Jean-Jacques Quisquater - Profile on Academia.edu
Papers by Jean-jacques Quisquater
International Workshop in Information Security, Theory and Practice: Smart Devices, Pervasive Systems, and Ubiquitous Networks
Blockchain: the machine for creating trust, and a lot of hope
SEA is a scalable encryption algorithm targeted for small embedded applications. It was initially designed for software implementations in controllers, smart cards or processors. In this paper, we investigate its hardware performances in a 0.13 µm CMOS technology. For these purposes, different designs are detailed. First, a single clock cycle per round loop architecture is implemented. Beyond its low cost performances, a significant advantage of the proposed encryption core is its full flexibility for any parameter of the scalable encryption algorithm, taking advantage of generic VHDL coding. Second, a more realistic design with a reduced datapath combined with a serial communication interface is described in order to put forward the low-power opportunities of SEA. Finally, a minimum datapath is presented and its applicability to RFID encryption is discussed. Additionally to these results, performance comparisons with the AES Rijndael are proposed. They illustrate the inte...
Hash functions are widely used in cryptography. Recent breakthroughs against the standard SHA-1 prompted NIST to launch a competition for a new secure hash algorithm. Provably secure hash functions, that is functions whose security reduces to a simply-stated, supposedly hard mathematical problem, are widely believed to be much too slow for the NIST competition. In this paper, we discuss Cayley hashes, a class of efficient and provably secure hash functions constructed from the Cayley graphs of (projective) linear groups. We review two existing constructions, the ZT and LPS hash functions, and put a new one forward, the Morgenstern hash function. We show that Cayley hashes are "provable" and efficient: on one hand, their security reduces to a representation problem in (projective) linear groups; on the other hand, they are only 5 times slower than SHA-2 in FPGA hardware, and about 400 times slower in software (in our future implementations, many optimizations currently under investigation are expected to decrease these gaps even more). Last but not least, Cayley hash computation can be easily parallelized. We believe their nice properties as well as their elegant design make Cayley hashes very interesting hash functions.
Lecture Notes in Computer Science, 2001
This paper specializes the signature forgery by Coron, Naccache and Stern (1999) to Rabin-type systems. We present a variation in which the adversary may derive the private keys and thereby forge the signature on any chosen message. Further, we demonstrate that, contrary to the RSA, the use of larger (even) public exponents does not reduce the complexity of the forgery. Finally, we show that our technique is very general and applies to any Rabin-type system designed in a unique factorization domain, including the Williams' M3 scheme (1986), the cubic schemes of Loxton et al. (1992) and of Scheidler (1998), and the cyclotomic schemes (1995).
Intrusion-resilient signatures are key-evolving protocols that extend the concepts of forward-secure and key-insulated signatures. As in the latter schemes, time is divided into distinct periods where private keys are periodically updated while public keys remain fixed. Private keys are stored in both a user and a base; signature operations are performed by the user while the base is involved in periodic updates. Such a system remains secure after arbitrarily many compromises of both modules as long as break-ins are not simultaneous. Besides, when they simultaneously occur within some time period, past periods remain safe. In this work, we propose the first intrusion-resilient signature in the standard model (i.e. without random oracles) which provides both short signatures and at most log-squared private storage in the number of time periods.
Many searching problems allow time-memory tradeoffs. That is, if there are K possible solutions to search over, the time-memory tradeoff allows the solution to be found with high probability, in T operations (time) with M words of memory, provided the time-memory product T × M is larger than K. Cryptanalytic attacks based on exhaustive key search are the typical context where time-memory tradeoffs are applicable. Due to large key sizes, exhaustive key search usually needs unrealistic computing powers and corresponds to a situation where T = K and M = 1. However, if the same attack has to be carried out numerous times, it may be possible to execute the exhaustive search in advance and store all the results in a memory. Once this precomputation is done, the attack could be performed almost instantaneously, although in practice, the method is not realistic because of the huge amount of memory needed: T = 1, M = K. The aim of a time-memory tradeoff is to mount an attack that has a lowe...
Efficiency and pseudo-randomness of a variant of Zémor-Tillich hash function
For the last ten years, security of integrated circuits has attracted a greater attention from the cryptographic community. Several sources of information leakage within the circuits have been emphasized. Power consumption based attacks have been mounted successfully against various types of circuits like ASIC, smartcards or FPGA. To counter them, specific high level solutions were developed, but none of them achieved a total prevention of such attacks. Circuit and transistor level solutions have also been developed with better results. We present here an interesting alternative to those solutions, using Dynamic Current Mode Logic. This type of logic style gives the same security margins as the other proposed alternatives to CMOS, with better performances in terms of power, delay, complexity of implemented functions and the possibility of an asynchronous mode of the signal propagation.
Since their publication in 1998, power analysis attacks have attracted significant attention within the cryptographic community. So far, they have been successfully applied to different kinds of implementations (e.g. smart cards, ASICs, FPGAs) of cryptographic algorithms. To protect such devices against power analysis attacks, it has been proposed to use a dynamic and differential logic style for which the power consumption does not depend on the data handled. In this paper, we suggest to use the Dynamic Current Mode Logic to counteract power analysis. The resulting circuits exhibit similar resistance to the previously published proposals but significantly reduce the power delay product. We also demonstrate that certain criteria previously used to evaluate the resistance against power analysis have no cryptographic relevance.
This report summarizes readings in the area of the cryptanalysis of block ciphers. Historically, the academic field started in 1981 with the first CRYPTO conference and observations on some undesirable properties of the DES. Practically, most cryptanalytic techniques were developed in the 1990s. A number of them are variants of two decisive progresses in the field. Differential cryptanalysis was found by Biham and Shamir and presented at CRYPTO 90. Linear cryptanalysis was developed by Matsui and presented at EUROCRYPT 93. From these times plenty of papers tried to take advantage of these techniques in different attempts to break public ciphers and some of these papers introduced original improvements. These two techniques also led to the development of criteria for security evaluation of block ciphers. Recently designed block ciphers like the Advanced Encryption Standard Rijndael have been based on the idea of provable security against these two attacks and their improvements. Th...
Boneh, Ding, Tsudik and Wong recently proposed a way for obtaining fast revocation of RSA keys. Their method consists in using security mediators that keep a piece of each user's private key in such a way that every decryption or signature operation requires the help of the mediator for the user. Revocation is achieved by instructing the mediator to stop helping the user to sign or decrypt messages. This security architecture, called SEM, gave rise to an identity based mediated RSA scheme (IB-mRSA) that combines the advantages of fast revocation and identity based public keys. We show that, in opposition to what was stated in [9], this revocation method can be applied to several existing public key encryption and signature schemes (all those for which a secure practical threshold adaptation exists) including the Boneh-Franklin identity based encryption scheme and a pairing based digital signature scheme. We first describe a threshold adaptation of the Boneh-Franklin identity based encryption scheme and, then, we compare the mediated versions of these schemes with IB-mRSA from security and efficiency points of view.
We present a new hash-function, which provides 2n-bit hash-results, using any n-bit symmetric block cipher algorithm. This hash-function can be considered as an extension of an already known one, which only provided n-bit hash-results. The difference is crucial, because a lot of symmetric block cipher algorithms use 64-bit blocks and recent works have shown that a 64-bit hash-result is greatly insufficient.
Journal of Computer Security
The A-GDH.2 and SA-GDH.2 authenticated group key agreement protocols were shown to be flawed in 2001. Even though the corresponding attacks (or some variants of them) have been rediscovered in several different frameworks, no fixed version of these protocols has been proposed until now. In this paper, we prove that it is in fact impossible to design a scalable authenticated group key agreement protocol based on the same design assumptions as the A-GDH ones. We proceed by providing a systematic way to derive an attack against any A-GDH-type protocol with at least four participants and exhibit protocols with two and three participants which we cannot break using our technique. As far as we know, this is the first generic insecurity result reported in the literature concerning authentication protocols.
This paper shows a surprising similarity between the construction of, respectively, impossible differentials and square distinguishers. This observation is illustrated by comparing two attacks on IDEA (Biham & al., FSE'99 (2), Nakahara & al., 2001 (7)). Using this similarity, we also derive a 16-round square distinguisher on Skipjack, directly based on the impossible differential attack presented in
In this paper we describe an integral distinguisher over 2 rounds of Safer++. It allows a practical attack against 3 rounds of Safer++128, as well as attacks on 4 rounds of Safer++128 and Safer++256, under the chosen-plaintext hypothesis. These results achieve much lower complexity than the currently known best attacks on Safer++, namely weak-key linear cryptanalysis by Nakahara (8). As a
In this paper we describe an integral distinguisher over 2 rounds of Safer++. It allows a practical attack against 3 rounds of Safer++128, as well as attacks on 4 rounds of Safer++128 and Safer++256 (without the last key addition layer), under the chosen-plaintext hypothesis. These results achieve much lower complexity than the currently known best attacks on Safer++, namely
Authentication of sequences with the SL2 hash function: application to video sequences
Journal of Computer Security, 1997
Impossible differential and square attacks: Cryptanalytic link and application to Skipjack
This paper shows a surprising similarity between the construction of, respectively, impossible differentials and square distinguishers. This observation is illustrated by comparing two attacks on IDEA (Biham & al., FSE'99 (2), Nakahara & al., 2001 (7)). Using this similarity, we also derive a 16-round square distinguisher on Skipjack, directly based on the impossible differential attack presented in