Kazuo Ohta
- Article
A quantum algorithm using NMR computers to break secret-key cryptosystems
In this paper, we discuss quantum algorithms that, for a given plaintext m₀ and a given ciphertext c₀, will find a secret key, k₀, satisfying c₀ = E(k...
- Chapter
Efficient Universal Padding Techniques for Multiplicative Trapdoor One-Way Permutation
Coron et al. proposed the ES-based scheme PSS-ES which realizes an encryption scheme and a signature scheme with a unique padding technique and key pair. The security of PSS-ES as an encryption scheme is based...
- Article
A new method for enhancing variety and maintaining reliability of PUF responses and its evaluation on ASICs
Physically unclonable functions (PUFs) are expected to provide a breakthrough in anti-counterfeiting devices for secure ID generation and authentication, etc. Factory-manufactured PUFs are generally more secur...
- Article
Practical improvements of side-channel attacks on AES: feedback from the 2nd DPA contest
Side-channel analyses constitute a major threat for embedded devices, because they allow an attacker to recover secret keys without the device being aware of the sensitive information theft. They have been pro...
- Chapter
Constant Rounds Almost Linear Complexity Multi-party Computation for Prefix Sum
One of research goals on multi-party computation (MPC) is to achieve both perfectly secure and efficient protocols for basic functions or operations (e.g., equality, comparison, bit decomposition, and modular ...
- Chapter
An Automated Evaluation Tool for Improved Rebound Attack: New Distinguishers and Proposals of ShiftBytes Parameters for Grøstl
In this paper, we study the security of AES-like permutations against the improved rebound attack proposed by Jean et al. at FSE 2012 which covers three full-active rounds in the inbound phase. The attack is v...
- Chapter
Yet Another Fault-Based Leakage in Non-uniform Faulty Ciphertexts
This paper discusses the information leakage that comes from the non-uniform distribution of the faulty calculation results for hardware AES implementations under setup-time violations. For the setup-time viol...
- Chapter
Improved Indifferentiable Security Analysis of PHOTON
In this paper, we study the indifferentiable security of the domain extension algorithm of the PHOTON hash function that was proven to be indifferentiable from a random oracle up to ...
- Chapter
Reset Indifferentiability from Weakened Random Oracle Salvages One-Pass Hash Functions
Ristenpart et al. (EUROCRYPT 2011) showed that the indifferentiability theorem of Maurer et al. (TCC 2004) does not cover all multi-stage security notions; it only covers single-stage security notions. They de...
- Open Access Article
Variety enhancement of PUF responses using the locations of random outputting RS latches
Physical Unclonable Functions (PUFs) are expected to represent an important solution for secure ID generation and authentication etc. In general, manufactured PUFs are considered to be more secure when the pat...
- Chapter
An Extension of Fault Sensitivity Analysis Based on Clockwise Collision
This paper proposes an extension of fault sensitivity analysis based on clockwise collision. The original FSA attack uses the fault injections to exploit the sensitivity of calculations against the fault injectio...
- Chapter
Exploring the Relations between Fault Sensitivity and Power Consumption
This paper qualitatively explores the relations between two kinds of side-channel leakages, i.e., the fault sensitivity (FS) and the power consumption. The FS is a relatively new active side-channel leakage, w...
- Chapter
Key-Dependent Weakness of AES-Based Ciphers under Clockwise Collision Distinguisher
In 2011, Li et al. proposed a series of side-channel attacks that are related to a fundamental side-channel leakage source called clockwise collision. This paper discloses the fact that hardware implementations o...
- Chapter
New Truncated Differential Cryptanalysis on 3D Block Cipher
This paper presents 11- and 13-round key-recovery attacks on block cipher 3D with the truncated differential cryptanalysis, while the previous best key-recovery attack broke only 10 rounds with the impossible ...
- Chapter
Fault Injection and Key Retrieval Experiments on an Evaluation Board
This chapter presents fault injection experiments using a side-channel evaluation board called SASEBO, which was developed to unify testing environments for side-channel analysis. We describe experiments where...
- Chapter
Polynomial-Advantage Cryptanalysis of 3D Cipher and 3D-Based Hash Function
This paper evaluates a block cipher mode, whose round functions of both the key schedule and the encryption process are independent of the round indexes. Previously related-key attack has been applied to such ...
- Chapter
Proxiable Designated Verifier Signature
Designated Verifier Signature (DVS) guarantees that only a verifier designated by a signer can verify the “validity of a signature”. In this paper, we propose a new variant of DVS; Proxiable Designated Verifier S...
- Chapter
Boomerang Distinguishers for Full HAS-160 Compression Function
This paper studies a boomerang-attack-based distinguisher against full steps of the compression function of HAS-160, which is the hash function standard in Korea. The attack produces a second-order collision f...
- Chapter
A Study on Computational Formal Verification for Practical Cryptographic Protocol: The Case of Synchronous RFID Authentication
Formal verification of cryptographic protocols has a long history with a great number of successful verification tools created. Recent progress in formal verification theory has brought more powerful tools cap...
- Chapter
On the Security of Dynamic Group Signatures: Preventing Signature Hijacking
We identify a potential weakness in the standard security model for dynamic group signatures which appears to have been overlooked previously. More specifically, we highlight that even if a scheme provably mee...
- Chapter
Three-Subset Meet-in-the-Middle Attack on Reduced XTEA
This paper presents an improved single-key attack on a block-cipher XTEA by using the three-subset meet-in-the-middle (MitM) attack. Firstly, a technique on a generic block-cipher is discussed. It points out t...
- Chapter
(Second) Preimage Attacks on Step-Reduced RIPEMD/RIPEMD-128 with a New Local-Collision Approach
This paper uses new types of local collisions named one-message-word local collisions to construct meet-in-the-middle preimage attacks on two double-branch hash functions RIPEMD and RIPEMD-128, and obtains the fo...
- Chapter
Combination of SW Countermeasure and CPU Modification on FPGA against Power Analysis
This paper presents a design flow for secure software (SW) implementations of cryptographic algorithms against Side-Channel Attacks (SCAs) by using a CPU modification. The development of countermeasures to inc...
- Chapter
On the Power of Fault Sensitivity Analysis and Collision Side-Channel Attacks in a Combined Setting
At CHES 2010 two powerful new attacks were presented, namely the Fault Sensitivity Analysis and the Correlation Collision Attack. This paper shows how these ideas can be combined to create even stronger attack...
- Chapter
Uniqueness Enhancement of PUF Responses Based on the Locations of Random Outputting RS Latches
Physical Unclonable Functions (PUFs) are expected to represent an important solution for secure ID generation and authentication etc. In general, PUFs are considered to be more secure the larger their output e...
- Chapter
Rigorous Security Requirements for Designated Verifier Signatures
In this paper, we point out that previous security models for the Designated Verifier Signature (DVS) are not sufficient because some serious problems may be caused such that the verifier cannot confirm the va...
- Chapter
Security of Practical Cryptosystems Using Merkle-Damgård Hash Function in the Ideal Cipher Model
In this paper, we clarify the security of practical cryptosystems with hash functions based on key derivation functions (KDFs). We use the indifferentiability framework in order to discuss the security because...
- Chapter
Ciphertext-Policy Delegatable Hidden Vector Encryption and Its Application to Searchable Encryption in Multi-user Setting
We propose a new type of hidden vector encryption (HVE) schemes that we call a ciphertext-policy delegatable hidden vector encryption (CP-dHVE) scheme. Several HVE or delegatable HVE schemes have already been pro...
- Chapter
Experimental Verification of Super-Sbox Analysis — Confirmation of Detailed Attack Complexity
This paper implements the super-sbox analysis on 8-round AES proposed by Gilbert and Peyrin in order to verify its correctness and the attack cost. The attack consists of three parts; the first outbound phase,...
- Chapter
Fault Sensitivity Analysis
This paper proposes a new fault-based attack called the Fault Sensitivity Analysis (FSA) attack, which unlike most existing fault-based analyses including Differential Fault Analysis (DFA) does not use values ...
- Chapter
A Generic Method for Reducing Ciphertext Length of Reproducible KEMs in the RO Model
In this paper, a simple generic method is proposed which can make a key encapsulation mechanism (KEM) more efficient. While the original KEM needs to be OW-CCCA secure and to satisfy reproducibility, the transfor...
- Chapter
Improving Efficiency of an ‘On the Fly’ Identification Scheme by Perfecting Zero-Knowledgeness
We present a new methodology for constructing an efficient identification scheme, and based on it, we propose a lightweight identification scheme whose computational and storage costs are sufficiently low even...
- Chapter
Non-full-active Super-Sbox Analysis: Applications to ECHO and Grøstl
In this paper, we present non-full-active Super-Sbox analysis which can detect non-ideal properties of a class of AES-based permutations with a low complexity. We apply this framework to SHA-3 round-2 candidates ...
- Chapter
Secret Handshake: Strong Anonymity Definition and Construction
Secret handshake allows two members in the same group to authenticate each other secretly. In previous works of secret handshake schemes, two types of anonymities against the group authority (GA) of a group G are...
- Chapter
Sanitizable and Deletable Signature
Recently, the sanitizable signature attracts much attention since it allows one to modify (sanitize) the document for hiding partial information without keeping the integrity of the disclosed subdocuments. Sanitiz...
- Chapter
Extension of Secret Handshake Protocols with Multiple Groups in Monotone Condition
Secret Handshake protocol allows members of the same group to authenticate each other secretly, that is, two members who belong to the same group can learn that the counterpart is in the same group, while non-member of...
- Chapter
Fault Analysis Attack against an AES Prototype Chip Using RSL
This paper reports a successful Fault Analysis (FA) attack against a prototype AES (Advanced Encryption Standard) hardware implementation using a logic-level countermeasure called Random Switching Logic (RSL)....
- Chapter
Security Evaluation of a DPA-Resistant S-Box Based on the Fourier Transform
At CHES 2006, Prouff et al. proposed a novel S-box calculation based on the discrete Fourier transform as a first-order DPA countermeasure. At CHES 2008, Coron et al. showed that the original countermeasure can b...
- Chapter
How to Confirm Cryptosystems Security: The Original Merkle-Damgård Is Still Alive!
At Crypto 2005, Coron et al. showed that Merkle-Damgård hash function (MDHF) with a fixed input length random oracle is not indifferentiable from a random oracle RO due to the extension attack. Namely MDHF does n...
- Chapter
Algorithmic Tamper Proof (ATP) Counter Units for Authentication Devices Using PIN
Though Gennaro et al. discussed the algorithmic tamper proof (ATP) devices using the personal identification number (PIN) with less tamper-proof devices, and proposed counter units which count the number of wr...
- Chapter
Bit-Free Collision: Application to APOP Attack
This paper proposes a new variant of collisions on hash functions named bit-free collision, which can be applied to reduce the number of chosen challenges in password recovery attacks on hash-based challenge and ...
- Chapter
Leaky Random Oracle (Extended Abstract)
This work focuses on vulnerability of hash functions due to sloppy usage or implementation in the real world. If our cryptographic research community succeeded in development of perfectly secure random functio...
- Chapter
Attribute-Based Encryption with Partially Hidden Encryptor-Specified Access Structures
We propose attribute-based encryption schemes where encryptor-specified access structures (also called ciphertext policies) are hidden. By using our schemes, an encryptor can encrypt data with a hidden access ...
- Chapter
Password Recovery on Challenge and Response: Impossible Differential Attack on Hash Function
We propose practical password recovery attacks against two challenge-response authentication protocols using MD4. When a response is computed as MD4(Password||Challenge), passwords up to 12 characters are pr...
- Chapter
Security of MD5 Challenge and Response: Extension of APOP Password Recovery Attack
In this paper, we propose an extension of the APOP attack that recovers the first 31 characters of APOP password in practical time, and theoretically recovers 61 characters. We have implemented our attack, and...
- Chapter
New Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
At Crypto ’07, Fouque, Leurent and Nguyen presented full key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5, by extending the partial key-recovery attacks of Contini and Yin from Asiacrypt ’06. Such attacks ar...
- Chapter
Secure Cross-Realm Client-to-Client Password-Based Authenticated Key Exchange Against Undetectable On-Line Dictionary Attacks
The cross-realm client-to-client password-based authenticated key exchange (C2C-PAKE) is a protocol in which two clients in two different realms with different passwords exchange a session key through their corresp...
- Chapter
A New Strategy for Finding a Differential Path of SHA-1
In this paper, we propose a new construction algorithm for finding differential paths of Round 1 of SHA-1 for use in the collision search attack. Generally, the differential path of Round 1 is very complex, and i...
- Chapter
Modeling Agreement Problems in the Universal Composability Framework
Agreement problems are one of the keys to distributed computing. In this paper, we propose a construction of the ideal-model functionality of one of the most important agreement problems, non-blocking atomic c...
- Chapter
A Sanitizable Signature Scheme with Aggregation
A sanitizable signature scheme is a digital signature scheme in which, after generating a signer’s signature on a document, specific entities (called sanitizers) can modify the document for hiding partial informa...
- Chapter
Multiparty Computation for Interval, Equality, and Comparison Without Bit-Decomposition Protocol
Damgård et al. [11] showed a novel technique to convert a polynomial sharing of secret a into the sharings of the bits of a in constant rounds, which is called the bit-decomposition protocol. The bit-decompositio...
- Chapter
New Message Difference for MD4
This paper proposes several approaches to improve the collision attack on MD4 proposed by Wang et al. First, we propose a new local collision that is the best for the MD4 collision attack. Selection of a good ...
- Chapter
Factorization of Square-Free Integers with High Bits Known
In this paper we propose an algorithm of factoring any integer N which has k different prime factors with the same bit-length, when $(...
- Chapter
Analysis on the Clockwise Transposition Routing for Dedicated Factoring Devices
Recently, dedicated factoring devices have attracted much attention since they might be a threat for current RSA-based cryptosystems. In some devices, the clockwise transposition routing is used as a key tec...
- Chapter
Improved Collision Attack on MD4 with Probability Almost 1
In EUROCRYPT2005, a collision attack on MD4 was proposed by Wang, Lai, Chen, and Yu. They claimed that collision messages were found with probability 2^-6 to 2^-2, and the complexity was less than 2^8 MD4 hash ope...
- Chapter
Provably Secure Electronic Cash Based on Blind Multisignature Schemes
Though various blind multisignature schemes have been proposed for secure electronic cash, the formal model of security was not discussed. This paper first formalizes the security notions for e-cash schemes ba...
- Chapter
Formal Security Model of Multisignatures
A multisignature scheme enables multiple signers to cooperate to generate one signature for some message. The aim of the multisignatures is to decrease the total length of the signature and/or the signing (ver...
- Chapter
Toward the Fair Anonymous Signatures: Deniable Ring Signatures
Ring signature scheme, proposed by Rivest et al., allows a signer to sign a message anonymously. In the ring signature scheme, the signer who wants to sign a document anonymously first chooses some public keys...
- Chapter
How to Construct Sufficient Conditions for Hash Functions
Wang et al. have proposed collision attacks for various hash functions. Their approach is to first construct a differential path, and then determine the conditions (sufficient conditions) that maintain the dif...
- Chapter
Improved Collision Search for SHA-0
At CRYPTO2005, Xiaoyun Wang, Hongbo Yu and Yiqun Lisa Yin proposed a collision attack on SHA-0 that could generate a collision with complexity 2^39 SHA-0 hash operations. Although the method of Wang et al. can fin...
- Chapter
On the Security of Probabilistic Multisignature Schemes and Their Optimality
We first prove that the following three probabilistic multisignature schemes based on a trapdoor permutation have tight security; PFDH (probabilistic full domain hash) based multisignature scheme (PFDH-MSS), P...
- Chapter
Taxonomic Consideration to OAEP Variants and Their Security
In this paper, we first model the variants of OAEP and SAEP, and establish a systematic proof technique, the comprehensive event dividing tree, and apply the technique to prove the security of the (120) variants ...
- Chapter
A Strategy for Constructing Fast Round Functions with Practical Security Against Differential and Linear Cryptanalysis
In this paper, we study a strategy for constructing fast and practically secure round functions that yield sufficiently small values of the maximum differential and linear probabilities p, q. We consider mn-bit ro...
- Book
Advances in Cryptology — ASIACRYPT’98
International Conference on the Theory and Application of Cryptology and Information Security, Beijing, China, October 18–22, 1998, Proceedings
- Chapter
Remarks on blind decryption
This paper describes two attacks against blind decryption (decode) based on the commutative random-self reducibility and RSA systems utilizing the transformability of digital signatures proposed in ...
- Chapter
On concrete security treatment of signatures derived from identification
Signature schemes that are derived from three move identification schemes such as the Fiat-Shamir, Schnorr and modified ElGamal schemes are a typical class of the most practical signature schemes. The random o...
- Chapter
Improving the Search Algorithm for the Best Linear Expression
It is important to find the best linear expression to estimate the vulnerability of cryptosystems to Linear Cryptanalysis. This paper presents a method to improve Matsui’s search algorithm which determines the ...
- Article
Nationwide randomized comparative study of daunorubicin and aclarubicin in combination with behenoyl cytosine arabinoside, 6-mercaptopurine, and prednisolone for previously untreated acute myeloid leukemia
Aclarubicin was evaluated in combination chemotherapy for adult acute myeloid leukemia in a randomized trial involving 58 institutions throughout Japan. Behenoyl cytosine arabinoside (BH-AC)•daunorubicin, 6-me...
- Chapter
Linear Cryptanalysis of the Fast Data Encipherment Algorithm
This paper discusses the security of the Fast Data Encipherment Algorithm (FEAL) against Linear Cryptanalysis. It has been confirmed that the entire subkeys used in FEAL-8 can be derived with 2^25 pairs of known p...
- Chapter
Differential Attack on Message Authentication Codes
We discuss the security of Message Authentication Code (MAC) schemes from the viewpoint of differential attack, and propose an attack that is effective against DES-MAC and FEAL-MAC. The attack derives the secr...
- Chapter
A practical secret voting scheme for large scale elections
This paper proposes a practical secret voting scheme for large scale elections. The participants of the scheme are voters, an administrator, and a counter. The scheme ensures the privacy of the voters even if ...
- Chapter
A digital multisignature scheme based on the Fiat-Shamir scheme
We show the sequential multisignature scheme based on the Fiat-Shamir scheme which is a slight variant of simultaneous multisignature scheme, and discuss the security of a digital multisignature scheme. The fo...
- Chapter
Results of switching-closure-test on FEAL
The closure tests, CCT and MCT, were introduced to analyze the algebraic properties of cryptosystems by Kaliski et al. [KaRiSh]. If a cryptosystem is closed, the tests give the same results “Fail” and the cryp...
- Chapter
Secure Bit Commitment Function against Divertibility
Some zero-knowledge interactive proofs (ZKIPs) have divertibility, that is, evidence of proof issued by a genuine prover, A, can be transferred to plural verifiers, B and then C, where the intermediate verifier, ...
- Chapter
A switching closure test to analyze cryptosystems
The closure test MCT (meet-in-the-middle closure test) was introduced to analyze the algebraic properties of cryptosystems [KaRiSh]. Since MCT needs a large amount of memory, it is hard to implement with an ordin...
- Chapter
Universal Electronic Cash
This paper proposes the first ideal untraceable electronic cash system which solves the most crucial problem inherent with real cash and all previous untraceable electronic cash systems. The main advantage of ...
- Chapter
Confirmation that Some Hash Functions Are Not Collision Free
Hash functions are used to compress messages into digital signatures. A hash function has to be collision free; i.e., it must be computationally infeasible to construct different messages which output the same...
- Chapter
Membership Authentication for Hierarchical Multigroups Using the Extended Fiat-Shamir Scheme
We propose two membership authentication schemes that allow an authorized user to construct one master secret key for accessing the set of hierarchically ordered groups defined by the user, without releasing a...
- Chapter
Direct Zero Knowledge Proofs of Computational Power in Five Rounds
Zero-knowledge proofs of computational power have been proposed by Yung and others. In this paper, we propose an efficient (direct) and constant round (five round) construction of zero knowledge proofs of computa...
- Chapter
Interactive Bi-Proof Systems and Undeniable Signature Schemes
This paper proposes a new construction of the minimum knowledge undeniable signature scheme which solves a problem inherent in Chaum’s scheme. We formulate a new proof system, the minimum knowledge interactive bi...
- Chapter
How to Utilize the Randomness of Zero-Knowledge Proofs
In zero-knowledge interactive proofs, a lot of randomized information is exchanged between the prover and the verifier, and the randomness of the prover is used in satisfying the zero-knowledge condition. In t...
- Chapter
Meet-in-the-middle attack on digital signature schemes
The meet-in-the-middle attack can be used for forging signatures on mixed-type digital signature schemes, and takes less time than an exhaustive attack. This paper formulates a meet-in-the-middle attack on mix...
- Chapter
A Modification of the Fiat-Shamir Scheme
Fiat-Shamir’s identification and signature scheme is efficient as well as provably secure, but it has a problem in that the transmitted information size and memory size cannot simultaneously be small. This pap...
- Chapter
Disposable Zero-Knowledge Authentications and Their Applications to Untraceable Electronic Cash
In this paper, we propose a new type of authentication system, disposable zero-knowledge authentication system. Informally speaking, in this authentication system, double usage of the same authentication is preve...
- Chapter
Divertible Zero Knowledge Interactive Proofs and Commutative Random Self-Reducibility
In this paper, a new class of zero knowledge interactive proofs, a divertible zero knowledge interactive proof, is presented. Informally speaking, we call (A,B,C), a triplet of Turing machines, a divertible zero ...
- Chapter
Security of Improved Identity-based Conference Key Distribution Systems
At Crypto-87 conference, we proposed identity-based key distribution systems for generating a common secret conference key for two or more users. Protocols were shown for three configurations: a ring, a comple...
- Chapter
Identity-based conference key distribution systems
This paper proposes identity-based key distribution systems for generating a common secret conference key for two or more users. Users are connected in a ring, a complete graph, or a star network. Messages amo...
- Article
Phase I clinical and pharmacokinetic study of N4-behenoyl-1-β-d-arabinofuranosylcytosine
A phase I study of N4-behenoyl-1-β-d-arabinofuranosylcytosine (BHAC) was conducted in 66 patients, 41 with solid tumors and 25 with hematological malignancies. The patients received either a 2-h s...