Abstract: In some embodiments, a key shared between communicating parties is mapped to a key variant using a block cipher. The key variant is mapped into a sequence of basis offsets using shifts and conditional xors. A nonce-dependent base offset is formed, and a sequence of offsets is constructed by starting with the base offset and then xoring, for each offset, an appropriate basis offset. Each message block is combined with a corresponding offset, enciphered, and then combined again with the offset, yielding a ciphertext block. The message fragment is xored with a computed pad to give a ciphertext fragment. A checksum is formed using the message blocks, the message fragment, and the pad, and is then combined with an offset and enciphered to yield a tag. The encrypted message includes the ciphertext blocks, the ciphertext fragment, and the tag.

Abstract: A shared-key encryption scheme that uses identically keyed block-cipher calls, low additional overhead, supports the encryption of arbitrary-length strings, produces a minimal-length-ciphertext, and is fully parallelizable. In one embodiment, “OCB”, a key shared between communicating parties is mapped to a key variant using the block cipher. The key variant is mapped into a sequence of basis offsets using shifts and conditional xors. To encrypt a message using a nonce, a nonce-dependent base offset is formed, and then a sequence of offsets is constructed by starting with the base offset and then xoring, for each offset, an appropriate basis offset. The message is partitioned into message blocks of the same length as the block length of the block cipher, along with a message fragment that may be shorter. Each message block is combined with a corresponding offset, enciphered, and then combined again with the offset, yielding a ciphertext block.

Abstract: A shared-key encryption scheme that uses identically keyed block-cipher calls, low additional overhead, supports the encryption of arbitrary-length strings, produces a minimal-length-ciphertext, and is fully parallelizable. In one embodiment, “OCB”, a key shared between communicating parties is mapped to a key variant using the block cipher. The key variant is mapped into a sequence of basis offsets using shifts and conditional xors. To encrypt a message using a nonce, a nonce-dependent base offset is formed, and then a sequence of offsets is constructed by starting with the base offset and then xoring, for each offset, an appropriate basis offset. The message is partitioned into message blocks of the same length as the block length of the block cipher, along with a message fragment that may be shorter. Each message block is combined with a corresponding offset, enciphered, and then combined again with the offset, yielding a ciphertext block.

Abstract: A shared-key encryption scheme that uses identically keyed block-cipher calls, low additional overhead, supports the encryption of arbitrary-length strings, produces a minimal-length-ciphertext, and is fully parallelizable. In one embodiment, “OCB”, a key shared between communicating parties is mapped to a key variant using the block cipher. The key variant is mapped into a sequence of basis offsets using shifts and conditional xors. To encrypt a message using a nonce, a nonce-dependent base offset is formed, and then a sequence of offsets is constructed by starting with the base offset and then xoring, for each offset, an appropriate basis offset. The message is partitioned into message blocks of the same length as the block length of the block cipher, along with a message fragment that may be shorter. Each message block is combined with a corresponding offset, enciphered, and then combined again with the offset, yielding a ciphertext block.

Abstract: A block-cipher based encryption scheme providing both privacy and authenticity that encrypts an arbitrary-length message into a minimal-length ciphertext. In one embodiment, “OCB”, a message is encrypted using a nonce by partitioning it into 128-bit message blocks and a possibly shorter message fragment. A sequence of offsets is computed from the nonce and block cipher using shifts and conditional xors. Each message block is xored with an offset, enciphered, and xored with the offset, yielding a ciphertext block. The length of the message fragment is encoded, xored with an offset, enciphered to give a pad, truncated, and xored with the message fragment to give a ciphertext fragment. A checksum is formed by xoring the message blocks, the padded ciphertext fragment, and the pad. It is xored with an offset and enciphered to yield a tag. The ciphertext is the ciphertext blocks, the ciphertext fragment, and the tag.

Abstract: A wide-blocksize block cipher that takes a possibly long string as plaintext and turns it into a ciphertext having the same length as the plaintext. Every bit of the ciphertext strongly depends on every bit of the plaintext. The wide-blocksize block cipher is made from a conventional block cipher, which is a block cipher that operates on strings of some small, fixed length. The wide-blocksize block cipher is obtained from the conventional block cipher by a three-step process. The first step is to encipher the plaintext using some mode of operation of the conventional block cipher. The second step is to mask the resulting intermediate value by way of a computationally cheap mixing step. The third step is to decipher the masked intermediate value using some mode of operation of the conventional block cipher. The specified steps may depend on a non-secret tweak, so that the wide-blocksize block cipher becomes tweakable.

Abstract: A shared-key encryption scheme that uses identically keyed block-cipher calls, low additional overhead, supports the encryption of arbitrary-length strings, produces a minimal-length-ciphertext, and is fully parallelizable. In one embodiment, “OCB”, a key shared between communicating parties is mapped to a key variant using the block cipher. The key variant is mapped into a sequence of basis offsets using shifts and conditional xors. To encrypt a message using a nonce, a nonce-dependent base offset is formed, and then a sequence of offsets is constructed by starting with the base offset and then xoring, for each offset, an appropriate basis offset. The message is partitioned into message blocks of the same length as the block length of the block cipher, along with a message fragment that may be shorter. Each message block is combined with a corresponding offset, enciphered, and then combined again with the offset, yielding a ciphertext block.

Abstract: A parallelizable variable-input-length pseudorandom function constructed out of a fixed-input-length pseudorandom function. The variable-input-length pseudorandom function can be used as a message authentication code. The fixed-input-length pseudorandom function from which it is built can be a block cipher. In one embodiment, using an n-bit block cipher, the given key is mapped into a sequence of offsets, and the given message is partitioned into n-bit message blocks and a final fragment that may be shorter. Each message block is xored with a corresponding offset and then the block cipher is applied. The resulting output blocks are xored together, and also xored with the padded final fragment, to yield a partial checksum. An additional offset may then be xored into the partial checksum, depending on the length of the final fragment, to yield a checksum. The block cipher is then applied to the checksum, the result being the output of the function constructed.

Abstract: A software-efficient pseudorandom function maps an index and an encryption key to a pseudorandom bit string useful for constructing a stream cipher. The method begins by preprocessing the encryption key into a table of pseudorandom values. The index and a set of values from the table is then used to generate a set of initial values for the registers. At least some of the register values are modified in part by taking a current value of a register and replacing the current value with a function of the current value and a value retrieved from the table, the latter value being determined by the values in one or more other registers. After modifying the register values in this fashion, the values are masked using other values from the table and the results then concatenated into the pseudorandom bit string. The modification step is repeated and a new masked function of the register values is then concatenated into the pseudorandom bit string.

Abstract: A method, using a secret key, to protect information in a storage disk of a computer, where the secret key is derived from a password entered into the computer by an authorized user. The method begins by applying a length-increasing pseudorandom function to the secret key and an index to generate a pseudorandom bit string having a length that is a function of the size of a sector of the storage disk. The sector is associated or otherwise identified by the index used by the pseudorandom function to generate the pseudorandom bit string. The pseudorandom bit string is then used to encrypt and decrypt data accesses to and from the sector.

Abstract: A software-efficient pseudorandom function maps an index and an encryption key to a pseudorandom bit string useful for constructing a stream cipher. The method begins by preprocessing the encryption key into a table of pseudorandom values. The index and a set of values from the table is then used to generate a set of initial values for the registers. At least some of the register values are modified in part by taking a current value of a register and replacing the current value with a function of the current value and a value retrieved from the table, the latter value being determined by the values in one or more other registers. After modifying the register values in this fashion, the values are masked using other values from the table and the results then concatenated into the pseudorandom bit string. The modification step is repeated and a new masked function of the register values is then concatenated into the pseudorandom bit string.

Abstract: A method for encrypting a plaintext string into ciphertext begins by cipher block chaining (CBC) the plaintext using a first key and a null initialization vector to generate a CBC message authentication code (MAC) whose length is equal to the block length. The plaintext string is then cipher block chained again, now using a second key and the CBC-MAC as the initialization vector, to generate an enciphered string. The CBC-MAC and a prefix of the enciphered string comprising all of the enciphered string except the last block are then combined to create the ciphertext. The described mode of operation is length-preserving, yet has the property that related plaintexts give rise to unrelated ciphertexts.

Abstract: Fast message authentication code generation is achieved by preprocessing a secret key into an efficiently-computable representation of a hash function selected from a family of hash functions that share a characteristic property. The secret key is also mapped into a particular cryptographic transform. The hash function and the transform are used to generate the authentication code. In particular, the hash function is applied to the message to generate a hashed message. The cryptographic transform is then applied to the hashed message to generate a tag. The tag and possibly other information (such as the state of a counter) are then combined to create the authentication code.

Abstract: A method is provided for authenticating communication partners utilizing communication flows which are passed over an insecure communication channel. The method includes a number of method steps. A trusted intermediary is provided which is capable of communication with the communication partners over the insecure communication channel. A plurality of long-lived secret keys are provided, one for each communication partner. The plurality of long-lived secret keys are distributed to a particular one of the communication partners, and to the trusted intermediary. Therefore, the long-lived secret key is known only by the particular communication partner to which it is assigned, and the trusted intermediary. A request for communication between communication partners is provided to the trusted intermediary. The trusted intermediary is utilized to generate a short-lived secret key for utilization in a communication session between the communication partners.

Abstract: A method is described for substantially concurrently performing entity authentication operations and short-lived secret key distribution operations over an insecure communication channel between communication partners, wherein authenticity of communication partners is determined by possession of the long-lived shared secret key. The method includes a number of steps. Data flows are exchanged between the communication partners to define a composite key. At least a portion of the data flows have been encrypted or otherwise masked in a manner which utilizes the long-lived shared secret key. At least one authentication tag is passed between communication partners over the communication channel. The at least one authentication tag is based at least partially upon the composite key. The authentication tag is utilized to determine the authenticity of at least one communication partner.

Abstract: A software-efficient pseudorandom function maps an index and an encryption key to a pseudorandom bit string useful for constructing a stream cipher. The method begins by preprocessing the encryption key into a table of pseudorandom values. The index and a set of values from the table is then used to generate a set of initial values for the registers. At least some of the register values are modified in part by taking a current value of a register and replacing the current value with a function of the current value and a value retrieved from the table, the latter value being determined by the values in one or more other registers. After modifying the register values in this fashion, the values are masked using other values from the table and the results then concatenated into the pseudorandom bit string. The modification step is repeated and a new masked function of the register values is then concatenated into the pseudorandom bit string.