Yuichi Komano

Toward the fair anonymous signatures: deniable ring signatures

Ring signature scheme, proposed by Rivest et al., allows a signer to sign a message anonymously. In the ring signature scheme, the signer who wants to sign a document anonymously first chooses some public keys of entities (signers) and then generates a signature which ensures that one of the signer or entities signs the document. In some situations, however, this scheme allows the signer to shift the blame to victims because of the anonymity. The group signature scheme may be a solution for the problem; however, it needs a group manager (electronic big brother) who can violate the signer anonymity without notification, and a complicated key setting. This paper introduces a new concept of a signature scheme with signer anonymity, a deniable ring signature scheme (

Secure authenticated key exchange with revocation for smart grid

\mathcal{DRS}

Efficient Universal Padding Techniques for Multiplicative Trapdoor One-Way Permutation

), in which no group manager exists, and the signer should be involved in opening the signer anonymity. We also propose a concrete scheme proven to be secure under the assumption of the DDH (decision Diffie Hellman) problem in the random oracle model.

Provably secure electronic cash based on blind multisignature schemes

Using cryptographic technologies to provide security solutions in smart grid is extensively discussed in NISTIR 7628 [1] and IEC 62351 standards series [2]. Both series identify cryptographic key management for Intelligent Electronic Devices (IEDs) communication as one of the most important issues. In this paper, considering the system constraints and the security requirements in the smart grid, we propose an authenticated key exchange scheme with revocation by exploiting a well-known cryptographic protocol: Broadcast encryption [3], [11], [12] using a media key block(MKB) [15]. Furthermore, we show that our scheme is efficient in comparison with the PKI-signature based Internet Key Exchange(IKE) protocol, [4], [8] in terms of the following points of view: (1) communication cost; (2) compuation cost; (3) device revocation cost. The comparison results show that our scheme is efficient and cost-effective in most cases for devices and systems in smart grid.

Security evaluation of a DPA-Resistant s-box based on the fourier transform

Coron et al. proposed the ES-based scheme PSS-ES which realizes an encryption scheme and a signature scheme with a unique padding technique and key pair. The security of PSS-ES as an encryption scheme is based on the partial-domain one-wayness of the encryption permutation. In this paper, we propose new ES schemes OAEP-ES, OAEP++-ES, and REACT-ES, and prove their security under the assumption of only the one-wayness of encryption permutation. OAEP-ES, OAEP++-ES, and REACT-ES suit practical implementation because they use the same padding technique for encryption and for signature, and their security proof guarantees that we can prepare one key pair to realize encryption and signature in the same way as PSS-ES. Since one-wayness is a weaker assumption than partial-domain one-wayness, the proposed schemes offer tighter security than PSS-ES. Hence, we conclude that OAEP-ES, OAEP++-ES, and REACT-ES are more effective than PSS-ES. REACT-ES is the most practical approach in terms of the tightness of security and communication efficiency.

Formal security model of multisignatures

Though various blind multisignature schemes have been proposed for secure electronic cash, the formal model of security was not discussed. This paper first formalizes the security notions for e-cash schemes based on the blind multisignature scheme. We then construct a blind multisignature scheme and propose a new untraceable e-cash scheme which is provably secure under the DDH assumption in the random oracle model applying the blind multisignature scheme. The proposed scheme can ensure the framing attack by banks where they collude to simulate the double-spending of an honest user.

On the security of probabilistic multisignature schemes and their optimality

At CHES 2006, Prouff et al. proposed a novel S-box calculation based on the discrete Fourier transform as a first-order DPA countermeasure. At CHES 2008, Coron et al. showed that the original countermeasure can be broken by first-order DPA due to a biased mask and they proposed an improved algorithm. This paper shows that there is still a flaw in the Corons S-box algorithm with respect to a practical software implementation. We pre-process the power traces to separate them into two subgroups, each has a biased mask. For the separated power traces, we propose two post analysis methods to identify the key. One is based on CPA attack against one subgroup, and the other is utilizing the difference of means for two subgroups and a pattern matching. Finally, we compare these two attack methods and propose an algorithm level countermeasure to enhance the security of Corons S-box.

Algorithmic Tamper Proof (ATP) Counter Units for Authentication Devices Using PIN

A multisignature scheme enables multiple signers to cooperate to generate one signature for some message. The aim of the multisignatures is to decrease the total length of the signature and/or the signing (verification) costs. This paper first discusses a formal security model of multisignatures following that of the group signatures [1,4]. This model allows an attacker against multisignatures to access five oracles adaptively. With this model, we can ensure more general security result than that with the existence model [14,11,12]. Second, we propose a multisignature scheme using a claw-free permutation. The proposed scheme can decrease the signature length compared to those of existence multisignature schemes using a trapdoor one-way permutation (TWOP) [11,12], because its signing does not require the random string. We also prove that the proposed scheme is tightly secure with the formal security model, in the random oracle model. Third, we discuss the security of the multisignature schemes [11,12] using a TOWP with the formal security model to confirm that these schemes can be proven to be tightly secure.

Provably Secure Multisignatures in Formal Security Model and Their Optimality

We first prove that the following three probabilistic multisignature schemes based on a trapdoor permutation have tight security; PFDH (probabilistic full domain hash) based multisignature scheme (PFDH-MSS), PSS (probabilistic signature scheme) based multisignature scheme (PSS-MSS), and short signature PSS based multisignature scheme (S-PSS-MSS). Second, we give an optimal proof (general result) for multisignature schemes, which derives the lower bound for the length of random salt. We also estimate the upper bound for the length in each scheme and derive the optimal length of a random salt. Two of the schemes are promising in terms of security tightness and optimal signature length.

Toward the Fair Anonymous Signatures: Deniable Ring Signatures*The proceedings version of this paper [12] appeared in the cryptographers' track at the RSA Conference 2006 (CT-RSA 2006).

Though Gennaro et al. discussed the algorithmic tamper proof (ATP) devices using the personal identification number (PIN) with less tamper-proof devices, and proposed counter units which count the number of wrong attempts in user authentication; however, as for the counter unit, they only constructed one which counts the total number of wrong attempts. Although large number for the limit of wrong attempts is required for usability, it allows an attacker to search PIN up to the limit and degrades the security. The construction of secure counter units which count the number of consecutive wrong attempts remains as an open problem. In this paper, we first formalize the ATP security of counter units, and propose two constructions of counter unit which count the number of consecutive wrong attempts. The security of each construction can be proven under the assumptions of secure signature scheme and random function. The former one is required to store two states in secure memory area (RP *** Mem) with low computation cost; and the latter one has high computation cost but is required to store only one state in RP *** Mem. This shows the trade-off between the costs of hardware and algorithm.