
Showing papers on "Cryptography published in 1992"


Proceedings ArticleDOI
04 May 1992
TL;DR: A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced.
Abstract: Classic cryptographic protocols based on user-chosen keys allow an attacker to mount password-guessing attacks. A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced. In particular, a protocol relying on the counter-intuitive notion of using a secret key to encrypt a public key is presented. Such protocols are secure against active attacks, and have the property that the password is protected against offline dictionary attacks.

1,571 citations
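The offline-dictionary-attack resistance described in the abstract, shown as an added Python example (this is not the paper's code). It places a naive password challenge-response beside a toy Diffie-Hellman EKE in which each side's ephemeral public value is "encrypted" under a password-derived key, then runs an eavesdropper's guess-checking routine over a captured transcript of each. The 255-bit prime modulus, generator 2, the SHA-256 key derivation, the one-time-pad-mod-P encryption of group elements and the three-word dictionary are all constructed here for illustration.

```python
import hashlib
import secrets

# Toy group, constructed for this example: a 255-bit prime modulus and
# generator 2. Real deployments need a vetted group and an encoding of
# group elements that is uniform for every password guess.
P = 2**255 - 19
G = 2


def h(*parts):
    """Hash a labelled message to an integer (toy KDF/PRF, SHA-256)."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")


def _bytes(x):
    return x.to_bytes(32, "big")


# ---- Naive password challenge-response: guessable offline --------------
def naive_transcript(password, nonce=None):
    """A sends a nonce encrypted under the password (one-time pad mod P);
    B proves knowledge of the password by returning a hash of the nonce."""
    if nonce is None:
        nonce = secrets.randbelow(P)
    k = h(b"naive", password) % P
    c1 = (nonce + k) % P             # A -> B
    c2 = h(b"resp", _bytes(nonce))   # B -> A
    return c1, c2


def naive_surviving_guesses(dictionary, transcript):
    """Eavesdropper: decrypt c1 under each guess and test it against c2.
    Only the real password survives, so the transcript is a guess oracle."""
    c1, c2 = transcript
    return [pw for pw in dictionary
            if h(b"resp", _bytes((c1 - h(b"naive", pw) % P) % P)) == c2]


# ---- EKE-style exchange: the password encrypts DH public values --------
def eke_transcript(password, a=None, b=None):
    """Each side encrypts its ephemeral Diffie-Hellman public value under
    a password-derived key; the session key is g^(ab) mod P."""
    if a is None:
        a = 2 + secrets.randbelow(P - 3)
    if b is None:
        b = 2 + secrets.randbelow(P - 3)
    ka = h(b"A", password) % P
    kb = h(b"B", password) % P
    c1 = (pow(G, a, P) + ka) % P      # A -> B: Enc_pw(g^a)
    c2 = (pow(G, b, P) + kb) % P      # B -> A: Enc_pw(g^b)
    key_a = pow((c2 - kb) % P, a, P)  # A decrypts g^b, raises to a
    key_b = pow((c1 - ka) % P, b, P)  # B decrypts g^a, raises to b
    return c1, c2, key_a, key_b


def eke_surviving_guesses(dictionary, transcript):
    """Eavesdropper: decrypting c1, c2 under any guess yields some pair of
    group elements, and without a or b there is no way to tell which pair
    is the real one. Every guess survives, so nothing is learned."""
    c1, c2, _, _ = transcript
    survivors = []
    for pw in dictionary:
        ya = (c1 - h(b"A", pw) % P) % P
        yb = (c2 - h(b"B", pw) % P) % P
        if 0 < ya < P and 0 < yb < P:   # the only check available offline
            survivors.append(pw)
    return survivors


if __name__ == "__main__":
    dictionary = [b"letmein", b"hunter2", b"correct horse"]  # constructed
    real = b"hunter2"
    print("naive:", naive_surviving_guesses(dictionary, naive_transcript(real)))
    t = eke_transcript(real)
    assert t[2] == t[3]
    print("EKE:  ", eke_surviving_guesses(dictionary, t))
```

Two caveats a practitioner would add: an active attacker still gets one online guess per protocol run (which is why the abstract says "protected against offline" attacks), and a key-confirmation step must be keyed by the derived session key, never by the password, or it becomes the guess oracle the scheme was meant to remove.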


Journal ArticleDOI
TL;DR: An efficient scheme for two-dimensional data encryption is presented based on the principles and ideas reflected by the specification and development of the SCAN language, and is mainly motivated for the encryption of 2D digital pictures.

278 citations


Journal ArticleDOI
TL;DR: A review and comment on NIST's proposal for a public key digital signature standard, which is a variant of the ElGamal and Schnorr schemes, and is based on reasonably familiar number-theoretic concepts.
Abstract: The U.S. Government agency NIST has recently proposed a public key digital signature standard [3, 4]. Although the proposal is nominally only "for government use", such a proposal, if adopted, would likely have an effect on commercial cryptography as well. In this note I review and comment on NIST's proposal.
Positive Aspects. The following positive aspects of the proposal are worth noting: • The U.S. government has finally recognized the utility of public key cryptography. • The proposal is based on reasonably familiar number-theoretic concepts, and is a variant of the ElGamal [1] and Schnorr [5] schemes. • Signatures are relatively short (only 320 bits). • When signing, computation of r can be done before the message m is available, in a "precomputation" step.
Problems with the Proposed DSS. DSS is different from the de facto public key standard (RSA). Two-thirds of the U.S. computer industry is already using RSA. These companies are using industry-developed interoperable standards, the public key cryptography standard (PKCS) [2]. Moreover, DSS is not compatible with existing international standards. International standards organizations such as ISO, CCITT, and SWIFT, as well as other organizations (such as the Internet) have accepted RSA as a standard. DSS is not compatible with ISO 9796, the most widely accepted international digital signature standard. Adopting DSS would create a double standard, causing difficulties for U.S. industry, which would have to maintain both DSS (for domestic or U.S. government use) and RSA (for international use). DSS also has patent problems. Users of the NIST proposal may be infringing one or more patents. Claus Schnorr claims that DSS infringes his U.S. patent #4,995,082, and Public Key Partners (PKP) asserts that DSS infringes U.S. patents #4,200,770 and #4,218,582. NIST does not give a firm opinion on this matter, and has not made licensing arrangements with either Schnorr or PKP.
This leaves potential users of the NIST proposal vulnerable. To add to the patent confusion, NIST says it has filed for a patent on DSS, a move that has no obvious justification. NIST has not stated why it has filed for a patent. The only motivation I can imagine is that NIST may wish to force users, via licensing requirements, to use key sizes shorter than they might naturally wish to use. (See my discussion of weak cryptography.) DSS has engineering problems; it's buggy. The verification process can blow up due to division by zero, when s …

171 citations


Book ChapterDOI
24 May 1992
TL;DR: It is proved that this protocol is secure against the malicious actions of any adversary, limited to feasible computation, but with the power to eavesdrop on all messages and to corrupt any dynamically chosen minority of the parties.
Abstract: We introduce new techniques for generating and reasoning about protocols. These techniques are based on protocol transformations that depend on the nature of the adversaries under consideration. We propose a set of definitions that captures and unifies the intuitive notions of correctness, privacy, and robustness, and enables us to give concise and modular proofs that our protocols possess these desirable properties. Using these techniques, whose major purpose is to greatly simplify the design and verification of cryptographic protocols, we show how to construct a multiparty cryptographic protocol to compute any given feasible function of the parties' inputs. We prove that our protocol is secure against the malicious actions of any adversary, limited to feasible computation, but with the power to eavesdrop on all messages and to corrupt any dynamically chosen minority of the parties. This is the first proof of security against dynamic adversaries in the "cryptographic" model of multiparty protocols. We assume the existence of a one-way function and allow the participants to erase small portions of memory. Our result combines the superior resilience of the cryptographic setting of [GMW87] with the stronger (dynamic) fault pattern of the "non-cryptographic" setting of [BGW88, CCD88].

163 citations


Proceedings ArticleDOI
01 May 1992
TL;DR: In this article, the authors extend the use of traditional point-to-point message authentication to multireceiver and/or multisender scenarios, where a single sender can broadcast (multicast) only one unconditionally secure authenticator for a message and which all receivers can verify.
Abstract: The authors extend the use of traditional point-to-point message authentication to multireceiver and/or multisender scenarios. They provide efficient cryptographic authentication methods for point-to-multipoint communication, where a single sender can broadcast (multicast) only one unconditionally secure authenticator for a message, which all receivers can verify. They further develop multipoint-to-point communication (incast) in which any subset (of a specified size) of a group of individuals can transmit a single authenticator (or a signature) for a message using the group's key. This method has been called threshold authentication. It is an application layer that is transparent to the receiver, which only deals with the group as one entity. The bandwidth, computation, and storage overheads are reduced substantially when compared with the traditional approach. Threshold authentication hides some aspects of the internal structure of the group, which may be important in interenterprise communication.

138 citations


Book ChapterDOI
Ueli Maurer1
16 Aug 1992
TL;DR: The results suggest building cryptographic systems that are provably secure against enemies with unlimited computing power under realistic assumptions about the partial independence of the noise on the involved communication channels.
Abstract: Consider the following scenario: Alice and Bob, two parties who share no secret key initially but whose goal it is to generate a (large amount of) information-theoretically secure (or unconditionally secure) shared secret key, are connected only by an insecure public channel to which an eavesdropper Eve has perfect (read) access. Moreover, there exists a satellite broadcasting random bits at a very low signal power. Alice and Bob can receive these bits with certain bit error probabilities $\epsilon_A$ and $\epsilon_B$, respectively (e.g. $\epsilon_A = \epsilon_B = 30\%$), while Eve is assumed to receive the same bits much more reliably, with bit error probability $\epsilon_E \ll \epsilon_A, \epsilon_B$ (e.g. $\epsilon_E = 1\%$). The errors on the three channels are assumed to occur at least partially independently. Practical protocols are discussed by which Alice and Bob can generate a secret key despite the facts that Eve possesses more information than both of them and is assumed to have unlimited computational resources as well as complete knowledge of the protocols. The described scenario is a special case of a much more general setup in which Alice, Bob and Eve are assumed to know random variables $X$, $Y$ and $Z$, respectively, jointly distributed according to some probability distribution $P_{XYZ}$. The results of this paper suggest building cryptographic systems that are provably secure against enemies with unlimited computing power under realistic assumptions about the partial independence of the noise on the involved communication channels.

125 citations


Book ChapterDOI
03 Jan 1992
TL;DR: In this article, a modification of Schnorr's interactive identification scheme for use by smart cards is presented, which requires only slightly more communication and about a factor of 3.6 increase in computational power.
Abstract: We describe a modification of an interactive identification scheme of Schnorr intended for use by smart cards. Schnorr's original scheme had its security based on the difficulty of computing discrete logarithms in a subgroup of GF(p) given some side information. We prove that our modification will be witness hiding, which is a more rigid security condition than Schnorr proved for his scheme, if factoring a large integer with some side information is computationally infeasible. In addition, even if the large integer can be factored, our scheme is still as secure as Schnorr's scheme. For this enhanced security we require only slightly more communication and about a factor of 3.6 increase in computational power, but the requirements remain quite modest, so that the scheme is well suited for use in smart cards.

109 citations
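The Schnorr identification protocol that this paper modifies, as an added Python example (it is not the authors' scheme, and their factoring-based modification is not reproduced). It shows the three-move exchange, the extractor that recovers the secret from two accepting transcripts sharing one commitment (why a prover must never reuse r), and the simulator that forges a transcript whenever the challenge is known ahead of time (why the verifier must pick c only after seeing t). The same three-move shape underlies the Guillou-Quisquater and Fiat-Shamir schemes mentioned further down this page. The 64-bit safe-prime group is generated at run time purely for illustration and is far too small for real use.

```python
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Deterministic Miller-Rabin; these bases are exact for n < 3.3e24."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=64):
    """Return (p, q, g): p = 2q+1 a safe prime, g of prime order q.
    Constructed here for illustration; real use takes standard parameters."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_prime(q) and is_prime(p):
            break
    while True:
        g = pow(secrets.randbelow(p - 2) + 2, 2, p)  # squares have order q
        if g != 1:
            return p, q, g


def keygen(grp):
    p, q, g = grp
    x = secrets.randbelow(q - 1) + 1   # private key
    return x, pow(g, x, p)              # (x, y = g^x)


def commit(grp):
    """Prover, move 1: pick a fresh r, send t = g^r."""
    p, q, g = grp
    r = secrets.randbelow(q - 1) + 1
    return r, pow(g, r, p)


def respond(grp, x, r, c):
    """Prover, move 3: s = r + c*x mod q."""
    return (r + c * x) % grp[1]


def verify(grp, y, t, c, s):
    """Verifier: accept iff g^s == t * y^c (mod p)."""
    p, _, g = grp
    return pow(g, s, p) == (t * pow(y, c, p)) % p


def identify(grp, x, y):
    """One honest run; the verifier's challenge is chosen after seeing t."""
    r, t = commit(grp)
    c = secrets.randbelow(grp[1])        # verifier, move 2
    return verify(grp, y, t, c, respond(grp, x, r, c))


def extract(grp, c1, s1, c2, s2):
    """Special soundness: two accepting transcripts with the same t and
    different challenges give x = (s1 - s2) / (c1 - c2) mod q."""
    q = grp[1]
    return (s1 - s2) * pow((c1 - c2) % q, -1, q) % q


def simulate(grp, y, c):
    """Honest-verifier zero knowledge: knowing c in advance, anyone can
    produce an accepting (t, c, s) without x by setting t = g^s * y^-c."""
    p, q, g = grp
    s = secrets.randbelow(q)
    t = pow(g, s, p) * pow(y, (-c) % q, p) % p
    return t, c, s


if __name__ == "__main__":
    grp = make_group()
    x, y = keygen(grp)
    print("honest run accepted:", identify(grp, x, y))
    r, t = commit(grp)
    s1, s2 = respond(grp, x, r, 3), respond(grp, x, r, 7)
    print("secret recovered from reused r:", extract(grp, 3, s1, 7, s2) == x)
```

The extractor is the reason a card that reuses (or leaks) r is broken outright, and the simulator is the reason the challenge must be unpredictable to the prover: the security of the exchange rests on the order of the three moves, not on any secrecy of t or s.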


Journal ArticleDOI
TL;DR: The PROLOG program extensively searches for potential attacks in a simple rule-based model of the system, and it is suggested that this program is capable of extended operation in other areas where security or safety flaws are to be investigated.

101 citations


Proceedings ArticleDOI
04 May 1992
TL;DR: A message splicing/decomposition invariant of the cipher block chaining mode of encryption is derived and used to identify heretofore-unknown vulnerabilities of well-known protocols.
Abstract: An operational model for message integrity in cryptographic protocols is presented, message integrity requirements are discussed, and message structures that satisfy those requirements are suggested. A message splicing/decomposition invariant of the cipher block chaining (CBC) mode of encryption is derived and used to identify heretofore-unknown vulnerabilities of well-known protocols. The suggested message structures remove these vulnerabilities relying only on the use of weak one-way functions.

96 citations
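The CBC splicing invariant the abstract refers to, made concrete as an added Python example (not the authors' code). A toy 16-byte Feistel cipher, constructed so the example runs without third-party libraries (any block cipher behaves identically in CBC), encrypts two messages under one key; an attacker cuts and pastes ciphertext blocks, and decryption returns the original plaintext blocks on both sides of the seam with exactly one garbled block at the seam, whose value the attacker can predict. The sample messages and key are made up.

```python
import hashlib


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# --- toy 16-byte block cipher: 4-round Feistel with a SHA-256 round function.
# Constructed for this example only; it stands in for DES/AES here.
def _round(key, half, r):
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]


def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for r in range(4):
        left, right = right, xor(left, _round(key, right, r))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for r in reversed(range(4)):
        left, right = xor(right, _round(key, left, r)), left
    return left + right


def cbc_encrypt(key, iv, blocks):
    """Returns [IV, C1, ..., Cn] with C_i = E(P_i xor C_{i-1}), C_0 = IV."""
    out = [iv]
    for p in blocks:
        out.append(block_encrypt(key, xor(p, out[-1])))
    return out


def cbc_decrypt(key, ct):
    """P_i = D(C_i) xor C_{i-1}: each plaintext block depends on only two
    adjacent ciphertext blocks, which is exactly what makes splicing work."""
    return [xor(block_decrypt(key, ct[i]), ct[i - 1]) for i in range(1, len(ct))]


def splice(ct1, i, ct2, j):
    """Cut-and-paste two ciphertexts encrypted under the same key: keep ct1
    up to block i-1 (ct1[0] is the IV), then continue with ct2 from block j."""
    return ct1[:i] + ct2[j:]


def predicted_splice_plaintext(p1, ct1, i, p2, ct2, j):
    """The invariant: decrypting the spliced ciphertext gives P1_1..P1_{i-1},
    then one seam block P2_j xor C2_{j-1} xor C1_{i-1}, then P2_{j+1}..P2_n.
    An attacker who knows P2_j knows the seam block exactly."""
    seam = xor(xor(p2[j - 1], ct2[j - 1]), ct1[i - 1])
    return p1[:i - 1] + [seam] + p2[j:]


# Constructed sample data: two 3-block messages under one key.
KEY = b"k" * 16
MSG1 = [b"TRANSFER $100 TO", b"ACCOUNT 00000001", b"MEMO: rent......"]
MSG2 = [b"TRANSFER $999 TO", b"ACCOUNT 66666666", b"MEMO: attacker.."]


def demo():
    ct1 = cbc_encrypt(KEY, bytes(range(16)), MSG1)
    ct2 = cbc_encrypt(KEY, bytes(range(16, 32)), MSG2)
    spliced = splice(ct1, 2, ct2, 2)          # [IV1, C1_1, C2_2, C2_3]
    got = cbc_decrypt(KEY, spliced)
    expected = predicted_splice_plaintext(MSG1, ct1, 2, MSG2, ct2, 2)
    return got, expected


if __name__ == "__main__":
    got, expected = demo()
    for blk in got:
        print(blk)
    print("matches invariant:", got == expected)
```

Only the seam block is disturbed, and any field that happens to sit in it may go unchecked by a receiver that parses the rest of the message as usual; the practical conclusion is that CBC on its own provides no integrity, so either a MAC over the whole ciphertext or message structures of the kind the paper proposes is required.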


Patent
Werner Paulini1, Dietmar Wessel1
20 Mar 1992
TL;DR: For securing programs contained in a system storage and checking their integrity, each program is encoded by a symmetric cryptographic algorithm under a readback-secured secret key, and a check number for each program is formed at the same time and stored in the system storage.
Abstract: For securing programs contained in a system storage and for checking their integrity, the programs are in each case coded by a symmetric cryptographic algorithm with the application of a readback-secured, secret key, and a check number for each program is simultaneously formed and stored in the storage of the system. For checking the integrity, the programs are then coded again in the same manner and the check number thus obtained in each case is compared with the check number stored at the first coding. It is possible to derive from the result of the comparison a criterion for activating or locking the following programs.

83 citations


Journal ArticleDOI
TL;DR: A cryptographic key assignment scheme for access control in a user hierarchy where only the security classes in the higher level can access the information items owned by the security class in the lower level is proposed.
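The access-control idea in this TL;DR, illustrated with an added Python example that is not the paper's construction: a tree-shaped class hierarchy (constructed here) in which each class key is derived from its parent's key with HMAC-SHA256, so a higher class computes any descendant's key by walking down the tree while a lower class cannot move upward because HMAC is one-way. A general partially ordered hierarchy, where a class may have several parents, needs a scheme beyond this tree; the names and keys below are made up.

```python
import hashlib
import hmac

# Constructed hierarchy: parent -> children. A higher class may read what a
# lower class owns, never the reverse.
HIERARCHY = {
    "ceo": ["finance", "engineering"],
    "finance": ["payroll"],
    "engineering": ["dev", "ops"],
    "payroll": [], "dev": [], "ops": [],
}
ROOT = "ceo"


def child_key(parent_key, child):
    """One-way derivation: child key = HMAC(parent key, child name)."""
    return hmac.new(parent_key, child.encode(), hashlib.sha256).digest()


def assign_keys(root_key, root=ROOT):
    """Central authority: derive and hand out one key per security class."""
    keys = {root: root_key}
    stack = [root]
    while stack:
        node = stack.pop()
        for child in HIERARCHY[node]:
            keys[child] = child_key(keys[node], child)
            stack.append(child)
    return keys


def _path(src, dst):
    """Classes from src down to dst, or None if dst is not below src."""
    if src == dst:
        return [src]
    for child in HIERARCHY[src]:
        sub = _path(child, dst)
        if sub:
            return [src] + sub
    return None


def derive_key(own_class, own_key, target):
    """What a member of own_class can compute for target from its own key
    and the public hierarchy alone. None means access is denied: there is
    no downward path, and the one-way derivation cannot be run backwards."""
    path = _path(own_class, target)
    if path is None:
        return None
    key = own_key
    for child in path[1:]:
        key = child_key(key, child)
    return key


if __name__ == "__main__":
    keys = assign_keys(b"root-secret-constructed-for-demo")
    print("ceo -> payroll:", derive_key("ceo", keys["ceo"], "payroll") == keys["payroll"])
    print("payroll -> finance:", derive_key("payroll", keys["payroll"], "finance"))
```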

Book ChapterDOI
24 May 1992
TL;DR: The substitution boxes of DES are relatively small in dimension and they can be generated by testing randomly chosen functions for required design criteria, but when the dimensions grow larger, analytic construction methods become necessary.
Abstract: Highly nonlinear permutations play an important role in the design of cryptographic transformations such as block ciphers, hash functions and stream ciphers. The substitution boxes of DES are relatively small in dimension and they can be generated by testing randomly chosen functions for required design criteria. Security may be increased by the use of substitution transformations of higher dimensions. But when the dimensions grow larger, analytic construction methods become necessary.

Book
01 Jan 1992
TL;DR: This work focuses on the design and analysis of protocols for access control in distributed systems, and the shared generation of authenticators and signatures in public Cryptosystems.
Abstract: Protocol Design and Analysis.- A Calculus for Access Control in Distributed Systems.- Deriving the Complete Knowledge of Participants in Cryptographic Protocols.- Systematic Design of Two-Party Authentication Protocols.- Combinatorics and Authentication.- Combinatorial characterizations of authentication codes.- Universal hashing and authentication codes.- On Correlation-immune functions.- Secret Sharing and Information Theory.- On the Size of Shares for Secret Sharing Schemes.- On Verification in Secret Sharing.- Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing.- Multiparty Secret Key Exchange Using a Random Deal of Cards.- Cryptanalysis.- Differential Cryptanalysis of Snefru, Khafre, REDOC-II, LOKI and Lucifer.- A Known Plaintext Attack of FEAL-4 and FEAL-6.- A switching closure test to analyze cryptosystems.- An Attack on the Last Two Rounds of MD4.- The Cryptanalysis of a New Public-Key Cryptosystem based on Modular Knapsacks.- Complexity Theory.- A One-Round, Two-Prover, Zero-Knowledge Protocol for NP.- Interactive Proofs with Space Bounded Provers.- Functional Inversion and Communication Complexity.- The Use of Interaction in Public Cryptosystems.- Cryptographic Schemes Based on Number Theory.- New Public-Key Schemes Based on Elliptic Curves over the Ring Zn.- Efficient Algorithms for the Construction of Hyperelliptic Cryptosystems.- CM-Curves with Good Cryptographic Properties.- A New ID-Based Key Sharing System.- Pseudorandomness.- Pseudo-random Generators from One-way Functions.- New Results on Pseudorandom Permutation Generators Based on the DES Scheme.- Applications and Implementations.- Faster Modular Multiplication by Operand Scaling.- Universal Electronic Cash.- How to Break and Repair a "Provably Secure" Untraceable Payment System.- Practical Quantum Oblivious Transfer.- Exploiting Parallelism in Hardware Implementation of the DES.- Secure Computation Protocols.- Foundations of Secure Interactive Computing.-
Secure Computation.- A Cryptographic Scheme for Computerized General Elections.- Efficient Multiparty Protocols Using Circuit Randomization.- Public-Key Cryptosystems and Signatures.- Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack.- Towards Practical Public Key Systems Secure Against Chosen Ciphertext attacks.- Shared generation of authenticators and signatures.- Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer.

Book
01 Jan 1992
TL;DR: A collection on software protection: review of methods (D.J.Grover), cryptography (D.W.Davies), intelligent modules (G.I.Parkin and B.W.Wichmann), and user opinion of software protection in the UK (S.M.Elsom), among other chapters.
Abstract: Review of methods, D.J.Grover disk protection, R.Sather physical protection devices, J.G.W.Phipps cryptography, D.W.Davies intelligent modules, G.I.Parkin and B.W.Wichmann program identification, D.J.Grover hacking, M.Samociuk copyright and patents, R.J.Hart licensing issues, J.R.Cartwright user opinion of software protection in the UK, S.M.Elsom.

Proceedings ArticleDOI
15 Jun 1992
TL;DR: The concept of an integrated security system (ISS) and its realization are described; encryption tools are used for information secrecy, and authentication tools are used for user identification and access control.
Abstract: The concept of an integrated security system (ISS) and its realization are described. An integrated security system protects information network systems from computer viruses, hackers and other computer crimes. For this purpose, the ISS requires three mechanisms: information secrecy, user identification and access control mechanisms. The information secrecy mechanism protects information against intrusion through 'non-gates' of the information network systems. The user identification mechanism permits authorized users to enter the systems only at 'the gates'. The access control mechanism allows only the users with permission to actually access data. The author implements an integrated security system using an ID-based security scheme. The ID-based security scheme provides encryption tools and authentication tools. Encryption tools are used for information secrecy, and authentication tools are used for user identification and access control.

Proceedings ArticleDOI
04 May 1992
TL;DR: It is shown that KP seems to be suitable for secure key distribution and the approach due to P. Bieber is modified to facilitate the detection of the class of multirole flaws.
Abstract: In protocols for the distribution of symmetric keys, a principal will usually either take on the role of a session key provider or of a session key user. A principal taking on the role of session key user may also act as the master or the slave. Methods for the analysis of cryptographic protocols that fail to properly handle multiple roles are demonstrated to yield undependable results. A protocol, KP, similar to the Needham and Schroeder symmetric key distribution protocol (1978), is presented. An example is provided to show how a multirole flaw in KP can be utilized by an adversary to obtain a session key. Using a method due to M. Burrows et al. (1989) and P. Bieber (1990) it is shown that KP seems to be suitable for secure key distribution. The approach due to P. Bieber is then modified to facilitate the detection of the class of multirole flaws.


Proceedings ArticleDOI
13 Sep 1992
TL;DR: An implementation of a security protocol in an extended LAN environment is described, which makes it possible to obtain security based on two very well known algorithms such as the DES and RSA.
Abstract: An implementation of a security protocol in an extended LAN environment is described. The protocol has a hierarchical architecture. At the first level are the session keys, at the second level the master keys, and at the highest level the public and private key of the manager and the CryptoNet's keys. The relations between them, the right time to renew the keys, and the appropriate form in which to do it are also characteristics that make it possible to obtain security based on two very well known algorithms, DES and RSA.

Journal ArticleDOI
TL;DR: The role of public-key cryptography in open systems interconnection (OSI) is discussed, and how security fits into the OSI architecture, and what standards are being developed are discussed.
Abstract: The role of public-key cryptography in open systems interconnection (OSI) is discussed. A short tutorial introduction to public-key cryptography is followed by a discussion of how security fits into the OSI architecture, and what standards are being developed in this area. The use being made of public-key cryptography in the network layer and in the message handling system and directory application is also discussed.

Journal ArticleDOI
TL;DR: This paper describes a software authentication technique based on public-key cryptography for information integrity that can be used to verify the integrity of programs obtained from vendors or from a "trusted information database".

Journal ArticleDOI
TL;DR: The Letter points out that in the Xinmei scheme it is possible to combine valid signatures of messages into a valid signature of another message in polynomial time even when the factoring of large matrices is unknown.
Abstract: W. Xinmei proposed a digital signature scheme based on an error-correcting code. The Letter points out that in the Xinmei scheme it is possible to combine valid signatures of messages into a valid signature of another message in polynomial time, even when the factoring of large matrices is unknown. Some modifications are suggested to improve the security and performance.

Book ChapterDOI
16 Aug 1992
TL;DR: The main contribution of this paper is the introduction of a formal notion of public randomness in the context of cryptography, and it is shown how this notion affects the definition of the security of a cryptographic primitive and how much security is preserved when one cryptographic primitive is reduced to another.
Abstract: The main contribution of this paper is the introduction of a formal notion of public randomness in the context of cryptography. We show how this notion affects the definition of the security of a cryptographic primitive and the definition of how much security is preserved when one cryptographic primitive is reduced to another. Previous works considered the public random bits as a part of the input, and security was parameterized in terms of the total length of the input. We parameterize security solely in terms of the length of the private input, and treat the public random bits as a separate resource. This separation allows us to independently address the important issues of how much security is preserved by a reduction and how many public random bits are used in the reduction.To exemplify these new definitions, we present reductions from weak one-way permutations to one-way permutations with strong security preserving properties that are simpler than previously known reductions.

01 Jan 1992
TL;DR: A design procedure which is formal, in that both the network components (the substitution boxes) and the networks themselves can be proven to possess certain cryptographically desirable properties, and practical, in that new cryptosystems with efficient software/hardware implementations can easily be constructed with this method.
Abstract: The design and analysis of private key block cryptosystems has long been an area of interest to the cryptographic community. This thesis focusses on a certain class of these ciphers known as substitution-permutation networks. We describe a design procedure which is formal in that both network components (the substitution boxes) and the networks themselves can be proven to possess certain cryptographically desirable properties. Furthermore, this design procedure is practical in that new cryptosystems with efficient software/hardware implementations can easily be constructed with this method. Our results include a procedure for substitution box design which guarantees bijection, nonlinearity, satisfaction of the Strict Avalanche Criterion, and satisfaction of the Output Bit Independence Criterion. Procedures for the generation of binary bent sequences and a new lower bound on the cardinality of this set of vectors are also given. We prove the equivalence of bent functions and Boolean functions satisfying the highest order Strict Avalanche Criterion and provide a design procedure for substitution-permutation networks which uses bent functions explicitly in the component s-boxes. These networks therefore display ideal plaintext/ciphertext and key/ciphertext avalanche characteristics with respect to arbitrary input modification. We also discuss the concept of the "statistical security" of a cryptosystem and propose new methods for the statistical analysis of block ciphers.
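The S-box design criteria named in this abstract and in the earlier entry on highly nonlinear permutations, checked in an added Python example (not code from either paper): bijectivity, nonlinearity computed from the Walsh spectrum, and the Strict Avalanche Criterion. The 4-bit PRESENT S-box is public data used as a good case; the identity mapping is the constructed bad case. For an 8-bit box the same code runs, only slower.

```python
# Public 4-bit S-box of the PRESENT block cipher, used here as test data.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
# Constructed bad case: an affine (here identity) S-box.
IDENTITY_SBOX = list(range(16))


def is_bijective(sbox):
    """An n-bit to n-bit S-box must be a permutation to be invertible."""
    return sorted(sbox) == list(range(len(sbox)))


def _parity(v):
    return bin(v).count("1") & 1


def walsh(sbox, n, a, b):
    """Walsh coefficient of the component function b.S(x) at input mask a:
    sum over x of (-1)^(b.S(x) xor a.x). |W| = 2^n means it is affine."""
    return sum(1 - 2 * (_parity(b & sbox[x]) ^ _parity(a & x))
               for x in range(1 << n))


def nonlinearity(sbox, n):
    """Minimum Hamming distance from any nonzero output combination to the
    affine functions: 2^(n-1) - max|W|/2. Zero means some linear
    combination of output bits is affine in the input."""
    m = max(abs(walsh(sbox, n, a, b))
            for a in range(1 << n) for b in range(1, 1 << n))
    return (1 << (n - 1)) - m // 2


def sac_matrix(sbox, n):
    """count[i][j]: number of inputs x for which flipping input bit i flips
    output bit j. The Strict Avalanche Criterion requires every entry to be
    exactly half of the inputs, 2^(n-1)."""
    size = 1 << n
    return [[sum(((sbox[x] ^ sbox[x ^ (1 << i)]) >> j) & 1 for x in range(size))
             for j in range(n)] for i in range(n)]


def satisfies_sac(sbox, n):
    half = 1 << (n - 1)
    return all(c == half for row in sac_matrix(sbox, n) for c in row)


def report(sbox, n):
    """The three design-criteria checks in one place."""
    return {"bijective": is_bijective(sbox),
            "nonlinearity": nonlinearity(sbox, n),
            "sac": satisfies_sac(sbox, n)}


if __name__ == "__main__":
    print("PRESENT :", report(PRESENT_SBOX, 4))
    print("identity:", report(IDENTITY_SBOX, 4))
    for row in sac_matrix(IDENTITY_SBOX, 4):
        print(row)
```

The identity box passes bijectivity yet has nonlinearity 0 and a diagonal avalanche matrix (each input bit moves exactly one output bit), which is what the random-search approach to DES-sized boxes screens out and what the analytic constructions must guarantee for larger dimensions.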

Book ChapterDOI
13 Feb 1992
TL;DR: This paper presents Secure commitment, a two-party partial-information game between a “committer” and a "receiver”, in which a secure envelope is first implemented and later opened.
Abstract: Secure commitment is a primitive enabling information hiding, which is one of the most basic tools in cryptography. Specifically, it is a two-party partial-information game between a “committer” and a “receiver”, in which a secure envelope is first implemented and later opened. The committer has a bit in mind which he commits to by putting it in a “secure envelope”. The receiver cannot guess what the value is until the opening stage and the committer can not change his mind once committed.

Journal ArticleDOI
TL;DR: A version of the RSA scheme is presented with encryption exponent e ≡ 3 (mod 6) and the equivalence of decryption and factorization of R can be demonstrated.
Abstract: The RSA public-key encryption system of Rivest, Shamir, and Adleman can be broken if the modulus, R say, can be factorized. However, it is still not known if this system can be broken without factorizing R. A version of the RSA scheme is presented with encryption exponent e ≡ 3 (mod 6). For this modified version, the equivalence of decryption and factorization of R can be demonstrated.

Proceedings ArticleDOI
16 Nov 1992
TL;DR: The design strategy for high speed self-synchronizing stream ciphers as presented in Maurer (1991) is criticized and an alternative, engineering oriented design approach is given.
Abstract: The design strategy for high speed self-synchronizing stream ciphers as presented in Maurer (1991) is criticized. An alternative, engineering oriented design approach is given. To show that it can be followed in practice, an actual design is presented and motivated. This SSSC is claimed to be fast (gate delay of 2 XORs), cryptographically secure and easily implementable in hardware (standard cells).

Journal ArticleDOI
TL;DR: This work presents very efficient new zero-knowledge schemes in a general algebraic setting and discusses how this scheme can be used for identification, in particular as an electronic passport scheme.
Abstract: Secure identification is an important security issue to avoid computer fraud due to masquerading. This can be achieved with zero-knowledge based smart cards. We present very efficient new zero-knowledge schemes in a general algebraic setting. Particular cases of our scheme improve the performance of the Guillou-Quisquater and the Chaum-Evertse-van de Graaf schemes. Our scheme is formally proven and, overall, is more efficient than currently available schemes including the Fiat-Shamir scheme. As an application we discuss how our scheme can be used for identification, in particular as an electronic passport scheme.

Book ChapterDOI
24 May 1992
TL;DR: This paper proposes two novel implementation methods for the RSA cryptographic scheme and a systolic architecture useful for high-speed and efficient and flexible chip implementation of the RSA scheme.
Abstract: This paper proposes two novel implementation methods for the RSA cryptographic scheme. (1) The most efficient RSA implementation known to the present authors. This implementation achieves 50 Kbps at about 25 Kgates for a 512-bit exponent e and a 512-bit modulus N. Thus the efficiency is 2.0 bps/gate. (2) A systolic architecture useful for high-speed and efficient and flexible chip implementation of the RSA scheme.

Book
01 Jan 1992
TL;DR: This book contains the papers presented at the second conference in what has become an ongoing series of joint international conferences on cryptography and coding theory.
Abstract: Cryptography and coding theory are both rapidly evolving areas involving the application of discrete mathematics to problems in computing and electronic engineering. Such is the close relationship between both the underlying mathematics and the application domains that a joint international conference was organized in late 1986. This book contains the papers presented at the second conference in what has become an ongoing series.

Journal ArticleDOI
TL;DR: Two enhancements to a recently published hierarchical encryption key management protocol for end-to-end secure communication in internet environments are outlined, including a more reliable authentication of the principals and a modified protocol that permits the implementation of the hierarchical key management approach in the widely employed TCP/IP-based network interconnections.
Abstract: Two enhancements to a recently published hierarchical encryption key management protocol for end-to-end secure communication in internet environments are outlined. The first one concerns a more reliable authentication of the principals, which can be realized by a modification of the message structures being exchanged, while the second one concerns a modified protocol that permits the implementation of the hierarchical key management approach in the widely employed TCP/IP-based network interconnections.