Provable Security for Block Ciphers by
FortiGate series product datasheet

Real Time Network Protection for SOHO/Branch Office

FortiGate-50A / FortiGate-100

FortiGate™ Antivirus Firewalls are dedicated, hardware-based units that deliver complete, real-time network protection services at the network edge. Based on Fortinet’s revolutionary FortiASIC™ Content Processor chip, the FortiGate platforms are the only systems that can detect and eliminate viruses, worms, and other content-based threats without reducing network performance — even for real-time applications like Web browsing. FortiGate systems also include integrated firewall, content filtering, VPN, intrusion detection and prevention, and traffic shaping functions, making them the most cost effective, convenient, and powerful network protection solutions available.

Tailored for the needs of smaller offices, the FortiGate-50A and FortiGate-100 systems deliver the same enterprise class, network-based antivirus, content filtering, firewall, VPN, and network-based intrusion detection/prevention featured in all FortiGate models. Both the FortiGate-50A and FortiGate-100 support an unlimited number of users, and are ideally suited for small businesses, remote offices, retail stores, broadband telecommuter sites, and many other applications. The capabilities and speed of the FortiGate-50A are unmatched by comparable devices in its class. The FortiGate-100 includes all of the capabilities of the FortiGate-50A and adds a DMZ port, traffic shaping, and increased throughput.

The FortiGate-50A and FortiGate-100 are kept up to date automatically by Fortinet’s FortiProtect Network, which provides continuous updates that ensure protection against the latest viruses, worms, Trojans, intrusions and other threats — around the clock, and around the world.

Product Highlights

• Provides complete real-time network protection through a combination of network-based antivirus, web content filtering, firewall, VPN, network-based intrusion detection and prevention, traffic shaping, and anti-spam
• Eliminates viruses and worms from email, file transfer, and real-time (Web) traffic without degrading network performance
• Easy to use and deploy – quick and easy configuration wizard walks administrators through initial setup with graphical user interface
• Reduces exposure to threats by detecting and preventing over 1300 different intrusions, including DoS and DDoS attacks
• Boasts the best combination of price, performance, and value relative to all other products on the market
• Delivers superior performance and reliability from hardware accelerated, ASIC-based architecture
• Automatically downloads the latest virus and attack database and can accept instant “push” updates from the FortiProtect Network
• Manage thousands of FortiGate units through the FortiManager™ central management tool
• Underlying FortiOS™ operating system is ICSA-certified for Antivirus, Firewall, IPSec VPN, and Intrusion Detection
• Virus quarantine enables easy submission of attack sample to Fortinet Threat Response Team
• Web-based graphical user interface and content filtering supports multiple languages

System Specifications

[Front and rear panel diagrams of the FortiGate-50A and FortiGate-100 appeared here. Labelled items: Power light, Status light, Power connection, RS-232 serial connection, External interface, Internal interface, USB ports, and (FortiGate-100 only) DMZ interface.]

Key Features & Benefits

Network-based Antivirus (ICSA Certified)
  Description: Detects and eliminates viruses and worms in real-time. Scans incoming and outgoing email attachments (SMTP, POP3, IMAP) and Web (HTTP) and file transfer (FTP) traffic — without degrading Web performance.
  Benefit: Closes the vulnerability window by stopping viruses and worms before they enter the network.

AV-VPN
  Description: Scans and eliminates viruses and worms found in encrypted VPN tunnels.
  Benefit: Prevents infection by remote users and partners.

Firewall (ICSA Certified)
  Description: Industry standard stateful inspection firewall.
  Benefit: Certified protection, maximum performance and scalability.

Web Content Filtering
  Description: Processes Web content to block inappropriate material and malicious scripts via URL blocking and keyword/phrase blocking.
  Benefit: Assures improved productivity and regulatory compliance.

VPN (ICSA Certified)
  Description: Industry standard PPTP, L2TP, and IPSec VPN support.
  Benefit: Lower costs by using the public Internet for private site-to-site and remote access communications.

Dynamic Intrusion Detection and Prevention (ICSA Certified)
  Description: Detection and prevention of over 1300 intrusions and attacks, including DoS and DDoS attacks, based on user-configurable thresholds. Automatic updates of IPS signatures from FortiProtect Network.
  Benefit: Stops attacks that evade conventional antivirus products, with real-time response to fast-spreading threats.

Remote Access
  Description: Supports secure remote access from any PC equipped with Fortinet Remote VPN Client.
  Benefit: Low cost, anytime, anywhere access for mobile and remote workers and telecommuters.

Specifications (FortiGate-50A | FortiGate-100)

Interfaces
  10/100 Ethernet ports: 2 | 3
  DMZ port: – | •

System Performance
  Concurrent sessions: 25,000 | 200,000
  New sessions/second: 1000 | 4,000
  Firewall throughput (Mbps): 50 | 95
  168-bit Triple-DES throughput (Mbps): 10 | 25
  Users: Unrestricted | Unrestricted
  Policies: 500 | 1000
  Schedules: 256 | 256

Antivirus, Worm Detection & Removal
  Automatic virus database update from FortiProtect Network: • | •
  Scans HTTP, SMTP, POP3, IMAP, FTP and encrypted VPN tunnels: • | •
  Block by file size: • | •

Firewall Modes and Features
  NAT, PAT, Transparent (bridge): • | •
  Routing mode (RIPv1, v2): • | •
  Virtual domains: 2 | 2
  VLAN tagging (802.1q): • | •
  User Group-based authentication: • | •
  H.323 NAT Traversal: • | •
  WINS support: • | •

VPN
  PPTP, L2TP, and IPSec: • | •
  Dedicated tunnels: 20 | 80
  Encryption (DES, 3DES, AES): • | •
  SHA-1 / MD5 authentication: • | •
  Supports Fortinet Remote VPN Client: • | •
  PPTP, L2TP, VPN client pass through: • | •
  Hub and Spoke VPN support: • | •
  IKE certificate authentication (X.509): • | •
  Manual key and Auto key IKE: • | •
  IPSec NAT Traversal: • | •
  Aggressive mode: • | •
  Replay protection: • | •
  Remote access VPN: • | •
  Interoperability with major VPN vendors: • | •

Content Filtering
  URL/keyword/phrase block: • | •
  URL Exempt List: • | •
  Protection profiles: 32 | 32
  Blocks Java Applet, Cookies, ActiveX: • | •
  FortiGuard™ web filtering support: • | •

Dynamic Intrusion Detection and Prevention
  Intrusion prevention for over 1300 attacks: • | •
  Automatic real-time updates from FortiProtect Network: • | •
  Customizable detection signature list: • | •

Anti-Spam
  Real-time Blacklist/Open Relay Database Server: • | •
  MIME header check: • | •
  Keyword/phrase filtering: • | •
  IP address blacklist/exempt list: • | •

Logging/Monitoring
  Log to remote Syslog/WELF server: • | •
  SNMP: • | •
  Graphical real-time and historical monitoring: • | •
  Email notification of viruses and attacks: • | •
  VPN tunnel monitor: • | •

Networking
  Multiple WAN link support: • (listed for one model only in the source; the column is not recoverable)
  PPPoE client: • | •
  DHCP client: • | •
  DHCP server (Internal): • | •
  Policy-based routing: • | •

System Management
  Console interface (RS-232): • | •
  WebUI (HTTPS): • | •
  Multi-language support: • | •
  Command line interface: • | •
  Secure Command Shell (SSH): • | •
  FortiManager System: • | •

Administration
  Multiple administrators and user levels: • | •
  Upgrades & changes via TFTP & WebUI: • | •
  System software rollback: • | •

User Authentication
  Internal database: • | •
  External LDAP/RADIUS database support: • | •
  RSA SecurID: • | •
  IP/MAC address binding: • | •
  Xauth over RADIUS support for IPSec VPN: • | •

Traffic Management
  DiffServ setting: • | •
  Policy-based traffic shaping: • | •
  Guaranteed/Maximum/Priority bandwidth: • | •

Dimensions
  Height: 1.38 inches | 1.75 inches
  Width: 8.63 inches | 10.25 inches
  Length: 6.13 inches | 6.13 inches
  Weight: 1.5 lb (0.68 kg) | 1.75 lb (0.8 kg)

Power
  DC input voltage: 12V | 12V
  DC input current: 3A | 5A

Environmental
  Operating temperature: 32 to 104 °F (0 to 40 °C) | 32 to 104 °F (0 to 40 °C)
  Storage temperature: -13 to 158 °F (-25 to 70 °C) | -13 to 158 °F (-25 to 70 °C)
  Humidity: 5 to 95% non-condensing | 5 to 95% non-condensing

Compliance & Certifications
  FCC Class A Part 15: • | •
  CE: • | •
  UL: • (listed for one model only in the source; the column is not recoverable)
  ICSA Antivirus, Firewall, IPSec, NIDS: • | •

Specifications subject to change without notice. Copyright 2004 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiASIC, FortiGuard, FortiOS and FortiProtect are trademarks of Fortinet, Inc. DAT1150409
SenseShield (深思数盾) hardening sample

1. Introduction

The SenseShield (深思数盾) hardening sample is a solution for protecting software programs against malicious attacks. Applying SenseShield hardening to a program's code strengthens its security and resilience and lowers the risk of cracking and reverse engineering.

SenseShield is a specialist software-security company that offers protection services against many kinds of attacks on software. The hardening sample is the company's software-hardening scheme: it protects program code so that it is hard to crack and reverse-engineer.
2. Hardening principles

The hardening sample strengthens a program's security and protection through several techniques, including encryption, obfuscation and anti-tampering. The specific principles are as follows.

2.1 Encryption. The hardening sample encrypts the sensitive data and key code in the program. Encrypted code cannot be read or understood directly, which makes cracking harder. The encryption algorithms and keys are developed and verified by SenseShield's expert team and offer a high level of security.

2.2 Obfuscation. Obfuscation transforms a program's source code, without changing its behaviour, so that it becomes much harder to read. The hardening sample uses several obfuscation techniques, including renaming variables, obfuscating function calls and transforming control flow. These raise the complexity of the code and reduce the risk of it being analysed and cracked.
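To make the control-flow transformation named above concrete, the following is an added example written for this page; it is not SenseShield's product or tooling, and the function, state names and constant values in it are constructed. It shows a readable decision function beside a control-flow-flattened version that computes exactly the same result: every basic block of the original becomes one case of a single dispatcher loop, and the successor is chosen by assigning an opaque state value, so the nested branch shape that an analyst would otherwise read off directly no longer appears in the code.

```go
package main

import "fmt"

// Grade is the readable reference implementation: the decision tree is visible
// directly in the if/else structure.
func Grade(score int) string {
	if score < 0 || score > 100 {
		return "invalid"
	}
	if score >= 90 {
		return "A"
	}
	if score >= 70 {
		return "B"
	}
	return "C"
}

// Dispatcher states. The values are arbitrary constants (constructed for this
// example) rather than 0, 1, 2, ... so that the order of evaluation is not
// obvious from the numbering.
const (
	stRange = 0x5a3c
	stHigh  = 0x19e7
	stMid   = 0x7d02
	stLow   = 0x2c41
	stDone  = 0x0bb9
)

// GradeFlattened computes exactly the same result as Grade, but with its control
// flow flattened: each basic block of the original is one case of a single switch
// inside a loop, and the successor block is selected by assigning the next state.
func GradeFlattened(score int) string {
	state := stRange
	var result string
	for state != stDone {
		switch state {
		case stRange:
			if score < 0 || score > 100 {
				result, state = "invalid", stDone
			} else {
				state = stHigh
			}
		case stHigh:
			if score >= 90 {
				result, state = "A", stDone
			} else {
				state = stMid
			}
		case stMid:
			if score >= 70 {
				result, state = "B", stDone
			} else {
				state = stLow
			}
		case stLow:
			result, state = "C", stDone
		}
	}
	return result
}

// Equivalent checks both implementations over a range of inputs. This is the
// property a hardening tool must preserve: behaviour unchanged, structure changed.
func Equivalent(lo, hi int) bool {
	for s := lo; s <= hi; s++ {
		if Grade(s) != GradeFlattened(s) {
			return false
		}
	}
	return true
}

func main() {
	fmt.Println(Grade(85), GradeFlattened(85), Equivalent(-50, 150))
}
```

Flattening on its own only hides structure; a real hardening pass combines it with the renaming and encryption described alongside it, and the equivalence check above is the kind of test such a pass should run on every transformed function.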
2.3 Anti-tampering. The hardening sample also adds anti-tamper code to protect the software from malicious modification. This code monitors the runtime environment; as soon as abnormal behaviour is detected it triggers the corresponding security mechanism, such as forcing the program to exit or automatically erasing key data.

3. Hardening results

The SenseShield hardening sample effectively raises a program's security and resilience. Hardened software has the following advantages:

3.1 Hard to crack. Because the hardened code has been encrypted and obfuscated, an attacker finds it very hard to understand and analyse the code logic directly, which greatly lowers the risk of the software being cracked.

3.2 Prevents reverse engineering. Hardened software effectively blocks malicious users from reverse-engineering it, protecting intellectual property, trade secrets and other important data.

3.3 Resists attacks. The anti-tamper code in the hardening sample detects and prevents malicious modification promptly, increasing the software's resilience. The hardening sample also effectively prevents the software from being maliciously injected into, tampered with or manipulated.

4. Hardening process

The procedure for hardening software with the SenseShield hardening sample is as follows:

1. Understand the software requirements: communicate fully with the customer to understand the software's functional requirements, security requirements and any special requirements.
Ciphertext-Policy Attribute-Based Encryption

∗ Supported by NSF CNS-0524252, CNS-0716199, CNS-0749931; the US Army Research Office under the CyberTA Grant No. W911NF-06-1-0316; and the U.S. Department of Homeland Securit06CS-001-000001.
1 Introduction
Public-Key encryption is a powerful mechanism for protecting the confidentiality of stored and transmitted information. Traditionally, encryption is viewed as a method for a user to share data with a targeted user or device. While this is useful for applications where the data provider knows specifically which user he wants to share with, in many applications the provider will want to share data according to some policy based on the receiving user’s credentials.

Sahai and Waters [34] presented a new vision for encryption where the data provider can express how he wants to share data in the encryption algorithm itself. The data provider will provide a predicate f (·) describing how he wants to share the data, and a user will be ascribed a secret key associated with their credentials X; the user with credentials X can decrypt a ciphertext encrypted with predicate f if f (X) = 1. Sahai and Waters [34] presented a particular formulation of this problem that they called Attribute-Based Encryption (ABE), in which a user’s credentials are represented by a set of strings called “attributes” and the predicate is represented by a formula over these attributes. Several techniques used by SW were inspired by prior work on Identity-Based Encryption [35, 13, 24, 18, 10]. One drawback of the Sahai-Waters approach is that their initial construction was limited to handling formulas consisting of one threshold gate.

In subsequent work, Goyal, Pandey, Sahai, and Waters [28] further clarified the concept of Attribute-Based Encryption. In particular, they proposed two complementary forms of ABE. In the first, Key-Policy ABE, attributes are used to annotate the ciphertexts and formulas over these attributes are ascribed to users’ secret keys. The second type, Ciphertext-Policy ABE, is complementary in that attributes are used to describe the user’s credentials and the formulas over these credentials are attached to the ciphertext by the encrypting party. In addition, Goyal et al. [28] provided a construction for Key-Policy ABE that was very expressive in that it allowed keys to be expressed by any monotonic formula over encrypted data. The system was proved selectively secure under the Bilinear Diffie-Hellman assumption. However, they left creating expressive Ciphertext-Policy ABE schemes as an open problem.

The first work to explicitly address the problem of Ciphertext-Policy Attribute-Based Encryption was by Bethencourt, Sahai, and Waters [7]. They described an efficient system that was expressive in that it allowed an encryptor to express an access predicate f in terms of any monotonic formula over attributes. Their system achieved analogous expressiveness and efficiency to the Goyal et al. construction, but in the Ciphertext-Policy ABE setting. While the BSW construction is very expressive, the proof model used was less than ideal — the authors only showed the scheme secure in the generic group model, an artificial model which assumes the attacker needs to access an oracle in order to perform any group operations.¹ Recently, ABE has been applied in building a variety of secure systems [33, 39, 9, 8]. These systems motivate the need for ABE constructions that are both foundationally sound and practical.

Ciphertext-Policy ABE in the Standard Model

The lack of satisfaction with generic group model proofs has motivated the problem of finding an expressive CP-ABE system under a more solid model. There have been multiple approaches in this direction. First, we can view the Sahai-Waters [34] construction most “naturally” as Key-Policy ABE for a threshold gate. In their work, Sahai and Waters describe how to realize Ciphertext-Policy ABE
pfSense firewall anti-lockout rules

pfSense firewall anti-lockout rules [original edition]

Contents

1. Overview of the pfSense firewall
2. The pfSense firewall's anti-lockout rules
3. Practical application of the pfSense anti-lockout rules
4. Advantages and shortcomings of the pfSense anti-lockout rules
5. Summary

Text

1. Overview of the pfSense firewall

pfSense is a firewall system based on OpenBSD that is widely used in enterprise network environments. Its rich functionality and stability make it the firewall solution of choice for many network administrators.

2. The pfSense firewall's anti-lockout rules

The pfSense firewall's anti-lockout rules are rules set in the firewall configuration to stop attackers from attacking or attempting to intrude into the network by various means. These rules can be customised to suit different network environments and security requirements.

3. Practical application of the pfSense anti-lockout rules

In practice, the pfSense firewall's anti-lockout rules can prevent a range of network attacks, such as port scanning, SYN attacks and IP spoofing. By configuring anti-lockout rules, a network administrator can effectively protect the network from attack and keep it running securely and stably.

4. Advantages and shortcomings of the pfSense anti-lockout rules

The advantages of the pfSense anti-lockout rules include:

1. Highly customisable: rules can be tailored to actual needs, so the firewall adapts to different network environments.
2. Stability: the pfSense firewall's anti-lockout rules are highly stable and protect the network from attack effectively.
3. Security: anti-lockout rules prevent a range of network attacks and raise the security of the network.

The shortcomings include:

1. Complex configuration: for beginners, configuring anti-lockout rules can be fairly involved and requires a certain level of technical skill.
2. Timeliness of rule updates: the network administrator must update the rules regularly to keep up with newly emerging attack techniques.

5. Summary

In short, the pfSense firewall's anti-lockout rules are an important means of keeping a network secure and stable. By customising the rules, a network administrator can effectively prevent a range of network attacks and keep the network running normally.
PadLocal service rules

PadLocal service rules

PadLocal is a service that provides an API for WeChat personal accounts. Its service rules mainly cover the following aspects:

1. Registration and verification rules: users must register through official channels and provide genuine, valid personal information for verification, to ensure the service is secure and lawful.
2. Usage rules: when using the PadLocal service, users must comply with the relevant laws and regulations and must not use it for illegal activities, violations or infringement of others' rights, including but not limited to spreading obscene or violent content, gambling, fraud and other illegal acts.
3. Privacy protection rules: PadLocal undertakes to comply strictly with the relevant privacy laws and regulations, to protect users' personal data, and not to pass it to third parties without the user's authorisation.
4. Fee rules: users must pay for the PadLocal service according to the published price list, and should note the service's validity period and renewal terms.
5. Security rules: users must keep their account details safe and must not disclose them to others, to avoid unnecessary loss.

Overall, PadLocal's service rules exist to protect users' legitimate rights, keep the service running securely and stably, and comply with the relevant laws and regulations.
Block Cipher DRBGs

10.2 DRBGs Based on Block Ciphers

10.2.1 Discussion

A block cipher DRBG is based on a block cipher algorithm. The block cipher DRBGs specified in this Standard have been designed to use any Approved block cipher algorithm and may be used by applications requiring various levels of security, provided that the appropriate block cipher algorithm is used and sufficient entropy is obtained for the seed. The following are provided as DRBGs based on block cipher algorithms:

1. The CTR_DRBG (...) specified in Section 10.2.2.
2. The OFB_DRBG (...) specified in Section 10.2.3.

Table 3 specifies the security strengths and entropy and seed requirements that shall be used for each Approved block cipher algorithm.

Table 3: Security Strengths, Entropy and Seed Length Requirements for Approved Block Cipher Algorithms

Block Cipher Algorithm | Security Strengths      | Required Minimum Entropy | Entropy Input Lengths (in bits) | Seed Length (in bits)
2 key TDEA             | 80                      | 128                      | 128 to 2^35                     | 176
3 key TDEA             | 80, 112                 | 128                      | 128 to 2^35                     | 232
AES-128                | 80, 112, 128            | 128                      | 128 to 2^35                     | 256
AES-192                | 80, 112, 128, 192       | 192                      | 192 to 2^35                     | 320
AES-256                | 80, 112, 128, 192, 256  | 256                      | 256 to 2^35                     | 384

10.2.2 CTR_DRBG

10.2.2.1 Discussion

CTR_DRBG (...) uses an Approved block cipher algorithm in the counter mode as specified in [SP 800-38A]. The same block cipher algorithm and key length shall be used for all block cipher operations. The block cipher algorithm and key size shall meet or exceed the security requirements of the consuming application. Table 3 in Section 10.2.1 specifies the entropy and seed length requirements that shall be used for each block cipher algorithm to meet the required security level.

Figure 12 depicts the CTR_DRBG (...). {Note: Figure to be inserted later.}

10.2.2.2 Interaction with CTR_DRBG

10.2.2.2.1 Instantiating CTR_DRBG

Prior to the first request for pseudorandom bits, the CTR_DRBG (...) shall be instantiated using the following call:

(status, state_handle) = Instantiate_CTR_DRBG (requested_strength, prediction_resistance_flag, personalization_string)

as described in Sections 9.5.1 and 10.2.2.3.4.

10.2.2.2.2 Reseeding CTR_DRBG

When a CTR_DRBG (...) instantiation requires reseeding, the DRBG shall be reseeded using the following call:

status = Reseed_CTR_DRBG_Instantiation (state_handle, additional_input)

as described in Sections 9.6.2 and 10.2.2.3.5.

10.2.2.2.3 Generating Pseudorandom Bits Using CTR_DRBG

An application may request the generation of pseudorandom bits by CTR_DRBG (...) using the following call:

(status, pseudorandom_bits) = CTR_DRBG (state_handle, requested_no_of_bits, requested_strength, additional_input, prediction_resistance_request_flag)

as discussed in Sections 9.7.2 and 10.2.2.3.6.

10.2.2.2.4 Removing a CTR_DRBG Instantiation

An application may request the removal of a CTR_DRBG (...) instantiation using the following call:

status = Uninstantiate_CTR_DRBG (state_handle)

as described in Sections 9.8 and 10.2.2.3.7.

10.2.2.2.5 Self Testing of the CTR_DRBG Process

A CTR_DRBG (...) implementation is tested at power-up and on demand using the following call:

status = Self_Test_CTR_DRBG ( )

as described in Sections 9.9 and 10.2.2.3.8.

10.2.2.3 Specifications

10.2.2.3.1 General

The instantiation and reseeding of CTR_DRBG (...) consists of obtaining a seed with the appropriate amount of entropy. The entropy input is used to derive a seed, which is then used to derive elements of the initial state of the DRBG. The state consists of:

1. The value V, which is updated each time another outlen bits of output are produced (where outlen is the number of output bits from the underlying block cipher algorithm).
2. The Key, which is updated whenever a predetermined number of output blocks are generated.
3. The key length (keylen) to be used by the block cipher algorithm.
4. The security strength of the DRBG instantiation.
5. A counter (reseed_counter) that indicates the number of requests for pseudorandom bits since instantiation or reseeding.
6. A prediction_resistance_flag that indicates whether or not a prediction resistance capability is required for the DRBG.

10.2.2.3.2 CTR_DRBG Variables

The variables used in the description of CTR_DRBG (...) are:

additional_input: Optional additional input, which must be ≤ max_length bits in length.
Block_Cipher (Key, V): The block cipher algorithm, where Key is the key to be used, and V is the input block.
Block_Cipher_df (a, b): The block cipher derivation function specified in Section 9.5.4.3. {Note: The Block_Cipher_df will be specified later.}
blocklen: The length of the block cipher algorithm’s output block.
entropy_input: The bits containing entropy that are used to determine the seed_material and generate a seed.
Find_state_space (): A function that finds an unused state in the state space. See Section 9.5.3.
Get_entropy (min_entropy, min_entropy, max_length): A function that acquires a string of bits from an entropy input source. See Section 9.5.2.
Invalid_state_handle: An illegal value for the state_handle.
Key: The key used to generate pseudorandom bits.
keylen: The length of the key for the block cipher algorithm.
len (x): A function that returns the number of bits in input string x.
max_length: The maximum length of a string for obtaining entropy. When a derivation function is used, this value is implementation dependent, but shall be ≤ 2^35 bits. When a derivation function is not used, then max_length = seedlen.
max_no_of_states: The maximum number of states and instantiations that an implementation can handle.
max_request_length: The maximum number of pseudorandom bits that may be requested during a single request; this value is implementation dependent, but shall be ≤ 2^35 bits for AES, and ≤ 2^19 bits for TDEA.
min_entropy: The minimum amount of entropy to be obtained from the entropy_input source and provided in the seed.
Null: The null (i.e., empty) string.
old_transformed_entropy_input: The transformed_entropy_input from the previous acquisition of entropy_input (e.g., used during reseeding).
personalization_string: A personalization string of no more than seedlen bits (see Section 8.7.1).
prediction_resistance_flag: Indicates whether or not prediction resistance requests should be handled; prediction_resistance_flag = {Allow_prediction_resistance, No_prediction_resistance}.
prediction_resistance_request_flag: Indicates whether or not prediction resistance is required during a request for pseudorandom bits; prediction_resistance_request_flag = {Provide_prediction_resistance, No_prediction_resistance}.
pseudorandom_bits: The pseudorandom bits produced during a single call to the CTR_DRBG (...) process.
requested_no_of_bits: The number of pseudorandom bits to be generated.
requested_strength: The security strength to be provided for the pseudorandom bits to be obtained from the DRBG.
reseed_counter: A counter that records the number of times pseudorandom bits were requested since the DRBG instantiation was seeded or reseeded.
reseed_interval: The maximum number of requests for the generation of pseudorandom bits before reseeding is required. The maximum value shall be ≤ 2^32 for AES, and ≤ 2^16 for TDEA.
seedlen: The length of the seed, where seedlen = blocklen + keylen.
seed_material: The data used as the seed.
state (state_handle): An array of states for different DRBG instantiations. A state is carried between DRBG calls. For the CTR_DRBG (...), the state for an instantiation is defined as state (state_handle) = {V, Key, keylen, strength, reseed_counter, prediction_resistance_flag}. A particular element of the state is specified as state(state_handle).element, e.g., state(state_handle).V.
state_handle: A pointer to the state space for the given instantiation.
status: The status returned from a function call, where status = “Success” or a failure message.
strength: The security strength provided by the DRBG instantiation.
temp: A temporary value.
V: A value in the state that is updated whenever pseudorandom bits are generated.

10.2.2.3.3 Internal Function: The Update Function

The Update (...) function updates the internal state of the CTR_DRBG (...) using seed_material, which must be seedlen bits in length. The following or an equivalent process shall be used as the Update (...) function.

Update (...):
Input: string (seed_material, keylen, Key, V).
Output: string (Key, V).
Process:
1. seedlen = blocklen + keylen.
2. temp = Null.
3. While (len (temp) < seedlen) do
   3.1 V = (V + 1) mod 2^blocklen.
   3.2 output_block = Block_Cipher (Key, V).
   3.3 temp = temp || output_block.
4. temp = Leftmost seedlen bits of temp.
5. temp = temp ⊕ seed_material.
6. Key = Leftmost keylen bits of temp.
7. V = Rightmost blocklen bits of temp.
8. Return (Key, V).

10.2.2.3.4 Instantiation of CTR_DRBG (...)

The following process or its equivalent shall be used to initially instantiate the CTR_DRBG (...) process.

Instantiate_CTR_DRBG (...):
Input: integer (requested_strength, prediction_resistance_flag, personalization_string).
Output: string status, integer state_handle.
Process:
1. Comment: If TDEA is used.
   If (requested_strength > 112) then Return (“Invalid requested_strength”, Invalid_state_handle).
   Comment: If AES is used.
   If (requested_strength > 256) then Return (“Invalid requested_strength”, Invalid_state_handle).
2.
If (prediction_resistance_flag = Allow_prediction_resistance) and prediction resistance cannot be supported, then Return (“Cannot support prediction resistance”, Invalid_state_handle).
3. Comment: Set the strength to one of the five security strengths, and determine the key length.
   Comment: If TDEA is the block cipher algorithm.
   If (requested_strength ≤ 80), then (strength = 80; keylen = 112)
   Else if (requested_strength ≤ 112), then (strength = 112; keylen = 168).
   Comment: If AES is the block cipher algorithm.
   If (requested_strength ≤ 80), then (strength = 80; keylen = 128)
   Else if (requested_strength ≤ 112), then (strength = 112; keylen = 128)
   Else if (requested_strength ≤ 128), then (strength = 128; keylen = 128)
   Else if (requested_strength ≤ 192), then (strength = 192; keylen = 192)
   Else (strength = 256; keylen = 256).
4. seedlen = blocklen + keylen. Comment: Determine the seed length.
5. temp = len (personalization_string).
6. If (temp > max_length), then Return (“personalization_string too long”, Invalid_state_handle).
7. Comment: If a derivation function is available (a source of full entropy may or may not be available).
   7.1 min_entropy = strength + 64.
   7.2 (status, entropy_input) = Get_entropy (min_entropy, min_entropy, max_length).
   7.3 If (status ≠ “Success”), then Return (“Failure indication returned by the entropy source” || status, Invalid_state_handle).
   7.4 seed_material = entropy_input || personalization_string.
   7.5 seed_material = Block_Cipher_df (seed_material, seedlen).
   Comment: If a full entropy source is known to be available and a derivation function is not to be used.
   7.1 (status, entropy_input) = Get_entropy (seedlen, seedlen, seedlen).
   7.2 If (status ≠ “Success”), then Return (“Failure indication returned by the entropy source” || status, Invalid_state_handle).
   Comment: Pad with zeros if the personalization string is too short.
   7.3 If (temp < seedlen), then personalization_string = personalization_string || 0^(seedlen - temp).
   7.4 seed_material = entropy_input ⊕ personalization_string.
   Comment: Find space in the state table.
8. (status, state_handle) = Find_state_space ( ).
9. If (status ≠ “Success”), then Return (“No available state space” || status, Invalid_state_handle).
10. Key = 0. Comment: keylen bits.
11. V = 0. Comment: blocklen bits.
12. (Key, V) = Update (seed_material, keylen, Key, V).
13. reseed_counter = 0.
14. state (state_handle) = {V, Key, keylen, strength, reseed_counter, prediction_resistance_flag}.
15. Return (“Success”, state_handle).

Steps 1 and 3 must be implemented to handle the algorithm that is available.

The choice of code at step 7 must be selected based on whether the DRBG will be instantiated with a full-entropy source and whether a derivation function will be used.

If no personalization_string will ever be provided, then the personalization_string input parameter and steps 5 and 6 may be omitted. If a derivation function is available, then step 7.4 may be omitted, and step 7.5 becomes:

seed_material = Block_Cipher_df (entropy_input, seedlen).

If full entropy is known to be available and a derivation function is not available, then steps 7.3 and 7.4 are omitted, and step 7.1 becomes:

(status, seed_material) = Get_entropy (seedlen, seedlen, seedlen).

If an implementation does not need the prediction_resistance_flag as a calling parameter (i.e., the CTR_DRBG (...) routine in Section 10.2.2.3.6 either always or never acquires new entropy in step 9), then the prediction_resistance_flag in the calling parameters and in the state (see step 14) may be omitted, as well as omitting step 2.

10.2.2.3.5 Reseeding a CTR_DRBG (...) Process

The following or an equivalent process shall be used to explicitly reseed the CTR_DRBG (...) process.

Reseed_CTR_DRBG_Instantiation (...):
Input: integer (state_handle, additional_input).
Output: string status.
Process:
1. If ((state_handle > max_no_of_states) or (state(state_handle) = {Null, Null, 0, 0, 0, 0})), then Return (“State not available for the indicated state_handle”).
   Comment: Get the appropriate state values.
2. V = state(state_handle).V, Key = state(state_handle).Key, keylen = state(state_handle).keylen, strength = state(state_handle).strength, prediction_resistance_flag = state(state_handle).prediction_resistance_flag.
3. seedlen = blocklen + keylen.
4. temp = len (additional_input).
5. If (temp > max_length), then Return (“additional_input too long”).
6. Comment: If a derivation function is available (a source of full entropy may or may not be available).
   6.1 min_entropy = strength + 64.
   6.2 (status, entropy_input) = Get_entropy (min_entropy, min_entropy, max_length).
   6.3 If (status ≠ “Success”), then Return (“Failure indication returned by the entropy source” || status).
   6.4 seed_material = entropy_input || additional_input.
   6.5 seed_material = Block_Cipher_df (seed_material, seedlen).
   Comment: If a full entropy source is known to be available and a derivation function is not to be used.
   6.1 (status, entropy_input) = Get_entropy (seedlen, seedlen, seedlen).
   6.2 If (status ≠ “Success”), then Return (“Failure indication returned by the entropy source” || status).
   Comment: Pad with zeros if the additional_input string is too short.
   6.3 If (temp < seedlen), then additional_input = additional_input || 0^(seedlen - temp).
   6.4 seed_material = entropy_input ⊕ additional_input.
7. (Key, V) = Update (seed_material, keylen, Key, V).
8. reseed_counter = 0.
9. state(state_handle) = {V, Key, keylen, strength, reseed_counter, prediction_resistance_flag}.
10. Return (“Success”).

The choice of code at step 6 must be selected based on whether the DRBG will be instantiated with a full-entropy source and whether a derivation function will be used.

If an implementation does not handle additional_input, then the additional_input parameter of the input may be omitted as well as steps 4 and 5. If a derivation function is available, then step 6.4 may be omitted, and step 6.5 may be changed to:

seed_material = Block_Cipher_df (entropy_input, seedlen).

If full entropy is known to be available and a derivation function is not available, then steps 6.3 and 6.4 may be omitted, and step 6.1 may be changed to:

(status, seed_material) = Get_entropy (seedlen, seedlen, seedlen).

10.2.2.3.6 Generating Pseudorandom Bits Using CTR_DRBG (...)

The following process or an equivalent shall be used to generate pseudorandom bits.

CTR_DRBG (...):
Input: integer (state_handle, requested_no_of_bits, requested_strength, additional_input, prediction_resistance_request_flag).
Output: string (status, pseudorandom_bits).
Process:
1. If ((state_handle > max_no_of_states) or (state (state_handle) = {Null, Null, 0, 0, 0, 0})), then Return (“State not available for the indicated state_handle”, Null).
   Comment: Get the appropriate state values.
2. V = state(state_handle).V, Key = state(state_handle).Key, keylen = state(state_handle).keylen, strength = state(state_handle).strength, reseed_counter = state(state_handle).reseed_counter, prediction_resistance_flag = state(state_handle).prediction_resistance_flag.
3. If (requested_strength > strength), then Return (“Invalid requested_strength”, Null).
4. seedlen = blocklen + keylen.
5. temp = len (additional_input).
6. If (temp > max_length), then Return (“additional_input too long”, Null).
7. If (requested_no_of_bits > max_request_length), then Return (“Too many bits requested”, Null).
8. If ((prediction_resistance_request_flag = Provide_prediction_resistance) and (prediction_resistance_flag = No_prediction_resistance)), then Return (“Prediction resistance capability not instantiated”, Null).
9. If ((reseed_counter ≥ reseed_interval) OR (prediction_resistance_request_flag = Provide_prediction_resistance)), then
   Comment: If reseeding is not available.
   Return (“DRBG can no longer be used. Please re-instantiate or reseed.”, Null).
   Comment: If reseeding is readily available.
   9.1 status = Reseed_CTR_DRBG (state_handle, additional_input).
   9.2 If (status ≠ “Success”), then Return (status, Null).
   9.3 V = state(state_handle).V, Key = state(state_handle).Key, reseed_counter = state(state_handle).reseed_counter.
   9.4 Go to step 11.
   Comment: When reseeding or prediction resistance is not required.
10. If (additional_input ≠ Null), then
   Comment: If the length of the additional input is > seedlen, derive seedlen bits.
   10.1 If (temp > seedlen), then additional_input = Block_Cipher_df (additional_input, seedlen).
   Comment: If the length of the additional_input is < seedlen, pad with zeros to seedlen bits.
   10.2 If (temp < seedlen), then additional_input = additional_input || 0^(seedlen - temp).
   10.3 (Key, V) = Update (additional_input, keylen, Key, V).
11. temp = Null.
12. While (len (temp) < requested_no_of_bits) do:
   12.1 V = (V + 1) mod 2^blocklen.
   12.2 output_block = Block_Cipher (Key, V).
   12.3 temp = temp || output_block.
13. pseudorandom_bits = Leftmost (requested_no_of_bits) of temp.
   Comment: Update for backtracking resistance.
14. zeros = 0^seedlen. Comment: Produce a string of seedlen zeros.
15. (Key, V) = Update (zeros, keylen, Key, V).
16. reseed_counter = reseed_counter + 1.
17. state(state_handle) = {V, Key, keylen, strength, reseed_counter, prediction_resistance_flag}.
18. Return (“Success”, pseudorandom_bits).

If an implementation will never provide additional_input, then the additional_input input parameter and steps 5, 6 and 10 can be omitted, and a Null string replaces the additional_input in step 9.1.
If max_length £ seedlen, then step 10.1 may be omitted (i.e., the block cipher derivation function is n ot required).If an implementation does not need the prediction_resistance_flag, then theprediction_resistance_flag may be omitted as an input parameter, and step 8 may be omitted.If an implementation does not have a reseeding capability, then steps 9.1-9.3 may be omitted, and step 9 becomes:If (reseed_counter ‡ reseed_interval), then Return (“DRBG can no longer be used.Please re-instantiate or reseed.”, Null).10.2.2.3.7 Removing a CTR_DRBG (...) InstantiationThe following or an equivalent process shall be used to remove a CTR_DRBG (...) instantiation:Uninstantiate_CTR_DRBG (...):Input: integer state_handle.Output: string status.Process:1. If (state_handle > max_no_of_states), then Return (“Invalid state_handle”).2. state(state_handle) = {Null, Null, 0,0, 0, 0}.3. Return (“Success”).10.2.2.3.8 Self Testing of the CTR_DRBG (...) [Tp be determined]10.2.3 OFB_DRBG (...)10.2.3.1 DiscussionOFB_DRBG (...) uses an Approved block cipher algorithm in the output feedback mode as specified in [SP 800-38A]. The same block cipher algorithm and key length shall be used for all block cipher operations. The block cipher algorithm and key size shall meet or exceed the security requirements of the consuming application. Table 3 in Section 10.2.1 specifies the entropy and seed length requirements that shall be used for each block cipher algorithm to meet the required security level.Figure 13 depicts the CTR_DRBG (...). {Note : To be inserted later.}10.2.3.2 Interaction with OFB_DRBG (...)10.2.3.2.1 Instantiating OFB_DRBG (...)Prior to the first request for pseudorandom bits, the OFB_DRBG (...) shall be instantiated using the following call:(status, state_handle) = Instantiate_OFB_DRBG (requested_strength,prediction_resistance_flag, personalization_string)as described in Sections 9.5.1 and 10.2.3.3.4.10.2.3.2.2 Reseeding an OFB_DRBG (...) InstantiationWhen an OFB_DRBG (...) 
instantiation requires reseeding, the DRBG shall be reseeded using the following call:
status = Reseed_OFB_DRBG_Instantiation (state_handle, additional_input)
as described in Sections 9.6.2 and 10.2.3.3.5.
10.2.3.2.3 Generating Pseudorandom Bits Using OFB_DRBG (...)
An application may request the generation of pseudorandom bits by OFB_DRBG (...) using the following call:
(status, pseudorandom_bits) = OFB_DRBG (state_handle, requested_no_of_bits, requested_strength, additional_input, prediction_resistance_request_flag)
as discussed in Sections 9.7.2 and 10.2.3.3.6.
10.2.3.2.4 Removing an OFB_DRBG (...) Instantiation
An application may request the removal of an OFB_DRBG (...) instantiation using the following call:
status = Uninstantiate_OFB_DRBG (state_handle)
as described in Sections 9.8 and 10.2.3.3.7.
10.2.3.2.5 Self Testing of the OFB_DRBG (...) Process
An OFB_DRBG (...) implementation is tested at power-up and on demand using the following call:
status = Self_Test_OFB_DRBG ( )
as described in Sections 9.9 and 10.2.3.3.8.
10.2.3.3 Specifications
10.2.3.3.1 General
The instantiation and reseeding of OFB_DRBG (...) consist of obtaining a seed with the appropriate amount of entropy. The entropy input is used to derive a seed, which is then used to derive elements of the initial state of the DRBG. The state consists of:
1. The value V, which is updated each time another outlen bits of output are produced (where outlen is the number of output bits from the underlying block cipher algorithm).
2. The Key, which is updated whenever a predetermined number of output blocks are generated.
3. The key length (keylen) to be used by the block cipher algorithm.
4. The security strength of the DRBG instantiation.
5. A counter (reseed_counter) that indicates the number of requests for pseudorandom bits since instantiation or reseeding.
6. A prediction_resistance_flag that indicates whether or not a prediction resistance capability is required for the DRBG.
10.2.3.3.2 OFB_DRBG (...) Variables
The variables for OFB_DRBG (...) are the same as those used for the CTR_DRBG (...) specified in Section 10.2.2.3.2.
10.2.3.3.3 Internal Function: The Update Function
The Update (...) function updates the internal state of the CTR_DRBG (...) using seed_material, which must be seedlen bits in length. The following or an equivalent process shall be used as the Update (...) function.
Update (...):
Input: string (seed_material, keylen, Key, V).
Output: string (Key, V).
Process:
1. seedlen = blocklen + keylen.
2. temp = Null.
3. While (len (temp) < seedlen) do
3.1 V = Block_Cipher (Key, V).
3.2 temp = temp || V.
4. temp = Leftmost seedlen bits of temp.
5. temp = temp ⊕ seed_material.
6. Key = Leftmost keylen bits of temp.
7. V = Rightmost blocklen bits of temp.
8. Return (Key, V).
Note that the only difference between the update function for OFB_DRBG (...) and CTR_DRBG (...) is in step 3.
10.2.3.3.4 Instantiation of OFB_DRBG (...)
This process is the same as the instantiation process for CTR_DRBG (...) in Section 10.2.2.3.4.
10.2.3.3.5 Reseeding an OFB_DRBG (...) Instantiation
This process is the same as the reseeding process for CTR_DRBG (...) in Section 10.2.2.3.5.
10.2.3.3.6 Generating Pseudorandom Bits Using OFB_DRBG (...)
This process is the same as the generation process for CTR_DRBG (...) in Section 10.2.2.3.6, except that the output loop (step 12 of that process) shall be as follows:
12. While (len (temp) < requested_no_of_bits) do:
12.1 V = Block_Cipher (Key, V).
12.2 temp = temp || V.
10.2.3.3.7 Removing an OFB_DRBG (...) Instantiation
This process is the same as the uninstantiation process for CTR_DRBG (...) in Section 10.2.2.3.7.
10.2.3.3.8 Self Testing of the OFB_DRBG (...)
This is the same as the self testing of CTR_DRBG (...) in Section 10.2.2.3.8.
Appendix E: DRBG Selection
E.3 DRBGs Based on Block Ciphers
E.3.1 The Two Constructions: CTR and OFB
This standard describes two classes of DRBGs based on block ciphers: one class uses the block cipher in OFB mode, the other class uses CTR mode.
There are no practical security differences between these two DRBGs; CTR mode guarantees that short cycles cannot occur in a single output request, while OFB mode guarantees that short cycles will have an extremely low probability. OFB mode makes slightly less demanding assumptions on the block cipher, but the security of both DRBGs relates in a very simple and clean way to the security of the block cipher in its intended applications. This is a fundamental difference between these DRBGs and the DRBGs based on hash functions, where the DRBG's security is ultimately based on pseudorandomness properties that don't form a normal part of the requirements for hash functions. An attack on any of the hash-based DRBGs does not necessarily represent a weakness in the hash function; however, for these block cipher-based constructions, a weakness in the DRBG is directly related to a weakness in the block cipher.
Specifically, suppose that there is an algorithm for distinguishing the outputs of either DRBG from random with some advantage. If that algorithm exists, it can be used to build a new algorithm for distinguishing the block cipher from a random permutation, with the same time and memory requirements and advantage.
Because there is no practical security difference between the two classes of block-cipher based DRBGs, the choice between the two constructions is entirely a matter of implementation convenience and performance. An implementation that uses a block cipher in OFB, CBC, or full-block CFB mode can easily be used to implement the OFB-based DRBG construction; an implementation that already supports counter mode can reuse that hardware or software to implement the counter-mode DRBG. In terms of performance, the CTR-mode construction is more amenable to pipelining and parallelism, while the OFB-mode construction seems to require slightly less supporting hardware.
E.3.2 Choosing a Block Cipher
While security is not an issue in choosing between the two DRBG constructions, the choice of the block cipher algorithm to be used is more of an issue. At present, only TDEA and AES are approved block cipher algorithms. However, the two block cipher DRBG constructions will work for any block cipher with a block length ≥ 64 and key length ≥ 112. TDEA's 64-bit block imposes some fundamental limits on the security of these constructions, though these limits don't appear to lead to practical security issues for most applications.
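The following Go program is an added example, not code from the SP 800-90 draft or from any NIST implementation. It implements the Update function, the reseed step and the output loop of the generate process for both constructions over AES-128, so that the single step in which CTR_DRBG and OFB_DRBG differ (V+1 encrypted versus the previous cipher output fed back into V) is isolated in one method. It assumes the path with no derivation function and no additional_input (seed_material is supplied directly and must be seedlen = 256 bits), initial values Key = 0^keylen and V = 0^blocklen before the instantiating Update (the published SP 800-90A uses these; the draft text above does not show them), and a constructed reseed_interval; the type and function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"fmt"
)

// AES-128 sizes in bytes (the draft's Table 3 gives bits); reseed_interval is an assumed value.
const (
	blockLen       = 16
	keyLen         = 16
	seedLen        = blockLen + keyLen
	reseedInterval = 1 << 20
)

// BlockCipherDRBG holds the V, Key and reseed_counter state fields; ofb selects OFB_DRBG.
type BlockCipherDRBG struct {
	key, v        []byte
	reseedCounter uint64
	ofb           bool
}

// incrementV is step 12.1: V = (V + 1) mod 2^blocklen, with V read as a big-endian integer.
func incrementV(v []byte) {
	for i := len(v) - 1; i >= 0; i-- {
		if v[i]++; v[i] != 0 {
			return
		}
	}
}

// nextBlock is the single step that differs between the two constructions:
// CTR encrypts V+1 (steps 12.1-12.2); OFB encrypts V and feeds the output back into V.
func (d *BlockCipherDRBG) nextBlock() []byte {
	block, _ := aes.NewCipher(d.key) // a keylen-byte key is always accepted
	out := make([]byte, blockLen)
	if d.ofb {
		block.Encrypt(out, d.v)
		copy(d.v, out)
	} else {
		incrementV(d.v)
		block.Encrypt(out, d.v)
	}
	return out
}

// update is the Update function: seedlen bits of keystream under the current Key, XORed
// with seed_material; the leftmost keylen bits become Key, the rightmost blocklen bits V.
func (d *BlockCipherDRBG) update(seedMaterial []byte) {
	var temp []byte
	for len(temp) < seedLen {
		temp = append(temp, d.nextBlock()...)
	}
	for i := 0; i < seedLen; i++ {
		temp[i] ^= seedMaterial[i]
	}
	d.key = append([]byte(nil), temp[:keyLen]...)
	d.v = append([]byte(nil), temp[keyLen:seedLen]...)
}

// NewBlockCipherDRBG starts from Key = 0^keylen, V = 0^blocklen (the initial values of the
// published SP 800-90A; the draft above omits them) and runs steps 7 and 8 via Reseed.
func NewBlockCipherDRBG(seedMaterial []byte, ofb bool) (*BlockCipherDRBG, error) {
	d := &BlockCipherDRBG{key: make([]byte, keyLen), v: make([]byte, blockLen), ofb: ofb}
	if err := d.Reseed(seedMaterial); err != nil {
		return nil, err
	}
	return d, nil
}

// Reseed applies caller-supplied seed_material (no derivation function) and resets the counter.
func (d *BlockCipherDRBG) Reseed(seedMaterial []byte) error {
	if len(seedMaterial) != seedLen {
		return fmt.Errorf("seed_material must be %d bytes, got %d", seedLen, len(seedMaterial))
	}
	d.update(seedMaterial)
	d.reseedCounter = 0
	return nil
}

// Generate is the generate process without additional_input: the step 9 check, the
// keystream loop (steps 11-13), the zero-string Update (steps 14-15) and step 16.
func (d *BlockCipherDRBG) Generate(n int) ([]byte, error) {
	if d.reseedCounter >= reseedInterval {
		return nil, fmt.Errorf("DRBG can no longer be used. Please re-instantiate or reseed.")
	}
	var temp []byte
	for len(temp) < n {
		temp = append(temp, d.nextBlock()...)
	}
	d.update(make([]byte, seedLen)) // backtracking resistance: the Key and V just used are discarded
	d.reseedCounter++
	return temp[:n], nil
}

func main() {
	d, _ := NewBlockCipherDRBG(make([]byte, seedLen), false) // constructed all-zero seed_material
	out, _ := d.Generate(32)
	fmt.Printf("%x\n", out)
}
```

Two points from the draft show up directly in the code. The zero-string Update after every request (steps 14-15) is what makes the construction backtracking resistant: the Key and V that produced the output no longer exist anywhere in the state, so a later state compromise does not reveal earlier output. And the counter check at step 9 is the only thing that stops an instance from running past reseed_interval, so a production implementation has to feed Reseed from Get_entropy (through the derivation function unless the source is full-entropy), not from a fixed value as the constructed seed here does.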
RFC2994

t1 = t1 ^ EK[(k+2)%8];
t1 = FI(t1, EK[(k+1)%8+8]);
t1 = t1 ^ t0;
t0 = t0 ^ EK[(k+7)%8];
t0 = FI(t0, EK[(k+3)%8+8]);
EK[i] = K[i*2]*256 + K[i*2+1];
for i = 0, ..., 7 do
begin
EK[i+ 8] = FI(EK[i], EK[(i+1)%8]);
EK[i+16] = EK[i+8] & 0x1ff;
EK[i+24] = EK[i+8] >> 9;
120: 10d 076 114 1ab 075 10c 1e4 159 054 11f 04b 0c4 1be 0f7 029 0a4
130: 00e 1f0 077 04d 17a 086 08b 0b3 171 0bf 10e 104 097 15b 160 168
d7 = S7TABLE[d7] ^ d9;
( d7 = d7 & 0x7f; )
d7 = d7 ^ (FI_KEY >> 9);
d9 = d9 ^ (FI_KEY & 0x1ff);
d9 = S9TABLE[d9] ^ d7;
begin
var t0, t1 as 16-bit integer;
t0 = FO_IN >> 16;
t1 = FO_IN & 0xffff;
What safeguards exist for Bitcoin transactions

Bitcoin is a global digital currency built on blockchain technology, and its transactions have to take place on the blockchain network, so Bitcoin transactions need certain safeguards.
This article introduces several common safeguards used in Bitcoin transactions.
1. Multi-signature technology
Multi-signature is one of the measures commonly used in Bitcoin wallets; it is also called a multi-party safe deposit box.
A multi-signature wallet lets control of the bitcoins be handed to several people, giving a jointly managed arrangement.
In theory, multi-signature avoids a single point of failure and improves the security of the bitcoins.
A multi-signature setup requires authorization from at least two private keys, and how those keys are distributed is under the owner's own control, which gives a higher level of security.
2. P2SH technology
P2SH (Pay to Script Hash) is a special Bitcoin transaction script used to define the transaction output.
Combined with multi-signature, P2SH can increase the security of Bitcoin transactions.
Before the transaction, the two parties agree on a random string as the transaction's identifier; that identifier is then converted into a hash value, and this hash is part of the P2SH.
When funds are to be transferred in this transaction, the original script containing the multi-signature must be provided, along with all the private keys the multi-signature requires.
Only when all the conditions are satisfied can the transaction be confirmed.
3. Two-factor authentication
In Bitcoin transactions, because of hacker attacks, malware, or user mistakes, there are cases where an attacker directly spends the user's coins.
To prevent this, many Bitcoin wallets offer two-factor authentication as a safeguard.
For example, the Coinbase wallet offers a two-factor authentication technique called "facial recognition": when the user is about to transact, they authenticate quickly via Face ID or Touch ID to ensure the transaction completes.
4. Transaction freezing
Transaction freezing in Bitcoin means freezing a transaction when something suspicious is observed in it.
Once a transaction is successfully frozen, both parties' bitcoins are locked and the transaction can no longer be reversed.
Transaction freezing requires the support of the blockchain nodes where the bitcoins reside; if a suspicious transaction exists, the Bitcoin nodes pause transaction confirmation, preventing loss of funds or leakage of personal information.
Those are the common safeguards in Bitcoin transactions. We recommend that users choose secure trading channels and wallets when transacting in Bitcoin and configure two-factor authentication and similar protective measures to keep their Bitcoin transactions safe.
So far, the best known attack was an improvement of exhaustive search which requires on average 2^54 DES computations.
internal computation boxes resistant against both attacks. This can be used in a heuristic way by the usual active s-box counting tricks (e.g., see [13, 15]). This has also been used to provide provable security against both attacks by Nyberg and Knudsen [27], but in an unsatisfactory way which introduces some algebraic properties that lead to other attacks, as shown by Jakobsen and Knudsen [16]. In this presentation, we introduce a new way to protect block ciphers against various kinds of attacks. This approach is based on the notion of universal functions introduced by Carter and Wegman [8, 39] for the purpose of authentication. Protecting block ciphers is so cheap that we call NUT (as for "n-Universal Transformation") the added operations which provide this security. We finally describe two cipher families we call COCONUT (as for "Cipher Organized with Cute Operations and NUT") and PEANUT (as for "Pretty Encryption Algorithm with NUT") and offer two definite examples as a cryptanalysis challenge. The paper is organized as follows. First we give some definitions on decorrelation distance (Section 1) and basic constructions (Section 2). Then we state Shannon's perfect secrecy notion in terms of decorrelation distance (Section 3). We show how to express security results in the Luby-Rackoff security model (Section 4). Then we compute how much Feistel ciphers can be decorrelated (Section 5). We prove how pairwise decorrelation can protect a cipher against differential cryptanalysis and linear cryptanalysis (Sections 6 and 7). We generalize those results with the notion of "attacks of order d" (Section 8). Finally, we define the COCONUT and PEANUT families (Sections 9 and 10).
Attacking DES was thus quite challenging, and this paradoxically boosted research on block ciphers. Real advances on the security of block ciphers have been made in the early 90's. One of the most important results has been obtained by Biham and Shamir in performing a differential cryptanalysis on DES [3-6]. The best version of this attack can recover a secret key with a simple 2^47-chosen plaintext attack. Although this attack is heuristic, experiments confirmed the results. Biham and Shamir's attack was based on statistical cryptanalysis ideas which have also been used by Gilbert and Chassé against another cipher [11, 10]. Those ideas inspired Matsui, who developed a linear cryptanalysis on DES [22, 23]. This heuristic attack, which has been implemented, can recover the key with a 2^43-known plaintext attack. Since then, many researchers have tried to generalize and improve these attacks (see for instance [20, 19, 13, 17, 32, 18, 25, 33]), but the general ideas were quite the same. The basic idea of differential cryptanalysis is to use properties like "if x and x' are two plaintext blocks such that x' = x + a, then it is likely that C(x') = C(x) + b". The attack is then an iterated two-chosen-plaintext attack which consists in getting the encrypted values of two random plaintexts which verify x' = x + a until a special event like C(x') = C(x) + b occurs. Similarly, linear cryptanalysis consists in using the probability Pr[C(x) ∈ H2 | x ∈ H1] for two given hyperplanes H1 and H2. With the GF(2)-vector space structure, hyperplanes are half-spaces, and this probability should be close to 1/2. Linear cryptanalysis uses the distance of this probability from 1/2 when it is large enough. More precisely, linear cryptanalysis is an incremental one-known-plaintext attack where we simply measure the correlation between the events [x ∈ H1] and [C(x) ∈ H2].
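As an added example, not from the paper, the following Go program computes the two tables that quantify the properties the paragraph above describes, at the scale of a single 4-bit S-box: the differential table counts, for each input difference a, how often the output difference equals b (so the entry divided by 16 is Pr[S(x') = S(x) + b | x' = x + a]), and the linear table measures how far Pr[b·S(x) = a·x] is from 1/2, where a hyperplane H over GF(2) is written as the set of values whose inner product with a mask is zero. PRESENT's S-box (Bogdanov et al., CHES 2007) is used as sample input because its profile is documented; the function names are this example's own. This per-component evaluation is the heuristic "active s-box counting" input a designer uses; the paper's decorrelation approach instead bounds what any differential or linear characteristic can achieve over the whole cipher.

```go
package main

import "fmt"

// PRESENT's 4-bit S-box (Bogdanov et al., CHES 2007), used as sample input because
// its differential uniformity (4) and linearity (8) are stated in that paper.
var PresentSbox = [16]uint8{0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2}

// DifferenceTable returns ddt[a][b] = #{x : S(x) + S(x + a) = b} with + meaning XOR,
// so ddt[a][b]/16 is the probability that input difference a yields output difference b.
func DifferenceTable(s [16]uint8) [16][16]int {
	var ddt [16][16]int
	for a := 0; a < 16; a++ {
		for x := 0; x < 16; x++ {
			ddt[a][s[x]^s[x^a]]++
		}
	}
	return ddt
}

// parity returns the XOR of the four bits of v, i.e. the GF(2) inner product a·x when v = a & x.
func parity(v uint8) int {
	v ^= v >> 2
	v ^= v >> 1
	return int(v & 1)
}

// LinearTable returns lat[a][b] = #{x : a·x = b·S(x)} - 8, so |lat[a][b]|/16 is the distance
// of Pr[b·S(x) = a·x] from 1/2: the bias of the approximation "x in H1 implies S(x) in H2"
// for the hyperplanes H1 = {x : a·x = 0} and H2 = {y : b·y = 0}.
func LinearTable(s [16]uint8) [16][16]int {
	var lat [16][16]int
	for a := 0; a < 16; a++ {
		for b := 0; b < 16; b++ {
			agree := 0
			for x := 0; x < 16; x++ {
				if parity(uint8(x)&uint8(a)) == parity(s[x]&uint8(b)) {
					agree++
				}
			}
			lat[a][b] = agree - 8
		}
	}
	return lat
}

// MaxDifferential is the largest DDT entry over nonzero input differences (Nyberg's
// differential uniformity); the best one-S-box differential has probability max/16.
func MaxDifferential(s [16]uint8) int {
	ddt := DifferenceTable(s)
	best := 0
	for a := 1; a < 16; a++ {
		for b := 0; b < 16; b++ {
			if ddt[a][b] > best {
				best = ddt[a][b]
			}
		}
	}
	return best
}

// MaxLinearBias is max |lat[a][b]| over nonzero masks a and b; the best linear
// approximation of the S-box has bias max/16.
func MaxLinearBias(s [16]uint8) int {
	lat := LinearTable(s)
	best := 0
	for a := 1; a < 16; a++ {
		for b := 1; b < 16; b++ {
			v := lat[a][b]
			if v < 0 {
				v = -v
			}
			if v > best {
				best = v
			}
		}
	}
	return best
}

func main() {
	fmt.Printf("PRESENT S-box: max differential probability %d/16, max linear bias %d/16\n",
		MaxDifferential(PresentSbox), MaxLinearBias(PresentSbox))
}
```

Reading the output the way the paragraph does: a max differential of 4/16 means no input difference predicts an output difference with probability above 1/4, and a max linear bias of 4/16 means no pair of hyperplanes gives a correlation larger than 1/4, which is the per-S-box figure the active-s-box heuristic multiplies along a trail. The identity map, by contrast, scores 16 and 8 (a probability-1 differential and a correlation of 1), which the test below checks as the degenerate case.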
Instead of keeping on breaking and proposing new encryption functions, some researchers tried to focus on the way to protect ciphers against some classes of attacks. Nyberg first formalized the notion of strength against differential cryptanalysis [26], and similarly, Chabaud and Vaudenay formalized the notion of strength against linear cryptanalysis [7]. With this approach we can study how to make
Serge.Vaudenay@ens.fr
ciphers against classes of attacks (including differential and linear cryptanalysis) which is based on the notion of decorrelation distance, which is closely connected to Carter-Wegman's universal hash function paradigm. This defines a simple and friendly combinatorial measurement which enables us to quantify the security. We show that we can mix provable protections and heuristic protections. We finally propose two new block cipher families we call COCONUT and PEANUT, which implement these ideas and achieve quite reasonable performances for real-life applications.