26th CSEC Group Meeting

Date: July 20, 2004; July 21, 2004

Location: The University of Tokushima; Tokushima-city, Tokushima 770-8506, JAPAN (Japanese)

Transportation: Access (Japanese)

26th CSEC Group Meeting Program

(1) A Method for Checking the parity of (#E-1)/2: Mayumi OBARA (Communication Network Engineering, Okayama University)
Yasuyuki NOGAMI (Communication Network Engineering, Okayama University)
Yoshitaka MORIKAWA (Communication Network Engineering, Okayama University)
: When we try to generate a certain order elliptic curve by using CM method, we have two candidate curves at the last step of the calculations; the one is given from the j-invariant, and the other is its twisted elliptic curve. In this paper, we propose a method for distinguishing these two candidate curves. This method is based on the fact that the parities of (#E+ -1)/2 and (#E- -1)/2 are reciprocal to each other, Where #E+ and #E- denote the orders of the two candidate curves.

(2) A Fast Square Root Computation in Some Finite Fields: Feng WANG (Communication Network Engineering, Okayama University)
Yasuyuki NOGAM (Communication Network Engineering, Okayama University)
Yoshitaka MORIKAWA (Communication Network Engineering, Okayama University)
: It is well Known that quadratic residue (QR) test should be implemented in advance of a square root (SQRT) computation. Smart algorithm, the previously known fastest algorithm for SQRT computation, only got the idea how to compute SQRT through QR test. However there is a lot of computation overlap in QR test and Smart algorithm. The essence of our proposition is thus to present a new QR test and SQRT algorithm to avoid all the overlapping computations. In this paper the authors devised a SQRT algorithm for which most of the data required have been computed in QR test. This yields many reductions in the computational time and amount. In GF(p) and GF(p^2), we implemented Smart algorithm and the proposed algorithm in C++ Language on Pentium4 (2.6GHz), where p=2^16+1(4|p-1) and p=2^16+3(4 p-1). The computer simulations showed that for p = 2^16 + 1 the proposed algorithm on average accelerates the SQRT computation 2 times and 10 times faster than Smart algorithm over GF(p) and GF(p^2), respectively and for p=2^16+3 the Proposed algorithm on average accelerates the SQRT computation 20 times and 6 times faster than Smart algorithm over GF(p) and GF(p^2), respectively.

(3) A Hardware Organization of High-Radix Modular Multiplication for RSA Cryptosystem: Yi GE
Takao SAKURAi
Koki ABE
Shuichi SAKAI
: Hardware organized modular multiplication based on division algorithm is one of the effective methods used for RSA encryption/decryption. This paper generalizes the hardware organization of the modular multiplication based on the higher-radix SRT division algorithm, and describes the area/time trade-off of the organization. For the number representation we used the signed-digit number system and for selecting the multiple of modular we employed the arithmetic operation instead of the conventional look-up table. The method based on the arithmetic operation is suitable for keeping the same structure over wide range of high radices. The result of the evaluation revealed that a radix-16 multiplier produced 1.5 times speedup at about 1.6 times area cost compared with radix-4 multiplier.

(4) Secure Double Block Length Hash Functions Based on Abreast/Tandem Davies-Meyer: Shoichi HIROSE
: It is an open question whether there exists an efficient double-block-length hash function such that time complexity of any collision-finding algorithm against it is OMEGA(2^l/2), where l is the length of the output. In this article, a partial but affirmative answer is given to this question in a black-box model. The answer is partial because it is assumed that two different block ciphers are used in the hash functions for the security proofs.

(5) A More Efficient Modification of KASUMI Type Pseudorandom Permutations: Wonil LEE (Faculty of Information Science and Electrical Engineering)
Kouichi SAKURAI (Faculty of Information Science and Electrical Engineering)
Seokhie HONG (Center for Information and Security Technologies (CIST), Korea University)
Sangjin LEE (Center for Information and Security Technologies (CIST), Korea University)

(6) Some Extentions of Multi-Variate Public Key Crytptosystems: Ryuichi SAKAI (Osaka Electro-Communication University)
Masao KASAHARA (Osaka Gakuin University)
: We have been proposed multi-variate public key criptosystems based on random simultaneous equations(RSE(2)PKC). In thess system, the decryption algorithm can be done very fast as the encryption algorithm compared with the conventional algebraic decryption algorithm. Using the property of the fast decryption, we propose some new extension sof RSE(2)PKC and decryption algorithms. For the secure multi-valiate public key system, the new RSE(2)PKC seems apparantly secure compared with the original RSE(2)PKC[?].

(7) A Construction of Public Key Cryptosystem based on Random Singular and Non-singular Simultaneous Equations over Extension Field: Masao KASAHARA (Osaka Gakuin University)
Ryuichi SAKAI (Osaka Electro-Communication University)

(8) An Attack against the Traveling Salesman Cryptosystem: Akira HAYASHI
: We propose a method for breaking one of the traveling-salesman invented by K. Kobayashi and his students. The target system is different from their previous ones in the following two ways. First, each path has a length of Gaussian integer. Secondly, mixed arithmetic operations of addition and multiplication are used in encipherment. In the present attack multiplied keys are first found, and then the remaining summed part is analyzed by the Lagarias-Odlyzko method. The success rate of atttacks obtained from computer experiments was more than 40% in the case of 5-15 cities.

(9) A note on a decryption problem for some type of generic conversion method to secure encryption: Eiichiro FUJISAKI
: We present a generic method to construct secure hybrid encryption schemes (in the random oracle model). including as special cases ECIES-HC and RSA-HC argued now in ISO/IEC 18033-2[5]. In general, a hybrid encryption scheme transformed via this kind of method can enjoy a "better decryption time". However, we show that the decryption of this type can be cost more than expected in the "folklore", when giving a rigorous security proof to it.

(10) Optimal Security Proof for PFDH under Existential Unforgeability against Strong Adaptive Chosen Message Attack: Bagus SANTOSO (University of Electro-Communications Department of Information Communication Engineering)
Kazuo OHTA (University of Electro-Communications Department of Information Communication Engineering)
Noboru KUNIHIRO (University of Electro-Communications Department of Information Communication Engineering)

(11) A Feasibility Analysis of the Factoring Device TWIRL (Part I): Tetsuya IZU (FUJITSU LABORATORIES LTD./FUJITSU LIMITED)
Kouichi ITOH (FUJITSU LABORATORIES LTD./FUJITSU LIMITED)
Jun KOGURE (FUJITSU LABORATORIES LTD./FUJITSU LIMITED)
Kiyoshi KOHIYAMA (FUJITSU LABORATORIES LTD./FUJITSU LIMITED)
Takeshi SHIMOYAMA (FUJITSU LABORATORIES LTD./FUJITSU LIMITED)
Masahiko TAKENAKA (FUJITSU LABORATORIES LTD./FUJITSU LIMITED)
Naoya TORII (FUJITSU LABORATORIES LTD./FUJITSU LIMITED)
Shoichi MASUI (FUJITSU LABORATORIES LTD./FUJITSU LIMITED)
Kenji MUKAIDA (FUJITSU LABORATORIES LTD./FUJITSU LIMITED)
: This document reports an overview of our evaluation results of the dedicated factoring device TWIRL by reviewing the circuit design assuming the current state-of-the-art-technologies.

(12) A Feasibility Analysis of the Factoring Device TWIRL (Part II): Tetsuya IZU (FUJITSU LABORATORIES LTD./FUJITSU LIMITED)
Kouichi ITOH (FUJITSU LABORATORIES LTD./FUJITSU LIMITED)
Jun KOGURE (FUJITSU LABORATORIES LTD./FUJITSU LIMITED)
Kiyoshi KOHIYAMA (FUJITSU LABORATORIES LTD./FUJITSU LIMITED)
Takeshi SHIMOYAMA (FUJITSU LABORATORIES LTD./FUJITSU LIMITED)
Masahiko TAKENAKA (FUJITSU LABORATORIES LTD./FUJITSU LIMITED)
Naoya TORII (FUJITSU LABORATORIES LTD./FUJITSU LIMITED)
Shoichi MASUI (FUJITSU LABORATORIES LTD./FUJITSU LIMITED)
Kenji MUKAIDA (FUJITSU LABORATORIES LTD./FUJITSU LIMITED)
: This document reports an overview of our evaluation results of the dedicated factoring device TWIRL by reviewing the circuit design assuming the current state-of-art-technologies.

(13) A trial of GNFS implementation (Part V) -Speeding up sieving using bucket sort: Kazumaro AOKI (NTT)
Hiroki UEDA (NTT)
: This paper proposes a new sieving algorithm that employs a bucket sort as a part of a factoring algorithm such as the number field sieve. The sieving step requires an enormous number of memory updates; however, these updates usually cause cache hit misses. The proposed algorithm dramatically reduces the number of cache hit misses when the size of the sieving region is roughly less than the square of the cache size, and the memory updates are several times faster than the straightforward implementation.

(14) On Validation Tests for Block Cipher Modules: Jun YAJIMA (FUJITSU LABORATORIES LTD, Secure Computing Laboratory)
Masahiko TAKENAKA (FUJITSU LABORATORIES LTD, Secure Computing Laboratory)
Takeshi SHIMOYAMA ()
: We consider validation tests for a block cipher module with table-lookup. In tests for these modules, all data in tables should be referred for validation. In this paper, we have examined probability that all entries of tables are referred by test data. The probability is derived from the size of tables and amount of test data. Using the probability, we have considered the validation of tables about Monte Carlo tests published by NIST. As a result, we show that whether or not the NIST's Monte Carlo tests work defends on the implementation methods for the module. And we propose two revised validation testing methods.

(15) Implementation of Damage Prediction System of Unlawful Access by Event Dependent Model: Ryoji HASUI (Department of Information Science and Intelligent System, The University of Tokushima)
Yoshiaki SHIRAISHI (Department of Informatics, Kinki University)
Masakatu MORII (Department of Information Science and Intelligent System, The University of Tokushima)
: IDS (Intrusion Detection System) is well known as a system that detects unlawful computer access to network and systems. However, it is impossible to deal with IDS for unlawful computer access beforehand. We have proposed a method for predicting the unlawful computer access using the event dependent model. We implement damage prediction system of unlawful access using event dependent model. In this paper, we show effectiveness of the damage prediction system of unlawful access using event dependent model.

(16) An Assessment of Wireless Location Privacy Risks in High Precision Positioning System: Leping Huang (Arco Tower 17F,The University of Tokyo)
Kaoru Sezaki (The University of Tokyo)

(17) A Proposal of Congestion DoS Attack Avoidance System to which Mobile IPv6 Technology Applied: Takayoshi KUSAKA (Research and Development Headquarters, NTT Data Corporation)
Tatsuya BABA (Research and Development Headquarters, NTT Data Corporation)
Masataka KADO (Research and Development Headquarters, NTT Data Corporation)
Tsutomu INADA (Research and Development Headquarters, NTT Data Corporation)
: We propose hot to protect a site of services to the public in the Internet from the congestion type DoS attack which saturates Server management ability, and the result that a movement was verified by the trial production is reported. Concrete contents of a proposal change the IP address of the server which congestion type DoS attack is taken from dynamically by using the function which the IP address of the Mobile IPv6 technology, and the function which informs it of the movement point IP address. Furthermore as the characteristics, the connection of the legitimate user be maintained.

(18) A Policy-based Autonomous Handling Mechanism for Network Security Events: Shin SHIRAHATA (Graduate School of Media and Governance, KEIO University)
Masaki MINAMI (Faculty of Environmental information, KEIO University)
Jun MURAI (Graduate School of Media and Governance, KEIO University,Faculty of Environmental information, KEIO University)
: In this paper, we propose an integrative security event-handling framework for reducing network administration cost's. We designed and implemented policy-based autonomous security event handling system. Our proposed system collects security events from various security devices such as IDS or firewall, and handles events based on operational policy. Then, this systems evaluates network environment data such as OS, software version and vulnerability data. Therefore, our system realizes highly accurate automated security event handling. In the rules, operators can script in event handling conditions and procedure that can run program for handling security event or notify to an operators. As a result, we realize network administration cost reduction, and rapid security event handling by rule-based security event handling system.

(19) Evaluations for Machine Learning Based IDS with Automatic Training Data Generation: Akira YAMADA (KDDI R&D Laboratories Inc)
Yutaka MIYAKE (KDDI R&D Laboratories Inc)
Keisuke TAKEMORI (KDDI R&D Laboratories Inc)
Toshiaki TANAKA (KDDI R&D Laboratories Inc)
: Although many intrusion detection systems based on learning algorithms have been proposed to detect unknown attacks or variants of known attacks, most systems require sophisticated training data for supervised learning. Because it is not easy to prepare the training data, the anomaly detection systems are not widely used in the practical environment. On the other hand, misuse detection systems that use signature to detect attacks are deployed widely. However, they are not able to detect unknown attacks or variants of known attacks. So we have proposed a new anomaly detection system, which detects the variants of known attacks without preparing the training data. In this system, we use outputs of signature-based conventional IDS to generate the training data for anomaly detection. This system identifies novel features of attacks, and generates generalized signature from the output of IDS to detect the variant attacks. We conducted experiments on the prototype system with three types of traffic data, 1999 DARPA IDS Evaluation Data, attacks by vulnerability scanner and actual traffic. The results show that our scheme can detect the variants of attacks efficiently, which cannot be detected by conventional IDS.

(20) An implementable Scheme of Quantum Bit String Commitment: Toyohiro TSURUMARU
: The quantum bit string commitment(QBSC,[7])is a variant of bit commitment(BC). In this paper, we propose an implementable scheme of the QBEC and prove its security under the same security criteria as discussed by Kent[7]. On top of this, we give a new definition of binding co condition that allows intuitive interpretations, and show that the proposed scheme is also secure under this security condition. QBSC is a generalization of BC, but with slightly weaker security, and our proposed protocol is not meant to break the no-go theorem of quantum BCs.

(21) Implementation and Evaluation of Illegal Copy Protection for multicast: Masaki INAMURA (KDDI R&D Laboratories Inc.)
Toshiaki TANAKA (KDDI R&D Laboratories Inc.)
: We propose a new method of illegal copy protection, which is adapted for multicast contents delivery. Our remarkable features are to allow private copies to arbitrary terminals with in the limited times of duplication, and to require no secure hardware. Thus we can realize a broadcast service on wired network where user can store and reuse broadcast contents under the control of allowable license. In this paper, we implement the proposed method and evaluate whether our method is feasible from the viewpoint of security and performance.

(22) Reducing Frequency of Communication on the Consignment Delivering System Protecting Marketing Information: Akira FUJIWARA (Graduate School of Information Science and Technology, Osaka University)
Shingo OKAMURA (Graduate School of Information Science and Technology, Osaka University)
Maki YOSHIDA (Graduate School of Information Science and Technology, Osaka University)
Toru FUJIWARA (Graduate School of Information Science and Technology, Osaka University)
: A digital contents delivering system is considered, where contents providers consign delivering and charging to distributors who have infrastructures of delivering e,g Internet Service Providers (ISP). One of marking information in delivering services is the result of an audience rating survey. This information is important for contents providers can know the useful to make their profit. We proposed a consignment delivering system in which only a contents provider can know the result of an audience rating survey for contents of which he consigned delivering in this paper, the system is improved to reduce the frequency of communication relating changing. The privacy of subscribers is protected and the correctness of charging is guaranteed in the improved system as in the previous system.

(23) A Secure Traitor Tracing Scheme against Key Exposure: Kazuto OGAWA (Science & Technical Research Laboratories, Japan Broadcasting Corporation)
Arisa FUJII (Science & Technical Research Laboratories, Japan Broadcasting Corporation)
Go OHTAKE (Science & Technical Research Laboratories, Japan Broadcasting Corporation)
Goichiro HANAOKA (Institute of Industrial Science, University of Tokyo)
Keigo MAJIMA (Science & Technical Research Laboratories, Japan Broadcasting Corporation)
Kimiyuki OYAMADA (Science & Technical Research Laboratories, Japan Broadcasting Corporation)
Hideki IMAI (Institute of Industrial Science, University of Tokyo)
: Copyright protection is a major issue in distributing content on the Internet. One well-known method of protecting copyright is a traitor tracing scheme. With this scheme, when a pirate decoder is made, the content provider can check the secret key contained in it and trace the authorized user (traitor). Furthermore, a forward secure public key cryptosystem has been developed. With this system, the user secret key is valid for a limited period of time, which means that even if it were exposed, the user would be affected only for a limited time period. In this paper, we propose a secure traitor tracing scheme against key exposure, which contains the properties of both a traitor tracing scheme and a forward secure public key cryptosystem. It is constructed by using a polynomial with two variables (the user identification and the time period) to generate the user secret keys. This scheme enables identifying the user from the keys included in the decoder and tracing at least one of the traitors, and it enables making the secret keys temporary by updating them at a specific time. The secret key can be updated only when the user has both his previous secret key and his master key. As a result, this scheme can be useful in preventing traitors from making illegal decoders and in minimizing the damage from accidental key exposure.

(24) A Report on the 3rd Annual PKI R&D Workshop: Satoshi KOGA
Hiroaki KIKUCHI
: This paper reports the 3rd annual PKI R&D workshop, held on April 12-14, 2004 at NIST.(URL:http//middleware.internet2.edu/pki04/)

(25) Certification of Program Execution by Tamper Resistant CPU: Atsuya OKAZAKI (Graduate School of Information Science, Nara Institute of Science and Technology)
Masaki NAKANISHI (Graduate School of Information Science, Nara Institute of Science and Technology)
Shigeru YAMASHITA (Graduate School of Information Science, Nara Institute of Science and Technology)
Katsumasa WATANABE (Graduate School of Information Science, Nara Institute of Science and Technology)
: In grid computing and mobile agents system, remote computers may be untrusted. It is difficult to certify that remote computers execute given programs as required. We propose a new CPU (Central Processing Unit) architecture. This architecture can certify that a given program has been executed without failure. This CPU is "tamper resistant" hardware with some cryptographic circuits to certify secure execution.

(26) A proposal foe protection of low-cost RFID tags using trusted devices: Jose GUEVARA VERA
Hiroshi HONJO
: In the Foreseeable future, radio frequency identification (RFID) will develop an outstanding roll in our society. However, due to the powerless computational capabilities of RFID tags, protection of data is a major concern in this technology. This paper discusses a way to protect the data contained in an RFID tag making use of a server and trusted devices that wish to interact with the tag. Considering the low cost implementation as a requirement for the RFID, this paper suggests the use of few functions for unlocking the tag and refreshing its data.

(27) A Challenge-response authentication with a password extracted from a fingerprint: Yoichi SHIBATA (Graduate School of Information Shizuoka University)
Itsukazu NAKAMURA (BEIJIN NTT DATA SYSTEMS INTEGRATIOM CO.,LTD)
Masahiro MIMURA (Hitachi, Ltd., System Development, Lab.)
Kenta TAKAHASHI (Faculty of Information, Shizuoka University)
Maskaatsu NISHIGAKI ( Faculty of Information, Shizuoka University)
: This paper proposes a biometric challenge-response authentication with a key extracted from a fingerprint. The authentication scheme proposed here employs "statistical A/D conversion", which is an effective technique to convert fingerprint to just one and the same ID in real-time. Then, the ID generated from fingerprint is used as a password for challenge-response authentication. The proposed scheme provides advantages such that (i) the user no longer needs to memorize his/her password because the password is a part of body, (ii) the password does not travel on the network since challenge-response authentication is carried out. (iii) user's private fingerprint information would not be revealed from the password because any password is generated from fingerprint with a random number added. The availability of the fingerprint-based challenge-response authentication is studied by comparing it with existing schemes.

(28) A consideration from the habit of a handwriting about the anonymity of a handwriting: Norihisa Segawa
Yuko Murayama
Masatoshi Miyazaki
Yoshiaki Nemoto
: The habit of a handwriting appears into the part of a handwriting, and the whole handwriting. In order to anonymity-ize a handwriting, without using character recognition, the 3rd person needs to take care not to recognize the habit. In this paper, the habit which appears in the part of a handwriting, and the habit which appears into the whole are considered, and it proposes about the anonymity-ized technique of the handwriting corresponding to each habit. Moreover, the proposed technique is evaluated and the validity of this technique is shown.

(29) Modeling and Analysis of Computer Virus Diffusion Process: Masato UCHIDA (NTT Service Integration Laboratories, NTT Corporation)
Daisuke SATOH (NTT Service Integration Laboratories, NTT Corporation)
: Almost all contemporary computer viruses spread through the network. Therefore, understanding how and how much a given computer virus will spread through the network is an essential and important problem in terms of evaluating the threat of computer viruses. The goal of this work is to reveal the relationship between the process of the spread of infection and the attack pattern. We start by classifying computer viruses that spread through networks in terms of their attack patterns, as either Random IP (attack repetitively after infection) Model or Mail (attack immidiately after infection) Model. We then propose mathematical models of the process of the spread of infection by viruses in each classes. We derive difference equations which explain the diffusion process in each case, and give some analysis result obtained by using these equations.

(30) An E-mail Virus Diffusion Model: Daisuke SATOH (NTT Service Integration Laboratories)
Masato UCHIDA (NTT Service Integration Laboratories)
Keisuke ISHIBASHI (NTT Information Sharing Platform Laboratories)
Makoto KOBAYASHI (Nihon Software Products)
: We propose a model of computer viruses that infect other computers by using e-mail. We assume that infection-ratio is constant. We obtain an discrete equation by modeling the computer viruses that infect other computers by using e-mail. The discrete equation is reduced to the Riccati equation under a limit where the time interval equals 0. We analyze the effect of the initial number of infected computers to the total number of computers infected in the infinitely long duration by using a discrete equation that has an exact solution. We also analyze the condition that the infected curve becomes the logistic curve. We show that this model describes actual data of computer viruses. Akaike's information criteria (AIC) shows that the model is superior to a liner model. Finally, we propose another model whose infect ratio is varying We propose the equation of the model is a discrete equation that has an exact solution.

(31) A Proposal of Estimation Method of Magnitude of Worm Infection by using Site Level Profiling: KANBA KOIZUMI (Graduate School of Media and Governance, Keio University)
HIDEKI KOIKE (Graduate School of Information Systems, University of Electro-Communication)
MICHIAKI YASUMURA (Faculty od Environmental Information, Keio University)
: It is neccesary to estimate the magnitude of worm infection from the log of scanning packets that come form infected hosts to observation points. In a previous research, an estimation method by feature extraction of random scanning is proposed. But such a method is not applicable to a worm that includes local scanning. In this paper, we propose an estimation method of the magnitude of worm by using site level profiling. Site level profiling is a feature extraction method of worms that includes local scanning. With the proposed method, we report the analysis results for W32.Welchia.Worm and W32.Sasser.D.Worm.

(32) Protecting Memories in Multitask OSes -A Cryptographic Memory System for Resource-poor Platforms-: INAMURA YU (Multimedia Laboratory, NTT DoCoMo, inc.)
EGASHIRA TORU (Multimedia Laboratory, NTT DoCoMo, inc.)
TAKESHITA ATSUSHI (Multimedia Laboratory, NTT DoCoMo, inc.)
: The authors have proposed a method, called Cryptographic Memory System (CMS), to protect the data stored in the address space of the typical multi-task operation systems. Here we will present a new scheme, which reduces the memory usage by decreasing the number of encryption keys etc., aiming at the application for rather resource-poor platforms such as PDAs or mobile communication devices.

(33) Protecting Memories in Multitask OSes -Tampering Detection-: Toru EGASHIRA (Multimedia Labs., NTT DoCoMo, Inc.)
Yu INAMURA (Multimedia Labs., NTT DoCoMo, Inc.)
Atsushi TAKESHITA (Multimedia Labs., NTT DoCoMo, Inc.)
: This paper provides the design of an integrity check function, which detects in-process data tampering done by the other processes. The function prevents adversaries from hijacking processes to continuously impresonate a legitimate user and to attempt frauds. For practical applicability, both of two basic designs in this paper allow one to dynamically any number of data to be checked, and also to check metadata that are essential for the integrity checking. The lazy-chackeing method, one of the two designs, can reduce the processing overhead that might be a drawback, by delaying integrity checks until the protected data is actually accessed by the user application.

(34) Implementation of Secure Seamless Roaming Method by IPsec/IKE: Masahiko TAKENAKA
Shingo FUJIMOTO
Nobutsugu FUJINO
: It is most important requirement that the mobile nodes are connected with the network, anytime, anywhere, on the ubiquitous computing environment. The IPsec/IKE based VPN system is the one of the service elements of the ubiquitous computing. However, existing IPsec/IKE based VPN system didn't support mobile nodes, which IP address will quite often. In SCI2004, we proposed the extension to the IKE protocol, which adds mobile node support. In this paper, we described the prototype implementation based on our past proposal. The implementation is based on Fujitsu VPN product which is compliant to IPsec/IKE protocol. As the result, we successfully added the mobile node support, we named as "Secure Seamless Roaming". This extension provides secure, persistent network connection, even if the node's IP address was changed.

(35) A Note on Probabilistic Internal-State Reconstruction Method to Stream ciphers with Time-variant Tables: Toshihiro OHIGASHI (Department of Information Science, and Intelligent Systems, The University of Tokushima)
Yoshiaki SHIRAISHI (Department of Informatics, Kinki University)
Masakatu MORII (Department of Information Science, and Intelligent Systems, The University of Tokushima)
: Internal-state reconstruction method is a method for reconstructing the internal state of stream ciphers with time-variant tables. The key size and the key scheduling algorithm of stream ciphers with time-variant tables do not influence the time-complexity of internal-state reconstruction method. We have already proposed an efficient deterministic internal-state reconstruction method based on a tree-search algorithm. In this paper, we improve the method by applying probabilistic internal-state reconstruction method proposed by Golic. The proposed method is most effective method in the all internal-state reconstruction methods.

(36) SSSM: A New Key Stream Generator with Time-variant Tables: Sanzo UGAWA (Department of Information Science and Intelligent Systems, The University of Tokushima)
Toshihiro OHIGASHI (Department of Information Science and Intelligent Systems, The University of Tokushima)
Yoshiaki SHIRAISHI (Department of Informatics, Kinki University)
Masakatu MORII (Department of Information Science and Intelligent Systems, The University of Tokushima)
: A new key stream generator with time-variant tables, named SSSM, is proposed. SSSM is high-speed and secure key stream generator operated by the unit of 32-bit. This paper gives the algorithm and analytical result of SEEM.

(37) Evaluation of Guess-and-Determine Attacks on Clock Controlled Stream Ciphers: Shinsaku KIYOMOTO (KDDI R&D Laboratories Inc.)
Toshiaki TANAKA (KDDI R&D Laboratories Inc.)
Kouichi SAKURAI (Dept. of CSCE., Kyushu University)
: Guess-and-Determine attacks have recently been proposed for the effective analysis of word-oriented stream ciphers. In this paper, we discuss GD attacks on stream ciphers using a clock controller as a non-linear function. We focus on analyzing the influence of the clock controller. First, we model a stream ciphers and discuss a maximum process complexity of GD attacks for existing stream ciphers. Next, we propose GD attacks on typical clock controlled stream ciphers, which uses a clock controller, We remove the irregularity of clocking to use assumption. In the attacks, we assume some condition, for example, clocking of LFSRs is truly random. An important condition for practical attacks, is the real probabilities of assumptions because the clocking is determined by current internal states. We also implement toy ciphers of clock controlled stream ciphers to evaluate the proposed attacks, and evaluate feasibility of the attacks. We also discuss properties of GD attacks on clock controlled stream ciphers and the effectiveness of the clock controllers.

(38) A Study on the DFT Test in NIST SP800-22: Hisashi YAMAMOTO (Graduate School of Science and Technology, Tokyo University of Science)
Toshinobu KANEKO (Faculty of Science and Technology, Tokyo University of Science)
: The Discrete Fourier Transform Test is one of sixteen randomness tests in NIST SP800-22. The purpose of this test is to evaluate the input sequence on the basis of randomness in the sequence, which binarize frequency components by a threshold value. Hamano et al. pointed out that the empirical variance of the binarized sequence is decreased to approximately 50% of the theoretical value. In this paper, we claim that the decrease is due to the energy restriction of frequency components by Perseval's theorem. And the ratio of the variance depends on the threshold value.

(39) The mechanism of DPRP in Flexible Private Network: Hidekazu SUZUKI
Akira WATANABE
: The management of network system tends to become difficult when we improve security in intranet. Therefore, we have been developing the concept of FPN (Flexible Private Network) which is compatible with security levels and simple management. Under the FPN environment, users are grouped according to their access policies and the communications between terminals in the same group are enciphered, and the communications between terminals in different groups are rejected, In this paper, we describe the mechanism of DPRP (Dynamic Process Resolution Protocol) that defines the behavior of the function in FPN.

(40) The Proposal of Practical Cipher Communication Systems: Shinya MASUDA (Postgraduate Course in Science and Technology, Meijo University)
Akira WATANABE (Postgraduate Course in Science and Technology, Meijo University)
: In recent years, threads via network have become serious problem, hence people place a special emphasis on network security technologies. IPsec, the technology on IP layer, has been studied as the most popular protocol. However, it has a lot of subjects to be solved. Those are the compatibility problems with NA(P)T and Firewall, and occurrence of fragments, etc. In this paper, we propose the cipher communication systems, called PCCOM (Practical Cipher COMmunication protocol), which can authenticate sender and receiver, guarantee the integrity of the packets. It does not give any influences to the existing systems because it is familiar with NA(P)T and Firewall, and we can expect high throughput systems, because it does not change the packet size.

(41) Researches on Detection Method of Island Hop in Flexible Private Network: Daisuke TAKEO (Graduate School of Science and Technology, Meijo University)
Akira WATANABE (Graduate School of Science and Technology, Meijo University)
: In recent years, illegal access inside intranet is increasing. When crackers access the target host illegally, they usually hop through many hosts witch we call it "Island Hop". We have been developing FPN (Flexible Private Network) which realizes secure and simple management systems. Under the FPN environment, each user having different access policies are grouped according to their post or their jobs, and the communication between different groups is refused However, the user can access to the host of different groups using Island Hop technology. In this paper, we examine how to detect such Island Hop.

(42) A Privacy Protection Method using Information Entropy: LooM: Miyuki IMADA (NTT Network Innovation labs.)
Koichi TAKASUGI (NTT Network Innovation labs.)
Masakatsu OHTA (NTT Network Innovation labs.)
: We propose a privacy protection method for use by service providers supplying users with services where user information requires privacy in the ubiquitous networking environments. The main feature is the use of an entropy value as a criteria for the evaluation of anonymity. This prevents loss of the convenience of services in the target environment. Objects in the ubiquitous environments will include more private information. This is because information gathered by sensors and so on will be added to static information such as sex and age. Furthermore the end-to-end communication assurance that are conventionally used become more complicated. In the new method, privacy information is managed in a database on a server. The novel idea behind the method is that a calculated by using this database decides whether or not the provider is given access to private information. The entropy value is independent of the number of people listed in the database, so the values are consistent over time . We implement the proposed method and evaluate it though simulations, thus confirming its anonymity feasibility.

(43) Development of DPA Evaluation Platform for 8 bit Processor: Koichi FUJISAKI (Toshiba, Corporate Research & Development Center)
Yuki TOMOEDA (Toshiba, Social Network & Infrastructure Systems Company)
Hideyuki MIYAKE (Toshiba, Corporate Research & Development Center)
Yuichi KOMANO (Toshiba, Corporate Research & Development Center)
Atsushi SHIMBO (Toshiba, Corporate Research & Development Center)
Shinichi KAWAMURA (Toshiba, Corporate Research & Development Center)
: A lot of papers have been published about side channel attacks, which expose a secret key in cryptographic module, using a power consumption or execution time. There is a problem that we can't evaluate threats or countermeasures of the attacks in papers, because there is no standard evaluation platform for the side channel attack. The temper-resistance standardization research committee which established in INSTAC (Information Standardization Center) within the Japanese Standards Association(JSA), designed a standard evaluation platform with 8 bit CPU(Z80) and opens its specification to the public. This paper reports the actual experiment of DPA (Differential Power Analysis) using the standard evaluation platform(INSTAC-8).

(44) Side Cannel Attacks on XTR and An Efficient Countermeasure: Dong-GukHan (Center for Information and Security Technologies(CIST))
Tetsuya IZU (FUJITSU LABORATORIES Ltd.)
Jongin LIM (Center for Information and Security Technologies(CIST))
Kouiichi SAKURAI (Faculty of Information Science and Electrical Engineering)
: In[HLS04], Han et al. presented a nice overview of some side channel attacks (SCA) against XTR, and some classical countermeasures. However, their proposed countermeasures against SCA are so inefficient that the efficiency of XTR with SCA countermeasures is at least 129 times slower than that of XTR without them. Thus they remained the construction of the efficient countermeasures against SCA as an open question. In this paper, we show that XTR can be also attacked by the modified refined power analysis (MRPA) and the modified zero-value attack (MZVA). To show validity of MRPA and MZVA on XTR, we give some numerical data of them. We propose a novel efficient countermeasure against "SCAs": SPA, Data-bit DPA, Address-bit DPA, Doubling attack, MRPA, and MZVA. The proposed countermeasure, that is XTR-RSE, uses the exponent splitting method with a random number. We show that XTR-RSE itself without other countermeasures is secure against all "SCAs". From our implementation results, if we compare XTR with ECC with countermeasures against "SCAs", we think XTR is more suitable to smart-cards than ECC sue to the efficiency of the proposed XTR-RSE.

(45) Construction of DPA Leakage Model and Evaluation by Logic Simulation: Minoru SAEKI (Mitsubishi Electric Corporation, Information Technology R&D Center)
Daisuke SUZUKI (Mitsubishi Electric Corporation, Information Technology R&D Center)
Tetsuya ICHIKAWA (Mitsubishi Electric Engineering Company Limited, Kamakura Office)
: Differential Power Analysis(DPA) is a technique that analyzes the secret information in the code device based on minute electric power change according to data. In this paper, we consider about the cause where the information that enables analysis of secret information by DPA occurs, especially in CMOS device, and construct DPA leakage model. Moreover, we propose the DPA evaluation technique using logic simulation, which efficiently evaluates the presence of DPA leakage at the upstream stage of design.

(46) An Attack on Cryptographic Hardware Design with masking Method: Tetsuya ICHIKAWA (Mitsubishi Electric Engineering Company Limited, Kamakura Office)
Daisuke SUZUKI (Mitsubishi Electric Corporation, Information Technology R & D Center)
Minoru SAEKI (Mitsubishi Electric Corporation, Information Technology R & D Center)
: In this paper, we evaluate one of DPA countermeasures of hardware implementation of AES, which was proposed by Elena Trichina and is called Masked-AND method. We evaluate about protection effectiveness of the Masked-AND in hardware using our models of DPA-leakage, which we proposed in [12]. We also point out a new model of DPA-leakage, which is not included in [12]. We also evaluate the effectiveness using a simulator and using SCAPE (Side Channel Attack Platform for Evaluation), which was developed by Mitsubishi Electric Corporation. As a result, we point out the result that the Masked-AND is not strong enough for protection against DPA because of different propagation-delay time of every signal caused by dynamic hazard in the AES hardware.

(47) Countermeasure against DPA Considering Transition Probabilities: Daisuke SUZUKI (Mitsubishi Electric Corporation, Information Technology R&D Center)
MInoru SAEKI (Mitsubishi Electric Corporation, Information Technology R&D Center)
Tetsuya ICHIKAWA (Mitsubishi Electric Engineering Company Limited, Kamakura Office)
: In this paper, we point out the problem of the countermeasure against DPA using dual-rail circuit, and propose a new countermeasure on single-rail circuit. Our countermeasure can be constructed using CMOS circuit and achieve the power consumption that doesn't depend on predictable data equalizing the transition of each gate and suppressing dynamic hazards. Moreover, by modeling that uses FPGA, we show that the proposed method can efficiently achieve security against DPA compared with a past method.

(48) An Electronic Weighted Voting Protocol with Tallying Cost Reduced: Shinji NAKATAKE
Toru NAKANISHI
Nobuo FUNABIKI
Yuji SUGIYAMA
: A weighted voting is a system such that a voter submits a vote with a weight, e.g., voting in stockholders' meetings. A weighted voting protocol that can keep weight secret has been proposed. However, this protocol has a problem that a tallying cost is large when there are many voters, since a management server must re-encrypt and permute all votes. In this paper, we propose a weighted voting protocol with tallying cost reduced.

(49) Electronic Voting Scheme Based on MIX-net and Homomorphism: Natsuki ISHIDA (Hitachi Software Engineering Co.,Ltd.)
Wakaha OGATA (Tokyo Institute of Technology)
: Publicly varifiableelectronic voting schemes are classified into two types, MIX-net based one and homomorphism based one .Former ones are efficient for voters, since each voter should just publish a ciphertext of his choice. However tallying servers must perform MIX-net with long input after voting period. On the other hand, latter ones are effiented for tallying servers, however, they are costly for voters than former onets. In this paper, we give a new construction of publicly verifiable electronic voting protocols whisch are basically homomorphis based ones. In our protocols, Mix-net technique is used to cut off voter's cost.

(50) Receipt-free and Universal verifiable E-Voting System based on Universal Re-encryption Mix net: Yong-Dok
;KemjiIMAMOTO
Kouichi SAKURAI
: Sako and Killian proposed mix-net e-voting system which satisfies receipt-free and universal verifiability-Michels and Horster pointed out that Sako-Killian scheme does not satisfy robustness and privacy. Dolle et al. proposed universal re-encryption mix net which satisfies correctness and communication privacy. In this paper, we propose mix-net e-voting system which satisfies receipt-free and universal verifiability as well as robustness and privacy based on universal re-encryption mix net. In order to apply universal re-encryption to mix-net e-voting system, we modify designated-verifier re-encryption proof. The modified designated-verifier re-encryption proof is used to prove the valid of mixing. Also, we introduce E-voing Sheet which is similar to z real voting, and an Overwritable Bulletin Board which can be changed the contents of bulletin board by each mix-center.

(51) Unconditionally Secure Polynomial Evaluation And Its Application To Electronic Voting: Akira OTSUKA (IT Scurity Center, IPA.)
Anderson C.A. NASCIMENTO (Institute of Industrial Science, University of Tokyo)
Hideki IMAI (Institute of Industrial Science, University of Tokyo)
: In this paper, we propose an unconditionally secure oblivious polynomial evaluation (UE-OPE) and a novel electronic voting scheme based on US-OPE. Oblivious Polynomial Evaluation is a 2-party protocol proposed by Neor and Pinkas in 1999 where Alice and Bob are given a secret polynomial, a secret value respectively, and after executing the protocol Bob privately outputs a value of the polynomial evaluated at the secret value without giving any useful information on their secrets. The proposed US-OPE is secure without assuming any computational/storage bound on adversary, and is an optimal construction satisfying the lower bounds previously shown by the authors. Moreover, in this paper, we will present an construction of unconditionally secure publicly verifiable secret sharing (US-PVSS) and an electronic voting scheme in the bulletin board model based on our PVSS.The proposed electronic voting scheme is efficient. For example, in a case of 1 million voters, the storage complexity to store private key required to store for each voter is as small as 300MB. communication complexity to verify the overall tallying process is 27GB in a case of tolerating up to 1000 colluding users, and 220GB in a case of tolerating up to 10,000 users.

(52) Refrehshable Tokens with Optional Linkability: Rie SHIGETOMI (Institute of Industrial Science, University of Tokyo)
Akira OTSUKA (Information-technology Promotion Agency)
Keith MARTIN (Roasl Holloway, University of London)
Hideki IMAI (Institute of Industrial Science, University of Tokyo)
: As more service are provided digitally and digital service providers collect more information about users, potential privacy problems are on the increase. This is particularly true when users have to present some form of electronic token in exchange for a digital service. One way to address privacy problems is to provide digital services anonymously. The problem with many previous anonymous token services is that once a token is issued, for a particular value, it cannot be modified in any way other than to decrease the amount of credit associated with the token as it is spent. In this paper we propose a system for "refreshing" tokens anonymously which allows the holder of a token to request that the issuing organization reissues a modified token in an anonymous way. the new (refreshed) token includes the same embedded user identification as the original token. Unlike most previous schemes, this allows anonymous tokens to be used for applications such as foreign exchange, where tokens may need to be exchanged for refreshed tokens issued in a different monetary value. This scheme also allows anybody to check the validity of the token (not just the token)

(53) Transferable Off-line Anonymous Electronic Tickets System: Kyoko MIKAMI (Tsuda College)
Asuka NAKAMURA (NIWS Co., Ltd.)
Rie SHIGETOMI (Institute of Industrial Science, the University of Tokyo)
Takahide OGAWA (Tsuda College)
: Electronic ticket services, such as tickets for movies, are begin popular. It will be easy to deal with the information when many kinds of information are digitized. On the other hand, there is a possibility of invading the user's privacy with that easiness. In the electronic ticket services, by storing personal information, purchase records, and past records of users' usage, the service providers could provide services suitable for the user's needs. However, if these information were misused, it will lead to the privacy infringement. To resolve these problems, this paper proposed an electronic tickets system that will not allow the service provider to get the information who bought what. This system extends Refreshable Tokens Scheme applying off-line electronic cash scheme enables us not only to buy and use tickets but also to transfer them to other users anonymously.

(54) Electronic Voting System Using Mobile Phone with Camera: Hiroshi Motosugi (Information Security Laboratory, Tokyo Denki University)
Ken-ichi Katsuragawa (Information Security Laboratory, Tokyo Denki University)
Ryoichi Sasaki (Information Security Laboratory, Tokyo Denki University)
: Electronic Voting system is becoming to be widely used caused by the effective summing up function. However, there is a few problems, for example, Vote-buying and Voter coercion in Electronic Voting from home via internet. We propose the Electronic Voting system with counter-measures against vote-buying and voter coercion. This system make it possible to prevent the Vote-buying and Voter coercion by observing the voting process using Mobile Phone with Camera. We think that it is possible to carry out this system providing that improve in Mobile Phone and use the JPKI.

[home]