Results 1 - 10 of 31
Slide Attacks
Proceedings of Fast Software Encryption ’99, Lecture Notes in Computer Science 1636, 1999
Cited by 185 (10 self)
Abstract. In this paper we present a new kind of cryptanalytic attack which utilizes bugs in the hardware implementation of computer instructions. The best known example of such a bug is the Intel division bug, which resulted in slightly inaccurate results for extremely rare inputs. Whereas in most applications such bugs can be viewed as a minor nuisance, we show that in the case of RSA (even when protected by OAEP), Pohlig-Hellman, elliptic curve cryptography, and several other schemes, such bugs can be a security disaster: decrypting ciphertexts on any computer which multiplies even one pair of numbers incorrectly can lead to full leakage of the secret key, sometimes with a single well-chosen ciphertext. Keywords: Bug attack, Fault attack, RSA, Pohlig-Hellman, ECC.
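The CRT-RSA case described in the abstract above, as an added example (not code from the paper): a simulated multiplier that is wrong on exactly one operand pair, a ciphertext that triggers it in only one CRT half, and the gcd step that turns the faulty plaintext into a factor of N. Everything in it is constructed for the demonstration: the toy-size primes, the public exponent, the buggy operand, the ciphertext and the function names are assumptions of the example. The simulation uses P and Q only to build a ciphertext that faults one half deterministically; an attacker who does not know them submits ciphertexts until one half faults, which is the situation the abstract describes. The last two functions show the usual countermeasure, re-encrypting before releasing a plaintext.

```python
"""Bug attack on RSA-CRT: a single wrong product leaks a prime factor."""
from math import gcd

# Toy-size RSA parameters, constructed for this example (not from the paper).
P = 2**61 - 1                   # Mersenne primes, chosen only to keep constants short
Q = 2**89 - 1
N = P * Q
E = 65537
D_P = pow(E, -1, P - 1)         # CRT exponents d mod (p-1) and d mod (q-1)
D_Q = pow(E, -1, Q - 1)
Q_INV = pow(Q, -1, P)           # Garner coefficient q^-1 mod p

# The hypothetical "hardware bug": squaring this one operand gives a wrong product.
BUG_OPERAND = 123456789


def buggy_mul(a, b):
    """Multiplier that is exact except on the single pair (BUG_OPERAND, BUG_OPERAND)."""
    prod = a * b
    if a == BUG_OPERAND and b == BUG_OPERAND:
        prod ^= 1               # one flipped bit in the product
    return prod


def exact_mul(a, b):
    return a * b


def pow_mod(base, exp, mod, mul):
    """Right-to-left square-and-multiply built on the supplied multiplier.
    The base is squared in the first iteration, so a base equal to
    BUG_OPERAND hits the bug immediately."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = mul(result, base) % mod
        base = mul(base, base) % mod
        exp >>= 1
    return result


def crt_combine(x_p, x_q):
    """Garner recombination: the x < N with x = x_p (mod P) and x = x_q (mod Q)."""
    return x_q + Q * ((Q_INV * (x_p - x_q)) % P)


def rsa_decrypt_crt(c, mul=buggy_mul):
    """Textbook RSA-CRT decryption with no fault check (the vulnerable version)."""
    m_p = pow_mod(c % P, D_P, P, mul)
    m_q = pow_mod(c % Q, D_Q, Q, mul)
    return crt_combine(m_p, m_q)


def chosen_ciphertext():
    """Ciphertext equal to BUG_OPERAND mod P but not mod Q, so only the mod-P
    half of the decryption is corrupted.  P and Q are used here purely to make
    the run deterministic; a real attacker submits ciphertexts until one half
    faults, and the gcd step below then works the same way."""
    return crt_combine(BUG_OPERAND, 987654321)


def recover_factor(c, m_faulty):
    """The faulty plaintext is still correct mod Q, so Q divides m'^e - c while
    P does not: gcd(m'^e - c, N) = Q, which gives the whole private key."""
    return gcd((pow(m_faulty, E, N) - c) % N, N)


def rsa_decrypt_checked(c, mul=buggy_mul):
    """Countermeasure: re-encrypt and refuse to release a result that does not
    verify.  This toy verifies with an exact multiplier; on real hardware the
    check must itself avoid the buggy operand pair."""
    m = rsa_decrypt_crt(c, mul)
    if pow(m, E, N) != c:
        raise ValueError("fault detected, plaintext withheld")
    return m


def fault_is_detected(c):
    try:
        rsa_decrypt_checked(c)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    c = chosen_ciphertext()
    m_faulty = rsa_decrypt_crt(c)
    print("faulty decryption differs:", m_faulty != rsa_decrypt_crt(c, exact_mul))
    print("gcd(m'^e - c, N) == Q:", recover_factor(c, m_faulty) == Q)
    print("checked decryption refuses:", fault_is_detected(c))
```

If the bug fires in both halves (for instance a ciphertext below both primes that equals the buggy operand), the gcd is 1 and the attacker simply tries another ciphertext; the attack needs the fault in exactly one half.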
Enhancing Differential-Linear Cryptanalysis
Advances in Cryptology - Asiacrypt’02, volume 2501 of LNCS, 2002
Cited by 21 (2 self)
Differential cryptanalysis analyzes ciphers by studying the development of differences during encryption. Linear cryptanalysis is similar but is based on studying approximate linear relations. In 1994, Langford and Hellman showed that both kinds of analysis can be combined together by a technique called differential-linear cryptanalysis, in which the differential part creates a linear approximation with probability 1. They applied their technique to 8-round DES. In this paper we present an enhancement of differential-linear cryptanalysis in which the inherited linear probability is smaller than 1. We use this extension to describe a differential-linear distinguisher for a 7-round reduced version of DES, and to present the best known key-recovery attack on a 9-round reduced version of DES. We use our enhanced technique to attack COCONUT98 with time complexity 2^33.7 encryptions and 2^27.7 chosen plaintexts.
Indistinguishability amplification
2006
Cited by 17 (6 self)
A random system is the abstraction of the input-output behavior of any kind of discrete system, in particular cryptographic systems. Many aspects of cryptographic security analyses and proofs can be seen as the proof that a certain random system (e.g. a block cipher) is indistinguishable from an ideal system (e.g. a random permutation), for different types of distinguishers. This paper presents a new generic approach to proving upper bounds on the distinguishing advantage of a combined system, assuming upper bounds of various types on the component systems. For a general type of combination operation of systems (including the combination of functions or the cascade of permutations), we prove two amplification theorems. The first is a direct-product theorem, similar in spirit to the XOR-Lemma: the distinguishing advantage (or security) of the combination of two (possibly stateful) systems is twice the product of the individual distinguishing advantages, which is optimal. The second theorem states that the combination of systems is secure against some strong class of distinguishers, assuming only that the components are secure against some weaker class of attacks. As a corollary we obtain tight bounds on the adaptive security of the cascade and parallel composition of non-adaptively (or only random-query) secure component systems. A key technical tool of the paper is to show a tight two-way correspondence, previously only known to hold in one direction, between the distinguishing advantage of two systems and the probability of provoking an appropriately defined event on one of the systems.
On the pseudorandomness of top-level schemes of block ciphers
Advances in Cryptology - Asiacrypt’00, volume 1976 of LNCS, 2000
Cited by 12 (1 self)
Abstract. Block ciphers are usually based on one top-level scheme into which we plug “round functions”. To analyze security, it is important to study the intrinsic security provided by the top-level scheme from the viewpoint of randomness: given a block cipher in which we replaced the lower-level schemes by idealized oracles, we measure the security (in terms of best advantage for a distinguisher) depending on the number of rounds and the number of chosen plaintexts. We then extrapolate a sufficient number of secure rounds given the regular bounds provided by decorrelation theory. This approach allows the comparison of several generalizations of the Feistel schemes and others. In particular, we compare the randomness provided by the schemes used by the AES candidates. In addition we provide a general paradigm for analyzing the security provided by the interaction between the different levels of the block cipher structure.
Decorrelated Fast Cipher: an AES Candidate (Extended Abstract)
In Proceedings from the First Advanced Encryption Standard Candidate Conference, National Institute of Standards and Technology (NIST), 1998
Resistance Against General Iterated Attacks
In Advances in Cryptology - EUROCRYPT'99, Prague, Czech Republic, Lecture Notes in Computer Science 1592, 1998
Cited by 8 (2 self)
In this paper we study the resistance of a block cipher against any general iterated attack. This class of attacks includes differential and linear cryptanalysis. We prove that we can upper bound the complexity of the attack by using Vaudenay's decorrelation technique. Our main theorem makes it possible to prove the security of the recently proposed block ciphers COCONUT98 and PEANUT98. Since public-key cryptography was discovered in the late 70s, proving the security of cryptographic protocols has been a challenging problem. Recently, the random oracle model and the generic algorithm techniques have introduced new tools for validating cryptographic algorithms. Although much older, the area of symmetric cryptography did not get so many tools. In the early 90s, Biham and Shamir [2] introduced the notion of differential cryptanalysis and Matsui [7, 8] introduced the notion of linear cryptanalysis, which was a quite general model of attack. Since then many authors have tried to formalize these ...
Decorrelation over Infinite Domains: the Encrypted CBC-MAC Case
2000
Cited by 7 (1 self)
Decorrelation theory has recently been proposed in order to address the security of block ciphers and other cryptographic primitives over a finite domain. We show here how to extend it to infinite domains, which can be used in the Message Authentication Code (MAC) case. In 1994, Bellare, Kilian and Rogaway proved that CBC-MAC is secure when the input length is fixed. This was extended by Petrank and Rackoff in 1997 to variable length. In this paper, we prove a result similar to Petrank and Rackoff's by using decorrelation theory. This leads to a slightly improved result and a more compact proof. This result is meant to be a general proving technique for security, which can be compared to the approach announced by Maurer at CRYPTO'99. Decorrelation theory has recently been introduced (see references [17] to [22]). Its first aim was to address provable security in the area of block ciphers in order to prove their security against differential [7] and linear cryptanalysis...
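Two of the abstracts above, the top-level-scheme analysis (distinguishing advantage as a function of the number of rounds and of chosen plaintexts) and the fixed- versus variable-length CBC-MAC results, share one worked example, added here and taken from neither paper. It builds a toy Feistel network whose round function is a SHA-256-based stand-in for the idealised round function (an assumption of the example, not a real cipher), runs a two-query chosen-plaintext distinguisher that separates the 2-round scheme from a random permutation while the 4-round scheme passes it, and then shows why the fixed-length restriction in the Bellare-Kilian-Rogaway result matters: over variable-length messages, raw CBC-MAC admits a length-extension forgery that the encrypted CBC-MAC construction named in the title above rejects. Keys, messages and function names are constructed for the example.

```python
"""Toy Feistel network: a two-query chosen-plaintext distinguisher on the
2-round scheme, and the CBC-MAC length-extension forgery that encrypted
CBC-MAC stops.  Illustration only; not a real cipher."""
import hashlib
import os

HALF = 8                        # 64-bit halves, 128-bit block
BLOCK = 2 * HALF


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed round function F_i, modelled as an independent random function
    per round via SHA-256 (stand-in for the idealised round-function oracle)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def feistel_encrypt(key: bytes, rounds: int, block: bytes) -> bytes:
    """One round maps (L, R) to (R, L xor F_i(R))."""
    left, right = block[:HALF], block[HALF:]
    for i in range(rounds):
        left, right = right, xor(left, round_function(key, i, right))
    return left + right


def feistel_decrypt(key: bytes, rounds: int, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(rounds)):
        left, right = xor(right, round_function(key, i, left)), left
    return left + right


def two_query_distinguisher(encrypt) -> bool:
    """Chosen-plaintext distinguisher using 2 queries.  For a 2-round Feistel the
    ciphertext left half is L xor F_0(R); two plaintexts sharing R therefore give
    ciphertext left halves whose xor equals the xor of the plaintext left halves.
    A random permutation satisfies that relation with probability 2^-64."""
    right = os.urandom(HALF)
    l0, l1 = os.urandom(HALF), os.urandom(HALF)
    c0, c1 = encrypt(l0 + right), encrypt(l1 + right)
    return xor(c0[:HALF], c1[:HALF]) == xor(l0, l1)


def cbc_mac(key: bytes, msg: bytes, rounds: int = 4) -> bytes:
    """Raw CBC-MAC with zero IV; the BKR proof covers one fixed message length only."""
    assert len(msg) % BLOCK == 0, "toy MAC takes whole blocks only"
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        state = feistel_encrypt(key, rounds, xor(state, msg[i:i + BLOCK]))
    return state


def encrypted_cbc_mac(key1: bytes, key2: bytes, msg: bytes, rounds: int = 4) -> bytes:
    """Encrypted CBC-MAC: the final chaining value is re-encrypted under a second key."""
    return feistel_encrypt(key2, rounds, cbc_mac(key1, msg, rounds))


def length_extension_forgery(mac, m1: bytes, m2: bytes):
    """Given tags t1 = MAC(m1) and t2 = MAC(m2) for one-block m1, m2, raw CBC-MAC
    assigns tag t2 to the two-block message m1 || (m2 xor t1), because the
    chaining value after m1 is exactly t1.  Returns (forged message, claimed tag)."""
    t1, t2 = mac(m1), mac(m2)
    return m1 + xor(m2, t1), t2


# Constructed keys and messages for the demonstration.
K1 = bytes(range(16))
K2 = bytes(range(16, 32))
M1 = b"invoice #1 pay 1"
M2 = b"invoice #2 pay 2"


def raw_cbc_mac_forgery_works() -> bool:
    forged, tag = length_extension_forgery(lambda m: cbc_mac(K1, m), M1, M2)
    return cbc_mac(K1, forged) == tag


def ecbc_forgery_works() -> bool:
    forged, tag = length_extension_forgery(lambda m: encrypted_cbc_mac(K1, K2, m), M1, M2)
    return encrypted_cbc_mac(K1, K2, forged) == tag


if __name__ == "__main__":
    print("2-round Feistel distinguished:", two_query_distinguisher(lambda b: feistel_encrypt(K1, 2, b)))
    print("4-round Feistel distinguished:", two_query_distinguisher(lambda b: feistel_encrypt(K1, 4, b)))
    print("raw CBC-MAC accepts forgery:", raw_cbc_mac_forgery_works())
    print("encrypted CBC-MAC accepts forgery:", ecbc_forgery_works())
```

The forgery needs only two legitimate tags and no key material, which is why a proof for one fixed length says nothing about deployments that accept messages of several lengths; the second encryption breaks the equality between a tag and the chaining value that the forgery relies on.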
Another Look at Security Definitions
2011
Cited by 6 (4 self)
Abstract. We take a critical look at security models that are often used to give “provable security” guarantees. We pay particular attention to digital signatures, symmetric-key encryption, and leakage resilience. We find that there has been a surprising amount of uncertainty about what the “right” definitions might be. Even when definitions have an appealing logical elegance and nicely reflect certain notions of security, they fail to take into account many types of attacks and do not provide a comprehensive model of adversarial behavior.
Report on the AES Candidates
1999
Cited by 4 (1 self)
This document reports the activities of the AES working group organized at the Ecole Normale Superieure. Several candidates are evaluated. In particular we outline some weaknesses in the designs of some candidates. We mainly discuss selection criteria between the candidates, and make case-by-case comments. We finally recommend the selection of Mars, RC6, Serpent, ... and DFC. As the report is being finalized, we also added some new preliminary cryptanalysis on RC6 and Crypton in the Appendix which are not considered in the main body of the report.