In this paper, we describe a technique for optimizing the algebraic method that is applied to higher order differential attack. The higher order differential attack is a well-known attack on block ciphers, in which we derive an attack equation to determine a round key from a property of a higher order differential of a target block cipher. The algebraic method is a linearization of the attack equation and determines the true key by a method such as Gaussian elimination. Our technique is based on linear dependency and can reduce the complexity of that method. We also describe a technique that allows the algebraic method to be used as an attack equation that holds probabilistically. We demonstrate this method by attacking a five-round MISTY1 and show that it needs 221.6 chosen plaintexts and 228.0 encryption times. The computer simulation took about two minutes to complete.

Computer systems with GPUs are expected to become a strong methodology for high-speed encryption processing. Moreover, power consumption has remained a primary deterrent for such processing on devices of all sizes. However, GPU vendors are currently announcing their future roadmaps of GPU architecture development: Nvidia Corp. promotes the Kepler architecture and AMD Corp. emphasizes the GCN architecture. Therefore, we evaluated throughput and power efficiency of three 128-bit block ciphers on GPUs with recent Nvidia Kepler and AMD GCN architectures. From our experiments, whereas the throughput and per-watt throughput of AES-128 on Radeon HD 7970 (2048 cores) with GCN architecture are 205.0Gbps and 1.3Gbps/Watt respectively, those on Geforce GTX 680 (1536 cores) with Kepler architecture are, respectively, 63.9Gbps and 0.43Gbps/W; an approximately 3.2 times throughput difference occurs between AES-128 on the two GPUs. Next, we investigate the reasons for the throughput difference using our micro-benchmark suites. According to the results, we speculate that to ameliorate Kepler GPUs as co-processor of block ciphers, the arithmetic and logical instructions must be improved in terms of software and hardware.

Cryptographic hash functions have been widely studied and are used in many current systems. Though much research has been done on the security of hash functions, system designers cannot determine which hash function is most suitable for a particular system. The main reason for this is that the current security classification does not correspond very well to the security requirements of practical systems. This paper describes a new classification which is more suitable for designing real-life systems. This classification is the result of a new qualitative classification and a new quantitative classification. We show a mapping between each class and standard protocols. In addition, we show new requirements for four types of hash function for a future standard.

We focus on the relationship between the linearization method and linear complexity and show that the linearization method is another effective technique for calculating linear complexity. We analyze its effectiveness by comparing with the logic circuit method. We compare the relevant conditions and necessary computational cost with those of the Berlekamp-Massey algorithm and the Games-Chan algorithm. The significant property of a linearization method is that it needs no output sequence from a pseudo-random number generator (PRNG) because it calculates linear complexity using the algebraic expression of its algorithm. When a PRNG has n [bit] stages (registers or internal states), the necessary computational cost is smaller than O(2n). On the other hand, the Berlekamp-Massey algorithm needs O(N2) where N ( 2n) denotes period. Since existing methods calculate using the output sequence, an initial value of PRNG influences a resultant value of linear complexity. Therefore, a linear complexity is generally given as an estimate value. On the other hand, a linearization method calculates from an algorithm of PRNG, it can determine the lower bound of linear complexity.

Quantum cryptography has become a subject of widespread interest. In particular, quantum key distribution, which provides a secure key agreement by using quantum systems, is believed to be the most important application of quantum cryptography. Quantum key distribution has the potential to achieve the "unconditionally" secure infrastructure. We also have many cryptographic tools that are based on "modern cryptography" at the present time. They are being used in an effort to guarantee secure communication over open networks such as the Internet. Unfortunately, their ultimate efficacy is in doubt. Quantum key distribution systems are believed to be close to practical and commercial use. In this paper, we discuss what we should do to apply quantum cryptography to our communications. We also discuss how quantum key distribution can be combined with or used to replace cryptographic tools based on modern cryptography.

This paper presents a new information-theoretical evaluation method, for the resistance of cryptographic implementation against side-channel attacks. In conventional methods, the results of actual attacks have been often used empirically. However, these experimental methods have some problems. In the proposed method, a side-channel attack is regarded as a communication channel model. Then, a new evaluation index “the amount of leakage information” can be defined. The upper-bound of this index is estimated as the channel capacity. The proposed evaluation using this index can avoid the problems of conventional methods. Consequently, the proposed method provides some benefits: (1) It provides rationale for evaluation; (2) It enables execution of numerical evaluation and mutual evaluation among several kinds of countermeasures. This research achieves a unification of evaluation indexes for resistance against side-channel attack. This paper applies the proposed method to correlation power analysis against implementations of stream cipher Enocoro-128 v2. As a result, we confirmed its effectiveness.

In ASIACRYPT2015, a new model for the analysis of block cipher against side-channel attack and a dedicated attack, differential bias attack, were proposed by Bogdanov et al. The model assumes an adversary who has leaked values whose positions are unknown and randomly chosen from internal states (random leakage model). This paper improves the security analysis on AES under the random leakage model. In the previous method, the adversary requires at least 234 chosen plaintexts; therefore, it is hard to recover a secret key with a small number of data. To consider the security against the adversary given a small number of data, we reestimate complexity. We propose another hypothesis-testing method which can minimize the number of required data. The proposed method requires time complexity more than t>260 because of time-data tradeoff, and some attacks are tractable under t≤280. Therefore, the attack is a threat for the long-term security though it is not for the short-term security. In addition, we apply key enumeration to the differential bias attack and propose two evaluation methods, information-theoretic evaluation and experimental one with rank estimation. From the evaluations on AES, we show that the attack is a practical threat for the long-term security.

It is well known that there is relationship between electromagnetic emanation and processing information in IT devices such as personal computers and smart cards. By analyzing such electromagnetic emanation, eavesdropper will be able to get some information, so it becomes a real threat of information security. In this paper, we show how to estimate amount of information that is leaked as electromagnetic emanation. We assume the space between the IT device and the receiver is a communication channel, and we define the amount of information leakage via electromagnetic emanations by its channel capacity. By some experimental results of Tempest, we show example estimations of amount of information leakage. Using the value of channel capacity, we can calculate the amount of information per pixel in the reconstructed image. And we evaluate the effectiveness of Tempest fonts generated by Gaussian method and its threshold of security.