Integral and Impossible Differential Attacks on the Reduced-Round Lesamnta-LW-BC
◎Rentaro Shiba(University of Hyogo)、Kosei Sakamoto(University of Hyogo)、Fukang Liu(University of Hyogo / East China Normal University)、Kazuhiko Minematsu(NEC Corporation)、Takanori Isobe(University of Hyogo)
Lesamnta-LW-BC is the internal block cipher of the Lesamnta-LW lightweight hash function, specified in ISO/IEC 29192-5:2016. It is based on an unbalanced Feistel network and the AES round function. In this paper, we evaluate the security of Lesamnta-LW-BC against integral and impossible differential attacks. Specifically, we searched for integral distinguishers and impossible differentials with MILP-based methods. As a result, the discovered impossible differential can reach up to 21 rounds, while three integral distinguishers reaching 18, 19, and 25 rounds are obtained, respectively. Moreover, it is also feasible to construct a 47-round integral distinguisher in the known-key setting. Finally, we propose a 20-round key-recovery attack based on the discovered 18-round integral distinguisher and a 19-round key-recovery attack using a 17-round impossible differential. To the best of our knowledge, this is the first third-party cryptanalysis of Lesamnta-LW-BC.
Deep learning based Android malware detection with obfuscation classifier
○JUNJI WU (Graduate School of Science and Engineering, Hosei University)、Atsushi Kanai (Graduate School of Science and Engineering, Hosei University)
With the development of the Android system, a large number of apps have been published. However, many malicious apps hide inside normal apps, which requires a reliable Android malware detector. In the last few years, deep learning has been applied to Android malware detection. Some features and raw data are chosen as input to these deep learning models. But with the use of some obfuscation technologies, some of the selected features or data may lose valuable information, which affects the accuracy of the model. In addition to accuracy, the false positive rate (FPR) is also important. Malicious apps that pass malware detection may be installed by users. In our study, we try to take advantage of obfuscation information. We build a deep learning model based on existing research as a basic model and then add a classifier that distinguishes whether the app is obfuscated or not. Our experiments show that, compared to the basic model, the model with the obfuscation classifier can improve the accuracy and significantly reduce the false positive rate with certain parameters. On our dataset, the model with the obfuscation classifier achieves up to 97.6% accuracy with a 0.89% false positive rate, while the basic model only achieves up to 96.8% accuracy with a 1.81% false positive rate.
Discussion of digital currencies for settling payments over the network is intensifying. The Chinese government began experiments with a digital renminbi last year, and in Japan private financial institutions and others are planning experiments this fiscal year. Furthermore, momentum is building for the currencies issued by each country's central bank to be digitized as CBDC (Central Bank Digital Currency). Digital currency is expected to raise financial convenience in social life, but the risks of cyber attacks and privacy violations are also a concern. This paper targets central bank digital currency and proposes, as a means of solving the anticipated security issues, the use of serial numbers together with a blockchain-based management system. In the proposal, serial numbers, which conventionally are printed only on banknotes, are used uniformly as identification information for all currency, and their circulation is managed by a blockchain. In addition, the serial numbers (currency units) in use are given an expiration date, which makes the anonymity and traceability of currency use controllable. Furthermore, we estimate the data size and network scale handled by the proposal and show that it is sufficiently practical.
Recent vehicles need to carry many sensors to realize autonomous driving, and the introduction of Ethernet is accelerating in order to widen the bandwidth of in-vehicle networks. On the other hand, in vehicles whose electronic control is becoming more sophisticated, the danger of cyber attacks is increasing, and vehicle type approval under WP.29 UNR155, which is being developed at UNECE, requires organizations and vehicles to have a mechanism for recovering from cyber attacks. This mechanism needs to detect the occurrence of a cyber attack. In this paper, we apply an anomaly detection method effective for such detection to the monitoring of the periodicity of communication services in the in-vehicle protocol Scalable service-Oriented MiddlewarE over IP (SOME/IP). As a result of experiments, we confirmed the effectiveness of the proposed method in detecting cyber attacks carried out against messages transmitted in multiple packets, and we report on it here.
With the development of semiconductor and communication technologies, electronic devices have penetrated deeply into our lives. Furthermore, in recent years, IoT (Internet of Things) technology, which connects these devices to networks, has attracted attention. Because IoT devices can be operated over the network, they are highly convenient, but they can also become targets of attacks by malicious third parties. Therefore, how to detect attacks by third parties has become an issue. In this paper, we focus on the power consumption waveform of a device and propose a method for detecting attacks by third parties by applying LOF (Local Outlier Factor). The proposed method recognizes the operating state of the monitored device and detects rarely occurring abnormal operations by clustering the power consumption waveforms with LOF. As the abnormal operation, we implemented AES encryption on an Arduino Uno in which the key length is occasionally changed, and applied the detection method. As a result, the implemented normal and abnormal operations were detected successfully.
2B1-4
Zero Trust Security Model for Modern Supply Chain Towards Society 5.0
○Haibo Zhang(Department of Informatics, Kyushu University)、Kouichi Sakurai(Department of Informatics, Kyushu University)
Supply chain 4.0 was coined with the emergence of Industry 4.0 systems, which come with more diversity, opportunities and challenges. Industry 4.0 considers a separation between humans and machines, and ignores connections between advanced technologies and human thought. To better extract all the benefits from both humans and machines, more research is moving toward Society 5.0. A supply chain under Society 5.0 will become more intelligent, more flexible, and more collaborative with its participants. In this paper, we discuss applying trust methodology to supply chain 4.0 to better enhance the security level within a trustworthy environment. We first analyze existing security vulnerabilities and cyber threats in modern supply chains, especially those arising from the embedding of information technologies such as the internet of things, RFID technology, cloud computing, edge computing, blockchain technology and more. We then introduce the application of the zero trust security model to supply chain systems working simultaneously with blockchain, and several related works. Finally, we provide further thoughts on how researchers can advance this research topic by solving existing security issues and moving toward more promising directions.
Trust as a Service (TaaS): Guaranteeing the Authenticity of Digital Data Exchanged between Companies
○Yosuke Nakamura (Fujitsu Laboratories Ltd.)、Rikuma Kojima (Fujitsu Laboratories Ltd.)、Tadanobu Tsunoda (Fujitsu Laboratories Ltd.)、Koichi Yasaki (Fujitsu Laboratories Ltd.)、Dai Yamamoto (Fujitsu Laboratories Ltd.)、Kazuaki Nimura (Fujitsu Laboratories Ltd.)
In the new normal, guaranteeing the authenticity of digital data exchanged between companies becomes important. Digital signatures are one means of guaranteeing data authenticity, but they burden users, for instance with strict management of private keys and with having to use different cloud services depending on the business or trading partner. This paper therefore proposes Trust as a Service (TaaS), a technology that guarantees data authenticity by mediating between the user's client terminal and the cloud services used in daily work and automatically attaching a per-individual digital signature to digital data, without changing the user interface of the cloud services.
2C1-2
An Efficient User Authentication Method Using Cloud Services: Transparent Trust Provision in Trust as a Service
○Koichi Yasaki (Fujitsu Laboratories Ltd.)、Yosuke Nakamura (Fujitsu Laboratories Ltd.)、Tadanobu Tsunoda (Fujitsu Laboratories Ltd.)、Rikuma Kojima (Fujitsu Laboratories Ltd.)、Dai Yamamoto (Fujitsu Laboratories Ltd.)、Kazuaki Nimura (Fujitsu Laboratories Ltd.)
With the spread of telework, the legitimacy of data that could previously be guaranteed has been lost, and an increase in fraud cases is feared as a result. By introducing TaaS (Trust as a Service), meta-information such as signatures can be embedded in data without effort, restoring the lost trust to the data. To realize this, user authentication must be performed without increasing the user's burden, and this proposal presents a method that solves this problem.
2C1-3
Multi-signatures Supporting Signing of Multiple Messages and Sequential Key Aggregation: Business Process Assurance in Trust as a Service 1
◎Rikuma Kojima (Fujitsu Laboratories Ltd.)、Dai Yamamoto (Fujitsu Laboratories Ltd.)、Koichi Yasaki (Fujitsu Laboratories Ltd.)、Yosuke Nakamura (Fujitsu Laboratories Ltd.)、Tadanobu Tsunoda (Fujitsu Laboratories Ltd.)、Kazuaki Nimura (Fujitsu Laboratories Ltd.)
The multi-signature scheme proposed by Maxwell et al. added the function of aggregating verification keys in addition to aggregating signatures. However, their proposal does not support verification with an aggregated verification key for multi-signatures on multiple messages. In this paper, assuming use in Trust as a Service, we propose a multi-signature scheme that supports both signing of multiple messages and key aggregation, and a sequential key aggregation that solves the problem of key updates.
2C1-4
A Business Process Execution Proof Scheme Using Chameleon Hashes: Business Process Assurance in Trust as a Service 2
○Tadanobu Tsunoda (Fujitsu Laboratories Ltd.)、Kazuaki Nimura (Fujitsu Laboratories Ltd.)、Dai Yamamoto (Fujitsu Laboratories Ltd.)、Koichi Yasaki (Fujitsu Laboratories Ltd.)、Rikuma Kojima (Fujitsu Laboratories Ltd.)、Yosuke Nakamura (Fujitsu Laboratories Ltd.)
This paper takes up electronic contract services as one use scenario of TaaS (Trust as a Service). We propose a business process assurance function for making electronic contract services highly trustworthy. The proposed method, through a business process verification scheme using chameleon hashes, proves that the sequence of operations from creation of a business document to its signing was executed by the person in question, making it possible to demonstrate the authenticity of documents in accordance with the legal interpretation of electronic signatures in electronic contract services.
The security of blockchain-based decentralized ledgers relies on consensus protocols executed between mutually distrustful parties. Such protocols incur delays which severely limit the throughput of such ledgers. Payment and state channels enable the execution of off-chain protocols that allow interaction between parties without involving the consensus protocol. Protocols such as Hashed Timelock Contracts (HTLC) and Sprites (FC'19) connect channels into Payment Channel Networks (PCN), allowing payments across a path of payment channels. Such a payment requires each party to lock away funds for an amount of time. The product of funds and locktime is the collateral of the party, i.e., their opportunity cost of forwarding a payment. In the case of HTLC, the locktime is linear in the length of the path, making the total collateral invested across the path quadratic in its length. Sprites improved on this by reducing the locktime to a constant by utilizing smart contracts. We propose the Payment Trees protocol, which allows payments across a PCN with linear total collateral without the aid of smart contracts. It achieves performance competitive with Sprites while remaining compatible with Bitcoin.
Smart contracts face issues such as fees arising from gas consumption at execution time and high latency until transaction approval on the P2P network. Recently, Ekiden, a hybrid technology applying TEEs to blockchains, has been proposed to address these issues. The method proposed by Raymond et al. executes smart contracts inside a TEE, reducing the total amount of computation and succeeding in reducing gas fees and lowering latency. It is important to rethink the execution architecture of smart contracts and expand the total volume of smart contracts that can be executed across the entire blockchain. To this end, Ekiden introduces trusted tamper-resistant devices and succeeds in greatly expanding the total volume of executable smart contracts. However, because blockchain fragments are used as the proof that the internal state of the TEE has been included in the blockchain, confirmation takes a long time. In this paper, we assume as tamper-resistant devices a TEE and a GlobalPlatform-compliant secure element (SE) available in smartphones, introduce an optimistic approach to reflecting the SE state onto the blockchain, and consider a protocol that greatly shortens the time required for the proof and can execute smart contracts quickly offline.
Card-based Cryptographic Protocols Using Private Operations Against Malicious Players
○Yoshifumi Manabe(Kogakuin University)、Hibiki Ono(Kogakuin University)
This paper shows new card-based cryptographic protocols using private operations that are secure against malicious players. Physical cards are used in card-based cryptographic protocols instead of computers. Operations that a player executes in a place where the other players cannot see are called private operations. Using several private operations, calculations of two-variable Boolean functions and copy operations were realized with the minimum number of cards. Though private operations are very powerful in card-based cryptographic protocols, there is a problem that it is very hard to prevent malicious actions during private operations. Though most card-based protocols are discussed in the semi-honest model, there might be cases where the semi-honest model is not enough. Thus, this paper shows new protocols that are secure against malicious players. We show logical XOR, logical AND, and copy protocols, since we can execute any logical computation with a combination of these protocols. We use envelopes as an additional tool that can be easily prepared and used by people.
Revisiting an improvement to the quaternion analogue of the l-isogeny path problems
◎Jo Hyungrok(University of Tsukuba)
The l-isogeny path problems and their variants are considered the underlying hard problems of isogeny-based cryptography, one of the main candidates in post-quantum cryptography. At ANTS2014, Kohel, Lauter, Petit, and Tignol presented a probabilistic polynomial-time algorithm (in short, the KLPT algorithm) for a mirror side of the l-isogeny path problems in terms of quaternion algebras under the Deuring correspondence. We revisit the improved work of Petit and Smith at MathCrypt2018, which applied the solution of the Closest Vector Problem (CVP) to the strong approximation in the main step of the KLPT algorithm. This approach minimizes the norm of target elements in an extremal order of the underlying quaternion algebra, which makes Cornacchia's algorithm efficient in the strong approximation step. Even though this generalized KLPT algorithm by Petit and Smith is used in SQISign, proposed at ASIACRYPT2020, their work is accessible only in the form of presentation slides, which provide limited descriptions of the algorithms. We reconstruct the improvements to the quaternion analogue of the l-isogeny path problems specifically, and also suggest some open problems for improving the algorithms using recent CVP results.
In the past 30 years, lattice reduction has proved to be a powerful tool of public-key cryptanalysis. Since the advent of the Hidden Number Problem, there has been an extensive study of lattice attacks on (EC)DSA with nonce leakage. For 160-bit (EC)DSA with 3-bit leakage (or more), the standard lattice attack works well. However, for 2-bit (or 1-bit) leakage, it becomes much more difficult because the lattice point that we want to find is not very close to the target point. In 2013, Liu and Nguyen attacked 160-bit DSA with 2-bit leakage using BKZ 2.0 with block size 90 and pruning techniques for BDD enumeration. In this paper, we propose an alternative approach to tackle the 2-bit leakage case using BKZ with a block size of only 30. The key idea is to guess one more bit for some of the signatures, thus constructing a hybrid lattice. This approach grasps the essence of the problem in the sense that it makes the target point closer to the lattice. With this method, we are able to attack the 2-bit leakage case within $2^{24}$ BKZ-30 operations (on a 90-dimensional lattice). Besides, we are the first to show that even for 1-bit nonce leakage, the lattice attack still works, with high time complexity ($2^{110}$ BKZ-30 operations on a 90-dimensional lattice). Furthermore, our approach is parallelizable, so we can recover the secret key in a short time given a reasonable number of cores.
Yoroi: Updatable Whitebox Cryptography
◎Yuji Koike(University of Hyogo)、Takanori Isobe(University of Hyogo)
Whitebox cryptography aims to provide security in the whitebox setting, where the adversary has unlimited access to the implementation and its environment. In order to ensure security in the whitebox setting, it should prevent key extraction attacks and code lifting attacks, in which the adversary steals the original cryptographic implementation instead of the key and utilizes it as a big key. Although recently published ciphers such as SPACE, SPNbox, and Whiteblock successfully achieve security against key extraction attacks, they only provide mitigation of the code lifting attack by the so-called space hardness and incompressibility properties of the underlying tables, as the space-hard/incompressible table is eventually stolen by continuous leakage. In this paper, we introduce a new property, denominated longevity, for whitebox cryptography. This property enhances security against code lifting attacks with continuous leakage by updating incompressible tables instead of the secret key. We propose a family of new whitebox-secure block ciphers, Yoroi, that has the longevity property on top of space hardness. By updating its implementation within the proper period, Yoroi provides constant security against code lifting attacks without key updating. Moreover, the performance of Yoroi is very competitive with existing cipher implementations in both the blackbox and whitebox context.
We consider lazy users in non-committed-format card-based cryptography. The best-known non-committed-format card-based protocol, the Five card trick, is a two-party secure computation protocol that computes the AND of binary values a and b input by the two users. Each participating user holds one red card and one black card, and the protocol uses five cards, with one extra red card placed on the table. After the binary values are input, the processing is completed by a random cut alone (a random cyclic permutation, each shift with probability 1/5), making it a simple protocol; to obtain the final result, all five cards are revealed, and when three red cards are adjacent, the participants and any bystanders can read off that a AND b = 1.
How would a lazy person view this sequence of steps? In the Five card trick, after the random cut of the five cards, all the cards are laid out and revealed, but for someone utterly worn out even this task becomes a chore. Moreover, instead of re-arranging the stacked cards after the random cut and turning them face up, performing a "spread", the operation magicians use of turning the deck face up and fanning it out neatly sideways, would be simpler, but it is undesirable because it looks as though some trick has been played.
In this paper, we examine whether the result can be determined by revealing only some of the cards from the stacked state. For example, in the Five card trick, the result cannot be determined with certainty by revealing three cards at once, but with sequential revealing, the final result can be read after revealing three cards. Furthermore, we introduce an implementation example in the Six card trick in which this idea of "partial revealing" is effective, and its benefits.
Algorithms such as LLL and DeepLLL have been used to reduce lattice bases, and PotLLL (Fontein et al., 2014) and S2LLL (Yasuda and Yamaguchi, 2019) were devised as polynomial-time alternatives to DeepLLL. For PotLLL and S2LLL, the computational complexity has been evaluated when the parameter δ is less than 1, but for δ = 1, where the output is guaranteed to be more reduced, not even termination had been shown. We therefore show that for δ = 1 these algorithms terminate in a finite number of steps. Using this proof, we also show that the computational complexity of 1-DeepLLL, 1-PotLLL, and 1-S2LLL is bounded by (Mn)^O(n^2)/vol(L)^n, where M is the maximum Euclidean norm of the basis vectors of the full-rank lattice, n is the dimension, and vol(L) is the volume of the lattice.
Advanced attack techniques such as targeted attacks and zero-day attacks are difficult to prevent with conventional defense technologies known as perimeter defense. Research is therefore progressing on deceptive defense systems that protect the internal network environment by deceiving attackers after they have succeeded in intruding into the network. Since all kinds of devices are connected to networks and the traffic volume of individual network devices has also increased, deceptive defense systems will be expected in the future to be usable effectively in large-scale corporate networks and IoT networks with heavy traffic. To this end, building a system that can process packets at high speed, efficiently, and flexibly is essential. In this research, we designed and implemented Loki, a deceptive defense system, using eXpress Data Path (XDP) provided by Linux and Software Defined Networking (SDN). The use of XDP and SDN technologies makes it possible to provide a fast and flexible system in diverse networks. In this paper, we describe the design of Loki and report a comparison with existing research and a performance evaluation of response time when the system is applied.
Pushing the Limits of Simple Electromagnetic Analysis Against Similar Activation Functions
◎Go Takatoi(University of Electro-Communications)、Takeshi Sugawara(University of Electro-Communications)、Kazuo Sakiyama(University of Electro-Communications)、Yuko Hara-Azumi(Tokyo Institute of Technology)、Yang Li(University of Electro-Communications)
Artificial intelligence (AI) is progressing rapidly to fit a wide range of applications, and edge AI has been researched intensively. Actual microchips can leak sensitive information through physical information such as electromagnetic (EM) emanations. Since edge AI is deployed close to the device and the user, such information leakage makes it a vulnerable target for physical attacks. As selecting appropriate activation functions to enable fast training of accurate deep neural networks is an active area of research, it is important to conceal the information about the activation functions used in a neural network architecture. In our previous work, we investigated how to retrieve an activation function in a neural network implemented on an edge device by using simple electromagnetic analysis (SEMA). Here, we further investigate the limits of the SEMA attack, using activation functions that are similar to the functions in the previous work. By doing so, we observe the relation between the operations and the EM traces, and disclose what the SEMA attack can and cannot do to prove the versatility of our method. We consider the multilayer perceptron as our target machine learning architecture, and assume an attacker capable of measuring side-channel leakages, in this case EM emanations. Our evaluations were done on an Arduino Uno microcontroller, and high-quality measurements were achieved.
LPWA (Low Power Wide Area) networks are a communication method that realizes long-distance communication with low power consumption, and they are attracting attention as a way to keep communication going even during disasters, with battery-powered IoT devices as nodes. This paper examines a distributed ledger scheme for robustly sharing data on such networks. Schemes such as the Proof of Work used in Bitcoin and PBFT with a limited number of nodes are known, but battery-powered nodes have power consumption problems. Moreover, these schemes assume 1:1 communication between nodes, which makes the protocols complex in some respects. The proposed scheme exploits the broadcast nature of wireless communication, which transmits simultaneously to an unspecified number of recipients, to reduce the number of message transmissions and receptions and the amount of processing.
2E3-4
ASIC-Resistant Proof of Work Based on Cascade Block Ciphers
◎Takaki Asanuma (University of Hyogo)、Takanori Isobe (University of Hyogo)
Hashcash, which is the Proof of Work (PoW) of Bitcoin, is based on a preimage problem of the hash functions SHA-2 and RIPEMD. Since these hash functions employ the Merkle-Damgard (MD) construction, a preimage can be found with negligible memory. Since such calculations can be sped up by ASICs, it might cause the so-called 51% attack. To address this issue, Asanuma and Isobe recently proposed a new PoW in which the underlying hash functions of Hashcash are replaced by SHA-3. This scheme requires a lot of memory to efficiently solve the problem because of the sponge structure with properly chosen parameters. However, it cannot flexibly adjust the required time and memory complexity of the PoW. In this paper, we propose a new PoW scheme based on a key recovery problem of cascade block ciphers. By choosing appropriate parameters such as the block sizes and key sizes of the underlying block ciphers, we can fully control the time complexity and memory complexity required to efficiently solve the problem. In particular, the required memory and time complexity are tunable independently according to requirements that depend on target applications and the progress of computational power.
2E3-5
Consensus Based on Proof-of-Optimal-Work and Its Application to Transactive Energy Systems
◎Xiangyu Su(Tokyo Institute of Technology.)、Xavier Defago(Tokyo Institute of Technology.)、Ryoma Fujimoto(Tokyo Institute of Technology.)、Hiroki Konaka(Mitsubishi Electric.)、Mario Larangeira(IOHK., Tokyo Institute of Technology.)、Kazuyuki Mori(Mitsubishi Electric.)、Takuya Oda(Tokyo Institute of Technology.)、Yuta Okumura(Mitsubishi Electric.)、Yasumasa Tamura(Tokyo Institute of Technology.)、Keisuke Tanaka(Tokyo Institute of Technology.)
Transactive energy systems aim to provide efficient, stable, and secure electricity distribution for communities and cities. In 2008, Satoshi Nakamoto proposed the innovative blockchain-based Bitcoin system. One way to implement transactive energy systems is to rely on smart contract capabilities, like the ones offered by the Ethereum protocol. Although such integration attracts much attention, the proposed systems suffer from high maintenance fees. Also, the unique characteristics of transactive energy systems are not taken into account. In this work, we introduce a novel approach for general auction-like markets, which embeds the energy systems' characteristics into the consensus/blockchain design. More concretely, we first revisit the blockchain data structure and propose a proof-of-optimal-work scheme that implements consensus alongside traditional Byzantine fault tolerant algorithms. In our design, the system dynamics are incorporated into the main design, i.e., consensus is achieved by matching bids of energy prices. Our blockchain serves as an accounting book for the market. Finally, we show that our system is a more efficient application to transactive energy systems since it naturally avoids the high fees for running smart contracts.
Many intrusion detection algorithms have been proposed for the Controller Area Network (CAN) protocol widely adopted in automotive electronic control systems. On the other hand, the attack methods targeted by the proposed algorithms have not been widely discussed. In this paper, we classify attack methods against CAN and evaluate the detection performance of intrusion detection algorithms against each method, thereby clarifying the suitability of the algorithms. Furthermore, by classifying the risk of the attack methods, we discuss design guidelines for combining algorithms according to risk tolerance.
Intelligent Impact Assessment for Product Security Incident Response Team in the Automotive Industry
◎Yiwen Chen(Hitachi Ltd.)、Hiroki Yamazaki(Hitachi Ltd.)、Makoto Kayashima(Hitachi Ltd.)
With the standard ISO/SAE 21434 addressing the requirement for an incident response plan, the establishment of a product security incident response team (PSIRT) has become a mandatory solution for automotive OEMs to maintain security in the operational environment. A PSIRT actively discovers potential vulnerabilities by executing an impact assessment on information obtained not only from associated information sharing centers but also from public web sources. The impact range is specified by analyzing potential attack paths depending on the configuration of the proprietary product. Our study provides an intelligent system to tackle the problem of limited human resources inside a PSIRT caused by the high degree of specialization required in both the security and the product field. Our system recognizes product- and security-related entities by applying natural language processing to the textual contents, which helps specify the attack path. According to the attack paths, our system compares the attack path with the proprietary product to attain an intelligent impact assessment within the PSIRT. Thanks to our system, a PSIRT can quickly respond and take anti-crisis countermeasures concerning proprietary products to ensure long-term product security.
Detecting DDoS Attack in SDN Environment Using Automatic Thresholding Method
◎LYU FUPEI (Kyushu University)、Feng YaoKai (Kyushu University)、Sakurai Kouichi (Kyushu University)
The characteristic of a distributed network attack is that it can be launched from multiple hosts at the same time. It is not only one of the most complex and destructive attacks in the traditional internet environment, but also one of the most threatening types of attacks in the SDN (software-defined networking) environment. As a centralized network, SDN has achieved great popularity and self-renewal in recent years. The cloud systems used by some enterprises, including Google Inc., also choose the SDN network environment to replace the traditional Internet network environment. Therefore, how to more efficiently detect DDoS attacks in the SDN environment has also attracted great attention from users and academia. The latest research shows that analyzing the PacketIn data in the SDN controller can effectively detect DDoS attacks, but users need to set a threshold in advance to distinguish between normal traffic and attack traffic. However, appropriately tuning the threshold is not easy in many applications, even for experts. In our previous research, we proposed to automatically extract the threshold from past traffic data. In this research, using ground-truth data, we further verify the performance of the extraction method and try to find the weaknesses of this method, that is, in what situations its performance will degrade, which helps us further improve the automatic extraction method itself.
Evaluation of IC Supply Chain Security Risks Using Common Assessment Techniques
○Sauer Kurt(Workday)、David Michael(National Intelligence University)、Sakurai Kouichi(Kyushu University)
Assessing risk is a fundamental aspect of the security process in both industrial and national security settings. While many strengths and weaknesses of information systems, networks, and cyber-physical systems are well-known, flaws in supply chain security for integrated circuits are relatively less well understood. Consequently, the question arises of whether contemporary risk assessment techniques encompass, or can be easily extended to encompass, a view of supply chain security that adequately addresses this potential weakness.
Applied properly, risk assessment employs methodologies that are appropriate to the system being assessed. The purpose of this study is to compare the quantitative and qualitative aspects of various industry risk assessment frameworks as they may be applied to hardware IC security. In addition, we examine the evidentiary and subjective knowledge gaps organizations need to address in order to improve the validity of the resulting risk assessment.
Recent Progress in Neural Key Exchange: Are Tree Parity Machines Still Alive?
○MERAOUCHE ISHAK (Kyushu University)、Kouichi Sakurai (Kyushu University)
Secure key exchange is one of the most important steps in securing a communication. When multiple parties are using a symmetric key encryption protocol, they need a shared secret key that allows them to encrypt and decrypt their exchanged messages securely, and if the key gets compromised, their whole communication is exposed. This is why research in secret sharing and key exchange has seen significant growth during the past decades. While many techniques are based on pure mathematics for their design and security tests, another technique that is not as well known is using Artificial Intelligence (AI) to build a model that can exchange keys securely. One of the most famous AI-based techniques is the Tree Parity Machine secure key exchange, first proposed in 2002 by I. Kanter and his collaborators. Although this work was broken by Shamir shortly after its presentation, it has been improved by many researchers during the last decade. In this paper, we conduct a survey on how the model has been built and how it works. Then we see how it was broken by Shamir using different techniques. Finally, we see the improvements it has received during the last decade from many researchers and tell whether they still have a possibility of being used in real-world applications or not.
3A1-4
Variants of Time-lock Puzzles from Randomized Encodings
○Zehua Shang(Kyoto University)、Masayuki Abe(NTT Secure Platform Laboratories)、Mehdi Tibouchi(NTT Secure Platform Laboratories)
Time-lock puzzles allow one to send messages "to the future", by efficiently generating a puzzle with a solution s that remains hidden until time T has elapsed. The solution s should remain hidden from any (parallel) adversary that runs in time significantly less than T.
In this work we construct several variants of time-lock puzzles from randomized encodings, which satisfy different efficiency requirements and useful functionalities. We put forward the concept of fully succinct time-lock puzzles, where the puzzle generator's runtime is independent of T. We also construct memory-hard puzzles which take space hardness into consideration. Finally, we construct a kind of verifiable time-lock puzzle which allows a verifier to check the correctness of the computation.
Information leakage through passive timing attacks on ElGamal Elliptic Curve Cryptography
◎Tomonori Hirata(Nagoya University)、Yuichi Kaji(Nagoya University)
The threat of timing attacks is especially serious when an attacker actively controls the input to a target program. Countermeasures are studied to deter such active attacks, but the attacker still has the chance to learn something about the concealed information by passively watching the running time of the target program. The risk of passive timing attacks can be measured by the mutual information between the concealed information and the running time. However, the computation of the mutual information is hardly possible except for toy examples. This study focuses on a decryption algorithm for ElGamal Elliptic Curve Cryptography, derives formulas of the mutual information under several assumptions and approximations, and calculates the mutual information numerically for practical security parameters.
Study Signature Embedding Method against Backdoor Attack on DNN Model
○Wenbo Liu(Japan Advanced Institute of Science and Technology (JAIST), Japan)、Rui Wen(Helmholtz Center for Information Security (CISPA), Germany)、Yuntao Wang(Japan Advanced Institute of Science and Technology (JAIST), Japan)
Deep Neural Networks (DNNs) are commonly used in image classification. However, they are vulnerable to multiple security and privacy attacks. In particular, a backdoor attack makes the target model behave normally on benign inputs while being activated when a trigger appears. Despite the severe consequences that may be caused by backdoor attacks, it is typically hard to detect the backdoor due to the lack of transparency in deep neural networks. In this paper, we study countermeasures against such backdoor attacks. We consider two scenarios: the defender fully knows the backdoor pattern; and the defender knows only partial information about the backdoor pattern, e.g., the pattern's location or size. We propose a method to test whether the data is poisoned by embedding signatures into part of the original data and observing the accuracy of the trained model. We evaluate the effectiveness of our method on two representative data sets, namely MNIST and CIFAR10. The experimental results show that our method is effective at detecting the backdoor, where the test accuracy on the poisoned data is explicitly reduced by more than 10% compared with the clean data.
An Anonymous Credential System with Mixer Techniques
◎Tomonori Mizuuchi(Tokyo Institute of Technology)、Mario Larangeira(Tokyo Institute of Technology and IOHK)、Keisuke Tanaka(Tokyo Institute of Technology)
In anonymous credential systems, users obtain credentials from an issuing authority and prove possession of the credential to other verifying parties. The main security feature comes from the property that such proofs cannot be linked to the same credential, i.e., unlinkability of credentials. Such systems have found many applications because they provide privacy for users and have use cases in the real world, e.g., driving licenses, passports, etc. Unfortunately, proofs of credential possession typically require computationally heavy zero-knowledge proof protocols between users and verifiers to achieve the unlinkability property. In this paper, we propose a more efficient anonymous credential system based on the approach of handling credentials as transactions in the sense of transactions in the Bitcoin protocol, i.e., a decentralized ledger. In our design, Bitcoin-like transactions act as credentials, and the unlinkability property is achieved by the anonymizing technique called mixing in Bitcoin, i.e., a node that mixes the transactions. Therefore, our approach allows proofs of possession of a credential to require only verification of the signature associated with the transaction on the public ledger, which avoids more computationally intensive cryptographic primitives.
3F1-3
Contact Tracing from BLS Signature with Updatable Public Keys
◎Xiangyu Su(Tokyo Institute of Technology.)、Pengfei Wang(Tokyo Institute of Technology.)、Maxim Jourenko(Tokyo Institute of Technology.)、Mario Larangeira(IOHK., Tokyo Institute of Technology.)、Keisuke Tanaka(Tokyo Institute of Technology.)
Digital credentials, like their physical counterparts, enable one to assure others of the validity of some claim, which was verified by some authority. In the digital world, presenting a proof of possession of a credential may reveal sensitive information, e.g., identity and private attributes. Schemes that support some sort of anonymity property consider privacy issues, i.e., hide the link between entities and identities, and keep private attributes secret. However, a design with centralized credential issuers yields a single point of failure. Garman et al. (NDSS'14) proposed the Decentralized Anonymous Credentials (DAC) scheme, which enhances anonymous credential issuing with a distributed ledger and eliminates the need for trusted third-party issuers. Moreover, entities can prove credentials within an anonymous set, i.e., a set collected from the ledger containing others' credentials. In this work, we consider the scenario in which entities want to be informed whenever their credentials are involved in some anonymous set, a novel feature not supported by existing schemes. We formalize this new property by relying on the traceability feature of the DAC. Concretely, in this work, we revisit the DAC definitions and provide a construction based on public-key updatable signature schemes. Finally, we introduce a system design for a practical protocol for COVID-19 contact tracing.
3F1-4
Environmental Adaptive Privacy Preserving Contact Tracing System for Respiratory Infectious Diseases
◎Pengfei Wang(Tokyo Institute of Technology)、Xiangyu Su(Tokyo Institute of Technology)、Maxim Jourenko(Tokyo Institute of Technology)、Zixian Jiang(Kyoto University)、Mario Larangeira(Tokyo Institute of Technology)、Keisuke Tanaka(Tokyo Institute of Technology)
The COVID-19 pandemic is causing severe losses across the globe, and the scientific community has devised "contact tracing" mechanisms to mitigate the spread of the infection. The crucial idea is to scan and record close contacts between users using mobile devices, in order to notify each person when one of their close contacts is diagnosed positive. Currently, various organizations and researchers have developed their own contact tracing systems. However, these systems’ false-positive rate is too high for them to be practical in the real world, as they do not filter the huge number of scan results, even though the transmission range of droplets is far shorter than the scanning range of Bluetooth Low Energy, which is used by current contact tracing systems. Furthermore, current systems neglect airborne transmission and consider only droplet transmission. Moreover, the ability granted to service providers of contact tracing systems to access user data violates user privacy. Finally, attackers can modify, remove or fabricate contact records on their devices, which harms the integrity of the system. In this paper, we propose a new contact tracing system that uses environmental factors to filter out results outside the effective transmission distance and also takes airborne transmission into consideration. In addition, we implement an updatable public key mechanism with a blockchain bulletin board to protect user privacy from service providers and to protect the integrity of the system.
Private simultaneous messages (PSM) and conditional disclosure of secrets (CDS) are variants of secure computation and secret sharing, respectively, in which multiple parties generate messages from their individual inputs x1,...,xk and a shared random string, and a referee who receives the messages outputs the result of the computation. In PSM, for a public function f, the referee outputs the function value f(x1,…,xk) without learning anything beyond this value; in CDS, for a public predicate f and a secret value s, the referee outputs s when f(x1,…,xk)=1 and otherwise (when the function value is 0) learns no information about s. In this work, we show that lower bounds on the shared randomness length in these models can be derived from the communication complexity (the necessary and sufficient message length). Using this relation, we show (1) that the randomness length of the universal-reconstruction PSM protocol of Feige et al. for arbitrary functions is nearly optimal, and a lower bound on the randomness length of PSM protocols for the inner-product (IP) function; and (2) lower bounds on the randomness length for the AND and XOR functions, which are optimal in particular for the AND function, lower bounds on the communication complexity and randomness length of CDS protocols for a class of functions that includes the threshold functions and uniform access functions that frequently appear in secret sharing, and exponential lower bounds on the communication complexity and randomness length of universal-decoding CDS protocols with a polynomial-size referee.
On Private Information Retrieval Supporting Multi-dimensional Range Queries
◎Junichiro Hayata(The University of Tokyo/AIST)、Jacob C. N. Schuldt(AIST)、Goichiro Hanaoka(AIST)、Kanta Matsuura(The University of Tokyo)
Private information retrieval (PIR) allows a client to retrieve data from a database without the database server learning what data is being retrieved. Most of the existing PIR schemes consider searching simple one-dimensional databases and the supported query types are often limited to index queries only, which retrieve a single element from the databases. However, most real-world applications require more complex databases and query types. In this paper, we build upon the notion of query indistinguishability by Hayata et al. (ESORICS2020), and formalize query indistinguishability for multi-dimensional range queries. We then give a construction of a secure multi-server scheme based on function secret sharing. This is the first instantiation of a PIR scheme supporting multi-dimensional range queries while being capable of hiding the type of query being made and, in the case of multi-dimensional range queries, the number of elements retrieved in each query, when considering a stream of queries.
When a large amount of data is entrusted to a server, as in cloud storage, ordinary encryption alone leaks access-pattern information to the server, i.e., which data was operated on.
Oblivious RAM (ORAM) protocols exist as protocols that hide the access pattern from the server.
Besides the communication and computation cost of an access, the storage size required on the server is also considered as a measure of an ORAM protocol's efficiency.
For an ORAM protocol that stores N blocks of B bits, succinct ORAM protocols, which require only NB+o(NB) bits of storage, have been proposed as ORAM protocols with a small storage requirement.
However, in prior work, succinctness holds only under the constraint that the block size B is sufficiently larger than log N or the security parameter λ.
In this work, we therefore propose a truly succinct ORAM protocol that is succinct for any block size B and requires even less storage.
Adversarial examples are one of the largest vulnerabilities of deep neural networks. An attacker can easily deceive a classifier with malicious inputs (called adversarial examples) in which small perturbations are added to benign inputs. Recent studies achieve high attack success rates with various optimization methods, and efficient schemes have been proposed in black-box settings, in which the attacker is limited to query access to the network. In this paper, we propose a new score-based black-box $\ell_\infty$-adversarial attack based on random search. In our experiments, we use the common datasets CIFAR-10 and ImageNet, and evaluate our method in terms of attack success rate and query efficiency compared to the state-of-the-art methods on these datasets. We show that our method achieves a higher attack success rate and query efficiency than previous methods, especially under low query budgets, in both untargeted and targeted attack settings. Specifically, we improve the average query efficiency in the untargeted setting by a factor of 2.44 on CIFAR-10 and 1.26 on ImageNet compared to the recent state-of-the-art $\ell_\infty$-attack of Andriushchenko et al.
Public Key Cryptosystems Combining Lattice and Multivariate Polynomial
◎Yuntao Wang(Japan Advanced Institute of Science and Technology)、Yasuhiko Ikematsu(Kyushu University)、Takanori Yasuda(Okayama University of Science)
At ProvSec 2018, Yasuda proposed a multivariate public key cryptosystem using the pq-method, whose security is based on the constrained MQ problem.
Afterward, at SCIS 2020, he improved the cryptosystem by adding noise elements and simultaneously considered its cryptanalysis using the NTRU method.
This improved cryptosystem is the first cryptosystem combining lattice-based and multivariate public-key cryptosystems.
In this paper, we propose three variants of Yasuda’s cryptosystem.
In particular, we simplify the key generation procedure.
Furthermore, we propose a ring version which is quite efficient compared to the general versions.
To give a more promising cryptanalysis, we adopt the ring-LWE method instead of the original NTRU method.
3A3-4
Security analysis on an El-Gamal-like multivariate encryption scheme based on a generalization of IP2S problem
○Yasuhiko Ikematsu(Kyushu University)、Shuhei Nakamura(Nihon University)、Bagus Santoso(The University of Electro-Communications)、Takanori Yasuda(Okayama University of Science)
The isomorphism of polynomials with two secrets (IP2S) problem was proposed by Patarin et al. at Eurocrypt 1996; the problem is to find two secret linear maps filling in the gap between two polynomial maps over a finite field.
At PQC 2020, Santoso proposed an encryption scheme based on a generalization of IP2S, called the block isomorphism of polynomials with circulant matrices (BIPC) problem.
The BIPC problem is obtained by linearizing IP2S and restricting the secret linear maps to linear maps represented by circulant matrices.
Due to the commutativity of products of circulant matrices,
Santoso succeeded in constructing an encryption scheme similar to El-Gamal.
In this paper, we give a new security analysis of Santoso's encryption scheme.
In particular, we introduce two attacks: (1) an attack using a Gröbner basis algorithm against the cubic equations associated with the BIPC problem (called the naive attack), and (2) an attack that finds equivalent keys of Santoso's encryption scheme using the linearity of the BIPC problem (called the linear stack attack).
Regarding (1), we perform some experiments and estimate the complexity by an observation of the behavior of the degree of regularity.
Regarding (2), we see that the attack can break certain proposed parameters for Santoso's encryption scheme.
Due to the global spread of COVID-19, the use of video conferencing systems has expanded worldwide. In this paper, we focus on Zoom, a video conferencing system widely used around the world, and conduct a security evaluation of the end-to-end encryption (E2EE) described in version 2.3.1 of the white paper published by Zoom Video Communications. As a result, we show that Zoom's E2EE contains multiple vulnerabilities, and by presenting concrete attack procedures that exploit these vulnerabilities, we reveal that attacks stronger than those Zoom assumes are feasible. We also discuss the feasibility of these attacks in the real world and propose effective countermeasures against them. Although we believe that the vulnerabilities we found do not pose an imminent threat to Zoom's E2EE, they show that there is room for improvement in the cryptographic schemes and protocols of Zoom's E2EE. We have reported our evaluation results to Zoom Video Communications, which confirmed that all of the attacks presented in this paper are realizable.
It has been reported that residual charge between transistors leaks side-channel information and that it has the property of retaining the state of logic gates over several clock cycles. Because residual-charge leakage stems from a problem in the stacked structure of transistors, it may affect a wide variety of circuits. In this paper, we discuss the effect of residual charge on Physically Unclonable Functions (PUFs), which rely on manufacturing variation, a minute physical characteristic. Although our experiments did not confirm that residual charge can leak the PUF's own secret information, we found that it affects the evaluation results of Intra-HD, one of the PUF performance metrics. We demonstrate that, even when generating the same challenge-and-response pairs, the Intra-HD result differs depending on the order in which the challenges are input, and we discuss the evaluation methodology.
What Exactly is Watching You? Generic PUF-Like Authentication for IoT Image Sensors
Armand Garrec(Secure-IC)、Victor Dyseryn(Secure-IC)、Adrien Facon(Ecole normale superieure, CNRS)、Kazuhide Fukushima(KDDI Research, Inc.)、Shinsaku Kiyomoto(KDDI Research, Inc.)、Yuto Nakano(KDDI Research, Inc.)、○Thomas Perianin(Secure-IC)、Youssef Souissy(Secure-IC)、Sylvain Guilley(Secure-IC, Telecom-Paris (LTCI))
With the rise in the number of IoT devices, the problem of device authentication grows in importance. Billions of small, mass-produced devices have, as of yet, little to no built-in security or means of authentication. Even where authentication methods exist (serial numbers, etc.), they can often be easily altered.
Physically Unclonable Functions (PUFs) offer an elegant solution to this problem, but often require additional hardware or modifications of the existing device, which, for inexpensive devices, is often too much of a burden, and security is left by the wayside. In this work, we study the possibility of uniquely identifying a given device by examining traits displayed in the output of the device. In particular, we look at commercial off-the-shelf (COTS) cameras to see if there are exploitable traits in images taken by a given device. We find positive results from which we can build a PUF to uniquely identify a particular image sensor. These results are derived purely from the images produced by the sensor, require no hardware modification of the device, and prove robust to sensor aging. Finally, we analyse the entropy sourced from the images and measure the steadiness of the PUF as a means of authentication.
SymVuls: Software vulnerability detection with symbolic execution traces and machine learning
○Nagayasu Kano(Institute of Information Security)、Takao Okubo(Institute of Information Security)
Treating software source code as human-readable text sequences and applying Natural Language Processing (NLP) techniques such as word embedding is common in recent software vulnerability analysis research; however, previous research faced several challenges in terms of training data preparation, the application of the methodologies to various programming languages, and the versatility of the trained models on real-world source code. Also, since the analysis of software source code with NLP techniques is not unique to vulnerability analysis, it has been researched in non-vulnerability contexts as well. Jordan Henkel et al. proposed a new approach that utilizes symbolic execution traces and achieved high-quality word embeddings of software source code. In this research, we designed and evaluated a new methodology that leverages symbolic execution and machine learning algorithms along with NLP techniques. The result showed high performance (AUC 0.9953) on the SARD CWE-89 dataset and good versatility on our test source code.
As a countermeasure against fault attacks, which induce faults in cryptographic hardware to analyze secret information, and against side-channel analysis, M&M (Masks and Macs), a scheme combining masking with infective computation based on MAC tags, was proposed at CHES 2019. In this paper, we carry out side-channel attack experiments against AES hardware implementing M&M in order to evaluate its security. Finally, we discuss the security of M&M against side-channel attacks.
Semi-Automation of CPE Matching for Vulnerability Management
◎Ashokkumar C(Hitachi Ltd)、Mikami Shugo(Hitachi Ltd)、Ideguchi Kota(Hitachi Ltd)
Vulnerability detection and management are critical to safeguarding an organization's critical assets against ever-increasing cyber threats and attacks. Some of the most reliable vulnerability information is publicly available in databases such as the National Vulnerability Database (NVD). NVD lists vulnerability information as Common Vulnerabilities and Exposures (CVE) entries, which carry the vulnerable software details as Common Platform Enumeration (CPE) names that are used for vulnerability detection. It is common practice for organizations to use CPE names from the official CPE dictionary to list or store their products in their product database. Upon inspection, we discovered that more than 45% of the unique CPEs listed in the NVD CVE data feeds do not have any match in the official CPE dictionary when using simple string matching. This may result in known vulnerable products remaining installed and unpatched in an organization, increasing the risk of cyberattacks. This manuscript addresses the mismatch between product information and CPE by using approximate string-matching techniques and a novel version comparison function. Using this approach, we can achieve more than 90% CPE matching with a higher accuracy rate. It is a step forward toward full automation of a vulnerability management system in an environment where CPE-like structures are used for maintaining assets.
Downgradable Identity-Based Signatures and Trapdoor Sanitizable Signatures from Downgradable Affine MACs
◎Masahito Ishizaka(KDDI Research, Inc.)、Shinsaku Kiyomoto(KDDI Research, Inc.)
An affine message authentication code (AMAC) (CRYPTO'14) is a group-based MAC with a specific algebraic structure. A downgradable AMAC (DAMAC) (CT-RSA'19) is an AMAC with the functionality that a message with an authentication tag can be modified into a downgraded message while retaining the validity of the tag. In this paper, we formally re-define DAMAC for two independent applications, namely downgradable identity-based signatures (DIBS) and trapdoor sanitizable signatures (TSS) (ACNS'08). DIBS are delegatable IBS, where a secret key for an identity can be transformed into one for a downgraded identity. Unlike (ordinary) sanitizable signatures (SS) (ESORICS'05), TSS allow a sanitizer to modify a signed message while retaining the validity of the signature by using a trapdoor associated with the signature, rather than the secret key of the sanitizer. We show that DIBS can be generically constructed from a DAMAC, and that DIBS can be transformed into (wildcarded) hierarchical/wicked IBS. We introduce a functionally stronger definition for TSS than the original one, then show that such TSS can be generically constructed from a DAMAC. By instantiating them, we obtain the first wildcarded hierarchical/wicked IBS and the first invisible and/or unlinkable TSS. Moreover, we prove that DIBS is equivalent not only to TSS, but also to a naive combination of the two primitives, named downgradable identity-based trapdoor sanitizable signatures (DIBTSS).
4A1-2
Invisible and Unlinkable Sanitizable Signatures from Trapdoor Sanitizable Signatures
◎Masahito Ishizaka(KDDI Research, Inc.)、Yuto Nakano(KDDI Research, Inc.)、Shinsaku Kiyomoto(KDDI Research, Inc.)、Keisuke Tanaka(Tokyo Institute of Technology)
In digital signatures, if a signed message is altered, the signature immediately becomes invalid. In sanitizable signatures (SS) (ESORICS'05), a signer chooses the modifiable parts and a public key of a sanitizer, and the sanitizer modifies the message using her secret key while retaining the validity of the signature. Invisibility (resp. unlinkability) guarantees that no third party can see the modifiable parts (resp. the link between a sanitized signature and its source). Bultel et al. (PKC'19) proposed a generic construction from non-accountable SS (NASS) and verifiable ring signatures, and a concrete NASS scheme secure in the random oracle (RO) model. They obtained the first invisible and unlinkable SS (IUSS) scheme in the RO model. In trapdoor SS (TSS) (ACNS'08), a signature is modified using a trapdoor rather than the sanitizer’s secret key. Ishizaka and Kiyomoto (SCIS'21) proposed a functionally stronger definition for TSS than the original one, then proposed the first invisible and unlinkable TSS scheme. In this paper, we propose two IUSS constructions based on TSS, from each of which we obtain the first IUSS scheme secure under standard assumptions. For the first one, we prove that a simple SS construction from TSS and labeled PKE (LPKE), which encrypts a trapdoor under an LPKE public key of a sanitizer, perfectly satisfies the condition that Bultel et al.'s SS construction requires of the underlying NASS scheme. For the second one, we propose a generic construction of SS from TSS, PKE, NIZKPoK and a one-way function.
4A1-3
Designs for Decentralized Tracing in Group Signatures using IBE and ABE
○Maharage Nisansala Sevwandi Perera(Advanced Telecommunications Research Institute International (ATR))、Toru Nakamura(KDDI Research, Inc)、Masayuki Hashimoto(Advanced Telecommunications Research Institute International (ATR))、Hiroyuki Yokoyama(Advanced Telecommunications Research Institute International (ATR))、Kouichi Sakurai(Kyushu University)
The centralized tracing mechanism that existing group signature schemes rely on makes signers insecure and burdens the tracing authority with a heavy workload. In existing group signature schemes, the tracing party can identify the signer using the tracing authority's secret key (decryption key). If the tracing authority is corrupted, then all users' privacy is in danger. On the other hand, the tracing party has a high workload, as it is a single party that has to deal with all tracing requests. In this paper, we first propose a decentralized tracing mechanism employing identity-based encryption, and then we propose another tracing method using attribute-based encryption. Both proposals are a relaxed version of tracing, as the user can select his tracing authority among multiple tracing managers. We construct our schemes using lattice cryptography.
This paper presents a hardware architecture for the memory protection scheme ELM (Encryption for Large Memory) and its performance evaluation. ELM is a new authentication tree scheme that the authors proposed at SCIS 2021 to efficiently protect large amounts of memory data, particularly with respect to the latency of verification and update. In this paper, we first outline the message authentication code and the authenticated encryption that constitute ELM, and present hardware architectures for them that are suited to memory protection. We then evaluate the ASIC implementation performance of the proposed architecture for various memory authentication tree parameters (size of protected memory and branching factor), and compare it with the state-of-the-art authentication tree used in Intel SGX. The evaluation results confirm that, as the size of protected memory increases, ELM can perform memory verification and update with low latency while keeping the memory overhead small. For example, for a memory size of 1 GByte, ELM reduces the data verification time to 2/3 and the data update time to 1/3, while reducing the on-chip data size to 1/8.
Security Notions of Stateful Signature Schemes
◎Quan YUAN(Graduate School of Informatics, Kyoto University)、Mehdi TIBOUCHI(NTT Secure Platform Laboratories)、Masayuki ABE(NTT Secure Platform Laboratories)
In some digital signature schemes, the signer needs to maintain a dynamic state while signing messages. These are called stateful signature schemes. Even though stateful signature schemes are commonly used as cryptographic primitives, they do not fit the standard definition of a signature scheme in cryptography. In this paper, we give a formal and general definition for stateful signature schemes. In the definition of security, we consider various scenarios in which the adversaries have different degrees of control over the signing oracle, in terms of messages and states. After that, we give generic constructions between stateful signature schemes with different security levels. In addition, we give some black-box constructions of stateful signature schemes, which can be instantiated by primitives under any assumptions. Note that the constructions in this paper are proved secure in the standard model.
As of 2019, game cheating is widespread in online games. Game cheats are methods that tamper with a game’s state or disrupt other players by using external tools or applications such as a memory editor. Cheating shortens a game’s lifetime, damages the game’s reputation, and causes game operators to lose charging opportunities.
Memory tampering, in which attackers rewrite values in a computer's memory, is often used for cheating. Games are cheated on the client side, so controlling cheats involves a lot of trouble. Countermeasures against reverse engineering, such as obfuscation and memory encryption, are NOT fundamental solutions to game cheats. In this study, we discuss new proposals for cheat control using the Mandatory Access Control functions of TOMOYO Linux on Ubuntu.
Deep learning has advanced remarkably, and implementing deep learning on embedded devices has attracted attention, particularly for real-time and distributed processing. At the same time, security and privacy issues in deep learning have begun to be pointed out. Among them, the theft and copying of trained model information (model architecture and parameters), which is regarded as intellectual property, is one of the important security issues. Prior work has proposed several schemes that protect trained model information using a Trusted Execution Environment (TEE), which provides an isolated execution environment that cannot be manipulated by malware or other unauthorized software. Protecting trained model information with a TEE often does not work well if the deep learning computation is simply ported to the isolated execution environment. The reasons include that the large number of parameters characteristic of deep learning cannot be loaded into memory due to the TEE's memory size limit, the threat of parameter tampering, and the large execution-time overhead. In this paper, we therefore propose a new scheme for protecting trained model information using a TEE, mainly targeting embedded devices. The proposed scheme is memory-efficient, can detect parameter tampering, and keeps the execution-time overhead low. In experiments, we implemented and evaluated the proposed scheme using Arm TrustZone and OP-TEE on a Raspberry Pi 3 Model B, and confirmed its effectiveness.
Investigating User Intention to Use a Privacy Sensitive Information Detection Tool
○Vanessa Bracamonte(KDDI Research, Inc.)、Sebastian Pape(Goethe University Frankfurt)、Shinsaku Kiyomoto(KDDI Research, Inc.)
Privacy sensitive information (PSI) detection tools can identify when a social media post contains information that users could later regret sharing.
PSI detection tools have the potential to help users protect their privacy when posting information online. However, although users consider this type of tool useful, previous research indicates that the intention to use them is not high.
In this paper, we conduct a user survey (n=147) to investigate the factors that influence intention to use a PSI detection tool.
The results of a logistic regression analysis indicate a positive association of intention to use a PSI detection tool with performance expectation, social influence, and perception of accuracy of the tool.
In addition, intention is negatively associated with privacy concerns related to the tool itself and with the participants' self-perceived ability to protect their own privacy. On the other hand, we did not find significant association with the participants' demographic characteristics or social media posting experience.
We discuss these findings in the context of the design and development of PSI detection tools.
4F2-4
Privacy Protection for Electricity Transaction Information on Blockchain-based Virtual Power Plant
○ZHUOWEI DENG(Department of Informatics Graduate School of ISEE, Kyushu University)、KOSUKE KANEKO(Cybersecurity Center, Kyushu University)、KOUICHI SAKURAI(Department of Informatics Faculty of ISEE, Kyushu University)
In recent years, blockchain technology from Bitcoin has been applied in various fields due to its decentralized and transparent structure. Meanwhile, smart cities supported by advanced technologies are growing rapidly and make it possible for home appliances to be controlled with smart devices. Thus, in this research, we intend to establish a blockchain-based Virtual Power Plant (VPP) system to realize a self-managed electricity network. By implementing smart contracts based on blockchain technology in the VPP, it would be possible for users to trade cryptocurrencies and the electricity they generate themselves. However, since transaction data in a blockchain is visible to all users, private information could be used in malicious ways. In order to protect information privacy from malicious users, a method of writing metadata, etc. into the blockchain and saving the encrypted original data in another database was proposed. On the other hand, the above method might lead to complicated procedures for researchers who want to analyze transaction data, because they have to ask for permission whenever they access the data. Thus, in order to protect information privacy and eliminate the complicated procedures for obtaining permission for data analysis, secure computation based on secret sharing will be implemented. Against the background of the blockchain-based VPP system, we will propose a method that realizes an environment where users can manage their own information and researchers can analyze data without complicated procedures or invasion of information privacy, even under transparent blockchain technology.