
Showing papers on "Plaintext-aware encryption published in 2002"


Book ChapterDOI
02 May 2002
TL;DR: In this article, the authors present several new and fairly practical public-key encryption schemes and prove them secure against adaptive chosen ciphertext attack, and introduce a general framework that allows one to construct secure encryption schemes from language membership problems.
Abstract: We present several new and fairly practical public-key encryption schemes and prove them secure against adaptive chosen ciphertext attack. One scheme is based on Paillier's Decision Composite Residuosity assumption, while another is based on the classical Quadratic Residuosity assumption. The analysis is in the standard cryptographic model, i.e., the security of our schemes does not rely on the Random Oracle model. Moreover, we introduce a general framework that allows one to construct secure encryption schemes in a generic fashion from language membership problems that satisfy certain technical requirements. Our new schemes fit into this framework, as does the Cramer-Shoup scheme based on the Decision Diffie-Hellman assumption.

770 citations


Proceedings ArticleDOI
07 Aug 2002
TL;DR: This paper points out that CKBA is very weak against a chosen/known-plaintext attack with only one plain-image, and that its security against brute-force ciphertext-only attack is overestimated by its authors.
Abstract: The security of digital images has attracted much attention recently, and many image encryption methods have been proposed. At ISCAS 2000, a new chaotic key-based algorithm (CKBA) for image encryption was proposed. This paper points out that CKBA is very weak against the chosen/known-plaintext attack with only one plain-image, and that its security against brute-force ciphertext-only attack is overestimated by the authors. That is to say, CKBA is not secure at all from a cryptographic viewpoint. Some experiments are made to show the feasibility of the chosen/known-plaintext attack. We also discuss some remedies to the original scheme and their performance, and we find that none of them can essentially improve the security of CKBA.

294 citations


Book ChapterDOI
12 Feb 2002
TL;DR: In the trivial n-recipient public-key encryption scheme, a ciphertext is a concatenation of independently encrypted messages for n recipients; the authors present ElGamal, Cramer-Shoup and hybrid schemes whose ciphertexts are about half that length (or shorter) while the security remains almost the same as that of the underlying single-recipient scheme.
Abstract: In the trivial n-recipient public-key encryption scheme, a ciphertext is a concatenation of independently encrypted messages for n recipients. In this paper, we say that an n-recipient scheme has a "shortened ciphertext" property if the length of the ciphertext is almost a half (or less) of the trivial scheme and the security is still almost the same as the underlying single-recipient scheme. We first present (multi-plaintext, multi-recipient) schemes with the "shortened ciphertext" property for ElGamal scheme and Cramer-Shoup scheme. We next show (single-plaintext, multi-recipient) hybrid encryption schemes with the "shortened ciphertext" property.

164 citations


Journal ArticleDOI
TL;DR: One-way coupled map lattices can reach optimal trade-off of security and performance, i.e., it shows high security together with fast encryption (and decryption) speed.
Abstract: One-way coupled map lattices are used for cryptography in secure communication, based on spatiotemporal chaos synchronization. The sensitivity of synchronization between the encryption and decryption systems can be adjusted by varying the system size. With a suitable parameter combination, the cryptosystem can reach an optimal trade-off of security and performance, i.e., it shows high security (resistant against the public-structure and known-plaintext attacks) together with fast encryption (and decryption) speed. An experiment of duplex voice transmission through a university network is realized, which confirms the above advantages of our approach.

126 citations


Proceedings ArticleDOI
10 Dec 2002
TL;DR: This paper points out that BRIE (bit recirculation image encryption) is not secure enough from a strict cryptographic viewpoint, and that a known/chosen-plaintext attack can break BRIE with only one known/chosen plain-image.
Abstract: The security of digital images has attracted much attention, and many different image encryption methods have been proposed. Yen and Guo (see Proc. IEEE Workshop on Signal Processing Systems, pp. 430-437, 1999) proposed a novel image encryption algorithm called BRIE (bit recirculation image encryption). This paper points out that BRIE is not secure enough from a strict cryptographic viewpoint. It has been found that some defects exist in BRIE, and a known/chosen-plaintext attack can break BRIE with only one known/chosen plain-image. Experiments are made to verify the defects of BRIE and the feasibility of the attack.

109 citations


Journal ArticleDOI
TL;DR: This article proposes a simple cryptosystem which allows a large confidential message to be encrypted efficiently and is based on the Diffie-Hellman distribution scheme, together with the ElGamal cryptosystem.
Abstract: In practice, we usually require two cryptosystems, an asymmetric one and a symmetric one, to encrypt a large confidential message. The asymmetric cryptosystem is used to deliver secret key SK, while the symmetric cryptosystem is used to encrypt a large confidential message with the secret key SK. In this article, we propose a simple cryptosystem which allows a large confidential message to be encrypted efficiently. Our scheme is based on the Diffie-Hellman distribution scheme, together with the ElGamal cryptosystem.

89 citations


Proceedings Article
05 Aug 2002
TL;DR: It is argued that the best way to prevent all of these attacks is to insist on integrity of ciphertexts in addition to semantic security as the “proper” notion of privacy for symmetric encryption schemes.
Abstract: Vaudenay recently demonstrated side-channel attacks on a common encryption scheme, CBC Mode encryption, exploiting a "valid padding" oracle [Vau02]. Mirroring the side-channel attacks of Bleichenbacher [Ble98] and Manger [Man01] on asymmetric schemes, he showed that symmetric encryption methods are just as vulnerable to side-channel weaknesses when an adversary is able to distinguish between valid and invalid ciphertexts. Our paper demonstrates that such attacks are pervasive when the integrity of ciphertexts is not guaranteed. We first review Vaudenay's attack and give a slightly more efficient version of it. We then generalize the attack in several directions, considering various padding schemes, other symmetric encryption schemes, and other side-channels, demonstrating attacks of various strengths against each. Finally we argue that the best way to prevent all of these attacks is to insist on integrity of ciphertexts [BN00] in addition to semantic security as the "proper" notion of privacy for symmetric encryption schemes.

71 citations
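The abstract above describes two things in words: a receiver that leaks only "valid padding / invalid padding" for CBC ciphertexts, and the cure, ciphertext integrity. The following is an added example, not code from the paper or from Vaudenay; it recovers a CBC-encrypted message from a padding oracle alone and then shows the same attack failing against an encrypt-then-MAC receiver. The block cipher is an assumption: a small HMAC-SHA256 Feistel network stands in for AES so the example runs offline, which is harmless because the attack never looks inside the block cipher. The key, IV, and message are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(key, blk, decrypt=False):
    # Assumed stand-in for AES: 4-round balanced Feistel with an HMAC-SHA256 round function.
    l, r = blk[:8], blk[8:]
    if decrypt:
        l, r = r, l
    for i in (reversed(range(4)) if decrypt else range(4)):
        f = hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8]
        l, r = r, _xor(l, f)
    return r + l if decrypt else l + r

def pad(m):  # PKCS#7
    n = BLOCK - len(m) % BLOCK
    return m + bytes([n]) * n

def unpad(m):
    n = m[-1] if m else 0
    if n < 1 or n > BLOCK or m[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return m[:-n]

def cbc_encrypt(key, iv, m):
    out, prev = b"", iv
    for i in range(0, len(m), BLOCK):
        prev = _feistel(key, _xor(m[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, c):
    out, prev = b"", iv
    for i in range(0, len(c), BLOCK):
        out += _xor(_feistel(key, c[i:i + BLOCK], decrypt=True), prev)
        prev = c[i:i + BLOCK]
    return out

def make_padding_oracle(key):
    # Vulnerable receiver: reveals only whether the padding check passed (Vaudenay's side channel).
    def oracle(iv, c):
        try:
            unpad(cbc_decrypt(key, iv, c))
            return True
        except ValueError:
            return False
    return oracle

def padding_oracle_attack(oracle, iv, c):
    """Recover the padded plaintext of (iv, c) from oracle answers alone; no key involved."""
    blocks = [iv] + [c[i:i + BLOCK] for i in range(0, len(c), BLOCK)]
    plain = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # raw block-cipher decryption of target, recovered right to left
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos
            # bytes already recovered are forced to the pad value now being tested
            prefix = bytearray([0] * (pos + 1) + [inter[j] ^ padval for j in range(pos + 1, BLOCK)])
            for guess in range(256):
                prefix[pos] = guess
                if not oracle(bytes(prefix), target):
                    continue
                if pos == BLOCK - 1:
                    # a hit on the last byte can be 0x02 0x02 (or longer) instead of 0x01:
                    # disturb the byte before it and re-query to rule that out
                    alt = bytearray(prefix)
                    alt[pos - 1] ^= 0xFF
                    if not oracle(bytes(alt), target):
                        continue
                inter[pos] = guess ^ padval
                break
            else:
                raise RuntimeError("no query accepted: there is no padding side channel to exploit")
        plain += _xor(bytes(inter), prev)
    return plain

def make_authenticated_oracle(key, mac_key):
    # Hardened receiver (encrypt-then-MAC over iv||c): forged ciphertexts are rejected before
    # the padding is examined, so the attacker learns nothing about it.
    padding_ok = make_padding_oracle(key)
    def oracle(iv, c, tag):
        expected = hmac.new(mac_key, iv + c, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected) and padding_ok(iv, c)
    return oracle

def demo_unauthenticated(key, iv, msg):
    c = cbc_encrypt(key, iv, pad(msg))
    return unpad(padding_oracle_attack(make_padding_oracle(key), iv, c))

def demo_authenticated(key, mac_key, iv, msg):
    c = cbc_encrypt(key, iv, pad(msg))
    tag = hmac.new(mac_key, iv + c, hashlib.sha256).digest()
    check = make_authenticated_oracle(key, mac_key)
    try:  # the attacker replays the genuine tag with every forged (iv, c) pair
        padding_oracle_attack(lambda iv2, c2: check(iv2, c2, tag), iv, c)
        return False
    except RuntimeError:
        return True
```

Calling `demo_unauthenticated(key, iv, msg)` returns `msg` after at most 256 queries per byte (about 128 on average), which is what makes the leak practical; `demo_authenticated` returns `True` because the MAC check rejects every forged query before the padding is touched, so the oracle the attack depends on no longer exists. Note that the hardened receiver must verify the tag first and must not distinguish "bad MAC" from "bad padding" in its response or timing, otherwise a weaker version of the same channel reappears.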


Book ChapterDOI
18 Feb 2002
TL;DR: This paper proposes an efficient and provably secure transform to encrypt a message with any asymmetric one-way cryptosystem, and achieves adaptive chosen-ciphertext security in the random oracle model.
Abstract: This paper proposes an efficient and provably secure transform to encrypt a message with any asymmetric one-way cryptosystem. The resulting scheme achieves adaptive chosen-ciphertext security in the random oracle model. Compared to previously known generic constructions (Bellare, Rogaway, Fujisaki, Okamoto, and Pointcheval), our embedding reduces the encryption size and/or speeds up the decryption process. It applies to numerous cryptosystems, including (to name a few) ElGamal, RSA, Okamoto-Uchiyama and Paillier systems.

53 citations


Journal ArticleDOI
01 Nov 2002
TL;DR: In this paper, the authors present perceptual cryptography applied to MPEG Layer III compressed audio (MP3), where the inputs of the cipher are the plaintext MP3 bit-stream, encryption key and encryption percentage.
Abstract: Whereas conventional cryptography is suitable for any kind of data, it does not allow for perceptual degradation of encrypted data in multimedia-compressed formats. We present perceptual cryptography applied to MPEG Layer III compressed audio (MP3). The inputs of the cipher are the plaintext MP3 bit-stream, the encryption key and the encryption percentage. The cipher outputs an MPEG Layer III compliant bit-stream (ciphertext) that is perceptually less valuable than the original bit-stream. The original MP3 bit-stream can be recovered using the ciphertext bit-stream and the same decryption key and percentage used on encryption. An introduction to MP3 audio compression is given, followed by a description of the perceptual cipher and its applications. The paper addresses the relationship between the encryption percentage and the subjective quality.

45 citations


Book ChapterDOI
01 Jan 2002
TL;DR: It is conjectured that both these problems are difficult, and it is shown how it is possible to formally reduce the security of these systems to two well-identified algorithmic problems.
Abstract: Like RSA, the McEliece public-key cryptosystem has successfully resisted more than 20 years of cryptanalysis effort. However, despite the fact that it is faster, it was not as successful as RSA as far as applications are concerned. This is certainly due to its very large public key and probably also to the belief that the system could not be used for the design of a digital signature scheme. We present here the state of the art of the implementation and the security of the two main variants of code-based public-key encryption schemes (McEliece's and Niederreiter's) as well as the more recent signature scheme derived from them. We also show how it is possible to formally reduce the security of these systems to two well-identified algorithmic problems. The decoding attack (aimed at one particular ciphertext) is connected to the NP-complete syndrome decoding problem. The structural attack (aimed at the public key) is connected to the problem of distinguishing binary Goppa codes from random codes. We conjecture that both these problems are difficult and present some arguments to support this claim.

45 citations


Book ChapterDOI
02 May 2002
TL;DR: In this article, a family of symmetric encryption schemes is proposed which guarantees that no adversary can predict a predicate of the message m from the ciphertext of m with more than 1/n^{ω(1)} advantage; this is achieved with keys of length ℓ + ω(log n).
Abstract: We consider the symmetric encryption problem which manifests when two parties must securely transmit a message m with a short shared secret key. As we permit arbitrarily powerful adversaries, any encryption scheme must leak information about m: the mutual information between m and its ciphertext cannot be zero. Despite this, we present a family of encryption schemes which guarantee that for any message space in {0,1}^n with minimum entropy n − ℓ and for any Boolean function h : {0,1}^n → {0,1}, no adversary can predict h(m) from the ciphertext of m with more than 1/n^{ω(1)} advantage; this is achieved with keys of length ℓ + ω(log n). In general, keys of length ℓ + s yield a bound of 2^{−Ω(s)} on the advantage. These encryption schemes rely on no unproven assumptions and can be implemented efficiently.

Patent
Mark Garstin, Robert R. Gilman, Richard L. Robinson, Anwar A. Siddiqui, Mark Wutzke
04 Jan 2002
TL;DR: In this article, an S-vector is generated and the S vector is used to encrypt successive packets of plaintext, thus reducing the per packet encryption/decryption time, and a third variable is injected to eliminate the predictability of the variables, thus making the present efficient packet encryption method more secure.
Abstract: The present efficient packet encryption method decreases the computation time to encrypt and decrypt successive packets of plaintext data. An S-vector is generated and the S-vector is used to encrypt successive packets of plaintext, thus reducing the per packet encryption/decryption time. The formula for encrypting successive packets includes use of the packet sequence number with a third variable injected to eliminate the predictability of the variables, thus making the present efficient packet encryption method more secure. A fourth variable is injected into the calculations to generate an encryption stream that does not repeat as frequently to provide additional security from hackers. For encrypting a packet having a long payload of plaintext, a packet byte sequence number is used to generate an encryption stream that is less likely to repeat within a particular packet.

Book ChapterDOI
12 Feb 2002
TL;DR: In this paper, the authors consider arbitrary-length chosen-ciphertext secure asymmetric encryption, and propose two generic constructions, GEM-1 and GEM-2, which apply to fixed-length weakly secure primitives and provide a strongly secure (IND-CCA2) public-key encryption scheme for messages of arbitrary length (typically computer files).
Abstract: This paper considers arbitrary-length chosen-ciphertext secure asymmetric encryption, thus addressing what is actually needed for a practical usage of strong public-key cryptography in the real world. We put forward two generic constructions, GEM-1 and GEM-2, which apply to explicit fixed-length weakly secure primitives and provide a strongly secure (IND-CCA2) public-key encryption scheme for messages of arbitrary length (typically computer files). Our techniques optimally combine a single call to any one-way trapdoor function with repeated encryptions through some weak block cipher (a simple XOR is fine) and hash functions of fixed-length input so that a minimal number of calls to these functions is needed. Our encryption/decryption throughputs are comparable to those of standard methods (asymmetric encryption of a session key + symmetric encryption with multiple modes). In our case, however, we formally prove that our designs are secure in the strongest sense and provide complete security reductions holding in the random oracle model.

Patent
31 Jan 2002
TL;DR: In this paper, the authors propose a public-key encryption method in which the creator of a ciphertext uses the sender-side apparatus (100) to create the ciphertext (y1, y2) of a plaintext x (∈ {0, 1}^n) as y1 = f((x‖0^{k1}) ⊕ G(r)), y2 = H((x‖0^{k1}) ⊕ G(r)) ⊕ r, with respect to the published trapdoor one-way function f and the random functions G, H.
Abstract: In the public-key encryption method, the creator of a ciphertext uses the sender-side apparatus (100) to create the ciphertext (y1, y2) of a plaintext x (∈ {0, 1}^n) as y1 = f((x‖0^{k1}) ⊕ G(r)), y2 = H((x‖0^{k1}) ⊕ G(r)) ⊕ r, with respect to the published trapdoor one-way function f and the random functions G, H. Meanwhile, the receiver of the ciphertext, who has received the ciphertext by the receiver-side apparatus (200) via the communications line (300), performs the decryption processing with the use of f^{-1}, i.e., the secret key, in accordance with the steps inverse to those of the encryption processing.

Book ChapterDOI
18 Feb 2002
TL;DR: This paper shows how to securely combine a simple encryption scheme with a proof of knowledge made noninteractive with a hash function to create encryption schemes that offer security against adaptive chosen ciphertext attacks.
Abstract: To create encryption schemes that offer security against adaptive chosen ciphertext attacks, this paper shows how to securely combine a simple encryption scheme with a proof of knowledge made noninteractive with a hash function. A typical example would be combining the ElGamal encryption scheme with the Schnorr signature scheme. While the straightforward combination will fail to provide security in the random oracle model, we present a class of encryption schemes that uses a proof of knowledge where the security can be proven based on the random oracle assumption and the number theoretic assumptions. The resulting schemes are useful as any casual party can be assured of the (in)validity of the ciphertexts.

Journal ArticleDOI
A.W. Dent
TL;DR: A chosen ciphertext attack against an implementation of EPOC-2 in which it is possible to tell for what reason the decryption of a given ciphertext fails is presented.
Abstract: A chosen ciphertext attack against an implementation of EPOC-2 in which it is possible to tell for what reason the decryption of a given ciphertext fails is presented.

Posted Content
TL;DR: An elliptic curve scheme over the ring Z_{n^2} is proposed, which is efficient and semantically secure in the standard model, based on a new decisional assumption, namely the Decisional Small-x e-Multiples assumption.
Abstract: We propose an elliptic curve scheme over the ring Z_{n^2}, which is efficient and semantically secure in the standard model. There appears to be no previous elliptic curve cryptosystem based on factoring that enjoys both of these properties. The KMOV scheme has been used as an underlying primitive to obtain efficiency and probabilistic encryption. Semantic security of the scheme is based on a new decisional assumption, namely the Decisional Small-x e-Multiples assumption. Confidence in this assumption is also discussed.

01 Jan 2002
TL;DR: Three chosen-ciphertext attacks on the un-padded version of this optimized NTRU cryptosystem are given, and any one of the three attacks will recover the private key with just a few queries to the decryption machine.
Abstract: NTRU ([3]) is an efficient public-key cryptosystem proposed by Hoffstein, Pipher, and Silverman. In [4], some modifications were made to the original scheme to make the system even faster. We give three chosen-ciphertext attacks on the un-padded version of this optimized NTRU cryptosystem. Any one of the three attacks will recover the private key with just a few queries to the decryption machine.


Book ChapterDOI
Takeshi Koshiba
12 Feb 2002
TL;DR: The framework contributes to elucidating the role of randomness in public-key encryption schemes, helps in understanding the security of public-key encryption schemes, and eases the discussion of the security of practical public-key encryption schemes.
Abstract: In this paper, we consider what condition is sufficient for random inputs to secure probabilistic public-key encryption schemes. Although the framework given in [16] enables us to discuss uniformly and comprehensively the security notions of public-key encryption schemes even for the case where a cryptographically weak pseudorandom generator is used as the random nonce generator to encrypt single plaintext messages, the results are rather theoretical. Here we naturally generalize the framework in order to handle security for the situation where we want to encrypt many messages with the same key. We extend some results w.r.t. single-message security in [16] (separation results between security notions and a non-trivial sufficient condition for the equivalence between security notions) to multiple-message security. Besides the generalization, we show another separation between security notions for k-tuple messages and for (k+1)-tuple messages. The natural generalization obtained here helps in understanding the security of public-key encryption schemes and eases the discussion of the security of practical public-key encryption schemes. In other words, the framework contributes to elucidating the role of randomness in public-key encryption schemes. As an application of the results in the generalized framework, we consider compatibility between the ElGamal encryption scheme and some sequence generators. In particular, we consider the applicability of the linear congruential generator (LCG) to the ElGamal encryption scheme.

Book ChapterDOI
30 Sep 2002
TL;DR: This paper reports research on the development of an efficient public key cryptosystem that uses simple matrix operations to encrypt and decrypt messages; it is "self-sufficient" and need not be integrated with any symmetric cryptosystem.
Abstract: This paper reports research on the development of an efficient public key cryptosystem that uses simple matrix operations to encrypt and decrypt messages. The new cryptosystem has the following advantages: a) It is "self-sufficient" and need not be integrated with any symmetric cryptosystem. This new asymmetric cryptosystem is supposed to work directly on large quantities of user data and provide an average encryption/decryption speed much higher than the mixed cryptosystems currently in use; b) It is good for implementation on constrained hardware. Both encryption and decryption are performed with simple algorithms and require less computing power than existing public key cryptosystems.

Journal Article
TL;DR: In the paper, the data encryption technologies of the classical cipher algorithms (DES and RSA) in modern cryptology are introduced, and a method for encrypting Chinese characters and text is put forward.
Abstract: Data encryption is an important technological means of ensuring that network data is secure in communication. In the paper, the data encryption technologies of the classical cipher algorithms (DES and RSA) in modern cryptology are introduced. Furthermore, a method for encrypting Chinese characters and text is put forward. Finally, the process of data encryption is given by implementing this method with Visual Basic 6.0.

Journal ArticleDOI
TL;DR: The authors give a counterexample to show that the RSA-based cryptosystem with low exponent proposed by Lee and Chang is vulnerable to the low exponent attack with respect to their suggested lower bound for the size of the public encryption key.
Abstract: The authors give a counterexample to show that the RSA-based cryptosystem with low exponent proposed by Lee and Chang (Computer Communications 21 (1998)) is vulnerable to the low exponent attack with respect to their suggested lower bound for the size of the public encryption key. That is, an eavesdropper can recover the plaintext from the ciphertext without knowing the secret decryption key, even though the size of the secret decryption key is large enough. The authors also suggest a new lower bound for the size of the public encryption key for the Lee-Chang cryptosystem to enforce secrecy.

Proceedings ArticleDOI
06 Nov 2002
TL;DR: This paper shows how anyone knowing only the public key and a ciphertext can easily retrieve the corresponding message by solving the linear equation system, and proves that the proposed cryptanalysis method is very efficient for breaking Wu and Dawson's public-key cryptosystem.
Abstract: The theory of generalized inverses of matrices over finite fields has been used in cryptographic applications in recent years. Wu and Dawson (1998) proposed a public-key cryptosystem based on generalized inverses of matrices. In 2001, Sun proposed a scheme for cryptanalysing Wu and Dawson's public-key cryptosystem. However, his method is time intensive because message recovery requires the pre-computation of many plaintext and ciphertext pairs (m/sub i/, c/sub i/). This paper shows how anyone knowing only the public key and a ciphertext can easily retrieve the corresponding message by solving the linear equation system. Thus, it proves that the proposed cryptanalysis method is very efficient for breaking Wu and Dawson's public-key cryptosystem.

Journal Article
TL;DR: It is shown that a recently proposed variation of Cramer-Shoup's public key scheme is insecure against the adaptive chosen ciphertext attack, and that the proposed Zhu-Chan-Deng scheme does not satisfy the non-malleability property, even under the weakest attack model, the chosen plaintext attack.
Abstract: In this paper, we show that a recently proposed variation of Cramer-Shoup's public key scheme is insecure against the adaptive chosen ciphertext attack. Moreover, we show that the proposed scheme does not satisfy the non-malleability property, even under the weakest attack model, the chosen plaintext attack. At Crypto'98, Cramer and Shoup (1) proposed a public key cryptosystem that is provably secure against adaptive chosen ciphertext attacks. Recently, Zhu, Chan, and Deng (2) proposed a variation of Cramer and Shoup's scheme (the Zhu-Chan-Deng scheme in short) which attempts to reduce Cramer and Shoup's public key cryptosystem in terms of both the size of the ciphertext and the computation required for decryption. However, in this paper, we show that the Zhu-Chan-Deng scheme is insecure against adaptive chosen ciphertext attacks. Moreover, we also show that the Zhu-Chan-Deng scheme does not exhibit the non-malleability property, even under the weakest attack model, the chosen plaintext attack.

Journal ArticleDOI
TL;DR: The two-phase encryption model is proposed as an enhanced cipher that includes three basic encryption techniques, confusion, diffusion and product, and makes the original application system more secure, economical and practical.
Abstract: Using an enciphering technique to improve the security of an existing cryptosystem is the major purpose of this paper. We propose the "two-phase encryption model" as an enhanced cipher. It includes three basic encryption techniques: confusion, diffusion and product. The two-phase encryption model is used for user authentication and resource-sharing applications to provide a secure service. If a security system is constrained by its working environment and requires a cryptosystem that can withstand the chosen-plaintext attack, then the two-phase encryption addressed in this article can be used to enhance the security of the cryptosystem. It then suffices to use a cryptosystem that resists the known-plaintext attack in order to achieve resistance to the chosen-plaintext attack. Therefore, it makes the original application system more secure, economical and practical.