#### DMCA

## doi:10.1093/comjnl/bxh149 Unconditionally Secure Anonymous Encryption and Group Authentication 1 (2005)

### Citations

3888 | A method for obtaining digital signatures and public-key cryptosystems
- Rivest, Shamir, et al.
- 1978
(Show Context)
Citation Context ...ge contents along with the identity of the sender open to perusal. In a computationally secure setting, this problem can be solved straightforwardly by using (conventional) public-key encryption e.g. =-=[5, 6]-=- and group signatures [7, 8] shielding the sender’s identity. Theses2of12 G. Hanaoka et al. schemes and the infrastructure within which they operate are restricted in scope in that they rely for their... |

3532 | New directions in cryptography
- Diffie, Hellman
- 1976
(Show Context)
Citation Context ...for decryption or message verification, these systems can be easily compromised, thus corrupting results or violating senders’ privacy. For example, if Diffie–Hellman key exchange (with certificates) =-=[4]-=- or (conventional) digital signatures are used, the receiver will be able to easily obtain information regarding the sender’s identity, and also may leave the message contents along with the identity ... |

1578 | Untraceable electronic mail, return addresses, and digital pseudonyms
- Chaum
- 1981
(Show Context)
Citation Context ...thout revealing his/her identity, e.g. electronic voting. A most commonly used cryptographic technique that is used to build an actual implementation of these characters, is called anonymous channels =-=[1, 2, 3]-=-. However, if not 1 A preliminary version of this paper was presented at Asiacrypt’02 [Hanaoka, G., Shikata, J., Hanaoka, Y. and Imai, H. (2002) Unconditionally secure anonymous encryption and group a... |

1548 | A public key cryptosystem and a signature scheme based on discrete logarithms
- ElGamal
- 1985
(Show Context)
Citation Context ...ge contents along with the identity of the sender open to perusal. In a computationally secure setting, this problem can be solved straightforwardly by using (conventional) public-key encryption e.g. =-=[5, 6]-=- and group signatures [7, 8] shielding the sender’s identity. Theses2of12 G. Hanaoka et al. schemes and the infrastructure within which they operate are restricted in scope in that they rely for their... |

1218 |
Communication Theory of Secrecy Systems
- Shannon
- 1949
(Show Context)
Citation Context ...rem. ⊓⊔ Lemma 2.1 implies that the memory size requirement for an encryption key in USAE is equal to or greater than that for a ciphertext. This is also closely related to the famous Shannon’s result =-=[24]-=-. That is, in unconditionally secure symmetric encryption, it is a well-known fact that the required memory size for an encryption key is equal to or greater than that for a plaintext, assuming that a... |

840 |
Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract
- Ben-Or, Goldwasser, et al.
- 1988
(Show Context)
Citation Context ...butes each user’s secret in the initial phase and deletes his memory after the distribution of the secrets. We should note that the trusted initializer can be removed by using multi-party computation =-=[23]-=- if the number of malicious users is less than a third of the total number of users and there exists a private channel between each pair of users. In the model of USAE, there are n+2 participants, a s... |

641 |
Group Signatures
- Chaum, Heyst
- 1991
(Show Context)
Citation Context ...dentity of the sender open to perusal. In a computationally secure setting, this problem can be solved straightforwardly by using (conventional) public-key encryption e.g. [5, 6] and group signatures =-=[7, 8]-=- shielding the sender’s identity. Theses2of12 G. Hanaoka et al. schemes and the infrastructure within which they operate are restricted in scope in that they rely for their security on the assumed com... |

574 | The dining cryptographers problem: Unconditional sender and recipient untraceability
- Chaum
- 1988
(Show Context)
Citation Context ...thout revealing his/her identity, e.g. electronic voting. A most commonly used cryptographic technique that is used to build an actual implementation of these characters, is called anonymous channels =-=[1, 2, 3]-=-. However, if not 1 A preliminary version of this paper was presented at Asiacrypt’02 [Hanaoka, G., Shikata, J., Hanaoka, Y. and Imai, H. (2002) Unconditionally secure anonymous encryption and group a... |

515 | Relations among notions of security for public-key encryption schemes
- Bellare, Desai, et al.
(Show Context)
Citation Context ...ferent ciphertext ĉ such that the plaintexts m, ˆm underlying these two ciphertexts are meaningfully related. For computational encryption schemes, formal definitions of non-malleability are given in =-=[27, 28]-=-. Here, we give a definition of non-malleability for USAE. Definition 4. Let ĉ(�= c) be another ciphertext which could have been generated by s instead of c in USAE, and ˆm(�= m) be a plaintext underl... |

477 | Non-Malleable Cryptography
- Dolev, Dwork, et al.
- 2000
(Show Context)
Citation Context ...s fact is due to the following proposition: Proposition 1 ([25]). In a non-trivial (n, t, k)-CFF with n>t, [k(k − 1)]/2 ≤ n. 2.6. Non-malleable scheme In this subsection, we consider non-malleability =-=[26]-=- of the proposed USAE. Frankly, non-malleability means an adversary’s inability i.e. given a challenge ciphertext c, to generate a different ciphertext ĉ such that the plaintexts m, ˆm underlying thes... |

420 | A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation
- Bellare, Desai, et al.
- 1997
(Show Context)
Citation Context ...ferent ciphertext ĉ such that the plaintexts m, ˆm underlying these two ciphertexts are meaningfully related. For computational encryption schemes, formal definitions of non-malleability are given in =-=[27, 28]-=-. Here, we give a definition of non-malleability for USAE. Definition 4. Let ĉ(�= c) be another ciphertext which could have been generated by s instead of c in USAE, and ˆm(�= m) be a plaintext underl... |

314 | Efficient group signature schemes for large groups.
- Camenisch, Stadler
- 1997
(Show Context)
Citation Context ...dentity of the sender open to perusal. In a computationally secure setting, this problem can be solved straightforwardly by using (conventional) public-key encryption e.g. [5, 6] and group signatures =-=[7, 8]-=- shielding the sender’s identity. Theses2of12 G. Hanaoka et al. schemes and the infrastructure within which they operate are restricted in scope in that they rely for their security on the assumed com... |

153 | Families of finite sets in which no set is covered by the union of r others,
- ERDSS, FRANKL, et al.
- 1985
(Show Context)
Citation Context ... message. We also investigate tight lower bounds on required memory sizes from information theory and also show concrete constructions of USAE schemes based on polynomials and cover free family (CFF) =-=[9]-=-. A USAE based on polynomials is optimal because it matches the lower bounds. We further show another construction from combinatorial theory, a non-malleable scheme and a multireceiver scheme. We then... |

97 |
Universally verifiable mix-net with verification work independent of the number of mix-servers.
- Abe
- 1998
(Show Context)
Citation Context ...thout revealing his/her identity, e.g. electronic voting. A most commonly used cryptographic technique that is used to build an actual implementation of these characters, is called anonymous channels =-=[1, 2, 3]-=-. However, if not 1 A preliminary version of this paper was presented at Asiacrypt’02 [Hanaoka, G., Shikata, J., Hanaoka, Y. and Imai, H. (2002) Unconditionally secure anonymous encryption and group a... |

86 |
Perfectly Secure Key Distribution for Dynamic Conferences”,
- Blundo, Santis, et al.
- 1998
(Show Context)
Citation Context ...sing MDS linear codes. His idea was later generalized by Matsumoto and Imai [11], viz. key predistribution schemes (KPS); they also proposed a simpler version of KPS, the linear scheme. Blundo et al. =-=[12]-=- proposed a concrete construction of KPS for conference key distribution and investigated lower bounds on required memory size for users and showed that their scheme, as well as Blom’s original scheme... |

79 |
Codes which detect deception,
- Gilbert, MacWilliams, et al.
- 1974
(Show Context)
Citation Context ...t a requirement of sender’s identity. Unconditionally secure authentication schemes and group signatures. For a secure authentication without computational assumptions, unconditionally secure A-codes =-=[16, 17]-=- may be considered which have been intensively studied in the literature. An overall structure of A-codes is as follows. In the first stage of A-codes, a trusted authority generates secret information... |

62 | On some methods for unconditionally secure key distribution and broadcast encryption, Design, Codes and Cryptography 12
- Stinson
- 1997
(Show Context)
Citation Context ...l as Blom’s original scheme and Matsumoto–Imai’s scheme, all matched the lower bounds. Blundo et al. [13], as well as Kurosawa et al. [14] showed other interesting bounds on required memory sizes. In =-=[15]-=-, an in-depth survey of various constructions of KPS has been carried out and corresponding properties have been investigated. KPS may seem to be the best building blocks for unconditionally secure co... |

52 |
On the Key Predistribution System: A Practical Solution to the Key Distribution Problem”,
- Matsumoto, Imai
- 1987
(Show Context)
Citation Context ...table security primitives. Blom [10] made the first attempt to construct an unconditionally secure key distribution scheme using MDS linear codes. His idea was later generalized by Matsumoto and Imai =-=[11]-=-, viz. key predistribution schemes (KPS); they also proposed a simpler version of KPS, the linear scheme. Blundo et al. [12] proposed a concrete construction of KPS for conference key distribution and... |

47 |
Authentication theory/coding theory
- Simmons
- 1985
(Show Context)
Citation Context ...t a requirement of sender’s identity. Unconditionally secure authentication schemes and group signatures. For a secure authentication without computational assumptions, unconditionally secure A-codes =-=[16, 17]-=- may be considered which have been intensively studied in the literature. An overall structure of A-codes is as follows. In the first stage of A-codes, a trusted authority generates secret information... |

46 |
Multi-receiver/multi-sender network security: efficient authenticated multicast/feedback..
- Desmedt, Frankel, et al.
- 1992
(Show Context)
Citation Context ...wer. There have also been many attempts to modify A-codes with the aim of enhancing the codes with desirable properties other than anonymity, such as asymmetricity [18] and multireceiver-authenticity =-=[19]-=-.sUnconditionally Secure Anonymous Encryption and Group Authentication 3of12 However, in none of these attempted modifications, receivers were able to identify the sender of the message. Thus, there w... |

45 | Trade-offs between communication and storage in unconditionally secure schemes for broadcast encryption and interactive key distribution.
- Blundo, Mattos, et al.
- 1996
(Show Context)
Citation Context ...nd investigated lower bounds on required memory size for users and showed that their scheme, as well as Blom’s original scheme and Matsumoto–Imai’s scheme, all matched the lower bounds. Blundo et al. =-=[13]-=-, as well as Kurosawa et al. [14] showed other interesting bounds on required memory sizes. In [15], an in-depth survey of various constructions of KPS has been carried out and corresponding propertie... |

41 |
Non-Public Key Distribution
- Blom
- 1982
(Show Context)
Citation Context ...onally secure key distribution schemes. For confidentiality without computational assumptions, unconditionally secure key distribution schemes are often utilized as suitable security primitives. Blom =-=[10]-=- made the first attempt to construct an unconditionally secure key distribution scheme using MDS linear codes. His idea was later generalized by Matsumoto and Imai [11], viz. key predistribution schem... |

17 |
Message authentication with arbitration of transmitter/receiver disputes
- Simmons
- 1987
(Show Context)
Citation Context ...rsary has unlimited computational power. There have also been many attempts to modify A-codes with the aim of enhancing the codes with desirable properties other than anonymity, such as asymmetricity =-=[18]-=- and multireceiver-authenticity [19].sUnconditionally Secure Anonymous Encryption and Group Authentication 3of12 However, in none of these attempted modifications, receivers were able to identify the ... |

11 | M.: Some Bounds and a Construction for Secure Broadcast Encryption
- Kurosawa, Yoshida, et al.
- 1998
(Show Context)
Citation Context ...equired memory size for users and showed that their scheme, as well as Blom’s original scheme and Matsumoto–Imai’s scheme, all matched the lower bounds. Blundo et al. [13], as well as Kurosawa et al. =-=[14]-=- showed other interesting bounds on required memory sizes. In [15], an in-depth survey of various constructions of KPS has been carried out and corresponding properties have been investigated. KPS may... |

9 | Unconditionally Secure Digital Signature Schemes Admitting Transferability
- Hanaoka, Shikata, et al.
- 2000
(Show Context)
Citation Context ... existing A-codes and their variants that were applicable concerning the protection of the sender’s identity, i.e. no anonymity. Though there are some unconditionally secure digital signature schemes =-=[20, 21, 22]-=- that do exist, these schemes yet too, do not provide anonymity. However, in computationally secure settings, anonymity can be achieved by using group signatures [7, 8]. For a group signature, a user ... |

5 | Security notions for unconditionally secure signature schemes
- Shikata, Hanaoka, et al.
- 2002
(Show Context)
Citation Context ... existing A-codes and their variants that were applicable concerning the protection of the sender’s identity, i.e. no anonymity. Though there are some unconditionally secure digital signature schemes =-=[20, 21, 22]-=- that do exist, these schemes yet too, do not provide anonymity. However, in computationally secure settings, anonymity can be achieved by using group signatures [7, 8]. For a group signature, a user ... |

3 | Efficient and unconditionally secure digital signatures and a security analysis of a multireceiver authentication code
- Hanaoka, Shikata, et al.
- 2002
(Show Context)
Citation Context ... existing A-codes and their variants that were applicable concerning the protection of the sender’s identity, i.e. no anonymity. Though there are some unconditionally secure digital signature schemes =-=[20, 21, 22]-=- that do exist, these schemes yet too, do not provide anonymity. However, in computationally secure settings, anonymity can be achieved by using group signatures [7, 8]. For a group signature, a user ... |