Publications

9 Results


PUF Entropy

Cordwell, William R.; Torgerson, Mark D.

This note discusses aspects of fuzzy extraction: in particular, how the interplay between PUF entropy and the revelation of helper data affects the entropy of the underlying secret. We examine the theory behind a scheme by Dodis et alii to develop exact formulas for the entropy of the given seed, given that an adversary knows the helper data. We also give a simple lower bound on the security of the Dodis scheme that is achieved exactly in many instances. By way of several examples, we quantify the amount of entropy that can be lost due to interactions between imperfect PUF implementations and given error correction methods. We repeatedly show that understanding the details of the error correction scheme and the interaction with the PUF response is crucial to being able to estimate the entropy of the system.


Side Channel Considerations for SHA-512

Cordwell, William R.

We consider a theoretical side-channel attack on SHA-512; the attack should easily generalize to other algorithms in the SHA-2 family. Rather than looking at a side-channel attack on an HMAC, which has been done in various papers, we assume that the targeted device is applying the hash function as a pseudo-random function (prf) in order to generate a secret key from a secret seed, as recommended by NIST. The analyst uses side-channel information to try to recover the secret seed. We use entropy/information theory to show how one might judge whether or not a side-channel attack might be possible and/or feasible, and we show how the design of the implementation can affect the feasibility of an attack.


Side Channel Considerations for AES Intermediate Rounds

Cordwell, William R.

We illustrate a theoretical side-channel analysis on the intermediate rounds of AES, using only the Hamming weights of the bytes registered after the S-box operation. Input and output state values are unknown. Simulations and a blind test were used to show the feasibility of the analysis under ideal conditions. General applicability of the idea and possible extensions are discussed, as well as limiting assumptions. Some implementation approaches are described in Appendix A, in the case of constrained computing capabilities (desktop or laptop).


Effect of Partial Key Knowledge

Cordwell, William R.

For strong cryptologic algorithms, it is often assumed that exhaustive search (AKA "brute force") will take 2^b trials, where b is the number of bits of the secret key. What happens, though, if an adversary gains partial knowledge of the secret key? Perhaps he has intercepted a garbled transmission of the key, where he knows the maximum number of garbles, but not where they occur, or perhaps he knows the probability of each bit being correct. How much does this help him?
