Results 11-20 of 635
Leakage-resilient cryptography
In Proceedings of the 49th IEEE Symposium on Foundations of Computer Science, 2008
Abstract

Cited by 147 (9 self)
We construct a stream-cipher S whose implementation is secure even if a bounded amount of arbitrary (adversarially chosen) information on the internal state of S is leaked during computation. This captures all possible side-channel attacks on S where the amount of information leaked in a given period is bounded, but overall can be arbitrarily large. The only other assumption we make on the implementation of S is that only data that is accessed during computation leaks information. The stream-cipher S generates its output in chunks K_1, K_2, ..., and arbitrary but bounded information leakage is modeled by allowing the adversary to adaptively choose a function f_ℓ: {0,1}^* → {0,1}^λ before K_ℓ is computed; she then gets f_ℓ(τ_ℓ), where τ_ℓ is the internal state of S that is accessed during the computation of K_ℓ. One notion of security we prove for S is that K_ℓ is indistinguishable from random when given K_1, ..., K_{ℓ−1}, f_1(τ_1), ..., f_{ℓ−1}(τ_{ℓ−1}) and also the complete internal state of S after K_ℓ has been computed (i.e. S is forward-secure). The construction is based on alternating extraction (used in the intrusion-resilient secret-sharing scheme from FOCS’07). We move this concept to the computational setting by proving a lemma that states that the output of any PRG has high HILL pseudoentropy (i.e. is indistinguishable from some distribution with high min-entropy) even if arbitrary information about the seed is leaked. The amount of leakage λ that we can tolerate in each step depends on the strength of the underlying PRG; it is at least logarithmic, but can be as large as a constant fraction of the internal state of S if the PRG is exponentially hard.
Serpent: A Proposal for the Advanced Encryption Standard
Abstract

Cited by 122 (4 self)
We propose a new block cipher as a candidate for the Advanced Encryption Standard. Its design is highly conservative, yet still allows a very efficient implementation. It uses S-boxes similar to those of DES in a new structure that simultaneously allows a more rapid avalanche, a more efficient bitslice implementation, and an easy analysis that enables us to demonstrate its security against all known types of attack. With a 128-bit block size and a 256-bit key, it is as fast as DES on the market-leading Intel Pentium/MMX platforms (and at least as fast on many others); yet we believe it to be more secure than three-key triple-DES.

1 Introduction

For many applications, the Data Encryption Standard algorithm is nearing the end of its useful life. Its 56-bit key is too small, as shown by a recent distributed key search exercise [28]. Although triple-DES can solve the key length problem, the DES algorithm was also designed primarily for hardware encryption, yet the great majori...
Simultaneous hardcore bits and cryptography against memory attacks
In TCC, 2009
Abstract

Cited by 116 (11 self)
This paper considers two questions in cryptography. Cryptography Secure Against Memory Attacks. A particularly devastating side-channel attack against cryptosystems, termed the “memory attack”, was proposed recently. In this attack, a significant fraction of the bits of a secret key of a cryptographic algorithm can be measured by an adversary if the secret key is ever stored in a part of memory which can be accessed even after power has been turned off for a short amount of time. Such an attack has been shown to completely compromise the security of various cryptosystems in use, including the RSA cryptosystem and AES. We show that the public-key encryption scheme of Regev (STOC 2005), and the identity-based encryption scheme of Gentry, Peikert and Vaikuntanathan (STOC 2008) are remarkably robust against memory attacks where the adversary can measure a large fraction of the bits of the secret-key, or more generally, can compute an arbitrary function of the secret-key of bounded output length. This is done without increasing the size of the secret-key, and without introducing any
On the Concurrent Composition of Zero-Knowledge Proofs
In EuroCrypt 99, Springer LNCS 1592, 1999
Abstract

Cited by 115 (3 self)
We examine the concurrent composition of zero-knowledge proofs. By concurrent composition, we indicate a single prover that is involved in multiple, simultaneous zero-knowledge proofs with one or multiple verifiers. Under this type of composition it is believed that standard zero-knowledge protocols are no longer zero-knowledge. We show that, modulo certain complexity assumptions, any statement in NP has k^ε-round proofs and arguments in which one can efficiently simulate any k^{O(1)} concurrent executions of the protocol.
Overshadow: A Virtualization-Based Approach to Retrofitting Protection in Commodity Operating Systems
In: Proc. of the 13th Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), 2008
Abstract

Cited by 100 (1 self)
Commodity operating systems entrusted with securing sensitive data are remarkably large and complex, and consequently, frequently prone to compromise. To address this limitation, we introduce a virtual-machine-based system called Overshadow that protects the privacy and integrity of application data, even in the event of a total OS compromise. Overshadow presents an application with a normal view of its resources, but the OS with an encrypted view. This allows the operating system to carry out the complex task of managing an application’s resources, without allowing it to read or modify them. Thus, Overshadow offers a last line of defense for application data. Overshadow builds on multi-shadowing, a novel mechanism that presents different views of “physical” memory, depending on the context performing the access. This primitive offers an additional dimension of protection beyond the hierarchical protection domains implemented by traditional operating systems and processor architectures. We present the design and implementation of Overshadow and show how its new protection semantics can be integrated with existing systems. Our design has been fully implemented and used to protect a wide range of unmodified legacy applications running on an unmodified Linux operating system. We evaluate the performance of our implementation, demonstrating that this approach is practical.
Public-Key Cryptosystems Resilient to Key Leakage
Abstract

Cited by 89 (6 self)
Most of the work in the analysis of cryptographic schemes is concentrated in abstract adversarial models that do not capture side-channel attacks. Such attacks exploit various forms of unintended information leakage, which is inherent to almost all physical implementations. Inspired by recent side-channel attacks, especially the “cold boot attacks” of Halderman et al. (USENIX Security ’08), Akavia, Goldwasser and Vaikuntanathan (TCC ’09) formalized a realistic framework for modeling the security of encryption schemes against a wide class of side-channel attacks in which adversarially chosen functions of the secret key are leaked. In the setting of public-key encryption, Akavia et al. showed that Regev’s lattice-based scheme (STOC ’05) is resilient to any leakage of
An Information-Theoretic Model for Adaptive Side-Channel Attacks
CCS'07, 2007
Abstract

Cited by 85 (8 self)
We present a model of adaptive side-channel attacks which we combine with information-theoretic metrics to quantify the information revealed to an attacker. This allows us to express an attacker’s remaining uncertainty about a secret as a function of the number of side-channel measurements made. We present algorithms and approximation techniques for computing this measure. We also give examples of how they can be used to analyze the resistance of hardware implementations of cryptographic functions to both timing and power attacks.
Theoretical Use of Cache Memory as a Cryptanalytic Side-Channel
2002
Abstract

Cited by 78 (1 self)
We expand on the idea, proposed by Kelsey et al. [14], of cache memory being used as a side-channel which leaks information during the run of a cryptographic algorithm. By using this side-channel, an attacker may be able to reveal or narrow the possible values of secret information held on the target device. We describe an attack which encrypts 2 chosen plaintexts on the target processor in order to collect cache profiles and then performs around 2 computational steps to recover the key. As well as describing and simulating the theoretical attack, we discuss how hardware and algorithmic alterations can be used to defend against such techniques.
A leakage-resilient mode of operation
In EUROCRYPT, 2009
Abstract

Cited by 77 (5 self)
A weak pseudorandom function (wPRF) is a pseudorandom function with a relaxed security requirement, where one only requires the output to be pseudorandom when queried on random (and not adversarially chosen) inputs. We show that unlike standard PRFs, wPRFs are secure against memory attacks, that is, they remain secure even if a bounded amount of information about the secret key is leaked to the adversary. As an application of this result we propose a simple mode of operation which – when instantiated with any wPRF – gives a leakage-resilient stream-cipher. Such a cipher is secure against any side-channel attack, as long as the amount of information leaked per round is bounded, but overall can be arbitrarily large. This construction is simpler than the only previous one (Dziembowski-Pietrzak FOCS’08) as it only uses a single primitive (a wPRF) in a straightforward manner.
A Practical Implementation of the Timing Attack
1998
Abstract

Cited by 76 (3 self)
When the running time of a cryptographic algorithm is non-constant, timing measurements can leak information about the secret key. This idea, first publicly introduced by Kocher, is developed here to attack an earlier version of the CASCADE smart card. We propose several improvements on Kocher's ideas, leading to a practical implementation that is able to break a 512-bit key in a few hours, provided we are able to collect 300 000 timing measurements (128-bit keys can be recovered in a few seconds using a personal computer and less than 10 000 samples). We therefore show that the timing attack represents an important threat against cryptosystems, which must be very seriously taken into account.