Emilia Käsper

Fast elliptic curve cryptography in OpenSSL

We present a 64-bit optimized implementation of the NIST and SECG-standardized elliptic curve P-224. Our implementation is fully integrated into OpenSSL 1.0.1: full TLS handshakes using a 1024-bit RSA certificate and ephemeral Elliptic Curve Diffie-Hellman key exchange over P-224 now run at twice the speed of standard OpenSSL, while atomic elliptic curve operations are up to 4 times faster. In addition, our implementation is immune to timing attacks--most notably, we show how to do small table look-ups in a cache-timing resistant way, allowing us to use precomputation. To put our results in context, we also discuss the various security-performance trade-offs available to TLS applications.

Distinguishers for the compression function and output transformation of hamsi-256

Hamsi is one of 14 remaining candidates in NISTs Hash Competition for the future hash standard SHA-3. Until now, little analysis has been published on its resistance to differential cryptanalysis, the main technique used to attack hash functions. We present a study of Hamsis resistance to differential and higher-order differential cryptanalysis, with focus on the 256-bit version of Hamsi. Our main results are efficient distinguishers and near-collisions for its full (3-round) compression function, and distinguishers for its full (6-round) finalization function, indicating that Hamsis building blocks do not behave ideally.

Correlated keystreams in MOUSTIQUE

Moustique is one of the sixteen finalists in the eSTREAM stream cipher project. Unlike the other finalists it is a self-synchronising cipher and therefore offers very different functional properties, compared to the other candidates. We present simple related-key phenomena in Moustique that lead to the generation of strongly correlated keystreams and to powerful key-recovery attacks. Our best key-recovery attack requires only 238 steps in the related-key scenario. Since the relevance of related-key properties is sometimes called into question, we also show how the described effects can help speed up exhaustive search (without related keys), thereby reducing the effective key length of Moustique from 96 bits to 90 bits.

Efficient simultaneous broadcast

We present an efficient simultaneous broadcast protocol ν-SimCast that allows n players to announce independently chosen values, even if up to t < n/2 players are corrupt. Independence is guaranteed in the partially synchronous communication model, where communication is structured into rounds, while each round is asynchronous. The ν-SimCast protocol is more efficient than previous constructions. For repeated executions, we reduce the communication and computation complexity by a factor O(n). Combined with a deterministic extractor, ν-SimCast provides a particularly efficient solution for distributed coin-flipping. The protocol does not require any zero-knowledge proofs and is shown to be secure in the standard model under the Decisional Diffie Hellman assumption.