IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
Online ISSN : 1745-1337
Print ISSN : 0916-8508
Volume E91.A , Issue 1
Special Section on Cryptography and Information Security
  • Mitsuru MATSUI
    2008 Volume E91.A Issue 1 Pages 1-2
    Published: January 01, 2008
    Released: July 01, 2018
  • Toshihiro OHIGASHI, Yoshiaki SHIRAISHI, Masakatu MORII
    Type: PAPER
    Subject area: Symmetric Cryptography
    2008 Volume E91.A Issue 1 Pages 3-11
    Published: January 01, 2008
    Released: March 01, 2010
    In a key scheduling algorithm (KSA) of stream ciphers, a secret key is expanded into a large initial state. An internal state reconstruction method is known as a general attack against stream ciphers; it recovers the initial state from a given pair of plaintext and ciphertext more efficiently than exhaustive key search. If the method succeeds, then it is desirable that the inverse of the KSA is infeasible in order to avoid leakage of the secret key information. This paper shows that it is easy to compute a secret key from an initial state of RC4. We propose a method to recover an l-bit secret key from only the first l bits of the initial state of RC4 using linear equations, with time complexity less than that of one execution of the KSA. The number of secret keys it can recover is 2^103.6 when the size of the secret key is 128 bits. That is, the 128-bit secret key can be recovered with high probability once the first 128 bits of the initial state have been determined using the internal state reconstruction method.
  • Yibo FAN, Jidong WANG, Takeshi IKENAGA, Yukiyasu TSUNOO, Satoshi GOTO
    Type: PAPER
    Subject area: Symmetric Cryptography
    2008 Volume E91.A Issue 1 Pages 12-21
    Published: January 01, 2008
    Released: March 01, 2010
    H.264/AVC is the newest video coding standard. It has many new features which can easily be used for video encryption. In this paper, we propose a new scheme for video encryption in the H.264/AVC video compression standard. We define Unequal Secure Encryption (USE) as an approach that applies different encryption schemes (with different security strength) to different parts of the compressed video data. This USE scheme includes two parts: video data classification and unequal secure video data encryption. Firstly, we classify the video data into two partitions: an important data partition and an unimportant data partition. The important data partition is small and receives high-security protection, while the unimportant data partition is large and receives low-security protection. Secondly, we use AES as a block cipher to encrypt the important data partition and LEX as a stream cipher to encrypt the unimportant data partition. AES is the most widely used symmetric cipher and ensures high security. LEX is a new stream cipher based on AES whose computational cost is much lower than that of AES. In this way, our scheme achieves both high security and low computational cost. Besides the USE scheme, we propose a low-cost design of a hybrid AES/LEX encryption module. Our experimental results show that the computational cost of the USE scheme is low (about 25% of naive encryption at Level 0 with VEA used). The hardware cost of the hybrid AES/LEX module is 4678 gates and the AES encryption throughput is about 50 Mbps.
  • Hidema TANAKA
    Type: PAPER
    Subject area: Symmetric Cryptography
    2008 Volume E91.A Issue 1 Pages 22-29
    Published: January 01, 2008
    Released: March 01, 2010
    We focus on the relationship between the linearization method and linear complexity and show that the linearization method is another effective technique for calculating linear complexity. We analyze its effectiveness by comparing it with the logic circuit method. We compare the relevant conditions and necessary computational cost with those of the Berlekamp-Massey algorithm and the Games-Chan algorithm. The significant property of the linearization method is that it needs no output sequence from the pseudo-random number generator (PRNG), because it calculates linear complexity from the algebraic expression of the PRNG's algorithm. When a PRNG has n [bit] stages (registers or internal states), the necessary computational cost is smaller than O(2^n). On the other hand, the Berlekamp-Massey algorithm needs O(N^2), where N (≅2^n) denotes the period. Since existing methods calculate using the output sequence, the initial value of the PRNG influences the resulting value of the linear complexity. Therefore, linear complexity is generally given as an estimated value. On the other hand, since the linearization method calculates from the algorithm of the PRNG, it can determine the lower bound of the linear complexity.
  • Tetsu IWATA, Tohru YAGI, Kaoru KUROSAWA
    Type: PAPER
    Subject area: Symmetric Cryptography
    2008 Volume E91.A Issue 1 Pages 30-38
    Published: January 01, 2008
    Released: March 01, 2010
    KASUMI is a blockcipher that forms the heart of the 3GPP confidentiality and integrity algorithms. In this paper, we study the security of the five-round KASUMI type permutations, and derive a highly non-trivial security bound against adversaries with adaptive chosen plaintext and chosen ciphertext attacks. To derive our security bound, we make heavy use of tools from graph theory. Although the result does not show its super-pseudorandomness, it gives us strong evidence that the design of KASUMI is sound.
  • Kazuhiro SUZUKI, Dongvu TONIEN, Kaoru KUROSAWA, Koji TOYOTA
    Type: PAPER
    Subject area: Hash Functions
    2008 Volume E91.A Issue 1 Pages 39-45
    Published: January 01, 2008
    Released: March 01, 2010
    In this paper, we study multi-collision probability. For a hash function H:D→R with |R|=n, it has been believed that we can find an s-collision by hashing Q=n^((s-1)/s) times. We first show that this probability is at most 1/s! for any s, which is very small for large s (for example, s=n^((s-1)/s)). Thus the above folklore is wrong for large s. We next show that if s is small, so that we can assume Q-s≈Q, then this probability is at least 1/s! - 1/(2(s!)^2), which is very high for small s (for example, when s is a constant). Thus the above folklore is true for small s. Moreover, we show that by hashing (s!)^(1/s)×Q+s-1 (≤n) times, an s-collision is found with probability approximately 0.5 for any n and s such that (s!/n)^(1/s)≈0. Note that if s=2, this coincides with the usual birthday paradox. Hence it is a generalization of the birthday paradox to multi-collisions.
  • Yusuke NAITO, Kazuo OHTA, Noboru KUNIHIRO
    Type: PAPER
    Subject area: Hash Functions
    2008 Volume E91.A Issue 1 Pages 46-54
    Published: January 01, 2008
    Released: March 01, 2010
    In this paper, we discuss the collision search for hash functions, mainly in terms of their advanced message modification. The advanced message modification is a collision search tool based on Wang et al.'s attacks. Two advanced message modifications have previously been proposed: cancel modification for MD4 and MD5, and propagation modification for SHA-0. In this paper, we propose a new concept of advanced message modification, submarine modification. As a concrete example combining the ideas underlying these modifications, we apply submarine modification to the collision search for SHA-0. As a result, we show that this can reduce the collision search attack complexity from 2^39 to 2^36 SHA-0 compression operations.
  • Yu SASAKI, Lei WANG, Noboru KUNIHIRO, Kazuo OHTA
    Type: PAPER
    Subject area: Hash Functions
    2008 Volume E91.A Issue 1 Pages 55-63
    Published: January 01, 2008
    Released: March 01, 2010
    In 2005, the collision resistance of several hash functions was broken by Wang et al. The strategy for determining message differences is the most important part of collision attacks against hash functions. So far, many researchers have tried to analyze Wang et al.'s method and proposed improved collision attacks. Although several studies proposed improved attacks, all improved results so far were based on the same message differences proposed by Wang et al. In this paper, we propose new message differences for collision attacks on MD4 and MD5. Our message differences for MD4 can generate a collision with complexity of less than two MD4 computations, which is faster than the original Wang et al. attack and, moreover, than all previous attacks. This is the first result that improves the complexity of a collision attack by using message differences different from Wang et al.'s. Regarding MD5, so far no message difference other than Wang et al.'s is known. Therefore, studying how to construct other message differences for MD5 should be of interest. Our message differences for MD5 generate a collision with complexity of 2^42 MD5 computations, which is slower than the latest best attack. However, since our attack needs only a 1-bit difference, it has some advantages in terms of the message freedom of the colliding messages.
  • Yasumasa HIRAI, Takashi KUROKAWA, Shin'ichiro MATSUO, Hidema TANAKA, A ...
    Type: PAPER
    Subject area: Hash Functions
    2008 Volume E91.A Issue 1 Pages 64-73
    Published: January 01, 2008
    Released: March 01, 2010
    Cryptographic hash functions have been widely studied and are used in many current systems. Though much research has been done on the security of hash functions, system designers cannot determine which hash function is most suitable for a particular system. The main reason for this is that the current security classification does not correspond very well to the security requirements of practical systems. This paper describes a new classification which is more suitable for designing real-life systems. This classification is the result of a new qualitative classification and a new quantitative classification. We show a mapping between each class and standard protocols. In addition, we show new requirements for four types of hash function for a future standard.
  • Shoichi HIROSE
    Type: PAPER
    Subject area: Hash Functions
    2008 Volume E91.A Issue 1 Pages 74-82
    Published: January 01, 2008
    Released: March 01, 2010
    In this article, we discuss the security of double-block-length (DBL) hash functions against the free-start collision attack. We focus on the DBL hash functions composed of compression functions of the form F(x)=(f(x),f(p(x))), where f is a smaller compression function and p is a permutation. We first show, in the random oracle model, that a significantly good upper bound can be obtained on the success probability of the free-start collision attack with sufficient conditions on p and the set of initial values. We also show that a similar upper bound can be obtained in the ideal cipher model if f is composed of a block cipher.
  • Eiichiro FUJISAKI, Koutarou SUZUKI
    Type: PAPER
    Subject area: Signatures
    2008 Volume E91.A Issue 1 Pages 83-93
    Published: January 01, 2008
    Released: March 01, 2010
    The ring signature allows a signer to leak secrets anonymously, without the risk of identity escrow. At the same time, the ring signature provides great flexibility: no group manager, no special setup, and dynamic choice of the group. The ring signature is, however, vulnerable to malicious or irresponsible signers in some applications, because of its anonymity. In this paper, we propose a traceable ring signature scheme. A traceable ring signature scheme is a ring signature scheme except that it can restrict “excessive” anonymity. The traceable ring signature has a tag that consists of a list of ring members and an issue that refers to, for instance, a social affair or an election. A ring member can make any signed but anonymous opinion regarding the issue, but only once (per tag). If the member submits another signed opinion, possibly pretending to be another person who supports the first opinion, the identity of the member is immediately revealed. If the member submits the same opinion, for instance, voting “yes” regarding the same issue twice, everyone can see that these two are linked. The traceable ring signature is suited to many applications, such as anonymous voting on a BBS. We formalize the security definitions for this primitive and show an efficient and simple construction in the random oracle model.
  • Isamu TERANISHI, Takuro OYAMA, Wakaha OGATA
    Type: PAPER
    Subject area: Signatures
    2008 Volume E91.A Issue 1 Pages 94-106
    Published: January 01, 2008
    Released: March 01, 2010
    We say that a signature scheme is strongly existentially unforgeable (SEU) if no adversary, given message/signature pairs adaptively, can generate a signature on a new message or a new signature on a previously signed message. We propose a general and efficient conversion in the standard model that transforms a secure signature scheme into an SEU signature scheme. In order to construct that conversion, we use a chameleon commitment scheme. Here a chameleon commitment scheme is a variant of a commitment scheme such that one can change the committed value after publishing the commitment if one knows the secret key. We define the chosen message security notion for the chameleon commitment scheme, and show that the signature scheme transformed by our proposed conversion satisfies the SEU property if the chameleon commitment scheme is chosen message secure. By modifying the proposed conversion, we also give a general and efficient conversion in the random oracle model that transforms a secure signature scheme into an SEU signature scheme. This second conversion also uses a chameleon commitment scheme but only requires key-only attack security for it.
  • Yuichi KOMANO, Kazuo OHTA, Atsushi SHIMBO, Shinichi KAWAMURA
    Type: PAPER
    Subject area: Signatures
    2008 Volume E91.A Issue 1 Pages 107-118
    Published: January 01, 2008
    Released: March 01, 2010
    We first define the formal security model of multisignature schemes, following that of group signature schemes. Second, we prove that the following three probabilistic multisignature schemes based on a trapdoor permutation have tight security: the PFDH (probabilistic full domain hash) based multisignature scheme (PFDH-MSS), the PSS (probabilistic signature scheme) based multisignature scheme (PSS-MSS), and the short signature PSS based multisignature scheme (S-PSS-MSS). Third, we give an optimal proof (general result) for multisignature schemes, which derives the lower bound for the length of the random salt. We also estimate the upper bound for the length in each scheme and derive the optimal length of a random salt. Two of the schemes are promising in terms of security tightness and optimal signature length. In the appendix, we describe a multisignature scheme using a claw-free permutation and discuss its security.
  • Dae Hyun YUM, Pil Joong LEE
    Type: PAPER
    Subject area: Protocols
    2008 Volume E91.A Issue 1 Pages 119-126
    Published: January 01, 2008
    Released: March 01, 2010
    A fair exchange scheme is a protocol by which two parties, Alice and Bob, exchange items or services without allowing either party to gain an advantage by quitting prematurely or otherwise misbehaving. To this end, modern cryptographic solutions use a semi-trusted arbitrator who is involved only in cases where one party attempts to cheat or simply crashes. We call such a fair exchange scheme optimistic. When no registration is required between the signer and the arbitrator, we say that the fair exchange scheme is setup free. To date, a setup-free optimistic fair exchange scheme under the standard RSA assumption was only possible from the generic construction of [12], which uses ring signatures. In this paper, we introduce a new setup-free optimistic fair exchange scheme under the standard RSA assumption. Our scheme uses the GQ identity-based signature and is more efficient than [12]. The construction can also be generalized by using various identity-based signature schemes. Our main technique is to allow each user to choose his (or her) own “random” public key in the identity-based signature scheme.
  • Jun KURIHARA, Shinsaku KIYOMOTO, Kazuhide FUKUSHIMA, Toshiaki TANAKA
    Type: PAPER
    Subject area: Protocols
    2008 Volume E91.A Issue 1 Pages 127-138
    Published: January 01, 2008
    Released: March 01, 2010
    In Shamir's (k, n)-threshold secret sharing scheme [1], a heavy computational cost is required to make n shares and recover the secret from k shares. As a solution to this problem, several fast threshold schemes have been proposed. However, there is no fast ideal (k, n)-threshold scheme where k≥3 and n is arbitrary. This paper proposes a new fast (3, n)-threshold scheme that uses only EXCLUSIVE-OR (XOR) operations to make shares and recover the secret, and which is an ideal secret sharing scheme similar to Shamir's scheme. Furthermore, we evaluate the efficiency of the scheme, and show that it is more efficient than Shamir's in terms of computational cost. Moreover, we suggest that a fast (k, n)-threshold scheme can be constructed in a similar way by increasing the sets of random numbers from which the pieces of the shares are built.
  • SeongHan SHIN, Kazukuni KOBARA, Hideki IMAI
    Type: PAPER
    Subject area: Protocols
    2008 Volume E91.A Issue 1 Pages 139-149
    Published: January 01, 2008
    Released: March 01, 2010
    In this paper, we propose a leakage-resilient and proactive authenticated key exchange (called LRP-AKE) protocol for credential services which provides not only a higher level of security against leakage of stored secrets but also secrecy of the private key with respect to the involved server. We show that the LRP-AKE protocol is provably secure in the random oracle model with a reduction to the computational Diffie-Hellman problem. In addition, we discuss some possible applications of the LRP-AKE protocol.
  • Koji CHIDA, Go YAMAMOTO
    Type: PAPER
    Subject area: Protocols
    2008 Volume E91.A Issue 1 Pages 150-159
    Published: January 01, 2008
    Released: March 01, 2010
    This paper presents batch processing protocols for efficiently proving a great deal of partial knowledge. These protocols reduce the computation and communication costs for a MIX-net and secure circuit evaluation. The efficiency levels of the proposed protocols are estimated based on the implementation results of a secure circuit evaluation with batch processing.
  • Sung-Shiou SHEN, Jung-Hui CHIU
    Type: PAPER
    Subject area: Side Channel Attacks
    2008 Volume E91.A Issue 1 Pages 160-167
    Published: January 01, 2008
    Released: March 01, 2010
    Advances in smart card technology encourage smart card use in more sensitive applications, such as storing important information and securing applications. Smart cards are, however, vulnerable to side channel attacks. The power consumption and electromagnetic radiation of the smart card can leak information about the secret data protected by the smart card. Our paper describes two possible hardware countermeasures that protect against side channel information leakage. We show that power analysis can be prevented by adopting photo-coupling techniques. This method involves the use of LEDs with photovoltaic cells and photo-couplers on the power, reset, I/O and clock lines of the smart card. This method reduces the risk of internal data bus leakage onto the external data lines. Moreover, we also discuss the effectiveness of reducing electromagnetic radiation by using embedded metal plates.
  • Katsuyuki OKEYA
    Type: PAPER
    Subject area: Side Channel Attacks
    2008 Volume E91.A Issue 1 Pages 168-175
    Published: January 01, 2008
    Released: March 01, 2010
    HMAC is one of the most famous keyed hash functions, and is widely utilized. In order to design secure hash functions, we often use the PGV construction, consisting of 64 schemes, each of which utilizes a block cipher. If the underlying block cipher is ideal, 12 schemes are proven to be secure. In this paper, we evaluate the security of these schemes in view of side channel attacks. As it turns out, HMACs based on 11 out of the 12 secure PGV schemes are vulnerable to side channel attacks, even if the underlying block cipher is secure against side channel attacks. These schemes are classified into two groups based on their vulnerabilities. For the first group, which contains 8 schemes, we show that the attacker can reveal the whole key of HMAC, and selectively forge in consequence. For the other group, which contains 3 schemes, we specify the importance of the execution sequence of the inner operations of the scheme, and refine it. If a wrong order of operations is used, the attacker can reveal a portion of the key of HMAC. Hence, the use of HMACs based on such PGV schemes as they are is not recommended when resistance against side channel attacks is necessary.
  • Minoru SAEKI, Daisuke SUZUKI
    Type: PAPER
    Subject area: Side Channel Attacks
    2008 Volume E91.A Issue 1 Pages 176-183
    Published: January 01, 2008
    Released: March 01, 2010
    In recent years, some countermeasures have been proposed against differential power analysis (DPA) at the basic composition element level of logic circuits. We propose a countermeasure named random switching logic (RSL). RSL involves computation with data masking using a single logic gate and suppression of transient transitions using ENABLE signals generated independently of the input data. Recently, some countermeasures that were proposed against DPA, such as MRSL and DRSL, adopted the concept of RSL. Although MRSL is based on RSL, it uses a different method to suppress the transient transitions. DRSL uses RSL to avoid the possibility of leakage caused by a difference in delays occurring in MDPL, which combines dual-rail circuits with random masking. The important difference between these countermeasures and RSL is that they can vary the output transition timing depending on the input data patterns. In this paper, we focus on this feature to evaluate the DPA resistance of MRSL and DRSL. Experiments on DPA resistance are also conducted using an FPGA to verify the evaluation results. It is confirmed that in both MRSL and DRSL there is a possibility of leakage if a sufficient difference in delays exists in the input signals.
  • Daisuke SUZUKI, Minoru SAEKI
    Type: PAPER
    Subject area: Side Channel Attacks
    2008 Volume E91.A Issue 1 Pages 184-192
    Published: January 01, 2008
    Released: March 01, 2010
    In recent years, certain countermeasures against differential power analysis (DPA) at the logic level have been proposed. Recently, Popp and Mangard proposed a new countermeasure, masked dual-rail pre-charge logic (MDPL); this countermeasure combines dual-rail circuits with random masking to improve on wave dynamic differential logic (WDDL). They claimed that it could implement secure circuits using a standard CMOS cell library without special constraints on the place-and-route method, because the difference between the loading capacitances of all the pairs of complementary logic gates in MDPL can be compensated for by the random masking. In this paper, we particularly focus on the signal transitions of MDPL gates and evaluate the DPA resistance of MDPL in detail. Our evaluation results reveal that when the input signals have different delay times, leakage occurs in MDPL as well as WDDL gates, even though MDPL is effective in reducing the leakage caused by the difference in loading capacitances. Furthermore, in order to validate our evaluation, we demonstrate the problem of different input signal delays by conducting measurements on an FPGA.
  • Naofumi HOMMA, Sei NAGASHIMA, Takeshi SUGAWARA, Takafumi AOKI, Akashi ...
    Type: PAPER
    Subject area: Side Channel Attacks
    2008 Volume E91.A Issue 1 Pages 193-202
    Published: January 01, 2008
    Released: March 01, 2010
    This paper presents an enhanced side-channel attack using a phase-based waveform matching technique. Conventionally, side-channel attacks such as Simple Power Analysis (SPA) and Differential Power Analysis (DPA) capture signal waveforms (e.g., power traces) with a trigger signal or a system clock, and use a statistical analysis of the waveforms to reduce noise and to retrieve secret information. However, the waveform data often includes displacement errors, and this degrades the accuracy of the statistical analysis. The use of a Phase-Only Correlation (POC) technique makes it possible to estimate the displacements between the signal waveforms with higher resolution than the sampling resolution. The accuracy of side-channel attacks can be enhanced using the POC-based matching method. Also, a popular DPA countermeasure of creating distorted waveforms with random delays can be defeated by our method. In this paper, we demonstrate the advantages of the proposed method in comparison with conventional approaches through experimental DPA and Differential ElectroMagnetic Analysis (DEMA) against DES software and hardware implementations.
  • Masayuki YOSHINO, Katsuyuki OKEYA, Camille VUILLAUME
    Type: PAPER
    Subject area: Implementation
    2008 Volume E91.A Issue 1 Pages 203-210
    Published: January 01, 2008
    Released: March 01, 2010
    We present a novel approach for computing 2n-bit Montgomery multiplications with n-bit hardware Montgomery multipliers. Smartcards are usually equipped with such hardware Montgomery multipliers; however, due to progress in factoring algorithms, the recommended bit length of public-key schemes such as RSA is steadily increasing, making the hardware quickly obsolete. Thanks to our double-size technique, one can re-use the existing hardware while keeping pace with the latest security requirements. Unlike other double-size techniques, which rely on classical n-bit modular multipliers, our idea is tailored to take advantage of n-bit Montgomery multipliers. Thus, our technique increases the longevity of existing products without compromises in terms of security.
  • Shuichi ICHIKAWA, Takashi SAWADA, Hisashi HATA
    Type: PAPER
    Subject area: Implementation
    2008 Volume E91.A Issue 1 Pages 211-220
    Published: January 01, 2008
    Released: March 01, 2010
    By diversifying processor architecture, computer software is expected to be more resistant to plagiarism, analysis, and attacks. This study presents a new method to diversify instruction set architecture (ISA) by utilizing the redundancy in the instruction set. Our method is particularly suited for embedded systems implemented with FPGA technology, and realizes a genuine instruction set randomization, which has not been provided by the preceding studies. The evaluation results on four typical ISAs indicate that our scheme can provide a far larger degree of freedom than the preceding studies. Diversified processors based on MIPS architecture were actually implemented and evaluated with Xilinx Spartan-3 FPGA. The increase of logic scale was modest: 5.1% in Specialized design and 3.6% in RAM-mapped design. The performance overhead was also modest: 3.4% in Specialized design and 11.6% in RAM-mapped design. From these results, our scheme is regarded as a practical and promising way to secure FPGA-based embedded systems.
  • Masaaki SHIRASE, Tsuyoshi TAKAGI, Eiji OKAMOTO
    Type: PAPER
    Subject area: Implementation
    2008 Volume E91.A Issue 1 Pages 221-228
    Published: January 01, 2008
    Released: March 01, 2010
    Recently the Tate pairing and its variations have attracted attention in cryptography. Their operations consist of a main iteration loop and a final exponentiation. The final exponentiation is necessary for generating a unique value of the bilinear pairing in the extension field. The speed of the main loop has been improved by recent work, e.g., the Duursma-Lee algorithm and the ηT pairing. In this paper we discuss how to enhance the speed of the final exponentiation of the ηT pairing in the extension field F_{3^{6n}}. Indeed, we propose some efficient algorithms using the torus T_2(F_{3^{3n}}) that can efficiently compute an inversion and a powering by 3^n+1. Consequently, the total processing cost of computing the ηT pairing can be reduced by 16% for n=97.
  • Mohammad Mesbah UDDIN, Yasunobu NOHARA, Daisuke IKEDA, Hiroto YASUURA
    Type: PAPER
    Subject area: Implementation
    2008 Volume E91.A Issue 1 Pages 229-235
    Published: January 01, 2008
    Released: March 01, 2010
    A multi-application smart card system consists of an issuer, service vendors and cardholders, where cardholders are recipients of smart cards (from the issuer) to be used in connection with applications offered by service vendors. Authentic post-issuance program modification is necessary for a multi-application smart card system because applications in the system are realized after the issuance of a smart card. In this paper, we propose a system where only authentic modification is possible. In the proposed system, the smart card issuer stores a unique long bitstring called the PID in a smart card. The smart card is then given to the cardholder. A unique substring of the PID (subPID) is shared between the cardholder and a corresponding service vendor. Another subPID is shared between the issuer and the cardholder. During program modification, a protocol using the subPIDs, a one-way hash function and a pseudorandom number generator function verifies the identity of the parties and the authenticity of the program.
  • Soonhak KWON, Taekyoung KWON, Young-Ho PARK
    Type: PAPER
    Subject area: Implementation
    2008 Volume E91.A Issue 1 Pages 236-243
    Published: January 01, 2008
    Released: March 01, 2010
    We propose a new linear array for multiplication in GF(2^m) which outperforms most of the existing linear multipliers in terms of area and time complexity. Moreover, we give a very detailed comparison of our array with other existing architectures for the five binary fields GF(2^m), m=163, 233, 283, 409, 571, recommended by NIST for elliptic curve cryptography.
  • Isamu TERANISHI, Wakaha OGATA
    Type: PAPER
    Subject area: Security Notions
    2008 Volume E91.A Issue 1 Pages 244-261
    Published: January 01, 2008
    Released: March 01, 2010
    Recently, Bellare and Palacio defined plaintext awareness (PA-ness) in the standard model. In this paper, we study the relationship between standard model PA-ness and the message hiding property, that is, IND-CPA. Although these two notions seem to be independent at first glance, we show that PA-ness in the standard model implies IND-CPA security if the encryption function is one-way. Using this result, we also show that “PA+Oneway⇒IND-CCA2.” We also show that the computational PA-ness notion is strictly stronger than the statistical one.
  • Ryo NISHIMAKI, Yoshifumi MANABE, Tatsuaki OKAMOTO
    Type: PAPER
    Subject area: Security Notions
    2008 Volume E91.A Issue 1 Pages 262-271
    Published: January 01, 2008
    Released: March 01, 2010
    JOURNALS RESTRICTED ACCESS
    Identity-based encryption (IBE) is one of the most important primitives in cryptography, and various security notions of IBE (e.g., IND-ID-CCA2, NM-ID-CCA2, IND-sID-CPA etc.) have been introduced. The relations among them have been clarified recently. This paper, for the first time, investigates the security of IBE in the universally composable (UC) framework. This paper first defines the UC-security of IBE, i.e., we define the ideal functionality of IBE, $F_{\mathrm{IBE}}$. We then show that UC-secure IBE is equivalent to conventionally-secure (IND-ID-CCA2-secure) IBE.
  • Miyako OHKUBO, Masayuki ABE
    Type: PAPER
    Subject area: Security Notions
    2008 Volume E91.A Issue 1 Pages 272-282
    Published: January 01, 2008
    Released: March 01, 2010
    JOURNALS RESTRICTED ACCESS
    This paper studies the relations among several definitions of anonymity for ring signature schemes in the same attack environment. It is shown that one intuitive and two technical definitions we consider are asymptotically equivalent, and the indistinguishability-based technical definition is the strongest, i.e., the most secure when achieved, when the exact reduction cost is taken into account. We then extend our result to the threshold case where a subset of members cooperate to create a signature. The threshold setting makes the notion of anonymity more complex and yields a greater variety of definitions. We explore several notions and observe that a certain relation does not seem to hold, unlike in the simple single-signer case. Nevertheless, we see that an indistinguishability-based definition is the most favorable in the threshold case. We also study the notion of linkability and present a simple scheme that achieves both anonymity and linkability.
  • Waka NAGAO, Yoshifumi MANABE, Tatsuaki OKAMOTO
    Type: PAPER
    Subject area: Security Notions
    2008 Volume E91.A Issue 1 Pages 283-297
    Published: January 01, 2008
    Released: March 01, 2010
    JOURNALS RESTRICTED ACCESS
    KEM (Key Encapsulation Mechanism) and DEM (Data Encapsulation Mechanism) were introduced by Shoup to formalize the asymmetric encryption specified for key distribution and the symmetric encryption specified for data exchange in ISO standards on public-key encryption. Shoup defined the “semantic security (IND) against adaptive chosen ciphertext attacks (CCA2)” as a desirable security notion of KEM and DEM, that is, IND-CCA2 KEM and IND-CCA2 DEM. This paper defines “non-malleability (NM)” for KEM, which is a stronger security notion than IND. We provide three definitions of NM for KEM, and show that these three definitions are equivalent. We then show that NM-CCA2 KEM is equivalent to IND-CCA2 KEM. That is, we show that NM is equivalent to IND for KEM under CCA2 attacks, although NM is stronger than IND in the definition (or under some attacks like CCA1). In addition, this paper defines the universally composable (UC) security of KEM and DEM, and shows that IND-CCA2 KEM (or NM-CCA2 KEM) is equivalent to UC KEM and that “IND against adaptive chosen plaintext/ciphertext attacks (IND-P2-C2)” DEM is equivalent to UC DEM.
  • Koichi ITO, Akira NIKAIDO, Takafumi AOKI, Eiko KOSUGE, Ryota KAWAMATA, ...
    Type: PAPER
    Subject area: Biometrics
    2008 Volume E91.A Issue 1 Pages 298-305
    Published: January 01, 2008
    Released: March 01, 2010
    JOURNALS RESTRICTED ACCESS
    In mass disasters such as earthquakes, fire disasters, tsunami, and terrorism, dental records have been used for identifying victims due to their processing time and accuracy. The greater the number of victims, the more time the identification tasks require, since a manual comparison between the dental radiograph records is done by forensic experts. Addressing this problem, this paper presents an efficient dental radiograph recognition system using Phase-Only Correlation (POC) for human identification. The use of phase components in 2D (two-dimensional) discrete Fourier transforms of dental radiograph images makes it possible to achieve highly robust image registration and recognition. Experimental evaluation using a set of dental radiographs indicates that the proposed system exhibits efficient recognition performance for low-quality images.
  • Bagus SANTOSO, Noboru KUNIHIRO, Naoki KANAYAMA, Kazuo OHTA
    Type: PAPER
    Subject area: Cryptanalysis
    2008 Volume E91.A Issue 1 Pages 306-315
    Published: January 01, 2008
    Released: March 01, 2010
    JOURNALS RESTRICTED ACCESS
    In this paper we propose an algorithm of factoring any integer $N$ which has $k$ different prime factors with the same bit-length, when about $\left(\frac{1}{k+2} + \frac{\varepsilon}{k-1}\right)\log_2 N$ high-order bits of each prime factor are given. For a fixed $\varepsilon$, the running time of our algorithm is heuristic polynomial in $\log_2 N$. Our factoring algorithm is based on a lattice-based algorithm of solving any $k$-variate polynomial equation over $\mathbb{Z}$, which might be of independent interest.
  • Kazuhide FUKUSHIMA, Shinsaku KIYOMOTO, Toshiaki TANAKA, Kouichi SAKURA ...
    Type: PAPER
    Subject area: Cryptanalysis
    2008 Volume E91.A Issue 1 Pages 316-329
    Published: January 01, 2008
    Released: March 01, 2010
    JOURNALS RESTRICTED ACCESS
    Program analysis techniques have improved steadily over the past several decades, and software obfuscation schemes have come to be used in many commercial programs. A software obfuscation scheme transforms an original program or a binary file into an obfuscated program that is more complicated and difficult to analyze, while preserving its functionality. However, the security of obfuscation schemes has not been properly evaluated. In this paper, we analyze obfuscation schemes in order to clarify the advantages of our scheme, the XOR-encoding scheme. First, we more clearly define five types of attack models that we defined previously, and define quantitative resistance to these attacks. Then, we compare the security, functionality and efficiency of three obfuscation schemes with encoding variables: (1) Sato et al.'s scheme with linear transformation, (2) our previous scheme with affine transformation, and (3) the XOR-encoding scheme. We show that the XOR-encoding scheme is superior with regard to the following two points: (1) the XOR-encoding scheme is more secure against a data-dependency attack and a brute force attack than our previous scheme, and is as secure against an information-collecting attack and an inverse transformation attack as our previous scheme, (2) the XOR-encoding scheme does not restrict the calculable ranges of programs and the loss of efficiency is less than in our previous scheme.
  • Shingo HASEGAWA, Hiroyuki HATANAKA, Shuji ISOBE, Eisuke KOIZUMI, Hirok ...
    Type: PAPER
    Subject area: Cryptanalysis
    2008 Volume E91.A Issue 1 Pages 330-337
    Published: January 01, 2008
    Released: March 01, 2010
    JOURNALS RESTRICTED ACCESS
    This paper studies a method for transforming ordinary cryptographic primitives into new, harder primitives. Such a method is expected to lead to general schemes that make present cryptosystems secure against attacks by quantum computers. We propose a general technique to construct a new function from an ordinary primitive function f with the help of another hard function g, so that the resulting function is a new hard primitive. We call this technique a lifting of f by g. We show that the lifted function is harder than the original functions under some simple conditions.
  • Bo Gyeong KANG, Je Hong PARK
    Type: LETTER
    2008 Volume E91.A Issue 1 Pages 338-341
    Published: January 01, 2008
    Released: March 01, 2010
    JOURNALS RESTRICTED ACCESS
    In this letter, we provide a simple proof of bilinearity for the eta pairing. Based on it, we show an efficient method to compute the powered Tate pairing as well. Although the efficiency of our method is equivalent to that of the Tate pairing on the eta pairing approach, ours is more general in principle.
  • Shingo HASEGAWA, Shuji ISOBE, Hiroki SHIZUYA
    Type: LETTER
    2008 Volume E91.A Issue 1 Pages 342-344
    Published: January 01, 2008
    Released: March 01, 2010
    JOURNALS RESTRICTED ACCESS
    We define two functions $f_{\mathrm{DL}}$ and $f_{\mathrm{IF}}$ in NPMV, the class of all partial, multivalued functions computed nondeterministically in polynomial time. We prove that they are complete for NPMV, and show that (a) computing discrete logarithms modulo a prime reduces to $f_{\mathrm{DL}}$, and (b) computing integer factorization reduces to $f_{\mathrm{IF}}$. These are the first complete functions that have explicit reductions from significant cryptographic primitives.
Regular Section
  • Ki Hoon SHIN, Youngjin PARK
    Type: PAPER
    Subject area: Engineering Acoustics
    2008 Volume E91.A Issue 1 Pages 345-356
    Published: January 01, 2008
    Released: March 01, 2010
    JOURNALS RESTRICTED ACCESS
    The human ability to perceive the elevation of a sound and to distinguish whether a sound is coming from the front or rear strongly depends on the monaural spectral features of the pinnae. In order to realize an effective virtual auditory display by HRTF (head-related transfer function) customization, the pinna responses were isolated from the median HRIRs (head-related impulse responses) of 45 individual HRIRs in the CIPIC HRTF database and modeled as linear combinations of 4 or 5 basic temporal shapes (basis functions) for each elevation on the median plane by PCA (principal components analysis) in the time domain. By tuning the weight of each basis function computed for a specific height to replace the pinna response in the KEMAR HRIR at the same height with the resulting customized pinna response, and listening to the filtered stimuli over headphones, 4 individuals with normal hearing sensitivity were able to create a set of HRIRs that outperformed the KEMAR HRIRs in producing vertical effects with reduced front/back ambiguity in the median plane. Since the monaural spectral features of the pinnae are almost independent of azimuthal variation of the source direction, similar vertical effects could also be generated at different azimuthal directions simply by varying the ITD (interaural time difference) according to the direction as well as the size of each individual's own head.
  • Chen-Chien HSU, Tsung-Chi LU, Heng-Chou CHEN
    Type: PAPER
    Subject area: Systems and Control
    2008 Volume E91.A Issue 1 Pages 357-364
    Published: January 01, 2008
    Released: March 01, 2010
    JOURNALS RESTRICTED ACCESS
    In this paper, an evolutionary approach is proposed to obtain a discrete-time state-space interval model for uncertain continuous-time systems having interval uncertainties. Based on a worst-case analysis, the problem to derive the discrete interval model is first formulated as multiple mono-objective optimization problems for matrix-value functions associated with the discrete system matrices, and subsequently optimized via a proposed genetic algorithm (GA) to obtain the lower and upper bounds of the entries in the system matrices. To show the effectiveness of the proposed approach, roots clustering of the characteristic equation of the obtained discrete interval model is illustrated for comparison with those obtained via existing methods.
  • Chia-Chun TSAI, Jan-Ou WU, Trong-Yen LEE
    Type: PAPER
    Subject area: VLSI Design Technology and CAD
    2008 Volume E91.A Issue 1 Pages 365-374
    Published: January 01, 2008
    Released: March 01, 2010
    JOURNALS RESTRICTED ACCESS
    This study has demonstrated that the clock tree construction in an SoC should be expanded to consider the intrinsic delay and skew of each IP's clock sink. A novel algorithm, called GDME, is proposed to combine grey relational clustering and the DME approach for solving the problem of clock tree construction. Grey relational analysis can cluster the best pair of clock sinks and guide a tapping point search for a DME algorithm for constructing a clock tree with zero skew and minimal delay. Experimentally, the proposed algorithm always obtains an RC- or RLC-based clock tree with zero skew and minimal delay for all the test cases and benchmarks. Experimental results demonstrate that the GDME improves up to 3.74% for total average in terms of total wire length compared with other DME algorithms. Furthermore, our results for the zero-skew RLC-based clock trees compared with Hspice are 0.017% and 0.2% lower for absolute average in terms of skew and delay, respectively.
  • Shih-Hsu HUANG, Chun-Hua CHENG
    Type: PAPER
    Subject area: VLSI Design Technology and CAD
    2008 Volume E91.A Issue 1 Pages 375-382
    Published: January 01, 2008
    Released: March 01, 2010
    JOURNALS RESTRICTED ACCESS
    At the behavioral level, large power savings are possible by shutting down unused operations, which is commonly referred to as power management. However, operation scheduling has a significant impact on the potential for power saving via power management. In this paper, we present an integer linear programming (ILP) model to formally formulate the simultaneous application of operation scheduling and power management in high level synthesis. Our objective is to maximize the power saving under both the timing constraints and the resource constraints. Note that our approach guarantees solving the problem optimally. Compared with previous work, experimental data consistently show that our approach has significant relative improvement in the power savings.
  • Hirotoshi HONMA, Shigeru MASUYAMA
    Type: PAPER
    Subject area: Algorithms and Data Structures
    2008 Volume E91.A Issue 1 Pages 383-391
    Published: January 01, 2008
    Released: March 01, 2010
    JOURNALS RESTRICTED ACCESS
    Let $G = (V, E)$ be an undirected simple graph with $u \in V$. If there exist any two vertices in $G$ whose distance becomes longer when a vertex $u$ is removed, then $u$ is defined as a hinge vertex. Finding the set of hinge vertices in a graph is useful for identifying critical nodes in an actual network. A number of studies concerning hinge vertices have been made in recent years. In a number of graph problems, it is known that more efficient sequential or parallel algorithms can be developed by restricting classes of graphs. In this paper, we shall propose a parallel algorithm which runs in $O(\log n)$ time with $O(n / \log n)$ processors on EREW PRAM for finding all hinge vertices of a circular-arc graph.
  • Kunihiko MIYAZAKI, Goichiro HANAOKA, Hideki IMAI
    Type: PAPER
    Subject area: Cryptography and Information Security
    2008 Volume E91.A Issue 1 Pages 392-402
    Published: January 01, 2008
    Released: March 01, 2010
    JOURNALS RESTRICTED ACCESS
    A digital signature does not allow any alteration of the document to which it is attached. Appropriate alteration of some signed documents, however, should be allowed because there are security requirements other than the integrity of the document. In the disclosure of official information, for example, sensitive information such as personal information or national secrets is masked when an official document is sanitized so that its nonsensitive information can be disclosed when it is requested by a citizen. If this disclosure is done digitally by using the current digital signature schemes, the citizen cannot verify the disclosed information because it has been altered to prevent the leakage of sensitive information. The confidentiality of official information is thus incompatible with the integrity of that information, and this is called the digital document sanitizing problem. Conventional solutions such as content extraction signatures and digitally signed document sanitizing schemes with disclosure condition control can either let the sanitizer assign disclosure conditions or hide the number of sanitized portions. The digitally signed document sanitizing scheme we propose here is based on the aggregate signature derived from bilinear maps and can do both. Moreover, the proposed scheme can sanitize a signed document invisibly, that is, no one can distinguish whether the signed document has been sanitized or not.
  • Masaya OHTA, Hideyuki YAMADA, Katsumi YAMASHITA
    Type: PAPER
    Subject area: Spread Spectrum Technologies and Applications
    2008 Volume E91.A Issue 1 Pages 403-408
    Published: January 01, 2008
    Released: March 01, 2010
    JOURNALS RESTRICTED ACCESS
    This paper proposes a novel orthogonal frequency-division multiplexing (OFDM) system based on polynomial cancellation coded OFDM (PCC-OFDM). The proposed system can reduce the peak-to-average power ratio (PAPR) by our neural phase rotator, and it does not need any side information to transmit phase rotation factors. Moreover, this system can compensate the common phase error (CPE) by a proposed technique which allows estimating the frequency offset at the receiver. Numerical experiments show that our system can reduce PAPR and ICI at the same time and improve BER performance effectively.
  • Ching-Yuan YANG, Ken-Hao CHANG
    Type: LETTER
    Subject area: VLSI Design Technology and CAD
    2008 Volume E91.A Issue 1 Pages 409-412
    Published: January 01, 2008
    Released: March 01, 2010
    JOURNALS RESTRICTED ACCESS
    An injection-locked clock recovery circuit (CRC) with quadrature outputs based on a multiplexed oscillator is presented. The CRC can operate at a half-rate speed to provide an adequate locking range with reasonable jitter and power consumption because both clock edges sample the data waveforms. Implemented in a 0.18-μm CMOS technology, experimental results demonstrate that it can achieve a phase noise of the recovered clock of about -121.55dBc/Hz at 100-kHz offset and -129.58dBc/Hz at 1-MHz offset with a ±25MHz lock range, while operating at an input data rate of 1.55Gb/s.
  • Taesoon PARK, Kwangho KIM
    Type: LETTER
    Subject area: Reliability, Maintainability and Safety Analysis
    2008 Volume E91.A Issue 1 Pages 413-416
    Published: January 01, 2008
    Released: March 01, 2010
    JOURNALS RESTRICTED ACCESS
    Fault-tolerance is an important design issue in building a reliable mobile computing system. This paper considers checkpointing recovery services for a mobile computing system based on the ad-hoc network environment. Since potential problems of this new environment are insufficient power and limited storage capacity, the proposed scheme tries to reduce disk access frequency for saving recovery information, and also the amount of information saved for recovery. A brief simulation study has been performed and the results show that the proposed scheme takes advantage of the existing checkpointing recovery schemes.
  • Wenfeng JIANG, Lei HU, Xiangyong ZENG
    Type: LETTER
    Subject area: Coding Theory
    2008 Volume E91.A Issue 1 Pages 417-421
    Published: January 01, 2008
    Released: March 01, 2010
    JOURNALS RESTRICTED ACCESS
    In this paper, a new family of binary sequences of period $2^n - 1$ with low correlation is proposed for integer $n = em$ and even $m$. The new family has family size $2^n + 1$ and maximum nontrivial correlation $2^{(n+e)/2} + 1$ and $2^{(n+e-1)/2} + 1$ for even and odd $e$ respectively. Especially, for $n = 2m$ and $3m$, we obtain a new family of binary sequences with maximum nontrivial correlation $2^{n/2+1} + 1$, and the obtained family is one of the binary families with best correlation among the known families with family size no less than their period $2^n - 1$ for even $n$. Moreover, the correlation distribution of the new family is also determined.
  • Suckchel YANG, Yoan SHIN
    Type: LETTER
    Subject area: Communication Theory and Signals
    2008 Volume E91.A Issue 1 Pages 422-425
    Published: January 01, 2008
    Released: March 01, 2010
    JOURNALS RESTRICTED ACCESS
    We propose an adaptive SLM scheme based on peak observation for PAPR reduction of OFDM signals. The proposed scheme is composed of three steps: peak scaling, sequence selection, and SLM procedures. In the first step, the peak signal samples in the IFFT outputs of the original input sequence are scaled down. In the second step, the sub-carrier positions where the power difference between the original input sequence and the FFT output of the scaled signal is large are identified. Then, the phase sequences having the maximum number of phase-reversed sequence words only for these positions are selected. Finally, the generic SLM procedure is performed by using only the selected phase sequences for the original input sequence. Simulation results show that the proposed scheme significantly reduces the complexity in terms of IFFT and PAPR calculation compared with the conventional SLM, while maintaining the PAPR reduction performance.
  • Kyung Seung AHN
    Type: LETTER
    Subject area: Communication Theory and Signals
    2008 Volume E91.A Issue 1 Pages 426-429
    Published: January 01, 2008
    Released: March 01, 2010
    JOURNALS RESTRICTED ACCESS
    In this letter, we analyze symbol error probability (SEP) and diversity gain of orthogonal space-time block codes (OSTBCs) in spatially correlated Rician fading channel. We derive the moment generating function (MGF) of an effective signal-to-noise ratio (SNR) at the receiver and use it to derive the SEP for M-PSK modulation. We use this result to show that the diversity gain is achieved by the product of the rank of the transmit and receive correlation matrix, and the loss in array gain is quantified as a function of the spatial correlation and the line of sight (LOS) component.
  • Suckchel YANG, Dongwoo KANG, Young NAMGOONG, Yoan SHIN
    Type: LETTER
    Subject area: Spread Spectrum Technologies and Applications
    2008 Volume E91.A Issue 1 Pages 430-432
    Published: January 01, 2008
    Released: March 01, 2010
    JOURNALS RESTRICTED ACCESS
    We propose a simple asynchronous UWB (Ultra Wide Band) position location algorithm with low complexity, power consumption and processing delay. In the proposed algorithm, only a single RTTX (Round-Trip Transmission) of UWB pulses is utilized based on the ToA (Time of Arrival) principle. Hence, the proposed algorithm decreases power consumption and processing delay as compared to the basic ToA based on triple RTTXs. Moreover, unlike the TDoA (Time Difference of Arrival) algorithm, the proposed algorithm can perform the position location with low complexity since it does not require strict synchronization between multiple beacons. Simulation results using IEEE 802.15.4a UWB channel models reveal that the proposed algorithm achieves position location performance closely comparable to that of the basic ToA and TDoA algorithms.