Riccardo Aragona

Riccardo Aragona, Roberto Civino, Francesca Dalla Volta

The key-scheduling algorithm in the AES is the component responsible for selecting from the master key the sequence of round keys to be xor-ed to the partially encrypted state at each iteration. We consider here the group $Γ$ generated by the action of the AES-128 key-scheduling operation, and we prove that the smallest group containing $Γ$ and all the translations of the message space is primitive. As a consequence, we obtain that no proper and non-trivial subspace can be invariant under its action.

Riccardo Aragona, Roberto Civino

In symmetric cryptography, the round functions used as building blocks for iterated block ciphers are often obtained as the composition of different layers providing confusion and diffusion. The study of the conditions on such layers which make the group generated by the round functions of a block cipher a primitive group has been addressed in the past years, both in the case of Substitution Permutation Networks and Feistel Networks, giving to block cipher designers the receipt to avoid the imprimitivity attack. In this paper a similar study is proposed on the subject of the Lai-Massey scheme, a framework which combines both Substitution Permutation Network and Feistel Network features. Its resistance to the imprimitivity attack is obtained as a consequence of a more general result in which the problem of proving the primitivity of the Lai-Massey scheme is reduced to the simpler one of proving the primitivity of the group generated by the round functions of a strictly related Substitution Permutation Network.

Riccardo Aragona, Roberto Civino, Norberto Gavioli et al.

Nodes of sensor networks may be resource-constrained devices, often having a limited lifetime, making sensor networks remarkably dynamic environments. Managing a cryptographic protocol on such setups may require a disproportionate effort when it comes to update the secret parameters of new nodes that enter the network in place of dismantled sensors. For this reason, the designers of schemes for sensor network are always concerned with the need of scalable and adaptable solutions. In this work, we present a novel elliptic-curve based solution, derived from the previously released cryptographic protocol TAKS, which addresses this issue. We give a formal description of the scheme, built on a two-dimensional vector space over a prime field and over elliptic curves, where node topology is more relevant than node identity, allowing a dynamic handling of the network and reducing the cost of network updates. We also study some security concerns and their relation to the related discrete logarithm problem over elliptic curves.

Riccardo Aragona, Marco Calderini, Roberto Civino

The study of the trapdoors that can be hidden in a block cipher is and has always been a high-interest topic in symmetric cryptography. In this paper we focus on Feistel-network-like ciphers in a classical long-key scenario and we investigate some conditions which make such a construction immune to the partition-based attack introduced recently by Bannier et al.

Riccardo Aragona, Roberto Civino, Norberto Gavioli et al.

In this paper we study the relationships between the elementary abelian regular subgroups and the Sylow $2$-subgroups of their normalisers in the symmetric group $\mathrm{Sym}(\mathbb{F}_2^n)$, in view of the interest that they have recently raised for their applications in symmetric cryptography.

Riccardo Aragona, Alessio Meneghetti

We provide a new property, called Non-Type-Preserving, for a mixing layer which guarantees protection against algebraic attacks based on the imprimitivity of the group generated by the round functions. Our main result is to present necessary and sufficient conditions on the structure of the binary matrix associated to the mixing layer, so that it has this property. Then we show how several families of linear maps are Non-Type-Preserving, including the mixing layers of AES, GOST and PRESENT. Finally we prove that the group generated by the round functions of an SPN cipher with addition modulo a power of 2 as key mixing function is primitive if its mixing layer satisfies this property. Moreover we generalise the definition of a GOST-like cipher using a Non-Type-Preserving matrix as mixing layer and we show, under the only assumption of invertibility of the S-Boxes, that the corresponding group is primitive.

Riccardo Aragona, Marco Calderini, Roberto Civino et al.

Round functions used as building blocks for iterated block ciphers, both in the case of Substitution-Permutation Networks and Feistel Networks, are often obtained as the composition of different layers which provide confusion and diffusion, and key additions. The bijectivity of any encryption function, crucial in order to make the decryption possible, is guaranteed by the use of invertible layers or by the Feistel structure. In this work a new family of ciphers, called wave ciphers, is introduced. In wave ciphers, round functions feature wave functions, which are vectorial Boolean functions obtained as the composition of non-invertible layers, where the confusion layer enlarges the message which returns to its original size after the diffusion layer is applied. This is motivated by the fact that relaxing the requirement that all the layers are invertible allows to consider more functions which are optimal with regard to non-linearity. In particular it allows to consider injective APN S-boxes. In order to guarantee efficient decryption we propose to use wave functions in Feistel Networks. With regard to security, the immunity from some group-theoretical attacks is investigated. In particular, it is shown how to avoid that the group generated by the round functions acts imprimitively, which represent a serious flaw for the cipher.

Riccardo Aragona, Marco Calderini, Antonio Tortora et al.

We provide two sufficient conditions to guarantee that the round functions of a translation based cipher generate a primitive group. Furthermore, under the same hypotheses, and assuming that a round of the cipher is strongly proper and consists of m-bit S-Boxes, with m = 3; 4 or 5, we prove that such a group is the alternating group. As an immediate consequence, we deduce that the round functions of some lightweight translation based ciphers, such as the PRESENT cipher, generate the alternating group.

Riccardo Longo, Massimiliano Sala, Riccardo Aragona

In this paper we propose a tokenization algorithm of Reversible Hybrid type, as defined in PCI DSS guidelines for designing a tokenization solution, based on a block cipher with a secret key and (possibly public) additional input. We provide some formal proofs of security for it, which imply our algorithm satisfies the most significant security requirements described in PCI DSS tokenization guidelines. Finally, we give an instantiation with concrete cryptographic primitives and fixed length of the PAN, and we analyze its efficiency and security.

Federico Giacon, Riccardo Aragona, Massimiliano Sala

A revocable-storage attribute-based encryption (RS-ABE) scheme is an encryption scheme which extends attribute-based encryption by intro- ducing user revocation. A key-policy RS-ABE scheme links each key to an access structure. We propose a new key-policy RS-ABE scheme whose security we prove in term of indistinguishability under a chosen-plaintext attack (IND-CPA).