Entity

Time filter

Source Type


Zhang B.,CAS Institute of Software | Zhang B.,State Key Laboratory of Cryptology | Gong X.,CAS Institute of Software
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2015

Sprout is a new lightweight stream cipher with shorter internal state proposed at FSE 2015, using key-dependent state updating in the keystream generation phase. Some analyses have been available on eprint so far. In this paper, we extend the design paradigm in general and study the security of Sprout-like ciphers in a unified framework. Our new penetration is to investigate the k-normality of the augmented function, a vectorial Boolean function derived from the primitive. Based on it, a dedicated time/memory/data tradeoff attack is developed for such designs. It is shown that Sprout can be broken in 279 −x −y time, given [c (2x + 2y − 58) · 271 −x −y]-bit memory and 29+x+y-bit keystream, where x/y is the number of forward/backward steps and c is a small constant. Our attack is highly flexible and compares favorably to all the previous results. With carefully chosen parameters, the new attack is at least 220 times faster than Lallemand/Naya-Plasencia attack at Crypto 2015, Maitra et al. attack and Banik attack, 210 times faster than Esgin/Kara attack with much less memory. © International Association for Cryptologic Research 2015. Source


Wang H.,Nanjing University of Posts and Telecommunications | Wang H.,State Key Laboratory of Cryptology | He D.,Wuhan University | Tang S.,South China University of Technology
IEEE Transactions on Information Forensics and Security | Year: 2016

More and more clients would like to store their data to public cloud servers (PCSs) along with the rapid development of cloud computing. New security problems have to be solved in order to help more clients process their data in public cloud. When the client is restricted to access PCS, he will delegate its proxy to process his data and upload them. On the other hand, remote data integrity checking is also an important security problem in public cloud storage. It makes the clients check whether their outsourced data are kept intact without downloading the whole data. From the security problems, we propose a novel proxy-oriented data uploading and remote data integrity checking model in identity-based public key cryptography: identity-based proxy-oriented data uploading and remote data integrity checking in public cloud (ID-PUIC). We give the formal definition, system model, and security model. Then, a concrete ID-PUIC protocol is designed using the bilinear pairings. The proposed ID-PUIC protocol is provably secure based on the hardness of computational Diffie-Hellman problem. Our ID-PUIC protocol is also efficient and flexible. Based on the original client's authorization, the proposed ID-PUIC protocol can realize private remote data integrity checking, delegated remote data integrity checking, and public remote data integrity checking. © 2016 IEEE. Source


Wang H.,Dalian Ocean University | Wang H.,State Key Laboratory of Cryptology | He D.,Wuhan University
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2016

Since public clouds are untrusted by many consumers, it is important to check whether their remote data keeps intact. Sometimes, it is necessary for many clients to cooperate to store their data in the public clouds. For example, a file needs many clients’ approval before it is stored in the public clouds. Specially, different files need different client subsets’ approval. After that, these stored remote data will be proved possession by the verifier. In some cases, the verifier has no ability to perform remote data possession proof, for example, the verifier is in the battlefield because of the war. It will delegate this task to its proxy. In this paper, we propose the concept of proxy provable data possession (PPDP) which supports a general access structure. We propose the corresponding system model, security model and a concrete PPDP protocol from n-multilinear map. Our concrete PPDP protocol is provably secure and efficient by security analysis and performance analysis. Since our proposed PPDP protocol supports the general access structure, only the clients of an authorized subset can cooperate to store the massive data to PCS (Public Cloud Servers), and it is impossible for those of an unauthorized subset to store the data to PCS. © Springer International Publishing Switzerland 2016. Source


He D.,Wuhan University | He D.,State Key Laboratory of Cryptology | Zeadally S.,University of Kentucky | Kumar N.,Thapar University | Wu W.,Fujian Normal University
IEEE Transactions on Information Forensics and Security | Year: 2016

Rapid advances in wireless communication technologies have paved the way for a wide range of mobile devices to become increasingly ubiquitous and popular. Mobile devices enable anytime, anywhere access to the Internet. The fast growth of many types of mobile services used by various users has made the traditional single-server architecture inefficient in terms of its functional requirements. To ensure the availability of various mobile services, there is a need to deploy multi-server architectures. To ensure the security of various mobile service applications, the anonymous mobile user authentication (AMUA) protocol without online registration using the self-certified public key cryptography (SCPKC) for multi-server architectures was proposed in the past. However, most of the past AMUA solutions suffer from malicious attacks or have unacceptable computation and communication costs. To address these drawbacks, we propose a new AMUA protocol that uses the SCPKC for multi-server architectures. In contrast to the existing AMUA protocols, our proposed AMUA protocol incurs lower computation and communication costs. By comparing with two of the latest AMUA protocols, the computation and the communication costs of our protocol are at least 74.93% and 37.43% lower than them, respectively. Moreover, the security analysis of our AMUA protocol demonstrates that it satisfies the security requirements in practical applications and is provably secure in the novel security model. By maintaining security at various levels, our AMUA protocol is more practical for various mobile applications. © 2005-2012 IEEE. Source


Chen H.,Shandong University | Cui T.,Shandong University | Wang M.,Shandong University | Wang M.,State Key Laboratory of Cryptology
Designs, Codes, and Cryptography | Year: 2016

The multidimensional linear cryptanalysis and the multidimensional zero-correlation linear cryptanalysis have been widely used in the attacks on block ciphers. In the multidimensional linear cryptanalysis with (Formula presented.)-method and the multidimensional zero-correlation linear cryptanalysis, the statistics used to distinguish the right key and wrong keys are calculated from the probability distribution of multidimensional (zero-correlation) linear approximations. In this paper, we show that the statistics can be computed directly from the empirical correlations of multidimensional (zero-correlation) linear approximations for random plaintext set. In this way, the computation cost of the probability distribution can be removed. In the situation where FFT technique can be applied to calculate the correlations, our proposed computing method for the statistics can decrease the time complexity of multidimensional (zero-correlation) linear cryptanalysis. As an illustration, the Feistel network with bijective round functions consisting of the modular additions or XORs with subkeys and CAST-256 have been attacked with our revised multidimensional zero-correlation linear cryptanalysis. Our attacks on such kind of Feistel networks are the best according to the number of rounds and we improved the previous multidimensional zero-correlation attack on CAST-256 from 28 to 29 rounds. Compared with the best attack on 29-round CAST-256 with multiple zero-correlation linear cryptanalysis method, our attack leads to the same complexity but without any assumption of independence. Therefore our attack on CAST-256 is the best attack without any assumption. © 2016 Springer Science+Business Media New York Source

Discover hidden collaborations