Results 1  10
of
205
Differential Fault Analysis of Secret Key Cryptosystems
, 1997
"... In September 1996 Boneh, Demillo, and Lipton from Bellcore announced a new type of cryptanalytic attack which exploits computational errors to find cryptographic keys. Their attack is based on algebraic properties of modular arithmetic, and thus it is applicable only to public key cryptosystems suc ..."
Abstract

Cited by 252 (3 self)
 Add to MetaCart
In September 1996 Boneh, Demillo, and Lipton from Bellcore announced a new type of cryptanalytic attack which exploits computational errors to find cryptographic keys. Their attack is based on algebraic properties of modular arithmetic, and thus it is applicable only to public key cryptosystems such as RSA, and not to secret key algorithms such as the Data Encryption Standard (DES). In this paper, we describe a related attack, which we call Differential Fault Analysis, or DFA, and show that it is applicable to almost any secret key cryptosystem proposed so far in the open literature. Our DFA attack can use various fault models and various cryptanalytic techniques to recover the cryptographic secrets hidden in the tamperresistant device. In particular, we have demonstrated that under the same hardware fault model used by the Bellcore researchers, we can extract the full DES key from a sealed tamperresistant DES encryptor by analyzing between 50 and 200 ciphertexts generated from unknown but related plaintexts. In the second part of the paper we develop techniques to identify the keys of completely unknown ciphers (such as SkipJack) sealed in tamperresistant devices, and to reconstruct the complete specification of DESlike unknown ciphers. In the last part of the paper, we consider a different fault model, based on permanent hardware faults, and show that it can be used to break DES by analyzing a small number of ciphertexts generated from completely unknown and unrelated plaintexts.
Practical privacy: the sulq framework
 In PODS ’05: Proceedings of the twentyfourth ACM SIGMODSIGACTSIGART symposium on Principles of database systems
, 2005
"... We consider a statistical database in which a trusted administrator introduces noise to the query responses with the goal of maintaining privacy of individual database entries. In such a database, a query consists of a pair (S, f) where S is a set of rows in the database and f is a function mapping ..."
Abstract

Cited by 166 (34 self)
 Add to MetaCart
(Show Context)
We consider a statistical database in which a trusted administrator introduces noise to the query responses with the goal of maintaining privacy of individual database entries. In such a database, a query consists of a pair (S, f) where S is a set of rows in the database and f is a function mapping database rows to {0, 1}. The true answer is P i∈S f(di), and a noisy version is released as the response to the query. Results of Dinur, Dwork, and Nissim show that a strong form of privacy can be maintained using a surprisingly small amount of noise – much less than the sampling error – provided the total number of queries is sublinear in the number of database rows. We call this query and (slightly) noisy reply the SuLQ (SubLinear Queries) primitive. The assumption of sublinearity becomes reasonable as databases grow increasingly large. We extend this work in two ways. First, we modify the privacy analysis to realvalued functions f and arbitrary row types, as a consequence greatly improving the bounds on noise required for privacy. Second, we examine the computational power of the SuLQ primitive. We show that it is very powerful indeed, in that slightly noisy versions of the following computations can be carried out with very few invocations of the primitive: principal component analysis, k means clustering, the Perceptron Algorithm, the ID3 algorithm, and (apparently!) all algorithms that operate in the in the statistical query learning model [11].
Side Channel Cryptanalysis of Product Ciphers
 JOURNAL OF COMPUTER SECURITY
, 1998
"... Building on the work of Kocher [Koc96], Jaffe, and Yun [KJY98], we discuss the notion of sidechannel cryptanalysis: cryptanalysis using implementation data. We discuss the notion of sidechannel attacks and the vulnerabilities they introduce, demonstrate sidechannel attacks against three produ ..."
Abstract

Cited by 92 (7 self)
 Add to MetaCart
Building on the work of Kocher [Koc96], Jaffe, and Yun [KJY98], we discuss the notion of sidechannel cryptanalysis: cryptanalysis using implementation data. We discuss the notion of sidechannel attacks and the vulnerabilities they introduce, demonstrate sidechannel attacks against three product ciphers  timing attack against IDEA, processorflag attack against RC5, and Hamming weight attack against DES  and then generalize our research to other cryptosystems.
Private Circuits: Securing Hardware against Probing Attacks
 In Proceedings of CRYPTO 2003
, 2003
"... Abstract. Can you guarantee secrecy even if an adversary can eavesdrop on your brain? We consider the problem of protecting privacy in circuits, when faced with an adversary that can access a bounded number of wires in the circuit. This question is motivated by side channel attacks, which allow an a ..."
Abstract

Cited by 80 (3 self)
 Add to MetaCart
(Show Context)
Abstract. Can you guarantee secrecy even if an adversary can eavesdrop on your brain? We consider the problem of protecting privacy in circuits, when faced with an adversary that can access a bounded number of wires in the circuit. This question is motivated by side channel attacks, which allow an adversary to gain partial access to the inner workings of hardware. Recent work has shown that side channel attacks pose a serious threat to cryptosystems implemented in embedded devices. In this paper, we develop theoretical foundations for security against side channels. In particular, we propose several efficient techniques for building private circuits resisting this type of attacks. We initiate a systematic study of the complexity of such private circuits, and in contrast to most prior work in this area provide a formal threat model and give proofs of security for our constructions.
Reclaiming Space from Duplicate Files in a Serverless Distributed File System
 In Proceedings of 22nd International Conference on Distributed Computing Systems (ICDCS
, 2002
"... The Farsite distributed file system provides availability by replicating each file onto multiple desktop computers. Since this replication consumes significant storage space, it is important to reclaim used space where possible. Measurement of over 500 desktop file systems shows that nearly half of ..."
Abstract

Cited by 64 (3 self)
 Add to MetaCart
(Show Context)
The Farsite distributed file system provides availability by replicating each file onto multiple desktop computers. Since this replication consumes significant storage space, it is important to reclaim used space where possible. Measurement of over 500 desktop file systems shows that nearly half of all consumed space is occupied by duplicate files. We present a mechanism to reclaim space from this incidental duplication to make it available for controlled file replication. Our mechanism includes 1) convergent encryption, which enables duplicate files to coalesced into the space of a single file, even if the files are encrypted with different users' keys, and 2) SALAD, a SelfArranging, Lossy, Associative Database for aggregating file content and location information in a decentralized, scalable, faulttolerant manner. Largescale simulation experiments show that the duplicatefile coalescing system is scalable, highly effective, and faulttolerant.
Investigations of power analysis attacks on smartcards
 In USENIX Workshop on Smartcard Technology
, 1999
"... Rights to individual papers remain with the author or the author's employer. Permission is granted for noncommercial reproduction of the work for educational or research purposes. This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. For more ..."
Abstract

Cited by 60 (0 self)
 Add to MetaCart
(Show Context)
Rights to individual papers remain with the author or the author's employer. Permission is granted for noncommercial reproduction of the work for educational or research purposes. This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. For more information about the USENIX Association:
Twofish: A 128Bit Block Cipher
 in First Advanced Encryption Standard (AES) Conference
, 1998
"... Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bit ..."
Abstract

Cited by 58 (8 self)
 Add to MetaCart
(Show Context)
Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2 22.5 chosen plaintexts and 2 51 effort.
Lowcost solutions for preventing simple sidechannel analysis: Sidechannel atomicity
 IEEE Transactions on Computers
, 2004
"... Abstract—This paper introduces simple methods to convert a cryptographic algorithm into an algorithm protected against simple sidechannel attacks. Contrary to previously known solutions, the proposed techniques are not at the expense of the execution time. Moreover, they are generic and apply to vi ..."
Abstract

Cited by 51 (4 self)
 Add to MetaCart
(Show Context)
Abstract—This paper introduces simple methods to convert a cryptographic algorithm into an algorithm protected against simple sidechannel attacks. Contrary to previously known solutions, the proposed techniques are not at the expense of the execution time. Moreover, they are generic and apply to virtually any algorithm. In particular, we present several novel exponentiation algorithms, namely, a protected squareandmultiply algorithm, its righttoleft counterpart, and several protected slidingwindow algorithms. We also illustrate our methodology applied to point multiplication on elliptic curves. All these algorithms share the common feature that the complexity is globally unchanged compared to the corresponding unprotected implementations. Index Terms—Cryptographic algorithms, sidechannel analysis, protected implementations, atomicity, exponentiation, elliptic curves. 1
Secure Reactive Systems
, 2000
"... We introduce a precise definition of the security of reactive systems following the simulatability approach in the synchronous model. No simulatability definition for reactive systems has been worked out in similar detail and generality before. Particular new aspects are a precise switching model th ..."
Abstract

Cited by 48 (10 self)
 Add to MetaCart
We introduce a precise definition of the security of reactive systems following the simulatability approach in the synchronous model. No simulatability definition for reactive systems has been worked out in similar detail and generality before. Particular new aspects are a precise switching model that allows us to discover timing vulnerabilities, a precise treatment of the interaction of users and adversaries, and independence of the trust model. We present several theorems relating the definition to other possible variants. They substantiate which aspects of such a definition do and do not make a real difference, and are useful in larger proofs. We also have a methodology for defining the security of practical systems by simulation of an ideal system, although they typically have imperfections tolerated for efficiency reasons. We sketch several examples to show the range of applicability, and present a very detailed proof of one example, secure reactive message transmission. Its main purpose...