305 results for Authenticated cipher
Abstract:
As a basic mode of operation, OFB has the characteristics of a stream cipher: it allows the plaintext block unit to be shorter than the block cipher's block length, so it can be adapted to the user's data format. But when the block unit is far shorter than the block cipher's block length, this mode uses the block cipher inefficiently, because no matter how short the plaintext block being encrypted, every block encrypted costs one invocation of the block cipher. To improve its efficiency, a counter and a buffer are introduced so that the block cipher's output is used in full. At the same time, to strengthen security, the feedback input of OFB mode is modified so that the mode is provably secure under the strong security definition (priv) given by P. Rogaway et al., and a natural, easily understood proof is given using the game-playing method of M. Bellare and V. Shoup.
Abstract:
NESSIE (New European Schemes for Signatures, Integrity, and Encryption) is a three-year cryptographic project. Its main goal is to put forward a portfolio of secure cryptographic primitives; a further goal is to maintain Europe's leading position in cryptographic research and strengthen the role of cryptography in European industry. Its whole process is open and transparent: the call for submissions was published in March 2000, and on 13-14 November 2000 the first NESSIE workshop was held and all submitted algorithms were published. NESSIE received 17 block cipher submissions. After more than a year of evaluation, at the second NESSIE workshop held on 12-13 September of this year, NESSIE announced the 7 selected algorithms: IDEA, Khazad, MISTY1, SAFER++, Camellia, RC6 and SHACAL, which will be the focus of evaluation in the next phase of the NESSIE project. NESSIE expects to hold its third workshop next autumn, at which the final selection results will be announced. This paper briefly introduces NESSIE's evaluation principles, explains NESSIE's reasons for accepting or rejecting each candidate algorithm, and lists the analyses of each algorithm by its designers and by the public.
Abstract:
The overall structure of the SAFER family of block ciphers is an SP-network, and its design has several distinctive features. This paper analyses the design ideas behind the SAFER family, following the designers' successive improvements, and describes the properties of the confusion layer, the diffusion layer and the key schedule, together with the attacks on them. Finally, several questions that need further consideration are raised.
Abstract:
Noekeon is one of the 17 candidate algorithms published by NESSIE. The cryptographic properties of each of Noekeon's components and their role in the cipher as a whole are discussed, from which the design techniques of Noekeon can be appreciated.
Abstract:
A new authenticated key agreement protocol for wireless local area networks is proposed, which provides mutual authentication of both parties and key confirmation. Its key establishment is based on a challenge-response protocol and the KAS scheme, and its key pre-distribution is based on the Diffie-Hellman protocol; it provides perfect forward secrecy and resists passive attacks, dictionary attacks, man-in-the-middle attacks, impersonation attacks and others. The computational and communication costs of the protocol are also analysed.
Abstract:
Many practical applications of information security need to provide privacy and authenticity at the same time. This is usually achieved by combining an encryption mode with a message authentication code, but such a construction must process the same message in two separate passes, one for encryption and one for authentication, which not only consumes many keys but is also inefficient. Based on the CBC encryption mode, this paper designs a new one-pass authenticated encryption scheme, OXCBC, which provides privacy and authenticity simultaneously using only one key and one nonce, and is more efficient than authenticated encryption schemes of the same type. Under the assumption that the block cipher is a strong pseudorandom permutation, the authenticity of the scheme is proved.
Abstract:
To identify Chinese medicinal Dendrobium (Herba Dendrobii) and its adulterants at the molecular level, this study selected the nuclear rDNA ITS sequence and the chloroplast DNA matK gene sequence. Genomic DNA of Dendrobium was extracted with a modified CTAB method; the complete ribosomal internal transcribed spacer (ITS) sequences of 17 species (32 samples) of medicinal Dendrobium were determined by direct sequencing of PCR products, and the chloroplast matK gene sequences of 12 species (22 samples) were determined by cloning and sequencing. BioEdit, MEGA4.0 and other software were used to analyse the characteristics of the rDNA ITS and chloroplast matK sequences of Dendrobium, to compare base differences and genetic distances between genera, between species, and between populations (cultivars) within a species, and to build molecular phylogenetic trees with the neighbour-joining method. The main results are as follows: (1) A database of complete rDNA ITS sequences of 17 species (32 samples) of medicinal Dendrobium was built. ITS1 is 228~234 bp long with a GC content of 45.7%~53.0%, 167 variable sites (67.34% of all sites) and 106 informative sites (42.74%); ITS2 is 241~247 bp long with a GC content of 44.8%~55.7%, 165 variable sites (66.27%) and 115 informative sites (46.18%). (2) A database of complete chloroplast matK gene sequences of 12 species (22 samples) of medicinal Dendrobium was built; the matK gene is 1410 bp long, with 51 variable sites and 11 informative sites. Besides base substitutions, there are also base insertions and deletions. (3) Comparison of the ITS sequences gave the genetic distances and base differences between the materials: the intergeneric genetic distance is 0.295; the average genetic distance between Dendrobium species is 0.142, with 2~156 differing bases; the average genetic distance between populations within a species is 0.002, with 1~2 differing bases. The intergeneric distance is greater than the interspecific distance, which in turn is greater than the distance between populations (cultivars) within a species. (4) Analysis of the chloroplast matK sequences shows that the minimum genetic distance between the outgroup (Bulbophyllum odoratissimum) and Dendrobium is 0.027; the average genetic distance between Dendrobium species is 0.008, with a maximum of 0.014 and a minimum of 0.003 and 8~20 differing bases; the genetic distance between populations (cultivars) within a species is 0.001, with 1~5 differing bases. (5) Using the complete-sequence database of 17 Dendrobium species and genetic analysis software, 10 test samples were successfully identified by sequencing their rDNA ITS region, and the identifications were verified when the original plants flowered. (6) Using the complete matK database of 12 Dendrobium species and genetic analysis software, 4 test samples were successfully identified, likewise verified when the original plants flowered. (7) NJ trees were built separately from the rDNA ITS and chloroplast matK databases; the outgroup, the Dendrobium species and the populations (cultivars) within species were all clearly separated on the NJ trees, and the trees built from the two sequences agreed, providing a basis for the molecular identification of Dendrobium.
In order to identify Chinese Herba Dendrobii and its adulterant species on the molecular level, we studied the sequences of rDNA ITS and the chloroplast matK gene. Genomic DNA of Dendrobium was extracted using the modified cetyltrimethyl ammonium bromide (CTAB) method. The PCR products of the rDNA ITS sequences of Dendrobium (32 materials) were purified and then sequenced. The PCR products of the chloroplast matK gene of Dendrobium (22 materials) were purified, cloned and then sequenced. The characteristics of the sequences and the genetic distances were compared between Bulbophyllum odoratissimum and Dendrobium, between Dendrobium species, and between different populations. Phylogenetic trees were constructed using the NJ method with biology software including BioEdit and MEGA4.0.
The main results are as follows: (1) A database of rDNA ITS sequences of 17 species of Herba Dendrobii (32 materials) was built up. The ITS1 was 228~234 bp, with the GC content accounting for 45.7%~53.0%. Its variable sites were 167, accounting for 67.34%. The parsimony-informative positions were 106, accounting for 42.74%. The ITS2 was 241~247 bp, with the GC content accounting for 44.8%~55.7%. The variable sites were 165, accounting for 66.27%. The parsimony-informative positions were 115, accounting for 46.18%. (2) The database of chloroplast matK gene sequences was built up, containing 12 species of Herba Dendrobii (22 materials). The matK gene sequences were about 1410 bp in length. There were 51 variable sites and 11 parsimony-informative sites, and there were nucleotide insertions and deletions in some species in addition to nucleotide substitutions. (3) The rDNA ITS sequences were compared and analyzed with the biology software. The genetic distance between Bulbophyllum odoratissimum and Dendrobium was 0.295. The average genetic distance between Dendrobium species was 0.142, with 2~156 variable nucleotides. The average genetic distance between different populations was 0.002, with 2~156 variable nucleotides. The genetic distance between Bulbophyllum odoratissimum and Dendrobium was greater than that between Dendrobium species. Meanwhile, the genetic distance between Dendrobium species was also greater than that between different populations (varieties). (4) The characteristics of the chloroplast matK gene sequences were obtained after analysis with the biology software. The minimal genetic distance between Bulbophyllum odoratissimum and Dendrobium was 0.027. The maximal genetic distance between Dendrobium species was 0.014, with 20 variable nucleotides.
The minimal genetic distance between populations was 0.003, with 8 variable nucleotides. The genetic distance between populations was 0.001, with 1~5 variable nucleotides. (5) A molecular phylogenetic tree was constructed from the database of rDNA ITS sequences of 17 species of Herba Dendrobii using the biology software. We then authenticated 10 materials at the molecular level, and the results were confirmed when these plants flowered. (6) A molecular phylogenetic tree was built up from the database of chloroplast matK gene sequences of 12 species of Herba Dendrobii with the biology software. Then 4 materials were authenticated at the molecular level, and these were also confirmed when the plants were in flower. (7) Phylogenetic trees were separately constructed from the sequences of rDNA ITS and the chloroplast matK gene; B. odoratissimum and Dendrobium could all be distinguished on the phylogenetic trees. Meanwhile, the phylogenetic trees based on the two groups of sequences were coincident. rDNA ITS and matK gene sequences can be used as molecular markers for the authentication of Herba Dendrobii.
Abstract:
A (t,n) threshold authenticated encryption scheme allows t or more signers to produce an authenticated encryption signature for a designated recipient, such that only the designated recipient can recover the message and verify its integrity, while nobody else can. Recently, building on the authenticated encryption scheme of Tseng and Jan, Chung et al. constructed a (t,n) threshold authenticated encryption scheme. That scheme uses a division-of-labor signature technique, which effectively reduces the signers' burden. However, its authors gave only an informal explanation of the scheme's security. At present the literature contains no formal characterisation of division-of-labor threshold authenticated encryption, and no provably secure division-of-labor threshold authenticated encryption scheme has appeared. In fact, the division-of-labor threshold authenticated encryption scheme of Chung et al. has a design flaw. This paper gives a formal model and a security model for division-of-labor threshold authenticated encryption schemes and constructs a new such scheme based on bilinear maps. In the random oracle model, the scheme is proved to be semantically secure against adaptive chosen-ciphertext attacks and existentially unforgeable against adaptive chosen-message attacks. The security of the scheme reduces to the computational Diffie-Hellman (CDH) assumption and the decisional bilinear Diffie-Hellman (DBDH) assumption.
Abstract:
Traditionally, attacks on cryptographic algorithms looked for mathematical weaknesses in the underlying structure of a cipher. Side-channel attacks, however, seek to extract secret key information from the leakage of the device on which the cipher is implemented, be it a smart card, microprocessor, dedicated hardware or personal computer. Attacks based on power consumption, electromagnetic emanations and execution time have all been practically demonstrated on a range of devices to reveal partial secret-key information from which the full key can be reconstructed. The focus of this thesis is power analysis, more specifically a class of attacks known as profiling attacks. These attacks assume a potential attacker has access to, or can control, a device identical to the one under attack, which allows him to profile the power consumption of operations or data flow during encryption. This assumes a stronger adversary than traditional non-profiling attacks such as differential or correlation power analysis; however, the ability to model a device allows templates to be used post-profiling to extract key information from many different target devices using the power consumption of very few encryptions. This allows an adversary to overcome protocols intended to prevent secret key recovery by restricting the number of available traces. In this thesis a detailed investigation of template attacks is conducted, along with how the selection of various attack parameters practically affects the efficiency of secret key recovery, and the underlying assumption of profiling attacks, that the power consumption of one device can be used to extract secret keys from another, is examined. Trace-only attacks, where the corresponding plaintext or ciphertext data is unavailable, are then investigated against both symmetric and asymmetric algorithms with the goal of key recovery from a single trace. This allows an adversary to bypass many of the currently proposed countermeasures, particularly in the asymmetric domain. An investigation into machine-learning methods for side-channel analysis as an alternative to template or stochastic methods is also conducted, with support vector machines, logistic regression and neural networks investigated from a side-channel viewpoint. Both binary and multi-class classification attack scenarios are examined in order to explore the relative strengths of each algorithm. Finally, these machine-learning based alternatives are empirically compared with template attacks, with their respective merits examined with regard to attack efficiency.
Abstract:
A novel wireless local area network (WLAN) security processor is described in this paper. It is designed to offload security encapsulation processing from the host microprocessor in an IEEE 802.11i compliant medium access control layer to a programmable hardware accelerator. The unique design, which comprises dedicated cryptographic instructions and hardware coprocessors, is capable of performing wired equivalent privacy, the temporal key integrity protocol, counter mode with cipher block chaining message authentication code protocol, and the wireless robust authentication protocol. Existing solutions to wireless security have been implemented on hardware devices and target specific WLAN protocols, whereas the programmable security processor proposed in this paper provides support for all WLAN protocols and thus can offer backwards compatibility as well as future upgradeability as standards evolve. It provides this additional functionality while still achieving throughput rates equivalent to existing architectures. © 2006 IEEE.
Abstract:
A generic architecture for implementing the advanced encryption standard (AES) encryption algorithm in silicon is proposed. This allows the instantiation of a wide range of chip specifications, with these taking the form of semiconductor intellectual property (IP) cores. Cores implemented from this architecture can perform both encryption and decryption and support four modes of operation: (i) electronic codebook mode; (ii) output feedback mode; (iii) cipher block chaining mode; and (iv) ciphertext feedback mode. Chip designs can also be generated to cover all three AES key lengths, namely 128 bits, 192 bits and 256 bits. On-the-fly generation of the round keys required during decryption is also possible. The general, flexible and multi-functional nature of the approach described contrasts with previous designs which, to date, have been focused on specific implementations. The presented ideas are demonstrated by implementation in FPGA technology. However, the architecture and the IP cores derived from it are easily migratable to other silicon technologies, including ASIC and PLD, and are capable of covering the cryptographic requirements of a wide range of modern communication systems. Moreover, the designs produced have a gate count and throughput comparable with or better than the previous one-off solutions.