
    A limitation on security evaluation of cryptographic primitives with fixed keys

    In this paper, we discuss the security of public-key cryptographic primitives in the case that the public key is fixed. In the standard argument, the security of a cryptographic primitive is evaluated by estimating the average probability of a successful attack, with the keys treated as random variables. In practice, by contrast, a user is mostly interested in the security under his own specific public key, which has already been fixed. Such security obviously cannot be guaranteed mathematically, because for any given public key there potentially exists an adversary that breaks it. The best we can do is therefore to use a public key whose effective adversary is unlikely to be constructed in real life, so a method for evaluating this likelihood is desirable. The motivation of this work is to investigate the (in)feasibility of predicting whether, for a given fixed public key, a successful adversary will actually appear in real life. As our main result, we prove that for any digital signature scheme or public-key encryption scheme, it is impossible to reduce, in a black-box manner, a fixed-key adversary in any security notion weaker than the de facto ones (existential unforgeability under adaptive chosen-message attacks, or indistinguishability under adaptive chosen-ciphertext attacks) to fixed-key adversaries in the de facto security notion. This means, for example, that for any digital signature scheme, the impossibility of extracting the secret key from a fixed public key will never imply existential unforgeability under chosen-message attacks under the same key, as long as only black-box analysis is considered.

    An Information Theoretic Perspective on the Differential Fault Analysis against AES

    Differential fault analysis (DFA) against AES has been studied actively in recent years. Starting from similar assumptions about the fault injection, different DFA attacks against AES have been proposed, but it is difficult to understand why the same fault injection yields different attack results, and how similar fault-injection assumptions relate to the corresponding results. This paper reviews the previous DFA attacks against AES from the standpoint of information theory and gives a general and easily understood account of them. We also apply the analysis to DFA attacks on AES-192 and AES-256, and propose attack procedures that reach the theoretically minimal number of fault injections.
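    As an added illustration of the information-theoretic view (example code written for this page, not the paper's code or results): the block below simulates only the tail of AES-128 from the round-9 MixColumns onward, using constructed random round keys and states, injects single-byte faults into one column of the state just before that MixColumns, and counts how many candidates for the four affected last-round-key bytes remain after each fault. The log2 of the candidate count is the entropy the abstract reasons about: the fault row within the column and the fault value are assumed unknown to the attacker, one such fault leaves on the order of 2^10 candidates out of 2^32, and a second one typically isolates the true key bytes.

```python
"""Differential fault analysis (DFA) on the tail of AES-128, counting how many
candidates for four last-round-key bytes survive each injected fault.
Added example for this page; it is not code from the paper. Only the part of
AES the attack depends on (round-9 MixColumns onward) is simulated, with
constructed random round keys and states."""
import math
import random
from itertools import product

def gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def _make_sbox():
    """AES S-box: multiplicative inverse followed by the affine map."""
    box = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gmul(x, y) == 1)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box

SBOX = _make_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]
MC = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
# State bytes are indexed 4*column + row. ShiftRows sends row r of column 0
# to column (-r) mod 4, so column 0 ends up at ciphertext bytes 0, 13, 10, 7.
POSITIONS = [4 * ((-r) % 4) + r for r in range(4)]

def mix_columns(s):
    out = s[:]
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out[4 * c + r] = 0
            for j in range(4):
                out[4 * c + r] ^= gmul(col[j], MC[r][j])
    return out

def shift_rows(s):
    """Row r is rotated left by r: new[r][c] = old[r][(c + r) % 4]."""
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def final_rounds(state, k9, k10):
    """MixColumns(9), AddRoundKey(9), SubBytes(10), ShiftRows(10), AddRoundKey(10)."""
    s = [x ^ k for x, k in zip(mix_columns(state), k9)]
    s = shift_rows([SBOX[x] for x in s])
    return [x ^ k for x, k in zip(s, k10)]

def _key_table(c_byte, cf_byte):
    """Map each S-box input difference to the key bytes that would produce it."""
    table = {}
    for k in range(256):
        table.setdefault(INV_SBOX[c_byte ^ k] ^ INV_SBOX[cf_byte ^ k], []).append(k)
    return table

def candidates_from_fault(c, c_faulty):
    """All (k10[0], k10[13], k10[10], k10[7]) consistent with one byte of column 0
    (unknown row j, unknown value d) being corrupted just before the last
    MixColumns, which spreads the fault over the column as MC[r][j] * d."""
    tables = [_key_table(c[p], c_faulty[p]) for p in POSITIONS]
    cands = set()
    for j in range(4):
        for d in range(1, 256):
            lists = [tables[r].get(gmul(MC[r][j], d)) for r in range(4)]
            if all(lists):
                cands.update(product(*lists))
    return cands

def run_attack(seed=1, faults=2):
    """Inject `faults` random single-byte faults and report the surviving
    candidate set and its entropy (bits) after each one."""
    rng = random.Random(seed)
    k9 = [rng.randrange(256) for _ in range(16)]
    k10 = [rng.randrange(256) for _ in range(16)]
    truth = tuple(k10[p] for p in POSITIONS)
    cands, bits = None, []
    for _ in range(faults):
        state = [rng.randrange(256) for _ in range(16)]
        faulted = state[:]
        faulted[rng.randrange(4)] ^= rng.randrange(1, 256)   # column 0, random row
        new = candidates_from_fault(final_rounds(state, k9, k10),
                                    final_rounds(faulted, k9, k10))
        cands = new if cands is None else cands & new
        bits.append(math.log2(len(cands)))
    return truth, cands, bits

if __name__ == "__main__":
    truth, cands, bits = run_attack()
    print("true key bytes:", [hex(b) for b in truth])
    print("entropy after each fault:", [round(b, 1) for b in bits], "bits")
    print("surviving candidates:", sorted(cands))
```

    Each fault only constrains the four key bytes that share a column before ShiftRows, so the remaining twelve bytes of the last round key need faults in the other three columns; the candidate count per fault is what an information-theoretic analysis of a given fault model bounds.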

    Effect of Pepleomycin (Bleomycin Derivative, NK-631) on Prostatic Cancer

    Pepleomycin was administered to two cases of untreated prostatic adenocarcinoma and its effect was examined. Case 1: a 71-year-old man who presented at our department on June 15, 1978 with dysuria and left thigh pain. The prostate was larger than a hen's egg, stony hard, with an irregular surface and infiltration into the pelvis. A walnut-sized hard lymph node was palpable in the left inguinal region. Bone scintigraphy showed numerous metastases. Needle biopsy of the prostate showed well-differentiated adenocarcinoma. Administration of 200 mg of pepleomycin (10 mg per dose, intravenously, three times a week) produced marked shrinkage of the prostatic cancer and of the left inguinal lymph node, and the serum acid phosphatase value decreased from 6.5 K.A.U. before treatment to 9.5 K.A.U. Biopsy after the end of treatment showed prominent degeneration of cancer cells and fibrosis of necrotic tissue. Case 2: a 74-year-old man who presented at our department on August 19, 1978 with dysuria. The prostate was the size of a hen's egg, hard, with infiltration into the surrounding tissue. Bone scintigraphy showed many metastatic foci, and prostate biopsy showed undifferentiated adenocarcinoma. With pepleomycin the subjective symptoms improved less than in case 1 and the prostatic cancer itself did not shrink much, but residual urine decreased from 80 ml to 10 ml. Post-treatment prostate biopsy also showed marked vacuolation of cancer cells. As for side effects, case 1 showed marked skin changes, while case 2 had only mild stomatitis. Blood FSH, LH and testosterone were measured before and after NK-631 administration; in both cases the FSH, LH and testosterone values after the end of administration were about half the pre-treatment values (Table 2). Thus, although the antitumor action of NK-631 is held to be due to inhibition of DNA synthesis, it was suggested that its antitumor effect on prostatic cancer may also involve suppression of androgen secretion from the testicular Leydig cells through pituitary suppression by NK-631. The pituitary-suppressive effect of this drug is a subject for future study. Since the new bleomycin derivative pepleomycin was reported to be effective against experimentally induced adenocarcinoma of the stomach in rats, it was administered in two cases of prostatic cancer. A satisfactory response was obtained in the well-differentiated carcinoma, whereas only a histological effect was observed in the undifferentiated one. The effect of pepleomycin on prostatic cancer seems to be brought about by suppression of DNA synthesis in the tumor and also of pituitary function, resulting in decreased androgen secretion from the Leydig cells.

    Seasonal variation of chemical composition of aerosols at Syowa Station, Antarctica in 2001

    Antarctic aerosols collected at Syowa Station in 2001 were analyzed to investigate their seasonal variations and the long-range transport of anthropogenic aerosols. The measured chemical species were elemental carbon (E.C.) and organic carbon (O.C.) using a combustion technique; SO_4^{2-}, NO_3^-, Cl^-, Na^+, NH_4^+, K^+, Ca^{2+} and Mg^{2+} using ion chromatographs; and metals such as Al, V, Cr, Mn, Fe, Co, Ni, Zn and Pb using an inductively coupled plasma mass spectrometer. The total mass concentration of aerosols ranged from 0.366 to 2.72 μg/m^3 and increased from winter to spring. The NO_3^- concentration was lower than 0.01 μg/m^3 in March-July; in contrast, it was higher than 0.02 μg/m^3 in August-November. The concentration of elemental carbon was relatively low in April-June and high in March, October and November. In October and November, the NO_3^- concentration was also high; therefore, the air mass was possibly affected by biomass burning. The concentration of SO_4^{2-} was low, around 0.02 μg/m^3, in May-July, and increased to higher than 0.1 μg/m^3 in August-December. The concentrations of Al, V, Co, Ni and Pb were sometimes below the detection limits. Nevertheless, spikes of the highest concentrations of V, Cr, Fe, Co, Ni, Zn and Pb were recorded in August-October, while V and Fe showed second spikes in March. The enrichment factors of Cr, Ni, Zn and Pb were high during 13-20 September and 12-22 October. The E.C. concentrations in these periods were also relatively higher than before and after these sampling periods. Moreover, blizzards occurred in these periods.

    Octacosanol Attenuates Disrupted Hepatic Reactive Oxygen Species Metabolism Associated with Acute Liver Injury Progression in Rats Intoxicated with Carbon Tetrachloride

    We examined whether octacosanol, the main component of policosanol, attenuates the disrupted hepatic reactive oxygen species metabolism associated with the progression of acute liver injury in rats intoxicated with carbon tetrachloride (CCl4). In rats intoxicated with CCl4 (1 ml/kg, i.p.), the activities of serum transaminases increased 6 h after intoxication and increased further at 24 h. In the liver of CCl4-intoxicated rats, increases in lipid peroxide (LPO) concentration and myeloperoxidase activity and decreases in superoxide dismutase activity and reduced glutathione (GSH) concentration occurred 6 h after intoxication, and these changes were enhanced, together with an increase in xanthine oxidase activity and a decrease in catalase activity, at 24 h. Octacosanol (10, 50 or 100 mg/kg) administered orally to CCl4-intoxicated rats 6 h after intoxication dose-dependently attenuated the increased activities of serum transaminases, the increased hepatic myeloperoxidase and xanthine oxidase activities and LPO concentration, and the decreased hepatic superoxide dismutase and catalase activities and GSH concentration found 24 h after intoxication. Octacosanol (50 or 100 mg/kg) administered to untreated rats decreased the hepatic LPO concentration and increased the hepatic GSH concentration. These results indicate that octacosanol attenuates the disrupted hepatic reactive oxygen species metabolism associated with acute liver injury progression in CCl4-intoxicated rats.

    How to Construct Cryptosystems and Hash Functions in Weakened Random Oracle Models

    In this paper, we discuss how to construct secure cryptosystems and secure hash functions in weakened random oracle models. The weakened random oracle model (WROM), introduced by Numayama et al. at PKC 2008, is a random oracle with several weaknesses. Although the security of cryptosystems in the random oracle model (ROM) has been discussed sufficiently, the same is not true for the WROM: only a few cryptosystems have been proven secure in it. In this paper, we propose a new conversion that turns any cryptosystem secure in the ROM into a cryptosystem secure in the first-preimage-tractable random oracle model (FPT-ROM) without a new proof. The FPT-ROM is the ROM without preimage resistance, and so is the weakest of the WROM variants. Since there are many secure cryptosystems in the ROM, our conversion yields many cryptosystems secure in the FPT-ROM. The fixed-input-length weakened random oracle model (FIL-WROM), introduced by Liskov at SAC 2006, reflects the known weaknesses of compression functions. We propose new hash functions that are indifferentiable from a random oracle when the underlying compression function is modeled by a two-way partially-specified preimage-tractable fixed-input-length random oracle (WFIL-ROM). The WFIL-ROM is the FIL-ROM without two types of preimage resistance and is the weakest of the FIL-WROM variants. The proposed hash functions are more efficient than the existing hash functions that are indifferentiable from a random oracle when the underlying compression function is modeled by the WFIL-ROM.

    Secret Handshake: Strong Anonymity Definition and Construction

    A secret handshake allows two members of the same group to authenticate each other secretly. Previous secret handshake schemes consider two types of anonymity with respect to the group authority (GA) of a group G: 1) even the GA cannot identify members, so nobody can (No-Traceability); 2) only the GA can identify members (Traceability). In this paper, we first show the necessity of being able to trace identities. Second, we separate the abilities of the GA into the ability to identify players and the ability to issue certificates to members, and we introduce two anonymity notions, Co-Traceability and Strong Detector Resistance. When stricter anonymity is required even against the GA, case 2) is unfavorable for members. We therefore introduce Co-Traceability, under which even an adversary A that has the GA's ability to identify members or to issue certificates cannot trace a member's identity. However, even if a scheme satisfies Co-Traceability, the GA may still be able to judge whether handshake players belong to its own group. We therefore also introduce Strong Detector Resistance, under which even an adversary A that has the GA's ability to identify members cannot judge whether a handshaking player belongs to G. Finally, we propose a secret handshake scheme that satisfies the previous security requirements and our proposed anonymity requirements, built from a group signature scheme with message recovery.

    Evaluation of Hardware Performance for the SHA-3 Candidates Using SASEBO-GII

    Following extensive analyses of cryptographic hash functions, NIST started an open competition to select a new standard hash function, SHA-3. One important aspect of this competition is the evaluation of hardware implementations, which has attracted much attention from researchers in this area. For a fair comparison of hardware performance, we propose an evaluation platform, a hardware design strategy, and evaluation criteria that are applied consistently to all SHA-3 candidates. First, we define an interface specification for the SASEBO-GII platform that is suitable for evaluating performance in real-life hash applications, while still allowing the SHA-3 core function to be evaluated behind an ideal interface. Second, we discuss the design strategy for high-throughput hardware implementations. Lastly, we explain the evaluation criteria used to compare the cost and speed of eight of the fourteen SHA-3 candidates.

    Clockwise Collision Analysis -- Overlooked Side-Channel Leakage Inside Your Measurements

    This paper presents a new side-channel attack technique called clockwise collision analysis. In cryptographic implementations built as synchronous digital circuits with a loop architecture, the signal transitions, and hence the side-channel leakage, depend not only on the input data of the current cycle but also on the state one cycle before. Clockwise collision exploits the fact that little computation takes place in the second clock cycle when the inputs of two consecutive clock cycles are the same. By contrast, the previously known computational collision exploits the fact that computing on the same input value leads to similar side-channel leakage. By experiment, we demonstrate the feasibility of this novel clockwise collision analysis, and the vulnerability it exposes, both by injecting faults and by analyzing the power consumption.
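    To make the mechanism concrete, the following is an added example written for this page (not the paper's code or measurements). It simulates a loop-architecture S-box core that consumes one key-mixed byte per clock through a single S-box whose output register is overwritten every cycle, models the cycle-t leakage as the Hamming distance between the register's previous and new contents plus Gaussian noise, and mounts the clockwise collision on the power side. The S-box is a seeded random permutation standing in for a real one (the effect needs only a bijection), and the 4-byte key, the noise level and the number of traces per guess are constructed assumptions; the attacker is assumed to choose plaintexts. For each adjacent pair of key bytes the attacker sets p[t+1] = p[t] ^ g: only the right guess makes the two consecutive S-box inputs equal, so the register does not toggle and the cycle-(t+1) leakage drops to the noise floor, revealing k[t] ^ k[t+1]. The first key byte is left for a 256-way brute force, which the demo shortcuts by using its true value to rebuild the key.

```python
"""Clockwise collision on a simulated loop-architecture S-box core.
Added example for this page, not code or measurements from the paper: the
core, the Hamming-distance leakage model, the noise level, the 4-byte key and
the S-box (a seeded random permutation standing in for a real one) are all
constructed here."""
import random

def make_sbox(seed=7):
    """Stand-in bijection; the collision effect holds for any S-box."""
    perm = list(range(256))
    random.Random(seed).shuffle(perm)
    return perm

def hamming_distance(a, b):
    return bin(a ^ b).count("1")

def simulate_trace(sbox, key, plaintext, rng, sigma):
    """One run of a core that consumes one byte per clock through a single
    S-box whose output register is reused every cycle. Writing S(x_t) over
    S(x_{t-1}) toggles HD(S(x_{t-1}), S(x_t)) flip-flops, which is taken as
    the cycle-t leakage plus Gaussian noise. If x_t == x_{t-1}, nothing toggles."""
    reg = 0                                   # register cleared before cycle 0
    leak = []
    for p, k in zip(plaintext, key):
        nxt = sbox[p ^ k]
        leak.append(hamming_distance(reg, nxt) + rng.gauss(0.0, sigma))
        reg = nxt
    return leak

def recover_key_xors(sbox, key, rng, traces_per_guess=24, sigma=1.0):
    """Recover key[t] ^ key[t+1] for every adjacent pair from chosen plaintexts.
    For guess g the attacker sets plaintext[t+1] = plaintext[t] ^ g, so the two
    consecutive S-box inputs are equal exactly when g == key[t] ^ key[t+1];
    that guess is the one whose cycle-(t+1) leakage averages down to the noise."""
    n = len(key)
    recovered = []
    for t in range(n - 1):
        scores = []
        for g in range(256):
            total = 0.0
            for _ in range(traces_per_guess):
                pt = [rng.randrange(256) for _ in range(n)]
                pt[t + 1] = pt[t] ^ g
                total += simulate_trace(sbox, key, pt, rng, sigma)[t + 1]
            scores.append(total / traces_per_guess)
        recovered.append(min(range(256), key=lambda g: scores[g]))
    return recovered

def key_from_xors(first_byte, xors):
    """Expand the recovered XOR chain; first_byte is the one byte left to brute force."""
    key = [first_byte]
    for d in xors:
        key.append(key[-1] ^ d)
    return key

def run_demo(seed=1):
    rng = random.Random(seed)
    sbox = make_sbox()
    key = [0x2B, 0x7E, 0x15, 0x16]            # constructed key for the toy core
    xors = recover_key_xors(sbox, key, rng)
    return key, xors, key_from_xors(key[0], xors)

if __name__ == "__main__":
    key, xors, rebuilt = run_demo()
    print("recovered key-byte XORs:", [hex(d) for d in xors])
    print("key rebuilt from first byte matches:", rebuilt == key)
```

    The contrast with a computational collision is visible in the model: a computational collision compares the leakage of two runs that process the same value at any cycle, whereas the clockwise collision looks at the single cycle that follows an identical input and needs no reference trace, only a minimum over the guesses.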