暗号プロトコルの安全性を,検証ツールを用いて自動検証する研究が活発に行われている.鍵交換プロトコルの安全性については,人手による証明ではセッション鍵とランダムな値の識別不可能性に基づくSK-secure性が代表的であるが,その自動検証に成功した事例は報告されていない.本研究では,土屋らとZhaoらのグループ認証付鍵交換プロトコルについて,ProVerifを用いた自動検証を行う.まず,セッション鍵の識別不能性を求めるSK-secure性よりは攻撃成功のための基準が低いものの,攻撃者が利用できるクエリはSK-secure性と同一の安全性モデルであるweak-SK-secure性を定式化する.そして,それらのプロトコルが weak-SK-secure性を満たすことを自動証明で示す.さらに,Zhaoらの方式はSK-secure性を満たさないことを自動検証で示す.一方,土屋らの方式は,本論文で定式化した手法ではProVerifが"cannot be proved"を返しSK-secure性を証明できない.そこで,ProVerifでSK-secure性の証明を困難にする原因について考察を与える.
機械学習によるプライバシ設定推測手法に関する評価
◎中村 徹(KDDI研究所)、清本 晋作(KDDI研究所)、Welderufael B. Tesfay(Goethe University Frankfurt)、Jetzabel Serna-Olvera(Goethe University Frankfurt)
Lattice-based Multi-signature with Linear Homomorphism
◎Rakyong Choi(KAIST)、Kwangjo Kim(KAIST)
This paper extends the lattice-based linearly homomorphic signature to have multiple signers with the security proof. In our construction, we assume that there are one trusted dealer and either single signer or multiple signers for a message, The dealer pre-shares the message vector $\textbf{v}$ during the set-up phase and gives pre-shared vector $\textbf{v}_i$ to each signer. Then, from partial signatures $\sigma_i$ of $\textbf{v}_i$ signed by each signer, one obtains a valid signature $\sigma$ of $\textbf{v}$ by combining all partial signatures $\sigma_i$ of $\textbf{v}_i$. We use well-known lattice-based algorithms like trapdoor generation algorithm and extracting basis algorithm to distribute different secret keys to each signer. Our signature holds multi-unforgeability and weakly context hiding property and is provably secure in the random oracle model under $k$-Small Integer Solution ($k$-SIS) problem assuming the soundness of Boneh and Freeman's signature.
1D1-4
Revisiting Isomorphism of Polynomials with Two Secrets: towards a Shorter Zero Knowledge Protocol
○Bagus Santoso(The University of Electro-Communications)
The isomorphism of polynomials with two secret (IP2S) problem has been intensively studied and recognized as one candidate of computational assumption for post-quantum cryptography. Except for few special cases, up to this date, no algorithm can solve it better than $O(q^{n/2})$. In 1996, Patarin introduced an identification scheme which is a zero knowledge protocol based on IP2S problem. However, the communication cost is very large,i.e., $O(q^{n\times n})$. It is an interesting question whether we can find any method to reduce the communication cost of the scheme. In this paper, we analyse several variants of IP2S which might lead us to a zero-knowledge protocol with less communication cost compared to the Patarin's original scheme. Our analysis shows that there is a kind of a trade off between the communication cost and the security level of the variants, i.e., variants who give more cut on the communication cost will be more likely more insecure in practice. Finally, we propose a variant of IP2S which we argue is still secure in practice, and is able to bring us a new scheme whose communication cost is approximately a quarter of the original cost in $80$-bit standard security.
1D1-5
On the Security of the CFS Signature
○Kirill Morozov(Kyushu University)、Partha Sarathi Roy(University of Calcutta)、Rainer Steinwandt(Florida Atlantic University)、Rui Xu(KDDI R&D Laboratories)
We prove that the code-based Courtois-Finiasz-Sendrier (CFS) signature is strongly existentially unforgeable under chosen message attacks (SEUF-CMA secure) in the random oracle model, assuming hardness of the Permuted Goppa Syndrome Decoding Problem (also known as the Niederreiter problem). In addition, we explicitly show that security against key substitution attacks can be arranged by the standard technique of Menezes and Smart that requires to hash the public key.
On the Security of Some Homomorphic Authentication Schemes for Network Coding
○Chi Cheng(Kyushu University)、Jemin Lee(Singapore University of Technology and Design)、Tsuyoshi Takagi(Kyushu University)
Recently, based on the homomorphic signatures, the authentication schemes such as homomorphic subspace signature (HSS) and key predistribution-based tag encoding (KEPTE) have been proposed to resist against pollution attacks in network coding. In this paper, we show that there exists an efficient multi-generation pollution attack on HSS and KEPTE. Specifically, we show that by using packets and their signatures of different generations, the adversary can create invalid packets and their corresponding signatures that pass the verification of HSS and KEPTE at intermediate nodes as well as at the destination nodes. After giving a more generic attack, we analyze the cause of the proposed attack. We then propose the improved key distribution schemes for HSS and KEPTE, respectively. Next, we show that the proposed key distribution schemes can combat against the proposed multi-generation pollution attacks. Finally, we analyze the computation and communication costs of the proposed key distribution schemes for HSS and KEPTE, and by implementing experiments, we demonstrate that the proposed schemes add acceptable burden on the system.
A Note on Authenticated Key Exchange in Cryptocurrency
◎京極 達也(京都大学大学院情報学研究科)、阿部 正幸(NTTセキュアプラットフォーム研究所)、岡本 龍明(NTTセキュアプラットフォーム研究所)
In this paper we focus on how to realize end-to-end secure communication between a cryptocurrency users.While a cryptocurrency users have not only financial transactions but also commercial transactions (e.g., acknowledgment of receipt, follow-up correspondence, etc), a cryptocurrency only guarantees the security of financial transactions. If we want to get end-to-end security, we need another long term key to execute authenticated key exchange(AKE), but It is wasteful to require two long term keys. In order to solve this problem, A bitcoin-based authenticated key exchange protocol was proposed by Patrick McCorry et al. This protocol executes all interactions by same keys. However, this protocol has the following inefficiencies. 1) Request a wasteful payment to generate a session key, and 2) Unable to prove the security in formal model. To overcome the above inefficiencies, we present a new protocol that achieves secure commercial transactions as well as secure financial transactions. Our protocol never requests any extra long term keys, any extra payments and any trusted third parties. We finally, formally prove the security of our protocol in the Canetti-Krawczyk model.
1A2-2
New Cryptocurrency Protocol without Proof of Work
◎久米潤一郎(京都大学)、阿部正幸(京都大学,NTTセキュアプラットフォーム研究所)、岡本龍明(京都大学,NTTセキュアプラットフォーム研究所)
The Bitcoin system has adopted a mechanism called Proof of Work (PoW), which contains certain requirements on the block generation. Protocols based on PoW require miners to solve difficult computational puzzles, that cause an issue of wasted electricity. Furthermore, the system has another problem about data storage. A public distributed ledger, called the block chain, logs all existing transactions. Miners must store the whole of it to verify the legitimacy of transactions. In SCIS2015 we proposed a lottery protocol for a cryptocurrency in which a block generator is randomly selected. In this paper we improve the protocol by increasing the efficiency of a method called follow-the-satoshi and reducing the size of the public ledger.
E-voting System Based on the Bitcoin Protocol and Blind Signatures
◎Jason Paul Cruz(Nara Institute of Science and Technology)、Yuichi Kaji(Nara Institute of Science and Technology)
This study proposes an electronic voting (e-voting) system based on the Bitcoin protocol and blind signatures. Various cryptographic schemes have been studied to realize secure and efficient e-voting systems, but these systems are hardly used in practical voting. One of the technical reasons for this unfortunate situation is that many e-voting systems require an anonymous communication channel, which is difficult to implement over the Internet. This study investigates if the Bitcoin protocol, a payment network wherein transactions are managed collectively by a peer-to-peer network, can provide a breakthrough to the practicality issue of e-voting systems. In the proposed system, the Bitcoin protocol is complemented with known protocols, such as the blind signature protocol and digital signature protocol, to realize an e-voting system that is secure, anonymous, and transparent. This study discusses several important properties of e-voting systems, including fairness, eligibility, anonymity, robustness, and verifiability, and shows that the use of the Bitcoin protocol brings favorable features besides the anonymity of the communication.
Securing BYOD with Mobile Device Management based on SCAP and SE Android
○楊中皇(國立高雄師範大学)、董倫銘(國立高雄師範大学)
As popularity of the mobile devices, including smartphones and tablets, continues to grow, more and more personal data inevitably stored inside these devices and it has become an important issue to protect private data on the devices. Many organizations have adopted Bring Your Own Devices (BYOD), allowing employees to use their personal mobile devices at work. But, both personal-owned and corporate-owned mobile devices came with security risks. Since the protection of private data on mobile devices could not be achieved with a single measurement, we designed and implemented centralized management system for Android devices based on SCAP (Security Content Automation Protocol) and SE Android. Automated configuration management based on SCAP will reduce time effort for user to setup one’s mobile device with recommended configuration, while SE Android allow dynamically configuration of security policy.
Single Server Private Information Retrieval in Sublinear Time
◎Vannet Thomas(東京大学)、國廣昇(東京大学)
Private Information Retrieval is the art of recovering data on a remote server without revealing what data is being retrieved, protecting the client's privacy. Many protocols achieve this with low communication in a generic setting but all of them require the reading of at least as many bits as the entire server is storing. We provide the first fully sublinear single server private information retrieval scheme. Depending on parameters, each query can be performed several orders of magnitude faster than previous options in the same setting. The scheme is based on our previous result from SAC2015 and does not require the batching of several queries, trusted hardware or non colluding servers. It relies instead on the hardness of the Approximate GCD assumption. We achieve the desired complexity by using new preprocessing techniques allowing the server to partially select bits belonging to the private key and transferring some of the online computational cost to the client.
On the Security of a Public Key Cryptosystem based on Diophantine Equations of Degree Increasing Type
Jintai Ding(Department of Mathematical Sciences, University of Cincinnati)、◎Momonari Kudo(Graduate School of Mathematics, Kyushu University)、Shinya Okumura(Institute of Math for Industry, Kyushu University)、Tsuyoshi Takagi(Institute of Math for Industry, Kyushu University)、Chengdong Tao(South China University of Technology)
In this paper, we propose an attack against the one-wayness of a public key cryptosystem based on Diophantine equations of degree increasing type (DEC, for short) proposed by Okumura in 2015. Through a concrete example, we show that the security of DEC depends on the difficulty of finding certain vectors in the lattices of low ranks, (e.g. 2 or 3), obtained by a public key and a ciphertext. The most important target vector in our attack has a special property: it is not a shortest vector but only some entries are relatively small, and thus the usual LLL algorithm does not work well to find such a special vector. From this, we apply the ``weighted LLL algorithm'', which is the LLL algorithm with respect to a special norm called a weighted norm, to our attack. We describe heuristically how to choose an appropriate weight in order to find a relatively short vector with entries of unbalanced sizes. Our experimental results show that the weighted LLL algorithm for a weight chosen by our method is able to break the instances of DEC that is considered to have 128 bit security. Our result suggests some possible applications of the weighted LLL algorithm.
1D2-4
Recent Developments in Multivariate Cryptography
◎Albrecht Petzoldt(Kyushu University)、Tsuyoshi Takagi(Kyushu University)
Multivariate Cryptography is one of the main candidates for creating post-quantum cryptosystems. The public key of these schemes is a set of quadratic polynomial equations in several variables. Solving such a system has been proven to be an NP-hard problem. In the last two decades, many new multivariate schemes both for public key encryption and digital signatures have been proposed. In this report we give an overview of some of the most important recent developments in this field. We describe two of the currently most promising multivariate schemes for encryption and digital signatures, namely the SimpleMatrix encryption and the Gui signature scheme. Furthermore, this report discusses open challenges in the area of multivariate cryptography and describes current attempts to solve these problems.
Revocable Group Signatures with Compact Revocation List Using Vector Commitments
◎Shahidatul Sadiah(HIROSHIMA UNIVERSITY)、Toru Nakanishi(HIROSHIMA UNIVERSITY)
A group signature allows any group member to anonymously sign a message on behalf of the group. On the other hand, this scheme needs an efficient member revocation scheme. Lots of member revocation schemes have been proposed so far. One scheme proposed by Libert et al. recently has achieved a constant signature size and verification time, but the revocation list (RL) has the size of O(R), for the number of revoke member, R. Another scheme proposed by Nakanishi et al. achieved a compact RL. However, this scheme increases membership certificate size by O(T ). In this paper, we extend the scheme proposed by Libert et al. by reducing the the RL size to O(R/T ) using vector commitment method to compress the revocation entries. In addition, the proposed scheme achieves O(1) membership certificate size.
1E2-3
Secure Deduplication for Multiple Group Setting
◎Ei Mon Cho(埼玉大学)、Takeshi Koshiba(埼玉大学)
Multiple group setting scheme have recently become important for enabling deduplication for cloud server. It starts with the group signature features for multiple groups setting. We construct multiple groups’ scheme that allows one or more groups to access a file such that the cloud server can avoid duplicate according to the ownership of users. The main goal of the primitive is to allow multiple groups that are managed separately (even a server also called verifier is used). The group managers mainly manage the new entities and revocation list for client and server respectively. Consequently we use the Message Lock Encryption (MLE) as an ingredient for deduplication both for uploading a new file and for updating an existing file.
CAN(Controller Area Network)は,組込み機器向けのバス型ネットワーク規格であり,車載ネットワーク等に広く用いられている.近年,ディジタルデータを運ぶアナログなレイヤーに着目し,送信側には受信側にデータが正しく送信されたと認識させ,受信側には攻撃者が改ざんしたデータを受信させるという電気的データ改ざん攻撃が指摘されている.この攻撃に対するセキュリティ強化策としてMAC付加と電圧波形解析が挙げられている.電圧波形解析は,この攻撃によりバスの電圧波形に現れる特徴を利用し検知を行うものである.具体的には,本来の1bitの送信では起こり得ないタイミングの電圧変化を検知するタイミング違反検知と,送信側が送るビット列の変化の回数とバスの電圧変化の回数が異なることを検知する回数違反検知が提案されている.本論文では,電気的データ改ざん攻撃に現れる本来の1bitの送信より短い電圧変化に着目することで検知を行う電圧波形解析の新たな手法を提案する.この手法は従来手法より容易に実装が可能であり検知精度も良好であると考えられる.さらに実験用のCANバスを用いて実証することにより,検知手法の有効性を示す.また,それぞれの手法について考察を行いまとめる.
近年,DNSやNTPサーバなどを踏み台にしたDDoS攻撃のひとつであるDRDoS(Distributed Reflection Denial of Service)攻撃が問題となっている.ISPのネットワーク管理の観点からDRDoS攻撃への対応を考えると,ネットワーク障害等の実被害に至る攻撃だけでなく表面化していない攻撃を把握することも重要である.NTPを使用したDRDoS攻撃(NTPリフレクション攻撃)に使用されるmonlist機能の応答には,NTPサーバに問い合わせを行ったホストの履歴が記録されており,NTPリフレクション攻撃の場合,過去の被害IPアドレス群が記録されている可能性がある.そこで本稿では,NTPリフレクション攻撃トラフィック中のmonlist応答を調査することで潜在的な被害ホスト群を推定する手法を提案する.また,提案手法の有効性を検証するためにISPバックボーンの大量通信検知ログと提案手法により推定したIPアドレス群とを突合した.その結果,表面化していないNTPリフレクション攻撃の被害ホストを提案手法により抽出できることを確認した.さらに本稿では,推定した潜在被害ホスト群をDRDoS攻撃の早期警戒に応用する方法について議論する.
On the Security of Cryptosystems Using Short Generators over Ideal Lattices for Cyclotomic Fields
◎奥村 伸也(九州大学マス・フォア・インダストリ研究所)、杉山 真吾(九州大学マス・フォア・インダストリ研究所)、安田 雅哉(九州大学マス・フォア・インダストリ研究所)、高木 剛(九州大学マス・フォア・インダストリ研究所)
Some cryptosystems over ideal lattices use short generators as secret keys. These include the candidate of multilinear maps by Garg, Gentry and Halevi, and the fully homomorphic encryption scheme by Smart and Vercauteren. The security of these cryptosystems relies on the computational difficulty of the principal ideal problem (PIP) and the short generator problem (SGP). For PIP, Biasse and Fieker proposed a subexponential algorithm. For SGP, Bernstein and Campbell-Groves-Shepherd sketched an attack using the log-unit lattice. The size of a dual basis of the log-unit lattice is related with the success probability of the attack. Recently, Cramer, Ducas, Peikert and Regev gave an implicit upper bound of the size of the dual basis over cyclotomic fields of prime power conductors. In our work, we give explicit upper and lower bounds of the size of the dual basis. We give experimental evidences that SGP over cyclotomic fields can be solved with high probability under Weber's class number problem. Our analysis suggests that the security of cryptosystems using short generators depends on the difficulty of PIP if Weber's class number problem holds true.
On the Security of QUIC
◎井関正也(東京工業大学)、藤崎英一郎(NTTセキュアプラットフォーム研究所)
We study the security of Quick UDP Internet Connections (QUIC for short). Lychev et al., show that QUIC is secure in their security model which is called QACCE. However, QUIC has vulnerabilities against the attacks which increase server loads and their security model does not cover these attacks. QUIC should prevent these attacks because these attacks assist an adversary to do Distributed Denial of Service (DDoS) attacks. To cover these security concerns, we propose a new security model, extending server-only authenticated and channel confidentiality establishment (SACCE), so that authentication and channel confidentiality can be evaluated including abbreviated handshake sessions. Our security model is stronger than QACCE to cover the security concerns. We then show that the original QUIC does not satisfy our security model. We also propose a new scheme to solve the security concerns and enhance the performance. There are three advantages in the our proposed scheme. First, it prevents the attacks. Second, it does not require Strong Computational Diffie-Hellman assumption to satisfy the security model. On the other hand, the original QUIC require Strong Computational Diffie-Hellman to satisfy QACCE secure. Third, it reduces a number of interactions from four times to two times.
属性ベース署名とは、各署名者がその属性に応じた署名鍵を鍵発行機関から発行され、その署名鍵を用いて、属性上の述語が関連付けられた署名を発行できる暗号技術である。このとき、署名者は自身の属性が満たす述語について署名が発行可能であり、しかもその署名は発行者がどのような属性を持っていたかについて情報を漏洩させないという性質を持つ。この研究分野において、(i) 広い範囲の述語のクラスを取り扱え、かつ (ii) 実用的な効率を備えた方式を (iii) シンプルな仮定から構成することは、これら三つの要素が方式の実用性を左右するため、重要な研究課題の一つである。本稿では、任意の論理回路を述語として使用可能でかつ実用的な効率を持つ初めての属性ベース署名方式を、symmetric external Diffie-Hellman仮定から構成する。提案方式は、代数的な関係の証明に特化した効率的なゼロ知識証明であるGroth-Sahai証明と、回路充足可能性を証明できるGroth-Ostrovsky-Sahai証明のアイデアとを組み合わることで、効率的でかつ表現力の高い属性ベース署名方式を構成している。
2E1-5
Lightweight Authentication Protocols Based on the LPN Problem and Random Selection
○Miodrag J. Mihaljevic(Institute of Industrial Science, The University of Tokyo)、Kanta Matsuura(Institute of Industrial Science, The University of Tokyo)
Lightweight and provably secure authentication protocols are of high importance for securing machine-to-machine communications and Internet of Things. In a number of scenarios, an entity with very limited capabilities (a tag for example) should perform authentication to a more powerful entity (a reader, for example). Accordingly, we discuss certain issues regarding authentication protocols with asymmetric implementation complexity which fits into the capabilities of the parties involved. The discussed authentication approach is based on the LPN problem and a paradigm of random selection in order to provide desired level of authentication security as well as implementation complexity. We explore the background for security evaluation of the approach in the active attacking scenario as well as certain implications regarding the man-in-the-middle attack evaluation scenario.
近年,デジタルICの多くはコスト削減のために一部の設計・製造工程を第三者もしくは第三者のツールで設計・製造されており,悪意のある機能を持つ回路が挿入される危険性が指摘されている.この悪意のある機能を持つ回路がハードウェアトロイと呼ばれ,深刻なセキュリティ上の懸念となっている.事実,United States Department of Defenseは2005年にハードウェアトロイの脅威に関するレポートを発表し,2007年にDefense Advances Research Projects Agencyでも研究が開始され,米国を中心にハードウェアトロイの研究が加速度的に成長している.本稿では,特に容易にハードウェアトロイを設計・挿入することができる設計段階を対象とする.本稿で提案するハードウェアトロイ検出手法は回路の振る舞いを動的に監視することで,回路の定常状態を学習し,ハードウェアトロイが動作した時の異常状態を検出することで,ハードウェアトロイを検出する手法である.定常状態を学習するために短時間のランダムシミュレーション,異常状態を検出するために長時間のランダムシミュレーションを行う.これら二種類のシミュレーションを使い分けることで,既存手法では検出することのできなかったハードウェアトロイのタイプを検出することに成功した.
Proxy Trapdoor-Re-Generation Scheme in Public Key Encryption with Keyword Search - Realization of Provably Secure Organizational Cryptosystem
○Ryo Fujita(Chuo University)、Takeo Mizuno(Institute of Information Security)、Hiroshi Doi(Institute of Information Security)、Shigeo Tsujii(Chuo University)
With the rapid development of information and communication technology, cross-sectoral cooperation has advanced, and the importance of inter-organizational confidential communication has been growing to allow further information sharing among various organizations. In this paper, we propose "Proxy Trapdoor-Re-Generation Scheme in Public Key Encryption with Keyword Search (PTRG-PEKS)" for an organizational cryptosystem for confidential communication among organizations. Our scheme enables members not having the secret key to perform the search. Furthermore, in our scheme, the revocation of privileges of the search can be easily done. We show the security of our proposed scheme against chosen keyword attack and master secret security in the case that either the proxy, which transforms pseudo trapdoor sent from users to intermediate trapdoor, or the search server, which performs the search, is corrupted by an adversary.
Evaluation of ACA-based Intrusion Detection Systems for Unknown-attacks
◎Kyung-min Kim(KAIST)、Jina Hong(KAIST)、Kwangjo Kim(KAIST)、Paul D. Yoo(Bournmouth University)
Intrusion Detection System (IDS) monitors a network and detects users' malicious activities. Since new unknown-attacks are appearing continuously, IDS must have capability of detecting attacks without any specific prior knowledge. Also many devices are connected on network and produce enormous large volumes of network data. Labeling enormous network data manually is impractical task. Therefore, we should find a way to learn normal traffic and attack traffic by itself on the unlabeled dataset. In this paper, we propose two IDS for unknown-attacks based on Ant Clustering Algorithm (ACA). Our IDS can learn on the unlabeled dataset and detect unknown-attacks. Our proposed IDS are combination of ACA and other supervised learning algorithm. We combined Decision Tree and Artificial Neural Network with ACA separately and compared performance between them.
2B2-2
Another Fuzzy Anomaly Detection System Based on Ant Clustering Algorithm
◎Muhamad Erza Aminanto(KAIST)、HakJu Kim(KAIST)、Kyung-min Kim(KAIST)、Kwangjo Kim(KAIST)
Attacks against computer networks are evolving rapidly. Conventional intrusion detection system based on pattern matching and static signatures have a significant limitation since the signature database should be updated frequently. The unsupervised learning algorithm can overcome this limitation. Ant Clustering Algorithm (ACA) is a popular unsupervised learning algorithm to classify data into different categories. However, ACA needs to be complemented with other algorithms for the classification process. In this paper, we present a fuzzy anomaly detection system that works in two phases. In the first phase, the training phase, we propose ACA to determine clusters. In the second phase, the classification phase, we exploit a fuzzy approach by the combination of two distance-based methods to detect anomalies in new monitored data. We validate our hybrid approach using the KDD Cup'99 dataset. The results indicate that, compared to several traditional and new techniques, the proposed hybrid approach achieves higher detection rates and lower false alarm rate.
Secure and Mutual Traceable Distributing Scheme for Big Data
Kaitai Liang(Aalto University)、Atsuko Miyaji(Osaka University)、○Chunhua Su(Japan Advanced Institute of Science and Technology)
In recent years, the rapid growth of big data and the data analysis on big data make data owners prefer to outsource their data to cloud service providers to maintain the high-quality retrieval and storage service without suffering the high-cost local data management and maintenance. However, such cloud service providers are not fully trust-worthy and the risk of leakage of sensitive personal information are one of major concerns which prevent the wide-spread utility of big data. Efficient data traceability and distribution with security are of critical importance for big data. In this paper, we propose mutual traceable data distribution and secure outsorcing computation system for big data related service. Our constructions are based on searchable attribute-based proxy re-encryption. When compared to existing systems only supporting either searchable attribute-based functionality or attribute-based proxy re-encryption, our new primitive supports both abilities and provides flexible keyword update service. Specifically, the system enables a data owner to efficiently distribute and trace his data to a specified group of cloud service providers who is matching a security and privacy policy and meanwhile, the data will maintain its traceable property and can be updated after the data sharing. The new mechanism is applicable to many real-world utilization of big data, such as e-health record systems and other personal private database system. Finally our construction is proved chosen ciphertext secure in the random oracle model.
Factoring RSA Modulus with Random Known Bits
◎Yao LU(The University of Tokyo)、Liqiang PENG(Chinese Academy of Sciences)、Noboru KUNIHIRO(The University of Tokyo)、Rui ZHANG(Chinese Academy of Sciences)
In Crypto 2009, motivated by cold boot attack, Heninger and Shacham presented an algorithm to factor RSA modulus for the case where some random bits of the secret primes are known with certainty. Later, in Crypto 2010, Henecka, May and Meurer proposed an extended algorithm factoring RSA modulus from the noisy secret prime bits with some errors. Note that the above algorithms require the knowledge of bits in both primes, an open problem naturally arises: Can we factor RSA modulus if the erasures/errors are only in one prime? In this paper, we give a negative result from a coding-theoretical viewpoint. Moreover, we generalize the previous results to the case of primes with different erasure/error probability, and discover more attack scenarios. We also perform experiments to verify the validity of our algorithms.
2D3-2
On the Complexity in Certain Classes of Multiple Discrete Logarithms
◎Hwei-Ming Ying(University of Tokyo)、Noboru Kunihiro(University of Tokyo)
In this paper, we analyse the computational complexity arising from certain subsets of the multiple discrete logarithm problem.
この論文はAsiacrypt2015で発表された「相対代数体ふるい法(Tower Number Field Sieve)」を拡張する。我々の一般化にJLSVアルゴリズム(Joux, Lercier, Smart, VercauterenによりCrypto 2006で掲載)を適用することで、素数p=L_Q( l_p )が実数l_pに対してl_p > 1/3を満たす場合、有限体F_Q:=F_{p^n}上の離散対数問題を解く計算量が L_Q( 1/3, (64/9)^{1/3}) であることが証明できる。従来の数体ふるい法では上記の計算量は素数pがl_p >2/3を満たすか(JLSVアルゴリズムの場合)、素数pが特別な形態を持つ(JouxとPierrotによりPairing 2013に掲載)場合しか成立していなかったことが注目するべきことである。さらに、我々の結果に多重数体ふるい法(Multiple Number Field Sieve)や特殊数体ふるい法(Special Number Field Sieve)などを適用することで上記の計算量はそれ以上に改善できる。
耐故障性を強化した ORAM の構築
Atsuko Miyaji(Japan Advanced Institute of Science and Technology)、◎Tran Phuong Thao(Osaka University)
Oblivious RAM (ORAM) is a cryptographic construction that allows a client to access encrypted data residing on an untrusted storage server, while completely hiding the access patterns to storage. Many ORAMs for cloud storage have been proposed to improve efficiency and security. However, data availability, data integrity and data confidentiality have not been addressed contemporaneously. In this paper, we formalize a new concept of ORAM which can deal with these three security challenges. Furthermore, our scheme not only achieves a higher security level but also is more practical compared with previous ORAMs, because our scheme is constructed based on information-theoretic security which is much more efficient than computational security as in previous ORAMs.
パブリッククラウドとプライベートクラウドのように2つの異なるクラウドインフラを併せ持つクラウドをハイブリッドクラウドという。プライベートクラウドに比べパブリッククラウドの処理能力が大きい場合パブリック側で処理をすることが望ましい。しかし、機密情報を扱うときはプライベートクラウドの方がパブリッククラウドに比べセキュリティに強いのでプライベートクラウドでの処理に限定されていたが近年では、大規模なデータ分析のためパフォーマンスの向上が必要になった。そこで冗長な計算を発生させるが機密情報を考慮しつつ両方のクラウドで負荷分散を行うことで全体の処理時間を短くする方法としてSEMROD(Secure and Efficient MapReduce Over HybriD Clouds)が提案されている。本研究ではSEMRODの問題点であるマルチレベルのMRジョブで増加する冗長な計算を削減することについて考察する。
2B4-5
A Study on the Security Evaluation Methods of Proxy Re-Encryption Applied to Cloud Environments
○Lihua Wang(NICT)、Licheng Wang(BUPT)、Masahiro Mambo(Kanazawa University)
Proxy re-encryption is a cryptographic scheme in which a proxy is given a proxy re-encryption key from a delegator Alice to a delegatee Bob and transform a ciphertext of Alice to a ciphertext of Bob without decryption. Bob can decrypt the transformed ciphertext under his secret key. Proxy re-encryption can be used for secure cloud storage since it allows one to securely exchange files with designated parties. In this paper we examine the reduction relationship between existing security notions, e.g. IND-CPA, of proxy re-encryption and security requirements, e.g. collusion-safe, in cloud environments.
2B4-6
Secure Logic Formula Calculation in Cloud
○Hiroshi Yamaguchi(Chuo University)、Phillip C.-Y. Sheu(University of California, Irvine)、Shigeo Tsujii(Chuo University)
With rapidly expanding data collections becoming increasingly available, the application of semantic computing has become imperative to leverage this resource for social applications. We examine semantic analytical techniques as applied for primary sequence analysis for genes and proteins in biomedical area. We introduce logic formula calculation method to realize question and answer scheme in which a question is analyzed in the form of logic and analyze and verify the question and generate the answer. We propose a formula definition language named SCDL (Semantic Capability Definition Language). Additionally, we apply the cryptographic protocol preserving the privacy of user and confidentiality of question and answer scheme.
多くの高機能暗号を構成するための共通の基本要素の一つとして、ペアリング(ここでは素数位数の有限体上の楕円曲線上の点のペアに当該有限体の拡大体の乗法群の元を対応させる双線形写像に限定)があり、これを自由に扱える実装技術なくして高機能暗号の爆発的活用はありえない。専用ハードウェア化が有望なアプローチであると捉え、ペアリング計算につき RNS(Residue Number System) の並列実装を含む高速化アーキテクチャを検討し良好な結果を得た。
2C4-4
Bluetooth Low Energyを題材とした軽量暗号の性能評価
○菅原健(三菱電機)、鈴木大輔(三菱電機)、松井充(三菱電機)
Bluetooth Low Energy (BLE) を搭載するマイコンにおいて,軽量暗号のソフトウェア実装の性能評価を行う.「センサノードが,取得した情報を暗号化してIoTゲートウェイに渡す」というユースケースを模擬したセットアップにおいて実験を行い,暗号実装が速度・メモリ容量・消費エネルギーにどのくらいの寄与を持つか調べる.ケーススタディから得た知見は以下の通りである.消費エネルギーはサイクル数に比例する.そのため,マイコン実装において低消費エネルギーを達成するのは速い暗号アルゴリズムである.ただし,マイコン実装では,暗号文サイズやROM/RAM 量などに制約が課せられることがある.制約の元で高速化を目指す所に,暗号設計上の課題がある.今回のセットアップにおいて,暗号が消費エネルギーに占める割合は 0.7--6.4% と小さい.ソフトウェア実装したBLE プロトコルスタックの処理が相対的に重いためである.そのため,暗号化するデータが大きい別のユースケースや,BLEではないより軽量な通信プロトコルを利用する場合の方が,軽量暗号を採用する動機が強くなるだろう.
2C4-5
μNaClの32-bit ARM Cortex-M0への実装
◎西永俊文(金沢大学)、満保雅浩(金沢大学)
軽量で高速かつ安全な暗号ライブラリであるNaClのプリミティブの一つであるCurve25519を32-bit ARM Cortex-M0に実装する試みがなされており、M0NaClとして公開されているが、現在までに、Curve25519以外のプリミティブの実装がなされていない。このため、本論文では、M0NaClの成果を取り込みつつ、全てのプリミティブが動作するμNaClをARM Cortex-M0マイコンへ実装する。そして、実装評価を通して、AVR NaClより約3倍の動作速度と半分のコードサイズを達成していることを示す。
Comparison of Babai's nearest plane and rounding algorithms in Laine-Lauter's key recovery attack for LWE
工藤 桃成(九州大学大学院数理学府博士後期課程)、◎Yang Guo(九州大学大学院数理学府修士課程)、安田 雅哉(九州大学マスフォアインダストリ研究所)
The learning with errors (LWE) problem is one of computationally-hard problems in lattice theory. The difficulty of the LWE problem depends on the dimension of the secret key and the modulus parameter. In 2015, Laine and Lauter proposed a new attack which reduces the LWE problem to the closest vector problem (CVP) over a certain lattice. When the modulus parameter is large compared to the dimension, their attack can solve the LWE problem with high probability in polynomial time. They used only Babai's nearest plane algorithm to solve the CVP in their attack. In this paper, we apply Babai's rounding algorithm, and compare it with Babai's nearest plane algorithm in their attack. Our experimental results show that the LWE problem with considerably large modulus parameters can be solved by both the rounding and the nearest plane algorithms, and the rounding algorithm is much faster than the nearest plane one.
In this manuscript, we report our implementation of an LWE distinguisher. We use the Shortest Integer Solution (SIS) strategy to distinguish an LWE oracle from a uniform oracle. The current work aims at providing a thorough understanding of this strategy. We provide details of our implementation and present some preliminary report of experiment results of our implementation. The purpose of such experiments is to help understand the practical analysis on distinguishing LWE problem and share advice on parameter selection for LWE based cryptosystems.
2D4-3
The Beauty and the Beasts --The Hard Cases in LLL Reduction
Jintai Ding(Department of Mathematical Sciences, University of Cincinnati)、Saed Alsayigh(Department of Mathematical Sciences, University of Cincinnati)、◎Yuntao Wang(九州大学数理学府)、Tsuyoshi Takagi(九州大学IMI研究所)
In this paper, we would like to systematically study who indeed are the hard lattice cases. For some given form of random lattices, the LLL reduction will give us nearly the maximum approximation factors for their special geometric structures. At first, we call the perfect lattice as the Beauty, which is given by basis of vectors of the same length with the mutual angles of any two vectors to be exactly 60 degree. Through experiments, we can show that, in some form as the lattice is getting close to the Beauty lattice, the rational LLL will fail to find the shortest vector, if we are given a set of random basis of such a lattice. In the case for low dimensional lattices, we can give a direct explanation why and how this happens. Using the symmetry of the perfect lattice, we show that there is a very efficient way to find shortest vector, which points to a very interesting new direction to improve the BKZ algorithm. We then speculate why this happens in the high dimensions. The results in the low dimensional lattices also allow us to give a simple and direct way to explain why and how the approximation factor increases as a lattice is getting closer to the perfect lattice. Our work in a way gives a simple and direct way to explain how to build a hard lattice in low dimensions. We reduce our Beasts lattice bases using the exact-arithmetic LLL in NTL library. In our implementations, we consider the effects of some variable parameters of our constructed Beasts bases and LLL. Under the same condition, we also compare the failure probability for NTL rational LLL when it reduces random lattice bases from Darmstadt SVP Challenge.
Functional encryption for inner-product values was first introduced by Abdalla et al. (PKC 2015), where decrypting a chipertext for a vector x with a secret key for a vector y reveals only the inner-product value of these vectors x・y. We call it inner-product value encryption (IPVE) in contrast to inner-product predicate encryption (IPPE), which is usually called inner-product encryption (IPE). To the best of our knowledge, while there already exist a selectively secure IPVE scheme and an adaptively secure one in the secret-key setting, there is no adaptively secure one in the public-key setting. We present the first IPVE scheme that is adaptively secure in the public-key setting under the decisional linear (DLIN) assumption.
自動車の制御ネットワークとして,広く普及しているCAN(Controller Area Network)に対する脆弱性が指摘されてから,CANの通信を安全にするために様々な研究がなされてきた.従来研究の提案手法では,ルールベースの検知であるため未知の攻撃に対して対策できない.未知の異常や故障を検知するために機械学習を用いた方法が注目されており,ITセキュリティへの応用もされている.本稿では,コネクテッドカーの普及に向けて,クラウドと連携して機械学習を用いた車載ネットワークの異常を検知するシステムのコンセプトを提案する.
近年,自動車に対するサイバー攻撃として,外部ネットワークへの接続機能を持つECUを遠隔から乗っ取り,自動車内部のネットワークへと侵入を図る攻撃事例が報告されている.これまで自動車の制御ネットワークとして,広く採用されているCAN(Controller Area Network)の通信を安全にするためにさまざまな研究がなされてきた.しかし,一旦不正に乗っ取られたECUからCANメッセージを送信される攻撃を想定すると.対策が十分でないのが現状である.このような攻撃による影響を最小限に抑えるために,早期に不正な挙動を示すECUを検知する手法の確立が急務となる.そこで,早期対策の導入に向け,既存のECUへの影響を最小限に抑えるため,CANメッセージの振る舞いに着目し,ECUの正当性を判定する不正ECU検知手法を提案する.
車載ソフトウェアの標準仕様であるAUTOSARにおいて車載パケット認証に関する仕様が公開された。しかしながら、AUTOSARでは、パケット認証に利用するための鍵に関しての言及がなく、自動車を構成する電子制御ユニット(Electronic Control Unit)・自動車の製造工程などのライフサイクルを考慮した鍵管理方法が求められる。そこで本稿では、車載ネットワークに鍵管理を行う装置を設け、その装置から正規のECUを認証した上で、パケット認証に利用する鍵を配信する方式を提案し、パフォーマンス評価を実施する。
2F4-6
Investigation of How to Exploit Software Vulnerabilities on an Automotive Microcontroller and Corresponding Security Measures
○Dennis Kengo Oka(ETAS K.K.)、Lennart Langenhop(ETAS K.K.)、Matthieu Marie-Louise(ETAS K.K.)、Naohide Waguri(FFRI K.K.)、Takahiro Matsuki(FFRI K.K.)
In the past decades, technological development has progressed at an enormous speed. Complex software running on electronic control units (ECUs) in vehicles are controlling not only comfort but also safety-critical functions. Since security of automotive systems can affect safety, it is paramount to understand how attackers could exploit software vulnerabilities of such systems and how to improve security to prevent such attacks. In this paper, we investigate how an attacker could exploit software vulnerabilities running on an automotive microcontroller. The focus is on understanding how an attacker would need to adjust certain attacks to fit the automotive microcontroller architecture and how an attacker could perform new types of attacks targeting specific characteristics of the automotive microcontroller architecture. To demonstrate the feasibility of attacks, we have performed experiments on both an evaluation board and a prototype development ECU. Lastly, we provide recommendations on how to improve the security to prevent attackers from exploiting software vulnerabilities on automotive microcontrollers by following secure coding practices, enabling security features provided by the automotive microcontrollers and performing rigorous security testing.
秘密分散法に対する能動的攻撃(シェア偽造)の検出に関して,シェア間の相関に注目した研究が知られている.改ざん攻撃が検出可能な(k,n)しきい値法に関して中村-山本(2015)は,与えられた相関に対して,シェアサイズとシェア生成に必要な乱数サイズが最適であり改ざん成功確率の指数もほぼ最適となる符号化法を提案したが,その符号化法は Cabello et al.(2002)により既に提案されていることが分かった.そこで本稿では,この符号化法を拡張し,改ざん攻撃が検出可能な(k,L,n)ランプ型しきい値法を提案する.秘密情報がGF(p^m)^L(p は L+1 以上の素数)上の一様分布に従うとき,提案する符号化法は,シェアサイズと乱数サイズに関して最適である.さらに,L
3A1-2
Proactive Secret Image Sharing with Quality and Payload Trade-off in Stego-images
○Angelina Espejel-Trujillo(電気通信大学)、Mitsugu Iwamoto(電気通信大学)
Secret Image Sharing (SIS), in which we can renew stego-images without changing the secret, is proposed. In SIS a secret image is shared among a set of n images called stego-images. Each stego-image is preserved by a participant respectively. In the recovery stage at least k of n stego-images are required in order to obtain the secret image, while k
Web Browser Fingerprintingにおいて,現状,UserAgentやプラグインなどのソフトウエアに関する情報を利用するケースが普及している.しかし,それらは,ブラウザの設定変更や拡張機能の追加により変化する可能性がある.一方,ハードウエアに関する情報は変化しにくいので,Web Browser Fingerprintingにおいて有益な情報となると考えられる.よって,本論文では,CPU拡張機能であるAdvanced Encryption Standard New Instructions (AES-NI)とIntel Turbo Boost Technology (Turbo Boost)の有無を推定する手法を提案し,その実装と評価を行う.
Fingerprinting technique for internal criminal
○栗林 稔(岡山大学)、舩曵信生(岡山大学)
The management of secret data in an organization is not limited to the encryption of the data. Once a ciphertext is decrypted, there is no mechanism for the protection. In this study, we enable a manager to identify the traitor inside of an organization from illegally leaked file. The essential technique is the fingerprinting for encrypted data. When a legal user decrypts a ciphertext using his assigned key, a fingerprinted file is obtained in our proposed system. We present the concept of our idea and discuss the availability.
On the security of hash functions based on the cubic Ramanujan graphs.
◎Hyungrok Jo(Department of Mathematics, Kyushu University)、Tsuyoshi Takagi(IMI, Kyushu University)
Cayley hash functions are efficient and provably secure hash functions constructed from the Cayley graphs of (projective) linear groups. Charles et al. proposed one of Cayley hash functions based on a family of Ramanujan graphs constructed by Lubotzky, Phillips, and Sarnak (LPS for short). Tillich and Zemor found collisions of LPS hash functions by using lifting attacks, and Petit et al. found preimages of those by using the variants of lifting attacks. In this paper, we briefly survey a history of Cayley hash functions and their attacks (mainly, subgroup attack and lifting attack). We construct an analogue of LPS hash functions which is based on cubic Ramanujan graphs which were explicitly contructed by Patrick using a generalization of the families of LPS Ramanujan graphs. We analyze the security of cubic hash functions comparing with LPS hash functions by the brute-force attack and the birthday attack of them.
A probability model for an overdetermined random multivariate polynomial system to have solutions
○Yun-Ju Huang(九州先端科学技術研究所)、Takanori Yasuda(九州先端科学技術研究所)、Xavier Dahan(お茶の水女子大学)、Kouichi Sakurai(九州先端科学技術研究所、九州大学)
In this paper, we describe a random model on polynomial systems to evaluate the probability that an overdetermined multivariate polynomial systems defined over a finite field have rational solutions. Let P be a polynomial ring with n variables over coefficient field Fq. Let S be an overdetermined random multivariate polynomial systems. We show that he probability that S has a rational solution is at most q^{n-m}. Moreover we show that this bound is becoming tight when either q, n or m become large. Experimental computations support this claim.
3E1-3
Post-Quantum Formulation of the Multiple Prime Numbers MPKC and its application to the Organization Cryptosystem
○Shigeo Tsujii(Chuo University)、Ryo Fujita(Chuo University)、Masahito Gotaishi(Chuo University)、Masao Kasahara(Chuo University)
Solving a multivariate polynomial system is the basis of security for the Multivariate Public Key Cryptosystem (MPKC), which is a candidate for the post-quantum cryptosystems. The hardness of solving a multivariate polynomial system depends on a number of parameters, most importantly the number of variables and the degree of the polynomials, as well as the number of equations, the size of the base field etc. Note that this is an NP-hard problem even the degree of the system is two. We then started the MQ-challenge project in April 2015, which may be helpful in providing appropriate parameters for MPKC, and stimulate furthermore the research in solving multivariate polynomial system. In this paper, the recent updates, including the records of each type of challenges, the analysis of the records and the future development of the project would be discussed.
オンラインゲームは,近年最も人気があるゲームの一つとなっている.しかし,このようなゲームにおいて,ゲームボットの使用やリアルマネートレードなどの不正行為が増加している.不正プレイヤーを検出するために,ゲームサーバーからプレイヤーのデータを取得してプレイヤーの特徴を分析する必要がある.しかし,多人数が同時にアクセスするオンラインゲームのサーバーからゲームデータ取得する時,ある程度の欠損やノイズが発生することがある.オンラインゲームに関するプレイヤーの特徴を分析する時,より高い精度を獲得するために,より正確なデータを求める必要がある.この論文では,World of Warcraft Avatar History (WoWAH)データセットをケーススタディとして,関数データ解析を用いて欠損値を復元する方法を提案する.プレイヤーのゲームプレイング時間と達成度の関係を用いて,曲線の当てはめの方法により,欠損値を予測して,ノイズの少ないデータを推測することができた.そして,処理したデータを使ってプレイヤーの分類を行う.
Computational Soundness of Uniformity Properties for Multi-party Computation based on LSSS
○Zhao Hui(Kyushu University)、Sakurai Kouichi(Kyushu University)
We provide a symbolic model for multi-party computation based on linear secret-sharing scheme, and prove that this model is computationally sound: if there is an attack in the computational world, then there is an attack in the symbolic (abstract) model. Our original contribution is that we deal with the uniformity properties, which cannot be described using a single execution trace, while considering an unbounded number of sessions of the protocols in the presence of active and adaptive adversaries.
A Pseudo-Random Number Based Authentication Method in Controller Area Network (CAN)
◎Zhengfan xia(Toshiba R&D Center)、Kawabata Takeshi(Toshiba R&D Center)
Controller Area Network (CAN) has a lack of an authentication mechanism to distinguish CAN nodes. Introduction of traditional cryptography based authentication methods cause processing delay and impose payload penalties, which hardly satisfy the real-time requirement applications such as powertrain part of in-vehicle network. In order to solve the problem, we propose a pseudo-random number based authentication method that realizes real-time rejection of unauthentic message without imposing payload penalties.
近年,走行中の車輌同士の通信にアドホックネットワークを応用したVANET(Vehicular Ad Hoc Network)があり,そこでは,デジタル署名を応用した認証方法が提案されている.しかし,この方法ではPKIによる鍵管理や集中処理のため,膨大な通信遅延が発生する.また,車輌が高速で移動しているため,認証が迅速に終わらなければならない.車輌間の通信では,車輌の速度から経路情報,道路状況など,様々な情報のやり取りを想定しているが,そのすべてに高いセキュリティが求められるわけでない.あらゆる状況に必要以上のセキュリティを実現することは,コストの増加や不要な通信遅延が発生することに繋がり,効率的な通信が実現できず,逆に事故が発生する危険性がある.そこで,本研究ではゲーム理論を用いてVANETにおけるリスクとそれに対するセキュリティを実現するためのコストを評価する.認証時や通信時に暗号化をするか否かを選択する車輌と,その情報を信用するか否かを選択する車輌の2車間で協力ゲームを展開する.その際に,情報の内容や通信環境を定義し,様々な状況におけるセキュリティとコストの関連性を検証することで,VANETに求められるセキュリティレベルを調査する.
汎用PCに加え、家電、自動車など、多種多様な機器がインターネットに接続されるIoT(Internet of Things)時代を控え、機器が得た情報を収集し、その分析結果を利活用する新たなサービスに注目が集まっている。このような用途では、正しい機器から情報が収集されているか、機器が不正に操作されていないかを保証する認証技術が必須となる。従来の認証技術として、TLS(Transport Layer Security)が代表的であるが、機器数が多く、処理・通信性能があまり高くない端末を含むIoTでは、証明書利用による処理・通信量の爆発的増大が課題となる。そこで、本稿では、IDを公開鍵に利用できるIDベース認証機能付き鍵共有技術を利用したTLSを適用し、その実装評価結果を示す。また、本技術のひとつの適用先として、BEMS(Building Energy Management System)向け通信プロトコルIEEE 1888に適用した結果を示す。
We revisit the Groth-Sahai proof system (EUROCRYPT 2008, SIAM Journal of Computing 41(5)), which provides efficient non-interactive witness-indistinguishable and zero-knowledge proof systems for bilinear groups and is a one of important basis of complex cryptographic protocols. We point out and fix problems in randomization of a proof in the original Groth-Sahai proof systems for multiscalar multiplication equations in the symmetric pairing setting based on the decision linear (DLIN) assumption in~\cite[Section~6.3]{GS12:GS-proof} and~\cite[Section~10]{GS12:GS-proof}, which we call GS1 and GS2, respectively. Formally speaking, we disprove their witness-indistinguishability as follows: * (GS1~\cite[Section~6.3]{GS12:GS-proof}) We disprove \emph{perfect witness-indistinguishability with a hiding common reference string (composable witness-indistinguishability)} by giving a concrete attack; * (GS2~\cite[Section~10]{GS12:GS-proof}) We disprove \emph{computational witness-indistinguishability} by giving another concrete attack. We give a fix of randomization of the proofs and discuss the effect of the above attacks; for example, we can disprove some of non-interactive zero-knowledge proof systems for paring product equations are not perfect zero-knowledge with a hiding CRS (composable zero-knowledge), since they employ the non-interactive witness-indistinguishable proof system for multiscalar multiplication equations.
Offline e-Voting System for Electoral Process Transparency
○Nasratullah Ghafoori(Kobe Institute of Computing)、Hisato Shima(Kobe Institute of Computing)、Marie Goretti KABERA(Kobe Institute of Computing)、Sayed Ahmad Naweed Sayedzada(Kobe Institute of Computing)
Today many countries around the world are implementing the paper based election to demonstrate their democracy and to set up the fate of their countries. Despite the paper based election success still it is threaten by some problems and fraud which are affecting the transparency and success of an election. With the revolution of technology and its success in recent years many countries implemented online electronic voting to empower their e-governance. Although, the solutions are working for the countries with high level of ICT infrastructure and cyber security protection against harmful activities. In countries with low level of ICT infrastructure the unstable ICT base is the main obstacle toward the implementation of online electronic voting. This paper will introduce a new offline electronic voting system, where the citizens in countries with low level of ICT groundwork can vote electronically. The national electronic ID card or national electronic election card is forming the foundation of this research. The voter anonymity, reliability, vote’s ballots security, the user identity and preventing the fraud during election are the main challenges which would be addressed during this research paper.
自動車の車内ネットワークであるCAN(Controller Area Network) は攻撃に対して脆弱であることが知られている.従ってCAN では早急に攻撃を検知する必要がある,これに対し,攻撃を検知するための各種手法が提案されている.一方,攻撃を検知した後で,どのように自動車を制御すればよいかという別の課題も存在する.この課題については著者の知る範囲において,有効な解決策は提案されていない.我々は,攻撃検知後に攻撃の影響を受けない時間が数十秒程度あれば,路肩等に安全に自動車を停車することが可能であると考えた.本論文では,攻撃を検知した後で数十秒間の間,安全に自動車を操作可能にするための手法を提案する.
近年の自動車は,Internet接続機能やスマートフォン,診断用ポートなどを介して車両外部のネットワークと接続している.これに伴い,車両外部のネットワークを介して,車両内部のネットワークへ侵入し,制御ネットワークであるCAN(Controller Area Network)の脆弱性を利用することで,車両を不正に制御する攻撃事例が複数報告されている.このような脅威に対しては,車両内外のネットワークを接続する車載ゲートウェイにおいて,セキュリティ対策を導入することが重要となる.本稿では,CANにおける不正検知技術として,車載ゲートウェイにおける多層連携CANフィルタを提案し,本手法に対して,既知の攻撃に対する攻撃耐性・処理性能の面から評価を行った.さらに,既知の攻撃のみでなく,正常な制御メッセージとの判別が難しい高度な攻撃に対応するために,CANフィルタの検知精度改善手法についても提案する.
Multi-Party Secure Computation Based on Linear Codes
◎Kejia Sheng(埼玉大学大学院理工学研究科)、Takeshi Koshiba(埼玉大学大学院理工学研究科)
We propose a secure multi-party computation(MPC) against adversarial majority, both for semi-honest and malicious adversaries. Our protocol can also be secure when there are adversaries before the pre-processing phase. Our protocol is based on linear codes and in the protocol, every participant does the same thing in the same phase, so that it will not need to insure any honest participant.
生体認証技術の一つとして,継続的に認証でき,かつ,偽造耐性に強い眼球運動(Eye Movement)を用いた方式に関する研究開発が盛んに行われている.眼球運動を利用することで,利用者がディスプレイを見ている限り,認証に必要な作業を意識させずに認証処理を実施することが可能となる.しかし依然として識別精度が不十分であり,有用な特徴量の創出が最大の課題となっている.そこで本稿では,従来技術で有用とされるメル周波数ケプストラムを補完する位相ベースの新特徴量について提案する.その結果,最新のEye Movement コンペティションであるBioEye2015 のデータセットにて評価したところ,最良の条件下において,従来技術のみでは識別率が61%であったものを新特徴量と融合することで82%に向上することができた.
4C1-3
Deep Learningを用いたバイオメトリクス認証に関する基礎的検討
○伊藤 康一(東北大学)、青木 孝文(東北大学)
現在,さまざまな分野においてDeep Learning(深層学習)を用いることで,これまでにない性能を達成することが報告されている.特に,画像認識や音声認識では,従来提案されている手法をはるかに凌駕する性能を達成している.バイオメトリクスの分野では,顔認証に適用され,Deep Learning を用いて学習された特徴量を使うことで,人間以上の精度で顔を認証できることが示されている.そこで,本論文では,顔認証以外のモダリティにおける Deep Learning の適用について基礎的な検討を行う.その中で,特に,学習に必要となる大規模なデータの生成について検討する.
Using Monitoring Capabilities to Improve Fuzz Testing over CAN
◎Keisuke Hirata(Etas)、Dennis Kengo Oka(Etas)、Camille Vuillaume(Etas)
In recent years, huge advancements in technology have been made in the automotive industry. As new functionalities and new use cases are added to the vehicles, the software running on electrical control units (ECU) is becoming more and more complex. This growth of complexity has also increased the difficulty and the need for not only functional testing, but also security testing. Fuzzing is a testing technique which is now popular in the IT industry for discovering security vulnerabilities. Most of the time, fuzz testing is performed with a black box approach of the system under test. However, for ECUs, this approach may lack access to enough information for efficiently detecting a vulnerability. In this paper, we propose improvements for fuzzing over the CAN procotol by adding monitoring functionalities of ECUs. We describe a prototype tool that we have implemented and that can integrate these functionalities . Finally, we show how these improvements can be effectively used and we discuss about the relevancy of the additional information that can be gained.
4F1-4
A Countermeasure against Spoofing and DoS Attacks based on Message Sequence and Temporary ID in CAN
◎Soohyun Ahn(KAIST)、Hakju Kim(KAIST)、Jeseong Jeong(KAIST)、Kwangjo Kim(KAIST)
The Development of Information and Communications Technologies (ICT) affected a various fields and it also affected automotive field. Due to this effect, vehicle network protocol such as Controller Area Network (CAN), Local Interconnect Network (LIN), FlexRay were introduced. Although CAN that is one of the vehicle network protocol has been widely used, its security is very vulnerable. To solve this problem, some security solution in CAN has been suggested, but these ideas have problems. In this paper, a security gateway that modified existing gateway in CAN is suggested for defence against spoofing and DoS attack. In case of spoofing attack, it is defended by using sequence of messages based on driver's behavior. By making a table that stores sequence of messages based on driver's behavior, spoofing attack can be detected and whether message is attack or not is determined through verification process using SipHash. Also, a temporal ID using seed and SipHash is used for defending DoS attack. For the verification of our proposed idea, OMNeT++ which is one of the network simulator is used. The suggested idea shows high detection rate and low increase of traffic. Also, in case of DoS attack, suggested idea shows that DoS attack is no effect by analyzing frame drop rate.
Universal Composablity of Uniformity Properties for Multi-party Computation
○Zhao Hui(kyushu University)、Sakurai Kouichi(kyushu University)
Many security properties are naturally expressed as indistinguishability between two versions of a protocol. In this paper, we show how to securely realize uniformity properties for any two-party and multi-party functionality in a universally composable way, regardless of the number of corrupted participants. That is, our protocols allow any subset of the parties (with pairs of parties being a special case) to securely realize any desired functionality of their local inputs, and be guaranteed that uniformity properties is preserved regardless of the activity in the rest of the network. This implies that security is preserved under concurrent composition of an unbounded number of protocol executions.
Statically detecting vulnerability under memory pressure using exhaustive search
○Ruo Ando(National Institute of Information and Communications Technology)
Recently, program code deployed in mission-critical systems is growing drastically, which imposes a great burden on vulnerability analysts. Unfortunately, large scale program often makes it impossible for them to insect target system without oversights based on human errors. In this paper we propose an method for exhaustible search using LALR parser based vulnerability formulation. In proposed system, vulnerable implementation is represented by context-free grammar and translated into LR(1) parsing program. Besides, for achieving scalability, we adopt high performance NoSQL data store for handling information such as line number (location), file name and caller function name. By doing this, we can inspect program code with exhaustive search which enables us to make assure the existence or non-existence vulnerability under inspection in target program. In experiment, we cope with use-after-free vulnerability under memory pressure in Xen hypervisor such as CVE-2013-4371 and CVE-2014-1950. Proposed system can detect the iteration with "for" annotation with improper loop conditions. It is shown that proposed system can detect the vulnerability by exhaustive path and loop search with reasonable computing time.
An efficient slab encryption using extended SASL protocol
○Ruo Ando(National Institute of Information and Communications Technology)
Slab allocator is a mechanism recently adopted in Linux kernel and distributed object caching system. Unfortunately, slab allocator is its own subsystem for handling chunks (memory fragments), which is not compatible for conventional data protection utilities such as (on-memory) file system encryption libraries. Besides, Slab allocator is not efficient to work with generic crypto libraries partly because transaction is asynchronous, driven by many callback routines and sometimes avoids consistency under high query pressure. As a result, caching layer tends to be complicated to manage, which sometimes causes information leakage. In this paper we propose an endpoint protocol extension for efficient slab encryption. We have implemented our method on Memcached which is widely-used distributed object caching system. In proposed method, SASL (Simple Authentication and Security Layer) protocol is extended for adding function of key-exchange. Then, we inserted stream cipher routine into item manipulation point of object caching system. Our method is file-system or generic crypto library independent, which makes it possible to protect slab data with stream cipher with reasonable resource utilization.
Fault attacks to elliptic curve cryptosystems with definition equation errors
◎林 弘悦(中央大学大学院)、趙 晋輝(中央大学)
In this paper we propose a new fault attack to elliptic curve cryptography systems under assumption that the parameters in the definition equation of the curve have certain faults. The attack algorithm transfers the base point and its scalar multiplication by the secrete key to one of two invalid curves, which are quadratic twist curves with each other. The ECDLP is then solved on the rational point groups of these two curves of which the orders contain small prime factors with high probability, using CRT or Polig-Hellman algorithm and Pollard's rho method. The proposed attack improved success probability of the original attack with parameter faults by Ciet and Joye and is also compared with the attack using twist curves on base point faults by Fouque et. al..
素数体 F_p 上の楕円曲線 E に対し、Icart関数 f: F_p -> E(F_p) の像は E(F_p) の点の約8分の5からなる。結果として、F_p のランダムな元の f による像と E(F_p) 上のランダムな点を識別するのが容易である。同様に、F_p のランダムな元 u の f による像のx座標 x(f(u)) が一様ランダムとは識別しやすい。一方、Farashahiらが x(f(u)) の半分弱の最下位ビットは同長の一様ビット列とは識別不可能であると証明した。つまり、 x(f(u)) の全てのビットが与えられれば一様ランダムとは識別できるが、半分以下のビットが与えられれば識別できなくなる。どの割合が与えられれば識別できるかという自然なオープンプロブレムにつながる。本発表では、 x(f(u)) の最下位ビットの1-εの割合が与えられても一様ランダムなビット列とは識別不可能と証明する。また、その結果をx座標以外の有理関数とIcart関数以外の楕円曲線符号化関数にも一般化する。
4D2-5
ECM over dummy quadratic residue rings
◎Takuya Morishita(Graduate School of Science and Engineering, Chuo University)、Jinhui Chao(Faculty of Science and Engineering, Chuo University)
Elliptic curves defined over the rational field with large torsion group and positive rank have been used in ECM to achieve higher probability of factoring. Since it is known that elliptic curves over number fields of higher degree such as quadratic fields have larger torsion groups, it is tempting to use such curves in ECM. However, such attempts haven’t been succeeded for random composite numbers until now. This is due to certain properties the number fields, for random composite numbers, the torsion group of an elliptic curve over the number field will disappear on the integer residue ring modulo the composite number. In this paper, based on analysis on prime ideal decomposition and reduction of a quadratic field and the curve defined over it modulo a prime ideal, we propose an extension of ECM for factoring to use elliptic curves over quadratic fields which have larger torsion groups. We calculate the group operation of the elliptic curves not in the residue ring modulo the composite number but over a dummy quadratic extension of the residue ring. Therefore, we can preserve the torsion group over the quadratic fields for arbitrary composite numbers. The method is shown to be able to improve the performance of ECM using Suyama family by simulation experiments.