Finding rare cases with medical data is important when hospitals or research institutes want to identify rare diseases. To extract meaningful information from a large amount of sensitive medical data, privacy-preserving data mining techniques can be used. A privacy-preserving t-repetition protocol can be used to find rare cases with distributed medical data. A privacy-preserving t-repetition protocol is to find elements which exactly t parties out of n parties have in common in their datasets without revealing their private datasets. A privacy-preserving t-repetition protocol can be used to find not only common cases with a high t but also rare cases with a low t. In 2011, Chun et al. suggested the generic set operation protocol which can be used to find t-repeated elements. In the paper, we first show that the Chun et al.'s protocol becomes infeasible for calculating t-repeated elements if the number of users is getting bigger. That is, the computational and communicational complexities of the Chun et al.'s protocol in calculating t-repeated elements grow exponentially as the number of users grows. Then, we suggest a polynomial-time protocol with respect to the number of users, which calculates t-repeated elements between users.

Smart card-based key exchange in the three-party setting allows two users with smart cards to agree on a common session key with the help of the trusted server. In this letter, we propose an efficient three-party smart card-based key exchange scheme with explicit (or mutual) authentication which requires only three rounds. Our scheme is the most round-/communication-efficient smart card-based key exchange scheme among those found in the literature, while providing key independence, forward secrecy and security against denial-of-service (DoS) attacks.

In 2006, Tanaka has proposed an efficient variant of Maurer-Yacobi's identity-based non-interactive key sharing scheme. In Tanaka's scheme, the computational complexity to generate each user's secret information is much smaller than that of Maurer-Yacobi's scheme. Tanaka's original key sharing scheme does not provide completeness, and so Tanaka has corrected the original scheme to provide completeness. In this paper, we show that Tanaka's corrected key sharing scheme is not secure against collusion attacks. That is, two users can collaborate to factorize a system modulus with their secret information and thus break the key sharing scheme.

In a linkable ring signature scheme, a signer himself selects a set of parties called a "ring" and signs the messages on behalf of the ring. Any party can know whether or not the ring signatures are made by the same signer, although the party cannot know the identity of the actual signer. Au, Liu, Susilo, and Yuen proposed an ID-based linkable ring signature scheme and an ID-based revocable-iff-linked ring signature scheme. With a revocable-iff-linked ring signature scheme, any party can recover the identity of the signer, if the signer makes two or more ring signatures. In this paper, we show that Au et al.'s revocable-iff-linked ring signature scheme does not provide anonymity, even if the signer makes only one ring signature. Anonymity is one of the most basic security requirements of ring signatures.

Several ID-based key distribution schemes can be used to realize secure broadcasting systems. Unfortunately, none of the proposed schemes provide both security against long-term key reveal attacks and security against session state reveal attacks. In this letter, we suggest an ID-based key distribution scheme secure against long-term key reveal attacks and session state reveal attacks.

In this letter, we show that Jung's ID-based scheme, which is the improved version of the Chikazawa-Yamagishi scheme, satisfies only the weak forward secrecy. But the weak forward secrecy is not quite realistic, since it is not sufficient for modeling the real attacks. To address this problem, the strong forward secrecy has been pursued, which is modeling the more realistic attacks. We then suggest a modification of Jung's ID-based scheme to provide the strong forward secrecy.

The Chikazawa-Yamagishi scheme is an ID-based key distribution scheme which is based on the RSA cryptosystem. There are several variant schemes to improve the efficiency and the security of the Chikazawa-Yamagishi scheme. Unfortunately, all of the proposed schemes have some weaknesses. First, all the proposed schemes require time synchronization of the communicating parties. Second, none of the proposed schemes provide both forward secrecy and security against session state reveal attacks. In this paper, we suggest an ID-based key distribution scheme which does not require time synchronization and provides both forward secrecy and security against session state reveal attacks.

Searchable encryption has many applications including e-mail systems and storage systems. The usefulness of searchable encryption derives from its support of keyword-testability. Keyword-testability means that a receiver of a ciphertext can test whether the ciphertext contains a specific keyword. Recently, Bellare et al. suggested an efficiently-searchable encryption scheme with keyword-recoverability as well as keyword-testability. Keyword-recoverability means that a receiver can extract the keyword from a ciphertext. All of the previous searchable encryption schemes have provided only keyword-testability. However, as explained by Bellare et al., no efficiently-searchable encryption scheme can provide even security against chosen keyword attacks. That is, Bellare et al.'s scheme assumes that no useful partial information about the keyword is known to the adversaries. In this paper, we suggest an SEKR (searchable encryption with keyword-recoverability) scheme which is secure even if the adversaries have any useful partial information about the keyword. Our scheme provides security against chosen ciphertext attacks which are stronger attacks than chosen keyword attacks. We also suggest an SEKR scheme for multi-keywords.

A proxy signature scheme allows an entity to delegate his signing capabilities to another. Many schemes have been provided for use in numerous applications such as distributed computing, grid computing, and mobile communications. In 2003, Boldyreva et al. introduced the first formal security model of proxy signatures and also proposed a generic construction secure in their model. However, an adversary can arbitrarily alter the warrants of the proxy signatures because the warrants are not explicitly considered in their model. To solve this problem, Huang et al. provided an enhanced security model of proxy signatures in 2005. Some proxy signatures secure in this security model have been proposed but there is no generic construction yet. In this paper, we redefine and improve the Huang et al.'s security model in terms of multi-user and then provide a new generic construction of proxy signatures secure against our enhanced security model based on ID-based signatures. Moreover, we can make a lattice-based proxy signature scheme in the standard model from our result.