Seminar & Events
Upcoming events
Past events
On March 2-3, LACS will hold the 2nd edition of its Research Days. This is an event where all PhD students and postdocs of LACS present their recent research to other members of the lab. The presentations are open to everybody in CSC.
The presentations will take place in the afternoons of Tuesday, March 2nd, and Wednesday, March 3rd, in Salle des Conseils. Please find below the schedule for the two days. Feel free to contact the organizers (Ilya Kizhvatov, Tim Muller) if you have any questions.
Organized on February 10, 2009, University Campus Kirchberg, Luxembourg City, Luxembourg. For more information, please consult the associated website.
Date: Wednesday, November 7th at 10:30 in room "Salle des Conseils", Campus Kirchberg, University of Luxembourg.
Speaker: Julio Cesar Hernandez Castro (UCL Crypto group, Louvain-la-Neuve)
Title: "On the security of the Salsa20 hash function"
Abstract: The Salsa20 hash function has, not surprisingly, many points in common with the Salsa20 stream cipher (which has successfully arrived at Phase 3 of the eSTREAM contest and seems to be one of the best regarded candidates) and with other members of the same algorithm family. In this talk, we will focus on some of the design criteria used by its author and analyze their security impact. We will present some recent cryptanalytic results that put a big question mark over the overall security of the algorithm.
_______________________
Date: Thursday, November 8th at 11:00 in room "Salle des Conseils", Campus Kirchberg, University of Luxembourg.
Speaker: Jacques Patarin
Title: Generic attacks against various Feistel schemes
Abstract: Feistel schemes are very useful for generating pseudo-random permutations, which makes blockwise symmetric-key encryption possible. A Feistel scheme is called "generic" when the internal functions (the round functions) are random or pseudo-random. There are many kinds of Feistel schemes, the most classical being symmetric Feistel schemes, followed by shrinking and expanding ones. In this talk we will see various attack techniques that have been developed against these schemes, and we will show concrete uses of these results.
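The chosen-ciphertext distinguisher below is an added example, not material from the talk: the classic generic attack on a three-round balanced Feistel scheme with random round functions (two encryption queries sharing a right half, then one decryption query), which is what the Luby-Rackoff analysis uses to separate Psi_3 from a random permutation. The 8-bit half-block size, the round-function tables, the comparison permutation and the query counts are all constructed for this example; the shrinking and expanding (unbalanced) variants mentioned in the abstract are not covered.

```python
"""Generic 3-round Feistel distinguisher (added example; not from the talk).

A balanced Feistel scheme Psi_r(f_1..f_r) on 2n-bit blocks (L, R) applies
(L, R) -> (R, L xor f_i(R)) r times.  With r = 3 and random round functions
the result is a pseudo-random permutation, but not a strong one: two chosen
plaintexts plus one chosen ciphertext reveal the Feistel structure with
probability 1, whereas a truly random permutation passes the same test with
probability only 2^-n.  Toy parameters: n = 8 bits, so 16-bit blocks.
"""
import random

N_BITS = 8
MASK = (1 << N_BITS) - 1


def random_function(rng):
    """A truly random function {0,1}^n -> {0,1}^n, stored as a lookup table."""
    return [rng.randrange(1 << N_BITS) for _ in range(1 << N_BITS)]


class Feistel:
    """Balanced Feistel scheme with the given list of round functions."""

    def __init__(self, round_functions):
        self.fs = round_functions

    def encrypt(self, left, right):
        for f in self.fs:
            left, right = right, left ^ f[right]
        return left, right

    def decrypt(self, left, right):
        for f in reversed(self.fs):
            left, right = right ^ f[left], left
        return left, right


class RandomPermutation:
    """A uniformly random permutation of 2n-bit blocks, used as the control."""

    def __init__(self, rng):
        self.table = list(range(1 << (2 * N_BITS)))
        rng.shuffle(self.table)
        self.inverse = [0] * len(self.table)
        for x, y in enumerate(self.table):
            self.inverse[y] = x

    def encrypt(self, left, right):
        y = self.table[(left << N_BITS) | right]
        return y >> N_BITS, y & MASK

    def decrypt(self, left, right):
        x = self.inverse[(left << N_BITS) | right]
        return x >> N_BITS, x & MASK


def three_round_test(oracle, l1, l2, r):
    """One run of the distinguisher: 2 encryption queries, 1 decryption query.

    Encrypt (l1, r) -> (s1, t1) and (l2, r) -> (s2, t2), then decrypt
    (s2, t2 ^ l1 ^ l2) -> (l3, r3).  For Psi_3 the right half always satisfies
    r3 == r ^ s1 ^ s2; for a random permutation this holds with probability 2^-n.
    """
    s1, _t1 = oracle.encrypt(l1, r)
    s2, t2 = oracle.encrypt(l2, r)
    _l3, r3 = oracle.decrypt(s2, t2 ^ l1 ^ l2)
    return r3 == (r ^ s1 ^ s2)


def count_hits(oracle, trials, seed=0):
    """Run the test on `trials` random query triples (l1 != l2) and count passes."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        l1, r = rng.randrange(1 << N_BITS), rng.randrange(1 << N_BITS)
        l2 = l1 ^ rng.randrange(1, 1 << N_BITS)   # l1 == l2 would pass trivially
        hits += three_round_test(oracle, l1, l2, r)
    return hits


def build_oracles(seed=1):
    """Construct a 3-round Feistel scheme with random round functions and a random permutation."""
    rng = random.Random(seed)
    feistel3 = Feistel([random_function(rng) for _ in range(3)])
    return feistel3, RandomPermutation(rng)


if __name__ == "__main__":
    feistel3, randperm = build_oracles()
    print("3-round Feistel   :", count_hits(feistel3, 32), "/ 32 hits")
    print("random permutation:", count_hits(randperm, 32), "/ 32 hits")
```

The Feistel oracle passes every trial, the random permutation passes about one in 2^n; that gap is the whole attack. Adding a fourth round defeats this particular relation, which is why four rounds are needed for a strong pseudo-random permutation.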
The conference Fast Software Encryption (FSE) 2007 was organized by LACS. Prof. Jean-Claude Asselborn was General Chair and Prof. Alex Biryukov was Program Chair. The program committee consisted of 28 top international experts in symmetric cryptography. FSE 2007 was the 14th annual Fast Software Encryption workshop, sponsored for the sixth year by the International Association for Cryptologic Research (IACR). Original research papers on symmetric cryptology were invited for submission to FSE 2007. The workshop concentrates on fast and secure primitives for symmetric cryptography, including the design and analysis of block ciphers, stream ciphers, encryption schemes, hash functions and message authentication codes (MACs), as well as analysis and evaluation tools. There were 104 submissions, from which 28 were selected for presentation at the conference after almost two months of review by the program committee.
Presentations in the LACS Seminar

Title | Speaker | Date | Place
Invited talk at Internet Security Day 2007 | Franck Leprévost (LACS) | March 26th 2007 | Chambre de Commerce, Luxembourg
Algebraic attacks on certain stream ciphers / Fast algebraic attacks | Deike Priemuth-Schmid (LACS) | February 7th and 16th 2007, 11h-12h | Kirchberg, E 212
Recent Results on Software Side-Channel Attacks: recent advances in side-channel attacks on software implementations of symmetric and public-key cryptographic primitives, including the recent branch prediction attacks on RSA and other attacks | Alexander Maximov (LACS) | January 22nd 2007, 11h-12h | Room BS 103
Cryptography in network and host security | Ulrich Kühn (Deutsche Telekom Laboratories and Technical University Berlin) | June 20th 2006, 11h-12h | Room BS 103
Current trends in design and cryptanalysis of stream ciphers | Alexander Maximov (Lund University, Sweden) | June 7th 2006, 14h-15h | Room BS 015
Introduction to Time/Memory Trade-off Cryptanalysis | Sourav Mukopadhyay (INRIA) | May 10th 2006, 13h-14h | Room BS 004
Elliptic Curve Public Key Cryptography and Pairings | Ratna Dutta (ENSTA) | May 10th 2006, 14h-15h | Room BS 004
Workshop Cryptologie, Sécurité des systèmes et Espionnage industriel (Cryptology, Systems Security and Industrial Espionage) |  | March 21st 2006, all day | Chambre de Commerce du Luxembourg
Design and analysis of hash functions | Hirotaka Yoshida (Hitachi) | March 13th 2006, 11h-12h | Room BC 012
Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log | Pascal Paillier (Gemplus/Gemalto) | February 8th 2006, 11h-12h | Room BS 004
Lattice attacks on RSA: an overview | Alexander May | June 30th 2005, 10h30-11h30 | Room BS 001
Note: Unless specified otherwise, the events take place at Campus Limpertsberg, 162A, avenue de la Faïencerie, L-1511 Luxembourg.
Details of the events involving the LACS
Algebraic attacks on certain stream ciphers / Fast algebraic attacks
by Deike Priemuth-Schmid (LACS)
Date and place: February 7th and 16th 2007, 11h-12h, in Room E 212
Summary: The slides for these two talks are available here and here.

Recent Results on Software Side-Channel Attacks: recent advances in side-channel attacks on software implementations of symmetric and public-key cryptographic primitives, including the recent branch prediction attacks on RSA and other attacks
by Alexander Maximov (LACS)
Date and place: January 22nd 2007, 11h-12h, in Room BS 001
Summary: The slides for this talk are available here.

Cryptography in network and host security
by Ulrich Kühn (Deutsche Telekom Laboratories and Technical University Berlin)
Date and place: June 20th 2006, 11h-12h, in Room BS 103
Summary: In the first part of my talk I will briefly sketch a solution for the prevention of DDoS attacks and malware spread in networks and highlight the involved cryptographic problems and protocols. The solution is based on the cryptographic tagging of legitimate traffic. For example, legitimate traffic can be defined as originating from a machine operated by a human instead of a bot. Here, the solution requires the ability to distinguish between human users and remotely-controlled bots in a way that is usable for the transport of cryptographic keys. Such protocols can be termed "Human-enhanced key transport protocols". I will show how such a protocol can be built on CAPTCHAs and IP puzzles and discuss its strengths and weaknesses as well as possible extensions.
The second part of my talk will be about remotely keyed cryptographic constructions. The general idea is to hide cryptographic keys from a host system where they could be exposed in a host compromise. A small trusted component such as a smart card holds the key and executes all key-dependent operations, while the host handles the bulk of the data. Remotely keyed cryptographic schemes are designed to be resilient to temporary exposure of the host's components to an adversary, and thus to keep the secret key secure even under these conditions. I will talk about how the existing deterministic encryption-only schemes can be extended to provide authenticated encryption, including a model for proofs of security. Work in progress includes further improvements aiming towards using nonces and incorporating associated data into the authentication.

Current trends in design and cryptanalysis of stream ciphers
by Alexander Maximov (Lund University, Sweden)
Date and place: June 7th 2006, 14h-15h, in Room BS 015
Summary: In the world of cryptography, stream ciphers are known as primitives used to ensure privacy over a communication channel. Although the idea of such constructions has been known since the middle of the last century, a serious investigation of stream ciphers started only around 20 years ago. The building blocks used in these primitives have always been evolving, from Boolean functions to the currently attractive nonlinear feedback shift registers. Cryptanalysis techniques for such building blocks have been accumulated from various research results, helping people to choose building blocks for stream ciphers properly.
In recent years, many stream cipher designs have been proposed in an effort to find a proper candidate to be chosen as a world standard for data encryption. This includes the work done during the two European projects NESSIE and eSTREAM. Such a candidate should be proven good by time and by the results of cryptanalysis. In fact, different methods of analysis explain how a stream cipher should be constructed. Therefore, techniques for cryptanalysis are important.
In this seminar, we will focus on two principles for the construction of stream ciphers: primitives based on linear and on nonlinear feedback shift registers, such as SNOW 2.0, Grain and Trivium. Various linear cryptanalysis techniques will be considered, such as distinguishing and correlation attacks. In relation to practical bottlenecks in cryptanalysis, a class of pseudo-linear functions will be introduced. The importance of fast Fourier and Hadamard transforms in cryptanalysis will be shown.

Introduction to Time/Memory Trade-off Cryptanalysis
by Sourav Mukopadhyay (INRIA)
Date and place: May 10th 2006, 13h-14h, in Room BS 004
Summary: The basic goal of a cryptanalytic attack is to recover the secret key from publicly available information. Very often a successful attack exploits a weakness in the design of the specific algorithm being considered. For example, linear and differential attacks try to find linear and differential characteristics between the plaintext and the ciphertext for a given encryption algorithm. A generic approach to cryptanalysis views the encryption function as a black box, i.e., it does not utilize information about how the function is constructed. The simplest generic attack is to try every possible key until the correct one is found. This is called an exhaustive search attack. The importance of such an approach arises from the fact that if a cryptographic algorithm is not secure against exhaustive search, then it cannot be considered secure at all. The main disadvantage of exhaustive search is that it has to be repeated separately for each target. To address this problem, Hellman introduced the time/memory trade-off (TMTO) attack, which enables one to perform an exhaustive search once in an offline precomputation phase. The actual attack, i.e., finding the key corresponding to a target, is done in an online phase with table lookups and is significantly faster than exhaustive search. Also, one can repeat the attack on different targets without going through the pre-computation each time. A TMTO attack is a generic attack which can be carried out against any one-way function. The online target consists of an image y, and the goal of the attack is to find an x such that f(x) = y, x being the secret key (pre-image) from a key space of size N corresponding to the target y.

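A compact implementation of the Hellman table the summary above describes, added here as an example and not taken from the talk. The one-way function (SHA-256 truncated to a 16-bit key space), the chain count m and the chain length t are constructed for the example; with a single table of m*t = N the reader can see both the online speed-up over exhaustive search and the loss of coverage caused by merging chains.

```python
"""Hellman time/memory trade-off (added example; not from the talk).

Offline: build m chains x_0 -> f(x_0) -> ... -> f^t(x_0) from distinct
start points and store only (endpoint -> start point).  Online: given a
target y = f(x), apply f up to t times; each time a stored endpoint is hit,
regenerate that chain from its start point and check the candidate.
The toy one-way function maps a 16-bit key space onto 16 bits, so exhaustive
search costs N = 2^16 evaluations per target, while the online phase costs
about t evaluations plus t more per endpoint hit.  Parameters are constructed.
"""
import hashlib
import random

N_BITS = 16
N = 1 << N_BITS


def f(x):
    """Toy one-way function on the 16-bit key space (SHA-256 truncated to 16 bits)."""
    digest = hashlib.sha256(x.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big")


def f_iter(x, steps):
    """Apply f `steps` times."""
    for _ in range(steps):
        x = f(x)
    return x


def build_table(m, t):
    """Offline precomputation: m chains of length t; keep endpoint -> [start points].

    Chains may merge and end in the same point, so each endpoint maps to a list.
    Memory is O(m) entries, time is O(m*t) evaluations of f.
    """
    table = {}
    for i in range(m):
        start = (i * 0x9E37) % N          # distinct, spread-out start points
        table.setdefault(f_iter(start, t), []).append(start)
    return table


def online_attack(table, y, t):
    """Online phase: return x with f(x) == y using the table, or None if not covered.

    If x sits at position k of some chain, then y = x_{k+1} and f^(t-1-k)(y) is
    that chain's endpoint; walking t-1-k steps from the start point recovers x.
    Every candidate is verified, which rules out false alarms from merged chains.
    """
    z = y
    for j in range(t):
        for start in table.get(z, ()):
            candidate = f_iter(start, t - 1 - j)
            if f(candidate) == y:
                return candidate
        z = f(z)
    return None


def coverage(table, t, trials, seed=0):
    """Fraction of random targets the table recovers (shows the m*t vs N trade-off)."""
    rng = random.Random(seed)
    found = 0
    for _ in range(trials):
        x = rng.randrange(N)
        found += online_attack(table, f(x), t) is not None
    return found / trials


if __name__ == "__main__":
    M, T = 256, 256                       # m*t = N, but merges reduce real coverage
    table = build_table(M, T)
    key = f_iter(0, 5)                    # a key known to lie on the first chain
    print("recovered key:", online_attack(table, f(key), T) == key)
    print("coverage of 200 random targets:", coverage(table, T, 200))
```

Because a single table covers well under m*t distinct keys once chains start merging, Hellman's full construction uses many tables with different reduction functions; the rainbow-table variant replaces them with one table whose reduction function changes per column. Both are a few lines on top of this skeleton.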
Elliptic Curve Public Key Cryptography and Pairings
by Ratna Dutta (ENSTA)
Date and place: May 10th 2006, 14h-15h, in Room BS 004
Summary: Earlier, bilinear pairings, namely the Weil pairing and the Tate pairing of algebraic curves, were used in cryptography to reduce the discrete logarithm problem on some elliptic or hyperelliptic curve to the discrete logarithm problem in a finite field. In recent years, bilinear pairings have found positive applications in cryptography to construct new cryptographic primitives. Since the publication of the breakthrough results by Joux (on key agreement), by Boneh and Franklin (on ID-based encryption) and by Boneh, Lynn and Shacham (on short signatures), there has been a spurt in research on pairing-based cryptography. In this presentation, we will mainly concentrate on providing a brief overview of elliptic curves and pairings from a mathematical point of view.

Design and analysis of hash functions
by Hirotaka Yoshida (Hitachi)
Date and place: March 13th 2006, 11h-12h, in Room BC 012
Summary: Hash functions are important cryptographic primitives which have been used in many applications, such as digital signatures and message authentication codes. This talk starts with an introduction to hash functions: how they are defined, what kind of security requirements they need to satisfy, and how they are designed in principle. Next, the talk explains the analysis of hash functions: what the attacker models look like and what the attacks aim to achieve. Finally, the talk presents recent advances in this area, discussing several break-through results on well-known hash functions like SHA-1 and MD5, and tries to identify what the problems in those hash functions are.

Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log
by Pascal Paillier (Gemplus/Gemalto)
Date and place: February 8th 2006, 11h-12h, in Room BS 004
Summary: We provide evidence that the unforgeability of several discrete-log based signatures such as Schnorr signatures *cannot* be equivalent to the discrete log problem in the standard model. This contradicts in nature well-known proofs standing in weakened proof methodologies, in particular proofs employing various formulations of the Forking Lemma in the random oracle model. Our impossibility proofs apply to many discrete-log-based signatures like ElGamal signatures and their extensions, DSA, ECDSA and KCDSA as well as standard generalizations of these, and even RSA-based signatures like GQ.

Lattice attacks on RSA: an overview
by Alexander May
Date and place: June 30th 2005, 10h30-11h30, in Room BS 001
Summary: We show several attacks on RSA with keys of a special structure. This implies that certain parts of RSA's key space should not be used in practice. The method of our choice is Coppersmith's method for finding small roots of polynomial equations, which in turn is based on the famous LLL lattice reduction algorithm. In particular, we show how to obtain the following results within the framework of Coppersmith's method:
- Wiener/Boneh-Durfee attack and generalizations
- Computing the RSA secret key is deterministic polynomial-time equivalent to factoring
- Partial Key Exposure Attacks on RSA
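The first item in the list above, Wiener's attack, as an added example that is not part of the abstract or the speaker's own work: it recovers a deliberately small private exponent d from (e, N) alone with continued fractions, the elementary form of the attack that the Boneh-Durfee lattice extension improves upon (Coppersmith's method is not implemented here). The key, built from the primes 2^64 - 59 and 2^63 - 25 with d around 2^28, is constructed for the example, and so is the function that produces it.

```python
"""Wiener's small-private-exponent attack on RSA (added example; not from the talk).

Since e*d = 1 + k*phi(N) and phi(N) is close to N, the fraction k/d is a
very good approximation of e/N.  If d < N^(1/4)/3 with balanced primes, k/d
is one of the continued fraction convergents of e/N.  Each convergent is
tried as a candidate (k, d): recover phi = (e*d - 1)/k, then p + q = N - phi + 1,
and solve the quadratic x^2 - (p+q)x + N = 0 for p and q.
The toy key below is constructed for the example.
"""
from math import gcd, isqrt

P = (1 << 64) - 59      # prime, constructed key material for the example
Q = (1 << 63) - 25      # prime; Q < P < 2Q, so the primes are balanced


def make_weak_rsa_key(p, q, d_min):
    """Build an RSA key with a deliberately small private exponent d >= d_min."""
    phi = (p - 1) * (q - 1)
    d = d_min | 1
    while gcd(d, phi) != 1:
        d += 2
    e = pow(d, -1, phi)          # Python 3.8+: modular inverse
    return p * q, e, d


def convergents(num, den):
    """Yield successive convergents h/k of the continued fraction of num/den."""
    h_prev, h = 0, 1
    k_prev, k = 1, 0
    while den:
        a, rem = divmod(num, den)
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k
        num, den = den, rem


def wiener_attack(e, n):
    """Return (d, p, q) if a convergent of e/N exposes a small d, else None."""
    for k, d in convergents(e, n):
        if k == 0:
            continue                     # the leading 0/1 convergent
        if (e * d - 1) % k:
            continue                     # k must divide e*d - 1
        phi = (e * d - 1) // k
        s = n - phi + 1                  # equals p + q if phi is correct
        disc = s * s - 4 * n
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r != disc or (s + r) % 2:
            continue                     # roots must be integers
        p, q = (s + r) // 2, (s - r) // 2
        if p * q == n:
            return d, p, q
    return None


if __name__ == "__main__":
    n, e, d = make_weak_rsa_key(P, Q, 1 << 28)   # d ~ 2^28, below N^(1/4)/3 ~ 2^30
    print("weak key recovered:", wiener_attack(e, n) == (d, P, Q))
    print("e = 65537, large d:", wiener_attack(65537, n))
```

The second call shows the flip side: with a standard public exponent and hence a full-size d, no convergent survives the checks, so the attack reports nothing. Keeping d large is not sufficient for security in general, but a small d is a self-inflicted wound.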