SAFER block cipher family consists of SAFER K, SAFER SK, SAFER+ and SAFER++. As the first proposed block cipher of them, SAFER K is strengthened by SAFER SK with improved key schedule. SAFER+ is designed as an AES candidate and Bluetooth uses a customized version of it for security. SAFER++, a variant of SAFER+, is among the cryptographic primitives selected for the second phase of the NESSIE project. In this paper, we take advantage of properties of the linear transformation and S-boxes to identify new impossible differentials for SAFER SK, SAFER+, and SAFER++. Moreover, we give the impossible differential attacks on 4-round SAFER SK/128 and 4-round SAFER+/128(256), 5-round SAFER++/128 and 5.5-round SAFER++/256. Our attacks significantly improve previously known impossible differential attacks on them. Specifically, our attacks on SAFER+ are the best attack in terms of number of rounds.

Weakness of a block cipher, which has provable immunity against linear cryptanalysis, is investigated. To this end, the round transformation used in MISTY, which is a data encryption algorithm recently proposed by M. Matsui from Mitsubishi Electric Corporation, is compared to the round transformation of DES from the point of view of pseudrandom generation. An important property of the MISTY cipher is that, in terms of theoretically provable resistance against linear and differential cryptanalysis, which are the most powerful cryptanalytic attacks known to date, it is more robust than the Data Encryption Standard or DES. This property can be attributed to the application of a new round transform in the MISTY cipher, which is obtained by changing the location of the basic round-function in a transform used in DES. Cryptograohic roles of the transform used in the MISTY cipher are the main focus of this paper. Our research reveals that when used for constructiong pseudorandom permutations, the transform employed by the MISTY cipher is inferior to the transform in DES, though the former is superior to the latter in terms of strength against linear and differential attacks. More specifically, we show that a 3-round (4-round, respectively) concatenation of transforms used in the MISTY cipher is not a pseudorandom (super pseudorandom, respectively) permutation.

Digital signatures whose security does not rely on any unproven computational assumption have recently received considerable attention. While these unconditionally secure digital signatures provide a foundation for long term integrity and non-repudiation of data, currently known schemes generally require a far greater amount of memory space for the storage of secret and public keys than a traditional digital signature. The focus of this paper is on methods for reducing memory requirements of unconditionally secure digital signatures. A major contribution of this paper is to propose two novel unconditionally secure digital signature schemes, one called a symmetric construction and other an asymmetric construction, which require a significantly smaller amount of memory. As a specific example, with a typical parameter setting the required memory size for a user is reduced to be approximately of that in a previously known scheme. Another contribution of the paper is to show an attack on a multireceiver authentication code which was proposed by Safavi-Naini and Wang. A simple method to fix the problem of the multireceiver authentication code is also proposed.

In the past few years, we have seen the emergence of a large number of proposals for electronic payments over open networks. Among these proposals is the Secure Electronic Transaction (SET) protocol promoted by MasterCard and VISA which is currently being deployed world-widely. While SET has a number of advantages over other proposals in terms of simplicity and openness, there seems to be a consensus regarding the relative inefficiency of the protocol. This paper proposes a light-weight version of the SET protocol, called "LITESET. " For the same level of security as recommended in the latest version of SET specifications, LITESET yields a 56.2/51.4% reduction in the computational time in message generation/verification and a 79.9% reduction in communication overhead. This has been achieved by the use of a new cryptographic primitive called signcryption. We hope that our proposal can contribute to the practical and engineering side of real-world electronic payments.

This paper proves several theorems on probabilistic cryptosystems. From these theorems it follows directly that a probabilistic cryptosystem proposed by the authors, whose security is based upon the (supposed) infeasibility of γth-Residuosity Problem, is polynomially secure. Techniques developed in the paper are of independent interest.

Credit-based electronic payment systems are considered to play important roles in future automated payment systems. Like most other types of payment systems, however, credit-based systems proposed so far generally involve computationally expensive cryptographic operations. Such a relatively heavy computational load is preventing credit-based systems from being used in applications which require very fast processing. A typical example is admission-fee payment at the toll gate of an expressway without stopping a vehicle that travels at a high speed. In this article, we propose a very fast credit-based electronic payment protocol for admission-fee payment. More specifically, we propose a payment system between a high-speed vehicle and a toll gate which uses only very simple and fast computations. The proposed system makes use of an optimized Key Pre-distribution System (or KPS) to obtain high resistance against collusion attacks.

This paper presents a new concept in cryptography called the sibling intractable function family (SIFF) which has the property that given a set of initial strings colliding with one another, it is computationally infeasible to find another string that would collide with the initial strings. The various concepts behind SIFF are presented together with a construction of SIFF from any one-way function. Applications of SIFF to many practical problems are also discussed. These include the hierarchical access control problem which is a long-standing open problem induced by a paper of Akl and Taylor about ten years ago, the shared mail box problem, access control in distributed systems and the multiple message authentication problem.

The problem we consider in this paper is whether the Menezes-Okamoto-Vanstone (MOV) reduction for attacking elliptic curve cryptosystems can be realized for genera elliptic curves. In realizing the MOV reduction, the base field Fq is extended so that the reduction to the discrete logarithm problem in a finite field is possible. Recent results by Balasubramanian and Koblitz suggest that, if l q-1, such a minimum extension degree is the minimum k such that l|qk-1, which is equivalent to the condition under which the Frey-Ruck (FR) reduction can be applied, where l is the order of the group in the elliptic curve discrete logarithm problem. Our point is that the problem of finding an l-torsion point required in evaluating the Weil pairing should be considered as well from an algorithmic point of view. In this paper, we actually propose a method which leads to a solution of the problem. In addition, our contribution allows us to draw the conclusion that the MOV reduction is indeed as powerful as the FR reduction under l q-1 not only from the viewpoint of the minimum extension degrees but also from that of the effectiveness of algorithms.

Let γ and n be positive integers. An integer z with gcd(z, n)1 is called a γth-residue mod n if there exists an integer x such that zxγ (mode n), or a γth-nonresidue mod n if there doesn't exist such an x. Denote by Z*n the set of integers relatively prime to n between 0 and n. The problem of determining whether or not a randomly selected element zZ*n is a γth-residue mod n is called the γth-Residuosity Problem (γth-RP), and appears to be intractable when n is a composite integer whose factorization is unknown. In this paper, we explore some important properties of γth-RP for the case where γ is an odd integer greater than 2, and discuss its applications to cryptography. Based on the difficulty or γth-RP, we generalize the Goldwasser-Micali bit-by-bit probabilistic encryption to a block-by-block probabilistic one, and propose a direct protocol for the dice casting problem over a network. This problem is a general one which includes the well-studied coin flipping problem.

This paper proposes a novel one-way hash function that can serve as a tool in achieving authenticity and data integrity. The one-way hash function can be viewed as a representative of a family of fast dedicated one-way hash functions whose construction is based on linear cellular automata over GF(a). The design and analysis of security of the function is accomplished by the use of very recently published results on cellular automata and their applications in cryptography. The analysis indicates that the one-way hash function is secure against all known attacks. A promising property of the proposed one-way hash function is that it is especially suitable for compact and fast implementation.

A challenge-and-response type identification protocol consists of three moves of messages between a prover and a verifier: Move-1--The prover claims to the verifier that his/her identity is ID. Move-2--The verifier challenges the prover with a question related to the ID. Move-3--The prover responds with the answer of the question. The verifier accepts the prover if the answer is correct. The main contribution of this paper is to show that the folklore can be made provably secure under the sole assumption of the existence of one-way functions.

This paper addresses the problem of designing an unconditionally secure conference system that fulfills the requirements of both traceability and dynamic sender. In a so-called conference system, a common key is shared among all authorized users, and messages are encrypted using the shared key. It is known that a straightforward implementation of such a system may present a number of security weaknesses. Our particular concern lies in the possibility that unauthorized users may be able to acquire the shared key by illegal means, say from one or more authorized but dishonest users (called traitors). An unauthorized user who has successfully obtained the shared key can now decrypt scrambled messages without leaving any evidence on who the traitors were. To solve this problem, in this paper we propose a conference system that admits dynamic sender traceability. The new solution can detect traitors, even if the sender of a message is dynamically determined after a shared key is distributed to authorized users. We also prove that this scheme is unconditionally secure.

In this paper, we formally define and analyze the security notions of authenticated encryption in unconditional security setting. For confidentiality, we define the notions, APS (almost perfect secrecy) and NM (non-malleability), in terms of an information-theoretic viewpoint along with our model where multiple senders and receivers exist. For authenticity, we define the notions, IntC (integrity of ciphertexts) and IntP (integrity of plaintexts), from a view point of information theory. And then we combine the above notions to define the security notions of unconditionally secure authenticated encryption. Then, we analyze relations among the security notions. In particular, it is shown that the strongest security notion is the combined notion of APS and IntC. Finally, we formally define and analyze the following generic composition methods in the unconditional security setting along with our model: Encrypt-and-Sign, Sign-then-Encrypt and Encrypt-then-Sign. Consequently, it is shown that: the Encrypt-and-Sign composition method is not always secure; the Sign-then-Encrypt composition method is not always secure; and the Encrypt-then-Sign composition method is always secure, if a given encryption meets APS and a given signature is secure.

We study the following two kinds of one-way hash functions: universal one-way hash functions (UOHs) and collision intractable hash functions (CIHs). The main property of the former is that given an initial-string x, it is computationally difficult to find a different string y that collides with x. And the main property of the latter is that it is computationally difficult to find a pair xy of strings such that x collides with y. Our main results are as follows. First we prove that UOHs with respect to initial-strings chosen arbitrarily exist if and only if UOHs with respect to initial-strings chosen uniformly at random exist. Then, as an application of the result, we show that UOHs with respect to initial-strings chosen arbitrarily can be constructed under a weaker assumption, the existence of one-way quasi-injections. Finally, we investigate relationships among different versions of one-way hash functions. We prove that some versions of one-way hash functions are strictly included in others by explicitly constructing hash functions that are one-way in the sense of the former but not in the sense of the latter.

Efficient ID-based key sharing schemes are desired worldwide in order to obtain secure communications on the Internet and other related networks, and Key Pre-distribution System (KPS) is one of the majority of such key sharing schemes. The remarkable property of KPS, is that, user need only input the partner's identifier to the secret KPS-algorithm in order to share a key between them. Although this is just a small part of many advantages KPS has in terms of efficiency, an enormous amount of memory is always required to achieve perfect security. While the conventional KPS methods can establish communication links between any pair of entities in a communication system, in most of the practical communication environment, such as in a broadcast system, not all links will be required. In this article, we achieved a desirable method to remove the unnecessary communication links between any pair of entities in a communication system. In our scheme, required memory size per entity was just proportional to the number of entities of the partner's, while that in conventional KPS, it is proportional to the number of entities of the whole communication system. As an example, if an entity communicates with only 1/r others, the memory requirement is reduced to 1/r of the conventional KPS's. Furthermore, it was proven that the obtained memory size was optimum. Overall, our scheme confirmed greater efficiency to achieve secure communication particularly suited in large-scale networks.