Bilinear-type conversion is to translate a cryptographic scheme designed over symmetric bilinear groups into one that works over asymmetric bilinear groups with small overhead regarding the size of objects concerned in the target scheme. In this paper, we address scalability for converting complex cryptographic schemes. Our contribution is threefold. Investigating complexity of bilinear-type conversion. We show that there exists no polynomial-time algorithm for worst-case inputs under standard complexity assumption. It means that bilinear-type conversion in general is an inherently difficult problem. Presenting a new scalable conversion method. Nevertheless, we show that large-scale conversion is indeed possible in practice when the target schemes are built from smaller building blocks with some structure. We present a novel conversion method, called IPConv, that uses 0-1 Integer Programming instantiated with a widely available IP solver. It instantly converts schemes containing more than a thousand of variables and hundreds of pairings. Application to computer-aided design. Our conversion method is also useful in modular design of middle to large scale cryptographic applications; first construct over simpler symmetric bilinear groups and run over efficient asymmetric groups. Thus one can avoid complication of manually allocating variables over asymmetric bilinear groups. We demonstrate its usefulness by somewhat counter-intuitive examples where converted DLIN-based Groth-Sahai proofs are more compact than manually built SXDH-based proofs. Though the early purpose of bilinear-type conversion is to save existing schemes from attacks against symmetric bilinear groups, our new scalable conversion method will find more applications beyond the original goal. Indeed, the above computer-aided design can be seen as a step toward automated modular design of cryptographic schemes.

This paper presents a Mix-net that has the following properties; (1) it efficiently handles long plaintexts that exceed the modulus size of the underlying public-key encryption scheme as well as very short ones (length-flexibility), (2) input ciphertext length is not impacted by the number of mix-servers (length-invariance), and (3) its security in terms of anonymity can be proven in a formal way (probable security). If desired, one can add robustness so that it outputs correct results in the presence of corrupt users and servers. The security is proven in such a sense that breaking the anonymity of our Mix-net is equivalent to breaking the indistinguishability assumption of the underlying symmetric encryption scheme or the Decision Diffie-Hellman assumption.

We present an efficient Hybrid Mix scheme that provides both routing flexibility and the optimal length of ciphertext. Although it is rather easy to embed routing information in the ciphertext, and a scheme that provides the optimal length of ciphertext is already known, it is not a trivial task to achieve both properties all at the same time. A critical obstacle for providing the optimal length of ciphertext is the session-key encapsulation header in a ciphertext that carries the encrypted session-key to each router, which linearly increases according to the number of intermediate routers. We solve this problem by improving the previously reported Hybrid Mix scheme such that the resulting scheme benefits from routing flexibility with a constant length of such headers. Our basic scheme is only secure against honest, but curious intermediate routers. Therefore, we further address the robustness issue to prevent malicious behavior by incorporating and improving an existing efficient approach based on the Message Authentication Code.

This paper addresses how to use public-keys of several different signature schemes to generate 1-out-of-n signatures. Previously known constructions are for either RSA-type keys only or DL-type keys only. We present a widely applicable method to construct a 1-out-of-n signature scheme that allows mixture use of different flavors of keys at the same time. The resulting scheme is more efficient than previous schemes even if it is used only with a single type of keys. With all DL-type keys, it yields shorter signatures than the ones of the previously known scheme based on the witness indistinguishable proofs by Cramer, et al. With all RSA-type keys, it reduces both computational and storage costs compared to that of the Ring signatures by Rivest, et al.

This paper studies the relations among several definitions of anonymity for ring signature schemes in the same attack environment. It is shown that one intuitive and two technical definitions we consider are asymptotically equivalent, and the indistinguishability-based technical definition is the strongest, i.e., the most secure when achieved, when the exact reduction cost is taken into account. We then extend our result to the threshold case where a subset of members cooperate to create a signature. The threshold setting makes the notion of anonymity more complex and yields a greater variety of definitions. We explore several notions and observe certain relation does not seem hold unlike the simple single-signer case. Nevertheless, we see that an indistinguishability-based definition is the most favorable in the threshold case. We also study the notion of linkability and present a simple scheme that achieves both anonymity and linkability.

We construct the first fully homomorphic encryption (FHE) scheme that encrypts matrices and supports homomorphic matrix addition and multiplication. This is a natural extension of packed FHE and thus supports more complicated homomorphic operations. We optimize the bootstrapping procedure of Alperin-Sheriff and Peikert (CRYPTO 2014) by applying our scheme. Our optimization decreases the lattice approximation factor from Õ(n3) to Õ(n2.5). By taking a lattice dimension as a larger polynomial in a security parameter, we can also obtain the same approximation factor as the best known one of standard lattice-based public-key encryption without successive dimension-modulus reduction, which was essential for achieving the best factor in prior works on bootstrapping of standard lattice-based FHE.

Batch verification is a useful tool in verifying a large number of cryptographic items all at one time. It is especially effective in verifying predicates based on modular exponentiation. In some cases, however the items can be incorrect although they pass batch verification together. Such leniency can be eliminated by checking the domain of each item in advance. With this in mind, we introduce the strict batch verification and investigate if the strict batch verification can remain more effective than separate verification. In this paper, we estimate the efficiency of such strict batch verification in several types of groups, a prime subgroup of Zp with special/random prime p and prime subgroups defined on elliptic curves over Fp, F2m and Fpm, with are often used in DL-based cryptographic primitives. Our analysis concludes that the efficiency differs greatly depending on the choice of the group and parameters determined by the verifying predicate. Furthermore, we even show that there are some cases where batch verification, regardless of strictness, loses its computational advantage.

Novel thermopiles based on modulation doped AlGaAs/InGaAs and AlGaN/GaN heterostructures are proposed and developed for the first time, for uncooled infrared FPA (Focal Plane Array) image sensor application. The high responsivity with the high speed response time are designed to 4,900 V/W with 110 µs for AlGaAs/InGaAs, and to 460 V/W with 9 µs for AlGaN/GaN thermopiles, respectively. Based on integrated HEMT-MEMS technology, the AlGaAs/InGaAs 3232 matrix FPAs are fabricated to demonstrate its enhanced performances by black body measurement. The technology presented here demonstrates the potential of this approach for low-cost uncooled infrared FPA image sensor application.

We propose a simple framework for evaluating the performance of pairing-based cryptographic schemes for various types of curves and parameter settings. The framework, which we call ‘Opcount’, enables the selection of an appropriate curve and parameters by estimating the performance of a cryptographic scheme from a pseudo-code describing the cryptographic scheme and an implementation-information database that records the performance of basic operations in curves targeted for evaluation. We apply Opcount to evaluate and compare the computational efficiency of several structure-preserving signature schemes that involve tens of pairing products in their signature verification. In addition to showing the usefulness of Opcount, our experiments also reveal the overlooked importance of taking account of the properties of underlying curves when optimizing computations and demonstrate the impact of tight security reductions.

This paper provides a M+1-st price auction scheme using homomorphic encryption and the mix and match technique; it offers secrecy of bidding price and public verifiability. Our scheme has low round communication complexity: 1 round from each bidder to auctioneer in bidding and log p rounds from auctioneer to trusted authority in opening when prices are selected from p prefixed choices.

Every public-key encryption scheme has to incorporate a certain amount of randomness into its ciphertexts to provide semantic security against chosen ciphertext attacks (IND-CCA). The difference between the length of a ciphertext and the embedded message is called the ciphertext overhead. While a generic brute-force adversary running in 2t steps gives a theoretical lower bound of t bits on the ciphertext overhead for IND-CPA security, the best known IND-CCA secure schemes demand roughly 2t bits even in the random oracle model. Is the t-bit gap essential for achieving IND-CCA security? We close the gap by proposing an IND-CCA secure scheme whose ciphertext overhead matches the generic lower bound up to a small constant. Our scheme uses a variation of a four-round Feistel network in the random oracle model and hence belongs to the family of OAEP-based schemes. Maybe of independent interest is a new efficient method to encrypt long messages exceeding the length of the permutation while retaining the minimal overhead.

This paper presents an efficient and generic solution in the following scenario: There are n independent people using variety of signature schemes such as DSS, RSA, Schnorr, and so on, and a subset of them attempts to sign a document without being identified which subset they are. This is a generalized scenario of the Ring Signatures by Rivest, Shamir and Tauman, whose original scenario limits the subset to be a single person and the base signature scheme to be RSA/Rabin schemes. Our scheme allows any signature schemes based on sigma-protocols and claw-free permutations. It also offers shorter signatures and less computation compared to known generic construction. The security is argued in the random oracle model as well as previous schemes and shows that our scheme achieves reduction cost linear in the number of hash queries while it is square for previous generic constructions.

This paper, for the first time, presents a provably secure signature scheme with message recovery based on the elliptic-curve discrete logarithm. The proposed scheme is proven to be secure in the strongest sense (i.e., existentially unforgeable against adaptively chosen message attacks) in the random oracle model under the discrete logarithm assumption. We give a concrete analysis of the security reduction. When practical hash functions are used in place of truly random functions, the proposed scheme is almost as efficient as the elliptic-curve version of the Schnorr signature scheme and existing schemes with message recovery such as the elliptic-curve version of the Nyberg-Rueppel and Miyaji schemes.

In this paper, we present a framework to construct message recovery signature schemes from Sigma-protocols. The key technique of our construction is the redundancy function that adds some redundancy to the message only legitimately signed and recovered message can have. We provide a characterization of the redundancy functions that make the resulting message recovery signature scheme proven secure. Our framework includes known schemes when the building blocks are given concrete implementations, i.e., random oracles and ideal ciphers, hence presents insightful explanation to their structure.

Recently a framework called Tag-KEM/DEM was introduced to construct efficient hybrid encryption schemes. Although it is known that generic encode-then-encrypt construction of chosen ciphertext secure public-key encryption also applies to secure Tag-KEM construction and some known encoding method like OAEP can be used for this purpose, it is worth pursuing more efficient encoding method dedicated for Tag-KEM construction. This paper proposes an encoding method that yields efficient Tag-KEM schemes when combined with set partial one-way permutations such as RSA and Rabin's encryption scheme. To our knowledge, this leads to the most practical hybrid encryption scheme of this type. We also present an efficient Tag-KEM which is CCA-secure under general factoring assumption rather than Blum factoring assumption.

Novel thermopiles based on modulation doped AlGaAs/InGaAs, AlGaN/GaN, and ZnMgO/ZnO heterostructures are proposed and designed for the first time, for uncooled infrared image sensor application. These devices are expected to offer high performances due to both the superior Seebeck coefficient and the excellently high mobility of 2DEG and 2DHG due to high purity channel layers at the heterojunction interface. The AlGaAs/InGaAs thermopile has the figure-of-merit Z of as large as 1.110-2/K (ZT = 3.3 over unity at T = 300 K), and can be realized with a high responsivity R of 15,200 V/W and a high detectivity D* of 1.8109 cmHz1/2/W with uncooled low-cost potentiality. The AlGaN/GaN and the ZnMgO/ZnO thermopiles have the advantages of high sheet carrier concentration due to their large polarization charge effects (spontaneous and piezo polarization charges) as well as of a high Seebeck coefficient due to their strong phonon-drag effect. The high speed response time τ of 0.9 ms with AlGaN/GaN, and also the lower cost with ZnMgO/ZnO thermopiles can be realized. The modulation-doped heterostructure thermopiles presented here are expected to be used for uncooled infrared image sensor applications, and for monolithic integrations with other photon detectors such as InGaAs, GaN, and ZnO PiN photodiodes, as well as HEMT functional integrated circuit devices.

The Even-Goldreich-Micali framework is a generic method for constructing secure digital signature schemes from weaker signature schemes and one-time signature schemes. Several variations are known due to properties demanded on the underlying building blocks. It is in particular interesting when the underlying signature scheme is a so-called F-signature scheme that admits different message spaces for signing and verification. In this paper we overview these variations in the literature and add a new one to the bucket.

This paper presents a non-interactive and optimally resilient distributed multiplication scheme. By non-interactive we mean that the players need to use outgoing communication channels only once without the need to synchronize with the other players as long as no disruption occurs. Our protocol withstands corrupt players up to less than the half of the players, so it provides optimal resiliency. Furthermore, the shared secrets are secure even against infinitely powerful adversaries. The security is proven under the intractability assumption of the discrete logarithm problem. Those properties are achieved by using an information theoretically secure non-interactive verifiable secret sharing as a kind of non-interactive proof system between a single prover and distributed verifiers. Compared to a former interactive solution in the same setting, the cost is an increase in local computation and communication complexity that is determined by the factor of the threshold used in the verifiable secret sharing.

This paper presents a universally verifiable Mix-net where the amount of work done by a verifier is independent of the number of mix-servers. Furthermore, the computational task of each mix-server is constant with regard to the number of mix-servers except for some negligible tasks like computing hash function when no disruption occurs. The scheme also provides robustness.