
Keyword Search Result

[Keyword] signature(281hit)

261-280hit(281hit)

  • Active Attacks on Two Efficient Server-Aided RSA Secret Computation Protocols

    Gwoboa HORNG  

     
    LETTER-Information Security

      Vol:
    E80-A No:10
      Page(s):
    2038-2039

    Recently, two new efficient server-aided RSA secret computation protocols were proposed. They are efficient and can guard against some active attacks. In this letter, we propose two multi-round active attacks which can effectively reduce their security level or even break them.

  • The Controlling Value Boolean Matching

    Ricardo FERREIRA  Anne-Marie TRULLEMANS  Qinhai ZHANG  

     
    PAPER

      Vol:
    E80-A No:10
      Page(s):
    1749-1755

    We present here the Controlling Value Boolean Matching based on fault analysis. The problem is to match a Boolean function with don't cares on library cells under arbitrary input permutations and/or input-output phase assignments. Most of the library cells can be represented by tree structure circuits. The approach presented here is suitable for these structures and computes the Boolean matching better than the structural matching used in SIS. It can handle library cells with a general topology and reconvergent paths. The benchmark test shows that the Controlling Value Boolean Matching can be as fast as the structural matching used in SIS.

  • An Interactive Identification Scheme Based on Quadratic Residue Problem

    DaeHun NYANG  EaGu KIM  JooSeok SONG  

     
    PAPER-Information Security

      Vol:
    E80-A No:7
      Page(s):
    1330-1335

    We propose an interactive identification scheme based on the quadratic residue problem. The prover's identity can be proved without revealing his secret information, with only one accreditation. The proposed scheme requires few computations in the verification process and a small amount of memory to store the secret information. A digital signature based on this scheme is proposed, and its validity is then proved. Lastly, an analysis of the proposed scheme is presented.
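    The abstract above describes an identification scheme whose security rests on the quadratic residue problem, without giving the protocol. The block below is an added example (not the paper's scheme and not its code) showing the classic interactive Fiat-Shamir identification on quadratic residues, which is the standard construction in this setting: the prover proves knowledge of a square root s of the public value v = s^2 mod N over t rounds, and a prover who does not know s can only pass a round by guessing the challenge bit in advance, so t rounds leave a cheater a 2^-t chance. The modulus, the choice of 20 rounds and the message framing are assumptions of the example; the tiny primes are for illustration only.

```python
"""Fiat-Shamir style identification on quadratic residues (toy parameters)."""
import secrets
from math import gcd

# Assumed toy modulus: two small primes stand in for the trusted centre's
# secret factors. A real deployment uses an RSA-sized modulus.
P, Q = 1019, 1031
N = P * Q
RNG = secrets.SystemRandom()


def keygen():
    """Prover's secret s (coprime to N) and public v = s^2 mod N."""
    while True:
        s = RNG.randrange(2, N)
        if gcd(s, N) == 1 and pow(s, 2, N) != 1:
            return s, pow(s, 2, N)


class HonestProver:
    """Knows a square root s of v and can answer either challenge bit."""

    def __init__(self, s):
        self.s, self.r = s, None

    def commit(self):
        self.r = RNG.randrange(1, N)
        return pow(self.r, 2, N)                   # x = r^2 mod N

    def respond(self, e):
        return (self.r * pow(self.s, e, N)) % N   # y = r * s^e mod N


class CheatingProver:
    """Knows only v. Guesses the challenge bit before committing; if the
    verifier asks for the other bit, the response cannot verify."""

    def __init__(self, v, guess):
        self.v, self.guess, self.y = v, guess, None

    def commit(self):
        self.y = RNG.randrange(1, N)
        if self.guess == 0:
            return pow(self.y, 2, N)                          # x = y^2
        return (pow(self.y, 2, N) * pow(self.v, -1, N)) % N   # x = y^2 / v

    def respond(self, e):
        return self.y        # correct only when e == guess


def verify_round(v, x, e, y):
    """Accept iff y^2 == x * v^e (mod N); x == 0 would make any y pass."""
    return x != 0 and pow(y, 2, N) == (x * pow(v, e, N)) % N


def identify(prover, v, challenges):
    """One round per challenge bit: prover sends x, verifier sends e,
    prover sends y. Accept only if every round verifies."""
    for e in challenges:
        x = prover.commit()
        y = prover.respond(e)
        if not verify_round(v, x, e, y):
            return False
    return True


def random_challenges(rounds=20):
    return [RNG.randrange(2) for _ in range(rounds)]


if __name__ == "__main__":
    s, v = keygen()
    print("honest prover accepted:", identify(HonestProver(s), v, random_challenges()))
    print("cheater vs [0, 0, 1]   :", identify(CheatingProver(v, 0), v, [0, 0, 1]))
```

The fixed challenge lists make the point visible: a cheater who bet on e = 0 survives as long as the verifier happens to ask 0, and is caught on the first 1, which is why the number of rounds (or the size of the challenge space) sets the soundness error.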

  • False Drop Analysis of Set Retrieval with Signature Files

    Hiroyuki KITAGAWA  Yoshiharu ISHIKAWA  

     
    PAPER-Databases

      Vol:
    E80-D No:6
      Page(s):
    653-664

    Modern database systems have to support complex data objects, which appear in advanced data models such as object-oriented data models and nested relational data models. Set-valued objects are basic constructs to build complex structures in those models. Therefore, efficient processing of set-valued object retrieval (simply, set retrieval) is an important feature required of advanced database systems. Our previous work proposed a basic scheme to apply superimposed coded signature files to set retrieval and showed its potential advantages over the B-tree index based approach using a performance analysis model. Retrieval with signature files is always accompanied by mismatches called false drops, and proper control of the false drops is indispensable in the signature file design. This study intensively analyzes the false drops in set retrieval with signature files. First, schemes to use signature files are presented to process set retrieval involving "has-subset," "is-subset," "has-intersection," and "is-equal" predicates, and generic formulas estimating the false drops are derived. Then, three sets of concrete formulas are derived in three ways to estimate the false drops in the four types of set retrieval. Finally, their estimates are validated with computer simulations, and advantages and disadvantages of each set of the false drop estimation formulas are discussed. The analysis shows that proper choice of estimation formulas gives quite accurate estimates of the false drops in set retrieval with signature files.
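    The abstract describes superimposed coded signature files for set retrieval and the false drops they produce but not the mechanics. The block below is an added example, not the paper's code, of the basic scheme: each element is hashed to an m-bit word with w bits set, a set's signature is the OR of its elements' words, and each of the four predicates named above becomes a bitwise test on signatures that can never miss a true match but may admit false drops, which a second stage then filters out against the real sets. The width m = 64, weight w = 3, the SHA-256 based element hash and the constructed object collection are assumptions of the example.

```python
"""Superimposed-coded signature file for set retrieval, with false-drop counting."""
import hashlib
import random


class SignatureFile:
    def __init__(self, m=64, w=3):
        self.m, self.w = m, w   # signature width and bits set per element (assumed)

    def element_sig(self, elem):
        """Hash one element to an m-bit word with (at most) w bits set."""
        h = hashlib.sha256(repr(elem).encode()).digest()
        sig = 0
        for i in range(self.w):
            pos = int.from_bytes(h[2 * i:2 * i + 2], "big") % self.m
            sig |= 1 << pos
        return sig

    def set_sig(self, s):
        """Superimpose (OR) the element signatures of a set."""
        sig = 0
        for e in s:
            sig |= self.element_sig(e)
        return sig

    def qualifies(self, pred, obj_sig, query):
        """Signature-level test: never drops a true match, may admit false drops."""
        q_sig = self.set_sig(query)
        if pred == "has-subset":          # query is a subset of the object
            return (obj_sig & q_sig) == q_sig
        if pred == "is-subset":           # object is a subset of the query
            return (obj_sig & ~q_sig) == 0
        if pred == "has-intersection":    # object and query share an element
            return any((obj_sig & es) == es for es in map(self.element_sig, query))
        if pred == "is-equal":
            return obj_sig == q_sig
        raise ValueError(pred)


def exact(pred, obj, query):
    """Ground truth on the real sets, used to weed out false drops."""
    obj, query = set(obj), set(query)
    return {"has-subset": query <= obj,
            "is-subset": obj <= query,
            "has-intersection": bool(obj & query),
            "is-equal": obj == query}[pred]


def retrieve(sf, pred, objects, query):
    """Two-stage set retrieval. Returns (candidates, true hits, false drops)."""
    sigs = [sf.set_sig(o) for o in objects]            # the signature file
    cands = [o for o, s in zip(objects, sigs) if sf.qualifies(pred, s, query)]
    hits = [o for o in cands if exact(pred, o, query)]
    return len(cands), len(hits), len(cands) - len(hits)


def constructed_objects(n=2000, vocab=200, max_size=8, seed=7):
    """Constructed collection of set-valued objects (not real data)."""
    rng = random.Random(seed)
    return [frozenset(rng.sample(range(vocab), rng.randint(1, max_size)))
            for _ in range(n)]


if __name__ == "__main__":
    objs = constructed_objects()
    for m in (16, 64):
        sf = SignatureFile(m=m)
        for pred in ("has-subset", "is-subset", "has-intersection", "is-equal"):
            print(m, pred, retrieve(sf, pred, objs, {3, 17}))
```

Running the main block with m = 16 and m = 64 shows the design trade-off the abstract refers to: a narrower signature saves index space but saturates with set bits, so more non-matching objects survive the bitwise test and have to be rejected in the second stage.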

  • Syntactic Unification Problems under Constrained Substitutions

    Kazuhiro TAKADA  Yuichi KAJI  Tadao KASAMI  

     
    PAPER-Automata,Languages and Theory of Computing

      Vol:
    E80-D No:5
      Page(s):
    553-561

    Some kinds of practical problems, such as security verification of cryptographic protocols, can be described as a problem of accomplishing a given purpose using only limited operations and limited materials. To model such problems in a natural way, unification problems under constrained substitutions have been proposed. This paper is a collection of results on the decidability and the computational complexity of a syntactic unification problem under constrained substitutions. A number of decidable, undecidable, tractable and intractable results on the problem are presented. Since a unification problem under constrained substitutions can be regarded as an order-sorted unification problem with term declarations such that the number of sorts is only one, the results presented in this paper also indicate how the intractability of order-sorted unification problems is reduced by restricting the number of sorts to one.

  • On Construction of Signature Scheme over a Certain Non-Commutative Ring

    Takakazu SATOH  Kiyomichi ARAKI  

     
    PAPER

      Vol:
    E80-A No:1
      Page(s):
    40-45

    We review a fundamental weak point of the OSS digital signature scheme against the cryptanalysis by Pollard et al., and propose a new digital signature scheme which overcomes this defect. More specifically, instead of the ring of rational integers, we use the ring of integral quaternions, which is a non-commutative Euclidean ring. Known attacks on the OSS signature do not work against our scheme due to the non-commutativity. On the other hand, this scheme causes little increase in the burden of generating and verifying digital signatures for the legitimate users, with respect to the original OSS scheme.

  • A Secure and Practical Electronic Voting Scheme for Real World Environments

    Wen-Shenq JUANG  Chin-Laung LEI  

     
    PAPER

      Vol:
    E80-A No:1
      Page(s):
    64-71

    In this paper, we propose a practical and secure electronic voting scheme which meets the requirements of large scale general elections. This scheme involves voters, the administrator (the so-called government) and some scrutineers. In our scheme, a voter only has to communicate with the administrator three times, and the scheme ensures independence among voters without the need for any global computation. This scheme uses a threshold cryptosystem to guarantee fairness among the candidates' campaigns and to provide a mechanism by which any voter can make an open objection to the tally if his vote has not been published. This scheme preserves the privacy of a voter against the administrator, scrutineers, and other voters. Completeness, robustness, and verifiability of the voting process are ensured, and hence no one can produce a false tally or corrupt or disrupt the election.

  • Proxy Signatures: Delegation of the Power to Sign Messages

    Masahiro MAMBO  Keisuke USUDA  Eiji OKAMOTO  

     
    PAPER-Source Coding/Security

      Vol:
    E79-A No:9
      Page(s):
    1338-1354

    In this paper a new type of digital proxy signature is proposed. The proxy signature allows a designated person, called a proxy signer, to sign on behalf of an original signer. A classification of proxy signatures is shown from the point of view of the degree of delegation, and the necessary conditions of a proxy signature are clarified. The proposed proxy signature scheme is based on either the discrete logarithm problem or the problem of taking square roots modulo a composite number. Compared to the consecutive execution of ordinary digital signature schemes, it has a direct form, and a verifier does not need a public key of any user other than the original signer in the verification stage. Moreover, it requires less computational work than the consecutive execution of the signature schemes. Due to this efficiency together with the delegation property, an organization, e.g. a software company, can very efficiently create many signatures of its own by delegating its signing power to multiple employees. Another attractive feature is that the proxy signature based on the discrete logarithm problem is highly applicable to other ordinary signature schemes based on the same problem. For instance, designated confirmer proxy signatures can be constructed. As a stronger form of proxy signature for partial delegation, another type of proxy signature scheme is proposed in which even the original signer cannot create a proxy signature. Furthermore, using a proposed on-line proxy updating protocol, the original signer can revoke the proxies of dishonest proxy signers.
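    To make the delegation property concrete, the block below is an added example (not the paper's own construction or code) of a discrete-logarithm proxy signature by partial delegation: the original signer derives a proxy key sigma from its secret s and a fresh pair (k, K = g^k), the proxy checks the delegation, signs with an ordinary Schnorr signature under sigma, and the verifier recomputes the proxy public key v * K^K from K carried in the signature, so only the original signer's public key v is needed, which is the property the abstract highlights. The toy group (p = 10007, q = 5003, g = 4), the hash encoding and the Schnorr signing step are assumptions of the example.

```python
"""Proxy signature by partial delegation in a discrete-log group (toy parameters)."""
import hashlib
import secrets

# Assumed toy Schnorr group: p = 2q + 1 with q prime, g of prime order q.
# Real deployments use a 2048-bit p or an elliptic-curve group.
P, Q, G = 10007, 5003, 4
assert pow(G, Q, P) == 1 and G != 1
RNG = secrets.SystemRandom()


def H(*parts):
    """Hash to Z_q (hypothetical encoding: '|'-joined decimal and text fields)."""
    h = hashlib.sha256("|".join(str(x) for x in parts).encode()).digest()
    return int.from_bytes(h, "big") % Q


def keygen():
    s = RNG.randrange(1, Q)
    return s, pow(G, s, P)            # (secret s, public v = g^s)


# --- delegation: original signer -> proxy signer ----------------------------
def delegate(s):
    """Original signer picks fresh k, K = g^k and derives sigma = s + k*K (mod q).
    (sigma, K) is handed to the proxy over a secure channel."""
    k = RNG.randrange(1, Q)
    K = pow(G, k, P)
    return (s + k * K) % Q, K


def accept_delegation(v, sigma, K):
    """Proxy checks g^sigma == v * K^K (mod p) before using sigma."""
    return pow(G, sigma, P) == (v * pow(K, K, P)) % P


# --- proxy signing: ordinary Schnorr signature under secret key sigma --------
def proxy_sign(sigma, K, msg):
    r = RNG.randrange(1, Q)
    R = pow(G, r, P)
    e = H(R, K, msg)
    return K, R, (r + sigma * e) % Q


def proxy_verify(v, msg, sig):
    """Only the original signer's public key v is needed: the proxy public key
    v * K^K is recomputed from the K inside the signature."""
    K, R, z = sig
    v_proxy = (v * pow(K, K, P)) % P
    e = H(R, K, msg)
    return pow(G, z, P) == (R * pow(v_proxy, e, P)) % P


if __name__ == "__main__":
    s, v = keygen()                       # original signer
    sigma, K = delegate(s)                # handed to the proxy
    assert accept_delegation(v, sigma, K)
    sig = proxy_sign(sigma, K, "release build 1.2")
    print("verifies with v only:", proxy_verify(v, "release build 1.2", sig))
```

Because g^z = R * (g^sigma)^e and g^sigma = v * K^K, verification closes without any proxy-specific public key; the caveat a practitioner should keep in mind is that in this basic partial-delegation form the original signer still knows sigma and could sign as the proxy, which is exactly the weakness the stronger variant in the abstract removes.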

  • Two Efficient Server-Aided RSA Secret Computation Protocols Against Active Attacks

    Shin-Jia HWANG  Chin-Chen CHANG  Wei-Pang YANG  

     
    PAPER-Information Security

      Vol:
    E79-A No:9
      Page(s):
    1504-1511

    For the dependent protocols to perform the server-aided RSA secret computation, the damage caused by the active attacks is greater than that by the passive attacks. Though there are two dependent proposed protocols against active attacks, the cost of the two protocols is still high. In this paper, we propose two efficient dependent protocols. Even considering the low cost of these two protocols, they can also guard against the proposed active attacks.

  • On-Line Signature Verification by Adaptively Weighted DP Matching

    Peng ZHAO  Atsusi HIGASHI  Yukio SATO  

     
    PAPER-Signature Verification

      Vol:
    E79-D No:5
      Page(s):
    535-541

    This paper deals with on-line signature verification. A signature is obtained as a sequence of x, y-coordinates of pen-tip movement and writing pressure. The features of a signature are derived from the coordinates and the writing pressure and are decomposed into two principal features, shape and motion, using the DP-matching technique. We found that each point of a signature varies to some degree each time it is written. However, the degree of local variation depends on the point: some points are relatively stable and do not vary much, while others are not. In this paper, we propose to incorporate weighted local variations based on the stability of each point so as to evaluate the difference of two signatures locally as well as globally. The dissimilarity measures are presented with respect to the corresponding features and are combined into one for efficient verification. In addition to the x, y-coordinates, the writing pressure is also considered to be part of shape. Experiments were carried out with a database which consists of 300 genuine signatures and 300 forgeries collected from 10 subjects. The effectiveness of incorporating the weighted local variation is shown by the experimental results: it raised the average correct verification rate by 1.0%, to 98.7%.
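    The abstract names DP matching and per-point stability weights without showing either. The block below is an added example, not the paper's method or code: a dynamic-programming alignment of a test signature (sequence of x, y, pressure samples) to a reference, a stability estimate per reference point taken from how much its matched distance varies across several genuine samples, and a weighted re-match in which unstable points count less. The weighting form 1/(1 + standard deviation), the Euclidean local distance and the constructed four-point signatures are assumptions of the example; the paper's own dissimilarity measures are not given here.

```python
"""On-line signature verification by DP matching with per-point stability weights."""
import math


def local_dist(a, b):
    """Euclidean distance between two samples (x, y, pressure)."""
    return math.sqrt(sum((u - v) ** 2 for u, v in zip(a, b)))


def dp_match(ref, test, weights=None):
    """DP matching (dynamic time warping) of test against ref.
    weights[i] scales every cost charged at reference point i.
    Returns (total cost, list of matched (ref_index, test_index) pairs)."""
    n, m = len(ref), len(test)
    w = weights if weights is not None else [1.0] * n
    inf = float("inf")
    D = [[inf] * (m + 1) for _ in range(n + 1)]
    D[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = w[i - 1] * local_dist(ref[i - 1], test[j - 1])
            D[i][j] = cost + min(D[i - 1][j - 1], D[i - 1][j], D[i][j - 1])
    path, i, j = [], n, m
    while i > 0 and j > 0:                   # backtrack the cheapest predecessor
        path.append((i - 1, j - 1))
        i, j = min(((i - 1, j - 1), (i - 1, j), (i, j - 1)),
                   key=lambda p: D[p[0]][p[1]])
    return D[n][m], path[::-1]


def stability_weights(ref, genuine_samples):
    """Align each genuine sample to ref; a reference point whose matched distance
    varies a lot across samples is unstable and gets a lower weight.
    Assumed weighting: 1 / (1 + standard deviation)."""
    per_point = [[] for _ in ref]
    for sample in genuine_samples:
        _, path = dp_match(ref, sample)
        for i, j in path:
            per_point[i].append(local_dist(ref[i], sample[j]))
    weights = []
    for ds in per_point:
        mean = sum(ds) / len(ds)
        std = math.sqrt(sum((d - mean) ** 2 for d in ds) / len(ds))
        weights.append(1.0 / (1.0 + std))
    return weights


def verify(ref, weights, test, threshold):
    """Accept if the weighted per-point cost is within threshold."""
    cost, _ = dp_match(ref, test, weights)
    return cost / len(ref) <= threshold, cost


# Constructed data (not from the paper): a 4-sample reference stroke and three
# genuine repetitions whose second point wobbles in y.
REF = [(0, 0, 1), (1, 0, 1), (2, 0, 1), (3, 0, 1)]
GENUINE = [[(0, 0, 1), (1, dy, 1), (2, 0, 1), (3, 0, 1)] for dy in (0.5, -0.5, 0.2)]

if __name__ == "__main__":
    w = stability_weights(REF, GENUINE)
    print("weights:", [round(x, 3) for x in w])
    wobble_unstable = [(0, 0, 1), (1, 0.5, 1), (2, 0, 1), (3, 0, 1)]
    wobble_stable = [(0, 0, 1), (1, 0, 1), (2, 0.5, 1), (3, 0, 1)]
    print("cost at unstable point:", dp_match(REF, wobble_unstable, w)[0])
    print("cost at stable point  :", dp_match(REF, wobble_stable, w)[0])
```

The same 0.5 deviation costs less at the point the genuine samples showed to be unstable than at a point they showed to be steady, which is the local-versus-global distinction the abstract is after; a real system would set the threshold from a held-out set of genuine signatures and forgeries.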

  • Proposal of an Automatic Signature Scheme Using a Compiler

    Keisuke USUDA  Masahiro MAMBO  Tomohiko UYEMATSU  Eiji OKAMOTO  

     
    PAPER

      Vol:
    E79-A No:1
      Page(s):
    94-101

    Computer viruses, hackers, intrusions and other computer crimes have recently become a serious security problem in information systems. Digital signatures are useful to defend against these threats, especially against computer viruses. This is because a modification of a file can be detected by checking the consistency of the original file with its accompanying digital signature. But an executable program might have been infected with a virus before the signature was created. In this case, the infection cannot be detected by signature verification, and the origin of the infection cannot be identified either. In this paper, we propose a signature scheme in which one can sign right after the creation of an executable program. That is, when a user compiles a source program, the compiler automatically creates both the executable program and its signature. Thus viruses cannot infect the executable programs without detection. Moreover, we can identify the creator of contaminated executable programs. In our signature scheme, a signature is created from a set of secret integers stored in a compiler, which is calculated from a compiler-maker's secret key. Each compiler is possessed by only one user and it is used only when a secret value is fed into it. In this way a signature of an executable program and the compiler-owner are linked to each other. Despite these measures, an executable program could run abnormally because of an infection in the preprocessing step, e.g. an infection of library files or included files. An infection of these files is detected by ordinary digital signatures. The proposed signature scheme together with digital signatures against infection in the preprocessing step enables us to identify the origin of the infection. The name of the signature creator is not necessary for detecting an infection. So, an owner's public value is not searched for in our scheme, and only a public value of a compiler-maker is required for signature verification. Furthermore, no one can use a compiler owned by another to create a proper signature.

  • New ElGamal Type Threshold Digital Signature Scheme

    Choonsik PARK  Kaoru KUROSAWA  

     
    PAPER

      Vol:
    E79-A No:1
      Page(s):
    86-93

    In a (k,n) threshold digital signature scheme, k out of n signers must cooperate to issue a signature. In this paper, we show an efficient (k,n) threshold ElGamal type digital signature scheme with no trusted center. We first present a variant of the ElGamal type digital signature scheme which requires only a linear combination of two shared secrets when applied to the (k,n)-threshold scenario. More precisely, it is a variant of the Digital Signature Standard (DSS) which was recommended by the U.S. National Institute of Standards and Technology (NIST). We consider it meaningful to develop an efficient (k,n)-threshold digital signature scheme for DSS. The proposed (k,n)-threshold digital signature scheme is proved to be as secure as the proposed variant of DSS against chosen message attack.

  • Design and Performance Analysis of Indexing Schemes for Set Retrieval of Nested Objects

    Yoshiharu ISHIKAWA  Hiroyuki KITAGAWA  

     
    PAPER-Implementation

      Vol:
    E78-D No:11
      Page(s):
    1424-1432

    Efficient retrieval of nested objects is an important issue in advanced database systems. So far, a number of indexing methods for nested objects have been proposed. However, they do not consider retrieval of nested objects based on the set comparison operators such as and . Previously, we proposed four set access facilities for nested objects and compared their performance in terms of retrieval cost, storage cost, and update cost. In this paper, we extend the study and present refined algorithms and cost formulas applicable to more generalized situations. Our cost models and analysis not only contribute to the study of set-valued retrieval but also to cost estimation of various indexing methods for nested objects in general.

  • Subliminal Channels for Transferring Signatures: Yet Another Cryptographic Primitive

    Kouichi SAKURAI  Toshiya ITOH  

     
    PAPER

      Vol:
    E77-A No:1
      Page(s):
    31-38

    This paper considers the subliminal channel, hidden in an identification scheme, for transferring signatures. We observe that the direct parallelization of the Fiat-Shamir identification scheme has a subliminal channel for the transmission of a digital signature. A positive aspect of this hidden channel is that it shows us how to transfer signatures without secure channels. As a formulation of such an application, we introduce a new notion called the privately recordable signature. The privately recordable signature is generated in an interactive protocol between a signer and a verifier, and only the verifier can keep the signatures, although no third adversary can record the signatures. In this scheme, the disclosure of the verifier's private coin then turns the signer's signature into an ordinary digital signature which can be verified by anybody with the signer's public key. The basic idea of our construction suggests the novel primitive that securely transferring signatures without secret channels could be constructed using only a one-way function (without trapdoor).

  • On Claw Free Families

    Wakaha OGATA  Kaoru KUROSAWA  

     
    PAPER

      Vol:
    E77-A No:1
      Page(s):
    72-80

    This paper points out that there are two types of claw free families with respect to a level of claw freeness. We formulate them as weak claw free families and strong claw free families. Then, we present sufficient conditions for each type of claw free families. (A similar result is known for weak claw free families.) They are represented as some algebraic forms of one way functions. A new example of strong claw free families is also given.

  • Efficient and Secure Multiparty Generation of Digital Signatures Based on Discrete Logarithms

    Manuel CERECEDO  Tsutomu MATSUMOTO  Hideki IMAI  

     
    PAPER

      Vol:
    E76-A No:4
      Page(s):
    532-545

    In this paper, we discuss secure protocols for shared computation of algorithms associated with digital signature schemes based on discrete logarithms. Generic solutions to the problem of cooperatively computing arbitrary functions, though formally provable according to strict security notions, are inefficient in terms of communication (bits and rounds of interaction); practical protocols for shared computation of particular functions, on the other hand, are often shown secure according to weaker notions of security. We propose efficient secure protocols to share the generation of keys and signatures in the digital signature schemes introduced by Schnorr (1989) and ElGamal (1985). The protocols are built on a protocol for non-interactive verifiable secret sharing (Feldman, 1987) and a novel construction for non-interactively multiplying secretly shared values. Together with the non-interactive protocols for shared generation of RSA signatures introduced by Desmedt and Frankel (1991), the results presented here show that practical signature schemes can be efficiently shared.
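    Both this abstract and the threshold ElGamal-type scheme above (Park and Kurosawa) rest on the same two ingredients: Feldman's non-interactive verifiable secret sharing, and a signature equation that is linear in the shared secrets so that partial results combine with Lagrange coefficients. The block below is an added example, not either paper's protocol or code, that puts those ingredients together for a (k,n) threshold Schnorr signature with no trusted center: every party deals a Feldman sharing of a random value, each party's key share is the sum of what it received (and it rejects any share that fails the commitment check), the public key is the product of the dealers' constant-term commitments, a fresh nonce is shared the same way per signature, and k signers each contribute z_i = r_i + e*x_i, which interpolate to an ordinary Schnorr signature. The toy group, the hash encoding, and the simplification that all n parties run the nonce sharing are assumptions of the example; the multiplication of shared values that the abstract mentions is not needed here because Schnorr's equation is linear, and a real protocol would also need complaint handling for bad dealers.

```python
"""(k,n) threshold Schnorr signing with distributed key generation (toy parameters)."""
import hashlib
import secrets

# Assumed toy group: p = 2q + 1, q prime, g of prime order q. Not for real use.
P, Q, G = 10007, 5003, 4
assert pow(G, Q, P) == 1 and G != 1
RNG = secrets.SystemRandom()


def H(*parts):
    """Hash to Z_q (hypothetical encoding: '|'-joined fields)."""
    h = hashlib.sha256("|".join(str(x) for x in parts).encode()).digest()
    return int.from_bytes(h, "big") % Q


def feldman_share(secret, k, n):
    """Feldman VSS: degree k-1 polynomial f with f(0) = secret.
    Returns shares {i: f(i)} for i = 1..n and public commitments g^{a_j}."""
    coeffs = [secret] + [RNG.randrange(1, Q) for _ in range(k - 1)]
    shares = {i: sum(a * pow(i, j, Q) for j, a in enumerate(coeffs)) % Q
              for i in range(1, n + 1)}
    commits = [pow(G, a, P) for a in coeffs]
    return shares, commits


def check_share(i, s_i, commits):
    """Receiver i verifies g^{s_i} == prod_j C_j^{i^j} (mod p)."""
    rhs = 1
    for j, c in enumerate(commits):
        rhs = rhs * pow(c, pow(i, j, Q), P) % P
    return pow(G, s_i, P) == rhs


def lagrange_at_zero(idx):
    """Coefficients lam_i with sum(lam_i * f(i)) = f(0) for any degree < len(idx)."""
    lam = {}
    for i in idx:
        num = den = 1
        for j in idx:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        lam[i] = num * pow(den, -1, Q) % Q
    return lam


def dkg(k, n):
    """No trusted center: each of the n parties deals a sharing of a random value.
    Party i's share of the joint secret is the sum of the shares it accepted;
    the joint public value is the product of the dealers' constant-term commitments."""
    joint_share = {i: 0 for i in range(1, n + 1)}
    pub = 1
    for dealer in range(1, n + 1):
        shares, commits = feldman_share(RNG.randrange(1, Q), k, n)
        for i in range(1, n + 1):
            if not check_share(i, shares[i], commits):
                raise ValueError(f"party {i} rejects share from dealer {dealer}")
            joint_share[i] = (joint_share[i] + shares[i]) % Q
        pub = pub * commits[0] % P
    return joint_share, pub


def threshold_sign(k, n, x_shares, msg, signers):
    """Share a fresh nonce r (R = g^r public), then combine k partial values
    z_i = r_i + e*x_i with Lagrange coefficients into a plain Schnorr signature."""
    r_shares, R = dkg(k, n)
    e = H(R, msg)
    lam = lagrange_at_zero(signers)
    z = sum(lam[i] * (r_shares[i] + e * x_shares[i]) for i in signers) % Q
    return R, z


def verify(y, msg, sig):
    """Ordinary Schnorr verification: g^z == R * y^e (mod p)."""
    R, z = sig
    return pow(G, z, P) == (R * pow(y, H(R, msg), P)) % P


if __name__ == "__main__":
    k, n = 3, 5
    x_shares, y = dkg(k, n)
    sig = threshold_sign(k, n, x_shares, "rotate signing key", [1, 3, 5])
    print("3-of-5 signature verifies:", verify(y, "rotate signing key", sig))
```

Reconstruction at 0 of the summed polynomial yields the sum of the dealers' secrets, which is exactly the discrete log of the product of their commitments, so the combined z satisfies the standard equation and a verifier sees nothing but a Schnorr signature under y. With fewer than k contributions the interpolation lands on an unrelated value and verification fails.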

  • Performance Evaluation of Signature-Based Access Mechanisms for Efficient Information Retrieval

    Jae Soo YOO  Jae Woo CHANG  Yoon Joon LEE  Myoung Ho KIM  

     
    PAPER-Software Systems

      Vol:
    E76-D No:2
      Page(s):
    179-188

    With the rapid increase of information requirements from various application areas, there has been much research on efficient information retrieval. A signature is an abstraction of information, and has been applied in many proposals of information retrieval systems. In this paper we evaluate the performance of various signature-based information retrieval methods and provide guidelines for the most effective usage in a given operational environment. We derive analytic performance evaluation models of these access methods based on retrieval time, storage overhead and insertion time. The relationships between various performance parameters are thoroughly investigated. We also perform simulation experiments using a wide range of parameter values and show that the performance experiments agree with those analytic models.

  • Generalized Partitioning Scheme of Signature File for Information Retrieval

    Yong-Moo KWON  Yong-Jin PARK  

     
    PAPER-Databases

      Vol:
    E76-D No:2
      Page(s):
    189-198

    Compared to multi-level signature file techniques, the PSF (Partitioned Signature File) technique has less processing overhead owing to its simple file organization. In a multi-processor environment, the PSF technique also has the advantage that queries can be processed in parallel effectively by allocating one or more partitions to each processor. The main point of the PSF technique is a partitioning scheme based on a key selection. In this paper, an n-BFK (n-Bounded Floating Key) partitioning scheme is proposed, in which the number of segments for a key selection is bounded by n. A cost model is developed for the performance evaluation of the proposed scheme. By performance comparison with the existing schemes, the efficiencies of the proposed scheme are shown with respect to disk access cost, signature reduction ratio, and uniformity of workload.

  • A Modular-Multiplication Algorithm Using Lookahead Determination

    Hikaru MORITA  Chung-Huang YANG  

     
    PAPER

      Vol:
    E76-A No:1
      Page(s):
    70-77

    This paper presents an efficient multi-precision modular-multiplication algorithm which minimizes the calculation RAM space required when implementing public-key schemes with software on general-purpose computers including smart cards and personal computers. Many modular-multiplication algorithms cannot be efficiently realized on small systems due to their high RAM consumption. The Montgomery algorithm, which can rapidly perform modular multiplication, has received a lot of attention. Unfortunately, the Montgomery algorithm is difficult to implement, especially in smart cards which have extremely limited RAM space. Furthermore, when the modulus of modular multiplication is frequently changed, or when the number of permissible repeated modular multiplications is small, pre- and post-processing operations such as conversion from/to the Montgomery space become wasteful. The proposed algorithm avoids these problems because it requires only half the RAM space and no pre- and post-processing operations. The algorithm is a radical extension to the approximation methods that use the most significant bits and our newly proposed lookahead determination method. This paper gives a proof of the completeness of this method, describes implementation results using a smart card, introduces a theory supported by the results, and considers the optimal technique to enhance the speed of this method.

  • A Method and the Effect of Shuffling Compactor Inputs in VLSI Self-Testing

    Kiyoshi FURUYA  Edward J. McCLUSKEY  

     
    PAPER

      Vol:
    E75-D No:6
      Page(s):
    842-846

    Signature analysis using a Multiple-Input LFSR as the output response compaction circuit is widely adopted in actual BIST schemes. While aliasing probabilities for random errors are usually very small, MI-LFSRs tend to fail to detect diagonal errors. A spot error, which includes the diagonal error as a particular case, is defined as multiple bit errors adjacent in the space and time domains. Then, shuffling of the interconnection between CUT outputs and MI-LFSR inputs is studied as a scheme to prevent aliasing for such errors. The condition for preventing aliasing due to a single spot error of a predetermined size is shown. Block based shuffling and a shortened version are proposed to realize the required distance properties. The effect of shuffling for multiple spot errors is examined by simulation, showing that shuffling is also effective for a certain extent of multiple spot errors.
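    The diagonal-error weakness is easy to see once the MISR is written down, so the block below is an added example (not the paper's circuit, shuffling construction or code) that simulates a multiple-input LFSR over constructed CUT output rows, injects a diagonal spot error (one flipped bit at clock t on output i, another at clock t+1 on output i+1) and shows that it leaves the signature unchanged, because the first error bit shifts into the next stage exactly when the second error bit arrives and the two cancel. It then applies a block-style input permutation, which is an assumption of the example and not the paper's specific scheme, so that spatially adjacent CUT outputs feed non-adjacent MISR stages, after which the same error is caught. The register width, feedback taps, permutation and pseudo-random test data are all assumptions of the example.

```python
"""Diagonal-error aliasing in a multiple-input LFSR (MISR) and input shuffling."""
import random

WIDTH = 8
TAPS = [7, 5, 4, 3]            # stages XORed into stage 0; includes the last stage
PERM = [0, 4, 1, 5, 2, 6, 3, 7]  # MISR input j receives CUT output PERM[j]


def misr_signature(rows, width=WIDTH, taps=TAPS):
    """Clock the MISR over rows of CUT output bits (one row per clock).
    Stage 0 <- feedback XOR input 0; stage i <- stage i-1 XOR input i."""
    state = [0] * width
    for row in rows:
        fb = 0
        for t in taps:
            fb ^= state[t]
        state = [fb ^ row[0]] + [state[i - 1] ^ row[i] for i in range(1, width)]
    return state


def inject(rows, errors):
    """Flip the listed (clock, output) bits; adjacent flips form a spot error."""
    out = [r[:] for r in rows]
    for t, i in errors:
        out[t][i] ^= 1
    return out


def shuffle_columns(rows, perm=PERM):
    """Re-wire CUT outputs to MISR inputs according to perm."""
    return [[r[perm[j]] for j in range(len(perm))] for r in rows]


def constructed_rows(clocks=32, seed=1):
    """Constructed CUT responses (pseudo-random, not a real circuit)."""
    rng = random.Random(seed)
    return [[rng.randrange(2) for _ in range(WIDTH)] for _ in range(clocks)]


def diagonal_error_aliases(rows, t=3, i=1, shuffled=False):
    """True if the diagonal spot error at (t,i),(t+1,i+1) is missed by the MISR."""
    bad = inject(rows, [(t, i), (t + 1, i + 1)])
    if shuffled:
        rows, bad = shuffle_columns(rows), shuffle_columns(bad)
    return misr_signature(bad) == misr_signature(rows)


if __name__ == "__main__":
    rows = constructed_rows()
    print("diagonal error aliased, direct wiring :", diagonal_error_aliases(rows))
    print("diagonal error aliased, shuffled wiring:", diagonal_error_aliases(rows, shuffled=True))
```

The argument is data-independent because the MISR is linear over GF(2): the difference between the erroneous and error-free states evolves on its own, and any non-zero difference stays non-zero for as long as the feedback includes the last stage (the state map is then invertible). The diagonal error cancels only because stage 1 is not a feedback tap; after the permutation the two error bits land on stages 2 and 4, the difference after clock t+1 is non-zero, and the signature differs.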
