Results 21-30 of 88
Square Hash: Fast Message Authentication via Optimized Universal Hash Functions
In Proc. CRYPTO 99, Lecture Notes in Computer Science, 1999
Cited by 21 (6 self)
This paper introduces two new ideas in the construction of fast universal hash functions geared towards the task of message authentication.
Universal hashing and multiple authentication
In Proc. CRYPTO 96, Lecture Notes in Computer Science, 1996
Does Encryption with Redundancy Provide Authenticity?
In Advances in Cryptology — EUROCRYPT 2001, B. Pfitzmann, Ed., Lecture Notes in Computer Science, 2001
Cited by 16 (5 self)
A popular paradigm for achieving privacy plus authenticity is to append some “redundancy” to the data before encrypting. We investigate the security of this paradigm at both a general and a specific level. We consider various possible notions of privacy for the base encryption scheme, and for each such notion we provide a condition on the redundancy function that is necessary and sufficient to ensure authenticity of the encryption-with-redundancy scheme. We then consider the case where the base encryption scheme is a variant of CBC called NCBC, and find sufficient conditions on the redundancy functions for NCBC encryption-with-redundancy to provide authenticity. Our results highlight an important distinction between public redundancy functions, meaning those that the adversary can compute, and secret ones, meaning those that depend on the shared key between the legitimate parties.
Limits of the Cryptographic Realization of Dolev-Yao-style XOR
Computer Security, Proceedings of ESORICS 2005, number 3679 in Lecture Notes in Computer Science, 2005
Cited by 16 (5 self)
The abstraction of cryptographic operations by term algebras, called Dolev-Yao models, is essential in almost all tool-supported methods for proving security protocols. Recently, significant progress was made in proving that such abstractions can be sound with respect to actual cryptographic realizations and security definitions. The strongest results show this in the sense of reactive simulatability/UC, a notion that essentially means retention of arbitrary security properties under arbitrary active attacks and in arbitrary protocol environments, with only small changes to both abstractions and natural implementations.
On-Line Ciphers and the Hash-CBC constructions
Advances in Cryptology - CRYPTO 2000. Lecture Notes in Computer Science, 2001
Cited by 14 (2 self)
We initiate a study of on-line ciphers. These are ciphers that can take input plaintexts of large and varying lengths and will output the ith block of the ciphertext after having processed only the first i blocks of the plaintext. Such ciphers permit length-preserving encryption of a data stream with only a single pass through the data. We provide security definitions for this primitive and study its basic properties. We then provide attacks on some possible candidates, including CBC with fixed IV. We then provide two constructions, HCBC1 and HCBC2, based on a given block cipher E and a family of computationally AXU functions. HCBC1 is proven secure against chosen-plaintext attacks assuming that E is a PRP secure against chosen-plaintext attacks, while HCBC2 is proven secure against chosen-ciphertext attacks assuming that E is a PRP secure against chosen-ciphertext attacks.
Authentication protocols based on low-bandwidth unspoofable channels: a comparative survey
2009
Verifying distributed erasure-coded data
In Proceedings of the 26th ACM Symposium on Principles of Distributed Computing, 2007
Cited by 13 (1 self)
Erasure coding can reduce the space and bandwidth overheads of redundancy in fault-tolerant data storage and delivery systems. But it introduces the fundamental difficulty of ensuring that all erasure-coded fragments correspond to the same block of data. Without such assurance, a different block may be reconstructed from different subsets of fragments. This paper develops a technique for providing this assurance without the bandwidth and computational overheads associated with current approaches. The core idea is to distribute with each fragment what we call homomorphic fingerprints. These fingerprints preserve the structure of the erasure code and allow each fragment to be independently verified as corresponding to a specific block. We demonstrate homomorphic fingerprinting functions that are secure, efficient, and compact.
Authentication, enhanced security and error correcting codes
Advances in Cryptology – proc. of CRYPTO ’98, LNCS 1462, 1998
Cited by 12 (0 self)
Abstract. In electronic communications and in access to systems, the issue of authentication of the Sender S of a message M, as well as of the message itself, is of paramount importance. Recently S. Goldwasser has raised the additional issue of Deniable Authentication where the sender S authenticates the message M to the Receiver’s (R) satisfaction, but can later deny his authorship of M even to an Inquisitor INQ who has listened to the exchange between S and R and who gains access to all of the secret information used by S and R. We present two practical schemes for Deniable Authentication of messages M of arbitrary length n. In both schemes the Receiver R is assured with probability greater than $1 - 2^{-k}$, where k is a chosen security parameter, that M originated with the Sender S. Deniability is absolute in the information theoretic sense. The first scheme requires 2.4kn XOR operations on bits and one public key encoding and decoding of a short message. The second scheme requires the same number of XOR operations and k multiplications mod N, where N is some fixed product of two large primes. A key new feature of our method is the use of a Shannon-style error correction code. Traditional authentication for a long message M starts by hashing M down to a standard word-size. We expand M through error correction. The first Deniable Authentication method is provably valid for any encryption scheme with minimal security properties, i.e. this method is generic. The second Deniable Authentication method is provably valid under the usual assumption that factorization is intractable.
Background and New Results
The question of authentication of transmitted messages is of paramount importance. When a Sender S communicates with a receiver R and sends him a message M, it does not suffice for R to authenticate (identify) S in order to know that M has actually originated with S. An Adversary AD can actively tap the line between S and R, and after R has authenticated the sender S, AD can block the Sender’s transmission and inject his own message M̄ to R.
Reliable Communication over Partially Authenticated Networks
Theoretical Computer Science, 1998
Cited by 11 (3 self)
Reliable communication between parties in a network is a basic requirement for executing any protocol. In this work, we consider the effect on reliable communication when some pairs of parties have common authentication keys. The pairs sharing keys define a natural "authentication graph", which may be quite different from the "communication graph" of the network. We characterize when reliable communication is possible in terms of these two graphs, focusing on the very strong setting of a Byzantine adversary with unlimited computational resources.
Key Words: Reliable Communication, Private Communication, Authentication Keys, Graph Connectivity, Byzantine Failures.
1 Introduction
Suppose that some processors are connected by a network of reliable channels. All of the processors cooperate to execute some protocol, but some of them are maliciously faulty. Dolev [4] and Dolev et al. [5] proved that if there are t faulty processors, then every pair of processors can communicate reliably if...