IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
Online ISSN : 1745-1337
Print ISSN : 0916-8508
Volume E94.A , Issue 1
Showing 1-50 articles out of 57 articles from the selected issue
Special Section on Cryptography and Information Security
• Toru FUJIWARA
2011 Volume E94.A Issue 1 Pages 1-2
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
• Bonwook KOO, Yongjin YEOM, Junghwan SONG
Type: PAPER
Subject area: Symmetric Cryptography
2011 Volume E94.A Issue 1 Pages 3-9
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
Square is an 8-round SPN structure block cipher and its round function and key schedule have been slightly modified to design building blocks of Rijndael. Key schedule of Square is simple and efficient but fully affine, so we apply a related-key attack on it. We find a 3-round related-key differential trail with probability 2-28, which has zero differences both on its input and output states, which is called local collision in [6]. By extending of this related-key differential, we construct a successful attack on full rounds of Square. In this paper, we present a key recovery attack on full rounds of Square using a related-key boomerang distinguisher. We construct a 7-round related-key boomerang distinguisher with probability 2-119 by finding local collision, and calculate its probability using ladder switch and multiple path estimation techniques. As a result, one round on top of the distinguisher is added to construct an attack on full rounds of Square which recovers 16-bit key information with 2123 encryptions and 2121 data.
• Ryoichi TERAMURA, Toshihiro OHIGASHI, Hidenori KUWAKADO, Masakatu MORI ...
Type: PAPER
Subject area: Symmetric Cryptography
2011 Volume E94.A Issue 1 Pages 10-18
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
Conventional class of weak keys on RC4 stream cipher is defined as a specific case that combinations of the first three bytes of secret key satisfy two relational equations. This paper expands and generalizes the classes of weak keys using generalized relational equations and special classes of the internal state (called predictive state). We derive the probability that generalized classes of weak keys leak the information of bytes of the secret key. Furthermore, we enumerate the generalized classes of weak keys and show that most of them leak more information of the secret key than Roos' one.
• Naoyuki SHINOHARA, Tetsuya IZU, Noboru KUNIHIRO
Type: PAPER
Subject area: Public Key Cryptography
2011 Volume E94.A Issue 1 Pages 19-27
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
CRT-RSA is a variant of RSA, which uses integers dp = d mod(p - 1) and dq = d mod(q - 1) (CRT-exponents), where d,p,q are the secret keys of RSA. May proposed a method to obtain the secret key in polynomial time if a CRT-exponent is small, moreover Bleichenbacher and May improved this method. On the other hand, Takagi's RSA is a variant of CRT-RSA, whose public key N is of the form prq for a given positive integer r. In this paper, we extend the May's method and the Bleichenbacher-May's method to Takagi's RSA, and we show that we obtain p in polynomial time if $p < N^{3/(4 + 2 \\sqrt{r(r+3)})}$ by the extended May's method, and if $p < N^{6/(5r + \\sqrt{13r^2 + 48r})}$ by the extended Bleichenbacher-May's method, when dq is arbitrary small. If r=1, these upper bounds conform to May's and Bleichenbacher-May's results respectively. Moreover, we also show that the upper bound of pr increase with an increase in r. Since these attacks are heuristic algorithms, we provide several experiments which show that we can obtain the secret key in practice.
• Daisuke MORIYAMA, Hiroshi DOI
Type: PAPER
Subject area: Public Key Cryptography
2011 Volume E94.A Issue 1 Pages 28-35
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
Spatial encryption is one of the generalized identity based encryption proposed by Boneh and Hamburg in 2008. Spatial encryption provides a framework for generating many identity based cryptosystems such as broadcast encryption, forward secure encryption or ring signature. While this may appear to be an attractive feature, all existing spatial encryption schemes are only selectively secure. In this paper, we present a fully secure spatial encryption scheme based on the three composite order bilinear groups.
• Takeo MIZUNO, Hiroshi DOI
Type: PAPER
Subject area: Public Key Cryptography
2011 Volume E94.A Issue 1 Pages 36-44
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
In proxy re-encryption schemes, a semi-trusted entity called a proxy can convert a ciphertext encrypted for Alice into a new ciphertext for Bob without seeing the underlying plaintext. Several proxy re-encryption schemes have been proposed, however, only two schemes which enables the conversion of IBE ciphertexts to PKE ciphertexts has been proposed. One of schemes has some drawbacks such that the size of the re-encrypted ciphertext increases and Bob must be aware of existence of the proxy, which means Bob cannot decrypt a re-encrypted ciphertext with same PKE decryption algorithm. The other one achieves security under Selective-ID model. We propose a new, efficient scheme that enables the conversion of IBE ciphertexts to PKE ciphertexts, and prove full-ID CPA security in the standard model. In our scheme, the size of the re-encrypted ciphertext is optimal and Bob should not aware of existence of the proxy. As far as we know, this is the first IBE-PKE type scheme that holds the above properties.
• Jae Hong SEO, Tetsutaro KOBAYASHI, Miyako OHKUBO, Koutarou SUZUKI
Type: PAPER
Subject area: Public Key Cryptography
2011 Volume E94.A Issue 1 Pages 45-56
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
We propose an anonymous Hierarchical Identity-Based Encryption (anonymous HIBE) scheme with short ciphertexts. Prior to our work, most anonymous HIBE schemes have long ciphertexts increased according to the hierarchical depth of recipient. The size of the ciphertext in our scheme does not depend on the depth of the hierarchy. Moreover, our scheme achieves the lowest computational cost because during the decryption phase the computational cost of decryption is constant. The security can be proven under reasonable assumptions without using random oracles. Our scheme achieves selective-ID security notion.
• Yusuke NAITO, Kazuki YONEYAMA, Lei WANG, Kazuo OHTA
Type: PAPER
Subject area: Public Key Cryptography
2011 Volume E94.A Issue 1 Pages 57-70
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
Since the Merkle-Damgård hash function (denoted by MDFH) that uses a fixed input length random oracle as a compression function is not indifferentiable from a random oracle (denoted by RO) due to the extension attack, there is no guarantee for the security of cryptosystems, which are secure in the RO model, when RO is instantiated with MDHF. This fact motivates us to establish a criteria methodology for confirming cryptosystems security when RO is instantiated with MDHF. In this paper, we confirm cryptosystems security by using the following approach: 1. Find a weakened random oracle (denoted by WRO) which leaks values needed to realize the extension attack. 2. Prove that MDHF is indifferentiable from WRO. 3. Prove cryptosystems security in the WRO model. The indifferentiability framework of Maurer, Renner and Holenstein guarantees that we can securely use the cryptosystem when WRO is instantiated with MDHF. Thus we concentrate on such finding WRO. We propose Traceable Random Oracle (denoted by TRO) which leaks values enough to permit the extension attack. By using TRO, we can easily confirm the security of OAEP encryption scheme and variants of OAEP encryption scheme. However, there are several practical cryptosystems whose security cannot be confirmed by TRO (e.g. RSA-KEM). This is because TRO leaks values that are irrelevant to the extension attack. Therefore, we propose another WRO, Extension Attack Simulatable Random Oracle (denoted by ERO), which leaks just the value needed for the extension attack. Fortunately, ERO is necessary and sufficient to confirm the security of cryptosystems under MDHF. This means that the security of any cryptosystem under MDHF is equivalent to that under the ERO model. We prove that RSA-KEM is secure in the ERO model.
• Jacob C. N. SCHULDT, Kanta MATSUURA
Type: PAPER
Subject area: Identification
2011 Volume E94.A Issue 1 Pages 71-83
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
Undeniable signatures, introduced by Chaum and van Antwerpen, require a verifier to interact with the signer to verify a signature, and hence allow the signer to control the verifiability of his signatures. Convertible undeniable signatures, introduced by Boyar, Chaum, Damgård, and Pedersen, furthermore allow the signer to convert signatures to publicly verifiable ones by publicizing a verification token, either for individual signatures or for all signatures universally. In addition, the original definition allows the signer to delegate the ability to prove validity and convert signatures to a semi-trusted third party by providing a verification key. While this functionality is implemented by the early convertible undeniable signature schemes, most recent schemes do not consider this form of delegation despite its practical appeal. In this paper we present an updated definition and security model for schemes allowing delegation, and furthermore highlight a new essential security property, token soundness, which is not formally treated in the previous security models for convertible undeniable signatures. We then propose a new convertible undeniable signature scheme. The scheme allows delegation of verification and is provably secure in the standard model assuming the computational co-Diffie-Hellman problem, a closely related problem, and the decisional linear problem are hard. Furthermore, unlike the recently proposed schemes by Phong et al. and Huang et al., our scheme provably fulfills all security requirements while providing short signatures.
• Kan YASUDA
Type: PAPER
Subject area: Identification
2011 Volume E94.A Issue 1 Pages 84-91
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
We revisit the double-pipe construction introduced by Lucks at Asiacrypt 2005. Lucks originally studied the construction for iterated hash functions and showed that the approach is effective in improving security against various types of collision and (second-)preimage attacks. Instead, in this paper we apply the construction to the secret-key setting, where the underlying FIL (fixed-input-length) compression function is equipped with a dedicated key input. We make some adjustments to Lucks' original design so that now the new mode works with a single key and operates as a domain extension of MACs (message authentication codes). Though more than twice as slow as the Merkle-Damgård construction, the double-piped mode enjoys security strengthened beyond the birthday bound. More specifically, when iterating an FIL-MAC whose output size is n-bit, the new double-piped mode yields an AIL-(arbitrary-input-length-)MAC with security up to O(2n) query complexity. This bound contrasts sharply with the birthday bound of O(2n/2), which was the best MAC security accomplished by earlier constructions.
• Bagus SANTOSO, Kazuo OHTA, Kazuo SAKIYAMA, Goichiro HANAOKA
Type: PAPER
Subject area: Identification
2011 Volume E94.A Issue 1 Pages 92-103
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
We present a new methodology for constructing an efficient identification scheme, and based on it, we propose a lightweight identification scheme whose computational and storage costs are sufficiently low even for cheap devices such as RFID tags. First, we point out that the efficiency of a scheme with statistical zero-knowledgeness can be significantly improved by enhancing its zero-knowledgeness to perfect zero-knowledge. Then, we apply this technique to the Girault-Poupard-Stern (GPS) scheme which has been standardized by ISO/IEC. The resulting scheme shows a perfect balance between communication cost, storage cost, and circuit size (computational cost), which are crucial factors for implementation on RFID tags. Compared to GPS, the communication and storage costs are reduced, while the computational cost is kept sufficiently low so that it is implementable on a circuit nearly as small as GPS. Under standard parameters, the prover's response is shortened 80 bits from 275 bits to 195 bits and in application using coupons, storage for one coupon is also reduced 80 bits, whereas the circuit size is estimated to be larger by only 335 gates. Hence, we believe that the new scheme is a perfect solution for fast authentication of RFID tags.
• Jooyoung LEE, Daesung KWON
Type: PAPER
Subject area: Hash Function
2011 Volume E94.A Issue 1 Pages 104-109
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
As old as Tandem-DM, the compression function Abreast-DM is one of the most well-known constructions for double block length compression functions. In this paper, we give a security proof for Abreast-DM in terms of collision resistance and preimage resistance. The bounds on the number of queries for collision resistance and preimage resistance are given by Ω(2n). Based on a novel technique using query-response cycles, our security proof is simpler than those for MDC-2 and Tandem-DM. We also present a wide class of Abreast-DM variants that enjoy a birthday-type security guarantee with a simple proof.
• Lei WANG, Yu SASAKI
Type: PAPER
Subject area: Hash Function
2011 Volume E94.A Issue 1 Pages 110-120
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
This paper evaluates the preimage resistance of the Tiger hash function. To our best knowledge, the maximum number of the attacked steps is 17 among previous preimage attacks on Tiger, where the full version has 24 steps. Our attack will extend the number of the attacked steps to 23. The main contribution is a pseudo-preimage attack on the compression function up to 23 steps with a complexity of 2181 following the meet-in-the-middle approach. This attack can be converted to a preimage attack on 23-step Tiger hash function with a complexity of 2187.5. The memory requirement of our attack is 222 words. A Tiger digest has 192bits. Therefore, our attacks are faster than the exhaustive search.
• Yu SASAKI
Type: PAPER
Subject area: Hash Function
2011 Volume E94.A Issue 1 Pages 121-128
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
We present cryptanalyses of the original version of AURORA-512 hash function, which is a round-1 SHA-3 candidate. Our attack exploits weaknesses in a narrow-pipe mode of operation of AURORA-512 named “Double-Mix Merkle-Damgård (DMMD).” The current best collision attack proposed by Joux and Lucks only gives rough complexity estimations. We first evaluate its precise complexity and show its optimization. Secondly, we point out that the current best second-preimage attack proposed by Ferguson and Lucks does not work with the claimed complexity of 2291. We then evaluate a complexity so that the attack can work with a high success probability. We also show that the second-preimage attack can be used to attack the randomized hashing scheme. Finally, we present a key-recovery attack on HMAC-AURORA-512, which reveals 512-bit secret keys with 2257 queries, 2259 AURORA-512 operations, and negligible memory. The universal forgery on HMAC-AURORA-384 is also possible by combining the second-preimage and inner-key-recovery attacks.
• Jooyoung LEE, Je Hong PARK
Type: PAPER
Subject area: Secure Protocol
2011 Volume E94.A Issue 1 Pages 129-138
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
In this paper, we propose two authenticated key exchange (AKE) protocols and prove their security in the extended Canetti-Krawczyk model. The first protocol, called NAXOS+, is obtained by slightly modifying the NAXOS protocol proposed by LaMacchia, Lauter and Mityagin [15]. We prove its security under the Computational Diffie-Hellman (CDH) assumption by using the trapdoor test introduced in [6]. To the authors' knowledge, this is the first AKE protocol which is secure under the CDH assumption in the eCK model. The second protocol, called NETS, enjoys a simple and tight security reduction compared to existing schemes including HMQV and CMQV without using the Forking Lemma. Since each session of the NETS protocol requires only three exponentiations per party, its efficiency is also comparable to MQV, HMQV and CMQV.
• Tatsumi OBA, Wakaha OGATA
Type: PAPER
Subject area: Secure Protocol
2011 Volume E94.A Issue 1 Pages 139-149
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
On-line secret sharing scheme, introduced by Cachin, is a computational variation of secret sharing scheme. It supports dynamic changing of access structures and reusable shares, by grace of public bulletin board. In this paper, first we introduce a formal model of on-line secret sharing scheme, and analyze existing on-line secret sharing schemes. As a result, it is shown that they are all vulnerable by giving concrete attacks. Next, we propose a novel on-line secret sharing scheme which is provably secure.
• Yuto KAWAHARA, Tetsutaro KOBAYASHI, Gen TAKAHASHI, Tsuyoshi TAKAGI
Type: PAPER
Subject area: Mathematics
2011 Volume E94.A Issue 1 Pages 150-155
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
Pairing-based cryptosystems are generally constructed using many functions such as pairing computation, arithmetic in finite fields, and arithmetic on elliptic curves. MapToPoint, which is a hashing algorithm onto an elliptic curve point, is one of the functions for constructing pairing-based cryptosystems. There are two MapToPoint algorithms on supersingular elliptic curves in characteristic three, which is used by ηT pairing. The first is computed by using a square root computation in F3m, and the computational cost of this algorithm is O(log m) multiplications in F3m. The second is computed by using an (m-1)×(m-1) matrix over F3. It can be computed by O(1) multiplications in F3m. However, this algorithm needs the off-line memory to store about m F3m-elements. In this paper, we propose an efficient MapToPoint algorithm on the supersingular elliptic curves in characteristic three by using 1/3-trace over F3m. We propose 1/3-trace over F3m, which can compute solution x of x3-x=c by using no multiplication in F3m. The proposed algorithm is computed by O(1) multiplications in F3m, and it requires less than m F3-elements to be stored in the off-line memory to efficiently compute trace over F3m. Moreover, in our software implementation of F3509, the proposed MapToPoint algorithm is approximately 35% faster than the conventional MapToPoint algorithm using the square root computation on an AMD Opteron processor (2.2GHz).
• Masaaki SHIRASE
Type: PAPER
Subject area: Mathematics
2011 Volume E94.A Issue 1 Pages 156-164
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
It is necessary to perform arithmetic in Fp12 to use an Ate pairing on a Barreto-Naehrig (BN) curve, where p is a prime given by p(z)=36z4+36z3+24z2+6z+1 for some integer z. In many implementations of Ate pairings, Fp12 has been regarded as a 6th degree extension of Fp2, and it has been constructed by Fp12=Fp2[v]/(v6-ξ) for an element ξ ∈ Fp2 such that v6-ξ is irreducible in Fp2[v]. Such a ξ depends on the value of p, and we may use a mathematical software package to find ξ. In this paper it is shown that when z ≡ 7,11 (mod 12), we can universally construct Fp12 as Fp12=Fp2[v]/(v6-u-1), where Fp2=Fp[u]/(u2+1).
• Chik-How TAN, Siong-Thye GOH
Type: PAPER
Subject area: Mathematics
2011 Volume E94.A Issue 1 Pages 165-171
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
In this paper, we constructed six infinite classes of balanced Boolean functions. These six classes of Boolean functions achieved optimal algebraic degree, optimal algebraic immunity and high nonlinearity. Furthermore, we gave the proof of the lower bound of the nonlinearities of these balanced Boolean functions and proved the better lower bound of nonlinearity for Carlet-Feng's Boolean function.
• Kenta NEKADO, Yasuyuki NOGAMI, Hidehiro KATO, Yoshitaka MORIKAWA
Type: PAPER
Subject area: Mathematics
2011 Volume E94.A Issue 1 Pages 172-179
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
Recently, pairing-based cryptographic application sch-emes have attracted much attentions. In order to make the schemes more efficient, not only pairing algorithm but also arithmetic operations in extension field need to be efficient. For this purpose, the authors have proposed a series of cyclic vector multiplication algorithms (CVMAs) corresponding to the adopted bases such as type-I optimal normal basis (ONB). Note here that every basis adapted for the conventional CVMAs are just special classes of Gauss period normal bases (GNBs). In general, GNB is characterized with a certain positive integer h in addition to characteristic p and extension degree m, namely type-<h.m> GNB in extension field Fpm. The parameter h needs to satisfy some conditions and such a positive integer h infinitely exists. From the viewpoint of the calculation cost of CVMA, it is preferred to be small. Thus, the minimal one denoted by hmin will be adapted. This paper focuses on two remaining problems: 1) CVMA has not been expanded for general GNBs yet and 2) the minimal hmin sometimes becomes large and it causes an inefficient case. First, this paper expands CVMA for general GNBs. It will improve some critical cases with large hmin reported in the conventional works. After that, this paper shows a theorem that, for a fixed prime number r, other prime numbers modulo r uniformly distribute between 1 to r-1. Then, based on this theorem, the existence probability of type-<hmin,m> GNB in Fpm and also the expected value of hmin are explicitly given.
• Salih ERGÜN, Ülkühan GÜLER, Kunihiro ASADA
Type: PAPER
Subject area: Implementation
2011 Volume E94.A Issue 1 Pages 180-190
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
A novel random number generation method based on chaotic sampling of regular waveform is proposed. A high speed IC truly random number generator based on this method is also presented. Simulation and experimental results, verifying the feasibility of the circuit, are given. Numerical binary data obtained according to the proposed method pass the four basic tests of FIPS-140-2, while experimental data pass the full NIST-800-22 random number test suite without post-processing.
• Yang LI, Kazuo SAKIYAMA, Shinichi KAWAMURA, Kazuo OHTA
Type: PAPER
Subject area: Implementation
2011 Volume E94.A Issue 1 Pages 191-199
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
This paper shows two power analysis attacks against a software implementation of a first-order DPA resistant S-box algorithm that is based on the discrete Fourier Transform (DFT). The DPA resistant S-box algorithm based on DFT was proposed by Prouff et al. in 2006 and improved by Coron et al. in 2008, respectively. In our attacks against the improved one, we pre-process the power traces by separating them into two subgroups, so that each has a biased mask. For the separated power traces, two post analysis methods are proposed to identify the key. One is based on DPA attack against one subgroup, and the other utilizes the difference of means for two subgroups and a pattern matching. Finally, we compare these two attack methods and propose an algorithm-level countermeasure to enhance the security of S-box calculation based on the DFT.
• Daisuke SUZUKI, Minoru SAEKI, Koichi SHIMIZU, Tsutomu MATSUMOTO
Type: PAPER
Subject area: Implementation
2011 Volume E94.A Issue 1 Pages 200-210
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
In this paper we first demonstrate that effective selection functions in power analysis attacks change depending on circuit architectures of a block cipher. We then conclude that the most resistant architecture on its own, in the case of the loop architecture, has two data registers have separate roles: one for storing the plaintext and ciphertext, and the other for storing intermediate values. There, the pre-whitening operation is placed at the output of the former register. The architecture allows the narrowest range of selection functions and thereby has resistance against ordinary CPA. Thus, we can easily defend against attacks by ordinary CPA at the architectural level, whereas we cannot against DPA. Secondly, we propose a new technique called “self-templates” in order to raise the accuracy of evaluation of DPA-based attacks. Self-templates enable to differentiate meaningful selection functions for DPA-based attacks without any strong assumption as in the template attack. We also present the results of attacks to an AES co-processor on an ASIC and demonstrate the effectiveness of the proposed technique.
• Daisuke SUZUKI, Tsutomu MATSUMOTO
Type: PAPER
Subject area: Implementation
2011 Volume E94.A Issue 1 Pages 211-222
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
This paper describes a modular exponentiation processing method and circuit architecture that can exhibit the maximum performance of FPGA resources. The modular exponentiation architecture proposed by us comprises three main techniques. The first one is to improve the Montgomery multiplication algorithm in order to maximize the performance of the multiplication unit in an FPGA. The second one is to balance and improve the circuit delay. The third one is to ensure scalability of the circuit. Our architecture can perform fast operations using small-scale resources; in particular, it can complete a 512-bit modular exponentiation as fast as in 0.26ms with the smallest Virtex-4 FPGA, XC4VF12-10SF363. In fact the number of SLICEs used is approx. 4200, which proves the compactness of our design. Moreover, the scalability of our design also allows 1024-, 1536-, and 2048-bit modular exponentiations to be processed in the same circuit.
• Hiroki KOGA, Yusuke MINAMI
Type: PAPER
Subject area: Digital Fingerprinting
2011 Volume E94.A Issue 1 Pages 223-232
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
In this paper we unveil basic properties of a code Γq for digital fingerprinting based on a projective plane of order q. We consider a situation where a coalition of malicious users generates a pirated digital content in which a binary sequence w is embedded subject to the marking assumption. Here, the size of the coalition is assumed to be less than or equal to a known constant c ≥ 2. We evaluate the number of candidates of the coalition that can also generate w subject to the marking assumption. It is shown that the number of such candidates is completely determined as a function of w for the case of c=2. In addition, we give a sufficient condition under which all the malicious users are correctly identified from w for the case of c &;ge 3. Relationships between Γq and other existing classes of codes are discussed as well.
• Kenta TAKAHASHI, Shinji HIRATA
Type: PAPER
Subject area: Biometrics
2011 Volume E94.A Issue 1 Pages 233-244
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
Biometric authentication has attracted attention because of its high security and convenience. However, biometric feature such as fingerprint can not be revoked like passwords. Thus once the biometric data of a user stored in the system has been compromised, it can not be used for authentication securely for his/her whole life long. To address this issue, an authentication scheme called cancelable biometrics has been studied. However, there remains a major challenge to achieve both strong security and practical accuracy. In this paper, we propose a novel and fundamental algorithm for cancelable biometrics called correlation-invariant random filtering (CIRF) with provable security. Then we construct a method for generating cancelable fingerprint templates based on the chip matching algorithm and the CIRF. Experimental evaluation shows that our method has almost the same accuracy as the conventional fingerprint verification based on the chip matching algorithm.
• Jungsuk SONG, Daisuke INOUE, Masashi ETO, Hyung Chan KIM, Koji NAKAO
Type: PAPER
Subject area: Network Security
2011 Volume E94.A Issue 1 Pages 245-254
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
In recent years, the number of spam emails has been dramatically increasing and spam is recognized as a serious internet threat. Most recent spam emails are being sent by bots which often operate with others in the form of a botnet, and skillful spammers try to conceal their activities from spam analyzers and spam detection technology. In addition, most spam messages contain URLs that lure spam receivers to malicious Web servers for the purpose of carrying out various cyber attacks such as malware infection, phishing attacks, etc. In order to cope with spam based attacks, there have been many efforts made towards the clustering of spam emails based on similarities between them. The spam clusters obtained from the clustering of spam emails can be used to identify the infrastructure of spam sending systems and malicious Web servers, and how they are grouped and correlate with each other, and to minimize the time needed for analyzing Web pages. Therefore, it is very important to improve the accuracy of the spam clustering as much as possible so as to analyze spam based attacks more accurately. In this paper, we present an optimized spam clustering method, called O-means, based on the K-means clustering method, which is one of the most widely used clustering methods. By examining three weeks of spam gathered in our SMTP server, we observed that the accuracy of the O-means clustering method is about 87% which is superior to the previous clustering methods. In addition, we define 12 statistical features to compare similarity between spam emails, and we determined a set of optimized features which makes the O-means clustering method more effective.
• Jingyu HUA, Mingchu LI, Yizhi REN, Kouichi SAKURAI
Type: PAPER
Subject area: Network Security
2011 Volume E94.A Issue 1 Pages 255-264
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
Those host-based intrusion detection models like VPStatic first construct a model of acceptable behaviors for each monitored program via static analysis, and then perform intrusion detection by comparing them with programs' runtime behaviors. These models usually share the highly desirable feature that they do not produce false alarms but face the conflicts between accuracy and efficiency. For instance, the high accuracy of the VPStatic model is at the cost of high space complexity. In this paper, we use a statically-constructed state transition table (STT), which records expected transitions among system calls as well as their stack states (return address lists), as a behavior model to perform context-sensitive intrusion detection. According to our analysis, our STT model improves the space efficiency of the VPStatic model without decreasing its high precision and time efficiency. Experiments show that for three test programs, memory uses of our STT models are all much less than half of the VPStatic models'. Thereby, we alleviate the conflicts between the accuracy and the efficiency.
• Shaojing FU, Chao LI, Kanta MATSUURA, Longjiang QU
Type: LETTER
2011 Volume E94.A Issue 1 Pages 265-267
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
Constructing degree-optimized resilient Boolean functions with high nonlinearity is a significant study area in Boolean functions. In this letter, we provide a construction of degree-optimized n-variable (n odd and n ≥ 35) resilient Boolean functions, and it is shown that the resultant functions achieve the currently best known nonlinearity.
• Fagen LI, Yongjian LIAO, Zhiguang QIN
Type: LETTER
2011 Volume E94.A Issue 1 Pages 268-269
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
Recently, Jin, Wen, and Du proposed an identity-based signcryption scheme in the standard model. In this letter, we show that their scheme does not have the indistinguishability against adaptive chosen ciphertext attacks and existential unforgeability against adaptive chosen messages attacks.
• Maki YOSHIDA, Toru FUJIWARA
Type: LETTER
2011 Volume E94.A Issue 1 Pages 270-272
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
This paper introduces a novel type of digital watermarking, which is mainly designed for embededing information into cryptographic data such as keys, ciphertexts, and signatures. We focus on a mathematical structure of the recent major cryptosystems called pairing-based schemes. We present a detection-type watermarking scheme by which a watermark is visible by anyone but unremovable without secret trapdoor. The important feature is that both correctness and security of cryptographic data remain satisfied even if the trapdoor is published.
Regular Section
• Yusuke HIOKA, Ken'ichi FURUYA, Yoichi HANEDA, Akitoshi KATAOKA
Type: PAPER
Subject area: Engineering Acoustics
2011 Volume E94.A Issue 1 Pages 273-281
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
An improvement of estimating sound power spectra located in a particular 2-dimensional area is proposed. We previously proposed a conventional method that estimates sound power spectra using multiple fixed beamformings in order to emphasize speech located in a particular 2-dimensional area. However, the method has one drawback that the number of areas where the active sound sources are located must be restricted. This restriction makes the method less effective when many noise source located in different areas are simultaneously active. In this paper, we reveal the cause of this restriction and determine the maximum number of areas for which the method is able to simultaneously estimate sound power spectra. Then we also introduce a procedure for investigating areas that include active sound sources to reduce the number of unknown power spectra to be estimated. The effectiveness of the proposed method is examined by experimental evaluation applied to sounds recorded in a practical environment.
• Takaya MIYANO, Kazuhiro NISHIMURA, Yusuke YOSHIDA
Type: PAPER
Subject area: Nonlinear Problems
2011 Volume E94.A Issue 1 Pages 282-289
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
We have applied the open-plus-closed-loop control method, recently devised by Grosu et al., to chaos-based communications. In our method, a message is handled as if it were part of a parameter mismatch between the chaotic oscillators installed on a drive and a response system. In the drive system, the message is encrypted by adding it to a state variable of the oscillator as dynamical noise. In the response system, the message is decrypted by subtracting the chaotic signal reproduced by chaotic synchronization using the open-plus-closed-loop control method from the received signal, followed by differentiation with respect to time. When the oscillators have multiple parameter mismatches, multiple messages can be simultaneously encrypted and decrypted to achieve multiplex secure communications.
• Lihong SHANG, Mi ZHOU, Yu HU, Erfu YANG
Type: PAPER
Subject area: Nonlinear Problems
2011 Volume E94.A Issue 1 Pages 290-299
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
Field programmable gate arrays (FPGAs) are widely used in reliability-critical systems due to their reconfiguration ability. However, with the shrinking device feature size and increasing die area, nowadays FPGAs can be deeply affected by the errors induced by electromigration and radiation. To improve the reliability of FPGA-based reconfigurable systems, a permanent fault recovery approach using a domain partition model is proposed in this paper. In the proposed approach, the fault-tolerant FPGA recovery from faults is realized by reloading a proper configuration from a pool of multiple alternative configurations with overlaps. The overlaps are presented as a set of vectors in the domain partition model. To enhance the reliability, a technical procedure is also presented in which the set of vectors are heuristically filtered so that the corresponding small overlaps can be merged into big ones. Experimental results are provided to demonstrate the effectiveness of the proposed approach through applying it to several benchmark circuits. Compared with previous approaches, the proposed approach increased MTTF by up to 18.87%.
• Kai KINOSHITA, Hiroyuki TORIKAI
Type: PAPER
Subject area: Nonlinear Problems
2011 Volume E94.A Issue 1 Pages 300-314
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
In this paper, an artificial sub-threshold oscillating spiking neuron is presented and its response phenomena to an input spike-train are analyzed. In addition, a dynamic parameter update rule of the neuron for achieving synchronizations to the input spike-train having various spike frequencies is presented. Using an analytical two-dimensional return map, local stability of the parameter update rule is analyzed. Furthermore, a pulse-coupled network of the neurons is presented and its basic self-organizing function is analyzed. Fundamental comparisons are also presented.
• Chin-Long WEY, Shin-Yo LIN, Hsu-Sheng WANG, Hung-Lieh CHEN, Chun-Ming ...
Type: PAPER
Subject area: VLSI Design Technology and CAD
2011 Volume E94.A Issue 1 Pages 315-323
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
In UWB systems, data symbols are transmitted and received continuously. The Fast Fourier Transform (FFT) processor must be able to seamlessly process input/output data. This paper presents the design and implementation of a continuous data flow parallel memory-based FFT (CF-PMBFFT) processor without the use of input buffer for pre-loading the input data. The processor realizes a memory space of two N-words and multiple processing elements (PEs) to achieve the seamless data flow and meet the design requirement. The circuit has been fabricated in TSMC 0.18µm 1P6M CMOS process with the supply voltage of 1.8V. Measurement results of the test chip shows that the developed CF-PMBFFT processor takes a core area of 1.97mm2 with a power consumption of 62.12mW for a throughput rate of 528MS/s.
• Shingo YOSHIZAWA, Hirokazu IKEUCHI, Yoshikazu MIYANAGA
Type: PAPER
Subject area: VLSI Design Technology and CAD
2011 Volume E94.A Issue 1 Pages 324-331
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
MIMO-OFDM performs signal detection on a subcarrier basis which requires high speed computation in MIMO detection due to its large computational cost. Conventional designs in a MIMO detector increase processing time in proportion to the number of subcarriers and have difficulty in real-time processing for large numbers of subcarriers. A complete pipeline MMSE MIMO detector presented in our previous work can provide high speed computation. However, it tends to be excessive in a circuit scale for small numbers of subcarriers. We propose a new scalable architecture to reduce circuit scale by adjusting the number of iterative operations according to various types of OFDM system. The proposed detector has reduced circuit area to about 1/2 to 1/7 in the previous design with providing acceptable latency time.
• Ji-Hyung KIM, Jun-Dong CHO
Type: PAPER
Subject area: VLSI Design Technology and CAD
2011 Volume E94.A Issue 1 Pages 332-341
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
The earlier the stage where we perform low power design, the higher the dynamic power reduction we achieve. In this paper, we focus on reducing switching activity in high-level synthesis, especially, in the problem of functional module binding, bus binding or register binding. We propose an effective low power bus binding algorithm based on the table decomposition method, to reduce switching activity. The proposed algorithm is based on the decomposition of the original problem into sub-problems by exploiting the optimal substructure. As a result, it finds an optimal or close-to-optimal binding solution with less computation time. Experimental results show the proposed method obtains a solution 2.3-22.2% closer to optimal solution than one with a conventional heuristic method, 8.0-479.2 times faster than the optimal one (at a threshold value of 1.0E+9).
• Hasitha Muthumala WAIDYASOORIYA, Masanori HARIYAMA, Michitaka KAMEYAMA
Type: PAPER
Subject area: VLSI Design Technology and CAD
2011 Volume E94.A Issue 1 Pages 342-351
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
Accelerator cores in low-power embedded processors have on-chip multiple memory modules to increase the data access speed and to enable parallel data access. When large functional units such as multipliers and dividers are used for addressing, a large power and chip area are consumed. Therefore, recent low-power processors use small functional units such as adders and counters to reduce the power and area. Such small functional units make it difficult to implement complex addressing patterns without duplicating data among multiple memory modules. The data duplication wastes the memory capacity and increases the data transfer time significantly. This paper proposes a method to reduce the memory duplication for window-based image processing, which is widely used in many applications. Evaluations using an accelerator core show that the proposed method reduces the data amount and data transfer time by more than 50%.
• Pei-Wen LUO, Jwu-E CHEN, Chin-Long WEY
Type: PAPER
Subject area: VLSI Design Technology and CAD
2011 Volume E94.A Issue 1 Pages 352-361
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
Device mismatch plays an important role in the design of accurate analog circuits. The common centroid structure is commonly employed to reduce device mismatches caused by symmetrical layouts and processing gradients. Among the candidate placements generated by the common centroid approach, however, whichever achieves better matching is generally difficult to be determined without performing the time-consuming yield evaluation process. In addition, this rule-based methodology makes it difficult to achieve acceptable matching between multiple capacitors and to handle an irregular layout area. Based on a spatial correlation model, this study proposed a design methodology for yield enhancement of analog circuits using switched-capacitor techniques. An efficient and effective placement generator is developed to derive a placement for a circuit to achieve the highest or near highest correlation coefficient and thus accomplishing a better yield performance. A simple yield analysis is also developed to evaluate the achieved yield performance of a derived placement. Results show that the proposed methodology derives a placement which achieves better yield performance than those generated by the common centroid approach.
• Yuan LI, Hui WANG, Haibin KAN
Type: PAPER
Subject area: Cryptography and Information Security
2011 Volume E94.A Issue 1 Pages 362-366
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
In this paper, we explicitly construct a large class of symmetric Boolean functions on 2k variables with algebraic immunity not less than d, where integer k is given arbitrarily and d is a given suffix of k in binary representation. If let d=k, our constructed functions achieve the maximum algebraic immunity. Remarkably, 2⌊log 2k⌋+2 symmetric Boolean functions on 2k variables with maximum algebraic immunity are constructed, which are much more than the previous constructions. Based on our construction, a lower bound of symmetric Boolean functions with algebraic immunity not less than d is derived, which is 2⌊ log 2d⌋+2(k-d+1). As far as we know, this is the first lower bound of this kind.
• Seiko ARITA
Type: PAPER
Subject area: Cryptography and Information Security
2011 Volume E94.A Issue 1 Pages 367-382
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
It is known that composable secure commitments, that is, concurrent non-malleable commitments exist in the plain model, based only on standard assumptions such as the existence of claw-free permutations or even one-way functions. Since being based on the plain model, the deniability of them is trivially satisfied, and especially the latter scheme satisfies also adaptivity, hence it is adaptive-deniable-concurrent non-malleable. However, those schemes cannot be said to be practically efficient. We show a practically efficient (string) adaptive-deniable-concurrent commitment scheme is possible under a global setup model, called the Global CRS-KR model.
• Dae Hyun YUM, Jin Seok KIM, Pil Joong LEE, Sung Je HONG
Type: PAPER
Subject area: Cryptography and Information Security
2011 Volume E94.A Issue 1 Pages 383-391
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
A hash chain H for a hash function hash(·) is a sequence of hash values <xn,xn-1,...,x0>, where x0 is a secret value, xi is generated by xi = hash(xi-1) for 1≤ in, and xn is a public value. Hash values of H are disclosed gradually from xn-1 to x0. The correctness of a disclosed hash value xi can be verified by checking the equation $x_n \\stackrel{?}{=} \\hash^{n-i}(x_i)$. To speed up the verification, Fischlin introduced a check-bit scheme at CT-RSA 2004. The basic idea of the check-bit scheme is to output some extra information cb, called a check-bit vector, in addition to the public value xn, which allows each verifier to perform only a fraction of the original work according to his or her own security level. We revisit the Fischlin's check-bit scheme and show that the length of the check-bit vector cb can be reduced nearly by half. The reduced length of cb is close to the theoretic lower bound.
• Goichiro HANAOKA, Shoichi HIROSE, Atsuko MIYAJI, Kunihiko MIYAZAKI, Ba ...
Type: PAPER
Subject area: Cryptography and Information Security
2011 Volume E94.A Issue 1 Pages 392-404
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
A sanitizable signature scheme is a signature scheme which, after the signer generates a valid signature of a message, allows a specific entity (sanitizer) to modify the message for hiding several parts. Existing sanitizable signature schemes require the message to be divided into pre-defined blocks before signing so that each block can be sanitized independently. However, there are cases where the parts of the message which are needed to be sanitized can not be determined in the time of signing. Thus, it is difficult to decide the partition of the blocks in such cases. Since the length of the signature is usually proportional to the number of blocks, signing every bit independently will make the signature too long. In this paper, we propose a solution by introducing a new concept called sequential bitwise sanitizable signature schemes, where any sequence of bits of the signed document can be made sanitizable without pre-defining them, and without increasing the length of signature. We also show that a one-way permutation suffices to get a secure construction, which is theoretically interesting in its own right, since all the other existing schemes are constructed using stronger assumptions.
• Hyun YANG, Young-Hwan YOU
Type: PAPER
Subject area: Mobile Information Network and Personal Communications
2011 Volume E94.A Issue 1 Pages 405-409
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
This paper evaluates the performance of a pilot-assisted fine carrier frequency offset (CFO) estimation scheme for orthogonal frequency division multiplexing (OFDM) in time-varying channels. An analytical closed-form expression of the mean square error (MSE), of the post-FFT based CFO synchronization scheme, is presented in terms of time-variant fading channels. To verify our analysis in this paper, simulations are carried out within the framework of mobile WiMAX systems.
• Tomotaka WADA, Shinji NAKAI, Tetsuya MARUOKA, Haokun WANG, Hiromi OKAD ...
Type: PAPER
Subject area: Intelligent Transport System
2011 Volume E94.A Issue 1 Pages 410-419
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
In this paper, we develop a VCASS substitution system (S-VCASS) using a personal mobile terminal in order to improve the effectiveness of VCASS in an environment comprising both VCASS and non-VCASS vehicles. We propose three new pedestrian state judgment algorithms that can be implemented on a personal mobile terminal for inter-vehicle communications. We evaluate the performances of the three proposed algorithms with real vehicles. Finally, we show that the proposed algorithms can recognize vehicles without VCASS.
• Xuan ZHANG, Qiaoyan WEN, Jie ZHANG
Type: LETTER
Subject area: Digital Signal Processing
2011 Volume E94.A Issue 1 Pages 420-423
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
In this paper, we introduce a new general construction of zero correlation zone (ZCZ) sequence set, which is based on two given ZCZ sequence sets. Compared with the two given sequence sets, the resultant sequence set not only has larger family size and longer period, but also provides more flexible choices of basic sequences, ZCZ length and family size.
• Jongwook YANG, Juhoon BACK, Jin H. SEO
Type: LETTER
Subject area: Systems and Control
2011 Volume E94.A Issue 1 Pages 424-429
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
In this letter, we propose a new observer error linearization approach that is called reduced-order dynamic observer error linearization (RDOEL), which is a modified version of dynamic observer error linearization (DOEL). We introduce the concepts and properties of RDOEL, and provide a complete solution to RDOEL with one integrator. Moreover, we show that it is also a complete solution to a simple case of DOEL.
• Katsuma ONO, Kenya JIN'NO, Toshimichi SAITO
Type: LETTER
Subject area: Nonlinear Problems
2011 Volume E94.A Issue 1 Pages 430-433
Published: January 01, 2011
Released: January 01, 2011
JOURNALS RESTRICTED ACCESS
This letter studies application of the growing PSO to the design of DC-AC inverters. In this application, each particle corresponds to a set of circuit parameters and moves to solve a multi-objective problem of the total harmonic distortion and desired average power. The problem is described by the hybrid fitness consisting of analog objective function, criterion and digital logic. The PSO has growing structure and dynamic acceleration parameters. Performing basic numerical experiments, we have confirmed the algorithm efficiency.