Author

Ryo Nojima

Bio: Ryo Nojima is an academic researcher from the National Institute of Information and Communications Technology. The author has contributed to research in topics: Computer science & Encryption. The author has an h-index of 8, co-authored 23 publications receiving 278 citations.

Papers
Journal ArticleDOI
TL;DR: It is formally proved that padding the plaintext with a random bit-string provides the semantic security against chosen plaintext attack (IND-CPA) for the McEliece (and its dual, the Niederreiter) cryptosystems under the standard assumptions.
Abstract: In this paper, we formally prove that padding the plaintext with a random bit-string provides the semantic security against chosen plaintext attack (IND-CPA) for the McEliece (and its dual, the Niederreiter) cryptosystems under the standard assumptions. Such padding has recently been used by Suzuki, Kobara and Imai in the context of RFID security. Our proof relies on the technical result by Katz and Shin from Eurocrypt '05 showing "pseudorandomness" implied by the learning parity with noise (LPN) problem. We do not need the random oracles as opposed to the known generic constructions which, on the other hand, provide a stronger protection as compared to our scheme--against (adaptive) chosen ciphertext attack, i.e., IND-CCA(2). In order to show that the padded version of the cryptosystem remains practical, we provide some estimates for suitable key sizes together with corresponding workload required for successful attack.

124 citations

Journal Article
TL;DR: This paper proposes a cryptographically secure privacy-preserving Bloom-filter protocol based on blind signatures and oblivious pseudorandom functions, respectively and provides a reasonable security definition and proves the security.
Abstract: In this paper, we propose a privacy-preserving variant of Bloom-filters. The Bloom-filter has many applications such as hash-based IP-traceback systems and Web cache sharing. In some of those applications, equipping the Bloom-filter with the privacy-preserving mechanism is crucial for the deployment. In this paper, we propose a cryptographically secure privacy-preserving Bloom-filter protocol. We propose such two protocols based on blind signatures and oblivious pseudorandom functions, respectively. To show that the proposed protocols are secure, we provide a reasonable security definition and prove the security.

45 citations

Book ChapterDOI
04 Sep 2009
TL;DR: It is shown that a simple redactable signature scheme for super-sets whose message-signature size is O can be constructed based on the RSA assumption without the random oracles.
Abstract: In this paper, we propose a simple redactable signature scheme for super-sets whose message-signature size is O(|M| + ***), where *** is a security parameter and M is a message to be signed. The scheme proposed by Johnson et al. in CT-RSA 2003 has similar performance, but that scheme was proven secure based on the RSA assumption in the random oracle model. In this paper, we show that such a scheme can be constructed based on the RSA assumption without the random oracles.

22 citations

Journal ArticleDOI
TL;DR: In this paper, the authors proposed a totally information theoretically secure distributed storage system based on a user-friendly single-password-authenticated secret sharing scheme and secure transmission using quantum key distribution.
Abstract: Distributed storage plays an essential role in realizing robust and secure data storage in a network over long periods of time. A distributed storage system consists of a data owner machine, multiple storage servers and channels to link them. In such a system, a secret sharing scheme is widely adopted, in which secret data are split into multiple pieces and stored in each server. To reconstruct them, the data owner should gather plural pieces. Shamir's (k, n)-threshold scheme, in which the data are split into n pieces (shares) for storage and at least k pieces of them must be gathered for reconstruction, furnishes information theoretic security, that is, even if attackers could collect shares of less than the threshold k, they cannot get any information about the data, even with unlimited computing power. Behind this scenario, however, it is assumed that data transmission and authentication are perfectly secure, which is not trivial in practice. Here we propose a totally information theoretically secure distributed storage system based on a user-friendly single-password-authenticated secret sharing scheme and secure transmission using quantum key distribution, and demonstrate it in the Tokyo metropolitan area (≤90 km).

21 citations

Posted Content
TL;DR: In this paper, the authors proposed a totally information theoretically secure distributed storage system based on a user-friendly single-password-authenticated secret sharing scheme and secure transmission using quantum key distribution.
Abstract: Distributed storage plays an essential role in realizing robust and secure data storage in a network over long periods of time. A distributed storage system consists of a data owner machine, multiple storage servers and channels to link them. In such a system, a secret sharing scheme is widely adopted, in which secret data are split into multiple pieces and stored in each server. To reconstruct them, the data owner should gather plural pieces. Shamir's (k, n)-threshold scheme, in which the data are split into n pieces (shares) for storage and at least k pieces of them must be gathered for reconstruction, furnishes information theoretic security, that is, even if attackers could collect shares of less than the threshold k, they cannot get any information about the data, even with unlimited computing power. Behind this scenario, however, it is assumed that data transmission and authentication are perfectly secure, which is not trivial in practice. Here we propose a totally information theoretically secure distributed storage system based on a user-friendly single-password-authenticated secret sharing scheme and secure transmission using quantum key distribution, and demonstrate it in the Tokyo metropolitan area.

15 citations
Cited by
Journal ArticleDOI
TL;DR: An overview of the basic and advanced probabilistic techniques is given, reviewing over 20 variants and discussing their application in distributed systems, in particular for caching, peer-to-peer systems, routing and forwarding, and measurement data summarization.
Abstract: Many network solutions and overlay networks utilize probabilistic techniques to reduce information processing and networking costs. This survey article presents a number of frequently used and useful probabilistic techniques. Bloom filters and their variants are of prime importance, and they are heavily used in various distributed systems. This has been reflected in recent research and many new algorithms have been proposed for distributed systems that are either directly or indirectly based on Bloom filters. In this survey, we give an overview of the basic and advanced techniques, reviewing over 20 variants and discussing their application in distributed systems, in particular for caching, peer-to-peer systems, routing and forwarding, and measurement data summarization.

480 citations

Journal ArticleDOI
TL;DR: A comprehensive review of the state of the art in this active field, with a due balance between theoretical, experimental and technological results, can be found in this article, where significant achievements are presented in tables or in schematic figures, in order to convey a global perspective of the several horizons that fall under the name of photonic quantum information.
Abstract: Photonic quantum technologies represent a promising platform for several applications, ranging from long-distance communications to the simulation of complex phenomena. Indeed, the advantages offered by single photons do make them the candidate of choice for carrying quantum information in a broad variety of areas with a versatile approach. Furthermore, recent technological advances are now enabling first concrete applications of photonic quantum information processing. The goal of this manuscript is to provide the reader with a comprehensive review of the state of the art in this active field, with a due balance between theoretical, experimental and technological results. When more convenient, we will present significant achievements in tables or in schematic figures, in order to convey a global perspective of the several horizons that fall under the name of photonic quantum information.

402 citations

Journal ArticleDOI
TL;DR: The goal of this manuscript is to provide the reader with a comprehensive review of the state of the art in this active field with a due balance between theoretical, experimental and technological results.
Abstract: Photonic quantum technologies represent a promising platform for several applications, ranging from long-distance communications to the simulation of complex phenomena. Indeed, the advantages offered by single photons do make them the candidate of choice for carrying quantum information in a broad variety of areas with a versatile approach. Furthermore, recent technological advances are now enabling first concrete applications of photonic quantum information processing. The goal of this manuscript is to provide the reader with a comprehensive review of the state of the art in this active field, with a due balance between theoretical, experimental and technological results. When more convenient, we will present significant achievements in tables or in schematic figures, in order to convey a global perspective of the several horizons that fall under the name of photonic quantum information.

297 citations

Journal Article
TL;DR: In this article, the authors presented two efficient identity-based encryption (IBE) systems that admit selective-identity security reductions without random oracles in groups equipped with a bilinear map.
Abstract: We construct two efficient Identity-Based Encryption (IBE) systems that admit selective-identity security reductions without random oracles in groups equipped with a bilinear map. Selective-identity secure IBE is a slightly weaker security model than the standard security model for IBE. In this model the adversary must commit ahead of time to the identity that it intends to attack, whereas in an adaptive-identity attack the adversary is allowed to choose this identity adaptively. Our first system—BB1—is based on the well studied decisional bilinear Diffie–Hellman assumption, and extends naturally to systems with hierarchical identities, or HIBE. Our second system—BB2—is based on a stronger assumption which we call the Bilinear Diffie–Hellman Inversion assumption and provides another approach to building IBE systems. Our first system, BB1, is very versatile and well suited for practical applications: the basic hierarchical construction can be efficiently secured against chosen-ciphertext attacks, and further extended to support efficient non-interactive threshold decryption, among others, all without using random oracles. Both systems, BB1 and BB2, can be modified generically to provide “full” IBE security (i.e., against adaptive-identity attacks), either using random oracles, or in the standard model at the expense of a non-polynomial but easy-to-compensate security reduction.

159 citations

Posted Content
TL;DR: This work presents a version of the Bloom filter data structure that supports not only the insertion, deletion, and lookup of key-value pairs, but also allows a complete listing of the pairs it contains with high probability, as long as the number of keys is below a designed threshold.
Abstract: We present a version of the Bloom filter data structure that supports not only the insertion, deletion, and lookup of key-value pairs, but also allows a complete listing of its contents with high probability, as long as the number of key-value pairs is below a designed threshold. Our structure allows the number of key-value pairs to greatly exceed this threshold during normal operation. Exceeding the threshold simply temporarily prevents content listing and reduces the probability of a successful lookup. If later entries are deleted to return the structure below the threshold, everything again functions appropriately. We also show that simple variations of our structure are robust to certain standard errors, such as the deletion of a key without a corresponding insertion or the insertion of two distinct values for a key. The properties of our structure make it suitable for several applications, including database and networking applications that we highlight.

155 citations