Elliptic and Hyperelliptic Curve Arithmetic

Faster Halvings in Genus 2

Abstract

We study divisor class halving for hyperelliptic curves of genus 2 over binary fields. We present explicit halving formulas for the most interesting curves (from a cryptographic perspective), as well as all other curves whose group order is not divisible by 4. Each type of curve is characterized by the degree and factorization form of the polynomial h(x) in the curve equation. For each of these curves, we provide explicit halving formulæ for all possible divisor classes, and not only the most frequent case where the degree of the first polynomial in the Mumford representation is 2. In the optimal performance case, where h(x) = x, we also improve on the state-of-the-art and when h(x) is irreducible of degree 2, we achieve significant savings over both the doubling as well as the previously fastest halving formulas.

Peter Birkner, Nicolas Thériault

Efficient Pairing Computation on Genus 2 Curves in Projective Coordinates

Abstract

In recent years there has been much interest in the development and the fast computation of bilinear pairings due to their practical and myriad applications in cryptography. Well known efficient examples are the Weil and Tate pairings and their variants such as the Eta and Ate pairings on the Jacobians of (hyper-)elliptic curves. In this paper, we consider the use of projective coordinates for pairing computations on genus 2 hyperelliptic curves over prime fields. We generalize Chatterjee et. al.’s idea of encapsulating the computation of the line function with the group operations to genus 2 hyperelliptic curves, and derive new explicit formulae for the group operations in projective and new coordinates in the context of pairing computations. When applying the encapsulated explicit formulae to pairing computations on supersingular genus 2 curves over prime fields, theoretical analysis shows that our algorithm is faster than previously best known algorithms whenever a field inversion is more expensive than about fifteen field multiplications. We also investigate pairing computations on non-supersingular genus 2 curves over prime fields based on the new formulae, and detail the various techniques required for efficient implementation.

Xinxin Fan, Guang Gong, David Jao

On Software Parallel Implementation of Cryptographic Pairings

Abstract

A significant amount of research has focused on methods to improve the efficiency of cryptographic pairings; in part this work is motivated by the wide range of applications for such primitives. Although numerous hardware accelerators for pairing evaluation have used parallelism within extension field arithmetic to improve efficiency, thus far less emphasis has been placed on software exploitation of similar. In this paper we focus on parallelism within one pairing evaluation (intra-pairing), and parallelism between different pairing evaluations (inter-pairing). We identify several methods for exploiting such parallelism (extending previous results in the context of ECC) and show that it is possible to accelerate pairing evaluation by a significant factor in comparison to a naive approach.

Philipp Grabher, Johann Großschädl, Dan Page

Block Ciphers I

The Cryptanalysis of Reduced-Round SMS4

Abstract

In this paper we consider the cryptanalysis of the block cipher SMS4. The cipher has received much recent attention due its simplicity and prominence (it is used in wireless networks in China) and a range of differential attacks break up to 21 of the 32 rounds used in SMS4. Here we consider the application of linear cryptanalysis to the cipher and we demonstrate a simple attack on 22 rounds of SMS4. We also consider some advanced linear cryptanalytic techniques which, under the best conditions for the cryptanalyst, might (just) extend to 23 rounds.

Jonathan Etrog, Matt J. B. Robshaw

Building Secure Block Ciphers on Generic Attacks Assumptions

Abstract

Up to now, the design of block ciphers has been mainly driven by heuristic arguments, and little theory is known to constitute a good guideline for the development of their architecture. Trying to remedy this situation, we introduce a new type of design for symmetric cryptographic primitives with high self-similarity. Our design strategy enables to give a reductionist security proof for the primitive based on plausible assumptions regarding the complexity of the best distinguishing attacks on random Feistel schemes or other ideal constructions. Under these assumptions, the cryptographic primitives we obtain are perfectly secure against any adversary with computational resources less than a given bound. By opposition, other provably secure symmetric primitives, as for example C [3] and KFC [4], designed using information-theoretic results, are only proved to resist a limited (though significant) range of attacks. Our construction strategy leads to a large expanded key size, though still usable in practice (around 1 MB).

Jacques Patarin, Yannick Seurin

First Invited Talk

Lifting and Elliptic Curve Discrete Logarithms

Abstract

The difficulty of the elliptic curve discrete logarithm problem (ECDLP) underlies the attractiveness of elliptic curves for use in cryptography. The index calculus is a lifting algorithm that solves the classical finite field discrete logarithm problem in subexponential time, but no such algorithm is known in general for elliptic curves. It turns out that there are four distinct lifting scenarios that one can use in attempting to solve the ECDLP; the lifting field may be a local field or a global field, and the lifted points may be torsion points or nontorsion points. These choices lead to four quite different ways to try to solve the ECDLP via lifting. None of these approaches has led to a solution to the ECDLP, but each method has its own reasons for failing to work. In this article I survey the four ways of lifting the ECDLP, explain their similarities and their differences, and describe the distinct roadblocks that arise in each case.

Joseph H. Silverman

Hash Functions I

Preimage Attacks on One-Block MD4, 63-Step MD5 and More

Abstract

This paper shows preimage attacks on one-block MD4 and MD5 reduced to 63 (out of 64) steps. Our attacks are based on the meet-in-the-middle attack, and many additional improvements make the preimage computable faster than that of the brute-force attack, 2¹²⁸ hash computation. A preimage of one-block MD4 can be computed in the complexity of the 2¹⁰⁷ MD4 compression function computation, and a preimage of MD5 reduced to 63 steps can be computed in the complexity of the 2¹²¹ MD5 compression function computation. Moreover, we optimize the computational order of the brute-force attack against MD5, and a preimage of full-round MD5 can be computed in the complexity of the 2¹²⁷ MD5 compression function computation.

Kazumaro Aoki, Yu Sasaki

Preimage Attacks on 3-Pass HAVAL and Step-Reduced MD5

Abstract

This paper presents preimage attacks on the hash functions 3-pass HAVAL and step-reduced MD5. Introduced in 1992 and 1991 respectively, these functions underwent severe collision attacks, but no preimage attack. We describe two preimage attacks on the compression function of 3-pass HAVAL. The attacks have a complexity of about 2²²⁴ compression function evaluations instead of 2²⁵⁶. We present several preimage attacks on the MD5 compression function that invert up to 47 steps (out of 64) within 2⁹⁶ trials instead of 2¹²⁸. Although our attacks are not practical, they show that the security margin of 3-pass HAVAL and step-reduced MD5 with respect to preimage attacks is not as high as expected.

Jean-Philippe Aumasson, Willi Meier, Florian Mendel

Cryptanalysis of Tweaked Versions of SMASH and Reparation

Abstract

In this paper, we study the security of permutation based hash functions, i.e. blockcipher based hash functions with fixed keys. SMASH is such a hash function proposed by Knudsen in 2005 and broken the same year by Pramstaller et al. Here we show that the two tweaked versions, proposed soon after by Knudsen to thwart the attack, can also be attacked in collision in time ${\mathcal O}(n2^{n/3})$. This time complexity can be reduced to ${\mathcal O}(2^{2\sqrt{n}})$ for the first tweak version, which means an attack against SMASH-256 in c·2³² for a small constant c. Then, we show that an efficient generalization of SMASH, using two permutations instead of one, can be proved secure against collision in the ideal-cipher model in Ω(2^n/4) queries to the permutations. In order to analyze the tightness of our proof, we devise a non-trivial attack in ${\mathcal O}(2^{3n/8})$ queries. Finally, we also prove that our construction is preimage resistant in Ω(2^n/2) queries, which the best security level that can be reached for 2-permutation based hash functions, as proved in [12].

Pierre-Alain Fouque, Jacques Stern, Sébastien Zimmer

Mathematical Aspects of Applied Cryptography I

Counting Functions for the k-Error Linear Complexity of 2 n -Periodic Binary Sequences

Abstract

Linear complexity is an important measure of the cryptographic strength of key streams used in stream ciphers. The linear complexity of a sequence can decrease drastically when a few symbols are changed. Hence there has been considerable interest in the k-error linear complexity of sequences which measures this instability in linear complexity. For 2ⁿ-periodic sequences it is known that minimum number of changes needed per period to lower the linear complexity is the same for sequences with fixed linear complexity. In this paper we derive an expression to enumerate all possible values for the k-error linear complexity of 2ⁿ-periodic binary sequences with fixed linear complexity L, when k equals the minimum number of changes needed to lower the linear complexity below L. For some of these values we derive the expression for the corresponding number of 2ⁿ-periodic binary sequences with fixed linear complexity and k-error linear complexity when k equals the minimum number of changes needed to lower the linear complexity. These results are of importance to compute some statistical properties concerning the stability of linear complexity of 2ⁿ-periodic binary sequences.

Ramakanth Kavuluru, Andrew Klapper

On the Exact Success Rate of Side Channel Analysis in the Gaussian Model

Abstract

Nowadays, Side Channel Analysis is one of the most powerful cryptanalytic technique against cryptosystems embedded in portable devices such as smart cards. Faced with this threat, it is of crucial importance to precisely determine what is achievable by a given side channel adversary against a cryptosystem producing a given side channel leakage. This can be answered by evaluating the success rate of an attack according to the adversary capacities and to the leakage properties.

In this paper, we investigate the issue of evaluating the success rate of side channel analysis in the widely admitted Gaussian leakage model. We introduce a new approach that allows us to efficiently compute the success rate of an attack in this model and we apply it to the two main families of side channel analysis: differential side channel analysis and profiling side channel analysis.

Matthieu Rivain

Stream Ciphers Cryptanalysis

Algebraic and Correlation Attacks against Linearly Filtered Non Linear Feedback Shift Registers

Abstract

The filter generator is a well known and extensively studied stream cipher construction. It consists of a Linear Feedback Shift Register (LFSR) filtered by a non linear Boolean function. In this paper we focus on the dual construction, namely a linearly filtered Non linear Feedback Shift Register (NFSR). We show that the existing algebraic and correlation attacks against the filter generator can be transposed to mount algebraic or correlation attacks against this dual construction. We investigate such attacks and extend them to the case where a linearly filtered NFSR is combined linearly with one or more non linearly filtered LFSRs. We apply our algebraic attack to a modified version of Grain-128, resulting in an attack requiring 2¹⁰⁵ computations and 2³⁹ keystream bits. Even though this attack does not apply to the original Grain-128, it shows that the use of a NFSR is not sufficient to avoid all algebraic attacks.

Côme Berbain, Henri Gilbert, Antoine Joux

A Cache Timing Analysis of HC-256

Abstract

In this paper, we describe a cache-timing attack against the stream cipher HC-256, which is the strong version of eStream winner HC-128. The attack is based on an abstract model of cache timing attacks that can also be used for designing stream ciphers. From the observations made in our analysis, we derive a number of design principles for hardening ciphers against cache timing attacks.

Erik Zenner

An Improved Fast Correlation Attack on Stream Ciphers

Abstract

At Crypto’2000, Johansson and Jönsson proposed a fast correlation attack on stream ciphers based on the Goldreich-Rubinfeld-Sudan algorithm. In this paper we show that a combination of their approach with techniques for substituting keystream and evaluating parity-checks gives us the most efficient fast correlation attack known so far. An application of the new algorithm results in the first-known near-practical key recovery attack on the shrinking generator with the parameters suggested by Krawczyk in 1994, which was verified in the 40-bit data LFSR case for which the only previously known efficient attacks were distinguishing attacks.

Bin Zhang, Dengguo Feng

Hash Functions II

A Three-Property-Secure Hash Function

Abstract

This paper proposes a new hash construction based on the widely used Merkle-Damgård (MD) iteration [13,9]. It achieves the three basic properties required from a cryptographic hash function: collision (Coll), second preimage (Sec) and preimage (Pre) security. We show property preservation for the first two properties in the standard security model and the third Pre security property is proved in the random oracle model. Similar to earlier known hash constructions that achieve a form of Sec (eSec [16]) property preservation [4,17], we make use of fixed key material in the iteration. But while these hashes employ keys of size at least logarithmic in the message length (in blocks), we only need a small constant key size. Another advantage of our construction is that the underlying compression function is instantiated as a keyless primitive.

The Sec security of our hash scheme, however, relies heavily on the standard definitional assumption that the target messages are sufficiently random. An example of a practical application that requires Sec security and satisfies this definitional premise on the message inputs is the popular Cramer-Shoup encryption scheme [8]. Still, in practice we have other hashing applications where the target messages are not sampled from spaces with uniform distribution. And while our scheme is Sec preserving for uniform message distributions, we show that this is not always the case for other distributions.

Elena Andreeva, Bart Preneel

Analysis of the Collision Resistance of RadioGatúnUsing Algebraic Techniques

Abstract

In this paper, we present some preliminary results on the security of the RadioGatúnhash function. RadioGatúnhas an internal state of 58 words, and is parameterized by the word size, from one to 64 bits. We mostly study the one-bit version of RadioGatúnsince according to the authors, attacks on this version also affect the reasonably-sized versions. On this toy version, we revisit the claims of the designers and first improve some results. Secondly, given a differential path, we show how to find a message pair colliding more efficiently than the strategy proposed by the authors using algebraic techniques. We experimented this strategy on the one-bit version since we can efficiently find differential path by brute force. Even though the complexity of this collision attack is higher than the general security claim on RadioGatún〈1 〉, it is still less than the birthday paradox on the size of the internal state.

Charles Bouillaguet, Pierre-Alain Fouque

A Scheme to Base a Hash Function on a Block Cipher

Abstract

This article discusses the provable security of an iterated hash function using a block cipher. It assumes the construction using the Matyas-Meyer-Oseas (MMO) scheme for the compression function and the Merkle-Damgård with a permutation (MDP) for the domain extension transform. It is shown that this kind of hash function, MDP-MMO, is indifferentiable from the variable-input-length random oracle in the ideal cipher model. It is also shown that HMAC using MDP-MMO is a pseudorandom function if the underlying block cipher is a pseudorandom permutation under the related-key attack with respect to the permutation used in MDP. Actually, the latter result also assumes that the following function is a pseudorandom bit generator:

$$ (E_{IV}(K\oplus\texttt{opad})\oplus K\oplus\texttt{opad})\| (E_{IV}(K\oplus\texttt{ipad})\oplus K\oplus\texttt{ipad})\enspace, $$

where E is the underlying block cipher, IV is the fixed initial value of MDP-MMO, and opad and ipad are the binary strings used in HMAC. This assumption still seems reasonable for actual block ciphers, though it cannot be implied by the pseudorandomness of E as a block cipher. The results of this article imply that the security of a hash function may be reduced to the security of the underlying block cipher to more extent with the MMO compression function than with the Davies-Meyer (DM) compression function, though the DM scheme is implicitly used by the widely used hash functions such as SHA-1 and MD5.

Shoichi Hirose, Hidenori Kuwakado

Collisions and Other Non-random Properties for Step-Reduced SHA-256

Abstract

We study the security of step-reduced but otherwise unmodified SHA-256. We show the first collision attacks on SHA-256 reduced to 23 and 24 steps with complexities 2¹⁸ and 2^28.5, respectively. We give example colliding message pairs for 23-step and 24-step SHA-256. The best previous, recently obtained result was a collision attack for up to 22 steps. We extend our attacks to 23 and 24-step reduced SHA-512 with respective complexities of 2^44.9 and 2^53.0. Additionally, we show non-random behaviour of the SHA-256 compression function in the form of free-start near-collisions for up to 31 steps, which is 6 more steps than the recently obtained non-random behaviour in the form of a semi-free-start near-collision. Even though this represents a step forwards in terms of cryptanalytic techniques, the results do not threaten the security of applications using SHA-256.

Sebastiaan Indesteege, Florian Mendel, Bart Preneel, Christian Rechberger

Cryptography with Algebraic Curves

Public Verifiability from Pairings in Secret Sharing Schemes

Abstract

In this paper we propose a new publicly verifiable secret sharing scheme using pairings with close relations to Shoenmakers’ scheme. This scheme is efficient, multiplicatively homomorphic and with unconditional verifiability in the standard model. We formalize the notion of Indistinguishability of Secrets and prove that out scheme achieves it under the Decisional Bilinear Square (DBS) Assumption that is a natural variant of the Decisional Bilinear Diffie Hellman Assumption. Moreover, our scheme tolerates active and adaptive adversaries.

Somayeh Heidarvand, Jorge L. Villar

The Elliptic Curve Discrete Logarithm Problem and Equivalent Hard Problems for Elliptic Divisibility Sequences

Abstract

We define three hard problems in the theory of elliptic divisibility sequences (EDS Association, EDS Residue and EDS Discrete Log), each of which is solvable in sub-exponential time if and only if the elliptic curve discrete logarithm problem is solvable in sub-exponential time. We also relate the problem of EDS Association to the Tate pairing and the MOV, Frey-Rück and Shipsey EDS attacks on the elliptic curve discrete logarithm problem in the cases where these apply.

Kristin E. Lauter, Katherine E. Stange

Second Invited Talk – Stafford Tavares Lecture

The “Coefficients H” Technique

Abstract

The “coefficient H technique” is a tool introduced in 1991 and used to prove various pseudo-random properties from the distribution of the number of keys that sends cleartext on some ciphertext. It can also be used to find attacks on cryptographic designs. We can like this unify a lot of various pseudo-random results obtained by different authors. In this paper we will present this technique and we will give some examples of results obtained.

Jacques Patarin

Mathematical Aspects of Applied Cryptography II

Distinguishing Multiplications from Squaring Operations

Abstract

In this paper we present a new approach to attacking a modular exponentiation and scalar multiplication based by distinguishing multiplications from squaring operations using the instantaneous power consumption. Previous approaches have been able to distinguish these operations based on information of the specific implementation of the embedded algorithm or the relationship between specific plaintexts. The proposed attack exploits the expected Hamming weight of the result of the computed operations. We extrapolate our observations and assess the consequences for elliptic curve cryptosystems when unified formulæ for point addition are used.

Frederic Amiel, Benoit Feix, Michael Tunstall, Claire Whelan, William P. Marnane

Subquadratic Polynomial Multiplication over GF(2 m ) Using Trinomial Bases and Chinese Remaindering

Abstract

Following the previous work by Bajard-Didier-Kornerup, McLaughlin, Mihailescu and Bajard-Imbert-Jullien, we present an algorithm for modular polynomial multiplication that implements the Montgomery algorithm in a residue basis; here, as in Bajard et al.’s work, the moduli are trinomials over ${\mathbb{F}}_2$. Previous work used a second residue basis to perform the final division. In this paper, we show how to keep the same residue basis, inspired by l’Hospital rule. Additionally, applying a divide-and-conquer approach to the Chinese remaindering, we obtain improved estimates on the number of additions for some useful degree ranges.

Éric Schost, Arash Hariri

Bounds on Fixed Input/Output Length Post-processing Functions for Biased Physical Random Number Generators

Abstract

Post-processing functions are used to reduce the imperfectness of physical random number generators. At FSE ’07, Dichtl considered the case where the physical random number generator outputs independent bits that have a constant bias, and the post-processing function has fixed input and output lengths. In this paper, we first present a number of bounds on deg(n,m), which is a measure of the reduction of biases with n-bit input and m-bit output post-processing functions. We next show the exact values of deg(n,m) for a large class of (n,m) such that 1 ≤ m ≤ n ≤ 16, by using the bounds on deg(n,m) and a computer simulation. We finally discuss how we have derived these numerical values.

Kyohei Suzuki, Tetsu Iwata

Curve-Based Primitives in Hardware

HECC Goes Embedded: An Area-Efficient Implementation of HECC

Abstract

In this paper we describe a high performance, area-efficient implementation of Hyperelliptic Curve Cryptosystems over GF(2^m). A compact Arithmetic Logic Unit (ALU) is proposed to perform multiplication and inversion. With this ALU, we show that divisor multiplication using affine coordinates can be efficiently supported. Besides, the required throughput of memory or Register File (RF) is reduced so that area of memory/RF is reduced. We choose hyperelliptic curves using the parameters h(x) = x and $f(x)=x^5+f_3x^3+x^2+f_0$. The performance of this coprocessor is substantially better than all previously reported FPGA-based implementations. The coprocessor for HECC over GF(2⁸³) uses 2316 slices and 2016 bits of Block RAM on Xilinx Virtex-II FPGA, and finishes one scalar multiplication in 311 μs.

Junfeng Fan, Lejla Batina, Ingrid Verbauwhede

ECC Is Ready for RFID – A Proof in Silicon

Abstract

This paper presents the silicon chip ECCon, an Elliptic Curve Cryptography processor for application in Radio-Frequency Identification. The circuit is fabricated on a 180 nm CMOS technology. ECCon features small silicon size (15K GE) and has low power consumption (8.57 μW). It computes 163-bit ECC point-multiplications in 296k cycles and has an ISO 18000-3 RFID interface. ECCon’s very low and nearly constant power consumption makes it the first ECC chip that can be powered passively. This major breakthrough is possible because of a radical change in hardware architecture. The ECCon datapath operates on 16-bit words, which is similar to ECC instruction-set extensions. A number of innovations on the algorithmic and on the architectural level substantially increased the efficiency of 163-bit ECC. ECCon is the first demonstration that the proof of origin via electronic signatures can be realized on RFID tags in 180 nm CMOS and below.

Daniel Hein, Johannes Wolkerstorfer, Norbert Felber

Block Ciphers II

Cryptanalysis of a Generic Class of White-Box Implementations

Abstract

A white-box implementation of a block cipher is a software implementation from which it is difficult for an attacker to extract the cryptographic key. Chow et al. published white-box implementations for AES and DES. These implementations are based on ideas that can be used to derive white-box implementations for other block ciphers as well. In particular, the ideas can be used to derive a white-box implementation for any substitution linear-transformation (SLT) cipher. Although the white-box implementations of AES and DES have been cryptanalyzed, the cryptanalyses published use typical properties of AES and DES. It is therefore an open question whether an SLT cipher exists for which the techniques of Chow et al. result in a secure white-box implementation. In this paper we largely settle this question by presenting an algorithm that is able to extract the key from such an implementation under a mild condition on the diffusion matrix. The condition is, for instance, satisfied by all MDS matrices. Our result can serve as a basis to design block ciphers and to develop white-box techniques that result in secure white-box implementations.

Wil Michiels, Paul Gorissen, Henk D. L. Hollmann

New Linear Cryptanalytic Results of Reduced-Round of CAST-128 and CAST-256

Abstract

This paper presents a linear cryptanalysis for reduced round variants of CAST-128 and CAST-256 block ciphers. Compared with the linear relation of round function with the bias 2^− 17 by J. Nakahara et al., we found the more heavily biased linear approximations for 3 round functions and the highest one is 2^− 12.91. We can mount the known-plaintext attack on 6-round CAST-128 and the ciphertext-only attack on 4-round CAST-128. Moreover the known-plaintext attack on 24-round CAST-256 with key size 192 and 256 bits has been given, and the ciphertext-only attack on 21-round CAST-256 with key size 192 and 256 bits can be performed. At the same time, we also present the attack on 18-round CAST-256 with key size 128 bits.

Meiqin Wang, Xiaoyun Wang, Changhui Hu

Improved Impossible Differential Cryptanalysis of Reduced-Round Camellia

Abstract

The block cipher Camellia has now been adopted as an international standard by ISO/IEC, and it has also been selected to be Japanese CRYPTREC e-government recommended cipher and in the NESSIE block cipher portfolio. Most recently, Wu et al constructed some 8-round impossible differentials of Camellia, and presented an attack on 12-round Camellia-192/256 in [5]. Later in [6], Lu et al improved the above attack by using the same 8-round impossible differential and some new observations on the diffusion transformation of Camellia. Considering that all these previously known impossible differential attacks on Camellia have not taken the key scheduling algorithm into account, in this paper we exploit the relations between the round subkeys of Camellia, together with some novel techniques in the key recovery process to improve the impossible differential attack on Camellia up to 12-round Camellia-128 and 16-round Camellia-256. The data complexities of the two attacks are 2⁶⁵ and 2⁸⁹ respectively, and the time complexities of the two attacks are less than 2^111.5 and 2^222.1 respectively. The presented results are better than any previously published cryptanalytic results on Camellia without the FL/FL ^− 1 functions and whitening layers.

Wenling Wu, Lei Zhang, Wentao Zhang

Springer Professional

Inhaltsverzeichnis

Frontmatter

Elliptic and Hyperelliptic Curve Arithmetic

Faster Halvings in Genus 2

Efficient Pairing Computation on Genus 2 Curves in Projective Coordinates

On Software Parallel Implementation of Cryptographic Pairings

Block Ciphers I

The Cryptanalysis of Reduced-Round SMS4

Building Secure Block Ciphers on Generic Attacks Assumptions

First Invited Talk

Lifting and Elliptic Curve Discrete Logarithms

Hash Functions I

Preimage Attacks on One-Block MD4, 63-Step MD5 and More

Preimage Attacks on 3-Pass HAVAL and Step-Reduced MD5

Cryptanalysis of Tweaked Versions of SMASH and Reparation

Mathematical Aspects of Applied Cryptography I

Counting Functions for the k-Error Linear Complexity of 2 n -Periodic Binary Sequences

On the Exact Success Rate of Side Channel Analysis in the Gaussian Model

Stream Ciphers Cryptanalysis

Algebraic and Correlation Attacks against Linearly Filtered Non Linear Feedback Shift Registers

A Cache Timing Analysis of HC-256

An Improved Fast Correlation Attack on Stream Ciphers

Hash Functions II

A Three-Property-Secure Hash Function

Analysis of the Collision Resistance of RadioGatúnUsing Algebraic Techniques

A Scheme to Base a Hash Function on a Block Cipher

Collisions and Other Non-random Properties for Step-Reduced SHA-256

Cryptography with Algebraic Curves

Public Verifiability from Pairings in Secret Sharing Schemes

The Elliptic Curve Discrete Logarithm Problem and Equivalent Hard Problems for Elliptic Divisibility Sequences

Second Invited Talk – Stafford Tavares Lecture

The “Coefficients H” Technique

Mathematical Aspects of Applied Cryptography II

Distinguishing Multiplications from Squaring Operations

Subquadratic Polynomial Multiplication over GF(2 m ) Using Trinomial Bases and Chinese Remaindering

Bounds on Fixed Input/Output Length Post-processing Functions for Biased Physical Random Number Generators

Curve-Based Primitives in Hardware

HECC Goes Embedded: An Area-Efficient Implementation of HECC

ECC Is Ready for RFID – A Proof in Silicon

Block Ciphers II

Cryptanalysis of a Generic Class of White-Box Implementations

New Linear Cryptanalytic Results of Reduced-Round of CAST-128 and CAST-256

Improved Impossible Differential Cryptanalysis of Reduced-Round Camellia

Backmatter

Premium Partner