Pairings on elliptic curves over finite fields are crucial for constructing various cryptographic schemes. The ηT pairing on supersingular curves over GF(3n) is particularly popular since it is efficiently implementable. Taking into account the Menezes-Okamoto-Vanstone attack, the discrete logarithm problem (DLP) in GF(36n) becomes a concern for the security of cryptosystems using ηT pairings in this case. In 2006, Joux and Lercier proposed a new variant of the function field sieve in the medium prime case, named JL06-FFS. We have, however, not yet found any practical implementations on JL06-FFS over GF(36n). Therefore, we first fulfill such an implementation and we successfully set a new record for solving the DLP in GF(36n), the DLP in GF(36·71) of 676-bit size. In addition, we also compare JL06-FFS and an earlier version, named JL02-FFS, with practical experiments. Our results confirm that the former is several times faster than the latter under certain conditions.

Authenticated encryption schemes are very useful for private and authenticated communication. In 2010, Rasslan and Youssef showed that the Hwang et al.'s authenticated encryption scheme is not secure by presenting a message forgery attack. However, Rasslan and Youssef did not give how to solve the security issue. In this letter, we give an improvement of the Hwang et al.'s scheme. The improved scheme not only solves the security issue of the original scheme, but also maintains its efficiency.

At ASIACRYPT 2018, Castryck, Lange, Martindale, Panny and Renes proposed CSIDH, which is a key-exchange protocol based on isogenies between elliptic curves, and a candidate for post-quantum cryptography. However, the implementation by Castryck et al. is not constant-time. Specifically, a part of the secret key could be recovered by the side-channel attacks. Recently, Meyer, Campos, and Reith proposed a constant-time implementation of CSIDH by introducing dummy isogenies and taking secret exponents only from intervals of non-negative integers. Their non-negative intervals make the calculation cost of their implementation of CSIDH twice that of the worst case of the standard (variable-time) implementation of CSIDH. In this paper, we propose a more efficient constant-time algorithm that takes secret exponents from intervals symmetric with respect to the zero. For using these intervals, we need to keep two torsion points on an elliptic curve and calculation for these points. We evaluate the costs of our implementation and that of Meyer et al. in terms of the number of operations on a finite prime field. Our evaluation shows that our constant-time implementation of CSIDH reduces the calculation cost by 28% compared with the implementation by Mayer et al. We also implemented our algorithm by extending the implementation in C of Meyer et al. (originally from Castryck et al.). Then our implementation achieved 152 million clock cycles, which is about 29% faster than that of Meyer et al. and confirms the above reduction ratio in our cost evaluation.

The multivariate public key cryptosystem (MPKC), which is based on the problem of solving a set of multivariate systems of quadratic equations over a finite field, is expected to be secure against quantum attacks. Although there are several existing schemes in MPKC that survived known attacks and are much faster than RSA and ECC, there have been few discussions on security against physical attacks, aside from the work of Okeya et al. (2005) on side-channel attacks against Sflash. In this study, we describe general fault attacks on MPKCs including Big Field type (e.g. Matsumoto-Imai, HFE and Sflash) and Stepwise Triangular System (STS) type (e.g. UOV, Rainbow and TTM/TTS). For both types, recovering (parts of) the secret keys S,T with our fault attacks becomes more efficient than doing without them. Especially, on the Big Field type, only single fault is sufficient to recover the secret keys.

Pairing-based cryptosystems are generally constructed using many functions such as pairing computation, arithmetic in finite fields, and arithmetic on elliptic curves. MapToPoint, which is a hashing algorithm onto an elliptic curve point, is one of the functions for constructing pairing-based cryptosystems. There are two MapToPoint algorithms on supersingular elliptic curves in characteristic three, which is used by ηT pairing. The first is computed by using a square root computation in F3m, and the computational cost of this algorithm is O(log m) multiplications in F3m. The second is computed by using an (m-1)(m-1) matrix over F3. It can be computed by O(1) multiplications in F3m. However, this algorithm needs the off-line memory to store about m F3m-elements. In this paper, we propose an efficient MapToPoint algorithm on the supersingular elliptic curves in characteristic three by using 1/3-trace over F3m. We propose 1/3-trace over F3m, which can compute solution x of x3 -x = c by using no multiplication in F3m. The proposed algorithm is computed by O(1) multiplications in F3m, and it requires less than m F3-elements to be stored in the off-line memory to efficiently compute trace over F3m. Moreover, in our software implementation of F3509, the proposed MapToPoint algorithm is approximately 35% faster than the conventional MapToPoint algorithm using the square root computation on an AMD Opteron processor (2.2 GHz).

A secret broadcasting scheme deals with secure transmission of a message so that more than one privileged receiver can decrypt it. Jeong et al. proposed an efficient secret broadcast scheme using binding encryption to obtain the security properties of IND-CPA semantic security and decryption consistency. Thereafter, Wu et al. showed that the Jeong et al.'s scheme just achieves consistency in relatively weak condition and is also inefficient, and they constructed a more efficient scheme to improve the security. In this letter, we demonstrate that the Wu et al.'s scheme is also a weak decryption consistency and cannot achieve the decryption consistency if an adversary has the ability to tamper with the ciphertext. We also present an improved and more efficient secret broadcast scheme to remedy the weakness. The proposed scheme achieves decryption consistency and IND-CCA security, which can protect against stronger adversary's attacks and allows us to broadcast a digital message securely.

SFLASH was chosen as one of the final selection of the NESSIE project in 2003. It is one of the most efficient digital signature scheme and is suitable for implementation on memory-constrained devices such as smartcards. Side channel attacks (SCA) are a serious threat to memory-constrained devices. If the implementation on them is careless, the secret key may be revealed. In this paper, we experimentally analyze the effectiveness of a side channel attack on SFLASH. There are two different secret keys for SFLASH, namely the proper secret key (s,t) and the random seed Δ used for the hash function SHA-1. Whereas many papers discussed the security of (s,t), little is known about that of Δ. Steinwandt et al. proposed a theoretical DPA for finding Δ by observing the XOR operations. We propose another DPA on Δ using the addition operation modulo 232, and present an experimental result of the DPA. After obtaining the secret key Δ, the underlying problem of SFLASH can be reduced to the C* problem broken by Patarin. From our simulation, about 1408 pairs of messages and signatures are needed to break SFLASH. Consequently, SHA-1 must be carefully implemented in order to resist SCA on SFLASH.

A decentralized secure protocol for casting trust rating in reputation systems (StR protocol) is lately proposed by Dimitriou and Michalas, and the StR protocol is verified to be faster than the previous work providing anonymous feedback. In this letter, we present new enhanced scheme of StR. Compared with StR protocol, our new approach attains the exactly same security, but requires less processing time and about half communication overheads. Therefore, we improve the performance without sacrificing any security, especially the communication delay is dramatically reduced.

Pairing-based cryptography provides us many novel cryptographic applications such as ID-based cryptosystems and efficient broadcast encryptions. The security problems in ubiquitous sensor networks have been discussed in many papers, and pairing-based cryptography is a crucial technique to solve them. Due to the limited resources in the current sensor node, it is challenged to optimize the implementation of pairings on sensor nodes. In this paper we present an efficient implementation of pairing over MICAz, which is widely used as a sensor node for ubiquitous sensor network. We improved the speed of ηT pairing by using a new efficient multiplication specialized for ATmega128L, called the block comb method and several optimization techniques to save the number of data load/store operations. The timing of ηT pairing over GF(2239) achieves about 1.93 sec, which is the fastest implementation of pairing over MICAz to the best of our knowledge. From our dramatic improvement, we now have much high possibility to make pairing-based cryptography for ubiquitous sensor networks practical.

It has recently been reported that the performance of hyperelliptic curve cryptosystems (HECC) is competitive to that of elliptic curve cryptosystems (ECC). Concerning the security of HECC, the theta divisors play an important role. The scalar multiplication using a random base point is vulnerable to an exceptional procedure attack, which is a kind of side-channel attacks, using theta divisors. In the case of cryptographic protocols of the scalar multiplication using fixed base point, however, the exceptional procedure attack is not applicable. First, we present novel efficient scalar multiplication using theta divisors, which is the positive application of theta divisors on HECC. Second, we develop a window-based method using theta divisors that is secure against side-channel attacks. It is not obvious how to construct a base point D such that all pre-computed points are theta divisors. We present an explicit algorithm for generating such divisors.

Multivariate Public Key Cryptosystems (MPKC) are candidates for post-quantum cryptography. Rainbow is a digital signature scheme in MPKC, whose signature generation and verification are relatively efficient. However, the security of MPKC depends on the difficulty in solving a system of multivariate polynomials, and the key length of MPKC becomes substantially large compared with that of RSA cryptosystems for the same level of security. The size of the secret and public keys in MPKC has been reduced in previous research. The NC-Rainbow is a signature scheme in MPKC, which was proposed in order to reduce the size of secret key of Rainbow. So far, several attacks against NC-Rainbow have been proposed. In this paper, we summarize attacks against NC-Rainbow, containing attacks against the original Rainbow, and analyze the total security of NC-Rainbow. Based on the cryptanalysis, we estimate the security parameter of NC-Rainbow at the several security level.

We extend the Rabin cryptosystem to the Eisenstein and Gauss fields. Methods for constructing the complete representation class and modulo operation of the ideal are presented. Based on these, we describe the methods of encryption and decryption. This proposed cryptosystem is shown to be as intractable as factorization, and recently presented low exponent attacks do not work against it.

The rapid growth of the Internet provides people with tremendous opportunities for data collection, knowledge discovery and cooperative computation. However, it also brings the problem of sensitive information leakage. Both individuals and enterprises may suffer from the massive data collection and the information retrieval by distrusted parties. In this paper, we propose a privacy-preserving protocol for the distributed kernel density estimation-based clustering. Our scheme applies random data perturbation (RDP) technique and the verifiable secret sharing to solve the security problem of distributed kernel density estimation in [4] which assumed a mediate party to help in the computation.

We introduce two cheater identifiable secret sharing (CISS) schemes with efficient reconstruction, tolerating t

Cayley hash functions are a family of cryptographic hash functions constructed from Cayley graphs, with appealing properties such as a natural parallelism and a security reduction to a clean, well-defined mathematical problem. As this problem involves non-Abelian groups, it is a priori resistant to quantum period finding algorithms and Cayley hash functions may therefore be a good foundation for post-quantum cryptography. Four particular parameter sets for Cayley hash functions have been proposed in the past, and so far dedicated preimage algorithms have been found for all of them. These algorithms do however not seem to extend to generic parameters, and as a result it is still an open problem to determine the security of Cayley hash functions in general. In this paper, we study the case of Chiu's Ramanujan graphs. We design a polynomial time preimage attack against the resulting Cayley hash function, showing that these particular parameters like the previous ones are not suitable for the construction. We extend our attacks on hash functions based on similar Cayley graphs as Chiu's Ramanujan graphs. On the positive side, we then suggest some possible ways to construct the Cayley hashes that may not be affected by this type of attacks. Our results contribute to a better understanding of the hard problems underlying the security of Cayley hash functions.

We propose a new lattice-based digital signature scheme MLWRSign by modifying Dilithium, which is one of the second-round candidates of NIST's call for post-quantum cryptographic standards. To the best of our knowledge, our scheme MLWRSign is the first signature scheme whose security is based on the (module) learning with rounding (LWR) problem. Due to the simplicity of the LWR, the secret key size is reduced by approximately 30% in our scheme compared to Dilithium, while achieving the same level of security. Moreover, we implemented MLWRSign and observed that the running time of our scheme is comparable to that of Dilithium.

Recently, Yuan et al. (IEEE Infocom'13, pp.2652-2660) proposed an efficient secure nearest neighbor (SNN) search scheme on encrypted cloud database. Their scheme is claimed to be secure against the collusion attack of query clients and cloud server, because the colluding attackers cannot infer the encryption/decryption key. In this letter, we observe that the encrypted dataset in Yuan's scheme can be broken by the collusion attack without deducing the key, and present a simple but powerful attack to their scheme. Experiment results validate the high efficiency of our attacking approach. Additionally, we also indicate an upper bound of collusion-resistant ability of any accurate SNN query scheme.

Multivariate Public Key Cryptography (MPKC) is one of the main candidates for secure communication in a post-quantum era. Recently, Yasuda and Sakurai proposed at ICICS 2015 a new multivariate encryption scheme called SRP, which offers efficient decryption, a small blow up factor between plaintext and ciphertext and resists all known attacks against multivariate schemes. However, similar to other MPKC schemes, the key sizes of SRP are quite large. In this paper we propose a technique to reduce the key size of the SRP scheme, which enables us to reduce the size of the public key by up to 54%. Furthermore, we can use the additional structure in the public key polynomials to speed up the encryption process of the scheme by up to 50%. We show by experiments that our modifications do not weaken the security of the scheme.

At PQCrypto 2016, Szepieniec et al. proposed a new type of trapdoor called Extension Field Cancellation (EFC) for constructing secure multivariate encryption cryptosystems. They also specifically suggested two schemes EFCp- and EFCpt2- that apply this trapdoor and some modifiers. Although both of them seem to avoid all attacks used for cryptanalysis on multivariate cryptography, their decryption efficiency has room for improvement. On the other hand, their security was analyzed mainly through an algebraic attack of computing the Gröbner basis of the public key, and there possibly exists more effective attacks. In this paper, we introduce a more efficient decryption approach for EFCp- and EFCpt2-, which manages to avoid all redundant computation involved in the original decryption algorithms without altering their public key. In addition, we estimate the secure parameters for EFCp- and EFCpt2- through a hybrid attack of algebraic attack and exhaustive search.

XTR is one of the most efficient public-key cryptosystems that allow us to compress the communication bandwidth of their ciphertext. The compact representation can be achieved by deploying a subgroup Fq2 of extension field Fq6, so that the compression ratio of XTR cryptosystem is 1/3. On the other hand, Dijk et al. proposed an efficient public-key cryptosystem using a torus over Fq30 whose compression ratio is 4/15. It is an open problem to construct an efficient public-key cryptosystem whose compression ratio is smaller than 4/15. In this paper we propose a new variant of XTR cryptosystem over finite fields with characteristic three whose compression ratio is 1/6. The key observation is that there exists a trace map from Fq6 to Fq in the case of characteristic three. Moreover, the cost of compression and decompression algorithm requires only about 1% overhead compared with the original XTR cryptosystem. Therefore, the proposed variant of XTR cryptosystem is one of the fastest public-key cryptosystems with the smallest compression ratio.