The Learning Parity with Noise (LPN) problem is an NP-hard problem and is expected to be resistant to quantum computers. However, no key exchange protocol with a security proof based purely on the LPN problem has yet been proposed. In this paper, we construct a new noisy key exchange scheme based on the LPN problem and prove that it is secure in a newly defined security model for noisy key exchange.
Comparison Among Post-Quantum Oblivious Transfer Implementations
◎Peihao Li(Kyoto University)
、Octavio Pérez Kempner(NTT Social Informatics Laboratories)
、Mehdi Tibouchi(NTT Social Informatics Laboratories & Kyoto University)
、Masayuki Abe(NTT Social Informatics Laboratories & Kyoto University)
Oblivious transfer (OT) is a fundamental component of multi-party computation protocols. Recently, Dong et al. introduced Saber OT and claimed superior performance over other efficient post-quantum OT implementations, including the Endemic OT proposed by Masny and Rindal (CCS'19). However, their benchmark uses an outdated Kyber-based Endemic OT implementation, due to updates to the underlying Kyber library, which diminishes the strength of their claim. In this work, we provide the most efficient Kyber-based Endemic OT implementation using the latest version of Kyber. We then compare the performance of this updated implementation with other efficient post-quantum OT protocols in our benchmark.
Cryptographer Yvo Desmedt raised framing as a security issue in secret sharing [IEEE Trans. on Information Forensics and Security (2021)]. In this misconduct, several participants in a secret sharing scheme collude to reconstruct another participant's share and "frame" that person, as if they had exercised their authority using the secret. This is motivated by forensics in social applications of secret sharing. It is also a problem in practical applications of the currently mainstream Shamir-type secret sharing, and is an intrinsic issue with no direct solution.
The presenter discussed the current state and open problems of this area at the ISEC March 2024 Sapporo Summit. Subsequent investigation, however, revealed that the framing problem originates in the group signature research of the 1990s [Chen and Pedersen, Eurocrypt '94] and is also discussed in lattice-based post-quantum signatures [Libert et al., Asiacrypt 2016].
This paper supplements the origins of this series of framing problems and reconsiders the current state and challenges in organizational cryptosystems.
Applying Lagrange Interpolation to Polynomial Expressions of Human-Computable Functions
○Yasuyuki Kachi(The University of Aizu)
、Giovanni Viglietta(The University of Aizu)
、Kouichi Sakurai(Kyushu University)
A human-memorable password is vulnerable to dictionary attacks, whereas a jumbled mix of letters is deemed a strong random password but is not human-memorable. Against such a backdrop, a "human-computable password" is "the best of both worlds". Hailed as number-crunchable without a computer, the authors of [Blocki, Blum, Datta, Vempala: Towards Human Computable Passwords. arXiv 2014/ITCS 2017] showcased the "human computable" function
$f(x_0, x_1, \dots, x_{13}) = x_j + x_{12} + x_{13} \bmod 10, \quad j = x_{10} + x_{11} \bmod 10$
as the capstone of their new password authentication protocol. They performed its security evaluation using combinatorics, with the caveat that they shied away from dissecting the function f purely mathematically. We apply the Lagrange interpolation method in positive characteristic and thereby express the function f and its variants as polynomials over the prime field of characteristic p.
In recent years, the Internet of Things (IoT) has attracted attention, and IC products have become widespread in daily life. As demand for ICs grows, external companies increasingly intervene in the IC design and manufacturing process, raising the risk that malicious circuits called hardware Trojans (HTs) are inserted during that process. As one method of detecting HTs at the design stage, HT detection using graph learning on circuit design information has been proposed, and relatively high HT identification accuracy has been reported. In this paper, to improve the identification accuracy of graph-learning-based HT identification, we propose a correction process that uses multiple trained graph learning models. The proposed method re-identifies, by majority vote of the models, the nodes identified as Trojan nodes in the target identification result and the nodes within distance two of them. We evaluate the effectiveness of the proposed method through experiments.
1E1-5
A Study on the Security of Low-Computational-Load User Authentication for IoT Systems
◎西村 悠生(Hiroshima City University)
、上土井 陽子(Hiroshima City University)
、若林 真一(Hiroshima City University)
LLM-based Analysis of Cyber Threat Intelligence Report
◎Khang Mai(Japan Advanced Institute of Science and Technology (JAIST))
、Razvan Beuran(Japan Advanced Institute of Science and Technology (JAIST))
、Naoya Inoue(Japan Advanced Institute of Science and Technology (JAIST))
Large language models (LLMs) exhibit strong generalization capability and excel in various language-related tasks. This capacity allows LLMs to replace the role of experts in downstream tasks where training data is insufficient, especially report analysis. In this paper, we introduce a novel approach for automatic analysis of cyber threat intelligence (CTI) reports using LLMs. This method does not require specialized expertise to generate training data or extensive input data pre-processing, in contrast to traditional deep learning (DL) approaches. We gather and augment CTI knowledge from the MITRE ATT&CK framework to create the training dataset. After a fine-tuning process, the LLM becomes proficient in identifying the technique ID from the input text. We segment CTI reports into smaller, action-centric text fragments and employ the LLM technique recognizer to detect malicious activities. Our preliminary evaluation suggests that this methodology can attain an F1 score of 0.716, demonstrating comparability with another report analysis framework known as RAF-AG with a 0.784 F1 score.
Quantum computational advantage refers to the existence of computational tasks that are easy for quantum computing but hard for classical computing. Unconditionally showing quantum advantage is beyond our current understanding of complexity theory, and therefore some computational assumptions are needed. Which complexity assumption is necessary and sufficient for quantum advantage? In this paper, we show that inefficient-verifier proofs of quantumness (IV-PoQ) exist if and only if classically-secure one-way puzzles (OWPuzzs) exist. As far as we know, this is the first time that a complete cryptographic characterization of quantum advantage is obtained. Previous work [Morimae and Yamakawa, Crypto 2024] showed that IV-PoQ can be constructed from OWFs, but a construction of IV-PoQ from weaker assumptions was left open. Our result solves the open problem. OWPuzzs are one of the most fundamental quantum cryptographic primitives, implied by many quantum cryptographic primitives weaker than one-way functions (OWFs). The equivalence between IV-PoQ and classically-secure OWPuzzs therefore highlights that if there is no quantum advantage, then these fundamental primitives do not exist.
A Tightly Secure Signature in the Multi-User Setting with Corruptions Based on Discrete-Logarithm Assumption
Keitaro Hashimoto(National Institute of Advanced Industrial Science and Technology)
、○Wakaha Ogata(Institute of Science Tokyo)
、Yusuke Sakai(National Institute of Advanced Industrial Science and Technology)
We construct the first tightly secure signature schemes in the multi-user setting with adaptive corruptions from the discrete logarithm (DL) assumption. In contrast to our scheme, the previous tightly secure schemes are based on decisional assumptions (e.g., DDH) or interactive search assumptions (e.g., one-more CDH).
The security of our schemes is independent of the number of users, signing queries, and RO queries, and forging our signatures is as hard as solving the DL problem.
Our starting point is an identification scheme with multiple secret keys per public key (e.g., Okamoto identification (CRYPTO'92)). This property allows a reduction to solve a search problem while answering corruption queries for all users in the signature security game.
To convert such an identification scheme into a signature scheme tightly, we employ the randomized Fischlin's transformation introduced by Kondi and shelat (Asiacrypt 2022), which provides straight-line extraction. Intuitively, the properties of the transformation guarantee the tight security of our signature scheme in the programmable random oracle model, but we successfully prove its tight security in the non-programmable random oracle model.
Usability Testing for the Implementation of One-Time Password as a Connection Requirement for Wired Home Networks
◎NATHANIEL KOFI ADJADEH(Iwate Prefectural University. Graduate School of Software and Information Science)
、Yuta Kanai(Iwate Prefectural University. Graduate School of Software and Information Science)
、Masaki Narita(Iwate Prefectural University. Graduate School of Software and Information Science)
This phase focuses on usability testing for the implementation of One-Time Passwords (OTP) as a connection requirement for wired home networks. The study aims to gather user feedback to assess the system’s functionality, usability, and intuitiveness. A randomly selected group of users will test the system and provide feedback on features they find valuable and areas that may pose challenges. This input will help identify improvements needed to ensure the OTP authentication system remains secure while being user-friendly and accessible.
Framework for Validating and Improving Python Code using Large Language Models
◎Jongmin Lee(Japan Advanced Institute of Science and Technology)
、Khang Mai (Japan Advanced Institute of Science and Technology)
、Nakul Ghate(NEC Corporation)
、Razvan Beuran(Japan Advanced Institute of Science and Technology)
This paper introduces a framework that integrates Large Language Models (LLMs) with static code analysis tools to enhance the quality and security of LLM-generated Python code. The framework generates code snippets and iteratively refines them to address syntax errors, security vulnerabilities, and functional correctness, ensuring alignment with functional and security standards. By leveraging LLMs alongside tools such as Pylint and Bandit, the framework validates and improves code through a unified pipeline. During evaluation on the LLMSecEval dataset derived from the MITRE CWE Top 25, the framework identified vulnerabilities in 64 code snippets and resolved 83 percent of the 72 detected issues through refinement. It also enhanced functional correctness in 38 cases, improving compliance and functionality. Furthermore, the refined code snippets showed substantial similarity to expert-curated secure code examples, achieving an F1 score of 0.8024. These results highlight the potential of combining rule-based analysis with LLM-driven insights to produce robust, secure, and functional code. By reducing human intervention, the framework bridges the gap between static analysis and the contextual understanding of LLMs, advancing AI-assisted coding toward real-world applicability.
Noise Reduction from decomposition of Relative Toffoli for Shor's factoring Algorithms
◎BAEGEUN PARK(Degree Programs in Systems and Information Engineering, University of Tsukuba)
、NOBORU KUNIHIRO(University of Tsukuba)
、JUMPEI YAMAGUCHI(Fujitsu)
、TETSUYA IZU(Fujitsu)
RSA ciphers serve as a cornerstone of modern cryptographic systems, relying on the computational intractability of the prime factorization problem. However, the emergence of quantum algorithms, such as Shor's algorithm, has introduced efficient methods to solve this problem, potentially undermining the security of RSA ciphers. Despite these advances, the performance of quantum computers is currently limited by quantum error for each gate and other computational constraints, which prevent them from achieving optimal outcomes. In this study, we implement Shor's algorithm in a quantum simulation environment where quantum errors exist, design a quantum circuit to verify the results, and compare them against idealized outcomes using KL Divergence. By focusing on circuit modifications, particularly the decomposition of the Toffoli gate, we explore strategies to mitigate noise and achieve results closer to the ideal case, providing a comparative analysis of performance and noise reduction.
Searchable encryption tolerates leakage of information that is believed not to compromise security, in exchange for efficient search processing. Whether the tolerated leakage truly does not compromise security needs careful discussion, and research that conducts this discussion from the attacker's perspective is actively pursued. Such attack research is called leakage-abuse attacks, which attempt query recovery and the like using the leakage of searchable encryption. If an attack is possible using the leaked information, that information is something that should not have been leaked in the first place. Among attacks using standard leakage, the Subgraph attack (Blackstone et al., NDSS 2020) is known as one that achieves very good performance. In general, leakage-abuse attacks require auxiliary information in addition to the leakage, but the Subgraph attack requires less auxiliary information than other attacks. In this work, based on the Subgraph attack, we propose a new attack algorithm that maximizes the similarity between the leakage and the auxiliary information. We also show through implementation experiments that the proposed attack algorithm recovers more queries than the Subgraph attack.
A security proof of FO-PKC in the quantum random oracle model
◎Naoki Hasegawa(Japan Advanced Institute of Science and Technology)
、Eiichiro Fujisaki(Japan Advanced Institute of Science and Technology)
The Fujisaki-Okamoto (FO) transformation is a generic method for converting any weak public-key encryption scheme into an IND-CCA secure public-key encryption scheme in the random oracle model. It exists in two versions: PKC and CRYPTO. The original proposed method has its security proven in the classical Random Oracle Model.
In recent years, the security of the FO-CRYPTO version, including the Hofheinz-Hövelmanns-Kiltz version, has been proven in the Quantum Random Oracle Model. However, to the best of our knowledge, no such proof exists for the FO-PKC version. In this paper, we provide a security proof for the FO-PKC version in the Quantum Random Oracle Model.
A one-way function is a function that is easy to compute in the forward direction but hard to invert, and is important in theoretical computer science including cryptographic theory. Ghosal and Sahai (GS) showed, in the framework of strong indistinguishability, that when two random functions f, g : {0, 1}^n → {0, 1}^m each come with an inversion oracle, the condition m − n = ω(log n) is sufficient for f + g to be one-way. Gibo et al. extended this condition and, together with GS, showed that |m − n| = ω(log n) is sufficient. In this work, by simulating the inversion oracles more precisely when proving strong indistinguishability, we remove all conditions on n and m and show that f + g is one-way for arbitrary n and m.
Formal Verification of IND-CPA Security of HQC in EasyCrypt
◎Yamato Umemura(Kobe University)
、Masanori Hirotomo(Saga University)
、Makoto Takita(Kobe University)
、Shohei Kakei(Nagoya Institute of Technology)
、Hiroki Kuzuno(Kobe University)
、Masami Mohri(Kindai University)
、Yoshiaki Shiraishi(Kobe University)
As quantum computing emerges, conventional public-key cryptosystems based on factorization or discrete logarithm problems are expected to become vulnerable in the near future. In response, NIST has initiated a standardization effort for post-quantum cryptography (PQC), leading to the selection of schemes such as CRYSTALS-KYBER and SPHINCS+. HQC (Hamming Quasi-Cyclic), currently a finalist in this process, requires thorough security verification to ensure its long-term reliability.
However, proving the security of complex cryptographic schemes is challenging and prone to human error. To address this, formal verification methods have gained prominence, with theorem-proving tools like EasyCrypt increasingly adopted to establish rigorous cryptographic proofs. This research focuses on formally verifying the IND-CPA security of the HQC public-key encryption (HQC.PKE) scheme using EasyCrypt.
We formalize the underlying mathematical assumptions and systematically construct a game-based proof framework that captures the essence of IND-CPA security. By representing attacks as a sequence of games and deriving inequalities that bound an adversary's advantage, we ensure a machine-checkable, mathematically sound proof within the EasyCrypt environment.
Bluetooth Low Energy (BLE) is a short-range wireless communication standard specialized for low power and low cost, and is built into small devices such as IoT devices, wearables, and smart locks. BLE provides security features such as privacy protection, encryption, and authentication. In this work, against devices using Resolvable Private Address (RPA), one of the privacy features, we use an address tracking technique called the address carry-over algorithm and examine the feasibility of an address-spoofing man-in-the-middle attack based on the tracked address, as well as countermeasures. In experiments with commercially available BLE evaluation boards, we confirmed that the target device mistakes the attacker's device for a legitimate one and connects to it, establishing communication with the attacker and thereby completing a man-in-the-middle attack. We also discuss countermeasures against this attack method.
2E1-3
Session Root-of-Trust for IoT Device Identification
○Hiroshi Watanabe(National Yang Ming Chiao Tung University)
Device identification is necessary for secure operation of IoT systems, but how to use it determines its applicability. We propose “Session Root-of-Trust” to use device identification on sessions for this purpose.
A leading solution, TPM 2.0, has been adopted in Windows 11, but the Secure Boot and TPM requirements can be bypassed via the registry to boot Windows 11 on an old PC without TPM 2.0. The same is possible on any PC. A hacker can also carry out such manual processes.
IoT devices are much smaller than PCs, and the number of IoT devices will be much greater than the number of PCs. Quite often, it may be difficult to know who an administrator is or whether they are trustworthy, whether there is an administrator at all, or it may be impossible to manage too many IoT devices. In other words, it is indispensable to make device identification automatic or unmanned. Though device identification should be under central management, the identification process must be made secure and unmanned. Anyone should be able to easily audit records of past identification processes by using digests with the least possibility of manipulation. Enabling this can improve the general use of IoT devices and help IoT systems grow into a social infrastructure.
Decentralized Storage Network in the Extended UTXO Model
◎Yuma Tamagawa(Department of Mathematical and Computing Sciences, School of Computing, Institute of Science Tokyo)
、Xiangyu Su(Department of Mathematical and Computing Sciences, School of Computing, Institute of Science Tokyo)
、Mario Larangeira(Department of Mathematical and Computing Sciences, School of Computing, Institute of Science Tokyo. Input Output, Global.)
、Keisuke Tanaka(Department of Mathematical and Computing Sciences, School of Computing, Institute of Science Tokyo)
Distributed storage networks (DSN) provide a decentralized and secure framework for data storage. Existing systems, such as the Filecoin Project, employ the proof of replication (PoRep) scheme (EuroCrypt '19) to ensure verifiable data storage and retrieval. Typically, these systems are implemented atop Ethereum-type smart-contract-enabled blockchain protocols. However, the high operational costs associated with such smart contracts highlight the need for alternative approaches. To address this issue, our work adopts the extended UTXO (EUTXO) model and designs a DSN system within its framework.
Concretely, we divide a DSN system into three phases: off-chain data delegation, periodically-challenged PoRep, and final data extraction. Due to the potentially huge size of stored data, our EUTXO-based blockchain is designed to only keep the evidence for these phases. The replication security follows directly from PoRep. Additionally, we consider fairness, as in Fairswap (CCS '18), for the final extraction and achieve it by using adaptor signatures under the rational setting.
Secure RAG Search Using HE
◎Rikuhiro Kojima(Fujitsu Limited)
RAG is a semantically searchable information retrieval scheme, but it is vulnerable to privacy concerns, such as model leaks and user query leaks. In contrast, searchable encryption is widely recognized as an information retrieval scheme that ensures privacy. Consequently, it appears feasible to construct a secure RAG search by utilizing the embedding (vectorized) data of RAG as an alternative to the index in searchable encryption. However, since embeddings are not guaranteed to be irreversible, attackers may attempt to reconstruct the original data from the vectors.
In this paper, we propose SRAG as a Secure RAG scheme. In SRAG, we construct an encrypted index using homomorphic encryption. However, the naive configuration imposes a significant computational cost on the data searcher during decryption. To address this, we propose an algorithm that reduces the computational cost while maintaining the same accuracy as the naive method. This is achieved by performing vector clustering in advance and extracting only the clusters most relevant to the user's query vector.
Finally, we compare SRAG with the prior application Wally, proposed by Asi et al. [ABG+2024].
An Improved TreeKEM protocol with stronger PCS
○Otsuru Tomoko(Japan Advanced Institute of Science and Technology)
、Fujisaki Eiichiro(Japan Advanced Institute of Science and Technology)
Secure Messaging protocols enable end-to-end secure communication over untrusted network and server infrastructure. They are used in major application services that provide secure message exchange between users, such as Signal, Facebook Messenger, etc. Their sessions may be long-lived and users may be offline, so they should guarantee Forward Secrecy (FS), where the security of all past session keys remains safe even if a user's secret key is compromised at some point, and Post-Compromise Security (PCS), where the session keys become secure again once the user updates their compromised private keys. TreeKEM is at the core of the Secure Group Messaging protocol proposed by the MLS working group launched by the IETF, and its security is analyzed by Alwen et al. with the CGKA syntax. We examine its security with a focus on TreeKEM itself and propose a simple modification to it. Our protocol provides better security with respect to per-node secret key compromise: it is more difficult for an adversary to compute update secrets and easier for users to recover from compromise.
Privacy Data Extraction Attacks on Large Language Models Using Context Binding and Defense by Machine Unlearning
○中井 綱人(Mitsubishi Electric Corporation)
、Wang Ye(Mitsubishi Electric Research Laboratories)
、Liu Jing(Mitsubishi Electric Research Laboratories)
、Koike-Akino Toshiaki(Mitsubishi Electric Research Laboratories)
、大西 健斗(Mitsubishi Electric Corporation)
、東 拓矢(Mitsubishi Electric Corporation)
Esports Playstyle Recognition in a Competitive 2D Fighting Game through Deep Recurrent Neural Networks
○Mhd Irvan(The University of Tokyo)
、Franziska Zimmer(The University of Tokyo)
、Ryosuke Kobayashi(The University of Tokyo)
、Maharage Nisansala Sevwandi Perera(The University of Tokyo)
、Rie Shigetomi Yamaguchi(The University of Tokyo)
The growing popularity of esports has highlighted the need for advanced methods of player identification to address issues such as account sharing and cheating. This study explores a machine learning approach to identifying esports players through unique behavioral signatures in gameplay. By analyzing a dataset of professional players, we apply deep recurrent neural networks to capture and analyze key features such as movement patterns and combo executions. The results reveal that players exhibit consistent and distinct behavioral traits, enabling accurate identification over time. Additionally, we explore the impact of more subtle player strategies, including decision-making under pressure and defensive vs. offensive patterns. Our findings suggest that behavioral biometric signatures can provide a reliable and scalable solution for player identification, offering significant potential for enhancing security and fairness in competitive esports.
The security of Proof-of-Work-based blockchain systems is maintained by mining. Mining has the problem that revenue is unstable, so many miners cooperate to form mining pools. However, most existing mining pools are operated in a centralized manner, which undermines the decentralization of the blockchain.
Decentralized mining pools are a practical means of solving the above problem. P2Pool and SmartPool are widely known, but P2Pool has problems with scalability and security during bootstrapping, while SmartPool is not budget-balanced and incurs smart contract fees. In this work, we propose FiberPool, a decentralized mining pool that solves these problems. FiberPool consists of a smart contract on the main chain, a sidechain that shares the information needed to verify shares, and a Plasma chain. FiberPool removes the computational cost and data associated with share verification from the main chain and lowers fees by going through the Plasma chain. We also show fairness, budget balance, reward stability, and incentive compatibility of FiberPool Proportional, the reward distribution scheme adopted by FiberPool.
2A3-3
Cold (and Hot) Staking in Proof of Stake
○Larangeira Mario(Institute of Science Tokyo/IOG)
The stake delegation technique is what turns general Proof of Stake (PoS) into a practical protocol for a large number of participants, ensuring the security of the distributed system, in what is known as Delegated PoS. Karakostas et al. (SCN '20) formalized the delegation method, paving the way for a whole industry of stake pools, by proposing a formal definition for a wallet as a universally composable (UC) functionality and introducing a corresponding protocol. On the other hand, a widely used technique named Hot/Cold Wallet was formally studied by Das et al. (CCS '19 and '21) and Groth and Shoup (Eurocrypt '22) for different key derivation methods in the Proof of Work (PoW) setting. Briefly, while hot wallets are exposed to the risks of the network, the cold wallet is kept offline and is thus more secure. However, this may impair some capabilities, given that the cold wallet is kept indefinitely offline. It is straightforward to observe that this "double wallet" design is not naturally portable to the setting where delegation is paramount, i.e., DPoS. This work discusses challenges for implementing a PoS Hot/Cold Wallet, and proposes a secure protocol.
Unlimited Update Updatable Public Key Encryption based on Lattice
○Kaiming Chen(Osaka University)
、Atsuko Miyaji(Osaka University)
、Jiageng Chen(Central China Normal University)
Updatable Public Key Encryption (UPKE) is a cryptographic method designed for updating public and private keys in secure communication protocols. This concept was initially introduced by Jost et al. at EUROCRYPT 2019. Later, Alwen et al. (CRYPTO 2020) proposed an IND-CPA secure UPKE scheme. Haidar et al. advanced this by achieving a Learning with Errors (LWE)-based UPKE without requiring noise-flooding, though their scheme still suffers from limitations on the number of updates. In this paper, we propose a novel UPKE scheme based on Module Learning with Errors (MLWE) reconciliations. Rather than continuously adding randomness to the private key, we update it at each epoch by adding a new random value and a hash derived from both this random value and the previous public key to the initial private key.
On Variations of Multi-round Special Soundness and Their Fiat-Shamir Transform
◎Zehua Shang(Kyoto University)
、Miyako Ohkubo(NICT)
、Mehdi Tibouchi(NTT Social Informatics Laboratories)
、Masayuki Abe(NTT Social Informatics Laboratories)
The Fiat-Shamir transformation is a general paradigm to construct efficient non-interactive zero-knowledge proofs from any public-coin interactive proof in the random oracle model. Recently, multi-round protocols have seen a major surge of popularity in the research community, due to their active use in the design of zk-SNARKs. In this paper, we conduct a survey on recent variants of multi-round special soundness definitions. We compare their constructions of Fiat-Shamir knowledge extractors and their ranges of applications. Additionally, we show that the Fiat-Shamir transformation of any statistical special-sound interactive proof (proposed by Abe et al. in CRYPTO 2024) is knowledge sound.
UC Framework Modelling for Mechanized Verification of Proofs
○Jourenko Maxim(Institute of Science Tokyo)
Designing cryptographic systems and protocols and rigorously proving them secure is an arduous and challenging task. Among the methods commonly used to prove the security of cryptographic protocols, formalizing a protocol in Canetti's Universal Composability (UC) framework offers several benefits: (1) modular protocol design, (2) security of protocols is preserved under arbitrary composition and concurrent execution, and (3) security against any computationally polynomially bounded adversary within the setting defined by the prover.
However, working within the UC framework can be cumbersome, requires a long time commitment by the prover, and is prone to errors. While the use of proof assistants in cryptography and IT security is a prominent research area, proof assistants for UC are still in their infancy.
Here we show our ongoing work to not only create a proof assistant for the UC framework, but to automate the proof process. We (1) define a domain-specific language (DSL) for UC, (2) translate a UC program into a stochastic model, more specifically a Markov Decision Process (MDP), and (3) verify the UC program using an existing probabilistic model checker. To our knowledge, our work represents the first attempt at utilizing model checking to verify UC programs.
Masks and MACs (M&M), proposed at TCHES 2019, counters physical attacks by combining masking with circuit redundancy based on information-theoretic MAC tags. Specifically, masking addresses side-channel analysis and circuit redundancy addresses fault analysis. At SCIS 2022, we reported that AES protected with M&M is vulnerable to zero-value attacks. In this paper, we extend M&M to eliminate this vulnerability and report a new countermeasure that can detect the presence of faults at each step. Because this method adds fault detection circuitry, increases in circuit area and randomness consumption are unavoidable. As a new attempt, we therefore study an efficient implementation that reduces the number of masking shares while maintaining security equivalent to the M&M technique. This paper focuses in particular on the substitution circuit (S-box) and reports a comparison of security and implementation cost.
Collision-Resistant and Pseudorandom Hashing Modes of Compression Functions
○Shoichi Hirose(University of Fukui)
、Hidenori Kuwakado(Kansai University)
This paper presents two novel keyed hashing modes, KHC1 and KHC2, designed to construct hash functions that guarantee collision resistance and pseudorandomness. These modes employ compression functions alongside unique encoding schemes, enabling efficient handling of variable-length inputs. The proposed constructions achieve collision resistance, provided that the underlying compression function satisfies the extended notion of collision resistance, which ensures it is intractable to find distinct input pairs whose output difference falls within a small set. They are also proven to be secure pseudorandom functions (PRFs) under the assumption that the underlying compression function is a PRF secure against related-key attacks. In addition, both constructions accept a 256-bit key as input and guarantee 128-bit security against quantum key recovery using Grover's algorithm when instantiated with the SHA-256 compression function.
Anonymous Authentication in the Metaverse: Requirements, Technologies, and Challenges
◎Weiyu WANG(The University of Aizu)
、Zhuotao LIAN(Kyushu University)
、Weizheng WANG(City University of Hong Kong)
、Kouichi SAKURAI(Kyushu University)
、Chunhua SU(The University of Aizu)
As the metaverse evolves, ensuring the security and privacy of user identities has become a critical issue. This paper examines the key requirements for anonymous authentication in the metaverse, focusing on user privacy protection, identity management, and cross-platform interoperability. It evaluates the strengths and limitations of various technological solutions, including zero-knowledge proofs, group signatures, and blockchain, and compares their suitability for different use cases. Finally, the paper discusses the main challenges in terms of technology, application, and regulation, while exploring future development trends.
Deceiving Machine Learning-Based NIDS via Transferable Targeted Evasion Attacks
◎Mariama Mbow(Kyushu University)
、Miyamoto Kohei(National Institute of Information and Communications Technology)
、Takeshi Takahashi(National Institute of Information and Communications Technology)
、Kouichi Sakurai(Kyushu University)
The security of artificial intelligence (AI) systems has become a critical concern due to their susceptibility to adversarial examples. This study investigates the robustness of machine learning-based network intrusion detection systems (NIDS) against targeted evasion attacks. We propose an attack algorithm that generates adversarial network traffic flows designed to deceive NIDS models into misclassifying malicious traffic as benign. Experimental evaluations reveal significant vulnerabilities of various NIDS architectures. For instance, in a non-adversarial environment, the MLP-based NIDS model, built with the CICIDS2017 dataset, detected 99% of brute force attacks and 99% of DDoS attacks. However, under adversarial attacks, the model misclassified 50% of brute force attacks and 41% of DDoS attacks as benign. These findings demonstrate that adversaries can exploit such vulnerabilities to bypass the system, emphasizing the need to develop robust defense mechanisms to counter these threats.
TLS, an authentication method using public key certificates issued by trusted certificate authorities, is used to strengthen the security of communication on the Internet. The Online Certificate Status Protocol (OCSP) is one way to verify that a public key certificate used in TLS is valid and has not been revoked. OCSP has the advantage of small communication overhead, but the certificate authority that issues certificates for a server receiving concentrated connections requires a large communication bandwidth to respond to OCSP requests. In this paper, we propose a method that applies Named Data Networking (NDN) to OCSP and evaluate its effectiveness using a network simulator. We then show that the proposed method reduces bandwidth consumption and improves response time compared to existing OCSP.
2F4-3
Feasibility of integration of LLM as the role of security experts in access control models
◎Nakul Ghate(NEC Corporation)
、Trong Khang Mai(JAIST)
、Jongmin Lee(JAIST)
、Razvan Beuran(JAIST)
Large Language Models (LLMs) have brought a whole new paradigm to the automation of language-based tasks. Since access control policies are often written in natural language, there is promising potential to automate the creation of these policies through LLMs. In this study, we integrated an LLM with our in-house ABAC model to output firewall rules for a target Industrial Control System. We perform quantitative and qualitative analysis of LLM-generated policies and report the current capabilities of LLMs in access control integration.
AEAD-to-CBC Downgrade Attack on Format Oracle
◎Ken Takayama(SECOM CO., LTD.)
While Authenticated Encryption with Associated Data (AEAD) ciphers provide confidentiality, integrity and authentication for data, AEAD-to-CBC Downgrade Attack reveals the secret inside the plaintext message by turning AEAD algorithm into non-AEAD algorithm AES-CBC. It assumes ciphertext receiver acts as a Decryption Oracle that it replies with the decrypted plaintext to the sender when it fails a format check. In this paper, we present a variant of this attack, using another oracle, Format Oracle. It also leaks enough hints for the attacker to estimate the secret, while providing less information than Decryption Oracles. We have confirmed that existing mitigation techniques deriving different encryption/decryption keys for different algorithms also prevent this attack and have proposed it to IETF CBOR Object Signing and Encryption (COSE) standards. Additionally, we have proposed patches to COSE libraries supporting non-AEAD ciphers including AES-CBC, disabling them by default to prevent library users from unintentional use of them.
Private Set Intersection (PSI) and Private Set Union (PSU), protocols that take the set held by each participant as input and compute the intersection or union without revealing the inputs, have been actively studied. However, while the set difference is another representative set operation, to the authors' knowledge no Private Set Difference (PSD) protocol for computing it securely is known, nor is it covered by Private Set Operation (PSO) protocols, which can compute PSI, PSU and their variants. This is presumably because, in the two-party case, computing the intersection is equivalent to computing the difference, so PSI suffices; with more than two participants, however, PSI, PSU and PSO cannot realize PSD. If PSD can be realized, a participant can learn which elements only it holds without those elements being revealed to the other participants. In this paper, we discuss the difficulty of realizing PSD and propose a basic protocol for realizing PSD as well as PSD protocols for special cases.
Verkle trees, proposed in 2018, are a type of vector commitment scheme that enables one to commit to a sequence of values in a tree-like structure, with the ability to later open one or more values at a certain position, along with a proof of their consistency with the original commitment. Although Verkle trees share a similar tree-like structure with Merkle trees, the key difference is the use of the KZG commitment scheme instead of hash functions for deriving parent nodes. This makes Verkle trees more efficient than Merkle trees in terms of proof size and verification time, as the KZG commitment scheme enables constant proof size and verification time. However, verifying KZG proofs is computationally intensive, particularly on blockchain platforms, as it involves elliptic curve operations. This could result in slower and more expensive verification depending on the data committed. In this work, we implement Verkle trees with tree construction and proof generation conducted outside of the blockchain, while verification is conducted on the blockchain in a smart contract. We then evaluate the on-chain verification cost and compare its performance with other vector commitment schemes, such as Merkle trees.
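Since the abstract measures Verkle trees against the Merkle baseline, the following added example (not code from the paper) shows the Merkle tree used as a vector commitment in the sense described above: commit to a sequence of values, open one position with a sibling-hash proof, and verify the opening against the root. The proof here has one hash per tree level, so its length grows with log2 of the number of leaves; the constant-size proofs the abstract attributes to KZG are exactly what removes that growth. The hash function, the leaf/node domain-separation bytes and the padding value are my own choices.

```python
"""Merkle tree as a vector commitment: commit, open at a position, verify."""
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _leaf(value: bytes) -> bytes:
    # Domain separation: leaves and internal nodes hash under different prefixes so a
    # leaf value cannot be confused with a concatenated pair of child digests.
    return _h(b"\x00" + value)


def _node(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


# Padding digest for incomplete bottom layers; distinct from any real leaf digest.
_PAD = _h(b"\x02")


def _layers(values):
    """All tree layers, bottom (leaves, padded to a power of two) to top (root)."""
    layer = [_leaf(v) for v in values]
    size = 1
    while size < len(layer):
        size *= 2
    layer += [_PAD] * (size - len(layer))
    layers = [layer]
    while len(layer) > 1:
        layer = [_node(layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
        layers.append(layer)
    return layers


def commit(values) -> bytes:
    """Commitment to the whole sequence: the root digest."""
    return _layers(values)[-1][0]


def open_at(values, index: int):
    """Opening proof for position index: the sibling digest at every level."""
    proof = []
    for layer in _layers(values)[:-1]:
        proof.append(layer[index ^ 1])
        index //= 2
    return proof


def verify(root: bytes, index: int, value: bytes, proof) -> bool:
    """Recompute the path from the claimed leaf to the root and compare."""
    acc = _leaf(value)
    for sibling in proof:
        acc = _node(acc, sibling) if index % 2 == 0 else _node(sibling, acc)
        index //= 2
    return acc == root


def proof_len(values, index: int) -> int:
    """Number of digests in an opening proof (log2 of the padded leaf count)."""
    return len(open_at(values, index))


if __name__ == "__main__":
    vals = [b"a", b"b", b"c", b"d", b"e"]  # constructed sample sequence
    root = commit(vals)
    proof = open_at(vals, 2)
    print("valid opening:", verify(root, 2, b"c", proof))
    print("wrong value rejected:", not verify(root, 2, b"x", proof))
    print("proof digests:", len(proof))
```

The verifier only needs the root, the position, the claimed value and the proof, which is the same interface a smart-contract verifier would expose; a KZG-based Verkle opening replaces the list of sibling digests with a constant-size proof at the cost of elliptic-curve pairing work on the verifier side.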
Consensus protocols are fundamental protocols in distributed computing. Each of n participants holds an input, and even if at most t of them are controlled by an adversary, the protocol must satisfy (1) the uncontrolled participants output the same value, and (2) if the uncontrolled participants all have the same input value, they output that value. Consensus protocols consider only the case t < n/2, and it is known that in general a number of rounds proportional to the number t of controlled participants is required. In this work, in the authenticated setting where signatures are available, we propose a consensus protocol that runs in a constant number of rounds for any t < n/2 against an adversary that evades attack detection.
Crowhammer: A Key-recovery attack on Falcon
◎Calvin ABOU HAIDAR(NTT Social Informatics)
、Mehdi TIBOUCHI(NTT Social Informatics)
In this paper, we show that FALCON, the hash-and-sign signature scheme over NTRU lattices selected by NIST for standardization, is vulnerable to an attack using Rowhammer. FALCON's Gaussian sampler is the core component of its security, as it allows one to provably decorrelate the short basis used for signing from the output signatures. Other schemes lacking this guarantee (such as NTRUSign, GGH or, more recently, PEREGRINE) were proven insecure. However, performing efficient and secure Gaussian sampling has proved to be a difficult task, providing numerous potential vulnerabilities to be exploited. To avoid timing attacks, a common technique is to use distribution tables that are traversed to output a sample. The official FALCON implementation submitted to NIST uses this technique, employing a hardcoded reverse cumulative distribution table (RCDT). Using Rowhammer, we target FALCON's RCDT to trigger a very small number of targeted bit-flips and prove that the resulting distribution is sufficiently skewed to perform a key-recovery attack. Namely, we show that a mere two bit-flips suffice to recover the key. In the process, we also study the effects of those perturbations on the distribution of the complex sampler used in FALCON.
Software Defined Radio (SDR), a new type of radio receiver, covers a wide band, has high resolution and can capture data in real time despite its low price, and is therefore considered suitable for waveform acquisition in side-channel attacks. Previously, we captured waveforms from a software implementation of AES using an SDR and succeeded in extracting the AES key. This time, we conducted a similar side-channel attack experiment on a hardware implementation of AES, which has a higher processing speed. Using a current probe and an electromagnetic probe on an MCU with a built-in AES coprocessor, we captured and analyzed waveforms with the SDR; as a result, we succeeded in extracting the AES key and confirmed the usefulness of SDR.
In recent years, from the viewpoint of AI safety, the need to evaluate model safety before a service is offered has been pointed out, and various benchmarks have been proposed; however, which benchmarks should actually be used to obtain a reliable evaluation remains unsettled. Based on Japan's "Guide to Evaluation Perspectives on AI Safety", this study collected benchmark datasets for LLMs from GitHub, Hugging Face and Papers with Code and classified them by evaluation perspective. As a result, we found that relatively many benchmarks exist for "control of harmful information output", "prevention of misinformation and disinformation", "fairness", "privacy protection" and "robustness", whereas almost no datasets covering "inclusiveness", "handling of high-risk use", "explainability", "data quality" and "verifiability" have been proposed. Perspectives that are difficult to handle with simple input/output evaluation, and perspectives that require consideration of the whole system, also came to light. Further research should focus on these underdeveloped areas and develop safety evaluation methods that consider the whole system, as well as new datasets. This study provides important insights for the future field of AI security.
As many companies and organizations actively promote the use of AI, the importance of security for AI is increasing. The use of AI also calls for responses to AI governance and AI safety, and the issues to be considered are wide-ranging. For AI safety, the application of software engineering and of safety analysis methods such as STAMP/STPA has been proposed, but countermeasures for AI security have not yet been sufficiently established. At present, existing cybersecurity countermeasures are being applied, but trial and error can be seen in the concrete methods of applying them. In this presentation, we report on trends in the current state of AI security and its countermeasure methods, comparing them with related fields.
NIST PQC Additional Signatures Second Round Candidate: QR-UOV
◎Hiroki Furue(NTT Social Informatics Laboratories)
、Yasuhiko Ikematsu(Kyushu University)
、Fumitaka Hoshino(University of Nagasaki)
、Tsuyoshi Takagi(The University of Tokyo)
、Haruhisa Kosuge(NTT Social Informatics Laboratories)
、Kimihiro Yamakoshi(NTT Social Informatics Laboratories)
、Rika Akiyama(NTT Social Informatics Laboratories)
、Satoshi Nakamura(NTT Social Informatics Laboratories)
、Shingo Orihara(NTT Social Informatics Laboratories)
、Koha Kinjo(NTT Social Informatics Laboratories)
The multivariate-based unbalanced oil and vinegar signature scheme (UOV) is one of the candidates for post-quantum cryptography (PQC). UOV is a well-established signature scheme owing to its short signatures and fast performance, but its public key is much larger than that of other PQC candidates. At ASIACRYPT 2021, Furue et al. proposed quotient ring UOV (QR-UOV) as a new variant of UOV, which reduces the public key size compared to plain UOV. QR-UOV has been submitted to the NIST PQC standardization of additional digital signature schemes and was recently selected as a second round candidate. In this work, we discuss the security points mentioned in NIST's first round report. Furthermore, we provide a new key recovery attack method on QR-UOV over the base field that utilizes the QR structure. We show that this proposed method corresponds to existing attacks performed over the extension field and does not reduce the security of QR-UOV compared with the previous estimation.
3A2-3
On the Reference Implementation of QR-UOV and its Revised Version
○Fumitaka Hoshino(University of Nagasaki)
、Hiroki Furue(NTT Social Informatics Laboratories)
、Yasuhiko Ikematsu(Kyushu University)
、Tsuyoshi Takagi(The University of Tokyo)
、Haruhisa Kosuge(NTT Social Informatics Laboratories)
、Kimihiro Yamakoshi(NTT Social Informatics Laboratories)
、Rika Akiyama(NTT Social Informatics Laboratories)
、Satoshi Nakamura(NTT Social Informatics Laboratories)
、Shingo Orihara(NTT Social Informatics Laboratories)
、Koha Kinjo(NTT Social Informatics Laboratories)
Furue et al. proposed a post-quantum signature scheme called QR-UOV, and submitted it to the post-quantum cryptography standardization process for additional digital signature schemes. Recently NIST announced that 14 candidates, including QR-UOV, have advanced to the second round of the process, and encouraged the designers of QR-UOV to further optimize their implementation. In response to this encouragement, the designers decided to tweak the specification of QR-UOV and revise their implementation. In this talk, we illustrate the details of this update and evaluate its effect.
3A2-4
The Security of ML-DSA against Fault Attacks
○Haruhisa Kosuge(NTT Social Informatics Laboratories)
、Keita Xagawa(Technology Innovation Institute)
ML-DSA (FIPS 204) is based on Fiat-Shamir with aborts and supports deterministic and hedged signature generation. The concept of hedged Fiat-Shamir and its security model were introduced by Aranha et al. (EUROCRYPT 2020). The EUF-fCMNA (existential unforgeability under faults, chosen message and nonce attacks) security model extends the standard EUF-CMA model to incorporate fault injection on the signing procedure. The EUF-fCMNA model assumes adversarial capabilities to inject faults into a certain intermediate bit value. Hedging enhances security against fault attacks by introducing additional randomness and has been proven EUF-fCMNA-secure for some critical fault injections in the random oracle model (ROM). Subsequently, Grilo et al. (ASIACRYPT 2021) extended this result to the quantum random oracle model (QROM). Despite these advancements, the EUF-fCMNA security of ML-DSA has not been formally analyzed. As a result, the extent to which hedging in ML-DSA mitigates fault attacks remains unclear. To address this gap, we analyze the EUF-fCMNSA security of ML-DSA by modifying the EUF-fCMNA model to account for its loop iteration and unique per-signature randomness generation. This analysis specifies the types of faults for which the EUF-fCMNSA security of ML-DSA can be proven.
In recent years, with the spread of Internet of Things (IoT) devices, security issues in hardware devices have been increasing. Several methods that analyze power consumption have been proposed for detecting abnormal behavior of hardware devices. Since IoT devices usually execute the same operations repeatedly, their power consumption waveforms are expected to be periodic, so SARIMA, which is used to analyze stationary time-series data, is considered effective for detecting such abnormal behavior. In this paper, we propose a method for detecting abnormal behavior of IoT devices based on a reference waveform produced by SARIMA. The proposed method extracts the application power waveform from the measured power consumption waveform using an autoencoder. It then generates a reference waveform from the obtained application power waveform using SARIMA and detects abnormal behavior by comparing the two. Applying the proposed method to an IoT device implemented on a Raspberry Pi 4, SARIMA generated a highly accurate reference waveform for the application power waveform, and abnormal behavior was successfully detected.
In recent years, URLs that lead to malicious sites have been registered in the Google search engine, and cases of redirection to phishing sites and the like have been reported. Among these, we discovered that URLs with domains owned by Google are registered and lead to malicious sites. When an FQDN formed by adding adservice as a subdomain of a domain listed at www.google.com/supported_domain (for example .google.com, giving adservice.google.com) is searched with the site operator, a large number of links that redirect to malicious sites appear in the search results. We collected these links, accessed them using Robotic Process Automation, and observed the chain of transitions leading to the final page. Whether the final page was malicious was judged using Symantec's WebPulse site review request. As a result, about 62.6% of the collected final pages were judged to be malicious. The purpose of this paper is to investigate these URLs registered in Google and to investigate and report what kind of attack campaigns are being carried out.
Privacy-Preserving Inference of Machine Learning Models without Retraining
◎Sato Guilherme(Institute of Science Tokyo)
、Wakaha Ogata(Institute of Science Tokyo)
This work investigates the application of fully homomorphic encryption (FHE) to privacy-preserving machine learning, specifically focusing on reproducing traditional models and reusing existing parameters. Machine Learning as a Service (MLaaS) allows businesses to outsource machine learning tasks. However, ensuring data privacy in this context remains a significant challenge. Although many works propose a solution to this problem, none of them simultaneously meet our goal of security, privacy, consistency with existing architectures, and backward compatibility with existing training parameters. To tackle this issue, this research proposes a non-interactive, fully homomorphic encryption-based system for executing convolutional neural networks (CNN) privately, ensuring that data remains encrypted throughout the entire process. The proposed system effectively manages homomorphic operations' restrictions and computational overhead. Experimental results demonstrate the robustness of the proposed system, achieving a high agreement with the plaintext model with only a minimal drop in accuracy on the CIFAR-10 and ImageNet datasets. This highlights the minimal impact of encryption noise on model performance.
Efficient Time-Memory Trade-Offs for Both-May Information Set Decoding Algorithm
◎Hiroki Furue(NTT Social Informatics Laboratories)
、Yusuke Aikawa(The University of Tokyo)
Code-based cryptography is based on the difficulty of the syndrome decoding problem (SDP) and is one of the promising candidates for post-quantum cryptography. Information set decoding (ISD) is known as one of the most efficient frameworks for solving SDP. For the evaluation of the security of code-based schemes, it is important to estimate the time complexity in the situation where the amount of memory consumption is limited. In this work, we propose a new variant of the Both-May algorithm, which is known as the fastest ISD. The proposed algorithm achieves more efficient asymptotic time-memory trade-offs compared with the original Both-May algorithm and existing time-memory trade-off versions of other ISDs.
Study of Accelerating Lattice-Based Cryptography with Ascend AI Processor
○Ye Yuan(Huawei International Pte Ltd)
、Lanhe Gao(Huawei International Pte Ltd)
In lattice-based cryptography, including schemes constructed from hard problems over algebraically structured or unstructured lattices, the main algebraic operations are matrix multiplication and the number theoretic transform (NTT). These calculations are widely recognized as performance bottlenecks, and most software and hardware implementations focus on optimizing them. Generally, an optimized implementation requires devices with powerful vectorization and parallelization capabilities. We have noticed that some AI inference and training devices are equipped with dedicated hardware units for matrix multiplication, which can achieve high-performance mixed-precision multiply-accumulate operations. In this paper, we present methods for performing efficient large-integer matrix multiplication and NTT using such matrix computation units. We implemented the large-integer matrix multiplication of FrodoKEM and Scloud+ (a new lattice-based KEM), and NTTs with different dimensions and moduli, on an Atlas 800 AI server. The test results show that our methods offer superior performance, particularly for large-dimensional data. For single-operator execution, our implementation still demonstrates better performance than the state-of-the-art approaches on CPUs.
Adaptor signatures are a signature technique proposed by Andrew Poelstra et al. in 2017 under the concept of Scriptless Scripts and later formalized as an independent cryptographic primitive by Aumayr et al.; they serve as a building block for blockchain applications such as payment channel networks (PCNs) and atomic swaps. To meet the additional properties required by each application, several enhanced adaptor signatures with properties such as verifiability and anonymity have been proposed. However, Gerhart et al. pointed out at EUROCRYPT 2024 that the security an adaptor signature must satisfy differs depending on the application. In this paper, noting that no construction of a ring adaptor signature for atomic swaps that takes anonymity into account has existed so far, we consider a ring adaptor signature applicable to the application called N-to-N atomic swap. We present a general construction of ring adaptor signatures that protects the signer's privacy and define the security it must satisfy. We then show that, using the proposed ring adaptor signature, an N-to-N atomic swap with guaranteed anonymity can be constructed.
Revisiting the Comparison of Digital Signature Algorithms for Unlinkable Selective Disclosure
◎Takumi Otsuka(Waseda University)
、Shigeo Mizuno(Waseda University)
、Ken Watanabe(Waseda University)
、Masato Tsutsumi(Waseda University)
、Kazue Sako(Waseda University)
This study revisits the comparative analysis of digital signature algorithms for unlinkable selective disclosure, integrating the BBS and Protego signature schemes into the evaluation. Building on prior research that examined CL, BBS+, and PS signatures, this work provides an updated perspective on their computational efficiency, key and signature sizes, and zero-knowledge proof performance. By evaluating the practical feasibility and efficiency of these additions, this study offers new insights for designing scalable solutions in verifiable credentials and anonymous authentication.
Formal and Experimental Verification of Robot Control Protocols for Smart Buildings
○Jingting Wu(Japan Advanced Institute of Science and Technology)
、Razvan Beuran(Japan Advanced Institute of Science and Technology)
With the increasing complexity of IoT systems, assuring IoT system trustworthiness has become a critical task. Based on the IoT System Trustworthiness Levels (TALs) classified by Beuran, this paper reports a case study on assuring that the robot control protocols of a smart building meet high trustworthiness levels through formal verification and experimental verification. Our formal verification focuses on model checking, ensuring that the safety and liveness properties of the protocols hold. Our experimental verification focuses on simulation and fuzzing, identifying unexpected problems. We comparatively analyzed the two sets of results, identified eight types of problems, proposed improvement plans, and re-verified to meet high trustworthiness levels. The results show that the two methods are to some extent complementary. This paper also reports an idea that combines simulation and model checking.
Enhancing the Deceptive Power of One-Pixel Attacks on Facial Expression Recognition Systems
Kumar Pramod(PDPM Indian Institute of Information Technology, Design and Manufacturing, Jabalpur)
、Gamini Gayatri(PDPM Indian Institute of Information Technology, Design and Manufacturing, Jabalpur)
、Seal Ayan(PDPM Indian Institute of Information Technology, Design and Manufacturing, Jabalpur)
、Mohanty Sraban Kumar(PDPM Indian Institute of Information Technology, Design and Manufacturing, Jabalpur)
、Haibo Zhang(Kyushu Institute of Technology)
、○Kouichi Sakurai(Kyushu University)
IND-CPA Security and Implementation of Finsler Encryption
○Tetsuya Nagano(University of Nagasaki)
、Hiroaki Anada(Meiji Gakuin University)
The mathematical structure of Finsler Encryption was discussed in detail at ICISC2023, where in particular a proof of indistinguishability against chosen-plaintext attacks (IND-CPA) was presented for the first time. In this paper, we re-examine the scheme and provide a concise description from the point of view of IND-CPA security. In addition, we report on an implementation in Python and provide execution data such as the time required for encryption and decryption of a 1MB plaintext.
3B4-2
The Security of Hash-and-Sign with Retry against Superposition Attacks
○Haruhisa Kosuge(NTT Social Informatics Laboratories)
、Keita Xagawa(Technology Innovation Institute)
Considering security against quantum adversaries, while it is important to consider traditional existential unforgeability (EUF-CMA security), it is desirable to consider security against adversaries making quantum queries to the signing oracle: Plus-one security (PO security) and blind unforgeability (BU security), proposed by Boneh and Zhandry (Crypto 2013) and Alagic et al. (EUROCRYPT 2020), respectively. Hash-and-sign is one of the most common paradigms for constructing EUF-CMA-secure signatures in the quantum random oracle model, employing a trapdoor function and a hash function. It is known that its derandomized version is PO- and BU-secure. A variant of hash-and-sign, known as hash-and-sign with retry (HSwR), formulated by Kosuge and Xagawa (PKC 2024), is widespread since it allows for weakening the security assumptions. Unfortunately, it has not been known whether HSwR can achieve PO and BU security even with derandomization. In this paper, we apply a derandomization with bounded loops to HSwR. We demonstrate that HSwR can achieve PO and BU security through this approach. Furthermore, we show that HSwR taking this approach achieves EUF-CMA security with a tighter security bound than the original one. Our results support its wider adoption.
In recent years, with the evolution of vehicle functions, ECU integration and the introduction of the Software Defined Vehicle (SDV), addressing the security risks of in-vehicle systems has become increasingly important. Compliance with ISO/SAE 21434 requires TARA (Threat Analysis and Risk Assessment), VARA (Vulnerability Analysis and Risk Assessment) and security evaluation to be carried out in an integrated manner; however, because these processes are insufficiently linked, omissions in evaluation items and increased workload are problems. In this paper, we propose a method that reduces workload through automatic generation of security evaluation specifications and, by linking the processes, prevents omissions in evaluation items and realizes comprehensive testing. This resolves the traceability problem across processes in the in-vehicle domain and improves the security of the whole system. We also propose a method that feeds evaluation results back to TARA and VARA, leading to verification of the risks and revision of the countermeasure requirements.
In recent years, with the rapid evolution of vehicle functions, the integration of ECUs (Electronic Control Units) and the introduction of SDVs (Software Defined Vehicles), responding to security risks to vehicles has become more important. In particular, the security evaluation of vehicles, which have a variety of communication interfaces, is becoming ever more important as the final verification phase before shipment. However, as the security risks to vehicles increase, the number of items in a security evaluation also tends to increase, and as a result the evaluation effort keeps growing. Security evaluation also requires expert knowledge of the evaluation content and an understanding of the product specification, so judging results is difficult without prior knowledge. In this study, targeting fuzz testing, one of the test items in security evaluation, which sends unexpected inputs to detect abnormal behavior and vulnerabilities, we propose a method that automatically performs impact evaluation. Specifically, based on information extracted from the logs taken during evaluation and from user settings, a primary analysis by keyword detection and a secondary analysis by generative AI are performed, and the two analysis results are combined to judge the outcome automatically. This method is expected to improve efficiency by reducing evaluation effort and to lower the difficulty of carrying out evaluations by removing the need for expert knowledge.
Key Recovery Attacks with less signatures for Threshold ECDSA
○YIYING LI(Degree Programs in Systems and Information Engineering-University of Tsukuba)
、NOBORU KUNIHIRO(University of Tsukuba)
Threshold signatures enable a group of parties to collaboratively generate a signature without exposing their individual secret shares. Among these, threshold ECDSA protocols have gained prominence for securing cryptocurrency wallets, which protect hundreds of billions of dollars in assets. However, constructing threshold ECDSA is challenging due to the non-linear nature of the ECDSA signing process. The GG20 protocol marked a significant milestone as the first efficient threshold ECDSA signature utilizing the MtA protocol for distributed signing. Recently, a new key-extraction attack has been proposed against GG20 threshold ECDSA. This attack reveals a vulnerability in GG20's MtA protocol by exploiting a tampered Paillier public key, which allows a single corrupted party to recover a full secret share. In this paper, we analyze the relationship between the number of signatures and the brute-force attempts required to achieve a desired probability of success in this attack. We demonstrate that this attack can be performed practically with fewer than 16 signatures, which was previously considered necessary.
ReForger: Advanced Protection of Dynamic Library Imports via LLVM IR Transformation
◎Andras Mumm(Bachelor Student of Environment and Information Science, Keio University)
、Kawashima Hideyuki(Associate Professor, Faculty of Environment and Information Studies Graduate school of Media and Governance, Keio University)
Reverse engineering software typically involves analyzing strings and imported functions inside of compiled binaries to understand program behavior and determine points of interest. While compile-time string encryption and lazy importing can hide some information, these techniques are insufficient against dynamic analysis methods like function hooking, which can reveal usage locations of imports at runtime through (call)stack analysis. This paper investigates the feasibility of a novel technique that enhances software protection by dynamically lifting individual functions from loaded libraries (DLLs in Windows) into LLVM Intermediate Representation (IR) during runtime. Obfuscation techniques are then applied to the IR, and the functions are recompiled into machine code and embedded into a new code section within the executable. This process results in internal, obfuscated copies of dynamic library functions that are more resistant to detection through standard static and dynamic analysis techniques. By combining this approach with lazy importing, we aim to maximize the concealment of critical information from reverse engineers.
Fully Homomorphic Encryption over the Torus (TFHE) is a type of fully homomorphic encryption, i.e. encryption that allows computation on data while it remains encrypted, and is particularly suited to evaluating logic circuits. With it, statistical processing of confidential information and similar tasks can be outsourced to an external server. However, with TFHE one cannot verify that the returned result comes from executing the outsourced computation. The Gennaro-Gentry-Parno (GGP) protocol is a way of adding computation verification to fully homomorphic encryption. GGP makes computation on encrypted data verifiable by running, on top of fully homomorphic encryption, the Garbled Circuit (GC) method, which makes computation verifiable by replacing logic gate evaluation with decryption. However, GGP had never been implemented, partly because fully homomorphic encryption is very slow compared with plaintext computation. In this work, by using Learning With Errors (LWE) encryption as the cipher used in the GC, we propose a method for performing the decryption quickly on TFHE, and implement and evaluate it. The proposed method achieves a speedup of roughly 20 times compared with the case where AES is used.
4F1-5
Optimistic Fair Exchange from Adaptor Signatures
◎Haoliang Tang(Kyoto University)
、Mehdi Tibouchi(NTT Social Informatics Laboratories, Kyoto University)
、Masayuki Abe(NTT Social Informatics Laboratories, Kyoto University)
In this paper, we propose a novel optimistic fair exchange protocol from Adaptor Signatures. Transactions without a trusted third party, such as blockchain-based systems, typically rely on either (1) smart contracts or (2) cryptographic techniques like adaptor signatures. Adaptor signatures embed secrets in digital signatures, enabling fair exchange without the on-chain costs of smart contracts.
Fair exchange protocols are categorized as pessimistic or optimistic. Pessimistic protocols verify the seller's data before payment, ensuring correctness but incurring computational overhead. Optimistic protocols skip pre-verification, offering greater efficiency but requiring mechanisms to address incorrect data.
Existing adaptor signature-based fair exchange protocols are predominantly pessimistic, demanding substantial computational resources. This raises the question: can a more lightweight, optimistic protocol be designed using adaptor signatures?
In response, this paper proposes an innovative optimistic fair exchange protocol based on adaptor signatures.
Security concerns have become increasingly prominent with the rapid advancement of autonomous driving technology. The planner, a crucial component of autonomous vehicles, directly impacts the vehicle’s trajectory and safety. This paper introduces AVATAR, an adversarial vehicle trajectory attack that targets vulnerabilities in autonomous driving planning modules. By manipulating surrounding traffic participants to follow a specific trajectory, this method can disrupt the planner, diverting the vehicle from its intended path and potentially leading it into hazardous areas. Experiment results show that AVATAR is effective against various planning algorithms, demonstrating the vulnerability of planning modules in real-world scenarios. The proposed method achieves an attack success rate of nearly 60% against reinforcement learning methods and approximately 80% against imitation learning methods. It also reduces the traffic efficiency of the IDM to 57%. This study reveals the susceptibility of autonomous driving planners to adversarial trajectory attacks, necessitating consideration of corresponding defense mechanisms in future research and development.
4E2-3
Robustness of Deep Reinforcement-Learning-Based Autonomous Driving to Adversarial inputs
◎Ziling He(Waseda University/RIKEN AIP)
、Jiadong Liu(Waseda University)
、Tatsuya Mori(Waseda University/NICT/RIKEN AIP)
This paper investigates the robustness of Deep Reinforcement Learning (DRL)-based autonomous driving systems against adversarial attacks that manipulate sensor inputs and action outputs. Focusing on Proximal Policy Optimization (PPO) algorithms, we design two specific attack methods: (1) {Adversarial Sensor Input Perturbation}, where adversarial perturbations are introduced to the vehicle's sensor inputs under specific trigger conditions to mislead perception and decision-making; and (2) {Direct Action Output Manipulation}, where the attacker directly alters the action outputs of the DRL model during certain conditions, modifying control commands like steering angle and acceleration without affecting sensor inputs. We trained PPO models across different driving scenarios and evaluated their performance under these attacks. Our findings show that reducing the trigger threshold significantly increases the effectiveness of both attack methods, resulting in higher collision rates and greater deviations from intended paths. Larger perturbations in sensor inputs and action outputs correlate with increased attack success rates, highlighting critical vulnerabilities in DRL-based autonomous driving systems.
In recent years, container virtualization technology has become widespread in cloud and on-premises environments thanks to its lightness and fast startup. However, security concerns have been a barrier to adoption by enterprises. In particular, the study by Sari et al. confirmed that the use of unverified or low-trust container images causes many security problems. Since container images contain software components such as applications and libraries, the use of the Software Bill of Materials (SBOM), which supports management of software vulnerabilities and licenses, is considered effective for managing their vulnerabilities. In this study, we identify the issues in performing vulnerability management of container images using SBOM and propose approaches to them. We also present the content that should be included in practical guidelines to support the use of SBOM in vulnerability management of container images.