Chris Hall

Side channel cryptanalysis of product ciphers

Building on the work of Kocher (1996), Jaffe and Yun (1998), we discuss the notion of side-channel cryptanalysisc cryptanalysis using implementation data. We discuss the notion of side-channel attacks and the vulnerabilities they introduce, demonstrate side-channel attacks against three product ciphers - timing attack against IDEA, processor-flag attack against RC5, and Hamming weight attack against DES - and then generalize our research to other cryptosystems.

Cryptanalytic Attacks on Pseudorandom Number Generators

In this paper we discuss PRNGs: the mechanisms used by real-world secure systems to generate cryptographic keys, initialization vectors, random nonces, and other values assumed to be random. We argue that PRNGs are their own unique type of cryptographic primitive, and should be analyzed as such. We propose a model for PRNGs, discuss possible attacks against this model, and demonstrate the applicability of the model (and our attacks) to four real-world PRNGs. We close with a discussion of lessons learned about PRNG design and use, and a few open questions.

Side Channel Cryptanalysis of Product Ciphers

Building on the work of Kocher [Koc96], we introduce the notion of side-channel cryptanalysis: cryptanalysis using implementation data. We discuss the notion of side-channel attacks and the vulnerabilities they introduce, demonstrate side-channel attacks against three product ciphers—timing attack against IDEA, processor-flag attack against RC5, and Hamming weight attack against DES—and then generalize our research to other cryptosystems.

Secure Applications of Low-Entropy Keys

We introduce the notion of key stretching, a mechanism to convert short s-bit keys into longer keys, such that the complexity required to brute-force search a s + t-bit keyspace is the same as the time required to brute-force search a s-bit key stretched by t bits.

Reaction Attacks against several Public-Key Cryptosystems

We present attacks against the McEliece Public-Key Cryptosystem, the Atjai-Dwork Public-Key Cryptosystem, and variants of those systems. Most of these systems base their security on the apparent intractibility of one or more problems. The attacks we present do not violate the intractibility of the underlying problems, but instead obtain information about the private key or plaintext by watching the reaction of someone decrypting a given ciphertext with the private key. In the case of the McEliece system we must repeat the attack for each ciphertext we wish to decrypt, whereas for the Ajtai-Dwork system we are able to recover the private key.

Remote electronic gambling

We examine the problem of putting a casino on the Internet. We discuss fairly generating random bits and permutations for use in casino games, protecting against player/player and player/dealer collusions, and ensuring a secure audit trail that both the player and dealer can use to ensure the payment of debts. We conclude with a series of open problems.

An authenticated camera

We develop protocols for an authenticated camera that allows people to verify that a given digital image was taken by a specific camera at a specific time and specific place. These protocols require interaction between the camera and base station both before and after a series of images are taken.

On the Twofish Key Schedule

Twofish is a new block cipher with a 128 bit block, and a key length of 128, 192, or 256 bits, which has been submitted as an AES candidate. In this paper, we briefly review the structure of Twofish, and then discuss the key schedule of Twofish, and its resistance to attack. We close with some open questions on the security of Twofishs key schedule.

An improved e-mail security protocol

Current e-mail security systems base their security on the secrecy of the long-term private key. If this private key is ever compromised, an attacker can decrypt any messages-past, present or future-encrypted with the corresponding public key. The system described in this paper uses short-term private-key/public-key key pairs to reduce the magnitude of this vulnerability.