Results 1-10 of 25
Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia, Khazad and Others
Cited by 15 (0 self)
Abstract.
While the differential behavior of modern ciphers in the single-secret-key scenario is relatively well understood, and simple techniques for computing security lower bounds are readily available, the security of modern block ciphers against related-key attacks is still very ad hoc. In this paper we make a first step towards provable security of block ciphers against related-key attacks by presenting an efficient search tool for finding differential characteristics both in the state and in the key (note that due to the similarities between block ciphers and hash functions, such a tool will be useful in the analysis of hash functions as well). We use this tool to search for the best possible (in terms of the number of rounds) related-key differential characteristics in AES, byte-Camellia, Khazad, FOX, and Anubis. We show the best related-key differential characteristics for 5, 11, and 14 rounds of AES-128, AES-192, and AES-256 respectively. We use the optimal differential characteristics to design the best related-key and chosen-key attacks on AES-128 (7 out of 10 rounds), AES-192 (full 12 rounds), byte-Camellia (full 18 rounds) and Khazad (7 and 8 out of 8 rounds). We also show that the ciphers FOX and Anubis have no related-key attacks on more than 4-5 rounds.
Leakage Resilient Cryptography in Practice
In: Towards Hardware-Intrinsic Security, Information Security and Cryptography, 2010
Cited by 13 (0 self)
Abstract. In this report, we are concerned with models to analyze the security of cryptographic algorithms against side-channel attacks. Our objectives are threefold. In the first part of the paper, we aim to survey a number of well-known intuitions related to physical security and to connect them with more formal results in this area. For this purpose, we study the definition of leakage function introduced by Micali and Reyzin in 2004 and its relation to practical power consumption traces. Then, we discuss the non-equivalence between the unpredictability and indistinguishability of pseudorandom generators in physically observable cryptography. Finally, we examine the assumption of bounded leakage per iteration that has been used recently to prove the security of different constructions against side-channel attacks. We show that approximate leakage bounds can be obtained using the framework for the analysis of side-channel key recovery attacks published at Eurocrypt 2009. In the second part of the paper, we aim to investigate two recent leakage
Perfect Diffusion Primitives for Block Ciphers
In [14], 2004
Cited by 9 (1 self)
Abstract. Although linear perfect diffusion primitives, i.e. MDS matrices, are widely used in block ciphers, e.g. AES, very little systematic work has been done on how to find "efficient" ones. In this paper we attempt to do so by considering software implementations on various platforms. These considerations lead to interesting combinatorial problems: how to maximize the number of occurrences of 1 in those matrices, and how to minimize the number of pairwise different entries. We investigate these problems and construct efficient 4×4 and 8×8 MDS matrices to be used e.g. in block ciphers.

1 Introduction

Block ciphers are cascades of diffusion and confusion layers [9]. We usually formalize confusion layers as the application of substitution boxes which are defined by lookup tables. Since those tables must be as small as possible for implementation reasons, confusion layers apply substitutions in parallel on pieces of information, e.g. elements whose values lie in a set K of size 256. The goal of diffusion is to mix up those pieces. One possibility for formalizing the notion of perfect diffusion is the concept of multipermutation, which was introduced in [8, 10]. By definition, a diffusion function f from K^p to K^q is a multipermutation if for any x_1, ..., x_p ∈ K and any integer r such that 1 ≤ r ≤ p, the influence of modifying r input values on f(x_1, ..., x_p) is to modify at least q − r + 1 output values. Another way to define it consists of saying that the set of all words consisting of
Security Analysis of the GF-NLFSR Structure and Four-Cell Block Cipher
Cited by 3 (0 self)
Abstract. The overall structure is one of the most important properties of block ciphers. At present, the most common structures include the Feistel structure, SP structure, MISTY structure, LM structure and generalized Feistel structure. In [29], Choy et al. proposed a new structure called GF-NLFSR (Generalized Feistel-NonLinear Feedback Shift Register), and designed a new block cipher called Four-Cell which is based on the 4-cell GF-NLFSR. In this paper, we first study properties of the n-cell GF-NLFSR structure, and prove that for an n-cell GF-NLFSR there exists an (n^2 + n − 2)-round impossible differential. Then we present an impossible differential attack on the full 25-round Four-Cell using this kind of 18-round impossible differential distinguisher together with differential cryptanalysis techniques. The data complexity of our attack is 2^111.5 and the time complexity is less than 2^123.5 encryptions. In addition, we expect the attack to be more efficient when the relations between different round subkeys can be exploited by taking the key schedule algorithm into consideration.
Direct Construction of Recursive MDS Diffusion Layers using Shortened BCH Codes
In: FSE, Lecture Notes in Computer Science, 2014
Cited by 2 (0 self)
Abstract. MDS matrices make it possible to build optimal linear diffusion layers in block ciphers. However, MDS matrices cannot be sparse and usually have a large description, inducing costly software/hardware implementations. Recursive MDS matrices solve this problem by focusing on MDS matrices that can be computed as a power of a simple companion matrix, thus having a compact description suitable even for constrained environments. However, up to now, finding recursive MDS matrices required an exhaustive search over families of companion matrices, thus limiting the size of the MDS matrices one could look for. In this article we propose a new direct construction based on shortened BCH codes, allowing such matrices to be constructed efficiently for any parameters. Unfortunately, not all recursive MDS matrices can be obtained from BCH codes, and our algorithm is not always guaranteed to find the best matrices for a given set of parameters.

Keywords: linear diffusion, recursive MDS matrices, BCH codes.
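The multipermutation definition in the "Perfect diffusion primitives" entry above and the companion-matrix search described in this recursive-MDS abstract rest on the same primitive: testing whether every square submatrix of a matrix over GF(2^m) is nonsingular. The Python below is an added illustration, not code from either paper. It implements that test, scores the AES MixColumns and InvMixColumns matrices against the two cost criteria the first abstract names (occurrences of 1, number of pairwise different entries), and runs the brute-force search over companion matrices that the second abstract says was previously the only way to find recursive MDS matrices. The AES field polynomial, the two AES matrices, and the 4-bit field x^4+x+1 used for the search are parameters chosen for this demonstration and are not taken from the page.

```python
"""MDS checks for byte/nibble-oriented diffusion layers over GF(2^m).

Added example, not code from either paper on this page.  Assumed parameters
(not from the page): AES field x^8+x^4+x^3+x+1 with the AES MixColumns and
InvMixColumns matrices, and 4-bit cells over x^4+x+1 for the companion search.
"""
from itertools import combinations, product


class GF2m:
    """Arithmetic in GF(2^m); poly is the reduction polynomial including its leading bit."""

    def __init__(self, m, poly):
        self.m, self.poly, self.order = m, poly, 1 << m

    def mul(self, a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if a & self.order:  # degree reached m: reduce modulo poly
                a ^= self.poly
        return r


def det(field, M):
    """Determinant by Laplace expansion; in characteristic 2 all signs vanish."""
    n = len(M)
    if n == 1:
        return M[0][0]
    total = 0
    for j in range(n):
        if M[0][j]:
            minor = [row[:j] + row[j + 1:] for row in M[1:]]
            total ^= field.mul(M[0][j], det(field, minor))
    return total


def is_mds(field, M):
    """A square matrix is MDS (a multipermutation: changing r inputs changes at
    least n - r + 1 outputs) iff every square submatrix is nonsingular."""
    n = len(M)
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                if det(field, [[M[r][c] for c in cols] for r in rows]) == 0:
                    return False
    return True


def implementation_cost(M):
    """The two criteria of 'Perfect diffusion primitives': occurrences of 1
    (multiplications that cost nothing) and pairwise different entries
    (distinct multiplication tables the implementation must carry)."""
    flat = [x for row in M for x in row]
    return flat.count(1), len(set(flat))


def companion(taps):
    """Companion ('serial') matrix: a shift register whose last row holds the taps."""
    n = len(taps)
    C = [[int(c == r + 1) for c in range(n)] for r in range(n - 1)]
    C.append(list(taps))
    return C


def mat_mul(field, A, B):
    n = len(A)
    R = [[0] * n for _ in range(n)]
    for i in range(n):
        for k in range(n):
            if A[i][k]:
                for j in range(n):
                    R[i][j] ^= field.mul(A[i][k], B[k][j])
    return R


def mat_pow(field, M, e):
    R = [[int(i == j) for j in range(len(M))] for i in range(len(M))]
    for _ in range(e):
        R = mat_mul(field, R, M)
    return R


def find_recursive_mds(field, n):
    """Exhaustive search over n x n companion matrices with nonzero taps, the
    costly approach the shortened-BCH construction replaces.  Returns the first
    tap row whose n-th power is MDS.  The sparse companion matrix itself is
    never MDS: its zero entries are singular 1x1 submatrices."""
    for taps in product(range(1, field.order), repeat=n):
        if is_mds(field, mat_pow(field, companion(taps), n)):
            return taps
    return None


GF256 = GF2m(8, 0x11B)  # AES field (assumed parameter)
GF16 = GF2m(4, 0x13)    # x^4 + x + 1 (assumed parameter)
AES_MIXCOLUMNS = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
AES_INV_MIXCOLUMNS = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

if __name__ == "__main__":
    print("MixColumns MDS:", is_mds(GF256, AES_MIXCOLUMNS), implementation_cost(AES_MIXCOLUMNS))
    print("InvMixColumns MDS:", is_mds(GF256, AES_INV_MIXCOLUMNS), implementation_cost(AES_INV_MIXCOLUMNS))
    taps = find_recursive_mds(GF16, 4)
    print("first recursive MDS companion taps over GF(16):", taps)
    print("C^4 =", mat_pow(GF16, companion(taps), 4))
```

The cost scores make the first abstract's criteria concrete: MixColumns has eight entries equal to 1 and only three distinct entries, while its inverse has no 1 entries and four distinct ones, which is why AES decryption's diffusion layer is the more expensive of the two. The search shows the second abstract's point: a companion matrix is as sparse as a diffusion layer can be, fails the MDS test on its own, yet its fourth power is a full MDS matrix, so only the tap row needs to be stored.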
Provably Secure S-Box Implementation Based on Fourier Transform
Cited by 2 (0 self)
Abstract. Cryptographic algorithms implemented in embedded devices must withstand side-channel attacks such as Differential Power Analysis (DPA). A common method of protecting symmetric cryptographic implementations against DPA is to use masking techniques. However, clever masking of non-linear parts such as S-boxes is difficult and has been the flaw of many countermeasures. In this article, we take advantage of some remarkable properties of the Fourier transform to propose a new method to thwart DPA on the implementation of any S-box. After introducing criteria under which an implementation qualifies as DPA-resistant, we prove the security of our scheme. Finally, we apply the method to the FOX and AES S-boxes and show in the latter case that the resulting implementation is one of the most efficient.
Linear Cryptanalysis of Non-Binary Ciphers with an Application to SAFER
Cited by 2 (1 self)
Abstract. In this paper we revisit distinguishing attacks. We show how to generalize the notion of a linear distinguisher to arbitrary sets. Our thesis is that our generalization is the most natural one. We compare it with the one by Granboulan et al. from FSE'06 by showing that we can get sharp estimates of the data complexity and cumulate characteristics in linear hulls. As a proof of concept, we propose a better attack on their toy cipher TOY100 than the one that was originally suggested, and we propose the best known-plaintext attack on SAFER K/SK so far. This provides new directions for block cipher cryptanalysis even in the binary case. On the constructive side, we introduce DEAN18, a toy cipher which encrypts blocks of 18 decimal digits, and we study its security.
New Integrated Proof Method on Iterated Hash Structure and New Structures
2006
Cited by 2 (1 self)
Abstract.
A hash structure that is secure in the random oracle model may not be secure in a real design. In this paper, we give an integrated proof method for the security of iterated hash structures. Based on this proof method, we can distinguish the security of the Merkle-Damgård structure, wide-pipe hash, double-pipe hash and 3C hash, identify the requirements a real design places on the compression function, and recommend a new structure. Finally, we give a new hash structure, MAC structure and encryption model which use the same block-cipher round function and key-schedule algorithm; security proofs for these structures are given.