Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1
1998
"... This paper introduces a new adaptive chosen ciphertext attack against certain protocols based on RSA. We show that an RSA privatekey operation can be performed if the attacker has access to an oracle that, for any chosen ciphertext, returns only one bit telling whether the ciphertext corresponds to ..."
Abstract

Cited by 237 (1 self)
Abstract: This paper introduces a new adaptive chosen ciphertext attack against certain protocols based on RSA. We show that an RSA private-key operation can be performed if the attacker has access to an oracle that, for any chosen ciphertext, returns only one bit telling whether the ciphertext corresponds to some unknown block of data encrypted using PKCS #1. An example of a protocol susceptible to our attack is SSL V.3.0.
Secure information flow in a multithreaded imperative language
In Proc. ACM Symp. on Principles of Programming Languages, 1998
"... Previously, we developed a type system to ensure secure information flow in a sequential, imperative programming language [VSI96]. Program variables are classified as either high or low security; intuitively, we wish to prevent information from flowing from high variables to low variables. Here, we ..."
Abstract

Cited by 203 (8 self)
Abstract: Previously, we developed a type system to ensure secure information flow in a sequential, imperative programming language [VSI96]. Program variables are classified as either high or low security; intuitively, we wish to prevent information from flowing from high variables to low variables. Here, we extend the analysis to deal with a multithreaded language. We show that the previous type system is insufficient to ensure a desirable security property called noninterference. Noninterference basically means that the final values of low variables are independent of the initial values of high variables. By modifying the sequential type system, we are able to guarantee noninterference for concurrent programs. Crucial to this result, however, is the use of purely nondeterministic thread scheduling. Since implementing such scheduling is problematic, we also show how a more restrictive type system can guarantee noninterference, given a more deterministic (and easily implementable) scheduling policy, such as round-robin time slicing. Finally, we consider the consequences of adding a clock to the language.
Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems
1999
"... Differential Power Analysis, first introduced by Kocher et al. in [14], is a powerful technique allowing to recover secret smart card information by monitoring power signals. In [14] a specific DPA attack against smartcards running the DES algorithm was described. As few as 1000 encryptions were su ..."
Abstract

Cited by 162 (2 self)
Abstract: Differential Power Analysis, first introduced by Kocher et al. in [14], is a powerful technique that allows recovery of secret smart card information by monitoring power signals. In [14] a specific DPA attack against smart cards running the DES algorithm was described. As few as 1000 encryptions were sufficient to recover the secret key. In this paper we generalize the DPA attack to elliptic curve (EC) cryptosystems and describe a DPA on EC Diffie-Hellman key exchange and EC ElGamal type encryption. These attacks make it possible to recover the private key stored inside the smart card. Moreover, we suggest countermeasures that thwart our attack.
Probabilistic noninterference in a concurrent language
1998
"... In [15], we give a type system that guarantees that welltyped multithreaded programs are possibilistically noninterfering. If thread scheduling is probabilistic, however, then welltyped programs may have probabilistic timing channels. We describe how they can be eliminated without making the type ..."
Abstract

Cited by 92 (7 self)
Abstract: In [15], we give a type system that guarantees that well-typed multithreaded programs are possibilistically noninterfering. If thread scheduling is probabilistic, however, then well-typed programs may have probabilistic timing channels. We describe how they can be eliminated without making the type system more restrictive. We show that well-typed concurrent programs are probabilistically noninterfering if every total command with a high guard executes atomically. The proof uses the concept of a probabilistic state of a computation, following the work of Kozen [10].
On the Importance of Eliminating Errors in Cryptographic Computations
Journal of Cryptology, 2001
"... We present a model for attacking various cryptographic schemes by taking advantage of random hardware faults. The model consists of a blackbox containing some cryptographic secret. The box interacts with the outside world by following a cryptographic protocol. The model supposes that from time t ..."
Abstract

Cited by 59 (0 self)
Abstract: We present a model for attacking various cryptographic schemes by taking advantage of random hardware faults. The model consists of a black box containing some cryptographic secret. The box interacts with the outside world by following a cryptographic protocol. The model supposes that from time to time the box is affected by a random hardware fault causing it to output incorrect values. For example, the hardware fault flips an internal register bit at some point during the computation. We show that for many digital signature and identification schemes these incorrect outputs completely expose the secrets stored in the box. We present the following results: (1) The secret signing key used in an implementation of RSA based on the Chinese Remainder Theorem (CRT) is completely exposed from a single erroneous RSA signature, (2) for non-CRT implementations of RSA the secret key is exposed given a large number (e.g. 1000) of erroneous signatures, (3) the secret key used in Fiat-Shamir ...
Twofish: A 128-Bit Block Cipher
In First Advanced Encryption Standard (AES) Conference, 1998
"... Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bit ..."
Abstract

Cited by 54 (8 self)
Abstract: Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
Verifying secrets and relative secrecy
In Symposium on Principles of Programming Languages (POPL'00), 2000
"... Systems that authenticate a user based on a shared secret (such as a password or PIN) normally allow anyone to query whether the secret is a given value. For example, an ATM machine allows one to ask whether a string is the secret PIN of a (lost or stolen) ATM card. Yet such queries are prohibited i ..."
Abstract

Cited by 52 (0 self)
Abstract: Systems that authenticate a user based on a shared secret (such as a password or PIN) normally allow anyone to query whether the secret is a given value. For example, an ATM machine allows one to ask whether a string is the secret PIN of a (lost or stolen) ATM card. Yet such queries are prohibited in any model whose programs satisfy an information-flow property like Noninterference. But there is complexity-based justification for allowing these queries. A type system is given that provides the access control needed to prove that no well-typed program can leak secrets in polynomial time, or even leak them with non-negligible probability if secrets are of sufficient length and randomly chosen. However, there are well-typed deterministic programs in a synchronous concurrent model capable of leaking secrets in linear time.
Low-Cost Solutions for Preventing Simple Side-Channel Analysis: Side-Channel Atomicity
IEEE Transactions on Computers, 2004
"... Abstract. This paper introduces simple methods to convert a cryptographic algorithm into an algorithm protected against simple sidechannel attacks. Contrary to previously known solutions, the proposed techniques are not at the expense of the execution time. Moreover, they are generic and apply to vi ..."
Abstract

Cited by 48 (3 self)
Abstract: This paper introduces simple methods to convert a cryptographic algorithm into an algorithm protected against simple side-channel attacks. Contrary to previously known solutions, the proposed techniques are not at the expense of the execution time. Moreover, they are generic and apply to virtually any algorithm. In particular, we present several novel exponentiation algorithms, namely a protected square-and-multiply algorithm, its right-to-left counterpart, and several protected sliding-window algorithms. We also illustrate our methodology applied to point multiplication on elliptic curves. All these algorithms share the common feature that the complexity is globally unchanged compared to the corresponding unprotected implementations.
A Cautionary Note Regarding Evaluation of AES Candidates on Smart-Cards
In Second Advanced Encryption Standard (AES) Candidate Conference
"... NIST has considered the performance of AES candidates on smartcards as an important selection criterion and many submitters have highlighted the compactness and efficiency of their submission on low end smart cards. However, in light of recently discovered power based attacks, we strongly argue tha ..."
Abstract

Cited by 30 (0 self)
Abstract: NIST has considered the performance of AES candidates on smart cards as an important selection criterion and many submitters have highlighted the compactness and efficiency of their submission on low end smart cards. However, in light of recently discovered power based attacks, we strongly argue that evaluating smart card suitability of AES candidates requires a very cautious approach. We demonstrate that straightforward implementations of AES candidates on smart cards are highly vulnerable to power analysis and readily leak away all secret keys. To illustrate our point, we describe a power based attack on the Twofish Reference 6805 code which we implemented on a ST16 smart card. The attack required power samples from only 100 independent block encryptions to fully recover the 128-bit secret key. We also describe how all other AES candidates are susceptible to similar attacks. We review the basis of power attacks and suggest countermeasures for a secure implementation. Unfortun...