Publications catalogue - books
Advances in Cryptology: ASIACRYPT 2005: 11th International Conference on the Theory and Application of Cryptology and Information Security, Chennai, India, December 4-8, 2005, Proceedings
Bimal Roy (ed.)
Conference: 11th International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT). Chennai, India. December 4, 2005 - December 8, 2005
Abstract/Description - provided by the publisher
Not available.
Keywords - provided by the publisher
Coding and Information Theory; Data Encryption; Operating Systems; Algorithm Analysis and Problem Complexity; Management of Computing and Information Systems; Computer Communication Networks
Availability
Detected institution | Year of publication | Browse | Download | Request
---|---|---|---|---
Not detected | 2005 | SpringerLink | |
Information
Resource type:
books
Print ISBN
978-3-540-30684-9
Electronic ISBN
978-3-540-32267-2
Publisher
Springer Nature
Country of publication
United Kingdom
Publication date
2005
Copyright information
© Springer-Verlag Berlin Heidelberg 2005
Subject coverage
Table of contents
doi: 10.1007/11593447_21
A Practical Attack on the Fixed RC4 in the WEP Mode
Itsik Mantin
In this paper we revisit a known but ignored weakness of the RC4 keystream generator, in which secret state information leaks into the generated keystream, and show that this leakage, also known as Jenkins' correlation or the RC4 glimpse, can be used to attack RC4 in several modes. Our main result is a practical key recovery attack on RC4 when an IV modifier is concatenated in front of a secret root key to form the session key. Unlike the WEP attack of [FMS01], the new attack remains applicable even when the first 256 bytes of the keystream are discarded, and its complexity grows only linearly with the key length. In an illustrative parameter setting the attack recovers a 16-byte key in 2^48 steps using 2^17 short keystreams generated from different chosen IVs. A second attacked mode is the one in which the IV follows the secret root key. We mount a key recovery attack that recovers the secret root key by analyzing a single word from each of 2^22 keystreams generated from different IVs, improving on the attack of [FMS01] for this mode. A third result is an attack on RC4 that applies when the attacker can inject faults into the execution of RC4: the attacker derives the internal state and the secret key by analyzing 2^14 faulted keystreams generated from this key.
Keywords: RC4; Stream ciphers; Cryptanalysis; Fault analysis; Side-channel attacks; Related IV attacks; Related key attacks.
- Stream Cipher Cryptanalysis | Pp. 395-411
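The glimpse the abstract refers to can be checked directly. The following Python script is an added example, not code from the paper or from this catalogue entry: it implements plain RC4 and measures, over random keys, how often the post-swap state satisfies S[j] = i - z and S[i] = j - z. Whenever the output index S[i] + S[j] equals i, the output is z = S[i] and the first relation holds with certainty (symmetrically for j), which lifts each probability from the 1/N a leak-free generator would give to about 2/N. The 16-byte key length, the sample sizes and the RNG seed are arbitrary choices for the demonstration.

```python
"""Empirical check of the RC4 'glimpse' (Jenkins' correlation).

After the swap in each PRGA step the output is z = S[S[i] + S[j]].  When the
output index S[i] + S[j] happens to equal i, then z = S[i] and therefore
S[j] = (S[i] + S[j]) - S[i] = i - z holds with certainty (all mod N);
symmetrically, when it equals j, S[i] = j - z.  Each case occurs with
probability about 1/N on top of the 1/N chance of a random match, so the
relations hold with probability about 2/N instead of 1/N.
"""
import random

N = 256


def rc4_ksa(key: bytes) -> list:
    """RC4 key scheduling: derive the initial permutation S from the key."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S


def rc4_prga_trace(S: list, nbytes: int):
    """Run the PRGA in place, yielding (i, j, z) after each step's swap.
    S is mutated, so the caller sees the post-swap state when inspecting it."""
    i = j = 0
    for _ in range(nbytes):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        z = S[(S[i] + S[j]) % N]
        yield i, j, z


def glimpse_rates(num_keys: int, bytes_per_key: int, seed: int = 1) -> dict:
    """Measure P[S[j] = i - z] and P[S[i] = j - z] over random 16-byte keys.
    (Key length, sample sizes and seed are arbitrary choices for this demo.)"""
    rng = random.Random(seed)
    hits_j = hits_i = samples = 0
    for _ in range(num_keys):
        key = bytes(rng.randrange(N) for _ in range(16))
        S = rc4_ksa(key)
        for i, j, z in rc4_prga_trace(S, bytes_per_key):
            samples += 1
            hits_j += int(S[j] == (i - z) % N)   # glimpse on S[j]
            hits_i += int(S[i] == (j - z) % N)   # glimpse on S[i]
    return {
        "p_Sj": hits_j / samples,   # expect about 2/N = 0.0078
        "p_Si": hits_i / samples,   # expect about 2/N = 0.0078
        "uniform": 1 / N,           # 0.0039 for a leak-free generator
        "samples": samples,
    }


if __name__ == "__main__":
    for name, value in glimpse_rates(1500, 256).items():
        print(f"{name:>8}: {value}")
```

Both measured rates come out close to 2/256 ≈ 0.0078, roughly double the 1/256 baseline; this per-step leak of one state byte, accumulated over many IVs, is the raw material the paper's key recovery attacks build on.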
doi: 10.1007/11593447_22
A Near-Practical Attack Against B Mode of HBB
Joydip Mitra
The stream cipher Hiji-Bij-Bij (HBB) was proposed by Sarkar at Indocrypt'03. The cipher uses cellular automata (CA). The algorithm has two modes: a basic mode (B) and a self-synchronizing mode (SS). This article presents the first attack on the B mode of HBB with a 128-bit secret key. It is a known-plaintext guess-then-determine attack. The main step of the attack guesses 512 of the 640 unknown bits of the initial internal state. The guesses are made sequentially, and the attack uses a breadth-first-search-type algorithm so that the time complexity is 2^50.
Keywords: cryptanalysis; known-plaintext attack; HBB; stream cipher.
- Stream Cipher Cryptanalysis | Pp. 412-424
doi: 10.1007/11593447_23
New Improvements of Davies-Murphy Cryptanalysis
Sébastien Kunz-Jacques; Frédéric Muller
In this paper, we revisit the famous Davies-Murphy cryptanalysis of DES. First we improve its complexity down to the analysis of 2^45 chosen plaintexts, by considering 6 distributions instead of 7. The previous improvement of the attack, by Biham and Biryukov, cost 2^50 known plaintexts. This new result is better than differential cryptanalysis but slightly worse than linear cryptanalysis. Secondly, we explore the link between this attack and other cryptanalysis techniques, in particular linear cryptanalysis.
Keywords: False Alarm; Round Function; Data Encryption Standard; Linear Cryptanalysis; Data Analysis Phase.
- Block Ciphers and Hash Functions | Pp. 425-442
doi: 10.1007/11593447_24
A Related-Key Rectangle Attack on the Full KASUMI
Eli Biham; Orr Dunkelman; Nathan Keller
KASUMI is an 8-round Feistel block cipher used in the confidentiality and integrity algorithms of 3GPP mobile communications. As more and more 3GPP networks are deployed, more and more users rely on KASUMI to protect their privacy. Previously known attacks on KASUMI can break up to 6 out of the 8 rounds faster than exhaustive key search, and no attacks on the full KASUMI have been published. In this paper we apply the recently introduced related-key boomerang and rectangle attacks to KASUMI, resulting in an attack that is faster than exhaustive search against the full cipher. We also present a related-key boomerang distinguisher for 6-round KASUMI using only 768 adaptively chosen plaintexts and ciphertexts encrypted or decrypted under four related keys. Recently, it was shown that the security of the entire encryption system of the 3GPP networks cannot be proven using only the "ordinary" assumption that the underlying cipher (KASUMI) is a Pseudo-Random Permutation. It was also shown that if we assume that KASUMI is also secure with respect to differential-based related-key attacks, then the security of the entire system can be proven. Our results show that, theoretically, KASUMI is not secure with respect to differential-based related-key attacks, and thus the security of the entire encryption system of the 3GPP cannot be proven at this time.
Keywords: Block Cipher; Choose Plaintext Attack; Fast Software Encryption; Conditional Characteristic; Boomerang Attack.
- Block Ciphers and Hash Functions | Pp. 443-461
doi: 10.1007/11593447_25
Some Attacks Against a Double Length Hash Proposal
Lars R. Knudsen; Frédéric Muller
At FSE 2005, Nandi et al. proposed a method to turn an n-bit compression function into a 2n-bit compression function. In the black-box model, the security of this double-length hash proposal against collision attacks is proven as long as no more than Ω(2^{2n/3}) oracle queries to the underlying n-bit function are made. We explore the security of this hash proposal against several classes of attacks. We describe a collision attack that matches the proven security bound, and we show how to find preimages in time 2^n. For optimum security the complexities of finding collisions and preimages for a 2n-bit compression function should be 2^n and 2^{2n}, respectively. We also show that if the output is truncated to s ≤ 2n bits, one can find collisions in time roughly 2^{s/3} and preimages in time roughly 2^{s/2}. These attacks illustrate some important weaknesses of the FSE 2005 proposal, although none of them actually contradicts the proof of security.
- Block Ciphers and Hash Functions | Pp. 462-473
doi: 10.1007/11593447_26
A Failure-Friendly Design Principle for Hash Functions
Stefan Lucks
This paper reconsiders the established Merkle-Damgård design principle for iterated hash functions. The internal state size w of an iterated n-bit hash function is treated as a security parameter in its own right. In a formal model, we show that increasing w quantifiably improves security against certain attacks, even if the compression function fails to be collision resistant. We propose the wide-pipe hash, which internally uses a w-bit compression function, and the double-pipe hash, with w = 2n and an n-bit compression function used twice in parallel.
Keywords: hash function; provable security; multi-collision; failure-friendliness.
- Block Ciphers and Hash Functions | Pp. 474-494
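One of the attacks that the width of the internal state governs is Joux's multicollision: against a narrow-pipe Merkle-Damgård hash (w = n), k birthday searches of about 2^(w/2) work each yield 2^k messages with the same digest. The Python script below is an added example, not code from the paper or this catalogue entry. It runs that attack against a toy iterated hash whose compression function is a constructed stand-in (the first w bits of SHA-256 over the chaining value and the block), once with w = n = 16 and once with a wide pipe w = 2n = 32 truncated to n bits at the end. The block format, IVs, widths and the SHA-256-based toy compression function are arbitrary choices for the demonstration; the double-pipe variant is not shown.

```python
"""Joux-style multicollisions: narrow-pipe vs wide-pipe iterated hash.

The toy compression function is the first w bits of SHA-256(h || m).  It stands
in for an arbitrary w-bit compression function and is a constructed example,
not a construction from the paper.  Block size, IVs and widths are demo choices.
"""
import hashlib
from itertools import count


def make_compress(w_bits: int):
    """Return f(h, m) -> w-bit chaining value (w_bits is a multiple of 8)."""
    w_bytes = w_bits // 8

    def f(h: bytes, m: bytes) -> bytes:
        return hashlib.sha256(h + m).digest()[:w_bytes]

    return f


def block_collision(f, h: bytes):
    """Birthday search for m != m' with f(h, m) == f(h, m').
    Returns (m, m', next_h, trials); expected cost is about 2^(w/2) trials."""
    seen = {}
    for n in count():
        m = n.to_bytes(4, "big")          # fixed-width 4-byte message blocks
        out = f(h, m)
        if out in seen:
            return seen[out], m, out, n + 1
        seen[out] = m


def joux_multicollision(w_bits: int, k: int, iv: bytes):
    """Chain k block collisions: 2^k distinct k-block messages, one w-bit state.
    Returns (per-block choices, final chaining value, total trials)."""
    f = make_compress(w_bits)
    h, choices, trials = iv, [], 0
    for _ in range(k):
        m0, m1, h, t = block_collision(f, h)
        choices.append((m0, m1))
        trials += t
    return choices, h, trials


def expand(choices):
    """All 2^k messages (as lists of blocks) selectable from the per-block pairs."""
    msgs = [[]]
    for m0, m1 in choices:
        msgs = [m + [c] for m in msgs for c in (m0, m1)]
    return msgs


def pipe_hash(w_bits: int, n_bits: int, iv: bytes, blocks) -> bytes:
    """Merkle-Damgard iteration on a w-bit state, output truncated to n bits.
    w == n is the classic narrow pipe; w > n is the wide pipe."""
    f = make_compress(w_bits)
    h = iv
    for m in blocks:
        h = f(h, m)
    return h[: n_bits // 8]


def compare(k: int = 3, n_bits: int = 16) -> dict:
    """2^k-collision on an n-bit output: narrow pipe (w = n) vs wide pipe (w = 2n)."""
    result = {}
    for label, w_bits in (("narrow", n_bits), ("wide", 2 * n_bits)):
        iv = bytes(w_bits // 8)            # all-zero IV of the state width
        choices, _, trials = joux_multicollision(w_bits, k, iv)
        digests = {pipe_hash(w_bits, n_bits, iv, m) for m in expand(choices)}
        result[label] = {"messages": 2 ** k,
                         "distinct_digests": len(digests),
                         "trials": trials}
    return result


if __name__ == "__main__":
    for label, r in compare().items():
        print(label, r)
```

Both runs end with all 2^k messages sharing one 16-bit digest, but the trial counts differ by orders of magnitude: each chaining-value collision costs about 2^8 trials on the narrow pipe and about 2^16 = 2^n on the wide pipe, which is of the same order as attacking the n-bit output generically. That is the kind of quantifiable gain from a larger w that the abstract describes, obtained without assuming anything extra about the compression function.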
doi: 10.1007/11593447_27
Identity-Based Hierarchical Strongly Key-Insulated Encryption and Its Application
Yumiko Hanaoka; Goichiro Hanaoka; Junji Shikata; Hideki Imai
In this paper, we discuss non-interactive updating of decryption keys in identity-based encryption (IBE). In practice, key revocation is a necessary and inevitable process, and IBE is no exception when it comes to managing revocation of decryption keys without losing its efficiency advantages. The main contribution of this paper is to propose novel constructions of IBE in which a decryption key can be renewed without any change to the public key, i.e. the user's identity. We achieve this by extending hierarchical IBE (HIBE). Regarding security, we address semantic security against adaptive chosen ciphertext attacks in a very strong attack environment that models all possible types of key exposure, in the random oracle model. In addition, we show a method of constructing a partially collusion-resistant HIBE from an arbitrary IBE in the random oracle model. By combining both results, we can construct an IBE with non-interactive key update from only an arbitrary IBE.
- Bilinear Maps | Pp. 495-514
doi: 10.1007/11593447_28
Efficient and Provably-Secure Identity-Based Signatures and Signcryption from Bilinear Maps
Paulo S. L. M. Barreto; Benoît Libert; Noel McCullagh; Jean-Jacques Quisquater
In this paper we describe a new identity-based signcryption (IBSC) scheme built upon bilinear maps. This scheme turns out to be more efficient than all others proposed so far. We prove its security in a formal model under recently studied computational assumptions and in the random oracle model. As a result of independent interest, we propose a new provably secure identity-based signature (IBS) scheme that is also faster than all known pairing-based IBS methods.
Keywords: Signature Scheme; Random Oracle; Security Proof; Random Oracle Model; Signcryption Scheme.
- Bilinear Maps | Pp. 515-532
doi: 10.1007/11593447_29
Verifier-Local Revocation Group Signature Schemes with Backward Unlinkability from Bilinear Maps
Toru Nakanishi; Nobuo Funabiki
One approach to membership revocation in group signatures is verifier-local revocation (VLR for short). In this approach, only verifiers are involved in the revocation mechanism, while signers are not involved at all. Since it places no load on signers, this approach is suitable for mobile environments. Although Boneh and Shacham recently proposed a VLR group signature scheme from bilinear maps, their scheme does not satisfy backward unlinkability. Backward unlinkability means that even after a member is revoked, signatures produced by that member before the revocation remain anonymous. In this paper, we propose VLR group signature schemes with backward unlinkability from bilinear maps.
Keywords: Hash Function; Random Oracle; Random Oracle Model; Extended Scheme; Random Guess.
- Bilinear Maps | Pp. 533-548
doi: 10.1007/11593447_30
Modular Security Proofs for Key Agreement Protocols
Caroline Kudla; Kenneth G. Paterson
The security of key agreement protocols has traditionally been notoriously hard to establish. In this paper we present a modular approach to the construction of proofs of security for a large class of key agreement protocols. By following a modular approach to proof construction, we hope to enable simpler and less error-prone analysis and proof generation for such key agreement protocols. The technique is compatible with Bellare-Rogaway style models as well as the more recent models of Bellare et al. and Canetti and Krawczyk. In particular, we show how the use of a decisional oracle can aid the construction of proofs of security for this class of protocols and how the security of these protocols commonly reduces to some form of Gap assumption.
Keywords: Random Oracle; Security Model; Perfect Forward Secrecy; Test Oracle; Strong Partner.
- Key Agreement | Pp. 549-565