Improved algebraic cryptanalysis of QUAD, Bivium and Trivium via graph partitioning on equation systems

We present a novel approach for preprocessing systems of polynomial equations via graph partitioning. The variable-sharing graph of a system of polynomial equations is defined. If such graph is disconnected, then the corresponding system of equations can be split into smaller ones that can be solved individually. This can provide a tremendous speed-up in computing the solution to the system, but is unlikely to occur either randomly or in applications. However, by deleting certain vertices on the graph, the variable-sharing graph could be disconnected in a balanced fashion, and in turn the system of polynomial equations would be separated into smaller systems of near-equal sizes. In graph theory terms, this process is equivalent to finding balanced vertex partitions with minimum-weight vertex separators. The techniques of finding these vertex partitions are discussed, and experiments are performed to evaluate its practicality for general graphs and systems of polynomial equations. Applications of this approach in algebraic cryptanalysis on symmetric ciphers are presented: For the QUAD family of stream ciphers, we show how a malicious party can manufacture conforming systems that can be easily broken. For the stream ciphers Bivium and Trivium, we nachieve significant speedups in algebraic attacks against them, mainly in a partial key guess scenario. In each of these cases, the systems of polynomial equations involved are well-suited to our graph partitioning method. These results may open a new avenue for evaluating the security of symmetric ciphers against algebraic attacks

Using graphic methods to challenge cryptographic performance

Block and stream ciphers have formed the traditional basis for the standardisation of commercial ciphers in the DES, AES, RC4, and so on. More recently alternative graphic methods such as Elliptic Curve Cryptography (ECC) have been adopted for performance gains. In this research we reviewed a range of graphic and non-graphic methods and then designed our own cipher system based on several graphic methods, including Visual Cryptography (VC). We then tested our cipher against RC4 and the AES algorithms for performance and security. The results showed that a graphics based construct may deliver comparable or improved security and performance in many of the required areas. These findings offer potential alternative avenues for post-quantum cryptographic research

The implementation of cubic public keys based on a new family of algebraic graphs

Families of edge transitive algebraic graphs defined over finite commutative rings were used for the development of stream ciphers, public key cryptosystems and key exchange protocols. We present the results of the first implementation of a public key algorithm based on the family of algebraic graphs, which are not edge transitive. The absence of an edge transitive group of symmetries means that the algorithm can not be described in group theoretical terms. We hope that it licates cryptanalysis of the algorithm. We discuss the connections between the security of algorithms and the discrete logarithm problem.The plainspace of the algorithm is Kn, where K is the chosen commutative ring. The graph theoretical encryption corresponds to walk on the bipartite graph with the partition sets which are isomorphic to Kn. We conjugate the chosen graph based encryption map, which is a composition of several elementary cubical polynomial automorphisms of a free module Kn with special invertible affine transformation of Kn. Finally we compute symbolically the corresponding cubic public map g of Kn onto Kn. We evaluate time for the generation of g, and the number of monomial expression in the list of corresponding public rules

Selected Topics in Cryptanalysis of Symmetric Ciphers

It is well established that a symmetric cipher may be described as a system of Boolean polynomials, and that the security of the cipher cannot be better than the difficulty of solving said system. Compressed Right-Hand Side (CRHS) Equations is but one way of describing a symmetric cipher in terms of Boolean polynomials. The first paper of this thesis provides a comprehensive treatment firstly of the relationship between Boolean functions in algebraic normal form, Binary Decision Diagrams and CRHS equations. Secondly, of how CRHS equations may be used to describe certain kinds of symmetric ciphers and how this model may be used to attempt a key-recovery attack. This technique is not left as a theoretical exercise, as the process have been implemented as an open-source project named CryptaPath. To ensure accessibility for researchers unfamiliar with algebraic cryptanalysis, CryptaPath can convert a reference implementation of the target cipher, as specified by a Rust trait, into the CRHS equations model automatically. CRHS equations are not limited to key-recovery attacks, and Paper II explores one such avenue of CRHS equations flexibility. Linear and differential cryptanalysis have long since established their position as two of the most important cryptanalytical attacks, and every new design since must show resistance to both. For some ciphers, like the AES, this resistance can be mathematically proven, but many others are left to heuristic arguments and computer aided proofs. This work is tedious, and most of the tools require good background knowledge of a tool/technique to transform a design to the right input format, with a notable exception in CryptaGraph. CryptaGraph is written in Rust and transforms a reference implementation into CryptaGraphs underlying data structure automatically. Paper II introduces a new way to use CRHS equations to model a symmetric cipher, this time in such a way that linear and differential trail searches are possible. In addition, a new set of operations allowing us to count the number of active S-boxes in a path is presented. Due to CRHS equations effective initial data compression, all possible trails are captured in the initial system description. As is the case with CRHS equations, the crux is the memory consumption. However, this approach also enables the graph of a CRHS equation to be pruned, allowing the memory consumption to be kept at manageable levels. Unfortunately, pruning nodes also means that we will lose valid, incomplete paths, meaning that the hulls found are probably incomplete. On the flip side, all paths, and their corresponding probabilities, found by the tool are guaranteed to be valid trails for the cipher. This theory is also implemented in an extension of CryptaPath, and the name is PathFinder. PathFinder is also able to automatically turn a reference implementation of a cipher into its CRHS equations-based model. As an additional bonus, PathFinder supports the reference implementation specifications specified by CryptaGraph, meaning that the same reference implementation can be used for both CryptaGraph and PathFinder. Paper III shifts focus onto symmetric ciphers designed to be used in conjunction with FHE schemes. Symmetric ciphers designed for this purpose are relatively new and have naturally had a strong focus on reducing the number of multiplications performed. A multiplication is considered expensive on the noise budget of the FHE scheme, while linear operations are viewed as cheap. These ciphers are all assuming that it is possible to find parameters in the various FHE schemes which allow these ciphers to work well in symbiosis with the FHE scheme. Unfortunately, this is not always possible, with the consequence that the decryption process becomes more costly than necessary. Paper III therefore proposes Fasta, a stream cipher which has its parameters and linear layer especially chosen to allow efficient implementation over the BGV scheme, particularly as implemented in the HElib library. The linear layers are drawn from a family of rotation-based linear transformations, as cyclic rotations are cheap to do in FHE schemes that allow packing of multiple plaintext elements in one FHE ciphertext. Fasta follows the same design philosophy as Rasta, and will never use the same linear layer twice under the same key. The result is a stream cipher tailor-made for fast evaluation in HElib. Fasta shows an improvement in throughput of a factor more than 7 when compared to the most efficient implementation of Rasta.Doktorgradsavhandlin

Performance of algebraic graphs based stream-ciphers using large finite fields

Algebraic graphs D(n, q) and their analog graphs D(n, K), where K is a finite commutative ring were used successfully in Coding Theory (as Tanner graphs for the construction of LDPC codes and turbo-codes) and in Cryptography (stream-ciphers, public-keys and tools for the key-exchange protocols. Many properties of cryptography algorithms largely depend on the choice of finite field Fq or commutative ring K. For practical implementations the most convenient fields are F and rings modulo Z modulo 2m. In this paper the reader can find the first results about the comparison of D(n, 2m) based stream-ciphers for m = 8, 16, 32 implemented in C++. They show that performance (speed) of algorithms gets better when m is increased

Revisiting LFSMs

Linear Finite State Machines (LFSMs) are particular primitives widely used in information theory, coding theory and cryptography. Among those linear automata, a particular case of study is Linear Feedback Shift Registers (LFSRs) used in many cryptographic applications such as design of stream ciphers or pseudo-random generation. LFSRs could be seen as particular LFSMs without inputs. In this paper, we first recall the description of LFSMs using traditional matrices representation. Then, we introduce a new matrices representation with polynomial fractional coefficients. This new representation leads to sparse representations and implementations. As direct applications, we focus our work on the Windmill LFSRs case, used for example in the E0 stream cipher and on other general applications that use this new representation. In a second part, a new design criterion called diffusion delay for LFSRs is introduced and well compared with existing related notions. This criterion represents the diffusion capacity of an LFSR. Thus, using the matrices representation, we present a new algorithm to randomly pick LFSRs with good properties (including the new one) and sparse descriptions dedicated to hardware and software designs. We present some examples of LFSRs generated using our algorithm to show the relevance of our approach.Comment: Submitted to IEEE-I

Survey on Lightweight Primitives and Protocols for RFID in Wireless Sensor Networks

The use of radio frequency identification (RFID) technologies is becoming widespread in all kind of wireless network-based applications. As expected, applications based on sensor networks, ad-hoc or mobile ad hoc networks (MANETs) can be highly benefited from the adoption of RFID solutions. There is a strong need to employ lightweight cryptographic primitives for many security applications because of the tight cost and constrained resource requirement of sensor based networks. This paper mainly focuses on the security analysis of lightweight protocols and algorithms proposed for the security of RFID systems. A large number of research solutions have been proposed to implement lightweight cryptographic primitives and protocols in sensor and RFID integration based resource constraint networks. In this work, an overview of the currently discussed lightweight primitives and their attributes has been done. These primitives and protocols have been compared based on gate equivalents (GEs), power, technology, strengths, weaknesses and attacks. Further, an integration of primitives and protocols is compared with the possibilities of their applications in practical scenarios

1. Kryptotag - Workshop über Kryptographie

Der Report enthält eine Sammlung aller Beiträge der Teilnehmer des 1. Kryptotages am 1. Dezember 2004 in Mannheim

Building Correlation Immune Functions from Sets of Mutually Orthogonal Cellular Automata

Correlation immune Boolean functions play an important role in the implementation of efficient masking countermeasures for side-channel attacks in cryptography. In this paper, we investigate a method to construct correlation immune functions through families of mutually orthogonal cellular automata (MOCA). First, we show that the orthogonal array (OA) associated to a family of MOCA can be expanded to a binary OA of strength at least 2. To prove this result, we exploit the characterization of MOCA in terms of orthogonal labelings on de Bruijn graphs. Then, we use the resulting binary OA to define the support of a second-order correlation immune function. Next, we perform some computational experiments to construct all such functions up to $n=12$ variables, and observe that their correlation immunity order is actually greater, always at least 3. We conclude by discussing how these results open up interesting perspectives for future research, with respect to the search of new correlation-immune functions and binary orthogonal arrays