11 research outputs found

    On the Hardness of the Mersenne Low Hamming Ratio Assumption

In a recent paper, Aggarwal, Joux, Prakash, and Santha (AJPS) describe an ingenious public-key cryptosystem mimicking NTRU over the integers. This algorithm relies on the properties of Mersenne primes instead of polynomial rings. The security of the AJPS cryptosystem relies on the conjectured hardness of the Mersenne Low Hamming Ratio Assumption, defined in [AJPS]. This work shows that AJPS' security estimates are too optimistic and describes an algorithm that recovers the secret key from the public key much faster than foreseen in [AJPS]. In particular, our algorithm is experimentally practical (within the reach of the computational capabilities of a large organization), at least for the parameter choice {n=1279, h=17} conjectured in [AJPS] to correspond to a 2^{120} security level. The algorithm is fully parallelizable.
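To make the "low Hamming ratio" structure concrete, the following added example (not code from [AJPS] or from the paper above) builds one problem instance with the parameters quoted in the abstract: two secret n-bit integers F and G of Hamming weight h, and the public value H = F · G^{-1} mod p with p = 2^n − 1. The function names and the use of Python's built-in modular inverse are this example's own choices; recovering (F, G) from H is the hard problem the assumption refers to, and the attack itself is not implemented here.

```python
"""Instance generator for the Mersenne Low Hamming Ratio problem.

Added example for illustration; it is not the AJPS reference code and does
not implement the key-recovery attack described in the abstract.
"""
import random


def mersenne_prime(n):
    """p = 2^n - 1; prime for n = 1279 (and the other Mersenne exponents)."""
    return (1 << n) - 1


def hamming_weight(x):
    return bin(x).count("1")


def random_low_weight(n, h, rng):
    """Uniform n-bit integer with exactly h bits set."""
    return sum(1 << i for i in rng.sample(range(n), h))


def keygen(n=1279, h=17, rng=None):
    """Secrets F, G of weight h and public H = F * G^-1 mod p.

    With h < n both secrets are below p, and G != 0 since h >= 1, so the
    inverse exists because p is prime. pow(g, -1, p) needs Python 3.8+.
    """
    rng = rng if rng is not None else random.SystemRandom()
    p = mersenne_prime(n)
    f = random_low_weight(n, h, rng)
    g = random_low_weight(n, h, rng)
    h_pub = f * pow(g, -1, p) % p
    return h_pub, (f, g)


def is_valid_secret(h_pub, f, g, n=1279, h=17):
    """Check a candidate (F, G): right weights and H * G == F (mod p).

    This is exactly the test an attacker applies to each candidate pair,
    which is why the search space of weight-h pairs sets the security level.
    """
    p = mersenne_prime(n)
    return (hamming_weight(f) == h and hamming_weight(g) == h
            and h_pub * g % p == f)


if __name__ == "__main__":
    H, (F, G) = keygen()
    print("weight(F) =", hamming_weight(F), "weight(G) =", hamming_weight(G))
    print("weight(H) =", hamming_weight(H), "(looks like a random residue)")
    print("secret verifies:", is_valid_secret(H, F, G))
```

The public value H has roughly n/2 bits set, so the low weight of F and G is not visible in H directly; the point of the paper is that the search over weight-h pairs can nevertheless be organized far more efficiently than the naive count suggests.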

    A First DFA on PRIDE: from Theory to Practice (extended version)

PRIDE is one of the most efficient lightweight block ciphers proposed so far for connected objects with high performance and low resource constraints. In this paper we describe the first ever complete Differential Fault Analysis against PRIDE. We describe how fault attacks can be used against implementations of PRIDE to recover the entire encryption key. Our attack has been validated first through simulations, and then in practice on a software implementation of PRIDE running on a device of the kind typically used in IoT products. Faults have been injected using electromagnetic pulses during the PRIDE execution and the faulty ciphertexts have been used to recover the key bits. We also discuss some countermeasures that could be used to thwart such attacks.

    aPlonK : Aggregated PlonK from Multi-Polynomial Commitment Schemes

PlonK is a prominent universal and updatable zk-SNARK for general circuit satisfiability. We present aPlonK, a variant of PlonK that reduces the proof size and verification time when multiple statements are proven in a batch. Both the aggregated proof size and the verification complexity of aPlonK are logarithmic in the number of aggregated statements. Our main building block, inspired by the techniques developed in SnarkPack (Gailly, Maller, Nitulescu, FC 2022), is a multi-polynomial commitment scheme, a new primitive that generalizes polynomial commitment schemes. Our techniques also include a mechanism for involving committed data in PlonK statements very efficiently, which can be of independent interest. We also implement an open-source industrial-grade library for zero-knowledge PlonK proofs with support for aPlonK. Our experimental results show that our techniques are suitable for real-world applications (such as blockchain rollups), achieving significant performance improvements in proof size and verification time.

    From Clustering Supersequences to Entropy Minimizing Subsequences for Single and Double Deletions

A binary string transmitted via a memoryless i.i.d. deletion channel is received as a subsequence of the original input. From this, one obtains a posterior distribution on the channel input, corresponding to a set of candidate supersequences weighted by the number of times the received subsequence can be embedded in them. In a previous work it is conjectured on the basis of experimental data that the entropy of the posterior is minimized and maximized by the constant and the alternating strings, respectively. In this work, in addition to revisiting the entropy minimization conjecture, we also address several related combinatorial problems. We present an algorithm for counting the number of subsequence embeddings using a run-length encoding of strings. We then describe methods for clustering the space of supersequences such that the cardinality of the resulting sets depends only on the length of the received subsequence and its Hamming weight, but not its exact form. Then, we consider supersequences that contain a single embedding of a fixed subsequence, referred to as singletons, and provide a closed-form expression for enumerating them using the same run-length encoding. We prove an analogous result for the minimization and maximization of the number of singletons, by the alternating and the uniform strings, respectively. Next, we prove the original minimal entropy conjecture for the special cases of single and double deletions using similar clustering techniques and the same run-length encoding, which allow us to characterize the distribution of the number of subsequence embeddings in the space of compatible supersequences to demonstrate the effect of an entropy decreasing operation.

    Exploiting Decryption Failures in Mersenne Number Cryptosystems

Mersenne number schemes are a new strain of potentially quantum-safe cryptosystems that use sparse integer arithmetic modulo a Mersenne prime to encrypt messages. Two Mersenne number based schemes were submitted to the NIST post-quantum standardization process: Ramstake and Mersenne-756839. Typically, these schemes admit a low but non-zero probability that ciphertexts fail to decrypt correctly. In this work we show that the information leaked from failing ciphertexts can be used to gain information about the secret key. We present an attack exploiting this information to break the IND-CCA security of Ramstake. First, we introduce an estimator for the bits of the secret key using decryption failures. Then, our estimates can be used to apply the Slice-and-Dice attack due to Beunardeau et al. at significantly reduced complexity to recover the full secret. We implemented our attack on a simplified version of the code submitted to the NIST competition. Our attack is able to extract a good estimate of the secrets using 2^{12} decryption failures, corresponding to 2^{74} failing ciphertexts in the original scheme. Subsequently the exact secrets can be extracted in O(2^{46}) quantum computational steps.

    Application of cryptographic and verification techniques to the security and privacy of information systems

This thesis, on the border between information security and cryptography, focuses on the use of cryptography in computer security. It is divided into three scientifically independent parts, which share the same property of solving problems that are or will be faced by the digital industries. We study the batch processing of signatures, in order to respond to the future omnipresence of devices with low computing power connected to open networks, and therefore having to authenticate a large number of messages. We then turn to the post-quantum threat, examining a new hard problem involving ratios of numbers of low Hamming weight. Finally, we look at the physical security of symmetric algorithms and of quantum key exchange, the former being a long-standing challenge and the latter a possibility for future cryptographic key distribution free from the classic problems of cryptography.

    Cryptographie appliquée à la sécurité des systèmes d’information (Applied cryptography for the security of information systems)

This thesis, on the border between information security and cryptography, focuses on the use of cryptography in computer security. It is divided into three scientifically independent parts, which share the same property of solving problems that are or will be faced by the digital industries. We study the batch processing of signatures, in order to respond to the future omnipresence of devices with low computing power connected to open networks, and therefore having to authenticate a large number of messages. We then turn to the post-quantum threat, examining a new hard problem involving ratios of numbers of low Hamming weight. Finally, we look at the physical security of symmetric algorithms and of quantum key exchange, the former being a long-standing challenge and the latter a possibility for future cryptographic key distribution free from the classic problems of cryptography.

    The Case for System Command Encryption

In several popular standards (e.g. ISO 7816, ISO 14443 or ISO 11898) and IoT applications, a node (transponder, terminal) sends commands and data to another node (transponder, card) to accomplish an applicative task (e.g. a payment or a measurement). Most standards encrypt and authenticate the data. However, as an application of Kerckhoffs' principle, system designers usually consider that commands are part of the system specifications and must hence be transmitted in clear while the data that these commands process is encrypted and signed. While this assumption holds in systems representable by relatively simple state machines, leaking command information is undesirable when the addressed nodes offer the caller a large "toolbox" of commands that the addressing node can activate in many different orders to accomplish different applicative goals. This work proposes protections that encrypt and protect not only the data but also the commands associated with them. The practical implementation of this idea raises a number of difficulties. The first is that of defining a clear adversarial model, a question that we will not address in this paper. The difficulty comes from the application-specific nature of the harm that may possibly stem from leaking the command sequence as well as from the modeling of the observations that the attacker has on the target node's behavior (is a transaction accepted? is a door opened? is a packet routed? etc.). This paper proposes a collection of empirical protection techniques allowing the sender to hide the sequence of commands sent. We discuss the advantages and the shortcomings of each proposed method.
Besides the evident use of nonces (or other internal system states) to render the encryption of identical commands different in time, we also discuss the introduction of random delays between commands (to avoid inferring the next command based on the time elapsed since the previous command), the splitting of a command followed by n data bytes into a collection of encrypted sub-commands conveying the n bytes in chunks of random sizes, and the appending of a random number of useless bytes to each packet. Independent commands can be permuted in time or sent ahead of time and buffered. Another practically useful countermeasure consists in masking the number of commands by adding useless "null" command packets. In its best implementation, the flow of commands is sent in packets in which, at times, the sending node addresses several data and command chunks belonging to different successive commands in the sequence.
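The following added example (not code from the paper) shows how several of the countermeasures listed above combine in one sender/receiver pair: a fresh nonce per packet, splitting of each command and its data into sub-commands of random size, a random number of useless trailing bytes per packet, and null packets interleaved at random. The frame layout, the constants, the toy HMAC-based stream cipher and all function names are this example's own assumptions; a deployed system would use a standard AEAD such as AES-GCM and would also consider the timing and reordering measures the abstract mentions, which are not modelled here.

```python
"""Hiding the command sequence, not only the data, between two nodes.

Added illustration; the framing and the toy cipher are this example's
choices and not the construction proposed in the paper.
"""
import hashlib
import hmac
import random
import secrets
import struct

MAX_CHUNK = 4     # max bytes of (command || data) per sub-command (assumption)
MAX_PAD = 8       # max useless trailing bytes per packet (assumption)
NULL_RATE = 0.3   # probability of a "null" packet before each chunk (assumption)

# Frame layout, entirely under the cipher:
#   kind(1) seq(2) idx(1) last(1) len(1) payload(len) random-pad(0..MAX_PAD)
KIND_NULL, KIND_CHUNK = 0, 1
HDR = ">BHBBB"


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, n):
    # Toy CTR-style keystream from HMAC-SHA256: illustration only.
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key, frame):
    """Encrypt-then-MAC under a fresh 96-bit nonce, so that two identical
    frames never yield identical packets (the 'nonce' countermeasure)."""
    nonce = secrets.token_bytes(12)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(frame))
    ct = bytes(a ^ b for a, b in zip(frame, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unseal(key, packet):
    nonce, ct, tag = packet[:12], packet[12:-16], packet[-16:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def _frame(kind, seq, idx, last, payload, rng):
    pad = bytes(rng.getrandbits(8) for _ in range(rng.randint(0, MAX_PAD)))
    return struct.pack(HDR, kind, seq, idx, last, len(payload)) + payload + pad


def send_commands(key, commands, rng=None):
    """commands: list of (cmd_byte, data). Returns the packets to transmit.

    Each command is cut into sub-commands of random size, null packets are
    interleaved at random, and every packet gets random-length padding, so an
    observer sees neither the number of commands nor their individual lengths.
    Assumes at most 65536 commands and at most 256 chunks per command.
    """
    rng = rng if rng is not None else random.SystemRandom()
    packets = []
    for seq, (cmd, data) in enumerate(commands):
        body = bytes([cmd]) + data
        chunks, i = [], 0
        while i < len(body):
            step = rng.randint(1, MAX_CHUNK)
            chunks.append(body[i:i + step])
            i += step
        for idx, chunk in enumerate(chunks):
            if rng.random() < NULL_RATE:
                packets.append(seal(key, _frame(KIND_NULL, 0, 0, 0, b"", rng)))
            last = int(idx == len(chunks) - 1)
            packets.append(seal(key, _frame(KIND_CHUNK, seq, idx, last, chunk, rng)))
    return packets


def receive_commands(key, packets):
    """Authenticate and decrypt, drop nulls and padding, reassemble commands."""
    pending, done = {}, []
    for packet in packets:
        frame = unseal(key, packet)
        kind, seq, idx, last, n = struct.unpack(HDR, frame[:6])
        if kind == KIND_NULL:
            continue
        pending.setdefault(seq, {})[idx] = frame[6:6 + n]
        if last:
            parts = pending.pop(seq)
            body = b"".join(parts[i] for i in range(idx + 1))
            done.append((body[0], body[1:]))
    return done
```

Because the length field and the chunk boundaries sit inside the ciphertext, the receiver recovers the exact command sequence while the wire carries a stream of packets whose count and sizes vary from run to run even for the same input.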

    Partitioned Searchable Encryption

Symmetric searchable encryption (SSE) allows outsourcing encrypted data to an untrusted server while retaining searching capabilities. This is done without impacting the privacy of both the data and the search/update queries. In this work we put forth a new flavour of symmetric searchable encryption (SSE): Partitioned SSE is meant to capture the cases where the search rights must be partitioned among multiple individuals. We motivate through compelling examples the practical need for such a notion and discuss instantiations based on functional encryption and trapdoor permutations. First we leverage the power of functional encryption (FE). Our construction follows the general technique of encrypting the set of keywords and the presumably larger datafiles separately, a keyword acting as a "pointer" to the datafiles it belongs to. To improve on the constraining factors (large ciphertexts, slow encryption/decryption procedures) that are inherent in FE schemes, the keyword check is done with the help of a Bloom filter, one per datafile: the crux of the idea is to split the filter into buckets, and encrypt each bucket separately under an FE scheme. Functional keys are given for binary masks checking whether the relevant positions are set to 1 inside the underlying bit-vector of the Bloom filter. The second construction we present achieves forward security and stems from the scheme by Bost in CCS'16. We show that a simple tweak of the original construction gives rise to a scheme supporting updates in the partitioned setting. Moreover, the constructions take into account the possibility that some specific users are malicious while declaring their search results.