Feng Dengguo
Chinese Academy of Sciences
Publication
Featured researches published by Feng Dengguo.
Science in China Series F: Information Sciences | 2007
Shen ChangXiang; Zhang HuangGuo; Feng Dengguo; Cao Zhenfu; Huang JiWu
The 21st century is the age of information when information becomes an important strategic resource. The information obtaining, processing and security guarantee capability are playing critical roles in comprehensive national power, and information security is related to the national security and social stability. Therefore, we should take measures to ensure the information security of our country. In recent years, momentous accomplishments have been obtained with the rapid development of information security technology. There are extensive theories about information security and technology. However, due to the limitation of length, this article mainly focuses on the research and development of cryptology, trusted computing, security of network, and information hiding, etc.
International Conference on Selected Areas in Cryptography | 2004
Wu Wenling; Feng Dengguo; Chen Hua
Camellia is the final winner of 128-bit block cipher in NESSIE. In this paper, we construct some efficient distinguishers between 4-round Camellia and random permutation of the blocks space. By using collision-searching techniques, the distinguishers are used to attack 6, 7, 8 and 9 rounds of Camellia with 128-bit key and 8, 9 and 10 rounds of Camellia with 192/256-bit key. The attack on 6-round of 128-bit key Camellia is more efficient than known attacks. The complexities of the attack on 7(8,9,10)-round Camellia without FL/FL^−1 functions are less than that of previous attacks. Furthermore, we prove that the 4-round primitive-wise idealized Camellia is not pseudorandom permutation and the 5-round primitive-wise idealized Camellia is super-pseudorandom permutation for non-adaptive adversaries.
Science in China Series F: Information Sciences | 2005
Wang Xiao-yun; Feng Dengguo; Yu Xiuyuan
In this paper, we give a fast attack against hash function—HAVAL-128. HAVAL was presented by Y. L. Zheng et al. at Auscrypt’92. It can be processed in 3, 4 or 5 passes, and produces 128, 160, 192, or 224-bit fingerprint. We break the HAVAL with 128-bit fingerprint. The conclusion is that, given any 1024-bit message m, we just make some modifications about m, and the modified message m can collide with another message m′ only with probability 1/2^7, where m′=m+Δm, in which Δm is a fixed difference selected in advance. In addition, two collision examples for HAVAL-128 are given in this paper.
Science in China Series F: Information Sciences | 2005
Wu Wenling; Feng Dengguo
Camellia is the final winner of 128-bit block cipher in NESSIE. In this paper, we construct some efficient distinguishers between 4-round Camellia and a random permutation of the blocks space. By using collision-searching techniques, the distinguishers are used to attack 6, 7, 8 and 9 rounds of Camellia with 128-bit key and 8, 9 and 10 rounds of Camellia with 192/256-bit key. The 128-bit key of 6 rounds Camellia can be recovered with 2^10 chosen plaintexts and 2^15 encryptions. The 128-bit key of 7 rounds Camellia can be recovered with 2^12 chosen plaintexts and 2^54.5 encryptions. The 128-bit key of 8 rounds Camellia can be recovered with 2^13 chosen plaintexts and 2^112.1 encryptions. The 128-bit key of 9 rounds Camellia can be recovered with 2^113.6 chosen plaintexts and 2^121 encryptions. The 192/256-bit key of 8 rounds Camellia can be recovered with 2^13 chosen plaintexts and 2^111.1 encryptions. The 192/256-bit key of 9 rounds Camellia can be recovered with 2^13 chosen plaintexts and 2^175.6 encryptions. The 256-bit key of 10 rounds Camellia can be recovered with 2^14 chosen plaintexts and 2^239.9 encryptions.
Computational Science and Engineering | 2009
Qin Yu; Feng Dengguo; Xu Zhen
Remote attestation presented in TCG specification is one of the significant ways to establish trust between the two endpoints. There are two categories of remote attestation: anonymous identity attestation of TPM and the security properties attestation of trusted computing platform, and the verifier can verify both at the far endpoint. In order to simplify the attestations, we propose the hybrid attestation called APA (anonymous property attestation) from the elliptic curve cryptography and bilinear map. The scheme is provably secure under the LRSW assumption, the hardness of discrete logarithms. The attestation signature in our scheme is much shorter than two directly associated attestations, and it also takes less computation cost.
Journal of Software | 2005
Chen Weidong; Feng Dengguo
Reference [9] proposed a threshold group-signature scheme in order to solve the so-called problem of “threshold group-signature scheme with privilege subsets” suggested by Feng Dengguo. We firstly show there exist some insufficiencies and potential hazards in the scheme mentioned above. Secondly, using the idea of constructing group-signature schemes by individual signature schemes, we put forward a group of the ones with four variants of ElGamal type, having many attractive properties such as shorter length of signature, message recovery, authentication and so on. Finally, the security of our schemes is proved in the standard model.
Advanced Information Networking and Applications | 2006
Zhang Fan; Feng Dengguo
Certificate-based public key infrastructure (PKI) scheme of International Civil Aviation Organization (ICAO) has some problems, especially with the distribution of public key. In this paper, we propose an identity-based PKI scheme for machine readable travel document (MRTD). By virtue of simple key management on identity-based signature, our scheme facilitates public key distribution among participating countries, and eliminates the need of a global public key directory (PKD).
Science in China Series F: Information Sciences | 2006
Zhang Bin; Feng Dengguo
In this paper, we analyze the security of a new stream cipher, COSvd(2, 128). This cipher was proposed by E. Filiol et al. at the ECRYPT SASC’2004 (The State of the Art of Stream Ciphers). It uses clock-controlled non-linear feedback registers together with an S-box controlled by a chaotic sequence and was claimed to prevent any existing attacks. However, our analysis shows that there are some serious security flaws in the design of the S-box, resulting in heavy biased byte distribution in the keystream. In some broadcast applications, this flaw will cause a ciphertext-only attack with high success rate. Besides, there are also many security flaws in other parts of the cipher. We point out these flaws one by one and develop a divide-and-conquer attack to recover the secret keys from O(2^26)-byte known plaintext with success rate 93.4597% and complexity O(2^113), which is much lower than 2^512, the complexity of exhaustive search.
Science in China Series F: Information Sciences | 2002
Zhang Zhenfeng; Feng Dengguo; Dai Zongduo
In 1993, Alabbadi and Wicker gave a modification to Xinmei Digital Signature Scheme based on error-correcting codes, which is usually denoted by AW Scheme. In this paper we show that the AW Scheme is actually not secure: anyone holding public keys of the signatory can obtain the equivalent private keys, and then forge digital signatures for arbitrary messages successfully. We also point out that one can hardly construct a digital signature scheme with high-level security due to the difficulty of decomposing large matrices.
Science in China Series F: Information Sciences | 2007
Hu ZhenYu; Lin Dongdai; Wu Wenling; Feng Dengguo
A highly practical parallel signcryption scheme named PLSC from trapdoor permutations (TDPs for short) was built to perform long messages directly. The new scheme follows the idea “scramble all, and encrypt small”, using some scrambling operation on message m along with the user’s identities, and then passing, in parallel, small parts of the scrambling result through corresponding TDPs. This design enables the scheme to flexibly perform long messages of arbitrary length while avoiding repeatedly invoking TDP operations such as the CBC mode, or verbosely black-box composing symmetric encryption and signcryption, resulting in noticeable practical savings in both message bandwidth and efficiency. Concretely, the signcryption scheme requires exactly one computation of the “receiver’s TDP” (for “encryption”) and one inverse computation of the “sender’s TDP” (for “authentication”), which is of great practical significance in directly performing long messages, since the major bottleneck for many public encryption schemes is the excessive computational overhead of performing TDP operations. Cutting out the verbosely repeated padding, the newly proposed scheme is more efficient than a black-box hybrid scheme. Most importantly, the proposed scheme has been proven to be tightly semantically secure under adaptive chosen ciphertext attacks (IND-CCA2) and to provide integrity of ciphertext (INT-CTXT) as well as non-repudiation in the random oracle model. All of these security guarantees are provided in the full multi-user, insider-security setting. Moreover, though the scheme is designed to perform long messages, it may also be appropriate for settings where it is impractical to perform large blocks of messages (i.e. extremely low memory environments such as smart cards).