Riccardo Aragona

The group generated by the round functions of a GOST-like cipher

We define a cipher that is an extension of GOST, and study the permutation group generated by its round functions. We show that, under minimal assumptions on the components of the cipher, this group is the alternating group on the plaintext space. This we do by first showing that the group is primitive, and then applying the O’Nan-Scott classification of primitive groups.

A Real Life Project in Cryptography: Assessment of RSA Keys

We describe a project carried out by CryptoLabTN. In this project we provide a rigorous analysis of the RSA cryptographic keys employed in the Certification Authority (CA) to certify the keys exchange during some financial transactions. In particular, we consider the asymptotically fastest known factorization algorithm, that is, the General Number Field Sieve (GNFS). We estimate the computational effort required by an attacker to break the certification keys. Our estimate differs from a direct application of the asymptotic estimates,because in a real-life attack several factors have to be vetted.

Implementation and Improvement of the Partial Sum Attack on 6-Round AES

The Partial Sum Attack is one of the most powerful attacks, independent of the key schedule, developed in the last 15 years against reduced-round versions of AES. In this chapter, we introduce a slight improvement to the basic attack which lowers the number of chosen plaintexts needed to successfully mount it. Our version of the attack on 6-round AES can be carried out completely in practice, as we demonstrate providing a full implementation. We also detail the structure of our implementation, showing the performances we achieve.

On weak differential uniformity of vectorial Boolean functions as a cryptographic criterion

We study the relation between weakly differential uniformity and other security parameters for Boolean functions. In particular, we focus on both power functions and 4-bit S-Boxes.We study the relation among some security parameters for vectorial Boolean functions which prevent attacks on the related block cipher. We focus our study on a recently-introduced security criterion, called weak differential uniformity, which prevents the existence of an undetectable trapdoor based on imprimitive group action. We present some properties of functions with low weak differential uniformity, especially for the case of power functions and 4-bit S-Boxes.

A note on an infeasible linearization of some block ciphers

Abstract A block cipher can be easily broken if its encryption functions can be seen as linear maps on a small vector space. Even more so, if its round functions can be seen as linear maps on a small vector space. We show that this cannot happen for the AES. More precisely, we prove that if the AES round transformations can be embedded into a linear cipher acting on a vector space, then this space is huge-dimensional and so this embedding is infeasible in practice. We present two elementary proofs.

Primitivity of PRESENT and other lightweight ciphers

We provide two sufficient conditions to guarantee that the round functions of a translation-based cipher generate a primitive group. Furthermore, under the same hypotheses, and assuming that a round of the cipher is strongly proper and consists of m-bit S-Boxes, with m = 3, 4 or 5, we prove that such a group is the alternating group. As an immediate consequence, we deduce that the round functions of some lightweight translation-based ciphers, such as the PRESENT cipher, generate the alternating group.

Several proofs of security for a tokenization algorithm

In this paper we propose a tokenization algorithm of Reversible Hybrid type, as defined in PCI DSS guidelines for designing a tokenization solution, based on a block cipher with a secret key and (possibly public) additional input. We provide some formal proofs of security for it, which imply our algorithm satisfies the most significant security requirements described in PCI DSS tokenization guidelines. Finally, we give an instantiation with concrete cryptographic primitives and fixed length of the PAN, and we analyze its efficiency and security.

Some security bounds for the key sizes of DGHV scheme

The correctness in decrypting a ciphertext after some operations in the DGVH scheme depends heavily on the dimension of the secret key. In this paper we compute two bounds on the size of the secret key for the DGHV scheme to decrypt correctly a ciphertext after a fixed number of additions and a fixed number of multiplication. Moreover we improve the original bound on the dimension of the secret key for a general circuit.