In this paper, we present a framework to construct message recovery signature schemes from Sigma-protocols. The key technique of our construction is the redundancy function that adds some redundancy to the message only legitimately signed and recovered message can have. We provide a characterization of the redundancy functions that make the resulting message recovery signature scheme proven secure. Our framework includes known schemes when the building blocks are given concrete implementations, i.e., random oracles and ideal ciphers, hence presents insightful explanation to their structure.

In this paper, the first extended Canetti-Krawzcyk (eCK) security model for hierarchical ID-based authenticated key exchange (AKE) that guarantee resistance to leakage of ephemeral secret keys is proposed. Moreover, an two-pass hierarchical ID-based AKE protocol secure in the proposed hierarchical ID-based eCK security model based on a hierarchical ID-based encryption is also proposed.

We propose an anonymous Hierarchical Identity-Based Encryption (anonymous HIBE) scheme with short ciphertexts. Prior to our work, most anonymous HIBE schemes have long ciphertexts increased according to the hierarchical depth of recipient. The size of the ciphertext in our scheme does not depend on the depth of the hierarchy. Moreover, our scheme achieves the lowest computational cost because during the decryption phase the computational cost of decryption is constant. The security can be proven under reasonable assumptions without using random oracles. Our scheme achieves selective-ID security notion.

We propose a protocol for implementing secure circuit evaluation (SCE) based on the threshold homomorphic ElGamal encryption scheme and present the implementation results of the protocol. To the best of knowledge of the authors, the proposed protocol is more efficient in terms of computational complexity than previously reported protocols. We also introduce applications using SCE and estimate their practicality based on the implementation results.

This paper firstly provides the extended Canetti-Krawzcyk (eCK) security model for predicate-based authenticated key exchange (AKE) that guarantees resistance to leakage of ephemeral secret keys. Moreover, we propose two-pass key-policy (resp. session-policy) attribute-based AKE protocol secure in the proposed predicate-based eCK security model based on key-policy (resp. ciphertext-policy) attribute-based encryption. The proposed protocols have advantages in security against leakage of ephemeral secret keys and the round complexity compared to the previous predicate-based AKE protocols.

In this paper, we propose an identity-based authenticated key exchange (ID-AKE) protocol that is secure in the identity-based extended Canetti-Krawczyk (id-eCK) model in the random oracle model under the gap Bilinear Diffie-Hellman assumption. The proposed ID-AKE protocol is the most efficient among the existing ID-AKE protocols that is id-eCK secure, and it can be extended to use in asymmetric pairing.

This paper addresses how to use public-keys of several different signature schemes to generate 1-out-of-n signatures. Previously known constructions are for either RSA-type keys only or DL-type keys only. We present a widely applicable method to construct a 1-out-of-n signature scheme that allows mixture use of different flavors of keys at the same time. The resulting scheme is more efficient than previous schemes even if it is used only with a single type of keys. With all DL-type keys, it yields shorter signatures than the ones of the previously known scheme based on the witness indistinguishable proofs by Cramer, et al. With all RSA-type keys, it reduces both computational and storage costs compared to that of the Ring signatures by Rivest, et al.

The need for electronic sealed-bid auction services with quantitative competition is increasing. This paper proposes a new method that combines one-way functions and a bit commitment technique for quantitative competitive sealed-bid auctions. Since each modular exponentiation is replaced with a one-way function, the proposed method's computational time is one forty thousandth that of the former methods and the proposed method suits mass bidder systems.

This paper provides a M+1-st price auction scheme using homomorphic encryption and the mix and match technique; it offers secrecy of bidding price and public verifiability. Our scheme has low round communication complexity: 1 round from each bidder to auctioneer in bidding and log p rounds from auctioneer to trusted authority in opening when prices are selected from p prefixed choices.

This paper proposes an id-eCK secure identity-based authenticated key exchange (ID-AKE) scheme, where the id-eCK security implies that a scheme resists against leakage of all combinations of master, static, and ephemeral secret keys except ones trivially break the security. Most existing id-eCK secure ID-AKE schemes require two symmetric pairing operations or a greater number of asymmetric pairing, which is faster than symmetric one, operations to establish a session key. However, our scheme is realized with a single asymmetric pairing operation for each party, and this is an advantage in efficiency. The proposed scheme is based on the ID-AKE scheme by McCullagh and Barreto, which is vulnerable to an active attack. To achieve id-eCK security, we apply the HMQV construction and the NAXOS technique to the McCullagh-Barreto scheme. The id-eCK security is proved under the external Diffie-Hellman for target group assumption and the q-gap-bilinear collision attack assumption.

This paper investigates the effects of backdoor attacks on graph neural networks (GNNs) trained through simple data augmentation by modifying the edges of the graph in graph classification. The numerical results show that GNNs trained with data augmentation remain vulnerable to backdoor attacks and may even be more vulnerable to such attacks than GNNs without data augmentation.

This paper presents an attempt to make rational active adversary passive using mechanism design. We propose a secure Generalized Vickrey Auction (GVA) scheme where the procedure executed by a bidder affects neither the prices nor the allocation of the bidder. Therefore, a bidder does not have an incentive to be an active adversary.

The ring signature allows a signer to leak secrets anonymously, without the risk of identity escrow. At the same time, the ring signature provides great flexibility: No group manager, no special setup, and the dynamics of group choice. The ring signature is, however, vulnerable to malicious or irresponsible signers in some applications, because of its anonymity. In this paper, we propose a traceable ring signature scheme. A traceable ring scheme is a ring signature except that it can restrict "excessive" anonymity. The traceable ring signature has a tag that consists of a list of ring members and an issue that refers to, for instance, a social affair or an election. A ring member can make any signed but anonymous opinion regarding the issue, but only once (per tag). If the member submits another signed opinion, possibly pretending to be another person who supports the first opinion, the identity of the member is immediately revealed. If the member submits the same opinion, for instance, voting "yes" regarding the same issue twice, everyone can see that these two are linked. The traceable ring signature can suit to many applications, such as an anonymous voting on a BBS. We formalize the security definitions for this primitive and show an efficient and simple construction in the random oracle model.

This paper presents an efficient and generic solution in the following scenario: There are n independent people using variety of signature schemes such as DSS, RSA, Schnorr, and so on, and a subset of them attempts to sign a document without being identified which subset they are. This is a generalized scenario of the Ring Signatures by Rivest, Shamir and Tauman, whose original scenario limits the subset to be a single person and the base signature scheme to be RSA/Rabin schemes. Our scheme allows any signature schemes based on sigma-protocols and claw-free permutations. It also offers shorter signatures and less computation compared to known generic construction. The security is argued in the random oracle model as well as previous schemes and shows that our scheme achieves reduction cost linear in the number of hash queries while it is square for previous generic constructions.

An efficient construction of a permutation network has been proposed by Waksman. However, his construction is only for permutation networks with 2k inputs. This paper provides a construction of permutation networks with arbitrary number of inputs that is an extension of Waksman's construction. By applying our construction to Abe's Mix-net, we can improve the efficiency of the Mix-net.

We propose a security model, referred as g-eCK model, for group key exchange that captures essentially all non-trivial leakage of static and ephemeral secret keys of participants, i.e., group key exchange version of extended Canetti-Krawczyk (eCK) model. Moreover, we propose the first one-round tripartite key exchange (3KE) protocol secure in the g-eCK model under the gap Bilinear Diffie-Hellman (gap BDH) assumption and in the random oracle model.

This paper studies Tripartite Key Exchange (3KE) which is a special case of Group Key Exchange. Though general one-round GKE satisfying advanced security properties such as forward secrecy and maximal-exposure-resilience (MEX-resilience) is not known, it can be efficiently constructed with the help of pairings in the 3KE case. In this paper, we introduce the first one-round 3KE which is MEX-resilient in the standard model, though existing one-round 3KE schemes are proved in the random oracle model (ROM), or not MEX-resilient. Each party broadcasts 4 group elements, and executes 14 pairing operations. Complexity is only three or four times larger in computation and communication than the existing most efficient MEX-resilient 3KE scheme in the ROM; thus, our protocol is adequately practical.