International Association for Cryptologic Research

CryptoDB

Kaisa Nyberg

Affiliation: Aalto University, Finland

Publications

Year  Venue      Title
2017  JOFC
2016  TOSC       Improved Parameter Estimates for Correlation and Capacity Deviates in Linear Cryptanalysis
  Authors: Céline Blondeau, Kaisa Nyberg
  Abstract: Statistical attacks form an important class of attacks against block ciphers. By analyzing the distribution of the statistics involved in the attack, cryptanalysts aim at providing a good estimate of the data complexity of the attack. Recently multiple papers have drawn attention to how to improve the accuracy of the estimated success probability of linear key-recovery attacks. In particular, the effect of the key on the distribution of the sample correlation and capacity has been investigated and new statistical models developed. The major problem that remains open is how to obtain accurate estimates of the mean and variance of the correlation and capacity. In this paper, we start by presenting a solution for a linear approximation which has a linear hull comprising a number of strong linear characteristics. Then we generalize this approach to multiple and multidimensional linear cryptanalysis and derive estimates of the variance of the test statistic. Our simplest estimate can be computed given the number of the strong linear approximations involved in the offline analysis and the resulting estimate of the capacity. The results tested experimentally on SMALLPRESENT-[4] show the accuracy of the estimated variance is significantly improved. As an application we give more realistic estimates of the success probability of the multidimensional linear attack of Cho on 26 rounds of PRESENT.
2015  JOFC
2015  EPRINT
2015  EPRINT
2015  EPRINT
2015  CRYPTO
2014  EUROCRYPT
2014  FSE
2013  EUROCRYPT
2013  FSE
2012  ASIACRYPT
2012  FSE
2009  FSE
2006  FSE
2005  EPRINT     Efficient Mutual Data Authentication Using Manually Authenticated Strings
  Authors: Sven Laur, N. Asokan, Kaisa Nyberg
  Abstract: Solutions for an easy and secure setup of a wireless connection between two devices are urgently needed for WLAN, Wireless USB, Bluetooth and similar standards for short range wireless communication. In this paper we analyse the SAS protocol by Vaudenay and propose a new three round protocol MA-3 for mutual data authentication based on a cryptographic commitment scheme and short manually authenticated out-of-band messages. We show that non-malleability of the commitment scheme is essential for the security of the SAS and the MA-3 schemes and that extractability or equivocability do not imply non-malleability. We also give new proofs of security for the SAS and MA-3 protocols and suggestions on how to instantiate the MA-3 protocol in practice.
2002  EPRINT     Man-in-the-Middle in Tunnelled Authentication Protocols
  Authors: N. Asokan, Valtteri Niemi, Kaisa Nyberg
  Abstract: Recently new protocols have been proposed in IETF for protecting remote client authentication protocols by running them within a secure tunnel. Examples of such protocols are PIC, PEAP and EAP-TTLS. One goal of these new protocols is to enable the migration from legacy client authentication protocols to more secure protocols, e.g., from plain EAP type to, say, PEAP. In the new drafts, the security of the subsequent session credentials is based only on keys derived during the unilateral authentication where the network server is authenticated to the client. Client authentication is mentioned as an option in PEAP and EAP-TTLS, but is not mandated. Naturally, the PIC protocol does not even offer this option, because the goal of PIC is to obtain credentials that can be used for client authentication. In addition to running the authentication protocols within such a tunnel it should also be possible to use them in legacy mode without any tunnelling so as to leverage the legacy advantages such as widespread use. In this paper we show that in practical situations, such a mixed mode usage opens up the possibility to run a man-in-the-middle attack for impersonating the legitimate client. For those well-designed client authentication protocols that already have a sufficient level of security, the use of tunnelling in the proposed form is a step backwards because it introduces a new vulnerability. The problem is due to the fact that the legacy client authentication protocol is not aware if it is run in protected or unprotected mode. We propose to solve the discovered problem by using a cryptographic binding between the client authentication protocol and the protection protocol.
1996  ASIACRYPT
1996  FSE
1995  JOFC
1994  EUROCRYPT
1994  EUROCRYPT
1994  FSE
1993  EUROCRYPT
1993  FSE
1992  CRYPTO
1992  EUROCRYPT
1991  EUROCRYPT
1990  EUROCRYPT

Program Committees

FSE 2020
FSE 2019
FSE 2018
Crypto 2016
Eurocrypt 2015
Asiacrypt 2013
Crypto 2012
Eurocrypt 2012
FSE 2011
Asiacrypt 2010
FSE 2010
Asiacrypt 2009
FSE 2009
FSE 2008
Asiacrypt 2008
FSE 2007
Eurocrypt 2006
Asiacrypt 2006
FSE 2006
Eurocrypt 2005
PKC 2005
FSE 2005
FSE 2004
FSE 2003
Eurocrypt 2002
FSE 2002
FSE 2001
Eurocrypt 2001
Eurocrypt 2000
Eurocrypt 1998
Eurocrypt 1997
Asiacrypt 1996