Inference attacks mean that a user derives information on the execution results of unauthorized queries from the execution results of authorized queries. Most of the studies on inference attacks so far have focused on only inference of positive information (i.e., what value is the execution result of a given unauthorized query). However, negative information (i.e., what value is never the execution result of a given unauthorized query) is also sensitive in many cases. This paper presents the following results on the security against inference attacks on negative information in object-oriented databases. First, inference of negative information is formalized under a model of object-oriented databases called method schemas. Then, the following two types of security problems are defined: (1) Is a given database instance secure against inference attacks on given negative information? (2) Are all of the database instances of a given database schema secure against inference attacks on given negative information? It is shown that the first problem is decidable in polynomial time in the description size of the database instance while the second one is undecidable. A decidable sufficient condition for any database instance of a given database schema to be secure is also proposed. Finally, it is shown that for a monadic schema (i.e., every method has exactly one parameter), this sufficient condition is also a necessary one.

A broadcast distribution system (BDS) is a system for the distribution of digital contents over broadcast channel where the data supplier broadcasts the contents in encrypted form and gives each subscriber a decoder containing a secret decryption key. A traitor is a subscriber who offers the information which allows to decrypt the broadcast. When a pirate decoder is captured, if at least one traitor can be identified from it, a BDS is said to be traitor-tracing. If the data supplier can prevent subscribers from obtaining the contents without recalling their decoders, a BDS is said to be subscriber-excluding. In this paper, we propose an efficient BDS which is both subscriber-excluding and traitor-tracing. We use similar mathematics to a threshold cryptosystem. In the proposed BDS, the maximum number of excluded subscribers reaches the maximum number of traitors in a coalition for which at least one traitor can be identified. We prove that the proposed BDS is secure against ciphertext-only attack if and only if ElGamal cryptosystem is secure against the attack and the discrete logarithm problem is hard. The proposed BDS is the first one which satisfies all the following features: Both subscriber-excluding and traitor-tracing, identifying all the traitors, black box tracing and public key system.

Local weight distribution is the weight distribution of minimal codewords in a linear code. We give the local weight distribution of the (256, 93) third-order binary Reed-Muller code. For the computation, a coset partitioning algorithm is modified by using a binary shift invariance property. This reduces the time complexity by about 1/256 for the code. A necessary and sufficient condition for minimality in Reed-Muller codes is also presented.

MISRs are widely used as signature circuits for VLSI built-in self tests. To improve the aliasing probability of MISRs, multiple MISRs and M-stage MISRs with m inputs are available, where M is grater than m. The aliasing probability as a function of the test length is analyzed for the compaction circuits for a binary symmetric channel. It is observed that the peak aliasing probability of the double MISRs is less than that of M-stage MISRs with m inputs. It is also shown that the final aliasing probability for a multiple MISR with d MISRs is 2dm and that for an M-stage MISR with m imputs is 2M if it is characterized by a primitive polynomial.

Computing the weight distribution of a code is a challenging problem in coding theory. In this paper, the weight distributions of (256, k) extended binary primitive BCH codes with k≤71 and k≥187 are given. The weight distributions of the codes with k≤63 and k≥207 have already been obtained in our previous work. Affine permutation and trellis structure are used to reduce the computing time. Computer programs in C language which use recent CPU instructions, such as SIMD, are developed. These programs can be deployed even on an entry model workstation to obtain the new results in this paper.

Subtrellises for low-weight codewords of binary linear block codes have been recently used in a number of trellis-based decoding algorithms to achieve near-optimum or suboptimum error performance with a significant reduction in decoding complexity. An algorithm for purging a full code trellis to obtain a low-weight subtrellis has been proposed by H.T. Moorthy et al. This algorithm is effective for codes of short to medium lengths, however for long codes, it becomes very time consuming. This paper investigates the structure and complexity of low-weight subtrellises for binary linear block codes. A construction method for these subtrellises is presented. The state and branch complexities of low-weight subtrellises for Reed-Muller codes and some extended BCH codes are given. In addition, a recursive algorithm for searching the most likely codeword in low-weight subtrellis-based decoding algorithm is proposed. This recursive algorithm is more efficient than the conventional Viterbi algorithm.

This paper introduces a new computational problem on a two-dimensional vector space, called the vector decomposition problem (VDP), which is mainly defined for designing cryptosystems using pairings on elliptic curves. We first show a relation between the VDP and the computational Diffie-Hellman problem (CDH). Specifically, we present a sufficient condition for the VDP on a two-dimensional vector space to be at least as hard as the CDH on a one-dimensional subspace. We also present a sufficient condition for the VDP with a fixed basis to have a trapdoor. We then give an example of vector spaces which satisfy both sufficient conditions and on which the CDH is assumed to be hard in previous work. In this sense, the intractability of the VDP is a reasonable assumption as that of the CDH.

A recursive and efficient method for generating binary vectors in non-increasing order of their likelihood for a set of all binary vectors is proposed. Numerical results on experiments show the effectiveness of this method. Efficient decoding algorithms with simulation results are also proposed as applications of the method.

A method is presented for computing the number of codewords of weight less than or equal to a given integer in a binary block code by using its trellis diagram. The time and space complexities are analyzed. It is also shown that this method is very efficient for the codes which have relatively simple trellis diagram, say some BCH codes. By using this method, the weight distribution of (128,36) extended BCH code is computed efficiently.

A cover free family (CFF) is a useful mathematical tool for cryptographic schemes where any pre-defined number of sets in the family do not cover another set in the family. The common disadvantage of CFF-based schemes is the requirement for a significantly large amount of data such as public keys and ciphertexts. This paper proposes a simple method to reduce the size of ciphertexts in CFF-based broadcast encryption schemes by removing redundant elements from sets in the family, and then analyzes the size of cihpertexts. As a result, in a typical distribution case, the average amount of ciphertexts is reduced to 83 percents (from 691Kbits to 576Kbits).

This letter is concerned with the evaluation of the average computational complexity of the maximum likelihood decoding of a linear block code using its trellis diagram. Each section of the L-section minimal trellis diagram for a linear block code consists of parallel components which are structurally identical subgraphs without cross connection between them. A parallel component is also known to be decomposed into subgraphs, and a decoding algorithm by using the structure of the subgraphs of parallel components was proposed, and an upper bound on the worst case computational complexity was derived. In this letter, the average computational complexity of the decoding algorithm is evaluated by computer simulation. We evaluated the average numbers of additions and comparisons performed in the decoding algorithm for example codes, (64,45) extended and permuted binary primitive BCH code, the third order Reed-Muller (64,42) code and its (64,40) subcode. It is shown that the average numbers are much smaller than those for the worst case, and hence the decoding algorithm is efficient when the number of sections, L, is small, say 4 or 8, for the example codes. Especially, for the (64,45) extended binary primitive BCH code with L4, the average numbers of additions and comparisons in the decoding algorithm for finding the survivor's metric of each state after finding the smallest metric among parallel branches are about 1/50 and 17/100 of those in the conventional exhaustive search, respectively. The number of additions and comparisons by the conventional search for all the example codes is smallest when L is 4. As a result, the decoding algorithm with L4 gives the smallest number of operations among those decoding methods considered here.

A secret sharing scheme is said to be d-multiplicative if the scheme allows the players to multiply shared d secrets by locally converting their shares into an additive sharing of the product. In the previous work, the following negative result for perfect secret sharing has been shown: The d-multiplicative secret sharing for d players is impossible. This paper extends the impossibility result to non-perfect secret sharing. Our main result is a proof that d-multiplicative secret sharing for d players is impossible even if every player has partial information on the secret (e.g., all but one bit). This result means that there is no need to relax the privacy requirement with leakage of partial information only for the purpose of d-multiplication.

A linear block code has a finite-length trellis diagram which terminates at the length of the code. Such a trellis diagram is expressed and constructed in terms of sections. The complexity of an L-section trellis diagram for a linear block code is measured by the state and branch complexities, the state connectivity, and the parallel structure. The state complexity is defined as the number of states at the end of each section of the L-section trellis diagram, the branch complexity is defined as the number of parallel branches between two adjacent states, the state connectivity is defined in terms of the number of states which are adjacent to and from a given state and the connections between disjoint subsets of states, and the parallel structure is expressed in terms of the number of parallel sub-trellis diagrams without cross connections between them. This paper investigates the branch complexity, the state connectivity, and the parallel structure of an L-section minimal trellis diagram for a binary linear block code. First these complexities and structure are expressed in terms of the dimensions of specific subcodes of the given code. Then, the complexities of 2i-section minimal trellis diagrams for Reed-Muller codes are given.

New algorithms for the MAP (also known as the APP) decoding and the MAX-LogMAP decoding of linear block codes are presented. The algorithms are devised based on the structural properties of linear block codes, and succeeds in reducing the decoding complexity without degrading the error performance. The proposed algorithms are suitable for the parallel and pipeline processing which improves the throughput of the decoder. To evaluate the decoding complexity of the proposed algorithms, simulation results for some well-known codes are presented. The results show that the algorithms are especially efficient than the conventional BCJR-based algorithms for codes whose rate are relatively low.

An algorithm for finding the optimal sectionalization for sectionalized trellises with respect to distinct optimality criterions was presented by Lafourcade and Vardy. In this paper, for linear block codes, we give a direct method for finding the optimal sectionalization when the optimality criterion is chosen as the total number |E| of the edges, the expansion index |E|-|V|+1, or the quantity 2|E|-|V|+1, only using the dimensions of the past and future sub-codes. A more concrete method for determining the optimal sectionalization is given for the Reed-Muller codes with the natural lexicographic coordinate ordering.

We have devised a polynomial time algorithm to decide the security of cryptographic protocols formally under certain conditions, and implemented the algorithm on a computer as a supporting system for deciding the security. In this paper, a useful approach is presented to decide security problems which do not satisfy some of the above-mentioned conditions by using the system. For its application, we consider a basic security problem of Kerberos protocol, whether or not an enemy can obtain the session key between a client and a server by using any information not protected in communication channels and using any operation not prohibited in the system. It is shown that Kerberos is secure for this problem.

A recursive maximum likelihood decoding (RMLD) algorithm is more efficient than the Viterbi algorithm. The decoding complexity of the RMLD algorithm depends on the recursive sectionalization. The recursive sectionalization which minimizes the decoding complexity is called the optimum sectionalization. In this paper, for a class of non-linear codes, called rectangular codes, it is shown that a near optimum sectionalization can be obtained with a dynamic programming approach. Furthermore, for a subclass of rectangular codes, called C-rectangular codes, it is shown that the exactly optimum sectionalization can be obtained with the same approach. Following these results, an efficient algorithm to obtain the optimum sectionalization is proposed. The optimum sectionalizations for the minimum weight subcode of some Reed-Muller codes and of a BCH code are obtained with the proposed algorithm.

A b-symbol read channel is a channel model in which b consecutive symbols are read at once. As special cases, it includes a symbol-pair read channel (b=2) and an ordinary channel (b=1). The sphere packing bound, the Gilbert-Varshamov (G-V) bound, and the asymptotic G-V bound for symbol-pair read channels are known for b=1 and 2. In this paper, we derive these three bounds for b-symbol read channels with b≥1. From analysis of the proposed G-V bound, it is confirmed that the achievable rate is higher for b-symbol read channels compared with those for ordinary channels based on the Hamming metric. Furthermore, it is shown that the optimal value of b that maximizes the asymptotic G-V bound is finitely determined depending on the fractional minimum distance.

This paper introduces a novel type of digital watermarking, which is mainly designed for embededing information into cryptographic data such as keys, ciphertexts, and signatures. We focus on a mathematical structure of the recent major cryptosystems called pairing-based schemes. We present a detection-type watermarking scheme by which a watermark is visible by anyone but unremovable without secret trapdoor. The important feature is that both correctness and security of cryptographic data remain satisfied even if the trapdoor is published.