Wun-she Yap - Academia.edu (original) (raw)

Papers by Wun-she Yap

Security and Communication Networks, 2015

ABSTRACT In 2011, Eissa, Razak and Ngadi proposed a lightweight authentication and encryption sch... more ABSTRACT In 2011, Eissa, Razak and Ngadi proposed a lightweight authentication and encryption scheme to enhance the performance for mobile ad hoc network in Wireless Network, Vol. 17, No. 4, 2011. The main building block of such scheme is an identity-based encryption scheme. The scheme was proven secure in the random oracle model assuming the computational Diffie–Hellman assumption is hard. In this paper, we show that the proposed scheme is not even secure against chosen plaintext attack, which is the lowest acceptable level of security. In addition, we demonstrate the RSA parameter suggested by Eissa et al. to yield a better network performance is not appropriate under a wrong security assumption that each mobile node is totally trusted. Such short RSA parameter leads to a key recovery attack. Copyright © 2015 John Wiley & Sons, Ltd.

Lecture Notes in Computer Science, 2006

In traditional public key cryptosystems (PKC), the public key of a signer is essentially a random... more In traditional public key cryptosystems (PKC), the public key of a signer is essentially a random bit string. This leads to a problem of how the public key is associated with the signer. In these cryptosystems, the binding between public key and identity of the signer is obtained via a ...

Nonlinear Dynamics, 2015

ABSTRACT Wang and Guo (Nonlinear Dyn 76(4):1943-1950, 2014) proposed a new image alternate encryp... more ABSTRACT Wang and Guo (Nonlinear Dyn 76(4):1943-1950, 2014) proposed a new image alternate encryption algorithm based on chaotic map. The image alternate encryption can be conceptually treated as a block cipher where a round function which provides both confusion and diffusion is applied on a plain image iteratively. After performing the round function for \(T\) iterations, the processed image is denoted as the encrypted image. We analyse the security of Wang and Guo image encryption scheme, especially from cryptographic point of view, in line with the designers’ approach in their security analyses. Negatively, we show that the image encryption scheme is vulnerable to an impossible differential attack (a type of chosen plaintext attack) and a divide-and-conquer attack when a large all black image is encrypted. This paper serves as another important security result showing that any future design of image encryption schemes based on chaotic map should be evaluated through systematic cryptanalytic approaches which include impossible differential attack. To the best of our knowledge, this is the first impossible differential attack applied on an image encryption algorithm.

Lecture Notes in Computer Science, 2007

The concept of proxy signature was introduced by Mambo et al. to delegate signing capability in t... more The concept of proxy signature was introduced by Mambo et al. to delegate signing capability in the digital world. In this paper, we show that three existing proxy signature schemes without certificates, namely, the Qian and Cao identity-based proxy signature (IBPS) scheme, the Guo et al. IBPS scheme and the Li et al. certificateless proxy signature (CLPS) scheme are insecure against universal forgery. More precisely, we show that any user who has a valid public-private key pair can act as a cheating proxy signer and forge the proxy signature on behalf of the original signer at will, without obtaining the official delegation from the original signer.

22nd International Conference on Advanced Information Networking and Applications - Workshops (aina workshops 2008), 2008

... Wun-She Yap Institute for Infocomm Research 21 Heng Mui Keng Terrace, Singapore 119613 wsyap@... more ... Wun-She Yap Institute for Infocomm Research 21 Heng Mui Keng Terrace, Singapore 119613 wsyap@i2r.a-star.edu.sg Swee-Huay Heng Bok-Min Goi Centre for Cryptography and Information Security (CCIS) Multimedia University, Malaysia {shheng,bmgoi}@mmu ... Cheng et al. ...

The SEED block cipher has a 128-bit block length, a 128-bit user key and a total number of 16 rou... more The SEED block cipher has a 128-bit block length, a 128-bit user key and a total number of 16 rounds. It is an ISO international standard. In this letter, we describe two 7-round differentials with a trivially larger probability than the best previously known one on SEED, and present a differential cryptanalysis attack on a 9-round reduced version of SEED. The attack requires a memory of 2 69.71 bytes, and has a time complexity of 2 126.36 encryptions with a success probability of 99.9% when using 2 125 chosen plaintexts, or a time complexity of 2 125.36 encryptions with a success probability of 97.8% when using 2 124 chosen plaintexts. Our result is better than any previously published cryptanalytic results on SEED in terms of the numbers of attacked rounds, and it suggests for the first time that the safety margin of SEED decreases below half of the number of rounds.

Lecture Notes in Computer Science, 2007

In PKC 2006, Chow, Boyd and González Neito introduced the notion of security mediated certificate... more In PKC 2006, Chow, Boyd and González Neito introduced the notion of security mediated certificateless (SMC) cryptography. SMC cryptography equips certificateless cryptography with instantaneous revocation. They presented a formal security model with two constructions for SMC encryption. This paper studies SMC signatures. We first present a security analysis of a previous attempt by Ju et al. in constructing a SMC signature scheme. We then formalize the notion of SMC signatures and propose the first concrete provable ...

ABSTRACT The Galois/Counter Mode of operations (GCM) is constructed by combining the counter mode... more ABSTRACT The Galois/Counter Mode of operations (GCM) is constructed by combining the counter mode encryption and the authentication component (i.e., GTAG) to provide both privacy and authenticity. GTAG can be used as a stand-alone message authentication code. In this paper, we analyze the security of GTAG and GCM with respect to the forgery and distinguishing attacks. More precisely,We generalize the set of weak key classes proposed by Saarinen in FSE 2012 to include all subsets of nonzero keys. Hence, we remove the condition on the smoothness of 2n − 1, where n denotes the block size, for the existence of weak key classes.By considering powers of suitable field elements and linearized polynomials, we further exploit some specific weak key classes to present a universal forgery attack on GTAG.By invoking the birthday paradox arguments, we show that a chosen message attack can be used to distinguish GTAG from a random function.To relax the assumptions required in the universal forgery attack, we show that we can utilize the uniqueness of the counter mode encryption to launch a known ciphertext attack against GCM itself when the initial vector is restricted to 96 bits.The first three attacks can be applied to other Wegman–Carter polynomial message authentication codes. Copyright © 2013 John Wiley & Sons, Ltd.

ABSTRACT Multi-proxy signature is used to delegate a permission of an owner to at least two proxi... more ABSTRACT Multi-proxy signature is used to delegate a permission of an owner to at least two proxies in the digital world. Recently, Sahu and Padhye gave a new construction of identity-based multi-proxy signature. Their scheme's security was supported by a reduction proof against a hard mathematical problem. Even supported by such security proofs, we present some forgery attacks against Sahu and Padhye's scheme. We demonstrate that any dishonest insider or any malicious outsider can break the security of Sahu and Padhye's scheme by forging either a permission or a multi-proxy signature. In fact, our forgery attacks exploit the security weakness in their underlying identity-based signature scheme, which is the fundamental constructing component of their proposed scheme. Copyright © 2014 John Wiley & Sons, Ltd.

ABSTRACT Message authentication codes (MACs) are widely used in communication networks for authen... more ABSTRACT Message authentication codes (MACs) are widely used in communication networks for authentication purposes. In EUROCRYPT 2002, Black and Rogaway proposed a parallelizable MAC (PMAC), which is relatively efficient when a parallel environment is possible. This parallelism is achieved via constant multiplications in the underlying finite field. In order to yield a better solution, Rogaway refined PMAC in ASIACRYPT 2004 by using a powering-up construction to generate the constants. This is in contrast to the first design that uses successive words of the gray code to generate the constants. In this paper, we analyze how some unique characteristics of these constants result in weaknesses of the respective PMAC designs against forgery attacks in different ways. Thus, our analysis highlights some pitfalls that designers should be mindful of when designing schemes that exploit such constants. Copyright © 2013 John Wiley & Sons, Ltd.

Lecture Notes in Computer Science, 2007

Unforgeability and blindness are two important properties of blind signature. The latter means th... more Unforgeability and blindness are two important properties of blind signature. The latter means that after interacting with various users, the signer is unable to link a valid message-signature pair. In ICCSA 2006, Zhang et al. showed that a signer in an identity-based blind signature scheme proposed by Huang et al. is able to link a valid messagesignature pair obtained by some user. They also presented an improved scheme to overcome this flaw. In ICICIC 2006, Zhang and Zou showed that the identity-based blind signature scheme proposed by Zhang and Kim also suffered from the similar linkability attack. In this paper, we first show that the so-called linkability can be shown for Zhang et al.'s improved scheme as well. We then point out that the linkability attack against the Huang et al. scheme and the Zhang-Kim scheme is invalid.

IEEE Communications Letters, 2000

ABSTRACT Usually the main primitive in building a secure wireless authentication is a cryptograph... more ABSTRACT Usually the main primitive in building a secure wireless authentication is a cryptographic algorithm, such as digital signature scheme. He et al. proposed a handover authentication protocol in [1] (IEEE Trans. Wireless Commun., vol. 11, no. 1, 2011) and a distributed reprogramming protocol in [3] (IEEE Trans. Ind. Electron., vol. 59, no. 11, 2012) for wireless networks. Both protocols are based on an identity-based signature scheme which is claimed to be secure yet efficient. Very recently, He et al. pointed out that such a signature scheme is vulnerable to the key compromised problem. They proposed a simple modification to fix this problem without losing the efficiency and security of the scheme in both [2] (IEEE Commun. Lett., vol. 16, no. 8, 2012) and [4] (IEEE Trans. Ind. Electron., to appear). In this letter, we show that the proposed modification remains vulnerable to the key compromised problem.

Information Processing Letters, 2014

The SEED block cipher has a 128-bit block length, a 128-bit user key and a total number of 16 rou... more The SEED block cipher has a 128-bit block length, a 128-bit user key and a total number of 16 rounds. It is an ISO international standard. In this letter, we describe two 7-round differentials with a trivially larger probability than the best previously known one on SEED, and present a differential cryptanalysis attack on a 9-round reduced version of SEED. The attack requires a memory of 2 69.71 bytes, and has a time complexity of 2 126.36 encryptions with a success probability of 99.9% when using 2 125 chosen plaintexts, or a time complexity of 2 125.36 encryptions with a success probability of 97.8% when using 2 124 chosen plaintexts. Our result is better than any previously published cryptanalytic results on SEED in terms of the numbers of attacked rounds, and it suggests for the first time that the safety margin of SEED decreases below half of the number of rounds.

This paper provides a fresh analysis of the widely-used Common Scrambling Algorithm stream cipher... more This paper provides a fresh analysis of the widely-used Common Scrambling Algorithm stream cipher (CSA-SC). Firstly, a new representation of CSA-SC with a state size of only 89 bits is given, a significant reduction from the 103 bit state of a previous CSA-SC representation. Analysis of this 89-bit representation demonstrates that the basis of a previous guess-and-determine attack is flawed.

Security and Communication Networks, 2015

ABSTRACT In 2011, Eissa, Razak and Ngadi proposed a lightweight authentication and encryption sch... more ABSTRACT In 2011, Eissa, Razak and Ngadi proposed a lightweight authentication and encryption scheme to enhance the performance for mobile ad hoc network in Wireless Network, Vol. 17, No. 4, 2011. The main building block of such scheme is an identity-based encryption scheme. The scheme was proven secure in the random oracle model assuming the computational Diffie–Hellman assumption is hard. In this paper, we show that the proposed scheme is not even secure against chosen plaintext attack, which is the lowest acceptable level of security. In addition, we demonstrate the RSA parameter suggested by Eissa et al. to yield a better network performance is not appropriate under a wrong security assumption that each mobile node is totally trusted. Such short RSA parameter leads to a key recovery attack. Copyright © 2015 John Wiley & Sons, Ltd.

Lecture Notes in Computer Science, 2006

In traditional public key cryptosystems (PKC), the public key of a signer is essentially a random... more In traditional public key cryptosystems (PKC), the public key of a signer is essentially a random bit string. This leads to a problem of how the public key is associated with the signer. In these cryptosystems, the binding between public key and identity of the signer is obtained via a ...

Nonlinear Dynamics, 2015

ABSTRACT Wang and Guo (Nonlinear Dyn 76(4):1943-1950, 2014) proposed a new image alternate encryp... more ABSTRACT Wang and Guo (Nonlinear Dyn 76(4):1943-1950, 2014) proposed a new image alternate encryption algorithm based on chaotic map. The image alternate encryption can be conceptually treated as a block cipher where a round function which provides both confusion and diffusion is applied on a plain image iteratively. After performing the round function for \(T\) iterations, the processed image is denoted as the encrypted image. We analyse the security of Wang and Guo image encryption scheme, especially from cryptographic point of view, in line with the designers’ approach in their security analyses. Negatively, we show that the image encryption scheme is vulnerable to an impossible differential attack (a type of chosen plaintext attack) and a divide-and-conquer attack when a large all black image is encrypted. This paper serves as another important security result showing that any future design of image encryption schemes based on chaotic map should be evaluated through systematic cryptanalytic approaches which include impossible differential attack. To the best of our knowledge, this is the first impossible differential attack applied on an image encryption algorithm.

Lecture Notes in Computer Science, 2007

The concept of proxy signature was introduced by Mambo et al. to delegate signing capability in t... more The concept of proxy signature was introduced by Mambo et al. to delegate signing capability in the digital world. In this paper, we show that three existing proxy signature schemes without certificates, namely, the Qian and Cao identity-based proxy signature (IBPS) scheme, the Guo et al. IBPS scheme and the Li et al. certificateless proxy signature (CLPS) scheme are insecure against universal forgery. More precisely, we show that any user who has a valid public-private key pair can act as a cheating proxy signer and forge the proxy signature on behalf of the original signer at will, without obtaining the official delegation from the original signer.

22nd International Conference on Advanced Information Networking and Applications - Workshops (aina workshops 2008), 2008

... Wun-She Yap Institute for Infocomm Research 21 Heng Mui Keng Terrace, Singapore 119613 wsyap@... more ... Wun-She Yap Institute for Infocomm Research 21 Heng Mui Keng Terrace, Singapore 119613 wsyap@i2r.a-star.edu.sg Swee-Huay Heng Bok-Min Goi Centre for Cryptography and Information Security (CCIS) Multimedia University, Malaysia {shheng,bmgoi}@mmu ... Cheng et al. ...

The SEED block cipher has a 128-bit block length, a 128-bit user key and a total number of 16 rou... more The SEED block cipher has a 128-bit block length, a 128-bit user key and a total number of 16 rounds. It is an ISO international standard. In this letter, we describe two 7-round differentials with a trivially larger probability than the best previously known one on SEED, and present a differential cryptanalysis attack on a 9-round reduced version of SEED. The attack requires a memory of 2 69.71 bytes, and has a time complexity of 2 126.36 encryptions with a success probability of 99.9% when using 2 125 chosen plaintexts, or a time complexity of 2 125.36 encryptions with a success probability of 97.8% when using 2 124 chosen plaintexts. Our result is better than any previously published cryptanalytic results on SEED in terms of the numbers of attacked rounds, and it suggests for the first time that the safety margin of SEED decreases below half of the number of rounds.

Lecture Notes in Computer Science, 2007

In PKC 2006, Chow, Boyd and González Neito introduced the notion of security mediated certificate... more In PKC 2006, Chow, Boyd and González Neito introduced the notion of security mediated certificateless (SMC) cryptography. SMC cryptography equips certificateless cryptography with instantaneous revocation. They presented a formal security model with two constructions for SMC encryption. This paper studies SMC signatures. We first present a security analysis of a previous attempt by Ju et al. in constructing a SMC signature scheme. We then formalize the notion of SMC signatures and propose the first concrete provable ...

ABSTRACT The Galois/Counter Mode of operations (GCM) is constructed by combining the counter mode... more ABSTRACT The Galois/Counter Mode of operations (GCM) is constructed by combining the counter mode encryption and the authentication component (i.e., GTAG) to provide both privacy and authenticity. GTAG can be used as a stand-alone message authentication code. In this paper, we analyze the security of GTAG and GCM with respect to the forgery and distinguishing attacks. More precisely,We generalize the set of weak key classes proposed by Saarinen in FSE 2012 to include all subsets of nonzero keys. Hence, we remove the condition on the smoothness of 2n − 1, where n denotes the block size, for the existence of weak key classes.By considering powers of suitable field elements and linearized polynomials, we further exploit some specific weak key classes to present a universal forgery attack on GTAG.By invoking the birthday paradox arguments, we show that a chosen message attack can be used to distinguish GTAG from a random function.To relax the assumptions required in the universal forgery attack, we show that we can utilize the uniqueness of the counter mode encryption to launch a known ciphertext attack against GCM itself when the initial vector is restricted to 96 bits.The first three attacks can be applied to other Wegman–Carter polynomial message authentication codes. Copyright © 2013 John Wiley & Sons, Ltd.

ABSTRACT Multi-proxy signature is used to delegate a permission of an owner to at least two proxi... more ABSTRACT Multi-proxy signature is used to delegate a permission of an owner to at least two proxies in the digital world. Recently, Sahu and Padhye gave a new construction of identity-based multi-proxy signature. Their scheme's security was supported by a reduction proof against a hard mathematical problem. Even supported by such security proofs, we present some forgery attacks against Sahu and Padhye's scheme. We demonstrate that any dishonest insider or any malicious outsider can break the security of Sahu and Padhye's scheme by forging either a permission or a multi-proxy signature. In fact, our forgery attacks exploit the security weakness in their underlying identity-based signature scheme, which is the fundamental constructing component of their proposed scheme. Copyright © 2014 John Wiley & Sons, Ltd.

ABSTRACT Message authentication codes (MACs) are widely used in communication networks for authen... more ABSTRACT Message authentication codes (MACs) are widely used in communication networks for authentication purposes. In EUROCRYPT 2002, Black and Rogaway proposed a parallelizable MAC (PMAC), which is relatively efficient when a parallel environment is possible. This parallelism is achieved via constant multiplications in the underlying finite field. In order to yield a better solution, Rogaway refined PMAC in ASIACRYPT 2004 by using a powering-up construction to generate the constants. This is in contrast to the first design that uses successive words of the gray code to generate the constants. In this paper, we analyze how some unique characteristics of these constants result in weaknesses of the respective PMAC designs against forgery attacks in different ways. Thus, our analysis highlights some pitfalls that designers should be mindful of when designing schemes that exploit such constants. Copyright © 2013 John Wiley & Sons, Ltd.

Lecture Notes in Computer Science, 2007

Unforgeability and blindness are two important properties of blind signature. The latter means th... more Unforgeability and blindness are two important properties of blind signature. The latter means that after interacting with various users, the signer is unable to link a valid message-signature pair. In ICCSA 2006, Zhang et al. showed that a signer in an identity-based blind signature scheme proposed by Huang et al. is able to link a valid messagesignature pair obtained by some user. They also presented an improved scheme to overcome this flaw. In ICICIC 2006, Zhang and Zou showed that the identity-based blind signature scheme proposed by Zhang and Kim also suffered from the similar linkability attack. In this paper, we first show that the so-called linkability can be shown for Zhang et al.'s improved scheme as well. We then point out that the linkability attack against the Huang et al. scheme and the Zhang-Kim scheme is invalid.

IEEE Communications Letters, 2000

ABSTRACT Usually the main primitive in building a secure wireless authentication is a cryptograph... more ABSTRACT Usually the main primitive in building a secure wireless authentication is a cryptographic algorithm, such as digital signature scheme. He et al. proposed a handover authentication protocol in [1] (IEEE Trans. Wireless Commun., vol. 11, no. 1, 2011) and a distributed reprogramming protocol in [3] (IEEE Trans. Ind. Electron., vol. 59, no. 11, 2012) for wireless networks. Both protocols are based on an identity-based signature scheme which is claimed to be secure yet efficient. Very recently, He et al. pointed out that such a signature scheme is vulnerable to the key compromised problem. They proposed a simple modification to fix this problem without losing the efficiency and security of the scheme in both [2] (IEEE Commun. Lett., vol. 16, no. 8, 2012) and [4] (IEEE Trans. Ind. Electron., to appear). In this letter, we show that the proposed modification remains vulnerable to the key compromised problem.

Information Processing Letters, 2014

The SEED block cipher has a 128-bit block length, a 128-bit user key and a total number of 16 rou... more The SEED block cipher has a 128-bit block length, a 128-bit user key and a total number of 16 rounds. It is an ISO international standard. In this letter, we describe two 7-round differentials with a trivially larger probability than the best previously known one on SEED, and present a differential cryptanalysis attack on a 9-round reduced version of SEED. The attack requires a memory of 2 69.71 bytes, and has a time complexity of 2 126.36 encryptions with a success probability of 99.9% when using 2 125 chosen plaintexts, or a time complexity of 2 125.36 encryptions with a success probability of 97.8% when using 2 124 chosen plaintexts. Our result is better than any previously published cryptanalytic results on SEED in terms of the numbers of attacked rounds, and it suggests for the first time that the safety margin of SEED decreases below half of the number of rounds.

This paper provides a fresh analysis of the widely-used Common Scrambling Algorithm stream cipher... more This paper provides a fresh analysis of the widely-used Common Scrambling Algorithm stream cipher (CSA-SC). Firstly, a new representation of CSA-SC with a state size of only 89 bits is given, a significant reduction from the 103 bit state of a previous CSA-SC representation. Analysis of this 89-bit representation demonstrates that the basis of a previous guess-and-determine attack is flawed.