Results 1  10
of
20
NEON crypto
"... Abstract. NEON is a vector instruction set included in a large fraction of new ARMbased tablets and smartphones. This paper shows that NEON supports highsecurity cryptography at surprisingly high speeds; normally data arrives at lower speeds, giving the CPU time to handle tasks other than cryptogr ..."
Abstract

Cited by 21 (8 self)
 Add to MetaCart
(Show Context)
Abstract. NEON is a vector instruction set included in a large fraction of new ARMbased tablets and smartphones. This paper shows that NEON supports highsecurity cryptography at surprisingly high speeds; normally data arrives at lower speeds, giving the CPU time to handle tasks other than cryptography. In particular, this paper explains how to use a single 800MHz Cortex A8 core to compute the existing NaCl suite of highsecurity cryptographic primitives at the following speeds: 5.60 cycles per byte (1.14 Gbps) to encrypt using a shared secret key, 2.30 cycles per byte (2.78 Gbps) to authenticate using a shared secret key, 527102 cycles (1517/second) to compute a shared secret key for a new public key, 650102 cycles (1230/second) to verify a signature, and 368212 cycles (2172/second) to sign a message. These speeds make no use of secret branches and no use of secret memory addresses.
Cycling Attacks on GCM, GHASH and Other Polynomial MACs and Hashes
"... Abstract. The Galois/Counter Mode (GCM) of operation has been standardized by NIST to provide singlepass authenticated encryption. The GHASH authentication component of GCM belongs to a class of WegmanCarter polynomial hashes that operate in the field GF(2 128). We present message forgery attacks t ..."
Abstract

Cited by 7 (4 self)
 Add to MetaCart
(Show Context)
Abstract. The Galois/Counter Mode (GCM) of operation has been standardized by NIST to provide singlepass authenticated encryption. The GHASH authentication component of GCM belongs to a class of WegmanCarter polynomial hashes that operate in the field GF(2 128). We present message forgery attacks that are made possible by its extremely smoothorder multiplicative group which splits into 512 subgroups. GCM uses the same block cipher key K to both encrypt data and to derive the generator H of the authentication polynomial for GHASH. In present literature, only the trivial weak key H = 0 has been considered. We show that GHASH has much wider classes of weak keys in its 512 multiplicative subgroups, analyze some of their properties, and give experimental results on AESGCM weak key search. Our attacks can be used not only to bypass message authentication with garbage but also to target specific plaintext bits if a polynomial MAC is used in conjunction with a stream cipher. These attacks can also be applied with varying efficiency to other polynomial hashes and MACs, depending on their field properties. Our findings show that especially the use of short polynomialevaluation MACs should be avoided if the underlying field has a smooth multiplicative order.
Cryptography in NaCl
"... “NaCl ” (pronounced “salt”) is the CACE Networking and Cryptography library, a new easytouse highspeed highsecurity publicdomain software library for network communication, encryption, decryption, signatures, etc. Of course, other libraries already exist for these core operations; NaCl advances ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
(Show Context)
“NaCl ” (pronounced “salt”) is the CACE Networking and Cryptography library, a new easytouse highspeed highsecurity publicdomain software library for network communication, encryption, decryption, signatures, etc. Of course, other libraries already exist for these core operations; NaCl advances the state of the
EMACs: Towards More Secure and More Efficient Constructions of Secure Channels
, 2010
"... In cryptography, secure channels enable the confidential and authenticated message exchange between authorized users. A generic approach of constructing such channels is by combining an encryption primitive with an authentication primitive (MAC). In this work, we introduce the design of a new crypt ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
In cryptography, secure channels enable the confidential and authenticated message exchange between authorized users. A generic approach of constructing such channels is by combining an encryption primitive with an authentication primitive (MAC). In this work, we introduce the design of a new cryptographic primitive to be used in the construction of secure channels. Instead of using general purpose MACs, we propose the deployment of special purpose MACs, named EMACs. The main motive behind this work is the observation that, since the message must be both encrypted and authenticated, there might be some redundancy in the computations performed by the two primitives. Therefore, removing such redundancy can improve the efficiency of the overall composition. Moreover, computations performed by the encryption algorithm can be further utilized to improve the security of the authentication algorithm. In particular, we will show how EMACs can be designed to reduce the amount of computation required by standard MACs based on universal hash functions, and show how EMACs can be secured against keyrecovery attacks.
Revisiting MAC Forgeries, Weak Keys and Provable Security of Galois/Counter Mode of Operation
 B Proof of Lemma 3 Let x and c be integers such that 0 ≤ x ≤ 31 and 0 ≤ c ≤ 2x − 1. Throughout the proof of Lemma 3, we abuse the notation and regard an integer 0 ≤ a ≤ 232 − 1 and its 32bit binary representation, str32(a), identically. For a 32bit stri
, 2013
"... Abstract. Galois/Counter Mode (GCM) is a block cipher mode of operation widely adopted in many practical applications and standards, such as IEEE 802.1AE and IPsec. We demonstrate that to construct successful forgeries of GCMlike polynomialbased MAC schemes, hash collisions are not necessarily re ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
Abstract. Galois/Counter Mode (GCM) is a block cipher mode of operation widely adopted in many practical applications and standards, such as IEEE 802.1AE and IPsec. We demonstrate that to construct successful forgeries of GCMlike polynomialbased MAC schemes, hash collisions are not necessarily required and any polynomials could be used in the attacks, which removes the restrictions of attacks previously proposed by Procter and Cid. Based on these new discoveries on forgery attacks, we show that all subsets with no less than two authentication keys are weak key classes, if the final block cipher masking is computed additively. In addition, by utilizing a special structure of GCM, we turn these forgery attacks into birthday attacks, which will significantly increase their success probabilities. Furthermore, we provide a method to fix GCM in order to avoid the security proof flaw discovered by Iwata, Ohashi and Minematsu. By applying the method, the security bounds of GCM can be improved by a factor of around 2 20 . Lastly, we show that these forgery attacks will still succeed if GCM adopts MACthenEnc paradigm to protect its MAC scheme as one of the options mentioned in previous papers.
Keysizes (20112012) Editor
, 2008
"... provided as is, and no warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability. ECRYPT II Partners ..."
Abstract
 Add to MetaCart
(Show Context)
provided as is, and no warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability. ECRYPT II Partners
ECRYPT Yearly Report on Algorithms and Keysizes (20072008) Editor Mats Näslund (ERICS)
, 2008
"... provided as is, and no warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability. ii ECRYPT — European NoE in Cryptology 5.3.3 Cost Estimates............................... 17 ..."
Abstract
 Add to MetaCart
(Show Context)
provided as is, and no warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability. ii ECRYPT — European NoE in Cryptology 5.3.3 Cost Estimates............................... 17
Keysizes (20092010) Editor
, 2008
"... provided as is, and no warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability. ECRYPT II Partners ..."
Abstract
 Add to MetaCart
(Show Context)
provided as is, and no warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability. ECRYPT II Partners
Editor
"... PU Public X PP Restricted to other programme participants (including the Commission services) RE Restricted to a group specified by the consortium (including the Commission services) CO Confidential, only for members of the consortium (including the Commission services) ECRYPT2 Yearly Report on Algo ..."
Abstract
 Add to MetaCart
(Show Context)
PU Public X PP Restricted to other programme participants (including the Commission services) RE Restricted to a group specified by the consortium (including the Commission services) CO Confidential, only for members of the consortium (including the Commission services) ECRYPT2 Yearly Report on Algorithms and Keysizes (20082009)
Keysizes (20102011) Editor
, 2008
"... provided as is, and no warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability. ECRYPT II Partners ..."
Abstract
 Add to MetaCart
(Show Context)
provided as is, and no warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability. ECRYPT II Partners