## CryptoDB

### Sihem Mesnager

#### Publications

**Year**

**Venue**

**Title**

2021

TCHES

Information Leakages in Code-based Masking: A Unified Quantification Approach
📺
Abstract

This paper presents a unified approach to quantifying the information leakages in the most general code-based masking schemes. Specifically, by utilizing a uniform representation, we highlight first that all code-based masking schemes’ side-channel resistance can be quantified by an all-in-one framework consisting of two easy-tocompute parameters (the dual distance and the number of conditioned codewords) from a coding-theoretic perspective. In particular, we use signal-to-noise ratio (SNR) and mutual information (MI) as two complementary metrics, where a closed-form expression of SNR and an approximation of MI are proposed by connecting both metrics to the two coding-theoretic parameters. Secondly, considering the connection between Reed-Solomon code and SSS (Shamir’s Secret Sharing) scheme, the SSS-based masking is viewed as a particular case of generalized code-based masking. Hence as a straightforward application, we evaluate the impact of public points on the side-channel security of SSS-based masking schemes, namely the polynomial masking, and enhance the SSS-based masking by choosing optimal public points for it. Interestingly, we show that given a specific security order, more shares in SSS-based masking leak more information on secrets in an information-theoretic sense. Finally, our approach provides a systematic method for optimizing the side-channel resistance of every code-based masking. More precisely, this approach enables us to select optimal linear codes (parameters) for the generalized code-based masking by choosing appropriate codes according to the two coding-theoretic parameters. Summing up, we provide a best-practice guideline for the application of code-based masking to protect cryptographic implementations.

2021

TCHES

Structural Attack (and Repair) of Diffused-Input-Blocked-Output White-Box Cryptography
📺
Abstract

In some practical enciphering frameworks, operational constraints may require that a secret key be embedded into the cryptographic algorithm. Such implementations are referred to as White-Box Cryptography (WBC). One technique consists of the algorithm’s tabulation specialized for its key, followed by obfuscating the resulting tables. The obfuscation consists of the application of invertible diffusion and confusion layers at the interface between tables so that the analysis of input/output does not provide exploitable information about the concealed key material.Several such protections have been proposed in the past and already cryptanalyzed thanks to a complete WBC scheme analysis. In this article, we study a particular pattern for local protection (which can be leveraged for robust WBC); we formalize it as DIBO (for Diffused-Input-Blocked-Output). This notion has been explored (albeit without having been nicknamed DIBO) in previous works. However, we notice that guidelines to adequately select the invertible diffusion ∅and the blocked bijections B were missing. Therefore, all choices for ∅ and B were assumed as suitable. Actually, we show that most configurations can be attacked, and we even give mathematical proof for the attack. The cryptanalysis tool is the number of zeros in a Walsh-Hadamard spectrum. This “spectral distinguisher” improves on top of the previously known one (Sasdrich, Moradi, Güneysu, at FSE 2016). However, we show that such an attack does not work always (even if it works most of the time).Therefore, on the defense side, we give a straightforward rationale for the WBC implementations to be secure against such spectral attacks: the random diffusion part ∅ shall be selected such that the rank of each restriction to bytes is full. In AES’s case, this seldom happens if ∅ is selected at random as a linear bijection of F322. Thus, specific care shall be taken. Notice that the entropy of the resulting ∅ (suitable for WBC against spectral attacks) is still sufficient to design acceptable WBC schemes.

2010

EPRINT

On a conjecture about binary strings distribution
Abstract

It is a difficult challenge to find Boolean functions used in stream ciphers achieving all of the necessary criteria and the research of such functions has taken a significant delay with respect to cryptanalyses. A lot of attacks has led to design criteria for these functions; mainly: balancedness, a high algebraic degree, a high nonlinearity, a good behavior against Fast Algebraic Attacks and also a high algebraic immunity (which is now an absolutely necessary criterion (but not sufficient) for cryptographic Boolean functions).
Very recently, an infinite class of Boolean functions has been proposed by Tu and Deng having many very nice cryptographic properties under the assumption that the following combinatorial conjecture about binary strings is true:
\begin{cjt}
\label{cjt:original}
Let $\Stk$ be the following set:
\[
\Stk=\set{(a,b) \in \left(\Zk\right)^2 | a + b = t \text{ and } w(a) + w(b) < k} .
\]
Then:
\[
\abs{\Stk} \leq 2^{k-1} .
\]
\end{cjt}
The main contribution of the present paper is the reformulation of the problem in terms of {\em carries} which gives more insight on it than simple counting arguments.
Successful applications of our tools include explicit formulas of $\abs{\Stk}$ for numbers whose binary expansion is made of one block (see theorem \ref{thm:one}), a proof that the conjecture is {\em asymptotically} true (see theorem \ref{thm:asymptotic}) and a proof that a family of numbers (whose binary expansion has a high number of \textttup{1}s and isolated \textttup{0}s) reaches the bound of the conjecture (see theorem \ref{thm:extremal}). We also conjecture that the numbers in that family are the only ones reaching the bound (see conjecture \ref{cjt:extremal}).

2008

EPRINT

A new class of Bent functions in Polynomial Forms
Abstract

This paper is a contribution to the construction of bent functions
having the form $f(x) = \tr {o(s_1)} (a x^ {s_1}) +
\tr {o(s_2)} (b x^{s_2})$ where $o(s_i$) denotes the cardinality of the cyclotomic
class of 2 modulo $2^n-1$ which contains $i$ and whose coefficients
$a$ and $b$ are, respectively in $F_{2^{o(s_1)}}$ and
$F_{2^{o(s_2)}}$. Many constructions of monomial bent functions are
presented in the literature but very few are known even in the
binomial case.
We prove that the exponents $s_1=2^{\frac n2}-1$ and $s_2={\frac
{2^n-1}3}$, where $a\in\GF{n}$ and $ b\in\GF[4]{}$ provide the
construction of new infinite class of bent functions over $\GF{n}$
with maximum algebraic degree. For $m$ odd, we give an explicit
characterization of the bentness of these functions,
in terms of the Kloosterman sums of the corresponding coefficients. For $m$ even,
we give a necessary condition in terms of these Kloosterman sums.

2007

EPRINT

Improving the lower bound on the higher order nonlinearity of Boolean functions with prescribed algebraic immunity
Abstract

The recent algebraic attacks have received a lot of attention in
cryptographic literature. The algebraic immunity of a Boolean
function quantifies its resistance to the standard algebraic attacks
of the pseudo-random generators using it as a nonlinear filtering or
combining function. Very few results have been found concerning its
relation with the other cryptographic parameters or with the $r$-th
order nonlinearity. As recalled by Carlet at Crypto'06, many papers
have illustrated the importance of the $r$th-order nonlinearity
profile (which includes the first-order nonlinearity). The role of
this parameter relatively to the currently known attacks has been
also shown for block ciphers. Recently, two lower bounds involving
the algebraic immunity on the $r$th-order nonlinearity have been
shown by Carlet et \emph{al}. None of them improves upon the other
one in all situations. In this paper, we prove a new lower bound on
the $r$th-order nonlinearity profile of Boolean functions, given
their algebraic immunity, that improves significantly upon one of
these lower bounds for all orders and upon the other one for low
orders.

2004

EPRINT

On the supports of the Walsh transforms of Boolean functions
Abstract

In this paper, we study, in relationship with covering sequences, the structure of those subsets of $\V {n}$ which can be the Walsh supports of Boolean functions.

#### Coauthors

- Claude Carlet (3)
- Pascale Charpin (1)
- Lusheng Chen (1)
- Wei Cheng (1)
- Gérard D. Cohen (1)
- Jean-Luc Danger (1)
- Jean-Pierre Flori (1)
- Sylvain Guilley (2)
- Nese Koçak (1)
- Jian Liu (1)
- Ferruh Özbudak (1)
- Hugues Randriambololona (1)
- Sumanta Sarkar (1)