In this paper, we show that a key encapsulation mechanism (KEM) does not have to be IND-CCA secure in the construction of hybrid encryption schemes, as was previously believed. That is, we present a more efficient hybrid encryption scheme than Shoup by using a KEM which is not necessarily IND-CCA secure. Nevertheless, our scheme is secure in the sense…
The k-error linear complexity of a periodic sequence of period N is defined as the smallest linear complexity that can be obtained by changing k or fewer bits of the sequence per period. This paper shows a relationship between the linear complexity and the minimum value k for which the k-error linear complexity is strictly less than the linear complexity.
This paper shows that nonperfect secret sharing schemes (NSS) have matroid structures and presents a direct link between the secret sharing matroids and entropy for both perfect and nonperfect schemes. We define natural classes of NSS and derive a lower bound of |Vi| for those classes. "Ideal" nonperfect schemes are defined based on this lower bound. We prove…
A Boolean function f satisfies PC(l) of order k if f(x) f(x) is balanced for any such that 1 W () l even if any k input bits are kept constant, where W () denotes the Hamming weight of. This paper shows the first design method of such functions which provides deg(f) 3. More than that, we show how to design "balanced" such functions. High nonlinearity and large…
A traceability scheme is a broadcast encryption scheme such that a data supplier T can trace malicious authorized users (traitors) who gave a decryption key to an unauthorized user (pirate). This paper first derives lower bounds on the sizes of keys and ciphertexts. These bounds are all tight because an optimum one-time use scheme is also presented. We then…
Tompa and Woll considered a problem of cheaters in (k; n) threshold secret sharing schemes. We first derive a tight lower bound on the size of shares |Vi| for this problem: |Vi| (|S| 0 1)= + 1, where Vi denotes the set of shares of participant Pi, S denotes the set of secrets, and denotes the cheating probability. We next present an optimum scheme which meets…
We analyze the security of iterated 2m-bit hash functions with rate 1 whose round functions use a block cipher with an m-bit input (output) and a 2m-bit key. We first show a preimage attack with O(2^m) complexity on Yi and Lam's hash function of this type. This means that their claim is wrong and it is less secure than MDC-2. Next, it is shown that…