Shekh Faisal Abdul Latip - Academia.edu

Papers by Shekh Faisal Abdul Latip

Extended cubes

Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security - ASIACCS '11, 2011

In this paper, we propose an efficient method for extracting simple low-degree equations (e.g. quadratic ones) in addition to the linear ones obtainable from the original cube attack by Dinur and Shamir at EUROCRYPT 2009. This extended cube attack can be successfully applied even to cryptosystems in which the original cube attack may fail due to the attacker's inability to find sufficiently many independent linear equations. As an application of our extended method, we exhibit a side-channel cube attack against the PRESENT block cipher using the Hamming weight leakage model. Our side-channel attack improves upon the previous work of Yang, Wang and Qiao at CANS 2009 in two aspects. First, we use the Hamming weight leakage model, which is a more relaxed leakage assumption, supported by many previously known practical results on side-channel attacks, compared to the more challenging leakage assumption that the adversary has access to the "exact" value of the internal state bits as used by Yang et al. Thanks to applying the extended cube method, our attack also has a reduced complexity compared to that of Yang et al. Namely, for PRESENT-80 (80-bit key variant) as considered by Yang et al., our attack has a time complexity of 2^16 and a data complexity of about 2^13 chosen plaintexts, whereas that of Yang et al. has a time complexity of 2^32 and needs about 2^15 chosen plaintexts. Furthermore, our method directly applies

Fault Analysis of the KATAN Family of Block Ciphers

In this paper, we investigate the security of the KATAN family of block ciphers against differential fault attacks. KATAN consists of three variants with 32-, 48- and 64-bit block sizes, called KATAN32, KATAN48 and KATAN64, respectively. All three variants have the same key length of 80 bits. We assume a single-bit fault injection model in which the adversary is able to corrupt a single random bit of the internal state of the cipher, and this fault induction process can be repeated (by resetting the cipher); i.e., the faults are transient rather than permanent. First, we show how to identify the exact position of faulty bits within the internal state by precomputing difference characteristics for each bit position at a given round and comparing these characteristics with ciphertext differences (XOR of faulty and non-faulty ciphertexts) during the online phase of the attack. Then, we determine suitable rounds for effective fault inductions by analyzing distributions of...

Fault Analysis of the KTANTAN Family Block Ciphers: A Revisited Work of Fault Analysis of the KATAN Family Block Ciphers

Journal of Telecommunication, Electronic and Computer Engineering, 2018

This paper investigates the security of the KTANTAN block cipher against differential fault analysis. This attack is considered to be the first side-channel analysis of KTANTAN in the literature. KTANTAN is a relative of the KATAN block cipher; therefore, the previous fault analysis on the KATAN family of block ciphers is revisited. Similar to KATAN, KTANTAN has three variants, namely KTANTAN32, KTANTAN48 and KTANTAN64. The inner structure of KTANTAN is similar to KATAN except for the key schedule algorithms. KATAN has been practically broken by fault analysis employing a transient single-bit fault model, with the assumption that the attacker is able to inject faults randomly into the internal state of the cipher. The attack is empowered by the extended cube method, similarly to how it was applied on KATAN. The complexity of this attack is 2^74 for KTANTAN32 and 2^76 for both KTANTAN48 and KTANTAN64. Furthermore, based on the obtained results, this paper concludes that KTANTAN is more robust against fault...

Key-dependent side-channel cube attack on CRAFT

ETRI Journal, 2021

Resistance against known standard attacks has become one of the criteria for measuring the security of a block cipher. Cryptanalytic attacks such as linear and differential cryptanalysis [1,2] have been used widely to facilitate such security evaluations [3–7]. However, a cipher that can resist standard attacks may not necessarily be secure against side-channel attacks, which exploit weaknesses in its physical implementation. Leaked information such as timing information [8], power consumption [9,10], and electromagnetic leaks [11] can be exploited for key recovery. Ciphers which can resist standard attacks [12] are not necessarily secure: they can be broken through weaknesses of their implementation, as has been shown in [17]. However, the feasibility of side-channel attacks varies depending on the implementation, even if the same cipher is adopted. Nevertheless, it is important to study the capabilities of available ciphers to protect communications across various devices...

A Systematic Literature Review on the Security and Privacy of the Blockchain and Cryptocurrency

A blockchain can be summarized as a decentralized ledger of all transactions across a peer-to-peer network. It is the main technology behind the large number of diverse cryptocurrencies that are currently in circulation. Since its introduction, blockchain technology has shown promising application prospects and attracted a lot of attention from both academia and industry. It has also become an obvious target for adversaries. In this paper, we conduct a systematic literature review on the security vulnerabilities of and cyber-attacks on blockchain and cryptocurrency by searching and analyzing previous research papers indexed in reputable journal databases. Based on our findings, we then summarize the most common and critical security threats and attacks and the current countermeasures.

Slid Pairs of the Fruit-80 Stream Cipher

Fruit is a small-state stream cipher designed for securing communications among resource-constrained devices. The design of Fruit was first made public in 2016. It was later improved as Fruit-80 in 2018, which is the latest and final version of the Fruit stream ciphers. In this paper, we analyze the Fruit-80 stream cipher. We found that Fruit-80 generates identical keystreams from two distinct (key, IV) pairs; such a pair of key/IV pairs is known as a slid pair. Moreover, we discover that when two (key, IV) pairs fulfill specific characteristics, they will generate identical keystreams. This shows that slid pairs do not always exist arbitrarily in Fruit-80. We define specific rules which are equivalent to the characteristics. Using the defined rules, we are able to automate the search using an MILP solver, which makes searching for slid pairs trivial.

A Survey of ARX-based Symmetric-key Primitives

Addition-Rotation-XOR (ARX) is suitable for fast implementations of symmetric-key primitives such as stream and block ciphers. This paper presents a review of several block and stream ciphers based on the ARX construction, followed by a discussion of the security analysis of symmetric-key primitives in which the best attack for every cipher is examined. We benchmark the implementations in software and hardware according to the evaluation metrics. Therefore, this paper aims at providing a reference for a better selection of ARX design strategy.

A Comparative S-Index in Factoring RSA Modulus via Lucas Sequences

IACR Cryptol. ePrint Arch., 2016

General Lucas sequences are practically useful in cryptography. In the past quarter century, factoring a large RSA modulus into its primes has been one of the most important and most challenging problems in computational number theory. A factoring technique on the RSA modulus is mainly hindered by the strong prime properties. The success of factoring a few large RSA moduli within the last few decades has been due to computing prowess overcoming one strong prime of the RSA modulus. In this paper, some useful properties of Lucas sequences shall be explored in factoring the RSA modulus. This paper introduces the S-index formation in solving a quadratic equation modulo N. The S-index pattern is very useful in designing an algorithm to factor the RSA modulus. At any instance in the factoring algorithm, the accumulative result stands independently. In effect, there is no clear direction to maneuver, whether to go left or right. The S-index will add another comparative tool to better maneuver in a factoring process. On one ...

A Review of Digital Forensics Framework for Blockchain in Cryptocurrency Technology

2021 3rd International Cyber Resilience Conference (CRC)

A blockchain can be summarized as a decentralized ledger of all transactions across a peer-to-peer network. It is the primary technology behind the large number of diverse cryptocurrencies that are currently in circulation. Since its introduction, blockchain technology has shown promising application prospects and attracted much attention from academia and industry. It has also become an obvious target for adversaries. In this paper, we conduct a review of the application of digital forensic investigation processes to blockchain and cryptocurrency. Based on our findings, we conclude that digital forensics is still considered a new area for blockchain technology, especially in cryptocurrency.

Repeated Differential Properties of PRESENT Key Schedules

Proceedings of the 4th International Conference on Information and Network Security - ICINS '16, 2016

This paper investigates the key schedules of the PRESENT block cipher and studies some repeated differential properties of the key schedules. The concept of a repeated differential pattern for PRESENT key schedules is defined and introduced. Our study shows that there is a repeated differential pattern in both the PRESENT-80 and PRESENT-128 key schedules. The differential patterns for PRESENT-80 are found to repeat until round 28 with at least four bits out of a two-byte differential pattern. Meanwhile, for PRESENT-128, the differential patterns are found to repeat in all rounds with at least four bits out of a 16-bit initial differential pattern. In addition, the secret keys with the repeated differential pattern have a large number of bytes in common. From these results, we find that the key schedule of PRESENT-80 is closer to ideal than that of PRESENT-128.

The Direction of Lightweight Ciphers in Mobile Big Data Computing

Procedia Computer Science, 2015

It is too fast. The advances of computing technology are moving very fast and far from the era of the gigantic machine. This advanced technology offers an easy, fast and wide range of computing activities, particularly for users who want to use the Internet regardless of time and place. In addition, this advanced technology can also connect more communication tools. At the same time, greater storage platforms are also available as mobile computing and cloud computing architectures are adopted to carry out computing activities. However, the larger the network to which a computer is connected, the more susceptible the computer is to outside threats. Indirectly, the communication system and the information stored in the computer are also exposed. Therefore, in this paper, we discuss the evolution of computing, beginning with distributed systems and continuing to the recent computing technology which we call Mobile Big Data Computing. We also define the term Mobile Big Data Computing. Our discussion focuses on the information security aspects of the security of stored and transmitted data. Ultimately, this paper discusses the direction of lightweight cipher design considerations towards Mobile Big Data Computing.

Fault analysis of the KATAN family of block ciphers

… Security Practice and …, 2012

In this paper, we investigate the security of the KATAN family of block ciphers against differential fault attacks. KATAN consists of three variants with 32-, 48- and 64-bit block sizes, called KATAN32, KATAN48 and KATAN64, respectively. All three variants have the same key length of 80 bits. We assume a single-bit fault injection model in which the adversary is able to corrupt a single random bit of the internal state of the cipher, and this fault induction process can be repeated (by resetting the cipher); i.e., the faults are transient rather than permanent. First, we show how to identify the exact position of faulty bits within the internal state by precomputing difference characteristics for each bit position at a given round and comparing these characteristics with ciphertext differences (XOR of faulty and non-faulty ciphertexts) during the online phase of the attack. Then, we determine suitable rounds for effective fault inductions by analyzing distributions of low-degree (mainly linear and quadratic) polynomial equations obtainable using the cube and extended cube attack techniques. The complexity of our attack on KATAN32 is 2^59 computations and about 115 fault injections. For KATAN48 and KATAN64, the attack requires 2^55 computations (for both variants), while the required number of fault injections is 211 and 278, respectively.

Extended cubes: enhancing the cube attack by extracting low-degree non-linear equations

Proceedings of the 6th …, 2011

In this paper, we propose an efficient method for extracting simple low-degree equations (e.g. quadratic ones) in addition to the linear ones obtainable from the original cube attack by Dinur and Shamir at EUROCRYPT 2009. This extended cube attack can be successfully applied even to cryptosystems in which the original cube attack may fail due to the attacker's inability to find sufficiently many independent linear equations. As an application of our extended method, we exhibit a side-channel cube attack against the PRESENT block cipher using the Hamming weight leakage model. Our side-channel attack improves upon the previous work of Yang, Wang and Qiao at CANS 2009 in two aspects. First, we use the Hamming weight leakage model, which is a more relaxed leakage assumption, supported by many previously known practical results on side-channel attacks, compared to the more challenging leakage assumption that the adversary has access to the "exact" value of the internal state bits as used by Yang et al. Thanks to applying the extended cube method, our attack also has a reduced complexity compared to that of Yang et al. Namely, for PRESENT-80 (80-bit key variant) as considered by Yang et al., our attack has a time complexity of 2^16 and a data complexity of about 2^13 chosen plaintexts, whereas that of Yang et al. has a time complexity of 2^32 and needs about 2^15 chosen plaintexts. Furthermore, our method directly applies

On the security of NOEKEON against side channel cube attacks

In this paper, we investigate the security of the NOEKEON block cipher against side-channel cube attacks. NOEKEON was proposed by Daemen et al. for the NESSIE project. The block size and the key size are both 128 bits. The cube attack, introduced by Dinur and Shamir at EUROCRYPT 2009, is a new type of algebraic cryptanalysis. The attack may be applied if the adversary has access to a single bit of information that can be represented by a low-degree multivariate polynomial over GF(2) in secret and public variables. In the side-channel attack model, the attacker is assumed to have access to some leaked information about the internal state of the cipher as well as the plaintext and ciphertext. Adopting the notion of a single-bit leakage as formalized by Dinur and Shamir, we assume that the attacker has only one bit of information about the intermediate state after each round. Using this side-channel attack model, we show that it is possible to extract 60 independent linear equations over 99 (out of 128) key variables. To recover the whole 128-bit key, the attack requires only about 2^10 chosen plaintexts and O(2^68) time complexity.

Algebraic and side-channel analysis of lightweight block ciphers

The design and analysis of lightweight block ciphers is gaining increasing popularity due to the general assumption that in the future extensive use will be made of block ciphers in ubiquitous devices. In this PhD thesis we address the cryptanalysis of several lightweight block ciphers using algebraic and side-channel attacks. In the first part of the thesis, we investigate the security of the NOEKEON block cipher. We provide the first side-channel attack result on NOEKEON, using a side-channel cube attack. In the second part of the thesis, we improve the original cube attack by Dinur and Shamir at EUROCRYPT 2009 by introducing an efficient method called the extended cube for extracting low-degree nonlinear equations. We apply our extended cube method to PRESENT-80 and PRESENT-128. We show that using our extended cube method, we have been able to improve the previous side-channel cube attack on PRESENT-80 from CANS 2009. However, our attack on PRESENT-128 was the first attack in the side ch...

A Security Analysis of IoT Encryption: Side-Channel Cube Attack on SIMECK32/64

Simeck, a lightweight block cipher, has been proposed as one of the encryption algorithms that can be employed in Internet of Things (IoT) applications. Therefore, this paper presents the security of the Simeck32/64 block cipher against the side-channel cube attack. We exhibit our attack against Simeck32/64 using the Hamming weight leakage assumption to extract linearly independent equations in the key bits. We have been able to find 32 linearly independent equations in 32 key variables by only considering the second bit from the LSB of the Hamming weight leakage of the internal state on the fourth round of the cipher. This enables our attack to improve on previous attacks on Simeck32/64 within the side-channel attack model, with better time and data complexity of 2^35 and 2^11.29, respectively.

Research paper thumbnail of Extended cubes

Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security - ASIACCS '11, 2011

In this paper, we propose an efficient method for extracting simple low-degree equations (e.g. qu... more In this paper, we propose an efficient method for extracting simple low-degree equations (e.g. quadratic ones) in addition to the linear ones, obtainable from the original cube attack by Dinur and Shamir at EUROCRYPT 2009. This extended cube attack can be successfully applied even to cryptosystems in which the original cube attack may fail due to the attacker's inability in finding sufficiently many independent linear equations. As an application of our extended method, we exhibit a side channel cube attack against the PRESENT block cipher using the Hamming weight leakage model. Our side channel attack improves upon the previous work of Yang, Wang and Qiao at CANS 2009 from two aspects. First, we use the Hamming weight leakage model which is a more relaxed leakage assumption, supported by many previously known practical results on side channel attacks, compared to the more challenging leakage assumption that the adversary has access to the "exact" value of the internal state bits as used by Yang et al. Thanks to applying the extended cube method, our attack has also a reduced complexity compared to that of Yang et al. Namely, for PRESENT-80 (80-bit key variant) as considered by Yang et al., our attack has a time complexity 2 16 and data complexity of about 2 13 chosen plaintexts; whereas, that of Yang et al. has time complexity of 2 32 and needs about 2 15 chosen plaintexts. Furthermore, our method directly applies

Research paper thumbnail of Fault Analysis of the KATAN Family of Block Ciphers

Abstract. In this paper, we investigate security of the KATAN family of block ciphers against dif... more Abstract. In this paper, we investigate security of the KATAN family of block ciphers against differential fault attacks. KATAN consists of three variants with 32, 48 and 64-bit block sizes, called KATAN32, KATAN48 and KATAN64, respectively. All three variants have the same key length of 80 bits. We assume a single-bit fault injection model where the adversary is supposed to be able to corrupt a single random bit of the internal state of the cipher and this fault induction process can be repeated (by resetting the cipher); i.e., the faults are transient rather than permanent. First, we show how to identify the exact position of faulty bits within the internal state by precomputing difference characteristics for each bit position at a given round and comparing these characteristics with ciphertext differences (XOR of faulty and non-faulty ciphertexts) during the online phase of the attack. Then, we determine suitable rounds for effective fault inductions by analyzing distributions of...

Research paper thumbnail of Fault Analysis of the KTANTAN Family Block Ciphers: A Revisited Work of Fault Analysis of the KATAN Family Block Ciphers

Journal of Telecommunication, Electronic and Computer Engineering, 2018

This paper investigates the security of the KTANTAN block cipher against differential fault analy... more This paper investigates the security of the KTANTAN block cipher against differential fault analysis. This attack is considered to be first side channel analysis of KTANTAN in the literature. KTANTAN is a relative to the KATAN block cipher. Therefore, the previous fault analysis on KATAN family of block cipher is revisited. Similar to KATAN, KTANTAN has three variants namely KTANTAN32, KTANTAN48 and KTANTAN64. The inner structure of KTANTAN is similar to KATAN except the key schedule algorithms. KATAN has been practically broken by using fault analysis, employing a transient single-bit fault model, with the assumption is that the attacker is able to inject faults randomly into the internal state of the cipher. The attack is empowerd by extended cube method similarly as applied on KATAN. The complexity of this attack is 274 for KTANTAN32 and 276 for both KTANTAN48 and KTANTAN64. Furthermore, based on the obtained results, this paper concludes that KTANTAN is more robust against fault...

Research paper thumbnail of Key‐dependent side‐channel cube attack on CRAFT

Etri Journal, 2021

Resistance against known standard attacks has become one of the criteria for measuring the securi... more Resistance against known standard attacks has become one of the criteria for measuring the security of a block cipher. Cryptanalytic attacks such as linear and differential cryptanalysis [1,2] have been used widely to facilitate such security evaluations [3– 7]. However, a cipher that can resist standard attacks may not necessarily be secure against sidechannel attacks, which exploits the weaknesses in its physical implementation. Leaked information such as timing information [8], power consumption [9,10], and electromagnetic leaks [11] can be exploited for key recovery. Ciphers which can resist standard attacks [12] are not necessarily secure. They can be broken from the weaknesses of their implementation, Which have been shown in [17]. However, the feasibility of sidechannel attacks varies depending on the implementation, even if the same cipher is adopted. Nevertheless, it is important to study the capabilities of available ciphers to protect communications across various devices...

Research paper thumbnail of A Systematic Literature Review on the Security and Privacy of the Blockchain and Cryptocurrency

A blockchain can be summarized as a decentralized ledger of all transactions across a peer-to-pee... more A blockchain can be summarized as a decentralized ledger of all transactions across a peer-to-peer network. It is the main technology behind the large number of diverse cryptocurrencies that are currently available in circulation. Since its introduction, the blockchain technology has shown promising application prospects and attracted lot of attention from both academia and industry. It also has become an obvious target to adversaries. In this paper, we conduct a systematic literature review on the security vulnerabilities and cyber-attacks to blockchain and cryptocurrency by searching and analyzing previous research papers indexed in reputable journal databases. Based on our findings, we then summarize the most common and critical security threats and attacks and the current countermeasures.

Research paper thumbnail of Slid Pairs of the Fruit-80 Stream Cipher

Fruit is a small-state stream cipher designed for securing communications among resource-constrai... more Fruit is a small-state stream cipher designed for securing communications among resource-constrained devices. The design of Fruit was first known to the public in 2016. It was later improved as Fruit-80 in 2018 and becomes the latest and final version among all versions of the Fruit stream ciphers. In this paper, we analyze the Fruit-80 stream cipher. We found that Fruit-80 generates identical keystreams from certain two distinct pairs of key and IV. Such pair of key and IV pairs is known as a slid pair. Moreover, we discover that when two pairs of key and IV fulfill specific characteristics, they will generate identical keystreams. This shows that slid pairs do not always exist arbitrarily in Fruit-80. We define specific rules which are equivalent to the characteristics. Using the defined rules, we are able to automate the searching process using an MILP solver, which makes searching of the slid pairs trivial.

Research paper thumbnail of A Survey of ARX-based Symmetric-key Primitives

Addition Rotation XOR is suitable for fast implementation symmetric –key primitives, such as stre... more Addition Rotation XOR is suitable for fast implementation symmetric –key primitives, such as stream and block ciphers. This paper presents a review of several block and stream ciphers based on ARX construction followed by the discussion on the security analysis of symmetric key primitives where the best attack for every cipher was carried out. We benchmark the implementation on software and hardware according to the evaluation metrics. Therefore, this paper aims at providing a reference for a better selection of ARX design strategy.

Research paper thumbnail of A Comparative S-Index in Factoring RSA Modulus via Lucas Sequences

IACR Cryptol. ePrint Arch., 2016

General Lucas sequences are practically useful in cryptography. In the past quarter century, fact... more General Lucas sequences are practically useful in cryptography. In the past quarter century, factoring large RSA modulo into its primes is one of the most important and most challenging problems in computational number theory. A factoring technique on RSA modulo is mainly hindered by the strong prime properties. The success of factoring few large RSA modulo within the last few decades has been due to computing prowess overcoming one strong prime of RSA modulo. In this paper, some useful properties of Lucas sequences shall be explored in factoring RSA modulo. This paper introduces the Sindex formation in solving quadratic equation modulo N. The S-index pattern is very useful in designing an algorithm to factor RSA modulo. At any instance in the factoring algorithm, the accumulative result stands independently. In effect, there is no clear direction to maneuver whether to go left or right. The S-index will add another comparative tool to better maneuver in a factoring process. On one ...

Research paper thumbnail of A Review of Digital Forensics Framework for Blockchain in Cryptocurrency Technology

2021 3rd International Cyber Resilience Conference (CRC)

A blockchain can be summarized as a decentralized ledger of all transactions across a peer-to-pee... more A blockchain can be summarized as a decentralized ledger of all transactions across a peer-to-peer network. It is the primary technology behind the large number of diverse cryptocurrencies that are currently available in circulation. Since its introduction, blockchain technology has shown promising application prospects and attracted much attention from academia and industry. It also has become an obvious target for adversaries. In this paper, we conduct a review of the implementation of digital forensic investigation processes to blockchain and cryptocurrency. Based on our findings, we can conclude that digital forensics is still considered a new area for blockchain technology, especially in cryptocurrency.

Research paper thumbnail of Repeated Differential Properties of PRESENT Key Schedules

Proceedings of the 4th International Conference on Information and Network Security - ICINS '16, 2016

This paper investigates the key schedules of the PRESENT block cipher and studies some repeated d... more This paper investigates the key schedules of the PRESENT block cipher and studies some repeated differential properties of the key schedules. The concept of repeated differential pattern for PRESENT key schedules are defined and introduced. Our study shows that there is a repeated differential pattern in both PRESENT-80 and PRESENT-128 key schedules. The differential patterns for PRESENT-80 are found repeated until round 28 with at least four bits out of two bytes differential pattern. Meanwhile, for PRESENT-128, the differential patterns are found repeated in all round with at least four bits out of 16-bits initial differential pattern. In addition, the secret keys with the repeated differential pattern have a large number of bytes in common. From the result, we found that the key schedule for PRESENT-80 is more ideal compared to PRESENT-128.

Research paper thumbnail of The Direction of Lightweight Ciphers in Mobile Big Data Computing

Procedia Computer Science, 2015

Abstract It is too fast. The advances of the computing technology are moving very fast and far fr... more Abstract It is too fast. The advances of the computing technology are moving very fast and far from the era of gigantic machine. This advanced technology offers easy, fast and wide range of computing activities particularly users who want to use the Internet, regardless of time and place. In addition, this advanced technology can also connect more communication tool. At the same time, greater storage platform is also available as mobile computing cloud computing architecture adopted to carry out computer activities. However, the larger the network which is connected to a computer, the more susceptible the computer to the outside threats. Indirectly, the communication system and the information stored in the computer are also exposed. Therefore, in this paper, we has discussed on the evolution of the computing which begin with the distributed system until recent computing technology which we called Mobile Big Data Computing. Besides, in this paper, we define the term Mobile Big Data Computing. Our discussion focuses on the information security aspects for the security of storage and transmitted data. Ultimately, this paper discusses the direction of the lightweight cipher design consideration towards Mobile Big Data Computing.

Fault analysis of the KATAN family of block ciphers

… Security Practice and …, 2012

In this paper, we investigate the security of the KATAN family of block ciphers against differential fault attacks. KATAN consists of three variants with 32, 48 and 64-bit block sizes, called KATAN32, KATAN48 and KATAN64, respectively. All three variants have the same key length of 80 bits. We assume a single-bit fault injection model where the adversary is supposed to be able to corrupt a single random bit of the internal state of the cipher and this fault induction process can be repeated (by resetting the cipher); i.e., the faults are transient rather than permanent. First, we show how to identify the exact position of faulty bits within the internal state by precomputing difference characteristics for each bit position at a given round and comparing these characteristics with ciphertext differences (XOR of faulty and non-faulty ciphertexts) during the online phase of the attack. Then, we determine suitable rounds for effective fault inductions by analyzing distributions of low-degree (mainly, linear and quadratic) polynomial equations obtainable using the cube and extended cube attack techniques. The complexity of our attack on KATAN32 is 2^59 computations and about 115 fault injections. For KATAN48 and KATAN64, the attack requires 2^55 computations (for both variants), while the required number of fault injections is 211 and 278, respectively.

Extended cubes: enhancing the cube attack by extracting low-degree non-linear equations

Proceedings of the 6th …, 2011

In this paper, we propose an efficient method for extracting simple low-degree equations (e.g. quadratic ones) in addition to the linear ones, obtainable from the original cube attack by Dinur and Shamir at EUROCRYPT 2009. This extended cube attack can be successfully applied even to cryptosystems in which the original cube attack may fail due to the attacker's inability to find sufficiently many independent linear equations. As an application of our extended method, we exhibit a side channel cube attack against the PRESENT block cipher using the Hamming weight leakage model. Our side channel attack improves upon the previous work of Yang, Wang and Qiao at CANS 2009 in two aspects. First, we use the Hamming weight leakage model, which is a more relaxed leakage assumption, supported by many previously known practical results on side channel attacks, compared to the more challenging leakage assumption that the adversary has access to the "exact" value of the internal state bits as used by Yang et al. Thanks to applying the extended cube method, our attack also has a reduced complexity compared to that of Yang et al. Namely, for PRESENT-80 (80-bit key variant) as considered by Yang et al., our attack has a time complexity of 2^16 and a data complexity of about 2^13 chosen plaintexts; whereas, that of Yang et al. has a time complexity of 2^32 and needs about 2^15 chosen plaintexts. Furthermore, our method directly applies

On the security of NOEKEON against side channel cube attacks

In this paper, we investigate the security of the NOEKEON block cipher against side channel cube attacks. NOEKEON was proposed by Daemen et al. for the NESSIE project. The block size and the key size are both 128 bits. The cube attack, introduced by Dinur and Shamir at EUROCRYPT 2009, is a new type of algebraic cryptanalysis. The attack may be applied if the adversary has access to a single bit of information that can be represented by a low degree multivariate polynomial over GF(2) of secret and public variables. In the side channel attack model, the attacker is assumed to have access to some leaked information about the internal state of the cipher as well as the plaintext and ciphertext. Adopting the notion of a single bit leakage as formalized by Dinur and Shamir, we assume that the attacker has only one bit of information about the intermediate state after each round. Using this side channel attack model, we show that it is possible to extract 60 independent linear equations over 99 (out of 128) key variables. To recover the whole 128-bit key, the attack requires only about 2^10 chosen plaintexts and O(2^68) time complexity.

Algebraic and side-channel analysis of lightweight block ciphers

The design and analysis of lightweight block ciphers is gaining increasing popularity due to the general assumption that in the future extensive use will be made of block ciphers in ubiquitous devices. In this PhD thesis we address the cryptanalysis of several lightweight block ciphers using algebraic and side channel attacks. In the first part of the thesis, we investigate the security of the NOEKEON block cipher. We provide the first result of a side channel attack on NOEKEON using the side channel cube attack. In the second part of this thesis, we improve the original cube attack by Dinur and Shamir at EUROCRYPT 2009 by introducing an efficient method called extended cube for extracting low-degree nonlinear equations. We apply our extended cube method to PRESENT-80 and PRESENT-128. We show that using our extended cube method, we have been able to improve the previous side channel cube attack on PRESENT-80 from CANS 2009. However, our attack on PRESENT-128 was the first attack in the side ch...

A Security Analysis of Iot Encryption: Side-Channel Cube Attack on SIMECK32/64

Simeck, a lightweight block cipher, has been proposed as one of the encryption algorithms that can be employed in Internet of Things (IoT) applications. Therefore, this paper presents the security of the Simeck32/64 block cipher against the side-channel cube attack. We exhibit our attack against Simeck32/64 using the Hamming weight leakage assumption to extract linearly independent equations in key bits. We have been able to find 32 linearly independent equations in 32 key variables by only considering the second bit from the LSB of the Hamming weight leakage of the internal state on the fourth round of the cipher. This enables our attack to improve previous attacks on Simeck32/64 within the side-channel attack model, with better time and data complexity of 2^35 and 2^11.29 respectively.