International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Bart Preneel

Publications

Year
Venue
Title
2022
EUROCRYPT
A Greater GIFT: Strengthening GIFT against Statistical Cryptanalysis 📺
GIFT-64 is a 64-bit block cipher with a 128-bit key that is more lightweight than PRESENT. This paper provides a detailed analysis of GIFT-64 against differential and linear attacks. Our work complements automatic search methods for the best differential and linear characteristics with a careful manual analysis. This hybrid approach leads to new insights. In the differential setting, we theoretically explain the existence of differential characteristics with two active S-boxes per round and derive some novel properties of these characteristics. Furthermore, we prove that all optimal differential characteristics of GIFT-64 covering more than seven rounds must activate two S-boxes per round. We can construct all optimal characteristics by hand. In parallel to the work in the differential setting, we conduct a similar analysis in the linear setting. However, unlike the clear view in differential setting, the optimal linear characteristics of GIFT-64 must have at least one round activating only one S-box. Moreover, with the assistance of automatic searching methods, we identify 24 GIFT-64 variants achieving better resistance against differential attack while maintaining a similar security level against a linear attack. Since the new variants strengthen GIFT-64 against statistical cryptanalysis, we claim that the number of rounds could be reduced from 28 to 26 for the variants. This observation enables us to create a cipher with lower energy consumption than GIFT-64. Similarly to the case in GIFT-64, we do not claim any related-key security for the round-reduced variant as this is not relevant for most applications.
2022
CRYPTO
Implicit White-Box Implementations: White-Boxing ARX Ciphers 📺
Since the first white-box implementation of AES published twenty years ago, no significant progress has been made in the design of secure implementations against an attacker with full control of the device. Designing white-box implementations of existing block ciphers is a challenging problem, as all proposals have been broken. Only two white-box design strategies have been published this far: the CEJO framework, which can only be applied to ciphers with small S-boxes, and self-equivalence encodings, which were only applied to AES. In this work we propose implicit implementations, a new design of white-box implementations based on implicit functions, and we show that current generic attacks that break CEJO or self-equivalence implementations are not successful against implicit implementations. The generation and the security of implicit implementations are related to the self-equivalences of the non-linear layer of the cipher, and we propose a new method to obtain self-equivalences based on the CCZ-equivalence. We implemented this method and many other functionalities in a new open-source tool BoolCrypt, which we used to obtain for the first time affine, linear, and even quadratic self-equivalences of the permuted modular addition. Using the implicit framework and these self-equivalences, we describe for the first time a practical white-box implementation of a generic Addition-Rotation-XOR (ARX) cipher, and we provide an open-source tool to easily generate implicit implementations of ARX ciphers.
2022
ASIACRYPT
Stretching Cube Attacks: Improved Methods to Recover Massive Superpolies
Cube attacks exploit the algebraic properties of symmetric ciphers by recovering a special polynomial, the superpoly, and subsequently the secret key. When the algebraic normal forms of the corresponding Boolean functions are not available, the division property based approach allows to recover the exact superpoly in a clever way. However, the computational cost to recover the superpoly becomes prohibitive as the number of rounds of the cipher increases. For example, the nested monomial predictions (NMP) proposed at ASIACRYPT 2021 stuck at round 845 for \trivium. To alleviate the bottleneck of the NMP technique, i.e., the unsolvable model due to the excessive number of monomial trails, we shift our focus to the so-called valuable terms of a specific middle round that contribute to the superpoly. Two new techniques are introduced, namely, Non-zero Bit-based Division Property (NBDP) and Core Monomial Prediction (CMP), both of which result in a simpler MILP model compared to the MILP model of MP. It can be shown that the CMP technique offers a substantial improvement over the monomial prediction technique in terms of computational complexity of recovering valuable terms. Combining the divide-and-conquer strategy with these two new techniques, we catch the valuable terms more effectively and thus avoid wasting computational resources on intermediate terms contributing nothing to the superpoly. As an illustration of the power of our techniques, we apply our framework to \trivium, \grain, \kreyvium and \acorn. As a result, the computational cost of earlier attacks can be significantly reduced and the exact ANFs of the superpolies for 846-, 847- and 848-round \trivium, 192-round \grain, 895-round \kreyvium and 776-round \acorn can be recovered in practical time, even though the superpoly of 848-round \trivium contains over 500 million terms; this corresponds to respectively 3, 1, 1 and 1 rounds more than the previous best results. Moreover, by investigating the internal properties of M\"obius transformation, we show how to perform key recovery using superpolies involving full key bits, which leads to the best key recovery attacks on the targeted ciphers.
2021
TCHES
My other car is your car: compromising the Tesla Model X keyless entry system 📺
This paper documents a practical security evaluation of the Tesla Model X keyless entry system. In contrast to other works, the keyless entry system analysed in this paper employs secure symmetric-key and public-key cryptographic primitives implemented by a Common Criteria certified Secure Element. We document the internal workings of this system, covering the key fob, the body control module and the pairing protocol. Additionally, we detail our reverse engineering techniques and document several security issues. The identified issues in the key fob firmware update mechanism and the key fob pairing protocol allow us to bypass all of the cryptographic security measures put in place. To demonstrate the practical impact of our research we develop a fully remote Proof-of-Concept attack that allows to gain access to the vehicle’s interior in a matter of minutes and pair a modified key fob, allowing to drive off. Our attack is not a relay attack, as our new key fob allows us to start the car anytime anywhere. Finally, we provide an analysis of the update performed by Tesla to mitigate our findings. Our work highlights how the increased complexity and connectivity of vehicular systems can result in a larger and easier to exploit attack surface.
2021
ASIACRYPT
Categorization of Faulty Nonce Misuse Resistant Message Authentication 📺
Yu Long Chen Bart Mennink Bart Preneel
A growing number of lightweight block ciphers are proposed for environments such as the Internet of Things. An important contribution to the reduced implementation cost is a block length n of 64 or 96 bits rather than 128 bits. As a consequence, encryption modes and message authentication code (MAC) algorithms require security beyond the 2^{n/2} birthday bound. This paper provides an extensive treatment of MAC algorithms that offer beyond birthday bound PRF security for both nonce-respecting and nonce-misusing adversaries. We study constructions that use two block cipher calls, one universal hash function call and an arbitrary number of XOR operations. We start with the separate problem of generically identifying all possible secure n-to-n-bit pseudorandom functions (PRFs) based on two block cipher calls. The analysis shows that the existing constructions EDM, SoP, and EDMD are the only constructions of this kind that achieve beyond birthday bound security. Subsequently we deliver an exhaustive treatment of MAC algorithms, where the outcome of a universal hash function evaluation on the message may be entered at any point in the computation of the PRF. We conclude that there are a total amount of nine schemes that achieve beyond birthday bound security, and a tenth construction that cannot be proven using currently known proof techniques. For these former nine MAC algorithms, three constructions achieve optimal n-bit security in the nonce-respecting setting, but are completely insecure if the nonce is reused. The remaining six constructions have 3n/4-bit security in the nonce-respecting setting, and only four out of these six constructions still achieve beyond the birthday bound security in the case of nonce misuse.
2021
TOSC
1, 2, 3, Fork: Counter Mode Variants based on a Generalized Forkcipher 📺
A multi-forkcipher (MFC) is a generalization of the forkcipher (FC) primitive introduced by Andreeva et al. at ASIACRYPT’19. An MFC is a tweakable cipher that computes s output blocks for a single input block, with s arbitrary but fixed. We define the MFC security in the ind-prtmfp notion as indistinguishability from s tweaked permutations. Generalizing tweakable block ciphers (TBCs, s = 1), as well as forkciphers (s = 2), MFC lends itself well to building simple-to-analyze modes of operation that support any number of cipher output blocks.Our main contribution is the generic CTR encryption mode GCTR that makes parallel calls to an MFC to encrypt a message M. We analyze the set of all 36 “simple and natural” GCTR variants under the nivE security notion by Peyrin and Seurin rom CRYPTO’16. Our proof method makes use of an intermediate abstraction called tweakable CTR (TCTR) that captures the core security properties of GCTR common to all variants, making their analyses easier. Our results show that many of the schemes achieve from well beyond birthday bound (BBB) to full n-bit security under nonce respecting adversaries and some even BBB and close to full n-bit security in the face of realistic nonce misuse conditions.We finally present an efficiency comparison of GCTR using ForkSkinny (an MFC with s = 2) with the traditional CTR and the more recent CTRT modes, both are instantiated with the SKINNY TBC. Our estimations show that any GCTR variant with ForkSkinny can achieve an efficiency advantage of over 20% for moderately long messages, illustrating that the use of an efficient MFC with s ≥ 2 brings a clear speed-up.
2020
TCHES
Dismantling DST80-based Immobiliser Systems 📺
Car manufacturers deploy vehicle immobiliser systems in order to prevent car theft. However, in many cases the underlying cryptographic primitives used to authenticate a transponder are proprietary in nature and thus not open to public scrutiny. In this paper we publish the proprietary Texas Instruments DST80 cipher used in immobilisers of several manufacturers. Additionally, we expose serious flaws in immobiliser systems of major car manufacturers such as Toyota, Kia, Hyundai and Tesla. Specifically, by voltage glitching the firmware protection mechanisms of the microcontroller, we extracted the firmware from several immobiliser ECUs and reverse engineered the key diversification schemes employed within. We discovered that Kia and Hyundai immobiliser keys have only three bytes of entropy and that Toyota only relies on publicly readable information such as the transponder serial number and three constants to generate cryptographic keys. Furthermore, we present several practical attacks which can lead to recovering the full 80-bit cryptographic key in a matter of seconds or permanently disabling the transponder. Finally, even without key management or configuration issues, we demonstrate how an attacker can recover the cryptographic key using a profiled side-channel attack. We target the key loading procedure and investigate the practical applicability in the context of portability. Our work once again highlights the issues automotive vendors face in implementing cryptography securely.
2020
TCHES
Revisiting a Methodology for Efficient CNN Architectures in Profiling Attacks 📺
This work provides a critical review of the paper by Zaid et al. titled “Methodology for Efficient CNN Architectures in Profiling attacks”, which was published in TCHES Volume 2020, Issue 1. This work studies the design of CNN networks to perform side-channel analysis of multiple implementations of the AES for embedded devices. Based on the authors’ code and public data sets, we were able to cross-check their results and perform a thorough analysis. We correct multiple misconceptions by carefully inspecting different elements of the model architectures proposed by Zaid et al. First, by providing a better understanding on the internal workings of these models, we can trivially reduce their number of parameters on average by 52%, while maintaining a similar performance. Second, we demonstrate that the convolutional filter’s size is not strictly related to the amount of misalignment in the traces. Third, we show that increasing the filter size and the number of convolutions actually improves the performance of a network. Our work demonstrates once again that reproducibility and review are important pillars of academic research. Therefore, we provide the reader with an online Python notebook which allows to reproduce some of our experiments1 and additional example code is made available on Github.2
2019
TCHES
Fast, Furious and Insecure: Passive Keyless Entry and Start Systems in Modern Supercars 📺
The security of immobiliser and Remote Keyless Entry systems has been extensively studied over many years. Passive Keyless Entry and Start systems, which are currently deployed in luxury vehicles, have not received much attention besides relay attacks. In this work we fully reverse engineer a Passive Keyless Entry and Start system and perform a thorough analysis of its security.Our research reveals several security weaknesses. Specifically, we document the use of an inadequate proprietary cipher using 40-bit keys, the lack of mutual authentication in the challenge-response protocol, no firmware readout protection features enabled and the absence of security partitioning.In order to validate our findings, we implement a full proof of concept attack allowing us to clone a Tesla Model S key fob in a matter of seconds with low cost commercial off the shelf equipment. Our findings most likely apply to other manufacturers of luxury vehicles including McLaren, Karma and Triumph motorcycles as they all use the same system developed by Pektron.
2018
EUROCRYPT
2017
TOSC
Preface
María Naya-Plasencia Bart Preneel
Preface to Volume 2017, Issue 1
2017
TOSC
Efficient Length Doubling From Tweakable Block Ciphers
We present a length doubler, LDT, that turns an n-bit tweakable block cipher into an efficient and secure cipher that can encrypt any bit string of length [n..2n − 1]. The LDT mode is simple, uses only two cryptographic primitive calls (while prior work needs at least four), and is a strong length-preserving pseudorandom permutation if the underlying tweakable block ciphers are strong tweakable pseudorandom permutations. We demonstrate that LDT can be used to neatly turn an authenticated encryption scheme for integral data into a mode for arbitrary-length data.
2016
EUROCRYPT
2016
FSE
2016
EUROCRYPT
The Future of Cryptography 📺
Bart Preneel
2015
ASIACRYPT
2012
CRYPTO
2012
CHES
2012
FSE
2012
FSE
2011
JOFC
2011
FSE
2010
ASIACRYPT
2009
FSE
2008
EUROCRYPT
2008
CHES
2008
CRYPTO
2007
ASIACRYPT
2007
CHES
2007
EUROCRYPT
2007
FSE
2007
FSE
2006
ASIACRYPT
2006
ASIACRYPT
2006
CHES
2006
FSE
2006
FSE
2006
FSE
2005
CHES
2005
FSE
2005
PKC
2005
ASIACRYPT
2004
ASIACRYPT
2004
ASIACRYPT
2004
CHES
2004
FSE
2003
ASIACRYPT
2003
CHES
2003
EUROCRYPT
2003
FSE
2003
FSE
2002
FSE
2002
PKC
2002
PKC
2001
EUROCRYPT
2001
FSE
2001
FSE
2001
FSE
2000
FSE
1999
ASIACRYPT
1999
EUROCRYPT
1999
FSE
1999
FSE
1999
FSE
1998
ASIACRYPT
1998
JOFC
1997
CRYPTO
1997
FSE
1996
ASIACRYPT
1996
EUROCRYPT
1996
FSE
1996
FSE
1995
CRYPTO
1994
FSE
FSE'94 - Introduction
Bart Preneel
1994
FSE
1994
FSE
1993
CRYPTO
1993
CRYPTO
1993
FSE
1992
AUSCRYPT
1992
AUSCRYPT
1991
EUROCRYPT
1991
EUROCRYPT
1990
EUROCRYPT
1989
CRYPTO

Program Committees

FSE 2022
FSE 2020
FSE 2019
Eurocrypt 2019
FSE 2018
Eurocrypt 2018
Asiacrypt 2017
FSE 2017 (Program chair)
Crypto 2016
CHES 2015
Crypto 2015
Asiacrypt 2015
Asiacrypt 2012
Crypto 2012
CHES 2011 (Program chair)
Crypto 2011
FSE 2010
Eurocrypt 2010
FSE 2009
Asiacrypt 2009
Crypto 2009
FSE 2008
Asiacrypt 2008
FSE 2007
Asiacrypt 2007
Crypto 2007
FSE 2006
Crypto 2006
Asiacrypt 2006
CHES 2005
FSE 2005
Eurocrypt 2005
FSE 2004
Asiacrypt 2004
Crypto 2004
Crypto 2003
FSE 2003
CHES 2003
CHES 2002
Eurocrypt 2002
Asiacrypt 2002
FSE 2002
Crypto 2002
CHES 2001
FSE 2001
Eurocrypt 2000 (Program chair)
FSE 2000
Crypto 2000
FSE 1999
Crypto 1999
FSE 1998
Eurocrypt 1998
Eurocrypt 1997
FSE 1997
Eurocrypt 1996
FSE 1996
Crypto 1996
Asiacrypt 1996
FSE 1994 (Program chair)
Asiacrypt 1994
Eurocrypt 1993
FSE 1993

Coauthors

Elena Andreeva (2)
Victor Arribas (1)
Tomer Ashur (1)
Steve Babbage (1)
Paulo S. L. M. Barreto (1)
Lejla Batina (3)
Amit Singh Bhati (1)
Eli Biham (1)
Gert Bijnens (2)
Alex Biryukov (2)
Johan Borst (1)
Antoon Bosselaers (3)
An Braeken (1)
Johan Buelens (1)
Christophe De Cannière (3)
Christophe De Cannière (1)
David Chaum (1)
Yu Long Chen (2)
Carl D'Halluin (2)
Joan Daemen (1)
Hans Dobbertin (1)
Orr Dunkelman (1)
Walter Fumy (1)
Soichi Furuya (1)
Flavio D. Garcia (1)
Benedikt Gierlichs (5)
René Govaerts (6)
Helena Handschuh (2)
Jiahui He (1)
Alireza Hodjat (1)
Dowon Hong (1)
Seokhie Hong (2)
Deukjo Hong (1)
Kai Hu (1)
David Hwang (1)
Sebastiaan Indesteege (3)
Cees J. A. Jansen (1)
Jorge Nakahara Jr. (2)
Ju-Sung Kang (1)
Nathan Keller (1)
Jongsung Kim (2)
Hae Yong Kim (1)
Jun Kitahara (1)
Lars R. Knudsen (4)
Özgül Küçük (1)
Xuejia Lai (1)
Peter Landrock (1)
Joseph Lano (1)
Sangjin Lee (2)
Werner Van Leekwijck (1)
Vincent van der Leest (1)
Luc Van Linden (1)
Atul Luykx (4)
Eduard Marin (1)
Willi Meier (1)
Bart Mennink (4)
Nicky Mouha (2)
María Naya-Plasencia (1)
Wim Nevelsteen (1)
Gregory Neven (1)
Ventzislav Nikov (1)
Svetla Nikova (1)
Marnix Nuttin (1)
Katsuyuki Okeya (1)
Paul C. van Oorschot (2)
Siddika Berna Örs (2)
Elisabeth Oswald (1)
David Oswald (1)
Souradyuti Paul (3)
Michaël Quisquater (1)
Adrián Ranea (1)
Vincent Rijmen (10)
Gert Roelofsen (1)
Bart Van Rompay (2)
Heuisu Ryu (1)
Kazuo Sakiyama (1)
Gautham Sekar (1)
Taizo Shirai (1)
Thomas Shrimpton (1)
Erik van der Sluis (1)
François-Xavier Standaert (1)
Ling Sun (1)
Yue Sun (1)
Alan Szepieniec (1)
Kazuo Takaragi (1)
Elmar Tischhauser (2)
Pim Tuyls (1)
Jan Van den Herrewegen (1)
Joachim Vandersmissen (1)
Joos Vandewalle (14)
Vesselin Velichkov (2)
Ingrid Verbauwhede (2)
Frederik Vercauteren (1)
Sven Verdoolaege (1)
Damian Vizár (1)
Wei Wang (1)
Meiqin Wang (3)
Dai Watanabe (2)
Erik De Win (1)
Christopher Wolf (1)
Lennert Wouters (4)
Hongjun Wu (5)
Kan Yasuda (2)
Hirotaka Yoshida (2)