Results 11 - 20 of 52
Square Hash: Fast Message Authentication via Optimized Universal Hash Functions
In Proc. CRYPTO 99, Lecture Notes in Computer Science, 1999
Cited by 21 (6 self)
This paper introduces two new ideas in the construction of fast universal hash functions geared towards the task of message authentication.
Stronger security bounds for Wegman-Carter-Shoup authenticators
In EUROCRYPT, 2005
Cited by 20 (3 self)
Abstract. Shoup proved that various message-authentication codes of the form (n, m) ↦ h(m) + f(n) are secure against all attacks that see at most √(1/ε) authenticated messages. Here m is a message; n is a nonce chosen from a public group G; f is a secret uniform random permutation of G; h is a secret random function; and ε is a differential probability associated with h. Shoup's result implies that if AES is secure then various state-of-the-art message-authentication codes of the form (n, m) ↦ h(m) + AES_k(n) are secure up to √(1/ε) authenticated messages. Unfortunately, √(1/ε) is only about 2^50 for some state-of-the-art systems, so Shoup's result provides no guarantees for long-term keys. This paper proves that security of the same systems is retained up to √#G authenticated messages. In a typical state-of-the-art system, √#G is 2^64. The heart of the paper is a very general "one-sided" security theorem: (n, m) ↦ h(m) + f(n) is secure if there are small upper bounds on differential probabilities for h and on interpolation probabilities for f. Keywords: mode of operation, authentication, MAC, Wegman-Carter, provable security
How to Stretch Random Functions: The Security of Protected Counter Sums
Journal of Cryptology, 1999
Cited by 19 (7 self)
Let f be an unpredictable random function taking (b + c)-bit inputs to b-bit outputs. This paper presents an unpredictable random function f′ taking variable-length inputs to b-bit outputs. This construction has several advantages over chaining, which was proven unpredictable by Bellare, Kilian, and Rogaway, and cascading, which was proven unpredictable by Bellare, Canetti, and Krawczyk. The highlight here is a very simple proof of security.
On-Line Ciphers and the Hash-CBC Constructions
Advances in Cryptology - CRYPTO 2000. Lecture Notes in Computer Science, 2001
Cited by 14 (2 self)
Abstract. We initiate a study of on-line ciphers. These are ciphers that can take input plaintexts of large and varying lengths and will output the i-th block of the ciphertext after having processed only the first i blocks of the plaintext. Such ciphers permit length-preserving encryption of a data stream with only a single pass through the data. We provide security definitions for this primitive and study its basic properties. We then provide attacks on some possible candidates, including CBC with fixed IV. We then provide two constructions, HCBC1 and HCBC2, based on a given block cipher E and a family of computationally AXU functions. HCBC1 is proven secure against chosen-plaintext attacks assuming that E is a PRP secure against chosen-plaintext attacks, while HCBC2 is proven secure against chosen-ciphertext attacks assuming that E is a PRP secure against chosen-ciphertext attacks.
Verifying distributed erasure-coded data
In Proceedings of the 26th ACM Symposium on Principles of Distributed Computing, 2007
Cited by 13 (1 self)
Erasure coding can reduce the space and bandwidth overheads of redundancy in fault-tolerant data storage and delivery systems. But it introduces the fundamental difficulty of ensuring that all erasure-coded fragments correspond to the same block of data. Without such assurance, a different block may be reconstructed from different subsets of fragments. This paper develops a technique for providing this assurance without the bandwidth and computational overheads associated with current approaches. The core idea is to distribute with each fragment what we call homomorphic fingerprints. These fingerprints preserve the structure of the erasure code and allow each fragment to be independently verified as corresponding to a specific block. We demonstrate homomorphic fingerprinting functions that are secure, efficient, and compact.
Efficient Tweakable Enciphering Schemes from (Block-Wise) Universal Hash Functions
Cited by 11 (4 self)
Abstract. We present several constructions of tweakable enciphering schemes which use a single encryption layer between two layers of universal hash function computation. The earliest known construction of this type is due to Naor and Reingold, where the encryption layer is the electronic codebook mode. A more recent work of this type is TET and is due to Halevi at Crypto 2007. We present a new construction Ψ of an invertible block-wise almost universal hash function. Using this we construct a tweakable enciphering scheme HEH. For variable length messages HEH has better efficiency than TET, while for fixed length messages HEH provides better key agility. HEH can only handle messages whose lengths are multiples of the block length. To tackle this, we define variants of Ψ and present a construction HEH* which can handle partial blocks. We show that the basic universal hash function can be combined with the counter mode of operation and the output feedback (OFB) mode to obtain new tweakable enciphering schemes of the hash-Ctr-hash and the hash-OFB-hash type. The hash-Ctr-hash type construction improves upon previous work, while the hash-OFB-hash construction is the first proposal using the OFB mode. An important feature of our work is to show that a new class of polynomials defined by Bernstein can be used to construct the universal hash function. This results in an improvement of efficiency of the hashing layers by almost a factor of two. From a practical point of view, our constructions provide the currently best known algorithms for disk encryption protocols.
NEON crypto
Cited by 10 (4 self)
Abstract. NEON is a vector instruction set included in a large fraction of new ARM-based tablets and smartphones. This paper shows that NEON supports high-security cryptography at surprisingly high speeds; normally data arrives at lower speeds, giving the CPU time to handle tasks other than cryptography. In particular, this paper explains how to use a single 800 MHz Cortex-A8 core to compute the existing NaCl suite of high-security cryptographic primitives at the following speeds: 5.60 cycles per byte (1.14 Gbps) to encrypt using a shared secret key, 2.30 cycles per byte (2.78 Gbps) to authenticate using a shared secret key, 527102 cycles (1517/second) to compute a shared secret key for a new public key, 650102 cycles (1230/second) to verify a signature, and 368212 cycles (2172/second) to sign a message. These speeds make no use of secret branches and no use of secret memory addresses.
Fast universal hashing with small keys and no preprocessing: the PolyR construction
2000
Cited by 8 (1 self)
We describe a universal hash-function family, PolyR, which hashes messages of effectively arbitrary lengths in 3.9-6.9 cycles/byte (cpb) on a Pentium II (achieving a collision probability in the range 2^-16 to 2^-50). Unlike most proposals, PolyR actually hashes short messages faster (per byte) than long ones. At the same time, its key is only a few bytes, the output is only a few bytes, and no "preprocessing" is needed to achieve maximal efficiency. Our designs have been strongly influenced by low-level considerations relevant to software speed, and experimental results are given throughout.
Domain extension of public random functions: Beyond the birthday barrier
In Advances in Cryptology - CRYPTO '07 (2007), Lecture Notes in Computer Science, 2007
Cited by 7 (1 self)
Combined with the iterated constructions of Coron et al., our result leads to the first iterated construction of a hash function {0,1}^* → {0,1}^n from a component function {0,1}^n → {0,1}^n that withstands all recently proposed generic attacks against iterated hash functions, like Joux's multicollision attack, Kelsey and Schneier's second-preimage attack, and Kelsey and Kohno's herding attacks.
1 Introduction. 1.1 Secret vs. Public Random Functions. Primitives that provide some form of randomness are of central importance in cryptography, both as a primitive assumed to be given (e.g. a secret key), and as a primitive constructed from a weaker one to "behave like" a certain ideal random primitive (e.g. a random function), according to some security notion.
Energy Scalable Universal Hashing
2004
Cited by 7 (1 self)
Message Authentication Codes (MACs) are valuable tools for ensuring the integrity of messages. MACs may be built around a universal hash function (NH) which was explored in the construction of UMAC. In this paper, we use a variation on NH called WH. WH reaches optimality in the sense that it is universal with half the hash length of NH and it achieves perfect serialization in hardware implementation. We achieved substantial power savings of up to 59% and a speedup of up to 7.4 times over NH. Moreover, we show how the technique of multihashing and the Toeplitz approach can be combined to reduce the power and energy consumption even further while maintaining the same security level with a very slight increase in the amount of the key material. At low frequencies the power and energy reductions are achieved simultaneously while keeping the hashing time constant. We developed formulae for estimation of the leakage and dynamic power consumptions as well as the energy consumption based on the frequency and the Toeplitz parameter t. We introduce a powerful method for scaling WH according to specific energy and power consumption requirements. Our implementation of WH16 consumes only 2.95 µW at 500 kHz. It can therefore be integrated into a self-powered device.