Chris Hall | College of the Canyons
Papers by Chris Hall
We introduce the notion of key stretching, a mechanism to convert short s-bit keys into longer keys, such that the complexity required to brute-force search an (s + t)-bit keyspace is the same as the time required to brute-force search an s-bit key stretched by t bits.
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
Journal of Computer Security, 2000
Future Generation Computer Systems, 2000
We present attacks against the McEliece Public-Key Cryptosystem, the Ajtai-Dwork Public-Key Cryptosystem, and variants of those systems. Most of these systems base their security on the apparent intractability of one or more problems. The attacks we present do not violate the intractability of the underlying problems, but instead obtain information about the private key or plaintext by watching the reaction of someone decrypting a given ciphertext with the private key. In the case of the McEliece system we must repeat the attack for each ciphertext we wish to decrypt, whereas for the Ajtai-Dwork system we are able to recover the private key.
In this paper we discuss PRNGs: the mechanisms used by real-world secure systems to generate cryptographic keys, initialization vectors, “random” nonces, and other values assumed to be random. We argue that PRNGs are their own unique type of cryptographic primitive, and should be analyzed as such. We propose a model for PRNGs, discuss possible attacks against this model, and demonstrate the applicability of the model (and our attacks) to four real-world PRNGs. We close with a discussion of lessons learned about PRNG design and use, and a few open questions.
Building on the work of Kocher [Koc96], we introduce the notion of side-channel cryptanalysis: cryptanalysis using implementation data. We discuss the notion of side-channel attacks and the vulnerabilities they introduce, demonstrate side-channel attacks against three product ciphers—timing attack against IDEA, processor-flag attack against RC5, and Hamming weight attack against DES—and then generalize our research to other cryptosystems.