    A SAT-based preimage analysis of reduced KECCAK hash functions

    In this paper, we present a preimage attack on reduced versions of the Keccak hash functions. We use our recently developed toolkit CryptLogVer to generate a CNF (conjunctive normal form) formula, which is passed to the SAT solver PrecoSAT. We found preimages for some reduced versions of the function and showed that the full Keccak function is secure against the presented attack.

    Inductive analysis of security protocols in Isabelle/HOL with applications to electronic voting

    Security protocols are predefined sequences of message exchanges. Their use over computer networks aims to provide certain guarantees to protocol participants. The sensitive nature of many applications resting on protocols encourages the use of formal methods to provide rigorous correctness proofs. This dissertation presents extensions to the Inductive Method for protocol verification in the Isabelle/HOL interactive theorem prover. The current state of the Inductive Method and of other protocol analysis techniques is reviewed. Protocol composition modelling in the Inductive Method is introduced and put into practice by holistically verifying the composition of a certification protocol with an authentication protocol. Unlike some existing approaches, we are not constrained by independence requirements or search space limitations. A special kind of identity-based signature, the auditable one, is specified in the Inductive Method and integrated into an analysis of a recent ISO/IEC 9798-3 protocol. A side-by-side verification covers both a version of the protocol with auditable identity-based signatures and a version with plain ones. The largest part of the thesis presents extensions for the verification of electronic voting protocols. Innovative specification and verification strategies are described. The crucial property of voter privacy, being the impossibility of knowing how a specific voter voted, is modelled as an unlinkability property between pieces of information. Unlinkability is then specified in the Inductive Method using novel message operators. An electronic voting protocol by Fujioka, Okamoto and Ohta is modelled in the Inductive Method. Its classic confidentiality properties are verified, followed by voter privacy. The approach is shown to be generic enough to be reusable on other protocols while maintaining a coherent line of reasoning. We compare our work with the widespread process equivalence model and examine their respective strengths.

    On Finding Short Cycles in Cryptographic Algorithms

    We show how short cycles in the state space of a cryptographic algorithm can be used to mount a fault attack on its implementation which results in full secret key recovery. The attack is based on the assumption that an attacker can inject a transient fault at a precise location and time of their choice, and can do so more than once. We present an algorithm which uses SAT-based bounded model checking to find all short cycles of a given length. The existing Binary Decision Diagram (BDD) based algorithms for finding cycles have limited capacity due to the excessive memory requirements of BDDs. Simulation-based algorithms can be applied to larger problem instances; however, they cannot guarantee the detection of all cycles of a given length. The same holds for general-purpose SAT-based model checkers. The presented algorithm can find all short cycles in cryptographic algorithms with very large state spaces. We evaluate it by analyzing the Trivium, Bivium, Grain-80 and Grain-128 stream ciphers. The analysis shows that these ciphers have short cycles whose existence, to the best of our knowledge, was previously unknown.
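    The core of the technique above is a bounded model check: unroll the cipher's state transition k times as a Boolean circuit, assert that the state after k clocks equals the initial state (and, for exact length, that it does not return earlier), hand the CNF to a SAT solver, and enumerate every satisfying initial state by adding a blocking clause after each solution. The same encode-to-CNF-then-solve pipeline underlies the Keccak and SHA-1 entries on this page. The following is an added example, not code from the paper: the 8-bit nonlinear feedback shift register and its feedback function are assumptions invented for the demonstration (it is not Trivium or Grain, which have 288- and 80/128-bit states), and a tiny DPLL routine stands in for PrecoSAT or MiniSat. Because the toy state space has only 256 states, a brute-force walk cross-checks that the SAT enumeration really returns all cycles of each length.

```python
"""Added example: SAT-based bounded model checking for short cycles.

Not code from the paper; the 8-bit NLFSR, its feedback function and the
small DPLL solver are assumptions made for this demonstration only.
"""
from itertools import product

N = 8  # register length (assumption: toy size, so brute force can cross-check)


def feedback(w):
    """Toy NLFSR feedback over the current 8-bit window w (assumed function)."""
    return w[4] ^ (w[1] & (1 - w[5]))


def step(state):
    """One clock: shift out the oldest bit, shift in the feedback bit."""
    return state[1:] + (feedback(state),)


class Cnf:
    """Tseitin-style CNF builder. Literals are non-zero ints; -v means NOT v."""

    def __init__(self):
        self.n = 0
        self.clauses = []

    def var(self):
        self.n += 1
        return self.n

    def and_(self, a, b):
        z = self.var()
        self.clauses += [[-z, a], [-z, b], [z, -a, -b]]
        return z

    def xor(self, a, b):
        z = self.var()
        self.clauses += [[-z, a, b], [-z, -a, -b], [z, -a, b], [z, a, -b]]
        return z

    def eq(self, a, b):
        self.clauses += [[-a, b], [a, -b]]

    def feedback(self, w):
        """The same function as feedback() above, as gates over literals."""
        return self.xor(w[4], self.and_(w[1], -w[5]))


def _simplify(clauses, lit):
    """Assume lit is true: drop satisfied clauses, shorten the others."""
    out = []
    for c in clauses:
        if lit in c:
            continue
        if -lit in c:
            c = [l for l in c if l != -lit]
            if not c:
                return None  # empty clause: conflict
        out.append(c)
    return out


def dpll(clauses, assign=None):
    """Minimal DPLL with unit propagation; returns a model dict or None."""
    assign = dict(assign or {})
    while True:  # unit propagation to a fixpoint
        unit = next((c[0] for c in clauses if len(c) == 1), None)
        if unit is None:
            break
        assign[abs(unit)] = unit > 0
        clauses = _simplify(clauses, unit)
        if clauses is None:
            return None
    if not clauses:
        return assign
    lit = clauses[0][0]  # branch on a literal of the first open clause
    for choice in (lit, -lit):
        rest = _simplify(clauses, choice)
        if rest is None:
            continue
        sub = dict(assign)
        sub[abs(choice)] = choice > 0
        model = dpll(rest, sub)
        if model is not None:
            return model
    return None


def sat_cycles(k):
    """All states lying on a cycle of length exactly k, found by SAT-based BMC."""
    cnf = Cnf()
    x = [cnf.var() for _ in range(N)]  # x[0..7]: the unknown initial state
    for i in range(k):                  # unroll k clocks of the register
        x.append(cnf.feedback(x[i:i + N]))
    for j in range(N):                  # state after k clocks == initial state
        cnf.eq(x[k + j], x[j])
    for i in range(1, k):               # no earlier return, so the length is exact
        cnf.clauses.append([cnf.xor(x[i + j], x[j]) for j in range(N)])
    found = set()
    while True:
        model = dpll(cnf.clauses)
        if model is None:
            return found                # UNSAT: every cycle state has been listed
        state = tuple(int(model.get(v, False)) for v in x[:N])
        found.add(state)
        # blocking clause: forbid this initial state and ask the solver again
        cnf.clauses.append([-v if bit else v for v, bit in zip(x[:N], state)])


def brute_cycles(k):
    """Reference: walk all 2^N states and keep those that first return after k."""
    found = set()
    for s0 in product((0, 1), repeat=N):
        s = s0
        for i in range(1, k + 1):
            s = step(s)
            if s == s0:
                if i == k:
                    found.add(s0)
                break
    return found


if __name__ == "__main__":
    for k in range(1, 6):
        sat, ref = sat_cycles(k), brute_cycles(k)
        print(f"k={k}: {len(sat)} states on exact {k}-cycles; brute force agrees: {sat == ref}")
```

    For this toy register the two constant states are the only fixed points, the two alternating states form the only 2-cycle, there is no 3-cycle, and twelve states lie on 4-cycles; the brute-force walk confirms the SAT enumeration for every k. The blocking-clause loop is what makes the method complete (it terminates only when the instance is UNSAT), which is exactly the guarantee that simulation-based cycle search cannot give; on a real cipher the DPLL stand-in would be replaced by a CDCL solver and the unrolling would cover hundreds of state bits per clock.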

    SAT-based preimage attacks on SHA-1

    Hash functions are important cryptographic primitives which map arbitrarily long messages to fixed-length message digests in such a way that: (1) it is easy to compute the message digest given a message, while (2) inverting the hashing process (i.e. finding a message that maps to a specific message digest) is hard. One attack against a hash function is an algorithm that nevertheless manages to invert the hashing process. Hash functions are used in, for example, authentication, digital signatures, and key exchange. A popular hash function used in many practical application scenarios is the Secure Hash Algorithm (SHA-1). In this thesis we investigate the current state of the art in carrying out preimage attacks against SHA-1 using SAT solvers, and we attempt to find out whether there is any room for improvement in either the encoding or the solving process. We run a series of experiments using SAT solvers on encodings of reduced-difficulty versions of SHA-1. Each experiment tests one aspect of the encoding or solving process, such as determining whether there exists an optimal restart interval or which branching heuristic leads to the best average solving time. An important part of our work is the use of statistically sound methods, i.e. hypothesis tests which take sample size and variation into account. Our most important result is a new encoding of 32-bit modular addition which significantly reduces the time it takes the SAT solver to find a solution compared to previously known encodings. Other results include the finding that reducing the absolute size of the search space by fixing bits of the message up to a certain point actually results in an instance that is harder for the SAT solver to solve. We have also identified some slight improvements to the parameters used by the heuristics of the solver MiniSat; for example, contrary to assertions made in the literature, we find that using longer restart intervals improves the running time of the solver.

    Algorithms and efficient encodings for argumentation frameworks and arithmetic problems

    In this thesis we focus on the design and implementation of a particular framework of Possibilistic Defeasible Logic Programming (RP-DeLP). This framework is based on a general notion of collective (non-binary) conflict among arguments, which makes it possible to ensure direct and indirect consistency properties with respect to the strict knowledge. An output of an RP-DeLP program is a pair of sets of warranted and blocked conclusions (literals), all of them recursively based on warranted conclusions; warranted conclusions do not generate any conflict, whereas blocked conclusions do. An RP-DeLP program may have multiple outputs in the case of circular definitions of conflicts among arguments. We introduce two semantics: the first computes all possible outputs, taking into account the different ways of resolving the circular conflicts that may arise; the second computes a single output characterized by what we call the maximal ideal output, which contains a maximal number of warranted literals but includes only literals whose arguments have their supports included in the output. The computation of the outputs for both semantics relies on two main problems: finding a collective conflict among a set of arguments, and finding almost valid arguments for a conclusion. Both are combinatorial problems, so we propose two resolution approaches, one based on SAT techniques and the other on Answer Set Programming techniques. We provide an implementation and test our algorithms empirically on randomly generated problems whose properties can be controlled through the input parameters of the generator, and we analyze how those parameters affect solving time and the information obtained. In this thesis we also address other combinatorial problems: we analyze, design and implement resolution tools for arithmetic problems, modular constraints and networking problems, and we study empirically how our approaches perform compared to the techniques considered the best proposals in the literature.

    Introductory Computer Forensics

    INTERPOL (the International Criminal Police Organization) built cybercrime programs to keep up with emerging cyber threats, and aims to coordinate and assist international operations for fighting crimes involving computers. Although significant international efforts are being made in dealing with cybercrime and cyber-terrorism, finding effective, cooperative, and collaborative ways to deal with complicated cases that span multiple jurisdictions has proven difficult in practice.

    CDCL(Crypto) and Machine Learning based SAT Solvers for Cryptanalysis

    Over the last two decades, we have seen a dramatic improvement in the efficiency of conflict-driven clause-learning Boolean satisfiability (CDCL SAT) solvers on industrial problems from a variety of applications such as verification, testing, security, and AI. The availability of such powerful general-purpose search tools as the SAT solver has led many researchers to propose SAT-based methods for cryptanalysis, including techniques for finding collisions in hash functions and breaking symmetric encryption schemes. A feature of all previously proposed SAT-based cryptanalysis work is that it is black-box, in the sense that the cryptanalysis problem is encoded as a SAT instance and then a CDCL SAT solver is invoked to solve that instance. A weakness of this approach is that the encoding thus generated may be too large for any modern solver to solve efficiently. Perhaps a more important weakness is that the solver is in no way specialized or tuned to solve the given instance. Finally, very little work has been done to leverage parallelism in the context of SAT-based cryptanalysis. To address these issues, we developed a set of methods that improve on the state of the art in SAT-based cryptanalysis along three fronts. First, we describe an approach called CDCL(Crypto) (inspired by the CDCL(T) paradigm) that tailors the internal subroutines of the CDCL SAT solver with domain-specific knowledge about cryptographic primitives. Specifically, we extend the propagation and conflict analysis subroutines of CDCL solvers with specialized code that has knowledge of the cryptographic primitive being analyzed by the solver. We demonstrate the power of this framework on two cryptanalysis tasks: algebraic fault attacks and differential cryptanalysis of the SHA-1 and SHA-256 cryptographic hash functions. 
    Second, we propose a machine-learning based parallel SAT solver that performs well on cryptographic problems relative to many state-of-the-art parallel SAT solvers. Finally, we use a formulation of SAT as Bayesian moment matching to address the heuristic initialization problem in SAT solvers.