
Keyword Search Result

[Keyword] cryptography(274hit)

241-260hit(274hit)

  • Construct Message Authentication Code with One-Way Hash Functions and Block Ciphers

    Yi-Shiung YEH  Chan-Chi WANG

    PAPER-Information Security
    Vol: E82-A No:2, Page(s): 390-393

    We suggest a MAC scheme which combines a hash function and a block cipher in sequence. We strengthen this scheme with additional random bits to prevent the problem of leaking the intermediate hash value between the hash function and the block cipher. The requirements on the hash function used are loose. Security of the proposed scheme depends heavily on the underlying block cipher. This scheme is efficient in software implementation for processing long messages and has clear security properties.

  • A Small and Fast Software Implementation of Elliptic Curve Cryptosystems over GF(p) on a 16-Bit Microcomputer

    Toshio HASEGAWA  Junko NAKAJIMA  Mitsuru MATSUI

    PAPER
    Vol: E82-A No:1, Page(s): 98-106

    Recently the study and implementation of elliptic curve cryptosystems (ECC) have developed rapidly and their achievements have become a center of attention. ECC has the advantage of high-speed processing in software even in restricted environments such as smart cards. In this paper, we concentrate on a complete software implementation of ECC over a prime field on a 16-bit microcomputer M16C (10 MHz). We propose a new type of prime characteristic of the base field suitable for small and fast implementation, and also improve basic elliptic arithmetic formulas. We report a small and fast software implementation of a cryptographic library which supports 160-bit elliptic curve DSA (ECDSA) signature generation, verification and SHA-1 on the processor. This library also includes general integer arithmetic routines for applicability to other cryptographic algorithms. We successfully implemented the library in 4 Kbyte code/data size including SHA-1, and confirmed a speed of 150 msec for generating an ECDSA signature and 630 msec for verifying an ECDSA signature on the M16C.

  • A Universal Single-Authority Election System

    Chin-Laung LEI  Chun-I FAN

    PAPER-General Fundamentals and Boundaries
    Vol: E81-A No:10, Page(s): 2186-2193

    Privacy, voter uncoercibility, collision freedom, verifiability, and tally correctness are essential properties of modern electronic election systems. None of the single-authority election systems proposed in the literature achieves all of the above five properties. In this paper we propose a universal single-authority election system that satisfies the five properties. In particular, the privacy of each voter is protected against the authority and other voters, and no voter can coerce any other voter into changing the value of his vote in our proposed system. We also show that it is impossible for a collision-free single-authority election system to possess both voter uncoercibility and authority uncoercibility at the same time.

  • Proposal of a Lattice-Based Visual Secret Sharing Scheme for Color and Gray-Scale Images

    Hiroki KOGA  Hirosuke YAMAMOTO

    PAPER-Information Security
    Vol: E81-A No:6, Page(s): 1262-1269

    The visual secret sharing scheme (VSSS) proposed by Naor and Shamir provides a way to encrypt a secret black-and-white image into shares and decrypt the shares without using any cryptographic computation. This paper proposes an extension of VSSS to the sharing of color or gray-scale images. In this paper a (k,n) VSSS for images with J different colors is defined as a collection of J disjoint subsets of the n-th product of a finite lattice. The subsets can be sequentially constructed as a solution of a certain system of simultaneous linear equations. In particular, the subsets are simply expressed in the (n,n), (n-1,n) and (2,n) cases. Any collection of k-1 shares reveals no information on a secret image, while stacking k arbitrary shares reproduces the secret image.

  • Low-Computation Partially Blind Signatures for Electronic Cash

    Chun-I FAN  Chin-Laung LEI

    PAPER
    Vol: E81-A No:5, Page(s): 818-824

    In a secure partially blind signature scheme, the signer is assured that the blind signatures issued by him contain the information he desires. The technique makes it possible to minimize the otherwise unlimited growth of the bank's database, which stores all spent electronic cash in an anonymous electronic cash system. In this paper we propose an efficient partially blind signature scheme for electronic cash. In our scheme, only several modular additions and modular multiplications are required for a signature requester to obtain and verify a signature. It turns out that the proposed scheme is suitable for mobile clients and smart-card applications because no time-consuming computations, such as modular exponentiation and inverse computations, are required. Compared with the existing blind signature schemes proposed in the literature, our method reduces the amount of computation for signature requesters by almost 98%.

  • Multi-Recastable Ticket Schemes for Electronic Voting

    Chun-I FAN  Chin-Laung LEI

    PAPER-Information Security
    Vol: E81-A No:5, Page(s): 940-949

    Multi-recast techniques make it possible for a voter to participate in a sequence of different designated votings by using only one ticket. In a multi-recastable ticket scheme for electronic voting, every voter of a group can obtain an m-castable ticket (m-ticket), and through the m-ticket, the voter can participate in a sequence of m different designated votings held in this group. The m-ticket contains all possible intentions of the voter in the sequence of votings, and in each of the m votings, a voter casts his vote by just making appropriate modifications to his m-ticket. The authority cannot produce both the opposite version of a vote cast by a voter in one voting and the succeeding uncast votes of the voter. Only one round of registration action is required for a voter to request an m-ticket from the authority. Moreover, the size of such an m-ticket is not larger than that of an ordinary vote. It turns out that the proposed scheme greatly reduces the network traffic between the voters and the authority during the registration stages in a sequence of different votings, for example, the proposed method reduces the communication traffic by almost 80% for a sequence of 5 votings and by nearly 90% for a sequence of 10 votings.

  • Secure Electronic Sealed-Bid Auction Protocol with Public Key Cryptography

    Michiharu KUDO

    PAPER
    Vol: E81-A No:1, Page(s): 20-27

    This paper proposes a secure electronic sealed-bid auction protocol (SEAP) that provides an auction service on the Internet by combining three providers: an auction service provider, a key service provider, and a time service provider. The SEAP uses public key cryptography and the concept of a time-key certificate. The most important property of this protocol is that time-dependent security requirements can be strictly satisfied. The SEAP satisfies the following nine security requirements: (a) no one can deny having made a bid; (b) the protocol should be secure against malicious acts; (c) no bidder can act for another bidder; (d) no one can know who else is bidding until the time comes for the bids to be opened; (e) no one can discover the contents of any of the bids until the time comes for the bids to be opened; (f) the successful bid must have been submitted before the bidding deadline; (g) all bidders can verify that the auction policy has been correctly implemented; (h) the successful bidder can be identified without being required to make himself or herself known; and (i) the bidding contents cannot be altered. The protocol consists of three subprotocols: the Registration Subprotocol, the Bidding Subprotocol, and the Auction Subprotocol. The protocol parameters and algorithm are described in detail.

  • One-Time Digital Signature and Pseudo k-Time Digital Signature

    Hiroshi MIYANO

    PAPER
    Vol: E81-A No:1, Page(s): 48-55

    In Asiacrypt '96, Bleichenbacher et al. showed the upper limit of the efficiency of one-time digital signature schemes that use a directed graph with tree structure as their base. They also claimed that there exist more effective signature schemes on general directed graphs, and showed an example of a method to construct more effective signature schemes as a witness. Unfortunately, their example does not achieve the efficiency they claimed. This paper shows the upper limit of the efficiency of signature schemes on general directed graphs by showing that no signature scheme is more effective than the optimal signature scheme on trees (or forests). Further, we introduce another signature scheme named the pseudo k-time signature scheme. This signature scheme allows signers to sign k times, and is no less efficient than the one-time signature scheme.

  • High Performance Nonce-Based Authentication and Key Distribution Protocols against Password Guessing Attacks

    Sung-Ming YEN  Meng-Tzung LIU

    PAPER-Security
    Vol: E80-A No:11, Page(s): 2209-2217

    A family of nonce-based authentication and key distribution protocols based on the trusted third-party model is proposed; the protocols are not only efficient from the viewpoints of computation and communication, but also secure against on-line and off-line password guessing attacks. A new concept of implicit or indirect challenge-response authentication, which can be used to combine the processes of identity authentication and data integrity assurance during key distribution and to make the entire protocol more concise and efficient, is introduced in this paper. In the proposed family of protocols, a specific protocol can be chosen such that the secure session key to be distributed is selected by a specific participant in the protocol. Detailed security analyses of every protocol are given.

  • User Authentication in Mobile Computing Environment

    Akio TAKUBO  Mutsumi ISHIKAWA  Takashi WATANABE  Masakazu SOGA  Tadanori MIZUNO

    PAPER
    Vol: E80-A No:7, Page(s): 1288-1298

    Computers are connected with each other by networks as a result of progress in computer and network technology, and all of the data to be processed are transferred quickly and in real time through the computer network. Although the user can use the computer system at any time, the user must go to the location of the computer system to use its resources. The need to use the computer system arises anywhere and at any time, regardless of the location of the computer system. For this requirement the mobile computing environment (MCE) is strongly expected. In this paper we introduce the model of MCE and discuss the need for user authentication when entering and logging in to the network in MCE with only a user ID. We propose a method of user ID assignment from which a server ID can be determined by a simple logical operation. We also propose a protocol for user authentication in MCE and discuss the robustness of its security against various attacks on the route.

  • Improved Common-Multiplicand Multiplication and Fast Exponentiation by Exponent Decomposition

    Sung-Ming YEN

    LETTER-Information Security
    Vol: E80-A No:6, Page(s): 1160-1163

    The technique of common-multiplicand multiplication, CMM, is modified and a similar approach is utilized to enhance the performance of a recently proposed fast exponentiation algorithm by exponent decomposition. On average, the improved exponentiation, its original version, and the traditional right-to-left binary exponentiation algorithm take 1.292m+11, 1.375m+3, and 1.5m multiplications, respectively, where m is the bit length of the exponent. Finally, it is shown how to improve the overall performance of an exponentiation by employing the improved exponentiation algorithm, the improved CMM algorithm, and any general purpose fast multiplication algorithm.

  • On Non-Pseudorandomness from Block Ciphers with Provable Immunity Against Linear Cryptanalysis

    Kouichi SAKURAI  Yuliang ZHENG

    PAPER
    Vol: E80-A No:1, Page(s): 19-24

    The weakness of a block cipher which has provable immunity against linear cryptanalysis is investigated. To this end, the round transformation used in MISTY, a data encryption algorithm recently proposed by M. Matsui of Mitsubishi Electric Corporation, is compared to the round transformation of DES from the point of view of pseudorandom generation. An important property of the MISTY cipher is that, in terms of theoretically provable resistance against linear and differential cryptanalysis, which are the most powerful cryptanalytic attacks known to date, it is more robust than the Data Encryption Standard or DES. This property can be attributed to the application of a new round transform in the MISTY cipher, which is obtained by changing the location of the basic round function in a transform used in DES. Cryptographic roles of the transform used in the MISTY cipher are the main focus of this paper. Our research reveals that when used for constructing pseudorandom permutations, the transform employed by the MISTY cipher is inferior to the transform in DES, though the former is superior to the latter in terms of strength against linear and differential attacks. More specifically, we show that a 3-round (4-round, respectively) concatenation of transforms used in the MISTY cipher is not a pseudorandom (super pseudorandom, respectively) permutation.

  • Faster Factoring of Integers of a Special Form

    Rene PERALTA  Eiji OKAMOTO

    PAPER
    Vol: E79-A No:4, Page(s): 489-493

    A speedup of Lenstra's Elliptic Curve Method of factorization is presented. The speedup works for integers of the form N = PQ^2, where P is a prime sufficiently smaller than Q. The result is of interest to cryptographers, since integers with secret factorization of this form are being used in digital signatures. The algorithm makes use of what we call Jacobi signatures. We believe these to be of independent interest.

  • Algebraic Properties of Permutation Polynomials

    Eiji OKAMOTO  Wayne AITKEN  George Robert BLAKLEY

    PAPER
    Vol: E79-A No:4, Page(s): 494-501

    Polynomials are called permutation polynomials if they induce bijective functions. This paper investigates algebraic properties of permutation polynomials over a finite field, especially properties associated with permutation cycles. A permutation polynomial has a simple structure but good randomness properties suitable for applications. The cycle structure of a permutation is considered to be related to randomness. We investigate the algebraic structure from the viewpoint of randomness. First we show the relationship between polynomials and permutations using a matrix equation. Then, we give a general form of a permutation polynomial corresponding to a product C_1 C_2 ... C_k of pairwise disjoint cycles. Finally, permutation polynomials with fixed points, or with 2-, 3- and 4-cycles, and their compositions are given together with the distribution of the degree of the permutation polynomials.

  • On the One-Way Algebraic Homomorphism

    Eikoh CHIDA  Takao NISHIZEKI  Motoji OHMORI  Hiroki SHIZUYA

    PAPER
    Vol: E79-A No:1, Page(s): 54-60

    In this paper we discuss the relation between a one-way group homomorphism and a one-way ring homomorphism. Let U, V be finite abelian groups with #U = n. We show that if there exists a one-way group homomorphism f: U → V, then there exists a one-way ring homomorphism F: Z_n[U] → Z_n[Im f]. We also give examples of such ring homomorphisms which are one-way under a standard cryptographic assumption. This implies that there is an affirmative solution to an extended version of the open question raised by Feigenbaum and Merritt: Is there an encryption function f such that both f(x+y) and f(xy) can be efficiently computed from f(x) and f(y)? A multiple signature scheme is also given as an application of one-way ring homomorphisms.

  • On the Complexity of the Discrete Logarithm for a General Finite Group

    Tatsuaki OKAMOTO  Kouichi SAKURAI  Hiroki SHIZUYA

    PAPER
    Vol: E79-A No:1, Page(s): 61-65

    GDL is the language whose membership problem is polynomial-time Turing equivalent to the discrete logarithm problem for a general finite group G. This paper gives a characterization of GDL from the viewpoint of computational complexity theory. It is shown that GDL ∈ NP ∩ co-AM, assuming that G is in NP ∩ co-NP, and that the group law operation of G can be executed in polynomial time in the element size. Furthermore, as a natural probabilistic extension, the complexity of GDL is investigated under the assumption that the group law operation is executed in expected polynomial time in the element size. In this case, it is shown that GDL ∈ MA ∩ co-AM if G ∈ MA ∩ co-MA. As a consequence, we show that GDL is not NP-complete unless the polynomial time hierarchy collapses to the second level.

  • A New Version of FEAL, Stronger against Differential Cryptanalysis*

    Routo TERADA  Paulo G. PINHEIRO  Kenji KOYAMA

    PAPER
    Vol: E79-A No:1, Page(s): 28-34

    We create a new version of the FEAL-N(X) cryptographic function, called FEAL-N(X)S, by introducing a dynamic swapping function. FEAL-N(X)S is stronger against Differential Cryptanalysis in the sense that any characteristic for FEAL-N(X) is less effective when applied to FEAL-N(X)S. Furthermore, the only iterative characteristics that may attack the same number of rounds for the two versions are the symmetric ones, which have an average probability bounded above by 2^-4 per round, i.e., FEAL-N(X)S is at least as strong as DES with respect to this type of characteristic. We also show that in general the probability of an iterative characteristic for FEAL-N(X) that is still valid for FEAL-N(X)S is decreased by 1/2 per round. Some of the best characteristics are shown. Experimental results show that the running time required by FEAL-N(X)S is around 10% greater than that of FEAL-N(X) in software, but this price is small compared to the gained strength against Differential Cryptanalysis.

  • Evaluating Security of a Simple Interactive Human Identification Scheme

    Ryo MIZUTANI  Tsutomu MATSUMOTO

    LETTER
    Vol: E78-A No:5, Page(s): 577-578

    Password checking schemes are human identification methods commonly adopted in many information systems. One of their disadvantages is that an attacker who has correctly observed an input password can impersonate the corresponding user freely. To overcome this, interactive human identification schemes have been proposed. Namely, a human prover who has a secret key is asked a question by a machine verifier, who then checks whether the answer from the prover matches the question with respect to the key. This letter examines such a scheme that requires relatively little effort from human provers. By computer experiments this letter evaluates its resistance against one type of attack: after observing several pairs of questions and correct answers, how successfully can an attacker answer the next question?

  • Permutation Cipher Scheme Using Polynomials over a Field

    Eiji OKAMOTO  Tomohiko UYEMATSU  Masahiro MAMBO

    PAPER-Information Security
    Vol: E78-D No:2, Page(s): 138-142

    A permutation cipher scheme using polynomials over a field is presented. Permutation, as well as substitution, plays a major role in almost all conventional cryptosystems. But the security of the permutation depends on how symbols are permuted. This paper proposes the use of polynomials for the permutation and shows that the scheme satisfies the following security criteria. (1) There are enough encryption keys to defend against exhaustive attacks. (2) The permutation moves almost all samples into places which are different from their original places. (3) Most samples are shifted differently by different permutations. The permutation cipher scheme can be regarded as a scheme based on Reed-Solomon codes. The information symbols of the codes compose a key of the permutation cipher scheme.

  • Relationships among Nonlinearity Criteria of Boolean Functions

    Shouichi HIROSE  Katsuo IKEDA

    PAPER-Information Security and Cryptography
    Vol: E78-A No:2, Page(s): 235-243

    For symmetric cryptosystems, their transformations should have nonlinear elements to be secure against various attacks. Several nonlinearity criteria have been defined and their properties have been made clear. This paper focuses on, among these criteria, the propagation criterion (PC) and the strict avalanche criterion (SAC), and investigates them further. It discusses the sets of Boolean functions satisfying the PC of higher degrees, the sets of those satisfying the SAC of higher orders, and their relationships. We give a necessary and sufficient condition for an n-input Boolean function to satisfy the PC with respect to a set of all but one or two elements in {0,1}^n \ {(0,...,0)}. From this condition, it follows that, for every even n ≥ 2, an n-input Boolean function satisfies the PC of degree n-1 if and only if it satisfies the PC of degree n. We also show a method that constructs, for any odd n ≥ 3, n-input Boolean functions that satisfy the PC with respect to a set of all but one element in {0,1}^n \ {(0,...,0)}. This method is a generalized version of a previous one. Concerning the SAC of higher orders, it is shown that the previously proved upper bound on the nonlinear order of Boolean functions satisfying the criterion is tight. The relationships between the set of n-input Boolean functions satisfying the PC and the sets of those satisfying the SAC are discussed.
