Jean-Sébastien Coron
École Normale Supérieure
Publication
Featured research published by Jean-Sébastien Coron.
cryptographic hardware and embedded systems | 1999
Jean-Sébastien Coron
Differential Power Analysis, first introduced by Kocher et al. in [14], is a powerful technique that makes it possible to recover secret smart card information by monitoring power signals. In [14] a specific DPA attack against smart cards running the DES algorithm was described. As few as 1000 encryptions were sufficient to recover the secret key. In this paper we generalize the DPA attack to elliptic curve (EC) cryptosystems and describe a DPA on EC Diffie-Hellman key exchange and EC El-Gamal type encryption. These attacks make it possible to recover the private key stored inside the smart card. Moreover, we suggest countermeasures that thwart our attack.
international cryptology conference | 2000
Jean-Sébastien Coron
The Full Domain Hash (FDH) scheme is an RSA-based signature scheme in which the message is hashed onto the full domain of the RSA function. The FDH scheme is provably secure in the random oracle model, assuming that inverting RSA is hard. In this paper we exhibit a slightly different proof which provides a tighter security reduction. This in turn improves the efficiency of the scheme since smaller RSA moduli can be used for the same level of security. The same method can be used to obtain a tighter security reduction for the Rabin signature scheme, the Paillier signature scheme, and the Gennaro-Halevi-Rabin signature scheme.
theory and application of cryptographic techniques | 2000
Jean-Sébastien Coron; David Naccache
We exhibit an attack against a signature scheme recently proposed by Gennaro, Halevi and Rabin [9]. The scheme's security is based on two assumptions, namely the strong RSA assumption and the existence of a division-intractable hash function. For the latter, the authors conjectured a security level exponential in the hash function's digest size, whereas our attack is sub-exponential with respect to the digest size. Moreover, since the new attack is optimal, the length of the hash function can now be rigorously fixed. In particular, to get a security level equivalent to 1024-bit RSA, one should use a digest size of approximately 1024 bits instead of the 512 bits suggested in [9].
selected areas in cryptography | 1998
Jean-Sébastien Coron; David Naccache
Maurer's universal test is a very common randomness test, capable of detecting a wide gamut of statistical defects. The algorithm is simple (a few Java code lines), flexible (a variety of parameter combinations can be chosen by the tester) and fast. Although the test is based on sound probabilistic grounds, one of its crucial parts uses the heuristic approximation c(L,K) ≅ 0.7 − 0.8/L + (1.6 + 12.8/L)·K^(−4/L). In this work we compute the precise value of c(L,K) and show that the inaccuracy due to the heuristic estimate can make the test 2.67 times more permissive than what is theoretically admitted. Moreover, we establish a new asymptotic relation between the test parameter and the source's entropy.
public key cryptography | 1999
Jean-Sébastien Coron
Many applications rely on the security of their random number generator. It is therefore essential that such devices be extensively tested for malfunction. The purpose of a statistical test is to detect specific weaknesses in random sources. Maurer's universal test is a very common randomness test, capable of detecting a wide range of statistical defects. The test is based on the computation of a function which is asymptotically related to the source's entropy, which measures the effective key size of block ciphers keyed by the source's output. In this work we develop a variant of Maurer's test where the test function is in theory exactly equal to the source's entropy, thereby enabling a better detection of defects in the tested source.
theory and application of cryptographic techniques | 2000
Jean-Sébastien Coron; Marc Joye; David Naccache; Pascal Paillier
This paper introduces two new attacks on PKCS#1 v1.5, an RSA-based encryption standard proposed by RSA Laboratories. As opposed to Bleichenbacher's attack, our attacks are chosen-plaintext only, i.e. they do not make use of a decryption oracle. The first attack applies to small public exponents and shows that a plaintext ending in sufficiently many zeroes can be recovered efficiently when two or more ciphertexts corresponding to the same plaintext are available. We believe the technique we employ to be of independent interest, as it extends Coppersmith's low-exponent attack to certain length parameters. Our second attack is applicable to arbitrary public exponents, provided that most message bits are zeroes. It seems to constitute the first chosen-plaintext attack on an RSA-based encryption standard that yields practical results for any public exponent.
selected areas in cryptography | 2001
Jean-Sébastien Coron; David M'raihi; Christophe Tymen
We propose a method for increasing the speed of scalar multiplication on binary anomalous (Koblitz) elliptic curves. By introducing a generator which produces random pairs (k, [k]P) of special shape, we exhibit a specific setting where the number of elliptic curve operations is reduced by 25% to 50% compared with the general case when k is chosen uniformly. This generator can be used when an ephemeral pair (k, [k]P) is needed by a cryptographic algorithm, and especially for Elliptic Curve Diffie-Hellman key exchange, ECDSA signature and El-Gamal encryption. The presented algorithm combines normal and polynomial basis operations to achieve optimal performance. We prove that a probabilistic signature scheme using our generator remains secure against chosen message attacks.
Cryptography and Security | 2012
Jean-Sébastien Coron; Aline Gouget; Thomas Icart; Pascal Paillier
We describe and analyze the password-based key establishment protocol PACE v2 Integrated Mapping (IM), an evolution of PACE v1 jointly proposed by Gemalto and Sagem Securite. PACE v2 IM enjoys the following properties: patent-freeness (to the best of current knowledge in the field); full resistance to dictionary attacks, secrecy and forward secrecy in the security model agreed upon by the CEN TC224 WG16 group; optimal performance. The PACE v2 IM protocol is intended to provide an alternative to the German PACE v1 protocol, which is also the German PACE v2 Generic Mapping (GM) protocol, proposed by the German Federal Office for Information Security (BSI). In this document, we provide a description of PACE v2 IM, a description of the security requirements one expects from a password-based key establishment protocol in order to support secure applications, and a security proof of PACE v2 IM in the so-called Bellare-Pointcheval-Rogaway (BPR) security model.
international cryptology conference | 1999
Jean-Sébastien Coron; Helena Handschuh; David Naccache
A prohibitive barrier faced by elliptic curve users is the difficulty of computing the curves’ cardinalities. Despite recent theoretical breakthroughs, point counting still remains very cumbersome and intensively time consuming.
international conference on the theory and application of cryptology and information security | 2000
Jean-Sébastien Coron; François Koeune; David Naccache
A common practice for signing with RSA is to first apply a hash function or a redundancy function to the message, add some padding and exponentiate the resulting padded message using the decryption exponent. This is the basis of several existing standards. In this paper we show how to build a secure padding scheme for signing arbitrarily long messages from a secure padding scheme for fixed-size messages. This more sharply focuses the question of finding a secure encoding for RSA signatures, by showing that the difficulty is not in handling messages of arbitrary length, but rather in finding a secure redundancy function for short messages, which remains an open problem.