UMAC: Fast and Secure Message Authentication, 1999
Cited by 96 (13 self)
Abstract. We describe a message authentication algorithm, UMAC, which can authenticate messages (in software, on contemporary machines) roughly an order of magnitude faster than current practice (e.g., HMAC-SHA1), and about twice as fast as times previously reported for the universal hash-function family MMH. To achieve such speeds, UMAC uses a new universal hash-function family, NH, and a design which allows effective exploitation of SIMD parallelism. The “cryptographic” work of UMAC is done using standard primitives of the user’s choice, such as a block cipher or cryptographic hash function; no new heuristic primitives are developed here. Instead, the security of UMAC is rigorously proven, in the sense of giving exact and quantitatively strong results which demonstrate an inability to forge UMAC-authenticated messages assuming an inability to break the underlying cryptographic primitive. Unlike conventional, inherently serial MACs, UMAC is parallelizable, and will have ever-faster implementation speeds as machines offer up increasing amounts of parallelism. We envision UMAC as a practical algorithm for next-generation message authentication.

Efficient and secure source authentication with packet passports, in USENIX SRUTI, 2006
Cited by 18 (0 self)
A key challenge in combating Denial of Service (DoS) attacks is to reliably identify attack sources from packet contents. If a source can be reliably identified, routers can stop an attack by filtering packets from the attack sources without causing collateral damage to legitimate traffic. This task is difficult because attackers may spoof arbitrary packet contents to hide their identities. This paper proposes a packet passport system to address this challenge. A packet passport efficiently and securely authenticates the source of a packet. A packet with a valid passport must have originated from the claimed source. The packet passport system can be incrementally deployed without introducing extra control messages. It also provides incentives for early adoption: a domain that deploys the packet passport system can prevent other domains from spoofing its source identifiers. Our preliminary analysis suggests that the packet passport system can be implemented at high-speed routers with today’s technologies.

Stronger security bounds for Wegman-Carter-Shoup authenticators, in EUROCRYPT, 2005
Cited by 16 (3 self)
Abstract. Shoup proved that various message-authentication codes of the form (n, m) ↦ h(m) + f(n) are secure against all attacks that see at most √(1/ε) authenticated messages. Here m is a message; n is a nonce chosen from a public group G; f is a secret uniform random permutation of G; h is a secret random function; and ε is a differential probability associated with h. Shoup’s result implies that if AES is secure then various state-of-the-art message-authentication codes of the form (n, m) ↦ h(m) + AES_k(n) are secure up to √(1/ε) authenticated messages. Unfortunately, √(1/ε) is only about 2^50 for some state-of-the-art systems, so Shoup’s result provides no guarantees for long-term keys. This paper proves that security of the same systems is retained up to √#G authenticated messages. In a typical state-of-the-art system, √#G is 2^64. The heart of the paper is a very general “one-sided” security theorem: (n, m) ↦ h(m) + f(n) is secure if there are small upper bounds on differential probabilities for h and on interpolation probabilities for f. Keywords: mode of operation, authentication, MAC, Wegman-Carter, provable security

Passport: Secure and Adoptable Source Authentication
Cited by 16 (3 self)
We present the design and evaluation of Passport, a system that allows source addresses to be validated within the network. Passport uses efficient, symmetric-key cryptography to place tokens on packets that allow each autonomous system (AS) along the network path to independently verify that a source address is valid. It leverages the routing system to efficiently distribute the symmetric keys used for verification, and is incrementally deployable without upgrading hosts. We have implemented Passport with Click and XORP and evaluated the design via micro-benchmarking, experiments on the Deterlab, security analysis, and adoptability modeling. We find that Passport is plausible for gigabit links, and can mitigate reflector attacks even without separate denial-of-service defenses. Our adoptability modeling shows that Passport provides stronger security and deployment incentives than alternatives such as ingress filtering. This is because the ISPs that adopt it protect their own addresses from being spoofed at each other’s networks even when the overall deployment is small.

Update on UMAC fast message authentication, Advances in Cryptology - CRYPTO 2000, Lecture Notes in Computer Science, 2000
Cited by 2 (0 self)
The UMAC message authentication code (MAC) proposed by us at CRYPTO '99 combined a software-optimized hash-function family, NH, with a pseudorandom function (CBC-RC6 or HMAC-SHA1) [1]. For a MAC with forging probability of 2^-60 we reported peak speeds of 1.0 Pentium II cycles-per-byte (cpb) using Pentium MMX SIMD parallelism, and about 1.9 cpb without. Since CRYPTO '99 we have continued to refine UMAC. An Internet Working Draft is now ready [2]. Here we summarize a few of the refinements to UMAC embodied by that spec, plus our most recent timings. The refinements were aimed at achieving three main goals: Faster MACing of short messages. Recent discussions with David McGrew and Scott Fluhrer (Cisco Systems) have reminded us that much traffic requiring MACs, particularly IP flows, is heavily geared towards short messages. Thus we have done more to achieve the best performance we can for very short messages. According to these Cisco folks, a fair rule-of-thumb for the distribution of message sizes on an Internet backbone is that roughly one-third of messages are 43 bytes (TCP ACKs), one-third are about 256 bytes (common PPP dialup MTU), and one-third are 1,500 bytes (common Ethernet MTU). The following table gives current timings for the original UMAC (UMAC-STD and UMAC-MMX) and their corresponding replacements (UMAC32 and UMAC16). Timings are in cycles-per-byte and gathered on a 700 MHz Pentium III under gcc 2.95, mixed C/assembly. Both UMAC16 and UMAC32 give 64-bit tags with forging probability of approximately 2^-60.

Providing Mobile Users’ Anonymity in Hybrid Networks
Cited by 2 (1 self)
We present a novel hybrid communication protocol that guarantees mobile users’ k-anonymity against a wide range of adversaries by exploiting the capability of handheld devices to connect to both WiFi and cellular networks. Unlike existing anonymity schemes, we consider all parties that can intercept communications between the mobile user and a server as potential privacy threats. We formally quantify the privacy exposure and the protection of our system in the presence of malicious neighboring peers, global WiFi eavesdroppers, and omniscient mobile network operators. We show how our system provides an automatic incentive for users to collaborate, since by forwarding packets for other peers users gain anonymity for their own traffic.

Securing BGP -- A Literature Survey, 2010
Cited by 1 (0 self)
The Border Gateway Protocol (BGP) is the Internet’s inter-domain routing protocol. One of the major concerns related to BGP is its lack of effective security measures, and as a result the routing infrastructure of the Internet is vulnerable to various forms of attack. This paper examines the Internet’s routing architecture and the design of BGP in particular, and surveys the work to date on securing BGP. To date no proposal has been seen as offering a combination of adequate security functions, suitable performance overheads and deployable support infrastructure. Some open questions on the next steps in the study of BGP security are posed.

Network Working Group, D. Miller, 2008
The use of UMAC in the SSH Transport Layer Protocol, draft-miller-secsh-umac-01.txt. By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at

Extending the Salsa20 nonce
Abstract. This paper introduces the XSalsa20 stream cipher. XSalsa20 is based upon the Salsa20 stream cipher but has a much longer nonce: 192 bits instead of 64 bits. XSalsa20 has exactly the same streaming speed as Salsa20, and its extra nonce-setup cost is slightly smaller than the cost of generating one block of Salsa20 output. This paper proves that XSalsa20 is secure if Salsa20 is secure: any successful fast attack on XSalsa20 can be converted into a successful fast attack on Salsa20.

Securing Block Storage Protocols over IP
This document discusses how to secure block storage and storage discovery protocols running over IP (Internet Protocol) using IPsec and IKE (Internet Key Exchange). Threat models and security protocols are developed for iSCSI (Internet Protocol Small Computer System Interface), iFCP (Internet Fibre Channel Storage Networking) and FCIP (Fibre Channel over TCP/IP), as well as the iSNS (Internet Storage Name Server) and SLPv2 (Service Location Protocol v2) discovery protocols. Performance issues and resource constraints are analyzed.