In this paper, we propose an efficient protocol for proving the correctness of shuffling and an efficient protocol for simultaneously proving the correctness of both shuffling and decryption. The former protocol is the most efficient in computational and communication complexity among 3-move honest verifier perfect zero-knowledge protocols for proving a shuffling of ElGamal cipher-texts. The latter protocol is the most efficient in computational, communication, and round complexity, as a whole, in proving the correctness of both shuffling and decryption of ElGamal cipher-texts. The proposed protocols will be a building block of an efficient, universally verifiable mix-net, whose application to voting systems is prominent.

We propose an authentication scheme in which users can be authenticated anonymously so long as times that they are authenticated is within an allowable number. The proposed scheme has two features: 1) no one, not even an authority, can identify users who have been authenticated within the allowable number, 2) anyone can trace, without help from the authority, dishonest users who have been authenticated beyond the allowable number by using the records of these authentications. Our scheme can be applied to e-voting, e-cash, electronic coupons, and trial browsing of content. In these applications, our scheme, unlike the previous one, conceals users' participation from protocols and guarantees that they will remain anonymous to everyone.

We propose a new group signature scheme which is secure if we assume the Decision Diffie-Hellman assumption, the q-Strong Diffie-Hellman assumption, and the existence of random oracles. The proposed scheme is the most efficient among the all previous group signature schemes in signature length and in computational complexity. This paper is the full version of the extended abstract appeared in ACISP 2005 [17].

The first refreshable anonymous token scheme proposed in [1] enables one to provide services in such a way that each of its users is allowed to enjoy only a fixed number of services at the same time. In this paper, we show that the scheme in [1] is insecure and propose a provably secure refreshable partial anonymous token scheme which is a generalization of the previous scheme. The new scheme has an additional ability to control the anonymity level of users. We also propose a formal model and security requirements of the new scheme.

We propose a motion estimation algorithm using less gray level images, which are composed of bits pixels lower than 8 bits pixels. Threshold values for generating low bits pixels from 8 bits pixels are simply determined as median values of pixels in a macro block. The proposed algorithm reduces the computational complexity of motion estimation at less expense of video quality. Moreover, median cut quantization can be applied to multilevel images and combined with a lot of fast algorithms to obtain more effective algorithms.

In this letter, we propose a secrecy criterion for outsourcing encrypted databases. In encrypted databases, encryption schemes revealing some information are often used in order to manipulate encrypted data efficiently. The proposed criterion is based on inference analysis for databases: We simulate attacker's inference on specified secret information with and without the revealed information from the encrypted database. When the two inference results are the same, then secrecy of the specified information is preserved against outsourcing the encrypted database. We also show that the proposed criterion is decidable under a practical setting.

In this paper, we present an efficient variant of the Boneh-Franklin scheme that achieves a tight security reduction. Our scheme is basically an IBE scheme under two keys, one of which is randomly chosen and given to the user. It can be viewed as a continuation of an idea introduced by Katz and Wang; however, unlike the Katz-Wang variant, our scheme is quite efficient, as its ciphertext size is roughly comparable to that of the original full Boneh-Franklin scheme. The security of our scheme can be based on either the gap bilinear Diffie-Hellman (GBDH) or the decisional bilinear Diffie-Hellman (DBDH) assumptions.

An anonymous credential system enables individuals to selectively prove their attributes while all other knowledge remains hidden. We considered the applicability of such a system to large scale infrastructure systems and perceived that revocations are still a problem. Then we contrived a scenario to lessen the number of revocations by using more attributes. In this scenario, each individual needs to handle a huge number of attributes, which is not practical with conventional systems. In particular, each individual needs to prove small amounts of attributes among a huge number of attributes and the manager of the system needs to certify a huge number of attributes of individuals periodically. These processes consume extremely large resources. This paper proposes an anonymous credential system in which both a user's proving attributes set, which is included in a huge attribute set, and manager's certifying attributes are very efficient. Conclusion Our proposal enables an anonymous credential system to be deployed as a large scale infrastructure system.

We propose here the first efficient publicly verifiable hybrid mix-net. Previous publicly verifiable mix-net was only efficient for short ciphertexts and was not suitable for mixing long messages. Previous hybrid mix-net can mix long messages but did not have public verifiability. The proposed scheme is efficient enough to treat large scale electronic questionnaires of long messages as well as voting with write-ins, and offers public verifiability of the correctness of the tally. The scheme is provably secure if we assume random oracles, semantic security of a one-time symmetric-key cryptosystem, and intractability of decision Diffie-Hellman problem. This paper is the full version of the extended abstract appeared in FC 2006 [10].

There are two main types of digital watermark systems. In the first, users are given their own detection programs by which to verify the presence of watermark in data they have in their possession. In the second, users must request such verification from a detection center. The disadvantage of the first type is the possibility that a user might be able to analyze the detection program sufficiently to be able to obtain the secret data (secret key) used to embed the watermark. The disadvantage of the second is the possibility that a center might give dishonest results. In this paper, we propose a watermark detection scheme that can be used to overcome the disadvantages of both: it prevents users from obtaining secret key, and it prevents a center from reporting dishonest results. Our scheme is based on a previously proposed scheme which nearly achieved the same goals but, unfortunately, allowed users to receive watermark detection results for data specially created by them so as to reveal, through the results, secret information about how a center created its watermarks. To overcome this drawback, we have developed new scheme by which a center can prove its detection results to a user without revealing any other information. This scheme was developed by extending the work found in. Moreover we provide an option that prevents the center from encroaching on a user's privacy. The resulting watermark detection scheme is the first that, in addition to protecting secret keys of watermarks from user-tampering, is also able to prevent a center from reporting dishonest results. Although the proposed scheme is introduced first using the patch-work watermarking system, it is straightforward to extend it to a scheme that uses the correlation-based watermarking system, which yields a more robust watermark detection scheme.