RISC Seminars (Research on Information Security and Cryptology)

RISC Seminar
Date: May 13
Location: CWI, Room M279
Schedule:
13:15-14:00 Berry Schoenmakers (TU Eindhoven):
On second order differential power analysis in the Hamming weight model
Abstract: Differential Power Analysis (DPA) is a powerful cryptanalytic technique aiming at extracting secret data from a cryptographic device by collecting power consumption traces and averaging over a series of acquisitions. In order to prevent the leakage, hardware designers and software programmers make use of masking techniques (a.k.a. data whitening methods). However, the resulting implementations may still succumb to second-order DPA. Several recent papers studied second-order DPA but, although the conclusions that are drawn are correct, the analysis is not.
This work fills the gap by providing an exact analysis of second-order DPA (in the Hamming weight model) as introduced by Messerges. We also consider several generalizations, including an extended analysis in the more general Hamming-distance model.
Joint work with Marc Joye and Pascal Paillier (both of Gemplus). To appear at CHES'05.
14:00-14:15 Break
14:15-15:00 Robbert de Haan (CWI):
Hierarchical threshold secret sharing
Abstract: Recently, Tassa has proposed a scheme for hierarchical threshold secret sharing. In this scheme, the participants are divided into different hierarchical levels and given shares such that a certain number of higher level participants is always required for the recovery of the secret. An example of this would be the situation where three bank employees can open the vault, provided that at least one of them is a bank manager. Tassa's scheme, which is based on Birkhoff interpolation, is a perfect scheme, in the sense that each subset of the players that is not allowed to reconstruct the secret can obtain no information about it. Furthermore, it is an ideal scheme, which means that every player gets a share that is of the same size as the secret. In this talk we give an overview of this result.
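The vault scenario above, as an added example that is not the speaker's or Tassa's own code: a small hierarchical threshold instance built on Birkhoff interpolation over a prime field, where the single polynomial's value goes to managers and its derivative to employees. Assumed: the field modulus, the participant identities, and the two-level hierarchy "three participants, at least one a manager".

```python
# Added example (not from the talk or Tassa's paper): a small hierarchical threshold
# scheme using Birkhoff interpolation over a prime field. Assumed hierarchy from the
# vault scenario: level 0 = managers (at least 1 needed), level 1 = employees,
# 3 participants in total. With P(x) = a0 + a1*x + a2*x^2 and secret a0,
# managers receive P(x) and employees receive the derivative P'(x).
import random

P_MOD = 2**61 - 1   # assumed field modulus (a Mersenne prime)
K = 3               # total threshold: three participants must cooperate

def deal(secret, managers, employees):
    """Return {participant_id: (level, share)}; ids are distinct non-zero field elements."""
    a1, a2 = random.randrange(P_MOD), random.randrange(P_MOD)
    shares = {}
    for x in managers:      # level 0 share: P(x) = a0 + a1*x + a2*x^2
        shares[x] = (0, (secret + a1 * x + a2 * x * x) % P_MOD)
    for x in employees:     # level 1 share: P'(x) = a1 + 2*a2*x (independent of a0)
        shares[x] = (1, (a1 + 2 * a2 * x) % P_MOD)
    return shares

def reconstruct(subset):
    """Solve the Birkhoff system for a0 from exactly K shares; None if singular.
    With no manager the first column is all zero (no share mentions a0), so the
    set is rejected and, as the talk says, it learns nothing about the secret."""
    if len(subset) != K:
        return None
    rows = []
    for x, (level, v) in subset.items():
        coef = [1, x, x * x] if level == 0 else [0, 1, 2 * x]
        rows.append([c % P_MOD for c in coef] + [v])
    for col in range(K):                        # Gauss-Jordan elimination mod P_MOD
        piv = next((r for r in range(col, K) if rows[r][col]), None)
        if piv is None:
            return None                         # singular: not an authorized set
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, P_MOD)
        rows[col] = [c * inv % P_MOD for c in rows[col]]
        for r in range(K):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(a - f * b) % P_MOD for a, b in zip(rows[r], rows[col])]
    return rows[0][K]                           # a0 = P(0), the recovered secret

if __name__ == "__main__":
    shares = deal(12345, managers=[1, 2], employees=[3, 4, 5])
    print(reconstruct({i: shares[i] for i in (1, 3, 4)}))   # manager + 2 employees
    print(reconstruct({i: shares[i] for i in (3, 4, 5)}))   # employees only: None
```

For two managers and one employee the Birkhoff matrix is singular exactly when the employee's identity is the midpoint of the two managers' identities, so identities must be assigned to avoid such coincidences; this non-singularity question is what the Birkhoff-interpolation analysis has to settle in general.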
15:00-15:15 Break
15:15-16:00 David Galindo (Radboud Universiteit Nijmegen):
Boneh-Franklin identity based encryption revisited
Abstract: The first practical identity based encryption (IBE) scheme was proposed by Boneh and Franklin. In this work we point out that there is a flawed step in the security reduction exhibited by the authors. Fortunately, it is possible to fix it without changing either the scheme or the underlying assumption. In the second place, we introduce a variant of the seminal IBE scheme which allows a more efficient security reduction. The new scheme is simpler, and has more compact ciphertexts than Boneh-Franklin's proposal, while keeping the computational cost. Finally, we observe that the flawed step pointed out here is present in several works, and that our techniques can be applied to obtain tighter reductions for previous relevant schemes.