Roberto Civino

7 papers, 23 citations

7 Papers

GR · Mar 10, 2021
On the primitivity of the AES-128 key-schedule

Riccardo Aragona, Roberto Civino, Francesca Dalla Volta

The key-scheduling algorithm in the AES is the component responsible for selecting from the master key the sequence of round keys to be XORed to the partially encrypted state at each iteration. We consider here the group $\Gamma$ generated by the action of the AES-128 key-scheduling operation, and we prove that the smallest group containing $\Gamma$ and all the translations of the message space is primitive. As a consequence, we obtain that no proper and non-trivial subspace can be invariant under its action.

CR · Nov 3, 2020
On the primitivity of Lai-Massey schemes

Riccardo Aragona, Roberto Civino

In symmetric cryptography, the round functions used as building blocks for iterated block ciphers are often obtained as the composition of different layers providing confusion and diffusion. The study of the conditions on such layers which make the group generated by the round functions of a block cipher a primitive group has been addressed in past years, both in the case of Substitution Permutation Networks and Feistel Networks, giving block cipher designers the recipe to avoid the imprimitivity attack. In this paper a similar study is proposed on the subject of the Lai-Massey scheme, a framework which combines both Substitution Permutation Network and Feistel Network features. Its resistance to the imprimitivity attack is obtained as a consequence of a more general result in which the problem of proving the primitivity of the Lai-Massey scheme is reduced to the simpler one of proving the primitivity of the group generated by the round functions of a strictly related Substitution Permutation Network.

CR · Jun 3, 2020
An Authenticated Key Scheme over Elliptic Curves for Topological Networks

Riccardo Aragona, Roberto Civino, Norberto Gavioli et al.

Nodes of sensor networks may be resource-constrained devices, often having a limited lifetime, making sensor networks remarkably dynamic environments. Managing a cryptographic protocol on such setups may require a disproportionate effort when it comes to updating the secret parameters of new nodes that enter the network in place of dismantled sensors. For this reason, the designers of schemes for sensor networks are always concerned with the need for scalable and adaptable solutions. In this work, we present a novel elliptic-curve-based solution, derived from the previously released cryptographic protocol TAKS, which addresses this issue. We give a formal description of the scheme, built on a two-dimensional vector space over a prime field and over elliptic curves, where node topology is more relevant than node identity, allowing a dynamic handling of the network and reducing the cost of network updates. We also study some security concerns and their relation to the discrete logarithm problem over elliptic curves.

GR · Dec 14, 2019
Some group-theoretical results on Feistel Networks in a long-key scenario

Riccardo Aragona, Marco Calderini, Roberto Civino

The study of the trapdoors that can be hidden in a block cipher is and has always been a high-interest topic in symmetric cryptography. In this paper we focus on Feistel-network-like ciphers in a classical long-key scenario and we investigate some conditions which make such a construction immune to the partition-based attack introduced recently by Bannier et al.

GR · Nov 14, 2018
Regular subgroups with large intersection

Riccardo Aragona, Roberto Civino, Norberto Gavioli et al.

In this paper we study the relationships between the elementary abelian regular subgroups and the Sylow $2$-subgroups of their normalisers in the symmetric group $\mathrm{Sym}(\mathbb{F}_2^n)$, in view of the interest that they have recently raised for their applications in symmetric cryptography.

GR · Aug 29, 2017
Wave-Shaped Round Functions and Primitive Groups

Riccardo Aragona, Marco Calderini, Roberto Civino et al.

Round functions used as building blocks for iterated block ciphers, both in the case of Substitution-Permutation Networks and Feistel Networks, are often obtained as the composition of different layers which provide confusion and diffusion, and key additions. The bijectivity of any encryption function, crucial in order to make the decryption possible, is guaranteed by the use of invertible layers or by the Feistel structure. In this work a new family of ciphers, called wave ciphers, is introduced. In wave ciphers, round functions feature wave functions, which are vectorial Boolean functions obtained as the composition of non-invertible layers, where the confusion layer enlarges the message, which returns to its original size after the diffusion layer is applied. This is motivated by the fact that relaxing the requirement that all the layers are invertible allows one to consider more functions which are optimal with regard to non-linearity. In particular, it allows one to consider injective APN S-boxes. In order to guarantee efficient decryption, we propose to use wave functions in Feistel Networks. With regard to security, the immunity from some group-theoretical attacks is investigated. In particular, it is shown how to avoid that the group generated by the round functions acts imprimitively, which represents a serious flaw for the cipher.
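The imprimitivity check that recurs in the abstracts above (the AES-128 key-schedule result, the Lai-Massey paper and the wave-cipher paper all ask whether the group generated by the round functions and the translations of the message space has a block system) can be run by hand on a toy cipher. The following is an added example, not code from any of the papers, on a constructed key-alternating cipher over F_2^6: the confusion layer applies the 3-bit S-box x -> x^3 over GF(8) = F_2[x]/(x^3 + x + 1) to each brick, the assumed mixing layer is lambda(hi, lo) = (hi ^ lo, hi), and key addition contributes every translation x -> x ^ k to the group. Because the group contains all translations, a block through 0 is automatically a subspace U and the block system is the coset partition of U, so the group is imprimitive exactly when some proper non-trivial U has its cosets permuted by the round function rho; this is why "no proper and non-trivial subspace can be invariant" is the statement that primitivity buys. The code enumerates all 2825 subspaces of F_2^6 and tests that condition; with no diffusion layer it recovers the two brick subspaces as blocks (the imprimitivity attack's partition), and with the mixing layer it finds none.

```python
"""Imprimitivity check for a toy key-alternating cipher on F_2^6 (constructed example).

Round function rho = lambda o gamma: gamma applies the 3-bit S-box x -> x^3 over
GF(8) to each brick, lambda is an optional linear mixing layer, and key addition
contributes every translation x -> x ^ k to the generated group.
"""
from functools import lru_cache

N_BITS = 6            # message space F_2^6 = two 3-bit bricks
BRICK = 3
MASK = (1 << BRICK) - 1


def gf8_mul(a, b):
    """Multiply in GF(8) = F_2[x]/(x^3 + x + 1); elements are 3-bit ints."""
    r = 0
    for i in range(BRICK):
        if (b >> i) & 1:
            r ^= a << i
    for i in (4, 3):                        # reduce x^4 and x^3 using x^3 = x + 1
        if (r >> i) & 1:
            r ^= 0b1011 << (i - BRICK)
    return r


def sbox(x):
    """Cube map x -> x^3 on GF(8): a permutation whose derivatives are 2-to-1 (APN)."""
    return gf8_mul(gf8_mul(x, x), x)


def bricklayer(x):
    """Confusion layer gamma: the S-box on each brick, no interaction between bricks."""
    hi, lo = x >> BRICK, x & MASK
    return (sbox(hi) << BRICK) | sbox(lo)


def identity(x):
    return x


def mix(x):
    """Assumed linear layer lambda(hi, lo) = (hi ^ lo, hi): invertible, and it maps
    neither brick subspace {(h, 0)} nor {(0, l)} onto itself."""
    hi, lo = x >> BRICK, x & MASK
    return ((hi ^ lo) << BRICK) | hi


def round_function(diffusion):
    """rho = diffusion o gamma; the key XOR is supplied by the translation group."""
    return lambda x: diffusion(bricklayer(x))


@lru_cache(maxsize=None)
def all_subspaces(n):
    """Every subspace of F_2^n as a frozenset of ints, by repeatedly adjoining a vector."""
    zero = frozenset([0])
    seen, frontier = {zero}, [zero]
    while frontier:
        nxt = []
        for U in frontier:
            covered = set(U)                # vectors whose span with U is already built
            for v in range(1, 1 << n):
                if v in covered:
                    continue
                W = U | frozenset(x ^ v for x in U)     # span(U, v) = U ∪ (U + v)
                covered |= W                # every v' in U + v spans the same W
                if W not in seen:
                    seen.add(W)
                    nxt.append(W)
        frontier = nxt
    return seen


def block_subspaces(rho, n=N_BITS):
    """Proper non-trivial subspaces U whose cosets rho permutes.

    In a group G containing all translations, the block of imprimitivity through 0
    is closed under XOR, hence a subspace U, and the block system is the coset
    partition of U. Translations preserve that partition automatically, so
    G = <T, rho> is imprimitive exactly when rho maps each coset x + U onto rho(x) + U.
    """
    table = [rho(x) for x in range(1 << n)]
    found = []
    for U in all_subspaces(n):
        if len(U) in (1, 1 << n):
            continue
        if all(table[x] ^ table[x ^ u] in U for x in range(1 << n) for u in U):
            found.append(U)
    return sorted(found, key=sorted)


def is_primitive(rho, n=N_BITS):
    """True when <translations, rho> has no block system, i.e. no invariant subspace."""
    return not block_subspaces(rho, n)


if __name__ == "__main__":
    for name, layer in (("no diffusion", identity), ("mixing layer", mix)):
        blocks = block_subspaces(round_function(layer))
        if blocks:
            print(f"{name}: imprimitive, blocks are the cosets of {[sorted(U) for U in blocks]}")
        else:
            print(f"{name}: primitive")
```

Without the mixing layer the two blocks reported are {0..7} and {0, 8, 16, ..., 56}, the cosets of the low and high brick: an attacker who knows which coset a ciphertext lies in learns which coset the plaintext came from, regardless of the key. The same enumeration run with `n=3` on the lone S-box reports no block, which is the APN property at work: a derivative of x^3 takes four distinct non-zero values, so it can neither be constant (a 1-dimensional block) nor stay inside the three non-zero elements of a 2-dimensional subspace. The checker is exhaustive only because the message space is tiny; for a real block size the papers' structural conditions on the layers replace the enumeration.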

CR · Feb 21, 2014
On the Equivalence of Two Security Notions for Hierarchical Key Assignment Schemes in the Unconditional Setting

Massimo Cafaro, Roberto Civino, Barbara Masucci

The access control problem in a hierarchy can be solved by using a hierarchical key assignment scheme, where each class is assigned an encryption key and some private information. A formal security analysis for hierarchical key assignment schemes has been traditionally considered in two different settings, i.e., the unconditionally secure and the computationally secure setting, and with respect to two different notions: security against key recovery (KR-security) and security with respect to key indistinguishability (KI-security), with the latter notion being cryptographically stronger. Recently, Freire, Paterson and Poettering proposed strong key indistinguishability (SKI-security) as a new security notion in the computationally secure setting, arguing that SKI-security is strictly stronger than KI-security in such a setting. In this paper we consider the unconditionally secure setting for hierarchical key assignment schemes. In such a setting the security of the schemes is not based on specific unproven computational assumptions, i.e., it relies on the theoretical impossibility of breaking them, despite the computational power of an adversary coalition. We prove that, in this setting, SKI-security is not stronger than KI-security, i.e., the two notions are fully equivalent from an information-theoretic point of view.