Publication


Featured researches published by Noboru Kunihiro.


international cryptology conference | 2008

New key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5

Lei Wang; Noboru Kunihiro

At Crypto 07, Fouque, Leurent and Nguyen presented full key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5, by extending the partial key-recovery attacks of Contini and Yin from Asiacrypt 06. Such attacks are based on collision attacks on the underlying hash function, and the most expensive stage is the recovery of the so-called outer key. In this paper, we show that the outer key can be recovered with near-collisions instead of collisions: near-collisions can be easier to find and can disclose more information. This improves the complexity of the FLN attack on HMAC/NMAC-MD4: the number of MAC queries decreases from 2^88 to 2^72, and the number of MD4 computations decreases from 2^95 to 2^77. We also improved the total complexity of the related-key attack on NMAC-MD5. Moreover, our attack on NMAC-MD5 can partially recover the outer key without the knowledge of the inner key, which might be of independent interest.


international conference on the theory and application of cryptology and information security | 2006

Improved collision search for SHA-0

Yusuke Naito; Yu Sasaki; Takeshi Shimoyama; Jun Yajima; Noboru Kunihiro

At CRYPTO 2005, Xiaoyun Wang, Hongbo Yu and Yiqun Lisa Yin proposed a collision attack on SHA-0 that could generate a collision with complexity 2^39 SHA-0 hash operations. Although the method of Wang et al. can find messages that satisfy the sufficient conditions in steps 1 to 20 by using message modification, it makes no mention of the message modifications needed to yield satisfaction of the sufficient conditions in steps 21 and onwards.

In this paper, first, we give sufficient conditions for the steps from step 21, and propose submarine modification as the message modification technique that will ensure satisfaction of the sufficient conditions from steps 21 to 24. Submarine modification is an extension of the multi-message modification used in collision attacks on the MD-family. Next, we point out that the sufficient conditions given by Wang et al. are not enough to generate a collision with high probability; we rectify this shortfall by introducing two new sufficient conditions. The combination of our newly found sufficient conditions and submarine modification allows us to generate a collision with complexity 2^36 SHA-0 hash operations. At the end of this paper, we show an example of a collision generated by applying our proposals.


the cryptographers track at the rsa conference | 2008

Security of MD5 challenge and response: extension of APOP password recovery attack

Yu Sasaki; Lei Wang; Noboru Kunihiro

In this paper, we propose an extension of the APOP attack that recovers the first 31 characters of an APOP password in practical time, and theoretically recovers 61 characters. We have implemented our attack, and have confirmed that 31 characters can be successfully recovered. Therefore, the security of APOP is completely broken. The core of our new technique is finding collisions for MD5 which are more suitable for the recovery of APOP passwords. These collisions are constructed by employing the collision attack of den Boer and Bosselaers and by developing a new technique named IV Bridge, which is an important step to satisfy the basic requirements of the collision finding phase. We show that the construction of this IV Bridge can be done efficiently as well.


information security practice and experience | 2007

A sanitizable signature scheme with aggregation

Tetsuya Izu; Noboru Kunihiro; Masahiko Takenaka; Takashi Yoshioka

A sanitizable signature scheme is a digital signature scheme in which, after generating a signer's signature on a document, specific entities (called sanitizers) can modify the document for hiding partial information. A verifier can confirm the integrity of disclosed parts of the sanitized document from the signature. The sanitizable signature is quite useful in governmental or military offices, where there is a dilemma between disclosure requirements of documents and privacy or diplomatic secrets. In this paper, we construct an efficient and provably secure sanitizable signature scheme with aggregation from bilinear maps, based on a sanitizable signature proposed by Izu et al., by applying the general aggregate signature by Boneh et al. We also propose some efficiency improvements on the proposed scheme by reducing the number of hash values required as the verifier's input.


the cryptographers track at the rsa conference | 2008

Small secret key attack on a variant of RSA (due to Takagi)

Kouichi Itoh; Noboru Kunihiro; Kaoru Kurosawa

For a variant of RSA with modulus N = p^r q and ed ≡ 1 mod (p - 1)(q - 1), we show that d can be recovered if d < N^((2 - √2)/(r + 1)). (Note that φ(N) ≠ (p - 1)(q - 1).) Boneh-Durfee's result for the standard RSA is obtained as a special case for r = 1. Technically, we develop a method of finding a small root of a trivariate polynomial equation f(x, y, z) = x(y - 1)(z - 1) + 1 = 0 (mod e) under the condition that y^r z = N. Our result cannot be obtained from the generic method of Jochemsz-May.


international conference on progress in cryptology | 2008

New definition of density on knapsack cryptosystems

Noboru Kunihiro

Many knapsack cryptosystems have been proposed, but almost all the schemes are vulnerable to lattice attack because of their low density. To prevent the lattice attack, Chor and Rivest proposed a low weight knapsack scheme, which made the density higher than the critical density. In Asiacrypt 2005, Nguyen and Stern introduced pseudo-density and proved that if the pseudo-density is low enough (even if the usual density is not low enough), the knapsack scheme can be broken by a single call to an SVP/CVP oracle. However, the usual density and the pseudo-density are not individually sufficient to measure the resistance to the lattice attack. In this paper, we first introduce a new notion of density D, which naturally unifies the previous two densities. Next, we derive conditions for our density so that a knapsack scheme is vulnerable to lattice attack. We obtain a critical bound of density which depends only on the ratio of the message length and its Hamming weight. Furthermore, we show that if D < 0.8677, the knapsack scheme is solved by lattice attack. Next, we show that the critical bound goes to 1 if the Hamming weight decreases, which means that it is quite difficult to construct a low weight knapsack scheme which is supported by an argument of density.


fast software encryption | 2007

New message difference for MD4

Yu Sasaki; Lei Wang; Noboru Kunihiro

This paper proposes several approaches to improve the collision attack on MD4 proposed by Wang et al. First, we propose a new local collision that is the best for the MD4 collision attack. Selection of a good message difference is the most important step in achieving effective collision attacks. This is the first paper to introduce an improvement to the message difference approach of Wang et al., where we propose a new local collision. Second, we propose a new algorithm for constructing differential paths. While similar algorithms have been proposed, they do not support the new local collision technique. Finally, we complete a collision attack, and show that the complexity is smaller than that of the previous best work.


financial cryptography | 2006

Provably secure electronic cash based on blind multisignature schemes

Yoshikazu Hanatani; Yuichi Komano; Noboru Kunihiro

Though various blind multisignature schemes have been proposed for secure electronic cash, the formal model of security was not discussed. This paper first formalizes the security notions for e-cash schemes based on the blind multisignature scheme. We then construct a blind multisignature scheme and propose a new untraceable e-cash scheme, which is provably secure under the DDH assumption in the random oracle model, applying the blind multisignature scheme. The proposed scheme can ensure the framing attack by banks, where they collude to simulate the double-spending of an honest user.


workshop on information security applications | 2009

Sanitizable and Deletable Signature

Tetsuya Izu; Noboru Kunihiro; Makoto Sano; Masahiko Takenaka

Recently, the sanitizable signature has attracted much attention since it allows modifying (sanitizing) the document for hiding partial information without keeping the integrity of the disclosed subdocuments. Sanitizable signatures are quite useful in governmental or military offices, where there is a dilemma between disclosure laws for public documents and privacy or diplomatic secrets. Since a verifier can detect whether the document was sanitized or not, and especially which subdocuments were sanitized, the scheme does not establish perfect hiding. In order to solve the problem, the deletable signature was introduced in 2006. However, because these schemes are not compatible with each other, we have to select the scheme to meet the requirement. In this paper, we propose the sanitizable and deletable signature as a combination of the sanitizable signature and the deletable signature. We also establish two concrete sanitizable and deletable signatures based on the deletable signature by Miyazaki, Hanaoka and Imai.


computer and communications security | 2008

A strict evaluation method on the number of conditions for the SHA-1 collision search

Jun Yajima; Terutoshi Iwasaki; Yusuke Naito; Yu Sasaki; Takeshi Shimoyama; Noboru Kunihiro

This paper proposes a new algorithm for evaluating the number of chaining variable conditions (CVCs) in the selecting step of a disturbance vector (DV) for the analysis of the SHA-1 collision attack. The algorithm is constructed by combining the following four strategies: Strict Differential Bit Compression, DV expansion, Precise Counting Rules in Every Step, and Differential Path Confirmation for Rounds 2 to 4. These can evaluate the number of CVCs more strictly compared with the previous approach.

Collaboration

Top Co-Authors of Noboru Kunihiro

Yu Sasaki | University of Electro-Communications

Lei Wang | Nanyang Technological University

Yasuhiro Takahashi | University of Electro-Communications

Bagus Santoso | University of Electro-Communications