Xuejia Lai - Academia.edu

Papers by Xuejia Lai

The Pseudorandomness of Many-Round Lai-Massey Scheme

Journal of Information Science and Engineering

In this paper we prove a beyond-birthday bound for the (strong) pseudorandomness of the many-round Lai-Massey scheme. Motivated by Hoang and Rogaway's analysis of generalized Feistel networks, we use the coupling technique from Markov chain theory and prove that for any > 0, with enough rounds, the Lai-Massey scheme is indistinguishable from a uniform random permutation by any computationally unbounded distinguisher making at most q ∼ N 1− combined chosen plaintext/ciphertext (CCA) queries, where N is the range size of the round function. Previous works by Vaudenay et al. and Yun et al. only proved birthday-bound CCA security of the Lai-Massey scheme.

Multiplier System in the Tile Assembly Model with Reduced Tileset-Size

Advances in Intelligent Systems and Computing, 2014

Previously, a 28-tile multiplier system which computes the product of two numbers was proposed by Brun. However, its tileset size is not optimal. In this paper we prove that multiplication can be carried out using fewer tile types while maintaining the same time efficiency: we propose two new tile assembly systems, both of which can deterministically compute A*B for given A and B in constant time. Our first system requires 24 computational tile types and our second system requires 16 tile types, both smaller constants than Brun's 28-tile multiplier system.

A Linguistic Reputation System Applied in Peer-to-Peer

2008 International Conference on Audio, Language and Image Processing, 2008

... A Linguistic Reputation System Applied in Peer-to-Peer. Zijian Deng, Xuejia Lai, Dake He (Laboratory of Information Security and National Computing Grid, Southwest Jiaotong ...). ... the explanatory database (ED) is a collection of relations of the form "X is i ω", which is defined. ...

Higher Order Derivatives and Differential Cryptanalysis

Communications and Cryptography, 1994

Higher Order Derivatives and Differential Cryptanalysis. Xuejia Lai, R³ Security Engineering AG, CH-8607 Aathal, Switzerland. Abstract: High-order derivatives of multi-variable functions are studied in this paper as a natural generalization of the basic concept used in differential ...

Authentication and Authorization in the IN

Workshop on Intelligent Network

Symmetric-key cryptosystem with DNA technology

Science in China Series F: Information Sciences, 2007

... symmetric-key encryption, DNA cryptography, DNA computing ... As described, unresolved difficult problems in DNA science might have special value in cryptography, independent of computing technologies, and can be used to build new cryptosystems. ...

The Key-Dependent Attack on Block Ciphers

Lecture Notes in Computer Science, 2009

In this paper, we formalize an attack scheme using the key-dependent property, called the key-dependent attack. In this attack, an intermediate value whose distribution is key-dependent is considered. The attack determines whether a key is right by conducting a statistical hypothesis test on the intermediate value. The time and data complexity of the key-dependent attack are also discussed. We also apply the key-dependent attack to reduced-round IDEA. This attack is based on the key-dependent distribution of certain terms in the Biryukov-Demirci equation. The attack on the 5.5-round variant of IDEA requires 2^21 chosen plaintexts and 2^112.1 encryptions. The attack on the 6-round variant requires 2^49 chosen plaintexts and 2^112.1 encryptions. Compared with previous attacks, the key-dependent attacks on 5.5-round and 6-round IDEA have the lowest time and data complexity, respectively.

Weak adaptive chosen ciphertext secure hybrid encryption scheme

We propose a security notion named weak adaptive chosen ciphertext security (IND-WCCA) for hybrid encryption schemes. Although it is weaker than adaptive chosen ciphertext security (IND-CCA), an IND-WCCA secure hybrid encryption scheme can be used in any situation in which an IND-CCA secure hybrid encryption scheme is used. We show that an IND-WCCA secure hybrid encryption scheme can be constructed from an IND-CCA secure KEM and an IND-PA secure DEM. Since IND-PA is the basic requirement for symmetric key encryption schemes, an IND-WCCA hybrid encryption scheme is very flexible and can use most stream ciphers and block ciphers as the DEM part of the scheme. Using the new security notion we can refine current IND-CCA secure hybrid encryption schemes and obtain more efficient IND-WCCA secure hybrid encryption schemes.

Impossible Differential Cryptanalysis of FOX

Block ciphers are the very foundation of computer and information security. FOX, also known as IDEA NXT, is a family of block ciphers published in 2004 and is known for its provable security against cryptanalysis. In this paper, we apply impossible differential cryptanalysis to the FOX cipher. We find a 4-round impossible differential, by using which adversaries can attack 5-, 6- and 7-round FOX64 with 2^71, 2^135 and 2^199 one-round encryptions respectively. Compared to the previous best attacks, which need 2^109.4, 2^173.4 and 2^237.4 full-round encryptions on 5-, 6- and 7-round FOX64, the method in this paper is the best known attack on the FOX cipher. This attack can also be applied to 5-round FOX128 with 2^135 one-round encryptions.

Bitwise Higher Order Differential Cryptanalysis

Lecture Notes in Computer Science, 2010

This paper applies the ideas of higher order differential cryptanalysis to block ciphers based on Boolean algebra. The theoretical foundation is built for later research, and two kinds of distinguishing attacks are proposed. The prerequisites of the attacks are also presented and proved, and an efficient algorithm is introduced to search for these prerequisites. Furthermore, our analysis shows that 5 rounds of the block cipher PRESENT can be distinguished using only 512 chosen plaintexts.

Improved Cryptanalysis of the FOX Block Cipher

Lecture Notes in Computer Science, 2010

In this paper, we analyze the pseudorandomness of the high-level structure of FOX64, and describe a 2-round pseudorandomness distinguisher and a 3-round strong pseudorandomness distinguisher, thus proving that 3 rounds and 4 rounds are necessary to achieve pseudorandomness and strong pseudorandomness respectively. We also find a 4-round impossible differential characteristic. By using it, an adversary can attack 5-, 6- and 7-round FOX64 with 2^69, 2^133 and 2^197 encryptions respectively, which improves the best known attack by a factor of 2^40.4. This attack can be extended to 5-round FOX128 with 2^133 encryptions.

Measuring Random Tests by Conditional Entropy and Optimal Execution Order

Lecture Notes in Computer Science, 2011


Information Security

Lecture Notes in Computer Science, 2011

This book constitutes the refereed proceedings of the 14th International Conference on Information Security, ISC 2011, held in Xi'an, China, in October 2011. The 25 revised full papers were carefully reviewed and selected from 95 submissions. The papers are organized in topical sections on attacks; protocols; public-key cryptosystems; network security; software security; system security; database security; privacy; digital signatures.

A new One-time Password Method

IERI Procedia, 2013

One-Time Passwords (OTP) can provide complete protection of the login-time authentication mechanism against replay attacks. In this paper, we propose TSOTP, a new, effective and simple OTP method that generates a unique passcode for each use. The calculation uses both time stamps and sequence numbers. A two-factor authentication prototype for mobile phones using this method has been developed and has been used in practice for a year.

On the hash function of ODH assumption

M. Abdalla, M. Bellare and P. Rogaway proposed a variation of the Diffie-Hellman assumption named the oracle Diffie-Hellman (ODH) assumption. They recommend using a one-way cryptographic hash function for the ODH assumption. We notice that if the hash function is merely one-way then there is an attack. We show that if the hash function is non-malleable then the computational version of the ODH assumption can be reduced to the computational Diffie-Hellman (CDH) assumption. But we cannot reduce the ODH assumption to the decisional Diffie-Hellman (DDH) assumption even if the hash function is non-malleable. It seems that we need a random oracle hash function to reduce the ODH assumption to the DDH assumption.

Hash Functions Based on Block Ciphers

Journal of Software, 2009

In this paper, a hash function with lower rate but higher efficiency is proposed, and it can be built on insecure compression functions. The security of this scheme is proved under the black-box model, and some compression functions based on block ciphers are given to build this scheme. It is also shown that the key schedule is a more important factor than the rate in the efficiency of a block-cipher-based hash function. The new scheme only needs 2 keys, and its key schedule can be pre-computed. This means the new scheme need not reschedule the keys at every step of the iteration, so its efficiency is improved.

Improved preimage attack on one-block MD4

Journal of Systems and Software, 2012

We propose an improved preimage attack on one-block MD4 with time complexity 2^94.98 MD4 compression function operations, as compared to 2^107 in [3]. We study the attack procedure in [3] and formulate the complexity of computing a preimage attack on one-block MD4. We attain the result mainly through the following two aspects, with the help of the complexity formula. First, we continue to compute two more steps backward to get two more chaining values for comparison during the meet-in-the-middle attack. Second, we search for two more neutral words in one independent chunk, and then propose the multi-neutral-word partial-fixing technique to get more message freedom and skip ten steps for partial-fixing, as compared to the previous four steps. We also use the initial structure technique and apply the same idea to improve the pseudo-preimage and preimage attacks on Extended MD4 by factors of 2^25.2 and 2^12.6 respectively, as compared to the previous attacks in [20].

Distinguishing properties and applications of higher order derivatives of Boolean functions

Information Sciences, 2014

Higher order differential cryptanalysis is based on a property of higher order derivatives of Boolean functions: the derivative of a Boolean function reduces its degree by at least 1, and continuously taking derivatives eventually yields the zero function. A quicker degree reduction means a lower data complexity in cryptanalysis, and it can be obtained from a fast point, at which the derivative reduces the degree by at least 2. In this paper, we show that the set of fast points of a Boolean function constitutes a linear subspace, and that its dimension plus the degree of the function is at most the size of the function. We also show that a non-zero fast point exists in every n-variable Boolean function of degree n − 1, in every symmetric Boolean function of degree d where n ≡ d (mod 2), and in every quadratic Boolean function with an odd number of variables, which helps us distinguish a few block ciphers and propose a new design principle concerning degree for block ciphers.

A unified method for finding impossible differentials of block cipher structures

Information Sciences, 2014

In this paper, we propose a systematic method for finding impossible differentials for block cipher structures, better than the U-method introduced by Kim et al. [4]. It is referred to as the unified impossible differential finding method (UID-method). We apply the UID-method to some popular block ciphers such as Gen-Skipjack, Gen-CAST256, Gen-MARS, Gen-RC6, Four-Cell and SMS4, and give the detailed impossible differentials. By the UID-method, we find a 16-round impossible differential on Gen-Skipjack and a 19-round impossible differential on Gen-CAST256. Thus we disprove Conjecture 2 proposed at Asiacrypt'00 [9] and the theorem in the FSE'09 rump session presentation [8]. On Gen-MARS and SMS4, the impossible differentials found by the UID-method are much longer than those found by the U-method. On the Four-Cell block cipher, our result is the same as the best result previously obtained by case-by-case treatment.

Improved efficiency of Kiltz07-KEM

Information Processing Letters, 2009

Kiltz proposed a practical key encapsulation mechanism (Kiltz07-KEM) which is secure against adaptive chosen ciphertext attacks (IND-CCA2) under the gap hashed Diffie-Hellman (GHDH) assumption [8]. We show a variant of Kiltz07-KEM which is more efficient than Kiltz07-KEM in encryption. The new scheme can be proved IND-CCA2 secure under the same assumption, GHDH.
