Ryo Nojima

Semantic security for the McEliece cryptosystem without random oracles

In this paper, we formally prove that padding the plaintext with a random bit-string provides the semantic security against chosen plaintext attack (IND-CPA) for the McEliece (and its dual, the Niederreiter) cryptosystems under the standard assumptions. Such padding has recently been used by Suzuki, Kobara and Imai in the context of RFID security. Our proof relies on the technical result by Katz and Shin from Eurocrypt ’05 showing “pseudorandomness” implied by the learning parity with noise (LPN) problem. We do not need the random oracles as opposed to the known generic constructions which, on the other hand, provide a stronger protection as compared to our scheme—against (adaptive) chosen ciphertext attack, i.e., IND-CCA(2). In order to show that the padded version of the cryptosystem remains practical, we provide some estimates for suitable key sizes together with corresponding workload required for successful attack.

A Storage Efficient Redactable Signature in the Standard Model

In this paper, we propose a simple redactable signature scheme for super-sets whose message-signature size is O (|M | + *** ), where *** is a security parameter and M is a message to be signed. The scheme proposed by Johnson et al. in CT-RSA 2003 has the similar performance but this scheme was proven secure based on the RSA assumption in the random oracle model. In this paper, we show that such a scheme can be constructed based on the RSA assumption without the random oracles.

Unbreakable distributed storage with quantum key distribution network and password-authenticated secret sharing.

Distributed storage plays an essential role in realizing robust and secure data storage in a network over long periods of time. A distributed storage system consists of a data owner machine, multiple storage servers and channels to link them. In such a system, secret sharing scheme is widely adopted, in which secret data are split into multiple pieces and stored in each server. To reconstruct them, the data owner should gather plural pieces. Shamir’s (k, n)-threshold scheme, in which the data are split into n pieces (shares) for storage and at least k pieces of them must be gathered for reconstruction, furnishes information theoretic security, that is, even if attackers could collect shares of less than the threshold k, they cannot get any information about the data, even with unlimited computing power. Behind this scenario, however, assumed is that data transmission and authentication must be perfectly secure, which is not trivial in practice. Here we propose a totally information theoretically secure distributed storage system based on a user-friendly single-password-authenticated secret sharing scheme and secure transmission using quantum key distribution, and demonstrate it in the Tokyo metropolitan area (≤90 km).

Analyzing Randomized Response Mechanisms Under Differential Privacy

The randomized response technique was first introduced by Warner in 1965 [27] as a technique to survey sensitive questions. Since it is considered to protect the respondent’s privacy, many variants and applications have been proposed in the literature. Unfortunately, the randomized response and its variants have not been well evaluated from the privacy viewpoint historically. In this paper, we evaluate them by using differential privacy. Specifically, we show that some variants have a tradeoff between the privacy and utility, and that the “negative” survey technique obtains negative results.

Can We Securely Use CBC Mode in TLS1.0

Currently, TLS1.0 is one of the most widely deployed protocol versions for SSL/TLS. In TLS1.0, there are only two choices for the bulk encryption, i.e., RC4 or block ciphers in the CBC mode, which have been criticized to be insecure.

Enhancing the security of Bloom-filters with blind signatures

In this paper, we propose a privacy-preserving variant of Bloom-filters. The Bloom-filter has many applications in the network. In some of those applications, equipping the Bloom-filter with the privacy-preserving mechanism is crucial for the deployment. In this paper, to make them secure, we propose a new Bloom-filter protocol named privacy-preserving Bloom filter. We propose two protocols based on the unique blind signature and the oblivious pseudorandom function. To show that the protocol is secure, we give a formal security definition and prove the security under the definition.

How to Handle Excessively Anonymized Datasets

Many companies and organizations have been collecting personal data with the aim of sharing it with partners. To prevent re-identification, the data should be anonymized before being shared. Although many anonymization methods have been proposed thus far, choosing one from them is not trivial since there is no widely accepted criteria. To overcome this situation, we have been conducting a data anonymization and re-identification competition, called PWS CUP, in Japan. In this paper, we introduce a problem appeared at the competition, named an excessive anonymization, and show how to formally handle it.

POSTER: PRINCESS: A Secure Cloud File Storage System for Managing Data with Hierarchical Levels of Sensitivity

PRINCESS (Proxy Re-encryption with INd-Cca security in an Encrypted file Storage System) is a secure storage system which utilizes special proxy re-encryption technology. With PRINCESS, the files encrypted in accordance with the confidentiality levels can be shared among appointed users while remaining encrypted. In this poster/demo, we show the efficiency of PRINCESS, which can be applied to a Body Area Network information sharing, automobile information sharing, etc. This system facilitates the potential for new services that require privacy data to be shared securely via cloud technology.

A Secure Automobile Information Sharing System

Utilizing the proxy re-encryption technique described in \cite{w-IBPdr}, we construct a secure storage system named PRINCESS Proxy Re-encryption with INd-Cca security in an Encrypted file Storage System). With PRINCESS, the files encrypted in accordance with the confidentiality levels can be shared among appointed users while remaining encrypted. Furthermore, we implement an automobile information-sharing system based on PRINCESS. With this system, location information obtained from a GPS and the vehicle data obtained via on-board diagnosis and Bluetooth can be shared flexibly and securely. By using this system, it is possible to share automobile information, such as the position and speed, and even the engines rotational frequency, while ensuring user control and privacy. This system facilitates the potential for new services that require automobile information to be shared securely via cloud technology.

Efficient shared-key authentication scheme from any weak pseudorandom function

One of the most widely used shared-key authentication schemes today is a challenge-response scheme. In this scheme, a function such as a message authentication code or a symmetric encryption scheme plays an important role. To ensure the security, we need to assume that these functions are included in a certain kind of functions family, e.g., a pseudorandom functions family. For example, functions such as SHA1-HMAC, DES and AES often assumed as the pseudorandom functions. But unfortunately, nobody knows that these functions are really pseudorandom functions and if not, then the security of the challenge-response scheme is not ensured any more. The common way to reduce this kind of fear is to construct the shared-key authentication scheme which can be proven secure with a weaker assumption on these functions. In this paper, we show that a blind-challenge-response shared-key authentication scheme which is a simple modified version of the original challenge-response authentication scheme can be constructed from a weaker cryptographic assumption known as weak pseudorandom functions.