TL;DR: The first public-key traitor tracing scheme with constant transmission rate was proposed by Naccache, Shamir, and Stern as mentioned in this paper, which achieves the same expansion efficiency as regular ElGamal encryption.
Abstract: An important open problem in the area of Traitor Tracing is designing a scheme with constant expansion of the size of keys (users' keys and the encryption key) and of the size of ciphertexts with respect to the size of the plaintext. This problem is known from the introduction of Traitor Tracing by Chor, Fiat and Naor. We refer to such schemes as traitor tracing with constant transmission rate. Here we present a general methodology and two protocol constructions that result in the first two public-key traitor tracing schemes with constant transmission rate in settings where plaintexts can be calibrated to be sufficiently large. Our starting point is the notion of "copyrighted function" which was presented by Naccache, Shamir and Stern. We first solve the open problem of discrete-log-based and public-key-based "copyrighted function." Then, we observe the simple yet crucial relation between (public-key) copyrighted encryption and (public-key) traitor tracing, which we exploit by introducing a generic design paradigm for designing constant transmission rate traitor tracing schemes based on copyrighted encryption functions. Our first scheme achieves the same expansion efficiency as regular ElGamal encryption. The second scheme introduces only a slightly larger (constant) overhead; however, it additionally achieves efficient black-box traitor tracing (against any pirate construction).
TL;DR: This work presents a general methodology and two protocol constructions that result in the first two public-key traitor tracing schemes with constant transmission rate in settings where plaintexts can be calibrated to be sufficiently large.
Abstract: An important open problem in the area of Traitor Tracing is designing a scheme with constant expansion of the size of keys (users' keys and the encryption key) and of the size of ciphertexts with respect to the size of the plaintext. This problem is known from the introduction of Traitor Tracing by Chor, Fiat and Naor. We refer to such schemes as traitor tracing with constant transmission rate. Here we present a general methodology and two protocol constructions that result in the first two public-key traitor tracing schemes with constant transmission rate in settings where plaintexts can be calibrated to be sufficiently large. Our starting point is the notion of copyrighted function which was presented by Naccache, Shamir and Stern. We first solve the open problem of discrete-log-based and public-key-based copyrighted function. Then, we observe the simple yet crucial relation between (public-key) copyrighted encryption and (public-key) traitor tracing, which we exploit by introducing a generic design paradigm for designing constant transmission rate traitor tracing schemes based on copyrighted encryption functions. Our first scheme achieves the same expansion efficiency as regular ElGamal encryption. The second scheme introduces only a slightly larger (constant) overhead, however, it additionally achieves efficient black-box traitor tracing (against any pirate construction).
TL;DR: This paper points out that CKBA is very weak against the chosen/known-plaintext attack with only one plain-image, and that its security against brute-force ciphertext-only attack is overestimated by the authors.
Abstract: The security of digital images has attracted much attention recently, and many image encryption methods have been proposed. In ISCAS 2000, a new chaotic key-based algorithm (CKBA) for image encryption was proposed. This paper points out that CKBA is very weak against the chosen/known-plaintext attack with only one plain-image, and that its security against brute-force ciphertext-only attack is overestimated by the authors. That is to say, CKBA is not secure at all from a cryptographic viewpoint. Some experiments are made to show the feasibility of the chosen/known-plaintext attack. We also discuss some remedies to the original scheme and their performance, and we find that none of them can essentially improve the security of CKBA.
TL;DR: In this article, the authors describe a major statistical weakness in RC4, which makes it trivial to distinguish between short outputs of RC4 and random strings by analyzing their second bytes, which can be used to mount a ciphertext-only attack on RC4 in some broadcast applications, in which the same plaintext is sent to multiple recipients under different keys.
Abstract: RC4 is the most widely deployed stream cipher in software applications. In this paper we describe a major statistical weakness in RC4, which makes it trivial to distinguish between short outputs of RC4 and random strings by analyzing their second bytes. This weakness can be used to mount a practical ciphertext-only attack on RC4 in some broadcast applications, in which the same plaintext is sent to multiple recipients under different keys.
TL;DR: A taxonomy of compromising optical emanations is developed, and design changes are described that will successfully block this kind of "Optical Tempest" attack.
Abstract: A previously unknown form of compromising emanations has been discovered. LED status indicators on data communication equipment, under certain conditions, are shown to carry a modulated optical signal that is significantly correlated with information being processed by the device. Physical access is not required; the attacker gains access to all data going through the device, including plaintext in the case of data encryption systems. Experiments show that it is possible to intercept data under realistic conditions at a considerable distance. Many different sorts of devices, including modems and Internet Protocol routers, were found to be vulnerable. A taxonomy of compromising optical emanations is developed, and design changes are described that will successfully block this kind of "Optical Tempest" attack.
TL;DR: The data security method, system and associated data mining enable multiple users, each having a respective security clearance level, to access security sensitive words, data objects, characters or icons extracted from plaintext or other source documents, yielding subsets of extracted data and remainder data.
Abstract: The data security method, system and associated data mining enable multiple users, each having a respective security clearance level, to access security sensitive words, data objects, characters or icons. The method extracts security sensitive words, data objects, characters or icons from plaintext or other source documents to obtain (a) subsets of extracted data and (b) remainder data. The extracted data is, in one embodiment, stored in a multilevel security system (MLS) which separates extracted data of different security levels with MLS guards. Some or all of the original data is reconstructed via one or more of the subsets of extracted data and remainder data only in the presence of a predetermined security level. In this manner, an inquiring party, with the proper security clearance, can data mine the data in the MLS secured storage.
TL;DR: It is shown that the natural and most common way of implementing modes of operation for cryptographic primitives often leads to insecure implementations; a new attack paradigm, illustrated on schemes based on the chaining mode, exploits the possibility of adapting within a single message, which current security models do not capture and which leaves room for unexpected attacks.
Abstract: In this paper, we show that the natural and most common way of implementing modes of operation for cryptographic primitives often leads to insecure implementations. We illustrate this problem by attacking several modes of operation that were proved to be semantically secure against either chosen plaintext or chosen ciphertext attacks. The problem stems from the following simple fact: in the definition and proofs of semantic security, messages are considered as atomic objects that cannot be split; however, in most practical implementations, messages are subdivided into smaller chunks that can be easily manipulated. Depending on the implementation, each chunk may consist of one or several blocks of the underlying primitive. The key point here is that upon reception of a processed chunk, the attacker can now adapt his choice for the next chunk. Since the possibility of adapting within a single message is not taken into account in the current security models, this leaves room for unexpected attacks. We illustrate this new paradigm by attacking three symmetric and hybrid encryption schemes based on the chaining mode in spite of their security proofs.
TL;DR: In this paper, efficient non-malleable proofs of plaintext knowledge are given for the RSA, Rabin, Paillier, and El Gamal encryption schemes, yielding chosen-ciphertext-secure interactive encryption with only a small overhead beyond the original, semantically-secure scheme.
Abstract: We describe efficient protocols for non-malleable (interactive) proofs of plaintext knowledge for the RSA, Rabin, Paillier, and El Gamal encryption schemes. We also highlight some important applications of these protocols:
- Chosen-ciphertext-secure, interactive encryption. In settings where both parties are on-line, an interactive encryption protocol may be used. We construct chosen-ciphertext-secure interactive encryption schemes based on any of the schemes above. In each case, the improved scheme requires only a small overhead beyond the original, semantically-secure scheme.
- Password-based authenticated key exchange. We derive efficient protocols for password-based key exchange in the public-key model [28, 5] whose security may be based on any of the cryptosystems mentioned above.
- Deniable authentication. Our techniques give the first efficient constructions of deniable authentication protocols based on, e.g., the RSA or computational Diffie-Hellman assumption.
Of independent interest, we consider the concurrent composition of proofs of knowledge; this is essential to prove security of our protocols when run in an asynchronous, concurrent environment.
TL;DR: In this paper, the authors show that the natural and most common way of implementing modes of operation for cryptographic primitives often leads to insecure implementations, and they illustrate this problem by attacking several modes of operations that were proved to be semantically secure against either chosen plaintext or chosen ciphertext attacks.
Abstract: In this paper, we show that the natural and most common way of implementing modes of operation for cryptographic primitives often leads to insecure implementations. We illustrate this problem by attacking several modes of operation that were proved to be semantically secure against either chosen plaintext or chosen ciphertext attacks. The problem stems from the following simple fact: in the definition and proofs of semantic security, messages are considered as atomic objects that cannot be split; however, in most practical implementations, messages are subdivided into smaller chunks that can be easily manipulated. Depending on the implementation, each chunk may consist of one or several blocks of the underlying primitive. The key point here is that upon reception of a processed chunk, the attacker can now adapt his choice for the next chunk. Since the possibility of adapting within a single message is not taken into account in the current security models, this leaves room for unexpected attacks. We illustrate this new paradigm by attacking three symmetric and hybrid encryption schemes based on the chaining mode in spite of their security proofs.
TL;DR: The main idea advocated in this paper is that simple cryptographic techniques are sufficient to engineer an efficient data encoding that can make it significantly harder to selectively censor information.
Abstract: This paper describes the design of a censorship-resistant distributed file sharing protocol which has been implemented on top of gnunet, an anonymous, reputation-based network. We focus on the encoding layer of the gnunet file-sharing protocol which supports efficient dissemination of encrypted data as well as queries over encrypted data. The main idea advocated in this paper is that simple cryptographic techniques are sufficient to engineer an efficient data encoding that can make it significantly harder to selectively censor information. Our encoding allows users to share files encrypted under descriptive keys which are the basis for querying the network for content. A key property of our encoding is that intermediaries can filter invalid encrypted replies without being able to decrypt the query or the reply. Files are stored in small chunks which are distributed and replicated automatically by the GNUnet infrastructure. Additionally, data files may be stored in plaintext or encrypted form or as a combination of both and encrypted on demand.
TL;DR: A method of generating a practically unlimited number of quasigroups of a (theoretically) arbitrary order using the computer algebra system Maple 7 is presented.
Abstract: A method of generating a practically unlimited number of quasigroups of a (theoretically) arbitrary order using the computer algebra system Maple 7 is presented. This problem is crucial to cryptography, and its solution permits the implementation of practical quasigroup-based endomorphic cryptosystems. The order of a quasigroup usually equals the number of characters of the alphabet used for recording both the plaintext and the ciphertext. From the practical viewpoint, the most important quasigroups are of order 256, suitable for fast software encryption of messages written in the universal ASCII code. That is exactly what this paper provides: fast and easy ways of generating quasigroups of order up to 256 and a little more.
TL;DR: In this paper, the authors present perceptual cryptography applied to MPEG Layer III compressed audio (MP3), where the inputs of the cipher are the plaintext MP3 bit-stream, encryption key and encryption percentage.
Abstract: Whereas conventional cryptography is suitable for any kind of data, it does not allow for perceptual degradation of encrypted data in multimedia-compressed formats. We present perceptual cryptography applied to MPEG Layer III compressed audio (MP3). The inputs of the cipher are the plaintext MP3 bit-stream, the encryption key and the encryption percentage. The cipher outputs an MPEG Layer III compliant bit-stream (ciphertext) that is perceptually less valuable than the original bit-stream. The original MP3 bit-stream can be recovered using the ciphertext bit-stream and the same decryption key and percentage used on encryption. An introduction to MP3 audio compression is given, followed by a description of the perceptual cipher and its applications. The paper addresses the relationship between the encryption percentage and the subjective quality.
TL;DR: In this article, the authors present a scheme for partially encrypting a data transmission, yet providing authentication for all of the data transmission. But the scheme requires the transmission of all the data.
Abstract: Methods and apparatus are presented for partially encrypting a data transmission, yet providing authentication for all of the data transmission. Plaintext blocks are combined with noise blocks and then either encrypted or decrypted to form ciphertext blocks and authentication blocks. The authentication blocks are used to determine a checksum that is then used to determine an authentication tag.
TL;DR: In this paper, the authors describe related-key attacks on five- and six-round KASUMI, where the five-round attack requires the encryption of approximately 2^19 chosen plaintext pairs X and X* under keys K and K* respectively, where K and K* differ in only one bit, and requires a maximum of a little over 2^33 trials to recover the entire key.
Abstract: This paper describes related-key attacks on five- and six-round KASUMI. The five-round attack requires the encryption of approximately 2^19 chosen plaintext pairs X and X* under keys K and K* respectively, where K and K* differ in only one bit, and requires a maximum of a little over 2^33 trials to recover the entire key. The six-round attack requires a smaller number of chosen plaintext encryptions than the five-round attack, and recovers the entire key in a maximum of 2^112 trials.
TL;DR: The Nicetext protocol is extended to enable deniable cryptography/messaging using the concept of plausible deniability, derived from the fact that even if one is forced to reveal a key to the random string that "nice text" reverts to, the real cryptographic/plaintext messages may be stored within additional required sources of "randomness" in the extended protocol.
Abstract: Information hiding has several applications, one of which is to hide the use of cryptography. The Nicetext [5,6] system introduced a method for hiding cryptographic information by converting cryptographic strings (random-looking) into "nice text" (namely innocuous looking). The system retains the ability to recover the original ciphertext from the generated text. Nicetext can hide both plaintext and cryptographic text. The purpose of such transformations is to mask ciphertext from anyone who wants to detect or censor encrypted communication, such as a corporation that may monitor, or censor, its employees' private mail. Even if the message is identified as the output of Nicetext, the sender might claim that the input was simply a pseudo-random number source rather than ciphertext. This paper extends the Nicetext protocol to enable deniable cryptography/messaging using the concept of plausible deniability [2,7]. Deniability is derived from the fact that even if one is forced to reveal a key to the random string that "nice text" reverts to, the real cryptographic/plaintext messages may be stored within additional required sources of "randomness" in the extended protocol.
TL;DR: In this article, it was shown that CBC, CTR and Jutla's integrity-aware encryption modes do not have the property that a known-plaintext-secure block cipher yields a chosen-plaintext-secure mode; in particular, CTR mode built on such a cipher need not even be secure against known-plaintext attacks.
Abstract: Given any weak pseudorandom function, we present a general and efficient technique transforming such a function to a new weak pseudorandom function with an arbitrary length output. This implies, among other things, an encryption mode for block ciphers. The mode is as efficient as known (and widely used) encryption modes such as CBC mode and counter (CTR) mode, but is provably secure against chosen-plaintext attack (CPA) provided only that the underlying symmetric cipher is secure against known-plaintext attack (KPA). We prove that CBC, CTR and Jutla's integrity-aware modes do not have this property. In particular, we prove that when using a KPA-secure block cipher: CBC mode is KPA secure but need not be CPA secure, Jutla's modes need not be CPA secure, and CTR mode need not even be KPA secure. The analysis is done in a concrete security framework.
TL;DR: In this paper, the decoding problem of Reed-Solomon Codes (aka: the Polynomial Reconstruction Problem - PR) from a cryptographic hardness perspective is investigated and a decisional intractability assumption related to the PR problem is formulated.
Abstract: We investigate the decoding problem of Reed-Solomon Codes (aka: the Polynomial Reconstruction Problem - PR) from a cryptographic hardness perspective. Following the standard methodology for constructing cryptographically strong primitives, we formulate a decisional intractability assumption related to the PR problem. Then, based on this assumption we show: (i) hardness of partial information extraction and (ii) pseudorandomness. This lays the theoretical framework for the exploitation of PR as a basic cryptographic tool which, as it turns out, possesses unique properties. One such property is the fact that in PR, the size of the corrupted codeword (which corresponds to the size of a ciphertext and the plaintext) and the size of the index of error locations (which corresponds to the size of the key) are independent and can even be super-polynomially related. We then demonstrate the power of PR-based cryptographic design by constructing a stateful cipher.
TL;DR: Rijndael is an iterated block cipher that supports key and block lengths of 128 to 256 bits in steps of 32 bits, transforming a plaintext block into a ciphertext block by iteratively applying a single round function alternated with the addition (XOR) of round keys.
Abstract: Rijndael is an iterated block cipher that supports key and block lengths of 128 to 256 bits in steps of 32 bits. It transforms a plaintext block into a ciphertext block by iteratively applying a single round function alternated with the addition (XOR) of round keys. The round keys are derived from the cipher key by means of a key schedule. As a result of the wide trail strategy, the round function of Rijndael consists of three dedicated steps that each have a particular role. Rijndael versions with a block length of 128 bits, and key lengths of 128, 192 and 256 bits, have been adopted as the Advanced Encryption Standard (AES).
TL;DR: In this article, a side channel attack on a plaintext encrypted by EME-OAEP PKCS#1 v.2.1 was presented, together with conversions of the known attacks on PKCS#1 v.1.5 and v.2.1 encryption into attacks on RSA signatures, and fault-based attacks on RSA-KEM.
Abstract: This paper contains three parts. In the first part we present a new side channel attack on a plaintext encrypted by EME-OAEP PKCS#1 v.2.1. In contrast with Manger's attack, we attack that part of the plaintext, which is shielded by the OAEP method. In the second part we show that Bleichenbacher's and Manger's attack on the RSA encryption scheme PKCS#1 v.1.5 and EME-OAEP PKCS#1 v.2.1 can be converted to an attack on the RSA signature scheme with any message encoding (not only PKCS). In the third part we deploy a general idea of fault-based attacks on the RSA-KEM scheme and present two particular attacks as the examples. The result is the private key instead of the plaintext as with attacks on PKCS#1 v.1.5 and v.2.1. These attacks should highlight the fact that the RSA-KEM scheme is not an entirely universal solution to problems of RSAES-OAEP implementation and that even here the manner of implementation is significant.
TL;DR: Two new chosen plaintext attacks on reduced rounds of the IDEA block cipher are developed, based on the observation that suitably chosen plaintexts give rise to some special kind of distributions which provide a way to distinguish reduced-round IDEA output from a random permutation with very few plaintexts.
Abstract: In this paper we develop two new chosen plaintext attacks on reduced rounds of the IDEA block cipher. The attacks exploit the word structure of the algorithm and are based on the observation that suitably chosen plaintexts give rise to some special kind of distributions which provide a way to distinguish reduced-round IDEA output from a random permutation with very few plaintexts. As a result, we develop an attack on 3.5 rounds of IDEA which requires only 103 chosen plaintexts. We have reduced the number of required plaintexts significantly up to 4 rounds. We also present some interesting properties of the reduced-round variants of the cipher which have not been published before. The properties and the attacks bring a different approach to analysing the cipher.
TL;DR: The resistance of the reduced 5-round version of the block cipher CIKS-1 against linear cryptanalysis (LC) is evaluated, and it is shown that the attack requires about 2^36 chosen plaintexts and 1/5 × 2^32 × 2^36 ≈ 2^65.7 encryptions to recover the last-round key.
Abstract: In this paper, we first evaluate the resistance of the reduced 5-round version of the block cipher CIKS-1 against linear cryptanalysis (LC). A feature of CIKS-1 is the use of both data-dependent permutations (DDP) and internal key scheduling, which consists of data-dependent transformation of the round subkeys. Taking into account the structure of CIKS-1, we investigate linear approximations. That is, we consider 16 linear approximations with p = 3/4 for 16 parallel modulo 2^2 additions to construct a one-round linear approximation, and derive a one-round linear approximation with probability P = 1/2 + 2^-17 by the Piling-Up lemma. We also verify experimentally that P is a valid probability for the one-round approximation, and find that the actual probability of the one-round approximation is better than 1/2 + 2^-17. We then construct a 3-round linear approximation with P = 1/2 + 2^-17 using this one-round approximation and can attack the reduced 5-round CIKS-1 with 64-bit block by LC. In conclusion, our attack requires about 2^36 chosen plaintexts, with a success probability of 78.5%, and 1/5 × 2^32 × 2^36 ≈ 2^65.7 encryptions to recover the last-round (round 5) key. In addition, we discuss a few improvements of the cipher CIKS-1.
TL;DR: This paper presents some FPGA-based implementations of the private-key Advanced Encryption Standard (AES) cryptography algorithm that can ensure high-speed encryption by processing several blocks of the plaintext concurrently.
Abstract: This paper presents some FPGA-based implementations of the private-key Advanced Encryption Standard (AES) cryptography algorithm. The fixed technological target is one V1000BG560 Xilinx Virtex FPGA. A basic architecture is presented first for a 256-bit Cipher Key and a 256-bit Block configuration. Partially pipelined structures were also implemented and achieve a throughput rate proportional to the pipeline degree. These improved architectures can ensure high-speed encryption by processing several Blocks of the plaintext concurrently. In return they need more logic resources. Since the resources are limited to those of the Virtex device, the highest-speed implementations lose flexibility in the choice of the number of bits coding the Cipher Key or the Blocks. Different implementation results illustrating this time-flexibility tradeoff are presented and commented on.
TL;DR: This report investigates the significance of FPGA implementations of the block ciphers KHAZAD and MISTY1 and proposes designs that unroll the cipher rounds and pipeline them in order to optimize the frequency and throughput results.
Abstract: The technical analysis used in determining which of the NESSIE candidates will be selected as a standard block cipher includes efficiency testing of both hardware and software implementations of candidate algorithms. Reprogrammable devices such as Field Programmable Gate Arrays (FPGAs) are highly attractive options for hardware implementations of encryption algorithms, and this report investigates the significance of FPGA implementations of the block ciphers KHAZAD and MISTY1. A strong focus is placed on high-throughput circuits, and we propose designs that unroll the cipher rounds and pipeline them in order to optimize the frequency and throughput results. In addition, we implemented solutions that allow the plaintext and the key to be changed on a cycle-by-cycle basis with no dead cycle. The resulting designs fit on a VIRTEX1000 FPGA and have throughputs between 8 and 9 Gbits/s. This is an impressive result compared with existing FPGA implementations of block ciphers within similar devices.
TL;DR: In this article, an S-vector is generated and used to encrypt successive packets of plaintext, thus reducing the per-packet encryption/decryption time, and a third variable is injected to eliminate the predictability of the variables, thus making the present efficient packet encryption method more secure.
Abstract: The present efficient packet encryption method decreases the computation time to encrypt and decrypt successive packets of plaintext data. An S-vector is generated and the S-vector is used to encrypt successive packets of plaintext, thus reducing the per packet encryption/decryption time. The formula for encrypting successive packets includes use of the packet sequence number with a third variable injected to eliminate the predictability of the variables, thus making the present efficient packet encryption method more secure. A fourth variable is injected into the calculations to generate an encryption stream that does not repeat as frequently to provide additional security from hackers. For encrypting a packet having a long payload of plaintext, a packet byte sequence number is used to generate an encryption stream that is less likely to repeat within a particular packet.
TL;DR: In this paper, a computer-implemented method comprises receiving a data cipher operation and processing the data cipher operation, where the processing of the operation includes generating a number of portions of ciphertext from plaintext, wherein a load operation associated with the generating of at least one portion of the ciphertext executes prior to a store operation associated with the generating of a prior portion of the ciphertext.
Abstract: In one embodiment, a computer-implemented method comprises receiving a data cipher operation. The method also comprises processing the data cipher operation. The processing of the operation includes generating a number of portions of ciphertext from plaintext, wherein a load operation associated with the generating of at least one portion of the ciphertext executes prior to a store operation associated with the generating of a prior portion of the ciphertext.
TL;DR: In this article, the authors present a method and apparatus for generating a cryptographic authentication code of a set of plaintext blocks, while allowing incremental updates to the set of plaintext blocks, which allows the updated authentication code to be computed in a highly parallelizable manner.
Abstract: This invention relates to a method and apparatus for generating a cryptographic authentication code of a set of plaintext blocks, while allowing incremental updates to the set of plaintext blocks. Additionally, an aspect of the invention allows the updated authentication code to be computed in a highly parallelizable manner. Another embodiment of the present invention defines a new class of authentication trees in which the updated authentication tree, although requiring log(n) block cryptographic operations, allows for the log(n) block cryptographic operations to be computed in parallel. Another embodiment of the present invention provides encryption and verification authentication tree schemes, as well as an apparatus that generates, updates, and verifies such authentication trees. Another embodiment of the present invention provides authentication tree schemes in which the individual cryptographic operations are block cipher invocations as opposed to hash function invocations. A method according to an embodiment of the present invention, for implementing a parallelizable authentication tree, is provided within the application. The method comprises the steps of recursively initializing an authentication tree to include nodes, inputting plaintext blocks into an authentication tree modifier, inputting the initialized authentication tree into the authentication tree modifier, processing the plaintext blocks and the initialized authentication tree by the authentication tree modifier, and outputting a modified authentication tree from the authentication tree modifier.
TL;DR: In this article, a data security device consisting of an interface decoder for receiving control instructions and data from a host computer is presented, which is connected to an encryption/decryption unit and a password check unit.
Abstract: The present invention provides a data security device and a data security method for storage media. The data security device comprises an interface decoder for receiving control instructions and data from a host computer. The interface decoder is connected to an encryption/decryption unit and a password check unit. When a user wants to access the security data region in the storage medium, the password check unit checks the entered password. If the password is correct, the encryption/decryption unit is activated to encrypt the data to be secured into a ciphertext and to decrypt the ciphertext into a plaintext. A storage data access control unit connected to the encryption/decryption unit and the storage medium is also provided to store the ciphertext and plaintext from the encryption/decryption unit into the storage medium and to read the data in the storage medium into the encryption/decryption unit. The present invention encrypts the data to be secured in the storage medium so as to have the advantage of absolute security.
TL;DR: This paper contains a new side channel attack on a plaintext encrypted by EME-OAEP PKCS#1 v.2.1 and a general idea of fault-based attacks on the RSA-KEM scheme, and presents two particular attacks as examples.
Abstract: This paper contains three parts. In the first part we present a new side channel attack on plaintext encrypted by EME-OAEP PKCS#1 v.2.1. In contrast with Manger's attack, we attack that part of the plaintext which is shielded by the OAEP method. In the second part we show that Bleichenbacher's and Manger's attacks on the RSA encryption schemes PKCS#1 v.1.5 and EME-OAEP PKCS#1 v.2.1 can be converted to an attack on the RSA signature scheme with any message encoding (not only PKCS). This is a new threat for those implementations of PKI in which the roles of signature and encryption keys are not strictly separated. This situation is often encountered in the SSL protocol used to secure access to web servers. In the third part we develop a general idea of fault-based attacks on the RSA-KEM scheme and present two particular attacks as examples. The result is the private key instead of the plaintext, as with attacks on PKCS#1 v.1.5 and v.2.1. These attacks should highlight the fact that the RSA-KEM scheme is not an entirely universal solution to the problems of RSAES-OAEP implementation and that even here the manner of implementation is significant. Category / Keywords: public-key cryptography / side channel attack, confirmation oracle, RSA-KEM, RSAES-OAEP, PKCS#1 v.1.5, PKCS#1 v.2.1, Bleichenbacher's attack, Manger's attack, power analysis, fault analysis.
TL;DR: In this paper, an encryption and decryption method applied upon transmitting a plaintext in a communication network containing plural subscriber ends is provided, which includes the steps of: picking a synchronization variation secret key from a first subscriber end, the value of the synchronization variation secret key synchronously varying at the subscriber ends; executing a first operation on the synchronization variation secret key by the first subscriber end to obtain an automatically changed secret key; and utilizing the automatically changed secret key to process a subsequent encryption of the plaintext by the first subscriber end so as to obtain a ciphertext.
Abstract: An encryption and decryption method applied upon transmitting a plaintext in a communication network containing plural subscriber ends is provided. The method includes the steps of: picking a synchronization variation secret key from a first subscriber end, the value of the synchronization variation secret key synchronously varying at the subscriber ends; executing a first operation on the synchronization variation secret key by the first subscriber end to obtain an automatically changed secret key; utilizing the automatically changed secret key to process a subsequent encryption of the plaintext by the first subscriber end so as to obtain a ciphertext to be transmitted to a second subscriber end; receiving the ciphertext and picking the synchronization variation secret key by the second subscriber end to execute the first operation and obtain the automatically changed secret key; and utilizing the automatically changed secret key to process a subsequent decryption of the ciphertext by the second subscriber end so as to obtain the plaintext.
TL;DR: This work proves that CBC, CTR and Jutla's integrity-aware modes do not have this property, and proves that when using a KPA-secure block cipher: CBC mode is KPA secure but need not be CPA secure, Jutla's modes need not be CPA secure, and CTR mode need not even be KPA secure.
Abstract: Given any weak pseudorandom function, we present a general and efficient technique transforming such a function into a new weak pseudorandom function with an arbitrary length output. This implies, among other things, an encryption mode for block ciphers. The mode is as efficient as known (and widely used) encryption modes such as CBC mode and counter (CTR) mode, but is provably secure against chosen-plaintext attack (CPA) as soon as the underlying symmetric cipher is secure against known-plaintext attack (KPA). We prove that CBC, CTR and Jutla's integrity-aware modes do not have this property. In particular, we prove that when using a KPA-secure block cipher: CBC mode is KPA secure but need not be CPA secure, Jutla's modes need not be CPA secure, and CTR mode need not even be KPA secure. The analysis is done in a concrete security framework.