Similar documents (20 found; search took 15 ms)
1.
Multiple modes of operation and, in particular, triple modes of operation were proposed as a simple method to improve the strength of block ciphers, and in particular of DES. Developments in the cryptanalysis of DES in recent years have popularized the triple modes of DES, and such modes are now considered for ANSI standards. In a previous paper we analyzed multiple modes of operation and showed that the security of many multiple modes is significantly smaller than expected. In this paper we extend these results, with new cryptanalytic techniques, and show that all the (cascaded) triple modes of operation are not much more secure than a single encryption: in the case of DES they can be attacked with up to an order of 2^56 to 2^66 chosen plaintexts or ciphertexts and complexity of analysis. We then propose several candidates for more secure modes. Received 19 August 1996 and revised 29 September 1997.

2.
Luby and Rackoff [26] showed a method for constructing a pseudorandom permutation from a pseudorandom function. The method is based on composing four (or three for weakened security) so-called Feistel permutations, each of which requires the evaluation of a pseudorandom function. We reduce somewhat the complexity of the construction and simplify its proof of security by showing that two Feistel permutations are sufficient together with initial and final pairwise independent permutations. The revised construction and proof provide a framework in which similar constructions may be brought up and their security can be easily proved. We demonstrate this by presenting some additional adjustments of the construction that achieve the following: (1) reduce the success probability of the adversary; (2) provide a construction of pseudorandom permutations with large input length using pseudorandom functions with small input length. Received 2 August 1996 and revised 26 July 1997.
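The two-round construction summarized above, as an added example that is not the paper's own code: P = h2^{-1} ∘ Feistel(f2) ∘ Feistel(f1) ∘ h1 on 64-bit blocks. The concrete choices are this example's assumptions, not the paper's: h1 and h2 are drawn from the pairwise independent family of affine maps x ↦ a·x ⊕ b over GF(2^64) with a ≠ 0, the round functions f1 and f2 are HMAC-SHA256 truncated to 32 bits, and all sub-keys are derived from one master key.

```python
"""Two-round Feistel PRP with pairwise independent outer permutations (added example).

P = h2^{-1} o Feistel(f2) o Feistel(f1) o h1 on 64-bit blocks.
Assumptions (not from the paper): h1, h2 are affine maps x -> a*x ^ b over GF(2^64)
with a != 0, and the PRFs f1, f2 are HMAC-SHA256 truncated to 32 bits.
"""
import hashlib
import hmac

HALF_BITS = 32
MASK32 = (1 << 32) - 1
# x^64 + x^4 + x^3 + x + 1, an irreducible polynomial defining GF(2^64)
POLY = (1 << 64) | (1 << 4) | (1 << 3) | (1 << 1) | 1


def gf_mul(a, b):
    """Carry-less multiplication of two 64-bit field elements, reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 64:
            a ^= POLY
    return r


def gf_inv(a):
    """Inverse of a nonzero element: a^(2^64 - 2) by square-and-multiply."""
    result, exp = 1, (1 << 64) - 2
    while exp:
        if exp & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        exp >>= 1
    return result


def feistel(x, f):
    """One Feistel round on a 64-bit block: (L, R) -> (R, L ^ f(R))."""
    left, right = x >> HALF_BITS, x & MASK32
    return (right << HALF_BITS) | (left ^ f(right))


def feistel_inv(y, f):
    """Inverse of one Feistel round: (R, L ^ f(R)) -> (L, R)."""
    right, mixed = y >> HALF_BITS, y & MASK32
    return ((mixed ^ f(right)) << HALF_BITS) | right


class TwoRoundPRP:
    """Pseudorandom permutation on 64-bit blocks from two PRF rounds plus h1, h2^{-1}."""

    def __init__(self, key):
        # Sub-key derivation from one master key is an assumption of this example.
        self.k1 = hmac.new(key, b"f1", hashlib.sha256).digest()
        self.k2 = hmac.new(key, b"f2", hashlib.sha256).digest()
        self.a1, self.b1 = self._affine(key, b"h1")
        self.a2, self.b2 = self._affine(key, b"h2")
        self.a1_inv, self.a2_inv = gf_inv(self.a1), gf_inv(self.a2)

    @staticmethod
    def _affine(key, label):
        d = hmac.new(key, label, hashlib.sha256).digest()
        a = int.from_bytes(d[:8], "big") or 1  # a must be nonzero for x -> a*x ^ b to be a bijection
        return a, int.from_bytes(d[8:16], "big")

    @staticmethod
    def _f(k, r):
        """Round PRF: 32-bit input, 32-bit output."""
        return int.from_bytes(hmac.new(k, r.to_bytes(4, "big"), hashlib.sha256).digest()[:4], "big")

    def encrypt(self, x):
        y = gf_mul(self.a1, x) ^ self.b1                # h1
        y = feistel(y, lambda r: self._f(self.k1, r))   # first Feistel round
        y = feistel(y, lambda r: self._f(self.k2, r))   # second Feistel round
        return gf_mul(self.a2_inv, y ^ self.b2)         # h2^{-1}

    def decrypt(self, y):
        x = gf_mul(self.a2, y) ^ self.b2                # h2
        x = feistel_inv(x, lambda r: self._f(self.k2, r))
        x = feistel_inv(x, lambda r: self._f(self.k1, r))
        return gf_mul(self.a1_inv, x ^ self.b1)         # h1^{-1}


def roundtrip_ok(key, samples):
    """True if decrypt(encrypt(x)) == x for every sample and the outputs are pairwise distinct."""
    prp = TwoRoundPRP(key)
    outs = [prp.encrypt(x) for x in samples]
    return all(prp.decrypt(c) == x for c, x in zip(outs, samples)) and len(set(outs)) == len(samples)
```

The affine family is pairwise independent because, for fixed distinct x ≠ x', the pair (a·x ⊕ b, a·x' ⊕ b) is uniform over pairs of distinct field elements when a ≠ 0 and b are uniform; that is exactly the property the proof needs from h1 and h2, and it is what lets two rounds replace Luby and Rackoff's three or four.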

3.
In this paper we cryptanalyze the CBCM mode of operation, which was almost included in the ANSI X9.52 Triple-DES Modes of Operation standard. The CBCM mode is a Triple-DES CBC variant which was designed against powerful attacks which control intermediate feedback for the benefit of the attacker. For this purpose, it uses intermediate feedbacks that the attacker cannot control, choosing them as a keyed OFB stream, independent of the plaintexts and the ciphertexts. In this paper we find a way to use even this kind of feedback for the benefit of the attacker, and we present an attack which requires a single chosen ciphertext of 2^65 blocks, which needs to be stored, and 2^59 complexity of analysis (CBCM encryptions) to find the key with a high probability. As a consequence of our attack, ANSI decided to remove the CBCM mode from the proposed standard. Received May 1998 and revised June 2001. Online publication 28 November 2001.

4.
Multi-linear cryptanalysis of 2-round Trivium (cited 1 time: 0 self-citations, 1 by others)
Trivium is one of the seven finalists of eSTREAM, the European stream cipher project, and its security evaluation to date has produced no effective attack. This paper carries out multi-linear cryptanalysis of 2-round Trivium by finding more linear approximations, and proposes a more effective distinguishing attack. Compared with existing single-linear cryptanalysis, the attack needs markedly less data: if n linear approximations can be found, multi-linear cryptanalysis needs only 1/n of the data required by single-linear cryptanalysis to reach the same success probability. The result indicates that the Trivium design still has some weaknesses and needs further security analysis before practical deployment.

5.
Despite their widespread usage in block cipher security, linear and differential cryptanalysis still lack a robust treatment of their success probability, and the success chances of these attacks have commonly been estimated in a rather ad hoc fashion. In this paper, we present an analytical calculation of the success probability of linear and differential cryptanalytic attacks. The results apply to an extended sense of the term "success" where the correct key is found not necessarily as the highest-ranking candidate but within a set of high-ranking candidates. Experimental results show that the analysis provides accurate results in most cases, especially in linear cryptanalysis. In cases where the results are less accurate, as in certain cases of differential cryptanalysis, the results are useful to provide approximate estimates of the success probability and the necessary plaintext requirement. The analysis also reveals that the attacked key length in differential cryptanalysis is one of the factors that affect the success probability directly, besides the signal-to-noise ratio and the available plaintext amount.

6.
We define a new mode of operation for block ciphers which, in addition to providing confidentiality, also ensures message integrity. In contrast, previously for message integrity a separate pass was required to compute a cryptographic message authentication code (MAC). The new mode of operation, called Integrity Aware Parallelizable Mode (IAPM), requires a total of m+1 block cipher evaluations on a plaintext of length m blocks. For comparison, the well-known CBC (cipher block chaining) encryption mode requires m block cipher evaluations, and the second pass of computing the CBC-MAC essentially requires an additional m+1 block cipher evaluations. As the name suggests, the new mode is also highly parallelizable.

7.
In this paper we consider multiple encryption schemes built from conventional cryptosystems such as DES. The existing schemes are either vulnerable to variants of meet-in-the-middle attacks, i.e., they do not provide security corresponding to the full key length used, or there is no proof that the schemes are as secure as the underlying cipher. We propose a variant of two-key triple encryption with a new method of generating three keys from two. Our scheme is not vulnerable to the meet-in-the-middle attack and, under an appropriate assumption, we can show that our scheme is at least about as hard to break as the underlying block cipher. Received 22 June 1995 and revised 11 October 1996.

8.
This paper introduces the model, self-interference and performance of orthogonal space-time block codes and, on that basis, proposes a closed-loop scheme for high-rate quasi-orthogonal space-time block codes that lets a MIMO system achieve a high rate while reducing the performance loss caused by weakened orthogonality. The feedback method relies on the transmitter being able to obtain partial channel state information; the performance of this adaptive scheme is verified by simulation over Rayleigh fading channels.

9.
To address the problem of identifying the typical air-to-air operating modes of airborne fire-control radar, an identification framework based on Dempster-Shafer (DS) evidence theory is proposed. First, characteristic parameters are extracted from intercepted enemy radar signals to build a radar signal feature library, and a pre-judgement procedure quickly groups the modes on a single platform. Then DS evidence theory is applied to the grouped multi-dimensional pattern recognition results, using a distributed structure for single-platform multi-period temporal fusion and multi-platform spatial fusion, to determine the radar operating mode. Simulation results show that the framework identifies the velocity search and single-target tracking modes on a single platform, and reaches a confidence of 83.3% in identifying the range-while-search and track-while-scan modes across multiple platforms, with good real-time performance and accuracy of practical value.

10.
A centrosymmetric split-ring metasurface structure is designed that is polarization-insensitive and has a high quality factor. Its resonance spectrum is analysed theoretically and experimentally, and the resonance modes are identified, including LC, dipole and higher-order resonances. Several of the higher-order modes show a high quality factor Q (about 230) and are highly sensitive to changes in the permittivity of the metasurface substrate. The electromagnetic properties of asymmetric versions of the structure are also studied: increasing the asymmetry along the horizontal (x) axis and the vertical (y) axis respectively creates and enhances resonances at 0.332 THz and 0.210 THz.

11.
The SPECK family is a lightweight block cipher family proposed by the US National Security Agency in 2013. Its overall structure is a modified Feistel structure whose round function combines modular addition, rotation and XOR, the so-called ARX operations. In impossible differential analysis, only Lee et al. have so far given some 6-round impossible differentials for SPECK 64. This paper finds further 6-round impossible differentials for SPECK 32/64 and SPECK 48/96 and, by prepending 1 round and appending 3 rounds, gives 10-round impossible differential attacks on both algorithms.

12.
Wang Qiang, China Cable Television (中国有线电视), 2007, (15): 1343-1346
Cable television digitisation is currently under way across the country. Digital interactive television turns passive viewing into active viewing, offers more personalised services and has become a highlight of digital TV promotion. This paper proposes a solution for cable network operators to offer digital interactive television services over their existing access networks.

13.
Block ciphers are among the most widely used tools in cryptography, and a block cipher mode of operation is a scheme that uses a block cipher to encrypt, decrypt or authenticate messages of arbitrary length. The US National Institute of Standards and Technology (NIST) has worked actively on modes of operation and has published a large number of them over more than a decade. This paper focuses on several new modes NIST has published in recent years, namely the authenticated encryption mode GCM, the disk encryption mode XTS and the key wrapping mode KeyWrap, and studies their fast implementation in depth.

14.
This paper analyses, at the algorithm level, the fault leakage characteristics inherent to block ciphers, proposes a propagation-trajectory framework for describing how faults propagate, and on that basis builds a metric of resistance to fault attacks for both single and multiple fault injection scenarios. Experiments show that the metric captures how the key space changes under different fault injection scenarios and thereby reveals the algorithm-level resistance to fault attacks.

15.
In recent years, because of the security requirements of resource-constrained devices, the design and analysis of lightweight block ciphers has received more attention. mCrypton is a lightweight block cipher that has been specifically designed for use in resource-constrained devices, such as low-cost radio-frequency identification tags and sensors. In this paper, we consider cryptanalysis of full-round mCrypton-64 using a new extension of the biclique attack called non-isomorphic biclique cryptanalysis. As is known, the effectiveness of the biclique attack is highly dependent on weaknesses of the key schedule, and it does not seem to be appropriate for block ciphers with strong key scheduling. The non-isomorphic biclique attack, using an asymmetric key partitioning technique, provides more degrees of freedom to the attacker and makes it possible to use the diffusion layer properties of a block cipher for constructing longer bicliques. Results show that the attack on full-round mCrypton requires 2^33.9 chosen plaintexts and a time complexity of 2^62.67 encryptions. The computational complexity reduces to 2^62.3, 2^61.4, and 2^59.75 encryptions for 10, 8, and 6 rounds of mCrypton-64, respectively. We also discuss the general form of the computational complexity for non-isomorphic biclique cryptanalysis. Copyright © 2014 John Wiley & Sons, Ltd.

16.
CBC MAC for Real-Time Data Sources (cited 1 time: 0 self-citations, 1 by others)
The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an authentication method which is widely used in practice. It is well known that the use of the CBC MAC for variable-length messages is not secure, and a few rules of thumb for the correct use of the CBC MAC are known by folklore. The first rigorous proof of the security of CBC MAC, when used on fixed-length messages, was given only recently by Bellare et al. [3]. They also suggested variants of CBC MAC that handle variable-length messages, but in these variants the length of the message has to be known in advance (i.e., before the message is processed). We study CBC authentication of real-time applications in which the length of the message is not known until the message ends, and furthermore, since the application is real-time, it is not possible to delay processing the authentication until after the message ends. We first consider a variant of CBC MAC, which we call the encrypted CBC MAC (EMAC), that handles messages of variable, unknown length. Computing EMAC on a message is virtually as simple and as efficient as computing the standard CBC MAC on the message. We provide a rigorous proof that its security is implied by the security of the underlying block cipher. Next, we argue that the basic CBC MAC is secure when applied to a prefix-free message space. A message space can be made prefix-free by also authenticating the (usually hidden) last character which marks the end of the message. Received 16 September 1997 and revised 24 August 1999. Online publication 2 June 2000.
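The three constructions in this abstract, as an added example that is not the paper's code: the raw CBC MAC with the splicing forgery that breaks it on variable-length messages, EMAC (the final chaining value encrypted once more under an independent key), and the prefix-free variant in which an authenticated end-marker block closes every message. The block cipher is stood in for by a 16-byte PRF built from HMAC-SHA256, and both EMAC keys are derived from one master key; both are assumptions of this example, chosen so it runs on the standard library. A PRF is all the CBC MAC security argument needs, so the forgery and the two fixes behave as they would with DES or AES.

```python
"""CBC MAC, EMAC and prefix-free CBC MAC, with the splicing forgery (added example).

Assumption: E is a 16-byte PRF (HMAC-SHA256 truncated) standing in for the block
cipher; it is not invertible, which matters for encryption modes but not for a MAC.
"""
import hashlib
import hmac

BLOCK = 16
END = b"\x80" + bytes(BLOCK - 1)  # end-marker block; may not appear inside a message


def E(key, block):
    """Stand-in block cipher: PRF on one 16-byte block (assumption, see above)."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(msg):
    if len(msg) % BLOCK:
        raise ValueError("message must be a whole number of blocks")
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]


def cbc_mac(key, msg):
    """Raw CBC MAC, zero IV: secure for fixed-length or prefix-free message spaces only."""
    state = bytes(BLOCK)
    for m in blocks(msg):
        state = E(key, xor(state, m))
    return state


def emac(key, msg):
    """EMAC: the CBC chaining value is encrypted once more under an independent key."""
    k1 = hmac.new(key, b"cbc", hashlib.sha256).digest()    # key derivation is an assumption
    k2 = hmac.new(key, b"final", hashlib.sha256).digest()
    return E(k2, cbc_mac(k1, msg))


def encode_prefix_free(msg):
    """Append the end marker; the message itself may not contain it, or prefix-freeness fails."""
    if END in blocks(msg):
        raise ValueError("message contains the end marker")
    return msg + END


def mac_prefix_free(key, msg):
    return cbc_mac(key, encode_prefix_free(msg))


def verify_prefix_free(key, wire, tag):
    """Accept only a well-formed encoding (exactly one END, at the end) with a matching MAC."""
    if len(wire) % BLOCK:
        return False
    bs = blocks(wire)
    if not bs or bs[-1] != END or END in bs[:-1]:
        return False
    return hmac.compare_digest(cbc_mac(key, wire), tag)


def splice_forgery(mac, m1, m2):
    """Attacker who has seen t1 = mac(m1) and t2 = mac(m2), with m2 a single block,
    claims that mac(m1 || (m2 xor t1)) == t2.  For the raw CBC MAC the chaining input
    to the last block is t1 xor (m2 xor t1) = m2, so the claim holds.  EMAC only reveals
    E_k2(chain), so t1 is the wrong mask and the claim fails."""
    t1, t2 = mac(m1), mac(m2)
    return m1 + xor(m2, t1), t2


def forgery_succeeds(mac, m1, m2):
    forged, claimed = splice_forgery(mac, m1, m2)
    return mac(forged) == claimed
```

With the prefix-free encoding the same splice cannot even be phrased as a valid message: the attacker's string is m1 || END || (m2 ⊕ t1), which verify_prefix_free rejects structurally (END in the middle, no END at the end) before any MAC comparison, which is why the basic CBC MAC is safe there.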

17.
Shen Qing, ZTE Technology Journal (中兴通讯技术), 2006, 12(3): 51-53, 60
After years of rapid growth, China's telecom companies are entering maturity, and falling growth rates and profits are an inevitable trend, so new operating models urgently need to be explored, moving towards integrated full-service carriers. France Telecom has a long history and began its market transformation early; much of its experience is worth drawing on, including its distinctive brand strategy, its flexible operating model and its full-range service offering for enterprises. Chinese telecom companies should actively pursue full-service operation, accelerate development of the enterprise network market, improve cooperative operating models and strive to go global as early as possible.

18.
A multi-view service operation quality evaluation model (cited 1 time: 1 self-citation, 0 by others)
Based on processes and policies, this paper proposes a multi-view service operation quality evaluation model (MV-SOQEM) for next-generation network operation and maintenance, which evaluates service operation management from two viewpoints: service operation objectives and service operation processes. An evaluation simulation model built on these two viewpoints is applied to adaptive service management to verify the model's accuracy and effectiveness. Simulation results show that service managers can obtain management quality information from different viewpoints through MV-SOQEM, which will benefit service management quality.

19.
Using the discrete electromagnetic field modes of a microcylinder, this paper calculates the local density of modes of a leaky microcylinder cavity and, from that result, the microcylinder's mode density, thereby showing the difference between its axial and transverse mode spectra. It follows that the microcylinder exhibits spatial inhomogeneity and directionality in scattering, thermal radiation spectrum and morphology-dependent resonance experiments.

20.
For the emerging market of Direct-to-User Broadcast Satellite TV (DBS-TV), flat plate slot array antennas are currently being designed and commercialized. Although the antenna configuration resembles a FSS (Frequency Selective Surface) slot array, the electromagnetic analysis of the antenna problem requires a new approach. The theory of Characteristic Modes is extended to deal with multiple stacked apertures. Entire domain expansion functions are selected from the Characteristic Mode set and used to reduce the computational effort to analyze finite arrays by an order of magnitude.

Copyright © Beijing Qinyun Technology Development Co., Ltd. (京ICP备09084417号-23)