In this paper, we formally define and analyze the security notions of authenticated encryption in unconditional security setting. For confidentiality, we define the notions, APS (almost perfect secrecy) and NM (non-malleability), in terms of an information-theoretic viewpoint along with our model where multiple senders and receivers exist. For authenticity, we define the notions, IntC (integrity of ciphertexts) and IntP (integrity of plaintexts), from a view point of information theory. And then we combine the above notions to define the security notions of unconditionally secure authenticated encryption. Then, we analyze relations among the security notions. In particular, it is shown that the strongest security notion is the combined notion of APS and IntC. Finally, we formally define and analyze the following generic composition methods in the unconditional security setting along with our model: Encrypt-and-Sign, Sign-then-Encrypt and Encrypt-then-Sign. Consequently, it is shown that: the Encrypt-and-Sign composition method is not always secure; the Sign-then-Encrypt composition method is not always secure; and the Encrypt-then-Sign composition method is always secure, if a given encryption meets APS and a given signature is secure.

This paper describes a brief history of the development of crytologic research in Japan since 1984, when the first symposium on cryptography and information security was held. Six symposia and three workshops since 1984 played the leading roles in the history.

In this paper, we study the problem of secure integrating public key encryption with keyword search (PEKS) with public key data encryption (PKE). We argue the previous security model is not complete regarding keyword privacy and the previous constructions are secure only in the random oracle model. We solve these problems by first defining a new security model, then give a generic construction which is secure in the new security model without random oracles. Our construction is based on secure PEKS and tag-KEM/DEM schemes and achieves modular design. We also give some applications and extensions for our construction. For example, instantiate our construction with proper components, we have a concrete scheme without random oracles, whose performance is even competitive to the previous schemes with random oracles.

Modern cryptology was born in the late seventies and developed in the eighties. A decade since 1991 is the period of continuation of the development and new expansion of cryptology. In this paper we survey the development of cryptologic researches in this decade with emphasis on the results in Japan. We also present some future important works and propose the foundation of a public institution for evaluation of information security techniques.

We study the following two kinds of one-way hash functions: universal one-way hash functions (UOHs) and collision intractable hash functions (CIHs). The main property of the former is that given an initial-string x, it is computationally difficult to find a different string y that collides with x. And the main property of the latter is that it is computationally difficult to find a pair xy of strings such that x collides with y. Our main results are as follows. First we prove that UOHs with respect to initial-strings chosen arbitrarily exist if and only if UOHs with respect to initial-strings chosen uniformly at random exist. Then, as an application of the result, we show that UOHs with respect to initial-strings chosen arbitrarily can be constructed under a weaker assumption, the existence of one-way quasi-injections. Finally, we investigate relationships among different versions of one-way hash functions. We prove that some versions of one-way hash functions are strictly included in others by explicitly constructing hash functions that are one-way in the sense of the former but not in the sense of the latter.

ID-based key sharing scheme is one of the important topics in Key management, and the Key Predistiribution System (KPS) is one of the major divisions of such key sharing schemes. In KPS, in order to share a common key between the participants, one of the participants need to simply feed-in his partner's identifier value into their secret-algorithm. In contrast to its such remarkable property and its high contribution to the field of key management for digital signature, it has downsides as well. In this paper, we propose an efficient signature scheme on the KPS infrastructure that can overcome such difficulties that are faced. It is shown that if an ID-based key sharing system belonging to KPS is provided, the new digital signature scheme can be used straightforwardly. Moreover, this signature scheme is proven to be secure if the discrete logarithm is reasonably complex. There already exists other digital signature scheme which are also based on KPS, but they contain inevitable flaws: its verifier is restricted and a tamper resistant module(TRM) is required. Our method resolved these problems. In our signature scheme, it is an ensured fact that, all signatures are authenticated by any entity, which is based on the inherence behavior of key generator and not of some common key. Moreover, TRM is not required in our scheme. In order to describe our new scheme, a new concept of "one-way homomorphism" is introduced.

Efficient ID-based key sharing schemes are desired worldwide in order to obtain secure communications on the Internet and other related networks, and Key Pre-distribution System (KPS) is one of the majority of such key sharing schemes. The remarkable property of KPS, is that, user need only input the partner's identifier to the secret KPS-algorithm in order to share a key between them. Although this is just a small part of many advantages KPS has in terms of efficiency, an enormous amount of memory is always required to achieve perfect security. While the conventional KPS methods can establish communication links between any pair of entities in a communication system, in most of the practical communication environment, such as in a broadcast system, not all links will be required. In this article, we achieved a desirable method to remove the unnecessary communication links between any pair of entities in a communication system. In our scheme, required memory size per entity was just proportional to the number of entities of the partner's, while that in conventional KPS, it is proportional to the number of entities of the whole communication system. As an example, if an entity communicates with only 1/r others, the memory requirement is reduced to 1/r of the conventional KPS's. Furthermore, it was proven that the obtained memory size was optimum. Overall, our scheme confirmed greater efficiency to achieve secure communication particularly suited in large-scale networks.

Watermarking techniques proposed up to now have some measure of robustness against non-geometrical alteration, however, most of them are not so robust against geometrical alteration. As also for video watermarking, small translation, scaling, rotation, affine transformation can be effective attacks on the watermark. In this paper, we propose an image correction scheme for video watermarking extraction. This scheme embeds 'patchwork' into digital video data for detection of positions, and corrects the images attacked by geometrical alteration on the basis of the detected positions. We also show the simulation results of applying proposed scheme to the conventional watermarking technique.

There has been a wide-ranging discussion on the issue of content copyright protection in digital content distribution systems. Fiat and Tassa proposed the framework of dynamic traitor tracing. Their framework requires dynamic computation transactions according to the real-time responses of the pirate, and it presumes real-time observation of content redistribution. Therefore, it cannot be simply utilized in an application where such an assumption is not valid. In this paper, we propose a new scheme that provides the advantages of dynamic traitor tracing schemes and also overcomes their problems.

At Indocrypt 2005, Viet et al.[21], have proposed an anonymous password-authenticated key exchange (PAKE) protocol and its threshold construction both of which are designed for client's password-based authentication and anonymity against a passive server, who does not deviate the protocol. In this paper, we first point out that their threshold construction is completely insecure against off-line dictionary attacks. For the threshold t > 1, we propose a secure threshold anonymous PAKE (for short, TAP) protocol with the number of clients n upper-bounded, such that n 2 -1, where N is a dictionary size of passwords. We rigorously prove that the TAP protocol has semantic security of session keys in the random oracle model by showing the reduction to the computational Diffie-Hellman problem. In addition, the TAP protocol provides unconditional anonymity against a passive server. For the threshold t=1, we propose an efficient anonymous PAKE protocol that significantly improves efficiency in terms of computation costs and communication bandwidth compared to the original (not threshold) anonymous PAKE protocol [21].

Contribution of this paper is twofold: First we introduce weaknesses of two Mix-nets claimed to be robust in the literature. Since such flaws are due to their weak security definitions, we then present a stronger security definition by regarding a Mix-net as a batch decryption algorithm of a CCA secure public-key encryption scheme. We show two concrete attacks on the schemes proposed in [1] and [2]. The scheme in [1] loses anonymity in the presence of a malicious user even though all servers are honest. The scheme in [2] also loses anonymity through the collaboration of a malicious user and the first server. In the later case the user can identify the plaintext sent from the targeted user by invoking two mix sessions at the risk of the colluding server receiving an accusation. We also point out that in a certain case, anonymity is violated solely by the user without colluding to any server. Heuristic repairs are provided for both schemes.

Multilevel RLL (Runlength Limited) sequences are analyzed. Their noiseless capacity and lower bounds on the channel capacity in the presence of additive white Gaussian noise are given. Moreover, the analytical power spectra formulae for those sequences which generalize the previously derived one for binary sequences are newly derived. We conclude from the analysis of the power spectra that multilevel RLL sequences are attractive from the point of view that they increase information rate while keeping low DC-content and self-clocking capability of binary RLL sequences.

In this letter, we consider a magnetic or optical recording system employing a concatenated code that consists of a runlength-limited (d, k) block code as an inner code and a byte-error-correcting code as an outer code. (d, k) means that any two consecutive ones in the code bit stream are separated by at least d zeros and by at most k zeros. The minimum separation d and the maximum separation k are imposed in order to reduce intersymbol interference and extract clock control from the received bit stream, respectively. This letter recommends to use as the outer code a unidirectional-byte-error-correcting code instead of an ordinary byte-error-correcting code. If we devise the mapping of the code symbols of the outer code onto the codewords of the inner code, we may improve the error performance. Examples of the mappings are described.

An augmented PAKE (Password-Authenticated Key Exchange) protocol is said to be secure against server-compromise impersonation attacks if an attacker who obtained password verification data from a server cannot impersonate a client without performing off-line dictionary attacks on the password verification data. There are two augmented PAKE protocols where the first one [12] was proposed in the IEEE Communications Letters and the second one [15] was submitted to the IEEE P1363.2 standard working group [9]. In this paper, we show that these two augmented PAKE protocols [12], [15] (claimed to be secure) are actually insecure against server-compromise impersonation attacks. More specifically, we present generic server-compromise impersonation attacks on these augmented PAKE protocols [12],[15].

The notion of anonymous signatures has recently been formalized by [18], which captures an interesting property that a digital signature can sometimes hide the identity of the signer, if the message is hidden from the verifier. However, in many practical applications, e.g., an anonymous paper review system mentioned in [18], the message for anonymous authentication is actually known to the verifier. This implies that the effectiveness of previous anonymous signatures may be unjustified in these applications. In this paper, we extend the previous models, and develop a related primitive called strong anonymous signatures. For strong anonymous signatures, the identity of the signer remains secret even if the challenge message is chosen by an adversary. We then demonstrate some efficient constructions and prove their security in our model.

Secure channels can be realized by an authenticated key exchange (AKE) protocol that generates authenticated session keys between the involving parties. In, Shin et al., proposed a new kind of AKE (RSA-AKE) protocol whose goal is to provide high efficiency and security against leakage of stored secrets as much as possible. Let us consider more powerful attacks where an adversary completely controls the communications and the stored secrets (the latter is denoted by "replacement" attacks). In this paper, we first show that the RSA-AKE protocol is no longer secure against such an adversary. The main contributions of this paper are as follows: (1) we propose an RSA-based leakage-resilient AKE (RSA-AKE2) protocol that is secure against active attacks as well as replacement attacks; (2) we prove that the RSA-AKE2 protocol is secure against replacement attacks based on the number theory results; (3) we show that it is provably secure in the random oracle model, by showing the reduction to the RSA one-wayness, under an extended model that covers active attacks and replacement attacks; (4) in terms of efficiency, the RSA-AKE2 protocol is comparable to in the sense that the client needs to compute only one modular multiplication with pre-computation; and (5) we also discuss about extensions of the RSA-AKE2 protocol for several security properties (i.e., synchronization of stored secrets, privacy of client and solution to server compromise-impersonation attacks).

We present generic frameworks for constructing efficient broadcast encryption schemes in the subset-cover paradigm, introduced by Naor et al., based on various key derivation techniques. Our frameworks characterize any instantiation completely to its underlying graph decompositions, which are purely combinatorial in nature. These abstract away the security of each instantiated scheme to be guaranteed by the generic one of the frameworks; thus, give flexibilities in designing schemes. Behind these, we present new techniques based on (trapdoor) RSA accumulators utilized to obtain practical performances. We then give some efficient instantiations from the frameworks, via a new structure called subset-incremental-chain. Our first construction improves the currently best schemes, including the one proposed by Goodrich et al., without any further assumptions (only pseudo-random generators are used) by some factors. The second instantiation, which is the most efficient, is instantiated based on RSA and directly improves the first scheme. Its ciphertext length is of order O(r), the key size is O(1), and its computational cost is O(n1/klog2 n) for any (arbitrary large) constant k; where r and n are the number of revoked users and all users respectively. To the best of our knowledge, this is the first explicit collusion-secure scheme in the literature that achieves both ciphertext size and key size independent of n simultaneously while keeping all other costs efficient, in particular, sub-linear in n. The third scheme improves Gentry and Ramzan's scheme, which itself is more efficient than the above schemes in the aspect of asymptotic computational cost.

Copyright protection is a major issue in distributing content on Internet or broadcasting service. One well-known method of protecting copyright is a traitor tracing scheme. With this scheme, if a pirate decoder is made, the content provider can check the secret key contained in it and trace the authorized user/subscriber (traitor). Furthermore, users require that they could obtain services anywhere they want (Anywhere TV). For this purpose, they would need to take along their secret keys and therefore key exposure has to be kept in mind. As one of countermeasures against key exposure, a forward secure public key cryptosystem has been developed. In this system, the user secret key remains valid for a limited period of time. It means that even if it is exposed, the user would be affected only for the limited time period. In this paper, we propose a traitor tracing scheme secure against adaptive key exposure (TTaKE) which contains the properties of both a traitor tracing scheme and a forward secure public key cryptosystem. It is constructed by using two polynomials with two variables to generate user secret keys. Its security proof is constructed from scratch. Moreover we confirmed its efficiency through comparisons. Finally, we show the way how its building blocks can be applied to anywhere TV service. Its structure fits current broadcasting systems.

In this paper, coded modulation techniques suitable for satellite broadcasting of digital high-definition TV are studied. An overview of current approaches to satellite broadcasting is presented. New constructions of coded modulation schemes for unequal error protection (UEP), based on both block and trellis codes, are introduced in this paper. The proposed schemes can achieve both better overall performance and enhanced graceful degradation of the received signal, in comparison with existing digital satellite broadcasting approaches.

Turbo codes have fascinated many coding researchers because of thier near-Shannon-limit error correction performance. In this paper, we discuss multi-dimensional turbo codes which are parallel concatenation of multiple constituent codes. The average upper bound to bit error probability of multidimensional turbo codes is derived. The bound shows that the interleaver gains of this kind of codes are larger than that of conventional two-dimensional turbo codes. Simplified structures of multi-dimensional turbo encoder and decoder are proposed for easier implementation. Simulation results show that for a given interleaver size, by increasing the dimension, great performance improvement can be obtained.