Atmel’s CryptoMemory devices are non-volatile memories with cryptographically secured access control. Recently, the authentication mechanism of these devices have been shown to be severely vulnerable. More precisely, to recover the secret key the published attack requires only two to six days of computation on a cluster involving 200 CPU cores. In this work, we identified and applied theoretica...

In this paper, we address the following problem: \ Is it possible to weaken/attack a scheme when a (provably) secure cryptosystem is used? ". The answer is yes. We exploit weak error-handling methods. Our attack relies on the cryptana-lyst being able to modify some ciphertext and then getting access to the decryption of this modiied ciphertext. and Re-iter 4] presented a serious weakness in the...

Initially, the use of pairings did not involve any secret entry. However in an Identity Based Cryptographic protocol, one of the two entries of the pairing is secret, so fault attack can be applied to Pairing Based Cryptography to nd it. In [18], the author shows that Pairing Based Cryptography in Weierstrass coordinates is vulnerable to a fault attack. The addition law in Edwards coordinates i...

We consider the security of message authentication code (MAC) algorithms, and the construction of MACs from fast hash functions. A new forgery attack applicable to all iterated MAC algorithms is described, the first known such attack requiring fewer operations than exhaustive key search. Existing methods for constructing MACs from hash functions, including the secret prefix, secret suffix, and ...

In this paper we study authenticated encryption algorithms inspired by the OCB mode (Offset Codebook). These algorithms use secret offsets (masks derived from a whitening key) to turn a block cipher into a tweakable block cipher, following the XE or XEX construction. OCB has a security proof up to 2 queries, and a matching forgery attack was described by Ferguson, where the main step of the att...

At Eurocrypt ’06, Nguyen and Regev presented a new key-recovery attack on the GoldreichGoldwasser-Halevi (GGH) lattice-based signature scheme: when applied to NTRUSign-251 without perturbation, the attack recovers the secret key given only 90,000 signatures. At the rump session, Whyte speculated whether the number of required signatures might be significantly decreased to say 1,000, due to the ...

Two techniques are introduced that enable sidechannel based reverse engineering of secret algorithms. The first is sign-extended differential power analysis (SDPA) while the second technique targets table lookups. The SDPA reveals values that collide with the DPA target value within the circuitry. The interpretation of those values can provide significant amounts of the information about the al...

Zero-knowledge proof (ZKP) plays an important role in authentication without revealing secret information. Diffie–Hellman (D-H) key exchange algorithm was developed to exchange secret keys through unprotected channels. Previously we have diffiehellmen key exchange algorithm. It has some security attacks like man in the middle attack to overcome this attack by using zero knowledge proof concepts...

We devise the first closed formula for the number of rounds of a blockcipher with secret components so that these components can be revealed using multiset, algebraic-degree, or division-integral properties, which in this case are equivalent. Using the new result, we attack 7 (out of 9) rounds of Kuznyechik, the recent Russian blockcipher standard, thus halving its security margin. With the sam...