Results 11-20 of 80
Hash functions and RFID tags: Mind the gap
Lecture Notes in Computer Science, 2008
Cited by 11 (1 self)
Abstract. The security challenges posed by RFID-tag deployments are well-known. In response there is a rich literature on new cryptographic protocols, and an on-tag hash function is often assumed by protocol designers. Yet cheap tags pose severe implementation challenges and it is far from clear that a suitable hash function even exists. In this paper we consider the options available, including constructions based around compact block ciphers. While we describe the most compact hash functions available today, our work serves to highlight the difficulties in designing lightweight hash functions and (echoing [17]) we urge caution when routinely appealing to a hash function in an RFID-tag protocol.
Another Look at Tightness
Proceedings of Selected Areas in Cryptography (SAC'11), LNCS 7118, 2012
Cited by 11 (3 self)
Abstract. We examine a natural, but non-tight, reductionist security proof for deterministic message authentication code (MAC) schemes in the multi-user setting. If security parameters for the MAC scheme are selected without accounting for the non-tightness in the reduction, then the MAC scheme is shown to provide a level of security that is less than desirable in the multi-user setting. We find similar deficiencies in the security assurances provided by non-tight proofs when we analyze some protocols in the literature, including ones for network authentication and aggregate MACs. Our observations call into question the practical value of non-tight reductionist security proofs. We also exhibit attacks on authenticated encryption schemes, disk encryption schemes, and stream ciphers in the multi-user setting.
Beyond-Birthday-Bound Security Based on Tweakable Block Cipher
In FSE
Cited by 11 (0 self)
Abstract. This paper studies how to build a 2n-bit block cipher which is hard to distinguish from a truly random permutation against attacks with q ~ 2^{n/2} queries, i.e., birthday attacks. Unlike previous approaches using pseudorandom functions, we present a simple and efficient proposal using a tweakable block cipher as an internal module. Our proposal is provably secure against birthday attacks, if the underlying tweakable block cipher is also secure against birthday attacks. We also study how to build such tweakable block ciphers from ordinary block ciphers, which may
Tweakable Blockciphers with Beyond Birthday-Bound Security
Cited by 10 (1 self)
Abstract. Liskov, Rivest and Wagner formalized the tweakable blockcipher (TBC) primitive at CRYPTO'02. The typical recipe for instantiating a TBC is to start with a blockcipher, and then build up a construction that admits a tweak. Almost all such constructions enjoy provable security only to the birthday bound, and the one that does achieve security beyond the birthday bound (due to Minematsu) severely restricts the tweak size and requires per-invocation blockcipher rekeying. This paper gives the first TBC construction that simultaneously allows for arbitrarily “wide” tweaks, does not rekey, and delivers provable security beyond the birthday bound. Our construction is built from a blockcipher and an ε-AXU_2 hash function. As an application of the TBC primitive, LRW suggest the TBC-MAC construction (similar to CBC-MAC but chaining through the tweak), but leave open the question of its security. We close this question, both for TBC-MAC as a PRF and as a MAC. Along the way, we find a nonce-based variant of TBC-MAC that has a tight reduction to the security of the underlying TBC, and also displays graceful security degradation when nonces are misused. This result is interesting on its own, but it also serves as an application of our new TBC construction, ultimately giving a variable input-length PRF with beyond birthday-bound security.
Pseudo-Random Functions and Parallelizable Modes of Operations of a Block Cipher
Cited by 9 (4 self)
Abstract. This paper considers the construction and analysis of pseudorandom functions (PRFs) with specific reference to modes of operations of a block cipher. In the context of message authentication codes (MACs), earlier independent work by Bernstein and Vaudenay shows how to reduce the analysis of relevant PRFs to some probability calculations. In the first part of the paper, we revisit this result and use it to prove a general result on constructions which use a PRF with a “small” domain to build a PRF with a “large” domain. This result is used to analyse two new parallelizable PRFs which are suitable for use as MAC schemes. The first scheme, called iPMAC, is based on a block cipher and improves upon the well-known PMAC algorithm. The improvements consist in faster masking operations and the removal of a design-stage discrete logarithm computation. The second scheme, called VPMAC, uses a keyed compression function rather than a block cipher. The only previously known compression-function-based parallelizable PRF is called the protected counter sum (PCS) and is due to Bernstein. VPMAC improves upon PCS by requiring a smaller number of calls to the compression function. The second part of the paper takes a new look at the construction and analysis of modes of operations for authenticated encryption (AE) and for authenticated encryption with associated data (AEAD). Usually, the most complicated part in the security analysis of such modes is the analysis of authentication
Tweaks and Keys for Block Ciphers: the TWEAKEY Framework
Cited by 8 (1 self)
Abstract. We propose the TWEAKEY framework with the goal of unifying the design of tweakable block ciphers and of block ciphers resistant to related-key attacks. Our framework is simple, extends the key-alternating construction, and allows one to build a primitive with arbitrary tweak and key sizes, given the public round permutation (for instance, the AES round). Increasing the sizes renders the security analysis very difficult and thus we identify a subclass of TWEAKEY, that we name STK, which solves the size issue by the use of finite field multiplications on low Hamming weight constants. We give very efficient instances of STK, in particular, a 128-bit tweak/key/state block cipher Deoxys-BC that is the first AES-based ad-hoc tweakable block cipher. At the same time, Deoxys-BC could be seen as a secure alternative to AES-256, which is known to be insecure in the related-key model. As another member of the TWEAKEY framework, we describe Kiasu-BC, which is a very simple and even more efficient tweakable variation of AES-128 when the tweak size is limited to 64 bits. In addition to being efficient, our proposals, compared to the previous schemes that use AES as a black box, offer security beyond the birthday bound. Deoxys-BC and Kiasu-BC represent interesting pluggable primitives for authenticated encryption schemes; for instance, ΘCB3 instantiated with Kiasu-BC runs at about 0.75 c/B on Intel Haswell. Our work can also be seen as advances on the topic of secure key schedule design for AES-like ciphers, describing several proposals in this direction.
On Tweaking Luby-Rackoff Blockciphers
In Advances in Cryptology – ASIACRYPT, 2007
Cited by 6 (0 self)
Abstract. Tweakable blockciphers, first formalized by Liskov, Rivest, and Wagner [13], are blockciphers with an additional input, the tweak, which allows for variability. An open problem proposed by Liskov et al. is how to construct tweakable blockciphers without using a pre-existing blockcipher. This problem has yet to receive any significant study. There are many natural questions in this area: is it significantly more efficient to incorporate a tweak directly? How do direct constructions compare to existing techniques? Are these direct constructions optimal, and for what levels of security? How large a tweak can be securely added? In this work, we address these questions for Luby-Rackoff blockciphers. We show that tweakable blockciphers can be created directly from Feistel ciphers, and in some cases show that direct constructions of tweakable blockciphers are more efficient than previously known constructions.
AEGIS: A Fast Authenticated Encryption Algorithm (Full Version)
Cited by 5 (0 self)
Abstract. This paper introduces a dedicated authenticated encryption algorithm, AEGIS; AEGIS allows for the protection of associated data, which makes it very suitable for protecting network packets. AEGIS-128L uses eight AES round functions to process a 32-byte message block (one step). AEGIS-128 uses five AES round functions to process a 16-byte message block (one step); AEGIS-256 uses six AES round functions. The security analysis shows that these algorithms offer a high level of security. On the Intel Sandy Bridge Core i5 processor, the speed of AEGIS-128L, AEGIS-128 and AEGIS-256 is around 0.48, 0.66 and 0.7 clock cycles/byte (cpb) for 4096-byte messages, respectively. This is substantially faster than the AES CCM, GCM and OCB modes.
The Game-Playing Technique
2004
Cited by 5 (0 self)
In the game-playing technique, one writes a pseudocode game such that an adversary's advantage in attacking some cryptographic construction is bounded above by the probability that the game sets a flag bad. This probability is then upper bounded by making stepwise, syntactical refinements to the pseudocode: a chain of games. The approach was first used by Kilian and Rogaway (1996) and has been used repeatedly since, but it has never received a systematic treatment. In this paper we provide one. We develop the foundations...
A Simple and Generic Construction of Authenticated Encryption With Associated Data
Cited by 5 (3 self)
Abstract. We revisit the problem of constructing a protocol for performing authenticated encryption with associated data (AEAD). A technique is described which combines a collision-resistant hash function with a protocol for authenticated encryption (AE). The technique is both simple and generic and does not require any additional key material beyond that of the AE protocol. Concrete instantiations are shown where a 256-bit hash function is combined with some known single-pass AE protocols employing either 128-bit or 256-bit block ciphers. This results in a possible efficiency improvement in the processing of the header.