International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Jianying Zhou

Publications

Year
Venue
Title
2021
TOSC
PLCrypto: A Symmetric Cryptographic Library for Programmable Logic Controllers
Programmable Logic Controllers (PLCs) are control devices widely used in industrial automation. They can be found in critical infrastructures like power grids, water systems, nuclear plants, manufacturing systems, etc. This paper introduces PLCrypto, a software cryptographic library that implements lightweight symmetric cryptographic algorithms for PLCs using a standard PLC programming language called structured text (ST). To the best of our knowledge, PLCrypto is the first ST-based cryptographic library that is executable on commercial off-the-shelf PLCs. PLCrypto includes a wide range of commonly used algorithms, totaling ten algorithms, including one-way functions, message authentication codes, hash functions, block ciphers, and pseudo-random functions/generators. PLCrypto can be used to protect the confidentiality and integrity of data on PLCs without additional hardware or firmware modification. This paper also presents general optimization methodologies and techniques used in PLCrypto for implementing primitive operations like bit-shifting/rotation, substitution, and permutation. The optimization tricks we distilled from our practice can also guide future implementation of other computationheavy programs on PLCs. To demonstrate a use case of PLCrypto in practice, we further realize a cryptographic protocol called proof of aliveness as a case study. We benchmarked the algorithms and protocols in PLCrypto on a commercial PLC, Allen Bradley ControlLogix 5571, which is widely used in the real world. Also, we make our source codes publicly available, so plant operators can freely deploy our library in practice.
2014
EPRINT
2014
EPRINT
2010
EPRINT
Practical ID-based Encryption for Wireless Sensor Network
In this paper, we propose a new practical identity-based encryption scheme which is suitable for wireless sensor network (WSN). We call it \textit{Receiver-Bounded Online/Offline Identity-based Encryption} (RB-OOIBE). It splits the encryption process into two parts -- the offline and the online part. In the offline part, all heavy computations are done without the knowledge of the receiver's identity and the plaintext message. In the online stage, only light computations such as modular operation and symmetric key encryption are required, together with the receiver's identity and the plaintext message. Moreover, since each offline ciphertext can be re-used for the same receiver, the number of offline ciphertexts the encrypter holds only confines the number of receivers instead of the number of messages to be encrypted. In this way, a sensor node (with limited computation power and limited storage) in WSN can send encrypted data easily: A few offline ciphertexts can be computed in the manufacturing stage while the online part is light enough for the sensor to process. We propose an efficient construction for this new notion. The scheme can be proven selective-ID CCA secure in the standard model. Compared to previous online/offline identity-based encryption schemes, our scheme is exempt from a high storage requirement, which is proportional to the number of messages to be sent. The improvement is very significant if many messages are sent to few receivers.
2010
EPRINT
Efficient Online/Offline Identity-Based Signature for Wireless Sensor Network
In this paper, we present an \emph{online/offline identity-based signature} scheme for the wireless sensor network (WSN). We argue that due to significant reduction in computational and storage costs, our scheme is particularly suitable for the WSN environment with severely constrained resources. One of the interesting features of our scheme is that it provides \textit{multi-time} usage of the offline storage, which allows the signer to re-use the offline pre-computed information in polynomial time, in contrast to \textit{one-time} usage in all previous online/offline signature schemes. As evidence of the practicality and feasibility of our scheme to be used in the WSN environment, we provide an actual implementation result of our scheme on the MicaZ platform.
2010
EPRINT
Identity-Based Online/Offline Key Encapsulation and Encryption
An identity-based online/offline encryption (IBOOE) scheme splits the encryption process into two phases. The first phase performs most of the heavy computations, such as modular exponentiation or pairing over points on elliptic curve. The knowledge of the plaintext or the receiver's identity is not required until the second phase, where the ciphertext is produced by only light computations, such as integer addition/multiplication or hashing. This division of computations makes encryption affordable by devices with limited computation power since the preparation works can be executed ``offline'' or possibly by some powerful devices. Since efficiency is the main concern, smaller ciphertext size and less burden in the computation requirements of all phases (i.e., both phases of encryption and the decryption phase) are desirable. In this paper, we proposed new schemes with improved efficiency over previous schemes by assuming random oracles. Our first construction is a very efficient scheme which is secure against chosen-plaintext attack (CPA), This scheme is slightly modified from an existing scheme. In particular, the setup and the user private key remain the same. We then proceed to propose the notion of ID-based Online/Offline KEM (IBOOKEM) that allows the key encapsulation process to be split into offline and online stages, in the same way as IBOOE does. We also present a generic transformation to get security against chosen-ciphertext attack (CCA) for IBOOE from any IBOOKEM scheme with one-wayness only. Our schemes (both CPA and CCA) are the most efficient one in the state-of-the-art, in terms of online computation and ciphertext size, which are the two main focuses of online/offline schemes. Our schemes are very suitable to be deployed on embedded devices such as smartcard or wireless sensor which have very limited computation powers and the communication bandwidth is very expensive.
2010
EPRINT
Online/Offline Identity-Based Signcryption Re-visited
In this paper, we re-define a cryptographic notion called Online/Offline Identity-Based Signcryption. It is an ``online/offline'' version of identity-based signcryption, where most of the computations are carried out offline and the online part does not require any heavy computations such as pairings or multiplications on elliptic curve. It is particularly suitable for power-constrained devices such as smart cards. We give a concrete implementation of online/offline identity-based signcryption. The construction is very efficient and flexible. Unlike all previous schemes in the literature, our scheme does not require the knowledge of receiver's information (either public key or identity) in the offline stage. The receiver's identity and the message to be signcrypted are only needed in the online stage. This feature provides great flexibility to our scheme and makes it practical to use in real-world applications. We prove that the proposed scheme meets strong security requirements in the random oracle model, assuming the Strong Diffie-Hellman (SDH) and Bilinear Diffie-Hellman Inversion (BDHI) are computationally hard.
2008
EPRINT
Certificate-Based Signature Schemes without Pairings or Random Oracles
In this paper, we propose two new certificate-based signature (CBS) schemes with new features and advantages. The first one is very efficient as it does not require any pairing computation and its security can be proven using Discrete Logarithm assumption in the random oracle model. We also propose another scheme whose security can be proven in the standard model without random oracles. To the best of our knowledge, these are the \emph{first} CBS schemes in the literature that have such kind of features.
2008
EPRINT
A New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack
We propose a new variant of the Cramer-Shoup KEM (key encapsulation mechanism). The proposed variant is more efficient than the original Cramer-Shoup KEM scheme in terms of public key size and encapsulation cost, but is proven to be (still) secure against chosen ciphertext attack in the standard model, relative to the Decisional Diffie-Hellman problem.
2007
EPRINT
New Constructions of Fuzzy Identity-Based Encryption
Joonsang Baek Willy Susilo Jianying Zhou
In this paper we construct two new fuzzy identity-based encryption (IBE) schemes in the random oracle model. Not only do our schemes provide public parameters whose size is independent of the number of attributes in each identity (used as public key) but they also have useful structures which result in more e±cient key extraction and/or encryption than the random oracle version of Sahai and Water's fuzzy IBE scheme, considered recently by Pirretti et al. We prove that the confidentiality of the proposed schemes is relative to the Bilinear Decisional Bilinear Diffie-Hellman problem.
2006
EPRINT
The Fairness of Perfect Concurrent Signatures
Guilin Wang Feng Bao Jianying Zhou
At Eurocrypt 2004, Chen, Kudla and Paterson introduced the concept of {\it concurrent signatures}, which allows two parties to produce two ambiguous signatures until an extra piece of information (called {\it keystone}) is released by the initial signer. Once the keystone is released publicly, both signatures are binding to their true signers {\it concurrently}. At ICICS 2004, Susilo, Mu and Zhang further proposed {\it perfect concurrent signatures} to strengthen the ambiguity of concurrent signatures. That is, even the both signers are known having issued one of the two ambiguous signatures, any third party is still unable to deduce who signed which signature, different from Chen et al.'s scheme. However, this paper points out that Susilo et al.'s two perfect concurrent signatures are actually {\it not} concurrent signatures. Specifically, we identify an attack that enables the initial signer to release a carefully prepared keystone that binds the matching signer's signature, but not the initial signer's. Therefore, both of their two schemes are {\it unfair} for the matching signer. Moreover, we present a simple but effective way to avoid this attack such that the improved schemes are truly perfect concurrent signatures.
2003
EPRINT
Security Analysis of Some Proxy Signatures
A proxy signature scheme allows an entity to delegate his/her signing capability to another entity in such a way that the latter can sign messages on behalf of the former. Such schemes have been suggested for use in a number of applications, particularly in distributed computing where delegation of rights is quite common. Followed by the first schemes introduced by Mambo, Usuda and Okamoto in 1996, a number of new schemes and improvements have been proposed. In this paper, we present a security analysis of four such schemes newly proposed in [15,16]. By successfully identifying several interesting forgery attacks, we show that all the four schemes are insecure. Consequently, the fully distributed proxy scheme in [11] is also insecure since it is based on the (insecure) LKK scheme [14,15]. In addition, we point out the reasons why the security proofs provided in [15] are invalid.
2003
EPRINT
On the Security of a Multi-Party Certified Email Protocol
Jianying Zhou
As a value-added service to deliver important data over the Internet with guaranteed receipt for each successful delivery, certified email has been discussed for years and a number of research papers appeared in the literature. But most of them deal with the two-party scenarios, i.e., there are only one sender and one recipient. In some applications, however, the same certified message may need to be sent to a set of recipients. In ISC'02, Ferrer-Gomila et. al. presented a multi-party certified email protocol~\cite{FPH02}. It has two major features. A sender could notify multiple recipients of the same information while only those recipients who acknowledged are able to get the information. In addition, its exchange protocol is optimized, which has only three steps. In this paper, we demonstrate some flaws and weaknesses in that protocol, and propose an improved version which is robust against the identified attacks while preserving the features of the original protocol.
2002
EPRINT
Cryptanalysis of the Lee-Hwang Group-Oriented Undeniable Signature Schemes
Guilin Wang Jianying Zhou Robert H. Deng
Undeniable signature is an intriguing concept introduced by Chaum and Antwerpen at Crypto'89. In 1999, Lee and Hwang presented two group-oriented undeniable signature schemes with a trusted center. Their schemes are natural generalizations of Chaum's zero-knowledge undeniable signature scheme proposed in 1990. However, we find that the Lee-Hwang schemes are insecure. In this paper, we demonstrate five attacks on their schemes: four of them are universal forgery, in which one dishonest member (maybe collude with a verifier) can get a valid signature on any chosen massage, and another attack allows a dishonest member to prevent honest members from generating valid signatures but his cheating behavior is undetected. We also suggest heuristic improvements to overcome some of the problems involved in these attacks.
2002
EPRINT
Validating Digital Signatures without Time-Stamping and Certificate Revocation
Jianying Zhou Feng Bao Robert Deng
In non-repudiation services where digital signatures usually serve as irrefutable cryptographic evidence for dispute resolution, trusted time-stamping and certificate revocation services, although very costly in practice, must be available, to prevent big loss due to compromising of the signing key. In [IR02], a new concept called intrusion-resilient signature} was proposed to get rid of trusted time-stamping and certificate revocation services and a concrete scheme was presented. In this paper, we put forward a new scheme that can achieve the same effect in a much more efficient way. In our scheme, forward-secure signature serves as a building block that enables signature validation without trusted time-stamping, and a one-way hash chain is employed to control the validity of public-key certificates without the CA's involvement for certificate revocation. We adopt a model similar to the intrusion-resilient signature in [IR02], where time is divided into predefined short periods and a user has two modules, signer and home base. The signer generates forward-secure signatures on his own while the home base manages the validity of the signer's public-key certificate with a one-way hash chain. The signature verifier can check the validity of signatures without retrieving the certificate revocation information from the CA. Our scheme is more robust in the sense that loss of synchronization between the signer and the home base could be recovered in the next time period while it is unrecoverable in [IR02]. To facilitate the implementation of our signature validation scheme, we further present a new forward-secure signature scheme which is more efficient than all of the existing forward-secure signature schemes.
2000
PKC
1999
PKC
1996
ASIACRYPT

Program Committees

Asiacrypt 2006
PKC 2004
PKC 2002