Let γ and n be positive integers. An integer z with gcd(z, n)1 is called a γth-residue mod n if there exists an integer x such that zxγ (mode n), or a γth-nonresidue mod n if there doesn't exist such an x. Denote by Z*n the set of integers relatively prime to n between 0 and n. The problem of determining whether or not a randomly selected element zZ*n is a γth-residue mod n is called the γth-Residuosity Problem (γth-RP), and appears to be intractable when n is a composite integer whose factorization is unknown. In this paper, we explore some important properties of γth-RP for the case where γ is an odd integer greater than 2, and discuss its applications to cryptography. Based on the difficulty or γth-RP, we generalize the Goldwasser-Micali bit-by-bit probabilistic encryption to a block-by-block probabilistic one, and propose a direct protocol for the dice casting problem over a network. This problem is a general one which includes the well-studied coin flipping problem.

Unforgeability of digital signatures is closely related to the security of hash functions since hashing messages, such as hash-and-sign paradigm, is necessary in order to sign (arbitrarily) long messages. Recent successful collision finding attacks against practical hash functions would indicate that constructing practical collision resistant hash functions is difficult to achieve. Thus, it is worth considering to relax the requirement of collision resistance for hash functions that is used to hash messages in signature schemes. Currently, the most efficient strongly unforgeable signature scheme in the standard model which is based on the CDH assumption (in bilinear groups) is the Boneh-Shen-Waters (BSW) signature proposed in 2006. In their scheme, however, a collision resistant hash function is necessary to prove its security. In this paper, we construct a signature scheme which has the same properties as the BSW scheme but does not rely on collision resistant hash functions. Instead, we use a target collision resistant hash function, which is a strictly weaker primitive than a collision resistant hash function. Our scheme is, in terms of the signature size and the computational cost, as efficient as the BSW scheme.

This paper proposes a novel one-way hash function that can serve as a tool in achieving authenticity and data integrity. The one-way hash function can be viewed as a representative of a family of fast dedicated one-way hash functions whose construction is based on linear cellular automata over GF(a). The design and analysis of security of the function is accomplished by the use of very recently published results on cellular automata and their applications in cryptography. The analysis indicates that the one-way hash function is secure against all known attacks. A promising property of the proposed one-way hash function is that it is especially suitable for compact and fast implementation.

In the literature, many cryptosystems have been proposed to be secure under the Strong Diffie-Hellman (SDH) and related problems. For example, there is a cryptosystem that is based on the SDH/related problem or allows the Diffie-Hellman oracle. If the cryptosystem employs general domain parameters, this leads to a significant security loss caused by Cheon's algorithm [14], [15]. However, all elliptic curve domain parameters explicitly recommended in the standards (e.g., ANSI X9.62/63 [1], [2], FIPS PUB 186-4 [43], SEC 2 [50], [51]) are susceptible to Cheon's algorithm [14], [15]. In this paper, we first prove that (q-1)(q+1) is always divisible by 24 for any prime order q>3. Based on this result and depending on small divisors d1,d2≤(log q)2, we classify primes q>3, such that both (q-1)/d1 and (q+1)/d2 are primes, into Perfect, Semiperfect, SEC1v2 and Acceptable. Then, we describe algorithmic procedures and show their simulation results of secure elliptic curve domain parameters over prime/character 2 finite fields resistant to Cheon's algorithm [14], [15]. Also, several examples of the secure elliptic curve domain parameters (including Perfect or Semiperfect prime q) are followed.

A technique is presented for constructing (d,k) block codes capable of detecting single bit errors and single peak-shift errors in consecutive two runs. This constrains the runlengths in the code sequences to odd numbers. The capacities and the cardinalities for finite code length of these codes are described. A technique is also proposed for constructing (d,k) block codes capable of correcting single peak-shift errors.

This paper presents a non-interactive verifiable secret sharing scheme (VSS) tolerating a dishonest majority based on data pre-distributed by a trusted authority. As an application of this VSS scheme we present very efficient unconditionally secure protocols for performing multiplication of shares based on pre-distributed data which generalize two-party computations based on linear pre-distributed bit commitments. The main results of this paper are a non-interactive VSS, a simplified multiplication protocol for shared values based on pre-distributed random products, and non-interactive zero knowledge proofs for arbitrary polynomial relations. The security of the schemes is proved using the UC framework.

Interference Cancellation (IC) receivers can be used in CDMA cellular systems to improve the capacity. The IC receivers can be divided into two main categories, Single-User Detectors (SUD) and Multi-User Detectors (MUD). They have different characteristics in terms of intra-cell and inter-cell interference cancellation ability. In this paper we propose two new IC receivers that combines the properties of SUD and MUD receivers. The first one is a Serial IC receiver followed by the Normalized Griffiths' algorithm (SING). The second one is an Integrated Serial IC and Normalized Griffiths' algorithm (iSING). We first compare their basic single-cell performance with the conventional RAKE receiver, the Serial IC and the Normalized Griffiths' Algorithm. Next, we examine their multi-cell performance by doing multi-cell link-level simulations. The results show that even though the Serial IC receiver has good single-cell performance, the proposed receivers have as much as 35-40% higher capacity than the Serial IC receiver in the multi-cell case under the ideal conditions assumed in this paper.

We have introduced the first electronic cash scheme with unconditional security. That is, even malicious users with unlimited computational ability cannot forge a coin and cannot change user's identity secretly embedded in each coin. While, the spender's anonymity is preserved by our new blind signature scheme based on unconditionally secure signature proposed in [7]. But the anonymity is preserved only computationally under the assumption that Decisional Diffie-Hellman Problem is intractable.

Viterbi decoding is known as a decoding scheme that can realize maximum likelihood decoding. However, it is impossible to continue it without re-synchronization even if only an insertion/deletion error occurs in a channel. In this paper, we show that Levenshtein distance is suitable for the metric of Viterbi decoding in a channel where not only symbol errors but also insertion/deletion errors occur under some conditions and we propose a kind of Viterbi decoding considering insertion/deletion errors.

We propose a new group signature scheme which is secure if we assume the Decision Diffie-Hellman assumption, the q-Strong Diffie-Hellman assumption, and the existence of random oracles. The proposed scheme is the most efficient among the all previous group signature schemes in signature length and in computational complexity. This paper is the full version of the extended abstract appeared in ACISP 2005 [17].

A lot of encryption and watermarking schemes have been developed as countermeasures to protect copyrights of broadcast or multicast content from malicious subscribers (traitors) that make pirate receivers (PRs) to use the content illegally. However, solo use of these schemes does not necessarily work well. Traitor tracing encryption schemes are a type of broadcasting encryption and have been developed for broadcasting and multicast services. There are multiple distinct decryption keys for each encryption key, and each service subscriber is given a unique decryption key. Any subscriber that redistributes his or her decryption key to a third party or who uses it and maybe other keys to make a PR can be identified with using the tracing algorithm of the scheme that is used by the services. However, almost all previous schemes have the same weakness; that is, they are vulnerable to an attack (content comparison attack). This is a concrete example such that solo use of the scheme does not work well. The attack involves multiple distinct decryption keys and a content-data comparison mechanism. We have developed a method, called complementary traitor tracing method (CTT), that makes traitor tracing schemes secure against content comparison attacks. It makes it impossible for PRs to distinguish ordinary content data from test data and makes traitor tracing schemes effective against all PRs, even those with multiple distinct decryption keys. CTT is made with a simple combination of schemes that are absolutely necessary. It makes broadcasting or multicast services secure.

A novel family of keystream generators is proposed employing a linear cellular automata over GF (q) with time-varying transition rule. The analysis indicates that the generator, which is the general member of the family, reaches standard minimal security conditions (large period and good statistical properties) and that it is secure against all known attacks. An important feature of the proposed generators is that they are compact and suitable for high speed applications.

S(ubstitution)-boxes are quite important components of modern symmetric cryptosystems. S-boxes bring nonlinearity to cryptosystems and strengthen their cryptographic security. An S-box satisfies the strict avalanche criterion (SAC), if and only if for any single input bit of the S-box, the inversion of it changes each output bit with probability one half. This paper presents some interesting properties of S-boxes and proposes an efficient and systematic means of generating arbitrary input size bijective S-boxes satisfying SAC.

Runlength-limited block codes are investigated. These codes are useful for storing data in storage devices. Since most devices are not noiselss, the codes are often required to have some error-control capability. We consider runlength-limited codes that can correct or detect unidirectional byte errors. Some constructions of such codes are presented.

Security protocols flaws represent a substantial portion of security exposures of data networks. In order to evaluate security protocols against any attack, formal methods are equipped with a number of techniques. Unfortunately, formal methods are applicable for static state only, and don't guarantee detecting all possible flaws. Therefore, formal methods should be complemented with dynamic protection. Anomaly detection systems are very suitable for security protocols environments as dynamic activities protectors. This paper presents an intrusion detection system that uses a number of different anomaly detection techniques to detect attacks against security protocols.

This paper presents new algorithms for the Tate pairing on a prime field. Recently, many pairing-based cryptographic schemes have been proposed. However, computing pairings incurs a high computational cost and represents the bottleneck to using pairings in actual protocols. This paper shows that the proposed algorithms reduce the cost of multiplication and inversion on an extension field, and reduce the number of calculations of the extended finite field. This paper also discusses the optimal algorithm to be used for each pairing parameter and shows that the total computational cost is reduced by 50% if k = 6 and 57% if k = 8.

This paper proposes and investigates an adaptive equalizer with diversity-combining over a multipath fading channel. It consists of two space-diversity antennas and a Ts/2-spaced decision-feedback-equalizer (DFE). Received signals from the two antennas are alternatively switched and fed into the feed forward-filter of DFE. We call this structure a Switched Input Combining Equalizer with diversity-combining (SICE). By using an SICE, the receiver structure for combining diversity equalization can be simplified, because it needs only two receiver sections up to IF BPF. The bit error rate (BER) performance of SICE was evaluated by both computer simulation and experiment over a multipath fading channel. We experimentally confirmed the excellent BER performance, around 1% of BER over a multipath fading channel at 160Hz of maximum doppler fading frequency. Therefore, the proposed SICE is applicable to highly reliable transmission in the 1.5-GHz-band mobile radio.

This paper presents two methods for securely realizing caller-authenticated and callee-specified calls over telecommunication networks with terminals that accept IC cards having KPS-based cryptographic functions. In the proposed protocols, users can verify that the partner is the proper owner of a certain ID or a certain pen name. Users' privacy is protected even if they do the caller-authenticated and callee-specified calls and do not pay their telephone charge in advance.

A challenge-and-response type identification protocol consists of three moves of messages between a prover and a verifier: Move-1--The prover claims to the verifier that his/her identity is ID. Move-2--The verifier challenges the prover with a question related to the ID. Move-3--The prover responds with the answer of the question. The verifier accepts the prover if the answer is correct. The main contribution of this paper is to show that the folklore can be made provably secure under the sole assumption of the existence of one-way functions.

Although individual segments of a natural language such as words have different importance on human interpretation of the meaning, every segment has been uniformly protected by an error-correcting code. If the importance of individual segments is defined by considering their meaning in the sentence, we can adaptively control the level of error-protection for each segment according to its importance in order to reduce errors on human interpretation of the meaning. In this paper, we propose an error-control scheme based on the varying importance of each word. We first introduce a method which determines the importance of each word and then propose an error-control scheme in which several error-correcting codes are alternately used to protect each word according to its importance. Probablity of semantic errors, that is, errors on human interpretation of the meaning, is defined and used as a criterion in mapping error-correcting codes to words possessing different importance. We theoretically formalize the problem of obtaining an optimum mapping which minimizes the probability of semantic errors under some constraint. Given a certain probability distribution of the importance of words and set of error-correcting codes, we can derive the optimum mapping. The proposed error-controlling scheme is theoretically evaluated by comparing its probability of semantic errors with that of a conventional scheme in which every word is uniformly protected by a single error-correcting code. Results show that the proposed scheme can considerably raduce the probability of semantic errors while retaining the same average transmission rate or redundancy.