TL;DR: This work describes cryptographic schemes for the problem of searching on encrypted data, provides proofs of security for the resulting cryptosystems, and presents simple and fast algorithms that are practical to use today.
Abstract: It is desirable to store data on data storage servers such as mail servers and file servers in encrypted form to reduce security and privacy risks. But this usually implies that one has to sacrifice functionality for security. For example, if a client wishes to retrieve only documents containing certain words, it was not previously known how to let the data storage server perform the search and answer the query, without loss of data confidentiality. We describe our cryptographic schemes for the problem of searching on encrypted data and provide proofs of security for the resulting crypto systems. Our techniques have a number of crucial advantages. They are provably secure: they provide provable secrecy for encryption, in the sense that the untrusted server cannot learn anything about the plaintext when only given the ciphertext; they provide query isolation for searches, meaning that the untrusted server cannot learn anything more about the plaintext than the search result; they provide controlled searching, so that the untrusted server cannot search for an arbitrary word without the user's authorization; they also support hidden queries, so that the user may ask the untrusted server to search for a secret word without revealing the word to the server. The algorithms presented are simple, fast (for a document of length n, the encryption and search algorithms only need O(n) stream cipher and block cipher operations), and introduce almost no space and communication overhead, and hence are practical to use today.
TL;DR: This work analyzes the security of authenticated encryption schemes designed by "generic composition," meaning making black-box use of a given symmetric encryption scheme and a given MAC, and indicates whether or not the resulting scheme meets each notion of security considered, assuming the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack.
Abstract: We consider two possible notions of authenticity for symmetric encryption schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them to the standard notions of privacy for symmetric encryption schemes by presenting implications and separations between all notions considered. We then analyze the security of authenticated encryption schemes designed by "generic composition," meaning making black-box use of a given symmetric encryption scheme and a given MAC. Three composition methods are considered, namely Encrypt-and-MAC plaintext, MAC-then-encrypt, and Encrypt-then-MAC. For each of these, and for each notion of security, we indicate whether or not the resulting scheme meets the notion in question assuming the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack. We provide proofs for the cases where the answer is "yes" and counter-examples for the cases where the answer is "no."
TL;DR: This paper studies a more general family of TPM schemes: a triangular construction mixed with some u random polynomials and with some r of the beginning equations removed, and introduces a new attack for MinRank called 'Kernel Attack' that works for q^r small.
Abstract: In 1985 Fell and Diffie proposed constructing trapdoor functions with multivariate equations [11]. They used several sequentially solved stages that combine into a triangular system we call T. In the present paper, we study a more general family of TPM (for "Triangle Plus Minus") schemes: a triangular construction mixed with some u random polynomials and with some r of the beginning equations removed. We go beyond all previous attacks proposed on such cryptosystems using a low degree component of the inverse function. The cryptanalysis of TPM is reduced to a simple linear algebra problem called MinRank(r): Find a linear combination of given matrices that has a small rank r.
We introduce a new attack for MinRank called 'Kernel Attack' that works for q^r small. We explain that TPM schemes can be used in encryption only if q^r is small and therefore they are not secure.
As an application, we showed that the TTM cryptosystem proposed by T.T. Moh at CrypTec'99 [15,16] reduces to MinRank(2). Thus, though the cleartext size is 512 bits, we break it in O(2^52). The particular TTM of [15,16] can be broken in O(2^28) due to additional weaknesses, and we needed only a few minutes to solve the challenge TTM 2.1 from the website of the TTM selling company, US Data Security.
We also studied TPM in signature, possible only if q^u is small. It is equally insecure: the 'Degeneracy Attack' we introduce runs in q^u polynomial.
TL;DR: A disk drive comprising a disk for storing encrypted data is disclosed in this article, where the disk drive comprises a first circuit for providing plaintext data to a second circuit for encrypting the plaintext data into the encrypted data.
Abstract: A disk drive comprising a disk for storing encrypted data is disclosed. The disk drive comprises a first circuit for providing plaintext data to a second circuit. The second circuit comprises controllable encryption circuitry for encrypting the plaintext data into the encrypted data. The controllable encryption circuitry comprises a data input, an enable input, and a data output. The second circuit further comprises a plaintext input for providing the plaintext data to the data input, an encrypted text output for providing the encrypted data from the data output, and a first control input for receiving a first device authentication signal for authenticating the first circuit. The second circuit comprises a first verification circuit, responsive to the first device authentication signal, for producing a first verification signal for use in controlling the enable input of the encryption circuitry to enable the encryption circuitry to provide the encrypted data via the encrypted text output.
TL;DR: In this article, a digital video recorder (DVR) consisting of a storage device for storing encrypted video programs, a unique ID for interlocking the encrypted video program with the DVR, and a cryptography facility is described.
Abstract: The present invention may be regarded as a digital video recorder (DVR) comprising a storage device for storing an encrypted video program, a unique ID for interlocking the encrypted video program with the digital video recorder, and a cryptography facility. The cryptography facility comprises an encoder, responsive to the unique ID, for encrypting a plaintext video program into the encrypted video program stored on the storage device, and a decoder, responsive to the unique ID, for decrypting the encrypted video program stored on the storage device into the plaintext video program during playback.
TL;DR: In this article, a digital video recorder (DVR) with a unique ID, a hard disk drive (HDD) for storing a plurality of encrypted video programs and an encrypted file system was disclosed.
Abstract: A digital video recorder (DVR) is disclosed comprising a unique ID, a hard disk drive (HDD) for storing a plurality of encrypted video programs and an encrypted file system, the encrypted file system comprising a plurality of encrypted file system entries for decrypting the plurality of video programs. The DVR further comprises host circuitry for interfacing with the HDD, the host circuitry comprising a cryptography facility for encrypting plaintext file system entries into the encrypted file system entries stored on the HDD, and for decrypting the encrypted file system entries read from the HDD into plaintext file system entries. The cryptography facility comprises a pseudo-random sequence generator, responsive to the unique ID, for generating a pseudo-random sequence. The cryptography facility further comprises an encoder for combining the pseudo-random sequence with the plaintext file system entries to generate the encrypted file system entries stored on the HDD, and a decoder for combining the pseudo-random sequence with the encrypted file system entries read from the HDD to generate the plaintext file system entries.
TL;DR: In this paper, the authors describe a device comprising encryption circuitry for encrypting plaintext data into ciphertext data, and a signal generator for generating an operating spectral signature representing the operating spectral characteristic of the device.
Abstract: A device is disclosed comprising encryption circuitry for encrypting plaintext data into ciphertext data. A memory stores an initial spectral signature representing an initial spectral characteristic of the device, and a signal generator for generating an operating spectral signature representing an operating spectral characteristic of the device. A comparator compares the operating spectral signature to the initial spectral signature and enables the encryption circuitry if the operating spectral characteristic substantially matches the initial spectral characteristic.
TL;DR: In this paper, a digital video recorder (DVR) is described for storing plaintext video programs as encrypted video programs. The DVR comprises a random access storage (RAS) device for storing the encrypted video program in encrypted segments.
Abstract: A digital video recorder (DVR) is disclosed for storing a plaintext video program as an encrypted video program. The DVR comprises a random access storage (RAS) device for storing the encrypted video program in encrypted segments. The DVR further comprises a cryptography facility comprising an encoder for encrypting plaintext segments of the plaintext video program into the encrypted segments stored on the RAS device, and a decoder for randomly and independently decrypting the encrypted segments of the encrypted video program into plaintext segments during playback.
TL;DR: A chosen-plaintext variant of the linear attack on DES introduced by Matsui, which reduces the number of plaintexts needed to find key bits by a factor of more than four compared to Matsui's attack.
Abstract: In this paper we consider a chosen-plaintext variant of the linear attack on DES introduced by Matsui. By choosing plaintexts in a clever way one can reduce the number of plaintexts required in a successful linear attack. This reduces the number of plaintexts needed to find key bits by a factor of more than four compared to Matsui's attack. To estimate the probabilities of success in the attack we did extensive experiments on DES reduced to 8 and 12 rounds. We believe that the results in this paper contain the fastest attack on the DES reported so far in the open literature. As an example, one attack needs about 2^42 chosen texts, finds 12 bits of key information and succeeds with a probability of about 86%. An additional 12 key bits can be found by similar methods. For comparison, Matsui's attack on the DES needs about 2^44 known texts, finds 13 bits of the key and succeeds with a probability of 78%. Of independent interest is a new approach searching for "pseudo-keys", which are secret key bits added to an unknown but fixed value. These bits can be used to find the secret key bits at a later stage in the analysis.
TL;DR: In this article, a random bit string is obtained by sequentially generating multidimensional vectors using a nonlinear function, defining a predetermined bit length as 1 word and a plurality of words as the components of the multidimensional vector.
Abstract: In a database, a frequently retrieved column is encrypted using a common key, and other columns are encrypted using a specific row key. Thus, a retrieving process can be performed at a high speed, and the security can be improved. Then, the row and column of the database are encrypted by assuming the plaintext to be encrypted as a bit string, and performing a binary operation with a random bit string. A random bit string is obtained by sequentially generating multidimensional vectors using a nonlinear function by defining a predetermined bit length as 1 word and a plurality of words as components of the multidimensional vector.
TL;DR: In this paper, a memory (55) is arranged in parallel to a feedback line (65) for feedback to a selector (54) from an enciphering module (51) using an encryption key.
Abstract: In order to encipher data while enciphering other data, a memory (55) is arranged in parallel to a feedback line (65) for feedback to a selector (54) from an enciphering module (51) using an encryption key (K). If an interrupt (IT) for processing plaintext block data (Ni) occurs during the processing of plaintext block data (Mi), the cryptogram block data (Ci) being in process when the interrupt (IT) occurs is stored in a register (56). When the processing of the plaintext block data Ni is completed, a selector (54) selects the cryptogram block data (Ci) stored in the memory (55), and the processing of plaintext block data (Mi+1) is started.
TL;DR: In this article, a technique for encrypting and decrypting a data message is described; it includes a stream cipher, a block cipher, an IV generation embodiment and a key generation embodiment, all of which use a process of Summary Reduction.
Abstract: A technique for encrypting and decrypting a data message is described herein and includes a stream cipher, a block cipher, an IV generation embodiment and a key generation embodiment which use a process of Summary Reduction. This overall technique uses a secret key to generate ciphertext from plaintext and, in doing so, the technique isolates the nature of the secret key values from the nature of the ciphertext created.
TL;DR: In this paper, the authors proposed schemes that are provably secure against adaptive chosen ciphertext attack (CCA) and yet every string is a valid ciphertext, and they have a smaller ciphertext expansion than any other scheme known to be secure against CCA.
Abstract: The paradigms currently used to realize symmetric encryption schemes secure against adaptive chosen ciphertext attack (CCA) try to make it infeasible for an attacker to forge valid ciphertexts. This is achieved by either encoding the plaintext with some redundancy before encrypting or by appending a MAC to the ciphertext. We suggest schemes which are provably secure against CCA, and yet every string is a valid ciphertext. Consequently, our schemes have a smaller ciphertext expansion than any other scheme known to be secure against CCA. Our most efficient scheme is based on a novel use of variable-length pseudo-random functions and can be efficiently implemented using block ciphers. We relate the difficulty of breaking our schemes to that of breaking the underlying primitives in a precise and quantitative way.
TL;DR: A new chaos based cryptosystem is proposed to transmit digital information signal by using the conventional synchronization approach with cascaded heterogeneous chaotic systems and the quality of the recovered signal is higher and the encoding is potentially secure.
TL;DR: This work presents and analyzes attacks on additive stream ciphers that rely on linear equations that hold with non-trivial probability in plaintexts that are encrypted using distinct keys, and defines linear redundancy to characterize the vulnerability of a plaintext source to these attacks.
Abstract: We present and analyze attacks on additive stream ciphers that rely on linear equations that hold with non-trivial probability in plaintexts that are encrypted using distinct keys. These attacks extend Biham's key collision attack and Hellman's time memory tradeoff attack, and can be applied to any additive stream cipher. We define linear redundancy to characterize the vulnerability of a plaintext source to these attacks.
We show that an additive stream cipher with an n-bit key has an effective key size of n - min(l, lg M) against the key collision attack, and of 2n/3 + lg(n/3) + max(n - l, 0) against the time memory tradeoff attack, when the attacker knows l linear equations over the plaintext and has M ciphertexts encrypted with M distinct unknown secret keys.
Lastly, we analyze the IP, TCP, and UDP protocols and some typical protocol constructs, and show that they contain significant linear redundancy. We conclude with observations on the use of stream ciphers for Internet security.
TL;DR: In this paper, a send configuration module defines the encryption method, encryption key length, and control parameter(s) during a secure communication, and a key management module serves to implement the send configuration parameters during a communication.
Abstract: Receiver access to a secure communication is determined by the sender. The sender defines an access parameter, such as number of times a message can be decrypted, expiration time of message, or some contingent event that triggers expiration of a message. A send configuration module defines the encryption method, encryption key length, and the control parameter(s). A key management module serves to implement the send configuration parameters during a communication. Upon receiving a message the receiver module contacts the key management module to request a decryption key. The key management module returns the decryption key or a ‘denied’ message. Once the message is decrypted at the receiver, the key and the decrypted source are deleted from the receiver computer. The message is displayed in a bit-mapped window.
TL;DR: A general stream cipher with memory in which each ciphertext symbol depends on both the current and previous plaintext symbols, and each plaintext symbol affects both the current and previous ciphertext symbols, is pointed out.
Abstract: A general stream cipher with memory in which each ciphertext symbol depends on both the current and previous plaintext symbols, as well as each plaintext symbol depends on both the current and previous ciphertext symbols, is pointed out. It is shown how to convert any keystream generator into a stream cipher with memory, and their security is discussed. It is proposed how to construct secure self-synchronizing stream ciphers, keyed hash functions, hash functions, and block ciphers from any secure stream cipher with memory. Rather new and unusual designs can thus be obtained, such as the designs of block ciphers and (keyed) hash functions based on clock-controlled shift registers only.
TL;DR: This thesis provides a formal analysis of two kinds of cryptographic objects that used to be treated with much less rigor: All-or-Nothing Transforms (AONTs) and Password-Authenticated Key Exchange protocols.
Abstract: This thesis provides a formal analysis of two kinds of cryptographic objects that used to be treated with much less rigor: All-or-Nothing Transforms (AONTs) and Password-Authenticated Key Exchange protocols. For both, novel formal definitions of security are given, and then practical and efficient constructions are proven secure. The constructions for password-authenticated key exchange are novel, and the AONT construction is an application of an existing scheme to a new area.
AONTs have been proposed by Rivest as a mode of operation for block ciphers. An AONT is an unkeyed, invertible, randomized transformation, with the property that it is hard to invert unless all of the output is known. Applications of AONTs include improving the security and efficiency of encryption. We give several strong formal definitions of security for AONTs. We then prove that Optimal Asymmetric Encryption Padding (OAEP) satisfies these definitions (in the random oracle model). This is the first construction of an AONT that has been proven secure in the strong sense. We also show that no AONT can achieve substantially better security than OAEP.
The second part of this thesis is about password-authenticated key exchange protocols. We present a new protocol called PAK which is the first such Diffie-Hellman-based protocol to provide a formal proof of security (in the random oracle model) against active adversaries. In addition to the PAK protocol that provides mutual explicit authentication, we also show a more efficient protocol called PPK that is provably secure in the implicit-authentication model. We then extend PAK to a protocol called PAK-X, in which one side (the client) stores a plaintext version of the password, while the other side (the server) only stores a verifier for the password. We formally prove security of PAK-X, even when the server is compromised. Our formal model for password-authenticated key exchange is new, and may be of independent interest.
TL;DR: A stream cipher cryptosystem includes a keystream generator receiving a key and providing a keystream, and a cryptographic combiner that combines a first binary data sequence and the keystream with two non-associative operations to provide a second binary data sequence.
Abstract: A stream cipher cryptosystem includes a keystream generator receiving a key and providing a keystream. A cryptographic combiner combines a first binary data sequence and the keystream with two non-associative operations to provide a second binary data sequence. In encryption operations, the cryptographic combiner is an encryption combiner and the first binary data sequence is a plaintext binary data sequence and the second binary data sequence is a ciphertext binary data sequence. In decryption operations, the cryptographic combiner is a decryption combiner and the first binary data sequence is a ciphertext binary data sequence and the second binary data sequence is a plaintext binary data sequence.
TL;DR: The proposed technique allows multi-step execution and the delivery of cleartext output at the remote site and assures the security of a program executed on untrusted runtime environments by means of some interactions between the program and the trusted hardware.
Abstract: This paper addresses mobile code security with respect to potential integrity and privacy violations originating from the runtime environment. The suggested solution requires a trusted hardware with limited capacity like a smartcard and assures the security of a program executed on untrusted runtime environments by means of some interactions between the program and the trusted hardware. The security of this scheme is based on an extension of function hiding using error correcting codes. Unlike prior function hiding schemes, the proposed technique allows multi-step execution and the delivery of cleartext output at the remote site.
TL;DR: A cryptographic apparatus has an encryption/encapsulation processing section for encrypting plaintext data received from a plaintext network, referencing a predetermined correspondence between addresses and different cryptographic apparatus.
Abstract: A cryptographic apparatus has an encryption/encapsulation processing section for encrypting plaintext data received from a plaintext network, referencing the predetermined correspondence between addresses and different cryptographic apparatus, setting a new header based on the cryptographic apparatus corresponding to the address set in the header of the plaintext data as encapsulation processing, and transmitting ciphertext data provided thereby to the ciphertext network of the same IP subnet as the plaintext network, and a decryption/decapsulation processing section for decrypting ciphertext data received from the ciphertext network into plaintext data, again setting a header based on the address set in the header of the plaintext data as decapsulation processing, and transmitting plaintext data provided thereby to the plaintext network of the same IP subnet as the ciphertext network.
TL;DR: The encryption algorithm KASUMI, which is based on MISTY, proposed by Matsui, is provably secure against linear and differential cryptanalysis, yet 4-round KASUMI without FL functions can be attacked using 2nd order differentials.
Abstract: The encryption algorithm KASUMI is based on MISTY, proposed by Matsui, and is provably secure against linear cryptanalysis and differential attack. We attacked KASUMI without FL functions by using the Higher Order Differential Attack. The necessary order of the Higher Order Differential Attack depends on the degree of the F function, and it is determined by the chosen plaintext. We found an effective chosen plaintext which enables the attack on 4-round KASUMI without FL functions. As a result, we can attack it using 2nd order differentials. This attack needs about 1,416 chosen plaintexts.
TL;DR: In this paper, a single pass technique is used in the method to embed a message integrity check in the ciphertext blocks, and the method further comprises the steps of decrypting the ciphertext blocks to re-form the plaintext blocks.
Abstract: An encryption/decryption method and system. The method comprises the steps of encrypting a plaintext message by dividing the plaintext message into a multitude of plaintext blocks and encrypting the plaintext blocks to form a multitude of ciphertext blocks. A single pass technique is used in the method to embed a message integrity check in the ciphertext blocks. The method further comprises the steps of decrypting the ciphertext blocks to re-form the plaintext blocks, and testing the message integrity check in the ciphertext blocks to test the integrity of the re-formed plaintext blocks.
TL;DR: In this article, methods and an apparatus for storing information in a processing device with flexible security are described: a download is received via a first input path with a breakable link, and a ciphertext download received via a second input path is decrypted with a stored key before the resulting plaintext is stored in the device.
Abstract: Methods and an apparatus for storing information in a processing device with flexible security are disclosed. In one embodiment, a method stores information within the processing device. The method receives a download via a first input path which includes a first breakable link and stores the download within the processing device. At some point, a key is also stored within the processing device. A ciphertext download is received via a second input path which includes a second breakable link. The ciphertext download is decrypted utilizing the key and the resulting plaintext download is stored within the processing device.
TL;DR: Several generic technologies, together with desirable characteristics of cryptographic information/key recovery techniques, are described and a continuum of functionality is defined.
TL;DR: In this paper, the authors describe an encryption system that generates encryption/decryption keys, a key storage area for storing said keys, and a key destroying system that destroys keys that are no longer valid.
Abstract: Automatic systems (200) and methods for electronic document (including records, documents, electronic mail, etc.) management and destruction are disclosed, comprising an encryption system that generates encryption/decryption keys; a key storage area (212) for storing said keys; communication media (214) whereby said keys may be disseminated to authorized users' workstations (218) within a company; and a key destroying system that destroys keys that are no longer valid. The encryption system creates encryption/decryption keys that may be communicated to a set of authorized users of the email system. The sender types in the email message in plaintext (220) at the workstation (218). The system encrypts the email message, which is subsequently sent to the recipient in its encrypted form. When the recipient opens the email message, the system uses the decryption key to decrypt the message and presents a plaintext (220) view of the message to the recipient. When the system (200) makes a backup to disk drive, tape drive, or other storage, the encrypted email message (224) is usually the object that is actually stored on the storage (222). Decryption keys are regularly destroyed in the normal course of business, thus effectively destroying the email.
TL;DR: The strength of current encryption systems is based on cryptographic keys and complex mathematical algorithms, but what if a different type of computer, one based on quantum physics rather than classical mechanics, were used?
Abstract: The strength of our current encryption systems is based on cryptographic keys and complex mathematical algorithms. Using a sufficiently long cryptographic key, a mathematical algorithm transforms plaintext into ciphertext in such a way as to make it computationally infeasible for a cryptanalyst to determine either the enciphered message or the underlying key. An implicit assumption is that computer technology, as we know it, is used throughout this process. But what if a different type of computer - one based on quantum physics rather than classical mechanics - was used?
TL;DR: A public-key cryptosystem, digital signature and authentication procedures based on a Gallager-type parity-check error-correcting code are presented and the possible actions of the opponent Oscar as an eavesdropper or as a disruptor are discussed.
Abstract: A public-key cryptosystem, digital signature and authentication procedures based on a Gallager-type parity-check error-correcting code are presented. The complexity of the encryption and the decryption processes scales linearly with the size of the plaintext Alice sends to Bob. The public key is pre-corrupted by Bob, whereas private noise added by Alice to a given fraction of the ciphertext of each encrypted plaintext serves to increase the secure channel and is the cornerstone for digital signatures and authentication. Various scenarios are discussed, including the possible actions of the opponent Oscar as an eavesdropper or as a disruptor.
TL;DR: The key recovery model is a generalized model that encompasses a wide variety of key recovery systems, including both key backup and encapsulated key recovery information techniques.
TL;DR: In this paper, a client side receives an ID, a cipher key, and an authoring program for application ciphering to a server side, which ciphers inputted data according to the ID and cipher key.
Abstract: PROBLEM TO BE SOLVED: To collect charges for database use, while improving safety, by coupling a network-client side data input device, which ciphers information and makes it open, with a network-server side database processor, which interprets the information protected by the ciphering and replaces it with plaintext. SOLUTION: A client side receives an ID, a cipher key, and an authoring program for application ciphering to a server side. The authoring program ciphers inputted data according to the ID and cipher key. Data generated on the client side are made open through a network in the form of a document which can be exchanged with ordinary protocols. Even though the data can be accessed, the contents have been ciphered and cannot be read by a third person. The ciphered document itself can be freely distributed through an open network whose running cost is low.