A cryptographic hash is an important tool in the area of a modern cryptography. It comprises a compression function, where the compression function can be built by a scratch or blockcipher. There are some familiar schemes of blockcipher compression function such as Weimar, Hirose, Tandem, Abreast, Nandi, ISA-09. Interestingly, the security proof of all the mentioned schemes are based on the ideal cipher model (ICM), which depends on ideal environment. Therefore, it is desired to use such a proof technique model, which is close to the real world such as weak cipher model (WCM). Hence, we proposed an (n, 2n) blockcipher compression function, which is secure under the ideal cipher model, weak cipher model and extended weak cipher model (ext.WCM). Additionally, the majority of the existing schemes need multiple key schedules, where the proposed scheme and the Hirose-DM follow single key scheduling property. The efficiency-rate of our scheme is r=1/2. Moreover, the number of blockcipher call of this scheme is 2 and it runs in parallel.

In this paper, we first prove beyond-birthyday-bound security for the Misty structure. Specifically, we show that an r-round Misty structure is secure against CCA attacks up to $O(2^{rac{rn}{r+7}})$ query complexity, where n is the size of each round permutation. So for any ε>0, a sufficient number of rounds would guarantee the security of the Misty structure up to 2n(1-ε) query complexity.

The Generalized Feistel Structure (GFS) is one of the structures used in designs of blockciphers and hash functions. There are several types of GFSs, and we focus on Type 1 and Type 2 GFSs. The security of these structures are well studied and they are adopted in various practical blockciphers and hash functions. The round function used in GFSs consists of two layers. The first layer uses the nonlinear function. Type 1 GFS uses one nonlinear function in this layer, while Type 2 GFS uses a half of the number of sub-blocks. The second layer is a sub-block-wise permutation, and the cyclic shift is generally used in this layer. In this paper, we formalize Type 1.x GFS, which is the natural extension of Type 1 and Type 2 GFSs with respect to the number of nonlinear functions in one round. Next, for Type 1.x GFS using two nonlinear functions in one round, we propose a permutation which has a good diffusion property. We demonstrate that Type 1.x GFS with this permutation has a better diffusion property than other Type 1.x GFS with the sub-block-wise cyclic shift. We also present experimental results of evaluating the diffusion property and the security against the saturation attack, impossible differential attack, differential attack, and linear attack of Type 1.x GFSs with various permutations.

HyRAL is a blockcipher whose block size is 128bits, and it supports the key lengths of 128, 129, ..., 256bits. The cipher was proposed for the CRYPTREC project, and previous analyses did not identify any security weaknesses. In this paper, we first consider the longest key version, 256-bit key HyRAL, and present the analysis in terms of equivalent keys. We first show that there are 251.0 equivalent keys (or 250.0 pairs of equivalent keys). Next, we propose an algorithm that derives an instance of equivalent keys with the expected time complexity of 248.8 encryptions and a limited amount of memory. Finally, we implement the proposed algorithm and fully verify its correctness by showing several instances of equivalent keys. We then consider shorter key lengths, and show that there are equivalent keys in 249-, 250-, ..., 255-bit key HyRAL. For each of these key lengths, we present the expected time complexity to derive an instance of equivalent keys.

The Generalized Feistel Structure (GFS) generally uses the sub-block-wise cyclic shift in the permutation layer, the layer between the two F function layers. For Type 2 GFS, at FSE 2010, Suzaki and Minematsu showed that a better diffusion property can be obtained if one uses some other sub-block-wise permutation. In this paper, we consider Type 1, Type 3, Source-Heavy (SH), and Target-Heavy (TH) GFSs, and study if their diffusion properties can be improved by changing the sub-block-wise cyclic shift. For Type 1 GFS and Type 3 GFS, we show that better permutations in terms of diffusion exist. For SH and TH GFSs, we show that the diffusion property does not change even if we change the sub-block-wise cyclic shift. We also experimentally derive optimum permutations in terms of diffusion, and evaluate the security of the resulting schemes against saturation, impossible differential, differential, and linear attacks.

As old as TANDEM-DM, the compression function ABREAST-DM is one of the most well-known constructions for double block length compression functions. In this paper, we give a security proof for ABREAST-DM in terms of collision resistance and preimage resistance. The bounds on the number of queries for collision resistance and preimage resistance are given by Ω(2n). Based on a novel technique using query-response cycles, our security proof is simpler than those for MDC-2 and TANDEM-DM. We also present a wide class of ABREAST-DM variants that enjoy a birthday-type security guarantee with a simple proof*.

This paper describes a differential fault analysis (DFA) attack against CLEFIA. The proposed attack can be applied to CLEFIA with all supported keys: 128, 192, and 256-bit keys. DFA is a type of side-channel attack. This attack enables the recovery of secret keys by injecting faults into a secure device during its computation of the cryptographic algorithm and comparing the correct ciphertext with the faulty one. CLEFIA is a 128-bit blockcipher with 128, 192, and 256-bit keys developed by the Sony Corporation in 2007. CLEFIA employs a generalized Feistel structure with four data lines. We developed a new attack method that uses this characteristic structure of the CLEFIA algorithm. On the basis of the proposed attack, only 2 pairs of correct and faulty ciphertexts are needed to retrieve the 128-bit key, and 10.78 pairs on average are needed to retrieve the 192 and 256-bit keys. The proposed attack is more efficient than any previously reported. In order to verify the proposed attack and estimate the calculation time to recover the secret key, we conducted an attack simulation using a PC. The simulation results show that we can obtain each secret key within three minutes on average. This result shows that we can obtain the entire key within a feasible computational time.

Tweakable pseudorandom permutations have wide applications such as the disk sector encryption, and the underlying primitive for efficient MACs and authenticated encryption schemes. Goldenberg et al. showed constructions of a tweakable pseudorandom permutation based on the Feistel structure. In this paper, we explore the possibility of designing tweakable pseudorandom permutations based on the Generalized Feistel Structure. We show that tweakable pseudorandom permutations can be obtained without increasing the number of rounds compared to the non-tweakable versions. We also present designs that take multiple tweaks as input.

To design secure blockciphers, estimating immunity against differential attack and linear attack is essential. Recently, Diffusion Switching Mechanism (DSM) is proposed as a design framework to enhance the immunity of Feistel structure against differential attack and linear attack. In this paper, we give novel results on the effect of DSM on three generalized Feistel structures, i.e. Type-I, Type-II and Nyberg's structures. We first show a method for roughly estimating lower bounds of a number of active S-boxes in Type-I and Type-II structures using DSM. Then we propose an improved search algorithm to find lower bounds for generalized structures efficiently. Experimental results obtained by the improved algorithm show that DSM raises lower bounds for all of the structures, and also show that Nyberg's structure has the slowest diffusion effect among them when SP-type F-functions are used.

KASUMI is a blockcipher that forms the heart of the 3GPP confidentiality and integrity algorithms. In this paper, we study the security of the five-round KASUMI type permutations, and derive a highly non-trivial security bound against adversaries with adaptive chosen plaintext and chosen ciphertext attacks. To derive our security bound, we heavily use the tools from graph theory. However the result does not show its super-pseudorandomness, this gives us a strong evidence that the design of KASUMI is sound.