TL;DR: A general multiparty computation (MPC) protocol with only two rounds of interaction in the common random string model, which is known to be optimal, is constructed for both the honest-but-curious setting and the fully malicious setting.
Abstract: We construct a general multiparty computation (MPC) protocol with only two rounds of interaction in the common random string model, which is known to be optimal. In the honest-but-curious setting we only rely on the learning with errors (LWE) assumption, and in the fully malicious setting we additionally assume the existence of non-interactive zero knowledge arguments (NIZKs). Previously, Asharov et al. (EUROCRYPT '12) showed how to achieve three rounds based on LWE and NIZKs, while Garg et al. (TCC '14) showed how to achieve the optimal two rounds based on indistinguishability obfuscation, but it was unknown if two rounds were possible under standard assumptions without obfuscation.
Our approach relies on multi-key fully homomorphic encryption (MFHE), introduced by Lopez-Alt et al. (STOC '12), which enables homomorphic computation over data encrypted under different keys. We present a construction of MFHE based on LWE that significantly simplifies a recent scheme of Clear and McGoldrick (CRYPTO '15). We then extend this construction to allow for a one-round distributed decryption of a multi-key ciphertext. Our entire MPC protocol consists of the following two rounds:
1. Each party individually encrypts its input under its own key and broadcasts the ciphertext. All parties can then homomorphically compute a multi-key encryption of the output.
2. Each party broadcasts a partial decryption of the output using its secret key. The partial decryptions can be combined to recover the output in plaintext.
TL;DR: This paper proposes lossless, reversible, and combined data hiding schemes for ciphertext images encrypted by public-key cryptosystems with probabilistic and homomorphic properties.
Abstract: This paper proposes lossless, reversible, and combined data hiding schemes for ciphertext images encrypted by public-key cryptosystems with probabilistic and homomorphic properties. In the lossless scheme, the ciphertext pixels are replaced with new values to embed the additional data into several least significant bit planes of ciphertext pixels by multilayer wet paper coding. Then, the embedded data can be directly extracted from the encrypted domain, and the data-embedding operation does not affect the decryption of the original plaintext image. In the reversible scheme, preprocessing is employed to shrink the image histogram before image encryption, so that the modification of encrypted images for data embedding will not cause any pixel oversaturation in the plaintext domain. Although a slight distortion is introduced, the embedded data can be extracted and the original image can be recovered from the directly decrypted image. Due to the compatibility between the lossless and reversible schemes, the data-embedding operations in the two manners can be performed simultaneously in an encrypted image. With the combined technique, a receiver may extract a part of the embedded data before decryption, and extract another part of the embedded data and recover the original plaintext image after decryption.
TL;DR: A new simple yet effective framework for RDH in the encrypted domain, in which the server manager does not need to design a new RDH scheme according to the encryption algorithm applied by the content owner, and most previously proposed RDH schemes can be applied to the encrypted image directly.
Abstract: Over the past decade and more, hundreds of reversible data hiding (RDH) algorithms have been reported. By exploiting the correlation between neighboring pixels (or coefficients), extra information can be embedded into the host image reversibly. However, these RDH algorithms cannot be applied in the encrypted domain directly, since the correlation between neighboring pixels disappears after encryption. In order to accomplish RDH in the encrypted domain, specific RDH schemes have been designed according to the encryption algorithm utilized. In this paper, we propose a new simple yet effective framework for RDH in the encrypted domain. In the proposed framework, the pixels in a plain image are first divided into sub-blocks of size $m\times n$. Then, with an encryption key, a key stream (a stream of random or pseudorandom bits/bytes that are combined with a plaintext message to produce the encrypted message) is generated, and the pixels in the same sub-block are encrypted with the same key stream byte. After the stream encryption, the encrypted $m\times n$ sub-blocks are randomly permuted with a permutation key. Since the correlation between neighboring pixels in each sub-block is well preserved in the encrypted domain, most previously proposed RDH schemes can be applied to the encrypted image directly. One of the main merits of the proposed framework is that the RDH scheme is independent of the image encryption algorithm. That is, the server manager (or channel administrator) does not need to design a new RDH scheme according to the encryption algorithm applied by the content owner; instead, he/she can accomplish the data hiding by applying the numerous previously proposed RDH algorithms to the encrypted domain directly.
TL;DR: It is proved that in all permutation-only image ciphers, regardless of the cipher structure, the correct permutation mapping is recovered completely by a chosen-plaintext attack, which significantly outperforms the state-of-the-art cryptanalytic methods.
Abstract: Permutation is a commonly used primitive in multimedia (image/video) encryption schemes, and many permutation-only algorithms have been proposed in recent years for the protection of multimedia data. In permutation-only image ciphers, the entries of the image matrix are scrambled using a permutation mapping matrix which is built by a pseudo-random number generator. The literature on the cryptanalysis of image ciphers indicates that the permutation-only image ciphers are insecure against ciphertext-only attacks and/or known/chosen-plaintext attacks. However, the previous studies have not been able to ensure the correct retrieval of the complete plaintext elements. In this paper, we revisited the previous works on cryptanalysis of permutation-only image encryption schemes and made the cryptanalysis work on chosen-plaintext attacks complete and more efficient. We proved that in all permutation-only image ciphers, regardless of the cipher structure, the correct permutation mapping is recovered completely by a chosen-plaintext attack. To the best of our knowledge, for the first time, this paper gives a chosen-plaintext attack that completely determines the correct plaintext elements using a deterministic method. When the plain-images are of size $M\times N$ and with $L$ different color intensities, the number $n$ of required chosen plain-images to break the permutation-only image encryption algorithm is $n=\lceil \log_{L}(MN)\rceil$. The complexity of the proposed attack is $O(n\cdot MN)$, which indicates its feasibility in a polynomial amount of computation time. To validate the performance of the proposed chosen-plaintext attack, numerous experiments were performed on two recently proposed permutation-only image/video ciphers. Both theoretical and experimental results showed that the proposed attack outperforms the state-of-the-art cryptanalytic methods.
TL;DR: A novel framework for RDH-EI based on reversible image transformation (RIT), which avoids ciphertexts that may attract the attention of a curious cloud, and in which the data-embedding process executed by the cloud server is independent of both the encryption and decryption processes.
Abstract: With the popularity of outsourcing data to the cloud, it is vital to protect the privacy of data and enable the cloud server to easily manage the data at the same time. Under such demands, reversible data hiding in encrypted images (RDH-EI) attracts more and more researchers' attention. In this paper, we propose a novel framework for RDH-EI based on reversible image transformation (RIT). Different from all previous encryption-based frameworks, in which the ciphertexts may attract the attention of a curious cloud, the RIT-based framework allows the user to transform the content of the original image into the content of another target image of the same size. The transformed image, which looks like the target image, is used as the "encrypted image" and is outsourced to the cloud. Therefore, the cloud server can easily embed data into the "encrypted image" by any RDH method for plaintext images. Thus a client-free scheme for RDH-EI can be realized, that is, the data-embedding process executed by the cloud server is independent of both the encryption and decryption processes. Two RDH methods, a traditional RDH scheme and a unified embedding and scrambling scheme, are adopted to embed a watermark in the encrypted image, satisfying different needs for image quality and large embedding capacity, respectively.
TL;DR: In the proposed scheme, the strategy of DNA computing and a one-time pad encryption policy is employed, which can enhance the sensitivity to the plaintext and resist differential attacks, brute-force attacks, statistical attacks and plaintext attacks.
TL;DR: In this article, the authors demonstrate two concrete attacks that exploit collisions on short block ciphers, such as 3DES and Blowfish, and evaluate the impact of their attacks by measuring the use of 64-bit blockciphers in real-world protocols.
Abstract: While modern block ciphers, such as AES, have a block size of at least 128 bits, there are many 64-bit block ciphers, such as 3DES and Blowfish, that are still widely supported in Internet security protocols such as TLS, SSH, and IPsec. When used in CBC mode, these ciphers are known to be susceptible to collision attacks when they are used to encrypt around $2^{32}$ blocks of data (the so-called birthday bound). This threat has traditionally been dismissed as impractical since it requires some prior knowledge of the plaintext and even then, it only leaks a few secret bits per gigabyte. Indeed, practical collision attacks have never been demonstrated against any mainstream security protocol, leading to the continued use of 64-bit ciphers on the Internet. In this work, we demonstrate two concrete attacks that exploit collisions on short block ciphers. First, we present an attack on the use of 3DES in HTTPS that can be used to recover a secret session cookie. Second, we show how a similar attack on Blowfish can be used to recover HTTP BasicAuth credentials sent over OpenVPN connections. In our proof-of-concept demos, the attacker needs to capture about 785 GB of data, which takes between 19 and 38 hours in our setting. This complexity is comparable to the recent RC4 attacks on TLS: the only fully implemented attack takes 75 hours. We evaluate the impact of our attacks by measuring the use of 64-bit block ciphers in real-world protocols. We discuss mitigations, such as disabling all 64-bit block ciphers, and report on the response of various software vendors to our responsible disclosure of these attacks.
TL;DR: It is shown that the adversary's task of matching plaintext keywords to the opaque cryptographic identifiers used in EDESE can be reduced to the well-known combinatorial optimization problem of weighted graph matching (WGM).
Abstract: Encrypting Internet communications has been the subject of renewed focus in recent years. In order to add end-to-end encryption to legacy applications without losing the convenience of full-text search, ShadowCrypt and Mimesis Aegis use a new cryptographic technique called "efficiently deployable efficiently searchable encryption" (EDESE) that allows a standard full-text search system to perform searches on encrypted data. Compared to other recent techniques for searching on encrypted data, EDESE schemes leak a great deal of statistical information about the encrypted messages and the keywords they contain. Until now, the practical impact of this leakage has been difficult to quantify. In this paper, we show that the adversary's task of matching plaintext keywords to the opaque cryptographic identifiers used in EDESE can be reduced to the well-known combinatorial optimization problem of weighted graph matching (WGM). Using real email and chat data, we show how off-the-shelf WGM solvers can be used to accurately and efficiently recover hundreds of the most common plaintext keywords from a set of EDESE-encrypted messages. We show how to recover the tags from Bloom filters so that the WGM solver can be used with the set of encrypted messages that utilizes a Bloom filter to encode its search tags. We also show that the attack can be mitigated by carefully configuring Bloom filter parameters.
TL;DR: This paper focuses on storing data on the cloud in the encrypted format using fully homomorphic encryption of Amazon Web Service (AWS) public cloud.
TL;DR: In this article, the authors compare the NTRU and BGV schemes in both their non-scale-invariant form (message in the lower bits) and their scale-invariant form (message in the upper bits), and find that the BGV scheme appears to be more efficient for large plaintext moduli.
Abstract: The purpose of this paper is to compare side-by-side the NTRU and BGV schemes in their non-scale-invariant (messages in the lower bits) and scale-invariant (message in the upper bits) forms. The scale-invariant versions are often called the YASHE and FV schemes. As an additional optimization, we also investigate the effect of modulus reduction on the scale-invariant schemes. We compare the schemes using the "average case" noise analysis presented by Gentry et al. In addition we unify notation and techniques so as to show commonalities between the schemes. We find that the BGV scheme appears to be more efficient for large plaintext moduli, whilst YASHE seems more efficient for small plaintext moduli, although the benefit is not as great as one would have expected.
TL;DR: A new simple OPE model is proposed, which uses message space expansion and nonlinear space splitting to hide data distribution and frequency; its security against two kinds of attack is further analyzed in detail.
TL;DR: A security-enhanced asymmetric optical cryptosystem based on coherent superposition and equal modulus decomposition that guarantees high-level security to the attack based on iterative Fourier transform and maintains the good performance of the previous Cryptosystem.
TL;DR: An expressive CP-ABE scheme with partially hidden access structures in prime-order groups is presented, and a few other schemes supporting expressive access structures are computationally inefficient since they are built from bilinear pairings over the composite- order groups.
Abstract: A promising solution to protect data privacy in cloud storage services is known as ciphertext-policy attribute-based encryption (CP-ABE). However, in a traditional CP-ABE scheme, a ciphertext is bound with an explicit access structure, which may leak private information about the underlying plaintext in that anyone having access to the ciphertexts can tell the attributes of the privileged recipients by looking at the access structures. A notion called CP-ABE with partially hidden access structures [14, 15, 18, 19, 24] was put forth to address this problem, in which each attribute consists of an attribute name and an attribute value and the specific attribute values of an access structure are hidden in the ciphertext. However, previous CP-ABE schemes with partially hidden access structures only support access structures in AND gates, whereas a few other schemes supporting expressive access structures are computationally inefficient since they are built from bilinear pairings over composite-order groups. In this paper, we focus on addressing this problem, and present an expressive CP-ABE scheme with partially hidden access structures in prime-order groups.
TL;DR: Performance analysis shows that the proposed scheme for grayscale medical images, based on the features of genetic algorithms, has good statistical properties and key sensitivity, and can efficiently resist brute-force, differential, plaintext and entropy attacks.
Abstract: The security of digital medical images has attracted much attention recently, especially when these images are sent through communication networks. An image encryption technique tries to convert an image to another image that is hard to understand. In this communication, we propose an encryption method for grayscale medical images based on the features of genetic algorithms. Performance analysis shows that the proposed scheme has good statistical properties and key sensitivity, and can efficiently resist brute-force, differential, plaintext and entropy attacks.
TL;DR: In this paper, a new encryption method based on dynamic substitution boxes is proposed using two chaotic maps; it does not rely on a fixed block cipher, so the security level can be enhanced.
Abstract: The substitution box is a unique and nonlinear core component of block ciphers. A better design technique for substitution boxes can boost the quality of ciphertexts. In this paper, a new encryption method based on dynamic substitution boxes is proposed using two chaotic maps. To break the correlation in an original image, the pixel values of the original plaintext image are permuted row- and column-wise through random sequences. These random sequences are generated by the 2-D Burgers chaotic map. For the generation of dynamic substitution boxes, the Logistic chaotic map is employed. In the diffusion process, the permuted image is divided into blocks and each block is substituted via a different dynamic substitution box. In contrast to conventional encryption schemes, the proposed scheme does not rely on a fixed block cipher, and hence the security level can be enhanced. Extensive security analysis, including a histogram test, is applied to the proposed image encryption technique. All experimental results reveal that the proposed scheme has a high level of security and robustness for transmission of digital images over insecure communication channels.
TL;DR: Experimental results show that the proposed scheme can ensure both format compliance and file size preservation while providing effective retrieval service in encrypted domain.
TL;DR: This paper proposes the first identity-based broadcast encryption scheme which simultaneously achieves confidentiality and full anonymity against adaptive chosen-ciphertext attacks under a standard assumption.
Abstract: In this paper, we propose the first identity-based broadcast encryption scheme which simultaneously achieves confidentiality and full anonymity against adaptive chosen-ciphertext attacks under a standard assumption. In addition, two further desirable features are provided: one is full collusion resistance, which means that even if all users outside the receiver set S collude, they cannot obtain any information about the plaintext. The other is statelessness, which means that users in the system do not need to update their private keys when other users join or leave the system. In particular, our scheme is highly efficient: the public parameter size, the private key size and the decryption cost are all constant and independent of the number of receivers.
TL;DR: Simulation results show that the proposed plaintext-related image encryption system has many good characteristics, such as fast encryption speed, large key space, high key sensitivity, effective resistance to differential attacks and a noise-like cipher-text image, and thus can be used in actual communications.
Abstract: This paper proposes a plaintext-related image encryption system, which employs a hyper-chaotic system to generate the secret code streams used for encryption. The encryption algorithm includes two plaintext-unrelated diffusion operations and one plaintext-related shuffling. Due to the use of plaintext-related shuffling, the proposed encryption system can resist chosen/known plaintext attacks. Simulation results show that the proposed system has many good characteristics, such as fast encryption speed, large key space, high key sensitivity, effective resistance to differential attacks and a noise-like cipher-text image, and thus can be used in actual communications.
TL;DR: An identity-based encryption scheme resilient to leakage under composite order groups and secure against post-challenge continuous auxiliary input, adaptive chosen-identity, and adaptive chosen plaintext attacks under three static assumptions in the standard model is presented.
TL;DR: Analysis shows that the proposed AKA protocol for the LTE network is secure, efficient and privacy-preserving, and reduces bandwidth consumption during authentication.
Abstract: The Evolved Packet System-based Authentication and Key Agreement (EPS-AKA) protocol of the long-term evolution (LTE) network does not support Internet of Things (IoT) objects and has several security limitations, including transmission of the object's (user/device) identity and key set identifier in plaintext over the network, synchronization, large overhead, limited identity privacy, and vulnerability to security attacks. In this article, we propose a new secure and efficient AKA protocol for the LTE network that supports secure and efficient communications among various IoT devices as well as among users. Analysis shows that our protocol is secure, efficient and privacy-preserving, and reduces bandwidth consumption during authentication.
TL;DR: A masking scheme to protect ring-LWE decryption from first-order side-channel attacks by arithmetically splitting the secret key polynomial into two random shares and keeping all intermediates, including the recovered plaintext, in the masked domain.
Abstract: In this paper, we propose a masking scheme to protect ring-LWE decryption from first-order side-channel attacks. In an unprotected ring-LWE decryption, the recovered plaintext is computed by first performing polynomial arithmetic on the secret key and then decoding the result. We mask the polynomial operations by arithmetically splitting the secret key polynomial into two random shares; the final decoding operation is performed using a new bespoke masked decoder. The outputs of our masked ring-LWE decryption are Boolean shares suitable for derivation of a symmetric key. Thus, the masking scheme keeps all intermediates, including the recovered plaintext, in the masked domain. We have implemented the masking scheme on both hardware and software. On a Xilinx Virtex-II FPGA, the masked ring-LWE processor requires around 2000 LUTs, a $20\%$ increase in area with respect to the unprotected architecture. A masked decryption operation takes 7478 cycles, which is only a factor $2.6\times$ larger than the unprotected decryption. On a 32-bit ARM Cortex-M4F processor, the masked software implementation costs around $5.2\times$ more cycles than the unprotected implementation.
TL;DR: This work proposes two novel privacy-preserving HOG outsourcing protocols, by efficiently encrypting image data with somewhat homomorphic encryption (SHE) integrated with single-instruction multiple-data (SIMD), designing a new batched secure comparison protocol, and carefully redesigning every step of HOG to adapt it to the ciphertext domain.
Abstract: The abundant multimedia data generated in our daily life has enabled a variety of very important and useful real-world applications such as object detection and recognition. Along with these applications, many popular feature descriptors have been developed, e.g., SIFT, SURF and HOG. Manipulating massive multimedia data locally, however, is a storage- and computation-intensive task, especially for resource-constrained clients. In this work, we focus on exploring how to securely outsource the well-known feature extraction algorithm Histogram of Oriented Gradients (HOG) to untrusted cloud servers without revealing the data owner's private information. For the first time, we investigate this secure outsourcing computation problem under two different models and accordingly propose two novel privacy-preserving HOG outsourcing protocols, by efficiently encrypting image data with somewhat homomorphic encryption (SHE) integrated with single-instruction multiple-data (SIMD), designing a new batched secure comparison protocol, and carefully redesigning every step of HOG to adapt it to the ciphertext domain. Explicit security and effectiveness analyses are presented to show that our protocols are practically secure and approximate well the performance of the original HOG executed in the plaintext domain. Our extensive experimental evaluations further demonstrate that our solutions achieve high efficiency and perform comparably to the original HOG when applied to human detection.
TL;DR: In the presented protocol, entangled states, joint measurements and even unitary operations are not needed; only rotation operations and single-state measurements are required, which are easier to realize with current technology.
Abstract: A secure multiparty quantum key agreement protocol using single-qubit states is proposed. The agreement key is computed by performing the exclusive-OR operation on all the participants' secret keys. Based on the commutative property of the commutative encryption, the exclusive-OR operation can be performed on the plaintext in the encrypted state without decrypting it. Thus, it not only protects the final shared key, but also reduces the complexity of the computation. The efficiency of the proposed protocol, compared with previous multiparty QKA protocols, is also improved. In the presented protocol, entangled states, joint measurements and even unitary operations are not needed; only rotation operations and single-state measurements are required, which are easier to realize with current technology.
TL;DR: Compared with the existing block-cipher-based RDH-EI method, the drawbacks of its encryption and recovery are avoided, and good embedding payloads are achieved.
Abstract: While most reversible data hiding in encrypted images (RDH-EI) schemes are based on stream ciphers, this paper aims to present an alternative method feasible for block-enciphered images. Before uploading data to a remote server, the content owner encrypts the original image with a block cipher algorithm using an encryption key. Then, the server embeds additional bits into the encrypted image with an embedding key to generate the marked encrypted image. On the recipient side, the additional bits can be extracted if the receiver has the embedding key. In case the receiver has only the encryption key, the marked encrypted image can be directly deciphered to a plaintext image of good quality. When both the embedding and encryption keys are available to the receiver, he can recover the original image without any errors. Compared with the existing block-cipher-based RDH-EI method, the drawbacks of its encryption and recovery are avoided, and good embedding payloads are achieved.
TL;DR: A new zero-knowledge protocol applicable to additively homomorphic functions that map integer vectors to an Abelian group that achieves amortised efficiency comparable to the approach of Cramer and Damgard from Crypto 2010, but gives a much tighter bound on what the authors can extract from a dishonest prover.
Abstract: We propose a new zero-knowledge protocol applicable to additively homomorphic functions that map integer vectors to an Abelian group. The protocol demonstrates knowledge of a short preimage and achieves amortised efficiency comparable to the approach of Cramer and Damgård from Crypto 2010, but gives a much tighter bound on what we can extract from a dishonest prover. Towards achieving this result, we develop an analysis for bins-and-balls games that might be of independent interest. We also provide a general analysis of rewinding of a cut-and-choose protocol as well as a method to use Lyubashevsky's rejection sampling technique efficiently in an interactive protocol when many proofs are given simultaneously.
Our new protocol yields improved proofs of plaintext knowledge for Ring-LWE-based cryptosystems, where such general techniques were not known before. Moreover, they can be extended to prove preimages of homomorphic hash functions as well.
TL;DR: The authors design a new public-key encryption scheme satisfying indistinguishability under plaintext-checking attacks (IND-PCA), and show that, for many password-based authenticated key exchange (PAKE) schemes in the Bellare–Pointcheval–Rogaway security model, they can safely replace the underlying IND-CCA encryption schemes with their new IND-PCA one.
Abstract: Indistinguishability under chosen-ciphertext attack (IND-CCA) is now considered the de facto security notion for public-key encryption. However, this sometimes offers a stronger security guarantee than what is needed. In this study, the authors consider a weaker security notion, termed indistinguishability under plaintext-checking attacks (IND-PCA), in which the adversary only has access to an oracle indicating whether or not a given ciphertext encrypts a given message. After formalising this notion, the authors design a new public-key encryption scheme satisfying it. The new scheme is a variant of the Cramer–Shoup encryption scheme with shorter ciphertexts. Its security is also based on the plain decisional Diffie–Hellman (DDH) assumption. Additionally, the algebraic properties of the new scheme allow proving plaintext knowledge using Groth–Sahai non-interactive zero-knowledge proofs or smooth projective hash functions. Finally, as a concrete application, the authors show that, for many password-based authenticated key exchange (PAKE) schemes in the Bellare–Pointcheval–Rogaway security model, they can safely replace the underlying IND-CCA encryption schemes with their new IND-PCA one. By doing so, they reduce the overall communication complexity of these protocols and obtain the most efficient PAKE schemes to date based on plain DDH.
TL;DR: This paper presents the notion of recipient-revocable identity-based broadcast encryption scheme, where a content provider will produce encrypted content and send them to a third party, which will be able to revoke some identities from the ciphertext.
Abstract: In this paper, we present the notion of a recipient-revocable identity-based broadcast encryption scheme. In this notion, a content provider will produce encrypted content and send it to a third party (which is a broadcaster). This third party will be able to revoke some identities from the ciphertext. We present a security model to capture these requirements, as well as a concrete construction. The ciphertext consists of k+3 group elements, assuming that the maximum number of revocation identities is k. That is, the ciphertext size is linear in the maximal size of R, where R is the revocation identity set. However, we note that the additional elements compared to those of an IBBE scheme are only for the revocation and not for decryption. Therefore, the ciphertext sent to the users for decryption will be of constant size (i.e., 3 group elements). Finally, we present the proof of security of our construction.
TL;DR: A novel chaos-based image encryption scheme, in which the two-dimensional rectangular transform is employed to directly scramble the image of any rectangular size, and the dependent substitution is introduced to substitute for each pixel according to the image pixels.
Abstract: Chaos-based image cryptosystems usually adopt the traditional confusion-diffusion architecture which is considered insecure against known/chosen plaintext attacks. To overcome this drawback, this paper proposes a novel chaos-based image encryption scheme, in which the two-dimensional rectangular transform is employed to directly scramble the image of any rectangular size, and the dependent substitution is introduced to substitute for each pixel according to the image pixels. This scheme comprises two stages of encryption processes. Each stage provides the confusion and diffusion simultaneously in one traverse of image pixels. As a result, the proposed scheme has high speed and achieves a satisfactory security performance. Experimental results and various types of security analysis indicate that this scheme is efficient and secure enough to be used for practical image encryption and transmission.