In 2005, Nandi introduced a class of double-block-length compression functions hπ(x) := (h(x), h(π(x))), where h is a random oracle with an n-bit output and π is a non-cryptographic public permutation. Nandi demonstrated that the collision resistance of hπ is optimal if π has no fixed point in the classical setting. Our study explores the collision resistance of hπ and the Merkle-Damgård hash function using hπ in the quantum random oracle model. Firstly, we reveal that the quantum collision resistance of hπ may not be optimal even if π has no fixed point. If π is an involution, then a colliding pair of inputs can be found for hπ with only O(2n/2) queries by the Grover search. Secondly, we present a sufficient condition on π for the optimal quantum collision resistance of hπ. This condition states that any collision attack needs Ω(22n/3) queries to find a colliding pair of inputs. The proof uses the recent technique of Zhandry’s compressed oracle. Thirdly, we show that the quantum collision resistance of the Merkle-Damgård hash function using hπ can be optimal even if π is an involution. Finally, we discuss the quantum collision resistance of double-block-length compression functions using a block cipher.

An all-or-nothing transform (AONT), which has been proposed by Rivest, is one of encryption modes. The AONT is intended to increase the cost of brute-fore attacks on a block cipher. This paper provides the revised definition of an unconditionally secure AONT, and shows the instance of an optimal unconditionally secure AONT. In addition, we propose a computationally secure AONT such that any information on a message cannot be obtained regardless of the position of the lost block due to a linear code.

Relative time-stamping schemes prove the chronological sequence of digital documents and their integrity. Since the chronological sequence is verified by tracing the link between two timestamps, it is desirable that the length of the verification path is short. Buldas, Laud, Lipmaa, and Villemson have proposed the relative time-stamping scheme based on the binary link. In this paper, we extend the binary link to the ternary link, and apply it to the relative time-stamping scheme. We show that the maximum length of the verification path of the proposed scheme is shorter than that of the previous scheme. Moreover, we show that the average length of the proposed scheme is shorter than that of the previous scheme. Thus, the proposed time-stamping schemes is more efficient than the previous scheme.

We discuss the security of the improved knapsack cryptosystem that Kobayashi and Kimura have proposed. Two attacking methods for their cryptosystem are proposed; one is the method for obtaining secret keys from public keys by using the continued fraction, and the other is for decrypting the ciphertext without knowing secret keys. We show that their cryptosystem is not secure against these attacks.

In this paper, we present a construction of (n,k,d,m) secure regenerating codes for distributed storage systems against eavesdroppers that can observe either data stored in at most m storage nodes or downloaded data for repairing at most m failed nodes in a network where m < k ≤ d ≤ n-1. The (n,k,d,m) secure regenerating code is based on an (n,k,d) minimum bandwidth regenerating (MBR) code, which was proposed by Rashmi, Shah and Kumar as optimal exact-regenerating codes, for all values of the parameters (n,k,d). The (n,k,d,m) secure regenerating codes have the security as a secret sharing scheme such that even if an eavesdropper knows either data stored in at most m storage nodes or downloaded data for repairing at most m failed nodes, no information about data leaks to the eavesdropper.

In the visual secret sharing scheme proposed by Naor and Shamir, a secret image is encoded into shares, of which size is larger than that of the secret image and the shares are decoded by stacking them without performing any cryptographic computation. In this paper we propose a (k,n) visual secret sharing scheme to encode a black-and-white image into the same size shares as the secret image, where the reconstructed image of the proposed scheme is visible as well as that of the conventional scheme.

Conventional class of weak keys on RC4 stream cipher is defined as a specific case that combinations of the first three bytes of secret key satisfy two relational equations. This paper expands and generalizes the classes of weak keys using generalized relational equations and special classes of the internal state (called predictive state). We derive the probability that generalized classes of weak keys leak the information of bytes of the secret key. Furthermore, we enumerate the generalized classes of weak keys and show that most of them leak more information of the secret key than Roos' one.

This paper discusses a mode for pseudorandom functions (PRFs) based on the hashing mode of Lesamnta-LW and the domain extension called Merkle-Damgård with permutation (MDP). The hashing mode of Lesamnta-LW is a plain Merkle-Damgård iteration of a block cipher with its key size half of its block size. First, a PRF mode is presented which produces multiple independent PRFs with multiple permutations and initialization vectors if the underlying block cipher is a PRP. Then, two applications of the PRF mode are presented. One is a PRF with minimum padding. Here, padding is said to be minimum if the produced message blocks do not include message blocks only with the padded sequence for any non-empty input message. The other is a vector-input PRF using the PRFs with minimum padding.

This article discusses the provable security of block-cipher-based hash functions. It introduces a new model called a weak ideal cipher model. In this model, an adversary is allowed to make key-disclosure queries to the oracle as well as encryption and decryption queries. A key-disclosure query is a pair of a plaintext and a ciphertext, and the reply is a corresponding key. Thus, in this model, a block cipher is random but completely insecure as a block cipher. It is shown that collision resistant hash functions can be constructed even in this weak model.

We propose a method for reducing the size of a share in visual secret sharing schemes. The proposed method does not cause the leakage and the loss of the original image. The quality of the recovered image is almost same as that of previous schemes.

The subliminal channel is one of the methods for hiding a message in other messages. Simmons has shown conjectures on the upper bound to the bandwidth of a subliminal channel. This paper proposes a new broad-band subliminal channel embedded in the ESIGN. The bandwidth of the proposed subliminal channel is wider than that of the previous one, and it exceeds the upper bound that Simmons has conjectured. Namely, we disprove the conjectures due to Simmons. We also show that it is possible to construct the subliminal channel even if the transmitter and the subliminal receiver do not have any key in common.

Conventional efficient key recovery attacks against Wired Equivalent Privacy (WEP) require specific initialization vectors or specific packets. Since it takes much time to collect the packets sufficiently, any active attack should be performed. An Intrusion Detection System (IDS), however, will be able to prevent the attack. Since the attack logs are stored at the servers, it is possible to prevent such an attack. This paper proposes an algorithm for recovering a 104-bit WEP key from any IP packets in a realistic environment. This attack needs about 36,500 packets with a success probability 0.5, and the complexity of our attack is equivalent to about 220 computations of the RC4 key setups. Since our attack is passive, it is difficult for both WEP users and administrators to detect our attack.