
    Improving Integral Cryptanalysis against Rijndael with Large Blocks

    This report presents new four-round integral properties against the Rijndael cipher with block sizes larger than 128 bits. Using higher-order multiset distinguishers and other well-known extensions of these properties, the deduced attacks reach up to 7 and 8 rounds of Rijndael variants with 160- to 256-bit blocks. For example, a 7-round attack against Rijndael-224 has a time complexity equal to 2^{80}

    Revisiting LFSMs

    Linear Finite State Machines (LFSMs) are primitives widely used in information theory, coding theory and cryptography. Among these linear automata, a particular case of interest is the Linear Feedback Shift Register (LFSR), used in many cryptographic applications such as stream cipher design and pseudo-random generation. LFSRs can be seen as LFSMs without inputs. In this paper, we first recall the description of LFSMs using the traditional matrix representation. Then, we introduce a new matrix representation with polynomial fractional coefficients. This new representation leads to sparse representations and implementations. As direct applications, we focus on the Windmill LFSR case, used for example in the E0 stream cipher, and on other general applications that use this new representation. In a second part, a new design criterion for LFSRs, called diffusion delay, is introduced and compared with existing related notions. This criterion represents the diffusion capacity of an LFSR. Then, using the matrix representation, we present a new algorithm to randomly pick LFSRs with good properties (including the new one) and sparse descriptions dedicated to hardware and software designs. We present some examples of LFSRs generated using our algorithm to show the relevance of our approach.
    Comment: Submitted to IEEE-I
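    The "traditional matrix representation" the abstract starts from is worth seeing once in working code. The Python below is an added example, not code from the paper: it takes an autonomous LFSM (an LFSR, which has no inputs) and writes it both as a shift register and as its 16x16 transition matrix over GF(2), then checks that clocking the register and multiplying by the matrix are the same operation, and that M^(2^16-1) is the identity for a maximal-length feedback polynomial. The polynomial-fraction representation and the diffusion-delay criterion introduced in the paper are not reproduced; the feedback polynomial x^16 + x^14 + x^13 + x^11 + 1 is a standard primitive example chosen here, not one from the paper.

```python
"""Added example (not code from the paper): an autonomous LFSM, i.e. an LFSR, written
both as a shift register and as its GF(2) transition matrix, to show that the two
descriptions are the same object. The polynomial-fraction representation and the
diffusion-delay criterion introduced in the paper are not reproduced here.
"""

N = 16
# Fibonacci LFSR with feedback polynomial x^16 + x^14 + x^13 + x^11 + 1 (primitive,
# so every non-zero start state has period 2^16 - 1). Bit i of the state is cell i.
TAPS = (0, 2, 3, 5)


def lfsr_step(state):
    """One clock: shift right, feed the XOR of the tap cells into the top cell."""
    fb = 0
    for t in TAPS:
        fb ^= (state >> t) & 1
    return (state >> 1) | (fb << (N - 1))


def transition_matrix():
    """The same update as an N x N matrix over GF(2). Rows are stored as bitmasks:
    bit j of row i is set when new cell i depends on old cell j."""
    rows = [1 << (i + 1) for i in range(N - 1)]   # cell i <- cell i+1
    rows.append(sum(1 << t for t in TAPS))         # top cell <- XOR of the taps
    return rows


def mat_vec(m, v):
    """y = M v over GF(2): y_i is the parity of (row i AND v)."""
    return sum((bin(row & v).count("1") & 1) << i for i, row in enumerate(m))


def mat_mul(a, b):
    """C = A B over GF(2): row i of C is the XOR of the rows of B selected by row i of A."""
    out = []
    for row in a:
        acc = 0
        for k in range(N):
            if row >> k & 1:
                acc ^= b[k]
        out.append(acc)
    return out


def mat_pow(m, e):
    """M^e by square-and-multiply: the state after e clocks is M^e s, no stepping needed."""
    result = [1 << i for i in range(N)]            # identity matrix
    while e:
        if e & 1:
            result = mat_mul(result, m)
        m = mat_mul(m, m)
        e >>= 1
    return result


def period(state):
    """Number of clocks until the register returns to `state` (brute force)."""
    s, n = lfsr_step(state), 1
    while s != state:
        s, n = lfsr_step(s), n + 1
    return n


if __name__ == "__main__":
    M = transition_matrix()
    s = 0xACE1                                      # arbitrary non-zero start state
    print("matrix and register agree:", mat_vec(M, s) == lfsr_step(s))
    print("period of a non-zero state:", period(s))
    print("M^(2^16-1) is the identity:", mat_pow(M, 2**N - 1) == [1 << i for i in range(N)])
```

    The matrix form is what makes the paper's questions tractable: the state after e clocks is M^e s, the period of the register is the order of M, and sparsity of M is exactly the hardware and software cost the abstract is concerned with.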

    Resilient networking in wireless sensor networks

    This report deals with security in wireless sensor networks (WSNs), especially at the network layer. Multiple secure routing protocols have been proposed in the literature. However, they often rely on cryptography to secure routing functionalities, and cryptography alone is not enough to defend against the attacks that node compromise makes possible, since a compromised insider holds valid keys. Therefore, algorithmic solutions are also needed. In this report, we focus on the behavior of routing protocols to determine which properties make them more resilient to attacks. Our aim is to answer the following questions. Are there existing protocols, not initially designed for security, that already have inherently resilient properties against attacks in which some portion of the network nodes is compromised? If so, which specific behaviors make these protocols more resilient? We propose an overview of security strategies for WSNs in general, including existing attacks and defensive measures, with a focus on the network layer, and analyze the behavior of four routing protocols to determine their inherent resiliency to insider attacks. The protocols considered are Dynamic Source Routing (DSR), Gradient-Based Routing (GBR), Greedy Forwarding (GF) and Random Walk Routing (RWR).

    A Bottleneck Attack on Crypton

    Crypton is a 12-round block cipher proposed as an AES candidate by C.H. Lim in 1998. In this paper, we present two bottleneck attacks on reduced-round versions of Crypton v0.5 and Crypton v1.0. These cryptanalyses are built upon a four-round distinguisher based on a three-round property due to a restricted dependency of the byte-to-byte permutation transformation, as done for the AES in [GM00]. We present an attack on a six-round version of Crypton. We also present a marginal speed-up of the 128-bit key exhaustive search for a seven-round version of Crypton. This attack does not endanger the practical security offered by Crypton, but shows another example where the bottleneck property can be used with an S-box layer composed of at least two S-boxes.

    Constraint Programming Models for Chosen Key Differential Cryptanalysis

    In this paper, we introduce Constraint Programming (CP) models to solve a cryptanalytic problem: the chosen-key differential attack against the standard block cipher AES. The problem is solved in two steps: in Step 1, bytes are abstracted by binary values (a byte difference is either active or inactive); in Step 2, actual byte values are searched. We introduce two CP models for Step 1: Model 1 is derived from the AES rules in a straightforward way; Model 2 contains new constraints that remove solutions that would otherwise be filtered out as invalid in Step 2. We also introduce a CP model for Step 2. We evaluate the scale-up properties of two classical CP solvers (Gecode and Choco) and a hybrid SAT/CP solver (Chuffed). We show that Model 2 is much more efficient than Model 1, and that Chuffed is faster than Choco, which is faster than Gecode, on the hardest instances of this problem. Furthermore, we prove that a solution claimed to be optimal in two recent cryptanalysis papers is not optimal, by providing a better solution.

    The Gain of Network Coding in Wireless Sensor Networking

    Wireless Sensor Networks have some well-known features such as limited battery capacity, changing topology, an open environment, unreliable radio links, etc. In this paper, we investigate the benefits of network coding in wireless sensor networking, especially for resiliency, which is one of our main concerns. Resiliency can be described as a multi-dimensional metric [5478822, erdene2011enhancing, 6423640] taking parameters such as Average Delivery Ratio, Delay Efficiency, Energy Efficiency, Average Throughput and Delivery Fairness into account, and can then be represented graphically as a Kiviat diagram built from these weighted parameters. To introduce these metrics, previous work has been carried out on Random Gradient-Based Routing, which showed good resiliency in a malicious environment. We seek to measure the improvement in resiliency obtained by adding network coding to Random Gradient-Based Routing in the presence of malicious nodes.
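    The mechanism behind the expected gain in Average Delivery Ratio is that a sink receiving coded packets needs any k linearly independent combinations rather than one copy of each of the k originals. The Python below is an added example, not code from the paper: it implements random linear network coding over GF(2), decodes by Gaussian elimination, and compares plain repetition against coding over the same number of transmissions through a forwarder that drops packets. The loss model (a malicious forwarder silently dropping each packet with a fixed probability), the parameters k = 8, n = 16 and loss = 0.3, and all packet contents are constructed here; the paper's Random Gradient-Based Routing and its other resiliency dimensions are not reproduced.

```python
"""Added example (not code from the paper): random linear network coding over GF(2),
to show why coding raises the delivery ratio when forwarders drop packets. Pollution
attacks, where a malicious node injects bogus combinations, are not modeled: without
integrity protection on the coding vectors they would corrupt every decoded packet.
"""
import random


def encode(sources, rng):
    """One coded packet: (coefficient bitmask over the k sources, XOR of the selected payloads)."""
    coeffs = 0
    while coeffs == 0:
        coeffs = rng.getrandbits(len(sources))
    payload = 0
    for i, s in enumerate(sources):
        if coeffs >> i & 1:
            payload ^= s
    return coeffs, payload


def decode(received, k):
    """Gaussian elimination over GF(2). Returns the k source payloads, or None when
    the received coefficient vectors do not have full rank k (too many losses)."""
    basis = {}   # pivot (lowest set bit of the row) -> (coeffs, payload)
    for coeffs, payload in received:
        while coeffs:
            piv = coeffs & -coeffs
            if piv not in basis:
                basis[piv] = (coeffs, payload)
                break
            bc, bp = basis[piv]          # already have this pivot: reduce and retry
            coeffs ^= bc
            payload ^= bp
    if len(basis) < k:
        return None
    out = [0] * k
    for piv in sorted(basis, reverse=True):   # back-substitute from the highest pivot down
        coeffs, payload = basis[piv]
        for i in range(k):
            if (coeffs ^ piv) >> i & 1:       # higher-index sources are already solved
                payload ^= out[i]
        out[piv.bit_length() - 1] = payload
    return out


def simulate(k=8, n=16, loss=0.3, trials=500, seed=7):
    """Delivery ratio of k source packets over n transmissions through a forwarder
    that drops each packet with probability `loss`: plain repetition vs. coding.
    Returns (plain_ratio, coded_ratio). All traffic is constructed from a seeded RNG."""
    rng = random.Random(seed)
    ok_plain = ok_coded = 0
    for _ in range(trials):
        sources = [rng.getrandbits(32) for _ in range(k)]
        # plain: each source packet is forwarded n // k times; all k must get through
        got = {i % k for i in range(n) if rng.random() >= loss}
        ok_plain += len(got) == k
        # coded: n random combinations; any k independent ones suffice
        received = [encode(sources, rng) for _ in range(n)]
        received = [p for p in received if rng.random() >= loss]
        ok_coded += decode(received, k) == sources
    return ok_plain / trials, ok_coded / trials


if __name__ == "__main__":
    plain, coded = simulate()
    print(f"delivery ratio: plain {plain:.2f}, network coded {coded:.2f}")
```

    GF(2) coefficients keep the arithmetic to XOR, which is what a sensor node can afford, at the cost of needing a few more than k packets for full rank; a larger field such as GF(2^8) reduces that overhead. Either way the sink must authenticate coding vectors, otherwise a single malicious forwarder turns the same linearity into a pollution attack.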

    A Mathematical Analysis of Prophet Dynamic Address Allocation

    Prophet is a dynamic address allocation protocol described at INFOCOM 2003. This protocol is based upon a family of pseudo-random generators. The goal of Prophet is to establish a conflict-free addressing scheme. The addressing capabilities of Prophet depend on the underlying properties of the pseudo-random generators. The different pseudo-random generators proposed in Prophet are analyzed and the limits of the scheme are exhibited. Most notably, the periods of the generators limit the addressing capabilities of a node and whether Prophet is collision-free. In this research report, we show that the underlying assumptions made in Prophet cannot be met by pseudo-random generators.

    Tuple Cryptanalysis: Slicing and Fusing Multisets

    In this paper, we revisit the notions of Square, saturation, integral, multiset, bit-pattern and tuple properties, and propose a new Slice & Fuse paradigm to better exploit multiset-type properties of block ciphers, as well as the relations between multisets and their constituent bitslice tuples. With this refined analysis, we are able to improve the best bounds proposed in such contexts against the following block ciphers: Threefish, Prince, Present and Rectangle.
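    Both the Rijndael abstract earlier on this page and this one build on the same object: the three-round integral (Square) property, in which 256 plaintexts that differ in a single byte give ciphertexts whose bytewise XOR-sum is zero after three full rounds, and no longer after a fourth SubBytes. The Python below is an added example, not code from either paper: it implements Rijndael rounds for any block size Nb = 4..8 columns with the real S-box and MixColumns, uses random round keys because the property is key-independent (so no key schedule is needed), and counts the balanced output bytes. It stops at the textbook property; the four-round properties for large blocks and the Slice & Fuse analysis from the papers are not reproduced.

```python
"""Added example: the classical three-round integral (Square) property that the
integral and multiset attacks on this page extend. Not code from either paper.
Round keys and the constant plaintext bytes are drawn from a seeded RNG.
"""
import random


def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    """AES S-box: multiplicative inverse in GF(2^8) followed by the fixed affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gmul(x, y) == 1)
        sbox[x] = (inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2)
                   ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63)
    return sbox


SBOX = _build_sbox()


def shift_offsets(nb):
    """Rijndael ShiftRows offsets (rows 0..3) for a block of Nb 32-bit columns."""
    if 4 <= nb <= 6:
        return (0, 1, 2, 3)
    if nb == 7:
        return (0, 1, 2, 4)
    if nb == 8:
        return (0, 1, 3, 4)
    raise ValueError("Nb must be between 4 and 8")


def rijndael_rounds(block, round_keys, nb):
    """Whitening with round_keys[0], then one full round (SubBytes, ShiftRows,
    MixColumns, AddRoundKey) per remaining key. The last round keeps MixColumns,
    which is what the textbook integral property assumes. Bytes are column-major."""
    off = shift_offsets(nb)
    st = [[block[4 * c + r] ^ round_keys[0][4 * c + r] for c in range(nb)] for r in range(4)]
    for rk in round_keys[1:]:
        st = [[SBOX[b] for b in row] for row in st]                              # SubBytes
        st = [[st[r][(c + off[r]) % nb] for c in range(nb)] for r in range(4)]   # ShiftRows
        mixed = [[0] * nb for _ in range(4)]
        for c in range(nb):                                                      # MixColumns
            a = [st[r][c] for r in range(4)]
            for r in range(4):
                mixed[r][c] = (gmul(a[r], 2) ^ gmul(a[(r + 1) % 4], 3)
                               ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
        st = [[mixed[r][c] ^ rk[4 * c + r] for c in range(nb)] for r in range(4)]  # AddRoundKey
    return [st[r][c] for c in range(nb) for r in range(4)]


def integral_xor_sums(nb, rounds, active=(0, 0), seed=1):
    """XOR-sum of every output byte over a Lambda-set: 256 plaintexts that agree on
    every byte except the one at (row, column) = active, which takes all 256 values."""
    rng = random.Random(seed)
    rks = [[rng.randrange(256) for _ in range(4 * nb)] for _ in range(rounds + 1)]
    base = [rng.randrange(256) for _ in range(4 * nb)]       # constructed constant bytes
    r, c = active
    sums = [0] * (4 * nb)
    for v in range(256):
        pt = list(base)
        pt[4 * c + r] = v
        sums = [s ^ b for s, b in zip(sums, rijndael_rounds(pt, rks, nb))]
    return sums


def balanced_byte_count(nb, rounds, **kw):
    """How many of the 4*Nb output bytes are balanced (XOR-sum zero) over the set.
    After three rounds every byte is, for any Nb and any active position; after
    four rounds the extra SubBytes destroys the property in general."""
    return sum(1 for s in integral_xor_sums(nb, rounds, **kw) if s == 0)


if __name__ == "__main__":
    for nb, rounds in ((4, 3), (4, 4), (8, 3), (8, 4)):
        print(f"Rijndael-{32 * nb}, {rounds} rounds: "
              f"{balanced_byte_count(nb, rounds)}/{4 * nb} bytes balanced")
```

    Why three rounds works for every Nb: after round 1 the active byte fills one column with four bytes that are each a permutation of the 256 values; after round 2 the distinct ShiftRows offsets spread those four bytes into four different columns, so MixColumns yields 16 permutation bytes; in round 3 SubBytes and the constant GF(2^8) multiplications in MixColumns preserve permutations, and the XOR of permutation bytes over the whole set is zero. Distinguishing the fourth round is where a Square attack guesses key bytes, which is also why the large-block variants, whose diffusion is slower, admit the longer properties the first abstract exploits.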

    The KAA project: a trust policy point of view

    In the context of ambient networks, where each small device must trust its neighborhood rather than a fixed network, we propose in this paper a trust management framework inspired by known social patterns and based on the following statements: each mobile builds its own local level of trust, meaning that it does not accept recommendations from other peers, and the only relevant parameter, beyond some special cases discussed later, for evaluating the level of trust is the number of common trusted mobiles. These trusted mobiles are stored as entries in a local database, called the history, on each device, and we use identity-based cryptography to ensure strong security: the history must be a non-transferable object.

    Private and Resilient Data Aggregation

    Sensors are commonly deployed in hostile environments, and consequently a number of research works have focused on data aggregation schemes designed to tolerate attacks on sensor nodes. In parallel, schemes ensuring the confidentiality of sensor data have been proposed to address emerging privacy concerns. We note that resilience against tampering attacks requires access to the sensor nodes' data, while in privacy-preserving systems this data must remain confidential. In this work, we aim to reconcile these two seemingly conflicting objectives. We present a novel private and resilient aggregation system, in which an aggregator combines the data collected from sensor nodes and forwards the resulting sum to an analyst. Our scheme protects the privacy of the users from an honest-but-curious aggregator and analyst, while enabling the filtering of fake data values injected by an attacker using a Private Range Test protocol based on secure multi-party computation.