Similar literature (20 results)
1.
We know that trapdoor permutations can be used to construct all kinds of basic cryptographic primitives, including trapdoor functions, public-key encryption, private information retrieval, oblivious transfer, key agreement, and those known to be equivalent to one-way functions such as digital signature, private-key encryption, bit commitment, pseudo-random generator and pseudo-random functions. On the other hand, trapdoor functions are not as powerful as trapdoor permutations, so the structural property of permutations seems to be something special that deserves a more careful study. In this paper we investigate the relationships between one-way permutations and all these basic cryptographic primitives. Following previous works, we focus on an important type of reductions called black-box reductions. We prove that no such reductions exist from one-way permutations to either trapdoor functions or private information retrieval. Together with previous results, all the relationships with one-way permutations have now been established, and we know that no such reductions exist from one-way permutations to any of these primitives except trapdoor permutations. This may have the following meaning, with respect to black-box reductions. We know that one-way permutations imply none of the primitives in "public cryptography," where additional properties are required on top of "one-wayness" \cite{IR89}, so permutations cannot be traded for any of these additional properties. On the other hand, we now know that none of these additional properties can be traded for permutations either. Thus, being a permutation seems to be something orthogonal to those additional properties on top of one-wayness. Like previous non-reducibility results, our proofs follow the oracle separation paradigm of Impagliazzo and Rudich.

2.
We show how to produce short proofs of theorems such that a distrusting Verifier can be convinced that the theorem is true yet obtains no information about the proof itself. We assume the theorem is represented by a boolean circuit, of size m gates, which is satisfiable if and only if the theorem holds. We use bit commitments of size k and bound the probability of false proofs going undetected by 2^{-r}. We obtain non-interactive zero-knowledge proofs of size O(mk(log m + r)) bits. In the random oracle model, we obtain non-interactive proofs of size O(m(log m + r) + rk) bits. By simulating a random oracle, we obtain non-interactive proofs which are short enough to be used in practice. We call the latter proofs "discreet." Received 30 March 1998 and revised 29 November 1999. Online publication 18 August 2000.

3.
张旭, 徐丰, 金亚秋. 雷达学报 (Journal of Radars), 2022, 11(1): 126-143
High-resolution SAR images contain rich information about targets and their environment, but the complex electromagnetic scattering mechanisms make them hard to interpret intuitively, which has long been an important research topic in SAR image interpretation. This paper briefly reviews high-frequency scattering modeling methods for typical geometric primitives, traces the development of several high-frequency scattering mechanisms along the lines of surface, line and point scattering, gives scattering-mechanism expressions and some simulation results for several typical geometric primitives, and analyzes the challenges facing the characterization of typical scattering mechanisms...

4.
Cryptographic Properties of Plateaued Functions   (cited by 1: self-citations 0, others 1)
Plateaued functions form a larger class that includes Bent functions and partially Bent functions; they are a class of cryptographic functions with good cryptographic properties and have important applications in the design of nonlinear combining functions. Using the Walsh spectrum and autocorrelation coefficients as tools, this paper proves from the viewpoint of cryptographic functions that the dimension of the subspace formed by all linear structures of an r-th order Plateaued function is bounded above by n-r, with equality if and only if f(x) is a partially Bent function, and also gives some other cryptographic properties of Plateaued functions.

5.
We propose constructing provable collision resistant hash functions from expander graphs in which finding cycles is hard. As examples, we investigate two specific families of optimal expander graphs for provable collision resistant hash function constructions: the families of Ramanujan graphs constructed by Lubotzky-Phillips-Sarnak and Pizer respectively. When the hash function is constructed from one of Pizer's Ramanujan graphs, (the set of supersingular elliptic curves over with -isogenies, a prime different from p), then collision resistance follows from hardness of computing isogenies between supersingular elliptic curves. For the LPS graphs, the underlying hard problem is a representation problem in group theory. Constructing our hash functions from optimal expander graphs implies that the outputs closely approximate the uniform distribution. This property is useful for arguing that the output is indistinguishable from random sequences of bits. We estimate the cost per bit to compute these hash functions, and we implement our hash function for several members of the Pizer and LPS graph families and give actual timings.

6.
This paper presents a simple logic that can be used for the formal verification and design of cryptographic protocols. The logic uses an abstract channel concept to represent communication links with various security properties, allowing protocols to be treated at a more abstract level than in existing authentication logics.

7.
In a wireless sensor network environment, a sensor node is extremely constrained in terms of hardware due to factors such as maximizing lifetime and minimizing physical size and overall cost. Nevertheless, these nodes must be able to run cryptographic operations based on primitives such as hash functions, symmetric encryption and public key cryptography in order to allow the creation of secure services. Our objective in this paper is to survey how the existing research-based and commercial-based sensor nodes are suitable for this purpose, analyzing how the hardware can influence the provision of the primitives and how software implementations tackle the task of implementing instances of those primitives. As a result, it will be possible to evaluate the influence of provision of security in the protocols and applications/scenarios where sensors can be used.
Javier Lopez

8.
This paper analyzes the characteristics of current side-channel attack analysis techniques against cryptographic chips and, drawing on the relevant international security testing and evaluation standards, lays out the requirements for T-test-based cryptographic security evaluation of smart radio and television terminals, providing support for further cryptographic security evaluation of the chips in such terminals.

9.
Side-channel attacks using static power have been shown to be successful against cryptographic circuits in different environments. This class of attacks exploits the power leakage when the circuit is in a static state, during which the power leakage is expected to be a fixed value. Due to the low signal-to-noise ratio of static power, usually more traces are needed for a static power attack to reach the same success rate as a dynamic power attack. The probabilistic distribution pattern of static power varies significantly in different devices, which further poses challenges to the accurate modeling of static power. In this paper we propose non-parametric template attacks which use a kernel methodology to improve the accuracy of modeling static power consumption. The proposed template attacks are tested using transistor-level simulations of circuits designed with a 45-nm standard cell library. Our test results show that our approach improves the success rate of template attacks using static power in cases where the distribution of static power consumption cannot be accurately modeled by Gaussian models.

10.
Attacks on Fast Double Block Length Hash Functions   (cited by 5: self-citations 0, others 5)
The security of hash functions based on a block cipher with a block length of m bits and a key length of k bits, where , is considered. New attacks are presented on a large class of iterated hash functions with a 2m-bit hash result which processes in each iteration two message blocks using two encryptions. In particular, the attacks break three proposed schemes: Parallel-DM, the PBGV hash function, and the LOKI DBH mode. Received 1 March 1996 and revised 16 December 1996.

11.
Black-box models (BBMs) for erbium-doped amplification have been demonstrated to be a powerful tool. A new extended BBM including variations of the erbium-doped fiber length is presented for fiber length optimization in amplified systems. The comparisons with experimental results show a very high accuracy, with maximum discrepancies of about 0.5 dB.

12.
徐日, 毛明, 高献伟. 通信技术 (Communications Technology), 2009, 42(4): 111-113
The State Cryptography Administration has issued the Functionality and Interface Specification of the Cryptographic Support Platform for Trusted Computing to guide research on and application of trusted computing platforms in China. This paper studies the structure of the trusted computing cryptographic support platform and the TCM (Trusted Cryptography Module), and analyzes the supporting role of the cryptographic algorithms and the platform's integrity measurement mechanism. It thereby identifies the differences in integrity measurement and cryptographic mechanisms between the trusted computing cryptographic support platform and the TCG (Trusted Computing Group) trusted computing platform, and concludes that the trusted computing cryptographic support platform is superior.

13.
Scan design has become another side channel for leaking confidential information inside cryptographic chips. Methods based on obfuscating the scan chain order have been proposed as countermeasures for such scan-based attacks. In this paper, we first analyze the existing secure scan designs from the angle of whether they need a complete chain state or rely on any specific scan chain order. We show that all existing attacks do not rely on a specific scan chain order, and therefore any secure scan design with an obfuscated scan chain order cannot provide sufficient security. We then propose a new approach which clears the states of all sensitive scan cells whenever the circuit under test is switched to test mode. It also blocks access to the cipher key throughout the entire testing process. Our experimental results show that the proposed scan design can effectively insulate all information related to the cipher key from the scan chain with little design overhead, and thus it can successfully defend against all existing scan-based attacks.

14.
Selecting Cryptographic Key Sizes   (cited by 12: self-citations 0, others 12)
In this article we offer guidelines for the determination of key sizes for symmetric cryptosystems, RSA, and discrete logarithm-based cryptosystems both over finite fields and over groups of elliptic curves over prime fields. Our recommendations are based on a set of explicitly formulated parameter settings, combined with existing data points about the cryptosystems. Received September 1999 and revised February 2001. Online publication 14 August 2001.

15.
This paper proposes the use of an FPGA-based fault injection technique, AMUSE, to study the effect of malicious attacks on cryptographic circuits. Originally, AMUSE was devised to analyze soft error effects (SEU and SET) in digital circuits. However, many of the fault-based attacks used in cryptanalysis produce faults that can be modeled as bit-flips in memory elements or transient pulses in combinational logic, like faults due to radiation effects. Experimental results provide information that allows the cryptographic circuit designer to detect the weakest areas in order to implement countermeasures at the design stage.

16.
许新华, 龚雄涛, 唐胜群. 通信技术 (Communications Technology), 2010, 43(2): 204-206, 209
A notable feature of agents is their sociality; agent applications mainly take the form of cooperation among multiple agents. The problem-solving ability of a MAS exceeds that of a single agent, and communication among agents is a key issue in such systems. Among the more practical communication methods, the "blackboard" is the best known, and blackboard-like methods lying between the blackboard approach and the predetermined-point approach have also been proposed. This model needs to handle three types of communication; with the TTMAS communication model, overall running time can be reduced by more than 30%.

17.
Security and Composition of Multiparty Cryptographic Protocols   (cited by 17: self-citations 0, others 17)
We present general definitions of security for multiparty cryptographic protocols, with focus on the task of evaluating a probabilistic function of the parties' inputs. We show that, with respect to these definitions, security is preserved under a natural composition operation. The definitions follow the general paradigm of known definitions; yet some substantial modifications and simplifications are introduced. The composition operation is the natural "subroutine substitution" operation, formalized by Micali and Rogaway. We consider several standard settings for multiparty protocols, including the cases of eavesdropping, Byzantine, nonadaptive and adaptive adversaries, as well as the information-theoretic and the computational models. In particular, in the computational model we provide the first definition of security of protocols that is shown to be preserved under composition. Received 4 June 1998 and revised 19 August 1999.

18.
Evidence modeling has become a bottleneck restricting the wide application of DS evidence theory. Dempster (1967), building on his work on multivalued mappings, first proposed the important concept of the compatibility relation; Shafer (1976) defined belief functions (i.e., evidence models) on the basis of this concept. By extending the compatibility relation of belief functions, this paper gives an exploratory account of how to build a general evidence model applicable to various kinds of uncertainty. Compared with Appriou's (1999) evidence model 1, the construction of the general evidence model has a clearer physical meaning and a more complete theoretical system; compared with other evidence modeling methods aimed at specific application backgrounds, it has a broader range of applicability.

19.
Research on Modern Cryptographic Algorithms   (cited by 1: self-citations 0, others 1)
Cryptographic technology is the core technology of information security. It mainly comprises symmetric cryptographic algorithms and asymmetric cryptographic algorithms and protocols. In symmetric encryption algorithms the encryption key and the decryption key are easily derived from each other, and encryption/decryption is very fast, which makes them suitable for encrypting large volumes of data. In asymmetric-key cryptosystems, deriving the public key from the private key is computationally infeasible; although public-key encryption algorithms cannot compete with symmetric algorithms in speed, they solve well the key distribution and management problems faced by symmetric cryptography and also give a complete answer to the digital signature problem.

20.
Practical Aspects of Quantum Cryptographic Key Distribution   (cited by 6: self-citations 0, others 6)
Performance of various experimental realizations of quantum cryptographic protocols using polarization or phase coding are compared, including a new self-balanced interferometric setup using Faraday mirrors. The importance of detector noise is illustrated and means of reducing it are presented. Maximal distances and bit rates achievable with present day technologies are evaluated. Practical eavesdropping strategies taking advantage of the optical fiber that could open a gate into the transmitter's and receiver's offices are discussed. Received 11 April 1997 and revised 21 July 1997.
