Author Search Result

[Author] Toru NAKANISHI(29hit)

1-20hit(29hit)

  • A Group Signature Scheme with Efficient Membership Revocation for Middle-Scale Groups

    Toru NAKANISHI  Yuji SUGIYAMA

    PAPER
    Vol: E88-A No:5  Page(s): 1224-1233

    This paper proposes a group signature scheme with efficient membership revocation. Although group signature schemes with efficient membership revocation based on a dynamic accumulator have been proposed, the previous schemes force a member to change his secret key whenever he makes a signature. Furthermore, for the modification, the member has to obtain public membership information of O(nN) bits, where n is the length of the RSA modulus and N is the total number of joining members and removed members. In our scheme, the signer needs no modification of his secret, and the public membership information has only K bits, where K is the maximal number of members. Thus, for middle-scale groups whose size is comparable to the RSA modulus size (e.g., up to about 1000 members for a 1024-bit RSA modulus), the public membership information is only a single small value, while signing/verification also remains efficient.

  • A Fixed Backoff-Time Switching Method for CSMA/CA Protocol in Wireless Mesh Networks

    Sritrusta SUKARIDHOTO  Nobuo FUNABIKI  Toru NAKANISHI  Kan WATANABE  Shigeto TAJIMA

    PAPER-Wireless Communication Technologies
    Vol: E96-B No:4  Page(s): 1019-1029

    As a flexible and cost-efficient scalable Internet access network, we studied architectures, protocols, and design optimizations of the Wireless Internet-access Mesh NETwork (WIMNET). WIMNET is composed of multiple access points (APs) connected through multihop wireless communications on IEEE 802.11 standards. The increasing popularity of real-time applications such as IP-phones and IP-TV means that they should be supported in WIMNET. However, the contention resolution mechanism using a random backoff-time in the CSMA/CA protocol of 802.11 standards is not sufficient for handling real-time traffic in multihop wireless communications. In this paper, we propose a Fixed Backoff-time Switching (FBS) method for the CSMA/CA protocol to improve the real-time traffic performance in WIMNET by giving the necessary activation chances to each link. We implement our proposal on the QualNet simulator, and verify its effectiveness through simulations on three network topologies with four scenarios.

  • Sealed-Bid Auctions with Efficient Bids Using Secure Bit-Slicing Conversion

    Toru NAKANISHI  Yuji SUGIYAMA

    PAPER-Cryptography and Information Security
    Vol: E87-A No:10  Page(s): 2533-2542

    Efficient general secure multiparty computation (MPC) protocols were previously proposed, and their combination with efficient auction circuits achieves efficient sealed-bid auctions with full privacy and correctness. However, the combination requires that each bidder submits ciphertexts of the bits representing his bid, together with their zero-knowledge proofs. This cost amounts to about 80 multi-exponentiations in the usual case where the bid size is 20 bits (i.e., about 1,000,000 bid prices). This paper proposes sealed-bid auction protocols based on the efficient MPC protocols, where a bidder can submit only a single ciphertext. The bidder's cost is a few multi-exponentiations, and thus the proposed protocols are suitable for mobile bidders. The novel technique behind this is a bit-slicing conversion by multiple servers, where a single ciphertext for a bid is securely converted into ciphertexts of the bits representing the bid.

  • An Anonymous Credential System with Constant-Size Attribute Proofs for CNF Formulas with Negations

    Ryo OKISHIMA  Toru NAKANISHI

    PAPER-Cryptography and Information Security
    Vol: E103-A No:12  Page(s): 1381-1392

    To enhance the user's privacy in electronic ID, anonymous credential systems have been researched. In an anonymous credential system, a trusted issuing organization first issues to a user a certificate certifying the user's attributes. Then, in addition to possession of the certificate, the user can anonymously prove only the necessary attributes. Previously, an anonymous credential system was proposed in which CNF (Conjunctive Normal Form) formulas on attributes can be proved. Its advantage is that the attribute proof in the authentication has constant size in both the number of attributes the user owns and the size of the proved formula. Thus, various expressive logical relations on attributes can be efficiently verified. However, the previous system has a limitation: the proved CNF formulas cannot include any negation. Therefore, in this paper, we propose an anonymous credential system with constant-size attribute proofs such that the user can prove CNF formulas with negations. For the proposed system, we extend the previous accumulator for the limited CNF formulas to verify CNF formulas with negations.

  • An Access Point Allocation Algorithm for Indoor Environments in Wireless Mesh Networks

    Tamer FARAG  Nobuo FUNABIKI  Toru NAKANISHI

    PAPER
    Vol: E92-B No:3  Page(s): 784-793

    As a flexible, cost-effective solution for a large-scale access network to the Internet, we have studied the design optimization of the Wireless Internet-access Mesh NETwork (WIMNET). WIMNET consists of multiple access points (APs) that have wireless links between them, mainly on the wireless distribution system (WDS). In WIMNET, the links around the Internet gateway can be bottlenecks because every packet passes through it after multihop link activations. Besides, the link quality may be degraded by obstacles in indoor environments. Thus, the proper allocation of APs is essential in WIMNET, so that communication quality is ensured while the installation and management cost is minimized. In this paper, we formulate this AP allocation problem for indoor environments in WIMNET and prove the NP-completeness of its decision version. Then, we present a two-stage heuristic algorithm composed of an initial greedy allocation and an iterative improvement. The effectiveness of our proposal is verified through extensive simulations in three indoor environments.

  • An Efficient On-Line Electronic Cash with Unlinkable Exact Payments

    Toru NAKANISHI  Yuji SUGIYAMA

    PAPER-Cryptography and Information Security
    Vol: E88-A No:10  Page(s): 2769-2777

    Although there is intensive research on off-line electronic cash (e-cash), the current computer network infrastructure sufficiently supports on-line e-cash. On-line means that the payment protocol involves the bank, and off-line means no such involvement. For customers' privacy, the e-cash system should satisfy unlinkability, i.e., no pair of payments can be linked as coming from the same payer. In addition, for convenience, exact payments, i.e., payments of arbitrary amounts, should also be possible. In an existing off-line system with unlinkable exact payments, the customers need massive computations. On the other hand, an existing on-line system does not achieve efficiency and perfect unlinkability simultaneously. This paper proposes an on-line system in which efficiency and perfect unlinkability are achieved simultaneously.

  • Efficient Proofs for CNF Formulas on Attributes in Pairing-Based Anonymous Credential System

    Nasima BEGUM  Toru NAKANISHI  Nobuo FUNABIKI

    PAPER-Information Security
    Vol: E96-A No:12  Page(s): 2422-2433

    To enhance user privacy, anonymous credential systems allow the user to anonymously convince a verifier of possession of a certificate issued by the issuing authority. In these systems, the user can prove relations on his/her attributes embedded in the certificate. Previously, a pairing-based anonymous credential system with proofs of constant size in the number of the user's attributes was proposed. This system supports proofs of inner product relations on attributes, and thus can handle complex logical relations on attributes such as CNF and DNF formulas. However, this system suffers from its computational cost: the proof generation needs a number of exponentiations depending on the number of literals in OR relations. In this paper, we propose a pairing-based anonymous credential system with constant-size proofs for CNF formulas and more efficient proof generation. In the proposed system, the proof generation needs only multiplications depending on the number of literals, and thus it is more efficient than the previously proposed system. The key of our construction is an extended accumulator, by which we can verify that multiple attributes are included in multiple sets, all at once. This leads to the verification of CNF formulas on attributes. Since the accumulator is computed mainly by multiplications, we achieve better computational costs.

  • Efficient Zero-Knowledge Proofs of Graph Signature for Connectivity and Isolation Using Bilinear-Map Accumulator

    Toru NAKANISHI  Hiromi YOSHINO  Tomoki MURAKAMI  Guru-Vamsi POLICHARLA

    PAPER-Cryptography and Information Security
    Publicized: 2021/09/08
    Vol: E105-A No:3  Page(s): 389-403

    To prove graph relations such as connectivity and isolation for a certified graph, a system of a graph signature and proofs has been proposed. In this system, an issuer generates a signature certifying the topology of an undirected graph, and issues the signature to a prover. The prover can prove knowledge of the signature and the graph in zero-knowledge, i.e., the signature and the signed graph remain hidden. In addition, the prover can prove relations on the certified graph such as the connectivity and isolation between two vertices. In the previous system, the graph relations are proved using integer commitments over an RSA modulus. However, the RSA modulus needs a longer size for each element. Furthermore, the proof size and verification cost depend on the total numbers of vertices and edges. In this paper, we propose a graph signature and proof system in which these are computed on bilinear groups without an RSA modulus. Moreover, using a bilinear map accumulator, the prover can prove connectivity and isolation on a graph, where the proof size and verification cost become independent of the total numbers of vertices and edges.

  • An Efficient Blacklistable Anonymous Credentials without TTP of Tracing Authority Using Pairing-Based Accumulator

    Yuu AIKOU  Shahidatul SADIAH  Toru NAKANISHI

    PAPER-Cryptography and Information Security
    Vol: E102-A No:12  Page(s): 1968-1979

    In conventional ID-based user authentications, privacy issues may occur, since users' behavior histories are collected by Service Providers (SPs). Although anonymous authentications such as group signatures have been proposed, these schemes rely on a Trusted Third Party (TTP) capable of tracing misbehaving users. Thus, privacy is not high, because the TTP acting as tracing authority can always trace users. Therefore, an anonymous credential system using a blacklist without a TTP tracing authority has been proposed, in which blacklisted anonymous users can be blocked. Recently, an RSA-based blacklistable anonymous credential system with improved efficiency has been proposed. However, this system still has an efficiency problem: the data size in the authentication is O(K'), where K' is the maximum number of sessions that the user can conduct. Furthermore, the O(K')-size data costs the user O(K') exponentiations. In this paper, a blacklistable anonymous credential system using a pairing-based accumulator is proposed. In the proposed system, the data size in the authentication is constant in the parameters. Although the user's computational cost depends on the parameters, the dependent cost is O(δBL·K) multiplications instead of exponentiations, where δBL is the number of sessions added to the blacklist after the last authentication of the user, and K is the number of past sessions of the user. The drawback of the proposed system is an O(n)-size public key, where n corresponds to the total number of all sessions of all users in the system. However, the user only has to download the public key once.

  • An Efficient Anonymous Survey for Attribute Statistics Using a Group Signature Scheme with Attribute Tracing

    Toru NAKANISHI  Yuji SUGIYAMA

    PAPER-Information Security
    Vol: E86-A No:10  Page(s): 2560-2568

    A distributor of digital contents wishes to collect users' attributes. On the other hand, the users do not wish to disclose their attributes, for the sake of privacy. Previously, an anonymous survey system for attribute statistics was proposed. In this system, with the help of trusted third parties, a distributor can obtain correct statistics of users' attributes, such as gender and age, while no information beyond the statistics is revealed. However, the system suffers from the inefficiency of the protocol that generates the statistics, since its cost depends on the number of all users registered in the survey system. This paper proposes an anonymous survey system in which this cost is independent of the number of registered users. To accomplish this, a group signature scheme with attribute tracing is also proposed. A conventional group signature scheme allows a group member to anonymously sign a message on behalf of the group, while only a designated party can identify the signer. The proposed scheme further enables that party to trace the signer's attributes.

  • Speeding Up Revocable Group Signature with Compact Revocation List Using Vector Commitments

    Yasuyuki SEITA  Toru NAKANISHI

    PAPER-Cryptography
    Vol: E102-A No:12  Page(s): 1676-1687

    In ID-based user authentications, a privacy problem can occur, since the service provider (SP) can accumulate the user's access history from the user ID. As a solution to that problem, group signatures have been researched. One of the important issues in group signatures is user revocation. Previously, an efficient revocable scheme with signing/verification of constant complexity was proposed by Libert et al. In this scheme, users are managed by a binary tree, and a list of data for revoked users, called a revocation list (RL), is used for revocation. However, the scheme suffers from a large RL. Recently, an extended scheme was proposed by Sadiah and Nakanishi, where the RL size is reduced by compressing the RL. On the other hand, some overhead occurs in the authentication as the price for reducing the size of the RL. In this paper, we propose an extended scheme in which the authentication is sped up by reducing the number of Groth-Sahai (GS) proofs. Furthermore, we implemented it on a PC to show its effectiveness. The verification time is about 30% shorter than that of the previous scheme by Sadiah and Nakanishi.

  • A New Structure of 2-State Number-Conserving Cellular Automata

    Gil-Tak KONG  Katsunobu IMAI  Toru NAKANISHI

    PAPER-Fundamentals of Information Systems
    Publicized: 2021/02/02
    Vol: E104-D No:5  Page(s): 673-678

    A two-state number-conserving cellular automaton (NCCA) is a cellular automaton whose cell states are 0 or 1, and in which the total sum of all cell states is preserved at every time step. It is a kind of particle-based modeling of physical systems. We introduce a new structure of its value-1 patterns, which we call a “bundle pair” and a “bundle quad”. By employing this structure, we show a relation between NCCAs of neighborhood size n and neighborhood size n - 2.

  • P2PMM_router: A Two-Stage Heuristic Algorithm to Peer-to-Peer Multicast Routing Problems in Multihome Networks

    Nobuo FUNABIKI  Jun KAWASHIMA  Shoji YOSHIDA  Kiyohiko OKAYAMA  Toru NAKANISHI  Teruo HIGASHINO

    PAPER
    Vol: E87-A No:5  Page(s): 1070-1076

    A variety of real-time multicast applications such as video conferences, remote lectures, and video-on-demand have become commonplace with the expansion of broadband Internet services. Due to nontrivial problems in IP multicast technology, peer-to-peer multicast (P2P-multicast) has emerged as a practical implementation, although its network resource utilization is less efficient. A multihome network has the potential to alleviate this inefficiency by providing flexibility in communication path selection for each host with multiple gateways to the Internet. This paper first formulates the P2P-multicast routing problem in the multihome network, and proves the NP-completeness of its decision problem. Then, a two-stage heuristic algorithm called P2PMM_router is presented for this P2P Multicast Multihome-network routing problem. The first stage constructs an initial multicast routing tree from an optimum spanning tree obtained by Prim's algorithm, while satisfying the constraints. The second stage improves the tree by repeating partial modifications and constraint satisfactions. Extensive simulation results using random network instances support the effectiveness of our P2PMM_router.

  • Forward-Secure Group Signatures from Pairings

    Toru NAKANISHI  Yuta HIRA  Nobuo FUNABIKI

    PAPER-Cryptography and Information Security
    Vol: E93-A No:11  Page(s): 2007-2016

    To reduce the damage of key exposures, forward-secure group signature schemes were first proposed by Song. In the forward-secure schemes, a group member's secret key is updated by a one-way function every interval and the previous secret key is erased. Thus, even if a secret key is exposed, the signatures produced with the secret keys of previous intervals remain secure. Since the previous forward-secure group signature schemes are based on the strong RSA assumption, their signatures are longer than pairing-based group signatures. In addition, the complexity of the key update or signing/verification is O(T), where T is the total number of intervals. In this paper, a forward-secure group signature scheme from pairings is proposed. The complexity of our key update and signing/verification is O(log T).

  • A Quasi-Solution State Evolution Algorithm for Channel Assignment Problems in Cellular Networks

    Nobuo FUNABIKI  Toru NAKANISHI  Tokumi YOKOHIRA  Shigeto TAJIMA  Teruo HIGASHINO

    PAPER
    Vol: E85-A No:5  Page(s): 977-987

    For efficient use of the limited electromagnetic wave resource, the assignment of communication channels to call requests is very important in a cellular network. This task has been formulated as an NP-hard combinatorial optimization problem named the channel assignment problem (CAP). Given a cellular network and a set of call requests, CAP requires finding a channel assignment to the call requests such that three types of interference constraints between channels are satisfied and, at the same time, the number of channels (channel span) is minimized. This paper presents an iterative search approximation algorithm for CAP, called the Quasi-solution state evolution algorithm for CAP (QCAP). To solve hard CAP instances in reasonable time, QCAP evolves quasi-solution states, in which a subset of call requests are assigned channels and no further request can be satisfied without violating the constraints. QCAP is composed of three stages. The first stage computes the lower bound on the channel span for a given instance. After the second stage greedily generates an initial quasi-solution state, the third stage evolves it toward a feasible channel assignment by iteratively generating best neighborhoods, with the help of the dynamic state jump and the gradual span expansion for global convergence. The performance of QCAP is evaluated by solving benchmark instances from the literature, where QCAP always finds the optimum or a near-optimum solution in very short time. Our simulation results confirm the extensive search capability and the efficiency of QCAP.

  • An Efficiency Improvement on an Unlinkable Divisible Electronic Cash System

    Toru NAKANISHI  Yuji SUGIYAMA

    PAPER-Information Security
    Vol: E85-A No:10  Page(s): 2326-2335

    We present an efficiency improvement on an existing unlinkable divisible e-cash system. In the underlying e-cash system, an e-coin can be divided to be spent, and thus exact payments are available. Furthermore, to protect the customer's privacy, the system also satisfies unlinkability for all payments, which other existing divisible e-cash systems do not satisfy. Unlinkability means the infeasibility of determining whether two payments were made by the same customer. However, in the unlinkable divisible e-cash system, the payment protocol needs O(N) computations, and is thus inefficient, where N denotes the divisibility precision. For example, in the case of N=100,000, about 200,000 exponentiations are needed in the worst case. We improve the payment protocol using a tree approach. In the case of N=100,000, the protocol with our improvement needs only about 600 exponentiations in the worst case. Similar gains are obtained for any other N greater than about 100.

  • Extensions of the Access Point Allocation Algorithm for Wireless Mesh Networks

    Walaa HASSAN  Nobuo FUNABIKI  Toru NAKANISHI

    PAPER-Terrestrial Radio Communications
    Vol: E93-B No:6  Page(s): 1555-1565

    Previously, we have proposed an access point (AP) allocation algorithm in indoor environments for the Wireless Internet-access Mesh NETwork (WIMNET) using one gateway (GW) to the Internet. WIMNET consists of multiple APs that are connected wirelessly mainly by the Wireless Distribution System (WDS), to expand the coverage area inexpensively and flexibly. In this paper, we present two extensions of this algorithm to enhance the applicability to the large-scale WIMNET. One is the multiple GW extension of the algorithm to increase the communication bandwidth with multiple GWs, where all the rooms in the network field are first partitioned into a set of disjoint GW clusters and then, our previous allocation algorithm is applied to each GW cluster sequentially. The APs in a GW cluster share the same GW. The other is the dependability extension to assure the network function by maintaining the connectivity and the host coverage, even if one link/AP fault occurs, where redundant APs are added to the AP allocation by our previous algorithm. The effectiveness of our proposal in terms of the number of APs and the throughput is verified through simulations using the WIMNET simulator.

  • Verifier-Local Revocation Group Signature Schemes with Backward Unlinkability from Bilinear Maps

    Toru NAKANISHI  Nobuo FUNABIKI

    PAPER-Signatures
    Vol: E90-A No:1  Page(s): 65-74

    One approach to membership revocation in group signatures is verifier-local revocation (VLR for short). In this approach, only verifiers are involved in the revocation mechanism, while signers have no involvement. Since signers bear no load, this approach is suitable for mobile environments. Although Boneh and Shacham recently proposed a VLR group signature scheme from bilinear maps, that scheme does not satisfy backward unlinkability. Backward unlinkability means that even after a member is revoked, signatures produced by the member before the revocation remain anonymous. In this paper, we propose VLR group signature schemes with backward unlinkability from bilinear maps.

  • An Optical-Drop Wavelength Assignment Algorithm for Efficient Wavelength Reuse under Heterogeneous Traffic in WDM Ring Networks

    Nobuo FUNABIKI  Jun KAWASHIMA  Toru NAKANISHI  Kiyohiko OKAYAMA  Teruo HIGASHINO

    PAPER
    Vol: E88-A No:5  Page(s): 1234-1240

    Wavelength-division multiplexing (WDM) technology has become popular in the communications community for providing very large communication bands through multiple lightpaths with different wavelengths on a single optical fiber. In particular, a double-ring optical network architecture based on packet-over-WDM technology, such as the HORNET architecture, has been extensively studied as a next-generation platform for metropolitan area networks (MANs). Each node in this architecture is equipped with a wavelength-fixed optical drop and a fast tunable transmitter, so that a lightpath can be established between any pair of nodes without wavelength conversion. In this paper, we formulate the optical-drop wavelength assignment problem (ODWAP) for efficient wavelength reuse under heterogeneous traffic in this network, and prove the NP-completeness of its decision problem. Then, we propose a simple heuristic algorithm for the basic case of ODWAP. Through extensive simulations, we demonstrate the effectiveness of our approach in reducing waiting times for packet transmissions when only a small number of wavelengths are available in order to contain the network cost for MANs.

  • An Anonymous Reputation System with Reputation Secrecy for Manager

    Toru NAKANISHI  Nobuo FUNABIKI

    PAPER-Cryptography and Information Security
    Vol: E97-A No:12  Page(s): 2325-2335

    In anonymous reputation systems, after an interaction between anonymous users, one of the users evaluates the peer by giving a rating. The ratings for a user are accumulated, and the sum becomes the reputation of the user. From the reputation, the reliability of an anonymous user can be judged. Previously, anonymous reputation systems built on an anonymous e-cash scheme have been proposed. However, in the e-cash-based systems, the bank learns the accumulated reputations of all users and the fluctuation of those reputations. These are private information of the users. Furthermore, a timing attack using the deposit times is possible, which weakens the anonymity. In this paper, we propose an anonymous reputation system in which the reputations of users are kept secret even from the reputation manager such as the bank. Our approach is to adopt an anonymous credential certifying the accumulated reputation of a user. Initially a user registers with the reputation manager and is issued an initial certificate. After each interaction with a rater, the user, as the ratee, obtains an updated certificate certifying the previous reputation plus the current rating. The update protocol is based on zero-knowledge proofs, and thus the reputations remain secret from the reputation manager. On the other hand, because of the certificate, the user cannot maliciously alter his reputation.