
Showing papers on "Cryptography published in 1996"


Book ChapterDOI
18 Aug 1996
TL;DR: By carefully measuring the amount of time required to perform private key operations, attackers may be able to find fixed Diffie-Hellman exponents, factor RSA keys, and break other cryptosystems.
Abstract: By carefully measuring the amount of time required to perform private key operations, attackers may be able to find fixed Diffie-Hellman exponents, factor RSA keys, and break other cryptosystems. Against a vulnerable system, the attack is computationally inexpensive and often requires only known ciphertext. Actual systems are potentially at risk, including cryptographic tokens, network-based cryptosystems, and other applications where attackers can make reasonably accurate timing measurements. Techniques for preventing the attack for RSA and Diffie-Hellman are presented. Some cryptosystems will need to be revised to protect against the attack, and new protocols and algorithms may need to incorporate measures to prevent timing attacks.

3,989 citations


Journal ArticleDOI
TL;DR: This paper examines graph-based access structures, i.e., access structures in which any qualified set of participants contains at least an edge of a given graph whose vertices represent the participants of the scheme, and provides a novel technique for realizing threshold visual cryptography schemes.
Abstract: A visual cryptography scheme for a set P of n participants is a method of encoding a secret image SI into n shadow images called shares, where each participant in P receives one share. Certain qualified subsets of participants can “visually” recover the secret image, but other, forbidden, sets of participants have no information (in an information-theoretic sense) on SI. A “visual” recovery for a set X ⊆ P consists of xeroxing the shares given to the participants in X onto transparencies, and then stacking them. The participants in a qualified set X will be able to see the secret image without any knowledge of cryptography and without performing any cryptographic computation. In this paper we propose two techniques for constructing visual cryptography schemes for general access structures. We analyze the structure of visual cryptography schemes and we prove bounds on the size of the shares distributed to the participants in the scheme. We provide a novel technique for realizing k out of n threshold visual cryptography schemes. Our construction for k out of n visual cryptography schemes is better with respect to pixel expansion than the one proposed by M. Naor and A. Shamir (Visual cryptography, in “Advances in Cryptology – Eurocrypt '94” (A. De Santis, Ed.), Lecture Notes in Computer Science, Vol. 950, pp. 1–12, Springer-Verlag, Berlin, 1995) and for the case of 2 out of n is the best possible. Finally, we consider graph-based access structures, i.e., access structures in which any qualified set of participants contains at least an edge of a given graph whose vertices represent the participants of the scheme.

639 citations


Journal ArticleDOI
TL;DR: The operations involved in computing the Montgomery product are studied, several high-speed, space-efficient algorithms for computing MonPro(a, b), and their time and space requirements are described.
Abstract: Montgomery multiplication methods constitute the core of modular exponentiation, the most popular operation for encrypting and signing digital data in public-key cryptography. In this article, we study the operations involved in computing the Montgomery product, describe several high-speed, space-efficient algorithms for computing MonPro(a, b), and analyze their time and space requirements. Our focus is to collect several alternatives for Montgomery multiplication, three of which are new. However, we do not compare the Montgomery techniques to other modular multiplication approaches.

613 citations


Patent
29 Mar 1996
TL;DR: In this article, a method and apparatus to create, distribute, sell and control access to digital documents using secure cryptographic envelopes is described, where each part encryption key is also encrypted with a public key, and these encrypted part encryption keys are also included in the envelope.
Abstract: A method and apparatus to create, distribute, sell and control access to digital documents using secure cryptographic envelopes. An envelope is an aggregation of information parts, where each of the parts to be protected is encrypted with a corresponding part encryption key. These encrypted information parts along with the other information parts become part of the envelope. Each part encryption key is also encrypted with a public key, and these encrypted part encryption keys are also included in the envelope. The envelope also includes a list of parts where each entry in the list has a part name and a secure hash of the named part. The list is then signed with a secret key to generate a signature, which is also included in the envelope. The signature can be verified using a second public key associated with the first secret key, and the integrity of any information part in the envelope can be checked by computing a second hash and comparing it with the corresponding hash in the list of parts. Also, the information content of any encrypted part can only be recovered by knowledge of a second secret key corresponding to the public key that was used to encrypt the part encryption keys.

438 citations


Patent
10 Jun 1996
TL;DR: In this paper, a portable security device is disclosed which can be carried by an individual and connected directly to telephone circuits to both authenticate that individual and encrypt data communications, which can operate as an electronic "token" to uniquely identify the user to a network, to a computer system or to an application program.
Abstract: A portable security device is disclosed which can be carried by an individual and connected directly to telephone circuits to both authenticate that individual and encrypt data communications. The invention can operate as an electronic "token" to uniquely identify the user to a network, to a computer system or to an application program. The "token" contains the complete network interface, such as a modem, which modulates the data and provides the circuitry required for direct connection to the network. Furthermore, this "token" will not permit communications to proceed until the device, and optionally the user, have been identified by the proper authentication. The token also contains all of the cryptographic processing required to protect the data using data encryption or message authentication or digital signatures or any combination thereof. Thus, the present invention provides the user with all of the communications and security equipment needed for use with personal computers and electronic notebooks and eliminates the need for any other security measures and/or devices.

429 citations


MonographDOI
01 Oct 1996
TL;DR: Introduction and philosophy Chinese remainder algorithm in modular computations in algorithmics in bridging computation in coding theory in cryptography tutorial in information theory tutorial in algebra list of mathematical symbols.
Abstract: Introduction and philosophy Chinese remainder algorithm in modular computations in algorithmics in bridging computations in coding theory in cryptography tutorial in information theory tutorial in algebra list of mathematical symbols.

383 citations


Proceedings Article
22 Jul 1996
TL;DR: SSH provides secure login, file transfer, X11, and TCP/IP connections over an untrusted network, using cryptographic authentication, automatic session encryption, and integrity protection for transferred data.
Abstract: SSH provides secure login, file transfer, X11, and TCP/IP connections over an untrusted network. It uses cryptographic authentication, automatic session encryption, and integrity protection for transferred data. RSA is used for key exchange and authentication, and symmetric algorithms (e.g., IDEA or three-key triple-DES) for encrypting transferred data. SSH is intended as a replacement for the existing rsh, rlogin, rcp, rdist, and telnet protocols. SSH is currently (March 1996) being used at thousands of sites in at least 50 countries. Its users include top universities, research laboratories, many major corporations, and numerous smaller companies and individuals. The SSH protocol can also be used as a generic transport layer encryption mechanism, providing both host authentication and user authentication, together with privacy and integrity protection.

278 citations


Posted Content
TL;DR: This paper analyzes the contrast of the reconstructed image in k out of n visual cryptography schemes and gives a complete characterization of schemes having optimal contrast and minimum pixel expansion in terms of certain balanced incomplete block designs.
Abstract: A visual cryptography scheme is a method to encode a secret image SI into shadow images called shares such that certain qualified subsets of shares enable the “visual” recovery of the secret image. The “visual” recovery consists of xeroxing the shares onto transparencies, and then stacking them. The shares of a qualified set will reveal the secret image without any cryptographic computation. In this paper we analyze the contrast of the reconstructed image in k out of n visual cryptography schemes. (In such a scheme any k shares will reveal the image, but no set of k-1 shares gives any information about the image.) In the case of 2 out of n threshold schemes we give a complete characterization of schemes having optimal contrast and minimum pixel expansion in terms of certain balanced incomplete block designs. In the case of k out of n threshold schemes with k ≥ 3 we obtain upper and lower bounds on the optimal contrast.

239 citations


Book ChapterDOI
18 Aug 1996
TL;DR: This paper presents the SETUP (Secretly Embedded Trapdoor with Universal Protection) mechanism, which can be embedded in a cryptographic black-box device, and implemented an RSA key-generation based SETUP that performs favorably when compared to PGP, a readily available RSA implementation.
Abstract: The use of cryptographic devices as "black boxes", namely trusting their internal designs, has been suggested and in fact Capstone technology is offered as a next generation hardware-protected escrow encryption technology. Software cryptographic servers and programs are being offered as well, for use as library functions, as cryptography gets more and more prevalent in computing environments. The question we address in this paper is how the usage of cryptography as a black box exposes users to various threats and attacks that are undetectable in a black-box environment. We present the SETUP (Secretly Embedded Trapdoor with Universal Protection) mechanism, which can be embedded in a cryptographic black-box device. It enables an attacker (the manufacturer) to get the user's secret (from some stage of the output process of the device) in an unnoticeable fashion, yet protects against attacks by others and against reverse engineering (thus, maintaining the relative advantage of the actual attacker). We also show how the SETUP can, in fact, be employed for the design of "auto-escrowing key" systems. We present embeddings of SETUPs in RSA, El-Gamal, DSA, and private key systems (Kerberos). We implemented an RSA key-generation based SETUP that performs favorably when compared to PGP, a readily available RSA implementation. We also relate message-based SETUPs and subliminal channel attacks. Finally, we reflect on the potential implications of "trust management" in the context of the design and production of cryptosystems.

227 citations


Journal ArticleDOI
TL;DR: The purpose of this paper is to show that the message recovery feature is independent of the choice of the signature equation and that all ElGamal-type schemes have variants giving message recovery, and that with DLP-based schemes the same functionality as with RSA can be obtained.
Abstract: The new signature scheme presented by the authors in [13] is the first signature scheme based on the discrete logarithm problem that gives message recovery. The purpose of this paper is to show that the message recovery feature is independent of the choice of the signature equation and that all ElGamal-type schemes have variants giving message recovery. For each of the six basic ElGamal-type signature equations five variants are presented with different properties regarding message recovery, length of commitment and strong equivalence. Moreover, the six basic signature schemes have different properties regarding security and implementation. It turns out that the scheme proposed in [13] is the only inversionless scheme whereas the message recovery variant of the DSA requires the computation of inverses in both generation and verification of signatures. In general, message recovery variants can be given for ElGamal-type signature schemes over any group with a large cyclic subgroup, such as the multiplicative group of GF(2^n) or an elliptic curve over a finite field. The present paper also shows how to integrate the DLP-based message recovery schemes with secret session key establishment and ElGamal encryption. In particular, it is shown that with DLP-based schemes the same functionality as with RSA can be obtained. However, the schemes are not as elegant as RSA in the sense that the signature (verification) function cannot at the same time be used as the decipherment (encipherment) function.

208 citations


Proceedings ArticleDOI
06 May 1996
TL;DR: The idea of Cryptovirology is presented, which employs a twist on cryptography, showing that it can be used offensively to mount extortion based attacks that cause loss of access to information, loss of confidentiality, and information leakage, tasks which cryptography typically prevents.
Abstract: Traditionally, cryptography and its applications are defensive in nature, and provide privacy, authentication, and security to users. In this paper we present the idea of “Cryptovirology” which employs a twist on cryptography, showing that it can also be used offensively. By being offensive we mean that it can be used to mount extortion based attacks that cause loss of access to information, loss of confidentiality, and information leakage, tasks which cryptography typically prevents. In this paper we analyze potential threats and attacks that rogue use of cryptography can cause when combined with rogue software (viruses, Trojan horses), and demonstrate them experimentally by presenting an implementation of a “cryptovirus” that we have tested (we took careful precautions in the process to insure that the virus remained contained). Public-key cryptography is essential to the attacks that we demonstrate (which we call “cryptovirological attacks”). We also suggest countermeasures and mechanisms to cope with and prevent such attacks. These attacks have implications on how the use of cryptographic tools should be managed and audited in general purpose computing environments, and imply that access to cryptographic tools should be well controlled. The experimental virus demonstrates how cryptographic packages can be condensed into a small space, which may have independent applications (e.g., cryptographic module design in small mobile devices).

Journal ArticleDOI
TL;DR: This paper proposes a new identification scheme, based on error-correcting codes, which is zero-knowledge and seems of practical value, and describes several variants, including one which has an identity-based character.
Abstract: The present paper investigates the possibility of designing zero-knowledge identification schemes based on hard problems from coding theory. Zero-knowledge proofs were introduced by Goldwasser, Micali, and Rackoff (1985). Their practical significance was soon demonstrated in the work of Fiat and Shamir [1986], who turned zero-knowledge proofs of quadratic residuosity into efficient means of establishing user identities. In the present paper, we propose a new identification scheme, based on error-correcting codes, which is zero-knowledge and seems of practical value. Furthermore, we describe several variants, including one which has an identity-based character. The security of our schemes depends on the hardness of finding a word of given syndrome and prescribed (small) weight with respect to some randomly generated binary linear error-correcting code. This is, of course, not the first attempt to design a cryptographic scheme using tools from coding theory. The difference is that identification protocols do not follow the public key paradigm based on trap-door functions and described in the seminal Diffie-Hellman paper [1976]. Rather, they only require one-way functions, which opens the way to using, in a rather direct manner, simple combinatorial problems of the kind provided by coding theory. The resulting schemes compare favorably to their number-theoretic analogs.

Book ChapterDOI
03 Nov 1996
TL;DR: Cryptography has been instrumental in reducing the involvement of over-head third parties in protocols.
Abstract: Cryptography has been instrumental in reducing the involvement of over-head third parties in protocols. For example, a digital signature scheme assures a recipient that a judge who is not present at message transmission will nevertheless approve the validity of the signature. Similarly, in off-line electronic cash the bank (which is off-line during a purchase) is assured that if a user double spends he will be traced.

Journal ArticleDOI
TL;DR: A formal model for video data is developed and it is shown how spatial data structures, suitably modified, provide an elegant way of storing such data.
Abstract: We describe how video data can be organized and structured so as to facilitate efficient querying. We develop a formal model for video data and show how spatial data structures, suitably modified, provide an elegant way of storing such data. We develop algorithms to process various kinds of video queries and show that, in most cases, the complexity of these algorithms is linear. A prototype system, called the Advanced Video Information System (AVIS), based on these concepts, has been designed at the University of Maryland.

Book ChapterDOI
18 Aug 1996
TL;DR: The results show that any algebraically homomorphic cryptosystem can be broken in sub-exponential time and it is proved that manipulating black box fields over the rationals is as hard as factoring integers.
Abstract: We introduce the notion of a black box field and present several algorithms for manipulating such fields. Black box fields arise naturally in cryptography and our algorithms have several cryptographic implications. First, our results show that any algebraically homomorphic cryptosystem can be broken in sub-exponential time. The existence of such cryptosystems was posed as an open problem in [12]. Second we show that over elliptic (or hyperelliptic) curves the hardness of computing discrete-log implies the security of the Diffie-Hellman protocol. This provable security of the Diffie-Hellman protocol over elliptic curves demonstrates an additional advantage of elliptic curve cryptosystems over conventional ones. Finally, we prove that manipulating black box fields over the rationals is as hard as factoring integers.

Proceedings ArticleDOI
06 May 1996
TL;DR: It is argued that encryption should not be used as a general primitive as it does not capture the specific purpose for using a cryptographic function in a particular protocol.
Abstract: The design of authentication protocols has proven to be surprisingly error-prone. We suggest that this is partly due to a language problem. The objectives of entity authentication are usually given in terms of human encounters while we actually implement message passing protocols. We propose various translations of the high-level objectives into a language appropriate for communication protocols. In addition, protocols are often specified at too low a level of abstraction. We argue that encryption should not be used as a general primitive as it does not capture the specific purpose for using a cryptographic function in a particular protocol.

Book ChapterDOI
08 Jul 1996
TL;DR: A visual cryptography scheme for a set P of n participants is a method to encode a secret image SI into n images in such a way that any participant in P receives one image and only qualified subsets of participants can “visually” recover the secret image.
Abstract: A visual cryptography scheme for a set P of n participants is a method to encode a secret image SI into n images in such a way that any participant in P receives one image and only qualified subsets of participants can “visually” recover the secret image, but non-qualified sets of participants have no information, in an information theoretical sense, on SI. A “visual” recovery for a set X ⊆ P consists of stacking together the images associated to participants in X. The participants in a qualified set X will be able to see the secret image without any knowledge of cryptography and without performing any cryptographic computation.

Book ChapterDOI
01 Nov 1996
TL;DR: A new proposal for a trapdoor one-way function, from which the security of the new construction is based on the conjectured computational difficulty of lattice-reduction problems, providing a possible alternative to existing public-key encryption algorithms and digital signatures such as RSA and DSS.
Abstract: We present a new proposal for a trapdoor one-way function, from which we derive public-key encryption and digital signatures. The security of the new construction is based on the conjectured computational difficulty of lattice-reduction problems, providing a possible alternative to existing public-key encryption algorithms and digital signatures such as RSA and DSS.

Book ChapterDOI
10 Apr 1996
TL;DR: The approach is to use a two-party key distribution system as an underlying cryptographic primitive and extend it to a conference system.
Abstract: Key distribution is a major cryptographic component for secure communication. For privacy data must be encrypted with keys which are distributed securely. In this paper we focus on conference key distribution. Our approach is to use a two-party key distribution system as an underlying cryptographic primitive and extend it to a conference system.

Book ChapterDOI
30 May 1996
TL;DR: How computer based steganography works is described and a summary on the results of the implementation is given.
Abstract: In the future, messages, e.g. speech, text or pictures, will be transmitted digitally since this is cheaper, more perfect and more flexible. It is possible to hide messages, which are of necessity much shorter, nearly unrecognizable for outsiders in such digitized messages. In this article we describe how computer based steganography works and give a summary on the results of our implementation.

Patent
18 Jul 1996
TL;DR: In this paper, the authors propose a method and system for selectively interconnecting a plurality of computers (112,114) over an open public network (120,102,122), such as the INTERNET, that provides a private secure computer exchange of EDI interchange communications between a sender computer and a recipient computer.
Abstract: A method and system for selectively interconnecting a plurality of computers (112,114) over an open public network (120,102,122), such as the INTERNET, provides a private secure computer exchange of EDI interchange communications between a sender computer (112) and a recipient computer (114), each of which has an associated public key and an associated private key, such as in an RSA type cryptographic communication system (100). The associated EDI acknowledgement message, such as the AUTACK, is used to provide secure authentication and non-repudiation of both origin and receipt of the secure private EDI interchange communications transmitted over the open public network (120,102,122) with the AUTACK transmitted from the sender computer (112) being digitally signed with the sender's private key, and with the reply AUTACK transmitted from the recipient computer (114) being digitally signed with the recipient's private key. The respective digitally signed AUTACKs are decrypted after receipt by using the public key associated with the private key used to provide the digital signature. The transmitted AUTACK from the sender computer (112) includes an MD5 for the entire EDI interchange as well as an MD5 of the AUTACK, with the AUTACK, thus, being used to provide the digital signature. The reply AUTACK from the recipient computer (114) includes an MD5 of the reply AUTACK. The ability to conduct business over the network (120,102,122) is controlled by private trading partner agreement communications which provide key certification.

Patent
01 Apr 1996
TL;DR: In this article, the authors present a key management system for key generation, key installation, key verification, and validation of information transaction systems, which consists of a plurality of functionally distinct secure boxes operatively coupled to each other.
Abstract: A Key Management System for generating, distributing and managing cryptographic keys used by an information transaction system that employs cryptographic means to produce evidence of information integrity. The system comprises a plurality of functionally distinct secure boxes operatively coupled to each other. Each of the secure boxes performs functions for key generation, key installation, key verification or validation of tokens. Computers, operatively coupled to the secure boxes, provide system control and facilitate communication among the secure boxes. A plurality of separate logical security domains provide domain processes for key generation, key installation, key verification and validation of tokens produced by the transaction evidencing device within the domain using the key management functions. A plurality of domain archives, corresponding respectively to each of the security domains, securely and reliably record key status records and master keys for each domain. The Key Management System installs the master keys in the transaction evidencing device and validates the tokens. The secure boxes include a key generation box for generating, encrypting and signing a master key; a key installation box for receiving, verifying and decrypting the signed master key and for installing the master key into the transaction evidencing device; a key verification box for verifying the installation of the master key in the transaction evidencing device, a token verification box for verifying the tokens, and at least one manufacturing box for generating domain keys and distributing the domain keys among the secure boxes for each of the domains.

Journal ArticleDOI
TL;DR: This work establishes a connection between secure distributed computation and group-oriented cryptography, i.e., cryptographic methods in which subsets of individuals can act jointly as single agents with useful algebraic properties.
Abstract: This paper addresses the message complexity of secure computation in the (passive adversary) privacy setting. We show that O(nC) encrypted bits of communication suffice for n parties to evaluate any boolean circuit of size C privately, under a specific cryptographic assumption. This work establishes a connection between secure distributed computation and group-oriented cryptography, i.e., cryptographic methods in which subsets of individuals can act jointly as single agents. Our secure computation protocol relies on a new group-oriented probabilistic public-key encryption scheme with useful algebraic properties.

Proceedings ArticleDOI
25 Mar 1996
TL;DR: It is shown that video streams can also be encrypted and decrypted while satisfying the real-time requirements of the present-day Internet, as well as longer dependencies between MPEG frames.
Abstract: Conventional cryptography deals with the encryption and decryption of traditional textual data. The advent of networked multimedia systems will make continuous media streams, such as real-time audio and video, increasingly pervasive in future computing and communications environments. It is thus important to secure networked continuous media from potential eavesdroppers. We consider the process of real-time encryption and decryption for video streams. We implement a software-only security-enhanced MPEG player. The security-enhanced player implements a protection hierarchy by specializing the encryption scheme based on MPEG's coding sequences. Encryption may be performed on only I frames (intra-frames), on I and P frames (forward predicted frames), or on all I, P and B frames (bidirectional predicted frames). Increased protection incurs more overhead as more encryption is done. Our security-enhanced MPEG player incurs small average overheads in terms of achievable frame rate compared with the unmodified MPEG player depending on the MPEG frame size, encoding format and encryption method used, with speeds fast enough for most multimedia Internet applications. This is demonstrated by its integration with Vosaic, a real-time multimedia WWW browser. We also observe that increased compression actually results in less cryptographic overhead, due to the fact that more compression means less data, as well as longer dependencies between MPEG frames. Our work shows that video streams can also be encrypted and decrypted while satisfying the real-time requirements of the present-day Internet.

Book ChapterDOI
03 Nov 1996
TL;DR: It is pointed out that a multisignature scheme is vulnerable to universal forgery by an insider attacker under reasonable assumptions and it can't be guaranteed that a signer can decide with whom he is going to sign a message.
Abstract: Multiparty cryptography is an important topic in contemporary cryptography. In this paper we examine the security of some multiparty signature schemes. In particular, we point out that a multisignature scheme is vulnerable to universal forgery by an insider attacker under reasonable assumptions. This attack can be applied to some generalizations as well. Then we present a universal forgery attack on two threshold group signature schemes with anonymous signers. Furthermore, we show that in two threshold multisignature schemes it can't be guaranteed that a signer can decide with whom he is going to sign a message. All attacks have in common that the protocol is disrupted. Thus they are not undetectable. However, as they can only be detected afterwards and knowledge leaked by protocol disruptions must be useless, such attacks are not acceptable in general and must be avoided. Finally, we suggest some heuristic fixes.

Book ChapterDOI
Matt Blaze
21 Feb 1996
TL;DR: RKEP works with any conventional block cipher and requires only standard ECB mode block cipher operations on the smartcard, permitting its implementation with off-the-shelf components and there is no storage overhead.
Abstract: This paper describes a simple protocol, the Remotely Keyed Encryption Protocol (RKEP), that enables a secure, but bandwidth-limited, cryptographic smartcard to function as a high-bandwidth secret-key encryption and decryption engine for an insecure, but fast, host processor. The host processor assumes most of the computational and bandwidth burden of each cryptographic operation without ever learning the secret key stored on the card. By varying the parameters of the protocol, arbitrary size blocks can be processed by the host with only a single small message exchange with the card and minimal card computation. RKEP works with any conventional block cipher and requires only standard ECB mode block cipher operations on the smartcard, permitting its implementation with off-the-shelf components. There is no storage overhead. Computational overhead is minimal, and includes the calculation of a cryptographic hash function as well as a conventional cipher function on the host processor.

Journal ArticleDOI
TL;DR: A simplified version of the Data Encryption Standard algorithm with all parameters reduced as much as possible is presented, which makes the inner workings of the algorithm accessible to undergraduates.
Abstract: In this paper we describe a method of teaching the Data Encryption Standard algorithm in an undergraduate cryptology course. We present a simplified version of the Data Encryption Standard algorithm with all parameters reduced as much as possible. This makes the inner workings of the algorithm accessible to undergraduates. Once the simplified algorithm has been explained to a class, it is easier to explain the real one. We suggest class discussions and homework based on this simplified algorithm.

Proceedings ArticleDOI
19 Aug 1996
TL;DR: A new bit-serial/parallel finite field multiplier is presented with standard basis representation; it has fewer transistors, a smaller critical path and consumes less power compared to the existing semi-systolic architecture.
Abstract: Finite fields have received a lot of attention due to their widespread applications in cryptography, coding theory, etc. Design of efficient finite field arithmetic architectures is very important and of great practical concern. In this paper, a new bit-serial/parallel finite field multiplier is presented with standard basis representation. This design is regular and well suited for VLSI implementation. As compared to existing serial/parallel finite field multipliers, it has a smaller critical path, lower latency and can be easily pipelined. When it is used as a building block for large systems, it can achieve more savings in hardware in the broadcast structures by utilizing a sub-structure sharing technique. This paper also presents two generalized algorithms for finite field serial/parallel multiplication. They can be used to derive efficient bit-parallel, digit-serial or bit-serial multiplication architectures. The optimal primitive polynomials over GF(2^m) (for 2 ≤ m ≤ 9) are provided which will generate structures with minimum hardware complexity and relatively more flexibility for feasible digit sizes with respect to the proposed algorithms. Finally a multiplier over GF(2^8) is given as an example showing how to derive finite field multipliers using the proposed algorithms. This multiplier has fewer transistors, a smaller critical path and consumes less power compared to the existing semi-systolic architecture.

Proceedings ArticleDOI
10 Mar 1996
TL;DR: A Higher Order Logic (HOL) theory formalizing an extended version of the Gong, Needham, Yahalom belief logic, a theory used by software that automatically proves authentication properties of cryptographic protocols.
Abstract: This paper describes a Higher Order Logic (HOL) theory formalizing an extended version of the Gong, Needham, Yahalom (GNY) belief logic, a theory used by software that automatically proves authentication properties of cryptographic protocols. The theory's extensions to the GNY logic include being able to specify protocol properties at intermediate stages and being able to specify protocols that use multiple encryption and hash operations, message authentication codes, computed values (e.g., hash codes) as keys, and key-exchange algorithms.

Proceedings Article
22 Jul 1996
TL;DR: This paper presents five compliance defects that are inherent in public-key cryptography; these defects make public-key cryptography more suitable for server-to-server security than for desktop applications.
Abstract: Public-key cryptography has low infrastructural overhead because public-key users bear a substantial but hidden administrative burden. A public-key security system trusts its users to validate each others' public keys rigorously and to manage their own private keys securely. Both tasks are hard to do well, but public-key security systems lack a centralized infrastructure for enforcing users' discipline. A compliance defect in a cryptosystem is such a rule of operation that is both difficult to follow and unenforceable. This paper presents five compliance defects that are inherent in public-key cryptography; these defects make public-key cryptography more suitable for server-to-server security than for desktop applications.