Highly Automated Formal Verification of Arithmetic Circuits

This dissertation investigates the problems of two distinctive formal verification techniques for verifying large scale multiplier circuits and proposes two approaches to overcome some of these problems. The first technique is equivalence checking based on recurrence relations, while the second one is the symbolic computation technique which is based on the theory of Gröbner bases. This investigation demonstrates that approaches based on symbolic computation have better scalability and more robustness than state-of-the-art equivalence checking techniques for verification of arithmetic circuits. According to this conclusion, the thesis leverages the symbolic computation technique to verify floating-point designs. It proposes a new algebraic equivalence checking, in contrast to classical combinational equivalence checking, the proposed technique is capable of checking the equivalence of two circuits which have different architectures of arithmetic units as well as control logic parts, e.g., floating-point multipliers

Selected Topics in Cryptanalysis of Symmetric Ciphers

It is well established that a symmetric cipher may be described as a system of Boolean polynomials, and that the security of the cipher cannot be better than the difficulty of solving said system. Compressed Right-Hand Side (CRHS) Equations is but one way of describing a symmetric cipher in terms of Boolean polynomials. The first paper of this thesis provides a comprehensive treatment firstly of the relationship between Boolean functions in algebraic normal form, Binary Decision Diagrams and CRHS equations. Secondly, of how CRHS equations may be used to describe certain kinds of symmetric ciphers and how this model may be used to attempt a key-recovery attack. This technique is not left as a theoretical exercise, as the process have been implemented as an open-source project named CryptaPath. To ensure accessibility for researchers unfamiliar with algebraic cryptanalysis, CryptaPath can convert a reference implementation of the target cipher, as specified by a Rust trait, into the CRHS equations model automatically. CRHS equations are not limited to key-recovery attacks, and Paper II explores one such avenue of CRHS equations flexibility. Linear and differential cryptanalysis have long since established their position as two of the most important cryptanalytical attacks, and every new design since must show resistance to both. For some ciphers, like the AES, this resistance can be mathematically proven, but many others are left to heuristic arguments and computer aided proofs. This work is tedious, and most of the tools require good background knowledge of a tool/technique to transform a design to the right input format, with a notable exception in CryptaGraph. CryptaGraph is written in Rust and transforms a reference implementation into CryptaGraphs underlying data structure automatically. Paper II introduces a new way to use CRHS equations to model a symmetric cipher, this time in such a way that linear and differential trail searches are possible. In addition, a new set of operations allowing us to count the number of active S-boxes in a path is presented. Due to CRHS equations effective initial data compression, all possible trails are captured in the initial system description. As is the case with CRHS equations, the crux is the memory consumption. However, this approach also enables the graph of a CRHS equation to be pruned, allowing the memory consumption to be kept at manageable levels. Unfortunately, pruning nodes also means that we will lose valid, incomplete paths, meaning that the hulls found are probably incomplete. On the flip side, all paths, and their corresponding probabilities, found by the tool are guaranteed to be valid trails for the cipher. This theory is also implemented in an extension of CryptaPath, and the name is PathFinder. PathFinder is also able to automatically turn a reference implementation of a cipher into its CRHS equations-based model. As an additional bonus, PathFinder supports the reference implementation specifications specified by CryptaGraph, meaning that the same reference implementation can be used for both CryptaGraph and PathFinder. Paper III shifts focus onto symmetric ciphers designed to be used in conjunction with FHE schemes. Symmetric ciphers designed for this purpose are relatively new and have naturally had a strong focus on reducing the number of multiplications performed. A multiplication is considered expensive on the noise budget of the FHE scheme, while linear operations are viewed as cheap. These ciphers are all assuming that it is possible to find parameters in the various FHE schemes which allow these ciphers to work well in symbiosis with the FHE scheme. Unfortunately, this is not always possible, with the consequence that the decryption process becomes more costly than necessary. Paper III therefore proposes Fasta, a stream cipher which has its parameters and linear layer especially chosen to allow efficient implementation over the BGV scheme, particularly as implemented in the HElib library. The linear layers are drawn from a family of rotation-based linear transformations, as cyclic rotations are cheap to do in FHE schemes that allow packing of multiple plaintext elements in one FHE ciphertext. Fasta follows the same design philosophy as Rasta, and will never use the same linear layer twice under the same key. The result is a stream cipher tailor-made for fast evaluation in HElib. Fasta shows an improvement in throughput of a factor more than 7 when compared to the most efficient implementation of Rasta.Doktorgradsavhandlin

Proceedings of the 22nd Conference on Formal Methods in Computer-Aided Design – FMCAD 2022

The Conference on Formal Methods in Computer-Aided Design (FMCAD) is an annual conference on the theory and applications of formal methods in hardware and system verification. FMCAD provides a leading forum to researchers in academia and industry for presenting and discussing groundbreaking methods, technologies, theoretical results, and tools for reasoning formally about computing systems. FMCAD covers formal aspects of computer-aided system design including verification, specification, synthesis, and testing

Proceedings of the 22nd Conference on Formal Methods in Computer-Aided Design – FMCAD 2022

The Conference on Formal Methods in Computer-Aided Design (FMCAD) is an annual conference on the theory and applications of formal methods in hardware and system verification. FMCAD provides a leading forum to researchers in academia and industry for presenting and discussing groundbreaking methods, technologies, theoretical results, and tools for reasoning formally about computing systems. FMCAD covers formal aspects of computer-aided system design including verification, specification, synthesis, and testing

Sécurité étendue de la cryptographie fondée sur les réseaux euclidiens

Lattice-based cryptography is considered as a quantum-safe alternative for the replacement of currently deployed schemes based on RSA and discrete logarithm on prime fields or elliptic curves. It offers strong theoretical security guarantees, a large array of achievable primitives, and a competitive level of efficiency. Nowadays, in the context of the NIST post-quantum standardization process, future standards may ultimately be chosen and several new lattice-based schemes are high-profile candidates. The cryptographic research has been encouraged to analyze lattice-based cryptosystems, with a particular focus on practical aspects. This thesis is rooted in this effort.In addition to black-box cryptanalysis with classical computing resources, we investigate the extended security of these new lattice-based cryptosystems, employing a broad spectrum of attack models, e.g. quantum, misuse, timing or physical attacks. Accounting that these models have already been applied to a large variety of pre-quantum asymmetric and symmetric schemes before, we concentrate our efforts on leveraging and addressing the new features introduced by lattice structures. Our contribution is twofold: defensive, i.e. countermeasures for implementations of lattice-based schemes and offensive, i.e. cryptanalysis.On the defensive side, in view of the numerous recent timing and physical attacks, we wear our designer’s hat and investigate algorithmic protections. We introduce some new algorithmic and mathematical tools to construct provable algorithmic countermeasures in order to systematically prevent all timing and physical attacks. We thus participate in the actual provable protection of the GLP, BLISS, qTesla and Falcon lattice-based signatures schemes.On the offensive side, we estimate the applicability and complexity of novel attacks leveraging the lack of perfect correctness introduced in certain lattice-based encryption schemes to improve their performance. We show that such a compromise may enable decryption failures attacks in a misuse or quantum model. We finally introduce an algorithmic cryptanalysis tool that assesses the security of the mathematical problem underlying lattice-based schemes when partial knowledge of the secret is available. The usefulness of this new framework is demonstrated with the improvement and automation of several known classical, decryption-failure, and side-channel attacks.La cryptographie fondée sur les réseaux euclidiens représente une alternative prometteuse à la cryptographie asymétrique utilisée actuellement, en raison de sa résistance présumée à un ordinateur quantique universel. Cette nouvelle famille de schémas asymétriques dispose de plusieurs atouts parmi lesquels de fortes garanties théoriques de sécurité, un large choix de primitives et, pour certains de ses représentants, des performances comparables aux standards actuels. Une campagne de standardisation post-quantique organisée par le NIST est en cours et plusieurs schémas utilisant des réseaux euclidiens font partie des favoris. La communauté scientifique a été encouragée à les analyser car ils pourraient à l’avenir être implantés dans tous nos systèmes. L’objectif de cette thèse est de contribuer à cet effort.Nous étudions la sécurité de ces nouveaux cryptosystèmes non seulement au sens de leur résistance à la cryptanalyse en “boîte noire” à l’aide de moyens de calcul classiques, mais aussi selon un spectre plus large de modèles de sécurité, comme les attaques quantiques, les attaques supposant des failles d’utilisation, ou encore les attaques par canaux auxiliaires. Ces différents types d’attaques ont déjà été largement formalisés et étudiés par le passé pour des schémas asymétriques et symétriques pré-quantiques. Dans ce mémoire, nous analysons leur application aux nouvelles structures induites par les réseaux euclidiens. Notre travail est divisé en deux parties complémentaires : les contremesures et les attaques.La première partie regroupe nos contributions à l’effort actuel de conception de nouvelles protections algorithmiques afin de répondre aux nombreuses publications récentes d’attaques par canaux auxiliaires. Les travaux réalisés en équipe auxquels nous avons pris part on abouti à l’introduction de nouveaux outils mathématiques pour construire des contre-mesures algorithmiques, appuyées sur des preuves formelles, qui permettent de prévenir systématiquement les attaques physiques et par analyse de temps d’exécution. Nous avons ainsi participé à la protection de plusieurs schémas de signature fondés sur les réseaux euclidiens comme GLP, BLISS, qTesla ou encore Falcon.Dans une seconde partie consacrée à la cryptanalyse, nous étudions dans un premier temps de nouvelles attaques qui tirent parti du fait que certains schémas de chiffrement à clé publique ou d’établissement de clé peuvent échouer avec une faible probabilité. Ces échecs sont effectivement faiblement corrélés au secret. Notre travail a permis d’exhiber des attaques dites « par échec de déchiffrement » dans des modèles de failles d’utilisation ou des modèles quantiques. Nous avons d’autre part introduit un outil algorithmique de cryptanalyse permettant d’estimer la sécurité du problème mathématique sous-jacent lorsqu’une information partielle sur le secret est donnée. Cet outil s’est avéré utile pour automatiser et améliorer plusieurs attaques connues comme des attaques par échec de déchiffrement, des attaques classiques ou encore des attaques par canaux auxiliaires