Renaud DUBOIS - Academia.edu
Papers by Renaud DUBOIS
A method for identifying the protocol at the origin of a packet flow includes the following steps: capturing (102) a flow of the protocol to be identified; and statistically classifying the flow, which comprises extracting classification parameters and comparing them with statistical models built during a learning phase. The statistical classification includes: a first, global statistical classification stage (108), comprising a step (114) of extracting global classification parameters computed by applying statistical formulas to part or all of the flow, and a step (114) of processing the global classification parameters against a statistical model built during a learning phase; and a second, sequential classification stage (110), comprising a step (116) of extracting sequential classification parameters representative of the temporal sequence of packets constituting the flow, and a step (118) of processing the sequential classification parameters against a statistical model built during a lea...
2020 4th Cyber Security in Networking Conference (CSNet), 2020
For security applications for connected vehicles, choosing the best cryptographic algorithm is a real challenge. Traditional cryptography does not fit the constraints of the communication environment (e.g., bandwidth, delay), and the protocols defined in the standards do not allow flexibility. In this work, we provide an analysis of the cryptographic algorithms used to secure V2X communications and an overview of lightweight cryptography algorithms, in order to select algorithms that might fit the constraints of connected vehicles.
IACR Cryptol. ePrint Arch., 2017
In this paper we describe how to use a secret bug as a trapdoor to design a trapped elliptic curve E(Fp). This trapdoor can be used to mount an invalid curve attack on E(Fp). E(Fp) is designed to satisfy all ECC security criteria (prime order, high twist order, etc.), but for a secret exponent the point is projected onto another, insecure curve. We show how to use this trap with a particular type of time/memory trade-off to break the ECKCDSA verification process for any public key of the trapped curve. The process is highly undetectable: the chosen defender effort is quadratic in the saboteur's computational effort. This work provides a concrete, hardly detectable and easily deniable example of cryptographic sabotage. While this proof of concept is very narrow, it highlights the necessity of full verifiable randomness in ECC.
Keywords: Bug Attacks, Fault Attacks, ECC, Invalid Curve Attack, ECKCDSA, Kleptography, NSA, Paranoia, Verifiable Randomness, Sabotage-resilient Cryptography.
IACR Cryptol. ePrint Arch., 2013
Broadcast encryption is conventionally formalized as broadcast encapsulation, in which, instead of a ciphertext, a session key is produced, which is required to be indistinguishable from random. Such a scheme can provide public-key encryption functionality in combination with a symmetric encryption scheme through the hybrid encryption paradigm. The Boneh-Gentry-Waters scheme of 2005 proposed a broadcast scheme with constant-size ciphertext. It is one of the most efficient broadcast encryption schemes regarding overhead size. In this work we consider the improved scheme of Phan-Pointcheval-Shahandashti-Strefler [PPSS12], which provides an adaptive CCA broadcast encryption scheme. These two schemes may be tweaked to use bilinear pairings [DGS12]. This document details our choices for the implementation of the PPSS scheme. We provide a complete golden sequence of the protocol with efficient pairings (Tate, Ate and Optimal Ate). We target a 128-bit security level, hence we use a BN curve [BN06]. The aim of this...
The invention concerns a method for broadcasting data in a system using a stateless BES scheme (A1) that relies on a binary tree T with a KEKs N°2 key structure, i.e. such that a key k_{i,j} is associated with each subset difference S_{i,j}, and a root key k_{0,--} is associated with the whole tree T, together with a 'stateful' BES scheme (A2) that uses the same binary tree T with a KEKs N°1 key structure, i.e. such that a key k_i is associated with each subtree S_i. Scheme (A1) is used for the current broadcast session, and the keys known by the denied users are updated from time to time with the 'stateful' scheme (A2).
IACR Cryptol. ePrint Arch., 2018
We apply Smith's construction [9] to generate four-dimensional GLV curves with fast arithmetic in the group law as well as in the base field. As Costello and Longa did in [5] for a 128-bit security level, we obtained an interesting curve for fast GLV scalar multiplication, providing a high level of security (254 bits). Our curve is defined over a well-known finite field: Fp2 where p = 2−19. Finally, we make explicit the two endomorphisms used during the GLV decomposition.
Lecture Notes in Computer Science, 2013
The Boneh-Gentry-Waters (BGW) [4] scheme is one of the most efficient broadcast encryption schemes regarding overhead size. This performance relies on the use of a pairing, hence the protocol can benefit from public-key improvements. The ciphertext is of constant size, whatever the proportion of revoked users. The main remaining constraint is the computation time at the receiver end, as it depends on the number of revoked users. In this paper we describe two modifications to improve the BGW bandwidth and time complexity. First, we rewrite the protocol and its security proof with an asymmetric pairing over Barreto-Naehrig (BN) curves instead of a symmetric one over supersingular curves. This modification leads to a practical gain of 60% in speed and 84% in bandwidth. The second tweak reduces the computation time from O(n − r) to min(O(r), O(n − r)) in the worst case (and better in the average case). We give performance measures of our implementation of the modified protocol for a 128-bit security level on a smartphone.
rta.nato.int
Tunnel establishment (an HTTPS tunnel or a related one) between a computer protected by a security gateway and a remote server located outside the protected network is the most effective way to bypass the network security policy. Indeed, a permitted protocol can be used to ...
Lecture Notes in Computer Science
Cryptographic embedded systems are vulnerable to Differential Power Analysis (DPA). In particular, the S-boxes of a block cipher are known to be the parts most sensitive to this kind of attack. While many sound countermeasures have been proposed to withstand this weakness, most of them are too costly to be adopted in real-life implementations of cryptographic algorithms. In this paper, we focus on a widely adopted lightweight variation of the well-known Duplication Method. While it is known that this design is vulnerable to higher-order DPA attacks, we show that it can also be efficiently broken by first-order DPA attacks. Finally, we point out ad hoc, costless countermeasures that circumvent our attacks.