Hidenori Kuwakado
Kobe University
Publication
Featured research published by Hidenori Kuwakado.
international symposium on information theory | 2010
Hidenori Kuwakado; Masakatu Morii
No polynomial classical algorithms can distinguish between the 3-round Feistel cipher with internal permutations and a random permutation. It means that the 3-round Feistel cipher with internal permutations is secure against any chosen plaintext attack on the classical computer. This paper shows that there exists a polynomial quantum algorithm for distinguishing them. Hence, the 3-round Feistel cipher with internal permutations may be insecure against a chosen plaintext attack on a quantum computer. This distinguishing problem is an instance that can be efficiently solved by exploiting the quantum parallelism. The proposed algorithm is the first application of Simon's algorithm to cryptographic analysis.
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences | 2007
Hidenori Kuwakado; Masakatu Morii
The security notion of indifferentiability was proposed by Maurer, Renner, and Holenstein in 2004. In 2005, Coron, Dodis, Malinaud, and Puniya discussed the indifferentiability of hash functions. They have shown that the Merkle-Damgard construction is not secure in the sense of indifferentiability. In this paper, we analyze the security of single-block-length and rate-1 compression functions in the sense of indifferentiability. We formally show that all single-block-length and rate-1 compression functions, which include the Davies-Meyer compression function, are insecure. Furthermore, we show how to construct a secure single-block-length and rate-1 compression function in the sense of indifferentiability. This does not contradict our result above.
international conference on information security and cryptology | 2010
Shoichi Hirose; Kota Ideguchi; Hidenori Kuwakado; Toru Owada; Bart Preneel; Hirotaka Yoshida
This paper proposes a new lightweight 256-bit hash function Lesamnta-LW with claimed security levels of at least $2^{120}$ with respect to collision, preimage, and second preimage attacks. We adopt the Merkle-Damgard domain extension; the compression function is constructed from a dedicated AES-based block cipher using the LW1 mode, for which a security reduction can be proven. In terms of lightweight implementations, Lesamnta-LW offers a competitive advantage over other 256-bit hash functions. Our size-optimized hardware implementation of Lesamnta-LW requires only 8.24 Kgates on 90 nm technology. Our software implementation of Lesamnta-LW requires only 50 bytes of RAM and runs fast on short messages on 8-bit CPUs.
IMACC 2013 Proceedings of the 14th IMA International Conference on Cryptography and Coding - Volume 8308 | 2013
Hidenori Kuwakado; Shoichi Hirose
This article proposes a hashing mode using a lightweight blockcipher. Since the block size of a lightweight blockcipher is small, the hashing mode uses a double-block-length compression function that consists of two Matyas-Meyer-Oseas (MMO) modes. Tag-based applications often require a hash function to be a one-way function and a primitive for constructing a pseudorandom function. We analyze the one-wayness of the hashing mode and the pseudorandomness of the keyed hashing mode under standard assumptions of an underlying blockcipher. The analysis in the standard model is practically more significant than the analysis in the ideal-primitive model.
international symposium on information theory | 2003
Hidenori Kuwakado; Hatsukazu Tanaka
Rivest, Shamir, and Tauman (2001) have proposed a ring signature scheme, which is signer-ambiguous and setup-free. Bresson, Stern, and Szydlo (2002) have extended it to a threshold ring signature scheme. In this paper, we propose another type of threshold ring signature scheme. While the sequence of signatures of the previous ring signature schemes geometrically forms a ring, that of the proposed scheme forms a curve.
selected areas in cryptography | 2009
Shoichi Hirose; Hidenori Kuwakado
This article discusses the provable security of an iterated hash function using a block cipher. It assumes the construction using the Matyas-Meyer-Oseas (MMO) scheme for the compression function and the Merkle-Damgard with a permutation (MDP) for the domain extension transform. It is shown that this kind of hash function, MDP-MMO, is indifferentiable from the variable-input-length random oracle in the ideal cipher model. It is also shown that HMAC using MDP-MMO is a pseudorandom function if the underlying block cipher is a pseudorandom permutation under the related-key attack with respect to the permutation used in MDP. Actually, the latter result also assumes that the following function is a pseudorandom bit generator:
$$(E_{IV}(K\oplus\texttt{opad})\oplus K\oplus\texttt{opad})\,\|\,(E_{IV}(K\oplus\texttt{ipad})\oplus K\oplus\texttt{ipad}),$$
where E is the underlying block cipher, IV is the fixed initial value of MDP-MMO, and opad and ipad are the binary strings used in HMAC. This assumption still seems reasonable for actual block ciphers, though it cannot be implied by the pseudorandomness of E as a block cipher. The results of this article imply that the security of a hash function may be reduced to the security of the underlying block cipher to a greater extent with the MMO compression function than with the Davies-Meyer (DM) compression function, though the DM scheme is implicitly used by the widely used hash functions such as SHA-1 and MD5.
international conference on information security and cryptology | 2011
Shoichi Hirose; Hidenori Kuwakado; Hirotaka Yoshida
provable security | 2014
Shoichi Hirose; Hidenori Kuwakado
international conference on information security and cryptology | 2014
Jiageng Chen; Shoichi Hirose; Hidenori Kuwakado; Atsuko Miyaji
IEICE Electronics Express | 2009
Hidenori Kuwakado; Shoichi Hirose