In the IEEE 802.11 MAC protocol, access points (APs) are given the same priority as wireless terminals in terms of acquiring the wireless link, even though they aggregate several downlink flows. This feature leads to a serious throughput degradation of downlink flows, compared with uplink flows. In this paper, we propose a dynamic contention window control scheme for the IEEE 802.11e EDCA-based wireless LANs, in order to achieve fairness between uplink and downlink TCP flows while guaranteeing QoS requirements for real-time traffic. The proposed scheme first determines the minimum contention window size in the best-effort access category at APs, based on the number of TCP flows. It then determines the minimum and maximum contention window sizes in higher priority access categories, such as voice and video, so as to guarantee QoS requirements for these real-time traffic. Note that the proposed scheme does not require any modification to the MAC protocol at wireless terminals. Through simulation experiments, we show the effectiveness of the proposed scheme.

In IEEE 802.11 wireless local area networks (WLANs), contention window (CW) in carrier sense multiple access with collision avoidance (CSMA/CA) is one of the most important techniques determining throughput performance. In this paper, we propose a novel CW control scheme to achieve high transmission efficiency in dense user environments. Whereas the standard CSMA/CA mechanism. Employs an adaptive CW control scheme that responds to the number of retransmissions, the proposed scheme uses the optimum CW size, which is shown to be a function of the number of terminal stations. In the proposed scheme, the number of terminal stations are estimated from the probability of packet collision measured at an access point (AP). The optimum CW size is then derived from a theoretical analysis based on a Markov chain model. We evaluate the performance of the proposed scheme with simulation experiments and show that it significantly improves the throughput performance.

Fault-tolerant aggregate signature (FT-AS) is a special type of aggregate signature that is equipped with the functionality for tracing signers who generated invalid signatures in the case an aggregate signature is detected as invalid. In existing FT-AS schemes (whose tracing functionality requires multi-rounds), a verifier needs to send a feedback to an aggregator for efficiently tracing the invalid signer(s). However, in practice, if this feedback is not responded to the aggregator in a sufficiently fast and timely manner, the tracing process will fail. Therefore, it is important to estimate whether this feedback can be responded and received in time on a real system. In this work, we measure the total processing time required for the feedback by implementing an existing FT-AS scheme, and evaluate whether the scheme works without problems in real systems. Our experimental results show that the time required for the feedback is 605.3 ms for a typical parameter setting, which indicates that if the acceptable feedback time is significantly larger than a few hundred ms, the existing FT-AS scheme would effectively work in such systems. However, there are situations where such feedback time is not acceptable, in which case the existing FT-AS scheme cannot be used. Therefore, we further propose a novel FT-AS scheme that does not require any feedback. We also implement our new scheme and show that a feedback in this scheme is completely eliminated but the size of its aggregate signature (affecting the communication cost from the aggregator to the verifier) is 144.9 times larger than that of the existing FT-AS scheme (with feedbacks) for a typical parameter setting, and thus has a trade-off between the feedback waiting time and the communication cost from the verifier to the aggregator with the existing FT-AS scheme.

TCP/IP is a key technology in the next generation mobile communication networks. A significant amount of wireless traffic will be carried in the Internet, and wireless connections will have to share network resources with wired connections. However, in a wireless network environment, TCP suffers significant throughput degradation due to the lossy characteristic of a wireless link. Therefore, to design the next generation mobile networks, it is necessary to know how much the wireless connection suffers from the degradation in comparison to the wired connection. In this paper, we discuss the fairness issue between TCP connections over wireless and wired links, and theoretically analyze the fairness of throughput between TCP over wireless link with ARQ (Automatic Repeat reQuest)-based link layer error recovery and TCP over error-free wired link. We validate our analysis by comparing the numerical results obtained from the analysis with the results obtained from computer simulation. The numerical results show that the fairness is sensitive to network propagation delay and variation rapidity of wireless link characteristic. We also obtain the theoretical lower bound of fairness.

In wireless links between ground stations and UAVs (Unmanned Aerial Vehicles), wireless signals may be attenuated by obstructions such as buildings. A three-dimensional RSS (Received Signal Strength) map (3D-RSS map), which represents a set of RSSs at various reception points in a three-dimensional area, is a promising geographical database that can be used to design reliable ground-to-air wireless links. The construction of a 3D-RSS map requires higher computational complexity, especially for a large 3D area. In order to sequentially estimate a 3D-RSS map from partial observations of RSS values in the 3D area, we propose a graph Laplacian-based sequential smooth estimator. In the proposed estimator, the 3D area is divided into voxels, and a UAV observes the RSS values at the voxels along a predetermined path. By considering the voxels as vertices in an undirected graph, a measurement graph is dynamically constructed using vertices from which recent observations were obtained and their neighboring vertices, and the 3D-RSS map is sequentially estimated by performing graph Laplacian regularized least square estimation.

In this paper, we propose a similarity searchable encryption in the symmetric key setting for the weighted Euclidean distance, by extending the functional encryption scheme for inner product proposed by Bishop et al. [4]. Our scheme performs predetermined encoding independently of vectors x and y, and it obtains the weighted Euclidean distance between the two vectors while they remain encrypted.

In the mobile Internet, a handover brings significant performance degradation of TCP due to bursty packet losses during handover processing. In this paper, we propose a new bandwidth control for improving the TCP performance. In the proposed system, when a mobile node changes its accessing base station, an intermediate router suppresses an available bandwidth to the corresponding TCP flow. Because suppressing the bandwidth results in reducing mis-forwarded packets to the old base station, the bursty packet losses can be avoided. In the hierarchical mobile network structure, which is recently developed in order to realize micro-mobility protocol, all packets transferred to mobile nodes are converged to several gateways such as mobility anchor points (MAP) in hierarchical Mobile IPv6 (HMIPv6). Therefore, the proposed system is suited to the hierarchical structure because it can be easily implemented at such gateways. Computer simulation results show that the proposed system can improve the TCP performance degradation especially in a situation where handovers frequently occur.

Network tomography is an inference technique for internal network characteristics such as link loss rate and link delay from end-to-end measurements. In this paper, we consider network tomography for link loss rates, which is referred to as loss tomography. We propose a loss tomography scheme with bitwise operation-based in-network processing. Intermediate nodes generate coded packets by performing bitwise-operations on received packets so as to embed information about paths along which those packets have been transmitted. The coded packets are then forwarded to downstream nodes. In this way, receiver nodes obtain information about paths along which packets are transmitted successfully. Moreover, we show a recursion to compute the likelihood function of path loss rates, which can be utilized in estimating link loss rates from path loss information.

In a large-scale information-sharing platform, such as a cloud storage, it is often required to not only securely protect sensitive information but also recover it in a reliable manner. Public-key encryption with non-interactive opening (PKENO) is considered as a suitable cryptographic tool for this requirement. This primitive is an extension of public-key encryption which enables a receiver to provide a non-interactive proof which confirms that a given ciphertext is decrypted to some public plaintext. In this paper, we present a Tag-KEM/DEM framework for PKENO. In particular, we define a new cryptographic primitive called a Tag-KEM with non-interactive opening (Tag-KEMNO), and prove the KEM/DEM composition theorem for this primitives, which ensures a key encapsulation mechanism (KEM) and a data encapsulation mechanism (DEM) can be, under certain conditions, combined to form a secure PKENO scheme. This theorem provides a secure way of combining a Tag-KEMNO scheme with a DEM scheme to construct a secure PKENO scheme. Using this framework, we explain the essence of existing constructions of PKENO. Furthermore, we present four constructions of Tag-KEMNO, which yields four PKENO constructions. These PKENO constructions coincide with the existing constructions, thereby we explain the essence of these existing constructions. In addition, our Tag-KEMNO framework enables us to expand the plaintext space of a PKENO scheme. Some of the previous PKENO schemes are only able to encrypt a plaintext of restricted length, and there has been no known way to expand this restricted plaintext space to the space of arbitrary-length plaintexts. Using our framework, we can obtain a PKENO scheme with the unbounded-length plaintext space by modifying and adapting such a PKENO scheme with a bounded-length plaintext space.

Unforgeability of digital signatures is closely related to the security of hash functions since hashing messages, such as hash-and-sign paradigm, is necessary in order to sign (arbitrarily) long messages. Recent successful collision finding attacks against practical hash functions would indicate that constructing practical collision resistant hash functions is difficult to achieve. Thus, it is worth considering to relax the requirement of collision resistance for hash functions that is used to hash messages in signature schemes. Currently, the most efficient strongly unforgeable signature scheme in the standard model which is based on the CDH assumption (in bilinear groups) is the Boneh-Shen-Waters (BSW) signature proposed in 2006. In their scheme, however, a collision resistant hash function is necessary to prove its security. In this paper, we construct a signature scheme which has the same properties as the BSW scheme but does not rely on collision resistant hash functions. Instead, we use a target collision resistant hash function, which is a strictly weaker primitive than a collision resistant hash function. Our scheme is, in terms of the signature size and the computational cost, as efficient as the BSW scheme.

In the ordinary security model for signature schemes, we consider an adversary that tries to forge a signature on a new message using only his knowledge of other valid message and signature pairs. To take into account side channel attacks such as tampering or fault-injection attacks, Bellare and Kohno (Eurocrypt 2003) formalized related-key attacks (RKA), where stronger adversaries are considered. In the RKA security model for signature schemes, we consider an adversary that can also manipulate the signing key and obtain signatures computed under the modified key. RKA security is defined with respect to the related-key deriving functions which are used by an adversary to manipulate the signing key. This paper considers RKA security of three established signature schemes: the Schnorr signature scheme, a variant of DSA, and a variant of ElGamal signature scheme. First, we show that these signature schemes are secure against a weak notion of RKA with respect to polynomial functions. Second, we demonstrate that, on the other hand, none of the Schnorr signature scheme, DSA, nor the ElGamal signature scheme achieves the standard notion of RKA security with respect to linear functions, by showing concrete attacks on these. Lastly, we show that slight modifications of the Schnorr signature scheme, (the considered variant of) DSA, and the variant of ElGamal signature scheme yield fully RKA secure schemes with respect to polynomial functions.

Multicast transmission, which can send the same information simultaneously to multiple users, is a key technology in content delivery networks. In this paper, we discuss a new multicast architecture with network coding proposed by Li et al. , which breaks limitation of existing IP multicast in terms of network resource utilization. Network coding based multicast can achieve the max-flow, which is the theoretical upper bound of network resource utilization. However, the max-flow transmission is not always effective and may not be robust against congestion because it maximally uses link capacity of multicast distribution tree. In this paper, we first introduce a load balancing method of network coding as an alternative use to the max-flow transmission. Next, we study the feasibility of network coding based multicast architecture from performance aspect and evaluate the network coding in terms of the max-flow and load balancing with a computer simulation. There has been no evaluation of network coding in practical network environment with packet losses and propagation delay. We also describe required key techniques and technical problems to implement network coding on the current IP networks. Our results will offer valuable insight for designing the future Internet with higher and more effective network utilization.

We study wireless networked control systems (WNCSs), where controllers (CLs), controlled objects (COs), and other devices are connected through wireless networks. In WNCSs, COs can become unstable due to bursty packet losses and random delays on wireless networks. To reduce these network-induced effects, we utilize the packetized predictive control (PPC) method, where future control vectors to compensate bursty packet losses are generated in the receiving horizon manner, and they are packed into packets and transferred to a CO unit. In this paper, we extend the PPC method so as to compensate random delays as well as bursty packet losses. In the extended PPC method, generating many control vectors improves the robustness against both problems while it increases traffic on wireless networks. Therefore, we consider control vector selection to improve the robustness effectively under the constraint of single packet transmission. We first reconsider the input strategy of control vectors received by COs and propose a control vector selection scheme suitable for the strategy. In our selection scheme, control vectors are selected based on the estimated average and variance of round-trip delays. Moreover, we solve the problem that the CL may misconceive the CO's state due to insufficient information for state estimation. Simulation results show that our selection scheme achieves the higher robustness against both bursty packet losses and delays in terms of the 2-norm of the CO's state.

In this paper, we consider the broadcast storm problem in dense wireless ad hoc networks where interference among densely populated wireless nodes causes significant packet loss. To resolve the problem, we apply randomized network coding (RNC) to the networks. RNC is a completely different approach from existing techniques to resolve the problem, and it reduces the number of outstanding packets in the networks by encoding several packets into a single packet. RNC is a kind of linear network coding, and it is suited to wireless ad hoc networks because it can be implemented in a completely distributed manner. We describe a procedure for implementing the wireless ad hoc broadcasting with RNC. Further, with several simulation scenarios, we provide some insights on the relationship between the system parameters and performance and find that there is the optimal length of coding vectors for RNC in terms of packet loss probability. We also show a guideline for the parameter setting to resolve the broadcast storm problem successfully.

The window flow control based end-to-end TCP congestion control may cause unfair resource allocation among multiple TCP connections with different RTTs (round trip times) at a bottleneck link. In this paper, in order to improve this unfairness, we propose the active ECN which is an ECN based active queue mechanism (AQM). A bottleneck router with the proposed mechanism marks TCP segments with a probability which depends on the RTT of each connection. By enabling the TCP senders to reduce their transmission rate when their packets are marked, the proposed mechanism can realize the same transmission rate among TCP connections with different RTTs. Furthermore, the active ECN can directly mark ACKs from TCP receivers, while the conventional ECN marks TCP segments coming from the TCP senders. As a result, the queue length distribution at the bottleneck link gets stabilized, because the sender can quickly react to the marking according to variation of the queue length.

Homomorphic encryption (HE) is useful to analyze encrypted data without decrypting it. However, by using ordinary HE, a user who can decrypt a ciphertext that is generated by executing homomorphic operations, can also decrypt ciphertexts on which homomorphic evaluations have not been performed, since homomorphic operations cannot be executed among ciphertexts which are encrypted under different public keys. To resolve the above problem, we introduce a new cryptographic primitive called Homomorphic Proxy Re-Encryption (HPRE) combining the “key-switching” property of Proxy Re-Encryption (PRE) and the homomorphic property of HE. In our HPRE, original ciphertexts (which have not been re-encrypted) guarantee CCA2 security (and in particular satisfy non-malleability). On the other hand, re-encrypted ciphertexts only guarantee CPA security, so that homomorphic operations can be performed on them. We define the functional/security requirements of HPRE, and then propose a specific construction supporting the group operation (over the target group in bilinear groups) based on the PRE scheme by Libert and Vergnaud (PKC 2008) and the CCA secure public key encryption scheme by Lai et al. (CT-RSA 2010), and prove its security in the standard model. Additionally, we show two extensions of our HPRE scheme for the group operation: an HPRE scheme for addition and an HPRE scheme for degree-2 polynomials (in which the number of degree-2 terms is constant), by using the technique of the recent work by Catalano and Fiore (ACMCCS 2015).

Machine learning models inherently memorize significant amounts of information, and thus hiding not only prediction processes but also trained models, i.e., model obliviousness, is desirable in the cloud setting. Several works achieved model obliviousness with the MNIST dataset, but datasets that include complicated samples, e.g., CIFAR-10 and CIFAR-100, are also used in actual applications, such as face recognition. Secret sharing-based secure prediction for CIFAR-10 is difficult to achieve. When a deep layer architecture such as CNN is used, the calculation error when performing secret calculation becomes large and the accuracy deteriorates. In addition, if detailed calculations are performed to improve accuracy, a large amount of calculation is required. Therefore, even if the conventional method is applied to CNN as it is, good results as described in the paper cannot be obtained. In this paper, we propose two approaches to solve this problem. Firstly, we propose a new protocol named Batch-normalizedActivation that combines BatchNormalization and Activation. Since BatchNormalization includes real number operations, when performing secret calculation, parameters must be converted into integers, which causes a calculation error and decrease accuracy. By using our protocol, calculation errors can be eliminated, and accuracy degradation can be eliminated. Further, the processing is simplified, and the amount of calculation is reduced. Secondly, we explore a secret computation friendly and high accuracy architecture. Related works use a low-accuracy, simple architecture, but in reality, a high accuracy architecture should be used. Therefore, we also explored a high accuracy architecture for the CIFAR10 dataset. Our proposed protocol can compute prediction of CIFAR-10 within 15.05 seconds with 87.36% accuracy while providing model obliviousness.

In this paper, we discuss TCP performance in a wireless overlay network where wireless LANs and cellular networks are integrated. In the overlay network, vertical handover, where a mobile node changes its access link during a session, is one of the most important technologies. When a vertical handover occurs, throughput performance of a TCP flow is degraded due to not only packet losses during the handover, but drastic change of its bandwidth-delay product. In this paper, we propose an ACK-pacing mechanism for TCP congestion control to improve the performance degradation. The proposed system is receiver-driven, so no modification is required to the mechanism of TCP sender. In the proposed system, a TCP receiver adjusts a transmission rate of ACKs according to the relationship between bandwidth-delay products before and after a handover. Since the ACK-clocking mechanism of TCP adjusts the transmission rate of TCP segments, the TCP receiver can seamlessly adjust its congestion window size to the new bandwidth-delay product. Computer simulation results show that the proposed system can improve the TCP performance during the vertical handover.

In the situation where there are one sender and multiple receivers, a receiver selective opening (RSO) attack for an identity-based encryption (IBE) scheme considers adversaries that can corrupt some of the receivers and get their user secret keys and plaintexts. Security against RSO attacks for an IBE scheme ensures confidentiality of ciphertexts of uncorrupted receivers. In this paper, we formalize a definition of RSO security against chosen ciphertext attacks (RSO-CCA security) for IBE and propose the first RSO-CCA secure IBE schemes. More specifically, we construct an RSO-CCA secure IBE scheme based on an IND-ID-CPA secure IBE scheme and a non-interactive zero-knowledge proof system with unbounded simulation soundness and multi-theorem zero-knowledge. Through our generic construction, we obtain the first pairing-based and lattice-based RSO-CCA secure IBE schemes.

Wireless networked control systems (WNCSs) are control systems whose components are connected through wireless networks. In WNCSs, a controlled object (CO) could become unstable due to bursty packet losses in addition to random packet losses and round-trip delays on wireless networks. In this paper, to reduce these network-induced effects, we propose a new design for multihop TDMA-based WNCSs with two-disjoint-path switching, where two disjoint paths are established between a controller and a CO, and they are switched if bursty packet losses are detected. In this system, we face the following two difficulties: (i) link scheduling in TDMA should be done in such a way that two paths can be switched without rescheduling, taking into account of the constraint of control systems. (ii) the conventional cross-layer design method of control systems is not directly applicable because round-trip delays may vary according to the path being used. Therefore, to overcome the difficulties raised by the two-path approach, we reformulate link scheduling in multihop TDMA and cross-layer design for control systems. Simulation results confirm that the proposed WNCS achieves better performance in terms of the 2-norm of CO's states.