Stefan Lucks, Bauhaus-Universität Weimar · Faculty of Media
Publications (158)
A deterministic random bit generator (DRBG) generates pseudorandom bits from an unpredictable seed, i.e., a seed drawn from any random source with sufficient entropy. The current paper formalizes a security notion for a DRBG, in which an attacker may make any legal sequence of requests to the DRBG and sometimes compromise the DRBG state, but should...
We study the post-quantum security of authenticated encryption (AE) schemes, designed with classical security in mind. Under superposition attacks, many CBC-MAC variants have been broken, and AE modes employing those variants, such as EAX and GCM, thus fail at authenticity. As we show, the same modes are IND-qCPA insecure, i.e., they fail to provid...
QCB is a proposal for a post-quantum secure, rate-one authenticated encryption with associated data scheme (AEAD) based on classical OCB3 and \(\varTheta \)CB, which are vulnerable against a quantum adversary in the Q2 setting. The authors of QCB prove integrity under plus-one unforgeability, whereas the proof of the stronger definition of blind un...
When keys are small or parts thereof leak, key-recovery attacks on symmetric-key primitives still pose a plausible threat. Key stretching is one well-known means to throttle potential adversaries, where stretching a key by s bits means that a key-recovery attack has to perform \(\min \{2^{k-1}, 2^{k-\lambda +s-1}\}\) operations on average for \(\lam...
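The stretching bound quoted in this abstract, worked through on a constructed toy instance. This is an added example, not code from the paper: the stretching is the classic iterated-hash construction (2^s chained hash calls, derived key truncated back to the original k bits), the key, salt and leaked prefix are made up, and `average_cost` only evaluates the quoted min{2^{k-1}, 2^{k-λ+s-1}} expression so the simulated brute force can be compared with it.

```python
import hashlib
import itertools

# Constructed toy instance (assumption, not from the paper): a k-bit key is stretched
# by s bits with 2**s chained hash calls, the derived key keeps k bits, and the
# attacker has learned the first `leaked` bits of the original key.

def stretch_key(key: bytes, salt: bytes, s: int) -> bytes:
    """Iterated-hash key stretching: 2**s + 1 hash calls per key, output truncated
    to the original key length so the derived key is still k bits."""
    state = hashlib.sha256(salt + key).digest()
    for _ in range(2 ** s):
        state = hashlib.sha256(state + key).digest()   # chain the key in every round
    return state[: len(key)]

def calls_per_guess(s: int) -> int:
    """Hash calls an attacker spends to test one candidate key."""
    return 2 ** s + 1

def recover_key(derived: bytes, salt: bytes, s: int, leaked_prefix: bytes, k: int):
    """Brute force the k - 8*len(leaked_prefix) unknown bits of the original key.
    Returns (key, hash calls spent); every candidate has to be stretched first."""
    unknown = k // 8 - len(leaked_prefix)
    calls = 0
    for tail in itertools.product(range(256), repeat=unknown):
        candidate = leaked_prefix + bytes(tail)
        calls += calls_per_guess(s)
        if stretch_key(candidate, salt, s) == derived:
            return candidate, calls
    raise ValueError("derived key does not match any candidate")

def average_cost(k: int, s: int, leaked: int) -> int:
    """The bound quoted in the abstract, min(2**(k-1), 2**(k-leaked+s-1)): the second
    term is the stretched search over the unleaked bits, the first is the alternative
    of guessing the k-bit derived key directly, which stretching cannot throttle."""
    return min(2 ** (k - 1), 2 ** (k - leaked + s - 1))

if __name__ == "__main__":
    key, salt = bytes([0x4A, 0x13, 0x7B]), b"salt"      # constructed 24-bit toy key
    derived = stretch_key(key, salt, s=4)
    found, spent = recover_key(derived, salt, 4, key[:2], k=24)
    print(found == key, spent, average_cost(24, 4, 16))   # True 2108 2048
```

With 16 of 24 key bits leaked and s = 4, the attacker tests at most 256 candidates at 17 hash calls each, which lands next to the 2^{24-16+4-1} = 2048 average the formula predicts; raising s until the second term passes 2^{k-1} stops helping, because guessing the k-bit derived key directly is then cheaper.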
This paper proposes Pholkos, a family of heavyweight tweakable block ciphers with state and key sizes of \({\ge }256\) and tweaks of either 128 or 256 bits. When encrypting large chunks of data under the same key, modes with Pholkos do not require “beyond-birthday security” since it provides “bigger birthday security”. This also makes it a good cho...
Forkciphers are a new kind of primitive proposed recently by Andreeva et al. for efficient encryption and authentication of small messages. They fork the middle state of a cipher and encrypt it twice under two smaller independent permutations. Thus, forkciphers produce two output blocks in one primitive call.
On-line ciphers are convenient building blocks for realizing efficient single-pass encryption. In particular, the trend to limit the consequences of nonce reuses rendered them popular in recent authenticated encryption schemes. While encryption schemes, such as POE, COPE, or the ciphers within ElmE/ElmD concentrated on efficiency, their security g...
Leakage resilient cryptography aims to provide security against side channel attacks. In this paper, we present several issues of the \(\mathsf {RCB}\) block cipher mode, proposed by Agrawal et al. in [2]. \(\mathsf {RCB}\) is the first Leakage Resilient Authenticated Encryption (AE) scheme ever presented. In particular, we present a forgery attac...
Dithered hash functions were proposed by Rivest as a method to mitigate second preimage attacks on Merkle-Damgård hash functions. Despite that, second preimage attacks against dithered hash functions were proposed by Andreeva et al. One issue with these second preimage attacks is their huge memory requirement in the precomputation and the online ph...
This paper presents Gimli, a 384-bit permutation designed to achieve high security with high performance across a broad range of platforms, including 64-bit Intel/AMD server CPUs, 64-bit and 32-bit ARM smartphone CPUs, 32-bit ARM microcontrollers, 8-bit AVR microcontrollers, FPGAs, ASICs without side-channel protection, and ASICs with side-channel...
This work pursues the idea of multi-forgery attacks as introduced by Ferguson in 2002. We recoin reforgeability for the complexity of obtaining further forgeries once a first forgery has succeeded. First, we introduce a security notion for the integrity (in terms of reforgeability) of authenticated encryption schemes: \(j\text {-}\textsc {Int}\text...
In the context of the chromatic-number problem, a critical graph is an instance where the deletion of any element would decrease the graph's chromatic number. Such instances have been shown to be interesting objects of study for deepening the understanding of the optimization problem. This work introduces critical graphs in the context of Minimum Vertex Cover....
This work introduces Passphone, a new smartphone-based authentication scheme that outsources user verification to a trusted third party without sacrificing privacy: neither can the trusted third party learn the relation between users and service providers, nor can service providers learn those of their users to others. When employed as a second fac...
An authenticated encryption scheme is a scheme which provides privacy and integrity by using a secret key. In 2013, CAESAR (the “Competition for Authenticated Encryption: Security, Applicability, and Robustness”) was co-founded by NIST and Dan Bernstein with the aim of finding authenticated encryption schemes that offer advantages over AES-GCM and...
On-line ciphers are convenient building blocks for realizing efficient single-pass encryption. In particular, the trend to limit the consequences of nonce reuses rendered them popular in recent authenticated encryption schemes. While recent encryption scheme designs, such as POE, COPE, or the ciphers within ElmE/ElmD concentrated on efficiency, th...
Block-cipher-based authenticated encryption has obtained considerable attention from the ongoing CAESAR competition. While the focus of CAESAR resides primarily on nonce-based authenticated encryption, Deterministic Authenticated Encryption (DAE) is used in domains such as key wrap, where the available message entropy motivates to omit the overhead...
Typical AE schemes are supposed to be secure when used as specified. However, they can – and often do – fail miserably when used improperly. As a partial remedy, Rogaway and Shrimpton proposed (nonce-)misuse-resistant AE (MRAE) and the first MRAE scheme SIV (“Synthetic Initialization Vector”). This paper proposes RIV (“Robust Initialization Vector”...
Catena is a password-scrambling framework characterized by its high flexibility. The user (defender) can simply adapt the underlying (cryptographic) primitives, the underlying memory-hard function, and the time (\(\lambda \)) and memory (garlic) parameters, to render it suitable for a wide range of applications. This enables Catena to maximize the...
In this work we provide an overview of the candidates of the Password Hashing Competition (PHC) regarding their functionality, e.g., client-independent update and server relief, their security, e.g., memory-hardness and side-channel resistance, and their general properties, e.g., memory usage and flexibility of the underlying primitives. Furthermo...
Cryptographic constructions are often designed and analyzed in idealized frameworks such as the random-oracle or ideal-cipher models. When the underlying primitives are instantiated in the real world, however, they may be far from ideal. Constructions should therefore be robust to known or potential defects in the lower-level primitives.
With this...
Most of the common password scramblers hinder password-guessing attacks by “key stretching”, e.g., by iterating a cryptographic hash function many times. With the increasing availability of cheap and massively parallel off-the-shelf hardware, iterating a hash function becomes less and less useful. To defend against attacks based on such hardware, o...
In this work we provide an overview of the candidates of the Password Hashing Competition (PHC) regarding their functionality, e.g., client-independent update and server relief, their security, e.g., memory-hardness and side-channel resistance, and their general properties, e.g., memory usage and flexibility of the underlying primitives. Further...
EAX′ (or EAX-prime) is an authenticated encryption (AE) specified by ANSI C12.22 as a standard security function for Smart Grid. EAX′ is based on EAX proposed by Bellare, Rogaway, and Wagner. While EAX has a proof of security based on the pseudorandomness of the internal blockcipher, no published security result is known for EAX′. This paper studie...
In this paper we introduce Janus, a software framework – written in Java – which is built to provide assistance in finding independent-biclique attacks for a user-chosen set of parameters, e.g., the number of rounds and dimension of the biclique. Given a certain cipher, Janus not only finds an optimal bipartite graph (biclique), but also provides a...
Block-cipher-based compression functions serve an important purpose in cryptography since they allow to turn a given block cipher into a one-way hash function. While there are a number of secure double-block-length compression functions, there is little research on generalized constructions. This paper introduces the Counter-bDM family of multi-blo...
This paper presents differential attacks on Simon and Speck, two families of lightweight block ciphers that were presented by the U.S. National Security Agency in June 2013. We describe attacks on up to slightly more than half the number of rounds. While our analysis is only of academic interest, it demonstrates the drawback of the intensive optimi...
Correct authenticated decryption requires the receiver to buffer the decrypted message until the authenticity check has been performed. In high-speed networks, which must handle large message frames at low latency, this behavior becomes practically infeasible. This paper proposes CCA-secure on-line ciphers as a practical alternative to AE schemes s...
EAX is a mode of operation for blockciphers to implement an authenticated encryption. The original paper of EAX proved that EAX is unforgeable up to O(2^{n/2}) data with one verification query. However, this generally guarantees a rather weak bound for the unforgeability under multiple verification queries, i.e., only O(2^{n/3}) data is acceptable. Thi...
In this paper, we propose the first full-round attacks on the PRESENT and LED lightweight ciphers. In our attacks, we use the independent-biclique approach which has been developed recently. The proposed attacks on PRESENT-80 and PRESENT-128 require 2^60 and 2^44 chosen plaintexts, and have time complexities of 2^79.46 and 2^127.37 respectively. O...
There are four somewhat classical double length block cipher based compression functions known: MDC-2, MDC-4, Abreast-DM, and Tandem-DM. They were all developed more than 20 years ago. In recent years, cryptographic research has put a focus on block cipher based hashing and found collision security results for three of them (MDC-2, Abreast-DM, Tand...
We present Weimar-DM, a double length compression function using two calls to a block cipher with 2n-bit key and n-bit block size to compress a 3n-bit string to a 2n-bit one. For Weimar-DM, we show that for n=128, no adversary asking less than 2^{n−1.77} = 2^{126.23} queries can find a collision with probability greater than 1/2. This is the highest collis...
Most of the time, cryptography fails due to “implementation and management errors”. So the task at hand is to design a cryptographic library to ease its safe use and to hinder implementation errors. This is of special interest when the implementation language is celebrated for its suitability for writing reliable, safe and secure systems, such as Ada...
In this paper, we introduce a new class of universal hash function families called almost regular universal (ε-ARU). Informally, an ε-ARU hash function family is almost universal, and additionally provides almost regularity. Furthermore, we present \(\Gamma\mbox{-MAC}\lbrack H,P\rbrack\), a new MAC scheme based on an ε-ARU hash function family. I...
The block cipher MARS has been designed by a team from IBM and became one of the five finalists for the AES. A unique feature is the usage of two entirely different round function types. The “wrapper rounds” are unkeyed, while the key schedule for the “core rounds” is a slow and complex one, much more demanding than, e.g., the key schedule for the...
On-Line Authenticated Encryption (OAE) combines privacy with data integrity and is on-line computable. Most block cipher-based schemes for Authenticated Encryption can be run on-line and are provably secure against nonce-respecting adversaries. But they fail badly for more general adversaries. This is not a theoretical observation only – in practic...
ARIA [5] is a block cipher proposed at ICISC’03. Its design is very similar to the Advanced Encryption Standard (AES). The authors propose that on 32-bit processors, the encryption speed is at least 70% of that of the AES. It is claimed to offer a higher security level than AES. In this paper we present three new attacks of reduced round ARIA which...
We give collision resistance bounds for blockcipher based, double-call, double-length hash functions using (k,n)-bit blockciphers with k > n. Özen and Stam recently proposed a framework [21] for such hash functions that use 3n-to-2n-bit compression functions and two parallel calls to two independent blockciphers with 2n-bit key and n-bit block size...
At Crypto 2005, Coron et al. introduced a formalism to study the presence or absence of structural flaws in iterated hash functions. If one cannot differentiate a hash function using ideal primitives from a random oracle, it is considered structurally sound, while the ability to differentiate it from a random oracle indicates a structural weakness....
In this paper we present TWISTER_π, a framework for hash functions. It is an improved version of TWISTER, a candidate of the NIST SHA-3 hash function competition. TWISTER_π is built upon the ideas of wide pipe and sponge functions. The core of this framework is a - very easy to analyse - Twister-Round providing both...
In this paper we investigate the security of the encryption mode of the HAS-160 hash function. HAS-160 is a Korean hash standard which is widely used in Korean industry. The structure of HAS-160 is similar to SHA-1 besides some modifications. In this paper, we present the first cryptographic attack that breaks the encryption mode of the full 80-rou...
An r-collision for a function is a set of r distinct inputs with identical outputs. Actually finding r-collisions for a random map over a finite set of cardinality N requires at least about N^{(r−1)/r} units of time on a sequential machine. For r=2, memoryless and well-parallelizable algorithms are known. The current paper describes memory-efficien...
We provide a proof of security for a huge class of double block length hash functions that we will call Cyclic-DM. Using this result, we are able to give a collision resistance bound for Abreast-DM, one of the oldest and most well-known constructions for turning a block cipher with n-bit block length and 2n-bit key length into a 2n-bit cryptographic...
Identity management provides PET (privacy enhancing technology) tools for users to control privacy of their personal data. With the support of mobile location determination techniques based on GPS, WLAN, Bluetooth, etc., context-aware and location-aware mobile applications (e.g. restaurant finder, friend finder, indoor and outdoor navigation, etc.)...
The AES-256 has received less attention in cryptanalysis than the 192 or 128-bit versions of the AES. In this paper we propose new attacks on 9 and 10-round AES-256. In particular we present a 9-round attack on AES-256 which has the lowest data complexity of all known 9-round attacks. Also, our 10-round attack has a lower data complexity than all k...
Digital Enhanced Cordless Telecommunications (DECT) is a standard for connecting cordless telephones to a fixed telecommunications network over a short range. The cryptographic algorithms used in DECT are not publicly available. In this paper we reveal one of the two algorithms used by DECT, the DECT Standard Authentication Algorithm (DSAA). We g...
In this paper we present Twister, a new framework for hash functions. Twister incorporates the ideas of wide pipe and sponge functions. The core of this framework is a – very easy to analyze – Mini-Round providing both extremely fast diffusion as well as collision-freeness for one Mini-Round. The total security level is claimed to be not below 2^{n/...
SHACAL-2 is a 64-round block cipher based on the compression function of the hash function standard SHA-256. It has a 256-bit block size and a variable length key of up to 512 bits. Up to now, all attacks on more than 37 rounds require at least 2^235 bytes of memory. Obviously such attacks will never become of practical interest due to this high amo...
In this paper we present the first attack on the full 24 round internal block cipher of Tiger [1]. Tiger is a hash function proposed by Biham and Anderson at FSE'96. It took about ten years until the first cryptanalytic result was presented by Kelsey and Lucks [10] at FSE'06. Up to now, the best known attack on the internal block cipher of Tiger i...
We provide the first proof of security for Tandem-DM, one of the oldest and most well-known constructions for turning a block cipher with n-bit block length and 2n-bit key length into a 2n-bit cryptographic hash function. We prove, that when Tandem-DM is instantiated with AES-256, block length 128 bits and key length 256 bits, any adversary that as...
We analyse the Double-Mix Merkle-Damgård construction (DMMD) used in the AURORA family of hash functions. We show that DMMD falls short of providing the expected level of security. Specifically, we are able to
In this paper we investigate the security of the encryption mode of the HAS-160 hash function. HAS-160 is a Korean hash standard which is widely used in Korea's industry. The structure of HAS-160 is similar to SHA-1 but includes some improvements. The encryption mode of HAS-160 is defined similarly as the encryption mode of SHA-1 that is called SHA...
ARIA (4) is a block cipher proposed at ICISC'03. Its design is very similar to the advanced encryption standard (AES). The authors propose that on 32-bit processors, the encryption speed is at least 70% of that of the AES. They claim to offer a higher security level than AES. In this paper we present two attacks of reduced round ARIA which show some...
We provide the first proof of security for Abreast-DM, one of the oldest and most well- known constructions for turning a block cipher with n-bit block length and 2n-bit key length into a 2n-bit cryptographic hash function. In particular, we prove that when Abreast-DM is instantiated with AES-256, i.e. a block cipher with 128-bit block length and 2...
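The two constructions named in the Tandem-DM and Abreast-DM abstracts above, written out as code so the data flow between the two block-cipher calls is visible. This is an added example, not the papers' code: the papers instantiate E with AES-256 (128-bit block, 256-bit key); because the Python standard library has no AES, `toy_block_cipher` is a constructed Feistel stand-in with the same interface, and the all-zero IV, the padding rule and the `dbl_hash` driver are assumptions. Any cipher with a 256-bit key and 128-bit block can be passed as `E`.

```python
import hashlib

N_BYTES = 16  # n = 128 bits: block size of the cipher; the digest is 2n = 256 bits

def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher E with a 2n-bit key and n-bit block (NOT AES-256;
    the Python standard library has no AES). A 4-round Feistel network whose round
    functions are SHA-256 keyed by (key, round number); only encryption is needed."""
    assert len(key) == 2 * N_BYTES and len(block) == N_BYTES
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def tandem_dm(g: bytes, h: bytes, m: bytes, E=toy_block_cipher):
    """Tandem-DM: (G_{i-1}, H_{i-1}, M_i) -> (G_i, H_i). The first call's output W
    becomes part of the second call's key, hence 'tandem'."""
    w = E(h + m, g)
    return xor(g, w), xor(h, E(m + w, h))

def abreast_dm(g: bytes, h: bytes, m: bytes, E=toy_block_cipher):
    """Abreast-DM: two calls side by side; the second encrypts the complement of H."""
    not_h = bytes(x ^ 0xFF for x in h)
    return xor(g, E(h + m, g)), xor(h, E(m + g, not_h))

def dbl_hash(message: bytes, compress=tandem_dm, E=toy_block_cipher) -> bytes:
    """Merkle-Damgård iteration over n-bit message blocks with 0x80 padding and a
    64-bit length field; returns the 2n-bit digest G || H."""
    padded = message + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % N_BYTES) + len(message).to_bytes(8, "big")
    g, h = bytes(N_BYTES), bytes(N_BYTES)       # constructed all-zero IV (assumption)
    for i in range(0, len(padded), N_BYTES):
        g, h = compress(g, h, padded[i:i + N_BYTES], E)
    return g + h

if __name__ == "__main__":
    print("Tandem-DM ", dbl_hash(b"abc", tandem_dm).hex())
    print("Abreast-DM", dbl_hash(b"abc", abreast_dm).hex())
```

Both compression functions make exactly two cipher calls per 128-bit message block and keep a 256-bit chaining value, which is what the collision bounds in the abstracts are about; the stand-in cipher only makes the code runnable and says nothing about those bounds.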
Entity recognition does not ask whether the message is from some entity X, just whether a message is from the same entity as a previous message. This turns out to be very useful for low-end devices. Motivated by an attack against a protocol presented at SAC 2003, the current paper proposes a new protocol, the “Jane Doe Protocol”, and pro...
Research in Symmetric Cryptography is quickly evolving. The seminar was the second of its kind, the first one took place in 2007. We observe a steadily increasing interest in Symmetric Cryptography, as well as a growing practical demand for symmetric algorithms and protocols. The seminar was very successful in discussing recent results and sharing...
In this paper we present two new attacks on round reduced versions of the AES. We present the first application of the related-key boomerang attack on 7 and 9 rounds of AES-192. The 7-round attack requires only 2^18 chosen plaintexts and ciphertexts and needs 2^67.5 encryptions. We extend our attack to nine rounds of AES-192. This leads to a data co...
Entity recognition does not ask whether the message is from some entity X, just whether a message is from the same entity as a previous message. This turns out to be very useful for low-end devices. The current paper proposes a new protocol –the “Jane Doe Protocol”–, and provides a formal proof of its concrete security. The protocol neither e...
This paper studies the application of slide attacks to hash functions. Slide attacks have mostly been used for block cipher cryptanalysis. But, as shown in the current paper, they also form a potential threat for hash functions, namely for sponge-function like structures. As it turns out, certain constructions for hash-function-based MACs can be vu...
We present an efficient simultaneous broadcast protocol ν-SimCast that allows n players to announce independently chosen values, even if up to t < n/2 players are corrupt. Independence is guaranteed in the partially synchronous communication model, where communication is structured into rounds, while each round is asynchronous. The ν-SimCast proto...
Protection of personal data is a privacy right from both ethical and legislation perspectives. Internet users require safeguarding their privacy against misuses and exploits. On the other hand, internet search engines and especially the most popular Google threaten user privacy. Google Hacking is a general term describing how Google can be used to...
Abstract: The years 2004 to 2006 were dramatic with respect to cryptographic hash functions: attacks on the hash function MD5, which unfortunately is still widely used, were improved to the point that they can be carried out on a PC within a few seconds. And it turned out that the standard SHA-1, until then considered secure, at least t...
This paper proposes a construction for collision resistant $2n$-bit hash functions, based on $n$-bit block ciphers with $2n$-bit keys. The construction is analysed in the ideal cipher model; for $n=128$ an adversary would need roughly $2^{122}$ units of time to find a collision. The construction employs ``combinatorial'' hashing as an underlying bu...
The Seminar brought together about 35 researchers from industry and academia. Most of the participants came from different European countries, but quite a few also came from America and Asia. Almost all the participants gave a presentation. Most of them gave a "regular" talk of 30 to 50 minutes (including discussion time), some gave a "rump session...
From .. to .., the Dagstuhl Seminar 07021 ``Symmetric Cryptography'' was held in the International Conference and Research Center (IBFI), Schloss Dagstuhl. During the seminar, several participants presented their current research, and ongoing work and open problems were discussed. Abstracts of the presentations given during the semina...
Classical cryptographic protocols based on shared secret keys often are vulnerable to key-guessing attacks. For security, the keys must be strong, difficult to memorize for humans. Bellovin and Merritt [4] proposed encrypted key exchange (EKE) protocols, to frustrate key-guessing attacks. EKE requires the use of asymmetric cryptosystems and is base...
We propose a novel mechanism for authentication of queries in a sensor network in case these queries are flooded. In our protocol, the base station appends an authenticator to every query, such that each sensor can verify with certain probability that the query is sent by the base station. Implicit cooperation between sensor nodes during the floodi...
We propose a novel mechanism for authentication of flooded queries in sensor networks. Each sensor can verify with certain probability that the query is sent by the base station. Implicit cooperation between sensor nodes during the flooding process ensures that the propagation of fake queries is limited to a small part of the network.
We describe a collision-finding attack on 16 rounds of the Tiger hash function requiring the time for about 2^44 compression function invocations. Another attack generates pseudo-near collisions, but for 20 rounds of Tiger with work less than that of 2^48 compression function invocations. Since Tiger has only 24 rounds, these attacks may raise some q...
This paper reconsiders the established Merkle-Damgård design principle for iterated hash functions. The internal state size w of an iterated n-bit hash function is treated as a security parameter in its own right. In a formal model, we show that increasing w quantifiably improves security against certain attacks, even if the compression function...
Introduction; Energy Cost of Embedded Security for Wireless Sensor Networks; Increasing Authentication and Communication Confidentiality in Wireless Sensor Networks; Efficient Pairwise Authentication Protocols for Sensor and Ad Hoc Networks; Fast and Scalable Key Establishment in Sensor Networks; Weil Pairing-Based Round, Efficient, and Fault-Tolerant G...
In addition to mobility, the ability of context awareness and especially location awareness has greatly enhanced the opportunities of mobile businesses. Many different kinds of context-aware services ranging from "finding nearby restaurants" to "sending ambulances to people in emergency" have already taken their places in the business. Besides avai...
This paper introduces CCFB and CCFB+H, two patent-free authenticated encryption schemes. CCFB+H also supports the authentication of associated data. Our schemes can employ any block cipher and are provably secure under standard assumptions. The schemes and their proofs of security are simple and straightforward. CCFB and CCFB+H restrict the sizes o...
When evaluating systems containing cryptographic components, the question arises how to measure the security provided by the cryptography included in the system. In this chapter we highlight the difficulties involved and show that, while measuring cryptographic security is desirable, the opposite point of view, i.e. measuring cryptographic insecuri...
In this paper we identify shortcomings of the TCG specification related to the availability of sealed data during software and hardware life cycles, i.e., software update or/and hardware migration. In our view these problems are major obstacles for large-scale use of trusted computing technologies, e.g., in e-commerce, as adopters are concerned tha...
Flawed implementations of security protocols are a major source of real world security problems. Typically, security protocols are specified in some "high-level" way and may even be formally proven secure. Implementing them in practical (and comparatively low-level) source code has turned out to be error-prone. This paper introduces an experiment...
This paper deals with the security of iterated hash functions against generic attacks, such as, e.g., Joux' multicollision attacks from Crypto 04 [6]. The core idea is to increase the size of the internal state of an n-bit hash function to w > n bit. Variations of this core idea allow the use of a compression function with n output bits, even if th...
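Joux's multicollision attack, which this abstract (and the wide-pipe abstract earlier on this page) names as the generic attack that a wider internal state w > n is meant to defeat, run against a constructed narrow-pipe toy hash. This is an added example, not from the paper: `compress` is a made-up random-looking map, and the 20-bit state, the 4-byte blocks and the w = 40 comparison are assumptions chosen so the attack finishes in well under a second. For comparison it also evaluates the generic N^{(r-1)/r} cost of an r-collision quoted in the r-collision abstract above.

```python
import hashlib
import itertools

def compress(state: int, block: bytes, w_bits: int) -> int:
    """Constructed compression function with a w_bits-bit chaining value. Built from
    SHA-256 only to behave like a random map; the attack is generic and never looks inside."""
    d = hashlib.sha256(state.to_bytes(8, "big") + block).digest()
    return int.from_bytes(d, "big") & ((1 << w_bits) - 1)

def md_hash(blocks: list, w_bits: int, n_bits: int) -> int:
    """Merkle-Damgård iteration with a w-bit internal state (w == n: narrow pipe,
    w > n: wide pipe), MD strengthening, output truncated to n bits."""
    state = 0
    for b in blocks:
        state = compress(state, b, w_bits)
    state = compress(state, len(blocks).to_bytes(8, "big"), w_bits)
    return state & ((1 << n_bits) - 1)

def internal_collision(state: int, w_bits: int):
    """Birthday search for two distinct blocks that collide on the w-bit internal
    state; returns ((b1, b2), next_state, compress calls). Expected cost ~ 2**(w/2)."""
    seen = {}
    for i in itertools.count():
        b = i.to_bytes(4, "big")
        y = compress(state, b, w_bits)
        if y in seen:
            return (seen[y], b), y, i + 1
        seen[y] = b

def joux_multicollision(t: int, w_bits: int):
    """Joux (Crypto 2004): chain t internal collisions; picking one block per position
    always reaches the same chaining value, so 2**t messages collide for roughly
    t * 2**(w/2) compress calls. Returns (block pairs, total calls)."""
    state, pairs, calls = 0, [], 0
    for _ in range(t):
        pair, state, c = internal_collision(state, w_bits)
        pairs.append(pair)
        calls += c
    return pairs, calls

def expand(pairs):
    """All 2**t messages spanned by the block pairs, as lists of blocks."""
    return [list(choice) for choice in itertools.product(*pairs)]

def generic_multicollision_cost(r: int, n_bits: int) -> float:
    """Work to find an r-collision of an ideal n-bit function: about N**((r-1)/r)."""
    return (2 ** n_bits) ** ((r - 1) / r)

if __name__ == "__main__":
    n = w = 20                                   # narrow pipe: internal state == output
    pairs, calls = joux_multicollision(4, w)
    msgs = expand(pairs)
    print(len(msgs), "messages,", len({md_hash(m, w, n) for m in msgs}), "distinct digest")
    print("attack cost:", calls, "vs generic 16-collision:", int(generic_multicollision_cost(16, n)))
    # With w = 2n = 40 each step would cost ~2**20 calls, as much as a brute-force
    # collision on the 20-bit output, so the chaining trick buys nothing.
    b1, b2 = pairs[0]
    print("pair still collides at w=40:", compress(0, b1, 40) == compress(0, b2, 40))
```

Four birthday steps of about 2^10 calls each yield sixteen colliding 4-block messages, whereas a 16-collision on an ideal 20-bit function costs about 2^{18.75}; with w doubled the same sixteen block pairs stop colliding on the internal state and each step costs 2^{w/2} = 2^n, which is the effect the abstract quantifies.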
The AES key schedule can almost be described as a collection of 32 linear feedback shift registers (LFSRs), working in parallel. This implies that for related keys, i.e., pairs of unknown keys with known differences, one can in part predict the differences of the individual round keys. Such a property has been used (but not explained in detail) by Ferg...
In a related-key attack, the adversary is allowed to transform the secret key and request encryptions of plaintexts under the transformed key. This paper studies the security of PRF- and PRP-constructions against related-key attacks. For adversaries who can only transform a part of the key, we propose a construction and prove its security, assuming...
Helix is a high-speed stream cipher with a built-in MAC functionality. On a Pentium II CPU it is about twice as fast as Rijndael or Twofish, and comparable in speed to RC4. The overhead per encrypted/authenticated message is low, making it suitable for small messages. It is efficient in both hardware and software, and with some pre-computation can...
Phelix is a high-speed stream cipher with a built-in MAC functionality. It is efficient in both hardware and software. On current Pentium CPUs, Phelix has a per-packet overhead of less than 900 clocks, plus a per-byte cost well under 8 clocks per byte, comparing very favorably with the best AES (encryption-only) implementations, even for small pa...
It is a hazardous fact of life that users are hardly ever willing and able to memorise strong passwords or long personal identification numbers (PINs). This paper describes a variant of the “open key exchange” (OKE) protocol, a cryptographic scheme to provide high security even when using low-entropy passwords. The variant has been dedicatedly desi...
With its 56-bit key size, the data encryption standard (DES) seems to be at the end of its useful lifetime. Also, the 64-bit DES block size is dangerously small for some applications. We discuss techniques such as triple DES and DESX to push up the key size, and we present DEAL to increase both block and key size. We propose DEALkx, a new variant of DE...
The Cramer-Shoup cryptosystem for groups of prime order is a practical public-key cryptosystem, provably secure in the standard model under standard assumptions. This paper extends the cryptosystem to groups of unknown order, namely the group of quadratic residues modulo a composite N. Two security results are: In the standard model, the scheme is...
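The prime-order Cramer-Shoup scheme that this abstract starts from, including the consistency check on the tag v that gives it chosen-ciphertext security; the unknown-order variant (quadratic residues modulo a composite N) that the paper introduces is not implemented here. This is an added example, not the paper's code: the 64-bit safe prime, the fixed-seed RNG and the SHA-256 hash into Z_q are assumptions made so the demo runs offline in a moment, and `check=False` exists only to show what the underlying ElGamal part does with a tampered ciphertext.

```python
import hashlib
import random

def is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits: int, rng: random.Random):
    """Return (p, q) with p = 2q + 1 prime; the order-q subgroup of squares mod p is G."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q

def keygen(p: int, q: int, rng: random.Random):
    g1, g2 = (pow(rng.randrange(2, p - 1), 2, p) for _ in range(2))   # squares lie in G
    x1, x2, y1, y2, z = (rng.randrange(1, q) for _ in range(5))
    c = pow(g1, x1, p) * pow(g2, x2, p) % p
    d = pow(g1, y1, p) * pow(g2, y2, p) % p
    h = pow(g1, z, p)
    return (p, q, g1, g2, c, d, h), (x1, x2, y1, y2, z)

def _alpha(q: int, u1: int, u2: int, e: int) -> int:
    """Hash (u1, u2, e) into Z_q; binds the tag v to the rest of the ciphertext.
    64-byte encodings suffice for this toy group size (assumption)."""
    data = b"".join(x.to_bytes(64, "big") for x in (u1, u2, e))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def encrypt(pk, m: int, rng: random.Random):
    """m must be an element of G (in practice a symmetric key encoded into G)."""
    p, q, g1, g2, c, d, h = pk
    r = rng.randrange(1, q)
    u1, u2, e = pow(g1, r, p), pow(g2, r, p), pow(h, r, p) * m % p
    alpha = _alpha(q, u1, u2, e)
    v = pow(c, r, p) * pow(d, r * alpha % q, p) % p
    return u1, u2, e, v

def decrypt(pk, sk, ct, check: bool = True):
    """Return m, or None when the consistency check rejects the ciphertext.
    check=False degrades the scheme to plain (malleable) ElGamal, for comparison."""
    p, q, g1, g2, c, d, h = pk
    x1, x2, y1, y2, z = sk
    u1, u2, e, v = ct
    if check:
        alpha = _alpha(q, u1, u2, e)
        expected = pow(u1, (x1 + y1 * alpha) % q, p) * pow(u2, (x2 + y2 * alpha) % q, p) % p
        if expected != v:
            return None
    return e * pow(pow(u1, z, p), -1, p) % p

def demo(seed: int = 7, bits: int = 64):
    """Key generation and one encryption on a toy group (fixed seed only for
    reproducibility; real deployments use >= 2048-bit groups and a CSPRNG).
    Returns (p, q, pk, sk, m, ct) so the pieces can be inspected."""
    rng = random.Random(seed)
    p, q = safe_prime(bits, rng)
    pk, sk = keygen(p, q, rng)
    m = pow(rng.randrange(2, p - 1), 2, p)
    return p, q, pk, sk, m, encrypt(pk, m, rng)

if __name__ == "__main__":
    p, q, pk, sk, m, (u1, u2, e, v) = demo()
    g1 = pk[2]
    print("honest decrypt ok:", decrypt(pk, sk, (u1, u2, e, v)) == m)
    print("tampered e rejected:", decrypt(pk, sk, (u1, u2, e * g1 % p, v)) is None)
    print("without the check:", decrypt(pk, sk, (u1, u2, e * g1 % p, v), check=False) == m * g1 % p)
```

Multiplying e by g1 turns the plaintext into m·g1 once the check is skipped, which is exactly the malleability a chosen-ciphertext attacker exploits; with the check on, the recomputed tag no longer matches v and the ciphertext is rejected before any plaintext is released.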