Dirk Van Heule

The Quasi-Newton Least Squares Method: A New and Fast Secant Method Analyzed for Linear Systems

We present a new quasi-Newton method that can solve systems of equations of which no information is known explicitly and which requires no special structure of the system matrix, like positive definiteness or sparseness. The method builds an approximate Jacobian based on input-output combinations of a black box system, uses a rank-one update of this Jacobian after each iteration, and satisfies the secant equation. While it has originally been developed for nonlinear equations we analyze its properties and performance when applied to linear systems. Analytically, the method is shown to be convergent in

On the Similarities Between the Quasi-Newton Inverse Least Squares Method and GMRes

n+1

SAT based analysis of LTE stream cipher ZUC

iterations (

Secure and practical threshold RSA

n

Safe cryptographic random number generation using untrusted generators

being the number of unknowns), irrespective of the nature of the system matrix. The performance of this method is greatly superior to other quasi-Newton methods and comparable with GMRes when tested on a number of standardized test-cases.

Multi-stage solvers optimized for damping and propagation

We show how one of the best-known Krylov subspace methods, the generalized minimal residual method (GMRes), can be interpreted as a quasi-Newton method and how the quasi-Newton inverse least squares method (QN-ILS) relates to Krylov subspace methods in general and to GMRes in particular when applied to linear systems. We also show that we can modify QN-ILS in order to make it analytically equivalent to GMRes, without the need for extra matrix-vector products.

Arbitrated Secure Authentication realized by using quantum principles

Mobile security is of paramount importance. The security of LTE (long term evolution of radio networks), which is currently widely deployed as a long-term standard for mobile networks, relies upon three cryptographic primitives, among which the stream cipher ZUC. In this paper, we point out that the linear feedback shift register (LFSR) used in ZUC has about 225 encodings of the zero state (i.e. all LFSR variables are 0) due to the fact that operations are performed modulo 231 -- 1 on 32-bit operands. We use SAT solvers to show that these states are reachable when 64 bits of ZUCs initial state can be chosen (i.e. R1, R2). That is, for each key there are many initial vectors that lead to a weak state after ZUCs initialization. We also use SAT-solvers to disprove the existence of such weak inputs when the initial values of R1, R2 are set to zero as required by the official specifications. Finally, we discuss how the redundancy introduced in ZUCs output function might help mounting SAT-solver based guess-and-determine attacks given a few keystream digits.

Cryptographic Boolean Functions with R

This article describes a scheme that outputs RSA signatures using a threshold mechanism in which each share has a bitlength close to the bitlength of the RSA modulus. The scheme is proven unforgeable under the standard RSA assumption against an honest but curious adversary that has static corruption capabilities. Previous practical and provably secure schemes require to introduce a factor n! [33] and 2kt [15] in the exponent when computing the partial signatures, where n is the RSA modulus, t + 1 the threshold and k a fixed parameter. Our scheme requires only t + 1 modular exponentiations and l + 1 modular multiplications, with t the threshold and l the number of participants.

Applications of SAT Solvers in Cryptanalysis: Finding Weak Keys and Preimages

The security of many cryptographic applications relies heavily on the quality of the random numbers used. Therefore, random number generation is one of the most critical primitives for cryptography. This paper focuses on true random number generators (TRNGs) and the analysis of their security requirements. After illustrating issues associated with adversarial influences on TRNGs, we propose a simple method to obtain a secure TRNG based on n TRNGs originating from (potentially) untrusted vendors. The untrusted generators are combined such that as long as one out of the n vendors does not collude with the other vendors, the generator is secure, i.e., the output is unpredictable and uniformly distributed even in the presence of an active attacker. In order to achieve this, we review several choices of functions to be used as combiner. The advantage of our design is that only the (black-box) input-output behavior of the vendors TRNGs needs to be evaluated. No overhead is introduced by the combiner. The resulting generator offers faultresilience and ease of maintenance.

On the automated verification of symmetric-key cryptographic algorithms: an approach based on SAT-solvers

Explicit multi-stage solvers are routinely used to solve the semi-discretized equations that arise in Computational Fluid Dynamics (CFD) problems. Often they are used in combination with multi-grid methods. In that case, the role of the multi-stage solver is to efficiently reduce the high frequency modes on the current grid and is called a smoother. In the past, when optimizing the coefficients of the scheme, only the damping characteristics of the smoother were taken into account and the interaction with the remainder of the multi-grid cycle was neglected. Recently it had been found that coefficients that result in less damping, but allow for a higher Courant-Friedrichs-Lewy (CFL) number are often superior to schemes that try to optimize damping alone. While this is certainly true for multi-stage schemes used as a stand-alone solver, we investigate in this paper if using higher CFL numbers also yields better results in a multi-grid setting. We compare the results with a previous study we conducted and where a more accurate model of the multi-grid cycle was used to optimize the various parameters of the solver. We show that the use of the more accurate model results in better coefficients and that in a multi-grid setting propagation is of little importance. We also look into the gains to be made when we allow the parameters to be different for the pre- and post-smoother and show that even better coefficients can be found in this way.