Results 1  10
of
73
Authenticated encryption: Relations among notions and analysis of the generic composition paradigm
, 2000
"... and analysis of the generic composition paradigm ..."
Abstract

Cited by 273 (25 self)
 Add to MetaCart
(Show Context)
and analysis of the generic composition paradigm
Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC
, 2003
"... We describe highly efficient constructions, XE and XEX, that turn a blockcipher E: K × {0, 1}^n → {0, 1}^n into a tweakable blockcipher... ..."
Abstract

Cited by 77 (9 self)
 Add to MetaCart
(Show Context)
We describe highly efficient constructions, XE and XEX, that turn a blockcipher E: K &times; {0, 1}^n &rarr; {0, 1}^n into a tweakable blockcipher...
The Security and Performance of the Galois/Counter Mode (GCM) of Operation
 In INDOCRYPT, volume 3348 of LNCS
, 2004
"... The recently introduced Galois/Counter Mode (GCM) of operation for block ciphers provides both encryption and message authentication, using universal hashing based on multiplication in a binary finite field. We analyze its security and performance, and show that it is the most e#cient mode of op ..."
Abstract

Cited by 68 (4 self)
 Add to MetaCart
The recently introduced Galois/Counter Mode (GCM) of operation for block ciphers provides both encryption and message authentication, using universal hashing based on multiplication in a binary finite field. We analyze its security and performance, and show that it is the most e#cient mode of operation for high speed packet networks, by using a realistic model of a network crypto module and empirical data from studies of Internet tra#c in conjunction with software experiments and hardware designs. GCM has several useful features: it can accept IVs of arbitrary length, can act as a standalone message authentication code (MAC), and can be used as an incremental MAC. We show that GCM is secure in the standard model of concrete security, even when these features are used. We also consider several of its important systemsecurity aspects.
A System for Authenticated PolicyCompliant Routing
, 2004
"... Internet end users and ISPs alike have little control over how packets are routed outside of their own AS, restricting their ability to achieve levels of performance, reliability, and utility that might otherwise be attained. While researchers have proposed a number of sourcerouting techniques to c ..."
Abstract

Cited by 62 (6 self)
 Add to MetaCart
Internet end users and ISPs alike have little control over how packets are routed outside of their own AS, restricting their ability to achieve levels of performance, reliability, and utility that might otherwise be attained. While researchers have proposed a number of sourcerouting techniques to combat this limitation, there has thus far been no way for independent ASes to ensure that such traffic does not circumvent local traffic policies, nor to accurately determine the correct party to charge for forwarding the traffic. We present Platypus, an authenticated source routing system built around the concept of network capabilities. Network capabilities allow for accountable, finegrained path selection by cryptographically attesting to policy compliance at each hop along a source route. Capabilities can be composed to construct routes through multiple ASes and can be delegated to third parties. Platypus caters to the needs of both end users and ISPs: users gain the ability to pool their resources and select routes other than the default, while ISPs maintain control over where, when, and whose packets traverse their networks. We describe how Platypus can be used to address several wellknown issues in widearea routing at both the edge and the core, and evaluate its performance, security, and interactions with existing protocols. Our results show that incremental deployment of Platypus can achieve immediate gains.
Authenticatedencryption with associateddata
 In Proc. 9th CCS
, 2002
"... Keywords: Associateddata problem, authenticatedencryption, blockcipher usage, key separation, modes of operation, OCB. ..."
Abstract

Cited by 58 (18 self)
 Add to MetaCart
(Show Context)
Keywords: Associateddata problem, authenticatedencryption, blockcipher usage, key separation, modes of operation, OCB.
A provablesecurity treatment of the keywrap problem
 EUROCRYPT 2006, LNCS 4004
, 2006
"... Abstract. We give a provablesecurity treatment for the keywrap problem, providing definitions, constructions, and proofs. We suggest that keywrap’s goal is security in the sense of deterministic authenticatedencryption (DAE), a notion that we put forward. We also provide an alternative notion, a ..."
Abstract

Cited by 50 (12 self)
 Add to MetaCart
(Show Context)
Abstract. We give a provablesecurity treatment for the keywrap problem, providing definitions, constructions, and proofs. We suggest that keywrap’s goal is security in the sense of deterministic authenticatedencryption (DAE), a notion that we put forward. We also provide an alternative notion, a pseudorandom injection (PRI), which we prove to be equivalent. We provide a DAE construction, SIV, analyze its concrete security, develop a blockcipherbased instantiation of it, and suggest that the method makes a desirable alternative to the schemes of the X9.102 draft standard. The construction incorporates a method to turn a PRF that operates on a string into an equally efficient PRF that operates on a vector of strings, a problem of independent interest. Finally, we consider IVbased authenticatedencryption (AE) schemes that are maximally forgiving of repeated IVs, a goal we formalize as misuseresistant AE. We show that a DAE scheme with a vectorvalued header, such as SIV, directly realizes this goal. 1
CodeBased GamePlaying Proofs and the Security of Triple Encryption
 Eurocrypt 2006, LNCS
"... (Draft 3.0) The gameplaying technique is a powerful tool for analyzing cryptographic constructions. We illustrate this by using games as the central tool for proving security of threekey tripleencryption, a longstanding open problem. Our result, which is in the idealcipher model, demonstrates t ..."
Abstract

Cited by 46 (10 self)
 Add to MetaCart
(Draft 3.0) The gameplaying technique is a powerful tool for analyzing cryptographic constructions. We illustrate this by using games as the central tool for proving security of threekey tripleencryption, a longstanding open problem. Our result, which is in the idealcipher model, demonstrates that for DES parameters (56bit keys and 64bit plaintexts) an adversary’s maximal advantage is small until it asks about 278 queries. Beyond this application, we develop the foundations for game playing, formalizing a general framework for gameplaying proofs and discussing techniques used within such proofs. To further exercise the gameplaying framework we show how to use games to get simple proofs for the PRP/PRF Switching Lemma, the security
CWC: A highperformance conventional authenticated encryption mode
 Proceedings of FSE 2004, LNCS 3017
, 2004
"... Abstract. We introduce CWC, a new block cipher mode of operation for protecting both the privacy and the authenticity of encapsulated data. CWC is currently the only such mode having all five of the following properties: provable security, parallelizability, high performance in hardware, high perfor ..."
Abstract

Cited by 41 (3 self)
 Add to MetaCart
(Show Context)
Abstract. We introduce CWC, a new block cipher mode of operation for protecting both the privacy and the authenticity of encapsulated data. CWC is currently the only such mode having all five of the following properties: provable security, parallelizability, high performance in hardware, high performance in software, and no intellectual property concerns. We believe that having all five of these properties makes CWC a powerful tool for use in many performancecritical cryptographic applications. CWC is also the only appropriate solution for some applications; e.g., standardization bodies like the IETF and NIST prefer patentfree modes, and CWC is the only such mode capable of processing data at 10Gbps in hardware, which will be important for future IPsec (and other) network devices. As part of our design, we also introduce a new parallelizable universal hash function optimized for performance in both hardware and software.
HCTR: A variableinputlength enciphering mode
 In Information Security and Cryptology
, 2005
"... Abstract. This paper proposes a blockcipher mode of operation, HCTR, which is a lengthpreserving encryption mode. HCTR turns an nbit blockcipher into a tweakable blockcipher that supports arbitrary variable input length which is no less than n bits. The tweak length of HCTR is fixed and can be zer ..."
Abstract

Cited by 32 (0 self)
 Add to MetaCart
Abstract. This paper proposes a blockcipher mode of operation, HCTR, which is a lengthpreserving encryption mode. HCTR turns an nbit blockcipher into a tweakable blockcipher that supports arbitrary variable input length which is no less than n bits. The tweak length of HCTR is fixed and can be zero. We prove that HCTR is a strong tweakable pseudorandom permutation (sprp), when the underlying blockcipher is a strong pseudorandom permutation (sprp). HCTR is shown to be a very efficient mode of operation when some precomputations are taken into consideration. Arbitrary variable input length brings much flexibility in various application environments. HCTR can be used in disk sector encryption, and other lengthpreserving encryptions, especially for the message that is not multiple of n bits.
OMAC: OneKey CBC MAC
 Preproceedings of Fast Software Encryption, FSE 2003
, 2002
"... In this paper, we present Onekey CBC MAC (OMAC) and prove its security for arbitrary length messages. OMAC takes only one key, K (k bits) of a block cipher E. Previously, XCBC requires three keys, (k + 2n) bits in total, and TMAC requires two keys, (k + n) bits in total, where n denotes the block l ..."
Abstract

Cited by 27 (6 self)
 Add to MetaCart
In this paper, we present Onekey CBC MAC (OMAC) and prove its security for arbitrary length messages. OMAC takes only one key, K (k bits) of a block cipher E. Previously, XCBC requires three keys, (k + 2n) bits in total, and TMAC requires two keys, (k + n) bits in total, where n denotes the block length of E.