International Association for Cryptologic Research

International Association
for Cryptologic Research


Shin'ichiro Matsuo


Evaluation of Hardware Performance for the SHA-3 Candidates Using SASEBO-GII
As a result of extensive analyses on cryptographic hash functions, NIST started an open competition for selecting a new standard hash function SHA-3. One important aspect of this competition is in evaluating hardware implementations and in collecting much attention of researchers in this area. For a fair comparison of the hardware performance, we propose an evaluation platform, a hardware design strategy, and evaluation criteria that must be consistent for all SHA-3 candidates. First, we define specifications of interface for the SASEBO-GII platform that are suitable for evaluating the performance in real-life hash applications, while one can also evaluate the performance of the SHA-3 core function that has an ideal interface. Second, we discuss the design strategy for high-throughput hardware implementations. Lastly, we explain the evaluation criteria to compare the cost and speed performance of eight SHA-3 candidates out of fourteen.
Solving a 676-bit Discrete Logarithm Problem in $GF(3^{6n})$
Pairings on elliptic curves over finite fields are crucial for constructing various cryptographic schemes. The \eta_T pairing on supersingular curves over GF(3^n) is particularly popular since it is efficiently implementable. Taking into account the Menezes-Okamoto-Vanstone (MOV) attack, the discrete logarithm problem (DLP) in GF(3^{6n}) becomes a concern for the security of cryptosystems using \eta_T pairings in this case. In 2006, Joux and Lercier proposed a new variant of the function field sieve in the medium prime case, named JL06-FFS. We have, however, not yet found any practical implementations on JL06-FFS over GF(3^{6n}). Therefore, we first fulfilled such an implementation and we successfully set a new record for solving the DLP in GF(3^{6n}), the DLP in GF(3^{6 \cdot 71}) of 676-bit size. In addition, we also compared JL06-FFS and an earlier version, named JL02-FFS, with practical experiments. Our results confirm that the former is several times faster than the latter under certain conditions.
Robust RFID Authentication Protocol with Formal Proof and Its Feasibility
The proloferation of RFID tags enhances everyday activities, such as by letting us reference the price, origin and circulation route of specific goods. On the other hand, this lecel of traceability gives rise to new privacy issues and the topic of developing cryptographic protocols for RFID- tags is garnering much attention. A large amount of research has been conducted in this area. In this paper, we reconsider the security model of RFID- authentication with a man-in-the-middle adversary and communication fault. We define model and security proofs via a game-based approach makes our security models compatible with formal security analysis tools. We show that an RFID authentication protocol is robust against the above attacks, and then provide game-based (hand-written) proofs and their erification by using CryptoVerif.
On Universal Composable Security of Time-Stamping Protocols
Toshihiko Matsuo Shin'ichiro Matsuo
Time-stamping protocols, which assure that a document was existed at a certain time, are applied to some useful and practical applications such as electronic patent applications and so on. There are two major time-stamping protocols, the simple protocol and the linking protocol. In the former, a time-stamp authority issues a time-stamp token that is the digital signature of the concatenated value of a hashed message and the present time. In the latter, the time-stamp authority issues a time-stamp token that is the hash value of the concatenated value of a hashed message and the previous hash value. Although security requirements and analysis for above time-stamping protocols has been discussed, there are no strict cryptographic security notions for them. In this paper, we reconsider the security requirements for time-stamping protocols and define security notions for them, in a universally composable security sense, which was proposed by Canetti. We also show that these notions can be achieved using combinations of a secure key exchange protocol, a secure symmetric encryption scheme, and a secure digital signature scheme.
Divisible Voting Scheme
Natsuki Ishida Shin'ichiro Matsuo Wakaha Ogata
Electronic voting is a prime application of cryptographic tools. Many researches are addressing election or confidence voting in this area. We address a new type of voting scheme ``Divisible Voting Scheme,'' in which each voter has multiple ballots where the number of ballots can be different among the voters. This type of voting is popular, however there is no secure protocol which achieves this type of voting. We first define the divisible voting scheme and show naive protocols based on existing voting schemes. Then we propose two efficient divisible voting schemes. The first scheme uses multisets, the second scheme uses $L$-adic representation of number of ballots. The total cost for a voter is $O(M^2 \log (N))$ in the first scheme and $O(M \log(N))$ in the second scheme where $M$ is the number of candidates to vote for and $N$ is the number of ballots for a voter.