International Association for Cryptologic Research


CryptoDB

Louis Goubin

Affiliation: Versailles University

Publications

Year  Venue  Title
2015  EPRINT
2013  CHES
2012  FSE
2011  CHES
2010  CHES
2008  FSE
2008  CHES
2007  EPRINT  Cryptanalysis of white box DES implementations
Obfuscation is a method consisting of hiding information about some parts of a computer program. According to Kerckhoffs' principle, a cryptographic algorithm should be kept public while the whole security should rely on the secrecy of the key. In some contexts, source code is publicly available, while the key should be kept secret; this is the challenge of code obfuscation. This paper deals with the cryptanalysis of such methods of obfuscation applied to DES. Such methods, called the "naked-DES" and "nonstandard-DES", were proposed by Chow et al. in 2002. Some methods for the cryptanalysis of the "naked-DES" were proposed by Chow et al., Jacob et al., and Link and Neuman. In their paper, Link and Neuman proposed another method for the obfuscation of DES. In this paper, we propose a general method that applies to all schemes. Moreover, we provide a theoretical analysis. We implemented our method in C and applied it successfully to thousands of obfuscated implementations of DES (both "naked" and "non-standard" DES). In each case, we recovered enough information to be able to invert the function.
2006  CHES
2005  EPRINT  An Algebraic Masking Method to Protect AES Against Power Attacks
Nicolas Courtois, Louis Goubin
The central question in constructing a secure and efficient masking method for AES is to address the interaction between additive masking and the inverse S-box of Rijndael. All recently proposed methods to protect AES against power attacks try to avoid this problem and work by decomposing the inverse in terms of simpler operations that are more easily protected against DPA by generic methods. In this paper, for the first time, we look the problem in the face, and show that this interaction is not as intricate as it seems. In fact, any operation, even a complex one, can be directly protected against DPA of any given order, if it can be embedded in a group that has a compact representation. We show that a secure computation of a whole masked inverse can be done directly in this way, using the group of homographic transformations over the projective space (but not exactly, with some non-trivial technicalities). This is used to propose a general high-level algebraic method to protect AES against power attacks of any given order.
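As an added illustration of the group-embedding idea in this abstract (this is not the paper's construction and not code from the page; the field arithmetic, the matrix encoding of homographies, and the names below are my own choices), the following Python embeds the Rijndael inversion x -> 1/x in the group of homographic transformations of the projective line over GF(2^8). A mask is a random invertible 2x2 matrix; the masked inversion is then a single homography whose matrix is computed from the masks alone, so the unmasked value is never reconstructed. It also shows the problem the abstract starts from: plain XOR masking does not commute with inversion. The 0 <-> infinity mismatch between projective inversion and the S-box convention (0 -> 0) is the "technicality" the abstract mentions; here it is only handled at unmasking time, which a real countermeasure cannot afford.

```python
"""Homographic (Moebius) masking of the AES inverse over GF(2^8).

Added illustration of embedding x -> 1/x in the group of homographies of
the projective line over GF(2^8) (2x2 matrices over the field). Not the
Courtois-Goubin construction itself; names and encodings are assumptions.
"""
import random

AES_POLY = 0x11B          # x^8 + x^4 + x^3 + x + 1, the Rijndael modulus
INF = 256                 # the point at infinity of the projective line


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the Rijndael polynomial."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
    return r


def gf_inv(a):
    """Multiplicative inverse in GF(2^8) for a != 0, computed as a^254."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def aes_inverse(x):
    """The inversion inside the Rijndael S-box, with the 0 -> 0 convention."""
    return 0 if x == 0 else gf_inv(x)


def apply_homography(m, x):
    """Apply x -> (a*x + b)/(c*x + d) on the projective line (field + INF)."""
    a, b, c, d = m
    if x == INF:
        return INF if c == 0 else gf_mul(a, gf_inv(c))
    num = gf_mul(a, x) ^ b
    den = gf_mul(c, x) ^ d
    if den == 0:
        return INF            # num != 0 here because det(m) != 0
    return gf_mul(num, gf_inv(den))


def compose(m1, m2):
    """Matrix product m1*m2: the homography 'm2 first, then m1'."""
    a1, b1, c1, d1 = m1
    a2, b2, c2, d2 = m2
    return (gf_mul(a1, a2) ^ gf_mul(b1, c2), gf_mul(a1, b2) ^ gf_mul(b1, d2),
            gf_mul(c1, a2) ^ gf_mul(d1, c2), gf_mul(c1, b2) ^ gf_mul(d1, d2))


def invert_matrix(m):
    """Inverse of a 2x2 matrix over GF(2^8); characteristic 2, so -b == b."""
    a, b, c, d = m
    det_inv = gf_inv(gf_mul(a, d) ^ gf_mul(b, c))
    return tuple(gf_mul(det_inv, v) for v in (d, b, c, a))


def random_mask(rng):
    """A random invertible 2x2 matrix, i.e. a random homography (the mask)."""
    while True:
        m = tuple(rng.randrange(256) for _ in range(4))
        if gf_mul(m[0], m[3]) ^ gf_mul(m[1], m[2]):
            return m


INVERSION = (0, 1, 1, 0)  # x -> 1/x written as a homography


def masked_inverse(y, mask_in, mask_out):
    """Given y = mask_in(x), return mask_out(1/x) without ever unmasking x.

    The only data-dependent step is one homography applied to y; the matrix
    mask_out * INVERSION * mask_in^-1 depends on the masks alone.
    """
    m = compose(mask_out, compose(INVERSION, invert_matrix(mask_in)))
    return apply_homography(m, y)


def demo(x, seed=1):
    """Mask x, invert in masked form, unmask, and compare with aes_inverse(x)."""
    rng = random.Random(seed)                 # fixed seed: constructed masks
    mask_in, mask_out = random_mask(rng), random_mask(rng)
    y = apply_homography(mask_in, x)
    z = masked_inverse(y, mask_in, mask_out)
    result = apply_homography(invert_matrix(mask_out), z)
    # The abstract's technicality: projective inversion sends 0 to INF while
    # the S-box sends 0 to 0. Patched here only at unmasking time.
    return 0 if result == INF else result


def additive_mask_fails(x, m):
    """True when XOR masking breaks: inv(x ^ m) ^ inv(m) != inv(x)."""
    return aes_inverse(x ^ m) ^ aes_inverse(m) != aes_inverse(x)
```

Usage: `demo(0x53)` returns `0xCA`, the inverse of 0x53 in the Rijndael field, with the intermediate values `y` and `z` both being random-looking points of the projective line. The compact representation the abstract refers to is visible here: a mask is four field bytes, and updating a mask is a 2x2 matrix product rather than a table recomputation.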
2004  FSE
2003  FSE
2003  PKC
2003  PKC
2003  EPRINT  What do DES S-boxes Say to Each Other?
DES is not only very widely implemented and used today, but triple DES and other derived schemes will probably still be around ten or twenty years from now. We suggest that, if an algorithm is so widely used, its security should still be under scrutiny, and not taken for granted. In this paper we study the S-boxes of DES. Many properties of these are already known, yet usually they concern one particular S-box. This comes from the known design criteria on DES, which strongly suggest that the S-boxes have been chosen independently of each other. On the contrary, we are interested in properties of DES S-boxes that concern a subset of two or more DES S-boxes. For example, we study the properties related to Davies-Murphy attacks on DES, recall the known uniformity criteria to resist this attack, and discuss a stronger criterion. More generally, we study many different properties, in particular related to linear cryptanalysis and algebraic attacks. The interesting question is whether there are any interesting properties that hold for subsets of S-boxes bigger than 2. Such a property has already been shown by Shamir at Crypto'85 (and independently discovered by Franklin), but Coppersmith et al. explained that it was rather due to the known S-box design criteria. Our simulations confirm this, but not totally. We also present several new properties of a similar flavour. These properties come from a new type of algebraic attack on block ciphers that we introduce. What we find is not easily explained by the known S-box design criteria, and the question should be asked whether the S-boxes of DES are related to each other, or whether they follow some yet unknown criteria. Similarly, we also found that the s5DES S-boxes have an unexpected common structure that can be exploited in a certain type of generalised linear attack. This fact substantially decreases the credibility of s5DES as a DES replacement. This paper probably has no implications whatsoever for the security of DES.
2003  EPRINT  SFLASHv3, a fast asymmetric signature scheme
SFLASH-v2 is one of the three asymmetric signature schemes recommended by the European consortium for low-cost smart cards. The latest implementation report published at PKC 2003 shows that SFLASH-v2 is the fastest signature scheme known. This is a detailed specification of SFLASH-v3, produced in 2003 for fear of v2 being broken. However, after detailed analysis by Chen, Courtois and Yang [ICICS04], SFLASH-v2 is not broken, and we still recommend the previous version SFLASH-v2, already recommended by NESSIE, instead of this version.
2002  PKC
2001  CHES
2000  ASIACRYPT
2000  CHES
1999  CHES
1999  EUROCRYPT
1998  ASIACRYPT
1998  EUROCRYPT

Program Committees

CHES 2015
CHES 2014
Eurocrypt 2013
CHES 2013
Eurocrypt 2012
CHES 2012
Crypto 2011
CHES 2011
CHES 2010
CHES 2009
CHES 2008
CHES 2007
CHES 2006
CHES 2005
CHES 2003