    Simplified Modeling of MITM Attacks for Block Ciphers: New (Quantum) Attacks

    The meet-in-the-middle (MITM) technique has led to many key-recovery attacks on block ciphers and preimage attacks on hash functions. MITM attacks aim at efficiently finding the internal states conforming to a constrained computational path in the given design. The path is split into two independent computations (forward and backward) which are performed separately and then matched pairwise. Nowadays, cryptographers use automatic tools that reduce the search for MITM attacks to an optimization problem. Bao et al. (EUROCRYPT 2021) introduced a low-level modeling based on Mixed Integer Linear Programming (MILP) for MITM attacks on hash functions, which was extended to key-recovery attacks by Dong et al. (CRYPTO 2021). However, the modeling only covers AES-like designs. Schrottenloher and Stevens (CRYPTO 2022) proposed a different approach aiming at higher-level simplified models. However, their modeling was limited to cryptographic permutations. In this paper, we extend the latter simplified modeling to also cover block ciphers with simple key schedules. The resulting modeling enables us to target a large array of primitives, typically lightweight SPN ciphers where the key schedule has a slow diffusion, or none at all. We give several applications such as full breaks of the PIPO-256 and FUTURE block ciphers, and reduced-round classical and quantum attacks on SATURNIN-Hash.

    Continuous similarity measures for curves and surfaces


    BAKSHEESH: Similar Yet Different From GIFT

    We propose a lightweight block cipher named BAKSHEESH, which follows up on the popular cipher GIFT-128 (CHES'17). BAKSHEESH runs for 35 rounds, which is 12.50 percent smaller compared to GIFT-128 (runs for 40 rounds) while maintaining the same security claims against the classical attacks. The crux of BAKSHEESH is to use a 4-bit SBox that has a non-trivial Linear Structure (LS). An SBox with one or more non-trivial LS has not been used in a cipher construction until DEFAULT (Asiacrypt'21). DEFAULT is pitched to have inherent protection against the Differential Fault Attack (DFA), thanks to its SBox having 3 non-trivial LS. BAKSHEESH, however, uses an SBox with only 1 non-trivial LS; and is a traditional cipher just like GIFT-128, with no claims against DFA. The SBox requires a low number of AND gates, making BAKSHEESH suitable for side channel countermeasures (when compared to GIFT-128) and other niche applications. Indeed, our study on the cost of the threshold implementation shows that BAKSHEESH offers a few-fold advantage over other lightweight ciphers. The design is not much deviated from its predecessor (GIFT-128), thereby allowing for easy implementation (such as fix-slicing in software). However, BAKSHEESH opts for the full-round key XOR, compared to the half-round key XOR in GIFT. Thus, when taking everything into account, we show how a cipher construction can benefit from the unique vantage point of using 1 LS SBox, by combining the state-of-the-art progress in classical cryptanalysis and protection against device-dependent attacks. We, therefore, create a new paradigm of lightweight ciphers, by adequate deliberation on the design choice, and solidify it with appropriate security analysis and ample implementation/benchmark.

    Passive Compliance Control of Redundant Serial Manipulators

    Current industrial robotic manipulators, and even state of the art robotic manipulators, are slower and less reliable than humans at executing constrained manipulation tasks, tasks where motion is constrained in some direction (e.g., opening a door, turning a crank, polishing a surface, or assembling parts). Many constrained manipulation tasks are still performed by people because robots do not have the manipulation ability to reliably interact with a stiff environment, for which even small commanded position error yields very high contact forces in the constrained directions. Contact forces can be regulated using compliance control, in which the multi-directional elastic behavior (force-displacement relationship) of the end-effector is controlled along with its position. Some state of the art manipulators can directly control the end-effector's elastic behavior using kinematic redundancy (when the robot has more than the necessary number of joints to realize a desired end-effector position) and using variable stiffness actuators (actuators that adjust the physical joint stiffness in real time). Although redundant manipulators with variable stiffness actuators are capable of tracking a time-varying elastic behavior and position of the end-effector, no prior work addresses how to control the robot actuators to do so. This work frames this passive compliance control problem as a redundant inverse kinematics path planning problem extended to include compliance. The problem is to find a joint manipulation path (a continuous sequence of joint positions and joint compliances) to realize a task manipulation path (a continuous sequence of end-effector positions and compliances). This work resolves the joint manipulation path at two levels of quality: 1) instantaneously optimal and 2) globally optimal. An instantaneously optimal path is generated by integrating the optimal joint velocity (according to an instantaneous cost function) that yields the desired task velocity. A globally optimal path is obtained by deforming an instantaneously generated path into one that minimizes a global cost function (integral of the instantaneous cost function). This work shows the existence of multiple local minima of the global cost function and provides an algorithm for finding the global minimum.

    GIFT: A Small Present Towards Reaching the Limit of Lightweight Encryption

    In this article, we revisit the design strategy of PRESENT, leveraging all the advances provided by the research community in construction and cryptanalysis since its publication, to push the design up to its limits. We obtain an improved version, named GIFT, that provides a much increased efficiency in all domains (smaller and faster), while correcting the well-known weakness of PRESENT with regards to linear hulls. GIFT is a very simple and clean design that outperforms even SIMON or SKINNY for round-based implementations, making it one of the most energy efficient ciphers as of today. It reaches a point where almost the entire implementation area is taken by the storage and the Sboxes, where any cheaper choice of Sbox would lead to a very weak proposal. In essence, GIFT is composed of only Sbox and bit-wiring, but its natural bitslice data flow ensures excellent performances in all scenarios, from area-optimised hardware implementations to very fast software implementation on high-end platforms. We conducted a thorough analysis of our design with regards to state-of-the-art cryptanalysis, and we provide strong bounds with regards to differential/linear attacks.

    Quantum Algorithms for Cryptanalysis and Post-Quantum Symmetric Cryptography

    Modern cryptography relies on the notion of computational security. The level of security given by a cryptosystem is expressed as an amount of computational resources required to break it. The goal of cryptanalysis is to find attacks, that is, algorithms with lower complexities than the conjectural bounds. With the advent of quantum computing devices, these levels of security have to be updated to take a whole new notion of algorithms into account. At the same time, cryptography is becoming widely used in small devices (smart cards, sensors), with new cost constraints. In this thesis, we study the security of secret-key cryptosystems against quantum adversaries. We first build new quantum algorithms for k-list (k-XOR or k-SUM) problems, by composing exhaustive search procedures. Next, we present dedicated cryptanalysis results, starting with a new quantum cryptanalysis tool, the offline Simon's algorithm. We describe new attacks against the lightweight algorithms Spook and Gimli and we perform the first quantum security analysis of the standard cipher AES. Finally, we specify Saturnin, a family of lightweight cryptosystems oriented towards post-quantum security. Thanks to a very similar structure, its security relies largely on the analysis of AES.

    Modern cryptography is founded on the notion of computational security. The security levels expected of cryptosystems are expressed as a number of operations; an attack is an algorithm whose complexity is lower than the expected bound. But these security levels must today take a new notion of algorithm into account: the quantum computing paradigm. At the same time, the growing delegation of encryption to RFID chips, connected objects and embedded hardware imposes new cost constraints. In this thesis, we study the security of secret-key cryptosystems against a quantum adversary. We first introduce new quantum algorithms for the generic k-list problems (k-XOR or k-SUM), built by composing exhaustive search procedures. We then present dedicated cryptanalysis results, starting with a new quantum cryptanalysis tool, the offline Simon's algorithm. We describe new attacks against the algorithms Spook and Gimli and we carry out the first quantum security study of the AES cipher. Thirdly, we specify Saturnin, a family of low-cost cryptosystems oriented towards post-quantum security. The structure of Saturnin is close to that of AES, and its security draws largely on that of AES.

    Non-fungible tokens (NFTs) and their security challenges

    The Non-Fungible Token (NFT) market has been exploding in recent years. The notion of NFT originated with Ethereum's token standard, which aimed to differentiate each token using distinguishing signals. Tokens of this type can be associated with virtual or digital properties to serve as unique identifiers. Non-Fungible Token (NFT) technology is gaining traction in the blockchain industry. In this article, we examine state-of-the-art NFT systems that have the potential to reshape the market for digital virtual assets. We assess the security of existing NFT systems and expand on the opportunities and prospective uses for the NFT idea. Finally, we discuss existing research challenges that must be overcome before mass-market penetration can occur. We hope that this paper provides an up-to-date analysis and summary of existing and proposed solutions and projects, making it easier for newcomers to stay current.

    The Non-Fungible Token (NFT) market has been exploding in recent years. The notion of NFT emerged with Ethereum's token standard, which aims to distinguish each token using distinguishing signals. Tokens of this type can be associated with virtual or digital properties to serve as unique identifiers. Non-Fungible Token (NFT) technology is gaining ground in the blockchain industry. In this article, we examine state-of-the-art NFT systems that have the potential to reshape the market for digital virtual assets. We will assess the security of existing NFT systems and expand on the opportunities and possible uses for the NFT idea. Finally, we address the existing research challenges that must be overcome before mass-market entry can occur. In this review, we hope to make it easier for newcomers to stay current by providing an up-to-date analysis and summary of existing and proposed solutions and projects.

    High-dimensional polytopes defined by oracles: algorithms, computations and applications

    The processing and analysis of geometric data in high dimensions plays a fundamental role in various branches of science and engineering. In recent decades many successful geometric algorithms have been developed in 2 and 3 dimensions. However, in most cases their performance in higher dimensions is not satisfactory. This behaviour is widely known as the curse of dimensionality. Two solution frameworks that have been adopted to overcome this difficulty are the exploitation of the special structure of the data, as in the case of sparse data or data lying in a space of lower dimension, and the design of approximation algorithms. In this thesis we study problems within these frameworks. The main research field of the present work is discrete and computational geometry and its relations with branches of computer science and applied mathematics, such as polytope theory, algorithm implementation, probabilistic geometric algorithms, computational algebraic geometry and optimization. The fundamental geometric objects of our study are polytopes, and their basic properties are convexity and the fact that they are defined by an oracle in a high-dimensional space. The contribution of this thesis is threefold. First, the design and analysis of geometric algorithms for problems in high dimensions. Second, theoretical results on the combinatorial characterization of basic families of polytopes. Third, the implementation and experimental analysis of the proposed algorithms and methods. The developed open-source software is publicly available and builds on and extends widespread geometric and algebraic software libraries such as CGAL and polymake.

    The processing and analysis of high-dimensional geometric data plays a fundamental role in disciplines of science and engineering. In the last decades many successful geometric algorithms have been developed in 2 and 3 dimensions. However, in most cases their performance in higher dimensions is poor. This behavior is commonly called the curse of dimensionality. A solution framework adopted to overcome the curse of dimensionality is the exploitation of the special structure of the data, such as sparsity or low intrinsic dimension, and the design of approximation algorithms. The main research area of this thesis is discrete and computational geometry and its connections to branches of computer science and applied mathematics. The contribution of this thesis is threefold. First, the design and analysis of geometric algorithms for problems concerning high-dimensional convex polytopes, such as convex hull and volume computation, and their applications to computational algebraic geometry and optimization. Second, the establishment of combinatorial characterization results for essential polytope families. Third, the implementation and experimental analysis of the proposed algorithms and methods. The developed software is open-source, publicly available, and builds on and extends state-of-the-art geometric and algebraic software libraries such as CGAL and polymake.