Side channel cryptanalysis of product ciphers (2000)

by J Kelsey, B Schneier, D Wagner, C Hall
Venue:Journal of Computer Security
Add To MetaCart
Results 1 - 10 of 109

R.H.: Examining smart-card security under the threat of power analysis attacks.

by T S Messerges, E A Dabbish, Sloan - IEEE Trans. Comput. , 2002
"... ..."
Abstract - Cited by 164 (0 self) - Add to MetaCart
Abstract not found
(Show Context)

Leakage-resilient cryptography

by Stefan Dziembowski, La Sapienza, Krzysztof Pietrzak - In Proceedings of the 49th IEEE Symposium on Foundation of Computer Science , 2008
"... We construct a stream-cipher S whose implementation is secure even if a bounded amount of arbitrary (adversarially chosen) information on the internal state of S is leaked dur-ing computation. This captures all possible side-channel attacks on S where the amount of information leaked in a given peri ..."
Abstract - Cited by 143 (9 self) - Add to MetaCart
We construct a stream-cipher S whose implementation is secure even if a bounded amount of arbitrary (adversarially chosen) information on the internal state of S is leaked dur-ing computation. This captures all possible side-channel attacks on S where the amount of information leaked in a given period is bounded, but overall can be arbitrary large. The only other assumption we make on the implementation of S is that only data that is accessed during computation leaks information. The stream-cipher S generates its output in chunks K1,K2,..., and arbitrary but bounded information leak-age is modeled by allowing the adversary to adaptively chose a function fℓ: {0, 1} ∗ → {0, 1}λ before Kℓ is computed, she then gets fℓ(τℓ) where τℓ is the internal state of S that is accessed during the computation of Kℓ. One notion of security we prove for S is that Kℓ is in-distinguishable from random when given K1,...,Kℓ−1, f1(τ1),..., fℓ−1(τℓ−1) and also the complete internal state of S after Kℓ has been computed (i.e. S is forward-secure). The construction is based on alternating extraction (used in the intrusion-resilient secret-sharing scheme from FOCS’07). We move this concept to the computational set-ting by proving a lemma that states that the output of any PRG has high HILL pseudoentropy (i.e. is indistinguishable from some distribution with high min-entropy) even if arbi-trary information about the seed is leaked. The amount of leakage λ that we can tolerate in each step depends on the strength of the underlying PRG, it is at least logarithmic, but can be as large as a constant fraction of the internal state of S if the PRG is exponentially hard. 1.
(Show Context)

Cache Attacks and Countermeasures: the Case of AES

by Dag Arne Osvik, Adi Shamir, Eran Tromer - Topics in Cryptology - CT-RSA 2006, The Cryptographers’ Track at the RSA Conference 2006 , 2005
"... We describe several software side-channel attacks based on inter-process leakage through the state of the CPU's memory cache. This leakage reveals memory access patterns, which can be used for cryptanalysis of cryptographic primitives that employ data-dependent table lookups. The attacks all ..."
Abstract - Cited by 142 (8 self) - Add to MetaCart
We describe several software side-channel attacks based on inter-process leakage through the state of the CPU's memory cache. This leakage reveals memory access patterns, which can be used for cryptanalysis of cryptographic primitives that employ data-dependent table lookups. The attacks allow an unprivileged process to attack other processes running in parallel on the same processor, despite partitioning methods such as memory protection, sandboxing and virtualization. Some of our methods require only the ability to trigger services that perform encryption or MAC using the unknown key, such as encrypted disk partitions or secure network links. Moreover, we demonstrate an extremely strong type of attack, which requires knowledge of neither the specific plaintexts nor ciphertexts, and works by merely monitoring the e#ect of the cryptographic process on the cache.
(Show Context)

Cache-timing attacks on AES

by Daniel J. Bernstein , 2005
"... Abstract. This paper warns against the use of S-boxes in cryptography. In particular, this paper shows that a simple cache-timing attack against AES software reveals some key bits; this paper also discusses some of the obstacles to constant-time array access on modern CPUs. ..."
Abstract - Cited by 136 (3 self) - Add to MetaCart
Abstract. This paper warns against the use of S-boxes in cryptography. In particular, this paper shows that a simple cache-timing attack against AES software reveals some key bits; this paper also discusses some of the obstacles to constant-time array access on modern CPUs.

Private Circuits: Securing Hardware against Probing Attacks

by Yuval Ishai, Amit Sahai, David Wagner - In Proceedings of CRYPTO 2003 , 2003
"... Abstract. Can you guarantee secrecy even if an adversary can eavesdrop on your brain? We consider the problem of protecting privacy in circuits, when faced with an adversary that can access a bounded number of wires in the circuit. This question is motivated by side channel attacks, which allow an a ..."
Abstract - Cited by 128 (7 self) - Add to MetaCart
Abstract. Can you guarantee secrecy even if an adversary can eavesdrop on your brain? We consider the problem of protecting privacy in circuits, when faced with an adversary that can access a bounded number of wires in the circuit. This question is motivated by side channel attacks, which allow an adversary to gain partial access to the inner workings of hardware. Recent work has shown that side channel attacks pose a serious threat to cryptosystems implemented in embedded devices. In this paper, we develop theoretical foundations for security against side channels. In particular, we propose several efficient techniques for building private circuits resisting this type of attacks. We initiate a systematic study of the complexity of such private circuits, and in contrast to most prior work in this area provide a formal threat model and give proofs of security for our constructions.

Reclaiming Space from Duplicate Files in a Serverless Distributed File System

by John R. Douceur, Atul Adya, William J. Bolosky, Dan Simon, Marvin Theimer - In Proceedings of 22nd International Conference on Distributed Computing Systems (ICDCS , 2002
"... The Farsite distributed file system provides availability by replicating each file onto multiple desktop computers. Since this replication consumes significant storage space, it is important to reclaim used space where possible. Measurement of over 500 desktop file systems shows that nearly half of ..."
Abstract - Cited by 98 (3 self) - Add to MetaCart
The Farsite distributed file system provides availability by replicating each file onto multiple desktop computers. Since this replication consumes significant storage space, it is important to reclaim used space where possible. Measurement of over 500 desktop file systems shows that nearly half of all consumed space is occupied by duplicate files. We present a mechanism to reclaim space from this incidental duplication to make it available for controlled file replication. Our mechanism includes 1) convergent encryption, which enables duplicate files to coalesced into the space of a single file, even if the files are encrypted with different users' keys, and 2) SALAD, a SelfArranging, Lossy, Associative Database for aggregating file content and location information in a decentralized, scalable, fault-tolerant manner. Large-scale simulation experiments show that the duplicate-file coalescing system is scalable, highly effective, and fault-tolerant.
(Show Context)

Survey and Benchmark of Block Ciphers for Wireless Sensor Networks

by Yee Wei Law, Jeroen Doumen, Pieter Hartel - ACM Transactions on Sensor Networks , 2004
"... Choosing the most storage- and energy-e#cient block cipher specifically for wireless sensor networks (WSNs) is not as straightforward as it seems. To our knowledge so far, there is no systematic evaluation framework for the purpose. In this paper, we have identified the candidates of block ciphe ..."
Abstract - Cited by 89 (1 self) - Add to MetaCart
Choosing the most storage- and energy-e#cient block cipher specifically for wireless sensor networks (WSNs) is not as straightforward as it seems. To our knowledge so far, there is no systematic evaluation framework for the purpose. In this paper, we have identified the candidates of block ciphers suitable for WSNs based on existing literature.
(Show Context)

Theoretical Use of Cache Memory as a Cryptanalytic Side-Channel

by D. Page , 2002
"... We expand on the idea, proposed by Kelsey et al. [14], of cache memory being used as a side-channel which leaks information during the run of a cryptographic algorithm. By using this side-channel, an attacker may be able to reveal or narrow the possible values of secret information held on the ta ..."
Abstract - Cited by 78 (1 self) - Add to MetaCart
We expand on the idea, proposed by Kelsey et al. [14], of cache memory being used as a side-channel which leaks information during the run of a cryptographic algorithm. By using this side-channel, an attacker may be able to reveal or narrow the possible values of secret information held on the target device. We describe an attack which encrypts 2 chosen plaintexts on the target processor in order to collect cache profiles and then performs around 2 computational steps to recover the key. As well as describing and simulating the theoretical attack, we discuss how hardware and algorithmic alterations can be used to defend against such techniques.

A leakage-resilient mode of operation

by Krzysztof Pietrzak - In EUROCRYPT , 2009
"... Abstract. A weak pseudorandom function (wPRF) is a pseudorandom functions with a relaxed security requirement, where one only requires the output to be pseudorandom when queried on random (and not adversarially chosen) inputs. We show that unlike standard PRFs, wPRFs are secure against memory attack ..."
Abstract - Cited by 76 (5 self) - Add to MetaCart
Abstract. A weak pseudorandom function (wPRF) is a pseudorandom functions with a relaxed security requirement, where one only requires the output to be pseudorandom when queried on random (and not adversarially chosen) inputs. We show that unlike standard PRFs, wPRFs are secure against memory attacks, that is they remain secure even if a bounded amount of information about the secret key is leaked to the adversary. As an application of this result we propose a simple mode of operation which – when instantiated with any wPRF – gives a leakage-resilient stream-cipher. Such a cipher is secure against any side-channel attack, as long as the amount of information leaked per round is bounded, but overall can be arbitrary large. This construction is simpler than the only previous one (Dziembowski-Pietrzak FOCS’08) as it only uses a single primitive (a wPRF) in a straight forward manner. 1
(Show Context)

Investigations of power analysis attacks on smartcards

by Thomas S. Messerges, Ezzy A. Dabbish, Robert H. Sloan, Thomas S. Messerges, Ezzy A. Dabbish, Robert H. Sloan - In USENIX Workshop on Smartcard Technology , 1999
"... Rights to individual papers remain with the author or the author's employer. Permission is granted for noncommercial reproduction of the work for educational or research purposes. This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. For more ..."
Abstract - Cited by 70 (0 self) - Add to MetaCart
Rights to individual papers remain with the author or the author's employer. Permission is granted for noncommercial reproduction of the work for educational or research purposes. This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. For more information about the USENIX Association:
(Show Context)