8 research outputs found

    Key-Recovery Attack on the ASASA Cryptosystem with Expanding S-boxes

    We present a cryptanalysis of the ASASA public key cipher introduced at Asiacrypt 2014. This scheme alternates three layers of affine transformations A with two layers of quadratic substitutions S. We show that the partial derivatives of the public key polynomials contain information about the intermediate layer. This enables us to present a very simple distinguisher between an ASASA public key and random polynomials. We then expand upon the ideas of the distinguisher to achieve a full secret key recovery. This method uses only linear algebra and has a complexity dominated by the cost of computing the kernels of $2^{26}$ small matrices with entries in $\mathbb{F}_{16}$.

    Generic Attacks on Misty Schemes -5 rounds is not enough-

    Misty schemes are classic cryptographic schemes used to construct pseudo-random permutations from $2n$ bits to $2n$ bits by using $d$ pseudo-random permutations from $n$ bits to $n$ bits. These $d$ permutations will be called the "internal" permutations, and $d$ is the number of rounds of the Misty scheme. Misty schemes are important from a practical point of view since, for example, the Kasumi algorithm, which is based on Misty schemes, has been adopted as the standard block cipher in third-generation mobile systems. In this paper we describe the best known "generic" attacks on Misty schemes, i.e. attacks when the internal permutations do not have special properties, or are randomly chosen. We describe known plaintext attacks (KPA), non-adaptive chosen plaintext attacks (CPA-1) and adaptive chosen plaintext and ciphertext attacks (CPCA-2) against these schemes. Some of these attacks were previously known, some are new. One important result of this paper is that when $d=5$ rounds, there exist such attacks with a complexity strictly less than $2^{2n}$. Consequently, at least 6 rounds are necessary to avoid these generic attacks on Misty schemes. When $d \geq 6$ we also describe some attacks on Misty generators, i.e. attacks where more than one Misty permutation is required.
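    The construction the abstract refers to, as an added Python example that is not code from the paper: a Misty L scheme on $2n$-bit blocks built from $d$ random $n$-bit permutation tables. The round map assumed here is (L, R) -> (R, f_i(L) XOR R), and all function names are the editor's. Besides encrypting and decrypting, the block checks exhaustively (for small n) that the resulting $2n$-bit map is a bijection, and shows that swapping one internal permutation for a non-injective function destroys bijectivity, which is why the construction needs internal permutations rather than arbitrary functions.

```python
"""Misty L scheme: a 2n-bit permutation from d random n-bit permutations.

Added example for this listing, not code from the paper. Assumed round map:
(L, R) -> (R, f_i(L) XOR R). Internal functions are lookup tables.
"""
import random


def random_permutation(n, rng):
    """Uniformly random permutation of {0, ..., 2^n - 1} as a lookup table."""
    table = list(range(1 << n))
    rng.shuffle(table)
    return table


def invert_table(table):
    """Inverse of a bijective table; a non-bijective internal function cannot be inverted."""
    if len(set(table)) != len(table):
        raise ValueError("internal function is not a permutation; Misty cannot invert it")
    inv = [0] * len(table)
    for x, y in enumerate(table):
        inv[y] = x
    return inv


def misty_encrypt(funcs, L, R):
    """Apply d = len(funcs) Misty L rounds to the block (L, R)."""
    for f in funcs:
        L, R = R, f[L] ^ R
    return L, R


def misty_decrypt(funcs, L, R):
    """Undo the rounds: from (L', R') = (R, f(L) ^ R) recover R = L' and L = f^-1(R' ^ L')."""
    for f in reversed(funcs):
        inv = invert_table(f)  # precompute once per key in real code
        L, R = inv[R ^ L], L
    return L, R


def scheme_is_permutation(funcs, n):
    """Exhaustive bijectivity check of the 2n-bit map (n must be small)."""
    mask = (1 << n) - 1
    images = {misty_encrypt(funcs, x >> n, x & mask) for x in range(1 << (2 * n))}
    return len(images) == 1 << (2 * n)


def demo(n=4, d=5, seed=2014):
    """Build a d-round scheme with random internal permutations and report:
    whether it is a bijection, whether decryption round-trips every block, and
    whether it stays a bijection once round 3 uses a non-injective function."""
    rng = random.Random(seed)
    perms = [random_permutation(n, rng) for _ in range(d)]
    mask = (1 << n) - 1
    roundtrip_ok = all(
        misty_decrypt(perms, *misty_encrypt(perms, x >> n, x & mask)) == (x >> n, x & mask)
        for x in range(1 << (2 * n))
    )
    # Constructed non-bijective internal function: clears the low bit, so inputs collide.
    bad = perms[:2] + [[x & (mask ^ 1) for x in range(1 << n)]] + perms[3:]
    return {
        "bijective": scheme_is_permutation(perms, n),
        "roundtrip": roundtrip_ok,
        "bijective_with_bad_internal": scheme_is_permutation(bad, n),
    }


if __name__ == "__main__":
    print(demo())
```

    The abstract's generic attacks treat the f_i exactly as this block does, as black-box random permutations, so nothing about the tables above can be exploited other than the round structure itself; the attacks the paper describes are not reproduced here.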

    Etude de la sécurité de schémas de chiffrement par bloc et de schémas multivariés (Study of the security of block cipher schemes and multivariate schemes)

    The thesis is made up of two parts. The first deals with block ciphers, namely Feistel networks with internal permutations and Misty-like schemes. The setting is generic, in the sense that the internal permutations are assumed random; this yields properties of the structure of the schemes themselves, independent of any particular context of use. This part focuses on generic attacks on these two schemes. The second part is about multivariate cryptosystems. A differential property of the public key of the HM scheme is exhibited, giving an efficient distinguisher; moreover, a Gröbner basis attack inverts the system efficiently. We also describe a key-recovery attack on HFE that works for a family of key instances, now called "weak keys".

    Cryptanalysis of the Hidden Matrix Cryptosystem

    In this paper, we present an efficient cryptanalysis of the so-called HM cryptosystem, which was published at Asiacrypt 1999, and of one perturbed version of HM. Until now, no cryptanalysis of this scheme had been published. We first present a distinguisher which uses a differential property of the public key. This distinguisher suffices to break one perturbed version of HM. After that, we describe a practical message-recovery attack against HM using Gröbner bases. The attack can be mounted in a few hundred seconds for the recommended parameters. It turns out that the algebraic systems arising in HM are easier to solve than random systems of the same size; note that this fact provides another distinguisher for HM. Interestingly enough, we offer an explanation of why algebraic systems arising in HM are easy to solve in practice. Briefly, this is due to the appearance of many new linear and quadratic equations during the Gröbner basis computation. More precisely, we provide an upper bound on the maximum degree reached during the Gröbner basis computation (a.k.a. the degree of regularity) of HM systems. For $\mathbb{F}_2$, which is the initial and usual setting of HM, the degree of regularity is upper-bounded by 3. In general, this degree of regularity is upper-bounded by 4. These bounds allow a polynomial-time solving of the system given by the public equations in any case. All in all, we consider that the HM scheme is broken for all practical parameters.

    A Family of Weak Keys in HFE (and the Corresponding Practical Key-Recovery)

    The HFE (Hidden Field Equations) cryptosystem is one of the most interesting multivariate public-key schemes. It was proposed more than 10 years ago by Patarin and seems to withstand the attacks that break many other multivariate schemes, since only subexponential ones have been proposed. The public key is a system of quadratic equations in many variables. These equations are generated from the composition of the secret elements: two linear mappings and a polynomial of small degree over an extension field. In this paper we show that there exist weak keys in HFE when the coefficients of the internal polynomial are defined in the ground field. In this case, we reduce the secret key recovery problem to an instance of the Isomorphism of Polynomials (IP) problem between the equations of the public key and themselves. Even though for schemes such as SFLASH or C∗ the hardness of key-recovery relies on the hardness of the IP problem, this is normally not the case for HFE, since the internal polynomial is kept secret. However, when a weak key is used, we show how to recover all the components of the secret key in practical time, given a solution to an instance of the IP problem. This breaks in particular a variant of HFE proposed by Patarin to reduce the size of the public key, called the "subfield variant". Recovering the secret key takes a few minutes.
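    The key structure described above (a public key obtained by composing two linear maps with a low-degree polynomial over an extension field) and the weak-key case with ground-field coefficients, as an added Python example that is not the authors' code. Assumptions: the toy field is GF(2^5) with the irreducible polynomial x^5 + x^2 + 1, S and T are taken linear rather than affine, the internal polynomial has degree bound D = 17, and every name in the block is the editor's. The relation the block checks, the Frobenius map x -> x^2 conjugated by S and by T, is the editor's illustration of why a weak key yields an IP instance from the public key to itself: when every coefficient of F lies in F_2, F(X^2) = F(X)^2, so P composed with S^{-1} Frob S equals T Frob T^{-1} composed with P; with a coefficient outside F_2 the relation fails. The block also verifies that the tabulated public key is quadratic over F_2 by checking that its third-order differences vanish.

```python
"""Toy HFE over GF(2^5): P = T o F o S, and the extra structure of weak keys.

Added example for this listing, not the authors' code. Assumptions: n = 5 with
x^5 + x^2 + 1, linear S and T, degree bound D = 17, names are the editor's.
"""
import random

N = 5
MOD = 0b100101   # x^5 + x^2 + 1, irreducible over F_2
SIZE = 1 << N    # 32 field elements; also the 32 vectors of F_2^5


def gf_mul(a, b):
    """Multiply in GF(2^5); elements are 5-bit ints (bit i = coefficient of x^i)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & SIZE:
            a ^= MOD
    return r


def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def frob(a):
    """Frobenius map x -> x^2; it is F_2-linear."""
    return gf_mul(a, a)


def random_linear_bijection(rng):
    """Random invertible F_2-linear map on 5-bit vectors as (forward, inverse) tables."""
    while True:
        rows = [rng.randrange(1, SIZE) for _ in range(N)]
        # output bit i = parity(<row_i, v>)
        fwd = [sum((bin(rows[i] & v).count("1") & 1) << i for i in range(N)) for v in range(SIZE)]
        if len(set(fwd)) == SIZE:
            inv = [0] * SIZE
            for x, y in enumerate(fwd):
                inv[y] = x
            return fwd, inv


def hfe_polynomial(rng, weak, D=17):
    """HFE shape: sum a_ij X^(2^i+2^j) + sum b_i X^(2^i) + c with exponents <= D.
    weak=True draws coefficients from F_2 = {0,1}; otherwise from GF(2^5),
    retrying until at least one coefficient lies outside F_2."""
    exps = {(1 << i) + (1 << j) for i in range(N) for j in range(i, N)} | {1 << i for i in range(N)} | {0}
    exps = sorted(e for e in exps if e <= D)
    while True:
        terms = [(e, rng.randrange(2) if weak else rng.randrange(SIZE)) for e in exps]
        if weak or any(c > 1 for _, c in terms):
            return terms


def eval_poly(terms, x):
    acc = 0
    for e, c in terms:
        acc ^= gf_mul(c, gf_pow(x, e))
    return acc


def make_keypair(weak, seed=1):
    """Secret key (S, T, F); public key P = T o F o S tabulated on all 32 inputs."""
    rng = random.Random(seed)
    S_fwd, S_inv = random_linear_bijection(rng)
    T_fwd, T_inv = random_linear_bijection(rng)
    F = hfe_polynomial(rng, weak)
    pub = [T_fwd[eval_poly(F, S_fwd[x])] for x in range(SIZE)]
    return pub, (S_fwd, S_inv, T_fwd, T_inv, F)


def is_quadratic(pub):
    """Degree <= 2 over F_2: every third-order difference of P is identically zero."""
    for a in range(SIZE):
        for b in range(SIZE):
            for c in range(SIZE):
                for x in range(0, SIZE, 4):
                    s = 0
                    for m in (0, a, b, c, a ^ b, a ^ c, b ^ c, a ^ b ^ c):
                        s ^= pub[x ^ m]
                    if s:
                        return False
    return True


def frobenius_self_isomorphism(pub, sk):
    """Check P o (S^-1 o Frob o S) == (T o Frob o T^-1) o P on every input.
    Holds iff F(X^2) == F(X)^2, i.e. iff all coefficients of F are in F_2; the pair
    (S^-1 Frob S, T Frob T^-1) is then an IP solution from P to itself."""
    S_fwd, S_inv, T_fwd, T_inv, _ = sk
    return all(pub[S_inv[frob(S_fwd[x])]] == T_fwd[frob(T_inv[pub[x]])] for x in range(SIZE))


if __name__ == "__main__":
    for weak in (True, False):
        pub, sk = make_keypair(weak)
        print("weak" if weak else "strong", is_quadratic(pub), frobenius_self_isomorphism(pub, sk))
```

    The check uses the secret S and T only to confirm that the self-isomorphism exists; the attack in the abstract recovers such a pair from the public key alone by solving the IP instance, which this block does not attempt.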