Results 11–20 of 66
CBC MACs for arbitrary-length messages: The three-key constructions
Advances in Cryptology – CRYPTO '00, Lecture Notes in Computer Science, 2000
Cited by 66 (16 self)
Abstract. We suggest some simple variants of the CBC MAC that let you efficiently MAC messages of arbitrary lengths. Our constructions use three keys, K1, K2, K3, to avoid unnecessary padding and MAC any message M ∈ {0,1}* using max{1, ⌈|M|/n⌉} applications of the underlying n-bit block cipher. Our favorite construction, XCBC, works like this: if |M| is a positive multiple of n then XOR the n-bit key K2 with the last block of M and compute the CBC MAC keyed with K1; otherwise, extend M's length to the next multiple of n by appending minimal 10^i padding (i ≥ 0), XOR the n-bit key K3 with the last block of the padded message, and compute the CBC MAC keyed with K1. We prove the security of this and other constructions, giving concrete bounds on an adversary's inability to forge in terms of her inability to distinguish the block cipher from a random permutation. Our analysis exploits new ideas which simplify proofs compared to prior work.
Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing
In Advances in Cryptology – CRYPTO '96, Lecture Notes in Computer Science 1109, 1996
Cited by 66 (6 self)
We present a very practical string-commitment scheme which is provably secure based solely on collision-free hashing. Our scheme enables a computationally bounded party to commit strings to an unbounded one, and is optimal (within a small constant factor) in terms of interaction, communication, and computation. Our result also proves that constant-round statistical zero-knowledge arguments and constant-round computational zero-knowledge proofs for NP exist based on the existence of collision-free hash functions.
1 Introduction
String commitment is a fundamental primitive for cryptographic protocols. A commitment scheme is an electronic way to temporarily hide a value that cannot be changed. Such a scheme emulates by means of a protocol the following two-stage process. In Stage 1 (the Commit stage), a party called the Sender locks a message in a box, and sends the locked box to another party called the Receiver. In Stage 2 (the Decommit stage), the Sender provides the Receiver with ...
The Computational Complexity of Universal Hashing
Theoretical Computer Science, 2002
Cited by 59 (3 self)
Any implementation of Carter-Wegman universal hashing from n-bit strings to m-bit strings requires a time-space tradeoff of TS = Ω(nm). The bound holds in the general boolean branching program model, and thus in essentially any model of computation. As a corollary, computing a+b*c in any field F requires a quadratic time-space tradeoff, and the bound holds for any representation of the elements of the field. Other lower bounds on the...
A Block-Cipher Mode of Operation for Parallelizable Message Authentication
Advances in Cryptology – EUROCRYPT 2002, Lecture Notes in Computer Science, 2002
Cited by 58 (7 self)
We define and analyze a simple and fully parallelizable block-cipher mode of operation for message authentication. Parallelizability does not come at the expense of serial efficiency: in a conventional, serial environment, the algorithm's speed is within a few percent of the (inherently sequential) CBC MAC. The new mode, PMAC, is deterministic, resembles a standard mode of operation (and not a Carter-Wegman MAC), works for strings of any bit length, employs a single block-cipher key, and uses just max{1, ⌈|M|/n⌉} block-cipher calls to MAC a string M ∈ {0,1}* using an n-bit block cipher. We prove PMAC secure, quantifying an adversary's forgery probability in terms of the quality of the block cipher as a pseudorandom permutation. Key words: block-cipher modes, message authentication codes, modes of operation, provable security.
Bucket Hashing and its Application to Fast Message Authentication
1995
Cited by 51 (4 self)
We introduce a new technique for constructing a family of universal hash functions.
MMH: Software Message Authentication in the Gbit/second Rates
1997
Cited by 40 (3 self)
March, 1997. We describe a construction of almost universal hash functions suitable for very fast software implementation and applicable to the hashing of variable size data and fast cryptographic message authentication. Our construction uses fast single precision arithmetic which is increasingly supported by modern processors due to the growing needs for fast arithmetic posed by multimedia applications. We report on hand-optimized assembly implementations on a 150 MHz PowerPC 604 and a 150 MHz Pentium Pro, which achieve hashing speeds of 350 to 820 Mbit/sec, depending on the desired level of security (or collision probability), and a rate of more than 1 Gbit/sec on a 200 MHz Pentium Pro. This represents a significant speedup over current software implementations of universal hashing and other message authentication techniques (e.g., MD5-based). Moreover, our construction is specifically designed to take advantage of emerging microprocessor technologies (such as Intel's MMX, ...
Analysis of a Memory Architecture for Fast Packet Buffers
In Proceedings of IEEE High Performance Switching and Routing, 2001
Cited by 35 (5 self)
All packet switches contain packet buffers to hold packets
On Recycling the Randomness of States in Space Bounded Computation
In Proceedings of the Thirty-First Annual ACM Symposium on the Theory of Computing, 1999
Cited by 34 (14 self)
Let M be a logarithmic space Turing machine (or a polynomial width branching program) that uses up to k ≤ 2^{√log n} (read once) random bits. For a fixed input, let P_i(S) be the probability (over the random string) that at time i the machine M is in state S, and assume that some weak estimation of the probabilities P_i(S) is known or given or can be easily computed. We construct a logarithmic space pseudorandom generator that uses only a logarithmic number of truly random bits and outputs a sequence of k bits that looks random to M. This means that a very weak estimation of the state probabilities of M is sufficient for a full derandomization of M and for constructing pseudorandom sequences for M. We have several applications of the main theorem, as stated within. To prove our theorem, we introduce the idea of recycling the state S of the machine M at time i as part of the random string for the same machine at a later time. That is, we use the entropy of the random variable S in o...
True Random Number Generators Secure in a Changing Environment
In Workshop on Cryptographic Hardware and Embedded Systems (CHES), 2003
Cited by 29 (4 self)
A true random number generator (TRNG) usually consists of two components: an "unpredictable" source with high entropy, and a randomness extractor, a function which, when applied to the source, produces a result that is statistically close to the uniform distribution.
Routing with Improved Communication-Space Trade-Off
In 18th International Symposium on Distributed Computing (DISC), 2004
Cited by 27 (10 self)
Given a weighted undirected network with arbitrary node names, we present a family of routing schemes characterized by an integral parameter κ ≥ 1. The scheme uses log D) space routing table at each node, and routes along paths of linear stretch O(κ), where D is the normalized diameter of the network. When D is polynomial in n, the scheme has asymptotically optimal stretch factor. With the same memory bound, the best previous results obtained stretch O(κ²). Of independent interest, ...