Results 1 - 10 of 13
Floating-Point Arithmetic and Message Authentication
2000
Cited by 28 (8 self)
There is a well-known class of message authentication systems guaranteeing that attackers will have a negligible chance of successfully forging a message. This paper shows how one of these systems can hash messages at extremely high speed, much more quickly than previous systems at the same security level, using IEEE floating-point arithmetic. This paper also presents a survey of the literature in a unified mathematical framework.
Lecture Notes on Cryptography
2001
Cited by 17 (0 self)
This is a set of lecture notes on cryptography compiled for 6.87s, a one-week-long course on cryptography taught at MIT by Shafi Goldwasser and Mihir Bellare in the summers of 1996–2001. The notes were formed by merging notes written for Shafi Goldwasser’s Cryptography and Cryptanalysis course at MIT with notes written for Mihir Bellare’s Cryptography and network security course at UCSD. In addition, Rosario Gennaro (as Teaching Assistant for the course in 1996) contributed Section 9.6, Section 11.4, Section 11.5, and Appendix D to the notes, and also compiled, from various sources, some of the problems in Appendix E. Cryptography is of course a vast subject. The thread followed by these notes is to develop and explain the notion of provable security and its usage for the design of secure protocols. Much of the material in Chapters 2, 3 and 7 is a result of scribe notes, originally taken by MIT graduate students who attended Professor Goldwasser’s Cryptography and Cryptanalysis course over the years, and later edited by Frank D’Ippolito, who was a teaching assistant for the course in 1991. Frank also contributed much of the advanced number theoretic material in the Appendix. Some of the material in Chapter 3 is from the chapter on Cryptography, by R. Rivest, in the Handbook of Theoretical Computer Science. Chapters 4, 5, 6, 8 and 10, and Sections 9.5 and 7.4.6, were written by Professor Bellare for his Cryptography and network security course at UCSD.
New paradigms for constructing symmetric encryption schemes secure against chosen ciphertext attack
Advances in Cryptology - CRYPTO 2000, 2000
Cited by 10 (0 self)
The paradigms currently used to realize symmetric encryption schemes secure against adaptive chosen ciphertext attack (CCA) try to make it infeasible for an attacker to forge “valid” ciphertexts. This is achieved by either encoding the plaintext with some redundancy before encrypting or by appending a MAC to the ciphertext. We suggest schemes which are provably secure against CCA, and yet every string is a “valid” ciphertext. Consequently, our schemes have a smaller ciphertext expansion than any other scheme known to be secure against CCA. Our most efficient scheme is based on a novel use of “variable-length” pseudorandom functions and can be efficiently implemented using block ciphers. We relate the difficulty of breaking our schemes to that of breaking the underlying primitives in a precise and quantitative way.
Elastic Block Ciphers
2004
Cited by 7 (7 self)
We introduce a new concept of elastic block ciphers, symmetric-key encryption algorithms that for a variable size input do not expand the plaintext (i.e., do not require plaintext padding), while maintaining the diffusion property of traditional block ciphers and adjusting their computational load proportionally to the size increase. Elastic block ciphers are ideal for applications where length-preserving encryption is most beneficial, such as protecting variable-length database entries or network packets.
Pseudo-Random Functions and Parallelizable Modes of Operations of a Block Cipher
Cited by 6 (3 self)
This paper considers the construction and analysis of pseudorandom functions (PRFs) with specific reference to modes of operations of a block cipher. In the context of message authentication codes (MACs), earlier independent work by Bernstein and Vaudenay shows how to reduce the analysis of relevant PRFs to some probability calculations. In the first part of the paper, we revisit this result and use it to prove a general result on constructions which use a PRF with a “small” domain to build a PRF with a “large” domain. This result is used to analyse two new parallelizable PRFs which are suitable for use as MAC schemes. The first scheme, called iPMAC, is based on a block cipher and improves upon the well-known PMAC algorithm. The improvements consist in faster masking operations and the removal of a design-stage discrete logarithm computation. The second scheme, called VPMAC, uses a keyed compression function rather than a block cipher. The only previously known compression-function-based parallelizable PRF is called the protected counter sum (PCS) and is due to Bernstein. VPMAC improves upon PCS by requiring fewer calls to the compression function. The second part of the paper takes a new look at the construction and analysis of modes of operations for authenticated encryption (AE) and for authenticated encryption with associated data (AEAD). Usually, the most complicated part in the security analysis of such modes is the analysis of authentication
Proposal to NIST for a parallelizable message authentication code
2001
Cited by 3 (0 self)
accounting. PMAC uses ⌈|M|/n⌉ block-cipher invocations for any nonempty message M. (The empty string takes one block-cipher invocation.) We compare with the CBC MAC: The "basic" CBC MAC, which assumes that the message is a nonzero multiple of the block length and which is only secure when all messages to be MACed are of one fixed length, uses the same number of block cipher calls: |M|/n.
Surf: Simple Unpredictable Random Function
Cited by 1 (1 self)
This paper presents surf_k, a reasonably fast function that converts a 384-bit input into a 256-bit output, given a 1024-bit seed k. When k is secret and uniformly selected, surf_k seems to be indistinguishable from a uniformly selected 384-bit-to-256-bit function.
PMAC: A Parallelizable Message Authentication Code
2000
Cited by 1 (1 self)
We describe a MAC (message authentication code) which is deterministic, parallelizable, and uses only ### #### block-cipher invocations to MAC a nonempty string # (where # is the block size of the underlying block cipher). The MAC can be proven secure (work to appear) in the reduction-based approach of modern cryptography. The MAC is similar to one recently suggested by Gligor and Donescu [5].
1 Introduction
PMAC and its characteristics
This note describes a new message authentication code, ####. Unlike customary modes for message authentication, the construction here is fully parallelizable. This will result in faster authentication in a variety of settings. The #### construction is stingy in its use of block-cipher calls, employing just ### #### block-cipher invocations to MAC a nonempty string # using an #-bit block cipher. A MAC computed by PMAC can have any length from up to # bits. Unlike the CBC MAC (in its basic form), #### can be applied to any message # ; in particula...
Extending the Salsa20 nonce
This paper introduces the XSalsa20 stream cipher. XSalsa20 is based upon the Salsa20 stream cipher but has a much longer nonce: 192 bits instead of 64 bits. XSalsa20 has exactly the same streaming speed as Salsa20, and its extra nonce-setup cost is slightly smaller than the cost of generating one block of Salsa20 output. This paper proves that XSalsa20 is secure if Salsa20 is secure: any successful fast attack on XSalsa20 can be converted into a successful fast attack on Salsa20.