Results 1 - 10 of 17
OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption
, 2001
Cited by 111 (14 self)
We describe a parallelizable block-cipher mode of operation that simultaneously provides privacy and authenticity. OCB encrypts-and-authenticates a nonempty string M ∈ {0,1}* using ⌈|M|/n⌉ + 2 block-cipher invocations, where n is the block length of the underlying block cipher. Additional overhead is small. OCB refines a scheme, IAPM, suggested by Jutla [20]. Desirable properties of OCB include: the ability to encrypt a bit string of arbitrary length into a ciphertext of minimal length; cheap offset calculations; cheap session setup; a single underlying cryptographic key; no extended-precision addition; a nearly optimal number of block-cipher calls; and no requirement for a random IV. We prove OCB secure, quantifying the adversary's ability to violate privacy or authenticity in terms of the quality of the block cipher as a pseudorandom permutation (PRP) or as a strong PRP, respectively.
Keywords: AES, authenticity, block ciphers, cryptography, encryption, integrity, modes of operation, provable security, standards.
Author affiliations: Department of Computer Science, Eng. II Building, University of California at Davis, Davis, California 95616 USA, and Department of Computer Science, Faculty of Science, Chiang Mai University, Chiang Mai 50200 Thailand (e-mail: rogaway@cs.ucdavis.edu, web: www.cs.ucdavis.edu/~rogaway); Department of Computer Science & Engineering, University of California at San Diego, 9500 Gilman Drive, La Jolla, California 92093 USA (e-mail: mihir@cs.ucsd.edu, web: www-cse.ucsd.edu/users/mihir); Department of Computer Science, University of Nevada, Reno, Nevada 89557 USA (e-mail: jrb@cs.unr.edu, web: www.cs.unr.edu/~jrb); Digital Fountain, 600 Alabama Street, San Francisco, CA 94110 USA (e-mail: tdk@acm.org).
Tweakable block ciphers
, 2002
Cited by 86 (3 self)
We propose a new cryptographic primitive, the “tweakable block cipher.” Such a cipher has not only the usual inputs—message and cryptographic key—but also a third input, the “tweak.” The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our proposal thus brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher “tweakable” is small, and (3) it is easier to design and prove modes of operation based on tweakable block ciphers.
Field inversion and point halving revisited
- IEEE Transactions on Computers
, 2004
Cited by 47 (7 self)
We present a careful analysis of elliptic curve point multiplication methods that use the point halving technique of Knudsen and Schroeppel, and compare these methods to traditional algorithms that use point doubling. The performance advantage of halving methods is clearest in the case of point multiplication kP where P is not known in advance, and smaller field inversion to multiplication ratios generally favour halving. Although halving essentially operates on affine coordinate representations, we adapt an algorithm of Knuth to allow efficient use of projective coordinates with halving-based windowing methods for point multiplication.
New AES software speed records
Cited by 8 (2 self)
This paper presents new speed records for AES software, taking advantage of (1) architecture-dependent reduction of instructions used to compute AES and (2) microarchitecture-dependent reduction of cycles used for those instructions. A wide variety of common CPU architectures—amd64, ppc32, sparcv9, and x86—are discussed in detail, along with several specific microarchitectures.
Efficient Implementation of Rijndael Encryption With Composite Field Arithmetic
Cited by 3 (2 self)
We explore the use of subfield arithmetic for efficient implementations of Galois field arithmetic in the context of the Rijndael cipher.
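The subfield idea in one runnable piece: the only non-linear step of the Rijndael S-box, inversion in GF(2^8), is carried out in the composite field GF((2^4)^2), where it collapses to a 16-entry inversion table plus a few GF(2^4) multiplications. This is an added example, not code from the paper above; the subfield polynomial x^4 + x + 1, the search for lambda, and the root-finding used to build the isomorphism are my own choices, not the paper's basis selection. The result is cross-checked against the AES field for all 256 bytes.

```python
"""Rijndael inversion via the composite field GF((2^4)^2) -- an added worked example."""

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1: the Rijndael field polynomial (FIPS-197)
GF16_POLY = 0x13   # x^4 + x + 1: assumed choice for the GF(2^4) subfield


def gf256_mul(a, b):
    """Reference schoolbook multiply in GF(2^8), reduced by AES_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf16_mul(a, b):
    """Multiply in the 16-element subfield, reduced by GF16_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x10:
            a ^= GF16_POLY
        b >>= 1
    return r


# The construction's payoff: the only non-linear step, inversion, now happens in a
# field small enough to tabulate in 16 entries (0 maps to 0, as AES requires).
GF16_INV = [0] * 16
for x in range(1, 16):
    GF16_INV[x] = next(y for y in range(1, 16) if gf16_mul(x, y) == 1)


def find_lambda():
    """Pick lambda so that y^2 + y + lambda has no root in GF(2^4), i.e. is irreducible."""
    return next(l for l in range(1, 16)
                if all(gf16_mul(c, c) ^ c ^ l for c in range(16)))


LAMBDA = find_lambda()


# Elements of GF((2^4)^2) are pairs (hi, lo) standing for hi*y + lo, with y^2 = y + LAMBDA.
def comp_add(a, b):
    return (a[0] ^ b[0], a[1] ^ b[1])


def comp_mul(a, b):
    ah, al = a
    bh, bl = b
    hh = gf16_mul(ah, bh)                       # y^2 term, folded back via y^2 = y + LAMBDA
    return (gf16_mul(ah, bl) ^ gf16_mul(al, bh) ^ hh,
            gf16_mul(al, bl) ^ gf16_mul(hh, LAMBDA))


def comp_inv(a):
    """Inverse of ah*y + al: multiply by the conjugate ah*y + (ah + al) and divide by
    the norm n = ah^2*LAMBDA + ah*al + al^2, which lies in GF(2^4)."""
    ah, al = a
    n = gf16_mul(gf16_mul(ah, ah), LAMBDA) ^ gf16_mul(ah, al) ^ gf16_mul(al, al)
    n_inv = GF16_INV[n]                         # n == 0 only for a == 0, which maps to 0
    return (gf16_mul(ah, n_inv), gf16_mul(ah ^ al, n_inv))


def comp_powers(beta, count):
    p = [(0, 1)]
    for _ in range(count - 1):
        p.append(comp_mul(p[-1], beta))
    return p


def find_root():
    """The isomorphism is fixed by a root beta of the AES polynomial in the composite field."""
    for hi in range(16):
        for lo in range(16):
            p = comp_powers((hi, lo), 9)
            acc = (0, 0)
            for i in (8, 4, 3, 1, 0):           # beta^8 + beta^4 + beta^3 + beta + 1
                acc = comp_add(acc, p[i])
            if acc == (0, 0):
                return (hi, lo)
    raise ValueError("no root found: y^2 + y + LAMBDA is not irreducible")


BETA_POWERS = comp_powers(find_root(), 8)


def to_composite(a):
    """Linear map x^i -> beta^i applied to the bits of the AES field element a."""
    acc = (0, 0)
    for i in range(8):
        if (a >> i) & 1:
            acc = comp_add(acc, BETA_POWERS[i])
    return acc


FROM_COMPOSITE = {to_composite(a): a for a in range(256)}   # the map is a bijection


def composite_inv(a):
    """Invert an AES field element: map into GF((2^4)^2), invert there, map back."""
    return FROM_COMPOSITE[comp_inv(to_composite(a))]


def aes_sbox(a):
    """S-box = composite-field inversion followed by the FIPS-197 affine transform."""
    x = composite_inv(a)
    s = x
    for _ in range(4):
        x = ((x << 1) | (x >> 7)) & 0xFF
        s ^= x
    return s ^ 0x63


def check_all():
    """Every nonzero byte times its composite-field inverse must be 1 in the AES field."""
    return composite_inv(0) == 0 and all(
        gf256_mul(a, composite_inv(a)) == 1 for a in range(1, 256))
```

The isomorphism is built once at import time; a hardware or table-driven implementation would instead hard-code the two 8x8 binary matrices this map and its inverse amount to, and pick the subfield basis to minimise gate count, which is the optimisation the paper is about.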
Multi-Party Electronic Payments for Mobile Communications
, 2000
Cited by 3 (0 self)
Michael Peirce (supervisor: Dr. Donal O'Mahony). As mobile communications become increasingly sophisticated and ubiquitous, traditional mobile billing with its implicit trust relationships will no longer be adequate. With a large number of different sized mobile networks, a huge variety of value added service providers and many millions of roaming users, it is desirable to remove any unnecessary trust in order to increase security and provide incontestable charging.
Efficient Galois Field Arithmetic on SIMD Architectures
Cited by 3 (0 self)
We propose techniques to utilize the data parallelism capabilities of a SIMD architecture in computations involving Galois Field arithmetic. Galois Field arithmetic finds wide use in engineering applications, including error-correcting codes and cryptography. Often these applications involve extensive arithmetic on small (8-bit) numbers, and straightforward implementations may highly under-utilize the wide-word capabilities of a SIMD processor.
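As an added illustration of the data-parallel point (not code from the paper): eight GF(2^8) elements packed into one 64-bit word, with the multiply-by-x step and a lane-wise product done by masks and shifts only, in the SWAR style a SIMD register would use. Python integers stand in for the wide register; the reduction polynomial is the AES one, and the expected values in the checks come from the FIPS-197 multiplication example ({57} • {13} = {fe}) and the inverse pair {53} • {ca} = {01}.

```python
"""SWAR GF(2^8) arithmetic: eight AES field elements per 64-bit word (added example)."""

MASK64 = 0xFFFFFFFFFFFFFFFF
LO7 = 0x7F7F7F7F7F7F7F7F    # clears the top bit of every byte lane
HI1 = 0x8080808080808080    # isolates the top bit of every byte lane
ONES = 0x0101010101010101   # 0x01 in every lane
LANES = 8


def pack(elems):
    """Pack up to 8 field elements (ints 0..255) into one word; lane 0 is the low byte."""
    assert len(elems) <= LANES and all(0 <= e < 256 for e in elems)
    return int.from_bytes(bytes(elems).ljust(LANES, b"\0"), "little")


def unpack(word):
    return list(word.to_bytes(LANES, "little"))


def xtime_packed(w):
    """Multiply every lane by x (0x02) mod x^8+x^4+x^3+x+1 with no per-lane branches:
    lanes whose top bit was set get the low byte of the polynomial, 0x1B, XORed in."""
    carry = (w & HI1) >> 7                      # 0x01 in exactly the lanes that overflow
    return ((w & LO7) << 1) ^ (carry * 0x1B)    # 0x1B < 0x100, so lanes never interfere


def mul_packed_scalar(w, c):
    """Every lane of w times one field element c (shift-and-add over the bits of c)."""
    r = 0
    while c:
        if c & 1:
            r ^= w
        w = xtime_packed(w)
        c >>= 1
    return r


def mul_packed(a, b):
    """Lane-wise product: lane i of the result is a_i * b_i in GF(2^8).
    The per-lane 'is this bit set' decision becomes a full-byte mask so that
    the conditional XOR needs no branch and no lane extraction."""
    r = 0
    for _ in range(8):
        bit = b & ONES                          # bit 0 of each lane of b
        mask = ((bit << 8) - bit) & MASK64      # 0x01 -> 0xFF, 0x00 -> 0x00, per lane
        r ^= a & mask
        a = xtime_packed(a)
        # b >>= 1 leaks a neighbour's low bits into bit 7 of this lane; they only
        # reach bit 0 after 8 shifts, which is past the last round, so this is safe.
        b >>= 1
    return r
```

The same masks (LO7, HI1, ONES) are what an SSE2 or NEON implementation uses, just 128 bits wide; the branch-free xtime is also the shape that avoids data-dependent timing, which a lookup-table implementation of the same operation does not guarantee.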
Linear Cryptanalysis of DES
Cited by 1 (0 self)
The main goal of this diploma work is the implementation of Matsui's linear cryptanalysis of DES and a statistical and theoretical analysis of its complexity and success probability. In order to achieve this goal, we first implement a very fast DES routine on the Intel Pentium III MMX architecture which is fully optimised for linear cryptanalysis. New implementation concepts are applied, resulting in a speed increase of almost 50% over the best known classical implementation. The experimental results strongly suggest that the attack is on average about 10 times faster (O(2^39) computations) than expected with 2 known plaintext-ciphertext pairs at disposal; furthermore, we have achieved a complexity of O 2 by using only 2 known pairs. Last, we propose a new analytical expression which approximates success probabilities; it gives slightly better results than Matsui's experimental ones.