Takeshi Koshiba

CR | 6 papers | 26 citations | Novelty 43% | AI Score 21

6 Papers

CR, Sep 16, 2020
Perfectly Secure Message Transmission against Rational Adversaries

Maiki Fujita, Takeshi Koshiba, Kenji Yasunaga

Secure Message Transmission (SMT) is a two-party cryptographic protocol by which a sender can securely and reliably transmit messages to a receiver over multiple channels. An adversary can corrupt a subset of the channels and eavesdrop on and tamper with those channels. In this work, we introduce a game-theoretic security model for SMT in which adversaries have preferences over protocol executions. We define rational "timid" adversaries who prefer to violate the security requirements but prefer not to have their tampering detected. First, we consider the basic setting where a single adversary attacks the protocol. We construct perfect SMT protocols against any rational adversary corrupting all but one of the channels. Since the traditional setting requires that only a minority of the channels be corrupted, our results demonstrate a way of circumventing the cryptographic impossibility results by a game-theoretic approach. Next, we study the setting in which all the channels can be corrupted by multiple adversaries who do not cooperate. Since no security is possible if a single adversary corrupts all the channels or if multiple adversaries cooperate maliciously, this scenario arises naturally only in a game-theoretic model. We also study the scenario in which both malicious and rational adversaries exist.

QUANT-PH, Oct 14, 2019
Verifiable Quantum Secure Modulo Summation

Masahito Hayashi, Takeshi Koshiba

We propose a new cryptographic task, which we call verifiable quantum secure modulo summation. Secure modulo summation is the computation of the modular sum $Y_1+\ldots+Y_m$ when $m$ players hold individual variables $Y_1,\ldots,Y_m$, while keeping each individual variable secret. The conventional method for secure modulo summation, however, requires many secret communication channels. We say that a quantum protocol for secure modulo summation is a quantum verifiable secure modulo summation protocol when it can verify the desired secrecy condition. Combining the conventional method with device-independent quantum key distribution makes it possible to verify such secret communication channels, but this consumes many steps. To resolve this problem, we propose a more direct method that uses quantum systems to realize secure modulo summation with verification. To realize this protocol, we introduce modulo zero-sum randomness as another new concept and show that secure modulo summation can be realized from modulo zero-sum randomness. We then construct a verifiable quantum protocol that generates modulo zero-sum randomness. This protocol can be verified with only minimal requirements.
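The classical core of the protocol sketched in this abstract, as an added example that is not code from the paper: modulo zero-sum randomness $R_1,\ldots,R_m$ with $R_1+\ldots+R_m \equiv 0 \pmod d$ lets each player broadcast $Y_i+R_i$, the sum of the broadcasts equals $\sum Y_i \bmod d$, and each individual broadcast is uniform on $\mathbb{Z}_d$. The randomness is produced here by a trusted-dealer stand-in (an assumption; the paper generates and verifies it with a quantum protocol, which this example does not model), and the inputs are constructed.

```python
import secrets
from itertools import product


def zero_sum_randomness(m, d):
    """Return R_1..R_m in Z_d with R_1 + ... + R_m = 0 (mod d).

    Assumption: a trusted dealer stands in for the paper's verifiable quantum
    generation of modulo zero-sum randomness; the secrecy of R is not verified here.
    """
    r = [secrets.randbelow(d) for _ in range(m - 1)]
    r.append((-sum(r)) % d)
    return r


def is_zero_sum(r, d):
    """Check the defining property of modulo zero-sum randomness."""
    return sum(r) % d == 0


def secure_modulo_sum(inputs, randomness, d):
    """Each player i broadcasts Y_i + R_i (mod d); anyone adds the broadcasts.

    Returns (sum of inputs mod d, list of broadcast values).
    """
    if len(inputs) != len(randomness) or not is_zero_sum(randomness, d):
        raise ValueError("need one zero-sum mask per player")
    broadcasts = [(y + r) % d for y, r in zip(inputs, randomness)]
    return sum(broadcasts) % d, broadcasts


def broadcast_is_uniform(inputs, d, player):
    """Exhaustive secrecy check for one player's broadcast.

    Over all zero-sum masks, the broadcast Y_player + R_player takes every value
    in Z_d equally often, so on its own it reveals nothing about Y_player.
    """
    m = len(inputs)
    counts = [0] * d
    for prefix in product(range(d), repeat=m - 1):
        masks = list(prefix) + [(-sum(prefix)) % d]
        counts[(inputs[player] + masks[player]) % d] += 1
    return len(set(counts)) == 1


if __name__ == "__main__":
    d, ys = 7, [3, 5, 6, 2]  # constructed sample inputs
    total, sent = secure_modulo_sum(ys, zero_sum_randomness(len(ys), d), d)
    print("broadcasts:", sent, "sum mod", d, "=", total)
```

The exhaustive check is what the "secrecy condition" of the abstract boils down to classically: correctness needs the masks to sum to zero, secrecy needs each mask to be uniform and unknown to the other players, and the paper's contribution is a quantum way of generating randomness for which the second property can be verified rather than assumed.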

CR, Dec 3, 2017
Fourier-based Function Secret Sharing with General Access Structure

Takeshi Koshiba

A function secret sharing (FSS) scheme is a mechanism that computes a function f(x) for x in {0,1}^n, shared among p parties, by using distributed functions f_i:{0,1}^n -> G, where G is an Abelian group, while the function f:{0,1}^n -> G itself is kept secret from the parties. Ohsawa et al. in 2017 observed that any function f can be written as a linear combination of basis functions by regarding the function space as a vector space of dimension 2^n, and gave new FSS schemes based on the Fourier basis. All existing FSS schemes are of (p,p)-threshold type: to compute f(x), one has to collect f_i(x) from all p distributed functions. In this paper, as in ordinary secret sharing, we consider FSS schemes with any general access structure. To do this, we observe that the Fourier-based FSS schemes of Ohsawa et al. are compatible with linear secret sharing schemes. By incorporating the techniques of linear secret sharing for general access structures into the Fourier-based FSS schemes, we obtain Fourier-based FSS schemes for any general access structure.
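An added toy implementation of the idea in this abstract, not the paper's or Ohsawa et al.'s code: f:{0,1}^n -> Z_Q is written in the Fourier (Walsh) basis, every coefficient is shared with a linear secret sharing scheme, and party i's distributed function f_i is the same linear combination of basis functions with its shares as coefficients. Shamir (t,p)-threshold sharing is used as the linear scheme (an assumption; the paper covers any linear access structure), and Q = 257 and the point function are constructed choices. Reconstruction works because Lagrange interpolation is linear and commutes with the Fourier sum; keys here are as long as the truth table, so the example shows the access-structure compatibility, not the efficiency of the real schemes.

```python
import secrets

Q = 257  # prime field for coefficients and shares (constructed choice; any odd prime works)


def chi(s, x):
    """Fourier (Walsh) basis function on {0,1}^n: chi_s(x) = (-1)^<s,x>."""
    return -1 if bin(s & x).count("1") % 2 else 1


def fourier_coeffs(f, n):
    """Coefficients of f (truth table of length 2^n, values mod Q) in the Walsh basis.

    hat_f(s) = 2^-n * sum_x f(x) chi_s(x) mod Q, so that f(x) = sum_s hat_f(s) chi_s(x).
    """
    size = 1 << n
    inv2n = pow(pow(2, n, Q), Q - 2, Q)  # 2 is invertible because Q is odd
    return [inv2n * sum(f[x] * chi(s, x) for x in range(size)) % Q for s in range(size)]


def shamir_share(secret, t, p):
    """(t, p)-threshold Shamir shares over GF(Q); party i (1..p) gets poly(i)."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return [sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q for i in range(1, p + 1)]


def lagrange_at_zero(points):
    """Recover poly(0) from at least t (party id, value) pairs; linear in the values."""
    total = 0
    for i, yi in points:
        num = den = 1
        for j, _ in points:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        total = (total + yi * num * pow(den, Q - 2, Q)) % Q
    return total


def fss_gen(f, n, t, p):
    """Key for party i: its Shamir share of every Fourier coefficient of f."""
    size = 1 << n
    shares = [shamir_share(c, t, p) for c in fourier_coeffs(f, n)]
    return [[shares[s][i] for s in range(size)] for i in range(p)]


def fss_eval(key, x):
    """Party evaluates its distributed function f_i(x) = sum_s key[s] chi_s(x) locally."""
    return sum(k * chi(s, x) for s, k in enumerate(key)) % Q


def fss_decode(party_ids, outputs):
    """Any qualified set (here: any t parties) combines outputs with the same
    linear map that reconstructs a Shamir secret, which yields f(x)."""
    return lagrange_at_zero(list(zip(party_ids, outputs)))


def point_function(n, target, value):
    """Constructed sample: f(x) = value if x == target else 0 (a point function)."""
    return [value if x == target else 0 for x in range(1 << n)]


if __name__ == "__main__":
    n, t, p = 3, 2, 3
    f = point_function(n, 5, 42)
    keys = fss_gen(f, n, t, p)
    # parties 1 and 3 suffice; fewer than t keys carry no information about f
    got = [fss_decode([1, 3], [fss_eval(keys[0], x), fss_eval(keys[2], x)]) for x in range(1 << n)]
    print(got == f)
```

Any other linear scheme can replace `shamir_share` and `lagrange_at_zero` as a pair, since `fss_eval` never looks at how the shares were made; that is the compatibility the abstract relies on.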

CR, Jan 27, 2017
Non-Malleable Codes Against Affine Errors

Ryota Iwamoto, Takeshi Koshiba

A non-malleable code is a relaxed version of an error-correcting code: decoding a modified codeword yields either the original message or a completely unrelated value. Thus, an adversary who corrupts a codeword cannot get any information from it. This means that non-malleable codes can provide a security guarantee in situations where the adversary can overwrite the encoded message. In 2010, Dziembowski et al. showed a construction of non-malleable codes against an adversary who can falsify codewords bitwise independently. In this paper, we consider an extended adversarial model (the affine error model) in which the adversary can falsify codewords bitwise independently or replace some bit with the value obtained by applying an affine map to a limited number of bits. We prove that the non-malleable codes for the bitwise error model given by Dziembowski et al. are still non-malleable against the adversary in the affine error model.

CR, Jan 16, 2017
Universal Construction of Cheater-Identifiable Secret Sharing Against Rushing Cheaters Based on Message Authentication

Masahito Hayashi, Takeshi Koshiba

In conventional secret sharing, if cheaters can submit possibly forged shares after observing the shares of the honest users in the reconstruction phase, then they can not only disrupt the protocol but also be the only ones who reconstruct the true secret. To overcome this problem, secret sharing schemes with cheater identification have been proposed. Existing protocols for cheater-identifiable secret sharing assume non-rushing cheaters or an honest majority. In this paper, we remove both conditions simultaneously and give a universal construction from any secret sharing scheme. To this end, we propose the concepts of "individual identification" and "agreed identification".

CR, Jun 2, 2014
Linear Programming Relaxations for Goldreich's Generators over Non-Binary Alphabets

Ryuhei Mori, Takeshi Koshiba, Osamu Watanabe et al.

Goldreich suggested candidates for one-way functions and pseudorandom generators in $\mathsf{NC}^0$. It is known that a randomly generated Goldreich generator using $(r-1)$-wise independent predicates with $n$ input variables and $m=C n^{r/2}$ output variables is not a pseudorandom generator with high probability, for a sufficiently large constant $C$. Most previous works assume that the alphabet is binary and use techniques available only for the binary alphabet. In this paper, we deal with a non-binary generalization of Goldreich's generator and derive the tight threshold for the linear programming relaxation attack, using the local marginal polytope, on randomly generated Goldreich generators. We assume that $u(n)\in \omega(1)\cap o(n)$ input variables are known. In that case, we show that when $r\ge 3$ there is an exact threshold $\mu_\mathrm{c}(k,r):=\binom{k}{r}^{-1}\frac{(r-2)^{r-2}}{r(r-1)^{r-1}}$ such that, for $m=\mu\frac{n^{r-1}}{u(n)^{r-2}}$, the LP relaxation can determine linearly many input variables of Goldreich's generator if $\mu>\mu_\mathrm{c}(k,r)$, and cannot determine $\frac{1}{r-2} u(n)$ input variables of Goldreich's generator if $\mu<\mu_\mathrm{c}(k,r)$. This paper uses a characterization of LP solutions by combinatorial structures called stopping sets on a bipartite graph, which is related to a simple algorithm called the peeling algorithm.
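The peeling algorithm and stopping sets named at the end of the abstract, as an added illustration that is neither the paper's code nor its LP analysis: the generator is instantiated with the modular-sum predicate over Z_k (a constructed choice; the sum of r variables mod k is one (r-1)-wise independent predicate), a set of input variables is assumed known as in the abstract, and peeling solves any output constraint that has exactly one unknown input. The variables that remain when no such constraint is left form a stopping set, the structure the abstract ties to LP solutions. The hypergraph, secret input and known set below are constructed, not taken from the paper.

```python
def goldreich_output(x, edges, k):
    """Goldreich's generator on input x in Z_k^n with the modular-sum predicate.

    edges[j] lists the r input indices of output j; y_j = sum_{i in S_j} x_i mod k.
    Assumption: sum mod k is used as one (r-1)-wise independent predicate.
    """
    return [sum(x[i] for i in S) % k for S in edges]


def peel(edges, y, known, k, n):
    """Peeling decoder: repeatedly solve constraints with a single unknown input.

    known maps the already-known input indices (the u(n) variables) to values.
    Returns (recovered assignment, stopping set of inputs peeling cannot reach).
    """
    x = dict(known)
    progress = True
    while progress:
        progress = False
        for S, yj in zip(edges, y):
            unknown = [i for i in S if i not in x]
            if len(unknown) == 1:
                v = unknown[0]
                x[v] = (yj - sum(x[i] for i in S if i != v)) % k
                progress = True
    return x, frozenset(set(range(n)) - set(x))


def is_stopping_set(edges, unknown):
    """A stopping set: every constraint touches none or at least two of its members,
    so no single-unknown constraint exists and peeling is stuck."""
    return all(len(set(S) & unknown) != 1 for S in edges)


if __name__ == "__main__":
    k, n = 3, 6
    edges = [(0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 5)]  # constructed r=3 hypergraph
    x = [1, 2, 0, 2, 1, 0]                                 # constructed secret input
    y = goldreich_output(x, edges, k)
    rec, stuck = peel(edges, y, {0: x[0], 1: x[1]}, k, n)
    print("recovered:", rec, "stopping set:", sorted(stuck))
    rec, stuck = peel(edges, y, {0: x[0]}, k, n)
    print("with one known input, stopping set:", sorted(stuck))
```

With two adjacent known inputs the chain of constraints peels completely; with a single known input the first constraint still has two unknowns, nothing can be solved, and the remaining five variables are a stopping set. The paper's threshold $\mu_\mathrm{c}(k,r)$ is about how many outputs $m$ a random hypergraph needs, relative to the number of known inputs $u(n)$, before stopping sets stop blocking the LP relaxation; this toy only exhibits the combinatorial object, not the threshold.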