# NSM Crypto Projects

Contact NSM researcher Sondre Rønjom (sondre "punkt" ronjom "krøllalfa" nsm "punkt" stat "punkt" no) (or sondrer@gmail.com) if you are interested in doing one of the crypto projects below.

### 1. Intermediate solutions for quantum resistant key exchange

Quantum computers pose a real threat to cryptography if and when they are realized in full scale. Certain hard problems are much easier to solve with a quantum computer. This holds in particular for cryptography based on factoring and computing discrete logarithms. Standardization bodies have already begun the process of finding new quantum resistant primitives that can replace current schemes based on problems that are easy to solve with quantum computer. However, this process will take some time, while current projections estimate that it is not unlikely that a cryptographically relevant quantum computer is realized in the next 10-15 years. Governments are taking action right now. In particular, systems that carry information that requires protection for a long time (15 yrs) should replace algorithms that can be broken by quantum computers now. However, this is difficult without a post quantum replacement at hand. The goal of this project is to investigate candidate hybrid solutions for key exchange for the intermediate period between pre and post-quantum era. In hybrid solutions for key exchange one combines classical key exchange algorithms with quantum resistant algorithms that has not been analysed that well. The idea is that one gets classical security and at least some post-quantum security. Examples of hybrid schemes include ECDH+pre-placed key, ECDH+lattice key exchange(New Nope, Chrome browser) and so on. The goal of the project is to investigate the limitations of the di↵erent hybrid solutions proposed in literature, in particular when implemented in current protocols and systems.

### 2. The usability of NIST post-quantum competition candidates as replacements in existing systems and protocols

Quantum computers pose a real threat to cryptography if and when they are realized in full scale. Certain hard problems are much easier to solve with a quantum computer. This holds in particular for cryptography based on factoring and computing discrete logarithms. Standardization bodies have already begun the process of finding new quantum resistant primitives that can replace current schemes based on problems that are easy to solve with quantum computer. However, this process will take some time, while current projections estimate that it is not unlikely that a cryptographically relevant quantum computer is realized in the next 10-15 years. Governments are taking action right now. In particular, systems that carry information that requires protection for a long time (>15 yrs) should replace algorithms that can be broken by quantum computers now. However, this is difficult without a post quantum replacement at hand. This goal of this project is to investigate the practical limitations of the post quantum NIST candidates as replacements in real world systems and protocols. In particular, the goal of the project is to rank candidates in terms of how easy they are to deploy in existing protocols and systems. Relevant metrics include implementation costs, key-sizes and speed. One suggestion is to use deployment into TLS as a benchmark.

### 3. Implementation of key-exchange based on McEliece cryptosystem

Post quantum key exchange algorithms based on hard problems from coding theory are believed to be secure post quantum candidates. The McEliece cryptosystem was introduced in the 70s and has been surprisingly stable against cryptanalysis up until this day. However, it has practical limitations with regards to implementation. In particular, key generation can be slow which can make it unsuitable for forward secrecy. Thus, in this project the aim is to implement McEliece (or Niederreiter) for secure parameter choices and investigate how the various parts (particularly key generation) can be optimized. It is recommended that implementations for simulations are done in C/C++ (Alternatively, optimization for FPGAs).

### 4. Cryptanalysis of AES

The aim of this project is to survey the techniques used in modern cryptanalysis of block ciphers. There exist many different types of attacks, each attack assuming a slightly different attack model. The two typical types of attacks we are interested in are distinguishers and key-recovery attacks. The aim of key-recovery attacks is obvious. The aim of distinguishing attacks is to find non-random properties of a block cipher that can be used to distinguish it from a random permutation. Thus, a distinugisher is typically used to identify whether a black box oracle is actually AES or is further extended to a key recovery attack. The practicality of an attack depends on the adversarial model used in the attack. For instance, an adversary that can ask for encryptions of arbitrary plaintexts is more powerful than adversaries that can only observe ciphertexts. There are also models where the adversary knows that the secret key stems from a class of related keys. Thus, it is not always easy to compare the efficiency (time and data complexity) of attacks that work in slightly different models. It may be a good idea to focus on AES, which is the most important block cipher in use today. With a focus on AES, the aim should be to survey the various attacks on AES and try to make a meaningful comparison. Examples of relevant cryptanalysis against AES are integral(”Square attack”) and subspace cryptanalysis, (impossible) differential cryptanalysis, biclique attacks, algebraic attakcs and Boomerang attacks. In particular, an important contribution of this project would be to provide a meaningful comparison of attacks on AES in terms of practically meaningful parameters such as attack model, time complexity and data complexity. A complete and meaningful comparison is currently lacking in the literature. Such a comparison may very-well become a standard reference for further comparisons in the literature.

### 5. Computing on encrypted data

There are many scenarios where different data-owners want to compare information without revealing their actual data. For instance, government wants to search network traffic for malicious activity without revealing what it looks for, while the network operator does not want to give access to its network to the government. Maybe two companies want to compute common statistics between their data without revealing the actual data. Computation on encrypted data can solve many of the issues we have today when it comes to ”fact based” information sharing. Different parties do not want to share confidential data, but they want to be able to share information about the data. Secure multiparty computation is a branch of cryptography that enables parties to compute a function on their joint data without each party having to reveal their respectively input.

The aim of this project is to survey the current state of the art in multiparty computation and its applications. The candidate should look into real world implementations to get an understanding of efficiency and limitations.

### 6. White-Box AES

En White-Box (WB) implementering av AES (Advanced Crypto Standard) er en program-binary som implementerer AES kryptering eller dekryptering med en hemmelig nøkkel på en slik måte at det er praktisk umulig å gjøre det motsatte (dekryptere eller kryptere) selv om man har tilgang til program-binarien. Dette er typisk brukt i DRM (Digital Rights Management) og lignende scenarioer hvor man har behov for å kryptere eller dekryptere uten at brukeren eller noen andre skal finne nøkkelen.

Dette Master-prosjektet går ut på å studere teknikker for beskyttelse av AES program-binary basert på WB-implementering av AES-algoritmen. Dette er teknikker som gjør det vanskelig å angripe WB-implementasjonen med hjelp av f.eks. gray-box teknikker. Denne teknikken for beskyttelse av programvare ligner på teknikker man bruker for å beskytte seg mot sidekanalsangrep i hardware. Dette krever i hvert fall en viss grad av forståelse for hvordan en WB-AES programkode fungerer. Eksempler på WB-beskyttelsesteknikker er randomiserte execution paths / control flow randomisering, integritetsbeskyttelse, anti-debugging teknikker osv.

Se f.eks. Whitebox Encryption