
Showing papers on "Encryption published in 2000"


Proceedings ArticleDOI
14 May 2000
TL;DR: This work describes cryptographic schemes for searching on encrypted data and provides proofs of security for the resulting cryptosystems; the algorithms are simple, fast (O(n) stream cipher and block cipher operations for a document of length n), and practical to use today.
Abstract: It is desirable to store data on data storage servers such as mail servers and file servers in encrypted form to reduce security and privacy risks. But this usually implies that one has to sacrifice functionality for security. For example, if a client wishes to retrieve only documents containing certain words, it was not previously known how to let the data storage server perform the search and answer the query, without loss of data confidentiality. We describe our cryptographic schemes for the problem of searching on encrypted data and provide proofs of security for the resulting crypto systems. Our techniques have a number of crucial advantages. They are provably secure: they provide provable secrecy for encryption, in the sense that the untrusted server cannot learn anything about the plaintext when only given the ciphertext; they provide query isolation for searches, meaning that the untrusted server cannot learn anything more about the plaintext than the search result; they provide controlled searching, so that the untrusted server cannot search for an arbitrary word without the user's authorization; they also support hidden queries, so that the user may ask the untrusted server to search for a secret word without revealing the word to the server. The algorithms presented are simple, fast (for a document of length n, the encryption and search algorithms only need O(n) stream cipher and block cipher operations), and introduce almost no space and communication overhead, and hence are practical to use today.

3,300 citations
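The per-word construction the abstract refers to, as an added example that is not the paper's own code. It follows the structure of the paper's final scheme: X_i = E(W_i) is split into L_i || R_i, a per-word key k_i = f_{k'}(L_i) is derived, T_i = S_i || F_{k_i}(S_i) is built from a pseudorandom stream block S_i, and the ciphertext is C_i = X_i xor T_i; to search, the server receives only X_w and k_w (hidden query, controlled searching) and tests whether C_i xor X_w has the form S || F_{k_w}(S). Assumptions of this example: words are padded to 16-byte blocks, the block cipher E is a 4-round Feistel network built from HMAC-SHA256, the same HMAC stands in for the PRF F, the key-derivation function f and the stream generator G, and the names Client and server_search are mine.

```python
import hashlib
import hmac
import os

BLOCK = 16         # every word W_i is padded to a fixed 16-byte block (assumption)
HALF = BLOCK // 2  # X_i = E(W_i) is split as L_i || R_i, 8 bytes each
ROUNDS = 4         # rounds of the toy Feistel cipher standing in for E


def prf(key: bytes, data: bytes, n: int = HALF) -> bytes:
    """Keyed PRF F_key(data) truncated to n bytes; HMAC-SHA256 is the stand-in."""
    return hmac.new(key, data, hashlib.sha256).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Deterministic, invertible E_key: a 4-round Feistel network over 8-byte halves."""
    l, r = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        l, r = r, xor(l, prf(key, bytes([rnd]) + r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        l, r = xor(r, prf(key, bytes([rnd]) + l)), l
    return l + r


def pad_word(word: str) -> bytes:
    raw = word.encode()[:BLOCK]
    return raw + b"\x00" * (BLOCK - len(raw))


class Client:
    """Holds the three secrets: the cipher key, k' for per-word keys, and the stream seed."""

    def __init__(self):
        self.k_enc = os.urandom(32)    # key of E
        self.k_prime = os.urandom(32)  # key of f: k_i = f_{k'}(L_i)
        self.seed = os.urandom(32)     # seed of the stream generator G

    def stream_block(self, i: int) -> bytes:
        """S_i: the i-th pseudorandom stream block."""
        return prf(self.seed, i.to_bytes(4, "big"))

    def encrypt_doc(self, words):
        cipher_blocks = []
        for i, w in enumerate(words):
            x = block_encrypt(self.k_enc, pad_word(w))  # X_i = E(W_i)
            k_i = prf(self.k_prime, x[:HALF], 32)        # k_i = f_{k'}(L_i)
            s_i = self.stream_block(i)
            t_i = s_i + prf(k_i, s_i)                    # T_i = S_i || F_{k_i}(S_i)
            cipher_blocks.append(xor(x, t_i))            # C_i = X_i xor T_i
        return cipher_blocks

    def trapdoor(self, word: str):
        """What the server gets for a search: X_w and k_w, never the word itself."""
        x = block_encrypt(self.k_enc, pad_word(word))
        return x, prf(self.k_prime, x[:HALF], 32)

    def decrypt_doc(self, cipher_blocks):
        words = []
        for i, c in enumerate(cipher_blocks):
            s_i = self.stream_block(i)
            l = xor(c[:HALF], s_i)              # L_i = left(C_i) xor S_i
            k_i = prf(self.k_prime, l, 32)      # k_i can now be rederived
            r = xor(c[HALF:], prf(k_i, s_i))    # R_i = right(C_i) xor F_{k_i}(S_i)
            plain = block_decrypt(self.k_enc, l + r)
            words.append(plain.rstrip(b"\x00").decode())
        return words


def server_search(cipher_blocks, trapdoor):
    """Untrusted server: positions i where C_i xor X_w has the form S || F_{k_w}(S)."""
    x_w, k_w = trapdoor
    hits = []
    for i, c in enumerate(cipher_blocks):
        t = xor(c, x_w)
        if hmac.compare_digest(prf(k_w, t[:HALF]), t[HALF:]):
            hits.append(i)
    return hits


if __name__ == "__main__":
    client = Client()
    doc = ["attack", "at", "dawn", "attack"]
    enc = client.encrypt_doc(doc)
    print(server_search(enc, client.trapdoor("attack")))  # [0, 3]
    print(client.decrypt_doc(enc) == doc)                  # True
```

Without k_w the server cannot test a block for any word of its own choosing, and because the query is X_w rather than the word, a server that does not hold the cipher key learns only which positions matched. The 64-bit check value gives a per-block false-positive probability of about 2^-64; the paper's scheme accepts the same trade-off between tag length and the space overhead the abstract says is almost nil.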


Patent
07 Apr 2000
TL;DR: In this article, a computer implemented online music distribution system provides for the secure delivery of audio data and related media, including text and images, over a public communications network, through multiple layers of encryption, and the cryptographic binding of purchased audio data to each specific purchaser.
Abstract: A computer implemented online music distribution system provides for the secure delivery of audio data and related media, including text and images, over a public communications network. The online music distribution system provides security through multiple layers of encryption, and the cryptographic binding of purchased audio data to each specific purchaser. The online music distribution system also provides for previewing of audio data prior to purchase. In one embodiment, the online music distribution system is a client-server system including a content manager, a delivery server, and an HTTP server, communicating with a client system including a Web browser and a media player. The content manager provides for management of media and audio content, and processing of purchase requests. The delivery server provides delivery of the purchased media data. The Web browser and HTTP server provide a communications interface over the public network between the content manager and media players. The media player provides for encryption of user personal information, and for decryption and playback of purchased media data. Security of purchased media data is enhanced in part by the use of a personal, digital passport in each media player. The digital passport contains identifying information that identifies the purchaser, along with confidential information, such as credit card number, and encryption data, such as the media player's public and private keys. The media player encryption data is used to encrypt purchased media data, which is decrypted in real time by the media player. The media player also displays confidential information, such as the purchaser's credit card number, during playback.

1,339 citations


Posted Content
TL;DR: In this paper, the authors take a critical look at the relationship between the security of cryptographic schemes in the Random Oracle Model, and the schemes that result from implementing the random oracle by so called "cryptographic hash functions".
Abstract: We take a critical look at the relationship between the security of cryptographic schemes in the Random Oracle Model, and the security of the schemes that result from implementing the random oracle by so called "cryptographic hash functions". The main result of this paper is a negative one: There exist signature and encryption schemes that are secure in the Random Oracle Model, but for which any implementation of the random oracle results in insecure schemes. In the process of devising the above schemes, we consider possible definitions for the notion of a "good implementation" of a random oracle, pointing out limitations and challenges.

1,007 citations


Journal ArticleDOI
TL;DR: The cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.
Abstract: The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. The same concept makes sense in the contexts of string commitment and zero-knowledge proofs of possession of knowledge. Nonmalleable schemes for each of these three problems are presented. The schemes do not assume a trusted center; a user need not know anything about the number or identity of other system users. Our cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.

831 citations


Journal ArticleDOI
TL;DR: This work proposes a novel solution called partial encryption, in which a secure encryption algorithm is used to encrypt only part of the compressed data, resulting in a significant reduction in encryption and decryption time.
Abstract: The increased popularity of multimedia applications places a great demand on efficient data storage and transmission techniques. Network communication, especially over a wireless network, can easily be intercepted and must be protected from eavesdroppers. Unfortunately, encryption and decryption are slow, and it is often difficult, if not impossible, to carry out real-time secure image and video communication and processing. Methods have been proposed to combine compression and encryption together to reduce the overall processing time, but they are either insecure or too computationally intensive. We propose a novel solution called partial encryption, in which a secure encryption algorithm is used to encrypt only part of the compressed data. Partial encryption is applied to several image and video compression algorithms in this paper. Only 13-27% of the output from quadtree compression algorithms is encrypted for typical images, and less than 2% is encrypted for 512×512 images compressed by the set partitioning in hierarchical trees (SPIHT) algorithm. The results are similar for video compression, resulting in a significant reduction in encryption and decryption time. The proposed partial encryption schemes are fast, secure, and do not reduce the compression performance of the underlying compression algorithm.

612 citations


Book ChapterDOI
03 Dec 2000
TL;DR: This work analyzes the security of authenticated encryption schemes designed by "generic composition," meaning making black-box use of a given symmetric encryption scheme and a given MAC, and indicates, for each composition method and each notion of security, whether the resulting scheme meets the notion assuming the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack.
Abstract: We consider two possible notions of authenticity for symmetric encryption schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them to the standard notions of privacy for symmetric encryption schemes by presenting implications and separations between all notions considered. We then analyze the security of authenticated encryption schemes designed by "generic composition," meaning making black-box use of a given symmetric encryption scheme and a given MAC. Three composition methods are considered, namely Encrypt-and-MAC plaintext, MAC-then-encrypt, and Encrypt-then-MAC. For each of these, and for each notion of security, we indicate whether or not the resulting scheme meets the notion in question assuming the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack. We provide proofs for the cases where the answer is "yes" and counter-examples for the cases where the answer is "no."

557 citations
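The three composition methods side by side, as an added example that is not the paper's code. The CPA-secure encryption is a counter-mode stream cipher built from HMAC-SHA256 with a random 16-byte nonce, the MAC is HMAC-SHA256, and, in the spirit of the paper's counterexamples, the encryption scheme appends one redundant byte that decryption ignores: that keeps it CPA-secure but lets an attacker produce a new valid ciphertext for Encrypt-and-MAC and MAC-then-encrypt (no integrity of ciphertexts) while the decrypted plaintext is unchanged (integrity of plaintexts holds). Encrypt-and-MAC additionally leaks plaintext equality through the deterministic MAC, which breaks indistinguishability. The probe functions and all names are mine.

```python
import hashlib
import hmac
import os

TAG_LEN = 32
NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a CPA-secure cipher)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc(key: bytes, m: bytes) -> bytes:
    """nonce || m xor keystream || one redundant byte that dec() ignores (the counterexample)."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + xor(m, keystream(key, nonce, len(m))) + os.urandom(1)


def dec(key: bytes, c: bytes) -> bytes:
    nonce, body = c[:NONCE_LEN], c[NONCE_LEN:-1]
    return xor(body, keystream(key, nonce, len(body)))


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_ok(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, data), tag)


# Encrypt-and-MAC: C = E(M) || MAC(M)
def eam_encrypt(ke, km, m):
    return enc(ke, m) + mac(km, m)


def eam_decrypt(ke, km, c):
    m = dec(ke, c[:-TAG_LEN])
    return m if mac_ok(km, m, c[-TAG_LEN:]) else None


# MAC-then-encrypt: C = E(M || MAC(M))
def mte_encrypt(ke, km, m):
    return enc(ke, m + mac(km, m))


def mte_decrypt(ke, km, c):
    p = dec(ke, c)
    return p[:-TAG_LEN] if mac_ok(km, p[:-TAG_LEN], p[-TAG_LEN:]) else None


# Encrypt-then-MAC: C = E(M) || MAC(E(M))
def etm_encrypt(ke, km, m):
    body = enc(ke, m)
    return body + mac(km, body)


def etm_decrypt(ke, km, c):
    body, tag = c[:-TAG_LEN], c[-TAG_LEN:]
    return dec(ke, body) if mac_ok(km, body, tag) else None


def same_tag_for_repeated_message(encrypt, ke, km, m=b"vote: yes") -> bool:
    """Two encryptions of one message: do the last TAG_LEN bytes repeat? (IND-CPA leak)"""
    return encrypt(ke, km, m)[-TAG_LEN:] == encrypt(ke, km, m)[-TAG_LEN:]


def probe_forgery(encrypt, decrypt, ke, km, m=b"transfer 10"):
    """Flip each byte of a valid ciphertext once. Returns (some forged ciphertext
    accepted -> INT-CTXT broken, accepted one decrypts to other plaintext -> INT-PTXT broken)."""
    c = encrypt(ke, km, m)
    accepted = plaintext_changed = False
    for i in range(len(c)):
        forged = c[:i] + bytes([c[i] ^ 0x01]) + c[i + 1:]
        p = decrypt(ke, km, forged)
        if p is not None:
            accepted = True
            plaintext_changed |= p != m
    return accepted, plaintext_changed
```

Running the probes with random keys reproduces the paper's table for this encryption scheme: Encrypt-and-MAC is (True, False) for forgery and leaks equality; MAC-then-encrypt is (True, False) but hides equality; Encrypt-then-MAC is (False, False) because the tag covers every byte the decryptor looks at, redundant or not.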


Book ChapterDOI
14 May 2000
TL;DR: It is proved that security in the single-user setting implies security in the multi-user setting as long as the former is interpreted in the strong sense of "indistinguishability," thereby pin-pointing many schemes guaranteed to be secure against Hastad-type attacks.
Abstract: This paper addresses the security of public-key cryptosystems in a "multi-user" setting, namely in the presence of attacks involving the encryption of related messages under different public keys, as exemplified by Hastad's classical attacks on RSA. We prove that security in the single-user setting implies security in the multi-user setting as long as the former is interpreted in the strong sense of "indistinguishability," thereby pin-pointing many schemes guaranteed to be secure against Hastad-type attacks. We then highlight the importance, in practice, of considering and improving the concrete security of the general reduction, and present such improvements for two Diffie-Hellman based schemes, namely El Gamal and Cramer-Shoup.

546 citations
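Hastad's attack on related messages, and why a randomised (indistinguishability-style) scheme is out of its reach, as an added example that is not the paper's code. With e = 3 and one message m sent to three users, the three textbook ciphertexts combine by the Chinese remainder theorem into m^3 over the integers (since m^3 < N1 N2 N3), and an integer cube root recovers m. Assumptions: toy 256-bit moduli generated with Miller-Rabin (far too small for real use), and a randomised padding that only stands in for an IND-CPA scheme: it is enough to break the CRT step, which needs identical plaintexts, but short random pads with small e are themselves attackable by Coppersmith-style methods, so it is not a secure scheme.

```python
import random
from math import gcd


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin; adequate for toy key generation in an example."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_modulus(bits: int = 256, e: int = 3) -> int:
    """Toy RSA modulus with gcd(e, phi) = 1 (256 bits: demonstration only)."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            return p * q


def textbook_encrypt(n: int, e: int, m: int) -> int:
    return pow(m, e, n)  # deterministic: the property Hastad's attack exploits


def random_pad(m: int, pad_bits: int) -> int:
    """Randomised stand-in for an IND-CPA scheme (assumption; see the lead-in)."""
    return (m << pad_bits) | random.getrandbits(pad_bits)


def crt(residues, moduli) -> int:
    total, big_n = 0, 1
    for n in moduli:
        big_n *= n
    for r, n in zip(residues, moduli):
        n_i = big_n // n
        total += r * n_i * pow(n_i, -1, n)
    return total % big_n


def icbrt(x: int) -> int:
    """Smallest y with y**3 >= x, by binary search on big ints."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo


def hastad_attack(ciphertexts, moduli):
    """Three e=3 ciphertexts of one m under coprime moduli -> m; None if the CRT
    value is not a perfect cube, i.e. the three plaintexts were not identical."""
    x = crt(ciphertexts, moduli)
    m = icbrt(x)
    return m if m ** 3 == x else None


if __name__ == "__main__":
    mods = [rsa_modulus() for _ in range(3)]
    m = int.from_bytes(b"same plaintext to 3 users", "big")
    print(hastad_attack([textbook_encrypt(n, 3, m) for n in mods], mods) == m)   # True
    print(hastad_attack([textbook_encrypt(n, 3, random_pad(m, 48)) for n in mods], mods))  # None
```

The paper's reduction says the right fix is not an ad hoc pad but any scheme that is indistinguishable in the single-user sense; the padded variant above only illustrates that the attack needs the same plaintext under every key.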


Book ChapterDOI
10 Apr 2000
TL;DR: New attacks on A5/1 are described, based on subtle flaws in the tap structure of the registers, their noninvertible clocking mechanism, and their frequent resets; after a one-time 2^48 preprocessing stage, the key can be recovered in real time on a single PC, whereas the best previously published attacks (2^40 to 2^45 steps) were within reach of hardware-based attacks by large organizations but not of software-based attacks by hackers.
Abstract: A5/1 is the strong version of the encryption algorithm used by about 130 million GSM customers in Europe to protect the over-the-air privacy of their cellular voice and data communication. The best published attacks against it require between 2^40 and 2^45 steps. This level of security makes it vulnerable to hardware-based attacks by large organizations, but not to software-based attacks on multiple targets by hackers. In this paper we describe new attacks on A5/1, which are based on subtle flaws in the tap structure of the registers, their noninvertible clocking mechanism, and their frequent resets. After a 2^48 parallelizable data preparation stage (which has to be carried out only once), the actual attacks can be carried out in real time on a single PC. The first attack requires the output of the A5/1 algorithm during the first two minutes of the conversation, and computes the key in about one second. The second attack requires the output of the A5/1 algorithm during about two seconds of the conversation, and computes the key in several minutes. The two attacks are related, but use different types of time-memory tradeoffs. The attacks were verified with actual implementations, except for the preprocessing stage which was extensively sampled rather than completely executed. REMARK: We based our attack on the version of the algorithm which was derived by reverse engineering an actual GSM telephone and published at http://www.scard.org. We would like to thank the GSM organization for graciously confirming to us the correctness of this unofficial description. In addition, we would like to stress that this paper considers the narrow issue of the cryptographic strength of A5/1, and not the broader issue of the practical security of fielded GSM systems, about which we make no claims.

508 citations


Journal ArticleDOI
TL;DR: An information security method that uses a digital holographic technique is presented: the encrypted image and the decryption key are both stored as digital holograms, the image can be electrically decrypted by use of the digital hologram of the key, and the technique provides secure storage and data transmission.
Abstract: An information security method that uses a digital holographic technique is presented. An encrypted image is stored as a digital hologram. The decryption key is also stored as a digital hologram. The encrypted image can be electrically decrypted by use of the digital hologram of the key. This security technique provides secure storage and data transmission. Experimental results are presented to demonstrate the proposed method.

476 citations


Book ChapterDOI
14 Aug 2000
TL;DR: It is confirmed that Camellia provides strong security against differential and linear cryptanalyses and at least comparable encryption speed in software and hardware.
Abstract: We present a new 128-bit block cipher called Camellia. Camellia supports 128-bit block size and 128-, 192-, and 256-bit keys, i.e., the same interface specifications as the Advanced Encryption Standard (AES). Efficiency on both software and hardware platforms is a remarkable characteristic of Camellia in addition to its high level of security. It is confirmed that Camellia provides strong security against differential and linear cryptanalyses. Compared to the AES finalists, i.e., MARS, RC6, Rijndael, Serpent, and Twofish, Camellia offers at least comparable encryption speed in software and hardware. An optimized implementation of Camellia in assembly language can encrypt on a Pentium III (800MHz) at the rate of more than 276 Mbits per second, which is much faster than the speed of an optimized DES implementation. In addition, a distinguishing feature is its small hardware design. The hardware design, which includes encryption and decryption and key schedule, occupies approximately 11K gates, which is the smallest among all existing 128-bit block ciphers as far as we know.

403 citations


Patent
15 Mar 2000
TL;DR: In this article, a black box performs decryption and encryption functions in the digital rights management (DRM) system, and a digital license corresponding to the digital content is resident in the DRM system and includes a decryption key for decrypting encrypted digital content.
Abstract: A digital rights management (DRM) system operates on a computing device when a user requests that an encrypted piece of digital content be rendered by the computer device. The computing device has an identifier. A black box performs decryption and encryption functions in the DRM system. The black box includes a key file and an executable. The key file includes at least one black box public key and is expected to include the identifier of the computing device, the black box thus being tied to the computing device by inclusion of such first identifier. A digital license corresponding to the digital content is resident in the DRM system and includes a decryption key for decrypting the encrypted digital content. The decryption key is expected to be encrypted according to a black box public key of the key file of the black box, the license thus being tied to the black box and by extension the computing device. If the identifier of the computing device is in fact different than the identifier in the key file of the black box, a different key file is produced based on the black box public key(s) of the key file and the different identifier of the computing device.

Journal Article
TL;DR: In this paper, the authors start to bridge the gap between the formal and the computational views of cryptography by providing a computational justification, in a model that considers complexity and probability, for a formal treatment of encryption.
Abstract: Two distinct, rigorous views of cryptography have developed over the years, in two mostly separate communities. One of the views relies on a simple but effective formal approach; the other, on a detailed computational model that considers issues of complexity and probability. There is an uncomfortable and interesting gap between these two approaches to cryptography. This paper starts to bridge the gap, by providing a computational justification for a formal treatment of encryption.

01 Jan 2000
TL;DR: Camellia as discussed by the authors is a new 128-bit block cipher with 128-, 192-, and 256-bit key lengths, which was designed to withstand all known cryptanalytic attacks and even to have a sufficiently large security leeway for use of the next 10-20 years.
Abstract: We present a new 128-bit block cipher called Camellia. Camellia supports 128-bit block size and 128-, 192-, and 256-bit key lengths, i.e. the same interface specifications as the Advanced Encryption Standard (AES). Camellia was carefully designed to withstand all known cryptanalytic attacks and even to have a sufficiently large security leeway for use of the next 10-20 years. There are no hidden weaknesses inserted by the designers. It was also designed to have suitability for both software and hardware implementations and to cover all possible encryption applications that range from low-cost smart cards to high-speed network systems. Compared to the AES finalists, Camellia offers at least comparable encryption speed in software and hardware. An optimized implementation of Camellia in assembly language can encrypt on a Pentium III (800MHz) at the rate of more than 276 Mbits per second, which is much faster than the speed of an optimized DES implementation. In addition, a distinguishing feature is its small hardware design. The hardware design, which includes key schedule, encryption and decryption, occupies approximately 11K gates, which is the smallest among all existing 128-bit block ciphers as far as we know. It perfectly meets current market requirements in wireless cards, for instance, where low power consumption is a mandatory condition.

Journal ArticleDOI
TL;DR: A method for optical encryption of three-dimensional (3D) information by use of digital holography is presented, using a phase-shifting interferometer and an intensity-recording device to record the Fresnel-domain phase and amplitude information of the 3D object.
Abstract: A method for optical encryption of three-dimensional (3D) information by use of digital holography is presented. A phase-shifting interferometer records the phase and amplitude information generated by a 3D object at a plane located in the Fresnel diffraction region with an intensity-recording device. Encryption is performed optically by use of the Fresnel diffraction pattern of a random phase code. Images of the 3D object with different perspectives and focused at different planes can be generated digitally or optically after decryption with the proper key. Experimental results are presented.

Book ChapterDOI
20 Feb 2000
TL;DR: The goal is to design encryption schemes for mass distribution of data in which it is possible to deter users from leaking their personal keys, trace which users leaked keys to construct an illegal decryption device, and revoke these keys so as to render the device dysfunctional.
Abstract: Our goal is to design encryption schemes for mass distribution of data in which it is possible to (1) deter users from leaking their personal keys, (2) trace which users leaked keys to construct an illegal decryption device, and (3) revoke these keys so as to render the device dysfunctional. We start by designing an efficient revocation scheme, based on secret sharing. It removes up to t parties and is secure against coalitions of size t. The performance of this scheme is more efficient than that of previous schemes with the same properties. We then show how to combine the revocation scheme with traitor tracing and self enforcement schemes. More precisely, how to construct schemes such that (1) Each user's personal key contains some sensitive information of that user (e.g., the user's credit card number), and therefore users would be reluctant to disclose their keys. (2) An illegal decryption device discloses the identity of users that contributed keys to construct the device. And, (3) it is possible to revoke the keys of corrupt users. For the last point it is important to be able to do so without publicly disclosing the sensitive information.
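How secret sharing gives "revoke up to t, secure against coalitions of size t", as an added example that is not the paper's scheme. The center picks a random degree-t polynomial over a prime field and hands each user one point of it as a personal key; a broadcast publishes exactly t points, namely the revoked users' own points padded with random ones. Any non-revoked user then holds t+1 distinct points and interpolates the session key P(0), while revoked users, even pooling everything they have, hold only the t points already in the broadcast, and t points of a degree-t polynomial are consistent with every possible value of P(0). Assumptions: the field is GF(2^127 - 1), user ids are 1..n, and this one-time variant needs a fresh polynomial for each broadcast (reusing personal keys across many broadcasts needs additional machinery that this example omits); all names are mine.

```python
import secrets

FIELD = (1 << 127) - 1  # prime field GF(p); 2^127 - 1 is a Mersenne prime (assumption for the example)


def poly_eval(coeffs, x):
    """Horner evaluation of sum(coeffs[k] * x^k) mod FIELD."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % FIELD
    return y


def lagrange_at_zero(points):
    """P(0) of the unique polynomial of degree len(points)-1 through the given points."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % FIELD
                den = den * (xi - xj) % FIELD
        secret = (secret + yi * num * pow(den, -1, FIELD)) % FIELD
    return secret


class Center:
    """Group center: random degree-t polynomial; the session key is P(0)."""

    def __init__(self, t, n_users):
        self.t, self.n_users = t, n_users
        self.coeffs = [secrets.randbelow(FIELD) for _ in range(t + 1)]
        self.key = self.coeffs[0]

    def personal_key(self, user_id):
        assert 1 <= user_id <= self.n_users
        return (user_id, poly_eval(self.coeffs, user_id))

    def broadcast(self, revoked_ids):
        """Exactly t points: the revoked users' points, padded with points at x outside the id range."""
        assert len(revoked_ids) <= self.t
        pts = [self.personal_key(u) for u in revoked_ids]
        while len(pts) < self.t:
            x = self.n_users + 1 + secrets.randbelow(FIELD - self.n_users - 1)
            pts.append((x, poly_eval(self.coeffs, x)))
        return pts


def recover_key(own_points, broadcast_points, t):
    """What one user, or a coalition pooling its personal points, can compute."""
    distinct = dict(broadcast_points)
    distinct.update(own_points)          # a revoked user's point is already in the broadcast
    if len(distinct) < t + 1:
        return None                      # only t distinct points: P(0) is undetermined
    return lagrange_at_zero(list(distinct.items())[: t + 1])


if __name__ == "__main__":
    center = Center(t=3, n_users=10)
    bc = center.broadcast(revoked_ids=[2, 7])
    print(recover_key([center.personal_key(5)], bc, 3) == center.key)   # True
    print(recover_key([center.personal_key(2), center.personal_key(7)], bc, 3))  # None
```

The broadcast is t points regardless of how many users exist, which is where the efficiency over per-user encryption comes from; the coalition bound is exactly t because a coalition that recruits one non-revoked member gains a (t+1)-th distinct point and recovers the key.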

Book ChapterDOI
20 Feb 2000
TL;DR: A distributed version of the Paillier cryptosystem presented at Eurocrypt '99 is proposed, which can be used in an electronic voting scheme or in a lottery where a random number related to the winning ticket has to be jointly chosen by all participants.
Abstract: Several public key cryptosystems with additional homomorphic properties have been proposed so far. They allow to perform computation with encrypted data without the knowledge of any secret information. In many applications, the ability to perform decryption, i.e. the knowledge of the secret key, gives a huge power. A classical way to reduce the trust in such a secret owner, and consequently to increase the security, is to share the secret between many entities in such a way that cooperation between them is necessary to decrypt. In this paper, we propose a distributed version of the Paillier cryptosystem presented at Eurocrypt '99. This shared scheme can for example be used in an electronic voting scheme or in a lottery where a random number related to the winning ticket has to be jointly chosen by all participants.
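Paillier's additive homomorphism and a simplified shared decryption, as an added example that is not the paper's scheme. Ballots are encrypted as 0 or 1, the tally is the product of the ciphertexts, and no single party can decrypt: the decryption exponent is split additively among all parties, each of which publishes only c raised to its share. Assumptions: the factors are two Mersenne primes constructed for the example (far too small for real use); the sharing is n-of-n additive over Z_{n*lambda} rather than the paper's t-of-n threshold scheme; decryption uses an exponent d with d = 0 mod lambda and d = 1 mod n so that c^d = 1 + m*n mod n^2 needs no separate mu; all names are mine.

```python
import secrets
from math import gcd

# Toy factors constructed for this example: two Mersenne primes (demonstration size only).
P_FACTOR = (1 << 61) - 1
Q_FACTOR = (1 << 89) - 1


class Paillier:
    """Public key with g = n + 1: E(m) = (1 + m n) * r^n mod n^2, additively homomorphic."""

    def __init__(self, n):
        self.n, self.n2 = n, n * n

    def encrypt(self, m, r=None):
        if r is None:
            r = secrets.randbelow(self.n - 1) + 1  # random r in Z_n^* (gcd check omitted: negligible)
        return (1 + m * self.n) % self.n2 * pow(r, self.n, self.n2) % self.n2

    def add(self, c1, c2):        # E(m1) * E(m2) = E(m1 + m2)
        return c1 * c2 % self.n2

    def mul_const(self, c, k):    # E(m)^k = E(k * m)
        return pow(c, k, self.n2)


def keygen():
    n = P_FACTOR * Q_FACTOR
    lam = (P_FACTOR - 1) * (Q_FACTOR - 1) // gcd(P_FACTOR - 1, Q_FACTOR - 1)
    d = lam * pow(lam, -1, n)     # d = 0 mod lambda, d = 1 mod n
    return Paillier(n), d, n * lam  # n*lam: exponent modulus (group order of Z_{n^2}^*) for sharing


def decrypt(pk, d, c):
    return (pow(c, d, pk.n2) - 1) // pk.n % pk.n


def share_key(d, exp_mod, parties):
    """Additive n-of-n sharing of d over Z_{exp_mod}: every share is needed to decrypt."""
    shares = [secrets.randbelow(exp_mod) for _ in range(parties - 1)]
    shares.append((d - sum(shares)) % exp_mod)
    return shares


def partial_decrypt(pk, share, c):
    return pow(c, share, pk.n2)   # each party publishes only this


def combine(pk, partials):
    prod = 1
    for s in partials:
        prod = prod * s % pk.n2   # product = c^(sum of shares) = c^d
    return (prod - 1) // pk.n % pk.n


def tally(pk, ballots):
    """Sum of encrypted 0/1 votes, computed without decrypting any single ballot."""
    total = pk.encrypt(0)
    for b in ballots:
        total = pk.add(total, b)
    return total


if __name__ == "__main__":
    pk, d, exp_mod = keygen()
    total = tally(pk, [pk.encrypt(v) for v in (1, 0, 1, 1, 0, 1)])
    shares = share_key(d, exp_mod, parties=3)
    print(combine(pk, [partial_decrypt(pk, s, total) for s in shares]))  # 4
```

The lottery use in the abstract is the same operation on different inputs: every participant encrypts a random contribution, the product of the ciphertexts encrypts their sum, and the shared decryption reveals only that sum, so no participant learns or controls the others' randomness.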

Journal ArticleDOI
TL;DR: An optical double random-phase encryption method using a joint transform correlator architecture is proposed, in which the joint power spectrum of the image to be encrypted and the key codes is recorded as the encrypted data.
Abstract: An optical double random-phase encryption method using a joint transform correlator architecture is proposed. In this method, the joint power spectrum of the image to be encrypted and the key codes is recorded as the encrypted data. Unlike the case with classical double random-phase encryption, the same key code is used to both encrypt and decrypt the data, and the conjugate key is not required. Computer simulations and optical experimental results using a photorefractive-crystal-based processor are presented. © 2000 Society of Photo-Optical Instrumentation Engineers. (S0091-3286(00)03508-X)

Patent
05 Apr 2000
TL;DR: In this article, the authors propose a process for determining whether a predetermined criterion is satisfied, setting a selective encryption status field, encrypting an unencrypted payload to generate an encrypted payload, and constructing a packet with the encrypted payload.
Abstract: Selective encryption is provided in a process which includes: determining whether a predetermined criterion is satisfied; setting a selective encryption status field (1402) if the predetermined criterion is satisfied; and encrypting an unencrypted payload to generate an encrypted payload, and constructing a packet with the encrypted payload (1406), if the predetermined criterion is satisfied. The predetermined criterion may be one of several criteria, each of which reduces the required amount of encryption and decryption while maintaining a high level of security. Renewable encryption is provided in a process which includes: copying a first encrypted digital video program from a remote server to a video source; decrypting the first encrypted digital video program using a first key to generate an unencrypted digital video program; encrypting the unencrypted digital video program using a second key to generate a second encrypted digital video program; transmitting the second encrypted digital video program from the video source to the remote server; and deleting the first encrypted digital video program from the remote server.

Journal ArticleDOI
TL;DR: In this article, the authors describe fully resilient schemes which can be used against any decoder which decrypts with non-negligible probability, while threshold tracing schemes are only used against decoders which succeed in decryption with probability greater than some threshold.
Abstract: We give cryptographic schemes that help trace the source of leaks when sensitive or proprietary data is made available to a large set of parties. A very relevant application is in the context of pay television, where only paying customers should be able to view certain programs. In this application, the programs are normally encrypted, and then the sensitive data is the decryption keys that are given to paying customers. If a pirate decoder is found, it is desirable to reveal the source of its decryption keys. We describe fully resilient schemes which can be used against any decoder which decrypts with nonnegligible probability. Since there is typically little demand for decoders which decrypt only a small fraction of the transmissions (even if it is nonnegligible), we further introduce threshold tracing schemes which can only be used against decoders which succeed in decryption with probability greater than some threshold. Threshold schemes are considerably more efficient than fully resilient schemes.

Journal ArticleDOI
TL;DR: In this paper, the authors discuss the relation between DRM and mobile e-commerce and the impact of watermarking on business models for m-commerce, and highlight the role of watermarks in digital media delivery.
Abstract: E-commerce has become a huge business and a driving factor in the development of the Internet. Online shopping services are well established and will, with the advent of evolved 2G and 3G mobile networks, soon be complemented by their wireless counterparts. Furthermore, online delivery of digital media, such as MP3 audio or video, is very popular today and will become an increasingly important part of e-commerce and mobile e-commerce (m-commerce). However, a major obstacle for digital media distribution and associated business is the possibility of unlimited consecutive copying in the digital domain, which threatens intellectual property rights (e.g., copyrights). Digital rights management systems are required to protect rights and business. DRM systems typically incorporate encryption, conditional access, copy control mechanisms, and media identification and tracing mechanisms. Watermarking is the technology used for copy control and media identification and tracing. Most proposed watermarking methods use a so-called spread spectrum approach: a pseudo-noise signal with small amplitude is added to the host signal, and later on detected using correlation methods. A secret key is used to ensure that the watermark can only be detected and removed by authorized parties. Thus, watermarking is an essential component of modern DRM systems. Several standardization bodies are involved in DRM standardization. Some examples, (MPEG-4, SDMI, and DVD), are discussed in this article. Watermarking as an enabling technology is especially highlighted. Furthermore, the relation between DRM and m-commerce, and the impact on business models for m-commerce are discussed. A common experience today is that Internet e-commerce applications cannot always easily be adapted for mobile telecommunications systems. We emphasize, however, that DRM and watermarking can benefit from the additional information available in mobile telecommunications systems, and can thus help to improve rights management for digital media delivery.

Proceedings ArticleDOI
01 Jan 2000
TL;DR: An image encryption/decryption algorithm and its VLSI architecture with low hardware cost, high computing speed, and high hardware utilization efficiency is proposed and the architecture of integrating the scheme with MPEG2 is proposed.
Abstract: In this paper, an image encryption/decryption algorithm and its VLSI architecture are proposed. According to a chaotic binary sequence, the gray level of each pixel is XORed or XNORed bit-by-bit to one of the two predetermined keys. Its features are as follows: (1) low computational complexity, (2) high security, and (3) no distortion. In order to implement the algorithm, its VLSI architecture with low hardware cost, high computing speed, and high hardware utilization efficiency is also designed. Moreover, the architecture of integrating the scheme with MPEG2 is proposed. Finally, simulation results are included to demonstrate its effectiveness.

Patent
25 Feb 2000
TL;DR: A rendering application determines that digital content is in an encrypted rights-protected form and invokes a Digital Rights Management (DRM) system which includes a license store having at least one digital license stored therein.
Abstract: A rendering application determines that digital content is in an encrypted rights-protected form and invokes a Digital Rights Management (DRM) system which includes a license store having at least one digital license stored therein. Each license corresponds to a piece of digital content and includes a decryption key (KD) for decrypting the corresponding digital content. The DRM system locates each license in the license store corresponding to the digital content to be rendered, selects one of the located licenses, obtains (KD) from the selected license, decrypts the digital content with (KD), and returns the decrypted digital content to the rendering application for actual rendering.

Journal ArticleDOI
TL;DR: It is shown that DNA steganography based on DNA binary strands is secure under the assumption that an interceptor has the same technological capabilities as sender and receiver of encrypted messages.
Abstract: Biotechnological methods can be used for cryptography. Here two different cryptographic approaches based on DNA binary strands are shown. The first approach shows how DNA binary strands can be used for steganography, a technique of encryption by information hiding, to provide rapid encryption and decryption. It is shown that DNA steganography based on DNA binary strands is secure under the assumption that an interceptor has the same technological capabilities as sender and receiver of encrypted messages. The second approach shown here is based on steganography and a method of graphical subtraction of binary gel-images. It can be used to constitute a molecular checksum and can be combined with the first approach to support encryption. DNA cryptography might become of practical relevance in the context of labelling organic and inorganic materials with DNA ‘barcodes’. © 2000 Elsevier Science Ireland Ltd. All rights reserved.

Patent
24 Mar 2000
TL;DR: In this article, data such as a musical track is stored as a secure portable track (SPT) which can be bound to one or more players and to a particular storage medium, restricting playback of the SPT to the specific players and ensuring that playback is only from the original storage medium.
Abstract: Data such as a musical track is stored as a secure portable track (SPT) which can be bound to one or more players and can be bound to a particular storage medium, restricting playback of the SPT to the specific players and ensuring that playback is only from the original storage medium. The SPT is bound to a player by encrypting data of the SPT using a storage key which is unique to the player, is difficult to change, and is held in strict secrecy by the player. The SPT is bound to a particular storage medium by including data uniquely identifying the storage medium in a tamper-resistant form, e.g., cryptographically signed. The SPT can also be bound to the storage medium by embedding cryptographic logic circuitry, e.g., integrated circuitry, in the packaging of the storage medium. The SPT is bound by encrypting an encryption key using the embedded logic. By using unique cryptographic logic, only that particular storage medium can decrypt the encryption key and, therefore, the data of the SPT encrypted with the encryption key. To allow a user to playback the SPT on a number of players, players can share storage keys with one another. Such key sharing is done in a cryptographically secure manner. Before downloading an SPT to a particular external player, the ability of the external player to enforce restrictions placed upon the SPT is verified.

Journal ArticleDOI
TL;DR: A technique that combines the high speed and the high security of optical encryption with the advantages of electronic transmission, storage, and decryption is introduced and can be adapted to encrypt either the Fraunhofer or the Fresnel diffraction pattern of the input.
Abstract: A technique that combines the high speed and the high security of optical encryption with the advantages of electronic transmission, storage, and decryption is introduced. Digital phase-shifting interferometry is used for efficient recording of phase and amplitude information with an intensity recording device. The encryption is performed by use of two random phase codes, one in the object plane and another in the Fresnel domain, providing high security in the encrypted image and a key with many degrees of freedom. We describe how our technique can be adapted to encrypt either the Fraunhofer or the Fresnel diffraction pattern of the input. Electronic decryption can be performed with a one-step fast Fourier transform reconstruction procedure. Experimental results for both systems including a lensless setup are shown.

Proceedings ArticleDOI
12 Nov 2000
TL;DR: The main results show that public-key encryption and oblivious transfer are incomparable under black-box reductions and neither oblivious transfer nor trapdoor predicates imply trapdoor permutations.
Abstract: In this paper we study the relationships among some of the most fundamental primitives and protocols in cryptography: public-key encryption (i.e. trapdoor predicates), oblivious transfer (which is equivalent to general secure multi-party computation), key agreement and trapdoor permutations. Our main results show that public-key encryption and oblivious transfer are incomparable under black-box reductions. These separations are tightly matched by our positive results where a restricted (strong) version of one primitive does imply the other primitive. We also show separations between oblivious transfer and key agreement. Finally, we conclude that neither oblivious transfer nor trapdoor predicates imply trapdoor permutations. Our techniques for showing negative results follow the oracle separations of R. Impagliazzo and S. Rudich (1989).

Book ChapterDOI
10 Apr 2000
TL;DR: This work presents definitions of a new notion of security for private-key encryption called encryption unforgeability which captures an adversary's inability to generate valid ciphertexts and presents and analyzes a new mode of encryption, RPC, which is unforgeable in the strongest sense.
Abstract: We find certain neglected issues in the study of private-key encryption schemes. For one, private-key encryption is generally held to the same standard of security as public-key encryption (i.e., indistinguishability) even though usage of the two is very different. Secondly, though the importance of secure encryption of single blocks is well known, the security of modes of encryption (used to encrypt multiple blocks) is often ignored. With this in mind, we present definitions of a new notion of security for private-key encryption called encryption unforgeability which captures an adversary's inability to generate valid ciphertexts. We show applications of this definition to authentication protocols and adaptive chosen ciphertext security. Additionally, we present and analyze a new mode of encryption, RPC (for Related Plaintext Chaining), which is unforgeable in the strongest sense of the above definition. This gives the first mode provably secure against chosen ciphertext attacks. Although RPC is slightly less efficient than, say, CBC mode (requiring about 33% more block cipher applications and having ciphertext expansion of the same amount when using a block cipher with 128-bit blocksize), it has highly parallelizable encryption and decryption operations.

Book ChapterDOI
03 Dec 2000
TL;DR: This work investigates the following approach to symmetric encryption: first encode the message via some keyless transform, and then encipher the encoded message, meaning apply a permutation FK based on a shared key K.
Abstract: We investigate the following approach to symmetric encryption: first encode the message via some keyless transform, and then encipher the encoded message, meaning apply a permutation F_K based on a shared key K. We provide conditions on the encoding functions and the cipher which ensure that the resulting encryption scheme meets strong privacy (e.g. semantic security) and/or authenticity goals. The encoding can either be implemented in a simple way (e.g. prepend a counter and append a checksum) or viewed as modeling existing redundancy or entropy already present in the messages, whereby encode-then-encipher encryption provides a way to exploit structured message spaces to achieve compact ciphertexts.
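The "prepend a counter and append a checksum, then encipher" instance from the abstract above, as an added example rather than the paper's own construction. Assumptions made here: the counter is 8 bytes, the checksum is the first 8 bytes of an unkeyed SHA-256 of the counter-prefixed message, and the length-preserving keyed permutation F_K is a four-round Feistel network whose round function is HMAC-SHA256 (standing in for a real variable-input-length cipher). The names `encode`, `encipher`, `encrypt` and their inverses are the example's own.

```python
import hashlib
import hmac

# Added illustration of encode-then-encipher, not the paper's code. Assumptions:
# 8-byte counter in front, 8-byte truncated SHA-256 checksum behind, and a 4-round
# Feistel network with HMAC-SHA256 rounds as the length-preserving permutation F_K.

COUNTER_LEN = 8
CHECK_LEN = 8
ROUNDS = 4  # must be even so both halves return to their original positions


def _round_fn(key: bytes, rnd: int, data: bytes, length: int) -> bytes:
    """Pseudorandom function of (round, data), expanded to `length` bytes."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, bytes([rnd]) + ctr.to_bytes(4, "big") + data, hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encipher(key: bytes, block: bytes) -> bytes:
    """Keyed permutation on a string of any length >= 2 bytes (unbalanced Feistel)."""
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right, len(left)))
    return left + right


def decipher(key: bytes, block: bytes) -> bytes:
    """Inverse of encipher: undo the rounds in reverse order."""
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left, len(right))), left
    return left + right


def encode(message: bytes, counter: int) -> bytes:
    """Keyless transform: prepend a counter (freshness), append a checksum (redundancy)."""
    body = counter.to_bytes(COUNTER_LEN, "big") + message
    return body + hashlib.sha256(body).digest()[:CHECK_LEN]


def decode(encoded: bytes):
    """Inverse of encode; None when the redundancy does not check out."""
    if len(encoded) < COUNTER_LEN + CHECK_LEN:
        return None
    body, check = encoded[:-CHECK_LEN], encoded[-CHECK_LEN:]
    if not hmac.compare_digest(hashlib.sha256(body).digest()[:CHECK_LEN], check):
        return None
    return int.from_bytes(body[:COUNTER_LEN], "big"), body[COUNTER_LEN:]


def encrypt(key: bytes, message: bytes, counter: int) -> bytes:
    return encipher(key, encode(message, counter))


def decrypt(key: bytes, ciphertext: bytes):
    """Returns (counter, message), or None for an altered/forged ciphertext or the wrong key."""
    return decode(decipher(key, ciphertext))
```

Nothing in `encode` is secret: privacy comes from the counter never repeating under one key, and authenticity comes from the permutation, since any ciphertext the attacker did not obtain from the sender deciphers to a pseudorandom string whose last 8 bytes match the checksum with probability about 2^-64. The ciphertext is exactly 16 bytes longer than the message, which is the "compact ciphertext" point of the paper: a message space that already carries this much structure would need no added bytes at all.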

Journal ArticleDOI
TL;DR: A new optical encryption technique using the fractional Fourier transform is proposed; to decrypt the data correctly, one must specify the fractional domains in which the input plane, encryption plane, and output plane exist, in addition to the key used for encryption.
Abstract: We propose a new optical encryption technique using the fractional Fourier transform. In this method, the data are encrypted to a stationary white noise by two statistically independent random phase masks in fractional Fourier domains. To decrypt the data correctly, one needs to specify the fractional domains in which the input plane, encryption plane, and output planes exist, in addition to the key used for encryption. The use of an anamorphic fractional Fourier transform for the encryption of two-dimensional data is also discussed. We suggest an optical implementation of the proposed idea. Results of a numerical simulation to analyze the performance of the proposed method are presented. © 2000 Society of Photo-Optical Instrumentation Engineers. (S0091-3286(00)01811-0)

Journal ArticleDOI
01 Aug 2000
TL;DR: Simulation results show that the proposed method significantly enhances security for image transmission over Internet as well as improves the transmission rate.
Abstract: Internet multimedia applications have become very popular. Valuable multimedia content such as digital images, however, is vulnerable to unauthorized access while in storage and during transmission over a network. Streaming digital images also require high network bandwidth for transmission. For effective image transmission over the Internet, therefore, both security and bandwidth issues must be considered. We present a novel scheme, which combines the discrete wavelet transform (DWT) for image compression and the block cipher Data Encryption Standard (DES) for image encryption. The simulation results indicate that our proposed method enhances the security for image transmission over the Internet as well as improves the transmission rate.