The LED Block Cipher
Cryptographic Hardware and Embedded Systems, CHES 2011, volume 6917 of LNCS, 2011
Cited by 49 (5 self)
Abstract
We present a new block cipher LED. While dedicated to compact hardware implementation, and offering the smallest silicon footprint among comparable block ciphers, the cipher has been designed to simultaneously tackle three additional goals. First, we explore the role of an ultralight (in fact nonexistent) key schedule. Second, we consider the resistance of ciphers, and LED in particular, to related-key attacks: we are able to derive simple yet interesting AES-like security proofs for LED regarding related-key or single-key attacks. And third, while we provide a block cipher that is very compact in hardware, we aim to maintain a reasonable performance profile for software implementation. Key words: lightweight, block cipher, RFID tag, AES.
Second preimages on n-bit hash functions for much less than 2^n work
Cited by 23 (3 self)
Abstract
We expand a previous result of Dean [Dea99] to provide a second preimage attack on all n-bit iterated hash functions with Damgård-Merkle strengthening and n-bit intermediate states, allowing a second preimage to be found for a 2^k-message-block message with about k × 2^(n/2+1) + 2^(n−k+1) work. Using RIPEMD-160 as an example, our attack can find a second preimage for a 2^60-byte message in about 2^106 work, rather than the previously expected 2^160 work. We also provide slightly cheaper ways to find multicollisions than the method of Joux [Jou04]. Both of these results are based on expandable messages: patterns for producing messages of varying length, which all collide on the intermediate hash result immediately after processing the message. We provide an algorithm for finding expandable messages for any n-bit hash function built using the Damgård-Merkle construction, which requires only a small multiple of the work done to find a single collision in the hash function.
Alpaca: extensible authorization for distributed services
In 14th ACM Conference on Computer and Communications Security, 2007
Cited by 23 (3 self)
Abstract
Traditional Public Key Infrastructures (PKI) have not lived up to their promise because there are too many ways to define PKIs, too many cryptographic primitives to build them with, and too many administrative domains with incompatible roots of trust. Alpaca is an authentication and authorization framework that embraces PKI diversity by enabling one PKI to “plug in” another PKI’s credentials and cryptographic algorithms, allowing users of the latter to authenticate themselves to services using the former with their existing, unmodified certificates. Alpaca builds on Proof-Carrying Authorization (PCA) [8], expressing a credential as an explicit proof of a logical claim. Alpaca generalizes PCA to express not only delegation policies but also the cryptographic primitives, credential formats, and namespace structure needed to use foreign credentials directly. To achieve this goal, Alpaca introduces a method of creating and naming new principals which behave according to arbitrary rules, a modular approach to logical axioms, and a domain-specific language specialized for reasoning about authentication. We have implemented Alpaca as a Python module that assists applications in generating proofs (e.g., in a client requesting access to a resource), and in verifying those proofs via a compact 800-line TCB (e.g., in a server providing that resource). We present examples demonstrating Alpaca’s extensibility in scenarios involving inter-organization PKI interoperability and secure remote PKI upgrade.
On the impossibility of efficiently combining collision resistant hash functions
In Proc. Crypto ’06, 2006
Cited by 21 (0 self)
Abstract
Let H1, H2 be two hash functions. We wish to construct a new hash function H that is collision resistant if at least one of H1 or H2 is collision resistant. Concatenating the output of H1 and H2 clearly works, but at the cost of doubling the hash output size. We ask whether a better construction exists, namely, can we hedge our bets without doubling the size of the output? We take a step towards answering this question in the negative: we show that any secure construction that evaluates each hash function once cannot output fewer bits than simply concatenating the given functions.
A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms
Proceedings of EUROCRYPT 2003, 2003
Cited by 15 (1 self)
Abstract
This paper presents two algorithms for solving the linear and the affine equivalence problem for arbitrary permutations (S-boxes). For a pair of n × n-bit permutations the complexity of the linear equivalence algorithm (LE) is O(n^3 2^n). The affine equivalence algorithm (AE) has complexity O(n^3 2^(2n)). The algorithms are efficient and allow one to study linear and affine equivalences for bijective S-boxes of all popular sizes (LE is efficient up to n ≤ 32). Using these tools, new equivalent representations are found for a variety of ciphers: Rijndael, DES, Camellia, Serpent, Misty, Kasumi, Khazad, etc. The algorithms are furthermore extended to the case of non-bijective n-to-m-bit S-boxes with a small value of n − m, and to the case of almost equivalent S-boxes. The algorithms also provide new attacks on a generalized Even-Mansour scheme. Finally, the paper defines a new problem of S-box decomposition in terms of Substitution Permutation Networks (SPN) with layers of smaller S-boxes. Simple information-theoretic bounds are proved for such decompositions.
The Rebound Attack and Subspace Distinguishers: Application to Whirlpool
J. Cryptology
Cited by 10 (3 self)
Abstract
We introduce the rebound attack as a variant of differential cryptanalysis on hash functions and apply it to the hash function Whirlpool, standardized by ISO/IEC. We give attacks on reduced variants of the Whirlpool hash function and the Whirlpool compression function. Next, we introduce the subspace problems as generalizations of near-collision resistance. Finally, we present distinguishers based on the rebound attack that apply to the full compression function of Whirlpool and the underlying block cipher W.
How to Improve Rebound Attacks
In: Advances in Cryptology: CRYPTO 2011. Lecture Notes in Computer Science, 2011
Cited by 9 (4 self)
Abstract
Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well-chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find, for a large number of cases, that the complexities of existing attacks can be improved. This is done by identifying problems that optimally adapt to the cryptanalytic situation, and by using better algorithms to find solutions for the differential path. Our improvements affect one particular operation that appears in most rebound attacks and which is often the bottleneck of the attacks. This operation, which varies depending on the attack, can be roughly described as merging large lists. As a result, we introduce new general-purpose algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms on real hash functions. More precisely, we demonstrate how to reduce the complexities of the best known analysis on four SHA-3 candidates: JH, Grøstl, ECHO and Lane, and on the best known rebound analysis on the SHA-3 candidate Luffa.
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
, 2013
Cited by 9 (1 self)
Abstract
While the symmetric-key cryptography community now has good experience in how to build a secure and efficient fixed permutation, it remains an open problem how to design a key schedule for block ciphers, as shown by the numerous candidates broken in the related-key model or in a hash function setting. Provable security against differential and linear cryptanalysis in the related-key scenario is an important step towards a better understanding of its construction. Using a structural analysis, we show that the full AES-128 cannot be proven secure unless the exact coefficients of the MDS matrix and the S-box differential properties are taken into account, since its structure is vulnerable to a related-key differential attack. We then exhibit a chosen-key distinguisher for AES-128 reduced to 9 rounds, which solves an open problem of the symmetric community. We obtain these results by revisiting algorithmic theory and graph-based ideas to compute all the best differential characteristics in SPN ciphers, with a special focus on AES-like ciphers subject to related keys. We use a variant of Dijkstra’s algorithm to efficiently find the most efficient related-key attacks on SPN ciphers, with an algorithm linear in the number of rounds.
Koufopavlou: Efficient Architecture and Hardware Implementation of the Whirlpool Hash Function
IEEE Transactions on Consumer Electronics, 2004
Cited by 8 (0 self)
Abstract
The latest cryptographic applications demand both high speed and high security. In this paper, an architecture and VLSI implementation of the newest powerful standard in the hash families, Whirlpool, is presented. It reduces the required hardware resources and achieves high-speed performance. The architecture permits a wide variety of implementation trade-offs. The implementation is examined and compared in terms of security level and performance using hardware metrics. This is the first Whirlpool implementation allowing fast execution and effective substitution of any previous hash family implementation, such as MD5, RIPEMD-160, SHA-1, SHA-2, etc., in any cryptographic application.
Evaluation of Standardized Password-Based Key Derivation against Parallel Processing Platforms
 Proceedings ESORICS 2012, LNCS 7459
Cited by 5 (2 self)
Abstract
Passwords are still the preferred method of user authentication for a large number of applications. In order to derive cryptographic keys from (human-entered) passwords, key-derivation functions are used. One of the most well-known key-derivation functions is the standardized PBKDF2 (RFC 2898), which is used in TrueCrypt, CCMP of WPA2, and many more. In this work, we evaluate the security of PBKDF2 against password guessing attacks using state-of-the-art parallel computing architectures, with the goal of finding parameters for PBKDF2 that protect against today’s attacks. In particular, we developed fast implementations of PBKDF2 on FPGA clusters and GPU clusters. These two families of platforms both have a better price-performance ratio than PC clusters and thus pose a great threat when running large-scale guessing attacks. To the best of our knowledge, we demonstrate the fastest attacks against PBKDF2, and show that we can guess more than 65% of typical passwords in about one week.