Results 1-10 of 16
LS-designs: Bitslice encryption for efficient masked software implementations. To appear in the proceedings of FSE 2014, available at http://www.uclouvain.be/crypto/people/show/382
Vincent Grosso, Gaëtan Leurent, François-Xavier Standaert, Kerem Varici, François Durvaux, Lubos
2014
Cited by 8 (0 self)
Abstract. Side-channel analysis is an important issue for the security of embedded cryptographic devices, and masking is one of the most investigated solutions to mitigate such attacks. In this context, efficient masking has recently been considered as a possible criterion for new block cipher designs. Previous proposals in this direction were applicable to different types of masking schemes (e.g. Boolean and polynomial). In this paper, we study possible optimizations when specializing the designs to Boolean masking. For this purpose, we first observe that bitslice ciphers have interesting properties for improving both the efficiency and the regularity of masked software implementations. Next we specify a family of block ciphers (denoted as LS-designs) that can systematically take advantage of bitslicing in a principled manner. Eventually, we evaluate both the security and performance of such designs and two of their instances, confirming excellent properties for physically secure applications.
On Reverse-Engineering S-Boxes with Hidden Design Criteria or Structure
In Advances in Cryptology – CRYPTO 2015, Lecture Notes in Computer Science
2015
Cited by 2 (2 self)
Abstract. S-boxes are the key components of many cryptographic primitives, and designing them to improve resilience to attacks such as linear or differential cryptanalysis is well understood. In this paper, we investigate techniques that can be used to reverse-engineer S-box design and illustrate those by studying the S-box F of the Skipjack block cipher, whose design process so far remained secret. We first show that the linear properties of F are far from random and propose a design criterion, along with an algorithm which generates S-boxes very similar to that of Skipjack. Then we consider more general S-box decomposition problems and propose new methods for decomposing S-boxes built from arithmetic operations or as a Feistel network of up to 5 rounds. Finally, we develop an S-box generating algorithm which can fix a large number of DDT entries to the values chosen by the designer. We demonstrate this algorithm by embedding images into the visual representation of an S-box's DDT.
Total Break of Zorro using Linear and Differential Attacks
Cited by 2 (0 self)
Abstract. An AES-like lightweight block cipher, namely Zorro, was proposed at CHES 2013. While it has a 16-byte state, it uses only 4 S-boxes per round. This weak nonlinearity was widely criticized, insofar as it has been directly exploited in all the attacks on Zorro reported so far, including the weak-key, reduced-round, and even full-round attacks. In this paper, using some observations discovered by Wang et al., we present new differential and linear attacks on Zorro, both of which recover the full secret key with practical complexity. These attacks are based on very efficient distinguishers that have only two active S-boxes per four rounds. The time complexities of our differential and linear attacks are 2^52.74 and 2^57.85, and the data complexities are 2^55.15 chosen plaintexts and 2^45.44 known plaintexts, respectively. The results clearly show that the block cipher Zorro does not have enough security against differential and linear cryptanalysis.
Probabilistic slide cryptanalysis and its applications to LED-64 and Zorro
In the proceedings of FSE 2014, available at http://research.ics.aalto.fi/publications/bibdb2014/pdf/fse2014.pdf
2014
Cited by 2 (0 self)
Abstract. This paper aims to enhance the application of the slide attack, which is one of the most well-known cryptanalysis methods using self-similarity of a block cipher. The typical countermeasure against slide cryptanalysis is to use round-dependent constants. We present a new probabilistic technique and show how to overcome round-dependent constants in a slide attack against a block cipher based on the general Even-Mansour scheme with a single key. Our technique can potentially break more rounds than any previously known cryptanalysis for a specific class of block ciphers. We show that employing round constants is not always sufficient to provide security against slide-variant cryptanalysis; the relation between the round constants should also be taken into account. To demonstrate the impact of our model we provide analysis of two round-reduced block ciphers, LED-64 and Zorro, presented at CHES 2011 and CHES 2013, respectively. As a first application we recover the key for 16 rounds of Zorro. This result improves the best cryptanalysis presented by the designers, which could be applied up to 12 of its 24 rounds. In the case of LED-64 the cryptanalysis leads to the best results on 2-step reduced LED-64 in the known-plaintext model.
Correlation power analysis of lightweight block ciphers: From theory to practice.
In: International Conference on Applied Cryptography and Network Security – ACNS 2016. Volume 9696 of Lecture Notes in Computer Science.
2016
Cited by 1 (1 self)
Abstract. Side-Channel Analysis (SCA) represents a serious threat to the security of millions of smart devices that form part of the so-called Internet of Things (IoT). Choosing the "right" cryptographic primitive for the IoT is a highly challenging task due to the resource constraints of IoT devices and the variety of primitives. An important criterion to assess the suitability of a lightweight cipher with respect to SCA is the amount of leakage available to an adversary. In this paper, we analyze the efficiency of different selection functions that are commonly used in Correlation Power Analysis (CPA) attacks on symmetric primitives. To this end, we attacked implementations of the lightweight block ciphers AES, Fantomas, LBlock, Piccolo, PRINCE, RC5, Simon, and Speck on an 8-bit AVR processor. By exploring the relation between the nonlinearity of the studied selection functions and the measured leakages, we discovered some imperfections when using nonlinearity to quantify the resilience against CPA. Then, we applied these findings in an evaluation of the "intrinsic" CPA-resistance of unprotected implementations of the eight mentioned ciphers. We show that certain implementation aspects can influence the leakage level and try to explain why. Our results shed new light on the resilience of basic operations executed by these ciphers against CPA and help to bridge the gap between theory and practice.
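The role of the selection function in a CPA attack, which the abstract above evaluates on real AVR traces, can be seen on constructed data. The Python below is an added example and is not code from the paper: it simulates noisy Hamming-weight leakage of one key nibble at two points of a PRESENT-style round (the key addition and the S-box output), then runs CPA with the matching selection function at each point. The trace count, noise level, seed and Hamming-weight leakage model are assumptions chosen for the demonstration; the S-box is the public PRESENT table.

```python
import random

# Public PRESENT 4-bit S-box, used here as the nonlinear target of the attack.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def hw(x):
    return bin(x).count("1")


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5


def simulate_traces(key, n_traces, sigma, seed=1):
    """Constructed leakage (assumption): every trace is two samples,
    HW(p ^ k) + noise at the key addition and HW(S(p ^ k)) + noise at the S-box."""
    rng = random.Random(seed)
    plaintexts, xor_point, sbox_point = [], [], []
    for _ in range(n_traces):
        p = rng.randrange(16)
        v = p ^ key
        plaintexts.append(p)
        xor_point.append(hw(v) + rng.gauss(0, sigma))
        sbox_point.append(hw(PRESENT_SBOX[v]) + rng.gauss(0, sigma))
    return plaintexts, xor_point, sbox_point


def cpa(plaintexts, samples, selection):
    """Rank the 16 key candidates by |Pearson correlation| between the
    Hamming weight of selection(p ^ k) and the measured samples."""
    ranking = []
    for k in range(16):
        predictions = [hw(selection(p ^ k)) for p in plaintexts]
        ranking.append((abs(pearson(predictions, samples)), k))
    ranking.sort(reverse=True)
    return ranking


def run_attack(key, n_traces=1000, sigma=1.0):
    """CPA at the S-box output (nonlinear selection function) and at the
    key addition (linear selection function), on the same simulated traces."""
    p, xor_point, sbox_point = simulate_traces(key, n_traces, sigma)
    sbox_ranking = cpa(p, sbox_point, lambda v: PRESENT_SBOX[v])
    xor_ranking = cpa(p, xor_point, lambda v: v)
    return sbox_ranking, xor_ranking


def best_key_sbox_point(key):
    return run_attack(key)[0][0][1]


def top_two_keys_xor_point(key):
    return {k for _, k in run_attack(key)[1][:2]}


if __name__ == "__main__":
    print(best_key_sbox_point(0xA), top_two_keys_xor_point(0xA))
```

With the linear selection function HW(p xor k), the candidate k xor 0xF predicts exactly 4 minus what k predicts, so its correlation is the negation of the correct one and the attack cannot separate the two; the S-box output, being nonlinear, ranks the right key alone. This is the kind of selection-function effect the paper measures on hardware.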
Implementing Lightweight Block Ciphers on x86 Architectures
Cited by 1 (0 self)
Abstract. Lightweight block ciphers are designed so as to fit into very constrained environments, but usually not really with software performance in mind. For classical lightweight applications where many constrained devices communicate with a server, it is also crucial that the cipher has good software performance on the server side. Recent work has shown that bitslice implementations applied to Piccolo and PRESENT led to very good software speeds, thus making lightweight ciphers interesting for cloud applications. However, we remark that bitslice implementations might not be interesting for some situations, where the amount of data to be enciphered at a time is usually small, and very little work has been done on non-bitslice implementations. In this article, we explore general software implementations of lightweight ciphers on x86 architectures, with a special focus on LED, Piccolo and PRESENT. First, we analyze table-based implementations, and we provide a theoretical model to predict the behavior of various possible trade-offs depending on the processor cache latency profile. We obtain the fastest table-based implementations for our lightweight ciphers, which is of interest for legacy processors. Secondly, we apply to our portfolio of primitives the vperm implementation trick for 4-bit S-boxes, which gives good performance, extra side-channel protection, and is quite fit for many lightweight primitives. Finally, we investigate bitslice implementations, analyzing various costs which are usually neglected (bitsliced form (un)packing, key schedule, etc.), but that must be taken into account for many lightweight applications. We finally discuss which type of implementation seems to be the best suited depending on the application profile.
Improving the Security and Efficiency of Block Ciphers based on LS-Designs (Extended Abstract)
Cited by 1 (0 self)
Abstract. LS-designs are a family of bitslice ciphers aiming at efficient masked implementations against side-channel analysis. This paper discusses their security against invariant subspace attacks, and describes an alternative family of eXtended LS-designs (XLS-designs), that enables additional options to prevent such attacks. LS- and XLS-designs provide a large family of ciphers from which efficient implementations can be obtained, possibly enhanced with countermeasures against physical attacks. We argue that they are interesting primitives in order to discuss the general question of "how simple can block ciphers be?".
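The LS-design abstracts above (and the x86 implementation paper's bitslice versus table-based comparison) rely on evaluating an S-box as a Boolean circuit over whole registers rather than by table lookup. The Python below is an added example, not code from any of these papers: it derives the algebraic normal form (ANF) of each output bit of a 4-bit S-box with a Moebius transform, packs 64 independent inputs into four bit-vectors, and evaluates the S-box on all lanes at once with AND and XOR only. The S-box is the public PRESENT table, standing in for an LS-design S-box; lane count and the use of Python integers as registers are choices made for the demonstration.

```python
# Bitsliced evaluation of a 4-bit S-box from its ANF (added example).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]   # public PRESENT S-box
N = 4  # S-box width in bits


def moebius(truth_table):
    """Moebius transform: truth table -> ANF coefficients.
    Index i of the result is the monomial whose variables are the set bits of i."""
    a = list(truth_table)
    step = 1
    while step < len(a):
        for i in range(len(a)):
            if i & step:
                a[i] ^= a[i ^ step]
        step <<= 1
    return a


def sbox_anf(sbox):
    """For each output bit j, the monomials (as variable masks) present in its ANF."""
    monomials = []
    for j in range(N):
        coeffs = moebius([(sbox[x] >> j) & 1 for x in range(1 << N)])
        monomials.append([m for m in range(1 << N) if coeffs[m]])
    return monomials


def algebraic_degree(sbox):
    return max(bin(m).count("1") for mons in sbox_anf(sbox) for m in mons)


def pack(values):
    """Transpose: lane i holds values[i]; slice j collects bit j of every lane."""
    slices = [0] * N
    for lane, v in enumerate(values):
        for j in range(N):
            slices[j] |= ((v >> j) & 1) << lane
    return slices


def unpack(slices, lanes):
    return [sum(((slices[j] >> lane) & 1) << j for j in range(N))
            for lane in range(lanes)]


def bitsliced_sbox(slices, monomials, lanes):
    """Evaluate every output bit's ANF with AND/XOR on whole bit-vectors:
    no table lookup, so the instruction stream does not depend on the data."""
    ones = (1 << lanes) - 1
    out = []
    for mons in monomials:
        acc = 0
        for m in mons:
            term = ones  # the empty monomial is the constant 1
            for j in range(N):
                if (m >> j) & 1:
                    term &= slices[j]
            acc ^= term
        out.append(acc)
    return out


def bitsliced_lookup(values):
    lanes = len(values)
    return unpack(bitsliced_sbox(pack(values), sbox_anf(SBOX), lanes), lanes)


def table_lookup(values):
    return [SBOX[v] for v in values]


if __name__ == "__main__":
    inputs = [v % 16 for v in range(64)]
    print(bitsliced_lookup(inputs) == table_lookup(inputs), algebraic_degree(SBOX))
```

The ANF is computed once and the same AND/XOR sequence runs for every block, which is what makes the masked (shared) version regular: each AND becomes a secure multiplication gadget and each XOR stays linear over the shares. The packing and unpacking steps are the "usually neglected" costs the x86 paper accounts for.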
Reversed Genetic Algorithms for Generation of Bijective S-boxes with Good Cryptographic Properties
Cited by 1 (0 self)
Abstract. Often S-boxes are the only nonlinear component in a block cipher and as such play an important role in ensuring its resistance to cryptanalysis. Cryptographic properties and constructions of S-boxes have been studied for many years. The most common techniques for constructing S-boxes are: algebraic constructions, pseudorandom generation and a variety of heuristic approaches. Among the latter are the genetic algorithms. In this paper, a genetic algorithm working in a reversed way is proposed. Using the algorithm we can rapidly and repeatedly generate a large number of strong bijective S-boxes of each dimension from (8 × 8) to (16 × 16), which have suboptimal properties close to the ones of S-boxes based on finite field inversion, but have more complex algebraic structure and possess no linear redundancy.
Rotational Cryptanalysis of ARX Revisited
Cited by 1 (0 self)
Abstract. Rotational cryptanalysis is a probabilistic attack applicable to word-oriented designs that use (almost) rotation-invariant constants. It is believed that the success probability of rotational cryptanalysis against ciphers and functions based on modular additions, rotations and XORs can be computed only by counting the number of additions. We show that this simple formula is incorrect due to the invalid Markov cipher assumption used for computing the probability. More precisely, we show that chained modular additions used in ARX ciphers do not form a Markov chain with regard to rotational analysis, thus the rotational probability cannot be computed as a simple product of rotational probabilities of individual modular additions. We provide a precise value of the probability of such chains and give a new algorithm for computing the rotational probability of ARX ciphers. We use the algorithm to correct the rotational attacks on BLAKE2 and to provide valid rotational attacks against the simplified version of Skein.
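The failure of the Markov assumption stated in the abstract can be checked by exhaustive enumeration at a toy word size. The Python below is an added example, not the paper's algorithm: it counts, for 5-bit words and rotation by 1, how often one modular addition preserves a rotational pair and how often a chain of two additions does, and compares the chain count with the product that the Markov assumption would predict. The word size and rotation amount are assumptions chosen so that the enumeration is instant; the closed form for a single addition is the standard one used in rotational cryptanalysis.

```python
# Rotational probability of one vs. two chained modular additions (added example).
N = 5                   # word size in bits; toy value so 2^(3N) triples enumerate quickly
R = 1                   # rotation amount
MASK = (1 << N) - 1


def rotl(x, r=R):
    return ((x << r) | (x >> (N - r))) & MASK


def add(x, y):
    return (x + y) & MASK


def rotational_add(x, y):
    """Does the rotational pair property survive one addition:
    (x + y) <<< r == (x <<< r) + (y <<< r) ?"""
    return rotl(add(x, y)) == add(rotl(x), rotl(y))


def rotational_chain(x, y, z):
    """Same question for the chain (x + y) + z, inputs rotated, output rotated."""
    return rotl(add(add(x, y), z)) == add(add(rotl(x), rotl(y)), rotl(z))


def single_probability():
    words = range(1 << N)
    hits = sum(rotational_add(x, y) for x in words for y in words)
    return hits / (1 << (2 * N))


def chain_probability():
    words = range(1 << N)
    hits = sum(rotational_chain(x, y, z)
               for x in words for y in words for z in words)
    return hits / (1 << (3 * N))


def closed_form_single(n=N, r=R):
    """Standard closed form for one n-bit modular addition rotated by r:
    (1 + 2^(r-n) + 2^(-r) + 2^(-n)) / 4."""
    return (1 + 2.0 ** (r - n) + 2.0 ** (-r) + 2.0 ** (-n)) / 4


def markov_prediction():
    """What treating the two additions as independent steps would give."""
    return closed_form_single() ** 2


if __name__ == "__main__":
    print("single  :", single_probability(), "closed form:", closed_form_single())
    print("chain   :", chain_probability(), "Markov product:", markov_prediction())
```

The single-addition count matches the closed form exactly, while the chain count does not match the squared value: the carry into the top bit of the first sum, which decides whether the pair survives, also skews the distribution of that sum's top bit and low part, so the second addition is not seen by an independent, uniformly distributed input.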
K.: Perfect nonlinear functions and cryptography. Finite Fields and Their Applications 32 (2015) 120–147, Special Issue: Second Decade of FFA
Cited by 1 (0 self)
In the late 1980s the importance of highly nonlinear functions in cryptography was first discovered by Meier and Staffelbach from the point of view of correlation attacks on stream ciphers, and later by Nyberg in the early 1990s after the introduction of the differential cryptanalysis method. Perfect nonlinear (PN) and almost perfect nonlinear (APN) functions, which have the optimal properties for offering resistance against differential cryptanalysis, have since then been an object of intensive study by many mathematicians. In this paper, we survey some of the theoretical results obtained on these functions in the last 25 years. We recall how the links with other mathematical concepts have accelerated the search on PN and APN functions. To illustrate the use of PN and APN functions in practice, we discuss examples of ciphers and their resistance to differential attacks. In particular, we recall that in cryptographic applications suboptimal functions are often used.
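The properties that the survey above, the genetic-algorithm paper and the S-box reverse-engineering paper all reason about (DDT entries, differential uniformity, APN-ness, nonlinearity and the "finite field inversion" benchmark) reduce to two tables. The Python below is an added example, not code from any of the cited papers: it computes the difference distribution table and the Walsh spectrum (the information in the linear approximation table) of an S-box given as a lookup table, and applies them to the public PRESENT S-box, to the Gold power map x^3 over GF(2^3), and to the inversion map over GF(2^8) that sits inside the AES S-box. The choice of irreducible polynomials and of these three S-boxes is the example's own.

```python
# DDT, Walsh spectrum and the derived S-box metrics (added example).
def ddt(sbox):
    """Difference distribution table: ddt[dx][dy] = #{x : S(x) ^ S(x ^ dx) == dy}."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for x in range(size):
        for dx in range(size):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def differential_uniformity(sbox):
    """Largest DDT entry outside the trivial dx = 0 row (2 is the APN optimum)."""
    return max(v for row in ddt(sbox)[1:] for v in row)


def fwht(a):
    """Fast Walsh-Hadamard transform of a list of +-1 values."""
    a = list(a)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                u, v = a[j], a[j + h]
                a[j], a[j + h] = u + v, u - v
        h *= 2
    return a


def linearity(sbox):
    """max |W(a, b)| over all input masks a and nonzero output masks b, where
    W(a, b) = sum_x (-1)^(a.x ^ b.S(x)); each LAT entry is W(a, b) / 2."""
    size = len(sbox)
    best = 0
    for b in range(1, size):
        signs = [1 - 2 * (bin(b & sbox[x]).count("1") & 1) for x in range(size)]
        best = max(best, max(abs(w) for w in fwht(signs)))
    return best


def nonlinearity(sbox):
    return len(sbox) // 2 - linearity(sbox) // 2


def is_apn(sbox):
    return differential_uniformity(sbox) == 2


def is_bijective(sbox):
    return sorted(sbox) == list(range(len(sbox)))


def gf_mul(a, b, modulus, n):
    """Shift-and-add multiplication in GF(2^n); modulus has bit n set."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= modulus
    return r


def power_map(exp, modulus, n):
    """S(x) = x^exp over GF(2^n) as a lookup table (0^exp = 0)."""
    table = []
    for x in range(1 << n):
        r = 1
        for _ in range(exp):
            r = gf_mul(r, x, modulus, n)
        table.append(r)
    return table


PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
GOLD_3BIT = power_map(3, 0b1011, 3)        # x^3 over GF(2^3), modulus x^3 + x + 1
AES_INVERSE = power_map(254, 0x11B, 8)     # x^-1 over GF(2^8), modulus x^8 + x^4 + x^3 + x + 1


def profile(sbox):
    return {"bijective": is_bijective(sbox),
            "differential_uniformity": differential_uniformity(sbox),
            "nonlinearity": nonlinearity(sbox),
            "apn": is_apn(sbox)}


if __name__ == "__main__":
    for name, s in (("PRESENT", PRESENT_SBOX), ("x^3/GF(8)", GOLD_3BIT), ("x^-1/GF(256)", AES_INVERSE)):
        print(name, profile(s))
```

The 3-bit Gold map is an APN permutation (every nontrivial DDT row has entries at most 2), which is possible because the dimension is odd; the 8-bit inversion map is only 4-uniform with nonlinearity 112, the "suboptimal" benchmark the survey refers to, and PRESENT's 4-bit S-box reaches the 4-bit optimum of 4-uniformity and nonlinearity 4. The AES affine layer changes neither metric, so the inversion map alone is the right object to measure.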