Xuejia Lai

Advances in Cryptology – ASIACRYPT 2006

Attacks on Hash Functions.- Finding SHA-1 Characteristics: General Results and Applications.- Improved Collision Search for SHA-0.- Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions.- Stream Ciphers and Boolean Functions.- New Guess-and-Determine Attack on the Self-Shrinking Generator.- On the (In)security of Stream Ciphers Based on Arrays and Modular Addition.- Construction and Analysis of Boolean Functions of 2t+1 Variables with Maximum Algebraic Immunity.- Biometrics and ECC Computation.- Secure Sketch for Biometric Templates.- The 2-Adic CM Method for Genus 2 Curves with Application to Cryptography.- Extending Scalar Multiplication Using Double Bases.- ID-Based Schemes.- HIBE With Short Public Parameters Without Random Oracle.- Forward-Secure and Searchable Broadcast Encryption with Short Ciphertexts and Private Keys.- On the Generic Construction of Identity-Based Signatures with Additional Properties.- Public-Key Schemes.- On the Provable Security of an Efficient RSA-Based Pseudorandom Generator.- On the Security of OAEP.- Relationship Between Standard Model Plaintext Awareness and Message Hiding.- RSA and Factorization.- On the Equivalence of RSA and Factoring Regarding Generic Ring Algorithms.- Trading One-Wayness Against Chosen-Ciphertext Security in Factoring-Based Encryption.- A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants.- Construction of Hash Function.- Indifferentiable Security Analysis of Popular Hash Functions with Prefix-Free Padding.- Multi-Property-Preserving Hash Domain Extension and the EMD Transform.- Combining Compression Functions and Block Cipher-Based Hash Functions.- Protocols.- A Scalable Password-Based Group Key Exchange Protocol in the Standard Model.- A Weakness in Some Oblivious Transfer and Zero-Knowledge Protocols.- Almost Optimum Secret Sharing Schemes Secure Against Cheating for Arbitrary Secret Distribution.- Block Ciphers.- KFC - The Krazy Feistel Cipher.- Generic Attacks on Unbalanced Feistel Schemes with Contracting Functions.- New Cryptanalytic Results on IDEA.- Signatures.- New Approach for Selectively Convertible Undeniable Signature Schemes.- Simulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures.- Analysis of One Popular Group Signature Scheme.

Asymmetric encryption and signature method with DNA technology

This paper proposes DNA-PKC, an asymmetric encryption and signature cryptosystem by combining the technologies of genetic engineering and cryptology. It is an exploratory research of biological cryptology. Similar to conventional public-key cryptology, DNA-PKC uses two pairs of keys for encryption and signature, respectively. Using the public encryption key, everyone can send encrypted message to a specified user, only the owner of the private decryption key can decrypt the ciphertext and recover the message; in the signature scheme, the owner of the private signing key can generate a signature that can be verified by other users with the public verification key, but no else can forge the signature. DNA-PKC differs from the conventional cryptology in that the keys and the ciphertexts are all biological molecules. The security of DNA-PKC relies on difficult biological problems instead of computational problems; thus DNA-PKC is immune from known attacks, especially the quantum computing based attacks.

A Lightweight Stream Cipher WG-7 for RFID Encryption and Authentication

The family of WG stream ciphers has good randomness properties. In this paper, we parameterize WG-7 stream cipher for RFID tags, where the modest computation/storage capabilities and the necessity to keep their prices low present a challenging problem that goes beyond the well-studied cryptography. The rigorous security analysis of WG-7 indicates that it is secure against time/memory/data trade off attack, differential attack, algebraic attack, correlation attack and Discrete Fourier Transform (DFT) attack. Furthermore, we offer efficient implementation of WG-7 on the 4-bit microcontroller ATAM893-D and the 8-bit microcontroller ATmega8 from ATmel. The experimental results show that WG-7 outperforms most of previous proposals in terms of throughput and implementation complexity. Moreover, we propose a mutual authentication protocol based on WG-7, which provides the untraceability, resistance of tag impersonation and reader impersonation. With its verified cryptographic properties, low implementation complexity and ideal throughput, WG-7 is a promising candidate for RFID applications.

A Secure Implementation of White-Box AES

ShiftRows has no effect on Chow’s scheme, the obfuscations of the key can be divided into smaller ones and removed with the help of specific characters of the MixColumns operation in AES. In this paper, we present a secure implementation of White-Box AES, the main difference lies in ShiftRows operation. It is now embedded in matrices product, the output encodings has the same size as the output of MixColumns operation (32bits). Thus the obfuscation of the key cannot be divided into smaller ones or removed by using Billets attack technique. Thus, our scheme can resist Billet’s attack. It is more secure than Chows.

A unified method for finding impossible differentials of block cipher structures

In this paper, we propose a systematic method for finding impossible differentials for block cipher structures, which we call the unified impossible differential finding method or UID-method. It is more effective than the U-method introduced by Kim et al. We apply the UID-method to some well-known block cipher structures. Using it, we find a 16-round impossible differential for Gen-Skipjack and a 19-round impossible differential for Gen-CAST256. By this result we can disprove Sungs long standing conjecture that no such differential is possible for 16 or more rounds. On Gen-MARS and SMS4, the impossible differentials found by the UID-method are much longer than those found by the U-method. On the Four-Cell and Gen-RC6 block ciphers, our results are the same as the best results previously obtained.

Improved collision attack on hash function MD5

In this paper, we present a fast attack algorithm to find two-block collision of hash function MD5. The algorithm is based on the two-block collision differential path of MD5 that was presented by Wang et al. in the Conference EUROCRYPT 2005. We found that the derived conditions for the desired collision differential path were not sufficient to guarantee the path to hold and that some conditions could be modified to enlarge the collision set. By using technique of small range searching and omitting the computing steps to check the characteristics in the attack algorithm, we can speed up the attack of MD5 efficiently. Compared with the Advanced Message Modification technique presented by Wang et al., the small range searching technique can correct 4 more conditions for the first iteration differential and 3 more conditions for the second iteration differential, thus improving the probability and the complexity to find collisions. The whole attack on the MD5 can be accomplished within 5 hours using a PC with Pentium4 1.70GHz CPU.

A synthetic indifferentiability analysis of some block-cipher-based hash functions

At ASIACRYPT’06, Chang et al. analyzed the indifferentiability of some popular hash functions based on block ciphers, namely, the twenty collision resistant PGV, the MDC2 and the PBGV hash functions, etc. In particular, two indifferentiable attacks were presented on the four of the twenty collision resistant PGV and the PBGV hash functions with the prefix-free padding. In this article, a synthetic indifferentiability analysis of some block-cipher-based hash functions is considered. First, a more precise definition is proposed on the indifferentiability adversary in block-cipher-based hash functions. Next, the advantage of indifferentiability is separately analyzed by considering whether the hash function is keyed or not. Finally, a limitation is observed in Chang et al.’s indifferentiable attacks on the four PGV and the PBGV hash functions. The formal proofs show the fact that those hash functions are indifferentiable from a random oracle in the ideal cipher model with the prefix-free padding, the NMAC/HMAC and the chop construction.

Survey on cyberspace security

Along with the rapid development and wide application of information technology, human society has entered the information era. In this era, people live and work in cyberspace. Cyberspace is the collection of all information systems; it is the information environment for human survival. Therefore, it is necessary to ensure the security of cyberspace. This paper gives a comprehensive introduction to research and development in this field, with a description of existing problems and some currently active research topics in the areas of cyberspace itself, cyberspace security, cryptography, network security, information system security and information content security.

The Key-Dependent Attack on Block Ciphers

In this paper, we formalize an attack scheme using the key-dependent property, called key-dependent attack. In this attack, the intermediate value, whose distribution is key-dependent, is considered. The attack determines whether a key is right by conducting statistical hypothesis test of the intermediate value. The time and data complexity of the key-dependent attack is also discussed. We also apply key-dependent attack on reduced-round IDEA. This attack is based on the key-dependent distribution of certain items in Biryukov-Demirci Equation. The attack on 5.5-round variant of IDEA requires 221 chosen plaintexts and 2112.1 encryptions. The attack on 6-round variant requires 249 chosen plaintexts and 2112.1 encryptions. Compared with the previous attacks, the key-dependent attacks on 5.5-round and 6-round IDEA have the lowest time and data complexity, respectively.

Pseudorandomness analysis of the (extended) Lai-Massey scheme

In this paper we find that the two-round (extended) Lai-Massey scheme is not pseudorandom and three-round (extended) Lai-Massey scheme is not strong pseudorandom. Combined with previous work, we prove that three rounds are necessary and sufficient for the pseudorandomness and four rounds are necessary and sufficient for the strong pseudorandomness.