Time filter

Source Type

Leuven, Belgium

Dai Y.,Tsinghua University | Lee J.,Sejong University | Mennink B.,ESAT COSIC | Steinberger J.,Tsinghua University
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2014

Multiple encryption - the practice of composing a blockcipher several times with itself under independent keys - has received considerable attention of late from the standpoint of provable security. Despite these efforts proving definitive security bounds (i.e., with matching attacks) has remained elusive even for the special case of triple encryption. In this paper we close the gap by improving both the best known attacks and best known provable security, so that both bounds match. Our results apply for arbitrary number of rounds and show that the security of ℓ-round multiple encryption is precisely exp(k+min{k(ℓ′-2)/2), n(ℓ′-2)/ℓ′}) where exp(t) = 2t and where ell;′ = 2⌈ell;/2⌉ is the smallest even integer greater than or equal to ℓ, for all ℓ ≥ 1. Our technique is based on Patarin's H-coefficient method and relies on a combinatorial result of Chen and Steinberger originally required in the context of key-alternating ciphers. © 2014 International Association for Cryptologic Research.

Braeken A.,Erasmushoge school | Singelee D.,ESAT COSIC
Ad-Hoc and Sensor Wireless Networks | Year: 2013

To provide healthcare to large heterogeneous populations, one envisions new ways of remote healthcare monitoring in the form of ubiquitous and pervasive healthcare systems. However, the widespread deployment of this technology will depend on the extent to which security and privacy can be guaranteed. In this article, we propose a set of efficient, practical and scalable cryptographic protocols for wireless body sensor networks. Taking into account the computational resources of the sensors, the cryptographic operations performed by the latter exclusively rely on symmetric key cryptography. Our communication protocols guarantee data confidentiality, data authentication, and location privacy of the patient. In addition, we propose an authorization scheme based on time frames. This restricts the doctor's access to the patient's medical data in time, and explicitly enforces the minimal data disclosure principle. Our proposed remote monitoring system outperforms the current stateof- the-art, since it offers security and privacy protection, efficiency and scalability. ©2013 Old City Publishing, Inc.

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2012

The idea of double block length hashing is to construct a compression function on 2n bits using a block cipher with an n-bit block size. All optimally secure double length hash functions known in the literature employ a cipher with a key space of double block size, 2n-bit. On the other hand, no optimally secure compression functions built from a cipher with an n-bit key space are known. Our work deals with this problem. Firstly, we prove that for a wide class of compression functions with two calls to its underlying n-bit keyed block cipher collisions can be found in about 2n/2 queries. This attack applies, among others, to functions where the output is derived from the block cipher outputs in a linear way. This observation demonstrates that all security results of designs using a cipher with 2n-bit key space crucially rely on the presence of these extra n key bits. The main contribution of this work is a proof that this issue can be resolved by allowing the compression function to make one extra call to the cipher. We propose a family of compression functions making three block cipher calls that asymptotically achieves optimal collision resistance up to 2n(1-ε) queries and preimage resistance up to 23n(1-ε)/2 queries, for any ε > 0. To our knowledge, this is the first optimally collision secure double block length construction using a block cipher with single length key space. © International Association for Cryptologic Research 2012.

Ashur T.,ESAT COSIC | Dunkelman O.,Haifa University
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2013

The MMB block cipher (Modular Multiplication-based Block cipher) is an iterative block cipher designed by Daemen, Govaerts, and Vandewalle in 1993 as an improvement of the PES and IPES ciphers. In this paper we present several new related-key differential characteristics of MMB. These characteristics can be used to form several related-key boomerangs to attack the full MMB. Using 2 20 adaptive chosen plaintexts and ciphertexts we recover all key bits in 235.2 time for the full MMB. Our attack was experimentally verified, and it takes less than 15 minutes on a standard Intel i5 machine to recover the full MMB key. After showing this practical attack on the full key of the full MMB, we present attacks on extended versions of MMB with up to 8 rounds (which is two more rounds than in the full MMB). We recover 64 out of the 128 key in time of 232.2 for 7-round MMB, and time of 232 for 8-round MMB using 220 plaintexts. © Springer International Publishing 2013.

Andreeva E.,ESAT COSIC | Bogdanov A.,Technical University of Denmark | Luykx A.,ESAT COSIC | Mennink B.,ESAT COSIC | And 3 more authors.
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2014

Scenarios in which authenticated encryption schemes output decrypted plaintext before successful verification raise many security issues. These situations are sometimes unavoidable in practice, such as when devices have insufficient memory to store an entire plaintext, or when a decrypted plaintext needs early processing due to real-time requirements.We introduce the first formalization of the releasing unverified plaintext (RUP) setting. To achieve privacy, we propose using plaintext awareness (PA) along with IND-CPA. An authenticated encryption scheme is PA if it has a plaintext extractor, which tries to fool adversaries by mimicking the decryption oracle, without the secret key. Releasing unverified plaintext to the attacker then becomes harmless as it is infeasible to distinguish the decryption oracle from the plaintext extractor. We introduce two notions of plaintext awareness in the symmetric-key setting, PA1 and PA2, and show that they expose a new layer of security between IND-CPA and IND-CCA. To achieve integrity, INT-CTXT in the RUP setting is required, which we refer to as INT-RUP. These new security notions are compared with conventional definitions, and are used to make a classification of symmetric-key schemes in the RUP setting. Furthermore, we re-analyze existing authenticated encryption schemes, and provide solutions to fix insecure schemes. © International Association for Cryptologic Research 2014.

Discover hidden collaborations