DOCSLIB.ORG

High-Speed Cryptography and Cryptanalysis

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
High-Speed Cryptography and Cryptanalysis High-speed cryptography and cryptanalysis Citation for published version (APA): Schwabe, P. (2011). High-speed cryptography and cryptanalysis. Technische Universiteit Eindhoven. https://doi.org/10.6100/IR693478 DOI: 10.6100/IR693478 Document status and date: Published: 01/01/2011 Document Version: Publisher’s PDF, also known as Version of Record (includes final page, issue and volume numbers) Please check the document version of this publication: • A submitted manuscript is the version of the article upon submission and before peer-review. There can be important differences between the submitted version and the official published version of record. People interested in the research are advised to contact the author for the final version of the publication, or visit the DOI to the publisher's website. • The final author version and the galley proof are versions of the publication after peer review. • The final published version features the final layout of the paper including the volume, issue and page numbers. Link to publication General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain • You may freely distribute the URL identifying the publication in the public portal. If the publication is distributed under the terms of Article 25fa of the Dutch Copyright Act, indicated by the “Taverne” license above, please follow below link for the End User Agreement: www.tue.nl/taverne Take down policy If you believe that this document breaches copyright please contact us at: [email protected] providing details and we will investigate your claim. Download date: 25. Sep. 2021 High-Speed Cryptography and Cryptanalysis Peter Schwabe High-Speed Cryptography and Cryptanalysis PROEFSCHRIFT ter verkrijging van de graad van doctor aan de Technische Universiteit Eindhoven, op gezag van de rector magnificus, prof.dr.ir. C.J. van Duijn, voor een commissie aangewezen door het College voor Promoties in het openbaar te verdedigen op maandag 24 januari 2011 om 16.00 uur door Peter Schwabe geboren te Siegburg, Duitsland Dit proefschrift is goedgekeurd door de promotoren: prof.dr. T. Lange en prof.dr. D.J. Bernstein CIP-DATA LIBRARY TECHNISCHE UNIVERSITEIT EINDHOVEN Schwabe, Peter High-Speed Cryptography and Cryptanalysis / door Peter Schwabe. – Eindhoven: Technische Universiteit Eindhoven, 2011 Proefschrift. – ISBN 978-90-386-2415-0 NUR 919 Subject heading: Cryptology 2000 Mathematics Subject Classification: 94A60, 94A62, 11Y16, 11T71 Printed by Printservice Technische Universiteit Eindhoven Cover design by Paula Schwabe Public domain Für meine Eltern Promotor: prof.dr. T. Lange prof.dr. D.J. Bernstein (University of Illinois at Chicago) Commissie: prof.dr. A.M. Cohen, chairman prof.dr. B. Preneel (Katholieke Universiteit Leuven) prof.dr. M. Scott (Dublin City University) prof.dr.ir. H.C.A. van Tilborg prof.dr. G. Woeginger prof.dr. B.-Y. Yang (Academia Sinica) Thanks This thesis would not exist without the support, help and encouragement of many people. First of all I would like to thank my supervisors Tanja Lange and Daniel J. Bern- stein. The time and effort they spent on teaching, guiding and supporting me is probably best expressed by using the German words for Ph.D. supervisor and saying that they are really a “Doktormutter” and “Doktorvater”. I also want to express my gratitude to Michael Naehrig. He supervised my Diplo- marbeit, taught me a lot about elliptic curves and pairings during our joint time in Aachen and Eindhoven, introduced me to my supervisors Tanja Lange and Daniel J. Bernstein, and always supported and encouraged me. I am very grateful for Michael’s friendship. I thank Arjeh Cohen, Bart Preneel, Michael Scott, Henk van Tilborg, Gerhard Woeginger, and Bo-Yin Yang for joining my Ph.D. committee and for reading this manuscript and giving valuable comments. Various people invited me to present my results or to work together, I am very grateful for these opportunities and wish to thank Pierrick Gaudry, Emmanuel Thomé, Jérémie Detrey, and Gaëtan Bisson at INRIA, Nancy; Bart Preneel and Emilia Käsper at Katholieke Universiteit Leuven; Christof Paar, Tim Güneysu, and Timo Kasper at Ruhr Universität Bochum; and Francisco Rodríguez-Henríquez, Debrup Chakraborty, Luis Gerardo de la Fraga, and Jorge E. González Díaz at CINVESTAV, Mexico City. Especially I want to thank Chen-Mou Cheng at National Taiwan Univer- sity and Bo-Yin Yang at Academia Sinica who invited me several times to Taipei and also hosted me for many weeks while I was writing this thesis. I also want to thank Grace Song for welcoming me as a frequent visitor in the apartment in Taipei that she shares with my girlfriend Chen-Han Lee. I thank my coauthors Gerd Ascheid, Dominik Auras, Daniel V. Bailey, Brian Bald- win, Lejla Batina, Paulo S. L. M. Barreto, Daniel J. Bernstein, Peter Birkner, Joppe W. Bos, Hsieh-Chung Chen, Chen-Mou Cheng, Neil Costigan, Gauthier van Damme, Luis Julian Dominguez Perez, Junfeng Fan, Tim Güneysu, Frank Gürkaynak, David Kamm- ler, Emilia Käsper, Thorsten Kleinjung, Tanja Lange, Markus Langenberg, Rainer Leu- pers, Nele Mentens, Heinrich Meyr, Rudolf Mathar, Giacomo de Meulenaer, Michael Naehrig, Ruben Niederhagen, Christof Paar, Christiane Peters, Francesco Regazzoni, Hanno Scharwaechter, Leif Uhsadel, Anthony Van Herrewege, Bo-Yin Yang, and Dian- dian Zhang for the fruitful collaboration. I thank the European Commission for supporting my Ph.D studies through the ICT Programme under Contract ICT-2007-216499 CACE. 7 8 Many thanks go to Michael Naehrig, Ruben Niederhagen, Christiane Peters and Anne Schwabe for proofreading earlier versions of this thesis, pointing out mistakes and suggesting improvements. I wish to thank the people at the coding and cryptology group at Eindhoven University of Technology, in particular Henk van Tilborg and Anita Klooster-Derks for making this group a very pleasant work environment. I also want to thank the other EiPSI Ph.D. students, former and current, for their company: Peter Birkner, Gaëtan Bisson, Dion Boesten, Mayla Brusò, Elisa Costante, Sebastiaan de Hoogh, Relinde Jurrius, Mehmet Sabir Kiraz, Xiao-Ping Liang Peter van Liesdonk, Michael Naehrig, Ruben Niederhagen, Jan-Jaap Osterwijk, Jing Pan, Christiane Peters, Bruno Pontes Soares Rocha, Reza Rezaeian Farashahi, Antonino Simone, Daniel Trivellato, Meilof Veeningen, and José Villegas. I also thank Çiçek Güven, Maxim Hendriks, and Shona Yu for the company in the coffee breaks and for the great time in Istanbul. Let me also mention the people at the Institute for Theoretical Information Tech- nology at RWTH Aachen University: Rudolf Mathar, Mathilde Getz, Detlef Maus, Daniel Bielefeld, Georg Böcherer, Daniel Catrein, Alexander Engels, Gernot Fabeck, Chunhui Liu, Wolfgang Meyer zu Bergsten, Melanie Neunerdt, Michael Reyer, Tobias Rick, Michael Schmeink, and Milan Zivkovic. Thank you for the support and the good time I had working together with you in Aachen. I very much thank my parents and my sister for their support. I thank my cousin Paula Schwabe for designing the cover of this thesis. Finally I deeply thank my girlfriend Chen-Han Lee for her support, understanding, and for her love. Contents List of algorithms 13 List of tables 15 1 Introduction 17 2 Preliminaries 23 2.1 Instructions and instruction sets . 24 2.2 Exploiting instruction-level parallelism . 25 2.2.1 Dependencies between instructions . 25 2.2.2 Pipelined and superscalar execution . 26 2.2.3 Optimizing code for in-order CPUs . 27 2.2.4 Optimizing code for out-of-order CPUs . 28 2.3 Exploiting data-level parallelism . 28 2.3.1 Reducing to instruction-level parallelism . 29 2.3.2 Single instruction stream, multiple data streams (SIMD) . 29 2.3.3 Algorithmic improvements . 31 2.4 Exploiting task-level parallelism . 31 2.5 Function calls, loops, and conditional statements . 32 2.6 Accessing memory . 35 2.6.1 Caching . 35 2.6.2 Virtual-address translation . 37 2.7 Limitations of compilers . 38 2.8 The qhasm programming language . 38 3 Implementations of AES 41 3.1 The Advanced Encryption Standard (AES) . 42 3.1.1 AES encryption . 42 3.1.2 Combining SUBBYTES,SHIFTROWS, and MIXCOLUMNS ....... 44 3.1.3 AES key expansion . 44 3.1.4 The Galois/Counter Mode (GCM) . 44 3.2 Cache-timing attacks against AES and GCM . 45 3.2.1 Attacks against AES encryption . 46 3.2.2 Attacks against AES key expansion . 46 3.2.3 Attacks against Galois/Counter Mode authentication . 47 3.3 Table-based implementations . 48 9 10 CONTENTS 3.3.1 Reducing instructions for table-based AES . 48 3.3.2 Reducing cycles for table-based AES . 54 3.4 Bitsliced AES for 64-bit Intel processors . 57 3.4.1 Bitsliced representation of the AES state . 58 3.4.2 The ADDROUNDKEY operation . 58 3.4.3 The SUBBYTES operation . 58 3.4.4 The SHIFTROWS operation . 59 3.4.5 The MIXCOLUMNS operation . 60 3.4.6 Key expansion . 61 3.5 AES-GCM for 64-bit Intel processors . 61 3.5.1 Table-based implementation . 61 3.5.2 Constant-time implementation . 62 3.6 Performance results and comparison . 63 3.6.1 Benchmarks of AES-CTR . 65 3.6.2 Benchmarks of AES-GCM . 72 4 Elliptic-curve cryptography on Cell processors 75 4.1 ECDH key exchange and the Curve25519 function . 76 4.1.1 Elliptic-Curve Diffie-Hellman key exchange (ECDH) . 76 4.1.2 Montgomery ladder for scalar multiplication .
Load more

Recommended publications
  • A Low-Latency Block Cipher for Pervasive Computing Applications Extended Abstract?
    PRINCE { A Low-latency Block Cipher for Pervasive Computing Applications Extended Abstract? Julia Borghoff1??, Anne Canteaut1;2???, Tim G¨uneysu3, Elif Bilge Kavun3, Miroslav Knezevic4, Lars R. Knudsen1, Gregor Leander1y, Ventzislav Nikov4, Christof Paar3, Christian Rechberger1, Peter Rombouts4, Søren S. Thomsen1, and Tolga Yal¸cın3 1 Technical University of Denmark 2 INRIA, Paris-Rocquencourt, France 3 Ruhr-University Bochum, Germany 4 NXP Semiconductors, Leuven, Belgium Abstract. This paper presents a block cipher that is optimized with respect to latency when implemented in hardware. Such ciphers are de- sirable for many future pervasive applications with real-time security needs. Our cipher, named PRINCE, allows encryption of data within one clock cycle with a very competitive chip area compared to known solutions. The fully unrolled fashion in which such algorithms need to be implemented calls for innovative design choices. The number of rounds must be moderate and rounds must have short delays in hardware. At the same time, the traditional need that a cipher has to be iterative with very similar round functions disappears, an observation that increases the design space for the algorithm. An important further requirement is that realizing decryption and encryption results in minimum additional costs. PRINCE is designed in such a way that the overhead for decryp- tion on top of encryption is negligible. More precisely for our cipher it holds that decryption for one key corresponds to encryption with a re- lated key. This property we refer to as α-reflection is of independent interest and we prove its soundness against generic attacks. 1 Introduction The area of lightweight cryptography, i.e., ciphers with particularly low imple- mentation costs, has drawn considerable attention over the last years.
    [Show full text]
  • Lecture Notes on Error-Correcting Codes and Their Applications to Symmetric Cryptography
    Lecture Notes on Error-Correcting Codes and their Applications to Symmetric Cryptography Anne Canteaut Inria [email protected] https://www.rocq.inria.fr/secret/Anne.Canteaut/ version: December 4, 2017 Contents 10 Reed-Muller Codes and Boolean Functions 5 10.1 Boolean functions and their representations . .5 10.1.1 Truth table and Algebraic normal form . .5 10.1.2 Computing the Algebraic Normal Form . .8 10.2 Reed-Muller codes . 11 10.2.1 Definition . 11 10.2.2 The (uju + v) construction . 12 10.3 Weight distributions of Reed-Muller codes . 13 10.3.1 Minimum distance of R(r; m) ........................ 13 10.3.2 Weight distribution of R(1; m) ....................... 14 10.3.3 Weight distribution of R(m − 1; m) ..................... 15 10.3.4 Weight distribution of R(2; m) ....................... 15 10.3.5 Duality . 15 10.3.6 Other properties of the weights of R(r; m) ................. 17 11 Stream Cipher Basics 19 11.1 Basic principle . 19 11.1.1 Synchronous additive stream ciphers . 19 11.1.2 Pseudo-random generators . 21 11.1.3 General functionalities of stream ciphers and usage . 22 11.2 Models of attacks . 23 11.3 Generic attacks on stream ciphers . 24 11.3.1 Period of the sequence of internal states . 24 11.3.2 Time-Memory-Data Trade-off attacks . 27 11.3.3 Statistical tests . 36 11.4 The main families of stream ciphers . 37 11.4.1 Information-theoretically generators . 37 11.4.2 Generators based on a difficult mathematical problem . 38 11.4.3 Generators based on block ciphers .
    [Show full text]
  • Stream Ciphers
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by HAL-CEA Stream ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression Anne Canteaut, Sergiu Carpov, Caroline Fontaine, Tancr`edeLepoint, Mar´ıa Naya-Plasencia, Pascal Paillier, Renaud Sirdey To cite this version: Anne Canteaut, Sergiu Carpov, Caroline Fontaine, Tancr`edeLepoint, Mar´ıaNaya-Plasencia, et al.. Stream ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression. FSE 2016 : 23rd International Conference on Fast Software Encryption, Mar 2016, Bochum, Germany. Springer, 9783 - LNCS (Lecture Notes in Computer Science), pp.313-333, Fast Software Encryption 23rd International Conference, FSE 2016, Bochum, Germany, March 20- 23, 2016, <http://fse.rub.de/>. <10.1007/978-3-662-52993-5 16>. <hal-01280479> HAL Id: hal-01280479 https://hal.archives-ouvertes.fr/hal-01280479 Submitted on 28 Nov 2016 HAL is a multi-disciplinary open access L'archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destin´eeau d´ep^otet `ala diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publi´esou non, lished or not. The documents may come from ´emanant des ´etablissements d'enseignement et de teaching and research institutions in France or recherche fran¸caisou ´etrangers,des laboratoires abroad, or from public or private research centers. publics ou priv´es. Stream ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression?
    [Show full text]
  • A Bibliography of Papers in Lecture Notes in Computer Science (2002) (Part 2 of 4)
    A Bibliography of Papers in Lecture Notes in Computer Science (2002) (Part 2 of 4) Nelson H. F. Beebe University of Utah Department of Mathematics, 110 LCB 155 S 1400 E RM 233 Salt Lake City, UT 84112-0090 USA Tel: +1 801 581 5254 FAX: +1 801 581 4148 E-mail: [email protected], [email protected], [email protected] (Internet) WWW URL: http://www.math.utah.edu/~beebe/ 02 May 2020 Version 1.11 Title word cross-reference -adic [1754, 1720]. -Center [1691]. -D [1664, 84, 1060, 1019, 1637, 1647, 1364]. -Gram [1705]. -Level [50]. -List [1694]. -nearest [408]. -Partition [434]. -SAT (3; 3) [1732]. 0 [426]. 1 [426, 1647]. 1=f [420]. -Split [1732]. -Stability [164]. -Stage [1260]. 168 [1729]. 2 [1662]. -Tier [1430]. [1740, 943, 1677, 420, 50, 1732]. 3 [146, 154, 18, 1094, 1033, 1664, 196, 992, 1020, .NET [88]. 1065, 84, 29, 1640, 1075, 1093, 1662, 1023, 142, 1011, 1019, 1637, 30, 219, 1364, 1107, 1430]. /Geom/c [659]. 3 × 3 [536]. 4 [1060]. 8 · 168 [1729]. (G) [659]. 2 [1056]. st [208]. TM [596]. [213]. 2 1003.1q [1336]. 128 [1540]. 1980-88 [19]. ax7 + bx + c [1729]. ax8 + bx + c [1729]. ∆ 1989-1997 [20]. [1694]. Dy2 = x3 [1735]. k [1701, 434, 1677, 408, 1691]. kth [1711]. 2 [637]. 21 [208]. 2nd [1247]. MIN ERVA [292]. NEMESIS [358]. p [1754]. n [301]. N = pq [1752]. P [164, 1720]. 3G [649, 102, 640]. 3GPP [673]. 3rd [709]. Ψ [285]. q [1705]. x [1735]. y00 = f(x; y) [164]. 1 2 90 [186]. 95 [1328, 1329].
    [Show full text]
  • Improved Correlation Attacks on SOSEMANUK and SOBER-128
    Improved Correlation Attacks on SOSEMANUK and SOBER-128 Joo Yeon Cho Helsinki University of Technology Department of Information and Computer Science, Espoo, Finland 24th March 2009 1 / 35 SOSEMANUK Attack Approximations SOBER-128 Outline SOSEMANUK Attack Method Searching Linear Approximations SOBER-128 2 / 35 SOSEMANUK Attack Approximations SOBER-128 SOSEMANUK (from Wiki) • A software-oriented stream cipher designed by Come Berbain, Olivier Billet, Anne Canteaut, Nicolas Courtois, Henri Gilbert, Louis Goubin, Aline Gouget, Louis Granboulan, Cedric` Lauradoux, Marine Minier, Thomas Pornin and Herve` Sibert. • One of the final four Profile 1 (software) ciphers selected for the eSTREAM Portfolio, along with HC-128, Rabbit, and Salsa20/12. • Influenced by the stream cipher SNOW and the block cipher Serpent. • The cipher key length can vary between 128 and 256 bits, but the guaranteed security is only 128 bits. • The name means ”snow snake” in the Cree Indian language because it depends both on SNOW and Serpent. 3 / 35 SOSEMANUK Attack Approximations SOBER-128 Overview 4 / 35 SOSEMANUK Attack Approximations SOBER-128 Structure 1. The states of LFSR : s0,..., s9 (320 bits) −1 st+10 = st+9 ⊕ α st+3 ⊕ αst, t ≥ 1 where α is a root of the primitive polynomial. 2. The Finite State Machine (FSM) : R1 and R2 R1t+1 = R2t ¢ (rtst+9 ⊕ st+2) R2t+1 = Trans(R1t) ft = (st+9 ¢ R1t) ⊕ R2t where rt denotes the least significant bit of R1t. F 3. The trans function Trans on 232 : 32 Trans(R1t) = (R1t × 0x54655307 mod 2 )≪7 4. The output of the FSM : (zt+3, zt+2, zt+1, zt)= Serpent1(ft+3, ft+2, ft+1, ft)⊕(st+3, st+2, st+1, st) 5 / 35 SOSEMANUK Attack Approximations SOBER-128 Previous Attacks • Authors state that ”No linear relation holds after applying Serpent1 and there are too many unknown bits...”.
    [Show full text]
  • (Pseudo) Random Number Generation for Cryptography
    Thèse de Doctorat présentée à L’ÉCOLE POLYTECHNIQUE pour obtenir le titre de DOCTEUR EN SCIENCES Spécialité Informatique soutenue le 18 mai 2009 par Andrea Röck Quantifying Studies of (Pseudo) Random Number Generation for Cryptography. Jury Rapporteurs Thierry Berger Université de Limoges, France Andrew Klapper University of Kentucky, USA Directeur de Thèse Nicolas Sendrier INRIA Paris-Rocquencourt, équipe-projet SECRET, France Examinateurs Philippe Flajolet INRIA Paris-Rocquencourt, équipe-projet ALGORITHMS, France Peter Hellekalek Universität Salzburg, Austria Philippe Jacquet École Polytechnique, France Kaisa Nyberg Helsinki University of Technology, Finland Acknowledgement It would not have been possible to finish this PhD thesis without the help of many people. First, I would like to thank Prof. Peter Hellekalek for introducing me to the very rich topic of cryptography. Next, I express my gratitude towards Nicolas Sendrier for being my supervisor during my PhD at Inria Paris-Rocquencourt. He gave me an interesting topic to start, encouraged me to extend my research to the subject of stream ciphers and supported me in all my decisions. A special thanks also to Cédric Lauradoux who pushed me when it was necessary. I’m very grateful to Anne Canteaut, which had always an open ear for my questions about stream ciphers or any other topic. The valuable discussions with Philippe Flajolet about the analysis of random functions are greatly appreciated. Especially, I want to express my gratitude towards my two reviewers, Thierry Berger and Andrew Klapper, which gave me precious comments and remarks. I’m grateful to Kaisa Nyberg for joining my jury and for receiving me next year in Helsinki.
    [Show full text]
  • NOCAS: a Nonlinear Cellular Automata Based Stream Cipher
    NOCAS : A Nonlinear Cellular Automata Based Stream Cipher Sandip Karmakar, Dipanwita Roy Chowdhury To cite this version: Sandip Karmakar, Dipanwita Roy Chowdhury. NOCAS : A Nonlinear Cellular Automata Based Stream Cipher. 17th International Workshop on Celular Automata and Discrete Complex Systems, 2011, Santiago, Chile. pp.135-146. hal-01196137 HAL Id: hal-01196137 https://hal.inria.fr/hal-01196137 Submitted on 9 Sep 2015 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. AUTOMATA 2011, Santiago, Chile DMTCS proc. AP, 2012, 135–146 NOCAS : A Nonlinear Cellular Automata Based Stream Cipher Sandip Karmakary and Dipanwita Roy Chowdhury Indian Institute of Technology, Kharagpur, WB, India LFSR and NFSR are the basic building blocks in almost all the state of the art stream ciphers like Trivium and Grain- 128. However, a number of attacks are mounted on these type of ciphers. Cellular Automata (CA) has recently been chosen as a suitable structure for crypto-primitives. In this work, a stream cipher is presented based on hybrid CA. The stream cipher takes 128 bit key and 128 bit initialization vector (IV) as input. It is designed to produce 2128 random keystream bits and initialization phase is made faster 4 times than that of Grain-128.
    [Show full text]
  • INRIA, Evaluation of Theme Sym B
    INRIA, Evaluation of Theme Sym B Project-team CODES November 2006 Project-team title: CODES Scientific leader: Nicolas Sendrier Research center: Rocquencourt 1 Personnel Personnel (March 2002) Misc. INRIA CNRS University Total DR (1) / Professors 1 1 2 CR (2) / Assistant Professors 4 4 Permanent Engineers (3) Temporary Engineers (4) PhD Students 5 1 3 9 Post-Doc. 1 1 Total 5 6 5 16 External Collaborators 6 4 9 Visitors (> 1 month) (1) “Senior Research Scientist (Directeur de Recherche)” (2) “Junior Research Scientist (Charg´ede Recherche)” (3) “Civil servant (CNRS, INRIA, ...)” (4) “Associated with a contract (Ing´enieurExpert or Ing´enieurAssoci´e)” Personnel (November 2006) Misc. INRIA CNRS University Total DR / Professors 3 3 CR / Assistant Professor 2 2 Permanent Engineer Temporary Engineer PhD Students 6 4 1 11 Post-Doc. 1 1 Total 7 9 1 17 External Collaborators 5 2 8 Visitors (> 1 month) 1 Changes in staff DR / Professors Misc. INRIA CNRS University total CR / Assistant Professors Arrival Leaving Comments: Claude Carlet was moved from “Staff” to “External Collaborators” be- cause of his involvement at the University Paris 8. Nicolas Sendrier and Anne Canteaut have been promoted from CR to DR during the period. Jean-Pierre Tillich was on a temporary INRIA CR position (“d´etachement”) and has now a permanent INRIA CR position. The following researchers had a temporary position in the group during the period: • Enes Pasalic (Post-doc. in 2003) • Emmanuel Cadic (Post-doc. in 2004) • Avishek Adhikari (Post-doc. in 2004/2005) • Michael Quisquater
    [Show full text]
  • Construction of Lightweight S-Boxes Using Feistel and MISTY Structures (Full Version?)??
    Construction of Lightweight S-Boxes using Feistel and MISTY structures (Full Version?)?? Anne Canteaut, S´ebastienDuval, and Ga¨etanLeurent Inria, project-team SECRET, France fAnne.Canteaut, Sebastien.Duval, [email protected] Abstract. The aim of this work is to find large S-Boxes, typically operating on 8 bits, having both good cryptographic properties and a low implementation cost. Such S-Boxes are suitable building-blocks in many lightweight block ciphers since they may achieve a better security level than designs based directly on smaller S-Boxes. We focus on S-Boxes corresponding to three rounds of a balanced Feistel and of a balanced MISTY structure, and generalize the recent results by Li and Wang on the best differential uniformity and linearity offered by such a construction. Most notably, we prove that Feistel networks supersede MISTY networks for the construction of 8-bit permutations. Based on these results, we also provide a particular instantiation of an 8-bit permutation with better properties than the S-Boxes used in several ciphers, including Robin, Fantomas or CRYPTON. Keywords: S-Box, Feistel network, MISTY network, Lightweight block-cipher. 1 Introduction A secure block cipher must follow Shannon's criteria and provide confusion and diffusion [42]. In most cases, confusion is achieved with small substitution boxes (S-Boxes) operating on parts of the state (usually bytes) in parallel, and diffusion is achieved with linear operations mixing the state. The security of the cipher is then strongly dependent on the cryptographic properties of the S-Boxes. For instance, the AES uses an 8-bit S-Box based on the inversion in the finite field with 28 elements.
    [Show full text]
  • Adapting Rigidity to Symmetric Cryptography: Towards “Unswerving” Designs∗
    Adapting Rigidity to Symmetric Cryptography: Towards “Unswerving” Designs∗ Orr Dunkelman1 and Léo Perrin2 1 Computer Science Department, University of Haifa, Haifa, Israel; [email protected] 2 Inria, Paris, France; [email protected] Abstract. While designers of cryptographic algorithms are rarely considered as potential adversaries, past examples, such as the standardization of the Dual EC PRNG highlights that the story might be more complicated. To prevent the existence of backdoors, the concept of rigidity was introduced in the specific context of curve generation. The idea is to first state a strict scope statement for the properties that the curve needs to have and then pick e.g. the one with the smallest parameters. The aim is to ensure that the designers did not have the degrees of freedom that allows the addition of a trapdoor. In this paper, we apply this approach to symmetric algorithms. The task is challenging because the corresponding primitives are more complex: they consist of several sub- components of different types, and the properties required by these sub-components to achieve the desired security level are not as clearly defined. Furthermore, security often comes in this case from the interplay between these components rather than from their individual properties. In this paper, we argue that it is nevertheless necessary to demand that symmetric algorithms have a similar but, due to their different nature, more complex property which we call “unswervingness”. We motivate this need via a study of the literature on symmetric “kleptography” and via the study of some real-world standards. We then suggest some guidelines that could be used to leverage the unswervingness of a symmetric algorithm to standardize a highly trusted and equally safe variant of it.
    [Show full text]
  • The Estream Project
    The eSTREAM Project Matt Robshaw Orange Labs 11.06.07 Orange Labs ECRYPT An EU Framework VI Network of Excellence > 5 M€ over 4.5 years More than 30 european institutions (academic and industry) ECRYPT activities are divided into Virtual Labs Which in turn are divided into Working Groups General SPEED eSTREAM Assembly Project Executive Strategic Coordinator Mgt Comm. Committee STVL AZTEC PROVILAB VAMPIRE WAVILA WG1 WG2 WG3 WG4 The eSTREAM Project – Matt Robshaw (2) Orange Labs 1 Cryptography (Overview!) Cryptographic algorithms often divided into two classes Symmetric (secret-key) cryptography • Participants using secret-key cryptography share the same key material Asymmetric (public-key) cryptography • Participants using public-key cryptography use different key material Symmetric encryption can be divided into two classes Block ciphers Stream ciphers The eSTREAM Project – Matt Robshaw (3) Orange Labs Stream Ciphers Stream encryption relies on the generation of a "random looking" keystream Encryption itself uses bitwise exclusive-or 0110100111000111001110000111101010101010101 keystream 1110111011101110111011101110111011100000100 plaintext 1000011100101001110101101001010001001010001 ciphertext Stream encryption offers some interesting properties They offer an attractive link with perfect secrecy (Shannon) No data buffering required Attractive error handling and propagation (for some applications) How do we generate keystream ? The eSTREAM Project – Matt Robshaw (4) Orange Labs 2 Stream Ciphers in a Nutshell Stream ciphers
    [Show full text]
  • Symmetric Cryptography
    Security Issues in Cloud Computing Modern Cryptography I { Symmetric Cryptography Peter Schwabe October 14, 2011 The binary alphabet So far we considered the alphabet A; B; : : : ; Z, and noted that it could also be written as 0;:::; 25. Encryption used addition modulo 26. Modern cryptography is targeted at computations carried out by a computer, it typically uses the alphabet 0; 1 (binary alphabet). • We call a letter at this alphabet bit. • A word of length 8 is called a byte. • We use the term n-bit string for a word of length n. • Most important operation is addition modulo 2, denoted ⊕, we call this operation xor (exclusive or). This operation can be extended to n-bit strings by applying it letter-wise, for example: 0 1 0 1 1 1 0 1 ⊕ 1 1 1 0 1 0 0 1 1 0 1 1 0 1 0 0 • Addition is the same as subtraction modulo 2. Adding (xoring) the same value twice results in the orignial value. • All information stored on typical computers is represented as words over this al- phabet. Stream ciphers Recall Vernam's cipher: Encryption is performed by adding (now: xoring) a random key stream to the message. The main disadvantage is that the random key needs to be as long as the message. 1 Idea: Use a relatively short random key. Use that to deterministically generate a random-looking (pseudo-random) key stream, xor this with the message. To obtain different key streams from the same key one usually uses a non-secret initalization vector (or nonce), as additional input.
    [Show full text]