Systematic Design of Two-Party Authentication Protocols
, 1992
Cited by 49 (3 self)
We investigate protocols for authenticated exchange of messages between two parties in a communication network. Secure authenticated exchange is essential for network security. It is not difficult to design simple and seemingly correct solutions for it; however, many such 'solutions' can be broken. We give some examples of such protocols and we show a useful methodology which can be used to break many protocols. In particular, we break a protocol that is being standardized by the ISO. We present a new authenticated exchange protocol which is both provably secure and highly efficient and practical. The security of the protocol is proven, based on an assumption about the cryptosystem employed (namely, that it is secure when used in CBC mode on a certain message space). We think that this assumption is quite reasonable for many cryptosystems, and furthermore it is often assumed in practical use of the DES cryptosystem. Our protocol cannot be broken using the methodology we present (which was strong enough to catch all protocol exposures we found). The reduction to the security of the encryption mode indeed captures the non-existence of the exposures that the methodology catches (specialized to the actual use of encryption in our protocol). Furthermore, the protocol prevents chosen plaintext or ciphertext attacks on the cryptosystem. The proposed protocol is efficient and practical in several aspects. First, it uses only conventional cryptography (like the DES, or any privately-shared one-way function) and no public-key. Second, the protocol does not require synchronized clocks or counter management. Third, only a small number of encryption operations is needed (we use no decryption), all with a single shared key. In addition, only three messages are exchanged during the protocol, and the size of these messages is r...
The state of cryptographic hash functions
- in Lectures on Data Security: Modern Cryptology in Theory and Practice, LNCS 1561
, 1999
Trusted integrated circuits: a nondestructive hidden characteristics extraction approach
- in IH
, 2008
Cited by 16 (13 self)
Abstract. We have developed a methodology for unique identification of integrated circuits (ICs) that addresses untrusted fabrication and other security problems. The new method leverages nondestructive gate-level characterization of ICs post-manufacturing, revealing the hidden and unclonable uniqueness of each IC. The IC characterization uses the externally measured leakage currents for multiple input vectors. We have derived several optimization techniques for gate-level characterization. The probability of collision of IDs in the presence of intra- and inter-chip correlations is computed. We also introduce a number of novel security and authentication protocols, such as hardware metering, challenge-based authentication and prevention of software piracy, that leverage the extraction of a unique ID for each IC. Experimental evaluations of the proposed approach on a large set of benchmark examples reveal its effectiveness even in the presence of measurement errors.
How to Forge DES-Encrypted Messages in 2^28 Steps
, 1996
Cited by 14 (0 self)
In this paper we suggest key-collision attacks, and show that the theoretic strength of a cipher cannot exceed the square root of the size of the key space. As a result, in some circumstances, some DES keys can be recovered while they are still in use, and these keys can then be used to forge messages: in particular, one key of DES can be recovered with complexity 2^28, and one key of (three-key) triple-DES can be recovered with complexity 2^84.
Generalized Birthday Attacks on Unbalanced Feistel Networks
- in proceedings of Crypto’98, LNCS
, 1998
Cited by 2 (0 self)
Abstract. Unbalanced Feistel networks F_k, which are used to construct invertible pseudo-random permutations from kn bits to kn bits using d pseudo-random functions from n bits to (k − 1)n bits, k ≥ 2, are studied. We show a new generalized birthday attack on F_k with d ≤ 3k − 3. With 2^((k−1)n) chosen plaintexts an adversary can distinguish F_k (with d = 3k − 3) from a random permutation with high probability. If d < 3k − 3 then fewer plaintexts are required. We also show that for any F_k (with d = 2k), any adversary with m chosen plaintext oracle queries has probability O(m^k / 2^((k−1)n)) of distinguishing F_k from a random permutation.
Generic Attacks on Unbalanced Feistel Schemes with Expanding Functions
Cited by 1 (0 self)
Abstract. Unbalanced Feistel schemes with expanding functions are used to construct pseudo-random permutations from kn bits to kn bits by using random functions from n bits to (k − 1)n bits. At each round, all the bits except n bits are changed by using a function that depends only on these n bits. C.S. Jutla [6] investigated such schemes, which he denotes by F_k^d, where d is the number of rounds. In this paper, we describe novel Known Plaintext Attacks (KPA) and Non Adaptive Chosen Plaintext Attacks (CPA-1) against these schemes. With these attacks we will often be able to improve the result of C.S. Jutla. We also give precise formulas for the complexity of our attacks in d, k and n. Key words: Unbalanced Feistel permutations, pseudo-random permutations, generic attacks on encryption schemes, Block ciphers.
Herding, Second Preimage and Trojan Message Attacks Beyond Merkle-Damgård
- in SAC, Calgary, Canada (author manuscript)
, 2009
Abstract. In this paper we present new attack techniques to analyze the structure of hash functions that are not based on the classical Merkle-Damgård construction. We extend the herding attack to concatenated hashes, and to certain hash functions that process each message block several times. Using this technique, we show a second preimage attack on the folklore "hash-twice" construction, which processes two concatenated copies of the message. We follow with showing how to apply the herding attack to tree hashes. Finally, we present a new type of attack: the trojan message attack, which allows for producing second preimages of unknown messages (from a small known space) when they are appended with a fixed suffix.