TL;DR: This paper formalizes and investigates the authenticated-encryption with associated-data (AEAD) problem, and studies two simple ways to turn an authenticated-encryption scheme that does not support associated-data into one that does: nonce stealing and ciphertext translation.
Abstract: When a message is transformed into a ciphertext in a way designed to protect both its privacy and authenticity, there may be additional information, such as a packet header, that travels alongside the ciphertext (at least conceptually) and must get authenticated with it. We formalize and investigate this authenticated-encryption with associated-data (AEAD) problem. Though the problem has long been addressed in cryptographic practice, it was never provided a definition or even a name. We do this, and go on to look at efficient solutions for AEAD, both in general and for the authenticated-encryption scheme OCB. For the general setting we study two simple ways to turn an authenticated-encryption scheme that does not support associated-data into one that does: nonce stealing and ciphertext translation. For the case of OCB we construct an AEAD-scheme by combining OCB and the pseudorandom function PMAC, using the same key for both algorithms. We prove that, despite "interaction" between the two schemes when using a common key, the combination is sound. We also consider achieving AEAD by the generic composition of a nonce-based, privacy-only encryption scheme and a pseudorandom function.
TL;DR: Various ways to perform an efficient side channel attack are shown and potential applications, extensions to other padding schemes and various ways to fix the problem are discussed.
Abstract: In many standards, e.g. SSL/TLS, IPSEC, WTLS, messages are first pre-formatted, then encrypted in CBC mode with a block cipher. Decryption needs to check if the format is valid. Validity of the format is easily leaked from communication protocols in a chosen ciphertext attack since the receiver usually sends an acknowledgment or an error message. This is a side channel. In this paper we show various ways to perform an efficient side channel attack. We discuss potential applications, extensions to other padding schemes and various ways to fix the problem.
TL;DR: This paper proposes several fixes to the SSH protocol and, using techniques from modern cryptography, proves that their modified versions of SSH meet strong new chosen-ciphertext privacy and integrity requirements.
Abstract: The Secure Shell (SSH) protocol is one of the most popular cryptographic protocols on the Internet. Unfortunately, the current SSH authenticated encryption mechanism is insecure. In this paper we propose several fixes to the SSH protocol and, using techniques from modern cryptography, we prove that our modified versions of SSH meet strong new chosen-ciphertext privacy and integrity requirements. Furthermore, our proposed fixes will require relatively little modification to the SSH protocol or to SSH implementations. We believe that our new notions of privacy and integrity for encryption schemes with stateful decryption algorithms will be of independent interest.
TL;DR: In this article, it was shown that the Abadi-Rogaway logic of indistinguishability for cryptographic expressions is not complete, by giving a natural example of a secure encryption function and a pair of expressions such that the distributions associated to the two expressions are computationally indistinguishable, but equality cannot be proved within the logic.
Abstract: We show that the Abadi-Rogaway logic of indistinguishability for cryptographic expressions is not complete by giving a natural example of a secure encryption function and a pair of expressions, such that the distributions associated to the two expressions are computationally indistinguishable, but equality cannot be proved within the logic. We then introduce a new property for encryption schemes, which we call confusion freeness, and show that the Abadi-Rogaway logic is sound and complete whenever the encryption scheme used satisfies this property. We relate confusion freeness with standard cryptographic security notions, showing that any authenticated encryption scheme is confusion free. We also consider two extensions of the basic logic. The first is a refinement of the Abadi-Rogaway logic that overcomes certain limitations of the original proposal, allowing for encryption functions that do not hide the length of the message being sent. Both the soundness theorem of Abadi and Rogaway and our completeness result for confusion-free (or authenticated) encryption easily extend to this more realistic notion of secrecy. The second is an extension of the logic due to Abadi and Jurjens that allows one to study more complex protocols in the presence of a passive adversary. Our completeness result holds for this extended logic as well.
TL;DR: A convertible authenticated encryption scheme that can easily produce the ordinary signature without the cooperation of the signer is proposed and is more efficient than Araki et al.'s in terms of the computation complexities and the communication costs.
TL;DR: The Secure Shell (SSH) protocol is one of the most popular cryptographic protocols on the Internet; however, as the authors discuss, the current SSH authenticated encryption mechanism is insecure and vulnerable to attacks.
Abstract: The Secure Shell (SSH) protocol is one of the most popular cryptographic protocols on the Internet. Unfortunately, the current SSH authenticated encryption mechanism is insecure. In this paper, we propose several fixes to the SSH protocol and, using techniques from modern cryptography, we prove that our modified versions of SSH meet strong new chosen-ciphertext privacy and integrity requirements. Furthermore, our proposed fixes will require relatively little modification to the SSH protocol and to SSH implementations. We believe that our new notions of privacy and integrity for encryption schemes with stateful decryption algorithms will be of independent interest.
TL;DR: In this article, the authors analyzed the security of the CTR + CBC-MAC (CCM) encryption mode and concluded that CCM provides a level of privacy and authenticity that is in line with other proposed modes such as OCB.
Abstract: We analyze the security of the CTR + CBC-MAC (CCM) encryption mode. This mode, proposed by Doug Whiting, Russ Housley, and Niels Ferguson, combines the CTR ("counter") encryption mode with CBC-MAC message authentication and is based on a block cipher such as AES. We present concrete lower bounds for the security of CCM in terms of the security of the underlying block cipher. The conclusion is that CCM provides a level of privacy and authenticity that is in line with other proposed modes such as OCB.
TL;DR: Both of the proposed schemes violate the requirement of (k,l) threshold shared verification, and two improvements are proposed to eliminate the security leaks pointed out in the original schemes.
TL;DR: The proposed scheme requires smaller bandwidth and computational time when compared to previously proposed authenticated encryption schemes with message linkages, and hence, the message recovery phase could be speeded up.
Abstract: An efficient authenticated encryption scheme with message linkages is proposed. For achieving both privacy and integrity in data communications, the proposed scheme requires smaller bandwidth and computational time when compared to previously proposed authenticated encryption schemes with message linkages. Moreover, the proposed scheme allows the verifier to recover and verify the message blocks simultaneously, and hence, the message recovery phase could be speeded up. The security of the proposed scheme is based on the authenticated encryption scheme as well as the one-way hash cryptographic function assumption.
TL;DR: DHEtS is the first provably secure signcryption scheme with public verifiability; the conditions on the signing component needed to achieve randomness-efficiency are shown, under which the computational cost and the size of a signcryption would be greatly reduced.
Abstract: To make authenticated encryption which provides confidentiality and authenticity of a message simultaneously, a signcryption scheme uses asymmetric primitives, such as an asymmetric encryption scheme for confidentiality and a signature scheme for authentication. Among the signcryption schemes, the hybrid signcryption schemes are the signcryption schemes that use a key agreement scheme to exchange a symmetric encryption key, and then encrypt a plaintext using a symmetric encryption scheme. The hybrid signcryption schemes are especially efficient for signcrypting bulk data because of their use of symmetric encryption. Hence, to achieve the joint goals of confidentiality and authenticity in most practical implementations, hybrid signcryption schemes are commonly used.
In the paper, we study the properties of signcryption and propose a new generic hybrid signcryption scheme called DHEtS using the encrypt-then-sign composition method. DHEtS uses a symmetric encryption scheme, a signature scheme, and the DH key agreement scheme. We analyze DHEtS with respect to the properties of signcryption, and show that DHEtS provides non-repudiation and public verifiability. DHEtS is the first provably secure signcryption scheme with public verifiability. If the encrypting and signing components of DHEtS can use the same random coins, the computational cost and the size of a signcryption would be greatly reduced. We show the conditions on the signing component to achieve randomness-efficiency.
TL;DR: A new signcryption scheme with (t, n) shared unsigncryption based on the discrete logarithm is proposed, which is the integration of the signcryption scheme of Jung et al. (2001) and the Shamir (1979) secret sharing scheme.
Abstract: A new signcryption scheme with (t, n) shared unsigncryption based on the discrete logarithm is proposed, which is the integration of the signcryption scheme of Jung et al. (2001) and the Shamir (1979) secret sharing scheme. In this scheme, any t of n receivers can unsigncrypt the message and any t-1 or fewer receivers cannot unsigncrypt the message. As compared to Hsu and Wu's authenticated encryption scheme with (t, n) shared verification, the proposed scheme has the following advantages: it is more efficient for signcryption; it can prevent malicious receivers from cheating others.
TL;DR: In this article, the authors propose an approach that places an interfacing computing device between the end-user and the embedded device, comprising an SSL/TLS proxy server/router which translates between a relatively heavyweight encryption protocol used by the end-user and a relatively lightweight encryption protocol used by the embedded device.
Abstract: There are disclosed methods, systems and devices whereby SSL or TLS communications between an end-user such as a browsing agent and a small embedded device such as a microcontroller without substantial memory or processing power are made possible. One approach is to provide an interfacing computing device between the end-user and the embedded device comprising an SSL/TLS proxy server/router which translates between a relatively heavyweight encryption protocol used by the end-user and a relatively lightweight encryption protocol used by the embedded device. An alternative approach utilises an SSL/TLS assistant computing device that performs computationally expensive encryption/decryption calculations on behalf of the embedded device.
TL;DR: It is suggested that EMD provides an attractive solution to the disk-sector encryption problem, where one wants to encipher the contents of an nm-bit disk sector in a way that depends on the sector index and is secure against chosen-plaintext/chosen-ciphertext attack.
Abstract: We describe a block-cipher mode of operation, EMD, that builds a strong pseudorandom permutation (PRP) on nm bits (m ≥ 2) out of a strong PRP on n bits (i.e., a block cipher). The constructed PRP is also tweaked (in the sense of [10]): to determine the nm-bit ciphertext block C = E_K(P) one provides, besides the key K and the nm-bit plaintext block P, an n-bit tweak T. The mode uses 2m block-cipher calls and no other complex or computationally expensive steps (such as universal hashing). Encryption and decryption are identical except that encryption uses the forward direction of the underlying block cipher and decryption uses the backwards direction. We suggest that EMD provides an attractive solution to the disk-sector encryption problem, where one wants to encipher the contents of an nm-bit disk sector in a way that depends on the sector index and is secure against chosen-plaintext/chosen-ciphertext attack.
TL;DR: The conclusion is that CCM provides a level of privacy and authenticity that is in line with other proposed modes such as OCB.
Abstract: We analyze the security of the CTR + CBC-MAC (CCM) encryption mode. This mode, proposed by Doug Whiting, Russ Housley, and Niels Ferguson, combines the CTR (“counter”) encryption mode with CBC-MAC message authentication and is based on a block cipher such as AES. We present concrete lower bounds for the security of CCM in terms of the security of the underlying block cipher. The conclusion is that CCM provides a level of privacy and authenticity that is in line with other proposed modes such as OCB.
TL;DR: In this paper, a non-algebraic method of encrypting and decrypting data is proposed, which utilizes those nonlinear equations for which the solution space includes attractors to obtain intractable quantities.
Abstract: A non-algebraic method of encrypting and decrypting data. A cryptographic algorithm based on the properties of certain nonlinear equations (115, 130) is used to encrypt and decrypt data without algebraic computations. In particular, the present invention utilizes those nonlinear equations for which the solution space includes attractors to obtain intractable quantities and then operates on clear text data (120) and the intractable quantities to produce secure cipher text. Data needed or desirable for decryption are retained during the encryption process, thus optimizing the decryption process of the present invention.
TL;DR: In this paper, it was shown that many independent pseudorandom permutations over {0,1}^n can be obtained from a single public random permutation and n secret bits.
Abstract: This paper shows that many independent pseudorandom permutations over {0,1}^n can be obtained from a single public random permutation and n secret bits. It is then proved that a slightly modified IAPM (an authenticated-encryption scheme) is secure even if the underlying block cipher F is publicly accessible (as a black box). A similar result is derived for OCB mode, too. The security proofs are based on our first result, and they are extremely simple. Finally, it is shown that our security bound is tight within a constant factor.
TL;DR: This dissertation studies a construct called authenticated encryption scheme, a set of algorithms whose collective purpose is to simultaneously guarantee both privacy and authenticity of the data being transmitted between two parties, and investigates the effectiveness of one of the most popular design methodologies for authenticated encryption schemes, namely the generic composition paradigm.
Abstract: Practice-oriented provable security is a modern approach in cryptography to concretely reduce security of a cryptographic construct to the computational hardness of an underlying problem. This dissertation studies a construct called authenticated encryption scheme, a set of algorithms whose collective purpose is to simultaneously guarantee both privacy and authenticity of the data being transmitted between two parties. First, we focus on the symmetric settings. We define precise security notions for authenticated encryption schemes, show relative strengths among our notions and existing standard notions, and investigate the effectiveness of one of the most popular design methodologies for authenticated encryption schemes, namely the generic composition paradigm. In this paradigm, one combines a standard encryption scheme—a construct whose goal is privacy—and a MAC scheme—a construct whose goal is authenticity—in a modular fashion to obtain an authenticated encryption scheme. The methods we study are Encrypt-and-MAC, MAC-then-Encrypt, and Encrypt-then-MAC. As a case study, we analyze the popular SSH Internet protocol suite, find that its current design yields insecure authenticated encryption schemes, then suggest provably secure fixes. Our proofs model SSH's authenticated encryption mechanism as a case of what we call the Encode-then-Encrypt-and-MAC composition method. Our proofs can thus be generically applied to other schemes employing this composition method.
In real applications, symmetric-key cryptography is often used in combination with public-key cryptography. We focus on the most common way to combine public-key cryptography with authenticated encryption schemes. First, two parties run an authenticated key-exchange protocol to obtain a shared session key. Then, they secure successive data transmissions via an authenticated encryption scheme based on the session key. We show that such a communication session meets the notion of a secure channel proposed by Canetti and Krawczyk if and only if the underlying authenticated encryption scheme meets two new, simple definitions of security that we introduce, and the key-exchange protocol is secure. This reduces the secure channel requirements of Canetti and Krawczyk to easier to use, stand-alone security requirements on the underlying authenticated encryption scheme.
TL;DR: In this paper, a public key encryption method is proposed that enables senders and receivers to deny communication contents with respect to a third person, while still allowing the receiver to conduct message authentication.
Abstract: PROBLEM TO BE SOLVED: To enable senders and receivers to deny communication contents with respect to a third person, but to authorize the receiving person to conduct message authentication. SOLUTION: If the sender's signature key is defined as sks, the signature verification key as pks, and the encryption key as pkr, the signature verification key pks and the encryption key pkr are opened as public keys and are used for encrypted communication between two persons in a public key encryption method. For generating an encrypted text c, using an identification value IDb for identifying the receiver, a random number r is generated, an address authenticator h is generated from the identification value IDb for identifying the receiving person and the random number r, a signature σ for the address authenticator h is generated using the signature key, and (m, r, σ) are encrypted using the encryption key pkr to obtain the encrypted text c. COPYRIGHT: (C) 2004, JPO
TL;DR: In this paper, the notion of secure channel protocol was introduced for authenticated key exchange protocols, in which a pair of parties begin by running an authenticated key-exchange protocol to obtain a shared session key, and then secure successive data transmissions between them via an authenticated encryption scheme based on the session key.
Abstract: We consider communication sessions in which a pair of parties begin by running an authenticated key-exchange protocol to obtain a shared session key, and then secure successive data transmissions between them via an authenticated encryption scheme based on the session key. We show that such a communication session meets the notion of a secure channel protocol proposed by Canetti and Krawczyk [9] if and only if the underlying authenticated encryption scheme meets two new, simple definitions of security that we introduce, and the key-exchange protocol is secure. In other words, we reduce the secure channel requirements of Canetti and Krawczyk to easier to use, stand-alone security requirements on the underlying authenticated encryption scheme. In addition, we relate the two new notions to existing security notions for authenticated encryption schemes.