Curve25519: new Diffie-Hellman speed records
In Public Key Cryptography (PKC), Springer-Verlag LNCS 3958, 2006
Cited by 58 (20 self)
Abstract. This paper explains the design and implementation of a high-security elliptic-curve Diffie-Hellman function achieving record-setting speeds: e.g., 832457 Pentium III cycles (with several side benefits: free key compression, free key validation, and state-of-the-art timing-attack protection), more than twice as fast as other authors' results at the same conjectured security level (with or without the side benefits).
Path-quality monitoring in the presence of adversaries
In ACM SIGMETRICS, 2008
Cited by 24 (7 self)
Edge networks connected to the Internet need effective monitoring techniques to drive routing decisions and detect violations of Service Level Agreements (SLAs). However, existing measurement tools, like ping, traceroute, and trajectory sampling, are vulnerable to attacks that make a path look better than it really is. In this paper, we design and analyze path-quality monitoring protocols that robustly raise an alarm when packet-loss rate and delay exceed a threshold, even when an adversary tries to bias monitoring results by selectively delaying, dropping, modifying, injecting, or preferentially treating packets. Despite the strong threat model we consider in this paper, our protocols are efficient enough to run at line rate on high-speed routers. We present a secure sketching protocol for identifying when packet loss and delay degrade beyond a threshold. This protocol is extremely lightweight, requiring only 250–600 bytes of storage and periodic transmission of a comparably sized IP packet. We also present secure sampling protocols that provide faster feedback and more accurate round-trip delay estimates, at the expense of somewhat higher storage and communication costs. We prove that all our protocols satisfy a precise definition of secure path-quality monitoring and derive analytic expressions for the trade-off between statistical accuracy and system overhead. We also compare how our protocols perform in the client-server setting, when paths are asymmetric, and when packet marking is not permitted.
Toward Acceleration of RSA Using 3D Graphics Hardware
Cited by 19 (0 self)
Abstract. Demand in the consumer market for graphics hardware that accelerates rendering of 3D images has resulted in commodity devices capable of astonishing levels of performance. These results were achieved by specifically tailoring the hardware for the target domain. As graphics accelerators become increasingly programmable, however, this performance has made them an attractive target for other domains. Specifically, they have motivated the transformation of costly algorithms from a general-purpose computational model into a form that executes on said graphics hardware. We investigate the implementation and performance of modular exponentiation using a graphics accelerator, with the view of using it to execute operations required in the RSA public-key cryptosystem.
The Salsa20 family of stream ciphers
2008. URL: http://cr.yp.to/papers.html#salsafamily
Cited by 19 (5 self)
Abstract. Salsa20 is a family of 256-bit stream ciphers designed in 2005
Concealment and its applications to authenticated encryption
In EUROCRYPT 2003, 2003
Cited by 10 (2 self)
Abstract. We introduce a new cryptographic primitive we call concealment, which is related to, but quite different from, the notion of commitment. A concealment is a publicly known randomized transformation, which, on input m, outputs a hider h and a binder b. Together, h and b allow one to recover m, but separately, (1) the hider h reveals “no information” about m, while (2) the binder b can be “meaningfully opened” by at most one hider h. While setting b = m, h = ∅ is a trivial concealment, the challenge is to make |b| ≪ |m|, which we call a “non-trivial” concealment. We show that non-trivial concealments are equivalent to the existence of collision-resistant hash functions. Moreover, our construction of concealments is extremely simple, optimal, and yet very general, giving rise to a multitude of efficient implementations. We show that concealments have natural and important applications in the area of authenticated encryption. Specifically, let AE be an authenticated encryption scheme (either public- or symmetric-key) designed
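The hider/binder split described in this abstract, as an added example that is not code from the paper: the construction below (a seed-expanded one-time pad as the hider, and seed plus SHA-256 of the hider as the binder) is my own illustration of the definition, and whether it matches the paper's actual scheme is an assumption. It shows the three properties the abstract names: h and b together recover m, h alone is pseudorandom, and b (48 bytes regardless of |m|, so |b| ≪ |m| for long messages) opens only the one h whose hash it carries.

```python
"""Toy concealment: split a message m into a hider h and a short binder b.

Added illustration (assumed construction, not the paper's text):
    seed <- 16 random bytes
    h    =  m XOR SHAKE128(seed, len(m))   # hider: looks random without the seed
    b    =  seed || SHA-256(h)             # binder: 48 bytes whatever |m| is
Holding both h and b recovers m; b can be "opened" only by the one h whose
SHA-256 it contains (collision resistance of SHA-256); h alone is pseudorandom.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SEED_LEN = 16
DIGEST_LEN = 32
BINDER_LEN = SEED_LEN + DIGEST_LEN


def _pad(seed: bytes, n: int) -> bytes:
    """Expand the short seed into a len(m)-byte pad; this is what keeps |b| << |m|."""
    return hashlib.shake_128(seed).digest(n)


def conceal(m: bytes, seed: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (hider, binder). A fresh random seed is drawn per call; the
    optional seed argument only makes the output reproducible for testing."""
    seed = secrets.token_bytes(SEED_LEN) if seed is None else seed
    if len(seed) != SEED_LEN:
        raise ValueError("seed must be %d bytes" % SEED_LEN)
    h = bytes(x ^ y for x, y in zip(m, _pad(seed, len(m))))
    b = seed + hashlib.sha256(h).digest()
    return h, b


def open_concealment(h: bytes, b: bytes) -> Optional[bytes]:
    """Recover m from (h, b); None if b was not bound to this particular h."""
    if len(b) != BINDER_LEN:
        return None
    seed, tag = b[:SEED_LEN], b[SEED_LEN:]
    if not hmac.compare_digest(hashlib.sha256(h).digest(), tag):
        return None  # binding check failed: a different hider was committed to
    return bytes(x ^ y for x, y in zip(h, _pad(seed, len(h))))


def is_nontrivial(m: bytes, b: bytes) -> bool:
    """The abstract's non-triviality condition |b| << |m|, read here as |b| < |m|."""
    return len(b) < len(m)
```

Flipping a single byte of h makes the binding check fail, which is the property that lets a short binder stand in for the whole hider in the authenticated-encryption application the abstract goes on to describe.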
NEON crypto
Cited by 10 (4 self)
Abstract. NEON is a vector instruction set included in a large fraction of new ARM-based tablets and smartphones. This paper shows that NEON supports high-security cryptography at surprisingly high speeds; normally data arrives at lower speeds, giving the CPU time to handle tasks other than cryptography. In particular, this paper explains how to use a single 800MHz Cortex-A8 core to compute the existing NaCl suite of high-security cryptographic primitives at the following speeds: 5.60 cycles per byte (1.14 Gbps) to encrypt using a shared secret key, 2.30 cycles per byte (2.78 Gbps) to authenticate using a shared secret key, 527102 cycles (1517/second) to compute a shared secret key for a new public key, 650102 cycles (1230/second) to verify a signature, and 368212 cycles (2172/second) to sign a message. These speeds make no use of secret branches and no use of secret memory addresses.
The Software Performance of Authenticated-Encryption Modes
2011
Cited by 8 (0 self)
We study the software performance of authenticated-encryption modes CCM, GCM, and OCB. Across a variety of platforms, we find OCB to be substantially faster than either alternative. For example, on an Intel i5 (“Clarkdale”) processor, good implementations of CCM, GCM, and OCB encrypt at around 4.2 cpb, 3.7 cpb, and 1.5 cpb, while CTR mode requires about 1.3 cpb. Still, we find room for algorithmic improvements to OCB, showing how to trim one block-cipher call (most of the time, assuming a counter-based nonce) and reduce latency. Our findings contrast with those of McGrew and Viega (2004), who claimed similar performance for GCM and OCB. Key words: authenticated encryption, cryptographic standards, encryption speed, modes of
A Trade-Off Between Collision Probability and Key Size in Universal Hashing Using Polynomials
Cited by 5 (2 self)
Abstract. Let 𝔽 be a finite field and suppose that a single element of 𝔽 is used as an authenticator (or tag). Further, suppose that any message consists of at most L elements of 𝔽. For this setting, usual polynomial-based universal hashing achieves a collision bound of (L − 1)/|𝔽| using a single element of 𝔽 as the key. The well-known multilinear hashing achieves a collision bound of 1/|𝔽| using L elements of 𝔽 as the key. In this work, we present a new universal hash function which achieves a collision bound of m⌈log_m L⌉/|𝔽|, m ≥ 2, using 1 + ⌈log_m L⌉ elements of 𝔽 as the key. This provides a new trade-off between key size and collision probability for universal hash functions.
Message authentication on 64-bit architectures
In Selected Areas in Cryptography: 13th International Workshop, SAC 2006, 2006
Cited by 4 (3 self)
Abstract. This paper introduces VMAC, a message authentication algorithm (MAC) optimized for high performance in software on 64-bit architectures. On the Athlon 64 processor, VMAC authenticates 2KB cache-resident messages at a cost of about 0.5 CPU cycles per message byte (cpb), significantly faster than other recent MAC schemes such as UMAC (1.0 cpb) and Poly1305 (3.1 cpb). VMAC is a MAC in the Wegman-Carter style, employing a “universal” hash function VHASH, which is fully developed in this paper. VHASH employs a three-stage hashing strategy, and each stage is developed with the goal of optimal performance in 64-bit environments.
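The two bounds quoted in the trade-off abstract above ((L − 1)/|𝔽| for polynomial hashing with one key element, 1/|𝔽| for multilinear hashing with L key elements) and the Wegman-Carter construction that VMAC's abstract refers to, as one added example that is not code from either paper. The field is deliberately tiny (p = 7) so the whole key space can be enumerated and the bounds checked by counting rather than trusted; HMAC-SHA256 stands in for the pseudorandom pad generator, and the function and parameter names are my own, not the papers'. The m-ary entry in key_size_tradeoff only reproduces the key-count and bound formulas the abstract states; it does not implement that hash.

```python
"""Universal hashing over a prime field and a Wegman-Carter MAC built on it.

Added example, not code from any paper in this listing. P is tiny so that
every key can be tried and the collision bounds in the abstracts checked
directly; a real MAC works in a field of size around 2^64 or 2^130.
"""
import hashlib
import hmac
from itertools import product

P = 7  # field size |F|: prime, and small enough to enumerate all keys


def poly_hash(key: int, msg) -> int:
    """h_k(m) = m_0 + m_1*k + ... + m_{L-1}*k^(L-1) mod P, via Horner's rule.
    One key element. For m != m' the difference is a nonzero polynomial of
    degree <= L-1, so at most L-1 keys collide: the (L-1)/|F| bound."""
    acc = 0
    for m_i in reversed(msg):
        acc = (acc * key + m_i) % P
    return acc


def multilinear_hash(key, msg) -> int:
    """h_K(m) = sum_i m_i*K_i mod P with one key element per message element.
    Any nonzero difference forces exactly P^(L-1) of the P^L keys to collide,
    i.e. collision probability exactly 1/|F|."""
    if len(key) != len(msg):
        raise ValueError("multilinear hash needs one key element per message element")
    return sum(m_i * k_i for m_i, k_i in zip(msg, key)) % P


def poly_collision_keys(m1, m2) -> int:
    """Number of keys k in GF(P) with h_k(m1) == h_k(m2)."""
    return sum(1 for k in range(P) if poly_hash(k, m1) == poly_hash(k, m2))


def multilinear_collision_keys(m1, m2) -> int:
    """Number of keys K in GF(P)^L with h_K(m1) == h_K(m2)."""
    return sum(1 for K in product(range(P), repeat=len(m1))
               if multilinear_hash(K, m1) == multilinear_hash(K, m2))


def worst_case_poly_collisions(L: int) -> int:
    """Max of poly_collision_keys over all distinct message pairs of length L."""
    msgs = list(product(range(P), repeat=L))
    worst = 0
    for i, m1 in enumerate(msgs):
        for m2 in msgs[i + 1:]:
            worst = max(worst, poly_collision_keys(m1, m2))
    return worst


def key_size_tradeoff(L: int, m: int = 2) -> dict:
    """(key elements, collision-bound numerator) per scheme; divide the
    numerator by |F| for the bound. "m-ary" is the abstract's formula for the
    new scheme: 1 + ceil(log_m L) key elements, bound m*ceil(log_m L)/|F|."""
    t = 0
    while m ** t < L:  # t = ceil(log_m L), computed without floating point
        t += 1
    return {"polynomial": (1, L - 1), "multilinear": (L, 1), "m-ary": (1 + t, m * t)}


def _pad(prf_key: bytes, nonce: bytes) -> int:
    """Per-nonce pad in GF(P). HMAC-SHA256 stands in for the cipher a real
    Wegman-Carter MAC uses; reduction mod P is slightly biased at this toy size."""
    digest = hmac.new(prf_key, nonce, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % P


def wc_tag(hash_key: int, prf_key: bytes, nonce: bytes, msg) -> int:
    """Wegman-Carter tag = h_k(msg) + pad(nonce) mod P. The pad hides h_k(msg),
    so observed tags leak nothing about hash_key; forging a tag for msg' means
    guessing h_k(msg') - h_k(msg), which works with probability <= (L-1)/|F|.
    A nonce must never repeat under one prf_key, or the pads cancel."""
    return (poly_hash(hash_key, msg) + _pad(prf_key, nonce)) % P


def wc_verify(hash_key: int, prf_key: bytes, nonce: bytes, msg, tag: int) -> bool:
    """Constant-time comparison of the recomputed tag against the received one."""
    if not 0 <= tag < P:
        return False
    expected = wc_tag(hash_key, prf_key, nonce, msg)
    return hmac.compare_digest(expected.to_bytes(2, "big"), tag.to_bytes(2, "big"))
```

For L = 3 the worst message pair for poly_hash collides under exactly 2 of the 7 keys (the difference polynomial 2 + 4k + k² has roots 1 and 2 mod 7), while any distinct pair collides under exactly 49 of the 343 multilinear keys; that is the key-size versus collision-probability trade-off the abstract is about, in the smallest field where it can be seen whole.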
A New Universal Hash Function and Other Cryptographic Algorithms Suitable for Resource Constrained Devices
Cited by 2 (2 self)
Abstract. A new multilinear universal hash family is described. Messages are sequences over a finite field 𝔽_q while keys are sequences over an extension field 𝔽_{q^n}. A linear map ψ from 𝔽_{q^n} to itself is used to compute the output digest. Of special interest is the case q = 2. For this case, we show that there is an efficient way to implement ψ using a tower field representation of 𝔽_{q^n}. Such a ψ corresponds to a word-oriented LFSR. We describe a method of combining the new universal hash function and a stream cipher with IV to obtain a MAC algorithm. Further, we extend the basic universal hash function to an invertible blockwise universal hash function. Following the Naor-Reingold approach, this is used to construct a tweakable enciphering scheme which uses a single layer of encryption and no finite field multiplications. From an efficiency viewpoint, the focus of all our constructions is small hardware and other resource-constrained applications. For such platforms, our constructions compare favourably to previous work.