
Author Search Result

[Author] Takeshi SHIMOYAMA (10 hits)
  • An Efficient Interpolation Attack

    Shiho MORIAI  Takeshi SHIMOYAMA  Toshinobu KANEKO  

    PAPER
    Vol: E83-A No:1, Page(s): 39-47

    We introduce an efficient interpolation attack which gives a tighter upper bound on the complexity and on the number of pairs of plaintexts and ciphertexts required for the attack. In the previously known interpolation attack there is a problem in that the required complexity for the attack can be overestimated. We solve this problem by first finding the actual number of coefficients in the polynomial used in the attack by using a computer algebra system, and second, by finding a polynomial with fewer coefficients by choosing the plaintexts. We apply this interpolation attack to the block cipher SNAKE and succeed in attacking many ciphers in the SNAKE family. When evaluating the resistance of a block cipher to interpolation attack, it is necessary to apply the interpolation attack described in this paper.

  • Preimage Attacks on the Step-Reduced RIPEMD-128 and RIPEMD-160

    Chiaki OHTAHARA  Yu SASAKI  Takeshi SHIMOYAMA  

    PAPER-Cryptography and Information Security
    Vol: E95-A No:10, Page(s): 1729-1739

    In this paper, we present the first results on the preimage resistance of step-reduced versions of the ISO standard hash functions RIPEMD-128 and RIPEMD-160, which were designed as strengthened versions of RIPEMD. While preimage attacks on the first 33 steps and intermediate 35 steps of RIPEMD (48 steps in total) are known, no preimage attack exists on RIPEMD-128 (64 steps) or RIPEMD-160 (80 steps). This paper shows three variations of preimage attacks on RIPEMD-128: the first 33 steps, intermediate 35 steps, and the last 32 steps. Because of the large security margin, full RIPEMD-128 is still secure enough; however, it is interesting that the number of attacked steps for RIPEMD-128 reaches the same level as for RIPEMD. We also show that our approach can be applied to RIPEMD-160, and present preimage attacks on the first 30 steps and the last 31 steps.

  • Development of the Lead-Free Carbon Brush Material for Starters

    Ryoichi HONBO  Koichiro SAWA  Youichi MURAKAMI  Hiroyuki WAKABAYASHI  Naruhiko INAYOSHI  Kyoji INUKAI  Takeshi SHIMOYAMA  Naoki MORITA  

    PAPER-Automotive Application
    Vol: E88-C No:8, Page(s): 1675-1681

    Carbon brushes for starters are used under severe conditions of high electric current density, high contact pressure and high sliding velocity. Lead has traditionally been added to carbon brushes to improve their performance and durability. Because lead is an environmentally hazardous substance, after January 2005 the EU will prohibit adding lead to carbon brushes for electric motors installed in vehicles. The purpose of our current study is to develop materials for lead-free carbon brushes for starters. Analyzing the effects of adding lead has shown that lead inhibits the brush resistance from increasing under high temperature, or a combination of high temperature and high humidity. This is because corrosion of lead precedes that of copper, which is one of the materials comprising the brush, and this prevents the copper from corroding. Moreover, lead functions as a solid lubricant and reduces brush wear. We developed the lead-free brush material by adding soft metallic substances that corrode prior to copper and are also oxidation-resistant, as well as possessing low hardness and solid-lubricant properties. The developed lead-free brush surpasses the conventional lead-added brush in durability and permanence.

  • Key Length Estimation of Pairing-Based Cryptosystems Using ηT Pairing over GF(3^n)

    Naoyuki SHINOHARA  Takeshi SHIMOYAMA  Takuya HAYASHI  Tsuyoshi TAKAGI  

    PAPER-Foundations
    Vol: E97-A No:1, Page(s): 236-244

    The security of pairing-based cryptosystems is determined by the difficulty of solving the discrete logarithm problem (DLP) over certain types of finite fields. One of the most efficient algorithms for computing a pairing is the ηT pairing over supersingular curves on finite fields of characteristic 3. Indeed, many high-speed implementations of this pairing have been reported, and it is an attractive candidate for practical deployment of pairing-based cryptosystems. Since the embedding degree of the ηT pairing is 6, we deal with the difficulty of solving a DLP over the finite field GF(3^{6n}), where the function field sieve (FFS) is known as the asymptotically fastest algorithm for solving it. Moreover, several efficient algorithms are employed in implementations of the FFS, such as the large prime variation. In this paper, we estimate the time complexity of solving the DLP for the extension degrees n=97, 163, 193, 239, 313, 353, and 509, when we use the improved FFS. To accomplish our aim, we present several new computable estimation formulas to compute the explicit number of special polynomials used in the improved FFS. Our estimation contributes to the evaluation of the key length of pairing-based cryptosystems using the ηT pairing.

  • Development of the Lead-Free Brush Material for the High-Load Starter

    Ryoichi HONBO  Youichi MURAKAMI  Koichiro SAWA  Hiroyuki WAKABAYASHI  Naruhiko INAYOSHI  Kyoji INUKAI  Takeshi SHIMOYAMA  Naoki MORITA  

    PAPER-Electromechanical Devices and Components
    Vol: E90-C No:8, Page(s): 1634-1642

    This paper reports the development of a lead-free brush material for a high-load starter. These brushes are used in much more extreme conditions: at a PV-value (the product of brush contact pressure and sliding velocity) approximately three times that of other starter brushes, and double the electrical current density. The major technical requirement of this development was to decrease the electrical wear in brushes caused by commutation sparking. We developed a brush material that reduces electrical wear by adding zinc phosphate. Because zinc phosphate can improve the lubricity at high temperature and the contact stability of brushes, the developed brush reduces commutation sparks. The life of the developed brush is about 1.5 times longer than that of conventional brushes containing lead.

  • Forgery Attacks on Time-Stamp, Signed PDF and X.509 Certificate

    Kouichi ITOH  Tetsuya IZU  Wakaha OGATA  Takeshi SHIMOYAMA  Masahiko TAKENAKA  

    PAPER-Digital Signature
    Vol: E92-A No:1, Page(s): 67-75

    This paper studies two types of documents in which an adversary can forge a signature on a chosen document. In one type, a nonce is padded onto an input document; the time-stamp protocol is a good example of this type. The other is a structured document (such as PS or PDF) whose contents are described in a body part and whose information (such as generation time and generator) is in a meta part. In fact, this paper shows how to forge a time-stamp, a signature on a PDF and an X.509 certificate by the extended forgery attack, with numerical examples. A signature forged by the original or the extended attack is only accepted by clients whose length check of the zero field is loosely implemented. As a result, we found that the latest versions of Adobe's Acrobat and Acrobat Reader accept the forged time-stamp and the forged signature on a PDF document. The target of this attack is RSASSA-PKCS1-v1_5, which does not have provable security. We also show that the expanded attack might forge the signature of RSASSA-PSS, which has provable security, when the length check of the zero field is omitted or loosely implemented.

  • Theoretical Analysis of χ² Attack on RC6

    Masahiko TAKENAKA  Takeshi SHIMOYAMA  Takeshi KOSHIBA  

    PAPER-Symmetric Cipher
    Vol: E87-A No:1, Page(s): 28-36

    In this paper, we give a theoretical analysis of the χ² attack proposed by Knudsen and Meier on the RC6 block cipher. To this end, we propose a method of security evaluation against the χ² attack that precisely includes key dependency, by introducing a method called "Transition Matrix Computing." Previously, no theoretical security evaluation against the χ² attack was known; it had been done by computer experiments. We should note that this is the first result in which a method of security evaluation against the χ² attack is shown theoretically.

  • A Setup-Free Threshold Encryption Scheme for the Bitcoin Protocol and Its Applications

    Goichiro HANAOKA  Yusuke SAKAI  Toshiya SHIMIZU  Takeshi SHIMOYAMA  SeongHan SHIN  

    PAPER
    Vol: E103-A No:1, Page(s): 150-164

    Let us consider a situation where someone wants to encrypt his/her will on an existing blockchain, e.g. Bitcoin, and allow the encrypted will to be decryptable only if designated members work together. At first glance, such a property seems to be easily provided by using conventional threshold encryption. However, this idea cannot be straightforwardly implemented since key pairs for an encryption mechanism are additionally required. In this paper, we propose a new threshold encryption scheme in which key pairs for ECDSA that are already used in the Bitcoin protocol can be directly used as they are. Namely, a unique key pair can be simultaneously used for both ECDSA and our threshold encryption scheme without losing security. Furthermore, we implemented our scheme on the Bitcoin regtest network, and show that it is fairly practical. For example, the execution time of the encryption algorithm Enc (resp., the threshold decryption algorithm Dec) is 0.2 sec (resp., 0.3 sec), and the total time is only 3 sec including all the cryptographic processes and network communications for a typical parameter setting. Also, we discuss several applications of our threshold encryption scheme in detail: claiming priority of intellectual property, sealed-bid auction, lottery, and coin tossing service.

  • A Strict Evaluation on the Number of Conditions for SHA-1 Collision Search

    Jun YAJIMA  Terutoshi IWASAKI  Yusuke NAITO  Yu SASAKI  Takeshi SHIMOYAMA  Thomas PEYRIN  Noboru KUNIHIRO  Kazuo OHTA  

    PAPER-Hash Function
    Vol: E92-A No:1, Page(s): 87-95

    This paper proposes a new algorithm for evaluating the number of chaining variable conditions (CVCs) in the selecting step of a disturbance vector (DV) for the analysis of SHA-1 collision search. The algorithm is constructed by combining four strategies that can evaluate the number of CVCs more strictly compared with the previous approach. By using our method, we found some DVs that have 57 (or 59) essential CVCs for the 1st (or 2nd) block if we assume that we can modify messages up to step 25, though we have not confirmed the practicability of this assumption.

  • Improved Higher Order Differential Attack and Its Application to Nyberg-Knudsen's Designed Block Cipher

    Takeshi SHIMOYAMA  Shiho MORIAI  Toshinobu KANEKO  Shigeo TSUJII  

    PAPER-Information Security
    Vol: E82-A No:9, Page(s): 1971-1980

    Since the proposal of differential cryptanalysis and linear cryptanalysis in 1991 and 1993, respectively, the resistance to these cryptanalyses has been studied. In FSE2, Knudsen proposed a method of attacking block ciphers that used the higher order differential, and in FSE4, Jakobsen and Knudsen applied it to a cipher proposed by Nyberg and Knudsen. Their approach, however, requires a large running-time complexity. In this paper, we improve this attack and show that our improved algorithm requires much fewer chosen texts and much less complexity than those of previous works.