Pairings on elliptic curves over finite fields are crucial for constructing various cryptographic schemes. The ηT pairing on supersingular curves over GF(3n) is particularly popular since it is efficiently implementable. Taking into account the Menezes-Okamoto-Vanstone attack, the discrete logarithm problem (DLP) in GF(36n) becomes a concern for the security of cryptosystems using ηT pairings in this case. In 2006, Joux and Lercier proposed a new variant of the function field sieve in the medium prime case, named JL06-FFS. We have, however, not yet found any practical implementations on JL06-FFS over GF(36n). Therefore, we first fulfill such an implementation and we successfully set a new record for solving the DLP in GF(36n), the DLP in GF(36·71) of 676-bit size. In addition, we also compare JL06-FFS and an earlier version, named JL02-FFS, with practical experiments. Our results confirm that the former is several times faster than the latter under certain conditions.

For determining whether an input number is prime, there are two kinds of algorithms, a primality test and a primality proving. A primality test is very efficient but probabilistic, that is, there are certain errors in determining primality. On the other hand, a primality proving always gives a correct answer but it is not so efficient. Grantham proposed a very interesting problem on the Quadratic Frobenius Test (QFT) which is a primality test. If we negatively solve the problem, then we can construct a primality proving more efficient than any other existing primality proving. To solve Grantham's problem, it is important to study when QFT fails. In this paper, as the first step to solve Grantham's problem, we show two conditions on a given odd composite number n and parameters a,b of QFT such that n passes QFT for a,b. Based on these conditions, we made a computational experiment that may suggest the problem will be negatively solved. Moreover, the two conditions give two algorithms computing a pair (a,b) for which a given odd composite number n passes QFT, where n's prime factorization is known.

This paper describes non-reference objective quality evaluation for noise-reduced speech. First, a subjective test is conducted in accordance with ITU-T Rec. P.835 to obtain the speech quality, the noise quality, and the overall quality of noise-reduced speech. Based on the results, we then propose an overall quality estimation model. The unique point of the proposed model is that the estimation of the overall quality is done only using the previously estimated speech quality and noise quality, in contrast to conventional models, which utilize the acoustical features extracted. Finally, we propose a non-reference objective quality evaluation method using the proposed model. The results of an experiment with different noise reduction algorithms and noise types confirmed that the proposed method gives more accurate estimates of the overall quality compared with the method described in ITU-T Rec. P.563.

In this paper, we present a lattice based method on small secret exponent attack on the RSA scheme. Boneh and Durfee reduced the attack to finding the small roots of the bivariate modular equation: x(N+1+y)+1 ≡ 0 (mod e), where N is an RSA modulus and e is the RSA public key and proposed a lattice based algorithm for solving the problem. When the secret exponent d is less than N0.292, their method breaks the RSA scheme. Since the lattice used in the analysis is not full-rank, the analysis is not easy. Blömer and May proposed an alternative algorithm that uses a full-rank lattice, even though it gives a bound (d≤N0.290) that is worse than Boneh-Durfee. However, the proof for their bound is still complicated. Herrmann and May, however, have given an elementary proof for the Boneh-Durfee's bound: d≤N0.292. In this paper, we first give an elementary proof for achieving Blömer-May's bound: d≤N0.290. Our proof employs the unravelled linearization technique introduced by Herrmann and May and is rather simpler than that of Blömer-May's proof. We then provide a unified framework — which subsumes the two previous methods, the Herrmann-May and the Blömer-May methods, as a special case — for constructing a lattice that can be are used to solve the problem. In addition, we prove that Boneh-Durfee's bound: d≤N0.292 is still optimal in our unified framework.

We discuss how to recover RSA secret keys from noisy key bits with erasures and errors. There are two known algorithms recovering original secret keys from noisy keys. At Crypto 2009, Heninger and Shacham proposed a method for the case where an erroneous version of secret keys contains only erasures. Subsequently, Henecka et al. proposed a method for an erroneous version containing only errors at Crypto 2010. For physical attacks such as side-channel and cold boot attacks, we need to study key recovery from a noisy secret key containing both erasures and errors. In this paper, we propose a method to recover a secret key from such an erroneous version and analyze the condition for error and erasure rates so that our algorithm succeeds in finding the correct secret key in polynomial time. We also evaluate a theoretical bound to recover the secret key and discuss to what extent our algorithm achieves this bound.

This paper proposes Photonic Core Node based on a 2.56-Terabit/s opto-electronic switching fabric, which can economically handle the rapidly increasing multimedia traffics, such as Internet traffic. We have successfully developed the first prototype of Photonic Core Node. The prototype consists of a single-stage full-crossbar opto-electronic switching fabric, super-packet buffers for input queuing, and a desynchronized-round-robin scheduler. The switching fabric is upgradable up to 2.56 Tb/s, and employs wavelength-division-multiplexing techniques, which dramatically reduce the total number of optical switching elements down to one-eighth the number of those used in a conventional switching fabric. The super-packet buffer assembles 16 ATM cells routed to the same output port into a single fixed-length packet. The super-packet-switching scheme drastically reduces the overhead of optical switching from 32 to 2.9%, although it tends to decrease effective throughput. The desynchronized-round-robin scheduler maintains nearly 100% effective throughput for random traffic, recursively resolving the contention of connection requests in one scheduling routine while keeping fairness in a round robin manner. The proposed Photonic Core Node can accommodate not only ATM switching but also WDM optical path grooming/multiplexing, and IP routing by using IP input buffer interfaces, because optical switches are bit-rate/format-independent.

This paper proposes Photonic Core Node based on a 2.56-Terabit/s opto-electronic switching fabric, which can economically handle the rapidly increasing multimedia traffics, such as Internet traffic. We have successfully developed the first prototype of Photonic Core Node. The prototype consists of a single-stage full-crossbar opto-electronic switching fabric, super-packet buffers for input queuing, and a desynchronized-round-robin scheduler. The switching fabric is upgradable up to 2.56 Tb/s, and employs wavelength-division-multiplexing techniques, which dramatically reduce the total number of optical switching elements down to one-eighth the number of those used in a conventional switching fabric. The super-packet buffer assembles 16 ATM cells routed to the same output port into a single fixed-length packet. The super-packet-switching scheme drastically reduces the overhead of optical switching from 32 to 2.9%, although it tends to decrease effective throughput. The desynchronized-round-robin scheduler maintains nearly 100% effective throughput for random traffic, recursively resolving the contention of connection requests in one scheduling routine while keeping fairness in a round robin manner. The proposed Photonic Core Node can accommodate not only ATM switching but also WDM optical path grooming/multiplexing, and IP routing by using IP input buffer interfaces, because optical switches are bit-rate/format-independent.

CRT-RSA is a variant of RSA, which uses integers dp = d mod (p-1) and dq = d mod (q-1) (CRT-exponents), where d, p, q are the secret keys of RSA. May proposed a method to obtain the secret key in polynomial time if a CRT-exponent is small, moreover Bleichenbacher and May improved this method. On the other hand, Takagi's RSA is a variant of CRT-RSA, whose public key N is of the form prq for a given positive integer r. In this paper, we extend the May's method and the Bleichenbacher-May's method to Takagi's RSA, and we show that we obtain p in polynomial time if by the extended May's method, and if by the extended Bleichenbacher-May's method, when dq is arbitrary small. If r=1, these upper bounds conform to May's and Bleichenbacher-May's results respectively. Moreover, we also show that the upper bound of pr increase with an increase in r. Since these attacks are heuristic algorithms, we provide several experiments which show that we can obtain the secret key in practice.

Multivariate public key cryptosystem (MPKC) is one of the major post quantum cryptosystems (PQC), and the National Institute of Standards and Technology (NIST) recently selected four MPKCs as candidates of their PQC. The security of MPKC depends on the hardness of solving systems of algebraic equations over finite fields. In particular, the multivariate quadratic (MQ) problem is that of solving such a system consisting of quadratic polynomials and is regarded as an important research subject in cryptography. In the Fukuoka MQ challenge project, the hardness of the MQ problem is discussed, and algorithms for solving the MQ problem and the computational results obtained by these algorithms are reported. Algorithms for computing Gröbner basis are used as the main tools for solving the MQ problem. For example, the F4 algorithm and M4GB algorithm have succeeded in solving many instances of the MQ problem provided by the project. In this paper, based on the F4-style algorithm, we present an efficient algorithm to solve the MQ problems with dense polynomials generated in the Fukuoka MQ challenge project. We experimentally show that our algorithm requires less computational time and memory for these MQ problems than the F4 algorithm and M4GB algorithm. We succeeded in solving Type II and III problems of Fukuoka MQ challenge using our algorithm when the number of variables was 37 in both problems.

The security of pairing-based cryptosystems is determined by the difficulty of solving the discrete logarithm problem (DLP) over certain types of finite fields. One of the most efficient algorithms for computing a pairing is the ηT pairing over supersingular curves on finite fields of characteristic 3. Indeed many high-speed implementations of this pairing have been reported, and it is an attractive candidate for practical deployment of pairing-based cryptosystems. Since the embedding degree of the ηT pairing is 6, we deal with the difficulty of solving a DLP over the finite field GF(36n), where the function field sieve (FFS) is known as the asymptotically fastest algorithm of solving it. Moreover, several efficient algorithms are employed for implementation of the FFS, such as the large prime variation. In this paper, we estimate the time complexity of solving the DLP for the extension degrees n=97, 163, 193, 239, 313, 353, and 509, when we use the improved FFS. To accomplish our aim, we present several new computable estimation formulas to compute the explicit number of special polynomials used in the improved FFS. Our estimation contributes to the evaluation for the key length of pairing-based cryptosystems using the ηT pairing.