Publication


Featured research published by Shiho Moriai.


Selected Areas in Cryptography | 2000

Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms - Design and Analysis

Kazumaro Aoki; Tetsuya Ichikawa; Masayuki Kanda; Mitsuru Matsui; Shiho Moriai; Junko Nakajima; Toshio Tokita

We present a new 128-bit block cipher called Camellia. Camellia supports 128-bit block size and 128-, 192-, and 256-bit keys, i.e., the same interface specifications as the Advanced Encryption Standard (AES). Efficiency on both software and hardware platforms is a remarkable characteristic of Camellia in addition to its high level of security. It is confirmed that Camellia provides strong security against differential and linear cryptanalyses. Compared to the AES finalists, i.e., MARS, RC6, Rijndael, Serpent, and Twofish, Camellia offers at least comparable encryption speed in software and hardware. An optimized implementation of Camellia in assembly language can encrypt on a Pentium III (800MHz) at the rate of more than 276 Mbits per second, which is much faster than the speed of an optimized DES implementation. In addition, a distinguishing feature is its small hardware design. The hardware design, which includes encryption and decryption and key schedule, occupies approximately 11K gates, which is the smallest among all existing 128-bit block ciphers as far as we know.


Fast Software Encryption | 2007

The 128-Bit Blockcipher CLEFIA (Extended Abstract)

Taizo Shirai; Kyoji Shibutani; Toru Akishita; Shiho Moriai; Tetsu Iwata

We propose a new 128-bit blockcipher CLEFIA supporting key lengths of 128, 192 and 256 bits, which is compatible with AES. CLEFIA achieves enough immunity against known attacks and flexibility for efficient implementation in both hardware and software by adopting several novel and state-of-the-art design techniques. CLEFIA achieves a good performance profile both in hardware and software. In hardware using a 0.09 μm CMOS ASIC library, about 1.60 Gbps with less than 6 Kgates, and in software, about 13 cycles/byte, 1.48 Gbps on 2.4 GHz AMD Athlon 64 is achieved. CLEFIA is a highly efficient blockcipher, especially in hardware.


Fast Software Encryption | 2001

Efficient Algorithms for Computing Differential Properties of Addition

Helger Lipmaa; Shiho Moriai

In this paper we systematically study the differential properties of addition modulo 2^n. We derive Θ(log n)-time algorithms for most of the properties, including differential probability of addition. We also present log-time algorithms for finding good differentials. Despite the apparent simplicity of modular addition, the best known algorithms require naive exhaustive computation. Our results represent a significant improvement over them. In the most extreme case, we present a complexity reduction from Θ(2^(4n)) to Θ(log n).


International Cryptology Conference | 1995

Improving the Search Algorithm for the Best Linear Expression

Shiho Moriai; Kazumaro Aoki

It is important to find the best linear expression to estimate the vulnerability of cryptosystems to Linear Cryptanalysis. This paper presents a method to improve Matsui's search algorithm which determines the best linear expression. This method is based on analyzing the dominant factor of search complexity. We introduce the search pattern in order to reduce unnecessary search candidates, and apply the proposed search algorithm to DES and FEAL. The n-round best linear expressions of DES are found as fast as Matsui's algorithm for n ≤ 32. Those of FEAL are found much faster than his algorithm; the required time is decreased from over three months to about two and a half days. New results for FEAL are also described; we find the n-round best linear expressions (n ≤ 32) with higher deviations than those derived from Biham's 4-round iterative linear approximations.


Cryptographic Hardware and Embedded Systems | 2012

Lightweight cryptography for the cloud: exploit the power of bitslice implementation

Seiichi Matsuda; Shiho Moriai

This paper shows the great potential of lightweight cryptography in fast and timing-attack-resistant software implementations in cloud computing by exploiting bitslice implementation. This is demonstrated by bitslice implementations of the PRESENT and Piccolo lightweight block ciphers. In particular, bitsliced PRESENT-80/128 achieves 4.73 cycles/byte and Piccolo-80 achieves 4.57 cycles/byte including data conversion on an Intel Xeon E3-1280 processor (Sandy Bridge microarchitecture). It is also expected that bitslice implementation offers resistance to side channel attacks such as cache timing attacks and cross-VM attacks in a multi-tenant cloud environment. Lightweight cryptography is not limited to constrained devices, and this work opens the way to its application in cloud computing.


Fast Software Encryption | 1997

Best Differential Characteristic Search of FEAL

Kazumaro Aoki; Kunio Kobayashi; Shiho Moriai

This paper presents the results of the best differential characteristic search of FEAL. The search algorithm for the best differential characteristic (best linear expression) was already presented by Matsui, and improvements on this algorithm were presented by Moriai et al. We further improve the speed of the search algorithm. For example, the search time for the 7-round best differential characteristic of FEAL is reduced to about 10 minutes (Pentium/166 MHz), which is about 2^(12.6) times faster than Matsui's algorithm. Moreover, we determine all the best differential characteristics of FEAL for up to 32 rounds assuming all S-boxes are independent. As a result, we confirm that the N-round (7 < N < 32) best differential characteristic probability of FEAL is 2^(-2N), which was found by Biham. For N = 6, we find 6-round differential characteristics with a greater probability, 2^(-11), than that previously discovered, 2^(-12).


ISW '97 Proceedings of the First International Workshop on Information Security | 1997

Improving the Higher Order Differential Attack and Cryptanalysis of the KN Cipher

Takeshi Shimoyama; Shiho Moriai; Toshinobu Kaneko

Since the proposal of differential cryptanalysis and linear cryptanalysis in 1991 and 1993, respectively, the resistance to these cryptanalyses has been studied for many cryptosystems. Moreover, some block ciphers with provable security against differential and linear cryptanalysis have been proposed. One of them is the KN cipher proposed by Knudsen and Nyberg. The KN cipher is a prototype cipher with provable security against ordinary differential cryptanalysis, and has been proved to be secure against linear cryptanalysis, too. Recently a new method of attacking block ciphers, the higher order differential attack, was proposed, and Jakobsen and Knudsen showed that the KN cipher can be attacked by this method in FSE4. In this paper, we improve this attack to reduce both the number of required chosen plaintexts and the running time, and apply it to the cryptanalysis of the KN cipher. We show that, for attacking the KN cipher with 6 rounds, the number of required chosen plaintexts can be reduced by half and the running time reduced from 2^41 to 2^14, and that all round keys can be derived in only 0.02 seconds on a Sun Ultra 1 (UltraSPARC 170 MHz).


Fast Software Encryption | 2001

Impossible Differential Cryptanalysis of Zodiac

Deukjo Hong; Jaechul Sung; Shiho Moriai; Sangjin Lee; Jongin Lim

We discuss the impossible differential cryptanalysis of the blockcipher Zodiac. The main design principles of Zodiac are simplicity and efficiency. However, the diffusion layer in its round function is too simple to offer enough security. An impossible differential cryptanalysis is a proper method to attack the weakness of Zodiac. Our attack using two 14-round impossible characteristics derives the 128-bit master key of the full 16-round Zodiac with complexity 2^119 encryptions, which is faster than the exhaustive search. The efficiency of the attack compared with exhaustive search increases as the key size increases.


International Conference on Applications and Techniques in Information Security | 2017

Privacy-Preserving Deep Learning: Revisited and Enhanced

Le Trieu Phong; Yoshinori Aono; Takuya Hayashi; Lihua Wang; Shiho Moriai

We build a privacy-preserving deep learning system in which many learning participants perform neural network-based deep learning over a combined dataset of all, without actually revealing the participants' local data to a curious server. To that end, we revisit the previous work by Shokri and Shmatikov (ACM CCS 2015) and point out that local data information may actually be leaked to an honest-but-curious server. We then move on to fix that problem via building an enhanced system with the following properties: (1) no information is leaked to the server; and (2) accuracy is kept intact, compared to that of the ordinary deep learning system also over the combined dataset. Our system makes use of additively homomorphic encryption, and we show that our usage of encryption adds little overhead to the ordinary deep learning system.


Scientific Reports | 2016

Unbreakable distributed storage with quantum key distribution network and password-authenticated secret sharing

Mikio Fujiwara; Atsushi Waseda; Ryo Nojima; Shiho Moriai; Wakaha Ogata; Masahide Sasaki

Distributed storage plays an essential role in realizing robust and secure data storage in a network over long periods of time. A distributed storage system consists of a data owner machine, multiple storage servers and channels to link them. In such a system, a secret sharing scheme is widely adopted, in which secret data are split into multiple pieces and stored in each server. To reconstruct them, the data owner should gather plural pieces. Shamir's (k, n)-threshold scheme, in which the data are split into n pieces (shares) for storage and at least k pieces of them must be gathered for reconstruction, furnishes information theoretic security, that is, even if attackers could collect shares of less than the threshold k, they cannot get any information about the data, even with unlimited computing power. Behind this scenario, however, it is assumed that data transmission and authentication must be perfectly secure, which is not trivial in practice. Here we propose a totally information theoretically secure distributed storage system based on a user-friendly single-password-authenticated secret sharing scheme and secure transmission using quantum key distribution, and demonstrate it in the Tokyo metropolitan area (≤90 km).

Collaboration


Shiho Moriai's collaborators.

Top Co-Authors

Kazumaro Aoki (Nippon Telegraph and Telephone)

Asami Yoshida (Sony Computer Entertainment)

Tomoyuki Asano (Sony Computer Entertainment)

Masayuki Kanda (Yokohama National University)

Atsushi Waseda (National Institute of Information and Communications Technology)