State Key Laboratory of Cryptology

Beijing, China


Zheng Y.,CAS Institute of Software | Zheng Y.,State Key Laboratory of Cryptology | Wu W.,CAS Institute of Software
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2017

SKINNY is a lightweight tweakable block cipher, which was proposed at CRYPTO 2016. This paper presents an optimized brute-force attack on full SKINNY using a biclique attack with partial matching and precomputation. The results show that full-round SKINNY64/64 is not secure against a balanced biclique attack: the data complexity is 2^48 and the time complexity is 2^62.92, which is only a very small advantage over brute force. Furthermore, an unbalanced biclique attack is considered, which improves the time complexity to 2^62.82. Moreover, in order to be immune to biclique attacks, the number of rounds of SKINNY64/64 needs to be increased by 4, to 36 rounds. Other versions of SKINNY do not admit a full-round biclique attack, owing to their larger number of encryption rounds. © Springer International Publishing AG 2017.

Wang D.,China Aerospace Science and Technology Corporation | Wang A.,State Key Laboratory of Cryptology | Wang A.,Tsinghua University
KSII Transactions on Internet and Information Systems | Year: 2017

The correlation-enhanced collision attack was proposed by Moradi et al. several years ago. However, in practical operation, this method spends a lot of time on trace acquisition, storage and averaging because of its bytewise collision detection. In this paper, we propose a bitwise collision attack based on a second-order distance model. With this method, only 9 averaged traces are enough to complete a collision attack. Furthermore, two candidate models for distinguishing collisions are given in this study, and the corresponding practical experiments are performed. The experimental results indicate that the running time of our attack is only 8% of that of the correlation-enhanced collision attack when both success rates are above 0.9. © 2017 KSII.

He D.,Wuhan University | He D.,Fujian Normal University | Zeadally S.,University of Kentucky | Xu B.,Nanjing University | And 2 more authors.
IEEE Transactions on Information Forensics and Security | Year: 2015

By wirelessly broadcasting messages about traffic status to vehicles, a vehicular ad hoc network (VANET) can improve traffic safety and efficiency. To guarantee secure communication in VANETs, security and privacy issues must be addressed before their deployment. The conditional privacy-preserving authentication (CPPA) scheme is suitable for solving the security and privacy-preserving problems in VANETs, because it supports both mutual authentication and privacy protection simultaneously. Many identity-based CPPA schemes for VANETs using bilinear pairings have been proposed over the last few years to enhance security or to improve performance. However, it is well known that the bilinear pairing operation is one of the most expensive operations in modern cryptography. To achieve better performance and reduce the computational complexity of information processing in VANETs, designing a CPPA scheme for the VANET environment that does not use bilinear pairings becomes a challenge. To address this challenge, we propose a CPPA scheme for VANETs that does not use bilinear pairings, and we demonstrate that it supports both mutual authentication and privacy protection simultaneously. Our proposed CPPA scheme retains most of the benefits of the previously proposed CPPA schemes. Moreover, the proposed CPPA scheme yields better performance in terms of computation cost and communication cost, making it suitable for use by VANET safety-related applications. © 2005-2012 IEEE.

Wang H.,Dalian Ocean University | Wang H.,State Key Laboratory of Cryptology | He D.,Wuhan University
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2016

Since public clouds are untrusted by many consumers, it is important to check whether their remote data remains intact. Sometimes it is necessary for many clients to cooperate to store their data in the public cloud; for example, a file may need many clients' approval before it is stored, and different files may need the approval of different client subsets. After that, the verifier checks possession of the stored remote data. In some cases the verifier is unable to perform the remote data possession proof itself (for example, because it is on the battlefield during a war) and delegates this task to its proxy. In this paper, we propose the concept of proxy provable data possession (PPDP) supporting a general access structure. We propose the corresponding system model and security model, and a concrete PPDP protocol built from an n-multilinear map. Security analysis and performance analysis show that our concrete PPDP protocol is provably secure and efficient. Since our proposed PPDP protocol supports a general access structure, only the clients of an authorized subset can cooperate to store massive data on PCS (Public Cloud Servers), and it is impossible for the clients of an unauthorized subset to store data on PCS. © Springer International Publishing Switzerland 2016.

Wang T.,Purdue University | Zhaoy Y.,Fudan University | Zhaoy Y.,State Key Laboratory of Cryptology
ASIA CCS 2016 - Proceedings of the 11th ACM Asia Conference on Computer and Communications Security | Year: 2016

Cloud storage services such as Dropbox [1] and Google Drive [2] are becoming more and more popular. On the one hand, they provide users with mobility, scalability, and convenience. On the other hand, privacy issues arise when the storage is no longer fully controlled by users. Although modern encryption schemes are effective at protecting the content of data, the encryption-before-outsourcing approach has two drawbacks: first, one kind of sensitive information, the access pattern of the data, is left unprotected; second, encryption usually makes the data difficult to use. In this paper, we propose AIS (Access Indistinguishable Storage), the first client-side system that can partially conceal the access pattern of cloud storage in constant time. Besides data content, AIS can conceal the number of initial files and the length of each initial file. In the access phase after initiation, AIS can effectively conceal the behavior (read or write) and the target file of the current access. Moreover, the existence and length of each file remain confidential as long as there is no access after initiation. One application of AIS is SSE (Searchable Symmetric Encryption), which makes encrypted data searchable. Based on AIS, we propose SBA (SSE Built on AIS). To the best of our knowledge, SBA is safer than any other SSE system of the same complexity, and SBA is the first to conceal whether the current keyword was queried before, the first to conceal whether the current operation is an addition or a deletion, and the first to support direct modification of files. © 2016 Copyright held by the owner/author(s).

Zhang B.,CAS Institute of Software | Zhang B.,State Key Laboratory of Cryptology | Gong X.,CAS Institute of Software
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2015

Sprout is a new lightweight stream cipher with a shorter internal state, proposed at FSE 2015, which uses key-dependent state updating in the keystream generation phase. Some analyses have been available on ePrint so far. In this paper, we extend the design paradigm in general and study the security of Sprout-like ciphers in a unified framework. Our new approach is to investigate the k-normality of the augmented function, a vectorial Boolean function derived from the primitive. Based on it, a dedicated time/memory/data tradeoff attack is developed for such designs. It is shown that Sprout can be broken in 2^(79−x−y) time, given c·(2^x + 2^y − 58)·2^(71−x−y) bits of memory and a 2^(9+x+y)-bit keystream, where x/y is the number of forward/backward steps and c is a small constant. Our attack is highly flexible and compares favorably with all previous results. With carefully chosen parameters, the new attack is at least 2^20 times faster than the Lallemand/Naya-Plasencia attack at Crypto 2015, the Maitra et al. attack and the Banik attack, and 2^10 times faster than the Esgin/Kara attack, with much less memory. © International Association for Cryptologic Research 2015.

Qu L.,National University of Defense Technology | Qu L.,State Key Laboratory of Cryptology
IEEE Transactions on Information Theory | Year: 2016

Planar functions over finite fields give rise to finite projective planes. They have also been used in the construction of DES-like iterated ciphers, error-correcting codes, and codebooks. They were originally defined only over finite fields of odd characteristic, but recently Zhou introduced pseudo-planar functions in even characteristic, which yield similar applications. All known pseudo-planar functions are quadratic and hence give presemifields. In this paper, a new approach to constructing quadratic pseudo-planar functions is given. Then five explicit families of pseudo-planar functions are constructed, one of which is a binomial, two of which are trinomials, and the other two of which are quadrinomials. All known pseudo-planar functions are revisited, and some of them are generalized. These functions not only lead to projective planes, relative difference sets and presemifields, but also give optimal codebooks meeting the Levenstein bound, complete sets of mutually unbiased bases (MUB) and compressed sensing matrices with low coherence. © 2016 IEEE.

Chen Y.,Chinese Academy of Sciences | Chen Y.,State Key Laboratory of Cryptology | Zhang Z.,Japan National Institute of Advanced Industrial Science and Technology
Journal of Computer Security | Year: 2016

We put forth the notion of publicly evaluable pseudorandom functions (PEPRFs), which can be viewed as a counterpart of standard pseudorandom functions (PRFs) in the public-key setting. Briefly, PEPRFs are defined over a domain X containing a language L associated with a hard relation R_L, and each secret key sk is associated with a public key pk. For any x ∈ L, in addition to evaluating F_sk(x) using sk as in standard PRFs, one is also able to evaluate F_sk(x) given pk, x and a witness w for x ∈ L. We consider two security notions for PEPRFs. The basic one is weak pseudorandomness, which stipulates that a PEPRF cannot be distinguished from a truly random function on uniformly random inputs. The strengthened one is adaptive weak pseudorandomness, which requires that a PEPRF remain weakly pseudorandom even when an adversary is given adaptive access to an evaluation oracle. We conduct a formal study of PEPRFs, focusing on applications, constructions, and extensions.
• We show how to construct chosen-plaintext secure (CPA) and chosen-ciphertext secure (CCA) public-key encryption (PKE) schemes from (adaptive) PEPRFs. The construction is simple, black-box, and admits a direct proof of security. We provide evidence that (adaptive) PEPRFs exist by showing constructions from injective trapdoor functions, hash proof systems, extractable hash proof systems, as well as a construction from puncturable PRFs with program obfuscation.
• We introduce the notion of publicly sampleable PRFs (PSPRFs), which is a relaxation of PEPRFs but nonetheless implies PKE. We show that (adaptive) PSPRFs are implied by (adaptive) trapdoor relations. This helps us to unify and clarify many PKE schemes from seemingly unrelated general assumptions and paradigms under the notion of PSPRFs.
• We explore a similar extension of the recently emerging constrained PRFs, and introduce the notion of publicly evaluable constrained PRFs, which, as an immediate application, implies attribute-based encryption.
• We propose a twist on PEPRFs, which we call publicly evaluable and verifiable functions (PEVFs). Compared to PEPRFs, PEVFs have an additional promising property, public verifiability, while the best possible security degrades to unpredictability. We justify the applicability of PEVFs by presenting a simple construction of "hash-and-sign" signatures, both in the random oracle model and in the standard model. © 2016 - IOS Press and the authors. All rights reserved.

Heng Z.,Nanjing University of Aeronautics and Astronautics | Heng Z.,State Key Laboratory of Cryptology | Yue Q.,Nanjing University of Aeronautics and Astronautics | Yue Q.,State Key Laboratory of Cryptology
IEEE Transactions on Information Theory | Year: 2016

Cyclic codes with a few weights are very useful in the design of frequency hopping sequences and the development of secret sharing schemes. In this paper, we mainly use Gauss sums to represent the Hamming weights of cyclic codes whose duals have two zeroes. A lower bound on the minimum Hamming distance is determined. In some cases, we give the Hamming weight distributions of the cyclic codes. In particular, we obtain a class of three-weight optimal cyclic codes achieving the Griesmer bound, which generalizes a result of Vega, and several classes of cyclic codes with a few weights, which solve an open problem proposed by Vega. © 1963-2012 IEEE.

Zhang J.,State Key Laboratory of Cryptology | Chen Y.,Chinese Academy of Sciences | Zhang Z.,Information Assurance
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2016

Driven by the open problem raised by Hofheinz and Kiltz [34], we study the formalization of lattice-based programmable hash functions (PHFs), and give two types of constructions using several techniques, such as a novel combination of cover-free sets and lattice trapdoors. Under the Inhomogeneous Small Integer Solution (ISIS) assumption, we show that any (non-trivial) lattice-based PHF is collision-resistant, which gives a direct application of this new primitive. We further demonstrate the power of lattice-based PHFs by giving generic constructions of signature and identity-based encryption (IBE) schemes in the standard model, which not only provide a way to unify several previous lattice-based schemes using the partitioning proof technique, but also allow us to obtain a new short signature scheme and a new fully secure IBE scheme with keys consisting of a logarithmic number of matrices/vectors in the security parameter κ. Besides, we also give a refined way of combining two concrete PHFs to construct an improved short signature scheme with short verification keys from weaker assumptions. In particular, our methods depart from the confined guessing technique of Böhl et al. [8], which was used to construct the previous standard-model short signature schemes with short verification keys by Ducas and Micciancio [24] and by Alperin-Sheriff [6], and allow us to achieve existential unforgeability against chosen message attacks (EUF-CMA) without resorting to chameleon hash functions. © International Association for Cryptologic Research 2016.
