
Showing papers on "Encryption published in 1987"


Book ChapterDOI
16 Aug 1987
TL;DR: A new digital signature based only on a conventional encryption function (such as DES) is described which is as secure as the underlying encryption function -- the security does not depend on the difficulty of factoring and the high computational costs of modular arithmetic are avoided.
Abstract: A new digital signature based only on a conventional encryption function (such as DES) is described which is as secure as the underlying encryption function -- the security does not depend on the difficulty of factoring and the high computational costs of modular arithmetic are avoided. The signature system can sign an unlimited number of messages, and the signature size increases logarithmically as a function of the number of messages signed. Signature size in a 'typical' system might range from a few hundred bytes to a few kilobytes, and generation of a signature might require a few hundred to a few thousand computations of the underlying conventional encryption function.

1,509 citations


Book ChapterDOI
01 Jan 1987
TL;DR: In this paper, the authors describe the techniques employed at Oxford University to obtain a high speed implementation of the RSA encryption algorithm on an "off-the-shelf" digital signal processing chip.
Abstract: A description of the techniques employed at Oxford University to obtain a high speed implementation of the RSA encryption algorithm on an "off-the-shelf" digital signal processing chip. Using these techniques a two and a half second (average) encrypt time (for 512 bit exponent and modulus) was achieved on a first generation DSP (The Texas Instruments TMS 32010) and times below one second are achievable on second generation parts. Furthermore the techniques of algorithm development employed lead to a provably correct implementation.

545 citations


Journal ArticleDOI
TL;DR: A low-cost and simple technique for encryption of two-dimensional patterns and shapes based on the superposition of random grids is suggested and demonstrated.
Abstract: A low-cost and simple technique for encryption of two-dimensional patterns and shapes is suggested and demonstrated. The method is based on the superposition of random grids.

320 citations


Book ChapterDOI
16 Aug 1987
TL;DR: In this paper, the authors explain the lack of usefulness of the above cryptosystems in the case that messages are intended for (or are originating from) a group of people.
Abstract: Messages are frequently addressed to a group of people, e.g., board of directors. Conventional and public key systems (in the sense of Diffie and Hellman [4]) are not adapted when messages are intended for a group instead of for an individual. To deeply understand the lack of usefulness of the above cryptosystems in the case that messages are intended for (or are originating from) a group of people, let us now nevertheless attempt to use these systems. When conventional and public key systems are used to protect privacy, the legitimate receiver(s) has (have) to know the secret key to decrypt. This means that, a first solution could be, to send the message to all members of the group, e.g., using their public keys. A second is that the secret key is known to all members and that the message is sent only once. All other solutions using a conventional or public key system, are combinations of the above two solutions. We now explain briefly why these two obvious solutions are not adapted to security needs specific to the protection of information intended for groups.

315 citations


Proceedings Article
01 Jan 1987
TL;DR: In this paper, the problem of computing with encrypted data has been studied in the context of probability theory, and a framework for proving precise statements about what an encrypted instance hides and what it leaks, in an information-theoretic sense, is defined.
Abstract: We consider the problem of computing with encrypted data. Player A wishes to know the value ƒ(x) for some x but lacks the power to compute it. Player B has the power to compute ƒ and is willing to send ƒ(y) to A if she sends him y, for any y. Informally, an encryption scheme for the problem ƒ is a method by which A, using her inferior resources, can transform the cleartext instance x into an encrypted instance y, obtain ƒ(y) from B, and infer ƒ(x) from ƒ(y) in such a way that B cannot infer x from y. When such an encryption scheme exists, we say that ƒ is encryptable. The framework defined in this paper enables us to prove precise statements about what an encrypted instance hides and what it leaks, in an information-theoretic sense. Our definitions are cast in the language of probability theory and do not involve assumptions such as the intractability of factoring or the existence of one-way functions. We use our framework to describe encryption schemes for some natural problems in NP ∩ CoNP. We also consider the following generalization of encryption schemes. Player A, who is limited to probabilistic polynomial time, wishes to guess the value ƒ(x) with probability at least 1/2 + 1/|x|^c of being correct, for some constant c. Player B can compute any function and generate arbitrary probability distributions. Players A and B can interact for a polynomial number of rounds by sending polynomial-sized messages. We prove a strong negative result: there is no such generalized encryption scheme for SAT that leaks no more than the size of x (unless the polynomial hierarchy collapses at the second level).

221 citations


Patent
Stephen M. Matyas, Jonathan Oseas
03 Feb 1987
TL;DR: In this article, a cryptographic method for discouraging the copying and sharing of purchased software programs allows an encrypted program to be run on only a designated computer or, alternatively, to run on any computer but only by the user possessing a designated smart card.
Abstract: A cryptographic method for discouraging the copying and sharing of purchased software programs allows an encrypted program to be run on only a designated computer or, alternatively, to be run on any computer but only by the user possessing a designated smart card. Each program offering sold by the software vendor is encrypted with a unique file key and then written on a diskette. A user who purchases a diskette having written thereon an encrypted program must first obtain a secret password from the software vendor. This password will allow the encrypted program to be recovered at a prescribed, designated computer having a properly implemented and initialized encryption feature. The encryption feature decrypts the file key of the program from the password, and when the encrypted program is loaded at the proper computer, the program or a portion of it is automatically decrypted and written into a protected memory from which it can only be executed and not accessed for non-execution purposes. In alternative embodiments, the user is not confined to a prescribed, designated computer but may use the program on other, different computers with a smart card provided the computers have a properly implemented and initialized encryption feature that accepts the smart card. As a further modification, the cryptographic facility may support operations that enable the user to encrypt and decrypt user generated files and/or user generated programs.

219 citations


Journal ArticleDOI
TL;DR: This proposal takes an extra interaction between A and B but requires no extra interactions with the authentication server and no accurate distributed clock, something that can only itself be maintained at the cost of interactions (see for example Lamport and Melliar-Smith).
Abstract: In a paper published in 1978 (Needham & Schroeder) we presented protocols for the use of encryption for authentication in large networks of computers. Subsequently the protocols were criticised (Denning and Sacco) on the grounds that compromise of a session key and copying of an authenticator would enable an enemy to pretend indefinitely to be the originator of a secure conversation. This note discusses a solution to the issue.

205 citations


Journal ArticleDOI
TL;DR: In this article, the authors summarize basic concepts to keep the recipient and sender or at least their relationship unobservable, consider some possible implementations and necessary hierarchical extensions, and propose some suitable performance and reliability enhancements.

197 citations


Patent
28 Aug 1987
TL;DR: In this paper, the authors make a distinction between insiders and outsiders, i.e., insiders who have access to the system and outsiders who do not, and make a comparison between two types of attacks.
Abstract: A cryptographic method and apparatus are disclosed which transform a message of arbitrary length into a block of fixed length (128 bits) defined modification detection code (MDC). Although there are a large number of messages which result in the same MDC, because the MDC is a many-to-one function of the input, it is required that it is practically not feasible for an opponent to find them. In analyzing the methods, a distinction is made between two types of attacks, i.e., insiders (who have access to the system) and outsiders (who do not). The first method employs four encryption steps per DEA block and provides the higher degree of security. Coupling between the different DEA operations is provided by using the input keys also as data in two of the four encryption steps. In addition, there is cross coupling by interchanging half of the internal keys. Although this second coupling operation does not add to security in this scheme, it is mandatory in the second method, which employs only two encryption steps per DEA block to trade off security for performance. By providing key cross coupling in both schemes, an identical kernel is established for both methods. This has an implementation advantage since the first method can be achieved by applying the second method twice. The MDC, when loaded into a secure device, authorizes one and only one data set to be authenticated by the MDC, whereas methods based on message authentication codes or digital signatures involving a public key algorithm authorize a plurality of data sets to be authenticated. The MDC therefore provides for greater security control.

181 citations


Book ChapterDOI
16 Aug 1987
TL;DR: This paper presents secure and efficient realization schemes for the key predistribution system, which has been proposed by the present authors and can be applied to realize a practical enciphered electronic mailing service directed to individuals.
Abstract: To utilize the common-key encryption for the efficient message protection in a large communication network, it is desired to settle the problem of how to distribute the common keys. This paper describes a practical solution called the key predistribution system (KPS, for short), which has been proposed by the present authors. On request, the KPS quickly brings a common key to an arbitrary group of entities in a network. Using the KPS, it is quite easy to construct an enciphered one-way communication system, as well as an enciphered two-way (interactive) communication system. For example, even in a very large public network, the KPS can be applied to realize a practical enciphered electronic mailing service directed to individuals. This paper presents secure and efficient realization schemes for the KPS. This paper also discusses the security issues and the variety of applications of them.

180 citations


01 Jan 1987
TL;DR: This talk focuses on the RSA Public Key Cryptosystem, a cryptographic system in which each encryption process is governed by not one but two keys, which allows one of the keys to be made public while its inverse is kept secret, giving the systems their name.
Abstract: We are going to devote most of our attention in this talk to the RSA Public Key Cryptosystem because it not only remains unbroken but it has some other useful features for digital signatures and authentication. We will briefly mention some other methods which have been compromised to some degree, and one, McEliece's which has not, but which are still valid when both keys are kept secret and some have other features which may be useful.

Disciplines: Physical Sciences and Mathematics

Publication Details: Seberry, J, Public key cryptography, Secure Data Communications Workshop, Digest of Papers, IEEE, Melbourne, 1987, 1-17. This conference paper is available at Research Online: http://ro.uow.edu.au/infopapers/1030

PUBLIC KEY CRYPTOGRAPHY
Jennifer Seberry, University College, The University of New South Wales, Australian Defence Forces Academy, Canberra

PUBLIC KEY SYSTEMS
A public key cryptosystem is a cryptographic system in which each encryption process is governed by not one but two keys. The two keys are inverses of each other, that is to say anything encrypted with one can be decrypted with the other and vice versa. The important additional property of a public key cryptosystem is that given one of the keys, it is extremely difficult to find the other. This allows one of the keys to be made public while its inverse is kept secret, giving the systems their name. Public key cryptosystems have two very important properties.

Because it is not necessary to keep both of the keys secret, one can be made readily available, published in a phonebook for example. Anyone wanting to transmit a confidential message can encrypt it in the public key of the addressee with assurance that only the addressee will be able to read it. Just as a message encrypted in a public key can be produced by anyone but can only be read by the holder of the corresponding secret key, a message encrypted in a secret key can be read by anyone, using the corresponding public key, but could only have been produced by the holder of the secret key. This gives it the fundamental property of a signature.

Use is made of modular arithmetic. Mathematicians write the expression a ≡ b (mod m) (a is congruent to b modulo m) to denote the fact that the integer m divides exactly the difference of the integers a and b. For example, 32 ≡ -4 (mod 12). Note that if the remainder on dividing a by m is b, then a ≡ b (mod m). Hence, 5124491 ≡ 12172 (mod 21753). In fact, the remainder on dividing a by m is the only number b which is congruent to a modulo m such that 0 ≤ b < m. One very important consequence of the definition of congruence is that if p(x) is any polynomial function of x with integer coefficients, then p(a) ≡ p(b) (mod m) whenever a ≡ b (mod m).

PUBLIC KEY DISTRIBUTION SYSTEM
A public key distribution system is a mechanism which allows two people who have never had any prior secure contact to establish a secure channel "out of thin air". Public key distribution systems do not provide any signature mechanism but, at present, some are faster and more compact than public key cryptosystems which makes them better for many applications. The first practical public key distribution system makes use of the apparent difficulty of computing logarithms over a finite (Galois) field GF(q) with a prime number q of elements (the numbers {0, 1, ..., q-1} under arithmetic mod q). Let Y = a^x mod q, for 1

Proceedings Article
16 Aug 1987
TL;DR: In the public-key model as mentioned in this paper, each user has a single validated public key, and procedures proposed for this model must preserve the security of the keys, which is appropriate to those situations in which generation and validation of new keys is very costly or is otherwise limited.
Abstract: An important area of research in cryptography is the design of protocols for carrying on certain transactions in a communications network, such as playing poker or holding an election. Many of the protocols proposed in this area have required the expensive on-line generation of a large number of new keys. On the other hand, fundamental research in the traditional problems of cryptography, such as encryption and authentication, has developed the public-key model, in which each user has a single validated public key. This model is appropriate to those situations in which generation and validation of new keys is very costly or is otherwise limited. Procedures proposed for this model must preserve the security of the keys. An important question is whether flexible protocol design for a wide variety of problems is possible within the public-key model, so that the expense of generating new keys can be minimized.

Patent
01 May 1987
TL;DR: In this article, the authors proposed an encryption transformation where the results of successive encryptions do not depend on the order of encryption, so that the user-entered PIN can be verified without the need to share an encryption key between the remote and host terminals.
Abstract: An electronic funds transfer system employs a means to verify a personal identification number PE entered by the user with the correct PIN (PT) stored at the host terminal. The remote and host terminals each generate an encryption key, and encrypt PE and PT at the respective terminals. These values are transmitted to the other terminal, where they are re-encrypted using the other encryption key. The double-encrypted numbers are then compared. The user-entered PIN can thus be verified without the need to share an encryption key between the remote and host terminals. The encryption transformation is of the type where the results of successive encryptions do not depend on the order of encryption.

Proceedings Article
01 Jan 1987
TL;DR: Under the assumption that encryption functions exist, it is shown that all languages in NP possess zero-knowledge proofs and it is possible to demonstrate that a CNF formula is satisfiable without revealing any other property of the formula.
Abstract: Under the assumption that encryption functions exist, we show that all languages in NP possess zero-knowledge proofs. That is, it is possible to demonstrate that a CNF formula is satisfiable without revealing any other property of the formula. In particular, without yielding neither a satisfying assignment nor weaker properties such as whether there is a satisfying assignment in which x1=TRUE, or whether there is a satisfying assignment in which x1=x3 etc. The above result allows us to prove two fundamental theorems in the field of (two-party and multi-party) cryptographic protocols. These theorems yield automatic and efficient transformations that, given a protocol that is correct with respect to an extremely weak adversary, output a protocol correct in the most adversarial scenario. Thus, these theorems imply powerful methodologies for developing two-party and multiparty cryptographic protocols.

Journal ArticleDOI
TL;DR: A new approach for encryption models that can facilitate the processing of data that have been encrypted while the data are in an encrypted mode is developed.
Abstract: A severe problem in the processing of encrypted data is that very often, in order to perform arithmetic operations on the data, one has to convert the data back to its nonencrypted origin before performing the required operations. This paper addresses the issue of processing data that have been encrypted while the data are in an encrypted mode. It develops a new approach for encryption models that can facilitate the processing of such data. The advantages of this approach are reviewed, and a basic algorithm is developed to prove the feasibility of the approach.

Patent
Donald R. Horne
16 Oct 1987
TL;DR: In this paper, a three-key cryptographic system is used in the transmission of digitized signals to a plurality of receivers, each having a unique address number and a factory stored signature key which is a function of the address number.
Abstract: A three key cryptographic system is used in the transmission of digitized signals to a plurality of receivers, each having a unique address number and a factory stored signature key which is a function of the address number. At the transmission end, a common key is generated and used to encrypt the signals to be transmitted. The signature key is generated for each receiver unit by encrypting the address number of the unit using a secret master key. The common key is then encrypted for use by each receiver using the generated signature key for that receiver. A data stream is inserted into the horizontal blanking intervals of the composite video signal. The data stream includes the encrypted signals receivable by all receivers and addressed portions, each receivable by a different receiver, containing the encrypted common key for that receiver. The receiver decrypts the common key with the stored signature key and uses it to decrypt the signals. Only a single master key must be stored and protected.

Patent
30 Jul 1987
TL;DR: In this article, an infinitely expandable tree of signature nodes is used, where each node can be used to sign up to k subnodes, where k is an integer greater than one, and each signature used both for signing messages and for signing sub-nodes is a one time signature, which in the preferred embodiment is based on a one-way function F.
Abstract: A method of generating digital signatures for signing an infinitely expandable series of messages M_i. An infinitely expandable tree of signature nodes is used, where each node can be used to sign a message. Each node is also used to sign up to k subnodes, where k is an integer greater than one. Each signature used, both for signing messages and for signing subnodes, is a one time signature, which in the preferred embodiment is based on a one-way function F. The function F is made public. To sign a message M_i the signer selects a previously unused node (i.e., node i) from the signature tree. The message signing key at this node is then used to sign this message. The sequence of nodes from the root of the tree (i.e. node 1) to node i is then used to verify that the message signature is correct and has not been tampered with. Furthermore, this process proves that the message has not been tampered with. Advantages of the invention include the infinite expandability of the signature tree, dependable verification of messages based on the use of secure one time signatures (e.g., which may be based on one way functions), the small amount of computation required to set up a signature tree, the small amount of storage required to maintain a tree, and the ability to implement the invention using high speed conventional encryption equipment and methods.

Proceedings Article
16 Aug 1987
TL;DR: A protocol scheme which directly simulates any given computation, defined on any computational device, in a minimum-knowledge fashion, and a scheme for simulation of computation in dual (perfect) minimum-knowledge fashion are presented.
Abstract: We present a protocol scheme which directly simulates any given computation, defined on any computational device, in a minimum-knowledge fashion. We also present a scheme for simulation of computation in dual (perfect) minimum-knowledge fashion. Using the simulation protocol, we can assure that one user transfers to another user exactly the result of a given computation and nothing more. The simulation is direct and efficient; it extends, simplifies and unifies important recent results which have useful applications in cryptographic protocol design. Our technique can be used to implement several different sorts of transfer of knowledge, including: transfer of computational results, proving possession of information, proving knowledge of knowledge, gradual and adaptive revealing of information, and commitment to input values. The novelty of the simulation technique is the separation of the data encryption from the encryption of the device's structural (or control) information.

Patent
18 Mar 1987
TL;DR: In this article, an encrypted signature S representative of the information and of the identity of the holder of information is established by means of a calculation algorithm for the encryption and the compression of information to be saved.
Abstract: An encrypted signature S representative of the information and of the identity of the holder of the information is established by means of a calculation algorithm for the encryption and the compression of the information to be saved. The signature S is recorded on the medium carrying the information forming the message M. The parameters for the calculation of the signature S, one or several secret keys, are recorded on at least one inviolable carrying medium. The application is to qualitative safeguarding and protection of data, on-line or not, in data bases.

Patent
15 Oct 1987
TL;DR: In this paper, a method of cryptographically labeling electronically stored data is provided as part of a security system for personal computers, which utilizes a plurality of key streams, which are long, relatively prime-length sequences of random-like bytes.
Abstract: A method of cryptographically labeling electronically stored data is provided as part of a security system for personal computers. In protecting sensitive files of data, the labeling method utilizes a plurality of key streams, which are long, relatively prime-length sequences of random-like bytes. The key streams are related in some way to individual user and machine identifiers. Protected files of data are encrypted and decrypted by combining the key streams with the data using a reversible function, such as Exclusive OR. Each protected file has a label prefixed to it as part of the file. The label contains information necessary for encrypting and decrypting the file, controlling access to the file, and verifying integrity of the label and file. The label is permanently prefixed to the protected file but is encrypted and decrypted separately from encryption and decryption of the file.

Patent
07 Jan 1987
TL;DR: In this article, an encryption printed circuit board (PCB) for use as an add on board to a host computer includes address registers, read/write controller, and data information transceiver adapted for connection to the host computer.
Abstract: An encryption printed circuit board (PCB) for use as an add on board to a host computer includes address registers, read/write controller, and data information transceiver adapted for connection to the host computer. The address registers are connected to a memory decoder, auto-start PROM, I/O decoder and register select. The memory decoder is connected to the auto-start PROM and the I/O decoder is connected to the register select. A bus logic circuit is connected to the read/write controller, and outputs read/write signals to the data information transceiver and register select. The data information transceiver is connected to the auto-start PROM and to a plurality of data registers for receiving instructions from the auto-start PROM and inputting or receiving information from the data registers pursuant to instruction of the auto-start PROM program, and selection of the appropriate registers by the register select. A cipher processor, microprocessor, low address latch and memory, program, and buffer are connected to the data registers. The microprocessor is connected to a card reader through a card reader interface, and to an upper address decoder and the memory, program, buffer. Upon receipt of a load key instruction from the PC the microprocessor loads the key and a block of information from the input register into the cipher processor for either encryption or decryption and the processed block of information into the information output register for output to the PC upon receipt of a write instruction.

Proceedings ArticleDOI
01 Jan 1987
TL;DR: The framework defined in this paper enables us to prove precise statements about what an encrypted instance hides and what it leaks, in an information-theoretic sense, about some natural problems in NP ∩ CoNP.
Abstract: We consider the problem of computing with encrypted data. Player A wishes to know the value ƒ(x) for some x but lacks the power to compute it. Player B has the power to compute ƒ and is willing to send ƒ(y) to A if she sends him y, for any y. Informally, an encryption scheme for the problem ƒ is a method by which A, using her inferior resources, can transform the cleartext instance x into an encrypted instance y, obtain ƒ(y) from B, and infer ƒ(x) from ƒ(y) in such a way that B cannot infer x from y. When such an encryption scheme exists, we say that ƒ is encryptable. The framework defined in this paper enables us to prove precise statements about what an encrypted instance hides and what it leaks, in an information-theoretic sense. Our definitions are cast in the language of probability theory and do not involve assumptions such as the intractability of factoring or the existence of one-way functions. We use our framework to describe encryption schemes for some natural problems in NP ∩ CoNP. We also consider the following generalization of encryption schemes. Player A, who is limited to probabilistic polynomial time, wishes to guess the value ƒ(x) with probability at least 1/2 + 1/|x|^c of being correct, for some constant c. Player B can compute any function and generate arbitrary probability distributions. Players A and B can interact for a polynomial number of rounds by sending polynomial-sized messages. We prove a strong negative result: there is no such generalized encryption scheme for SAT that leaks no more than the size of x (unless the polynomial hierarchy collapses at the second level).

Journal ArticleDOI
Fred Cohen
TL;DR: This paper describes a cryptographic checksum technique for verifying the integrity of information in computer systems with no built-in protection based on the use of repeated encryption using an RSA cryptosystem as a pseudo-random number generator.

Proceedings Article
13 Apr 1987
TL;DR: This paper shows that two additive privacy homomorphisms proposed are insecure under a ciphertext only attack and the other two can be broken by a known plaintext attack and introduces the notion of an R-additive privacy homomorphism, which is essentially an additive privacy homomorphism in which only at most R messages need to be added together.
Abstract: An additive privacy homomorphism is an encryption function in which the decryption of a sum (or possibly some other operation) of ciphers is the sum of the corresponding messages. Rivest, Adleman, and Dertouzos have proposed four different additive privacy homomorphisms. In this paper, we show that two of them are insecure under a ciphertext only attack and the other two can be broken by a known plaintext attack. We also introduce the notion of an R-additive privacy homomorphism, which is essentially an additive privacy homomorphism in which only at most R messages need to be added together. We give an example of an R-additive privacy homomorphism that appears to be secure against a ciphertext only attack.

Patent
19 Jun 1987
TL;DR: In this article, an improved system for transmission of financial data includes, in preferred embodiments, an encryption key stored on a bank card and used to encrypt preselected data prior to transmission, which is then transmitted through all intermediate computers without decryption and reencryption.
Abstract: An improved system for transmission of financial data includes, in preferred embodiments, an encryption key stored on a bank card and used to encrypt preselected data prior to transmission. Encrypted data is then transmitted through all intermediate computers without decryption and reencryption. Decryption occurs only at the final destination, where the encryption key has been stored. In preferred embodiments, the encryption key is combined with a terminal identification value to provide further security.

Book Chapter
13 Apr 1987
TL;DR: A blockcipher maps each pair of plaintext and key onto a ciphertext in such a way that for every fixed key, the relationship between plaintexts and ciphertexts is one-to-one as mentioned in this paper.
Abstract: A blockcipher maps each pair of plaintext and key onto a ciphertext in such a way that for every fixed key, the relationship between plaintexts and ciphertexts is one-to-one. It is assumed that plaintexts and ciphertexts belong to a message space comprising all bit-strings (sequences of zeros and ones) of a given length; keys are taken from a key space made up of all bitstrings of a possibly different given length. A well-known blockcipher is the NBS Data Encryption Standard (DES) [6], which is the iteration of sixteen essentially equal “rounds”.

Patent
Jiyooji Tomomitsu Shima
14 Sep 1987
TL;DR: In this article, the transmitting station stores a single set of several encryption keys, each of which is for encrypting messages to all of the receiving stations; for each message that is sent for decryption in a particular receiving station, it automatically selects at random any encryption key from the single set, receives from an input terminal a control word (a series of bits that uniquely identifies the particular receiving station), and encrypts both the message and the control word with the randomly selected key.
Abstract: In a communication network, a transmitting station sends encrypted messages for selective decryption in any one of several receiving stations. To that end, the transmitting station stores a single set of several encryption keys, each of which is for encrypting messages to all of the receiving stations. Also, for each message that is sent for decryption in a particular receiving station, the transmitting station (a) automatically selects at random any encryption key from the single set, (b) receives, from an input terminal, a control word which is a series of bits that uniquely identifies the particular receiving station, (c) encrypts both the message and the control word with the randomly selected key, and (d) transmits the result of step (c) to all of the receiving stations.

Journal Article
TL;DR: A scheme is presented that shows the usefulness of the encryption approach when this is not the case and is also better suited for use in untrusted computer systems.

Patent
21 Apr 1987
TL;DR: In this article, an apparatus for controlling access to a program stored in a read-only memory is described, which includes a random number generator and an encryptor for encrypting random numbers from the generator.
Abstract: An apparatus for controlling access to a program stored in a read-only memory is described. In one embodiment, the memory includes a random number generator and an encryptor for encrypting random numbers from the generator. A second encryptor which provides identical encryption to the first encryptor is included within the system and is coupled to receive random numbers from the generator. A comparator compares the results from the first and second encryptors and if they are identical, enables the memory. The encryptors are programmable with a 64-bit key and 32-bit random numbers are used. By making the encryption process relatively slow (e.g., one second) many decades are required to break the key.

Patent
03 Sep 1987
TL;DR: In this article, a telecommunications security device for use on the communication medium includes a first and a second security unit, each arranged to be inserted into, for example, the telephone line adjacent a user device.
Abstract: A telecommunications security device for use on the communication medium includes a first and a second security unit each arranged to be inserted into for example the telephone line adjacent a user device. The units are identical and therefore either can act as a central unit for example for a computer access port with the other providing one of a set of remote units. Each unit includes a separable memory module with all the modules having a memory storing identical information. The information stored includes a plurality of pairs of random signals one of each pair providing a request signal and the other the security code. The central unit on receipt of a telephone call provides a signal requesting an ID code from the remote unit and on receipt of the ID code issues from one of the pairs the security code request signal. On matching the received code with the expected code a transmission gate is opened. The pairs are used in turn until all of the pairs have been used whereupon an indicator shows this condition. The modules can be removed and the memory re-written with fresh pairs of codes. The key includes a security logic circuit which controls access to the numbers to a fixed set of access rules allowing authentication and/or encryption and providing security against unauthorized access.