17 research outputs found

    Security proofs in symmetric cryptography using the coupling technique (Preuves de sécurité en cryptographie symétrique à l'aide de la technique du coupling)

    In this thesis, we study blockciphers, meaning that the encryption (and decryption) sends a block of $n$ bits to a block of $n$ bits. There are essentially two main structures used for a blockcipher: the Feistel structure (used for DES) and the SPN structure (used for AES). The study of the security of these structures and schemes has led to many practical and theoretical advances. We present in this thesis proofs of security for the iterated Even-Mansour scheme, the tweakable blockcipher CLRW and the key-alternating Feistel cipher. These proofs use a probabilistic technique, called coupling, introduced in cryptography in 2002 by Mironov. We present this technique in the context of probabilities, then we present how to use the coupling to prove the security of the schemes mentioned above. We also present an analysis of the security of the Even-Mansour cipher with two rounds under some restrictions (same round keys or same internal permutations, for example) and, finally, we compare the different techniques for proving indistinguishability.

    Composition Theorems for CCA Cryptographic Security

    We present two new theorems to analyze the indistinguishability of the composition of cryptographic permutations and the indistinguishability of the XOR of cryptographic functions. Using the H-coefficients technique of Patarin (2001), for any two families of permutations $F$ and $G$ with CCA distinguishability advantage $\leq \alpha_F$ and $\leq \alpha_G$, we prove that the set of permutations $f \circ g$, $f \in F$, $g \in G$ has CCA distinguishability advantage $\leq \alpha_F \times \alpha_G$. This simple composition result gives a geometric gain in CCA indistinguishability when composing blockciphers (unlike previously known classical composition theorems). As an example, we apply this new theorem to analyze $4r$-round and $6r$-round Feistel schemes with $r \geq 1$, and we improve the previous best known bounds for a certain range of queries. Similarly, for any two families of functions $F$ and $G$ with distinguishability advantage $\leq \alpha_F$ and $\leq \alpha_G$, we prove that the set of functions $f \oplus g$, $f \in F$, $g \in G$ has distinguishability advantage $\leq \alpha_F \times \alpha_G$. As an example, we apply this new theorem to analyze the XOR of $2r$ permutations, and we improve the previous best known bounds for a certain range of queries.

    Tweaking Even-Mansour Ciphers

    We study how to construct efficient tweakable block ciphers in the Random Permutation model, where all parties have access to public random permutation oracles. We propose a construction that combines, more efficiently than by mere black-box composition, the CLRW construction (which turns a traditional block cipher into a tweakable block cipher) of Landecker et al. (CRYPTO 2012) and the iterated Even-Mansour construction (which turns a tuple of public permutations into a traditional block cipher) that has received considerable attention since the work of Bogdanov et al. (EUROCRYPT 2012). More concretely, we introduce the (one-round) tweakable Even-Mansour (TEM) cipher, constructed from a single $n$-bit permutation $P$ and a uniform and almost XOR-universal family of hash functions $(H_k)$ from some tweak space to $\{0,1\}^n$, and defined as $(k,t,x) \mapsto H_k(t) \oplus P(H_k(t) \oplus x)$, where $k$ is the key, $t$ is the tweak, and $x$ is the $n$-bit message, as well as its generalization obtained by cascading $r$ independently keyed rounds of this construction. Our main result is a security bound up to approximately $2^{2n/3}$ adversarial queries against adaptive chosen-plaintext and chosen-ciphertext distinguishers for the two-round TEM construction, using Patarin's H-coefficients technique. We also provide an analysis based on the coupling technique showing that asymptotically, as the number of rounds $r$ grows, the security provided by the $r$-round TEM construction approaches the information-theoretic bound of $2^n$ adversarial queries.

    Heterogeneity in outcomes of treated HIV-positive patients in Europe and North America: relation with patient and cohort characteristics

    Background: HIV cohort collaborations, which pool data from diverse patient cohorts, have provided key insights into outcomes of antiretroviral therapy (ART). However, the extent of, and reasons for, between-cohort heterogeneity in rates of AIDS and mortality are unclear. Methods: We obtained data on adult HIV-positive patients who started ART from 1998 without a previous AIDS diagnosis from 17 cohorts in North America and Europe. Patients were followed up from 1 month to 2 years after starting ART. We examined between-cohort heterogeneity in crude and adjusted (age, sex, HIV transmission risk, year, CD4 count and HIV-1 RNA at start of ART) rates of AIDS and mortality using random-effects meta-analysis and meta-regression. Results: During 61 520 person-years, 754/38 706 (1.9%) patients died and 1890 (4.9%) progressed to AIDS. Between-cohort variance in mortality rates was reduced from 0.84 to 0.24 (0.73 to 0.28 for AIDS rates) after adjustment for patient characteristics. Adjusted mortality rates were inversely associated with cohorts' estimated completeness of death ascertainment [excellent: 96-100%, good: 90-95%, average: 75-89%; mortality rate ratio 0.66 (95% confidence interval 0.46-0.94) per category]. Mortality rate ratios comparing Europe with North America were 0.42 (0.31-0.57) before and 0.47 (0.30-0.73) after adjusting for completeness of ascertainment. Conclusions: Heterogeneity between settings in outcomes of HIV treatment has implications for collaborative analyses, policy and clinical care. Estimated mortality rates may require adjustment for completeness of ascertainment. The higher mortality rate in North American, compared with European, cohorts was not fully explained by completeness of ascertainment and may be due to the inclusion of more socially marginalized patients with higher mortality risk.

    Long-term Mortality in HIV-Positive Individuals Virally Suppressed for >3 Years With Incomplete CD4 Recovery

    Virally suppressed HIV-positive individuals on combination antiretroviral therapy who do not achieve a CD4 count >200 cells/µL have substantially increased long-term mortality. The increased mortality was seen across different patient groups and for all causes of death.

    Tweakable Blockciphers with Asymptotically Optimal Security

    We consider tweakable blockciphers with beyond-the-birthday-bound security. Landecker, Shrimpton, and Terashima (CRYPTO 2012) gave the first construction with security up to $O(2^{2n/3})$ adversarial queries ($n$ denotes the block size in bits of the underlying blockcipher), and for which changing the tweak does not require changing the keys for blockcipher calls. In this paper, we extend this construction, which consists of two rounds of a previous proposal by Liskov, Rivest, and Wagner (CRYPTO 2002), by considering larger numbers of rounds $r > 2$. We show that asymptotically, as $r$ increases, the resulting tweakable blockcipher approaches security up to the information bound, namely $O(2^n)$ queries. Our analysis makes use of a coupling argument, and carries some similarities with the analysis of the iterated Even-Mansour cipher by Lampe, Patarin, and Seurin (ASIACRYPT 2012).

    Analysis of some natural variants of the PKP Algorithm

    In 1989, Adi Shamir [15] proposed a new zero-knowledge identification scheme based on an NP-complete problem called PKP, for Permuted Kernel Problem. For a given prime $p$, a given matrix $A$ and a given vector $V$, the problem is to find a permutation $\pi$ such that the permuted vector $V_\pi$ satisfies $A \cdot V_\pi = 0 \bmod p$. In 2011 this scheme is still known as one of the most efficient identification schemes based on a combinatorial problem. However, we will see in this paper that it is possible to improve this scheme significantly by combining new ideas in order to reduce the total number of computations to be performed and to improve, very efficiently, the security against side-channel attacks using precomputations. In this way we obtain a new scheme that we call SPKP. Moreover, if precomputed values are used in the scheme SPKP, then the prover needs to perform no computations at all (i.e. only selection and transmission of precomputed values). This is very interesting for security against side-channel attacks: because our scheme is zero-knowledge and no computation involving the key is performed during the identification, we prove that any attacker (even one using side-channel attacks) who is successfully identified must hold a solution to the NP-complete problem PKP.

    The Indistinguishability of the XOR of k Permutations

    Given $k$ independent pseudorandom permutations $f_1, \dots, f_k$ over $\{0,1\}^n$, it is natural to define a pseudorandom function by XORing the permutations: $f_1 \oplus \dots \oplus f_k$. In [9] Stefan Lucks studied the security of this PRF. In this paper we improve the security bounds of [9] by using different proof techniques.