Jean-Jacques Quisquater

Robust Object Watermarking: Application to Code

In this paper, we focus on a step of the watermarking process whose importance has been disregarded so far. In this perspective, we introduce the vector extraction paradigm which is the transformation between digital data and an abstract vector representation of these data. As an application, we propose a new, robust technique in order to insert watermarks in executable code.

A Time-Memory Tradeoff Using Distinguished Points: New Analysis & FPGA Results

In 1980, Martin Hellman [1] introduced the concept of cryptanalytic time-memory tradeoffs, which allows the cryptanalysis of any N key symmetric cryptosystem in O(N2/3) operations with O(N2/3) storage, provided a precomputation of O(N) is performed beforehand. This procedure is well known but did not lead to realistic implementations. This paper considers a cryptanalytic time-memory tradeoff using distinguished points, a method referenced to Rivest [2]. The algorithm proposed decreases the expected number of memory accesses with sensible modifications of the other parameters and allows much more realistic implementations of fast key search machines.We present a detailed analysis of the algorithm and solve theoretical open problems of previous models. We also propose efficient mask functions in terms of hardware cost and probability of success. These results were experimentally confirmed and we used a purpose-built FPGA design to perform realistic tradeoffs against DES. The resulting online attack is feasible on a single PC and we recover a 40-bit key in about 10 seconds.

Timestamps: main issues on their use and implementation

This paper discusses some of the issues that appear on the creation and use of secure digital timestamps. From the timestamp creation side, it first introduces a review of the existing systems, giving a recommendation for the one we believe is more suitable for the general use. Afterwards, it deals with an extension of the basic scheme in order to be used in the enterprise environments. Finally, it discusses the general scalability problem, analyzing an existing system and proposing a more adequate solution. From the timestamp use side, it discusses one of the possible misuses and it proposes a solution to secure it.

Observability Analysis - Detecting When Improved Cryptosystems Fail

In this paper we show that, paradoxically, what looks like a universal improvement or a straight-forward improvement which enables better security and better reliability on a theoretical level, may in fact, within certain operational contexts, introduce new exposures and attacks, resulting in a weaker operational cryptosystem. We demonstrate a number of such dangerous improvements. This implies that careful considerations should be given to the fact that an implemented cryptosystem exists within certain operational environments (which may enable certain types of tampering and other observed information channels via faults, side-channel attacks or behavior of system operators). We use our case studies to draw conclusions about certain investigations required in studying implementations and suggested improvements of cryptosystems; looking at them in the context of their operating environments (combined with their potential adversarial settings). We call these investigations observability analysis.

Analysis of the Gallant-Lambert-Vanstone Method Based on Efficient Endomorphisms: Elliptic and Hyperelliptic Curves

In this work we analyse the GLV method of Gallant, Lambert and Vanstone (CRYPTO 2001) which uses a fast endomorphism ? with minimal polynomial X2 +rX +s to compute any multiple kP of a point P of order n lying on an elliptic curve.First we fill in a gap in the proof of the bound of the kernel ? vectors of the reduction map f : (i, j) ? i+?j (mod n). In particular, we prove the GLV decomposition with explicit constant kP = k1P + k2?(P), with max{|k1|, |k2|} ? ?1 +|r| + s?n.Next we improve on this bound and give the best constant in the given examples for the quantity supk, n max{|k1|, |k2|}/?n. Independently Park, Jeong, Kim, and Lim (PKC 2002) have given similar but slightly weaker bounds.Finally we provide the first explicit bounds for the GLV method generalised to hyperelliptic curves as described in Park, Jeong and Lim (EUROCRYPT 2002).

Preventing Differential Analysis in GLV Elliptic Curve Scalar Multiplication

In [2], Gallant, Lambert and Vanstone proposed a very efficient algorithmto compute Q = kP on elliptic curves having non-trivial efficiently computable endomorphisms. Cryptographic protocols are sensitive to implementations, indeed as shown in [6,7] information about the secret can be revealed analysing external leakage of the support, typically a smart card. Several software countermeasures have been proposed to protect the secret. However, speed computation is needed for practical use. In this paper, we propose a method to protect scalar multiplication on elliptic curves against Differential Analysis, that benefits fromthe speed of the Gallant, Lambert and Vanstone method. It can be viewed as a two-dimensional analogue of Corons method [1] of randomising the exponent k. We propose two variants of this method (one linear and one affine), the second one slightly more effective, whereas the first one offers two in one, combining point-blinding and exponent randomisation, which have hitherto been dealt separately. For instance, for at most a mere 37.5% (resp. 25%) computation speed loss on elliptic curves over fields with 160 (resp. 240) bits the computation of kP can take on 240 different consumption patterns.

A Cryptanalytic Time-Memory Tradeoff: First FPGA Implementation

A cryptanalytic time-memory tradeoff allows the cryptanalysis of any N key symmetric cryptosystem in O(N2/3) operations with O(N2/3) storage, if a precomputation of O(N) operations has been done in advance. This procedure is well known but did not lead to any realistic implementations. In this paper, the experimental results for the cryptanalysis of DES that are presented are based on a time-memory tradeoff using distinguished points, a method which is referenced to Rivest [2]. For this task, a fast hardware implementation of DES was designed using FPGA technology. The target is a 40-bit DES which is obtained from DES by fixing 16 key bits to arbitrary values. The precomputation task is performed with a purpose-built FPGA design, whereas the search algorithm corresponding to the online attack is reported to be feasible on any PC within about 10 seconds, with a success rate of 72%. The cost of an expansion to 56-bit DES is evaluated.

An FPGA Implementation of the Linear Cryptanalysis

Thispa per dealsw ith cryptographic concepts. It presents a hardware FPGA implementation of linear cryptanalysis of DES1. Linear cryptanalysis is the best attack known able to break DES faster than exhaustive search. Matsuis original attack [4, 5] could not be applied as such, and we had to implement a modified attack [1] to face hardware constraints. The resulting attack is less efficient than Matsuis attack, but fitsi n our hardware and breaksa DES key in 12-15 hourso n one single FPGA, therefore becoming the first practical implementation to our knowledge. As a comparison, the fastest implementation known so far used the idle time of 18 Intel Pentium III MMX, and broke a DES key in 4.32 days.Our fast implementation made it possible for us to perform practical tests, allowing a comparison with theoretical estimations.

Deriving a role-based access control model from the OBBAC model

The object-based access control model (OBBAC), a conceptual access control model, has been proposed to deal with the high-level specification of a security policy in an object-oriented environment. This model is based on the notion of security labels which, however, are associated to operations rather than to objects as in the classic label-based access control models. It was used to specify the security policy of a distance learning system. The key issue that has arisen from the OBBAC model is the handling of security labels during the application development. The goal of the paper is to prove that there exists a mapping from an OBBAC model to a role-based access control model (RBAC) which can be used to specify the system security policy.

A New Parallelism Management Scheme for Multiprocessor Systems

Current multimedia and signal processing applications become more complex. This paper proposes a new parallelism management scheme that can explicitly deal with complex and general parallelism patterns. The parallelism description is based on a task flow graph representation interlaced with control commands. A graph management algorithm is proposed to extract eligible tasks and implement synchronization operations. We show that this management outperforms classical parallelism extraction in case of complex applications. Moreover, the parallelism description can be directly inserted in sequential programs without deep code modifications.