Results 1 - 10 of 39
UMAC: Fast and Secure Message Authentication
1999
Cited by 96 (13 self)
Abstract. We describe a message authentication algorithm, UMAC, which can authenticate messages (in software, on contemporary machines) roughly an order of magnitude faster than current practice (e.g., HMAC-SHA1), and about twice as fast as times previously reported for the universal hash-function family MMH. To achieve such speeds, UMAC uses a new universal hash-function family, NH, and a design which allows effective exploitation of SIMD parallelism. The "cryptographic" work of UMAC is done using standard primitives of the user's choice, such as a block cipher or cryptographic hash function; no new heuristic primitives are developed here. Instead, the security of UMAC is rigorously proven, in the sense of giving exact and quantitatively strong results which demonstrate an inability to forge UMAC-authenticated messages assuming an inability to break the underlying cryptographic primitive. Unlike conventional, inherently serial MACs, UMAC is parallelizable, and will have ever-faster implementation speeds as machines offer up increasing amounts of parallelism. We envision UMAC as a practical algorithm for next-generation message authentication.
Self-Testing/Correcting for Polynomials and for Approximate Functions
1991
Cited by 75 (15 self)
The study of self-testing/correcting programs was introduced in [8] in order to allow one to use program P to compute function f without trusting that P works correctly. A self-tester for f estimates the fraction of x for which P(x) = f(x); and a self-corrector for f takes a program that is correct on most inputs and turns it into a program that is correct on every input with high probability. Both access P only as a black-box and in some precise way are not allowed to compute the function f. Self-correcting is usually easy when the function has the random self-reducibility property. One class of such functions that has this property is the class of multivariate polynomials over finite fields [4] [12]. We extend this result in two directions. First, we show that polynomials are random self-reducible over more general domains: specifically, over the rationals and over noncommutative rings. Second, we show that one can get self-correctors even when the program satisfies weaker co...
Time-Space Tradeoffs for Branching Programs
1999
Cited by 41 (2 self)
We obtain the first non-trivial time-space tradeoff lower bound for functions f : {0, 1}^n → {0, 1} on general branching programs by exhibiting a Boolean function f that requires exponential size to be computed by any branching program of length (1 + ε)n, for some constant ε > 0. We also give the first separation result between the syntactic and semantic read-k models [BRS93] for k > 1 by showing that polynomial-size semantic read-twice branching programs can compute functions that require exponential size on any syntactic read-k branching program. We also show...
Super-Linear Time-Space Tradeoff Lower Bounds for Randomized Computation
2000
Cited by 33 (0 self)
We prove the first time-space lower bound tradeoffs for randomized computation of decision problems. The bounds hold even in the case that the computation is allowed to have arbitrary probability of error on a small fraction of inputs. Our techniques are an extension of those used by Ajtai [Ajt99a, Ajt99b] in his time-space tradeoffs for deterministic RAM algorithms computing element distinctness and for Boolean branching programs computing a natural quadratic form. Ajtai's bounds were of the following form...
Simultaneous Messages vs. Communication
Cited by 27 (3 self)
In the multiparty communication game introduced by Chandra, Furst, and Lipton [CFL] (1983), k players wish to evaluate collaboratively a function f(x_0, ..., x_{k-1}) for which player i sees all inputs except x_i. The players have unlimited computational power. The objective is to minimize the amount of communication. We consider a restricted version of the multiparty communication game which we call the simultaneous messages model. The difference is that in this model, each of the k players simultaneously sends a message to a referee, who sees none of the input. The referee then announces the function value. We demonstrate an exponential gap between the Simultaneous Messages and the Communication models for up to (log n)^{1-ε} players, for any ε > 0. The separation is obtained by comparing the respective complexities of the generalized addressing function, GAF_{G,k}, in each model. In addition, we give a nontrivial protocol for GAF_{G,k} for G = Z_2^t, which is very eff...
Time-Space Tradeoff Lower Bounds for Randomized Computation of Decision Problems
In Proc. of 41st FOCS, 2000
Cited by 26 (2 self)
We prove the first time-space lower bound tradeoffs for randomized computation of decision problems.
Trade-offs Between Communication Throughput and Parallel Time
1994
Cited by 18 (1 self)
We study the effect of limited communication throughput on parallel computation in a setting where the number of processors is much smaller than the length of the input. Our model has p processors that communicate through a shared memory of size m. The input has size n, and can be read directly by all the processors. We will be primarily interested in studying cases where n ≫ p ≫ m. As a test case we study the list reversal problem. For this problem we prove a time lower bound of Ω(n/√(mp)). (A similar lower bound holds also for the problems of sorting, finding all unique elements, convolution, and universal hashing.) This result shows that limiting the communication (i.e., small m) has significant effect on parallel computation. We show an almost matching upper bound of O((n/√(mp)) · log^{O(1)} n). The upper bound requires the development of a few interesting techniques which can alleviate the limited communication in some
Dictionaries on AC^0 RAMs: Query Time Theta(sqrt(log n/log log n)) is Necessary and Sufficient
1997
Cited by 16 (5 self)
In this paper we consider solutions to the dictionary problem on AC^0 RAMs, i.e.
On Separating the Read-k-Times Branching Program Hierarchy
In Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing, 1998
Cited by 12 (1 self)
We obtain an exponential separation between consecutive levels in the hierarchy of classes of functions computable by polynomial-size syntactic read-k-times branching programs, for all k > 0, as conjectured by various authors [Weg87, SS93, Pon95]. For every k, we exhibit two explicit functions that can be computed by linear-sized read-(k+1)-times branching programs but require size exp{Ω(n^{1/(k+1)} · 2^{-2k} · k^{-4})} to be computed by any read-k-times branching program. The result actually gives the strongest possible separation --- the exponential lower bound applies to both non-deterministic read-k-times branching programs and randomized read-k-times branching programs with 2-sided error ε, for some ε > 0. The only previously known results are the separation between k = 1 and k = 2 [BRS93] and a separation of non-deterministic read-k from deterministic read-(k ln k / ln 2 + C), where C is some appropriate constant, for each k [Oko97]. A simple corollary of our result...

