
    Eliminating Variables in Boolean Equation Systems

    Systems of Boolean equations of low degree arise in a natural way when analyzing block ciphers. The cipher's round functions relate the secret key to auxiliary variables that are introduced by each successive round. In algebraic cryptanalysis, the attacker attempts to solve the resulting equation system in order to extract the secret key. In this paper we study algorithms for eliminating the auxiliary variables from these systems of Boolean equations. It is known that elimination of variables in general increases the degree of the equations involved. In order to contain computational complexity and storage complexity, we present two new algorithms for performing elimination while bounding the degree at 33, which is the lowest possible for elimination. Further, we show that the new algorithms are related to the well-known XL algorithm. We apply the algorithms to a downscaled version of the LowMC cipher and to a toy cipher based on the Prince cipher, and report on experimental results pertaining to these examples.
    Comment: 21 pages, 3 figures, Journal pape

    Formally Unimodular Packings for the Gaussian Wiretap Channel

    This paper introduces the family of lattice-like packings, which generalizes lattices, consisting of packings possessing periodicity and geometric uniformity. The subfamily of formally unimodular (lattice-like) packings is further investigated. It can be seen as a generalization of the unimodular and isodual lattices, and the Construction A formally unimodular packings obtained from formally self-dual codes are presented. Recently, lattice coding for the Gaussian wiretap channel has been considered. A measure called the secrecy function was proposed to characterize the eavesdropper's probability of correctly decoding. The aim is to determine the global maximum value of the secrecy function, called the (strong) secrecy gain. We further apply lattice-like packings to coset coding for the Gaussian wiretap channel and show that the family of formally unimodular packings shares the same secrecy function behavior as unimodular and isodual lattices. We propose a universal approach to determine the secrecy gain of a Construction A formally unimodular packing obtained from a formally self-dual code. From the weight distribution of a code, we provide a necessary condition for a formally self-dual code such that its Construction A formally unimodular packing is secrecy-optimal. Finally, we demonstrate that formally unimodular packings/lattices can achieve higher secrecy gain than the best-known unimodular lattices.
    Comment: Accepted for publication in IEEE Transactions on Information Theory. arXiv admin note: text overlap with arXiv:2111.0143

    Information exchange for routing protocols

    Abstract—Distance vector routing is a classic distributed algorithm for obtaining routing tables in a communication network. The algorithm relies on message exchange between neighbor routers. This paper studies the amount of routing data that needs to be stored and exchanged. On a static network, a variation of the algorithm that exchanges routing trees or pseudotrees is slightly more information-theoretically efficient than a traditional implementation that exchanges tables. Knowledge of an underlying graph model and proper estimation of parameters allow more efficient coding schemes, including schemes related to Slepian-Wolf coding. Further improvements can be obtained on a dynamic network

    Dynamic Security Aspects of Onion Routing

    An anonymous communication network (ACN) is designed to protect the identities of two parties communicating through it, even if an adversary controls or observes parts of the network. Among the ACNs, Tor represents a practical trade-off between offering a reasonable level of anonymity and, simultaneously, an acceptable transmission delay. Due to its practical impact, there is abundant literature on the performance of Tor concerning both communication and security aspects. Recently, a static framework was suggested for evaluating and comparing, in a quantifiable way, the effect of different scenarios (attacks, defence mechanisms, and other protocol changes). Although a static model is useful, many scenarios involve parameters and stochastic variables that change or evolve over time, or that may be influenced by active and malicious adversaries. In this paper, we propose a dynamic framework for evaluating such scenarios. We identify several scenarios where this framework is applicable, and illustrate our framework by considering the guard node mechanism in Tor. We evaluate and compare variations on the guard node concept suggested in the literature with respect to relevant performance metrics and, using the framework, support our evaluation with a theoretical analysis

    Variable Elimination - a Tool for Algebraic Cryptanalysis

    Techniques for eliminating variables from a system of nonlinear equations are used to find solutions of the system. We discuss how these methods can be used to attack certain types of symmetric block ciphers, by solving sets of equations arising from known-plaintext attacks. The systems of equations corresponding to these block ciphers have the characteristics that the solution is determined by a small subset of the variables (i.e., the secret key), and also that it is known that there always exists at least one solution (again corresponding to the key which is actually used in the encryption). It turns out that some toy ciphers can be solved more easily than anticipated by this method, and that the method can take advantage of overdetermined systems

    Error Correction on an Insertion/Deletion Channel Applying Codes From RFID Standards

    Abstract—This paper investigates how to improve the performance of a passive RFID tag-to-reader communication channel with imperfect timing, by using codes mandated by international RFID standards.

    I. SHORTCUT

    This brief section is intended for those who want to skip the practical motivation and jump directly to the theoretical problem setting. Essentially, we have a binary channel which transmits information in terms of the length of runs of identical symbols. The valid run lengths are one or two, and if the receiver can determine exactly the time of each transition, she can also recover the transmitted information. Due to a noisy process and with probability p, a given length-one run is detected as a length-two run, in which case a symbol has been inserted. Vice versa, with probability p, a given length-two run is detected as a length-one run, in which case a symbol has been deleted. Thus, this is a special case of an insertion/deletion channel. The uncoded information is totally vulnerable to the noise of this channel. In order to protect the information, an error correction code is applied. In this paper, the error correcting code is actually a CRC-CCITT code, mandated by many international standard protocols (but intended for error detection). Now, if you also know about cyclic redundancy check (CRC) codes, you can go to Section VI if you want to skip the introduction.

    II. INTRODUCTION

    Inductive coupling is a technique by which energy from one circuit is transferred to another without wires. This is a fundamental technology for near-field passive radio frequency identification (RFID) applications as well as lightweight sensor applications. In the passive RFID application, a reader, containing or attached to a power source, controls and powers a communication session with a tag, a device without a separate power source. The purpose of the communication session may be, for example, object identification, access control, or acquisition of sensor data.

    The operating range of a reader-tag pair is determined by communications requirements as well as by power transfer requirements. To meet the communications requirements, the reader-to-tag and the tag-to-reader communication channels must satisfy specified demands on communication transfer rate and reliability. To meet the power transfer requirements, the received power at the tag must be sufficiently large to provide operating power at the tag. In [1], a discretized Gaussian shift channel is proposed as a modified bit-shift channel to model synchronization loss. In this paper, we will apply the same model to the tag-to-reader channel. In terms of coding, the practical difference is that the tag-to-reader channel allows more elaborate decoding schemes, especially since the volume of data transmitted and the transmission rates are modest. We will investigate the performance of Manchester coding, which is a standardized modulation technique for RFID applications. As a stand-alone code this code was studied i

    Avoiding Cycles in Combined Turbo Decoding and Channel Estimation for Correlated Fading Channels

    We consider combined turbo decoding and channel estimation using pilot symbol assisted modulation (PSAM). When transmitting information on correlated fading channels, a channel interleaver is required to break up deep channel bursts. Our primary concern in this work is not the estimation scheme, but the interleaver pair (consisting of the channel interleaver and the turbo code interleaver) and its effect on the overall system performance. If no precautions are taken, the interleaver pair will generate short cycles in the system's graph description. In this report, different types of cycles are described, and the expected length distribution of primary combined cycles in a uniform channel-coding scheme is derived analytically. We further discuss how to design interleavers that avoid, or reduce the number of, (short) primary combined cycles. Simulation results indicate that these cycles to some extent degrade the overall system performance in the high signal-to-noise ratio (SNR) region. Both low- and high-rate turbo codes are considered in the simulation study.