This paper provides a M+1-st price auction scheme using homomorphic encryption and the mix and match technique; it offers secrecy of bidding price and public verifiability. Our scheme has low round communication complexity: 1 round from each bidder to auctioneer in bidding and log p rounds from auctioneer to trusted authority in opening when prices are selected from p prefixed choices.

Every public-key encryption scheme has to incorporate a certain amount of randomness into its ciphertexts to provide semantic security against chosen ciphertext attacks (IND-CCA). The difference between the length of a ciphertext and the embedded message is called the ciphertext overhead. While a generic brute-force adversary running in 2t steps gives a theoretical lower bound of t bits on the ciphertext overhead for IND-CPA security, the best known IND-CCA secure schemes demand roughly 2t bits even in the random oracle model. Is the t-bit gap essential for achieving IND-CCA security? We close the gap by proposing an IND-CCA secure scheme whose ciphertext overhead matches the generic lower bound up to a small constant. Our scheme uses a variation of a four-round Feistel network in the random oracle model and hence belongs to the family of OAEP-based schemes. Maybe of independent interest is a new efficient method to encrypt long messages exceeding the length of the permutation while retaining the minimal overhead.

This paper presents an efficient and generic solution in the following scenario: There are n independent people using variety of signature schemes such as DSS, RSA, Schnorr, and so on, and a subset of them attempts to sign a document without being identified which subset they are. This is a generalized scenario of the Ring Signatures by Rivest, Shamir and Tauman, whose original scenario limits the subset to be a single person and the base signature scheme to be RSA/Rabin schemes. Our scheme allows any signature schemes based on sigma-protocols and claw-free permutations. It also offers shorter signatures and less computation compared to known generic construction. The security is argued in the random oracle model as well as previous schemes and shows that our scheme achieves reduction cost linear in the number of hash queries while it is square for previous generic constructions.

This paper, for the first time, presents a provably secure signature scheme with message recovery based on the elliptic-curve discrete logarithm. The proposed scheme is proven to be secure in the strongest sense (i.e., existentially unforgeable against adaptively chosen message attacks) in the random oracle model under the discrete logarithm assumption. We give a concrete analysis of the security reduction. When practical hash functions are used in place of truly random functions, the proposed scheme is almost as efficient as the elliptic-curve version of the Schnorr signature scheme and existing schemes with message recovery such as the elliptic-curve version of the Nyberg-Rueppel and Miyaji schemes.

In this paper, we present a framework to construct message recovery signature schemes from Sigma-protocols. The key technique of our construction is the redundancy function that adds some redundancy to the message only legitimately signed and recovered message can have. We provide a characterization of the redundancy functions that make the resulting message recovery signature scheme proven secure. Our framework includes known schemes when the building blocks are given concrete implementations, i.e., random oracles and ideal ciphers, hence presents insightful explanation to their structure.

Recently a framework called Tag-KEM/DEM was introduced to construct efficient hybrid encryption schemes. Although it is known that generic encode-then-encrypt construction of chosen ciphertext secure public-key encryption also applies to secure Tag-KEM construction and some known encoding method like OAEP can be used for this purpose, it is worth pursuing more efficient encoding method dedicated for Tag-KEM construction. This paper proposes an encoding method that yields efficient Tag-KEM schemes when combined with set partial one-way permutations such as RSA and Rabin's encryption scheme. To our knowledge, this leads to the most practical hybrid encryption scheme of this type. We also present an efficient Tag-KEM which is CCA-secure under general factoring assumption rather than Blum factoring assumption.

Novel thermopiles based on modulation doped AlGaAs/InGaAs, AlGaN/GaN, and ZnMgO/ZnO heterostructures are proposed and designed for the first time, for uncooled infrared image sensor application. These devices are expected to offer high performances due to both the superior Seebeck coefficient and the excellently high mobility of 2DEG and 2DHG due to high purity channel layers at the heterojunction interface. The AlGaAs/InGaAs thermopile has the figure-of-merit Z of as large as 1.110-2/K (ZT = 3.3 over unity at T = 300 K), and can be realized with a high responsivity R of 15,200 V/W and a high detectivity D* of 1.8109 cmHz1/2/W with uncooled low-cost potentiality. The AlGaN/GaN and the ZnMgO/ZnO thermopiles have the advantages of high sheet carrier concentration due to their large polarization charge effects (spontaneous and piezo polarization charges) as well as of a high Seebeck coefficient due to their strong phonon-drag effect. The high speed response time τ of 0.9 ms with AlGaN/GaN, and also the lower cost with ZnMgO/ZnO thermopiles can be realized. The modulation-doped heterostructure thermopiles presented here are expected to be used for uncooled infrared image sensor applications, and for monolithic integrations with other photon detectors such as InGaAs, GaN, and ZnO PiN photodiodes, as well as HEMT functional integrated circuit devices.

The Even-Goldreich-Micali framework is a generic method for constructing secure digital signature schemes from weaker signature schemes and one-time signature schemes. Several variations are known due to properties demanded on the underlying building blocks. It is in particular interesting when the underlying signature scheme is a so-called F-signature scheme that admits different message spaces for signing and verification. In this paper we overview these variations in the literature and add a new one to the bucket.

This paper presents a non-interactive and optimally resilient distributed multiplication scheme. By non-interactive we mean that the players need to use outgoing communication channels only once without the need to synchronize with the other players as long as no disruption occurs. Our protocol withstands corrupt players up to less than the half of the players, so it provides optimal resiliency. Furthermore, the shared secrets are secure even against infinitely powerful adversaries. The security is proven under the intractability assumption of the discrete logarithm problem. Those properties are achieved by using an information theoretically secure non-interactive verifiable secret sharing as a kind of non-interactive proof system between a single prover and distributed verifiers. Compared to a former interactive solution in the same setting, the cost is an increase in local computation and communication complexity that is determined by the factor of the threshold used in the verifiable secret sharing.

This paper presents a universally verifiable Mix-net where the amount of work done by a verifier is independent of the number of mix-servers. Furthermore, the computational task of each mix-server is constant with regard to the number of mix-servers except for some negligible tasks like computing hash function when no disruption occurs. The scheme also provides robustness.

In this paper we discuss how one can delegate his power to authenticate or sign documents to others who, again, can delegate the power to someone else. A practical cryptographic solution would be to issue a certificate that consists of one's signature. The final verifier checks verifies the chain of these certificates. This paper provides an efficient and provably secure scheme that is suitable for such a delegation chain. We prove the security of our scheme against an adaptive chosen message attack in the random oracle model. Though our primary application would be agent systems where some agents work on behalf of a user, some other applications and variants will be discussed as well. One of the variants enjoys a threshold feature whereby one can delegate his power to a group so that they have less chance to abuse their power. Another application is an identity-based signature scheme that provides faster verification capability and less communication complexity compared to those provided by existing certificate-based public key infrastructure.

This paper describes our new technology for creating a highly productive 0. 1 µm gate InGaP/InGaAs HEMT with a GaAs substrate for a millimeter-wave MMIC. We applied a phase-shifting photo lithographic technique and sidewall deposition/etching process to fabricate a 0. 1 µm gate electrode. The fabricated HEMTs showed excellent high-frequency performance; An MSG exceeding 10 dB at 60 GHz. We also fabricated a 60 GHz band, four-stage low-noise amplifier MMIC and demonstrated its superior performance (Gain= 27 dB and NF= 3. 1 dB @61 GHz). These results strongly suggest that our InGaP/InGaAs HEMTs technologies are highly applicable for millimeter-wave applications.

We developed a 32-bit pseudorandom number generator (RNG) operating at liquid nitrogen temperature based on HEMT ICs. It generates maximum-length-sequence codes whose primitive polynomial is X47+X42+1 with the period of 247-1 clock cycle. We designed and fabricated three kinds of cryogenic HEMT IC for this system: A 1306-gate controller IC, a 3319-gate pseudorandom number generator (RNG) IC, and a buffer IC containing a 4-kb RAM and 514 gates. We used 0.6-µm gate-length Se-doped GaAlAs/GaAs HEMTs. Interconnects were Al for the first layer and Au/Pt/Ti for the second layer with a SiON insulator between them. The HEMT ICs have direct-coupled FET logic (DCFL) gates internally and emitter-coupled logic (ECL) compatible input-putput buffers. The unloaded basic delay of the DCFL gate was 17 ps/gate with a power consumption of 1.4 mW/gate at liquid nitrogen temperature. We used an automatic cryogenic wafer probe we developed and an IC tester for function tests, and used a high-speed performance measuring system we also developed with a bandwidth of more than 20 GHz for high-speed performance tests. Power dissipations were 3.8 W for the controller IC, 4.5 W for the RNG IC, and 3.0 W for the buffer IC. The RNG IC, the largest of the three HEMT ICs, had a maximum operating clock rate of 1.6 GHz at liquid nitrogen temperature. We submerged a specially developed zirconium ceramic printed circuit board carrying the HEMT ICs in a closed-cycle cooling system. The HEMT ICs were flip-chip-packaged on the board with bumps containing indium as the principal component. We confirmed that the RNG system operates at liquid nitrogen temperature and measured a minimum system clock period of 1.49 ns.

Inner product functional encryption (IPFE) is a subclass of functional encryption (FE), whose function class is limited to inner product. We construct an efficient private-key IPFE scheme with full-hiding security, where confidentiality is assured for not only encrypted data but also functions associated with secret keys. Recently, Datta et al. presented such a scheme in PKC 2016 and this is the only scheme that achieves full-hiding security. Our scheme has an advantage over their scheme for the two aspects. More efficient: keys and ciphertexts of our scheme are almost half the size of those of their scheme. Weaker assumption: our scheme is secure under the k-linear (k-Lin) assumption, while their scheme is secure under a stronger assumption, namely, the symmetric external Diffie-Hellman (SXDH) assumption. It is well-known that the k-Lin assumption is equivalent to the SXDH assumption when k=1 and becomes weak as k increases.

Contribution of this paper is twofold: First we introduce weaknesses of two Mix-nets claimed to be robust in the literature. Since such flaws are due to their weak security definitions, we then present a stronger security definition by regarding a Mix-net as a batch decryption algorithm of a CCA secure public-key encryption scheme. We show two concrete attacks on the schemes proposed in [1] and [2]. The scheme in [1] loses anonymity in the presence of a malicious user even though all servers are honest. The scheme in [2] also loses anonymity through the collaboration of a malicious user and the first server. In the later case the user can identify the plaintext sent from the targeted user by invoking two mix sessions at the risk of the colluding server receiving an accusation. We also point out that in a certain case, anonymity is violated solely by the user without colluding to any server. Heuristic repairs are provided for both schemes.

Phase pure cubic (c-) GaN/AlGaN heterostructures on 3C-SiC free standing (001) substrates have successfully been developed. Almost complete (100%) phase pure c-GaN films are achieved with 2-nm surface roughness on 3C-SiC substrate and stoichiometric growth conditions. The polarization effect in c-GaN/AlGaN has been evaluated, based on measuring the transition energy of GaN/AlGaN quantum wells (QWs). It is demonstrated that the polarization electric fields are negligible small in c-GaN/AlGaN/3C-SiC compared with those of hexagonal (h-)GaN/AlGaN, 710 kV/cm for Al content x of 0.15, and 1.4 MV/cm for x of 0.25. A sheet carrier concentration of c-GaN/AlGaN heterojunction interface is estimated to 1.61012 cm-2, one order of magnitude smaller than that of h-GaN/AlGaN. The band diagrams of c-GaN/AlGaN HEMTs have been simulated to demonstrate the normally-off mode operation. The blocking voltage capability of GaN films was demonstrated with C-V measurement of Schottky diode test vehicle, and extrapolated higher than 600 V in c-GaN films at a doping level below 51015 cm-3, to show the possibility for high power electronics applications.

After the work of Impagliazzo and Rudich (STOC, 1989), the black box framework has become one of the main research domain of cryptography. However black box techniques say nothing about non-black box techniques such as making use of zero-knowledge proofs. Brakerski et al. introduced a new black box framework named augmented black box framework, in which they gave a zero-knowledge proof oracle in addition to a base primitive oracle (TCC, 2011). They showed a construction of a non-interactive zero knowledge proof system based on a witness indistinguishable proof system oracle. They presented augmented black box construction of chosen ciphertext secure public key encryption scheme based on chosen plaintext secure public key encryption scheme and augmented black box separation between one-way function and key agreement. In this paper we simplify the work of Brakerski et al. by introducing a proof system oracle without witness indistinguishability, named coin-free proof system oracle, that aims to give the same construction and separation results of previous work. As a result, the augmented black box framework becomes easier to handle. Since our oracle is not witness indistinguishable, our result encompasses the result of previous work.

Bilinear-type conversion is to translate a cryptographic scheme designed over symmetric bilinear groups into one that works over asymmetric bilinear groups with small overhead regarding the size of objects concerned in the target scheme. In this paper, we address scalability for converting complex cryptographic schemes. Our contribution is threefold. Investigating complexity of bilinear-type conversion. We show that there exists no polynomial-time algorithm for worst-case inputs under standard complexity assumption. It means that bilinear-type conversion in general is an inherently difficult problem. Presenting a new scalable conversion method. Nevertheless, we show that large-scale conversion is indeed possible in practice when the target schemes are built from smaller building blocks with some structure. We present a novel conversion method, called IPConv, that uses 0-1 Integer Programming instantiated with a widely available IP solver. It instantly converts schemes containing more than a thousand of variables and hundreds of pairings. Application to computer-aided design. Our conversion method is also useful in modular design of middle to large scale cryptographic applications; first construct over simpler symmetric bilinear groups and run over efficient asymmetric groups. Thus one can avoid complication of manually allocating variables over asymmetric bilinear groups. We demonstrate its usefulness by somewhat counter-intuitive examples where converted DLIN-based Groth-Sahai proofs are more compact than manually built SXDH-based proofs. Though the early purpose of bilinear-type conversion is to save existing schemes from attacks against symmetric bilinear groups, our new scalable conversion method will find more applications beyond the original goal. Indeed, the above computer-aided design can be seen as a step toward automated modular design of cryptographic schemes.

This paper presents a Mix-net that has the following properties; (1) it efficiently handles long plaintexts that exceed the modulus size of the underlying public-key encryption scheme as well as very short ones (length-flexibility), (2) input ciphertext length is not impacted by the number of mix-servers (length-invariance), and (3) its security in terms of anonymity can be proven in a formal way (probable security). If desired, one can add robustness so that it outputs correct results in the presence of corrupt users and servers. The security is proven in such a sense that breaking the anonymity of our Mix-net is equivalent to breaking the indistinguishability assumption of the underlying symmetric encryption scheme or the Decision Diffie-Hellman assumption.

We present an efficient Hybrid Mix scheme that provides both routing flexibility and the optimal length of ciphertext. Although it is rather easy to embed routing information in the ciphertext, and a scheme that provides the optimal length of ciphertext is already known, it is not a trivial task to achieve both properties all at the same time. A critical obstacle for providing the optimal length of ciphertext is the session-key encapsulation header in a ciphertext that carries the encrypted session-key to each router, which linearly increases according to the number of intermediate routers. We solve this problem by improving the previously reported Hybrid Mix scheme such that the resulting scheme benefits from routing flexibility with a constant length of such headers. Our basic scheme is only secure against honest, but curious intermediate routers. Therefore, we further address the robustness issue to prevent malicious behavior by incorporating and improving an existing efficient approach based on the Message Authentication Code.