对一个基于细胞自动机的分组密码变形的分析

Subhayan Sen等人提出了一个基于细胞自动机的分组密码系统(cellular automata based cryptosystem,简称CAC),但并没有给出CAC的某些构造模块的细节描述,从应用角度考虑,将其中的一个模块固定得到CAC的变形--SMCAC(samemajor-CACAC).对SMCAC进行密码分析,结果表明,CAC的这种变形在选择明文攻击下是极不安全的.对SMCAC进行分析的意义在于,知道CAC的具体设计细节以后,借鉴对SMCAC的分析,有可能对CAC密码系统本身的安全性造成威胁.

AC分组密码的差分和线性密码分析

讨论AC分组密码对差分和线性密码分析的安全性，通过估计3轮AC的差分活动盒子的个数下界和12轮AC的线性活动盒子的个数下界，本文得到AC的12轮差分特征概率不大于2－128和线性逼近优势不大于2－67，因此，AC分组密码对差分和线性密码分析是安全的。

低轮FOX分组密码的碰撞-积分攻击

FOX是最近推出的系列分组密码，它的设计思想基于可证安全的研究结果，且在各种平台上的性能优良．本文利用碰撞攻击和积分攻击相结合的技术分析FOX的安全性，结果显示碰撞-积分攻击比积分攻击有效，攻击对4轮FOX64的计算复杂度是2^45.4，对5轮FOX64的计算复杂度是2^109.4，对6轮FOX64的计算复杂度是2^173.4，对7轮FOX64的计算复杂度是2^237.4，且攻击所需数据量均为2^9；也就是说4轮FOX64／64、5轮FOX64／128、6轮FOX64／192和7轮FOX64／256对本文攻击是不免疫的．

改进的CBC模式及其安全性分析

针对CBC模式在分块适应性攻击模型下不安全这一问题，提出了一个新的分组密码工作模式。新方案引进了Gray码，改变了原有模式的输入方式，打乱了前后输出输入的内在联系。同时，利用规约的思想对其安全性进行了分析。结果表明，在所用分组密码是伪随机置换的条件下，方案在分块适应性攻击模型下是可证明安全的。

一个优化的分组密码的工作模式

作为基本工作模式OFB具有流密码的特点，它允许明文的分组单位长度小于分组密码的长度，从而可适应用户数据格式的需要。但当分组单位长度远远小于分组密码的长度时，此模式使用分组密码的效率不高。因为不管加密多短的明文块，每加密一块都要使用一次分组密码。为了提高其效率，引进了计数嚣和缓冲嚣，使分组密码的输出得到全部使用。同时为了增强安全性，改进了OFB模式的反馈输入方式，使得在P．Rogaway等人给出的强安全性定义（priv）下是可证明安全的，并用M．Bellare和V．Shoup的玩游戏的方法给出了一个自然、通俗易懂的证明。

简评欧洲密码大计划的发展现状

NESSIE(New European Schemes for Signatures，Integrity，and Encryption)是一个为时三年的密码大计划，它的主要目的是为了推出一系列安全的密码模块，另一个目的是保持欧洲在密码研究领域的领先地位并增强密码在欧洲工业中的作用。它的整个运作过程是公开透明的，2000年3月公布了征集通告，2000年11月13～14日，召开第一次NESSIE会议，并公布征集到的所有算法。NESSIE共征集17个分组密码算法，经过一年多的评估，在今年9月12～13日召开的第二次NESSIE会议上，NESSIE公布了评选出的7个算法：IDEA，Khazad，MISTY1，SAFER++，Camellia，RC6，SHACAL，它们将作为NESSIE计划下一阶段重点评估的对象。NEESIE预计将在明年秋季召开第三次会议，届时将宣布最后的评选结果。本文简要介绍NESSIE的评估原则，阐述NESSIE对各个候选算法的取舍原因，同时列出算法设计者和公众对各个算法的分析情况。

SAFER系列密码算法的设计与分析

SAFER系列密码算法的总体结构采用SP-网络,它的设计具有其独到的几个特色.分析SAFER系列密码算法的设计思想,沿着设计者对它们不断改进的思路,分别描述其混淆层、扩散层、密钥扩展算法的性质和对它们的攻击.最后提出几个尚需进一步考虑的问题.

关于Noekeon分组密码

Noekeon是NESSIE公布的17个候选算法之一,讨论了Noekeon各个模块的密码特性及它们在整个密码中的作用,从中体会Noekeon的设计技巧.

Profiling side-channel attacks on cryptographic algorithms

Traditionally, attacks on cryptographic algorithms looked for mathematical weaknesses in the underlying structure of a cipher. Side-channel attacks, however, look to extract secret key information based on the leakage from the device on which the cipher is implemented, be it smart-card, microprocessor, dedicated hardware or personal computer. Attacks based on the power consumption, electromagnetic emanations and execution time have all been practically demonstrated on a range of devices to reveal partial secret-key information from which the full key can be reconstructed. The focus of this thesis is power analysis, more specifically a class of attacks known as profiling attacks. These attacks assume a potential attacker has access to, or can control, an identical device to that which is under attack, which allows him to profile the power consumption of operations or data flow during encryption. This assumes a stronger adversary than traditional non-profiling attacks such as differential or correlation power analysis, however the ability to model a device allows templates to be used post-profiling to extract key information from many different target devices using the power consumption of very few encryptions. This allows an adversary to overcome protocols intended to prevent secret key recovery by restricting the number of available traces. In this thesis a detailed investigation of template attacks is conducted, along with how the selection of various attack parameters practically affect the efficiency of the secret key recovery, as well as examining the underlying assumption of profiling attacks in that the power consumption of one device can be used to extract secret keys from another. Trace only attacks, where the corresponding plaintext or ciphertext data is unavailable, are then investigated against both symmetric and asymmetric algorithms with the goal of key recovery from a single trace. This allows an adversary to bypass many of the currently proposed countermeasures, particularly in the asymmetric domain. An investigation into machine-learning methods for side-channel analysis as an alternative to template or stochastic methods is also conducted, with support vector machines, logistic regression and neural networks investigated from a side-channel viewpoint. Both binary and multi-class classification attack scenarios are examined in order to explore the relative strengths of each algorithm. Finally these machine-learning based alternatives are empirically compared with template attacks, with their respective merits examined with regards to attack efficiency.

WLAN Security Processor

A novel wireless local area network (WLAN) security processor is described in this paper. It is designed to offload security encapsulation processing from the host microprocessor in an IEEE 802.11i compliant medium access control layer to a programmable hardware accelerator. The unique design, which comprises dedicated cryptographic instructions and hardware coprocessors, is capable of performing wired equivalent privacy, temporal key integrity protocol, counter mode with cipher block chaining message authentication code protocol, and wireless robust authentication protocol. Existing solutions to wireless security have been implemented on hardware devices and target specific WLAN protocols whereas the programmable security processor proposed in this paper provides support for all WLAN protocols and thus, can offer backwards compatibility as well as future upgrade ability as standards evolve. It provides this additional functionality while still achieving equivalent throughput rates to existing architectures. © 2006 IEEE.

Generic Architecture and Semiconductor Intellectual Property Cores for Avanced Encryption Standard Cryptography

A generic architecture for implementing the advanced encryption standard (AES) encryption algorithm in silicon is proposed. This allows the instantiation of a wide range of chip specifications, with these taking the form of semiconductor intellectual property (IP) cores. Cores implemented from this architecture can perform both encryption and decryption and support four modes of operation: (i) electronic codebook mode; (ii) output feedback mode; (iii) cipher block chaining mode; and (iv) ciphertext feedback mode. Chip designs can also be generated to cover all three AES key lengths, namely 128 bits, 192 bits and 256 bits. On-the-fly generation of the round keys required during decryption is also possible. The general, flexible and multi-functional nature of the approach described contrasts with previous designs which, to date, have been focused on specific implementations. The presented ideas are demonstrated by implementation in FPGA technology. However, the architecture and IP cores derived from this are easily migratable to other silicon technologies including ASIC and PLD and are capable of covering a wide range of modem communication systems cryptographic requirements. Moreover, the designs produced have a gate count and throughput comparable with or better than the previous one-off solutions.