Message Authentication on 64-Bit Architectures

Krovetz, Ted

doi:10.1007/978-3-540-74462-7_23

Cited by 34 publications

(40 citation statements)

References 13 publications

(24 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Given all of these concerns, maybe GCM really is faster than OCB-and, more generally, maybe composed schemes are the fastest way to go. The existence of extremely high-speed MACs supports this possibility [3,5,25].…”

mentioning

confidence: 80%

The Software Performance of Authenticated-Encryption Modes

Krovetz

Rogaway

2011

Lecture Notes in Computer Science

Self Cite

192

188

View full text Add to dashboard Cite

We study the software performance of authenticated-encryption modes CCM, GCM, and OCB. Across a variety of platforms, we find OCB to be substantially faster than either alternative. For example, on an Intel i5 ("Clarkdale") processor, good implementations of CCM, GCM, and OCB encrypt at around 4.2 cpb, 3.7 cpb, and 1.5 cpb, while CTR mode requires about 1.3 cpb. Still we find room for algorithmic improvements to OCB, showing how to trim one blockcipher call (most of the time, assuming a counter-based nonce) and reduce latency. Our findings contrast with those of McGrew and Viega (2004), who claimed similar performance for GCM and OCB.

show abstract

mentioning

confidence: 80%

The Software Performance of Authenticated-Encryption Modes

Krovetz

Rogaway

2011

Lecture Notes in Computer Science

Self Cite

192

188

View full text Add to dashboard Cite

show abstract

“…For the specific case of γ = 2, examples abound [8,23,24,40,50,76]. On a more general note, we remark that typically stand-alone key derivation functions are multi-purpose, with main application the key derivation from passwords and salts.…”

Section: On Multi-key-derivation Functionsmentioning

confidence: 96%

Connecting tweakable and multi-key blockcipher security

Lee

Luykx

Mennink

et al. 2017

Des. Codes Cryptogr.

View full text Add to dashboard Cite

The significance of understanding blockcipher security in the multi-key setting is highlighted by the extensive literature on attacks, and how effective key size can be significantly reduced. Nevertheless, little attention has been paid in formally understanding the design of multi-key secure blockciphers. In this work, we formalize the multi-key security of tweakable blockciphers in case of general key derivation functions. We show an equivalence between blockcipher multi-key security and tweakable blockcipher security. Our equivalence connects two objects of study, the iterated Even-Mansour (EUROCRYPT 2012) and the iterated Tweakable Even-Mansour (CRYPTO 2015), which establishes that results in both areas are, to a certain extent, transferable. Using our novel equivalence relation, we derive new bounds for both constructions, pave the path towards the solution of two wellstudied conjectures, and show that, contrary to common knowledge, key derivation functions need not necessarily be pseudorandom functions in order to provide security: for the iterated Even-Mansour universal hash functions suffice.

show abstract

“…Therefore, the construction in [25] is more efficient as only 2 calls are required to the underlying tweakable block-cipher, instead of 3 calls in our construction (this is assuming very fast universal hashing, e.g. [21]). However, we stress that the constructions in [25] are secure only in the symmetric-key setting; it is easy to see that none of the two constructions from [25] can achieve the indifferentiability property (the attack is similar to the attack against 2-round Feistel described in Section 3).…”

Section: Related Workmentioning

confidence: 99%

A Domain Extender for the Ideal Cipher

Coron

Dodis

Mandal

et al. 2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We describe the first domain extender for ideal ciphers, i.e. we show a construction that is indifferentiable from a 2n-bit ideal cipher, given a n-bit ideal cipher. Our construction is based on a 3-round Feistel, and is more efficient than first building a n-bit random oracle from a n-bit ideal cipher (as in [9]) and then a 2n-bit ideal cipher from a n-bit random oracle (as in [10], using a 6-round Feistel). We also show that 2 rounds are not enough for indifferentiability by exhibiting a simple attack. We also consider our construction in the standard model: we show that 2 rounds are enough to get a 2n-bit tweakable block-cipher from a n-bit tweakable block-cipher and we show that with 3 rounds we can get beyond the birthday security bound.

show abstract

Message Authentication on 64-Bit Architectures

Cited by 34 publications

References 13 publications

The Software Performance of Authenticated-Encryption Modes

The Software Performance of Authenticated-Encryption Modes

Connecting tweakable and multi-key blockcipher security

A Domain Extender for the Ideal Cipher

Contact Info

Product

Resources

About