-
Mitsuru MATSUI
2008 Volume E91.A Issue 1 Pages
1-2
Published: January 01, 2008
Released on J-STAGE: July 01, 2018
JOURNAL
RESTRICTED ACCESS
-
Toshihiro OHIGASHI, Yoshiaki SHIRAISHI, Masakatu MORII
Article type: PAPER
Subject area: Symmetric Cryptography
2008 Volume E91.A Issue 1 Pages
3-11
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
In a key scheduling algorithm (KSA) of stream ciphers, a secret key is expanded into a large initial state. An internal state reconstruction method is known as a general attack against stream ciphers; it recovers the initial state from a given pair of plaintext and ciphertext more efficiently than exhaustive key search. If the method succeeds, then it is desirable that the inverse of KSA is infeasible in order to avoid the leakage of the secret key information. This paper shows that it is easy to compute a secret key from an initial state of RC4. We propose a method to recover an
l-bit secret key from only the first
l bits of the initial state of RC4 using linear equations with the time complexity less than that of one execution of KSA. It can recover the secret keys of which number is 2
103.6 when the size of the secret key is 128bits. That is, the 128-bit secret key can be recovered with a high probability when the first 128bits of the initial state are determined using the internal state reconstruction method.
View full abstract
-
Yibo FAN, Jidong WANG, Takeshi IKENAGA, Yukiyasu TSUNOO, Satoshi GOTO
Article type: PAPER
Subject area: Symmetric Cryptography
2008 Volume E91.A Issue 1 Pages
12-21
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
H.264/AVC is the newest video coding standard. There are many new features in it which can be easily used for video encryption. In this paper, we propose a new scheme to do video encryption for H.264/AVC video compression standard. We define Unequal Secure Encryption (USE) as an approach that applies different encryption schemes (with different security strength) to different parts of compressed video data. This USE scheme includes two parts:
video data classification and
unequal secure video data encryption. Firstly, we classify the video data into two partitions: Important data partition and unimportant data partition. Important data partition has small size with high secure protection, while unimportant data partition has large size with low secure protection. Secondly, we use AES as a block cipher to encrypt the important data partition and use LEX as a stream cipher to encrypt the unimportant data partition. AES is the most widely used symmetric cryptography which can ensure high security. LEX is a new stream cipher which is based on AES and its computational cost is much lower than AES. In this way, our scheme can achieve both high security and low computational cost. Besides the USE scheme, we propose a low cost design of hybrid AES/LEX encryption module. Our experimental results show that the computational cost of the USE scheme is low (about 25% of naive encryption at
Level 0 with VEA used). The hardware cost for hybrid AES/LEX module is 4678 Gates and the AES encryption throughput is about 50Mbps.
View full abstract
-
Hidema TANAKA
Article type: PAPER
Subject area: Symmetric Cryptography
2008 Volume E91.A Issue 1 Pages
22-29
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
We focus on the relationship between the linearization method and linear complexity and show that the linearization method is another effective technique for calculating linear complexity. We analyze its effectiveness by comparing with the logic circuit method. We compare the relevant conditions and necessary computational cost with those of the Berlekamp-Massey algorithm and the Games-Chan algorithm. The significant property of a linearization method is that it needs no output sequence from a pseudo-random number generator (PRNG) because it calculates linear complexity using the algebraic expression of its algorithm. When a PRNG has
n [bit] stages (registers or internal states), the necessary computational cost is smaller than
O(2
n). On the other hand, the Berlekamp-Massey algorithm needs
O(
N2) where
N(≅2
n) denotes period. Since existing methods calculate using the output sequence, an initial value of PRNG influences a resultant value of linear complexity. Therefore, a linear complexity is generally given as an estimate value. On the other hand, a linearization method calculates from an algorithm of PRNG, it can determine the lower bound of linear complexity.
View full abstract
-
Tetsu IWATA, Tohru YAGI, Kaoru KUROSAWA
Article type: PAPER
Subject area: Symmetric Cryptography
2008 Volume E91.A Issue 1 Pages
30-38
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
KASUMI is a blockcipher that forms the heart of the 3GPP confidentiality and integrity algorithms. In this paper, we study the security of the five-round KASUMI type permutations, and derive a highly non-trivial security bound against adversaries with adaptive chosen plaintext and chosen ciphertext attacks. To derive our security bound, we heavily use the tools from graph theory. However the result does not show its super-pseudorandomness, this gives us a strong evidence that the design of KASUMI is sound.
View full abstract
-
Kazuhiro SUZUKI, Dongvu TONIEN, Kaoru KUROSAWA, Koji TOYOTA
Article type: PAPER
Subject area: Hash Functions
2008 Volume E91.A Issue 1 Pages
39-45
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
In this paper, we study multi-collision probability. For a hash function
H:
D→
R with |
R|=
n, it has been believed that we can find an
s-collision by hashing
Q=
n(s-1)/s times. We first show that this probability is at most 1/
s! for any
s, which is very small for large
s. (for example,
s=
n(s-1)/s) Thus the above folklore is wrong for large
s. We next show that if
s is small, so that we can assume
Q-
s≈
Q, then this probability is at least 1/
s!-1/2(
s!)
2, which is very high for small
s (for example,
s is a constant). Thus the above folklore is true for small
s. Moreover, we show that by hashing (
s!)
1/s×
Q+
s-1(≤
n) times, an
s-collision is found with probability approximately 0.5 for any
n and
s such that (
s!/
n)
1/s≈0. Note that if
s=2, it coincides with the usual birthday paradox. Hence it is a generalization of the birthday paradox to multi-collisions.
View full abstract
-
Yusuke NAITO, Kazuo OHTA, Noboru KUNIHIRO
Article type: PAPER
Subject area: Hash Functions
2008 Volume E91.A Issue 1 Pages
46-54
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
In this paper, we discuss the collision search for hash functions, mainly in terms of their advanced message modification. The advanced message modification is a collision search tool based on Wang et al.'s attacks. Two advanced message modifications have previously been proposed: cancel modification for MD4 and MD5, and propagation modification for SHA-0. In this paper, we propose a new concept of advanced message modification,
submarine modification. As a concrete example combining the ideas underlying these modifications, we apply submarine modification to the collision search for SHA-0. As a result, we show that this can reduce the collision search attack complexity from 2
39 to 2
36 SHA-0 compression operations.
View full abstract
-
Yu SASAKI, Lei WANG, Noboru KUNIHIRO, Kazuo OHTA
Article type: PAPER
Subject area: Hash Functions
2008 Volume E91.A Issue 1 Pages
55-63
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
In 2005, collision resistance of several hash functions was broken by Wang et al. The strategy of determining message differences is the most important part of collision attacks against hash functions. So far, many researchers have tried to analyze Wang et al.'s method and proposed improved collision attacks. Although several researches proposed improved attacks, all improved results so far were based on the same message differences proposed by Wang et al. In this paper, we propose new message differences for collision attacks on MD4 and MD5. Our message differences of MD4 can generate a collision with complexity of less than two MD4 computations, which is faster than the original Wang et al.'s attack, and moreover, than the all previous attacks. This is the first result that improves the complexity of collision attack by using different message differences from Wang et al.'s. Regarding MD5, so far, no other message difference from Wang et al.'s is known. Therefore, study for constructing method of other message differences on MD5 should be interesting. Our message differences of MD5 generates a collision with complexity of 2
42 MD5 computations, which is slower than the latest best attack. However, since our attack needs only 1 bit difference, it has some advantages in terms of message freedom of collision messages.
View full abstract
-
Yasumasa HIRAI, Takashi KUROKAWA, Shin'ichiro MATSUO, Hidema TANAKA, A ...
Article type: PAPER
Subject area: Hash Functions
2008 Volume E91.A Issue 1 Pages
64-73
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
Cryptographic hash functions have been widely studied and are used in many current systems. Though much research has been done on the security of hash functions, system designers cannot determine which hash function is most suitable for a particular system. The main reason for this is that the current security classification does not correspond very well to the security requirements of practical systems. This paper describes a new classification which is more suitable for designing real-life systems. This classification is the result of a new qualitative classification and a new quantitative classification. We show a mapping between each class and standard protocols. In addition, we show new requirements for four types of hash function for a future standard.
View full abstract
-
Shoichi HIROSE
Article type: PAPER
Subject area: Hash Functions
2008 Volume E91.A Issue 1 Pages
74-82
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
In this article, we discuss the security of double-block-length (DBL) hash functions against the free-start collision attack. We focus on the DBL hash functions composed of compression functions of the form
F(
x)=(
f(
x),
f(
p(
x))), where
f is a smaller compression function and
p is a permutation. We first show, in the random oracle model, that a significantly good upper bound can be obtained on the success probability of the free-start collision attack with sufficient conditions on
p and the set of initial values. We also show that a similar upper bound can be obtained in the ideal cipher model if
f is composed of a block cipher.
View full abstract
-
Eiichiro FUJISAKI, Koutarou SUZUKI
Article type: PAPER
Subject area: Signatures
2008 Volume E91.A Issue 1 Pages
83-93
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
The ring signature allows a signer to leak secrets anonymously, without the risk of identity escrow. At the same time, the ring signature provides great flexibility: No group manager, no special setup, and the dynamics of group choice. The ring signature is, however, vulnerable to malicious or irresponsible signers in some applications, because of its anonymity. In this paper, we propose a traceable ring signature scheme. A traceable ring scheme is a ring signature except that it can restrict “excessive” anonymity. The traceable ring signature has a
tag that consists of a list of ring members and an
issue that refers to, for instance, a social affair or an election. A ring member can make any signed but anonymous opinion regarding the issue, but only once (per tag). If the member submits another signed opinion, possibly pretending to be another person who supports the first opinion, the identity of the member is immediately revealed. If the member submits the same opinion, for instance, voting “yes” regarding the same issue twice, everyone can see that these two are linked. The traceable ring signature can suit to many applications, such as an anonymous voting on a BBS. We formalize the security definitions for this primitive and show an efficient and simple construction in the random oracle model.
View full abstract
-
Isamu TERANISHI, Takuro OYAMA, Wakaha OGATA
Article type: PAPER
Subject area: Signatures
2008 Volume E91.A Issue 1 Pages
94-106
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
We say that a signature scheme is strongly existentially unforgeable (SEU) if no adversary, given message/signature pairs adaptively, can generate a signature on a new message or a new signature on a previously signed message. We propose a general and efficient conversion in the standard model that transforms a secure signature scheme to SEU signature scheme. In order to construct that conversion, we use a chameleon commitment scheme. Here a chameleon commitment scheme is a variant of commitment scheme such that one can change the committed value after publishing the commitment if one knows the secret key. We define the chosen message security notion for the chameleon commitment scheme, and show that the signature scheme transformed by our proposed conversion satisfies the SEU property if the chameleon commitment scheme is chosen message secure. By modifying the proposed conversion, we also give a general and efficient conversion in the random oracle model, that transforms a secure signature scheme into a SEU signature scheme. This second conversion also uses a chameleon commitment scheme but only requires the key only attack security for it.
View full abstract
-
Yuichi KOMANO, Kazuo OHTA, Atsushi SHIMBO, Shinichi KAWAMURA
Article type: PAPER
Subject area: Signatures
2008 Volume E91.A Issue 1 Pages
107-118
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
We first model the formal security model of multisignature scheme following that of group signature scheme. Second, we prove that the following three probabilistic multisignature schemes based on a trapdoor permutation have tight security; PFDH (probabilistic full domain hash) based multisignature scheme (PFDH-MSS), PSS (probabilistic signature scheme) based multisignature scheme (PSS-MSS), and short signature PSS based multisignature scheme (S-PSS-MSS). Third, we give an optimal proof (general result) for multisignature schemes, which derives the lower bound for the length of random salt. We also estimate the upper bound for the length in each scheme and derive the optimal length of a random salt. Two of the schemes are promising in terms of security tightness and optimal signature length. In appendix, we describe a multisignature scheme using the claw-free permutation and discuss its security.
View full abstract
-
Dae Hyun YUM, Pil Joong LEE
Article type: PAPER
Subject area: Protocols
2008 Volume E91.A Issue 1 Pages
119-126
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
A fair exchange scheme is a protocol by which two parties Alice and Bob exchange items or services without allowing either party to gain advantages by quitting prematurely or otherwise misbehaving. To this end, modern cryptographic solutions use a semi-trusted arbitrator who involves only in cases where one party attempts to cheat or simply crashes. We call such a fair exchange scheme
optimistic. When no registration is required between the signer and the arbitrator, we say that the fair exchange scheme is
setup free. To date, the setup-free optimist fair exchange scheme under the standard RSA assumption was only possible from the generic construction of [12], which uses ring signatures. In this paper, we introduce a new setup-free optimistic fair exchange scheme under the standard RSA assumption. Our scheme uses the GQ identity-based signature and is more efficient than [12]. The construction can also be generalized by using various identity-based signature schemes. Our main technique is to allow each user to choose his (or her) own “random” public key in the identitybased signature scheme.
View full abstract
-
Jun KURIHARA, Shinsaku KIYOMOTO, Kazuhide FUKUSHIMA, Toshiaki TANAKA
Article type: PAPER
Subject area: Protocols
2008 Volume E91.A Issue 1 Pages
127-138
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
In Shamir's (
k,
n)-threshold secret sharing scheme [1], a heavy computational cost is required to make
n shares and recover the secret from
k shares. As a solution to this problem, several fast threshold schemes have been proposed. However, there is no fast
ideal (
k,
n)-threshold scheme, where
k≥3 and
n is arbitrary. This paper proposes a new fast (3,
n)-threshold scheme by using just EXCLUSIVE-OR (XOR) operations to make shares and recover the secret, which is an
ideal secret sharing scheme similar to Shamir's scheme. Furthermore, we evaluate the efficiency of the scheme, and show that it is more efficient than Shamir's in terms of computational cost. Moreover, we suggest a fast (
k,
n)-threshold scheme can be constructed in a similar way by increasing the sets of random numbers constructing pieces of shares.
View full abstract
-
SeongHan SHIN, Kazukuni KOBARA, Hideki IMAI
Article type: PAPER
Subject area: Protocols
2008 Volume E91.A Issue 1 Pages
139-149
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
In this paper, we propose a leakage-resilient and proactive authenticated key exchange (called LRP-AKE) protocol for credential services which provides not only a higher level of security against leakage of stored secrets but also secrecy of private key with respect to the involving server. And we show that the LRP-AKE protocol is provably secure in the random oracle model with the reduction to the computational Difie-Hellman problem. In addition, we discuss about some possible applications of the LRP-AKE protocol.
View full abstract
-
Koji CHIDA, Go YAMAMOTO
Article type: PAPER
Subject area: Protocols
2008 Volume E91.A Issue 1 Pages
150-159
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
This paper presents batch processing protocols for efficiently proving a great deal of partial knowledge. These protocols reduce the computation and communication costs for a MIX-net and secure circuit evaluation. The efficiency levels of the proposed protocols are estimated based on the implementation results of a secure circuit evaluation with batch processing.
View full abstract
-
Sung-Shiou SHEN, Jung-Hui CHIU
Article type: PAPER
Subject area: Side Channel Attacks
2008 Volume E91.A Issue 1 Pages
160-167
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
Advances in smart card technology encourages smart card use in more sensitive applications, such as storing important information and securing application. Smart cards are however vulnerable to side channel attacks. Power consumption and electromagnetic radiation of the smart card can leak information about the secret data protected by the smart card. Our paper describes two possible hardware countermeasures that protect against side channel information leakage. We show that power analysis can be prevented by adopting photo-coupling techniques. This method involves the use of LED with photovoltaic cells and photo-couplers on the power, reset, I/O and clock lines of the smart card. This method reduces the risk of internal data bus leakage on the external data lines. Moreover, we also discuss the effectiveness of reducing electromagnetic radiation by using embedded metal plates.
View full abstract
-
Katsuyuki OKEYA
Article type: PAPER
Subject area: Side Channel Attacks
2008 Volume E91.A Issue 1 Pages
168-175
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
HMAC is one of the most famous keyed hash functions, and widely utilized. In order to design secure hash functions, we often use PGV construction consisting of 64 schemes, each of which utilizes a block cipher. If the underlying block cipher is ideal, 12 schemes are proven to be secure. In this paper, we evaluate the security of these schemes in view of side channel attacks. As it turns out, HMACs based on 11 out of 12 secure PGV schemes are vulnerable to side channel attacks,
even if the underlying block cipher is secure against side channel attacks. These schemes are classified into two groups based on their vulnerabilities. For the first group which contains 8 schemes, we show that the attacker can reveal the whole key of HMAC, and selectively forge in consequence. For the other group which contains 3 schemes, we specify the importance of the execution sequence for the inner operations of the scheme, and refine it. If wrong orders of operations are used, the attacker can reveal a portion of the key of HMAC. Hence, the use of HMACs based on such PGV schemes as they are is not recommended when the resistance against side channel attacks is necessary.
View full abstract
-
Minoru SAEKI, Daisuke SUZUKI
Article type: PAPER
Subject area: Side Channel Attacks
2008 Volume E91.A Issue 1 Pages
176-183
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
In recent years, some countermeasures have been proposed against differential power analysis (DPA) at the basic composition element level of logic circuits. We propose a countermeasure named random switching logic (RSL). RSL involves computation with data masking using a single logic gate and suppression of transient transitions using EN-ABLE signals generated independently of input data. Recently, some countermeasures that were proposed against DPA, such as MRSL and DRSL, adopted the concept of RSL. Although MRSL is based on RSL, it uses a different method to suppress the transient transitions. DRSL uses RSL to avoid the possibility of leakage caused by a difference in delays occurring in MDPL that combines dual-rail circuits with random masking. The important difference between these countermeasures and RSL is that they can vary the output transition timing depending on the input data patterns. In this paper, we focus on this feature to evaluate the DPA resistance of MRSL and DRSL. Experiments are also conducted on DPA resistance by using an FPGA to verify the evaluation results. It is confirmed that in both MRSL and DRSL, there is a possibility of leakage if a sufficient difference in delays exists in input signals.
View full abstract
-
Daisuke SUZUKI, Minoru SAEKI
Article type: PAPER
Subject area: Side Channel Attacks
2008 Volume E91.A Issue 1 Pages
184-192
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
In recent years, certain countermeasures against differential power analysis (DPA) at the logic level have been proposed. Recently, Popp and Mangard proposed a new countermeasure-masked dual-rail pre-charge logic (MDPL); this countermeasure combines dual-rail circuits with random masking to improve the wave dynamic differential logic (WDDL). They claimed that it could implement secure circuits using a standard CMOS cell library without special constraints for the place-and-route method because the difference between the loading capacitances of all the pairs of complementary logic gates in MDPL can be compensated for by the random masking. In this paper, we particularly focus on the signal transition of MDPL gates and evaluate the DPA-resistance of MDPL in detail. Our evaluation results reveal that when the input signals have different delay times, leakage occurs in the MDPL as well as WDDL gates, even if MDPL is effective in reducing the leakage caused by the difference in loading capacitances. Furthermore, in order to validate our evaluation, we demonstrate a problem with different input signal delays by conducting measurements for an FPGA.
View full abstract
-
Naofumi HOMMA, Sei NAGASHIMA, Takeshi SUGAWARA, Takafumi AOKI, Akashi ...
Article type: PAPER
Subject area: Side Channel Attacks
2008 Volume E91.A Issue 1 Pages
193-202
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
This paper presents an enhanced side-channel attack using a phase-based waveform matching technique. Conventionally, side-channel attacks such as Simple Power Analysis (SPA) and Differential Power Analysis (DPA) capture signal waveforms (e. g., power traces) with a trigger signal or a system clock, and use a statistical analysis of the waveforms to reduce noise and to retrieve secret information. However, the waveform data often includes displacement errors, and this degrades the accuracy of the statistical analysis. The use of a Phase-Only Correlation (POC) technique makes it possible to estimate the displacements between the signal waveforms with higher resolution than the sampling resolution. The accuracy of side-channel attacks can be enhanced using the POC-based matching method. Also, a popular DPA countermeasure of creating distorted waveforms with random delays can be defeated by our method. In this paper, we demonstrate the advantages of the proposed method in comparison with conventional approaches of experimental DPA and Differential ElectroMagnetic Analysis (DEMA) against DES software and hardware implementations.
View full abstract
-
Masayuki YOSHINO, Katsuyuki OKEYA, Camille VUILLAUME
Article type: PAPER
Subject area: Implementation
2008 Volume E91.A Issue 1 Pages
203-210
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
We present a novel approach for computing 2
n-bit Montgomery multiplications with
n-bit hardware Montgomery multipliers. Smartcards are usually equipped with such hardware Montgomery multipliers; however, due to progresses in factoring algorithms, the recommended bit length of public-key schemes such as RSA is steadily increasing, making the hardware quickly obsolete. Thanks to our double-size technique, one can re-use the existing hardware while keeping pace with the latest security requirements. Unlike the other double-size techniques which rely on
classical n-bit modular multipliers, our idea is tailored to take advantage of
n-bit
Montgomery multipliers. Thus, our technique increases the perenniality of existing products without compromises in terms of security.
View full abstract
-
Shuichi ICHIKAWA, Takashi SAWADA, Hisashi HATA
Article type: PAPER
Subject area: Implementation
2008 Volume E91.A Issue 1 Pages
211-220
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
By diversifying processor architecture, computer software is expected to be more resistant to plagiarism, analysis, and attacks. This study presents a new method to diversify instruction set architecture (ISA) by utilizing the redundancy in the instruction set. Our method is particularly suited for embedded systems implemented with FPGA technology, and realizes a genuine instruction set randomization, which has not been provided by the preceding studies. The evaluation results on four typical ISAs indicate that our scheme can provide a far larger degree of freedom than the preceding studies. Diversified processors based on MIPS architecture were actually implemented and evaluated with Xilinx Spartan-3 FPGA. The increase of logic scale was modest: 5.1% in Specialized design and 3.6% in RAM-mapped design. The performance overhead was also modest: 3.4% in Specialized design and 11.6% in RAM-mapped design. From these results, our scheme is regarded as a practical and promising way to secure FPGA-based embedded systems.
View full abstract
-
Masaaki SHIRASE, Tsuyoshi TAKAGI, Eiji OKAMOTO
Article type: PAPER
Subject area: Implementation
2008 Volume E91.A Issue 1 Pages
221-228
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
Recently Tate pairing and its variations are attracted in cryptography. Their operations consist of a main iteration loop and a final exponentiation. The final exponentiation is necessary for generating a unique value of the bilinear pairing in the extension fields. The speed of the main loop has become fast by the recent improvements, e. g., the Duursma-Lee algorithm and η
T pairing. In this paper we discuss how to enhance the speed of the final exponentiation of the η
T pairing in the extension field F
36n. Indeed, we propose some efficient algorithms using the torus
T2(F
33n) that can efficiently compute an inversion and a powering by 3
n+1. Consequently, the total processing cost of computing the η
T pairing can be reduced by 16% for
n=97.
View full abstract
-
Mohammad Mesbah UDDIN, Yasunobu NOHARA, Daisuke IKEDA, Hiroto YASUURA
Article type: PAPER
Subject area: Implementation
2008 Volume E91.A Issue 1 Pages
229-235
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
A multi-application smart card system consists of an issuer, service vendors and cardholders, where cardholders are recipients of smart cards (from the issuer) to be used in connection with applications offered by service vendors. Authentic post-issuance program modification is necessary for a multi-application smart card system because applications in the system are realized after the issuance of a smart card. In this paper, we propose a system where only authentic modification is possible. In the proposed system, the smart card issuer stores a unique long bitstring called PID in a smart card. The smart card is then given to the cardholder. A unique substring of the PID (subPID) is shared between the cardholder and a corresponding service vendor. Another subPID is shared between the issuer and the cardholder. During program modification, a protocol using the subPlDs, a one-way hash function and a pseudorandom number generator function verifies the identity of the parties and the authenticity of the program.
View full abstract
-
Soonhak KWON, Taekyoung KWON, Young-Ho PARK
Article type: PAPER
Subject area: Implementation
2008 Volume E91.A Issue 1 Pages
236-243
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
We propose a new linear array for multiplication in
GF (2
m) which outperforms most of the existing linear multipliers in terms of the area and time complexity. Moreover we will give a very detailed comparison of our array with other existing architectures for the five binary fields
GF (2
m),
m=163,233,283,409,571, recommended by NIST for elliptic curve cryptography.
View full abstract
-
Isamu TERANISHI, Wakaha OGATA
Article type: PAPER
Subject area: Security Notions
2008 Volume E91.A Issue 1 Pages
244-261
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
Recently, Bellare and Palacio defined the plaintext awareness (PA-ness) in the standard model. In this paper, we study the relationship between the standard model PA-ness and the property about message hiding, that is, IND-CPA. Although these two notions seem to be independent at first glance, we show that PA-ness in the standard model implies the IND-CPA security if the encryption function is oneway. By using this result, we also showed that “PA+Oneway⇒IND-CCA2.” We also show that the computational PA-ness notion is strictly stronger than the statistical one.
View full abstract
-
Ryo NISHIMAKI, Yoshifumi MANABE, Tatsuaki OKAMOTO
Article type: PAPER
Subject area: Security Notions
2008 Volume E91.A Issue 1 Pages
262-271
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
Identity-based encryption (IBE) is one of the most important primitives in cryptography, and various security notions of IBE (e. g., IND-ID-CCA2, NM-ID-CCA2, IND-sID-CPA etc.) have been introduced. The relations among them have been clarified recently. This paper, for the first time, investigates the security of IBE in the universally composable (UC) framework. This paper first defines the UC-security of IBE, i. e., we define the ideal functionality of IBE,
FIBE. We then show that UC-secure IBE is equivalent to conventionally-secure (IND-ID-CCA2-secure) IBE.
View full abstract
-
Miyako OHKUBO, Masayuki ABE
Article type: PAPER
Subject area: Security Notions
2008 Volume E91.A Issue 1 Pages
272-282
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
This paper studies the relations among several definitions of anonymity for ring signature schemes in the same attack environment. It is shown that one intuitive and two technical definitions we consider are asymptotically equivalent, and the indistinguishability-based technical definition is the strongest, i. e., the most secure when achieved, when the exact reduction cost is taken into account. We then extend our result to the threshold case where a subset of members cooperate to create a signature. The threshold setting makes the notion of anonymity more complex and yields a greater variety of definitions. We explore several notions and observe certain relation does not seem hold unlike the simple single-signer case. Nevertheless, we see that an indistinguishability-based definition is the most favorable in the threshold case. We also study the notion of linkability and present a simple scheme that achieves both anonymity and linkability.
View full abstract
-
Waka NAGAO, Yoshifumi MANABE, Tatsuaki OKAMOTO
Article type: PAPER
Subject area: Security Notions
2008 Volume E91.A Issue 1 Pages
283-297
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
KEM (Key Encapsulation Mechanism) and DEM (Data Encapsulation Mechanism) were introduced by Shoup to formalize the asymmetric encryption specified for key distribution and the symmetric encryption specified for data exchange in ISO standards on public-key encryption. Shoup defined the “semantic security (IND) against adaptive chosen ciphertext attacks (CCA2)” as a desirable security notion of KEM and DEM, that is, IND-CCA2 KEM and IND-CCA2 DEM. This paper defines “non-malleability (NM)” for KEM, which is a stronger security notion than IND. We provide three definitions of NM for KEM, and show that these three definitions are equivalent. We then show that NM-CCA2 KEM is equivalent to IND-CCA2 KEM. That is, we show that NM is equivalent to IND for KEM under CCA2 attacks, although NM is stronger than IND in the definition (or under some attacks like CCA1). In addition, this paper defines the universally composable (UC) security of KEM and DEM, and shows that IND-CCA2 KEM (or NM-CCA2 KEM) is equivalent to UC KEM and that “IND against adaptive chosen plaintext/ciphertext attacks (IND-P2-C2)” DEM is equivalent to UC DEM.
View full abstract
-
Koichi ITO, Akira NIKAIDO, Takafumi AOKI, Eiko KOSUGE, Ryota KAWAMATA, ...
Article type: PAPER
Subject area: Biometrics
2008 Volume E91.A Issue 1 Pages
298-305
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
In mass disasters such as earthquakes, fire disasters, tsunami, and terrorism, dental records have been used for identifying victims due to their processing time and accuracy. The greater the number of victims, the more time the identification tasks require, since a manual comparison between the dental radiograph records is done by forensic experts. Addressing this problem, this paper presents an efficient dental radiograph recognition system using Phase-Only Correlation (POC) for human identification. The use of phase components in 2D (two-dimensional) discrete Fourier transforms of dental radiograph images makes possible to achieve highly robust image registration and recognition. Experimental evaluation using a set of dental radiographs indicates that the proposed system exhibits efficient recognition performance for low-quality images.
View full abstract
-
Bagus SANTOSO, Noboru KUNIHIRO, Naoki KANAYAMA, Kazuo OHTA
Article type: PAPER
Subject area: Cryptanalysis
2008 Volume E91.A Issue 1 Pages
306-315
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
In this paper we propose an algorithm of factoring any integer
N which has
k different prime factors with the same bit-length, when about (1/
k+2+ε/
k-1)log
2N high-order bits of each prime factor are given. For a fixed ε, the running time of our algorithm is heuristic polynomial in (log
2N). Our factoring algorithm is based on a lattice-based algorithm of solving any
k-variate polynomial equation over Z, which might be an independent interest.
View full abstract
-
Kazuhide FUKUSHIMA, Shinsaku KIYOMOTO, Toshiaki TANAKA, Kouichi SAKURA ...
Article type: PAPER
Subject area: Cryptanalysis
2008 Volume E91.A Issue 1 Pages
316-329
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
Program analysis techniques have improved steadily over the past several decades, and software obfuscation schemes have come to be used in many commercial programs. A
software obfuscation scheme transforms an original program or a binary file into an obfuscated program that is more complicated and difficult to analyze, while preserving its functionality. However, the security of obfuscation schemes has not been properly evaluated. In this paper, we analyze obfuscation schemes in order to clarify the advantages of our scheme, the XOR-encoding scheme. First, we more clearly define five types of attack models that we defined previously, and define quantitative resistance to these attacks. Then, we compare the security, functionality and efficiency of three obfuscation schemes with encoding variables: (1) Sato et al.'s scheme with linear transformation, (2) our previous scheme with affine transformation, and (3) the XOR-encoding scheme. We show that the XOR-encoding scheme is superior with regard to the following two points: (1) the XOR-encoding scheme is more secure against a data-dependency attack and a brute force attack than our previous scheme, and is as secure against an information-collecting attack and an inverse transformation attack as our previous scheme, (2) the XOR-encoding scheme does not restrict the calculable ranges of programs and the loss of efficiency is less than in our previous scheme.
View full abstract
-
Shingo HASEGAWA, Hiroyuki HATANAKA, Shuji ISOBE, Eisuke KOIZUMI, Hirok ...
Article type: PAPER
Subject area: Cryptanalysis
2008 Volume E91.A Issue 1 Pages
330-337
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
This paper studies a method for transforming ordinary cryptographic primitives to new harder primitives. Such a method is expected to lead to general schemes that make present cryptosystems secure against the attack of quantum computers. We propose a general technique to construct a new function from an ordinary primitive function
f with a help of another hard function
g so that the resulting function is to be new hard primitives. We call this technique a lifting of
f by
g. We show that the lifted function is harder than original functions under some simple conditions.
View full abstract
-
Bo Gyeong KANG, Je Hong PARK
Article type: LETTER
2008 Volume E91.A Issue 1 Pages
338-341
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
In this letter, we provide a simple proof of bilinearity for the eta pairing. Based on it, we show an efficient method to compute the powered Tate pairing as well. Although efficiency of our method is equivalent to that of the Tate pairing on the eta pairing approach, but ours is more general in principle.
View full abstract
-
Shingo HASEGAWA, Shuji ISOBE, Hiroki SHIZUYA
Article type: LETTER
2008 Volume E91.A Issue 1 Pages
342-344
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
We define two functions
fDL and
fIF in NPMV, the class of all partial, multivalued functions computed nondeterministically in polynomial time. We prove that they are complete for NPMV, and show that (a) computing discrete logarithms modulo a prime reduces to
fDL, and (b) computing integer factorization reduces to
fIF. These are the first complete functions that have explicit reductions from significant cryptographic primitives.
View full abstract
-
Ki Hoon SHIN, Youngjin PARK
Article type: PAPER
Subject area: Engineering Acoustics
2008 Volume E91.A Issue 1 Pages
345-356
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
Human's ability to perceive elevation of a sound and distinguish whether a sound is coming from the front or rear strongly depends on the monaural spectral features of the pinnae. In order to realize an effective virtual auditory display by HRTF (head-related transfer function) customization, the pinna responses were isolated from the median HRIRs (head-related impulse responses) of 45 individual HRIRs in the CIPIC HRTF database and modeled as linear combinations of 4 or 5 basic temporal shapes (basis functions) per each elevation on the median plane by PCA (principal components analysis) in the time domain. By tuning the weight of each basis function computed for a specific height to replace the pinna response in the KEMAR HRIR at the same height with the resulting customized pinna response and listening to the filtered stimuli over headphones, 4 individuals with normal hearing sensitivity were able to create a set of HRIRs that outperformed the KEMAR HRIRs in producing vertical effects with reduced front/back ambiguity in the median plane. Since the monaural spectral features of the pinnae are almost independent of azimuthal variation of the source direction, similar vertical effects could also be generated at different azimuthal directions simply by varying the ITD (interaural time difference) according to the direction as well as the size of each individual's own head.
View full abstract
-
Chen-Chien HSU, Tsung-Chi LU, Heng-Chou CHEN
Article type: PAPER
Subject area: Systems and Control
2008 Volume E91.A Issue 1 Pages
357-364
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
In this paper, an evolutionary approach is proposed to obtain a discrete-time state-space interval model for uncertain continuous-time systems having interval uncertainties. Based on a worst-case analysis, the problem to derive the discrete interval model is first formulated as multiple mono-objective optimization problems for matrix-value functions associated with the discrete system matrices, and subsequently optimized via a proposed genetic algorithm (GA) to obtain the lower and upper bounds of the entries in the system matrices. To show the effectiveness of the proposed approach, roots clustering of the characteristic equation of the obtained discrete interval model is illustrated for comparison with those obtained via existing methods.
View full abstract
-
Chia-Chun TSAI, Jan-Ou WU, Trong-Yen LEE
Article type: PAPER
Subject area: VLSI Design Technology and CAD
2008 Volume E91.A Issue 1 Pages
365-374
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
This study has demonstrated that the clock tree construction in an SoC should be expanded to consider the intrinsic delay and skew of each IP's clock sink. A novel algorithm, called GDME, is proposed to combine grey relational clustering and DME approach for solving the problem of clock tree construction. Grey relational analysis can cluster the best pair of clock sinks and that guide a tapping point search for a DME algorithm for constructing a clock tree with zero skew and minimal delay. Experimentally, the proposed algorithm always obtains an RC-or RLC-based clock tree with zero skew and minimal delay for all the test cases and benchmarks. Experimental results demonstrate that the GDME improves up to 3.74% for total average in terms of total wire length compared with other DME algorithms. Furthermore, our results for the zero-skew RLC-based clock trees compared with Hspice are 0.017% and 0.2% lower for absolute average in terms of skew and delay, respectively.
View full abstract
-
Shih-Hsu HUANG, Chun-Hua CHENG
Article type: PAPER
Subject area: VLSI Design Technology and CAD
2008 Volume E91.A Issue 1 Pages
375-382
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
At the behavioral level, large power savings are possible by shutting down unused operations, which is commonly referred to as power management. However, operation scheduling has a significant impact on the potential for power saving via power management. In this paper, we present an integer linear programming (ILP) model to formally formulate the simultaneous application of operation scheduling and power management in high level synthesis. Our objective is to maximize the power saving under both the timing constraints and the resource constraints. Note that our approach guarantees solving the problem optimally. Compared with previous work, experimental data consistently show that our approach has significant relative improvement in the power savings.
View full abstract
-
Hirotoshi HONMA, Shigeru MASUYAMA
Article type: PAPER
Subject area: Algorithms and Data Structures
2008 Volume E91.A Issue 1 Pages
383-391
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
Let
G=(
V, E) be an undirected simple graph with
u∈
V. If there exist any two vertices in
G whose distance becomes longer when a vertex
u is removed, then
u is defined as a hinge vertex. Finding the set of hinge vertices in a graph is useful for identifying critical nodes in an actual network. A number of studies concerning hinge vertices have been made in recent years. In a number of graph problems, it is known that more efficient sequential or parallel algorithms can be developed by restricting classes of graphs. In this paper, we shall propose a parallel algorithm which runs in
O (log
n) time with
O (
n/log
n) processors on EREW PRAM for finding all hinge vertices of a circular-arc graph.
View full abstract
-
Kunihiko MIYAZAKI, Goichiro HANAOKA, Hideki IMAI
Article type: PAPER
Subject area: Cryptography and Information Security
2008 Volume E91.A Issue 1 Pages
392-402
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
A digital signature does not allow any alteration of the document to which it is attached. Appropriate alteration of some signed documents, however, should be allowed because there are security requirements other than the integrity of the document. In the disclosure of official information, for example, sensitive information such as personal information or national secrets is masked when an official document is sanitized so that its nonsensitive information can be disclosed when it is requested by a citizen. If this disclosure is done digitally by using the current digital signature schemes, the citizen cannot verify the disclosed information because it has been altered to prevent the leakage of sensitive information. The confidentiality of official information is thus incompatible with the integrity of that information, and this is called the
digital document sanitizing problem. Conventional solutions such as content extraction signatures and digitally signed document sanitizing schemes with disclosure condition control can either let the sanitizer assign disclosure conditions or hide the number of sanitized portions. The digitally signed document sanitizing scheme we propose here is based on the aggregate signature derived from bilinear maps and can do both. Moreover, the proposed scheme can sanitize a signed document
invisibly, that is, no one can distinguish whether the signed document has been sanitized or not.
View full abstract
-
Masaya OHTA, Hideyuki YAMADA, Katsumi YAMASHITA
Article type: PAPER
Subject area: Spread Spectrum Technologies and Applications
2008 Volume E91.A Issue 1 Pages
403-408
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
This paper proposes a novel Orthogonal frequency-division multiplexing (OFDM) system based on polynomial cancellation coded OFDM (PCC-OFDM). This proposed system can reduce peak-to-average power ratio (PAPR) by our neural phase rotator and it does not need any side information to transmit phase rotation factors. Moreover, this system can compensate the common phase error (CPE) by a proposed technique which allows estimating frequency offset at receiver. From numerical experiments, it is shown that our system can reduce PAPR and ICI at the same time and improve BER performance effectively.
View full abstract
-
Ching-Yuan YANG, Ken-Hao CHANG
Article type: LETTER
Subject area: VLSI Design Technology and CAD
2008 Volume E91.A Issue 1 Pages
409-412
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
An injection-locked clock recovery circuit (CRC) with quadrature outputs based on multiplexed oscillator is presented. The CRC can operate at a half-rate speed to provide an adequate locking range with reasonable jitter and power consumption because both clock edges sample the data waveforms. Implemented by 0.18-μm CMOS technique, experimental results demonstrate that it can achieve the phase noise of the recovered clock about -121.55dBc/Hz at 100-kHz offset and -129.58dBc/Hz at 1-MMz offset with ±25MHz lock range, while operating at the input data rate of 1.55Gb/s.
View full abstract
-
Taesoon PARK, Kwangho KIM
Article type: LETTER
Subject area: Reliability, Maintainability and Safety Analysis
2008 Volume E91.A Issue 1 Pages
413-416
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
Fault-tolerance is an important design issue in building a reliable mobile computing system. This paper considers checkpointing recovery services for a mobile computing system based on the ad-hoc network environment. Since potential problems of this new environment are insufficient power and limited storage capacity, the proposed scheme tries to reduce disk access frequency for saving recovery information, and also the amount of information saved for recovery. A brief simulation study has been performed and the results show that the proposed scheme takes advantage of the existing checkpointing recovery schemes.
View full abstract
-
Wenfeng JIANG, Lei HU, Xiangyong ZENG
Article type: LETTER
Subject area: Coding Theory
2008 Volume E91.A Issue 1 Pages
417-421
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
In this paper, a new family of binary sequences of period 2
n-1 with low correlation is proposed for integer
n=
em and even
m. The new family has family size 2
n+1 and maximum nontrivial correlation 2
n+
e/2+1 and 2
n+
e-1/2+1 for even and odd
e respectively. Especially, for
n=2
m and 3
m, we obtain a new family of binary sequences with maximum nontrivial correlation 2
n/2+1+1, and the obtained family is one of the binary families with best correlation among the known families with family size no less than their period 2
n-1 for even
n. Moreover, the correlation distribution of the new family is also determined.
View full abstract
-
Suckchel YANG, Yoan SHIN
Article type: LETTER
Subject area: Communication Theory and Signals
2008 Volume E91.A Issue 1 Pages
422-425
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
We propose an adaptive SLM scheme based on peak observation for PAPR reduction of OFDM signals. The proposed scheme is composed of three steps: peak scaling, sequence selection, and SLM procedures. In the first step, the peak signal samples in the IFFT outputs of the original input sequence are scaled down. In the second step, the sub-carrier positions where the power difference between the original input sequence and the FFT output of the scaled signal is large, are identified. Then, the phase sequences having the maximum number of phase-reversed sequence words only for these positions are selected. Finally, the generic SLM procedure is performed by using only the selected phase sequences for the original input sequence. Simulation results show that the proposed scheme significantly reduce the complexity in terms of IFFT and PAPR calculation than the conventional SLM, while maintaining the PAPR reduction performance.
View full abstract
-
Kyung Seung AHN
Article type: LETTER
Subject area: Communication Theory and Signals
2008 Volume E91.A Issue 1 Pages
426-429
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
In this letter, we analyze symbol error probability (SEP) and diversity gain of orthogonal space-time block codes (OSTBCs) in spatially correlated Rician fading channel. We derive the moment generating function (MGF) of an effective signal-to-noise ratio (SNR) at the receiver and use it to derive the SEP for
M-PSK modulation. We use this result to show that the diversity gain is achieved by the product of the rank of the transmit and receive correlation matrix, and the loss in array gain is quantified as a function of the spatial correlation and the line of sight (LOS) component.
View full abstract
-
Suckchel YANG, Dongwoo KANG, Young NAMGOONG, Yoan SHIN
Article type: LETTER
Subject area: Spread Spectrum Technologies and Applications
2008 Volume E91.A Issue 1 Pages
430-432
Published: January 01, 2008
Released on J-STAGE: March 01, 2010
JOURNAL
RESTRICTED ACCESS
We propose a simple asynchronous UWB (Ultra Wide Band) position location algorithm with low complexity, power consumption and processing delay. In the proposed algorithm, only a single RTTX (Round-Trip Transmission) of UWB pulses is utilized based on the ToA (Time of Arrival) principle. Hence, the proposed algorithm decreases power consumption and processing delay as compared to the basic ToA based on triple RTTXs. Moreover, unlike the TDoA (Time Difference of Arrival) algorithm, the proposed algorithm can perform the position location with low complexity since it does not require strict synchronization between multiple beacons. Simulation results using IEEE 802.15.4a UWB channel models reveal that the proposed algorithm achieves closely comparable position location performance of the basic ToA and TDoA algorithms.
View full abstract