The research activities in this group are concentrated on the design, evaluation, and implementation of cryptographic algorithms and protocols, and on security architectures for computers and telecommunications networks. Cryptography is generally acknowledged as the best method to protect data against passive (eavesdropping) and active (data diddling, replay) fraud. The research is oriented to fundamental problems with a practical importance. Part of the work within COSIC is carried out in close collaboration with the company uti-maco Belgium.
COSIC is headed by René Govaerts and Joos Vandewalle, and has one post-doctoral researcher and 7 Ph.D. students.
The two-yearly summer course on Computer Security and Industrial Cryptography will be held in Leuven from June 12--15, 1995.
COSIC cooperates with the University of California at Berkeley, Bell Northern Research, RSA Laboratories, Stanford University, Diva Communications, CWI Amsterdam, Cardware, Gemplus Card International, Service d'Etudes Communes de la Poste et de France Telecom, PTT Research Nederland, Sintef Delab, DigiCash BV, Institut für Sozialforschung, Universität Hildesheim, Ingenico, Aarhus Universitet, Siemens AG, the Dutch organization for Applied Scientific Research (TNO), ENST Paris, Eucis-Conseil, Baltimore Technologies, Cambridge University, ICL, Bull.
Differential and Linear Cryptanalysis
R. Govaerts, J. Vandewalle, B. Preneel, V. Rijmen
Differential cryptanalysis is a recent technique based on the study of the relation between input and output differences. It is applicable to both block ciphers and hash functions. The attack is statistical as one searches for input differences that are likely to cause a certain output difference.
Linear cryptanalysis, also a very recent method, is based on judiciously chosen linear approximations of the non-linear parts of an algorithm. The deviation of the actual encryption process and the linear approximation is key dependent. This fact can be used to deduce a part of the secret key.
The theoretic foundations of the linear cryptanalysis have been studied and improved. A practical attack was implemented and executed in parallel on 70 workstations (DEC, HP, and SUN).
Both cryptanalytic methods were used to demonstrate the weaknesses in MacGuffin, a recent new block cipher proposal. Both methods were also used to cryptanalyze hash functions.
The Realisation of Security Services in the User-Oriented Layers of
OSI-RM
R. Govaerts, J. Vandewalle, J. Verschuren
The research with respect to securing computer networks can be split up into two parts: devising secure computer networks and trying to break computer networks which are said to be secure. Building a computer network before being sure about its security features, is a risky matter: if the security architecture is not sound, then the users of the network will lose their confidence and scarcely use the network. Thus the network in question will turn out to be a bad investment.
From the above reasoning it turns out that there is a need for methods which can evaluate a draft of a security architecture of a computer network. The following three remarks apply to such a method.
In order to devise such an evaluation method, the following two activities are performed:
Design and Implementation of Cryptographic Finite State Machines
R. Govaerts, J. Vandewalle, J. Daemen
From a system-theoretic point of view conventional cryptographic algorithms can be subdivided into four categories: cryptographic hash functions, pseudorandom sequence generators (for stream encryption), block ciphers, and self-synchronizing stream ciphers. The design of the first three types can be tackled by designing a cryptographic finite state machine. Key words in the approach are simplicity, symmetry, and parallelism. We introduced this concept in 1992 and have been using it successfully since.
We have developed a software oriented module called STEPRIGHTUP. The functionality of present-day processors is reflected in the extensive use of of bitwise logical operations and cyclic shifts operating on 32-bit words. The design can be seen as specifying an arrangement that has to meet strict cryptographic criteria and has a minimum number of operations per encrypted (or hashed) bit. The current proposal can perform both hashing and encryption/decryption at less than 5 (32-bit) operations per (32-bit) word. Although the design is software-oriented, ultra high processing speeds can be attained by a straightforward hardware implementation. This is possible because the cryptographic functions (pseudorandom sequence generation and hashing) are specified in terms of a cryptographic finite state machine.
In the research for the nature of the basic mechanisms of differential and linear cryptanalysis, we have introduced a number of tools that significantly increase the understanding of these phenomena. These include correlation matrices of Boolean mappings and prop ratios. We have proved that there is an isomorphism between the set of Boolean mappings with composition and the set of correlation matrices with (matrix multiplication) and that the difference propagation and correlation properties of a Boolean mapping are linked by a Walsh-Hadamard transform.
We have developed the block cipher BASEKING with a block and key length of 192 bits. It can efficiently be implemented on any processor that can do bitwise logical operations and shifts. For a dedicated hardware implementation with standard CMOS technology current speed estimates are in the range of 1.6 Gigabit/s. Because of its large block length, is very well suited to be used as the basic component of a cryptographic hash function.
Aspects of Database Security Involved in Electronic
Transaction Systems
R. Govaerts, J. Vandewalle, C. Radu, M. Vandenwauver
The Electronic Transaction System (ETS) is the unified framework that allows the transfer of electronic cash as well as receiving and showing vouchers, certificates, and credentials. The term ``transaction'' refers to any of the previous mentioned activities. The participants in the system are individuals and organizations. In order to perform a transaction, data needs to be exchanged between computers belonging to these participants. Each computer is equipped with and manages a database. This contains information used to perform the transaction(s).
The aim of realizing an ETS has led to research that addresses security issues concerning generation, conveying, handling, and storage of the information. We contributed to this research by addressing the topic of conditional access to databases. We investigated what properties and options are necessary in order to guarantee the security of the database(s). We deal with security aspects related to the personal database in the hand-held personal device of the individual and the database managed by the organizations.
Considering these types of databases, the research was concentrated on following two objectives: the access control in personal databases and the integrity preservation of the huge databases managed by powerful organizations. A bottom--up approach in considering these objectives was adopted: we were concerned about the mechanisms implementing policies of database security.
The multi-application paradigm in connection with a personal device is a new trend of the IC development, from which the concept of personal database has emerged. Little attention has yet been given to the conditional access to this special type of database. We have designed a model of the personal database of the individual and the access control mechanism that can enforce this model. The specific solution we have proposed matches the strong restriction of a limited storage space inherent to a (tamper-resistant) personal device (like a smart card).
The security study related to macrodatabases (managed by organizations) addressed the design of conditional access mechanisms in object oriented databases. Specific solutions for the ONTOS object-oriented database management system where developed and implemented.
Evaluation of Cryptographic Soft- and Hardware
R. Govaerts, J. Vandewalle, B. Preneel, A. Bosselaers,
J. Daemen, M. Vandenwauver, V. Rijmen, L. Van Linden
In an industrial environment the communications network is the first place where special protection is introduced, as this is certainly one of the most vulnerable parts of an information system. Depending on the application, the users require protection of the information against disclosure and/or the protection of the authenticity of the information and its origin. This protection can only be achieved through the use of cryptographic algorithms, implemented either in hardware or in software. Two types of algorithms are available on the market: algorithms that are public and widely used, and secret algorithms.
A public algorithm has the advantage that is has been thoroughly analyzed and that security properties are well-known. However the fact that an algorithm is widely used implies that the number of potential attackers increases, and that it offers an interesting target. A breakthrough in cryptanalysis will result in a substantial benefit and the cost of special purpose hardware can be depreciated over different applications. These considerations explain the preference of several organizations for secret algorithms or for variations on publicly known algorithms. However, one has to be very careful with this type of algorithms as a large number of them were declared secure by their designers but have been broken afterwards. As a consequence, a secret algorithm must be evaluated by different cryptographic experts before it can be given any trust. Such an independent evaluation is based on literature study, and both algebraic and statistical evaluation. Most cryptographic algorithms are based on the principles of permutation and substitution. Therefore the analysis of substitution boxes is an important tool possibly leading to an attack on these algorithms. Software has been written allowing quick evaluation of currently known important properties. Eventually this can lead to the discovery of new properties and to a better view on the existing design criteria.
In addition, recommendations can be made to improve the security of the system. The difference with an academic evaluation is that imposed requirements are to be related to the economic implications of a successful fraud. For both types of algorithms one also has to pay special attention to the cryptographic protocols and the key management system.
Conditional Access for Europe (CAFE)
R. Govaerts, J. Vandewalle, A. Bosselaers, C. Radu
CAFE is a European project, carried out by a consortium of companies active in electronic payments together with leading research organizations. It is supported, also financially, by the European Commission. The project is developing an electronic wallet, to be used as a pan-European device for consumer payments, access to information services and --if required-- identification. The project will conclude with a trial of the payment device in the second quarter of 1995. After a successful trial with actual users the technology should be ready for the market in 1996.
The CAFE system is based on recent research in public key cryptography. The use of public key technology offers big advantages over other payment and ID systems. It makes it possible to use the wallet for signature transporting. Electronic money, issued by a bank, can be tagged with a unique electronic signature per payment, to be compared with the unique number on printed bank notes. This signature can be down-loaded into the wallet. This feature makes the system more secure, less expensive, and offers the privacy people want. The public key nature of the CAFE protocols makes it also possible to create an open system. Participants don't have to trust each other and don't have to negotiate on the division of the risks involved. Once in use, multiple providers of goods and services, as well as multiple issuers of electronic money can join the system.
During the second CAFE year, COSIC was involved in developing and specifying the protocols for both a smart card and a wallet based payment system to be trailed in year three of the project. A reference implementation of the entire system was written, that has been and will be used by the other partners to develop, test, and verify the actual system. It already proved its usefulness during the development of the smart card code, and is currently being used in the development of the other components in the system.
A Secure European System for Applications in a Multi-Vendor Environment
(SESAME)
R. Govaerts, J. Vandewalle, B. Preneel, M. Vandenwauver
SESAME's origins lie in the open Systems Standards work of ECMA. In 1987 ECMA started its work on Security in Open Systems. Experts of all the major computer manufacturers have been involved at different times. The success of this ECMA initiative prompted the CEC to sponsor under its RACE programme a project aimed at proving this theory in the hard school of actual implementation, and thus Project SESAME was born. The project was undertaken by Bull, ICL, and Siemens (SNI), funded in part by the CEC.
In order to enlarge the chance of broad acceptance of the results of this project, a group of experts was added to the project : SEUG (SESAME End Users Group). Their task is to consider the merits of the project from a user point of view, and to promote the results of the project. COSIC forms part of this team. In this framework, COSIC evaluates the architectural ideas and cryptographic protocols that are proposed by the main contractors. One of the contributions is to evaluate whether the SESAME architecture would be a good candidate to introduce security features into the ESAT computer network. This comprises a study of the overhead imposed by the security features and the way to incorporate the security in existing networks. Another major contribution was the actual piloting work that consisted in installing and testing the SESAME V2 distribution on CD-ROM. In order to prepare for the future the SEUG was enlarged with a number of industrial pilots (Alcatel, Thomson, ...) and a new group called ``SESAME User Forum'' was created of which COSIC will continue to be a member.
Frequency Allocation for Cellular Communications
B. Preneel, J. Walrand
An important problem for cellular telecommunications systems is the optimal assignment of the frequencies to the different cells. An optimal pattern minimizes co-channel interference between neighboring cells. The theoretical solution of the problem is easy for a regular pattern, but in practice the cells are highly irregular, which makes it very hard to find a good pattern. As a consequence, frequency allocation is a very time consuming and expensive operation.
We have developed in collaboration with J. Walrand a distributed quasistatic algorithm for frequency allocation. The algorithm takes into account the real propagation conditions and is robust, i.e., it can adopt itself to modified conditions. First we have proved the convergence of the algorithm using the theory of Markov chains. Subsequently we have improved the algorithm to speed up the convergence. We have also established relations with algorithms for graph coloring. The proposed techniques can also be used to improve existing distributed algorithms for this problem.