Khoongming Khoo
DSO National Laboratories
Publication
Featured research published by Khoongming Khoo.
Journal of Cryptology | 2011
Axel Poschmann; Amir Moradi; Khoongming Khoo; Chu Wee Lim; Huaxiong Wang; San Ling
A provably secure countermeasure against first order side-channel attacks was proposed by Nikova et al. (P. Ning, S. Qing, N. Li (eds.) International conference in information and communications security. Lecture notes in computer science, vol. 4307, pp. 529–545, Springer, Berlin, 2006). We have implemented the lightweight block cipher PRESENT using the proposed countermeasure. For this purpose we had to decompose the S-box used in PRESENT and split it into three shares that fulfill the properties of the scheme presented by Nikova et al. (P. Lee, J. Cheon (eds.) International conference in information security and cryptology. Lecture notes in computer science, vol. 5461, pp. 218–234, Springer, Berlin, 2008). Our experimental results on real-world power traces show that this countermeasure provides additional security. Post-synthesis figures for an ASIC implementation require only 2,300 GE, which makes this implementation suitable for low-cost passive RFID-tags.
Designs, Codes and Cryptography | 2006
Khoongming Khoo; Guang Gong; Douglas R. Stinson
We present a new characterization of semi-bent and bent quadratic functions on finite fields. First, we determine when a GF(2)-linear combination of Gold functions \(\mathrm{Tr}(x^{2^i+1})\) is semi-bent over \(\mathrm{GF}(2^n)\), \(n\) odd, by a polynomial GCD computation. By analyzing this GCD condition, we provide simpler characterizations of semi-bent functions. For example, we deduce that all linear combinations of Gold functions give rise to semi-bent functions over \(\mathrm{GF}(2^p)\) when \(p\) belongs to a certain class of primes. Second, we generalize our results to fields \(\mathrm{GF}(p^n)\) where \(p\) is an odd prime and \(n\) is odd. In that case, we can determine whether a GF(p)-linear combination of Gold functions \(\mathrm{Tr}(x^{p^i+1})\) is (generalized) semi-bent or bent by a polynomial GCD computation. Similar to the binary case, simple characterizations of these p-ary semi-bent and bent functions are provided.
Cryptology and Network Security | 2011
Huihui Yap; Khoongming Khoo; Axel Poschmann; Matthew Henricksen
In this paper, we present EPCBC, a lightweight cipher that has 96-bit key size and 48-bit/96-bit block size. This is suitable for Electronic Product Code (EPC) encryption, which uses low-cost passive RFID-tags and exactly 96 bits as a unique identifier on the item level. EPCBC is based on a generalized PRESENT with block size 48 and 96 bits for the main cipher structure and customized key schedule design which provides strong protection against related-key differential attacks, a recent class of powerful attacks on AES. Related-key attacks are especially relevant when a block cipher is used as a hash function. In the course of proving the security of EPCBC, we could leverage on the extensive security analyses of PRESENT, but we also obtain new results on the differential and linear cryptanalysis bounds for the generalized PRESENT when the block size is less than 64 bits, and much tighter bounds otherwise. Further, we analyze the resistance of EPCBC against integral cryptanalysis, statistical saturation attack, slide attack, algebraic attack and the latest higher-order differential cryptanalysis from FSE 2011 [11]. Our proposed cipher would be the most efficient at EPC encryption, since for other ciphers such as AES and PRESENT, it is necessary to encrypt 128-bit blocks (which results in a 33% overhead being incurred). The efficiency of our proposal therefore leads to huge market implications. Another contribution is an optimized implementation of PRESENT that is smaller and faster than previously published results.
International Symposium on Information Theory | 2002
Khoongming Khoo; Guang Gong; Douglas R. Stinson
Families of sequences with low cross correlation have important applications in CDMA communications and cryptography. One class of such sequences are those which have period \(2^n-1\) and cross correlation values \(-1,\ -1 \pm 2^{(n+1)/2}\) with the m-sequence represented by \(\mathrm{Tr}(x)\) when \(n\) is odd. These sequences are called Gold-like sequences and they are well studied in the literature. In this paper, we generalise their concept and consider sequences over \(\mathrm{GF}(2^n)\), \(n\) odd. Using techniques from linear algebra and coding theory, we can efficiently determine if the sequence is Gold-like by a polynomial gcd computation. Using the tools developed, we prove that the sequence is Gold-like for all choices of coefficients if and only if \(n\) is a prime of a certain form.
Australasian Conference on Information Security and Privacy | 2009
Jiali Choy; Guanhan Chew; Khoongming Khoo; Huihui Yap
In this paper, we study GF-NLFSR, a Generalized Unbalanced Feistel Network (GUFN) which can be considered as an extension of the outer function FO of the KASUMI block cipher. We prove upper bounds for the differential and linear hull probabilities for any \(n+1\) rounds of an \(n\)-cell GF-NLFSR. Besides analyzing security against differential and linear cryptanalysis, we provide a frequency distribution for upper bounds on the true differential and linear hull probabilities. We also demonstrate a \((2n-1)\)-round impossible differential distinguisher and a \((3n-1)\)-round integral attack distinguisher on the \(n\)-cell GF-NLFSR. As an application, we design a new block cipher Four-Cell based on a 4-cell GF-NLFSR. We prove the security of Four-Cell against differential, linear, and boomerang attack. Based on the 7-round impossible differential and 11-round integral attack distinguisher, we set the number of rounds of Four-Cell to be 25 for protection against these attacks. Furthermore, Four-Cell can be shown to be secure against other attacks such as higher order differential attack, cube attack, interpolation attack, XSL attack and slide attack.
Selected Areas in Cryptography | 2003
Guang Gong; Khoongming Khoo
In this paper, we introduce a new notion called the dual function for studying Boolean functions. First, we discuss general properties of the dual function that are related to resiliency and additive autocorrelation. Second, we look at preferred functions which are Boolean functions with the lowest 3-valued spectrum. We prove that if a balanced preferred function has a dual function which is also preferred, then it is resilient, has high nonlinearity and optimal additive autocorrelation. We demonstrate four such constructions of optimal Boolean functions using the Kasami, Dillon-Dobbertin, Segre hyperoval and Welch-Gong Transformation functions. Third, we compute the additive autocorrelation of some known resilient preferred functions in the literature by using the dual function. We conclude that our construction yields highly nonlinear resilient functions with better additive autocorrelation than the Maiorana-McFarland functions. We also analysed the saturated functions, which are resilient functions with optimized algebraic degree and nonlinearity. We show that their additive autocorrelation has high peak values, and they become linear when we fix very few bits. These potential weaknesses have to be considered before we deploy them in applications.
Cryptographic Hardware and Embedded Systems | 2014
Khoongming Khoo; Thomas Peyrin; Axel Poschmann; Huihui Yap
In this article, we propose a new comparison metric, the figure of adversarial merit (FOAM), which combines the inherent security provided by cryptographic structures and components with their implementation properties. To the best of our knowledge, this is the first such metric proposed to ensure a fairer comparison of cryptographic designs. We then apply this new metric to meaningful use cases by studying Substitution-Permutation Network permutations that are suited for hardware implementations, and we provide new results on hardware-friendly cryptographic building blocks. For practical reasons, we considered linear and differential attacks and we restricted ourselves to fully serial and round-based implementations. We explore several design strategies, from the geometry of the internal state to the size of the S-box, the field size of the diffusion layer or even the irreducible polynomial defining the finite field. We finally test all possible strategies to provide designers an exhaustive approach in building hardware-friendly cryptographic primitives according to area or FOAM metrics, also introducing a model for predicting the hardware performance of round-based or serial-based implementations. In particular, we exhibit new diffusion matrices (circulant or serial) that are surprisingly more efficient than the current best known, such as the ones used in AES, LED and PHOTON.
Fast Software Encryption | 2007
Chu-Wee Lim; Khoongming Khoo
Currently, the only plausible attack on the Advanced Encryption System (AES) is the XSL attack over \(\mathbb{F}_{256}\) through the Big Encryption System (BES) embedding. In this paper, we give an analysis of the XSL attack when applied to BES and conclude that the complexity estimate is too optimistic. For example, the complexity of XSL on BES-128 should be at least \(2^{401}\) instead of the value of \(2^{87}\) from current literature. Our analysis applies to the eprint version of the XSL attack, which is different from the compact XSL attack studied by Cid and Leurent at Asiacrypt 2005. Moreover, we study the attack on the BES embedding of AES, while Cid and Leurent study the attack on AES itself. Thus our analysis can be considered as a parallel work, which together with Cid and Leurent's study, disproves the effectiveness of both versions of the XSL attack against AES.
Fast Software Encryption | 2015
Siang Meng Sim; Khoongming Khoo; Frédérique E. Oggier; Thomas Peyrin
In this article, we provide new methods to look for lightweight MDS matrices, and in particular involutory ones. By proving many new properties and equivalence classes for various MDS matrix constructions such as circulant, Hadamard, Cauchy and Hadamard-Cauchy, we exhibit new search algorithms that greatly reduce the search space and make lightweight MDS matrices of rather high dimension possible to find. We also explain why the choice of the irreducible polynomial might have a significant impact on the lightweightness, and contrary to the classical belief, we show that the Hamming weight has no direct impact. Even though we focused our studies on involutory MDS matrices, we also obtained results for non-involutory MDS matrices. Overall, using Hadamard or Hadamard-Cauchy constructions, we provide the (involutory or non-involutory) MDS matrices with the least possible XOR gates for the classical dimensions \(4 \times 4\), \(8 \times 8\), \(16 \times 16\) and \(32 \times 32\) in \(\mathrm {GF}(2^4)\) and \(\mathrm {GF}(2^8)\). Compared to the best known matrices, some of our new candidates save up to 50 % on the amount of XOR gates required for a hardware implementation. Finally, our work indicates that involutory MDS matrices are really interesting building blocks for designers as they can be implemented with almost the same number of XOR gates as non-involutory MDS matrices, the latter being usually non-lightweight when the inverse matrix is required.
Australasian Conference on Information Security and Privacy | 2003
Khoongming Khoo; Guang Gong
We explore three applications of geometric sequences in constructing cryptographic Boolean functions. First, we construct 1-resilient functions of \(n\) Boolean variables with nonlinearity \(2^{n-1}-2^{(n-1)/2}\), \(n\) odd. The Hadamard transform of these functions is 3-valued, which limits the efficiency of certain stream cipher attacks. From the case for \(n\) odd, we construct highly nonlinear 1-resilient functions which disprove a conjecture of Pasalic and Johansson for \(n\) even. Our constructions do not have a potential weakness shared by resilient functions which are formed from concatenation of linear functions. Second, we give a new construction for balanced Boolean functions with high nonlinearity, exceeding \(2^{n-1}-2^{(n-1)/2}\), which is not based on the direct sum construction. Moreover, these functions have high algebraic degree and large linear span. Third, we construct balanced vectorial Boolean functions with nonlinearity \(2^{n-1}-2^{(n-1)/2}\) and low maximum correlation. They can be used as nonlinear combiners for stream cipher systems with high throughput.