Results 1 - 6 of 6
The state of cryptographic hash functions
In Lectures on Data Security: Modern Cryptology in Theory and Practice, LNCS 1561, 1999
"... bart.preneel(AT)esat.kuleuven.be ..."
Software performance of universal hash functions
In Advances in Cryptology — EUROCRYPT '99, 1999
Cited by 22 (0 self)
Abstract. This paper compares the parameter sizes and software performance of several recent constructions for universal hash functions: bucket hashing, polynomial hashing, Toeplitz hashing, division hashing, evaluation hashing, and MMH hashing. An objective comparison between these widely varying approaches is achieved by defining constructions that offer a comparable security level. It is also demonstrated how the security of these constructions compares favorably to existing MAC algorithms, the security of which is less understood.
The Correctness of Crypto Transaction Sets
2001
Cited by 8 (2 self)
Abstract. This talk follows on more from the talks by Larry Paulson and Giampaolo Bella that we had earlier. The problem I'm going to discuss is, what's the next problem to tackle once we've done crypto protocols? We keep on saying that crypto-protocols appear to be "done" and then some new application comes along to give us more targets to work on – multi-media, escrow, you name it. But sooner or later, it seems reasonable to assume, crypto will be done. What's the next thing to do? The argument I'm going to make is that we now have to start looking at the interface between crypto and tamper-resistance. Why do people use tamper resistance? I'm more or less (although not quite) excluding the implementation of tamper resistance that simply has a server sitting in a vault. Although that's functionally equivalent to many more portable kinds of tamper resistance, and although it's the traditional kind of tamper resistance in banking, it's got some extra syntax which becomes most clear when we consider the Regulation of Investigatory Powers (RIP) Bill. When people armed with decryption notices are going to be able to descend on your staff, grab keys, and forbid your staff from telling you, then having these staff working in a Tempest vault doesn't give the necessary protection.
Further Results on Asymmetric Authentication Schemes
Information and Computation, 1999
Cited by 5 (0 self)
Abstract. This paper derives some further results on unconditionally secure asymmetric authentication schemes. It starts by giving a general framework for constructing A²-codes, identifying many known constructions as special cases.
Simmons' Protocol is Not Free of Subliminal Channels
In Proc. of 9th IEEE Computer Security Foundations Workshop, 1996
Cited by 5 (0 self)
Abstract. At the VIth Computer Security Foundations Workshop Simmons presented a protocol to make the Digital Signature Standard free of any subliminal channels. As Simmons has pointed out on several occasions, the design of protocols is very difficult, and protocols have been claimed to have certain properties that they turned out not to have. In this paper we demonstrate that Simmons' protocol is not free of any subliminal channels, by presenting a subliminal channel with a small capacity. We also discuss generalizations, which imply that several already presented protocols claimed to be "subliminal-free" are not.
1. Introduction. At the end of the 1970's and the beginning of the 1980's Simmons addressed on several occasions, see e.g., [21, 22, 23], how to achieve message authentication "without" covert channels in the context of verification of treaty compliance. Then, in 1983 Simmons discovered that one overlooked that one could hide covert data in the authenticator itself, which he called a sublimi...
Principals