
    Tweak-Length Extension for Tweakable Blockciphers

    A tweakable blockcipher (TBC) is an extension of the standard blockcipher introduced by Liskov, Rivest and Wagner in 2002. A TBC is a versatile building block for efficient symmetric-key cryptographic functions, such as authenticated encryption. In this paper we study the problem of extending the tweak of a given TBC with a fixed-length tweak, which is a variant of the popular problem of converting a blockcipher into a TBC, i.e., a blockcipher mode of operation. The problem is particularly important for known dedicated TBCs, since they have relatively short tweaks. We propose a simple and efficient solution, called XTX, for this problem. XTX converts a TBC with a fixed-length tweak into another TBC with an arbitrarily long tweak, by extending the scheme of Liskov, Rivest and Wagner that converts a blockcipher into a TBC. Given a TBC with an $n$-bit block and an $m$-bit tweak, XTX provides $(n+m)/2$-bit security, while conventional methods provide $n/2$- or $m/2$-bit security. We also show that XTX is even useful when combined with some blockcipher modes for building a TBC with security beyond the birthday bound.
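    As an added illustration (not code from the XTX paper or from this page), the Python sketch below shows the shape of the construction the abstract describes: a toy TBC that only accepts a fixed 32-bit tweak is wrapped so that it accepts tweaks of any length. The layout used, masking the block with an $n$-bit value $V$ and feeding an $m$-bit value $U$ into the inner tweak where $(V, U)$ is a keyed hash of the long tweak, is an LRW2-style reading of XTX; the abstract does not spell out the construction or its hash requirements, so the 4-round Feistel TBC, the HMAC-based hash truncated to $n+m$ bits, and the toy sizes ($n=64$, $m=32$) are all stand-ins chosen here, not the paper's primitives.

```python
import hashlib
import hmac

# Toy parameters (assumed for the demo, far below real-world sizes):
# n = 64-bit block, m = 32-bit tweak for the underlying TBC.
N = 8        # block length in bytes
M = 4        # fixed tweak length in bytes of the underlying TBC
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, tweak: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: a keyed PRF of (tweak, round index, half block).
    return hmac.new(key, tweak + bytes([i]) + half, hashlib.sha256).digest()[: N // 2]


def tbc_encrypt(key: bytes, tweak: bytes, block: bytes) -> bytes:
    """Stand-in TBC with an n-bit block and a fixed m-bit tweak (toy Feistel)."""
    assert len(tweak) == M and len(block) == N
    l, r = block[: N // 2], block[N // 2:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round_fn(key, tweak, i, r))
    return l + r


def tbc_decrypt(key: bytes, tweak: bytes, block: bytes) -> bytes:
    assert len(tweak) == M and len(block) == N
    l, r = block[: N // 2], block[N // 2:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round_fn(key, tweak, i, l)), l
    return l + r


def xtx_hash(hash_key: bytes, long_tweak: bytes) -> tuple:
    """Stand-in for the (n+m)-bit keyed hash H_L(T) of the long tweak.

    XTX calls for a universal-hash family here; an HMAC output truncated to
    n+m bits is used only so that the example runs on the standard library.
    Returns (V, U): an n-bit mask and an m-bit tweak for the inner TBC.
    """
    digest = hmac.new(hash_key, long_tweak, hashlib.sha256).digest()[: N + M]
    return digest[:N], digest[N:]


def xtx_encrypt(key: bytes, hash_key: bytes, long_tweak: bytes, block: bytes) -> bytes:
    """TBC with an arbitrary-length tweak: E_K^U(M xor V) xor V, (V, U) = H_L(T)."""
    v, u = xtx_hash(hash_key, long_tweak)
    return _xor(tbc_encrypt(key, u, _xor(block, v)), v)


def xtx_decrypt(key: bytes, hash_key: bytes, long_tweak: bytes, block: bytes) -> bytes:
    v, u = xtx_hash(hash_key, long_tweak)
    return _xor(tbc_decrypt(key, u, _xor(block, v)), v)


def demo() -> dict:
    # Constructed keys and inputs; the tweak is 100 bytes, far longer than the
    # 4-byte tweak the inner TBC accepts.
    key, hash_key = bytes(16), bytes(range(16))
    plaintext = b"8bytemsg"
    tweak_a = b"header-or-nonce-material " * 4
    tweak_b = tweak_a[:-1] + b"!"          # differs from tweak_a in the last byte only
    c_a = xtx_encrypt(key, hash_key, tweak_a, plaintext)
    c_b = xtx_encrypt(key, hash_key, tweak_b, plaintext)
    return {
        "ciphertext_a": c_a,
        "ciphertext_b": c_b,
        "roundtrip_ok": xtx_decrypt(key, hash_key, tweak_a, c_a) == plaintext,
        "tweaks_separate": c_a != c_b,
    }


if __name__ == "__main__":
    print(demo())
```

    Feeding the hash into both the outer mask $V$ and the inner tweak $U$ is what the abstract's $(n+m)/2$ figure rests on: masking alone (LRW2 over a TBC with a constant inner tweak) is limited by collisions on the $n$-bit mask, hashing into the $m$-bit tweak alone by collisions on $U$, whereas here the relevant event is a collision on the full $(n+m)$-bit hash output. For a real instantiation, replace the Feistel stand-in with a dedicated TBC and the HMAC stand-in with an $(n+m)$-bit universal hash over the tweak.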

    Fabrication of resistively-coupled single-electron device using an array of gold nanoparticles

    We demonstrated a type of single-electron device that exhibited electrical characteristics similar to those of a resistively-coupled SE transistor (R-SET) at 77 K and room temperature (287 K). Three Au electrodes on an oxidized Si chip, serving as drain, source, and gate electrodes, were formed using electron-beam lithography and evaporation techniques. A narrow (70-nm-wide) gate electrode was patterned using thermal evaporation, whereas wide (800-nm-wide) drain and source electrodes were made using shadow evaporation. Subsequently, an aqueous solution of citric acid and 15-nm-diameter gold nanoparticles (Au NPs) and a toluene solution of 3-nm-diameter Au NPs chemisorbed via decanethiol were dropped on the chip to make the connections between the electrodes. Current–voltage characteristics between the drain and source electrodes exhibited Coulomb blockade (CB) at both 77 and 287 K. The dependence of the CB region on the gate voltage was similar to that of an R-SET. Simulation results of a model based on the scanning electron microscopy image of the device could reproduce the R-SET-like characteristics.

    Gate-tuned negative differential resistance observed at room temperature in an array of gold nanoparticles

    We fabricated a single-electron (SE) device using gold nanoparticles (Au NPs). Drain, source, and gate electrodes on a SiO2/Si substrate were formed using electron beam lithography (EBL) and thermal evaporation of Au. Subsequently, solutions of 3-nm-diameter and 5-nm-diameter Au NPs were dropped on the device to make current paths through the Au NPs among the electrodes. Measurements of the device exhibited negative differential resistance (NDR) in the current-voltage characteristics between the drain and source electrodes at room temperature (298 K). The NDR behavior was tuned by applying a gate voltage.

    Matching Attacks on Romulus-M

    This paper considers the problem of identifying matching attacks against Romulus-M, one of the ten finalists of the NIST Lightweight Cryptography standardization project. Romulus-M is provably secure, i.e., there is a theorem statement giving an upper bound on the success probability of attacking the scheme as a function of the adversaries' resources. If there exists an attack that matches the provable security bound, this implies that the attack is optimal and that the bound is tight, in the sense that it cannot be improved. We show that the security bounds of Romulus-M are tight for a large class of parameters by presenting concrete matching attacks.

    New Indifferentiability Security Proof of MDPH Hash Function

    MDPH is a double-block-length hash function proposed by Naito at Latincrypt 2019. It is a combination of Hirose's compression function and the domain extender called Merkle-Damgård with permutation (MDP). When instantiated with an $n$-bit block cipher, Naito proved that it achieves the (nearly) optimal indifferentiable security bound of $O(n - \log n)$-bit security. In this paper, we first point out that the proof of this claim contains a gap, related to the definition of the simulator in simulating the decryption of the block cipher. We then show that the proof can be fixed. We introduce a new simulator that addresses the issue, showing that MDPH retains its (nearly) optimal indifferentiable security bound of $O(n - \log n)$-bit security.

    Integrity Analysis of Authenticated Encryption Based on Stream Ciphers

    We study the security of authenticated encryption based on a stream cipher and a universal hash function. We consider ChaCha20-Poly1305 and the generic constructions proposed by Sarkar, which include 14 AEAD (authenticated encryption with associated data) schemes and 3 DAEAD (deterministic AEAD) schemes. In this paper, we analyze the integrity of these schemes both in the standard INT-CTXT notion and in the RUP (releasing unverified plaintext) setting, called the INT-RUP notion. We present INT-CTXT attacks against 3 out of the 14 AEAD schemes and 1 out of the 3 DAEAD schemes. We then show INT-RUP attacks against 1 out of the 14 AEAD schemes and the 2 remaining DAEAD schemes. We next show that ChaCha20-Poly1305 is provably secure in the INT-RUP notion. Finally, we show that 4 out of the remaining 10 AEAD schemes are provably secure in the INT-RUP notion.

    Improved Authenticity Bound of EAX, and Refinements

    EAX is a mode of operation for blockciphers that implements authenticated encryption. The original EAX paper proved that EAX is unforgeable up to $O(2^{n/2})$ data with one verification query. However, this generally guarantees only a rather weak bound for unforgeability under multiple verification queries, i.e., only $2^{n/3}$ data is acceptable. This paper improves on the previous security proof by showing that EAX is unforgeable up to $O(2^{n/2})$ data with multiple verification queries. Our security proof is based on the techniques that appeared in a paper of FSE 2013 by Minematsu et al., which studied the security of a variant of EAX called EAX-prime. We also provide some ideas to reduce the complexity of EAX while keeping our new security bound. In particular, EAX needs three blockcipher calls as pre-processing and keeps their outputs in memory, and our proposals can effectively reduce these three calls to one. This would be useful when computational power and memory are constrained.

    Analyzing the Provable Security Bounds of GIFT-COFB and Photon-Beetle

    We study the provable security claims of two NIST Lightweight Cryptography (LwC) finalists, GIFT-COFB and Photon-Beetle, and present several attacks whose complexities contradict the bounds claimed in their final round specification documents. For GIFT-COFB, we show an attack using $q_e$ encryption queries and no decryption query to break privacy (IND-CPA). The success probability is $O(q_e/2^{n/2})$ for an $n$-bit block, while the claimed bound contains $O(q_e^2/2^n)$. This positively solves an open question posed in [Khairallah, ePrint 2021/648 (also accepted at FSE 2022)]. For Photon-Beetle, we show an attack using $q_e$ encryption queries (using a small number of input blocks) followed by a single decryption query and no primitive query to break authenticity (INT-CTXT). The success probability is $O(q_e^2/2^b)$ for a $b$-bit block permutation, which is significantly larger than what the claimed bound states, the latter being independent of the number of encryption queries. We also show a simple tag guessing attack that violates the INT-CTXT bound when the rate is $r=32$. Then, we analyze other (improved/modified) bounds of Photon-Beetle shown in subsequent papers [Chakraborty et al., ToSC 2020(2) and Chakraborty et al., ePrint 2019/1475]. As a side result of our security analysis of Photon-Beetle, we point out that a simple and efficient forgery attack is possible in the related-key setting. We emphasize that our results do not contradict the claimed "bit security" in the LwC specification documents for any of the schemes that we studied. That is, we do not negate the claims that GIFT-COFB is $(n/2 - \log n)$-bit secure for $n=128$, and that Photon-Beetle is $(b/2 - \log b/2)$-bit secure for $b=256$ and $r=128$, where $r$ is the rate. We also note that security against related-key attacks is not included in the security requirements of NIST LwC, and is not claimed by the designers.

    Studies on Diversification of Speech Expressions for Conversational Speech Synthesis

    Waseda University degree certificate number: Shin 9251; Doctor of Engineering, Waseda University.

    One-dimensional array of small tunnel junctions fabricated using 30-nm-diameter gold nanoparticles placed in a 140-nm-wide resist groove

    We present percolative arrays of gold nanoparticles (NPs) formed in a resist groove. To enhance the connection probability, the width of the resist groove (140 nm) was designed to be approximately five times larger than the diameter of the gold NPs (30 nm). Two-stage deposition of gold NPs was employed to form bridge connections between the source and drain electrodes. Dithiol molecules coated on the surfaces of the gold NPs worked as tunnel barriers. 5 of 12 samples exhibited Coulomb blockade characteristics, and in one of these the gate response was confirmed.