Results 1 - 8 of 8
UMAC: Fast and Secure Message Authentication, 1999
Cited by 96 (13 self)
Abstract. We describe a message authentication algorithm, UMAC, which can authenticate messages (in software, on contemporary machines) roughly an order of magnitude faster than current practice (e.g., HMAC-SHA1), and about twice as fast as times previously reported for the universal hash-function family MMH. To achieve such speeds, UMAC uses a new universal hash-function family, NH, and a design which allows effective exploitation of SIMD parallelism. The “cryptographic” work of UMAC is done using standard primitives of the user’s choice, such as a block cipher or cryptographic hash function; no new heuristic primitives are developed here. Instead, the security of UMAC is rigorously proven, in the sense of giving exact and quantitatively strong results which demonstrate an inability to forge UMAC-authenticated messages assuming an inability to break the underlying cryptographic primitive. Unlike conventional, inherently serial MACs, UMAC is parallelizable, and will have ever-faster implementation speeds as machines offer up increasing amounts of parallelism. We envision UMAC as a practical algorithm for next-generation message authentication.
MMH: Software Message Authentication in the Gbit/second Rates, 1997
Cited by 35 (3 self)
March, 1997 Abstract We describe a construction of almost universal hash functions suitable for very fast software implementation and applicable to the hashing of variable size data and fast cryptographic message authentication. Our construction uses fast single precision arithmetic which is increasingly supported by modern processors due to the growing needs for fast arithmetic posed by multimedia applications. We report on hand-optimized assembly implementations on a 150 MHz PowerPC 604 and a 150 MHz Pentium-Pro, which achieve hashing speeds of 350 to 820 Mbit/sec, depending on the desired level of security (or collision probability), and a rate of more than 1 Gbit/sec on a 200 MHz Pentium-Pro. This represents a significant speed-up over current software implementations of universal hashing and other message authentication techniques (e.g., MD5-based). Moreover, our construction is specifically designed to take advantage of emerging microprocessor technologies (such as Intel's MMX, ...
The Poly1305-AES message-authentication code - In Proc. FSE, 2005
Cited by 24 (10 self)
Abstract. Poly1305-AES is a state-of-the-art message-authentication code suitable for a wide variety of applications. Poly1305-AES computes a 16-byte authenticator of a variable-length message, using a 16-byte AES key, a 16-byte additional key, and a 16-byte nonce. The security of Poly1305-AES is very close to the security of AES; the security gap is at most $14D\lceil L/16\rceil/2^{106}$ if messages have at most L bytes, the attacker sees at most $2^{64}$ authenticated messages, and the attacker attempts D forgeries. Poly1305-AES can be computed at extremely high speed: for example, fewer than 3.625(ℓ + 170) Athlon cycles for an ℓ-byte message. This speed is achieved without precomputation; consequently, 1000 keys can be handled simultaneously without cache misses. Special-purpose hardware can compute Poly1305-AES at even higher speed. Poly1305-AES is parallelizable, incremental, and not subject to any intellectual-property claims.
Software performance of universal hash functions - In Advances in Cryptology — EUROCRYPT ’99, 1999
Cited by 22 (0 self)
Abstract. This paper compares the parameter sizes and software performance of several recent constructions for universal hash functions: bucket hashing, polynomial hashing, Toeplitz hashing, division hashing, evaluation hashing, and MMH hashing. An objective comparison between these widely varying approaches is achieved by defining constructions that offer a comparable security level. It is also demonstrated how the security of these constructions compares favorably to existing MAC algorithms, the security of which is less understood.
Bucket Hashing with a Small Key Size - In Advances in Cryptology – EUROCRYPT ’97 (1997), Lecture Notes in Computer Science, 1997
Cited by 9 (0 self)
In this paper we consider very fast evaluation of strongly universal hash functions, or equivalently, authentication codes. We show how it is possible to modify some known families of hash functions into a form such that the evaluation is similar to "bucket hashing", a technique for very fast hashing introduced by Rogaway. Rogaway's bucket hash family has a huge key size, which for common parameter choices can be more than a hundred thousand bits. The proposed hash families have a key size that is close to the key size of the theoretically best known constructions, typically a few hundred bits, and the evaluation has a time complexity that is similar to bucket hashing.
Fast universal hashing with small keys and no preprocessing: the PolyR construction, 2000
Cited by 8 (1 self)
We describe a universal hash-function family, PolyR, which hashes messages of effectively arbitrary lengths in 3.9–6.9 cycles/byte (cpb) on a Pentium II (achieving a collision probability in the range $2^{-16}$–$2^{-50}$). Unlike most proposals, PolyR actually hashes short messages faster (per byte) than long ones. At the same time, its key is only a few bytes, the output is only a few bytes, and no "preprocessing" is needed to achieve maximal efficiency. Our designs have been strongly influenced by low-level considerations relevant to software speed, and experimental results are given throughout.
Message authentication on 64-bit architectures - In Selected Areas in Cryptography: 13th International Workshop, SAC 2006, 2006
Cited by 4 (3 self)
Abstract. This paper introduces VMAC, a message authentication algorithm (MAC) optimized for high performance in software on 64-bit architectures. On the Athlon 64 processor, VMAC authenticates 2KB cache-resident messages at a cost of about 0.5 CPU cycles per message byte (cpb) — significantly faster than other recent MAC schemes such as UMAC (1.0 cpb) and Poly1305 (3.1 cpb). VMAC is a MAC in the Wegman-Carter style, employing a “universal” hash function VHASH, which is fully developed in this paper. VHASH employs a three-stage hashing strategy, and each stage is developed with the goal of optimal performance in 64-bit environments.
On Computation of Polynomial Modular Reduction, 2000
Cited by 2 (0 self)
In this paper, we consider the problem of efficient computation of polynomial modular reduction: A(x) mod f(x), where f(x) is a monic polynomial of degree n and A(x) is a polynomial of degree not greater than n + t 1; t > 1, both f(x) and A(x) are defined over a commutative ring R with identity. For given f(x) and the degree n + t 1 of A(x), we present an algorithm to compute this problem in t(w 1) addition operations in R and the same number of multiplication operations in R, where w is the Hamming weight of f(x). Applications of the proposed algorithm to finite field arithmetic are also discussed. Key Word: Polynomial arithmetic, modular operation, finite field arithmetic, complexity. 1. INTRODUCTION The recent advances in public key cryptography, especially elliptic curve cryptography, have rekindled the research in polynomial arithmetic, which is required in many finite field operations. One example is finite field multiplication. Let f(x) be an irreducible polynomial over GF(q) ...

