Improved Side Channel Cube Attacks on PRESENT
The paper presents several improved side channel cube attacks on PRESENT based on the single bit leakage model. Compared with the previous study of Yang et al. in CANS 2009 [30], based on the same model of single bit leakage in the 3rd round, we show that: if the PRESENT cipher structure is unknown, for the leakage bit 0, a 32-bit key can be recovered within chosen plaintexts; if the cipher structure is known, for the leakage bits 4, 8 and 12, a 48-bit key can be extracted by chosen plaintexts, which is fewer than in [30]; then, we extend the single bit leakage model to the 4th round and, based on a two-level "divide and conquer" analysis strategy, we propose a sliding window side channel cube attack on PRESENT, in which, for the leakage bit 0, about chosen plaintexts can obtain a 60-bit key; in order to obtain more key bits, we propose an iterated side channel cube attack on PRESENT, in which about chosen plaintexts can obtain 12 extra equivalent key bits, so overall chosen plaintexts can reduce the PRESENT-80 key search space to ; finally, we extend the attack to PRESENT-128, where about chosen plaintexts can extract 85 key bits and reduce the PRESENT-128 key search space to . Compared with the previous study of Abdul-Latip et al. in ASIACCS 2011 [31], based on the Hamming weight leakage model, which can extract a 64-bit key of PRESENT-80/128 by chosen plaintexts, our attacks can extract more key bits and have certain advantages over [31].
An Algebraic Approach to Nivat's Conjecture
This thesis introduces a new, algebraic method to study multidimensional configurations, also sometimes called words, which have low pattern complexity. This is the setting of several open problems, most notably Nivat's conjecture, which is a generalization of the Morse-Hedlund theorem to two dimensions, and the periodic tiling problem by Lagarias and Wang.
We represent configurations as formal power series over d variables where d is the dimension. This allows us to study the ideal of polynomial annihilators of the series. In the two-dimensional case we give a detailed description of the ideal, which can be applied to obtain partial results on the aforementioned combinatorial problems.
In particular, we show that configurations of low complexity can be decomposed into sums of periodic configurations. In the two-dimensional case, one such decomposition can be described in terms of the annihilator ideal. We apply this knowledge to obtain the main result of this thesis, an asymptotic version of Nivat's conjecture. We also prove Nivat's conjecture for configurations which are sums of two periodic ones, and as a corollary reprove the main result of Cyr and Kra from [CK15].
An Algebraic Approach to Nivat's Conjecture (Finnish abstract)
This dissertation presents a new, algebraic approach to multidimensional configurations of low complexity. Several open problems have been posed about these configurations, which are also called multidimensional words. The most important of these are Nivat's conjecture, which is a two-dimensional generalization of the Morse-Hedlund theorem, and the periodic tiling problem of Lagarias and Wang.
In the approach of this dissertation, d-dimensional configurations are represented as formal power series in d variables. This makes it possible to study the ideal of polynomial annihilators of a configuration. In the two-dimensional case the dissertation determines the structure of this ideal precisely. Using this, new partial results are obtained on the combinatorial problems mentioned above.
More precisely, the dissertation proves that configurations of low complexity can be decomposed into a sum of periodic configurations. In the two-dimensional case one such decomposition is obtained from the annihilator ideal. With this, an asymptotic version of Nivat's conjecture is proved. In addition, Nivat's conjecture is shown to hold for configurations that are sums of two periodic configurations, and as a consequence a new proof is obtained for the main result of the article [CK15] by Cyr and Kra.
Design and Cryptanalysis of Symmetric-Key Algorithms in Black and White-box Models
Cryptography studies secure communications. In symmetric-key cryptography, the communicating parties have a shared secret key which allows both to encrypt and decrypt messages. The encryption schemes used are very efficient but have no rigorous security proof. In order to design a symmetric-key primitive, one has to ensure that the primitive is secure at least against known attacks. During 4 years of my doctoral studies at the University of Luxembourg under the supervision of Prof. Alex Biryukov, I studied symmetric-key cryptography and contributed to several of its topics.
Part I is about structural and decomposition cryptanalysis. This type of cryptanalysis aims to exploit properties of the algorithmic structure of a cryptographic function. The first goal is to distinguish a function with a particular structure from random, structure-less functions. The second goal is to recover components of the structure in order to obtain a decomposition of the function. Decomposition attacks are also used to uncover secret structures of S-Boxes, cryptographic functions over small domains. In this part, I describe structural and decomposition cryptanalysis of the Feistel Network structure, decompositions of the S-Box used in the recent Russian cryptographic standard, and a decomposition of the only known APN permutation in even dimension.
Part II is about invariant-based cryptanalysis. This method has recently become an active research topic, mainly due to recent extreme cryptographic designs, which turned out to be vulnerable to this cryptanalysis method. In this part, I describe an invariant-based analysis of NORX, an authenticated cipher. Further, I show a theoretical study of linear layers that preserve low-degree invariants of a particular form used in the recent attacks on block ciphers.
Part III is about white-box cryptography. In the white-box model, an adversary has full access to the cryptographic implementation, which in particular may contain a secret key. The possibility of creating implementations of symmetric-key primitives secure in this model is a long-standing open question. Such implementations have many applications in industry, in particular in mobile payment systems. In this part, I study the possibility of applying masking, a side-channel countermeasure, to protect white-box implementations. I describe several attacks on the direct application of masking and provide a provably secure countermeasure against a strong class of these attacks.
Part IV is about the design of symmetric-key primitives. I contributed to the design of the block cipher family SPARX and to the design of a suite of cryptographic algorithms, which includes the cryptographic permutation family SPARKLE, the cryptographic hash function family ESCH, and the authenticated encryption family SCHWAEMM. In this part, I describe the security analysis that I made for these designs.
Lightweight symmetric cryptography
The Internet of Things is one of the principal trends in information technology nowadays. The main idea behind this concept is that devices communicate autonomously with each other over the Internet. Some of these devices have extremely limited resources, such as power and energy, available time for computations, amount of silicon to produce the chip, computational power, etc. Classical cryptographic primitives are often infeasible for such constrained devices. The goal of lightweight cryptography is to introduce cryptographic solutions with reduced resource consumption, but with a sufficient security level.
Although this research area has been of great interest to academia in recent years and a large number of proposals for lightweight cryptographic primitives have been introduced, almost none of them are used in the real world. Probably one of the reasons is that, for academia, lightweight usually meant designing cryptographic primitives such that they require minimal resources among all existing solutions. This exciting research problem became an important driver which allowed the academic community to better understand many cryptographic design concepts and to develop new attacks. However, this criterion does not seem to be the most important one for industry, where lightweight may be considered as "rightweight". In other words, a given cryptographic solution just has to fit the constraints of the specific use cases rather than to be the smallest. Unfortunately, academic researchers tended to neglect vital properties of the particular types of devices into which they intended to deploy their primitives. That is, solutions were often proposed where the usage of some resources was reduced to a minimum, but this was achieved by introducing new costs which were not appropriately taken into account, or in such a way that the reduction of costs also led to a decrease in the security level. Hence, there is a clear gap between academia and industry in understanding what lightweight cryptography is. In this work, we try to fill some of these gaps. We carefully investigate a broad number of existing lightweight cryptographic primitives proposed by academia, including authentication protocols, stream ciphers, and block ciphers, and evaluate their applicability for real-world scenarios. We then look at how individual design components of the primitives influence their cost and summarize the steps to be taken into account when designing primitives for concrete cost optimization, more precisely for low energy consumption. Next, we propose new implementation techniques for existing designs, making them more efficient or smaller in hardware without the necessity to pay any additional costs. After that, we introduce a new stream cipher design philosophy which enables secure stream ciphers with smaller area size than ever before and, at the same time, considerably higher throughput compared to any other encryption schemes of similar hardware cost. To demonstrate the feasibility of our findings we propose two ciphers with the smallest area size so far, namely Sprout and Plantlet, and the most energy efficient encryption scheme, called Trivium-2. Finally, this thesis solves a concrete industrial problem. Based on standardized cryptographic solutions, we design an end-to-end data-protection scheme for low power networks. This scheme was deployed on the water distribution network in the City of Antibes, France.
Extensions of the cube attack based on low degree annihilators
At Crypto 2008, Shamir introduced a new algebraic attack called the cube attack, which allows us to solve black-box polynomials if we are able to tweak the inputs by varying an initialization vector. In a stream cipher setting where the filter function is known, we can extend it to the cube attack with annihilators: by applying the cube attack to Boolean functions for which we can find low-degree multiples (equivalently, annihilators), the attack complexity can be improved. When the size of the filter function is smaller than the LFSR, we can improve the attack complexity further by considering a sliding window version of the cube attack with annihilators. Finally, we extend the cube attack to vectorial Boolean functions by finding implicit relations with low-degree polynomials.
Fitting aggregation operators to data
Theoretical advances in modelling the aggregation of information have produced a wide range of aggregation operators, applicable to almost every practical problem. The most important classes of aggregation operators include triangular norms, uninorms, generalised means and OWA operators. With such a variety, an important practical problem has emerged: how to fit the parameters/weights of these families of aggregation operators to observed data? How to estimate quantitatively whether a given class of operators is suitable as a model in a given practical setting? Aggregation operators are rather special classes of functions, and thus they require specialised regression techniques which enforce important theoretical properties, like commutativity or associativity. My presentation will address this issue in detail, and will discuss various regression methods applicable specifically to t-norms, uninorms and generalised means. I will also demonstrate software implementing these regression techniques, which allows practitioners to paste their data and obtain optimal parameters of the chosen family of operators.
Spectral Edge Properties of Periodic Elliptic Operators
In this dissertation, we study some spectral problems for periodic elliptic operators arising in solid state physics, material sciences, and differential geometry. More precisely, we are interested in dealing with various effects near and at spectral edges of such operators. We use the name "threshold effects" for the features that depend only on the infinitesimal structure (e.g., a finite number of Taylor coefficients) of the dispersion relation at a spectral edge.
We begin with an example of a threshold effect by describing explicitly the asymptotics of the Green's function near a spectral edge of an internal gap of the spectrum of a periodic elliptic operator of second order on Euclidean spaces, as long as the dispersion relation of this operator has a non-degenerate parabolic extremum there. This result confirms the expectation that the asymptotics of such operators resemble the case of the Laplace operator.
Then we generalize these results by establishing Green's function asymptotics near and at gap edges of periodic elliptic operators on abelian coverings of compact Riemannian manifolds. The interesting feature we discover here is that the torsion-free rank of the deck transformation group plays a more important role than the dimension of the covering manifold.
Finally, we provide a combination of the Liouville and the Riemann-Roch theorems for periodic elliptic operators on abelian co-compact coverings. We obtain several results in this direction for a wide class of periodic elliptic operators. As a simple application of our Liouville-Riemann-Roch inequalities, we prove the existence of non-trivial solutions of polynomial growth of certain periodic elliptic operators on noncompact abelian coverings with prescribed zeros, provided that such solutions grow fast enough.