
Publication


Featured research published by Kazumaro Aoki.


International Cryptology Conference (CRYPTO) | 2010

Factorization of a 768-bit RSA modulus

Thorsten Kleinjung; Kazumaro Aoki; Jens Franke; Arjen K. Lenstra; Emmanuel Thomé; Joppe W. Bos; Pierrick Gaudry; Alexander Kruppa; Peter L. Montgomery; Dag Arne Osvik; Herman J. J. te Riele; Andrey V. Timofeev; Paul Zimmermann

This paper reports on the factorization of the 768-bit number RSA-768 by the number field sieve factoring method and discusses some implications for RSA.


Selected Areas in Cryptography (SAC) | 2000

Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms - Design and Analysis

Kazumaro Aoki; Tetsuya Ichikawa; Masayuki Kanda; Mitsuru Matsui; Shiho Moriai; Junko Nakajima; Toshio Tokita

We present a new 128-bit block cipher called Camellia. Camellia supports 128-bit block size and 128-, 192-, and 256-bit keys, i.e., the same interface specifications as the Advanced Encryption Standard (AES). Efficiency on both software and hardware platforms is a remarkable characteristic of Camellia in addition to its high level of security. It is confirmed that Camellia provides strong security against differential and linear cryptanalyses. Compared to the AES finalists, i.e., MARS, RC6, Rijndael, Serpent, and Twofish, Camellia offers at least comparable encryption speed in software and hardware. An optimized implementation of Camellia in assembly language can encrypt on a Pentium III (800MHz) at the rate of more than 276 Mbits per second, which is much faster than the speed of an optimized DES implementation. In addition, a distinguishing feature is its small hardware design. The hardware design, which includes encryption and decryption and key schedule, occupies approximately 11K gates, which is the smallest among all existing 128-bit block ciphers as far as we know.


Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT) | 2009

Finding Preimages in Full MD5 Faster Than Exhaustive Search

Yu Sasaki; Kazumaro Aoki

In this paper, we present the first cryptographic preimage attack on the full MD5 hash function. This attack, with a complexity of 2^116.9, generates a pseudo-preimage of MD5 and, with a complexity of 2^123.4, generates a preimage of MD5. The memory complexity of the attack is 2^45 × 11 words. Our attack is based on splice-and-cut and local-collision techniques that have been applied to step-reduced MD5 and other hash functions. We first generalize and improve these techniques so that they can be more efficiently applied to many hash functions whose message expansions are a permutation of message-word order in each round. We then apply these techniques to MD5 and optimize the attack by considering the details of the MD5 structure.


Selected Areas in Cryptography (SAC) | 2009

Preimage Attacks on One-Block MD4, 63-Step MD5 and More

Kazumaro Aoki; Yu Sasaki

This paper shows preimage attacks on one-block MD4 and MD5 reduced to 63 (out of 64) steps. Our attacks are based on the meet-in-the-middle attack, and many additional improvements make the preimage computable faster than the brute-force attack, which needs 2^128 hash computations. A preimage of one-block MD4 can be computed in the complexity of 2^107 MD4 compression function computations, and a preimage of MD5 reduced to 63 steps can be computed in the complexity of 2^121 MD5 compression function computations. Moreover, we optimize the computational order of the brute-force attack against MD5, and a preimage of full-round MD5 can be computed in the complexity of 2^127 MD5 compression function computations.


International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT) | 2009

Preimages for Step-Reduced SHA-2

Kazumaro Aoki; Jian Guo; Krystian Matusiewicz; Yu Sasaki; Lei Wang

In this paper, we present preimage attacks on up to 43-step SHA-256 (around 67% of the total 64 steps) and 46-step SHA-512 (around 57.5% of the total 80 steps), which significantly increases the number of attacked steps compared to the best previously published preimage attack working for 24 steps. The time complexities are 2^251.9 and 2^509 compression function operations for finding pseudo-preimages and 2^254.9 and 2^511.5 for full preimages. The memory requirements are modest, around 2^6 words for 43-step SHA-256 and 46-step SHA-512. The pseudo-preimage attack also applies to 43-step SHA-224 and SHA-384. Our attack is a meet-in-the-middle attack that uses a range of novel techniques to split the function into two independent parts that can be computed separately and then matched in a birthday-style phase.


International Cryptology Conference (CRYPTO) | 2009

Meet-in-the-Middle Preimage Attacks Against Reduced SHA-0 and SHA-1

Kazumaro Aoki; Yu Sasaki

Preimage resistance of several hash functions has already been broken by meet-in-the-middle attacks, and they utilize the property that their message schedules consist of only permutations of message words. It is unclear whether this type of attack is applicable to a hash function whose message schedule does not consist of permutations of message words. This paper proposes new attacks against reduced SHA-0 and SHA-1 hash functions by analyzing a message schedule that does not consist of permutations but linear combinations of message words. The newly developed cryptanalytic techniques enable the meet-in-the-middle attack to be applied to reduced SHA-0 and SHA-1 hash functions. The attacks find preimages of SHA-0 and SHA-1 in 2^156.6 and 2^159.3 compression function computations up to 52 and 48 steps, respectively, compared to the brute-force attack, which requires 2^160 compression function computations. The previous best attacks find preimages up to 49 and 44 steps, respectively.


International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT) | 2008

Preimage Attacks on 3, 4, and 5-Pass HAVAL

Yu Sasaki; Kazumaro Aoki

This paper proposes preimage attacks on the hash function HAVAL whose output length is 256 bits. This paper has three main contributions: a preimage attack on 3-pass HAVAL at the complexity of 2^225, a preimage attack on 4-pass HAVAL at the complexity of 2^241, and a preimage attack on 5-pass HAVAL reduced to 151 steps at the complexity of 2^241. Moreover, we optimize the computational order for the brute-force attack on full 5-pass HAVAL, and its complexity is 2^254.89. As far as we know, the proposed attack on 3-pass HAVAL is the best attack, and there is no preimage attack so far on 4-pass and 5-pass HAVAL. Note that the complexity of the previous best attack on 3-pass HAVAL is 2^230. Technically, our attacks find pseudo-preimages of HAVAL by combining the meet-in-the-middle and local-collision approaches, then convert pseudo-preimages to a preimage by using a generic algorithm.


Selected Areas in Cryptography (SAC) | 1998

A Strategy for Constructing Fast Round Functions with Practical Security Against Differential and Linear Cryptanalysis

Masayuki Kanda; Youichi Takashima; Tsutomu Matsumoto; Kazumaro Aoki

In this paper, we study a strategy for constructing fast and practically secure round functions that yield sufficiently small values of the maximum differential and linear probabilities p, q. We consider mn-bit round functions with a 2-round SPN structure for Feistel ciphers. In this strategy, we regard a linear transformation layer as an n × n matrix P over {0,1}. We describe the relationship between the matrix representation and the actual construction of the linear transformation layer. We propose a search algorithm for constructing the optimal linear transformation layer by using the matrix representation in order to minimize the probabilities p, q as much as possible. Furthermore, by this algorithm, we determine the optimal linear transformation layer that provides p ≤ p_s^5, q ≤ q_s^5 in the case of n = 8, where p_s, q_s denote the maximum differential and linear probabilities of the s-box.
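The exponent in the bound p ≤ p_s^5 is the number of S-boxes that any nonzero difference must activate across the two SPN rounds, which is the branch number of the binary matrix P. The following is an added example, not code from the paper above or from the Camellia specification: it computes the differential and linear branch numbers of an n × n matrix over {0,1} by exhausting the 2^n − 1 nonzero activity patterns, checks that the matrix is invertible over GF(2) (a singular layer has a pattern that vanishes entirely), and turns the result into the p ≤ p_s^B, q ≤ q_s^B bound. The matrix it checks is Camellia's P-function as listed in RFC 3713 section 2.4, since the Camellia paper above uses exactly this kind of layer with n = 8; the function names, the identity matrix used as a contrast, and the 0-based index convention are this example's own.

```python
"""Branch number of a binary diffusion layer for a 2-round SPN round function.

Added example; not code from the Kanda et al. paper or the Camellia spec.
An activity pattern x is an n-bit mask (bit i set = input S-box i active);
P x is the mask of outputs forced active.  The matrix checked is Camellia's
P-function from RFC 3713, sec. 2.4, rewritten with 0-based indices."""
import math

# Row j lists the inputs XORed into output j (1 = included).
CAMELLIA_P = [
    [1, 0, 1, 1, 0, 1, 1, 1],  # z1' = z1 ^ z3 ^ z4 ^ z6 ^ z7 ^ z8
    [1, 1, 0, 1, 1, 0, 1, 1],  # z2' = z1 ^ z2 ^ z4 ^ z5 ^ z7 ^ z8
    [1, 1, 1, 0, 1, 1, 0, 1],  # z3' = z1 ^ z2 ^ z3 ^ z5 ^ z6 ^ z8
    [0, 1, 1, 1, 1, 1, 1, 0],  # z4' = z2 ^ z3 ^ z4 ^ z5 ^ z6 ^ z7
    [1, 1, 0, 0, 0, 1, 1, 1],  # z5' = z1 ^ z2 ^ z6 ^ z7 ^ z8
    [0, 1, 1, 0, 1, 0, 1, 1],  # z6' = z2 ^ z3 ^ z5 ^ z7 ^ z8
    [0, 0, 1, 1, 1, 1, 0, 1],  # z7' = z3 ^ z4 ^ z5 ^ z6 ^ z8
    [1, 0, 0, 1, 1, 1, 1, 0],  # z8' = z1 ^ z4 ^ z5 ^ z6 ^ z7
]

# Contrast case (constructed): no diffusion at all, so only 2 S-boxes are forced active.
IDENTITY_8 = [[int(i == j) for i in range(8)] for j in range(8)]


def popcount(x):
    return bin(x).count("1")


def apply(P, x):
    """y = P x over GF(2): bit j of y is the parity of the inputs that row j selects."""
    y = 0
    for j, row in enumerate(P):
        bit = 0
        for i, p in enumerate(row):
            bit ^= p & (x >> i) & 1
        y |= bit << j
    return y


def transpose(P):
    return [list(col) for col in zip(*P)]


def rank_gf2(P):
    """Rank over GF(2) by Gaussian elimination on rows packed as bitmasks."""
    rows = [sum(b << i for i, b in enumerate(row)) for row in P]
    rank = 0
    for col in range(len(P)):
        pivot = next((r for r in range(rank, len(rows)) if rows[r] >> col & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for r in range(len(rows)):
            if r != rank and rows[r] >> col & 1:
                rows[r] ^= rows[rank]
        rank += 1
    return rank


def branch_number(P):
    """Differential branch number B_d = min over nonzero x of wt(x) + wt(P x):
    the number of S-boxes any nonzero difference activates over two rounds.
    Exhaustive over the 2^n - 1 nonzero patterns; instant for the paper's n = 8."""
    n = len(P)
    return min(popcount(x) + popcount(apply(P, x)) for x in range(1, 1 << n))


def linear_branch_number(P):
    """Linear masks propagate through the transpose, so B_l = B_d(P^T)."""
    return branch_number(transpose(P))


def probability_bounds(P, ps, qs):
    """Bounds for the 2-round SPN: p <= ps ** B_d and q <= qs ** B_l, where ps, qs
    are the S-box's maximum differential and linear probabilities."""
    return ps ** branch_number(P), qs ** linear_branch_number(P)


if __name__ == "__main__":
    for name, P in (("Camellia P", CAMELLIA_P), ("identity", IDENTITY_8)):
        print(f"{name}: rank={rank_gf2(P)} B_d={branch_number(P)} B_l={linear_branch_number(P)}")
    # Camellia's S-boxes have ps = qs = 2^-6 (from the Camellia design paper).
    p, q = probability_bounds(CAMELLIA_P, 2.0 ** -6, 2.0 ** -6)
    print(f"2-round SPN with Camellia P: p <= 2^{math.log2(p):.0f}, q <= 2^{math.log2(q):.0f}")
```

Byte-valued differences can cancel inside an XOR of three or more active inputs, so the bit-level patterns above might look optimistic; they are not. Any nonzero byte-vector difference has some bit position whose slice across the bytes is a nonzero n-bit pattern x, and every output byte with a 1 in P x is necessarily active, so wt(x) + wt(P x) is a lower bound on the byte-level count, and it is attained by giving every active input byte the same value. Camellia's P reaches 5, which is the value the abstract above reports as optimal for n = 8.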


International Conference on Information Security (ISC) | 2001

Elliptic Curve Arithmetic Using SIMD

Kazumaro Aoki; Fumitaka Hoshino; Tetsutaro Kobayashi; Hiroaki Oguro

Focusing on servers that process many signatures or ciphertexts, this paper proposes two techniques for parallel computing with SIMD, which significantly enhances the speed of elliptic curve scalar multiplication. We also evaluate one of them based on a real implementation on a Pentium III, which incorporates the SIMD architecture. The results show that the proposed method is about 4.4 times faster than the conventional method.


Australasian Conference on Information Security and Privacy (ACISP) | 2009

Meet-in-the-Middle Preimage Attacks on Double-Branch Hash Functions: Application to RIPEMD and Others

Yu Sasaki; Kazumaro Aoki

We describe preimage attacks on several double-branch hash functions. We first present meet-in-the-middle preimage attacks on RIPEMD, whose output length is 128 bits and internal state size is 256 bits. With this internal state size, a straightforward application of the meet-in-the-middle attack will cost a complexity of at least 2^128, which gives no advantage compared to the brute-force attack. We show two attacks on RIPEMD. The first attack finds pseudo-preimages and preimages of the first 33 steps with complexities of 2^121 and 2^125.5, respectively. The second attack finds pseudo-preimages and preimages of the intermediate 35 steps with complexities of 2^96 and 2^113, respectively. We next present meet-in-the-middle preimage attacks on full Extended MD4, reduced RIPEMD-256, and reduced RIPEMD-320. The best known attack for these is the brute-force attack. We show how to find preimages more efficiently on these hash functions.
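The MD5, MD4, HAVAL and RIPEMD abstracts above all rest on the same two ideas: splice-and-cut, where a fixed internal state lets the message words on each side of the cut be enumerated independently and matched on the chaining value the feed-forward demands (a pseudo-preimage, since the chaining value is not chosen), and a generic conversion that turns pseudo-preimages into a preimage from the real IV. The following added example, not code from any of the papers, runs both on a constructed 20-bit two-step Davies-Meyer toy so the whole search finishes in well under a second; the constants, the step function, the IV and every function name are this example's own. The toy's halves split cleanly, so the gain is the full square root; on a real function only a few steps can be made independent of each side's message words, which is why the papers' complexities sit just below the brute-force bound.

```python
"""Splice-and-cut meet-in-the-middle pseudo-preimage search and the generic
pseudo-preimage -> preimage conversion, on a toy Davies-Meyer hash.

Added example; not code from the listed papers.  All sizes and constants are
constructed so the search runs in milliseconds."""
import random

N = 20                      # state/digest width in bits (toy size; MD5 uses 128)
MASK = (1 << N) - 1
IV = 0x3A7F1                # constructed initial value
ODD = 0x9E3B5               # odd multiplier: x -> x*ODD is a bijection mod 2^N
ODD_INV = pow(ODD, -1, 1 << N)
ROT = 7
STEP_CALLS = [0]            # cost counter: one unit per step or inverse step


def rotl(x, r):
    return ((x << r) | (x >> (N - r))) & MASK


def rotr(x, r):
    return ((x >> r) | (x << (N - r))) & MASK


def step(s, m):
    """One invertible step absorbing message word m into state s."""
    STEP_CALLS[0] += 1
    return (rotl(s ^ m, ROT) * ODD) & MASK


def step_inv(s_next, m):
    """Inverse of step(): recovers the previous state from s_next and m."""
    STEP_CALLS[0] += 1
    return rotr((s_next * ODD_INV) & MASK, ROT) ^ m


def compress(cv, m0, m1):
    """Two-step Davies-Meyer compression: E_(m0,m1)(cv) + cv (feed-forward)."""
    return (step(step(cv, m0), m1) + cv) & MASK


def hash_blocks(blocks, iv=IV):
    """Merkle-Damgard chaining over (m0, m1) blocks; padding omitted in the toy."""
    cv = iv
    for m0, m1 in blocks:
        cv = compress(cv, m0, m1)
    return cv


def pseudo_preimage(target, rng=None):
    """Return (cv, m0, m1) with compress(cv, m0, m1) == target for some cv.

    Splice-and-cut: fix the state 'mid' between the two steps.  The forward
    chunk (step 2 plus feed-forward) depends only on m1 and the backward chunk
    (inverse of step 1) only on m0, so each side is tabulated with 2^(N/2) work
    and matched on the chaining value, instead of 2^N trials."""
    rng = random.Random(2009) if rng is None else rng
    k = N // 2
    while True:
        mid = rng.getrandbits(N)
        fwd = {}
        for m1 in range(1 << k):            # forward chunk: m1 -> cv the feed-forward needs
            s2 = step(mid, m1)
            fwd[(target - s2) & MASK] = m1  # target = s2 + cv  =>  cv = target - s2
        for m0 in range(1 << k):            # backward chunk: m0 -> cv that reaches mid
            cv = step_inv(mid, m0)
            if cv in fwd:
                return cv, m0, fwd[cv]
        # No match for this cut value (happens about 1/e of the time): pick another mid.


def preimage(target, rng=None):
    """Generic conversion: collect pseudo-preimages keyed by chaining value and,
    in between, try random first blocks from the real IV until one lands on a
    collected chaining value.  Result: a two-block message hashing to target."""
    rng = random.Random(2009) if rng is None else rng
    by_cv = {}
    while True:
        cv, m0, m1 = pseudo_preimage(target, rng)
        by_cv[cv] = (m0, m1)
        for _ in range(1 << (N // 2 + 1)):  # balance forward trials against one MITM run
            first = (rng.getrandbits(N), rng.getrandbits(N))
            cv0 = compress(IV, *first)
            if cv0 in by_cv:
                return [first, by_cv[cv0]]


if __name__ == "__main__":
    target = 0xC0FFE
    STEP_CALLS[0] = 0
    cv, m0, m1 = pseudo_preimage(target)
    print(f"pseudo-preimage: cv={cv:05x} m=({m0:05x},{m1:05x}) -> {compress(cv, m0, m1):05x}")
    print(f"step evaluations: {STEP_CALLS[0]} (brute force expects about 2^{N} = {1 << N})")
    blocks = preimage(target)
    print(f"two-block preimage from IV: {blocks} -> {hash_blocks(blocks):05x}")
```

The conversion's cost balance is the same one the HAVAL abstract relies on: each pseudo-preimage costs about 2 · 2^(N/2) step evaluations here, so roughly that many forward trials are spent per pseudo-preimage, and the two tables meet after about 2^((N + N/2)/2) work in total, still well below 2^N. Feed-forward is what makes the cut possible: without the final addition of the chaining value, the backward chunk would have nothing to match against.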

Collaboration

Top Co-Authors

Masayuki Kanda
Yokohama National University

Yu Sasaki
University of Electro-Communications