Showing papers on "Ciphertext published in 1998"


Book Chapter
31 May 1998
TL;DR: In this paper, the authors proposed a probabilistic public-key cryptosystem which is provably secure under the p-subgroup assumption, which is comparable to the quadratic residue and higher degree residue assumptions.
Abstract: This paper proposes a novel public-key cryptosystem, which is practical, provably secure and has some other interesting properties as follows: 1. Its trapdoor technique is essentially different from any other previous schemes including RSA-Rabin and Diffie-Hellman. 2. It is a probabilistic encryption scheme. 3. It can be proven to be as secure as the intractability of factoring $n = p^2 q$ (in the sense of the security of the whole plaintext) against passive adversaries. 4. It is semantically secure under the p-subgroup assumption, which is comparable to the quadratic residue and higher degree residue assumptions. 5. Under the most practical environment, the encryption and decryption speeds of our scheme are comparable to (around twice slower than) those of elliptic curve cryptosystems. 6. It has a homomorphic property: $E(m_0, r_0) E(m_1, r_1) \bmod n = E(m_0 + m_1, r_2)$, where $E(m, r)$ means a ciphertext of plaintext $m$ as randomized by $r$ and $m_0 + m_1 < p$. 7. Anyone can change a ciphertext, $C = E(m, r)$, into another ciphertext, $C' = C h^{r'} \bmod n$, while preserving plaintext of $C$ (i.e., $C' = E(m, r'')$), and the relationship between $C$ and $C'$ can be concealed.

740 citations


Book Chapter
Daniel Bleichenbacher
23 Aug 1998
TL;DR: A new adaptive chosen ciphertext attack against certain protocols based on RSA is introduced, applicable if the attacker has access to an oracle that returns only one bit telling whether the ciphertext corresponds to some unknown block of data encrypted using PKCS #1.
Abstract: This paper introduces a new adaptive chosen ciphertext attack against certain protocols based on RSA. We show that an RSA private-key operation can be performed if the attacker has access to an oracle that, for any chosen ciphertext, returns only one bit telling whether the ciphertext corresponds to some unknown block of data encrypted using PKCS #1. An example of a protocol susceptible to our attack is SSL V.3.0.

658 citations


Patent
15 Jun 1998
TL;DR: A plaintext message to be encrypted is segmented into a number of words, and an integer multiplication function is applied to a subset of the words, e.g., to the two words in registers B and D as mentioned in this paper.
Abstract: A plaintext message to be encrypted is segmented into a number of words, e.g., four words stored in registers A, B, C and D, and an integer multiplication function is applied to a subset of the words, e.g., to the two words in registers B and D. The integer multiplication function may be a quadratic function of the form ƒ(x)=x(ax+b) or other suitable function such as a higher-order polynomial. The results of the integer multiplication function are rotated by lg w bits, where lg denotes log base 2 and w is the number of bits in a given word, to generate a pair of intermediate results t and u. An exclusive-or of another word, e.g., the word in register A, and one of the intermediate results, e.g., t, is rotated by an amount determined by the other intermediate result u. Similarly, an exclusive-or of the remaining word in register D and the intermediate result u is rotated by an amount determined by the other intermediate result t. An element of a secret key array is applied to each of these rotation results, and the register contents are then transposed. This process is repeated for a designated number of rounds to generate a ciphertext message. Pre-whitening and post-whitening operations may be included to ensure that the input or output does not reveal any internal information about any encryption round. Corresponding decryption operations may be used to decrypt the ciphertext message.

147 citations


Patent
05 Oct 1998
TL;DR: A full duplex DES cipher processor (DCP) as mentioned in this paper supports sixteen rounds of data encryption standard (DES) operation in four encryption modes and four decryption modes, namely: Electronic Code Book (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), and Output Feedback (OFB) mode for both encryption and decryption.
Abstract: A full duplex DES cipher processor (DCP) supports to execute sixteen rounds of data encryption standard (DES) operation in four encryption modes and four decryption modes, namely: Electronic Code Book (ECB) mode, Cipher Block Chaining (CBC) mode, Cipher Feedback (CFB) mode, and Output Feedback (OFB) mode for both encryption and decryption. A DCP is composed of an I/O unit, an IV/key storage unit, a control unit, and an algorithm unit. The algorithm unit is used to encrypt/decrypt the incoming text message. The algorithm unit having a crypto engine allows encryption and decryption performed alternately, by sharing the same crypto engine. Since for crypto applications in communication services like T1, E1, V.35, the algorithm unit operation time is much shorter than the data I/O time; in other words, the algorithm unit is in the idle state mostly. The full duplex operation is achieved by storing the interim results of the DES encryption operation in a cipher text buffer (CTB) and the decryption results in a plain text buffer (PTB), where the CTB and PTB are in the crypto engine. The full duplex DCP has two ports, one for encrypting and the other for decrypting. In addition, the DCP can also be used for single port simplex or dual port simplex applications.

81 citations


Patent
13 Jul 1998
TL;DR: In this paper, a preset master key is used to obtain a set of round subkeys, and each of the plaintext data blocks is encrypted by using the master key and combining the encrypted blocks.
Abstract: In order to encrypt plaintext data while maintaining high security, the plaintext data is received and divided into a plurality of plaintext data blocks, each of which has the same bit length. A preset master key is used to obtain a set of round subkeys, and each of the plaintext data blocks is encrypted by using the preset master key and combining the encrypted blocks to thereby provide ciphertext data having a bit length which is identical to that of the plaintext data.

80 citations


Book Chapter
23 Aug 1998
TL;DR: Using recent results from coding theory, it is shown how to break block ciphers operating on GF(q) where the ciphertext is expressible as evaluations of an unknown univariate polynomial of low degree m over the plaintext with a typically low but non-negligible, probability μ.
Abstract: Using recent results from coding theory, it is shown how to break block ciphers operating on GF(q) where the ciphertext is expressible as evaluations of an unknown univariate polynomial of low degree m over the plaintext with a typically low but non-negligible, probability μ. The method employed is essentially Sudan's algorithm for decoding Reed-Solomon codes beyond the error-correction diameter. The known-plaintext attack needs $n = 2m/\mu^2$ plaintext/ciphertext pairs and the running time is polynomial in n. Furthermore, it is shown how to discover more general non-linear relations $p(x, y) = 0$ between plaintext x and ciphertext y that hold with small probability μ. The second attack needs access to $n = (2m/\mu)^2$ plaintext/ciphertext pairs where $m = \deg p$ and its running time is also polynomial in n. As a demonstration, we break up to 10 rounds of a cipher constructed by Nyberg and Knudsen provably secure against differential and linear cryptanalysis.

73 citations


Journal Article
TL;DR: In this paper, a new adaptive chosen ciphertext attack against certain protocols based on RSA is introduced, where the attacker has access to an oracle that returns only one bit telling whether the ciphertext corresponds to some unknown block of data encrypted using PKCS #1.
Abstract: This paper introduces a new adaptive chosen ciphertext attack against certain protocols based on RSA. We show that an RSA private-key operation can be performed if the attacker has access to an oracle that, for any chosen ciphertext, returns only one bit telling whether the ciphertext corresponds to some unknown block of data encrypted using PKCS #1. An example of a protocol susceptible to our attack is SSL V.3.0.

73 citations


Patent
20 Apr 1998
TL;DR: In this paper, an intermediate stream is used to provide fast and extremely secure encryption and decryption but also assures integrity of a ciphertext message, which is called message authentication code (MAC).
Abstract: A cryptographic technique that not only provides fast and extremely secure encryption and decryption but also assures integrity of a ciphertext message. This technique involves, during message encryption: generating, in response to an incoming plaintext message, an intermediate stream—such as by chaining the message, wherein a predefined portion of the intermediate stream defines a message authentication code (MAC); inserting an encrypted version of the MAC into a predefined portion of a ciphertext message; and generating, in response to the intermediate stream and the encrypted MAC, a remainder of the ciphertext message such that the remainder exhibits a predefined variation, e.g., a pseudo-random sequence, also contained within the encrypted MAC. Decryption proceeds in essentially a reverse fashion. By extending the sequence across the remainder of the ciphertext, any subsequent change to the ciphertext would likely destroy the continuity of the sequence otherwise residing throughout the remainder of the ciphertext. During decryption, any violation to the integrity of the ciphertext can be readily detected by decrypting the MAC contained in the ciphertext and comparing it, for any discrepancies, against a MAC generated from recovered plaintext.

60 citations


Patent
17 Dec 1998
TL;DR: In this paper, a secure communications arrangement is disclosed including a source device and a destination device interconnected to a network by communications link, where the source device generates message packets (24) for transfer to the destination device (11(N)), each message packet including information in ciphertext form.
Abstract: A secure communications arrangement is disclosed including a source device (11(l)) and a destination device (11(N)) interconnected to a network by communications link (12). The source device (11(l)) generates message packets (24) for transfer to the destination device (11(N)), each message packet including information in ciphertext form. The source device (11(N)) generates the ciphertext from plaintext using the cipher block chaining mode, employing an initialization vector (IV), generated by an IV generator (23), produced from a hash function selected so that small changes in an input result in large changes in the IV. As a result, values such as sequence numbers produced by a packet sequence number generator (25) or time stamps can be used in generating the IV, without sacrificing cryptographic security. The destination device (11(l)) receives the message packet and decrypts the ciphertext to generate plaintext using the cipher block chaining mode, employing an IV that is generated using the corresponding hash function. Although the secure communications arrangement is described in connection with the cipher block chaining mode, other modes such as the cipher-feedback mode, output-feedback mode, and other encryption modes which make use of initialization vectors, could also be used.

60 citations


Book Chapter
17 Aug 1998
TL;DR: It is concluded that Skipjack does not have a conservative design with a large margin of safety, and a new cryptographic tool is presented, which is called the Yoyo game, and efficient attacks on Skipjack reduced to 16 rounds.
Abstract: Skipjack is the secret key encryption algorithm developed by the NSA for the Clipper chip and Fortezza PC card. It uses an 80-bit key, 128 table lookup operations, and 320 XOR operations to map a 64-bit plaintext into a 64-bit ciphertext in 32 rounds. This paper describes an efficient attack on a variant, which we call Skipjack-3XOR (Skipjack minus 3 XORs). The only difference between Skipjack and Skipjack-3XOR is the removal of 3 out of the 320 XOR operations. The attack uses the ciphertexts derived from about 500 plaintexts and its total running time is equivalent to about one million Skipjack encryptions, which can be carried out in seconds on a personal computer. We also present a new cryptographic tool, which we call the Yoyo game, and efficient attacks on Skipjack reduced to 16 rounds. We conclude that Skipjack does not have a conservative design with a large margin of safety.

51 citations


Patent
29 Sep 1998
TL;DR: A key used for deciphering ciphertext is safely transmitted, to establish simple encryption communication as discussed by the authors, where a transmitter and a receiver are connected through a network such that they can communicate with each other.
Abstract: A key used for deciphering ciphertext is safely transmitted, to establish simple encryption communication. A transmitter and a receiver are connected through a network such that they can communicate with each other. In the transmitter, plaintext is enciphered using a common key. Ciphertext, together with a key generation program in a public-key cryptosystem, is transmitted from the transmitter to the receiver. In the receiver, a pair of a public key and a secret key is generated in accordance with the key generation program, the public key is transmitted to the transmitter, and the secret key is held in the receiver. In the transmitter, the common key is enciphered using the public key transmitted from the receiver. An enciphered common key transmitted to the receiver is deciphered using the held secret key. The ciphertext is deciphered using the deciphered common key.

Journal Article
01 Mar 1998
TL;DR: A new authenticated encryption scheme with (t, n) shared verification based on discrete logarithms is proposed that requires smaller bandwidth and achieves more secrecy of data transmission; it is more efficient for signature verification.
Abstract: A new authenticated encryption scheme with (t, n) shared verification based on discrete logarithms is proposed. In the scheme any ciphertext of signature for a message is addressed to a specified group of verifiers in such a way that the ability to decrypt the ciphertext of signature is regulated by the adopted (t, n) threshold scheme. That is, any t out of n verifiers in the group share the responsibility (or authority) for message recovery. The proposed scheme preserves the merits inherent in the signature scheme with message recovery and the (t, n) shared verification scheme. As compared to Harn's (t, n) shared verification scheme and its further modifications, the proposed scheme has the following advantages: it requires smaller bandwidth and achieves more secrecy of data transmission; it is more efficient for signature verification.

Patent
16 Dec 1998
TL;DR: In a public-key cryptosystem based on a multiplicative group, $n = p^2 q$, where p and q are odd primes, and g, selected from $(Z/nZ)$ such that $g_p = g^{p-1} \bmod p^2$ has an order of p in $(Z/p^2Z)^*$, are made public as discussed by the authors.
Abstract: In a public-key cryptosystem based on a multiplicative group, $n = p^2 q$, where p and q are odd primes, and g, selected from $(Z/nZ)^*$ such that $g_p = g^{p-1} \bmod p^2$ has an order of p in $(Z/p^2Z)^*$, are made public. A plaintext m, a random number and n are used to calculate $m + rn$, and n and g are used to compute $C = g^{m+rn} \bmod n$ to generate it as ciphertext. For the ciphertext C, $C \bmod p^2$ is calculated, then $C_p = C^{p-1} \bmod p^2$ is calculated to obtain $(C_p - 1)/p = L(C_p)$, and $L(C_p)$ is multiplied by a secret key $L(g_p)^{-1} \bmod p$ to obtain the plaintext m.

Patent
15 Oct 1998
TL;DR: A decryption method and device, an access right authentication method and apparatus for securely transmitting specific information to the decryption device while retaining blindness of data that is assigned to be decrypted as discussed by the authors.
Abstract: A decryption method and device, an access right authentication method and apparatus for securely transmitting specific information to the decryption device while retaining blindness of data that is assigned to be decrypted. An input unit of the decryption device receives a cipher text $C'$ generated by providing a blind effect to a cipher text $C$ and second decryption information $d_2$ from a user and transmits them to a decryption unit. The decryption unit takes a modulus $n$ and first decryption information $d_1$ from a modulus storage unit and a first decryption information storage unit, respectively. The decryption unit then calculates the expression $R = C'^{d_1 d_2} \bmod n$ and outputs $R$ through an output unit. If a combination of a cipher text $C$ and the second decryption information $d_2$ is correct, a correct decryption result is available.

Book Chapter
23 Aug 1998
TL;DR: In this article, the authors present a method for efficient conversion of chosen plaintext attacks into the more practical known plaintext and ciphertext-only attacks, and demonstrate the effectiveness of their method by practical attacks on the block-cipher Madryga and on round-reduced versions of RC5 and DES.
Abstract: We present a method for efficient conversion of differential (chosen plaintext) attacks into the more practical known plaintext and ciphertext-only attacks. Our observation may save up to a factor of $2^{20}$ in data over the known methods, assuming that plaintext is ASCII encoded English (or some other types of highly redundant data). We demonstrate the effectiveness of our method by practical attacks on the block-cipher Madryga and on round-reduced versions of RC5 and DES.

Patent
13 Jan 1998
TL;DR: A cryptographic information and communication system of the knapsack type characterized by secret logical segregation of the key sets into sections, where the sections are generated by different construction methods and are transformed differently as discussed by the authors.
Abstract: A cryptographic information and communication system of the knapsack type characterized by secret logical segregation of the key sets into sections, where the sections are generated by different construction methods and are transformed differently; and characterized by multiple solutions to subset sum ciphertext codes, where resolution protocols are employed when necessary to resolve non-unique subset sum solutions at the decryptor.

Patent
20 Apr 1998
TL;DR: In this paper, an intermediate stream is used to provide fast and extremely secure encryption and decryption but also assures integrity of a ciphertext message, which is called message authentication code (MAC).
Abstract: A cryptographic technique that not only provides fast and extremely secure encryption and decryption but also assures integrity of a ciphertext message. This technique involves, during message encryption: generating, in response to an incoming plaintext message, an intermediate stream--such as by chaining the message, wherein a predefined portion of the intermediate stream defines a message authentication code (MAC); inserting an encrypted version of the MAC into a predefined portion of a ciphertext message; and generating, in response to the intermediate stream and the encrypted MAC, a remainder of the ciphertext message such that the remainder exhibits a predefined variation, e.g., a pseudo-random sequence, also contained within the encrypted MAC. Decryption proceeds in essentially a reverse fashion. By extending the sequence across the remainder of the ciphertext, any subsequent change to the ciphertext would likely destroy the continuity of the sequence otherwise residing throughout the remainder of the ciphertext. During decryption, any violation to the integrity of the ciphertext can be readily detected by decrypting the MAC contained in the ciphertext and comparing it, for any discrepancies, against a MAC generated from recovered plaintext.

Patent
07 Feb 1998
TL;DR: In this paper, the authors proposed a method for encrypting and decrypting using permutation, concatenation and decatenation together with rotation and arithmetic and logic combining with elements or digits or characters from random, pseudo-random, or arbitrary sources wherein the plaintext may be partitioned, block-by-block.
Abstract: Apparatus and method for encrypting and decrypting using permutation, concatenation and decatenation together with rotation and arithmetic and logic combining with elements or digits or characters from random, pseudo-random, or arbitrary sources wherein the plaintext may be partitioned, block-by-block, the block size being a user selectable power of 2 in size. The data bytes in the input block are selected M bytes at a time, where M≧2, with permuted addressing to form a single concatenated data byte, CDB. The CDB is modified by rotating (or barrel shifting) a random bit distance. The CDB may also be modified before or after rotation by simple arithmetic/logic operations. After modification, the CDB is broken up into M bytes and each of the M bytes is placed into the output block with permuted addressing. The output block, or ciphertext, may again be used as an input block and the process repeated with a new output block. This scheme may be used as an encryption method by itself or in conjunction other block encryption methods. The latter may be accomplished by using this scheme between successive stages of other encryption methods on blocked data, or between an internal stage of these other methods. The sources of random numbers used to determine the distance for the random rotation operation can be from: a pseudo-random number generator, sampled music CD-ROMs, entries in tables, arrays, buffers, or any other digital source.

Journal Article
TL;DR: The effectiveness of the method for efficient conversion of differential (chosen plaintext) attacks into the more practical known plaintext and ciphertext-only attacks is demonstrated.
Abstract: We present a method for efficient conversion of differential (chosen plaintext) attacks into the more practical known plaintext and ciphertext-only attacks. Our observation may save up to a factor of $2^{20}$ in data over the known methods, assuming that plaintext is ASCII encoded English (or some other types of highly redundant data). We demonstrate the effectiveness of our method by practical attacks on the block-cipher Madryga and on round-reduced versions of RC5 and DES.

Journal Article
TL;DR: This paper gives a short overview of the state of the art of secret key block ciphers, focusing on the main application of block ciphers, namely encryption.
Abstract: In this paper we give a short overview of the state of the art of secret key block ciphers. We focus on the main application of block ciphers, namely for encryption. The most important known attacks on block ciphers are linear cryptanalysis and differential cryptanalysis. Linear cryptanalysis makes use of so-called linear hulls, i.e., the parity of a subset of ciphertext bits with a probability sufficiently far away from one half. Differential cryptanalysis makes use of so-called differentials (A, B), i.e., a pair of plaintexts with difference A, which after a certain number of rounds result in a difference B with a high probability. The hulls and differentials can be used to derive (parts of) the secret key.

Patent
27 Jan 1998
TL;DR: In this paper, the authors proposed a method of evaluating a cryptosystem to determine whether the crypto-system can withstand a fault analysis attack, which includes the steps of providing a cryptographic system having an encrypting process to encrypt a plaintext into a ciphertext, introducing a fault into the encryption process to generate a cipher text with faults, and comparing the ciphertext with the corrupted ciphertext in an attempt to recover a key of the cryptographic system.
Abstract: A method of evaluating a cryptosystem to determine whether the cryptosystem can withstand a fault analysis attack, the method includes the steps of providing a cryptosystem having an encrypting process to encrypt a plaintext into a ciphertext, introducing a fault into the encrypting process to generate a ciphertext with faults, and comparing the ciphertext with the ciphertext with faults in an attempt to recover a key of the cryptosystem.

Patent
05 Jun 1998
TL;DR: In this article, a key recovery method and system capable of key recovery without informing a third party of one's own secret key are disclosed, where a transmitting information processor generates a data value satisfying a relational expression by which if one of data obtained by converting a first public key and used as a cipher text generator is decided, the other can be determined.
Abstract: A key recovery method and system capable of key recovery without informing a third party of one's own secret key are disclosed. For realization of the method, a transmitting information processor generates a data value satisfying a relational expression by which if one of data obtained by converting a first public key and used as a cipher text generating parameter and data obtained by converting at least one second public key is decided, the other can be determined. The transmitting processor transmits a cipher text applied with the generated data value to a first receiving information processor which has a secret key paired with the first public key and at least one second receiving information processor which has a secret key paired with the second public key. The first receiving processor, even in the case of loss of the secret key paired with the first public key, can determine the data obtained by converting the first public key in such a manner that data obtained from the second receiving processor by converting the second public key and determined from the secret key paired with the second public key and the data value applied to the cipher text sent from the transmitting processor are introduced into the above relational relationship. Thereby, the cipher text can be deciphered into the original message.

Book Chapter
23 Mar 1998
TL;DR: The problem of designing a black-box symmetric cipher that leaks information subliminally and exclusively to the designer is considered and a design methodology that assures that the attack is secure and undetectable is shown.
Abstract: We consider the problem of designing a black-box symmetric cipher that leaks information subliminally and exclusively to the designer. We show how to construct a cipher which we call 'Monkey' that leaks one key bit per output block to the designer of the system (in any mode). This key bit is leaked only if a particular plaintext bit is known to the designer (known bit/message attack which is typically available in plain ASCII). The attack is of kleptographic nature as it gives a unique advantage to the designer while using strong (e.g., externally supplied) keys. The basic new difficulty with the design of spoofable block ciphers is that it is a deterministic function (previous attacks exploited randomness in key generation or message encryption/signature), and the fact that we do not want easy (statistical) observability of the spoofing (e.g., the variability of ciphertexts should be noticeable when keys change etc.). We distinguish between three entities: the designer, the reverse-engineer and the user. We show a design methodology that assures that: (1) if the device is not reverse-engineered, the attack is secure (namely, the cipher is good) and undetectable, (2) if the device is reverse-engineered, then the reverse-engineer learns at most one plaintext bit from every ciphertext (but no past/future keys), and (3) the designer learns one plaintext bit and one key bit from each ciphertext block (say in ECB mode). The method is therefore highly robust against reverse-engineering.

Journal Article
TL;DR: A data mixing method for encrypting a plaintext block using a block encryption algorithm (such as Elliptic Curve, RSA, etc.) having a block size smaller than that of the plaintext block is described.

Patent
Tsunoo Yukiyasu
03 Aug 1998
TL;DR: In this paper, the authors presented a ciphertext which is resistant to a chosen plaintext cryptanalysis in the evaluation of the intermediate-key update information, which is capable of high speed computation by parallel processing and maintaining high speed operation by higher multiplication of the parallel operation even when the number of repetitive conversion is increased.
Abstract: The present encryption apparatus is provided with a plurality of conversion means connected in multiple steps, an intermediate-key generating means for performing linear or non-linear conversion for an intermediate-key and subsequently generating an initial-value of the intermediate-key, and an intermediate-key memory means for updating and storing the intermediate-key update information. The present encryption apparatus provides a ciphertext which is refractory to a chosen plaintext cryptanalysis in the evaluation of the key update information. The present apparatus is capable of high speed operation by parallel processing and is also capable of maintaining high speed operation by higher multiplication of the parallel operation even when the number of repetitive conversion is increased.

Patent
02 Sep 1998
TL;DR: In this paper, the state monitor (30) produces a first enablement signal (38) when the conversion sequence is confirmed, and a second enablement message (42) when a block of cipher text is less than a predetermined failure threshold.
Abstract: A processor (22) of an encryption system (20) receives plain text (24) and operates an encryption algorithm to convert the plain text (24) to cipher text (26). A state monitor (30) confirms a conversion sequence within each of a plurality of conversion cycles performed by the encryption algorithm. The state monitor (30) produces a first enablement signal (38) when the conversion sequence is confirmed. An encryption activity monitor (34) determines a number of blocks of cipher text (24) that are not encrypted. The encryption activity monitor (34) produces a second enablement signal (42) when the number of unencrypted blocks of cipher text (26) is less than a predetermined failure threshold (86). A monitor gate (36) enables output of the cipher text (26) in response to the first and second enablement signals (38, 42).

Patent
07 Feb 1998
TL;DR: In this article, plaintext elements and masking array elements are converted into digits in another number base and the resulting digits are combined modulo the new number base, and the result is converted back into elements using the original number base resulting in ciphertext elements.
Abstract: Plaintext elements and masking array elements are converted into digits in another number base. The resulting digits are combined modulo the new number base and the result is converted back into elements using the original number base resulting in ciphertext elements. For recovery of the plaintext, the ciphertext elements and masking array elements are converted again into digits in the same number base as used for encryption and a reverse arithmetic combination of these digits is employed, modulo the new number base, and the result of the combination is converted back into elements in the original number base resulting in the original plaintext elements.

Patent
28 Aug 1998
TL;DR: In this article, a data security system for digitized data that can use both encryption and steganographic techniques is presented, where encrypted data is steganographically encoded into a secondary data stream, the least significant bit of selected bytes of which are replaced with bits of the encrypted data.
Abstract: A data security system for digitized data that can use both encryption and steganographic techniques. Encrypted data (14) is steganographically encoded into a secondary data stream (16), the least significant bit of selected bytes of which are replaced with bits of the encrypted data. Byte selection (15) is performed via ciphertext created separately that uses an encryption key (13) as both key and data to be encrypted. The resulting secondary data stream (17) chosen such that it does not resemble any modification can be stored or transmitted. Decoding is accomplished by using the ciphertext to find the selected bytes in the modified secondary data stream, extracting the least significant bits, and reassembling those bits into the original data. Data can be backed up by first encrypting it, then splitting it into multiple parts and storing each part on separate floppy disks in locations selected by separate encryption process which produces a selection ciphertext. The original data is restored by merging the data blocks from each floppy.

Patent
24 Aug 1998
TL;DR: In this article, the problem of reducing the apparatus scale of secret keys cipher to enable the safety of the keys to be enhanced and to facilitate key management is addressed by reducing the size of the secret key cipher.
Abstract: PROBLEM TO BE SOLVED: To enable the apparatus scale of secret keys cipher to be reduced, to enable the safety of the keys to be enhanced and to facilitate key management. SOLUTION: The data processor which encrypts a plaintext to a ciphertext by using the key for encryption and/or decrypts a ciphertext to a plaintext by using the key for decryption has a key conversion section 2 which is constituted by successively connecting plural involutional key conversion functions fk to execute key conversion processing and the output of the magnification key in accordance with any of the keys or the results of the key conversion and sequentially or reversally transfers the results of the key conversion among the key conversion functions and an agitation section 1 which is constituted by successively connecting the plural involutional round functions to execute the encryption processing and/or decryption processing by using the magnification key and sequentially or reversally transfers the results of the processing at the round functions fr among the round functions.

Patent
14 Apr 1998
TL;DR: In this paper, an enhanced CMEA encryption system was proposed for use in wireless telephony, where a plaintext message is introduced into the system and subjected to a first iteration of a CMEA-based encryption process, using a first CMEA key to produce an intermediate ciphertext.
Abstract: An enhanced CMEA encryption system suitable for use in wireless telephony. A plaintext message is introduced into the system and subjected to a first iteration of a CMEA process, using a first CMEA key to produce an intermediate ciphertext. The intermediate ciphertext is then subjected to a second iteration of the CMEA process using a second CMEA key to produce a final ciphertext. Additional security is achieved by subjecting the plaintext and intermediate ciphertext to input and output transformations before and after each iteration of the CMEA process. The CMEA iterations may be performed using an improved use of a box function which adds permutations to a message or intermediate crypto-processed data. Decryption is achieved by subjecting a ciphertext message to the reverse order of the steps used for encryption, replacing the input and output transformations by inverse output and inverse input transformations, respectively, as appropriate.