An algorithm for cryptanalysis of certain keystream generators is proposed. The developed algorithm has the following two advantages over other reported ones: it is more powerful, and it can be implemented by a high-speed software or a simple hardware suitable for high parallel architectures. The algorithm is based on error-correction of information bits only (of the corresponding binary block code) with a novel method for construction of the parity-checks, and the employed error-correction procedure is an APP based threshold decoding. Experimental and theoretical analyses of the algorithm performance are presented, and its complexity is evaluated. The proposed algorithm is compared with recently proposed improved fast correlation attacks based on convolutional codes and turbo decoding. The underlying principles, performance and complexity are compared, and the gain obtained with the novel approach is pointed out.

Internet Key Exchange (IKE) is very important as an entrance to secure communication over the Internet. The first phase of IKE is based on Diffie-Hellman (DH) key-agreement protocol. Since DH protocol on its own is vulnerable to man-in-the-middle (MIM) attack, IKE provides authentication to protect the protocol from MIM. This authentication owes a lot to public-key primitives whose implementation includes modular exponentiation. Since modular exponentiation is computationally expensive, attackers are motivated to abuse it for Denial-of-Service (DoS) attacks; computational burden caused by malicious requests may exhaust the CPU resource of the target. DoS attackers can also abuse inappropriate use of Cookies in IKE; as an anti-clogging token, Cookie must eliminate the responder's state during initial exchanges of the protocol while IKE Cookies do not. Thus a large number of malicious requests may exhaust the memory resource of the target. In search of resistance against those DoS attacks, this paper first reviews DoS-resistance of the current version of IKE and basic ideas on DoS-protection. The paper then proposes a DoS-resistant version of three-pass IKE Phase 1 where attackers are discouraged by heavy stateful computation they must do before the attack really burdens the target. DoS-resistance is evaluated in terms of the computational cost and the memory cost caused by bogus requests. The result shows that the proposed version gives the largest ratio of the attacker's cost to the responder's cost.

A function can be represented in many ways. A representation O of a function f is called 'obscure' if O is different from the representation D used as the definition of f and if it is (or, seems to be) computationally infeasible to get D from O. Such an obscure representation is useful for cryptographic techniques so that it is important to estimate its descriptive and executive complexity. We present a complexity-estimation method for certain functions used to constructing asymmetric cryptosystems. Let m be a positive integer and let K, Km, and L denote the field {0, 1}, the set of all m-tuples over K, and an extention field or order m over K, respectively. The objective function is a composit g:Km Km of three functions s, e, and t, where s:Km L and t:L Km are affine and e:L L is defined by a univariate polynomial e over L. The obscure representation of g is an m-tuple g of m-variate polynomials over K. The complexity respect to g is well measured by its degree. So we give a theorem for estimating the degree of g in terms of a characteristic quantity of the polynomial e.

To utilize the common-key encryption foe the message protection in a communication network, it is desired to settle the problem of how to distribute the common keys. This paper discusses a sort of schemes (the direct schemes, we call) that smartly provide different keys in different communications. Such a property has not attained via the basic scheme for the public key distribution systems proposed by Diffie and Hellman. This paper shows that the recently introduced five direct schemes are classified into three sets (called sequences) of infinite schemes, and points out that there are some tight relations among the sequences. And it is clarified which is the best in the three sequences by a systematic evaluation of the complexities for the normal update and for the deliberate forgery of the shared common keys.

Let γ and n be positive integers. An integer z with gcd(z, n)1 is called a γth-residue mod n if there exists an integer x such that zxγ (mode n), or a γth-nonresidue mod n if there doesn't exist such an x. Denote by Z*n the set of integers relatively prime to n between 0 and n. The problem of determining whether or not a randomly selected element zZ*n is a γth-residue mod n is called the γth-Residuosity Problem (γth-RP), and appears to be intractable when n is a composite integer whose factorization is unknown. In this paper, we explore some important properties of γth-RP for the case where γ is an odd integer greater than 2, and discuss its applications to cryptography. Based on the difficulty or γth-RP, we generalize the Goldwasser-Micali bit-by-bit probabilistic encryption to a block-by-block probabilistic one, and propose a direct protocol for the dice casting problem over a network. This problem is a general one which includes the well-studied coin flipping problem.

Unforgeability of digital signatures is closely related to the security of hash functions since hashing messages, such as hash-and-sign paradigm, is necessary in order to sign (arbitrarily) long messages. Recent successful collision finding attacks against practical hash functions would indicate that constructing practical collision resistant hash functions is difficult to achieve. Thus, it is worth considering to relax the requirement of collision resistance for hash functions that is used to hash messages in signature schemes. Currently, the most efficient strongly unforgeable signature scheme in the standard model which is based on the CDH assumption (in bilinear groups) is the Boneh-Shen-Waters (BSW) signature proposed in 2006. In their scheme, however, a collision resistant hash function is necessary to prove its security. In this paper, we construct a signature scheme which has the same properties as the BSW scheme but does not rely on collision resistant hash functions. Instead, we use a target collision resistant hash function, which is a strictly weaker primitive than a collision resistant hash function. Our scheme is, in terms of the signature size and the computational cost, as efficient as the BSW scheme.

This paper proposes a novel one-way hash function that can serve as a tool in achieving authenticity and data integrity. The one-way hash function can be viewed as a representative of a family of fast dedicated one-way hash functions whose construction is based on linear cellular automata over GF(a). The design and analysis of security of the function is accomplished by the use of very recently published results on cellular automata and their applications in cryptography. The analysis indicates that the one-way hash function is secure against all known attacks. A promising property of the proposed one-way hash function is that it is especially suitable for compact and fast implementation.

In the literature, many cryptosystems have been proposed to be secure under the Strong Diffie-Hellman (SDH) and related problems. For example, there is a cryptosystem that is based on the SDH/related problem or allows the Diffie-Hellman oracle. If the cryptosystem employs general domain parameters, this leads to a significant security loss caused by Cheon's algorithm [14], [15]. However, all elliptic curve domain parameters explicitly recommended in the standards (e.g., ANSI X9.62/63 [1], [2], FIPS PUB 186-4 [43], SEC 2 [50], [51]) are susceptible to Cheon's algorithm [14], [15]. In this paper, we first prove that (q-1)(q+1) is always divisible by 24 for any prime order q>3. Based on this result and depending on small divisors d1,d2≤(log q)2, we classify primes q>3, such that both (q-1)/d1 and (q+1)/d2 are primes, into Perfect, Semiperfect, SEC1v2 and Acceptable. Then, we describe algorithmic procedures and show their simulation results of secure elliptic curve domain parameters over prime/character 2 finite fields resistant to Cheon's algorithm [14], [15]. Also, several examples of the secure elliptic curve domain parameters (including Perfect or Semiperfect prime q) are followed.

A technique is presented for constructing (d,k) block codes capable of detecting single bit errors and single peak-shift errors in consecutive two runs. This constrains the runlengths in the code sequences to odd numbers. The capacities and the cardinalities for finite code length of these codes are described. A technique is also proposed for constructing (d,k) block codes capable of correcting single peak-shift errors.

This paper presents a non-interactive verifiable secret sharing scheme (VSS) tolerating a dishonest majority based on data pre-distributed by a trusted authority. As an application of this VSS scheme we present very efficient unconditionally secure protocols for performing multiplication of shares based on pre-distributed data which generalize two-party computations based on linear pre-distributed bit commitments. The main results of this paper are a non-interactive VSS, a simplified multiplication protocol for shared values based on pre-distributed random products, and non-interactive zero knowledge proofs for arbitrary polynomial relations. The security of the schemes is proved using the UC framework.

Interference Cancellation (IC) receivers can be used in CDMA cellular systems to improve the capacity. The IC receivers can be divided into two main categories, Single-User Detectors (SUD) and Multi-User Detectors (MUD). They have different characteristics in terms of intra-cell and inter-cell interference cancellation ability. In this paper we propose two new IC receivers that combines the properties of SUD and MUD receivers. The first one is a Serial IC receiver followed by the Normalized Griffiths' algorithm (SING). The second one is an Integrated Serial IC and Normalized Griffiths' algorithm (iSING). We first compare their basic single-cell performance with the conventional RAKE receiver, the Serial IC and the Normalized Griffiths' Algorithm. Next, we examine their multi-cell performance by doing multi-cell link-level simulations. The results show that even though the Serial IC receiver has good single-cell performance, the proposed receivers have as much as 35-40% higher capacity than the Serial IC receiver in the multi-cell case under the ideal conditions assumed in this paper.

We have introduced the first electronic cash scheme with unconditional security. That is, even malicious users with unlimited computational ability cannot forge a coin and cannot change user's identity secretly embedded in each coin. While, the spender's anonymity is preserved by our new blind signature scheme based on unconditionally secure signature proposed in [7]. But the anonymity is preserved only computationally under the assumption that Decisional Diffie-Hellman Problem is intractable.

Viterbi decoding is known as a decoding scheme that can realize maximum likelihood decoding. However, it is impossible to continue it without re-synchronization even if only an insertion/deletion error occurs in a channel. In this paper, we show that Levenshtein distance is suitable for the metric of Viterbi decoding in a channel where not only symbol errors but also insertion/deletion errors occur under some conditions and we propose a kind of Viterbi decoding considering insertion/deletion errors.

We propose a new group signature scheme which is secure if we assume the Decision Diffie-Hellman assumption, the q-Strong Diffie-Hellman assumption, and the existence of random oracles. The proposed scheme is the most efficient among the all previous group signature schemes in signature length and in computational complexity. This paper is the full version of the extended abstract appeared in ACISP 2005 [17].

A lot of encryption and watermarking schemes have been developed as countermeasures to protect copyrights of broadcast or multicast content from malicious subscribers (traitors) that make pirate receivers (PRs) to use the content illegally. However, solo use of these schemes does not necessarily work well. Traitor tracing encryption schemes are a type of broadcasting encryption and have been developed for broadcasting and multicast services. There are multiple distinct decryption keys for each encryption key, and each service subscriber is given a unique decryption key. Any subscriber that redistributes his or her decryption key to a third party or who uses it and maybe other keys to make a PR can be identified with using the tracing algorithm of the scheme that is used by the services. However, almost all previous schemes have the same weakness; that is, they are vulnerable to an attack (content comparison attack). This is a concrete example such that solo use of the scheme does not work well. The attack involves multiple distinct decryption keys and a content-data comparison mechanism. We have developed a method, called complementary traitor tracing method (CTT), that makes traitor tracing schemes secure against content comparison attacks. It makes it impossible for PRs to distinguish ordinary content data from test data and makes traitor tracing schemes effective against all PRs, even those with multiple distinct decryption keys. CTT is made with a simple combination of schemes that are absolutely necessary. It makes broadcasting or multicast services secure.

A novel family of keystream generators is proposed employing a linear cellular automata over GF (q) with time-varying transition rule. The analysis indicates that the generator, which is the general member of the family, reaches standard minimal security conditions (large period and good statistical properties) and that it is secure against all known attacks. An important feature of the proposed generators is that they are compact and suitable for high speed applications.

S(ubstitution)-boxes are quite important components of modern symmetric cryptosystems. S-boxes bring nonlinearity to cryptosystems and strengthen their cryptographic security. An S-box satisfies the strict avalanche criterion (SAC), if and only if for any single input bit of the S-box, the inversion of it changes each output bit with probability one half. This paper presents some interesting properties of S-boxes and proposes an efficient and systematic means of generating arbitrary input size bijective S-boxes satisfying SAC.

Runlength-limited block codes are investigated. These codes are useful for storing data in storage devices. Since most devices are not noiselss, the codes are often required to have some error-control capability. We consider runlength-limited codes that can correct or detect unidirectional byte errors. Some constructions of such codes are presented.

Security protocols flaws represent a substantial portion of security exposures of data networks. In order to evaluate security protocols against any attack, formal methods are equipped with a number of techniques. Unfortunately, formal methods are applicable for static state only, and don't guarantee detecting all possible flaws. Therefore, formal methods should be complemented with dynamic protection. Anomaly detection systems are very suitable for security protocols environments as dynamic activities protectors. This paper presents an intrusion detection system that uses a number of different anomaly detection techniques to detect attacks against security protocols.

This paper presents new algorithms for the Tate pairing on a prime field. Recently, many pairing-based cryptographic schemes have been proposed. However, computing pairings incurs a high computational cost and represents the bottleneck to using pairings in actual protocols. This paper shows that the proposed algorithms reduce the cost of multiplication and inversion on an extension field, and reduce the number of calculations of the extended finite field. This paper also discusses the optimal algorithm to be used for each pairing parameter and shows that the total computational cost is reduced by 50% if k = 6 and 57% if k = 8.