
    Systematic Construction of Nonlinear Product Attacks on Block Ciphers

    A major open problem in block cipher cryptanalysis is the discovery of new invariant properties of complex type. Recent papers show that this can be achieved for SCREAM, Midori64, MANTIS-4, T-310, or for DES with modified S-boxes. Until now such attacks have been hard to find and seem to happen by some sort of incredible coincidence. In this paper we abstract the attack from any particular block cipher. We study these attacks in terms of transformations on multivariate polynomials. We shall demonstrate how numerous variables, including key variables, may sometimes be eliminated and at the end two very complex Boolean polynomials will become equal. We present a general construction of an attack where we multiply all the polynomials lying on one or several cycles. Then, under suitable conditions, the non-linear functions involved will be eliminated totally. We obtain a periodic invariant property holding for any number of rounds. A major difficulty with invariant attacks is that they typically work only for some keys. In T-310 our attack works for any key and also in spite of the presence of round constants.
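    The cycle-based view in the abstract above can be made concrete on a toy permutation. The Python block below is an added example written for this page, not code from the paper or its authors: it enumerates every Boolean function g with g(S(x)) = g(x) ⊕ c directly from the cycle decomposition of a permutation S (for c = 0, g must be constant along each cycle; for c = 1, g must alternate along each cycle, which is only possible when every cycle has even length), verifies the resulting periodic property over several rounds, and computes the algebraic degree of each invariant so that the nonlinear ones can be told apart from linear and constant ones. The two 4-bit permutations TOY_SBOX and EVEN_PERM are constructed for this example and are not S-boxes of any cipher named in the abstract.

```python
from itertools import product

# Constructed toy 4-bit permutations (assumptions for this example; not real cipher S-boxes).
TOY_SBOX = [5, 9, 2, 0, 12, 3, 4, 1, 10, 14, 6, 13, 8, 11, 7, 15]     # cycle lengths 3, 4, 1, 5, 2, 1
EVEN_PERM = [1, 0, 3, 4, 5, 2, 7, 6, 9, 10, 11, 12, 13, 8, 15, 14]   # cycle lengths 2, 4, 2, 6, 2


def cycles(perm):
    """Cycle decomposition of a permutation given as a lookup table."""
    seen, out = set(), []
    for start in range(len(perm)):
        if start in seen:
            continue
        cyc, x = [], start
        while x not in seen:
            seen.add(x)
            cyc.append(x)
            x = perm[x]
        out.append(cyc)
    return out


def invariants(perm, const):
    """All Boolean functions g (as truth tables) with g(perm[x]) == g(x) ^ const for every x.

    const = 0: g is constant on every cycle, so there are exactly 2^(#cycles) of them.
    const = 1: g alternates along every cycle, which requires all cycle lengths to be even.
    """
    cycs = cycles(perm)
    if const == 1 and any(len(c) % 2 for c in cycs):
        return []
    result = []
    for bits in product((0, 1), repeat=len(cycs)):
        g = [0] * len(perm)
        for b, cyc in zip(bits, cycs):
            for pos, x in enumerate(cyc):
                g[x] = b ^ (const * (pos % 2))
        result.append(tuple(g))
    return result


def is_invariant(perm, g, const, rounds=1):
    """Periodic property: g(perm^rounds(x)) == g(x) ^ (rounds * const mod 2) for every x."""
    for x in range(len(perm)):
        y = x
        for _ in range(rounds):
            y = perm[y]
        if g[y] != g[x] ^ ((rounds * const) % 2):
            return False
    return True


def anf(tt):
    """Algebraic normal form via the Moebius transform: set of monomial bit-masks with coefficient 1."""
    n = len(tt).bit_length() - 1
    coeff = list(tt)
    for i in range(n):
        for m in range(len(tt)):
            if m & (1 << i):
                coeff[m] ^= coeff[m ^ (1 << i)]
    return {m for m in range(len(tt)) if coeff[m]}


def degree(tt):
    """Algebraic degree of a Boolean function given as a truth table (0 for constants)."""
    return max((bin(m).count("1") for m in anf(tt)), default=0)


def nonlinear_invariants(perm, const):
    """Invariants of algebraic degree at least 2, i.e. the 'complex' kind rather than linear ones."""
    return [g for g in invariants(perm, const) if degree(g) >= 2]


if __name__ == "__main__":
    for name, perm in (("TOY_SBOX", TOY_SBOX), ("EVEN_PERM", EVEN_PERM)):
        for c in (0, 1):
            inv = invariants(perm, c)
            assert all(is_invariant(perm, g, c, rounds=7) for g in inv)
            print(name, "const", c, ":", len(inv), "invariants,",
                  len(nonlinear_invariants(perm, c)), "of degree >= 2")
```

    Because g ∘ S = g ⊕ c implies g ∘ S^r = g ⊕ rc, every function found this way is an invariant of any number of rounds of S alone. For a real cipher the same check has to be run on the complete round function, key addition and round constants included, which is exactly where the abstract's claim that the T-310 attack works for every key and despite round constants becomes the hard part.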

    Constructing TI-Friendly Substitution Boxes Using Shift-Invariant Permutations

    The threat posed by side channels requires ciphers that can be efficiently protected in both software and hardware against such attacks. In this paper, we propose a novel Sbox construction based on iterations of shift-invariant quadratic permutations and linear diffusions. Owing to the selected quadratic permutations, all of our Sboxes enable uniform 3-share threshold implementations, which provide first-order SCA protection without any fresh randomness. More importantly, because of the shift-invariant property, there are ample implementation trade-offs available, in software as well as hardware. We provide implementation results (software and hardware) for a four-bit and an eight-bit Sbox, which confirm that our constructions are competitive and can be easily adapted to various platforms, as claimed. We have successfully verified their resistance to first-order attacks based on real acquisitions. Because there are very few studies focusing on software-based threshold implementations, our software implementations might be of independent interest in this regard.

    Shuffle and Mix: On the Diffusion of Randomness in Threshold Implementations of Keccak

    Threshold Implementations are well-known as a provably first-order secure Boolean masking scheme even in the presence of glitches. A precondition for their security proof is a uniform input distribution at each round function, which may require an injection of fresh randomness or an increase in the number of shares. However, it is unclear whether violating the uniformity assumption causes exploitable leakage in practice. Recently, Daemen undertook a theoretical study of lossy mappings to extend the understanding of uniformity violations. We complement his work by entropy simulations and practical measurements of Keccak's round function. Our findings shed light on the necessity of mixing operations in addition to bit-permutations in a cipher's linear layer to propagate randomness between S-boxes and prevent exploitable leakage. Finally, we argue that this result cannot be obtained by current simulation methods, further stressing the continued need for practical leakage measurements.

    Lightweight Authenticated Encryption Mode Suitable for Threshold Implementation

    This paper proposes tweakable block cipher (TBC) based modes $\mathsf{PFB\_Plus}$ and $\mathsf{PFB}\omega$ that are efficient in threshold implementations (TI). Let $t$ be the algebraic degree of a target function, e.g. $t=1$ (resp. $t>1$) for a linear (resp. non-linear) function. The $d$-th order TI encodes the internal state into $dt+1$ shares. Hence, the area size increases proportionally to the number of shares. This implies that TBC based modes can be smaller than block cipher (BC) based modes in TI, because a TBC requires an $s$-bit block to ensure $s$-bit security, e.g. $\mathsf{PFB}$ and $\mathsf{Romulus}$, while a BC requires a $2s$-bit block. However, even with those TBC based modes, the minimum we can reach is 3 shares of an $s$-bit state with $t=2$ and first-order TI ($d=1$). Our first design $\mathsf{PFB\_Plus}$ aims to break the barrier of the $3s$-bit state in TI. The block size of the underlying TBC is $s/2$ bits and the output of the TBC is linearly expanded to $s$ bits. This expanded state requires only 2 shares in first-order TI, which makes the total state size $2.5s$ bits. We also provide a rigorous security proof of $\mathsf{PFB\_Plus}$. Our second design $\mathsf{PFB}\omega$ further increases a parameter $\omega$: the ratio of the security level $s$ to the block size of the underlying TBC. We prove security of $\mathsf{PFB}\omega$ for any $\omega$ under some assumptions on the underlying TBC and on the parameters used to update the state. Next, we show a concrete instantiation of $\mathsf{PFB\_Plus}$ for 128-bit security. It requires a TBC with a 64-bit block, 128-bit key and 128-bit tweak, which no existing TBC supports. We design a new TBC by extending $\mathsf{SKINNY}$ and provide a basic security evaluation. Finally, we give hardware benchmarks of $\mathsf{PFB\_Plus}$ in first-order TI to show that the TI of $\mathsf{PFB\_Plus}$ is smaller than that of $\mathsf{PFB}$ by more than one thousand gates and is the smallest among the schemes having 128-bit security.
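    The three abstracts above on threshold implementations (uniform 3-share TIs of shift-invariant quadratic permutations, the uniformity precondition of the TI security proof, and the $dt+1$ share count) all rest on the same three properties: correctness, non-completeness and uniformity. The Python block below is an added example written for this page, not code from any of those papers. It checks all three properties exhaustively for two toy 3-bit quadratic permutations (degree $t=2$) under the standard direct 3-share sharing: q31, a single AND gate, and chi3, a Keccak-style shift-invariant chi on a 3-bit row. The function names and the direct-sharing formulas are assumptions made here. With three shares and $t=2$ the block confirms first-order non-completeness ($d=1$) and shows that second-order non-completeness ($d=2$, which by $dt+1$ would need five shares) fails, matching the share-count argument in the $\mathsf{PFB\_Plus}$ abstract; the uniformity verdict for chi3 is computed by the code rather than assumed.

```python
from itertools import combinations, product

NBITS, NSHARES = 3, 3   # 3-bit toy functions, 3 Boolean shares (first-order TI of a degree-2 map)


def bit(x, i):
    return (x >> (i % NBITS)) & 1


def unshare(shares):
    v = 0
    for s in shares:
        v ^= s
    return v


# Unshared 3-bit functions (toy instances chosen for this example, not any paper's S-boxes).
def q31(x):
    """(x0, x1, x2) -> (x0, x1, x2 ^ x0*x1): a single AND gate, algebraic degree t = 2."""
    return x ^ ((bit(x, 0) & bit(x, 1)) << 2)


def chi3(x):
    """Keccak-style chi on a 3-bit row: a_i = x_i ^ (~x_{i+1} & x_{i+2}); shift-invariant, degree 2."""
    out = 0
    for i in range(NBITS):
        out |= (bit(x, i) ^ ((bit(x, i + 1) ^ 1) & bit(x, i + 2))) << i
    return out


def shared_and(b, c, j):
    """Share j of the direct 3-share product of bits b = (b0,b1,b2) and c = (c0,c1,c2).

    Only share indices j+1 and j+2 appear, so output share j never sees input share j
    (non-completeness); XORing the three output shares gives (b0^b1^b2) * (c0^c1^c2).
    """
    a, d = (j + 1) % 3, (j + 2) % 3
    return (b[a] & c[a]) ^ (b[a] & c[d]) ^ (b[d] & c[a])


def q31_shared(shares, j):
    """Output share j of the direct sharing of q31; linear terms are taken from share j+1."""
    a = (j + 1) % 3
    x0 = [bit(s, 0) for s in shares]
    x1 = [bit(s, 1) for s in shares]
    z = bit(shares[a], 2) ^ shared_and(x0, x1, j)
    return x0[a] | (x1[a] << 1) | (z << 2)


def chi3_shared(shares, j):
    """Output share j of the direct sharing of chi3, using a_i = x_i ^ x_{i+2} ^ x_{i+1}*x_{i+2}."""
    a = (j + 1) % 3
    out = 0
    for i in range(NBITS):
        nxt = [bit(s, i + 1) for s in shares]
        nxt2 = [bit(s, i + 2) for s in shares]
        out |= (bit(shares[a], i) ^ nxt2[a] ^ shared_and(nxt, nxt2, j)) << i
    return out


def all_sharings():
    return product(range(1 << NBITS), repeat=NSHARES)


def is_correct(f, f_shared):
    """Correctness: the XOR of the output shares equals f applied to the XOR of the input shares."""
    return all(unshare([f_shared(s, j) for j in range(NSHARES)]) == f(unshare(s))
               for s in all_sharings())


def used_shares(f_shared, j):
    """Input share indices that output share j functionally depends on (found by flipping bits)."""
    used = set()
    for s in all_sharings():
        base = f_shared(s, j)
        for k in range(NSHARES):
            if k in used:
                continue
            for delta in range(1, 1 << NBITS):
                t = list(s)
                t[k] ^= delta
                if f_shared(tuple(t), j) != base:
                    used.add(k)
                    break
    return used


def is_non_complete(f_shared, order):
    """d-th order non-completeness: any d output shares together miss at least one input share."""
    deps = [used_shares(f_shared, j) for j in range(NSHARES)]
    return all(len(set().union(*[deps[j] for j in combo])) < NSHARES
               for combo in combinations(range(NSHARES), order))


def is_uniform(f_shared):
    """For a permutation, uniformity <=> the shared map is a bijection on the share space."""
    outs = {tuple(f_shared(s, j) for j in range(NSHARES)) for s in all_sharings()}
    return len(outs) == (1 << NBITS) ** NSHARES


def report(f, f_shared):
    return {"correct": is_correct(f, f_shared),
            "non_complete_1st": is_non_complete(f_shared, 1),
            "non_complete_2nd": is_non_complete(f_shared, 2),
            "uniform": is_uniform(f_shared)}


if __name__ == "__main__":
    for name, f, fs in (("q31", q31, q31_shared), ("chi3", chi3, chi3_shared)):
        print(name, report(f, fs))
```

    For q31 the sharing is uniform because, once the x0 and x1 shares are fixed, each z output share is just a translated copy of one z input share, so the 9-bit shared map is a bijection; whatever is_uniform reports for chi3 is the kind of fact the "Shuffle and Mix" abstract is concerned with, since a non-uniform round has to be repaired by fresh randomness, more shares or enough mixing in the linear layer. For non-bijective maps the count of input sharings per output sharing would have to be compared against $2^{(s-1)(n-m)}$ instead of testing bijectivity.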

    Amplification of a Zygosaccharomyces bailii DNA Segment in Wine Yeast Genomes by Extrachromosomal Circular DNA Formation

    We recently described the presence of large chromosomal segments resulting from independent horizontal gene transfer (HGT) events in the genome of Saccharomyces cerevisiae strains, mostly of wine origin. We report here evidence for the amplification of one of these segments, a 17 kb DNA segment from Zygosaccharomyces bailii, in the genome of S. cerevisiae strains. The copy number, organization and location of this region differ considerably between strains, indicating that the insertions are independent and that they are post-HGT events. We identified eight different forms in 28 S. cerevisiae strains, mostly of wine origin, with up to four different copies in a single strain. The organization of these forms and the identification of an autonomously replicating sequence functional in S. cerevisiae strongly suggest that an extrachromosomal circular DNA (eccDNA) molecule serves as an intermediate in the amplification of the Z. bailii region in yeast genomes. We found little or no sequence similarity at the breakpoint regions, suggesting that the insertions may be mediated by nonhomologous recombination. The diversity between these regions in S. cerevisiae represents roughly one third of the divergence among the genomes of wine strains, which confirms the recent origin of this event, posterior to the start of wine strain expansion. This is the first report of a circle-based mechanism for the expansion of a DNA segment, mediated by nonhomologous recombination, in natural yeast populations.

    Leukocyte Telomere Length in Major Depression: Correlations with Chronicity, Inflammation and Oxidative Stress - Preliminary Findings

    Depression is associated with an unusually high rate of aging-related illnesses and early mortality. One aspect of "accelerated aging" in depression may be shortened leukocyte telomeres. When telomeres critically shorten, as often occurs with repeated mitoses or in response to oxidation and inflammation, cells may die. Indeed, leukocyte telomere shortening predicts early mortality and medical illnesses in non-depressed populations. We sought to determine if leukocyte telomeres are shortened in Major Depressive Disorder (MDD), whether this is a function of lifetime depression exposure and whether this is related to putative mediators, oxidation and inflammation. Leukocyte telomere length was compared between 18 unmedicated MDD subjects and 17 controls and was correlated with lifetime depression chronicity and peripheral markers of oxidation (F2-isoprostane/Vitamin C ratio) and inflammation (IL-6). Analyses were controlled for age and sex. The depressed group, as a whole, did not differ from the controls in telomere length. However, telomere length was significantly inversely correlated with lifetime depression exposure, even after controlling for age (p<0.05). Average telomere length in the depressed subjects who were above the median of lifetime depression exposure (≥9.2 years' cumulative duration) was 281 base pairs shorter than that in controls (p<0.05), corresponding to approximately seven years of "accelerated cell aging." Telomere length was inversely correlated with oxidative stress in the depressed subjects (p<0.01) and in the controls (p<0.05) and with inflammation in the depressed subjects (p<0.05). These preliminary data indicate that accelerated aging at the level of leukocyte telomeres is proportional to lifetime exposure to MDD. This might be related to cumulative exposure to oxidative stress and inflammation in MDD. This suggests that telomere shortening does not antedate depression and is not an intrinsic feature. Rather, telomere shortening may progress in proportion to lifetime depression exposure.

    The First Thorough Side-Channel Hardware Trojan

    Hardware Trojans have gained high attention in academia, industry and government agencies. Effective detection mechanisms and countermeasures against such malicious designs are only possible when there is a deep understanding of how hardware Trojans can be built in practice. In this work, we present a mechanism which shows how easily a stealthy hardware Trojan can be inserted into a provably-secure side-channel analysis protected implementation. Once the Trojan is triggered, the malicious design exhibits exploitable side-channel leakage leading to successful key recovery attacks. Such a Trojan does not add or remove any logic (not even a single gate) in the design, which makes it very hard to detect. In ASIC platforms, it is inserted by subtle manipulations at the sub-transistor level to modify the parameters of a few transistors. The same is applicable to FPGA applications by changing the routing of particular signals, leading to no resource utilization overhead. The underlying concept is based on a secure masked hardware implementation which does not exhibit any detectable leakage. However, by running the device at a particular clock frequency one of the requirements of the underlying masking scheme is not fulfilled anymore, i.e., the Trojan is triggered, and the device's side-channel leakage can be exploited. Although as a case study we show an application of our designed Trojan on an FPGA-based threshold implementation of the PRESENT cipher, our methodology is a general approach and can be applied to any similar circuit.

    Cryptanalysis of Masked Ciphers: A not so Random Idea

    A new approach to the security analysis of hardware-oriented masked ciphers against second-order side-channel attacks is developed. By relying on techniques from symmetric-key cryptanalysis, concrete security bounds are obtained in a variant of the probing model that allows the adversary to make only a bounded, but possibly very large, number of measurements. Specifically, it is formally shown how a bounded-query variant of robust probing security can be reduced to the linear cryptanalysis of masked ciphers. As a result, the compositional issues of higher-order threshold implementations can be overcome without relying on fresh randomness. From a practical point of view, the aforementioned approach makes it possible to transfer many of the desirable properties of first-order threshold implementations, such as their low randomness usage, to the second-order setting. For example, a straightforward application to the block cipher LED results in a masking using less than 700 random bits including the initial sharing. In addition, the cryptanalytic approach introduced in this paper provides additional insight into the design of masked ciphers and allows for a quantifiable trade-off between security and performance.

    Toxic iron species in lower-risk myelodysplastic syndrome patients:course of disease and effects on outcome
