14 research outputs found

    On Finding Short Cycles in Cryptographic Algorithms

    We show how short cycles in the state space of a cryptographic algorithm can be used to mount a fault attack on its implementation which results in a full secret key recovery. The attack is based on the assumption that an attacker can inject a transient fault at a precise location and time of his/her choice, and more than once. We present an algorithm which uses SAT-based bounded model checking for finding all short cycles of a given length. The existing Binary Decision Diagram (BDD) based algorithms for finding cycles have limited capacity due to the excessive memory requirements of BDDs. The simulation-based algorithms can be applied to larger problem instances; however, they cannot guarantee the detection of all cycles of a given length. The same holds for general-purpose SAT-based model checkers. The presented algorithm can find all short cycles in cryptographic algorithms with very large state spaces. We evaluate it by analyzing the Trivium, Bivium, Grain-80 and Grain-128 stream ciphers. The analysis shows that these ciphers have short cycles whose existence, to the best of our knowledge, was previously unknown.

    MrBayes 3.2: Efficient Bayesian Phylogenetic Inference and Model Choice Across a Large Model Space

    Since its introduction in 2001, MrBayes has grown in popularity as a software package for Bayesian phylogenetic inference using Markov chain Monte Carlo (MCMC) methods. With this note, we announce the release of version 3.2, a major upgrade to the latest official release presented in 2003. The new version provides convergence diagnostics and allows multiple analyses to be run in parallel with convergence progress monitored on the fly. The introduction of new proposals and automatic optimization of tuning parameters has improved convergence for many problems. The new version also sports significantly faster likelihood calculations through streaming single-instruction-multiple-data extensions (SSE) and support of the BEAGLE library, allowing likelihood calculations to be delegated to graphics processing units (GPUs) on compatible hardware. Speedup factors range from around 2 with SSE code to more than 50 with BEAGLE for codon problems. Checkpointing across all models allows long runs to be completed even when an analysis is prematurely terminated. New models include relaxed clocks, dating, model averaging across time-reversible substitution models, and support for hard, negative, and partial (backbone) tree constraints. Inference of species trees from gene trees is supported by full incorporation of the Bayesian estimation of species trees (BEST) algorithms. Marginal model likelihoods for Bayes factor tests can be estimated accurately across the entire model space using the stepping stone method. The new version provides more output options than previously, including samples of ancestral states, site rates, site dN/dS ratios, branch rates, and node dates. A wide range of statistics on tree parameters can also be output for visualization in FigTree and compatible software.

    All Around Logic Synthesis

    This dissertation is in the area of Computer-Aided Design (CAD) of digital Integrated Circuits (ICs). Today's digital ICs, such as microprocessors, memories, digital signal processors (DSPs), etc., range from a few thousand to billions of logic gates, flip-flops, and other components, packed into a few square millimeters of area. The creation of such highly complex systems would not be possible without the use of CAD tools. CAD tools play the key role in determining the area, speed and power consumption of the resulting circuits. We address several problems related to the logic synthesis step of the CAD flow. First, we investigate properties of double-vertex dominators in directed acyclic graphs. We present an O(n) algorithm for identifying all O(n^2) double-vertex dominators of a given vertex, where n is the size of the graph. The key to the algorithm's efficiency is a new data structure for representing double-vertex dominators which has O(n) size and can be efficiently manipulated. This work improves the state of the art in double-vertex dominator identification in terms of both space and time complexity. We also show how dominators can be used for structural decomposition of Boolean functions represented by circuit graphs. Next, we present a depth-optimal technology mapping algorithm for look-up table (LUT) based Field Programmable Gate Arrays. This algorithm is two orders of magnitude faster than previous technology mapping algorithms while achieving a solution with a smaller number of LUTs. We also consider level-limited decomposition of Boolean functions, which is of particular interest for applications which require circuit representations of a limited depth, such as the control logic of microprocessors. We present an efficient algorithm for computing the decomposition of type f = g * h + r, where f, g, h and r are Boolean functions. Another contribution of the dissertation is an algorithm for identifying and removing redundancy in combinational circuits. This algorithm provides a quick partial solution which might be more suitable than exact ATPG and SAT-based approaches for redundancy removal runs at the intermediate steps of the CAD flow. It is embedded into the internal logic synthesis tool of IBM. Other contributions of the dissertation are a proof that, for some Reduced Ordered Binary Decision Diagrams, none of the bound-set preserving orderings is best; a proof of the existence of a perfect input assignment which guarantees that two non-equivalent Boolean functions hash to two different values; and a set of efficient algorithms for the analysis of random Boolean networks.

    On Analysis and Synthesis of (n,k)-Non-Linear Feedback Shift Registers

    Non-Linear Feedback Shift Registers (NLFSRs) have been proposed as an alternative to Linear Feedback Shift Registers (LFSRs) for generating pseudo-random sequences for stream ciphers. In this paper, we introduce (n,k)-NLFSRs, which can be considered a generalization of the Galois type of LFSR. In an (n,k)-NLFSR, the feedback can be taken from any of the n bits, and the next-state functions can be any Boolean function of up to k variables. Our motivation for considering this type of NLFSR is that its Galois configuration makes it possible to compute each next-state function in parallel, thus increasing the speed of output sequence generation. Thus, for stream cipher applications where the encryption speed is important, (n,k)-NLFSRs may be a better alternative than the traditional Fibonacci ones. We derive a number of properties of (n,k)-NLFSRs. First, we demonstrate that they are capable of generating output sequences with good statistical properties which cannot be generated by the Fibonacci type of NLFSR. Second, we show that the period of the output sequence of an (n,k)-NLFSR is not necessarily equal to the length of the largest cycle of its states. Third, we compute the period of an (n,k)-NLFSR constructed from several parallel NLFSRs whose outputs are XOR-ed and show how to maximize this period. We also present an algorithm for estimating the length of cycles of states of (n,k)-NLFSRs which uses Binary Decision Diagrams for representing the set of states and the transition relation on this set.