18th CSEC Group Meeting

Date

July 18, 2002

July 19, 2002

Location

Tohoku University

Transportation

18th CSEC Group Meeting Program

(1) Implementation of security functions for "FIPA-OS" Agent Platform

Shinsaku KIYOMOTO (KDDI R&D Laboratories)
Toshiaki TANAKA (KDDI R&D Laboratories)
Koji NAKAO (KDDI R&D Laboratories)

Recently, mobile agent technologies have been actively discussed and researched. FIPA-OS(Foundation for Intelligent Physical Agents) is one of organizations, which standardize agent technologies in general. Although several standardized documents have been already produced in many areas of agent technologies in FIPA, their security functions have not been satisfactiorily discussed. In this paper, we design security functions of FIPA architecture, implement to "FIPA-OS", and finally evaluate their feasibility. We believe that our proposed security functions and their implementation method can be a valuable security framework for FIPA activities.

(2) Security policy for regular-connected personal network terminal - A Simple Method for All Personal Users -

Daigo YOSHII (Toshiba Corporation, e-Solution Company)
Tatsuro IKEDA (Toshiba Corporation, e-Solution Company)
Tomoaki MORIJIRI (Toshiba Corporation, e-Solution Company)
Toshiaki SAISHO (Toshiba Corporation, e-Solution Company)

We consider a way which helps all the personal users to set up their terminal secure. We suggest that security policy for a personal user should be a set of certain rules. The rule consists of a condition and actions. The condition is what the user wants to do. The actions are what the user should do. The condition is described in plain words. The actions are concrete teaching how to set up his/her terminal. The policy is broken into more primitive rules, which makes the policies reusable. A security service based on the policies is exhibited.

(3) Development of a Flexible Support Tool for Production of Security Policies

Masayuki Morohashi (Systems Development Laboratory, Hitachi, Ltd.)
Tatsuya Fujiyama (Systems Development Laboratory, Hitachi, Ltd.)
Yasuhiko Nagai (Systems Development Laboratory, Hitachi, Ltd.)

To counter the increasing threats in proportion to popularization of the Internet, conventional countermeasures, such as setting firewall, have been enforced. But in the case that coventional countermeasures are merely enforced, there is possibility of arising excess or lack of countermeasures toward threats. Recently, to solve such problem, it is needed to make security policies that are policy to protect the assets and then enforce countermeasures based on the security policies. But is needed long term and high expertise to make security policies. Accordingly support tool for production of security policies is requested. Conventional tools can support to make security policies by using specific risk analysis methodology and specific standards. But conventional tools cannot support to make security policies by using appropriate risk analysis methodology and appropriate standards selected according to the needs and the object. Then, in this paper, we report the realization method and development result of the tool that can support to make security plicies by using appropriate risk analysis methodology and appropriate standards selected according to the needs and the object.

(4) Implementation of Damage Analysis Support System against Illegal Access

Kenji Fukushi (Network Security Solutions Development Department, Oki Electric Industry Co., Ltd.)
Haruo Takeuchi (Oki Consulting Solutions Co., Ltd.)
Hiroshi Kurauchi (Info-Communications Planning Division, Info-Communications Bureau, National Police Agency)
Masakatu Morii (Dept. of Information Science and Intelligent Systems, The University of Tokushima)
Shigeo Tsujii (Dept. of Information Sys. Eng., Chuo University)

Illegal accesses such as Web page defacing have become frequent as the Internet gains popularity. Intrusion Detecion Systems can dtect illegal sccesses. But, the procedure of damage analysis, from detection of a damage, identification of its cause, to recommendation of countermeasures, are performed by system managers using expertise and knowhow. This article proposes a system which supports system managers in analyzing damages caused by illegal accesses, by automatically detecting a damage, identifying its cause and recommending countermeasures. We implemented and evaluated a prototype. We will examine the results.

(5) Detection Algorithms of Unauthorized Manipulation for Web Remoto Patrol Systems

Keisuke TAKEMORI (KDDI R&D Laboratiries)
Yutaka MIYAKE (KDDI R&D Laboratiries)
Koji NAKAO (KDDI R&D Laboratiries)

We have developed a remoto patrol system for web servers which detects the change of contents. However, it could not distinguish between regular updata and and unauthorized manipulation. The administrator of web servers may receive many alarms from this system if the contents are updated, frequently. In this paper, we propose detection algorithm of unauthorized manipulation by concentrating on the characteristics on HTML contents as well as the correlation between before and after changes. We could abstract six characteristics, which are so-called signatures to detect manipulations based on the several sample data. We also evaluate our algorithm using many sample data, and as the results our algorithm is quite feasible to detect any types of contents with little miss-detection of faults positive. In conclusion, administrators of web servers detect and manage the unauthorized detection efficiently among their routing works.

(6) Evaluation of Protocol and Policy-Based Intrusion Detection System in Real Environment

Tatsuya BABA (Research and Development Headquarters, NTT Data Corporation)
Hiroaki KAMODA (Research and Development Headquarters, NTT Data Corporation)
Katsutoshi KOKUBO (Research and Development Headquarters, NTT Data Corporation)
Shigeyuki MATSUDA (Research and Development Headquarters, NTT Data Corporation)

Currently, unauthorized access detection technology is strongly required. We have proposed a method of detecting unauthorized accesses including unknown ones by monitoring packets and comparing them with protocol specifications and site access policy. In this paper, we show the effectiveness of the proposed detection method by evaluating the false positive rate of prototype system in a real environment.

(7) Center Management Type Intrusion Detection System

Takeshi OTSUKA
Yoshiaki SHIRAISHI
Masakatu MORII

In this paper, we give and center management model in unlawful access detection. Agent gather the network information in each management domain. When the agent detects abnormal event, it communicates to the center and the center analyzes the network information to specify the unlawful access by using IDS. The advantages of this model are that the administrator of each domain does not need to update signatures of IDS and he can receive an essential information of an unlawful access and the way of its countermeasure.

(8) A Method to Detect Unknown Computer Virus Using Virtual Server

Takashi MIYAKE
Yoshiaki SHIRAISHI
Masakatu MORI

The spread of computer virus via E-mail is a social problem. In some virus detection system with pattern matching mechanism, they can detect the virus as they have pattern files corresponding to that. However, such a system can not detect an unknown virus. In this paper, we propose a system to detect unknown virus. The system receives all E-mail in user's place. That opens and executes the mail with attached file and watches its behavior against Operating System etc. in order to detect the unknown virus.

(9) Copyright protection system for website content -The efficiency of a bounty hunting-based copyright protection system for website content-

Tetsuya Matsushita (Graduated School of Informatics, Shizuoka University)
Masakatsu Nishigaki (Faculty of Information, Shizuoka University)
Masakazu Soga (Faculty of Software and Information, Iwate Prefectural University)
Akio Takubo (School of Information Environment, Tokyo Denki University)
Itsukazu Nakamura (NTT Data Corp., Security Business Division)

This paper proposes a distributed copyright protection system for digital content which is based on the idea of bounty hunting. The system employs a digital watermark method in which all information for extracting watermarks can be opened, so that any home page visitor can verify the authenticity of the content on the home page he/she is visiting. It allows, essentially, every net surfer to be a kind of bounty hunter who finds illegal content or home pages. We believe this type of self-policing system is necessary because it is impossible for a limited number of trusted parties to check the vast number of content in all home pages over the Internet. Moreover, in the proposed system, illegal home page owners can not know if or when they have been discovered, as each and every visitor has the potential to discover and report them. Therefore, this distributed-type check of the proposed system promises to be a much greater deterrent than a centralized-type check could ever be. Thus, a copyright protection on the Internet is successfully achived by the system. This paper discusses the efficiency of a bounty hunting-based copyright protection system by comparing it with the related systems.

(10) Proposal of Security Architecture for IP Multicast Routing Protocol

Yoshinori WATANABE (Systems Development Laboratory, Hitachi, Ltd.)
Mariko KASAI (Systems Development Laboratory, Hitachi, Ltd.)
Yoshitaka SAINOMOTO (Enterprise Server Division, Hitachi, Ltd.)

The broadband internet connection from homes has come into wide use, and the services of broadcasting contents via the Internet will be expected to increase. So we propose a security architecture for IP multicast routing protocol for broadcasting contents more securely. It is based on a data authentication method used by IPsec protocol and a new key management method studied by us to aviod wire tapping, IP spoofing and replay attacks. Now we are trying to design a new key management protocol based on our architecture and implementing it to evaluate its effectiveness.

(11) Design and evaluation of countermeasure system against DDoS attacks using active network technology

Yusuke MORIKAWA (Faculty of Science and Engineering,Keio University)
Dai KASHIWA (NTT Information Sharing Platform Laboratories)
Shin-ya MATSUMOTO (Faculty of Science and Engineering,Keio University)
Hiroshi SHIGENO (Faculty of Science and Engineering,Keio University)
Ken-ichi OKADA (Faculty of Science and Engineering,Keio University)
Yutaka MATSUSHITA (Tokyo University of Technology)

In this paper, we propose a contermeasure system against DDoS(Distributed Denial of Service) attacks. In the system, cooperating routers using Active Network technology with each other, malicious traffic is shaped and only legitimate traffic can be communicating. This paper describes a model of the system realizing proposed architecture and the evaluation result about the effectiveness of the prototype when causing a false DDoS attack.

(12) The active SPAM Buckler: Preventing the SPAM

Takamichi SAITO (Tokyo University of Technology)
Akio MORII (INTEC Inc.)
Tadashi KOMORI (Tokyo University of Science)
Toshiyuki KITO (Tokyo University of Science)

In recent years, while E-mail over an internet has achieved popularity, there is a great trouble, i.e. the SPAM mail. Although some countermeasures against the SPAM mail is proposed, the SPAM mail is coming persistently. On the other, an oversensitive way of countermeasure can refuse and eliminate legitimate E-mails. Hence, we propose a countermeasure that guarantees legitimate E-mails must be delivered. In this paper, we will explain the proposed system and show some experiments on it.

(13) On the Architecture of the SSL System

Toshiyuki KITO (Tokyo University of Science)
Takamichi SAITO (Tokyo University of Technology)

Some flaws have been found out in the SSL, the Secure Socket Layer. Therefore, in this paper, we consider the SSL's architecture and its total design of the SSL. There are mainly the way of authenticating between the SSL server and user, and that of only authentication the SSL server. Each authentication exchanges session key, which can make establish secure communication between the SSL client and server. In authenticating of the SSL server and user, the SSL server and user must have the own secret key. For convenience, in the case authenticationg a uer who dose not hold secret key, the way of using password, encrypted by session key is used after server authentication. However, a user can be deprived of its password.

(14) Examination of the counter measure for the Web service based worm propagation

Masato Terada (Systems Development Laboratory, Hitachi Ltd.)
Yasuhiko Nagai (Systems Development Laboratory, Hitachi Ltd.)
Morihiko Kurata (Information Technology Division, Hitachi Ltd.)

Unauthorized access containing Malware propagation is activated and causes a lot of damage. Especially, In the information system which consists of Web service based, the influence accompanied by self-propagating worm of Web service based becomes very large. This paper described the overview of the Web mapper's (Web service port/host mapping system) functions, which suppress Web service based worm propagation and support the stable Web service operation. The features of Web mapper are the following. The port change component on the Web server shifts Web service port number to an alternative port number for suppression Web service based worm propagation. The port/host conversion component on proxy sever hides the URL change accompanied by a shift for an alternative port number.

(15) Consideration of False Rejection Rate about DNA Biometrics Athentication system using DNA personal ID

Yukio ITAKURA (Chuo University, Research and Development Initiative)
Masaki HASHIYADA (Tohoku University, Graduate Medical Research Department)
Toshio NAGASHIMA (NTT DATA Technology Corporation)
Tsujii SHIGEO (Chuo University, Research and Development Initiative)

There are two measures, FAR(False Acceptance Rate) and FRR(False Rejection Rate) to evaluate the characterisity of Biometrics Authentication systems. In the DNA Biometrics Authentication system using DNA personal ID generated by DNA information, FAR means matching probability of DNA personal ID and FRR means the mutation of DNA information and measuring fluctuation error. We have been reported about the FAR of DNA personal ID before [1]. In this paper, we discuss about the FRR of DNA personal ID considering at the point of forensic view and measureing errors.

(16) Consideration on Security Quality

Hideyo MURAKAMI
Hiroaki SAKAMOTO
Norio YUKI

In advanced information society, information .trouble effects on not only one peson or company but also human continuation. Information is important property. On the basis of the previous paper proposal, this describes consideration on security quality design method that include quality objectives for each scale of a service system, quality allocation for both of system function (soft ware and hardware) and operation people, design concept of security quality.

(17) Runtime Data Extraction Tool for Java Virtual Machine

Tsutomu MATSUMOTO (Graduate School of Environment and Information Sciences, Yokohama National University)
Kenichiro AKAI (Graduate School of Environment and Information Sciences, Yokohama National University)
Goichi NAKAMURA (Mitsubishi Research Institute)
Kou OUCHI (MRIsystems)
Ichiro MURASE (Mitsubishi Research Institute)

Tamper-resistance, which means secret data protection in this paper, is important for softwares in which secret data are stored and calculated. There is a method to evaluate tamper-resistance of a software, the runtime data exhausive search method. We developed a tool to extract runtime data in JVM(Java Virtual Machine). This tool is an implementation for the runtime data exhausive search method. Then, we carried out experiments to use this tool for RSA signature software written by Java to extract RSA private key.

(18) About buffer_overflow detection by static analysis of C program

Goichi NAKAMURA (Mitsubishi Research Institute)
Ichiro MURASE (Mitsubishi Research Institute)

C language is still important as programming language of softwares such as network control software that needs high security. But the buffer_overflow problem is frequently seen in C programs, it is one of the most serious vulnerabilities about C programs. Among the buffer_overflow vulnerabilities, rewriting of return address on the stack is most important. There are several methods to detect this buffer_overflow vulnerability in C program .But these methods can not pick over this buffer_overflow vulnerability. In this research, a new method is developed to detect the buffer_overflow vulnerability(rewriting of return address on the stack) in C program statically, that is, by static analysis of register tarnslate language code(RTL code) which is made in C program compilation by GCC compiler. As this method's output, the conditions on which rewriting of return address on the stack occurs is expressed in function arguments and so on. And the tool which carry out this method is developed. Then, the effectiveness of this method is checked by adapting the tool to C programs to detect the buffer_overflow vulnerability.

(19) A study on sound quality and embedding capacity of Time-spread Echo Method for Digital Audio Watermarking

Byeong-Seob KO (Research Institute of Electrical Communication/Graduate School of Information Science, Tohoku University)
Ryouichi NISHIMURA (Research Institute of Electrical Communication/Graduate School of Information Science, Tohoku University)
Yoite SUZUKI (Research Institute of Electrical Communication/Graduate School of Information Science, Tohoku University)

Several methods for digital audio watermarking have been proposed, such as echo hiding, spread spectrum, masking, and phase modulation. Among these methods, echo hiding provides many advantages. However, there is a weak with this method from view point from protecting copyrights, because its decoding process is very lenient. To cope with this weak point of the echo hiding, we proposed a time-spread echo method using PN sequences that play a role of a secret key in decoding the embedded information. In this paper, we investigate the embedding capacity, the robustness against typical signal transformations, and the sound quality of the proposed method.

(20) Images Scrambling and Watermarking based on Discrete Wavelet Transformations

Yasuhiro FUJII (Systems Development Laboratory, Hitachi, Ltd.)
Kazunori NAKANO (Systems Development Laboratory, Hitachi, Ltd.)
Isao ECHIZEN (Systems Development Laboratory, Hitachi, Ltd.)
JUN'ICHI TAGUCHI (Systems Development Laboratory, Hitachi, Ltd.)
Hiroshi YOSHIURA (Systems Development Laboratory, Hitachi, Ltd.)

Digital watermarking is a method that prevents illegal distributeions by buyers. In case the copyright holder commits a watermarking server to embed watermarks into image contents, it is required to send scrambled images to a watermarking server for the sake of avoiding the leakage of originals. This paper proposes a new method consisting of scrambling and watermarking based on the theory of discrete wavelet transformations.

(21) Linguistic Steganography using SD-Form Semantic Model

Sayaka Minewaki (Faculty of Engineering, Kyushu Institute of Technology)
Tomokazu Ito (Faculty of Engineering, Kyushu Institute of Technology)
Michiharu Niimi (Faculty of Engineering, Kyushu Institute of Technology)
Hideki Noda (Faculty of Engineering, Kyushu Institute of Technology)
Eiji Kawaguchi (Faculty of Engineering, Kyushu Institute of Technology)

This paper proposes a method for linguistic steganography in consideration of the meaning of natural language sentences. To describe the meaning of the sentences, this method uses SD-Form, which is a meaning description from consisting of symbols, developed by the authors. An SD-Form is assigned an amount of semantic information of a sentence. The amount of the meaning of sentences is used to carry secret information on text data. In embedding secret information, firstly the sentences are transformed to SD-From and then the amount of semantic information of SD-From is decreased or increased to coincide with the value of the secret information. We can expect the sentence with secret information embedded is consistent in the meaning. We confirmed that the sentences are understandable.

(22) Proposal of Next-Generation Building Security System

Masaki FUJIKAWA (Chuo University)
Hiroshi DOI (Research and Development Initiative, Chuo University)
Shigeo TSUJII (Chuo University)

Because a physical key is used in a current bldg. security system, it has the following problems in the security company. (1) When the number of observed buildings increases, the key management becomes complex. (2) It is necessary to prevent an illegal taking out the key. (3) Prompter correspondence cannot be achieved. In this paper, we propose a new bldg. security system with an electronic key. The employee in the security company can switch the guard from set/release to release/set, and unlocck the door by using a portable terminal. Safety and the utility of the proposal system are discussed in the latter half.

(23) A Note on an Anonymous Loan System

Rie SHIGETOMI (Tsuda College)
Akira OTSUKA (Institute of Industrial)
Takahide OGAWA (Tsuda College)
Hideki IMAI (Institute of Industrial)

Recently, paper based transactions are being replaced by digitized transactions in rapid pace. These kind of digitized data is useful compared to paper based data in sense of the flexibility of the data. Loan Service, (for example, Library, Rental video, debt etc.,) is among the services that makes use of sophisticated digitized transactions. Loan services handle a lot of personal information, which enables the administrators of the information, the analysis of personal hobby and tastes, or even living levels. This leans to a large privacy problem. We examined ways to aviod this privacy problem. One solution is to use "An Anonymous Loan" that the user can be anonymous while borrowing and returning, but the anonymity is unveiled on the due data without return. In this paper, we will suggest a new virsion "An Anonymous Loan System" that the loan party is allowed to control the number of rithts transact by one user, using tamper resistance device and electronic cash sheme for off-line payment.

(24) Proposal of Certified E-mail in consideration of Authentication and Scalability

Kenji IMAMOTO (Graduate School of Information Science and Electrical Engineering Kyushu University)
Kouichi SAKURAI (Graduate School of Information Science and Electrical Engineering Kyushu University)

The business through the network is being expanded with the spread of the Internet in recent years. However, the Internet is not eqipped with the functions required for business or fair contracts. These functions require some characteristics such as authentication, confidentiality, integrity, non-repudiation, fairness and efficiency. Then, Certified E-mail is considerd as a system which realizes such characteristics. Various systems and commercialization as Certified E-mail are proposed. Especially, Abadi's proposal system [AGHP02] requires small number of times of communication and also has few amounts of transmission to TTP. However, sender is authenticated by password shared with reciever, so the burden of preparation and management of passwords becomes large for both users when dealings partners increase in number. Then, in this paper, we modify the authentication method of Abadi's system. The modification is that the sender also makes pre-registration of a password with TTP. This modification realizes the system with which a user side should just prepare only one password when there are many partners.

(25) An English Auction Protocol with Proxy Bidding

Toru SHIOTSUKI (School od Information Science, Japan Advanced Institute of Science and Technology)
Atsuko MIYAJI (School od Information Science, Japan Advanced Institute of Science and Technology)

This paper proposes an English auction protocol with the proxy bidding system,using mix and match techniques. At the Internet English auction, the proxy bidding system is in common use because it is convenient for bidders. Our protocol protects the secrecy of the highest bids, and realizes public verifiability, while preveting collusions among manages, bidders, and suppliers.

(26) Key Management System for Digital Content Protection-Generalized Tree Pattern Division Scheme-

Toshihisa NAKANO (Multimedia Development Center, Matsushita Electric Industrial Co.,Ltd.)
Natsume MATSUZAKI (Multimedia Development Center, Matsushita Electric Industrial Co.,Ltd.)
Makoto TATEBATASHI (Multimedia Development Center, Matsushita Electric Industrial Co.,Ltd.)

In this paper, we present and evaluate the scheme named "Generalized Tree Limited Pattern Division Scheme" which generalized [1]. This scheme is one of the tree-based key management systems for digital content protection. In [1],"Node Revocation Pattern (NRP)"is defined, and the divice keys are assigned to every possible patterns of NRP for each node. In the present scheme, we generalize [1] by assigning device keys to a subset of possible patterns of NRP.

(27) The Implementation of The Block Cipher SC2000 (III)

Masahiko TAKENAKA (FUJITSU LABORATORIES LTD)
Helger Lipmaa (Department of Computer Science and Engineering Heisinki University of Technology)
Naoya TORII (FUJITSU LABORATORIES LTD)

We show the latest implemention results of the block cipher SC2000, which are a software implementation on the IA-32 processors and a hardware implementation. In the software implementation, we introduce a new combination strategy of non-homogeneous S-box that is one of the characteristics of SC2000, and achieve the fast implementation of SC2000. In addition, we discuss the transition of the speed by the combination strategies of S-box. In the hardware implementation, we implementation, we introduce a new architecture for fast implementation of SC2000 and show the results of our implementation. In particular we improve the software encryption speed by 1.6 times as compared to the previous best implementation. In particular, we improve the software encryption speed by 1.6 times as compared to the previous best implementation, and we achieve the speed of 1.4Gbps with the hardware of 26KGates.

(28) Risks for Raw-key Masking the Security of 2-key XCBC MAC-generation scheme

Soichi FURUYA (Hitachi, Systems Development Laboratory)
Kouichi SAKURAI (Dept. of CSCE.,Kyushu University)

Two-key XCBC proposed by Moriai and Imai is a CBCMAC-based method to generate a message authentication code. This method is optimal from several aspects, the number of PRP invocations, key setups, and key materials. This mode is alsp proven the security as a MAC. In this paper, we discuss how masking a secret key for a plaintext block effects to its security. Concerning that the PRP is limited to the special permutations,we show the two-key XCBC is forgeable if one uses Even-Mansour constructions. In case of using DESX construction for two-key XCBC, the necesarry complexity to attack the scheme is below that what is proven for DESX. We also study the security of AES and Camellia when they are used in two-key XCBC mode from another aspect, rather than the context of the provable security.

(29) An Attack of 6-round MISTY1 without FL functions

Hidema TANAKA (Emergency Communications Group, Communications Research Laboratory)
Toshinobu KANEKO (Department of Electrical Engineering, Science University of TOKYO)

The encryption algorithm MISTY1 is provably secure, when it has 3-round FO functions, against linear cryptanalysis and differential cryptanalysis. We estimated the strength of FO function against higher order differential attack. We found that the value of 7th order differential of part of the output from 3-round FO function is constant, for any key or fixed value of plaintexts. The attack of 6round MISTY1 without FL functions using this fact is demonstrated. It is attackable using 2 12 chosen plaintexts and 2 93 times the number of FO function operations.

(30) Differential and Liner cryptanalysis of CIPHERUNICORN-A

Yukiyasu TSUNDO (NEC Corporation)
Hiroyasu KUBO (NEC Software Hokuriku,Ltd.)
Maki YAMADA (NEC Software Hokuriku,Ltd.)
Tomoyasu SUZAKI (NEC Software Hokuriku,Ltd.)
Hiroshi MIYAUCHI (NEC Corporation)

In this paper, we describe an experimental result of safety against differential and liner cryptanalysis of CIPHERUNICORN-A. Because of the complex structure, it is difficult to calculate the probability of differential and liner characteristics of CIPHERUNICORN-A. We used an mF function in our previous evaluation in order to be able to do the approximate calculation in short term. But, by using the mF function, the approximation of the constant multiplication did not have enough coverage with its possible influential bits relations in differential and linear cryptanalysis. The mF function has two changes from original F function. One is key additions and the other is constant multiplications, searchd exhaustively byte-oriented differential and linear influential paths and investigated more strict defferential and linear characteristic probabilities.

(31) A Design of Cryptographic Hash Function Group with Variable Output-Length Based on SHA-1

Yong-Sork HER (Dept.of Computer Science and Communication Engineering, Kyushu University)
Kouichi SAKURAI (Dept.of Computer Science and Communication Engineering, Kyushu University)

The cryptographic hash function provides the services of information security, authentication, integrity, non-reputation in a branch of information secret. A cryptographic hash function has been developed since MD4 was proposed by Rivest. In present, U.S standard of a hash function is SHA-1 with 160 bits of output length. It is difficult to be sure of a security of a hash function with 160 bits of output length. In this paper, we propose a hash function, namely SHA-V, with variable output-length based on SHA-1, HAS-V. The structure of SHA-V is two parallel lines, denoted as the Left-line and Right-line, consisting of 80 steps each and 3-variable 4 Boolean functions each line. The input length is 1024 bits and the output length is from 128 bits to 320 bits by 32-bit. SHA-V has the most advantage of SHA-1.That is, the message variable creates in combination with input message and step calculations. This new message variable provides the resistance against most of attacks that search the collection resistance by the fabricating of input messages. When we compare SHA-V and HAS-V in side of operation, SHA-V is 10% faster than HAS-V on a Pentium PC

(32) Secret sharing scheme in World Wide master key system

Shuichi SUZUKI

In the environment of World Wide master key system, we can construct secret key information with variable key length making use of secret keys and key topologies. At first, we propose simple secret sharing scheme using set theoretical covering of this key information. Then we can construct(k,n) threshould secret sharing scheme. This method has a defect to consume large memories, but has the strong point which is extremely fast. It is especially effective to use this method for small n.

(33) Discussions on Unconditionally Secure VSS Robust against Dishonest Majority

Akira OTSKA (Institute of Industrial Science, University of Tokyo)
Junji SHIKATA (Dept. of Electrical and Computer Engineering, Yokohama National University.)
Hideki IMAI (Institute of Industrial Science, University of Tokyo)

In this paper, we introduce an unconditionally secure verifiable secret sharing scheme that works even if majority of the players are dishonest. We mean by unconditionally secure that the security of the scheme does not depend on any unproven assumptions such as computational ones. We assume that each player including a dealer has a pre-distributed private key, so that each player can verify any share using his or her private key non-interactively and independently from the other players. Therefore, in the reconstruction phase, even if majority of the players are dishonest but at least t players give correct shares, then the secret can be correctly reconstructed, where t is threshold of the underlying secret sharing scheme. Such a pre-distributed private key can be formed if we have Rivest's trusted initializer or if we can execute interactive multi-party computation at some point of time when more than 2/3 of the players can be trusted(or 1/2 if broadcast channel is available). We achieved a VSS scheme with pre-distributed private keys such that privacy of secret is unconditionally hidden from an adversary with unbound computing power with less than t colluders. Simultaneously, even majority of players are dishonest and with unbounded computing power, if there are more than t honest players,then they can reconstruct a consistent secret.

(34) Locally PVSS Based on Unconditional Security

Daisuke KITO (Institute of Industrial Science, University of Tokyo)
Akira OTSUKA (Institute of Industrial Science, University of Tokyo)
Hideki IMAI (Institute of Industrial Science, University of Tokyo)

Publicly verifiable secret sharing(PVSS) allows everybody, not only the participants, to verify that the shares are correctly distributed. Former PVSS is based on public-key encryption. So the security of secret is computational. In this paper we introduce new notion "locally PVSS" which meets weak condition of PVSS. We use trusted authority called "trusted initializer" that exists only inthe initialization protocol of the scheme and propose locally PVSS based on unconditional security.

(35) Digital Signature Schemes with Anonymous Signers

Hidenori KUWAKADO (Faculty of Engineering,Kobe University)
Hatsukazu TANAKA (Faculty of Engineering,Kobe University)

Rivest, Shamir, and Tauman have proposed a ring signature scheme such that a verifier can make sure that someone in a group signs a message, but cannnot decide the identification of the signer. The application of the ring signature is whistle-blowing. Without revealing their identification to the signer, the third party can check the validity of the message. In this paper, we propose the generalized version of the ring signature scheme, which makes it possible for k members to sign a message without revealing the identification of the verifier. We show two implementations of such a signature scheme; one is based on zero-knowledge proof of random self-reducible problems,and the other is based on the polynomial over a finite field. Similar to the ring signers is impossible even if unlimited computational resources do not make the ring of signatures.

(36) A Digital Signature Scheme that can erify Signing Hardware

Masashi UNE (Institute for Monetary and Economic Studies, Bank of Japan)
Tsutomu MATSUMOTO (Graduate School of Environment and Information Sciences, Yokohama National University,)

In order to use digital signature securely, it is important to consider countermeasures against the compromise of a signing key. This paper discusses a digital signature scheme that canverify signing hardware even though the signing key was compromised. To verify hardware that carried out a computational process, Matsumoto and Tanaka[12] proposed a method that is based on a clone resistant module. In this paper, we apply the method of Matsumoto and Tanaka[12] to a digital signature scheme and consider its security requirements. Next, we compare the signature scheme that employs the method of Matsumoto and Tanaka[12] with the hysteresis signature[9,10] and the forwrd-secure digital signature scheme [1,2,4,5] from viewpoints of their effects and environments. We also show a protocol of the digital signature scheme that fulfills the security requirements.

(37) A Method for Evaluating Reliability of Digital Signature Schemes with Linking Structure

Kunihiko MIYAZAKI
Hiroshi YOSHIURA
Mitsuru IWAMURA
Tsutomu MATSUMOTO
Ryoichi SASAKI

Hysteresis signature, which improves security of digital signatures by cryptographic hash functions,has been proposed. By hysteresis signature technique a linking structure among the signatures is constructed. That is, one signature affects others. This is a major characteristic of the hysteresis signature. Although some reliability evaluation results are known which are based on onewayness of hash functions, these results are not represented the characteristic of the hysteresis signature properly. In this paper, we propose a method for evaluating reliability of digital signature schemes with a linking structure.

(38) An extension of traitor tracing scheme using Weil-pairing on elliptic curves

Shigeo MITSUNARI (Pixela Co.,Ltd)
Hideyuki WATANABE (Ibis Inc.,)
Maki YOSHIDA (Dept. of Multimedia Engineering, Graduate School of Information Science and Technology, Osaka University)
Ryuichi SAKAI (Faculty of Engineering, Osaka Electro-Communication University)
Masao KASAHARA (Faculry of Informatics, Osaka Gakuin University)

In the previous traitor tracing schemes, there exists an upper bound on the number of traitors who attack the schemes for certifying the security. We proposed one resolution of the problem using Weil-pairing on the elliptic curves. In this paper, we extend the scheme, yielding an asymmetric self-enforcement and revocation scheme.

(39) Efficient exponentiation of Montgomery-type elliptic curves(2)

Yuichi FUTA (Multimedia Development Center, Matsushita Electric Industrial Co., Ltd.,)
Motoji OHMORI (Multimedia Development Center, Matsushita Electric Industrial Co., Ltd.,)

The Montgomery-type elliptic curve is known for their faster arithmetic than the Weierstrass-type elliptic curve. The dominant operation of Elliptic Curve Cryptosystem(ECC) is scalar multiplication of points on an elliptic curve, and it usually includes scalar multiplication of a fixed base point of ECC. For Weierstrass-type elliptic curves, accelerating methods, using the pre-computed table of scalar multiplication of the fixed point, are widely studied. However, such a scheme does not naturally expand to the Montgomery-type elliptic curve. In this paper, we propose fast scalar multiplication methods on Montgomery-type elliptic curves using pre-computed table for the first time. Our method is 1.6 times as fast as the known method for Montgomery-type elliptic curves.

(40) Cryptographic Schemes based on Pairing over Elliptic Curve(part2)

Ryuichi SAKAI (Faculty of Engineering, Osaka Electro-Communication University)
Masao KASAHARA (Faculty of Informatics, Osaka Gakuin University)

We have proposed a new traitor tracing scheme based on the Weil or Tate pairing over the elliptic curve. In this paper we propose a new ID based public key cryptosystem and a new ID based signature schemes on the same system parameters of the traitor tracing scheme based on the Weil or Tate pairing. The proposed ID based schemes have some advantages over the conventional ones based on the pairing over the curve in the sense that the user need not convert the ID to the n torsion point of the curve.

(41) Security Notions and Construction Methods for Unconditionally Secure Encryption Schemes

Junji SHIKATA (Graduate School of Environment and Information Science, Yokohama National University)
Goichiro HANAOKA (Institute of Industrial Science, University of Tokyo)
Yuliang ZHENG (Department of Software and Information Systems, University of North Carolina)
Hideki IMAI (Institute of Industrial Science, University of Tokyo)

This paper focuses on analysis of security notions and construction methods for encryption schemes whose resistance against attacks is not dependent on unproven computational assumptions. Inthe aspect of analysis of security notions, this paper introduces a new notion of almost perfect secrecy, gives precise formulation of non-malleability in unconditional setting, and reveals relations among security notions. In addition, this paper proposes construction methods which are provably secure in terms of our strong security definition.

(42) An SPA Attack Breaks the Randomized Addition-Subtraction Chains Method at CHES 2001

Katsuyuki OKEYA
Kouichi SAKURAI

We show that a randomized addition-subtraction chains countermeasure against side channel attacks is vulnerable to SPA attack, a kind of side channel attack, under distinguishability between addition and boubling. A side channel attack is an attack that takes advantage of information leaked during exection of a cryptographic procedure. The randomized addition-substraction chains countermeasure has been proposed by Oswald-Aigner, and is a random decision inserted into computations. However, its immunity to side channel attacks is still countermeasure is also vulnerable. Moreover, compared with other countermeasures against side channel attacks , the randomized addition-subtraction chains countermeasure, after being improved to prevent side channel attacks, is much slower.

(43) A Fault Attack Breaks a Window-based Countermeasure against Side Channel Attacks

Katsuyuki OKEYA
Kouichi SAKURAI

Moller proposed a countermeasure using window method against side channel attacks. However, it is unknown as to whether it can prevent fault attack. In this paper, we show Moller's countermeasure is vulnerable to fault attack. A side channel attack is an attack that takes advantage of information leaked during execution of a cryptographic procedure. A fault attack is one that takes advantage of information leaked during execution of a cryptographic procedure. A fault attack is one that takes advantage of output when errors occur or incorrect values are inputted. Oue proposed attack against Moller's countermeasure forces precomputation points tobe invalid, and detects partial information of the secret scalar value. In these circumstances, the attack completely detects the scalar value using Baby-Step Giant-Step method as a direct-computational attack. For a 160-bit scalar value, the proposed fault attack restricts the number of candidates of the scalar to an 88-bit integer, and the direct-computational attack can actually detect the scalar value. Besides, we improve Moller's countermeasure to prevent fault attack also. We compare the original method and improved countermeasure in terms of the computational intractability after fault attack is applied and the computational cost of the scalar multiplication.

(44) On Fast Elliptic Curve Multiplication Resistant against Side Channel Attacks

Tetsuya IZU
Tsuyoshi TAKAGI

We enhance the efficiency of the Montgomery-type scalar multiplication for the standard elliptic curves over prime fields. The Montgomery-type scalar multiplication for the standard elliptic curves over prime fields. The Montgomery-type scalar multiplication for the standard elliptic curves over prime fields. The Montgomery-type scalar multiplication utilizes the addition formulae assembled by only x-coordinates, namely xECDBL and xECADD. We encapsulate the two addition formulae into one addition formula xECADDDBL, which accomplishes a faster computation because several auxiliary variables of two formulae can be shared. The efficiency improvement of the proposed scalar multiplication over the scheme without the encapsulation is about 11%. Moreover, we extend the proposed algorithm for the implementation over SIMD. Compared with the similar scheme proposed by Fischer et al., our scheme is about 16% faster.

---

[home]