IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
Online ISSN : 1745-1337
Print ISSN : 0916-8508
Volume E95.A , Issue 1
Showing 1-50 articles out of 53 articles from the selected issue
Special Section on Cryptography and Information Security
  • Naoya TORII
    2012 Volume E95.A Issue 1 Pages 1
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    Download PDF (99K)
  • Yasutaka IGARASHI, Toshinobu KANEKO
    Type: PAPER
    Subject area: Symmetric Cryptography
    2012 Volume E95.A Issue 1 Pages 2-7
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    CLEFIA is a 128-bit block cipher proposed by Shirai et al. in 2007. On its saturation attack, Tsunoo et al. reported peculiar saturation characteristics in 2010. They formulated some hypotheses on the existence of the characteristics with no proof. In this paper we have theoretically proved their hypotheses. In their attack scenario, we show that the mod-2 distribution is a code word of Extended Hamming code, and then proof is given by using the property of Hadamard transform.
    Download PDF (482K)
  • Yasushi OSAKI, Tetsu IWATA
    Type: PAPER
    Subject area: Symmetric Cryptography
    2012 Volume E95.A Issue 1 Pages 8-20
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    Constructing a secure and efficient key wrapping scheme is demanding, and the scheme based on a universal hash function and an elementary encryption mode like ECB and CBC modes is potential for a practical use. However, at SAC 2009, Gennaro and Halevi showed that a key wrapping scheme using a universal hash function and ECB mode (a HtECB scheme) is broken, and the security of a scheme based on a universal hash function and CBC mode (a HtCBC scheme) has been left as an open problem. In this paper, we first generalize classical notions of universal and uniform hash functions, and propose a total of four new notions of the keyed hash function. We then prove that HtECB and HtCBC schemes are secure key wrapping schemes if the universal hash function satisfies uniformity and our notions, where the result on the HtCBC scheme gives a partial answer to the open problem. Then we discuss a basic problem of identifying relations between various notions of a keyed hash function, and point out that a monic polynomial hash function satisfies all the new notions.
    Download PDF (407K)
  • Yu SASAKI
    Type: PAPER
    Subject area: Symmetric Cryptography
    2012 Volume E95.A Issue 1 Pages 21-28
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    In this paper, we present known-key attacks on block cipher Rijndael for 192-bit block and 256-bit block. Our attacks work up to 8 rounds for 192-bit block and 9 rounds for 256-bit block, which are one round longer than the previous best known-key attacks. We then search for the parameters for the ShiftRow operation which is stronger against our attacks than the one in the Rijndael specification. Finally, we show a parameter for 192-bit block which forces attackers to activate more bytes to generate a truncated differential path, and thus enhances the security against our attacks.
    Download PDF (627K)
  • Minkyu KIM, Atsushi FUJIOKA, Berkant USTAOGLU
    Type: PAPER
    Subject area: Public Key Cryptography
    2012 Volume E95.A Issue 1 Pages 29-39
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    LaMacchia, Lauter and Mityagin [19] proposed a novel security definition for authenticate key exchange (AKE) that gives an adversary the power to obtain ephemeral information regarding a target test session. To demonstrate feasibility of secure protocols in the new definition, henceforth called eCK, the authors described a protocol called NAXOS. NAXOS combines an ephemeral private key x with a static private key a to generate an ephemeral public key X (more precisely in what we call the NAXOS' approach X=gH(x,a)). Thus no one is able to query the discrete logarithm of X without knowing both the ephemeral and static private keys. This idea is crucial in the security argument to guard against leaked ephemeral secrets belonging to the test session. Another important assumption is the gap assumption that allows the protocol to remain secure even in the presence of malicious insiders. Both ideas have been successfully used in creating various protocols secure in the eCK model. In this paper, we construct two eCK-secure protocols without the above mentioned ideas. KFU1 is secure under the GDH assumption without using the NAXOS' approach. KFU2 builds upon KFU1 and drops the gap requirement, thus it is secure under the CDH assumption. Efficiency and security of the proposed protocols are comparable to the well-known HMQV [15] protocol. Furthermore, unlike HMQV and NAXOS the use of the random oracle in KFU1 and KFU2 is restricted to the key derivation function making them more suitable for practical applications.
    Download PDF (360K)
  • Atsushi FUJIOKA, Koutarou SUZUKI, Kazuki YONEYAMA
    Type: PAPER
    Subject area: Public Key Cryptography
    2012 Volume E95.A Issue 1 Pages 40-56
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    This paper firstly provides the extended Canetti-Krawzcyk (eCK) security model for predicate-based authenticated key exchange (AKE) that guarantees resistance to leakage of ephemeral secret keys. Moreover, we propose two-pass key-policy (resp. session-policy) attribute-based AKE protocol secure in the proposed predicate-based eCK security model based on key-policy (resp. ciphertext-policy) attribute-based encryption. The proposed protocols have advantages in security against leakage of ephemeral secret keys and the round complexity compared to the previous predicate-based AKE protocols.
    Download PDF (495K)
  • Atsushi FUJIOKA, Yoshiaki OKAMOTO, Taiichi SAITO
    Type: PAPER
    Subject area: Public Key Cryptography
    2012 Volume E95.A Issue 1 Pages 57-69
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    This paper analyzes security of sequential multiple encryptions based on asymmetric key encryptions, and shows that a sequential construction of secure multiple encryptions exists. The sequential multiple encryption scheme can be proved to be indistinguishable against chosen ciphertext attacks for multiple encryptions (IND-ME-CCA), where the adversary can access to the decryption oracle of the multiple encryption, even when all the underlying encryptions of the multiple encryption are indistinguishable against chosen plaintext attacks (IND-CPA}). We provide an extended security notion of sequential multiple encryptions, in which the adversary is allowed to access decryption oracles of the underlying encryptions in addition to the multiple encryption, and show that our constructed scheme satisfies the security notion when all the underlying encryptions are indistinguishable against chosen ciphertext attacks (IND-CCA).
    Download PDF (415K)
  • Lihua WANG, Licheng WANG, Masahiro MAMBO, Eiji OKAMOTO
    Type: PAPER
    Subject area: Public Key Cryptography
    2012 Volume E95.A Issue 1 Pages 70-88
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    Proxy cryptosystems are classified into proxy decryption systems and proxy re-encryption systems on the basis of a proxy's role. In this paper, we propose an ID-based proxy cryptosystem with revocability and hierarchical confidentialities. In our scheme, on receiving a ciphertext, the proxy has the rights to perform the following three tasks according to the message confidentiality levels of the sender's intention: (1) to decrypt the ciphertext on behalf of the original decryptor; (2) to re-encrypt the ciphertext such that another user who is designated by the original decryptor can learn the message; (3) to do nothing except for forwarding the ciphertext to the original decryptor. Our scheme supports revocability in the sense that it allows proxy's decryption and re-encryption rights to be revoked even during the valid period of the proxy key without changing the original decryptor's public information. We prove that our proposal is indistinguishable against chosen identity and plaintext attacks in the standard model. We also show how to convert it into a system against chosen identity and ciphertext attacks by using the Fujisaki-Okamoto transformation.
    Download PDF (903K)
  • Shoichi HIROSE, Kota IDEGUCHI, Hidenori KUWAKADO, Toru OWADA, Bart PRE ...
    Type: PAPER
    Subject area: Hash Function
    2012 Volume E95.A Issue 1 Pages 89-99
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    This paper proposes a new lightweight 256-bit hash function Lesamnta-LW. The security of Lesamnta-LW is reduced to that of the underlying AES-based block cipher and it is theoretically analyzed for an important application, namely the key-prefix mode. While most of recently proposed lightweight primitives are hardware-oriented with very small footprints, our main target with Lesamnta-LW is to achieve compact and fast hashing for lightweight application on a wider variety of environments ranging from inexpensive devices to high-end severs at the 2120 security level. As for performance, our primary target CPUs are 8-bit and it is shown that, for short message hashing, Lesamnta-LW offers better tradeoffs between speed and cost on an 8-bit CPU than SHA-256.
    Download PDF (651K)
  • Lei WANG, Yu SASAKI, Wataru KOMATSUBARA, Kazuo SAKIYAMA, Kazuo OHTA
    Type: PAPER
    Subject area: Hash Function
    2012 Volume E95.A Issue 1 Pages 100-110
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    Even though meet-in-the-middle preimage attack framework has been successfully applied to attack most of narrow-pipe hash functions, it seems difficult to apply this framework to attack double-branch hash functions. Only few results have been published on this research. This paper proposes a refined strategy of applying meet-in-the-middle attack framework to double-branch hash functions. The main novelty is a new local-collision approach named one-message-word local collision. We have applied our strategy to two double-branch hash functions RIPEMD and RIPEMD-128, and obtain the following results.
    • On RIPEMD. We find a pseudo-preimage attack on 47-step compression function, where the full version has 48 steps, with a complexity of 2119. It can be converted to a second preimage attack on 47-step hash function with a complexity of 2124.5. Moreover, we also improve previous preimage attacks on (intermediate) 35-step RIPEMD, and reduce the complexity from 2113 to 296.
    • On RIPEMD-128. We find a pseudo-preimage on (intermediate) 36-step compression function, where the full version has 64 steps, with a complexity of 2123. It canl be converted to a preimage attack on (intermediate) 36-step hash function with a complexity of 2126.5.
    Both RIPEMD and RIPEMD-128 produce 128-bit digests. Therefore our attacks are faster than the brute-force attack, which means that our attacks break the theoretical security bound of the above step-reduced variants of those two hash functions in the sense of (second) preimage resistance. The maximum number of the attacked steps on both those two hash functions is 35 among previous works based to our best knowledge. Therefore we have successfully increased the number of the attacked steps. We stress that our attacks does not break the security of full-version RIPEMD and RIPEMD-128. But the security mergin of RIPEMD becomes very narrow. On the other hand, RIPEMD-128 still has enough security margin.
    Download PDF (1507K)
  • Yu SASAKI, Florian MENDEL, Kazumaro AOKI
    Type: PAPER
    Subject area: Hash Function
    2012 Volume E95.A Issue 1 Pages 111-124
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    We propose preimage attacks against PKC98-Hash and HAS-V. PKC98-Hash is a 160-bit hash function proposed at PKC 1998, and HAS-V, a hash function proposed at SAC 2000, can produce hash values of 128+32k (k=0,1,...,6) bits. These hash functions adopt the Merkle-Damgård and Davies-Meyer constructions. One unique characteristic of these hash functions is that their step functions are not injective with a fixed message. We utilize this property to mount preimage attacks against these hash functions. Note that these attacks can work for an arbitrary number of steps. The best proposed attacks generate preimages of PKC98-Hash and HAS-V-320 in 264 and 2256 compression function computations with negligible memory, respectively. This is the first preimage attack against the full PKC98-Hash function.
    Download PDF (679K)
  • Isamu TERANISHI, Jun FURUKAWA
    Type: PAPER
    Subject area: Authentication
    2012 Volume E95.A Issue 1 Pages 125-137
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    An anonymous credential system enables individuals to selectively prove their attributes while all other knowledge remains hidden. We considered the applicability of such a system to large scale infrastructure systems and perceived that revocations are still a problem. Then we contrived a scenario to lessen the number of revocations by using more attributes. In this scenario, each individual needs to handle a huge number of attributes, which is not practical with conventional systems. In particular, each individual needs to prove small amounts of attributes among a huge number of attributes and the manager of the system needs to certify a huge number of attributes of individuals periodically. These processes consume extremely large resources. This paper proposes an anonymous credential system in which both a user's proving attributes set, which is included in a huge attribute set, and manager's certifying attributes are very efficient. Conclusion Our proposal enables an anonymous credential system to be deployed as a large scale infrastructure system.
    Download PDF (322K)
  • Le Trieu PHONG, Kaoru KUROSAWA, Wakaha OGATA
    Type: PAPER
    Subject area: Authentication
    2012 Volume E95.A Issue 1 Pages 138-150
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    Undeniable signature, and unpretendable signature schemes have been studied independently. In this paper, efficient schemes which serve as both at the same time are presented. The schemes find their typical application in anonymous auction where the winner cannot deny her bid; nobody can pretend to be the winner; and the anonymity of all losers is preserved. The security of the schemes is proved in the common reference string model under discrete logarithm type assumptions.
    Download PDF (408K)
  • Eiichiro FUJISAKI
    Type: PAPER
    Subject area: Authentication
    2012 Volume E95.A Issue 1 Pages 151-166
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    Traceable ring signatures, proposed at PKC'07, are a variant of ring signatures, which allow a signer to anonymously sign a message with a tag behind a ring, i.e., a group of users chosen by the signer, unless he signs two messages with the same tag. However, if a signer signs twice on the same tag, the two signatures will be linked and the identity of the signer will be revealed when the two signed messages are different. Traceable ring signatures can be applied to anonymous write-in voting without any special voting authority and electronic coupon services. The previous traceable ring signature scheme relies on random oracles at its security and the signature size is linear in the number of ring members. This paper proposes the first secure traceable ring signature schemes without random oracles in the common reference string model. In addition, the proposed schemes have a signature size of O(√N), where N is the number of users in the ring.
    Download PDF (341K)
  • Ryo NISHIMAKI, Eiichiro FUJISAKI, Keisuke TANAKA
    Type: PAPER
    Subject area: Secure Protocol
    2012 Volume E95.A Issue 1 Pages 167-175
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    This paper presents a new non-interactive string-commitment scheme that achieves universally composable security. Security is proven under the decisional composite residuosity (DCR) assumption (or the decisional Diffie-Hellman (DDH) assumption) in the common reference string (CRS) model. The universal composability (UC) is a very strong security notion. If cryptographic protocols are proven secure in the UC framework, then they remain secure even if they are composed with arbitrary protocols and polynomially many copies of the protocols are run concurrently. Many UC commitment schemes in the CRS model have been proposed, but they are either interactive commitment or bit-commitment (not string-commitment) schemes. We note, however, that although our scheme is the first non-interactive UC string-commitment scheme, a CRS is not reusable. We use an extension of all-but-one trapdoor functions (ABO-TDFs) proposed by Peikert and Waters at STOC 2008 as an essential building block. Our main idea is to extend (original deterministic) ABO-TDFs to probabilistic ones by using the homomorphic properties of their function indices. The function indices of ABO-TDFs consist of ciphertexts of homomorphic encryption schemes (such as ElGamal, and Damgård-Jurik encryption). Therefore we can re-randomize the output of ABO-TDFs by re-randomization of ciphertexts. This is a new application of ABO-TDFs.
    Download PDF (349K)
  • Ryo NISHIMAKI, Eiichiro FUJISAKI, Keisuke TANAKA
    Type: PAPER
    Subject area: Secure Protocol
    2012 Volume E95.A Issue 1 Pages 176-184
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    This paper presents a new non-interactive multi-trapdoor commitment scheme from the standard RSA assumption. Multi-trapdoor commitment is a stronger variant of trapdoor commitment. Its notion was introduced by Gennaro at CRYPTO 2004. Multi-trapdoor commitment schemes are very useful because we can convert a non-interactive multi-trapdoor commitment scheme into a non-interactive and reusable non-malleable commitment scheme by using one-time signature and transform any proof of knowledge into a concurrently non-malleable one (this can be used as concurrently secure identification). Gennaro gave concrete constructions of multi-trapdoor commitment, but its security relies on stronger assumptions, such as the strong RSA assumption and the q-strong Diffie-Hellman assumption as opposed to our construction based on the standard RSA assumption. As a corollary of our results, we constructed a non-interactive and reusable non-malleable commitment scheme from the standard RSA assumption. Our scheme is based on the Hohenberger-Waters (weak) signature scheme presented at CRYPTO 2009. Several non-interactive and reusable non-malleable commitment schemes (in the common reference string model) have been proposed, but they all rely on stronger assumptions (such as the strong RSA assumption). Thus, we give the first construction of a non-interactive and reusable non-malleable commitment scheme from the standard RSA assumption.
    Download PDF (334K)
  • Kazuki YONEYAMA
    Type: PAPER
    Subject area: Formal Approach
    2012 Volume E95.A Issue 1 Pages 185-195
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    In this paper, the substitutability of the indifferentiability framework with non-sequential scheduling is examined by reformulating the framework through applying the Task-PIOA framework, which provides non-sequential activation with oblivious task sequences. First, the indifferentiability framework with non-sequential scheduling is shown to be able to retain the substitutability. Thus, the substitutability can be applied in another situation that processes of the systems may behave non-sequentially. Next, this framework is shown to be closely related to reducibility of systems. Reducibility is useful to discuss about the construction of a system from a weaker system. Finally, two modelings with respectively sequential scheduling and non-sequential scheduling are shown to be mutually independent. We find examples of systems which are indifferentiable under one model but differentiable under the other. Thus, the importance of scheduling in the indifferentiability framework is clarified.
    Download PDF (1285K)
  • Naoki OGURA, Shigenori UCHIYAMA, Naoki KANAYAMA, Eiji OKAMOTO
    Type: PAPER
    Subject area: Mathematics
    2012 Volume E95.A Issue 1 Pages 196-203
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    This paper considers the normalization of Miller functions for computing “point-evaluation” pairings on an elliptic curve E over a finite field $\\GF_{q}$, where the characteristic of $\\GF_{q}$ is neither 2 nor 3. It is shown that the normalized Miller functions for computing point-evaluation pairings on $\\G_2 \\ imes \\G_1$ when (i) the embedding degree k is even, or (ii) 3|k and E/$\\GF_{q}$(q≡1(mod 3) is a curve of the form Y2=X3+b. Thus, there is no need to consider the normalization for computing pairings on many pairing-friendly elliptic curves.
    Download PDF (358K)
  • Takuya HAYASHI, Naoyuki SHINOHARA, Lihua WANG, Shin'ichiro MATSUO, Mas ...
    Type: PAPER
    Subject area: Mathematics
    2012 Volume E95.A Issue 1 Pages 204-212
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    Pairings on elliptic curves over finite fields are crucial for constructing various cryptographic schemes. The ηT pairing on supersingular curves over GF(3n) is particularly popular since it is efficiently implementable. Taking into account the Menezes-Okamoto-Vanstone attack, the discrete logarithm problem (DLP) in GF(36n) becomes a concern for the security of cryptosystems using ηT pairings in this case. In 2006, Joux and Lercier proposed a new variant of the function field sieve in the medium prime case, named JL06-FFS. We have, however, not yet found any practical implementations on JL06-FFS over GF(36n). Therefore, we first fulfill such an implementation and we successfully set a new record for solving the DLP in GF(36n), the DLP in GF(36·71) of 676-bit size. In addition, we also compare JL06-FFS and an earlier version, named JL02-FFS, with practical experiments. Our results confirm that the former is several times faster than the latter under certain conditions.
    Download PDF (596K)
  • Kazuhide FUKUSHIMA, Shinsaku KIYOMOTO, Yutaka MIYAKE
    Type: PAPER
    Subject area: Software Protection
    2012 Volume E95.A Issue 1 Pages 213-222
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    Establishment of a practical software protection method is a major issue in software distribution. There are several approaches to the issue; however, no practical, secure method for mobile phone applications has been proposed. In this paper, we propose a new software protection scheme combined with a tamper-proof device (TPD) in order to achieve computational security against illegal analysis and copying of the target program. Our scheme achieves a reasonable level of security for encoding the data and variables in a program. The program on a mobile phone deals only with encoded data that is difficult to compromise, and the TPD plays a role of decoding execution results. We implemented the proposed scheme on a 3G mobile phone and a user identification module (UIM). An analysis and copying of the protected program impose exponential computation complexities under our attack model.
    Download PDF (617K)
  • Koichi SHIMIZU, Daisuke SUZUKI, Tomomi KASUYA
    Type: PAPER
    Subject area: Implementation
    2012 Volume E95.A Issue 1 Pages 223-233
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    In this paper, we propose a new Delay PUF architecture trying to solve the major problem of existing Delay PUFs that it is easy to predict the relation between delay information and generated information. For that purpose, our architecture exploits glitches as a source of information generation that behave non-linearly from delay variation between gates and the characteristic of pulse propagation of each gate. We thus call it the Glitch PUF. We present two circuit structures of the Glitch PUF both of which have their own merits. We then provide the results of evaluation in which we first verify that the two Glitch PUFs exhibit the same characteristics, and second show the randomness and statistical properties of the Glitch PUF.
    Download PDF (2106K)
  • Yang LI, Kazuo OHTA, Kazuo SAKIYAMA
    Type: PAPER
    Subject area: Implementation
    2012 Volume E95.A Issue 1 Pages 234-241
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    This paper proposes the countermeasures against an improved fault sensitivity analysis. Our countermeasure is proposed based on the WDDL technique due to its built-in resistance against both the power-based attack and differential fault analysis. At CHES 2010, Li et al. proposed the FSA attack on WDDL-AES. The vulnerability of WDDL-AES in their attack mainly comes from the implementation deficiency rather than the WDDL technique itself. This paper first proposes an improved fault sensitive analysis that can threat a well-implemented WDDL-AES based on the input-data dependency for the critical path delay of WDDL S-box. Then we discuss the possibility of efficient countermeasures by modifying the WDDL circuit with a limited overhead. The countermeasures are discussed based on either modifying the dual-rail to single-rail converter or the introduction of the enable signal.
    Download PDF (559K)
  • Junko TAKAHASHI, Toshinori FUKUNAGA, Kazuo SAKIYAMA
    Type: PAPER
    Subject area: Implementation
    2012 Volume E95.A Issue 1 Pages 242-251
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    This paper proposes a differential fault analysis on the stream cipher MUGI, which uses two kinds of update functions of an intermediate state. MUGI was proposed by Hitachi, Ltd. in 2002 and is specified as ISO/IEC 18033-4 for keystream generation. Differential fault analysis (DFA) is a type of fault analysis, which is considered to be a serious threat against secure devices such as smart cards. DFA on MUGI was first proposed at ICISC 2010 [25]; however, the attack condition for the successful attack such as the position into which the fault is injected was restricted. In this paper, we extend the attack methods which are more practical, based on a one-byte and a multi-byte fault models using the relationship between two kinds of update functions that are mutually dependent. In the proposed attack, the attacker can know the position affected by the fault injection even if he has no control of the timing of the fault injection. As a result, a 128-bit secret key can be recovered using 13 pairs of correct and faulty outputs on average.
    Download PDF (789K)
  • Shoichi HIROSE, Hidenori KUWAKADO
    Type: LETTER
    2012 Volume E95.A Issue 1 Pages 252-255
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    This article discusses the provable security of block-cipher-based hash functions. It introduces a new model called a weak ideal cipher model. In this model, an adversary is allowed to make key-disclosure queries to the oracle as well as encryption and decryption queries. A key-disclosure query is a pair of a plaintext and a ciphertext, and the reply is a corresponding key. Thus, in this model, a block cipher is random but completely insecure as a block cipher. It is shown that collision resistant hash functions can be constructed even in this weak model.
    Download PDF (99K)
  • Hu XIONG, Xiaofeng WANG, Fagen LI
    Type: LETTER
    2012 Volume E95.A Issue 1 Pages 256-258
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    Recently, Kang et al. discussed some security flaws of Wu et al.'s and Wei et al.'s authentication schemes that guarantee user anonymity in wireless communications and showed how to overcome the problems regarding anonymity and the forged login messages. However, we will show that Kang et al.'s improved scheme still did not provide user anonymity as they claimed.
    Download PDF (64K)
  • Mingwu ZHANG, Tsuyoshi TAKAGI, Bo YANG, Fagen LI
    Type: LETTER
    2012 Volume E95.A Issue 1 Pages 259-262
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    Strong designated verifier signature scheme (SDVS) allows a verifier to privately check the validity of a signature. Recently, Huang et al. first constructed an identity-based SDVS scheme (HYWS) in a stronger security model with non-interactive proof of knowledge, which holds the security properties of unforgeability, non-transferability, non-delegatability, and privacy of signer's identity. In this paper, we show that their scheme does not provide the claimed properties. Our analysis indicates that HYWS scheme neither resist on the designated verifier signature forgery nor provide simulation indistinguishability, which violates the security properties of unforgeability, non-delegatability and non-transferability.
    Download PDF (87K)
  • Sho ENDO, Takeshi SUGAWARA, Naofumi HOMMA, Takafumi AOKI, Akashi SATOH
    Type: LETTER
    2012 Volume E95.A Issue 1 Pages 263-266
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    This paper presents a glitchy-clock generator integrated in FPGA for evaluating fault injection attacks and their countermeasures on cryptographic modules. The proposed generator exploits clock management capabilities, which are common in modern FPGAs, to generate clock signal with temporal voltage spike. The shape and timing of the glitchy-clock cycle are configurable at run time. The proposed generator can be embedded in a single FPGA without any external instrument (e.g., a pulse generator and a variable power supply). Such integration enables reliable and reproducible fault injection experiments. In this paper, we examine the characteristics of the proposed generator through experiments on Side-channel Attack Standard Evaluation Board (SASEBO). The result shows that the timing of the glitches can be controlled at the step of about 0.17ns. We also demonstrate its application to the safe-error attack against an RSA processor.
    Download PDF (1595K)
  • Ruilin LI, Bing SUN, Chao LI, Shaojing FU
    Type: LETTER
    2012 Volume E95.A Issue 1 Pages 267-269
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    T-function is a kind of cryptographic function which is shown to be useful in various applications. It is known that any function f on $\\mathbb F_2^n$ or $\\mathbb{Z}_{2^n}$ automatically deduces a unique polynomial $f^{\\mathbb{F}}\in\mathbb{F}_{2^n}[x]$ with degree ≤2n-1. In this letter, we study an algebraic property of $f^{\\mathbb{F}}$ while f is a T-function. We prove that for a single cycle T-function f on $\\mathbb{F}_2^n$ or $\\mathbb{Z}_{2^n}$, $\\deg f^{\\mathbb{F}}=2^n-2$ which is optimal for a permutation. We also consider a kind of widely used T-function in many cryptographic algorithms, namely the modular addition function $A_b(x)=x+b\\in\\mathbb Z_{2^n}[x]$. We demonstrate how to calculate $\\deg A_b^{\\mathbb{F}}$ from the constant value b. These results can facilitate us to evaluate the immunity of the T-function based cryptosystem against some known attacks such as interpolation attack and integral attack.
    Download PDF (84K)
Special Section on Intelligent Transport Systems
  • Makoto ITAMI, Hiromasa HABUCHI
    2012 Volume E95.A Issue 1 Pages 270
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    Download PDF (147K)
  • Kiyohito TOKUDA
    Type: INVITED PAPER
    Subject area: ITS
    2012 Volume E95.A Issue 1 Pages 271-277
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    ITS (Intelligent Transport Systems) wireless communications system has been developing based on the leading edge ICT (Information Communication Technologies) in Japan. The comfort driving systems for example VICS (Vehicular Information Communication system), ETC (Electronic Toll Collection), Telematics has already become popular and the safety driving support systems, such as ASV (Advanced Safety Vehicle) and SMARTWAY have been scheduled for introduction in the near future. However, there are many residual issues in the comfort driving system because of the existence of the traffic jam and the interest of the economical cars in the world. Moreover, the acceleration of the development of the Smart Grid and EV (Electric Vehicle) would affect the future development of the ITS wireless communications system. In this paper, it is clarified that the future development should be advanced considering the one of the basic business rule of ‘market-in and product-out’.
    Download PDF (1975K)
  • Luobei KUANG, Zhijun WANG, Ming XU, Yingwen CHEN
    Type: PAPER
    Subject area: ITS
    2012 Volume E95.A Issue 1 Pages 278-285
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    Handoff plays an important role in vehicular networks due to high movement of vehicles. To provide seamless connectivity under Access Points (AP), this paper proposes an adaptive handoff triggering method to minimize communication time for a vehicle with an AP switch (i.e., whether and when to trigger a handoff process). In the proposed method, combined with an improved data transmission rate based trigger, handoff triggering decision is executed based on three different communication methods (called C-Dire, C-Relay and C-ALLRelay) to minimize the transmission delay when a vehicle moves from an AP to another. Transmission delay is derived through considering vehicle mobility and transmission rate diversity. The simulation results show that the proposed method is proven to be adaptive to vehicular networks.
    Download PDF (1093K)
  • Hiroyuki HATANO, Tomoharu MIZUTANI, Yoshihiko KUWAHARA
    Type: PAPER
    Subject area: ITS
    2012 Volume E95.A Issue 1 Pages 286-295
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    We consider the position estimation system for targets which exist in near wide area. The system has multiple sensors and estimates the position with multiple receivers. In the past, if receivers were arranged on a straight line, the large position error in the same direction of the line is generated. In order to reduce the error, we propose a novel estimation algorithm using transmitter's directivity information. Our system use directional emission made by an array of antennas in a transmitter. In this paper, the error characteristic which should be solved is introduced firstly. After that, our algorithm is presented. Finally the performance of the error reduction is shown by computer simulations. And we also confirm the reduction by experimental trials. The results indicate good reduction of the error.
    Download PDF (1752K)
  • HyungKwan KIM, Yuuki SHIBAYAMA, Shunsuke KAMIJO
    Type: PAPER
    Subject area: ITS
    2012 Volume E95.A Issue 1 Pages 296-304
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    This paper presents a general algorithm for pedestrian detection by on-board monocular camera which can be applied to cameras of various view ranges. Under the assumption that motion of background can be nearly approximated as a linear function, the Spatio-Temporal MRF (S-T MRF) model segments foreground objects. The foreground objects contain both pedestrian and non-pedestrian urban objects, verification was conducted by a cascaded classifier. However, the segmentation results based on motion were not exactly fit into pedestrian on the image so that shrunk or inflated pedestrian were generated. This causes errors on extracting pedestrian trajectory. For precise positioning, we implemented two types of feedback algorithm for ROI correction using the Kalman filter and the voting result of Motion-classifier and HOG-classifier. We confirmed that those ROI Corrections successfully extract precise area of pedestrian and decrease the false negative rate. Elaborately extracted pedestrian trajectory could be used as a useful source for predicting collision to pedestrian.
    Download PDF (5528K)
  • Chien-Sheng CHEN, Jium-Ming LIN, Wen-Hsiung LIU, Ching-Lung CHI
    Type: PAPER
    Subject area: ITS
    2012 Volume E95.A Issue 1 Pages 305-312
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    Intelligent transportation system (ITS) makes use of vehicle position to decrease the heavy traffic and improve service reliability of public transportation system. Many existing systems, such as global positioning system (GPS) and cellular communication systems, can be used to estimate vehicle location. The objective of wireless location is to determine the mobile station (MS) location in a wireless cellular communications system. The non-line-of-sight (NLOS) problem is the most crucial factor that it causes large measured error. In this paper, we present a novel positioning algorithm based on genetic algorithm (GA) to locate MS when three BSs are available for location purpose. Recently, GA are widely used as many various optimization problems. The proposed algorithm utilizes the intersections of three time of arrival (TOA) circles based on GA to estimate the MS location. The simulation results show that the proposed algorithms can really improve the location accuracy, even under severe NLOS conditions.
    Download PDF (1033K)
  • Tomotaka WADA, Hiroyuki TAKAHASHI, Kouichi MUTSUURA, Hiromi OKADA
    Type: LETTER
    Subject area: ITS
    2012 Volume E95.A Issue 1 Pages 313-316
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    Many researchers have recently studied various applications such as Inter-Vehicle Communications (IVC) and Road-to-Vehicle Communications (RVC) for Intelligent Transport Systems (ITS). RVC is a key technology that can connect vehicles with the internet through Road Side Units (RSUs). Relative positions between vehicles vary within short periods of time. Neighboring vehicles and barriers cause shadowing that blocks communication for extended periods of time between RSUs and vehicles. We propose a fast scheme of Mobile IPv6 handover using dual-band communications in RVC. This scheme uses ISM and UHF dual bands. It switches to the UHF band during handover or in the shadowing period. We demonstrate that the proposed scheme can establish continuous communications through computer simulations.
    Download PDF (978K)
  • Hiroyuki HATANO, Tomoharu MIZUTANI, Kazuya SUGIYAMA, Yoshihiko KUWAHAR ...
    Type: LETTER
    Subject area: ITS
    2012 Volume E95.A Issue 1 Pages 317-321
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    Radar networks show an interesting potential for safety and comfortable applications such as short-range automotive monitoring system or indoor monitoring. This paper presents our novel estimation algorithm of a target position. Especially we evaluate the performance about estimation accuracy and resistance to ghost targets under multipath environment. In above applications, the robust estimation is needed because the receivers tend to output corrupted measurement data. The corrupted data are mostly generated by multipath, sensitivity of receivers. As a result of computer simulations, our algorithm has fine accuracy and robust detections compared with a popular trilateration algorithm.
    Download PDF (553K)
Regular Section
  • Akira HIRABAYASHI
    Type: PAPER
    Subject area: Digital Signal Processing
    2012 Volume E95.A Issue 1 Pages 322-329
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    We address a problem of sampling and reconstructing periodic piecewise polynomials based on the theory for signals with a finite rate of innovation (FRI signals) from samples acquired by a sinc kernel. This problem was discussed in a previous paper. There was, however, an error in a condition about the sinc kernel. Further, even though the signal is represented by parameters, these explicit values are not obtained. Hence, in this paper, we provide a correct condition for the sinc kernel and show the procedure. The point is that, though a periodic piecewise polynomial of degree R is defined as a signal mapped to a periodic stream of differentiated Diracs by R+1 time differentiation, the mapping is not one-to-one. Therefore, to recover the stream is not sufficient to reconstruct the original signal. To solve this problem, we use the average of the target signal, which is available because of the sinc sampling. Simulation results show the correctness of our reconstruction procedure. We also show a sampling theorem for FRI signals with derivatives of a generic known function.
    Download PDF (732K)
  • Koji HARADA, Hideaki SAKAI
    Type: PAPER
    Subject area: Digital Signal Processing
    2012 Volume E95.A Issue 1 Pages 330-337
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    In this paper, we present a maximum a posteriori probability (MAP) approach to the problem of blind estimation of single-input, multiple-output (SIMO), finite impulse response (FIR) channels. A number of methods have been developed to date for this blind estimation problem. Some of those utilize prior knowledge on input signal statistics. However, there are very few that utilize channel statistics too. In this paper, the unknown channel to be estimated is assumed as the frequency-selective Rayleigh fading channel, and we incorporate the channel prior distributions (and hyperprior distributions) into our model in two different ways. Then for each case an iterative MAP estimator is derived approximately. Performance comparisons over existing methods are conducted via numerical simulation on randomly generated channel coefficients according to the Rayleigh fading channel model. It is shown that improved estimation performance can be achieved through the MAP approaches, especially for such channel realizations that have resulted in large estimation error with existing methods.
    Download PDF (844K)
  • Kazuo HORIUCHI
    Type: PAPER
    Subject area: Circuit Theory
    2012 Volume E95.A Issue 1 Pages 338-345
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    In this paper, we shall describe a basic fuzzy-estimation theory based on the concept of set-valued operators, suitable for available operation of extremely complicated large-scale network systems. Fundamental conditions for availability of system behaviors of such network systems are clarified in a form of β-level fixed point theorem for system of fuzzy-set-valued operators. Here, the proof of this theorem is accomplished by the concept of Hausdorff's ball measure of non-compactness introduced into the Banach space.
    Download PDF (379K)
  • Sang Woo SIN, Ru ZHOU, Dongju LI, Tsuyoshi ISSHIKI, Hiroaki KUNIEDA
    Type: PAPER
    Subject area: Algorithms and Data Structures
    2012 Volume E95.A Issue 1 Pages 346-353
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    A novel Template Updating system for fingerprint verification systems used in mobile applications is introduced in the paper. Based on the proposed method, the system performance is improved much more than the original one. Not only the FRR (False Reject Rate) but also the small overlap problem caused by the very narrow sensor on the mobile phone are solved. Based on the template updating system, templates are replaced with matched inputs towards a target structure which can expand the coverage of templates with large displacement and rotation. By using the test database, the system performance shows the FRR can be reduced by 79% in comparison with the one without template updating procedure. This system was adopted in practical mobile phones in the commercial market in 2009.
    Download PDF (2005K)
  • Yoshifumi SAKAI
    Type: PAPER
    Subject area: Algorithms and Data Structures
    2012 Volume E95.A Issue 1 Pages 354-361
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    This article presents an algorithm that solves an on-line version of the longest common subsequence (LCS) problem for two strings over a constant alphabet in O(d+n) time and O(m+d) space, where m is the length of the shorter string, the whole of which is given to the algorithm in advance, n is the length of the longer string, which is given as a data stream, and d is the number of dominant matches between the two strings. A new upper bound, O(p(m-q)), of d is also presented, where p is the length of the LCS of the two strings, and q is the length of the LCS of the shorter string and the m-length prefix of the longer string.
    Download PDF (292K)
  • Hua ZHAO, Songfeng LU
    Type: PAPER
    Subject area: Algorithms and Data Structures
    2012 Volume E95.A Issue 1 Pages 362-366
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    Let T be a text of length n and P be a pattern of length m, both strings over a fixed finite alphabet. The Pattern Matching with Swaps problem is to find all occurrences of P in T if adjacent pattern characters can be swapped. In the Approximate Pattern Matching problem with Swaps, one seeks for every text location with a swapped match of P, the number of swaps necessary to obtain a match at the location. In this paper we provide the first off-line solution for the swap matching problem and the approximate pattern matching problem with swaps. We present a new data-structure called a Swap-transforming Tree. And we give a precise upper-bond of the number of the swapped versions of a pattern. By using the swap-transforming tree, we can solve both problems in time O(λmlog 2n) on an O(nHk) bits indexing data structure. Here λ is a constant. Our solution is more effective when the pattern is short.
    Download PDF (244K)
  • Lu ZHAO, Qiao-yan WEN, Jie ZHANG, Zheng-ping JIN
    Type: PAPER
    Subject area: Cryptography and Information Security
    2012 Volume E95.A Issue 1 Pages 367-371
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    The 2-adic complexity of binary periodic sequences plays an important role in cryptology. In this paper, by means of the usual Fourier transform, we give a simpler form of the upper bound for 2-adic complexity than related result before. For pn-periodic sequences, we discuss the relation between sequences and their Fourier coefficients. Furthermore, based on the relation, we get the lower bound for the number of pn-periodic sequences with given 2-adic complexity.
    Download PDF (904K)
  • Deukjo HONG, Bonwook KOO, Dong-Chan KIM
    Type: PAPER
    Subject area: Cryptography and Information Security
    2012 Volume E95.A Issue 1 Pages 372-380
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    We present pseudo-preimage attacks on Davis-Meyer mode of reduced rounds of the block ciphers ARIA, Camellia, and Serpent by using Sasaki's framework. They yield preimage or second-preimage attacks on PGV hashing modes. We develop proper initial structures for applying meet-in-the-middle techniques to the block ciphers, by considering their diffusion layers, and propose a method to find matching-check equations for indirect partial matching technique with a binary matrix. These works enable us to attack 5 rounds of ARIA, 7 rounds of Camellia, and 4 rounds of Serpent faster than brute force attack.
    Download PDF (783K)
  • Takayuki NOZAKI, Kenta KASAI, Kohichi SAKANIWA
    Type: PAPER
    Subject area: Coding Theory
    2012 Volume E95.A Issue 1 Pages 381-390
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    In this paper, we investigate the error floors of the non-binary low-density parity-check codes transmitted over the binary erasure channels under belief propagation decoding. We propose a method to improve the decoding erasure rates in the error floors by optimizing labels in zigzag cycles in the Tanner graphs of codes. Furthermore, we give lower bounds on the bit and the symbol erasure rates in the error floors. The simulation results show that the presented lower bounds are tight for the codes designed by the proposed method.
    Download PDF (794K)
  • Hee-Suk PANG, Jun-Seok LIM, Oh-Jin KWON, Sang Bae CHON, Mingu LEE, Jeo ...
    Type: LETTER
    Subject area: Engineering Acoustics
    2012 Volume E95.A Issue 1 Pages 391-394
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    An efficient method is proposed for reconstructing speakerphone-mode cellular phone sound. The overall transfer function from digital PCM signals stored in a cellular phone to dummy head-recorded signals is modeled as a combination of a cellular phone transfer function (CPTF) and a cellular phone-to-listener transfer function (CPLTF). The CPTF represents the linear and nonlinear characteristics of a cellular phone and is modeled by the Volterra model. The CPLTF represents the effect of the path from a cellular phone to a dummy head and is measured. Listening tests show the effectiveness of the proposed method. An application scenario of the proposed method is also addressed for sound quality assessment of cellular phones in speakerphone mode.
    Download PDF (652K)
  • Yan CAO, Gang WEI
    Type: LETTER
    Subject area: Digital Signal Processing
    2012 Volume E95.A Issue 1 Pages 395-399
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    A new frequency estimator for a single real-valued sinusoid signal in white noise is proposed. The new estimator uses the Pisarenko Harmonic Decomposer (PHD) estimator to get a coarse frequency estimate and then makes use of multiple correlation lags to obtain an adjustment term. For the limited-length single sinusoid, its correlation has the same frequency as itself but with a non-zero phase. We propose to use Taylor series to expand the correlation at the PHD coarse estimated frequency with amplitude and phase of the correlation into consideration. Simulation results show that this new method improves the estimation performance of the PHD estimator. Moreover, when compared with other existing estimator, the mean square frequency error of the proposed method is closer to the Cramer-Rao Lower Bound (CRLB) for certain SNR range.
    Download PDF (305K)
  • Fanxin ZENG, Xiaoping ZENG, Zhenyu ZHANG, Guixin XUAN
    Type: LETTER
    Subject area: Digital Signal Processing
    2012 Volume E95.A Issue 1 Pages 400-405
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    Based on quadriphase perfect sequences and their cyclical shift versions, three families of almost perfect 16-QAM sequences are presented. When one of two time shifts chosen equals half a period of quadriphase sequence employed and another is zero, two of the proposed three sequence families possess the property that their out-of-phase autocorrelation function values vanish except one. At the same time, to the other time shifts, the nontrivial autocorrelation function values in three families are zero except two or four. In addition, two classes of periodic complementary sequence (PCS) pairs over the 16-QAM constellation, whose autocorrelation is similar to the one of conventional PCS pairs, are constructed as well.
    Download PDF (101K)
  • Masafumi KUBOTA, Toshimichi SAITO
    Type: LETTER
    Subject area: Nonlinear Problems
    2012 Volume E95.A Issue 1 Pages 406-409
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    This letter studies a nesting discrete particle swarm optimizer for multi-solution problems. The algorithm operates in discrete search space and consists of two stages. The first stage is global search in rough lattice points for constructing local sub-regions each of which includes one target solution. The second stage is local search where the algorithm operates in parallel in fine lattice points of local subspaces and tires to find all the approximate solutions within a criterion. We then propose an application to finding multiple fixed points in nonlinear dynamical systems and investigate the algorithm efficiency.
    Download PDF (364K)
  • Qiping LIN, Fangguo ZHANG
    Type: LETTER
    Subject area: Cryptography and Information Security
    2012 Volume E95.A Issue 1 Pages 410-413
    Published: January 01, 2012
    Released: January 01, 2012
    JOURNALS RESTRICTED ACCESS
    The main benefit of HECC is that it has much smaller parameter sizes and offers equivalent security as ECC and RSA. However, there are still more researches on ECC than on HECC. One of the reasons is that the computation of scalar multiplication cannot catch up. The Kummer surface can speed up the scalar multiplication in genus two curves. In this paper, we find that the scalar multiplication formulas of Duquesne in characteristic p>3 on the Kummer surface are not correct. We verify and revise the formulas with mathematical software. The operation counts become 29M+2S for new pseudo-addition formulas and 30M+10S for doubling ones. And then we speed up the scalar multiplication on the Kummer surface with Euclidean addition chains.
    Download PDF (87K)
feedback
Top