Author

Pouyan Sepehrdad

Bio: Pouyan Sepehrdad is an academic researcher from École Polytechnique Fédérale de Lausanne. The author has contributed to research in topics: Block cipher & RC4. The author has an h-index of 12, has co-authored 18 publications receiving 586 citations. Previous affiliations of Pouyan Sepehrdad include Qualcomm & Technische Universität Darmstadt.

Papers
Book ChapterDOI
23 Nov 2009
TL;DR: The first linear hulls are computed in practice for the original PRESENT cipher, which corroborated and even improved on the predicted bias (and the corresponding attack complexities) of conventional linear relations based on a single linear trail.
Abstract: The contributions of this paper include the first linear hull and a revisit of the algebraic cryptanalysis of reduced-round variants of the block cipher PRESENT, under known-plaintext and ciphertext-only settings. We introduce a pure algebraic cryptanalysis of 5-round PRESENT and in one of our attacks we recover half of the bits of the key in less than three minutes using an ordinary desktop PC. The PRESENT block cipher is a design by Bogdanov et al., announced in CHES 2007 and aimed at RFID tags and sensor networks. For our linear attacks, we can attack 25-round PRESENT with the whole code book, 2^96.68 25-round PRESENT encryptions, 2^40 blocks of memory and 0.61 success rate. Further we can extend the linear attack to 26-round with small success rate. As a further contribution of this paper we computed linear hulls in practice for the original PRESENT cipher, which corroborated and even improved on the predicted bias (and the corresponding attack complexities) of conventional linear relations based on a single linear trail.

84 citations

Book ChapterDOI
19 Mar 2012
TL;DR: This paper proposes a new class of diffusion layers constructed from several rounds of Feistel-like structures whose round functions are linear, and investigates the requirements of the underlying linear functions to achieve the maximal branch number for the proposed 4×4 words diffusion layer.
Abstract: Many modern block ciphers use maximum distance separable (MDS) matrices as the main part of their diffusion layers. In this paper, we propose a new class of diffusion layers constructed from several rounds of Feistel-like structures whose round functions are linear. We investigate the requirements of the underlying linear functions to achieve the maximal branch number for the proposed 4×4 words diffusion layer. The proposed diffusion layers only require word-level XORs, rotations, and they have simple inverses. They can be replaced in the diffusion layer of the block ciphers MMB and Hierocrypt to increase their security and performance, respectively. Finally, we try to extend our results for up to 8×8 words diffusion layers.

76 citations

Book ChapterDOI
12 Aug 2010
TL;DR: A technique to automatically reveal linear correlations in the PRGA of RC4 is presented and 9 new exploitable correlations have been revealed, which lead to a key recovery attack on WEP with only 9800 encrypted packets (less than 20 seconds), instead of 24200 for the best previous attack.
Abstract: In this paper, we present several weaknesses in the stream cipher RC4. First, we present a technique to automatically reveal linear correlations in the PRGA of RC4. With this method, 48 new exploitable correlations have been discovered. Then we bind these new biases in the PRGA with known KSA weaknesses to provide practical key recovery attacks. Henceforth, we apply a similar technique on RC4 as a black box, i.e. the secret key words as input and the keystream words as output. Our objective is to exhaustively find linear correlations between these elements. Thanks to this technique, 9 new exploitable correlations have been revealed. Finally, we exploit these weaknesses on RC4 to some practical examples, such as the WEP protocol. We show that these correlations lead to a key recovery attack on WEP with only 9800 encrypted packets (less than 20 seconds), instead of 24200 for the best previous attack.

72 citations

Book ChapterDOI
17 Aug 2010
TL;DR: The security of a general-purpose cryptographic function design, with application in RFID tags and sensor networks, is described and analyzed, and minimum parameter values for the main components of this cryptographic function, called ARMADILLO, are suggested.
Abstract: This paper describes and analyzes the security of a general-purpose cryptographic function design, with application in RFID tags and sensor networks. Based on these analyses, we suggest minimum parameter values for the main components of this cryptographic function, called ARMADILLO. With fully serial architecture we obtain that 2923 GE could perform one compression function computation within 176 clock cycles, consuming 44 µW at 1MHz clock frequency. This could either authenticate a peer or hash 48 bits, or encrypt 128 bits on RFID tags. A better tradeoff would use 4030 GE, 77 µW of power and 44 cycles for the same, to hash (resp. encrypt) at a rate of 1.1 Mbps (resp. 2.9 Mbps). As other tradeoffs are proposed, we show that ARMADILLO offers competitive performance for hashing relative to a fair Figure Of Merit (FOM).

68 citations

Book ChapterDOI
12 Dec 2010
TL;DR: This paper presents the first results on AIDA/cube, algebraic and side-channel attacks on a variable number of rounds of all members of the KATAN family of block ciphers, and shows how to reduce the attack complexity by combining the cube attack with the algebraic attack to recover the full 80-bit key.
Abstract: This paper presents the first results on AIDA/cube, algebraic and side-channel attacks on a variable number of rounds of all members of the KATAN family of block ciphers. Our cube attacks reach 60, 40 and 30 rounds of KATAN32, KATAN48 and KATAN64, respectively. In our algebraic attacks, we use SAT solvers as a tool to solve the quadratic equations representation of all KATAN ciphers. We introduced a novel pre-processing stage on the equations system before feeding it to the SAT solver. This way, we could break 79, 64 and 60 rounds of KATAN32, KATAN48, KATAN64, respectively. We show how to perform side channel attacks on the full 254-round KATAN32 with one-bit information leakage from the internal state by cube attacks. Finally, we show how to reduce the attack complexity by combining the cube attack with the algebraic attack to recover the full 80-bit key. Further contributions include new phenomena observed in cube, algebraic and side-channel attacks on the KATAN ciphers. For the cube attacks, we observed that the same maxterms suggested more than one cube equation, thus reducing the overall data and time complexities. For the algebraic attacks, a novel pre-processing step led to a speed up of the SAT solver program. For the side-channel attacks, 29 linearly independent cube equations were recovered after 40-round KATAN32. Finally, in the combined algebraic and cube attack, a leakage of key bits after 71 rounds led to a speed up of the algebraic attack.

67 citations


Cited by
Book ChapterDOI
28 Sep 2011
TL;DR: This work considers the resistance of ciphers, and LED in particular, to related-key attacks, and is able to derive simple yet interesting AES-like security proofs for LED regarding related- or single-key attacks.
Abstract: We present a new block cipher LED. While dedicated to compact hardware implementation, and offering the smallest silicon footprint among comparable block ciphers, the cipher has been designed to simultaneously tackle three additional goals. First, we explore the role of an ultra-light (in fact non-existent) key schedule. Second, we consider the resistance of ciphers, and LED in particular, to related-key attacks: we are able to derive simple yet interesting AES-like security proofs for LED regarding related- or single-key attacks. And third, while we provide a block cipher that is very compact in hardware, we aim to maintain a reasonable performance profile for software implementation.

848 citations

Proceedings ArticleDOI
07 Jun 2015
TL;DR: Simplicity, security, and flexibility are ever-present yet conflicting goals in cryptographic design and these goals were balanced in the design of Simon and Speck.
Abstract: The Simon and Speck families of block ciphers were designed specifically to offer security on constrained devices, where simplicity of design is crucial. However, the intended use cases are diverse and demand flexibility in implementation. Simplicity, security, and flexibility are ever-present yet conflicting goals in cryptographic design. This paper outlines how these goals were balanced in the design of Simon and Speck.

504 citations

Book ChapterDOI
28 Sep 2011
TL;DR: Piccolo is one of the competitive ultra-lightweight blockciphers which is suitable for extremely constrained environments such as RFID tags and sensor nodes and its efficiency on the energy consumption which is evaluated by energy per bit is also remarkable.
Abstract: We propose a new 64-bit blockcipher Piccolo supporting 80 and 128-bit keys. Adopting several novel design and implementation techniques, Piccolo achieves both high security and notably compact implementation in hardware. We show that Piccolo offers a sufficient security level against known analyses including recent related-key differential attacks and meet-in-the-middle attacks. In our smallest implementation, the hardware requirements for the 80 and the 128-bit key mode are only 683 and 758 gate equivalents, respectively. Moreover, Piccolo requires only 60 additional gate equivalents to support the decryption function due to its involution structure. Furthermore, its efficiency on the energy consumption which is evaluated by energy per bit is also remarkable. Thus, Piccolo is one of the competitive ultra-lightweight blockciphers which are suitable for extremely constrained environments such as RFID tags and sensor nodes.

457 citations

Journal ArticleDOI
TL;DR: According to the novel taxonomy of IoT framework, different research challenges will be highlighted, important solutions and research activities will be exposed, and interesting research directions will be proposed to ensure security of IoT components and applications.

354 citations

Posted Content
TL;DR: The U.S. National Security Agency developed the Simon and Speck families of lightweight block ciphers as an aid for securing applications in very constrained environments where AES may not be suitable.
Abstract: The U.S. National Security Agency (NSA) developed the Simon and Speck families of lightweight block ciphers as an aid for securing applications in very constrained environments where AES may not be suitable. This paper summarizes the algorithms, their design rationale, along with current cryptanalysis and implementation results.

259 citations