Abstract
At ProvSec 2013, Minematsu presented the circulant hash, an almost-xor universal hash using only the xor and rotation operations. The circulant hash is a variant of Carter and Wegman’s H3 hash as well as Krawczyk’s Toeplitz hash, both of which are hashes based on matrix-vector multiplication over 𝔽2. In this paper we revisit the circulant hash and reinterpret it as a multiplication in the polynomial ring 𝔽2[x]/(xn + 1). This leads to simpler proofs, faster implementations in modern computer chips, and newer variants with practical implementation advantages.
1 Introduction
Universal hashing was formally introduced by Carter and Wegman [1, 2, 3] and has numerous applications in data structures, authentication, and many other areas. In cryptography, universal hashes are often found in Wegman-Carter-Shoup [3, 4] authenticators and their variants. Lucks [5] and later Naor-Reingold [6] showed that the first and last rounds of the 4-round Luby-Rackoff construction can be universal. Universal hash functions are also very useful in randomness extraction, via the leftover-hash lemma [7].
The usage of universal hashing for authentication does, in fact, predate Carter and Wegman, and is often attributed to Gilbert, MacWilliams, and Sloane’s multilinear hash [8], as well as Zobrist [9]. Many practical universal hash functions have been since proposed, including integer multiply and shift [10], polynomial evaluation [11, 12, 13], polynomial or integer remainder [14, 15], or Toeplitz matrices [16]. Achieving the best possible speeds continues to be a popular research problem, with new proposals being regularly published.
One such almost-xor universal hash function, the circulant hash, was recently proposed by Mine-matsu [17]. It is described in Definition 1.1.
Definition 1.1
Let n be a positive integer. The circulant hash (CLH) is the keyed function {0, 1}n×{0, 1}n−1 ↦ {0, 1}n defined as
In other words, the hash consists of the xor of the key k rotated by the amounts defined by the positions of the nonzero bits of the input a. Alternatively, CLH is a matrix-vector multiplication in which the matrix is a circulant matrix (hence the name). Minematsu proved this function is 2/2n-almost xor universal.
Theorem 1.2
([17, Lemma 1]). Let k be a key uniformly sampled from {0, 1}n. We have
for n prime and 2 a primitive root modulo n.
Minematsu’s proof of Theorem 1.2 is fairly involved, and relies on nontrivial results in linear algebra, e.g., [18].
CLH is quite similar to the “shift register hash” first described by Vazirani in the context of entropy extraction [19]. Indeed, Vazirani’s proof sketch [19, Lemma 2] is similar to the one presented below in Section 3.
1.1 Contribution
Our contribution is threefold. First, we reinterpret the circulant hash in terms of polynomial arithmetic modulo xn + 1, which results in a much simpler proof (Section 3), and immediate implementation possibilities. Secondly, we present several variants of CLH that have speed or flexibility advantages (Sections 4 and 5). Lastly, we (re-)obtain the differential probability of data-dependent rotation and the stretch-then-shift hash using largely the same techniques (Section 6).
2 Notation and Definitions
Unless otherwise specified, a polynomial p(x) of degree d is written as xd + · · · + 1 and has coefficients in 𝔽2. wi denotes the ith bit of an n-bit word w.
We define a family of hash functions as a finite multiset H of 2k functions, for some k, with each h ∈H having domain {0, 1}n and range {0, 1}m for some constant n and m.
The original definition of universal hashing is due to Carter and Wegman [1], and is presented below.
Definition 2.1
A hash function family H : {0, 1}n ↦ {0, 1}m of size 2k is ϵ-almost universal if for every distinct a, b ∈ {0, 1}n there are at most ϵ · 2k functions h ∈ H such that h(a) = h(b). In other words,
If ϵ = 2−n, H is simply called universal.
A stronger notion is presented next. It was stated independently by Krawczyk [16], Rogaway [20], and Lucks [5] for xor differences, and generalized to arbitrary additive groups by Stinson [21].
Definition 2.2
A hash function family H : {0, 1}n ↦ {0, 1}m of size 2k is ϵ-almost xor universal if for every distinct a, b ∈ {0, 1}n there are at most ϵ2k functions h ∈H such that h(a) ⊕ h(b) = c, for any c ∈ {0, 1}m. In other words,
If ϵ = 2−n, H is simply called xor universal.
A xor universal hash function is necessarily universal; this is the special case c = 0.
3 Simpler Proof of Theorem 1.2
Our proof approach follows the lead of Rivest [22] and observes the natural embedding of bit rotation by i as multiplication by xi in the ring 𝔽2[x]/(xn + 1). That is, a word w of n bits is interpreted as the polynomial
Additionally, word rotation by i bits can be interpreted as multiplication by xi modulo xn + 1 [1], and addition can be accomplished by element-wise addition modulo 2, i.e., xor. Coupled with the identities 0 and 1, this yields the ring 𝔽2[x]/(xn + 1). This interpretation of circulant matrices is often found in error correcting code literature [23], cellular automata [24, 25], as well as cipher design [26].
In light of this understanding, we can restate Definition 1.1 as follows.
Definition 3.1
Let n be a positive integer. The circulant hash (CLH) is the keyed function {0, 1}n×{0, 1}n−1 ↦ {0, 1}n defined as
Not only does this definition have more explanatory power than Minematsu’s, it also makes it clear that it does not matter whether we are rotating the key depending on the data, or vice-versa. This allows variable-time implementations without the risk of timing side-channel attacks. It also makes it obvious how to implement this function in terms of carryless multiplication, in the common case where hardware supports it. Now we are ready to restate and prove Theorem 1.2.
Theorem 3.2
Let
for n prime and 2 a primitive root modulo n.
Proof
Since CLHn(k, a) is clearly linear, i.e., k · a + k · b ≡ k · (a + b) (mod xn + 1), proving uniformity for nonzero input is sufficient [16, Theorem 6].
If n is an odd prime, xn + 1 factors as (x + 1)Φn(x), Φn(x) being the nth cyclotomic polynomial xn−1 + xn−2 + · · · + x + 1. Suppose that Φn(x) is irreducible modulo 2. Because the degree of a is at most n − 2, a mod Φn(x) = a. We can analyze the behavior of CLH modulo Φn(x) and x + 1 independently:
Modulo Φn(x). This is a finite field multiplication. Therefore any equation k · a ≡ c (mod Φn(x)) has a unique solution k ≡ ca−1 (mod Φn(x)).
Modulo x + 1. By a counting argument there can be at most 2 keys satisfying k · a ≡ c (mod (x + 1)) for any choice of parameters.
Combining the two cases with the Chinese remainder theorem, we obtain at most 2 distinct solutions.
It remains to be determined that Φn(x) is irreducible. This follows directly from the fact that n is prime, Φn(x) is the nth cyclotomic polynomial, and 2 is a primitive root modulo n [27, §1.6]. Thus, the differential probability is at most 2/2n. □
Remark 3.3
The conditions imposed by Minematsu on n are precisely the necessary conditions for there being a type-I optimal normal basis for the field 𝔽2n−1. Optimal normal bases are exceptionally fast representations for polynomials over binary fields, to the point that field sizes for binary elliptic curves are often chosen such that such bases are known to exist [28].
The circulant hash is, as a matter of fact, a multiplication in the “ghost bit” redundant representation of a type-I optimal normal basis [29, 30], with one exception—the end result remains in the ring 𝔽2[x]/(xn + 1) instead of being reduced modulo Φn(x). Reduction by “all-one” polynomials is exceptionally simple, and would enable a straightforward {0, 1}n−1 × {0, 1}n−1 ↦ {0, 1}n−1 finite-field multiplicative hash—simply add the coefficient of xn−1 to every coefficient in the polynomial, i.e.,
and output the first n − 1 coefficients. This can be achieved on a computer with a single xor and arithmetic shift.
4 Polynomial Evaluation
A very successful approach to designing universal hashes that accept an arbitrary-sized input is polynomial evaluation [31, 32]. Our interpretation of the circulant hash in the previous section lends itself to a straight-forward polynomial evaluation variant, which allows for arbitrary-sized inputs.
In this setting, we split an m(n−1)-bit input message a into m blocks (a0, a1, . . . , am−1) of n−1 bits each, padding as needed [2]. We interpret the message a as the degree m polynomial with coefficients in 𝔽2[x]/(xn+1):
We can now define the hash function PCLH(k, a) as the evaluation of this polynomial at k.
Definition 4.1
Let n be a positive integer. The polynomial evaluation circulant hash (PCLH) is a keyed function {0, 1}n × {0, 1}(n−1)m ↦ {0, 1}n defined as
Theorem 4.2
Let n be a prime such that 2 is a primitive root modulo n. For messages of at most m blocks, the polynomial hash PCLHn is 2m/2n-almost xor universal.
Proof
By linearity, PCLHn(k, a)+PCLHn(k, b) = PCLHn(k, a+b), where a+b indicates addition of polynomials of the form (3). Furthermore, PCLHn(k, a + b) = (a + b)(k). Thus we have (a + b)(k) = c, from which follows that (a + b + c)(k) = 0, which means the number of keys coincides with the number of roots of the polynomial a + b + c, which has degree at most m.
As in Theorem 1.2, given the constraints on n we can consider the behavior of the hash modulo x + 1 and Φn(x) independently:
– Modulo Φn(x). This is a finite field polynomial evaluation and the fundamental theorem of algebra applies—there are at most m roots of a degree m polynomial.
– Modulo x + 1. Here, by a simple counting argument, there cannot be more than 2 roots for any polynomial.
This leads to a probability of at most 2m/2n. The case m = 1 is exactly Theorem 1.2. □
5 A Variant for Powers of 2
Operating on block sizes of prime size, as required by the original CLH function, is not very convenient. Ideally, one would work instead on “natural” power of two blocks, such as n = 128. To this end, we define a new variant of the circulant hash that works in this setting.
Definition 5.1
Let n be a power of 2. The modified circulant hash (MCLH) is a keyed function {0, 1}n × {0, 1}n−1 ↦ {0, 1}n defined as
In this variant, instead of keeping the (n − 1)th coefficient empty we use it to ensure that the input is always invertible modulo xn + 1 with the injective transformation (a + xn−1(a + 1 mod (x + 1)). The input to MCLH can equivalently be defined as every element of {0, 1}n with an odd number of bits. Lemma 5.2 proves this is the case.
Lemma 5.2
For any a ∈ {0, 1}n−1, (a + xn−1(a + 1 mod (x + 1))) mod (x + 1) = 1.
Proof
xn−1 mod (x + 1) = (xn−1)(1) = 1 by the polynomial remainder theorem. Thus,
□
We now prove MCLH is an almost-xor universal hash.
Theorem 5.3
Let n be a power of 2. Let
Proof
Again, by linearity it suffices to prove
Given an equation k ·a ≡ c (mod xn +1), there is a unique k such that k ≡ ca−1 (mod xn +1). a is always invertible modulo xn + 1 by construction, as shown in Lemma 5.2. □
Remark 5.4
The value a mod (x + 1) can be efficiently computed with, e.g., the Intel instruction popcnt. It can also be computed by keeping track of the parity of the input.
6 Related Functions
6.1 Data-dependent Rotation
The same mathematical framework used in the previous sections may also be used to show that data-dependent rotation has low differential probability when the difference is in the rotation amounts. In Theorem 6.1 we re-derive the differential probability result of [33] in terms of multiplication in 𝔽2[x]/(xn + 1).
Theorem 6.1
([33]). Let n be a power of 2, and
Proof
As above, k≪r1 ⊕ k≪r2 is equivalent to k · (xr1 + xr2 ) mod (xn + 1). Thus, we want to bound the probability that k · (xr1 + xr2 ) mod (xn + 1) = c. We begin by rewriting it as k ·
We may factor any exponent r2 − r1 mod n as 2p · q, for odd q. Then xr2−r1 +1 = (xq +1)2p = (x+1)2p (xq−1 + xq−2 + · · · + 1)2p . We can now rewrite the above equality further as
as the right hand side multipliers are all units in this ring. The remaining factor (x+1)2p remains to be handled. Since 2p divides n, multiplication by (x+1)2p is a surjective group homomorphism sending 𝔽2[x]/(xn+1) to the unique subgroup of 𝔽2[x]/(xn +1) of order 2n−2p . As such, each key is one of 22p equivalent representations in this subgroup, k+t·(x+1)n−2p for t of degree less than 2p. If the right hand side of (6) belongs to the subgroup, i.e., it is congruent to 0 modulo (x + 1)2p , there is a unique solution in the subgroup with corresponding 22p equivalents in the main group; otherwise there are no solutions.
Finally, since n is a power of 2, we have 2p = gcd(r2 − r1, n). Putting it all together, we have at most 2gcd(r2−r1,n) possible keys for any given r1, r2, c, leading to a maximum probability of 2gcd(r2−r1,n)−n. □
6.2 Stretch-then-shift
The OCB3 authenticated encryption mode [34] introduced a special-purpose almost xor universal function—stretch-then-shift—to hash the 6 least significant bits of a nonce. This function, Hc(k, a), takes a 128-bit key k, a 6-bit input a, and outputs the first 128 bits of the result:
where stretch(k) is defined as kk ⊕ (k c), for some constant c < 128.
As with the case of the circulant hash, the authors of stretch-then-shift offer only a linear-algebraic rationale for the almost xor universal property of their function. Yet, we can also offer a polynomial interpretation that, once again, makes things simpler. We can understand this function as equivalent to a multiplication in the ring 𝔽2[x]/(x128 + xc + 1). Namely,
This comes directly from the fact that shift left by a is equivalent to polynomial multiplication by xa, and reduction of a polynomial f of degree < 256 − c modulo x128 + xc + 1 can be written as
since x128 mod x128+xc+1 = xc +1. Therefore, the stretch-then-shift hash is nothing more than an optimized polynomial multiplication modulo a trinomial. Since there are no irreducible trinomials of degree 128, the analysis proceeds similarly to the case of rotation.
We now prove in Theorem 6.2 that the concrete choice of shift used in OCB3, H8, makes for a xor universal hash.
Theorem 6.2
Let
Proof
We use the equivalence of H8 to k·xa mod (x128+x8+1). We have, as before, k·xa+k·xb = k·(xa+xb) = c can be written as k · (xa−b + 1) = c · x−b. As long as both xa−b and x−b are unique (i.e., invertible modulo x128 + x8 + 1), there is a unique k satisfying the equation.
The modulus x128 + x8 + 1 factors as (x8 + x6 + x5 + x3 + 1)8(x8 + x6 + x5 + x4 + x3 + x + 1)8. As x−b shares no factors with it, we need only concern with xa−b + 1. Without loss of generality, we consider positive differences a > b only. As long as xa−b + 1 shares no factor with the modulus, this multiplication is invertible. We rewrite xa−b + 1 as xa−b = 1 modulo any of the factors of the modulus, i.e., the order of x. The order of x modulo x8 + x6 + x5 + x3 + 1 is 255; the order of x modulo x8 + x6 + x5 + x4 + x3 + x + 1 is 85. Therefore, as long as a − b ∈ [−84, . . . , 84], H8 is injective and thus for any c at most one choice of k exists. □
This interpretation also gives us efficient ways to find suitable constants c. Given the factorization of the trinomial x128 + xc + 1, the function is xor universal as long as x has sufficiently large order modulo every factor. Alternatively, gcd(xa + 1, x128 + xc + 1) = 1 for every admissible value of a.
References
[1] Mark N.Wegman and Larry Carter,New Classes and Applications of Hash Functions, in: 20th Annual Symposium on Foundations of Computer Science, San Juan, Puerto Rico, 29-31 October 1979 pp. 175–182, IEEE Computer Society, 1979.10.1109/SFCS.1979.26Search in Google Scholar
[2] Larry Carter and Mark N. Wegman, Universal Classes of Hash Functions, J. Comput. Syst. Sci. 18 (1979), 143–154.10.1016/0022-0000(79)90044-8Search in Google Scholar
[3] Mark N. Wegman and Larry Carter, New Hash Functions and Their Use in Authentication and Set Equality, J. Comput. Syst. Sci. 22 (1981), 265–279.10.1016/0022-0000(81)90033-7Search in Google Scholar
[4] Victor Shoup, On Fast and Provably Secure Message Authentication Based on Universal Hashing, in: Advances in Cryptology - CRYPTO’96, 16th Annual International Cryptology Conference, Santa Barbara, California, USA, August 18-22, 1996, Proceedings (Neal Koblitz, ed.), Lecture Notes in Computer Science 1109, pp. 313–328, Springer, 1996.10.1007/3-540-68697-5_24Search in Google Scholar
[5] Stefan Lucks, Faster Luby-Rackoff Ciphers, in: Fast Software Encryption, Third International Workshop, Cambridge, UK, February 21-23, 1996, Proceedings (Dieter Gollmann, ed.), Lecture Notes in Computer Science 1039, pp. 189–203, Springer, 1996.10.1007/3-540-60865-6_53Search in Google Scholar
[6] Moni Naor and Omer Reingold, On the Construction of Pseudorandom Permutations: Luby-Rackoff Revisited, J. Cryptology 12 (1999), 29–66.10.1007/PL00003817Search in Google Scholar
[7] Russell Impagliazzo, Leonid A. Levin and Michael Luby, Pseudo-random Generation from one-way functions (Extended Abstracts), in: Proceedings of the 21st Annual ACM Symposium on Theory of Computing, May 14-17, 1989, Seattle, Washigton, USA (David S. Johnson, ed.), pp. 12–24, ACM, 1989.10.1145/73007.73009Search in Google Scholar
[8] Edgar N. Gilbert, F. Jessie MacWilliams and Neil J. A. Sloane, Codes Which Detect Deception, Bell System Technical Journal 53 (1974), 405–424.10.1002/j.1538-7305.1974.tb02751.xSearch in Google Scholar
[9] Albert L. Zobrist, A New Hashing Method With Application for Game Playing University of Wisconsin—Madison Department of Computer Sciences, Report no. #88, April 1970.Search in Google Scholar
[10] Martin Dietzfelbinger, Universal Hashing and k-Wise Independent Random Variables via Integer Arithmetic without Primes, in: STACS 96, 13th Annual Symposium on Theoretical Aspects of Computer Science, Grenoble, France, February 22-24, 1996, Proceedings (Claude Puech and Rüdiger Reischuk, eds.), Lecture Notes in Computer Science 1046, pp. 569–580, Springer, 1996.10.1007/3-540-60922-9_46Search in Google Scholar
[11] Bert den Boer, A Simple and Key-Economical Unconditional Authentication Scheme, Journal of Computer Security 2 (1993), 65–72.Search in Google Scholar
[12] Jürgen Bierbrauer, Thomas Johansson, Gregory Kabatianskii and Ben J. M. Smeets, On Families of Hash Functions via Geometric Codes and Concatenation, in: Advances in Cryptology - CRYPTO ’93, 13th Annual International Cryptology Conference, Santa Barbara, California, USA, August 22-26, 1993, Proceedings (Douglas R. Stinson, ed.), Lecture Notes in Computer Science 773, pp. 331–342, Springer, 1993.10.1007/3-540-48329-2_28Search in Google Scholar
[13] Richard Taylor, Near Optimal Unconditionally Secure Authentication, in: Advances in Cryptology - EUROCRYPT ’94, Workshop on the Theory and Application of Cryptographic Techniques, Perugia, Italy, May 9-12, 1994, Proceedings (Alfredo De Santis, ed.), Lecture Notes in Computer Science 950, pp. 244–253, Springer, 1994.Search in Google Scholar
[14] Michael O. Rabin, Fingerprinting by Random Polynomials Center for Research in Computing Technology, Harvard University, Report no. TR-CSE-03-01, 1981.Search in Google Scholar
[15] Richard M. Karp and Michael O. Rabin, Efficient Randomized Pattern-Matching Algorithms, IBM Journal of Research and Development 31 (1987), 249–260.10.1147/rd.312.0249Search in Google Scholar
[16] Hugo Krawczyk, LFSR-based Hashing and Authentication, in: Advances in Cryptology - CRYPTO ’94, 14th Annual International Cryptology Conference, Santa Barbara, California, USA, August 21-25, 1994, Proceedings (Yvo Desmedt, ed.), Lecture Notes in Computer Science 839, pp. 129–139, Springer, 1994.10.1007/3-540-48658-5_15Search in Google Scholar
[17] Kazuhiko Minematsu, A Short Universal Hash Function from Bit Rotation, and Applications to Blockcipher Modes, in: Provable Security - 7th International Conference, ProvSec 2013, Melaka, Malaysia, October 23-25, 2013. Proceedings (Willy Susilo and Reza Reyhanitabar, eds.), Lecture Notes in Computer Science 8209, pp. 221–238, Springer, 2013.10.1007/978-3-642-41227-1_13Search in Google Scholar
[18] D. E. Daykin, On the Rank of the Matrix f A and the Enumeration of Certain Matrices over a Finite Field, Journal of the London Mathematical Society s1-35 (1960), 36–42.10.1112/jlms/s1-35.1.36Search in Google Scholar
[19] Umesh V. Vazirani, Efficiency Considerations in Using Semi-random Sources (Extended Abstract), in: Proceedings of the 19th Annual ACM Symposium on Theory of Computing, 1987, New York, New York, USA (Alfred V. Aho, ed.), pp. 160–168, ACM, 1987.10.1145/28395.28413Search in Google Scholar
[20] Phillip Rogaway, Bucket Hashing and Its Application to Fast Message Authentication, J. Cryptology 12 (1999), 91–115.10.1007/PL00003822Search in Google Scholar
[21] Douglas R. Stinson, On the Connections Between Universal Hashing, Combinatorial Designs and Error-Correcting Codes, in: Congressus Numerantium 114 pp. 7–27, 1996.Search in Google Scholar
[22] Ronald L. Rivest, The invertibility of the XOR of rotations of a binary word, Int. J. Comput. Math. 88 (2011), 281–284.10.1080/00207161003596708Search in Google Scholar
[23] Cunsheng Ding and Zhengchun Zhou, Binary cyclic codes from explicit polynomials over GF(2m), Discrete Mathematics 321 (2014), 76–89.10.1016/j.disc.2013.12.020Search in Google Scholar
[24] Olivier Martin, Andrew M. Odlyzko and Stephen Wolfram, Algebraic properties of cellular automata, Comm. Math. Phys. 93 (1984), 219–258.10.1007/BF01223745Search in Google Scholar
[25] Dario Bini, Gianna M. Del Corso, Giovanni Manzini and Luciano Margara, Inversion of circulant matrices over Zm Math. Comput. 70 (2001), 1169–1182.10.1090/S0025-5718-00-01235-7Search in Google Scholar
[26] Joan Daemen, Cipher and hash function design, strategies based on linear and differential cryptanalysis, PhD Thesis K.U.Leuven, 1995.Search in Google Scholar
[27] Ian F. Blake and Ronald C. Mullin, The Mathematical Theory of Coding Academic Press, April 1975.Search in Google Scholar
[28] Christophe Doche, Finite Field Arithmetic Handbook of Elliptic and Hyperelliptic Curve Cryptography. (Henri Cohen, Gerhard Frey, Roberto Avanzi, Christophe Doche, Tanja Lange, Kim Nguyen and Frederik Vercauteren, eds.), Chapman and Hall/CRC,2005, pp. 201–237.10.1201/9781420034981.ch11Search in Google Scholar
[29] Toshiya Itoh and Shigeo Tsujii, Structure of Parallel Multipliers for a Class of Fields GF(2m Inf. Comput. 83 (1989), 21–40.10.1016/0890-5401(89)90045-XSearch in Google Scholar
[30] Joseph H. Silverman, Fast Multiplication in Finite Fields GF(2N in: Cryptographic Hardware and Embedded Systems, First International Workshop, CHES’99, Worcester, MA, USA, August 12-13, 1999, Proceedings (Çetin Kaya Koç and Christof Paar, eds.), Lecture Notes in Computer Science 1717, pp. 122–134, Springer, 1999.10.1007/3-540-48059-5_12Search in Google Scholar
[31] Ted Krovetz and Phillip Rogaway, Fast Universal Hashing with Small Keys and No Preprocessing: The PolyR Construction, in: Information Security and Cryptology - ICISC 2000, Third International Conference, Seoul, Korea, December 8-9, 2000, Proceedings (Dongho Won, ed.), Lecture Notes in Computer Science 2015, pp. 73–89, Springer, 2000.10.1007/3-540-45247-8_7Search in Google Scholar
[32] Daniel J. Bernstein, The Poly1305-AES Message-Authentication Code, in: Fast Software Encryption: 12th International Workshop, FSE 2005, Paris, France, February 21-23, 2005, Revised Selected Papers (Henri Gilbert and Helena Handschuh, eds.), Lecture Notes in Computer Science 3557, pp. 32–49, Springer, 2005.10.1007/11502760_3Search in Google Scholar
[33] Scott Contini and Yiqun Lisa Yin, On differential properties of data-dependent rotations and their use in MARS and RC6, in: The 2nd Conference on Advanced Encryption Standard (AES), Rome, Italy, March 22-23, 1999 February 1999.Search in Google Scholar
[34] Ted Krovetz and Phillip Rogaway, The Software Performance of Authenticated-Encryption Modes, in: Fast Software Encryption - 18th International Workshop, FSE 2011, Lyngby, Denmark, February 13-16, 2011, Revised Selected Papers (Antoine Joux, ed.), Lecture Notes in Computer Science 6733, pp. 306–327, Springer, 2011.10.1007/978-3-642-21702-9_18Search in Google Scholar
© 2020 F. Araujo and S. Neves, published by De Gruyter
This work is licensed under the Creative Commons Attribution 4.0 International License.
