Differential Cryptanalysis of DESlike Cryptosystems
 CRYPTO'91
, 1991
Cited by 676 (9 self)
Cited by 676 (9 self)
The Data Encryption Standard (DES) is the best known and most widely used cryptosystem for civilian applications. It was developed at IBM and adopted by the National Buraeu of Standards in the mid 70's, and has successfully withstood all the attacks published so far in the open literature
Timing Attacks on Implementations of DiffieHellman, RSA, DSS, and Other Systems
, 1996
Cited by 644 (3 self)
Cited by 644 (3 self)
ciphertext. Actual systems are potentially at risk, including cryptographic tokens, networkbased cryptosystems, and other applications where attackers can make reasonably accurate timing measurements. Techniques for preventing the attack for RSA and DiffieHellman are presented. Some cryptosystems will need
Algorithms for Quantum Computation: Discrete Logarithms and Factoring
, 1994
Cited by 1103 (7 self)
Cited by 1103 (7 self)
of steps which is polynomial in the input size, e.g., the number of digits of the integer to be factored. These two problems are generally considered hard on a classical computer and have been used as the basis of several proposed cryptosystems. (We thus give the first examples of quantum cryptanalysis.) 1
NonMalleable Cryptography
 SIAM Journal on Computing
, 2000
Cited by 490 (21 self)
Cited by 490 (21 self)
system users. Our cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.
New Directions in Cryptography
, 1976
Cited by 3499 (7 self)
Cited by 3499 (7 self)
Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Data Security
, 1979
Cited by 611 (3 self)
Cited by 611 (3 self)
The rising abuse of computers and increasing threat to personal privacy through data banks have stimulated much interest m the techmcal safeguards for data. There are four kinds of safeguards, each related to but distract from the others. Access controls regulate which users may enter the system and subsequently whmh data sets an active user may read or wrote. Flow controls regulate the dissemination of values among the data sets accessible to a user. Inference controls protect statistical databases by preventing questioners from deducing confidential information by posing carefully designed sequences of statistical queries and correlating the responses. Statlstmal data banks are much less secure than most people beheve. Data encryption attempts to prevent unauthorized disclosure of confidential information in transit or m storage. This paper describes the general nature of controls of each type, the kinds of problems they can and cannot solve, and their inherent limitations and weaknesses. The paper is intended for a general audience with little background in the area.
Good ErrorCorrecting Codes based on Very Sparse Matrices
, 1999
Cited by 741 (23 self)
Cited by 741 (23 self)
We study two families of errorcorrecting codes defined in terms of very sparse matrices. "MN" (MacKayNeal) codes are recently invented, and "Gallager codes" were first investigated in 1962, but appear to have been largely forgotten, in spite of their excellent properties. The decoding of both codes can be tackled with a practical sumproduct algorithm. We prove that these codes are "very good," in that sequences of codes exist which, when optimally decoded, achieve information rates up to the Shannon limit. This result holds not only for the binarysymmetric channel but also for any channel with symmetric stationary ergodic noise. We give experimental results for binarysymmetric channels and Gaussian channels demonstrating that practical performance substantially better than that of standard convolutional and concatenated codes can be achieved; indeed, the performance of Gallager codes is almost as close to the Shannon limit as that of turbo codes.
Encrypted Key Exchange: PasswordBased Protocols Secure Against Dictionary Attacks
 IEEE SYMPOSIUM ON RESEARCH IN SECURITY AND PRIVACY
, 1992
Cited by 431 (5 self)
Cited by 431 (5 self)
Classical cryptographic protocols based on userchosen keys allow an attacker to mount passwordguessing attacks. We introduce a novel combination of asymmetric (publickey) and symmetric (secretkey) cryptography that allow two parties sharing a common password to exchange confidential
On the Importance of Checking Cryptographic Protocols for Faults
, 1997
Cited by 396 (8 self)
Cited by 396 (8 self)
. Schnorr's protocol can also be broken, but a larger number of erroneous executions is needed. Keywords: Hardware faults, Cryptanalysis, RSA, FiatShamir, Schnorr, Public key systems, Identification protocols. 1 Introduction Direct attacks on the famous RSA cryptosystem seem to require that one factor
Tamper Resistance  a Cautionary Note
 IN PROCEEDINGS OF THE SECOND USENIX WORKSHOP ON ELECTRONIC COMMERCE
, 1996
Cited by 428 (15 self)
Cited by 428 (15 self)
An increasing number of systems, from payTV to electronic purses, rely on the tamper resistance of smartcards and other security processors. We describe a number of attacks on such systems  some old, some new and some that are simply little known outside the chip testing community. We conclude that trusting tamper resistance is problematic; smartcards are broken routinely, and even a device that was described by a government signals agency as `the most secure processor generally available' turns out to be vulnerable. Designers of secure systems should consider the consequences with care.
