Chapter

Springer Encyclopedia of Cryptography and Security

... Traditional S-box design criteria focus on the resistance to differential and linear attacks [2,3]. Some S-box transformations, equivalences and classes have been proposed to address this goal. ...
... For each binary vector x ∈ {0, 1}^n, HW(x) represents the Hamming weight of x [10]. Its objective is to cause the greatest possible confusion by masking the relationship between the plain text and the ciphertext [2,19]. ...
... In the Hamming weight model [2], the hypothetical leakage X_{j,p} of the power consumption evaluating an S-box is represented by the value X_{j,p} = HW(F(j ⊕ p)), where F is the S-box, p represents the clear text and j is the assumed subkey to encrypt the plain text. ...
Article
The search of bijective n×n S-boxes resilient to power attacks in the space of dimension (2^n)! is a controversial topic in the cryptology community nowadays. This paper proposes partitioning the space of (2^n)! S-boxes into equivalence classes using the hypothetical power leakage according to the Hamming weights model, which ensures a homogeneous theoretical resistance within the class against power attacks. We developed a fast algorithm to generate these S-boxes by class. It was mathematically demonstrated that the theoretical metric confusion coefficient variance takes constant values within each class. A new search strategy—jumping over the class space—is justified to find S-boxes with high confusion coefficient variance in the space partitioned by Hamming weight classes. In addition, a decision criterion is proposed to move quickly between or within classes. The number of classes and the number of S-boxes within each class are calculated, showing that, as n increases, the class space dimension is an ever-smaller fraction of the space of S-boxes, which significantly reduces the space of search of S-boxes resilient to power attacks, when the search is performed from class to class.
... Vastly used cheap masked ROM memories can literally be read out after the proper delayering of a device [7,20,28,29]. To deflect an information breach, we recommend complete abandoning of using masked ROM memory types and types with similar features (readability of stored values, e.g., [7,30,28]; impossible to erase/rewrite content). ...
... Vastly used, cheap masked ROM memories can literally be read out after proper imaging with an X-ray or after delayering a device [30], [42], [43], [44]. To deflect an information breach, we recommend to completely abandon using masked ROM memory types and those with similar features (readability of stored values, e.g., [30], [45], [43]; impossible to erase/rewrite content). ...
... In general, payment protocols and the micropayment variant thereof are not a new research topic at all, cf., research on electronic cash [4] [6] [7] and its many extensions, or see van Tilborg [16] for an overview. Still, the payment problem in the constrained RFID environment raises very challenging research problems. ...
Chapter
Current research in RFID security focuses on basic authentication protocols between a tag and a reader. In this paper, we claim that, in future, different new RFID-based scenarios will play an increasing role. In particular, we propose two new research directions: 1. Multi-Tag Security, and 2. RFID-based Payment. In multi-tag security, multiple tags try to jointly compute an information while using the reader either as the focal point of all communication or as a relay for tag-to-tag communication. In this scenario, the security of the computation has to be guaranteed while also privacy of individual tags must be protected. In a payment scenario, tags are used as electronic wallets similar to the notions of traditional electronic cash. Payment must be secured against malicious spending, and the privacy of tags and their payments must be protected.
Article
In this paper the generality and wide applicability of Zero-knowledge proofs, a notion introduced by Goldwasser, Micali, and Rackoff is demonstrated. These are probabilistic and interactive proofs that, for the members of a language, efficiently demonstrate membership in the language without conveying any additional knowledge. All previously known zero-knowledge proofs were only for number-theoretic languages in NP ∩ co-NP. Under the assumption that secure encryption functions exist or by using "physical means for hiding information," it is shown that all languages in NP have zero-knowledge proofs. Loosely speaking, it is possible to demonstrate that a CNF formula is satisfiable without revealing any other property of the formula, in particular, without yielding neither a satisfying assignment nor properties such as whether there is a satisfying assignment in which x1 = x3 etc. It is also demonstrated that zero-knowledge proofs exist "outside the domain of cryptography and number theory." Using no assumptions, it is shown that both graph isomorphism and graph nonisomorphism have zero-knowledge interactive proofs. The mere existence of an interactive proof for graph nonisomorphism is interesting, since graph nonisomorphism is not known to be in NP and hence no efficient proofs were known before for demonstrating that two graphs are not isomorphic.
Article
We show that interaction in any zero-knowledge proof can be replaced by sharing a common, short, random string. We use this result to construct the first public-key cryptosystem secure against chosen ciphertext attack.
Article
Usually, a proof of a theorem contains more knowledge than the mere fact that the theorem is true. For instance, to prove that a graph is Hamiltonian it suffices to exhibit a Hamiltonian tour in it; however, this seems to contain more knowledge than the single bit Hamiltonian/non-Hamiltonian. In this paper a computational complexity theory of the 'knowledge' contained in a proof is developed. Zero-knowledge proofs are defined as those proofs that convey no additional knowledge other than the correctness of the proposition in question. Examples of zero-knowledge proof systems are given for the languages of quadratic residuosity and quadratic nonresiduosity. These are the first examples of zero-knowledge proofs for languages not known to be efficiently recognizable.
Article
We introduce the notion of Resettable Zero-Knowledge (rZK), a new security measure for cryptographic protocols which strengthens the classical notion of zero-knowledge. In essence, an rZK protocol is one that remains zero knowledge even if an adversary can interact with the prover many times, each time resetting the prover to its initial state and forcing him to use the same random tape.
Article
Concurrent executions of a zero-knowledge protocol by a single prover (with one or more verifiers) may leak information and may not be zero-knowledge in toto. In this paper, we study the problem of maintaining zero-knowledge We introduce the notion of an (; ) timing constraint: for any two processors P1 and P2 , if P1 measures elapsed time on its local clock and P2 measures elapsed time on its local clock, and P2 starts after P1 does, then P2 will finish after P1 does. We show that if the adversary is constrained by an (; ) assumption then there exist four-round almost concurrent zero-knowledge interactive proofs and perfect concurrent zero-knowledge arguments for every language in NP . We also address the more specific problem of Deniable Authentication, for which we propose several particularly efficient solutions. Deniable Authentication is of independent interest, even in the sequential case; our concurrent solutions yield sequential solutions without recourse to timing, i.e., in the standard model.
Blum, M., A. De Santis, S. Micali, and G. Persiano (1991). "Non-interactive zero-knowledge proof systems." SIAM Journal on Computing, 20 (6), 1084–1118.