Software-Optimized Universal Hashing and Message Authentication

Software-Optimized Universal Hashing and Message Authentication

by THEODORE D. KROVETZ
B.S. (Stanford University) 1988
M.Sc. (University of Oxford) 1990

DISSERTATION submitted in partial satisfaction of the requirements for the degree of DOCTOR OF PHILOSOPHY in Computer Science in the OFFICE OF GRADUATE STUDIES of the UNIVERSITY OF CALIFORNIA, DAVIS.

Approved: Phillip Rogaway, Chair; Daniel Gusfield; Daniel Boneh. Committee in Charge, September 2000.

To Emma, Hannah and Avery, the milk in my coconut.

Abstract

We describe a message authentication algorithm, UMAC, which can authenticate messages in software, on contemporary machines, at a rate faster than one Pentium cycle per byte of authenticated message. This is roughly an order of magnitude faster than current practice (e.g., HMAC-SHA1 or CBC-MAC-RC6). We explore three designs, all variations on the style of Wegman and Carter [39], which achieve such speeds. As a first step, all three designs utilize NH, a universal hash-function family which allows effective exploitation of SIMD parallelism. Unlike conventional, inherently serial authentication algorithms, UMAC will have ever-faster implementation speeds as machines offer up increasing amounts of parallelism. UMAC was designed and analyzed in a "provable-security" framework which has allowed its design to be minimal and therefore conducive to high speeds.

Along with the description of UMAC, we develop some new concepts. We introduce "verifier-selectable assurance" for message authentication, where the receiver of a message and authentication tag can verify the message up to a level of their own choosing, trading computation time for assurance level. Also introduced is the notion of "variationally-universal" hash-function families, a relaxation of strongly-universal which measures universal hash-function families in terms of variational distance from the uniform distribution. Also described is an almost-universal hash-function family based on polynomial evaluation that hashes arbitrary-length messages into short strings using short keys.

Contents

1 Introduction and Background  1
  1.1 Summary of Results  3
  1.2 MAC Model  7
  1.3 Some MAC Examples  9
  1.4 Wegman-Carter MACs  12
  1.5 Complexity-Theoretic Reductions  15
2 UMAC (1999)  16
  2.1 Introduction  17
    2.1.1 Universal-Hashing Approach  18
    2.1.2 Our Contributions  19
    2.1.3 Related Work  22
  2.2 Overview of UMAC  24
    2.2.1 An Illustrative Special Case  25
    2.2.2 UMAC Parameters  26
  2.3 UMAC Performance  29
  2.4 The NH Hash Family  34
    2.4.1 Preliminaries  34
    2.4.2 Definition of NH  35
    2.4.3 Analysis  36
    2.4.4 The Signed Construction: NHS  39
  2.5 Reducing the Collision Probability: Toeplitz Extensions  43
    2.5.1 The Toeplitz Approach  43
    2.5.2 The Unsigned Case  44
    2.5.3 The Signed Case  46
    2.5.4 Shorter Keys: T2  47
  2.6 Padding, Concatenation, and Length Annotation  48
  2.7 Final Extensions: Stride, Endianness, Key Shifts  51
  2.8 From Hash to MAC  52
    2.8.1 Security Definitions  52
    2.8.2 Definition of the PRF(HASH, Nonce) Construction  55
    2.8.3 Discussion  58
    2.8.4 Realizing the PRF  60
3 Improving UMAC  62
  3.1 A First Attempt  64
    3.1.1 Hashing to a Fixed Length  65
    3.1.2 t-Wise Universality  67
  3.2 Moving On  69
4 Fast Polynomial Hashing  70
  4.1 Introduction  70
    4.1.1 Related Work  72
    4.1.2 Notation  73
    4.1.3 Organization  74
  4.2 Carter-Wegman Polynomial Hashing: PolyCW  75
  4.3 Making PolyCW[F] Fast  75
  4.4 Expanding the Domain to Arbitrary Strings  79
  4.5 RPHash: Overcoming Polynomial Hash Length Limitations  84
    4.5.1 Security Notes  89
  4.6 Fully Parameterized: Poly, RPHash  89
5 Variationally Universal Hashing  92
  5.1 Introduction  92
  5.2 -VU Hash Functions  95
    5.2.1 Some Common Hash Functions  97
  5.3 -VU Constructions  98
6 UMAC (2000)  105
  6.1 Introduction  105
    6.1.1 UMAC Basic Description  108
    6.1.2 Related Work  110
  6.2 Performance  111
  6.3 UMAC Description  113
  6.4 Security  118
    6.4.1 UHash32 Differences  120
  6.5 Proofs  120
    6.5.1 Proof of Theorem 6.4.1  121
    6.5.2 Proof of Theorem 6.4.2  124
    6.5.3 Proof of Theorem 6.4.3  125
    6.5.4 Proof of Theorem 6.4.4  126
    6.5.5 Proof of Theorem 6.4.5  127
Bibliography  130
A UMAC (2000) Specification  133
B UMAC (2000) Implementation  174
  B.1 UMAC ANSI C Header  175
  B.2 UMAC ANSI C Source  177
  B.3 UMAC Acceleration File for Intel IA-32 Architectures  216
C UMAC (1999) Specification  243

Acknowledgements

I have lived a blessed life, and for that I owe many thanks to many people. Ever supportive and encouraging, my wife and children, parents and siblings, have been a constant source of love and affection. From an early age my parents have taught me the value of education and have provided me with a supportive environment in which to thrive. I now have the great fortune to offer those same lessons, with my marvelous wife Emma, to our own children, Hannah and Avery. I believe most thoroughly that I could not have accomplished my goals without such a wonderful family, and for their help I am thankful.

Having chosen to attend the University of California at Davis for mostly logistical reasons, I stumbled into a situation that could not have been better. As a new graduate student, I had the notion that I would research computer architecture. But luckily I was assigned to be Phillip Rogaway's teaching assistant during my first quarter at the University, and he quickly changed my mind. He opened my eyes to the beautiful world of computational theory and cryptography, and I was soon over my head in that world. In the ensuing months and years, I have learned a great deal from Phil, and not only academically. Phil's generosity of time and spirit has been inspirational. I thank him for always being available and for working so hard on helping me make sense of it all. I was also lucky to have been paired in my research with John Black, one of the most clever and pleasant people I have yet to meet.

Although I did not choose to come to U.C. Davis because of its academic environment, I might as well have. My teachers have been enthusiastic, knowledgeable and available. Davis has been a wonderful place to be.

None of my research was done alone, and I have had the great fortune to work with some of the best cryptographers around. I appreciate very much their patience and brilliance: Mihir Bellare, John Black, Shai Halevi, Hugo Krawczyk and, of course, Phillip Rogaway.

Finally, thanks are owed to Dan Boneh, Dan Gusfield and Phillip Rogaway for taking the time to review this tome and offer valuable feedback.

This research was partially supported by Phillip Rogaway's CAREER award CCR-962540, and by MICRO grants 97-150, 98-129, and 99-103 funded by RSA Data Security Inc., ORINCON Corporation, Certicom Corporation, and the State of California. Also supporting this research was the GAANN fellowship program underwritten by the U.S. Department of Education and participating universities, including U.C. Davis.

Chapter 1
Introduction and Background

One of the most common uses of cryptography is message authentication. When Alice receives a message purportedly from Bob, how can she know that the message received is actually from Bob and has not been tampered with during transport? Reliable systems exist for ensuring the authenticity of messages written and delivered on paper — these messages can be sealed with a signature in a tamper-resistant envelope. But what about electronic messages delivered by digital computer networks? Each day billions of messages, from IP packets at the network level to bulk file-transfers at the application level, are delivered by the Internet and other networks. The open nature of many of these networks, however, leaves them vulnerable to mischief. Clever adversaries have the ability to read any message being transported across the network and to delete, interject or alter any desired message. To combat these adversaries, cryptography can be used to ensure message privacy and authenticity. Ensuring that a message remains private is done with the use of encryption. An encrypted message intercepted by
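The abstract names the two ingredients of the dissertation's designs: the NH hash family (pairwise multiply-accumulate over w-bit words, which is what maps onto SIMD lanes) and the Wegman-Carter style of turning an almost-universal hash into a MAC by masking the hash with a PRF of a nonce. The following Python is an added illustration written for this page, not code from the dissertation or from any UMAC release. It implements NH as defined in the UMAC (1999) work for w = 32, a length-annotated variant so that zero-padded messages of different lengths do not collide, and the tag = PRF(nonce) XOR hash construction. The key-expansion routine (`expand_nh_key`, SHA-256 in counter mode) and the PRF (`prf`, HMAC-SHA256 truncated to 16 bytes) are stand-ins chosen for self-containment; the dissertation realizes both differently (see sections 2.8.2 and 2.8.4 in the contents). All key material and messages are constructed sample values.

```python
"""NH universal hashing inside a Wegman-Carter MAC (added example, stand-in KDF and PRF)."""
import hashlib
import hmac
import struct

W = 32                         # word size w in bits; NH multiplies w-bit words
WORD_MASK = (1 << W) - 1
ACC_MASK = (1 << (2 * W)) - 1  # the running sum is reduced mod 2^(2w)


def nh(key_words, msg_words):
    """NH_K(M) = sum over pairs of ((m_{2i-1} + k_{2i-1}) mod 2^w) * ((m_{2i} + k_{2i}) mod 2^w), mod 2^(2w).

    Each word pair is independent of the others, which is what lets a real
    implementation spread the products across SIMD lanes. Equal-length messages
    collide with probability at most 2^-w over a uniformly random key.
    """
    if len(msg_words) % 2 or len(msg_words) > len(key_words):
        raise ValueError("message must be an even number of words and no longer than the key")
    acc = 0
    for i in range(0, len(msg_words), 2):
        a = (msg_words[i] + key_words[i]) & WORD_MASK          # w-bit modular add
        b = (msg_words[i + 1] + key_words[i + 1]) & WORD_MASK
        acc = (acc + a * b) & ACC_MASK                          # 2w-bit modular accumulate
    return acc


def expand_nh_key(master_key, n_words):
    """Stand-in KDF (assumption, not the dissertation's): SHA-256 in counter mode -> w-bit key words."""
    out = b""
    ctr = 0
    while len(out) < 4 * n_words:
        out += hashlib.sha256(master_key + b"NH-key" + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return list(struct.unpack("<%dI" % n_words, out[:4 * n_words]))


def to_words(data):
    """Zero-pad to a multiple of two 32-bit words and split little-endian."""
    data += b"\x00" * ((-len(data)) % 8)
    return list(struct.unpack("<%dI" % (len(data) // 4), data))


def nh_hash(key_words, message):
    """Length-annotated NH: NH over the padded message, followed by the byte length.

    Zero-padding alone makes b"ab" and b"ab\\x00" hash to the same value; appending
    the length keeps the family almost-universal across unequal-length strings.
    """
    h = nh(key_words, to_words(message))
    return struct.pack("<QQ", h, len(message))          # 16 bytes: hash || length


def prf(prf_key, nonce):
    """Stand-in PRF (assumption): HMAC-SHA256 truncated to 16 bytes."""
    return hmac.new(prf_key, nonce, hashlib.sha256).digest()[:16]


def wc_tag(key_words, prf_key, nonce, message):
    """Wegman-Carter tag: PRF(nonce) XOR H(message).

    The nonce must never repeat under one key: two tags under the same nonce
    reveal H(m1) XOR H(m2), which is exactly what the mask exists to hide.
    """
    mask = prf(prf_key, nonce)
    h = nh_hash(key_words, message)
    return bytes(x ^ y for x, y in zip(mask, h))


def wc_verify(key_words, prf_key, nonce, message, tag):
    """Constant-time comparison so a verifier does not leak how many tag bytes matched."""
    return hmac.compare_digest(wc_tag(key_words, prf_key, nonce, message), tag)


if __name__ == "__main__":
    # constructed sample: a 1024-word NH key (4 KB) covers messages up to 4 KB
    K = expand_nh_key(b"constructed-master-key", 1024)
    PK = b"constructed-prf-key"
    msg = b"GET /index.html HTTP/1.1"
    t = wc_tag(K, PK, b"nonce-0001", msg)
    print(t.hex(), wc_verify(K, PK, b"nonce-0001", msg, t))
```

The key is as long as the longest message NH can hash in one call, which is why the dissertation's contents list Toeplitz extensions and "Shorter Keys" as separate topics: the toy above has no such extension and simply refuses messages longer than its key.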