# Jean-Jacques QuisquaterUniversité Catholique de Louvain - UCLouvain | UCLouvain · Institute of Information and Communication Technologies, Electronics and Applied Mathematics

Jean-Jacques Quisquater

Ph D in computer science (eng. in applied math)

## About

411

Publications

92,416

Reads

**How we measure 'reads'**

A 'read' is counted each time someone views a publication summary (such as the title, abstract, and list of authors), clicks on a figure, or views or downloads the full-text. Learn more

16,307

Citations

Introduction

Additional affiliations

September 1991 - present

## Publications

Publications (411)

Differential cryptanalysis is one of the oldest attacks on block ciphers. Can anything new be discovered on this topic? A related question is that of backdoors and hidden properties. There is substantial amount of research on how Boolean functions affect the security of ciphers, and comparatively, little research, on how block cipher wiring can be...

Cayley hash functions are a family of cryptographic hash functions constructed from the Cayley graphs of non-Abelian finite groups. Their security relies on the hardness of mathematical problems related to long-standing conjectures in graph and group theory. We recall the Cayley hash design and known results on the underlying problems. We then desc...

Differential Cryptanalysis (DC) is one of the oldest known attacks on block ciphers. DC is based on tracking of changes in the differences between two messages as they pass through the consecutive rounds of encryption. However DC remains very poorly understood. In his textbook written in the late 1990s Schneier wrote that against differential crypt...

GOST is a well-known Russian government standard block cipher which was submitted to ISO in 2010 to become an international standard. A number of advanced differential attacks on GOST have been proposed including the best known single-key attack on GOST to date in 2179 [14]. This attack, however, was designed for the oldest known set of GOST S-boxe...

This book constitutes the proceedings of the 41st International Conference on Current Trends in Theory and Practice of Computer Science held in Pec pod Sněžkou, Czech Republic, during January 24-29, 2015. The book features 8 invited talks and 42 regular papers which were carefully reviewed and selected from 101 submissions. The papers are organized...

Hard mathematical problems are at the core of security arguments in cryptography. In this paper, we study mathematical generalizations of the famous Rubik’s cube puzzle, namely the factorization, representation and balance problems in non-Abelian groups. These problems arise naturally when describing the security of Cayley hash functions, a class o...

Ensuring the physical security of small embedded devices is challenging. Such devices have to be produced under strong cost constraints, and generally operate with limited power and energy budget. However, they may also be deployed in applications where physical access is indeed possible for adversaries. In this paper, we consider the case of SIM c...

In the last two decades, many computational problems arising in cryptography have been successfully reduced to various systems of polynomial equations. In this paper, we revisit a class of polynomial systems introduced by Faugère, Perret, Petit and Renault. Based on new experimental results and heuristic evidence, we conjecture that their degrees o...

RSA-CRT uses the Chinese Remainder Theorem to speed up the computation of an RSA decryption or a signature and reduces the size of the data stored in memory. This implementation is four times faster than the RSA standard implementation. This is why the CRT implementation of RSA is widely deployed in embedded systems. However, Boneh et al. showed th...

In this paper we demonstrate that widely known identification systems, such as the public-file-based Feige-Fiat-Shamir scheme, can be insecure if proper care is not taken with their implementation. We suggest possible solutions. On the other hand, identity-based versions of the Feige-Fiat-Shamir scheme are conceptually more complicated than necessa...

Let y 2 = x 3 + ax + b be an elliptic curve over F; p, p being a prime number greater than 3, and consider a; b ∈ [1, p]. In this paper, we study elliptic curve isomorphisms, with a view towards reduction in the size of elliptic curves coefficients. We first consider reducing the ratio a/b. We then apply these considerations to determine the number...

Exhaustive key search is the simplest attack against a cryp-tosystem, but it is sometimes the most realistic. This is specially true for carefully designed block ciphers for which advanced cryptanalysis (e.g. linear, differential) is not applicable. In this paper, we first update the cost of an exhaustive key search of the Data Encryption Standard...

This paper analyzes the problem of checking the integrity of files stored on remote servers. Since servers are prone to successful
attacks by malicious hackers, the result of simple integrity checks run on the servers cannot be trusted. Conversely, downloading
the files from the server to the verifying host is impractical. Two solutions are propose...

Related Concepts Integer Factoring; RSA Factoring Challenge Definition Rabin's public-key encryption is an asymmetric encryption scheme based on the modular square root problem, an thus related to integer factoring.

As has been established in the previous chapters, signcryption is a cryptographic primitive which combines the message integrity,
message origin authentication
, and (if possible) signature non-repudiation
properties of a traditional digital signature with the privacy-preserving property of a public key encryption scheme.

In this chapter we examine various signcryption schemes based on the Diffie–Hellman problem
. Importantly, this set of schemes includes the original signcryption scheme by Zheng
[203] and also several constructions with enhanced properties, for example, the scheme by Bao and Deng [15]
.

Establishing a strong link between the paper medium and the data represented on it is an interesting alternative to defeat unauthorised copy and content modification attempts. Many applications would benefit from it, such as show tickets, contracts, banknotes or medical prescripts. In this study, the authors present a low-cost solution that establi...

After 15 years of unsuccessful cryptanalysis attempts by the research community, Grassl et al. have recently broken the collision
resistance property of the Tillich-Zémor hash function. In this paper, we extend their cryptanalytic work and consider the
preimage resistance of the function.
We present two algorithms for computing preimages, each alg...

Key-evolving protocols aim at limiting damages when an attacker obtains full access to the signer’s storage. To simplify the integration of such mechanisms into standard security architectures, Boyen, Shacham, Shen and Waters suggested the construction of forward-secure signatures (FSS) that protect past periods after a break-in, with untrusted upd...

A multi-set (ms) is a set where an element can occur more than once. ms hash functions (mshfs) map mss of arbitrary cardinality to fixed-length strings.
This paper introduces a new rsa-based mshf. The new function is efficient and produces small hashes. We prove that the proposed mshf is collision-resistant under the assumption of unforgeability o...

The rapid advancement and the wide-spread use of the Internet and wireless communications in our professional endeavors and personal lives are making ubiquitous authenticated connectivity for mobile users indispensable. Individuals and groups may roam within a network or across networks, either in infrastructure or ad hoc mode. In any case, uninter...

Hitag2 is a stream cipher that is widely used in RFID car locks in the automobile industry. It can be seen as a (much) more secure version of the [in]famous Crypto-1 cipher that is used in MiFare Classic RFID products [14,20,15]. Recently, a specification of Hitag2 was circulated on the Internet [29]. Is this cipher secure w.r.t. the recent algebra...

In March 2009, the Université catholique de Louvain elected its President using a custom deployment of the Helios web-based open-audit voting system. Out of 25,000 potential voters, 5000 registered, and almost 4000 voted in each round of the election. The precision of the voting system turned out to be crucial: in the first round, the leader came s...

The Z emor-Tillich hash function has remained unbroken since its introduction at CRYPTO'94. We present the rst generic collision and preimage attacks against this function, in the sense that the attacks work for any parameters of the function. Their complexity is the cu- bic root of the birthday bound; for the parameters initially suggested by Till...

In wireless roaming a mobile device obtains a service from some foreign network while being registered for the similar service at its own home network. However, recent proposals try to keep the service provider role behind the home network and let the foreign network create a tunnel connection through which all service requests of the mobile device...

Hash functions are widely used in Cryptography, and hardware implemen- tations of hash functions are of interest in a variety of contexts such as speeding up the computations of a network server or providing authentication in small electronic devices such as RFID tags. Provably secure hash functions, the security of which relies on the hardness of...

Theoretical treatments of physical attacks have recently attracted the attention of the cryptographic community, as witnessed
by various publications, e.g., [1, 17, 22, 24, 29, 31, 33, 34, 42]. These works consider adversaries enhanced with abilities
such as inserting faults during a computation or monitoring side-channel leakages.

In traditional image and video content protection schemes, called fully layered, the whole content is first compressed. Then, the compressed bitstream is entirely encrypted using a standard cipher (DES, AES, IDEA, etc.). The specific characteristics of this kind of data (high-transmission rate with limited bandwidth) make standard encryption algori...

Talk given at eSmart 2010. How to attack the Hitag2 cipher in RFID trannsponders.

In this work we present the first passive attack over the SASI lightweight authentication protocol with modular rotations. This can be used to fully recover the secret $ID$ of the RFID tag, which is the value the protocol is designed to conceal. The attack is described initially for recovering $\lfloor log_2(96) \rfloor=6$ bits of the secret value...

The doubling attack by Fouque and Valette and its analogue, the relative doubling attack, by Yen et al. are a new kind of
simple power analysis that can be applied to a binary double-and-add algorithm in a scalar multiplication (or a multiply-and-square
algorithm in a modular exponentiation). The doubling attack is very powerful because it requires...

Recent breakthroughs concerning the current standard SHA-1 prompted NIST to launch a competition for a new secure hash algorithm by X.Wang et al (2005). Provably secure hash functions (in the sense that their security relates to the hardness of some mathematical problems by V. Lyubashevsky et al (2006) are particularly interesting from a theoretica...

WiFi technology has become the preferable form for mobile users to connect to the Internet. The growing popularity of WiFi-enabled
devices and the increasing number of WiFi networks guarantees that this trend will continue in the future. Since a single
network provider is usually not able to ensure WiFi coverage for its own users across many geogra...

In this paper we show a new differential fault analysis (DFA) on the AES-128 key scheduling process. We can obtain 96 bits
of the key with 2 pairs of correct and faulty ciphertexts enabling an easy exhaustive key search of 232 keys. Furthermore we can retrieve the entire 128 bits with 4 pairs. To the authors’ best knowledge, it is the smallest numb...

Checking data possession in networked information systems such as those related to critical infrastructures (power facilities, airports, data vaults, defense systems, etc.) is a matter of crucial importance. Remote data possession checking protocols permit to check that a remote server can access an uncorrupted file in such a way that the verifier...

Electronic passports (ePassports) have known a wide and fast deployment all around the world since the International Civil
Aviation Organization published their specifications in 2004. Based on an integrated circuit, ePassports are significantly
more secure than their predecessors. Forging an ePassport is definitely thwarted by the use of cryptogra...

In 2004, Biryukov et al. presented a new theoretical framework for the linear cryptanalysis of block ciphers using multiple approximations. Although
they provided first experimental results to confirm the relevance of their approach, a scope for further research was to apply
this framework to other ciphers. In this paper, we present various attacks...

Many cryptosystems suffer from fault attacks when implemented in physical devices such as smart cards. Fault attacks on secret
key elements have successfully targeted many protocols relying on the Elliptic Curve Discrete Logarithm Problem (ECDLP), the
Integer Factorization Problem (IFP) or the Discrete Logarithm Problem (DLP). More recently, faults...

This paper presents an updated implementation of the Advanced Encryption Standard (AES) on the recent Xilinx Virtex-5 FPGAs.
We show how a modified slice structure in these reconfigurable hardware devices results in significant improvement of the
design efficiency. In particular, a single substitution box of the AES can fit in 8FPGA slices. We comb...

SEA is a scalable encryption algorithm targeted for small embedded applications. It was initially designed for software implementations in controllers, smart cards, or processors. In this letter, we investigate its performances in field-programmable gate array (FPGA) devices. For this purpose, a loop architecture of the block cipher is presented. B...

In this paper, we point out some weaknesses in the Salsa20 core function that could be exploited to obtain up to 231 collisions for its full (20 rounds) version. We first find an invariant for its main building block, the quarterround function, that is then extended to the rowround and columnround functions. This allows us to find an input subset o...

Collisions in the LPS cryptographic hash function of Charles, Goren and Lauter have been found by Zémor and Tillich [16], but it was not clear whether computing preimages was also easy for this hash function. We present a probabilistic polynomial time algorithm solving this problem. Subsequently, we study the Morgenstern hash, an interesting varian...

We propose to apply an information theoretic metric to the evaluation of side-channel resistant logic styles. Due to the long design and development time required for the physical evaluation of such hard- ware countermeasures, our analysis is based on simulations. Although they do not aim to replace the need of actual measurements, we show that sim...

Most electronic cash systems being deployed look very different from what academics have been envisioning over the last 3
decades. Experts on the panel gave different definitions for electronic cash, surveyed systems deployed in some countries,
discussed reliability, privacy and security concerns. Moreover, electronic cash and advertisements were l...

Forward-Secure Signatures (FSS) prevent forgeries for past time periods when an attacker obtains full access to the signer’s storage by evolving the private key in a one-way fashion. To simplify the integration of these primitives into standard security architectures, Boyen et al. [2006] recently introduced the concept of forward-secure signatures...

Collisions in the LPS cryptographic hash function of Charles, Goren and Lauter have been found by Zémor and Tillich [17],
but it was not clear whether computing preimages was also easy for this hash function. We present a probabilistic polynomial
time algorithm solving this problem. Subsequently, we study the Morgenstern hash, an interesting varian...

The deployment of wireless networks is in permanent growth. To exploit their intrinsic mobility advantages, collaborative networks such as first responder networks (FRNs) have recently adopted wireless networking technologies, Albiet at a small scale. FRNs require the collaboration of heterogeneous and mobile groups. Impeding the wide-scale use of...

An active attacker can induce errors during the computation of the cryptographic algorithm and exploit the faulty results to extract information about the secret key in embedded systems. We call this kind of attack a fault attack. Fault attacks can break an unprotected system more quickly than any other kind of side-channel attack such as simple po...

The RSA is one of the most widely used algorithms nowadays in smart cards. The main part of RSA is the modular exponentiation
composed of modular multiplications. Therefore most smart cards have a hardware modular multiplier to speed up the computation.
However, secure implementation of a cryptographic algorithm in an embedded device such as a sma...

This paper reports on an improvement of Matsui’s linear cryptanalysis that reduces the complexity of an attack with algorithm 2, by taking advantage of the Fast Fourier Transform. Using this improvement, the time complexity decreases from O(2k
*2k
) to O(k*2k
), where k is the number of bits in the keyguess. This improvement is very generic and can...

When speaking about attacks against networks and computers, people mainly think today about viruses, worms, Trojans, keyloggers,
denial of services, etc.
In the last ten years a lot of new attacks were found against servers and smart cards. First are side-channels attacks: those
are by using ”esoteric” channels to obtain protected, secure and priv...

The rapid progress and the wide-spread use of the Internet and wireless communications in our professional endeavors and personal lives are making indispensable the need for ubiquitous authenticated connectivity for both mobile individuals and groups. In this paper, we present mGAP, a new protocol for mobile group authentication in wireless network...

Forward-secure signatures (FSS) prevent forgeries for past time periods when an attacker obtains full access to the signer's storage. To simplify the integration of these primi- tives into standard security architectures, Boyen, Shacham, Shen and Waters recently introduced the concept of forward- secure signatures with untrusted updates where priva...

RSA cryptosystem is one of the most widely used algorithms nowadays. However when it is implemented in embedded devices such as smart cards, it can be vulnerable to power analysis attacks and fault attacks. To defeat all known side channel attacks and fault attacks, several countermeasures should be used together. However due to the low computation...

End-to-end auditable voting systems are expected to guarantee very interesting, and often sophisticated security properties, including correctness, privacy, fairness, receipt-freeness, ... However, for many well-known protocols, these properties have never been analyzed in a systematic way. In this paper, we investigate the use of techniques from t...

Encryption is the basic means to enforce confidentiality in digital communications. This work explores a hardware design alternative and a cost assessment of an FPGA-based brute force attack against RSA secret-key challenge RC5-72. The aim is to develop an alternative to software-based solutions for distributed.net. Implementation results show that...

In this last decade, Elliptic Curve Cryptography (ECC) has gained increasing acceptance in the industry and the academic community
and has been the subject of several standards. This interest is mainly due to the high level of security with relatively small
keys provided by ECC. Indeed, no sub-exponential algorithms are known to solve the underlyin...

At FC’05, Dodis and Yum introduced a new cryptographic tool called time capsule signature
(TCS) which allows signers to generate ”future signatures” that only become valid from a specific future time t (chosen at signature generation) when a trusted entity (called Time Server) discloses some trapdoor information for period t. In addition, time caps...

SEA is a scalable encryption algorithm targeted for small embedded applications. It was initially designed for software implemen-tations in controllers, smart cards or processors. In this paper, we inves-tigate its hardware performances in a 0.13 µm CMOS technology. For these purposes, different designs are detailed. First, a single clock cycle per...

A recent branch of cryptography focuses on the physical constraints that a real-life cryptographic device must face, and attempts to exploit these constraints to expose the devices se- crets. This gave birth to implementation-specific attacks, which often turned out to be much more efficient than the best known cryptanalytic attacks against the und...

Currently, the best known algorithm for factorizing modulus of the RSA public key cryptosystem is the Number Field Sieve. One of its important phases usually combines a sieving technique and a method for checking smoothness of mid-size numbers. For this factorization, the Elliptic Curve Method (ECM) is an attractive solution. As ECM is highly regul...

This work explores a hardware design alternative and a cost assessment of an FPGA-based brute force attack against the challenge RC5-72. The aim is to develop an alternative to software-based solutions for distributed.net. Hardware platforms, particularly reconfigurable hardware, can offer significant cost, flexibility and performance advantages, w...

Nowadays RSA using Chinese Remainder Theorem (CRT) is widely used in practical applications. However there is a very powerful attack against it with a fault injection
during one of its exponentiations. Many countermeasures were proposed but almost all of them are proven to be insecure. In
2005, two new countermeasures were proposed. However they s...

Public key cryptography is a concept used by many useful functionalities, such as digital signature, encryption, key agreements, etc. For those needs, elliptic curve cryptography is an attractive solution. Cryptosystems based on elliptic curves (EC) need a costly modular division. Efficient implementations of this operation are useful for both area...

Key-insulated cryptography is a crucial technique for pro- tecting private keys. To strengthen the security of key-insulated proto- cols, Hanaoka, Hanaoka and Imai recently introduced the idea of parallel key-insulated encryption (PKIE) where distinct physically-secure devices (called helpers) are independently used in key updates. Their motivation...

For the last decade, Elliptic Curve Cryptography (ECC) has gained increasing acceptance in the industry and the academic community and has been the subject of several standards. This interest is mainly due to the high level of security with relatively small keys provided by ECC. To sustain the high throughput required by applications like network s...

Since their publication in 1998 and 2001 respectively, Power and Electromagnetic Analysis (SPA, DPA, EMA) have been successfully used to retrieve secret informa- tion stored in cryptographic devices. Both attacks usually model the side-channel leakages using the so-called \Hamming weight" and \Hamming distance" models, i.e. they only consider the n...

For the last ten years, security of integrated circuits has attracted a greater attention from the cryptographic community. Several sources of information leakage within the circuits have been emphasized. Power consumption based attacks have been mounted successfully against various types of circuits like ASIC, smartcards or FPGA. To counter them,...

Efficient cryptographic implementations are a fundamental factor in the achievement and dissemination of new computerized ap-plications. In some recent environments with (very) limited resources such as smart cards, sensor networks or RFID tags, standard algorithms may not be completely adapted.Consequently, the design of new solu-tions for low-cos...

This paper presents FPGA (Field Programmable Gate Array) implementations of ICEBERG, a block cipher designed for reconfigurable hardware implementations and presented at FSE 2004. All its components are involutional and allow very efficient combinations of encryption/decryption. The implementations proposed also allow changing the key and Encrypt/D...