Abstract Pseudorandom function families are a powerful cryptographic primitive, yielding, in partic-ular, simple solutions for the main problems in private key cryptography. Their existence based on general assumptions (namely, the existence of one-way functions) has been established.In this work we investigate new ways of designing pseudorandom function families. The goal is to find constructions that are both efficient and secure, and thus eventually to bring thebenefits of pseudorandom functions to practice.

Real-world traffic traces are crucial for Internet research, but only a very small percentage of traces collected are made public. One major reason why traffic trace owners hesitate to make the traces publicly available is the concern that confidential and private information may be inferred from the trace. In this paper we focus on the problem of anonymizing IP addresses in a trace. More specifically, we are interested in prefix-preserving anonymization in which the prefix relationship among IP addresses is preserved in the anonymized trace, making such a trace usable in situations where prefix relationships are important. The goal of our work is two fold. First, we develop a cryptographybased, prefix-preserving anonymization technique that is provably as secure as the existing well-known TCPdpriv scheme, and unlike TCPdpriv, provides consistent prefix-preservation in large scale distributed setting. Second, we evaluate the security properties inherent in all prefix-preserving IP address anonymization schemes (including TCPdpriv). Through the analysis of Internet backbone traffic traces, we investigate the effect of some types of attacks on the security of any prefix-preserving anonymization algorithm. We also derive results for the optimum manner in which an attack should proceed, which provides a bound on the effectiveness of attacks in general.

. We consider the security of message authentication code (MAC) algorithms, and the construction of MACs from fast hash functions. A new forgery attack applicable to all iterated MAC algorithms is described, the first known such attack requiring fewer operations than exhaustive key search. Existing methods for constructing MACs from hash functions, including the secret prefix, secret suffix, and envelope methods, are shown to be unsatisfactory. Motivated by the absence of a secure, fast MAC algorithm not based on encryption, a new generic construction (MDx-MAC) is proposed for transforming any secure hash function of the MD4-family into a secure MAC of equal or smaller bitlength and comparable speed. 1 Introduction Hash functions play a fundamental role in modern cryptography. One main application is their use in conjunction with digital signature schemes; another is in conventional techniques for message authentication. In the latter, it is preferable that a hash function take as a d...

There are well-known techniques for message authentication using universal hash functions. This approach seems very promising, as it provides schemes that are both efficient and provably secure under reasonable assumptions. This paper contributes to this line of research in two ways. First, it analyzes the basic construction and some variants under more realistic and practical assumptions. Second, it shows how these schemes can be efficiently implemented, and it reports on the results of empirical performance tests that demonstrate that these schemes are competitive with other commonly employed schemes whose security is less well-established. 1 Introduction Message Authentication. Message authentication schemes are an important security tool. As more and more data is being transmitted over networks, the need for secure, high-speed, software-based message authentication is becoming more acute. The setting for message authentication is the following. Two parties A and B agree on a secre...

Abstract. We initiate the investigation of a new kind of efficiency for cryptographic transformations. The idea is that having once applied the transformation to some document M, the time to update the result upon modification of M should be “proportional ” to the “amount of modification” done to M. Thereby one obtains much faster cryptographic primitives for environments where closely related documents are undergoing the same cryptographic transformations. We provide some basic definitions enabling treatment of the new notion. We then exemplify our approach by suggesting incremental schemes for hashing and signing which are efficient according to our new measure. 1

This paper surveys recent work on the design and analysis of key agreement protocols that are based on the intractability of the Diffie-Hellman problem. The focus is on protocols that have been standardized, or are in the process of being standardized, by organizations such as ANSI, IEEE, ISO/IEC, and NIST. The practical and provable security aspects of these protocols are discussed.

We investigate the following approach to symmetric encryption: first encode the message via some keyless transform, and then encipher the encoded message, meaning apply a permutation FK based on a shared key K. We provide conditions on the encoding functions and the cipher which ensure that the resulting encryption scheme meets strong privacy (eg. semantic security) and/or authenticity goals. The encoding can either be implemented in a simple way (eg. prepend a counter and append a checksum) or viewed as modeling existing redundancy or entropy already present in the messages, whereby encode-then-encipher encryption provides a way to exploit structured message spaces to achieve compact ciphertexts.

This paper provides a comprehensive treatment of forward-security in the context of sharedkey based cryptographic primitives, as a practical means to mitigate the damage caused by key-exposure. We provide definitions of security, practical proven-secure constructions, and applications for the main primitives in this area. We identify forward-secure pseudorandom bit generators as the central primitive, providing several constructions and then showing how forward-secure message authentication schemes and symmetric encryption schemes can be built based on standard schemes for these problems coupled with forward-secure pseudorandom bit generators. We then apply forward-secure message authentication schemes to the problem of maintaining secure access logs in the presence of break-ins.

The most common way of constructing a hash function (e.g., SHA-1) is to iterate a compression function on the input message. The compression function is usually designed from scratch or made out of a block-cipher. In this paper, we introduce a new security notion for hash-functions, stronger than collision-resistance. Under this notion, the arbitrary length hash function H must behave as a random oracle when the fixed-length building block is viewed as a random oracle or an ideal block-cipher. The key property is that if a particular construction meets this definition, then any cryptosystem proven secure assuming H is a random oracle remains secure if one plugs in this construction (still assuming that the underlying fixed-length primitive is ideal). In this paper, we show that the current design principle behind hash functions such as SHA-1 and MD5 — the (strengthened) Merkle–Damgård transformation — does not satisfy this security notion. We provide several constructions that provably satisfy this notion; those new constructions introduce minimal changes to the plain Merkle–Damgård construction and are easily implementable in practice.

We introduce a new technique for constructing a family of universal hash functions.