collision probability in the range 2 16 2 50 ). Unlike most proposals, PolyR actually hashes short messages faster (per byte) tha ..."
Abstract

Cited by 8 (1 self)
 Add to MetaCart
We describe a universal hashfunction family, PolyR, which hashes messages of effectively arbitrary lengths in 3.96.9 cycles/byte (cpb) on a Pentium II (achieving a collision probability in the range 2 16 2 50 ). Unlike most proposals, PolyR actually hashes short messages faster (per byte) than long ones. At the same time, its key is only a few bytes, the output is only a few bytes, and no "preprocessing" is needed to achieve maximal effciency. Our designs have been strongly influenced by lowlevel considerations relevant to software speed, and experimental results are given throughout.