if { ($b_{t,x,y} \in$ dynamic region) and ($b_{t,x-u_x,y-u_y} \in$ projected region) }
    $b_{t,x,y}$ is a false motion block
else
    $b_{t,x,y}$ is a true motion block    (3)
If the number of true motion blocks is larger than the number of false motion blocks in a projected region, the region becomes a projected dynamic region. The uncovered region has a smaller number of true motion blocks than of false motion blocks in the projected region.
Finally, moving objects consist of dynamic regions and projected dynamic regions.
Fig. 2 Blocks with non-zero motion vectors in ‘mother and daughter’ sequence
a 3rd frame
b 81st frame
c 180th frame
d 213th frame
Fig. 3 Segmented moving object of ‘mother and daughter’ sequence from proposed segmentation method
a 3rd frame
b 81st frame
c 180th frame
d 213th frame
Experimental results: Experiments were performed on several compressed bit-streams. Figs. 2 and 3 show blocks with non-zero motion vectors and a segmented moving object, respectively, for the ‘mother and daughter’ QCIF sequence, which was compressed by an H.263 encoder with a frame rate of 10 Hz and a target bit-rate of 24 kbit/s. The frame numbers in Figs. 2 and 3 are from the original sequence obtained at a frame rate of 30 Hz. Although motion vectors themselves are not appropriate for moving object segmentation as shown in Fig. 2, the proposed segmentation method is able to detect and track moving objects, as shown in Fig. 3.
Discussion: We have developed a block-based moving object segmentation algorithm for compressed video. Since block-based video coders determine motion vectors based on the coding efficiency, motion vectors may give false motion information. However, the proposed algorithm uses the stochastic behaviour of spatially similar blocks to segment moving objects and the segmentation result is successful.
© IEE 2000
Electronics Letters Online No: 20001279 DOI: 10.1049/el:20001279
Salkmann Ji and HyunWook Park (Department of Electrical Engineering, Korea Advanced Institute of Science and Technology, 373-1 Kusong-dong, Yusong-gu, Taejon 305-701, Korea)
E-mail: [email protected]
29 August 2000
Cryptanalysis of modified authenticated key agreement protocol
Wei-Chi Ku and Sheng-De Wang
Tseng addressed a weakness within and proposed a modification to the key agreement protocol presented by Seo and Sweeney. The authors show that Tseng’s modified protocol is still vulnerable to two simple attacks and describe a new enhancement to the Seo-Sweeney protocol.
Introduction: By using a pre-shared password technique, Seo and Sweeney [1] proposed a simple key agreement protocol which was intended to act as a Diffie-Hellman scheme [2] with user authentication. In the Seo-Sweeney protocol, two parties who have shared a common password can establish a session key by exchanging two messages. The authors also claimed that key validation can be achieved by exchanging two more messages. Later, Tseng [3] addressed a weakness in the key validation steps of the Seo-Sweeney protocol. By replying to the message sent from the honest party, the adversary can fool the honest party into believing a wrong session key. Tseng modified the key validation steps of the Seo-Sweeney protocol and claimed that key validation can be achieved in the modified protocol. In this Letter, we will show that Tseng’s modified protocol is still vulnerable to two simple attacks. Additionally, a new enhancement to the Seo-Sweeney protocol will be described.
Tseng’s modified protocol: As in the original Diffie-Hellman scheme [2], the system possesses two public values n and g, where n is a large prime and g is a generator with order n - 1 in GF(n). Let Alice and Bob denote the two parties who have shared a common password P. The protocol has two phases, the key establishment phase and the key validation phase, and can be described as follows:
Key establishment phase:
(e.1) Alice and Bob each compute two integers $Q$ and $Q^{-1} \bmod (n-1)$ from P, where Q is computed in a predetermined way and is relatively prime to n - 1.
(e.2) Alice selects a random integer a and sends Bob
$X_1 = g^{aQ} \bmod n$
(e.3) Bob also selects a random integer b and sends Alice
$Y_1 = g^{bQ} \bmod n$
(e.4) Alice computes the session key $\mathrm{Key}_1$ as follows:
$Y = Y_1^{Q^{-1}} \bmod n = g^{b} \bmod n$
$\mathrm{Key}_1 = Y^{a} \bmod n = g^{ab} \bmod n$
(e.5) Bob computes the session key $\mathrm{Key}_2$ as follows:
$X = X_1^{Q^{-1}} \bmod n = g^{a} \bmod n$
$\mathrm{Key}_2 = X^{b} \bmod n = g^{ab} \bmod n$
Key validation phase:
(v.1) Alice sends Y to Bob.
(v.2) Bob sends X to Alice.
(v.3) Alice and Bob check whether $X = g^{a} \bmod n$ and $Y = g^{b} \bmod n$ hold or not, respectively.
Backward replay without modification [4]: Upon seeing $X_1$ sent by Alice in step (e.2), the adversary (Eve) can masquerade as Bob to re-send it back to Alice in step (e.3) as $Y_1$. Consequently, Alice will compute
$Y = Y_1^{Q^{-1}} \bmod n = X_1^{Q^{-1}} \bmod n = g^{a} \bmod n$
$\mathrm{Key}_1 = Y^{a} \bmod n = g^{a^2} \bmod n$
and send Y to Bob in step (v.1). Then, Eve can masquerade as Bob to re-send Y back to Alice in step (v.2) as X. Since $Y = g^{a} \bmod n$ holds, Alice will be fooled into believing the wrong session key $\mathrm{Key}_1$. It should be noted that if step (v.1) and step (v.2) are exchanged, the protocol is still vulnerable to the replay attack, in which Eve masquerades as Bob to start another protocol run with Alice by using $X_1$. The message sent by Alice in the first key validation step of the new protocol run can be used by Eve in the second key validation step of the original protocol run.
Again, Alice will be fooled into believing the wrong session key.
Modification attack: Upon seeing $X_1$ sent by Alice in step (e.2), Eve can replace it with any number $\in [1, n-1]$, say $X_1'$. In step (e.3), Bob sends $Y_1$ to Alice, and then Alice sends the corresponding response Y to Bob in step (v.1). In step (v.2), Bob will send $X'$, which equals $(X_1')^{Q^{-1}} \bmod n$, to Alice. Because $X' \neq g^{a} \bmod n$, Alice will not believe $\mathrm{Key}_1$. However, since $Y = g^{b} \bmod n$ holds, Bob will believe the wrong session key $\mathrm{Key}_2'$, which equals $(X_1')^{Q^{-1}b} \bmod n$. Although Eve cannot compute $\mathrm{Key}_2'$, she can still fool Bob into believing this wrong session key. Note that if step (v.1) and step (v.2) are exchanged, the protocol is still vulnerable to the modification attack in the opposite direction, i.e. it is Alice rather than Bob who will be fooled into believing a wrong session key.
Enhanced key validation steps:
(v.1) Alice computes
$Y_2 = (\mathrm{Key}_1)^{Q} \bmod n = g^{abQ} \bmod n$
and then sends $Y_2$ to Bob.
(v.2) Bob checks whether $Y_2^{Q^{-1}} \bmod n = \mathrm{Key}_2$ holds or not. If it holds, Bob believes that he has obtained the correct $X_1$ and Alice has obtained the correct $Y_1$, i.e. Bob is convinced that $\mathrm{Key}_2$ is validated, and then sends X to Alice.
(v.3) Alice checks whether $X = g^{a} \bmod n$ holds or not. If it holds, Alice believes that she has obtained the correct $Y_1$ and Bob has obtained the correct $X_1$, i.e. Alice is convinced that $\mathrm{Key}_1$ is validated.
ELECTRONICS LETTERS 12th October 2000 Vol. 36
Discussions: The weakness of the Seo-Sweeney protocol is due to the same values of the two key validation messages. One problem within Tseng’s modified protocol is that the values of the two key validation messages will be the same once $Y_1 = X_1$. Another problem within Tseng’s modified protocol is that Bob cannot judge the correctness of $X_1$ from the received Y. In the enhanced key validation steps, the first key validation message is directly inherited from the Seo-Sweeney protocol while the second key validation message is adopted from Tseng’s modified protocol. The use of asymmetric messages in the enhanced key validation steps is one of the methods of resisting the attack of backward replay without modification [4]. In addition, the first key validation message, $Y_2$, can alternatively be generated from $Y_2 = (Y_1)^{a} \bmod n$ and verified by checking whether $Y_2 = (X_1)^{b} \bmod n$. This alternative is useful if the protocol is implemented in hardware. As the generation (or verification) of $Y_2$ can be performed in parallel with the session key generation, the computation delay can be reduced.
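The two attacks and the enhanced validation steps described above, simulated as an added example (not code from the Letter). The toy values n = 467, g = 2, Q = 17, a = 5, b = 7 and Eve's choice X1' = X1·g mod n are assumptions, and Q is passed in directly rather than derived from a password.

```python
from math import gcd

N, G = 467, 2  # toy public values (assumed); 2 is a primitive root mod 467

def run(q, a, b, attack=None, enhanced=False):
    """Simulate one run; return (alice_accepts, bob_accepts, key1, key2).

    q stands in for the password-derived Q; a and b are the parties' secrets.
    attack: None, "replay" (Eve echoes Alice's messages, Bob absent) or
    "modify" (Eve replaces X1 on its way to Bob).
    """
    if gcd(q, N - 1) != 1:
        raise ValueError("Q must be relatively prime to n - 1")
    q_inv = pow(q, -1, N - 1)                 # Q^-1 mod (n - 1)
    x1 = pow(G, a * q, N)                     # (e.2) Alice -> Bob
    y1 = pow(G, b * q, N)                     # (e.3) Bob -> Alice
    if attack == "replay":
        y1 = x1                               # Eve returns X1 as Y1
    x1_bob = x1 * G % N if attack == "modify" else x1   # X1' chosen by Eve
    y = pow(y1, q_inv, N)                     # (e.4) Alice
    key1 = pow(y, a, N)
    x = pow(x1_bob, q_inv, N)                 # (e.5) Bob
    key2 = pow(x, b, N)

    if enhanced:
        v1 = pow(key1, q, N)                  # (v.1) Y2 = Key1^Q
        bob_ok = pow(v1, q_inv, N) == key2    # (v.2) Bob: Y2^(Q^-1) = Key2 ?
        v2 = x if bob_ok else None            # Bob replies only if convinced
    else:
        v1 = y                                # (v.1) Tseng: Alice sends Y
        bob_ok = v1 == pow(G, b, N)           # Bob: Y = g^b ?
        v2 = x                                # (v.2) Bob sends X
    if attack == "replay":                    # Bob never took part:
        bob_ok, key2, v2 = False, None, v1    # Eve echoes (v.1) back as (v.2)
    alice_ok = v2 == pow(G, a, N)             # (v.3) Alice: X = g^a ?
    return alice_ok, bob_ok, key1, key2

if __name__ == "__main__":
    for enhanced in (False, True):
        for attack in (None, "replay", "modify"):
            ok_a, ok_b, k1, k2 = run(17, 5, 7, attack, enhanced)
            print(f"enhanced={enhanced!s:5} attack={attack!s:6} "
                  f"alice={ok_a} bob={ok_b} keys_match={k1 == k2}")
```

With Tseng's validation steps the replay run ends with Alice accepting g^(a^2) and the modification run ends with Bob accepting a key Alice does not hold; with the enhanced steps neither party accepts in either attacked run.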
© IEE 2000
Electronics Letters Online No: 20001269 DOI: 10.1049/el:20001269
Wei-Chi Ku and Sheng-De Wang (Department of Electrical Engineering, National Taiwan University, Taipei 106, Taiwan, Republic of China)
E-mail: [email protected]
4 September 2000
References
[1] SEO, D.H., and SWEENEY, P.: ‘Simple authenticated key agreement algorithm’, Electron. Lett., 1999, 35, (13), pp. 1073-1074
[2] DIFFIE, W., and HELLMAN, M.E.: ‘New directions in cryptography’, IEEE Trans., 1976, IT-22, (6), pp. 644-654
[3] TSENG, Y.M.: ‘Weakness in simple authenticated key agreement protocol’, Electron. Lett., 2000, 36, (1), pp. 48-49
[4] GONG, L.: ‘Variations on the themes of message freshness and replay’. Proc. IEEE Computer Security Foundations Workshop VI, June 1993, pp. 131-136
Embedding attacks on step[1..D] clock-controlled generators
W.G. Chambers and D. Gollmann
In a step[1..D] cryptographic generator a selector determines which bits from a primitive shift-register’s output are sent to the final output, the maximum spacing being D. Two attacks are described, one through finding where embeddings are possible, valid for D = 2 and 3, and the other through counting embeddings.
Introduction: A clock-controlled cryptographic sequence generator produces as its final output $\{y_i\}_0^s$ the irregular decimation of a binary sequence $\{x_i\}$ produced by a pseudorandom binary generator A. (For the sake of definiteness we assume that A is a primitive linear feedback shift register (LFSR) of period N). The decimation is controlled by another pseudorandom generator S (the ‘selector’) which in effect gives rise to a strictly increasing series of integers a[i] such that $y_i = x_{a[i]}$ for i = 0, 1, 2, ..., s. We say that the sequence $\{y_i\}_0^s$ can be embedded in $\{x_i\}$ at the location a[0]. If, moreover, we require that $a[i] - a[i-1] \le D$ for some fixed integer D (D > 1) then we call the embedding a step[1..D] embedding. Fig. 1 shows how the sequence {101001100110} of length s + 1 = 12 can be embedded in a ‘target’ sequence of length e + s + 1 = 22. There are e = 10 points skipped (‘skips’) and s + 1 = 12 ‘hits’. Note that the embedding starts and ends with hits.
1 1 0 0 1 0 0 1 0 0 1 0 1 0 1 1 0 1 1 1 0 0
Fig. 1 Embedding of sequence y = (101001100110) of length s + 1 = 12 in target sequence of length e + s + 1 = 22
There are e = 10 points skipped (‘skips’) and s + 1 = 12 hits. The embedding starts and ends with hits. Note that there are several possible embeddings of y into the sequence shown
In an embedding attack we assume that we know a prefix of the final output $\{y_i\}_0^s$ for sufficiently large s, and we wish to find out