• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.12 no.9
• /
• pp.4576-4598
• /
• 2018

In big data age, flexible and affordable cloud storage service greatly enhances productivity for enterprises and individuals, but spontaneously has their outsourced data susceptible to integrity breaches. Provable Data Possession (PDP) as a critical technology, could enable data owners to efficiently verify cloud data integrity, without downloading entire copy. To address challenging integrity problem on multiple clouds for multiple owners, an identity-based batch PDP scheme was presented in ProvSec 2016, which attempted to eliminate public key certificate management issue and reduce computation overheads in a secure and batch method. In this paper, we firstly demonstrate this scheme is insecure so that any clouds who have outsourced data deleted or modified, could efficiently pass integrity verification, simply by utilizing two arbitrary block-tag pairs of one data owner. Specifically, malicious clouds are able to fabricate integrity proofs by 1) universally forging valid tags and 2) recovering data owners' private keys. Secondly, to enhance the security, we propose an improved scheme to withstand these attacks, and prove its security with CDH assumption under random oracle model. Finally, based on simulations and overheads analysis, our batch scheme demonstrates better efficiency compared to an identity based multi-cloud PDP with single owner effort.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.12 no.1
• /
• pp.67-80
• /
• 2002

In this article, a new block encryption algorithm FRACTAL is introduced. FRACTAL adopts 8-round Feistel structure handling 128 hit inputs and keys. Furthermore, FRACTAL possesses the provable security against DC and LC, which are known to he the most powerful attacks on block ciphers.

• ETRI Journal
• /
• v.23 no.4
• /
• pp.158-167
• /
• 2001

We examine the diffusion layers of some block ciphers referred to as substitution-permutation networks. We investigate the practical and provable security of these diffusion layers against differential and linear cryptanalysis. First, in terms of practical security, we show that the minimum number of differentially active S-boxes and that of linearly active S-boxes are generally not identical and propose some special conditions in which those are identical. We also study the optimal diffusion effect for some diffusion layers according to their constraints. Second, we obtain the results that the consecutive two rounds of SPN structure provide provable security against differential and linear cryptanalysis, i.e., we prove that the probability of each differential (resp. linear hull) of the consecutive two rounds of SPN structure with a maximal diffusion layer is bounded by $p^n(resp.q^n)$ and that of each differential (resp. linear hull) of the SDS function with a semi-maximal diffusion layer is bounded by $p^{n-1}(resp. q^{n-1})$, where p and q are maximum differential and linear probabilities of the substitution layer, respectively.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.8 no.6
• /
• pp.15-20
• /
• 2008

Provable security has widely been used to prove a cryptosystem's security formally in crpytography. In this paper, we analyze the Cramer-Shoup public key cryptosystem that has been known to be provable secure against adaptive chosen ciphertext attack and argue that its security proof is not complete in the generic sense of adaptive chosen ciphertext attack. Future research should be directed toward two directions: one is to make the security proof complete even against generic sense of adaptive chosen ciphertext attack, and another is to try finding counterexamples of successful adaptive chosen ciphertext attack on the Cramer-Shoup cryptosystem.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.20 no.4
• /
• pp.3-16
• /
• 2010

Key derivation functions are used within many cryptographic systems in order to generate various keys from a fixed short key string. In this paper we survey a state-of-the-art in the key derivation functions and wish to examine the soundness of the functions on the view point of provable security. Especially we focus on the key derivation functions using pseudorandom functions which are recommended by NISI recently, and show that the variant of Double-Pipeline Iteration mode using pseudorandom permutations is a pseudorandom function. Block ciphers can be regarded as practical primitives of pseudorandom permutations.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.7 no.4
• /
• pp.910-922
• /
• 2013

In 2008, Chin et al. proposed an efficient and provable secure identity-based identification scheme in the standard model. However, we discovered a subtle flaw in the security proof which renders the proof of security useless. While no weakness has been found in the scheme itself, a scheme that is desired would be one with an accompanying proof of security. In this paper, we provide a fix to the scheme to overcome the problem without affecting the efficiency as well as a new proof of security. In particular, we show that only one extra pre-computable pairing operation should be added into the commitment phase of the identification protocol to fix the proof of security under the same hard problems.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.3
• /
• pp.547-557
• /
• 2015

The security of all cryptographic algorithms and protocols is based on the confidentiality of secret keys. Key management mechanism is an indispensable part of the cryptographic system and this deals with the generation, exchange, storage, use, and replacement of keys. Within the key management mechanism there are key derivation functions (KDFs) which derive one or more keys from a master key. NIST specifies three families of PRF-based KDFs in SP 800-108. In this paper, we examine the difference of security models between the KDFs and the encryption modes of operations. Moreover we focus on the provable security of PRF-based KDFs according to input types of counters, and show that the counter and feedback modes of KDFs using XOR of counters are insecure, while these modes using concatenation of counters are secure.

• Journal of Communications and Networks
• /
• v.14 no.1
• /
• pp.104-110
• /
• 2012

Group key agreement protocols allow a group of users, communicating over a public network, to establish a shared secret key to achieve a cryptographic goal. Protocols based on certificateless public key cryptography (CL-PKC) are preferred since CL-PKC does not need certificates to guarantee the authenticity of public keys and does not suffer from key escrow of identity-based cryptography. Most previous certificateless group key agreement protocols deploy signature schemes to achieve authentication and do not have constant rounds. No security model has been presented for group key agreement protocols based on CL-PKC. This paper presents a security model for a certificateless group key agreement protocol and proposes a constant-round group key agreement protocol based on CL-PKC. The proposed protocol does not involve any signature scheme, which increases the efficiency of the protocol. It is formally proven that the proposed protocol provides strong AKE-security and tolerates up to $n$-2 malicious insiders for weak MA-security. The protocol also resists key control attack under a weak corruption model.

• Proceedings of the Korea Institutes of Information Security and Cryptology Conference
• /
• 1994.11a
• /
• pp.45-50
• /
• 1994

대화형 영지식 증명시스템을 사용하여 D. Chaum의 undeniable signature에 대한 거짓말 탐지기 기능 문제를 해결한 안전성이 증명된 의뢰 undeniable signature 방식을 제안한다. 제안한 방식의 안전성은 영지식 대화형 증명시스템과 고차잉여류 문제에 기반을 두고 있다.

• The KIPS Transactions:PartC
• /
• v.9C no.4
• /
• pp.573-580
• /
• 2002

Within the security architecture of the 3GPP system there is a standardised integrity algorithm f9. The integrity algorithm f9 computes a MAC to authenticate the data integrity and data origin of signalling data over a radio access link of W-CDMA IMT-2000. f9 is a variant of the standard CBC MAC based on the block cipher KASUMI. In this paper we provide the provable security of f9 We prove that f9 is secure by giving concrete bound on an adversary's inability to forge in terms of her inability to distinguish the underlying block cipher from a pseudorandom permutation.