CLEFIA is a 128-bit block cipher proposed by Shirai et al. at FSE 2007 and has since been adopted in several standards. It uses a generalized Feistel structure with the diffusion switching mechanism, which allows a compact hardware implementation and makes it a promising candidate for restricted environments, where a cryptographic primitive is expected to be versatile. This means that the security of CLEFIA has to be evaluated even in unusual settings such as the known-key scenario. Following the approach that Knudsen and Rijmen applied to 7-round AES at Asiacrypt 2007, we construct a 17-round known-key distinguisher from two integral characteristics. Combining this 17-round known-key distinguisher with the standard subkey-recovery technique of the secret-key setting, we obtain a known-key distinguisher that separates full CLEFIA-128 from a random permutation under the middletext-distinguisher framework proposed by Minier et al. at Africacrypt 2009. The known-key distinguisher requires 2^112 queried texts, time complexity 2^112 and memory of 2^3 blocks, and achieves advantage e^-1, where e is the base of the natural logarithm. Note that the result has no practical impact on the security of CLEFIA-128 in its current usage: it works only in the known-key setting, and the data the adversary needs are enormous and must have a special form.
In this paper, we present known-key attacks on the block cipher Rijndael with 192-bit and 256-bit blocks. Our attacks reach 8 rounds for the 192-bit block and 9 rounds for the 256-bit block, one round more than the previous best known-key attacks. We then search for ShiftRow parameters that resist our attacks better than the ones in the Rijndael specification. Finally, we show a parameter choice for the 192-bit block that forces an attacker to activate more bytes to build a truncated differential path, and thus strengthens the cipher against our attacks.
Seungjoo KIM Masahiro MAMBO Takeshi OKAMOTO Hiroki SHIZUYA Mitsuru TADA Dongho WON
To the best of the authors' knowledge, the rigorous security of the Okamoto-Tanaka identity-based key exchange scheme was first shown in [4]. That analysis, however, covers only passive attacks. In this paper we define several models of active attacks against the scheme and prove its security rigorously in each of them. We establish several relationships among the attack models, including that (1) breaking the scheme in one attack model is equivalent to breaking the RSA public-key cryptosystem and (2) breaking it in another attack model is equivalent to breaking the Diffie-Hellman key exchange over Z_n. The difference in complexity stems from the timing at which the dishonest party sends and receives its messages.