Telosb implementation of elliptic curve cryptography over primary field

HBM靜電放電測試系統之二次電性過應力事件的形成與抑制作者Tom Meuse (1), Larry Ting (2), Joe Schichl (2), Robert Barrett (1), David Bennett (1), Roger Cline (2), Charvaka Duvvury (2), Michael Hopkins (1), Hans Kunz (2), JohnLeiserson (1), Robert Steinhoff (2)(1) Thermo Electron Corporation (2) Texas Instruments Inc.譯者何正江訊程實業股份有限公司目錄1.背景介紹2. 元件失效的描述和測試系統間的相互作用3. 異常尾波(trailing pulse)的發現4. 異常尾波(trailing pulse)形成的機制5. 測試系統的修改以抑制異常尾波(trailing pulse)6. 對於HBM測試標準改進之建議以及將來之挑戰7.結論HBM靜電放電測試系統之二次電性過應力事件的形成與抑制前言以往在人體帶電模型(Human Body Model，HBM)靜電放電測試系統中，未被偵測到的異常尾波(trailing pulse)，最近已被證實對於較先進技術下所製造出來的半導體產品，會在其閘極氧化層(gate oxide)部位產生預期之外的破壞。

此第二脈衝是由於放電繼電器以及充電電路寄生特性所共同引起的電性過應力(Electrical Over-Stress，EOS)自然現象。

本文件主要在探討此一重要現象以及建立測試系統如何來抑制異常尾波的機制。

1. 背景介紹自從1979年美國軍方首度制定人體帶電模型(Human Body Model，HBM)耐靜電測試標準MIL-STD-883 Method 3015以來許多商品化的HBM測試系統相繼在半導體工業界被採用。

基于比特重组快速模约简的高面积效率椭圆曲线标量乘法器设
计
刘志伟;张琦;黄海;杨晓秋;陈冠百;赵石磊;于斌
【期刊名称】《电子与信息学报》
【年(卷),期】2024(46)1
【摘要】针对现有椭圆曲线密码标量乘法器难以兼顾灵活性和面积效率的问题,该文设计了一种基于比特重组快速模约简的高面积效率标量乘法器。

首先,根据椭圆曲线标量乘的运算特点,设计了一种可实现乘法和模逆两种运算的硬件复用运算单元以提高硬件资源使用率,并采用Karatsuba-Ofman算法提高计算性能。

其次,设计了基于比特重组的快速模约简算法,并实现了支持secp256k1, secp256r1和SCA-256(SM2标准推荐曲线)快速模约简计算的硬件架构。

最后,对点加和倍点的模运算操作调度进行了优化,提高乘法与快速模约简的利用率,降低了标量乘计算所需的周期数量。

所设计的标量乘法器在55 nm CMOS工艺下需要275 k个等效门,标量乘运算速度为48 309次/s,面积时间积达到5.7。

【总页数】9页(P344-352)
【作者】刘志伟;张琦;黄海;杨晓秋;陈冠百;赵石磊;于斌
【作者单位】哈尔滨理工大学计算机科学与技术学院
【正文语种】中文
【中图分类】TN918
【相关文献】
1.基于快速标量乘算法的椭圆曲线数字签名方案
2.基于特殊加法链的快速安全椭圆曲线标量乘算法(英文)
3.基于GF(2n)上椭圆曲线标量乘的快速实现
4.面向多椭圆曲线的高速标量乘法器设计与实现
5.基于二进制Edwards曲线的椭圆曲线加密多标量乘结构设计与实现
因版权原因，仅展示原文概要，查看原文内容请购买。

2009and2010Papers:Big-4Security ConferencespvoOctober13,2010NDSS20091.Document Structure Integrity:A Robust Basis for Cross-site Scripting Defense.Y.Nadji,P.Saxena,D.Song2.An Efficient Black-box Technique for Defeating Web Application Attacks.R.Sekar3.Noncespaces:Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks.M.Van Gundy,H.Chen4.The Blind Stone Tablet:Outsourcing Durability to Untrusted Parties.P.Williams,R.Sion,D.Shasha5.Two-Party Computation Model for Privacy-Preserving Queries over Distributed Databases.S.S.M.Chow,J.-H.Lee,L.Subramanian6.SybilInfer:Detecting Sybil Nodes using Social Networks.G.Danezis,P.Mittal7.Spectrogram:A Mixture-of-Markov-Chains Model for Anomaly Detection in Web Traffic.Yingbo Song,Angelos D.Keromytis,Salvatore J.Stolfo8.Detecting Forged TCP Reset Packets.Nicholas Weaver,Robin Sommer,Vern Paxson9.Coordinated Scan Detection.Carrie Gates10.RB-Seeker:Auto-detection of Redirection Botnets.Xin Hu,Matthew Knysz,Kang G.Shin11.Scalable,Behavior-Based Malware Clustering.Ulrich Bayer,Paolo Milani Comparetti,Clemens Hlauschek,Christopher Kruegel,Engin Kirda12.K-Tracer:A System for Extracting Kernel Malware Behavior.Andrea Lanzi,Monirul I.Sharif,Wenke Lee13.RAINBOW:A Robust And Invisible Non-Blind Watermark for Network Flows.Amir Houmansadr,Negar Kiyavash,Nikita Borisov14.Traffic Morphing:An Efficient Defense Against Statistical Traffic Analysis.Charles V.Wright,Scott E.Coull,Fabian Monrose15.Recursive DNS Architectures and Vulnerability Implications.David Dagon,Manos Antonakakis,Kevin Day,Xiapu Luo,Christopher P.Lee,Wenke Lee16.Analyzing and Comparing the Protection Quality of Security Enhanced Operating Systems.Hong Chen,Ninghui Li,Ziqing Mao17.IntScope:Automatically Detecting Integer Overflow Vulnerability in X86Binary Using Symbolic Execution.Tielei Wang,Tao Wei,Zhiqiang Lin,Wei Zou18.Safe Passage for Passwords and Other Sensitive Data.Jonathan M.McCune,Adrian Perrig,Michael K.Reiter19.Conditioned-safe Ceremonies and a User Study of an Application to Web Authentication.Chris Karlof,J.Doug Tygar,David Wagner20.CSAR:A Practical and Provable Technique to Make Randomized Systems Accountable.Michael Backes,Peter Druschel,Andreas Haeberlen,Dominique UnruhOakland20091.Wirelessly Pickpocketing a Mifare Classic Card.(Best Practical Paper Award)Flavio D.Garcia,Peter van Rossum,Roel Verdult,Ronny Wichers Schreur2.Plaintext Recovery Attacks Against SSH.Martin R.Albrecht,Kenneth G.Paterson,Gaven J.Watson3.Exploiting Unix File-System Races via Algorithmic Complexity Attacks.Xiang Cai,Yuwei Gui,Rob Johnson4.Practical Mitigations for Timing-Based Side-Channel Attacks on Modern x86Processors.Bart Coppens,Ingrid Verbauwhede,Bjorn De Sutter,Koen De Bosschere5.Non-Interference for a Practical DIFC-Based Operating System.Maxwell Krohn,Eran Tromer6.Native Client:A Sandbox for Portable,Untrusted x86Native Code.(Best Paper Award)B.Yee,D.Sehr,G.Dardyk,B.Chen,R.Muth,T.Ormandy,S.Okasaka,N.Narula,N.Fullagar7.Automatic Reverse Engineering of Malware Emulators.(Best Student Paper Award)Monirul Sharif,Andrea Lanzi,Jonathon Giffin,Wenke Lee8.Prospex:Protocol Specification Extraction.Paolo Milani Comparetti,Gilbert Wondracek,Christopher Kruegel,Engin Kirda9.Quantifying Information Leaks in Outbound Web Traffic.Kevin Borders,Atul Prakash10.Automatic Discovery and Quantification of Information Leaks.Michael Backes,Boris Kopf,Andrey Rybalchenko11.CLAMP:Practical Prevention of Large-Scale Data Leaks.Bryan Parno,Jonathan M.McCune,Dan Wendlandt,David G.Andersen,Adrian Perrig12.De-anonymizing Social Networks.Arvind Narayanan,Vitaly Shmatikov13.Privacy Weaknesses in Biometric Sketches.Koen Simoens,Pim Tuyls,Bart Preneel14.The Mastermind Attack on Genomic Data.Michael T.Goodrich15.A Logic of Secure Systems and its Application to Trusted Computing.Anupam Datta,Jason Franklin,Deepak Garg,Dilsun Kaynar16.Formally Certifying the Security of Digital Signature Schemes.Santiago Zanella-Beguelin,Gilles Barthe,Benjamin Gregoire,Federico Olmedo17.An Epistemic Approach to Coercion-Resistance for Electronic Voting Protocols.Ralf Kuesters,Tomasz Truderung18.Sphinx:A Compact and Provably Secure Mix Format.George Danezis,Ian Goldberg19.DSybil:Optimal Sybil-Resistance for Recommendation Systems.Haifeng Yu,Chenwei Shi,Michael Kaminsky,Phillip B.Gibbons,Feng Xiao20.Fingerprinting Blank Paper Using Commodity Scanners.William Clarkson,Tim Weyrich,Adam Finkelstein,Nadia Heninger,Alex Halderman,Ed Felten 21.Tempest in a Teapot:Compromising Reflections Revisited.Michael Backes,Tongbo Chen,Markus Duermuth,Hendrik P.A.Lensch,Martin Welk22.Blueprint:Robust Prevention of Cross-site Scripting Attacks for Existing Browsers.Mike Ter Louw,V.N.Venkatakrishnan23.Pretty-Bad-Proxy:An Overlooked Adversary in Browsers’HTTPS Deployments.Shuo Chen,Ziqing Mao,Yi-Min Wang,Ming Zhang24.Secure Content Sniffing for Web Browsers,or How to Stop Papers from Reviewing Themselves.Adam Barth,Juan Caballero,Dawn Song25.It’s No Secret:Measuring the Security and Reliability of Authentication via’Secret’Questions.Stuart Schechter,A.J.Bernheim Brush,Serge Egelman26.Password Cracking Using Probabilistic Context-Free Grammars.Matt Weir,Sudhir Aggarwal,Bill Glodek,Breno de MedeirosUSENIX Security2009promising Electromagnetic Emanations of Wired and Wireless Keyboards.(Outstanding Student Paper)Martin Vuagnoux,Sylvain Pasini2.Peeping Tom in the Neighborhood:Keystroke Eavesdropping on Multi-User Systems.Kehuan Zhang,XiaoFeng Wang3.A Practical Congestion Attack on Tor Using Long Paths,Nathan S.Evans,Roger Dingledine,Christian Grothoff4.Baggy Bounds Checking:An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors.Periklis Akritidis,Manuel Costa,Miguel Castro,Steven Hand5.Dynamic Test Generation to Find Integer Bugs in x86Binary Linux Programs.David Molnar,Xue Cong Li,David A.Wagner6.NOZZLE:A Defense Against Heap-spraying Code Injection Attacks.Paruj Ratanaworabhan,Benjamin Livshits,Benjamin Zorn7.Detecting Spammers with SNARE:Spatio-temporal Network-level Automatic Reputation Engine.Shuang Hao,Nadeem Ahmed Syed,Nick Feamster,Alexander G.Gray,Sven Krasser8.Improving Tor using a TCP-over-DTLS Tunnel.Joel Reardon,Ian Goldberg9.Locating Prefix Hijackers using LOCK.Tongqing Qiu,Lusheng Ji,Dan Pei,Jia Wang,Jun(Jim)Xu,Hitesh Ballani10.GATEKEEPER:Mostly Static Enforcement of Security and Reliability Policies for JavaScript Code.Salvatore Guarnieri,Benjamin Livshits11.Cross-Origin JavaScript Capability Leaks:Detection,Exploitation,and Defense.Adam Barth,Joel Weinberger,Dawn Song12.Memory Safety for Low-Level Software/Hardware Interactions.John Criswell,Nicolas Geoffray,Vikram Adve13.Physical-layer Identification of RFID Devices.Boris Danev,Thomas S.Heydt-Benjamin,Srdjan CapkunCP:Secure Remote Storage for Computational RFIDs.Mastooreh Salajegheh,Shane Clark,Benjamin Ransford,Kevin Fu,Ari Juels15.Jamming-resistant Broadcast Communication without Shared Keys.Christina Popper,Mario Strasser,Srdjan Capkun16.xBook:Redesigning Privacy Control in Social Networking Platforms.Kapil Singh,Sumeer Bhola,Wenke Lee17.Nemesis:Preventing Authentication and Access Control Vulnerabilities in Web Applications.Michael Dalton,Christos Kozyrakis,Nickolai Zeldovich18.Static Enforcement of Web Application Integrity Through Strong Typing.William Robertson,Giovanni Vigna19.Vanish:Increasing Data Privacy with Self-Destructing Data.(Outstanding Student Paper)Roxana Geambasu,Tadayoshi Kohno,Amit A.Levy,Henry M.Levy20.Efficient Data Structures for Tamper-Evident Logging.Scott A.Crosby,Dan S.Wallach21.VPriv:Protecting Privacy in Location-Based Vehicular Services.Raluca Ada Popa,Hari Balakrishnan,Andrew J.Blumberg22.Effective and Efficient Malware Detection at the End Host.Clemens Kolbitsch,Paolo Milani Comparetti,Christopher Kruegel,Engin Kirda,Xiaoyong Zhou,XiaoFeng Wang 23.Protecting Confidential Data on Personal Computers with Storage Capsules.Kevin Borders,Eric Vander Weele,Billy Lau,Atul Prakash24.Return-Oriented Rootkits:Bypassing Kernel Code Integrity Protection Mechanisms.Ralf Hund,Thorsten Holz,Felix C.Freiling25.Crying Wolf:An Empirical Study of SSL Warning Effectiveness.Joshua Sunshine,Serge Egelman,Hazim Almuhimedi,Neha Atri,Lorrie Faith Cranor26.The Multi-Principal OS Construction of the Gazelle Web Browser.Helen J.Wang,Chris Grier,Alex Moshchuk,Samuel T.King,Piali Choudhury,Herman VenterACM CCS20091.Attacking cryptographic schemes based on”perturbation polynomials”.Martin Albrecht,Craig Gentry,Shai Halevi,Jonathan Katz2.Filter-resistant code injection on ARM.Yves Younan,Pieter Philippaerts,Frank Piessens,Wouter Joosen,Sven Lachmund,Thomas Walter3.False data injection attacks against state estimation in electric power grids.Yao Liu,Michael K.Reiter,Peng Ning4.EPC RFID tag security weaknesses and defenses:passport cards,enhanced drivers licenses,and beyond.Karl Koscher,Ari Juels,Vjekoslav Brajkovic,Tadayoshi Kohno5.An efficient forward private RFID protocol.Come Berbain,Olivier Billet,Jonathan Etrog,Henri Gilbert6.RFID privacy:relation between two notions,minimal condition,and efficient construction.Changshe Ma,Yingjiu Li,Robert H.Deng,Tieyan Li7.CoSP:a general framework for computational soundness proofs.Michael Backes,Dennis Hofheinz,Dominique Unruh8.Reactive noninterference.Aaron Bohannon,Benjamin C.Pierce,Vilhelm Sjoberg,Stephanie Weirich,Steve Zdancewicputational soundness for key exchange protocols with symmetric encryption.Ralf Kusters,Max Tuengerthal10.A probabilistic approach to hybrid role mining.Mario Frank,Andreas P.Streich,David A.Basin,Joachim M.Buhmann11.Efficient pseudorandom functions from the decisional linear assumption and weaker variants.Allison B.Lewko,Brent Waters12.Improving privacy and security in multi-authority attribute-based encryption.Melissa Chase,Sherman S.M.Chow13.Oblivious transfer with access control.Jan Camenisch,Maria Dubovitskaya,Gregory Neven14.NISAN:network information service for anonymization networks.Andriy Panchenko,Stefan Richter,Arne Rache15.Certificateless onion routing.Dario Catalano,Dario Fiore,Rosario Gennaro16.ShadowWalker:peer-to-peer anonymous communication using redundant structured topologies.Prateek Mittal,Nikita Borisov17.Ripley:automatically securing web2.0applications through replicated execution.K.Vikram,Abhishek Prateek,V.Benjamin Livshits18.HAIL:a high-availability and integrity layer for cloud storage.Kevin D.Bowers,Ari Juels,Alina Oprea19.Hey,you,get offof my cloud:exploring information leakage in third-party compute clouds.Thomas Ristenpart,Eran Tromer,Hovav Shacham,Stefan Savage20.Dynamic provable data possession.C.Christopher Erway,Alptekin Kupcu,Charalampos Papamanthou,Roberto Tamassia21.On cellular botnets:measuring the impact of malicious devices on a cellular network core.Patrick Traynor,Michael Lin,Machigar Ongtang,Vikhyath Rao,Trent Jaeger,Patrick Drew McDaniel,Thomas Porta 22.On lightweight mobile phone application certification.William Enck,Machigar Ongtang,Patrick Drew McDaniel23.SMILE:encounter-based trust for mobile social services.Justin Manweiler,Ryan Scudellari,Landon P.Cox24.Battle of Botcraft:fighting bots in online games with human observational proofs.Steven Gianvecchio,Zhenyu Wu,Mengjun Xie,Haining Wang25.Fides:remote anomaly-based cheat detection using client emulation.Edward C.Kaiser,Wu-chang Feng,Travis Schluessler26.Behavior based software theft detection.Xinran Wang,Yoon-chan Jhi,Sencun Zhu,Peng Liu27.The fable of the bees:incentivizing robust revocation decision making in ad hoc networks.Steffen Reidt,Mudhakar Srivatsa,Shane Balfe28.Effective implementation of the cell broadband engineTM isolation loader.Masana Murase,Kanna Shimizu,Wilfred Plouffe,Masaharu Sakamoto29.On achieving good operating points on an ROC plane using stochastic anomaly score prediction.Muhammad Qasim Ali,Hassan Khan,Ali Sajjad,Syed Ali Khayam30.On non-cooperative location privacy:a game-theoretic analysis.Julien Freudiger,Mohammad Hossein Manshaei,Jean-Pierre Hubaux,David C.Parkes31.Privacy-preserving genomic computation through program specialization.Rui Wang,XiaoFeng Wang,Zhou Li,Haixu Tang,Michael K.Reiter,Zheng Dong32.Feeling-based location privacy protection for location-based services.Toby Xu,Ying Cai33.Multi-party off-the-record messaging.Ian Goldberg,Berkant Ustaoglu,Matthew Van Gundy,Hao Chen34.The bayesian traffic analysis of mix networks.Carmela Troncoso,George Danezis35.As-awareness in Tor path selection.Matthew Edman,Paul F.Syverson36.Membership-concealing overlay networks.Eugene Y.Vasserman,Rob Jansen,James Tyra,Nicholas Hopper,Yongdae Kim37.On the difficulty of software-based attestation of embedded devices.Claude Castelluccia,Aurelien Francillon,Daniele Perito,Claudio Soriente38.Proximity-based access control for implantable medical devices.Kasper Bonne Rasmussen,Claude Castelluccia,Thomas S.Heydt-Benjamin,Srdjan Capkun39.XCS:cross channel scripting and its impact on web applications.Hristo Bojinov,Elie Bursztein,Dan Boneh40.A security-preserving compiler for distributed programs:from information-flow policies to cryptographic mechanisms.Cedric Fournet,Gurvan Le Guernic,Tamara Rezk41.Finding bugs in exceptional situations of JNI programs.Siliang Li,Gang Tan42.Secure open source collaboration:an empirical study of Linus’law.Andrew Meneely,Laurie A.Williams43.On voting machine design for verification and testability.Cynthia Sturton,Susmit Jha,Sanjit A.Seshia,David Wagner44.Secure in-VM monitoring using hardware virtualization.Monirul I.Sharif,Wenke Lee,Weidong Cui,Andrea Lanzi45.A metadata calculus for secure information sharing.Mudhakar Srivatsa,Dakshi Agrawal,Steffen Reidt46.Multiple password interference in text passwords and click-based graphical passwords.Sonia Chiasson,Alain Forget,Elizabeth Stobert,Paul C.van Oorschot,Robert Biddle47.Can they hear me now?:a security analysis of law enforcement wiretaps.Micah Sherr,Gaurav Shah,Eric Cronin,Sandy Clark,Matt Blaze48.English shellcode.Joshua Mason,Sam Small,Fabian Monrose,Greg MacManus49.Learning your identity and disease from research papers:information leaks in genome wide association study.Rui Wang,Yong Fuga Li,XiaoFeng Wang,Haixu Tang,Xiao-yong Zhou50.Countering kernel rootkits with lightweight hook protection.Zhi Wang,Xuxian Jiang,Weidong Cui,Peng Ning51.Mapping kernel objects to enable systematic integrity checking.Martim Carbone,Weidong Cui,Long Lu,Wenke Lee,Marcus Peinado,Xuxian Jiang52.Robust signatures for kernel data structures.Brendan Dolan-Gavitt,Abhinav Srivastava,Patrick Traynor,Jonathon T.Giffin53.A new cell counter based attack against tor.Zhen Ling,Junzhou Luo,Wei Yu,Xinwen Fu,Dong Xuan,Weijia Jia54.Scalable onion routing with torsk.Jon McLachlan,Andrew Tran,Nicholas Hopper,Yongdae Kim55.Anonymous credentials on a standard java card.Patrik Bichsel,Jan Camenisch,Thomas Gros,Victor Shouprge-scale malware indexing using function-call graphs.Xin Hu,Tzi-cker Chiueh,Kang G.Shin57.Dispatcher:enabling active botnet infiltration using automatic protocol reverse-engineering.Juan Caballero,Pongsin Poosankam,Christian Kreibich,Dawn Xiaodong Song58.Your botnet is my botnet:analysis of a botnet takeover.Brett Stone-Gross,Marco Cova,Lorenzo Cavallaro,Bob Gilbert,MartinSzydlowski,Richard A.Kemmerer,Christopher Kruegel,Giovanni VignaNDSS20101.Server-side Verification of Client Behavior in Online Games.Darrell Bethea,Robert Cochran and Michael Reiter2.Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs.S.Wolchok,O.S.Hofmann,N.Heninger,E.W.Felten,J.A.Halderman,C.J.Rossbach,B.Waters,E.Witchel3.Stealth DoS Attacks on Secure Channels.Amir Herzberg and Haya Shulman4.Protecting Browsers from Extension Vulnerabilities.Adam Barth,Adrienne Porter Felt,Prateek Saxena,and Aaron Boodman5.Adnostic:Privacy Preserving Targeted Advertising.Vincent Toubiana,Arvind Narayanan,Dan Boneh,Helen Nissenbaum and Solon Barocas6.FLAX:Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications.Prateek Saxena,Steve Hanna,Pongsin Poosankam and Dawn Song7.Effective Anomaly Detection with Scarce Training Data.William Robertson,Federico Maggi,Christopher Kruegel and Giovanni Vignarge-Scale Automatic Classification of Phishing Pages.Colin Whittaker,Brian Ryner and Marria Nazif9.A Systematic Characterization of IM Threats using Honeypots.Iasonas Polakis,Thanasis Petsas,Evangelos P.Markatos and Spiros Antonatos10.On Network-level Clusters for Spam Detection.Zhiyun Qian,Zhuoqing Mao,Yinglian Xie and Fang Yu11.Improving Spam Blacklisting Through Dynamic Thresholding and Speculative Aggregation.Sushant Sinha,Michael Bailey and Farnam Jahanian12.Botnet Judo:Fighting Spam with Itself.A.Pitsillidis,K.Levchenko,C.Kreibich,C.Kanich,G.M.Voelker,V.Paxson,N.Weaver,S.Savage13.Contractual Anonymity.Edward J.Schwartz,David Brumley and Jonathan M.McCune14.A3:An Extensible Platform for Application-Aware Anonymity.Micah Sherr,Andrew Mao,William R.Marczak,Wenchao Zhou,Boon Thau Loo,and Matt Blaze15.When Good Randomness Goes Bad:Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography.Thomas Ristenpart and Scott Yilek16.InvisiType:Object-Oriented Security Policies.Jiwon Seo and Monica m17.A Security Evaluation of DNSSEC with NSEC3.Jason Bau and John Mitchell18.On the Safety of Enterprise Policy Deployment.Yudong Gao,Ni Pan,Xu Chen and Z.Morley Mao19.Where Do You Want to Go Today?Escalating Privileges by Pathname Manipulation.Suresh Chari,Shai Halevi and Wietse Venema20.Joe-E:A Security-Oriented Subset of Java.Adrian Mettler,David Wagner and Tyler Close21.Preventing Capability Leaks in Secure JavaScript Subsets.Matthew Finifter,Joel Weinberger and Adam Barth22.Binary Code Extraction and Interface Identification for Security Applications.Juan Caballero,Noah M.Johnson,Stephen McCamant,and Dawn Song23.Automatic Reverse Engineering of Data Structures from Binary Execution.Zhiqiang Lin,Xiangyu Zhang and Dongyan Xu24.Efficient Detection of Split Personalities in Malware.Davide Balzarotti,Marco Cova,Christoph Karlberger,Engin Kirda,Christopher Kruegel and Giovanni VignaOakland20101.Inspector Gadget:Automated Extraction of Proprietary Gadgets from Malware Binaries.Clemens Kolbitsch Thorsten Holz,Christopher Kruegel,Engin Kirda2.Synthesizing Near-Optimal Malware Specifications from Suspicious Behaviors.Matt Fredrikson,Mihai Christodorescu,Somesh Jha,Reiner Sailer,Xifeng Yan3.Identifying Dormant Functionality in Malware Programs.Paolo Milani Comparetti,Guido Salvaneschi,Clemens Kolbitsch,Engin Kirda,Christopher Kruegel,Stefano Zanero4.Reconciling Belief and Vulnerability in Information Flow.Sardaouna Hamadou,Vladimiro Sassone,Palamidessi5.Towards Static Flow-Based Declassification for Legacy and Untrusted Programs.Bruno P.S.Rocha,Sruthi Bandhakavi,Jerry I.den Hartog,William H.Winsborough,Sandro Etalle6.Non-Interference Through Secure Multi-Execution.Dominique Devriese,Frank Piessens7.Object Capabilities and Isolation of Untrusted Web Applications.Sergio Maffeis,John C.Mitchell,Ankur Taly8.TrustVisor:Efficient TCB Reduction and Attestation.Jonathan McCune,Yanlin Li,Ning Qu,Zongwei Zhou,Anupam Datta,Virgil Gligor,Adrian Perrig9.Overcoming an Untrusted Computing Base:Detecting and Removing Malicious Hardware Automatically.Matthew Hicks,Murph Finnicum,Samuel T.King,Milo M.K.Martin,Jonathan M.Smith10.Tamper Evident Microprocessors.Adam Waksman,Simha Sethumadhavan11.Side-Channel Leaks in Web Applications:a Reality Today,a Challenge Tomorrow.Shuo Chen,Rui Wang,XiaoFeng Wang Kehuan Zhang12.Investigation of Triangular Spamming:a Stealthy and Efficient Spamming Technique.Zhiyun Qian,Z.Morley Mao,Yinglian Xie,Fang Yu13.A Practical Attack to De-Anonymize Social Network Users.Gilbert Wondracek,Thorsten Holz,Engin Kirda,Christopher Kruegel14.SCiFI-A System for Secure Face Identification.(Best Paper)Margarita Osadchy,Benny Pinkas,Ayman Jarrous,Boaz Moskovich15.Round-Efficient Broadcast Authentication Protocols for Fixed Topology Classes.Haowen Chan,Adrian Perrig16.Revocation Systems with Very Small Private Keys.Allison Lewko,Amit Sahai,Brent Waters17.Authenticating Primary Users’Signals in Cognitive Radio Networks via Integrated Cryptographic and Wireless Link Signatures.Yao Liu,Peng Ning,Huaiyu Dai18.Outside the Closed World:On Using Machine Learning For Network Intrusion Detection.Robin Sommer,Vern Paxson19.All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution(but might have been afraid to ask).Thanassis Avgerinos,Edward Schwartz,David Brumley20.State of the Art:Automated Black-Box Web Application Vulnerability Testing.Jason Bau,Elie Bursztein,Divij Gupta,John Mitchell21.A Proof-Carrying File System.Deepak Garg,Frank Pfenning22.Scalable Parametric Verification of Secure Systems:How to Verify Ref.Monitors without Worrying about Data Structure Size.Jason Franklin,Sagar Chaki,Anupam Datta,Arvind Seshadri23.HyperSafe:A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity.Zhi Wang,Xuxian Jiang24.How Good are Humans at Solving CAPTCHAs?A Large Scale Evaluation.Elie Bursztein,Steven Bethard,John C.Mitchell,Dan Jurafsky,Celine Fabry25.Bootstrapping Trust in Commodity Computers.Bryan Parno,Jonathan M.McCune,Adrian Perrig26.Chip and PIN is Broken.(Best Practical Paper)Steven J.Murdoch,Saar Drimer,Ross Anderson,Mike Bond27.Experimental Security Analysis of a Modern Automobile.K.Koscher,A.Czeskis,F.Roesner,S.Patel,T.Kohno,S.Checkoway,D.McCoy,B.Kantor,D.Anderson,H.Shacham,S.Savage 28.On the Incoherencies in Web Browser Access Control Policies.Kapil Singh,Alexander Moshchuk,Helen J.Wang,Wenke Lee29.ConScript:Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser.Leo Meyerovich,Benjamin Livshits30.TaintScope:A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection.(Best Student Paper)Tielei Wang,Tao Wei,Guofei Gu,Wei Zou31.A Symbolic Execution Framework for JavaScript.Prateek Saxena,Devdatta Akhawe,Steve Hanna,Stephen McCamant,Dawn Song,Feng MaoUSENIX Security20101.Adapting Software Fault Isolation to Contemporary CPU Architectures.David Sehr,Robert Muth,CliffBiffle,Victor Khimenko,Egor Pasko,Karl Schimpf,Bennet Yee,Brad Chen2.Making Linux Protection Mechanisms Egalitarian with UserFS.Taesoo Kim and Nickolai Zeldovich3.Capsicum:Practical Capabilities for UNIX.(Best Student Paper)Robert N.M.Watson,Jonathan Anderson,Ben Laurie,Kris Kennaway4.Structuring Protocol Implementations to Protect Sensitive Data.Petr Marchenko,Brad Karp5.PrETP:Privacy-Preserving Electronic Toll Pricing.Josep Balasch,Alfredo Rial,Carmela Troncoso,Bart Preneel,Ingrid Verbauwhede,Christophe Geuens6.An Analysis of Private Browsing Modes in Modern Browsers.Gaurav Aggarwal,Elie Bursztein,Collin Jackson,Dan Boneh7.BotGrep:Finding P2P Bots with Structured Graph Analysis.Shishir Nagaraja,Prateek Mittal,Chi-Yao Hong,Matthew Caesar,Nikita Borisov8.Fast Regular Expression Matching Using Small TCAMs for Network Intrusion Detection and Prevention Systems.Chad R.Meiners,Jignesh Patel,Eric Norige,Eric Torng,Alex X.Liu9.Searching the Searchers with SearchAudit.John P.John,Fang Yu,Yinglian Xie,Martin Abadi,Arvind Krishnamurthy10.Toward Automated Detection of Logic Vulnerabilities in Web Applications.Viktoria Felmetsger,Ludovico Cavedon,Christopher Kruegel,Giovanni Vigna11.Baaz:A System for Detecting Access Control Misconfigurations.Tathagata Das,Ranjita Bhagwan,Prasad Naldurg12.Cling:A Memory Allocator to Mitigate Dangling Pointers.Periklis Akritidis13.ZKPDL:A Language-Based System for Efficient Zero-Knowledge Proofs and Electronic Cash.Sarah Meiklejohn,C.Chris Erway,Alptekin Kupcu,Theodora Hinkle,Anna Lysyanskaya14.P4P:Practical Large-Scale Privacy-Preserving Distributed Computation Robust against Malicious Users.Yitao Duan,John Canny,Justin Zhan,15.SEPIA:Privacy-Preserving Aggregation of Multi-Domain Network Events and Statistics.Martin Burkhart,Mario Strasser,Dilip Many,Xenofontas Dimitropoulos16.Dude,Where’s That IP?Circumventing Measurement-based IP Geolocation.Phillipa Gill,Yashar Ganjali,Bernard Wong,David Lie17.Idle Port Scanning and Non-interference Analysis of Network Protocol Stacks Using Model Checking.Roya Ensafi,Jong Chun Park,Deepak Kapur,Jedidiah R.Crandall18.Building a Dynamic Reputation System for DNS.Manos Antonakakis,Roberto Perdisci,David Dagon,Wenke Lee,Nick Feamster19.Scantegrity II Municipal Election at Takoma Park:The First E2E Binding Governmental Election with Ballot Privacy.R.Carback,D.Chaum,J.Clark,J.Conway,A.Essex,P.S.Herrnson,T.Mayberry,S.Popoveniuc,R.L.Rivest,E.Shen,A.T.Sherman,P.L.Vora20.Acoustic Side-Channel Attacks on Printers.Michael Backes,Markus Durmuth,Sebastian Gerling,Manfred Pinkal,Caroline Sporleder21.Security and Privacy Vulnerabilities of In-Car Wireless Networks:A Tire Pressure Monitoring System Case Study.Ishtiaq Rouf,Rob Miller,Hossen Mustafa,Travis Taylor,Sangho Oh,Wenyuan Xu,Marco Gruteser,Wade Trappe,Ivan Seskar 22.VEX:Vetting Browser Extensions for Security Vulnerabilities.(Best Paper)Sruthi Bandhakavi,Samuel T.King,P.Madhusudan,Marianne Winslett23.Securing Script-Based Extensibility in Web Browsers.Vladan Djeric,Ashvin Goel24.AdJail:Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements.Mike Ter Louw,Karthik Thotta Ganesh,V.N.Venkatakrishnan25.Realization of RF Distance Bounding.Kasper Bonne Rasmussen,Srdjan Capkun26.The Case for Ubiquitous Transport-Level Encryption.Andrea Bittau,Michael Hamburg,Mark Handley,David Mazieres,Dan Boneh27.Automatic Generation of Remediation Procedures for Malware Infections.Roberto Paleari,Lorenzo Martignoni,Emanuele Passerini,Drew Davidson,Matt Fredrikson,Jon Giffin,Somesh Jha28.Re:CAPTCHAs-Understanding CAPTCHA-Solving Services in an Economic Context.Marti Motoyama,Kirill Levchenko,Chris Kanich,Damon McCoy,Geoffrey M.Voelker,Stefan Savage29.Chipping Away at Censorship Firewalls with User-Generated Content.Sam Burnett,Nick Feamster,Santosh Vempala30.Fighting Coercion Attacks in Key Generation using Skin Conductance.Payas Gupta,Debin GaoACM CCS20101.Security Analysis of India’s Electronic Voting Machines.Scott Wolchok,Erik Wustrow,J.Alex Halderman,Hari Prasad,Rop Gonggrijp2.Dissecting One Click Frauds.Nicolas Christin,Sally S.Yanagihara,Keisuke Kamataki3.@spam:The Underground on140Characters or Less.Chris Grier,Kurt Thomas,Vern Paxson,Michael Zhang4.HyperSentry:Enabling Stealthy In-context Measurement of Hypervisor Integrity.Ahmed M.Azab,Peng Ning,Zhi Wang,Xuxian Jiang,Xiaolan Zhang,Nathan C.Skalsky5.Trail of Bytes:Efficient Support for Forensic Analysis.Srinivas Krishnan,Kevin Z.Snow,Fabian Monrose6.Survivable Key Compromise in Software Update Systems.Justin Samuel,Nick Mathewson,Justin Cappos,Roger Dingledine7.A Methodology for Empirical Analysis of the Permission-Based Security Models and its Application to Android.David Barrera,H.Gunes Kayacik,Paul C.van Oorschot,Anil Somayaji8.Mobile Location Tracking in Metropolitan Areas:malnets and others.Nathanial Husted,Steve Myers9.On Pairing Constrained Wireless Devices Based on Secrecy of Auxiliary Channels:The Case of Acoustic Eavesdropping.Tzipora Halevi,Nitesh Saxena10.PinDr0p:Using Single-Ended Audio Features to Determine Call Provenance.Vijay A.Balasubramaniyan,Aamir Poonawalla,Mustaque Ahamad,Michael T.Hunter,Patrick Traynor11.Building Efficient Fully Collusion-Resilient Traitor Tracing and Revocation Schemes.Sanjam Garg,Abishek Kumarasubramanian,Amit Sahai,Brent Waters12.Algebraic Pseudorandom Functions with Improved Efficiency from the Augmented Cascade.Dan Boneh,Hart Montgomery,Ananth Raghunathan13.Practical Leakage-Resilient Pseudorandom Generators.Yu Yu,Francois-Xavier Standaert,Olivier Pereira,Moti Yung14.Practical Leakage-Resilient Identity-Based Encryption from Simple Assumptions.Sherman S.M.Chow,Yevgeniy Dodis,Yannis Rouselakis,Brent Waters15.Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords.Matt Weir,Sudhir Aggarwal,Michael Collins,Henry Stern16.The Security of Modern Password Expiration:An Algorithmic Framework and Empirical Analysis.Yinqian Zhang,Fabian Monrose,Michael K.Reiter17.Attacks and Design of Image Recognition CAPTCHAs.Bin Zhu,JeffYan,Chao Yang,Qiujie Li,Jiu Liu,Ning Xu,Meng Yi18.Robusta:Taming the Native Beast of the JVM.Joseph Siefers,Gang Tan,Greg Morrisett19.Retaining Sandbox Containment Despite Bugs in Privileged Memory-Safe Code.Justin Cappos,Armon Dadgar,JeffRasley,Justin Samuel,Ivan Beschastnikh,Cosmin Barsan,Arvind Krishnamurthy,Thomas Anderson20.A Control Point for Reducing Root Abuse of File-System Privileges.Glenn Wurster,Paul C.van Oorschot21.Modeling Attacks on Physical Unclonable Functions.Ulrich Ruehrmair,Frank Sehnke,Jan Soelter,Gideon Dror,Srinivas Devadas,Juergen Schmidhuber22.Dismantling SecureMemory,CryptoMemory and CryptoRF.Flavio D.Garcia,Peter van Rossum,Roel Verdult,Ronny Wichers Schreur23.Attacking and Fixing PKCS#11Security Tokens.Matteo Bortolozzo,Matteo Centenaro,Riccardo Focardi,Graham Steel24.An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications.Dongseok Jang,Ranjit Jhala,Sorin Lerner,Hovav Shacham25.DIFC Programs by Automatic Instrumentation.William Harris,Somesh Jha,Thomas Reps26.Predictive Black-box Mitigation of Timing Channels.Aslan Askarov,Danfeng Zhang,Andrew Myers27.In Search of an Anonymous and Secure Lookup:Attacks on Structured Peer-to-peer Anonymous Communication Systems.Qiyan Wang,Prateek Mittal,Nikita Borisov28.Recruiting New Tor Relays with BRAIDS.Rob Jansen,Nicholas Hopper,Yongdae Kim29.An Improved Algorithm for Tor Circuit Scheduling.Can Tang,Ian Goldberg30.Dissent:Accountable Anonymous Group Messaging.Henry Corrigan-Gibbs,Bryan Ford31.Abstraction by Set-Membership—Verifying Security Protocols and Web Services with Databases.Sebastian Moedersheim。

NIST P-256椭圆曲线算法是一种广泛应用的密码学算法，其数学基础是椭圆曲线密码学。

椭圆曲线密码学基于椭圆曲线离散对数问题，该问题在数学上被证明是难以解决的。

在P-256中，使用的是一条特定的椭圆曲线，其定义方程为y^2 = x^3 - 3x + b mod p，其中p是一个大素数，通常为2^256-2^224+2^192+2^96-1，b是一个常数，具体的值通过NIST标准规定。

椭圆曲线密码学的安全性基于解决椭圆曲线离散对数问题的困难性。

在P-256中，曲线上的点对应于公钥，而曲线的基点和系数则决定了椭圆曲线的具体形状。

为了提高计算效率，曲线上点的数量通常被设置为n*h，其中n是一个大素数，h通常设置为1、2或4。

此外，P-256还采用了有限域的概念。

有限域是数学中的一个概念，它是一个只能包含有限个元素的集合。

在P-256中，曲线上的点都是有限域中的元素，因此，有限域大小决定了曲线安全度。

第三部分“256”就是有限域大小的表现形式。

因此，NIST P-256椭圆曲线算法是基于数学上难以解决的椭圆曲线离散对数问题，通过特定的参数和有限域的概念来实现的密码学算法。

它广泛应用于数字签名、密钥交换和加密等安全领域。

ECC椭圆曲线加密算法—加解密（SageMath实现）简介ECC椭圆曲线加密，它的安全性基于椭圆曲线上的离散对数问题。

⽐特币和⽬前的⼆代居民⾝份证都采⽤了ECC作为加密算法。

ECC椭圆曲线函数为：y2=x3+ax+b (mod p)ECC算法如下：椭圆曲线Ep(a,b)（p为模数），基点（⽣成元）G(x,y)，G点的阶数n，私钥k，公钥K(x,y)，随机整数r，明⽂为⼀点m(x,y)，密⽂为两点c1(x,y)和c2(x,y)（其中基点G，明⽂m，密⽂c1、c2都是椭圆曲线E上的点）选择私钥k（k<n）得到公钥K = k*G选择随机整数r（r<n）加密：c1 = m+r*Kc2 = r*G解密：m = c1-k*c2（= c1-r*K)SageMath可以直接计算椭圆曲线加法和椭圆曲线乘法。

椭圆曲线运算（SageMath）：点u(x,y)，整数a，点v(x,y)，点w(x,y)a_inv = inverse_mod(a,p) #a_inv是a关于模p的乘法逆元a_invv = a*uu = v*a_invw = u+v加解密脚本SageMath加密脚本：'''加密椭圆曲线选取时，模数p应是⼀个⼤质数常⽤的有⼏个公开的椭圆曲线，如Secp256k1、Secp256r1等'''p = 115792089210356248762697446949407573530086143415290314195533631308867097853951a = 115792089210356248762697446949407573530086143415290314195533631308867097853948b = 41058363725152142129326129780047268409114441015993725554835256314039467401291E = EllipticCurve(GF(p),[a,b]) #建⽴椭圆曲线EG = E(101981543389703054444906888236965100227902100585263327233246492901054535785571,105947302391877180514060433855403037184838385483621546199124860815209826713886) #选择⼀点作为⽣成元n = G.order() #G的阶数k = 78772200542717449282831156601030024198219944170436309154595818823706214492400K = k*Gr = 3546765m = E(80764032034929976879602863302323059647882062252124869895215418422992624743795,4964654783828069942602279691168356721024126126864424301508238062949726916347) #取E上⼀点m作为明⽂c1 = m+r*Kc2 = r*Gprint(c1)print(c2)SageMath解密脚本：'''解密'''p = 115792089210356248762697446949407573530086143415290314195533631308867097853951a = 115792089210356248762697446949407573530086143415290314195533631308867097853948b = 41058363725152142129326129780047268409114441015993725554835256314039467401291k = 78772200542717449282831156601030024198219944170436309154595818823706214492400E = EllipticCurve(GF(p),[a,b]) #建⽴椭圆曲线Ec1 = E(55527726590533087179712343802771216661752045890626636388680526348340802301667,99976146729305231192119179111453136971828647307627310904093286590128902629941)c2 = E(85460365972589567444123006081329559170090723413178386022601904195400422637884,58249081362527056631776731740177334121295518073095154119886890634279528757192)m = c1-k*c2print(m)其他使⽤Crypto.PublicKey.ECC⽣成ECC密钥：from Crypto.PublicKey import ECC#⽣成ECC密钥key = ECC.generate(curve='NIST P-256') #使⽤椭圆曲线NIST P-256#输出密钥（包括私钥k，基点G）print(key)#公钥（point_x，point_y是基点G的坐标）print(key.public_key())#椭圆曲线print(key.curve)#私钥kprint(key.d)#导出为pem密钥⽂件print(key.export_key(format='PEM'))#导⼊密钥⽂件key = ECC.import_key(f.read())通过fastecdsa.Curve可以查到公开椭圆曲线的参数import fastecdsa.curve as curve#P-384的acurve.P384.a#P-384的bcurve.P384.bProcessing math: 100%#P-384的pcurve.P384.p⼏种公开椭圆曲线参数：#NIST P-256（Secp256r1）#p = 2^224(2^32 − 1) + 2^192 + 2^96 − 1p = 115792089210356248762697446949407573530086143415290314195533631308867097853951a = 115792089210356248762697446949407573530086143415290314195533631308867097853948b = 41058363725152142129326129780047268409114441015993725554835256314039467401291#Secp256k1（⽐特币使⽤）#p = 2^256 − 2^32 − 2^9 − 2^8 − 2^7 − 2^6 − 2^4 − 1 = 2^256 – 2^32 – 977p = 115792089237316195423570985008687907853269984665640564039457584007908834671663a = 0b = 7#NIST P-384#p = 2^384 – 2^128 – 2^96 + 2^32 – 1p = 39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112319a = -3b = 27580193559959705877849011840389048093056905856361568521428707301988689241309860865136260764883745107765439761230575#NIST P-521p = 6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151a = -3b = 1093849038073734274511112390766805569936207598951683748994586394495953116150735016013708737573759623248592132296706313309438452531591012912142327488478985984 SageMath取椭圆曲线上随机⼀点：E = EllipticCurve(GF(p),[a,b])E.random_point() #取椭圆曲线E上随机⼀点sagemath计算椭圆曲线上的离散对数问题（数据量不能太⼤）a = 1234577b = 3213242p = 7654319E = EllipticCurve(GF(p),[a,b])G = E(5234568, 2287747) #⽣成元#k = 1584718K = E(2366653, 1424308) #公钥#求解私钥，⾃动选择bsgs或Pohlig Hellman算法discrete_log(K,G,operation='+')#求解私钥，Pollard rho算法discrete_log_rho(K,G,operation='+')#求解私钥，Pollard Lambda算法，能够确定所求值在某⼀⼩范围时效率较⾼discrete_log_lambda(K,G,(1500000,2000000),operation='+')使⽤openssl查看ECC的pem密钥⽂件信息#查看ECC私钥信息openssl ec -in p384-key.pem -text -noout#查看ECC公钥信息openssl ec -pubin -in public.pem -text -noout。

ANOTHER LOOK AT HMQVALFRED MENEZESAbstract.The HMQV protocols are‘hashed variants’of the MQV key agree-ment protocols.They were recently introduced by Krawczyk,who claimed thatthe HMQV protocols have very significant advantages over their MQV coun-terparts:(i)security proofs under reasonable assumptions in the(extended)Canetti-Krawczyk model for key exchange;and(ii)superior performance insome situations.In this paper we demonstrate that the HMQV protocols are insecure by presenting realistic attacks in the Canetti-Krawczyk model that recover a vic-tim’s static private key.We propose HMQV-1,patched versions of the HMQVprotocols that resists our attacks(but do not have any performance advantagesover MQV).We also identify some fallacies in the security proofs for HMQV,critique the security model,and raise some questions about the assurancesthat proofs in this model can provide.1.IntroductionThe MQV protocols[27]are a family of efficient Diffie-Hellman authenticated protocols that have been widely standardized[2,3,18,19,36].The two-pass proto-col in this family(which is what the term“the MQV protocol”sometimes refers to) provides implicit key authentication.A three-pass variant adds key confirmation, thus providing explicit key authentication,while a one-pass variant is useful for ap-plications such as email where only the sender may be online.The protocols were designed to meet a variety of security goals even in the presence of active attacks.The security of the MQV protocols has been intensively studied since1995. However,until recently there was no attempt to‘prove’that the protocols actually meet their security objectives.In a recent paper(see[25]and the expanded version [26]),Krawczyk undertook the ambitious task of trying to prove the security of the MQV protocols in the Canetti-Krawczyk model for key exchange[13,14,15].This model provides a formal security definition by carefully specifying the capabilities and goals of an attacker.Krawczyk’s analysis of MQV[25,26]resulted in his concluding that“...MQV falls to a variety of attacks in[the Canetti-Krawczyk]model that invalidate its basic security as well as many of its stated security goals”and“...raises clear concerns about the security of the protocol...”He then proceeded to modify the MQV protocols to produce HMQV,a‘hashed variant’that“...provides the same superb performance and functionality of the original protocol but for which all the MQV security goals can be formally proved to hold in the random oracle model under the computational Diffie-Hellman assumption.”Date:June27,2005;updated on Jul1,5,6,Aug8,and Nov2,2005.12ALFRED MENEZESThe HMQV protocols are no less efficient than their MQV counterparts because the additional hashing performed takes negligible time compared to the group ex-ponentiations.In fact,the HMQV protocols are significantly faster in some cases because they dispense with the potentially expensive public-key validations that are mandated in MQV.An important result stated in[25,26]is that this performance improvement of HMQV is proven not to affect security in any way.We show in§2of this paper that the omission of public-key validation in the HMQV protocols is a fatal security weakness.We accomplish this by presenting small-subgroup attacks that let an attacker recover a victim’s static private key.Our attacks on the HMQV protocols are more realistic and have much more damaging consequences than any of the proposed attacks on MQV in[25,26].Our attacks can be circumvented by requiring that all public keys be validated,leading to new variants of the HMQV protocols that we call Patched HMQV(HMQV-1).As a consequence of reinstating public-key validation,the HMQV-1protocols no longer have any performance advantages over their MQV counterparts.We also present an unknown-key share attack on the one-pass HMQV-1protocol which demonstrates a deficiency in the binding between the identities of the communicating parties and the key derivation.In§3we identify someflaws in the security proofs given in[26].We critique some aspects of the Canetti-Krawczyk model,and discuss the difficulty of obtaining security reductions in this model that are meaningful in practice.In§4the purported attacks on MQV that were listed in[25,26]are analyzed and critiqued.The paper concludes with some remarks in§5.2.The HMQV key agreement protocolsLet G be a multiplicatively-written abelian group of order N,and let G= g be a subgroup of G of prime order q.We call G the main group and G the supergroup.The integer h=N/q is called the cofactor.We assume that gcd(h,q)=1,from which it follows that G is the unique subgroup of G having order q.The fundamental security requirement that determines the suitability of a group for implementing Diffie-Hellman key agreement protocols is that the discrete logarithm problem(DLP)in G should be intractable.Groups arising fromfinite fields and from elliptic curves are the only ones presently in widespread use.Infinitefield systems,G is the multiplicative group Z∗p of a primefield Z p and G is the subgroup of order q for some prime divisor q of p−1.As in DSA,the primes p and q are usually chosen so that the bitlength of q is considerably smaller than that of p.This is because the DLP in Z∗p can be solved using index-calculus methods whose running times are subexponential in p,whereas the best algorithms known for solving the DLP directly in G have running time O(√q).If p and q are selected in this way,then the cofactor h is much larger than q.For example,to achieve an80-bit security level1against discrete logarithm attacks,one might take the bitlengths of p and q to be1024and160,respectively;in this case the cofactor h has bitlength about864.1A k-bit security level means that an attacker is expected to expend at least2k effort before it can solve a computational problem or defeat the security objectives of a protocol.ANOTHER LOOK AT HMQV3 In elliptic curve systems,G is the group of points E(L)on an elliptic curve E defined over afinitefield L,and G is a subgroup of E(L)of prime order q.2Elliptic curves of(almost)prime order can be easily found,so in practice the cofactor h is very small.For example,the15NIST-recommended elliptic curves[17]have h=1,2or4.2.1.Protocol descriptions.The least non-negative residue of an integer x mod-ulo t is denoted by x t.The following notation is from[26]and will be used throughout this paper.ˆA,ˆB Identities of two communicating parties.a,b Static private keys ofˆA andˆB;a,b∈R[1,q−1].A,B Static public keys ofˆA andˆB;A=g a,B=g b.x,y Ephemeral private keys ofˆA andˆB;x,y∈R[1,q−1].X,Y Ephemeral public keys ofˆA andˆB;X=g x,Y=g y.H A hash function.H An l-bit hash function,where l=( log2q +1)/2.MAC Message authentication code algorithm.K m MAC key.K Session key.The identitiesˆA andˆB may also include certificates for their respective static public keys.2.1.1.Description of two-pass HMQV.The parties exchange their identifiers and ephemeral public keys.That is,ˆA sends(ˆA,ˆB,X)toˆB,whileˆB sends(ˆB,ˆA,Y) toˆA.ThenˆA checks3that Y=0and computes the shared secret(1)σˆA=(Y B e)x+da,whileˆB checks that X=0and computes(2)σˆB=(XA d)y+eb,where(3)d=H(X,ˆB)and e=H(Y,ˆA).Notice thatσˆA=σˆB=g(x+da)(y+eb),and so both parties can compute the session key K=H(σˆA)=H(σˆB).2.1.2.Description of three-pass HMQV.Three-pass HMQV adds key confirmation to the two-pass HMQV protocol.After receiving(ˆA,ˆB,X)from the initiatorˆA, the responderˆB checks that X=0,computesσˆB,K m=H(σˆB,0),K=H(σˆB,1),(“1”))toˆA.Upon receipt of this message,ˆA checks and sends(ˆB,ˆA,Y,MAC Kmthat Y=0,computesσˆA,K m=H(σˆA,0),K=H(σˆB,1).ˆA verifies the MAC tag(“0”)toˆB.Finally,ˆB verifies the latter MAC tag. received,and sends MAC Km2The elliptic curve group law is usually written additively,but in this paper we shall use multiplicative notation for the sake of consistency.3If G is the multiplicative group of afinitefield,then the element0in checks such as“Y=0”refers to the zero element of thefinitefield.However,since the HMQV protocols are described for generic cyclic groups G ,such checks are not well defined since it is not clear what is meant by the element“0”.4ALFRED MENEZES2.1.3.Description of one-pass HMQV.In one-pass key agreement protocols,only the sender can contribute an ephemeral public key.In one-pass HMQV,the sender ˆA transmits the single message(ˆA,ˆB,X)toˆB.Let d=H(X,ˆA,ˆB).The sessionkey computed byˆA is K=H(B x+da),whileˆB computes the same key(after checking that X=0)as K=H((XA d)b).2.2.The insecurity of HMQV.We present‘small-subgroup attacks’on all three versions of HMQV described in§2.1.The adversary’s actions in all these attacks are legitimate in that they are allowable within the Canetti-Krawczyk security model (cf.§3.1).The attacks have the most damaging consequences possible since the attacker is able to learn the victim’s static private key.Our attacks exploit the omission in the HMQV protocols of public-key validation of static and ephemeral public keys.That is,the receiver of an element X does not take any steps to verify that X is indeed an element of order q in the main group G–the only required check is X=0.Also,a certification authority who issues a certificate to partyˆA for its static public key A does not take any steps to verify that A is an element of order q in G.These omissions are by design rather than by accident.They are desirable because the parties and certification authority do not have to perform costly exponentiations by q to verify that a supergroup element is also in G,and also because some certification authorities may not be configured to do such tests[26].In[26]proofs are claimed that all three versions of HMQV are secure without these checks.Our attacks demonstrate that the security proofs must be fallacious.Some errors in the proofs will be identified in§3.2.2.2.1.Attack on one-pass HMQV.The attackerˆA,who wishes to learnˆB’s static private key,selects an elementγ∈G of order t for some small prime divisor t=q of N.(Recall that N is the order of the supergroup G .)Here by‘small’we mean thatˆA can feasibly perform t group operations and hash function evaluations.The attacker selects a∈[1,t−1],and obtains a certificate for her static public key A=γa.She then selects x∈[1,t−1],computes X=γx,and sends(ˆA,ˆB,X) toˆB.Upon receipt,ˆB verifies that X=0and computes the session key K= H((XA d)b)=H((γx+da)b)where d=H(X,ˆA,ˆB).Next,ˆA learns K by issuing a session-key query4and computesβ=γx+da.ˆA then computes K =H(βc)for c=0,1,2,...,t−1until K =K.When the latter condition is met,ˆA knows that c= b t.After repeating this procedure for several different primes t,the value b can be easily determined by the Chinese Remainder Theorem.2.2.2.Feasibility of the attack.Wefirst note that session-key queries are allowable in the Canetti-Krawczyk model.However,in practiceˆA may not even have to issue a session-key query.For example,ifˆB were to subsequently sendˆA an authenticated message(m,T=MAC K(m)),thenˆA could determine b t by iteratively computing K =H(βc)and T =MAC K (m)for c=0,1,2,...until T =T.As before,ˆA then deduces that c= b t.Is it reasonable to expect that N/q has several small prime factors?In the case of DSA-like parameters,the cofactor h=(p−1)/q is large and thus one can expect it to have several small prime factors if p and q were randomly generated.However, 4A well-designed key agreement protocol should achieve its security goals even if an attacker is able to learn some session keys.This is because a key agreement protocol cannot guarantee that session keys won’t be subsequently used in insecure applications(e.g.,to encrypt messages with a weak symmetric-key encryption scheme).ANOTHER LOOK AT HMQV5 if it happens that(p−1)/q does not have several small prime factors,the extremecase occurring when(p−1)/q is twice a prime,then the attack cannot be mounted.In the case of elliptic curve groups,we have noted that the cofactor h is verysmall,and sometimes h=1,so the attack as described above will generally fail.However,ˆA has the option of mounting an invalid-curve attack[4]which we describenext.Suppose that G =E(L)where E is an elliptic curve defined over afinitefield L.The attacker selects an elliptic curve E defined over L whose Weierstrassequation y2+a1xy+a3y=x3+a2x2+a4x+a6differs from E’s only in the coefficienta6,and such that the order of E (L)contains a prime factor t of the desired size.Then,as observed by Biehl,Meyer and M¨u ller[9],the usual formulas for addingpoints in E(L)do not involve a6and thus are identical to the formulas for addingpoints in E (L).IfˆA selects order-t points X,A∈E (L)andˆB does not checkwhether X,A∈E(L),thenˆB will successfully compute(XA d)b∈E (L)and the attack can proceed as before.Unlike in the case of DSA-like groups,the invalid-curve attack with elliptic curves is certain to succeed since there is an abundanceof elliptic curves over L with group orders divisible by small primes.We note that E (L)is not a supergroup of the main group of E(L).One couldperhaps argue that the HMQV specification implicitly required a recipient of anelement X to check that it belongs to the supergroup E(L),thus thwarting theattack.However,we maintain that it is reasonable to suppose that this check isnot likely to be performed since points in E (L)are represented in the same wayas points in E(L),5and since the HMQV specification[26]explicitly states that nochecks are required other than X=0.2.2.3.Attack on two-pass HMQV.As in the attack on one-pass HMQV,the at-tackerˆA selects an elementγ∈G of order t,selects a static public key A=γa,and sends an ephemeral public key X=γx toˆB.WhileˆB is computing the ses-sion key,ˆA issues a state-reveal query6and learnsˆB’s ephemeral private key y.AfterˆB has computedβ=XA d and the session key K=H(βy+eb),ˆA learnsK via a session-key query.NowˆA can obtain c= b t by iteratively computingK =H(βy+ec)for c=0,1,2,...until K =K.This attack is not as realistic as the attack on one-pass HMQV since a state-reveal query is required.Nonetheless,it is relevant to our analysis of the claims in[26],which include the author’s claim to have proven resistance of two-pass HMQVto damage from leakage of ephemeral private keys.7ttice attack on two-pass HMQV.The attack in§2.2.3assumes thatˆBdoes not reduce the exponent y+eb prior to computingβy+eb.This assumption isreasonable because the HMQV specification does not require y+eb to be reduced.Moreover,it is not at all clear howˆB should reduce y+eb because the order ofβisunknown toˆB(since X and A are not validated as belonging to the main group G5For example,if L=F2m,then a point in E(L)or E (L)is represented by a pair of bitstringsof length m.6State-reveal queries capture the possibility of an attacker learning some secret information such as ephemeral private keys that are specific to a particular session.Such queries do not reveal static private keys.7In[25,26],the author points out that resistance of Diffie-Hellman protocols to damage from the disclosure of ephemeral private keys is‘a prime security concern’.This is because many applications can be expected to precompute ephemeral pairs(x,X)and(y,Y)in order to improve performance,and these stored pairs become more vulnerable to disclosure.6ALFRED MENEZESof order q ).Nonetheless,one can expect that ˆB will reduce the exponent y +eb in order to accelerate the computation of βy +eb .So,let us suppose that ˆBcomputes βs where s = y +eb q .Then the following small-subgroup attack can be mounted.The attacker ˆA selects A =γa and X =γx ,where γ∈G has order t =2r for some small r (e.g.,r =6).ˆA then learns y and K =H (βs )through state-reveal and session-key queries,respectively.Now,ˆAcan determine s t by exhaustive search,thereby obtaining the r least significant bits of s .After repeating this procedure a few times (e.g.,30times),ˆAcan use the lattice attack of Leadbitter and Smart 8[28](see also [30])to find the f/2most significant bits of b ;here f is the bitlength of q .The remaining f/2bits of b can then be found in O (q 1/4)steps using Pollard’s lambda method [33].2.2.5.Attacks on three-pass HMQV.The attacks on three-pass HMQV are similar to the ones on two-pass HMQV in §2.2.3and §2.2.4except that a session-key query is not needed.This is because ˆA learns MAC K m(“1”)from ˆB ’s response,and can use this tag to recognize a correct guess for b t or s t .2.3.Patched HMQV (HMQV-1).Our small-subgroup attacks on the HMQV protocols are thwarted if public keys are validated as mandated in MQV [27].That is,the certification authority should verify that a party’s static public key A is indeed an element of order q in the main group G before issuing a certificate.Similarly,the recipient of an ephemeral public key X should verify that X is an element of order q in G before proceeding with the next step of the protocol.If the cofactor h is small,as is the case with elliptic curve groups,the com-putational cost of ephemeral public-key validation can be reduced significantly by requiring only that the recipient ˆB of X verify that X ∈G and that σh ˆB =1before computing the session key H (σh ˆB ).9This process is called ‘embedded’public-key validation in [27].2.4.Unknown-key share attack on one-pass HMQV-1.In an unknown-key share (UKS)attack,first formulated by Diffie,van Oorschot and Wiener [16],an adversary interferes with ˆA ’s and ˆB ’s communications.The result is that ˆA and ˆB still compute the same session key.However,even though ˆA correctly believes the key is shared with ˆB ,ˆB mistakenly believes that the key is shared with a third party ˆC∈{ˆA,ˆB }.One-pass HMQV-1succumbs to the following online UKS attack;such attacks were first mounted by Kaliski on the two-pass MQV protocol [21].Party ˆA trans-mits the message (ˆA,ˆB,X )and computes the session key K =H (B x +da ).The mes-sage is intercepted by the adversary ˆC ,who selects an arbitrary integer u ∈[1,q −1]and computes X =XA d g −u ,d =H (X ,ˆC,ˆB ),and C =g u (d )−1mod q .ˆC reg-isters C as her static public key (with c =u (d )−1mod q being the corresponding static private key),and then transmits (ˆC,ˆB,X )to ˆB .Note that X and C are valid public keys.Party ˆBthen computes the shared secret (X C d )b =(XA d g −u (g u (d )−1)d )b =(XA d g −u g u )b =(XA d )b =B x +da .8The Leadbitter-Smart lattice attack does not require complete knowledge of y ;it only needs the r least significant bits of y .9Thus,contrary to what is stated in [26],it is not the case that ephemeral public-key validation is always as costly as a full exponentiation in G .ANOTHER LOOK AT HMQV7 ThusˆB computes the same session key K asˆA,even thoughˆB believes that the key is shared withˆC.A similar UKS attack can also be mounted on the variant of one-pass HMQV-1suggested in[26,Remark9.2]wherebyˆA andˆB compute the shared secret as (BB e)x+da and(XA d)b+eb respectively,where d=H(X,ˆA,ˆB)and e=H(B,ˆB,ˆA). To mount the attack,the adversaryˆC interceptsˆA’s message(ˆA,ˆB,X)and re-places it with(ˆC,ˆB,X )where X =(XA d g−u)(1+e)(1+e )−1,e =H(B,ˆB,ˆC), d =H(X ,ˆC,ˆB),and C=g u(d )−1(1+e)(1+e )−1.Once again,ˆA andˆB compute the same session key even thoughˆB believes that the key is shared withˆC.These UKS attacks illustrate the unsuitability of one-pass HMQV-1for use as an authenticated CCA encryption scheme or as a verifier-specific signature scheme as described in[26].The UKS attacks are thwarted if the identifiersˆA andˆB are included in the key derivation function,i.e.,K=H(σ,ˆA,ˆB).3.Critique of the formal analysis in[26]Formal analysis of a cryptographic protocol entails the following steps.(i)(security model)Providing a clear specification of the capabilities of anadversary and how it interacts with honest parties.(ii)(security definition)Providing a clear description of the goals of the adver-sary.(iii)(security proof)Proving that the only way an adversary can meet its goals is by solving a computational problem that is widely believed to be in-tractable.The proof in step(iii)typically takes the form of a reduction,whereby one shows how a(hypothetical)adversary who succeeds in its task can be used to solve the hard computational problem with little additional effort.10The declaration that a cryptographic protocol is‘provably secure’should always be met with a healthy dose of skepticism.First,one should verify that the security model and definition are the‘right’ones,i.e.,they accurately capture the capabil-ities of attackers that one could expect in the environments in which the protocol will eventually be deployed.Second,the proof should be checked for correctness. This step is notoriously difficult since the proofs are typically long,complicated, and often poorly written.History has shown that subtleflaws may take years to be discovered.Indeed,Stern[37]has proposed adding a validation step to any security proof:Also,the fact that proofs themselves need time to be validatedthrough public discussion was somehow overlooked.Finally,one should carefully consider what the proof actually means,i.e.,what assurances are actually provided when the protocol is deployed.This step involves examining the reasonableness of the stated assumptions,and performing a concrete security analysis.The next paragraph elaborates on this last point.About ten years ago,Bellare and Rogaway(see[5])developed the notion of “practice-oriented provable security”.As a result of their work there was a greater awareness of the need to quantify the aforementioned‘additional effort’expended in a security reduction.The measure of this additional effort,obtained through a 10The effort includes the number of times the adversary is invoked;here we are thinking of the adversary as a computer program.8ALFRED MENEZESconcrete(non-asymptotic)security analysis,could then be used to provide concrete recommendations about keylengths.If the additional effort is relatively small,then the reduction is said to be tight and the security of the protocol is closely linked to the hardness of the related computational problem.For example,if there is a tight reduction from the DLP in a group G to the breaking of a protocol,then the protocol attains an80-bit security level if the parameters for G are selected so that the best algorithms known for solving the DLP in G take about280operations. On the other hand,a non-tight reduction only assures us that the protocol has an80-bit security level if the parameters for G are selected so that the best DLP solvers require significantly more than280operations.The latter assurance can be achieved only by using significantly larger group parameters,a direct consequence of which is slower performance.In the remainder of this section we provide a critique of various aspects of the HMQV security proofs given in[26].3.1.Security model and definition.In a series of papers,Canetti and Krawczyk [13,14,15]carefully developed security models and definitions for key establish-ment.Their model corrected shortcomings in previous attempts(e.g.,[8,10,6,35]), and at present is widely accepted as being the‘right’one.In the Canetti-Krawczyk model,the attacker controls all communications be-tween honest parties.Through‘corrupt’,‘session-key’and‘state-reveal’queries, she is even able to learn the static private keys of some parties,learn session keys, and learn certain secret information that is associated with a particular session.Her goal is to learn something about a session key that she cannot deduce by trivial means(e.g.through a session-key query).The thesis is that the Canetti-Krawczyk model captures all realistic attacks in an open network such as the Internet.However,one should be careful not to be lulled into a false sense of security since there may be desirable security attributes which are not adequately addressed by the model.As an example,consider the case of key-compromise impersonation(KCI)at-tacks.In these attacks,first studied by Just and Vaudenay[20],the adversary learns a partyˆA’s static private key and then tries to impersonate another honest partyˆB toˆA.Resistance to KCI attacks is important in situations where an at-tacker wishes to obtain some information possessed byˆA,who is only willing to divulge this information toˆB(and where the attacker is not able to obtainˆB’s static private key).The Canetti-Krawczyk model did not cover resistance to KCI attacks,and hence protocols proved secure in the model have to be examined on a case-by-case basis for KCI resistance.For example,the ISO[13]and SIGMA[24] protocols would appear to resist KCI attacks,while the Boyd-Mao-Paterson[11] protocol does not.This deficiency in the Canetti-Krawczyk model has apparently been addressed by Krawczyk[26].Another deficiency of the Canetti-Krawczyk model is that it does not account for the security of a session for which a state-reveal query has been issued—only the security of other sessions is considered.This deficiency was recognized in[26] where the security of HMQV session keys that were derived using compromised ephemeral private keys is analyzed.One should also be aware that the Canetti-Krawczyk model does not account for most kinds of secret-information leakage,e.g.,partial information about the static private key that may be obtainable through side-channel attacks that analyze powerANOTHER LOOK AT HMQV9 consumption[23]or electromagnetic radiation[1].An example of an attack on MQV (and HMQV-1)that is not considered in the Canetti-Krawczyk model is the side-channel attack of Leadbitter and Smart[28](cf.§2.2.4)whereby a static private key b can be deduced from the least significant bits of some ephemeral private keys y and the least significant bits of the associated secret values s= y+eb q.Krawczyk[26]states that the potentially expensive procedure of ephemeral public-key validation can be omitted if one is certain that private keys y are never revealed.However,as observed in§2.2.4,a small-subgroup attack that recovers the static private key b can be launched on two-pass and three-pass HMQV if the attacker can learn a small number of the least significant bits of each ephemeral secret y.Hence,omitting public-key validation makes two-pass and three-pass HMQV more vulnerable to side-channel attacks since an attacker only needs to obtain the least significant bits of y through a side channel.(The least significant bits of the associated secret values s do not have to be gathered using a side chan-nel,but instead can be deduced using the method described in§2.2.4.)Thus the performance improvement that can be achieved by omitting public-key validation does not seem justifiable,especially in the case of elliptic curve groups where the cost of embedded public-key validation is negligible(cf.§2.3).It is interesting that our conclusion about the performance-security trade-offfor public-key validation in two-pass and three-pass HMQV,which is based on concrete cryptanalysis and other practical considerations,is different from the conclusion derived from the proof-driven design methodology of[26].The state-reveal query is indeed useful for modeling some realistic scenarios such as the loss of ephemeral private keys.However,in the Canetti-Krawczyk model each item that is the result of some intermediate calculation involving secret data must be specified as either being in highly secure memory(whose contents are only accessible via a corrupt query),or belonging to less-secure memory(whose contents are accessible via either a state-reveal query or a corrupt query).This distinction is potentially misleading because implementors may be lulled by a provable security result into thinking that there is no possible risk in performing certain calculations in less-secure memory,and this may increase their exposure to side-channel and other attacks.3.2.The proofs.The HMQV security proof in[26]has two steps.First,an‘ex-ponential challenge-response’signature scheme XCR is defined and proven secure under the computational Diffie-Hellman(CDH)assumption.Second,the security of XCR(actually a‘dual’version of XCR)is proven to imply the security of HMQV. The reduction in thefirst step is relatively straightforward,but the second reduction is extremely long and complicated.In the XCR scheme,a verifierˆA selects x∈R[0,q−1]and sends the challenge X=g x and a message m to the signerˆB.ˆB responds by selecting y∈R[0,q−1] and sending the signature(Y=g y,σ=X y+eb)toˆA where e=H(Y,m)and(B,b) isˆB’s static key pair.The signature is accepted byˆA provided that Y=0and σ=(Y B e)x.XCR signatures are different from ordinary digital signatures.In particular,ˆA cannot convince a third party thatˆB generated a signature(Y,σ)for message m and challenge X becauseˆA could have generated this signature herself.The HCR signature scheme[26]is a slight variant of XCR where the second signature component is hashed;i.e.,ˆB’s HCR signature is(Y,H(σ))instead of (Y,σ).The HCR scheme is proven secure under the Gap Diffie-Hellman(GDH)。

_四45五3六57十4十一34十二47没做“信息安全理论与技术”习题及答案教材：《信息安全概论》段云所，魏仕民，唐礼勇，陈钟，高等教育出版社第一章概述（习题一，p11）1.信息安全的目标是什么？答：信息安全的目标是保护信息的机密性、完整性、抗否认性和可用性；也有观点认为是机密性、完整性和可用性，即CIA(Confidentiality,Integrity,Availability)。

机密性（Confidentiality）是指保证信息不被非授权访问；即使非授权用户得到信息也无法知晓信息内容，因而不能使用完整性（Integrity）是指维护信息的一致性，即信息在生成、传输、存储和使用过程中不应发生人为或非人为的非授权簒改。

抗否认性（Non-repudiation）是指能保障用户无法在事后否认曾经对信息进行的生成、签发、接收等行为，是针对通信各方信息真实同一性的安全要求。

可用性（Availability）是指保障信息资源随时可提供服务的特性。

即授权用户根据需要可以随时访问所需信息。

2.简述信息安全的学科体系。

解：信息安全是一门交叉学科，涉及多方面的理论和应用知识。

除了数学、通信、计算机等自然科学外，还涉及法律、心理学等社会科学。

信息安全研究大致可以分为基础理论研究、应用技术研究、安全管理研究等。

信息安全研究包括密码研究、安全理论研究；应用技术研究包括安全实现技术、安全平台技术研究；安全管理研究包括安全标准、安全策略、安全测评等。

3. 信息安全的理论、技术和应用是什么关系？如何体现？答：信息安全理论为信息安全技术和应用提供理论依据。

信息安全技术是信息安全理论的体现，并为信息安全应用提供技术依据。

信息安全应用是信息安全理论和技术的具体实践。

它们之间的关系通过安全平台和安全管理来体现。

安全理论的研究成果为建设安全平台提供理论依据。

安全技术的研究成果直接为平台安全防护和检测提供技术依据。

平台安全不仅涉及物理安全、网络安全、系统安全、数据安全和边界安全，还包括用户行为的安全，安全管理包括安全标准、安全策略、安全测评等。