About: MD6 is a research topic. Over its lifetime, 19 publications have been published on this topic, receiving 243 citations. The topic is also known as: Message Digest 6.
TL;DR: In this paper, the authors prove that Merkle's original multi-time signature scheme is existentially unforgeable under adaptive chosen message attack and present an improved version with three advantages: it is provably forward secure, the number of signatures that can be made with one private key is in practice unlimited, and the cost of key generation is kept low.
Abstract: This paper builds on the multi-time signature scheme proposed by Merkle. We prove that the original scheme is existentially unforgeable under adaptive chosen message attack. Moreover, we present an improved version which has three advantages: It is provably forward secure. The number of signatures that can be made with one private key is — in a practical sense — unlimited. Finally, the cost for key generation is kept low. The theoretical exposition is complemented by experimental data about the efficiency of the improved Merkle signature scheme.
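As an added illustration of the multi-time scheme this abstract builds on (example code written for this page, not the paper's implementation and not its improved variant): a Merkle signature scheme with Lamport one-time signatures as the leaf scheme and SHA-256 as the hash, both of which are assumptions here. Key generation produces 2**height one-time keys and hashes their public keys into a tree whose root is the long-term public key. Signing consumes one leaf and erases that leaf's one-time secret, which is the state handling behind forward security; the signature carries the leaf index, the one-time signature, the one-time public key and the authentication path to the root.

```python
import hashlib
import os

def H(data: bytes) -> bytes:
    # Hash function assumed for this example; the paper does not fix one.
    return hashlib.sha256(data).digest()

# --- Lamport one-time signature (OTS), the leaf scheme assumed here ---
def lamport_keygen():
    # 256 secret pairs, one pair per bit of the message digest.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes):
    # Reveal one secret of each pair, selected by the digest bit.
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))

def leaf_of(pk) -> bytes:
    # Leaf = hash of the serialized one-time public key.
    return H(b"".join(a + b for a, b in pk))

class MerkleSigner:
    """Merkle's multi-time scheme: 2**height one-time keys under one root."""

    def __init__(self, height: int):
        self.n = 1 << height
        self.ots = [lamport_keygen() for _ in range(self.n)]  # key generation cost: n OTS keys
        self.levels = [[leaf_of(pk) for _, pk in self.ots]]
        while len(self.levels[-1]) > 1:
            lvl = self.levels[-1]
            self.levels.append([H(lvl[i] + lvl[i + 1]) for i in range(0, len(lvl), 2)])
        self.root = self.levels[-1][0]    # the long-term public key
        self.next_leaf = 0                # signer state: next unused leaf

    def sign(self, msg: bytes):
        if self.next_leaf >= self.n:
            raise RuntimeError("all one-time keys used; this root is exhausted")
        i = self.next_leaf
        sk, pk = self.ots[i]
        sig = lamport_sign(sk, msg)
        auth, idx = [], i
        for lvl in self.levels[:-1]:      # sibling at each level, leaf to root
            auth.append(lvl[idx ^ 1])
            idx >>= 1
        # Forward security hinges on this step: the used secret is destroyed,
        # so a later compromise of the signer yields no secret for leaf i.
        self.ots[i] = (None, pk)
        self.next_leaf += 1
        return (i, sig, pk, auth)

def merkle_verify(root: bytes, msg: bytes, signature) -> bool:
    i, sig, pk, auth = signature
    if not lamport_verify(pk, msg, sig):
        return False
    node, idx = leaf_of(pk), i
    for sibling in auth:                  # recompute the path up to the root
        node = H(node + sibling) if idx & 1 == 0 else H(sibling + node)
        idx >>= 1
    return node == root
```

With height 3 the root covers eight signatures, after which `sign` refuses to continue; the abstract's "practically unlimited" count and low key-generation cost come from the improved construction, which this block does not reproduce.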
TL;DR: A new solution to hardware memory integrity checking based on skewed Merkle trees is proposed, which offers better system performance under realistic memory access patterns, where some pages are accessed far more frequently than others, because fewer nodes of the tree have to be accessed during integrity checks.
Abstract: Protecting the integrity of a computer's memory is crucial in situations where physical attacks on the computer system are a threat. Such attacks can happen during a physical break-in at a data center or when a mobile device is lost or stolen. Since the memory modules can easily be removed or manipulated, the integrity of their contents cannot be trusted under the threat of physical attacks. To counter this, hardware memory integrity checking schemes have been proposed and realized in a number of secure microprocessor architectures. At the core of these schemes is usually some form of Merkle tree. All previous work on security architectures, however, uses full, balanced Merkle trees. In this paper, we propose a new solution to hardware memory integrity checking based on skewed Merkle trees. Because not all memory locations are accessed equally often in a modern computer system, a skewed Merkle tree offers better performance: the frequently accessed memory locations can be placed on the leaves of the skewed Merkle tree that have a shorter path to the root, so fewer nodes of the tree have to be accessed during integrity checks. Skewed Merkle trees offer better system performance under realistic memory access patterns where some pages are accessed more frequently than others, they do not pollute caches as much as full Merkle trees, and they do not require more storage than full, balanced Merkle trees.
TL;DR: This work investigates incomplete Merkle trees to support any number of sensors and demonstrates that an optimal structure can be found through mathematical analysis and simulation.
Abstract: Authentication based on the Merkle tree has been proposed as an energy efficient approach in a resource constrained sensor network environment. It replaces complicated certificate verification with more power efficient hash computations. While previous works assumed complete binary Merkle tree structures, which can be used efficiently only in sensor networks with a specific number of sensor nodes, we investigate incomplete Merkle trees to support any number of sensors. For the incomplete Merkle tree, we demonstrate that an optimal structure can be found through mathematical analysis and simulation. A novel tree indexing scheme is also proposed to reduce communication overhead and save sensor resources during authentication.
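The two preceding abstracts share one idea: a Merkle tree does not have to be complete or balanced, and its shape can be chosen to suit the workload. As an added example for both (written for this page, not code from either paper, and not the hardware design or the indexing scheme they describe), the block below builds a skewed Merkle tree over any number of memory pages by a Huffman-style merge driven by per-page access counts, so hot pages get short authentication paths, then verifies a page against the root and measures the access-weighted path length. SHA-256, the "leaf"/"node" prefixes and the sample pages and counts are assumptions; the page contents and access profile in the usage are constructed.

```python
import hashlib
import heapq
from dataclasses import dataclass
from typing import List, Optional, Tuple

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

@dataclass
class Node:
    digest: bytes
    weight: int                      # total access count under this node
    page: Optional[int] = None       # set on leaves: index of the protected page
    left: Optional["Node"] = None
    right: Optional["Node"] = None

def build_skewed_tree(pages: List[bytes], access_counts: List[int]) -> Node:
    """Huffman-style construction: repeatedly merge the two lightest subtrees,
    so pages with high access counts end up close to the root. Works for any
    number of pages; the tree need not be complete or balanced."""
    heap = []
    for i, (data, w) in enumerate(zip(pages, access_counts)):
        # Distinct leaf/node prefixes stop an interior digest being passed off as a page.
        heapq.heappush(heap, (w, i, Node(H(b"leaf" + data), w, page=i)))
    seq = len(pages)                 # unique tie-breaker so Node objects are never compared
    while len(heap) > 1:
        w1, _, a = heapq.heappop(heap)
        w2, _, b = heapq.heappop(heap)
        parent = Node(H(b"node" + a.digest + b.digest), w1 + w2, left=a, right=b)
        heapq.heappush(heap, (w1 + w2, seq, parent))
        seq += 1
    return heap[0][2]

def auth_path(root: Node, page: int) -> Optional[List[Tuple[bytes, bool]]]:
    """Sibling digests from the leaf up to the root, each tagged with whether the
    sibling sits on the left. Its length is the number of tree nodes the checker
    has to read for this page; None if the page is not in the tree."""
    def walk(node: Node):
        if node.page is not None:
            return [] if node.page == page else None
        for child, sib, sib_is_left in ((node.left, node.right, False), (node.right, node.left, True)):
            below = walk(child)
            if below is not None:
                return below + [(sib.digest, sib_is_left)]
        return None
    return walk(root)

def verify_page(root_digest: bytes, page_data: bytes, path: List[Tuple[bytes, bool]]) -> bool:
    """Recompute the root from the page contents and its path; a modified or
    swapped memory module changes the page and the recomputation fails."""
    h = H(b"leaf" + page_data)
    for sib, sib_is_left in path:
        h = H(b"node" + sib + h) if sib_is_left else H(b"node" + h + sib)
    return h == root_digest

def weighted_avg_path_len(root: Node, access_counts: List[int]) -> float:
    """Expected number of tree nodes read per memory access under the profile."""
    total = sum(access_counts)
    return sum(w * len(auth_path(root, i)) for i, w in enumerate(access_counts)) / total

if __name__ == "__main__":
    # Constructed sample: five pages (not a power of two), one of them hot.
    pages = [bytes([i]) * 64 for i in range(5)]
    counts = [1000, 10, 10, 5, 5]
    root = build_skewed_tree(pages, counts)
    print([len(auth_path(root, i)) for i in range(5)], weighted_avg_path_len(root, counts))
```

For five leaves a complete, balanced tree needs depth 3 for every page, while the skewed tree above places the hot page one step below the root, so the access-weighted path length drops to roughly 1.06 nodes. In a hardware checker the root would live on-chip and the tree would be re-skewed as the access profile changes; neither is shown here.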
TL;DR: An efficient hardware architecture to accelerate the generation of Merkle hash trees is presented and timing measurements on a prototype show a considerable performance boost compared to a similar software solution.
Abstract: The Merkle Signature Scheme relies solely on hash functions and is, therefore, assumed to be resistant to attacks by quantum computers. This paper presents an efficient hardware architecture to accelerate the generation of Merkle hash trees. Timing measurements on a prototype show a considerable performance boost compared to a similar software solution.
TL;DR: This work demonstrates provably that the mode of operation used in MD6 preserves some cryptographic properties of the compression function — that is, assuming some ideal conditions about the compression function used, the overall MD6 hash function is secure as well.
Abstract: In recent years there have been a series of serious and alarming cryptanalytic attacks on several commonly-used hash functions, such as MD4, MD5, SHA-0, and SHA-1 [13, 38]. These culminated with the celebrated work of Wang, Yin, and Yu from 2005, which demonstrated relatively efficient methods for finding collisions in the SHA-1 hash function [37]. Although there are several cryptographic hash functions — such as the SHA-2 family [28] — that have not yet succumbed to such attacks, the U.S. National Institute of Standards and Technology (NIST) put out a call in 2007 for candidate proposals for a new cryptographic hash function family, to be dubbed SHA-3 [29]. Hash functions are algorithms for converting an arbitrarily large input into a fixed-length message digest. They typically consist of two main components: a compression function that operates on fixed-length pieces of the input, and a mode of operation that governs how to apply the compression function repeatedly to the pieces in order to allow for arbitrary-length inputs. Cryptographic hash functions are furthermore required to have several important and stringent security properties including (but not limited to) first-preimage resistance, second-preimage resistance, collision resistance, pseudorandomness, and unpredictability. This work presents proofs of security for the mode of operation of the MD6 cryptographic hash function [32], a candidate for the SHA-3 competition, which differs greatly from the modes of operation of many commonly-used hash functions today (MD4, MD5, as well as the SHA family of hash functions). In particular, we demonstrate provably that the mode of operation used in MD6 preserves some cryptographic properties of the compression function — that is, assuming some ideal conditions about the compression function used, the overall MD6 hash function is secure as well.
Thesis Supervisor: Ronald L. Rivest, Andrew and Erna Viterbi Professor of Electrical Engineering and Computer Science
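The two components the abstract names, a compression function and a mode of operation, as an added example written for this page (a simplified model, not MD6's compression function, word sizes or parameters): a 4-ary tree mode in which every compression call also receives the node's level, its index within that level and a final-node flag, the information MD6 carries in its unique node ID and control word. A `naive` switch leaves that information out, and `structural_collision` then produces two messages of different lengths with the same naive tree hash even though the compression primitive is SHA-256; that is the kind of failure a proof about the mode, rather than about the compression function alone, has to rule out. SHA-256 standing in for the compression function, the 32-byte node output and zero padding without a length encoding are assumptions of this model.

```python
import hashlib
import struct

DIGEST = 32                 # node output size assumed for this model
ARITY = 4                   # children per interior node; MD6's mode is 4-ary
BLOCK = ARITY * DIGEST      # bytes consumed by one compression call

def compress(level: int, index: int, final: bool, block: bytes) -> bytes:
    """Model compression function: SHA-256 (an assumption, not MD6's f) over a
    fixed-size block prefixed with the node's position and a final-node flag."""
    assert len(block) == BLOCK
    header = struct.pack(">BQB", level, index, 1 if final else 0)
    return hashlib.sha256(header + block).digest()

def compress_naive(block: bytes) -> bytes:
    """The same primitive with position and flag left out."""
    assert len(block) == BLOCK
    return hashlib.sha256(block).digest()

def _pad(data: bytes) -> bytes:
    # Zero-pad to whole blocks; this model omits MD6's length encoding.
    return data + b"\x00" * (-len(data) % BLOCK)

def tree_hash(msg: bytes, naive: bool = False) -> bytes:
    """4-ary tree mode: level 0 consumes message bytes, each higher level
    consumes the concatenated outputs of ARITY children, until one node is left."""
    data = _pad(msg) if msg else b"\x00" * BLOCK
    level = 0
    while True:
        nodes = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        final = len(nodes) == 1
        outs = [compress_naive(blk) if naive else compress(level, i, final, blk)
                for i, blk in enumerate(nodes)]
        if final:
            return outs[0]
        data = _pad(b"".join(outs))
        level += 1

def structural_collision(msg: bytes) -> bytes:
    """For a message that fills exactly ARITY leaves, return the shorter message
    the naive mode cannot tell apart from it: the concatenated leaf outputs, which
    the naive root compresses exactly as it would compress a single leaf."""
    data = _pad(msg)
    assert len(data) == ARITY * BLOCK, "demo expects a message spanning one full level"
    return b"".join(compress_naive(data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))
```

The same check that separates a leaf from an interior node also separates the root from an intermediate node; without it, a 512-byte message and the 128-byte concatenation of its leaf digests hash identically under the naive mode, and the domain-separated mode is what breaks that relation. Because this model pads with zeros and encodes no message length, it should be read as a demonstration of the mode, not used as a hash function.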