
    Equivalent representations of an LFSR and their impact on cryptanalysis (Les représentations équivalentes d'un LFSR et leur impact en cryptanalyse)

    The filtered LFSR is a low-cost stream-cipher model that is still widely used in real systems, either on its own or as part of a more complex generator. Many attacks on this type of system already exist, such as correlation attacks and algebraic attacks. Rønjom and Cid observed that, in some cases, the equivalent representations of a filtered LFSR obtained by changing the primitive root can lead to a new kind of cryptanalysis. They also described an attack that applies when the filtering function is a component of a monomial function x → Tr(λx^r) over the finite field F_{2^n}, where n is the length of the LFSR. Several questions follow from that article: whether this attack can be generalised to other filtering functions, and whether other attacks exploit these equivalent representations. Using equivalent representations, I was able to exhibit three new kinds of potential weaknesses of filtered LFSRs, and thus to give new criteria to take into account for this type of system.

    Attacks Against Filter Generators Exploiting Monomial Mappings

    Filter generators are vulnerable to several attacks which have led to well-known design criteria on the Boolean filtering function. However, Rønjom and Cid have observed that a change of the primitive root defining the LFSR leads to several equivalent generators. They usually offer different security levels since they involve filtering functions of the form F(x^k) where k is coprime to 2^n − 1 and n denotes the LFSR length. It is proved here that this monomial equivalence does not affect the resistance of the generator against algebraic attacks, while it usually impacts the resistance to correlation attacks. Most importantly, a more efficient attack can often be mounted by considering non-bijective monomial mappings. In this setting, a divide-and-conquer strategy applies based on a search within a multiplicative subgroup of F*_{2^n}. Moreover, if the LFSR length n is not a prime, a fast correlation attack involving a shorter LFSR can be performed.
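    A worked illustration of the monomial equivalence that the two abstracts above rely on, added here as an example (it is not code from either paper). A filtered LFSR is modelled as a state x_t in F_{2^n} that is multiplied by a primitive root each clock, which is a Galois LFSR whose characteristic polynomial is that root's minimal polynomial; the script then replaces the root α by β = α^k with gcd(k, 2^n − 1) = 1, computes the new (different) feedback polynomial, and checks that the second generator produces the same keystream once the filter becomes G(y) = F(y^(k^-1)). The toy field F_16 defined by x^4 + x + 1, the filter b0·b1 + b2 + b1·b3, the initial state and k = 7 are illustrative choices of mine; the small Walsh and ANF helpers are there so the two filters' nonlinearity and algebraic degree can be compared.

```python
"""Monomial equivalence of filtered LFSRs over F_{2^n}, worked on the toy field F_16.
Added example; n = 4, the filter f and k = 7 are illustrative choices, not from the paper."""
from math import gcd

N = 4
POLY = 0b10011            # x^4 + x + 1, primitive over F_2: defines F_16 and the first LFSR
ORDER = (1 << N) - 1      # multiplicative group order 2^n - 1 = 15
ALPHA = 0b0010            # the element x, a primitive root of F_16


def gf_mul(a, b):
    """Multiply in F_2[x]/(POLY); bit i of an int is the coefficient of x^i."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= POLY
    return r


def gf_pow(a, e):
    """Square-and-multiply exponentiation in F_16 (e >= 0)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def min_poly(beta):
    """Minimal polynomial of beta over F_2, as a bitmask like POLY: prod_i (x + beta^(2^i))."""
    poly, c = [1], beta                       # coefficient list, low degree first
    for _ in range(N):
        nxt = [0] * (len(poly) + 1)
        for i, p in enumerate(poly):
            nxt[i + 1] ^= p                   # p * x
            nxt[i] ^= gf_mul(p, c)            # p * c
        poly, c = nxt, gf_mul(c, c)           # next conjugate beta^(2^(i+1))
    assert all(p in (0, 1) for p in poly)     # the coefficients land in F_2
    return sum(p << i for i, p in enumerate(poly))


def f_filter(x):
    """Illustrative Boolean filter on the n state bits: b0*b1 + b2 + b1*b3."""
    b = [(x >> i) & 1 for i in range(N)]
    return (b[0] & b[1]) ^ b[2] ^ (b[1] & b[3])


def keystream(root, x0, filt, length):
    """Filtered LFSR: state x_t is a field element, x_{t+1} = root * x_t (a Galois LFSR with
    characteristic polynomial min_poly(root)); the output is filt(x_t) at each clock."""
    out, x = [], x0
    for _ in range(length):
        out.append(filt(x))
        x = gf_mul(x, root)
    return out


def equivalent_generator(k):
    """Change of primitive root alpha -> beta = alpha^k, gcd(k, 2^n - 1) = 1.
    Returns beta and the filter G(y) = F(y^(k^-1)); started from x0^k it gives the same keystream."""
    assert gcd(k, ORDER) == 1
    k_inv = pow(k, -1, ORDER)
    return gf_pow(ALPHA, k), (lambda y: f_filter(gf_pow(y, k_inv)))


def state_bit(root, x0, length, j):
    """Coordinate j of the state sequence, to check which linear recurrence it obeys."""
    x, bits = x0, []
    for _ in range(length):
        bits.append((x >> j) & 1)
        x = gf_mul(x, root)
    return bits


def obeys(bits, poly):
    """True if sum_i p_i * s_{t+i} = 0 for every t, i.e. poly is a characteristic polynomial."""
    taps = [i for i in range(N + 1) if (poly >> i) & 1]
    return all(sum(bits[t + i] for i in taps) % 2 == 0 for t in range(len(bits) - N))


def nonlinearity(filt):
    """Distance to the nearest affine function, from the Walsh spectrum over all 2^n inputs."""
    spectrum = [abs(sum((-1) ** (filt(x) ^ bin(a & x).count("1") % 2) for x in range(1 << N)))
                for a in range(1 << N)]
    return ((1 << N) - max(spectrum)) // 2


def algebraic_degree(filt):
    """Degree of the algebraic normal form, via the Möbius transform of the truth table."""
    anf = [filt(x) for x in range(1 << N)]
    for i in range(N):
        for x in range(1 << N):
            if x >> i & 1:
                anf[x] ^= anf[x ^ (1 << i)]
    return max(bin(m).count("1") for m in range(1 << N) if anf[m])


def demo(k=7, x0=0b1001, length=64):
    beta, g = equivalent_generator(k)
    same = keystream(ALPHA, x0, f_filter, length) == keystream(beta, gf_pow(x0, k), g, length)
    return {"same_keystream": same, "poly_alpha": min_poly(ALPHA), "poly_beta": min_poly(beta),
            "nl": (nonlinearity(f_filter), nonlinearity(g)),
            "deg": (algebraic_degree(f_filter), algebraic_degree(g))}


if __name__ == "__main__":
    print(demo())
```

With k = 7 (so k^-1 = 13 mod 15) the second LFSR has feedback polynomial x^4 + x^3 + 1 instead of x^4 + x + 1, its state bits no longer satisfy the original recurrence, and yet the two keystreams coincide; the filter the attacker faces is G, which here has algebraic degree 3 against F's degree 2 while both keep nonlinearity 4. Algebraic degree is not the algebraic immunity that the abstract proves invariant, and whether the Walsh spectrum changes depends on F and k, so other coprime k (11 or 13, for instance) are worth running through demo() before drawing conclusions about a real filter.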

    On the Security of Keyed Hashing Based on Public Permutations

    Doubly-extendable cryptographic keyed functions (deck) generalize the concept of message authentication codes (MAC) and stream ciphers in that they support variable-length strings as input and return variable-length strings as output. A prominent example of building deck functions is Farfalle, which consists of a set of public permutations and rolling functions that are used in its compression and expansion layers. By generalizing the compression layer of Farfalle, we prove its universality in terms of the probability of differentials over the public permutation used in it. As the compression layer of Farfalle is inherently parallel, we compare it to a generalization of a serial compression function inspired by Pelican-MAC. The same public permutation may result in different universalities depending on whether the compression is done in parallel or serial. The parallel construction consistently performs better than the serial one, sometimes by a big factor. We demonstrate this effect using Xoodoo[3], which is a round-reduced variant of the public permutation used in the deck function Xoofff

    Cryptanalysis of the FLIP Family of Stream Ciphers

    At Eurocrypt 2016, Méaux et al. proposed FLIP, a new family of stream ciphers intended for use in Fully Homomorphic Encryption systems. Unlike its competitors, which either have a low initial noise that grows at each successive encryption or a high constant noise, the FLIP family of ciphers achieves a low constant noise thanks to a new construction called the filter permutator. In this paper, we present an attack on the early version of FLIP that exploits the structure of the filter function and the constant internal state of the cipher. Applying this attack to the two instantiations proposed by Méaux et al. allows for a key recovery in 2^54 basic operations (resp. 2^68), compared to the claimed security of 2^80 (resp. 2^128).

    Boolean functions with restricted input and their robustness; application to the FLIP cipher

    We study the main cryptographic features of Boolean functions (balancedness, nonlinearity, algebraic immunity) when, for a given number n of variables, the input to these functions is restricted to some subset E o

    Differential analysis of the ternary hash function Troika

    Troika is a sponge-based hash function designed by Kölbl, Tischhauser, Bogdanov and Derbez in 2019. Its specificity is that it is defined over F_3 in order to be used inside IOTA's distributed ledger, but it could also serve in all settings requiring the generation of ternary randomness. To be used in practice, Troika needs to be proven secure against state-of-the-art cryptanalysis. However, there are today almost no analysis tools for ternary designs. In this article we take a step in this direction by analyzing the propagation of differential trails of Troika and by providing bounds on the weight of its trails. For this, we adapt a well-known framework for trail search designed for Keccak and provide new advanced techniques to handle the search on F_3. Our work demonstrates that providing analysis tools for non-binary designs is a highly non-trivial research direction that needs to be enhanced in order to better understand the real security offered by such non-conventional primitives.

    New Results on Modified Versions of Ketje Jr

    This report documents the program and the outcomes of Dagstuhl Seminar 18021 "Symmetric Cryptography", which was held on January 7-12, 2018 in Schloss Dagstuhl-Leibniz Center for Informatics. The seminar was the sixth in a series of Dagstuhl seminars on "Symmetric Cryptography", previously held i

    Proving Resistance against Invariant Attacks: Properties of the Linear Layer

    Many lightweight block ciphers use a very simple key schedule where the round keys only differ by a round constant. However, several of those schemes were recently broken using invariant attacks, i.e. invariant subspace attacks or nonlinear invariant attacks. This work analyzes the resistance of such ciphers against invariant attacks and reveals the precise mathematical properties that render those attacks applicable. As a first practical consequence, we prove that some ciphers including Prince, Skinny-64 and Mantis7 are not vulnerable to invariant attacks. Also, we show that the invariant factors of the linear layer have a major impact on these attacks. Most notably, if the number of invariant factors of the linear layer is small (e.g., if its minimal polynomial has a high degree), we can easily find round constants which guarantee the resistance to all types of invariant attacks, independently of the choice of the Sbox layer.

    Generic Attack on Duplex-Based AEAD Modes using Random Function Statistics

    Duplex-based authenticated encryption modes with a sufficiently large key length are proven to be secure up to the birthday bound 2^(c/2), where c is the capacity. However, this bound is not known to be tight, and the complexity of the best known generic attack, which is based on multicollisions, is much larger: it reaches 2^c/α where α represents a small security loss factor. There is thus an uncertainty on the true extent of security provided by such constructions beyond the bound 2^(c/2). In this paper, we describe a new generic attack against several duplex-based AEAD modes. Our attack leverages random function statistics and produces a forgery in time complexity O(2^(3c/4)) using negligible memory and no encryption queries. Furthermore, for some duplex-based modes, our attack recovers the secret key with a negligible amount of additional computation. Most notably, our attack breaks a security claim made by the designers of the NIST lightweight competition candidate Xoodyak. This attack is a step further towards determining the exact security provided by duplex-based constructions.