*12:04*[PhD][New] Benoit Feix

Name: Benoit Feix

Get an update on changes of the IACR web-page here. For questions, contact *newsletter (at) iacr.org*.
You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

Name: Pouyan Sepehrdad

Topic: Statistical and Algebraic Cryptanalysis of Lightweight and Ultra-Lightweight Symmetric Primitives

Category: secret-key cryptography

Description:

Symmetric cryptographic primitives such as block and stream ciphers are the building blocks in many cryptographic \r\nprotocols. Having such blocks which provide provable security against various types of attacks is often hard. On the \r\nother hand, if possible, such designs are often too costly to be implemented and are usually ignored by practitioners.\r\nMoreover, in RFID protocols or sensor networks, we need lightweight and ultra-lightweight algorithms. Hence, \r\ncryptographers often search for a fair trade-off between security and usability depending on the application. Contrary \r\nto public key primitives, which are often based on some hard problems, security in symmetric key is often based on some\r\nheuristic assumptions. Often, the researchers in this area argue that the security is based on the confidence level the \r\ncommunity has in their design. Consequently, everyday symmetric protocols appear in the literature and stay secure \r\nuntil someone breaks them. In this thesis, we evaluate the security of multiple symmetric primitives against statistical \r\nand algebraic attacks. This thesis is composed of two distinct parts:

\r\n\r\nIn the first part, we investigate the security of RC4 stream cipher against statistical attacks. We focus on its applications \r\nin WEP and WPA protocols. We revisit the previous attacks on RC4 and optimize them. In fact, we propose a framework\r\non how to deal with a pool of biases for RC4 in an optimized manner. During this work, we found multiple new weaknesses \r\nin the corresponding applications. We show that the current best attack on WEP can still be improved. We compare our \r\nresults with the state of the art implementation of the WEP attack on Aircrack-ng program and improve its success rate.\r\nNext, we propose a theoretical key recovery and distinguishing attacks on WPA, which cryptographically break the protocol. \r\nWe perform an extreme amount of experiments to make sure that the proposed theor[...]

Name: Vincent Verneuil

Topic: Elliptic curve cryptography and security of embedded devices

Category: implementation

Description:

Elliptic curve based cryptosystems are nowadays increasingly used in protocols involving public-key cryptography. This is particularly true in the context of embedded devices which are subject to strong cost, resources, and efficiency constraints, since elliptic curve cryptography requires significantly smaller key sizes compared to other cryptosystems such as RSA.

\r\nThe following study focuses in the first part on secure and efficient implementation of elliptic curve cryptography in embedded devices, especially smart cards. Designing secure implementations requires to take into account physical attacks which can target embedded devices. These attacks include in particular side-channel analysis which may infer information on a secret key manipulated from a component by monitoring how it interacts with its environment, and fault analysis in which an adversary can disturb the normal functioning of a device with the same goal.

\r\nIn the second part of this thesis, we study these attacks and their impact on the implementation of the most used public-key cryptosystems. In particular, we propose new analysis techniques and new countermeasures for these cryptosystems, together with specific attacks on the AES block cipher.

[...]Name: Joern-Marc Schmidt

Topic: Implementation Attacks - Manipulating Devices to Reveal Their Secrets

Category: implementation

Description: Nowadays, embedded systems and smart cards are part of everyday life. With the proliferation of these devices the need for security increases. In order to meet this demand, cryptographic algorithms are applied. However, for implementations of such algorithms on mobile devices, not only the security from a cryptanalytical point of view, i.e. in a black box model, is important. This is because the practical realization of a theoretically secure algorithm can be insecure.

\r\n\r\nAn adversary with physical access to the device can benefit from its characteristics or influence its behavior. Methods that measure the properties of a device are passive implementation attacks. In contrast to passive methods, active implementation attacks try to manipulate the computation and benefit from the erroneous results. These methods are called fault attacks.

\r\n\r\nIn this thesis, we discuss the theory of implementation attacks as well as their practical realizations. New attacks and algorithmic countermeasures are presented. We show how to attack RSA implementations that make use of the square and multiply algorithm by manipulating the program flow. The attack is expanded to work on ECC and ECDSA. In order to protect devices against such attacks, we developed a countermeasure that secures the program flow of RSA and ECC implementations by an implicitly calculated program signature. Moreover, we present a probing attack on AES and discuss the problem of an untrusted external memory.

\r\n\r\nFurthermore, we describe our setups for different practical attacks. The possibilities range from low-cost methods using equipment for about 50 Euro up to high-end attacks, involving a focused ion beam (FIB). In particular, we performed non-invasive spike and glitch attacks, semi-invasive optical and electromagnetic fault induction, as well as an invasive chemical attack. In addition, we used a FIB for chip modification attacks.

\r\n\r\nMoreover, we applied fault i[...]

Name: Marc Stevens

Topic: Attacks on Hash Functions and Applications

Category: secret-key cryptography

Description: Cryptographic hash functions compute a small fixed-size hash value for any given message. A main application is in digital signatures which require that it must be hard to find collisions, i.e., two different messages that map to the same hash value. In this thesis we provide an analysis of the security of the cryptographic hash function standards MD5 and SHA-1 that have been broken since 2004 due to so called identical-prefix collision attacks. In particular, we present more efficient identical-prefix collision attacks on both MD5 and SHA-1 that improve upon the literature. Furthermore, we introduce a new more flexible attack on MD5 and SHA-1 called the chosen-prefix collision attack that allows significantly more control over the two colliding messages. Moreover, we have proven that our new attack on MD5 poses a realistic threat to the security of everyday applications with our construction of a rogue Certification Authority (CA). Our rogue CA could have enabled the total subversion of secure communications with any website -- if we had not purposely crippled it. Finally, we have introduced an efficient algorithm to detect whether a given message was generated using an identical-prefix or chosen-prefix collision attack on MD5 or SHA-1.[...]

Name: Eike Kiltz

Topic: Complexity Theoretic Lower Bounds on Cryptographic Functions

Category: foundations

Required:

• Senior hands-on engineer with broad experience in cryptography

• Experienced with designing and implementing cryptographic algorithms and key management systems

• Must be familiar with algorithms and protocols including AES-CBC, AES-GCM, SHA, EC-DH, EC-DSA, random number generation, PKI

• Knowledge of Suite B crypto, TLS, smartcards/CAC, X.509, soft certificates, PKCS11

• Experience developing crypto APIs for both internal and external use

• Must have strong skills with C/C++ and/or Java programming languages on multiple platforms

• Ability to work with and mentor a team of programmers

• Ability to obtain US security clearance.

Highly desired:

• Familiar with FIPS 140-2 process, VPNs, S/MIME, data at rest crypto, and other cryptographic products.

• Familiar with DoD and US Federal requirements and regulations related to cryptography for SBU/CUI and classified data.

• Familiar with secure voice protocols, such as SRTP, SIP/TLS, SSIP, zRTP, etc.

• Ability to create high-level software design documents.

• Experience writing device drivers, low-level APIs, or software development kits.

• Familiar with implementing crypto in hardware in ASIC or FPGA-based systems

• BA/BS, MS, Ph.D. degree in Cryptography, Mathematics, Computer Science, Software Engineering, Computer Engineering, Electrical Engineering or equivalent experience.

• CISSP, CSSLP, or SANS certifications

2012-11-01

There has been considerable recent interest in \"cloud storage\'\' wherein a user asks a server to store a large file. One issue is whether the user can verify that the server is actually storing the file, and typically a challenge-response protocol is employed to convince the user that the file is indeed being stored correctly. The security of these schemes is phrased in terms of an extractor which will recover or retrieve the file given any \"proving algorithm\'\' that has a sufficiently high success probability.

This paper treats proof-of-retrievability schemes in the model of unconditional security, where an adversary has unlimited computational power. In this case retrievability of the file can be modelled as error-correction in a certain code. We provide a general analytical framework for such schemes that yields exact (non-asymptotic) reductions that precisely quantify conditions for extraction to succeed as a function of the success probability of a proving algorithm, and we apply this analysis to several archetypal schemes. In addition, we provide a new methodology for the analysis of keyed POR schemes in an unconditionally secure setting, and use it to prove the security of a modified version of a scheme due to Shacham and Waters under a slightly restricted attack model, thus providing the first example of a keyed POR scheme with unconditional security. We also show how classical statistical techniques can be used to evaluate whether the responses of the prover are accurate enough to permit successful extraction. Finally, we prove a new lower bound on storage and communication complexity of POR schemes.