
    Improved Side Channel Cube Attacks on PRESENT

    The paper presents several improved side channel cube attacks on PRESENT based on the single-bit leakage model. Compared with the previous study of Yang et al. at CANS 2009 [30], which uses the same model of a single bit leaking in the 3rd round, we show the following. If the PRESENT cipher structure is unknown, for leakage bit 0 a 32-bit key can be recovered with 2^{7.17} chosen plaintexts; if the cipher structure is known, for leakage bits 4, 8 and 12 a 48-bit key can be extracted with 2^{11.92} chosen plaintexts, fewer than the 2^{15} of [30]. We then extend the single-bit leakage model to the 4th round: based on a two-level "divide and conquer" analysis strategy, we propose a sliding-window side channel cube attack on PRESENT in which about 2^{15.14} chosen plaintexts for leakage bit 0 yield 60 key bits. To obtain more key bits, we propose an iterated side channel cube attack on PRESENT in which about 2^{8.15} further chosen plaintexts yield 12 extra equivalent key bits, so that about 2^{15.154} chosen plaintexts in total reduce the PRESENT-80 key search space to 2^{8}. Finally, we extend the attack to PRESENT-128: about 2^{15.156} chosen plaintexts extract 85 key bits and reduce the PRESENT-128 key search space to 2^{43}. Compared with the previous study of Abdul-Latip et al. at ASIACCS 2011 [31], which is based on the Hamming weight leakage model and extracts 64 key bits of PRESENT-80/128 with 2^{13} chosen plaintexts, our attacks extract more key bits and have certain advantages over [31].

    An Algebraic Approach to Nivat's Conjecture

    This thesis introduces a new, algebraic method to study multidimensional configurations, also sometimes called words, which have low pattern complexity. This is the setting of several open problems, most notably Nivat's conjecture, which is a generalization of the Morse-Hedlund theorem to two dimensions, and the periodic tiling problem of Lagarias and Wang. We represent configurations as formal power series over d variables, where d is the dimension. This allows us to study the ideal of polynomial annihilators of the series. In the two-dimensional case we give a detailed description of the ideal, which can be applied to obtain partial results on the aforementioned combinatorial problems. In particular, we show that configurations of low complexity can be decomposed into sums of periodic configurations. In the two-dimensional case, one such decomposition can be described in terms of the annihilator ideal. We apply this knowledge to obtain the main result of this thesis, an asymptotic version of Nivat's conjecture. We also prove Nivat's conjecture for configurations which are sums of two periodic ones, and as a corollary reprove the main result of Cyr and Kra from [CK15].

    Design and Cryptanalysis of Symmetric-Key Algorithms in Black and White-box Models

    Cryptography studies secure communications. In symmetric-key cryptography, the communicating parties share a secret key which allows both of them to encrypt and decrypt messages. The encryption schemes used are very efficient but have no rigorous security proof. In order to design a symmetric-key primitive, one has to ensure that the primitive is secure at least against known attacks. During 4 years of my doctoral studies at the University of Luxembourg under the supervision of Prof. Alex Biryukov, I studied symmetric-key cryptography and contributed to several of its topics. Part I is about structural and decomposition cryptanalysis. This type of cryptanalysis aims to exploit properties of the algorithmic structure of a cryptographic function. The first goal is to distinguish a function with a particular structure from random, structure-less functions. The second goal is to recover components of the structure in order to obtain a decomposition of the function. Decomposition attacks are also used to uncover secret structures of S-Boxes, cryptographic functions over small domains. In this part, I describe structural and decomposition cryptanalysis of the Feistel Network structure, decompositions of the S-Box used in the recent Russian cryptographic standard, and a decomposition of the only known APN permutation in even dimension. Part II is about invariant-based cryptanalysis. This method has recently become an active research topic, mainly because of recent extreme cryptographic designs which turned out to be vulnerable to it. In this part, I describe an invariant-based analysis of NORX, an authenticated cipher. Further, I present a theoretical study of linear layers that preserve low-degree invariants of the particular form used in the recent attacks on block ciphers. Part III is about white-box cryptography. In the white-box model, an adversary has full access to the cryptographic implementation, which in particular may contain a secret key. The possibility of creating implementations of symmetric-key primitives secure in this model is a long-standing open question. Such implementations have many applications in industry, in particular in mobile payment systems. In this part, I study the possibility of applying masking, a side-channel countermeasure, to protect white-box implementations. I describe several attacks on the direct application of masking and provide a provably secure countermeasure against a strong class of these attacks. Part IV is about the design of symmetric-key primitives. I contributed to the design of the block cipher family SPARX and to the design of a suite of cryptographic algorithms which includes the cryptographic permutation family SPARKLE, the cryptographic hash function family ESCH, and the authenticated encryption family SCHWAEMM. In this part, I describe the security analysis that I carried out for these designs.

    Lightweight symmetric cryptography

    The Internet of Things is one of the principal trends in information technology nowadays. The main idea behind this concept is that devices communicate autonomously with each other over the Internet. Some of these devices have extremely limited resources, such as power and energy, available time for computations, amount of silicon to produce the chip, computational power, etc. Classical cryptographic primitives are often infeasible for such constrained devices. The goal of lightweight cryptography is to introduce cryptographic solutions with reduced resource consumption but a sufficient security level. Although this research area has been of great interest to academia in recent years and a large number of proposals for lightweight cryptographic primitives have been introduced, almost none of them are used in the real world. Probably one of the reasons is that, for academia, lightweight usually meant designing cryptographic primitives that require minimal resources among all existing solutions. This exciting research problem became an important driver which allowed the academic community to better understand many cryptographic design concepts and to develop new attacks. However, this criterion does not seem to be the most important one for industry, where lightweight may be considered as "rightweight". In other words, a given cryptographic solution just has to fit the constraints of the specific use cases rather than be the smallest. Unfortunately, academic researchers tended to neglect vital properties of the particular types of devices to which they intended to apply their primitives. That is, solutions were often proposed in which the usage of some resources was reduced to a minimum, but this was achieved by introducing new costs that were not appropriately taken into account, or in such a way that the reduction of costs also led to a decrease in the security level. Hence, there is a clear gap between academia and industry in understanding what lightweight cryptography is. In this work, we try to fill some of these gaps. We carefully investigate a broad number of existing lightweight cryptographic primitives proposed by academia, including authentication protocols, stream ciphers, and block ciphers, and evaluate their applicability to real-world scenarios. We then look at how individual components of the design of the primitives influence their cost and summarize the steps to be taken into account when designing primitives for concrete cost optimization, more precisely for low energy consumption. Next, we propose new implementation techniques for existing designs, making them more efficient or smaller in hardware without the necessity to pay any additional costs. After that, we introduce a new stream cipher design philosophy which enables secure stream ciphers with a smaller area than ever before and, at the same time, considerably higher throughput compared to any other encryption scheme of similar hardware cost. To demonstrate the feasibility of our findings we propose two ciphers with the smallest area so far, namely Sprout and Plantlet, and the most energy efficient encryption scheme, called Trivium-2. Finally, this thesis solves a concrete industrial problem. Based on standardized cryptographic solutions, we design an end-to-end data-protection scheme for low power networks. This scheme was deployed on the water distribution network in the City of Antibes, France.

    Homological structure of optimal systems.


    Extensions of the cube attack based on low degree annihilators

    At Crypto 2008, Shamir introduced a new algebraic attack called the cube attack, which allows us to solve black-box polynomials if we are able to tweak the inputs by varying an initialization vector. In a stream cipher setting where the filter function is known, we can extend it to the cube attack with annihilators: by applying the cube attack to Boolean functions for which we can find low-degree multiples (equivalently, annihilators), the attack complexity can be improved. When the size of the filter function is smaller than the LFSR, we can improve the attack complexity further by considering a sliding-window version of the cube attack with annihilators. Finally, we extend the cube attack to vectorial Boolean functions by finding implicit relations with low-degree polynomials.
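    A worked cube attack on a constructed toy polynomial, added here to show the mechanics shared by the PRESENT side channel cube attacks above and the annihilator extensions in this abstract. It is example code, not taken from either paper: the polynomial toy_f, the 4-bit public and key sizes, and every function name are assumptions for illustration. Summing the black box over a cube (all assignments of a chosen subset of the public bits, with the other public bits fixed to 0) leaves the superpoly in the key bits. In the offline phase the attacker controls the key, keeps only cubes whose superpoly passes an affinity test, and reads off its coefficients; in the online phase the key is fixed and unknown, each kept cube gives one linear equation over GF(2), and the system is solved.

```python
"""Cube attack on a toy Boolean polynomial (added example; not code from either
paper). The attacker queries a black box f(x, k) over GF(2) with chosen public
bits x and fixed secret bits k. Summing f over all 2^|I| assignments of the cube
bits I (other public bits held at 0) gives the superpoly p_I(k); when p_I is
affine in k, one online cube sum yields one linear equation in the key."""
import itertools

N_PUB = 4  # public bits x0..x3 (IV / plaintext bits the attacker controls)
N_KEY = 4  # secret bits k0..k3


def toy_f(x, k):
    """Constructed stand-in for one leaking output bit (not PRESENT)."""
    return ((x[0] & x[1] & k[0]) ^ (x[0] & x[1] & x[2] & k[1]) ^ (x[1] & k[2])
            ^ (x[0] & x[2] & k[0] & k[1]) ^ (x[0] & x[1]) ^ (x[2] & x[3] & k[3])
            ^ (x[0] & x[2] & x[3] & k[2]) ^ (x[3] & k[1] & k[3]))


def bits(value, n):
    """Integer -> list of n bits, least significant first (bit i = variable i)."""
    return [(value >> i) & 1 for i in range(n)]


def cube_sum(oracle, cube, n_pub):
    """XOR of oracle(x) over every assignment of the cube bits; others are 0."""
    acc = 0
    for assignment in itertools.product((0, 1), repeat=len(cube)):
        x = [0] * n_pub
        for idx, b in zip(cube, assignment):
            x[idx] = b
        acc ^= oracle(x)
    return acc


def find_linear_superpolys(f, n_pub, n_key, max_size):
    """Offline phase (attacker chooses the key): return {cube: (coef_mask, const)}
    for every cube up to max_size whose superpoly is affine and involves key bits."""
    found = {}
    keys = range(1 << n_key)
    for size in range(1, max_size + 1):
        for cube in itertools.combinations(range(n_pub), size):
            p = {kv: cube_sum(lambda x: f(x, bits(kv, n_key)), cube, n_pub)
                 for kv in keys}
            # Affinity check p(a)^p(b)^p(0) == p(a^b). Exhaustive here because
            # the toy key is 4 bits; a real attack samples random (a, b) pairs.
            if any(p[a] ^ p[b] ^ p[0] != p[a ^ b] for a in keys for b in keys):
                continue  # non-linear superpoly: cube discarded
            const = p[0]
            coef = sum(1 << i for i in range(n_key) if p[1 << i] ^ const)
            if coef:  # a constant superpoly carries no key information
                found[cube] = (coef, const)
    return found


def solve_gf2(equations, n_vars):
    """Gaussian elimination over GF(2) on (mask, rhs) rows. Returns the unique
    solution as a bit list, or None when the system is underdetermined."""
    pivots = {}  # pivot column -> (mask, rhs), kept fully reduced
    for mask, rhs in equations:
        for col, (pm, pr) in pivots.items():
            if (mask >> col) & 1:
                mask, rhs = mask ^ pm, rhs ^ pr
        if mask == 0:
            if rhs:
                raise ValueError("inconsistent equations")
            continue
        col = (mask & -mask).bit_length() - 1
        for c, (pm, pr) in list(pivots.items()):
            if (pm >> col) & 1:
                pivots[c] = (pm ^ mask, pr ^ rhs)
        pivots[col] = (mask, rhs)
    if len(pivots) < n_vars:
        return None
    return [pivots[i][1] for i in range(n_vars)]


def recover_key(oracle, superpolys, n_pub, n_key):
    """Online phase: oracle(x) evaluates f under the unknown, fixed key."""
    equations = [(coef, cube_sum(oracle, cube, n_pub) ^ const)
                 for cube, (coef, const) in superpolys.items()]
    return solve_gf2(equations, n_key)


def attack(secret_key):
    """Run both phases against a secret key (bit list); return recovered bits."""
    superpolys = find_linear_superpolys(toy_f, N_PUB, N_KEY, max_size=3)
    return recover_key(lambda x: toy_f(x, secret_key), superpolys, N_PUB, N_KEY)


if __name__ == "__main__":
    for cube, (coef, const) in sorted(find_linear_superpolys(toy_f, N_PUB, N_KEY, 3).items()):
        terms = [f"k{i}" for i in range(N_KEY) if (coef >> i) & 1] + (["1"] if const else [])
        print(f"cube {cube}: superpoly = {' + '.join(terms)}")
    secret = [1, 0, 1, 1]
    print("recovered", attack(secret), "secret", secret)
```

    On this toy the cubes {1}, {0,1}, {2,3}, {0,1,2} and {0,2,3} survive with superpolys k2, k0+1, k3, k1 and k2, while {3} and {0,2} are rejected because their superpolys are the quadratics k1k3 and k0k1. The affinity check is exhaustive over all key pairs only because the toy key has 4 bits; against a real cipher it is a randomised BLR-style test on sampled key pairs, and the cubes, like the leakage bits in the PRESENT attacks, are chosen so that the superpolys stay linear in the key.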

    Fitting aggregation operators to data

    Theoretical advances in modelling the aggregation of information have produced a wide range of aggregation operators, applicable to almost every practical problem. The most important classes of aggregation operators include triangular norms, uninorms, generalised means and OWA operators. With such a variety, an important practical problem has emerged: how to fit the parameters/weights of these families of aggregation operators to observed data? How to estimate quantitatively whether a given class of operators is suitable as a model in a given practical setting? Aggregation operators are rather special classes of functions, and thus they require specialised regression techniques which enforce important theoretical properties, like commutativity or associativity. My presentation will address this issue in detail, and will discuss various regression methods applicable specifically to t-norms, uninorms and generalised means. I will also demonstrate software implementing these regression techniques, which would allow practitioners to paste their data and obtain optimal parameters of the chosen family of operators.

    Spectral Edge Properties of Periodic Elliptic Operators

    In this dissertation, we study some spectral problems for periodic elliptic operators arising in solid state physics, material sciences, and differential geometry. More precisely, we are interested in various effects near and at spectral edges of such operators. We use the name "threshold effects" for the features that depend only on the infinitesimal structure (e.g., a finite number of Taylor coefficients) of the dispersion relation at a spectral edge. We begin with an example of a threshold effect by describing explicitly the asymptotics of the Green's function near a spectral edge of an internal gap of the spectrum of a second-order periodic elliptic operator on Euclidean space, as long as the dispersion relation of this operator has a non-degenerate parabolic extremum there. This result confirms the expectation that the asymptotics of such operators resemble the case of the Laplace operator. Then we generalize these results by establishing Green's function asymptotics near and at gap edges of periodic elliptic operators on abelian coverings of compact Riemannian manifolds. The interesting feature we discover here is that the torsion-free rank of the deck transformation group plays a more important role than the dimension of the covering manifold. Finally, we provide a combination of the Liouville and the Riemann-Roch theorems for periodic elliptic operators on abelian co-compact coverings. We obtain several results in this direction for a wide class of periodic elliptic operators. As a simple application of our Liouville-Riemann-Roch inequalities, we prove the existence of non-trivial solutions of polynomial growth of certain periodic elliptic operators on noncompact abelian coverings with prescribed zeros, provided that such solutions grow fast enough.