Re: A Fault Attack Construction Based On Rijmen's Chosen-Text Relations Attack

2010-07-21 Thread Alfonso De Gregorio

Quoting Jonathan Katz jk...@cs.umd.edu:


> On Mon, 14 Jun 2010, Alfonso De Gregorio wrote:
>
>> Last Thursday, Vincent Rijmen announced a new clever attack on
>> AES (and KASUMI) in a report posted to the Cryptology ePrint
>> Archive: Practical-Titled Attack on AES-128 Using Chosen-Text
>> Relations, http://eprint.iacr.org/2010/337
>
> Err...I read that paper by Rijmen as a bit of a joke. I think he was
> poking fun at some of these unrealistic attack models.


Dear Jonathan,

Thanks for your email. It is the only comment received so far and is
greatly appreciated!
I've been off the net for a much-needed holiday and unable to reply
within the time I would have liked. I'm sorry.


I can't speak for him, of course. Only Rijmen can tell, and I'm adding
his address in cc.
Yet I believe his emphasis was on the existence of zero-query attacks
on symmetric encryption primitives: he says the attack is zero-query
because the adversary does not need to observe the ciphertext the
encryption oracle would output.


Now, I expect the unusual nature of the attack model might stir up a  
lively discussion. My post was soliciting comments in this regard.


Still, I would like to respectfully disagree with respect to the
objectives ascribed to the paper, as to me the chosen-text relations
model of analysis appears interesting and relevant. There are two
scenarios worth investigating:


Zero query
The first one is the plausibility and power of the chosen-text
relations model of analysis as presented in his paper. I believe
there might be applications endangered by zero-query attacks.
I claim this might be the case for white-box implementations; I
could be wrong.


No roll back
The second scenario arises when we consider the avenues of
analysis provided by chosen-text relations if we revoke the
adversary's ability to roll back the encryption. If we do that, we
restore the analysis model to a variant of DFA, where the
attacker can query both oracles. So, no zero-query, but still
chosen-text relations to be exploited.

In the fault-attack setting, we expect encryption primitives secure
under related-key attacks to resist attempts to recover the secret key
by attackers who tamper with the stored secret and observe the outputs
of the cryptographic primitive under the modified key (interesting in
this regard is the paper by Bellare and Cash at the upcoming Crypto on
PRFs and PRPs providing RKA security).


In a similar way, it would be fascinating to have symmetric encryption
primitives secure under related-plaintext attacks (RPA). They would
provide resistance to attackers tampering with interim data, observing
the faulty ciphertext and querying the decryption oracle before
engaging in the key extraction step. (Of course, on the implementation
side, fault-tolerance techniques could be employed to protect crypto
modules from attacks exploiting chosen-text relations.)


Thanks again.

Cheers,

alfonso


--
  Alfonso De Gregorio,  http://Crypto.lo.gy



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


A Fault Attack Construction Based On Rijmen's Chosen-Text Relations Attack

2010-07-09 Thread Alfonso De Gregorio
Last Thursday, Vincent Rijmen announced a new clever attack on AES  
(and KASUMI) in a report posted to the Cryptology ePrint Archive:  
Practical-Titled Attack on AES-128 Using Chosen-Text Relations,  
http://eprint.iacr.org/2010/337


I believe the related-subkey model is an interesting model to look at  
and, with this email, I would like to solicit comments from the  
community about chosen-text relations attacks and their implications.


For example, this model might be pretty relevant when attacking  
white-box implementations of the target encryption algorithm with an  
embedded secret key, assuming the ability to tamper with at least 1 bit  
of the round output (debugging...).


A Fault Attack
In order to further solicit comments, I would like to contribute a  
fault attack construction based on chosen-text relations attack.


First, it is worth noting how the zero-query attack provided by  
chosen-text-relations-in-the-middle can be transformed into an attack  
with a single query to both the encryption and decryption oracles. It  
is possible to do so by resuming the interrupted encryption after  
applying the specific difference delta to the state (i.e., no rollback  
anymore) and querying the decryption oracle.


More specifically:
- halt the computer in the middle of execution of an encryption routine;
- apply the specific difference delta to the state;
- resume the encryption and output the ciphertext c*;
- query the decryption oracle with c* and retrieve the modified plaintext p*
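Added example, not from the original post or from Rijmen's paper: the four steps above (halt, apply delta, resume, decrypt c*), together with the "no roll back" scenario of the 2010-07-21 reply, carried through against a small AES-128 written for this purpose, followed by the key-extraction step that the post does not spell out. It assumes the fault lands right after SubBytes of round 1 (a choice made here; where Rijmen's attack places the relation is not reproduced), and the oracles, plaintext and delta values are constructed for the example. Decrypting c* returns p* with S(p* ^ k0) = S(p ^ k0) ^ delta byte by byte, so each byte of k0 (for AES-128, the key itself) is confined to the S-box inputs that map the input difference p ^ p* to the output difference delta. One (p, p*, delta) triple leaves two or four candidates per byte, because the AES S-box is differentially 4-uniform, and a second or third delta intersects the candidate sets down to one.

```python
# Added example, not code from the post or from Rijmen's paper: a small AES-128
# with a "halt, xor delta into the state, resume" hook and the key-extraction
# step for the single-query variant.  Fault location, oracles and deltas are ours.
import hashlib
from functools import reduce

def gf_mul(a, b):                                     # GF(2^8), modulus x^8+x^4+x^3+x+1
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11b if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox_entry(x):
    b = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)  # inverse
    s = b ^ 0x63                                      # affine map: b ^ rot1..rot4 ^ 0x63
    for _ in range(4):
        b = ((b << 1) | (b >> 7)) & 0xff
        s ^= b
    return s

SBOX = [_sbox_entry(x) for x in range(256)]
INV_SBOX = [SBOX.index(v) for v in range(256)]

def expand_key(key):
    """AES-128 schedule: 11 round keys of 16 bytes, column-major like the state."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:                                # RotWord, SubWord, Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = gf_mul(rcon, 2)
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def shift_rows(s, inv=False):
    step = -4 if inv else 4                           # row r rotates by r positions
    return [s[(i + step * (i % 4)) % 16] for i in range(16)]

def mix_columns(s, inv=False):
    m = (14, 11, 13, 9) if inv else (2, 3, 1, 1)       # first row of the circulant matrix
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(reduce(lambda u, v: u ^ v, (gf_mul(col[j], m[(j - r) % 4]) for j in range(4))))
    return out

def aes128_encrypt(key, pt, fault=None):
    """fault=(round, delta16) XORs delta into the state right after that round's
    SubBytes: the 'halt, apply the difference, resume' step of the post."""
    rk = expand_key(key)
    s = xor(pt, rk[0])
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]
        if fault and fault[0] == rnd:
            s = xor(s, fault[1])
        s = shift_rows(s)
        if rnd < 10:
            s = mix_columns(s)
        s = xor(s, rk[rnd])
    return bytes(s)

def aes128_decrypt(key, ct):
    rk = expand_key(key)
    s = xor(ct, rk[10])
    for rnd in range(9, -1, -1):
        s = shift_rows(s, inv=True)
        s = [INV_SBOX[b] for b in s]
        s = xor(s, rk[rnd])
        if rnd > 0:
            s = mix_columns(s, inv=True)
    return bytes(s)

def recover_key(faulty_encrypt, decrypt, p, max_faults=16):
    """Per delta: one faulted encryption (c*) and one decryption query (p*); k0[i] must
    lie in {x ^ p[i] : S(x) ^ S(x ^ (p[i] ^ p*[i])) = delta[i]}, intersected over deltas."""
    cands = [set(range(256)) for _ in range(16)]
    for j in range(max_faults):
        delta = hashlib.sha256(b"delta%d" % j).digest()[:16]  # arbitrary, deterministic
        p_star = decrypt(faulty_encrypt(p, (1, delta)))
        for i in range(16):
            a, d = p[i] ^ p_star[i], delta[i]
            if d:                                     # zero delta byte: no constraint
                cands[i] &= {x ^ p[i] for x in range(256) if SBOX[x] ^ SBOX[x ^ a] == d}
        if all(len(c) == 1 for c in cands):
            return bytes(next(iter(c)) for c in cands), j + 1
    return None, max_faults

def demo(secret_key=bytes.fromhex("000102030405060708090a0b0c0d0e0f")):
    """Attacker sees only the two oracles; key and plaintext are constructed (FIPS-197 C.1)."""
    p = bytes.fromhex("00112233445566778899aabbccddeeff")
    return recover_key(lambda pt, f: aes128_encrypt(secret_key, pt, f),
                       lambda ct: aes128_decrypt(secret_key, ct), p)
```

demo() hides the key behind the two oracle closures and returns the recovered key together with the number of faulted encryptions it took (at least two, since one triple always leaves the pair {x, x ^ (p ^ p*)} per byte). The per-byte factoring holds only because everything between the plaintext and the fault point (AddRoundKey, SubBytes) acts bytewise; a delta injected after a later round's SubBytes still yields a valid (c*, p*) pair from the two oracles, but the relation between p and p* then passes through MixColumns and no longer splits into 16 independent S-box differentials.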


Re: Watermarking...

2010-04-20 Thread Alfonso De Gregorio

On Tue, Apr 20, 2010 at 12:29 AM, Massimiliano Pala
p...@cs.dartmouth.edu wrote:

> Hi all,
>
> I was wondering if any of you have some pointers on the security of
> watermarking. In particular I am interested in public-key or asymmetric
> watermarking algorithms.


Ciao Massimiliano,

You might be interested in checking out the deliverables of the BOWS contests at:
http://bows2.gipsa-lab.inpg.fr/ and http://lci.det.unifi.it/BOWS/


> Also, do you know of any free-to-use (opensource/etc.) implementation
> that can be used for research-test purposes ?
>
> --
>
> Best Regards,
>
>    Massimiliano Pala


From a cursory look at bookmarks...
- Peter Meerwald's implementation of digital image watermarking algorithms.
- Microsoft Audio Watermarking Tool
http://research.microsoft.com/en-us/downloads/885bb5c4-ae6d-418b-97f9-adc9da8d48bd/default.aspx

Cheers,

alfonso

--
 http://crypto.lo.gy



Re: [Cfrg] Applications of target collisions: Pre or post-dating MD5-based RFC 3161 time-stamp tokens

2006-10-27 Thread Alfonso De Gregorio
Hi Steven, hi Benne,

Yes, this is a sweet and sour truth. We are not getting closer to
preimage attacks. We are getting further away from considering preimage
and second-preimage resistance sufficient hash-function requirements for
the real-world security of some protocols.

Cheers,

-- Alfonso  http://crypto.lo.gy


Weger, B.M.M. de wrote:
>> So how close are we getting to first or second preimage attacks?
>
> As far as we know, not one bit closer.
> Best known attack on MD5 preimage resistance still is brute force.
>
> You may interpret our result as enlarging the applicability of
> collision attacks. In that sense the gap to preimage attacks has
> diminished. But we have no measure available to tell by how much.
>
> Grtz,
> Benne de Weger

