Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS1
1998
Cited by 286 (1 self)
This paper introduces a new adaptive chosen ciphertext attack against certain protocols based on RSA. We show that an RSA private-key operation can be performed if the attacker has access to an oracle that, for any chosen ciphertext, returns only one bit telling whether the ciphertext corresponds to some unknown block of data encrypted using PKCS #1. An example of a protocol susceptible to our attack is SSL V.3.0.
Secure information flow in a multithreaded imperative language
In Proc. ACM Symp. on Principles of Programming Languages, 1998
Cited by 245 (8 self)
Previously, we developed a type system to ensure secure information flow in a sequential, imperative programming language [VSI96]. Program variables are classified as either high or low security; intuitively, we wish to prevent information from flowing from high variables to low variables. Here, we extend the analysis to deal with a multithreaded language. We show that the previous type system is insufficient to ensure a desirable security property called noninterference. Noninterference basically means that the final values of low variables are independent of the initial values of high variables. By modifying the sequential type system, we are able to guarantee noninterference for concurrent programs. Crucial to this result, however, is the use of purely nondeterministic thread scheduling. Since implementing such scheduling is problematic, we also show how a more restrictive type system can guarantee noninterference, given a more deterministic (and easily implementable) scheduling policy, such as round-robin time slicing. Finally, we consider the consequences of adding a clock to the language.
Serpent: A Proposal for the Advanced Encryption Standard
Cited by 122 (4 self)
We propose a new block cipher as a candidate for the Advanced Encryption Standard. Its design is highly conservative, yet still allows a very efficient implementation. It uses S-boxes similar to those of DES in a new structure that simultaneously allows a more rapid avalanche, a more efficient bit-slice implementation, and an easy analysis that enables us to demonstrate its security against all known types of attack. With a 128-bit block size and a 256-bit key, it is as fast as DES on the market-leading Intel Pentium/MMX platforms (and at least as fast on many others); yet we believe it to be more secure than three-key triple-DES.
1 Introduction
For many applications, the Data Encryption Standard algorithm is nearing the end of its useful life. Its 56-bit key is too small, as shown by a recent distributed key search exercise [28]. Although triple-DES can solve the key length problem, the DES algorithm was also designed primarily for hardware encryption, yet the great majori...
Probabilistic noninterference in a concurrent language
1998
Cited by 113 (7 self)
In [15], we give a type system that guarantees that well-typed multithreaded programs are possibilistically noninterfering. If thread scheduling is probabilistic, however, then well-typed programs may have probabilistic timing channels. We describe how they can be eliminated without making the type system more restrictive. We show that well-typed concurrent programs are probabilistically noninterfering if every total command with a high guard executes atomically. The proof uses the concept of a probabilistic state of a computation, following the work of Kozen [10].
On the Importance of Eliminating Errors in Cryptographic Computations
Journal of Cryptology, 2001
Cited by 99 (0 self)
We present a model for attacking various cryptographic schemes by taking advantage of random hardware faults. The model consists of a black box containing some cryptographic secret. The box interacts with the outside world by following a cryptographic protocol. The model supposes that from time to time the box is affected by a random hardware fault causing it to output incorrect values. For example, the hardware fault flips an internal register bit at some point during the computation. We show that for many digital signature and identification schemes these incorrect outputs completely expose the secrets stored in the box. We present the following results: (1) The secret signing key used in an implementation of RSA based on the Chinese Remainder Theorem (CRT) is completely exposed from a single erroneous RSA signature, (2) for non-CRT implementations of RSA the secret key is exposed given a large number (e.g. 1000) of erroneous signatures, (3) the secret key used in Fiat-Shamir ...
Low-cost solutions for preventing simple side-channel analysis: Side-channel atomicity
IEEE Transactions on Computers, 2004
Cited by 67 (6 self)
This paper introduces simple methods to convert a cryptographic algorithm into an algorithm protected against simple side-channel attacks. Contrary to previously known solutions, the proposed techniques are not at the expense of the execution time. Moreover, they are generic and apply to virtually any algorithm. In particular, we present several novel exponentiation algorithms, namely, a protected square-and-multiply algorithm, its right-to-left counterpart, and several protected sliding-window algorithms. We also illustrate our methodology applied to point multiplication on elliptic curves. All these algorithms share the common feature that the complexity is globally unchanged compared to the corresponding unprotected implementations.
Index Terms—Cryptographic algorithms, side-channel analysis, protected implementations, atomicity, exponentiation, elliptic curves.
Twofish: A 128-Bit Block Cipher
In First Advanced Encryption Standard (AES) Conference, 1998
Cited by 66 (8 self)
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
Provably Secure Masking of AES
In SAC, 2004
Cited by 59 (2 self)
A general method to secure cryptographic algorithm implementations against side-channel attacks is the use of randomization techniques and, in particular, masking.
Verifying secrets and relative secrecy
In Symposium on Principles of Programming Languages (POPL'00), 2000
Cited by 56 (0 self)
Systems that authenticate a user based on a shared secret (such as a password or PIN) normally allow anyone to query whether the secret is a given value. For example, an ATM machine allows one to ask whether a string is the secret PIN of a (lost or stolen) ATM card. Yet such queries are prohibited in any model whose programs satisfy an information-flow property like Noninterference. But there is complexity-based justification for allowing these queries. A type system is given that provides the access control needed to prove that no well-typed program can leak secrets in polynomial time, or even leak them with non-negligible probability if secrets are of sufficient length and randomly chosen. However, there are well-typed deterministic programs in a synchronous concurrent model capable of leaking secrets in linear time.