5 research outputs found

    Distinguishing attacks on block ciphers by differentials of two-block texts

    An observation model is proposed (random two-block texts encrypted under independent random keys) in which differential distinguishing attacks fully correspond to the commonly accepted schemes for their statistical analysis. In this model, lower bounds and asymptotic estimates are obtained for the amount of data required by multi-differential distinguishing attacks. It is shown that data of volume $O(1/p_{\max})$ is insufficient for a successful attack when $p_{\max}$, the maximum differential transition probability, is small. Computational and statistical experiments were carried out for Markov models of the SmallPresent cipher with block lengths of up to 28 bits.

    The decoding failure probability of MDPC codes

    Moderate Density Parity Check (MDPC) codes are defined here as codes which have a parity-check matrix whose row weight is $O(\sqrt{n})$, where $n$ is the length of the code. They can be decoded like LDPC codes but they decode far fewer errors than LDPC codes: the number of errors they can decode in this case is of order $\Theta(\sqrt{n})$. Despite this fact they have proved very useful in cryptography for devising key exchange mechanisms. They have also been proposed in McEliece-type cryptosystems. However, in this case, the parameters that were proposed in [MTSB13] were broken in [GJS16]. This attack exploits the fact that the decoding failure probability is non-negligible. We show here that this attack can be thwarted by choosing the parameters in a more conservative way. We first show that such codes can decode, with a simple bit-flipping decoder, any pattern of $O\left(\frac{\sqrt{n} \log \log n}{\log n}\right)$ errors. This avoids the previous attack at the cost of significantly increasing the key size of the scheme. We then show that under a very reasonable assumption the decoding failure probability decays almost exponentially with the code length with just two iterations of bit-flipping. With an additional assumption it has even been proved that it decays exponentially with an unbounded number of iterations, and we show that in this case the increase of the key size which is required for resisting the attack of [GJS16] is only moderate.

    Accurate estimates of the data complexity and success probability for various cryptanalyses

    36 pages. International audience. Many attacks on encryption schemes rely on statistical considerations using plaintext/ciphertext pairs to find some information on the key. We provide here simple formulae for estimating the data complexity and the success probability which can be applied to a lot of different scenarios (differential cryptanalysis, linear cryptanalysis, truncated differential cryptanalysis, etc.). Our work does not rely here on the Gaussian approximation, which is not valid in every setting, but uses instead a simple and general approximation of the binomial distribution and asymptotic expansions of the beta distribution.

    Influence of the mapping on the recognition of a communication system

    The context of this thesis is the recognition of communication systems in a non-cooperative context. We are interested in the convolutional code reconstruction problem and in the constellation labeling reconstruction (the mapping used to associate a binary sequence to a modulated signal). We have defined a new statistical method for detecting whether a given binary sequence is a noisy convolutional codeword obtained from an unknown convolutional code. It consists in forming blocks of the sequence which are big enough to contain the support of a parity-check equation and counting the number of blocks which are equal. It gives the length of the convolutional code without knowledge of the constellation labeling. This method can also be used to reconstruct the dual of a convolutional code when the constellation labeling is known. Moreover, we propose a constellation labeling recognition algorithm using some equivalence classes. Two types of classes are defined: linear and affine. We observe a noisy signal which is partially demodulated (with a default labeling) and assume that the data are coded by a convolutional encoder. Thus we use the reconstruction of a code as a test and run through the classes which reveal a code structure. This classification improves the complexity of the search for small constellations (4-PSK and 8-PSK). In the case of 16-QAM to 256-QAM constellations we apply the algorithm to Gray or quasi-Gray labelings. The algorithm does not give a unique result, but it allows one to find a small set of possible constellation labelings from noisy data.
    PARIS-JUSSIEU-Bib.électronique (751059901) / Sudoc