Publication


Featured research published by Naoto Yanai.


intelligent networking and collaborative systems | 2011

Certificateless Ordered Sequential Aggregate Signature Scheme

Naoto Yanai; Raylin Tso; Masahiro Mambo; Eiji Okamoto

Ordered sequential aggregate signature scheme is a signature scheme in which each signer for a group signs an individual document, and guarantees both of the validity of the document and the signing order. Many ordered sequential aggregate signature schemes are ID-based scheme and inherit an intrinsic insider problem, called key escrow problem, of the ID-based scheme. In this paper, we propose an ordered sequential aggregate signature scheme with certificateless property which solves the key escrow problem. Our proposed scheme can be regarded as a hybrid scheme of PKI and ID-based scheme and has the advantages of both of PKI and ID-based scheme. To the best of our knowledge, certificateless ordered sequential aggregate signature scheme has never been proposed. The proposed scheme is a pairing-based scheme and has a fixed signature size with respect to the number of signers. Also, the security of the proposed scheme is analyzed in the random oracle model.


advanced information networking and applications | 2016

Tightly-Secure Identity-Based Structured Aggregate Signature Scheme under the Computational Diffie-Hellman Assumption.

Tomoya Iwasaki; Naoto Yanai; Masaki Inamura; Keiichi Iwamura

An aggregate signature scheme is a primitive whereby each signer signs an individual document and combines them to compress data size. We propose an aggregate signature scheme which is an extension in two standpoints of structured signatures and ID-based signatures, i.e., we construct an identity-based structured aggregate signature scheme. The proposed scheme is expected to be used with consumer-generated media services. We prove the security of the proposed scheme with tight reduction under the computational Diffie-Hellman (CDH) assumption in the random oracle model. Tight reduction means that the cost of a reduction algorithm is independent of an adversary's capability, i.e., security is not downgraded by the adversary's capability. To the best of our knowledge, no structured signature scheme with tight reduction has been proposed to date because it contains complicated structures that make the reduction inefficient. Note that the security of our scheme captures the switching attack (CCS 2007, Boldyreva et al.) and the re-ordering attack (ISPEC 2007, Shao), which break several famous schemes.


advanced information networking and applications | 2017

An Anonymous Authentication Protocol for Smart Grid

Hikaru Kishimoto; Naoto Yanai; Shingo Okamura

Smart Grid allows users to deal with information related to the electricity usage via IP networks, and then guarantee of both validity and privacy of information is necessary for users. In our future scope, the electricity bill used by consumers may be charged to the consumers themselves via the Smart Grid, even outside their homes. Such information is strictly related to privacy of consumers and hence we propose an anonymous authentication protocol for the electricity usage on the Smart Grid. Our main idea is to utilize group signatures with controllable linkability. In these group signatures, only designated signers can generate digital signatures with anonymity under a single group public key, and only entities with a link key can distinguish whether the signatures are generated by a same signer or not. Whereas our proposed protocol is able to include any group signature scheme with controllable linkability, we also propose new controllably linkable group signatures with tokens, which are handled by smart meters on the Smart Grid.


Journal of Information Processing | 2017

SPaCIS: Secure Payment Protocol for Charging Information over Smart Grid

Hikaru Kishimoto; Naoto Yanai; Shingo Okamura

A use of an electric outlet by a consumer forces the outlet manager to pay for the consumer’s power usage in current electrical power systems. Even if a consumer uses an outlet managed by another person, one bill for both indoor and outdoor charging information should be required to the consumer in their contract with the utility company. For this purpose, we define a model for the Smart Grid security and propose a Secure Payment Protocol for Charging Information over Smart grid, SPaCIS for short, as a protocol satisfying the model. Our model provides for the unlinkability of consumers as well as for the undeniability and unforgeability of billing information using digital signatures and identity federations. SPaCIS is also efficient in the sense that time complexity is constant relatively to a trivial use such as an individual verification for each signatures, unless a verification error happens. We furthermore evaluate performance of SPaCIS via cryptographic implementation, and simulate SPaCIS in a case that one thousand users generate thirty signatures. Then, we show that SPaCIS with ECDSA can be executed within 6.30 msec for signing and 21.04 msec for verification of signatures, and conclude that SPaCIS is fairly practical.


international conference on conceptual modeling | 2016

Towards Provable Security of Dynamic Source Routing Protocol and Its Applications

Naoto Yanai

Routing control such as Internet routing is one of the most popular topics that draw many researchers’ attention in recent years. However, to the best of our knowledge, there are few works to deal with their provable security, where the security can be mathematically proven under some reasonable assumption. Although the provable security has been discussed in the area of cryptography, we consider that such analysis should also be done to conventional network systems in order to guarantee the security of their specifications. In this work, we aim to construct such a provable framework, and particularly discuss formalization of dynamic source routing (DSR) protocol which is a kernel protocol for sensor networks. Our formalization can be easily extended into secure routing protocols with cryptographic schemes such as digital signatures.


Journal of Information Processing | 2014

A CDH-based Ordered Multisignature Scheme Provably Secure without Random Oracles

Naoto Yanai; Eikoh Chida; Masahiro Mambo; Eiji Okamoto

Ordered multisignature scheme is a signature scheme to guarantee both validity of an electronic document and its signing order. Although the security of most of such schemes has been proven in the random oracle model, the difficulty of implementation of the random oracle implies that the security should be proven without random oracles, i.e., in the standard model. A straightforward way to construct such schemes in the standard model is to apply aggregate signature schemes. However, the existing schemes based on the CDH problem are inefficient in the sense that the number of computations of the bilinear maps and the length of public keys depend upon the length of (a hash value of) the message. Therefore, in this paper, we propose a CDH-based ordered multisignature scheme which is provably secure in the standard model under a moderate attack model. Its computational cost for the bilinear maps and the size of public key are independent of the length of (a hash value of) the message. More specifically, in comparison with the existing schemes, the public key length is reduced to three group elements from 512 group elements while the computational cost is reduced to 0.85msec from 1.6msec.


international conference on information security | 2013

An Ordered Multisignature Scheme Under the CDH Assumption Without Random Oracles

Naoto Yanai; Masahiro Mambo; Eiji Okamoto

Ordered multisignatures are digital signatures which allow multiple signers to guarantee the signing order as well as the validity of a message, and thus are useful for constructing secure routing protocols. Although one of approaches to constructing the ordered multisignatures is to utilize aggregate signatures, there is no known scheme which is provably secure without using aggregate signatures under a reasonable complexity assumption in the standard model. In this paper we propose a provably secure ordered multisignature scheme under the CDH assumption in the standard model from scratch. Our proposed scheme has a positive property that the data size of signatures and the number of computations of bilinear maps are fixed with respect to the number of signers and the message length.


DPM/CBT@ESORICS | 2018

On Security of Anonymous Invitation-Based System

Naoto Yanai; Jason Paul Cruz

In an anonymous invitation-based system, a user can join a group by receiving invitations sent by current members, i.e., inviters, to a server anonymously. This kind of system is suitable for social networks, and a formal framework with the anonymity of inviters and the unforgeability of an invitation letter was proposed in DPM 2017. The main concept of this previous system is elegant, but the formal security definitions are insufficient and weak in a realistic application scenario. In this paper, we revise formal security definitions as attacks representing a realistic scenario. In addition, we define a new aspect of the security wherein an adversary maliciously generates an invitation letter, i.e., invitation opacity, and the security for guaranteeing that an invitee with a valid invitation letter can always join the system, i.e., invitation extractability. A secure and useful construction can be expected by satisfying the security definitions described above.


international conference on information security and cryptology | 2017

Identity-Based Key-Insulated Aggregate Signatures, Revisited.

Nobuaki Kitajima; Naoto Yanai; Takashi Nishide

Identity-based key-insulated cryptography is a cryptography which allows a user to update an exposed secret key by generating a temporal secret key as long as the user can keep any string as its own public key. In this work, we consider the following question; namely, can we construct aggregate signatures whereby individual signatures can be aggregated into a single signature in an identity-based key-insulated setting? We call such a scheme identity-based key-insulated aggregate signatures (IBKIAS), and note that constructing an IBKIAS scheme is non-trivial since one can aggregate neither each signer’s randomness nor components depending on the temporal secret keys. To overcome this problem, we utilize the synchronized technique proposed by Gentry and Ramzan (PKC’06) for both aas state information and a partial secret key generated by a secure device. We then show that the proposed scheme is still provably secure under an adaptive security model of identity-based aggregate signatures.


DPM/CBT@ESORICS | 2017

Towards Efficient and Secure Encrypted Databases: Extending Message-Locked Encryption in Three-Party Model

Yuuji Furuta; Naoto Yanai; Masashi Karasaki; Katsuhiko Eguchi; Yasunori Ishihara; Toru Fujiwara

In database systems with three parties consisting of a data owner, a database manager and a data analyst, the data owner uploads encrypted data to a database and the data analyst delegated by the data owner analyzes the data by accessing to the database without knowing plaintexts. In this work, towards an efficient and secure scheme whose encryption can be processed in real time, we extend message-locked encryption (Bellare et al. [2]), where parts of ciphertexts are generated from their plaintexts deterministically. In particular, we introduce both delegations of relational search between ciphertexts from a data owner to a data analyst, and re-encryption of ciphertexts such that ciphertexts of the message-locked encryption become truly probabilistic against a database manager. We call the scheme message-locked encryption with re-encryption and relational search, and formalize the security, which is feasible and practical, in two cases, i.e., any relationship in a general setting and only an equality test in a restricted setting. Both settings are useful from a standpoint of trade-offs between the security and the efficiency. We also propose an instantiation with the equality test between ciphertexts.

Collaboration


Dive into Naoto Yanai's collaboration.

Top Co-Authors

Eiji Okamoto

University of Wisconsin-Madison

Shingo Okamura

National Archives and Records Administration

Goichiro Hanaoka

National Institute of Advanced Industrial Science and Technology
