Searchable encryption with advanced query function is an important technique in today's cloud environment. To date, in the public key setting, the best query function supported by the previous schemes are conjunctive or disjunctive keyword search, which are elementary but not enough to satisfy the user's query requirements. In this paper, we make a progress for constructing a searchable public key encryption scheme with advanced query function called simple Boolean keyword search. To create our scheme, we proposed a keywords conversion method that projects the index and query keywords into a group of vectors. Based on a combination of these obtained vectors and an adaptively secure inner product encryption scheme, a public key encryption with simple Boolean keyword search scheme is proposed. We also present both theoretical and experimental analysis to show the effectiveness of this scheme. To the best of our knowledge, it is the first time to give a searchable public key encryption scheme supporting queries like q1op1q2op2…opi-1qiopi…opn-1qn, where opi is a logical operator which can be and(∨) or or(∧) and qi is a keyword.

To develop countermeasures against fault attacks, it is important to model an attacker's ability. The instruction skip model is a well-studied practical model for fault attacks on software. Contrastingly, few studies have investigated the instruction replacement model, which is a generalization of the instruction skip model, because replacing an instruction with a desired one is considered difficult. Some previous studies have reported successful instruction replacements; however, those studies concluded that such instruction replacements are not practical attacks because the outcomes of the replacements are uncontrollable. This paper proposes the concept of a controllable instruction replacement technique that uses the laser irradiation of flash memory. The feasibility of the proposed technique is demonstrated experimentally using a smartcard-type ARM SC100 microcontroller. Then, practical cryptosystem attacks that exploit the proposed technique are investigated. The targeted cryptosystems employ the AES with software-based anti-fault countermeasures. We demonstrate that an existing anti-instruction-skip countermeasure can be circumvented by replacing a critical instruction, e.g., a branch instruction to detect fault occurrence.

In this paper, we extend the notion of bijective connection graphs to introduce directed bijective connection graphs. We propose algorithms that solve the node-to-set node-disjoint paths problem and the node-to-node node-disjoint paths problem in a directed bijective connection graph. The time complexities of the algorithms are both O(n4), and the maximum path lengths are both 2n-1.

In this letter, we investigate the secure transmission in radio frequency (RF) powered two-hop untrusted relay networks, where the source node and untrusted relay are both wireless powered by an RF power supplier. Specifically, considering the non-linear energy-harvesting (EH) model, the two-process communication protocol is proposed. The secrecy rate is maximized by jointly designing the beamforming vector at source and beamforming matrix at relay, under the constraints of transmit power at RF power supplier and destination. The secrecy rate maximization (SRM) is non-convex, hence we propose an alternative optimization (AO) based iterative algorithm. Numerical results demonstrate that the proposed scheme can significantly increase the secrecy rate compared to the baseline schemes.

Herein, we analytically derive the effective index and field distribution of the LP01 mode of a step-index N-sided regular-polygonal-core fiber. To do this, we utilize the lowest-order non-anomalous approximation of the π/N expansion. These properties are also calculated numerically and the results are compared the with approximations.

We propose a key-policy attribute-based encryption (KP-ABE) scheme with constant-size ciphertexts, whose almost tightly semi-adaptive security is proven under the decisional linear (DLIN) assumption in the standard model. The access structure is expressive, that is given by non-monotone span programs. It also has fast decryption, i.e., a decryption includes only a constant number of pairing operations. As an application of our KP-ABE construction, we also propose an efficient, fully secure attribute-based signatures with constant-size secret (signing) keys from the DLIN. For achieving the above results, we extend the sparse matrix technique on dual pairing vector spaces. In particular, several algebraic properties of an elaborately chosen sparse matrix group are applied to the dual system security proofs.

Power line communications (PLC) is a communication technology that uses a power-line as a transmission medium. Previous studies have shown that connecting an AC adapter such as a mobile phone charger to the power-line affects signal quality. Therefore, in this paper, the authors analyze the influence of chargers on inter-computer communications using packet capture to evaluate communications quality. The analysis results indicate the occurrence of a short duration in which packets are not detected once in a half period of the power-line supply: named communication forbidden time. For visualizing the communication forbidden time and for evaluating the communications quality of the inter-computer communications using PLC, the authors propose an instantaneous power-line frequency synchronized superimposed chart and its plotting algorithm. Further, in order to analyze accurately, the position of the communication forbidden time can be changed by altering the initial burst signal plotting position. The difference in the chart, which occurs when the plotting start position changes, is also discussed. We show analysis examples using the chart for a test bed data assumed an ideal environment, and show the effectiveness of the chart for analyzing PLC inter-computer communications.

In order to realize better understanding of influential order sequences of surrounding atmospheres on break arc durations of electrical contacts in DC load conditions, a quantitative mathematical model, which aims to indicate dependences of break arc durations on several gas parameters such as molecular mass, viscosity, specific heat capacity, thermal conductivity, electro-negativity, and ionization potential, was analyzed. Break arc durations of AgCdO contact pairs were measured in several kinds of surrounding atmospheres (N2, Ar, He, air, O2 and CO2) under different DC voltage and current conditions, and data fitting processes were conducted. As a result, a candidate mathematical model was established, which could indicate possible influential order sequences of surrounding atmospheres on break arc durations in the range of the tested conditions.

In decision feedback scheme, Forney's decision criterion (Forney's rule: FR) is optimal in the sense that the Neyman-Pearson's lemma is satisfied. Another prominent criterion called LR+Th was proposed by Hashimoto. Although LR+Th is suboptimal, its error exponent is shown to be asymptotically equivalent to that of FR by random coding arguments. In this paper, applying the technique of the DS2 bound, we derive an upper bound for the error probability of LR+Th for the ensemble of linear block codes. Then we can observe the new bound from two significant points of view. First, since the DS2 type bound can be expressed by the average weight distribution whose code length is finite, we can compare the error probability of FR with that of LR+Th for the fixed-length code. Second, the new bound elucidates the relation between the random coding exponents of block codes and those of linear block codes.

Embedded software developers assume the behavior of the environment when specifications are not available. However, developers may assume the behavior incorrectly, which may result in critical faults in the system. Therefore, it is important to detect the faults caused by incorrect assumptions. In this letter, we propose a log-based testing approach to detect the faults. First, we create a UML behavioral model to represent the assumed behavior of the environment, which is then transformed into a state model. Next, we extract the actual behavior of the environment from a log, which is then incorporated in the state model, resulting in a state model that represents both assumed and actual behaviors. Existing testing techniques based on the state model can be used to generate test cases from our state model to detect faults.

Inner product functional encryption (IPFE) is a subclass of functional encryption (FE), whose function class is limited to inner product. We construct an efficient private-key IPFE scheme with full-hiding security, where confidentiality is assured for not only encrypted data but also functions associated with secret keys. Recently, Datta et al. presented such a scheme in PKC 2016 and this is the only scheme that achieves full-hiding security. Our scheme has an advantage over their scheme for the two aspects. More efficient: keys and ciphertexts of our scheme are almost half the size of those of their scheme. Weaker assumption: our scheme is secure under the k-linear (k-Lin) assumption, while their scheme is secure under a stronger assumption, namely, the symmetric external Diffie-Hellman (SXDH) assumption. It is well-known that the k-Lin assumption is equivalent to the SXDH assumption when k=1 and becomes weak as k increases.

We present an improved constant-round secure two-party protocol for integer comparison functionality, which is one of the most fundamental building blocks in secure computation. Our protocol is in the so-called client-server model, which is utilized in real-world MPC products such as Sharemind, where any number of clients can create shares of their input and distribute to the servers who then jointly compute over the shares and return the shares of the result to the client. In the client-aided client-server model, as mentioned briefly by Mohassel and Zhang (S&P'17), a client further generates and distributes some necessary correlated randomness to servers. Such correlated randomness admits efficient protocols since otherwise, servers have to jointly generate randomness by themselves, which can be inefficient. In this paper, we improve the state-of-the-art constant-round comparison protocols by Damgå rd et al. (TCC'06) and Nishide and Ohta (PKC'07) in the client-aided model. Our techniques include identifying correlated randomness in these comparison protocols. Along the way, we also use tree-based techniques for a building block, which deviate from the above two works. Our proposed protocol requires only 5 communication rounds, regardless of the bit length of inputs. This is at least 5 times fewer rounds than existing protocols. We implement our secure comparison protocol in C++. Our experimental results show that this low-round complexity benefits in high-latency networks such as WAN. We also present secure Min/Argmin protocols using the secure comparison protocol.

This paper presents decentralized multi-authority attribute-based encryption and signature (DMA-ABE and DMA-ABS) schemes, in which no central authority exists and no global coordination is required except for the setting of a parameter for a prime order bilinear group and a hash function, which can be available from public documents, e.g., ISO and FIPS official documents. In the proposed DMA-ABE and DMA-ABS schemes, every process can be executed in a fully decentralized manner; any party can become an authority and issue a piece for a secret key to a user without interacting with any other party, and each user obtains a piece of his/her secret key from the associated authority without interacting with any other party. While enjoying such fully decentralized processes, the proposed schemes are still secure against collusion attacks, i.e., multiple pieces issued to a user by different authorities can form a collusion resistant secret key, composed of these pieces, of the user. The proposed ABE scheme is the first DMA-ABE for non-monotone relations (and more general relations), which is adaptively secure under the decisional linear (DLIN) assumption in the random oracle model. This paper also proposes the first DMA-ABS scheme for non-monotone relations (and more general relations), which is fully secure, adaptive-predicate unforgeable and perfect private, under the DLIN assumption in the random oracle model. DMA-ABS is a generalized notion of ring signatures. The efficiency of the proposed DMA-ABE and DMA-ABS schemes is comparable to those of the existing practical ABE and ABS schemes with comparable relations and security.

Public-key encryption with keyword search (PEKS) is a cryptographic primitive that allows us to search for particular keywords over ciphertexts without recovering plaintexts. By using PEKS in cloud services, users can outsource their data in encrypted form without sacrificing search functionality. Concerning PEKS that can specify logical disjunctions and logical conjunctions as a search condition, it is known that such PEKS can be (generically) constructed from anonymous attribute-based encryption (ABE). However, it is not clear whether it is possible to construct this types of PEKS without using ABE which may require large computational/communication costs and strong mathematical assumptions. In this paper, we show that ABE is crucial for constructing PEKS with the above functionality. More specifically, we give a generic construction of anonymous key-policy ABE from PEKS whose search condition is specified by logical disjunctions and logical conjunctions. Our result implies such PEKS always requires large computational/communication costs and strong mathematical assumptions corresponding to those of ABE.

Group signatures are signatures providing signer anonymity where signers can produce signatures on behalf of the group that they belong to. Although such anonymity is quite attractive considering privacy issues, it is not trivial to check whether a signer has been revoked or not. Thus, how to revoke the rights of signers is one of the major topics in the research on group signatures. In particular, scalability, where the signing and verification costs and the signature size are constant in terms of the number of signers N, and other costs regarding signers are at most logarithmic in N, is quite important. In this paper, we propose a revocable group signature scheme which is currently more efficient compared to previous all scalable schemes. Moreover, our revocable group signature scheme is secure under simple assumptions (in the random oracle model), whereas all scalable schemes are secure under q-type assumptions. We implemented our scheme by employing a Barreto-Lynn-Scott curve of embedding degree 12 over a 455-bit prime field (BLS-12-455), and a Barreto-Naehrig curve of embedding degree 12 over a 382-bit prime field (BN-12-382), respectively, by using the RELIC library. We showed that the online running times of our signing algorithm were approximately 14msec (BLS-12-455) and 11msec (BN-12-382), and those of our verification algorithm were approximately 20msec (BLS-12-455) and 16msec (BN-12-382), respectively. Finally, we showed that our scheme (with a slight extension) is applied to an identity management system proposed by Isshiki et al.

Chosen-ciphertext security is a central goal in designing a secure public-key encryption scheme, and it is also important that the chosen-ciphertext security is tightly reduced to some well-established hard problem. Moreover, it is more important to have a tight reduction in the multi-user multi-challenge setting, since a tight security reduction in the single-user single-challenge setting generally does not imply a tight reduction to the multi-user multi-challenge setting. We propose the first fully tightly secure and practical public-key encryption scheme which is chosen-ciphertext secure in the multi-user multi-challenge setting in the random oracle model. The scheme is proven secure under the decisional Diffie-Hellman assumption in a pairing-free group. The ciphertext overhead of our scheme is two group elements and two exponents.

We present a constant-size signature scheme under the CDH assumption. It has a tighter security reduction than any other constant-size signature scheme with a security reduction to solving some intractable search problems. Hofheinz, Jager, and Knapp (PKC 2012) presented a constant-size signature scheme under the CDH assumption with a reduction loss of O(q), where q is the number of signing queries. They also proved that the reduction loss of O(q) is optimal in a black-box security proof. To the best of our knowledge, no constant-size signature scheme has been proposed with a tighter reduction (to the hardness of a search problem) than that proposed by Hofheinz et al., even if it is not re-randomizable. We remark that our scheme is not re-randomizable. We achieve the reduction loss of O(q/d), where d is the number of group elements in a public key.

The Blum-Kalai-Wasserman algorithm (BKW) is an algorithm for solving the learning parity with noise problem, which was then adapted for solving the learning with errors problem (LWE) by Albrecht et al. Duc et al. applied BKW also to the learning with rounding problem (LWR). The number of blocks is a parameter of BKW. By optimizing the number of blocks, we can minimize the time complexity of BKW. However, Duc et al. did not derive the optimal number of blocks theoretically, but they searched for it numerically. Duc et al. also showed that the required number of samples for BKW for solving LWE can be dramatically decreased using Lyubashevsky's idea. However, it is not shown that his idea is also applicable to LWR. In this paper, we theoretically derive the asymptotically optimal number of blocks, and then analyze the minimum asymptotic time complexity of the algorithm. We also show that Lyubashevsky's idea can be applied to LWR-solving BKW, under a heuristic assumption that is regularly used in the analysis of LPN-solving BKW. Furthermore, we derive an equation that relates the Gaussian parameter σ of LWE and the modulus p of LWR. When σ and p satisfy the equation, the asymptotic time complexity of BKW to solve LWE and LWR are the same.

Homomorphic encryption allows computation over encrypted data, and can be used for delegating computation: data providers encrypt their data and send them to an aggregator, who can then perform computation over the encrypted data on behalf of a client, without the underlying data being exposed to the aggregator. However, since the aggregator is merely a third party, it may be malicious, and in particular, may submit an incorrect aggregation result to the receiver. Ohara et al. (APKC2014) studied secure aggregation of time-series data while enabling the correctness of aggregation to be verified. However, they only provided a concrete construction in the smart metering system and only gave an intuitive argument of security. In this paper, we define verifiable homomorphic encryption (VHE) which generalizes their scheme, and introduce formal security definitions. Further, we formally prove that Ohara et al.'s VHE scheme satisfies our proposed security definitions.

In this paper, we revisit related-key security of TWINE block cipher with 80-bit and 128-bit keys. Using an MILP-aided automatic search algorithm, we point out the previous evaluation of TWINE with a 80-bit key is wrong, and give a corrected evaluation result. Besides, we show a first security evaluation of TWINE with a 128-bit key in the related-key setting, which was infeasible due to the high computation cost in the original proposal.