In this paper, we deal with c-secure codes in a fingerprinting scheme, which encode user ID to be embedded into the contents. If a pirate copy appears, c-secure codes allow the owner of the contents to trace the source of the illegal redistribution under collusion attacks. However, when dealing in practical applications, most past proposed codes are failed to obtain a good efficiency, i.e. their codeword length are too large to be embedded into digital contents. In this paper, we propose a construction method of c-secure CRT codes based on polynomials over finite fields and it is shown that the codeword length in our construction is shorter than that of Muratani's scheme. We compare the codeword length of our construction and that of Muratani's scheme by numerical experiments and present some theoretical results which supports the results obtained by numerical experiments. As a result, we show that our construction is especially efficient in respect to a large size of any coalition c. Furthermore, we discuss the influence of the random error on the traceability and formally define the Weak IDs in respect to our construction.

Authentication codes (A-codes, for short) are considered as important building blocks for constructing unconditionally secure authentication schemes. Since in the conventional A-codes, two communicating parties, transmitter and receiver, utilized a common secret key, and such A-codes do not provide non-repudiation. With the aim of enhancing with non-repudiation property, Simmons introduced A2-codes. Later, Johansson formally defined an improved version of A2-codes called, the A3-codes. Unlike A2-codes, A3-codes do not require an arbiter to be fully trusted. In this paper, we clarify the security definition of A3-codes which may be misdefined. We show a concrete attack against an A3-code and conclude that concrete constructions of A3-codes implicitly assumes a trusted arbiter. We also show that there is no significant difference between A2-codes and A3-codes in a practical sense and further argue that it is impossible to construct an "ideal" A3-codes, that is, without any trusted arbiter. Finally, we introduce a novel model of asymmetric A-codes with an arbiter but do not have to be fully trusted, and also show a concrete construction of the asymmetric A-codes for the model. Since our proposed A-code does not require fully trusted arbiters, it is more secure than A2-codes or A3-codes.

An authentication code (A-code) is a two-party message authentication code in the information-theoretic security setting. One of the variants of A-codes is a multi-receiver authentication code (MRA-code), where there are a single sender and multiple receivers and the sender can create a single authenticator so that all receivers accepts it unless it is maliciously modified. In this paper, we introduce a multi-designated receiver authentication code (MDRA-code) with information-theoretic security as an extension of MRA-codes. The purpose of MDRA-codes is to securely transmit a message via a broadcast channel from a single sender to an arbitrary subset of multiple receivers that have been designated by the sender, and only the receivers in the subset (i.e., not all receivers) should accept the message if an adversary is absent. This paper proposes a model and security formalization of MDRA-codes, and provides constructions of MDRA-codes.

In this paper, we developed the latest IoT honeypots to capture IoT malware currently on the loose, analyzed IoT malware with new features such as persistent infection, developed malware removal methods to be provided to IoT device users. Furthermore, as attack behaviors using IoT devices become more diverse and sophisticated every year, we conducted research related to various factors involved in understanding the overall picture of attack behaviors from the perspective of incident responders. As the final stage of countermeasures, we also conducted research and development of IoT malware disabling technology to stop only IoT malware activities in IoT devices and IoT system disabling technology to remotely control (including stopping) IoT devices themselves.

This paper considers the problem of balancing traceability and anonymity in designated verifier signatures (DVS), which are a kind of group-oriented signatures. That is, we propose claimable designated verifier signatures (CDVS), where a signer is able to claim that he/she indeed created a signature later. Ordinal DVS does not provide any traceability, which could indicate too strong anonymity. Thus, adding claimability, which can be seen as a sort of traceability, moderates anonymity. We demonstrate two generic constructions of CDVS from (i) ring signatures, (non-ring) signatures, pseudorandom function, and commitment scheme, and (ii) claimable ring signatures (by Park and Sealfon, CRYPTO'19).

A group signature scheme introduced by Chaum and Van Heyst allows a group member to sign messages anonymously on behalf of the group. However, in the case of a dispute, the identity of a signer of a group signature can be revealed only by a privileged entity, called a group manager. The group signature scheme has mainly been studied from the viewpoint of computational security setting so far. The main contribution of this paper is to study group signature schemes in unconditional security. More specifically, we newly introduce strong security notions of unconditionally secure group signatures (USGS for short) based on the idea of those of computationally secure group signatures proposed by Bellare, Micciancio and Warinschi. We also provide a generic method to construct USGS that is provably secure in our security definition. More precisely, we construct USGS by combining an encryption scheme with a signature, and show that the constructed scheme is unconditionally secure if the encryption and the signature used in the construction are unconditionally secure. Finally, we provide an instantiation of the one-time secure group signature scheme based on the generic construction.

In this paper, general definitions of collusion secure codes are shown. Previously defined codes such as frameproof code, secure frameproof code, identifiable parent property code, totally c-secure code, traceability code, and (c,g/s)-secure code are redefined under various marking assumptions which are suitable for most of the fingerprinting systems. Then, new relationships among the combined notions of codes and the marking assumptions are revealed. Some (non)existence results are also shown.

Illegal distribution of signed documents can be considered as one of serious problems of digital signatures. In this paper, to solve the problem, we propose three protocols concerning signature schemes. These schemes achieve not only traceability of an illegal user but also universal verifiability. The first scheme is a basic scheme which can trace an illegal receiver, and the generation and tracing of a signed document are simple and efficient. However, in this scheme, it is assumed that a signer is honest. The second scheme gives another tracing method which does not always assume that a signer is honest. Furthermore, in the method, an illegal user can be traced by an authority itself, hence, it is efficient in terms of communication costs. However, in this scheme it is assumed that there exists only a legal verification algorithm. Thus, in general, this scheme cannot trace a modified signed document which is accepted by a modified verification algorithm. The third one is a scheme which requires no trusted signer and allows a modified verification algorithm. It can trace an illegal receiver or even a signer in such a situation. All of our schemes are constructed by simple combinations of standard signature schemes, consequently, one can flexibly choose suitable building blocks for satisfying requirements for a system.

An (≤n,≤ω)-one-time secure broadcast encryption scheme (BES) allows a sender to choose any subset of receivers so that only the designated users can decrypt a ciphertext. In this paper, we first show an efficient construction of an (≤n,≤ω)-one-time secure BES with general ciphertext sizes. Specifically, we propose a generic construction of an (≤n,≤ω)-one-time secure BES from key predistribution systems (KPSs) when its ciphertext size is equal to integer multiple of the plaintext size, and our construction includes all known constructions. However, there are many possible combinations of the KPSs to realize the BES in our construction methodology, and therefore, we show that which combination is the best one in the sense that secret-key size can be minimized. Our (optimized) construction provides a flexible parameter setup (i.e. we can adjust the secret-key sizes) by setting arbitrary ciphertext sizes based on restrictions on channels such as channel capacity and channel bandwidth.

Computer systems are constantly under attack and illegal access is a constant threat which makes security even more critical. A system can be broken into and secret information, e.g. decryption key, may be exposed, resulting in a total break of the system. Recently, a new framework for the protection against such key exposure problem was suggested and was called, Key-Insulated Encryption (KIE). In our paper, we introduce a novel approach to key insulated cryptosystems that offers provable security without computational assumptions. For the model of Information-Theoretically Secure Key-Insulated Encryption (ISKIE), we show lower bounds on required memory sizes of user, trusted device and sender. Our bounds are all tight as our concrete construction of ISKIE achieves all the bounds. We also extend this concept further by adding an extra property so that any pair of users in the system is able to communicate with each other and still have the same security benefits as the existing KIE based on intractability assumptions. We called this, Dynamic and Mutual Key-Insulated Encryption (DMKIE), and concrete implementations of DMKIE will be shown as well. In the end, we discuss the relationship of DMKIE against Key Predistribution Schemes (KPS) and Broadcast Encryption Schemes (BES), that is, we show that DMKIE can be constructed from either KPS or BES.

The problem we consider in this paper is whether the Menezes-Okamoto-Vanstone (MOV) reduction for attacking elliptic curve cryptosystems can be realized for genera elliptic curves. In realizing the MOV reduction, the base field Fq is extended so that the reduction to the discrete logarithm problem in a finite field is possible. Recent results by Balasubramanian and Koblitz suggest that, if l q-1, such a minimum extension degree is the minimum k such that l|qk-1, which is equivalent to the condition under which the Frey-Ruck (FR) reduction can be applied, where l is the order of the group in the elliptic curve discrete logarithm problem. Our point is that the problem of finding an l-torsion point required in evaluating the Weil pairing should be considered as well from an algorithmic point of view. In this paper, we actually propose a method which leads to a solution of the problem. In addition, our contribution allows us to draw the conclusion that the MOV reduction is indeed as powerful as the FR reduction under l q-1 not only from the viewpoint of the minimum extension degrees but also from that of the effectiveness of algorithms.

Fingerprinting is a technique to add identifying marks to each copy of digital contents in order to enhance traceability to a distribution system. Collusion attacks, in which the attackers collect two or more fingerprinted copies and try to generate an untraceable copy, are considered to be a threat for the fingerprinting system. With the aim of enhancing collusion security to the fingerprinting system, several collusion secure codes, such as c-frameproof code, c-secure frameproof code and c-identifiable parent property code, have been proposed. Here, c indicates the maximum number of colluding users. However, a practical construction of the above codes is still an issue because of the tight restrictions originated from their combinatorial properties. In this paper, we introduce an evaluation of frameproof, secure frameproof, and identifiable parent property by the probability that a code has the required property. Then, we focus on random codes. For frameproof and secure frameproof properties, we estimate the average probability that random codes have the required property where the probability is taken over the random construction of codes and random construction of coalitions. For the estimation, we assume the uniform distribution of symbols of random codes and the symbols that the coalitions hold. Therefore, we clarify the adequacy of the assumptions by comparison with numerical results. The estimates and numerical results resemble, which implies the adequacy of the assumption at least in the range of the experiment.

We have introduced the first electronic cash scheme with unconditional security. That is, even malicious users with unlimited computational ability cannot forge a coin and cannot change user's identity secretly embedded in each coin. While, the spender's anonymity is preserved by our new blind signature scheme based on unconditionally secure signature proposed in [7]. But the anonymity is preserved only computationally under the assumption that Decisional Diffie-Hellman Problem is intractable.

This paper briefly deals with a wide range of topics in information-theoretic cryptography. First, we focus on the results on symmetric-key encryption and authentication codes, since these protocols are fundamental in the field and well studied in the frameworks by Shannon and Simmons, respectively. Secondly, we explain several existing assumptions and security criteria whose merit mainly lies in realizing cryptographic protocols with short/weak shared secret-keys, correlated weak secret-keys, or no shared secrets. Thirdly, we consider research themes by three aspects for further development of information-theoretic cryptography. Finally, we refer to trends of technical approaches in information-theoretic cryptography and explain our recent results brought by using the approach.

This paper addresses the problem of designing an unconditionally secure conference system that fulfills the requirements of both traceability and dynamic sender. In a so-called conference system, a common key is shared among all authorized users, and messages are encrypted using the shared key. It is known that a straightforward implementation of such a system may present a number of security weaknesses. Our particular concern lies in the possibility that unauthorized users may be able to acquire the shared key by illegal means, say from one or more authorized but dishonest users (called traitors). An unauthorized user who has successfully obtained the shared key can now decrypt scrambled messages without leaving any evidence on who the traitors were. To solve this problem, in this paper we propose a conference system that admits dynamic sender traceability. The new solution can detect traitors, even if the sender of a message is dynamically determined after a shared key is distributed to authorized users. We also prove that this scheme is unconditionally secure.

In this paper, we formally define and analyze the security notions of authenticated encryption in unconditional security setting. For confidentiality, we define the notions, APS (almost perfect secrecy) and NM (non-malleability), in terms of an information-theoretic viewpoint along with our model where multiple senders and receivers exist. For authenticity, we define the notions, IntC (integrity of ciphertexts) and IntP (integrity of plaintexts), from a view point of information theory. And then we combine the above notions to define the security notions of unconditionally secure authenticated encryption. Then, we analyze relations among the security notions. In particular, it is shown that the strongest security notion is the combined notion of APS and IntC. Finally, we formally define and analyze the following generic composition methods in the unconditional security setting along with our model: Encrypt-and-Sign, Sign-then-Encrypt and Encrypt-then-Sign. Consequently, it is shown that: the Encrypt-and-Sign composition method is not always secure; the Sign-then-Encrypt composition method is not always secure; and the Encrypt-then-Sign composition method is always secure, if a given encryption meets APS and a given signature is secure.

Modern cryptology was born in the late seventies and developed in the eighties. A decade since 1991 is the period of continuation of the development and new expansion of cryptology. In this paper we survey the development of cryptologic researches in this decade with emphasis on the results in Japan. We also present some future important works and propose the foundation of a public institution for evaluation of information security techniques.

Cancelable approaches for biometric person authentication have been studied to protect enrolled biometric data, and several algorithms have been proposed. One drawback of cancelable approaches is that the performance is inferior to that of non-cancelable approaches. In this paper, we propose a scheme to improve the performance of a cancelable approach for online signature verification. Our scheme generates two cancelable dataset from one raw dataset and uses them for verification. Preliminary experiments were performed using a distance-based online signature verification algorithm. The experimental results show that our proposed scheme is promising.

Many malicious programs we encounter these days are armed with their own custom encoding methods (i.e., they are packed) to deter static binary analysis. Thus, the initial step to deal with unknown (possibly malicious) binary samples obtained from malware collecting systems ordinarily involves the unpacking step. In this paper, we focus on empirical experimental evaluations on a generic unpacking method built on a dynamic binary instrumentation (DBI) framework to figure out the applicability of the DBI-based approach. First, we present yet another method of generic binary unpacking extending a conventional unpacking heuristic. Our architecture includes managing shadow states to measure code exposure according to a simple byte state model. Among available platforms, we built an unpacking implementation on PIN DBI framework. Second, we describe evaluation experiments, conducted on wild malware collections, to discuss workability as well as limitations of our tool. Without the prior knowledge of 6029 samples in the collections, we have identified at around 64% of those were analyzable with our DBI-based generic unpacking tool which is configured to operate in fully automatic batch processing. Purging corrupted and unworkable samples in native systems, it was 72%.

Digital signatures whose security does not rely on any unproven computational assumption have recently received considerable attention. While these unconditionally secure digital signatures provide a foundation for long term integrity and non-repudiation of data, currently known schemes generally require a far greater amount of memory space for the storage of secret and public keys than a traditional digital signature. The focus of this paper is on methods for reducing memory requirements of unconditionally secure digital signatures. A major contribution of this paper is to propose two novel unconditionally secure digital signature schemes, one called a symmetric construction and other an asymmetric construction, which require a significantly smaller amount of memory. As a specific example, with a typical parameter setting the required memory size for a user is reduced to be approximately of that in a previously known scheme. Another contribution of the paper is to show an attack on a multireceiver authentication code which was proposed by Safavi-Naini and Wang. A simple method to fix the problem of the multireceiver authentication code is also proposed.