Tamper Resistance -- a Cautionary Note
In Proceedings of the Second USENIX Workshop on Electronic Commerce, 1996
Cited by 312 (13 self)
An increasing number of systems, from pay-TV to electronic purses, rely on the tamper resistance of smartcards and other security processors. We describe a number of attacks on such systems -- some old, some new and some that are simply little known outside the chip testing community. We conclude that trusting tamper resistance is problematic; smartcards are broken routinely, and even a device that was described by a government signals agency as 'the most secure processor generally available' turns out to be vulnerable. Designers of secure systems should consider the consequences with care.
Secrecy by Typing in Security Protocols
Journal of the ACM, 1998
Cited by 221 (11 self)
We develop principles and rules for achieving secrecy properties in security protocols. Our approach is based on traditional classification techniques, and extends those techniques to handle concurrent processes that use shared-key cryptography. The rules have the form of typing rules for a basic concurrent language with cryptographic primitives, the spi calculus. They guarantee that, if a protocol typechecks, then it does not leak its secret inputs.
New explicit conditions of elliptic curve traces for FR-reduction
2001
Cited by 84 (0 self)
In this paper, we aim at characterizing elliptic curve traces by FR-reduction and investigate explicit conditions of traces vulnerable or secure against FR-reduction. We show new explicit conditions of elliptic curve traces for FR-reduction. We also present algorithms to construct such elliptic curves, which are related to famous number theory problems.
Key words: elliptic curve cryptosystems, trace, FR-reduction
1. Introduction. Koblitz and Miller independently proposed a public key cryptosystem based on an elliptic curve E over a finite field F_q (q = p^r) ([19], [5]). If elliptic curve cryptosystems satisfy the so-called FR-condition ([11], [17], [4]) and avoid anomalous elliptic curves over F_q ([3], [33], [35]), then the only known attacks are the Pollard rho-method ([7]) and the Pohlig-Hellman method ([6]). Hence, with current knowledge, we can construct elliptic curve cryptosystems over a smaller field than the discrete logarithm problem (DLP)-based cryptosystems like the ElGamal cryptosystems ([13]) or the DSA ([1]) and RSA cryptosystems ([8]). Elliptic curve cryptosystems with a 160-bit key are thus believed to have the same security as both the ElGamal cryptosystems and RSA cryptosystems with a 1,024-bit key. Recently some research comparing MOV and FR-reduction has been reported in [15], [18]. These attacks embed a subgroup of E(F_q) into F*_{q^k} for an extension field F_{q^k} and reduce the ECDLP based on that subgroup of E(F_q) to the DLP based ...
Manuscript received August 31, 2000. Manuscript revised August 31, 2000. The author is with Japan Advanced Institute of Science and Technology, Ishikawa-ken, 923-1292 Japan. The author is with Matsushita Communication Industrial Co., Ltd., Kanagawa-ken, 223-8639 Japan. This work was conducted when he was with JAIST.
Cryptographic Support for Secure Logs on Untrusted Machines
In Proceedings of the 7th USENIX Security Symposium, 1998
Cited by 77 (2 self)
In many real-world applications, sensitive information must be kept in log files on an untrusted machine. In the event that an attacker captures this machine, we would like to guarantee that he will gain little or no information from the log files and to limit his ability to corrupt the log files. We describe a computationally cheap method for making all log entries generated prior to the logging machine's compromise impossible for the attacker to read, and also impossible to undetectably modify or destroy.
Programming Satan's Computer
In Computer Science Today
Cited by 77 (3 self)
Cryptographic protocols are used in distributed systems to identify users and authenticate transactions. They may involve the exchange of about 2--5 messages, and one might think that a program of this size would be fairly easy to get right. However, this is absolutely not the case: bugs are routinely found in well known protocols, and years after they were first published. The problem is the presence of a hostile opponent, who can alter messages at will. In effect, our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. This is a fascinating problem; and we hope that the lessons learned from programming Satan's computer may be helpful in tackling the more common problem of programming Murphy's.
Authentication Metric Analysis and Design
ACM Transactions on Information and System Security, 1999
Cited by 64 (1 self)
Authentication using a path of trusted intermediaries, each able to authenticate the next in the path, is a well-known technique for authenticating entities in a large-scale system. Recent work has extended this technique to include multiple paths in an effort to bolster authentication, but the success of this approach may be unclear in the face of intersecting paths, ambiguities in the meaning of certificates, and interdependencies in the use of different keys. Thus, several authors have proposed metrics to evaluate the confidence afforded by a set of paths. In this paper we develop a set of guiding principles for the design of such metrics. We motivate our principles by showing how previous approaches failed with respect to these principles and what the consequences to authentication might be. We then propose a new metric that appears to meet our principles, and so to be a satisfactory metric of authentication.
A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroup
1997
Cited by 56 (2 self)
Consider the well-known oracle attack: Somehow one gets a certain computation result as a function of a secret key from the secret key owner and tries to extract some information on the secret key. This attacking scenario is well understood in the cryptographic community. However, there are many protocols based on the discrete logarithm problem that turn out to leak many of the secret key bits from this oracle attack, unless suitable checks are carried out. In this paper we present a key recovery attack on various discrete log-based schemes working in a prime order subgroup. Our attack can disclose part of, or the whole secret key in most Diffie-Hellman-type key exchange protocols and some applications of ElGamal encryption and signature schemes.
Key words: Key recovery attack, Discrete logarithms, Key exchange, Digital signatures.
1 Introduction. Many cryptographic protocols have been developed based on the discrete logarithm problem. The main objective of developers is to design...
A New Public-Key Cryptosystem Based on Higher Residues
1998
Cited by 54 (6 self)
This paper describes a new public-key cryptosystem based on the hardness of computing higher residues modulo a composite RSA integer. We introduce two versions of our scheme, one deterministic and the other probabilistic. The deterministic version is practically oriented: encryption amounts to a single exponentiation w.r.t. a modulus with at least 768 bits and a 160-bit exponent. Decryption can be suitably optimized so as to become less demanding than a couple of RSA decryptions.
Protocol Interactions and the Chosen Protocol Attack
In Proc. 1997 Security Protocols Workshop, 1997
Cited by 53 (3 self)
There are many cases in the literature in which reuse of the same key material for different functions can open up security holes. In this paper, we discuss such interactions between protocols, and present a new attack, called the chosen protocol attack, in which an attacker may write a new protocol using the same key material as a target protocol, which is individually very strong, but which interacts with the target protocol in a security-relevant way. We finish with a brief discussion of design principles to resist this class of attack.
Secrecy Types for Asymmetric Communication
2001
Cited by 48 (5 self)
We develop a typed process calculus for security protocols in which types convey secrecy properties. We focus on asymmetric communication primitives, especially on public-key encryption. These present special difficulties, partly because they rely on related capabilities (e.g., "public" and "private" keys) with different levels of secrecy and scopes.