Fumitaka Hoshino

Remarks on Mix-Network Based on Permutation Networks

This paper addresses the security and efficiency issues of the Mix-net based on permutation networks introduced in [1]. We first show that the original construction results in a Mix-net that yields biased permutation, so it gives some advantage to adversaries. A simple repair is provided. We then observe that one of the original schemes can be improved so that the servers and verifier enjoy more efficient computation and communication.

Elliptic Curve Arithmetic Using SIMD

Focusing on servers that process many signatures or ciphertexts, this paper proposes two techniques for parallel computing with SIMD, which significantly enhances the speed of elliptic curve scalar multiplication. We also evaluate one of them based on a real implementation on a Pentium III, which incorporates the SIMD architecture. The results show that the proposed method is about 4.4 times faster than the conventional method.

Lenient/Strict Batch Verification in Several Groups

Batch verification is a useful tool in verifying a large number of cryptographic items all at one time. It is especially effective in verifying predicates based on modular exponentiation. In some cases, however, the items can be incorrect although they pass batch verification together. Such leniency can be eliminated by checking the domain of each item in advance. With this in mind, we investigate if the strict batch verification can remain more effective than separate verification. In this paper, we estimate the efficiency of such strict batch verification in several types of groups, a prime subgroup of ZZp with special/random prime p and prime subgroups defined on elliptic curves over Fp, F2m and Fpm, which are often used in DL-based cryptographic primitives. Our analysis concludes that the efficiency differs greatly depending on the choice of the group and parameters determined by the verifying predicate. Furthermore, we even show that there are some cases where batch verification, regardless of strictness, loses its computational advantage.

Candidate One-Way Functions on Non-Supersingular Elliptic Curves*A preliminary version was presented at ISEC2003 [22].

This paper proposes new candidate one-way functions constructed with a certain type of endomorphisms on non-supersingular elliptic curves. We can show that the one-wayness of our proposed functions is equivalent to some special cases of the co-Diffie-Hellman assumption. Also a digital signature scheme is explicitly described using our proposed functions.

A Cyclic Window Algorithm for ECC Defined over Extension Fields

This paper presents a new sliding window algorithm that is well-suited to an elliptic curve defined over an extension field for which the Frobenius map can be computed quickly, e.g., optimal extension field. The algorithm reduces elliptic curve group operations by approximately 15% for scalar multiplications for a practically used curve in comparison with Lim-Hwangs results presented at PKC2000, the fastest previously reported. The algorithm was implemented on computers. As a result, scalar multiplication can be accomplished in 573µs, 595µs, and 254µs on Pentium II (450 MHz), 21164A (500 MHz), and 21264 (500 MHz) computers, respectively.

Design in Type-I, Run in Type-III: Fast and Scalable Bilinear-Type Conversion Using Integer Programming

Bilinear type conversion is to convert cryptographic schemes designed over symmetric groups instantiated with imperilled curves into ones that run over more secure and efficient asymmetric groups. In this paper we introduce a novel type conversion method called IPConv using 0---1 Integer Programming. Instantiated with a widely available IP solver, it instantly converts existing intricate schemes, and can process large-scale schemes that involves more than a thousand variables and hundreds of pairings. Such a quick and scalable method allows a new approach in designing cryptographic schemes over asymmetric bilinear groups. Namely, designers work without taking much care about asymmetry of computation but the converted scheme runs well in the asymmetric setting. We demonstrate the usefulness of conversion-aided design by presenting somewhat counter-intuitive examples where converted DLIN-based Groth-Sahai proofs are more compact than manually built SXDH-based proofs.

Relinkable Ring Signature

In this paper, we propose the concept of a relinkable ring signature, which is a ring signature with ring reformation function, i.e., a signer can delegate ring reformation ability separately from signing ability to his/her proxy. The relinkable ring signature can be applicable to proxy ring reformation, anonymization of past-generated signature, or ring signature for dynamic group. We also propose a concrete relinkable ring signature scheme that uses pairing in the random oracle model.

Anonymizable signature and its construction from pairings

We present the notion of anonymizable signature, which is an extension of the ring signature [RST01, BKM06]. By using an anonymizable signature, anyone who has a signed message can convert the signature into an anonymous signature. In other words, one can leave a signed message with an appropriate agent who will later anonymize the signature. A relinkable ring signature [SHK09] is also an extension of the ring signature by which the ring forming ability can be separated from the signing ability. In the relinkable ring signature, an agent who has a special key given by the signer can modify the membership of existing ring signatures. However, the relinkable ring signature has two problematic limitations; a signer cannot select an agent according to the worth of the signature, because there exists the unique key to modify the membership for each public key, and we cannot achieve perfect anonymity even if the agent is honest. The proposed anonymizable signature can free one from these limitations. In the anonymizable signature scheme, each signature can be anonymized without any secret but the signature itself. Thus, the signer can delegate signature anonymization to multiple agents signature by signature. Moreover, the anonymizable signature can guarantee unconditional anonymity and be used for anonymity-sensitive purposes, e.g., voting. After providing the definition of the anonymizable signature, we also give a simple construction methodology and a concrete scheme that satisfies perfect anonymity and computational unforgeability under the gap Diffie-Hellman assumption with the random oracle model.

Compressed jacobian coordinates for OEF

This paper presents a new coordinate system for elliptic curves that accelerates the elliptic curve addition and doubling over an optimal extension field (OEF). Many coordinate systems for elliptic curves have been proposed to accelerate elliptic curve cryptosystems. This paper is a natural extension of these papers and the new coordinates are much faster when the elliptic curve is defined over an OEF. This paper also shows that the total computational cost is reduced by 28% when the elliptic curve is defined over

Privacy Enhanced Active RFID Tag

{\mathbb F}_{q^m}