4,838 research outputs found
MILP-aided Cryptanalysis of the FUTURE Block Cipher
FUTURE is a recently proposed, lightweight block cipher. It has an AES-like, SP-based, 10-round encryption function, where, unlike most other lightweight constructions, the diffusion layer is based on an MDS matrix. Despite its relative complexity, it has a remarkable hardware performance due to careful design decisions.
In this paper, we conducted a MILP-based analysis of the cipher, where we incorporated exact probabilities rather than just the number of active S-boxes into the model. Through the MILP analysis, we were able to find differential and linear distinguishers for up to 5 rounds of FUTURE, extending the known distinguishers of the cipher by one round
Revisiting LFSMs
Linear Finite State Machines (LFSMs) are particular primitives widely used in
information theory, coding theory and cryptography. Among those linear
automata, a particular case of study is Linear Feedback Shift Registers (LFSRs)
used in many cryptographic applications such as design of stream ciphers or
pseudo-random generation. LFSRs could be seen as particular LFSMs without
inputs.
In this paper, we first recall the description of LFSMs using traditional
matrices representation. Then, we introduce a new matrices representation with
polynomial fractional coefficients. This new representation leads to sparse
representations and implementations. As direct applications, we focus our work
on the Windmill LFSRs case, used for example in the E0 stream cipher and on
other general applications that use this new representation.
In a second part, a new design criterion called diffusion delay for LFSRs is
introduced and well compared with existing related notions. This criterion
represents the diffusion capacity of an LFSR. Thus, using the matrices
representation, we present a new algorithm to randomly pick LFSRs with good
properties (including the new one) and sparse descriptions dedicated to
hardware and software designs. We present some examples of LFSRs generated
using our algorithm to show the relevance of our approach.Comment: Submitted to IEEE-I
On the Design of Secure and Fast Double Block Length Hash Functions
In this work the security of the rate-1 double block length hash functions, which based on a block cipher with a block length of n-bit and a key length of 2n-bit, is reconsidered.
Counter-examples and new attacks are presented on this general class of double block length hash functions with rate 1, which disclose uncovered flaws in the necessary conditions given by Satoh et al. and Hirose. Preimage and second preimage attacks are presented on Hirose's two examples which were left as an open problem. Therefore, although all the rate-1 hash functions in this general class are failed to be optimally (second) preimage resistant, the necessary conditions are refined for ensuring this general class of the rate-1 hash functions to be optimally secure against the collision attack. In particular, two typical examples, which designed under the refined conditions, are proven to be indifferentiable from the random oracle in the ideal cipher model. The security results are extended to a new class of double block length hash functions with rate 1, where one block cipher used in
the compression function has the key length is equal to the block length, while the other is doubled
MV3: A new word based stream cipher using rapid mixing and revolving buffers
MV3 is a new word based stream cipher for encrypting long streams of data. A
direct adaptation of a byte based cipher such as RC4 into a 32- or 64-bit word
version will obviously need vast amounts of memory. This scaling issue
necessitates a look for new components and principles, as well as mathematical
analysis to justify their use. Our approach, like RC4's, is based on rapidly
mixing random walks on directed graphs (that is, walks which reach a random
state quickly, from any starting point). We begin with some well understood
walks, and then introduce nonlinearity in their steps in order to improve
security and show long term statistical correlations are negligible. To
minimize the short term correlations, as well as to deter attacks using
equations involving successive outputs, we provide a method for sequencing the
outputs derived from the walk using three revolving buffers. The cipher is fast
-- it runs at a speed of less than 5 cycles per byte on a Pentium IV processor.
A word based cipher needs to output more bits per step, which exposes more
correlations for attacks. Moreover we seek simplicity of construction and
transparent analysis. To meet these requirements, we use a larger state and
claim security corresponding to only a fraction of it. Our design is for an
adequately secure word-based cipher; our very preliminary estimate puts the
security close to exhaustive search for keys of size < 256 bits.Comment: 27 pages, shortened version will appear in "Topics in Cryptology -
CT-RSA 2007
Best Effort and Practice Activation Codes
Activation Codes are used in many different digital services and known by
many different names including voucher, e-coupon and discount code. In this
paper we focus on a specific class of ACs that are short, human-readable,
fixed-length and represent value. Even though this class of codes is
extensively used there are no general guidelines for the design of Activation
Code schemes. We discuss different methods that are used in practice and
propose BEPAC, a new Activation Code scheme that provides both authenticity and
confidentiality. The small message space of activation codes introduces some
problems that are illustrated by an adaptive chosen-plaintext attack (CPA-2) on
a general 3-round Feis- tel network of size 2^(2n) . This attack recovers the
complete permutation from at most 2^(n+2) plaintext-ciphertext pairs. For this
reason, BEPAC is designed in such a way that authenticity and confidentiality
are in- dependent properties, i.e. loss of confidentiality does not imply loss
of authenticity.Comment: 15 pages, 3 figures, TrustBus 201
Transparent code authentication at the processor level
The authors present a lightweight authentication mechanism that verifies the authenticity of code and thereby addresses the virus and malicious code problems at the hardware level eliminating the need for trusted extensions in the operating system. The technique proposed tightly integrates the authentication mechanism into the processor core. The authentication latency is hidden behind the memory access latency, thereby allowing seamless on-the-fly authentication of instructions. In addition, the proposed authentication method supports seamless encryption of code (and static data). Consequently, while providing the software users with assurance for authenticity of programs executing on their hardware, the proposed technique also protects the software manufacturers’ intellectual property through encryption. The performance analysis shows that, under mild assumptions, the presented technique introduces negligible overhead for even moderate cache sizes
Design and validation of a platform for electromagnetic fault injection
Security is acknowledged as one of the main challenges in the design and deployment of embedded circuits. Devices need to operate on-the-field safely and correctly, even when at physical reach of potential adversaries. One of the most powerful techniques to compromise the correct functioning of a device are fault injection attacks. They enable an active adversary to trigger errors on a circuit in order to bypass security features or to gain knowledge of security-sensitive information. There are several methods to induce such errors. In this work we focus on the injection of faults through the electromagnetic (EM) channel. In particular, we document our efforts towards building a suitable platform for EM pulse injection. We design a pulse injection circuit that can provide currents over 20 A to an EM injector in order to generate abrupt variations of the EM field on the vicinity of a circuit. We validate the suitability of our platform by applying a well-know attack on an embedded 8-bit microcontroller implementing the AES block cipher. In particular, we show how to extract the AES secret cryptographic keys stored in the device by careful injection of faults during the encryption operations and simple analysis of the erroneous outputs.Peer ReviewedPostprint (published version
- …