关于Trivium-型序列密码代数次数估计的研究

对于序列密码,输出密钥流比特可以视为关于密钥变元和Ⅳ变元的布尔函数,而该布尔函数的代数次数是影响密码算法安全性的重要因素;当代数次数偏低时,密码算法抵抗代数攻击、立方攻击和积分攻击的能力比较弱.目前,针对Trivium-型序列密码算法,最有效的代数次数估计方法是数值映射方法和基于MILP的可分性质方法.本文通过分析两种典型方法的特点,结合两种方法的优势,对Trivium-型算法的代数次数估计进行了改进.我们利用改进后的方法对大量随机选取的Ⅳ变量集进行了实验.实验结果表明,对于Trivium-型算法,改进后的方法能够给出比数值映射方法更紧的代数次数上界.特别地,针对Trivium算法,当输入变元为全密钥变元和全Ⅳ变元时,即80个密钥变元和80个Ⅳ变元,输出比特代数次数未达到160的最大轮数从907轮提高到912轮,这是目前已知的全变元情形下的最优代数次数估计结果.     

A simple power analysis attack against the key schedule of the Camellia block cipher

This paper presents a simple power analysis attack against the key schedule of Camellia. The attack works for the smart card environment which leaks the Hamming weight of data being processed, making use of the Hamming weight to deduce all key bits. It is shown that determining the cipher key given accurate power analysis data is very fast and does not require any pair of plaintext and ciphertext.     

代数免疫度最优的偶数元旋转对称布尔函数的构造

针对目前许多流密码算法无法抵抗代数攻击问题,提出了一种构造代数免疫度最优的偶数元旋转对称布尔函数的新方法。该方法在择多函数的基础上,通过巧妙选择汉明重量不一的若干轨道,并改变这些轨道上的函数值,从而构造出一类新的旋转对称布尔函数。给定布尔函数达到代数免疫度最优的一个充分条件,通过证明新构造的布尔函数满足该充分条件,从而表明该类函数代数免疫度最优,能够有效抵抗代数攻击。     

A robust color image watermarking using local invariant significant bitplane histogram

Desynchronization attacks that cause displacement between embedding and detection are usually difficult for watermark to survive. It is a challenging work to design a robust image watermarking scheme against desynchronization attacks, especially for color images. In this paper, we propose a robust color image watermarking approach based on local invariant significant bitplane histogram. The novelty of the proposed approach includes: 1) A fast and effective color image feature points detector is constructed, in which probability density and color invariance model are used; 2) The fully affine invariant local feature regions are built based on probability density Hessian matrix; and 3) The invariant significant bitplane histograms are introduced to embed digital watermark. The extensive experimental works are carried out on a color image set collected from Internet, and the preliminary results show that the proposed watermarking approach can survive numerous kinds of distortions, including common image processing operations and desynchronization attacks.     

Lower bounds for the polynomial calculus

We show that polynomial calculus proofs (sometimes also called Groebner proofs) of the pigeonhole principle must have degree at least over any field. This is the first non-trivial lower bound on the degree of polynomial calculus proofs obtained without using unproved complexity assumptions. We also show that for some modifications of , expressible by polynomials of at most logarithmic degree, our bound can be improved to linear in the number of variables. Finally, we show that for any Boolean function in n variables, every polynomial calculus proof of the statement “ cannot be computed by any circuit of size t,” must have degree . Loosely speaking, this means that low degree polynomial calculus proofs do not prove . Received: January 15, 1997.     

Complexity of boolean functions in a class of canonical polarized polynomials

Relationships for the maximum of a minimal number of summands among all canonical polarized polynomials of a Boolean function are obtained. Translated from Kibernetika i Sistemnyi Analiz, No. 3, pp. 179–183, May–June, 2000.     

关于代数攻击中代数免疫的若干性质分析

代数免疫是衡量布尔函数抵抗代数攻击能力的重要指标,本文证明了在仿射变换作用下,代数免疫保持不变,并且通过证明布尔函数与仿射函数异或后所得到的新函数与原布尔函数代数免疫最多相差1,找到了Walsh谱与代数免疫的关系,使得代数免疫作为密码函数的一个性质特征与其他特征类似,同样可以通过谱来衡量。     

Robust and efficient detection of DDoS attacks for large-scale internet

In recent years, distributed denial of service (DDoS) attacks have become a major security threat to Internet services. How to detect and defend against DDoS attacks is currently a hot topic in both industry and academia. In this paper, we propose a novel framework to robustly and efficiently detect DDoS attacks and identify attack packets. The key idea of our framework is to exploit spatial and temporal correlation of DDoS attack traffic. In this framework, we design a perimeter-based anti-DDoS system, in which traffic is analyzed only at the edge routers of an internet service provider (ISP) network. Our framework is able to detect any source-address-spoofed DDoS attack, no matter whether it is a low-volume attack or a high-volume attack. The novelties of our framework are (1) temporal-correlation based feature extraction and (2) spatial-correlation based detection. With these techniques, our scheme can accurately detect DDoS attacks and identify attack packets without modifying existing IP forwarding mechanisms at routers. Our simulation results show that the proposed framework can detect DDoS attacks even if the volume of attack traffic on each link is extremely small. Especially, for the same false alarm probability, our scheme has a detection probability of 0.97, while the existing scheme has a detection probability of 0.17, which demonstrates the superior performance of our scheme.     

Security of Quantum Key Distribution against All Collective Attacks

Abstract. Security of quantum key distribution against sophisticated attacks is among the most important issues in quantum information theory. In this work we prove security against a very important class of attacks called collective attacks (under a compatible noise model) which use quantum memories and gates, and which are directed against the final key. This work was crucial for a full proof of security (against the joint attack) recently obtained by Biham, Boyer, Boykin, Mor, and Roychowdhury [1].     

CRYPTOLOGY AND THE LAW

Abstract

Skipjack is a block cipher designed by the NSA for use in US government phones, and commercial mobile and wireless products by AT&;T. Among its initial implementations in hardware were the Clipper chip and Fortezza PC cards, which have since influenced the private communications market to be compatible with this technology. For instance, the Fortezza card comes in PCMCIA interface and is a very easy plug-n-play device to add on to mobile and wireless systems to provide encryption for wireless transmissions. Initially classified when it was first proposed, Skipjack was declassified in 1998, and it sparked numerous security analyses from security researchers worldwide because it provides insight into the state-of-the-art security design techniques used by a highly secretive government intelligence agency such as the NSA. In this paper, commemorating a decade since Skipjack's public revelation, we revisit the security of Skipjack, in particular its resistance to advanced differential-style distinguishers. In contrast to previous work that considered conventional and impossible differential distinguishers, we concentrate our attention on the more recent advanced differential-style and related-key distinguishers that were most likely not considered in the original design objectives of the NSA. In particular, we construct first-known related-key impossible differential, rectangle and related-key rectangle distinguishers of Skipjack. Our related-key attacks (i.e., related-key miss-in-the-middle and related-key rectangle attacks) are better than all the previous related-key attacks on Skipjack. Finally, we characterize the strength of Skipjack against all these attacks and motivate reasons why, influenced by the Skipjack structure, some attacks fare better. What is intriguing about Skipjack is its simple key schedule and a structure that is a cross between conventional Feistel design principles and the unconventional use of different round types. This work complements past results on the security analysis of Skipjack and is hoped to provide further insight into the security of an NSA-designed block cipher; the only one publicly known to date.     

Elastic block ciphers: method, security and instantiations

We introduce the concept of an elastic block cipher which refers to stretching the supported block size of a block cipher to any length up to twice the original block size while incurring a computational workload that is proportional to the block size. Our method uses the round function of an existing block cipher as a black box and inserts it into a substitution- permutation network. Our method is designed to enable us to form a reduction between the elastic and the original versions of the cipher. Using this reduction, we prove that the elastic version of a cipher is secure against key-recovery attacks if the original cipher is secure against such attacks. We note that while reduction-based proofs of security are a cornerstone of cryptographic analysis, they are typical when complete components are used as sub-components in a larger design. We are not aware of the use of such techniques in the case of concrete block cipher designs. We demonstrate the general applicability of the elastic block cipher method by constructing examples from existing block ciphers: AES, Camellia, MISTY1, and RC6. We compare the performance of the elastic versions to that of the original versions and evaluate the elastic versions using statistical tests measuring the randomness of the ciphertext. We also use our examples to demonstrate the concept of a generic key schedule for block ciphers.

A practical distinguisher for the Shannon cipher

In this paper, we present a practical linear distinguisher on the Shannon stream cipher. Shannon is a synchronous stream cipher that uses at most 256-bit secret key. In the specification for Shannon, designers state that the intention of the design is to make sure that there are no distinguishing attacks on Shannon requiring less than 2⁸⁰ keystream words and less than 2¹²⁸ computations. In this work we use the Crossword Puzzle attack technique to construct a distinguisher which requires a keystream of length about 2³¹ words with workload about 2³¹.     

Generic Certificateless Encryption Secure Against Malicious-but-Passive KGC Attacks in the Standard Model

Despite the large number of certificateless encryption schemes proposed recently, many of them have been found insecure under a practical attack, called malicious-but-passive KGC (Key Generation Center) attack. In this work we propose the first generic construction of certificateless encryption, which can be proven secure against malicious-but-passive KGC attacks in the standard model. In order to encrypt a message of any length, we consider the KEM/DEM (key encapsulation mechanism/data encapsulation mechanism) framework in the certificateless setting, and propose a generic construction of certificateless key encapsulation mechanism (CL-KEM) secure against malicious-but-passive KGC attacks in the standard model. It is based on an identity-based KEM, a public key encryption and a message authentication code. The high efficiency of our construction is due to the efficient implementations of these underlying building blocks, and is comparable to Bentahar et al.’s CL-KEMs, which have only been proven secure under the random oracle model with no consideration of the malicious-but-passive KGC attack. We also introduce the notion of certificateless tag-based KEM (CL-TKEM), which is an extension of Abe et al.’ s work to the certificateless setting. We show that an efficient CL-TKEM can be constructed by modifying our CL-KEM scheme. We also show that with a CL-TKEM and a data encapsulation mechanism secure under our proposed security model, an efficient certificateless hybrid encryption can be constructed by applying Abe et al.'s transformation in the certificateless setting.     

The design of S-boxes by simulated annealing

Substitution boxes (S-boxes) are important components in many modern-day symmetric key ciphers. Their study has attracted a great deal of attention over many years. The emergence of a variety of cryptosystem attacks has shown that substitutions must be designed with great care. Some general criteria such as high non-linearity and low autocorrelation have been proposed (providing some protection against attacks such as linear cryptanalysis and differential cryptanalysis). The design of appropriate S-boxes is a difficult task; several criteria must be traded off and the design space is huge. There has been little application of evolutionary search to the development of S-boxes. In this paper we show how a cost function that has found excellent single-out put Boolean functions can be generalised to provide improved results for small S-boxes. John A. Clark: He is Professor of Critical Systems at the University of York, where he leads the software testing, security and cryptography work. Much of this has been concerned with the application of meta-heuristic search. Jeremy L. Jacob: He has a BSc. in Mathematics from the University of Hull, England, M.Sc. and D. Phil. in Computation from the University of Oxford, England and now works for the Univerity of York. His research interests include modelling secure systems and software engineering practices for secure systems. Susan Stepney: She is Professor of computer Science at the University of York, and leads the Non-Standard Computation research group there. She is a member of the ACM, Fellow of the British Computer Society, and moderator of the UKCRC Grand Challenge in Non-Classical Computation. Her main research interests include novel applications of nature-inspired computation, modelling self-organising complex systems and designing and reasoning about emergent properties.     

ALAN TURING: THE ENIGMA – BOOK REVIEW

Abstract

Simple substitution ciphers are a class of puzzles often found in newspapers, in which each plaintext letter is mapped to a fixed ciphertext letter and spaces are preserved. In this article, a system for automatically solving them is described even when the ciphertext is too short for statistical analysis, and when the puzzle contains non-dictionary words. The approach is based around a dictionary attack; several important performance optimizations are described as well as effective techniques for dealing with non-dictionary words. Quantitative performance results for several variations of the approach and two other implementations are presented.     

Cryptanalysis of Achterbahn-Version 1 and -Version 2

Achterbahn is one of the candidate stream ciphers submitted to the eSTREAM, which is the ECRYPT Stream Cipher Project. The cipher Achterbahn uses a new structure which is based on several nonlinear feedback shift registers （NLFSR） and a nonlinear combining output Boolean function. This paper proposes distinguishing attacks on Achterbahn-Version 1 and -Version 2 on the reduced mode and the full mode. These distinguishing attacks are based on linear approximations of the output functions. On the basis of these linear approximations and the periods of the registers, parity checks with noticeable biases are found. Then distinguishing attacks can be achieved through these biased parity checks. As to Achterbahn-Version 1, three cases that the output function has three possibilities are analyzed. Achterbahn-Version 2, the modification version of Achterbahn-Version 1, is designed to avert attacks based on approximations of the output Boolean function. Our attack with even much lower complexities on Achterbahn-Version 2 shows that Achterbahn-Version 2 cannot prevent attacks based on linear approximations.     

Prevention of Black Hole Attack in Multicast Routing Protocols for Mobile Ad-Hoc Networks Using a Self-Organized Public Key Infrastructure

ABSTRACT

A mobile ad-hoc network (MANET) is an autonomous system of mobile nodes connected by wireless links in which nodes cooperate by forwarding packets for each other thereby enabling communication beyond direct wireless transmission range. Example applications include battlefield communication, disaster recovery operations, and mobile conferencing. The dynamic nature of ad-hoc networks makes them more vulnerable to security attacks compared with fixed networks. Providing security in mobile ad-hoc networks has been a major issue in recent years. Most of the secure routing protocols proposed by researchers need a centralized authority or a trusted third party to provide authentication. This destroys the self-organizing nature of ad-hoc networks. Black Hole attack is one of the routing attacks that occur in MANETs. In this attack, a malicious node uses the routing protocol to advertise itself as having the shortest path to the node whose packets it wants to intercept. In this article, we propose an enhanced certificate based authentication mechanism, where nodes authenticate each other by issuing certificates to neighboring nodes and generating public key without the need of any online centralized authority. The proposed scheme uses Multicast Ad-hoc On Demand Distance Vector Routing (MAODV) protocol as a support for certification. The effectiveness of our mechanism is illustrated by simulations conducted using network simulator ns-2.     

A note on quantum related-key attacks

In a basic related-key attack against a block cipher, the adversary has access to encryptions under keys that differ from the target key by bit-flips. In this short note we show that for a quantum adversary such attacks are quite powerful: if the secret key is (i) uniquely determined by a small number of plaintext–ciphertext pairs, (ii) the block cipher can be evaluated efficiently, and (iii) a superposition of related keys can be queried, then the key can be extracted efficiently.     

Attacking a polynomial-based cryptosystem: Polly Cracker

We describe several attacks on Polly Cracker, a public key cryptosystem proposed by Fellows and Koblitz. The first kind of attack shows that variations in the CPU time needed for evaluating polynomials can leak significant information about the secret key. This kind of attack might also be of interest when dealing with other cryptosystems using polynomial evaluations, like Patarin’s hidden fields equations. Next, we exhibit some “structural” weaknesses in Polly Cracker’s encryption procedure. In particular, we demonstrate that with the parameters considered in a book by Koblitz it is often possible to reveal the private key easily. Published online: 9 April 2002