One of Kaliski and Robshaw's algorithms, which is used for the linear attack on block ciphers with multiple linear approximations and introduced as Algorithm 2M in this paper, looks efficient but lacks any theoretical and mathematical description. It means there exists no way to estimate the data complexity required for the attack by the algorithm except experiments of the reduced variants. In this paper we propose a new algorithm using multiple linear approximation. We achieve the theoretical and mathematical analysis of its success probability. The new algorithm needs about 2^40.6 plaintexts to find 12 bits of secret key of 16-round DES with a success probability of about 86%.

In the key recovery variant of the interpolation attack, exhaustive search is required to find the last round key K_m. Therefore, this attack is almost impractical if the size of K_m is too large. In this paper, we show that K_m can be very efficiently obtained if F(K,x) can be approximated by a low degree polynomial g_x(K) in K for any fixed x, where F is a round function of Feistel type block ciphers.

This paper reports the strength of a pseudorandom number generator MUGI, which was published as a stream cipher by Hitachi, Ltd. in 2001, against linear cryptanalysis. MUGI is one of the recommended ciphers of CRYPTREC, which is a project for the e-Government in Japan. It has two internal states called state and buffer, which are updated by a linear function λ and a non-linear function ρ. The non-linear function ρ and the linear function λ have already been analyzed, independently. In this paper, whole MUGI is analyzed by truncated linear cryptanalysis. The analysis of λ function is based on the state variables method. The result is combined to the result of the analysis of ρ function to make a trellis diagram. Viterbi search is conducted on the diagram to find the best possible linear path under 64-bit truncated linear cryptanalysis. As the result, the upper bound of the maximum linear characteristic probability is estimated as less than 2^-138. Therefore, MUGI is secure against linear cryptanalysis.

OMAC is a provably secure MAC scheme proposed by Iwata and Kurosawa. NIST currently intends to specify OMAC as the modes recommendation. In August 2003, Mitchell published a note "On the security of XCBC, TMAC and OMAC" to propose a new variant of OMAC. We call it OMAC1". In this paper, we prove that OMAC1" is less secure than the original OMAC. We show a security gap between them. As a result, we obtain a negative answer to Mitchell's open question--OMAC1" is not provably secure even if the underlying block cipher is a PRP. Further, we point out limitations of discussion in [16].

Cryptographic unkeyed hash functions should satisfy preimage resistance, second-preimage resistance and collision resistance. In this article, weak second-preimage resistance and weak collision resistance are defined following the definition of weak one-wayness. Preimage resistance is one-wayness of cryptographic hash functions. The properties of weak collision resistance is discussed in this article. The same kind of results can be obtained for weak second-preimage resistance. Weak collision resistance means that the probability of failing to find a collision is not negligible, while collision resistance means that the success probability is negligible. It is shown that there really exist weakly collision resistant hash functions if collision resistant ones exist. Then, it is shown that weak collision resistance is amplifiable, that is, collision resistant hash functions can be constructed from weakly collision resistant ones. Unfortunately, the method of amplification presented in this article is applicable only to a certain kind of hash functions. However, the method is applicable to hash functions based on discrete logarithms. This implies that collision resistant hash functions can be obtained even if the discrete logarithm problem is much easier than is believed and only weakly intractable, that is, exponentiation modulo a prime is weakly one-way.

In [1] it was proved that 20 of 64 PGV hash functions based on block cipher are collision-resistant and one-way in the black-box model of the underlying block cipher. Here, we generalize the definition of PGV-hash function into a hash family and we will prove that, aside from the previously reported 20 hash functions, we have 22 more collision-resistant and one-way hash families. As all these 42 families are keyed hash family, these are also target-collision-resistant. All these 42 hash families have tight upper and lower bounds on (target) collision-resistant and one-way-ness.

We present two new parallel algorithms for extending the domain of a UOWHF. The first algorithm is complete binary tree based construction and has less key length expansion than Sarkar's construction which is the previously best known complete binary tree based construction. But only disadvantage is that here we need more key length expansion than that of Shoup's sequential algorithm. But it is not too large as in all practical situations we need just two more masks than Shoup's. Our second algorithm is based on non-complete l-ary tree and has the same optimal key length expansion as Shoup's which has the most efficient key length expansion known so far. Using the recent result, we can also prove that the key length expansion of this algorithm and Shoup's sequential algorithm are the minimum possible for any algorithms in a large class of "natural" domain extending algorithms. But its parallelizability performance is less efficient than complete tree based constructions. However if l is getting larger, then the parallelizability of the construction is also getting near to that of complete tree based constructions. We also give a sufficient condition for valid domain extension in sequential domain extension.

In this study, we construct balanced Boolean functions with a high nonlinearity and an optimum algebraic degree for both odd and even dimensions. Our approach is based on modifying functions from the Maiorana-McFarland's superclass, which has been introduced by Carlet. A drawback of Maiorana-McFarland's function is that their restrictions obtained by fixing some variables in their input are affine. Affine functions are cryptographically weak functions, so there is a risk that this property will be exploited in attacks. Due to the contribution of Carlet, our constructions do not have the potential weakness that is shared by the Maiorana-McFarland construction or its modifications.

In this paper, the problem in the distribution of the test statistic of the Discrete Fourier Transform (DFT) test included in SP800-22 released by the National Institute of Standards and Technology (NIST), which causes a very high rate of rejection compared with the significance level, is considered on the basis of the distribution of the spectrum. The statistic of the DFT test, which was supposed to follow the standard normal distribution N(0, 1) according to the central limit theorem, seems to follow the normal distribution N(0.691, 0.5) approximately. The author derived the distribution function of the spectrum, and changed the threshold value from the default value of to the value of 1.7308 , where n is the length of a random number sequence. By this modification, the test statistic becomes to follow the normal distribution N(0, 0.5) approximately. The disagreement between this variance (= 0.5) and that of the standard normal distribution (= 1) can be considered to originate in the dependence of the spectrum. The evidences of the dependence are shown.

Extensive studies have been made of the public key cryptosystems based on multivariate polynomials over F₂. However most of the proposed public key cryptosystems based on multivariate polynomials, are proved not secure. In this paper, we propose several types of new constructions of public key cryptosystems based on randomly generated singular simultaneous equations. One of the features of the proposed cryptosystems is that the sets of random singular simultaneous equations significantly enlarges the size of the transformation.

To the authors' knowledge, there are not many cryptosystems proven to be as difficult as or more difficult than the discrete logarithm problem. Concerning problems related to the discrete logarithm problem, there are problems called the double discrete logarithm problem and the e-th root of the discrete logarithm problem. These two problems are likely to be difficult and they have been utilized in cryptographic protocols such as verifiable secret sharing scheme and group signature scheme. However, their exact complexity has not been clarified, yet. Related to the e-th root of the discrete logarithm problem, we can consider a square root of the discrete logarithm problem. Again, the exact complexity of this problem has not been clarified, yet. The security of cryptosystems using these underlying problems deeply depends on the difficulty of these underlying problems. Hence it is important to clarify their difficulty. In this paper we prove reductions among these fundamental problems and show that under certain conditions, these problems are as difficult as or more difficult than the discrete logarithm problem modulo a prime.

Genus 3 hyperelliptic curve cryptosystems are capable of fast-encryption on a 64-bit CPU, because a 56-bit field is enough for their definition fields. Recently, Kuroki et al. proposed an extension of the Harley algorithm, which had been known as the fastest addition algorithm of divisor classes on genus 2 hyperelliptic curves, on genus 3 hyperelliptic curves and Pelzl et al. improved the algorithm. This paper shows an improvement of the Harley algorithm on genus 3 hyperelliptic curves using Toom's multiplication. The proposed algorithm takes only I + 70M for an addition and I + 71M for a doubling instead of I + 76M and I + 74M respectively, which are the best possible of the previous works, where I and M denote the required time for an inversion and a multiplication over the definition field respectively. This paper also shows 2 variations of the proposed algorithm in order to adapt the algorithm to various platforms. Moreover this paper discusses finite field arithmetic suitable for genus 3 hyperelliptic curve cryptosystems and shows implementation results of the proposed algorithms on a 64-bit CPU. The implementation results show a 160-bit scalar multiplication can be done within 172 µs on a 64-bit CPU Alpha EV68 1.25 GHz.

The Weil descent attack, suggested by Frey, has been implemented by Gaudry, Hess and Smart (the so-called GHS attack) on elliptic curves over finite fields of characteristic two and with composite extension degrees. Recently, Diem presented a general treatment of the GHS attack to hyperelliptic curves over finite fields of arbitrary odd characteristics. This paper shows that Diem's approach can be extended to curves of which the function fields are cyclic Galois extensions. In particular, we show the existence of GHS Weil restriction, triviality of the kernel of GHS conorm-norm homomorphism, and lower/upper bounds of genera of the resulting curves.

We evaluate the exact number of gates for circuits of Shor's factoring algorithm. We estimate the running time for factoring a large composite such as 576 and 1024 bit numbers by appropriately setting gate operation time. For example, we show that on the condition that each elementary gate is operated within 50 µsec, the running time for factoring 576 bit number is 1 month even if the most effective circuit is adopted. Consequently, we find that if we adopt the long gate operation-time devices or qubit-saving circuits, factorization will not be completed within feasible time on the condition that a new efficient modular exponentiation algorithm will not be proposed. Furthermore, we point out that long gate operation time may become a new problem preventing a realization of quantum computers.

Many computer systems are designed to make it easy for end-users to install and update software. An undesirable side effect, from the perspective of many software producers, is that hostile end-users may analyze or tamper with the software being installed or updated. This paper proposes a way to avoid the side effect without affecting the ease of installation and updating. We construct a computer system M with the following properties: 1) the end-user may install a program P in any conveniently accessible area of M; 2) the program P contains encoded instructions whose semantics are obscure and difficult to understand; and 3) an internal interpreter W, embedded in a non-accessible area of M, interprets the obfuscated instructions without revealing their semantics. Our W is a finite state machine (FSM) which gives context-dependent semantics and operand syntax to the encoded instructions in P; thus, attempts to statically analyze the relation between instructions and their semantics will not succeed. We present a systematic method for constructing a P whose instruction stream is always interpreted correctly regardless of its input, even though changes in input will (in general) affect the execution sequence of instructions in P. Our framework is easily applied to conventional computer systems by adding a FSM unit to a virtual machine or a reconfigurable processor.

SFLASH was chosen as one of the final selection of the NESSIE project in 2003. It is one of the most efficient digital signature scheme and is suitable for implementation on memory-constrained devices such as smartcards. Side channel attacks (SCA) are a serious threat to memory-constrained devices. If the implementation on them is careless, the secret key may be revealed. In this paper, we experimentally analyze the effectiveness of a side channel attack on SFLASH. There are two different secret keys for SFLASH, namely the proper secret key (s,t) and the random seed Δ used for the hash function SHA-1. Whereas many papers discussed the security of (s,t), little is known about that of Δ. Steinwandt et al. proposed a theoretical DPA for finding Δ by observing the XOR operations. We propose another DPA on Δ using the addition operation modulo 2³², and present an experimental result of the DPA. After obtaining the secret key Δ, the underlying problem of SFLASH can be reduced to the C^* problem broken by Patarin. From our simulation, about 1408 pairs of messages and signatures are needed to break SFLASH. Consequently, SHA-1 must be carefully implemented in order to resist SCA on SFLASH.

Differential power analysis (DPA) might break implementations of elliptic curve cryptosystem (ECC) on memory constraint devices. Goubin proposed a variant of DPA using a point (0,y), which is not randomized in Jacobian coordinates or in an isomorphic class. This point often exists in standardized elliptic curves, and we have to care this attack. In this paper, we propose zero-value register attack as an extension of Goubin's attack. Note that even if a point has no zero-value coordinate, auxiliary registers might take zero value. We investigate these zero-value registers that cannot be randomized by the above randomization. Indeed, we have found several points P = (x,y) which cause the zero-value registers, e.g., (1) 3x² + a = 0,(2) 5x⁴ + 2ax² - 4bx + a² = 0,(3) P is y-coordinate self-collision point, etc. We demonstrate the elliptic curves recommended in SECG that have these points. Interestingly, some conditions required for zero-value register attack depend on explicit implementation of addition formulae -- in order to resist this type of attacks, we have to care how to implement the addition formulae. Finally, we note that Goubin's attack and the proposed attack assume that a base point P can be chosen by attackers and a secret scalar d is fixed, so that they are not applicable to ECDSA.

Isogeny for elliptic curve cryptosystems was initially used for efficient improvement of order counting methods. Recently, Smart proposed a countermeasure using isogeny for resisting a refined differential power analysis by Goubin (Goubin's attack). In this paper, we examine a countermeasure using isogeny against zero-value point (ZVP) attack that is generalization of Goubin's attack. We show that some curves require higher order of isogeny to prevent ZVP attack. Moreover, we prove that the class of curves that satisfies (-3/p) = 1 and whose order is odd cannot be mapped by isogeny to curves with a = -3 and secure against ZVP attack. We point out that three SECG curves are in this class. In the addition, we compare some efficient algorithms that are secure against both Goubin's attack and ZVP attack, and present the most efficient method of computing a scalar multiplication for each curve from SECG. Finally, we discuss another improvement for an efficient scalar multiplication, namely the usage of a point (0,y) for a base point of curve parameters. We are able to improve about 11% for double-and-add-always method, when the point (0,y) exists in an underlying curve or its isogeny.

At CHES 2000, Schindler introduced a timing attack that enables the factorization of an RSA-modulus if RSA implementations use the Chinese Remainder Theorem and Montgomery multiplication. In this paper we introduce another approach for deriving the secret prime factor by focusing on the conditional branch Schindler used in his attack. One of the countermeasures against Schindler's attack is the blinding method. If input data are blinded with a fixed value or short-period random numbers, Schindler's attack does not work but our method can still factorize the RSA-modulus.

In this paper we propose a new side channel attack, where exponent recodings for public key cryptosystems such as RSA and ECDSA are considered. The known side channel attacks and countermeasures for public key cryptosystems were against the main stage (square and multiply stage) of the modular exponentiation (or the point multiplication on an elliptic curve). We have many algorithms which achieve fast computation of exponentiations. When we compute an exponentiation, the exponent recoding has to be carried out before the main stage. There are some exponent recoding algorithms including conditional branches, in which instructions depend on the given exponent value. Consequently exponent recoding can constitute an information channel, providing the attacker with valuable information on the secret exponent. In this paper we show new algorithms of attack on exponent recoding. The proposed algorithms can recover the secret exponent, when the width-w NAF and the unsigned/signed fractional window representation are used.

This paper proposes fast elliptic curve multiplication algorithms resistant against side channel attacks, based on the Montgomery-type scalar multiplication. The proposed scalar multiplications can be applied to all curves over prime fields, e.g., any standardized curves over finite fields with characteristic larger than 3. The method utilizes the addition formulas xECDBL and xECADD assembled by only x-coordinates of points, and is applicable for any types of curves over finite fields. Then, we encapsulate two addition formulas into one formula xECADDDBL, which accomplishes a faster computation because several auxiliary variables of two formulas can be shared. We also develop a novel addition chain for the new formula, with which we can compute scalar multiplications. The improvement of our scalar multiplications over previous Coron's dummy operation method is about 18% for a 160-bit scalar multiplication. Our method requires no table-up of precomputed points and it is suitable for the implementation on memory constraint computing architectures, e.g., smart cards. Moreover, we optimize the proposed algorithms for parallelized implementations with SIMD operations. Compared with the similar scheme proposed by Fischer et al., our scheme is about 16% faster.

In this paper, we propose an efficient protocol for proving the correctness of shuffling and an efficient protocol for simultaneously proving the correctness of both shuffling and decryption. The former protocol is the most efficient in computational and communication complexity among 3-move honest verifier perfect zero-knowledge protocols for proving a shuffling of ElGamal cipher-texts. The latter protocol is the most efficient in computational, communication, and round complexity, as a whole, in proving the correctness of both shuffling and decryption of ElGamal cipher-texts. The proposed protocols will be a building block of an efficient, universally verifiable mix-net, whose application to voting systems is prominent.

The complete subtree (CS) method is one of the most well-known broadcast encryptions which do not enforce the receivers to keep "online." This paper is to reduce the size of secret information which must be stored in a terminal of the method. In the original CS method, the size of the secret information increases as the number of terminals increases. It is shown in this paper that, by making use of a one-way trapdoor permutation, we can make the size constant regardless of the number of terminals. The security of the proposed scheme is investigated, and detailed comparison with other similar schemes is presented. The proposed scheme is suitable for practical implementations of the CS method.

The PayWord Scheme, invented by Rivest and Shamir, is an efficient micropayment scheme utilizing a hash function. We point out that the scheme has the following problem: a malicious customer can damage the bank by purchasing in excess of the customer's credit which the bank has guaranteed by issuing a certificate. Generally, there are two positions of the bank with regard to the certificate. Position 1: the bank takes full responsibility for the certificate and compensates all payments created by the customer's purchases; and Position 2: the bank does not redeem payments exceeding a limit set for the customer and shares the loss with the shop if trouble occurs. In the PayWord Scheme, the bank can reduce its risk by adopting Position 2 rather than Position 1. However, this paper points out that the bank can damage the shop in Position 2 by impersonating an imaginary customer and making the shop share the loss with the bank. We propose a micropayment scheme (countermeasure) that overcomes these problems.

This paper deals with broadcast encryption schemes, in which a sender can send information securely to a group of receivers excluding some receivers over a broadcast channel. In this paper we propose modifications of the Complete Subtree (CS), the Subset Difference (SD) and the Layered Subset Difference (LSD) methods based on the Master Key Tree (MKT). Our modifications eliminate log N keys or labels from receivers' storage, in exchange for an increase in the computational overhead, where N is the total number of receivers. We also propose modifications of the SD and LSD methods by applying the Trapdoor One-way Permutation Tree (TOPT) which is originally proposed in order to modify the CS method. Our modifications based on TOPT also eliminate log N labels, and the computational cost is much smaller than MKT based methods.

We present an efficient Hybrid Mix scheme that provides both routing flexibility and the optimal length of ciphertext. Although it is rather easy to embed routing information in the ciphertext, and a scheme that provides the optimal length of ciphertext is already known, it is not a trivial task to achieve both properties all at the same time. A critical obstacle for providing the optimal length of ciphertext is the session-key encapsulation header in a ciphertext that carries the encrypted session-key to each router, which linearly increases according to the number of intermediate routers. We solve this problem by improving the previously reported Hybrid Mix scheme such that the resulting scheme benefits from routing flexibility with a constant length of such headers. Our basic scheme is only secure against honest, but curious intermediate routers. Therefore, we further address the robustness issue to prevent malicious behavior by incorporating and improving an existing efficient approach based on the Message Authentication Code.

To investigate cyber-criminals, Police sometimes asks Administrator of a computer system to disclose the whole transaction log. Administrator, however, wants to protect the privacy of innocent users. This paper presents a solution for the disclosure/privacy problem of transaction log. In this scheme, Police can search over the encrypted records of the transaction log by keywords. The administrator discloses only the records which include the keyword, but nothing more. Police can verify that the administrator faithfully disclosed all the records which include the keyword.

Electronic voting is a prime application of cryptographic tools. Many researches are addressing election or confidence voting in this area. We address a new type of voting scheme "Divisible Voting Scheme," in which each voter has multiple ballots where the number of ballots can be different among the voters. This type of voting is popular. We first define the divisible voting scheme and show naive protocols based on existing voting schemes. Then we propose two efficient divisible voting schemes. The first scheme uses multisets, the second scheme uses L-adic representation of the number of ballots. The total cost for a voter is O(M ² log (N)) in the first scheme and O(M log (N)) in the second scheme where M is the number of candidates to vote for and N is the number of ballots for a voter.

A digital signature does not allow any alteration of the document to which it is attached. Appropriate alteration of some signed documents, however, should be allowed because there are security requirements other than that for the integrity of the document. In the disclosure of official information, for example, sensitive information such as personal information or national secrets is masked when an official document is sanitized so that its nonsensitive information can be disclosed when it is demanded by a citizen. If this disclosure is done digitally by using the current digital signature schemes, the citizen cannot verify the disclosed information correctly because the information has been altered to prevent the leakage of sensitive information. That is, with current digital signature schemes, the confidentiality of official information is incompatible with the integrity of that information. This is called the digital document sanitizing problem, and some solutions such as digital document sanitizing schemes and content extraction signatures have been proposed. In this paper, we point out that the conventional digital signature schemes are vulnerable to additional sanitizing attack and show how this vulnerability can be eliminated by using a new digitally signed document sanitizing scheme with disclosure condition control.

The Public Key Infrastructure (PKI) technology is very important to support the electronic commerce and digital communications on existing networks. The Online Certificate Status Protocol (OCSP) is the standard protocol for retrieving certificate revocation information in the PKI. To minimize the damages caused by OCSP responder's private key exposure, a distributed OCSP composed of multiple responders is needed. This paper presents a new distributed OCSP with a single public key by using key-insulated signature scheme. In proposed distributed OCSP, each responder has the different private key, but corresponding public key remains fixed. Therefore the user simply obtains and stores one certificate, and can verify any responses by using a single public key.

This paper presents an attempt to make rational active adversary passive using mechanism design. We propose a secure Generalized Vickrey Auction (GVA) scheme where the procedure executed by a bidder affects neither the prices nor the allocation of the bidder. Therefore, a bidder does not have an incentive to be an active adversary.

We consider delivering interactive dramas. A viewer interacts with a contents provider by answering multiple-choice questions and the answers to these questions influence the plot of delivered story. All possible plots can be represented by a directed graph such that every plot corresponds to some path of the graph. A delivery should be controlled according to the directed graph such that each viewer's history of answered choices forms a path of the graph. On the other hand, because some character of a viewer is known to a contents provider from his history of choices, a viewer tries to prevent even a contents provider from linking choices made by him. In this paper, we introduce unlinkable delivery for an interactive drama and propose such a delivery system for interactive dramas that viewer's choices are unlinkable and delivery is controlled according to the directed graph.

The research communitiy has shown considerable interest in studying access control in single Trusted Operating Systems (TOS). However, interactions among multiple TOSs have attracted relatively little attention. In this paper, we propose a Collaborative Role-Based Access Control (C-RBAC) model for distributed systems in which accesses across system domain boundaries are allowed. Access entities in a TOS vary in time. The changes in the organizational structure of the access entities in one system may influence other cooperating systems. In addition, policy-freeness, domain and rule conflicts are possible. These problems restrict the flexibility and scalability of coordination. We propose drafting a meta-component to play the role of a coordinator in multi-domain role-based access control. It is then possible to impart flexibility and scalability in a secure fashion. Experimental studies of the proposed model with the Network File System and SELinux system support our conclusion.

We propose discrimination method of synthetic speech using pitch pattern of speech signal. By applying the proposed synthetic speech discrimination system as pre-process before the conventional HMM speaker verification system, we can improve the safety of conventional speaker verification system against imposture using synthetic speech. The proposed method distinguishes between synthetic speech and natural speech according to the pitch pattern which is distribution of value of normalized short-range autocorrelation function. We performed the experiment of user verification, and confirmed the validity of the proposed method.

In this paper, we propose a transformation function for a user's raw iris data, an "iris code" in iris scanning verification on the server, since the iris code requires to be hidden from even a server administrator. We then show that the user can be properly authenticated on the server, even though the iris code is transformed by the proposed function. The reason is that the function has a characteristic, "The (normalized) Hamming distances between the enrolled iris codes and the verified iris codes are conserved before and after the computation of the function," that is, the normalized Hamming distance in this scheme is equal to that in the existing scheme. We also show that the transformed iris code is sufficiently secure to hide the original iris code, even if a stronger attack model is supposed than the previously described model. That can be explained from the following two reasons. One reason is that nonlinear function, which consists of the three-dimensional rotation about the x-axis and the y-axis with the iris code lengthened bit by bit, and the cyclic shift, does not enable an attacker to conjecture the iris code. The other reason is that the success probabilities for the exhaustive search attack concerning the iris code in the supposed attack models are lower than those of the previously proposed methods and are negligible.

Fingerprinting is a technique to add identifying marks to each copy of digital contents in order to enhance traceability to a distribution system. Collusion attacks, in which the attackers collect two or more fingerprinted copies and try to generate an untraceable copy, are considered to be a threat for the fingerprinting system. With the aim of enhancing collusion security to the fingerprinting system, several collusion secure codes, such as c-frameproof code, c-secure frameproof code and c-identifiable parent property code, have been proposed. Here, c indicates the maximum number of colluding users. However, a practical construction of the above codes is still an issue because of the tight restrictions originated from their combinatorial properties. In this paper, we introduce an evaluation of frameproof, secure frameproof, and identifiable parent property by the probability that a code has the required property. Then, we focus on random codes. For frameproof and secure frameproof properties, we estimate the average probability that random codes have the required property where the probability is taken over the random construction of codes and random construction of coalitions. For the estimation, we assume the uniform distribution of symbols of random codes and the symbols that the coalitions hold. Therefore, we clarify the adequacy of the assumptions by comparison with numerical results. The estimates and numerical results resemble, which implies the adequacy of the assumption at least in the range of the experiment.

In this letter, we propose a fast modular reduction method over Euclidean rings, which is a generalization of Barrett's reduction algorithm over the ring of integers. As an application, we construct new universal hash function families whose operations are modular arithmetic over a Euclidean ring, which can be any of three rings, the ring of integers, the ring of Gauss integers and the ring of Eisenstein integers. The implementation of these families is efficient by using our method.

We discuss a typical profile of the k-error linear complexity for balanced binary exponent periodic sequences and the number of periodic distinct sequences by their profiles. A numerical example with period 16 is also shown.

This letter presents an image rectification scheme that can be used by any image watermarking algorithms to provide robustness against rotation, scaling and translation (RST) transformations.

In 2003, Shen et al. proposed an improvement on Yang-Shieh's timestamp-based password authentication scheme using smart cards. Then they claimed that their scheme cannot withstand a forged login attack, but also eliminate a problem of Yang-Shieh's. However, their scheme is still susceptible to forged login attack. In this letter, we show how the forged login attack can be worked out on Shen et al.'s scheme.

We propose efficient secret sharing schemes realizing general access structures. Our proposed schemes are perfect secret sharing schemes and include Shamir's (k, n)-threshold schemes as a special case. Furthermore, we show that a verifiable secret sharing scheme for general access structures is realized by one of the proposed schemes.

This paper presents the Coloured Petri Net modeling for security analysis of the Extended Role Based Access Control systems.

Cryptosystems for smartcard are required to provide protection from Differential Power Analysis (DPA) attack. Self-timed circuit based cryptosystems demonstrate considerable resistance against DPA attack, but they take substantial circuit area. A novel approach offering up to 30% area reduction and maintaining DPA protection level close to DIMS scheme is proposed.

In this work we give an extension of Kauffman's NK-Landscapes to multiobjective MNK-Landscapes in order to study the effects of epistasis on the performance of multiobjective evolutionary algorithms (MOEAs). This paper focuses on the development of multiobjective random one-bit climbers (moRBCs). We incrementally build several moRBCs and analyze basic working principles of state of the art MOEAs on landscapes of increased epistatic complexity and number of objectives. We specially study the effects of Pareto dominance, non-dominance, and the use of memory and a population to influence the search. We choose an elitist non-dominated sorting multiobjective genetic algorithm (NSGA-II) as a representative of the latest generation of MOEAs and include its results for comparison. We detail the behavior of the climbers and show that population based moRBCs outperform NSGA-II for all values of M and K.

The Mobius cube MQ_n proposed by Cull et al. is an alternative to the popular hypercube network. Recently, MQ_n was shown to be pancyclic, i.e., cycles of any lengths at least four can be embedded into it. Due to the importance of the fault tolerance in the parallel processing area, in this paper, we study an injured MQ_n with mixed node and link faults. We show that it is (n - 2)-fault-tolerant pancyclic for n 3, that is, an injured n-dimensional MQ_n is still pancyclic with up to (n - 2) faults. Furthermore, our result is optimal.

In this paper, we study trellis properties of the tensor product (product code) of two linear codes, and prove that the tensor product of the lexicographically first bases for two linear codes in minimal span form is exactly the lexicographically first basis for their product code in minimal span form, also the tensor products of characteristic generators of two linear codes are the characteristic generators of their product code.

A low-complexity step-by-step decoding algorithm for t-error-correcting binary Bose-Chaudhuri-Hocquenghem (BCH) codes is proposed. Using logical analysis, we obtained a simple rule which can directly determine whether a bit in the received word is correct. The computational complexity of this decoder is less than the conventional step-by-step decoding algorithm, since it reduces at least half of the matrix computations and the most complex element in the conventional step-by-step decoder is the "matrix-computing" element.

In orthogonal frequency division multiplexing (OFDM) systems with differential phase shift keying (DPSK), it is possible to apply differential modulation either in the time or frequency domain depending on the condition of fading channels, such as the Doppler frequency shift and the delay spread. This paper proposes a simple calculation method, that is, an approximate closed-form equation of the bit error rate (BER) in DPSK/OFDM systems mentioned above over both time and frequency selective Rician fading channels. The validity of the proposed method is demonstrated by the fact that the BER performances given by the derived equation coincide with those by Monte Carlo simulation.

Tamper proofing is a crucial problem in the watermarking application. Aiming at the credibility of multimedia, we present a semi-fragile watermark based on the image permutation. Watermarking detection is performed without resorting to the host image and it is only controlled by secrete keys, thus the whole scheme does not have certain security gaps. The simulation experiments show that it can survive the JPEG compression and effectively specify the region of the image that has been modified maliciously.

One of the main disadvantage of multi-carrier CDMA (MC-CDMA) signals is the high peak power of the transmitted signals which limits their applications. To account for this issue, we provide a simple signal processing for reducing the high crest factor (CF) of MC-CDMA signals. Using this modified MC-CDMA signal, the high CF due to Walsh spreading sequences can be mitigated without explicit side information and degradation in the detection performance.

Tufts-Kumaresan (TK) method, which is based on linear prediction approach, is a standard algorithm for estimating the frequencies of sinusoids in noise. In this Letter, the TK algorithm is improved by attenuating the noise in the observation vector with the use of the reduced rank data matrix. It is shown that the proposed modification can provide smaller mean square frequency errors with lower threshold signal-to-noise ratios than the TK method and a total least squares solution.

A new bipolar linear transconductor for low-voltage low-power signal processing is proposed. The proposed circuit has larger input linear range and smaller power dissipation when compared with the conventional bipolar linear transconductor. The experimental results show that the transconductor with a transconductance of 50 µS has a linearity error of less than 0.02% over an input voltage range of 2.1 V at supply voltages of 3 V. The power dissipation of the transconductor is 3.15 mW.

Sliding mode control (SMC) is known to be robust with respect to matched uncertainties. However, it does not guarantee stability of systems with mismatched uncertainties. In this paper, we propose a new method to design a sliding surface for linear systems with mismatched uncertainties. The proposed sliding surface provides a new stability criterion of the reduced-order system origin with respect to mismatched uncertainties. A numerical example is given to illustrate the effectiveness of the proposed method.

In this letter we first introduce a new generalized cyclotomic sequence of order four with respect to pq, then we calculate the linear complexity and minimal polynomial of this sequence. Our results show that the new binary sequence is quite good from the linear complexity viewpoint.

In this letter, a method to construct good binary and quaternary error correcting codes, called complex Hadamard codes, based on a complex Hadamard matrix is presented. The related properties of the codes are analyzed. In addition, through the operation in Z₄ domain, a new simplex soft-decision decoding algorithm for the complex Hadamard codes is also proposed.

For fixed initial and destination states (i.e., markings), M₀ and M_d, there exist generally infinite firing count vectors in a Petri net. In this letter, it is shown that all fundamental particular solutions as well as all minimal T-invariants w.r.t. firing count vectors are needed to express an arbitrary firing count vector for the fixed M₀ and M_d. An algorithm for finding a special firing count vector which is expressed by using the only one specified fundamental particular solution is also given.