
    ENERGY-EFFICIENT CRYPTOGRAPHIC PRIMITIVES

    Our society greatly depends on services and applications provided by mobile communication networks. As billions of people and devices become connected, it becomes increasingly important to guarantee the security of interactions among all players. In this talk we address several aspects of this important, many-faceted problem. First, we show how to design cryptographic primitives which can assure the integrity and confidentiality of transmitted messages while satisfying the resource constraints of low-end, low-cost wireless devices such as sensors or RFID tags. Second, we describe countermeasures which can enhance the resistance of hardware implementing cryptographic algorithms to hardware Trojans.

    Cryptographic Pairings: Efficiency and DLP security

    This thesis studies two important aspects of the use of pairings in cryptography: efficient algorithms and security. Pairings are very useful tools in cryptography; originally used for the cryptanalysis of elliptic curve cryptography, they are now used in key exchange protocols, signature schemes and identity-based cryptography. This thesis comprises two parts: Security and Efficient Algorithms. In Part I: Security, the security of pairing-based protocols is considered, with a thorough examination of the Discrete Logarithm Problem (DLP) as it occurs in Pairing-Based Cryptography (PBC). Results on the relationship between the two instances of the DLP are presented along with a discussion of the appropriate selection of parameters to ensure a particular security level. In Part II: Efficient Algorithms, some of the computational issues which arise when using pairings in cryptography are addressed. Pairings can be computationally expensive, so the PBC research community is constantly striving to find computational improvements for all aspects of protocols using pairings. The improvements given in this part contribute towards more efficient methods for the computation of pairings, and increase the efficiency of operations necessary in some pairing-based protocols.

    Group Factorizations and Cryptology

    Asymmetric cryptosystems, also called public-key systems, can for instance be used for encrypting data, authentication, and integrity checking of data. Such systems can be found in numerous protocols, e.g. in the areas of the World Wide Web (HTTPS based on SSL/TLS), e-mail (S/MIME, OpenPGP/PGP), remote command execution (SSH), file transfer (SCP), and many more. One-way functions are functions that can be computed efficiently, but are hard to invert. One-way functions that can be inverted efficiently with additional information (the private key) are called trap-door functions. Asymmetric cryptosystems are based on trap-door functions. Most of the currently used asymmetric systems, especially RSA and ElGamal, are based on such functions in commutative algebraic structures. Whether commutative structures are a security issue due to their properties is unknown up to now. In any case the development and analysis of systems that are based on non-commutative structures is reasonable. A cryptosystem called MST1, which was introduced by S. S. Magliveras, D. R. Stinson and T. van Trung, is based on so-called logarithmic signatures of arbitrary (also including non-commutative, i.e. non-abelian) finite groups. For a finite group G, an ordered set L of subsets of G is considered, where each element of G has a unique representation as a product of one element from each subset in L. L is then called a logarithmic signature. An interesting question now is whether there exist logarithmic signatures for which it is hard to find a factorization as a product in L for a given group element. If so, this would be a one-way function: products of group elements (with factors from L) can be computed efficiently, but the inversion, i.e. finding a factorization as a product in L, would be hard. In this dissertation the realizability and security of MST1 is analyzed for various groups and logarithmic signature types.
The first part of the dissertation deals with the generation of logarithmic signatures. The ability to efficiently generate logarithmic signatures is a requirement for a concrete realization of the MST1 cryptosystem. We first investigate transformations of logarithmic signatures (their effect on factorization mappings, subclasses of transformations, compositions of transformations, etc.). Based on this, we develop an algorithm for generating logarithmic signatures. This algorithm also works with non-abelian groups, and for abelian groups the set of generated logarithmic signatures is typically a proper superset of the logarithmic signatures generated by the methods usually used in literature. Subsequently, we regard the factorization problem with respect to logarithmic signatures for various groups. For abelian groups we develop factorization algorithms that are efficient for specific classes of logarithmic signatures. Furthermore, we develop a generic factorization algorithm, which not only works with logarithmic signatures but all block sequences (and the run-time depends on the structure of the input), and for which the efficiency can be shown for some large classes of logarithmic signatures. Moreover, we analyze logarithmic signatures of dihedral groups, and present efficient factorization algorithms for specific types of logarithmic signatures. These results are generalized and extended: we analyze the generalized quaternion group and wreath products. In the previous investigations we used a specific representation of the group. In another part of the dissertation we analyze in which cases one can give an efficient algorithm for converting elements of an arbitrarily represented group (black box group) with known structure to the representation used in the previous chapters. 
Finally, we present our program, in which a cryptosystem (based on a generalized MST1) and the various generation and factorization algorithms developed in this work have been implemented.

    Cryptographic Key Distribution In Wireless Sensor Networks Using Bilinear Pairings

    It is envisaged that the use of cheap and tiny wireless sensors will soon bring a third wave of evolution in computing systems. Billions of wireless sensor nodes will provide a bridge between information systems and the physical world. Wireless nodes deployed around the globe will monitor the surrounding environment as well as gather information about the people therein. It is clear that this revolution will put security solutions to a great test. Wireless Sensor Networks (WSNs) are a challenging environment for applying security services. They differ in many aspects from traditional fixed networks, and standard cryptographic solutions cannot be used in this application space. Despite many research efforts, key distribution in WSNs still remains an open problem. Many of the proposed schemes suffer from high communication overhead and storage costs, low scalability and poor resilience against different types of attacks. The exclusive use of simple and energy-efficient symmetric cryptography primitives does not solve the security problem. On the other hand, a full public key infrastructure which uses asymmetric techniques, digital signatures and certificate authorities seems to be far too complex for a constrained WSN environment. This thesis investigates a new approach to WSN security which addresses many of the shortcomings of existing mechanisms. It presents a detailed description of how to provide practical Public Key Cryptography solutions for wireless sensor networks. The contributions to the state of the art are made on all levels of development, beginning with the basic arithmetic operations and finishing with complete security protocols. This work includes a survey of different key distribution protocols that have been developed for WSNs, with an evaluation of their limitations. It also proposes Identity-Based Cryptography (IBC) as an ideal technique for key distribution in sensor networks. 
It presents the first in-depth study of the application and implementation of Pairing-Based Cryptography (PBC) to WSNs. This is followed by a presentation of the state of the art on the software implementation of Elliptic Curve Cryptography (ECC) on typical WSN platforms. New optimized algorithms for performing multiprecision multiplication on a broad range of low-end CPUs are introduced as well. Three novel protocols for key distribution are proposed in this thesis. Two of these are intended for non-interactive key exchange in flat and clustered networks respectively. A third key distribution protocol uses Identity-Based Encryption (IBE) to secure communication within a heterogeneous sensor network. This thesis also includes a comprehensive security evaluation that shows that the proposed schemes are resistant to various attacks that are specific to WSNs. This work shows that by using the newest achievements in cryptography, like pairings and IBC, it is possible to deliver affordable public-key cryptographic solutions and to provide a sufficient level of security for the most demanding WSN applications.

    Part I:


    Hardware Architectures for Post-Quantum Cryptography

    The rapid development of quantum computers poses severe threats to many commonly used cryptographic algorithms that are embedded in different hardware devices to ensure the security and privacy of data and communication. Seeking new solutions that are potentially resistant against attacks from quantum computers, a new research field called Post-Quantum Cryptography (PQC) has emerged, that is, cryptosystems deployed in classical computers conjectured to be secure against attacks utilizing large-scale quantum computers. In order to secure data during storage or communication, and many other applications in the future, this dissertation focuses on the design, implementation, and evaluation of efficient PQC schemes in hardware. Four PQC algorithms, each from a different family, are studied in this dissertation. The first hardware architecture presented in this dissertation is focused on the code-based scheme Classic McEliece. The research presented in this dissertation is the first that builds a hardware architecture for the Classic McEliece cryptosystem. This research successfully demonstrated that a complex code-based PQC algorithm can be run efficiently on hardware. Furthermore, this dissertation shows that the implementation of this scheme on hardware can be easily tuned to different configurations by implementing support for flexible choices of security parameters as well as configurable hardware performance parameters. The successful prototype of the Classic McEliece scheme on hardware increased confidence in this scheme, and helped Classic McEliece to get recognized as one of seven finalists in the third round of the NIST PQC standardization process. While Classic McEliece serves as a ready-to-use candidate for many high-end applications, PQC solutions are also needed for low-end embedded devices. Embedded devices play an important role in our daily life. 
Despite their typically constrained resources, these devices require strong security measures to protect them against cyber attacks. Towards securing these devices, the second research presented in this dissertation focuses on the hash-based digital signature scheme XMSS. This research is the first that explores and presents a practical hardware-based XMSS solution for low-end embedded devices. In the design of the XMSS hardware, a heterogeneous software-hardware co-design approach was adopted, which combined the flexibility of the soft core with the acceleration from the hard core. The practicability and efficiency of the XMSS software-hardware co-design is further demonstrated by providing a hardware prototype on an open-source RISC-V based System-on-a-Chip (SoC) platform. The third research direction covered in this dissertation focuses on lattice-based cryptography, which represents one of the most promising and popular alternatives to today's widely adopted public key solutions. Prior research has presented hardware designs targeting the computing blocks that are necessary for the implementation of lattice-based systems. However, a recurrent issue in most existing designs is that these hardware designs are not fully scalable or parameterized, hence limited to specific cryptographic primitives and security parameter sets. The research presented in this dissertation is the first that develops hardware accelerators that are designed to be fully parameterized to support different lattice-based schemes and parameters. Further, these accelerators are utilized to realize the first software-hardware co-design of provably-secure instances of qTESLA, which is a lattice-based digital signature scheme. This dissertation demonstrates that even demanding, provably-secure schemes can be realized efficiently with proper use of software-hardware co-design. 
The final research presented in this dissertation is focused on the isogeny-based scheme SIKE, which recently made it to the final round of the PQC standardization process. This research shows that hardware accelerators can be designed to offload compute-intensive elliptic curve and isogeny computations to hardware in a versatile fashion. These hardware accelerators are designed to be fully parameterized to support different security parameter sets of SIKE as well as flexible hardware configurations targeting different user applications. This research is the first that presents versatile hardware accelerators for SIKE that can be mapped efficiently to both FPGA and ASIC platforms. Based on these accelerators, an efficient software-hardware co-design is constructed for speeding up SIKE. In the end, this dissertation demonstrates that, despite being embedded with expensive arithmetic, the isogeny-based SIKE scheme can be run efficiently by exploiting specialized hardware. These four research directions combined demonstrate the practicability of building efficient hardware architectures for complex PQC algorithms. The exploration of efficient PQC solutions for different hardware platforms will eventually help migrate high-end servers and low-end embedded devices towards the post-quantum era.

    Security Analysis of Isogeny-Based Cryptosystems

    Let $E$ be a supersingular elliptic curve over a finite field. In this document we study public-key encryption schemes which use non-constant rational maps from $E$. The purpose of this study is to determine if such cryptosystems are secure. Supersingular Isogeny Diffie-Hellman (SIDH) and other supersingular isogeny-based cryptosystems are considered. The content is naturally divided by cryptosystem, and in the case of SIDH, further divided by type of cryptanalysis: SIDH when the endomorphism ring of the base elliptic curve is given (as is done in practice), repeated use of keys in SIDH, and endomorphism ring constructing algorithms. In each case the relevant background material is presented to develop the theory. In studying the security of SIDH when the endomorphism ring of the base curve $E$ is known, one of the main results is the following theorem. This theorem is then used to reduce the security of such an SIDH instantiation to the problem of finding particular endomorphisms in $\End(E)$.
\begin{thm}
Given
\begin{enumerate}
\item a supersingular elliptic curve $E/\FQ$ such that $p = N_1 N_2 - 1$ for coprime $N_1 \approx N_2$, where $N_2$ is $\log p$-smooth,
\item an elliptic curve $E'$ that is the codomain of an $N_1$-isogeny $\phi : E \rightarrow E'$,
\item the action of $\phi$ on $E[N_2]$, and
\item a $k$-endomorphism $\psi$ of $E$, where $\gcd(k, N_1) = 1$, and if $g$ is the greatest integer such that $g \mid N_2^2$ and $g \mid k$, then $h := \frac{k}{g} < N_1$,
\end{enumerate}
there exists a classical algorithm with worst case runtime $\tilde{O}(h^3)$ which decides whether $\psi(\ker\phi) = \ker\phi$ or not, but may give false positives with probability $\approx \frac{1}{\sqrt{p}}$. Further, if $h$ is $\log p$-smooth, then the runtime is $\tilde{O}(\sqrt{h})$.
\end{thm}
In studying the security of repeated use of SIDH public keys, the main result presented is the following theorem, which proves that performing multiple pairwise instances of SIDH prevents certain active attacks when keys are reused.
\begin{thm}
Assuming that the CSSI problem is intractable, it is computationally infeasible for a malicious adversary, with non-negligible probability, to modify a public key $(E_B, \phi_B(P_A), \phi_B(Q_A))$ to some $(E_B, R, S)$ which is malicious for SIDH.
\end{thm}
It is well known that the problem of computing hidden supersingular isogenies can be reduced to computing the endomorphism rings of the domain and codomain elliptic curves. A novel algorithm for computing an order in the endomorphism ring of a supersingular elliptic curve is presented and analyzed to have runtime $O(p^{1/2}(\log p)^2)$. In studying non-SIDH cryptosystems, four other isogeny-based cryptosystems are examined. The first three were all proposed by the same authors and use secret endomorphisms. These are each shown to be either totally insecure (private keys can be recovered directly from public keys) or impractical to implement efficiently. The fourth scheme is a novel proposal which attempts to combine isogenies with the learning with errors problem. This proposal is also shown to be totally insecure.

    Advances in Information Security and Privacy

    With the recent pandemic emergency, many people are spending their days working remotely and have increased their use of digital resources for both work and entertainment. The result is that the amount of digital information handled online has dramatically increased, and we can observe a significant increase in the number of attacks, breaches, and hacks. This Special Issue aims to establish the state of the art in protecting information by mitigating information risks. This objective is reached by presenting both surveys on specific topics and original approaches and solutions to specific problems. In total, 16 papers have been published in this Special Issue.

    Towards Efficient Arithmetic for Ring-LWE-Based Homomorphic Encryption (Vers une arithmétique efficace pour le chiffrement homomorphe basé sur le Ring-LWE)

    Fully homomorphic encryption is a kind of encryption offering the ability to manipulate encrypted data directly through their ciphertexts. In this way it is possible to process sensitive data without having to decrypt them beforehand, thereby ensuring the data's confidentiality. In the digital and cloud computing era this kind of encryption has the potential to considerably enhance privacy protection. However, because of its recent discovery by Gentry in 2009, we do not have enough hindsight about it yet. Therefore several uncertainties remain, in particular concerning its security and efficiency in practice, and should be clarified before an eventual widespread use. This thesis deals with this issue and focuses on the performance enhancement of this kind of encryption in practice. In this perspective we have been interested in the optimization of the arithmetic used by these schemes, either the arithmetic underlying the Ring Learning With Errors problem on which the security of these schemes is based, or the arithmetic specific to the computations required by the procedures of some of these schemes. We have also considered the optimization of the computations required by some specific applications of homomorphic encryption, in particular the classification of private data, and we propose methods and innovative techniques in order to perform these computations efficiently. We illustrate the efficiency of our different methods through different software implementations and comparisons to the state of the art.