Studies on Disk Encryption
1 Studies on Disk Encryption. Cuauhtemoc Mancillas López. Advisor: Dr. Debrup Chakraborty. Centro de Investigación y Estudios Avanzados del IPN.
2 Disk Encryption Problem. The problem of disk encryption is to encrypt bulk information stored in a storage medium like a hard disk, flash memory, CD or DVD. The nature of the storage medium dictates the type of encryption required. We are primarily interested in hard disks. A well accepted proposal for encrypting hard disks is to encrypt individual sectors.
3 Agenda. Introduction. Tweakable Enciphering Schemes: Implementations. Side Channel Attacks: Distinguishing Attack against EME; Stronger Attack against EME. BRW Polynomials.
4 Symmetric Key Cryptography. C = Enc(K, M), M = Dec(K, C). Adversarial goals: (partial) key recovery; (partial) plaintext recovery; create ciphertext; distinguishing. Adversarial resources: ciphertext only; known plaintext; chosen plaintext; chosen ciphertext; adaptive chosen plaintext; adaptive chosen ciphertext.
5 Finite Fields. We shall view n-bit strings as elements of $GF(2^n)$. n-bit strings can be considered as polynomials of degree at most n-1 over GF(2). This forms a field of $2^n$ elements. For example, a 5-bit string can be represented as a polynomial of degree at most 4 in x.
6 Finite Fields (Contd.) By addition of strings we shall mean the addition of polynomials, which can be realized by the XOR of two n-bit strings. For multiplication of two n-bit strings we need to choose an irreducible polynomial t(x) of degree n. Multiplication of two strings A and B is realized by the multiplication of the polynomials a(x), b(x) modulo the polynomial t(x).
7 Finite Fields (Contd.) Given a string A, by xA we shall mean the multiplication of the polynomial a(x) by the polynomial x. This can be realized very efficiently by a shift and a conditional XOR. For example, consider the field $GF(2^8)$ and the irreducible polynomial $x^8 + x^7 + x^2 + x + 1$.
8 Finite Fields (Contd.) We can implement xA as: xA = A << 1 if msb(A) = 0; xA = (A << 1) XOR 10000111 if msb(A) = 1.
9 Polynomial Hash. Informally a hash function maps a big string into a small one. We shall use a specific type of hash called the polynomial hash, $H: \{0,1\}^n \times (\{0,1\}^n)^m \to \{0,1\}^n$, defined as $H(h, P_1, \ldots, P_m) = P_1 h^m + P_2 h^{m-1} + \cdots + P_m h$. All operations are in $GF(2^n)$.
10 Block Ciphers. Block ciphers are one of the most important primitives in cryptology. [Figure: message, block cipher, key, cipher.] They can encrypt fixed length messages. They are generally very efficient and are widely used for bulk encryption. Examples: AES, DES, IDEA, MARS, SERPENT.
11 Block Ciphers (Contd.) If the block length of a block cipher is n, then the block cipher can be seen as a function $E: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$. Generally we shall denote a block cipher by $E(K, M) = E_K(M)$. For each key K in the key space, $E_K$ must be a permutation. So, for each K there exists an inverse of the block cipher such that $E_K^{-1}(E_K(M)) = M$. A block cipher secure against an adaptive chosen plaintext / chosen ciphertext adversary is considered to be a Strong Pseudo Random Permutation (SPRP).
12 The Adversary. The adversary is considered to be a probabilistic algorithm. It has oracle access to the functions and can output either a 0 or a 1. It can interact with the function through valid queries. An adversary A interacting with an oracle O and outputting 1 will be denoted by $A^O \Rightarrow 1$.
13 Pseudorandom Permutations. $K \xleftarrow{\$} \mathcal{K}$, $\pi \xleftarrow{\$} \mathrm{Perm}(n)$. $E_K$ is called a pseudorandom permutation if it is infeasible for a computationally bounded adversary to distinguish between $E_K$ and $\pi$.
14 PRP Advantage. The prp advantage of an adversary A is defined as $\mathrm{Adv}^{\mathrm{prp}}_{E}(A) = \Pr[K \xleftarrow{\$} \mathcal{K} : A^{E_K} \Rightarrow 1] - \Pr[\pi \xleftarrow{\$} \mathrm{Perm}(n) : A^{\pi} \Rightarrow 1]$. This definition can be easily translated into a resource bounded definition. The general resources of interest are the number of queries, time, query complexity, etc.
15 Strong Pseudorandom Permutations. $K \xleftarrow{\$} \mathcal{K}$, $\pi \xleftarrow{\$} \mathrm{Perm}(n)$; the adversary is given both the forward and the inverse oracle. $\mathrm{Adv}^{\pm\mathrm{prp}}_{E}(A) = \Pr[K \xleftarrow{\$} \mathcal{K} : A^{E_K, E_K^{-1}} \Rightarrow 1] - \Pr[\pi \xleftarrow{\$} \mathrm{Perm}(n) : A^{\pi, \pi^{-1}} \Rightarrow 1]$. It is assumed that a secure block cipher is a strong pseudorandom permutation.
16 Modes of Operation. A mode of operation is a specific way to use a block cipher for encrypting arbitrary length messages. We have a secure n-bit to n-bit block cipher; how can we encrypt a message M with |M| > n? Some classical modes of operation are: Electronic Code Book (ECB); Cipher Block Chaining (CBC); Cipher Feedback (CFB); Output Feedback (OFB); Counter (CTR). [Figure: block diagrams of ECB, CBC and Counter mode with plaintext blocks $P_i$, ciphertext blocks $C_i$, $E_K$ and IV.]
17 Types of Modes. Modes can be classified according to the type of security service they provide: privacy only; authenticated encryption; authenticated encryption with associated data; tweakable enciphering schemes; message authentication codes.
18 Types of Modes (Contd.) Tweakable Enciphering Schemes: the security of such schemes is that of a strong pseudorandom permutation; they are length preserving; these schemes take in an extra public quantity called the tweak; they can provide partial authentication; a potential application area of such schemes is in-place disk encryption.
19 Types of Modes (Contd.) NIST has been running a standardization effort for different types of modes, and currently there are more than twenty different modes which provide various functionalities. Tweakable enciphering schemes are not covered under this effort. A recent standardization effort by the IEEE working group on storage security is currently considering standardization of tweakable enciphering schemes for the disk encryption application.
20 Tweakable Enciphering Schemes. $E: \mathcal{K} \times \mathcal{T} \times \mathcal{M} \to \mathcal{M}$, where $\mathcal{M}$, $\mathcal{K}$ and $\mathcal{T}$ are the message space, key space and tweak space respectively, with $\mathcal{M} \subseteq \bigcup_{i \ge 0} \{0,1\}^i$. E should be a tweakable strong pseudorandom permutation.
21 Tweakable Enciphering Schemes. Current constructions can be classified into three main categories: Encrypt-Mask-Encrypt; Hash-ECB-Hash; Hash-Counter-Hash.
22 Tweakable Enciphering Schemes. [Figure: classification of the schemes.] EME: ECB-Mask-ECB; CMC: CBC-Mask-CBC; HCTR: Hash-Counter-Hash; TET: Transform-ECB-Transform. Schemes: CMC (Halevi and Rogaway, 2003); EME (Halevi and Rogaway, 2003); EME* (Halevi, 2004); ABL (McGrew and Viega, 2004); XCB (McGrew and Fluhrer, 2004); HCTR (Wang et al., 2005); HCH (Chakraborty and Sarkar, 2006 and 2007); PEP (Chakraborty and Sarkar, 2006); TET (Halevi, 2007); HEH (Sarkar, 2007). Other related work: Efficient Tweakable Enciphering Schemes from (Block-Wise) Universal Hash Functions (Sarkar, 2009).
23 Hypothesis. There are no efficient implementations of TES in either software or hardware. Some experimental results about implementations in FPGAs are reported in my master's thesis. These results can be improved. Every scheme in the literature has an associated security proof in a specific security model. These proofs do not consider real-life scenarios like side channel attacks.
24 Hypothesis. Because the community has been focused mainly on provable security, all existing proposals are theoretical and have not paid attention to realistic and efficient constructions. To date, block ciphers are the only paradigm for constructing TES. It may be possible to use other primitives for constructing TES.
25 Broad Objectives. Efficient implementation of existing constructions. Analysis of the existing constructions for side-channel vulnerabilities. Attempt new constructions keeping in mind efficiency and security against side channel attacks. Exploring related applications where TES can be used.
26 Implementations of Tweakable Enciphering Schemes
27 Field Programmable Gate Array (FPGA). It is an integrated circuit designed to be configured by the customer or designer after manufacturing. The FPGA configuration is generally specified using a hardware description language (HDL). FPGAs contain programmable logic components called logic blocks, and a hierarchy of reconfigurable interconnects that allow the blocks to be wired together. In most FPGAs, the logic blocks also include memory elements, which may be simple flip-flops or more complete blocks of memory.
28 Field Programmable Gate Array (FPGA). In FPGA families like Virtex4, Virtex2 and Spartan 3E the lookup tables can implement every boolean function of four variables. The newest FPGAs, Virtex5, have lookup tables with six inputs. Virtex4 and Virtex5 have dedicated hardware for digital signal processing, which is useful for high performance cryptographic applications as well.
29 Implementations. We used a 128-bit AES core as the underlying block cipher. [Figure: AES datapath with the round key input, the initial round transformation, the round repeated 9 times, the final round without MixColumns, and the output.] The universal polynomial hash function included in the specifications of Hash-Counter-Hash and Hash-ECB-Hash was implemented using a Karatsuba-Ofman multiplier as the main building block. Writing $A = A_H x^{m/2} + A_L$ and $B = B_H x^{m/2} + B_L$, the product $C = A \cdot B$ is computed as $C = A_H B_H x^{m} + \big[(A_H + A_L)(B_H + B_L) + A_H B_H + A_L B_L\big] x^{m/2} + A_L B_L$.
30 Architecture of HCTR (Hash-Counter-Hash). [Figure: key generator, comparator, counter, and the AES rounds 1 to 10 with their round keys Key 1 to Key 10.]
31 Architecture of HCTR (Hash-Counter-Hash). [Figure: the AES core in counter and single-block modes together with the control unit.]
32 Tweakable Enciphering Schemes. [Figure: classification of the schemes.] EME: ECB-Mask-ECB; XCB: Extended Code Book; HEH: Hash-ECB-Hash; HCH: Hash-Counter-Hash; TET: linear transform-ECB-linear transform. Schemes: CMC (Halevi and Rogaway, 2003); EME (Halevi and Rogaway, 2003); EME* (Halevi, 2004); ABL (McGrew and Viega, 2004); XCB (McGrew and Fluhrer, 2004); HCTR (Wang et al., 2005); HCH (Chakraborty and Sarkar, 2006 and 2007); PEP (Chakraborty and Sarkar, 2006); TET (Halevi, 2007); HEH (Sarkar, 2007).
33 Results. Hardware costs of the primitives: Virtex 4 implementations. Columns: Method; Slices; B-RAM; Frequency (MHz); Clock Cycles; Throughput (GBits/Sec). Rows: Full-core AES-Sequential; Full-core AES-Pipeline; Encryption-Only AES-Pipeline; Hash Function Multiplier. [Table values not preserved in the transcription.]
34 Results. Hardware costs of the modes with an underlying full 10-stage pipelined 128-bit AES core when processing one sector of 32 AES blocks: Virtex 4 implementations. Columns: Mode; Slices; B-RAM; Frequency (MHz); Clock Cycles; Time (µs); Latency (µs); Throughput (GBits/Sec). Rows: HCH; HCHfp; HCTR; XCB; EME; TET; HEH. [Table values not preserved in the transcription.]
35 Results. Hardware costs of the modes with an underlying sequential 128-bit AES core when processing one sector of 32 AES blocks: Virtex 4 implementations. Columns: Mode; Slices; B-RAM; Frequency (MHz); Clock Cycles; Time (µs); Throughput (GBits/Sec). Rows: HCH; HCHfp; HCTR; XCB; EME; TET; HEH. [Table values not preserved in the transcription.]
36 Results. Hardware costs of the HCH, HCTR, EME, TET and HEH modes with an underlying encryption-only 10-stage pipelined 128-bit AES core when processing one sector of 32 AES blocks: Virtex 4 implementations. Columns: Mode; Slices; B-RAM; Frequency (MHz); Clock Cycles; Time (µs); Latency (µs); Throughput (GBits/Sec). Rows: HCHfp; HCTR; EME; TET; HEH. [Table values not preserved in the transcription.]
37 Results. Performance of the modes in other FPGA families of devices. Columns: Mode; Slices; B-RAM; Frequency (MHz); Clock Cycles; Time (µs); Latency (µs); Throughput (GBits/Sec). Full 10-stage pipelined AES-128 core in Virtex 5: HCTR, HCH, HCHfp, TET, EME, XCB, HEH. Full 10-stage pipelined AES-128 core in Virtex 2 Pro: HCTR, HCH, HCHfp, TET, EME, XCB, HEH. Sequential AES-128 core in Spartan 3E: HEH, HCTR. [Table values not preserved in the transcription.]
38 Results. A performance comparison of the EME mode of operation using several AES encryption cores implemented in software vs. our EME reconfigurable hardware design. Columns: Design; Processor; Cycles/Sector; EME Latency; Fold Speed-up. Rows: EME with the software AES cores on Intel and Athlon-64 processors, and EME here on a Virtex IV. [Table values not preserved in the transcription.]
39 Side Channel Attacks. Physical attacks on cryptographic devices take advantage of specific implementation characteristics to recover the secret parameters involved in the computation.
40 Side Channel Attacks (Contd.) The adversary tries to exploit physical information leakages such as: timing information (Kocher, 1996); power consumption (Kocher, 1999); electromagnetic radiation (Agrawal, 2002).
41 Side Channel Attacks Against EME and EME2. EME: ECB-Mask-ECB. The weakness of the xtime operation is widely known. xtime can be implemented by a linear feedback shift register (LFSR).
Algorithm xtimes(L)
    b ← MSB(L)
    L ← L << 1
    if b = 1 then L ← L XOR Q
    return L
Studies on the vulnerability of LFSRs to side channel attacks have been published [Joux and Delaunay, 2006] and [Burman et al., 2007].
42 Side Channel Attacks Against EME and EME2. Assumption: if the operation xL is implemented according to the algorithm xtimes shown on the last slide, then the MSB of L can be obtained. Proposition: if xtimes is applied k (k ≤ n) times successively on L, then the k most significant bits of L can be recovered. In order to prove the proposition we describe the following procedure to recover the k bits of L.
Algorithm Recover(Q, k, L)
    D = {d_{n-1}, d_{n-2}, ..., d_0} ← 0^n
    B ← empty string
    for i ← 1 to k
        (b, L') ← SC(x^i L)    (b is the MSB leaked while computing x^i L, L' = x^i L)
        if d_{n-1} = 0
            B ← B || b
        else
            B ← B || ~b
        end if
        D ← D << 1
        if b = 1
            D ← D XOR Q
        end if
        L ← L'
    end for
    return B
43 Side Channel Attacks Against EME and EME2. (Algorithm Recover repeated from the previous slide.) [Worked trace with Q = 00011011 ($x^8 + x^4 + x^3 + x + 1$), n = 8 and a fixed L whose bits were not preserved in the transcription: for i = 1, ..., 8 the trace shows the leaked bit b, the test d_7 = 0 (take b) or d_7 = 1 (take ~b), the updated B, D ← D << 1 (XOR Q when b = 1) and L ← L << 1 (XOR Q when b = 1), until L is completely recovered.]
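The xtimes of slide 40 and the Recover procedure of slide 42, as an added example that is not part of the original slides: the leaky xtimes is simulated over $GF(2^8)$ with the AES polynomial of slide 43 (Q = 0x1B), Recover is run on the leaked MSBs, and a branch-free xtimes is shown as the mitigation that removes the data-dependent branch the assumption relies on. The sample value of L is constructed.

```python
# Added example (not from the slides): the xtimes of slide 40 simulated with
# its MSB leak, the Recover procedure of slide 42, and a branch-free xtimes
# as the mitigation. Field: GF(2^8) with x^8 + x^4 + x^3 + x + 1, so the
# reduction constant Q is 00011011 = 0x1B (slide 43).
from typing import List, Tuple

N = 8              # block width in bits (n on the slides)
Q = 0x1B           # 00011011: low byte of x^8 + x^4 + x^3 + x + 1
MASK = (1 << N) - 1


def xtimes_leaky(l: int, trace: List[int]) -> int:
    """xtimes as on slide 40: shift, then branch on the bit shifted out.
    The branch is what a timing or power channel distinguishes; the slide's
    assumption is modelled by appending that MSB to `trace`."""
    b = (l >> (N - 1)) & 1
    trace.append(b)
    l = (l << 1) & MASK
    if b == 1:                       # data-dependent branch: the leak
        l ^= Q
    return l


def xtimes_ct(l: int) -> int:
    """Branch-free xtimes: Q is selected by an all-ones/all-zeros mask, so
    the same instruction sequence runs whatever the MSB is."""
    b = (l >> (N - 1)) & 1
    return ((l << 1) & MASK) ^ (Q & -b)


def recover(q: int, k: int, leak: List[int]) -> str:
    """Recover(Q, k, L) from slide 42, fed the k leaked MSBs instead of SC().
    D accumulates the Q contributions present in x^i L, so the leaked MSB of
    x^i L equals the original bit l_{n-1-i} XOR d_{n-1}."""
    assert 1 <= k <= N, "the proposition needs k <= n"
    d = 0
    bits = ""
    for i in range(k):
        b = leak[i]                              # MSB of x^i L
        d_top = (d >> (N - 1)) & 1
        bits += str(b) if d_top == 0 else str(b ^ 1)
        d = (d << 1) & MASK                      # D <- D << 1
        if b == 1:
            d ^= q                               # D <- D XOR Q
    return bits


def simulate(l: int, k: int) -> Tuple[str, str]:
    """Apply the leaky xtimes k times to L and run Recover on the trace.
    Returns (recovered bits, true k most significant bits of L)."""
    trace: List[int] = []
    cur = l
    for _ in range(k):
        cur = xtimes_leaky(cur, trace)
    return recover(Q, k, trace), format(l, f"0{N}b")[:k]


if __name__ == "__main__":
    # Constructed sample value for L; k = n recovers the whole string.
    print(simulate(0b10110010, 8))
```

With k = n = 8 the whole of L is recovered, which is why EME's repeated xtimes on L and M (next slide) leaks so much.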
44 Side Channel Attacks Against EME and EME2. EME: ECB-Mask-ECB.
Algorithm EME.Encrypt_{T,K}(P)
    Partition P into P_1, P_2, ..., P_m
    L ← x E_K(0^n)
    for i ← 1 to m do
        PP_i ← x^{i-1} L XOR P_i
        PPP_i ← E_K(PP_i)
    end for
    SP ← PPP_2 XOR PPP_3 XOR ... XOR PPP_m
    MP ← PPP_1 XOR SP XOR T
    MC ← E_K(MP)
    M ← MP XOR MC
    for i ← 2 to m do
        CCC_i ← PPP_i XOR x^{i-1} M
    end for
    SC ← CCC_2 XOR CCC_3 XOR ... XOR CCC_m
    CCC_1 ← MC XOR SC XOR T
    for i ← 1 to m do
        CC_i ← E_K(CCC_i)
        C_i ← x^{i-1} L XOR CC_i
    end for
    return C_1, C_2, ..., C_m
xtimes is applied m-1 times on L = x E_K(0^n) and m-1 times on M. We call these the L-side-channel and the M-side-channel respectively. We can recover m-1 bits of x E_K(0^n) and m-1 bits of M.
45 The Distinguishing Attack against EME. If the SCA can predict the output of EME then it is not an SPRP.
1. Apply an arbitrary encryption query of n blocks with an arbitrary tweak. Obtain the n bits of $E_K(0^n)$ from the L-side-channel. Compute $L = x E_K(0^n)$.
2. Apply an encryption query with plaintext L and tweak $x^{-1}L$. Let C be the response of this query.
3. If C is equal to $(1 \oplus x)\, x^{-1} L$, output EME; otherwise output random.
[Figure: the single-block query traced through EME: $P = L$, $PP = 0$, $PPP = E_K(0) = x^{-1}L$, $SP = 0$, $MP = 0$, $MC = E_K(0)$, $SC = 0$, $CCC = 0$, $CC = E_K(0)$, so $C = L \oplus E_K(0) = (1 \oplus x)\, x^{-1} L$.]
46 The Stronger Attack against EME. Proposition: oracle access to the block cipher $E_K$ is enough to encrypt any plaintext $P = P_1 \ldots P_m$ with an arbitrary tweak T using the EME mode of operation under the key K. Similarly, with oracle access to both $E_K^{-1}$ and $E_K$ one can decrypt any arbitrary ciphertext $C = C_1 \ldots C_m$ with an arbitrary tweak T that has been produced by the EME mode of operation with key K.
47 The Stronger Attack against EME. $\mathrm{AdvSCA}^{EME_K(\cdot,\cdot)}(X)$:
1. Apply an arbitrary encryption query of n blocks with an arbitrary tweak. Obtain the n bits of $E_K(0^n)$ from the L-side-channel. Compute $L = x E_K(0^n)$.
2. Apply an encryption query with tweak X and the following n blocks of plaintext: $Y \oplus L,\ Y \oplus xL,\ \ldots,\ Y \oplus x^{n-1}L$. Recover n-1 bits of M using the M-side-channel; call this M'.
3. Hence output $M' \oplus X = \mathrm{drop}_{n-1}(E_K(X))$.
[Figure: with these inputs $PP_i = Y$ and $PPP_i = E_K(Y)$ for every i, $SP = E_K(Y)$, $MP = E_K(Y) \oplus E_K(Y) \oplus X = X$, $MC = E_K(X)$ and $M = MP \oplus MC = X \oplus E_K(X)$; so if T = X we can recover n-1 bits of $E_K(X)$.]
48 The Stronger Attack against EME. $\mathrm{AdvSCB}^{EME_K(\cdot,\cdot)}(X, \mathrm{drop}_{n-1}(E_K(X)))$:
1. Apply an arbitrary encryption query with n blocks with an arbitrary tweak. Obtain the n bits of L using the L-side-channel.
2. $Z \leftarrow \mathrm{drop}_{n-1}(E_K(X))$.
3. $S \leftarrow \mathrm{AdvSCA}^{EME_K(\cdot,\cdot)}(x^{-1}L \oplus Z1)$.
4. Apply a query with tweak Z1 and plaintext $X \oplus L$. Get the output as C.
5. If $\mathrm{drop}_{n-1}(C \oplus L) = S$ output Z1, else output Z0.
49 The Stronger Attack against EME. Proposition: let the procedure $\mathrm{AdvSCB}^{EME_K(\cdot,\cdot)}(X, \mathrm{drop}_{n-1}(E_K(X)))$ be as above; then $\Pr[\mathrm{AdvSCB}^{EME_K(\cdot,\cdot)}(X, \mathrm{drop}_{n-1}(E_K(X))) = E_K(X)]$ is overwhelming, the failure probability being exponentially small in n. So SCB can compute $E_K(X)$ for an X of its choice with very high probability.
50 BRW Polynomials
51 BRW Polynomials. Sarkar in 2009 proposed to use BRW polynomials as the hash function to construct efficient Tweakable Enciphering Schemes: iHCH and HEH-BRW.
52 BRW Polynomials. The BRW (Bernstein, Rabin and Winograd) polynomials were introduced by Bernstein in 2007 in order to improve polynomial evaluation. They are defined as: $H(r) = 0$; $H(r; m_1) = m_1$; $H(r; m_1, m_2) = m_1 r + m_2$; $H(r; m_1, m_2, m_3) = (r + m_1)(r^2 + m_2) + m_3$; and for $t \ge 4$, $H(r; m_1, \ldots, m_t) = H(r; m_1, \ldots, m_{n-1})\,(r^n + m_n) + H(r; m_{n+1}, \ldots, m_t)$, where $n \in \{4, 8, 16, 32, \ldots\}$ and $n \le t < 2n$. Number of multiplications and number of additions: [not preserved in the transcription].
53 BRW Polynomials. We propose a framework to construct an efficient circuit to compute BRW polynomials using a pipelined multiplier. As an example we will use a polynomial with 16 coefficients, defined as: $H(r; m_1, \ldots, m_{16}) = \Big\{\big[((r+m_1)(r^2+m_2)+m_3)(r^4+m_4) + (r+m_5)(r^2+m_6)+m_7\big](r^8+m_8) + \big[((r+m_9)(r^2+m_{10})+m_{11})(r^4+m_{12}) + (r+m_{13})(r^2+m_{14})+m_{15}\big]\Big\}(r^{16}+m_{16})$. The last equation has only 8 multiplications, half in comparison with the normal polynomial, and some of the multiplications are independent. The total number of operations is 8 multiplications, 4 squarings and 19 additions.
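The polynomial hash of slide 9 and the BRW polynomial of slides 52 and 53, as an added example that is not part of the original slides: both are evaluated over $GF(2^8)$ with the AES polynomial (Q = 0x1B, a constructed choice, since the slides do not fix the field for this part), with the field operations counted so the 8 multiplications, 4 squarings and 19 additions of the 16-coefficient case can be checked against Horner evaluation of the polynomial hash. The sample blocks and key are constructed.

```python
# Added example, not code from the slides: the polynomial hash of slide 9 and
# the BRW polynomial of slides 52-53 evaluated in GF(2^8) with the AES
# polynomial x^8 + x^4 + x^3 + x + 1 (Q = 0x1B), counting field operations.
from typing import Dict, List, Sequence

N, Q, MASK = 8, 0x1B, 0xFF


def xtimes(a: int) -> int:
    """Multiply by x in GF(2^8): shift and a mask-selected reduction."""
    b = (a >> (N - 1)) & 1
    return ((a << 1) & MASK) ^ (Q & -b)


class Field:
    """GF(2^8) arithmetic that counts multiplications, squarings and additions."""

    def __init__(self) -> None:
        self.muls = self.squarings = self.adds = 0

    def add(self, a: int, b: int) -> int:
        self.adds += 1
        return a ^ b

    def mul(self, a: int, b: int) -> int:
        self.muls += 1
        return self._mul(a, b)

    def square(self, a: int) -> int:
        self.squarings += 1
        return self._mul(a, a)

    @staticmethod
    def _mul(a: int, b: int) -> int:
        acc = 0                      # shift-and-add: a(x) * b(x) mod t(x)
        while b:
            if b & 1:
                acc ^= a
            a, b = xtimes(a), b >> 1
        return acc


def poly_hash(f: Field, h: int, blocks: Sequence[int]) -> int:
    """Slide 9: H(h, P1..Pm) = P1 h^m + ... + Pm h via Horner (m multiplications)."""
    acc = 0
    for p in blocks:
        acc = f.mul(f.add(acc, p), h)
    return acc


def r_powers(f: Field, r: int, t: int) -> Dict[int, int]:
    """r^(2^j) for every 2^j <= t, each obtained by one squaring."""
    pw, e = {1: r}, 1
    while 2 * e <= t:
        pw[2 * e] = f.square(pw[e])
        e *= 2
    return pw


def brw(f: Field, pw: Dict[int, int], m: Sequence[int]) -> int:
    """Slide 52 definition of H(r; m1..mt); pw holds the precomputed powers of r."""
    t = len(m)
    if t == 0:
        return 0
    if t == 1:
        return m[0]
    if t == 2:
        return f.add(f.mul(m[0], pw[1]), m[1])
    if t == 3:
        return f.add(f.mul(f.add(pw[1], m[0]), f.add(pw[2], m[1])), m[2])
    n = 1 << (t.bit_length() - 1)       # largest power of two with n <= t < 2n
    left = f.mul(brw(f, pw, m[:n - 1]), f.add(pw[n], m[n - 1]))
    return left if t == n else f.add(left, brw(f, pw, m[n:]))


def brw16_explicit(f: Field, pw: Dict[int, int], m: Sequence[int]) -> int:
    """The 16-coefficient formula written out on slide 53."""
    r, r2, r4, r8, r16 = pw[1], pw[2], pw[4], pw[8], pw[16]

    def h3(a: int, b: int, c: int) -> int:        # (r + a)(r^2 + b) + c
        return f.add(f.mul(f.add(r, a), f.add(r2, b)), c)

    def h7(q: Sequence[int]) -> int:              # h3(q1..q3)(r^4 + q4) + h3(q5..q7)
        return f.add(f.mul(h3(*q[:3]), f.add(r4, q[3])), h3(*q[4:7]))

    h15 = f.add(f.mul(h7(m[:7]), f.add(r8, m[7])), h7(m[8:15]))
    return f.mul(h15, f.add(r16, m[15]))


def operation_counts(r: int, m: Sequence[int]) -> Dict[str, int]:
    """Evaluate BRW and the polynomial hash on m; return values and operation counts."""
    f = Field()
    value = brw(f, r_powers(f, r, len(m)), m)
    g = Field()
    horner = poly_hash(g, r, m)
    return {"brw_muls": f.muls, "brw_squarings": f.squarings, "brw_adds": f.adds,
            "horner_muls": g.muls, "brw_value": value, "horner_value": horner}


# Constructed sample input: 16 one-byte message blocks and a key r.
SAMPLE_M: List[int] = [(37 * i + 11) & MASK for i in range(1, 17)]
SAMPLE_R = 0x53

if __name__ == "__main__":
    print(operation_counts(SAMPLE_R, SAMPLE_M))
```

The counts generalize beyond the slide's 16-block case: BRW needs ⌊t/2⌋ multiplications for t blocks while Horner needs t, which is the saving the HEH-BRW design exploits.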
54 BRW Polynomials. Every BRW polynomial can be represented as a tree with multiplication and addition nodes. [Figure: the tree of $H(r; m_1, \ldots, m_{16})$ built from the subtrees $H(m_1, \ldots, m_8)$, $H(m_1, \ldots, m_4)$, $H(m_1, \ldots, m_3)$, $H(m_1, m_2)$, $H(m_5, \ldots, m_7)$ and so on.] How can we simplify the tree? We can eliminate the addition nodes, leaving the connections, and denote each node by its even operand. The new tree contains only multiplication nodes.
55 BRW Polynomials. The following are true regarding the BRW tree: the number of nodes P; the number of multiplications in each level; the number of multiplications in each parallel round. [The formulas were not preserved in the transcription.]
56 BRW Polynomials. To achieve good performance in implementations of BRW polynomials there are two important aspects: scheduling of the blocks of information, trying to keep the pipeline always full; and the number of accumulators or registers required. We designed an algorithm to compute the above tasks.
57 BRW Polynomials. Scheduling using a three-stage pipelined multiplier. [Figure: clock-cycle schedule of the 16-coefficient polynomial $H(r; m_1, \ldots, m_{16})$ on the three-stage pipeline; the multiplications without dependencies are issued first.]
58 BRW Polynomials. Algorithm Schedule (L1: nodes whose operands are being produced in the pipeline, tagged with a START-TIME; L2: nodes whose operands are already available):
clock = 1
while (there are nodes left to be scheduled)
    if L1 is not empty
        if the difference between clock and the START-TIME of the first node of L1 is greater than NSTAGES
            Delete the node from L1; output the node; decrement the indegree of its parent;
            if the indegree of the parent reduces to zero
                Mark its START-TIME as clock and add it to L1
            endif
        else if L2 is not empty
            Output the first node of L2; delete the node from L2; decrement the indegree of its parent;
            if the indegree reduces to zero
                Mark its START-TIME as clock and add it to L1
            endif
        endif
    else
        Output the first node of L2; delete the node from L2; decrement the indegree of its parent;
        if the indegree of the parent reduces to zero
            Mark its START-TIME as clock and add it to L1
        endif
    endif
    clock = clock + 1
end while
59 BRW Polynomials. Some properties of the algorithm with P nodes: the number of connected components is the Hamming weight of P; if $\mathrm{bit}_i(P) = 1$ the tree contains a connected component with $2^i$ nodes. [Figure: the tree for 16 message blocks.] If the number of pipeline stages is NSTAGES and the number of message blocks is m, for which the number of nodes in the tree is P, then the algorithm Schedule gives a full pipeline in the following cases: 1. NSTAGES = 2 and m ≥ 6 and ($\mathrm{bit}_0(P) = 1$ or $\mathrm{bit}_1(P) = 1$). 2. NSTAGES = 3 and m ≥ 14 and $\mathrm{bit}_0(P) = 1$ and $\mathrm{bit}_1(P) = 1$. 3. NSTAGES = 4 and m ≥ 30 and $\mathrm{bit}_0(P) = 1$ and $\mathrm{bit}_1(P) = 1$ and $\mathrm{bit}_2(P) = 1$ and $\mathrm{bit}_3(P) = 1$.
60 The HEH-BRW Mode of Operation. It is easy to see the improvement in time: HEH takes 75 clock cycles while HEH-BRW takes 55.
61 The HEH-BRW Mode of Operation. Architecture for HEH-BRW. We use: a three-stage pipelined Karatsuba-Ofman multiplier; an AES design suitable for Virtex 5 FPGAs (Standaert et al., 2008). [Figure: the AES core in counter and simple modes with its key generator and counter; the BRW hash datapath with a microprogrammed control unit, the three-stage pipelined KOM, xtime, squaring and the accumulator registers ACC1 and ACC2.]
62 Results. First table. Columns: Mode; Slices; Frequency (MHz); Clock Cycles; Time (ns); Latency (ns); Throughput (GBits/Sec); TPA. Rows: iHCH; HEH-BRW. Second table. Columns: Mode; Slices; B-RAM; Frequency (MHz); Clock Cycles; Time (µs); Latency (µs); Throughput (GBits/Sec). Rows: HCHfp; HEH. [Table values not preserved in the transcription.]
63 Publications
- C. Mancillas-López, D. Chakraborty, and F. Rodríguez-Henríquez. Efficient Implementations of Some Tweakable Enciphering Schemes in Reconfigurable Hardware. In INDOCRYPT, volume 4859 of Lecture Notes in Computer Science, Springer, 2007 (work done in my master's thesis).
- C. Mancillas-López, D. Chakraborty, and F. Rodríguez-Henríquez. Reconfigurable Hardware Implementations of Tweakable Enciphering Schemes (extended and improved version of the previous), IEEE Transactions on Computers (under review).
- C. Mancillas-López, D. Chakraborty, and F. Rodríguez-Henríquez. On Some Weaknesses in the Disk Encryption Schemes EME and EME2. International Conference on Information Systems Security (ICISS 2009), Lecture Notes in Computer Science (to appear).
- D. Chakraborty, C. Mancillas-López, F. Rodríguez-Henríquez, and P. Sarkar. Polynomial Evaluation with Applications to Disk Encryption (under preparation).
64 Future Work. Side Channel Attacks: we have just started the preliminary investigations on side channel weaknesses of disk encryption schemes. We will do side channel analysis of more modes. We also plan to build an experimental setup for side channel attacks and demonstrate the attacks on real hardware implementations. New Constructions: we plan to explore new constructions in the following directions: 1) Using stream ciphers instead of block ciphers. A preliminary proposal regarding this was published this year by Sarkar; we plan to improve upon this construction. 2) Exploring the use of weak pseudorandom functions (WPRF) for constructing TES.
65 Future Work. New Applications. Secure Backup: 1. We shall study the specific security requirements of the secure backup application. 2. Design a scheme to achieve secure backup. 3. Implementation and practical proofs.
66 Calendar. First Year (2009): 1. Study of the theoretical background. 2. Efficient implementation of existing constructions. 3. Improve existing constructions. Second Year: 4. Side channel attacks. 5. Propose new schemes using other primitives. 6. Propose new schemes using WPRF. 7. Courses (Cryptography II, Reconfigurable Computing, Selected Topics on Symmetric Key Cryptography). 8. New applications: secure backup. Third Year: thesis manuscript. [Figure: Gantt chart marking the months planned for each task.]
67 Thank you for your attention
More informationTHEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER. A. A. Zadeh and Howard M. Heys
THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER A. A. Zadeh and Howard M. Heys Electrical and Computer Engineering Faculty of Engineering and Applied Science Memorial University of Newfoundland
More informationUsing EM To Estimate A Probablity Density With A Mixture Of Gaussians
Using EM To Estiate A Probablity Density With A Mixture Of Gaussians Aaron A. D Souza adsouza@usc.edu Introduction The proble we are trying to address in this note is siple. Given a set of data points
More informationA remark on a success rate model for DPA and CPA
A reark on a success rate odel for DPA and CPA A. Wieers, BSI Version 0.5 andreas.wieers@bsi.bund.de Septeber 5, 2018 Abstract The success rate is the ost coon evaluation etric for easuring the perforance
More informationSoft Computing Techniques Help Assign Weights to Different Factors in Vulnerability Analysis
Soft Coputing Techniques Help Assign Weights to Different Factors in Vulnerability Analysis Beverly Rivera 1,2, Irbis Gallegos 1, and Vladik Kreinovich 2 1 Regional Cyber and Energy Security Center RCES
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More information1 Proof of learning bounds
COS 511: Theoretical Machine Learning Lecturer: Rob Schapire Lecture #4 Scribe: Akshay Mittal February 13, 2013 1 Proof of learning bounds For intuition of the following theore, suppose there exists a
More informationHigh Performance GHASH Function for Long Messages
High Performance GHASH Function for Long Messages Nicolas Méloni 1, Christophe Négre 2 and M. Anwar Hasan 1 1 Department of Electrical and Computer Engineering University of Waterloo, Canada 2 Team DALI/ELIAUS
More informationSecret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:
Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design: Secret Key Systems Encrypting a small block of text (say 64 bits) General considerations
More informationA note on the multiplication of sparse matrices
Cent. Eur. J. Cop. Sci. 41) 2014 1-11 DOI: 10.2478/s13537-014-0201-x Central European Journal of Coputer Science A note on the ultiplication of sparse atrices Research Article Keivan Borna 12, Sohrab Aboozarkhani
More informationAn Introduction to Authenticated Encryption. Palash Sarkar
An Introduction to Authenticated Encryption Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata palash@isical.ac.in 20 September 2016 Presented at the Workshop on Authenticated
More informationFurther More on Key Wrapping. 2011/2/17 SKEW2011 Lyngby Nagoya University Yasushi Osaki, Tetsu Iwata
Further More o Key Wrappig 011//17 SKEW011 Lygby Nagoya Uiversity Yasushi Osaki, Tetsu Iwata 1 What is key wrappig? Used to ecrypt specialized data, such as cryptographic keys A key wrappig that also esures
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationSTES: A Stream Cipher Based Low Cost Scheme for Securing Stored Data
STES: A Stream Cipher Based Low Cost Scheme for Securing Stored Data Debrup Chakraborty 1, Cuauhtemoc Mancillas-López 1, Palash Sarkar 2 1 Department of Computer Science, CINVESTAV-IPN, Av. IPN 2508 San
More informationGeneralized Queries on Probabilistic Context-Free Grammars
IEEE TRANSACTIONS ON PATTERN ANALYSIS AND MACHINE INTELLIGENCE, VOL. 20, NO. 1, JANUARY 1998 1 Generalized Queries on Probabilistic Context-Free Graars David V. Pynadath and Michael P. Wellan Abstract
More informationShort Papers. Test Data Compression and Decompression Based on Internal Scan Chains and Golomb Coding
IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 1, NO. 6, JUNE 00 715 Short Papers Test Data Copression and Decopression Based on Internal Scan Chains and Golob Coding
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under
More informationA Model for the Selection of Internet Service Providers
ISSN 0146-4116, Autoatic Control and Coputer Sciences, 2008, Vol. 42, No. 5, pp. 249 254. Allerton Press, Inc., 2008. Original Russian Text I.M. Aliev, 2008, published in Avtoatika i Vychislitel naya Tekhnika,
More informationPEA: Polymorphic Encryption Algorithm based on quantum computation. Nikos Komninos* and Georgios Mantas
Int. J. Systes, Control and Counications, Vol. 3, No., PEA: Polyorphic Encryption Algorith based on quantu coputation Nikos Koninos* and Georgios Mantas Algoriths and Security Group, Athens Inforation
More informationStream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden
Dept. of EIT, Lund University, P.O. Box 118, 221 00 Lund, Sweden thomas@eit.lth.se May 16, 2011 Outline: Introduction to stream ciphers Distinguishers Basic constructions of distinguishers Various types
More information2. Accelerated Computations
2. Accelerated Computations 2.1. Bent Function Enumeration by a Circular Pipeline Implemented on an FPGA Stuart W. Schneider Jon T. Butler 2.1.1. Background A naive approach to encoding a plaintext message
More informationQuantum public-key cryptosystems based on induced trapdoor one-way transformations
Quantu public-key cryptosystes based on induced trapdoor one-way transforations Li Yang a, Min Liang a, Bao Li a, Lei Hu a, Deng-Guo Feng b arxiv:1012.5249v2 [quant-ph] 12 Jul 2011 a State Key Laboratory
More informationSymmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)
Symmetric Ciphers Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5) Symmetric Cryptography C = E(P,K) P = D(C,K) Requirements Given C, the only way to obtain P should be with the knowledge of K Any
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationLecture 5: Pseudorandom functions from pseudorandom generators
Lecture 5: Pseudorandom functions from pseudorandom generators Boaz Barak We have seen that PRF s (pseudorandom functions) are extremely useful, and we ll see some more applications of them later on. But
More informationUniform Approximation and Bernstein Polynomials with Coefficients in the Unit Interval
Unifor Approxiation and Bernstein Polynoials with Coefficients in the Unit Interval Weiang Qian and Marc D. Riedel Electrical and Coputer Engineering, University of Minnesota 200 Union St. S.E. Minneapolis,
More informationEquational Security of a Lattice-based Oblivious Transfer Protocol
Journal of Network Intelligence c 2016 ISSN 2414-8105 (Online) Taiwan Ubiquitous Inforation Volue 2, Nuber 3, August 2017 Equational Security of a Lattice-based Oblivious Transfer Protocol Mo-Meng Liu
More informationDefect-Aware SOC Test Scheduling
Defect-Aware SOC Test Scheduling Erik Larsson +, Julien Pouget*, and Zebo Peng + Ebedded Systes Laboratory + LIRMM* Departent of Coputer Science Montpellier 2 University Linköpings universitet CNRS Sweden
More informationStatistical Logic Cell Delay Analysis Using a Current-based Model
Statistical Logic Cell Delay Analysis Using a Current-based Model Hanif Fatei Shahin Nazarian Massoud Pedra Dept. of EE-Systes, University of Southern California, Los Angeles, CA 90089 {fatei, shahin,
More informationThis model assumes that the probability of a gap has size i is proportional to 1/i. i.e., i log m e. j=1. E[gap size] = i P r(i) = N f t.
CS 493: Algoriths for Massive Data Sets Feb 2, 2002 Local Models, Bloo Filter Scribe: Qin Lv Local Models In global odels, every inverted file entry is copressed with the sae odel. This work wells when
More informationNBN Algorithm Introduction Computational Fundamentals. Bogdan M. Wilamoswki Auburn University. Hao Yu Auburn University
NBN Algorith Bogdan M. Wilaoswki Auburn University Hao Yu Auburn University Nicholas Cotton Auburn University. Introduction. -. Coputational Fundaentals - Definition of Basic Concepts in Neural Network
More informationAnalyzing Simulation Results
Analyzing Siulation Results Dr. John Mellor-Cruey Departent of Coputer Science Rice University johnc@cs.rice.edu COMP 528 Lecture 20 31 March 2005 Topics for Today Model verification Model validation Transient
More informationWinter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2
0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod
More informationUsing a De-Convolution Window for Operating Modal Analysis
Using a De-Convolution Window for Operating Modal Analysis Brian Schwarz Vibrant Technology, Inc. Scotts Valley, CA Mark Richardson Vibrant Technology, Inc. Scotts Valley, CA Abstract Operating Modal Analysis
More informationDTTF/NB479: Dszquphsbqiz Day 26
DTTF/NB479: Dszquphsbqiz Day 26 Announceents:. HW6 due now 2. HW7 posted 3. Will pick pres dates Friday Questions? This week: Discrete Logs, Diffie-Hellan, ElGaal Hash Functions, SHA, Birthday attacks
More informationLinear recurrences and asymptotic behavior of exponential sums of symmetric boolean functions
Linear recurrences and asyptotic behavior of exponential sus of syetric boolean functions Francis N. Castro Departent of Matheatics University of Puerto Rico, San Juan, PR 00931 francis.castro@upr.edu
More informationVulnerability of MRD-Code-Based Universal Secure Error-Correcting Network Codes under Time-Varying Jamming Links
Vulnerability of MRD-Code-Based Universal Secure Error-Correcting Network Codes under Tie-Varying Jaing Links Jun Kurihara KDDI R&D Laboratories, Inc 2 5 Ohara, Fujiino, Saitaa, 356 8502 Japan Eail: kurihara@kddilabsjp
More informationImpact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs
Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC 9797 1:2011 MACs Tetsu Iwata, Nagoya University Lei Wang, Nanyang Technological University FSE 2014 March 4, 2014, London, UK 1 Overview ANSI X9.24
More informationA Parallelizable Enciphering Mode
A Parallelizable Enciphering Mode Shai Halevi Phillip Rogaway June 17, 2003 Abstract We describe a block-cipher mode of operation, EME, that turns an n-bit block cipher into a tweakable enciphering scheme
More informationarxiv: v3 [cs.ds] 22 Mar 2016
A Shifting Bloo Filter Fraewor for Set Queries arxiv:1510.03019v3 [cs.ds] Mar 01 ABSTRACT Tong Yang Peing University, China yangtongeail@gail.co Yuanun Zhong Nanjing University, China un@sail.nju.edu.cn
More informationA Low-Complexity Congestion Control and Scheduling Algorithm for Multihop Wireless Networks with Order-Optimal Per-Flow Delay
A Low-Coplexity Congestion Control and Scheduling Algorith for Multihop Wireless Networks with Order-Optial Per-Flow Delay Po-Kai Huang, Xiaojun Lin, and Chih-Chun Wang School of Electrical and Coputer
More informationMATRIX POWER S-BOX ANALYSIS 1. Kestutis Luksys, Petras Nefas
International Book Series "Inforation Science and Coputing" 97 MATRIX POWER S-BOX ANALYSIS Keutis Luksys, Petras Nefas Abract: Conruction of syetric cipher S-bo based on atri power function and dependant
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationFast Key Recovery Attack on ARMADILLO1 and Variants
Fast Key Recovery Attack on ARMADILLO and Variants Pouyan Sepehrdad, Petr Sušil, and Serge Vaudenay EPFL, Lausanne, Switzerland {pouyan.sepehrdad,petr.susil,serge.vaudenay}@epfl.ch Abstract. The ARMADILLO
More informationLec 05 Arithmetic Coding
Outline CS/EE 5590 / ENG 40 Special Topics (7804, 785, 7803 Lec 05 Arithetic Coding Lecture 04 ReCap Arithetic Coding About Hoework- and Lab Zhu Li Course Web: http://l.web.ukc.edu/lizhu/teaching/06sp.video-counication/ain.htl
More informationCSc 466/566. Computer Security. 5 : Cryptography Basics
1/84 CSc 466/566 Computer Security 5 : Cryptography Basics Version: 2012/03/03 10:44:26 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian Collberg Christian
More informationIntelligent Systems: Reasoning and Recognition. Perceptrons and Support Vector Machines
Intelligent Systes: Reasoning and Recognition Jaes L. Crowley osig 1 Winter Seester 2018 Lesson 6 27 February 2018 Outline Perceptrons and Support Vector achines Notation...2 Linear odels...3 Lines, Planes
More informationKernel Methods and Support Vector Machines
Intelligent Systes: Reasoning and Recognition Jaes L. Crowley ENSIAG 2 / osig 1 Second Seester 2012/2013 Lesson 20 2 ay 2013 Kernel ethods and Support Vector achines Contents Kernel Functions...2 Quadratic
More informationQuantum algorithms (CO 781, Winter 2008) Prof. Andrew Childs, University of Waterloo LECTURE 15: Unstructured search and spatial search
Quantu algoriths (CO 781, Winter 2008) Prof Andrew Childs, University of Waterloo LECTURE 15: Unstructured search and spatial search ow we begin to discuss applications of quantu walks to search algoriths
More informationA New Algorithm for Reactive Electric Power Measurement
A. Abiyev, GAU J. Soc. & Appl. Sci., 2(4), 7-25, 27 A ew Algorith for Reactive Electric Power Measureent Adalet Abiyev Girne Aerican University, Departernt of Electrical Electronics Engineering, Mersin,
More informationOn the Counter Collision Probability of GCM*
On the Counter Collision Probability of GCM* Keisuke Ohashi, Nagoya University Yuichi Niwa, Nagoya University Tetsu Iwata, Nagoya University Early Symmetric Crypto (ESC) seminar January 14 18, Mondorf
More informationL S is not p m -hard for NP. Moreover, we prove for every L NP P, that there exists a sparse S EXP such that L S is not p m -hard for NP.
Properties of NP-Coplete Sets Christian Glaßer, A. Pavan, Alan L. Selan, Saik Sengupta January 15, 2004 Abstract We study several properties of sets that are coplete for NP. We prove that if L is an NP-coplete
More informationNew Implementations of the WG Stream Cipher
New Implementations of the WG Stream Cipher Hayssam El-Razouk, Arash Reyhani-Masoleh, and Guang Gong Abstract This paper presents two new hardware designs of the WG-28 cipher, one for the multiple output
More informationa a a a a a a m a b a b
Algebra / Trig Final Exa Study Guide (Fall Seester) Moncada/Dunphy Inforation About the Final Exa The final exa is cuulative, covering Appendix A (A.1-A.5) and Chapter 1. All probles will be ultiple choice
More informationSide Channel Analysis and Protection for McEliece Implementations
Side Channel Analysis and Protection for McEliece Implementations Thomas Eisenbarth Joint work with Cong Chen, Ingo von Maurich and Rainer Steinwandt 9/27/2016 NATO Workshop- Tel Aviv University Overview
More informationArithmetic Operators for Pairing-Based Cryptography
Arithmetic Operators for Pairing-Based Cryptography J.-L. Beuchat 1 N. Brisebarre 2 J. Detrey 3 E. Okamoto 1 1 University of Tsukuba, Japan 2 École Normale Supérieure de Lyon, France 3 Cosec, b-it, Bonn,
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationInspection; structural health monitoring; reliability; Bayesian analysis; updating; decision analysis; value of information
Cite as: Straub D. (2014). Value of inforation analysis with structural reliability ethods. Structural Safety, 49: 75-86. Value of Inforation Analysis with Structural Reliability Methods Daniel Straub
More informationEvaluation of Countermeasure Implementations Based on Boolean Masking to Thwart Side-Channel Attacks
Author anuscript, published in "N/P" Evaluation of Countereasure Ipleentations Based on Boolean Masing to Thwart ide-channel Attacs Housse Maghrebi, Jean-Luc Danger, Florent Flaent, ylvain Guilley, Laurent
More information