Keyword Search Result

[Keyword] security (630 hits)

Showing 521-540 of 630 hits

  • A Framework for One-Round Mobile Agent Transaction

    Chi-Chao CHANG, Narn-Yih LEE, Tzonelih HWANG
    PAPER-Security Issues
    Vol: E87-B No:7, Page(s): 1883-1889

    Mobile agent systems are essential in the next generation of electronic commerce applications. However, existing solutions for mobile agents to sign documents without user intervention are problematic because there is no restriction on who can generate the signatures. In this paper, we present a modified version of the undetachable signature scheme with which the power to generate digital signatures can be designated to a neutral party. We also give a transaction model to support the scheme. Discussions regarding the security of the signature scheme, as well as some attacks on its application in our model, are also presented.

  • Unconditionally Secure Authenticated Encryption

    Junji SHIKATA, Goichiro HANAOKA, Yuliang ZHENG, Tsutomu MATSUMOTO, Hideki IMAI
    LETTER
    Vol: E87-A No:5, Page(s): 1119-1131

    In this paper, we formally define and analyze the security notions of authenticated encryption in the unconditional security setting. For confidentiality, we define the notions APS (almost perfect secrecy) and NM (non-malleability) from an information-theoretic viewpoint, within our model where multiple senders and receivers exist. For authenticity, we define the notions IntC (integrity of ciphertexts) and IntP (integrity of plaintexts) from the viewpoint of information theory. We then combine the above notions to define the security notions of unconditionally secure authenticated encryption, and analyze the relations among them. In particular, it is shown that the strongest security notion is the combined notion of APS and IntC. Finally, we formally define and analyze the following generic composition methods in the unconditional security setting within our model: Encrypt-and-Sign, Sign-then-Encrypt and Encrypt-then-Sign. Consequently, it is shown that the Encrypt-and-Sign composition method is not always secure; the Sign-then-Encrypt composition method is not always secure; and the Encrypt-then-Sign composition method is always secure, provided the given encryption meets APS and the given signature is secure.

  • On the Correctness of Security Proofs for the 3GPP Confidentiality and Integrity Algorithms

    Tetsu IWATA, Kaoru KUROSAWA
    LETTER
    Vol: E87-A No:5, Page(s): 1110-1118

    f8 and f9 are standardized by 3GPP to provide confidentiality and integrity, respectively. It was claimed that f8 and f9 are secure if the underlying block cipher is a PseudoRandom Permutation (PRP), where f9 is a slightly modified version of f9. In this paper, however, we disprove both claims by showing a counterexample. We first construct a PRP F with the following property: there is a non-zero constant Cst such that for any key K, FK()=(). We then show that f8 and f9 are completely insecure if F is used as the underlying block cipher. Therefore, the PRP assumption does not necessarily imply the security of f8 and f9, and it is impossible to prove their security under the PRP assumption. It should be stressed that these results do not imply that the original f8 and f9 (with KASUMI as the underlying block cipher) are insecure or broken. They simply undermine their provable security.

  • Two Factor Authenticated Key Exchange (TAKE) Protocol in Public Wireless LANs

    Young Man PARK, Sang Kyu PARK
    LETTER-Fundamental Theories
    Vol: E87-B No:5, Page(s): 1382-1385

    We propose a new authentication and key establishment (AKE) protocol that can be applied to low-power PDAs in Public Wireless LANs (PWLANs), using two-factor authentication and precomputation. This protocol provides mutual authentication, identity privacy, and half forward-secrecy. The computation that the client must perform is just one symmetric-key encryption and five hash function evaluations during the run of the protocol.

  • On the Pseudorandomness of KASUMI Type Permutations

    Tetsu IWATA, Tohru YAGI, Kaoru KUROSAWA
    LETTER
    Vol: E87-A No:5, Page(s): 1098-1109

    KASUMI is a block cipher which has been adopted as a standard of 3GPP. In this paper, we study the pseudorandomness of idealized KASUMI type permutations for adaptive adversaries. We show that the four-round version is pseudorandom and the six-round version is super-pseudorandom.

  • Braid Groups in Cryptology

    Eonkyung LEE
    INVITED PAPER
    Vol: E87-A No:5, Page(s): 986-992

    Braids have been studied by mathematicians for more than a century. Because they are practical enough to be used for cryptography, many cryptographers have taken an interest in them. Over the last five years, several cryptographic applications and cryptanalyses have been proposed in the area of braids. We survey the main examples of these results.

  • Probabilistic Multi-Signature Schemes Using a One-Way Trapdoor Permutation

    Kei KAWAUCHI, Yuichi KOMANO, Kazuo OHTA, Mitsuru TADA
    LETTER
    Vol: E87-A No:5, Page(s): 1141-1153

    We propose a one-way trapdoor permutation f based multi-signature scheme which can keep a tighter reduction rate. Assuming the underlying hash functions are ideal, our proposed scheme is not only provably secure, but is so in a tight sense. An ability to forge multi-signatures with a certain amount of computational resources implies the ability to invert a one-way trapdoor permutation f (on the same size modulus) with about the same computational effort. The proposed scheme provides exact security against Adaptive-Chosen-Message-Attack and Adaptive-Insider-Attack by . can also attack in the key generation phase, and act in collusion with corrupted signers.

  • A Fast Signature Scheme with New On-line Computation

    Takeshi OKAMOTO, Hirofumi KATSUNO, Eiji OKAMOTO
    LETTER
    Vol: E87-A No:5, Page(s): 1154-1161

    In this paper, we propose a fast signature scheme which realizes short transmissions and minimal on-line computation. Our scheme requires a modular exponentiation as preprocessing (i.e., off-line computation). However, it has the following remarkable property: neither multiplication nor modular reduction is used in the actual signature generation (i.e., on-line computation). Our scheme requires only two operations: hashing and addition. Although some fast signature schemes with small on-line computation have been proposed so far, those schemes require multiplication or modular reduction in the on-line phase, which is a large amount of work compared to addition. As far as we know, this is the first approach to obtain a fast signature without those two operations.

  • The Role of Arbiters for Unconditionally Secure Authentication

    Goichiro HANAOKA, Junji SHIKATA, Yumiko HANAOKA, Hideki IMAI
    LETTER
    Vol: E87-A No:5, Page(s): 1132-1140

    Authentication codes (A-codes, for short) are considered important building blocks for constructing unconditionally secure authentication schemes. Since in conventional A-codes the two communicating parties, transmitter and receiver, utilize a common secret key, such A-codes do not provide non-repudiation. With the aim of adding the non-repudiation property, Simmons introduced A2-codes. Later, Johansson formally defined an improved version of A2-codes called A3-codes. Unlike A2-codes, A3-codes do not require an arbiter to be fully trusted. In this paper, we clarify the security definition of A3-codes, which may be misdefined. We show a concrete attack against an A3-code and conclude that concrete constructions of A3-codes implicitly assume a trusted arbiter. We also show that there is no significant difference between A2-codes and A3-codes in a practical sense, and further argue that it is impossible to construct an "ideal" A3-code, that is, one without any trusted arbiter. Finally, we introduce a novel model of asymmetric A-codes with an arbiter that does not have to be fully trusted, and also show a concrete construction of asymmetric A-codes for the model. Since our proposed A-code does not require fully trusted arbiters, it is more secure than A2-codes or A3-codes.

  • A Method to Develop Feasible Requirements for Java Mobile Code Application

    Haruhiko KAIYA, Kouta SASAKI, Kenji KAIJIRI
    PAPER-Requirement Engineering
    Vol: E87-D No:4, Page(s): 811-821

    We propose a method for analyzing the trade-off between the environment in which a Java mobile code application runs and the requirements for the application. In particular, we focus on the security-related problems that originate in the low-level security policy of the code-centric style of access control in the Java runtime. As the result of this method, we get feasible requirements with respect to the security issues of mobile code. This method will help requirements analysts to reconcile the differences between customers' goals and realizable solutions. Customers will agree to the results of the analysis because they can clearly trace the reasons why some goals are achieved but others are not. We can systematically clarify which functions can be performed under the environment. We also clarify which functions in mobile code are needed to meet the goals of users by goal-oriented requirements analysis (GORA). By comparing the functions derived from the environment and the functions derived from the goals, we can find conflicts between the environment and the goals, and also find vagueness in the requirements. By resolving the conflicts and clarifying the vagueness, we can develop a basis for the requirements specification.

  • Orthogonal Transformation to Enhance the Security of the Still Image Watermarking System

    Guo-rui FENG, Ling-ge JIANG, Chen HE
    LETTER-Digital Signal Processing
    Vol: E87-A No:4, Page(s): 949-951

    A watermarking system is secure as long as it satisfies Kerckhoffs' principle from cryptography. In this letter, two novel techniques, the encrypted orthogonal transformation and its improved scheme, are presented as useful preprocessing methods for the watermarking field, which can enhance the security of the watermarking scheme. Compared to discrete cosine transform watermarking algorithms, this method has similar robustness but higher security.

  • Comment on Traceability Analysis on Chaum Blind Signature Scheme

    Narn-Yih LEE, Chien-Nan WU
    LETTER-Information Security
    Vol: E87-A No:2, Page(s): 511-512

    In 1983, Chaum first introduced the concept of blind signature. In 2003, Hwang, Lee and Lai pointed out that the Chaum scheme cannot meet the untraceability property of the blind signature scheme. This letter will demonstrate that Hwang et al.'s claim is incorrect and the Chaum blind signature scheme still keeps the untraceability property.

  • Managing Encryption and Key Publication Independently in Digital Rights Management Systems

    Goichiro HANAOKA, Kazuto OGAWA, Itsuro MUROTA, Go OHTAKE, Keigo MAJIMA, Seiichi GOHSHI, Kimiyuki OYAMADA, Seiichi NAMBA, Hideki IMAI
    PAPER-Applications
    Vol: E87-A No:1, Page(s): 160-172

    Secure distribution of digital goods is now a significantly important issue for protecting publishers' copyrights. In this paper, we study a useful primitive for constructing a secure and efficient digital rights management (DRM) system in which the server that encrypts digital content and the one that issues the corresponding decryption key work independently; existing schemes lack this property. We first argue the property an encryption scheme needs for constructing an efficient DRM system, and formally define an encryption scheme having such a property as a split encryption scheme. We also show that an efficient split encryption scheme can be constructed from any identity-based encryption scheme. More precisely, we show an equivalence result implying that a split encryption scheme for some system parameter setting and an identity-based encryption scheme are the same primitive put to different uses. Since there is currently no identity-based encryption scheme which is based on a well-known computational assumption and/or provably secure in the standard model (i.e. without the random oracle model), by reasonably tuning the system parameters we show another construction of split encryption which is secure against chosen ciphertext attacks in the standard model, assuming that the decisional Diffie-Hellman problem is hard to solve.

  • Efficient Unconditionally Secure Digital Signatures

    Goichiro HANAOKA, Junji SHIKATA, Yuliang ZHENG, Hideki IMAI
    PAPER-Asymmetric Cipher
    Vol: E87-A No:1, Page(s): 120-130

    Digital signatures whose security does not rely on any unproven computational assumption have recently received considerable attention. While these unconditionally secure digital signatures provide a foundation for long-term integrity and non-repudiation of data, currently known schemes generally require a far greater amount of memory for the storage of secret and public keys than a traditional digital signature. The focus of this paper is on methods for reducing the memory requirements of unconditionally secure digital signatures. A major contribution of this paper is to propose two novel unconditionally secure digital signature schemes, one called a symmetric construction and the other an asymmetric construction, which require a significantly smaller amount of memory. As a specific example, with a typical parameter setting the required memory size for a user is reduced to be approximately of that in a previously known scheme. Another contribution of the paper is to show an attack on a multireceiver authentication code which was proposed by Safavi-Naini and Wang. A simple method to fix the problem of the multireceiver authentication code is also proposed.

  • A Distributed Sign-and-Encryption for Anonymity

    DongJin KWAK, SangJae MOON
    LETTER
    Vol: E87-A No:1, Page(s): 228-230

    Distributed signcryption is specifically designed for distributing a signcrypted message to a designated group. As such, it cannot be used in anonymous communication. Accordingly, the current study adds an anonymity property to distributed signcryption that results in almost the same computational load as regards the modular arithmetic. Therefore, the new scheme is more efficient than the expansion for anonymity in, and has potential applications in electronic commerce.

  • TMAC: Two-Key CBC MAC

    Kaoru KUROSAWA, Tetsu IWATA
    PAPER-Symmetric Cipher
    Vol: E87-A No:1, Page(s): 46-53

    In this paper, we propose TMAC. TMAC is a refinement of XCBC such that it requires only two keys while XCBC requires three keys. More precisely, TMAC requires only (k + n)-bit keys while XCBC requires (k + 2n)-bit keys, where k is the key length of the underlying block cipher E and n is its block length. We achieve this by using a universal hash function and the cost is almost negligible. Similar to XCBC, the domain is {0,1}* and it requires no extra invocation of E even if the size of the message is a multiple of n.

  • Security of a Remote User Authentication Scheme Using Smart Cards

    Her-Tyan YEH, Hung-Min SUN, Bin-Tsan HSIEH
    LETTER-Internet
    Vol: E87-B No:1, Page(s): 192-194

    Recently, Hwang and Li proposed a smartcard-based remote user authentication scheme. Later, Chan and Cheng showed that Hwang and Li's scheme is insecure against a kind of impersonation attack in which a legitimate user can create another valid pair of user identity and password without knowing the secret key of the remote system. However, an assumption under Chan and Cheng's attack is that the attacker must be a legal user. In this paper, we further present a more fundamental and efficient impersonation attack on Hwang and Li's scheme. Using our attack, any user (legal or illegal) can easily obtain a specific legal user's password, impersonate this specific user to log in to the remote system, and pass the system authentication.

  • ACU and RSM Based Radio Spectrum Management for Realization of Flexible Software Defined Radio World

    Kei SAKAGUCHI, Chih FUNG LAM, Tien Dzung DOAN, Munkhtur TOGOOCH, Jun-ichi TAKADA, Kiyomichi ARAKI
    PAPER
    Vol: E86-B No:12, Page(s): 3417-3424

    A new spectrum management architecture for a flexible software defined radio (SDR) is proposed. In this architecture, the SDR hardware and software are certified separately so as not to destroy the SDR flexibility, while ensuring that any combination of hardware and software is compliant with the radio regulations even at system (vertical) handover, global (horizontal) handover, and upgrade (forward) or downgrade (backward) handover. This architecture is based on an automatic calibration & certification unit (ACU), a built-in GPS receiver, and a radio security module (RSM). The ACU is a hardware-embedded RF manager that dynamically controls the output power spectrum to be compliant with the local radio regulation parameters. These local radio regulation parameters are securely downloaded to the hardware as an electronic label of the SDR software and stored in the RSM, which is the security manager of the hardware. The GPS position check is used, especially during roaming, to keep the terminal compliant with each local radio regulation managed by the geographical region. The principal parties involved in this architecture are the telecommunication certification body (TCB), the SDR hardware maker (HW maker), the SDR software maker (SW maker), and the SDR user. The roles and relationships of these four parties in the proposed architecture are clarified in this paper.

  • Technical Regulation Conformity Evaluation System for Software Defined Radio

    Yasuo SUZUKI, Koji ODA, Ryoichi HIDAKA, Hiroshi HARADA, Tatsuaki HAMAI, Tokihiko YOKOI
    PAPER
    Vol: E86-B No:12, Page(s): 3392-3400

    Interest in the regulatory issues for Software Defined Radio (SDR) has been spreading worldwide since the Federal Communications Commission (FCC) recently recognized SDR and created a new category for SDR authorization. SDR technology will bring enormous benefits to the field of wireless services. However, in order to ensure such benefits, revisions of the radio law and/or related ordinances are required regardless of the standardization of software downloading and other implementation details. In order to define the issues peculiar to SDR and to investigate how conformity evaluation should be conducted for radio equipment whose RF characteristics can be altered by software changes in the field, the "Study Group on Software Technology for Radio Equipment" was organized by the Telecom Engineering Center (TELEC) in 2000. This paper summarizes a report of the Study Group that was published in March 2003, including the proposal for a "Technical regulation conformity evaluation system," the principal output of the study, which proposes how to prevent unauthorized changes to radio equipment in the field.

  • Sufficient Conditions for Update Operations on Object-Oriented Databases to Preserve the Security against Inference Attacks

    Yasunori ISHIHARA, Kengo MORI, Toru FUJIWARA
    PAPER-Databases
    Vol: E86-D No:10, Page(s): 2187-2197

    Detecting the possibility of inference attacks is necessary in order to keep a database secure. In an inference attack, a user tries to infer the result of queries that are unauthorized for that user. For method schemas, which are a formal model of object-oriented databases, it is known that the security problem against inference attacks is decidable in polynomial time in the size of a given database instance. However, when the database instance or the authorization has been only slightly updated, it is undesirable, for efficiency reasons, to check the entire database again. In this paper, we propose several sufficient conditions for update operations to preserve security. Furthermore, we show that some of the proposed sufficient conditions can be decided much more efficiently than the entire security check. Thus, the sufficient conditions are useful for incremental security checking.
