Railway operators adjust timetables, and accordingly reschedule rolling stock circulation and crew duties, when the train operations are disrupted by accidents or adverse weather conditions. This paper discusses the problem of rescheduling driver assignment to freight trains after timetable adjustment has been completed. We construct a network from the disrupted situation, and model the problem as an integer programming problem with set-covering constraints combined with set-partitioning constraints. The integer program is solved by column generation in which we reduce the column generation subproblem to a shortest path problem and such paths by utilizing data parallelism. Numerical experiments using a real timetable, driver scheduling plan and major disruption data in the highest-frequency freight train operation area in Japan reveal that our method provides a quality driver rescheduling solution within 25 seconds.

In this paper, we develop linear-programming (LP) decoding for multiple-access channels with binary linear codes. For single-user channels, LP decoding has attracted much attention in recent years as a good approximation to maximum-likelihood (ML) decoding. We demonstrate how the ML decoding problem for multiple-access channels with binary linear codes can be formulated as an LP problem. This is not straightforward, because the objective function of the problem is generally a non-linear function of the codeword symbols. We introduce auxiliary variables such that the objective function is a linear function of these variables. The ML decoding problem then reduces to the LP problem. As in the case for single-user channels, we formulate the relaxed LP problem to reduce the complexity for practical implementation, and as a result propose a decoder that has the desirable property known as the ML certificate property (i.e., if the decoder outputs an integer solution, the solution is guaranteed to be the ML codeword). Although the computational complexity of the proposed algorithm is exponential in the number of users, we can reduce this complexity for Gaussian multiple-access channels. Furthermore, we compare the performance of the proposed decoder with a decoder based on the sum-product algorithm.

If a d-dimensional pure simplicial complex C has a shelling, which is a specific total order of all facets of C, C is said to be shellable. We consider the problem of deciding whether C is shellable or not. This problem is solved in linear time of m, the number of all facets of C, if d = 1 or C is a pseudomanifold in d = 2. Otherwise it is unknown at this point whether the decision of shellability can be solved in polynomial time of m. Thus, for the latter case, we had no choice but to apply a brute force method to the decision problem; namely checking up to the m! ways to see if one can arrange all the m facets of C into a shelling. In this paper, we introduce a new concept, called h-assignment, to C and propose a practical method using h-assignments to decide whether C is shellable or not. Our method can make the decision of shellability of C by smaller sized computation than the brute force method.

P. Kirchberger proved that, for a finite subset X of R^d such that each point in X is painted with one of two colors, if every d+2 or fewer points in X can be separated along the colors, then all the points in X can be separated along the colors. In this paper, we show a more colorful theorem.

We study nn random symmetric matrices whose entries above the diagonal are iid random variables each of which takes 1 with probability p and 0 with probability 1-p, for a given density parameter p=α/n for sufficiently large α. For a given such matrix A, we consider a matrix A ' that is obtained by removing some rows and corresponding columns with too many value 1 entries. Then for this A', we show that the largest eigenvalue is asymptotically close to α+1 and its eigenvector is almost parallel to all one vector (1,...,1).

It is well known that the problem to solve a set of randomly chosen multivariate quadratic equations over a finite field is NP-hard. However, when the number of variables is much larger than the number of equations, it is not necessarily difficult to solve equations. In fact, when n ≥ m(m+1) (n,m are the numbers of variables and equations respectively) and the field is of even characteristic, there is an algorithm to find one of solutions of equations in polynomial time (see [Kipnis et al., Eurocrypt '99] and also [Courtois et al., PKC '02]). In the present paper, we propose two new algorithms to find one of solutions of quadratic equations; one is for the case of n ≥ (about) m²-2m ^3/2+2m and the other is for the case of n ≥ m(m+1)/2+1. The first one finds one of solutions of equations over any finite field in polynomial time, and the second does with O(2^m) or O(3^m) operations. As an application, we also propose an attack to UOV with the parameters given in 2003.

Fair exchange is an important tool to achieve “fairness” of electronic commerce. Several previous schemes satisfy universally composable security which provides security preserving property under complex networks like the Internet. In recent years, as the demand for electronic commerce increases, fair exchange for electronic vouchers (e.g., electronic tickets, moneys, etc.) to obtain services or contents is in the spotlight. The definition of fairness for electronic vouchers is different from that for general electronic items (e.g., the sender must not do duplicate use of exchanged electronic vouchers). However, although there are universally composable schemes for electronic items, there is no previous study for electronic vouchers. In this paper, we introduce a universally composable definition of fair voucher exchange, that is, an ideal functionality of fair voucher exchange. Also, we prove the equivalence between our universally composable definition and the conventional definition for electronic vouchers. Thus, our formulation of the ideal functionality is justified. Finally, we propose a new fair voucher exchange scheme from non-blocking atomic commitment as black-box, which satisfies our security definition and is adequate for mobile environments. By instantiating general building blocks with known practical ones, our scheme can be also practical because it is implemented without trusted third party in usual executions.

We introduce a “generalized small inverse problem (GSIP)” and present an algorithm for solving this problem. GSIP is formulated as finding small solutions of f(x₀, x₁, ..., x_n)=x₀ h(x₁, ..., x_n)+C=0 (mod ; M) for an n-variate polynomial h, non-zero integers C and M. Our algorithm is based on lattice-based Coppersmith technique. We provide a strategy for construction of a lattice basis for solving f=0, which is systematically transformed from a lattice basis for solving h=0. Then, we derive an upper bound such that the target problem can be solved in polynomial time in log M in an explicit form. Since GSIPs include some RSA-related problems, our algorithm is applicable to them. For example, the small key attacks by Boneh and Durfee are re-found automatically.

In the present paper, we propose elliptic curve scalar multiplication methods on pairing-friendly elliptic curves. The proposed method is efficient on elliptic curves on which Ate_i pairing or optimal pairing is efficiently computed.

This paper shows a simple methodology for shortening a ciphertext of reproducible key encapsulation mechanisms. Specifically, it transforms a key encapsulation mechanism having OW-CCCA security and reproducibility into that of IND-CCA secure in the random oracle model whose ciphertext is shorter. Various existing chosen-ciphertext secure key encapsulation mechanisms (in the standard model) are reproducible, and thus their ciphertext can be shortened by the proposed transformation. The transformed scheme requires only one additional hashing for encryption. This property enables us to implement both the original scheme and the transformed scheme into a single chip simultaneously with small gate-size overhead. Using this chip, a sender can flexibly switch schemes to encrypt a message in a message-by-message manner. Such a use of schemes is also analyzed.

In this paper, the first extended Canetti-Krawzcyk (eCK) security model for hierarchical ID-based authenticated key exchange (AKE) that guarantee resistance to leakage of ephemeral secret keys is proposed. Moreover, an two-pass hierarchical ID-based AKE protocol secure in the proposed hierarchical ID-based eCK security model based on a hierarchical ID-based encryption is also proposed.

A lot of improvements and optimizations for the hardware implementation of SubBytes of Rijndael, in detail inversion in F_2⁸ have been reported. Instead of the Rijndael original F_2⁸, it is known that its isomorphic tower field F_((2²)²)² has a more efficient inversion. Then, some conversion matrices are also needed for connecting these isomorphic binary fields. According to the previous works, it is said that the number of 1's in the conversion matrices is preferred to be small; however, they have not focused on the Hamming weights of the row vectors of the matrices. It plays an important role for the calculation architecture, in detail critical path delays. This paper shows the existence of efficient conversion matrices whose row vectors all have the Hamming weights less than or equal to 4. They are introduced as quite rare cases. Then, it is pointed out that such efficient conversion matrices can connect the Rijndael original F_2⁸ to some less efficient inversions in F_((2²)²)² but not to the most efficient ones. In order to overcome these inconveniences, this paper next proposes a technique called mixed bases. For the towerings, most of previous works have used several kinds of bases such as polynomial and normal bases in mixture. Different from them, this paper proposes another mixture of bases that contributes to the reduction of the critical path delay of SubBytes. Then, it is shown that the proposed mixture contributes to the efficiencies of not only inversion in F_((2²)²)² but also conversion matrices between the isomorphic fields F_2⁸ and F_((2²)²)².

Broadcasters transmit TV programs and often need to transmit an individual message, e.g. an individual contract, to each user. The programs have to be encrypted in order to protect the copyright and the individual messages have to be encrypted to preserve the privacy of users. For these purposes, broadcasters transmit not only encrypted content but also encrypted personalized messages to individual users. Current broadcasting services employ an inefficient encryption scheme based on a symmetric key. Recently, several broadcast encryption schemes using a public key have been proposed in which the broadcaster encrypts a message for some subset S of users with a public key and any user in S can decrypt the broadcast with his/her private key. However, it is difficult to encrypt a personalized message and transmit it to every user efficiently. In this paper, we propose a broadcast encryption scheme that has a personalized message encryption function. We show that our scheme is efficient in terms of the ciphertext size.

In (k,n) threshold scheme, Tompa and Woll considered a problem of cheaters who try to make another participant reconstruct an invalid secret. Later, some models of such cheating were formalized and lower bounds of the size of share were shown in the situation of fixing the maximum successful cheating probability to ε. Some efficient schemes in which size of share is equal to the lower bound were also proposed. Let |S| be the field size of the secret. Under the assumption that cheaters do not know the distributed secret, these sizes of share of previous schemes which can work for ε > 1/|S| are somewhat larger than the bound. In this paper, we show the bound for this case is really tight by constructing a new scheme. When distributing uniform secret, the bit length of share in the proposed scheme is only 1 bit longer than the known bound. Further, we show a tighter bound of the size of share in case of ε < 1/|S|.

Verifying the signing order is sometimes very important in multisignature schemes. A multisignature scheme in which the signing order can be verified is called structured multisignature scheme and many such schemes have been proposed so far. However, there are not many structured multisignature schemes utilizing an algebraic structure of underlying algebraic operation. Ohmori, Chida, Shizuya and Nishizeki have proposed a structured multisignature scheme by utilizing a non-commutative ring homomorphism. Since their scheme does not fully reflect the structure of signers and its rigorous security analysis is not provided, we construct an improved structured multisignature scheme overcoming these problems by utilizing the non-commutative ring homomorphism in a different way and discuss its rigorous security against various attacks, including signer structure forgery, rogue key attack and attack-0 under the discrete logarithm assumption. As far as we know, the scheme in [30], which does not use non-commutative ring homomorphism, guarantees the most rigorous security but the number of signers is restricted in order to prevent attack-0. In contrast, our scheme overcomes attack-0 by virtue of a ring homomorphism and no restriction is imposed on the number of signers.

In the case of Barreto-Naehrig pairing-friendly curves of embedding degree 12 of order r, recent efficient Ate pairings such as R-ate, optimal, and Xate pairings achieve Miller loop lengths of(1/4) ⌊log₂ r⌋. On the other hand, the twisted Ate pairing requires (3/4) ⌊log₂ r⌋ loop iterations, and thus is usually slower than the recent efficient Ate pairings. This paper proposes an improved twisted Ate pairing using Frobenius maps and a small scalar multiplication. The proposed idea splits the Miller's algorithm calculation into several independent parts, for which multi-pairing techniques apply efficiently. The maximum number of loop iterations in Miller's algorithm for the proposed twisted Ate pairing is equal to the (1/4) ⌊log₂ r ⌋ attained by the most efficient Ate pairings.

A pairing over an elliptic curve E/F_p^m to an extension field of F_p^mk has begun to be attractive in cryptosystems, from the practical and theoretical point of view. From the practical point of view, many cryptosystems using a pairing, called the pairing-based cryptosystems, have been proposed and, thus, a pairing is a necessary tool for cryptosystems. From the theoretical point of view, the so-called embedding degree k is an indicator of a relationship between the elliptic curve Discrete Logarithm Problem (ECDLP) and the Discrete Logarithm Problem (DLP), where ECDLP over E(F_p^m) is reduced to DLP over F_p^mk by using the pairing. An elliptic curve is determined by mathematical parameters such as the j-invariant or order of an elliptic curve, however, explicit conditions between these mathematical parameters and an embedding degree have been described only in a few degrees. In this paper, we focus on the theoretical view of a pairing and investigate a new condition of the existence of elliptic curves with pre-determined embedding degrees. We also present some examples of elliptic curves over 160-bit, 192-bit and 224-bit F_p^m with embedding degrees k < (log p)² such as k=10, 12, 14, 20, 22, 24, 28.

This paper presents a novel technique to realize Karnin et al.'s (k,n)-threshold schemes over binary field extensions as a software. Our realization uses the matrix representation of finite fields and matrix-vector multiplications, and enables rapid operations in software implementation. The theoretical evaluation and computer simulation reveal that our realization of Karnin et al.'s scheme achieves much faster processing time than the ordinary symbol oriented realization of the scheme. Further, we show that our realization has comparable performance to the existing exclusive-OR-based fast schemes of Fujii et al. and Kurihara et al.

In an undirected graph, the feedback vertex set (FVS for short) problem is to find a set of vertices of minimum cardinality whose removal makes the graph acyclic. The FVS has applications to several areas such that combinatorial circuit design, synchronous systems, computer systems, VLSI circuits and so on. The FVS problem is known to be NP-hard on general graphs but interesting polynomial solutions have been found for some special classes of graphs. In this paper, we present an O(n^2.68 + γn) time algorithm for solving the FVS problem on trapezoid graphs, where γ is the total number of factors included in all maximal cliques.

In this paper, a linear optimization of the dual-tree complex wavelet transform (DTCWT) based on the least squares method is proposed. The proposed method can design efficient DTCWTs by improving the design degrees of freedom and solving the least square solution iteratively. Because the resulting DTCWTs have good approximation accuracy of the half sample delay condition and the stopband attenuation, they provide precise shift-invariance and directionality. Finally, the proposed DTCWTs are evaluated by applying to non-linear approximation and image denoising, and showed their effectiveness, compared with the conventional DTCWTs.

A new compact form of the sliding window recursive least squares (SWRLS) algorithm, the I-SWRLS algorithm, is derived using an indefinite matrix. The resultant algorithm has a form similar to that of the traditional recursive least squares (RLS) algorithm, and is more computationally efficient than the conventional SWRLS algorithm including two Riccati equations. Furthermore, a computationally reduced version of the I-SWRLS algorithm is developed utilizing a shift property of the correlation matrix of input data. The resulting fast algorithm reduces the computational complexity from O(N²) to O(N) per iteration when the filter length (tap number) is N, but retains the same tracking performance as the original algorithm. This fast algorithm is much easier to implement than the existing SWC FTF algorithms.

A perfect sequence is a sequence having an impulsive autocorrelation function. Perfect sequences have several applications, such as CDMA, ultrasonic imaging, and position control. A parameterization of a perfect sequence is presented in the present paper. We treat a set of perfect sequences as a zero set of quadratic equations and prove a decomposition law of perfect sequences. The decomposition law reduces the problem of the parameterization of perfect sequences to the problem of the parameterization of quasi-perfect sequences and the parameterization of perfect sequences of short length. The parameterization of perfect sequences for simple cases and quasi-perfect sequences should be helpful in obtaining a parameterization of perfect sequences of arbitrary length. According to our theorem, perfect sequences can be represented by a sum of trigonometric functions.

In this paper, we define a discretized chaotic map as a digital realization of a one-dimensional chaos map. As a concrete example, we consider a family of pseudochaotic sequences with maximum length, referred to as maximum length pseudochaotic sequences, obtained from a class of discretized piecewise linear map. A theoretical framework for designing maximum length pseudochaotic sequences of the discretized chaotic maps is obtained. These discretized piecewise linear chaotic maps can be used in the design of binary sequences with constant autocorrelation values for several time delays.

This paper presents a new and robust framework for real-coded genetic algorithm, called real-code conditional genetic algorithm (rc-CGA). The most important characteristic of the proposed rc-CGA is the implicit self-adaptive feature of the crossover and mutation mechanism. Besides, a new crossover operator with laplace distribution following a few promising descent directions (FPDD-LX) is proposed for the rc-CGA. The proposed genetic algorithm (rc-CGA+FPDD-LX) is tested using 31 benchmark functions and compared with four existing algorithms. The simulation results show excellent performance of the proposed rc-CGA+FPDD-LX for continuous function optimization.

Kim and Chung previously proposed a password-based user authentication scheme to improve Yoon and Yoo's scheme. However, Kim and Chung's scheme is still vulnerable to an offline password guessing attack, an unlimited online password guessing attack, and server impersonation. We illustrate how their scheme can be compromised and then propose an improved scheme to overcome the weaknesses. Our improvement is based on the Rabin cryptosystem. We verify the correctness of our proposed scheme using the BAN logic.

In this paper, we deal with the algebraic immunity of the symmetric Boolean functions. The algebraic immunity is a property which measures the resistance against the algebraic attacks on symmetric ciphers. It is well known that the algebraic immunity of the symmetric Boolean functions is completely determined by a narrow class of annihilators with low degree which is denoted by G(n,). We study and determine the weight support of part of these functions. Basing on this, we obtain some relations between the algebraic immunity of a symmetric Boolean function and its simplified value vector. For applications, we put forward an upper bound on the number of the symmetric Boolean functions with algebraic immunity at least d and prove that the algebraic immunity of the symmetric palindromic functions is not high.

Low-density parity-check (LDPC) codes are typically designed to avoid the length-4 cycles to ensure acceptable levels of performance. However, the turbo equalization, which relies on an interaction between an inner code such as an LDPC code and a soft-output Viterbi algorithm (SOVA) detector, exhibits a performance degradation due to the pseudo cycles. In this paper, we propose an interleaved modified array code (IMAC) that can reduce the number of pseudo cycles, hence, improving the gains from the iterative processing technique. The modification is made on the existing array-based LDPC codes named modified array codes (MAC) by introducing an additional interleaving matrix to the parity-check matrix. Simulation results on the perpendicular magnetic recording channels (PMRC) demonstrate that the IMAC outperforms both the MAC and the previously proposed random interleave array (RIA) codes for the partial-response targets under consideration. In addition, a subblock-based encoder design is proposed to reduce the encoding complexity of the IMAC and when compared with the RIA code, the IMAC exhibits a lower encoding complexity, and still maintains a comparable level of the decoding complexity.

This paper presents an improved version of multi-stage threshold decoding with a difference register (MTD-DR) for self-orthogonal convolutional codes (SOCCs). An approximate lower bound on the bit error rate (BER) with the maximum likelihood (ML) decoding is also given. MTD-DR is shown to achieve an approximate lower bound of ML decoding performance at the higher E_b/N₀. The code with larger minimum Hamming distance reduces the BER in error floor, but the BER in waterfall shifts to the higher E_b/N₀. This paper gives a decoding scheme that improves the BER in both directions, waterfall and error floor. In the waterfall region, a 2-step decoding (2SD) improves the coding gain of 0.40 dB for shorter codes (code length 4200) and of 0.55 dB for longer codes (code length 80000) compared to the conventional MTD-DR. The 2-step decoding that serially concatenates the parity check (PC) decoding improves the BER in the error floor region. This paper gives an effective use of PC decoding, that further makes the BER 1/8 times compared to the ordinary use of PC decoding in the error floor region. Therefore, the 2SD with effective use of parity check decoding improves the BER in the waterfall and the error floor regions simultaneously.

Thus far, there have been many reports and publications on the algorithm for the efficient generation of a circle or an ellipse by the parametric method. In this parametric method, we compute a trigonometric function only at the time of setting the initial condition for generating graphics incrementally using the recurrence formula consisting of the arithmetical operations of addition, subtraction, and multiplication in the main loop. This means that the key to the faster generation of a circle or an ellipse is to reduce the number of multiplication operations. In the conventional methods, the numbers of multiplication operations required to generate a single point each for a circle and an ellipse are three and four, respectively. However, in this paper, we propose a method that makes it possible to generate a slanted ellipse by performing only two multiplication operations per point. The key to this is to use simultaneous recurrences. The proposed method allows a simpler initial setup than any of the conventional methods, thus performing the computation more efficiently. In addition, the new method proposed here causes no theoretical errors, with the rounding error being similar to or less than that of any conventional method.

In this letter, we consider a control problem of a chain of integrators with a delay in the input under measurement feedback. While there are several control results for our considered system, they have not dealt with any of measurement feedback problems. Our proposed controller is coupled with a low-pass filter such that it can attenuate the sensor noise effect and reduce the ultimate bounds of the controlled systems states. Our result shows that the proposed method has clear benefit over the existing results.

This letter is devoted to derivation of a transformation law which converts a class of nonlinear affine control systems with n-states and 2-iputs into simpler systems with chained structure. First, we give a problem formulation that we consider throughout this letter. We next introduce a transformation law and gives its mathematical certification. Then, we apply the transformation method to an example and consider control design based on chained structure for the example in order to confirm the effectiveness of our approach.

This paper presents a simplifying method of the two previous fault attacks to pairing and the Miller algorithms based on a practical fault assumption. Our experimental result shows that the assumption is feasible and easy to implement.