Christina BOURA
Academic status
Thesis defended on 2012-12-07
Subject: Security and cryptanalysis of the hash functions submitted to the SHA-3 competition
Thesis supervision:
Blue ellipse: doctoral student, yellow ellipse: doctor, green rectangle: permanent staff, yellow rectangle: HDR. Green line: thesis advisor, blue line: thesis director, dotted line: mid-term evaluation committee or thesis committee.
Scientific output
Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256
The zero-sum distinguishers introduced by Aumasson and Meier are investigated. First, the minimal size of a zero-sum is established. Then, we analyze the impacts of the linear and the nonlinear layers in an iterated permutation on the construction of zero-sum partitions. Finally, these techniques are applied to the Keccak-f permutation and to Hamsi-256. We exhibit several zero-sum partitions for 20 rounds (out of 24) of Keccak-f and some zero-sum partitions of size 2^{19} and 2^{10} for the finalization permutation in Hamsi-256.
Lecture Notes in Computer Science. Selected Areas in Cryptography - 17th International Workshop, SAC 2010. Conference proceeding, 2010.
A zero-sum property for the KECCAK-f permutation with 18 rounds
A new type of distinguishing property, named the zero-sum property has been recently presented by Aumasson and Meier. It has been applied to the inner permutation of the hash function Keccak and it has led to a distinguishing property for the Keccak-f permutation up to 16 rounds, out of 24 in total. Here, we additionally exploit some spectral properties of the Keccak-f permutation and we improve the previously known upper bounds on the degree of the inverse permutation after a certain number of rounds. This result enables us to extend the zero-sum property to 18 rounds of the Keccak-f permutation, which was the number of rounds in the previous version of Keccak submitted to the SHA-3 competition.
IEEE International Symposium on Information Theory, ISIT 2010. Conference proceeding, 2010.
Higher-order differential properties of Keccak and Luffa
In this paper, we identify higher-order differential and zero-sum properties in the full Keccak-f permutation, in the Luffa v1 hash function and in components of the Luffa v2 algorithm. These structural properties rely on a new bound on the degree of iterated permutations with a nonlinear layer composed of parallel applications of a number of balanced Sboxes. These techniques yield zero-sum partitions of size 2^{1575} for the full Keccak-f permutation and several observations on the Luffa hash family. We first show that Luffa v1 applied to one-block messages is a function of 255 variables with degree at most 251. This observation leads to the construction of a higher-order differential distinguisher for the full Luffa v1 hash function, similar to the one presented by Watanabe et al. on a reduced version. We show that similar techniques can be used to find all-zero higher-order differentials in the Luffa v2 compression function, but the additional blank round destroys this property in the hash function.
Lecture Notes in Computer Science. Fast Software Encryption - 18th International Workshop, FSE 2011. Conference proceeding, 2011.
On the Influence of the Algebraic Degree of F^{-1} on the Algebraic Degree of G\circ F
We present a study on the algebraic degree of iterated permutations seen as multivariate polynomials. The main result shows that this degree depends on the algebraic degree of the inverse of the permutation which is iterated. This result is also extended to non-injective balanced vectorial functions where the relevant quantity is the minimal degree of the inverse of a permutation expanding the function. This property has consequences in symmetric cryptography since several attacks or distinguishers exploit a low algebraic degree, like higher-order differential attacks, cube attacks and cube testers, or algebraic attacks. Here, we present some applications of this improved bound to a higher-degree variant of the block cipher KN, to the block cipher Rijndael-256 and to the inner permutations of the hash functions ECHO and JH.
IEEE Transactions on Information Theory. Article in peer-reviewed journal, 2012-09-14.
Side-channel Analysis of Grøstl and Skein
In this work, a detailed study of two finalists of the SHA-3 competition from the side-channel analysis point of view is provided. For both functions when used as a MAC, this paper presents detected strategies for performing a power analysis. Besides the classical HMAC mode, two additionally proposed constructions, the envelope MAC for Grøstl and the Skein-MAC for Skein are analyzed. Consequently, examples of software countermeasures thwarting first-order DPA or CPA are given. For the validation of our choices, HMAC-Grøstl, HMAC-Skein as well as the countermeasures were implemented on a 32-bit ARM-based smart card, and power analysis attacks were mounted in practice on both unprotected and protected implementations. Finally, the performance difference between both versions is discussed.
IEEE Symposium on Security and Privacy Workshops (SPW), 2012. Conference proceeding, 2012.
Thesis: Analyse de Fonctions de Hachage Cryptographiques (Analysis of Cryptographic Hash Functions)
Defense: 2012-12-07
Reviewers: Pierre-Alain FOUQUE, Henri GILBERT