
Showing papers on "Cipher published in 2000"


Book ChapterDOI
14 May 2000
TL;DR: This paper finds very efficient known- and chosen-text attacks on generic Feistel ciphers with a periodic key-schedule with four independent subkeys, and is able to break a DES variant proposed in [2] using just 128 chosen texts and negligible time for the analysis.
Abstract: Recently a powerful cryptanalytic tool, the slide attack, was introduced [3]. Slide attacks are very successful in breaking iterative ciphers with a high degree of self-similarity and, even more surprisingly, are independent of the number of rounds of a cipher. In this paper we extend the applicability of slide attacks to a larger class of ciphers. We find very efficient known- and chosen-text attacks on generic Feistel ciphers with a periodic key-schedule with four independent subkeys, and consequently we are able to break a DES variant proposed in [2] using just 128 chosen texts and negligible time for the analysis (for one out of every 2^16 keys). We also describe known-plaintext attacks on DESX and Even-Mansour schemes with the same complexity as the best previously known chosen-plaintext attacks on these ciphers. Finally, we provide new insight into the design of GOST by successfully analyzing a 20-round variant (GOST⊕) and demonstrating weak key classes for all 32 rounds.

272 citations


Book ChapterDOI
03 Dec 2000
TL;DR: This work investigates the following approach to symmetric encryption: first encode the message via some keyless transform, and then encipher the encoded message, meaning apply a permutation F_K based on a shared key K.
Abstract: We investigate the following approach to symmetric encryption: first encode the message via some keyless transform, and then encipher the encoded message, meaning apply a permutation F_K based on a shared key K. We provide conditions on the encoding functions and the cipher which ensure that the resulting encryption scheme meets strong privacy (e.g. semantic security) and/or authenticity goals. The encoding can either be implemented in a simple way (e.g. prepend a counter and append a checksum) or viewed as modeling existing redundancy or entropy already present in the messages, whereby encode-then-encipher encryption provides a way to exploit structured message spaces to achieve compact ciphertexts.

219 citations


Journal Article
TL;DR: The block cipher Rijndael, which is one of the fifteen candidate algorithms for the Advanced Encryption Standard (AES), is presented and it is shown that the cipher can be implemented very efficiently on Smart Cards.
Abstract: In this paper we present the block cipher Rijndael, which is one of the fifteen candidate algorithms for the Advanced Encryption Standard (AES). We show that the cipher can be implemented very efficiently on Smart Cards.

197 citations


Proceedings ArticleDOI
10 Sep 2000
TL;DR: A new fragile watermark for image authentication is proposed based on the Yeung-Mintzer scheme, which uses a block cipher instead of binary look-up tables to embed image indices into disjoint blocks of every image.
Abstract: We propose a new fragile watermark for image authentication. Based on the Yeung-Mintzer (see Proc. ICIP'97, Santa Barbara, California, 1997) scheme, the new watermark does not have certain security gaps common to many previously proposed fragile watermarks. A block cipher is used instead of binary look-up tables. Pixel values are perturbed by small quantities so that the cipher maps small pixel neighborhoods to a fixed binary logo. This process is further modified in order to embed image indices (time stamps) into disjoint blocks of every image. This is necessary for detection of collages from multiple authenticated images. We also formulate basic security requirements and investigate the security of the new scheme.

173 citations


Book ChapterDOI
10 Dec 2000
TL;DR: A5/1 is the stream cipher used in most European countries to ensure privacy of conversations on GSM mobile phones; the attack on it described here is the best known result with respect to total work complexity.
Abstract: A5/1 is the stream cipher used in most European countries in order to ensure privacy of conversations on GSM mobile phones. In this paper we describe an attack on this cipher with total work complexity 2^39.91 A5/1 clockings, given 2^20.8 bits of known plaintext. This is the best known result with respect to the total work complexity.

160 citations


Journal ArticleDOI
TL;DR: It is claimed that one can feasibly encode the low-level properties of state-of-the-art cryptographic algorithms as SAT problems and then use efficient automated theorem-proving systems and SAT-solvers for reasoning about them, and call this approach logical cryptanalysis.
Abstract: Cryptographic algorithms play a key role in computer security and the formal analysis of their robustness is of utmost importance. Yet, logic and automated reasoning tools are seldom used in the analysis of a cipher, and thus one cannot often get the desired formal assurance that the cipher is free from unwanted properties that may weaken its strength. In this paper, we claim that one can feasibly encode the low-level properties of state-of-the-art cryptographic algorithms as SAT problems and then use efficient automated theorem-proving systems and SAT-solvers for reasoning about them. We call this approach logical cryptanalysis. In this framework, for instance, finding a model for a formula encoding an algorithm is equivalent to finding a key with a cryptanalytic attack. Other important properties, such as cipher integrity or algebraic closure, can also be captured as SAT problems or as quantified boolean formulae. SAT benchmarks based on the encoding of cryptographic algorithms can be used to effectively combine features of "real-world" problems and randomly generated problems. Here we present a case study on the U.S. Data Encryption Standard (DES) and show how to obtain a manageable encoding of its properties. We have also tested three SAT provers, TABLEAU by Crawford and Auton, SATO by Zhang, and rel-SAT by Bayardo and Schrag, on the encoding of DES, and we discuss the reasons behind their different performance. A discussion of open problems and future research concludes the paper.

142 citations


01 Jan 2000
TL;DR: A new word-oriented stream cipher, called SNOW, is proposed, consisting of a linear feedback shift register feeding a finite state machine; the fastest C implementation requires under 1 clock cycle per running key bit.
Abstract: In this paper a new word-oriented stream cipher, called SNOW, is proposed. The design of the cipher is quite simple, consisting of a linear feedback shift register feeding a finite state machine. The design goals of producing a stream cipher significantly faster than AES, with significantly lower implementation costs in hardware, and a security level similar to AES are currently met. Our fastest C implementation requires under 1 clock cycle per running key bit. The best attacks are generic attacks like an exhaustive key search attack.

135 citations


Journal ArticleDOI
12 Nov 2000
TL;DR: This paper introduces new instructions to improve the performance of symmetric key cipher algorithms, and analyses of the original and optimized algorithms suggest future directions for the design of high-performance programmable cryptographic processors.
Abstract: The emergence of the Internet as a trusted medium for commerce and communication has made cryptography an essential component of modern information systems. Cryptography provides the mechanisms necessary to implement accountability, accuracy, and confidentiality in communication. As demands for secure communication bandwidth grow, efficient cryptographic processing will become increasingly vital to good system performance. In this paper, we explore techniques to improve the performance of symmetric key cipher algorithms. Eight popular strong encryption algorithms are examined in detail. Analysis reveals the algorithms are computationally complex and contain little parallelism. Overall throughput on a high-end microprocessor is quite poor: a 600 MHz processor is incapable of saturating a T3 communication line with 3DES (triple DES) encrypted data. We introduce new instructions that improve the efficiency of the analyzed algorithms. Our approach adds instruction set support for fast substitutions, general permutations, rotates, and modular arithmetic. Performance analysis of the optimized ciphers shows an overall speedup of 59% over a baseline machine with rotate instructions and 74% speedup over a baseline without rotates. Even higher speedups are demonstrated with optimized substitutions (SBOXes) and additional functional unit resources. Our analyses of the original and optimized algorithms suggest future directions for the design of high-performance programmable cryptographic processors.

133 citations


Book ChapterDOI
10 Apr 2000
TL;DR: Mercy is a new block cipher accepting large blocks, which uses a key-dependent state machine to build a bijective F function for a Feistel cipher and achieves 9 cycles/byte on a Pentium-compatible processor.
Abstract: We discuss the special requirements imposed on the underlying cipher of systems which encrypt each sector of a disk partition independently, and demonstrate a certificational weakness in some existing block ciphers including Bellare and Rogaway's 1999 proposal, proposing a new quantitative measure of avalanche. To address these needs, we present Mercy, a new block cipher accepting large (4096-bit) blocks, which uses a key-dependent state machine to build a bijective F function for a Feistel cipher. Mercy achieves 9 cycles/byte on a Pentium-compatible processor.

87 citations


Patent
14 Nov 2000
TL;DR: In this paper, a method of dynamic password authentication is proposed, in which a password generator applies a segmentation on its dynamic variable, according to predetermined segment length and positions, to produce a segment initial value and an offset for the dynamic variable.
Abstract: A method of dynamic password authentication used in an authentication system, in which a password generator applies a segmentation to its dynamic variable, according to a predetermined segment length and positions, to produce a segment initial value and an offset for the dynamic variable. An encryption process applied to the secret cryptographic key, segment initial value and offset produces a first dynamic cipher. Another encryption process applied to the secret cryptographic key, dynamic variable, etc. produces a second dynamic cipher. The first dynamic cipher and second dynamic cipher are then combined to produce a dynamic password. When a password undergoes verification executed by the verifier, the verifier applies the appropriate inverse processing. The present method enables the dynamic password generated by the generator to transmit synchronization information implicitly to the verifier, which improves security in the generation of a dynamic password and efficiency in password verification. Generator manufacturing costs may therefore be reduced.

65 citations


Patent
Myles Kimmitt
25 Jul 2000
TL;DR: In this article, a method and apparatus for encoding and decoding data is presented, where ECC is provided both on data and control bits to permit error correction on either the data or control information.
Abstract: A method and apparatus for encoding and decoding data. A primary data channel comprising a parallel data word has a bit of a secondary data channel associated with the parallel data word. ECC bits are generated based upon the parallel data word and the monitor bit, and the ECC bits are appended to the data comprising the primary and secondary channel data to form an extended width parallel word. The extended width parallel data word is divided into a plurality of lesser width data words which are each scrambled using a respective side scrambler to form respective cipher data words. An ECC control bit and a parity bit are generated for each channel and associated with the cipher data words to form extended cipher data words. The cipher data words are serialized and transmitted over a serial link. The received serial data is deserialized, word framed and word aligned across the respective channels, and descrambled to obtain the data contained in the primary and secondary data channels. ECC is provided both on data and control bits to permit error correction on either the data or control information.

Proceedings Article
01 Sep 2000
TL;DR: Hardware implementations for Improved Wired Equivalent Privacy (IWEP) and RC4 ("Ron's Cipher #4") encryption algorithms are presented to study the suitability of hardware implementation for these previously software-implemented ciphers.
Abstract: This paper presents hardware implementations for Improved Wired Equivalent Privacy (IWEP) and RC4 ("Ron's Cipher #4") encryption algorithms. IWEP is a block algorithm providing light-strength encryption. The algorithm has been designed for a new Wireless Local Area Network (WLAN), called TUTWLAN (Tampere University of Technology Wireless Local Area Network). By contrast, RC4, developed by RSA Data Security, Inc., is a powerful stream algorithm used in many commercial products. It is also utilized in the Wired Equivalent Privacy (WEP) standard algorithm for WLANs. The objective of this work has been to study the suitability of hardware implementation for these previously software-implemented ciphers. Hardware is needed to replace software especially in wireless multimedia terminals, in which real-time data processing and limited on-chip memory sizes are key elements. The implementations are made in Very high-speed integrated circuit Hardware Description Language (VHDL) on Xilinx Field Programmable Gate Array (FPGA) chips.

Patent
07 Apr 2000
TL;DR: In this article, the group key pair (a-0, b-0) is derived from n-0 = p-0*q-0 and its Euler's function phi(n-0), and each receiver's secret key is derived from the group secret key as b-i = b-0 + k-i×phi(n-0).
Abstract: PROBLEM TO BE SOLVED: To enable the cryptanalysis of both a ciphertext sent to the entire group and a ciphertext addressed to the receivers themselves to be performed with one secret key by each of the respective receivers, by having the respective secret keys derived from the secret key of the group held by the respective receivers. SOLUTION: In the case of cipher level 0, i.e., transmission to the entire group, an integer n-0 satisfying n-0=p-0*q-0 is determined with respect to arbitrary integers p-0 and q-0 (S1) and its Euler's function is put as phi(n-0). Then a-0*b-0=b-0=1 (mod phi(n-0)) is determined (S2) and the integers a-0 and b-0 are respectively determined as the public key and secret key of cipher level 0. In the case of cipher level (i), to be sent only to receiver (i), the integer n-i satisfying n-i=p-i*q-i is determined with respect to arbitrary integers p-i and q-i (S6). An intrinsic integer is formed by using random numbers, etc., and this integer is determined as k-i. The secret key b-i of receiver (i) is determined from b-i=b-0+k-i×phi(n-0) (S7).

Journal Article
TL;DR: In this paper, a new 96-bit block cipher called BKSQ is presented, which can be implemented efficiently on a wide range of processors (including smartcards) and in hardware.
Abstract: In this paper we present a new 96-bit block cipher called BKSQ. The cipher can be implemented efficiently on a wide range of processors (including smartcards) and in hardware.

Patent
29 Nov 2000
TL;DR: In this paper, the authors propose a data terminal device capable of ripping contents data in response to regularity in the usage rules of the contents data, using a watermark detection means and a watermark decision means.
Abstract: PROBLEM TO BE SOLVED: To provide a data terminal device capable of ripping contents data in response to regularity in the usage rules of contents data. SOLUTION: A watermark detection means 5400 detects a watermark from music data, and a watermark decision means 5401 decides whether the usage rule of the detected watermark has any regularity. A license generation means 5403 generates a license according to the regularity in the usage rules for the watermark. A remark means 5402 replaces the watermark with one whose copying condition for the music data is changed according to the regularity in the usage rules for the watermark. A music encoder 5404 encodes music data from the remark means 5402 according to a prescribed method. A cipher means 5405 encrypts music data from the music encoder 5404 with the license key generated at the license generation means 5403.

Journal ArticleDOI
TL;DR: A new chaos based cryptosystem is proposed to transmit digital information signal by using the conventional synchronization approach with cascaded heterogeneous chaotic systems and the quality of the recovered signal is higher and the encoding is potentially secure.

Patent
19 May 2000
TL;DR: In this paper, the operating and other procedures of an optical disk application system of the type for which a network is used are simplified by using the IDs to release the soft ciphers, using the cipher keys when sending the ciphers, and using the decoding keys when receiving the ciphers.
Abstract: The operating and other procedures of an optical disk application system of the type for which a network is used are simplified. Optical disks have auxiliary data recording areas, where different IDs for individual disks, and/or cipher keys and/or decoding keys for ciphers, are recorded in advance in a factory. By using the IDs to release the soft ciphers, using the cipher keys when sending the ciphers, and using the decoding keys when receiving the ciphers, user authorization procedures are simplified.

Patent
29 Dec 2000
TL;DR: In this paper, the authors proposed an encoding of synchronization information in the transmitted streamed data so that the receiver and transmitter may synchronize their internal cipher states using a random number generator at the transmitter as well as one-way cryptographic hash functions, and streaming cipher algorithms at both the transmitter and the receiver subsystem.
Abstract: This invention provides for the encoding of synchronization information in the transmitted streamed data so that the receiver and transmitter may synchronize their internal cipher states. It uses a random number generator at the transmitter subsystem as well as one-way cryptographic hash functions, and streaming cipher algorithms at both the transmitter subsystem and the receiver subsystem. The output of the random number generator at the transmitter is included in the transmitted data packet, and data in the packet is encrypted using a key derived from this same output value. Since this derivation is carried out using a number of encryption steps, such as a one-way hash function and a streaming cipher algorithm, to produce a key that is then used to encrypt the data before it is transmitted, the transmitted value is of little use in decrypting the message. Thus, each packet now contains the information needed for the intended receiver to generate the correct unique decryption key, and every packet effectively resynchronizes the encryption functions.

Proceedings ArticleDOI
01 Jan 2000
TL;DR: All relevant roaming and handover cases between 2G and 3G networks are identified, and the solution for handling the cipher and integrity keys in these cases developed by the 3GPP security group, which is the relevant standardisation body, is described.
Abstract: Interoperation of 2G and 3G networks will be an important issue when both kinds of networks exist in parallel and need to interwork with each other. Among other things, this implies that 2G subscribers should be able to access 3G networks by means of a 2G SIM card and a dual-mode handset. However, it is well known that 3G networks will offer their users an increased level of security when compared to 2G networks. For example, in 3G networks there will be mutual authentication between user and network as well as integrity protection of signalling commands on the air interface, with an associated 128-bit integrity key. Also the 3G cipher key will be 128 bits long, as opposed to the 2G cipher key of 64 bits. The paper concentrates on the security aspects of 2G and 3G interworking. We identify all relevant roaming and handover cases between 2G and 3G networks and describe the solution for handling the cipher and integrity keys in these cases developed by the 3GPP security group, which is the relevant standardisation body. The guiding principle was to provide 3G security to 3G users whenever possible. The solution is assessed with respect to the security it offers and the signalling load it causes.

Patent
28 Dec 2000
TL;DR: In this paper, the contents of a vehicle basic function control program stored in a flash memory 80 are updated by a decoding circuit 90 and a rewriting circuit 92 based on fetched cipher data.
Abstract: PROBLEM TO BE SOLVED: To update the contents of a vehicle basic function control program without performing the overall or partial exchange of an onboard computer that executes the vehicle basic function control program. SOLUTION: Cipher data necessary for updating a vehicle basic function control program are fetched by a data fetching part 100 from radio waves transmitted by a server 30 of a vehicle dealer. The contents of the vehicle basic function control program are updated in a flash memory 80, in which the vehicle basic function control program is stored, by a decoding circuit 90 and a rewriting circuit 92 based on the fetched cipher data.

Journal Article
TL;DR: It is shown how a well-balanced trade-off between a generic workstation and dumb but fast reconfigurable hardware can lead to a more efficient implementation of a cryptanalysis than a full hardware or a full software implementation.
Abstract: This paper shows how a well-balanced trade-off between a generic workstation and dumb but fast reconfigurable hardware can lead to a more efficient implementation of a cryptanalysis than a full hardware or a full software implementation. A realistic cryptanalysis of the A5/1 GSM stream cipher is presented as an illustration of such a trade-off. We mention that our cryptanalysis requires only a minimal amount of cipher output and cannot be compared to the attack recently announced by Alex Biryukov, Adi Shamir and David Wagner [2].

Patent
06 Oct 2000
TL;DR: In this article, a key length selection section retrieves an encryption algorithm and encryption key from an encryption key registration table, using as keys a recipient ID entered into a recipient entry section 301 and converted into a network class, together with importance information entered into a communication message importance entry section 302; an encryption processing section 305 encrypts the message with them, and when the retrieval shows that no encryption algorithm exists in the table, the message is transmitted as a plain message without being encrypted.
Abstract: PROBLEM TO BE SOLVED: To relieve the load of a sender and to save computer resources by allowing a user of cipher communication to select an optimum encryption algorithm while keeping the security of the cipher communication under a network computing environment. SOLUTION: A key length selection section 303 retrieves an encryption algorithm and an encryption key from an encryption key registration table 304, using as keys a recipient ID entered into a recipient entry section 301 and converted into a network class, together with importance information entered into a communication message importance entry section 302. When the result of retrieval shows that the encryption algorithm and encryption key exist, an encryption processing section 305 encrypts the message with them and a message transmission section 306 transmits the encrypted message via a communication channel. When the result of retrieval shows they do not exist in the table, the message is transmitted as a plain message without being encrypted.

Book ChapterDOI
01 Jan 2000
TL;DR: A discussion of general crypto systems and the differences between classical systems and public key systems, followed by an informal but fairly rigorous introduction to the division algorithm, divisibility properties, greatest common divisors, the Euclidean algorithm, modular arithmetic, the repeated squaring algorithm, and, as a corollary, Fermat's Little Theorem.
Abstract: The RSA (Rivest, Shamir, Adleman) cipher algorithm has captured the imagination of many mathematicians by its elegance and basic simplicity ever since it was introduced in 1978. Numerous descriptions of the algorithm have been published. Readers with a knowledge of a little basic number theory will find the original paper [RSA] by the inventors of the algorithm, Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman, quite readable. Perhaps the most famous description is Martin Gardner's expository article [G], which is written for readers of Scientific American. Martin E. Hellman [H] wrote another good Scientific American article describing the RSA algorithm and the knapsack cipher algorithm. The goal of this paper is to lead the reader who has some mathematical maturity but no knowledge of number theory, say a first year calculus student, a clever high school student, or an interested engineer, through the basic results needed to understand the RSA algorithm. The prerequisites are only a knowledge of the elementary school arithmetic of the integers, high school algebra, some familiarity with the notions of sets and of functions, and, most importantly, a real desire to understand how the RSA algorithm works. We begin with a discussion of general crypto systems and the differences between classical systems and public key systems. Then the treatment will give an informal but fairly rigorous introduction to the division algorithm, divisibility properties, greatest common divisors, the Euclidean algorithm, modular arithmetic, the repeated squaring algorithm for b^a (mod m), time estimates for these algorithms, Euler's totient function, Euler's Theorem, and, as a corollary, Fermat's Little Theorem.

Patent
12 Dec 2000
TL;DR: In this paper, the authors propose a means of preventing a secret key from leaking and a means of reallocating the computer resources of an information server device according to the processing load of cipher communication and non-cipher communication, while avoiding a decrease in the response speed of the information server due to cipher processing.
Abstract: PROBLEM TO BE SOLVED: To provide a means for preventing a secret key from leaking and a means for reallocating the computer resources of an information server device according to the processing load of cipher communication and non-cipher communication, while avoiding a decrease in the response speed of the information server device due to cipher processing. SOLUTION: A normal OS, which logically divides the computer resources of the information server device and administers the transmission and reception of information, and a secure OS, which administers a function of deciphering a ciphertext ciphered with an open key at the request of the normal OS, are placed in operation. Further, the device is provided with a means which measures information on the CPU use rates and memory use rates of the secure OS and normal OS, informs a system administrator of the computer resource use state of the information server device when a set threshold is exceeded, and allows the informed system administrator to reallocate the computer resources of the information server device.

Proceedings ArticleDOI
28 May 2000
TL;DR: A new hardware design is proposed for the DES cipher to resist DFA by adding some protection circuitry, so that all the unidirectional faults induced into the registers of a DES chip can be detected and the cryptosystem alerted immediately.
Abstract: In the past 20 years, DES has been the most widely used symmetric block cipher for information security. Recently, a novel method called Differential Fault Analysis (DFA) has been proposed to attack DES. Under the assumption that the attacker can induce errors into the cipher device, the key of DES can be unveiled easily. The assumed technique is not mature today, but is likely to appear in the near future, especially for attacking a tamper resistant device with an embedded DES VLSI chip. In this paper, we propose a new hardware design for the DES cipher to resist DFA. By adding some protection circuitry, all the unidirectional faults induced into the registers of a DES chip can be detected, and the cryptosystem is then alerted immediately. A hardware emulation experiment using Altera's CPLD chip shows the effectiveness of the protection design.

Patent
31 May 2000
TL;DR: In this article, the authors propose using session keys, generated from secret information corresponding to the machine sort number of a terminal connected to a network, to maintain high secrecy and reduce the processing load for ciphering/deciphering.
Abstract: PROBLEM TO BE SOLVED: To make a terminal connected to a network certifiable by a method capable of maintaining high secrecy and reducing the processing load for ciphering/deciphering. SOLUTION: A 1st common key (session key B) is generated by using secret information corresponding to the machine sort number of the terminal and used for ciphering the machine number of the terminal, and a 2nd common key (session key D) is generated by using secret information corresponding to the machine number and used for collation. Since the common key for safely transmitting the machine number is generated from the secret information corresponding to the machine sort number, high secrecy can be maintained. In addition, the connection of a terminal of other than the specific machine sort to a server can be excluded.

Patent
14 Jan 2000
TL;DR: In this article, the problem of quickly retrieving a specific file from plural ciphered files stored in a storage device is solved by ciphering the retrieving character string, referring to an access key coincident with it, and retrieving the file name corresponding to that access key.
Abstract: PROBLEM TO BE SOLVED: To quickly retrieve a specific file from plural ciphered files stored in a storage device by using a ciphered access key. SOLUTION: The retrieving device is constituted of an input part 2 for inputting a retrieving character string, various instructions, etc.; a storage part 5 for storing plural previously ciphered file data; a decoding processing part 7 for decoding ciphered file data with a previously prepared cipher key; an extraction processing part 6 for extracting plural keywords and file names related to the decoded file data from the file data; a ciphering processing part 8 for ciphering the plural extracted keywords; a storing processing part 9 for storing the ciphered keywords in the storage part 5 as access keys; and a retrieving processing part 10 for having the processing part 8 cipher the retrieving character string inputted to the input part 2, referring to an access key coincident with the ciphered retrieving character string and retrieving the file name corresponding to the access key.

Patent
05 Sep 2000
TL;DR: In this article, the authors propose an encryption/decryption scheme in which, by introducing error correcting encoding, an ordinary sentence does not correspond one-to-one to a cipher and conventional cryptanalysis cannot be applied.
Abstract: PROBLEM TO BE SOLVED: To provide an encrypting method and a decrypting method and their equipment which enable powerful encrypting/decrypting operation wherein an ordinary sentence does not correspond one-to-one to a cipher and conventional cryptanalysis cannot be applied, by introducing error correcting encoding. SOLUTION: Error correcting encoding processing is performed on the ordinary sentence with error correcting encoding processing equipment 11. Bit errors are generated at random with random bit error generating equipment 13 in the error correcting encoded data, within the correction capability of the error correcting code. The data in which bit errors have been generated are encrypted with encrypting processing equipment 15, and the cipher is formed. The cipher is decrypted with decrypting processing equipment 21. The decrypted sentence is subjected to error correcting processing with error correcting encoding processing equipment, thereby recovering the ordinary sentence.

Posted Content
TL;DR: Saturation attacks on reduced-round variants of the Twofish block cipher with up to seven rounds with full whitening or eight rounds without whitening at the end (i.e., half of the cipher) are introduced in this article.
Abstract: This paper introduces the notion of a saturation attack. Consider a permutation p over w-bit words. If p is applied to all 2^w disjoint words, the set of outputs is exactly the same as the set of inputs. A saturation attack exploits this fact. The current paper applies saturation attacks to reduced-round variants of the Twofish block cipher with up to seven rounds with full whitening or eight rounds without whitening at the end (i.e., half of the cipher). The attacks take up to 2^127 chosen plaintexts (half of the codebook) and are 2-4 times faster than exhaustive search. The attacks are based on key-independent distinguishers for up to six rounds of Twofish, making extensive use of saturation properties.