In 1997, M. Matsui proposed secret-key cryptosystems called MISTY 1 and MISTY 2, which are 8- and 12-round block ciphers with a 64-bit block, and a 128-bit key. They are designed based on the principle of provable security against differential and linear cryptanalysis. In this paper we present large collections of weak-key classes encompassing 273 and 270 weak keys for 7-round MISTY 1 and 2 for which they are vulnerable to a related-key amplified boomerang attack. Under our weak-key assumptions, the related-key amplified boomerang attack can be applied to 7-round MISTY 1 and 2 with 254, 256 chosen plaintexts and 255.3 7-round MISTY 1 encryptions, 265 7-round MISTY 2 encryptions, respectively.

Trapdoor commitment schemes are widely used for adding valuable properties to ordinary signatures or enhancing the security of weakly secure signatures. In this letter, we propose a trapdoor commitment scheme based on RSA function, and prove its security under the hardness of the integer factoring. Our scheme is very efficient in computing a commitment. Especially, it requires only three multiplications for evaluating a commitment when e=3 is used as a public exponent of RSA function. Moreover, our scheme has two useful properties, key exposure freeness and strong trapdoor opening, which are useful for designing secure chameleon signature schemes and converting a weakly secure signature to a strongly secure signature, respectively.

The design and analysis of block ciphers is an established field of study which has seen significant progress since the early 1990s. Nevertheless, what remains on an interesting direction to explore in this area is to design block ciphers with provable security against powerful known attacks such as differential and linear cryptanalysis. In this paper we introduce seven new block cipher structures, named Feistel-variant A, B, CLEFIA and MISTY-FO-variant A, B, C, D structures, and show that these structures are provably resistant against differential cryptanalysis. The main results of this paper are that the average differential probabilities over at least 2 rounds of Feistel-variant A structure and 1 round of Feistel-variant B structure are both upperbounded by p2, while the average differential probabilities over at least 5 rounds of CLEFIA, MISTY-FO-variant A, B, C and D structures are upperbounded by p4+2p5, p4, p4, 2p4 and 2p4, respectively, if the maximum differential probability of a round F function is p. We also give provable security for the Feistel-variant A, B and CLEFIA structures against linear cryptanalysis. Our results are attained under the assumption that all of components in our proposed structures are bijective. We expect that our results are useful to design block ciphers with provable security against differential and linear cryptanalysis.

In this paper, we propose efficient sequential AES CCM architecture for the IEEE 802.16e. In the proposed architecture, only one AES encryption core is used and the operation of the CTR and the CBC-MAC is processed concurrently within one round. With this design approach, we can design sequential AES CCM architecture having 570 Mbps@102.4 MHz throughput and 1,397 slices at a Spartan3 3s5000 device.

Previously proposed batch signature schemes do not allow a signer to generate a signature immediately for sequentially asked signing queries. In this letter, we propose flexible batch signatures which do not need any waiting period and have very light computational overhead. Therefore our schemes are well suited for low power devices.

Jeong et al. recently have proposed a strong ID-based key distribution scheme in order to achieve security against long-term key reveal and session state reveal attacks. In this letter, we show that, unfortunately, the ID-based key distribution scheme is vulnerable to an impersonation attack such that anyone can manipulate public transcripts generated by a user to impersonate the original user.

The XTR public key cryptosystem was introduced in 2000. XTR is suitable for a variety of environments including low-end smart cards, and is regarded as an excellent alternative to RSA and ECC. Moreover, it is remarked that XTR single exponentiation (XTR-SE) is less susceptible than usual exponentiation routines to environmental attacks such as the timing attack and the differential power analysis (DPA). This paper investigates the security of side channel attack (SCA) on XTR. In this paper, we show the immunity of XTR-SE against the simple power analysis if the order of the computation of XTR-SE is carefully considered. In addition, we show that XTR-SE is vulnerable to the data-bit DPA, the address-bit DPA, the doubling attack, the modified refined power analysis, and the modified zero-value attack. Moreover, we propose some countermeasures against these attacks. We also show experimental results of the efficiency of the countermeasures. From our implementation results, if we compare XTR with ECC with countermeasures against "SCAs," we think XTR is as suitable to smart cards as ECC.

In this paper, we discuss the impossible differential cryptanalysis for the block cipher Zodiac. The main design principles of Zodiac include simplicity and efficiency. However, the diffusion layer in its round function is too simple to offer enough security. The impossible differential cryptanalysis exploits such weakness in Zodiac. Our attack using a 14-round impossible characteristic derives the 128-bit master key of the full 16-round Zodiac faster than the exhaustive search. The efficiency of the attack compared with exhaustive search increases as the key size increases.

In 1999, Gennaro, Halevi and Rabin proposed a signature which achieves provable security without assuming the random oracles, and it is the first RSA-type signature whose security is proved in the standard model. Since that time, several signatures have been proposed to achieve better efficiency or useful property along with the provable security in the standard model. In this paper, we construct a trapdoor hash function, and design an efficient online/offline signature by using the trapdoor hash function. Our signature scheme requires only one non-modular multiplication of two small integers for online signing, and it provides the fastest online signing among all online/offline signatures that achieve provable security in the standard model.

In this paper, we introduce new compression function design principles supporting variable output lengths (multiples of size n). They are based on a function or block cipher with an n-bit output size. In the case of the compression function with a(t+1)n-bit output size, in the random oracle and ideal cipher models, their maximum advantages from the perspective of collision resistance are . In the case of t=1, the advantage is near-optimal. In the case of t>1, the advantage is optimal.