Quantum safe cryptography for the Internet of Things
We are entering the era of the Internet of Things (IoT). The IoT connects not only classical computing and communication devices, but all kinds of other gadgets that we use in our everyday lives: Cars, door locks, personal medical devices, washing machines, refrigerators, and light switches are often cited examples. These devices can then download software from, and upload data to, the Internet. Likewise, users on the Internet can query the devices for information, or issue commands for the device to perform specific actions.
Thus the IoT gives remote users the capacity to manipulate our physical environment. Such manipulation is potentially dangerous, so access to IoT devices must be restricted to legitimate, authorized users. This requires cryptographic techniques for proving the identity of devices and users, and for protecting the information they exchange.
The most popular current cryptographic techniques are not secure against an attacker that can do computations on a quantum computer. As of early 2018, full-scale quantum computers are not publicly known to exist, and it is still considered a significant challenge to construct one. However, there are strong ongoing efforts worldwide to build these computers, motivated by political and commercial interests. Therefore it is recommended that sensitive information is protected by new cryptographic techniques that are not vulnerable to an attacker with access to a quantum computer. These techniques are referred to as quantum-safe, or post-quantum, crypto.
Known quantum-safe techniques rely on heavy computations and very long cryptographic keys. This is particularly inconvenient in the IoT setting, where many devices may be strictly limited with respect to computation, storage, communication, and battery capacity. In this project, we address the design and analysis of lightweight quantum-safe crypto primitives and IoT-compatible crypto communication protocols.
Funding source:
The Research Council of Norway (IKTPluss)
Publications for Quantum safe cryptography for the Internet of Things
Proceedings, refereed
On the Secrecy Gain of Isodual Lattices from Tail-Biting Convolutional Codes
In International Symposium on Topics in Coding (ISTC), 2023. Status: Published
Affiliation | Cryptography |
Project(s) | Information Theory Section, Quantum safe cryptography for the Internet of Things |
Publication Type | Proceedings, refereed |
Year of Publication | 2023 |
Conference Name | International Symposium on Topics in Coding (ISTC) |
Construction and Secrecy Gain of Formally Unimodular Lattices in Odd Dimensions
In Information Theory Workshop (ITW), 2023. Status: Published
Affiliation | Cryptography |
Project(s) | Information Theory Section, Quantum safe cryptography for the Internet of Things |
Publication Type | Proceedings, refereed |
Year of Publication | 2023 |
Conference Name | Information Theory Workshop (ITW) |
A New Algebraic Approach to the Regular Syndrome Decoding Problem and Implications for PCG Constructions
In Advances in Cryptology – EUROCRYPT 2023, 2023. Status: Accepted
Affiliation | Cryptography |
Project(s) | Quantum safe cryptography for the Internet of Things |
Publication Type | Proceedings, refereed |
Year of Publication | 2023 |
Conference Name | Advances in Cryptology – EUROCRYPT 2023 |
From Farfalle to Megafono via Ciminion: The PRF Hydra for MPC Applications
In Advances in Cryptology – EUROCRYPT 2023, 2023. Status: Accepted
Affiliation | Cryptography |
Project(s) | Quantum safe cryptography for the Internet of Things |
Publication Type | Proceedings, refereed |
Year of Publication | 2023 |
Conference Name | Advances in Cryptology – EUROCRYPT 2023 |
Proceedings, refereed
Determining the equivocation in coded transmission over a noisy channel
In 2022 IEEE International Symposium on Information Theory (ISIT). Espoo, Finland: IEEE, 2022. Status: Published
Affiliation | Cryptography |
Project(s) | Quantum safe cryptography for the Internet of Things, Cryptography Section, Information Theory Section |
Publication Type | Proceedings, refereed |
Year of Publication | 2022 |
Conference Name | 2022 IEEE International Symposium on Information Theory (ISIT) |
Pagination | 1253-1258 |
Publisher | IEEE |
Place Published | Espoo, Finland |
URL | https://ieeexplore.ieee.org/document/9834781/http://xplorestaging.ieee.o... |
DOI | 10.1109/ISIT50566.2022.9834781 |
On the Secrecy Gain of Formally Unimodular Construction A4 Lattices
In 2022 IEEE International Symposium on Information Theory (ISIT). IEEE, 2022. Status: Published
Affiliation | Cryptography |
Project(s) | Information Theory Section, Quantum safe cryptography for the Internet of Things |
Publication Type | Proceedings, refereed |
Year of Publication | 2022 |
Conference Name | 2022 IEEE International Symposium on Information Theory (ISIT) |
Pagination | 3226-3231 |
Publisher | IEEE |
DOI | 10.1109/ISIT50566.2022.9834686 |
PhD Thesis
Algebraic Cryptanalysis of Cryptographic Schemes with Extension Field Structure
University of Bergen, 2021. Status: Published
Affiliation | Cryptography |
Project(s) | Simula UiB, Quantum safe cryptography for the Internet of Things |
Publication Type | PhD Thesis |
Year of Publication | 2021 |
Degree awarding institution | University of Bergen |
URL | https://bora.uib.no/bora-xmlui/handle/11250/2771891 |
Proceedings, refereed
On the Effect of Projection on Rank Attacks in Multivariate Cryptography
In The 12th International Conference on Post-Quantum Cryptography (PQCRYPTO 2021). Vol. LNCS, vol 12841. Cham: Springer, 2021. Status: Published
The multivariate scheme HFEv- used to be considered a promising candidate for a post-quantum signature system. First suggested in the early 2000s, a version of the scheme made it to the third round of the ongoing NIST post-quantum standardization process. In late 2020, the system suffered from an efficient rank attack due to Tao, Petzoldt, and Ding. In this paper, we inspect how this recent rank attack is affected by the projection modification. This modification was introduced to secure the signature scheme PFLASH against its predecessor's attacks. We prove upper bounds for the rank of projected HFEv- (pHFEv-) and PFLASH under the new attack, which are tight for the experiments we have performed. We conclude that projection could be a useful tool in protecting against this recent cryptanalysis.
Affiliation | Cryptography |
Project(s) | Simula UiB, Quantum safe cryptography for the Internet of Things |
Publication Type | Proceedings, refereed |
Year of Publication | 2021 |
Conference Name | The 12th International Conference on Post-Quantum Cryptography (PQCRYPTO 2021) |
Volume | LNCS, vol 12841 |
Pagination | 98-113 |
Publisher | Springer |
Place Published | Cham |
Tiling of Constellations
In 2021 IEEE International Symposium on Information Theory (ISIT). Melbourne, Australia: IEEE, 2021. Status: Published
Affiliation | Cryptography |
Project(s) | Quantum safe cryptography for the Internet of Things, Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2021 |
Conference Name | 2021 IEEE International Symposium on Information Theory (ISIT) |
Pagination | 450-454 |
Publisher | IEEE |
Place Published | Melbourne, Australia |
URL | https://ieeexplore.ieee.org/document/9518129/http://xplorestaging.ieee.o... |
DOI | 10.1109/ISIT45174.2021.9518129 |
Proceedings, refereed
An Algebraic Attack on Ciphers with Low-Degree Round Functions: Application to Full MiMC
In Advances in Cryptology – ASIACRYPT 2020. Springer, 2020. Status: Published
Affiliation | Cryptography |
Project(s) | Simula UiB, Quantum safe cryptography for the Internet of Things |
Publication Type | Proceedings, refereed |
Year of Publication | 2020 |
Conference Name | Advances in Cryptology – ASIACRYPT 2020 |
Pagination | 477-506 |
Publisher | Springer |
Cryptography Section
The cryptography section both develops and assesses new and existing cryptographic primitives, protocols, and implementations.
Cryptanalytic assessment focuses on, but is not limited to, symmetric-key cryptography and takes into account algebraic, statistical, and side-channel attacks. The goal is to acquire an in-depth understanding of the level of protection provided by cryptographic algorithms and, at the same time, to develop a roadmap for improved protection. New ideas are explored, resulting in new algorithms and implementations that realize the roadmap.
We also construct provably secure yet efficient cryptographic protocols for complex tasks like secure e-voting, privacy-preserving data mining, and privacy-preserving blockchain applications. We work on the underlying theory that allows us to both construct better tools and understand principal limitations and impossibility results of such tools.
Publications for Cryptography Section
Edited books
Advances in Cryptology – EUROCRYPT 2023
In 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, April 23-27, 2023, Proceedings, Part V. Vol. 14008. Cham: Springer Nature Switzerland, 2023. Status: Published
Affiliation | Cryptography |
Project(s) | Cryptography Section |
Publication Type | Edited books |
Year of Publication | 2023 |
Secondary Title | 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, April 23-27, 2023, Proceedings, Part V |
Volume | 14008 |
Number of pages in book | XVII, 786 |
Date Published | 04/2023 |
Publisher | Springer Nature Switzerland |
Place Published | Cham |
ISBN Number | 978-3-031-30588-7 |
ISSN Number | 0302-9743 |
Keywords | ciphertexts, communication protocols, Computer networks, Computer security, Cryptanalysis, Cryptography, Data mining, data security, Encryption, information theory, privacy preserving, public key cryptography |
URL | https://link.springer.com/content/pdf/10.1007/978-3-031-30589-4 |
DOI | 10.1007/978-3-031-30589-4 |
Advances in Cryptology – EUROCRYPT 2023
In 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, April 23-27, 2023, Proceedings, Part IV. Vol. 14007. Cham: Springer Nature Switzerland, 2023. Status: Published
Affiliation | Cryptography |
Project(s) | Cryptography Section |
Publication Type | Edited books |
Year of Publication | 2023 |
Secondary Title | 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, April 23-27, 2023, Proceedings, Part IV |
Volume | 14007 |
Number of pages in book | XVII, 660 |
Date Published | 04/2023 |
Publisher | Springer Nature Switzerland |
Place Published | Cham |
ISBN Number | 978-3-031-30633-4 |
ISSN Number | 0302-9743 |
Keywords | ciphertexts, communication protocols, Computer networks, Computer security, Cryptanalysis, Cryptography, Data mining, data security, Encryption, information theory, privacy preserving, public key cryptography |
URL | https://link.springer.com/10.1007/978-3-031-30634-1https://link.springer... |
DOI | 10.1007/978-3-031-30634-1 |
Advances in Cryptology – EUROCRYPT 2023
In 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, April 23-27, 2023, Proceedings, Part III. Vol. 14006. Cham: Springer Nature Switzerland, 2023. Status: Published
Affiliation | Cryptography |
Project(s) | Cryptography Section |
Publication Type | Edited books |
Year of Publication | 2023 |
Secondary Title | 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, April 23-27, 2023, Proceedings, Part III |
Volume | 14006 |
Number of pages in book | XVI, 670 |
Date Published | 04/2023 |
Publisher | Springer Nature Switzerland |
Place Published | Cham |
ISBN Number | 978-3-031-30619-8 |
ISSN Number | 0302-9743 |
Other Numbers | LNCS 14006 |
Keywords | ciphertexts, communication protocols, Computer networks, Computer security, Cryptanalysis, Cryptography, Data mining, data security, Encryption, information theory, privacy preserving, public key cryptography |
URL | https://link.springer.com/10.1007/978-3-031-30620-4 |
DOI | 10.1007/978-3-031-30620-4 |
Advances in Cryptology – EUROCRYPT 2023
In 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, April 23-27, 2023, Proceedings, Part II. Vol. 14005. Cham: Springer Nature Switzerland, 2023. Status: Published
Affiliation | Cryptography |
Project(s) | Cryptography Section |
Publication Type | Edited books |
Year of Publication | 2023 |
Secondary Title | 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, April 23-27, 2023, Proceedings, Part II |
Volume | 14005 |
Number of pages in book | XVI, 628 |
Date Published | 04/2023 |
Publisher | Springer Nature Switzerland |
Place Published | Cham |
ISBN Number | 978-3-031-30616-7 |
ISSN Number | 0302-9743 |
Other Numbers | LNCS 14005 |
Keywords | ciphertexts, communication protocols, Computer networks, Computer security, Cryptanalysis, Cryptography, Data mining, data security, Encryption, information theory, privacy preserving, public key cryptography |
URL | https://link.springer.com/10.1007/978-3-031-30617-4 |
DOI | 10.1007/978-3-031-30617-4 |
Advances in Cryptology – EUROCRYPT 2023
In 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, April 23-27, 2023, Proceedings, Part I. Vol. 14004. Cham: Springer Nature Switzerland, 2023. Status: Published
Affiliation | Cryptography |
Project(s) | Cryptography Section |
Publication Type | Edited books |
Year of Publication | 2023 |
Secondary Title | 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, April 23-27, 2023, Proceedings, Part I |
Volume | 14004 |
Publisher | Springer Nature Switzerland |
Place Published | Cham |
ISBN Number | 978-3-031-30544-3 |
ISSN Number | 0302-9743 |
Other Numbers | LNCS 14004 |
Keywords | ciphertexts, communication protocols, Computer networks, Computer security, Cryptanalysis, Cryptography, Data mining, data security, Encryption, information theory, privacy preserving, public key cryptography |
URL | https://link.springer.com/10.1007/978-3-031-30545-0 |
DOI | 10.1007/978-3-031-30545-0 |
Journal Article
Pincering SKINNY by Exploiting Slow Diffusion: Enhancing Differential Power Analysis with Cluster Graph Inference
IACR Transactions on Cryptographic Hardware and Embedded Systems 2023 (2023). Status: Accepted
Affiliation | Cryptography |
Project(s) | Cryptography Section |
Publication Type | Journal Article |
Year of Publication | 2023 |
Journal | IACR Transactions on Cryptographic Hardware and Embedded Systems |
Volume | 2023 |
Number | 4 |
Publisher | IACR |
Place Published | Bochum, Germany |
Proceedings, refereed
Verifying Classic McEliece: Examining the Role of Formal Methods in Post-Quantum Cryptography Standardisation
In Code-Based Cryptography. CBCrypto 2022. Lecture Notes in Computer Science. Vol. 13839. Cham: Springer Nature Switzerland, 2023. Status: Published
Developers of computer-aided cryptographic tools are optimistic that formal methods will become a vital part of developing new cryptographic systems. We study the use of such tools to specify and verify the implementation of Classic McEliece, one of the code-based cryptography candidates in the fourth round of the NIST Post-Quantum standardisation Process. From our case study we draw conclusions about the practical applicability of these methods to the development of novel cryptography.
Affiliation | Cryptography |
Project(s) | Cryptography Section |
Publication Type | Proceedings, refereed |
Year of Publication | 2023 |
Conference Name | Code-Based Cryptography. CBCrypto 2022. Lecture Notes in Computer Science |
Volume | 13839 |
Pagination | 21–36 |
Date Published | 03/2023 |
Publisher | Springer Nature Switzerland |
Place Published | Cham |
ISBN Number | 978-3-031-29689-5 |
URL | https://link.springer.com/chapter/10.1007/978-3-031-29689-5_2 |
DOI | 10.1007/978-3-031-29689-5_2 |
Counting Vampires: From Univariate Sumcheck to Updatable ZK-SNARK
In Asiacrypt 2022. Vol. 13792. Cham: Springer Nature Switzerland, 2023. Status: Published
We propose a univariate sumcheck argument Count of essentially optimal communication efficiency of one group element. While the previously most efficient univariate sumcheck argument of Aurora is based on polynomial commitments, Count is based on inner-product commitments. We use Count to construct a new pairing-based updatable and universal zk-SNARK Vampire with the shortest known argument length (four group and two finite field elements) for NP. In addition, Vampire uses the aggregated polynomial commitment scheme of Boneh et al.
Affiliation | Cryptography |
Project(s) | Cryptography Section |
Publication Type | Proceedings, refereed |
Year of Publication | 2023 |
Conference Name | Asiacrypt 2022 |
Volume | 13792 |
Pagination | 249 - 278 |
Publisher | Springer Nature Switzerland |
Place Published | Cham |
ISBN Number | 978-3-031-22965-7 |
ISSN Number | 0302-9743 |
URL | https://link.springer.com/10.1007/978-3-031-22966-4 |
DOI | 10.1007/978-3-031-22966-4; 10.1007/978-3-031-22966-4_9 |
Multi-Instance Secure Public-Key Encryption
In PKC 2023, Part II. Cham: Springer Nature Switzerland, 2023. Status: Published
Mass surveillance targets many users at the same time with the goal of learning as much as possible. Intuitively, breaking many users’ cryptography simultaneously should be at least as hard as that of only breaking a single one, but ideally security degradation is gradual: an adversary ought to work harder to break more. Bellare, Ristenpart and Tessaro (Crypto’12) introduced the notion of multi-instance security to capture the related concept for password hashing with salts. Auerbach, Giacon and Kiltz (Eurocrypt’20) motivated the study of public key encryption (PKE) in the multi-instance setting, yet their technical results are exclusively stated in terms of key encapsulation mechanisms (KEMs), leaving a considerable gap. We investigate the multi-instance security of public key encryption. Our contributions are twofold. Firstly, we define and compare possible security notions for multi-instance PKE, where we include PKE schemes whose correctness is not perfect. Secondly, we observe that, in general, a hybrid encryption scheme of a multi-instance secure KEM and an arbitrary data encapsulation mechanism (DEM) is unlikely to inherit the KEM’s multi-instance security. Yet, we show how with a suitable information-theoretic DEM, and a computationally secure key derivation function if need be, inheritance is possible. As far as we are aware, ours is the first inheritance result in the challenging multi-bit scenario.
Affiliation | Cryptography |
Project(s) | Cryptography Section |
Publication Type | Proceedings, refereed |
Year of Publication | 2023 |
Conference Name | PKC 2023, Part II |
Pagination | 336-367 |
Date Published | 05/2023 |
Publisher | Springer Nature Switzerland |
Place Published | Cham |
ISBN Number | 978-3-031-31370-7 |
Other Numbers | LNCS 13941 |
Keywords | Hybrid Encryption, Mass Surveillance, Multi-Instance Security, Property Inheritance |
URL | https://doi.org/10.1007/978-3-031-31371-4_12 |
DOI | 10.1007/978-3-031-31371-4_12 |
Reprint Edition | https://eprint.iacr.org/2022/909 |
Journal Article
On the IND-CCA1 Security of FHE Schemes
MDPI Cryptography 6, no. 1 (2022). Status: Published
Fully homomorphic encryption (FHE) is a powerful tool in cryptography that allows one to perform arbitrary computations on encrypted material without having to decrypt it first. There are numerous FHE schemes, all of which are expanded from somewhat homomorphic encryption (SHE) schemes, and some of which are considered viable in practice. However, while these FHE schemes are semantically (IND-CPA) secure, the question of their IND-CCA1 security is much less studied, and we therefore provide an overview of the IND-CCA1 security of all acknowledged FHE schemes in this paper. To give this overview, we group SHE schemes into broad categories based on their similarities and underlying hardness problems. For each category, we show that the SHE schemes are susceptible to either known adaptive key recovery attacks, a natural extension of known attacks, or our proposed attacks. Finally, we discuss the known techniques to achieve IND-CCA1 secure FHE and SHE schemes. We conclude that none of the proposed schemes are IND-CCA1 secure, and that the known general constructions all have their shortcomings.
Affiliation | Cryptography |
Project(s) | Cryptography Section |
Publication Type | Journal Article |
Year of Publication | 2022 |
Journal | MDPI Cryptography |
Volume | 6 |
Issue | 1 |
Number | 13 |
Date Published | 03/2022 |
Publisher | MDPI |
Place Published | Online |
ISSN | 2410-387X |
Keywords | Cryptanalysis, FHE schemes, IND-CCA1 |
URL | https://www.mdpi.com/2410-387X/6/1/13 |
DOI | 10.3390/cryptography6010013 |
Publications
Talks, contributed
Factoring RSA Keys Found in Certificate Transparency Logs
In Linz, Austria, 2023. Status: Published
TLS is the most important protocol for securing web communication today. Authenticating servers on the internet relies on PKI, and the number of public key certificates issued yearly by certificate authorities (CA) is now in the billions. Most of the public keys attested by these certificates are 2048-bit RSA keys. The security of RSA is based on the hardness of factoring N = pq, where N is public and p and q are two large secret primes. With so many keys generated for certificates each year, it is important that all CAs use cryptographically strong random number generators when selecting their prime numbers. If the same prime is used in two different RSA keys, it is easy to factor both by computing their greatest common divisor (GCD). Experiments on computing the GCDs of all pairs from a large set of RSA keys have been done before. In 2012, two teams of researchers independently harvested approximately 6 million certificates with RSA keys each, and ran GCD on all pairs. One finding was that around 0.5% of the RSA keys could be factored this way, mostly due to faulty random number generators. The same experiment was repeated in 2016, this time collecting 81 million keys. The result was that 0.4% of the RSA keys could be factored via GCD. Finally, in 2019 approximately 75 million certificates with RSA keys were collected from the internet and almost 0.6% of them were factored by taking the GCD of all pairs. According to the authors this is due to IoT devices with poor random generators. The authors compare this to a set of 100 million RSA keys collected from the Certificate Transparency (CT) logs, where they could only factor 5 keys.
We have redone the GCD factoring experiment using 159 million certificates from the CT log Argon from 2021, and report on our findings. To our knowledge, this is the largest experiment of this type done so far.
Affiliation | Cryptography |
Project(s) | No Simula project |
Publication Type | Talks, contributed |
Year of Publication | 2023 |
Location of Talk | Linz, Austria |
Type of Talk | Conference contribution |
Keywords | factoring, RSA, X.509 certificates |
Proceedings, refereed
FASTA – a stream cipher for fast FHE evaluation
In Topics in Cryptology - CT-RSA 2022 - Cryptographers' Track at the RSA Conference 2022. Vol. 13161. Lecture Notes in Computer Science: Springer, 2022. Status: Published
In this paper we propose Fasta, a stream cipher design optimised for implementation over popular fully homomorphic encryption schemes. A number of symmetric encryption ciphers have been recently proposed for FHE applications, e.g. the block cipher LowMC, and the stream ciphers Rasta (and variants), FLIP and Kreyvium. The main design criterion employed in these ciphers has typically been to minimise the multiplicative complexity of the algorithm. However, other aspects affecting their efficient evaluation over common FHE libraries are often overlooked, compromising their real-world performance. Whilst Fasta may also be considered as a variant of Rasta, it has its parameters and linear layer especially chosen to allow efficient implementation over the BGV scheme, particularly as implemented in the HElib library. This results in a speedup by a factor of 25 compared to the most efficient publicly available implementation of Rasta. Fasta's target is BGV, as implemented in HElib. However, the design ideas introduced in the cipher could also potentially be employed to achieve improvements in the homomorphic evaluation in other popular FHE schemes/libraries. We do consider such alternatives in this paper (e.g. BFV and BGVrns, as implemented in SEAL and PALISADE), but argue that, unlike BGV in HElib, it is more challenging to make use of their parallelism in a Rasta-like stream cipher design.
Affiliation | Cryptography |
Project(s) | Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2022 |
Conference Name | Topics in Cryptology - CT-RSA 2022 - Cryptographers' Track at the RSA Conference 2022 |
Volume | 13161 |
Pagination | 451-483 |
Publisher | Springer |
Place Published | Lecture Notes in Computer Science |
Keywords | Homomorphic Encryption, Hybrid Encryption, secret-key cryptography, Stream Ciphers |
URL | https://link.springer.com/chapter/10.1007/978-3-030-95312-6_19 |
DOI | 10.1007/978-3-030-95312-6_19 |
Proceedings, refereed
A Practical Adaptive Key Recovery Attack on the LGM (GSW-like) Cryptosystem
In International Conference on Post-Quantum Cryptography. Vol. 12841. Springer, 2021. Status: Published
We present an adaptive key recovery attack on the leveled homomorphic encryption scheme suggested by Li, Galbraith and Ma (Provsec 2016), which itself is a modification of the GSW cryptosystem designed to resist key recovery attacks by using a different linear combination of secret keys for each decryption. We were able to efficiently recover the secret key for a realistic choice of parameters using a statistical attack. In particular, this means that the Li, Galbraith and Ma strategy does not prevent adaptive key recovery attacks.
Affiliation | Cryptography |
Project(s) | Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2021 |
Conference Name | International Conference on Post-Quantum Cryptography |
Volume | 12841 |
Pagination | 483-498 |
Date Published | 07/2021 |
Publisher | Springer |
ISBN Number | 978-3-030-81292-8 |
Keywords | GSW, Key recovery, Somewhat homomorphic encryption, Statistical attack |
URL | https://link.springer.com/chapter/10.1007/978-3-030-81293-5_25 |
DOI | 10.1007/978-3-030-81293-5_25 |
Analysis of Multivariate Encryption Schemes: Application to Dob
In Public-Key Cryptography (PKC 2021). Vol. LNCS, vol 12710. Cham: Springer International Publishing, 2021. Status: Published
In this paper, we study the effect of two modifications to multivariate public key encryption schemes: internal perturbation (ip), and Q_+. Focusing on the Dob encryption scheme, a construction utilising these modifications, we accurately predict the number of degree fall polynomials produced in a Gröbner basis attack, up to and including degree five. The predictions remain accurate even when fixing variables. Based on this new theory we design a novel attack on the Dob encryption scheme, which breaks Dob using the parameters suggested by its designers. While our work primarily focuses on the Dob encryption scheme, we also believe that the presented techniques will be of particular interest to the analysis of other big-field schemes.
Affiliation | Cryptography |
Project(s) | Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2021 |
Conference Name | Public-Key Cryptography (PKC 2021) |
Volume | LNCS, vol 12710 |
Pagination | 155 - 183 |
Date Published | 05/2021 |
Publisher | Springer International Publishing |
Place Published | Cham |
ISBN Number | 978-3-030-75244-6 |
ISSN Number | 0302-9743 |
URL | https://link.springer.com/10.1007/978-3-030-75245-3 |
DOI | 10.1007/978-3-030-75245-3; 10.1007/978-3-030-75245-3_7 |
Boolean Polynomials, BDDs and CRHS Equations – Connecting the Dots with CryptaPath
In Selected Areas in Cryptography. Vol. 12804. Cham: Springer, 2021. Status: Published
When new symmetric-key ciphers and hash functions are proposed they are expected to document resilience against a number of known attacks. Good, easy to use tools may help designers in this process and give improved cryptanalysis. In this paper we introduce CryptaPath, a tool for doing algebraic cryptanalysis which utilizes Compressed Right-Hand Side (CRHS) equations to attack SPN ciphers and sponge constructions. It requires no previous knowledge of CRHS equations to be used, only a reference implementation of a primitive.
The connections between CRHS equations, binary decision diagrams and Boolean polynomials have not been described earlier in literature. A comprehensive treatment of these relationships is made before we explain how CryptaPath works. We then describe the process of solving CRHS equation systems while introducing a new operation, dropping variables.
Affiliation | Cryptography |
Project(s) | Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2021 |
Conference Name | Selected Areas in Cryptography |
Volume | 12804 |
Pagination | 229-251 |
Date Published | 07/2021 |
Publisher | Springer |
Place Published | Cham |
ISBN Number | 978-3-030-81651-3 |
Keywords | algebraic cryptanalysis, binary decision diagram, block cipher, equation system, Open Source, tool |
URL | https://link.springer.com/chapter/10.1007/978-3-030-81652-0_9 |
DOI | 10.1007/978-3-030-81652-0_9 |
Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2
In Eurocrypt. Vol. 12697. Springer, 2021. Status: Published
Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2
This paper presents the first publicly available cryptanalytic attacks on the GEA-1 and GEA-2 algorithms. Instead of providing full 64-bit security, we show that the initial state of GEA-1 can be recovered from as little as 65 bits of known keystream (with at least 24 bits coming from one frame) in time 2^{40} GEA-1 evaluations and using 44.5 GiB of memory.
The attack on GEA-1 is based on an exceptional interaction of the deployed LFSRs and the key initialization, which is highly unlikely to occur by chance. This unusual pattern indicates that the weakness is intentionally hidden to limit the security level to 40 bit by design.
In contrast, for GEA-2 we did not discover the same intentional weakness. However, using a combination of algebraic techniques and list merging algorithms we are still able to break GEA-2 in time 2^{45.1} GEA-2 evaluations. The main practical hurdle is the required knowledge of 1600 bytes of keystream.
Affiliation | Cryptography |
Project(s) | Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2021 |
Conference Name | Eurocrypt |
Volume | 12697 |
Pagination | 155-183 |
Date Published | 06/2021 |
Publisher | Springer |
ISBN Number | 978-3-030-77885-9 |
Keywords | algebraic attacks, GEA, GPRS Encryption, Stream Cipher |
URL | https://link.springer.com/chapter/10.1007/978-3-030-77886-6_6 |
DOI | 10.1007/978-3-030-77886-6_6 |
Proceedings, refereed
Cryptanalysis of the Multivariate Encryption Scheme EFLASH
In RSA Conference Cryptographers' Track 2020. Vol. 12006. Lecture Notes in Computer Science: Springer, 2020. Status: Published
Cryptanalysis of the Multivariate Encryption Scheme EFLASH
EFLASH is a multivariate public-key encryption scheme proposed by Cartor and Smith-Tone at SAC 2018. In this paper we investigate the hardness of solving the particular equation systems arising from EFLASH, and show that the solving degree for these types of systems is much lower than estimated by the authors. We show that a Gröbner basis algorithm will produce degree fall polynomials at a low degree for EFLASH systems. In particular we are able to accurately predict the number of these polynomials occurring at step degrees 3 and 4 in our attacks. We performed several experiments using the computer algebra system MAGMA, which indicate that the solving degree is at most one higher than the one where degree fall polynomials occur; moreover, our experiments show that whenever the predicted number of degree fall polynomials is positive, it is exact. Our conclusion is that EFLASH does not offer the level of security claimed by the designers. In particular, we estimate that the EFLASH version with 80-bit security parameters offers at most 69 bits of security.
Affiliation | Cryptography |
Project(s) | Simula UiB, Quantum safe cryptography for the Internet of Things |
Publication Type | Proceedings, refereed |
Year of Publication | 2020 |
Conference Name | RSA Conference Cryptographers' Track 2020 |
Volume | 12006 |
Pagination | 85-105 |
Date Published | 02/2020 |
Publisher | Springer |
Place Published | Lecture Notes in Computer Science |
ISBN Number | 978-3-030-40186-3 |
Proceedings, refereed
Graphs and Self-dual additive codes over GF(4)
In The Eleventh International Workshop on Coding and Cryptography, 2019. Status: Published
Graphs and Self-dual additive codes over GF(4)
We initiate the study of self-dual codes over GF(4) whose corresponding graphs have fixed rankwidth. We show that by combining the structural properties of rankwidth 1 graphs, the classification of corresponding codes becomes significantly faster.
We give a new algorithm for computing weight enumerators using Binary Decision Diagrams (BDD), which has similar complexity to brute force O(2^k) but has the benefit that we automatically get complexity O(2^{min{k, n−k}}) (for k > n/2) without needing to consider the dual code.
We show that the minimum distance of a code is at least 3 if and only if the corresponding graph does not contain any pendant vertex or any twin-pairs. We also give an algorithm for computing an approximate minimum distance in codes corresponding to general graphs.
Affiliation | Cryptography |
Project(s) | Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2019 |
Conference Name | The Eleventh International Workshop on Coding and Cryptography |
Keywords | binary decision diagram, Minimum Distance, Rankwidth, Self-dual, Stabilizer Code |
Journal Article
Reducing Lattice Enumeration Search Trees
Infocommunications Journal 11, no. 4 (2019): 8-16. Status: Published
Reducing Lattice Enumeration Search Trees
We revisit the standard enumeration algorithm for finding the shortest vectors in a lattice, and study how the number of nodes in the associated search tree can be reduced. Two approaches for reducing the number of nodes are suggested. First we show that different permutations of the basis vectors have a big effect on the running time of standard enumeration, and give a class of permutations that give relatively few nodes in the search tree. This leads to an algorithm called hybrid enumeration that has a better running time than standard enumeration when the lattice is large. Next we show that it is possible to estimate the signs of the coefficients yielding a shortest vector, and that a pruning strategy can be based on this fact. Sign-based pruning gives fewer nodes in the search tree, and never missed the shortest vector in the experiments we did.
Affiliation | Cryptography |
Project(s) | Simula UiB |
Publication Type | Journal Article |
Year of Publication | 2019 |
Journal | Infocommunications Journal |
Volume | 11 |
Issue | 4 |
Pagination | 8-16 |
Date Published | 12/2019 |
Publisher | The scientific association for infocommunications |
Place Published | Budapest, Hungary |
ISSN | 2061-2079 |
Keywords | enumeration, Lattices, pruning, SVP problem |
DOI | 10.36244/ICJ.2019.4.2 |
Solving non-linear Boolean equation systems by variable elimination
Applicable Algebra in Engineering, Communication and Computing (2019). Status: Published
Solving non-linear Boolean equation systems by variable elimination
In this paper we study Boolean equation systems, and how to eliminate variables from them while bounding the degree of polynomials produced. A procedure for variable elimination is introduced, and we relate the techniques to Gröbner bases and XL methods. We prove that by increasing the degree of the polynomials in the system by one for each variable eliminated, we preserve the solution space, provided that the system satisfies a particular condition. We then estimate how many variables we need to eliminate in order to solve the resulting system by re-linearization, and show that we get complexities lower than the trivial brute-force $\mathcal{O}(2^n)$ when the system is overdetermined.
Affiliation | Cryptography |
Publication Type | Journal Article |
Year of Publication | 2019 |
Journal | Applicable Algebra in Engineering, Communication and Computing |
Date Published | Aug |
Publisher | Springer |
ISSN | 1432-0622 |
URL | https://doi.org/10.1007/s00200-019-00399-7 |
DOI | 10.1007/s00200-019-00399-7 |
Proceedings, refereed
Definitions for Plaintext-Existence Hiding in Cloud Storage
In Proceedings of the 13th International Conference on Availability, Reliability and Security. New York, NY, USA: ACM Press, 2018. Status: Published
Definitions for Plaintext-Existence Hiding in Cloud Storage
Cloud storage services use deduplication for saving bandwidth and storage. An adversary can exploit side-channel information in several attack scenarios when deduplication takes place at the client side, leaking information on whether a specific plaintext exists in the cloud storage. Generalising existing security definitions, we introduce formal security games for a number of possible adversaries in this domain, and show that games representing all natural adversarial behaviors are in fact equivalent. These results allow users and practitioners alike to accurately assess the vulnerability of deployed systems to this real-world concern.
Affiliation | Cryptography |
Project(s) | Cryptography Section |
Publication Type | Proceedings, refereed |
Year of Publication | 2018 |
Conference Name | Proceedings of the 13th International Conference on Availability, Reliability and Security |
Publisher | ACM Press |
Place Published | New York, NY, USA |
ISBN Number | 9781450364485 |
Keywords | Cloud based storage, information systems, security and privacy |
URL | http://dl.acm.org/citation.cfm?doid=3230833 |
DOI | 10.1145/3230833.3234515 |
Security Notions for Cloud Storage and Deduplication
In ProvSec 2018: Provable Security. Switzerland: Springer International Publishing, 2018. Status: Published
Security Notions for Cloud Storage and Deduplication
Cloud storage is in widespread use by individuals and enterprises but introduces a wide array of attack vectors. A basic step for users is to encrypt their data, yet it is not obvious what security properties are required for such encryption. Furthermore, cloud storage providers often use techniques such as data deduplication for improving efficiency which restricts the application of semantically-secure encryption. Generic security goals and attack models have thus far proved elusive: primitives are considered in isolation and protocols are often proved secure under ad hoc models for restricted classes of adversaries.
We formally model natural security notions for cloud storage and deduplication using a generic syntax for storage systems. We define security notions for confidentiality and integrity in encrypted cloud storage and determine relations between these notions. We show how to build cloud storage systems that satisfy our defined security notions using standard cryptographic components.
Affiliation | Cryptography |
Project(s) | Cryptography Section |
Publication Type | Proceedings, refereed |
Year of Publication | 2018 |
Conference Name | ProvSec 2018: Provable Security |
Pagination | 347 - 365 |
Publisher | Springer International Publishing |
Place Published | Switzerland |
ISBN Number | 978-3-030-01445-2 |
ISSN Number | 0302-9743 |
URL | https://link.springer.com/chapter/10.1007/978-3-030-01446-9_20 |
DOI | 10.1007/978-3-030-01446-9_20 |
Journal Article
Factorization using binary decision diagrams
Cryptography and Communications 11, no. 1 (2018): 1-18. Status: Published
Factorization using binary decision diagrams
We address the factorization problem in this paper: Given an integer N=pq, find two factors p and q of N such that p and q are of the same bit-size. When we say integer multiplication of N, we mean expressing N as a product of two factors p and q such that p and q are of the same bit-size. We work on this problem in the light of Binary Decision Diagrams (BDD). A Binary Decision Diagram is an acyclic graph which can be used to represent Boolean functions. We represent integer multiplication of N as a product of factors p and q using a BDD. Using various operations on the BDD we present an algorithm for factoring N. All calculations are done over GF(2). We show that the number of nodes in the constructed BDD is O(n^3) where n is the number of bits in p or q. We do factoring experiments for the case when p and q are primes as in the case of an RSA modulus N, and report on the observed complexity. The multiplication of large RSA numbers (that cannot be factored fast in practice) can still be easily represented as a BDD.
Affiliation | Cryptography |
Project(s) | Cryptography Section |
Publication Type | Journal Article |
Year of Publication | 2018 |
Journal | Cryptography and Communications |
Volume | 11 |
Issue | 1 |
Pagination | 1-18 |
Date Published | 2018 |
Publisher | Springer |
ISSN | 1936-2447 |
Keywords | Binary decision diagrams, Integer factorization, RSA |
URL | https://link.springer.com/article/10.1007/s12095-018-0304-7 |
DOI | 10.1007/s12095-018-0304-7 |
MRHS solver based on linear algebra and exhaustive search
Journal of Mathematical Cryptology 12, no. 3 (2018): 143-157. Status: Published
MRHS solver based on linear algebra and exhaustive search
We show how to build a binary matrix from the MRHS representation of a symmetric-key cipher. The matrix contains the cipher represented as an equation system and can be used to assess a cipher’s resistance against algebraic attacks. We give an algorithm for solving the system and compute its complexity. The complexity is normally close to exhaustive search on the variables representing the user-selected key. Finally, we show that for some variants of LowMC, the joined MRHS matrix representation can be used to speed up regular encryption in addition to exhaustive key search.
Affiliation | Cryptography |
Project(s) | Cryptography Section |
Publication Type | Journal Article |
Year of Publication | 2018 |
Journal | Journal of Mathematical Cryptology |
Volume | 12 |
Issue | 3 |
Pagination | 143-157 |
Date Published | 09/2018 |
Publisher | De Gruyter |
ISSN | 1862-2976 |
Keywords | algebraic cryptanalysis, LowMC, MRHS |
URL | https://www.degruyter.com/view/j/jmc.2018.12.issue-3/jmc-2017-0005/jmc-2... |
DOI | 10.1515/jmc-2017-0005 |
Journal Article
Cryptanalysis of 6-round PRINCE using 2 Known Plaintexts
Cryptography and Communications (2017). Status: Submitted
Cryptanalysis of 6-round PRINCE using 2 Known Plaintexts
In this paper we focus on the PRINCE block cipher reduced to 6 rounds, with two known plaintext/ciphertext pairs. We develop two attacks on 6-round PRINCE based on accelerated exhaustive search, one with negligible memory usage and one having moderate memory requirements. The time complexity for the first attack is 2^{96.78} encryptions. Time complexity for the second attack depends on the implementation, but can be argued to be approximately 2^{89} for a normal PC. The memory consumption of the second attack is less than 200MB and so is not a restricting factor in a real-world setting.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Journal Article |
Year of Publication | 2017 |
Journal | Cryptography and Communications |
Publisher | Springer |
ISSN | 1936-2447 |
Keywords | exhaustive search, lightweight cipher, PRINCE |
Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN
Tatra Mountains Mathematical Publications 67, no. 1 (2017): 149-166. Status: Published
Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN
We study multidimensional meet-in-the-middle attacks on the KATAN block cipher family. Several improvements to the basic attacks are explained. The most noteworthy of these is the technique of guessing only non-linearly involved key bits, which reduces the search space by a significant factor. The optimization decreases the complexity of multidimensional meet-in-the-middle attacks, allowing more rounds of KATAN to be efficiently attacked than previously reported.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Journal Article |
Year of Publication | 2017 |
Journal | Tatra Mountains Mathematical Publications |
Volume | 67 |
Issue | 1 |
Pagination | 149-166 |
Publisher | Tatra Mountains Mathematical Publications |
ISSN | 1338-9750 |
Keywords | block cipher, KATAN, lightweight, Meet-in-the-Middle, Reducing complexity |
DOI | 10.1515/tmmp-2016-0037 |
Proceedings, refereed
Faster Key Recovery Attack on Round-Reduced PRINCE
In LightSec 2016. Vol. 10098. Lecture Notes in Computer Science, Springer Verlag, 2017. Status: Published
Faster Key Recovery Attack on Round-Reduced PRINCE
We introduce a new technique for doing the key recovery part of an integral or higher order differential attack. This technique speeds up the key recovery phase significantly and can be applied to any block cipher with small S-boxes. We show several properties of this technique, then apply it to PRINCE and report on the improvements in complexity from earlier integral and higher order differential attacks on this cipher. Our attacks on 4 and 6 rounds were the fastest and the winner of PRINCE Challenge's last round in the category of chosen plaintext attack.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2017 |
Conference Name | LightSec 2016 |
Volume | 10098 |
Pagination | 3-17 |
Date Published | 03/2017 |
Publisher | Lecture Notes in Computer Science, Springer Verlag |
ISBN Number | 978-3-319-55714-4 |
Keywords | block cipher, higher-order differential, integral, key recovery attack, lightweight, PRINCE |
URL | https://link.springer.com/chapter/10.1007/978-3-319-55714-4_1 |
DOI | 10.1007/978-3-319-55714-4_1 |
Proceedings, refereed
Cryptanalysis of PRINCE with Minimal Data
In Africacrypt 2016. Vol. 9646. Lecture Notes in Computer Science, Springer Verlag, 2016. Status: Published
Cryptanalysis of PRINCE with Minimal Data
We investigate two attacks on the PRINCE block cipher in the most realistic scenario, when the attacker only has a minimal amount of known plaintext available. The first attack is called Accelerated Exhaustive Search, and is able to recover the key for up to the full 12-round PRINCE with a complexity slightly lower than the security claim given by the designers. The second attack is a meet-in-the-middle attack, where we show how to successfully attack 8- and 10-round PRINCE with only two known plaintext/ciphertext pairs. Both attacks take advantage of the fact that the two middle rounds in PRINCE are unkeyed, so guessing the state before the first middle round gives the state after the second round practically for free. These attacks are the fastest until now in the known plaintext scenario for the 8 and 10 reduced-round versions and the full 12-round of PRINCE.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2016 |
Conference Name | Africacrypt 2016 |
Volume | 9646 |
Pagination | 109-126 |
Date Published | 04/2016 |
Publisher | Lecture Notes in Computer Science, Springer Verlag |
ISBN Number | 978-3-319-31516-4 |
ISSN Number | 0302-9743 |
Keywords | Cryptanalysis, exhaustive search, lightweight cipher, meet-in-the-middle, PRINCE |
URL | http://link.springer.com/chapter/10.1007/978-3-319-31517-1_6 |
DOI | 10.1007/978-3-319-31517-1_6 |
Proceedings, refereed
Algebraic Analysis of the Simon Block Cipher Family
In LatinCrypt 2015. Vol. 9230. Lecture Notes in Computer Science, Springer Verlag, 2015. Status: Published
Algebraic Analysis of the Simon Block Cipher Family
This paper focuses on algebraic attacks on the Simon family of block ciphers. We construct equation systems using multiple plaintext/ciphertext pairs, and show that many variables in the cipher states coming from different plaintexts are linearly related. A simple solving algorithm exploiting these relations is developed and extensively tested on the different Simon variants, giving efficient algebraic attacks on up to 16 rounds of the largest Simon variants.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2015 |
Conference Name | LatinCrypt 2015 |
Volume | 9230 |
Edition | Lecture Notes in Computer Science |
Pagination | 157 - 169 |
Publisher | Lecture Notes in Computer Science, Springer Verlag |
ISBN Number | 978-3-319-22173-1 |
ISSN Number | 0302-9743 |
Keywords | algebraic attack, block cipher, equation system, Simon |
Algebraic Attacks Using Binary Decision Diagrams
In BalkanCryptSec 2014. Vol. 9024. Lecture Notes in Computer Science, Springer Verlag, 2015. Status: Published
Algebraic Attacks Using Binary Decision Diagrams
Algebraic attacks have been developed against symmetric primitives during the last decade. In this paper we represent equation systems using binary decision diagrams, and explain techniques for solving them. Next, we do experiments with systems describing reduced versions of DES and AES, as well as systems for the problem of determining EA-equivalence. We compare our results against Gröbner basis and CryptoMiniSat.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2015 |
Conference Name | BalkanCryptSec 2014 |
Volume | 9024 |
Pagination | 40 - 54 |
Date Published | 07/2015 |
Publisher | Lecture Notes in Computer Science, Springer Verlag |
ISBN Number | 978-3-319-21356-9 |
ISSN Number | 0302-9743 |
Keywords | algebraic attack, binary decision diagram, block cipher, symmetric primitives |
URL | http://link.springer.com/chapter/10.1007/978-3-319-21356-9_4 |
DOI | 10.1007/978-3-319-21356-9_4 |
Journal Article
Influence of addition modulo 2^n on algebraic attacks
Cryptography and Communications 8, no. 2 (2015): 277-289. Status: Published
Influence of addition modulo 2^n on algebraic attacks
Many modern ciphers have a substitution-permutation (SP) network as a main component. This design is well researched in relation to Advanced Encryption Standard (AES). One of the ways to improve the security of cryptographic primitives is the use of additional nonlinear layers. However, this replacement may not have any effect against particular cryptanalytic attacks. In this paper we use algebraic attacks to analyze an SP network with addition modulo 2^n as the key mixing layer. In particular, we show how to reduce the number of intermediate variables in round functions based on SP networks. We also apply the proposed method to the GOST 28147-89 block cipher that allows us to break reduced 8- and 14-round versions with complexity at most 2^{155} and 2^{215.4}, respectively.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Journal Article |
Year of Publication | 2015 |
Journal | Cryptography and Communications |
Volume | 8 |
Issue | 2 |
Pagination | 277-289 |
Date Published | 05/2015 |
Publisher | Springer Verlag |
ISSN | 1936-2455 |
Keywords | Addition modulo 2^n, algebraic attack, binary decision diagram, block cipher |
URL | http://link.springer.com/article/10.1007/s12095-015-0136-7 |
DOI | 10.1007/s12095-015-0136-7 |
Public outreach
Dømt til dårlig sikkerhet (Condemned to Poor Security)
In Chronicle in Bergens Tidende. Bergen: Bergens Tidende, 2014. Status: Published
Dømt til dårlig sikkerhet (Condemned to Poor Security)
ONLINE SECURITY: Would we accept the postman opening all our letters and putting the contents in the mailbox?
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Public outreach |
Year of Publication | 2014 |
Secondary Title | Chronicle in Bergens Tidende |
Date Published | 02/2014 |
Publisher | Bergens Tidende |
Place Published | Bergen |
Type of Work | Chronicle |
URL | http://www.bt.no/meninger/kronikk/Domt-til-darlig-sikkerhet-3055677.html |
Snowden-stormen har stilnet. Hva nå? (The Snowden Storm Has Subsided. What Now?)
In Chronicle on NRK Ytring. Oslo: Norsk Rikskringkasting, 2014. Status: Published
Snowden-stormen har stilnet. Hva nå? (The Snowden Storm Has Subsided. What Now?)
The USA does not appear willing to curtail its surveillance. Even so, the super-whistleblower Edward Snowden has achieved his stated goal.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Public outreach |
Year of Publication | 2014 |
Secondary Title | Chronicle on NRK Ytring |
Date Published | 04/2014 |
Publisher | Norsk Rikskringkasting |
Place Published | Oslo |
Type of Work | Chronicle |
URL | http://www.nrk.no/ytring/snowden-stormen-har-stilnet-1.11633844 |
Proceedings, refereed
Solving Compressed Right Hand Side Equation Systems with Linear Absorption
In 7th International Conference on Sequences and Their Applications, SETA 2012. Vol. 7280. Lecture Notes in Computer Science, Springer Verlag, 2012. Status: Published
Solving Compressed Right Hand Side Equation Systems with Linear Absorption
In this paper we describe an approach for solving complex multivariate equation systems related to algebraic cryptanalysis. The work uses the newly introduced Compressed Right Hand Sides (CRHS) representation, where equations are represented using Binary Decision Diagrams (BDD). The paper introduces a new technique for manipulating a BDD, similar to swapping variables in the well-known sifting-method. Using this technique we develop a new solving method for CRHS equation systems. The new algorithm is successfully tested on systems representing reduced variants of Trivium.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2012 |
Conference Name | 7th International Conference on Sequences and Their Applications, SETA 2012 |
Volume | 7280 |
Pagination | 291-302 |
Date Published | 06/2012 |
Publisher | Lecture Notes in Computer Science, Springer Verlag |
ISBN Number | 978-3-642-30614-3 |
ISSN Number | 0302-9743 |
Keywords | algebraic cryptanalysis, BDD, multivariate equation system, Trivium |
URL | http://link.springer.com/chapter/10.1007/978-3-642-30615-0_27 |
DOI | 10.1007/978-3-642-30615-0_27 |
Proceedings, refereed
Analysis of Trivium Using Compressed Right Hand Side Equations
In 14th International Conference on Information Security and Cryptology - ICISC 2011. Vol. 7259. Lecture Notes in Computer Science, Springer Verlag, 2011. Status: Published
Analysis of Trivium Using Compressed Right Hand Side Equations
We study a new representation of non-linear multivariate equations for algebraic cryptanalysis. Using a combination of multiple right hand side equations and binary decision diagrams, our new representation allows a very efficient conjunction of a large number of separate equations. We apply our new technique to the stream cipher Trivium and variants of Trivium reduced in size. By merging all equations into one single constraint, manageable in size and processing time, we get a representation of the Trivium cipher as one single equation.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2011 |
Conference Name | 14th International Conference on Information Security and Cryptology - ICISC 2011 |
Volume | 7259 |
Pagination | 18-32 |
Date Published | 12/2011 |
Publisher | Lecture Notes in Computer Science, Springer Verlag |
ISBN Number | 978-3-642-31911-2 |
ISSN Number | 0302-9743 |
Keywords | algebraic cryptanalysis, BDD, multivariate equation system, Trivium |
URL | http://link.springer.com/chapter/10.1007/978-3-642-31912-9_2 |
DOI | 10.1007/978-3-642-31912-9_2 |
Talks, contributed
Tutorial Paper on Quantitative Risk Assessment
In Norsk Informasjonssikkerhetskonferanse (NISK) 2011, Tromsø, 2011. Status: Published
Tutorial Paper on Quantitative Risk Assessment
This paper shows how to carry out a quantitative risk assessment, describing how each step in the process is carried out. We use the grade management system at the University of Bergen as a case study, evaluating the risk of wrong grades ending up in the university grade database.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Talks, contributed |
Year of Publication | 2011 |
Location of Talk | Norsk Informasjonssikkerhetskonferanse (NISK) 2011, Tromsø |
Type of Talk | Conference presentation |
URL | http://entrance-exam.net/forum/attachments/private-sector-jobs/147807d13... |
Talks, contributed
Coercion-Resistant Receipts in Electronic Elections
In Norsk Informasjonssikkerhetskonferanse, NISK 2010, Gjøvik, 2010. Status: Published
Coercion-Resistant Receipts in Electronic Elections
Several suggested Internet-based electronic voting systems provide the voters with receipts to prove that their votes were counted. Unfortunately, these receipts strengthen an adversary’s ability to coerce voters. This paper proposes a technique for generating receipts which gives voters a high degree of certainty their votes were counted, but without helping a coercer.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Talks, contributed |
Year of Publication | 2010 |
Location of Talk | Norsk Informasjonssikkerhetskonferanse, NISK 2010, Gjøvik |
Type of Talk | Conference presentation |
Proceedings, refereed
Security Analysis of Mobile Phones Used as OTP Generators
In International Workshop on Security Theory and Practice, WISTP 2010. Vol. 6033. Lecture Notes in Computer Science, Springer Verlag, 2010. Status: Published
Security Analysis of Mobile Phones Used as OTP Generators
The Norwegian company Encap has developed protocols enabling individuals to use their mobile phones as one-time password (OTP) generators. An initial analysis of the protocols reveals minor security flaws. System-level testing of an online bank utilizing Encap’s solution then shows that several attacks allow a malicious individual to turn his own mobile phone into an OTP generator for another individual’s bank account. Some of the suggested countermeasures to thwart the attacks are already incorporated in an updated version of the online banking system.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2010 |
Conference Name | International Workshop on Security Theory and Practice, WISTP 2010 |
Volume | 6033 |
Pagination | 324-331 |
Date Published | 04/2010 |
Publisher | Lecture Notes in Computer Science, Springer Verlag |
ISBN Number | 978-3-642-12367-2 |
ISSN Number | 0302-9743 |
URL | http://link.springer.com/chapter/10.1007/978-3-642-12368-9_26 |
DOI | 10.1007/978-3-642-12368-9_26 |
Solving Equation Systems by Agreeing and Learning
In Third International Workshop on the Arithmetic of Finite Fields, WAIFI 2010. Vol. 6087. Lecture Notes in Computer Science, Springer Verlag, 2010. Status: Published
Solving Equation Systems by Agreeing and Learning
We study sparse non-linear equation systems defined over a finite field. Representing the equations as symbols and using the Agreeing algorithm we show how to learn and store new knowledge about the system when a guess-and-verify technique is used for solving. Experiments are then presented, showing that our solving algorithm compares favorably to MiniSAT in many instances.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2010 |
Conference Name | Third International Workshop on the Arithmetic of Finite Fields, WAIFI 2010 |
Volume | 6087 |
Pagination | 151-165 |
Date Published | 06/2010 |
Publisher | Lecture Notes in Computer Science, Springer Verlag |
ISBN Number | 978-3-642-13796-9 |
ISSN Number | 0302-9743 |
Keywords | agreeing, dynamic learning, multivariate equation system, SAT-solving |
URL | http://link.springer.com/chapter/10.1007/978-3-642-13797-6_11 |
DOI | 10.1007/978-3-642-13797-6_11 |
Journal Article
The Zodiac Killer Ciphers
Tatra Mountains Mathematical Publications 45 (2010): 75-91. Status: Published
The Zodiac Killer Ciphers
We describe the background of the Zodiac killer’s cipher, and present a strategy for how to attack the unsolved Z340 cipher. We present evidence that there is a high degree of non-randomness in the sequence of ciphertext symbols in this cipher, suggesting it has been constructed in a systematic way. Next, we use this information to design a tool for solving the Zodiac ciphers. Using this tool we are able to re-solve the known Z408 cipher.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Journal Article |
Year of Publication | 2010 |
Journal | Tatra Mountains Mathematical Publications |
Volume | 45 |
Pagination | 75-91 |
Publisher | Tatra Mountains Mathematical Publications |
URL | http://www.sav.sk/journals/uploads/0317152012ra-sy.pdf |
DOI | 10.2478/v10127-010-0007-8 |
Proceedings, refereed
Algebraic Analysis of LEX
In Australasian Information Security Conference, AISC2009. Vol. 98. ACS, 2009. Status: Published
Algebraic Analysis of LEX
LEX is a stream cipher that progressed to Phase 3 of the eSTREAM stream cipher project. In this paper, we show that the security of LEX against algebraic attacks relies on a small equation system not being solvable faster than exhaustive search. We use the byte leakage in LEX to construct a system of 21 equations in 17 variables. This is very close to the requirement for an efficient attack, i.e. a system containing 16 variables. The system requires only 36 bytes of keystream, which is very low.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2009 |
Conference Name | Australasian Information Security Conference, AISC2009 |
Volume | 98 |
Pagination | 33-45 |
Publisher | ACS |
ISBN Number | 978-1-920682-79-8 |
ISSN Number | 1445-1336 |
Keywords | Advanced Encryption Standard, LEX, Stream Cipher |
URL | http://crpit.com/abstracts/CRPITV98RezaZaba.html |
Public outreach
Når folk stemmer hjemme (When people vote at home)
In Feature article in HUBRO, 2009. Status: Published
Når folk stemmer hjemme (When people vote at home)
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Public outreach |
Year of Publication | 2009 |
Secondary Title | Feature article in HUBRO |
Proceedings, refereed
Bit-Pattern Based Integral Attack
In Fast Software Encryption, FSE 2008. Vol. 5086. Lecture Notes in Computer Science, Springer Verlag, 2008. Status: Published
Bit-Pattern Based Integral Attack
Integral attacks are well-known to be effective against byte-based block ciphers. In this document, we outline how to launch integral attacks against bit-based block ciphers. This new type of integral attack traces the propagation of the plaintext structure at bit-level by incorporating bit-pattern based notations. The new notation gives the attacker more details about the properties of a structure of cipher blocks. The main difference from ordinary integral attacks is that we look at the pattern that the bits in a specific position of the cipher block have through the structure. The bit-pattern based integral attack is applied to Noekeon, Serpent and present reduced up to 5, 6 and 7 rounds, respectively. This includes the first attacks on Noekeon and present using integral cryptanalysis. All attacks manage to recover the full subkey of the final round.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2008 |
Conference Name | Fast Software Encryption, FSE 2008 |
Volume | 5086 |
Pagination | 363-381 |
Date Published | 02/2008 |
Publisher | Lecture Notes in Computer Science, Springer Verlag |
ISBN Number | 978-3-540-71038-7 |
ISSN Number | 0302-9743 |
Keywords | block ciphers, integral cryptanalysis, Noekeon, Present, Serpent |
URL | http://link.springer.com/chapter/10.1007/978-3-540-71039-4_23 |
DOI | 10.1007/978-3-540-71039-4_23 |
On the Number of Linearly Independent Equations Generated by XL
In Sequences and Their Applications, SETA 2008. Vol. 5203. Lecture Notes in Computer Science, Springer Verlag, 2008. Status: Published
On the Number of Linearly Independent Equations Generated by XL
Solving multivariate polynomial equation systems has been the focus of much attention in cryptography in recent years. Since most ciphers can be represented as a system of such equations, the problem of breaking a cipher naturally reduces to the task of solving them. Several papers have appeared on a strategy known as eXtended Linearization (XL) with a view to assessing its complexity. However, its efficiency seems to have been overestimated and its behaviour has yet to be fully understood. Our aim in this paper is to fill in some of these gaps in our knowledge of XL. In particular, by examining how dependencies arise from multiplication by monomials, we give a formula from which the efficiency of XL can be deduced for multivariate polynomial equations over F_2. This confirms rigorously a result arrived at by Yang and Chen by a completely different approach. The formula was verified empirically by investigating huge amounts of random equation systems with varying degree, number of variables and number of equations.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2008 |
Conference Name | Sequences and Their Applications, SETA 2008 |
Volume | 5203 |
Pagination | 239-251 |
Date Published | 09/2008 |
Publisher | Lecture Notes in Computer Science, Springer Verlag |
ISBN Number | 978-3-540-85911-6 |
ISSN Number | 0302-9743 |
Keywords | Gröbner bases, Stream Ciphers, XL |
URL | http://link.springer.com/chapter/10.1007/978-3-540-85912-3_22 |
DOI | 10.1007/978-3-540-85912-3_22 |
Journal Article
Solving Multiple Right Hand Sides linear equations
Designs, Codes and Cryptography 49, no. 1 (2008): 147-160. Status: Published
Solving Multiple Right Hand Sides linear equations
A new method for solving algebraic equation systems common in cryptanalysis is proposed. Our method differs from the others in that the equations are not represented as multivariate polynomials, but as a system of Multiple Right Hand Sides linear equations. The method was tested on scaled versions of the AES. The results overcome significantly what was previously achieved with Gröbner Basis related algorithms.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Journal Article |
Year of Publication | 2008 |
Journal | Designs, Codes and Cryptography |
Volume | 49 |
Issue | 1 |
Pagination | 147-160 |
Date Published | 04/2008 |
Publisher | Springer Verlag |
Keywords | AES, algebraic attacks, Multiple Right Hand Sides linear equations |
URL | http://link.springer.com/article/10.1007/s10623-008-9180-z |
DOI | 10.1007/s10623-008-9180-z |
Proceedings, refereed
An Analysis of the Hermes8 Stream Ciphers
In 12th Australasian Conference on Information Security and Privacy, ACISP 2007. Vol. 4586. Lecture Notes in Computer Science, Springer Verlag, 2007. Status: Published
An Analysis of the Hermes8 Stream Ciphers
Hermes8 [6,7] is one of the stream ciphers submitted to the ECRYPT Stream Cipher Project (eSTREAM [3]). In this paper we present an analysis of the Hermes8 stream ciphers. In particular, we show an attack on the latest version of the cipher (Hermes8F), which requires very few known keystream bytes and recovers the cipher secret key in less than a second on a normal PC. Furthermore, we make some remarks on the cipher’s key schedule and discuss some properties of ciphers with similar algebraic structure to Hermes8.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2007 |
Conference Name | 12th Australasian Conference on Information Security and Privacy, ACISP 2007 |
Volume | 4586 |
Pagination | 1-10 |
Date Published | 08/2007 |
Publisher | Lecture Notes in Computer Science, Springer Verlag |
ISBN Number | 978-3-540-73457-4 |
ISSN Number | 0302-9743 |
Keywords | Cryptanalysis, Hermes8, Stream Cipher |
URL | http://link.springer.com/chapter/10.1007/978-3-540-73458-1_1 |
DOI | 10.1007/978-3-540-73458-1_1 |
MRHS Equation Systems
In 14th International Workshop on Selected Areas in Cryptography, SAC 2007. Vol. 4876. Lecture Notes in Computer Science, Springer Verlag, 2007. Status: Published
MRHS Equation Systems
We show how to represent a non-linear equation over GF(2) using linear systems with multiple right hand sides. We argue that this representation is particularly useful for constructing equation systems describing ciphers using an S-box as the only means for non-linearity. Several techniques for solving systems of such equations were proposed in earlier work, and are also explained here. Results from experiments with DES are reported. Finally we use our representation to link a particular problem concerning vector spaces to the security of ciphers with S-boxes as the only non-linear operation.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2007 |
Conference Name | 14th International Workshop on Selected Areas in Cryptography, SAC 2007 |
Volume | 4876 |
Pagination | 232-245 |
Date Published | 08/2007 |
Publisher | Lecture Notes in Computer Science, Springer Verlag |
ISBN Number | 978-3-540-77359-7 |
ISSN Number | 0302-9743 |
Keywords | algebraic attacks, Cryptanalysis, DES, non-linear equation systems |
URL | http://link.springer.com/chapter/10.1007/978-3-540-77360-3_15 |
DOI | 10.1007/978-3-540-77360-3_15 |
Proceedings, refereed
More Dual Rijndaels
In 4th International Conference, AES 2004. Vol. 3373. Lecture Notes in Computer Science, Springer Verlag, 2005. Status: Published
More Dual Rijndaels
It is well known that by replacing the irreducible polynomial used in the AES one can produce 240 dual ciphers. In this paper we present 9120 other representations of GF(2^8), producing more ciphers dual to the AES. We also show that if the matrix used in the S-box of Rijndael is linear over a larger field than GF(2), this would have implications for the XSL attack.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2005 |
Conference Name | 4th International Conference, AES 2004 |
Volume | 3373 |
Pagination | 142-147 |
Date Published | 05/2005 |
Publisher | Lecture Notes in Computer Science, Springer Verlag |
ISBN Number | 978-3-540-26557-3 |
URL | http://link.springer.com/chapter/10.1007/11506447_12 |
DOI | 10.1007/11506447_12 |
Journal Article
On the computation of coset leaders with high Hamming weight
Discrete Mathematics 274, no. 1-3 (2004): 213-231. Status: Published
On the computation of coset leaders with high Hamming weight
The Newton radius of a code is the largest weight of a uniquely correctable error. The covering radius is the largest distance between a vector and the code. In this paper, we use the modular representation of a linear code to give an efficient algorithm for computing coset leaders of relatively high Hamming weight. The weights of these coset leaders serve as lower bounds on the Newton radius and the covering radius for linear codes.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Journal Article |
Year of Publication | 2004 |
Journal | Discrete Mathematics |
Volume | 274 |
Issue | 1-3 |
Pagination | 213-231 |
Date Published | 01/2004 |
Publisher | Elsevier |
Keywords | Covering radius, Modular representation, Newton radius |
DOI | 10.1016/S0012-365X(03)00090-6 |
Weaknesses in the temporal key hash of WPA
Mobile Computing and Communications Review 8, no. 2 (2004): 76-83. Status: Published
Weaknesses in the temporal key hash of WPA
This article describes some weaknesses in the key scheduling in Wi-Fi Protected Access (WPA) put forward to secure the IEEE standard 802.11-1999. Given a few RC4 packet keys in WPA it is possible to find the Temporal Key (TK) and the Message Integrity Check (MIC) key. This is not a practical attack on WPA, but it shows that parts of WPA are weak on their own. Using this attack it is possible to do a TK recovery attack on WPA with complexity O(2^105) compared to a brute force attack with complexity O(2^128).
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Journal Article |
Year of Publication | 2004 |
Journal | Mobile Computing and Communications Review |
Volume | 8 |
Issue | 2 |
Pagination | 76-83 |
Date Published | 04/2004 |
Publisher | ACM Sigmobile |
Keywords | 802.11, MIC, Michael, temporal key hash, TKIP, WPA |
DOI | 10.1145/997122.997132 |
Proceedings, refereed
Cryptanalysis of IDEA-X/2
In Fast Software Encryption. Vol. 2887. Lecture Notes in Computer Science, Springer Verlag, 2003. Status: Published
Cryptanalysis of IDEA-X/2
IDEA is a 64-bit block cipher with a 128-bit key designed by J. Massey and X. Lai. At FSE 2002 a slightly modified version called IDEA-X was attacked using multiplicative differentials. In this paper we present a less modified version of IDEA we call IDEA-X/2, and an attack on this cipher. This attack also works on IDEA-X, and improves on the attack presented at FSE 2002.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2003 |
Conference Name | Fast Software Encryption |
Volume | 2887 |
Pagination | 1-8 |
Date Published | 02/2003 |
Publisher | Lecture Notes in Computer Science, Springer Verlag |
ISBN Number | 978-3-540-20449-7 |
ISSN Number | 0302-9743 |
Keywords | block ciphers, Cryptography, differential cryptanalysis, IDEA |
DOI | 10.1007/978-3-540-39887-5_1 |
Journal Article
Distinguishing attack on five-round Feistel networks
Electronics Letters 39, no. 16 (2003): 1175-1177. Status: Published
Distinguishing attack on five-round Feistel networks
Recently it was shown (by J. Patarin) how to distinguish a general five-round Feistel network from a random permutation using O(2^(3n/2)) chosen plaintexts or O(2^(7n/4)) known plaintexts. The present authors report improvement of these results and a distinguisher is presented which uses roughly 2^n chosen plaintexts or roughly 2^(3n/2) known plaintexts.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Journal Article |
Year of Publication | 2003 |
Journal | Electronics Letters |
Volume | 39 |
Issue | 16 |
Pagination | 1175-1177 |
Date Published | 08/2003 |
Publisher | IEE |
Other Numbers | ISSN: 0013-5194 |
DOI | 10.1049/el:20030768 |
Proceedings, refereed
A Differential Attack on Reduced-Round SC2000
In Selected Areas in Cryptography 2001. Vol. 2259. Lecture Notes in Computer Science, Springer Verlag, 2001. Status: Published
A Differential Attack on Reduced-Round SC2000
SC2000 is a 128-bit block cipher with key length of 128, 192 or 256 bits, developed by Fujitsu Laboratories LTD. For 128-bit keys, SC2000 consists of 6.5 rounds, and for 192- and 256-bit keys it consists of 7.5 rounds. In this paper we demonstrate two different 3.5-round differential characteristics that hold with probabilities 2^-106 and 2^-107. These characteristics can be used to extract up to 32 bits of the first and last round keys in a 4.5-round variant of SC2000.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2001 |
Conference Name | Selected Areas in Cryptography 2001 |
Volume | 2259 |
Pagination | 190-198 |
Date Published | 12/2001 |
Publisher | Lecture Notes in Computer Science, Springer Verlag |
ISBN Number | 978-3-540-43066-7 |
ISSN Number | 0302-9743 |
DOI | 10.1007/3-540-45537-X_15 |
On Noekeon
In Second Open NESSIE workshop. London: Royal Holloway University of London, 2001. Status: Published
On Noekeon
In this note we analyse Noekeon, a 128-bit block cipher submitted to the NESSIE project. It is shown that for six of seven S-boxes which satisfy the design criteria of the Noekeon designers the resulting block ciphers are vulnerable to either a differential attack, a linear attack or both. One conclusion is that Noekeon is not designed according to the wide trail strategy. Also, it is shown that there exist many related keys for which plaintexts of certain differences result in ciphertexts of certain differences with high probabilities. Noekeon has two key-schedules, one for applications where related-key attacks are not considered dangerous and one for applications where related-key attacks can be mounted. In this paper it is shown that for any given user-selected keys there are many related keys independently of which key-schedule is used.
Affiliation | Communication Systems |
Project(s) | Simula UiB |
Publication Type | Proceedings, refereed |
Year of Publication | 2001 |
Conference Name | Second Open NESSIE workshop |
Date Published | 09/2001 |
Publisher | Royal Holloway University of London |
Place Published | London |