Nagao OGINO Yuto NAKAMURA Shigehiro ANO
A threshold secret sharing scheme can realize reliable delivery of important content using redundant routes through a network. Furthermore, multicast delivery of threshold secret shared content can achieve efficient resource utilization thanks to the application of multicast and network coding techniques to multiple pieces of the content. Nevertheless, a tradeoff exists between reliability and efficiency if multicast content delivery uses network coding. This paper proposes a flexible multicast delivery scheme for threshold secret shared content that can control the tradeoff between reliability and efficiency. The proposed scheme classifies all the pieces obtained from the original content into multiple groups, and each group is subjected to network coding independently. An optimization procedure is proposed for the multicast delivery scheme, which involves two different heuristic delivery route computation methods applicable to large-scale networks. Evaluation results show that the optimized multicast delivery scheme adopting an appropriate grouping method and classifying the pieces into a suitable number of groups can minimize the required link bandwidth while satisfying a specified content loss probability requirement.
Rui XU Kirill MOROZOV Tsuyoshi TAKAGI
Harn and Lin proposed an algorithm to detect and identify cheaters in Shamir's secret sharing scheme in the journal Designs, Codes and Cryptography, 2009. In particular, their algorithm for cheater identification is inefficient. We point out that some of their conditions for cheater detection and identification essentially follow from those on error detection/correction of Reed-Solomon codes, which have efficient decoding algorithms, while some other presented conditions turn out to be incorrect. The extended and improved version of the above mentioned scheme was recently presented at the conference International Computer Symposium 2012 (and the journal version appeared in the journal IET Information Security). The new scheme, which is ideal (i.e. the share size is equal to that of the secret), attempts to identify cheaters from minimal number of shares (i.e. the threshold of them). We show that the proposed cheater identification is impossible using the arguments from coding theory.
Kevin Nathanael SANTOSO Suk-Hwan LEE Won-Joo HWANG Ki-Ryong KWON
This paper presents an information hiding method for DNA steganography with which a massive amount of data can be hidden in a noncoding strand. Our method maps the encrypted data to the DNA sequence using a numerical mapping table, before concealing it in the noncoding sequence using a secret key comprising sector length and the random number generator's seed. Our encoding algorithm is sector-based and reference dependent. Using modular arithmetic, we created a unique binary-base translation for every sector. By conducting a simulation study, we showed that our method could preserve amino acid information, extract hidden data without reference to the host DNA sequence, and detect the position of mutation error. Experimental results verified that our method produced higher data capacity than conventional methods, with a bpn (bit-per-nucleotide) value that ranged from approximately 1-2, depending on the selected sector length. Additionally, our novel method detected the positions of mutation errors by the presence of a parity base in each sector.
We introduce a coding theoretic criterion for Yamamoto's strong security of the ramp secret sharing scheme. After that, by using it, we show the strong security of the strongly multiplicative ramp secret sharing proposed by Chen et al. in 2008.
Wyner has shown in his seminal paper on (discrete memoryless) wiretap channels that if the channel between the sender and an eavesdropper is a degraded version of the channel between the sender and the legitimate receiver, then the sender can reliably and securely transmit a message to the receiver, while the eavesdropper obtains absolutely no information about the message. Later, Leung-Yan-Cheong and Hellman extended Wyner's result to the case where the noise is white Gaussian. In this paper we extend the white Gaussian wiretap channel to the colored Gaussian case and show the finite block length secrecy capacity of colored Gaussian wiretap channels. We also show the asymptotic secrecy capacity of a specific colored Gaussian wiretap channel for which optimal power allocation can be found by a water-filling procedure.
Yasunori ISHIHARA Yasuhiro USHIROZAKO Kengo MORI Jun FURUKAWA
In this letter, we propose a secrecy criterion for outsourcing encrypted databases. In encrypted databases, encryption schemes revealing some information are often used in order to manipulate encrypted data efficiently. The proposed criterion is based on inference analysis for databases: We simulate attacker's inference on specified secret information with and without the revealed information from the encrypted database. When the two inference results are the same, then secrecy of the specified information is preserved against outsourcing the encrypted database. We also show that the proposed criterion is decidable under a practical setting.
Lei WANG Xinrong GUAN Yueming CAI Weiwei YANG Wendong YANG
This work investigates the physical layer security for three cooperative automatic-repeat-request (CARQ) protocols, including the decode-and-forward (DF) CARQ, opportunistic DF (ODF) CARQ, and the distributed space-time code (DSTC) CARQ. Assuming that there is no instantaneous channel state information (CSI) of legitimate users' channel and eavesdropper's channel at the transmitter, the connection outage performance and secrecy outage performance are derived to evaluate the reliability and security of each CARQ protocol. Then, we redefine the concept of the secrecy throughput to evaluate the overall efficiency of the system in terms of maintaining both reliable and secure transmission. Furthermore, through an asymptotic analysis in the high signal-to-noise ratio (SNR) regime, the direct relationship between reliability and security is established via the reliability-security tradeoff (RST). Numerical results verify the analysis and show the efficiency of the CARQ protocols in terms of the improvement on the secrecy throughput. More interestingly, increasing the transmit SNR and the maximum number of transmissions of the ARQ protocols may not achieve a security performance gain. In addition, the RST results underline the importance of determining how to balance the reliability vs. security, and show the superiority of ODF CARQ in terms of RST.
Eiichiro FUJISAKI Akinori KAWACHI Ryo NISHIMAKI Keisuke TANAKA Kenji YASUNAGA
Leakage resilient cryptography is often considered in the presence of a very strong leakage oracle: An adversary may submit arbitrary efficiently computable function f to the leakage oracle to receive f(x), where x denotes the entire secret that a party possesses. This model is somewhat too strong in the setting of public-key encryption (PKE). It is known that no secret-key leakage resilient PKE scheme exists if the adversary may have access to the secret-key leakage oracle to receive only one bit after it was given the challenge ciphertext. Similarly, there exists no sender-randomness leakage resilient PKE scheme if one-bit leakage occurs after the target public key was given to the adversary. At TCC 2011, Halevi and Lin have broken the barrier of after-the-fact leakage, by proposing the so-called split state model, where a secret key of a party is explicitly divided into at least two pieces, and the adversary may have not access to the entire secret at once, but each divided pieces, one by one. In the split-state model, they have constructed post-challenge secret-key leakage resilient CPA secure PKEs from hash proof systems, but the construction of CCA secure post-challenge secret-key leakage PKE has remained open. They have also remained open to construct sender-randomness leakage PKE in the split state model. This paper provides a solution to the open issues. We also note that the proposal of Halevi and Lin is post-challenge secret-key leakage CPA secure against a single challenge ciphertext; not against multiple challenges. We present an efficient generic construction that converts any CCA secure PKE scheme into a multiple-challenge CCA secure PKE that simultaneously tolerates post-challenge secret-key and sender-randomness leakage in the split state model, without any additional assumption. In addition, our leakage amount of the resulting schemes is the same as that of Halevi and Lin CPA PKE, i.e., (1/2+γ)l/2 where l denotes the length of the entire secret (key or randomness) and γ denotes a universal (possitive) constant less than 1/2. Our conversion is generic and available for many other public-key primitives. For instance, it can convert any identity-based encryption (IBE) scheme to a post-challenge master-key leakage and sender-randomness leakage secure IBE.
A secret sharing scheme is said to be d-multiplicative if the scheme allows the players to multiply shared d secrets by locally converting their shares into an additive sharing of the product. In the previous work, the following negative result for perfect secret sharing has been shown: The d-multiplicative secret sharing for d players is impossible. This paper extends the impossibility result to non-perfect secret sharing. Our main result is a proof that d-multiplicative secret sharing for d players is impossible even if every player has partial information on the secret (e.g., all but one bit). This result means that there is no need to relax the privacy requirement with leakage of partial information only for the purpose of d-multiplication.
A threshold secret sharing scheme protects content by dividing it into many pieces and distributing them among different servers. This scheme can also be utilized for the reliable delivery of important content. Thanks to this scheme, the receiver can still reconstruct the original content even if several pieces are lost during delivery due to a multiple-link failure. Nevertheless, the receiver cannot reconstruct the original content unless it receives pieces more than or equal to the threshold. This paper aims to obtain reliable delivery routes for the pieces, as this will minimize the probability that the receiver cannot reconstruct the original content. Although such a route optimization problem can be formulated using an integer linear programming (ILP) model, computation of globally optimum delivery routes based on the ILP model requires large amounts of computational resources. Thus, this paper proposes a lightweight method for computing suboptimum delivery routes. The proposed greedy method computes each of the delivery routes successively by using the conventional shortest route algorithm repeatedly. The link distances are adjusted iteratively on the basis of the given probability of failure on each link and they are utilized for the calculation of each shortest route. The results of a performance evaluation show that the proposed method can compute sub-optimum delivery routes efficiently thanks to the precise adjustment of the link distances, even in backbone networks on a real-world scale.
Ryo KIKUCHI Dai IKARASHI Koki HAMADA Koji CHIDA
Secret sharing (SS) has been extensively studied as for both secure data storage and a fundamental building block for multiparty computation (MPC). Recently, Kikuchi et al. proposed a passively and unconditionally secure conversion protocol that converts from a share of a ramp scheme to another of homomorphic SS scheme. The share-size of the ramp scheme is small, and the homomorphic SS scheme is a class of SS schemes that includes Shamir's and replicated SS schemes, which are convenient for MPC. Therefore, their protocol is a conversion from an SS scheme whose share-size is small to MPC-friendly SS schemes, and can be applied to reduce the amount of data storage while maintaining extendibility to MPC. We propose five unconditionally and actively secure protocols in the honest majority. In this paper, we consider a privacy and correctness as security requirement and does not consider a robustness: A cheat caused by an active adversary must be detected. These protocols consist of two conversion protocols, two reveal protocols and a protocol generating specific randomness. Main protocols among them are two conversion protocols for bilateral conversion between a ramp scheme and linear SS scheme, and the others are building blocks of the main protocols. Linear SS scheme is a subset of homomorphic SS scheme but includes both Shamir's and replicated SS schemes. Therefore, these main protocols are conversions between an SS scheme whose share-size is small to MPC-friendly SS schemes. These main protocols are unconditionally and actively secure so if MPC protocols used after the conversion are actively secure, the whole system involving SS scheme, conversion, and MPC protocols can be unconditionally and actively secure by using our main protocols. One of our two main protocols is the first to convert from MPC-friendly SS schemes to the ramp scheme. This enhances applications, such as secure backup, of the conversion protocol. Other than the two main protocols, we propose a protocol for generating specific randomnesses and two reveal protocols as building blocks. The latter two reveal protocols are actively and unconditionally secure in the honest majority and requires O(n||F||)-bit communication per revealing, and we believe that it is independently interest.
We introduce a graphical calculus for multi-qutrit systems (the qutrit ZX-calculus) based on the framework of dagger symmetric monoidal categories. This graphical calculus consists of generators for building diagrams and rules for transforming diagrams, which is obviously different from the qubit ZX-calculus. As an application of the qutrit ZX-calculus, we give a graphical description of a (2, 3) threshold quantum secret sharing scheme. In this way, we prove the correctness of the secret sharing scheme in a intuitively clear manner instead of complicated linear algebraic operations.
Shingo HASEGAWA Shuji ISOBE Jun-ya IWAZAKI Eisuke KOIZUMI Hiroki SHIZUYA
Password-protected secret sharing (PPSS, for short) schemes were proposed by Bagherzandi, Jarecki, Saxena and Lu. In this paper, we consider another attack for PPSS schemes which is based on public parameters and documents. We show that the protocol proposed by Bagherzandi et al. is broken with the attack. We then propose an enhanced protocol which is secure against the attack.
Ryo KIKUCHI Koji CHIDA Dai IKARASHI Wakaha OGATA Koki HAMADA Katsumi TAKAHASHI
Secret sharing scheme (SS) has been extensively studied since SSs are important not only for secure data storage but also as a fundamental building block for multiparty computation (MPC). For an application to secure data storage, the share size of SS is an important factor. For an application to a building block for MPC, the extendibility to MPC is needed. Computationally secure SSs and a ramp scheme have a small share size but there have been few studies concerning their MPC. In contrast, there have been many studies about MPC on Shamir's and replicated SSs while their share size is large. We consider an application scenario of SS such as applying SSs to secure data storage service with MPC. In this application, users store their data in servers through SS, and sometimes the servers perform MPC as an optional feature. In this case, the extendibility to MPC is needed and good code-efficiency is preferable. We propose a new computational SS, and show how to convert shares of our SS and a ramp SS to those of multiparty-friendly SS such as Shamir's and replicated SS. This enables one to secretly-share data compactly and extend secretly-shared data to MPC if needed.
Chao WANG Hui-Ming WANG Weile ZHANG
This paper studies the design of cooperative beamforming (CB) and cooperative jamming (CJ) for the physical layer security of an amplify-and-forward (AF) relay network in the presence of multiple multi-antenna eavesdroppers. The secrecy rate maximization (SRM) problem of such a network is to maximize the difference of two concave functions, a problem which is non-convex and has no efficient solution. Based on the inner convex approximation (ICA) and semidefinite relaxation (SDR) techniques, we propose two novel low-complexity schemes to design CB and CJ for SRM in the AF network. In the first strategy, relay nodes adopt the CB only to secure transmission. Based on ICA, this design guarantees convergence to a Karush-Kuhn-Tucker (KKT) solution of the SDR of the original problem. In the second strategy, the optimal joint CB and CJ design is studied and the proposed joint design can guarantee convergence to a KKT solution of the original problem. Moreover, in the second strategy, we prove that SDR always has a rank-1 solution for the SRM problem. Simulation results show the superiority of the proposed schemes.
Dae-Hee HAN Shun-ichiro OHMI Tomoyuki SUWA Philippe GAUBERT Tadahiro OHMI
To improve metal oxide semiconductor field effect transistors (MOSFET) performance, flat interface between gate insulator and silicon (Si) should be realized. In this paper, the influence of Si surface roughness on electrical characteristics of MOSFET with hafnium oxynitride (HfON) gate insulator formed by electron cyclotron resonance (ECR) plasma sputtering was investigated for the first time. The surface roughness of Si substrate was reduced by Ar/4.9%H2 annealing utilizing conventional rapid thermal annealing (RTA) system. The obtained root-mean-square (RMS) roughness was 0.07nm (without annealed: 0.18nm). The HfON was formed by 2nm-thick HfN deposition followed by the Ar/O2 plasma oxidation. The electrical properties of HfON gate insulator were improved by reducing Si surface roughness. It was found that the current drivability of fabricated nMOSFETs was remarkably increased by reducing Si surface roughness. Furthermore, the reduction of Si surface roughness also leads to decrease of the 1/f noise.
Jinxiao ZHU Yulong SHEN Xiaohong JIANG Osamu TAKAHASHI Norio SHIRATORI
The fading channel model is seen as an important approach that can efficiently capture the basic time-varying properties of wireless channels, while physical layer security is a promising approach to providing a strong form of security. This paper focuses on the fundamental performance study of applying physical layer security to achieve secure and reliable information transmission over the fading wire-tap channel. For the practical scenario where the main channel is correlated with the eavesdropper channel but only the real time channel state information (CSI) of the main channel is known at the transmitter, we conduct a comprehensive study on the fundamental performance limits of this system by theoretically modeling its secrecy capacity, transmission outage probability and secrecy outage probability. With the help of these theoretical models, we then explore the inherent performance tradeoffs under fading wire-tap channel and also the potential impact of channel correlation on such tradeoffs.
In secret sharing scheme, Tompa and Woll considered a problem of cheaters who try to make another participant reconstruct an invalid secret. Later, some models of such cheating were formalized and lower bounds of the size of shares were shown in the situation of fixing the minimum successful cheating probability. Under the assumption that cheaters do not know the distributed secret, no efficient scheme is known which can distribute bit strings. In this paper, we propose an efficient scheme for distributing bit strings with an arbitrary access structure. When distributing a random bit string with threshold access structures, the bit length of shares in the proposed scheme is only a few bits longer than the lower bound.
In 2001, Boneh and Franklin realized the first Identity-Based Encryption (IBE), and at the same time they proposed a simple way to revoke users from the system. Later, Boldyreva et al. pointed out that Boneh-Franklin's revocation method is not scalable well and they proposed the first IBE scheme with efficient revocation. Recently, Tseng and Tsai [Computer Journal, Vol.55 No.4, page 475-486, 2012] claimed that Boldyreva et al.'s scheme requires a secure channel between each user and the key generation center in the key update phase, and proposed a new revocable IBE (RIBE) with a public channel by extending the Boneh-Franklin scheme. In this paper, we revisit Tseng and Tsai's result; we first point out that secure channels (except for the initial key setup) are not mandatory in the definition of RIBE scheme formalized by Boldyreva et al. Next, we show that Boldyreva et al.'s scheme does not require any secure channels (except for the initial key setup), which is different from what Tseng and Tsai claimed and so invalidates their contribution of the first RIBE with a public channel. Moreover, we point out that there are simple techniques to remove secure channels from the Boneh-Franklin RIBE. Interestingly, we show that the secure-channel-free Boneh-Franklin RIBE scheme is secure against decryption key exposure, whereas the Tseng-Tsai RIBE scheme is vulnerable to this attack.
Forward secrecy (FS) is a central security requirement of authenticated key exchange (AKE). Especially, strong FS (sFS) is desirable because it can guarantee security against a very realistic attack scenario that an adversary is allowed to be active in the target session. However, most of AKE schemes cannot achieve sFS, and currently known schemes with sFS are only proved in the random oracle model. In this paper, we propose a generic construction of AKE protocol with sFS in the standard model against a constrained adversary. The constraint is that session-specific intermediate computation results (i.e., session state) cannot be revealed to the adversary for achieving sFS, that is shown to be inevitable by Boyd and González Nieto. However, our scheme maintains weak FS (wFS) if session state is available to the adversary. Thus, our scheme satisfies one of strongest security definitions, the CK+ model, which includes wFS and session state reveal. The main idea to achieve sFS is to use signcryption KEM while the previous CK+ secure construction uses ordinary KEM. We show a possible instantiation of our construction from Diffie-Hellman problems.