Helena Handschuh

Selected Areas in Cryptography

Stream Cipher Cryptanalysis.- An Improved Correlation Attack on A5/1.- Extending the Resynchronization Attack.- A New Simple Technique to Attack Filter Generators and Related Ciphers.- Side-Channel Analysis.- On XTR and Side-Channel Analysis.- Provably Secure Masking of AES.- Block Cipher Design.- Perfect Diffusion Primitives for Block Ciphers.- Security of the MISTY Structure in the Luby-Rackoff Model: Improved Results.- FOX : A New Family of Block Ciphers.- Efficient Implementations.- A Note on the Signed Sliding Window Integer Recoding and a Left-to-Right Analogue.- Fast Irreducibility Testing for XTR Using a Gaussian Normal Basis of Low Complexity.- Modular Number Systems: Beyond the Mersenne Family.- Efficient Doubling on Genus Two Curves over Binary Fields.- Secret Key Cryptography I.- About the Security of Ciphers (Semantic Security and Pseudo-Random Permutations).- A Subliminal Channel in Secret Block Ciphers.- Blockwise Adversarial Model for On-line Ciphers and Symmetric Encryption Schemes.- Cryptanalysis.- Cryptanalysis of a White Box AES Implementation.- Predicting Subset Sum Pseudorandom Generators.- Collision Attack and Pseudorandomness of Reduced-Round Camellia.- Cryptographic Protocols.- Password Based Key Exchange with Mutual Authentication.- Product Construction of Key Distribution Schemes for Sensor Networks.- Deterministic Key Predistribution Schemes for Distributed Sensor Networks.- On Proactive Secret Sharing Schemes.- Secret Key Cryptography II.- Efficient Constructions of Variable-Input-Length Block Ciphers.- A Sufficient Condition for Optimal Domain Extension of UOWHFs.

Security analysis of SHA-256 and sisters

This paper studies the security of SHA-256, SHA-384 and SHA-512 against collision attacks and provides some insight into the security properties of the basic building blocks of the structure. It is concluded that neither Chabaud and Joux’s attack, nor Dobbertin-style attacks apply. Differential and linear attacks also don’t apply on the underlying structure. However we show that slightly simplified versions of the hash functions are surprisingly weak : whenever symmetric constants and initialization values are used throughout the computations, and modular additions are replaced by exclusive or operations, symmetric messages hash to symmetric digests. Therefore the complexity of collision search on these modified hash functions potentially becomes as low as one wishes.

Key-Recovery Attacks on Universal Hash Function Based MAC Algorithms

This paper discusses key recovery and universal forgery attacks on several MAC algorithms based on universal hash functions. The attacks use a substantial number of verification queries but eventually allow for universal forgeries instead of existential or multiple forgeries. This means that the security of the algorithms completely collapses once a few forgeries are found. Some of these attacks start off by exploiting a weak key property, but turn out to become full-fledged divide and conquer attacks because of the specific structure of the universal hash functions considered. Partial information on a secret key can be exploited too, in the sense that it renders some key recovery attacks practical as soon as a few key bits are known. These results show that while universal hash functions offer provable security, high speeds and parallelism, their simple combinatorial properties make them less robust than conventional message authentication primitives.

Smart Card Crypto-Coprocessors for Public-Key Cryptography

This paper intends to provide information about up-to-date performances of smart-card arithmetic coprocessors regarding major public-key cryptosystems and analyze the main tendences of this developing high-tech industry and related markets. We also comment hardware limitations of current technologies and provide a technique for extending them by virtually doubling their capacities.

A Timing Attack on RC5

This paper describes a timing attack on the RC5 block encryption algorithm. The analysis is motivated by the possibility that some implementations of RC5 could result in the data-dependent rotations taking a time that is a function of the data. Assuming that encryption timing measurements can be made which enable the cryptanalyst to deduce the total amount of rotations carried out during an encryption, it is shown that, for the nominal version of RC5, only a few thousand ciphertexts are required to determine 5 bits of the last half-round subkey with high probability. Further, it is shown that it is practical to determine the whole secret key with about 220 encryption timings with a time complexity that can be as low as 228.

GEM: A Generic Chosen-Ciphertext Secure Encryption Method

This paper proposes an efficient and provably secure transform to encrypt a message with any asymmetric one-way cryptosystem. The resulting scheme achieves adaptive chosen-ciphertext security in the random oracle model.Compared to previous known generic constructions (Bellare, Rogaway, Fujisaki, Okamoto, and Pointcheval), our embedding reduces the encryption size and/or speeds up the decryption process. It applies to numerous cryptosystems, including (to name a few) ElGamal, RSA, Okamoto-Uchiyama and Paillier systems.

Analysis of SHA-1 in Encryption Mode

This paper analyses the cryptographic hash function SHA- 1 in encryption mode. A detailed analysis is given of the resistance of SHA-1 against the most powerful known attacks today. It is concluded that none of these attacks can be applied successfully in practice to SHA-1. Breaking SHA-1 in encryption mode requires either an unrealistic amount of computation time and known/chosen texts, or a major breakthrough in cryptanalysis. The original motivation for this analysis is to investigate a block cipher named SHACAL based on these principles. SHACAL has been submitted to the NESSIE call for cryptographic primitives.

Probing Attacks on Tamper-Resistant Devices

This paper describes a new type of attack on tamper-resistant cryptographic hardware. We show that by locally observing the value of a few RAM or adress bus bits (possibly a single one) during the execution of a cryptographic algorithm, typically by the mean of a probe (needle), an attacker could easily recover information on the secret key being used; our attacks apply to public-key cryptosystems such as RSA or El Gamal, as well as to secret-key encryption schemes including DES and RC5.

x2 Cryptanalysis of the SEAL Encryption Algorithm

SEAL was first introduced in [1] by Rogaway and Coppersmith as a fast software-oriented encryption algorithm. It is a pseudorandom function which stretches a short index into a much longer pseudorandom string under control of a secret key pre-processed into internal tables. In this paper we first describe an attack of a simplified version of SEAL, which provides large parts of the secret tables from approximately 224 algorithm computations. As far as the original algorithm is concerned, we construct a test capable of distinguishing SEAL from a random function using approximately 230 computations. Moreover, we describe how to derive some bits of information about the secret tables. These results were confirmed by computer experiments.

A Statistical Attack on RC6

This paper details the attack on RC6 which was announced in a report published in the proceedings of the second AES candidate conference (March 1999). Based on an observation on the RC6 statistics, we show how to distinguish RC6 from a random permutation and to recover the secret extended key for a fair number of rounds.