Differential Power Analysis, 1999
Cited by 1121 (7 self)
Cryptosystem designers frequently assume that secrets will be manipulated in closed, reliable computing environments. Unfortunately, actual computers and microchips leak information about the operations they process. This paper examines specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. We also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information.
The RC5 Encryption Algorithm, 1995
Cited by 363 (7 self)
Abstract. This document describes the RC5 encryption algorithm. RC5 is a fast symmetric block cipher suitable for hardware or software implementations. A novel feature of RC5 is the heavy use of data-dependent rotations. RC5 has a variable word size, a variable number of rounds, and a variable-length secret key.

1 A Parameterized Family of Encryption Algorithms

RC5 is word-oriented: all of the primitive operations work on w-bit words as their basic unit of information. Here we assume w = 32, although the formal specification of RC5 admits variants for other word lengths, such as w = 64 bits. RC5 has two-word (64-bit) input (plaintext) and output (ciphertext) block sizes. RC5 uses an "expanded key table," S, derived from the user's supplied secret key. The size t of table S depends on the number r of rounds: S has t = 2(r + 1) words. There are thus several distinct "RC5" algorithms, depending on the choice of parameters w and r. We summarize these parameters below:

w: This is the word size, in bits; each word contains u = w/8 8-bit bytes. The standard value of w is 32 bits; allowable values of w are 16, 32, and 64. RC5 encrypts two-word blocks: plaintext and ciphertext blocks are each 2w bits long.

r: This is the number of rounds. Also, the expanded key table S contains t = 2(r + 1) words. Allowable values of r are 0, 1, ..., 255.

In addition to w and r, RC5 has a variable-length secret cryptographic key, specified by parameters b and K:

b: The number of bytes in the secret key K. Allowable values of b are 0, 1,
How to break MD5 and other hash functions, in EUROCRYPT, 2005
Cited by 317 (7 self)
Abstract. MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.
Differential Fault Analysis of Secret Key Cryptosystems, 1997
Cited by 315 (3 self)
In September 1996 Boneh, Demillo, and Lipton from Bellcore announced a new type of cryptanalytic attack which exploits computational errors to find cryptographic keys. Their attack is based on algebraic properties of modular arithmetic, and thus it is applicable only to public key cryptosystems such as RSA, and not to secret key algorithms such as the Data Encryption Standard (DES). In this paper, we describe a related attack, which we call Differential Fault Analysis, or DFA, and show that it is applicable to almost any secret key cryptosystem proposed so far in the open literature. Our DFA attack can use various fault models and various cryptanalytic techniques to recover the cryptographic secrets hidden in the tamper-resistant device. In particular, we have demonstrated that under the same hardware fault model used by the Bellcore researchers, we can extract the full DES key from a sealed tamper-resistant DES encryptor by analyzing between 50 and 200 ciphertexts generated from unknown but related plaintexts. In the second part of the paper we develop techniques to identify the keys of completely unknown ciphers (such as SkipJack) sealed in tamper-resistant devices, and to reconstruct the complete specification of DES-like unknown ciphers. In the last part of the paper, we consider a different fault model, based on permanent hardware faults, and show that it can be used to break DES by analyzing a small number of ciphertexts generated from completely unknown and unrelated plaintexts.
Description of a New Variable-Length Key, 64-bit Block Cipher (Blowfish), in Fast Software Encryption, Cambridge Security Workshop Proceedings, 1994
Cited by 217 (13 self)
Blowfish, a new secret-key block cipher, is proposed. It is a Feistel network, iterating a simple encryption function 16 times. The block size is 64 bits, and the key can be any length up to 448 bits. Although there is a complex initialization phase required before any encryption can take place, the actual encryption of data is very efficient on large microprocessors. The cryptographic community needs to provide the world with a new encryption standard. DES [16], the workhorse encryption algorithm for the past fifteen years, is nearing the end of its useful life. Its 56-bit key size is vulnerable to a brute-force attack [22], and recent advances in differential cryptanalysis [1] and linear cryptanalysis [10] indicate that DES is vulnerable to other attacks as well. Many of the other unbroken algorithms in the literature--Khufu [11,12], REDOC II [2,23, 20], and IDEA [7,8,9]--are protected by patents. RC2 and RC4, approved for export with a small key size, are proprietary [18]. GOST [6], a Soviet government algorithm, is specified without the S-boxes. The U.S. government is moving towards secret algorithms, such as the Skipjack algorithm in the Clipper and Capstone chips [17]. If the
Slide Attacks, Proceedings of Fast Software Encryption ’99, Lecture Notes in Computer Science 1636, 1999
Cited by 194 (11 self)
Abstract. In this paper we present a new kind of cryptanalytic attack which utilizes bugs in the hardware implementation of computer instructions. The best known example of such a bug is the Intel division bug, which resulted in slightly inaccurate results for extremely rare inputs. Whereas in most applications such bugs can be viewed as a minor nuisance, we show that in the case of RSA (even when protected by OAEP), Pohlig-Hellman, elliptic curve cryptography, and several other schemes, such bugs can be a security disaster: Decrypting ciphertexts on any computer which multiplies even one pair of numbers incorrectly can lead to full leakage of the secret key, sometimes with a single well-chosen ciphertext. Keywords: Bug attack, Fault attack, RSA, Pohlig-Hellman, ECC.
PRESENT: An Ultra-Lightweight Block Cipher, in the Proceedings of CHES 2007, 2007
Cited by 167 (19 self)
With the establishment of the AES the need for new block ciphers has been greatly diminished; for almost all block cipher applications the AES is an excellent and preferred choice. However, despite recent implementation advances, the AES is not suitable for extremely constrained environments such as RFID tags and sensor networks. In this paper we describe an ultra-lightweight block cipher, present. Both security and hardware efficiency have been equally important during the design of the cipher and at 1570 GE, the hardware requirements for present are competitive with today’s leading compact stream ciphers.
Tweakable block ciphers, 2002
Cited by 153 (4 self)
Abstract. We propose a new cryptographic primitive, the “tweakable block cipher.” Such a cipher has not only the usual inputs, message and cryptographic key, but also a third input, the “tweak.” The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our proposal thus brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher “tweakable” is small, and (3) it is easier to design and prove modes of operation based on tweakable block ciphers.
Truncated and Higher Order Differentials, in Fast Software Encryption, Second International Workshop, Leuven, Belgium, LNCS 1008, 1995
Cited by 153 (10 self)
In [6] higher order derivatives of discrete functions were considered and the concept of higher order differentials was introduced. We introduce the concept of truncated differentials and present attacks on ciphers presumably secure against differential attacks, but vulnerable to attacks using higher order and truncated differentials. Also we give a differential attack using truncated differentials on DES reduced to 6 rounds using only 46 chosen plaintexts with an expected running time of about the time of 3,500 encryptions. Finally it is shown how to find a minimum nonlinear order of a block cipher using higher order differentials.