
Author Search Result

[Author] Go OHTAKE(11hit)

  • A Trade-off Traitor Tracing Scheme

    Go OHTAKE, Kazuto OGAWA, Goichiro HANAOKA, Hideki IMAI
    PAPER-Contents Protection
    Vol: E92-D No:5, Page(s): 859-875

    There has been a wide-ranging discussion on the issue of content copyright protection in digital content distribution systems. Fiat and Tassa proposed the framework of dynamic traitor tracing. Their framework requires dynamic computation transactions according to the real-time responses of the pirate, and it presumes real-time observation of content redistribution. Therefore, it cannot be simply utilized in an application where such an assumption is not valid. In this paper, we propose a new scheme that provides the advantages of dynamic traitor tracing schemes and also overcomes their problems.

  • Efficient Provider Authentication for Bidirectional Broadcasting Service

    Go OHTAKE, Goichiro HANAOKA, Kazuto OGAWA
    PAPER-Cryptography and Information Security
    Vol: E93-A No:6, Page(s): 1039-1051

    Provider authentication is necessary in bidirectional broadcasting services, and a digital signature scheme is often used to prevent an adversary from attempting impersonation. The cost of secure signing key management is extremely high. In addition, the key has to be updated very often, since it is frequently used. The result is that the verification key also has to be updated very often, and its redistribution cost is huge. These costs are real and substantive problems, especially when the number of users is large. In this paper, we propose a system that dramatically reduces these costs. In the system, the signing key is updated, but the corresponding verification key does not have to be updated. This means that the signing key can be updated without any cost for redistributing the verification key and that the system is secure against the threat of signing key leakage, since the key can be frequently updated. Moreover, we propose a new key management method that divides a conventional key management server's role into two. The use of a key-insulated signature (KIS) scheme enables low-cost and more secure key management with two servers. Finally, to make a bidirectional broadcasting service more secure even if the signing key is leaked, we developed a new strong KIS scheme. We performed an experiment that assessed the cost of our strong KIS scheme and found that it is sufficiently low. Accordingly, a provider authentication system employing this scheme would be more efficient and would have lower key redistribution and network costs in comparison with conventional authentication systems.

  • Partially Wildcarded Ciphertext-Policy Attribute-Based Encryption and Its Performance Evaluation

    Go OHTAKE, Kazuto OGAWA, Goichiro HANAOKA, Shota YAMADA, Kohei KASAMATSU, Takashi YAMAKAWA, Hideki IMAI
    PAPER
    Vol: E100-A No:9, Page(s): 1846-1856

    Attribute-based encryption (ABE) enables flexible data access control based on attributes and policies. In ciphertext-policy ABE (CP-ABE), a secret key is associated with a set of attributes and a policy is associated with a ciphertext. If the set of attributes satisfies the policy, the ciphertext can be decrypted. CP-ABE can be applied to a variety of services such as access control for file sharing systems and content distribution services. However, a CP-ABE scheme usually has larger costs for encryption and decryption than conventional public-key encryption schemes due to flexible policy setting. In particular, wildcards, which mean that certain attributes are not relevant to the ciphertext policy, are not essential for a certain service. In this paper, we propose a partially wildcarded CP-ABE scheme with a lower encryption and decryption cost. In our scheme, users' attributes are separated into those requiring wildcards and those not requiring wildcards. Our scheme embodies a CP-ABE scheme with a wildcard functionality and an efficient CP-ABE scheme without wildcard functionality. We show that our scheme is provably secure under the DBDH assumption. Then, we compare our scheme with the conventional CP-ABE schemes and describe a content distribution service as an application of our scheme. Also, we implement our scheme on a PC and measure the processing time. The result shows that our scheme can reduce all of the costs for key generation, encryption, and decryption as much as possible.

  • Managing Encryption and Key Publication Independently in Digital Rights Management Systems

    Goichiro HANAOKA, Kazuto OGAWA, Itsuro MUROTA, Go OHTAKE, Keigo MAJIMA, Seiichi GOHSHI, Kimiyuki OYAMADA, Seiichi NAMBA, Hideki IMAI
    PAPER-Applications
    Vol: E87-A No:1, Page(s): 160-172

    Secure distribution of digital goods is now a significantly important issue for protecting publishers' copyrights. In this paper, we study a useful primitive for constructing a secure and efficient digital rights management system (DRM) where a server which encrypts digital content and one which issues the corresponding decryption key work independently; existing schemes lack this property. We first argue the desired property necessary for an encryption scheme for constructing an efficient DRM, and formally define an encryption scheme having this property as a split encryption scheme. Also, we show that an efficient split encryption scheme can be constructed from any identity-based scheme. More precisely, we show an equivalence result implying that a split encryption scheme for some system parameter setting and an identity-based encryption scheme have the same primitives but for different uses. Since currently there is no identity-based encryption scheme which is based on a well-known computational assumption and/or provably secure in the standard model (i.e. without the random oracle model), by reasonably tuning the system parameter, we show another construction of split encryption which is secure against chosen ciphertext attacks in the standard model assuming that the decision Diffie-Hellman problem is hard to solve.

  • Privacy-Preserving System for Enriched-Integrated Service

    Kaisei KAJITA, Go OHTAKE, Kazuto OGAWA
    PAPER
    Publicized: 2021/02/24
    Vol: E104-D No:5, Page(s): 647-658

    In this study, we propose a secure data-providing system by using a verifiable attribute-based keyword search (VABKS), which also has the functions of privacy preservation and feedback to providers with an IP-anonymous server. We give both theoretical and experimental results, which show that our proposed system is a secure system with a real-time property. One potential application of the system is to Integrated Broadcast-Broadband (IBB) services, which acquire information related to broadcast programs via broadband networks. One such service is a recommendation service that delivers recommendations matching user preferences (such as to TV programs) determined from the user's viewing history. We have developed a real-time system outsourcing data to the cloud and performing keyword searches on it by dividing the search process into two stages and performing heavy processing on the cloud side.

  • Weakened Anonymity of Group Signature and Its Application to Subscription Services

    Kazuto OGAWA, Go OHTAKE, Arisa FUJII, Goichiro HANAOKA
    PAPER
    Vol: E97-A No:6, Page(s): 1240-1258

    For the sake of privacy preservation, services that are offered with reference to individual user preferences should do so with a sufficient degree of anonymity. We surveyed various tools that meet requirements of such services and decided that group signature schemes with weakened anonymity (without unlinkability) are adequate. Then, we investigated a theoretical gap between unlinkability of group signature schemes and their other requirements. We show that this gap is significantly large. Specifically, we clarify that if unlinkability can be achieved from any other property of group signature schemes, it becomes possible to construct a chosen-ciphertext secure cryptosystem from any one-way function. This result implies that the efficiency of group signature schemes can be drastically improved if unlinkability is not taken into account. We also demonstrate a way to construct a scheme without unlinkability that is significantly more efficient than the best known full-fledged scheme.

  • Attribute-Based Encryption for Range Attributes

    Nuttapong ATTRAPADUNG, Goichiro HANAOKA, Kazuto OGAWA, Go OHTAKE, Hajime WATANABE, Shota YAMADA
    PAPER
    Vol: E101-A No:9, Page(s): 1440-1455

    Attribute-Based Encryption (ABE) is an advanced form of public-key encryption where access control mechanisms based on attributes and policies are possible. In conventional ABE, attributes are specified as strings. However, there are certain applications where it is useful to specify attributes as numerical values and consider a predicate that determines if a certain numerical range would include a certain value. Examples of these types of attributes include time, position coordinate, person's age, rank, identity, and so on. In this paper, we introduce ABE for boolean formulae over Range Membership (ABE-RM). We show generic methods to convert conventional ABE to ABE-RM. Our generic conversions are efficient as they introduce only logarithmic overheads (in key and ciphertext sizes), as opposed to trivial methods, which would pose linear overheads. By applying our conversion to previous ABE schemes, we obtain new efficient and expressive ABE-RM schemes. Previous works that considered ABE with range attributes are specific and can only deal with either a single relation of range membership (Paterson and Quaglia at SCN'10, and Kasamatsu et al. at SCN'12), or limited classes of policies, namely, only AND-gates of range attributes (Shi et al. at IEEE S&P'07, and some subsequent work). Our schemes are generic and can deal with expressive boolean formulae.

  • Secure Broadcast System with Simultaneous Individual Messaging

    Arisa FUJII, Go OHTAKE, Goichiro HANAOKA, Nuttapong ATTRAPADUNG, Hajime WATANABE, Kazuto OGAWA, Hideki IMAI
    PAPER
    Vol: E94-A No:6, Page(s): 1328-1337

    Broadcasters transmit TV programs and often need to transmit an individual message, e.g. an individual contract, to each user. The programs have to be encrypted in order to protect the copyright and the individual messages have to be encrypted to preserve the privacy of users. For these purposes, broadcasters transmit not only encrypted content but also encrypted personalized messages to individual users. Current broadcasting services employ an inefficient encryption scheme based on a symmetric key. Recently, several broadcast encryption schemes using a public key have been proposed in which the broadcaster encrypts a message for some subset S of users with a public key and any user in S can decrypt the broadcast with his/her private key. However, it is difficult to encrypt a personalized message and transmit it to every user efficiently. In this paper, we propose a broadcast encryption scheme that has a personalized message encryption function. We show that our scheme is efficient in terms of the ciphertext size.

  • Short Lattice Signature Scheme with Tighter Reduction under Ring-SIS Assumption

    Kaisei KAJITA, Go OHTAKE, Kazuto OGAWA, Koji NUIDA, Tsuyoshi TAKAGI
    PAPER
    Publicized: 2022/09/08
    Vol: E106-A No:3, Page(s): 228-240

    We propose a short signature scheme under the ring-SIS assumption in the standard model. Specifically, by revisiting an existing construction [Ducas and Micciancio, CRYPTO 2014], we demonstrate lattice-based signatures with improved reduction loss. As far as we know, there are no ways to use multiple tags in the signature simulation of security proof in the lattice tag-based signatures. We address the tag-collision possibility in the lattice setting, which improves reduction loss. Our scheme generates tags from messages by constructing a scheme under a mild security condition that is existentially unforgeable against random message attack with auxiliary information. Thus our scheme can reduce the signature size since it does not need to send tags with the signatures. Our scheme has short signature sizes of O(1) and achieves tighter reduction loss than that of Ducas et al.'s scheme. Our proposed scheme has two variants. Our scheme with one property has tighter reduction and the same verification key size of O(log n) as that of Ducas et al.'s scheme, where n is the security parameter. Our scheme with the other property achieves much tighter reduction loss of O(Q/n) and verification key size of O(n), where Q is the number of signing queries.

  • Application Authentication System with Efficiently Updatable Signature

    Kazuto OGAWA, Go OHTAKE
    PAPER
    Publicized: 2015/10/21
    Vol: E99-D No:1, Page(s): 69-82

    Broadcasting and communications networks can be used together to offer hybrid broadcasting services that incorporate a variety of personalized information from communications networks in TV programs. To enable these services, many different applications have to be run on a user terminal, and it is necessary to establish an environment where any service provider can create applications and distribute them to users. The danger is that malicious service providers might distribute applications which may cause user terminals to take undesirable actions. To prevent such applications from being distributed, we propose an application authentication protocol for hybrid broadcasting and communications services. Concretely, we modify a key-insulated signature scheme and apply it to this protocol. In the protocol, a broadcaster distributes a distinct signing key to each service provider that the broadcaster trusts. As a result, users can verify that an application is reliable. If a signed application causes an undesirable action, a broadcaster can revoke the privileges and permissions of the service provider. In addition, the broadcaster can update the signing key. That is, our protocol is secure against leakage of the signing key by the broadcaster and service providers. Moreover, a user terminal uses only one verification key for verifying a signature, so the memory needed for storing the verification key in the user terminal is very small. With our protocol, users can securely receive hybrid services from broadcasting and communications networks.

  • Outsider-Anonymous Broadcast Encryption with Keyword Search: Generic Construction, CCA Security, and with Sublinear Ciphertexts

    Keita EMURA, Kaisei KAJITA, Go OHTAKE
    PAPER-Cryptography and Information Security
    Publicized: 2024/02/26
    Vol: E107-A No:9, Page(s): 1465-1477

    As a multi-receiver variant of public key encryption with keyword search (PEKS), broadcast encryption with keyword search (BEKS) has been proposed (Attrapadung et al. at ASIACRYPT 2006/Chatterjee-Mukherjee at INDOCRYPT 2018). Unlike broadcast encryption, no receiver anonymity is considered because the test algorithm takes a set of receivers as input and thus a set of receivers needs to be contained in a ciphertext. In this paper, we propose a generic construction of BEKS from anonymous and weakly robust 3-level hierarchical identity-based encryption (HIBE). The proposed generic construction provides outsider anonymity, where an adversary is allowed to obtain secret keys of outsiders who do not belong to the challenge sets, and provides sublinear-size ciphertext in terms of the number of receivers. Moreover, the proposed construction considers security against chosen-ciphertext attack (CCA) where an adversary is allowed to access a test oracle in the searchable encryption context. The proposed generic construction can be seen as an extension to the Fazio-Perera generic construction of anonymous broadcast encryption (PKC 2012) from anonymous and weakly robust identity-based encryption (IBE) and the Boneh et al. generic construction of PEKS (EUROCRYPT 2004) from anonymous IBE. We run the Fazio-Perera construction on the first-level identity and run the Boneh et al. generic construction on the second-level identity, i.e., a keyword is regarded as a second-level identity. The third-level identity is used for providing CCA security by employing one-time signatures. We also introduce weak robustness in the HIBE setting, and demonstrate that the Abdalla et al. generic transformation (TCC 2010/JoC 2018) for providing weak robustness to IBE works for HIBE with an appropriate parameter setting. We also explicitly introduce attractive concrete instantiations of the proposed generic construction from pairings and lattices, respectively.