Guaranteeing the diversity of number generators
A major problem in using iterative number generators of the form
x_i=f(x_{i-1}) is that they can enter unexpectedly short cycles. This is hard
to analyze when the generator is designed, hard to detect in real time when the
generator is used, and can have devastating cryptanalytic implications. In this
paper we define a measure of security, called sequence diversity, which
generalizes the notion of cycle-length for non-iterative generators. We then
introduce the class of counter assisted generators, and show how to turn any
iterative generator (even a bad one designed or seeded by an adversary) into a
counter assisted generator with a provably high diversity, without reducing the
quality of generators which are already cryptographically strong.
Comment: Small update
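The following Python is an added illustration, not code from the paper: it compares a plain iterated generator x_i = f(x_{i-1}) with its counter-assisted form on two adversarially chosen f (a constant function and a 4-cycle), measures the diversity of each output sequence, and checks whether a repeated value drags the generator back into its earlier trajectory. The combining rule x_i = f(x_{i-1}) XOR i is my reading of the construction and is an assumption; WIDTH, the seed and the two bad functions are constructed for the demo.

```python
# Added example: plain iterated generator versus the counter-assisted form.
# The combining rule x_i = f(x_{i-1}) XOR i is assumed here to be the paper's
# construction; WIDTH, the seed and the adversarial f below are constructed.
WIDTH = 16
MASK = (1 << WIDTH) - 1

def iterated(f, seed, n):
    """x_i = f(x_{i-1}); returns the first n outputs."""
    x, out = seed & MASK, []
    for _ in range(n):
        x = f(x) & MASK
        out.append(x)
    return out

def counter_assisted(f, seed, n, combine=lambda y, i: y ^ i):
    """x_i = f(x_{i-1}) (+) i, where (+) is XOR by default; addition mod 2^WIDTH
    (combine=lambda y, i: y + i) works the same way."""
    x, out = seed & MASK, []
    for i in range(1, n + 1):
        x = combine(f(x), i) & MASK
        out.append(x)
    return out

def diversity(seq):
    """Sequence diversity of the produced outputs: number of distinct values."""
    return len(set(seq))

def first_repeat_continues(seq):
    """Find the first repeated value x_i == x_j (i < j) that has a successor and
    report whether the successors agree too (x_{i+1} == x_{j+1}). True means the
    generator has re-entered its earlier trajectory, i.e. it is stuck in a
    cycle. Returns None if no such repeat occurs within the sequence."""
    first = {}
    for j, x in enumerate(seq):
        if x in first and j + 1 < len(seq):
            return seq[first[x] + 1] == seq[j + 1]
        first.setdefault(x, j)
    return None

def demo(n=4096, seed=7):
    """Two adversarially chosen f: a constant function and a 4-cycle. For the
    counter-assisted generator a repeat can never continue: if x_i == x_j then
    x_{i+1} = f(x_i) XOR (i+1) differs from x_{j+1} = f(x_i) XOR (j+1)."""
    bad = {"const": lambda x: 0x1234, "cycle4": lambda x: (x + 1) % 4}
    results = {}
    for name, f in bad.items():
        plain, assisted = iterated(f, seed, n), counter_assisted(f, seed, n)
        results[name] = {
            "plain_diversity": diversity(plain),
            "assisted_diversity": diversity(assisted),
            "plain_repeat_continues": first_repeat_continues(plain),
            "assisted_repeat_continues": first_repeat_continues(assisted),
        }
    return results

if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

With the constant f the plain generator has diversity 1 while the counter-assisted one outputs 0x1234 XOR i, all distinct; with the 4-cycle the counter's high bits alone guarantee at least n/4 distinct values, and in neither case does a repeated value make the counter-assisted sequence repeat its successor.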
The Dimpled Manifold Model of Adversarial Examples in Machine Learning
The extreme fragility of deep neural networks when presented with tiny
perturbations in their inputs was independently discovered by several research
groups in 2013, but in spite of enormous effort these adversarial examples
remained a baffling phenomenon with no clear explanation. In this paper we
introduce a new conceptual framework (which we call the Dimpled Manifold Model)
which provides a simple explanation for why adversarial examples exist, why
their perturbations have such tiny norms, why these perturbations look like
random noise, and why a network which was adversarially trained with
incorrectly labeled images can still correctly classify test images. In the
last part of the paper we describe the results of numerous experiments which
strongly support this new model, and in particular our assertion that
adversarial perturbations are roughly perpendicular to the low dimensional
manifold which contains all the training examples.
Length-based cryptanalysis: The case of Thompson's Group
The length-based approach is a heuristic for solving randomly generated
equations in groups which possess a reasonably behaved length function. We
describe several improvements of the previously suggested length-based
algorithms, that make them applicable to Thompson's group with significant
success rates. In particular, this shows that the Shpilrain-Ushakov public key
cryptosystem based on Thompson's group is insecure, and suggests that no
practical public key cryptosystem based on this group can be secure.
Comment: Final version, to appear in JM
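As an added example (not from the paper, and not Thompson's group), the Python below runs the basic length-based heuristic on the decomposition problem in a free group, where the length function is simply the length of the freely reduced word: given a public word w and u = a*w*b with a from subgroup A and b from subgroup B, the attacker greedily strips generators of A from the left and of B from the right whenever that shortens the word. The generator sets, word lengths and seed are constructed; the letters of w are chosen disjoint from those of A and B so that the greedy step is never misled, which is exactly the easy case. The paper's contribution is making the heuristic work on Thompson's group, whose length function is far less well-behaved.

```python
import random

# Added toy instance: free group on x1..x6, A = <x1, x2>, B = <x5, x6>, and the
# public word w written over x3, x4 (constructed so the greedy peeling is clean).
# A word is a tuple of (generator, exponent) with exponent +1 or -1.
GENS_A = ("x1", "x2")
GENS_B = ("x5", "x6")
GENS_W = ("x3", "x4")

def reduce_word(word):
    """Free reduction: cancel adjacent g g^-1 pairs."""
    stack = []
    for g, e in word:
        if stack and stack[-1] == (g, -e):
            stack.pop()
        else:
            stack.append((g, e))
    return tuple(stack)

def mult(*words):
    """Product of words in the free group (concatenate, then reduce)."""
    return reduce_word([letter for w in words for letter in w])

def random_reduced_word(gens, length, rng):
    word = []
    while len(word) < length:
        letter = (rng.choice(gens), rng.choice((1, -1)))
        if word and word[-1] == (letter[0], -letter[1]):
            continue
        word.append(letter)
    return tuple(word)

def make_instance(seed):
    """Decomposition-problem instance: public (u, w) with u = a * w * b."""
    rng = random.Random(seed)
    a = random_reduced_word(GENS_A, 8, rng)
    w = random_reduced_word(GENS_W, 30, rng)
    b = random_reduced_word(GENS_B, 8, rng)
    return mult(a, w, b), w, a, b

def peel(word, gens, side):
    """Length-based step: repeatedly strip the letter (from gens, on the given
    side) that shortens the reduced word most; stop when nothing shortens it.
    Returns (letters stripped in order, remaining word)."""
    found, cur = [], word
    while True:
        best = None
        for g in gens:
            for e in (1, -1):
                inv = ((g, -e),)
                cand = mult(inv, cur) if side == "left" else mult(cur, inv)
                if len(cand) < len(cur) and (best is None or len(cand) < len(best[0])):
                    best = (cand, (g, e))
        if best is None:
            return found, cur
        cur, letter = best
        found.append(letter)

def length_based_attack(u, w, gens_a=GENS_A, gens_b=GENS_B):
    """Recover a in A and b in B with u = a * w * b; the success flag is
    whether a^-1 * u * b^-1 equals the public word w."""
    a_letters, rest = peel(u, gens_a, "left")
    b_letters, rest = peel(rest, gens_b, "right")
    return tuple(a_letters), tuple(reversed(b_letters)), rest == w

if __name__ == "__main__":
    u, w, a, b = make_instance(7)
    ra, rb, ok = length_based_attack(u, w)
    print("recovered a and b:", ok, ra == a, rb == b)
```

Each peeling step costs a handful of reductions, so the attack is linear in the lengths of a and b; the heuristic fails when a generator that is not part of the secret still shortens the word, which is why the alphabets of w and the subgroups are kept disjoint in this toy.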
How Did Dread Pirate Roberts Acquire and Protect his Bitcoin Wealth?
The Bitcoin scheme is one of the most popular and talked about alternative payment schemes. One of the most active parts of the Bitcoin ecosystem was the Silk Road marketplace, in which highly illegal substances and services were traded. It was run by a person who called himself Dread Pirate Roberts (DPR), whose bitcoin holdings are estimated to be worth hundreds of millions of dollars at today's exchange rate. On October 1st 2013, the FBI arrested a 29 year old person named Ross William Ulbricht, claiming that he is DPR, and seizing a small fraction of his bitcoin wealth. In this paper we use the publicly available record to trace the evolution of his holdings in order to find how he acquired them and how he tried to hide them from the authorities. In particular, we trace the amounts he received and the amounts he transferred out of his accounts, and show that all his Silk Road commissions from the months of May, June and September 2013, along with numerous other amounts, were not seized by the FBI. This analysis demonstrates the power of data mining techniques in analyzing large payment systems, and especially publicly available transaction graphs of the type provided by the Bitcoin scheme.
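The kind of transaction-graph tracing the abstract describes, as an added Python example that is not the paper's code and uses a constructed toy graph rather than real Bitcoin data: each transaction spends earlier outputs and creates new ones, so following the funds paid to an address means walking from its outputs to the transactions that spend them and onward. The addresses, amounts and the "seized" set are all constructed; tainting every output of a spending transaction is a simple heuristic, not a claim about the paper's method.

```python
from collections import defaultdict, deque

# Constructed toy transaction graph (not real Bitcoin data). Each transaction
# spends earlier outputs, referenced as (txid, output index), and creates new
# outputs (address, amount). "tx1" stands in for the coinbase that minted the coins.
TXS = {
    "tx1": {"inputs": [], "outputs": [("A", 10.0)]},
    "tx2": {"inputs": [("tx1", 0)], "outputs": [("B", 6.0), ("A2", 4.0)]},
    "tx3": {"inputs": [("tx2", 0)], "outputs": [("C", 6.0)]},
    "tx4": {"inputs": [("tx2", 1)], "outputs": [("D", 3.0), ("E", 1.0)]},
}

def spender_index(txs):
    """Map every spent output (txid, index) to the transaction that spent it."""
    return {ref: spender for spender, tx in txs.items() for ref in tx["inputs"]}

def address_totals(txs):
    """Amount received and amount sent out, per address, over the whole graph."""
    received, sent = defaultdict(float), defaultdict(float)
    for tx in txs.values():
        for addr, amt in tx["outputs"]:
            received[addr] += amt
        for ptx, idx in tx["inputs"]:
            addr, amt = txs[ptx]["outputs"][idx]
            sent[addr] += amt
    return dict(received), dict(sent)

def trace_forward(txs, start_addr):
    """Follow every output paid to start_addr through the transactions that
    spend it, tainting all outputs of each spending transaction (simple
    heuristic). Returns the addresses reached and the unspent outputs where
    the traced funds now rest."""
    spent_by = spender_index(txs)
    frontier = deque((txid, i) for txid, tx in txs.items()
                     for i, (addr, _) in enumerate(tx["outputs"]) if addr == start_addr)
    seen, reached, resting = set(), set(), []
    while frontier:
        ref = frontier.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        addr, amt = txs[ref[0]]["outputs"][ref[1]]
        reached.add(addr)
        spender = spent_by.get(ref)
        if spender is None:
            resting.append((addr, amt))            # unspent: funds still sit here
        else:
            frontier.extend((spender, i) for i in range(len(txs[spender]["outputs"])))
    return reached, resting

def unseized(resting, seized_addrs):
    """Total resting in outputs whose address is not in the seized set."""
    return sum(amt for addr, amt in resting if addr not in seized_addrs)

if __name__ == "__main__":
    reached, resting = trace_forward(TXS, "A")
    print("reached:", sorted(reached))
    print("resting:", sorted(resting), "not seized:", unseized(resting, {"C"}))
```

On the toy graph the 10.0 paid to A ends up resting in C, D and E; if only C were seized, 4.0 of the traced funds would remain unseized, which is the shape of the argument the paper makes at scale.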
An Improved Algebraic Attack on Hamsi-256
Hamsi is one of the second-stage candidates in NIST's SHA-3
competition. The only previous attack on this hash function was a
very marginal attack on its 256-bit version published by Thomas Fuhr
at Asiacrypt, which is better than generic attacks only for
very short messages of fewer than 32-bit blocks, and is only
times faster than a straightforward exhaustive search attack. In
this paper we describe a different algebraic attack which is less
marginal: It is better than the best known generic attack for all
practical message sizes (up to gigabytes), and it outperforms
exhaustive search by a factor of at least . The attack is based
on the observation that in order to discard a possible second
preimage, it suffices to show that one of its hashed output bits is
wrong. Since the output bits of the compression function of Hamsi-256
can be described by low degree polynomials, it is actually faster to
compute a small number of output bits by a fast polynomial evaluation
technique rather than via the official algorithm.
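An added Python example, not from the paper and not Hamsi: a toy two-round compression function whose output bits are polynomials of degree at most 4 over GF(2), the Moebius transform that recovers the algebraic normal form (ANF) of one output bit from its truth table, and a second-preimage search that discards a candidate as soon as that single bit disagrees with the target, only running the full function on the survivors. The state width, round structure and constants are constructed; the toy counts full evaluations saved rather than measuring speed, since the real attack's gain comes from fast evaluation of a low-degree polynomial at many points.

```python
# Added toy: output bits of low degree, ANF recovery, one-bit early discard.
N = 10                             # toy state width in bits (constructed)
MASK = (1 << N) - 1
ROUND_CONSTANTS = (0x2D5, 0x193)   # arbitrary constants (constructed)

def rotl(x, r):
    return ((x << r) | (x >> (N - r))) & MASK

def chi(x):
    """Keccak-style chi: y_i = x_i XOR (NOT x_{i+1} AND x_{i+2}); degree 2."""
    return (x ^ (~rotl(x, N - 1) & rotl(x, N - 2))) & MASK

def toy_compress(x):
    """Two rounds of rotate, chi, constant: every output bit has degree <= 4."""
    for rc in ROUND_CONSTANTS:
        x = chi(rotl(x, 3)) ^ rc
    return x

def anf_of_output_bit(bit):
    """Moebius transform of the truth table of one output bit. Returns the
    monomials of its ANF, each as a bit mask over the N input variables."""
    table = [(toy_compress(x) >> bit) & 1 for x in range(1 << N)]
    for i in range(N):
        step = 1 << i
        for x in range(1 << N):
            if x & step:
                table[x] ^= table[x ^ step]
    return [u for u in range(1 << N) if table[u]]

def degree(monomials):
    return max((bin(u).count("1") for u in monomials), default=0)

def eval_anf(monomials, x):
    """Evaluate the ANF at x: XOR of all monomials whose variables are all 1."""
    bit = 0
    for u in monomials:
        if x & u == u:
            bit ^= 1
    return bit

def second_preimage_search(target, exclude, monomials, bit=0):
    """Search all inputs except `exclude` for second preimages of `target`.
    `monomials` must be the ANF of output bit `bit`. Returns (preimages found,
    number of candidates that needed a full evaluation)."""
    want = (target >> bit) & 1
    found, full_evals = [], 0
    for x in range(1 << N):
        if x == exclude:
            continue
        if eval_anf(monomials, x) != want:
            continue               # one output bit is wrong: discard without hashing
        full_evals += 1
        if toy_compress(x) == target:
            found.append(x)
    return found, full_evals

if __name__ == "__main__":
    mon = anf_of_output_bit(0)
    print("bit 0 has", len(mon), "monomials, degree", degree(mon))
    x0 = 0x123
    found, full = second_preimage_search(toy_compress(x0), x0, mon)
    print("second preimages:", found, "full evaluations:", full, "of", (1 << N) - 1)
```

Filtering on one output bit removes about half of the candidates before any full evaluation; checking two or three recovered bits in sequence removes correspondingly more, which is the idea the abstract describes for Hamsi-256.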
Side Channel Cube Attacks on Block Ciphers
In this paper we formalize the notion of {\it leakage attacks} on
iterated block ciphers, in which the attacker can find (via
physical probing, power measurement, or any other type of side
channel) one bit of information about the intermediate state of
the encryption after each round. Since bits computed during the
early rounds can be typically represented by low degree
multivariate polynomials, cube attacks seem to be an ideal generic
key recovery technique in these situations. However, the original
cube attack requires extremely clean data, whereas the information
provided by side channel attacks can be quite noisy. To address
this problem, we develop a new variant of cube attack which can
tolerate considerable levels of noise (affecting more than 11\% of
the leaked bits in practical scenarios). Finally, we demonstrate
our approach by describing efficient leakage attacks on two of the
best known block ciphers, AES (requiring about time for
full key recovery) and SERPENT (requiring about time for
full key recovery).
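The cube attack in the leakage setting, as an added Python example that is not the paper's code: the leaked bit is a constructed low-degree polynomial in 8 public bits and 8 key bits (not a real cipher), the offline phase finds cubes whose superpoly is linear in the key (checked exhaustively here because the toy key is only 8 bits; real attacks use randomised linearity tests), and the online phase reads the leaked bit through a probe that flips each reading with probability 0.12, takes a majority over repeated readings, forms the cube sums and solves the resulting linear system over GF(2). Majority voting is a simple noise-handling choice for this toy and is not a claim about the paper's noise-tolerant variant; the cube list, key and noise model are constructed.

```python
import random

N_PUB, N_KEY = 8, 8        # public (chosen) bits and key bits of the toy

def leaked_bit(v, k):
    """Constructed leaked bit after an early round: a low-degree polynomial in
    the public bits v and key bits k. Not a real cipher."""
    V = [(v >> i) & 1 for i in range(N_PUB)]
    K = [(k >> i) & 1 for i in range(N_KEY)]
    t = V[0] & V[1] & (K[0] ^ K[1])
    t ^= V[2] & V[3] & (K[2] ^ 1)
    t ^= V[4] & V[5] & (K[3] ^ K[4] ^ K[5])
    t ^= V[6] & V[7] & K[6]
    t ^= V[0] & V[2] & (K[7] ^ K[0])
    t ^= V[1] & V[3] & K[5]
    t ^= V[4] & V[6] & (K[1] ^ K[4])
    t ^= V[5] & V[7] & (K[3] ^ K[6])
    t ^= V[0] & K[0] & K[3]              # not a full cube term: cancels in cube sums
    t ^= K[1] & K[2] & K[6]
    t ^= V[0] & V[1] & V[2] & K[4]
    t ^= V[3] & V[5] & K[2] & K[4]       # cube (3, 5) has a nonlinear superpoly
    return t

def cube_sum(read, cube):
    """XOR of the leaked bit over all assignments of the cube bits, with the
    other public bits fixed to 0; read(v) returns the bit for public input v."""
    s = 0
    for m in range(1 << len(cube)):
        v = sum(1 << i for j, i in enumerate(cube) if (m >> j) & 1)
        s ^= read(v)
    return s

def superpoly_if_linear(cube):
    """Offline phase with chosen keys (no noise): return (coefficient mask,
    constant) of the cube's superpoly if it is linear in the key, else None."""
    p = lambda k: cube_sum(lambda v: leaked_bit(v, k), cube)
    const = p(0)
    coeffs = sum((p(1 << i) ^ const) << i for i in range(N_KEY))
    for k in range(1 << N_KEY):          # exhaustive check, affordable for 8 key bits
        if p(k) != const ^ (bin(coeffs & k).count("1") & 1):
            return None
    return coeffs, const

def solve_gf2(rows, n):
    """Gaussian elimination over GF(2); rows are (mask, rhs). None if not full rank."""
    rows = [list(r) for r in rows]
    r = 0
    for col in range(n):
        piv = next((i for i in range(r, len(rows)) if (rows[i][0] >> col) & 1), None)
        if piv is None:
            return None
        rows[r], rows[piv] = rows[piv], rows[r]
        for i in range(len(rows)):
            if i != r and (rows[i][0] >> col) & 1:
                rows[i][0] ^= rows[r][0]
                rows[i][1] ^= rows[r][1]
        r += 1
    return sum(rows[i][0] for i in range(n) if rows[i][1])

def majority_read(probe, v, reps):
    """Simple noise handling: majority over repeated readings of one bit."""
    return 1 if 2 * sum(probe(v) for _ in range(reps)) > reps else 0

def cube_attack(probe, cubes, reps=25):
    """Online phase: probe(v) yields one (possibly noisy) leaked bit for public
    input v. Each linear cube gives one linear equation in the key bits."""
    rows = []
    for cube in cubes:
        lin = superpoly_if_linear(cube)
        if lin is None:
            continue                                  # nonlinear superpoly: unusable
        coeffs, const = lin
        rhs = cube_sum(lambda v: majority_read(probe, v, reps), cube) ^ const
        rows.append((coeffs, rhs))
    return solve_gf2(rows, N_KEY)

def noisy_probe(key, flip_prob, seed):
    """Constructed side channel: each reading is flipped with probability flip_prob."""
    rng = random.Random(seed)
    return lambda v: leaked_bit(v, key) ^ (1 if rng.random() < flip_prob else 0)

CUBES = [(0, 1), (2, 3), (4, 5), (6, 7), (0, 2), (1, 3), (4, 6), (5, 7), (3, 5)]

if __name__ == "__main__":
    key = 0b10110010
    print("recovered:", bin(cube_attack(noisy_probe(key, 0.12, seed=3), CUBES)), "true:", bin(key))
```

With 25 readings per point and a 12% flip rate the majority is wrong with probability on the order of 10^-6 per point, so the 32 online readings recover the key reliably; raising the flip rate or lowering the repetitions shows where plain majority voting breaks down, which is the regime the abstract's noise-tolerant variant targets.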
A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony
The privacy of most GSM phone conversations is currently protected by the 20+ year old A5/1 and A5/2 stream ciphers, which were repeatedly shown to be cryptographically weak. They will soon be replaced in third generation networks by a new A5/3 block cipher called KASUMI, which is a modified version of the MISTY cryptosystem. In this paper we describe a new type of attack called a sandwich attack, and use it to construct a simple distinguisher for 7 of the 8 rounds of KASUMI with an amazingly high probability of . By using this distinguisher and analyzing the single remaining round, we can derive the complete 128 bit key of the full KASUMI by using only 4 related keys, data, bytes of memory, and time. These complexities are so small that we have actually simulated the attack in less than two hours on a single PC, and experimentally verified its correctness and complexity. Interestingly, neither our technique nor any other published attack can break MISTY in less than the complexity of exhaustive search, which indicates that the changes made by the GSM Association in moving from MISTY to KASUMI resulted in a much weaker cryptosystem.
Improved Single-Key Attacks on 8-round AES
AES is the most widely used block cipher today,
and its security is one of the most important issues in cryptanalysis.
After 13 years of analysis, related-key attacks were recently found against two
of its flavors (AES-192 and AES-256). However, such a strong type of
attack is not universally accepted as a valid attack model,
and in the more standard single-key attack model
at most 8 rounds of these two versions can be currently attacked.
In the case of 8-round AES-192, the only known attack
(found 10 years ago) is extremely marginal, requiring the evaluation
of essentially all the 2^{128} possible plaintext/ciphertext pairs in order
to speed up exhaustive key search by a factor of 16. In this paper we introduce
three new cryptanalytic techniques,
and use them to get the first non-marginal attack on 8-round AES-192
(making its time complexity about a million times faster than exhaustive search,
and reducing its data complexity to about 1/32,000 of the full codebook).
In addition, our new techniques can reduce the best known time
complexities for all the other combinations of 7-round and 8-round AES-192
and AES-256.
Improved Related-Key Attacks on DESX and DESX+
In this paper, we present improved related-key attacks on the original DESX, and DESX+, a variant of the DESX with its pre- and post-whitening XOR operations replaced with addition modulo . Compared to previous results, our attack on DESX has reduced text complexity, while our best attack on DESX+ eliminates the memory requirements at the same processing complexity.