
Keyword Search Result

[Keyword] security(630hit)

561-580hit(630hit)

  • Improvement on Peyravian-Zunic's Password Authentication Schemes

    Jing-Jang HWANG, Tzu-Chang YEH
    LETTER-Fundamental Theories
    Vol: E85-B No:4, Page(s): 823-825

    Peyravian and Zunic (2000) presented two schemes for protecting password transmission and password change respectively. Like the traditional authentication scheme using passwords, the two new schemes are also vulnerable to attacks such as guessing attacks, server spoofing, and server data eavesdropping. This paper demonstrates what has caused these drawbacks; moreover, two improved schemes are proposed which are free from those possible attacks.

  • A Fast Finite Field Multiplier Architecture for High-Security Elliptic Curve Cryptosystems

    Sangook MOON, Yong Joo LEE, Jae Min PARK, Byung In MOON, Yong Surk LEE
    LETTER-Applications of Information Security Techniques
    Vol: E85-D No:2, Page(s): 418-420

    A new approach to designing a finite field multiplier architecture is proposed. The proposed architecture trades a reduction in the number of clock cycles for resources. This architecture features high performance, simple structure, scalability and independence of the choice of the finite field, and can be used in high-security cryptographic applications such as elliptic curve cryptosystems over large prime Galois Fields (GF(2^m)).

  • A Traitor Traceable Conference System with Dynamic Sender

    Goichiro HANAOKA, Junji SHIKATA, Yuliang ZHENG, Hideki IMAI
    PAPER
    Vol: E85-A No:1, Page(s): 167-174

    This paper addresses the problem of designing an unconditionally secure conference system that fulfills the requirements of both traceability and dynamic sender. In a so-called conference system, a common key is shared among all authorized users, and messages are encrypted using the shared key. It is known that a straightforward implementation of such a system may present a number of security weaknesses. Our particular concern lies in the possibility that unauthorized users may be able to acquire the shared key by illegal means, say from one or more authorized but dishonest users (called traitors). An unauthorized user who has successfully obtained the shared key can now decrypt scrambled messages without leaving any evidence of who the traitors were. To solve this problem, in this paper we propose a conference system that admits dynamic sender traceability. The new solution can detect traitors, even if the sender of a message is dynamically determined after a shared key is distributed to authorized users. We also prove that this scheme is unconditionally secure.

  • An Experimental Study on IPSec

    Katsuji TSUKAMOTO, Masaaki MATSUSHIMA, Kazuhiko MATSUKI, Yusuke TAKANO
    PAPER
    Vol: E85-A No:1, Page(s): 175-180

    Since the impact of the recent rapid penetration of Information Technologies into society is so tremendous, it is said that an IT revolution is coming. Recognizing these new waves, the Japanese Government is now promoting e-Government programs, and most enterprises are going to depend on the Internet for their various activities. However, computer criminals and other threats to security are increasing and becoming serious. Therefore, 'security' is the key for the Internet to become the infrastructure of the future society in a true sense. There are many products for security controls, which are not necessarily compatible or interoperable. Interoperability is the basic requirement for infrastructures. In April 2000, JNSA was organized by about a hundred IT companies. In October 2000, LINCS was set up in Kogakuin University. The two organizations set up a Consortium to make experimental studies on IPSec interoperability. This is the first report of the activities and the intermediate (first) results obtained.

  • Message Authentication for Stream

    Hidenori KUWAKADO, Hatsukazu TANAKA
    LETTER
    Vol: E85-A No:1, Page(s): 190-193

    The function of a message authentication code (MAC) is to verify the validity of a whole message. The disadvantage of usual MACs is that a receiver cannot check its validity until the receipt of a message is finished. Hence, usual MACs are not suitable for verifying a large amount of data such as video and audio (called a stream). In this letter, we propose a MAC such that the validity of a stream can be consecutively verified without waiting for the end of the reception. In addition, we show its implementations: one is based on practical hash functions, and the other is based on universal hash functions.

  • Semantically Secure McEliece Public-Key Cryptosystem

    Kazukuni KOBARA, Hideki IMAI
    PAPER
    Vol: E85-A No:1, Page(s): 74-83

    Almost all of the current public-key cryptosystems (PKCs) are based on number theory, such as the integer factoring problem and the discrete logarithm problem (which will be solvable in polynomial time after the emergence of quantum computers). While the McEliece PKC is based on another theory, i.e. coding theory, it is vulnerable to several practical attacks. In this paper, we summarize currently known attacks on the McEliece PKC, and then point out that, without any decryption oracles or any partial knowledge of the plaintext of the challenge ciphertext, no polynomial-time algorithm is known for inverting the McEliece PKC whose parameters are carefully chosen. Under the assumption that this inverting problem is hard, we propose a slightly modified version of the McEliece PKC that can be proven, in the random oracle model, to be semantically secure against adaptive chosen-ciphertext attacks. Our conversion can reduce the redundant data down to 1/3-1/4 compared with the generic conversions for practical parameters.

  • On the Security of Feistel Ciphers with SPN Round Function against Differential, Linear, and Truncated Differential Cryptanalysis

    Masayuki KANDA, Tsutomu MATSUMOTO
    PAPER
    Vol: E85-A No:1, Page(s): 25-37

    This paper studies the security of Feistel ciphers with SPN round function against differential cryptanalysis, linear cryptanalysis, and truncated differential cryptanalysis from the "designer's standpoint." In estimating the security, we use the upper bounds of differential characteristic probability, linear characteristic probability and truncated differential probability, respectively. They are useful for designing ciphers that are practically secure against these cryptanalyses. Firstly, we consider the minimum numbers of differential and linear active s-boxes. They provide the upper bounds of differential and linear characteristic probability, which show the security of ciphers constructed from s-boxes against differential and linear cryptanalysis. We clarify the (lower bounds of the) minimum numbers of differential and linear active s-boxes in some consecutive rounds of the Feistel ciphers by using the differential and linear branch numbers, P_d and P_l, respectively. Secondly, we discuss the following items on truncated differential probability from the designer's standpoint, and show how they affect the upper bound of truncated differential probability: (a) truncated differential probability of the effective active s-box, (b) XOR cancellation probability, and (c) the effect of auxiliary functions. Finally, we revise Matsui's algorithm using the above discussion in order to evaluate the upper bound of truncated differential probability, since we consider the upper bound of truncated differential probability as well as that of differential and linear probability.

  • An Unconditionally Secure Electronic Cash Scheme with Computational Untraceability

    Akira OTSUKA, Goichiro HANAOKA, Junji SHIKATA, Hideki IMAI
    PAPER
    Vol: E85-A No:1, Page(s): 140-148

    We have introduced the first electronic cash scheme with unconditional security. That is, even malicious users with unlimited computational ability cannot forge a coin and cannot change the user's identity secretly embedded in each coin. Meanwhile, the spender's anonymity is preserved by our new blind signature scheme based on the unconditionally secure signature proposed in [7]. However, the anonymity is preserved only computationally, under the assumption that the Decisional Diffie-Hellman Problem is intractable.

  • A Framework to Evaluate Security and Cost of Time Stamping Schemes

    Masashi UNE, Tsutomu MATSUMOTO
    PAPER
    Vol: E85-A No:1, Page(s): 125-139

    Time stamping is a technique used to prove the existence of certain digital data prior to a specific point in time. With the recent expansion of electronic commerce, it has been widely recognized as an important technique for ensuring the integrity of digital data for a long time period. Recently, various time stamping schemes have been proposed. However, a framework for evaluating their security and cost has not yet been established. Therefore, it has been difficult for users and system designers to select appropriate time stamping schemes. This paper presents a new framework for evaluating the security and cost of time stamping schemes. Our framework classifies time stamping schemes into 108 categories and clarifies their characteristics with regard to security and cost. By applying our framework to a certain scheme, we can easily evaluate its security and cost without discussing details of its specification. In this paper, we explain the basic idea of our framework and show how to use it by applying it to four existing schemes: Digital Notary/SecureSeal, PKITS, TIMESEC and Cuculus.

  • Round Security and Super-Pseudorandomness of MISTY Type Structure

    Tetsu IWATA, Tomonobu YOSHINO, Tomohiro YUASA, Kaoru KUROSAWA
    PAPER
    Vol: E85-A No:1, Page(s): 2-10

    The security of an iterated block cipher heavily depends on its structure as well as on each round function. Matsui showed that the MISTY type structure is faster and more robust than the Feistel structure in terms of its resistance against linear and differential cryptanalysis. On the other hand, Luby and Rackoff proved that the four round Feistel structure is super-pseudorandom if each round function f_i is a random function. This paper proves that the five round MISTY type structure is super-pseudorandom. We also characterize its round security.

  • Public Information Server for Tracing Intruders in the Internet

    Midori ASAKA, Takefumi ONABUTA, Shigeki GOTO
    PAPER-Internet Technologies
    Vol: E84-B No:12, Page(s): 3104-3112

    The number of computer break-ins from outside an organization has increased with the rapid growth of the Internet. Since many intruders from outside an organization employ stepping stones, it is difficult to trace back to the real origin of the attack. Some research projects have proposed tracing methods for DoS attacks and detection methods for stepping stones. It is still difficult to locate the origin of an attack that uses stepping stones. We have developed IDA (Intrusion Detection Agent system), which has an intrusion tracing mechanism in a LAN environment. In this paper, we improve the tracing mechanism so that it can trace back a stepping-stone attack in the Internet. In our method, the information about tracing stepping stones is collected effectively from hosts in a LAN, and the information is made available at the public information server. A pursuer of a stepping-stone attack can trace back the intrusion based on the information available at the public information servers along the intrusion route.

  • Analysis and Optimization of Kumar-Rajagopalan-Sahai Coding Constructions for Blacklisting Problem

    Maki YOSHIDA, Toru FUJIWARA
    PAPER-Information Security
    Vol: E84-A No:9, Page(s): 2338-2345

    Solutions based on error-correcting codes for the blacklisting problem of a broadcast distribution system have been proposed by Kumar, Rajagopalan and Sahai. In this paper, a detailed analysis of the solutions is presented. By choosing parameters properly in their constructions, we show that the performance is improved significantly.

  • Biometrics Systems: Anatomy of Performance

    Anil JAIN, Sharath PANKANTI
    PAPER
    Vol: E84-D No:7, Page(s): 788-799

    Accurate automatic personal identification is critical to a wide range of application domains such as access control, electronic commerce, and welfare benefits disbursement. Traditional personal identification methods (e.g., passwords and PINs) suffer from a number of drawbacks and are unable to positively identify a person. Biometrics refers to the automatic identification of an individual based on her distinct physiological and/or behavioral traits. While biometrics is not an identification panacea, it is beginning to provide very powerful tools for a variety of new applications (e.g., cellular phones, smart cards and international border control) requiring positive identification. This paper attempts to summarize important research issues in biometrics.

  • Managed IP Multicast Platform Suitable for Business Usage

    Kenichi MATSUI, Masaki KANEDA, Hikaru TAKENAKA, Hiroyuki ICHIKAWA
    PAPER
    Vol: E84-D No:5, Page(s): 560-569

    This paper proposes a managed IP multicast platform that enables IP multicast services to be used for business. Nowadays, many business applications have switched from traditional network platforms to the IP platform. Among these applications, one-to-many or many-to-many types of applications are especially essential to business users. These applications may use IP Multicasting for transmitting data to many users. However, for business applications, it is difficult to use the present IP Multicast services, because they lack many requirements for business usage. The requirements are address management, authentication, time management, and guaranteed throughput. To satisfy business users, we designed a managed IP multicast platform that meets these requirements. Our platform, which separates the routing control layer and the packet forwarding layer, is called GMN-CL (Connection Technologies for Global Mega-media Network). The routing control layer manages routing information and controls network routing centrally, so it can understand the whole network situation and perform efficient routing. The packet forwarding layer can concentrate completely on forwarding, so the forwarding speed and copying speed are higher than when using routers. We have implemented our design of a managed IP multicast platform over GMN-CL. This paper reports the system design, implementation, and evaluation.

  • Linear Complexity of Kronecker Sequences

    Kari H. A. KARKKAINEN
    LETTER-Spread Spectrum Technologies and Applications
    Vol: E84-A No:5, Page(s): 1348-1351

    Based on the use of the Berlekamp-Massey algorithm, six conjectures for the linear complexity (LC) of some Kronecker sequences of two and three component codes are given. Components were chosen from the families of Gold, Kasami, Barker, Golay complementary and M-sequences. Typically, the LC value is a large part of the code length. The LC value of the outermost code mostly influences the LC value.

  • A New Intrusion Detection Method Based on Discriminant Analysis

    Midori ASAKA, Takefumi ONABUTA, Tadashi INOUE, Shunji OKAZAWA, Shigeki GOTO
    PAPER
    Vol: E84-D No:5, Page(s): 570-577

    Many methods have been proposed to detect intrusions; for example, the pattern matching method on known intrusion patterns and the statistical approach to detecting deviation from normal activities. We investigated a new method for detecting intrusions based on the number of system calls during a user's network activity on a host machine. This method attempts to separate intrusions from normal activities by using discriminant analysis, a kind of multivariate analysis. We can detect intrusions by analyzing only 11 system calls occurring on a host machine by discriminant analysis with the Mahalanobis' distance, and can also tell whether an unknown sample is an intrusion. Our approach is a lightweight intrusion detection method, given that it requires only 11 system calls for analysis. Moreover, our approach does not require user profiles or a user activity database in order to detect intrusions. This paper explains our new method for the separation of intrusions and normal behavior by discriminant analysis, and describes the classification method by which to identify an unknown behavior.

  • Improvement on the Cheater Identifiable Threshold Scheme

    Hidenori KUWAKADO, Hatsukazu TANAKA
    LETTER
    Vol: E84-A No:4, Page(s): 957-960

    Kurosawa, Obana, and Ogata proposed a (k,n) threshold scheme such that t cheaters can be identified, where t (k-1)/3. Their scheme is superior to previous schemes with respect to the number of participants needed for identifying cheaters and the size of a share. In this paper, we improve the detectability of their scheme. By using erasure decoding and an authentication code, we show that fewer than k/2 cheaters can be identified. Although the size of a share is larger than that of their scheme, it is independent of n.

  • A Chosen-Cipher Secure Encryption Scheme Tightly as Secure as Factoring

    Eiichiro FUJISAKI, Tatsuaki OKAMOTO
    PAPER
    Vol: E84-A No:1, Page(s): 179-187

    At Eurocrypt'98, Okamoto and Uchiyama presented a new trap-door (one-way) function based on factoring, while Fujisaki and Okamoto, at CRYPTO'99, showed a generic conversion from just one-way encryption to chosen-cipher secure encryption in the random oracle model. This paper shows that the result of combining both schemes is well harmonized (rather than an arbitrary combination) and, in the sense of exact security, boosts the level of security more than would be expected from [6]: the security of the scheme yielded by the combination is tightly reduced from factoring. This paper also gives a rigorous description of the new scheme, because this type of encryption may suffer serious damage if poorly implemented. The proposed scheme is at least as efficient as any other chosen-cipher secure asymmetric encryption scheme such as [2], [4], [13].

  • A Refined Definition of Semantic Security for Public-Key Encryption Schemes

    Hideaki SAKAI, Noriko NAKAMURA, Yoshihide IGARASHI
    PAPER
    Vol: E84-D No:1, Page(s): 34-39

    We introduce a refined definition of semantic security. The new definition is valid against not only chosen-plaintext attacks but also chosen-ciphertext attacks, whereas the original one is defined against only chosen-plaintext attacks. We show that semantic security formalized by the new definition is equivalent to indistinguishability, due to Goldwasser and Micali, for each of chosen-plaintext attacks, non-adaptive chosen-ciphertext attacks, and adaptive chosen-ciphertext attacks.

  • A Signature Scheme with Message Recovery as Secure as Discrete Logarithm

    Masayuki ABE, Tatsuaki OKAMOTO
    PAPER
    Vol: E84-A No:1, Page(s): 197-204

    This paper, for the first time, presents a provably secure signature scheme with message recovery based on the elliptic-curve discrete logarithm. The proposed scheme is proven to be secure in the strongest sense (i.e., existentially unforgeable against adaptively chosen message attacks) in the random oracle model under the discrete logarithm assumption. We give a concrete analysis of the security reduction. When practical hash functions are used in place of truly random functions, the proposed scheme is almost as efficient as the elliptic-curve version of the Schnorr signature scheme and existing schemes with message recovery such as the elliptic-curve version of the Nyberg-Rueppel and Miyaji schemes.
