Yuji SUGIYAMA Koji TORII Tadao KASAMI
The telegram analysis problem posed by P. Henderson and R. A. Snowdon has been repeatedly taken up. This paper adds yet another contribution to this problem. We propose a rigorous specification method, and describe how programs can be derived from it. This method is based on functional programming, by which procedural programs can be easily derived from a formal specification in the form of an abstract sequential machine. The method has been applied to sorting, file handlers and High Level Data Link Control Procedures.
This paper proposes a group signature scheme with efficient membership revocation. Though group signature schemes with efficient membership revocation based on a dynamic accumulator have been proposed, the previous schemes force a member to change his secret key whenever he makes a signature. Furthermore, for this modification, the member has to obtain public membership information of O(nN) bits, where n is the length of the RSA modulus and N is the total number of joining members and removed members. In our scheme, the signer needs no modification of his secret, and the public membership information has only K bits, where K is the maximal number of members. Thus, for middle-scale groups whose size is comparable to the RSA modulus size (e.g., up to about 1000 members for a 1024 bit RSA modulus), the public membership information is a single small value, while signing and verification also remain efficient.
Efficient general secure multiparty computation (MPC) protocols have previously been proposed, and their combination with efficient auction circuits achieves efficient sealed-bid auctions with full privacy and correctness. However, the combination requires that each bidder submits ciphertexts of the bits representing his bid, together with their zero-knowledge proofs. This cost amounts to about 80 multi-exponentiations in the usual case that the bid size is 20 bits (i.e., about 1,000,000 bid prices). This paper proposes sealed-bid auction protocols based on the efficient MPC protocols, where a bidder can submit only a single ciphertext. The bidder's cost is a few multi-exponentiations, and thus the proposed protocols are suitable for mobile bidders. A novel technique for the realization is a bit-slicing conversion by multiple servers, where a single ciphertext for a bid is securely converted into ciphertexts of the bits representing the bid.
Though there is intensive research on off-line electronic cash (e-cash), the current computer network infrastructure sufficiently supports on-line e-cash. On-line means that the payment protocol involves the bank, and off-line means no such involvement. For customers' privacy, the e-cash system should satisfy unlinkability, i.e., for any pair of payments it is infeasible to determine whether they were made by the same payer. In addition, for convenience, exact payments, i.e., payments of arbitrary amounts, should also be possible. In an existing off-line system with unlinkable exact payments, the customers need massive computations. On the other hand, an existing on-line system does not satisfy efficiency and perfect unlinkability simultaneously. This paper proposes an on-line system in which efficiency and perfect unlinkability are achieved simultaneously.
Tokumi YOKOHIRA Hiroyuki MICHINISHI Takuji OKAMOTO Yuji SUGIYAMA
This paper considers a test set for a multibit shifter which can execute shifting/rotating operations of arbitrary bit length. The multibit shifter consists of several stages of sub-shifters, each of which can shift/rotate its inputs by an arbitrary number of bits less than or equal to a predetermined constant. Outputs of one sub-shifter are shifted/rotated in the next sub-shifter. All of the sub-shifters have the same structure, and are constructed with multiplexers. Every sub-shifter is tested separately. All of the multiplexers in each sub-shifter are tested in parallel and exhaustively. A minimum test set for every sub-shifter can be obtained by the use of an algorithm which generates a Boolean 2^p × q matrix M such that any 2^p × p submatrix of M includes all bit patterns of length p, where p and q (p ≤ q) are the numbers of input lines in a multiplexer and in a sub-shifter, respectively. A complete test set for the multibit shifter can be easily obtained as the union of the minimum test sets for all sub-shifters.
A distributor of digital contents desires to collect users' attributes. On the other hand, the users do not desire to offer their attributes, for the sake of privacy protection. Previously, an anonymous survey system for attribute statistics was proposed. In this system, with the help of trusted third parties, a distributor can obtain the correct statistics of users' attributes, such as gender and age, while no information beyond the statistics is revealed. However, the system suffers from the inefficiency of the protocol that generates the statistics, since its cost depends on the number of all users registered in the survey system. This paper proposes an anonymous survey system where this cost is independent of the number of registered users. To accomplish this, a group signature scheme with attribute tracing is also proposed. A conventional group signature scheme allows a group member to anonymously sign a message on behalf of the group, while only a designated party can identify the signer. The proposed scheme further enables that party to trace the signer's attribute.
Tokumi YOKOHIRA Toshimi SHIMIZU Hiroyuki MICHINISHI Yuji SUGIYAMA Takuji OKAMOTO
Any minimum test set (MLTS) for locally exhaustive testing of multiple output combinational circuits (CUTs) has at least 2^w test patterns, where w is the maximum number of inputs on which any output depends. In previous research, it was clarified that every CUT with up to four outputs has an MLTS with 2^w elements. On the other hand, it can be easily shown that not every CUT with more than five outputs has such an MLTS. It has not, however, been known whether every CUT with five outputs has such an MLTS or not. In this paper, it is clarified that every CUT with five outputs has such an MLTS. First, some terminology is introduced as preliminaries. Second, features of 5 × (w+1) dependence matrices of CUTs with five outputs and (w+1) inputs are discussed. Third, an equivalence relation between the dependence matrices of two CUTs is introduced. The relation means that if it holds and one of the CUTs has an MLTS with 2^w elements, then the other CUT also has such an MLTS. Based on the features described above, a theorem is established that there exists a 5 × w dependence matrix which is equivalent to each of the above 5 × (w+1) matrices. Finally, it is proved by the use of the theorem that every CUT with five outputs has an MLTS with 2^w elements.
We present an efficiency improvement on an existing unlinkable divisible e-cash system. In the underlying e-cash system, an e-coin can be divided to be spent, and thus exact payments are available. Furthermore, to protect the customer's privacy, the system also satisfies unlinkability in all payments, which is not satisfied in other existing divisible e-cash systems. Unlinkability means the infeasibility of determining whether two payments are made by the same customer. However, in the unlinkable divisible e-cash system, the payment protocol needs O(N) computations, and is thus inefficient, where N indicates the divisibility precision. For example, in the case of N=100,000, about 200,000 exponentiations are needed in the worst case. We improve the payment protocol using a tree approach. In the case of N=100,000, the protocol with our improvement needs only about 600 exponentiations in the worst case. Similar improvements are obtained for other values of N larger than about 100.
Yu Rong HOU Atsushi OHNISHI Yuji SUGIYAMA Takuji OKAMOTO
There have been few studies on formal approaches to the specification and realization of asynchronous sequential circuits. For synchronous sequential circuits, an algebraic method has been proposed as one such approach, but it cannot be applied to asynchronous ones directly. This paper describes an algebraic method of specifying the abstract behavior of asynchronous sequential circuits. We select a daisy chain arbiter as an example. In the arbiter, state transitions are caused by input changes, and not all modules make state transitions simultaneously. These are the main obstacles to specifying it in the same way as synchronous sequential circuits. In order to remove them, we modify the meaning of input in specifications and introduce pseudo state transitions so that we can regard all the modules as if they make state transitions simultaneously. This method can be applied to most other asynchronous sequential circuits.