
    Design Theory of Hash Functions

    The random oracle proof method (RO proof method) is the most important proof technique for guaranteeing the security of cryptosystems built from cryptographic hash functions. Write C for a cryptographic algorithm that uses a hash function as a component, and call C^{H^P}, obtained by plugging a concrete hash function H^P into C, a cryptosystem. When the RO proof method is used to prove the G-security of the cryptosystem C^{H^P}, one actually proves the G-security of the cryptosystem C^{RO}, which uses a random oracle (RO) that idealizes the hash function H^P. The problem with the RO proof method is that, in general, the G-security of C^{H^P}, in which RO is replaced by H^P, is not guaranteed. A hash function H^P accepts inputs of arbitrary length and is built from a primitive P with fixed input and output lengths and a domain extension structure H that uses P to map an arbitrary-length input to an output of the specified length. Since H^P is thus composed of H and P, it behaves differently from an RO, which returns a random value of the specified length for every input. Indifferentiability theory (Indiff. theory) idealizes P and guarantees the G-security of C^{H^P} from the G-security of C^{RO}: if "the hash function H^P is Indifferentiable From RO (IFRO)" (written H^P @ RO), then, subject to the restriction to single-stage (SS) security notions, for any SS security notion Gs and any C, "if C^{RO} is Gs-secure then C^{H^P} is also Gs-secure". IFRO security idealizes P and thereby strips away the structure of P, so it is a notion that focuses on H^P's structure H, that is, the security of the domain extension structure H. Since IFRO security was proposed, many IFRO-secure domain extension structures, such as the Sponge and ChopMD structures, have been proposed. SHA-3, which has been selected as the next-generation standard hash function, adopts the Sponge structure, and IFRO security has become the standard security notion for domain extension structures. The MD (Merkle-Damgård) structure was designed before Indiff. theory was proposed and is the domain extension structure of SHA-256 and SHA-512 in the SHA-2 family, but MD^P is known not to be indifferentiable from RO. That is, there exist Gs and C such that C^{RO} is Gs-secure but C^{MD^P} is not. Although Indiff. theory covers every SS security notion, it does not cover every multi-stage (MS) security notion Gm: a counterexample is known in which there exist Gm and H^P such that H^P @ RO holds and yet C^{H^P} does not inherit Gm-security from C^{RO}.
    On the other hand, one implementation requirement for hash functions is that they be computable at high speed. SHA-3 will be implemented in many cryptosystems, so speeding up Sponge is an important research topic because it leads to faster cryptosystems built on SHA-3. Another implementation requirement is that the program size and circuit size of a hash function be small. A domain extension structure H that can reduce program and circuit size is the double-block-length domain extension structure whose primitive is a block cipher (for example, AES). When both a block cipher and a hash function must be implemented, the implementation size can be reduced if the block cipher can be shared between them. In existing work, domain extension structures H satisfying collision resistance, a notion weaker than IFRO security, have been proposed, but no IFRO-secure H of this kind has been proposed. Furthermore, to design new hash functions it is also important to determine the limits of the strongest attacks on existing hash functions. Differential attacks are among the strongest attacks on hash functions; a new attack technique called Message Modification was applied to differential attacks on SHA-0 and SHA-1 in 2004, after which research on hash function security became very active. Determining the limits of this attack is important from the standpoint of hash function design as well. Aiming at hash function design, this thesis sets and studies the following five research problems concerning Indiff. theory: 1. Rescuing MD with respect to SS security. 2. Rescuing IFRO-secure H with respect to MS security. 3. Speeding up Sponge. 4. Proposing an IFRO-secure H that uses a block cipher as P. 5. Improving Message Modification.
    Research problem 1. Although it is known that there exist Gs and C such that C^{MD^P} does not inherit Gs-security from C^{RO}, this does not necessarily hold for a specific important Gs and a practical cryptosystem C0. Moreover, given the importance of MD, it is desirable that C0^{MD^P} be G-secure. This work considers a weakened form of IFRO security, "Indifferentiable from Weakened RO (IFWRO)", and shows the following.
    - Define a WRO such that MD^P @ WRO. Once such a WRO is defined, Indiff. theory guarantees that for all Gs and all C, C^{MD^P} inherits Gs-security from C^{WRO}.
    - Next, show individually, for each important Gs and practical C0, that C0^{WRO} is Gs-secure.
    - From these two points, the Gs-security of C0^{MD^P} is guaranteed.
    Research problem 2. Although it is known that there exist Gm, C and H^P such that H^P @ RO holds and yet C^{H^P} does not inherit Gm-security from C^{RO}, this does not necessarily hold for a specific important Gm and a practical C0. Moreover, given the importance of Sponge and ChopMD, it is desirable that for H ∈ {Sponge, ChopMD}, each important Gm and each practical C0, C0^{H^P} inherits Gm-security from C0^{RO}. Reset Indifferentiability (Reset Indiff.) theory covers MS security and guarantees that if "the hash function H^P is Reset Indifferentiable from RO (RIFRO)" (written H^P @r RO), then for all Gm and all C, C^{H^P} inherits Gm-security from C^{RO}. However, for H ∈ {Sponge, ChopMD}, H^P is known not to be reset indifferentiable from RO. This work considers a weakened form of RIFRO security, "Reset Indifferentiable from WRO (Weakened RO)", and shows the following.
    - For every H ∈ {Sponge, ChopMD}, define a WRO such that H^P @r WRO. Once such a WRO is defined, Reset Indiff. theory guarantees that for all Gm and all C, C^{H^P} inherits Gm-security from C^{WRO}.
    - Next, show individually, for each important Gm and practical C0, that C0^{WRO} is Gm-secure.
    - By showing these two points, the Gm-security of C0^{H^P} is guaranteed.
    The University of Electro-Communications, 201

    Tweakable Blockciphers for Efficient Authenticated Encryptions with Beyond the Birthday-Bound Security

    Modular design via a tweakable blockcipher (TBC) offers efficient authenticated encryption (AE) schemes (with associated data) that call a blockcipher once for each data block (of associated data or a plaintext). However, the existing efficient blockcipher-based TBCs are secure up to the birthday bound, where the underlying keyed blockcipher is a secure strong pseudorandom permutation. Existing blockcipher-based AE schemes with beyond-birthday-bound (BBB) security are not efficient, that is, a blockcipher is called twice or more for each data block. In this paper, we present a TBC, XKX, that offers efficient blockcipher-based AE schemes with BBB security, by combining with efficient TBC-based AE schemes such as ΘCB3 an

    The Exact Security of PMAC with Three Powering-Up Masks

    PMAC is a rate-1, parallelizable, block-cipher-based message authentication code (MAC), proposed by Black and Rogaway (EUROCRYPT 2002). Improving the security bound is a main research topic for PMAC. In particular, showing a tight bound has been the primary goal of the research since Luykx et al.'s paper (EUROCRYPT 2016). Regarding the pseudo-random-function (PRF) security of PMAC, a collision of the hash function, or the difference between a random permutation and a random function, gives the lower bound Ω(q^2/2^n) for q queries and block cipher size n. Regarding the MAC security (unforgeability), a hash collision among MAC queries, or guessing a tag, gives the lower bound Ω(q_m^2/2^n + q_v/2^n) for q_m MAC queries and q_v verification queries (forgery attempts). The tight upper bound O(q^2/2^n) on the PRF security of PMAC was given by Gaži et al. (ToSC 2017, Issue 1), but their proof requires a 4-wise independent masking scheme that uses 4 n-bit random values. Open problems from their work are: (1) find a masking scheme with three or fewer random values with which PMAC has the tight upper bound for PRF security; (2) find a masking scheme with which PMAC has the tight upper bound for MAC security. In this paper, we consider PMAC with three powering-up masks, which uses three random values for the masking scheme. We show that this PMAC has the tight upper bound O(q^2/2^n) for PRF security, answering open problem (1), and the tight upper bound O(q_m^2/2^n + q_v/2^n) for MAC security, answering open problem (2). Note that these results deal with two-key PMAC; showing tight upper bounds for PMAC with a single key and/or with two (or one) powering-up masks remains an open problem

    Blockcipher-based Double-length Hash Functions for Pseudorandom Oracles

    The notion of PRO (pseudorandom oracle) is an important security notion for hash functions, because a PRO hash function inherits all properties of a random oracle up to the PRO bound (e.g., security against generic attacks, collision resistance, preimage resistance, and so on). In this paper, we propose a new block-cipher-based double-length hash function for PROs. Our hash function uses a single block cipher, which encrypts an n-bit string using a 2n-bit key, and maps an input of arbitrary length to a 2n-bit output. Since many block ciphers support a 2n-bit key (e.g., AES supports a 256-bit key), the assumption of a block cipher with a 2n-bit key is acceptable. We prove that our hash function is PRO up to O(2^n) query complexity as long as the block cipher is an ideal cipher. To our knowledge, this is the first double-length hash function based on a single (practical-size) block cipher with birthday-type PRO security

    Hemoglobin vesicles prolong the time to circulatory collapse in apneic rats

    BACKGROUND: Hemoglobin vesicles (HbV) are hemoglobin-based oxygen carriers manufactured by liposome encapsulation of hemoglobin molecules. We hypothesised that the infusion of oxygenated HbV could prolong the time to circulatory collapse during apnea in rats. METHODS: Twenty-four Sprague-Dawley rats were randomly divided into four groups (Air, Oxy, NS and HbV). The rats were anaesthetized with isoflurane and the trachea was intubated using 14-gauge intravenous catheters. Rats in the Air group were mechanically ventilated with 1.5% isoflurane in room air, and those in the other groups received 1.5% isoflurane in 100% oxygen. Mechanical ventilation was withdrawn 1 min after the administration of rocuronium bromide to induce apnea. After 30 s, 6 mL saline and HbV boluses were infused at a rate of 0.1 mL/s in the NS and HbV groups, respectively. Circulatory collapse was defined as a pulse pressure < 20 mmHg, and the time to reach this point (PP20) was compared between the groups. The results were analysed via a one-way analysis of variance and post-hoc Holm-Sidak test. RESULTS: PP20 times were 30.4 ± 4.2 s, 67.5 ± 9.7 s, 95 ± 17.3 s and 135 ± 38.2 s for the Air (ventilated in room air with no fluid bolus), Oxy (ventilated with 100% oxygen with no fluid bolus), NS (ventilated with 100% oxygen with a normal saline bolus), and HbV (ventilated in 100% oxygen with an HbV bolus) groups, respectively, and differed significantly between the four groups (P = 0.0001). The PP20 times in the HbV group were significantly greater than in the Air (P = 0.0001), Oxy (P = 0.007) and NS (P = 0.04) groups. CONCLUSION: Infusion of oxygenated HbV prolongs the time to circulatory collapse during apnea in rats. Doctor of Medicine, Kou No. 680, 15 March 2018 (Heisei 30). © The Author(s). 2017 Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The Creative Commons Public Domain Dedication waiver (http://creativecommons.org/publicdomain/zero/1.0/) applies to the data made available in this article, unless otherwise stated

    New Bounds for Keyed Sponges with Extendable Output: Independence between Capacity and Message Length

    We provide new bounds for the pseudo-random function security of keyed sponge constructions. For the case c ≤ b/2 (c the capacity and b the permutation size), our result improves over all previously known bounds. A remarkable aspect of our bound is that the dependence between capacity and message length is removed, partially solving the open problem posed by Gaži et al. at CRYPTO 2015. Our bound is essentially tight, matching the two types of attacks pointed out by Gaži et al. For the case c > b/2, Gaži et al.'s bound remains the best for the case of single-block output, but for keyed sponges with extendable outputs, our result partly (when query complexity is relatively large) provides better security than Mennink et al.'s bound presented at ASIACRYPT 2015

    How to Construct Cryptosystems and Hash Functions in Weakened Random Oracle Models

    In this paper, we discuss how to construct secure cryptosystems and secure hash functions in weakened random oracle models.
    The weakened random oracle model (WROM), which was introduced by Numayama et al. at PKC 2008, is a random oracle with several weaknesses. Though the security of cryptosystems in the random oracle model (ROM) has been discussed sufficiently, the same is not true for WROM: only a few cryptosystems have been proven secure in WROM. In this paper, we propose a new conversion that converts any cryptosystem secure in ROM to a new cryptosystem that is secure in the first-preimage-tractable random oracle model (FPTROM) without re-proof. FPTROM is ROM without preimage resistance and so is the weakest of the WROM models. Since there are many secure cryptosystems in ROM, our conversion can yield many cryptosystems secure in FPTROM.
    The fixed-input-length weakened random oracle model (FILWROM), introduced by Liskov at SAC 2006, reflects the known weaknesses of compression functions. We propose new hash functions that are indifferentiable from a random oracle (RO) when the underlying compression function is modeled by a two-way partially-specified preimage-tractable fixed-input-length random oracle model (WFILROM). WFILROM is FILROM without two types of preimage resistance and is the weakest of the FILWROM models. The proposed hash functions are more efficient than the existing hash functions that are indifferentiable from RO when the underlying compression function is modeled by WFILROM

    Secret Can Be Public: Low-Memory AEAD Mode for High-Order Masking

    We propose a new AEAD mode of operation as an efficient countermeasure against side-channel attacks. Our mode achieves the smallest memory with high-order masking by minimizing the states that are duplicated in masking. An s-bit key-dependent state is necessary for achieving s-bit security, and conventional schemes always protect the entire s bits with masking. We reduce the protected state size by introducing an unprotected state within the key-dependent state: we protect only one half and give the other half to a side-channel adversary. Ensuring independence between the unprotected and protected states is the key technical challenge, since mixing these states reveals the protected state to the adversary. We propose a new mode, HOMA, that achieves s-bit security using a tweakable block cipher with an s/2-bit block size. We also propose a new primitive for instantiating HOMA with s = 128 by extending the SKINNY tweakable block cipher to a 64-bit plaintext block, a 128-bit key, and a (256+3)-bit tweak. We perform a hardware performance evaluation by implementing HOMA with high-order masking for d ≤ 5. For any d > 0, HOMA outperforms the current state-of-the-art PFB_Plus, reducing the circuit area by more than the area of an entire S-box

    Committing Security of Ascon: Cryptanalysis on Primitive and Proof on Mode

    Context-committing security of authenticated encryption (AE), which prevents a ciphertext from being decrypted under distinct decryption contexts (K, N, A), comprising a key K, a nonce N, and associated data A, is an active research field motivated by several real-world attacks. In this paper, we study the context-committing security of Ascon, the lightweight permutation-based AE selected by the NIST LWC in 2023, through cryptanalysis on the primitive and a proof on the mode. The attacker's goal is to find a collision of a ciphertext and a tag under distinct decryption contexts, where the attacker can control all the parameters including the key. First, we propose new attacks on the primitive that inject differences in N and A. The new attack on Ascon-128 improves the number of rounds from 2 to 3 and practically generates distinct decryption contexts. The new attack also works with practical complexity on 3 rounds of Ascon-128a. Second, we prove the context-committing security of Ascon with zero padding, namely Ascon-zp, in the random permutation model. Ascon-zp achieves min{(t + z)/2, (n + t − k − ν)/2, c/2}-bit security with a t-bit tag, z-bit padding, an n-bit state, a ν-bit nonce, and a c-bit inner part. This bound corresponds to min{64 + z/2, 96} for Ascon-128 and Ascon-128a, and min{64 + z/2, 80} for Ascon-80pq. The original Ascon (z = 0) achieves 64-bit security, bounded by a generic birthday attack. By appending zeroes to the plaintext, the security can be raised up to 96 bits for Ascon-128 and Ascon-128a and 80 bits for Ascon-80pq