Christof Paar - Academia.edu

Papers by Christof Paar

Cryptography is feasible on 4-Bit microcontrollers - A proof of concept

2009 IEEE International Conference on RFID, 2009

The RFID technology in combination with cryptographic algorithms and protocols is discussed widely as a promising solution against product counterfeiting. Usually the discussion is focussed on passive low-cost RFID-tags, which have harsh power constraints. 4-Bit microcontrollers have very low-power characteristics (5-60 µA) and are therefore an interesting platform for active and passive low-cost RFID-tags. To the best of our knowledge there are no implementations of cryptographic algorithms on a 4-bit microcontroller published so far. Therefore, the main contribution of this work is to demonstrate that cryptography is feasible on these ultra-constrained devices and to close this gap. We chose PRESENT as the cryptographic algorithm, because contrary to many other ciphers, PRESENT uses a 4×4 S-Box. Our implementation draws a current of 6.7 µA at a supply voltage of 1.8 V and a frequency of 500 kHz and requires less than 200 ms for the processing of one data block.

New Lightweight DES Variants

Lecture Notes in Computer Science, 2007

In this paper we propose a new block cipher, DESL (DES Lightweight), which is based on the classical DES (Data Encryption Standard) design, but unlike DES it uses a single S-box repeated eight times. On this account we adapt well-known DES S-box design criteria, such that they can be applied to the special case of a single S-box. Furthermore, we show that DESL is resistant against certain types of the most common attacks, i.e., linear and differential cryptanalyses, and the Davies-Murphy attack. Our hardware implementation results of DESL are very promising (1848 GE), therefore DESL is well suited for ultra-constrained devices such as RFID tags.

Component Identification: Enabler for Secure Networks of Complex Systems

Applied Cryptography and Network Security, 2000

The ad-hoc network technology matures and starts becoming of interest for several industries as enabler for more safety, comfortability, and new business models. However, such network systems must not only fulfill the conventional security requirements like efficiency, robustness, and privacy, but they must be resistant to manipulation by the system owners and further involved parties. For instance,

PRESENT: An Ultra-Lightweight Block Cipher

Lecture Notes in Computer Science, 2007

With the establishment of the AES the need for new block ciphers has been greatly diminished; for almost all block cipher applications the AES is an excellent and preferred choice. However, despite recent implementation advances, the AES is not suitable for extremely constrained environments such as RFID tags and sensor networks. In this paper we describe an ultra-lightweight block cipher, PRESENT. Both security and hardware efficiency have been equally important during the design of the cipher and at 1570 GE, the hardware requirements for PRESENT are competitive with today's leading compact stream ciphers.

Lightweight Cryptography and RFID: Tackling the Hidden Overhead

The KSII Transactions on Internet and Information Systems, 2010

... A public key identification scheme [23] allows the possessor of a secret key to prove possession of that secret by means of an ...

E-Passport: The Global Traceability Or How to Feel Like a UPS Package

Lecture Notes in Computer Science, 2007

Since the introduction of RFID technology there have been public debates on security and privacy concerns. In this context the Machine Readable Travel Document (MRTD), also known as e-passport, is of particular public interest. Whereas strong cryptographic ...

A New Class of Collision Attacks and Its Application to DES

Lecture Notes in Computer Science, 2003

Until now in cryptography the term collision was mainly associated with the surjective mapping of different inputs to an equal output of a hash function. Previous collision attacks were only able to detect collisions at the output of a particular function. In this publication we introduce a new class of attacks which originates from Hans Dobbertin and is based on the fact that side channel analysis can be used to detect internal collisions. We applied our attack against the widely used Data Encryption Standard (DES). We exploit the fact that internal collisions can be caused in three adjacent S-Boxes of DES [DDQ84] in order to gain information about the secret key-bits. As a result, we were able to exploit an internal collision with a minimum of 140 encryptions yielding 10.2 key-bits. Moreover, we successfully applied the attack to a smart card processor.

How Secure Are FPGAs in Cryptographic Applications?

Lecture Notes in Computer Science, 2003

The use of FPGAs for cryptographic applications is highly attractive for a variety of reasons but at the same time there are many open issues related to the general security of FPGAs. This contribution attempts to provide a state-of-the-art description of this topic. First, the advantages of reconfigurable hardware for cryptographic applications are discussed from a systems perspective. Second, potential security problems of FPGAs are described in detail, followed by a proposal of some countermeasures. Third, a list of open research problems is provided. Even though there have been many contributions dealing with the algorithmic aspects of cryptographic schemes implemented on FPGAs, this contribution appears to be the first comprehensive treatment of system and security aspects.

Optimal tower fields for hyperelliptic curve cryptosystems

Conference Record of the Thirty-Eighth Asilomar Conference on Signals, Systems and Computers, 2004

... The authors in [22], [19], [20] provided results of relevant implementations on the ARM microprocessor for genus-2, genus-3, and genus-4 curves, respectively. ... IV. THE ARM MICROPROCESSOR The presented implementation of HECC especially targets embedded ...

E-passport: Cracking basic access control keys with COPACOBANA

Since the introduction of the Machine Readable Travel Document (MRTD) that is also known as e-passport for human identification at border control, debates have been raised about security and privacy concerns. In this paper, we present the first hardware implementation for cracking Basic Access Control (BAC) keys of the e-passport issuing schemes in Germany and the

Reconfigurable trusted computing in hardware

Proceedings of the 2007 ACM workshop on Scalable trusted computing - STC '07, 2007

Trusted Computing (TC) is an emerging technology towards building trustworthy computing platforms. The Trusted Computing Group (TCG) has proposed several specifications to implement TC functionalities by extensions to common computing platforms, particularly the underlying hardware with a Trusted Platform Module (TPM).

Efficient Hash Collision Search Strategies on Special-Purpose Hardware

Lecture Notes in Computer Science, 2008

Hash functions play an important role in various cryptographic applications. Modern cryptography relies on a few but supposedly well analyzed hash functions which are mostly members of the so-called MD4-family. This work shows whether it is possible, using special-purpose hardware, to significantly speed up collision search for MD4-family hash functions. A thorough analysis of the computational requirements for MD4-family hash functions and corresponding collision attacks reveals that a microprocessor based architecture is best suited for the implementation of collision search algorithms. Consequently, we designed and implemented a (concerning MD4-family hash functions) general-purpose microprocessor with minimal area requirements and, based on this, a full collision search unit. Comparing the performance characteristics of both ASICs with standard PC processors and clusters, it turns out that our design, massively parallelized, is nearly four times more cost-efficient than parallelized standard PCs. With further optimizations, we believe that this factor can even be improved.

Hyperelliptic Curve Cryptosystems: Closing the Performance Gap to Elliptic Curves

Lecture Notes in Computer Science, 2003

For most of the time since they were proposed, it was widely believed that hyperelliptic curve cryptosystems (HECC) carry a substantial performance penalty compared to elliptic curve cryptosystems (ECC) and are, thus, not too attractive for practical applications. Only ...

Finding optimum parallel coprocessor design for genus 2 hyperelliptic curve cryptosystems

International Conference on Information Technology: Coding and Computing, 2004. Proceedings. ITCC 2004

Hardware accelerators are often used in cryptographic applications for speeding up the highly arithmetic-intensive public-key primitives, e.g. in high-end smart cards. One of these emerging and very promising public-key schemes is based on HyperElliptic Curve Cryptosystems (HECC). In the open literature only a few considerations deal with hardware implementation issues of HECC.

HGI members receive "Best Paper Award" at the Conference on Communications and Multimedia Security in Salzburg

Efficient GF(p^m) Arithmetic Architectures for Cryptographic Applications

Lecture Notes in Computer Science, 2003

Recently, there has been a lot of interest on cryptographic applications based on fields GF(p^m), for p > 2. This contribution presents GF(p^m) multiplier architectures, where p is odd. We present designs which trade area for performance based on the number of ...

Optimal Extension Fields (OEFs)

Encyclopedia of Cryptography and Security, 2005

Hash Functions and RFID Tags: Mind the Gap

Lecture Notes in Computer Science, 2008

... is more in-line with the second approach—seeing what we can do with what we have—though we hope it will be ...

Evaluating Resistance of MCML Technology to Power Analysis Attacks Using a Simulation-Based Methodology

Lecture Notes in Computer Science, 2009

This paper explores the resistance of MOS Current Mode Logic (MCML) against attacks based on the observation of the power consumption. Circuits implemented in MCML, in fact, have unique characteristics both in terms of power consumption and the dependency of ...

Inversion in Finite Fields and Rings

Encyclopedia of Cryptography and Security, 2011
