Chen et al. introduced a new notion of a concurrent signature scheme for a fair exchange of signatures with two parties. Chen et al. also proposed a concrete scheme and proved its security under the assumption of discrete logarithm problem. Recently, Hiwatari and Tanaka extended the concept of concurrent signature to many-to-one setting. Hiwatari and Tanaka also proposed a concrete scheme; however, it requires some strong assumption to achieve the fair exchange and it is not efficient. This paper gives another construction of concurrent signature for many-to-one setting with multisignature scheme. Hereafter, we call it (n,1) concurrent signature scheme. The proposed scheme is more efficient than the scheme of Hiwatari and Tanaka in computation complexity and signature size, and achieves the fair exchange without the assumption required for the scheme of Hiwatari and Tanaka. This paper also gives a construction for the fair exchange of signatures in many-to-many setting, called (n,m) concurrent signature scheme, in appendix.

The new concept of ES (Encryption-Signature) schemes which realize an encryption scheme and a signature scheme with a unique padding technique and key pair, was proposed by Coron et al. They also gave a proof of PSS-ES. In this paper, first, we discuss the methodology for the construction for ES schemes by using padding techniques of encryption schemes, and propose a new ES scheme, OAEP-ES, adopting this methodology. It is proven that OAEP-ES scheme can be constructed under the assumption of the one-wayness of the encryption permutation, while the security of PSS-ES utilized as an encryption scheme is based on the partial-domain one-wayness; which is a theoretical progress since the one-wayness is more general assumption than the partial-domain one-wayness. It is shown that OAEP-ES attains tighter security than PSS-ES, which is a practical interest.

We proposed a one-way trapdoor permutation f based multi-signature scheme which can keep tighter reduction rate. Assuming the underlying hash functions are ideal, our proposed scheme is not only provably secure, but are so in a tight. An ability to forge multi-signatures with a certain amount of computational resources implies the ability to invert a one-way trapdoor permutation f (on the same size modulus) with about the same computational effort. The proposed scheme provides the exact security against Adaptive-Chosen-Message-Attack and Adaptive-Insider-Attack by . can also attack in key generation phase, and act in collusion with corrupted signers.

Although a great deal of research has been done on electronic cash schemes with blind multisignatures to prevent an insider attack, there is no discussion of a formal security model in the literature. Firstly we discussed the security model of e-cash schemes based on the blind multisignature scheme against a (restricted) attack model and proposed a concrete scheme proven to be secure in the model [1]; however, this attack model disallows an attacker from corrupting an issuing bank and shops in the forgery game. In this paper, first, we reconsider the security model to remove the restriction of the attack model. Second, we propose a new untraceable e-cash scheme with a blind multisignature scheme and prove that the proposed scheme is secure against the (non-restricted) attacks under the DDH assumption in the random oracle model.

We first model the formal security model of multisignature scheme following that of group signature scheme. Second, we prove that the following three probabilistic multisignature schemes based on a trapdoor permutation have tight security; PFDH (probabilistic full domain hash) based multisignature scheme (PFDH-MSS), PSS (probabilistic signature scheme) based multisignature scheme (PSS-MSS), and short signature PSS based multisignature scheme (S-PSS-MSS). Third, we give an optimal proof (general result) for multisignature schemes, which derives the lower bound for the length of random salt. We also estimate the upper bound for the length in each scheme and derive the optimal length of a random salt. Two of the schemes are promising in terms of security tightness and optimal signature length. In appendix, we describe a multisignature scheme using the claw-free permutation and discuss its security.

We first model the variants of OAEP and SAEP by changing a construction and position of a redundancy, and establish a universal proof technique in the random oracle model, the comprehensive event dividing tree. We then make a taxonomical security consideration of the variants of OAEP and SAEP, based on the assumptions of one-wayness and partial-domain one-wayness of the encryption permutation, by applying the tree. Furthermore, we demonstrate the concrete attack procedures against all insecure schemes; we insist that the security proof failure leads to some attacks. From the security consideration, we find that one of the variants leads to a scheme without the redundancy; the scheme is not PA (plaintext aware) but IND-CCA2 secure. Finally, we conclude that some of them are practical in terms of security tightness and short bandwidth.

The PayWord Scheme, invented by Rivest and Shamir, is an efficient micropayment scheme utilizing a hash function. We point out that the scheme has the following problem: a malicious customer can damage the bank by purchasing in excess of the customer's credit which the bank has guaranteed by issuing a certificate. Generally, there are two positions of the bank with regard to the certificate. Position 1: the bank takes full responsibility for the certificate and compensates all payments created by the customer's purchases; and Position 2: the bank does not redeem payments exceeding a limit set for the customer and shares the loss with the shop if trouble occurs. In the PayWord Scheme, the bank can reduce its risk by adopting Position 2 rather than Position 1. However, this paper points out that the bank can damage the shop in Position 2 by impersonating an imaginary customer and making the shop share the loss with the bank. We propose a micropayment scheme (countermeasure) that overcomes these problems.

Ring signature scheme enables a signer to sign a message anonymously. In the ring signature scheme, the signer who wants to sign a document anonymously first chooses some public keys of entities (signers) and then generates a signature which ensures that one of the signer or entities signs the document. In some situations, however, the ring signature scheme allows the signer to shift the blame to victims because of the anonymity. The group signature scheme may be a solution for the problem; however, it needs an electronic big brother, called a group manager, who can violate the signer anonymity by himself, and a complicated key setting. This paper introduces a new notion of a signature scheme with signer anonymity, a deniable ring signature scheme (DRS), in which no group manager exists, and the signer should be involved in opening the signer anonymity. We also propose a concrete scheme proven to be secure under the assumption of the DDH (decision Diffie Hellman) problem in the random oracle model.

The residue number system (RNS) is a method for representing an integer x as an n-tuple of its residues with respect to a given set of moduli. In RNS, addition, subtraction, and multiplication can be carried out by independent operations with respect to each modulus. Therefore, an n-fold speedup can be achieved by parallel processing. The main disadvantage of RNS is that we cannot efficiently compare the magnitude of two integers or determine the sign of an integer. Two general methods of comparison are to transform a number in RNS to a mixed-radix system or to a radix representation using the Chinese remainder theorem (CRT). We used the CRT to derive an equation approximating a value of x relative to M, the product of moduli. Then, we propose two algorithms that efficiently evaluate the equation and output a sign bit. The expected number of steps of these algorithms is of order n. The algorithms use a lookup table that is (n+3) times as large as M, which is reasonably small for most applications including cryptography.

Correlation power analysis (CPA) is a well-known attack against cryptographic modules with which an attacker evaluates the correlation between the power consumption and the sensitive data candidates calculated from a guessed sub-key and known data such as plaintexts and ciphertexts. This paper enhances CPA to propose a new general power analysis, built-in determined sub-key CPA (BS-CPA), which finds a new sub-key by using the previously determined sub-keys recursively to compute the sensitive data candidates and to increase the signal-to-noise ratio in its analysis. BS-CPA also reuses the power traces in the repetitions of finding sub-keys to decrease the total number of the required traces for determining the all sub-keys. BS-CPA is powerful and effective when the multiple sensitive data blocks such as sbox outputs are processed simultaneously as in the hardware implementation. We apply BS-CPA to the power traces provided at the DPA contest and succeed in finding a DES key using fewer traces than the original CPA does.