In this paper, we propose a new type of authentication system, one-time zero-knowledge authentication system. Informally speaking, in this authentication system, double usage of the same authentication is prevented. Based on these one-time zero-knowledge authentication systems, we propose a new untraceable electronic cash scheme satisfying both untraceability and unreusablity. This scheme overcomes the problems of the previous scheme proposed by Chaum, Fiat and Naor through its greater efficiency and provable security under reasonable cryptographic assumptions. We also propose a scheme, transferable untraceable electronic cash scheme, satisfying transferability as well as the above two criteria. Moreover, we also propose a new type of electronic cash, untraceable electronic coupon ticket, in which the value of one piece of the electronic cash can be subdivided into many pieces.

This paper proposes practical escrow cash schemes with particular emphasis on countermeasures against social crimes such as money laundering and extortion. The proposed cash schemes restrict "unconditional" privacy in order to prevent these social crimes while preserving off-line-ness, divisibility and transferability, properties listed in [25] as criteria for ideal cash schemes.

This paper proposes a secure electronic sealed-bid auction protocol (SEAP) that provides an auction service on the Internet by combining three providers: an auction service provider, a key service provider, and a time service provider. The SEAP uses public key cryptography and the concept of a time-key certificate. The most important property of this protocol is that time-dependent security requirements can be strictly satisfied. The SEAP satisfies the following nine security requirements: (a) no one can deny having made a bid; (b) the protocol should be secure against malicious acts; (c) no bidder can act for another bidder; (d) no one can know who else is bidding until the time comes for the bids to be opened; (e) no one can discover the contents of any of the bids until the time comes for the bids to be opened; (f) the successful bid must have been submitted before the bidding deadline; (g) all bidders can verify that the auction policy has been correctly implemented; (h) the successful bidder can be identified without being required to make himself or herself known; and (i) the bidding contents cannot be altered. The protocol consists of three subprotocols: the Registration Subprotocol, the Bidding Subprotocol, and the Auction Subprotocol. The protocol parameters and algorithm are described in detail.

A group-oriented cipher communication method is developed and implemented on a WWW-based (World Wide Web) network system. In this method, a group key common to all entities of the group is generated based on the group name or the identities of entities belonging to the group. The group key, in turn, is used for encrypting the data being shared among the group via the WWW server. The data theft at the WWW cache sites on the intermediate communication line is prevented, establishing a unified feature of the good WWW cache performance and security. A prototype of our method proved the feasibility and the efficiency.

This paper proposes to apply random mapping methods of a pseudo random function to find collisions of a hash function. We test a hash function including a block cipher (see ISO/IEC 10118-2) with computers, where users can select its initial vector. In particular, the paper shows that a hash function with multiple stages generates a lot of collision hash values, so our probabilistic consideration of a small model for the hash function well explains the computational results. We show that it's feasible to find collisions between the selected messages in advance for 64-bit-size hash functions with WSs linked via an ordinary LAN (Local Area Network). Thus, it is dangerous to use the hash function -- single block mode -- defined in [6] and [7].

S-boxes (vector output Boolean functions) should satisfy cryptographic criteria even if some input bits (say, k bits) are kept constant. However, this kind of security has been studied only for scalar output Boolean functions. SAC (k) is a criterion for scalar output Boolean functions of this type. This paper studies a generalization of SAC (k) to vector output Boolean functions as the first step toward the security of block ciphers against attacks which keep some input bits constant. We first show a close relationship between such Boolean functions and linear error correcting codes. Then we show the existence, bounds and enumeration of vector Boolean functions which satisfy the generalized SAC (k). A design method and examples are also presented.

In Asiacrypt '96, Bleichenbacher et al. showed the upper limit of the efficiency of one-time digital signature scheme using a directed graph of tree structure as its base. They also claimed that there exists more effective signature scheme on general directed graphs, and showed an example of a method to construct more effective signature schemes as a witness. Unfortunately, their example does not achieve the efficiency as they claimed. This paper shows the upper limit of the efficiency of the signature scheme on general directed graphs by showing no signature scheme is more effective than the optimal signature scheme on trees (or forests). Further, we introduce another signature scheme named pseudo k-time signature scheme. This signature scheme allows signers to sign k-time which is no less efficient than the one time signature scheme.

In this paper a public key certification scheme, which protects privacy of user of the public key certificate, is proposed. In the proposed scheme a certification authority issues anonymous public key certificates, with which a certificate user having his/her own secret key can make use of public key cryptography and a certificate verifier can confirm the authenticity of the cryptographic communication of the certificate user. The anonymity of their users is preserved against the verifier. In general, user's activities should not be linked each other from the viewpoint of privacy protection. The use of the same certificate results in the linkage of the cryptographic communications. So, ideally, a certificate should be used only once, and such a certificate is called a one-time certificate. In the proposed scheme one-time certificates are realized with low cost of communication and computation for the certificate user. Multiple certificates can be issued without interaction between CA and the user. The additional computation of the user to obtain a new anonymous public key certificate is one modular exponentiation. In addition, only one secret key is required for multiple certificates. Therefore, the proposed scheme is useful for applications which require anonymity, unlinkability, and efficiency.

Fiat-Shamir's identification and signature scheme is efficient as well as provably secure, but it has a problem in that the transmitted information size and memory size cannot simultaneously be small. This paper proposes an identification and signature scheme which overcomes this problem. Our scheme is based on the difficulty of extracting theL-th roots modn (e. g.L=2 10²⁰) when the factors ofnare unknown. We prove that the sequential version of our scheme is a zero knowledge interactive proof system and our parallel version reveals no transferable information if the factoring is difficult. The speed of our scheme's typical implementation is at least one order of magnitude faster than that of the RSA scheme and is relatively slow in comparison with that of the Fiat-Shamir scheme.

The addition chain (A-chain) and addition-subtraction chain (AS-chain) are efficient tools to calculate power M^e (or multiplication eM), where integere is fixed andM is variable. Since the optimization problem to find the shortest A (or AS)-chain is NP-hard, many algorithms to get a sub-optimal A (or AS)-chain in polynomial time are proposed. In this paper, a window method for the AS-chain and an extended window method for the A-chain and AS-chain are proposed and their performances are theoretically evaluated by applying the theory of the optimal variable-to-fixed length code, i. e. , Tunstall code, in data compression. It is shown by theory and simulation that the proposed algorithms are more efficient than other algorithms in practical cases in addition to the asymptotic case.

In the linear cryptanalysis (LC), to decrease the number of plain/cipher text pairs required for successful attack against DES, it is necessary to improve the effectiveness of the linear approximate expression and to decrease the number of key bits in the expression to be exhaustively searched for. In the previous work, we proposed a linear sieve method to improve the effectiveness of the linear approximate expression. On the other hand, the number of key bits increased. To suppress the number of key bits, we propose Fixed Sieve Linear Cryptanalysis (FS-LC) with fixed sieve key of the linear sieve method. With FS-LC against 8-round DES, we showed the number of plain/cipher text pairs required for sucessful attack is less than that of LC. Furthmore, we extended FS-LC with Kaliski's techniques using the multiple linear approximate expressions to intoroduce Fixed Sieve multiple Linear Cryptanalysis (FS-mLC). With FS-mLC against 8-round DES, computer simulation revealed that it is possible to solve its encryption-key with 2²⁰ plain/cipher text pairs. The number of pairs is about a half of the Matsui's 1-round linear cryptanalysis cases.

This paper applies linear cryptanalysis to FEAL and describes the experimental results of attacking FEAL-8 by linear cryptanalysis. The following points are important in linear cryptanalysis to reduce the processing amount and memory size in the attack: 1) to find linear expressions with as high a deviation as possible, and 2) to reduce the number of effective key bits and effective text bits. We have succeeded in attacking FEAL-8 in about 1 hour on a low-end workstation (SPARCstation 10 Model 30). We have confirmed that the entire set of subkeys of FEAL-8 can be derived from 2²⁵ known plaintexts with a success rate of over 70%, and from 2²⁶ known plaintexts with a success rate of almost 100%.

This paper presents the results of the best differential characteristic search of FEAL. The search algorithm for the best differential characteristic (best linear expression) was already presented by Matsui, and improvements on this algorithm were presented by Moriai et al. We further improve the speed of the search algorithm. For example, the search time for the 7-round best differential characteristic of FEAL is reduced to about 10 minutes (Pentium/166 MHz), which is about 2^{12. 6} times faster than Matsui's algorithm. Moreover, we determine all the best differential characteristics of FEAL for up to 32 rounds assuming all S-boxes are independent. As a result, we confirm that the N-round (7N32) best differential characteristic probability of FEAL is 2^-2N, which was found by Biham. For N=6, we find 6-round differential characteristics with a greater probability, 2^-11, than that previously discovered, 2^-12.

A multiple signature scheme proposed in [1] is proved to be insecure.

This letter gives a study of additionY=X+K mod 2^w which is used in some cryptosystems as RC5. Our results enables us to express the differential and linear probability of addition as a function of addendK. To detect a good differential characteristics or linear approximation of a cryptosystem in which extended key is used as addend, we need to consider how the characteristics or approximations behave depending upon the value of the addend, which are clarified by our results.

In this paper, a threshold voltage (V_T) cancellation circuit for neuron-MOS (νMOS) analog circuits is described. By connecting the output terminal of this circuit with one of the input terminals of the νMOS transistor, cancellation ofV_T is realized. The circuit has advantages of ground-referenced output and is insensitive to the fluctuation of bias and supply voltages. Second-order effects, such as the channel length modulation effect, the mobility reduction effect and device mismatch of the proposed circuit are analyzed in detail. Low-power and high-swing νMOS cascode current mirror is presented as an application. Performance of the proposed circuits is confirmed by HSPICE simulation with MOSIS 2. 0 µ p-well double-poly and double-metal CMOS device parameters.

This paper presents two types of two-dimensional (2-D) adaptive beamforming algorithm which have high rate of convergence. One is a linearly constrained minimum variance (LCMV) beamforming algorithm which minimizes the average output power of a beamformer, and the other is a generalized sidelobe canceler (GSC) algorithm which generalizes the notion of a linear constraint by using the multiple linear constraints. In both algorithms, we apply a 2-D lattice filter to an adaptive filtering since the 2-D lattice filter provides excellent properties compared to a transversal filter. In order to evaluate the validity of the algorithm, we perform computer simulations. The experimental results show that the algorithm can reject interference signals while maintaining the direction of desired signal, and can improve convergent performance.

An adaptive infinite impulse response (IIR) filter implemented using an allpass and a minimum phase system has an advantage of its poles converging to the poles of the unknown system when the input is a white signal. However, when the input signal is colored, convergence speed deteriorates considerably, even to the point of lack of convergence for certain colored signals. Furthermore with a colored input signal, there is no guarantee that the poles of the adaptive digital filter (ADF) will converge to the poles of the unknown system. In this paper we propose a method which uses a linear predictor filter to whiten the input signal so as to improve the convergence characteristic. Computer simulation results confirm the increase in convergence speed and the convergence of the poles of the ADF to the poles of the unknown system even when the input is a colored signal.

An oversampling theorem for regular sampling in wavelet subspaces is established. The sufficient-necessary condition for which it holds is found. Meanwhile the truncation error and aliasing error are estimated respectively when the theorem is applied to reconstruct discretely sampled signals. Finally an algorithm is formulated and an example is calculated to show the algorithm.

For given integerp, a flow networkNwithn vertices, and sources inN, a problem of finding location ofp sinks inN which maximize the value of maximum flow from sources to sinks is calledp-collection problem. This problem is NP-hard even if a given network is a tree, but a pseudo-polynomial time algorithm is possible for such a network. This paper proposes a new pseudo-polynomial time algorithm for a tree-type network, which is simpler and more efficient than the previous algorithm, and has time complexity of O(p²n²C_c min {C_c,C_d}), whereC_c andC_d are the maximum edge capacity and the maximum vertex weight, respectively.

Recently reported multidimensional geometrically uniform signal constellations (L MPSK and Decomposed-Lattice constellations) are joined in the term of Generalized Permutation Alphabets (GPA). Possibility of a binary isometric labeling of GPA's is completely characterized. An algorithm for constructing generating groups of PSK-type GPA is proposed. We show that this concept, when is extended to the lattice, gives rise to a class of new coset codes which perform out best codes listed in [11].

We propose new key exchange and authentication protocols, which are efficient in protecting a poorly-chosen weak secret from guessing attacks, based on the use of a one-time pad and a strong one-way hash function. Cryptographic protocols assume that a strong secret should be shared between communication participants for authentication, in the light of an ever-present threat of guessing attacks. Cryptographically long secret would be better for security only if ordinary users could remember it. But most users choose an easy-to-remember password as a secret and such a weak secret can be guessed easily. In our previous work, we made much of introducing a basic concept and its application. In this paper, we describe our idea in more detail and propose more protocols which correspond to variants of our basic protocol using well-defined notations. Formal verification and efficiency comparison of the proposed protocols are also presented. By our scheme the password guessing attacks are defeated efficiently, and a session key is exchanged and participants are authenticated securely.

Petri nets are one of useful models for discrete event systems in which liveness problem as well as reachability problem is one of big issues. But, it has not been completely solved from the point of view of useful initial-marking-based liveness conditions in general Petri nets. In this paper, to guarantee local liveness (i. e. , liveness underM_oD) for each minimal deadlock (MSDL),N_D=(S_D,T_D,F_D,M_oD), with real deadlock-trap structure, it is shown that the minimum number of required live minimal structural traps (MSTRs),N_T=(S_T,T_T,F_T,M_oT) s. t. S_D S_T, is conditionally (which means that the conditions of Lemma 4-9 are fulfilled for a bounded MSDL N_D containing at least one MSTR N_T s. t. S_D S_T and see also Remarks 4-2 (3) in Sect. 4. 3) "one. " Note that this local liveness for N_D s. t. S_D S_T is one of useful necessary conditions for liveness condition of general Petri nets N=(S,T,F,M_o) s. t. S S_D. However, because this has not been discussed in literature and is not trivial, some new concepts such as T-cornucopias and return paths are introduced into the real deadlock-trap structure s. t. S_D S_T in N and this is proven by dividing it into two cases: N_D s. t. S_D S_T is live and unbounded under M_oD and N_D s. t. S_D S_T is live and bounded under M_oD. Usefulness for the results obtained is also discussed.

This paper focuses on competitive learning algorithms for WTA (winner-take-all) networks which perform rotation invariant pattern classification. Although WTA networks may theoretically be possible to achieve rotation invariant pattern classification with infinite memory capacities, actual networks cannot memorize all input data. To effectively memorize input patterns or the vectors to be classified, we present two algorithms for learning vectors in classes (LVC1 and LVC2), where the cells in the network memorize not only weight vectors but also their firing numbers as statistical values of the vectors. The LVC1 algorithm uses simple and ordinary competitive learning functions, but it incorporates the firing number into a coefficient of the weight change equation. In addition to all the functions of the LVC1, the LVC2 algorithm has a function to utilize under-utilized weight vectors. From theoretical analysis, the LVC2 algorithm works to minimize the energy of all weight vectors to form an effective memory. From computer simulation with two-dimensional rotated patterns, the LVC2 is shown to be better than the LVC1 in learning and generalization abilities, and both are better than the conventional Kohonen self-organizing feature map (SOFM) and the learning vector quantization (LVQ1). Furthermore, the incorporation of the firing number into the weight change equation is shown to be efficient for both the LVC1 and the LVC2 to achieve higher learning and generalization abilities. The theoretical analysis given here is not only for rotation invariant pattern classification, but it is also applicable to other WTA networks for learning vector quantization.

In the circumstances we want to deal with, transmission channel is limited and global motion can happen by camera movement, and also there exists a region-of-interest (ROI) which is more important than background. So very low bit rate coding algorithm is required and processing of global motion must be considered. Also ROI must be reconstructed with required quality after decoding because of its importance. But the existing methods such as H. 261, H. 263 are not suitable for such situations because they do not compensate global motion, which needs large amount of transmission bits in motion information and degrades image quality. And also they can not reconstruct ROI's with high quality because they do not consider the fact that ROI's are more important than background. So a new coding scheme is proposed that describes a method for encoding image sequences distinguishing bits between ROI and background. Simulations show that the suggested algorithm performs well especially in the circumstances where background changes and the area of ROI is small enough compared with that of background.

This letter proposes a Perfect-Reconstruction (PR) encryption scheme based on a PR QMF bank. Using the proposed scheme, signals can be encrypted and reconstructed perfectly by using two Periodically Time-Varying (PTV) digital filters respectively. Also we find that the proposed scheme has a "good" encryption effect and compares favorably with frequency scramble in the aspects of computation complexity, PR property, and degree of security.

In this paper, a new nonlinear integrator with positive phase shifts is proposed. Results of the digital simulation show that the nonlinear integrator has a better performance than the conventional one in a control system.