Eric Brier
Ingenico
Publication
Featured research published by Eric Brier.
cryptographic hardware and embedded systems | 2004
Eric Brier; Christophe Clavier; Francis Olivier
A classical model is used for the power consumption of cryptographic devices. It is based on the Hamming distance of the data handled with regard to an unknown but constant reference state. Once validated experimentally it allows an optimal attack to be derived called Correlation Power Analysis. It also explains the defects of former approaches such as Differential Power Analysis.
international cryptology conference | 2010
Eric Brier; Jean-Sébastien Coron; Thomas Icart; David Madore; Hugues Randriam; Mehdi Tibouchi
We provide the first construction of a hash function into ordinary elliptic curves that is indifferentiable from a random oracle, based on Icart's deterministic encoding from Crypto 2009. While almost as efficient as Icart's encoding, this hash function can be plugged into any cryptosystem that requires hashing into elliptic curves without compromising proofs of security in the random oracle model. We also describe a more general (but less efficient) construction that works for a large class of encodings into elliptic curves, for example the Shallue-Woestijne-Ulas (SWU) algorithm. Finally, we describe the first deterministic encoding algorithm into elliptic curves in characteristic 3.
international conference on the theory and application of cryptology and information security | 2009
Eric Brier; Shahram Khazaei; Willi Meier; Thomas Peyrin
In this paper, an improved differential cryptanalysis framework for finding collisions in hash functions is provided. Its principle is based on linearization of compression functions in order to find low-weight differential characteristics, as initiated by Chabaud and Joux. This is formalized and refined, however, in several ways: for the problem of finding a conforming message pair whose differential trail follows a linear trail, a condition function is introduced so that finding a collision is equivalent to finding a preimage of the zero vector under the condition function. Then, the dependency table concept shows how much influence every input bit of the condition function has on each output bit. Careful analysis of the dependency table reveals degrees of freedom that can be exploited in accelerated preimage reconstruction under the condition function. These concepts are applied to an in-depth collision analysis of reduced-round versions of the two SHA-3 candidates CubeHash and MD6, and are demonstrated to give by far the best currently known collision attacks on these SHA-3 candidates.
australasian conference on information security and privacy | 2009
Jean-Philippe Aumasson; Eric Brier; Willi Meier; María Naya-Plasencia; Thomas Peyrin
Bernstein's CubeHash is a hash function family that includes four functions submitted to the NIST Hash Competition. A CubeHash function is parametrized by a number of rounds r, a block byte size b, and a digest bit length h (the compression function makes r rounds, while the finalization function makes 10r rounds). The 1024-bit internal state of CubeHash is represented as a five-dimensional hypercube. The submissions to NIST recommend r = 8, b = 1, and h ∈ {224, 256, 384, 512}. This paper presents the first external analysis of CubeHash, with improved standard generic attacks for collisions and preimages; a multicollision attack that exploits fixed points; a study of the round function symmetries; a preimage attack that exploits these symmetries; a practical collision attack on a weakened version of CubeHash; a study of fixed points and an example of a nontrivial fixed point; and high-probability truncated differentials over 10 rounds. Since the first publication of these results, several collision attacks for reduced versions of CubeHash were published by Dai, Peyrin, et al. Our results are more general, since they apply to any choice of the parameters, and show intrinsic properties of the CubeHash design rather than attacks on specific versions.
cryptographic hardware and embedded systems | 2001
Eric Brier; Helena Handschuh; Christophe Tymen
Although tamper-resistant devices are specifically designed to thwart invasive attacks, they remain vulnerable to micro-probing. Among the several ways to provide data obfuscation, keyed hardware permutations offer a compact design and easy diversification. We discuss the efficiency of such primitives, and we give several examples of implementations, along with proofs of an effectively large key space.
cryptographic hardware and embedded systems | 2011
Eric Brier; David Naccache; Phong Q. Nguyen; Mehdi Tibouchi
RSA-CRT fault attacks have been an active research area since their discovery by Boneh, DeMillo and Lipton in 1997. We present alternative key-recovery attacks on RSA-CRT signatures: instead of targeting one of the sub-exponentiations in RSA-CRT, we inject faults into the public modulus before CRT interpolation, which makes a number of countermeasures against Boneh et al.'s attack ineffective. Our attacks are based on orthogonal lattice techniques and are very efficient in practice: depending on the fault model, between 5 and 45 faults suffice to recover the RSA factorization within a few seconds. Our simplest attack requires that the adversary knows the faulty moduli, but more sophisticated variants work even if the moduli are unknown, under reasonable fault models. All our attacks have been fully validated experimentally with laser fault-injection techniques.
applied cryptography and network security | 2009
Eric Brier; Thomas Peyrin
CubeHash is a family of hash functions submitted by Bernstein as a SHA-3 candidate. In this paper, we provide two different cryptanalysis approaches concerning its collision resistance. Thanks to the first approach, related to truncated differentials, we computed a collision for the CubeHash-1/36 hash function, i.e. the variant in which 36 bytes of message are incorporated and one call to the permutation is applied per iteration. The second approach, already used by Dai, is much more efficient and based on a linearization of the scheme; it allowed us to compute a collision for the CubeHash-2/4 hash function. Finally, a theoretical collision attack against CubeHash-2/3, CubeHash-4/4 and CubeHash-4/3 is described. This is currently by far the best known cryptanalysis result on this SHA-3 candidate.
algorithmic number theory symposium | 2010
Eric Brier; Christophe Clavier
In this paper we study structures related to torsion of elliptic curves defined over number fields. The aim is to build families of elliptic curves that are more efficient for factoring numbers of special form, including numbers from the Cunningham Project. We exhibit a family of curves with rational ℤ/4ℤ×ℤ/4ℤ torsion and positive rank over the field ℚ(ζ_8) and a family of elliptic curves with rational ℤ/6ℤ×ℤ/3ℤ torsion and positive rank over the field ℚ(ζ_3). These families have been used in finding new prime factors for the numbers 2^972 + 1 and 2^1048 + 1. Along the way, we classify and give a parameterization of modular curves for some torsion subgroups.
international conference on the theory and application of cryptology and information security | 2010
Eric Brier; Thomas Peyrin
In this article, we study an interesting and very practical key management problem. A server shares a symmetric key with a client, whose memory is limited to R key registers. The client would like to send private messages, each time using a new key derived from the original shared secret and identified by a public string sent together with the message. The server can only perform N computations in order to retrieve the derived key corresponding to a given message. Finally, the algorithm must be forward-secure on the client side: even if the entire memory of the client has leaked, it should be impossible for an attacker to retrieve previously used communication keys. Given N and R, the total number T of keys the system can handle should be as large as possible.
international conference on information technology | 2017
Eric Brier; Rémi Géraud; David Naccache
The Naccache-Stern public-key cryptosystem (NS) relies on the conjectured hardness of the modular multiplicative knapsack problem: Given \(p,\{v_i\},\prod v_i^{m_i} \bmod p\), find the \(\{m_i\}\).