Publication


Featured research published by Johannes Blömer.


IEEE Transactions on Information Theory | 1996

Priority encoding transmission

Andres Albanese; Johannes Blömer; Jeff Edmonds; Michael Luby; Madhu Sudan

We introduce a new method, called priority encoding transmission, for sending messages over lossy packet-based networks. When a message is to be transmitted, the user specifies a priority value for each part of the message. Based on the priorities, the system encodes the message into packets for transmission and sends them to (possibly multiple) receivers. The priority value of each part of the message determines the fraction of encoding packets sufficient to recover that part. Thus even if some of the encoding packets are lost en-route, each receiver is still able to recover the parts of the message for which a sufficient fraction of the encoding packets are received. For any set of priorities for a message, we define a natural quantity called the girth of the priorities. We develop systems for implementing any given set of priorities such that the total length of the encoding packets is equal to the girth. On the other hand, we give an information-theoretic lower bound that shows that for any set of priorities the total length of the encoding packets must be at least the girth. Thus the system we introduce is optimal in terms of the total encoding length. This work has immediate applications to multimedia and high-speed networks applications, especially in those with bursty sources and multiple receivers with heterogeneous capabilities. Implementations of the system show promise of being practical.


financial cryptography | 2003

Fault Based Cryptanalysis of the Advanced Encryption Standard (AES)

Johannes Blömer; Jean-Pierre Seifert

In this paper we describe several fault attacks on the Advanced Encryption Standard (AES). First, using optical/eddy current fault induction attacks as recently publicly presented by Skorobogatov, Anderson and Quisquater, Samyde (SA,QS), we present an implementation independent fault attack on AES. This attack is able to determine the complete 128-bit secret key of a sealed tamper-proof smartcard by generating 128 faulty cipher texts. Second, we present several implementation-dependent fault attacks on AES. These attacks rely on the observation that due to the AES's known timing analysis vulnerability (as pointed out by Koeune and Quisquater (KQ)), any implementation of the AES must ensure a data independent timing behavior for the so called AES's xtime operation. We present fault attacks on AES based on various timing analysis resistant implementations of the xtime operation. Our strongest attack in this direction uses a very liberal fault model and requires only 256 faulty encryptions to determine a 128-bit key.


international conference on selected areas in cryptography | 2004

Provably secure masking of AES

Johannes Blömer; Jorge Guajardo; Volker Krummel

A general method to secure cryptographic algorithms against side-channel attacks is the use of randomization techniques and, in particular, masking. Roughly speaking, using random values unknown to an adversary one masks the input to a cryptographic algorithm. As a result, the intermediate results in the algorithm computation are uncorrelated to the input and the adversary cannot obtain any useful information from the side-channel. Unfortunately, previous AES randomization techniques have based their security on heuristics and experiments. Thus, flaws have been found which make AES randomized implementations still vulnerable to side-channel cryptanalysis. In this paper, we provide a formal notion of security for randomized maskings of arbitrary cryptographic algorithms. Furthermore, we present an AES randomization technique that is provably secure against side-channel attacks if the adversary is able to access a single intermediate result. Our randomized masking technique is quite general and it can be applied to arbitrary algorithms using only arithmetic operations over some finite field. To our knowledge this is the first time that a randomization technique for the AES has been proven secure in a formal model.


Annals of Mathematics and Artificial Intelligence | 1995

Approximate matching of polygonal shapes

Helmut Alt; Bernd Behrends; Johannes Blömer

For two given simple polygons P, Q, the problem is to determine a rigid motion I of Q giving the best possible match between P and Q, i.e. minimizing the Hausdorff distance between P and I(Q). Faster algorithms than the one for the general problem are obtained for special cases, namely that I is restricted to translations or even to translations only in one specified direction. It turns out that determining pseudo-optimal solutions, i.e. ones that differ from the optimum by just a constant factor, can be done much more efficiently than determining optimal solutions. In the most general case, the algorithm for the pseudo-optimal solution is based on the surprising fact that for the optimal possible match between P and an image I(Q) of Q, the distance between the centroids of the edges of the convex hulls of P and I(Q) is a constant multiple of the Hausdorff distance between P and I(Q). It is also shown that the Hausdorff distance between two polygons can be determined in time O(n log n), where n is the total number of vertices.


computer and communications security | 2003

A new CRT-RSA algorithm secure against bellcore attacks

Johannes Blömer; Martin Otto; Jean-Pierre Seifert

In this paper we describe a new algorithm to prevent fault attacks on RSA signature algorithms using the Chinese Remainder Theorem (CRT-RSA). This variant of the RSA signature algorithm is widely used on smartcards. Smartcards on the other hand are particularly susceptible to fault attacks like the one described in [7]. Recent results have shown that fault attacks are practical and easy to accomplish ([21], [17]). Therefore, they establish a practical need for fault attack protected CRT-RSA schemes. Starting from a careful derivation and classification of fault models, we describe a new variant of the CRT-RSA algorithm. For the most realistic fault model described, we rigorously analyze the success probability of an adversary against our new CRT-RSA algorithm. Thereby, we prove that our new algorithm is secure against the Bellcore attack.


international cryptology conference | 2003

New partial key exposure attacks on RSA

Johannes Blömer; Alexander May

In 1998, Boneh, Durfee and Frankel [4] presented several attacks on RSA when an adversary knows a fraction of the secret key bits. The motivation for these so-called partial key exposure attacks mainly arises from the study of side-channel attacks on RSA. With side channel attacks an adversary gets either most significant or least significant bits of the secret key. The polynomial time algorithms given in [4] only work provided that the public key e is smaller than N. It was raised as an open question whether there are polynomial time attacks beyond this bound. We answer this open question in the present work both in the case of most and least significant bits. Our algorithms make use of Coppersmith's heuristic method for solving modular multivariate polynomial equations [8]. For known most significant bits, we provide an algorithm that works for public exponents e in the interval [N, N^{0.725}]. Surprisingly, we get an even stronger result for known least significant bits: an algorithm that works for all e < N. We also provide partial key exposure attacks on fast RSA-variants that use Chinese Remaindering in the decryption process (e.g. [20,21]). These fast variants are interesting for time-critical applications like smart-cards which in turn are highly vulnerable to side-channel attacks. The new attacks are provable. We show that for small public exponent RSA half of the bits of d_p = d mod (p-1) suffice to find the factorization of N in polynomial time. This amount is only a quarter of the bits of N and therefore the method belongs to the strongest known partial key exposure attacks.


workshop on fault diagnosis and tolerance in cryptography | 2006

Sign change fault attacks on elliptic curve cryptosystems

Johannes Blömer; Martin Otto; Jean-Pierre Seifert

We present a new type of fault attacks on elliptic curve scalar multiplications: Sign Change Attacks. These attacks exploit different number representations as they are often employed in modern cryptographic applications. Previously, fault attacks on elliptic curves aimed to force a device to output points which are on a cryptographically weak curve. Such attacks can easily be defended against. Our attack produces points which do not leave the curve and are not easily detected. The paper also presents a revised scalar multiplication algorithm that protects against Sign Change Attacks.


symposium on the theory of computing | 1999

On the complexity of computing short linearly independent vectors and short bases in a lattice

Johannes Blömer; Jean-Pierre Seifert

Motivated by Ajtai's worst-case to average-case reduction for lattice problems, we study the complexity of computing short linearly independent vectors (short basis) in a lattice. We show that approximating the length of a shortest set of linearly independent vectors (shortest basis) within any constant factor is NP-hard. Under the assumption that problems in NP cannot be solved in DTIME(n^{polylog(n)}) we show that no polynomial time algorithm can approximate the length of a shortest set of linearly independent vectors (shortest basis) within a factor of 2^{log^{1-ε} n}, ε > 0 arbitrary, but fixed. Finally, we obtain results on the limits of non-approximability for computing short linearly independent vectors (short basis). Our strongest result in this direction states that under reasonable complexity-theoretic assumptions, approximating the length of a shortest set of linearly independent vectors (shortest basis) within a factor of n/√(log n) is not NP-hard.


Lecture Notes in Computer Science | 2001

Low Secret Exponent RSA Revisited

Johannes Blömer; Alexander May

We present a lattice attack on low exponent RSA with short secret exponent d = N^δ for every δ < 0.265. Our method, as well as the method by Boneh and Durfee, is heuristic, since the method is based on Coppersmith's approach for bivariate polynomials. Coppersmith [6] pointed out that this heuristic must fail in some cases. We argue in this paper that a (practically not interesting) variant of the Boneh/Durfee attack proposed in [4] always fails. Many authors have already stressed the necessity for rigorous proofs of Coppersmith's method in the multivariate case. This is even more evident in light of these results.


international colloquium on automata, languages and programming | 1990

Approximation of convex polygons

Helmut Alt; Johannes Blömer; Michael Godau; Hubert Wagener

We consider the approximation of convex polygons by simpler figures such as rectangles, circles, or polygons with fewer edges. As distance measures for figures A, B we use either the area of the symmetric difference δ_S(A, B) or the Hausdorff-distance δ_H(A, B). It is shown that the optimal δ_S-approximation of an n-gon P by an axes-parallel rectangle can be found in time O(log^3 n) by a nested binary search algorithm. With respect to δ_H pseudo-optimal algorithms are given, i.e. algorithms producing a solution whose distance to P differs from the optimum only by a constant factor. We obtain algorithms of runtimes O(n) for approximation by rectangles and O(n^3 log^2 n) for approximation by k-gons (k

Collaboration


Johannes Blömer's collaborations.

Top Co-Authors

Jean-Pierre Seifert

Technical University of Berlin

Jakob Juhnke

University of Paderborn

Helmut Alt

Free University of Berlin
