
Keyword Search Result

[Keyword] Paillier(7hit)

1-7hit
  • Privacy-Preserving Logistic Regression with Distributed Data Sources via Homomorphic Encryption

    Yoshinori AONO  Takuya HAYASHI  Le Trieu PHONG  Lihua WANG  

     
    PAPER

    Publicized: 2016/05/31
    Vol: E99-D No:8
    Page(s): 2079-2089

    Logistic regression is a powerful machine learning tool to classify data. When dealing with sensitive or private data, care is necessary. In this paper, we propose a secure system for privacy-protecting both the training and predicting data in logistic regression via homomorphic encryption. Perhaps surprisingly, despite the non-polynomial tasks of training and predicting in logistic regression, we show that only additively homomorphic encryption is needed to build our system. Indeed, we instantiate our system with Paillier, LWE-based, and ring-LWE-based encryption schemes, highlighting the merits and demerits of each instantiation. Besides examining the costs of computation and communication, we carefully test our system over real datasets to demonstrate its utility.

  • Secure Ranking over Encrypted Documents

    Jiuling ZHANG  Beixing DENG  Xing LI  Xiao-lei ZHANG  

     
    LETTER

    Vol: E95-D No:12
    Page(s): 2954-2955

    Ranking the encrypted documents stored on secure cloud computing servers is becoming prominent with the expansion of the encrypted data collection. In our work, order preserving encryption is employed to pre-rank the encrypted documents. Paillier's additive homomorphic encryption is used to re-rank the top pre-ranked documents of some considerate scale.

  • Key Generation for Fast Inversion of the Paillier Encryption Function

    Takato HIRANO  Keisuke TANAKA  

     
    PAPER-Cryptography and Information Security

    Vol: E93-A No:6
    Page(s): 1111-1121

    We study fast inversion of the Paillier encryption function. Especially, we focus only on key generation, and do not modify the Paillier encryption function. We propose three key generation algorithms based on the speeding-up techniques for the RSA encryption function. By using our algorithms, the size of the private CRT exponent is half of that of Paillier-CRT. The first algorithm employs the extended Euclidean algorithm. The second algorithm employs factoring algorithms, and can construct the private CRT exponent with low Hamming weight. The third algorithm is a variant of the second one, and has some advantages such as compression of the private CRT exponent and no requirement for factoring algorithms. We also propose the settings of the parameters for these algorithms and analyze the security of the Paillier encryption function by these algorithms against known attacks. Finally, we give experimental results of our algorithms.

  • Primitive Power Roots of Unity and Its Application to Encryption

    Takato HIRANO  Koichiro WADA  Keisuke TANAKA  

     
    PAPER-Theory

    Vol: E92-A No:8
    Page(s): 1836-1844

    We first consider a variant of the Schmidt-Samoa-Takagi encryption scheme without losing additively homomorphic properties. We show that this variant is secure in the sense of IND-CPA under the decisional composite residuosity assumption, and of OW-CPA under the assumption on the hardness of factoring $n=p^2q$. Second, we introduce new algebraic properties "affine" and "pre-image restriction," which are closely related to homomorphicity. Intuitively, "affine" is a tuple of functions which have a special homomorphic property, and "pre-image restriction" is a function which can restrict the receiver to having information on the encrypted message. Then, we propose an encryption scheme with primitive power roots of unity in $(\mathbb{Z}/n^{s+1})$. We show that our scheme has, in addition to the additively homomorphic property, the above algebraic properties. In addition to the properties, we also show that the encryption scheme is secure in the sense of OW-CPA and IND-CPA under new number theoretic assumptions.

  • An Efficient On-Line Electronic Cash with Unlinkable Exact Payments

    Toru NAKANISHI  Yuji SUGIYAMA  

     
    PAPER-Cryptography and Information Security

    Vol: E88-A No:10
    Page(s): 2769-2777

    Though there is intensive research on off-line electronic cash (e-cash), the current computer network infrastructure sufficiently accepts on-line e-cash. On-line means that the payment protocol involves the bank, and off-line means no involvement. For customers' privacy, the e-cash system should satisfy unlinkability, i.e., any pair of payments is unlinkable w.r.t. the sameness of the payer. In addition, for convenience, exact payments, i.e., payments with arbitrary amounts, should also be able to be performed. In an existing off-line system with unlinkable exact payments, the customers need massive computations. On the other hand, an existing on-line system does not satisfy the efficiency and the perfect unlinkability simultaneously. This paper proposes an on-line system, where the efficiency and the perfect unlinkability are achieved simultaneously.

  • Shuffle for Paillier's Encryption Scheme

    Takao ONODERA  Keisuke TANAKA  

     
    PAPER

    Vol: E88-A No:5
    Page(s): 1241-1248

    In this paper, we propose a proof scheme of shuffle, which is an honest verifier zero-knowledge proof of knowledge such as the protocols by Groth and Furukawa. Unlike the previous schemes proposed by Furukawa-Sako, Groth, and Furukawa, our scheme can be used as the shuffle of the elements encrypted by Paillier's encryption scheme, which has an additive homomorphic property in the message part. The ElGamal encryption scheme used in the previous schemes does not have this property.

  • Secure Detection of Watermarks

    Jun FURUKAWA  

     
    PAPER-Applications

    Vol: E87-A No:1
    Page(s): 212-220

    There are two main types of digital watermark systems. In the first, users are given their own detection programs by which to verify the presence of a watermark in data they have in their possession. In the second, users must request such verification from a detection center. The disadvantage of the first type is the possibility that a user might be able to analyze the detection program sufficiently to be able to obtain the secret data (secret key) used to embed the watermark. The disadvantage of the second is the possibility that a center might give dishonest results. In this paper, we propose a watermark detection scheme that can be used to overcome the disadvantages of both: it prevents users from obtaining the secret key, and it prevents a center from reporting dishonest results. Our scheme is based on a previously proposed scheme which nearly achieved the same goals but, unfortunately, allowed users to receive watermark detection results for data specially created by them so as to reveal, through the results, secret information about how a center created its watermarks. To overcome this drawback, we have developed a new scheme by which a center can prove its detection results to a user without revealing any other information. This scheme was developed by extending the work found in. Moreover, we provide an option that prevents the center from encroaching on a user's privacy. The resulting watermark detection scheme is the first that, in addition to protecting secret keys of watermarks from user-tampering, is also able to prevent a center from reporting dishonest results. Although the proposed scheme is introduced first using the patch-work watermarking system, it is straightforward to extend it to a scheme that uses the correlation-based watermarking system, which yields a more robust watermark detection scheme.