
Martin Albrecht


Elena Andreeva


Frederik Armknecht

Title: On group-homomorphic encryption

Abstract

Group homomorphic encryption represents one of the most important building blocks in modern cryptography. It forms the basis of widely-used, more sophisticated primitives, such as CCA2-secure encryption or secure multiparty computation.

In this talk, we present various recent results on group-homomorphic encryption schemes, such as a security characterization in terms of an algebraic problem, a complete characterization (both in terms of security and design) of a specific sub-class called shift-type, and the general impossibility of group homomorphic encryption in the presence of quantum adversaries. Furthermore, we point out some connections to fully-homomorphic encryption schemes and state several research directions.

Slides: PDF

Gilles van Assche

Title: Differential Power Analysis and Keccak

Abstract: We analyze the security of straightforward and three-share hardware implementations of Keccak against differential power analysis. We generalize this to any cryptographic primitive that is implemented as a sequence of quadratic functions. Starting from the analytical treatment of such distinguishers and information-theoretic arguments, we derive the success probability and required number of traces in the presence of algorithmic noise.

Joint talk with Joan and Michaël.

slides

Jean-Philippe Aumasson

Title: BLAKE2

Abstract: We present the cryptographic hash function BLAKE2, an improved version of the SHA-3 finalist BLAKE optimized for speed in software. Target applications include cloud storage, intrusion detection, or version control systems. BLAKE2 comes in two main flavors: BLAKE2b is optimized for 64-bit platforms, and BLAKE2s for smaller architectures. On 64-bit platforms, BLAKE2 is often faster than MD5, yet provides security similar to that of SHA-3. We specify parallel versions BLAKE2bp and BLAKE2sp that are up to 4 and 8 times faster, by taking advantage of SIMD and/or multiple cores. BLAKE2 has more benefits than just speed: BLAKE2 uses up to 32% less RAM than BLAKE, and comes with a comprehensive tree-hashing mode as well as an efficient MAC mode.

This is a joint work with Samuel (@sevenps), Zooko (@zooko), and Chris (@codesinchaos).

Slides: PDF

Steve Babbage

Title: Choosing new authentication and key generation algorithms for mobiles

Abstract

I chair the group that specifies crypto algorithms for the GSM/GPRS/UMTS/LTE family of mobile phone standards. This is a talk about some practical considerations when choosing a new set of authentication and key generation algorithms for mobile devices. This is work in progress: I will be asking for advice from the audience, and your feedback can help to influence what we choose.

Slides: slides

Eli Biham


Céline Blondeau

Title: Using Multiple Differentials... On the LLR and chi^2 Statistical Tests.

Abstract: In parallel to similar extensions in linear cryptanalysis, a few papers about multiple differential cryptanalysis of block ciphers have recently been published. In the recent works published at SAC 2012 and SCN 2012, different and complementary approaches to using information from multiple differentials were presented. During this presentation we will explain how the LLR and the chi^2 statistical tests can be used in the differential cryptanalysis context to handle information from a number of differentials or truncated differentials. We present and compare different techniques, classify them into families and discuss their relevance for cryptanalysis in light of available experimental results.

Joint work with Benoit Gérard and Kaisa Nyberg

Slides

Andrey Bogdanov


Ioana Boureanu

Title: On the Need for Provably Secure Distance Bounding

Abstract: Distance-bounding is a practical solution to prevent relay attacks. Yet, security models are not well-established. We will briefly show recent techniques that expose serious distance-frauds, mafia-frauds, and/or terrorist-frauds on distance-bounding protocols that were proved/claimed to resist such attacks. We show, at a high level, what sort of formal model/requirements would be needed in order to move towards secure distance-bounding.

Joan Daemen

Title: Differential Power Analysis and Keccak

Abstract: We analyze the security of straightforward and three-share hardware implementations of Keccak against differential power analysis. We generalize this to any cryptographic primitive that is implemented as a sequence of quadratic functions. Starting from the analytical treatment of such distinguishers and information-theoretic arguments, we derive the success probability and required number of traces in the presence of algorithmic noise.

Joint talk with Gilles and Michaël.

slides

Itai Dinur

Title

Exploiting Symmetry in Collision Attacks on Round-Reduced SHA-3

slides

Orr Dunkelman

Title: New Directions in Dividing: Le Fabuleux Destin d'MISTY1 (The Case of MISTY1)

Abstract: MISTY1 is a block cipher designed by Matsui in 1997. It is widely deployed in Japan, where it is an e-government standard, and is recognized internationally as a NESSIE-recommended cipher as well as an ISO standard and an RFC. Moreover, MISTY1 was selected to be the blueprint on top of which KASUMI, the GSM/3G block cipher, was based. Since its introduction, and especially in recent years, MISTY1 has been subjected to extensive cryptanalytic efforts, which resulted in numerous attacks on its reduced variants. Most of these attacks aimed at maximizing the number of attacked rounds, and as a result, their complexities are highly impractical.

In this work we pursue another direction, by focusing on attacks with a practical time complexity. The best previously-known attacks with practical complexity against MISTY1 could break either 4 rounds (out of 8), or 5 rounds in a modified variant in which some of the $FL$ functions are removed. We present an attack on 5-round MISTY1 with all the $FL$ functions present whose time complexity is $2^{38}$ encryptions. When the $FL$ functions are removed, we present a devastating related-key attack on the full 8-round variant, requiring only $2^{18}$ data and time.

While our attacks clearly do not compromise the security of the full MISTY1, they expose several weaknesses in MISTY1's components and improve our understanding of its security. Moreover, future designs which rely on MISTY1 as their base should take these issues into close consideration.

Joint talk with Nathan Keller.

slides

Christian Forler

Title: OCFB: Output Ciphertext Feedback Mode. Authenticated Encryption Without a Block Cipher

Abstract: We introduce the first authenticated encryption scheme based on a hash function, called OCFB. This research has been motivated by the challenge to fit secure cryptography into constrained devices: some of these devices have to use a hash function anyway, and the challenge is to avoid the usage of an additional block cipher to provide authenticated encryption. The OCFB scheme satisfies the common security requirements regarding authenticated encryption, i.e., IND-CPA and INT-CTXT security. Beyond that, it provides the following additional security features: resistance against side-channel attacks and misuse-resistance. It also supports failure-friendly authentication under reasonable assumptions.

Slides:

Henri Gilbert

Title

An Untwisted Representation of AES

Slides

slides

Johann Großschädl

Topic: Hardware/Software Co-Design of Lightweight Elliptic Curve Cryptography for the Internet of Things

Abstract: The talk will be about a small 8-bit AVR-compatible processor that we designed from scratch so that we can include some hardware support for speeding up ECC. We have achieved some interesting results: our processor is fully AVR (i.e. ATmega128) compatible, has a size of only 20k gates and is able to perform a 160-bit scalar multiplication in only 1 million cycles, all of which compares very well with the ECC hardware for RFID that was mentioned in the talk by Jens Hermans. We also have some interesting results about the power consumption and energy requirements of ECC.

Slides: Johann-ESC2013.pdf

Jens Hermans

Title: RFID Authentication: security, privacy and the real world.

Abstract: A cheap wireless device that responds to every query it receives and maybe even authenticates. It's becoming the classical recipe for tracing goods in supply chains, ticketing, access control... In this talk we look at the different security and privacy threats and the protocols presented in research. We also discuss recent solutions from industry.

Tetsu Iwata

Title: On the Counter Collision Probability of GCM

Abstract: A counter collision in GCM is a bad event in the sense that, once it occurs, partial information about plaintexts can leak. Both upper and lower bounds on the counter collision probability are known, and there is a large gap between them. In this talk, we narrow the gap by finding a better lower bound.

Joint work with Keisuke Ohashi and Yuichi Niwa

Antoine Joux

Title: New discrete logarithm results

Abstract

Many index calculus algorithms generate multiplicative relations between smoothness basis elements by using a process called sieving. This process allows potential candidate relations to be filtered very quickly, without spending too much time on bad candidates. However, from an asymptotic point of view, there is not much difference between sieving and straightforward testing of candidates. The reason is that even when sieving, some small amount of time is spent on each bad candidate. Thus, asymptotically, the total number of candidates contributes to the complexity.

In this talk, we introduce a new technique which allows us to construct multiplicative relations much faster, thus reducing the asymptotic complexity of relation construction. We illustrate the feasibility of the method with a discrete logarithm record in medium prime finite fields of sizes 1175 bits and 1425 bits.

Title: Improved attack on the Even-Mansour construction

Abstract

Pascal Junod

Title: QCrypt: Implementing a Next-Generation Quantum Key Distillation Engine in Practice

Abstract

We will describe the design and implementation of the QCrypt QKD engine, and go into details on all the (security|engineering) aspects that had (engineering|security) impacts.

Joint work with A. Burg, J. Constantin, Ch. Portmann, R. Houlmann, Ch. L. Ci Wen, N. Walenta, H. Zbinden, N. Kulesza

Slides: slides

Dmitry Khovratovich

Title: Key wrapping with the Keccak permutation

Abstract: We propose a deterministic authenticated encryption mode aimed at encrypting session keys up to 1200 bits long, which also handles associated data. Our goal is to use as simple a construction as possible to achieve 128-bit security within the DAE concept introduced by Rogaway and Shrimpton.

Slides: slides

Lars Knudsen


Matthias Krause


Gregor Leander

Title

Bounds in Shallows and in Miseries

(Bounds on Differential Characteristics for Fixed Permutations)

slides

Gaetan Leurent

Title: Differential Attacks against ARX Designs

Abstract:

In this talk, we study differential attacks against ARX schemes. We build upon the generalized characteristics of De Cannière and Rechberger; we introduce new multi-bit constraints to describe differential characteristics in ARX designs more accurately, and quartet constraints to analyze boomerang attacks. We describe an efficient way to propagate multi-bit constraints, which allows us to use the complete set of 2^32 2.5-bit constraints.

We have developed a set of tools for this analysis of ARX primitives based on this set of constraints. We show that the new constraints are more precise than what was used in previous works, and can detect several cases of incompatibility. In particular, we show that several published attacks are in fact invalid because the differential characteristics cannot be satisfied. This highlights the importance of verifying differential attacks more thoroughly.

Moreover, we are able to automatically build complex non-linear differential characteristics for reduced versions of the hash function Skein. We describe several characteristics for use in various attack scenarios; this results in attacks with a relatively low complexity in relatively strong settings. In particular, we show practical free-start and semi-free-start collision attacks for 20 rounds and 12 rounds of Skein-256, respectively. To the best of our knowledge, these are the first examples of complex differential trails built for pure ARX designs.

Links

slides

ARXtools homepage: mirror1 mirror2

Stefan Lucks

Title

Tree Hashing

slides

Meiqin Wang

Title: Zero-Correlation Linear Cryptanalysis of Reduced-Round Camellia and CLEFIA

Abstract: Zero-correlation linear cryptanalysis has been proposed, and some techniques have been studied, such as the multidimensional zero-correlation distinguisher and the integral distinguisher. In this talk, we show how to use the FFT technique to reduce the time complexity of zero-correlation cryptanalysis and give attacks on Camellia-128 and Camellia-192. At the same time, multidimensional zero-correlation linear attacks on CLEFIA-192 and CLEFIA-256 are given.

Authors: Andrey Bogdanov, Meiqin Wang

Willi Meier

Title: Near-colliding Keys in RC4

Abstract: The search for key collisions in the RC4 stream cipher has been an active area. We investigate near-colliding keys that lead to related states after key scheduling and related key stream bytes. Our investigation reveals that near-colliding states do not necessarily lead to near-colliding key streams. Motivated by this, we present practical methods to find a related key pair with differences in two bytes that leads to a large number of matches in the initial key stream. In the process, we discover a class of related-key distinguishers for RC4. The best of these shows that given a random key and a key related to it (the last two bytes increased and decreased by 1, respectively), the first pair of bytes corresponding to the related keys are the same with significant probability (e.g., approximately 0.011 for 16-byte keys to 0.044 for 30-byte keys).

Slides: Nearcollisionrc4.pdf

Florian Mendel


Bart Mennink

Title: Impossibility Results for Indifferentiability with Resets

Abstract: The indifferentiability framework of Maurer, Renner, and Holenstein (MRH) has gained immense popularity in recent years and has proved to be a powerful way to argue security of cryptosystems that enjoy proofs in the random oracle model. Recently, however, Ristenpart, Shacham, and Shrimpton (RSS) showed that the composition theorem of MRH has a more limited scope than originally thought, and that extending its scope required the introduction of reset-indifferentiability, a notion which no practical domain extenders satisfy with respect to random oracles. In light of the results of RSS, we set out to rigorously tackle the specifics of indifferentiability and reset-indifferentiability by viewing the notions as special cases of a more general definition. Our contributions are twofold. Firstly, we provide the necessary formalism to refine the notion of indifferentiability regarding composition. By formalizing the definition of stage minimal games we expose new notions lying in between regular indifferentiability (MRH) and reset-indifferentiability (RSS). Secondly, we answer the open problem of RSS by showing that it is impossible to build any domain extender which is reset-indifferentiable from a random oracle. This result formally confirms the intuition that reset-indifferentiability is too strong of a notion to be satisfied by any hash function. As a consequence we look at the weaker notion of single-reset-indifferentiability, yet there as well we demonstrate that there are no meaningful domain extenders which satisfy this notion. Not all is lost though, as we also view indifferentiability in a more general setting and point out the possibility for different variants of indifferentiability.

Authors: Atul Luykx, Elena Andreeva, Bart Mennink, and Bart Preneel

Shiho Moriai


Maria Naya-Plasencia


Kaisa Nyberg

Title

Computing Averages over Fixed Inputs and Links between Linear and Differential Attacks

slides

Michael Peeters

Title: Differential Power Analysis and Keccak

Abstract: We analyze the security of straightforward and three-share hardware implementations of Keccak against differential power analysis. We generalize this to any cryptographic primitive that is implemented as a sequence of quadratic functions. Starting from the analytical treatment of such distinguishers and information-theoretic arguments, we derive the success probability and required number of traces in the presence of algorithmic noise.

Joint talk with Joan and Gilles.

slides

Thomas Peyrin


Christian Rechberger


Greg Rose

Title

A new efficient construction for wide S-boxes

Abstract

I have been searching for a wide, computable S-box construction for some time. My previous attempt was seriously flawed. Recently I became aware of a construction based on Hidden Weighted Bit Functions, which have some provable and desirable properties. During the presentation it became clear that there are also some remaining undesirable properties. Work continues.

Peter Ryan


Yu Sasaki

Title:

Meet-in-the-Middle Attacks on Feistel Functions: Impact of Omitting the Last Network Twist

Abstract:

Several block ciphers omit the network twist in the last round. This makes the encryption and decryption algorithms symmetric and leads to some advantage for implementations, while it does not lower the provable security bound against differential and linear cryptanalysis. In this talk, it is shown that the omission of the last network twist can be a weakness against preimage attacks when such ciphers are used to build a compression function with some PGV mode.

Slides: PDF

Francois-Xavier Standaert

Title

New cipher designs for improved SCA resistance

slides

Serge Vaudenay

Title: Strong Privacy for RFID Systems from Plaintext-Aware Encryption

Abstract: In this talk we briefly survey the evolution of privacy protection in RFID protocols, then the model I presented at Asiacrypt'07. In this model, the strongest notion was proven to be impossible to achieve. Then, several relaxations were proposed. We finally change the definition slightly and show that strong privacy is feasible based on plaintext-aware encryption.

Slides

Vesselin Velichkov

Title

On the Construction of Partial Difference Distribution Tables for ARX Ciphers

Joint work with Alex Biryukov

slides

Ralf-Philipp Weinmann

Title

Abstract

Jakob Wenzel


Erik Zenner


Charles Bouillaguet


Bart Preneel


ESC 2013