Author Search Result

[Author] Hidenori KUWAKADO(31hit)

21-31hit(31hit)

  • Efficient Cryptosystems over Elliptic Curves Based on a Product of Form-Free Primes

    Hidenori KUWAKADO, Kenji KOYAMA
    PAPER
    Vol: E77-A No:8, Page(s): 1309-1318

    This paper proposes RSA-type cryptosystems over the elliptic curves En(0, b) and En(a, 0), where En(a, b): y^2 ≡ x^3 + ax + b (mod n), and n is a product of form-free primes p and q. Although the RSA cryptosystem is not secure against a low exponent attack, RSA-type cryptosystems over elliptic curves seem secure against a low multiplier attack. The KMOV cryptosystem and the Demytko cryptosystem were previously proposed as RSA-type cryptosystems over elliptic curves. The KMOV cryptosystem uses form-restricted primes such that p ≡ q ≡ 2 (mod 3) or p ≡ q ≡ 3 (mod 4), and encrypts/decrypts a 2 log n-bit message over varied elliptic curves by operating on the values of the x and y coordinates. The Demytko cryptosystem, which is an extension of the KMOV cryptosystem, uses form-free primes, and encrypts/decrypts a log n-bit message over fixed elliptic curves by operating only on the value of the x coordinate. Our cryptosystems, which are other extensions of the KMOV cryptosystem, encrypt/decrypt a 2 log n-bit message over varied elliptic curves by operating on the values of the x and y coordinates. The Demytko cryptosystem and our cryptosystems have higher security than the KMOV cryptosystem because form-free primes hide two bits of information about the prime factors. The encryption/decryption speed of one of our cryptosystems is about 1.25 times faster than that of the Demytko cryptosystem.

  • Secure Regenerating Codes Using Linear Regenerating Codes and the All-or-Nothing Transform

    Hidenori KUWAKADO, Masazumi KURIHARA
    PAPER-Information Network
    Publicized: 2016/12/06
    Vol: E100-D No:3, Page(s): 483-495

    This paper proposes secure regenerating codes that are composed of non-secure regenerating codes and a new all-or-nothing transform. Unlike previous analyses of secure regenerating codes, the security of the proposed codes is analyzed in the sense of indistinguishability. The advantage of the proposed codes is that the overhead caused by security against eavesdropping is much less than that of previous secure regenerating codes. The security of the proposed codes against eavesdropping depends mainly on the new all-or-nothing transform.

  • Improvement on the Cheater Identifiable Threshold Scheme

    Hidenori KUWAKADO, Hatsukazu TANAKA
    LETTER
    Vol: E84-A No:4, Page(s): 957-960

    Kurosawa, Obana, and Ogata proposed a (k,n) threshold scheme in which t cheaters can be identified, where t ≤ (k-1)/3. Their scheme is superior to previous schemes with respect to the number of participants needed to identify cheaters and the size of a share. In this paper, we improve the detectability of their scheme. By using erasure decoding and an authentication code, we show that fewer than k/2 cheaters can be identified. Although the size of a share is larger than that of their scheme, it is independent of n.

  • Multilane Hashing Mode Suitable for Parallel Processing

    Hidenori KUWAKADO, Shoichi HIROSE
    PAPER-Information Security
    Vol: E96-A No:12, Page(s): 2434-2442

    A hash function is an important primitive for cryptographic protocols. Since the algorithms of well-known hash functions are essentially serial, it is difficult to take full advantage of recent multi-core processors. This paper proposes a multilane hashing (MLH) mode that achieves both high parallelism and high security. The MLH mode is designed so that its processing speed is almost linear in the number of processors. Since the MLH mode uses an existing hash function as a black box, it is applicable to any hash function. The bound on the indifferentiability of the MLH mode from a random oracle is beyond the birthday bound on the output length of the underlying primitive.

  • An AES Based 256-bit Hash Function for Lightweight Applications: Lesamnta-LW

    Shoichi HIROSE, Kota IDEGUCHI, Hidenori KUWAKADO, Toru OWADA, Bart PRENEEL, Hirotaka YOSHIDA
    PAPER-Hash Function
    Vol: E95-A No:1, Page(s): 89-99

    This paper proposes a new lightweight 256-bit hash function, Lesamnta-LW. The security of Lesamnta-LW is reduced to that of the underlying AES-based block cipher, and it is theoretically analyzed for an important application, namely the key-prefix mode. While most recently proposed lightweight primitives are hardware-oriented with very small footprints, our main target with Lesamnta-LW is to achieve compact and fast hashing for lightweight applications on a wider variety of environments, ranging from inexpensive devices to high-end servers, at the 2^120 security level. As for performance, our primary target CPUs are 8-bit, and it is shown that, for short message hashing, Lesamnta-LW offers better trade-offs between speed and cost on an 8-bit CPU than SHA-256.

  • A Chosen-IV Key Recovery Attack on Py and Pypy

    Takanori ISOBE, Toshihiro OHIGASHI, Hidenori KUWAKADO, Masakatu MORII
    PAPER-Application Information Security
    Vol: E92-D No:1, Page(s): 32-40

    In this paper, we propose an effective key recovery attack on the stream ciphers Py and Pypy with chosen IVs. Our method uses an internal-state correlation based on the vulnerability that the randomization of the internal state in the KSA is inadequate, and it improves two previous attacks proposed by Wu and Preneel (the WP-1 attack and the WP-2 attack). For a 128-bit key and a 128-bit IV, the WP-1 attack can recover the key with 2^23 chosen IVs and time complexity 2^72. First, we improve the WP-1 attack by using the internal-state correlation (called the P-1 attack). For a 128-bit key and a 128-bit IV, the P-1 attack can recover the key with 2^23 chosen IVs and time complexity 2^48, which is 1/2^24 of that of the WP-1 attack. The WP-2 attack is another improvement on the WP-1 attack, and it has been known as the best previous attack against Py and Pypy. For a 128-bit key and a 128-bit IV, the WP-2 attack can recover the key with 2^23 chosen IVs and time complexity 2^24. Second, we improve the WP-2 attack by using the internal-state correlation in the same way as the P-1 attack (called the P-2 attack). For a 128-bit key and a 128-bit IV, the P-2 attack can recover the key with 2^23 chosen IVs and time complexity 2^24, which is the same capability as that of the WP-2 attack. However, when the IV size is from 64 bits to 120 bits, the P-2 attack is more effective than the WP-2 attack. Thus, the P-2 attack is the best known attack against Py and Pypy.

  • New Algorithm for Finding Preimages in a Reduced Version of the MD4 Compression Function

    Hidenori KUWAKADO, Hatsukazu TANAKA
    LETTER
    Vol: E83-A No:1, Page(s): 97-100

    This paper proposes an efficient algorithm for finding preimages of the reduced MD4 compression function consisting of only the first round and the third round. We thus show that the reduced MD4 is not a one-way function.

  • Polynomial Representation of a Visual Secret Sharing Scheme and Its Application

    Hidenori KUWAKADO, Hatsukazu TANAKA
    PAPER-Information Security
    Vol: E85-A No:6, Page(s): 1379-1386

    A visual secret sharing scheme (VSSS) is a secret sharing scheme for images. Droste showed a method for constructing a VSSS based on basis matrices with high contrast. Koga, Iwamoto, and Yamamoto also proposed a method for constructing a lattice-based VSSS and its polynomial representation. It is known that many good VSSSs are not in the class of lattice-based VSSSs. In this paper, we show a well-defined polynomial representation of a VSSS based on permuting different matrices for black-and-white images. The necessary and sufficient condition for the existence of a VSSS based on permuting different matrices can be obtained from the proposed polynomial representation. This condition is useful for constructing a good VSSS. We also point out that, without additional data, it is possible to achieve member verification by using a VSSS. Using the proposed polynomial representation, the probability of detecting a cheater is analyzed.

  • Transitive Signature Scheme for Directed Trees

    Hidenori KUWAKADO, Hatsukazu TANAKA
    PAPER
    Vol: E86-A No:5, Page(s): 1120-1126

    Micali and Rivest have proposed a transitive signature scheme for an undirected graph, which is suitable for signing data with an undirected graph structure. Finding a transitive signature scheme for a directed graph has remained an open problem. In this paper, we propose a transitive signature scheme for a directed tree. Since a directed tree is a special case of a directed graph, the proposed scheme is a partial solution to the open problem. We also show that a transitive signature scheme for an undirected graph can be constructed from a bundling homomorphism. This means that the transitive signature scheme for an undirected graph is closely related to a fail-stop signature scheme.

  • Improved Elliptic Curve Methods for Factoring and Their Performance

    Hidenori KUWAKADO, Kenji KOYAMA
    PAPER
    Vol: E80-A No:1, Page(s): 25-33

    Two methods for the second step of the elliptic curve method for factoring are known. One is the standard method, which is similar to the second step of the p-1 method, and the other is the Brent method, which is based on the "birthday paradox." In this paper, we propose a revised standard method and a revised Brent method. On average, the revised standard method is the most efficient, the standard method is the second most efficient, the revised Brent method is the third, and the Brent method is the fourth. If the largest prime factor of the order of an elliptic curve is congruent to 1 modulo 3, then the revised Brent method becomes more efficient than the standard method. By applying these methods to unsolved problems in the Cunningham project, we found 18 new prime factors. The largest prime factor among them had 43 digits.

  • Message Authentication for Stream

    Hidenori KUWAKADO, Hatsukazu TANAKA
    LETTER
    Vol: E85-A No:1, Page(s): 190-193

    The function of a message authentication code (MAC) is to verify the validity of a whole message. The disadvantage of usual MACs is that a receiver cannot check validity until reception of the message is complete. Hence, usual MACs are not suitable for verifying a large amount of data such as video and audio (called a stream). In this letter, we propose a MAC such that the validity of a stream can be verified continuously without waiting for the end of the reception. In addition, we show two implementations: one based on practical hash functions, and the other based on universal hash functions.