IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
Online ISSN : 1745-1337
Print ISSN : 0916-8508
Volume E95.A , Issue 1
Showing 1-50 articles out of 53 articles from the selected issue
Special Section on Cryptography and Information Security
• Naoya TORII
2012 Volume E95.A Issue 1 Pages 1
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
• Yasutaka IGARASHI, Toshinobu KANEKO
Type: PAPER
Subject area: Symmetric Cryptography
2012 Volume E95.A Issue 1 Pages 2-7
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
CLEFIA is a 128-bit block cipher proposed by Shirai et al. in 2007. On its saturation attack, Tsunoo et al. reported peculiar saturation characteristics in 2010. They formulated some hypotheses on the existence of the characteristics with no proof. In this paper we have theoretically proved their hypotheses. In their attack scenario, we show that the mod-2 distribution is a code word of Extended Hamming code, and then proof is given by using the property of Hadamard transform.
• Yasushi OSAKI, Tetsu IWATA
Type: PAPER
Subject area: Symmetric Cryptography
2012 Volume E95.A Issue 1 Pages 8-20
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
Constructing a secure and efficient key wrapping scheme is demanding, and the scheme based on a universal hash function and an elementary encryption mode like ECB and CBC modes is potential for a practical use. However, at SAC 2009, Gennaro and Halevi showed that a key wrapping scheme using a universal hash function and ECB mode (a HtECB scheme) is broken, and the security of a scheme based on a universal hash function and CBC mode (a HtCBC scheme) has been left as an open problem. In this paper, we first generalize classical notions of universal and uniform hash functions, and propose a total of four new notions of the keyed hash function. We then prove that HtECB and HtCBC schemes are secure key wrapping schemes if the universal hash function satisfies uniformity and our notions, where the result on the HtCBC scheme gives a partial answer to the open problem. Then we discuss a basic problem of identifying relations between various notions of a keyed hash function, and point out that a monic polynomial hash function satisfies all the new notions.
• Yu SASAKI
Type: PAPER
Subject area: Symmetric Cryptography
2012 Volume E95.A Issue 1 Pages 21-28
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
In this paper, we present known-key attacks on block cipher Rijndael for 192-bit block and 256-bit block. Our attacks work up to 8 rounds for 192-bit block and 9 rounds for 256-bit block, which are one round longer than the previous best known-key attacks. We then search for the parameters for the ShiftRow operation which is stronger against our attacks than the one in the Rijndael specification. Finally, we show a parameter for 192-bit block which forces attackers to activate more bytes to generate a truncated differential path, and thus enhances the security against our attacks.
• Minkyu KIM, Atsushi FUJIOKA, Berkant USTAOGLU
Type: PAPER
Subject area: Public Key Cryptography
2012 Volume E95.A Issue 1 Pages 29-39
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
LaMacchia, Lauter and Mityagin [19] proposed a novel security definition for authenticate key exchange (AKE) that gives an adversary the power to obtain ephemeral information regarding a target test session. To demonstrate feasibility of secure protocols in the new definition, henceforth called eCK, the authors described a protocol called NAXOS. NAXOS combines an ephemeral private key x with a static private key a to generate an ephemeral public key X (more precisely in what we call the NAXOS' approach X=gH(x,a)). Thus no one is able to query the discrete logarithm of X without knowing both the ephemeral and static private keys. This idea is crucial in the security argument to guard against leaked ephemeral secrets belonging to the test session. Another important assumption is the gap assumption that allows the protocol to remain secure even in the presence of malicious insiders. Both ideas have been successfully used in creating various protocols secure in the eCK model. In this paper, we construct two eCK-secure protocols without the above mentioned ideas. KFU1 is secure under the GDH assumption without using the NAXOS' approach. KFU2 builds upon KFU1 and drops the gap requirement, thus it is secure under the CDH assumption. Efficiency and security of the proposed protocols are comparable to the well-known HMQV [15] protocol. Furthermore, unlike HMQV and NAXOS the use of the random oracle in KFU1 and KFU2 is restricted to the key derivation function making them more suitable for practical applications.
• Atsushi FUJIOKA, Koutarou SUZUKI, Kazuki YONEYAMA
Type: PAPER
Subject area: Public Key Cryptography
2012 Volume E95.A Issue 1 Pages 40-56
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
This paper firstly provides the extended Canetti-Krawzcyk (eCK) security model for predicate-based authenticated key exchange (AKE) that guarantees resistance to leakage of ephemeral secret keys. Moreover, we propose two-pass key-policy (resp. session-policy) attribute-based AKE protocol secure in the proposed predicate-based eCK security model based on key-policy (resp. ciphertext-policy) attribute-based encryption. The proposed protocols have advantages in security against leakage of ephemeral secret keys and the round complexity compared to the previous predicate-based AKE protocols.
• Atsushi FUJIOKA, Yoshiaki OKAMOTO, Taiichi SAITO
Type: PAPER
Subject area: Public Key Cryptography
2012 Volume E95.A Issue 1 Pages 57-69
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
This paper analyzes security of sequential multiple encryptions based on asymmetric key encryptions, and shows that a sequential construction of secure multiple encryptions exists. The sequential multiple encryption scheme can be proved to be indistinguishable against chosen ciphertext attacks for multiple encryptions (IND-ME-CCA), where the adversary can access to the decryption oracle of the multiple encryption, even when all the underlying encryptions of the multiple encryption are indistinguishable against chosen plaintext attacks (IND-CPA}). We provide an extended security notion of sequential multiple encryptions, in which the adversary is allowed to access decryption oracles of the underlying encryptions in addition to the multiple encryption, and show that our constructed scheme satisfies the security notion when all the underlying encryptions are indistinguishable against chosen ciphertext attacks (IND-CCA).
• Lihua WANG, Licheng WANG, Masahiro MAMBO, Eiji OKAMOTO
Type: PAPER
Subject area: Public Key Cryptography
2012 Volume E95.A Issue 1 Pages 70-88
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
Proxy cryptosystems are classified into proxy decryption systems and proxy re-encryption systems on the basis of a proxy's role. In this paper, we propose an ID-based proxy cryptosystem with revocability and hierarchical confidentialities. In our scheme, on receiving a ciphertext, the proxy has the rights to perform the following three tasks according to the message confidentiality levels of the sender's intention: (1) to decrypt the ciphertext on behalf of the original decryptor; (2) to re-encrypt the ciphertext such that another user who is designated by the original decryptor can learn the message; (3) to do nothing except for forwarding the ciphertext to the original decryptor. Our scheme supports revocability in the sense that it allows proxy's decryption and re-encryption rights to be revoked even during the valid period of the proxy key without changing the original decryptor's public information. We prove that our proposal is indistinguishable against chosen identity and plaintext attacks in the standard model. We also show how to convert it into a system against chosen identity and ciphertext attacks by using the Fujisaki-Okamoto transformation.
• Shoichi HIROSE, Kota IDEGUCHI, Hidenori KUWAKADO, Toru OWADA, Bart PRE ...
Type: PAPER
Subject area: Hash Function
2012 Volume E95.A Issue 1 Pages 89-99
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
This paper proposes a new lightweight 256-bit hash function Lesamnta-LW. The security of Lesamnta-LW is reduced to that of the underlying AES-based block cipher and it is theoretically analyzed for an important application, namely the key-prefix mode. While most of recently proposed lightweight primitives are hardware-oriented with very small footprints, our main target with Lesamnta-LW is to achieve compact and fast hashing for lightweight application on a wider variety of environments ranging from inexpensive devices to high-end severs at the 2120 security level. As for performance, our primary target CPUs are 8-bit and it is shown that, for short message hashing, Lesamnta-LW offers better tradeoffs between speed and cost on an 8-bit CPU than SHA-256.
• Lei WANG, Yu SASAKI, Wataru KOMATSUBARA, Kazuo SAKIYAMA, Kazuo OHTA
Type: PAPER
Subject area: Hash Function
2012 Volume E95.A Issue 1 Pages 100-110
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
Even though meet-in-the-middle preimage attack framework has been successfully applied to attack most of narrow-pipe hash functions, it seems difficult to apply this framework to attack double-branch hash functions. Only few results have been published on this research. This paper proposes a refined strategy of applying meet-in-the-middle attack framework to double-branch hash functions. The main novelty is a new local-collision approach named one-message-word local collision. We have applied our strategy to two double-branch hash functions RIPEMD and RIPEMD-128, and obtain the following results.
• On RIPEMD. We find a pseudo-preimage attack on 47-step compression function, where the full version has 48 steps, with a complexity of 2119. It can be converted to a second preimage attack on 47-step hash function with a complexity of 2124.5. Moreover, we also improve previous preimage attacks on (intermediate) 35-step RIPEMD, and reduce the complexity from 2113 to 296.
• On RIPEMD-128. We find a pseudo-preimage on (intermediate) 36-step compression function, where the full version has 64 steps, with a complexity of 2123. It canl be converted to a preimage attack on (intermediate) 36-step hash function with a complexity of 2126.5.
Both RIPEMD and RIPEMD-128 produce 128-bit digests. Therefore our attacks are faster than the brute-force attack, which means that our attacks break the theoretical security bound of the above step-reduced variants of those two hash functions in the sense of (second) preimage resistance. The maximum number of the attacked steps on both those two hash functions is 35 among previous works based to our best knowledge. Therefore we have successfully increased the number of the attacked steps. We stress that our attacks does not break the security of full-version RIPEMD and RIPEMD-128. But the security mergin of RIPEMD becomes very narrow. On the other hand, RIPEMD-128 still has enough security margin.
• Yu SASAKI, Florian MENDEL, Kazumaro AOKI
Type: PAPER
Subject area: Hash Function
2012 Volume E95.A Issue 1 Pages 111-124
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
We propose preimage attacks against PKC98-Hash and HAS-V. PKC98-Hash is a 160-bit hash function proposed at PKC 1998, and HAS-V, a hash function proposed at SAC 2000, can produce hash values of 128+32k (k=0,1,...,6) bits. These hash functions adopt the Merkle-Damgård and Davies-Meyer constructions. One unique characteristic of these hash functions is that their step functions are not injective with a fixed message. We utilize this property to mount preimage attacks against these hash functions. Note that these attacks can work for an arbitrary number of steps. The best proposed attacks generate preimages of PKC98-Hash and HAS-V-320 in 264 and 2256 compression function computations with negligible memory, respectively. This is the first preimage attack against the full PKC98-Hash function.
• Isamu TERANISHI, Jun FURUKAWA
Type: PAPER
Subject area: Authentication
2012 Volume E95.A Issue 1 Pages 125-137
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
An anonymous credential system enables individuals to selectively prove their attributes while all other knowledge remains hidden. We considered the applicability of such a system to large scale infrastructure systems and perceived that revocations are still a problem. Then we contrived a scenario to lessen the number of revocations by using more attributes. In this scenario, each individual needs to handle a huge number of attributes, which is not practical with conventional systems. In particular, each individual needs to prove small amounts of attributes among a huge number of attributes and the manager of the system needs to certify a huge number of attributes of individuals periodically. These processes consume extremely large resources. This paper proposes an anonymous credential system in which both a user's proving attributes set, which is included in a huge attribute set, and manager's certifying attributes are very efficient. Conclusion Our proposal enables an anonymous credential system to be deployed as a large scale infrastructure system.
• Le Trieu PHONG, Kaoru KUROSAWA, Wakaha OGATA
Type: PAPER
Subject area: Authentication
2012 Volume E95.A Issue 1 Pages 138-150
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
Undeniable signature, and unpretendable signature schemes have been studied independently. In this paper, efficient schemes which serve as both at the same time are presented. The schemes find their typical application in anonymous auction where the winner cannot deny her bid; nobody can pretend to be the winner; and the anonymity of all losers is preserved. The security of the schemes is proved in the common reference string model under discrete logarithm type assumptions.
• Eiichiro FUJISAKI
Type: PAPER
Subject area: Authentication
2012 Volume E95.A Issue 1 Pages 151-166
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
Traceable ring signatures, proposed at PKC'07, are a variant of ring signatures, which allow a signer to anonymously sign a message with a tag behind a ring, i.e., a group of users chosen by the signer, unless he signs two messages with the same tag. However, if a signer signs twice on the same tag, the two signatures will be linked and the identity of the signer will be revealed when the two signed messages are different. Traceable ring signatures can be applied to anonymous write-in voting without any special voting authority and electronic coupon services. The previous traceable ring signature scheme relies on random oracles at its security and the signature size is linear in the number of ring members. This paper proposes the first secure traceable ring signature schemes without random oracles in the common reference string model. In addition, the proposed schemes have a signature size of O(√N), where N is the number of users in the ring.
• Ryo NISHIMAKI, Eiichiro FUJISAKI, Keisuke TANAKA
Type: PAPER
Subject area: Secure Protocol
2012 Volume E95.A Issue 1 Pages 167-175
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
This paper presents a new non-interactive string-commitment scheme that achieves universally composable security. Security is proven under the decisional composite residuosity (DCR) assumption (or the decisional Diffie-Hellman (DDH) assumption) in the common reference string (CRS) model. The universal composability (UC) is a very strong security notion. If cryptographic protocols are proven secure in the UC framework, then they remain secure even if they are composed with arbitrary protocols and polynomially many copies of the protocols are run concurrently. Many UC commitment schemes in the CRS model have been proposed, but they are either interactive commitment or bit-commitment (not string-commitment) schemes. We note, however, that although our scheme is the first non-interactive UC string-commitment scheme, a CRS is not reusable. We use an extension of all-but-one trapdoor functions (ABO-TDFs) proposed by Peikert and Waters at STOC 2008 as an essential building block. Our main idea is to extend (original deterministic) ABO-TDFs to probabilistic ones by using the homomorphic properties of their function indices. The function indices of ABO-TDFs consist of ciphertexts of homomorphic encryption schemes (such as ElGamal, and Damgård-Jurik encryption). Therefore we can re-randomize the output of ABO-TDFs by re-randomization of ciphertexts. This is a new application of ABO-TDFs.
• Ryo NISHIMAKI, Eiichiro FUJISAKI, Keisuke TANAKA
Type: PAPER
Subject area: Secure Protocol
2012 Volume E95.A Issue 1 Pages 176-184
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
This paper presents a new non-interactive multi-trapdoor commitment scheme from the standard RSA assumption. Multi-trapdoor commitment is a stronger variant of trapdoor commitment. Its notion was introduced by Gennaro at CRYPTO 2004. Multi-trapdoor commitment schemes are very useful because we can convert a non-interactive multi-trapdoor commitment scheme into a non-interactive and reusable non-malleable commitment scheme by using one-time signature and transform any proof of knowledge into a concurrently non-malleable one (this can be used as concurrently secure identification). Gennaro gave concrete constructions of multi-trapdoor commitment, but its security relies on stronger assumptions, such as the strong RSA assumption and the q-strong Diffie-Hellman assumption as opposed to our construction based on the standard RSA assumption. As a corollary of our results, we constructed a non-interactive and reusable non-malleable commitment scheme from the standard RSA assumption. Our scheme is based on the Hohenberger-Waters (weak) signature scheme presented at CRYPTO 2009. Several non-interactive and reusable non-malleable commitment schemes (in the common reference string model) have been proposed, but they all rely on stronger assumptions (such as the strong RSA assumption). Thus, we give the first construction of a non-interactive and reusable non-malleable commitment scheme from the standard RSA assumption.
• Kazuki YONEYAMA
Type: PAPER
Subject area: Formal Approach
2012 Volume E95.A Issue 1 Pages 185-195
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
In this paper, the substitutability of the indifferentiability framework with non-sequential scheduling is examined by reformulating the framework through applying the Task-PIOA framework, which provides non-sequential activation with oblivious task sequences. First, the indifferentiability framework with non-sequential scheduling is shown to be able to retain the substitutability. Thus, the substitutability can be applied in another situation that processes of the systems may behave non-sequentially. Next, this framework is shown to be closely related to reducibility of systems. Reducibility is useful to discuss about the construction of a system from a weaker system. Finally, two modelings with respectively sequential scheduling and non-sequential scheduling are shown to be mutually independent. We find examples of systems which are indifferentiable under one model but differentiable under the other. Thus, the importance of scheduling in the indifferentiability framework is clarified.
• Naoki OGURA, Shigenori UCHIYAMA, Naoki KANAYAMA, Eiji OKAMOTO
Type: PAPER
Subject area: Mathematics
2012 Volume E95.A Issue 1 Pages 196-203
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
This paper considers the normalization of Miller functions for computing “point-evaluation” pairings on an elliptic curve E over a finite field $\\GF_{q}$, where the characteristic of $\\GF_{q}$ is neither 2 nor 3. It is shown that the normalized Miller functions for computing point-evaluation pairings on $\\G_2 \\ imes \\G_1$ when (i) the embedding degree k is even, or (ii) 3|k and E/$\\GF_{q}$(q≡1(mod 3) is a curve of the form Y2=X3+b. Thus, there is no need to consider the normalization for computing pairings on many pairing-friendly elliptic curves.
• Takuya HAYASHI, Naoyuki SHINOHARA, Lihua WANG, Shin'ichiro MATSUO, Mas ...
Type: PAPER
Subject area: Mathematics
2012 Volume E95.A Issue 1 Pages 204-212
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
Pairings on elliptic curves over finite fields are crucial for constructing various cryptographic schemes. The ηT pairing on supersingular curves over GF(3n) is particularly popular since it is efficiently implementable. Taking into account the Menezes-Okamoto-Vanstone attack, the discrete logarithm problem (DLP) in GF(36n) becomes a concern for the security of cryptosystems using ηT pairings in this case. In 2006, Joux and Lercier proposed a new variant of the function field sieve in the medium prime case, named JL06-FFS. We have, however, not yet found any practical implementations on JL06-FFS over GF(36n). Therefore, we first fulfill such an implementation and we successfully set a new record for solving the DLP in GF(36n), the DLP in GF(36·71) of 676-bit size. In addition, we also compare JL06-FFS and an earlier version, named JL02-FFS, with practical experiments. Our results confirm that the former is several times faster than the latter under certain conditions.
• Kazuhide FUKUSHIMA, Shinsaku KIYOMOTO, Yutaka MIYAKE
Type: PAPER
Subject area: Software Protection
2012 Volume E95.A Issue 1 Pages 213-222
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
Establishment of a practical software protection method is a major issue in software distribution. There are several approaches to the issue; however, no practical, secure method for mobile phone applications has been proposed. In this paper, we propose a new software protection scheme combined with a tamper-proof device (TPD) in order to achieve computational security against illegal analysis and copying of the target program. Our scheme achieves a reasonable level of security for encoding the data and variables in a program. The program on a mobile phone deals only with encoded data that is difficult to compromise, and the TPD plays a role of decoding execution results. We implemented the proposed scheme on a 3G mobile phone and a user identification module (UIM). An analysis and copying of the protected program impose exponential computation complexities under our attack model.
• Koichi SHIMIZU, Daisuke SUZUKI, Tomomi KASUYA
Type: PAPER
Subject area: Implementation
2012 Volume E95.A Issue 1 Pages 223-233
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
In this paper, we propose a new Delay PUF architecture trying to solve the major problem of existing Delay PUFs that it is easy to predict the relation between delay information and generated information. For that purpose, our architecture exploits glitches as a source of information generation that behave non-linearly from delay variation between gates and the characteristic of pulse propagation of each gate. We thus call it the Glitch PUF. We present two circuit structures of the Glitch PUF both of which have their own merits. We then provide the results of evaluation in which we first verify that the two Glitch PUFs exhibit the same characteristics, and second show the randomness and statistical properties of the Glitch PUF.
• Yang LI, Kazuo OHTA, Kazuo SAKIYAMA
Type: PAPER
Subject area: Implementation
2012 Volume E95.A Issue 1 Pages 234-241
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
This paper proposes the countermeasures against an improved fault sensitivity analysis. Our countermeasure is proposed based on the WDDL technique due to its built-in resistance against both the power-based attack and differential fault analysis. At CHES 2010, Li et al. proposed the FSA attack on WDDL-AES. The vulnerability of WDDL-AES in their attack mainly comes from the implementation deficiency rather than the WDDL technique itself. This paper first proposes an improved fault sensitive analysis that can threat a well-implemented WDDL-AES based on the input-data dependency for the critical path delay of WDDL S-box. Then we discuss the possibility of efficient countermeasures by modifying the WDDL circuit with a limited overhead. The countermeasures are discussed based on either modifying the dual-rail to single-rail converter or the introduction of the enable signal.
• Junko TAKAHASHI, Toshinori FUKUNAGA, Kazuo SAKIYAMA
Type: PAPER
Subject area: Implementation
2012 Volume E95.A Issue 1 Pages 242-251
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
This paper proposes a differential fault analysis on the stream cipher MUGI, which uses two kinds of update functions of an intermediate state. MUGI was proposed by Hitachi, Ltd. in 2002 and is specified as ISO/IEC 18033-4 for keystream generation. Differential fault analysis (DFA) is a type of fault analysis, which is considered to be a serious threat against secure devices such as smart cards. DFA on MUGI was first proposed at ICISC 2010 [25]; however, the attack condition for the successful attack such as the position into which the fault is injected was restricted. In this paper, we extend the attack methods which are more practical, based on a one-byte and a multi-byte fault models using the relationship between two kinds of update functions that are mutually dependent. In the proposed attack, the attacker can know the position affected by the fault injection even if he has no control of the timing of the fault injection. As a result, a 128-bit secret key can be recovered using 13 pairs of correct and faulty outputs on average.
Type: LETTER
2012 Volume E95.A Issue 1 Pages 252-255
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
This article discusses the provable security of block-cipher-based hash functions. It introduces a new model called a weak ideal cipher model. In this model, an adversary is allowed to make key-disclosure queries to the oracle as well as encryption and decryption queries. A key-disclosure query is a pair of a plaintext and a ciphertext, and the reply is a corresponding key. Thus, in this model, a block cipher is random but completely insecure as a block cipher. It is shown that collision resistant hash functions can be constructed even in this weak model.
• Hu XIONG, Xiaofeng WANG, Fagen LI
Type: LETTER
2012 Volume E95.A Issue 1 Pages 256-258
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
Recently, Kang et al. discussed some security flaws of Wu et al.'s and Wei et al.'s authentication schemes that guarantee user anonymity in wireless communications and showed how to overcome the problems regarding anonymity and the forged login messages. However, we will show that Kang et al.'s improved scheme still did not provide user anonymity as they claimed.
• Mingwu ZHANG, Tsuyoshi TAKAGI, Bo YANG, Fagen LI
Type: LETTER
2012 Volume E95.A Issue 1 Pages 259-262
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
Strong designated verifier signature scheme (SDVS) allows a verifier to privately check the validity of a signature. Recently, Huang et al. first constructed an identity-based SDVS scheme (HYWS) in a stronger security model with non-interactive proof of knowledge, which holds the security properties of unforgeability, non-transferability, non-delegatability, and privacy of signer's identity. In this paper, we show that their scheme does not provide the claimed properties. Our analysis indicates that HYWS scheme neither resist on the designated verifier signature forgery nor provide simulation indistinguishability, which violates the security properties of unforgeability, non-delegatability and non-transferability.
• Sho ENDO, Takeshi SUGAWARA, Naofumi HOMMA, Takafumi AOKI, Akashi SATOH
Type: LETTER
2012 Volume E95.A Issue 1 Pages 263-266
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
This paper presents a glitchy-clock generator integrated in FPGA for evaluating fault injection attacks and their countermeasures on cryptographic modules. The proposed generator exploits clock management capabilities, which are common in modern FPGAs, to generate clock signal with temporal voltage spike. The shape and timing of the glitchy-clock cycle are configurable at run time. The proposed generator can be embedded in a single FPGA without any external instrument (e.g., a pulse generator and a variable power supply). Such integration enables reliable and reproducible fault injection experiments. In this paper, we examine the characteristics of the proposed generator through experiments on Side-channel Attack Standard Evaluation Board (SASEBO). The result shows that the timing of the glitches can be controlled at the step of about 0.17ns. We also demonstrate its application to the safe-error attack against an RSA processor.
• Ruilin LI, Bing SUN, Chao LI, Shaojing FU
Type: LETTER
2012 Volume E95.A Issue 1 Pages 267-269
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
T-function is a kind of cryptographic function which is shown to be useful in various applications. It is known that any function f on $\\mathbb F_2^n$ or $\\mathbb{Z}_{2^n}$ automatically deduces a unique polynomial $f^{\\mathbb{F}}\in\mathbb{F}_{2^n}[x]$ with degree ≤2n-1. In this letter, we study an algebraic property of $f^{\\mathbb{F}}$ while f is a T-function. We prove that for a single cycle T-function f on $\\mathbb{F}_2^n$ or $\\mathbb{Z}_{2^n}$, $\\deg f^{\\mathbb{F}}=2^n-2$ which is optimal for a permutation. We also consider a kind of widely used T-function in many cryptographic algorithms, namely the modular addition function $A_b(x)=x+b\\in\\mathbb Z_{2^n}[x]$. We demonstrate how to calculate $\\deg A_b^{\\mathbb{F}}$ from the constant value b. These results can facilitate us to evaluate the immunity of the T-function based cryptosystem against some known attacks such as interpolation attack and integral attack.
Special Section on Intelligent Transport Systems
• Makoto ITAMI, Hiromasa HABUCHI
2012 Volume E95.A Issue 1 Pages 270
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
• Kiyohito TOKUDA
Type: INVITED PAPER
Subject area: ITS
2012 Volume E95.A Issue 1 Pages 271-277
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
ITS (Intelligent Transport Systems) wireless communications system has been developing based on the leading edge ICT (Information Communication Technologies) in Japan. The comfort driving systems for example VICS (Vehicular Information Communication system), ETC (Electronic Toll Collection), Telematics has already become popular and the safety driving support systems, such as ASV (Advanced Safety Vehicle) and SMARTWAY have been scheduled for introduction in the near future. However, there are many residual issues in the comfort driving system because of the existence of the traffic jam and the interest of the economical cars in the world. Moreover, the acceleration of the development of the Smart Grid and EV (Electric Vehicle) would affect the future development of the ITS wireless communications system. In this paper, it is clarified that the future development should be advanced considering the one of the basic business rule of ‘market-in and product-out’.
• Luobei KUANG, Zhijun WANG, Ming XU, Yingwen CHEN
Type: PAPER
Subject area: ITS
2012 Volume E95.A Issue 1 Pages 278-285
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
Handoff plays an important role in vehicular networks due to high movement of vehicles. To provide seamless connectivity under Access Points (AP), this paper proposes an adaptive handoff triggering method to minimize communication time for a vehicle with an AP switch (i.e., whether and when to trigger a handoff process). In the proposed method, combined with an improved data transmission rate based trigger, handoff triggering decision is executed based on three different communication methods (called C-Dire, C-Relay and C-ALLRelay) to minimize the transmission delay when a vehicle moves from an AP to another. Transmission delay is derived through considering vehicle mobility and transmission rate diversity. The simulation results show that the proposed method is proven to be adaptive to vehicular networks.
• Hiroyuki HATANO, Tomoharu MIZUTANI, Yoshihiko KUWAHARA
Type: PAPER
Subject area: ITS
2012 Volume E95.A Issue 1 Pages 286-295
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
We consider the position estimation system for targets which exist in near wide area. The system has multiple sensors and estimates the position with multiple receivers. In the past, if receivers were arranged on a straight line, the large position error in the same direction of the line is generated. In order to reduce the error, we propose a novel estimation algorithm using transmitter's directivity information. Our system use directional emission made by an array of antennas in a transmitter. In this paper, the error characteristic which should be solved is introduced firstly. After that, our algorithm is presented. Finally the performance of the error reduction is shown by computer simulations. And we also confirm the reduction by experimental trials. The results indicate good reduction of the error.
• HyungKwan KIM, Yuuki SHIBAYAMA, Shunsuke KAMIJO
Type: PAPER
Subject area: ITS
2012 Volume E95.A Issue 1 Pages 296-304
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
This paper presents a general algorithm for pedestrian detection by on-board monocular camera which can be applied to cameras of various view ranges. Under the assumption that motion of background can be nearly approximated as a linear function, the Spatio-Temporal MRF (S-T MRF) model segments foreground objects. The foreground objects contain both pedestrian and non-pedestrian urban objects, verification was conducted by a cascaded classifier. However, the segmentation results based on motion were not exactly fit into pedestrian on the image so that shrunk or inflated pedestrian were generated. This causes errors on extracting pedestrian trajectory. For precise positioning, we implemented two types of feedback algorithm for ROI correction using the Kalman filter and the voting result of Motion-classifier and HOG-classifier. We confirmed that those ROI Corrections successfully extract precise area of pedestrian and decrease the false negative rate. Elaborately extracted pedestrian trajectory could be used as a useful source for predicting collision to pedestrian.
• Chien-Sheng CHEN, Jium-Ming LIN, Wen-Hsiung LIU, Ching-Lung CHI
Type: PAPER
Subject area: ITS
2012 Volume E95.A Issue 1 Pages 305-312
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
Intelligent transportation system (ITS) makes use of vehicle position to decrease the heavy traffic and improve service reliability of public transportation system. Many existing systems, such as global positioning system (GPS) and cellular communication systems, can be used to estimate vehicle location. The objective of wireless location is to determine the mobile station (MS) location in a wireless cellular communications system. The non-line-of-sight (NLOS) problem is the most crucial factor that it causes large measured error. In this paper, we present a novel positioning algorithm based on genetic algorithm (GA) to locate MS when three BSs are available for location purpose. Recently, GA are widely used as many various optimization problems. The proposed algorithm utilizes the intersections of three time of arrival (TOA) circles based on GA to estimate the MS location. The simulation results show that the proposed algorithms can really improve the location accuracy, even under severe NLOS conditions.
Type: LETTER
Subject area: ITS
2012 Volume E95.A Issue 1 Pages 313-316
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
Many researchers have recently studied various applications such as Inter-Vehicle Communications (IVC) and Road-to-Vehicle Communications (RVC) for Intelligent Transport Systems (ITS). RVC is a key technology that can connect vehicles with the internet through Road Side Units (RSUs). Relative positions between vehicles vary within short periods of time. Neighboring vehicles and barriers cause shadowing that blocks communication for extended periods of time between RSUs and vehicles. We propose a fast scheme of Mobile IPv6 handover using dual-band communications in RVC. This scheme uses ISM and UHF dual bands. It switches to the UHF band during handover or in the shadowing period. We demonstrate that the proposed scheme can establish continuous communications through computer simulations.
• Hiroyuki HATANO, Tomoharu MIZUTANI, Kazuya SUGIYAMA, Yoshihiko KUWAHAR ...
Type: LETTER
Subject area: ITS
2012 Volume E95.A Issue 1 Pages 317-321
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
Radar networks show an interesting potential for safety and comfortable applications such as short-range automotive monitoring system or indoor monitoring. This paper presents our novel estimation algorithm of a target position. Especially we evaluate the performance about estimation accuracy and resistance to ghost targets under multipath environment. In above applications, the robust estimation is needed because the receivers tend to output corrupted measurement data. The corrupted data are mostly generated by multipath, sensitivity of receivers. As a result of computer simulations, our algorithm has fine accuracy and robust detections compared with a popular trilateration algorithm.
Regular Section
• Akira HIRABAYASHI
Type: PAPER
Subject area: Digital Signal Processing
2012 Volume E95.A Issue 1 Pages 322-329
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
We address a problem of sampling and reconstructing periodic piecewise polynomials based on the theory for signals with a finite rate of innovation (FRI signals) from samples acquired by a sinc kernel. This problem was discussed in a previous paper. There was, however, an error in a condition about the sinc kernel. Further, even though the signal is represented by parameters, these explicit values are not obtained. Hence, in this paper, we provide a correct condition for the sinc kernel and show the procedure. The point is that, though a periodic piecewise polynomial of degree R is defined as a signal mapped to a periodic stream of differentiated Diracs by R+1 time differentiation, the mapping is not one-to-one. Therefore, to recover the stream is not sufficient to reconstruct the original signal. To solve this problem, we use the average of the target signal, which is available because of the sinc sampling. Simulation results show the correctness of our reconstruction procedure. We also show a sampling theorem for FRI signals with derivatives of a generic known function.
Type: PAPER
Subject area: Digital Signal Processing
2012 Volume E95.A Issue 1 Pages 330-337
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
In this paper, we present a maximum a posteriori probability (MAP) approach to the problem of blind estimation of single-input, multiple-output (SIMO), finite impulse response (FIR) channels. A number of methods have been developed to date for this blind estimation problem. Some of those utilize prior knowledge on input signal statistics. However, there are very few that utilize channel statistics too. In this paper, the unknown channel to be estimated is assumed as the frequency-selective Rayleigh fading channel, and we incorporate the channel prior distributions (and hyperprior distributions) into our model in two different ways. Then for each case an iterative MAP estimator is derived approximately. Performance comparisons over existing methods are conducted via numerical simulation on randomly generated channel coefficients according to the Rayleigh fading channel model. It is shown that improved estimation performance can be achieved through the MAP approaches, especially for such channel realizations that have resulted in large estimation error with existing methods.
• Kazuo HORIUCHI
Type: PAPER
Subject area: Circuit Theory
2012 Volume E95.A Issue 1 Pages 338-345
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
In this paper, we shall describe a basic fuzzy-estimation theory based on the concept of set-valued operators, suitable for available operation of extremely complicated large-scale network systems. Fundamental conditions for availability of system behaviors of such network systems are clarified in a form of β-level fixed point theorem for system of fuzzy-set-valued operators. Here, the proof of this theorem is accomplished by the concept of Hausdorff's ball measure of non-compactness introduced into the Banach space.
• Sang Woo SIN, Ru ZHOU, Dongju LI, Tsuyoshi ISSHIKI, Hiroaki KUNIEDA
Type: PAPER
Subject area: Algorithms and Data Structures
2012 Volume E95.A Issue 1 Pages 346-353
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
A novel Template Updating system for fingerprint verification systems used in mobile applications is introduced in the paper. Based on the proposed method, the system performance is improved much more than the original one. Not only the FRR (False Reject Rate) but also the small overlap problem caused by the very narrow sensor on the mobile phone are solved. Based on the template updating system, templates are replaced with matched inputs towards a target structure which can expand the coverage of templates with large displacement and rotation. By using the test database, the system performance shows the FRR can be reduced by 79% in comparison with the one without template updating procedure. This system was adopted in practical mobile phones in the commercial market in 2009.
• Yoshifumi SAKAI
Type: PAPER
Subject area: Algorithms and Data Structures
2012 Volume E95.A Issue 1 Pages 354-361
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
This article presents an algorithm that solves an on-line version of the longest common subsequence (LCS) problem for two strings over a constant alphabet in O(d+n) time and O(m+d) space, where m is the length of the shorter string, the whole of which is given to the algorithm in advance, n is the length of the longer string, which is given as a data stream, and d is the number of dominant matches between the two strings. A new upper bound, O(p(m-q)), of d is also presented, where p is the length of the LCS of the two strings, and q is the length of the LCS of the shorter string and the m-length prefix of the longer string.
• Hua ZHAO, Songfeng LU
Type: PAPER
Subject area: Algorithms and Data Structures
2012 Volume E95.A Issue 1 Pages 362-366
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
Let T be a text of length n and P be a pattern of length m, both strings over a fixed finite alphabet. The Pattern Matching with Swaps problem is to find all occurrences of P in T if adjacent pattern characters can be swapped. In the Approximate Pattern Matching problem with Swaps, one seeks for every text location with a swapped match of P, the number of swaps necessary to obtain a match at the location. In this paper we provide the first off-line solution for the swap matching problem and the approximate pattern matching problem with swaps. We present a new data-structure called a Swap-transforming Tree. And we give a precise upper-bond of the number of the swapped versions of a pattern. By using the swap-transforming tree, we can solve both problems in time O(λmlog 2n) on an O(nHk) bits indexing data structure. Here λ is a constant. Our solution is more effective when the pattern is short.
• Lu ZHAO, Qiao-yan WEN, Jie ZHANG, Zheng-ping JIN
Type: PAPER
Subject area: Cryptography and Information Security
2012 Volume E95.A Issue 1 Pages 367-371
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
The 2-adic complexity of binary periodic sequences plays an important role in cryptology. In this paper, by means of the usual Fourier transform, we give a simpler form of the upper bound for 2-adic complexity than related result before. For pn-periodic sequences, we discuss the relation between sequences and their Fourier coefficients. Furthermore, based on the relation, we get the lower bound for the number of pn-periodic sequences with given 2-adic complexity.
• Deukjo HONG, Bonwook KOO, Dong-Chan KIM
Type: PAPER
Subject area: Cryptography and Information Security
2012 Volume E95.A Issue 1 Pages 372-380
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
We present pseudo-preimage attacks on Davis-Meyer mode of reduced rounds of the block ciphers ARIA, Camellia, and Serpent by using Sasaki's framework. They yield preimage or second-preimage attacks on PGV hashing modes. We develop proper initial structures for applying meet-in-the-middle techniques to the block ciphers, by considering their diffusion layers, and propose a method to find matching-check equations for indirect partial matching technique with a binary matrix. These works enable us to attack 5 rounds of ARIA, 7 rounds of Camellia, and 4 rounds of Serpent faster than brute force attack.
• Takayuki NOZAKI, Kenta KASAI, Kohichi SAKANIWA
Type: PAPER
Subject area: Coding Theory
2012 Volume E95.A Issue 1 Pages 381-390
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
In this paper, we investigate the error floors of the non-binary low-density parity-check codes transmitted over the binary erasure channels under belief propagation decoding. We propose a method to improve the decoding erasure rates in the error floors by optimizing labels in zigzag cycles in the Tanner graphs of codes. Furthermore, we give lower bounds on the bit and the symbol erasure rates in the error floors. The simulation results show that the presented lower bounds are tight for the codes designed by the proposed method.
• Hee-Suk PANG, Jun-Seok LIM, Oh-Jin KWON, Sang Bae CHON, Mingu LEE, Jeo ...
Type: LETTER
Subject area: Engineering Acoustics
2012 Volume E95.A Issue 1 Pages 391-394
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
An efficient method is proposed for reconstructing speakerphone-mode cellular phone sound. The overall transfer function from digital PCM signals stored in a cellular phone to dummy head-recorded signals is modeled as a combination of a cellular phone transfer function (CPTF) and a cellular phone-to-listener transfer function (CPLTF). The CPTF represents the linear and nonlinear characteristics of a cellular phone and is modeled by the Volterra model. The CPLTF represents the effect of the path from a cellular phone to a dummy head and is measured. Listening tests show the effectiveness of the proposed method. An application scenario of the proposed method is also addressed for sound quality assessment of cellular phones in speakerphone mode.
• Yan CAO, Gang WEI
Type: LETTER
Subject area: Digital Signal Processing
2012 Volume E95.A Issue 1 Pages 395-399
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
A new frequency estimator for a single real-valued sinusoid signal in white noise is proposed. The new estimator uses the Pisarenko Harmonic Decomposer (PHD) estimator to get a coarse frequency estimate and then makes use of multiple correlation lags to obtain an adjustment term. For the limited-length single sinusoid, its correlation has the same frequency as itself but with a non-zero phase. We propose to use Taylor series to expand the correlation at the PHD coarse estimated frequency with amplitude and phase of the correlation into consideration. Simulation results show that this new method improves the estimation performance of the PHD estimator. Moreover, when compared with other existing estimator, the mean square frequency error of the proposed method is closer to the Cramer-Rao Lower Bound (CRLB) for certain SNR range.
• Fanxin ZENG, Xiaoping ZENG, Zhenyu ZHANG, Guixin XUAN
Type: LETTER
Subject area: Digital Signal Processing
2012 Volume E95.A Issue 1 Pages 400-405
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
Based on quadriphase perfect sequences and their cyclical shift versions, three families of almost perfect 16-QAM sequences are presented. When one of two time shifts chosen equals half a period of quadriphase sequence employed and another is zero, two of the proposed three sequence families possess the property that their out-of-phase autocorrelation function values vanish except one. At the same time, to the other time shifts, the nontrivial autocorrelation function values in three families are zero except two or four. In addition, two classes of periodic complementary sequence (PCS) pairs over the 16-QAM constellation, whose autocorrelation is similar to the one of conventional PCS pairs, are constructed as well.
• Masafumi KUBOTA, Toshimichi SAITO
Type: LETTER
Subject area: Nonlinear Problems
2012 Volume E95.A Issue 1 Pages 406-409
Published: January 01, 2012
Released: January 01, 2012
JOURNALS RESTRICTED ACCESS
This letter studies a nesting discrete particle swarm optimizer for multi-solution problems. The algorithm operates in discrete search space and consists of two stages. The first stage is global search in rough lattice points for constructing local sub-regions each of which includes one target solution. The second stage is local search where the algorithm operates in parallel in fine lattice points of local subspaces and tires to find all the approximate solutions within a criterion. We then propose an application to finding multiple fixed points in nonlinear dynamical systems and investigate the algorithm efficiency.