The search functionality is under construction.

Keyword Search Result

[Keyword] APD(29hit)

1-20hit(29hit)

  • Short Lattice Signature Scheme with Tighter Reduction under Ring-SIS Assumption

    Kaisei KAJITA  Go OHTAKE  Kazuto OGAWA  Koji NUIDA  Tsuyoshi TAKAGI  

     
    PAPER

      Publicized:
    2022/09/08
      Vol:
    E106-A No:3
      Page(s):
    228-240

    We propose a short signature scheme under the ring-SIS assumption in the standard model. Specifically, by revisiting an existing construction [Ducas and Micciancio, CRYPTO 2014], we demonstrate lattice-based signatures with improved reduction loss. As far as we know, there are no ways to use multiple tags in the signature simulation of the security proof of lattice tag-based signatures. We address the tag-collision possibility in the lattice setting, which improves reduction loss. Our scheme generates tags from messages by constructing a scheme under a mild security condition that is existentially unforgeable against random message attack with auxiliary information. Thus our scheme can reduce the signature size since it does not need to send tags with the signatures. Our scheme has short signature sizes of O(1) and achieves tighter reduction loss than that of Ducas et al.'s scheme. Our proposed scheme has two variants. Our scheme with one property has tighter reduction and the same verification key size of O(log n) as that of Ducas et al.'s scheme, where n is the security parameter. Our scheme with the other property achieves much tighter reduction loss of O(Q/n) and verification key size of O(n), where Q is the number of signing queries.

  • More Efficient Trapdoor-Permutation-Based Sequential Aggregate Signatures with Lazy Verification

    Jiaqi ZHAI  Jian LIU  Lusheng CHEN  

     
    PAPER-Cryptography and Information Security

      Publicized:
    2020/06/02
      Vol:
    E103-A No:12
      Page(s):
    1640-1646

    Aggregate signature (AS) schemes enable anyone to compress signatures under different keys into one. In sequential aggregate signature (SAS) schemes, the aggregate signature is computed incrementally by the signers. Several trapdoor-permutation-based SAS schemes have been proposed. In this paper, we give a construction of SAS based on the first SAS scheme with lazy verification, proposed by Brogle et al. at ASIACRYPT 2012. In Brogle et al.'s scheme, the size of the aggregate signature is linear in the number of signers. In our scheme, the aggregate signature has constant length, which satisfies the original ideal of compressing the size of signatures.

  • A Constant-Size Signature Scheme with a Tighter Reduction from the CDH Assumption Open Access

    Kaisei KAJITA  Kazuto OGAWA  Eiichiro FUJISAKI  

     
    PAPER

      Vol:
    E103-A No:1
      Page(s):
    141-149

    We present a constant-size signature scheme under the CDH assumption. It has a tighter security reduction than any other constant-size signature scheme with a security reduction to solving some intractable search problems. Hofheinz, Jager, and Knapp (PKC 2012) presented a constant-size signature scheme under the CDH assumption with a reduction loss of O(q), where q is the number of signing queries. They also proved that the reduction loss of O(q) is optimal in a black-box security proof. To the best of our knowledge, no constant-size signature scheme has been proposed with a tighter reduction (to the hardness of a search problem) than that proposed by Hofheinz et al., even if it is not re-randomizable. We remark that our scheme is not re-randomizable. We achieve the reduction loss of O(q/d), where d is the number of group elements in a public key.

  • How to Watermark Cryptographic Functions by Bilinear Maps

    Ryo NISHIMAKI  

     
    PAPER

      Vol:
    E102-A No:1
      Page(s):
    99-113

    We introduce a notion of watermarking for cryptographic functions and propose a concrete scheme for watermarking cryptographic functions. Informally speaking, a digital watermarking scheme for cryptographic functions embeds information, called a mark, into functions such as one-way functions and decryption functions of public-key encryption. There are two basic requirements for watermarking schemes. A mark-embedded function must be functionally equivalent to the original function. It must be difficult for adversaries to remove the embedded mark without damaging the original functionality. In spite of its importance and usefulness, there have only been a few theoretical works on watermarking for functions (or programs). Furthermore, we do not have rigorous definitions of watermarking for cryptographic functions and concrete constructions. To solve the problem above, we introduce a notion of watermarking for cryptographic functions and define its security. Furthermore, we present a lossy trapdoor function (LTF) based on the decisional bilinear Diffie-Hellman problem and a watermarking scheme for the LTF. Our watermarking scheme is secure under the symmetric external Diffie-Hellman assumption in the standard model. We use techniques of dual system encryption and dual pairing vector spaces (DPVS) to construct our watermarking scheme. This is a new application of DPVS.

  • Signatures from Trapdoor Commitments with Strong Openings

    Goichiro HANAOKA  Jacob C. N. SCHULDT  

     
    PAPER

      Vol:
    E100-A No:9
      Page(s):
    1924-1931

    In this paper, we propose a new generic construction of signatures from trapdoor commitments with strong openings in the random oracle model. Our construction is very efficient in the sense that signatures consist of just a single decommitment of the underlying commitment scheme, and verification corresponds to verifying this decommitment against a commitment derived via a hash function. Furthermore, assuming the commitment scheme provides sufficiently strong statistical hiding and trapdoor opening properties, the reduction of the security of the signature scheme to the binding property of the commitment scheme is tight. To instantiate our construction, we propose two new commitment schemes with strong openings. Both of these are statistically hiding, and have binding properties based on a Diffie-Hellman inversion problem and factoring, respectively. The signature schemes obtained from these are very efficient; the first matches the performance of BLS signatures, which currently provides the shortest signatures, and the second provides signatures of similar length to the shortest version of Rabin-Williams signatures while still being tightly related to factoring.

  • Performance of APD-Based Amplify-and-Forward Relaying FSO Systems over Atmospheric Turbulence Channels

    Thanh V. PHAM  Anh T. PHAM  

     
    PAPER-Communication Theory and Signals

      Vol:
    E99-A No:7
      Page(s):
    1455-1464

    This paper proposes and theoretically analyzes the performance of amplify-and-forward (AF) relaying free-space optical (FSO) systems using avalanche photodiode (APD) over atmospheric turbulence channels. APD is used at each relay node and at the destination for optical signal conversion and amplification. Both serial and parallel relaying configurations are considered and the subcarrier binary phase-shift keying (SC-BPSK) signaling is employed. Closed-form expressions for the outage probability and the bit-error rate (BER) of the proposed system are analytically derived, taking into account the accumulating amplification noise as well as the receiver noise at the relay nodes and at the destination. Monte-Carlo simulations are used to validate the theoretical analysis, and an excellent agreement between the analytical and simulation results is confirmed.

  • Improvement on a Knapsack-Based Probabilistic Encryption Scheme

    Baocang WANG  Fagen LI  Yupu HU  

     
    LETTER-Cryptography and Information Security

      Vol:
    E97-A No:1
      Page(s):
    421-424

    In this letter, we propose an improvement on a knapsack probabilistic encryption scheme [B. Wang, Q. Wu, Y. Hu, Information Sciences 177 (2007)], which was shown vulnerable to attacks due to Youssef [A.M. Youssef, Information Sciences 179 (2009)] and Lee [M.S. Lee, Information Sciences 222 (2013)], respectively. The modified encryption scheme is secure against Youssef's and Lee's attacks at the cost of only slightly compromising the efficiency of the original proposal.

  • An Efficient Non-interactive Universally Composable String-Commitment Scheme

    Ryo NISHIMAKI  Eiichiro FUJISAKI  Keisuke TANAKA  

     
    PAPER-Secure Protocol

      Vol:
    E95-A No:1
      Page(s):
    167-175

    This paper presents a new non-interactive string-commitment scheme that achieves universally composable security. Security is proven under the decisional composite residuosity (DCR) assumption (or the decisional Diffie-Hellman (DDH) assumption) in the common reference string (CRS) model. Universal composability (UC) is a very strong security notion. If cryptographic protocols are proven secure in the UC framework, then they remain secure even if they are composed with arbitrary protocols and polynomially many copies of the protocols are run concurrently. Many UC commitment schemes in the CRS model have been proposed, but they are either interactive commitment or bit-commitment (not string-commitment) schemes. We note, however, that although our scheme is the first non-interactive UC string-commitment scheme, its CRS is not reusable. We use an extension of all-but-one trapdoor functions (ABO-TDFs) proposed by Peikert and Waters at STOC 2008 as an essential building block. Our main idea is to extend (originally deterministic) ABO-TDFs to probabilistic ones by using the homomorphic properties of their function indices. The function indices of ABO-TDFs consist of ciphertexts of homomorphic encryption schemes (such as ElGamal and Damgård-Jurik encryption). Therefore we can re-randomize the output of ABO-TDFs by re-randomization of ciphertexts. This is a new application of ABO-TDFs.

  • Strongly Secure Authenticated Key Exchange without NAXOS' Approach under Computational Diffie-Hellman Assumption

    Minkyu KIM  Atsushi FUJIOKA  Berkant USTAOĞLU  

     
    PAPER-Public Key Cryptography

      Vol:
    E95-A No:1
      Page(s):
    29-39

    LaMacchia, Lauter and Mityagin [19] proposed a novel security definition for authenticated key exchange (AKE) that gives an adversary the power to obtain ephemeral information regarding a target test session. To demonstrate the feasibility of secure protocols in the new definition, henceforth called eCK, the authors described a protocol called NAXOS. NAXOS combines an ephemeral private key x with a static private key a to generate an ephemeral public key X (more precisely, in what we call the NAXOS' approach, X = g^{H(x,a)}). Thus no one is able to query the discrete logarithm of X without knowing both the ephemeral and static private keys. This idea is crucial in the security argument to guard against leaked ephemeral secrets belonging to the test session. Another important assumption is the gap assumption, which allows the protocol to remain secure even in the presence of malicious insiders. Both ideas have been successfully used in creating various protocols secure in the eCK model. In this paper, we construct two eCK-secure protocols without the above mentioned ideas. KFU1 is secure under the GDH assumption without using the NAXOS' approach. KFU2 builds upon KFU1 and drops the gap requirement; thus it is secure under the CDH assumption. Efficiency and security of the proposed protocols are comparable to the well-known HMQV [15] protocol. Furthermore, unlike HMQV and NAXOS, the use of the random oracle in KFU1 and KFU2 is restricted to the key derivation function, making them more suitable for practical applications.
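    The NAXOS' approach this abstract contrasts itself with, as an added worked example (not code from the KFU or NAXOS authors): both sides of a NAXOS-style exchange over a toy prime-order subgroup of Z_p^*, with X = g^{H1(x,a)} formed exactly as the abstract describes. The abstract states only how X is formed; the session-key derivation H2(Y^a, B^{x~}, Y^{x~}, id_A, id_B) is the one from the NAXOS paper, reproduced from memory and not stated on this page. The 64-bit safe-prime group, the hash labels, the identifiers "Alice"/"Bob" and the subgroup-membership check on received values are assumptions made for the example.

```python
"""NAXOS-style authenticated key exchange over a toy prime-order subgroup of Z_p^*.

Added example, not the KFU or NAXOS authors' code. The ephemeral public key is
X = g^{H1(x, a)} as the abstract describes; the session-key derivation is the
NAXOS one, H2(Y^a, B^{x~}, Y^{x~}, id_A, id_B), recalled from the NAXOS paper.
The 64-bit group is for illustration only and offers no real security.
"""
import hashlib
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic for n < 3e23


def is_prime(n):
    """Deterministic Miller-Rabin for the 64-bit range used here."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_group(bits=64):
    """Return (p, q, g): a safe prime p = 2q + 1 and a generator g of the order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            break
    p = 2 * q + 1
    while True:
        h = secrets.randbelow(p - 2) + 2
        g = pow(h, 2, p)  # squaring lands in the order-q subgroup
        if g != 1:
            return p, q, g


def _h(label, *parts):
    """Domain-separated, length-prefixed SHA-256 over integer and string parts."""
    m = hashlib.sha256(label)
    for part in parts:
        data = part.encode() if isinstance(part, str) else part.to_bytes(32, "big")
        m.update(len(data).to_bytes(2, "big") + data)
    return m.digest()


def h1(ephemeral, static, q):
    """The NAXOS trick: the exponent of X depends on both the ephemeral and the static key,
    so leaking x alone does not give log_g X."""
    return int.from_bytes(_h(b"NAXOS-H1", ephemeral, static), "big") % q or 1


def check_element(val, p, q):
    """Reject received values outside the prime-order subgroup (small-subgroup check)."""
    if not 1 < val < p or pow(val, q, p) != 1:
        raise ValueError("peer value is not in the prime-order subgroup")


class Party:
    def __init__(self, ident, group):
        self.ident = ident
        self.p, self.q, self.g = group
        self.static = secrets.randbelow(self.q - 1) + 1   # a (resp. b)
        self.public = pow(self.g, self.static, self.p)    # A = g^a (resp. B)
        self.ephemeral = None

    def send_ephemeral(self):
        """Pick x and publish X = g^{H1(x, a)}."""
        self.ephemeral = secrets.randbelow(self.q - 1) + 1
        return pow(self.g, h1(self.ephemeral, self.static, self.q), self.p)

    def derive_key(self, peer_id, peer_public, peer_ephemeral, initiator):
        check_element(peer_public, self.p, self.q)
        check_element(peer_ephemeral, self.p, self.q)
        x_tilde = h1(self.ephemeral, self.static, self.q)
        s_static = pow(peer_ephemeral, self.static, self.p)  # Y^a   (peer computes A^{y~})
        s_eph = pow(peer_public, x_tilde, self.p)            # B^{x~} (peer computes X^b)
        s_both = pow(peer_ephemeral, x_tilde, self.p)        # Y^{x~} (peer computes X^{y~})
        if initiator:
            return _h(b"NAXOS-H2", s_static, s_eph, s_both, self.ident, peer_id)
        return _h(b"NAXOS-H2", s_eph, s_static, s_both, peer_id, self.ident)


def run_naxos(group):
    """Full exchange between two parties; returns both session keys (they must match)."""
    alice, bob = Party("Alice", group), Party("Bob", group)
    x_pub = alice.send_ephemeral()
    y_pub = bob.send_ephemeral()
    k_a = alice.derive_key("Bob", bob.public, y_pub, initiator=True)
    k_b = bob.derive_key("Alice", alice.public, x_pub, initiator=False)
    return k_a, k_b


if __name__ == "__main__":
    ka, kb = run_naxos(toy_group())
    print("keys match:", ka == kb, ka.hex())
```

    The subgroup check on every received value is the practical caveat: the security argument assumes X and Y lie in the prime-order group, and without the check a peer can send an element of small order and learn bits of the static key. The random oracle is used in both H1 and H2 here, which is exactly the dependence KFU1 and KFU2 remove from the ephemeral-key step.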

  • A Multi-Trapdoor Commitment Scheme from the RSA Assumption

    Ryo NISHIMAKI  Eiichiro FUJISAKI  Keisuke TANAKA  

     
    PAPER-Secure Protocol

      Vol:
    E95-A No:1
      Page(s):
    176-184

    This paper presents a new non-interactive multi-trapdoor commitment scheme from the standard RSA assumption. Multi-trapdoor commitment is a stronger variant of trapdoor commitment. Its notion was introduced by Gennaro at CRYPTO 2004. Multi-trapdoor commitment schemes are very useful because we can convert a non-interactive multi-trapdoor commitment scheme into a non-interactive and reusable non-malleable commitment scheme by using a one-time signature, and transform any proof of knowledge into a concurrently non-malleable one (this can be used as concurrently secure identification). Gennaro gave concrete constructions of multi-trapdoor commitment, but their security relies on stronger assumptions, such as the strong RSA assumption and the q-strong Diffie-Hellman assumption, as opposed to our construction based on the standard RSA assumption. As a corollary of our results, we construct a non-interactive and reusable non-malleable commitment scheme from the standard RSA assumption. Our scheme is based on the Hohenberger-Waters (weak) signature scheme presented at CRYPTO 2009. Several non-interactive and reusable non-malleable commitment schemes (in the common reference string model) have been proposed, but they all rely on stronger assumptions (such as the strong RSA assumption). Thus, we give the first construction of a non-interactive and reusable non-malleable commitment scheme from the standard RSA assumption.

  • Toward Digital Watermarking for Cryptographic Data

    Maki YOSHIDA  Toru FUJIWARA  

     
    LETTER

      Vol:
    E94-A No:1
      Page(s):
    270-272

    This paper introduces a novel type of digital watermarking, which is mainly designed for embedding information into cryptographic data such as keys, ciphertexts, and signatures. We focus on the mathematical structure of the recent major cryptosystems called pairing-based schemes. We present a detection-type watermarking scheme by which a watermark is visible to anyone but unremovable without the secret trapdoor. The important feature is that both correctness and security of the cryptographic data remain satisfied even if the trapdoor is published.

  • Efficient Trapdoor Commitment as Secure as Factoring with Useful Properties

    Taek-Young YOUN  Young-Ho PARK  Jongin LIM  

     
    LETTER-Application Information Security

      Vol:
    E92-D No:12
      Page(s):
    2520-2523

    Trapdoor commitment schemes are widely used for adding valuable properties to ordinary signatures or enhancing the security of weakly secure signatures. In this letter, we propose a trapdoor commitment scheme based on the RSA function, and prove its security under the hardness of integer factoring. Our scheme is very efficient in computing a commitment. In particular, it requires only three multiplications for evaluating a commitment when e=3 is used as the public exponent of the RSA function. Moreover, our scheme has two useful properties, key exposure freeness and strong trapdoor opening, which are useful for designing secure chameleon signature schemes and for converting a weakly secure signature into a strongly secure signature, respectively.

  • An Efficient Signature Scheme with Fast Online Signing

    Taek-Young YOUN  Young-Ho PARK  Jongin LIM  

     
    PAPER-Cryptography and Information Security

      Vol:
    E92-A No:10
      Page(s):
    2431-2437

    In 1999, Gennaro, Halevi and Rabin proposed a signature scheme which achieves provable security without assuming random oracles; it is the first RSA-type signature whose security is proved in the standard model. Since then, several signatures have been proposed to achieve better efficiency or useful properties along with provable security in the standard model. In this paper, we construct a trapdoor hash function, and design an efficient online/offline signature by using the trapdoor hash function. Our signature scheme requires only one non-modular multiplication of two small integers for online signing, and it provides the fastest online signing among all online/offline signatures that achieve provable security in the standard model.

  • Recent Advances in Ultra-High-Speed Waveguide Photodiodes for Optical Communication Systems Open Access

    Kikuo MAKITA  Kazuhiro SHIBA  Takeshi NAKATA  Emiko MIZUKI  Sawaki WATANABE  

     
    INVITED PAPER

      Vol:
    E92-C No:7
      Page(s):
    922-928

    This paper describes the recent advances in semiconductor photodiodes for use in ultra-high-speed optical systems. We developed two types of waveguide photodiodes (WG-PD) -- an evanescently coupled waveguide photodiode (EC-WG-PD) and a separated-absorption-and-multiplication waveguide avalanche photodiode (WG-APD). The EC-WG-PD is very robust under high optical input operation because of its distribution of photo current density along the light propagation. The EC-WG-PD simultaneously exhibited a high external quantum efficiency of 70% for both 1310 and 1550 nm, and a wide bandwidth of more than 40 GHz. The WG-APD, on the other hand, has a wide bandwidth of 36.5 GHz and a gain-bandwidth product of 170 GHz as a result of its small waveguide mesa structure and a thin multiplication layer. Record high receiver sensitivity of -19.6 dBm at 40 Gbps was achieved. Additionally, a monolithically integrated dual EC-WG-PD for differential phase shift-keying (DPSK) systems was developed. Each PD has equivalent characteristics with 3-dB-down bandwidth of more than 40 GHz and external quantum efficiency of 70% at 1550 nm.

  • Provably Secure Multisignatures in Formal Security Model and Their Optimality

    Yuichi KOMANO  Kazuo OHTA  Atsushi SHIMBO  Shinichi KAWAMURA  

     
    PAPER-Signatures

      Vol:
    E91-A No:1
      Page(s):
    107-118

    We first model the formal security model of multisignature scheme following that of group signature scheme. Second, we prove that the following three probabilistic multisignature schemes based on a trapdoor permutation have tight security; PFDH (probabilistic full domain hash) based multisignature scheme (PFDH-MSS), PSS (probabilistic signature scheme) based multisignature scheme (PSS-MSS), and short signature PSS based multisignature scheme (S-PSS-MSS). Third, we give an optimal proof (general result) for multisignature schemes, which derives the lower bound for the length of random salt. We also estimate the upper bound for the length in each scheme and derive the optimal length of a random salt. Two of the schemes are promising in terms of security tightness and optimal signature length. In appendix, we describe a multisignature scheme using the claw-free permutation and discuss its security.

  • Optical Wireless Communications and Autonomous Beam Control Moving User Terminal

    Charoen TANGTRONGBENCHASIL  Yoichi HAMADA  Toshihiro KATO  Koji NONAKA  

     
    PAPER-Optical Wireless Communications

      Vol:
    E90-B No:11
      Page(s):
    3224-3231

    Optical wireless communications is a research topic of extreme interest since it offers high data rate (Gbps data rate), security, and RF interference immunity. However, optical wireless communications places severe restrictions on the communication paths; they must be direct beam connections. To increase the number of users and link robustness, optical wireless communications must be able to operate even when obstacles are placed between transmitters and receivers, so an optical micro-cell (OMC) with autonomous beam control can overcome the link robustness problem. In addition, OMC-based optical wireless communication yields compact systems. This paper presents the design, an implementation, and a demonstration of a 114 Mbps autonomous beam control optical wireless communication system based on an OMC technique. The robust posture control results in optimum downlink alignment and a good eye diagram of data transmission.

  • APD Measurement for Evaluating Disturbances Related to the Performance of Digital Communication Systems

    Kaoru GOTOH  Yasushi MATSUMOTO  Yukio YAMANAKA  Takashi SHINOZUKA  

     
    PAPER-Communications

      Vol:
    E88-B No:8
      Page(s):
    3235-3241

    The measured values of electromagnetic disturbances should strongly correlate with degradation in the communication quality of digital wireless communication systems. The Amplitude Probability Distribution (APD) of a disturbance represents statistical information as applicable measurement readings that meet the above requirement. In this paper, correlations between APD measurements of disturbances and the bit error rate (BER) as a quality degradation index for victim systems are quantitatively investigated. Disturbance regulation by APD measurements is discussed from the viewpoint of protecting systems from disturbances. This investigation specifically considers the situation in which a repetition pulse disturbance impacts PHS and W-CDMA systems assumed as victims. The results confirm high correlations between the APD and BER not only experimentally but also theoretically under some conditions. A disturbance regulation criterion based on APD measurements is thus proposed for compliance testing of electronic appliances with the potential to act as disturbance noise sources.

  • Evaluation of Shoulder Muscular Fatigue Induced during Mouse Operation in a VDT Task

    Atsuo MURATA  Hiroshi ISHIHARA  

     
    PAPER-Rehabilitation Engineering and Assistive Technology

      Vol:
    E88-D No:2
      Page(s):
    223-229

    This study was designed to evaluate localized muscular fatigue induced during mouse operation in a VDT task. Ten male undergraduates from 19 to 23 years old participated in the experiment. The subject performed a pointing task with a PC mouse for about 4 hours. The EMG measurements and psychological rating of fatigue were conducted before the experimental task and after each 30-minute block during the experimental task. The changes in the Mean Power Frequency (MPF) and Percentage Maximum Voluntary Contraction (%MVC)-shift for the constant cumulative probability in the Amplitude Probability Distribution Function (APDF) with time were explored. The correspondence between the index (MPF or APDF) and the subjective rating of localized muscular fatigue was also examined. The performance was nearly constant across all blocks. The psychological rating of fatigue tended to increase with time. The MPF tended to increase with time, although the main effect of block (time) was not statistically significant. The %MVC-shift tended to increase with time. The correspondence with the perceived sensation of localized muscular fatigue was higher when using the %MVC-shift than when using the MPF. Based on the results, the effectiveness of the indexes used for evaluating localized muscular fatigue was discussed. The %MVC-shift obtained from the APDF was found to be a sensitive index of localized muscular fatigue and corresponded well with the subjective rating of localized muscular fatigue.

  • Using Trapdoor Permutations in a Complete Subtree Method for Broadcast Encryption

    Ryo NOJIMA  Yuichi KAJI  

     
    PAPER-Information Security

      Vol:
    E88-A No:2
      Page(s):
    568-574

    The complete subtree (CS) method is widely accepted for broadcast encryption. A new method for assigning keys in the CS method is proposed in this paper. The essential idea behind the proposed method is to use two trapdoor permutations. Using the trapdoor information, the key management center computes and assigns a key to each terminal so that the terminal can derive all information necessary in the CS method. A terminal has to keep just one key, while log₂ N + 1 keys were needed in the original CS method, where N is the number of all terminals. The permutations to be used need to satisfy a certain property which is similar to but slightly different from the claw-free property. The needed property, named the strongly semi-claw-free property, is formalized in terms of probabilistic polynomial-time algorithms, and its relation to the claw-free property is discussed. It is also shown that if the permutations used fulfill the strongly semi-claw-free property, then the proposed method is secure against attacks by malicious users.

  • Reducing Receiver's Storage in CS, SD and LSD Broadcast Encryption Schemes

    Tomoyuki ASANO  

     
    PAPER-Application

      Vol:
    E88-A No:1
      Page(s):
    203-210

    This paper deals with broadcast encryption schemes, in which a sender can send information securely to a group of receivers excluding some receivers over a broadcast channel. In this paper we propose modifications of the Complete Subtree (CS), the Subset Difference (SD) and the Layered Subset Difference (LSD) methods based on the Master Key Tree (MKT). Our modifications eliminate log N keys or labels from receivers' storage, in exchange for an increase in the computational overhead, where N is the total number of receivers. We also propose modifications of the SD and LSD methods by applying the Trapdoor One-way Permutation Tree (TOPT) which is originally proposed in order to modify the CS method. Our modifications based on TOPT also eliminate log N labels, and the computational cost is much smaller than MKT based methods.
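    The original complete subtree method that both of the preceding abstracts (Nojima-Kaji and Asano) take as their starting point, as an added worked example (not code from either paper): each of N receivers stores the log₂ N + 1 node keys on its leaf-to-root path, the sender computes the cover of disjoint subtrees that contains every non-revoked leaf and no revoked one, and wraps a session key once per cover node. The heap-style node numbering, the power-of-two N, the XOR-with-SHA-256-pad key wrapping and the constructed revoked set are assumptions for the example; the trapdoor-permutation key derivation that reduces storage to one key or label is not implemented here.

```python
"""Complete Subtree (CS) broadcast encryption in its original key assignment.

Added example, not the Nojima-Kaji or Asano constructions. Nodes of a full
binary tree over N = 2^h leaves are numbered heap-style (root = 1, children
of i are 2i and 2i+1, leaves N .. 2N-1); every node carries an independent
key and receiver r holds the h + 1 keys on the path from leaf N + r to the root.
"""
import hashlib
import math
import os


def build_tree(n_receivers):
    """Return (height, node_keys) with one random 128-bit key per tree node."""
    assert n_receivers > 0 and n_receivers & (n_receivers - 1) == 0, "N must be a power of two"
    height = int(math.log2(n_receivers))
    node_keys = {node: os.urandom(16) for node in range(1, 2 * n_receivers)}
    return height, node_keys


def leaf_index(receiver, n_receivers):
    return n_receivers + receiver


def receiver_keys(receiver, n_receivers, node_keys):
    """Original CS storage: the keys of every node from the receiver's leaf up to the root."""
    keys = {}
    node = leaf_index(receiver, n_receivers)
    while node >= 1:
        keys[node] = node_keys[node]
        node //= 2
    return keys  # log2(N) + 1 entries


def cover(revoked, n_receivers):
    """Roots of the disjoint subtrees covering all non-revoked leaves and no revoked leaf.

    Standard CS cover: mark the Steiner tree spanned by the revoked leaves and the root;
    every child of a marked internal node that is itself unmarked is a cover node.
    """
    if not revoked:
        return [1]  # nobody revoked: the whole tree is one subtree
    steiner = set()
    for r in revoked:
        node = leaf_index(r, n_receivers)
        while node >= 1:
            steiner.add(node)
            node //= 2
    cov = []
    for node in steiner:
        if node >= n_receivers:  # revoked leaf: nothing hangs off it
            continue
        for child in (2 * node, 2 * node + 1):
            if child not in steiner:
                cov.append(child)
    return sorted(cov)


def _pad(key):
    """Wrapping pad derived from a node key (stands in for a real key-wrap cipher)."""
    return hashlib.sha256(b"CS-wrap" + key).digest()[:16]


def encrypt(session_key, revoked, n_receivers, node_keys):
    """Header: the session key wrapped once under each cover node's key."""
    return {node: bytes(a ^ b for a, b in zip(session_key, _pad(node_keys[node])))
            for node in cover(revoked, n_receivers)}


def decrypt(header, my_keys):
    """A receiver unwraps with the one path key that is a cover node; revoked receivers have none."""
    for node, wrapped in header.items():
        if node in my_keys:
            return bytes(a ^ b for a, b in zip(wrapped, _pad(my_keys[node])))
    return None


def demo(n_receivers=16, revoked=(3, 9)):
    """Run one broadcast; returns (header, {receiver: recovered session key or None})."""
    height, node_keys = build_tree(n_receivers)
    session_key = os.urandom(16)
    header = encrypt(session_key, revoked, n_receivers, node_keys)
    recovered = {}
    for r in range(n_receivers):
        my_keys = receiver_keys(r, n_receivers, node_keys)
        assert len(my_keys) == height + 1  # the log2(N) + 1 keys the abstracts refer to
        recovered[r] = decrypt(header, my_keys)
    return header, recovered, session_key


if __name__ == "__main__":
    header, recovered, sk = demo()
    print("cover nodes:", sorted(header), "ok for:", [r for r, k in recovered.items() if k == sk])
```

    With N = 16 and receivers 3 and 9 revoked (a constructed example) the cover has six subtrees, matching the r·log₂(N/r) bound of the CS method, and the header carries six wrapped copies of the session key; the storage that the two abstracts reduce is the five keys each receiver must hold in this scheme.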
