Marcin Gomułkiewicz
Wrocław University of Technology
Publication
Featured research published by Marcin Gomułkiewicz.
workshop on information security applications | 2004
Marcin Gomułkiewicz; Marek Klonowski; Mirosław Kutyłowski
Encapsulating messages in onions is one of the major techniques providing anonymous communication in computer networks. To some extent, it provides security against traffic analysis by a passive adversary. However, it can be highly vulnerable to attacks by an active adversary. For instance, the adversary may perform a simple so-called repetitive attack: a malicious server sends the same message twice, then the adversary traces the places where the same message appears twice, revealing the route of the original message. The repetitive attack was examined for mix-networks. However, none of the countermeasures designed is suitable for onion routing. In this paper we propose an "onion-like" encoding design based on universal re-encryption. The onions constructed in this way can be used in a protocol that achieves the same goals as the classical onions, while at the same time achieving immunity against a repetitive attack. Even if an adversary disturbs communication and prevents processing of a message somewhere on the onion path, it is easy to identify the malicious server performing the attack and provide evidence of its illegal behavior.
european symposium on research in computer security | 2003
Marcin Gomułkiewicz; Marek Klonowski; Mirosław Kutyłowski
Recently, David Chaum proposed an electronic voting scheme that combines visual cryptography and digital processing. It was designed to meet not only mathematical security standards, but also to be accepted by voters that do not trust electronic devices.
international conference on information security | 2004
Marcin Gomułkiewicz; Marek Klonowski; Mirosław Kutyłowski
We consider the communication unlinkability problem: given n users, each sending a message to some destination, encode and route the messages so that an adversary analyzing the traffic in the communication network cannot link the senders with the recipients. A solution should have a small communication overhead, that is, the number of additional messages should be kept low.
international conference on dependability of computer systems | 2006
Marcin Gomułkiewicz; Maciej Nikodem; Tadeusz Tomczak
Scan-based design-for-test is a powerful testing scheme, but it can be used to retrieve secrets stored inside a crypto device. In this paper, we propose a novel scan-based DFT architecture called secure scan that maintains high test quality without compromising security. Moreover, our proposition is universal and can be easily implemented as an extension of the standard scan chain architecture. Apart from presenting our proposal, we analyse its implementation complexity, its impact on test efficiency and the security level gained.
european symposium on research in computer security | 2002
Marcin Gomułkiewicz; Mirosław Kutyłowski
It is believed that masking is an effective countermeasure against power analysis attacks: before a certain operation involving a key is performed in a cryptographic chip, the input to this operation is combined with a random value. This is meant to prevent leaking information, since the input to the operation is random. We show that this belief might be wrong. We present a Hamming weight attack on an addition operation. It works with random inputs to the addition circuit, hence masking even helps in the case when we cannot control the plaintext. It can be applied to any round of the encryption. Even with moderate accuracy of measuring power consumption it determines subkey bits explicitly. The attack combines the classical power analysis (over Hamming weight) with the strategy of the saturation attack performed using a random sample. We conclude that implementing addition in cryptographic devices must be done very carefully, as it might leak secret keys used for encryption. In particular, the simple key schedule of certain algorithms (such as IDEA and Twofish) combined with the usage of addition might be a serious danger.
Journal of Cryptology | 2015
Ron Berman; Amos Fiat; Marcin Gomułkiewicz; Marek Klonowski; Mirosław Kutyłowski; Tomer Levinboim; Amnon Ta-Shma
Rackoff and Simon proved that a variant of Chaum's protocol for anonymous communication, later developed as the Onion Routing Protocol, is unlinkable against a passive adversary that controls all communication links and most of the nodes in a communication system. A major drawback of their analysis is that the protocol is secure only if (almost) all nodes participate at all times. That is, even if only n ≪ N nodes wish to send messages, all N nodes have to participate in the protocol at all times. This suggests the necessity of sending dummy messages and a high message overhead. Our first contribution is showing that this is unnecessary. We relax the adversary model and assume that the adversary only controls a certain fraction of the communication links in the communication network. We think this is a realistic adversary model. For this adversary model we show that a low message overhead variant of Chaum's protocol is provably secure. Furthermore, all previous security proofs assumed that the a priori distribution on the messages is uniform. We feel this assumption is unrealistic. The analysis we give holds for any a priori information on the communication distribution. We achieve that by combining Markov chain techniques with information theory tools in a simple and elegant way.
WEA'06 Proceedings of the 5th international conference on Experimental Algorithms | 2006
Marcin Gomułkiewicz; Mirosław Kutyłowski; Paweł Wlaź
We present two efficient and simple fault attacks on the shrinking generator. In the first case, if the attacker can stop the control generator for some small number of steps and observe the output, then with high probability he can deduce the full control sequence, and so the other input bitstream. The second method assumes that the attacker can disturb the control sequence (in an unpredictable and random way) and observe many samples of such experiments. Then he can reconstruct a certain sequence that agrees with the input sequence of the generator on a large fraction of bits.
algorithmic aspects of wireless sensor networks | 2008
Marcin Gomułkiewicz; Mirosław Kutyłowski; Paweł Wlaź
We consider the security of the shrinking generator against fault attacks. While this pseudorandom bitstream generator is cryptographically strong and well suited for hardware implementations, especially for cheap artefacts, we show that using it in devices that are not fault resistant is risky. That is, even if the device concerned is tamper-proof, generating random faults and analyzing the results may reveal secret keys stored inside the device. For the attack we flip a random bit and observe the propagation of errors. The attack uses peculiar properties of the shrinking generator and presents a new kind of threat for designs based on combining weaker generators. In particular, it indicates that potentially all designs based on combining LFSR generators might be practically weak due to the slow propagation of errors in a single LFSR.
Lecture Notes in Computer Science | 2005
Marcin Gomułkiewicz; Mirosław Kutyłowski; Heinrich Theodor Vierhaus; Paweł Wlaź
dagstuhl seminar proceedings | 2006
Marcin Gomułkiewicz; Mirosław Kutyłowski; Pawel Wlaz