Learn More
We describe a parallelizable block-cipher mode of operation that simultaneously provides privacy and authenticity. OCB encrypts-and-authenticates a nonempty string <i>M</i> &#949; {0,1}&#149; using \lceil |M|/n\rceil + 2 block-cipher invocations, where <i>n</i> is the block length of the underlying block cipher. Additional overhead is small. OCB refines a(More)
We describe a message authentication algorithm, UMAC, which can authenticate messages (in software, on contemporary machines) roughly an order of magnitude faster than current practice (e.g., HMAC-SHA1), and about twice as fast as times previously reported for the universal hash-function family MMH. To achieve such speeds, UMAC uses a new universal(More)
We study the software performance of authenticated-encryption modes CCM, GCM, and OCB. Across a variety of platforms, we find OCB to be substantially faster than either alternative. For example, on an Intel i5 (" Clarkdale ") processor, good implementations of CCM, GCM, and OCB encrypt at around 4.2 cpb, 3.7 cpb, and 1.5 cpb, while CTR mode requires about(More)
With a scheme for robust authenticated-encryption a user can select an arbitrary value λ ≥ 0 and then encrypt a plaintext of any length into a ciphertext that's λ characters longer. The scheme must provide all the privacy and authenticity possible for the requested λ. We formalize and investigate this idea, and construct a well-optimized solution, AEZ, from(More)
We argue that the invertibility of a block cipher can reduce the security of schemes that use it, and a better starting point for scheme design is the non-invertible analog of a block cipher, that is, a pseudorandom function (PRF). Since a block cipher may be viewed as a pseudorandom permutation, we are led to investigate the reverse of the problem studied(More)
We describe a universal hash-function family, PolyR, which hashes messages of effectively arbitrary lengths in 3.9–6.9 cycles/byte (cpb) on a Pentium II (achieving a collision probability in the range 2 −16 –2 −50). Unlike most proposals, PolyR actually hashes short messages faster (per byte) than long ones. At the same time, its key is only a few bytes,(More)
  • 1