The contribution of this paper is twofold: First we introduce weaknesses of two Mix-nets claimed to be robust in the literature. Since such flaws are due to their weak security definitions, we then present a stronger security definition by regarding a Mix-net as a batch decryption algorithm of a CCA secure public-key encryption scheme. We show two concrete attacks on the schemes proposed in [1] and [2]. The scheme in [1] loses anonymity in the presence of a malicious user even though all servers are honest. The scheme in [2] also loses anonymity through the collaboration of a malicious user and the first server. In the latter case the user can identify the plaintext sent from the targeted user by invoking two mix sessions at the risk of the colluding server receiving an accusation. We also point out that in a certain case, anonymity is violated solely by the user without colluding with any server. Heuristic repairs are provided for both schemes.
Nobuhiko MIKI Hiroyuki ATARASHI Sadayuki ABETA Mamoru SAWAHASHI
This paper compares the throughput performance employing hybrid automatic repeat request (ARQ) packet combining, i.e., Chase combining and Incremental redundancy, considering the frequency diversity effect in the broadband forward-link channel for Orthogonal Frequency and Code Division Multiplexing (OFCDM) packet wireless access achieving a peak throughput above 100 Mbps. Simulation results show that the achievable throughput at the average received signal energy per symbol-to-background noise power spectrum density ratio (Es/N0) of 0 and 6 dB employing Incremental redundancy is increased by approximately 35 and 30% compared to that using Chase combining for QPSK and 16QAM data modulation schemes with the coding rate of R = 1/2, respectively, considering a large frequency diversity effect in a 12-path exponentially decayed Rayleigh fading channel, since the reduced variations in the received signal level in a broadband channel bring about a larger coding gain in Incremental redundancy. We also show that when adaptive modulation and channel coding (AMC) is applied, Incremental redundancy is superior to Chase combining since the large coding gain is effective in achieving a large time diversity gain for a low number of retransmissions such as M = 1 or 2 for a maximum Doppler frequency up to fD = 400 Hz. It is demonstrated, nevertheless, that the total throughput when employing Incremental redundancy associated with a near optimum MCS set according to the channel conditions becomes almost identical to that using Chase combining when a large number of retransmissions, M, is allowed, such as M = 10, owing to time diversity along with frequency diversity.
Masaru KOKUBO Masaaki SHIDA Takashi OSHIMA Yoshiyuki SHIBAHARA Tatsuji MATSUURA Kazuhiko KAWAI Takefumi ENDO Katsumi OSAKI Hiroki SONODA Katsumi YAMAMOTO Masaharu MATSUOKA Takao KOBAYASHI Takaaki HEMMI Junya KUDOH Hirokazu MIYAGAWA Hiroto UTSUNOMIYA Yoshiyuki EZUMI Kunio TAKAYASU Jun SUZUKI Shinya AIZAWA Mikihiko MOTOKI Yoshiyuki ABE Takao KUROSAWA Satoru OOKAWARA
We have proposed a new low-IF transceiver architecture to simultaneously achieve both a small chip area and good minimum input sensitivity. The distinctive point of the receiver architecture is that we replace the complicated high-order analog filter for channel selection with the combination of a simple low-order analog filter and a sharp digital band-pass filter. We also proposed a high-speed convergence AGC (automatic gain controller) and a demodulation block to realize the proposed digital architecture. For the transceiver, we further reduce the chip area by applying a new form of direct modulation for the VCO. Since conventional VCO direct modulation tends to suffer from variation of the modulation index with frequency, we have developed a new compensation technique that minimizes this variation, and designed the low-phase-noise VCO with a new biasing method to achieve a large PSRR (power-supply rejection ratio) for the oscillation frequency. The test chip was fabricated in 0.35-µm BiCMOS. The chip size was 3 × 3 mm²; this very small area was realized by the advantages of the proposed transceiver architecture. The transceiver also achieved a good minimum input sensitivity of -85 dBm and showed interference performance that satisfied the requirements of the Bluetooth standard.
Akihito MORIMOTO Sadayuki ABETA Mamoru SAWAHASHI
This paper investigates the effect of fast cell selection (FCS) associated with fast packet scheduling methods and hybrid automatic repeat request (HARQ) with Chase combining, in which the optimum cell (or sector) transmitting a slot-assigned downlink shared channel (DSCH) is selected based on the received signal-to-interference power ratio (SIR), in high-speed downlink packet access (HSDPA). The Round robin (RR), Proportional fairness (PF) and Maximum carrier-to-interference power ratio (CIR) schedulers are used as the scheduling algorithms. The simulation results elucidate that although almost no additional diversity gain through FCS is obtained for the PF and Maximum CIR schedulers, an improvement in throughput by FCS coupled with the RR scheduler is achieved. Furthermore, we elucidate that the effect of FCS is small when only inter-sector FCS is performed; however, inter-cell FCS is effective in improving the radio link throughput for the access users with a lower received SIR near the cell edge. The radio link throughput at the cumulative distribution of 20% of soft handover users when both inter-sector and inter-cell FCS are performed is increased by approximately 20% and 60% for the PF and RR schedulers, respectively, compared to that without FCS, i.e., with hard handover. We also show that when a traffic model such as the modified ETSI WWW browsing model is taken into account, the effect of FCS associated with the decreasing effect of fast packet scheduling is greater than that assuming continuous packet transmission. The user throughput at the cumulative distribution of 20% employing both inter-sector and inter-cell FCS is increased by approximately 60% compared to that without FCS.
Masayuki ABE Hiroyuki NAGASAWA Stefan POTTHAST Jara FERNANDEZ Jorg SCHORMANN Donat Josef AS Klaus LISCHKA
Phase-pure cubic (c-) GaN/AlGaN heterostructures on 3C-SiC free-standing (001) substrates have successfully been developed. Almost complete (100%) phase-pure c-GaN films are achieved with 2-nm surface roughness on 3C-SiC substrates under stoichiometric growth conditions. The polarization effect in c-GaN/AlGaN has been evaluated based on measuring the transition energy of GaN/AlGaN quantum wells (QWs). It is demonstrated that the polarization electric fields are negligibly small in c-GaN/AlGaN/3C-SiC compared with those of hexagonal (h-)GaN/AlGaN, 710 kV/cm for Al content x of 0.15, and 1.4 MV/cm for x of 0.25. The sheet carrier concentration of the c-GaN/AlGaN heterojunction interface is estimated to be 1.6 × 10^12 cm^-2, one order of magnitude smaller than that of h-GaN/AlGaN. The band diagrams of c-GaN/AlGaN HEMTs have been simulated to demonstrate normally-off mode operation. The blocking voltage capability of GaN films was demonstrated with C-V measurement of a Schottky diode test vehicle, and extrapolated to higher than 600 V in c-GaN films at a doping level below 5 × 10^15 cm^-3, showing the possibility for high-power electronics applications.
Yasutaka MAKIHARA Naotaka UEKIYO Akira TABATA Yoshiyuki ABE
A verification is made on the accuracy of Radar-AMeDAS precipitation, which represents hourly precipitation over the Japanese Islands and the surrounding sea area with a spatial resolution of 5 km using data from 5-cm conventional radars, the 10-cm Fujisan Radar, and the Automated Meteorological Data Acquisition System (AMeDAS) raingauge network. By comparing with data from a very dense raingauge network of the Tokyo Metropolitan Government, it is found that 1) Radar-AMeDAS precipitation shows good agreement if a positioning error of one pixel of 5 km square is allowed, 2) Radar-AMeDAS precipitation represents almost the average of raingauge measurements in the 5 km square for most of the precipitation caused by a large-scale disturbance, and 3) Radar-AMeDAS precipitation is close to the maximum raingauge measurement in the pixel when precipitation is extremely localized, such as thunderstorms or showers. Radar-AMeDAS precipitations are also compared statistically with AMeDAS measurements with respect to the appearance rates, that is, (total number of pixels where a specific intensity is observed) / (total number of all pixels), for different precipitation intensities. The rate of Radar-AMeDAS precipitation shows excellent agreement with that of AMeDAS if radar echoes are observed at an altitude lower than 2 km. Since Radar-AMeDAS precipitation on land sometimes represents the maximum of precipitation in a pixel for the purpose of unfailingly detecting extremely localized severe precipitation, it shows a higher appearance rate at high precipitation intensities than AMeDAS, which is considered to represent statistically the average of a pixel. As a result, in estimating areal rainfall amounts, Radar-AMeDAS precipitation overestimates AMeDAS measurement by 8% at 5 mm/h and by 12% at 40 mm/h. Radar-AMeDAS precipitation over the sea, with no local calibration by AMeDAS and with little influence of orography, is 2% weaker in intensity than AMeDAS at 10 mm/h, and 12% at 40 mm/h.
Nobuhiko MIKI Hiroyuki ATARASHI Sadayuki ABETA Mamoru SAWAHASHI
This paper presents a comparison of the throughput performance employing hybrid automatic repeat request (HARQ) with packet combining, such as Type-I with packet combining (simply Chase combining hereafter) and Type-II (Incremental redundancy hereafter), using turbo coding in a multipath fading channel in high speed downlink packet access (HSDPA). We apply a multipath interference canceller (MPIC) to remove the influence of severe multipath interference. Link level simulation results show that the maximum throughput using Incremental redundancy with 64QAM is improved by approximately 5-8% compared to that using Chase combining, and that the required average received signal energy of 12 code channels per chip-to-background noise spectrum density (Ec/N0) at the throughput of 4 Mbps with Incremental redundancy is decreased by approximately 1.0 dB compared to that with Chase combining when the vehicular speed is higher than approximately 30 km/h. Furthermore, we elucidate based on the system level simulation that although no improvement is obtained in a slow mobility environment such as the average vehicular speed of 3 km/h, the achieved throughput of Incremental redundancy is increased by approximately 5-6% and 13% for the average vehicular speeds of 30 km/h and 120 km/h, respectively, compared to that with Chase combining.
Kyosuke YAMASHITA Mehdi TIBOUCHI Masayuki ABE
After the work of Impagliazzo and Rudich (STOC, 1989), the black-box framework has become one of the main research domains of cryptography. However, black-box techniques say nothing about non-black-box techniques such as making use of zero-knowledge proofs. Brakerski et al. introduced a new black-box framework named the augmented black-box framework, in which they gave a zero-knowledge proof oracle in addition to a base primitive oracle (TCC, 2011). They showed a construction of a non-interactive zero-knowledge proof system based on a witness indistinguishable proof system oracle. They presented an augmented black-box construction of a chosen ciphertext secure public key encryption scheme based on a chosen plaintext secure public key encryption scheme, and an augmented black-box separation between one-way functions and key agreement. In this paper we simplify the work of Brakerski et al. by introducing a proof system oracle without witness indistinguishability, named the coin-free proof system oracle, that aims to give the same construction and separation results as the previous work. As a result, the augmented black-box framework becomes easier to handle. Since our oracle is not witness indistinguishable, our result encompasses the result of the previous work.
Akihito MORIMOTO Sadayuki ABETA Mamoru SAWAHASHI
This paper proposes cell selection (CS) based on shadowing variation for forward-link Orthogonal Frequency and Code Division Multiplexing (OFCDM) packet wireless access. We clarify its effects using a broadband propagation channel model in a comparison with fast cell selection (FCS), which tracks the instantaneous fading variation, and with the conventional slow CS, which tracks only the distance-dependent path loss, based on radio link level simulations that take into account time-varying instantaneous fading and shadowing variations. The simulation results show that the achievable throughput with FCS improves slightly in a broadband channel with an increasing number of paths when the average path-loss difference between two cells is greater than 2 dB. Nevertheless, we show that the optimum CS interval becomes approximately 100 msec, because this interval can track the time-varying shadowing variation considering low-to-high mobility up to the maximum Doppler frequency of 200 Hz. Consequently, we show that the throughput employing CS based on shadowing variation with the selection interval of 100 msec is increased by approximately 5 and 15% compared to that using the conventional slow CS with the selection interval of 1 sec, for the maximum Doppler frequencies of 20 and 200 Hz, respectively.
Masayuki ABE Fumitaka HOSHINO Miyako OHKUBO
Bilinear-type conversion is to translate a cryptographic scheme designed over symmetric bilinear groups into one that works over asymmetric bilinear groups with small overhead regarding the size of the objects concerned in the target scheme. In this paper, we address scalability for converting complex cryptographic schemes. Our contribution is threefold. (1) Investigating the complexity of bilinear-type conversion: we show that there exists no polynomial-time algorithm for worst-case inputs under a standard complexity assumption. This means that bilinear-type conversion in general is an inherently difficult problem. (2) Presenting a new scalable conversion method: nevertheless, we show that large-scale conversion is indeed possible in practice when the target schemes are built from smaller building blocks with some structure. We present a novel conversion method, called IPConv, that uses 0-1 Integer Programming instantiated with a widely available IP solver. It instantly converts schemes containing more than a thousand variables and hundreds of pairings. (3) Application to computer-aided design: our conversion method is also useful in the modular design of middle to large scale cryptographic applications; first construct over the simpler symmetric bilinear groups, then run over efficient asymmetric groups. Thus one can avoid the complication of manually allocating variables over asymmetric bilinear groups. We demonstrate its usefulness by somewhat counter-intuitive examples where converted DLIN-based Groth-Sahai proofs are more compact than manually built SXDH-based proofs. Though the original purpose of bilinear-type conversion was to save existing schemes from attacks against symmetric bilinear groups, our new scalable conversion method will find more applications beyond the original goal. Indeed, the above computer-aided design can be seen as a step toward automated modular design of cryptographic schemes.
This paper presents a Mix-net that has the following properties: (1) it efficiently handles long plaintexts that exceed the modulus size of the underlying public-key encryption scheme as well as very short ones (length-flexibility), (2) input ciphertext length is not impacted by the number of mix-servers (length-invariance), and (3) its security in terms of anonymity can be proven in a formal way (provable security). If desired, one can add robustness so that it outputs correct results in the presence of corrupt users and servers. The security is proven in the sense that breaking the anonymity of our Mix-net is equivalent to breaking the indistinguishability assumption of the underlying symmetric encryption scheme or the Decision Diffie-Hellman assumption.
We present an efficient Hybrid Mix scheme that provides both routing flexibility and the optimal length of ciphertext. Although it is rather easy to embed routing information in the ciphertext, and a scheme that provides the optimal length of ciphertext is already known, it is not a trivial task to achieve both properties at the same time. A critical obstacle to providing the optimal length of ciphertext is the session-key encapsulation header in a ciphertext that carries the encrypted session-key to each router, which grows linearly with the number of intermediate routers. We solve this problem by improving the previously reported Hybrid Mix scheme such that the resulting scheme benefits from routing flexibility with a constant length of such headers. Our basic scheme is only secure against honest-but-curious intermediate routers. Therefore, we further address the robustness issue to prevent malicious behavior by incorporating and improving an existing efficient approach based on the Message Authentication Code.
Masayuki ABE Miyako OHKUBO Koutarou SUZUKI
This paper addresses how to use public keys of several different signature schemes to generate 1-out-of-n signatures. Previously known constructions are for either RSA-type keys only or DL-type keys only. We present a widely applicable method to construct a 1-out-of-n signature scheme that allows mixed use of different flavors of keys at the same time. The resulting scheme is more efficient than previous schemes even if it is used only with a single type of key. With all DL-type keys, it yields shorter signatures than those of the previously known scheme based on the witness indistinguishable proofs by Cramer et al. With all RSA-type keys, it reduces both computational and storage costs compared to those of the Ring signatures by Rivest et al.
This paper studies the relations among several definitions of anonymity for ring signature schemes in the same attack environment. It is shown that one intuitive and two technical definitions we consider are asymptotically equivalent, and that the indistinguishability-based technical definition is the strongest, i.e., the most secure when achieved, when the exact reduction cost is taken into account. We then extend our result to the threshold case where a subset of members cooperate to create a signature. The threshold setting makes the notion of anonymity more complex and yields a greater variety of definitions. We explore several notions and observe that a certain relation does not seem to hold, unlike in the simple single-signer case. Nevertheless, we see that an indistinguishability-based definition is the most favorable in the threshold case. We also study the notion of linkability and present a simple scheme that achieves both anonymity and linkability.
Ryo HIROMASA Masayuki ABE Tatsuaki OKAMOTO
We construct the first fully homomorphic encryption (FHE) scheme that encrypts matrices and supports homomorphic matrix addition and multiplication. This is a natural extension of packed FHE and thus supports more complicated homomorphic operations. We optimize the bootstrapping procedure of Alperin-Sheriff and Peikert (CRYPTO 2014) by applying our scheme. Our optimization decreases the lattice approximation factor from Õ(n^3) to Õ(n^2.5). By taking a lattice dimension as a larger polynomial in a security parameter, we can also obtain the same approximation factor as the best known one of standard lattice-based public-key encryption without successive dimension-modulus reduction, which was essential for achieving the best factor in prior works on bootstrapping of standard lattice-based FHE.
Fumitaka HOSHINO Masayuki ABE Tetsutaro KOBAYASHI
Batch verification is a useful tool for verifying a large number of cryptographic items all at one time. It is especially effective in verifying predicates based on modular exponentiation. In some cases, however, the items can be incorrect although they pass batch verification together. Such leniency can be eliminated by checking the domain of each item in advance. With this in mind, we introduce strict batch verification and investigate whether strict batch verification can remain more effective than separate verification. In this paper, we estimate the efficiency of such strict batch verification in several types of groups, a prime subgroup of Z_p with special/random prime p and prime subgroups defined on elliptic curves over F_p, F_{2^m} and F_{p^m}, which are often used in DL-based cryptographic primitives. Our analysis concludes that the efficiency differs greatly depending on the choice of the group and parameters determined by the verifying predicate. Furthermore, we even show that there are some cases where batch verification, regardless of strictness, loses its computational advantage.
Masayuki ABE Noriaki KOGUSHI Kian Siong ANG René HOFSTETTER Kumar MANOJ Louis Nicholas RETNAM Hong WANG Geok Ing NG Chon JIN Dimitris PAVLIDIS
Novel thermopiles based on modulation-doped AlGaAs/InGaAs and AlGaN/GaN heterostructures are proposed and developed for the first time for uncooled infrared FPA (Focal Plane Array) image sensor applications. The high responsivity and high-speed response time are designed to be 4,900 V/W with 110 µs for AlGaAs/InGaAs, and 460 V/W with 9 µs for AlGaN/GaN thermopiles, respectively. Based on integrated HEMT-MEMS technology, AlGaAs/InGaAs 32 × 32 matrix FPAs are fabricated to demonstrate their enhanced performance by black body measurement. The technology presented here demonstrates the potential of this approach for low-cost uncooled infrared FPA image sensor applications.
Masayuki ABE Fumitaka HOSHINO Miyako OHKUBO
We propose a simple framework for evaluating the performance of pairing-based cryptographic schemes for various types of curves and parameter settings. The framework, which we call 'Opcount', enables the selection of an appropriate curve and parameters by estimating the performance of a cryptographic scheme from pseudo-code describing the scheme and an implementation-information database that records the performance of basic operations in the curves targeted for evaluation. We apply Opcount to evaluate and compare the computational efficiency of several structure-preserving signature schemes that involve tens of pairing products in their signature verification. In addition to showing the usefulness of Opcount, our experiments also reveal the overlooked importance of taking account of the properties of the underlying curves when optimizing computations, and demonstrate the impact of tight security reductions.
Sadayuki ABETA Mamoru SAWAHASHI Fumiyuki ADACHI
This paper compares the BER performance of two types of pilot channel-based coherent Rake combining achievable by the use of a weighted multi-slot averaging (WMSA) channel estimation filter in DS-CDMA transmission links. One is for the time-multiplexed pilot channel and the other is for the parallel pilot channel. The WMSA channel estimation filter weights and averages the received pilot over a period of several slots to improve the BER performance. We propose WMSA channel estimation filters for the time-multiplexed pilot and parallel pilot structures. The achievable BER performance under frequency-selective fading environments is evaluated by computer simulation. The simulation results show that almost the same BER performance can be achieved for both pilot channel structures when the same energy is allocated to the pilot.