Most of the work in the formal analysis of
cryptographic schemes has traditionally concentrated on abstract
adversarial models that do not capture side-channel attacks. Such
attacks exploit various forms of unintended information leakage,
which is inherent to almost all physical implementations. In light
of the prevalence of such attacks there have been several attempts to
model them and suggest schemes that are
resistant to some of these attacks.

I will describe recent developments in the area, especially those
inspired by the "cold boot attacks" of Halderman et al. (USENIX
Security 2008) and the model suggested by Akavia, Goldwasser and
Vaikuntanathan (TCC '09) in which adversarially chosen functions of
the secret key are leaked to the attacker. In particular I will show
a new simple construction of a public-key cryptosystem resistant to
leakage of almost all the key.

I will also discuss directions for future research.

Joint work with Gil Segev.

13.30

Prof. Amir Herzberg,
Bar-Ilan University

Degradation Attacks on Secure Channels

We present
and analyse degradation DoS attacks on secure channels, disrupting
communication over secure VPNs using IPsec. We also present the
first analysis of IPsec's anti-replay mechanism, showing its
important role in defending against DoS attacks and analyzing its
required size; however, we also present attacks that work for any
size of IPsec's anti-replay window. Finally we present two different
solutions designed to provide a secure channel immune to degradation
and other DoS attacks; one solution involves changes in the sending
host, while the other solution involves changes (only) to the two
gateway machines running IPsec.

In addition to its practical importance, our results also raise the
challenge of formally defining secure channels immune to DoS and
degradation attacks, and providing provably-secure implementations.
In particular, an open challenge is to find degradation or other DoS
attacks against TCP communication over either of our (improved)
secure channels.

Joint work
with Haya Shulman, Bar Ilan University
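The anti-replay window the abstract refers to is the sliding bitmap of RFC 4303 (ESP), Appendix A. The following is an added simulation of that mechanism, not code from the talk or its authors; it models every packet as already authenticated (in real ESP the window is consulted before the integrity check and updated only after it passes) and uses a constructed arrival order in which one legitimate packet is delayed. It shows why the window size matters: the same delayed packet is dropped by a 32-entry window and accepted by a 64-entry one, while a true replay is rejected by both.

```python
class AntiReplayWindow:
    """Sliding-window replay check modelled on RFC 4303 Appendix A.

    `last` is the highest sequence number accepted so far; bit i of
    `bitmap` is set when sequence number (last - i) has been seen.
    Simplification (assumption of this example): every packet handed to
    check_and_update() is assumed to have passed integrity verification.
    """

    def __init__(self, size=64):
        if size < 32 or size % 32:
            raise ValueError("window size must be a multiple of 32, >= 32")
        self.size = size
        self.last = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return (accepted, reason) and update the window on acceptance."""
        if seq == 0:
            return False, "seq 0 never valid"
        if seq > self.last:
            # Packet is ahead of everything seen: slide the window up.
            shift = seq - self.last
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1          # jumped past the whole window
            self.last = seq
            return True, "advanced window"
        diff = self.last - seq
        if diff >= self.size:
            # Legitimate but late packets land here too: silently dropped.
            return False, "below window (too old)"
        if (self.bitmap >> diff) & 1:
            return False, "replay"
        self.bitmap |= 1 << diff
        return True, "in window"


def simulate(size, arrivals):
    """Feed a sequence of (authenticated) sequence numbers through a window."""
    window = AntiReplayWindow(size)
    return [(seq,) + window.check_and_update(seq) for seq in arrivals]


def dropped(size, arrivals):
    """Sequence numbers the receiver discards, in arrival order."""
    return [seq for seq, ok, _ in simulate(size, arrivals) if not ok]


# Constructed arrival order: packets 1..40 in order, except that packet 5
# is delayed until after 40; finally packet 40 is replayed.
ARRIVALS = [s for s in range(1, 41) if s != 5] + [5, 40]

if __name__ == "__main__":
    for size in (32, 64):
        print(f"window {size}: dropped {dropped(size, ARRIVALS)}")
```

With a 32-entry window the delayed packet 5 arrives 35 positions behind the newest accepted number and is discarded as "too old" even though it is genuine; a 64-entry window still has a slot for it. The replayed 40 is rejected at either size, which is the property the window exists to provide.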

13.50

Prof. Tal Mor, The Technion

When classical Bob meets quantum Alice or vice versa

Most cryptographers agree that the only way for two parties to transmit sensitive information completely securely is to use quantum cryptography to share the key they use to encrypt the information. A key created that way can then be used to transmit secure messages such that their security is also unaffected in the future.

We show that the same degree of security is probably possible even if one party (the receiver, Bob) remains firmly rooted in the world of classical physics. Once classical Bob communicates with quantum Alice not just in theory but also in practice, we may have simpler and cheaper secure cryptographic systems.

15.10

Dr. Benny Pinkas,
University of Haifa

Implementing Secure
Multi-Party Computation

Secure
computation is one of the great achievements of modern cryptography,
enabling a set of untrusting parties to compute any function of
their private inputs while revealing nothing but the result of the
function.

We will describe in this talk two recent advances in the
implementation of secure computation. The first is a system for
secure two-party computation which has fully-simulatable security
against malicious adversaries. Experiments with this system reveal
interesting results about the overhead of different parts of the
computation, and about the efficiency of using components which are
secure in the standard model.

We also present FairplayMP (for "Fairplay Multi-Party"), a system
for multi-party computation secure against semi-honest adversaries.
The underlying protocol of FairplayMP is the Beaver-Micali-Rogaway
(BMR) protocol, which is modified and combined with the
Ben-Or-Goldwasser-Wigderson protocol in order to improve its
efficiency. This protocol was chosen since it runs in a constant
number of communication rounds. We also report on different
experiments which measure the effect of different parameters on the
performance of the system and demonstrate its scalability.

16.00

Yaniv Carmeli,
The Technion

Bug Attacks

In this talk a new kind of
cryptanalytic attack will be presented. The new attack utilizes bugs
in the hardware implementation of computer instructions. The best
known example of a hardware bug is probably the Intel division bug,
which resulted in slightly inaccurate results for extremely rare
inputs. While in most applications such bugs can be viewed as a
minor nuisance, we show that when cryptographic computations are
performed on such buggy hardware, the result can be a full leakage
of the secret key.

The talk will focus on bugs in the multiplication instruction, and
describe attacks on RSA (even when protected by OAEP), and the
Pohlig-Hellman cryptosystem. We will show that decrypting
ciphertexts on any computer which multiplies even one pair of
numbers incorrectly can lead to full leakage of the secret key,
sometimes with a single well-chosen ciphertext.

Finally, we describe countermeasures against bug attacks.
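The following is an added simulation of the key-leakage mechanism the abstract describes, not the talk's own construction. It assumes a hypothetical multiplier that returns a wrong product for exactly one operand pair (the square of the constant BUG_A; a stand-in for a word-level bug in a real multiplier), toy primes P and Q (constructed; real keys are 2048-bit), and textbook RSA-CRT decryption whose raw output the attacker can read. The triggering ciphertext is built here using P, which a real attacker does not know; choosing such ciphertexts without the factorisation is the talk's subject and is not reproduced here. What the code does show faithfully is the recovery step: once the bug fires in one CRT branch only, gcd(m'^e - c, N) over the public key and the faulty plaintext yields a prime factor, after which the full private exponent follows.

```python
import math

# Constructed toy key. Real keys are 2048-bit; the mechanism is identical.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)      # CRT exponents
QINV = pow(Q, -1, P)                   # Q^-1 mod P for Garner recombination

# Hypothetical hardware defect (assumption of this example): the product of
# BUG_A with itself comes back with its low bit flipped. Every other product
# is exact, i.e. "slightly inaccurate results for extremely rare inputs".
BUG_A = 424242


def mul(x, y, buggy=True):
    """Hardware multiply: correct except for the single defective pair."""
    prod = x * y
    if buggy and x == BUG_A and y == BUG_A:
        return prod ^ 1
    return prod


def modexp(base, exp, mod, buggy=True):
    """Left-to-right square-and-multiply; every product goes through mul()."""
    base %= mod
    result = base
    for bit in bin(exp)[3:]:            # skip '0b' and the leading 1-bit
        result = mul(result, result, buggy) % mod
        if bit == "1":
            result = mul(result, base, buggy) % mod
    return result


def crt_decrypt(c, buggy=True):
    """Standard RSA-CRT decryption on the (possibly buggy) multiplier."""
    mp = modexp(c, DP, P, buggy)
    mq = modexp(c, DQ, Q, buggy)
    h = (QINV * (mp - mq)) % P
    return mq + h * Q


def crafted_ciphertext():
    """Ciphertext with c = BUG_A (mod P) and c = 2 (mod Q): the very first
    squaring of the P-branch hits the defective pair, the Q-branch does not.
    Uses P, so this step is NOT what a real attacker can do; see lead-in."""
    h = (QINV * (BUG_A - 2)) % P
    return 2 + h * Q


def recover_factor(c, m_faulty):
    """Attacker side: needs only (N, E), the ciphertext and the returned
    plaintext. A single-branch fault leaves m_faulty correct modulo one
    prime only, so m_faulty^E - c is divisible by exactly that prime."""
    check = pow(m_faulty, E, N)
    if check == c:
        return None                    # decryption was correct: no leak
    g = math.gcd(check - c, N)
    return g if 1 < g < N else None


def attack():
    """Full key recovery from one decryption of the crafted ciphertext."""
    c = crafted_ciphertext()
    factor = recover_factor(c, crt_decrypt(c, buggy=True))
    if factor is None:
        return None
    p, q = sorted((factor, N // factor))
    d = pow(E, -1, (p - 1) * (q - 1))
    return p, q, d


if __name__ == "__main__":
    print("recovered (p, q, d):", attack())
```

The same crafted ciphertext decrypts correctly on a bug-free multiplier and `recover_factor` then returns nothing, which is why such a defect is invisible to ordinary use and why the countermeasure the abstract alludes to is typically to verify the decryption result (re-encrypt and compare) before releasing it.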