Gaël Thomas’s research while affiliated with Orange Labs and other places


Publications (10)


Blind Side Channel Analysis Against AEAD with a Belief Propagation Approach
  • Conference Paper
  • February 2024 · Lecture Notes in Computer Science · 1 citation
  • Modou Sarry · Hélène Le Bouder · Eïd Maaloouf · Gaël Thomas

This paper presents two new attacks on two lightweight authenticated encryption with associated data (AEAD) schemes, Sparkle and Elephant. Both attacks are blind side channel analyses (BSCA): the leakage is modelled as a Hamming weight (HW) with Gaussian noise, and in both attacks a belief propagation (BP) algorithm is used to link the different leaks. A further objective is to present BSCA as a new tool for evaluating the robustness of the subfunctions of a symmetric cryptographic primitive.


Blind Side Channel Analysis on the Elephant LFSR Extended Version
  • Chapter
  • Full-text available
  • September 2023 · Communications in Computer and Information Science · 1 citation
  • Julien Maillard · [...] · Modou Sarry · [...] · Gaël Thomas
  • Figures: Fig. 5, example of the tree representation of the LFSR initial state for the Hamming weights given on the left (only the first three layers of the subtree rooted at x'0 = 03 are shown); Fig. 6, gathering information for the Dumbo LFSR; Fig. 10, example output of the sliding-window E estimation algorithm; Fig. 11, estimator E versus actual computation time for finished runs (blue) and unfinished runs (red), quartiles shown as dashed lines.

The National Institute of Standards and Technology (NIST) started a competition for lightweight cryptography candidates for authenticated encryption; Elephant is one of the ten finalists. Many physical attacks exist on traditional cryptographic algorithms, and new standards are new targets for this field. In this paper, an improvement of the first theoretical blind side channel attack against the authenticated encryption algorithm Elephant is presented. More precisely, we target the LFSR-based counter used internally. LFSRs are classic functions in symmetric cryptography; in the case of Elephant, retrieving the initial state of the LFSR is equivalent to recovering the encryption key. This paper extends a previous version by optimising the earlier theoretical attack. In the previous version, the attack succeeded in less than two days in only half of the cases; with the optimisation presented here, it succeeds in three quarters of the cases.
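The tree search the abstract and the figure captions describe, as an added example that is not the authors' code and does not implement Elephant's Dumbo LFSR: a 4-byte toy LFSR with a hypothetical GF(2)-linear feedback function stands in for the real one, the attacker sees only the Hamming weight of every state byte (no plaintext, no ciphertext), and a depth-first walk assigns the initial-state bytes layer by layer, pruning a subtree as soon as a computable output byte contradicts its leak. The initial state and the number of leaking clocks are constructed; `tol` widens the acceptance window for noisy weight estimates.

```python
N = 4          # toy state size in bytes (assumption; Dumbo's LFSR is larger)
CLOCKS = 16    # number of LFSR outputs whose Hamming weight leaks (assumption)
INIT = [0x03, 0x11, 0x81, 0x24]   # constructed secret initial state


def hw(b):
    return bin(b).count("1")


def rotl8(b, r):
    return ((b << r) | (b >> (8 - r))) & 0xFF


def feedback(a, b):
    """Hypothetical GF(2)-linear feedback on the two oldest bytes of the window (not Elephant's)."""
    return rotl8(a, 3) ^ b ^ (a >> 1)


def clock(init, clocks):
    """Byte sequence s: s[0..N-1] is the initial state, s[N+t] = feedback(s[t], s[t+1])."""
    s = list(init)
    for t in range(clocks):
        s.append(feedback(s[t], s[t + 1]))
    return s


def simulate_leaks(init, clocks=CLOCKS):
    """What a blind attacker observes: the Hamming weight of every state byte and nothing else."""
    return [hw(b) for b in clock(init, clocks)]


def _consistent(prefix, leaks, n, tol):
    """Clock the LFSR as far as the partially chosen state allows; False on the first HW mismatch."""
    clocks = len(leaks) - n
    seq = dict(enumerate(prefix))          # index -> byte, for chosen bytes and computed outputs
    for t in range(clocks):
        if t not in seq or t + 1 not in seq:
            break                          # output t needs a byte not chosen yet
        out = feedback(seq[t], seq[t + 1])
        if abs(hw(out) - leaks[n + t]) > tol:
            return False
        seq[n + t] = out
    return True


def recover_initial_states(leaks, n=N, tol=0):
    """Depth-first walk of the candidate tree: layer i chooses byte i among the values whose
    Hamming weight matches leak i; a branch is abandoned as soon as any computable output
    contradicts its leak. Returns every initial state consistent with the whole trace."""
    found = []

    def dfs(prefix):
        if not _consistent(prefix, leaks, n, tol):
            return
        if len(prefix) == n:
            found.append(tuple(prefix))
            return
        for v in range(256):
            if abs(hw(v) - leaks[len(prefix)]) <= tol:
                dfs(prefix + [v])

    dfs([])
    return found


if __name__ == "__main__":
    print(recover_initial_states(simulate_leaks(INIT)))
```

With exact weights the pruning at each layer keeps the walk far below the 28^4 states that match the four initial-byte weights alone; raising `tol` to 1 models a measurement that is off by one and roughly triples the work per layer.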


Hardware-Assisted Program Execution Integrity: HAPEI
  • 23rd Nordic Conference, NordSec 2018, Oslo, Norway, November 28-30, 2018, Proceedings
  • November 2018 · Lecture Notes in Computer Science · 3 citations

Even if a piece of software is proven sound and secure, an attacker can still introduce vulnerabilities with fault attacks. In this paper, we propose HAPEI, an Instruction Set Randomization scheme that guarantees Program Execution Integrity even in the presence of hardware fault injection. In particular, we propose a new solution to the multi-predecessor problem. The scheme is then implemented as a hardened CHIP-8 virtual machine able to ensure program execution integrity, in order to prove its viability and to explore the limits of HAPEI.
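A toy of the chained instruction-set-randomization idea behind the abstract, as an added example that is neither HAPEI's construction nor its CHIP-8 VM: each 16-bit word of a constructed straight-line program is XORed with a key derived from the key and the instruction decoded before it (a hypothetical mixing function), so a fault that skips one instruction leaves every later word decoding under a stale key, while the unprotected variant executes the same skip silently. Control flow, where the multi-predecessor problem the abstract mentions arises, is deliberately absent from the toy ISA.

```python
MASK16 = 0xFFFF
OPS = {0x1: "LOADI", 0x2: "ADDI", 0x3: "XORI", 0xF: "HALT"}   # toy ISA: op(4) | reg(4) | imm(8)
PROGRAM = [(0x1, 0, 5), (0x1, 1, 3), (0x2, 0, 10), (0x3, 1, 0xFF), (0xF, 0, 0)]   # constructed
K0 = 0xBEEF                                                    # constructed per-program secret


class IntegrityError(Exception):
    """Raised when the decoded instruction stream is not the one that was assembled."""


def rotl16(v, r):
    return ((v << r) | (v >> (16 - r))) & MASK16


def next_key(key, ins):
    """Chained key: the key for word i+1 depends on the key and the instruction decoded at i
    (hypothetical mixing function, not HAPEI's)."""
    return rotl16(key, 5) ^ ins ^ 0x9E37


def assemble(program, k0, chained=True):
    """Encrypt every instruction under its chained key. Returns (code, key expected at HALT)."""
    key, code = k0, []
    for op, reg, imm in program:
        ins = (op << 12) | (reg << 8) | (imm & 0xFF)
        code.append(ins ^ key)
        if chained:
            key = next_key(key, ins)
    return code, key


def run(code, k0, final_key, skip=None, chained=True):
    """Decode-and-execute loop. skip=i models an instruction-skip fault: word i is fetched but
    neither executed nor fed into the key chain, so later words decode under a stale key."""
    regs, key, pc = [0] * 4, k0, 0
    while pc < len(code):
        if pc == skip:
            pc += 1
            continue
        ins = code[pc] ^ key
        op, reg, imm = ins >> 12, (ins >> 8) & 0xF, ins & 0xFF
        if op not in OPS or reg > 3:
            raise IntegrityError(f"undecodable word at {pc}: {ins:04x}")
        if op == 0x1:
            regs[reg] = imm
        elif op == 0x2:
            regs[reg] = (regs[reg] + imm) & 0xFF
        elif op == 0x3:
            regs[reg] ^= imm
        if chained:
            key = next_key(key, ins)
        if op == 0xF:
            if chained and key != final_key:
                raise IntegrityError("key chain mismatch at HALT")
            return regs
        pc += 1
    raise IntegrityError("ran off the end of the program")


if __name__ == "__main__":
    code, fk = assemble(PROGRAM, K0)
    print(run(code, K0, fk))
```

Two checks catch a desynchronised decode: a word that no longer parses as an instruction, and the chained key at HALT differing from the one the assembler computed. The second is what makes a skip of the very last instruction before HALT detectable even when the garbage happens to parse.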


An Evaluation Tool for Physical Attacks
  • September 2018 · Lecture Notes in Computer Science · 1 citation

The security of devices, for example those used in the Internet of Things (IoT), can be considered in two contexts. On the one hand, the cryptographic algorithms they run can be proven secure mathematically; on the other hand, physical attacks can weaken the implementation. In this work, we want to compare such attacks with one another. A tool to evaluate and compare different physical attacks, by separating the theoretical attack path from the experimental parts of the attack, is presented.




A Multi-round Side Channel Attack on AES Using Belief Propagation
  • December 2017 · Lecture Notes in Computer Science · 8 citations

This paper presents a new side channel attack to recover a block cipher key. No plaintext and no ciphertext are required, and no templates are built: only the leakage measurements collected in many different rounds of the algorithm are exploited. The leakage is modelled as a Hamming weight with Gaussian noise. The chosen target is the Advanced Encryption Standard (AES). Bayesian inference is used to score all guesses on several consecutive round-key bytes; from these scores, a Belief Propagation algorithm based on the relations of the KeyExpansion is used to discriminate the unique correct guess. Theoretical results for various noise models are obtained with simulations.
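The leakage model and the belief propagation step shared by this abstract and the AEAD paper above, as an added example taken from neither paper: a 16-bit toy key schedule with 4-nibble round keys and PRESENT's 4-bit S-box stands in for AES KeyExpansion, every round-key nibble leaks a noisy Hamming weight and nothing else, Bayesian scoring turns each leak into a prior over 16 guesses, and sum-product belief propagation over the schedule relations links the leaks of consecutive rounds. An exhaustive search over all keys gives the exact answer that loopy BP approximates. Key, seed and noise level are constructed.

```python
import math
import random

# PRESENT's S-box stands in for the AES S-box; 4-nibble round keys stand in for 16-byte ones.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
HW = [bin(v).count("1") for v in range(16)]
ROUNDS = 4                   # round keys R_0 .. R_ROUNDS all leak (assumption)
SIGMA = 0.2                  # std-dev of the Gaussian noise on each Hamming weight (assumption)
KEY = (0x3, 0xA, 0x7, 0xC)   # constructed secret


def expand(key):
    """Toy AES-like schedule: R'[0] = R[0] ^ S[R[3]] ^ rcon, R'[j] = R[j] ^ R'[j-1]."""
    rks = [list(key)]
    for rcon in range(1, ROUNDS + 1):
        prev, nxt = rks[-1], [0] * 4
        nxt[0] = prev[0] ^ SBOX[prev[3]] ^ rcon
        for j in range(1, 4):
            nxt[j] = prev[j] ^ nxt[j - 1]
        rks.append(nxt)
    return rks


def leak(key, rng):
    """Blind trace: noisy Hamming weight of every round-key nibble; no plaintext, no ciphertext."""
    return [[HW[v] + rng.gauss(0, SIGMA) for v in rk] for rk in expand(key)]


def likelihoods(obs):
    """Bayesian score of the 16 guesses for one nibble given its noisy Hamming weight."""
    l = [math.exp(-((obs - HW[v]) ** 2) / (2 * SIGMA ** 2)) for v in range(16)]
    s = sum(l)
    return [x / s for x in l]


def belief_propagation(trace, iters=20):
    """Sum-product BP: one variable per leaked nibble, one factor per schedule relation z = f(x, y).
    Returns the marginal belief (16 scores) of every nibble."""
    prior = {(r, j): likelihoods(trace[r][j]) for r in range(len(trace)) for j in range(4)}
    factors = []                                   # (x, y, z, f) enforcing z == f(x, y)
    for r in range(len(trace) - 1):
        factors.append(((r, 0), (r, 3), (r + 1, 0), lambda x, y, c=r + 1: x ^ SBOX[y] ^ c))
        for j in range(1, 4):
            factors.append(((r, j), (r + 1, j - 1), (r + 1, j), lambda x, y: x ^ y))
    msg = {(i, v): [1.0] * 16 for i, fac in enumerate(factors) for v in fac[:3]}

    def incoming(v, skip):
        """Variable-to-factor message: prior times every other factor's message to v."""
        m = list(prior[v])
        for k, fac in enumerate(factors):
            if k != skip and v in fac[:3]:
                m = [a * b for a, b in zip(m, msg[(k, v)])]
        return m

    for _ in range(iters):
        for i, (vx, vy, vz, f) in enumerate(factors):
            mx, my, mz = incoming(vx, i), incoming(vy, i), incoming(vz, i)
            nx, ny, nz = [0.0] * 16, [0.0] * 16, [0.0] * 16
            for x in range(16):                    # marginalise the factor over its other two variables
                for y in range(16):
                    z = f(x, y)
                    nx[x] += my[y] * mz[z]
                    ny[y] += mx[x] * mz[z]
                    nz[z] += mx[x] * my[y]
            for v, m in ((vx, nx), (vy, ny), (vz, nz)):
                s = sum(m) or 1.0
                msg[(i, v)] = [a / s for a in m]
    return {v: incoming(v, None) for v in prior}


def recover_key(trace, iters=20):
    """Most likely value of every round-0 nibble under the BP beliefs."""
    belief = belief_propagation(trace, iters)
    return tuple(max(range(16), key=lambda v: belief[(0, j)][v]) for j in range(4))


def brute_force(trace):
    """Exact maximum-likelihood search over all 2^16 keys: the ground truth BP approximates."""
    best, best_err = None, math.inf
    for k in range(1 << 16):
        key = ((k >> 12) & 0xF, (k >> 8) & 0xF, (k >> 4) & 0xF, k & 0xF)
        err = sum((obs - HW[v]) ** 2 for rk, row in zip(expand(key), trace) for v, obs in zip(rk, row))
        if err < best_err:
            best, best_err = key, err
    return best


if __name__ == "__main__":
    trace = leak(KEY, random.Random(2024))
    print(recover_key(trace), brute_force(trace))
```

A single nibble's weight never identifies it (weight 2 leaves six candidates); what pins the key is the S-box relation between rounds and the few high- or low-weight nibbles further down the schedule, whose evidence BP pushes back to round 0. The brute-force function is there to check BP's answer on this toy; at AES size only the BP side scales.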


On Fault Injections in Generalized Feistel Networks
  • December 2014 · 6 citations

In this paper, we propose a generic method to assess the vulnerability of generalized Feistel networks (GFN) to Differential Fault Analysis. The method is based on an in-depth analysis of GFN properties. First, the diffusion of faults is studied, both at the block level and at the S-box level, in order to find a fault that maximizes the number of S-boxes it impacts. Then the number of faults in an S-box required to find the key is evaluated. Combining these results gives a precise assessment of the vulnerability of a GFN to fault attacks. The method is then applied to several examples of Feistel ciphers.
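A fault-diffusion and faults-per-S-box evaluation in the spirit of this abstract, as an added example that is neither the authors' method nor their numbers: a type-2 GFN with a hypothetical round function (S-box layer followed by either a fully diffusing or a cell-wise linear layer) is tracked with a truncated-differential "active cell" model to count the S-boxes a single-cell fault reaches, and a Monte-Carlo run on PRESENT's S-box estimates how many faults on one S-box single out its key nibble. Branch count, cell width, round count and seed are constructed.

```python
import random

# PRESENT's 4-bit S-box stands in for the S-box of the GFN round function (assumption).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def fault_diffusion(k, w, rounds, fault_round, branch, cell, mds=True):
    """Block-level diffusion of one faulty cell through a type-2 GFN with k branches of w cells.
    Round: x[i+1] ^= F(x[i]) for even i, then rotate the branches left by one. F is an S-box layer
    followed by a linear layer: mds=True makes every output cell depend on every input cell,
    mds=False keeps the layer cell-wise. A cell is 'active' when it may differ from the fault-free
    run; cancellations are ignored, so the counts are upper bounds. Returns the number of S-box
    evaluations fed an active cell in total and in the last round (those a DFA reads off the
    ciphertext difference)."""
    active = [[False] * w for _ in range(k)]
    active[branch][cell] = True
    total = last = 0
    for _ in range(fault_round, rounds):
        last = sum(sum(active[i]) for i in range(0, k, 2))   # active S-box inputs this round
        total += last
        nxt = [row[:] for row in active]
        for i in range(0, k, 2):
            out = [any(active[i])] * w if mds else active[i][:]
            nxt[i + 1] = [a or b for a, b in zip(active[i + 1], out)]
        active = nxt[1:] + nxt[:1]
    return {"total": total, "last_round": last}


def best_injection(k, w, rounds, fault_round, mds=True):
    """Injection point (branch, cell, count) at the given round activating the most last-round S-boxes."""
    best = None
    for b in range(k):
        for c in range(w):
            n = fault_diffusion(k, w, rounds, fault_round, b, c, mds)["last_round"]
            if best is None or n > best[2]:
                best = (b, c, n)
    return best


def faults_to_recover(sbox, rng, trials=300):
    """S-box level: average number of faults until the key nibble entering one S-box is unique.
    The attacker knows the S-box input x (from the ciphertext), the input difference din the fault
    caused and the output difference dout it observes; a guess c survives iff
    S[x^c] ^ S[x^c^din] == dout. One fault can never separate c from c ^ din, so at least two are needed."""
    n = len(sbox)
    total = 0
    for _ in range(trials):
        key = rng.randrange(n)
        cands = set(range(n))
        while len(cands) > 1:
            x, din = rng.randrange(n), rng.randrange(1, n)
            dout = sbox[x ^ key] ^ sbox[x ^ key ^ din]
            cands = {c for c in cands if sbox[x ^ c] ^ sbox[x ^ c ^ din] == dout}
            total += 1
    return total / trials


if __name__ == "__main__":
    print(fault_diffusion(4, 4, 6, 4, 0, 0), best_injection(4, 4, 6, 4))
    print(faults_to_recover(SBOX, random.Random(7)))
```

Injecting two rounds before the end into a branch that feeds an F function activates all four last-round S-boxes of that F when the linear layer diffuses fully, and only one when it is cell-wise; injecting into a branch that is merely XORed into reaches one either way. Multiplying the last-round count by the per-S-box fault count gives the kind of block-level cost the abstract's combined assessment is about.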

Citations (4)


... We speak of physical cryptanalysis. This article summarises the approach used in publications [11,17]. More precisely, it presents physical attacks targeting symmetric encryption algorithms. ...

Reference:

Cryptanalyse physique à textes inconnus d’algorithmes de chiffrement symétriques
Blind Side Channel Analysis Against AEAD with a Belief Propagation Approach
  • Citing Conference Paper
  • February 2024

Lecture Notes in Computer Science

... Blind side channels have been previously explored [5,[12][13][14], wherein neither inputs nor outputs are utilized to recover a cryptographic key; rather, only the traces and knowledge of the algorithm are employed. Blind side channels operate by identifying correlations across different time points within the traces, which are parameterized by a segment of the key. ...

Blind Side Channel on the Elephant LFSR

... We speak of physical cryptanalysis. This article summarises the approach used in publications [11,17]. More precisely, it presents physical attacks targeting symmetric encryption algorithms. ...

A Multi-round Side Channel Attack on AES Using Belief Propagation
  • Citing Conference Paper
  • December 2017

Lecture Notes in Computer Science

... Consequently, fault attacks are mostly explored along two research directions. Cryptographers are mainly interested in theoretical fault attacks: "Is an implementation secure with respect to a particular fault model?" [6], whereas the experimental side evaluates the fault models and validates some theoretical attacks in practice [9]. ...

On Fault Injections in Generalized Feistel Networks
  • Citing Article
  • December 2014