Liam Keliher
Mount Allison University
Publication
Featured research published by Liam Keliher.
Theory and Application of Cryptographic Techniques | 2001
Liam Keliher; Henk Meijer; Stafford E. Tavares
We present a new algorithm for upper bounding the maximum average linear hull probability for SPNs, a value required to determine provable security against linear cryptanalysis. The best previous result (Hong et al. [9]) applies only when the linear transformation branch number (B) is M or (M + 1) (maximal case), where M is the number of s-boxes per round. In contrast, our upper bound can be computed for any value of B. Moreover, the new upper bound is a function of the number of rounds (other upper bounds known to the authors are not). When B = M, our upper bound is consistently superior to [9]. When B = (M + 1), our upper bound does not appear to improve on [9]. On application to Rijndael (128-bit block size, 10 rounds), we obtain the upper bound UB = 2^{-75}, corresponding to a lower bound on the data complexity of 8/UB = 2^{78} (for 96.7% success rate). Note that this does not demonstrate the existence of such an attack, but is, to our knowledge, the first such lower bound.
IET Information Security | 2007
Liam Keliher; Jiayuan Sui
The current standard approach to demonstrate provable security of a block cipher against differential and linear cryptanalysis is based on the maximum expected differential and linear probability (MEDP and MELP) over a sequence of core cipher rounds. Often information about these values for a small number of rounds leads to significant insights concerning the security of the cipher for larger numbers of rounds, including the full cipher. Recent results have tightened the bounds on the MEDP and MELP for the two-round Advanced Encryption Standard (AES), but no previous approach has determined them exactly. An algorithm that computes the exact MEDP and MELP for the two-round AES is presented, and the computational results of our algorithm are provided. In addition to resolving this outstanding question for the AES, these exact values also lead to improved upper bounds on the MEDP and MELP for four or more AES rounds.
Human Factors in Computing Systems | 2009
Daniel Vogel; Matthew Cudmore; Géry Casiez; Ravin Balakrishnan; Liam Keliher
We present results from an experiment examining the area occluded by the hand when using a tablet-sized direct pen input device. Our results show that the pen, hand, and forearm can occlude up to 47% of a 12 inch display. The shape of the occluded area varies between participants due to differences in pen grip rather than simply anatomical differences. For the most part, individuals adopt a consistent posture for long and short selection tasks. Overall, many occluded pixels are located higher relative to the pen than previously thought. From the experimental data, a five-parameter scalable circle and pivoting rectangle geometric model is presented which captures the general shape of the occluded area relative to the pen position. This model fits the experimental data much better than the simple bounding box model often used implicitly by designers. The space of fitted parameters also serves to quantify the shape of occlusion. Finally, an initial design for a predictive version of the model is discussed.
Selected Areas in Cryptography | 2001
Liam Keliher; Henk Meijer; Stafford E. Tavares
In [15], Keliher et al. present a new method for upper bounding the maximum average linear hull probability (MALHP) for SPNs, a value which is required to make claims about provable security against linear cryptanalysis. Application of this method to Rijndael (AES) yields an upper bound of UB = 2^{-75} when 7 or more rounds are approximated, corresponding to a lower bound on the data complexity of 32/UB = 2^{80} (for a 96.7% success rate). In the current paper, we improve this upper bound for Rijndael by taking into consideration the distribution of linear probability values for the (unique) Rijndael 8×8 s-box. Our new upper bound on the MALHP when 9 rounds are approximated is 2^{-92}, corresponding to a lower bound on the data complexity of 2^{97} (again for a 96.7% success rate). [This is after completing 43% of the computation; however, we believe that values have stabilized; see Section 7.]
AES'04 Proceedings of the 4th international conference on Advanced Encryption Standard | 2004
Liam Keliher
The best upper bounds on the maximum expected linear probability (MELP) and the maximum expected differential probability (MEDP) for the AES, due to Park et al. [23], are 1.075 × 2^{-106} and 1.144 × 2^{-111}, respectively, for T ≥ 4 rounds. These values are simply the 4th powers of the best upper bounds on the MELP and MEDP for T = 2 [3,23]. In our analysis we first derive nontrivial lower bounds on the 2-round MELP and MEDP, thereby trapping each value in a small interval; this demonstrates that the best 2-round upper bounds are quite good. We then prove that these same 2-round upper bounds are not tight, and therefore neither are the corresponding upper bounds for T ≥ 4. Finally, we show how a modified version of the KMT2 algorithm (or its dual, KMT2-DC), due to Keliher et al. (see [8]), can potentially improve any existing upper bound on the MELP (or MEDP) for any SPN. We use the modified version of KMT2 to improve the upper bound on the AES MELP to 1.778 × 2^{-107}, for T ≥ 8.
International Symposium on Computers and Communications | 2013
Liam Keliher; Anthony Z. Delaney
In 2009 and 2011, Toorani and Falahati introduced two variants of the classical Hill Cipher, together with protocols for the exchange of encrypted messages. The designers claim that the new systems overcome the weaknesses of the original Hill Cipher, and are resistant to any ciphertext-only, known-plaintext, chosen-plaintext, or chosen-ciphertext attack. However, we describe a chosen-plaintext attack that easily breaks both Toorani-Falahati Hill Ciphers, and we present computational results that confirm the effectiveness of our attack.
Selected Areas in Cryptography | 1999
Liam Keliher; Henk Meijer; Stafford E. Tavares
In this paper we present a model for the bias values associated with linear characteristics of substitution-permutation networks (SPNs). The first iteration of the model is based on our observation that for sufficiently large s-boxes, the best linear characteristic usually involves one active s-box per round. We obtain a result which allows us to compute an upper bound on the probability that linear cryptanalysis using such a characteristic is feasible, as a function of the number of rounds. We then generalize this result, upper bounding the probability that linear cryptanalysis is feasible when any linear characteristic may be used (no restriction on the number of active s-boxes). The work of this paper indicates that the basic SPN structure provides good security against linear cryptanalysis based on linear characteristics after a reasonably small number of rounds.
Archive | 2003
Liam Keliher; Henk Meijer; Stafford E. Tavares
A block cipher, which is an important cryptographic primitive, is a bijective mapping from {0,1}^N to {0,1}^N (N is called the block size), parameterized by a key. In the true random cipher, each key results in a distinct mapping, and every mapping is realized by some key; this is generally taken to be the ideal cipher model. This chapter considers a fundamental block cipher architecture called a substitution-permutation network (SPN). Specifically, expected linear probability (ELP) values for SPNs, which are the basis for a powerful attack called linear cryptanalysis, are investigated. It is shown that if the substitution components (s-boxes) of an SPN are randomly selected, then the expected value of any ELP entry converges to the corresponding value for the true random cipher, as the number of encryption rounds is increased. This gives quantitative support to the claim that the SPN structure is a practical approximation of the true random cipher.
Archive | 2009
Roberto Maria Avanzi; Liam Keliher; Francesco Sica
In this paper we propose a new publicly verifiable secret sharing scheme using pairings with close relations to Schoenmakers' scheme. This scheme is efficient, multiplicatively homomorphic and with unconditional verifiability in the standard model. We formalize the notion of Indistinguishability of Secrets and prove that our scheme achieves it under the Decisional Bilinear Square (DBS) Assumption, which is a natural variant of the Decisional Bilinear Diffie-Hellman Assumption. Moreover, our scheme tolerates active and adaptive adversaries.
Selected Areas in Cryptography | 2009
Roberto Maria Avanzi; Liam Keliher; Francesco Sica