On the security of the block cipher GOST suitable for the protection in U-business services

The paper revisits the security of the block cipher GOST, which is suitable for the protection in U-business services due to its simple design. Inspired from the reflection-meet-in-the-middle attack on GOST, we firstly find a large portion of weak keys on the full GOST: GOST has 2¹²⁸ weak keys in which key recovery attack is mounted with a data complexity of 2³² known plaintexts and a time complexity of 2^125.5. Secondly, we present a differential fault attack on the full GOST, which required 64 fault injections to recover the entire key. This is the first known side-channel attack on GOST.     

组合公钥（CPK）体制密钥间的线性关系

对组合公钥（CPK）体制标准进行了分析,认为在CPKv5．0中,实体组合私钥与密钥种子之间、私钥与私钥之间存在线性关系,且最大线性无关量不超过N1＋N2,其中N1为标识矩阵的总量,N2为分割密钥序列的总量,实际的安全界限应是N1＋N2,而不是N1×N2,因此OPKv5．0仍然不能抵抗共谋攻击,存在安全隐患。     

Cryptanalysis of an image encryption algorithm using Chebyshev generator

Recently, studies of image encryption algorithms have been increasingly based on chaos, but there still exist drawbacks in chaotic cryptosystem that threat the security. In this paper, we make cryptanalysis on an image encryption based on Chebyshev chaotic map and find the following: (1) chosen-plaintext attack can break the scheme. (2) There exist equivalent keys and weak keys for the encryption scheme. (3) The scheme has low sensitivity to the changes of plain image. And we successfully carry out the chosen-plaintext attack. To overcome the drawbacks, a remedial technique is suggested.     

Slide attacks and LC-weak keys in T-310

T-310 is an important Cold War cipher (Cryptologia 2006). In a recent article (Cryptologia 2018), researchers show that, in spite of specifying numerous very technical requirements, the designers do not protect the cipher against linear cryptanalysis and some 3% of the keys are very weak. However, such a weakness does not necessarily allow breaking the cipher because it is extremely complex and extremely few bits from the internal state are used for the actual encryption. In this article, we finally show a method that allows recovering a part of the secret key for about half of such weak keys in a quasi-realistic setting. For this purpose, we revisit another recent article from Cryptologia from 2018 and introduce a new peculiar variant of the decryption oracle slide attack with d?=?0.     

对称密码算法中两类线性表达式的概率优势

分析欧洲序列密码候选算法ABC的安全性,提炼出两类与安全性密切相关的具有概率优势的线性表达式。两个概率优势反映了模加法运算之间的两种线性相关性。利用每类表达式及其概率优势都可以推导出ABC算法的大量弱密钥。在弱密钥条件下,可以计算出算法的1 257 bit初始密钥,从而导致了算法的有效破解方法。第一类表达式反映了两个模加法方程普遍存在的一种线性相关性,第二类表达式反映了三个模加法方程的比特进位之间的线性相关性。其中,第二类中一个典型的表达式最初是由Wu和Preneel发现,并由此得到2~(96)个弱密钥,但他们只是通过测试试验数据得到了该表达式的概率优势估计值,并未给出严格证明。文中给出两类表达式的概率优势的严格证明。模加运算被广泛应用于对称密码的设计中,相信这两类线性表达式的概率优势不仅可以用来分析其它对称密码算法,而且对于设计安全的对称密码算法也是非常重要的。     

基于ECC的组合公钥技术的安全性分析

分析了唐文等人提出的一种基于ECC(椭圆曲线密码体制)的组合公钥技术的安全性特点,给出了两种合谋攻击的方法。第1种方法称之为选择合谋攻击,一个用户与其选择的具有某些映射特点的w( 2)个用户合谋,可以得到2w-w-1个不同用户的私钥。第2种方法称之为随机合谋攻击,两个合谋用户首先计算其公钥的差值 和 ,然后在公开的公钥因子矩阵中任意选取组合公钥,通过计算所选取的公钥与两个合谋用户之一的公钥的差值是否等于 或 ,从而达到攻击的目标。     

Security of robust generalized MQV key agreement protocol without using one-way hash functions

The MQV key agreement protocol has been adopted by IEEE P1363 Committee to become a standard, which uses a digital signature to sign the Diffie–Hellman public keys without using any one-way hash function. Based on the MQV protocol, Harn and Lin proposed a generalized key agreement protocol to enable two parties to establish multiple common secret keys in a single round of message exchange. However, the Harn–Lin protocol suffers from the known-key attack if all the secret keys established are adopted. Recently, Tseng proposed a new generalized MQV key agreement protocol without using one-way hash functions. Tseng claimed that the proposed protocol is robust since the new protocol can withstand the forgery attack and the known-key attack. In this paper we show that this protocol is not secure since the receiver can forge signatures. We also propose an improved authenticated multiple-key agreement protocol, which is secure against the forgery attack and the known-key attack.     

混沌密码系统弱密钥随机性分析

弱密钥问题是混沌密码系统设计中的关键问题,已有研究主要从混沌序列退化角度进行分析.然而,本文指出保证混沌序列不退化的密钥参数仍可能构成混沌密码的弱密钥.本文提出以混沌密码序列随机性作为评价标准,应用严格的统计检验方法对混沌密码的弱密钥进行检测.进一步,对一类混沌密码系统进行了弱密钥研究,检测出了该系统大量未被发现的弱密钥.这确证了所提出方法的有效性.另一方面,虽然已有较多研究采用统计检验对混沌比特序列进行测试,但将统计检验用于分析混沌密码弱密钥或弱序列的研究还很少见.本文给出的统计检验弱序列分析,对当前混沌密码统计检验研究是一个很好的补充.     

3DES分组加密算法模型分析

数据加密标准DES是分组加密算法的代表,针对单DES的短密钥和双DES弱密钥等缺陷,论文重点对三重DES进行了研究.分析表明,3DES三次调用加密函数,由于其长密钥和复杂度的增加,抗攻击能力大大得到提升,加密信息的安全可靠得到保障.最后,面对日益强大的攻击,提出了DES未来发展的方向和设想.     

Cryptanalysis of an asymmetric cipher protocol using a matrix decomposition problem一个基于矩阵分解的非对称密码协议的分析

Advances in quantum computation threaten to break public key cryptosystems such as RSA, ECC, and ElGamal that are based on the difficulty of factorization or taking a discrete logarithm, although up to now, no quantum algorithms have been found that are able to solve certain mathematical problems on noncommutative algebraic structures. Against this background, Raulynaitis et al. have proposed a novel asymmetric cipher protocol using a matrix decomposition problem. Their proposed scheme is vulnerable to a linear algebra attack based on the probable occurrence of weak keys in the generation process. In this paper, we show that the asymmetric cipher of the non-commutative cryptography scheme is vulnerable to a linear algebra attack and that it only requires polynomial time to obtain the equivalent keys for some given public keys. We also propose an improvement to enhance the scheme of Raulynaitis et al.     

LEX算法的相关密钥攻击

LEX算法是入选欧洲序列密码工程eSTREAM第三阶段的候选流密码算法之一,在分组密码算法AES的基础上进行设计。为此,针对LEX算法进行基于猜测决定方法的相关密钥攻击,在已知一对相关密钥各产生239.5个字节密钥流序列的条件下,借助差分分析的思想和分组密码算法AES轮变换的性质,通过穷举2个字节密钥值和中间状态的8个字节差分恢复出所有候选密钥,利用加密检验筛选出正确的密钥。分析结果表明,该密钥攻击的计算复杂度为2100.3轮AES加密、成功率为1。     

基于椭圆曲线的改进RC4算法

针对流密码（RC4）算法存在不变性弱密钥、密钥流序列随机性不高和算法初始状态可以被破解等问题，提出一种基于椭圆曲线的RC4改进算法。该算法利用椭圆曲线、哈希函数和伪随机数产生器生成初始密钥，在S盒和指针的作用下进行非线性变换最终生成具有高随机性的密钥流序列。美国国家标准与技术研究院（NIST）随机性测试结果表明，改进算法的频率检验、游程检验和Maurer指标比原RC4算法分别高出0.13893，0.13081和0.232050，能有效防止不变性弱密钥的产生，抵抗"受戒礼"攻击；初始密钥是一个分布均匀的随机数，不存在偏差，能够有效抵御区分攻击；椭圆曲线、哈希函数具有单向不可逆性，伪随机数产生器具有高密码强度，初始密钥猜测赋值困难，不易破解，能够抵抗状态猜测攻击。理论和实验结果表明改进RC4算法的随机性和安全性高于原RC4算法。     

New related-key rectangle attacks on reduced AES-192 and AES-256

In this paper, we examine the security of reduced AES-192 and AES-256 against related-key rectangle attacks by exploiting the weakness in the AES key schedule. We find the following two new attacks: 9-round reduced AES-192 with 4 related keys, and 10-round reduced AES-256 with 4 related keys. Our results show that related-key rectangle attack with 4 related keys on 9-round reduced AES-192 requires a data complexity of about 2¹⁰¹ chosen plaintexts and a time complexity of about 2^174.8 encryptions, and moreover, related-key rectangle attack with 4 related keys on 10-round reduced AES-256 requires a data complexity of about 2^97.5 chosen plaintexts and a time complexity of about 2²⁵⁴ encryptions. These attacks are the first known attacks on 9-round reduced AES-192 and 10-round reduced AES-256 with only 4 related keys. Furthermore, we give an improvement of the 10-round reduced AES-192 attack presented at FSE2007, which reduces both the data complexity and the time complexity. Supported by the National Natural Science Foundation of China (Grant No. 60673072), and the National Basic Research Program of China (Grant No. 2007CB311201)     

Self-generated-certificate public key encryption without pairing and its application

Recently, Liu et al. [26] discovered that Certificateless Public Key Encryption (CL-PKE) suffers the Denial-of-Decryption (DoD) attack. Based on CL-PKC, the authors introduced a new paradigm called Self-Generated-Certificate Public Key Cryptography (SGC-PKC) that captured the DoD attack and proposed the first scheme derived from a novel application of Water’s Identity-Based Encryption scheme [43]. In this paper, we propose a new SGC-PKE scheme that does not depend on the bilinear pairings and hence, is more efficient and requires shorter public keys than Liu et al.’s scheme. More importantly, our scheme reaches Girault’s trust level 3 [16] (cf. Girault’s trust level 2 of Liu and Au’s scheme), the same trust level achieved by a traditional PKI. In addition, we also discuss how our scheme can lead to a secure and self-organized key management and authentication system for ad hoc wireless networks with a function of user-controlled key renewal.     

A related key impossible differential attack against 22 rounds of the lightweight block cipher LBlock

LBlock is a new lightweight block cipher proposed by Wu and Zhang (2011) [12] at ACNS 2011. It is based on a modified 32-round Feistel structure. It uses keys of length 80 bits and message blocks of length 64 bits.In this letter, we examine the security arguments given in the original article and we show that we can improve the impossible differential attack given in the original article on 20 rounds by constructing a 22-round related key impossible differential attack that relies on intrinsic weaknesses of the key schedule. This attack has a complexity of 2⁷⁰ cipher operations using 2⁴⁷ plaintexts. This result was already published in Minier and Naya-Plasencia (2011) [9].     

针对流密码MAG算法的已知明文攻击

基于已知明文的假设下,针对MAG算法初始化、密钥流生成阶段的不同特点,给出2个前向逆推攻击算法。对于密钥规模为 80 bit、128 bit的MAG算法,利用上述2个攻击算法只需已知前128个密钥流输出值,即可恢复其40 bit、32 bit的密钥,计算复杂度为O(214)。模拟结果表明,该方法的平均攻击时间约为9 min,攻击成功率为1。     

基于最大F距离码的McEliece公钥密码体制

基于F度量,构造了最大F距离码,提出了基于最大F距离码的新McEliece公钥密码系统。合法接收者通过引入一个随机矩阵X作为附加私钥,并把X加入到原始公钥中,从而产生了一个新的公钥,使该密码系统能够有效抗击敌手通过已知的公钥获得私钥的攻击。同时F度量的引入,提高了攻击密钥体积较小的公钥密码系统的复杂度和难度。通过对现有可行攻击方法的分析,说明了基于最大F距离码的新McEliece公钥密码系统是安全可行的。     

针对CSC系列流密码算法的区分攻击

研究CSC-(n,N)序列流密码算法簇的安全性,证明产生的第1个密钥字节为0的概率约为2-n~2-2n,利用模拟实验验证其正确性,据此提出对CSC-(n,N)的区分攻击。该区分攻击只需利用23n+2个密钥产生的第1个密钥字就能以0.84以上的正确率将CSC-(n,N)产生的密钥流序列与随机序列进行区分。     

An efficient ID-based cryptographic encryption based on discrete logarithm problem and integer factorization problem

ID-based encryption (identity-based) is a very useful tool in cryptography. It has many potential applications. The security of traditional ID-based encryption scheme wholly depends on the security of secret keys. Exposure of secret keys requires reissuing all previously assigned encryptions. This limitation becomes more obvious today as key exposure is more common with increasing use of mobile and unprotected devices. Under this background, mitigating the damage of key exposure in ID-based encryption is an important problem. To deal with this problem, we propose to integrate forward security into ID-based encryption. In this paper, we propose a new construction of ID-based encryption scheme based on integer factorization problem and discrete logarithm problem is semantically secure against chosen plaintext attack (CPA) in random oracle model. We demonstrate that our scheme outperforms the other existing schemes in terms of security, computational cost and the length of public key.     

一种基于身份的密钥协商协议安全分析与改进

认证密钥协商是保证参与者后续通信安全的一种重要机制。2007年,J.Oh等人提出了一种新的利用椭圆曲线密码体制的基于身份的认证密钥协商协议,该协议最大的特点是可以通过一次会话密钥协商过程生成两个会话密钥。但研究发现,该协议不能抵抗基本的冒充攻击和密钥泄露冒充攻击,详细地描述了这两个安全弱点后提出了一种新的改进方法,并分析了新协议的安全性。