Wenn nicht anders angegeben, findet das Seminar immer Montags um 13:15 im Raum IC 4 / 39-41 statt.

Im Sommersemester 2007 wurde es von Michael Psarros organisiert.

16. April 2007 Dr. Graham Steel Formal Analysis of Security APIs
23. April 2007 Dr. Alex Dent Plaintext awareness
30. April 2007 Felix Gröbert Mass Exploitation of the Software Distribution Attack Vector
14. Mai 2007 Dr. Christopher Wolf Exotic Public Key Signature Schemes: Multivariate Quadratic PK Systems
4. Juni 2007 Sven Schäge Efficient Hash Collision Search Strategies on Special-Purpose Hardware
11. Juni 2007 Gordon Meiser Efficient Implementation of Stream Ciphers on Embedded Processors
18. Juni 2007 Leif Uhsadel Comparison of Low-Power Public Key Cryptography on MICAz 8-Bit Micro Controller
25. Juni 2007 Prof. Dr. Werner Schindler Ein stochastisches Modell für ein Design eines physikalischen Zufallszahlengenerators mit robusten Entropieschätzern
2. Juli 2007 Sören Rinne Performance Analysis of Contemporary Light-Weight Block Ciphers on 8-bit Microcontrollers
9. Juli 2007 Prof. Dr. Roberto Avanzi Another Look at Square Roots, Traces and Quadratic Equations in Fields of Even Characteristic, with Applications to Elliptic Curve Cryptography

Dr. Graham Steel, University of Edinburgh:
Formal Analysis of Security APIs

Cash machines (ATMs) and other critical parts of the electronic payment infrastructure contain tamper-proof hardware security modules (HSMs), which protect highly sensitive data such as the keys used to obtain personal identification numbers (PINs). These HSMs have a restricted API that is designed to prevent malicious code from gaining access to the sensitive data. However, several attacks have been found on these APIs, as the result of painstaking manual analysis by experts such as Mike Bond and Jolyon Clulow.

At the University of Edinburgh, a project is underway to formalise and mechanise the analysis of these APIs. This talk will present some API attacks, and our efforts to generalise them and capture them formally, using theorem provers, protocol analysis tools, and the PRISM probabilistic model checker.

Dr. Alex Dent, Royal Holloway University of London:
Plaintext awareness

Plaintext awareness is the property of an encryption scheme that means that no attacker can create a ciphertext without "knowing" the underlying plaintext (or that the ciphertext is invalid and won't be decrypted). This renders a decryption oracle useless to an attacker. For any ciphertext that the attacker submits to the decryption oracle, that attacker must already know underlying plaintext; hence, they get no new information when the decryption oracle returns this plaintext.

The notion of plaintext awareness was first developed as a method to prove IND-CCA2 security. It has turned out not to be very useful in this regard -- it is almost always significantly more difficult to prove that a scheme is plaintext aware, than simply to prove that it is IND-CCA2 directly. However, it is useful in giving some insight as to why a particular scheme achieves IND-CCA2 security.

This talk will survey the known results in standard model plaintext awareness that have been developed over the last couple of years. This will include discussions of several new results that have not yet been published.

Felix Gröbert, Ruhr-Universität Bochum:
Mass Exploitation of the Software Distribution Attack Vector

"Wir fordern die Bundesregierung auf, die illegalen Praktiken sofort zu beenden." -- Wolfgang Wieland, Sprecher der Grünen-Fraktion für Innere Sicherheit.
Nachdem der Bundesgerichtshof die Online-Durchsuchung Anfang dieses Jahres verboten hat, wurde nun bekannt dass die Nachrichtendienste diese seit 2005 laut BMI bereits nutzen dürfen. Die Diskussion um die Online-Durchsuchung wird seit einem halben Jahr auf juristischer und politischer Ebene geführt.

Software-Updates sind heute ein integraler Bestandteil von einem sicheren, Netzwerk-verbundenen Computersystem. Während heruntergeladene Updates durch viele Installationsroutinen auf ihre Integrität überprüft werden gibt es auch Software-Updates bei denen dies nicht geschieht. Auch Erstinstallationen von Software stellen ein potentielles Ziel für den Angreifer dar, da diese selten signiert sind und durch das Betriebssystem nicht verifiziert werden können.

Ich werde in diesem technischen Vortrag einen möglichen Angriffsvektor für die Online-Durchsuchung vorstellen sowie Gegenmaßnahmen diskutieren.

Der Angriff beschreibt wie ein potentieller Angreifer, unter bestimmten Annahmen, Schadcode auf einem Computersystem ausführen kann. Dazu infiziert der Angreifer ausführbare Dateien mit Schadcode während sie heruntergeladen werden. Eine proof-of-concept Implementation wird ebenfalls vorgestellt.

Dr. Christopher Wolf, Ruhr-Universität Bochum:
Exotic Public Key Signature Schemes: Multivariate Quadratic PK Systems

Since the invention of RSA and public key cryptography, alternative schemes with better properties have been searched - elliptic curves and NTRU, to name but a few. One class of public key schemes are multivariate quadratic public key schemes. They allow fast computation of signatures and their verification - but suffer from rather large public and private keys. However, depending on the application scenario, this is not a serious drawback. In addition, they allow short signatures down to 128 bit. In this presentation, we introduce multivariate quadratic public key schemes, the mathematical tools needed for their description, and also outline some possible application domains.

Sven Schäge, Ruhr-Universität Bochum:
Efficient Hash Collision Search Strategies on Special-Purpose Hardware

Hash functions play an important role in various cryptographic applications. Modern cryptography relies on a few but supposedly well analyzed hash functions, most of which are part of the so called MD4-family. No wonder that in 2005, a new theoretical attack on SHA-1 caused great excitement in the cryptographic community, since it reduced attack complexity to find a random collision from O(2^80) to O(2^63) step computations.

This presentation shows whether it is possible, using special-purpose hardware, to significantly speedup collision search for SHA-1 so that finding a single collision comes into practical reach.

A thorough analysis of MD5 and current collision search algorithms reveals that a microprocessor based architecture is best suited for the implementation of collision search algorithms for hash functions of the MD4-family.

Consequently, we designed and implemented a (concerning MD4-family hash-functions) general-purpose microprocessor with minimal area requirements and, based on this, a complete collision search unit. Additionally, we developed an assembler to equip our collision search unit with a full implementation of suited collision search algorithms.

Comparing the performance characteristics of both ASICs with standard PC processors and networks, it turns out that our design, massively parallelized, is nearly four times more cost-efficient than parallelized standard PCs. We believe that there is much room for further improvements left.

Gordon Meiser, Ruhr-Universität Bochum:
Efficient Implementation of Stream Ciphers on Embedded Processors

This work is motivated by the question of how efficient modern stream ciphers in the focus of eSTREAM Profile I (Phase 2) can be implemented on small embedded microcontrollers. In response to this question, we present the first implementation results for Dragon, HC-128, LEX, Salsa20 and Sosemanuk on 8-bit microcontrollers. For the evaluation process, we follow a two-stage approach and compare with efficient AES implementations. First, the C code implementation provided by the designers was ported to an 8-bit AVR microcontroller and the suitability of Dragon, HC-128, LEX, Salsa20 and Sosemanuk for the use in embedded systems was assessed. In the second stage we implemented Dragon, LEX, Salsa20 and Sosemanuk in Assembly to tap the full potential of an embedded implementation. Our efficiency metrics are performance of keystream generation, key setup, and IV setup, and memory usage in flash and SRAM, since microcontrollers are usually strongly constrained in memory resources. Regarding encryption speed, all stream ciphers turned out to outperform AES. In terms of memory needs, Salsa20 and LEX are almost as compact as AES. When considering a time-memory tradeoff metric, LEX and Salsa20 yield significantly better results than AES.

Leif Uhsadel, Ruhr-Universität Bochum:
Comparison of Low-Power Public Key Cryptography on MICAz 8-Bit Micro Controller

The terms ubiquitous and pervasive computing designate the penetration of our everyday life with intelligent devices. These tiny, constrained, and battery powered nodes are used to build WSNs that may process sensitive data. Therefore security as well as low energy consumption are crucial in this field. Since runtime scales with energy consumption efficient implementation is necessary at all costs. We will show by comparing of different implementations of asymmetric algorithms that ECC is a good choice in this case, as it allows shorter key length with adequate security level and furthermore can be efficiently implemented. We will provide mathematical background as well as algorithms for an efficient implementation. Subsequently we will present the fastest known implementation of a 160-bit multiplication, which is the core operation of the prime field of the standardized elliptic curve secp160r1. Even though the implementation is highly optimized for speed, the code-size of 5.4 KB and RAM requirements of 112 B are acceptable. The high efficient prime field is implemented in assembly and available on request. It is thought to be the base for high efficient curve implementations. A curve with basic optimizations is written in C and can also be reused. The 160-bit multiplication has a runtime of 0.39ms and requires with our C implementation of the curve 1.151s for a point multiplication. This could be optimized to approximately 0.76s for one point multiplication in combination with a highly efficient elliptic curve. Furthermore this would allow the execution of an ECDSA signature in less than one second without pre-calculation.

Prof. Dr. Werner Schindler, BSI, Bonn:
Ein stochastisches Modell für ein Design eines physikalischen Zufallszahlengenerators mit robusten Entropieschätzern

Physikalische Zufallszahlengeneratoren (kurz: physikalische RNGs) stellen in vielen kryptographischen Systemen zentrale Komponenten dar. Die Entwicklung eines starken physikalischen RNGs wirft mehrere Probleme auf. Zunächst gilt es, ein geeignetes RNG-Design zu entwickeln und sorgfältig zu implementieren. Die zweite Aufgabe, nämlich der Nachweis, dass das gewählte Design und insbesondere die konkrete Implementierung (inklusive Onlinetests) sicher sind, ist in der Regel nicht minder schwierig. Insbesondere gilt es, die Entropie der erzeugten Zufallszahlen abzuschätzen und nachzuweisen, dass die Onlinetests etwaige nichttolerierbare Schwächen im laufenden Betrieb des RNGs zuverlässig erkennen. Dies erfordert ein stochastisches Modell der Rauschquelle.

Der Vortrag führt zunächst allgemein in die Thematik ein. Danach wird ein konkretes RNG-Design vorgestellt und erläutert, das auf zwei Zenerdioden basiert. Es wird ein stochastisches Modell der Rauschquelle formuliert und analysiert. Dieses Modell ist sehr allgemein und kann (ggf. nach Modifikation) auch auf andere RNG-Designs angewandt werden. Insbesondere erlaubt das vorgestellte Design robuste Entropieschätzer, und mit geringem Resourcenverbrauch (Speicherplatz, Rechenzeit) können wirksame Onlinetests realisiert werden.

Sören Rinne, Ruhr-Universität Bochum:
Performance Analysis of Contemporary Light-Weight Block Ciphers on 8-bit Microcontrollers

This work presents a performance analysis of software implementations of ciphers that are especially designed for the domain of ubiquitous computing. The analysis focuses on the special properties of embedded devices that need to be taken into account like cost (given by memory consumption) and energy needs. The discussed ciphers include DESL, HIGHT, SEA, and TEA/XTEA. Assembler implementations of the ciphers for an 8-bit AVR microcontroller platform were analyzed and compared with a byte-oriented AES implementation. While all ciphers fail to outperform AES on the discussed 8-bit platform, TEA/XTEA and SEA at least consume significantly less memory than the AES.

Prof. Dr. Roberto Avanzi, Ruhr-Universität Bochum:
Another Look at Square Roots, Traces and Quadratic Equations in Fields of Even Characteristic, with Applications to Elliptic Curve Cryptography

We discuss irreducible polynomials that can be used to speed up square root extraction in fields of characteristic two. The obvious applications are to point halving methods for elliptic curves and divisor halving methods for hyperelliptic curves.

Irreducible polynomials P(X) such that the square root ? of a zero x of P(X) is a sparse polynomial are considered and those for which ? has minimal degree are characterized. We reveal a surprising connection between the minimality of this degree and the extremality of the the number of trace one elements in the polynomial base associated to P(X).

We also show how to improve the speed of solving quadratic equations and that the increase in the time required to perform modular reduction is marginal and does not affect performance adversely. Experimental results confirm that the new polynomials mantain their promises; These results generalize work by Fong et al. to polynomials other than trinomials. Point halving gets a speed-up of 20% and the performance of scalar multiplication based on point halving is improved by at least 11%.


Zum SeitenanfangSeitenanfang | Aktuelles HGI-Seminar | Druckfassung dieser Seite
Letzte Änderung: 1.08.2007  | Ansprechpartner/in: Inhalt oder Technik