In Shamir's (k,n)-threshold secret sharing scheme (threshold scheme)[1], a heavy computational cost is required to make n shares and recover the secret from k shares. As a solution to this problem, several fast threshold schemes have been proposed. However, there is no fast ideal (k,n)-threshold scheme, where k and n are arbitrary. This paper proposes a new fast (k,n)-threshold scheme which uses just EXCLUSIVE-OR(XOR) operations to make n shares and recover the secret from k shares. We prove that every combination of k or more participants can recover the secret, but every group of less than k participants cannot obtain any information about the secret in the proposed scheme. Moreover, the proposed scheme is an ideal secret sharing scheme similar to Shamir's scheme, in which every bit-size of shares equals that of the secret. We also evaluate the efficiency of the scheme, and show that our scheme realizes operations that are much faster than Shamir's.

Shamir's (k,n)-threshold secret sharing scheme (threshold scheme) has two problems: a heavy computational cost is required to make shares and recover the secret, and a large storage capacity is needed to retain all the shares. As a solution to the heavy computational cost problem, several fast threshold schemes have been proposed. On the other hand, threshold ramp secret sharing schemes (ramp scheme) have been proposed in order to reduce each bit-size of shares in Shamir's scheme. However, there is no fast ramp scheme which has both low computational cost and low storage requirements. This paper proposes a new (k,L,n)-threshold ramp secret sharing scheme which uses just EXCLUSIVE-OR(XOR) operations to make shares and recover the secret at a low computational cost. Moreover, by proving that the fast (k,n)-threshold scheme in conjunction with a method to reduce the number of random numbers is an ideal secret sharing scheme, we show that our fast ramp scheme is able to reduce each bit-size of shares by allowing some degradation of security similar to the existing ramp schemes based on Shamir's threshold scheme.

This paper presents a chosen-IV (Initial Vector) correlation power analysis on the international standard stream cipher KCipher-2 together with an effective countermeasure. First, we describe a power analysis technique which can reveal the secret key (initial key) of KCipher-2 and then evaluate the validity of the CPA with experiments using both FPGA and ASIC implementations of KCipher-2 processors. This paper also proposes a masking-based countermeasure against the CPA. The concept of the proposed countermeasure is to mask intermediate data which pass through the non-linear function part including integer addition, substitution functions, and internal registers L1 and L2. We design two types of masked integer adders and two types of masked substitution circuits in order to minimize circuit area and delay, respectively. The effectiveness of the countermeasure is demonstrated through an experiment on the same FPGA platform. The performance of the proposed method is evaluated through the ASIC fabricated by TSMC 65nm CMOS process technology. In comparison with the conventional design, the design with the countermeasure can be achieved by the area increase of 1.6 times at most.

Program analysis techniques have improved steadily over the past several decades, and software obfuscation schemes have come to be used in many commercial programs. A software obfuscation scheme transforms an original program or a binary file into an obfuscated program that is more complicated and difficult to analyze, while preserving its functionality. However, the security of obfuscation schemes has not been properly evaluated. In this paper, we analyze obfuscation schemes in order to clarify the advantages of our scheme, the XOR-encoding scheme. First, we more clearly define five types of attack models that we defined previously, and define quantitative resistance to these attacks. Then, we compare the security, functionality and efficiency of three obfuscation schemes with encoding variables: (1) Sato et al.'s scheme with linear transformation, (2) our previous scheme with affine transformation, and (3) the XOR-encoding scheme. We show that the XOR-encoding scheme is superior with regard to the following two points: (1) the XOR-encoding scheme is more secure against a data-dependency attack and a brute force attack than our previous scheme, and is as secure against an information-collecting attack and an inverse transformation attack as our previous scheme, (2) the XOR-encoding scheme does not restrict the calculable ranges of programs and the loss of efficiency is less than in our previous scheme.

Establishment of a practical software protection method is a major issue in software distribution. There are several approaches to the issue; however, no practical, secure method for mobile phone applications has been proposed. In this paper, we propose a new software protection scheme combined with a tamper-proof device (TPD) in order to achieve computational security against illegal analysis and copying of the target program. Our scheme achieves a reasonable level of security for encoding the data and variables in a program. The program on a mobile phone deals only with encoded data that is difficult to compromise, and the TPD plays a role of decoding execution results. We implemented the proposed scheme on a 3G mobile phone and a user identification module (UIM). An analysis and copying of the protected program impose exponential computation complexities under our attack model.

KCipher-2 is a word-oriented stream cipher and an ISO/IEC 18033 standard. It is listed as a CRYPTREC cryptographic algorithm for Japanese governmental use. It consists of two feedback shift registers and a non-linear function. The size of each register in KCipher-2 is 32 bits and the non-linear function mainly applies 32-bit operations. Therefore, it can be efficiently implemented as software. SNOW-family stream ciphers are also word-oriented stream ciphers, and their high performance has already been demonstrated.We propose optimised implementations of KCipher-2 and compare their performance to that of the SNOW-family and other eSTREAM portfolios. The fastest algorithm is SNOW 2.0 and KCipher-2 is the second fastest despite the complicated irregular clocking mechanism. However, KCipher-2 is the fastest of the feasible algorithms, as SNOW 2.0 has been shown to have a security flaw. We also optimise the hardware implementation for the Virtex-5 field-programmable gate array (FPGA) and show two implementations. The first implementation is a rather straightforward optimisation and achieves 16,153 Mbps with 732 slices. In the second implementation, we duplicate the non-linear function using the structural advantage of KCipher-2 and we achieve 17,354 Mbps with 813 slices. Our implementation of KCipher-2 is around three times faster than those of the SNOW-family and efficiency, which is evaluated by “Throughput/Area (Mbps/slice)”, is 3.6-times better than that of SNOW 2.0 and 8.5-times better than that of SNOW 3G. These syntheses are performed using Xilinx ISE version 12.4.

We propose a new lattice-based digital signature scheme MLWRSign by modifying Dilithium, which is one of the second-round candidates of NIST's call for post-quantum cryptographic standards. To the best of our knowledge, our scheme MLWRSign is the first signature scheme whose security is based on the (module) learning with rounding (LWR) problem. Due to the simplicity of the LWR, the secret key size is reduced by approximately 30% in our scheme compared to Dilithium, while achieving the same level of security. Moreover, we implemented MLWRSign and observed that the running time of our scheme is comparable to that of Dilithium.

The hardness in solving the shortest vector problem (SVP) is a fundamental assumption for the security of lattice-based cryptographic algorithms. In 2010, Micciancio and Voulgaris proposed an algorithm named the Gauss Sieve, which is a fast and heuristic algorithm for solving the SVP. Schneider presented another algorithm named the Ideal Gauss Sieve in 2011, which is applicable to a special class of lattices, called ideal lattices. The Ideal Gauss Sieve speeds up the Gauss Sieve by using some properties of the ideal lattices. However, the algorithm is applicable only if the dimension of the ideal lattice n is a power of two or n+1 is a prime. Ishiguro et al. proposed an extension to the Ideal Gauss Sieve algorithm in 2014, which is applicable only if the prime factor of n is 2 or 3. In this paper, we first generalize the dimensions that can be applied to the ideal lattice properties to when the prime factor of n is derived from 2, p or q for two primes p and q. To the best of our knowledge, no algorithm using ideal lattice properties has been proposed so far with dimensions such as: 20, 44, 80, 84, and 92. Then we present an algorithm that speeds up the Gauss Sieve for these dimensions. Our experiments show that our proposed algorithm is 10 times faster than the original Gauss Sieve in solving an 80-dimensional SVP problem. Moreover, we propose a rotation-based Gauss Sieve that is approximately 1.5 times faster than the Ideal Gauss Sieve.

The Blum-Kalai-Wasserman algorithm (BKW) is an algorithm for solving the learning parity with noise problem, which was then adapted for solving the learning with errors problem (LWE) by Albrecht et al. Duc et al. applied BKW also to the learning with rounding problem (LWR). The number of blocks is a parameter of BKW. By optimizing the number of blocks, we can minimize the time complexity of BKW. However, Duc et al. did not derive the optimal number of blocks theoretically, but they searched for it numerically. Duc et al. also showed that the required number of samples for BKW for solving LWE can be dramatically decreased using Lyubashevsky's idea. However, it is not shown that his idea is also applicable to LWR. In this paper, we theoretically derive the asymptotically optimal number of blocks, and then analyze the minimum asymptotic time complexity of the algorithm. We also show that Lyubashevsky's idea can be applied to LWR-solving BKW, under a heuristic assumption that is regularly used in the analysis of LPN-solving BKW. Furthermore, we derive an equation that relates the Gaussian parameter σ of LWE and the modulus p of LWR. When σ and p satisfy the equation, the asymptotic time complexity of BKW to solve LWE and LWR are the same.

Privacy remains an issue for IT services. Users are concerned that their history of service use may be traceable since each user is assigned a single identifier as a means of authentication. In this paper, we propose a perfectly anonymous attribute authentication scheme that is both unidentifiable and untraceable. Then, we present the evaluation results of a prototype system using a PC and mobile phone with the scheme. The proposed scheme employs a self-blindable certificate that a user can change randomly; thus the certificate is modified for each authentication, and the authentication scheme is unidentifiable and untraceable. Furthermore, our scheme can revoke self-blindable certificates without leaks of confidential private information and check the revocation status without online access.

This paper proposes a ternary subset difference method (SD method) that is resistant to coalition attacks. In order to realize a secure ternary SD method, we design a new cover-finding algorithm, label assignment algorithm and encryption algorithm. These algorithms are required to revoke one or two subtrees simultaneously while maintaining resistance against coalition attacks. We realize this two-way revocation mechanism by creatively using labels and hashed labels. Then, we evaluate the efficiency and security of the ternary SD method. We show that the number of labels on each client device can be reduced by about 20.4 percent. The simulation results show that the proposed scheme reduces the average header length by up to 15.0 percent in case where the total number of devices is 65,536. On the other hand, the computational cost imposed on a client device stays within O(log n). Finally, we prove that the ternary SD method is secure against coalition attacks.

In this paper, we examine the effectiveness of clock control in protecting stream ciphers from a distinguishing attack, and show that this form of control is effective against such attacks. We model two typical clock-controlled stream ciphers and analyze the increase in computational complexity for these attacks due to clock control. We then analyze parameters for the design of clock-controlled stream ciphers, such as the length of the LFSR used for clock control. By adopting the design criteria described in this paper, a designer can find the optimal length of the clock-control sequence LFSR.

The hardness of the syndrome decoding problem (SDP) is the primary evidence for the security of code-based cryptosystems, which are one of the finalists in a project to standardize post-quantum cryptography conducted by the U.S. National Institute of Standards and Technology (NIST-PQC). Information set decoding (ISD) is a general term for algorithms that solve SDP efficiently. In this paper, we conducted a concrete analysis of the time complexity of the latest ISD algorithms under the limitation of memory using the syndrome decoding estimator proposed by Esser et al. As a result, we present that theoretically nonoptimal ISDs, such as May-Meurer-Thomae (MMT) and May-Ozerov, have lower time complexity than other ISDs in some actual SDP instances. Based on these facts, we further studied the possibility of multiple parallelization for these ISDs and proposed the first GPU algorithm for MMT, the multiparallel MMT algorithm. In the experiments, we show that the multiparallel MMT algorithm is faster than existing ISD algorithms. In addition, we report the first successful attempts to solve the 510-, 530-, 540- and 550-dimensional SDP instances in the Decoding Challenge contest using the multiparallel MMT.

We propose how to homomorphically evaluate arbitrary univariate and bivariate integer functions such as division. A prior work proposed by Okada et al. (WISTP'18) uses polynomial evaluations such that the scheme is still compatible with the SIMD operations in BFV and BGV schemes, and is implemented with the input domain ℤ257. However, the scheme of Okada et al. requires the quadratic numbers of plaintext-ciphertext multiplications and ciphertext-ciphertext additions in the input domain size, and although these operations are more lightweight than the ciphertext-ciphertext multiplication, the quadratic complexity makes handling larger inputs quite inefficient. In this work, first we improve the prior work and also propose a new approach that exploits the packing method to handle the larger input domain size instead of enabling the SIMD operation, thus making it possible to work with the larger input domain size, e.g., ℤ215 in a reasonably efficient way. In addition, we show how to slightly extend the input domain size to ℤ216 with a relatively moderate overhead. Further we show another approach to handling the larger input domain size by using two ciphertexts to encrypt one integer plaintext and applying our techniques for uni/bivariate function evaluation. We implement the prior work of Okada et al., our improved version of Okada et al., and our new scheme in PALISADE with the input domain ℤ215, and confirm that the estimated run-times of the prior work and our improved version of the prior work are still about 117 days and 59 days respectively while our new scheme can be computed in 307 seconds.

In Shamir's (k,n)-threshold secret sharing scheme [1], a heavy computational cost is required to make n shares and recover the secret from k shares. As a solution to this problem, several fast threshold schemes have been proposed. However, there is no fast ideal (k,n)-threshold scheme, where k ≥ 3 and n is arbitrary. This paper proposes a new fast (3,n)-threshold scheme by using just EXCLUSIVE-OR(XOR) operations to make shares and recover the secret, which is an ideal secret sharing scheme similar to Shamir's scheme. Furthermore, we evaluate the efficiency of the scheme, and show that it is more efficient than Shamir's in terms of computational cost. Moreover, we suggest a fast (k,n)-threshold scheme can be constructed in a similar way by increasing the sets of random numbers constructing pieces of shares.