
Keyword Search Result

[Keyword] security(630hit)

601-620hit(630hit)

  • Multi-Recastable Ticket Schemes for Electronic Voting

    Chun-I FAN  Chin-Laung LEI

    PAPER-Information Security, Vol: E81-A No:5, Page(s): 940-949

    Multi-recast techniques make it possible for a voter to participate in a sequence of different designated votings by using only one ticket. In a multi-recastable ticket scheme for electronic voting, every voter of a group can obtain an m-castable ticket (m-ticket), and through the m-ticket, the voter can participate in a sequence of m different designated votings held in this group. The m-ticket contains all possible intentions of the voter in the sequence of votings, and in each of the m votings, a voter casts his vote by just making appropriate modifications to his m-ticket. The authority cannot produce both the opposite version of a vote cast by a voter in one voting and the succeeding uncast votes of the voter. Only one round of registration action is required for a voter to request an m-ticket from the authority. Moreover, the size of such an m-ticket is not larger than that of an ordinary vote. It turns out that the proposed scheme greatly reduces the network traffic between the voters and the authority during the registration stages in a sequence of different votings, for example, the proposed method reduces the communication traffic by almost 80% for a sequence of 5 votings and by nearly 90% for a sequence of 10 votings.

  • Security Verification of Real-Time Cryptographic Protocols Using a Rewriting Approach

    Takehiko TANAKA  Yuichi KAJI  Hajime WATANABE  Toyoo TAKATA  Tadao KASAMI

    PAPER-Software Theory, Vol: E81-D No:4, Page(s): 355-363

    A computational model for security verification of cryptographic protocols is proposed. Until recently, security verification of cryptographic protocols was left to the protocol designers' experience and heuristics. Though some formal verification methods have been proposed for this purpose, they are still insufficient for the verification of practical real-time cryptographic protocols. In this paper we propose a new formalism based on a term rewriting system approach that we have developed. In this model, what and when the saboteur can obtain is expressed by a first-order term of a special form, and time-related concepts such as the passage of time and the causality relation are specified by conditional term rewriting systems. By using our model, a cryptographic protocol which was shown to be secure by the BAN-logic is shown to be insecure.

  • Group Cipher System for Intranet Security

    Hiromichi ITO  Seiichi SUSAKI  Masato ARAI  Minoru KOIZUMI  Kazuo TAKARAGI

    PAPER, Vol: E81-A No:1, Page(s): 28-34

    A group-oriented cipher communication method is developed and implemented on a WWW-based (World Wide Web) network system. In this method, a group key common to all entities of the group is generated based on the group name or the identities of the entities belonging to the group. The group key, in turn, is used for encrypting the data being shared among the group via the WWW server. Data theft at the WWW cache sites on the intermediate communication line is prevented, combining good WWW cache performance with security. A prototype of our method proved its feasibility and efficiency.

  • Efficient Key Exchange and Authentication Protocols Protecting Weak Secrets

    Taekyoung KWON  Jooseok SONG

    PAPER-Information Security, Vol: E81-A No:1, Page(s): 156-163

    We propose new key exchange and authentication protocols, which are efficient in protecting a poorly-chosen weak secret from guessing attacks, based on the use of a one-time pad and a strong one-way hash function. Cryptographic protocols assume that a strong secret should be shared between communication participants for authentication, in the light of an ever-present threat of guessing attacks. A cryptographically long secret would be better for security, but only if ordinary users could remember it. Most users, however, choose an easy-to-remember password as a secret, and such a weak secret can be guessed easily. In our previous work, we concentrated on introducing the basic concept and its application. In this paper, we describe our idea in more detail and propose more protocols which correspond to variants of our basic protocol, using well-defined notations. Formal verification and an efficiency comparison of the proposed protocols are also presented. With our scheme, password guessing attacks are defeated efficiently, a session key is exchanged, and the participants are authenticated securely.

  • Comment on "On the One-Way Algebraic Homomorphism"

    Li XIAOJIE  Yi Xian YANG

    LETTER, Vol: E81-A No:1, Page(s): 105-105

    A multiple signature scheme proposed in [1] is proved to be insecure.

  • User Authentication in Mobile Computing Environment

    Akio TAKUBO  Mutsumi ISHIKAWA  Takashi WATANABE  Masakazu SOGA  Tadanori MIZUNO

    PAPER, Vol: E80-A No:7, Page(s): 1288-1298

    Computers are connected with each other by networks as a result of progress in computer and network technology, and all of the data to be processed are transferred quickly and in real time through the computer network. Although the user can use the computer system at any time, the user must go to the location of the computer system to use its resources. The need to use the computer system arises anywhere and at any time, regardless of the location of the computer system. For this requirement the mobile computing environment (MCE) is strongly expected. In this paper we introduce the model of MCE and discuss the need for user authentication when entering and logging in to the network in MCE with only a user ID. We propose a method of user ID assignment from which a server ID can be derived by a simple logical operation. We also propose a protocol for user authentication in MCE and discuss the robustness of its security against various attacks on the route.

  • On Non-Pseudorandomness from Block Ciphers with Provable Immunity Against Linear Cryptanalysis

    Kouichi SAKURAI  Yuliang ZHENG

    PAPER, Vol: E80-A No:1, Page(s): 19-24

    Weakness of a block cipher which has provable immunity against linear cryptanalysis is investigated. To this end, the round transformation used in MISTY, which is a data encryption algorithm recently proposed by M. Matsui from Mitsubishi Electric Corporation, is compared to the round transformation of DES from the point of view of pseudorandom generation. An important property of the MISTY cipher is that, in terms of theoretically provable resistance against linear and differential cryptanalysis, which are the most powerful cryptanalytic attacks known to date, it is more robust than the Data Encryption Standard or DES. This property can be attributed to the application of a new round transform in the MISTY cipher, which is obtained by changing the location of the basic round-function in a transform used in DES. Cryptographic roles of the transform used in the MISTY cipher are the main focus of this paper. Our research reveals that when used for constructing pseudorandom permutations, the transform employed by the MISTY cipher is inferior to the transform in DES, though the former is superior to the latter in terms of strength against linear and differential attacks. More specifically, we show that a 3-round (4-round, respectively) concatenation of transforms used in the MISTY cipher is not a pseudorandom (super pseudorandom, respectively) permutation.

  • A Secure and Practical Electronic Voting Scheme for Real World Environments

    Wen-Shenq JUANG  Chin-Laung LEI

    PAPER, Vol: E80-A No:1, Page(s): 64-71

    In this paper, we propose a practical and secure electronic voting scheme which meets the requirements of large-scale general elections. This scheme involves voters, the administrator (the so-called government), and some scrutineers. In our scheme, a voter only has to communicate with the administrator three times, and the scheme ensures independence among voters without the need for any global computation. This scheme uses a threshold cryptosystem to guarantee fairness among the candidates' campaigns and to provide a mechanism by which any voter can make an open objection to the tally if his vote has not been published. This scheme preserves the privacy of a voter against the administrator, scrutineers, and other voters. Completeness, robustness, and verifiability of the voting process are ensured, and hence no one can produce a false tally or corrupt or disrupt the election.

  • Security Issues in Mobile Information Networks

    Thomas HARDJONO  Jennifer SEBERRY

    PAPER, Vol: E79-A No:7, Page(s): 1021-1026

    During the last decade the decrease in the size of computing machinery, coupled with the increase in their computing power, has led to the development of the concept of mobile computing. The effects of this new vision are currently evident in the flourishing numbers of mobile telephones and portable computing units. In this paper we briefly investigate some issues concerning the security of mobile computing systems, within the framework of the categories of mobility, disconnection, data access modes and scale of operation (Imielinski & Badrinath, 1993). In contrast to previous works which concentrate on security in wireless communications, we focus on the security of interactions which are built upon the underlying wireless communications medium. Some conclusions are presented on future directions for security research in mobile computing systems.

  • An Improved Method for Formal Security Verification of Cryptographic Protocols

    Hajime WATANABE  Toru FUJIWARA  Tadao KASAMI

    PAPER-Information Security, Vol: E79-A No:7, Page(s): 1089-1096

    We have devised a polynomial time algorithm to formally decide the security of cryptographic protocols under certain conditions, and implemented the algorithm on a computer as a supporting system for deciding security. In this paper, a useful approach is presented for deciding security problems which do not satisfy some of the above-mentioned conditions by using the system. As an application, we consider a basic security problem of the Kerberos protocol: whether or not an enemy can obtain the session key between a client and a server by using any information not protected in the communication channels and any operation not prohibited in the system. It is shown that Kerberos is secure with respect to this problem.

  • Basic Propositions of the Resonant Security Tag System

    Kiyoshi INUI  Yuichiro KATSU  Masanobu KOMINAMI  Hiroji KUSAKA

    LETTER, Vol: E79-A No:5, Page(s): 661-664

    We reveal the fundamental electromagnetic characteristics of a basic proposition for the security tag system that is able to exclude misjudgment caused by a neighboring reflective object, both when provided with correlative detection and when using a multi-resonant tag.

  • Linear Complexity of Binary Golay Complementary Sequences

    Kari H. A. KARKKAINEN  Pentti A. LEPPANEN

    PAPER-Spread Spectrum Technologies and Applications, Vol: E79-A No:4, Page(s): 609-613

    It is demonstrated with the Berlekamp-Massey shift-register synthesis algorithm that the linear complexity value of binary complementary sequences is at least 3/4 of the sequence length. For some sequence pairs the linear complexity value can be even 0.98 times the sequence length. In the light of these results strongly non-linear complementary sequences are considered suitable for information security applications employing the spread-spectrum (SS) technique.

  • A Hierarchical and Dynamic Group-Oriented Cryptographic Scheme

    Shiuh-Jeng WANG  Jin-Fu CHANG

    PAPER, Vol: E79-A No:1, Page(s): 76-85

    Access control has been an important security issue in information systems. Multilevel hierarchical information access widely exists in present-day government, military, and business applications. Extending access control design to work in a hierarchical environment is natural and necessary, but has rarely been addressed so far in the literature. In this paper, a dynamic group-oriented cryptographic scheme for accessing a multilevel data hierarchy is proposed. In the proposed scheme, a trusted central authority is in charge of the administrative activities in the organization hierarchy. At the beginning, each user class submits its associated information and a cryptographic key of its preference to the central authority. Next, the central authority generates public information for each class according to its location in the organization hierarchy. The cryptographic key held by each class can be used directly as an encryption key to encipher data. These keys need not be modified when adding/deleting a class to/from the system. Compared with other existing schemes, ours has the advantages of flexibility in choosing user-preferred cryptographic keys, cryptographic keys not exceeding a fixed length, reduced storage space for publishing public information, and protection from conspiracy attacks.

  • Simulation and Design of the LC Resonant Circuit Security Tags

    Kiyoshi INUI  Masanobu KOMINAMI  Hiroji KUSAKA

    LETTER-Analog Signal Processing, Vol: E78-A No:10, Page(s): 1412-1414

    On a simple model, the quality factor of the security tag is simulated theoretically and verified experimentally. A simple correction makes both results correspond exactly, and a simulation formula is provided. By using a novel insulating film, a small-sized tag of high quality is developed.

  • A New Approach to Constructing a Provably Secure Variant of Schnorr's Identification Scheme

    Satoshi HADA  Hatsukazu TANAKA

    PAPER, Vol: E78-A No:9, Page(s): 1154-1159

    Schnorr's identification scheme is the most efficient and simplest scheme based on the discrete logarithm problem. Unfortunately, Schnorr's scheme is not provably secure, i.e., its security has not been proven to be reducible to well-defined intractable problems. Two works have already succeeded in constructing provably secure variants of Schnorr's scheme. They were constructed with a common approach, i.e., by modifying the formula that computes the public key so that each public key has multiple secret keys. These multiple secret keys seem to be essential for their provable security, but also give rise to a penalty in their efficiency. In this paper, we describe a new approach to constructing a provably secure variant in which we never modify the formula, and show that with our approach we can construct a new, efficient, provably secure scheme.

  • Evaluating Security of a Simple Interactive Human Identification Scheme

    Ryo MIZUTANI  Tsutomu MATSUMOTO

    LETTER, Vol: E78-A No:5, Page(s): 577-578

    Password checking schemes are human identification methods commonly adopted in many information systems. One of their disadvantages is that an attacker who correctly observed an input password can impersonate the corresponding user freely. To overcome this, interactive human identification schemes have been proposed. Namely, a human prover who holds a secret key is asked a question by a machine verifier, which then checks whether the prover's answer matches the question with respect to the key. This letter examines such a scheme that requires relatively little effort from human provers. By computer experiments this letter evaluates its resistance against one type of attack: after observing several pairs of questions and correct answers, how successfully can an attacker answer the next question?

  • Permutation Cipher Scheme Using Polynomials over a Field

    Eiji OKAMOTO  Tomohiko UYEMATSU  Masahiro MAMBO

    PAPER-Information Security, Vol: E78-D No:2, Page(s): 138-142

    A permutation cipher scheme using polynomials over a field is presented. Permutation, as well as substitution, plays a major role in almost all conventional cryptosystems. But the security of the permutation depends on how symbols are permuted. This paper proposes the use of polynomials for the permutation and shows that the scheme satisfies the following security criteria. (1) There are enough encryption keys to defend against exhaustive attacks. (2) The permutation moves almost all samples into places which are different from their original places. (3) Most samples are shifted differently by different permutations. The permutation cipher scheme can be regarded as a scheme based on Reed-Solomon codes: the information symbols of the codes compose a key of the permutation cipher scheme.

  • Two Algorithms for Modular Exponentiation Using Nonstandard Arithmetics

    Vassil DIMITROV  Todor COOKLEV

    LETTER, Vol: E78-A No:1, Page(s): 82-87

    Two new algorithms for performing modular exponentiation are suggested. Nonstandard number systems are used. The first algorithm is based on representing the exponent as a sum of generalized Fibonacci numbers. This representation is known as the Zeckendorf representation. When precomputation is allowed, the resulting algorithm is more efficient than the classical binary algorithm, but requires more memory. The second algorithm is based on a new number system, which is called the hybrid binary-ternary number system (HBTNS). The properties of the HBTNS are investigated. With or without precomputation, the resulting algorithm for modular exponentiation is superior to the classical binary algorithm. A conjecture is made that if more bases are used, an asymptotically optimal algorithm can be obtained. Comparisons are made and directions for future research are given.

  • Information Leakage Measurement in a Distributed Computation Protocol

    Shin-ichi KAWAMURA

    PAPER, Vol: E78-A No:1, Page(s): 59-66

    This paper deals with information leakage measurement in a distributed computation protocol called SASC. The SASC protocol is a kind of two-party protocol between a client and a server. The computation for the RSA cryptosystem is the target of this paper. This paper shows that a secure RSA-SASC protocol proposed recently could become insecure if the client which holds the secret information were to complain about the computation result. This paper first clarifies how to measure the amount of information which leaks through the protocol. It then shows an attack procedure that makes use of the client's complaint. The effectiveness of the attack procedure is measured by an information theoretic measure. By using the same measure, it is shown that some attacks do not work to derive the client's secret. It is also shown that a practical countermeasure, limiting the number of incorrect computations allowed, is effective in limiting the leakage of the secret information to a reasonable extent.

  • An Electronic Retail Payment System with Distributed Control--A Conceptual Design--

    Tsutomu MATSUMOTO

    PAPER, Vol: E78-A No:1, Page(s): 67-76

    This paper proposes an electronic retail payment system to provide flexible and efficient funds transfers with adequate security, reliability, circulativity, and anonymity even in large-scale applications. Funds are represented by a portable intelligent device called a card, issued by a supervising organization, the system provider. Funds can be transferred from one card to another at an intelligent terminal called a mediator. To update the balance of each card, two digital signatures are generated by a three-party protocol conducted by the cards and the mediator, and are encoded and appended to a write-once separate memory in the card. Old signatures are simultaneously nullified. Through a wired or radio non-real-time link, the generated signatures are periodically reported to the system provider to systematically manage possible abuses.
