Scispace (Formerly Typeset)
Showing papers on "Authenticated encryption published in 2012"
Book Chapter • DOI: 10.1007/978-3-642-30057-8_32
New definitions and separations for circular security

David Cash (IBM), Matthew Green and Susan Hohenberger (Johns Hopkins University)
21 May 2012
TL;DR: For symmetric encryption, under the minimal assumption that one-way functions exist, n-weak circular (CPA) security is not implied by CCA security, for any n, and is not even implied by authenticated encryption security, where ciphertext integrity is guaranteed.
Abstract: Traditional definitions of encryption security guarantee secrecy for any plaintext that can be computed by an outside adversary. In some settings, such as anonymous credential or disk encryption systems, this is not enough, because these applications encrypt messages that depend on the secret key. A natural question to ask is whether standard definitions capture these scenarios. One area of interest is n-circular security, where the ciphertexts $E(pk_1,sk_2), E(pk_2,sk_3), \dots, E(pk_{n-1},sk_n), E(pk_n, sk_1)$ must be indistinguishable from encryptions of zero. Acar et al. (Eurocrypt 2010) provided a CPA-secure public key cryptosystem that is not 2-circular secure due to a distinguishing attack. In this work, we consider a natural relaxation of this definition. Informally, a cryptosystem is n-weak circular secure if an adversary given the cycle $E(pk_1,sk_2), E(pk_2,sk_3), \dots, E(pk_{n-1},sk_n), E(pk_n, sk_1)$ has no significant advantage in the regular security game (e.g., CPA or CCA), where ciphertexts of chosen messages must be distinguished from ciphertexts of zero. Since this definition is sufficient for some practical applications and the Acar et al. counterexample no longer applies, the hope is that it would be easier to realize, or perhaps even implied by standard definitions. We show that this is unfortunately not the case: even this weaker notion is not implied by standard definitions. Specifically, we show: For symmetric encryption, under the minimal assumption that one-way functions exist, n-weak circular (CPA) security is not implied by CCA security, for any n. In fact, it is not even implied by authenticated encryption security, where ciphertext integrity is guaranteed. For public-key encryption, under a number-theoretic assumption, 2-weak circular security is not implied by CCA security.
In both of these results, which also apply to the stronger circular security definition, we actually show for the first time an attack in which the adversary can recover the secret key of an otherwise-secure encryption scheme after an encrypted key cycle is published. These negative results are an important step in answering deep questions about which attacks are prevented by commonly-used definitions and systems of encryption. They say to practitioners: if key cycles may arise in your system, then even if you use CCA-secure encryption, your system may break catastrophically; that is, a passive adversary might be able to recover your secret keys.

62 citations

Patent
Embedded Authentication Protocol for Quantum Key Distribution Systems

Bryan C. Jacobs (Johns Hopkins University)
25 May 2012
TL;DR: In this article, the authenticated encryption key is constructed based on a corresponding one of transmitted events and detected events, and the authenticated key can be modified based on disclosed detection information, such as detection interval information, basis-sifting information, associated detection basis information, and/or parity measures.
Abstract: In methods and systems to authenticate systems in a quantum key distribution environment based on limited disclosures and identical, re-usable, pre-provisioned authentication keys, each system constructs an encryption key based on a corresponding one of transmitted events and detected events. Basis-sifting, error detection, error correction, and/or privacy amplification (PA) may be performed on the encryption keys based on limited disclosures (e.g., detection interval information, basis-sifting information, associated detection basis information, and/or parity measures). The authenticated keys may be modified based on disclosed detection information. Error detection and/or PA may be performed with identical pre-provisioned algorithms and pseudo-random values generated from the authenticated keys or modified authenticated keys. Final authenticated encryption keys are selectively constructed depending upon an extent of detected errors. Construction of authenticated encryption keys indicates authentication of the systems. None of the pre-provisioned authentication keys or modified authentication keys is disclosed and may thus be reused.

49 citations

Book Chapter • DOI: 10.1007/978-3-642-33481-8_16
High speed implementation of authenticated encryption for the MSP430X microcontroller

Conrado Porto Lopes Gouvêa and Julio López (State University of Campinas)
7 Oct 2012
TL;DR: This work describes an optimized implementation of authenticated encryption for the MSP430X family of microcontrollers and explores the characteristics of the AES accelerator to improve the performance of the implemented modes.
Abstract: Authenticated encryption is a symmetric cryptography scheme that provides both confidentiality and authentication. In this work we describe an optimized implementation of authenticated encryption for the MSP430X family of microcontrollers. The CCM, GCM, SGCM, OCB3, Hummingbird-2 and MASHA authenticated encryption schemes were implemented at the 128-bit level of security and their performance was compared. The AES accelerator included in some models of the MSP430X family is also studied and we explore its characteristics to improve the performance of the implemented modes, achieving a speedup of up to 10 times. The CCM and OCB3 schemes were the fastest when using the AES accelerator, while MASHA and Hummingbird-2 were the fastest when using only software.

29 citations

Patent
Memory authentication with redundant encryption

Thomas Cordella and John Profumo (Honeywell)
28 Jun 2012
TL;DR: In this paper, the contents of a memory are authenticated using redundant encryption by comparing the plaintext obtained by decrypting the cipher text with the plaintext obtained by decrypting the authentication tag; a match indicates the data was not corrupted or modified during storage in the memory.
Abstract: Contents of a memory may be authenticated using redundant encryption. In some examples, data to be stored by a memory is encrypted with two unique encryption keys: a first encryption key is used to generate a cipher text and a second encryption key (different from the first encryption key) is used to generate an authentication tag. The cipher text and authentication tag are stored by the memory. At a later time, the cipher text and authentication tag may be retrieved from the memory and decrypted using the respective encryption keys. After decrypting the cipher text and the authentication tag, the data retrieved from the memory may be authenticated by comparing the plaintext generated by decrypting the cipher text with the plaintext generated by decrypting the authentication tag. A match between the plaintexts indicates the data was not corrupted or modified during storage in the memory.

22 citations

Book Chapter • DOI: 10.1007/978-3-642-37288-9_10
On the implementation aspects of sponge-based authenticated encryption for pervasive devices

Tolga Yalcin and Elif Bilge Kavun (Ruhr University Bochum)
28 Nov 2012
TL;DR: An attempt is made by implementing the new SpongeWrap authenticated encryption schemes on all existing sponge functions and showing that it is possible to realize a low-latency scheme in less than 6K gate equivalents at a throughput of 5 Gbps with a 128-bit claimed security level.
Abstract: Widespread use of pervasive devices has resulted in security problems which cannot be solved by conventional algorithms and approaches. These devices are not only extremely resource-constrained, but most of them also require high performance, with respect to available resources, in terms of security, speed and latency. Especially for authenticated encryption, such performance cannot be achieved with a standard encryption-hash algorithm pair or even a "block cipher mode of operation" approach. New ideas such as permutation-based authenticated encryption have to be explored. This scheme has been made possible by the introduction of sponge functions. Implementation feasibility of such an approach has yet to be explored. In this study, we make such an attempt by implementing the new SpongeWrap authenticated encryption schemes on all existing sponge functions and show that it is possible to realize a low-latency scheme in less than 6K gate equivalents at a throughput of 5 Gbps with a 128-bit claimed security level.

17 citations

Book Chapter • DOI: 10.1007/978-3-642-28368-0_9
Authenticated-Encryption with padding: a formal security treatment

Kenneth G. Paterson (Royal Holloway, University of London), Gaven J. Watson (University of Calgary)
1 Jan 2012
TL;DR: The chosen-ciphertext setting is considered, examining the question of how CBC mode encryption, padding, and an integrity protection mechanism should be combined in order to provably defeat padding oracle attacks.
Abstract: Vaudenay's padding oracle attacks are a powerful type of side-channel attack against systems using CBC mode encryption. They have been shown to work in practice against certain implementations of important secure network protocols, including IPsec and SSL/TLS. A formal security analysis of CBC mode in the context of padding oracle attacks in the chosen-plaintext setting was previously performed by the authors. In this paper, we consider the chosen-ciphertext setting, examining the question of how CBC mode encryption, padding, and an integrity protection mechanism should be combined in order to provably defeat padding oracle attacks. We introduce new security models for the chosen-ciphertext setting which we then use to formally analyse certain authenticated-encryption schemes, namely the three compositions: Pad-then-Encrypt-then-Authenticate (as used in particular configurations of IPsec), Pad-then-Authenticate-then-Encrypt, and Authenticate-then-Pad-then-Encrypt (as used in SSL/TLS).

16 citations

Proceedings Article • DOI: 10.1109/CSQRWC.2012.6294960
An authenticated encryption scheme for automatic dependent surveillance-broadcast data link

Tso-Cho Chen (China University of Science and Technology)
23 Jul 2012
TL;DR: A data link authenticated encryption (DLAE) scheme is designed for simultaneously protecting both message's privacy and its authenticity and can increase significantly the processing speed in comparison with the traditional design methods.
Abstract: To meet future demand for air transport growth, break the limitations of traditional ground navigation aid facilities and effectively enhance flight safety and efficiency, a new generation of air surveillance system will use the automatic dependent surveillance-broadcast (ADS-B) system. However, the ADS-B data link is a wireless broadcast-type link which has no designed-in security measures. Therefore potential security vulnerabilities and threats remain to be assessed and resolved. This paper aims to assess the security of the ADS-B data link, and to build encryption and authentication capability on the ADS-B data link to provide privacy and integrity of broadcast information. In the paper, a data link authenticated encryption (DLAE) scheme is designed for simultaneously protecting both a message's privacy and its authenticity. Traditionally, these two security goals have been handled separately by means of encryption schemes and message authentication codes. The proposed DLAE can significantly increase the processing speed in comparison with the traditional design methods.

16 citations

Proceedings Article • DOI: 10.1109/RECONFIG.2012.6416743
Efficient and side-channel resistant authenticated encryption of FPGA bitstreams

Andrey Bogdanov (Technical University of Denmark), Amir Moradi and Tolga Yalcin (Ruhr University Bochum)
1 Dec 2012
TL;DR: This work proposes a new solution for authenticated encryption (AE) tailored for FPGA bitstream protection based on the recent proposal presented at DIAC'12, the AES-based authenticated encryption scheme ALE, which is at least twice as resource-efficient as the best AE modes of operation instantiated with AES.
Abstract: State-of-the-art solutions for FPGA bitstream protection rely on encryption and authentication of the bitstream to both ensure its confidentiality, thwarting unauthorized copying and reverse engineering, and prevent its unauthorized modification, maintaining a root of trust in the field. Adequate protection of the FPGA bitstream is of paramount importance to sustain the central functionality of dynamic reconfiguration in a hostile environment. In this work, we propose a new solution for authenticated encryption (AE) tailored for FPGA bitstream protection. It is based on the recent proposal presented at DIAC'12: the AES-based authenticated encryption scheme ALE. Our comparison to existing AES-based schemes reveals that ALE is at least twice as resource-efficient as the best AE modes of operation instantiated with AES. In view of the recent successful side-channel attacks on Xilinx Virtex bitstream encryption, we investigate the possibility of side-channel resistant implementations of all these AES-based AE algorithms using state-of-the-art threshold masking techniques. Also in this side-channel resistant setting, the protected ALE design is about twice as resource-efficient as the best AE modes of operation with the same countermeasure. We conclude that the deployment of dedicated AE schemes such as ALE significantly facilitates the real-world efficiency and security of FPGA bitstream protection in practice: not only does our solution enable authenticated encryption for bitstreams on low-cost FPGAs, but it also aims to mitigate physical attacks which have lately been shown to undermine the security of the bitstream protection mechanisms in the field.

15 citations

Patent
Method and System for a Certificate-less Authenticated Encryption Scheme Using Identity-based Encryption

Behzad Malek
10 Feb 2012
TL;DR: A method of verifying public parameters from a trusted center in an identity-based encryption system prior to encrypting a plaintext message by a sender having a sender identity string may be found in this paper.
Abstract: A method of verifying public parameters from a trusted center in an identity-based encryption system prior to encrypting a plaintext message by a sender having a sender identity string may include: identifying the trusted center by a TC identity string, the trusted center having an identity-based public encryption key of the trusted center based on the TC identity string; determining if the sender has a sender private key and the public parameters for the trusted center including the public encryption key of the trusted center and a bilinear map; and verifying the public parameters using the TC identity string prior to encrypting the plaintext message into a ciphertext by comparing values of the bilinear map calculated with variables from the trusted center. The ciphertext may include a component to authenticate the sender once the ciphertext is received and decrypted by the recipient using the private key of the recipient.

13 citations

Book Chapter • DOI: 10.1007/978-3-642-38519-3_14
Collision Attacks on Variant of OCB Mode and Its Series

Zhelei Sun, Peng Wang and Liting Zhang (Chinese Academy of Sciences)
28 Nov 2012
TL;DR: Research shows that OCB-ZXY still cannot resist collision attacks, and even if OCB2 and OCB3 adopt the ODPBT technique, collision attacks still exist.
Abstract: Three versions of OCB appeared in the literature: OCB1, OCB2 and OCB3. Ferguson pointed out that OCB1 could not resist collision attacks, which was improved by Mathiassen. Zhang, Xing and Yang made the first attempt to improve OCB1 against this prevailing attack on blockcipher modes of operation, and proposed a new authenticated encryption mode OCB-ZXY, using the offset dependent plaintext block transformation (ODPBT) technique. Our research shows that: 1) OCB-ZXY still cannot resist collision attacks. 2) OCB2 and OCB3 also suffer from collision attacks, even more severely than OCB1. 3) Even if OCB2 and OCB3 adopt the ODPBT technique, collision attacks still exist.

13 citations

Heavy Quark for secure AEAD

Jean-Philippe Aumasson, Simon Knellwolf, Willi Meier
1 Jan 2012
TL;DR: This work creates a new Quark instance to use in a custom SpongeWrap mode, and proposes a 256-bit authenticated encryption scheme with associated data (AEAD) based on the lightweight design Quark, providing insights on the scalability of lightweight designs to higher security levels.
Abstract: Lightweight primitives are generally limited to 80- or 128-bit security, because lightweight applications seldom need more than this. However, non-lightweight platforms like multimedia systems-on-chip would also greatly benefit from a smaller hardware footprint, as it reduces development and integration costs, and leaves more circuit area to another component, or to add another functionality. Such systems sometimes need up to 256-bit security, for example to ensure a consistent security level across primitives. This paper thus breaks with the tradition and proposes a 256-bit authenticated encryption scheme with associated data (AEAD), based on the lightweight design Quark. We create a new Quark instance to use in a custom SpongeWrap mode, offering one-pass AEAD supporting arbitrary interleaving of encrypted and associated data, as well as a range of trade-offs between security and usage limit. More than a new primitive, this work provides insights on the scalability of lightweight designs to higher security levels: our new design c-Quark has an internal state of 384 bits, and allows the implementation of 256-bit AEAD with in the order of 4000 GE.
Proceedings Article • DOI: 10.1109/BWCCA.2012.104
A Secure E-Voting System Based on RSA Time-Lock Puzzle Mechanism

Hsing-Chung Chen and Rini Deviani (Asia University, Taiwan)
12 Nov 2012
TL;DR: An RSA time-lock puzzle authenticated e-voting system provides public-key based authenticated encryption algorithm that takes sender's secret key, receiver's public key and designated time and the resulting cipher text can be decrypted only by receiver.
Abstract: The main principle of e-voting is that it must be as similar to regular voting as possible, compliant with election legislation and principles, and at least as secure as regular voting. Therefore, e-voting must be uniform and secret, and only eligible persons may be allowed to use the e-voting system. In this paper, we assume that every voter should be able to cast only one vote corresponding to one voting case, and that a voter will not be able to prove her/his choice. Furthermore, the collecting of votes has to be secure, reliable and accountable. In terms of Timed-Release Cryptography, e-voting is intended to prevent the early opening of electronically-cast votes. It also avoids election fraud, which means that all parties involved do not have access to the results until a specific, predefined time in the future. In this thesis, we propose an RSA time-lock puzzle authenticated e-voting system. It provides a public-key based authenticated encryption algorithm that takes the sender's secret key, the receiver's public key and a designated time. Therefore, the resulting cipher text can be decrypted only by the receiver and only starting from the designated time, by using the receiver's secret key and the sender's public key, together with some secret that will be disclosed only at the designated time.
Book Chapter • DOI: 10.1007/978-3-642-30598-6_6
Designing the API for a cryptographic library: a misuse-resistant application programming interface

Christian Forler, Stefan Lucks and Jakob Wenzel (Bauhaus University, Weimar)
11 Jun 2012
TL;DR: This paper concentrates on the handling of nonces ("number used once") and on authenticated encryption, i.e., on establishing a safe communication channel between two parties which share a common secret key.
Abstract: Most of the time, cryptography fails due to "implementation and management errors". So the task at hand is to design a cryptographic library to ease its safe use and to hinder implementation errors. This is of special interest when the implementation language is celebrated for its qualification to write reliable, safe and secure systems, such as Ada. This paper concentrates on the handling of nonces ("number used once") and on authenticated encryption, i.e., on establishing a safe communication channel between two parties which share a common secret key. Cryptographers consider it a "nonce misuse" if a nonce value is ever reused. Avoiding nonce misuse is easy in theory, but difficult in practice. One problem with authenticated encryption is that a naive combination of a secure authentication and a secure encryption scheme may turn out to be insecure. Another problem is that decryption temporarily provides an incomplete plaintext, which may eventually be found to be unauthentic. We discuss how to ease the proper usage of cryptosystems, how to hinder unintentional misuse, and how one may possibly limit the damage in the case of a misuse.
Journal Article • DOI: 10.1016/J.ESWA.2011.07.105
Secure communication for electronic business applications in mobile agent networks

Woei-Jiunn Tsaur (Dayeh University)
01 Jan 2012, Expert Systems With Applications
TL;DR: A proxy signature scheme is developed for protecting mobile agents against malicious agent hosts, and a proxy authenticated encryption scheme is designed so that the signature of the contracts will satisfy users' constraints, and the non-repudiation of servers can be achieved.
Abstract: The mobile agent plays an increasingly important role in electronic business applications, because it can provide the essential properties of personalization, automation and intelligence, etc. This paper proposes several appropriate security schemes for protecting mobile agent networks in electronic business applications. As far as mobile agent security is concerned, we develop a proxy signature scheme for protecting mobile agents against malicious agent hosts. The proposed proxy signature scheme can protect users' private keys stored in smart cards, and provide the fairness of contracts signed by agents. In addition, we also design a proxy authenticated encryption scheme so that the signature of the contracts will satisfy users' constraints, and the non-repudiation of servers can be achieved. On the other hand, as far as agent host security is concerned, we apply the idea of proxy signature to construct an authentication scheme for protecting agent hosts. This scheme is to achieve the requirements of authentication and authorization. Furthermore, we also implement the proposed security schemes to achieve security requirements of confidentiality, integrity, authenticity, and non-repudiation for protecting Linux-based mobile agents and hosts in an electronic auction application. Hence, we affirm that the proposed security schemes are suitable for practical electronic business applications in mobile-agent-based network environments.
Journal Article • DOI: 10.1016/J.INS.2012.02.051
Provably convertible multi-authenticated encryption scheme for generalized group communications

Chung-Fu Lu (Chihlee Institute of Technology), Chien-Lung Hsu (Chang Gung University), Han-Yu Lin (Institute for Information Industry)
01 Sep 2012, Information Sciences
TL;DR: This paper proposes a new convertible multi-authenticated encryption scheme without using message redundancy for generalized group communications that is more efficient in terms of computational efforts and communication overheads.
Journal Article • DOI: 10.1002/ETT.1522
A publicly verifiable PCAE scheme for confidential applications with proxy delegation

Tzong-Sun Wu, Han-Yu Lin and Pei-Yih Ting (National Taiwan Ocean University)
1 Mar 2012
TL;DR: A bilinear pairing-based proxy convertible authenticated encryption scheme that allows the delegated proxy signer to generate an authenticated ciphertext on behalf of the original signer, while only the designated recipient is able to decrypt the ciphertext and verify the proxy signature.
Abstract: With the diversity of business transactions, new application requirements will emerge. Many confidential transactions, such as online auctions and bank savings withdrawals, sometimes might be conducted by an authorized proxy. In this paper, we propose a bilinear pairing-based proxy convertible authenticated encryption scheme. The proposed scheme allows the delegated proxy signer to generate an authenticated ciphertext on behalf of the original signer, while only the designated recipient is able to decrypt the ciphertext and verify the proxy signature. To benefit the encryption of a large message, we further present another variant with message linkages. Both schemes are publicly verifiable, that is, the designated recipient can convert the ciphertext into an ordinary proxy signature for public verification. In addition, the security requirement of confidentiality against indistinguishability under adaptive chosen-ciphertext attacks and that of unforgeability against existential forgery under adaptive chosen-message attacks are proved in the random oracle model.
Proceedings Article • DOI: 10.1109/CSAE.2012.6272647
Novel convertible authenticated encryption schemes without using hash functions

Xuhong Li, Wei Zhang, Xia Wang, Muhai Li
25 May 2012
TL;DR: Based on the public discrete logarithm hard problem solely, this paper proposes a novel convertible authenticated encryption scheme without using hash functions, and extends it to a (t, n) threshold scheme.
Abstract: An authenticated encryption scheme allows a designated recipient to recover the message and then verify its authenticity while keeping the message secret from the public, and a convertible authenticated encryption scheme enables the recipient to convert the signature to an ordinary one so that any third party can verify its validity. The paper shows a weakness in Chien's [3] convertible authenticated encryption scheme; then, based solely on the public discrete logarithm hard problem, we propose a novel convertible authenticated encryption scheme without using hash functions, and extend it to a (t, n) threshold scheme. The proposed schemes have the following characteristics: each scheme provides semantic security of the message, that is, after getting a valid signature, an adversary cannot determine whether his guessed message is the actual message signed by the sender by checking if it satisfies the verification equalities; if the signer repudiates her signature, the recipient can prove, without the cooperation of the signer, the dishonesty of the signer to any third party by revealing the message and its converted signature; if the recipient does not reveal the converted signature, no third party can check the validity of the message even if he gets the message and its corresponding signature; there are no hash functions in the proposed convertible authenticated encryption schemes.
Book Chapter • DOI: 10.1007/978-3-642-33167-1_32
Towards Symbolic Encryption Schemes

Naveed Ahmed, Christian Damsgaard Jensen, Erik Zenner (University of Applied Sciences Offenburg)
10 Sep 2012
TL;DR: Symbolic encryption, in the style of Dolev-Yao models, is ubiquitous in formal security models, but many reasonable encryption schemes, such as AES in the CBC or CFB mode, are not among the implementation options.
Abstract: Symbolic encryption, in the style of Dolev-Yao models, is ubiquitous in formal security models. In its common use, encryption on a whole message is specified as a single monolithic block. From a cryptographic perspective, however, this may require a resource-intensive cryptographic algorithm, namely an authenticated encryption scheme that is secure under chosen ciphertext attack. Therefore, many reasonable encryption schemes, such as AES in the CBC or CFB mode, are not among the implementation options.
Journal Article • DOI: 10.5120/IJAIS12-450184
Random Key Chaining (RKC): AES Mode of Operation

Puneet Kumarkaushal, Rajeev Sobti, G. Geetha
18 Feb 2012, International Journal of Applied Information Systems
TL;DR: Random Key Chaining (RKC) is a block cipher mode of operation that makes use of a Deterministic Random Bit Generator (DRBG); with the application of the DRBG, every block of plaintext is encrypted with a different key, bringing it closer to the one-time pad approach.
Abstract: There is a compelling need for a mode of operation that can efficiently provide authenticated encryption at a higher data rate, and is capable of making use of pipelining and parallel processing. This paper describes the Random Key Chaining (RKC) block cipher mode of operation that fills this need. RKC mode makes use of a Deterministic Random Bit Generator (DRBG), and with the application of the DRBG every block of plaintext is encrypted with a different key, bringing it closer to the one-time pad approach. A slight variation of RKC mode can be used as a confidentiality mode in applications like hard-disk compression with reduced computational cost.
Proceedings Article • DOI: 10.1109/DCABES.2012.55
Memory Confidentiality and Integrity Protection Method Based on Variable Length Counter

Ma Haifeng, Yao Nian-min, Cai Shaobin and Han Qilong (Harbin Engineering University)
19 Oct 2012
TL;DR: The analysis and the simulation results indicate that, compared with counter mode encryption, the proposed scheme can decrease the memory space overhead and the number of counter overflows.
Abstract: Focusing on the problem of high overhead and frequent overflow in counter mode encryption, this paper proposes an efficient scheme to protect data confidentiality and integrity. Based on the locality of data accesses, the scheme sets different counter lengths for memory areas according to their access frequency, and the counter length can be adjusted dynamically. The analysis and the simulation results indicate that, compared with counter mode encryption, the scheme can decrease the memory space overhead and the number of overflows. The proposed scheme can be applied to other counter-based schemes for protecting confidentiality and integrity, and can satisfy the performance requirements of most applications.
Book
Progress in cryptology : LATINCRYPT 2012 : 2nd International Conference on Cryptology and Information Security in Latin America, Santiago, Chile, October 7-10, 2012 : proceedings

Alejandro Hevia, Gregory Neven, Latincrypt
1 Jan 2012
TL;DR: Improved Exponentiation and Key Agreement in the Infrastructure of a Real Quadratic Field and Random Mappings with Restricted Preimages are presented.
Abstract (table of contents): Indifferentiable Hashing to Barreto-Naehrig Curves; Semi-bent Functions with Multiple Trace Terms and Hyperelliptic Curves; Complete Atomic Blocks for Elliptic Curves in Jacobian Coordinates over Prime Fields; Message-Based Traitor Tracing with Optimal Ciphertext Rate; Leakage-Resilient Spatial Encryption; On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols: PRF-ness alone Does Not Stop the Frauds!; Lattice-Based Hierarchical Inner Product Encryption; Towards Efficient Arithmetic for Lattice-Based Cryptography on Reconfigurable Hardware; The Security Impact of a New Cryptographic Library; Faster Implementation of Scalar Multiplication on Koblitz Curves; Zero-Knowledge for Multivariate Polynomials; Improved Exponentiation and Key Agreement in the Infrastructure of a Real Quadratic Field; UOWHFs from OWFs: Trading Regularity for Efficiency; Random Mappings with Restricted Preimages; On the Sosemanuk Related Key-IV Sets; High Speed Implementation of Authenticated Encryption for the MSP430X Microcontroller; Infective Computation and Dummy Rounds: Fault Protection for Block Ciphers without Check-before-Output.
Proceedings Article•10.1109/VLSI-SOC.2012.7332088•
100 Gbit/s authenticated encryption based on quantum key distribution

[...]

Michael Muehlberghuber1, Christoph A. Keller1, Norbert Felber1, Christian Pendl2•
ETH Zurich1, Graz University of Technology2
1 Oct 2012
TL;DR: This work proposes a block-cipher-based hardware architecture for authenticated encryption applications supporting the Ethernet standard IEEE 802.3ba, and achieves a throughput of 133 Gbit/s on an Altera Stratix IV FPGA, which represents, to the best of the authors' knowledge, the fastest full implementation of an AE scheme on FPGAs to date.
Abstract: We propose a block-cipher-based hardware architecture for authenticated encryption (AE) applications supporting the Ethernet standard IEEE 802.3ba. Our main design goal was to achieve high throughput on FPGA platforms. Compared to previous works aiming at data rates beyond 100 Gbit/s, our design makes use of an alternative block cipher and an alternative mode of operation, namely Serpent and the offset codebook mode of operation, respectively. Using four cipher cores for the encryption part of the AE architecture, we achieve a throughput of 133 Gbit/s on an Altera Stratix IV FPGA. The design requires 30 kALMs and runs at a maximum clock frequency of 260 MHz. This represents, to the best of our knowledge, the fastest full implementation of an AE scheme on FPGAs to date.
Patent•
Sharing device based on NFC (near field communication) short-distance transmission

[...]

Wei Wang
3 Oct 2012
TL;DR: In this article, a sharing device based on NFC (near field communication) short-distance transmission is disclosed, which comprises a computer device, a system database and a data transmission module.
Abstract: The utility model discloses a sharing device based on NFC (near field communication) short-distance transmission, which comprises a computer device, a system database and a data transmission module, wherein the system database and the data transmission module are arranged on the computer device; in addition, the sharing device also comprises two or more mobile terminals, and the data transmission module is connected with the mobile terminals in an NFC point-to-point communication mode. By adopting the NFC point-to-point communication mode and using the mobile terminals as media, the system database on the computer device can be connected with the two or more mobile terminals so as to achieve short-distance data transmission and exchange, and through an authenticated encryption module and a secure encryption module it can be guaranteed that the transmitted data is not disclosed. Thus data transmission can be provided for two or more mobile terminals securely, with convenient operation and fast response.
Journal Article•10.2316/JOURNAL.212.2012.1.212-1024•
Authenticated encryption scheme based on paillier system with verifiable public keys

[...]

Tzong-Sun Wu, Yih-Sen Chen, Han-Yu Lin, Tang-Kai Chang
1 Jan 2012
Book Chapter•10.1007/978-3-642-35890-6_4•
An Efficient and Secure Coding-Based Authenticated Encryption Scheme

[...]

Mohammed Meziani, Rachid El Bansarkhani1•
Technische Universität Darmstadt1
13 Sep 2012
TL;DR: A new and efficient two-pass authenticated encryption scheme, called SCAE, which is different from previously proposed ones based on number theoretic problems such as factoring and discrete logarithm problem or block ciphers and is the first AE scheme of this type based on coding theory.
Abstract: An authenticated encryption (AE) scheme is a better way to simultaneously provide privacy and authenticity. This paper presents a new and efficient two-pass AE scheme, called SCAE, which is different from previously proposed ones based on number theoretic problems such as factoring and discrete logarithm problem or block ciphers. The proposed scheme is based on coding theory and is the first AE scheme of this type. Its security is related to the hardness of the regular syndrome decoding problem. The security requirement of privacy and that of authenticity are also proved. Additionally, the performance of SCAE is comparable to that of the other efficient schemes from the theoretical point of view. A software or hardware implementation of the proposed scheme is left open as future work to show its speed in practice.
Proceedings Article•10.1109/IMIS.2012.138•
Countermeasures and Tactics for Transitioning against the SSL/TLS Renegotiation Vulnerability

[...]

Yuji Suga1•
Internet Initiative Japan1
4 Jul 2012
TL;DR: Problems of transitioning to new specifications, including the SSL/TLS renegotiation vulnerability, are discussed; the vulnerability affects a large number of applications and systems.
Abstract: In November 2009, Marsh Ray, Steve Dispensa and Martin Rex released details of a vulnerability in the SSL and TLS protocols that could allow man-in-the-middle attacks to be carried out. SSL and TLS operate between the IP and application layers and ensure application data encryption and data integrity, authenticating the target of communications using X.509 public key certificates. As they are used together with application-layer communication protocols such as HTTP, SMTP and POP, this vulnerability affects a large number of applications and systems. The vulnerability can be attributed to a problem in the SSL and TLS protocol specifications themselves. Fixes were released for OpenSSL and Apache immediately; however, most of these simply disable the renegotiation feature that causes the problem. More thorough measures require an update to the current specifications and migration to implementations that follow the new specifications. The IETF published countermeasures with unprecedented speed as RFC 5746; however, server-side implementations are not settled. In this paper, we discuss the problems of transitioning to new specifications, including the SSL/TLS renegotiation vulnerability.
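The abstract names the countermeasure (RFC 5746) but not what it changes. The following is an added example written for this page, not code from the paper: a message-level simulation of the renegotiation_info binding, in which each side remembers the verify_data of its last Finished messages, a renegotiating client echoes its previous client verify_data, and the server refuses a renegotiation whose value does not match its own record. It then replays the 2009 prefix-injection scenario against a server with and without the check. Assumptions: HMAC-SHA256 stands in for the TLS PRF, handshake messages are plain dicts, key exchange is omitted, and the injected HTTP prefix is constructed.

```python
"""RFC 5746 renegotiation_info binding, simulated (added example, not the paper's code)."""
import hashlib
import hmac

VERIFY_LEN = 12  # verify_data length of the Finished message in TLS 1.0-1.2


class HandshakeError(Exception):
    pass


class Endpoint:
    """Per-connection state RFC 5746 requires: verify_data of the last completed handshake."""
    def __init__(self):
        self.client_verify_data = b""   # empty until a handshake has completed
        self.server_verify_data = b""


def verify_data(master_secret: bytes, label: bytes, transcript: bytes) -> bytes:
    # Stand-in for the TLS PRF (assumption): HMAC-SHA256 keyed with the master secret
    # over the Finished label and a hash of the handshake transcript.
    mac = hmac.new(master_secret, label + hashlib.sha256(transcript).digest(), hashlib.sha256)
    return mac.digest()[:VERIFY_LEN]


def client_hello(client: Endpoint) -> dict:
    # Initial handshake: empty renegotiation_info (or the SCSV cipher suite).
    # Renegotiation: the client verify_data of the handshake the client thinks it is renewing.
    return {"renegotiation_info": client.client_verify_data}


def server_hello(server: Endpoint, hello: dict, secure_renegotiation: bool = True) -> dict:
    if not secure_renegotiation:
        return {}   # pre-RFC 5746 server: any handshake is accepted as a renegotiation
    if "renegotiation_info" not in hello:
        raise HandshakeError("client does not signal RFC 5746 support")
    if not hmac.compare_digest(hello["renegotiation_info"], server.client_verify_data):
        # The client's idea of "the previous handshake on this connection" differs from
        # the server's: an initial ClientHello spliced into someone else's connection.
        raise HandshakeError("renegotiation_info mismatch: handshake not bound to this connection")
    return {"renegotiation_info": server.client_verify_data + server.server_verify_data}


def client_check(client: Endpoint, shello: dict) -> None:
    expected = client.client_verify_data + client.server_verify_data
    if not hmac.compare_digest(shello.get("renegotiation_info", b""), expected):
        raise HandshakeError("server renegotiation_info mismatch")


def complete_handshake(client: Endpoint, server: Endpoint, transcript: bytes) -> None:
    # Key exchange omitted: both sides derive a master secret from the transcript
    # (constructed stand-in) and record the Finished verify_data for the next handshake.
    master = hashlib.sha256(b"master-secret|" + transcript).digest()
    cvd = verify_data(master, b"client finished", transcript)
    svd = verify_data(master, b"server finished", transcript + cvd)
    for ep in (client, server):
        ep.client_verify_data, ep.server_verify_data = cvd, svd


def handshake(client: Endpoint, server: Endpoint, transcript: bytes, secure: bool = True) -> None:
    shello = server_hello(server, client_hello(client), secure)
    client_check(client, shello)
    complete_handshake(client, server, transcript)


def honest_renegotiation() -> bool:
    c, s = Endpoint(), Endpoint()
    handshake(c, s, b"hs1")
    handshake(c, s, b"hs2")      # carries hs1's verify_data, which the server also holds
    return c.client_verify_data == s.client_verify_data != b""


def prefix_injection(secure_server: bool) -> str:
    """Ray/Dispensa/Rex scenario: the attacker completes a handshake with the server, sends
    a partial request, then forwards the victim's initial handshake as a renegotiation so
    the victim's request is appended to the attacker's prefix inside one session."""
    victim, attacker, server = Endpoint(), Endpoint(), Endpoint()
    handshake(attacker, server, b"attacker-hs", secure_server)
    prefix = b"GET /account/transfer?to=attacker HTTP/1.1\r\nX-Ignore: "   # constructed
    try:
        server_hello(server, client_hello(victim), secure_server)   # victim's RI is empty
    except HandshakeError:
        return "rejected"
    return "accepted: " + prefix.decode() + "<victim's request follows>"
```

`prefix_injection(True)` is refused because the victim's ClientHello carries an empty renegotiation_info while the server's record holds the attacker's verify_data; `prefix_injection(False)` goes through, which is the original vulnerability. On a live host, `openssl s_client -connect host:443` reports whether the peer negotiated the extension with the line "Secure Renegotiation IS supported" (or "IS NOT supported").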
Journal Article•10.1049/IET-IFS.2011.0162•
Provably secure convertible multi-authenticated encryption scheme

[...]

Qi Xie1•
Hangzhou Normal University1
09 Jul 2012-Iet Information Security
TL;DR: The author shows that Tsai's 2009 CMAE scheme is distinguishable under adaptive chosen-message attack and that the designated verifier can generate the signature of the same message for other verifiers, presents the first complete formal model of CMAE, and proposes a new scheme that is provably secure in the random oracle model.
Abstract: In 2009, Tsai proposed an efficient convertible multi-authenticated encryption (CMAE) scheme. However, the author shows that Tsai's scheme is distinguishable under adaptive chosen-message attack, and that the designated verifier can generate the signature of the same message for other verifiers. Since no formal model of CMAE has been presented in the literature, the author presents the first complete formal model of CMAE. Then, a new scheme is proposed. The proposed scheme is provably secure in the random oracle model.
Proceedings Article•10.2514/6.2012-1285444•
CCSDS Standardization of Security Algorithms for Civil Space Missions

[...]

Howard Weiss
11 Jun 2012
TL;DR: The working group has made recommendations for the use of both cryptographic and authentication algorithms, which will be published as a CCSDS Recommendation Blue Book so that all national space agencies compliant with the CCSDS recommendation can potentially interoperate with each other and take advantage of cost savings through the use of international standards.
Abstract: The Consultative Committee for Space Data Systems (CCSDS) Security Working Group has published several security guidelines for use within CCSDS. Recognizing the need to establish algorithmic standards, the working group set out to determine the need for cryptographic and authentication algorithms for the civil space community. Tradeoff analyses were performed to determine optimal algorithms for use with both space and ground infrastructures. As a result of those tradeoff analyses, the working group has made recommendations for the use of both cryptographic and authentication algorithms which will be published as a CCSDS Recommendation Blue Book. In this manner, all national space agencies compliant with the CCSDS recommendation can potentially interoperate with each other and can take advantage of cost savings through the use of international standards. Within CCSDS, the standardized algorithms will also form the basis of further security standards such as space data link, network layer, and application layer security. For confidentiality, a single algorithm (AES) using counter mode has been selected because of its ability to be efficiently implemented in hardware. However, authenticated encryption is highly encouraged for all missions using AES in Galois/Counter Mode (AES/GCM). For authentication, multiple algorithms have been selected to allow mission planners the ability to use shared-secret message authentication codes (MACs), cryptographic MACs, or digital signatures – depending on their individual mission’s needs and profiles. For shared-secret MAC, HMAC has been specified. For cryptographic MACs, CMAC is the standard. And for digital signature, RSA Digital Signature has been specified.
Journal Article•
Improvement of convertible authenticated encryption schemes and its multiple recipients version

[...]

Ting-Yi Chang, Chou Chen Yang1, Min-Shiang Hwang2•
National Chung Hsing University1, Asia University (Taiwan)2
01 Dec 2012-International journal of security and its applications
TL;DR: This paper fixes the weakness in Wu-Hsu's scheme, in which converting the signature into an ordinary one divulges the message, and reduces the computational complexity on both the signer's and the recipient's side.
Abstract: A convertible authenticated encryption scheme simultaneously provides the functions of integration, authentication, confidentiality, and non-repudiation. A signer generates an authenticated ciphertext signature on the chosen message, so that only a designated recipient can recover the message by using her/his secret key and verify the message by using the signer's public key. If there is a dispute, the recipient is able to convert the authenticated ciphertext signature into an ordinary signature that can be verified by anyone. This paper separately points out that any adversary can forge a converted signature in Araki's scheme and Ma-Chen's scheme. Moreover, we further improve upon the weakness in Wu-Hsu's scheme, in which converting the signature into an ordinary one divulges the message. The improved scheme not only solves the weakness but also reduces the computational complexity on both the signer's and the recipient's side. Furthermore, the proposed convertible authenticated encryption scheme is extended to multiple recipients: the message can be recovered and verified by a group of multiple recipients.
Journal Article•10.4156/JDCTA.VOL6.ISSUE21.49•
Research on EPON Two-way Authenticated Encryption Scheme based on the MAC

[...]

Yin Yan Zhang YueJin
30 Nov 2012-International Journal of Digital Content Technology and Its Applications
TL;DR: Based on an analysis of EPON network security risks, a two-way authenticated encryption scheme with hybrid encryption is proposed that protects MAC frames against eavesdropping and replay attacks.
Abstract: Based on an analysis of the security risks that exist in EPON networks, and following the two-way authenticated encryption scheme and technology roadmap, this paper proposes a two-way authentication scheme with hybrid encryption that protects MAC frames against eavesdropping and replay attacks. At no extra cost, the scheme provides comprehensive protection of EPON system data while meeting the needs of different users, so the system has practical significance.