21 research outputs found

    Efficient and Provable White-Box Primitives

    In recent years there have been several attempts to build white-box block ciphers whose implementations aim to be incompressible. This includes the weak white-box ASASA construction by Bouillaguet, Biryukov and Khovratovich from Asiacrypt 2014, and the recent space-hard construction by Bogdanov and Isobe from CCS 2015. In this article we propose the first constructions aiming at the same goal while offering provable security guarantees. Moreover we propose concrete instantiations of our constructions, which prove to be quite efficient and competitive with prior work. Thus provable security comes with a surprisingly low overhead.

    Cryptanalysis of MORUS

    Advances in Cryptology - ASIACRYPT 2018 - 24th International Conference on the Theory and Application of Cryptology and Information Security, Brisbane, QLD, Australia, December 2-

    Algebraic Insights into the Secret Feistel Network

    We introduce the high-degree indicator matrix (HDIM), an object closely related to both the linear approximation table and the algebraic normal form (ANF) of a permutation. We show that the HDIM of a Feistel Network contains very specific patterns depending on the degree of the Feistel functions, the number of rounds and whether the Feistel functions are 1-to-1 or not. We exploit these patterns to distinguish Feistel Networks, even if the Feistel Network is whitened using unknown affine layers. We also present a new type of structural attack exploiting monomials that cannot be present at round r-1 to recover the ANF of the last Feistel function of an r-round Feistel Network. Finally, we discuss the relations between our findings, integral attacks, cube attacks, Todo's division property and the congruence modulo 4 of the Linear Approximation Table.

    FPL: White-Box Secure Block Cipher Using Parallel Table Look-Ups

    In this work, we propose a new table-based block cipher structure, dubbed FPL, that can be used to build white-box secure block ciphers. Our construction is a balanced Feistel cipher, where the input to each round function determines multiple indices for the underlying table via a probe function, and the sum of the values from the table becomes the output of the round function. We identify the properties of the probe function that make the resulting block cipher white-box secure in terms of weak and strong space hardness against known-space and non-adaptive chosen-space attacks. Our construction, enjoying rigorous provable security without relying on any ideal primitive, provides flexibility to the block size and the table size, and permits parallel table look-ups. We also propose a concrete instantiation of FPL, dubbed FPL_AES, using (round-reduced) AES for the underlying table and probe functions. Our implementation shows that FPL_AES provides stronger security without significant loss of efficiency, compared to existing schemes including SPACE, WhiteBlock and WEM.

    Attacks and Countermeasures for White-box Designs

    In traditional symmetric cryptography, the adversary has access only to the inputs and outputs of a cryptographic primitive. In the white-box model the adversary is given full access to the implementation. He can use both static and dynamic analysis as well as fault analysis in order to break the cryptosystem, e.g. to extract the embedded secret key. Implementations secure in such a model have many applications in industry. However, creating such implementations turns out to be a very challenging if not an impossible task. Recently, Bos et al. proposed a generic attack on white-box primitives called differential computation analysis (DCA). This attack was applied to many white-box implementations both from academia and industry. The attack comes from the area of side-channel analysis, and the most common method of protecting against such attacks is masking, which in turn is a form of secret sharing. In this paper we present multiple generic attacks against masked white-box implementations. We use the term "masking" in a very broad sense. As a result, we deduce new constraints that any secure white-box implementation must satisfy. Based on the new constraints, we develop a general method for protecting white-box implementations. We split the protection into two independent components: value hiding and structure hiding. Value hiding must provide protection against passive DCA-style attacks that rely on analysis of computation traces. Structure hiding must provide protection against circuit analysis attacks. In this paper we focus on developing the value hiding component. It includes protection against the DCA attack by Bos et al. and protection against a new attack called the algebraic attack. We present a provably secure first-order protection against the new algebraic attack. The protection is based on small gadgets implementing secure masked XOR and AND operations. Furthermore, we give a proof of compositional security that allows secure gadgets to be freely combined. We derive concrete security bounds for circuits built using our construction.

    Anomalies and Vector Space Search: Tools for S-Box Analysis

    S-boxes are functions with an input so small that the simplest way to specify them is their lookup table (LUT). How can we quantify the distance between the behavior of a given S-box and that of an S-box picked uniformly at random? To answer this question, we introduce various "anomalies". These real numbers are such that a property with an anomaly equal to a should be found roughly once in a set of 2^a random S-boxes. First, we present statistical anomalies based on the distribution of the coefficients in the difference distribution table, linear approximation table, and for the first time, the boomerang connectivity table. We then count the number of S-boxes that have block-cipher-like structures to estimate the anomaly associated with those. In order to recover these structures, we show that the most general tool for decomposing S-boxes is an algorithm efficiently listing all the vector spaces of a given dimension contained in a given set, and we present such an algorithm. Combining these approaches, we conclude that all permutations that are actually picked uniformly at random always have essentially the same cryptographic properties and the same lack of structure.

    The visual and material dimensions of legitimacy: Accounting and the search for Socie-ties

    We are grateful to the Fondation Audencia for the financial support provided for our archival research. The aim of this article is to contribute to the literature on legitimacy by investigating its material and visual dimensions. By drawing on studies on rhetoric as a means of composing visions of social order and on an historical analysis of accounts in three paradigmatic eras (Roman times, Renaissance and Modernity), it shows how symmetry in accounts constituted an aesthetic code which tied members of a community together in 'socie-ties'. We investigate the rhetorical process of ratiocinatio and explore how the visual and material dimensions of accounts provided social actors with an opportunity to explore their positions and ties within a community. This process augmented social actors' understanding of their current relations by reducing them to a series of entries into an account, thus allowing them to reflect on what it meant to be a legitimate member of a society.

    Measurement of urinary uranium excretion by time-resolved laser spectrofluorimetry

    Rapid direct quantification of urinary uranium excretion is often disturbed by metabolic uncertainties and by analytical interferences. These phenomena lead to detection limits or uncertainties that are too high. The proposed technique combines rapid sample processing with an optimized measurement system. Combining a high-power solid-state laser used as the excitation source with a modified commercial fluorimeter makes it possible to meet the objectives of the study: fast response and ease of implementation, and precision and accuracy below 10 %. The analytical steps for two modes (direct measurement and measurement after mineralization of the sample) are described. Experimental results from 120 measurements are compared with results obtained by extraction chromatography. The advantages and drawbacks of the technique are discussed. Finally, the values of natural urinary uranium excretion in 80 non-exposed workers from the Marcoule region are presented according to the analytical technique chosen.