Results 1-10 of 21
Floating-Point Arithmetic and Message Authentication
2000
Cited by 31 (9 self)
Abstract
There is a well-known class of message authentication systems guaranteeing that attackers will have a negligible chance of successfully forging a message. This paper shows how one of these systems can hash messages at extremely high speed, much more quickly than previous systems at the same security level, using IEEE floating-point arithmetic. This paper also presents a survey of the literature in a unified mathematical framework.
Lecture Notes on Cryptography
2001
Cited by 22 (0 self)
Abstract
This is a set of lecture notes on cryptography compiled for 6.87s, a one-week-long course on cryptography taught at MIT by Shafi Goldwasser and Mihir Bellare in the summers of 1996–2001. The notes were formed by merging notes written for Shafi Goldwasser’s Cryptography and Cryptanalysis course at MIT with notes written for Mihir Bellare’s Cryptography and Network Security course at UCSD. In addition, Rosario Gennaro (as Teaching Assistant for the course in 1996) contributed Section 9.6, Section 11.4, Section 11.5, and Appendix D to the notes, and also compiled, from various sources, some of the problems in Appendix E. Cryptography is of course a vast subject. The thread followed by these notes is to develop and explain the notion of provable security and its usage for the design of secure protocols. Much of the material in Chapters 2, 3 and 7 is a result of scribe notes, originally taken by MIT graduate students who attended Professor Goldwasser’s Cryptography and Cryptanalysis course over the years, and later edited by Frank D’Ippolito, who was a teaching assistant for the course in 1991. Frank also contributed much of the advanced number-theoretic material in the Appendix. Some of the material in Chapter 3 is from the chapter on Cryptography, by R. Rivest, in the Handbook of Theoretical Computer Science. Chapters 4, 5, 6, 8 and 10, and Sections 9.5 and 7.4.6, were written by Professor Bellare for his Cryptography and Network Security course at UCSD.
New paradigms for constructing symmetric encryption schemes secure against chosen ciphertext attack
Advances in Cryptology - CRYPTO 2000, 2000
Cited by 15 (0 self)
Abstract
The paradigms currently used to realize symmetric encryption schemes secure against adaptive chosen ciphertext attack (CCA) try to make it infeasible for an attacker to forge “valid” ciphertexts. This is achieved by either encoding the plaintext with some redundancy before encrypting or by appending a MAC to the ciphertext. We suggest schemes which are provably secure against CCA, and yet every string is a “valid” ciphertext. Consequently, our schemes have a smaller ciphertext expansion than any other scheme known to be secure against CCA. Our most efficient scheme is based on a novel use of “variable-length” pseudorandom functions and can be efficiently implemented using block ciphers. We relate the difficulty of breaking our schemes to that of breaking the underlying primitives in a precise and quantitative way.
Pseudo-Random Functions and Parallelizable Modes of Operations of a Block Cipher
Cited by 9 (4 self)
Abstract
This paper considers the construction and analysis of pseudorandom functions (PRFs) with specific reference to modes of operations of a block cipher. In the context of message authentication codes (MACs), earlier independent work by Bernstein and Vaudenay shows how to reduce the analysis of relevant PRFs to some probability calculations. In the first part of the paper, we revisit this result and use it to prove a general result on constructions which use a PRF with a “small” domain to build a PRF with a “large” domain. This result is used to analyse two new parallelizable PRFs which are suitable for use as MAC schemes. The first scheme, called iPMAC, is based on a block cipher and improves upon the well-known PMAC algorithm. The improvements consist in faster masking operations and the removal of a design-stage discrete logarithm computation. The second scheme, called VPMAC, uses a keyed compression function rather than a block cipher. The only previously known compression-function-based parallelizable PRF is called the protected counter sum (PCS) and is due to Bernstein. VPMAC improves upon PCS by requiring fewer calls to the compression function. The second part of the paper takes a new look at the construction and analysis of modes of operations for authenticated encryption (AE) and for authenticated encryption with associated data (AEAD). Usually, the most complicated part in the security analysis of such modes is the analysis of authentication
Elastic Block Ciphers
2004
Cited by 9 (7 self)
Abstract
We introduce a new concept of elastic block ciphers, symmetric-key encryption algorithms that for a variable-size input do not expand the plaintext (i.e., do not require plaintext padding), while maintaining the diffusion property of traditional block ciphers and adjusting their computational load proportionally to the size increase. Elastic block ciphers are ideal for applications where length-preserving encryption is most beneficial, such as protecting variable-length database entries or network packets.
Proposal to NIST for a parallelizable message authentication code
2001
Cited by 5 (0 self)
Abstract
accounting. PMAC uses ⌈|M|/n⌉ block-cipher invocations for any nonempty message M. (The empty string takes one block-cipher invocation.) We compare with the CBC MAC: the “basic” CBC MAC, which assumes that the message is a nonzero multiple of the block length and which is only secure when all messages to be MACed are of one fixed length, uses the same number of block-cipher calls: |M|/n.
Elastic Block Ciphers: Method, Security and Instantiations
Cited by 4 (0 self)
Abstract
We introduce the concept of an elastic block cipher, which refers to stretching the supported block size of a block cipher to any length up to twice the original block size while incurring a computational workload that is proportional to the block size. Our method uses the round function of an existing block cipher as a black box and inserts it into a substitution-permutation network. Our method is designed to enable us to form a reduction between the elastic and the original versions of the cipher. Using this reduction, we prove that the elastic version of a cipher is secure against key-recovery attacks if the original cipher is secure against such attacks. We note that while reduction-based proofs of security are a cornerstone of cryptographic analysis, they are typical when complete components are used as sub-components in a larger design. We are not aware of the use of such techniques in the case of concrete block cipher designs. We demonstrate the general applicability of the elastic block cipher method by constructing examples from existing block ciphers: AES, Camellia, MISTY1 and RC6. We compare the performance of the elastic versions to that of the original versions and evaluate the elastic versions using statistical tests measuring the randomness of the ciphertext. We also use our examples to demonstrate the concept of a generic key schedule for block ciphers. Key words: elastic block ciphers, variable-length block ciphers, security analysis, reduction proof, key-recovery attacks.
Extending the Salsa20 nonce
Cited by 1 (0 self)
Abstract
This paper introduces the XSalsa20 stream cipher. XSalsa20 is based upon the Salsa20 stream cipher but has a much longer nonce: 192 bits instead of 64 bits. XSalsa20 has exactly the same streaming speed as Salsa20, and its extra nonce-setup cost is slightly smaller than the cost of generating one block of Salsa20 output. This paper proves that XSalsa20 is secure if Salsa20 is secure: any successful fast attack on XSalsa20 can be converted into a successful fast attack on Salsa20.
Surf: Simple Unpredictable Random Function
Cited by 1 (1 self)
Abstract
This paper presents surf_k, a reasonably fast function that converts a 384-bit input into a 256-bit output, given a 1024-bit seed k. When k is secret and uniformly selected, surf_k seems to be indistinguishable from a uniformly selected 384-bit-to-256-bit function.