Results 1  10
of
142
A Pairwise Key PreDistribution Scheme for Wireless Sensor Networks
, 2003
"... this paper, we provide a framework in which to study the security of key predistribution schemes, propose a new key predistribution scheme which substantially improves the resilience of the network compared to previous schemes, and give an indepth analysis of our scheme in terms of network resili ..."
Abstract

Cited by 377 (13 self)
 Add to MetaCart
this paper, we provide a framework in which to study the security of key predistribution schemes, propose a new key predistribution scheme which substantially improves the resilience of the network compared to previous schemes, and give an indepth analysis of our scheme in terms of network resilience and associated overhead. Our scheme exhibits a nice threshold property: when the number of compromised nodes is less than the threshold, the probability that communications between any additional nodes are compromised is close to zero. This desirable property lowers the initial payoff of smallerscale network breaches to an adversary, and makes it necessary for the adversary to attack a large fraction of the network before it can achieve any significant gain
Tinysec: A link layer security architecture for wireless sensor networks
 in Proc of the 2nd Int’l Conf on Embedded Networked Sensor Systems
"... We introduce TinySec, the first fullyimplemented link layer security architecture for wireless sensor networks. In our design, we leverage recent lessons learned from design vulnerabilities in security protocols for other wireless networks such as 802.11b and GSM. Conventional security protocols te ..."
Abstract

Cited by 333 (0 self)
 Add to MetaCart
We introduce TinySec, the first fullyimplemented link layer security architecture for wireless sensor networks. In our design, we leverage recent lessons learned from design vulnerabilities in security protocols for other wireless networks such as 802.11b and GSM. Conventional security protocols tend to be conservative in their security guarantees, typically adding 16–32 bytes of overhead. With small memories, weak processors, limited energy, and 30 byte packets, sensor networks cannot afford this luxury. TinySec addresses these extreme resource constraints with careful design; we explore the tradeoffs among different cryptographic primitives and use the inherent sensor network limitations to our advantage when choosing parameters to find a sweet spot for security, packet overhead, and resource requirements. TinySec is portable to a variety of hardware and radio platforms. Our experimental results on a 36 node distributed sensor network application clearly demonstrate that software based link layer protocols are feasible and efficient, adding less than 10 % energy, latency, and bandwidth overhead.
Authenticated encryption: Relations among notions and analysis of the generic composition paradigm
, 2000
"... and analysis of the generic composition paradigm ..."
Abstract

Cited by 223 (22 self)
 Add to MetaCart
and analysis of the generic composition paradigm
OCB: A BlockCipher Mode of Operation for Efficient Authenticated Encryption
, 2001
"... We describe a parallelizable blockcipher mode of operation that simultaneously provides privacy and authenticity. OCB encryptsandauthenticates a nonempty string M # {0, 1} # using #M /n# + 2 blockcipher invocations, where n is the block length of the underlying block cipher. Additional ov ..."
Abstract

Cited by 138 (19 self)
 Add to MetaCart
We describe a parallelizable blockcipher mode of operation that simultaneously provides privacy and authenticity. OCB encryptsandauthenticates a nonempty string M # {0, 1} # using #M /n# + 2 blockcipher invocations, where n is the block length of the underlying block cipher. Additional overhead is small. OCB refines a scheme, IAPM, suggested by Jutla [20]. Desirable properties of OCB include: the ability to encrypt a bit string of arbitrary length into a ciphertext of minimal length; cheap o#set calculations; cheap session setup, a single underlying cryptographic key; no extendedprecision addition; a nearly optimal number of blockcipher calls; and no requirement for a random IV. We prove OCB secure, quantifying the adversary's ability to violate privacy or authenticity in terms of the quality of the block cipher as a pseudorandom permutation (PRP) or as a strong PRP, respectively. Keywords: AES, authenticity, block ciphers, cryptography, encryption, integrity, modes of operation, provable security, standards . # Department of Computer Science, Eng. II Building, University of California at Davis, Davis, California 95616 USA; and Department of Computer Science, Faculty of Science, Chiang Mai University, Chiang Mai 50200 Thailand. email: rogaway@cs.ucdavis.edu web: www.cs.ucdavis.edu/~rogaway + Department of Computer Science & Engineering, University of California at San Diego, 9500 Gilman Drive, La Jolla, California 92093 USA. email: mihir@cs.ucsd.edu web: wwwcse.ucsd.edu/users/mihir # Department of Computer Science, University of Nevada, Reno, Nevada 89557 USA. email: jrb@cs.unr.edu web: www.cs.unr.edu/~jrb Digital Fountain, 600 Alabama Street, San Francisco, CA 94110 USA. email: tdk@acm.org 1
Blackbox analysis of the blockcipherbased hashfunction constructions from pgv
 In Advances in Cryptology – CRYPTO ’02 (2002
, 2002
"... Abstract. Preneel, Govaerts, and Vandewalle [6] considered the 64 most basic ways to construct a hash function H: {0, 1} ∗ →{0, 1} n from a block cipher E: {0, 1} n ×{0, 1} n →{0, 1} n. They regarded 12 of these 64 schemes as secure, though no proofs or formal claims were given. The remaining 52 sc ..."
Abstract

Cited by 104 (15 self)
 Add to MetaCart
Abstract. Preneel, Govaerts, and Vandewalle [6] considered the 64 most basic ways to construct a hash function H: {0, 1} ∗ →{0, 1} n from a block cipher E: {0, 1} n ×{0, 1} n →{0, 1} n. They regarded 12 of these 64 schemes as secure, though no proofs or formal claims were given. The remaining 52 schemes were shown to be subject to various attacks. Here we provide a formal and quantitative treatment of the 64 constructions considered by PGV. We prove that, in a blackbox model, the 12 schemes that PGV singled out as secure really are secure: we give tight upper and lower bounds on their collision resistance. Furthermore, by stepping outside of the MerkleDamg˚ard approach to analysis, we show that an additional 8 of the 64 schemes are just as collision resistant (up to a small constant) as the first group of schemes. Nonetheless, we are able to differentiate among the 20 collisionresistant schemes by bounding their security as oneway functions. We suggest that proving blackbox bounds, of the style given here, is a feasible and useful step for understanding the security of any blockcipherbased hashfunction construction. 1
Keyprivacy in publickey encryption
, 2001
"... We consider a novel security requirement of encryption schemes that we call “keyprivacy” or “anonymity”.It asks that an eavesdropper in possession of a ciphertext not be able to tell which specific key, out of a set of known public keys, is the one under which the ciphertext was created, meaning t ..."
Abstract

Cited by 94 (8 self)
 Add to MetaCart
We consider a novel security requirement of encryption schemes that we call “keyprivacy” or “anonymity”.It asks that an eavesdropper in possession of a ciphertext not be able to tell which specific key, out of a set of known public keys, is the one under which the ciphertext was created, meaning the receiver is anonymous from the point of view of the adversary.We investigate the anonymity of known encryption schemes.We prove that the El Gamal scheme provides anonymity under chosenplaintext attack assuming the Decision DiffieHellman problem is hard and that the CramerShoup scheme provides anonymity under chosenciphertext attack under the same assumption.We also consider anonymity for trapdoor permutations.Known attacks indicate that the RSA trapdoor permutation is not anonymous and neither are the standard encryption schemes based on it.We provide a variant of RSAOAEP that provides anonymity in the random oracle model assuming RSA is oneway.We also give constructions of anonymous trapdoor permutations, assuming RSA is oneway, which yield anonymous encryption schemes in the standard model.
New proofs for NMAC and HMAC: Security without collisionresistance
, 2006
"... HMAC was proved in [3] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collisionresistant. However, recent attacks show that assumption (2) is false for MD5 and SHA1, removing the proofbased support for HMAC in these cases. ..."
Abstract

Cited by 83 (8 self)
 Add to MetaCart
HMAC was proved in [3] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collisionresistant. However, recent attacks show that assumption (2) is false for MD5 and SHA1, removing the proofbased support for HMAC in these cases. This paper proves that HMAC is a PRF under the sole assumption that the compression function is a PRF. This recovers a proof based guarantee since no known attacks compromise the pseudorandomness of the compression function, and it also helps explain the resistancetoattack that HMAC has shown even when implemented with hash functions whose (weak) collision resistance is compromised. We also show that an even weakerthanPRF condition on the compression function, namely that it is a privacypreserving MAC, suffices to establish HMAC is a secure MAC as long as the hash function meets the very weak requirement of being computationally almost universal, where again the value lies in the fact that known
A tweakable enciphering mode
 of LNCS
, 2003
"... Abstract. We describe a blockcipher mode of operation, CMC, that turns an nbit block cipher into a tweakable enciphering scheme that acts on strings of mn bits, where m ≥ 2. When the underlying block cipher is secure in the sense of a strong pseudorandom permutation (PRP), our scheme is secure in ..."
Abstract

Cited by 67 (5 self)
 Add to MetaCart
Abstract. We describe a blockcipher mode of operation, CMC, that turns an nbit block cipher into a tweakable enciphering scheme that acts on strings of mn bits, where m ≥ 2. When the underlying block cipher is secure in the sense of a strong pseudorandom permutation (PRP), our scheme is secure in the sense of tweakable, strong PRP. Such an object can be used to encipher the sectors of a disk, inplace, offering security as good as can be obtained in this setting. CMC makes a pass of CBC encryption, xors in a mask, and then makes a pass of CBC decryption; no universal hashing, nor any other nontrivial operation beyond the blockcipher calls, is employed. Besides proving the security of CMC we initiate a more general investigation of tweakable enciphering schemes, considering issues like the nonmalleability of these objects. 1
CBC MACs for arbitrarylength messages: The threekey constructions
 Advances in Cryptology – CRYPTO ’00, Lecture Notes in Computer Science
, 2000
"... Abstract. We suggest some simple variants of the CBC MAC that let you efficiently MAC messages of arbitrary lengths. Our constructions use three keys, K1, K2, K3, to avoid unnecessary padding and MAC any message M ∈ {0, 1} ∗ using max{1, ⌈M/n⌉} applications of the underlying nbit block cipher. O ..."
Abstract

Cited by 66 (16 self)
 Add to MetaCart
Abstract. We suggest some simple variants of the CBC MAC that let you efficiently MAC messages of arbitrary lengths. Our constructions use three keys, K1, K2, K3, to avoid unnecessary padding and MAC any message M ∈ {0, 1} ∗ using max{1, ⌈M/n⌉} applications of the underlying nbit block cipher. Our favorite construction, XCBC, works like this: if M  is a positive multiple of n then XOR the nbit key K2 with the last block of M and compute the CBC MAC keyed with K1; otherwise, extend M’s length to the next multiple of n by appending minimal 10 i padding (i ≥ 0), XOR the nbit key K3 with the last block of the padded message, and compute the CBC MAC keyed with K1. We prove the security of this and other constructions, giving concrete bounds on an adversary’s inability to forge in terms of her inability to distinguish the block cipher from a random permutation. Our analysis exploits new ideas which simplify proofs compared to prior work. 1
A BlockCipher Mode of Operation for Parallelizable Message Authentication
 Advances in Cryptology  EUROCRYPT 2002. Lecture Notes in Computer Science
, 2002
"... We define and analyze a simple and fully parallelizable blockcipher mode of operation for message authentication. Parallelizability does not come at the expense of serial e#ciency: in a conventional, serial environment, the algorithm's speed is within a few percent of the (inherently sequential) CB ..."
Abstract

Cited by 58 (7 self)
 Add to MetaCart
We define and analyze a simple and fully parallelizable blockcipher mode of operation for message authentication. Parallelizability does not come at the expense of serial e#ciency: in a conventional, serial environment, the algorithm's speed is within a few percent of the (inherently sequential) CBC MAC. The new mode, PMAC, is deterministic, resembles a standard mode of operation (and not a CarterWegman MAC), works for strings of any bit length, employs a single blockcipher key, and uses just max{1, #M /n#} blockcipher calls to MAC a string M # {0, 1} # using an nbit block cipher. We prove PMAC secure, quantifying an adversary's forgery probability in terms of the quality of the block cipher as a pseudorandom permutation. Key words: blockcipher modes, message authentication codes, modes of operation, provable security. 1