
Showing papers on "40-bit encryption published in 2000"


Journal ArticleDOI
TL;DR: This work proposes a novel solution called partial encryption, in which a secure encryption algorithm is used to encrypt only part of the compressed data, resulting in a significant reduction in encryption and decryption time.
Abstract: The increased popularity of multimedia applications places a great demand on efficient data storage and transmission techniques. Network communication, especially over a wireless network, can easily be intercepted and must be protected from eavesdroppers. Unfortunately, encryption and decryption are slow, and it is often difficult, if not impossible, to carry out real-time secure image and video communication and processing. Methods have been proposed to combine compression and encryption together to reduce the overall processing time, but they are either insecure or too computationally intensive. We propose a novel solution called partial encryption, in which a secure encryption algorithm is used to encrypt only part of the compressed data. Partial encryption is applied to several image and video compression algorithms in this paper. Only 13-27% of the output from quadtree compression algorithms is encrypted for typical images, and less than 2% is encrypted for 512×512 images compressed by the set partitioning in hierarchical trees (SPIHT) algorithm. The results are similar for video compression, resulting in a significant reduction in encryption and decryption time. The proposed partial encryption schemes are fast, secure, and do not reduce the compression performance of the underlying compression algorithm.

612 citations


01 Jan 2000
TL;DR: Camellia as discussed by the authors is a new 128-bit block cipher with 128-, 192-, and 256-bit key lengths, which was designed to withstand all known cryptanalytic attacks and even to have a sufficiently large security leeway for use of the next 10-20 years.
Abstract: We present a new 128-bit block cipher called Camellia. Camellia supports a 128-bit block size and 128-, 192-, and 256-bit key lengths, i.e. the same interface specifications as the Advanced Encryption Standard (AES). Camellia was carefully designed to withstand all known cryptanalytic attacks and even to have a sufficiently large security leeway for use over the next 10-20 years. There are no hidden weaknesses inserted by the designers. It was also designed to be suitable for both software and hardware implementations and to cover all possible encryption applications, ranging from low-cost smart cards to high-speed network systems. Compared to the AES finalists, Camellia offers at least comparable encryption speed in software and hardware. An optimized implementation of Camellia in assembly language can encrypt on a Pentium III (800 MHz) at a rate of more than 276 Mbits per second, which is much faster than the speed of an optimized DES implementation. In addition, a distinguishing feature is its small hardware design. The hardware design, which includes key schedule, encryption and decryption, occupies approximately 11K gates, which is the smallest among all existing 128-bit block ciphers as far as we know. It perfectly meets current market requirements in wireless cards, for instance, where low power consumption is a mandatory condition.

377 citations


Book ChapterDOI
10 Apr 2000
TL;DR: This work presents definitions of a new notion of security for private-key encryption called encryption unforgeability which captures an adversary's inability to generate valid ciphertexts and presents and analyzes a new mode of encryption, RPC, which is unforgeable in the strongest sense.
Abstract: We find certain neglected issues in the study of private-key encryption schemes. For one, private-key encryption is generally held to the same standard of security as public-key encryption (i.e., indistinguishability) even though usage of the two is very different. Secondly, though the importance of secure encryption of single blocks is well known, the security of modes of encryption (used to encrypt multiple blocks) is often ignored. With this in mind, we present definitions of a new notion of security for private-key encryption called encryption unforgeability which captures an adversary's inability to generate valid ciphertexts. We show applications of this definition to authentication protocols and adaptive chosen ciphertext security. Additionally, we present and analyze a new mode of encryption, RPC (for Related Plaintext Chaining), which is unforgeable in the strongest sense of the above definition. This gives the first mode provably secure against chosen ciphertext attacks. Although RPC is slightly less efficient than, say, CBC mode (requiring about 33% more block cipher applications and having ciphertext expansion of the same amount when using a block cipher with 128-bit blocksize), it has highly parallelizable encryption and decryption operations.

225 citations


Book ChapterDOI
03 Dec 2000
TL;DR: This work investigates the following approach to symmetric encryption: first encode the message via some keyless transform, and then encipher the encoded message, meaning apply a permutation FK based on a shared key K.
Abstract: We investigate the following approach to symmetric encryption: first encode the message via some keyless transform, and then encipher the encoded message, meaning apply a permutation FK based on a shared key K. We provide conditions on the encoding functions and the cipher which ensure that the resulting encryption scheme meets strong privacy (eg. semantic security) and/or authenticity goals. The encoding can either be implemented in a simple way (eg. prepend a counter and append a checksum) or viewed as modeling existing redundancy or entropy already present in the messages, whereby encode-then-encipher encryption provides a way to exploit structured message spaces to achieve compact ciphertexts.

219 citations
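The encode-then-encipher construction above is concrete enough to run. The following is an added example, not code from the paper: the encoding prepends an 8-byte counter and appends a 16-byte SHA-256 checksum (the "prepend a counter and append a checksum" instantiation), and the enciphering step is a keyed permutation over the whole encoded string. Since the standard library has no variable-input-length cipher, the permutation is assumed to be a 4-round Feistel network with HMAC-SHA256 as round function; the key, counter width and tag width are likewise assumptions. Decryption applies the inverse permutation and then rejects anything that does not decode to a valid encoding, which is what gives the scheme its authenticity property.

```python
"""Encode-then-encipher (added example, not the paper's code).
encode  = counter || msg || checksum
encrypt = F_K(encode(msg))      F_K: keyed permutation (assumed: HMAC-based Feistel)
decrypt = decode(F_K^{-1}(ct))  rejects if the checksum or counter is invalid
"""
import hashlib
import hmac
import struct

ROUNDS = 4        # even, so both Feistel halves return to their original sizes
CTR_LEN = 8       # bytes of counter prepended by the encoding (assumption)
TAG_LEN = 16      # bytes of checksum appended by the encoding (assumption)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, data: bytes, length: int) -> bytes:
    """Round function F_i: HMAC-SHA256(key, i || ctr || data), extended to `length` bytes."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, bytes([rnd]) + struct.pack(">I", ctr) + data,
                        hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encipher(key: bytes, block: bytes) -> bytes:
    """Keyed permutation over the whole encoded message (any length >= 2 bytes)."""
    half = len(block) // 2
    l, r = block[:half], block[half:]
    for i in range(ROUNDS):
        # unbalanced Feistel round: the halves swap sizes every round
        l, r = r, _xor(l, _round_fn(key, i, r, len(l)))
    return l + r


def decipher(key: bytes, block: bytes) -> bytes:
    """Inverse of encipher: undo the rounds in reverse order."""
    half = len(block) // 2
    l, r = block[:half], block[half:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round_fn(key, i, l, len(r))), l
    return l + r


def encode(counter: int, msg: bytes) -> bytes:
    """Keyless encoding: counter || msg || SHA-256(counter || msg)[:TAG_LEN]."""
    hdr = struct.pack(">Q", counter)
    tag = hashlib.sha256(hdr + msg).digest()[:TAG_LEN]
    return hdr + msg + tag


def decode(encoded: bytes):
    """Return (counter, msg) if the redundancy checks out, else None."""
    if len(encoded) < CTR_LEN + TAG_LEN:
        return None
    hdr, msg, tag = encoded[:CTR_LEN], encoded[CTR_LEN:-TAG_LEN], encoded[-TAG_LEN:]
    if not hmac.compare_digest(tag, hashlib.sha256(hdr + msg).digest()[:TAG_LEN]):
        return None
    return struct.unpack(">Q", hdr)[0], msg


class EncodeThenEncipher:
    def __init__(self, key: bytes):
        self.key = key
        self.send_counter = 0      # never reused under one key: this is what gives privacy
        self.last_received = -1    # receiver-side replay check on the authenticated counter

    def encrypt(self, msg: bytes) -> bytes:
        ct = encipher(self.key, encode(self.send_counter, msg))
        self.send_counter += 1
        return ct

    def decrypt(self, ct: bytes):
        """Return the message, or None if ct is not the image of a fresh, valid encoding."""
        dec = decode(decipher(self.key, ct))
        if dec is None or dec[0] <= self.last_received:
            return None
        self.last_received = dec[0]
        return dec[1]
```

Because the permutation mixes the whole string, a single flipped ciphertext bit scrambles the counter, the message and the checksum together, so a forgery is caught by the checksum and a replayed ciphertext by the counter. The 33% of extra block-cipher work the RPC abstract mentions has its analogue here in the counter and tag bytes carried in every ciphertext.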


Book ChapterDOI
03 Dec 2000
TL;DR: The basic protocol of Asokan et al. is extended to a new primitive called verifiable group encryption, which can be applied to construct group signatures, identity escrow, and signature sharing schemes from a wide range of signature, identification and encryption schemes already in use.
Abstract: We generalize and improve the security and efficiency of the verifiable encryption scheme of Asokan et al., such that it can rely on more general assumptions, and can be proven secure without assuming random oracles. We extend our basic protocol to a new primitive called verifiable group encryption. We show how our protocols can be applied to construct group signatures, identity escrow, and signature sharing schemes from a wide range of signature, identification, and encryption schemes already in use. In particular, we achieve perfect separability for all these applications, i.e., all participants can choose their signature and encryption schemes and the keys thereof independently of each other, even without having these applications in mind.

195 citations


Book ChapterDOI
20 Aug 2000
TL;DR: This paper provides both empirical and theoretical evidence indicating that there is a long-lived broadcast encryption scheme that achieves a steady state in which only a small fraction of cards need to be replaced in each epoch.
Abstract: In a broadcast encryption scheme, digital content is encrypted to ensure that only privileged users can recover the content from the encrypted broadcast. Key material is usually held in a "tamper-resistant," replaceable, smartcard. A coalition of users may attack such a system by breaking their smartcards open, extracting the keys, and building "pirate decoders" based on the decryption keys they extract. In this paper we suggest the notion of long-lived broadcast encryption as a way of adapting broadcast encryption to the presence of pirate decoders and maintaining the security of broadcasts to privileged users while rendering all pirate decoders useless. When a pirate decoder is detected in a long-lived encryption scheme, the keys it contains are viewed as compromised and are no longer used for encrypting content. We provide both empirical and theoretical evidence indicating that there is a long-lived broadcast encryption scheme that achieves a steady state in which only a small fraction of cards need to be replaced in each epoch. That is, for any fraction β, the parameter values may be chosen in such a way to ensure that eventually, at most β of the cards must be replaced in each epoch. Long-lived broadcast encryption schemes are a more comprehensive solution to piracy than traitor-tracing schemes, because the latter only seek to identify the makers of pirate decoders and don't deal with how to maintain secure broadcasts once keys have been compromised. In addition, long-lived schemes are a more efficient long-term solution than revocation schemes, because their primary goal is to minimize the amount of recarding that must be done in the long term.

165 citations


Book ChapterDOI
20 Aug 2000
TL;DR: A construction of non-committing encryption that can be based on any public-key system which is secure in the ordinary sense and which has an extra property the authors call simulatability is proposed, which generalises an earlier scheme proposed by Beaver based on the Diffie-Hellman problem and proposes another implementation based on RSA.
Abstract: Non-committing encryption enables the construction of multiparty computation protocols secure against an adaptive adversary in the computational setting where private channels between players are not assumed. While any non-committing encryption scheme must be secure in the ordinary semantic sense, the converse is not necessarily true. We propose a construction of non-committing encryption that can be based on any public-key system which is secure in the ordinary sense and which has an extra property we call simulatability. This generalises an earlier scheme proposed by Beaver based on the Diffie-Hellman problem, and we propose another implementation based on RSA. In a more general setting, our construction can be based on any collection of trapdoor permutations with a certain simulatability property. This offers a considerable efficiency improvement over the first non-committing encryption scheme proposed by Canetti et al. Finally, at some loss of efficiency, our scheme can be based on general collections of trapdoor permutations without the simulatability assumption, and without the common-domain assumption of Canetti et al. In showing this last result, we identify and correct a bug in a key generation protocol from Canetti et al.

164 citations


Patent
20 Oct 2000
TL;DR: In this article, the authors present a method for encryption, storage, decryption, and retrieval of encrypted data on a computer system, which also includes an information database (62) and a key database (44) inside the security domain.
Abstract: A computer system (20) with a security domain (22), at least one client business domain (26), and a plurality of client terminals (34) utilizes a hidden link dynamic key manager (24, 84) and a database structure including encrypted data entities (30C, 30D) and a security identification attribute (32) for storage of encrypted data. A method for encryption, storage, decryption, and retrieval of encrypted data operates on the computer system (20), which also includes an information database (62) and a key database (44). The key database (44) is isolated from the information database (62). The security domain (22) includes a system key manager (84) operable to generate system keys with system key common names and an encryption key manager (24) operable to generate encryption keys having encryption key identifications. The key managers (24, 84) operate on a key server (40), which is mirrored by a secondary key server (42). A general security manager (82) also operates on the key server (40) to control access to the security domain (22). The security information attribute (32) is stored with a persistent data entity (30A) that is associated with the other data entities (30C, 30D) by a database schema. The security information attribute (32) includes the encryption key identification (112) for the encryption key used to encrypt the data entities (30C, 30D). The encryption key identification is encrypted by the system key, and the system key common name hash value (114) is also stored in the security information attribute (32). The information data entities (30) are stored on the information database (62), but the encryption key identification (153), encryption key (154), system key common name hash value (156, 157), and system key common name (158) are stored in the key database (44) inside the security domain (22). The system key itself is stored on a Smart Card reader (56) inside the security domain.

140 citations


Patent
29 Dec 2000
TL;DR: In this paper, a method and apparatus for improved data management is described, which comprises generating a first key component, deriving an encryption key from the first key component, a token key and a personal identification number (PIN), and sending the encrypted data to a server together with the first key component.
Abstract: A method and apparatus for improved data management are described. In one embodiment, the method comprises generating a first key component, generating an encryption key using the first key component, a token key and a personal identification number (PIN), encrypting data using the encryption key, and sending the data encrypted with the encryption key to a server along with the first key component.

120 citations


Patent
06 Jul 2000
TL;DR: In this article, a logical tree structure and method for managing membership in a multicast group provides scalability and security from internal attacks, with each subgroup having a subgroup manager (12, 14, 18).
Abstract: A logical tree structure (10) and method for managing membership in a multicast group provides scalability and security from internal attacks. The structure defines key groups (20) and subgroups (24, 22), with each subgroup having a subgroup manager (12, 14, 18). Dual encryption allows the sender (12) of the multicast data to manage distribution of a first set of encryption keys whereas the individual subgroup managers (12, 14, 18) manage the distribution of a second set of encryption keys. The two key sets allow the sender (12) to delegate much of the group management responsibilities without compromising security because a key from each set is required to access the multicast data. Security is further maintained via a method in which subgroup managers (12, 14, 18) can be either members (18) or participants (14). Access to both keys is provided to members (18) whereas access to only one key is provided to participants (14). Nodes can be added without generating a new encryption key at the top level which provides improved scalability.

118 citations


Proceedings ArticleDOI
30 Jul 2000
TL;DR: A novel, light-weight video encryption algorithm that supports light- Weight, multi-layered encryption and can provide security by encrypting only a fraction of the data depending on the level of security the user requires.
Abstract: This paper introduces a novel, light-weight video encryption algorithm that supports light-weight, multi-layered encryption. The objectives of this encryption algorithm are to reduce the total amount of data encrypted (while providing reasonable privacy and security) and to allow for the playback of the encrypted stream in the presence of network packet loss and bit-errors. The latter property allows for the easy adaptation of encrypted video over best-effort networks, such as the Internet. This algorithm partitions the stream into three layers and provides encryption on the lower two layers. An adaptive algorithm is provided that shows how to adaptively partition the video data so that the user can ensure a maximum peak signal to noise ratio in the base layer. Our results show that we can provide security by encrypting only a fraction of the data depending on the level of security the user requires.

Book ChapterDOI
20 Aug 2000
TL;DR: A new notion concerned with the privacy of keys that provably captures this key-search resistance property is given and a new characterization of AONTs is suggested and established that the resulting all-or-nothing encryption paradigm yields secure encryption modes that also meet this notion of key privacy.
Abstract: We investigate the all-or-nothing encryption paradigm which was introduced by Rivest as a new mode of operation for block ciphers. The paradigm involves composing an all-or-nothing transform (AONT) with an ordinary encryption mode. The goal is to have secure encryption modes with the additional property that exhaustive key-search attacks on them are slowed down by a factor equal to the number of blocks in the ciphertext. We give a new notion concerned with the privacy of keys that provably captures this key-search resistance property. We suggest a new characterization of AONTs and establish that the resulting all-or-nothing encryption paradigm yields secure encryption modes that also meet this notion of key privacy. A consequence of our new characterization is that we get more efficient ways of instantiating the all-or-nothing encryption paradigm. We describe a simple block-cipher-based AONT and prove it secure in the Shannon Model of a block cipher. We also give attacks against alternate paradigms that were believed to have the above key-search resistance property.
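To make the all-or-nothing property tangible, here is an added example (not the paper's own AONT, nor its code) of Rivest's original package transform, the construction the paradigm composes with an ordinary encryption mode. Assumptions: the block cipher E is stood in for by HMAC-SHA256 used as a 32-byte pseudorandom function, the fixed public key K0 is all zeros, and the message is length-prefixed and zero-padded to 32-byte blocks. Each pseudo-message block is masked with E under a throwaway key K', and K' itself is then hidden in a final block that depends on every masked block; losing or corrupting any one pseudo-message block therefore destroys K' and with it every plaintext block.

```python
"""Rivest's package transform, an all-or-nothing transform (added example).
m'_i   = m_i XOR E_{K'}(i)                    for i = 1..n
m'_n+1 = K' XOR h_1 XOR ... XOR h_n,  h_i = E_{K0}(i, m'_i)
Assumption: E is HMAC-SHA256 as a 32-byte PRF; K0 is a fixed public constant.
"""
import hashlib
import hmac
import os
import struct

BLOCK = 32
K0 = bytes(BLOCK)   # fixed, public key used only in the hashing step (assumption)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _prf(key: bytes, *parts: bytes) -> bytes:
    """32-byte pseudorandom function standing in for the block cipher E_key."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def package(msg: bytes, kprime: bytes = None) -> list:
    """Return the pseudo-message blocks m'_1 .. m'_n, m'_{n+1}."""
    kprime = kprime if kprime is not None else os.urandom(BLOCK)
    data = struct.pack(">I", len(msg)) + msg
    data += bytes(-len(data) % BLOCK)                 # zero-pad to a block boundary
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    # mask every block with a keystream derived from the throwaway key K'
    pseudo = [_xor(b, _prf(kprime, struct.pack(">I", i))) for i, b in enumerate(blocks, 1)]
    # the last block hides K' under a digest of all masked blocks
    last = kprime
    for i, b in enumerate(pseudo, 1):
        last = _xor(last, _prf(K0, struct.pack(">I", i), b))
    return pseudo + [last]


def unpackage_raw(pseudo: list) -> bytes:
    """Recover K' from all n+1 blocks, then unmask; returns the padded data."""
    body, last = pseudo[:-1], pseudo[-1]
    kprime = last
    for i, b in enumerate(body, 1):
        kprime = _xor(kprime, _prf(K0, struct.pack(">I", i), b))
    return b"".join(_xor(b, _prf(kprime, struct.pack(">I", i))) for i, b in enumerate(body, 1))


def unpackage(pseudo: list):
    """Return the original message, or None if the length prefix is not plausible."""
    data = unpackage_raw(pseudo)
    n = struct.unpack(">I", data[:4])[0]
    if n > len(data) - 4:
        return None
    return data[4:4 + n]
```

The key-search slowdown follows directly: an attacker trying a candidate key for the outer encryption mode cannot test it on one block of plaintext, because no block of plaintext is recoverable until all n+1 pseudo-message blocks have been decrypted and K' reassembled. The transform is keyless and offers no confidentiality on its own; it must still be followed by encryption under the real key.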

Patent
16 Nov 2000
TL;DR: In this paper, a relational database system for encryption of individual data elements comprising a encryption devices of at least two different types, the types being tamper-proof hardware and software implemented.
Abstract: A relational database system for encryption of individual data elements comprising encryption devices of at least two different types, the types being tamper-proof hardware and software implemented. The encryption processes of the system are of at least two different security levels, differing in the type of encryption device holding the process keys for at least one of the process key categories and also differing in which type of device executes the algorithm of the process. Each data element to be protected is assigned an attribute indicating the usage of an encryption process of a certain security level.

Patent
28 Mar 2000
TL;DR: In this article, a PIN encryption device was proposed to protect the integrity of the encryption keys and algorithms and prevent the discovery of PIN data by tapping the external interfaces of the customer transaction terminal.
Abstract: A system and methods for implementing a low cost and simple PIN encryption device is disclosed. The PIN encryption device may be incorporated into customer transaction terminals, ATMs and PIN pads for use with POS terminals or other transaction devices. The PIN encryption device securely stores PIN encryption keys and PIN encryption algorithms that are used to encrypt user entered PINs on a cryptographic smart card. The system disclosed is a physically secure device that protects the integrity of the encryption keys and algorithms. The system also protects the cryptographic smart card from tampering, and prevents the discovery of PIN data by tapping the external interfaces of the customer transaction terminal.

Book ChapterDOI
03 Dec 2000
TL;DR: An attack on plain ElGamal and plain RSA encryption is presented, showing that without proper preprocessing of the plaintexts, both El Gamal and RSA encryption are fundamentally insecure.
Abstract: We present an attack on plain ElGamal and plain RSA encryption. The attack shows that without proper preprocessing of the plaintexts, both ElGamal and RSA encryption are fundamentally insecure. Namely, when one uses these systems to encrypt a (short) secret key of a symmetric cipher it is often possible to recover the secret key from the ciphertext. Our results demonstrate that preprocessing messages prior to encryption is an essential part of both systems.
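The abstract does not spell out the mechanism, so here is an added example (not the paper's code) of the attack it refers to: a meet-in-the-middle on the multiplicative structure of the plaintext. When a short k-bit symmetric key m is encrypted with unpadded RSA, c = m^e mod N, and m happens to factor as m = m1 · m2 with both factors below about 2^(k/2), then c ≡ m1^e · m2^e, so an attacker tabulates m1^e for every small m1 and checks, for every small m2, whether c · (m2^e)^-1 is in the table. The same splitting works against plain ElGamal, whose second ciphertext component is m · y^r. Everything below is constructed for illustration: the modulus is a product of two 32-bit primes (far too small for real use, chosen so the demonstration runs in a fraction of a second), the "session key" is 24 bits, and the search bound is 2^12.

```python
"""Meet-in-the-middle attack on textbook RSA encrypting a short symmetric key
(added example, not the paper's code).  If m = m1 * m2 with m1, m2 <= bound,
the key is recovered with about 2 * bound modular exponentiations instead of 2^k.
"""

# Constructed toy public key: two known primes, N ~ 2^63.  Real keys are far larger,
# but the attack cost depends on the key being encrypted, not on N.
P = 2147483647          # 2^31 - 1
Q = 4294967291          # 2^32 - 5
N = P * Q
E = 65537


def textbook_rsa_encrypt(m: int) -> int:
    """Plain RSA with no padding: the flaw the paper attacks."""
    assert 0 <= m < N
    return pow(m, E, N)


def split_attack(c: int, bound: int):
    """Recover m from c = m^e mod N when m = m1 * m2 with 1 <= m1, m2 <= bound.

    Returns m, or None if the plaintext does not split within the bound
    (the paper's point is that a large fraction of random short keys do).
    """
    # phase 1: table of m1^e, indexed by value, for every small m1
    table = {pow(m1, E, N): m1 for m1 in range(1, bound + 1)}
    # phase 2: for every small m2 look up c / m2^e; m2 < P so it is invertible mod N
    for m2 in range(1, bound + 1):
        target = (c * pow(m2, -E, N)) % N
        m1 = table.get(target)
        if m1 is not None:
            return m1 * m2          # (m1*m2)^e == m^e and both < N, so m1*m2 == m
    return None


def demo() -> int:
    """Encrypt a constructed 24-bit session key that splits as 3251 * 4001 and recover it."""
    session_key = 3251 * 4001   # both factors below 2^12, so the split attack applies
    return split_attack(textbook_rsa_encrypt(session_key), 1 << 12)
```

A practitioner's takeaway is the one the abstract states: the fix is not a bigger modulus but proper preprocessing of the plaintext before exponentiation, e.g. OAEP for RSA, which destroys the multiplicative relationship the attack exploits. The second assertion in the test shows the failure mode the attack tolerates: a key whose factors are all above the bound is not found and the attacker simply moves on to the next captured ciphertext.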

Journal Article
TL;DR: The authors propose a non-committing encryption scheme that can be based on any public-key system which is secure in the ordinary sense and has an extra property they call simulatability, generalising an earlier scheme of Beaver and improving on the efficiency of the first non-committing encryption scheme of Canetti et al.
Abstract: Non-committing encryption enables the construction of multiparty computation protocols secure against an adaptive adversary in the computational setting where private channels between players are not assumed. While any non-committing encryption scheme must be secure in the ordinary semantic sense, the converse is not necessarily true. We propose a construction of non-committing encryption that can be based on any public-key system which is secure in the ordinary sense and which has an extra property we call simulatability. This generalises an earlier scheme proposed by Beaver based on the Diffie-Hellman problem, and we propose another implementation based on RSA. In a more general setting, our construction can be based on any collection of trapdoor permutations with a certain simulatability property. This offers a considerable efficiency improvement over the first non-committing encryption scheme proposed by Canetti et al. Finally, at some loss of efficiency, our scheme can be based on general collections of trapdoor permutations without the simulatability assumption, and without the common-domain assumption of Canetti et al. In showing this last result, we identify and correct a bug in a key generation protocol from Canetti et al.

Patent
21 Dec 2000
TL;DR: In this article, a secure real-time voice communication system is provided that allows for the secure transmission of voice communications between a sending device 72 and a receiving device 78 through the public switched telephone network.
Abstract: A secure real-time voice communication system 70 is provided that allows for the secure transmission of voice communications between a sending device 72 and a receiving device 78 through the public switched telephone network 76. The device 72 uses an encryption/decryption engine 30 which is capable of executing a number of encryption algorithms, which are selected using an encryption selection table 80. An encryption key can be calculated from a periodic key value and a public variable key value. Further, the encryption algorithm used can be periodically changed during a voice communication session so that multiple encryption techniques can be used within the same communication session.

01 Jan 2000
TL;DR: This paper showed that without proper preprocessing of the plaintexts, both ElGamal and RSA encryption are fundamentally inse- cure and showed that when one uses these systems to encrypt a (short) secret key of a symmetric cipher it is often possible to recover the secret key from the ciphertext.
Abstract: We present an attack on plain ElGamal and plain RSA encryption. The attack shows that without proper preprocessing of the plaintexts, both ElGamal and RSA encryption are fundamentally insecure. Namely, when one uses these systems to encrypt a (short) secret key of a symmetric cipher it is often possible to recover the secret key from the ciphertext. Our results demonstrate that preprocessing messages prior to encryption is an essential part of both systems.

Book ChapterDOI
14 May 2000
TL;DR: This paper considers an optimistic scenario in which users have pairs of public and private keys and give an encryption of their secret key with the public key of a third party, and proposes proofs of fair encryption for El Gamal and RSA keys, using the Paillier cryptosystem.
Abstract: Cryptography is more and more concerned with elaborate protocols involving many participants. In some cases, it is crucial to be sure that players behave fairly especially when they use public key encryption. Accordingly, mechanisms are needed to check the correctness of encrypted data, without compromising secrecy. We consider an optimistic scenario in which users have pairs of public and private keys and give an encryption of their secret key with the public key of a third party. In this setting we wish to provide a publicly verifiable proof that the third party is able to recover the secret key if needed. Our emphasis is on size; we believe that the proof should be of the same length as the original key. In this paper, we propose such proofs of fair encryption for El Gamal and RSA keys, using the Paillier cryptosystem. Our proofs are really efficient since in practical terms they are only a few hundred bytes long. As an application, we design a very simple and efficient key recovery system.

Patent
Ari Singer
03 Nov 2000
TL;DR: A cryptographic device and method of operation for encrypting messages was proposed in this paper, which can be incorporated into a postage metering system to provide cryptographically secured postal indicia.
Abstract: A cryptographic device and method of operation for encrypting messages. The device can be incorporated into a postage metering system to provide cryptographically secured postal indicia. The device and method provide increased security against side-channel attacks such as differential power analysis (DPA). An encryption key is transformed with a first function to generate a temporary key as a function of a random number. A message is encrypted with the temporary key to generate a modified message. The modified message is transformed with a second function to generate an encryption. The encryption generated is identical to a direct encryption of the message with the untransformed key. The temporary key is changed frequently to protect against side-channel attacks.

Patent
28 Sep 2000
TL;DR: In this paper, a method is proposed for updating, in the nodes on both ends of a secure link, the encryption key they share to encrypt and decrypt data; because the next key is derived on both sides from the data already exchanged, key updates never need to be distributed.
Abstract: The invention discloses a method of updating, in nodes on both ends of a secure link, the encryption key they share to encrypt and decrypt data. When data must be transmitted from one of the nodes towards its peer remote node, a database in the forwarding node is first updated from the data to be transmitted. Then encryption is performed and the data transmitted to the peer remote node, while a next-to-use encryption key is derived from the new contents of the database. When received, the data are decrypted with the current value of the encryption key, and the peer remote node's database is updated identically from the received decrypted data, after which a next-to-use encryption key is derived, thereby obtaining in the peer remote node an identical next-to-use key. The database is preferably the dictionary of a data compression/decompression system used simultaneously with encryption/decryption to transmit data over the secure link. While keys are frequently updated for improved security, the invention does not require that key updates actually be distributed.

Proceedings Article
01 Sep 2000
TL;DR: Hardware implementations for Improved Wired Equivalent Privacy (IWEP) and RC4 ("Ron's Cipher #4") encryption algorithms are presented to study the suitability of hardware implementation for these previously software-implemented ciphers.
Abstract: This paper presents hardware implementations for the Improved Wired Equivalent Privacy (IWEP) and RC4 ("Ron's Cipher #4") encryption algorithms. IWEP is a block algorithm providing light-strength encryption. The algorithm has been designed for a new Wireless Local Area Network (WLAN), called TUTWLAN (Tampere University of Technology Wireless Local Area Network). By contrast, RC4, developed by RSA Data Security, Inc., is a powerful stream algorithm used in many commercial products. It is also utilized in the Wired Equivalent Privacy (WEP) standard algorithm for WLANs. The objective of this work has been to study the suitability of hardware implementation for these previously software-implemented ciphers. Hardware is needed to replace software especially in wireless multimedia terminals, in which real-time data processing and limited on-chip memory sizes are key elements. The implementations are made in the Very High Speed Integrated Circuit Hardware Description Language (VHDL) on Xilinx Field Programmable Gate Array (FPGA) chips.


Patent
29 Sep 2000
TL;DR: In this article, a method and apparatus for encrypting transmission traffic at separate protocol layers L1 (220), L2 (210), and L3 (200) so that separate encryption elements (204) can be assigned to separate types of transmission traffic (201, 203, 205), which allows the implementation of different levels of encryption according to service requirements.
Abstract: Method and apparatus for encrypting transmission traffic at separate protocol layers L1 (220), L2 (210), and L3 (200) so that separate encryption elements (204) can be assigned to separate types of transmission traffic (201, 203, 205), which allows the implementation of different levels of encryption according to service requirements. Encryption elements (204) use variable value inputs, called crypto-syncs, along with semi-permanent encryption keys to protect against replay attacks from rogue mobile stations. Since crypto-sync values vary, a method for synchronization and authenticated registration of crypto-syncs is also presented. Crypto-syncs can be built expediently for each different type of traffic frame by using different system resources. In one embodiment, a cyclic redundancy check (CRC) can be used to verify crypto-syncs.

01 Jan 2000
TL;DR: The Data Encryption Standard (DES), which relies on cryptographic design principles that predate public key, is past the end of its useful lifetime and the National Institute of Standards and Technology (NIST)—whose predecessor, the National Bureau of Standards, certified DES—is currently seeking a successor to the algorithm.
Abstract: Fast and hard, that is all that cryptographers have ever wanted: a system that encrypts quickly but is essentially impossible to break. With their reliance on elementary number theory, public-key systems have captured mathematicians' imagination. Public-key algorithms are too slow to be used for most data transmissions, and instead public-key algorithms are used for establishing a key. Then a private-key system does the encryption. Private-key algorithms are typically faster than public-key ones. The workhorse private-key algorithm is the Data Encryption Standard (DES), which relies on cryptographic design principles that predate public key. With the exception of RC4 in Web browsers and relatively insecure cable-TV signal encryption, DES is the most widely used public cryptosystem in the world. DES is the cryptographic algorithm used by banks for electronic funds transfer, DES is used for the protection of civilian satellite communications, and a variant of DES is used for UNIX password protection. Proposed in 1975 and approved in 1977 as a Federal Information Processing Standard, DES was immediately attacked by those who felt that its 56-bit key length was insecure. In spite of such claims, DES remained a strong encryption algorithm until the middle of the 1990s—several times longer than the government had reason to expect. Now, however, DES is past the end of its useful lifetime. In the summer of 1998 DES's insecurity was definitively demonstrated when a $250,000 computer built by the Electronic Frontier Foundation (EFF) decrypted a DES-encoded message in 56 hours. In January 1999 this was improved to 22 hours through a combination of 100,000 networked PCs and the EFF machine. But until a substitute is found, DES remains a de facto standard. The National Institute of Standards and Technology (NIST)—whose predecessor, the National Bureau of Standards, certified DES—is currently seeking a successor to the algorithm.
The Advanced Encryption Standard (AES) will work in three key lengths: 128, 192, and 256 bits. Fifteen candidates were submitted in June 1998 (there were actually twenty-one submissions, but six candidates had not fulfilled NIST's requirements). In August 1999 NIST eliminated ten of the fifteen. The agency is scheduled to pick DES's successor in the summer of 2000. The winning algorithm will be one whose security should stand well into the new century. The publication of DES heralded a new era in cryptography. Academic and industrial researchers had an algorithm available for study that the National Security Agency had …

Patent
07 Jul 2000
TL;DR: In this paper, a plurality of nodes are configured to collect one or more encryption keys generated at each node and to transmit the collected encryption keys to a key archive for storage in a database associated with the key archive.
Abstract: A system archives encryption keys used for encrypting information in a network (105). The system includes a plurality of nodes configured to collect one or more encryption keys generated at each node and to transmit the one or more collected encryption keys to a key archive (110) for storage in a database associated with the key archive (110). The key archive (110) is configured to receive encryption keys transmitted from nodes in the network and to store the encryption keys in a database of the key archive.

Patent
21 Jun 2000
TL;DR: An improved encryption and digital signature system and method in accordance with the invention reuses an encryption ephemeral key pair from an encryption process in a digital signature process, which results in reduced byte size of the digital signature and reduction of costly computation overhead.
Abstract: An improved encryption and digital signature system and method in accordance with the invention reuses an encryption ephemeral key pair from an encryption process in a digital signature process. The reuse of the encryption ephemeral key pair in the digital signature process advantageously results in reduced byte size of the digital signature and reduction of costly computation overhead. In a preferred embodiment, the invention is based on the El Gamal encryption scheme and the Nyberg-Rueppel signature scheme. The present invention is particularly useful for operation in conjunction with small communication devices having limited processing and storage, wherein such devices may communicate via bandwidth sensitive RF links.

Patent
21 Jul 2000
TL;DR: In this paper, a method and apparatus for storing and retrieving program material for subsequent replay is described, which comprises a conditional access module, for accepting encrypted access control information and the program material encrypted according to a first encryption key.
Abstract: A method and apparatus for storing and retrieving program material for subsequent replay is disclosed. The apparatus comprises a conditional access module, for accepting encrypted access control information and the program material encrypted according to a first encryption key, the encrypted access control information including a first encryption key and temporally-variant control data; the conditional access module having a first decryptor module, for decrypting the encrypted access control information to produce the temporally variant control data; a conversion module for modifying the temporally-variant control data to produce temporally-invariant control data; a re-encryptor module, for re-encrypting the decrypted access control information; a second decryptor module for decrypting the re-encrypted access control information to produce the first encryption key; a copy protection encryption module, communicatively coupleable to the conditional access module and a media storage device, the copy protection encryption module for further encrypting the encrypted program material according to a second encryption key and for encrypting the second encryption key according to a third encryption key to produce a fourth encryption key; and a copy protection decryption module, communicatively coupleable to the conditional access module and the media storage device, the copy protection decryption module for decrypting the encrypted fourth encryption key to produce the second encryption key using the third encryption key.

Patent
27 Sep 2000
TL;DR: In this article, a secure memory and processing system for use in various types of communication devices is described. The system provides for the encryption and storage of sensitive data in a storage medium external to the secure processing system, using a laser-scribed encryption key coupled to encryption logic circuitry within the secure memory.
Abstract: A secure memory and processing system is disclosed for use in various types of communication devices. The secure processing system provides for the encryption and storage of sensitive data in a storage medium external to the secure processing system. The encrypted data is decrypted with encryption logic circuitry within the secure memory and transferred to a zeroizable memory for use by a host processor. The secure memory uses a laser-scribed encryption key coupled to encryption logic circuitry within the secure memory for encrypting and decrypting the sensitive information.

Book ChapterDOI
10 Jul 2000
TL;DR: A length-saving ElGamal encryption variant whose security is based on CDH-A is proposed and its security is analysed in the random oracle model; the scheme provides a shorter ciphertext than Pointcheval's scheme and is provably secure against chosen-ciphertext attack.
Abstract: The design of secure and efficient public key encryption schemes under weaker computational assumptions has been regarded as an important and challenging task. As far as ElGamal-type encryption is concerned, some variants of the original ElGamal encryption scheme whose security depends on a weaker computational assumption have been proposed: although the security of the original ElGamal encryption is based on the decisional Diffie-Hellman assumption (DDH-A), the security of a recent scheme, such as Pointcheval's ElGamal encryption variant, is based on the weaker assumption, the computational Diffie-Hellman assumption (CDH-A). In this paper, we propose a length-saving ElGamal encryption variant whose security is based on CDH-A and analyze its security in the random oracle model. The proposed scheme is length-efficient, providing a shorter ciphertext than that of Pointcheval's scheme, and is provably secure against the chosen-ciphertext attack.