On the importance of checking cryptographic protocols for faults (extended abstract) (1997)

by D. Boneh, R. A. DeMillo, R. J. Lipton
Venue: LNCS

Results 1 - 10 of 405

Differential Power Analysis

by Paul Kocher, Joshua Jaffe, Benjamin Jun, 1999
Cited by 1121 (7 self)
Cryptosystem designers frequently assume that secrets will be manipulated in closed, reliable computing environments. Unfortunately, actual computers and microchips leak information about the operations they process. This paper examines specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. We also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information.

Universally composable security: A new paradigm for cryptographic protocols

by Ran Canetti, 2013
Cited by 833 (37 self)
We present a general framework for representing cryptographic protocols and analyzing their security. The framework allows specifying the security requirements of practically any cryptographic task in a unified and systematic way. Furthermore, in this framework the security of protocols is preserved under a general protocol composition operation, called universal composition. The proposed framework with its security-preserving composition operation allows for modular design and analysis of complex cryptographic protocols from relatively simple building blocks. Moreover, within this framework, protocols are guaranteed to maintain their security in any context, even in the presence of an unbounded number of arbitrary protocol instances that run concurrently in an adversarially controlled manner. This is a useful guarantee that allows arguing about the security of cryptographic protocols in complex and unpredictable environments such as modern communication networks.

Differential Fault Analysis of Secret Key Cryptosystems

by Eli Biham, Adi Shamir, 1997
Cited by 315 (3 self)
In September 1996 Boneh, DeMillo, and Lipton from Bellcore announced a new type of cryptanalytic attack which exploits computational errors to find cryptographic keys. Their attack is based on algebraic properties of modular arithmetic, and thus it is applicable only to public key cryptosystems such as RSA, and not to secret key algorithms such as the Data Encryption Standard (DES). In this paper, we describe a related attack, which we call Differential Fault Analysis, or DFA, and show that it is applicable to almost any secret key cryptosystem proposed so far in the open literature. Our DFA attack can use various fault models and various cryptanalytic techniques to recover the cryptographic secrets hidden in the tamper-resistant device. In particular, we have demonstrated that under the same hardware fault model used by the Bellcore researchers, we can extract the full DES key from a sealed tamper-resistant DES encryptor by analyzing between 50 and 200 ciphertexts generated from unknown but related plaintexts. In the second part of the paper we develop techniques to identify the keys of completely unknown ciphers (such as SkipJack) sealed in tamper-resistant devices, and to reconstruct the complete specification of DES-like unknown ciphers. In the last part of the paper, we consider a different fault model, based on permanent hardware faults, and show that it can be used to break DES by analyzing a small number of ciphertexts generated from completely unknown and unrelated plaintexts.

Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems

by Stephen A. Weis, Sanjay E. Sarma, Ronald L. Rivest, Daniel W. Engels, 2003
Cited by 311 (5 self)
Like many technologies, low-cost Radio Frequency Identification (RFID) systems will become pervasive in our daily lives when affixed to everyday consumer items as "smart labels". While yielding great productivity gains, RFID systems may create new threats to the security and privacy of individuals or organizations. This paper presents a brief description of RFID systems and their operation. We describe privacy and security risks and how they apply to the unique setting of low-cost RFID devices. We propose several security mechanisms and suggest areas for future research.

Remote Timing Attacks are Practical

by David Brumley, Dan Boneh
Cited by 248 (4 self)
Timing attacks are usually used to attack weak computing devices such as smartcards. We show that timing attacks apply to general software systems. Specifically, we devise a timing attack against OpenSSL. Our experiments show that we can extract private keys from an OpenSSL-based web server running on a machine in the local network. Our results demonstrate that timing attacks against network servers are practical and therefore security systems should defend against them.

Design principles for Tamper-Resistant Smartcard Processors

by Oliver Kömmerling, Markus G. Kuhn, 1999
Cited by 192 (0 self)
Abstract not found

Citation Context

...can also aim to corrupt data values as they are transferred between registers and memory. Of the many fault-induction attack techniques on smartcards that have been discussed in the recent literature [11, 12, 16, 17, 18], it has been our experience that glitch attacks are the ones most useful in practical attacks. We are currently aware of three techniques for creating fairly reliable malfunctions that affect only a ...

The Elliptic Curve Digital Signature Algorithm (ECDSA)

by Don Johnson, Alfred Menezes, 1999
Cited by 183 (5 self)
The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the Digital Signature Algorithm (DSA). It was accepted in 1999 as an ANSI standard, and was accepted in 2000 as IEEE and NIST standards. It was also accepted in 1998 as an ISO standard, and is under consideration for inclusion in some other ISO standards. Unlike the ordinary discrete logarithm problem and the integer factorization problem, no subexponential-time algorithm is known for the elliptic curve discrete logarithm problem. For this reason, the strength-per-key-bit is substantially greater in an algorithm that uses elliptic curves. This paper describes the ANSI X9.62 ECDSA, and discusses related security, implementation, and interoperability issues. Keywords: Signature schemes, elliptic curve cryptography, DSA, ECDSA.

Citation Context

...ATION ATTACKS. ANSI X9.62 does not address attacks that could be launched against implementations of ECDSA such as timing attacks (Kocher [53]), differential fault analysis (Boneh, DeMillo and Lipton [13]), differential power analysis (Kocher, Jaffe and Jun [54]), and attacks which exploit weak random or pseudorandom number generators (Kelsey et al. [48]). 9 Implementation Considerations Before implem...

Twenty years of attacks on the RSA cryptosystem.

by Dan Boneh - Notices of the AMS, 1999
Cited by 173 (3 self)
Abstract not found

Citation Context

...N, where T1 ≡ 1 (mod p), T1 ≡ 0 (mod q) and T2 ≡ 0 (mod p), T2 ≡ 1 (mod q). The running time of the last CRT step is negligible compared to the two exponentiations. Note that p and q are half the length of N. Since simple implementations of multiplication take quadratic time, multiplication modulo p is four times faster than modulo N. Furthermore, d_p is half the length of d, and consequently computing M^(d_p) mod p is eight times faster than computing M^d mod N. Overall signature time is thus reduced by a factor of four. Many implementations use this method to improve performance. Boneh, DeMillo, and Lipton [3] observed that there is an inherent danger in using the CRT method. Suppose that while generating a signature, a glitch on Bob's computer causes it to miscalculate in a single instruction. For instance, while copying a register from one location to another, one of the bits is flipped. (A glitch may be caused by ambient electromagnetic interference or perhaps by a rare hardware bug, like the one found in an early version of the Pentium chip.) Given an invalid signature, Marvin can easily factor Bob's modulus N. We present a version of the attack as described by A. K. Lenstra. Suppose a single e...

Leakage-resilient cryptography

by Stefan Dziembowski, Krzysztof Pietrzak - In Proceedings of the 49th IEEE Symposium on Foundations of Computer Science, 2008
Cited by 143 (9 self)
We construct a stream-cipher S whose implementation is secure even if a bounded amount of arbitrary (adversarially chosen) information on the internal state of S is leaked during computation. This captures all possible side-channel attacks on S where the amount of information leaked in a given period is bounded, but overall can be arbitrarily large. The only other assumption we make on the implementation of S is that only data that is accessed during computation leaks information. The stream-cipher S generates its output in chunks K_1, K_2, ..., and arbitrary but bounded information leakage is modeled by allowing the adversary to adaptively choose a function f_ℓ : {0,1}^* → {0,1}^λ before K_ℓ is computed; she then gets f_ℓ(τ_ℓ), where τ_ℓ is the internal state of S that is accessed during the computation of K_ℓ. One notion of security we prove for S is that K_ℓ is indistinguishable from random when given K_1, ..., K_{ℓ-1}, f_1(τ_1), ..., f_{ℓ-1}(τ_{ℓ-1}) and also the complete internal state of S after K_ℓ has been computed (i.e. S is forward-secure). The construction is based on alternating extraction (used in the intrusion-resilient secret-sharing scheme from FOCS'07). We move this concept to the computational setting by proving a lemma that states that the output of any PRG has high HILL pseudoentropy (i.e. is indistinguishable from some distribution with high min-entropy) even if arbitrary information about the seed is leaked. The amount of leakage λ that we can tolerate in each step depends on the strength of the underlying PRG; it is at least logarithmic, but can be as large as a constant fraction of the internal state of S if the PRG is exponentially hard.

Citation Context

...o observe leakage from the computation. In active attacks, which are not the subject of this paper, one considers adversaries which intentionally introduce errors in the computation of a cryptodevice [5, 4]. Provable Security & Side-Channel Attacks? Clearly, this situation cannot be satisfying from a cryptographic point of view. What are our beautiful provably secure cryptosystems good for, when ultimat...

Private Circuits: Securing Hardware against Probing Attacks

by Yuval Ishai, Amit Sahai, David Wagner - In Proceedings of CRYPTO 2003, 2003
Cited by 128 (7 self)
Can you guarantee secrecy even if an adversary can eavesdrop on your brain? We consider the problem of protecting privacy in circuits, when faced with an adversary that can access a bounded number of wires in the circuit. This question is motivated by side channel attacks, which allow an adversary to gain partial access to the inner workings of hardware. Recent work has shown that side channel attacks pose a serious threat to cryptosystems implemented in embedded devices. In this paper, we develop theoretical foundations for security against side channels. In particular, we propose several efficient techniques for building private circuits resisting this type of attack. We initiate a systematic study of the complexity of such private circuits, and in contrast to most prior work in this area provide a formal threat model and give proofs of security for our constructions.

Citation Context

...nd Reyzin [28], who put forward a very general model for side channel attacks. Another natural extension of the problem studied in this work is to allowing additional protection against fault attacks [7, 26]. Similarly to our problem, solutions to this more general problem can be based on existing protocols from the MPC literature. However, even the most efficient of these (e.g., [22]) are still quite in...


Developed at and hosted by The College of Information Sciences and Technology

© 2007-2019 The Pennsylvania State University