Book ChapterDOI

Software performance of universal hash functions

02 May 1999-Vol. 1592, pp 24-41
TL;DR: This paper compares the parameter sizes and software performance of several recent constructions for universal hash functions: bucket hashing, polynomial hashing, Toeplitz hashing, division hashing, evaluation hashing, and MMH hashing, using constructions that offer a comparable security level.
Abstract: This paper compares the parameter sizes and software performance of several recent constructions for universal hash functions: bucket hashing, polynomial hashing, Toeplitz hashing, division hashing, evaluation hashing, and MMH hashing. An objective comparison between these widely varying approaches is achieved by defining constructions that offer a comparable security level. It is also demonstrated how the security of these constructions compares favorably to existing MAC algorithms, the security of which is less understood.


Citations
Book ChapterDOI
10 Sep 2007
TL;DR: New protocols for the IP protection problem on FPGAs are proposed, and the first construction of a PUF intrinsic to current FPGAs, based on the SRAM memory randomness present on current FPGAs, is provided.
Abstract: In recent years, IP protection of FPGA hardware designs has become a requirement for many IP vendors. In [34], Simpson and Schaumont proposed a fundamentally different approach to IP protection on FPGAs based on the use of Physical Unclonable Functions (PUFs). Their work only assumes the existence of a PUF on the FPGAs without actually proposing a PUF construction. In this paper, we propose new protocols for the IP protection problem on FPGAs and provide the first construction of a PUF intrinsic to current FPGAs based on SRAM memory randomness present on current FPGAs. We analyze SRAM-based PUF statistical properties and investigate the trade offs that can be made when implementing a fuzzy extractor.

1,235 citations


Cites background from "Software performance of universal h..."

  • ...research on universal hash functions (see for example [33, 27])....

    [...]

Proceedings ArticleDOI
09 Nov 2009
TL;DR: The High-Availability and Integrity Layer (HAIL) as discussed by the authors is a distributed cryptographic system that allows a set of servers to prove to a client that a stored file is intact and retrievable.
Abstract: We introduce HAIL (High-Availability and Integrity Layer), a distributed cryptographic system that allows a set of servers to prove to a client that a stored file is intact and retrievable. HAIL strengthens, formally unifies, and streamlines distinct approaches from the cryptographic and distributed-systems communities. Proofs in HAIL are efficiently computable by servers and highly compact---typically tens or hundreds of bytes, irrespective of file size. HAIL cryptographically verifies and reactively reallocates file shares. It is robust against an active, mobile adversary, i.e., one that may progressively corrupt the full set of servers. We propose a strong, formal adversarial model for HAIL, and rigorous analysis and parameter choices. We show how HAIL improves on the security and efficiency of existing tools, like Proofs of Retrievability (PORs) deployed on individual servers. We also report on a prototype implementation.

759 citations

Book ChapterDOI
15 Aug 1999
TL;DR: A message authentication algorithm, UMAC, which can authenticate messages roughly an order of magnitude faster than current practice (e.g., HMAC-SHA1), and about twice as fast as times previously reported for the universal hash-function family MMH.
Abstract: We describe a message authentication algorithm, UMAC, which can authenticate messages (in software, on contemporary machines) roughly an order of magnitude faster than current practice (e.g., HMAC-SHA1), and about twice as fast as times previously reported for the universal hash-function family MMH. To achieve such speeds, UMAC uses a new universal hash-function family, NH, and a design which allows effective exploitation of SIMD parallelism. The "cryptographic" work of UMAC is done using standard primitives of the user's choice, such as a block cipher or cryptographic hash function; no new heuristic primitives are developed here. Instead, the security of UMAC is rigorously proven, in the sense of giving exact and quantitatively strong results which demonstrate an inability to forge UMAC-authenticated messages assuming an inability to break the underlying cryptographic primitive. Unlike conventional, inherently serial MACs, UMAC is parallelizable, and will have ever-faster implementation speeds as machines offer up increasing amounts of parallelism. We envision UMAC as a practical algorithm for next-generation message authentication.

419 citations


Cites background from "Software performance of universal h..."

  • ...UMAC employs a subkey generation process in which the shared (convenientlength) key is mapped into UMAC’s internal keys....

    [...]

  • ...The performance curves for the Alpha and PowerPC look similar to the Pentium II— they perform better than the reference MACs at around the same message length, and level out at around the same message length....

    [...]

  • ...Unlike conventional, inherently serial MACs, UMAC is parallelizable, and will have ever-faster implementations as machines offer up increasing amounts of parallelism....

    [...]

  • ...Numbers n and w are two of UMAC’s parameters....

    [...]

  • ...While any reasonable setting of these parameters should out-perform conventional MACs, the fastest version of UMAC for one platform differs from the fastest version for another platform....

    [...]

Book ChapterDOI
21 Feb 2005
TL;DR: The security of Poly1305-AES is very close to the security of AES; the security gap is at most 14D⌈L/16⌉/2^106 if messages have at most L bytes, the attacker sees at most 2^64 authenticated messages, and the attacker attempts D forgeries.
Abstract: Poly1305-AES is a state-of-the-art message-authentication code suitable for a wide variety of applications. Poly1305-AES computes a 16-byte authenticator of a variable-length message, using a 16-byte AES key, a 16-byte additional key, and a 16-byte nonce. The security of Poly1305-AES is very close to the security of AES; the security gap is at most 14D⌈L/16⌉/2^106 if messages have at most L bytes, the attacker sees at most 2^64 authenticated messages, and the attacker attempts D forgeries. Poly1305-AES can be computed at extremely high speed: for example, fewer than 3.1l+780 Athlon cycles for an l-byte message. This speed is achieved without precomputation; consequently, 1000 keys can be handled simultaneously without cache misses. Special-purpose hardware can compute Poly1305-AES at even higher speed. Poly1305-AES is parallelizable, incremental, and not subject to any intellectual-property claims.

371 citations


Cites methods from "Software performance of universal h..."

  • ...Several subsequent papers reported implementations of polynomial-evaluation MACs over binary fields: [26] by Shoup; [3] by Afanassiev, Gehrmann, and Smeets, reinventing Kaminski’s division algorithm in [16]; [20] by Nevelsteen and Preneel....

    [...]

Journal Article
TL;DR: In this paper, the authors describe a message authentication algorithm, UMAC, which can authenticate messages (in software, on contemporary machines) roughly an order of magnitude faster than current practice (e.g., HMAC-SHA1), and about twice as fast as times previously reported for the universal hash function family MMH.
Abstract: We describe a message authentication algorithm, UMAC, which can authenticate messages (in software, on contemporary machines) roughly an order of magnitude faster than current practice (e.g., HMAC-SHA1), and about twice as fast as times previously reported for the universal hash-function family MMH. To achieve such speeds, UMAC uses a new universal hash-function family, NH, and a design which allows effective exploitation of SIMD parallelism. The cryptographic work of UMAC is done using standard primitives of the user's choice, such as a block cipher or cryptographic hash function; no new heuristic primitives are developed here. Instead, the security of UMAC is rigorously proven, in the sense of giving exact and quantitatively strong results which demonstrate an inability to forge UMAC-authenticated messages assuming an inability to break the underlying cryptographic primitive. Unlike conventional, inherently serial MACs, UMAC is parallelizable, and will have ever-faster implementation speeds as machines offer up increasing amounts of parallelism. We envision UMAC as a practical algorithm for next-generation message authentication.

359 citations

References
Journal ArticleDOI
TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

14,980 citations


"Software performance of universal h..." refers methods in this paper

  • ...Digital signatures, introduced in 1976 by Diffie and Hellman [13], are the main tool for protecting the integrity of information....

    [...]

Journal ArticleDOI
TL;DR: A theory of secrecy systems is developed on a theoretical level and is intended to complement the treatment found in standard works on cryptography.
Abstract: THE problems of cryptography and secrecy systems furnish an interesting application of communication theory.1 In this paper a theory of secrecy systems is developed. The approach is on a theoretical level and is intended to complement the treatment found in standard works on cryptography.2 There, a detailed study is made of the many standard types of codes and ciphers, and of the ways of breaking them. We will be more concerned with the general mathematical structure and properties of secrecy systems.

8,777 citations


"Software performance of universal h..." refers background in this paper

  • ...Subsequently their theory has been developed further by Simmons, analogous to Shannon’s theory of secrecy systems [34]....

    [...]

Proceedings Article
01 Apr 1992
TL;DR: This document describes the MD5 message-digest algorithm, which takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input.
Abstract: This document describes the MD5 message-digest algorithm. The algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. This memo provides information for the Internet community. It does not specify an Internet standard.

3,514 citations


"Software performance of universal h..." refers background in this paper

  • ...For MD5 [32], SHA-1 [17], RIPEMD-160, and RIPEMD-128 [15] the speeds are respectively 228 Mbit/s, 122 Mbit/s, 101 Mbit/s, and 173 Mbit/s (note however that the security of MD5 as a hash function is questionable; this has no immediate impact on its use in HMAC and MDx-MAC, but it is prudent to plan for its replacement)....

    [...]

01 Jan 1992

3,158 citations

Journal ArticleDOI
J. Lawrence Carter, Mark N. Wegman
TL;DR: An input independent average linear time algorithm for storage and retrieval on keys that makes a random choice of hash function from a suitable class of hash functions.

2,886 citations


"Software performance of universal h..." refers background or methods in this paper

  • ...Stinson improves the work by Wegman and Carter, and establishes an explicit link between authentication codes and strongly universal hash functions [39]....

    [...]

  • ...This research developed from exploring connections to the rich theory of error-correcting codes, and connects to the work of Wegman and Carter [12,40]....

    [...]

  • ...Carter and Wegman make the following key observations: i) long messages can be authenticated efficiently using short keys if the number of bits in the authentication tag is increased slightly compared to ‘perfect’ schemes; ii) if a message is hashed to a short authentication tag, weaker properties are sufficient for the first stage of the compression; iii) under certain conditions, the hash function can remain the same for many plaintexts, provided that the hash result is encrypted using a one-time pad....

    [...]

  • ...This is the more surprising because Carter and Wegman developed already in the late seventies efficient authentication codes under the name of strongly universal hash functions [12,40]....

    [...]

  • ...Several of these results were applied by Wegman and Carter [40]....

    [...]