Louiza Khati

Cryptography expert


    Thesis

  • Full Disk Encryption and Beyond, 2019

    Authors: Louiza Khati
    Abstract: This thesis is dedicated to the analysis of modes of operation in the context of disk protection usage. Firstly, we give modes of operation secure in the Full Disk Encryption (FDE) model where additional data storage is not allowed. In this context, encryption has to be length preserving which implies length-preserving encryption. However, it is possible to use a value already present in the system, called a diversifier, to randomize the encryption and to have a better security. Then, we introduce two methods to analyse symmetric primitives in the very constrained Key-Dependent Message (KDM) model which is of interest for disk encryption because the encryption key can end up in the disk. It enables us to analyse the KDM security of the Even-Mansour and the Key-Alternating Feistel constructions which are the basis of different block ciphers. Moreover, knowing that data authenticity cannot be ensured in the FDE model because tag storage is not allowed, we relax this constraint which gives us two models: the Authenticated Disk Encryption model (ADE) and the Fully Authenticated Disk Encryption model (FADE). A secure mode in the ADE model ensures data authenticity of a sector but can be vulnerable to replay attacks; a secure mode in the FADE model ensures the authenticity of the entire disk even against replay attacks. Storage is not the only point to take into account: the read and write delays on a sector are a competitive argument for disk manufacturers since disk performance tightly depends on them, and adding the computation of authentication codes does not help. That is why we tend to analyse incremental Message Authentication Codes: they have the property of being updatable in a time proportional to the corresponding modification.

    Implementation

  • Implementation SecAESSTM32: AES-128 encryption/decryption with SCA countermeasures, 2019

    Authors: Ryad Benadjila, Louiza Khati, Emmanuel Prouff and Adrian Thillard
    Description: The members of ANSSI's laboratory of embedded security have developed a C library to perform AES-128 encryption and decryption on the 32-bit Cortex-M ARM architecture while taking Side-Channel Attacks (SCA for short) into account. The implementation code is published for research and pedagogical purposes only. The platforms on which the code has been tested are the STM32F3 and STM32F4, but it should be compatible with any Cortex-M3/Cortex-M4 using the Thumb-2 ARMv7-M instruction set. The STM32 MCUs are not secure ones; in particular no effort has been made to harden them against side-channel attacks and fault injections (e.g. clock jittering, shield, etc.). The information leakage is consequently particularly high and there is almost no jittering (trace acquisition should therefore not suffer from too much de-synchronization). To secure the implementation, it has been chosen to apply state-of-the-art techniques.

    Conferences

  • The Key-Dependent Message Security of Key-Alternating Feistel Ciphers, CT-RSA 2021

    Authors: Pooya Farshim, Louiza Khati, Yannick Seurin and Damien Vergnaud
    Abstract: Key-Alternating Feistel (KAF) ciphers are a popular variant of Feistel ciphers whereby the round functions are defined as x ↦ F(k_i ⊕ x), where k_i are the round keys and F is a public random function. Most Feistel ciphers, such as DES, indeed have such a structure. However, the security of this construction has only been studied in the classical CPA/CCA models. We provide the first security analysis of KAF ciphers in the key-dependent message (KDM) attack model, where plaintexts can be related to the private key. This model is motivated by cryptographic schemes used within application scenarios such as full-disk encryption or anonymous credential systems. We show that the four-round KAF cipher, with a single function F reused across the rounds, provides KDM security for a non-trivial set of KDM functions. To do so, we develop a generic proof methodology, based on the H-coefficient technique, that can ease the analysis of other block ciphers in such strong models of security.
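    As an added example, not code from the paper or its authors: a toy implementation of the KAF construction described in the abstract above, with round function x ↦ F(k_i ⊕ x) and a single public F reused across four rounds. F is modelled by a truncated SHA-256 (an assumption standing in for the public random function) and the 32-bit round keys are derived by hashing a master key with the round index (also an assumption); the decryption routine shows how the structure inverts round by round.

```python
# Added example, not from the paper: a toy Key-Alternating Feistel (KAF)
# cipher with round function x -> F(k_i XOR x) and ONE public function F
# reused in all rounds, as in the four-round construction studied above.
import hashlib

BRANCH_BITS = 32                    # two 32-bit branches, 64-bit block
MASK = (1 << BRANCH_BITS) - 1
ROUNDS = 4

def F(x: int) -> int:
    """Public, keyless round function. Assumption: a truncated SHA-256 of the
    branch value stands in for the paper's ideal public random function."""
    digest = hashlib.sha256(x.to_bytes(BRANCH_BITS // 8, "big")).digest()
    return int.from_bytes(digest[: BRANCH_BITS // 8], "big")

def round_keys_from_master(master_key: bytes, rounds: int = ROUNDS) -> list:
    """Assumption: round keys k_1..k_r derived by hashing the master key with
    the round index (the paper treats the round keys abstractly)."""
    return [int.from_bytes(hashlib.sha256(master_key + bytes([i])).digest()[:4], "big")
            for i in range(rounds)]

def kaf_round(left: int, right: int, k_i: int) -> tuple:
    """One KAF round: (L, R) -> (R, L XOR F(k_i XOR R)); the key is XORed
    into the branch BEFORE the public function F, not inside F."""
    return right, left ^ F(k_i ^ right)

def kaf_encrypt(block: int, round_keys: list) -> int:
    """Encrypt a 64-bit block by applying one round per round key."""
    left, right = block >> BRANCH_BITS, block & MASK
    for k_i in round_keys:
        left, right = kaf_round(left, right, k_i)
    return (left << BRANCH_BITS) | right

def kaf_decrypt(block: int, round_keys: list) -> int:
    """Invert round by round in reverse key order: since L' = R and
    R' = L XOR F(k_i XOR L'), we recover L = R' XOR F(k_i XOR L') and R = L'."""
    left, right = block >> BRANCH_BITS, block & MASK
    for k_i in reversed(round_keys):
        left, right = right ^ F(k_i ^ left), left
    return (left << BRANCH_BITS) | right

if __name__ == "__main__":
    rk = round_keys_from_master(b"constructed demo master key")   # constructed sample key
    pt = 0x0123456789ABCDEF                                      # constructed sample block
    ct = kaf_encrypt(pt, rk)
    assert kaf_decrypt(ct, rk) == pt
    print(f"pt={pt:016x} ct={ct:016x} round_keys={[hex(k) for k in rk]}")
```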

  • Incremental Cryptography Revisited: PRFs, Nonces and Modular Design, INDOCRYPT 2020

    Authors: Vivek Arte, Mihir Bellare, Louiza Khati
    Abstract: This paper gives the first definitions and constructions for incremental pseudo-random functions (IPRFs). The syntax is nonce based. (Algorithms are deterministic but may take as input a non-repeating quantity called a nonce.) The design approach is modular. First, given a scheme secure only in the single-document setting (there is just one document on which incremental updates are being performed) we show how to generically build a scheme that is secure in the more realistic multi-document setting (there are many documents, and they are simultaneously being incrementally updated). Then we give a general way to build an IPRF from (1) an incremental hash function with weak collision resistance properties and (2) a symmetric encryption scheme. (This adapts the classic Carter-Wegman paradigm used to build message authentication schemes in the non-incremental setting.) This leads to many particular IPRFs. Our work has both practical and theoretical motivation and value: Incremental PRFs bring the benefits of incrementality to new applications (such as incremental key derivation), and the movement from randomized or stateful schemes to nonce based ones, and from UF (unforgeability) to PRF security, brings incremental symmetric cryptography up to speed with the broader field of symmetric cryptography itself.

  • Analysis and Improvement of an Authentication Scheme in Incremental Cryptography, SAC 2018

    Authors: Louiza Khati, Damien Vergnaud
    Abstract: Introduced in cryptography by Bellare, Goldreich and Goldwasser in 1994, incrementality is an attractive feature that enables one to efficiently update a cryptographic output like a ciphertext, a signature or an authentication tag after modifying the corresponding input. This property is very valuable in large scale systems where gigabytes of data are continuously processed (e.g. in cloud storage). Adding cryptographic operations on such systems can dramatically decrease their performance and incrementality is an interesting solution to have security at a reduced cost. We focus on the so-called XOR-scheme, the first incremental authentication construction proposed by Bellare, Goldreich and Goldwasser, and the only strongly incremental scheme (i.e. incremental regarding insert and delete update operations at any position in a document). Surprisingly, we found a simple attack on this construction that breaks the basic security claimed by the authors in 1994 with only one authentication query (not necessarily chosen). Our analysis gives different ways to fix the scheme; some of these patches are discussed in this paper and we provide a security proof for one of them.

  • Security of Even-Mansour Ciphers under Key-Dependent Messages, FSE 2018

    Authors: Pooya Farshim, Louiza Khati, Damien Vergnaud
    Abstract: The iterated Even-Mansour (EM) ciphers form the basis of many block cipher designs. Several results have established their security in the CPA/CCA models, under related-key attacks, and in the indifferentiability framework. In this work, we study the Even-Mansour ciphers under key-dependent message (KDM) attacks. KDM security is particularly relevant for block ciphers since non-expanding mechanisms are convenient in settings such as full disk encryption (where various forms of key-dependency might exist). We formalize the folklore result that the ideal cipher is KDM secure. We then show that EM ciphers meet varying levels of KDM security depending on the number of rounds and permutations used. One-round EM achieves some form of KDM security, but this excludes security against offsets of keys. With two rounds we obtain KDM security against offsets, and using different round permutations we achieve KDM security against all permutation-independent claw-free functions. As a contribution of independent interest, we present a modular framework that can facilitate the security treatment of symmetric constructions in models such as RKA or KDM that allow for correlated inputs.

  • Full Disk Encryption: Bridging Theory and Practice, CT-RSA 2017

    Authors: Louiza Khati, Nicky Mouha, Damien Vergnaud
    Abstract: We revisit the problem of Full Disk Encryption (FDE), which refers to the encryption of each sector of a disk volume. In the context of FDE, it is assumed that there is no space to store additional data, such as an IV (Initialization Vector) or a MAC (Message Authentication Code) value. We formally define the security notions in this model against chosen-plaintext and chosen-ciphertext attacks. Then, we classify various FDE modes of operation according to their security in this setting, in the presence of various restrictions on the queries of the adversary. We will find that our approach leads to new insights for both theory and practice. Moreover, we introduce the notion of a diversifier, which does not require additional storage, but allows the plaintext of a particular sector to be encrypted to different ciphertexts. We show how a 2-bit diversifier can be implemented in the EagleTree simulator for solid state drives (SSDs), while decreasing the total number of Input/Output Operations Per Second (IOPS) by only 4%.
