Leuven, Belgium

Andreeva E.,ESAT COSIC | Bogdanov A.,Technical University of Denmark | Luykx A.,ESAT COSIC | Mennink B.,ESAT COSIC | And 3 more authors.
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2014

Scenarios in which authenticated encryption schemes output decrypted plaintext before successful verification raise many security issues. These situations are sometimes unavoidable in practice, such as when devices have insufficient memory to store an entire plaintext, or when a decrypted plaintext needs early processing due to real-time requirements. We introduce the first formalization of the releasing unverified plaintext (RUP) setting. To achieve privacy, we propose using plaintext awareness (PA) along with IND-CPA. An authenticated encryption scheme is PA if it has a plaintext extractor, which tries to fool adversaries by mimicking the decryption oracle, without the secret key. Releasing unverified plaintext to the attacker then becomes harmless as it is infeasible to distinguish the decryption oracle from the plaintext extractor. We introduce two notions of plaintext awareness in the symmetric-key setting, PA1 and PA2, and show that they expose a new layer of security between IND-CPA and IND-CCA. To achieve integrity, INT-CTXT in the RUP setting is required, which we refer to as INT-RUP. These new security notions are compared with conventional definitions, and are used to make a classification of symmetric-key schemes in the RUP setting. Furthermore, we re-analyze existing authenticated encryption schemes, and provide solutions to fix insecure schemes. © International Association for Cryptologic Research 2014.


Andreeva E.,ESAT COSIC | Bogdanov A.,Technical University of Denmark | Luykx A.,ESAT COSIC | Mennink B.,ESAT COSIC | And 3 more authors.
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2013

Online ciphers encrypt an arbitrary number of plaintext blocks and output ciphertext blocks which only depend on the preceding plaintext blocks. All online ciphers proposed so far are essentially serial, which significantly limits their performance on parallel architectures such as modern general-purpose CPUs or dedicated hardware. We propose the first parallelizable online cipher, COPE. It performs two calls to the underlying block cipher per plaintext block and is fully parallelizable in both encryption and decryption. COPE is proven secure against chosen-plaintext attacks assuming the underlying block cipher is a strong PRP. We then extend COPE to create COPA, the first parallelizable, online authenticated cipher with nonce-misuse resistance. COPA only requires two extra block cipher calls to provide integrity. The privacy and integrity of the scheme are proven secure assuming the underlying block cipher is a strong PRP. Our implementation with Intel AES-NI on a Sandy Bridge CPU architecture shows that both COPE and COPA are about 5 times faster than their closest competition: TC1, TC3, and McOE-G. This high factor of advantage emphasizes the paramount role of parallelizability on up-to-date computing platforms. © 2013 Springer-Verlag.


Dai Y.,Tsinghua University | Lee J.,Sejong University | Mennink B.,ESAT COSIC | Steinberger J.,Tsinghua University
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2014

Multiple encryption - the practice of composing a blockcipher several times with itself under independent keys - has received considerable attention of late from the standpoint of provable security. Despite these efforts, proving definitive security bounds (i.e., with matching attacks) has remained elusive even for the special case of triple encryption. In this paper we close the gap by improving both the best known attacks and the best known provable security, so that both bounds match. Our results apply for an arbitrary number of rounds and show that the security of ℓ-round multiple encryption is precisely exp(k + min{k(ℓ′−2)/2, n(ℓ′−2)/ℓ′}), where exp(t) = 2^t and where ℓ′ = 2⌈ℓ/2⌉ is the smallest even integer greater than or equal to ℓ, for all ℓ ≥ 1. Our technique is based on Patarin's H-coefficient method and relies on a combinatorial result of Chen and Steinberger originally required in the context of key-alternating ciphers. © 2014 International Association for Cryptologic Research.


Braeken A.,Erasmushoge school | Singelee D.,ESAT COSIC
Ad-Hoc and Sensor Wireless Networks | Year: 2013

To provide healthcare to large heterogeneous populations, one envisions new ways of remote healthcare monitoring in the form of ubiquitous and pervasive healthcare systems. However, the widespread deployment of this technology will depend on the extent to which security and privacy can be guaranteed. In this article, we propose a set of efficient, practical and scalable cryptographic protocols for wireless body sensor networks. Taking into account the computational resources of the sensors, the cryptographic operations performed by the latter exclusively rely on symmetric key cryptography. Our communication protocols guarantee data confidentiality, data authentication, and location privacy of the patient. In addition, we propose an authorization scheme based on time frames. This restricts the doctor's access to the patient's medical data in time, and explicitly enforces the minimal data disclosure principle. Our proposed remote monitoring system outperforms the current state-of-the-art, since it offers security and privacy protection, efficiency and scalability. ©2013 Old City Publishing, Inc.


Das A.,ESAT COSIC | Ege B.,Radboud University Nijmegen | Ghosh S.,Catholic University of Leuven | Ghosh S.,Intel Corporation | And 2 more authors.
IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems | Year: 2013

Test compression is widely used for reducing test time and cost of a very large scale integration circuit. It is also claimed to provide security against scan-based side-channel attacks. This paper pursues the legitimacy of this claim and presents scan attack vulnerabilities of test compression schemes used in commercial electronic design automation tools. A publicly available advanced encryption standard design is used and test compression structures provided by Synopsys, Cadence, and Mentor Graphics design for testability tools are inserted into the design. Experimental results of the differential scan attacks employed in this paper suggest that tools using X-masking and X-tolerance are vulnerable and leak information about the secret key. Differential scan attacks on these schemes have been demonstrated to have a best case success rate of 94.22% and 74.94%, respectively, for a random scan design. On the other hand, time compaction seems to be the strongest choice with the best case success rate of 3.55%. In addition, similar attacks are also performed on existing scan attack countermeasures proposed in the literature, thus experimentally evaluating their practical security. Finally, a suitable countermeasure is proposed and compared to the previously proposed countermeasures. © 1982-2012 IEEE.


Ashur T.,ESAT COSIC | Dunkelman O.,Haifa University
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2013

The MMB block cipher (Modular Multiplication-based Block cipher) is an iterative block cipher designed by Daemen, Govaerts, and Vandewalle in 1993 as an improvement of the PES and IPES ciphers. In this paper we present several new related-key differential characteristics of MMB. These characteristics can be used to form several related-key boomerangs to attack the full MMB. Using 2^20 adaptive chosen plaintexts and ciphertexts we recover all key bits in 2^35.2 time for the full MMB. Our attack was experimentally verified, and it takes less than 15 minutes on a standard Intel i5 machine to recover the full MMB key. After showing this practical attack on the full key of the full MMB, we present attacks on extended versions of MMB with up to 8 rounds (which is two more rounds than in the full MMB). We recover 64 out of the 128 key bits in time 2^32.2 for 7-round MMB, and in time 2^32 for 8-round MMB, using 2^20 plaintexts. © Springer International Publishing 2013.


Mennink B.,ESAT COSIC | Preneel B.,ESAT COSIC
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2012

We consider the family of 2n-to-n-bit compression functions that are solely based on at most three permutation executions and on XOR-operators, and analyze its collision and preimage security. Despite their elegance and simplicity, these designs are not covered by the results of Rogaway and Steinberger (CRYPTO 2008). By defining a carefully chosen equivalence relation on this family of compression functions, we obtain the following results. In the setting where the three permutations π1, π2, π3 are selected independently and uniformly at random, there exist at most four equivalence classes that achieve optimal 2^(n/2) collision resistance. Under a certain extremal graph theory based conjecture, these classes are then proven optimally collision secure. Three of these classes allow for finding preimages in 2^(n/2) queries, and only one achieves optimal 2^(2n/3) preimage resistance (with respect to the bounds of Rogaway and Steinberger, EUROCRYPT 2008). Consequently, a compression function is optimally collision and preimage secure if and only if it is equivalent to F(x1, x2) = x1 ⊕ π1(x1) ⊕ π2(x2) ⊕ π3(x1 ⊕ x2 ⊕ π1(x1)). For compression functions that make three calls to the same permutation we obtain a surprising negative result, namely the impossibility of optimal 2^(n/2) collision security: for any scheme, collisions can be found with 2^(2n/5) queries. This result casts some doubt over the existence of any (larger) secure permutation-based compression function built only on XOR-operators and (multiple invocations of) a single permutation. © 2012 International Association for Cryptologic Research.


Mennink B.,ESAT COSIC
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2012

The idea of double block length hashing is to construct a compression function on 2n bits using a block cipher with an n-bit block size. All optimally secure double length hash functions known in the literature employ a cipher with a key space of double block size, 2n bits. On the other hand, no optimally secure compression functions built from a cipher with an n-bit key space are known. Our work deals with this problem. Firstly, we prove that for a wide class of compression functions with two calls to their underlying n-bit keyed block cipher, collisions can be found in about 2^(n/2) queries. This attack applies, among others, to functions where the output is derived from the block cipher outputs in a linear way. This observation demonstrates that all security results of designs using a cipher with 2n-bit key space crucially rely on the presence of these extra n key bits. The main contribution of this work is a proof that this issue can be resolved by allowing the compression function to make one extra call to the cipher. We propose a family of compression functions making three block cipher calls that asymptotically achieves optimal collision resistance up to 2^(n(1-ε)) queries and preimage resistance up to 2^(3n(1-ε)/2) queries, for any ε > 0. To our knowledge, this is the first optimally collision secure double block length construction using a block cipher with single length key space. © International Association for Cryptologic Research 2012.


Luykx A.,ESAT COSIC | Mennink B.,ESAT COSIC | Preneel B.,ESAT COSIC | Winnen L.,ESAT COSIC
Journal of Mathematical Cryptology | Year: 2015

We consider the generic design of compression functions based on two n-bit permutations and XOR-based mixing functions. It is known that any such function mapping n+α to α bits, with 1 ≤ α ≤ n, can achieve at most min{2^(α/2), 2^(n/2 − α/4)} collision security. Using techniques similar to Mennink and Preneel [CRYPTO 2012, Lecture Notes in Comput. Sci. 7417, Springer, Heidelberg (2012), 330-347], we show that there is only one equivalence class of these functions achieving optimal collision security, and additionally min{2^α, 2^(n/2)} preimage security. The equivalence class compares well with existing functions based on two or three permutations, and is well-suited for wide-pipe hashing. © 2015 by De Gruyter.
