Publications catalogue - books


Fast Software Encryption: 12th International Workshop, FSE 2005, Paris, France, February 21-23, 2005, Revised Selected Papers

Henri Gilbert ; Helena Handschuh (eds.)

At conference: 12th International Workshop on Fast Software Encryption (FSE). Paris, France. February 21, 2005 - February 23, 2005

Abstract/Description – provided by the publisher

Not available.

Keywords – provided by the publisher

Data Encryption; Coding and Information Theory; Algorithm Analysis and Problem Complexity; Discrete Mathematics in Computer Science

Availability
Detected institution | Publication year | Browse | Download | Request
Not detected | 2005 | SpringerLink

Information

Resource type:

books

Print ISBN

978-3-540-26541-2

Electronic ISBN

978-3-540-31669-5

Publisher

Springer Nature

Country of publication

United Kingdom

Publication date

Publication rights information

© Springer-Verlag Berlin Heidelberg 2005

Table of contents

Analysis of the Non-linear Part of Mugi

Alex Biryukov; Adi Shamir

This paper presents the results of a preliminary analysis of the stream cipher . We study the nonlinear component of this cipher and identify several potential weaknesses in its design. While we cannot break the full design, we show that it is extremely sensitive to small variations. For example, it is possible to recover the full 1216-bit state of the cipher and the original 128-bit secret key using just 56 words of known stream and in 2 steps of analysis if the cipher outputs any state word which is different from the one used in the actual design. If the linear part is eliminated from the design, then the secret non-linear 192-bit state can be recovered given only three output words and in just 2 steps. If it is kept in the design but in a simplified form, then the scheme can be broken by an attack which is slightly faster than exhaustive search.

- Stream Ciphers III | Pp. 320-329

Two Attacks Against the HBB Stream Cipher

Antoine Joux; Frédéric Muller

Hiji-Bij-Bij (HBB) is a new stream cipher proposed by Sarkar at Indocrypt’03. In this algorithm, classical LFSRs are replaced by cellular automata (CA). This idea of using CAs in such constructions was initially proposed by Sarkar at Crypto’02, in order to instantiate its new Filter-Combiner model.

In this paper, we show two attacks against HBB. First we apply differential cryptanalysis to the self-synchronizing mode. The resulting attack is very efficient since it recovers the secret key by processing a chosen message of length only 2 Kbytes. Then we describe an algebraic attack against the basic mode of HBB. This attack is much faster than exhaustive search for secret keys of length 256 bits.

- Stream Ciphers III | Pp. 330-341

Two Linear Distinguishing Attacks on VMPC and RC4A and Weakness of RC4 Family of Stream Ciphers

Alexander Maximov

At FSE 2004 two new stream ciphers VMPC and RC4A have been proposed. VMPC is a generalisation of the stream cipher RC4, whereas RC4A is an attempt to increase the security of RC4 by introducing an additional permuter in the design. This paper is the first work presenting attacks on VMPC and RC4A. We propose two linear distinguishing attacks, one on VMPC of complexity 2, and one on RC4A of complexity 2. We investigate the RC4 family of stream ciphers and show some theoretical weaknesses of such constructions.

- Stream Ciphers III | Pp. 342-358

Impossible Fault Analysis of RC4 and Differential Fault Analysis of RC4

Eli Biham; Louis Granboulan; Phong Q. Nguyễn

In this paper we introduce the notion of , and present an impossible fault analysis of RC4, whose complexity 2 is smaller than the previously best known attack of Hoch and Shamir (2), along with an even faster fault analysis of RC4, based on different ideas, with complexity smaller than 2.

- Stream Ciphers III | Pp. 359-367

Related-Key Rectangle Attacks on Reduced Versions of SHACAL-1 and AES-192

Seokhie Hong; Jongsung Kim; Sangjin Lee; Bart Preneel

In this paper we propose a notion of related-key rectangle attack using 4 related keys. It is based on two consecutive related-key differentials which are independent of each other. Using this attack we can break SHACAL-1 with 512-bit keys up to 70 rounds out of 80 rounds and AES with 192-bit keys up to 8 rounds out of 12 rounds, which are faster than exhaustive search.

- Block Ciphers II | Pp. 368-383

New Attacks Against Reduced-Round Versions of IDEA

Pascal Junod

In this paper, we describe a sequence of simple, yet efficient chosen-plaintext (or chosen-ciphertext) attacks against reduced-round versions of IDEA (with 2, 2.5, 3, 3.5, and 4 rounds) which compare favourably with the best known attacks: some of them decrease considerably the time complexity given the same order of data at disposal while other ones decrease the amount of necessary known- or chosen-plaintext pairs under comparable time complexities. Additionally, we show how to trade time and memory for some of the known-plaintext attacks of Nakahara

- Block Ciphers II | Pp. 384-397

How to Maximize Software Performance of Symmetric Primitives on Pentium III and 4 Processors

Mitsuru Matsui; Sayaka Fukuda

This paper discusses the state-of-the-art software optimization methodology for symmetric cryptographic primitives on Pentium III and 4 processors. We aim at maximizing speed by considering the internal pipeline architecture of these processors. This is the first paper studying an optimization of ciphers on Prescott, a new core of Pentium 4. Our AES program with 128-bit key achieves 251 cycles/block on Pentium 4, which is, to our best knowledge, the fastest implementation of AES on Pentium 4. We also optimize the SNOW2.0 keystream generator. Our program of SNOW2.0 for Pentium III runs at the rate of 2.75 μops/cycle, which seems the most efficient code ever made for a real-world cipher primitive. For the FOX128 block cipher, we propose a technique for speeding up by interleaving two independent blocks using a register group separation. Finally we consider fast implementation of SHA512 and Whirlpool, two hash functions with a genuine 64-bit architecture. It will be shown that the new SIMD instruction sets introduced in Pentium 4 contribute excellently to fast hashing of SHA512.

- Implementations | Pp. 398-412

A Side-Channel Analysis Resistant Description of the AES S-Box

Elisabeth Oswald; Stefan Mangard; Norbert Pramstaller; Vincent Rijmen

So far, efficient algorithmic countermeasures to secure the AES algorithm against (first-order) differential side-channel attacks have been very expensive to implement. In this article, we introduce a new masking countermeasure which is not only secure against first-order side-channel attacks, but which also leads to relatively small implementations compared to other masking schemes implemented in dedicated hardware.

Our approach is based on shifting the computation of the finite field inversion in the AES S-box down to (4). In this field, the inversion is a linear operation and therefore it is easy to mask.

Summarizing, the new masking scheme combines the concepts of multiplicative and additive masking in such a way that security against first-order side-channel attacks is maintained, and that small implementations in dedicated hardware can be achieved.

- Implementations | Pp. 413-423

DPA Attacks and S-Boxes

Emmanuel Prouff

For the power consumption model called , we rewrite DPA attacks in terms of correlation coefficients between two Boolean functions. We exhibit properties of -boxes (also called (,)-functions) relied on DPA attacks. We show that these properties are opposite to the non-linearity criterion and to the propagation criterion. To quantify the resistance of an -box to DPA attacks, we introduce the notion of and we study this new criterion with respect to the non-linearity and to the propagation criterion.

- Implementations | Pp. 424-441