Dates are inconsistent

Dates are inconsistent

50 results sorted by ID

2024/2024 (PDF) Last updated: 2024-12-13
Hash-Prune-Invert: Improved Differentially Private Heavy-Hitter Detection in the Two-Server Model
Borja Balle, James Bell, Albert Cheu, Adria Gascon, Jonathan Katz, Mariana Raykova, Phillipp Schoppmann, Thomas Steinke
Cryptographic protocols

Differentially private (DP) heavy-hitter detection is an important primitive for data analysis. Given a threshold $t$ and a dataset of $n$ items from a domain of size $d$, such detection algorithms ignore items occurring fewer than $t$ times while identifying items occurring more than $t+\Delta$ times; we call $\Delta$ the error margin. In the central model where a curator holds the entire dataset, $(\varepsilon,\delta)$-DP algorithms can achieve error margin $\Theta(\frac 1 \varepsilon...

2024/1998 (PDF) Last updated: 2024-12-11
Impossible Differential Automation: Model Generation and New Techniques
Emanuele Bellini, Paul Huynh, David Gerault, Andrea Visconti, Alessandro De Piccoli, Simone Pelizzola
Secret-key cryptography

In this paper, we aim to enhance and automate advanced techniques for impossible differential attacks. To demonstrate these advancements, we present improved attacks on the LBlock and HIGHT block ciphers. More precisely, we (a) introduce a methodology to automatically invert symmetric ciphers when represented as directed acyclic graphs, a fundamental step in the search for impossible differential trails and in key recovery techniques; (b) automate the search for impossible differential...

2024/448 (PDF) Last updated: 2024-03-15
Differential Cryptanalysis of a Lightweight Block Cipher LELBC
Manjeet Kaur, Tarun Yadav, Manoj Kumar, Dhananjoy Dey
Attacks and cryptanalysis

In this study, we investigate the newly developed low energy lightweight block cipher (LELBC), specifically designed for resource-constrained Internet of Things (IoT) devices in smart agriculture. The designers conducted a preliminary differential cryptanalysis of LELBC through mixed-integer linear programming (MILP). This paper further delves into LELBC’s differential characteristics in both single and related-key frameworks using MILP, identifying a nine-round differential characteristic...

2023/1911 (PDF) Last updated: 2023-12-13
Non-Interactive Classical Verification of Quantum Depth: A Fine-Grained Characterization
Nai-Hui Chia, Shih-Han Hung
Cryptographic protocols

We introduce protocols for classical verification of quantum depth (CVQD). These protocols enable a classical verifier to differentiate between devices of varying quantum circuit depths, even in the presence of classical computation. The goal is to demonstrate that a classical verifier can reject a device with a quantum circuit depth of no more than $d$, even if the prover employs additional polynomial-time classical computation to deceive. Conversely, the verifier accepts a device with a...

2023/1689 (PDF) Last updated: 2023-11-01
Revisiting the Boomerang Attack from a Perspective of 3-differential
Libo Wang, Ling Song, Baofeng Wu, Mostafizar Rahman, Takanori Isobe
Secret-key cryptography

In this paper, inspired by the work of Beyne and Rijmen at CRYPTO 2022, we explore the accurate probability of $d$-differential in the fixed-key model. The theoretical foundations of our method are based on a special matrix $-$ quasi-$d$-differential transition matrix, which is a natural extension of the quasidifferential transition matrix. The role of quasi-$d$-differential transition matrices in polytopic cryptananlysis is analogous to that of correlation matrices in linear cryptanalysis....

2023/1213 (PDF) Last updated: 2023-12-05
Fallen Sanctuary: A Higher-Order and Leakage-Resilient Rekeying Scheme
Rei Ueno, Naofumi Homma, Akiko Inoue, Kazuhiko Minematsu
Secret-key cryptography

This paper presents a provably secure, higher-order, and leakage-resilient (LR) rekeying scheme named LR Rekeying with Random oracle Repetition (LR4), along with a quantitative security evaluation methodology. Many existing LR primitives are based on a concept of leveled implementation, which still essentially require a leak-free sanctuary (i.e., differential power analysis (DPA)-resistant component(s)) for some parts. In addition, although several LR pseudorandom functions (PRFs) based on...

2023/944 (PDF) Last updated: 2023-06-16
BALoo: First and Efficient Countermeasure dedicated to Persistent Fault Attacks
Pierre-Antoine Tissot, Lilian Bossuet, Vincent Grosso
Implementation

Persistent fault analysis is a novel and efficient cryptanalysis method. The persistent fault attacks take advantage of a persistent fault injected in a non-volatile memory, then present on the device until the reboot of the device. Contrary to classical physical fault injection, where differential analysis can be performed, persistent fault analysis requires new analyses and dedicated countermeasures. Persistent fault analysis requires a persistent fault injected in the S-box such that the...

2023/928 (PDF) Last updated: 2024-06-21
On vectorial functions mapping strict affine subspaces of their domain into strict affine subspaces of their co-domain, and the strong D-property
Claude Carlet, Enrico Piccione
Foundations

Given three positive integers $n<N$ and $M$, we study those vectorial Boolean $(N,M)$-functions $\mathcal{F}$ which map an $n$-dimensional affine space $A$ into an $m$-dimensional affine space where $m<M$ and possibly $m=n$. This provides $(n,m)$-functions $\mathcal{F}_A$ as restrictions of $\mathcal{F}$. We show that the nonlinearity of $\mathcal{F}$ must not be too large for allowing this, and we observe that if it is zero, then it is always possible. In this case, we show that the...

2023/894 (PDF) Last updated: 2023-06-09
Differentially Private Selection from Secure Distributed Computing
Ivan Damgård, Hannah Keller, Boel Nelson, Claudio Orlandi, Rasmus Pagh
Cryptographic protocols

Given a collection of vectors $\mathbf{x}^{(1)},\dots,\mathbf{x}^{(n)} \in \{0,1\}^d$, the selection problem asks to report the index of an "approximately largest" entry in $\mathbf{x}=\sum_{j=1}^n \mathbf{x}^{(j)}$. Selection abstracts a host of problems; in machine learning it can be used for hyperparameter tuning, feature selection, or to model empirical risk minimization. We study selection under differential privacy, where a released index guarantees privacy for individual vectors....

2022/1335 (PDF) Last updated: 2023-09-20
Revisiting Higher-Order Differential-Linear Attacks from an Algebraic Perspective
Kai Hu, Thomas Peyrin, Quan Quan Tan, Trevor Yap
Secret-key cryptography

The Higher-order Differential-Linear (HDL) attack was introduced by Biham \textit{et al.} at FSE 2005, where a linear approximation was appended to a Higher-order Differential (HD) transition. It is a natural generalization of the Differential-Linear (DL) attack. Due to some practical restrictions, however, HDL cryptanalysis has unfortunately attracted much less attention compared to its DL counterpart since its proposal. In this paper, we revisit HD/HDL cryptanalysis from an algebraic...

2022/1059 (PDF) Last updated: 2022-08-15
Classification of all DO planar polynomials with prime field coefficients over GF(3^n) for n up to 7
Diana Davidova, Nikolay Kaleyski
Foundations

We describe how any function over a finite field $\mathbb{F}_{p^n}$ can be represented in terms of the values of its derivatives. In particular, we observe that a function of algebraic degree $d$ can be represented uniquely through the values of its derivatives of order $(d-1)$ up to the addition of terms of algebraic degree strictly less than $d$. We identify a set of elements of the finite field, which we call the degree $d$ extension of the basis, which has the property that for any...

2022/816 (PDF) Last updated: 2022-06-22
Securing Approximate Homomorphic Encryption Using Differential Privacy
Baiyu Li, Daniele Micciancio, Mark Schultz, Jessica Sorrell
Cryptographic protocols

Recent work of Li and Micciancio (Eurocrypt 2021) has shown that the traditional formulation of indistinguishability under chosen plaintext attack (INDCPA) is not adequate to capture the security of approximate homomorphic encryption against passive adversaries, and identified a stronger INDCPA^D security definition (INDCPA with decryption oracles) as the appropriate security target for approximate encryption schemes. We show how to any approximate homomorphic encryption scheme achieving...

2022/664 (PDF) Last updated: 2023-06-09
The $c-$differential uniformity and boomerang uniformity of three classes of permutation polynomials over $\mathbb{F}_{2^n}$
Qian Liu, Zhiwei Huang, Jianrui Xie, Ximeng Liu, Jian Zou
Foundations

Permutation polynomials with low $c$-differential uniformity and boomerang uniformity have wide applications in cryptography. In this paper, by utilizing the Weil sums technique and solving some certain equations over $\mathbb{F}_{2^n}$, we determine the $c$-differential uniformity and boomerang uniformity of these permutation polynomials: (1) $f_1(x)=x+\mathrm{Tr}_1^n(x^{2^{k+1}+1}+x^3+x+ux)$, where $n=2k+1$, $u\in\mathbb{F}_{2^n}$ with $\mathrm{Tr}_1^n(u)=1$; (2)...

2022/505 (PDF) Last updated: 2022-10-17
Riding the Waves Towards Generic Single-Cycle Masking in Hardware
Rishub Nagpal, Barbara Gigerl, Robert Primas, Stefan Mangard
Implementation

Research on the design of masked cryptographic hardware circuits in the past has mostly focused on reducing area and randomness requirements. However, many embedded devices like smart cards and IoT nodes also need to meet certain performance criteria, which is why the latency of masked hardware circuits also represents an important metric for many practical applications. The root cause of latency in masked hardware circuits is the need for additional register stages that synchronize the...

2021/310 (PDF) Last updated: 2022-02-24
A New Neural Distinguisher Considering Features Derived from Multiple Ciphertext Pairs
Yi Chen, Yantian Shen, Hongbo Yu, Sitong Yuan
Secret-key cryptography

Neural aided cryptanalysis is a challenging topic, in which the neural distinguisher (N D) is a core module. In this paper, we propose a new N D considering multiple ciphertext pairs simultaneously. Besides, multiple ciphertext pairs are constructed from different keys. The motivation is that the distinguishing accuracy can be improved by exploiting features derived from multiple ciphertext pairs. To verify this motivation, we have applied this new N D to five different ciphers. Experiments...

2021/098 (PDF) Last updated: 2021-01-27
Image sets of perfectly nonlinear maps
Lukas Kölsch, Björn Kriepke, Gohar Kyureghyan
Secret-key cryptography

We consider image sets of $d$-uniform maps of finite fields. We present a lower bound on the image size of such maps and study their preimage distribution, by extending methods used for planar maps. We apply the results to study $d$-uniform Dembowsi-Ostrom polynomials. Further, we focus on a particularly interesting case of APN maps on binary fields $\F_{2^n}$. For these maps our lower bound coincides with previous bounds. We show that APN maps fulfilling the lower bound have a very...

2020/503 (PDF) Last updated: 2020-04-30
A New Encoding Algorithm for a Multidimensional Version of the Montgomery Ladder
Aaron Hutchinson, Koray Karabina
Public-key cryptography

We propose a new encoding algorithm for the simultaneous differential multidimensional scalar point multiplication algorithm $d$-MUL. Previous encoding algorithms are known to have major drawbacks in their efficient and secure implementation. Some of these drawbacks have been avoided in a recent paper in 2018 at a cost of losing the general functionality of the point multiplication algorithm. In this paper, we address these issues. Our new encoding algorithm takes the binary representations...

2019/1382 (PDF) Last updated: 2020-06-13
On the Power of Multiple Anonymous Messages
Badih Ghazi, Noah Golowich, Ravi Kumar, Rasmus Pagh, Ameya Velingker
Foundations

An exciting new development in differential privacy is the shuffled model, in which an anonymous channel enables non-interactive, differentially private protocols with error much smaller than what is possible in the local model, while relying on weaker trust assumptions than in the central model. In this paper, we study basic counting problems in the shuffled model and establish separations between the error that can be achieved in the single-message shuffled model and in the shuffled model...

2019/1253 (PDF) Last updated: 2019-10-28
Probabilistic Properties of Modular Addition \\ (Extended abstract)
Victoria Vysotskaya
Secret-key cryptography

We studied the applicability of differential cryptanalysis to cryptosystems based on operation of addition modulo $2^n$. We obtained an estimate (accurate up to an additive constant) of expected value of entropy $H_n$ in rows of DDT of corresponding mapping. Moreover, the $k$-th moments of $2^{H_n}$ are explored. In particular, asymptotic inequalities that describe the behavior of values $\mathbb{E}2^{H_n}$ and $\mathbb{D}2^{H_n}$ as $n \to \infty$ were obtained. A simple analytical formula...

2019/956 (PDF) Last updated: 2021-02-23
Security of Hedged Fiat-Shamir Signatures under Fault Attacks
Diego F. Aranha, Claudio Orlandi, Akira Takahashi, Greg Zaverucha
Public-key cryptography

Deterministic generation of per-signature randomness has been a widely accepted solution to mitigate the catastrophic risk of randomness failure in Fiat--Shamir type signature schemes. However, recent studies have practically demonstrated that such de-randomized schemes, including EdDSA, are vulnerable to differential fault attacks, which enable adversaries to recover the entire secret signing key, by artificially provoking randomness reuse or corrupting computation in other ways. In order...

2019/823 (PDF) Last updated: 2020-01-07
Securely Sampling Biased Coins with Applications to Differential Privacy
Jeffrey Champion, abhi shelat, Jonathan Ullman
Applications

We design an efficient method for sampling a large batch of $d$ independent coins with a given bias $p \in [0,1]$. The folklore secure computation method for doing so requires $O(\lambda + \log d)$ communication and computation per coin to achieve total statistical difference $2^{-\lambda}$. We present an exponential improvement over the folklore method that uses just $O(\log(\lambda+\log d))$ gates per coin when sampling $d$ coins with total statistical difference $2^{-\lambda}$. We...

2019/767 (PDF) Last updated: 2022-02-25
On cryptographic parameters of permutation polynomials of the form $x^rh(x^{(q-1)/d})$
Jaeseong Jeong, Chang Heon Kim, Namhun Koo, Soonhak Kwon, Sumin Lee
Secret-key cryptography

The differential uniformity, the boomerang uniformity, and the extended Walsh spectrum etc are important parameters to evaluate the security of S(substitution)-box. In this paper, we introduce efficient formulas to compute these cryptographic parameters of permutation polynomials of the form $x^rh(x^{(q-1)/d})$ over a finite field of $q=2^n$ elements, where $r$ is a positive integer and $d$ is a positive divisor of $q-1$. The computational cost of those formulas is proportional to $d$. We...

2018/592 (PDF) Last updated: 2024-05-29
XS-circuits in Block Ciphers
Sergey Agievich
Secret-key cryptography

XS-circuits describe block ciphers that utilize 2 operations: X) bitwise modulo 2 addition of binary words and S) substitution of words using key-dependent S-boxes with possibly complicated internal structure. We propose a model of XS-circuits which, despite the simplicity, covers a rather wide range of block ciphers. In our model, several instances of a simple round circuit, which contains only one S~operation, are linked together and form a compound circuit called a cascade. S operations...

2018/527 (PDF) Last updated: 2018-12-29
Improved Key Recovery Attacks on Reduced-Round AES with Practical Data an d Memory Complexities
Achiya Bar-On, Orr Dunkelman, Nathan Keller, Eyal Ronen, Adi Shamir
Secret-key cryptography

Determining the security of AES is a central problem in cryptanalysis, but progress in this area had been slow and only a handful of cryptanalytic techniques led to significant advancements. At Eurocrypt 2017 Grassi et al. presented a novel type of distinguisher for AES-like structures, but so far all the published attacks which were based on this distinguisher were inferior to previously known attacks in their complexity. In this paper we combine the technique of Grassi et al. with several...

2018/009 (PDF) Last updated: 2018-01-02
Evaluation of Resilience of randomized RNS implementation
Jérôme Courtois, Lokman Abbas-Turki, Jean-Claude Bajard
Implementation

Randomized moduli in Residue Number System (RNS) generate effectively large noise and make quite difficult to attack a secret key $K$ from only few observations of Hamming distances $H=(H_0, ..., H_{d-1})$ that result from the changes on the state variable. Since Hamming distances have gaussian distribution and most of the statistic tests, like NIST's ones, evaluate discrete and uniform distribution, we choose to use side-channel attacks as a tool in order to evaluate randomisation of...

2017/1117 (PDF) Last updated: 2018-02-27
Risky Traitor Tracing and New Differential Privacy Negative Results
Rishab Goyal, Venkata Koppula, Andrew Russell, Brent Waters
Public-key cryptography

In this work we seek to construct collusion-resistant traitor tracing systems with small ciphertexts from standard assumptions that also move toward practical efficiency. In our approach we will hold steadfast to the principle of collusion resistance, but relax the requirement on catching a traitor from a successful decoding algorithm. We define a $f$-risky traitor tracing system as one where the probability of identifying a traitor is $f(\lambda,n)$ times the probability a successful box is...

2017/1107 (PDF) Last updated: 2024-05-23
Hardness of Non-Interactive Differential Privacy from One-Way Functions
Lucas Kowalczyk, Tal Malkin, Jonathan Ullman, Daniel Wichs
Foundations

A central challenge in differential privacy is to design computationally efficient non-interactive algorithms that can answer large numbers of statistical queries on a sensitive dataset. That is, we would like to design a differentially private algorithm that takes a dataset $D \in X^n$ consisting of some small number of elements $n$ from some large data universe $X$, and efficiently outputs a summary that allows a user to efficiently obtain an answer to any query in some large family...

2017/103 (PDF) Last updated: 2017-06-26
Reconciling d+1 Masking in Hardware and Software
Hannes Gross, Stefan Mangard
Implementation

The continually growing number of security-related autonomous devices require efficient mechanisms to counteract low-cost side-channel analysis (SCA) attacks like differential power analysis. Masking provides a high resistance against SCA at an adjustable level of security. A high level of security, however, goes hand in hand with an increasing demand for fresh randomness which also affects other implementation costs. Since software based masking has other security requirements than masked...

2016/1061 (PDF) Last updated: 2017-07-07
Changing of the Guards: a simple and efficient method for achieving uniformity in threshold sharing
Joan Daemen
Implementation

Since they were first proposed as a countermeasure against differential power analysis (DPA) in 2006, threshold schemes have attracted a lot of attention from the community concentrating on cryptographic implementations. What makes threshold schemes so attractive from an academic point of view is that they come with an information-theoretic proof of resistance against a specific subset of side-channel attacks: first-order DPA. From an industrial point of view they are attractive as a careful...

2016/754 (PDF) Last updated: 2024-06-07
Practical Key Recovery Attack on MANTIS-5
Christoph Dobraunig, Maria Eichlseder, Daniel Kales, Florian Mendel
Secret-key cryptography

MANTIS is a lightweight tweakable block cipher recently published at CRYPTO 2016. In addition to the full 14-round version, MANTIS-7, the designers also propose an aggressive 10-round version, MANTIS-5. The security claim for MANTIS-5 is resistance against "practical attacks", defined as related-tweak attacks with data complexity $2^d$ less than $2^{30}$ chosen plaintexts (or $2^{40}$ known plaintexts), and computational complexity at most $2^{126-d}$. We present a key-recovery attack...

2016/744 (PDF) Last updated: 2016-08-02
A New Method to Investigate the CCZ-Equivalence between Functions with Low Differential Uniformity
Xi Chen, Longjiang Qu, Chao Li, Jiao Du
Foundations

Recently, many new classes of differentially $4$-uniform permutations have been constructed. However, it is difficult to decide whether they are CCZ-inequivalent or not. In this paper, we propose a new notion called "Projected Differential Spectrum". By considering the properties of the projected differential spectrum, we find several relations that should be satisfied by CCZ-equivalent functions. Based on these results, we mathematically prove that any differentially $4$-uniform permutation...

2016/721 (PDF) Last updated: 2018-05-31
Strong Hardness of Privacy from Weak Traitor Tracing
Lucas Kowalczyk, Tal Malkin, Jonathan Ullman, Mark Zhandry

A central problem in differential privacy is to accurately answer a large family $Q$ of statistical queries over a data universe $X$. A statistical query on a dataset $D \in X^n$ asks ``what fraction of the elements of $D$ satisfy a given predicate $p$ on $X$?'' Ignoring computational constraints, it is possible to accurately answer exponentially many queries on an exponential size universe while satisfying differential privacy (Blum et al., STOC'08). Dwork et al. (STOC'09) and Boneh...

2016/286 (PDF) Last updated: 2016-03-15
On a remarkable property of APN Gold functions
Anastasiya Gorodilova
Foundations

In [13] for a given vectorial Boolean function $F$ from $\mathbb{F}_2^n$ to itself it was defined an associated Boolean function $\gamma_F(a,b)$ in $2n$ variables that takes value~$1$ iff $a\neq{\bf 0}$ and equation $F(x)+F(x+a)=b$ has solutions. In this paper we introduce the notion of differentially equivalent functions as vectorial functions that have equal associated Boolean functions. It is an interesting open problem to describe differential equivalence class of a given APN...

2015/612 (PDF) Last updated: 2015-06-30
The Simeck Family of Lightweight Block Ciphers
Gangqiang Yang, Bo Zhu, Valentin Suder, Mark D. Aagaard, Guang Gong
Secret-key cryptography

Two lightweight block cipher families, SIMON and SPECK, have been proposed by researchers from the NSA recently. In this paper, we introduce Simeck, a new family of lightweight block ciphers that combines the good design components from both SIMON and SPECK, in order to devise even more compact and efficient block ciphers. For Simeck32/64, we can achieve 505 GEs (before the Place and Route phase) and 549 GEs (after the Place and Route phase), with the power consumption of 0.417 $\mu W$ in...

2013/574 (PDF) Last updated: 2014-02-14
On the Minimum Number of Multiplications Necessary for Universal Hash Constructions
Mridul Nandi
Secret-key cryptography

Let $d \geq 1$ be an integer and $R_1$ be a finite ring whose elements are called {\bf block}. A $d$-block universal hash over $R_1$ is a vector of $d$ multivariate polynomials in message and key block such that the maximum {\em differential probability} of the hash function is ``low''. Two such single block hashes are pseudo dot-product (\tx{PDP}) hash and Bernstein-Rabin-Winograd (\tx{BRW}) hash which require $\frac{n}{2}$ multiplications for $n$ message blocks. The Toeplitz construction...

2013/382 (PDF) Last updated: 2013-08-08
To Hash or Not to Hash Again? (In)differentiability Results for H^2 and HMAC
Yevgeniy Dodis, Thomas Ristenpart, John Steinberger, Stefano Tessaro

We show that the second iterate H^2(M) = H(H(M)) of a random oracle H cannot achieve strong security in the sense of indifferentiability from a random oracle. We do so by proving that indifferentiability for H 2 holds only with poor concrete security by providing a lower bound (via an attack) and a matching upper bound (via a proof requiring new techniques) on the complexity of any successful simulator. We then investigate HMAC when it is used as a general-purpose hash function with...

2011/541 (PDF) Last updated: 2011-10-03
Minimalism in Cryptography: The Even-Mansour Scheme Revisited
Orr Dunkelman, Nathan Keller, Adi Shamir
Foundations

In this paper we consider the following fundamental problem: What is the simplest possible construction of a block cipher which is provably secure in some formal sense? This problem motivated Even and Mansour to develop their scheme in 1991, but its exact security remained open for more than 20 years in the sense that the lower bound proof considered known plaintexts, whereas the best published attack (which was based on differential cryptanalysis) required chosen plaintexts. In this paper...

2010/608 (PDF) Last updated: 2010-12-07
A New Model of Binary Elliptic Curves with Fast Arithmetic
Hongfeng Wu, Chunming Tang, Rongquan Feng

This paper presents a new model of ordinary elliptic curves with fast arithmetic over field of characteristic two. In addition, we propose two isomorphism maps between new curves and Weierstrass curves. This paper proposes new explicit addition law for new binary curves and prove the addition law corresponds to the usual addition law on Weierstrass curves. This paper also presents fast unified addition formulae and doubling formulae for these curves. The unified addition formulae cost...

2010/516 (PDF) Last updated: 2010-10-24
Key Agreement Protocols Based on Multivariate Polynomials over Fq
Masahiro Yagisawa
Public-key cryptography

In this paper we propose new key agreement protocols based on multivariate polynomials over finite field Fq. We concretely generate the multivariate polynomial F(X)\in Fq[x1,..,xn] such that F(X)=\sum^m_{i=1} ki[Ai(X)^d+ Ai(X)^{d-1}+ ..+ Ai(X)] where Ai(X) =ai1x1+…+ainxn ,coefficients ki , aij\in Fq (i=1,..,m:j=1,..,n) and variables X=(x1,..,xn)^T \in Fq[x1,..,xn]^n. The common key K(X) has the form such that K(X)=\sum^m_{i=1}hi F((bi1x1,...,binxn)^T) where hi ,bij\in Fq (i=1,..,m:j=1,..,n)...

2010/417 (PDF) Last updated: 2010-07-27
Distinguishing Properties of Higher Order Derivatives of Boolean Functions
Ming Duan, Xuejia Lai, Mohan Yang, Xiaorui Sun, Bo Zhu
Foundations

Higher order differential cryptanalysis is based on the property of higher order derivatives of Boolean functions that the degree of a Boolean function can be reduced by at least 1 by taking a derivative on the function at any point. We define \emph{fast point} as the point at which the degree can be reduced by at least 2. In this paper, we show that the fast points of a $n$-variable Boolean function form a linear subspace and its dimension plus the algebraic degree of the function is at...

2009/523 (PDF) Last updated: 2010-03-04
Differential Addition in generalized Edwards Coordinates
Benjamin Justus, Daniel Loebenberger
Foundations

We use two parametrizations of points on elliptic curves in generalized Edwards form x^2 + y^2 = c^2 (1+d x^2 y^2) that omit the x-coordinate. The first parametrization leads to a differential addition formula that can be computed using 6M + 4S, a doubling formula using 1M+4S and a tripling formula using 4M + 7S. The second one yields a differential addition formula that can be computed using 5M+2S and a doubling formula using 5S. All formulas apply also for the case c <> 1 and arbitrary...

2009/274 (PDF) Last updated: 2009-06-09
A Collision-resistance Hash Function DIHA2
Xigen. Yao

Abstract. The new hash function DIHA2 (Dynamic Input Hash Algorithm)is with the structure of Merkle-Damgard and is based on 64-bit computing.It oper- ates each 1024-bit block and outputts a 256-bit hash-value. For a 64-bit sub-block X[j](0 &#8804; j &#8804; 15) of each step, DIHA2 gets a dynamic mapping value of TLU (table look up,The table was 256-Byte only)and add it to operation of variables a, b, c, d,so as to eliminate the differential effect.At the same time DIHA2 sets 3 assistant...

2009/034 (PDF) Last updated: 2009-01-17
On a Conditional Collision Attack on NaSHA-512
S. Markovski, A. Mileva, V. Dimitrova, D. Gligoroski

A collision attack on NaSHA-512 was proposed by L. Ji et al. The claimed complexity of the attack is $2^{192}$. The proposed attack is realized by using a suitable differential pattern. In this note we show that the correct result that can be inferred from their differential pattern is in fact a conditional one. It can be stated correctly as follows: A collision attack on NaSHA-512 of complexity $k=1,2,\dots,2^{320}$ can be performed with an unknown probability of success $p_k$, where $ 0\le...

2009/012 (PDF) Last updated: 2009-01-15
Avoid Mask Re-use in Masked Galois Multipliers
D. Canright
Implementation

This work examines a weakness in re-using masks for masked Galois inversion, specifically in the masked Galois multipliers. Here we show that the mask re-use scheme included in our work[1] cannot result in "perfect masking," regardless of the order in which the terms are added; explicit distributions are derived for each step. The same problem requires new masks in the subfield calculations, not included in [1]. Hence, for resistance to first-order differential attacks, the masked S-box must...

2009/011 (PDF) Last updated: 2009-01-15
A Very Compact "Perfectly Masked" S-Box for AES (corrected)
D. Canright, Lejla Batina
Implementation

Implementations of the Advanced Encryption Standard (AES), including hardware applications with limited resources (e.g., smart cards), may be vulnerable to "side-channel attacks" such as differential power analysis. One countermeasure against such attacks is adding a random mask to the data; this randomizes the statistics of the calculation at the cost of computing "mask corrections." The single nonlinear step in each AES round is the "S-box" (involving a Galois inversion), which incurs the...

2008/171 (PDF) Last updated: 2008-06-11
Binary Edwards Curves
Daniel J. Bernstein, Tanja Lange, Reza Rezaeian Farashahi
Public-key cryptography

This paper presents a new shape for ordinary elliptic curves over fields of characteristic 2. Using the new shape, this paper presents the first complete addition formulas for binary elliptic curves, i.e., addition formulas that work for all pairs of input points, with no exceptional cases. If n >= 3 then the complete curves cover all isomorphism classes of ordinary elliptic curves over F_2^n. This paper also presents dedicated doubling formulas for these curves using 2M + 6S + 3D, where M...

2007/248 (PDF) (PS) Last updated: 2007-06-20
1. AES seems weak. 2. Linear time secure cryptography
Warren D. Smith

We describe a new simple but more powerful form of linear cryptanalysis. It appears to break AES (and undoubtably other cryptosystems too, e.g. SKIPJACK). The break is ``nonconstructive,'' i.e. we make it plausible (e.g. prove it in certain approximate probabilistic models) that a small algorithm for quickly determining AES-256 keys from plaintext-ciphertext pairs exists -- but without constructing the algorithm. The attack's runtime is comparable to performing $64^w$ encryptions where $w$...

2006/451 (PDF) Last updated: 2006-12-04
Combined Differential, Linear and Related-Key Attacks on Block Ciphers and MAC Algorithms
Jongsung Kim
Secret-key cryptography

Differential and linear attacks are the most widely used cryptanalytic tools to evaluate the security of symmetric-key cryptography. Since the introduction of differential and linear attacks in the early 1990's, various variants of these attacks have been proposed such as the truncated differential attack, the impossible differential attack, the square attack, the boomerang attack, the rectangle attack, the differential-linear attack, the multiple linear attack, the nonlinear attack and the...

2006/384 (PDF) Last updated: 2014-11-01
Design and Analysis of a Hash Ring-iterative Structure
Shenghui Su, Yixian Yang, Bo Yang, Shaolan Zhang

The authors propose a new type of hash iterative structure &#9472; the ring-iterative structure with feedback which is subdivided into the single feedback ring iteration and the multiple feedback ring iteration, namely SFRI and MFRI. Prove that SFRI is at least equivalent to the MD structure in security, and MFRI is at least equivalent to SFRI in security (property 1 makes people incline to believe MFRI is more secure than MD). Analyze the resistance of MFRI, which results from the joint...

2004/141 (PDF) (PS) Last updated: 2004-07-06
Elastic AES
Debra L. Cook, Moti Yung, Angelos D. Keromytis
Secret-key cryptography

Recently an algorithmic schema was proposed for converting any existing block cipher into one which excepts variable length inputs with the computational workload increasing in proportion to the block size. The resulting cipher is referred to as an elastic block cipher. The initial work presented immunity to certain key recovery attacks, and left open further analysis of the method and its possible instantiations. In order to provide a concrete example of an elastic block cipher, we design...

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.