RC6 is a common-key block cipher that was proposed as one of the AES candidates. Although any weakness of RC6 in the use of the confidentiality is not known, Saarinen pointed out the existence of almost equivalent keys in RC6 with 176-byte keys. This means that the Davies-Meyer hash function based on RC6 with 176-byte keys is not a good collision-resistance function. However, Saarinen could not find a precise collision of it. In this paper, we propose a practical method for obtaining a collision of the Davies-Meyer hash function based on RC6-32/20/176. In other words, there exist equivalent user supplied keys in RC6-32/20/176, and it is possible to obtain them practically. This means that the essential key space of RC6-32/20/176 is smaller than the space provided by 176-byte keys. Our computer simulation shows that a collision can be found in about 100 minutes. We should notice that the result of this paper does not affect the security of the AES version of RC6 because RC6-32/20/176 discussed in this paper is different from the parameter of the AES version.

This article discusses the provable security of pseudo-random-function (PRF) modes of an iterated hash function using a block cipher. The iterated hash function uses the Matyas-Meyer-Oseas (MMO) mode for the compression function and the Merkle-Damgård with a permutation (MDP) for the domain extension transform. It is shown that the keyed-via-IV mode and the key-prefix mode of the iterated hash function are pseudorandom functions if the underlying block cipher is a pseudorandom permutation under a related-key attack with respect to the permutation used in MDP. More precisely, the key-prefix mode also requires that EIV(K)+ K is pseudoramdom, where E is the underlying block cipher, IV is the fixed initial value of the hash function, and K is a secret key. It is also confirmed that the MMO compression function is the best choice with MDP among the block-cipher-based compression functions in the Preneel-Govaerts-Vandewalle model in terms of the provable security.

This paper presents the first non-trivial collision attack on the double-block-length compression function presented at FSE 2006 instantiated with round-reduced AES-256: f0(h0||h1,M)||f1(h0||h1,M) such that f0(h0||h1, M) = Eh1||M(h0)⊕h0 , f1(h0||h1,M) = Eh1||M(h0⊕c)⊕h0⊕c , where || represents concatenation, E is AES-256 and c is a 16-byte non-zero constant. The proposed attack is a free-start collision attack using the rebound attack proposed by Mendel et al. The success of the proposed attack largely depends on the configuration of the constant c: the number of its non-zero bytes and their positions. For the instantiation with AES-256 reduced from 14 rounds to 8 rounds, it is effective if the constant c has at most four non-zero bytes at some specific positions, and the time complexity is 264 or 296. For the instantiation with AES-256 reduced to 9 rounds, it is effective if the constant c has four non-zero bytes at some specific positions, and the time complexity is 2120. The space complexity is negligible in both cases.

The security notion of indifferentiability was proposed by Maurer, Renner, and Holenstein in 2004. In 2005, Coron, Dodis, Malinaud, and Puniya discussed the indifferentiability of hash functions. They have shown that the Merkle-Damgård construction is not secure in the sense of indifferentiability. In this paper, we analyze the security of single-block-length and rate-1 compression functions in the sense of indifferentiability. We formally show that all single-block-length and rate-1 compression functions, which include the Davies-Meyer compression function, are insecure. Furthermore, we show how to construct a secure single-block-length and rate-1 compression function in the sense of indifferentiability. This does not contradict our result above.

This paper proposes a new RSA-type scheme over non-singular parts of singular cubic curves En(α,β):(y-αx)(y-βx)x3(mod n). In usual one-to-one communication, we prove that breaking the proposed scheme is not easier than breaking the RSA scheme for the whole ciphertexts. If encryption key e is larger than 19 for 512 bits modulus n, then the proposed scheme is secure against the Hastad attack in broadcast applications. A plaintext of two blocks, i.e., x and y coordinates in En(α,β), is encrypted to a ciphertext of three blocks, where the size of one block is log2n bits. The decryption speed ofthe proposed scheme is as fast as that of the RSA scheme for the even block plaintext.

The security of the ElGamal-type signature scheme is based on the difficulty of solving a discrete logarithm problem. If a random value that is introduced in the signing procedure is small, then the time for generating signature can be reduced. This strategy is particularly advantageous when a signer uses a smart card. In this paper, we show that the secret key can be computed efficiently if the random value is less than O(q) where q is the order of the generator.

We propose an RSA-type scheme over the nonsingular part of a singular cubic curve En (0,b) : y2x3+bx2 (mod n), where n is a product of form-free primes p and q. Our new scheme encrypts/decrypts messages of 2 log n bits by operations of the x and y coordinates. The decryption is carried out over Fp or a subgroup of a quadratic extension of Fp, depending on quadratic residuosity of message-dependent parameter b. The decryption speed in our new scheme is about 4.6 and 5.8 times faster than that in the KMOV scheme and the Demytko scheme, respectively. We prove that if b is a quadratic residue in Zn, breaking our new scheme over En(0,b) is not easier than breaking the RSA scheme.

Hirose, Kuwakado and Yoshida proposed a nonce-based authenticated encryption scheme Lae0 based on Lesamnta-LW in 2019. Lesamnta-LW is a block-cipher-based iterated hash function included in the ISO/IEC 29192-5 lightweight hash-function standard. They also showed that Lae0 satisfies both privacy and authenticity if the underlying block cipher is a pseudorandom permutation. Unfortunately, their result implies only about 64-bit security for instantiation with the dedicated block cipher of Lesamnta-LW. In this paper, we analyze the security of Lae0 in the ideal cipher model. Our result implies about 120-bit security for instantiation with the block cipher of Lesamnta-LW.

This paper proposes RSA-type cryptosystems over elliptic curves En(O, b) and En(a, O),where En(a, b): y2 x3+ax+b (mod n),and n is a product of from-free primes p and q. Although RSA cryptosystem is not secure against a low exponent attack, RSA-type cryptosystems over elliptic curves seems secure against a low multiplier attack. There are the KMOV cryptosystem and the Demytko cryptosystem that were previously proposed as RSA-type cryptosystems over elliptic curves. The KMOV cryptosystem uses form-restricted primes as p q 2(mod 3)or p q 3(mod 4), and encrypts/decrypts a 2log n-bit message over varied elliptic curves by operating values of x and y coordinates. The Demytko cryptosystem, which is an extension of the KMOV cryptosystem, uses form-free primes, and encrypts/decrypts a log n-bit message over fixed elliptic curves by operating only a value of x coordinates. Our cryptosystems, which are other extensions fo the KMOV cryptosystem, encrypt/decrypt a 2log n-bit message over varied elliptic curves by operating values of x and y coordinates. The Demytko cryptosystem and our cryptosystems have higher security than the KMOV cryptosystem because from-free primes hide two-bit information about prime factors. The encryption/decryption speed in one of our cryptosystems is about 1.25 times faster than that in the Demytko cryptosystem.

This paper proposes secure regenerating codes that are composed of non-secure regenerating codes and a new all-or-nothing transform. Unlike the previous analysis of secure regenerating codes, the security of the proposed codes is analyzed in the sense of the indistinguishability. The advantage of the proposed codes is that the overhead caused by the security against eavesdropping is much less than that of previous secure regenerating codes. The security of the proposed codes against eavesdropping mainly depends on the new all-or-nothing transform.

Kurosawa, Obana, and Ogata proposed a (k,n) threshold scheme such that t cheaters can be identified, where t (k-1)/3. Their scheme is superior to previous schemes with respect to the number of participants for identifying cheaters and the size of a share. In this paper, we improve the detectability of their scheme. By using erasure decoding and the authentication code, we show that cheaters less than k/2 can be identified. Although the size of a share is larger than that of their scheme, it is independent of n.

A hash function is an important primitive for cryptographic protocols. Since algorithms of well-known hash functions are almost serial, it seems difficult to take full advantage of recent multi-core processors. This paper proposes a multilane hashing (MLH) mode that achieves both of high parallelism and high security. The MLH mode is designed in such a way that the processing speed is almost linear in the number of processors. Since the MLH mode exploits an existing hash function as a black box, it is applicable to any hash function. The bound on the indifferentiability of the MLH mode from a random oracle is beyond the birthday bound on the output length of an underlying primitive.

This paper proposes a new lightweight 256-bit hash function Lesamnta-LW. The security of Lesamnta-LW is reduced to that of the underlying AES-based block cipher and it is theoretically analyzed for an important application, namely the key-prefix mode. While most of recently proposed lightweight primitives are hardware-oriented with very small footprints, our main target with Lesamnta-LW is to achieve compact and fast hashing for lightweight application on a wider variety of environments ranging from inexpensive devices to high-end severs at the 2120 security level. As for performance, our primary target CPUs are 8-bit and it is shown that, for short message hashing, Lesamnta-LW offers better tradeoffs between speed and cost on an 8-bit CPU than SHA-256.

In this paper, we propose an effective key recovery attack on stream ciphers Py and Pypy with chosen IVs. Our method uses an internal-state correlation based on the vulnerability that the randomization of the internal state in the KSA is inadequate, and it improves two previous attacks proposed by Wu and Preneel (a WP-1 attack and a WP-2 attack). For a 128-bit key and a 128-bit IV, the WP-1 attack can recover a key with 223 chosen IVs and time complexity 272. First, we improve the WP-1 attack by using the internal-state correlation (called a P-1 attack). For a 128-bit key and a 128-bit IV, the P-1 attack can recover a key with 223 chosen IVs and time complexity 248, which is 1/224 of that of the WP-1 attack. The WP-2 attack is another improvement on the WP-1 attack, and it has been known as the best previous attack against Py and Pypy. For a 128-bit key and a 128-bit IV, the WP-2 attack can recover a key with 223 chosen IVs and time complexity 224. Second, we improve the WP-2 attack by using the internal-state correlation as well as the P-1 attack (called a P-2 attack). For a 128-bit key and a 128-bit IV, the P-2 attack can recover a key with 223 chosen IVs and time complexity 224, which is the same capability as that of the WP-2 attack. However, when the IV size is from 64 bits to 120 bits, the P-2 attack is more effective than the WP-2 attack. Thus, the P-2 attack is the known best attack against Py and Pypy.

This paper proposes an efficient algorithm for finding preimages of the reduced MD4 compression function consisting of only the first round and the third round. We thus show that the reduced MD4 is not a one-way function.

A visual secret sharing scheme (VSSS) is one of secret sharing schemes for images. Droste showed the method for constructing VSSS based on basis matrices whose contrast was high. Koga, Iwamoto, and Yamamoto also proposed the method for constructing a lattice-based VSSS and its polynomial representation. It is known that many good VSSSs are not in the class of lattice-based VSSSs. In this paper, we show the well-defined polynomial representation of a VSSS based on permuting different matrices for black-white images. The necessary and sufficient condition of the existence of a VSSS based on permuting different matrices can be obtained from the proposed polynomial representation. This condition is useful for constructing a good VSSS. We also point out that without additional data, it is possible to achieve member verification by using a VSSS. Using the proposed polynomial representation, the probability of detecting a cheater is analyzed.

Micali and Rivest have proposed a transitive signature scheme for an undirected graph, which is suitable for signing data with undirected graph structure. The problem of finding a transitive signature scheme for a directed graph has remained an open problem. In this paper, we propose a transitive signature scheme for a directed tree. Since the directed tree is a special case of the directed graph, the proposed scheme is a partial solution for the open problem. We also show that a transitive signature scheme for the undirected graph can be constructed from a bundling homomorphism. This means that the transitive signature scheme for the undirected graph is closely related with a fail-stop signature scheme.

Two methods of the second step of the elliptic curve method for factoring are known. One is the standard method that is similar to the second step of the p-1 method, and the other is the Brent method that is based on the "birthday paradox." In this paper, we propose a revised standard method and a revised Brent method. On an average, the revised standard method is the most efficient, the standard method is the second efficient, the revised Brent method is the third and the Brent method is the fourth. If the largest prime factor on the order of an elliptic curve is congruent to 1 modulo 3, then the revised Brent method becomes more efficient than the standard method. By applying these methods to unsolved problems in the Cunningham project, we found 18 new prime factors. The largest prime factor among them was 43-digits.

The function of a message authentication code (MAC) is to verify the validity of a whole message. The disadvantage of usual MACs is that a receiver can not check its validity until the receipt of a message is finished. Hence, usual MACs are not suitable for verifying a large amount of data such as video and audio (called stream). In this letter, we propose a MAC such that the validity of a stream can be consecutively verified without waiting for the end of the reception. In addition, we show its implementations: one is based on practical hash functions, and the other is based on universal hash functions.

An all-or-nothing transform (AONT), which has been proposed by Rivest, is one of encryption modes. The AONT is intended to increase the cost of brute-fore attacks on a block cipher. This paper provides the revised definition of an unconditionally secure AONT, and shows the instance of an optimal unconditionally secure AONT. In addition, we propose a computationally secure AONT such that any information on a message cannot be obtained regardless of the position of the lost block due to a linear code.