Results 1-10 of 28
PRINCE – A Low-latency Block Cipher for Pervasive Computing Applications (Full version)
Cited by 22 (0 self)
Abstract. This paper presents a block cipher that is optimized with respect to latency when implemented in hardware. Such ciphers are desirable for many future pervasive applications with real-time security needs. Our cipher, named PRINCE, allows encryption of data within one clock cycle with a very competitive chip area compared to known solutions. The fully unrolled fashion in which such algorithms need to be implemented calls for innovative design choices. The number of rounds must be moderate and rounds must have short delays in hardware. At the same time, the traditional need that a cipher has to be iterative with very similar round functions disappears, an observation that increases the design space for the algorithm. An important further requirement is that realizing decryption and encryption results in minimum additional costs. PRINCE is designed in such a way that the overhead for decryption on top of encryption is negligible. More precisely, for our cipher it holds that decryption for one key corresponds to encryption with a related key. This property, which we refer to as α-reflection, is of independent interest and we prove its soundness against generic attacks.
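The α-reflection property described in the abstract, shown on a toy cipher with the same round structure. This is an added example, not code from the PRINCE paper or its authors, and it is not PRINCE: the block is 16 bits, the linear layers, the constant ALPHA and the first six round constants are assumptions chosen for illustration, and only the 4-bit S-box is taken from the PRINCE specification. What it demonstrates is the mechanism: forward rounds, an involutive middle layer, mirrored inverse rounds, and round constants satisfying RC_i ⊕ RC_{11-i} = α, which together make the inverse of the core under k1 equal to the core itself under k1 ⊕ α.

```python
# Added example: a toy cipher with the alpha-reflection structure PRINCE describes.
# It is NOT PRINCE (16-bit block, toy linear layers, assumed constants); it only shows
# why decryption under core key k1 equals encryption under k1 XOR ALPHA.

MASK = 0xFFFF
ALPHA = 0xC0AC  # assumed toy constant standing in for PRINCE's 64-bit alpha

# 4-bit S-box from the PRINCE specification, applied to each nibble of the 16-bit state.
SBOX = [0xB, 0xF, 0x3, 0x2, 0xA, 0xC, 0x9, 0x1, 0x6, 0x7, 0x8, 0x0, 0xE, 0x5, 0xD, 0x4]
SBOX_INV = [SBOX.index(v) for v in range(16)]

# Round constants: RC_0..RC_5 are arbitrary (assumed values); RC_6..RC_11 mirror them so
# that RC_i XOR RC_(11-i) == ALPHA for every i. That relation is the whole trick.
_FIRST_HALF = [0x0000, 0x1319, 0xA409, 0x082E, 0x4528, 0xBE54]
RC = _FIRST_HALF + [c ^ ALPHA for c in reversed(_FIRST_HALF)]


def rotl16(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK


def sub_nibbles(x, box):
    return sum(box[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))


def mix(x):
    # Toy invertible linear layer M (assumption): each nibble absorbs the two nibbles below it.
    return x ^ rotl16(x, 4) ^ rotl16(x, 8)


MIX_INV = [0] * (MASK + 1)  # inverse of M by table; mix() is a bijection on 16 bits
for _v in range(MASK + 1):
    MIX_INV[mix(_v)] = _v


def middle(x):
    # Middle layer S, M', S^-1 with M' the swap of the two bytes: an involution, as in PRINCE.
    return sub_nibbles(rotl16(sub_nibbles(x, SBOX), 8), SBOX_INV)


def round_fwd(x, k1, i):
    # R_i: S-layer, M-layer, then XOR of RC_i and the core key.
    return mix(sub_nibbles(x, SBOX)) ^ RC[i] ^ k1


def round_inv(x, k1, i):
    # R_i^-1: XOR of RC_i and the core key, then M^-1 and S^-1.
    return sub_nibbles(MIX_INV[x ^ RC[i] ^ k1], SBOX_INV)


def core_encrypt(x, k1):
    x ^= RC[0] ^ k1
    for i in range(1, 6):
        x = round_fwd(x, k1, i)
    x = middle(x)
    for i in range(6, 11):
        x = round_inv(x, k1, i)
    return x ^ RC[11] ^ k1


def core_decrypt(y, k1):
    # The literal inverse of core_encrypt, undoing each step in reverse order.
    y ^= RC[11] ^ k1
    for i in range(10, 5, -1):
        y = round_fwd(y, k1, i)    # undoes round_inv
    y = middle(y)                  # self-inverse
    for i in range(5, 0, -1):
        y = round_inv(y, k1, i)    # undoes round_fwd
    return y ^ RC[0] ^ k1


def whitening_key(k0):
    # PRINCE-style derived whitening key k0' = (k0 >>> 1) XOR (k0 >> (n-1)), here n = 16.
    return (((k0 >> 1) | ((k0 & 1) << 15)) ^ (k0 >> 15)) & MASK


def encrypt(x, k0, k1):
    return core_encrypt(x ^ k0, k1) ^ whitening_key(k0)


def decrypt(y, k0, k1):
    return core_decrypt(y ^ whitening_key(k0), k1) ^ k0


def encrypt_expanded(x, k_in, k1, k_out):
    # The same cipher with both whitening keys given explicitly.
    return core_encrypt(x ^ k_in, k1) ^ k_out


def alpha_reflection_holds(samples=256):
    """Check on sample inputs that D_core[k1] == E_core[k1 ^ ALPHA], and hence that full
    decryption is encryption with the whitening keys swapped and the core key XORed with ALPHA."""
    for n in range(samples):
        x = (n * 0x9E37) & MASK
        k0 = (n * 0x1D75 + 0xBEEF) & MASK
        k1 = (n * 0x7B1F + 0xCAFE) & MASK
        if core_decrypt(x, k1) != core_encrypt(x, k1 ^ ALPHA):
            return False
        y = encrypt(x, k0, k1)
        if decrypt(y, k0, k1) != x:
            return False
        if decrypt(y, k0, k1) != encrypt_expanded(y, whitening_key(k0), k1 ^ ALPHA, k0):
            return False
    return True


if __name__ == "__main__":
    print("alpha-reflection holds:", alpha_reflection_holds())
```

The point for an implementer is in core_decrypt: it is written as the honest step-by-step inverse, yet it computes the same function as core_encrypt with the key XORed by ALPHA, so a hardware decryption path needs no separate datapath, only a different key and swapped whitening keys. The property rests entirely on the constant mirroring and on the middle layer being an involution; break either and the check fails.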
Cryptanalysis of Round-Reduced LED. In: Fast Software Encryption, FSE 2013. LNCS, 2013
Cited by 7 (0 self)
Abstract. In this paper we present known-plaintext single-key and chosen-key attacks on round-reduced LED-64 and LED-128. We show that with an application of the recently proposed slidex attacks [7], one immediately improves the complexity of the previous single-key 4-step attack on LED-128. Further, we explore the possibility of multicollisions and show single-key attacks on 6 steps of LED-128. A generalization of our multicollision attack leads to the statement that no 6-round cipher with two subkeys that alternate, or 2-round cipher with linearly dependent subkeys, is secure in the single-key model. Next, we exploit the possibility of finding pairs of inputs that follow a certain differential rather than a differential characteristic, and obtain chosen-key differential distinguishers for 5-step LED-64, as well as 8-step and 9-step LED-128. We provide examples of inputs that follow the 8-step differential, i.e. we are able to practically confirm our results on 2/3 of the steps of LED-128. We introduce a new type of chosen-key differential distinguisher, called random-difference distinguisher, and successfully penetrate 10 of the total 12 steps of LED-128. We show that this type of attack is generic in the chosen-key model, and can be applied to any 10-round cipher with two alternating subkeys.
Chaskey: An Efficient MAC Algorithm for 32-bit Microcontrollers
Cited by 7 (5 self)
Abstract. We propose Chaskey: a very efficient Message Authentication Code (MAC) algorithm for 32-bit microcontrollers. It is intended for applications that require 128-bit security, yet cannot implement standard MAC algorithms because of stringent requirements on speed, energy consumption, or code size. Chaskey is a permutation-based MAC algorithm that uses the Addition-Rotation-XOR (ARX) design methodology. We prove that Chaskey is secure in the standard model, based on the security of an underlying Even-Mansour block cipher. Chaskey is designed to perform well on a wide range of 32-bit microcontrollers. Our benchmarks show that on the ARM Cortex-M3/M4, our Chaskey implementation reaches a speed of 7.0 cycles/byte, compared to 89.4 cycles/byte for AES-128-CMAC. For the ARM Cortex-M0, our benchmark results give 16.9 cycles/byte and 136.5 cycles/byte for Chaskey and AES-128-CMAC respectively.
LS-designs: Bitslice encryption for efficient masked software implementations. To appear in the proceedings of FSE 2014, available at http://www.uclouvain.be/crypto/people/show/382
Vincent Grosso, Gaëtan Leurent, François-Xavier Standaert, Kerem Varici, François Durvaux, Lubos, 2014
Cited by 7 (0 self)
Abstract. Side-channel analysis is an important issue for the security of embedded cryptographic devices, and masking is one of the most investigated solutions to mitigate such attacks. In this context, efficient masking has recently been considered as a possible criterion for new block cipher designs. Previous proposals in this direction were applicable to different types of masking schemes (e.g. Boolean and polynomial). In this paper, we study possible optimizations when specializing the designs to Boolean masking. For this purpose, we first observe that bitslice ciphers have interesting properties for improving both the efficiency and the regularity of masked software implementations. Next we specify a family of block ciphers (denoted as LS-designs) that can systematically take advantage of bitslicing in a principled manner. Eventually, we evaluate both the security and performance of such designs and two of their instances, confirming excellent properties for physically secure applications.
Multi-user collisions: Applications to Discrete Logs, Even-Mansour and Prince
Cited by 3 (1 self)
Abstract. In this paper, we investigate the multi-user setting both in public-key and in secret-key cryptanalytic applications. In this setting, the adversary tries to recover keys of many users in parallel more efficiently than with classical attacks, i.e., the number of recovered keys multiplied by the time complexity to find a single key, by amortizing the cost among several users. One possible scenario is to recover a single key in a large set of users more efficiently than to recover a key in the classical model. Another possibility is, after some shared precomputation, to be able to learn individual keys very efficiently. This latter model is close to traditional time/memory tradeoff attacks with precomputation. With these goals in mind, we introduce two new algorithmic ideas to improve collision-based attacks in the multi-user setting. Both ideas are derived from the parallelizable collision search as proposed by van Oorschot and Wiener. We recall that this collision search uses precomputed chains obtained by iterating some basic function. In our cryptanalytic application, each pair of merging chains can be used to correlate the key of two distinct users. The first idea is to construct a graph, whose vertices are keys and whose edges are these correlations. When the graph becomes connected, we simultaneously recover all the keys. Thanks to random graph
Differential Analysis of the LED Block Cipher
Cited by 3 (0 self)
Abstract. In this paper, we present a security analysis of the lightweight block cipher LED proposed by Guo et al. at CHES 2011. Since the design of LED is very similar to the Even-Mansour scheme, we first review existing attacks on this scheme and extend them to related-key and related-key-cipher settings before we apply them to LED. We obtain results for 12 and 16 rounds (out of 32) for LED-64 and 16 and 24 rounds (out of 48) for LED-128. Furthermore, we present an observation on LED in the related-key-cipher setting. For all these attacks we need to find good differentials for one step (4 rounds) of LED. Therefore, we extend the study of plateau characteristics for AES-like structures from two rounds to four rounds when the key addition is replaced with a constant addition. We introduce an algorithm that can be used to find good differentials and right pairs for one step of LED. To be more precise, we can find more than 2^10 right pairs for one step of LED with complexity of 2^16 and memory requirement of 5 × 2^17. Moreover, a similar algorithm can also be used to find iterative characteristics for LED.
Multi-user collisions: Applications to Discrete Logarithm, Even-Mansour and PRINCE (Full version)
Cited by 3 (1 self)
Abstract. In this paper, we investigate the multi-user setting both in public- and in secret-key cryptanalytic applications. In this setting, the adversary tries to recover keys of many users in parallel more efficiently than with classical attacks, i.e., the number of recovered keys multiplied by the time complexity to find a single key, by amortizing the cost among several users. One possible scenario is to recover a single key in a large set of users more efficiently than to recover a key in the classical model. Another possibility is, after some shared precomputation, to be able to learn individual keys very efficiently. This latter model is close to traditional time/memory tradeoff attacks with precomputation. With these goals in mind, we introduce two new algorithmic ideas to improve collision-based attacks in the multi-user setting. Both ideas are derived from the parallelizable collision search as proposed by van Oorschot and Wiener. This collision search uses precomputed chains obtained by iterating some basic function. In our cryptanalytic application, each pair of merging chains can be used to correlate the key of two distinct users. The first idea is to construct a graph, whose vertices are keys and whose edges are these correlations. When the graph becomes connected, we simultaneously recover
Security Analysis of Key-Alternating Feistel Ciphers, 2014
Cited by 3 (0 self)
Abstract. We study the security of key-alternating Feistel ciphers, a class of key-alternating ciphers with a Feistel structure. Alternatively, this may be viewed as the study of Feistel ciphers where the pseudorandom round functions are of the form F_i(x ⊕ k_i), where k_i is the (secret) round key and F_i is a public random function that the adversary is allowed to query in a black-box way. Interestingly, our results can be seen as a generalization of traditional results à la Luby-Rackoff in the sense that we can derive results for this model by simply letting the number of queries of the adversary to the public random functions F_i be zero in our general bounds. We make extensive use of the coupling technique. In particular (and as a result of independent interest), we improve the analysis of the coupling probability for balanced Feistel schemes previously carried out by Hoang and Rogaway (CRYPTO 2010).
Meet-in-the-Middle Attacks and Structural Analysis of Round-Reduced PRINCE. In: Fast Software Encryption Conference, 2015
Cited by 3 (0 self)
Abstract. NXP Semiconductors and its academic partners challenged the cryptographic community with finding practical attacks on the block cipher they designed, PRINCE. Instead of trying to attack as many rounds as possible using attacks which are usually impractical despite being faster than brute force, the challenge invites cryptographers to find practical attacks and encourages them to actually implement them. In this paper, we present new attacks on round-reduced PRINCE including the ones which won the challenge in the 6- and 8-round categories, the highest for which winners were identified. Our first attacks rely on a meet-in-the-middle approach and break up to 10 rounds of the cipher. We also describe heuristic methods we used to find practical SAT-based and differential attacks. Finally, we also present an analysis of the cycle structure of the internal rounds of PRINCE leading both to a low complexity distinguisher for 4-round PRINCE-core and an alternative representation of the cipher valid in particular contexts and which highlights, in these cases, a poor diffusion.
XPX: Generalized Tweakable Even-Mansour with Improved Security Guarantees. Cryptology ePrint Archive
Cited by 2 (1 self)
Abstract. We present XPX, a tweakable block cipher based on a single permutation P. On input of a tweak (t11, t12, t21, t22) ∈ T and a message m, it outputs ciphertext c = P(m ⊕ ∆1) ⊕ ∆2, where ∆1 = t11 k ⊕ t12 P(k) and ∆2 = t21 k ⊕ t22 P(k). Here, the tweak space T is required to satisfy a certain set of trivial conditions (such as (0, 0, 0, 0) ∉ T). We prove that XPX with any such tweak space is a strong tweakable pseudorandom permutation. Next, we consider the security of XPX under related-key attacks, where the adversary can freely select a key-deriving function upon every evaluation. We prove that XPX achieves various levels of related-key security, depending on the set of key-deriving functions and the properties of T. For instance, if t12, t22 ≠ 0 and (t21, t22) ≠ (0, 1) for all tweaks, XPX is XOR-related-key secure. XPX generalizes Even-Mansour (EM), but also Rogaway's XEX based on EM, and tweakable EM used in Minalpher. As such, XPX finds a wide range of applications. We show how our results on XPX directly imply related-key security of the authenticated encryption schemes Prøst-COPA and Minalpher, and how a straightforward adjustment to the MAC function Chaskey and to keyed Sponges makes them provably related-key secure.
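The XPX construction from the abstract, written out as an added example that is not code from the paper or its authors. It implements c = P(m ⊕ ∆1) ⊕ ∆2 with the two masks derived from k and P(k) exactly as stated, encodes the two tweak conditions the abstract quotes as checks, and shows that the tweak (1, 0, 1, 0) is plain single-key Even-Mansour together with the XOR-related-key relation that makes that tweak fail the stated condition. Everything else is an assumption: the public permutation P is a toy unkeyed 4-round Feistel network built on SHA-256 so the example runs offline and is invertible, the tweak coordinates multiply k and P(k) in GF(2^64) under the polynomial x^64 + x^4 + x^3 + x + 1, and the key, message and tweak values are constructed.

```python
# Added example: XPX as the abstract defines it, c = P(m xor D1) xor D2 with
# D1 = t11*k xor t12*P(k) and D2 = t21*k xor t22*P(k), over a toy public permutation.
# Assumptions (not from the paper): P is an unkeyed 4-round Feistel network with SHA-256
# as round function, and tweak coordinates multiply k and P(k) in GF(2^64).
from hashlib import sha256

MASK64 = (1 << 64) - 1
GF_POLY = 0x1B  # x^64 + x^4 + x^3 + x + 1 (assumed field polynomial)


def gf_mul(a, b):
    """Multiplication in GF(2^64); this is how a tweak coordinate t acts on k or P(k)."""
    r = 0
    for _ in range(64):
        if b & 1:
            r ^= a
        b >>= 1
        carry = a >> 63
        a = (a << 1) & MASK64
        if carry:
            a ^= GF_POLY
    return r


def _f(i, half):
    return int.from_bytes(sha256(bytes([i]) + half.to_bytes(4, "big")).digest()[:4], "big")


def P(x):
    """Toy public 64-bit permutation (assumption): 4 unkeyed Feistel rounds."""
    l, r = x >> 32, x & 0xFFFFFFFF
    for i in range(4):
        l, r = r, l ^ _f(i, r)
    return (l << 32) | r


def P_inv(y):
    l, r = y >> 32, y & 0xFFFFFFFF
    for i in reversed(range(4)):
        l, r = r ^ _f(i, l), l
    return (l << 32) | r


def masks(k, tweak):
    """Delta1 = t11 k + t12 P(k) and Delta2 = t21 k + t22 P(k), as in the abstract."""
    t11, t12, t21, t22 = tweak
    pk = P(k)
    return gf_mul(t11, k) ^ gf_mul(t12, pk), gf_mul(t21, k) ^ gf_mul(t22, pk)


def xpx_encrypt(k, tweak, m):
    d1, d2 = masks(k, tweak)
    return P(m ^ d1) ^ d2


def xpx_decrypt(k, tweak, c):
    d1, d2 = masks(k, tweak)
    return P_inv(c ^ d2) ^ d1


def tweak_allowed(tweak):
    # The trivial condition the abstract names: the all-zero tweak is not in T.
    return tweak != (0, 0, 0, 0)


def tweak_xor_rk_condition(tweak):
    # Sufficient condition for XOR-related-key security quoted in the abstract:
    # t12 != 0, t22 != 0 and (t21, t22) != (0, 1).
    _t11, t12, t21, t22 = tweak
    return t12 != 0 and t22 != 0 and (t21, t22) != (0, 1)


EM_TWEAK = (1, 0, 1, 0)  # Delta1 = Delta2 = k: XPX collapses to single-key Even-Mansour


def even_mansour(k, m):
    return P(m ^ k) ^ k


def em_related_key_relation(k, delta, m):
    """Why the EM tweak fails the condition above (t12 = 0): for any XOR difference delta,
    E_{k^delta}(m^delta) ^ delta == E_k(m), a related-key distinguisher for plain EM."""
    return xpx_encrypt(k ^ delta, EM_TWEAK, m ^ delta) ^ delta == xpx_encrypt(k, EM_TWEAK, m)
```

When auditing a scheme that instantiates XPX (the abstract lists Prøst-COPA, Minalpher, Chaskey and keyed sponges), the tweak tuple is the thing to extract and run through tweak_xor_rk_condition: masks that depend only on k, as in plain Even-Mansour, inherit the XOR-related-key relation above, whereas masks that involve P(k) in both ∆1 and ∆2 fall under the abstract's stated condition.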