Abstract: In encryption, a random number r is generated to generate a ciphertext C2=M(+)R(r), function values HS(r, C2), a common key K, a ciphertext C(?+1) of the random number r using the common key K, and ciphertexts C(0) and C(?) of the common key K that correspond to function values HS(r, C2). In decryption, a common key K? is decrypted from input ciphertexts C?(0) and C?(?), an input ciphertext C?(?+1) is decrypted by using the common key K? to generate a decrypted value r?, and function values HS(r?, C2?) is generated. If the input ciphertexts C?(0) and C?(?) do not match ciphertexts C?(0) and C?(?) of the common key K? that correspond to the function values HS(r?, C2?), decryption is rejected; if they match, the input ciphertext C2? is decrypted.

Abstract: Security against CCA is improved without providing space for just improving the security against CCA in a ciphertext space. In encryption processing, a first ciphertext C1 is calculated from a plaintext M and a symmetric key K; a value containing a value corresponding to the symmetric key K and a value corresponding to the first ciphertext C1 is put into a collision-resistant function H to calculate a function value of the function H; and r corresponding to the function value is used to calculate second ciphertext C2=r·(??=1nv?·b?)+?·bn+1?G1n+1. In decryption processing, the second ciphertext C2?G1n+1 and key information D1*=?·(??=1nw?·b?*)+bn+1*?G2n+1 are put into a bilinear function e to calculate a function value S˜=e(C2, D1*)?GT; a value corresponding to the function value S˜ and the first ciphertext C1 are put into the collision-resistant function H to calculate a function value of the function H; and it is judged whether r˜ corresponding to the function value satisfies C2=r˜·(??=1nv?·b?)+?˜·bn+1?G1n+1.

Abstract: In encryption, a random number r is generated to generate a ciphertext C2 =M (+) R(r), function values Hs(r, C2), a common key K, a ciphertext C(?+1) of the random number r using the common key K, and ciphertexts C(0) and C(?) of the common key K that correspond to function values HS(r, C2). In decryption, a common key K? is decrypted from input ciphertexts C?(0) and C?(?), an input ciphertext C?(?+1) is decrypted by using the common key K? to generate a decrypted value r?, and function values HS(r?, C2?) is generated. If the input ciphertexts C?(0) and C?(?) do not match ciphertexts C?(0) and C?(?) of the common key K? that correspond to the function values HS(r?, C2?), decryption is rejected; if they match, the input ciphertext C2? is decrypted.

Abstract: Security against CCA is improved without providing space for just improving the security against CCA in a ciphertext space. In encryption processing, a first ciphertext C1 is calculated from a plaintext M and a symmetric key K; a value containing a value corresponding to the symmetric key K and a value corresponding to the first ciphertext C1 is put into a collision-resistant function H to calculate a function value of the function H; and r corresponding to the function value is used to calculate second ciphertext C2=r·(??=1nv?·b?)+?·bn+1?G1n+1. In decryption processing, the second ciphertext C2?G1n+1 and key information D1*=?·(??=1nw?·b?*)+bn+1*?G2n+1 are put into a bilinear function e to calculate a function value S˜=e(C2, D1*)?GT; a value corresponding to the function value S˜ and the first ciphertext C1 are put into the collision-resistant function H to calculate a function value of the function H; and it is judged whether r˜ corresponding to the function value satisfies C2=r˜·(??=1nv?·b?)+?˜·bn+1?G1n+1.

Abstract: A verification device stores verification information and first random information in a storage. The verification information depends upon contents of comparative information, and not upon an information volume of the comparative information. The verification device generates an authentication information generation factor using the first random information and transmits the factor to a proving device, which generates authentication information using the authentication information generation factor and held information and transmits the authentication information to the verification device. The authentication information depends upon contents of the authentication information generation factor and the held information, and not upon the information volume of the held information. A decision section of the verification device decides whether a predetermined relationship is established between the authentication information and the verification information and the first random information.

Abstract: A verification device stores verification information and first random information in a first storage section. The verification information depends upon the contents of comparative information and does not depend upon an information volume of the comparative information. Further, the verification device generates an authentication information generation factor by using the first random information and transmits the factor to a proving device. The proving device generates authentication information by using the authentication information generation factor and held information and transmits the authentication information to the verification device. The authentication information depends upon the contents of the authentication information generation factor and the held information and does not depend upon the information volume of the held information.

Abstract: In an electronic cash implementing method using a trustee, a user registers his identification information ID.sub.U and anonymous public key N with the trustee and receives a license (B,I). The user processes the license (B,I) by a public key corresponding to the amount to be issued and sends the processed information to a bank to have it attach a blind signature to the information so that the user obtain electronic cash C from the blind signature. The user transmits to a shop the information B,I,C,N and a digital signature that assures the divisional use of the electronic cash. The shop verifies the validity of the information B and C and accepts it as cash and sends a history H of communication with the user to the bank and receives a payment therefrom.

Abstract: In a method for implementing traceable electronic cash, a user US sends a bank BK a product N of prime numbers P and Q, a prime number L and his real name ID.sub.U, and the bank BK generates a pseudonym I corresponding to the real name ID.sub.U and keeps the correspondence between the real name ID.sub.U and the pseudonym I secret. The bank BK uses a signature function .OMEGA.=D.sub.eB (N,L,I) to attach a signature to information composed of the above-mentioned N, L and I and sends the user US the signed information .OMEGA. as information containing a license B. The user US generates authentication information X from the N and a random number R and sends the bank BK information Z obtained by performing blind signature preprocessing on information (X,B) with a function F.sub.eC and has the information Z signed by the bank BK with a signature function D.sub.eC (Z) to obtain electronic cash C.