Results 1 - 10 of 80
Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems
1996
Cited by 321 (3 self)
By carefully measuring the amount of time required to perform private key operations, attackers may be able to find fixed Diffie-Hellman exponents, factor RSA keys, and break other cryptosystems. Against a vulnerable system, the attack is computationally inexpensive and often requires only known ciphertext. Actual systems are potentially at risk, including cryptographic tokens, network-based cryptosystems, and other applications where attackers can make reasonably accurate timing measurements. Techniques for preventing the attack for RSA and Diffie-Hellman are presented. Some cryptosystems will need to be revised to protect against the attack, and new protocols and algorithms may need to incorporate measures to prevent timing attacks.
CommBench - A Telecommunications Benchmark for Network Processors
In Proc. of IEEE International Symposium on Performance Analysis of Systems and Software (ISPASS), 2000
Cited by 102 (17 self)
This paper presents a benchmark, CommBench, for use in evaluating and designing telecommunications network processors. The benchmark applications focus on small, computationally intense program kernels typical of the network processor environment. The benchmark
The Secure HyperText Transfer Protocol
1999
Cited by 78 (0 self)
This memo describes a syntax for securing messages sent using the Hypertext Transfer Protocol (HTTP), which forms the basis for the World Wide Web. Secure HTTP (S-HTTP) provides independently applicable security services for transaction confidentiality, authenticity/integrity and non-repudiability of origin.
Partial Encryption of Compressed Images and Videos
2000
Cited by 51 (1 self)
The increased popularity of multimedia applications places a great demand on efficient data storage and transmission techniques. Network communication, especially over a wireless network, can easily be intercepted and must be protected from eavesdroppers. Unfortunately, encryption and decryption are slow and it is often difficult, if not impossible, to carry out real-time secure image and video communication and processing. Methods have been proposed to combine compression and encryption together to reduce the overall processing time [3, 4, 12, 18, 20], but they are either insecure or too computationally intensive. We propose a novel solution, called partial encryption, in which a secure encryption algorithm is used to encrypt only part of the compressed data. Partial encryption is applied to several image and video compression algorithms in this paper. Only 13%--27% of the output from quadtree compression algorithms [13, 17, 29, 30, 31, 32] is encrypted for typical images, and less than 2% is encrypted for 512 × 512 images compressed by the SPIHT algorithm [26]. The results are similar for video compression, resulting in a significant reduction in encryption and decryption time. The proposed partial encryption schemes are fast, secure, and do not reduce the compression performance of the underlying compression algorithm.
EDICS Number: SP 7.8. This research is supported in part by the Motorola Wireless Data Group and the Canadian Natural Sciences and Engineering Research Council under Grant OGP9198 and Postgraduate Scholarship. Presently at Department of Computer Science, University of Waterloo.
Architectural Support for Fast Symmetric-Key Cryptography
In Proc. Intl. Conf. ASPLOS, 2000
Cited by 41 (0 self)
The emergence of the Internet as a trusted medium for commerce and communication has made cryptography an essential component of modern information systems. Cryptography provides the mechanisms necessary to implement accountability, accuracy, and confidentiality in communication. As demands for secure communication bandwidth grow, efficient cryptographic processing will become increasingly vital to good system performance. In this paper, we explore techniques to improve the performance of symmetric key cipher algorithms. Eight popular strong encryption algorithms are examined in detail. Analysis reveals the algorithms are computationally complex and contain little parallelism. Overall throughput on a high-end microprocessor is quite poor: a 600 MHz processor is incapable of saturating a T3 communication line with 3DES (triple DES) encrypted data. We introduce new instructions that improve the efficiency of the analyzed algorithms. Our approach adds instruction set support for fast substitutions, general permutations, rotates, and modular arithmetic. Performance analysis of the optimized ciphers shows an overall speedup of 59% over a baseline machine with rotate instructions and 74% speedup over a baseline without rotates. Even higher speedups are demonstrated with optimized substitutions (SBOXes) and additional functional unit resources. Our analyses of the original and optimized algorithms suggest future directions for the design of high-performance programmable cryptographic processors.
A Generalization of Linear Cryptanalysis and the Applicability of Matsui's Piling-up Lemma
1995
Cited by 41 (5 self)
Matsui's linear cryptanalysis for iterated block ciphers is generalized by replacing his linear expressions with I/O sums. For a single round, an I/O sum is the XOR of a balanced binary-valued function of the round input and a balanced binary-valued function of the round output. The basic attack is described and conditions for it to be successful are given. A procedure for finding effective I/O sums, i.e., I/O sums yielding successful attacks, is given. A cipher contrived to be secure against linear cryptanalysis but vulnerable to this generalization of linear cryptanalysis is given. Finally, it is argued that the ciphers IDEA and SAFER K-64 are secure against this generalization.
Keywords. Linear cryptanalysis, differential cryptanalysis, piling-up lemma, IDEA, SAFER.
1 Introduction
Linear cryptanalysis, which was introduced by Matsui in [Mat93] to attack DES, is an attack that applies to any iterated block cipher. In this paper, we develop a generalized version of linear cryptanalysis...
The TLS protocol
1999
Cited by 36 (0 self)
Version 1.0 Status of this memo <draft-ietf-tls-protocol-01.txt> This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or made obsolete by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as work in progress. To learn the current status of any Internet-Draft, please check the
Cryptographic Hash Functions: A Survey
1995
Cited by 30 (7 self)
This paper gives a survey on cryptographic hash functions. It gives an overview of all types of hash functions and reviews design principles and possible methods of attack. It also focuses on keyed hash functions and provides the applications, requirements, and constructions of keyed hash functions.
The ESP CBC-Mode Cipher Algorithms
1998
Cited by 28 (0 self)
This document describes how to use CBC-mode cipher algorithms with the IPSec ESP (Encapsulating Security Payload) Protocol. It not only clearly states how to use certain cipher algorithms, but also how to use all CBC-mode cipher algorithms.
Table of Contents
1. Introduction
1.1 Specification of Requirements
1.2 Intellectual Property Rights Statement
2. Cipher Algorithms
2.1 Mode
2.2 Key Size
2.3 Weak Keys
2.4 Block Size and Padding
2.5 Rounds
2.6 Backgrounds
2.7 Performance
3. ESP Payl...
Cryptanalysis of Diffie-Hellman, RSA, DSS, and Other Systems Using Timing Attacks (Extended Abstract)
Advances in Cryptology, CRYPTO '95: 15th Annual International Cryptology Conference, 1995
Cited by 25 (0 self)
(7 December 1995) Since many existing security systems can be broken with timing attacks, I am releasing this preliminary abstract to alert vendors and users. Research in this area is still in progress.
Abstract. Cryptosystems often take slightly different amounts of time to process different messages. With network-based cryptosystems, cryptographic tokens, and many other applications, attackers can measure the amount of time used to complete cryptographic operations. This abstract shows that timing channels can, and often do, leak key material. The attacks are particularly alarming because they often require only known ciphertext, work even if timing measurements are somewhat inaccurate, are computationally easy, and are difficult to detect. This preliminary draft outlines attacks that can find secret exponents in Diffie-Hellman key exchange, factor RSA keys, and find DSS secret parameters. Other symmetric and asymmetric cryptographic functions are also at risk. A complete ...