In this paper, we show that a key encapsulation mechanism (KEM) does not have to be IND-CCA secure in the construction of hybrid encryption schemes, as was previously believed. That is, we present a more efficient hybrid encryption scheme than Shoup  by using a KEM which is not necessarily IND-CCA secure. Nevertheless, our scheme is secure in the sense… (More)
This paper shows that nonperfect secret sharing schemes (NSS) have matroid structures and presents a direct link between the secret sharing matroids and entropy for both perfect and nonperfect schemes. We deene natural classes of NSS and derive a lower bound of jVij for those classes. \Ideal" nonperfect schemes are deened based on this lower bound. We prove… (More)
A Boolean function f satisses PC(l) of order k if f(x) f(x) is balanced for any such that 1 W () l even if any k input bits are kept constant, where W () denotes the Hamming weight of. This paper shows the rst design method of such functions which provides deg(f) 3. More than that, we show how to design \balanced" such functions. High nonlinearity and large… (More)
The k-error linear complexity of a periodic sequence of period N is deened as the smallest linear complexity that can be obtained by changing k or fewer bits of the sequence per period. This paper shows a relationship between the linear complexity and the minimum value k for which the k-error linear complexity is strictly less than the linear complexity.
In this paper, we present One-key CBC MAC (OMAC) and prove its security for arbitrary length messages. OMAC takes only one key, K (k bits) of a block cipher E. Previously, XCBC requires three keys, (k + 2n) bits in total, and TMAC requires two keys, (k + n) bits in total, where n denotes the block length of E. The saving of the key length makes the security… (More)
A traceability scheme is a broadcast encryption scheme such that a data supplier T can trace malicious authorized users (traitors) who gave a decryption key to an unauthorized user (pirate). This paper rst derives lower bounds on the sizes of keys and ciphertexts. These bounds are all tight because an optimum one-time use scheme is also presented. We then… (More)
In the model of perfectly secure message transmission schemes (PSMTs), there are n channels between a sender and a receiver. An infinitely powerful adversary A may corrupt (observe and forge) the messages sent through t out of n channels. The sender wishes to send a secret s to the receiver perfectly privately and perfectly reliably without sharing any key… (More)