## Bucket Hashing and its Application to Fast Message Authentication (1997)

Citations: 55 - 4 self

### BibTeX

@INPROCEEDINGS{Rogaway97buckethashing,
  author = {Phillip Rogaway},
  title = {Bucket Hashing and its Application to Fast Message Authentication},
  booktitle = {},
  year = {1997},
  pages = {29--42},
  publisher = {Springer-Verlag}
}

### Abstract

We introduce a new technique for constructing a family of universal hash functions. At its center is a simple metaphor: to hash a string x, cast each of its words into a small number of buckets; xor the contents of each bucket; then collect up all the buckets' contents. Used in the context of Wegman--Carter authentication, this style of hash function provides a fast approach for software message authentication.

Key words: Cryptography, Hashing, Message authentication codes, Universal Hashing.

1 Introduction

Message authentication. Message authentication is one of the most common cryptographic aims. The setting is that two parties, a signer S and verifier V, share a (short, random, secret) key, k. When S wants to send V a message, x, S computes for it a message authentication code (MAC), $\sigma \leftarrow \mathrm{MAC}_k(x)$, and S sends V the pair $(x, \sigma)$. On receipt of $(x', \sigma')$, verifier V checks that $\mathrm{MACV}_k(x', \sigma') = 1$. To describe the security of a message authentication scheme, an...

### Citations

1354 | Graph Theory with Applications
- Bondy, Murty
- 1976
Citation Context ...om from G, then the probability that their union (with multiplicities) comprises a union of cycles is at most some tiny number . One possible choice of graphs in this regard are the (d, g)-cages (see [8]). A (d, g)-cage is a smallest d-regular graph whose shortest cycle has g edges. These graphs have been explicitly constructed for various values of (d, g). Though (d, g)-cages are rather large (for ev... |

863 | A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks
- Goldwasser, Micali, et al.
- 1988
Citation Context ...proach to the complexity-theoretic case. The complexity-theoretic notion for a secure MAC is a straightforward adaptation of the definition of a digital signature due to Goldwasser, Micali and Rivest [14]. Their notion of an adaptive chosen message attack is equally at home for defining an unconditionally-secure MAC. Thus we view work like ours as making statements about unconditionally-secure authent... |

662 | How to construct random functions
- Goldreich, Goldwasser, et al.
- 1986
Citation Context ...ruction of efficient MACs, and suggest them as a desirable starting point for practical, provably-good constructions. Finite PRFs are a refinement of the PRF notion of Goldreich, Goldwasser and Micali [13] to take account of the fixed lengths of inputs and outputs in the efficient primitives of cryptographic practice. Zobrist [33] gives a hashing technique which predates [10] and essentially coincides ... |

500 | Keying hash functions for message authentication
- Bellare, Canetti, et al.
- 1996
Citation Context ...in common use today are exemplified by $\mathrm{MAC}_k(x) = h(k \| x \| k)$, with h a (software-efficient) cryptographic hash function, such as h = MD5 [22]. Such methods are described in [30]. The algorithm HMAC [3] represents the most refined algorithm in this direction. Schemes like these might seem to be about as software-efficient as one might realistically hope for: after all, we are computing one of the fa... |

400 | The MD4 message digest algorithm
- Rivest
- 1991
Citation Context ...ROACHES TO MESSAGE AUTHENTICATION. The fastest software MACs in common use today are exemplified by $\mathrm{MAC}_k(x) = h(k \| x \| k)$, with h a (software-efficient) cryptographic hash function, such as h = MD5 [22]. Such methods are described in [30]. The algorithm HMAC [3] represents the most refined algorithm in this direction. Schemes like these might seem to be about as software-efficient as one might reali... |

353 | HMAC: Keyed-Hashing for Message Authentication
- Krawczyk, Bellare, et al.
- 1997
Citation Context ...also fast enough to be gainfully employed all by themselves. Halevi and Krawczyk describe a family of hash functions, MMH, which achieves extremely impressive software speeds on some modern platforms [15]. To achieve such performance one needs the underlying hardware to be able to quickly multiply two 32-bit integers to form a 64-bit product. Johansson investigates how to reduce the size of the key fo... |

348 | New hash functions and their use in authentication and set equality
- Wegman, Carter
- 1981
Citation Context ...ypes of cryptographic primitives over a string nearly identical in length to that which we want to authenticate. But it is well-known that this reasoning is specious: in particular, Wegman and Carter [32] showed back in 1981 that we do not have to "cryptographically" transform the entire string x. In the Wegman-Carter approach communicating parties S and V share a secret key $k = (h, P)$ which specifie... |

300 | How to construct pseudorandom permutations from pseudorandom functions - Luby, Rackoff |

269 | Simple construction of almost k-wise independent random variables - Alon, Goldreich, et al. - 1992 |

155 | The security of cipher block chaining
- Bellare, Kilian, et al.
- 1994
Citation Context ...tatements and concrete schemes in the complexity-theoretic tradition. To make this translation we regard a finite pseudorandom function (PRF) as the most appropriate tool. Bellare, Kilian and Rogaway [5] were the first to formalize such objects, investigate their usage in the construction of efficient MACs, and suggest them as a desirable starting point for practical, provably-good constructions. Fini... |

134 | LFSR-based Hashing and Authentication
- Krawczyk
Citation Context ...ding values $v_i$ using a table only slightly bigger than $\sum_i v_i$. The proof of our main technical result is somewhat reminiscent of their analysis. Lai, Rueppel and Woolven [19], Taylor [28], and Krawczyk [18] have all been interested in computationally efficient MACs. The last two works basically follow the Wegman-Carter paradigm. In particular, Krawczyk obtains efficient message authentication codes from... |

109 | Message Authentication with One-Way Hash Functions
- Tsudik
- 1992
Citation Context ...he fastest software MACs in common use today are exemplified by $\mathrm{MAC}_k(x) = h(k \| x \| k)$, with h a (software-efficient) cryptographic hash function, such as h = MD5 [22]. Such methods are described in [30]. The algorithm HMAC [3] represents the most refined algorithm in this direction. Schemes like these might seem to be about as software-efficient as one might realistically hope for: after all, we are... |

87 | A new hashing method with application for game playing
- Zobrist
- 1970
Citation Context ...ite PRFs are a refinement of the PRF notion of Goldreich, Goldwasser and Micali [13] to take account of the fixed lengths of inputs and outputs in the efficient primitives of cryptographic practice. Zobrist [33] gives a hashing technique which predates [10] and essentially coincides with one method from [10]. Arnold and Coppersmith [2] give an interesting hashing technique which allows one to map a set of key... |

86 | Universal Hash Functions
- Carter, Wegman
- 1979
Citation Context ... S now MACs the i-th message, x, with $\mathrm{MAC}_{(h,a)}(x) = (i, F_a(i) \oplus h(x))$. As it turns out, to make a good MAC it is enough to construct something weaker than a strongly universal family. Carter and Wegman [10] also introduced the notion of an almost universal family, $\mathcal{H}$. This must satisfy the weaker condition that $\Pr_{h \in \mathcal{H}}[h(x) = h(x')]$ is small for all $x \neq x'$. As observed by Stinson [27], an almost universa... |

81 | Incremental cryptography: The case of hashing and signing
- Bellare, Goldreich, et al.
- 1994
Citation Context ...tics for a bucket hash MAC. In particular, bucket hashing is parallelizable, since each word of the hash is just the xor of certain words of the message. Bucket hashing is incremental in the sense of [4] with respect to both append and substitute operations. Finally, the only processor instructions a bucket hash needs are word-aligned load, store, and xor; thus a bucket hash MAC is essentially endian... |

74 | On fast and provably secure message authentication based on universal hashing
- Shoup
- 1996
Citation Context ...riginally intended for hardware, these techniques are fast in software, too. We recall Krawczyk's CRC-like hash in Section 2. An earlier version of this paper appeared as [23]. SUBSEQUENT WORK. Shoup [24] has carried out implementations and analysis of hash function families akin to polynomial evaluation. Such hash functions make good candidates for "second level hashing" when a speed-optimized hash f... |

55 | Performance analysis of MD5 - Touch - 1995 |

47 | On universal classes of fast high performance hash functions, their time-space tradeoff, and their applications
- Siegel
- 1989
Citation Context ...ication the size of the hash family corresponds to the number of bits of shared key--one reason to find smaller families of universal hash functions than those of [10, 32]. Siegel (for other reasons) [25] constructs families of fast-to-compute hash functions which use few bits of randomness and have small description size. Stinson finds small hash families in [27], and also gives general results on th... |

45 | On families of hash functions via geometric codes and concatenation
- Bierbrauer, Johansson, et al.
- 1994
Citation Context ...esults on the construction of universal hash functions. We exploit some of these ideas here. Subsequent improvements (rooted in coding theory) came from Bierbrauer, Johansson, Kabatianskii and Smeets [6], and Gemmell and Naor [12]. The above work concentrates on universal hash families and unconditionally-secure authentication. Brassard [9] first connects the Wegman-Carter approach to the complexity-... |

43 | Fast Hash on the Pentium
- Bosselaers, Govaerts, et al.
- 1996
Citation Context ...rectly; it will need to be composed with an additional layer of hashing. All the same, one can compare the instruction count mentioned above to that of MD5, which usess36 instructions per 32-bit word [7], and see that there is potential for substantial efficiency gains even if the true cost of using bucket hashing substantially exceeds 6 instructions/word. A bucket hash MAC has advantages in addition... |

40 | On Computationally Secure Authentication Tags Requiring Short Secret Shared Keys
- Brassard
- 1983
Citation Context ...ry) came from Bierbrauer, Johansson, Kabatianskii and Smeets [6], and Gemmell and Naor [12]. The above work concentrates on universal hash families and unconditionally-secure authentication. Brassard [9] first connects the Wegman-Carter approach to the complexity-theoretic case. The complexity-theoretic notion for a secure MAC is a straightforward adaptation of the definition of a digital signature d... |

34 | Efficiency Considerations in Using Semi-Random Sources
- Vazirani
- 1987
Citation Context ...nique from the following section. We comment that there are many other well-known techniques for universal hashing, such as the linear congruential hash (modulo a prime) [10], the shift register hash [31], or the Toeplitz matrix hash [18]. 3 Bucket Hashing Let $X = X_1 \cdots X_n$ be a string, partitioned into n words. To hash X using bucket hashing we will scatter the words of X into N "buckets," then XOR the ... |

31 | A survey of information authentication
- Simmons
- 1992
Citation Context ... underlying cryptographic primitive (the pseudorandom function F) with essentially identical efficiency. PREVIOUS WORK. The general theory of unconditional authentication was developed by Simmons; see [26] for a survey. As we have already explained, the universal-hash-and-then-encrypt paradigm is due to Wegman and Carter [32]. The idea springs from their highly influential [10]. In Wegman-Carter authent... |

24 | Fast Hashing of Variable-Length Text Strings - Pearson - 1990 |

20 | On the relation between A-codes and codes correcting independent errors - Johansson, Kabatianskii, et al. - 1994 |

14 | An integrity check value algorithm for stream ciphers - Taylor - 1994 |

13 | Bucket hashing with a small key size
- Johansson
- 1997
Citation Context ...o be able to quickly multiply two 32-bit integers to form a 64-bit product. Johansson investigates how to reduce the size of the key for bucket hashing, which, in the current paper, is quite enormous [16]. ORGANIZATION. We continue in Section 2 by reviewing the definition and basic properties of universal hash families. Sections 3 and 4 give our main result. In the former we formally define our family o... |

12 | Codes for interactive authentication
- Gemmell, Naor
- 1994
Citation Context ... of universal hash functions. We exploit some of these ideas here. Subsequent improvements (rooted in coding theory) came from Bierbrauer, Johansson, Kabatianskii and Smeets [6], and Gemmell and Naor [12]. The above work concentrates on universal hash families and unconditionally-secure authentication. Brassard [9] first connects the Wegman-Carter approach to the complexity-theoretic case. The complex... |

9 | A fast cryptographic checksum algorithm based on stream ciphers - Lai, Rueppel, et al. - 1993 |

5 | Unconditionally secure authentication schemes and practical and theoretical consequences - Desmedt - 1985 |

5 | Efficiency considerations in using semi-random sources
- Vazirani, E
- 1987
Citation Context ...nique from the following section. We comment that there are many other well-known techniques for universal hashing, such as the linear congruential hash (modulo a prime) [10], the shift register hash [31], or the Toeplitz matrix hash [18]. 3 Bucket Hashing Let $X = X_1 \cdots X_n$ be a string, partitioned into n words. To hash X using bucket hashing we will scatter the words of X into N "buckets," then XOR th... |

4 | Universal Hashing and Authentication Codes
- Stinson
- 1994
Citation Context .... Carter and Wegman [10] also introduced the notion of an almost universal family, $\mathcal{H}$. This must satisfy the weaker condition that $\Pr_{h \in \mathcal{H}}[h(x) = h(x')]$ is small for all $x \neq x'$. As observed by Stinson [27], an almost universal family can easily be turned into an almost strongly universal family by composing the almost universal2 family with an almost strongly universal one. In computing h(hl(X)), where... |

1 | An alternative to perfect hashing
- Arnold, Coppersmith
- 1984
Citation Context ...d outputs in the efficient primitives of cryptographic practice. Zobrist [33] gives a hashing technique which predates [10] and essentially coincides with one method from [10]. Arnold and Coppersmith [2] give an interesting hashing technique which allows one to map a set of keys $k_i$ into a set of corresponding values $v_i$ using a table only slightly bigger than $\sum_i v_i$. The proof of our main technica... |