
Lecture Notes in Computer Science 6805

Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board

David Hutchison, Lancaster University, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Alfred Kobsa, University of California, Irvine, CA, USA
Friedemann Mattern, ETH Zurich, Switzerland
John C. Mitchell, Stanford University, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz, University of Bern, Switzerland
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, TU Dortmund University, Germany
Madhu Sudan, Microsoft Research, Cambridge, MA, USA
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max Planck Institute for Informatics, Saarbruecken, Germany

David Naccache (Ed.)

Cryptography and Security:
From Theory to Applications

Essays Dedicated to Jean-Jacques Quisquater on the Occasion of His 65th Birthday

Volume Editor
David Naccache
École normale supérieure, Département d'informatique
45 Rue d'Ulm, 75231 Paris Cedex 05, France
E-mail: david.naccache@ens.fr

ISSN 0302-9743   e-ISSN 1611-3349
ISBN 978-3-642-28367-3   e-ISBN 978-3-642-28368-0
DOI 10.1007/978-3-642-28368-0
Springer Heidelberg Dordrecht London New York
Library of Congress Control Number: 2012931225
CR Subject Classification (1998): E.3, K.6.5, D.4.6, C.2, J.1, G.2.1
LNCS Sublibrary: SL 4 – Security and Cryptology

© Springer-Verlag Berlin Heidelberg 2012

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.

The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws


Preface

I met Jean-Jacques Quisquater at Crypto 1992, one of my very first conferences in cryptography. I still remember the discussion we had that evening on DES exhaustive search and on modular reduction algorithms. As a young researcher I was impressed by the flow of information coming out of Jean-Jacques's mouth: algorithms, patents, products, designs, chip technologies, old cryptographic machines... to an external observer the scene would have certainly reminded of Marty McFly's first encounter with Dr. Emmett Brown.

Twenty years later, here I sit, writing the preface to this volume dedicated to Jean-Jacques's retirement. Nonetheless, one might wonder what retirement actually means for Jean-Jacques... While emeritus, Jean-Jacques continues to conduct research with great passion, keep a regular contact with his friends in the research community, attend conferences, serve as an elected IACR director, write research papers and sermon young researchers about the quality of their work. He regularly visits MIT and UCL-London and in his very active retirement he continues to teach the Number Theory course at UCL and consult for several companies.

As it would be very hard to provide here a thorough account of Jean-Jacques's résumé, let me just mention some of his career highlights. Jean-Jacques was the first to implement DES in a smart-card (TRASEC project in 1985). For doing so, Jean-Jacques can be legitimately regarded as the researcher who first introduced cryptography into the smart-card industry. After working on the DES, Jean-Jacques turned his attention to implementing RSA in smart-cards. He started by proposing a technique that improved RSA execution speed by a factor of 250,000 on 8-bit processors (Intel 8051 and Motorola 6805)¹. In 1986 computing an RSA 512 on such processors took about two minutes. Consequently, it was impossible to envision any useful deployment of RSA in smart cards². Jean-Jacques rolled up his sleeves and launched the CORSAIR (Philips) project, that in a way reminds us of the celebrated DeLorean DMC-12 modified into a time machine³: Jean-Jacques started by adding up the effects of the Chinese Remainder Theorem and those of a new modular multiplication algorithm (now called Quisquater's algorithm⁴). Then he stripped the frequency divider off the device, added a hardwired 8 × 8-bit multiplier and got sub-second performance (500 factor speed-up).

¹ The very attentive reader might note that 6805 is a very special number in this LNCS volume...
² Interestingly, the situation is very similar to the implementation of fully homomorphic cryptosystems in today's 64-bit quad-core processors!
³ For the young generation of cryptographers who did not see the movie and for the

This did not fully satisfy Jean-Jacques. Hence, in episode II (aware of competing efforts by Biff Tannen, another silicon manufacturer), Jean-Jacques launched the FAME project, to squeeze out of the device an extra 500 factor. The algorithm was refined, the clock accelerated by a factor of 16, double-access RAM was added and the multiplier's size was extended to 16 and then to 32 bits. All in all, thanks to Jean-Jacques's efforts, by 1996 (i.e., in 10 years) a speed-up factor of 250,000 was achieved, thereby exceeding Moore's law provisions. This stimulated research and opened commercial perspectives to other firms who eventually came up with creative alternatives. Until today, Philips (now NXP) uses Quisquater's algorithm. The algorithm was duplicated in about one billion chips, most notably in around 85% of all biometric passports issued as I write these lines.

Jean-Jacques's contributions to our field are considerable. Jean-Jacques filed fundamental smart-card patents, authored more than 150 scientific papers in graph theory and in cryptology and coached an entire generation of UCL cryptographers. The GQ protocol (another saga that we cannot recount for lack of space) bears his name. GQ is used daily for authenticating data exchanges throughout the world by more than 100 million machines. Jean-Jacques received many prestigious honors and marks of recognition from foreign and French-speaking institutions.

When I asked colleagues to contribute to this volume the response was enthusiastic. The contributions came from many countries and concerned nearly all the fields to which Jean-Jacques devoted his efforts during his academic career.

The authors of these contributions and I would like to thank Jean-Jacques for his creativity and life-long work and to thank Springer for giving us the opportunity to gather in this volume the expression of our gratitude to Jean-Jacques.

October 2011
David Naccache

  

Table of Contents

Personal Tributes and Re-visits of Jean-Jacques's Legacy

The Hidden Side of Jean-Jacques Quisquater . . . . . 1
    Michaël Quisquater
On Quisquater's Multiplication Algorithm . . . . . 3
    Marc Joye
A Brief Survey of Research Jointly with Jean-Jacques Quisquater . . . . . 8
    Yvo Desmedt
DES Collisions Revisited . . . . . 13
    Sebastiaan Indesteege and Bart Preneel
Line Directed Hypergraphs . . . . . 25
    Jean-Claude Bermond, Fahir Ergincan, and Michel Syska

Symmetric Cryptography

Random Permutation Statistics and an Improved Slide-Determine Attack on KeeLoq . . . . . 35
    Nicolas T. Courtois and Gregory V. Bard
Self-similarity Attacks on Block Ciphers and Application to KeeLoq . . . . . 55
    Nicolas T. Courtois
Increasing Block Sizes Using Feistel Networks: The Example of the AES . . . . . 67
    Jacques Patarin, Benjamin Gittins, and Joana Treger
Authenticated-Encryption with Padding: A Formal Security Treatment . . . . . 83
    Kenneth G. Paterson and Gaven J. Watson

Asymmetric Cryptography

Traceable Signature with Stepping Capabilities . . . . . 108
Autotomic Signatures . . . . . 143
    David Naccache and David Pointcheval
Fully Forward-Secure Group Signatures . . . . . 156
    Benoît Libert and Moti Yung
Public Key Encryption for the Forgetful . . . . . 185
    Puwen Wei, Yuliang Zheng, and Xiaoyun Wang
Supplemental Access Control (PACE v2): Security Analysis of PACE Integrated Mapping . . . . . 207
    Jean-Sébastien Coron, Aline Gouget, Thomas Icart, and Pascal Paillier

Side Channel Attacks

Secret Key Leakage from Public Key Perturbation of DLP-Based Cryptosystems . . . . . 233
    Alexandre Berzati, Cécile Canovas-Dumas, and Louis Goubin
EM Probes Characterisation for Security Analysis . . . . . 248
    Benjamin Mounier, Anne-Lise Ribotta, Jacques Fournier, Michel Agoyan, and Assia Tria
An Updated Survey on Secure ECC Implementations: Attacks, Countermeasures and Cost . . . . . 265
    Junfeng Fan and Ingrid Verbauwhede
Masking with Randomized Look Up Tables: Towards Preventing Side-Channel Attacks of All Orders . . . . . 283
    François-Xavier Standaert, Christophe Petit, and Nicolas Veyrat-Charvillon

Hardware and Implementations

Efficient Implementation of True Random Number Generator Based on SRAM PUFs . . . . . 300
    Vincent van der Leest, Erik van der Sluis, Geert-Jan Schrijen, Pim Tuyls, and Helena Handschuh
Operand Folding Hardware Multipliers . . . . . 319
    Byungchun Chung, Sandra Marcello, Amir-Pasha Mirbaha,
Cryptography with Asynchronous Logic Automata . . . . . 355
    Peter Schmidt-Nielsen, Kailiang Chen, Jonathan Bachrach, Scott Greenwald, Forrest Green, and Neil Gershenfeld
A Qualitative Security Analysis of a New Class of 3-D Integrated Crypto Co-processors . . . . . 364
    Jonathan Valamehr, Ted Huffmire, Cynthia Irvine, Ryan Kastner, Çetin Kaya Koç, Timothy Levin, and Timothy Sherwood

Smart Cards and Information Security

The Challenges Raised by the Privacy-Preserving Identity Card . . . . . 383
    Yves Deswarte and Sébastien Gambs
The Next Smart Card Nightmare: Logical Attacks, Combined Attacks, Mutant Applications and Other Funny Things . . . . . 405
    Guillaume Bouffard and Jean-Louis Lanet
Localization Privacy . . . . . 425
    Mike Burmester
Dynamic Secure Cloud Storage with Provenance . . . . . 442
    Sherman S.M. Chow, Cheng-Kang Chu, Xinyi Huang, Jianying Zhou, and Robert H. Deng
Efficient Encryption and Storage of Close Distance Messages with Applications to Cloud Storage . . . . . 465
    George Davida and Yair Frankel

As Diverse as Jean-Jacques' Scientific Interests

A Nagell Algorithm in Any Characteristic . . . . . 474
    Mehdi Tibouchi
How to Read a Signature? . . . . . 480
    Vanessa Gratzer and David Naccache
Fooling a Liveness-Detecting Capacitive Fingerprint Scanner . . . . . 484
    Edwin Bowden-Peters, Raphael C.-W. Phan, John N. Whitley, and David J. Parish
Physical Simulation of Inarticulate Robots . . . . . 491
    Guillaume Claret, Michaël Mathieu, David Naccache, and Guillaume Seguin

  

The Hidden Side of Jean-Jacques Quisquater

Michaël Quisquater

University of Versailles
michael.quisquater@prism.uvsq.fr

D. Naccache (Ed.): Quisquater Festschrift, LNCS 6805, pp. 1–2, 2012.
© Springer-Verlag Berlin Heidelberg 2012

If you are reading this text it is probably because you know Jean-Jacques, my Dad. Whether you know him professionally or more personally, I thought it was a good idea to present him to you from the prism of his son. I will restrict myself to the scientific part of our relationship, the rest being kept private.

My scientific education started very early. Indeed, when I didn't want to eat something as a child, he cut the food in the shape of rockets and other devices. He used this stratagem because he knew I was interested in technical stuff and DIY. I was eager to leave school as soon as possible because his office was full of computer drawings and therefore working in real life appeared to me as very entertaining. Those drawings were actually Hoffman-Singleton graphs and Ulam spirals, which I didn't know at that time.

In the mid-eighties, he started to travel a lot. His returns were always very exciting because he brought back, among other things, many gadgets and puzzles from his travels. Those were also the opportunity for me to communicate very early by email because we had an account in his office for that purpose. At that time, he also bought a "Commodore 128". This computer was simply great! We had an agreement that I had to write down all my questions in an agenda. This system is very representative of his way of working; he never pushed me into anything but he was supporting me when he could. I learned a lot this way which allowed me to write a program teaching how to program in BASIC. Simultaneously, I was interested in electronics and he explained to me things like the working of an electrical motor, of transistors, resistors, capacitors, diodes etc.

Later he wrote, in collaboration with Thomas Berson and Louis Guillou, the paper entitled "How to Explain Zero-Knowledge Protocols to Your Children". To tell you the truth I have never heard of this paper nor of zero-knowledge protocols at home. I am a bit ashamed to say this but actually I have never even read this paper ;-). What is true is that we had a place at home with draft papers I could use for my homework and most of them were filled with maths on one side. I could see things like "mod" and even more difficult things like "v mod φ(n)" and "r mod n". My sides were filled with much simpler things ;-).

Some years later, the company Philips decided to close the research lab where my father was working and he had to find a new job. I helped him to move from his office which allowed me to meet people like Philippe Delsarte, Paul Van Dooren, Benoît Macq... Those people became my professors at the university some years later. He started a company and people were calling at home for the company and some of them were asking me if I could not do the job. I had to tell them that I was only 15 but otherwise it would have been with pleasure ;-). In parallel, he got a part-time (at the beginning) position at the university and started the crypto group at UCL in Belgium. Even if he never spoke at home of what he was doing precisely in research, I could hear the names of Olivier Delos, Jean-François Dhem, François Koeune, Marc Joye, Gael Hachez, Jean-Marc Boucqueau and many others.

I started to study at the same university some years later and decided not to work in cryptography. My father didn't want to influence me and therefore he didn't give much advice to choose my orientation. The only tip he gave me was to attend the course "Information and Coding Theory" given by B. Macq and P. Delsarte. This course was a revelation to me and I decided to go into discrete mathematics. There were not that many courses on the topic and I chose to attend the course "Cryptography" given by... Jean-Jacques Quisquater (I haven't passed the exam with him, which was the presentation of a topic: "Lucas-Lehmer primality test"). Finally, I decided to do my master thesis in cryptography under the supervision of J. Stern, P. Delsarte and A. Magnus. At the end of the year, I didn't know what to do and he proposed me to join him at CHES 99 and Crypto 99 in order to see how it was. This experience was great and I decided to start a PhD in cryptography under the supervision of B. Preneel and J. Vandewalle in the COSIC group at the KU Leuven (Belgium). Today, I am living in France and I am an assistant professor in cryptography at the University of Versailles and we are still in touch regularly.

I would like to take this opportunity to thank my parents for their education, support and love. I love you!

Your son,
Michaël

  

On Quisquater's Multiplication Algorithm

Marc Joye

Technicolor, Security & Content Protection Labs
1 avenue de Belle Fontaine, 35576 Cesson-Sévigné Cedex, France
marc.joye@technicolor.com

Smart card technologies have had a huge impact on the development of cryptographic techniques for commercial applications. The first cryptographic smart card was introduced in 1979. It implemented the Telepass 1 one-way function using 200 bytes! Next came smart cards with secret-key and public-key capabilities, respectively in 1985 and 1988. Implementing an RSA computation on a smart card was (and still is) a very challenging task. Numerous tips and tricks were used in the design of the resulting smart-card chip P83C852 from Philips using the CORSAIR crypto-coprocessor. Among them was a new algorithm for the modular multiplication of two integers, Quisquater's multiplication algorithm, and its various extensions.

1 Quisquater's Algorithm

The classical schoolboy method evaluates the quotient $q = \lfloor U/N \rfloor$ of the integer division of $U$ by $N$ in a digit-by-digit fashion; the remainder of the division is $r = U - qN$. Let $\beta = 2^k$ for some integer $k \geq 1$. If $N = \sum_{i=0}^{n-1} N_i \beta^i$ and $U = \sum_{i=0}^{n} U_i \beta^i$ (with $0 \leq N_i, U_i \leq \beta - 1$ and $N_{n-1}, U_n \neq 0$) denote the respective $k$-ary expansions of $N$ and $U$, then a good estimate for the quotient $q \in [0, \beta)$ is given by

$$\hat{q} = \min\left( \left\lfloor \frac{U_n \beta + U_{n-1}}{N_{n-1}} \right\rfloor, \; \beta - 1 \right);$$

see e.g. [6, p. 271]. In particular, when $N_{n-1} \geq \beta/2$, it is easily verified that $\hat{q} - 2 \leq q \leq \hat{q}$. This means that the exact value for quotient $q$ can then be obtained from $\hat{q}$ with at most two corrections.

In order to simplify the presentation, we further assume that $N$ is not a power of 2; remark that evaluating a reduction modulo a power of 2 is trivial. Quisquater's algorithm relies on the observation that quotient $q = \lfloor U/N \rfloor$ is lower bounded by the approximated quotient

$$\hat{q} = \left\lfloor \frac{U}{2^c \beta^n} \right\rfloor \cdot \left\lfloor \frac{2^c \beta^n}{N} \right\rfloor$$

for some integer $c > 0$, which defines a remainder; namely,

$$\hat{r} := U - \hat{q} N = U - \left\lfloor \frac{U}{2^c \beta^n} \right\rfloor \cdot \left\lfloor \frac{2^c \beta^n}{N} \right\rfloor N.$$

Hence, letting $N' = \delta N$ where $\delta = \lfloor (2^c \beta^n)/N \rfloor$, we see that obtaining $\hat{r}$ merely requires a binary shift operation, i.e., a division by a power of 2, by evaluating $\hat{r}$ as

$$\hat{r} = U - \left\lfloor \frac{U}{2^{kn+c}} \right\rfloor N'$$

(remember that $\beta = 2^k$). This of course supposes the precomputation of $N'$.

By construction, the $c$ most significant bits of modulus $N'$ are equal to 1. Indeed, from $N' = \delta N = \lfloor (2^c \beta^n)/N \rfloor N = 2^c \beta^n - (2^c \beta^n \bmod N)$ and since

1. $(2^c \beta^n \bmod N) \geq 1$ because $N$ is assumed not to be a power of 2,
2. $(2^c \beta^n \bmod N) \leq N - 1 \leq \beta^n - 2$,

we get $2^c \beta^n - 1 \geq N' \geq 2^c \beta^n - (\beta^n - 2) > (2^c - 1) \beta^n$. This also shows that $|N'|_2 = kn + c$; i.e., that the bit-length of $N'$ is $kn + c$. Such a modulus is called a diminished-radix modulus.

It is worth noting that the two divisions in the expression of $\hat{q}$ are rounded by default so that the value of $\hat{q}$ will never exceed that of $q$ and thus that $\hat{r}$ will never be negative. Further, the subtraction in the expression of $\hat{r}$ can advantageously be replaced with an addition using the 2-complemented value of $N'$, $\overline{N'} = 2^{|N'|_2} - N'$, as

$$\hat{r} = (U \bmod 2^{kn+c}) + \left\lfloor \frac{U}{2^{kn+c}} \right\rfloor \cdot \overline{N'}.$$

It is also worth noting that $\hat{r} \equiv U \pmod{N}$. Moreover, from the schoolboy method, it is very likely a correct estimate for $(U \bmod N')$ for a sufficiently large value for $c$. This is easy to check. Define $r' = U \bmod N'$. We have:

$$\hat{r} - r' = \left( \left\lfloor \frac{U}{N'} \right\rfloor - \left\lfloor \frac{U}{2^{kn+c}} \right\rfloor \right) N'$$

and

$$\frac{U}{2^{kn+c}} \leq \frac{U}{N'} \leq \frac{U}{2^{kn+c}} + \begin{cases} \dfrac{1}{2^{\,c-(k+1)}} & \text{if } c \propto k, \\[2ex] \dfrac{1}{2^{\,c+(c \bmod k)-(2k+1)}} & \text{otherwise.} \end{cases}$$

For example, if $c = 2k$, $\hat{r}$ is expected to be equal to $(U \bmod N')$ with a probability of at least $1 - 2^{-(k-1)}$; if not, then $\hat{r} - N'$ yields the value of $(U \bmod N')$.

Proof. The schoolboy method computes digit-by-digit the quotient (and corresponding remainder) of an $(\ell+1)$-digit number by an $\ell$-digit number. As Quisquater's algorithm replaces modulus $N$ by modulus $N' = \delta N$, which is an $(n + \lceil c/k \rceil)$-digit number, we assume that

$$U = \sum_{i=0}^{n + \lceil c/k \rceil} U_i \beta^i \quad \text{with } 0 \leq U_i < \beta \text{ and } U_{n + \lceil c/k \rceil} \neq 0.$$

The relation on $\hat{r} - r'$ is immediate: $\hat{r} - r' = U - \lfloor U/(2^c \beta^n) \rfloor N' - (U \bmod N') = \lfloor U/N' \rfloor N' - \lfloor U/(2^c \beta^n) \rfloor N'$. For the second relation, $\lfloor U/N' \rfloor \geq \lfloor U/2^{kn+c} \rfloor$ since $N' < 2^{kn+c}$. Furthermore, since $N' > (2^c - 1)\beta^n$ and $U < \beta^{n + \lceil c/k \rceil + 1}$, we get

$$\frac{U}{N'} - \frac{U}{2^c \beta^n} \leq \frac{U}{(2^c - 1)\beta^n} - \frac{U}{2^c \beta^n} = \frac{U}{2^c (2^c - 1) \beta^n} \leq \frac{\beta^{\lceil c/k \rceil + 1}}{2^c (2^c - 1)} = \frac{2^{k \lceil c/k \rceil + k}}{2^c (2^c - 1)} \leq \frac{1}{2^{\,2c - 1 - k \lceil c/k \rceil - k}}.$$

Suppose first that $c \propto k$ (i.e., that $c \bmod k = 0$). Then we have $2c - 1 - k\lceil c/k \rceil - k = c - k - 1$. Suppose now that $c \not\propto k$. Then $k\lceil c/k \rceil = k\lfloor c/k \rfloor + k = c + k - (c \bmod k)$ and therefore $2c - 1 - k\lceil c/k \rceil - k = c + (c \bmod k) - 2k - 1$. $\square$

The description we gave is a high-level presentation of the algorithm. There is more in Quisquater's algorithm. We refer the reader to the literature cited below for low-level implementation details. In the next sections, we will discuss the normalization process (i.e., the way to get $N'$) and some useful features satisfied by the algorithm.

D. Naccache (Ed.): Quisquater Festschrift, LNCS 6805, pp. 3–7, 2012.
© Springer-Verlag Berlin Heidelberg 2012

2 Normalization and Denormalization

Quisquater's algorithm requires that the $c$ most significant bits of the modulus are equal to 1. For that purpose, an input modulus $N$ is transformed into a normalized modulus $N' = \delta N$. As shown before, a valid choice for $\delta$ is $\delta = \lfloor 2^{|N|_2 + c} / N \rfloor$.

We note that a full division by $N$ is not necessary to obtain the value of normalization factor $\delta$. If we let

$$\hat{\delta} = \left\lfloor \frac{2^{2c+2}}{\hat{N}} \right\rfloor$$

where $\hat{N}$ denotes the $(c+2)$ most significant bits of $N$, then $\delta \leq \hat{\delta} \leq \delta + 1$. Hence, if we take $\hat{\delta}$ as an approximation for $\delta$, the error is at most one. As a result, with only one test, we obtain the exact value of $\delta$ from the $(c+2)$ most significant bits of $N$.

The bit-length of the normalized modulus, $N' = \delta N$, is of $(kn + c)$ bits. If the word-size of the device implementing the algorithm is of $k$ bits, it may be possible to increase the bit-length of $N'$ without degrading the performance, provided that the word-length of the resulting modulus remains the same. As a consequence, it is smart to select $c$ as a multiple of $k$. Doing so, the probability that $\hat{r}$ is the exact value for $(U \bmod N')$ will be maximal for a given word-length for $N'$.

If that probability is already high, another option would be to exploit the possible additional bits to diversify the normalized moduli. An application will be presented in the next section. The number of additional bits is given by $B := -c \bmod k$. The problem now consists in constructing normalization factors $\delta$ so that $N' = \delta N$ has at most $kn + c + B = k(n + \lceil c/k \rceil)$ bits and whose $c$ most significant bits are 1's. Letting as before $N = \sum_{i=0}^{n-1} N_i \beta^i$ the $k$-ary expansion of modulus $N$, we may define

$$\delta_{b,t} = \left\lfloor \frac{2^{c+b} \beta^n - t}{N} \right\rfloor \quad \text{for any } b \in \{0, \ldots, B\} \text{ and } t \in \{1, \ldots, (2^b - 1)\beta^n + 2\}.$$

They are all valid normalization factors. Note that for such $\delta_{b,t}$, the expression for $\hat{r} = \hat{r}_{b,t}$ becomes

$$\hat{r} = U - \left\lfloor \frac{U}{2^{c+b} \beta^n} \right\rfloor \cdot (\delta_{b,t} N).$$

Proof. Define $N'_{b,t} = \delta_{b,t} N$ and $R_{b,t} = (2^{c+b} \beta^n - t) \bmod N$. Fix $b \in \{0, \ldots, B\}$. From the definition of $\delta_{b,t}$, we get $N'_{b,t} = 2^{c+b} \beta^n - t - R_{b,t}$. Hence, we have $N'_{b,t} \leq 2^{c+b} \beta^n - 1$ since $t \geq 1$ and $R_{b,t} \geq 0$. We also have $N'_{b,t} \geq 2^{c+b} \beta^n - (2^b - 1)\beta^n - 2 - (\beta^n - 2) = (2^c - 1) 2^b \beta^n$ since $t \leq (2^b - 1)\beta^n + 2$ and $R_{b,t} \leq N - 1 \leq \beta^n - 2$. This shows that $N'_{b,t}$ always has its $c$ most significant bits equal to 1. Moreover, $N'_{b,t} \leq 2^{c+b} \beta^n - 1 \leq 2^{c+B} \beta^n - 1$ implies that $N'_{b,t}$ has a length of at most $(kn + c + B)$ bits. $\square$

Again the computation of the normalization factors can be sped up by considering only some highest part of $N$.

3 Application

The setting of Quisquater's multiplication suits particularly well an RSA computation. Suppose for example that one has to compute the RSA signature $S = \mu(m)^d \bmod N$ on some message $m$, where $d$ denotes the private signing key and $\mu$ represents some padding function. Signature $S$ can be equivalently obtained using only modulo $N'$ arithmetic as

$$S = \frac{\bigl( \delta \cdot (\mu(m)^d \bmod N') \bigr) \bmod N'}{\delta}.$$

The correctness follows by noting that $\delta A \bmod \delta N = \delta (A \bmod N)$ for any integer $A$.

Quisquater's algorithm results in an increase of the modulus size. At first sight, this may appear as an issue but, for protected implementations, it turns out that it is not. The usual countermeasure to thwart DPA-type attacks consists in randomizing the process for evaluating a cryptographic computation. Applied to the computation of the above RSA signature, this can be achieved as

$$S^* = \bigl( \mu(m) + r_1 N \bigr)^{d + r_2 \varphi(N)} \bmod N'$$

for certain random integers $r_1$ and $r_2$, and where $\varphi$ denotes Euler's totient function (i.e., $\varphi(N) = \#\mathbb{Z}_N^*$). Moreover, it is even possible to freely randomize the value of $N'$ by randomly choosing the normalization factor $\delta$ as one of the valid $\delta_{b,t}$'s when defining $N'$. Signature $S$ is then recovered as $S = (\delta S^* \bmod N') / \delta$.
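Sections 1 to 3 above, worked through in Python as an added example; this is not code from Joye's paper nor from the CORSAIR or FAME coprocessors it describes. It uses constructed toy parameters, k = 8-bit digits, c = 2k = 16 and a 32-bit modulus N = 65521 · 65519 (two 16-bit primes, chosen so that |N|_2 = kn and the two definitions of δ on the page coincide), and Python's unbounded integers stand in for the k-bit word arithmetic of a coprocessor. The function names normalize, estimate_delta, normalize_bt, reduce_mod, mul_mod, pow_mod, rsa_sign and rsa_sign_blinded are this example's own. It shows the reduction r̂ = U − ⌊U/2^{kn+c}⌋N' needing at most one correction inside a digit-by-digit multiplication, the exact δ recovered from the (c+2) top bits of N with a single comparison, the diversified factors δ_{b,t}, and an RSA signature computed entirely modulo N' and denormalized by dividing δS* mod N' by δ.

```python
"""Quisquater reduction with a diminished-radix modulus (added example, not the paper's code).

Constructed toy parameters: k = 8-bit digits, c = 16 = 2k, N = 65521 * 65519 (32 bits, n = 4).
Python integers replace the k-bit word arithmetic of a smart-card coprocessor.
"""

K = 8          # digit size in bits, beta = 2**K
C = 16         # c: number of leading 1-bits forced into the normalized modulus (here c = 2k)


def ndigits(x, k=K):
    """Number of k-bit digits needed to write x (this is n for the modulus N)."""
    return -(-x.bit_length() // k)


def normalize(N, c=C, k=K):
    """Section 1: delta = floor(2^c beta^n / N) and N' = delta * N."""
    n = ndigits(N, k)
    delta = (1 << (k * n + c)) // N
    return delta, delta * N


def estimate_delta(N, c=C):
    """Section 2: delta_hat = floor(2^(2c+2) / N_hat) from the (c+2) top bits of N only.
    delta <= delta_hat <= delta + 1, so a single comparison yields the exact delta
    (assumes |N|_2 = kn, as for the constructed N)."""
    L = N.bit_length()
    N_hat = N >> (L - (c + 2))               # the (c+2) most significant bits of N
    delta_hat = (1 << (2 * c + 2)) // N_hat
    if delta_hat * N > (1 << (L + c)):       # the one test: delta_hat was delta + 1
        delta_hat -= 1
    return delta_hat


def normalize_bt(N, c, b, t, k=K):
    """Section 2: diversified factor delta_{b,t} = floor((2^(c+b) beta^n - t) / N),
    valid for 0 <= b <= B = -c mod k and 1 <= t <= (2^b - 1) beta^n + 2."""
    n = ndigits(N, k)
    B = (-c) % k
    if not (0 <= b <= B and 1 <= t <= ((1 << b) - 1) * (1 << (k * n)) + 2):
        raise ValueError("(b, t) outside the valid range")
    delta = ((1 << (c + b + k * n)) - t) // N
    return delta, delta * N


def reduce_mod(U, Np):
    """r_hat = U - floor(U / 2^|N'|_2) * N': one shift, one multiply, one subtraction.
    r_hat is congruent to U modulo N; for U < 2 beta N' and c >= k+1 it equals U mod N'
    after at most one subtraction of N'. Returns (r, number of corrections)."""
    shift = Np.bit_length()                  # = kn + c (or kn + c + b) by construction
    r = U - (U >> shift) * Np                # never negative, since N' < 2^shift
    corrections = 0
    while r >= Np:
        r -= Np
        corrections += 1
    return r, corrections


def mul_mod(A, B, Np, k=K):
    """Schoolboy interleaved multiplication A * B mod N': one digit of A at a time,
    reducing the (digits+1)-digit intermediate after every step. Requires A, B < N'."""
    R = 0
    for i in reversed(range(ndigits(Np, k))):
        a_i = (A >> (k * i)) & ((1 << k) - 1)
        R, corrections = reduce_mod((R << k) + a_i * B, Np)
        assert corrections <= 1              # the bound of Section 1, checked on every step
    return R


def pow_mod(base, exp, Np):
    """Left-to-right square-and-multiply built only on mul_mod (arithmetic modulo N')."""
    R = 1
    for bit in bin(exp)[2:]:
        R = mul_mod(R, R, Np)
        if bit == "1":
            R = mul_mod(R, base, Np)
    return R


def rsa_sign(mu, d, N, c=C):
    """Section 3: S = (delta * (mu^d mod N') mod N') / delta, using modulo-N' arithmetic only."""
    delta, Np = normalize(N, c)
    S_star = pow_mod(mu, d, Np)
    return mul_mod(delta, S_star, Np) // delta   # delta*A mod delta*N = delta*(A mod N)


def rsa_sign_blinded(mu, d, N, phi, r1, r2, c, b, t):
    """Section 3 with the DPA countermeasure: S* = (mu + r1 N)^(d + r2 phi(N)) mod N'_{b,t},
    the normalized modulus itself picked through (b, t); then S = (delta S* mod N') / delta."""
    delta, Np = normalize_bt(N, c, b, t)
    base, _ = reduce_mod(mu + r1 * N, Np)    # bring the blinded base below N' first
    S_star = pow_mod(base, d + r2 * phi, Np)
    return mul_mod(delta, S_star, Np) // delta
```

mul_mod checks the at-most-one-correction bound on every step, so any parameter choice that violates the conditions of Section 1 (for instance c ≤ k) fails loudly rather than silently returning a wrong residue; comparing rsa_sign and rsa_sign_blinded against a plain modular exponentiation shows that the diminished-radix modulus yields exactly µ(m)^d mod N, with the blinded exponent d + r_2 φ(N) and a randomly chosen δ_{b,t} included.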

Acknowledgments. I chose to discuss Quisquater's algorithm not only because it is one of the best known methods to evaluate a modular exponentiation but also because it is the first topic I worked on as a graduate student under the supervision of Jean-Jacques. This was in the early nineties when the UCL Crypto Group was formed. Since then, many students benefited from the advice of Jean-Jacques, the scientist of course and, maybe more importantly, the person. Merci Jean-Jacques!

References

1. de Waleffe, D., Quisquater, J.-J.: CORSAIR: A smart card for public key cryptosystems. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 503–512. Springer, Heidelberg (1991)
2. Dhem, J.F.: Design of an efficient public-key cryptographic library for RISC-based smart cards. Ph.D. thesis, Université catholique de Louvain, Louvain-la-Neuve (May 1998)
3. Dhem, J.-F., Joye, M., Quisquater, J.-J.: Normalisation in diminished-radix modulus transformation. Electronics Letters 33(23), 1931 (1997)
4. Ferreira, R., Malzahn, R., Marissen, P., Quisquater, J.J., Wille, T.: FAME: A 3rd generation coprocessor for optimising public-key cryptosystems in smart-card applications. In: Hartel, P.H., et al. (eds.) Proceedings of the 2nd Smart Card Research and Advanced Applications Conference (CARDIS 1996), pp. 59–72 (1996)
5. Joye, M.: Arithmétique algorithmique: Application au crypto-système à clé publique RSA. Master's thesis, Université catholique de Louvain, Louvain-la-Neuve (January 1994)
6. Knuth, D.E.: The Art of Computer Programming, Seminumerical Algorithms, 3rd edn., vol. 2. Addison-Wesley, Reading (1997)
7. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
8. Orton, G., Peppard, L., Tavares, S.: Design of a fast pipelined modular multiplier based on a diminished-radix algorithm. Journal of Cryptology 6(4), 183–208 (1993)
9. Quisquater, J.J.: Fast modular exponentiation without division. In: Quisquater, J.J. (ed.) Rump session of EUROCRYPT 1990, May 21–24, Aarhus, Denmark (1990)
10. Quisquater, J.J.: Procédé de codage selon la méthode dite RSA par un microcontrôleur et dispositifs utilisant ce procédé. Demande de brevet français, No. de dépôt 90 02274 (February 1990)
11. Quisquater, J.J.: Encoding system according to the so-called RSA method, by means of a microcontroller and arrangement implementing this system. U.S. Patent No. 5,166,978 (1991)
12. Quisquater, J.J., de Waleffe, D., Bournas, J.P.: CORSAIR: A chip with fast RSA capability. In: Chaum, D. (ed.) Smart Card 2000, pp. 199–205. Elsevier Science Publishers, Amsterdam (1991)
13. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2), 120–126 (1978)

A Brief Survey of Research Jointly with

Jean-Jacques Quisquater

  Yvo Desmedt

  

University College London, UK

Abstract. This paper surveys research jointly with Jean-Jacques Quisquater,

primarily the joint work on DES, on exhaustive key search machines, and on

information hiding.

  1 Introduction

  The joint work on, DES is surveyed in Section on exhaustive key search machines in Section

  2 Research on DES

  Jean-Jacques Quisquater’s first paper at Crypto, was at Crypto 1983 and co-authored by a total of 10 authors . This 32 page paper contained several ideas.

  A large part of the paper was dedicated to propose alternative representations of DES. The idea of transforming the representation of DES was initiated by Donald Davies when he merged the P and E boxes. This part of the paper has been an inspiration for faster software and hardware implementations of DES (see e.g.,

  Other parts have not received that much attention. For example, parts of the thesis of Jan Hulsbosch, where included in the paper and was used to improve Ingrid Schaumuller- Bichl short representations (using EXOR and AND) for the S-Boxes.

  One of the alternative presentations in the paper is a 48 bit model which led to a very algebraic representation of DES al- gebra played a major role in breaking Enigma, this or any other algebraic representation of DES has had little influence on the breaking of DES.

  Other joint research on DES appeared in particular in

  3 Exhaustive Key Search Machines

  Jean-Jacques Quisquater was interested in exhaustive key search machines and alternatives, as is clear from, for example, . This led to several discussions on how to build an exhaustive key search machine. Jean-Jacques Quisquater considered whether such a machine could be built as a distributed one. A first idea was proposed in 1987. It used the idea of putting DES decryption boxes in radio receivers. It focused on how long the computation would take if countries were to organize such a distributed exhaustive key search machine (see Table 1).

D. Naccache (Ed.): Quisquater Festschrift, LNCS 6805, pp. 8–12, 2012.
© Springer-Verlag Berlin Heidelberg 2012

  Table 1. Average time to break a DES key using 1987 technology

  Country    Population     Estimated number of radio     Average time to
                            and TV sets (= 1/3 of         break one key
                            population)
  China      1 billion      333 million                   9 minutes
  U.S.A.     227 million    76 million                    39 minutes
  Belgium    10 million     3.3 million                   15 hours
  Monaco     27 thousand    9 thousand                    228 days
  Vatican    736            245                           23 years

  The presentation by almost 2 years.

  Encouraged by Steve White (IBM), the journal version was prepared in 1989. We then realized that the distributed machine had the same problems as those identified by NSA and mentioned in 1977 by Diffie and Hellman , i.e., some keys might be overlooked and so never found, the machine's mean time between failures was too short, and it suffered from other problems. The use of a random search instead of a deterministic one solved these problems.
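  The arithmetic behind Table 1, and the deterministic-versus-random search point just made, as an added worked example (this code is not from the paper or its authors). It treats the per-box DES trial rate as the single unknown, infers it from each row of the table, recomputes the table from it, and then runs a toy search on a 12-bit key space in which one box dies, to show why a partitioned search can overlook keys while a random search cannot. The inferred rate of roughly 2 x 10^5 trials per second per set, the toy parameters (12-bit keys, 8 boxes, box 3 dead) and all function names are this example's own assumptions.

```python
"""Distributed DES exhaustive search, 1987-style: rebuild Table 1 and compare
a partitioned (deterministic) search with a random search.

Added illustration for this survey, not code from the paper. Its one free
parameter is the per-box DES trial rate, inferred here from Table 1 itself
(about 2e5 trials/s per radio or TV set; an assumption of this example).
"""
import math
import random

KEYSPACE = 1 << 56                        # 2^56 candidate DES keys
AVG_TRIALS_DETERMINISTIC = KEYSPACE // 2  # 2^55: half the space on average

# Table 1 as printed: (country, boxes, average time in seconds).
# Values copied from the table; 1 day = 86400 s, 1 year = 365.25 days.
TABLE_1 = [
    ("China",   333_000_000, 9 * 60),
    ("U.S.A.",   76_000_000, 39 * 60),
    ("Belgium",   3_300_000, 15 * 3600),
    ("Monaco",        9_000, 228 * 86400),
    ("Vatican",         245, 23 * 365.25 * 86400),
]


def implied_trials_per_second(boxes, avg_seconds):
    """Per-box rate that makes a row of Table 1 consistent with 2^55 trials."""
    return AVG_TRIALS_DETERMINISTIC / (boxes * avg_seconds)


def average_break_seconds(boxes, rate):
    """Expected wall-clock time of a partitioned search over `boxes` machines
    each doing `rate` DES trials per second."""
    return AVG_TRIALS_DETERMINISTIC / (boxes * rate)


def rebuild_table(rate=2.0e5):
    """Recompute the last column of Table 1 from the assumed per-box rate."""
    return {c: average_break_seconds(b, rate) for c, b, _ in TABLE_1}


def deterministic_success_probability(boxes, dead_boxes):
    """Partitioned search: each box owns KEYSPACE/boxes keys. A box that dies
    leaves its slice untested forever, so a key in that slice is 'overlooked'."""
    return 1.0 - dead_boxes / boxes


def random_search_success_probability(trials, keyspace=KEYSPACE):
    """Random search: every trial is an independent uniform key, so no key is
    ever excluded and a dead box only lowers the aggregate rate. Expected
    trials are N (not N/2); P(hit within t) = 1 - (1 - 1/N)^t, computed via
    log1p/expm1 because 1 - 2^-56 rounds to 1.0 as a double."""
    return -math.expm1(trials * math.log1p(-1.0 / keyspace))


def simulate(key_bits, boxes, dead_box, secret, strategy, rng):
    """Toy distributed search in which `dead_box` never reports. Returns the
    trials made by live boxes before the key was hit, or None when the
    deterministic search ran to completion without finding it."""
    n = 1 << key_bits
    slice_size = n // boxes
    trials = 0
    if strategy == "deterministic":
        for b in range(boxes):
            if b == dead_box:
                continue                      # its slice is never examined
            for k in range(b * slice_size, (b + 1) * slice_size):
                trials += 1
                if k == secret:
                    return trials
        return None                           # key sat in the dead slice
    while True:                               # random: draw until someone hits
        for b in range(boxes):
            if b == dead_box:
                continue
            trials += 1
            if rng.randrange(n) == secret:
                return trials


def demo(seed=1):
    """Put the key inside the dead box's slice (12-bit toy space, 8 boxes,
    box 3 dead): the deterministic search misses it, the random one does not.
    Returns (deterministic_trials, random_trials)."""
    rng = random.Random(seed)
    bits, boxes, dead = 12, 8, 3
    secret = dead * ((1 << bits) // boxes) + 17   # inside box 3's slice
    det = simulate(bits, boxes, dead, secret, "deterministic", rng)
    rnd = simulate(bits, boxes, dead, secret, "random", rng)
    return det, rnd


if __name__ == "__main__":
    print("implied per-box rates:",
          [round(implied_trials_per_second(b, s)) for _, b, s in TABLE_1])
    print("recomputed times (hours):",
          {c: round(s / 3600, 2) for c, s in rebuild_table().items()})
    print("P(random search hits within 2^56 trials) =",
          round(random_search_success_probability(KEYSPACE), 4))
    print("toy run (deterministic, random):", demo())
```

  Running the module shows that the five rows of Table 1 all imply the same per-box rate to within about 1.5 percent, which is what makes the table internally consistent, and that the toy deterministic search returns None while the random one always terminates. The price of the random search is an expected 2^56 trials instead of 2^55, about twice the deterministic average.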

  Another interesting aspect of the machine is that it uses obfuscation, i.e., it hides its purpose. Moreover, Jean-Jacques Quisquater suggested several other approaches to building such a distributed machine. These were closer to science fiction and, 20 years later, still cannot be realized! Amazingly, these science-fiction approaches did appear in the paper

4 Information Hiding

  In the early stages of the research on Information Hiding, we co-authored three papers on the topic.

  In the paper on "Cerebral Cryptography" , encryption (embedding) starts from a 2-dimensional picture. Two modified versions are then produced by a computer. To decrypt, the two printed versions are put in a "viewmaster." In such a device, the viewer sees the original picture in 3-D. Parts of it have moved up, others have moved down. The up and down parts form a letter. So, the decryption is done in the brain. No computer is needed to decrypt.

  In the paper on "Audio and Optical Cryptography" , a similar effect is created, but using sound. The plaintext is binary. The receiver perceives the sound as coming from the left (1) or the right (0). So, decryption is again done in the brain. Both shares can be any music, e.g. Beethoven. The optical version uses a Mach-Zehnder interferometer and pictures.


  In the paper on "Nonbinary Audio Cryptography" , to decrypt, one first needs to specially "tune" two powerful rectangular speakers. The rectangular speakers are placed against each other so that they thoroughly touch. The tuning CD consists of two identical copies of the same mono music, but one has a 180 degree phase shift. Slowly the volume of both speakers is increased, adjusting them so that one hears nothing! Eventually, the powerful speakers are at full power and one hears (almost) nothing. Decryption can start. In our demo, one hears a speech by Clinton. The shares of it are hidden in the noise of two mono versions of Beethoven.

  5 Odds and Ends

  There are many other papers that were co-authored by Jean-Jacques Quisquater. The paper on "Public key systems based on the difficulty of tampering" was cited by Boneh and Franklin in their paper on identity based encryption; it was the first identity based encryption scheme.

  The need to make long keys was questioned in the paper , an idea primarily put forward by Jean-Jacques Quisquater and then improved by the co-authors. Although this paper received very few citations (9 according to Google Scholar), the topic was picked up by Ron Rivest, who found another approach to slowing down a cryptanalyst. His paper, on the other hand, got 162 citations.

  Jean-Jacques Quisquater was also interested in finding a solution against man-in-the-middle attacks on identification (entity authentication) protocols. He joined the research that had started earlier and became a co-author of the first solution proposed . Jean-Jacques Quisquater pointed out that the book by Donald Davies and Wyn Price contained the following rather macabre statement:

  In extreme cases cloning of persons can be used. Other extreme methods are to kill the person one wants to impersonate (or to wait till he dies from a natural cause) and to cut off his hands and tear out his eyes such that they can be used if the hand geometry and/or the retinal prints are checked.

  Moreover, it contained the following footnote: The authors acknowledge Adi Shamir for his communication related to cloning and retinal prints.

  However, the referees felt that this part of the text had to be removed. An uncensored version appeared in

  

Acknowledgment. The author thanks Jean-Jacques Quisquater for 30 years of collaboration on research in cryptography. Jean-Jacques convinced the author to use LaTeX for his PhD (1984) and was very helpful with printing it at Philips Research Laboratory. Between the typing and the actual printing, the author had learned to read dvi files on a non-graphical terminal and could see where line breaks and page breaks were occurring. We had lots of fun doing research, presenting papers jointly, etc. More details of our collaboration can be found in .

  References

  

1. Bengio, S., Brassard, G., Desmedt, Y., Goutier, C., Quisquater, J.-J.: Aspects and importance of secure implementations of identification systems. Manuscript M209, Philips Research Laboratory (1987); appeared partially in Journal of Cryptology

2. Bengio, S., Brassard, G., Desmedt, Y.G., Goutier, C., Quisquater, J.-J.: Secure implementations of identification systems. Journal of Cryptology 4, 175–183 (1991)

3. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology 4, 3–72 (1991)

4. Boneh, D., Franklin, M.: Identity-Based Encryption from the Weil Pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)

5. Davies, D.W.: Some regular properties of the Data Encryption Standard algorithm. NPL note 1981, presented at Crypto 1981 (1981)