Wakaha Ogata

Oblivious keyword search

In this paper, we introduce a notion of oblivious keyword search (OKS). Let W be the set of possible keywords. In the commit phase, a database supplier I commits n data. In each transfer subphase, a user U can choose a keyword w∈W adaptively and find Search(w) without revealing w to I, where Search(w) is the set of all data which includes w as a keyword.We then show two efficient protocols such that the size of the commitments is only O(nB) regardless of the size of W, where B is the size of each data. It is formally proved that U learns nothing more than search(w) and J gains no information on the keywords which U searched for. We further present a more efficient adaptive OTkn protocol than the previous one [19] as an application of our first OKS protocol.

Fault tolerant anonymous channel

Previous anonymous channels, called MIX nets, do not work if one center stops. This paper shows new anonymous channels which allow less than a half of faulty centers. A fault tolerant multivalued election scheme is obtained automatically. A very efficient ZKIP for the centers is also presented.

The security of the FDH variant of Chaum's undeniable signature scheme

In this paper, a new kind of adversarial goal called forge-and-impersonate in undeniable signature schemes is introduced. Note that forgeability does not necessarily imply impersonation ability. The security of the full-domain hash (FDH) variant of Chaums undeniable signature scheme is then classified according to three dimensions, the goal of adversaries, the attacks, and the zero-knowledge (ZK) level of confirmation and disavowal protocols. Each security is then related to some well-known computational problem. In particular, the security of the FDH variant of Chaums scheme with noninteractive zero-knowledge (NIZK) protocol confirmation and disavowal protocols is proven to be equivalent to the computational Diffie-Hellman (CDH) problem, as opposed to the gap Diffie-Hellman (GDH) problem as claimed by Okamoto and Pointcheval.

New combinatorial designs and their applications to authentication codes and secret sharing schemes

This paper introduces three new types of combinatorial designs, which we call external difference families (EDF), external BIBDs (EBIBD) and splitting BIBDs. An EDF is a special type of EBIBD, so existence of an EDF implies existence of an EBIBD. We construct optimal splitting A-codes by using EDF. Then we give a new bound on the number of shares required in robust secret sharing schemes (i.e., schemes secure against cheaters). EDF can be used to construct robust secret sharing schemes that are optimal with respect to the new bound. We also prove a weak converse, showing that if there exists an optimal secret sharing scheme, then there exists an EBIBD. Finally, we derive a Fisher-type inequality for splitting BIBDs. We also prove a weak equivalence between splitting BIBDs and splitting A-codes. Further, it is shown that an EDF implies a splitting BIBD.

The security of the FDH variant of chaum's undeniable signature scheme

In this paper, a new kind of adversarial goal called forge-and-impersonate in undeniable signature schemes is introduced. Note that forgeability does not necessarily imply impersonation ability. The security of the full-domain hash (FDH) variant of Chaums undeniable signature scheme is then classified according to three dimensions, the goal of adversaries, the attacks, and the zero-knowledge (ZK) level of confirmation and disavowal protocols. Each security is then related to some well-known computational problem. In particular, the security of the FDH variant of Chaums scheme with noninteractive zero-knowledge (NIZK) protocol confirmation and disavowal protocols is proven to be equivalent to the computational Diffie-Hellman (CDH) problem, as opposed to the gap Diffie-Hellman (GDH) problem as claimed by Okamoto and Pointcheval.

Bit-Slice Auction Circuit

In this paper, we introduce a bit-slice approach for auctions and present a more efficient circuit than the normal approach for the highest-price auction. Our circuit can be combined with any auction protocol based on general circuit evaluation. Especially, if we combine with the mix and match technique, then we can obtain a highest-price auction protocol which is at least seven times faster. A second-price auction protocol is also easily constructed from our circuit.

General conversion for obtaining strongly existentially unforgeable signatures

We say that a signature scheme is strongly existentially unforgeable if no adversary, given message/signature pairs adaptively, can generate a new signature on either a signature on a new message or a new signature on a previously signed message. Strongly existentially unforgeable signature schemes are used to construct many applications, such as an IND-CCA2 secure public-key encryption scheme and a group signature scheme. We propose two general and efficient conversions, both of which transform a secure signature scheme to a strongly existentially unforgeable signature scheme. There is a tradeoff between the two conversions. The first conversion requires the random oracle, but the signature scheme transformed by the first conversion has shorter signature length than the scheme transformed by the second conversion. The second conversion does not require the random oracle. Therefore, if the original signature scheme is of the standard model, the strongly existentially unforgeable property of the converted signature scheme is proved also in the standard model. Both conversions ensure tight security reduction to the underlying security assumptions. Moreover, the transformed schemes by the first or second conversion satisfy the on-line/off-line property. That is, signers can precompute almost all operations on the signing before they are given a message.

t-Cheater Identifiable (k, n) Threshold Secret Sharing Schemes

In this paper, we show that there exists a t-cheater identifiable (k, n) threshold secret sharing scheme such as follows for cheating probability ? > O. If k ≥ 3t + 1, then 1. Just k participants are enough to identify who are cheaters. 2. |Vi| is independent of n. That is, |Vi| = |S|(l/?)(t+2), where S denotes the set of secrets and Vi denotes the set of shares of a participant Pi, respectively. (Previously, no schemes were known which satisfy both requirements.) Further, we present a lower bound on |Vi| for our model and for the model of Tompa and Woll. Our bound for the TW model is much more tight than the previous bound.

Privacy-preserving similarity evaluation and application to remote biometrics authentication

In this paper, a new method for secure remote biometric authentication preventing the vulnerability of compromised biometrics is presented. The idea is based on a public-key cryptographical protocol, referred as zero-knowledge proof, which allows a user to prove that she has surely a valid biometric data without revealing the data. Hence, the scheme is free from the risk of disclosure of biometric data. Even if a malicious administrator has a privilege access to the private database, it is infeasible for him to learn the private template. This paper studies two well-known definitions, the cosine correlation and the Euclidean distance as similarities of given two feature vectors. Both similarities are defined with some multiplications and additions, which can be performed in privacy-preserving way because of the useful property of public-key commitment scheme, additive homomorphism. The estimation based on the experimental implementation shows that the private Euclidean distance scheme archives better accuracy in terms of false acceptance and rejection than the private cosine coloration scheme, but it requires about