Frédéric Muller
HSBC
Publication
Featured research published by Frédéric Muller.
fast software encryption | 2004
Frédéric Muller
In this paper, we analyze the security of the stream cipher Helix, recently proposed at FSE’03. Helix is a high-speed asynchronous stream cipher, with a built-in MAC functionality. We analyze the differential properties of its keystream generator and describe two new attacks.
cryptographic hardware and embedded systems | 2004
Hervé Ledig; Frédéric Muller; Frédéric Valette
Side Channel Attacks (SCA) have received huge interest in the last 5 years. These new methods consider non-cryptographic sources of information (like timing or power consumption) in addition to traditional techniques. Consequently block ciphers must now resist a variety of SCAs, among which is the class of "collision attacks". This recent technique combines side channel information with tools originally developed for block cipher or hash function cryptanalysis, such as differential cryptanalysis.
cryptographic hardware and embedded systems | 2006
Pierre-Alain Fouque; Sébastien Kunz-Jacques; Gwenaëlle Martinet; Frédéric Muller; Frédéric Valette
In this paper, we present a new attack on RSA when the public exponent is short, for instance 3 or 2^16 + 1, and when the classical exponent randomization is used. This attack works even if blinding is used on the messages. From a Simple Power Analysis (SPA) we study the problem of recovering the RSA private key when non-consecutive bits of it leak from the implementation. We also show that such information can be gained from sliding window implementations not protected against SPA.
applied cryptography and network security | 2005
Rémy Daudigny; Hervé Ledig; Frédéric Muller; Frédéric Valette
Side-Channel Analysis for Reverse Engineering (SCARE) is a new field of application for Side-Channel Attacks (SCA), that was recently introduced, following initial results on the GSM A3/A8 algorithm. The principle of SCARE is to use side-channel information (for instance, power consumption) as a tool to reverse-engineer some secret parts of a cryptographic implementation. SCARE has the advantage of being discreet and non-intrusive, so it appears to be a promising new direction of research. In this paper, we apply the concepts of SCARE in the case of the block cipher DES. We measure the power consumption of a software DES executed on a target smart card and propose new methods to exploit this information. We manage to retrieve many details about the underlying device, including some constants used by the algorithm (e.g. permutation tables for the round function and for the key scheduling), but also interesting implementation choices (e.g. registers where subkeys are loaded). Of course some information was already known in our case, but situations can be envisaged where the designer would like to keep it secret. An application of these methods is to reverse-engineer a proprietary algorithm, provided some information about its basic structure is known. Hence it illustrates the power of SCARE and demonstrates yet again the accuracy of Kerckhoffs' principle. In addition, a better understanding of a cryptographic implementation can be a first step to mount more sophisticated Side Channel Attacks.
international conference on the theory and application of cryptology and information security | 2005
Lars R. Knudsen; Frédéric Muller
At FSE 2005, Nandi et al. proposed a method to turn an n-bit compression function into a 2n-bit compression function. In the black-box model, the security of this double length hash proposal against collision attacks is proven, if no more than Ω(2^{2n/3}) oracle queries to the underlying n-bit function are made. We explore the security of this hash proposal regarding several classes of attacks. We describe a collision attack that matches the proven security bound and we show how to find preimages in time 2^n. For optimum security the complexities of finding collisions and preimages for a 2n-bit compression function should be respectively 2^n and 2^{2n}. We also show that if the output is truncated to s ≤ 2n bits, one can find collisions in time roughly 2^{s/3} and preimages in time roughly 2^{s/2}. These attacks illustrate some important weaknesses of the FSE 2005 proposal, while none of them actually contradicts the proof of security.
international conference on the theory and application of cryptology and information security | 2004
Frédéric Muller
MD2 is an early hash function developed by Ron Rivest for RSA Security, that produces message digests of 128 bits. In this paper, we show that MD2 does not reach the ideal security level of 2^128. We describe preimage attacks against the underlying compression function, the best of which has complexity of 2^73. As a result, the full MD2 hash can be attacked in preimage with complexity of 2^104.
international conference on the theory and application of cryptology and information security | 2006
Thomas Peyrin; Henri Gilbert; Frédéric Muller; Matthew J. B. Robshaw
The design of secure compression functions is of vital importance to hash function development. In this paper we consider the problem of combining smaller trusted compression functions to build a larger compression function. This work leads directly to impossibility results on a range of block cipher-based hash function constructions.
fast software encryption | 2006
Thomas Johansson; Willi Meier; Frédéric Muller
We present several attacks against the Achterbahn stream cipher, which was proposed to the eSTREAM competition. We can break the reduced and the full version with complexity of 2^55 and 2^61 steps. Extensions of our attacks are also described to break modified versions of the Achterbahn stream cipher, which were proposed following the publication of preliminary cryptanalysis results. These attacks highlight some problems in the design principle of Achterbahn, i.e., combining the outputs of several nonlinear (but small) shift registers using a nonlinear (but rather sparse) output function.
cryptographic hardware and embedded systems | 2004
Pierre-Alain Fouque; Frédéric Muller; Guillaume Poupard; Frédéric Valette
The recent development of side channel attacks has led implementers to use increasingly sophisticated countermeasures in critical operations such as modular exponentiation, or scalar multiplication on elliptic curves. A new class of countermeasures is based on inserting random decisions when choosing one representation of the secret scalar out of a large set of representations of the same value. For instance, this is the case of countermeasures proposed by Oswald and Aigner, or Ha and Moon, both based on randomized Binary Signed Digit (BSD) representations. Their advantage is to offer excellent speed performances. However, the first countermeasure and a simplified version of the second one were already broken using Markov chain analysis.
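The countermeasure family described in this abstract rests on one idea: a scalar has many binary signed-digit (BSD) representations, and picking one at random changes the sequence of doublings, additions and subtractions the device executes while leaving the result unchanged. The code below is an added illustration, not the paper's code and not the Oswald-Aigner or Ha-Moon recoding algorithms: it is a generic randomized recoding (each 1-digit is, by a coin flip, rewritten with the identity 2^i = 2^(i+1) - 2^i), plus the left-to-right double-and-add/subtract schedule each representation induces, which is what an SPA trace would show. The integer group used to execute the schedule is a stand-in for a curve group.

```python
import random


def randomized_bsd(k: int, rng: random.Random) -> list:
    """Return one random BSD representation of k >= 0 (least-significant
    digit first, digits in {-1, 0, 1}).

    Generic recoding for illustration only (assumption: not any published
    countermeasure). Each 1-digit is rewritten with probability 1/2 using
    2^i = 2^(i+1) - 2^i, carrying into higher positions as needed.
    """
    assert k >= 0
    digits = [(k >> i) & 1 for i in range(k.bit_length())] + [0]
    i = 0
    while i < len(digits):
        if digits[i] == 1 and rng.random() < 0.5:
            digits[i] = -1
            j = i + 1
            while True:                      # propagate the +2^(i+1) carry
                if j == len(digits):
                    digits.append(0)
                digits[j] += 1
                if digits[j] == 2:
                    digits[j] = 0
                    j += 1
                else:
                    break
        i += 1
    while len(digits) > 1 and digits[-1] == 0:   # drop leading zeros
        digits.pop()
    return digits


def bsd_value(digits) -> int:
    """Integer value of a signed-digit string (LSB first)."""
    return sum(d << i for i, d in enumerate(digits))


def bsd_op_trace(digits) -> str:
    """Left-to-right schedule for this representation: D = doubling,
    A = add the base point, S = subtract it. This is the operation sequence
    an implementation leaks if SPA can tell the three operations apart."""
    ops = []
    for d in reversed(digits):
        ops.append("D")
        if d == 1:
            ops.append("A")
        elif d == -1:
            ops.append("S")
    return "".join(ops[1:])   # the first doubling acts on the neutral element


def run_schedule(digits, base: int) -> int:
    """Execute the schedule in the additive group of integers (stand-in for a
    curve group). Whatever representation was drawn, the result is base * k."""
    q = 0
    for d in reversed(digits):
        q = q + q
        if d == 1:
            q += base
        elif d == -1:
            q -= base
    return q


def distinct_representations(k: int, samples: int, seed: int = 1) -> set:
    """Sample the recoding repeatedly and collect the distinct digit strings."""
    rng = random.Random(seed)
    return {tuple(randomized_bsd(k, rng)) for _ in range(samples)}


if __name__ == "__main__":
    rng = random.Random(2024)
    k = 0b1011   # constructed sample scalar (11)
    for _ in range(4):
        rep = randomized_bsd(k, rng)
        print(rep, bsd_value(rep), bsd_op_trace(rep), run_schedule(rep, 7))
    print(len(distinct_representations(k, 100)), "distinct representations seen")
```

Two runs with the same scalar print the same value and the same product but different operation traces; the Markov chain analysis mentioned in the abstract targets exactly the statistical structure of those traces across many runs, which this plain coin-flip recoding does nothing to hide.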
fast software encryption | 2006
Antoine Joux; Frédéric Muller
Self-Synchronizing Stream Ciphers (SSSC) are a particular class of symmetric encryption algorithms, such that the resynchronization is automatic in case of error during the transmission of the ciphertext. In this paper, we extend the scope of chosen-ciphertext attacks against SSSC. Previous work in this area includes the cryptanalysis of dedicated constructions, like KNOT, HBB or SSS. We go further to break the last standing dedicated design of SSSC, i.e. the ECRYPT proposal MOSQUITO. Our attack costs about 2^70 computation steps, while a 96-bit security level was expected. It also applies to ΓΥ (an ancestor of MOSQUITO); therefore the only remaining secure SSSC are block-cipher-based constructions.
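The defining property above, automatic resynchronization after a ciphertext error, and the "block-cipher-based" fallback the abstract ends on are both captured by byte-wise CFB: each keystream byte is a keyed function of the last BLOCK ciphertext bytes only. The example below is added here and is not code from the paper: it builds such an SSSC, corrupts and drops ciphertext bytes, and measures how many output bytes are affected before the receiver is back in sync, against a synchronous stream cipher that never recovers from a dropped byte. Assumptions: HMAC-SHA256 stands in for the block cipher (CFB only needs the encryption direction, so any keyed PRF works and the example runs on the standard library alone); the key, IV and message are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16  # number of past ciphertext bytes each keystream byte depends on


def keystream_byte(key: bytes, register: bytes) -> int:
    """F_K(last BLOCK ciphertext bytes) -> one keystream byte.
    Stand-in for the block cipher (assumption: HMAC-SHA256, truncated)."""
    return hmac.new(key, register, hashlib.sha256).digest()[0]


def sssc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Byte-wise CFB: c_i = p_i XOR F_K(c_{i-BLOCK} .. c_{i-1}); the IV fills
    the register before the first ciphertext byte exists."""
    assert len(iv) == BLOCK
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ keystream_byte(key, bytes(register))
        out.append(c)
        register = register[1:] + bytes([c])   # shift the ciphertext byte in
    return bytes(out)


def sssc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """The receiver's only state is the ciphertext it has seen, so a wrong or
    missing byte can disturb at most the next BLOCK keystream bytes."""
    assert len(iv) == BLOCK
    register = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        out.append(c ^ keystream_byte(key, bytes(register)))
        register = register[1:] + bytes([c])
    return bytes(out)


def synchronous_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Contrast: synchronous keystream F_K(iv, i) that ignores the ciphertext.
    Encryption and decryption are the same XOR."""
    return bytes(
        b ^ hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()[0]
        for i, b in enumerate(data)
    )


def first_resync(recovered: bytes, expected: bytes) -> int:
    """Smallest index i with recovered[i:] == expected[i:] (equal lengths)."""
    assert len(recovered) == len(expected)
    i = len(recovered)
    while i > 0 and recovered[i - 1] == expected[i - 1]:
        i -= 1
    return i


# Constructed sample values (not from the paper).
KEY = b"example-key-not-from-the-paper!!"
IV = bytes(range(BLOCK))
MSG = b"resync after errors " * 4          # 80 bytes


def flipped_byte_recovery(pos: int):
    """Flip one ciphertext bit in transit; return the receiver's output and the
    index from which it is correct again (guaranteed <= pos + BLOCK + 1)."""
    ct = bytearray(sssc_encrypt(KEY, IV, MSG))
    ct[pos] ^= 0x01
    rec = sssc_decrypt(KEY, IV, bytes(ct))
    return rec, first_resync(rec, MSG)


def dropped_byte_recovery(pos: int) -> int:
    """Drop one ciphertext byte; after the drop the output lines up with MSG
    shifted by one, and at most BLOCK bytes are lost before realignment."""
    ct = sssc_encrypt(KEY, IV, MSG)
    rec = sssc_decrypt(KEY, IV, ct[:pos] + ct[pos + 1:])
    return first_resync(rec[pos:], MSG[pos + 1:])


def dropped_byte_synchronous(pos: int) -> int:
    """Same drop against the synchronous cipher: count of wrong bytes after it."""
    ct = synchronous_xor(KEY, IV, MSG)
    rec = synchronous_xor(KEY, IV, ct[:pos] + ct[pos + 1:])
    return sum(a != b for a, b in zip(rec[pos:], MSG[pos + 1:]))


if __name__ == "__main__":
    rec, i = flipped_byte_recovery(20)
    print("bit flip at 20: correct again from index", i)
    print("byte drop at 20: SSSC realigned after", dropped_byte_recovery(20), "bytes")
    print("byte drop at 20: synchronous cipher wrong bytes:", dropped_byte_synchronous(20))
```

The same structure explains why chosen-ciphertext attacks are the natural threat model for SSSC: the receiver evaluates F_K on whatever BLOCK ciphertext bytes it is handed, so an attacker who controls the ciphertext and sees the decryption queries F_K on inputs of its choosing, which is the setting in which the dedicated designs named in the abstract were analysed.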