
Showing papers on "Ciphertext" published in 2000


Proceedings ArticleDOI
14 May 2000
TL;DR: This work describes cryptographic schemes for the problem of searching on encrypted data, provides proofs of security for the resulting cryptosystems, and presents simple, fast algorithms that are practical to use today.
Abstract: It is desirable to store data on data storage servers such as mail servers and file servers in encrypted form to reduce security and privacy risks. But this usually implies that one has to sacrifice functionality for security. For example, if a client wishes to retrieve only documents containing certain words, it was not previously known how to let the data storage server perform the search and answer the query, without loss of data confidentiality. We describe our cryptographic schemes for the problem of searching on encrypted data and provide proofs of security for the resulting crypto systems. Our techniques have a number of crucial advantages. They are provably secure: they provide provable secrecy for encryption, in the sense that the untrusted server cannot learn anything about the plaintext when only given the ciphertext; they provide query isolation for searches, meaning that the untrusted server cannot learn anything more about the plaintext than the search result; they provide controlled searching, so that the untrusted server cannot search for an arbitrary word without the user's authorization; they also support hidden queries, so that the user may ask the untrusted server to search for a secret word without revealing the word to the server. The algorithms presented are simple, fast (for a document of length n, the encryption and search algorithms only need O(n) stream cipher and block cipher operations), and introduce almost no space and communication overhead, and hence are practical to use today.

3,300 citations


Journal ArticleDOI
TL;DR: The cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.
Abstract: The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. The same concept makes sense in the contexts of string commitment and zero-knowledge proofs of possession of knowledge. Nonmalleable schemes for each of these three problems are presented. The schemes do not assume a trusted center; a user need not know anything about the number or identity of other system users. Our cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.

831 citations


Book ChapterDOI
10 Apr 2000
TL;DR: This work presents definitions of a new notion of security for private-key encryption called encryption unforgeability which captures an adversary's inability to generate valid ciphertexts and presents and analyzes a new mode of encryption, RPC, which is unforgeable in the strongest sense.
Abstract: We find certain neglected issues in the study of private-key encryption schemes. For one, private-key encryption is generally held to the same standard of security as public-key encryption (i.e., indistinguishability) even though usage of the two is very different. Secondly, though the importance of secure encryption of single blocks is well known, the security of modes of encryption (used to encrypt multiple blocks) is often ignored. With this in mind, we present definitions of a new notion of security for private-key encryption called encryption unforgeability which captures an adversary's inability to generate valid ciphertexts. We show applications of this definition to authentication protocols and adaptive chosen ciphertext security. Additionally, we present and analyze a new mode of encryption, RPC (for Related Plaintext Chaining), which is unforgeable in the strongest sense of the above definition. This gives the first mode provably secure against chosen ciphertext attacks. Although RPC is slightly less efficient than, say, CBC mode (requiring about 33% more block cipher applications and having ciphertext expansion of the same amount when using a block cipher with 128-bit block size), it has highly parallelizable encryption and decryption operations.

225 citations


Book ChapterDOI
03 Dec 2000
TL;DR: It is shown that ElGamal encryption with an added Schnorr signature is secure against the adaptive chosen ciphertext attack, and a very practical scheme for private information retrieval that is based on blind decryption of ElGamal ciphertexts is proposed.
Abstract: Assuming a cryptographically strong cyclic group G of prime order q and a random hash function H, we show that ElGamal encryption with an added Schnorr signature is secure against the adaptive chosen ciphertext attack, in which an attacker can freely use a decryption oracle except for the target ciphertext. We also prove security against the novel one-more-decryption attack. Our security proofs are in a new model, corresponding to a combination of two previously introduced models, the Random Oracle model and the Generic model. The security extends to the distributed threshold version of the scheme. Moreover, we propose a very practical scheme for private information retrieval that is based on blind decryption of ElGamal ciphertexts.

178 citations


Journal ArticleDOI
TL;DR: A generalisation of Paillier's probabilistic public key system is proposed, in which the expansion factor is reduced and which allows the block length of the scheme to be adjusted even after the public key has been fixed, without losing the homomorphic property.
Abstract: We propose a generalisation of Paillier's probabilistic public key system, in which the expansion factor is reduced and which allows the block length of the scheme to be adjusted even after the public key has been fixed, without losing the homomorphic property. We show that the generalisation is as secure as Paillier's original system. We construct a threshold variant of the generalised scheme as well as zero-knowledge protocols to show that a given ciphertext encrypts one of a set of given plaintexts, and protocols to verify multiplicative relations on plaintexts. We then show how these building blocks can be used for applying the scheme to efficient electronic voting. This reduces dramatically the work needed to compute the final result of an election, compared to the previously best known schemes. We show how the basic scheme for a yes/no vote can be easily adapted to casting a vote for up to t out of L candidates. The same basic building blocks can also be adapted to provide receipt-free elections, under appropriate physical assumptions. The scheme for 1 out of L elections can be optimised such that for a certain range of parameter values, a ballot has size only O(log L) bits.

150 citations


Book ChapterDOI
18 Jan 2000
TL;DR: This paper presents a generic technique to make a highly secure cryptosystem from any partially trapdoor one-way function, in the random oracle model, and presents the first scheme whose security is relative to the factorization of large integers, with a perfect reduction.
Abstract: For two years, public key encryption has become an essential topic in cryptography, namely with security against chosen-ciphertext attacks. This paper presents a generic technique to make a highly secure cryptosystem from any partially trapdoor one-way function, in the random oracle model. More concretely, any suitable problem providing a one-way cryptosystem can be efficiently derived into a chosen-ciphertext secure encryption scheme. Indeed, the overhead only consists of two hashings and an XOR. As an application, we provide the most efficient ElGamal encryption variant, therefore secure relative to the computational Diffie-Hellman problem. Furthermore, we present the first scheme whose security is relative to the factorization of large integers, with a perfect reduction (factorization is performed within the same time and with identical probability of success as the security break).

143 citations


Patent
30 Mar 2000
TL;DR: In this paper, the authors describe a device comprising encryption circuitry for encrypting plaintext data into ciphertext data, and a signal generator for generating an operating spectral signature representing the operating spectral characteristic of the device.
Abstract: A device is disclosed comprising encryption circuitry for encrypting plaintext data into ciphertext data. A memory stores an initial spectral signature representing an initial spectral characteristic of the device, and a signal generator generates an operating spectral signature representing an operating spectral characteristic of the device. A comparator compares the operating spectral signature to the initial spectral signature and enables the encryption circuitry if the operating spectral characteristic substantially matches the initial spectral characteristic.

132 citations


01 Jan 2000
TL;DR: The importance of public-key cryptosystems that are secure against chosen ciphertext attack, and of rigorous security proofs, is motivated.
Abstract: This article motivates the importance of public-key cryptosystems that are secure against chosen ciphertext attack, and of rigorous security proofs. It also discusses the new cryptosystem developed by Cramer and Shoup, and its relevance in this regard.

82 citations


Book ChapterDOI
03 Dec 2000
TL;DR: An attack on plain ElGamal and plain RSA encryption is presented, showing that without proper preprocessing of the plaintexts, both ElGamal and RSA encryption are fundamentally insecure.
Abstract: We present an attack on plain ElGamal and plain RSA encryption. The attack shows that without proper preprocessing of the plaintexts, both ElGamal and RSA encryption are fundamentally insecure. Namely, when one uses these systems to encrypt a (short) secret key of a symmetric cipher it is often possible to recover the secret key from the ciphertext. Our results demonstrate that preprocessing messages prior to encryption is an essential part of both systems.

81 citations


Patent
22 Dec 2000
TL;DR: In this paper, a memory (55) is arranged in parallel to a feedback line (65) for feedback to a selector (54) from an enciphering module (51) using an encryption key.
Abstract: In order to encipher data while enciphering other data, a memory (55) is arranged in parallel to a feedback line (65) for feedback to a selector (54) from an enciphering module (51) using an encryption key (K). If an interrupt (IT) for processing plaintext block data (Ni) occurs during the processing of plaintext block data (Mi), the cryptogram block data (Ci) being in process when the interrupt (IT) occurs is stored in a register (56). When the processing of the plaintext block data (Ni) is completed, a selector (54) selects the cryptogram block data (Ci) stored in the memory (55), and the processing of plaintext block data (Mi+1) is started.

77 citations


Book ChapterDOI
03 Dec 2000
TL;DR: This paper presents a secure and flexible Mix-net that efficiently handles long plaintexts that exceed the modulus size of underlying public-key encryption as well as very short ones (length-flexible), input ciphertext length is not impacted by the number of mix-servers ( length-invariant), and its security in terms of anonymity is proven in a formal way (provably secure).
Abstract: This paper presents a secure and flexible Mix-net that has the following properties: it efficiently handles long plaintexts that exceed the modulus size of the underlying public-key encryption as well as very short ones (length-flexible), input ciphertext length is not impacted by the number of mix-servers (length-invariant), and its security in terms of anonymity is proven in a formal way (provably secure). One can also add robustness, i.e. it outputs correct results in the presence of corrupt servers. The security is proved in the random oracle model by showing a reduction from breaking the anonymity of our Mix-net to breaking a sort of indistinguishability of the underlying symmetric encryption scheme or solving the Decision Diffie-Hellman problem.

Patent
28 Dec 2000
TL;DR: In this paper, the authors present a method for defeating a denial-of-service attack for use in a communication system in which the client sends a ciphertext of a random number chosen by the client encrypted under a public key of the server to authenticate the server.
Abstract: The present invention gives robustness for the denial-of-service to the authentication protocol itself, loads no additional public key computation, and is applicable to any authentication protocol in which the client authenticates the server by sending the client's random number encrypted under the public key of the server. The method for defeating a denial-of-service attack for use in a communication system in which the client sends a ciphertext of a random number chosen by the client encrypted under a public key of the server to authenticate the server includes the steps of: (a) the server's generating a random number r_B in response to a service request from the client and sending the random number to the client; (b) the server's receiving the ciphertext which the client produced by using the random number r_B from the server and a random number r_A of the client; (c) the server's recovering a random number r_B from the ciphertext received from the client and comparing the recovered random number with the random number sent to the client; and (d) if the random numbers match at the step (c), providing the service, and, otherwise, denying the service.

Patent
16 May 2000
TL;DR: In this article, a technique for encrypting and decrypting a data message is described and includes a stream cipher, a block cipher, and IV generation embodiment and a key generation embodiment which use a process of Summary Reduction.
Abstract: A technique for encrypting and decrypting a data message is described herein and includes a stream cipher, a block cipher, an IV generation embodiment and a key generation embodiment which use a process of Summary Reduction. This overall technique uses a secret key to generate ciphertext from plaintext and, in doing so, the technique isolates the nature of the secret key values from the nature of the ciphertext created.

Patent
07 Apr 2000
TL;DR: In this paper, the group key pair is derived from Euler's function phi(n-0) with a-0*b-0 = 1 (mod phi(n-0)), and each receiver's secret key is derived from the group secret key as b-i = b-0 + k-i×phi(n-0).
Abstract: PROBLEM TO BE SOLVED: To enable each receiver to decrypt, with one secret key, both a ciphertext sent to the entire group and a ciphertext addressed to the receiver itself, by having the respective secret keys derived from the secret key of the group held by the respective receivers. SOLUTION: In the case of cipher level 0, i.e. transmission to the entire group, an integer n-0 satisfying n-0 = p-0*q-0 is determined with respect to arbitrary integers p-0 and q-0 (S1), and its Euler's function is put as phi(n-0). Then a-0*b-0 = 1 (mod phi(n-0)) is determined (S2), and the integers a-0 and b-0 are respectively determined as the public key and secret key of cipher level 0. In the case of cipher level (i), to be sent only to receiver (i), an integer n-i satisfying n-i = p-i*q-i is determined with respect to arbitrary integers p-i and q-i (S6). An intrinsic integer is formed by using random numbers, etc., and this integer is determined as k-i. The secret key b-i of receiver (i) is determined from b-i = b-0 + k-i×phi(n-0) (S7).

Book ChapterDOI
20 Aug 2000
TL;DR: This work suggests schemes which are provably secure against CCA, and yet every string is a "valid" ciphertext, and which have a smaller ciphertext expansion than any other scheme known to be secure against CCA.
Abstract: The paradigms currently used to realize symmetric encryption schemes secure against adaptive chosen ciphertext attack (CCA) try to make it infeasible for an attacker to forge "valid" ciphertexts. This is achieved by either encoding the plaintext with some redundancy before encrypting or by appending a MAC to the ciphertext. We suggest schemes which are provably secure against CCA, and yet every string is a "valid" ciphertext. Consequently, our schemes have a smaller ciphertext expansion than any other scheme known to be secure against CCA. Our most efficient scheme is based on a novel use of "variable-length" pseudo-random functions and can be efficiently implemented using block ciphers. We relate the difficulty of breaking our schemes to that of breaking the underlying primitives in a precise and quantitative way.

Journal Article
TL;DR: In this paper, the authors proposed schemes that are provably secure against adaptive chosen ciphertext attack (CCA) and yet every string is a valid ciphertext, and they have a smaller ciphertext expansion than any other scheme known to be secure against CCA.
Abstract: The paradigms currently used to realize symmetric encryption schemes secure against adaptive chosen ciphertext attack (CCA) try to make it infeasible for an attacker to forge valid ciphertexts. This is achieved by either encoding the plaintext with some redundancy before encrypting or by appending a MAC to the ciphertext. We suggest schemes which are provably secure against CCA, and yet every string is a valid ciphertext. Consequently, our schemes have a smaller ciphertext expansion than any other scheme known to be secure against CCA. Our most efficient scheme is based on a novel use of variable-length pseudo-random functions and can be efficiently implemented using block ciphers. We relate the difficulty of breaking our schemes to that of breaking the underlying primitives in a precise and quantitative way.

Book ChapterDOI
10 Apr 2000
TL;DR: An operational reconstruction technique of most stream ciphers is presented, primarily exposed for key-stream generators which consist of several linear feedback shift registers combined by a nonlinear Boolean function.
Abstract: This paper presents an operational reconstruction technique of most stream ciphers. We primarily expose it for key-stream generators which consist of several linear feedback shift registers combined by a nonlinear Boolean function. It is shown how to completely recover the different feedback polynomials and the combining function, when the algorithm is totally unknown. This attack only requires the knowledge of some ciphertexts, which may be generated from different secret keys. Estimates of necessary ciphertext length and experimental results are detailed.

Patent
18 Feb 2000
TL;DR: In this paper, the encryption section of an IC card encrypts biological data and supplies the obtained ciphertext to a sensor unit, and when the decryption section of the sensor unit obtains biological data by decrypting the ciphertext, a collation section collates the biological data with input biological measurement data.
Abstract: When a personal authentication is to be executed, the encryption section of an IC card encrypts biological data and supplies the obtained ciphertext to a sensor unit. When the decryption section of the sensor unit obtains biological data by decrypting the ciphertext, a collation section collates the biological data with input biological measurement data, thereby authenticating personal identification.

Posted Content
TL;DR: In this article, a new attack called the Decimation Attack on most stream ciphers is presented; it improves all previously known correlation and fast correlation attacks, and simulation results and complexity comparisons are given for ciphertext-only attacks.
Abstract: This paper presents a new attack called Decimation Attack of most stream ciphers. It exploits the property that multiple clocking (or equivalently d-th decimation) of an LFSR can simulate the behavior of many other LFSRs of possibly shorter length. It then yields significant improvements of all the previously known correlation and fast correlation attacks. A new criterion on the length of the polynomial is then defined to resist the decimation attack. Simulation results and complexity comparison are detailed for ciphertext-only attacks.

Book ChapterDOI
10 Jul 2000
TL;DR: A length-saving ElGamal encryption variant whose security is based on CDH-A is proposed and its security is analyzed in the random oracle model; it provides a shorter ciphertext than Pointcheval's scheme and is provably secure against the chosen-ciphertext attack.
Abstract: A design of secure and efficient public key encryption schemes under weaker computational assumptions has been regarded as an important and challenging task. As far as ElGamal-type encryption is concerned, some variants of the original ElGamal encryption scheme whose security depends on weaker computational assumptions have been proposed: Although the security of the original ElGamal encryption is based on the decisional Diffie-Hellman assumption (DDH-A), the security of a recent scheme, such as Pointcheval's ElGamal encryption variant, is based on the weaker assumption, the computational Diffie-Hellman assumption (CDH-A). In this paper, we propose a length-saving ElGamal encryption variant whose security is based on CDH-A and analyze its security in the random oracle model. The proposed scheme is length-efficient, providing a shorter ciphertext than that of Pointcheval's scheme, and provably secure against the chosen-ciphertext attack.

Book ChapterDOI
14 Aug 2000
TL;DR: This work presents and analyzes attacks on additive stream ciphers that rely on linear equations that hold with non-trivial probability in plaintexts that are encrypted using distinct keys, and defines linear redundancy to characterize the vulnerability of a plaintext source to these attacks.
Abstract: We present and analyze attacks on additive stream ciphers that rely on linear equations that hold with non-trivial probability in plaintexts that are encrypted using distinct keys. These attacks extend Biham's key collision attack and Hellman's time memory tradeoff attack, and can be applied to any additive stream cipher. We define linear redundancy to characterize the vulnerability of a plaintext source to these attacks. We show that an additive stream cipher with an n-bit key has an effective key size of n - min(l, lg M) against the key collision attack, and of 2n/3 + lg(n/3) + max(n - l, 0) against the time memory tradeoff attack, when the attacker knows l linear equations over the plaintext and has M ciphertexts encrypted with M distinct unknown secret keys. Lastly, we analyze the IP, TCP, and UDP protocols and some typical protocol constructs, and show that they contain significant linear redundancy. We conclude with observations on the use of stream ciphers for Internet security.

Book ChapterDOI
10 Dec 2000
TL;DR: This paper presents a new attack called the Decimation Attack on most stream ciphers that exploits the property that multiple clocking (or equivalently d-th decimation) of an LFSR can simulate the behavior of many other LFSRs of possibly shorter length.
Abstract: This paper presents a new attack called Decimation Attack of most stream ciphers. It exploits the property that multiple clocking (or equivalently d-th decimation) of an LFSR can simulate the behavior of many other LFSRs of possibly shorter length. It then yields significant improvements of all the previously known correlation and fast correlation attacks. A new criterion on the length of the polynomial is then defined to resist the decimation attack. Simulation results and complexity comparison are detailed for ciphertext-only attacks.

Patent
08 Jun 2000
TL;DR: In this article, existing key encryption approaches are extended by using overlapping portions of encrypted information and by inserting one or more bits of data to ensure correct encryption/decryption; the inserted data can also be used for authentication.
Abstract: Existing key encryption approaches are extended by using overlapping portions of encrypted information. Another provision inserts one or more bits of data to ensure correct encryption/decryption. The inserted data can also be used for authentication.

Journal ArticleDOI
TL;DR: The relation between Ising spin systems and public-key cryptography is investigated using methods of statistical physics and the analyzed properties of the suggested cryptosystem show robustness against various attacks and competitive performance to modern cryptographical methods.
Abstract: The relation between Ising spin systems and public-key cryptography is investigated using methods of statistical physics. The insight gained from the analysis is used for devising a matrix-based cryptosystem whereby the ciphertext comprises products of the original message bits; these are selected by employing two predetermined randomly constructed sparse matrices. The ciphertext is decrypted using methods of belief propagation. The analyzed properties of the suggested cryptosystem show robustness against various attacks and competitive performance to modern cryptographical methods.

Journal ArticleDOI
TL;DR: In this article, the authors studied various applications and variants of Paillier's probabilistic encryption scheme and proposed a threshold variant of the scheme, and also zero-knowledge protocols for proving that a given ciphertext encodes a given plaintext, and for verifying multiplication of encrypted values.
Abstract: We study various applications and variants of Paillier's probabilistic encryption scheme. First, we propose a threshold variant of the scheme, and also zero-knowledge protocols for proving that a given ciphertext encodes a given plaintext, and for verifying multiplication of encrypted values. We then show how these building blocks can be used for applying the scheme to efficient electronic voting. This reduces dramatically the work needed to compute the final result of an election, compared to the previously best known schemes. We show how the basic scheme for a yes/no vote can be easily adapted to casting a vote for up to t out of L candidates. The same basic building blocks can also be adapted to provide receipt-free elections, under appropriate physical assumptions. The scheme for 1 out of L elections can be optimised such that for a certain range of parameter values, a ballot has size only O(log L) bits. Finally, we propose a variant of the encryption scheme, that allows reducing the expansion factor of Paillier's scheme from 2 to almost 1.

Patent
Kevin R. Driscoll
14 Nov 2000
TL;DR: A stream cipher cryptosystem includes a keystream generator receiving a key and providing a keystream, and a cryptographic combiner that combines a first binary data sequence and the keystream with two non-associative operations to provide a second binary data sequence.
Abstract: A stream cipher cryptosystem includes a keystream generator receiving a key and providing a keystream. A cryptographic combiner combines a first binary data sequence and the keystream with two non-associative operations to provide a second binary data sequence. In encryption operations, the cryptographic combiner is an encryption combiner and the first binary data sequence is a plaintext binary data sequence and the second binary data sequence is a ciphertext binary data sequence. In decryption operations, the cryptographic combiner is a decryption combiner and the first binary data sequence is a ciphertext binary data sequence and the second binary data sequence is a plaintext binary data sequence.

Book ChapterDOI
14 Aug 2000
TL;DR: A general stream cipher with memory is pointed out, in which each ciphertext symbol depends on both the current and previous plaintext symbols, and each plaintext symbol affects both the current and previous ciphertext symbols.
Abstract: A general stream cipher with memory in which each ciphertext symbol depends on both the current and previous plaintext symbols, as well as each plaintext symbol depends on both the current and previous ciphertext symbols, is pointed out. It is shown how to convert any keystream generator into a stream cipher with memory, and their security is discussed. It is proposed how to construct secure self-synchronizing stream ciphers, keyed hash functions, hash functions, and block ciphers from any secure stream cipher with memory. Rather new and unusual designs can thus be obtained, such as the designs of block ciphers and (keyed) hash functions based on clock-controlled shift registers only.

Patent
24 Aug 2000
TL;DR: A cryptographic apparatus has an encryption/encapsulation processing section for encrypting plaintext data received from a plaintext network, referencing the predetermined correspondence between addresses and different cryptographic apparatus.
Abstract: A cryptographic apparatus has an encryption/encapsulation processing section for encrypting plaintext data received from a plaintext network, referencing the predetermined correspondence between addresses and different cryptographic apparatus, setting a new header based on the cryptographic apparatus corresponding to the address set in the header of the plaintext data as encapsulation processing, and transmitting ciphertext data provided thereby to the ciphertext network of the same IP subnet as the plaintext network, and a decryption/decapsulation processing section for decrypting ciphertext data received from the ciphertext network into plaintext data, again setting a header based on the address set in the header of the plaintext data as decapsulation processing, and transmitting plaintext data provided thereby to the plaintext network of the same IP subnet as the ciphertext network.

Patent
12 Dec 2000
TL;DR: In this paper, the authors proposed a means to prevent a secret key from leaking and a means for reallocating computer resources of an information server device according to the busyness of processing for cipher communication and non-cipher communication while evading a decrease in the response speed of the information server due to cipher processing.
Abstract: PROBLEM TO BE SOLVED: To provide a means for preventing a secret key from leaking and a means for reallocating computer resources of an information server device according to the busyness of processing for cipher communication and non-cipher communication while evading a decrease in the response speed of the information server device due to cipher processing. SOLUTION: A normal OS which logically divides the computer resources of the information server device and administers the transmission and reception of information and a secure OS which administers a function of deciphering a ciphertext ciphered with an open key at a request from the normal OS are placed in operation. Further, the device is provided with a means which measures information on the CPU use rates of the secure OS and normal OS and information on the memory use rates, informs a system administrator of the computer resource use state of the information server device when a set threshold is exceeded, and allows the system administrator having been informed to reallocate the computer resources of the information server device.

Patent
Charanjit S. Jutla
14 Apr 2000
TL;DR: In this paper, a single pass technique is used to embed a message integrity check in the ciphertext blocks, and the method further comprises the steps of decrypting the ciphertext blocks to re-form the plaintext blocks.
Abstract: An encryption/decryption method and system. The method comprises the steps of encrypting a plaintext message by dividing the plaintext message into a multitude of plaintext blocks and encrypting the plaintext blocks to form a multitude of ciphertext blocks. A single pass technique is used in the method to embed a message integrity check in the ciphertext blocks. The method further comprises the steps of decrypting the ciphertext blocks to re-form the plaintext blocks, and testing the message integrity check in the ciphertext blocks to test the integrity of the re-formed plaintext blocks.