A Block Cipher Based Pseudo Random Number Generator Secure against Side-Channel Key Recovery
1 A Block Cipher Based Pseudo Random Number Generator Secure against Side-Channel Key Recovery
Christophe Petit 1, François-Xavier Standaert 1, Olivier Pereira 1, Tal G. Malkin 2, Moti Yung 2
1 Microelectronics Laboratory, Université catholique de Louvain. 2 Dept. of Computer Science, Columbia University.
Microelectronics Laboratory, Christophe Petit, March
2-5 Physical Security
- Security is usually proved in an idealized model.
- Once implemented, many provably secure cryptographic protocols are vulnerable to side-channel attacks (SC).
- Issue: partial information on the SECRET is leaked by the physical medium (e.g. power consumption).
- By collecting many pieces of partial information, an attacker can recover the whole secret key.
6-8 Physical Security: how to deal with leakages?
- (Try to) remove them by electronic countermeasures (masking, noise addition, dual-rail logic, ...).
- Assume some perfect component (e.g. Katz's non-tamperable device).
- Re-design the algorithms.
9-11 Physical Security: re-design algorithms
- Do not only try to prevent leakages from occurring: make their combination hard.
- Model the leakages: Micali-Reyzin model (physically observable cryptography).
- Case study: a Pseudo-Random Number Generator (PRNG).
12 Case Study: PRNG
- Black-Box security (BB): the output is a pseudo-random sequence (standard PRNG security).
- Grey-Box security (GB): prevent traditional side-channel cryptanalysis, i.e. key recovery from the leakages.
13 Talk Overview
Introduction; PRNG construction; BB model and security; GB model and security; PRNG summary; Conclusion and further work.
14-16 Construction (public IV, secret keys)
- First idea (in BB): if $E_1$ and $E_2$ are good block ciphers, then the $y_i$'s should be pseudo-random numbers.
- But (in GB) the successive leakages of the same keys can be combined, and together they allow recovering the whole secret.
17-18 The construction
- So the keys are updated after every round: $k_{i+1} = k_i \oplus m_i$ and $k'_{i+1} = k'_i \oplus m_i$, where $m_i = E_{1,k_i}(x_i)$ is the first encryption of the round and $y_i = E_{2,k'_i}(m_i)$ is the output block (see the single-round function $G_X$ in the black-box analysis).
- Each running key $k_i$, $k'_i$ is used to encrypt only one message.
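A reference model of the rekeying construction, added here as an example (it is not the authors' code). A 4-round Feistel network keyed through SHA-256 stands in for the block ciphers $E_1$ and $E_2$ so that the file runs with the Python standard library only; the paper's simulations use AES, and any 128-bit block cipher can be passed as the `cipher` argument. Assumptions: 128-bit keys and blocks (so $\mathcal{K} = \mathcal{M}$), a fixed public IV as input $x_i$, and the same stand-in cipher for both $E_1$ and $E_2$.

```python
"""Rekeying PRNG of Petit et al., modelled with a stand-in block cipher (example code)."""
import hashlib
from typing import Callable, List, Tuple

BLOCK_BYTES = 16   # assumption: 128-bit keys and blocks, K = M
ROUNDS = 4


def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    # Stand-in Feistel round function F(k, i, R) = SHA-256(k || i || R) truncated to 64 bits.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher: a Feistel network is a permutation for every key."""
    assert len(key) == BLOCK_BYTES and len(block) == BLOCK_BYTES
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, xor(left, _round_function(key, rnd, right))
    return left + right


def feistel_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of feistel_encrypt; only used to check the permutation property."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = xor(right, _round_function(key, rnd, left)), left
    return left + right


def prng(k: bytes, k_prime: bytes, iv: bytes, q: int,
         cipher: Callable[[bytes, bytes], bytes] = feistel_encrypt
         ) -> Tuple[List[bytes], List[Tuple[bytes, bytes]]]:
    """Run q rounds of the construction with the fixed public IV as input x_i:
         m_i = E1_{k_i}(IV),   y_i = E2_{k'_i}(m_i),
         k_{i+1} = k_i xor m_i,   k'_{i+1} = k'_i xor m_i.
    Returns the output blocks y_0..y_{q-1} and the running keys (k_i, k'_i) of each
    round.  The keys are returned only so the example can check that none is reused;
    a real implementation keeps them secret and erases k_i, k'_i right after use."""
    outputs, used_keys = [], []
    for _ in range(q):
        used_keys.append((k, k_prime))
        m = cipher(k, iv)                      # E1 under the current running key k_i
        outputs.append(cipher(k_prime, m))     # E2 under k'_i gives the output y_i
        k, k_prime = xor(k, m), xor(k_prime, m)   # rekeying: every key encrypts once
    return outputs, used_keys


def keys_never_repeat(used_keys: List[Tuple[bytes, bytes]]) -> bool:
    """True if no running key (of either cipher) is used in more than one round."""
    ks = [k for k, _ in used_keys] + [kp for _, kp in used_keys]
    return len(set(ks)) == len(ks)


if __name__ == "__main__":
    # Constructed sample keys and IV, for demonstration only.
    k0, k0_prime, iv0 = bytes(range(16)), bytes(range(16, 32)), bytes(16)
    ys, ks = prng(k0, k0_prime, iv0, 4)
    for i, (y, (ki, kpi)) in enumerate(zip(ys, ks)):
        print(f"round {i}: k_i={ki.hex()} k'_i={kpi.hex()} y_i={y.hex()}")
    print("all running keys distinct:", keys_never_repeat(ks))
```

The `cipher` parameter is the only place a production cipher (e.g. AES-128 via a crypto library) needs to be substituted; everything else is the key-update schedule the slides describe.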
19 Black-Box Model
Ideal cipher model: $E : \mathcal{K} \times \mathcal{M} \to \mathcal{M}$ (here $\mathcal{K} = \mathcal{M}$); for each key $k \in \mathcal{K}$, the function $E_k(\cdot) = E(k, \cdot)$ is a random permutation on $\mathcal{M}$.
20-22 Black-Box Model
PRNG: deterministic algorithm $G : \mathcal{K} \to \hat{\mathcal{K}}$ (with $|\mathcal{K}| < |\hat{\mathcal{K}}|$).
For any adversary $A : \hat{\mathcal{K}} \to \{0, 1\}$, let
$\mathrm{Succ}^{\mathrm{prng}\text{-}1}_{G,A} = \Pr[A(\hat{k}) = 1 : \hat{k} \leftarrow_R \hat{\mathcal{K}}]$,
$\mathrm{Succ}^{\mathrm{prng}\text{-}0}_{G,A} = \Pr[A(\hat{k}) = 1 : \hat{k} \leftarrow G(k);\ k \leftarrow_R \mathcal{K}]$,
$\mathrm{Adv}^{\mathrm{prng}}_{G,A} = \left|\mathrm{Succ}^{\mathrm{prng}\text{-}1}_{G,A} - \mathrm{Succ}^{\mathrm{prng}\text{-}0}_{G,A}\right|$.
$G$ is a PRNG if for any adversary $A$, $\mathrm{Adv}^{\mathrm{prng}}_{G,A} \approx 0$.
23-24 Black-Box Analysis
Proof: study the security of one round and extend it to multiple rounds by a hybrid argument.
For each $X \in \mathcal{M} = \mathcal{K}$, let $G_X : \mathcal{K} \times \mathcal{K} \to \mathcal{K} \times \mathcal{K} \times \mathcal{K}$,
$G_X(K, K') = \big(E_K(X) \oplus K,\ E_K(X) \oplus K',\ E_{K'}(E_K(X))\big)$,
i.e. one round outputs the next running keys $(k_1, k'_1)$ together with the pseudo-random block $y$.
25-34 Black-Box Analysis: security of a single round
By definition,
$\mathrm{Succ}^{\mathrm{prng}\text{-}0}_{G_X,A} = \Pr[A(\hat{k}) = 1 : (k, k') \leftarrow_R \mathcal{K} \times \mathcal{K};\ \hat{k} \leftarrow G_X(k, k')]$.
Recalling what $G_X(k, k')$ is,
$\mathrm{Succ}^{\mathrm{prng}\text{-}0}_{G_X,A} = \Pr[A(k_1, k'_1, y) = 1 : k \leftarrow_R \mathcal{K};\ k' \leftarrow_R \mathcal{K};\ m \leftarrow E_k(X);\ k_1 \leftarrow m \oplus k;\ k'_1 \leftarrow m \oplus k';\ y \leftarrow E_{k'}(m)]$.
Now using the ideal cipher model for $E_k$ and $E_{k'}$ (two independent random permutations, up to the negligible event $k = k'$),
$\mathrm{Succ}^{\mathrm{prng}\text{-}0}_{G_X,A} = \Pr[A(k_1, k'_1, y) = 1 : k \leftarrow_R \mathcal{K};\ k' \leftarrow_R \mathcal{K};\ P \leftarrow_R \mathrm{Perm}(\mathcal{K});\ P' \leftarrow_R \mathrm{Perm}(\mathcal{K});\ m \leftarrow P(X);\ k_1 \leftarrow m \oplus k;\ k'_1 \leftarrow m \oplus k';\ y \leftarrow P'(m)]$.
Choosing a random permutation and then applying it to $X$ is equivalent to choosing a random element (and $P'$ is evaluated on a single point), so
$\mathrm{Succ}^{\mathrm{prng}\text{-}0}_{G_X,A} = \Pr[A(k_1, k'_1, y) = 1 : k \leftarrow_R \mathcal{K};\ k' \leftarrow_R \mathcal{K};\ m \leftarrow_R \mathcal{K};\ k_1 \leftarrow m \oplus k;\ k'_1 \leftarrow m \oplus k';\ y \leftarrow_R \mathcal{K}]$.
So each of the inputs of $A$ looks random ($k$ and $k'$ are uniform and independent of $m$ and $y$, hence so are $k_1$ and $k'_1$):
$\mathrm{Succ}^{\mathrm{prng}\text{-}0}_{G_X,A} = \Pr[A(k_1, k'_1, y) = 1 : k_1 \leftarrow_R \mathcal{K};\ k'_1 \leftarrow_R \mathcal{K};\ y \leftarrow_R \mathcal{K}] = \mathrm{Succ}^{\mathrm{prng}\text{-}1}_{G_X,A}$.
35-38 Black-Box Analysis: security of $G^q$ ($q$ rounds of $G$), hybrid argument
- Consider hybrid algorithms on $q$ rounds: the $i$-th hybrid has $i$ rounds of $G$, followed by $q - i$ rounds of truly random generators.
- The $(i+1)$-th hybrid differs from the $i$-th hybrid in only one round.
- If there is an $A$ such that $\mathrm{Adv}^{\mathrm{prng}}_{G^q,A} > \varepsilon$, then there is an $A'$ such that $\mathrm{Adv}^{\mathrm{prng}}_{G,A'} > \varepsilon / q$ for one of the rounds, contradicting the single-round result.
39-42 Grey-Box Model
- Now recall that physical means leak information on the keys.
- Implementation = algorithm + (probabilistic) leakage function of the keys: $P^q(K, K') = \big(G^q(K, K'),\ L^q(K, K')\big)$.
- We show that the available information does not permit recovering the secret.
43-44 Grey-Box Model: side-channel key recovery adversary
$\mathrm{Succ}^{\mathrm{sc\text{-}kr\text{-}}\delta(K,K')}_{P^q(K,K'),A} = \Pr[A(P^q(k, k')) = \delta(k, k') : k \leftarrow_R \mathcal{K};\ k' \leftarrow_R \mathcal{K}]$, where $\delta(K, K')$ is a part of the key (e.g. 1 byte).
If $\delta(K, K') = K[0..7]$ (the first key byte), the success rate against the whole $n$-bit key $K$ is
$\mathrm{Succ}^{\mathrm{sc\text{-}kr\text{-}}K}_{P^q(K,K'),A} = \big(\mathrm{Succ}^{\mathrm{sc\text{-}kr\text{-}}K[0..7]}_{P^q(K,K'),A}\big)^{n/8}$,
assuming the $n/8$ byte recoveries succeed independently (the usual divide-and-conquer setting of side-channel attacks).
45-46 Grey-Box Model: assumptions
- Fixed IV.
- Leakages on the $m_i$'s and $k_i$'s (and $k'_i$'s); they cannot be related except through the rekeying relations $k^j_{i+1} = k^j_i \oplus m_i$.
Additional assumptions:
- Iterative block cipher, no key schedule.
- The adversary targets the first round key: $L(k_i) = L(k_i^0)$.
- Form of the leakage functions: HW (Hamming weight), GHW (generalized Hamming weight), NI (noisy identity).
47-49 Grey-Box Analysis
- With the observed leakages $l^q = \{L(k_i), L(m_i)\}$ and the relations $k_{i+1} = k_i \oplus m_i$, the best guess is $k_{\mathrm{guess}} := \arg\max_k \Pr[K = k \mid L^q = l^q]$.
- We derive formulae for the success rate $\mathrm{Succ}^{\mathrm{sc\text{-}kr\text{-}}K_0}_{P^q(K,K'),A} = f\big(q, \{L(k_i), L(m_i)\}\big)$.
- Goal: show that the success rate (SR) remains small as $q$ increases.
50-51 Hamming Weight Leakages
- Hamming weight leakages $L(x) = W_H(x) = \sum_i x_i$ (relevant for power consumption measurements).
- In this case we compute $\mathrm{Succ}^{\mathrm{sc\text{-}kr\text{-}}K_0}_{P^q(K,K'),A} = \frac{n+1}{2^n}$: high security, independently of $q$.
- Why $q$ does not matter: every value in $l^q$ is invariant under a simultaneous permutation of the bit positions of all the $k_i$ and $m_i$, so the posterior on $K_0$ stays uniform over the $\binom{n}{w}$ keys of the observed weight $w$; the best guess then succeeds with probability $1/\binom{n}{w}$, and averaging over $w$ gives $\sum_w \binom{n}{w} 2^{-n} \binom{n}{w}^{-1} = (n+1)/2^n$.
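The $(n+1)/2^n$ result can be checked by brute force, which is what the following added example does (example code, not the authors'). It enumerates every $(k_0, m_0, \ldots, m_{q-1})$ for a small key size, computes the leakage trace $l^q$ under the rekeying relation $k_{i+1} = k_i \oplus m_i$, and sums $\max_k \Pr[K_0 = k, L^q = l^q]$ over all traces, which is exactly the success rate of the Bayesian guess $k_{\mathrm{guess}}$. Assumptions: $n$ is reduced from 128 to 6 or 8 bits so the enumeration is exhaustive, the $m_i$ are uniform (ideal cipher), and the leakage of $k'_i$ is omitted as in the slide's $l^q$ (including it would not change the result, by the same permutation symmetry).

```python
"""Exact Bayesian success rate against the rekeying PRNG under Hamming-weight leakage
(example code; n is kept small so that every key and message tuple is enumerated)."""
from collections import Counter, defaultdict
from itertools import product
from math import comb


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def leakage_trace(k0: int, msgs) -> tuple:
    """l^q for one run: HW(k_0), then HW(m_i) and HW(k_{i+1}) for each round."""
    trace = [hamming_weight(k0)]
    k = k0
    for m in msgs:
        k ^= m                                  # rekeying relation k_{i+1} = k_i xor m_i
        trace += [hamming_weight(m), hamming_weight(k)]
    return tuple(trace)


def exact_success_rate(n: int, q: int) -> float:
    """Success rate of k_guess = argmax_k Pr[K_0 = k | L^q = l^q] for n-bit keys after
    q rounds, by exhaustive enumeration of all 2^{n(q+1)} (k_0, m_0, ..., m_{q-1})."""
    joint = defaultdict(Counter)                # trace -> {k0: number of message tuples}
    for k0 in range(1 << n):
        for msgs in product(range(1 << n), repeat=q):
            joint[leakage_trace(k0, msgs)][k0] += 1
    # Pr[success] = sum over traces of max_k0 Pr[K_0 = k0, L^q = trace]
    return sum(max(c.values()) for c in joint.values()) / float(1 << (n * (q + 1)))


def slide_formula(n: int) -> float:
    """(n+1)/2^n, written as the average over the weight w of the best guess 1/C(n, w)
    when the posterior is uniform over the C(n, w) keys of the observed weight."""
    return sum(comb(n, w) / (1 << n) * (1 / comb(n, w)) for w in range(n + 1))


if __name__ == "__main__":
    for n, q in ((6, 0), (6, 1), (6, 2), (8, 1)):
        print(f"n={n} q={q}: SR={exact_success_rate(n, q):.6f}"
              f"   (n+1)/2^n={slide_formula(n):.6f}")
```

For $n = 6$ the success rate is $7/64$ whether the adversary sees zero, one or two rounds; extra rounds add leakage but no information about $K_0$.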
52-53 Noisy Identity Leakages
- Here the above formulae are hard to evaluate analytically: Monte-Carlo simulations.
- [Figure: success rate versus number of PRNG rounds, for AES-128 on 8-bit, 32-bit and 128-bit architectures and AES-256 on a 256-bit architecture.]
- For the full AES-256 key: $\mathrm{Succ}^{\mathrm{sc\text{-}kr\text{-}}K}_{\mathrm{AES256},A} \approx (0.08)^{32} \approx 8 \cdot 10^{-36}$.
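The page does not give the exact form of its noisy-identity leakage, so the following added example (not the authors' simulation code) assumes the simplest one: every bit of every $k_i$ and $m_i$ is observed once, flipped independently with probability $p$. Under that assumption bit positions are independent, so the per-bit success rate of the Bayesian adversary can be computed exactly (a forward pass over the chain $k_0 \to k_1 \to \cdots$ with $m_i = k_i \oplus k_{i+1}$ uniform), and the $n$-bit key rate is its $n$-th power. It contrasts the rekeyed construction with the naive fixed-key design, in which the adversary simply observes the same key $q+1$ times: there the success rate climbs to 1 with $q$, whereas with rekeying it saturates, which is the qualitative point of the summary slide.

```python
"""Exact per-bit success rate of the Bayesian adversary under an assumed bit-flip
noisy-identity leakage: rekeyed PRNG versus a fixed key reused every round (example code)."""
from itertools import product


def _emit(p: float, observed: int, true: int) -> float:
    """Pr[observed bit | true bit] when each observed bit is flipped w.p. p (assumption)."""
    return 1.0 - p if observed == true else p


def _joint_rekeyed(obs, b: int, p: float) -> float:
    """Pr[bit of k_0 = b and observations obs] for obs = (k_0, m_0, k_1, ..., m_{q-1}, k_q),
    by a forward pass over the chain of key bits with m_i = k_i xor k_{i+1} uniform."""
    alpha = [0.0, 0.0]
    alpha[b] = 0.5 * _emit(p, obs[0], b)          # uniform prior on k_0, then its leak
    for i in range(len(obs) // 2):
        o_m, o_k = obs[2 * i + 1], obs[2 * i + 2]
        alpha = [
            sum(alpha[k] * 0.5 * _emit(p, o_m, k ^ k_next) for k in (0, 1))
            * _emit(p, o_k, k_next)
            for k_next in (0, 1)
        ]
    return alpha[0] + alpha[1]


def _joint_fixed(obs, b: int, p: float) -> float:
    """Pr[key bit = b and observations obs] when the same key bit leaks len(obs) times."""
    like = 0.5
    for o in obs:
        like *= _emit(p, o, b)
    return like


def bit_success_rate(p: float, q: int, rekeyed: bool) -> float:
    """Success rate of the maximum-a-posteriori guess of one bit of k_0 after q rounds:
    sum over every observation vector of max_b Pr[b, obs]."""
    n_obs = 2 * q + 1 if rekeyed else q + 1
    joint = _joint_rekeyed if rekeyed else _joint_fixed
    return sum(max(joint(obs, 0, p), joint(obs, 1, p))
               for obs in product((0, 1), repeat=n_obs))


def key_success_rate(p: float, q: int, rekeyed: bool, n: int = 8) -> float:
    """Rate for an n-bit key (n = 8: one AES key byte); bit positions are independent."""
    return bit_success_rate(p, q, rekeyed) ** n


if __name__ == "__main__":
    p = 0.2   # constructed noise level for the demonstration
    print(" q  bit/fixed  bit/rekeyed  byte/fixed  byte/rekeyed")
    for q in range(7):
        f, r = bit_success_rate(p, q, False), bit_success_rate(p, q, True)
        print(f"{q:2d}   {f:.4f}     {r:.4f}      {f ** 8:.4f}      {r ** 8:.4f}")
```

With $q = 0$ both designs give the direct-observation rate $1 - p$; afterwards the fixed key gains a fresh, equally reliable observation per round, while the rekeyed chain only adds estimates of $k_0$ whose reliability decays geometrically with their length, so the total evidence stays bounded. The enumeration is exponential in $q$ and is meant for $q \le 7$ or so; the paper's plots come from Monte-Carlo simulation instead.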
54-56 PRNG Summarized
- BB: secure in the ideal cipher model.
- GB: side-channel key recovery is prevented by the rekeying process. Some practically relevant leakages are investigated and the SR stays far from 1 even if $q$ increases.
- With other countermeasures, leakages on more rounds mean a better attack; here every additional round leaks on a fresh running key.
57-58 Conclusion and Further Work
- Re-design strategy, to be used together with other countermeasures.
- Need for a theoretical framework for side channels: unify BB and GB..., define physical primitives, compose primitives.
59-64 Thank you for your attention.
65-68 Secure initialization of the PRNG with a public seed
[Figure: the PRNG with initialization from a public seed. Labels: $k_i$, $k_i^*$, $IV_0$, $IV_1$, $z_i$, $x_i$, $E_1$, $m_i$, $E_2$, $y_i$, $r(i)$; key update $k_{i+1} = k_i \oplus m_i$ and $k^*_{i+1} = k^*_i \oplus m_i$ (here $k^*$ denotes the second key written $k'$ in the analysis).]
69-70 Grey-Box Model: assumptions (backup slides)
- Fixed IV (relaxed later).
- Leakages on the $m_i$'s and $k_i$'s (and $k'_i$'s); they cannot be related except through the rekeying relations $k^j_{i+1} = k^j_i \oplus m_i$.
- Additional assumptions: iterative block cipher, no key schedule; the adversary targets the first round key, $L(k_i) = L(k_i^0)$; leakage functions of the form HW, GHW, NI; we suppose a Bayesian adversary.
71 Discussion about the Grey-Box assumptions
- Many assumptions make the proofs cleaner... but are not essential.
- Relaxations lead to the same qualitative conclusions: with a key schedule, adapt the leakage model $L(k_i)$; targeting not only the first iteration of the PRNG may increase the SR, but the qualitative results remain.
Pseudorandom Number Generation and Stream Ciphers
Pseudorandom Number Generation and Stream Ciphers Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/
More informationFrom New Technologies to New Solutions: Exploiting FRAM Memories to Enhance Physical Security
From New Technologies to New Solutions: Exploiting FRAM Memories to Enhance Physical Security Stéphanie Kerckhof, François-Xavier Standaert, Eric Peeters CARDIS 2013 November 2013 Microelectronics Laboratory
More informationRandom Bit Generation and Stream Ciphers
Random Bit Generation and Stream Ciphers Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 8-1 Overview 1.
More informationLow Randomness Masking and Shulfifgn:
Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas Papagiannopoulos kostaspap88@gmail.com kpcrypto.net Radboud University Nijmegen Digital Security Department The Netherlands
More informationBlock Ciphers Security of block ciphers. Symmetric Ciphers
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 26 Assume encryption and decryption use the same key. Will discuss how to distribute key to all parties later Symmetric ciphers unusable
More informationEliminating Random Permutation Oracles in the Even-Mansour Cipher. Zulfikar Ramzan. Joint work w/ Craig Gentry. DoCoMo Labs USA
Eliminating Random Permutation Oracles in the Even-Mansour Cipher Zulfikar Ramzan Joint work w/ Craig Gentry DoCoMo Labs USA ASIACRYPT 2004 Outline Even-Mansour work and open problems. Main contributions
More informationNew Linear Cryptanalytic Results of Reduced-Round of CAST-128 and CAST-256
New Linear Cryptanalytic Results of Reduced-Round of CAST-28 and CAST-256 Meiqin Wang, Xiaoyun Wang, and Changhui Hu Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education,
More informationProtocoles de vote end-to-end
Protocoles de vote end-to-end Analyse de sécurité basée sur la simulation Olivier de Marneffe, Olivier Pereira, Jean-Jacques Quisquater Université catholique de Louvain, Belgium 19 mars 2008 Microelectronics
More informationState Separation for Code-Based Game-Playing Proofs
State Separation for Code-Based Game-Playing Proofs Chris Brzuska, Antoine Délignat-Lavaud, Cédric Fournet, Konrad Kohbrok, Markulf Kohlweiss December 6, 2018 Aalto University Microsoft esearch Cambridge
More informationCourse Business. Harry. Hagrid. Homework 2 Due Now. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Location: Right here
Course Business Homework 2 Due Now Midterm is on March 1 Final Exam is Monday, May 1 (7 PM) Location: Right here Harry Hagrid 1 Cryptography CS 555 Topic 17: DES, 3DES 2 Recap Goals for This Week: Practical
More informationDiffie-Hellman key-exchange protocol
Diffie-Hellman key-exchange protocol This protocol allows two users to choose a common secret key, for DES or AES, say, while communicating over an insecure channel (with eavesdroppers). The two users
More informationThreshold Implementations. Svetla Nikova
Threshold Implementations Svetla Nikova Threshold Implementations A provably secure countermeasure Against (first) order power analysis based on multi party computation and secret sharing 2 Outline Threshold
More informationCryptography CS 555. Topic 20: Other Public Key Encryption Schemes. CS555 Topic 20 1
Cryptography CS 555 Topic 20: Other Public Key Encryption Schemes Topic 20 1 Outline and Readings Outline Quadratic Residue Rabin encryption Goldwasser-Micali Commutative encryption Homomorphic encryption
More informationEvaluation of the Masked Logic Style MDPL on a Prototype Chip
Evaluation of the Masked Logic Style MDPL on a Prototype Chip Thomas Popp, Mario Kirschbaum, Thomas Zefferer Graz University of Technology Institute for Applied Information Processing and Communications
More informationSymmetric-key encryption scheme based on the strong generating sets of permutation groups
Symmetric-key encryption scheme based on the strong generating sets of permutation groups Ara Alexanyan Faculty of Informatics and Applied Mathematics Yerevan State University Yerevan, Armenia Hakob Aslanyan
More informationIdentity-based multisignature with message recovery
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2013 Identity-based multisignature with message
More informationTime-Memory Trade-Offs for Side-Channel Resistant Implementations of Block Ciphers. Praveen Vadnala
Time-Memory Trade-Offs for Side-Channel Resistant Implementations of Block Ciphers Praveen Vadnala Differential Power Analysis Implementations of cryptographic systems leak Leaks from bit 1 and bit 0 are
More informationSolution: Alice tosses a coin and conveys the result to Bob. Problem: Alice can choose any result.
Example - Coin Toss Coin Toss: Alice and Bob want to toss a coin. Easy to do when they are in the same room. How can they toss a coin over the phone? Mutual Commitments Solution: Alice tosses a coin and
More informationSecret Key Systems (block encoding) Encrypting a small block of text (say 128 bits) General considerations for cipher design:
Secret Key Systems (block encoding) Encrypting a small block of text (say 128 bits) General considerations for cipher design: Secret Key Systems (block encoding) Encrypting a small block of text (say 128
More informationSIDE-CHANNEL attacks exploit the leaked physical information
546 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS II: EXPRESS BRIEFS, VOL. 57, NO. 7, JULY 2010 A Low Overhead DPA Countermeasure Circuit Based on Ring Oscillators Po-Chun Liu, Hsie-Chia Chang, Member, IEEE,
More information4. Design Principles of Block Ciphers and Differential Attacks
4. Design Principles of Block Ciphers and Differential Attacks Nonli near 28-bits Trans forma tion 28-bits Model of Block Ciphers @G. Gong A. Introduction to Block Ciphers A Block Cipher Algorithm: E and
More informationRecommendations for Secure IC s and ASIC s
Recommendations for Secure IC s and ASIC s F. Mace, F.-X. Standaert, J.D. Legat, J.-J. Quisquater UCL Crypto Group, Microelectronics laboratory(dice), Universite Catholique de Louvain(UCL), Belgium email:
More informationComparison of Profiling Power Analysis Attacks Using Templates and Multi-Layer Perceptron Network
Comparison of Profiling Power Analysis Attacks Using Templates and Multi-Layer Perceptron Network Zdenek Martinasek and Lukas Malina Abstract In recent years, the cryptographic community has explored new
More informationB. Substitution Ciphers, continued. 3. Polyalphabetic: Use multiple maps from the plaintext alphabet to the ciphertext alphabet.
B. Substitution Ciphers, continued 3. Polyalphabetic: Use multiple maps from the plaintext alphabet to the ciphertext alphabet. Non-periodic case: Running key substitution ciphers use a known text (in
More informationImage Encryption using Pseudo Random Number Generators
Image Encryption using Pseudo Random Number Generators Arihant Kr. Banthia Postgraduate student (MTech) Deptt. of CSE & IT, MANIT, Bhopal Namita Tiwari Asst. Professor Deptt. of CSE & IT, MANIT, Bhopal
More informationDUBLIN CITY UNIVERSITY
DUBLIN CITY UNIVERSITY SEMESTER ONE EXAMINATIONS 2013/2014 MODULE: CA642/A Cryptography and Number Theory PROGRAMME(S): MSSF MCM ECSA ECSAO MSc in Security & Forensic Computing M.Sc. in Computing Study
More informationIntroduction to Cryptography CS 355
Introduction to Cryptography CS 355 Lecture 25 Mental Poker And Semantic Security CS 355 Fall 2005 / Lecture 25 1 Lecture Outline Review of number theory The Mental Poker Protocol Semantic security Semantic
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously Pseudorandom Functions and Permutaitons Modes of Operation Pseudorandom Functions Functions that look like random
More informationConditional Cube Attack on Reduced-Round Keccak Sponge Function
Conditional Cube Attack on Reduced-Round Keccak Sponge Function Senyang Huang 1, Xiaoyun Wang 1,2,3, Guangwu Xu 4, Meiqin Wang 2,3, Jingyuan Zhao 5 1 Institute for Advanced Study, Tsinghua University,
More informationPower Analysis Attacks on SASEBO January 6, 2010
Power Analysis Attacks on SASEBO January 6, 2010 Research Center for Information Security, National Institute of Advanced Industrial Science and Technology Table of Contents Page 1. OVERVIEW... 1 2. POWER
More informationpaioli Power Analysis Immunity by Offsetting Leakage Intensity Sylvain Guilley perso.enst.fr/ guilley Telecom ParisTech
paioli Power Analysis Immunity by Offsetting Leakage Intensity Pablo Rauzy rauzy@enst.fr pablo.rauzy.name Sylvain Guilley guilley@enst.fr perso.enst.fr/ guilley Zakaria Najm znajm@enst.fr Telecom ParisTech
More informationEvaluation of On-chip Decoupling Capacitor s Effect on AES Cryptographic Circuit
R1-3 SASIMI 2013 Proceedings Evaluation of On-chip Decoupling Capacitor s Effect on AES Cryptographic Circuit Tsunato Nakai Mitsuru Shiozaki Takaya Kubota Takeshi Fujino Graduate School of Science and
More informationClassical Cryptography
Classical Cryptography CS 6750 Lecture 1 September 10, 2009 Riccardo Pucella Goals of Classical Cryptography Alice wants to send message X to Bob Oscar is on the wire, listening to all communications Alice
More informationComments on An Image Encryption Scheme Based on Rotation Matrix Bit-Level Permutation and Block Diffusion
American Journal of Circuits, Systems and Signal Processing Vol. 1, No. 3, 2015, pp. 105-113 http://www.aiscience.org/journal/ajcssp Comments on An Image Encryption Scheme Based on Rotation Matrix Bit-Level
More informationPower Analysis an overview. Agenda. Measuring power consumption. Measuring power consumption (2) Benedikt Gierlichs, KU Leuven - COSIC.
Power Analysis an overview Agenda Benedikt Gierlichs KU Leuven COSIC, Belgium benedikt.gierlichs@esat.kuleuven.be Measurements Analysis Pre-processing Summer School on Design and security of cryptographic
More informationSome Cryptanalysis of the Block Cipher BCMPQ
Some Cryptanalysis of the Block Cipher BCMPQ V. Dimitrova, M. Kostadinoski, Z. Trajcheska, M. Petkovska and D. Buhov Faculty of Computer Science and Engineering Ss. Cyril and Methodius University, Skopje,
More informationLOSSLESS CRYPTO-DATA HIDING IN MEDICAL IMAGES WITHOUT INCREASING THE ORIGINAL IMAGE SIZE THE METHOD
LOSSLESS CRYPTO-DATA HIDING IN MEDICAL IMAGES WITHOUT INCREASING THE ORIGINAL IMAGE SIZE J.M. Rodrigues, W. Puech and C. Fiorio Laboratoire d Informatique Robotique et Microlectronique de Montpellier LIRMM,
More informationAutomated Analysis and Synthesis of Block-Cipher Modes of Operation
Automated Analysis and Synthesis of Block-Cipher Modes of Operation Alex J. Malozemoff 1 Jonathan Katz 1 Matthew D. Green 2 1 University of Maryland 2 Johns Hopkins University Presented at the Fall Protocol
More informationDETECTING POWER ATTACKS ON RECONFIGURABLE HARDWARE. Adrien Le Masle, Wayne Luk
DETECTING POWER ATTACKS ON RECONFIGURABLE HARDWARE Adrien Le Masle, Wayne Luk Department of Computing, Imperial College London 180 Queen s Gate, London SW7 2BZ, UK email: {al1108,wl}@doc.ic.ac.uk ABSTRACT
More informationCryptography. Module in Autumn Term 2016 University of Birmingham. Lecturers: Mark D. Ryan and David Galindo
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 1 Cryptography Module in Autumn Term 2016 University of Birmingham Lecturers: Mark D. Ryan and David Galindo Slides originally written
More informationMulti-Instance Security and its Application to Password- Based Cryptography
Multi-Instance Security and its Application to Password- Based Cryptography Stefano Tessaro MIT Joint work with Mihir Bellare (UC San Diego) Thomas Ristenpart (Univ. of Wisconsin) Scenario: File encryption
More informationStream Ciphers And Pseudorandomness Revisited. Table of contents
Stream Ciphers And Pseudorandomness Revisited Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Stream Ciphers Stream ciphers & pseudorandom
More informationBIKE - Bit-Flipping Key Encapsulation Presented to the NIST Post-Quantum Cryptography Standardization Conference April, 13 th 2018, Fort Lauderdale, Florida, USA Authors: Nicolas Aragon Paulo S. L. M.
More informationWhen Failure Analysis Meets Side-Channel Attacks
When Failure Analysis Meets Side-Channel Attacks Jérôme DI-BATTISTA (THALES), Jean-Christophe COURREGE (THALES), Bruno ROUZEYRE (LIRMM), Lionel TORRES (LIRMM), Philippe PERDU (CNES) Outline Introduction
More informationIs Your Mobile Device Radiating Keys?
Is Your Mobile Device Radiating Keys? Benjamin Jun Gary Kenworthy Session ID: MBS-401 Session Classification: Intermediate Radiated Leakage You have probably heard of this before App Example of receiving
More informationWhy (Special Agent) Johnny (Still) Can t Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System
Why (Special Agent) Johnny (Still) Can t Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System Sandy Clark Travis Goodspeed Perry Metzger Zachary Wasserman Kevin Xu Matt Blaze Usenix
More informationCryptography, Number Theory, and RSA
Cryptography, Number Theory, and RSA Joan Boyar, IMADA, University of Southern Denmark November 2015 Outline Symmetric key cryptography Public key cryptography Introduction to number theory RSA Modular
More informationContinuous Non-Malleable Key Derivation and Its Application to Related-Key Security
Continuous Non-Malleable Key Derivation and Its Application to Related-Key Security Baodong Qin 1,2, Shengli Liu 1, Tsz Hon Yuen 3, Robert H. Deng 4, Kefei Chen 5 1. Shanghai Jiao Tong University, China
More informationPublic Key Cryptography Great Ideas in Theoretical Computer Science Saarland University, Summer 2014
7 Public Key Cryptography Great Ideas in Theoretical Computer Science Saarland University, Summer 2014 Cryptography studies techniques for secure communication in the presence of third parties. A typical
More informationA Cryptosystem Based on the Composition of Reversible Cellular Automata
A Cryptosystem Based on the Composition of Reversible Cellular Automata Adam Clarridge and Kai Salomaa Technical Report No. 2008-549 Queen s University, Kingston, Canada {adam, ksalomaa}@cs.queensu.ca
More informationNote Computations with a deck of cards
Theoretical Computer Science 259 (2001) 671 678 www.elsevier.com/locate/tcs Note Computations with a deck of cards Anton Stiglic Zero-Knowledge Systems Inc, 888 de Maisonneuve East, 6th Floor, Montreal,
More informationarxiv: v1 [cs.cr] 2 May 2016
Power Side Channels in Security ICs: Hardware Countermeasures Lu Zhang 1, Luis Vega 2, and Michael Taylor 3 Computer Science and Engineering University of California, San Diego {luzh 1, lvgutierrez 2,
More informationCorrelation Power Analysis of Lightweight Block Ciphers
Correlation Power Analysis of Lightweight Block Ciphers From Theory to Practice Alex Biryukov Daniel Dinu Johann Großschädl SnT, University of Luxembourg ESC 2017 (University of Luxembourg) CPA of Lightweight
More informationChapter 4 The Data Encryption Standard
Chapter 4 The Data Encryption Standard History of DES Most widely used encryption scheme is based on DES adopted by National Bureau of Standards (now National Institute of Standards and Technology) in
More informationOn Symmetric Key Broadcast Encryption
On Symmetric Key Broadcast Encryption Sanjay Bhattacherjee and Palash Sarkar Indian Statistical Institute, Kolkata Elliptic Curve Cryptography (This is not) 2014 Bhattacherjee and Sarkar Symmetric Key
More informationYale University Department of Computer Science
LUX ETVERITAS Yale University Department of Computer Science Secret Bit Transmission Using a Random Deal of Cards Michael J. Fischer Michael S. Paterson Charles Rackoff YALEU/DCS/TR-792 May 1990 This work
Encryption at the Speed of Light? Towards a cryptanalysis of an optical CDMA encryption scheme
Encryption at the Speed of Light? Towards a cryptanalysis of an optical CDMA encryption scheme Sharon Goldberg * Ron Menendez **, Paul R. Prucnal * *, ** Telcordia Technologies IPAM Workshop on Special
An enciphering scheme based on a card shuffle
An enciphering scheme based on a card shuffle Ben Morris Mathematics, UC Davis Joint work with Viet Tung Hoang (Computer Science, UC Davis) and Phil Rogaway (Computer Science, UC Davis). Setting Blockcipher
COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Announcements Homework 3 due tomorrow Homework 4 up Take-home midterm tentative dates: Posted 3pm am Monday 3/13 Due 1pm Wednesday
V.Sorge/E.Ritter, Handout 2
06-20008 Cryptography The University of Birmingham Autumn Semester 2015 School of Computer Science V.Sorge/E.Ritter, 2015 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel
Design of Message Authentication Code with AES and SHA-1 on FPGA
Design of Message Authentication Code with AES and SHA-1 on FPGA Kuo-Hsien Yeh, Yin-Zhen Liang Institute of Applied Information, Leader University, Tainan City, 709, Taiwan E-mail: khyeh@mail.leader.edu.tw
Generic Attacks on Feistel Schemes
Generic Attacks on Feistel Schemes Jacques Patarin 1, 1 CP8 Crypto Lab, SchlumbergerSema, 36-38 rue de la Princesse, BP 45, 78430 Louveciennes Cedex, France PRiSM, University of Versailles, 45 av. des
Cryptanalysis on short messages encrypted with M-138 cipher machine
Cryptanalysis on short messages encrypted with M-138 cipher machine Tsonka Baicheva Miroslav Dimitrov Institute of Mathematics and Informatics Bulgarian Academy of Sciences 10-14 July, 2017 Sofia Introduction
Power Analysis Based Side Channel Attack
CO411/2::Individual Project I & II Report arxiv:1801.00932v1 [cs.cr] 3 Jan 2018 Power Analysis Based Side Channel Attack Hasindu Gamaarachchi Harsha Ganegoda http://www.ce.pdn.ac.lk Department of Computer
k-nearest Neighbors Algorithm in Profiling Power Analysis Attacks
RADIOENGINEERING, VOL. 25, NO. 2, JUNE 2016 365 k-nearest Neighbors Algorithm in Profiling Power Analysis Attacks Zdenek MARTINASEK 1, Vaclav ZEMAN 1, Lukas MALINA 1, Josef MARTINASEK 2 1 Dept. of Telecommunications,
Variety of scalable shuffling countermeasures against side channel attacks
Variety of scalable shuffling countermeasures against side channel attacks Nikita Veshchikov, Stephane Fernandes Medeiros, Liran Lerman Department of computer sciences, Université libre de Bruxelles, Brussel,
Generic Attacks on Feistel Schemes
Generic Attacks on Feistel Schemes -Extended Version- Jacques Patarin PRiSM, University of Versailles, 45 av. des États-Unis, 78035 Versailles Cedex, France This paper is the extended version of the paper
Merkle's Puzzles. © Eli Biham - May 3, Merkle's Puzzles (8)
Merkle's Puzzles See: Merkle, Secrecy, Authentication, and Public Key Systems, UMI Research press, 1982 Merkle, Secure Communications Over Insecure Channels, CACM, Vol. 21, No. 4, pp. 294-299, April 1978
The Capability of Error Correction for Burst-noise Channels Using Error Estimating Code
The Capability of Error Correction for Burst-noise Channels Using Error Estimating Code Yaoyu Wang Nanjing University yaoyu.wang.nju@gmail.com June 10, 2016 Yaoyu Wang (NJU) Error correction with EEC June
TCP/IP COVERT TIMING CHANNEL: THEORY TO IMPLEMENTATION. Sarah H. Sellke, Chih-Chun Wang Saurabh Bagchi, and Ness B. Shroff
1 TCP/IP COVERT TIMING CHANNEL: THEORY TO IMPLEMENTATION Sarah H. Sellke, Chih-Chun Wang Saurabh Bagchi, and Ness B. Shroff NETWORK COVERT TIMING CHANNELS Confidential Data 1 of RECENT WORK IP Covert Timing
Investigations of Power Analysis Attacks on Smartcards
THE ADVANCED COMPUTING SYSTEMS ASSOCIATION The following paper was originally published in the USENIX Workshop on Smartcard Technology Chicago, Illinois, USA, May 10 11, 1999 Investigations of Power Analysis
Electromagnetic-based Side Channel Attacks
Electromagnetic-based Side Channel Attacks Yasmine Badr 10/28/2015 What is Side Channel Attack Any attack based on information gained from the physical implementation of a cryptosystem, rather than brute
Mobility Tolerant Broadcast in Mobile Ad Hoc Networks
Mobility Tolerant Broadcast in Mobile Ad Hoc Networks Pradip K Srimani 1 and Bhabani P Sinha 2 1 Department of Computer Science, Clemson University, Clemson, SC 29634 0974 2 Electronics Unit, Indian Statistical
DES Data Encryption standard
DES Data Encryption standard DES was developed by IBM as a modification of an earlier system Lucifer DES was adopted as a standard in 1977 Was replaced only in 2001 with AES (Advanced Encryption Standard)
Course Developer: Ranjan Bose, IIT Delhi
Course Title: Coding Theory Course Developer: Ranjan Bose, IIT Delhi Part I Information Theory and Source Coding 1. Source Coding 1.1. Introduction to Information Theory 1.2. Uncertainty and Information
Analysis of symmetric key establishment based on reciprocal channel quantization
Rochester Institute of Technology RIT Scholar Works Theses Thesis/Dissertation Collections 2010 Analysis of symmetric key establishment based on reciprocal channel quantization David Wagner Follow this
o Broken by using frequency analysis o XOR is a polyalphabetic cipher in binary
We spoke about defense challenges Crypto introduction o Secret, public algorithms o Symmetric, asymmetric crypto, one-way hashes Attacks on cryptography o Cyphertext-only, known, chosen, MITM, brute-force
DUBLIN CITY UNIVERSITY
DUBLIN CITY UNIVERSITY SEMESTER ONE EXAMINATIONS 2013 MODULE: (Title & Code) CA642 Cryptography and Number Theory COURSE: M.Sc. in Security and Forensic Computing YEAR: 1 EXAMINERS: (Including Telephone
An Architecture-Independent Instruction Shuffler to Protect against Side-Channel Attacks
An Architecture-Independent Instruction Shuffler to Protect against Side-Channel Attacks ALI GALIP BAYRAK, NIKOLA VELICKOVIC, and PAOLO IENNE, Ecole Polytechnique Fédérale de Lausanne (EPFL) WAYNE BURLESON,
PROJECT 5: DESIGNING A VOICE MODEM. Instructor: Amir Asif
PROJECT 5: DESIGNING A VOICE MODEM Instructor: Amir Asif CSE4214: Digital Communications (Fall 2012) Computer Science and Engineering, York University 1. PURPOSE In this laboratory project, you will design
Public-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 5: Cryptographic Algorithms Common Encryption Algorithms RSA
Lecture 1: Introduction
Lecture 1: Introduction Instructor: Omkant Pandey Spring 2018 (CSE390) Instructor: Omkant Pandey Lecture 1: Introduction Spring 2018 (CSE390) 1 / 13 Cryptography Most of us rely on cryptography everyday
A Fast Image Encryption Scheme based on Chaotic Standard Map
A Fast Image Encryption Scheme based on Chaotic Standard Map Kwok-Wo Wong, Bernie Sin-Hung Kwok, and Wing-Shing Law Department of Electronic Engineering, City University of Hong Kong, 83 Tat Chee Avenue,
The number theory behind cryptography
The University of Vermont May 16, 2017 What is cryptography? Cryptography is the practice and study of techniques for secure communication in the presence of adverse third parties. What is cryptography?
Differential Cryptanalysis of REDOC III
Differential Cryptanalysis of REDOC III Ken Shirriff Address: Sun Microsystems Labs, 2550 Garcia Ave., MS UMTV29-112, Mountain View, CA 94043. Ken.Shirriff@eng.sun.com Abstract: REDOC III is a recently-developed
Finding the key in the haystack
A practical guide to Differential Power hunz Zn000h AT gmail.com December 30, 2009 Introduction Setup Procedure Tunable parameters What's DPA? side channel attack introduced by Paul Kocher et al. 1998
Secure communication based on noisy input data Fuzzy Commitment schemes. Stephan Sigg
Secure communication based on noisy input data Fuzzy Commitment schemes Stephan Sigg May 24, 2011 Overview and Structure 05.04.2011 Organisational 15.04.2011 Introduction 19.04.2011 Classification methods
A Jamming-Resistant MAC Protocol for Single-Hop Wireless Networks
A Jamming-Resistant MAC Protocol for Single-Hop Wireless Networks Baruch Awerbuch Dept. of Computer Science Johns Hopkins University Baltimore, MD 21218, USA baruch@cs.jhu.edu Andrea Richa Dept. of Computer
Mathematics Explorers Club Fall 2012 Number Theory and Cryptography
Mathematics Explorers Club Fall 2012 Number Theory and Cryptography Chapter 0: Introduction Number Theory enjoys a very long history in short, number theory is a study of integers. Mathematicians over
On the Complexity of Broadcast Setup
On the Complexity of Broadcast Setup Martin Hirt, Pavel Raykov ETH Zurich, Switzerland {hirt,raykovp}@inf.ethz.ch July 5, 2013 Abstract Byzantine broadcast is a distributed primitive that allows a specific
Prevention of Selective Jamming Attack Using Cryptographic Packet Hiding Methods
Prevention of Selective Jamming Attack Using Cryptographic Packet Hiding Methods S.B.Gavali 1, A. K. Bongale 2 and A.B.Gavali 3 1 Department of Computer Engineering, Dr.D.Y.Patil College of Engineering,
DEEJAM: Defeating Energy-Efficient Jamming in IEEE 802.15.4-based Wireless Networks
DEEJAM: Defeating Energy-Efficient Jamming in IEEE 802.15.4-based Wireless Networks Anthony D. Wood, John A. Stankovic, Gang Zhou Department of Computer Science University of Virginia Wireless Sensor Networks
Wireless Sensor Networks
DEEJAM: Defeating Energy-Efficient Jamming in IEEE 802.15.4-based Wireless Networks Anthony D. Wood, John A. Stankovic, Gang Zhou Department of Computer Science University of Virginia June 19, 2007 Wireless
Implementation and Performance Testing of the SQUASH RFID Authentication Protocol
Implementation and Performance Testing of the SQUASH RFID Authentication Protocol Philip Koshy, Justin Valentin and Xiaowen Zhang * Department of Computer Science College of Staten Island, Staten Island, New York,
Universiteit Leiden Opleiding Informatica
Universiteit Leiden Opleiding Informatica An Analysis of Dominion Name: Roelof van der Heijden Date: 29/08/2014 Supervisors: Dr. W.A. Kosters (LIACS), Dr. F.M. Spieksma (MI) BACHELOR THESIS Leiden Institute
FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware
FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware Begül Bilgin, Andrey Bogdanov, Miroslav Knežević, Florian Mendel, and Qingju Wang DIAC 2013, Chicago 1 Side
NEW FINDINGS ON RFID AUTHENTICATION SCHEMES AGAINST DE-SYNCHRONIZATION ATTACK. Received March 2011; revised July 2011
International Journal of Innovative Computing, Information and Control ICIC International © 2012 ISSN 1349-4198 Volume 8, Number 7(A), July 2012 pp. 4431 4449 NEW FINDINGS ON RFID AUTHENTICATION SCHEMES
II. RC4 Cryptography is the art of communication protection. This art is scrambling a message so it cannot be clear; it
Enhancement of RC4 Algorithm using PUF * Ziyad Tariq Mustafa Al-Ta'i, * Dhahir Abdulhade Abdullah, Saja Talib Ahmed *Department of Computer Science - College of Science - University of Diyala - Iraq Abstract:
IMPROVING CPA ATTACK AGAINST DSA AND ECDSA
Journal of ELECTRICAL ENGINEERING, VOL. 66, NO. 3, 2015, 159 163 IMPROVING CPA ATTACK AGAINST DSA AND ECDSA Marek Repka Michal Varchola Miloš Drutarovský In this work, we improved Correlation Power Analysis
Journal of Discrete Mathematical Sciences & Cryptography Vol. ( ), No., pp. 1 10
Dynamic extended DES Yi-Shiung Yeh 1, I-Te Chen 2, Ting-Yu Huang 1, Chan-Chi Wang 1, 1 Department of Computer Science and Information Engineering National Chiao-Tung University 1001 Ta-Hsueh Road, HsinChu