The Structure of Differential Invariants and Differential Cut Elimination
The biggest challenge in hybrid systems verification is the handling of differential equations. Because computable closed-form solutions only exist for very simple differential equations, proof certificates have been proposed for more scalable verification. Search procedures for these proof certificates are still rather ad-hoc, though, because the problem structure is only understood poorly. We investigate differential invariants, which define an induction principle for differential equations and which can be checked for invariance along a differential equation just by using their differential structure, without having to solve them. We study the structural properties of differential invariants. To analyze trade-offs for proof search complexity, we identify more than a dozen relations between several classes of differential invariants and compare their deductive power. As our main results, we analyze the deductive power of differential cuts and the deductive power of differential invariants with auxiliary differential variables. We refute the differential cut elimination hypothesis and show that, unlike standard cuts, differential cuts are fundamental proof principles that strictly increase the deductive power. We also prove that the deductive power increases further when adding auxiliary differential variables to the dynamics.
On the freezing of variables in random constraint satisfaction problems
The set of solutions of random constraint satisfaction problems (zero energy groundstates of mean-field diluted spin glasses) undergoes several structural phase transitions as the amount of constraints is increased. This set first breaks down into a large number of well separated clusters. At the freezing transition, which is in general distinct from the clustering one, some variables (spins) take the same value in all solutions of a given cluster. In this paper we study the critical behavior around the freezing transition, which appears in the unfrozen phase as the divergence of the sizes of the rearrangements induced in response to the modification of a variable. The formalism is developed on generic constraint satisfaction problems and applied in particular to the random satisfiability of boolean formulas and to the coloring of random graphs. The computation is first performed in random tree ensembles, for which we underline a connection with percolation models and with the reconstruction problem of information theory. The validity of these results for the original random ensembles is then discussed in the framework of the cavity method.
Comment: 32 pages, 7 figures.
Towards a deeper understanding of APN functions and related longstanding problems
This dissertation is dedicated to the properties, construction and analysis of APN and AB functions. Being cryptographically optimal, these functions lack any general structure or patterns, which makes their study very challenging. Despite intense work since at least the early 90's, many important questions and conjectures in the area remain open. We present several new results, many of which are directly related to important longstanding open problems; we resolve some of these problems, and make significant progress towards the resolution of others.
More concretely, our research concerns the following open problems: i) the maximum algebraic degree of an APN function, and the Hamming distance between APN functions (open since 1998); ii) the classification of APN and AB functions up to CCZ-equivalence (an ongoing problem since the introduction of APN functions, and one of the main directions of research in the area); iii) the extension of the APN binomial over into an infinite family (open since 2006); iv) the Walsh spectrum of the Dobbertin function (open since 2001); v) the existence of monomial APN functions CCZ-inequivalent to ones from the known families (open since 2001); vi) the problem of efficiently and reliably testing EA- and CCZ-equivalence (ongoing, and open since the introduction of APN functions).
In the course of investigating these problems, we obtain, among others, the following results: 1) a new infinite family of APN quadrinomials (which includes the binomial over ); 2) two new invariants, one under EA-equivalence, and one under CCZ-equivalence; 3) an efficient and easily parallelizable algorithm for computationally testing EA-equivalence; 4) an efficiently computable lower bound on the Hamming distance between a given APN function and any other APN function; 5) a classification of all quadratic APN polynomials with binary coefficients over for ; 6) a construction allowing the CCZ-equivalence class of one monomial APN function to be obtained from that of another; 7) a conjecture giving the exact form of the Walsh spectrum of the Dobbertin power functions; 8) a generalization of an infinite family of APN functions to a family of functions with a two-valued differential spectrum, and an example showing that this Gold-like behavior does not occur for infinite families of quadratic APN functions in general; 9) a new class of functions (the so-called partially APN functions) defined by relaxing the definition of the APN property, and several constructions and non-existence results related to them.
Doctoral thesis.
Mathematical aspects of the design and security of block ciphers
Block ciphers constitute a major part of modern symmetric cryptography. A mathematical analysis is necessary to ensure the security of the cipher. In this thesis, I develop several new contributions for the analysis of block ciphers. I determine cryptographic properties of several special cryptographically interesting mappings like almost perfect nonlinear functions. I also give some new results both on the resistance of functions against differential-linear attacks as well as on the efficiency of implementation of certain block ciphers.
On the Design and Analysis of Stream Ciphers
This thesis presents new cryptanalysis results for several different stream cipher constructions. In addition, it also presents two new stream ciphers, both based on the same design principle. The first attack is a general attack targeting a nonlinear combiner. A new class of weak feedback polynomials for linear feedback shift registers is identified. By taking samples corresponding to the linear recurrence relation, it is shown that if the feedback polynomial has taps close together, an adversary can take advantage of this by considering the samples in a vector form. Next, the self-shrinking generator and the bit-search generator are analyzed. Both designs are based on irregular decimation. For the self-shrinking generator, it is shown how to recover the internal state knowing only a few keystream bits. The complexity of the attack is similar to the previously best known but uses a negligible amount of memory. An attack requiring a large keystream segment is also presented. It is shown to be asymptotically better than all previously known attacks. For the bit-search generator, an algorithm that recovers the internal state is given as well as a distinguishing attack that can be very efficient if the feedback polynomial is not carefully chosen. Following this, two recently proposed stream cipher designs, Pomaranch and Achterbahn, are analyzed. Both stream ciphers are designed with small hardware complexity in mind. For Pomaranch Version 2, based on an improvement of previous analysis of the design idea, a key recovery attack is given. Also, for all three versions of Pomaranch, a distinguishing attack is given. For Achterbahn, it is shown how to recover the key of the latest version, known as Achterbahn-128/80. The last part of the thesis introduces two new stream cipher designs, namely Grain and Grain-128. The ciphers are designed to be very small in hardware. They also have the distinguishing feature of allowing users to increase the speed of the ciphers by adding extra hardware.
New cryptanalysis of LFSR-based stream ciphers and decoders for p-ary QC-MDPC codes
The security of modern cryptography is based on the hardness of solving certain problems. In this context, a problem is considered hard if there is no known polynomial time algorithm to solve it. Initially, the security assessment of cryptographic systems only considered adversaries with classical computational resources, i.e., digital computers. It is now known that there exist polynomial-time quantum algorithms that would render certain cryptosystems insecure if large-scale quantum computers were available. Thus, adversaries with access to such computers should also be considered. In particular, cryptosystems based on the hardness of integer factorisation or the discrete logarithm problem would be broken. For some others such as symmetric-key cryptosystems, the impact seems not to be as serious; it is recommended to at least double the key size of currently used systems to preserve their security level. The potential threat posed by sufficiently powerful quantum computers motivates the continued study and development of post-quantum cryptography, that is, cryptographic systems that are secure against adversaries with access to quantum computations.
It is believed that symmetric-key cryptosystems should be secure from quantum attacks. In this manuscript, we study the security of one such family of systems; namely, stream ciphers. They are mainly used in applications where high throughput is required in software or low resource usage is required in hardware. Our focus is on the cryptanalysis of stream ciphers employing linear feedback shift registers (LFSRs). This is modelled as the problem of finding solutions to systems of linear equations with associated probability distributions on the set of right hand sides. To solve this problem, we first present a multivariate version of the correlation attack introduced by Siegenthaler. Building on the ideas of the multivariate attack, we propose a new cryptanalytic method with lower time complexity. Alongside this, we introduce the notion of relations modulo a matrix B, which may be seen as a generalisation of parity-checks used in fast correlation attacks. The latter are among the most important class of attacks against LFSR-based stream ciphers. Our new method is successfully applied to hard instances of the filter generator and requires a lower amount of keystream compared to other attacks in the literature. We also perform a theoretical attack against the Grain-v1 cipher and an experimental attack against a toy Grain-like cipher. Compared to the best previous attack, our technique requires less keystream bits but also has a higher time complexity. This is the result of joint work with Semaev.
Public-key cryptosystems based on error-correcting codes are also believed to be secure against quantum attacks. To this end, we develop a new technique in code-based cryptography. Specifically, we propose new decoders for quasi-cyclic moderate density parity-check (QC-MDPC) codes. These codes were proposed by Misoczki et al. for use in the McEliece scheme. The use of QC-MDPC codes avoids attacks applicable when using low-density parity-check (LDPC) codes and also allows for keys with short size. Although we focus on decoding for a particular instance of the p-ary QC-MDPC scheme, our new decoding algorithm is also a general decoding method for p-ary MDPC-like schemes. This algorithm is a bit-flipping decoder, and its performance is improved by varying thresholds for the different iterations. Experimental results demonstrate that our decoders enjoy a very low decoding failure rate for the chosen p-ary QC-MDPC instance. This is the result of joint work with Guo and Johansson.
Doctoral thesis.
c-differential uniformity, (almost) perfect c-nonlinearity, and equivalences
In this article, we introduce the new notions of c-differential uniformity, c-differential spectrum, PcN functions and APcN functions, and investigate their properties. We also introduce c-CCZ equivalence, c-EA equivalence, and c-equivalence. We show that c-differential uniformity is invariant under c-equivalence, and that c-differential uniformity and the c-differential spectrum are preserved under c-CCZ equivalence. We characterize the c-differential uniformity of vectorial Boolean functions in terms of the Walsh transformation. We investigate the c-differential uniformity of power functions. We also give examples to prove that c-CCZ equivalence is strictly more general than c-EA equivalence.
Comment: 18 pages. Comments welcome.
Simple vs. Vectorial: Exploiting Structural Symmetry to Beat the ZeroSum Distinguisher. Applications to SHA-3, Xoodyak and Bash
Higher order differential properties constitute a very insightful tool in the hands of a cryptanalyst, allowing a cryptographic primitive to be probed from an algebraic perspective. In FSE 2017, Saha et al. reported SymSum (referred to as SymSum_Vec in this paper), a new distinguisher based on higher order vectorial Boolean derivatives of SHA-3, constituting one of the best distinguishers on the latest cryptographic hash standard. SymSum_Vec exploits the difference in the algebraic degree of the highest degree monomials in the algebraic normal form of SHA-3 with regard to their dependence on round constants. Later, in Africacrypt 2020, Suryawanshi et al. extended SymSum_Vec using linearization techniques and in SSS 2023 also applied it to the NIST-LWC finalist Xoodyak. However, a major limitation of SymSum_Vec is the maximum attainable derivative (MAD), which is less than half of that of the widely studied ZeroSum distinguisher. This is attributed to SymSum_Vec depending on m-fold vectorial derivatives while ZeroSum relies on m-fold simple derivatives. In this work we overcome this limitation of SymSum_Vec by developing and validating the theory of computing SymSum_Vec with simple derivatives. This gives us a close to 100% improvement in the MAD that can be computed. The new distinguisher reported in this work can also be combined with one/two-round linearization to penetrate more rounds. Moreover, we identify an issue with the two-round linearization claim made by Suryawanshi et al. which renders it invalid, and we also furnish an algebraic fix at the cost of some additional constraints.
Combining all results, we report SymSum_Sim, a new variant of the SymSum_Vec distinguisher based on m-fold simple derivatives that outperforms ZeroSum by a factor of , for 10-round SHA-3-384 and 9-round SHA-3-512 respectively, while enjoying the same MAD as ZeroSum. For every other SHA-3 variant, SymSum_Sim maintains an advantage of a factor of 2. Combined with one/two-round linearization, SymSum_Sim improves upon all existing ZeroSum and SymSum_Vec distinguishers on both SHA-3 and Xoodyak. As regards Keccak-p, the internal permutation of SHA-3, we report the best 15-round distinguisher, with a complexity of , and the first better-than-birthday-bound 16-round distinguisher, with a complexity of (improving upon the 15/16-round results by Guo et al. in Asiacrypt 2016). We also devise the best full-round distinguisher on the Xoodoo internal permutation of Xoodyak, with a practically verifiable complexity of , and furnish the first third-party distinguishers on the Belarusian hash function Bash. All distinguishers furnished in this work have been verified through implementations whenever practically viable. Overall, with the MAD barrier broken, SymSum_Sim emerges as a better distinguisher than ZeroSum on all fronts and adds to the state of the art of cryptanalytic tools investigating the non-randomness of cryptographic primitives.