[crypto] [tanja at hyperelliptic.org: Crypto Working Group, September 25th 2015]

R. Hirschfeld ray at unipay.nl
Sat Sep 19 01:11:09 CEST 2015


------- Start of forwarded message -------
Date: 18 Sep 2015 21:51:22 -0000
From: Tanja Lange <tanja at hyperelliptic.org>
Subject: Crypto Working Group, September 25th 2015


CRYPTO WORKING GROUP 
Friday, September 25th 2015
De Kargadoor (http://www.kargadoor.nl/utrecht/zaalverhuur.html)
Oudegracht 36, Utrecht

Program

10:45 - 11:30   Ko Stoffelen (RU Nijmegen),
		Intrinsic side-channel analysis resistance and efficient masking
		(Abstract below)

11:30 - 11:45   Coffee / tea break
11:45 - 12:30   Fabian van den Broek (RU Nijmegen),
		Defeating IMSI catchers
		(Abstract below)
12:30 - 14:00   Lunch break (lunch not included)

14:00 - 14:45   Ruben Niederhagen (TU/e),
		Breaking ECC2-113 - joy and pain of hardware design
		(Abstract below)

14:45 - 15:00   Coffee / tea break

15:00 - 15:45   Thijs Laarhoven (TU/e),
		Speeding up lattice sieving with nearest neighbor techniques
		(Abstract below)
Abstracts 

Fabian van den Broek
"Defeating IMSI catchers" 
Recently the FIOD (the Dutch financial fraud investigation division --
the Dutch IRS) requested to add the use of IMSI catchers to its
investigative capabilities. IMSI catchers can MitM your GSM
connection, but also gather the uniquely identifying number of your
SIM card: the IMSI. If you are worried because you commit financial
fraud, and until now thought to be safe from prosecution because you
always use pre-paid phones for your transactions, then let me ease
your worries by presenting you a novel method to hinder IMSI catching,
which can be deployed within the current mobile telephony setup and
only requires the cooperation of your telco provider!

Thijs Laarhoven (TU/e)
"Speeding up lattice sieving with nearest neighbor techniques"
Most lattice-based cryptographic primitives rely on the shortest
vector problem (SVP) on lattices being hard. To assess the
computational hardness of SVP and breaking these schemes, one commonly
relies on the estimated time complexity of enumeration for solving
SVP. In 2001 the breakthrough work of Ajtai et al.  showed that SVP
can actually be solved faster in high dimensions, using a technique
called sieving. Although this method seemed impractical at first,
various improvements have since shown that sieving may be competitive
with enumeration after all. In this talk we will look at recent
advances in sieving using techniques from the nearest neighbor
searching literature.


Ruben Niederhagen (TU/e)
"Breaking ECC2-113 - joy and pain of hardware design" 
In this talk I will describe our FPGA design for an attack on a
113-bit binary-field curve using Pollard's Rho algorithm including the
negation map, introduce some tools that helped us to program the
FPGAs, and discuss the performance of our design.


Ko Stoffelen (RU Nijmegen)
"Intrinsic side-channel analysis resistance and efficient masking"
Metrics such as the transparency order and the confusion coefficient
have been proposed to assess the intrinsic resistance to SCA attacks
of a given S-box at the design stage. We have compared the metrics
that have appeared in literature and applied them to the S-boxes used
in the CAESAR competition for new authenticated encryption
schemes. Although the most promising metrics are consistent in their
predictions and behave as expected under various circumstances, the
results are not reflected by CPA simulation results.  We then look at
cipher design strategies that reduce the costs of masking. We compute
the multiplicative complexity of the S-boxes by encoding the problem
in logic and feeding it to SAT solvers, and we provide implementations
with a provably minimum number of nonlinear operations, for which the
cost of masking is quadratic in the number of gates. We also compare
high-level operations used by the CAESAR candidates and show which
ciphers are expected to have the lowest masking costs and why.
------- End of forwarded message -------