
Aline GougetGemalto · R&D
Publications (36)
The invention relates to a method for generating a session key between two communicating electronic devices that requires no prerecorded information in one of the two devices and enables the authentication of one of said devices. The method relies on a close collaboration between a symmetric algorithm and an asymmetric algorithm.
The present invention is a method to ensure a secure exchange of encrypted digital data between two entities, where decryption depends on the approval of a third entity. The solution combines an Identity Based Encryption scheme with the use of a transcription trap.
Internet services such as online banking, social networking and other web services require identification and authentication means. The European Citizen card can be used to provide a privacy-preserving authentication for Internet services enabling e.g. an anonymous age verification or other forms of anonymous attribute verification. The Modular Enh...
We study the problem of searching on encrypted data, where the search is performed using a plaintext message or a keyword, rather than a message-specific trapdoor as done by state-of-the-art schemes. The use cases include delegation of keyword search, e.g. to a cloud data storage provider or to an email server, using a plaintext message. We define...
We describe and analyze the password-based key establishment protocol PACE v2 Integrated Mapping (IM), an evolution of PACE v1 jointly proposed by Gemalto and Sagem Sécurité. PACE v2 IM enjoys the following properties: patent-freeness (to the best of current knowledge in the field); full resistance to dictionary attacks, secrecy and forward secrecy...
Electronic cash (e-cash) refers to money exchanged electronically. The main features of traditional cash are usually considered desirable also in the context of e-cash. One such property is off-line transferability, meaning the recipient of a coin in a transaction can transfer it in a later payment transaction to a third person without contacting a...
Decim-128 is an example of adapting the eSTREAM candidate Decim v2 to 128-bit security, whose aim is to show that the Decim v2 design can easily be adapted to different security parameters. This erratum is submitted in order to correct an error in the tap sequence of the filtering function in the Decim-128 specifications. 1 Erratum to the Decim-128...
SPAKE is a cryptographic protocol that provides lightweight transactions in contact-less applications. In this protocol a verifier (a reader or terminal) authenticates a prover (a contact-less card) relative to a certification authority. Additionally, the prover and the verifier must establish a session key for secure messaging. Contrarily to previ...
We present a new construction of divisible e-cash that makes use of 1) a new method for generating the binary tree of keys; 2) a new way of using bounded accumulators. The transaction data sent to the merchant has a constant number of bits while spending a monetary value 2^ℓ. Moreover, the spending protocol does not require complex zero-knowledge pro...
We present the first fair e-cash system with a compact wallet that enables users to efficiently spend k coins while only sending the merchant O(l log(k)) bits, where l is a security parameter. The best previously known schemes require transmitting data of size at least linear in the number of spent coins. This result is achieved thanks to a new w...
GRAIN-v1 is a stream cipher that has been selected in the final portfolio of the eSTREAM project. GRAIN-128 is a variant of GRAIN-v1. The best known mathematical attack against GRAIN-128 is the brute force key-search. This paper introduces a fault attack on GRAIN-128 based on a realistic fault model and explores possible improvements of the attack....
Shabal is based on a new provably secure mode of operation. Some related-key distinguishers for the underlying keyed permutation have been exhibited recently by Aumasson et al. and Knudsen et al., but with no visible impact on the security of Shabal. This paper then aims at extensively studying such distinguishers for the keyed permutation used in...
Sosemanuk is a new synchronous software-oriented stream cipher, corresponding to Profile 1 of the ECRYPT call for stream cipher primitives. Its key length is variable between 128 and 256 bits. It accommodates a 128-bit initial value. Any key length is claimed to achieve 128-bit security. The Sosemanuk cipher uses both some basic design principles...
This paper reports a thorough standard-model investigation on how attacks on hash functions impact the security of hash-and-sign signature schemes. We identify two important properties that appear to be crucial in analyzing the nature of security relations between signature schemes and their inner hash functions: primitiveness and injectivity....
In this paper, we present Decimv2, a hardware-oriented stream cipher selected for phase 3 of the ECRYPT stream cipher project eSTREAM. As required by the initial call for hardware-oriented stream cipher contributions, Decimv2 manages 80-bit secret keys and 64-bit public initialization vectors. The design of Decimv2 combines two filtering mechan...
Regular cash systems provide both the anonymity of users and the transferability of coins. In this paper, we study the anonymity properties of transferable e-cash. We define two natural additional levels of anonymity directly related to transferability and not reached by existing schemes, which we call full anonymity (FA) and perfect anonymity (PA)....
The practical advantage expected from transferable e-cash compared to non-transferable e-cash is the significant reduction of the number of interactions between the bank and the users. However, this property is not fulfilled by the anonymous transferable e-cash schemes of the state of the art. In this paper, we first present a transferable e-cash scheme with a red...
Recent articles [6, 3, 5, 7] introduce the concept of phase shifting equivalent keys in stream ciphers, and exploit this concept in order to mount attacks on some specific ciphers. The idea behind phase shifting equivalent keys is that, for many ciphers, each internal state can be considered as the result of an injection of a key and initializati...
Correlation-immunity is a cryptographic criterion on Boolean functions arising from correlation attacks on combining functions. When it comes to filtering functions, the status of correlation-immunity lacks study in itself and, if it is commonly accepted as a requirement for nonlinear filter generators, this is for other concerns. We revisit the...
This paper presents an off-line divisible e-cash scheme where a user can withdraw a divisible coin of monetary value 2^L that he can parcel and spend anonymously and unlinkably. We present the construction of a security tag that allows to protect the anonymity of honest users and to revoke anonymity only in case of cheating, for protocols based on a b...
After years of almost full confidence in the security of common hash functions such as MD5 and SHA-1, the cryptographic community is now facing the unprecedented threat of seeing practical security applications succumb to concrete attacks. A way to cope with this crisis is to accelerate the development of new hash functions, but another crucial task is...
Distributed Denial of Service (DDoS) attacks are a major network security threat. Most recent host-based DDoS detection mechanisms are dedicated to a particular set of attacks, focusing either on the recent dynamic of the traffic, or on its long range dependence. We propose a DDoS early detection component based on anomaly detection which combines...
A coupon is electronic data that represents the right to access a service provided by a service provider (e.g. gift certificates or movie tickets). Recently, a privacy-protecting multi-coupon system that allows a user to withdraw a predefined number of single coupons from the service provider has been proposed by Chen et al. at Financial Crypto...
Sequence compression is one of the most promising tools for strengthening pseudo-random generators used in stream ciphers. Indeed, adding compression components can thwart algebraic attacks aimed at LFSR-based stream ciphers. Among such components are the Shrinking Generator and the Self-Shrinking Generator, as well as recent variations on Bit-...
In public key schemes based on multivariate cryptography, the public key is a finite set of m (generally quadratic) polynomial equations and the private key is a trapdoor allowing the owner of the private key to invert the public key. In existing schemes, a signature or an answer to an authentication is valid if all the m equations of the public ke...
Decim is a hardware-oriented stream cipher with an 80-bit key and a 64-bit IV which was submitted to the ECRYPT stream cipher project. The design of Decim is based on both a nonlinearly filtered LFSR and an irregular decimation mechanism called the ABSG. As a consequence, Decim is of low hardware complexity. Recently, Hongjun Wu and Bart Preneel pointed out...
Algebraic attacks on stream ciphers apply (at least theoretically) to all LFSR-based stream ciphers that are clocked in a simple and/or easily predictable way. One interesting approach to help resist such attacks is to add a component that de-synchronizes the output bits of the cipher from the clock of the LFSR. The Bit-search generator, recently p...
The propagation criterion is one of the main cryptographic criteria on Boolean functions used in block ciphers. Quadratic Boolean functions satisfying the propagation criterion of high degree were given by Preneel et al., but their algebraic degree is too small for a cryptographic use. Then designing Boolean functions of high algebraic degree and hi...
We present the construction of a pseudorandom generator, that we call the Bit-Search Generator (BSG), based on a single input sequence. The construction is related to the so-called Self-Shrinking Generator which is known for its simplicity (conception and implementation-wise) linked with some interesting properties. After presenting the general run...
The enumeration of m-resilient Boolean functions in n variables would be quite useful information for cryptography. But it seems to be an intractable open problem. Upper and lower bounds have appeared in the literature in the mid 80's. Since then, improving them has been the goal of several papers. In this paper, we give a new upper bound whi...
Electronic cash (or e-cash) is an electronic payment solution that is usually viewed as an attempt to emulate electronically the main characteristics of regular cash. In particular, e-cash and other payment solutions should protect the privacy of users during a purchase. The main distinction of e-cash with respect to other electronic payment system...
We analyze the relevant candidates in phase 3 of the eSTREAM project with respect to side channel analysis in a theoretical approach.
Decim is a hardware-oriented stream cipher submitted to the ECRYPT stream cipher project. The design of Decim is based on both a nonlinearly filtered LFSR and an irregular decimation mechanism called the ABSG. While the initial call for contributions required hardware-oriented stream ciphers to manage 80-bit secret keys and 64-bit public initializ...
Decim is a new stream cipher designed for hardware applications with restricted resources. The design of the cipher is based on both a nonlinear filter LFSR and an irregular decimation mechanism recently introduced and called the ABSG. Apart from the security aspects, the design goal is to produce a stream cipher with a compact hardware implementat...
Shabal is a cryptographic hash function submitted by the French-funded research project Saphir to NIST's international competition on hash functions. More specifically, the research partners of Saphir (with the notable exception of LIENS) initiated the conception of Shabal and were later joined by partners of the soon-to-be research projectS...