
    Constructing TI-Friendly Substitution Boxes Using Shift-Invariant Permutations

    The threat posed by side channels requires ciphers that can be efficiently protected in both software and hardware against such attacks. In this paper, we propose a novel Sbox construction based on iterations of shift-invariant quadratic permutations and linear diffusions. Owing to the selected quadratic permutations, all of our Sboxes enable uniform 3-share threshold implementations, which provide first-order SCA protection without any fresh randomness. More importantly, because of the shift-invariant property, there are ample implementation trade-offs available, in software as well as hardware. We provide implementation results (software and hardware) for a four-bit and an eight-bit Sbox, which confirm that our constructions are competitive and can be easily adapted to various platforms as claimed. We have successfully verified their resistance to first-order attacks based on real acquisitions. Because there are very few studies focusing on software-based threshold implementations, our software implementations might be of independent interest in this regard.

    Cryptanalysis of Selected Block Ciphers


    Design of Efficient Symmetric-Key Cryptographic Algorithms

    University of Hyogo Graduate School, 202

    Lightweight Authenticated Encryption Mode Suitable for Threshold Implementation

    This paper proposes tweakable block cipher (TBC) based modes PFB_Plus and PFBω that are efficient in threshold implementations (TI). Let t be the algebraic degree of a target function, e.g. t = 1 (resp. t > 1) for a linear (resp. non-linear) function. The d-th order TI encodes the internal state into dt + 1 shares. Hence, the area size increases proportionally to the number of shares. This implies that TBC based modes can be smaller than block cipher (BC) based modes in TI because a TBC requires an s-bit block to ensure s-bit security, e.g. PFB and Romulus, while a BC requires a 2s-bit block. However, even with those TBC based modes, the minimum we can reach is 3 shares of an s-bit state with t = 2 and the first-order TI (d = 1). Our first design PFB_Plus aims to break the barrier of the 3s-bit state in TI. The block size of the underlying TBC is s/2 bits and the output of the TBC is linearly expanded to s bits. This expanded state requires only 2 shares in the first-order TI, which makes the total state size 2.5s bits. We also provide a rigorous security proof of PFB_Plus. Our second design PFBω further increases a parameter ω: the ratio of the security level s to the block size of the underlying TBC. We prove the security of PFBω for any ω under some assumptions on the underlying TBC and on the parameters used to update the state. Next, we show a concrete instantiation of PFB_Plus for 128-bit security. It requires a TBC with a 64-bit block, 128-bit key and 128-bit tweak, which no existing TBC supports. We design a new TBC by extending SKINNY and provide a basic security evaluation. Finally, we give hardware benchmarks of PFB_Plus in the first-order TI to show that the TI of PFB_Plus is smaller than that of PFB by more than one thousand gates and is the smallest among the schemes with 128-bit security.

    From Substitution Box To Threshold

    With the escalating demand for lightweight ciphers as well as side-channel protected implementations of those ciphers in recent times, this work focuses on two aspects. First, we present a tool for automating the task of finding a Threshold Implementation (TI) of a given Substitution Box (SBox). Our tool returns 'with decomposition' and 'without decomposition' based TI. The 'with decomposition' based implementation returns a combinational SBox, whereas we get a sequential SBox from the 'without decomposition' based implementation. Despite being high in demand, it appears that this kind of tool has been missing so far. Second, we show an algorithmic approach where a given cipher implementation can be tweaked (without altering the cipher specification) so that its TI cost can be significantly reduced. We take the PRESENT cipher as our case study (our methodology can be applied to other ciphers as well). Indeed, we show over 31 percent reduction in area and over 52 percent reduction in depth compared to the basic threshold implementation.

    Scaling Up Automated Verification: A Case Study and a Formalization IDE for Building High Integrity Software

    Component-based software verification is a difficult challenge because developers must specify components formally and annotate implementations with suitable assertions that are amenable to automation. This research investigates the intrinsic complexity in this challenge using a component-based case study. Simultaneously, this work also seeks to minimize the extrinsic complexities of this challenge through the development and usage of a formalization integrated development environment (F-IDE) built for specifying, developing, and using verified reusable software components. The first contribution is an F-IDE built to support formal specification and automated verification of object-based software for the integrated specification and programming language RESOLVE. The F-IDE is novel, as it integrates a verifying compiler with a user-friendly interface that provides a number of amenities, including responsive editing for model-based mathematical contracts and code, assistance for design by contract, verification, responsive error handling, and generation of property-preserving Java code that can be run within the F-IDE. The second contribution is a case study built using the F-IDE that involves an interplay of multiple artifacts encompassing mathematical units, component interfaces, and realizations. The object-based interfaces involved are specified in terms of new mathematical models and non-trivial theories designed to encapsulate data structures and algorithms. The components are designed to be amenable to modular verification and analysis.

    Higher spin gravity

    This dissertation is dedicated to the quantum aspects of higher spin gravities (HSGRAs) and to their underlying algebraic structures. Higher-spin theories are governed by infinite-dimensional symmetries called higher-spin symmetries. Higher-spin symmetry should be powerful enough to leave no room for any relevant counterterms. Therefore, higher spin gravities have long been expected to be finite or at least renormalizable. This feature, once shown to be realized, makes higher-spin theories interesting toy models of Quantum Gravity. Remarkably, if the no-counterterm argument works, the problem of constructing a quantum consistent higher-spin theory downgrades to a problem of finding a consistent classical model of higher-spin gravity. One of the most interesting classes of HSGRAs is chiral HSGRA, which exists both in Minkowski and AdS spacetime. It is the only theory at present with propagating massless higher spin fields and a rather simple action. The theory is perturbatively local. The action of the chiral theory is known in the light-cone gauge and avoids all No-Go theorems that forbid the existence of higher-spin theories in flat space. We study in detail the structure of quantum corrections in the Minkowski Chiral HSGRA. We show that all tree-level amplitudes vanish, which is due to a nontrivial cancellation among all Feynman diagrams thanks to the specific form of the interactions (coupling conspiracy mechanism); we analyze in detail two-, three- and four-point one-loop amplitudes and show that they are UV-convergent. 
Using unitarity cuts we compute the complete one-loop n-point amplitude and show that it consists of three factors: (i) the all-plus helicity one-loop amplitude in QCD or SDYM; (ii) a certain kinematical higher spin dressing factor; (iii) a purely numerical factor of the total number of degrees of freedom. In the context of AdS/CFT, HSGRAs are conjectured to be dual to rather simple conformal field theories (CFTs): free and critical vector models (Type-A), free fermion and Gross-Neveu models (Type-B) and, more generally, Chern-Simons Matter theories. We study in detail vacuum one-loop corrections in various higher-spin theories in anti-de Sitter (AdS) spacetime. For the Type-A theory in AdS_{d+1} we prove the conjecture that the free energy vanishes for all integer spins and is equal to the sphere free energy of one free scalar field for all even spins. We extend this result to non-integer dimension and, in particular, reproduce the free energy correction to the 4 − ε Wilson-Fisher CFT as a one-loop effect in the Type-A theory on AdS_{5−ε}. We also compute the contribution of fermionic higher spin fields that are relevant for supersymmetric HSGRA. These are shown to match precisely with the prediction of the CFT. The contribution of certain mixed-symmetry fields that appear in Type-B HSGRA is also computed. The latter leads to a puzzle (in even spacetime dimension) that remains to be resolved. Free CFTs have infinite-dimensional global symmetries manifested in higher spin algebras. The holographic dual HSGRAs should, in principle, be completely determined by this higher spin symmetry. Therefore, to construct a higher-spin theory in AdS, the only initial data we need is a higher spin algebra extracted from its free CFT dual. In this thesis, we reconstruct the Type-A HSGRA in AdS5 at the level of formally consistent classical equations of motion (Formal HSGRA).

    Analyse et Conception d'Algorithmes de Chiffrement LĂ©gers

    The work presented in this thesis has been completed as part of the FUI Paclido project, whose aim is to provide new security protocols and algorithms for the Internet of Things, and more specifically wireless sensor networks. As a result, this thesis investigates so-called lightweight authenticated encryption algorithms, which are designed to fit into the limited resources of constrained environments. The first main contribution focuses on the design of a lightweight cipher called Lilliput-AE, which is based on the extended generalized Feistel network (EGFN) structure and was submitted to the Lightweight Cryptography (LWC) standardization project initiated by NIST (National Institute of Standards and Technology). Another part of the work concerns theoretical attacks against existing solutions, including some candidates of the NIST LWC standardization process. Therefore, some specific analyses of the Skinny and Spook algorithms are presented, along with a more general study of boomerang attacks against ciphers following a Feistel construction.

    Design and analysis of cryptographic algorithms
