List of Publications

Year 2023

Journal (incl. LNCS)

• Junichiro Hayata, Jacob C. N. Schuldt, Goichiro Hanaoka, Kanta Matsuura. On Private Information Retrieval Supporting Range Queries, International Journal of Information Security (2023), pp.1-19, 2023 [detail]

abstract

Private information retrieval (PIR) allows a client to retrieve data from a database without the database server learning what data are being retrieved. Although many PIR schemes have been proposed in the literature, almost all of these focus on retrieval of a single database element, and do not consider more flexible retrieval queries such as basic range queries. Furthermore, while practically-oriented database schemes aiming at providing flexible and privacy-preserving queries have been proposed, to the best of our knowledge, no formal treatment of range queries has been considered for these. In this paper, we firstly highlight that a simple extension of the standard PIR security notion to range queries is insufficient in many usage scenarios, and propose a stronger security notion aimed at addressing this. We then show a simple generic construction of a PIR scheme meeting our stronger security notion, and propose a more efficient direct construction based on function secret sharing while the former has a round complexity logarithmic in the size of the database, the round complexity of the latter is constant. After that, we report on the practical performance of our direct construction. Finally, we extend the results to the case of multi-dimensional databases and show the construction of PIR scheme supporting multi-dimensional range queries. The communication round complexity of our scheme is O(klogn) in worst case, where n is the size of database and k is the number of elements retrieved by the query.
• Ryuya Hayashi, Taiki Asano, Junichiro Hayata, Takahiro Matsuda, Shota Yamada, Shuichi Katsumata, Yusuke Sakai, Tadanori Teruya, Jacob C. N. Schuldt, Nuttapong Attrapadung, Goichiro Hanakoka, Kanta Matsuura, Tsutomu Matsumoto. Signature for Objects: Formalizing How to Authenticate Physical Data and More, Lecture Notes in Computer Science (The 27th International Conference on Financial Cryptography and Data Security: FC2023), Vol.13950, pp.182-199, 2023 [detail]

abstract

While the integrity of digital data can be ensured via digital signatures, ensuring the integrity of physical data, i.e., objects, is a more challenging task. For example, constructing a digital signature on data extracted from an object does not necessarily guarantee that an adversary has not tampered with the object or replaced this with a cleverly constructed counterfeit. This paper proposes a new concept called signatures for objects to guarantee the integrity of objects cryptographically. We first need to consider a mechanism that allows us to mathematically treat objects which exist in the physical world. Thus, we define a model called an object setting in which we define physical actions, such as a way to extract data from objects and test whether two objects are identical. Modeling these physical actions via oracle access enables us to naturally enhance probabilistic polynomial-time algorithms to algorithms having access to objects - we denote these physically enhanced algorithms (PEAs). Based on the above formalization, we introduce two security definitions for adversaries modeled as PEAs. The first is unforgeability, which is the natural extension of EUF-CMA security, meaning that any adversary cannot forge a signature for objects. The second is confidentiality, which is a privacy notion, meaning that signatures do not leak any information about signed objects. With these definitions in hand, we show two generic constructions: one satisfies unforgeability by signing extracted data from objects; the other satisfies unforgeability and confidentiality by combining a digital signature with obfuscation.

Conference

• Taichi Igarashi, Hiroya Kato, Iwao Sasase, Kanta Matsuura. A Realtime IoT Malware Classification System Based on Pending Samples, 2023 IEEE International Conference on Communications (ICC): Communication and Information System Security Symposium (ICC2023), pp.4380-4385, 2023 [detail]

abstract

With the rapid growth of Internet of Things (IoT) devices, a lot of IoT malware has been created, and the security against IoT malware, especially the family classification, has become a more important issue. There exist three requirements which classification systems must achieve: detection of new families, precise classification for sequential inputs, and being independent of computer architectures. However, existing methods do not satisfy them simultaneously. In this paper, we propose a realtime IoT malware classification system based on pending samples. In order to detect new families and to classify sequential inputs precisely, we introduce the concept of "pending samples". This concept is useful when heterogeneous inputs which are difficult to classify instantly come into the system. This is because the system can postpone classifying them until similar samples come. Once similar samples are gathered, we regard these samples as a new cluster, meaning that detecting new families is achieved. Moreover, we use printable strings to satisfy the requirement of being independent of architectures because strings are common among different architectures. Our results show the ability to detect new families demonstrated by finding new clusters after applying our algorithm to the initial clusters. Furthermore, our new clustering algorithms achieves a 0.130 higher V-measure compared to the k-means algorithm, which is the representative clustering algorithm.
• Taichi Igarashi, Kanta Matsuura. A Refined Classification of Malicious Smart Contract, Lecture Notes in Computer Science (The 27th International Conference on Financial Cryptography and Data Security: FC2023, Posters presentation), 2023 [detail]

abstract

With the rapid growth of blockchain, smart contract, which is the computer program executed on blockchain systems, has played an important role especially in the trade of cryptcurrency. However, smart contracts are utilized to commit some crimes or attacks because they often hold a large amount of cryptcurrency. Thus, to enhance the security of smart contract is an urgent need. There exists three types of crimes regarding smart contract, namely, attack using vulnerabilities, trade between criminals, and fraud. Some researchers reported that many smart contracts have vulnerabilities, and attackers exploit them to steal cryptcurrency or attack system itself like DoS attack. Another type of crime is to trade criminal information for rewards between criminals using smart contracts. Especially in recent years, fraud acts including phishing have become a big problem on blockchain, and smart contracts are utilized to support them. These crimes have occured due to the presense of Malicious Smart Contract (MSC). Thus, the systems which detect MSC are needed to prevent these crimes. Though MSC is a smart contract which shows malicious activities, there does not exist a clear definition. As a result, the word "malicious" is used in different ways among researchers. In this situation, it is difficult to detect whole MSCs. This is because different types of MSC have different malicious activities, meaning that detection systems corresponded to each type of MSC are needed. Therefore, the classification of MSC is required. Some researchers classify MSC into two types: Vulnerable Smart Contract (VSC) related to vulnerability and Criminal Smart Contract (CSC) related to trade between criminals. In this classification model, however, there does not exist a type of MSC corresponded to fraud activities. To overcome this problem, we propose a new standpoint that MSC should be classified into VSC, CSC and Fraudulent Smart Contract (FSC), which supports frauds. By introducing this standpoint, to detect whole MSCs will be realized by constructing detection systems of each MSC simultaneously. While there exists a lot of works of detecting VSC and a few CSC works have also proposed, a field of FSC detection has not developed. Some researchers proposed detection systems of malicious accounts. In this field, "malicious" means fraud activities. Thus, we consider that these kinds of works are similar to detection of FSC and can be applied. These studies mainly use machine learning to detect malicious accounts. However, their models only consider graph-based features constructed from external transaction and address data, and not focus on other features. Therefore, as a future work, considering internal transaction and smart contract code-based feature like opcode is worth working.

Year 2022

Journal (incl. LNCS)

• Ryu Ishii, Kyosuke Yamashita, Yusuke Sakai, Tadanori Teruya, Takahiro Matsuda, Goichiro Hanaoka, Kanta Matsuura, Tsutomu Matsumoto. Aggregate Signature Schemes with Traceability of Devices Dynamically Generating Invalid Signatures, IEICE Transactons on Information and Systems, Vol.E105-D, No.11, pp.1845-1856, 2022 [detail]

abstract

Aggregate signature schemes enable us to aggregate multiple signatures into a single short signature. One of its typical applications is sensor networks, where a large number of users and devices measure their environments, create signatures to ensure the integrity of the measurements, and transmit their signed data. However, if an invalid signature is mixed into aggregation, the aggregate signature becomes invalid, thus if an aggregate signature is invalid, it is necessary to identify the invalid signature. Furthermore, we need to deal with a situation where an invalid sensor generates invalid signatures probabilistically. In this paper, we introduce a model of aggregate signature schemes with interactive tracing functionality that captures such a situation, and define its functional and security requirements and propose aggregate signature schemes that can identify all rogue sensors. More concretely, based on the idea of Dynamic Traitor Tracing, we can trace rogue sensors dynamically and incrementally, and eventually identify all rogue sensors of generating invalid signatures even if the rogue sensors adaptively collude. In addition, the efficiency of our proposed method is also sufficiently practical.
• Ryu Ishii, Kyosuke Yamashita, Zihao Song, Yusuke Sakai, Tadanori Teruya, Goichiro Hanaoka, Kanta Matsuura, and Tsutomu Matsumoto. Constraints and Evaluations on Signature Transmission Interval for Aggregate Signatures with Interactive Tracing Functionality, Lecture Notes in Computer Science (Attacks and Defenses for the Internet-of-Things 5th International Workshop, ADIoT 2022), Vol.13745, pp.51-71, 2022 [detail]

abstract

Fault-tolerant aggregate signature (FT-AS) is a special type of aggregate signature that is equipped with the functionality for tracing signers who generated invalid signatures in the case an aggregate signature is detected as invalid. In existing FT-AS schemes (whose tracing functionality requires multi-rounds), a verifier needs to send a feedback to an aggregator for efficiently tracing the invalid signer(s). However, in practice, if this feedback is not responded to the aggregator in a sufficiently fast and timely manner, the tracing process will fail. Therefore, it is important to estimate whether this feedback can be responded and received in time on a real system. In this work, we measure the total processing time required for the feedback by implementing an existing FT-AS scheme, and evaluate whether the scheme works without problems in real systems. Our experimental results show that the time required for the feedback is 605.3 ms for a typical parameter setting, which indicates that if the acceptable feedback time is significantly larger than a few hundred ms, the existing FT-AS scheme would effectively work in such systems. However, there are situations where such feedback time is not acceptable, in which case the existing FT-AS scheme cannot be used. Therefore, we further propose a novel FT-AS scheme that does not require any feedback. We also implement our new scheme and show that a feedback in this scheme is completely eliminated but the size of its aggregate signature (affecting the communication cost from the aggregator to the verifier) is 144.9 times larger than that of the existing FT-AS scheme (with feedbacks) for a typical parameter setting, and thus has a trade-off between the feedback waiting time and the communication cost from the verifier to the aggregator with the existing FT-AS scheme.
• Takeshi Miyamae, Kanta Matsuura. Coin Transfer Unlinkability Under the Counterparty Adversary Model, Ledger, Vol.7, pp.17-34, 2022 [detail]

abstract

Unlinkability is a crucial property of cryptocurrencies that protects users from deanonymization attacks. However, currently, even anonymous cryptocurrencies do not necessarily attain unlinkability under specific conditions. For example, Mimblewimble, which is considered to attain coin unlinkability using its transaction kernel offset technique, is vulnerable under the assumption that privacy adversaries can send their coins to or receive coins from the challengers. This paper first illustrates the privacy issue in Mimblewimble that could allow two colluded adversaries to merge a person's two independent chunks of personally identifiable information (PII) into a single PII. To analyze the privacy issue, we formulate unlinkability between two sets of objects and a privacy adversary model in cryptocurrencies called the counterparty adversary model. On these theoretical bases, we define an abstract model of blockchain-based cryptocurrency transaction protocols called the coin transfer system, and unlinkability over it called coin transfer unlinkability (CT-unlinkability). Furthermore, we introduce zero-knowledgeness for the coin transfer systems to propose a method to easily prove the CT-unlinkability of cryptocurrency transaction protocols. Finally, we prove that Zerocash is CT-unlinkable by using our proving method to demonstrate its effectiveness.
• Kittiphop Phalakarn, Nuttapong Attrapadung, Kanta Matsuura. Efficient Oblivious Evaluation Protocol and Conditional Disclosure of Secrets for DFA, Lecture Notes in Computer Science (Applied Cryptography and Network Security - ACNS 2022 - 20th International Conference on Applied Cryptography and Network Security), Vol.13269, No., pp.605-625, 2022 [detail]

abstract

In oblivious finite automata evaluation, one party holds a private automaton, and the other party holds a private string of characters. The objective is to let the parties know whether the string is accepted by the automaton or not, while keeping their inputs secret. The applications include DNA searching, pattern matching, and more. Most of the previous works are based on asymmetric cryptographic primitives, such as homomorphic encryption and oblivious transfer. These primitives are significantly slower than symmetric ones. Moreover, some protocols also require several rounds of interaction. As our main contribution, we propose an oblivious finite automata evaluation protocol via conditional disclosure of secrets (CDS), using one (potentially malicious) outsourcing server. This results in a constant-round protocol, and no heavy asymmetric-key primitives are needed. Our protocol is based on a building block called "an oblivious CDS scheme for deterministic finite automata" which we also propose in this paper. In addition, we propose a standard CDS scheme for deterministic finite automata as an independent interest.

Conference

• Toshinori Usui, Yuto Otsuki, Yuhei Kawakoya, Makoto Iwamura, Kanta Matsuura. Script Tainting Was Doomed From The Start (By Type Conversion): Converting Script Engines into Dynamic Taint Analysis Frameworks, Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2022), pp.380-394, 2022 [detail]

abstract

Data flow analysis is an essential technique for understanding the complicated behavior of malicious scripts. For tracking the data flow in scripts, dynamic taint analysis has been widely adopted by existing studies. However, the existing taint analysis techniques have a problem that each script engine needs to be separately designed and implemented. Given the diversity of script languages that attackers can choose for their malicious scripts, it is unrealistic to prepare taint analysis tools for the various script languages and engines. In this paper, we propose an approach that automatically builds a taint analysis framework for scripts on top of the framework designed for native binaries. We first conducted experiments to reveal that the semantic gaps in data types between binaries and scripts disturb our approach by causing under-tainting. To address this problem, our approach detects such gaps and bridges them by generating force propagation rules, which can eliminate the under-tainting. We implemented a prototype system with our approach called STAGER T. We built taint analysis frameworks for Python and VBScript with STAGER T and found that they could effectively analyze the data flow of real-world malicious scripts.

Year 2021

Journal (incl. LNCS)

• Kittiphop Phalakarn, Vorapong Suppakitpaisarn, Nuttapong Attrapadung, Kanta Matsuura. Evolving Homomorphic Secret Sharing for Hierarchical Access Structures, Lecture Notes in Computer Science (Advances in Information and Computer Security - IWSEC 2021 - 16th International Workshop on Security), Vol.12835, pp.77-96, 2021 [detail]

abstract

Secret sharing is a cryptographic primitive that divides a secret into several shares, and allows only some combinations of shares to recover the secret. As it can also be used in secure multi-party computation protocol with outsourcing servers, several variations of secret sharing are devised for this purpose. Most of the existing protocols require the number of computing servers to be determined in advance. However, in some situations we may want the system to be "evolving". We may want to increase the number of servers and strengthen the security guarantee later in order to improve availability and security of the system. Although evolving secret sharing schemes are available, they do not support computing on shares. On the other hand, "homomorphic" secret sharing allows computing on shares with small communication, but they are not evolving. As the contribution of our work, we give the definition of "evolving homomorphic" secret sharing supporting both properties. We propose two schemes, one with hierarchical access structure supporting multiplication, and the other with partially hierarchical access structure supporting computation of low degree polynomials. Comparing to the work with similar functionality of Choudhuri et al. (IACR ePrint 2020), our schemes have smaller communication costs.
• Ryu Ishii, Kyosuke Yamashita, Yusuke Sakai, Takahiro Matsuda, Tadanori Teruya, Goichiro Hanaoka, Kanta Matsuura, and Tsutomu Matsumoto. Aggregate Signature with Traceability of Devices Dynamically Generating Invalid Signatures, Lecture Notes in Computer Science (2nd ACNS Workshop on Secure Cryptographic Implementation: 2nd ACNS SCI Workshop), Vol.12809, pp.378-396, 2021 [detail]

abstract

Aggregate signature schemes enable us to aggregate multiple signatures into a single short signature. One of its typical applications is sensor networks, where a large number of users and devices measure their environments, create signatures to ensure the integrity of the measurements, and transmit their signed data. However, if an invalid signature is mixed into aggregation, the aggregate signature becomes invalid, thus if an aggregate signature is invalid, it is necessary to identify the invalid signature. Furthermore, we need to deal with a situation where an invalid sensor generates invalid signatures probabilistically. In this paper, we introduce a model of aggregate signature schemes with interactive tracing functionality that captures such a situation, and define its functional and security requirements and propose aggregate signature schemes that can identify all rogue sensors. More concretely, based on the idea of Dynamic Traitor Tracing, we can trace rogue sensors dynamically and incrementally, and eventually identify all rogue sensors of generating invalid signatures even if the rogue sensors adaptively collude. In addition, the efficiency of our proposed method is also sufficiently practical.
• Toshinori Usui, Yuto Otsuki, Tomonori Ikuse, Yuhei Kawakoya, Makoto Iwamura, Jun Miyoshi, Kanta Matsuura. Automatic Reverse Engineering of Script Engine Binaries for Building Script API Tracers, Digital Threats: Research and Practice, Vol.2, No.1, pp.1-31, 2021 [detail]

abstract

Script languages are designed to be easy-to-use and require low learning costs. These features provide attackers options to choose a script language for developing their malicious scripts. This diversity of choice in the attacker side unexpectedly imposes a significant cost on the preparation for analysis tools in the defense side. That is, we have to prepare for multiple script languages to analyze malicious scripts written in them. We call this unbalanced cost for script languages asymmetry problem. To solve this problem, we propose a method for automatically detecting the hook and tap points in a script engine binary that is essential for building a script Application Programming Interface (API) tracer. Our method allows us to reduce the cost of reverse engineering of a script engine binary, which is the largest portion of the development of a script API tracer, and build a script API tracer for a script language with minimum manual intervention. This advantage results in solving the asymmetry problem. The experimental results showed that our method generated the script API tracers for the three script languages popular among attackers (Visual Basic for Applications (VBA), Microsoft Visual Basic Scripting Edition (VBScript), and PowerShell). The results also demonstrated that these script API tracers successfully analyzed real-world malicious scripts.
• Junichiro Hayata, Fuyuki Kitagawa, Yusuke Sakai, Goichiro Hanaoka, Kanta Matsuura. Equivalence between Non-Malleability against Replayable CCA and Other RCCA-Security Notions, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol.E104-A, No.1, pp.89-103, 2021 [detail]

abstract

Replayable chosen ciphertext (RCCA) security was introduced by Canetti, Krawczyk, and Nielsen (CRYPTO'03) in order to handle an encryption scheme that is "non-malleable except tampering which pre- serves the plaintext." RCCA security is a relaxation of CCA security and a useful security notion for many practical applications such as authentication and key exchange. Canetti et al. defined non-malleability against RCCA (NM-RCCA), indistinguishability against RCCA (IND-RCCA), and universal composability against RCCA (UC-RCCA). Moreover, they proved that these three security notions are equivalent when considering a PKE scheme whose plaintext space is super-polynomially large. Among these three security notions, NM-RCCA seems to play the central role since RCCA security was introduced in order to capture "non-malleability except tampering which preserves the plaintext." However, their definition of NM-RCCA is not a natural extension of that of original non-malleability, and it is not clear whether their NM-RCCA captures the requirement of original non- malleability. In this paper, we propose definitions of indistinguishability- based and simulation-based non-malleability against RCCA by extending definitions of original non-malleability. We then prove that these two notions of non-malleability and IND-RCCA are equivalent regardless of the size of plaintext space of PKE schemes.

Conference

• Hajime Kuno, Kanta Matsuura. Towards Automation of Penetration Testing for Web Applications by Deep Reinforcement Learning, Proceedings of the 37th Annual Computer Security Applications Conference (ACSAC '21), 2021 [detail]

abstract

Penetration testing (PT) that assesses vulnerabilities by considering and executing all possible attacks is important in security engineering but very expensive due to the need of experienced professionals. As a countermeasure, there are attempts to partially automate and improve the efficiency of PT. Their common feature is the use of existing PT tools (e.g. Metasploit) and machine learning (ML). Such approaches do not embed ML in PT tools, and would not improve the tools themselves. In this work, we use deep reinforcement learning to automate search and exploit executions for various vulnerabilities existing in Web applications so that a wide variety of PT tools can be integrated in an effective manner with such embedded ML. This poster will show two preliminary experiments in this direction.
• Daisuke Sumita, Kanta Matsuura. Identifying Crypto API Usages in Android Apps using a Static Analysis Framework, First DFRWS APAC Conference (poster presentation), 2021 [detail]

abstract

Forensic analysis of mobile devices is essential work for digital forensic investigators. While there are various data stored in smartphones, some of the data is encrypted by applications. Data encryption is one of the major issues of digital forensics, preventing investigators from analyzing the data quickly. In this work, we develop a tool to automatically analyze crypto API usages in Android apps. There are many Android apps which encrypt their data in smartphones using standard crypto APIs. In such cases, we can identify the cryptographic algorithms and parameters via application analysis, which helps us to analyze encrypted data. Most existing studies focus on single app, and rely on manual analysis, which requires a certain amount of skill and knowledge about reverse engineering. For this reason, we develop our tool which can analyze apps automatically, therefore we can easily identify crypto API usages in new apps. For developing analysis tool, we select and categorize typical 41 Android APIs which is used for derivation of crypto APIs parameters. Then we build our tool which can identify what API is used for crypto APIs parameters. We conduct experimental tests analyzing 139 real-world apps using our tool. As a result, we found 378 crypto API calls for the data decryption and identify 212 parameters of the API calls.

Year 2020

Journal (incl. LNCS)

• Kittiphop Phalakarn, Vorapong Suppakitpaisarn, Nuttapong Attrapadung, Kanta Matsuura. Constructive t-secure Homomorphic Secret Sharing for Low Degree Polynomials, Lecture Notes in Computer Science (Progress in Cryptology - INDOCRYPT 2020 - 21st International Conference on Cryptology in India), Vol.12578, pp.763-785, 2020 [detail]

abstract

This paper proposes t-secure homomorphic secret sharing schemes for low degree polynomials. Homomorphic secret sharing is a cryptographic technique to outsource the computation to a set of servers while restricting some subsets of servers from learning the secret inputs. Prior to our work, at Asiacrypt 2018, Lai, Malavolta, and Schroder proposed a 1-secure scheme for computing polynomial functions. They also alluded to t-secure schemes without giving explicit constructions; constructing such schemes would require solving set cover problems, which are generally NP-hard. Moreover, the resulting implicit schemes would require a large number of servers. In this paper, we provide a constructive solution for threshold-t structures by combining homomorphic encryption with the classic secret sharing scheme for general access structure by Ito, Saito, and Nishizeki. Our scheme also quantitatively improves the number of required servers from O(t^2) to O(t), compared to the implicit scheme of Lai et al. We also suggest several ideas for future research directions.
• Junichiro Hayata, Jacob C. N. Schuldt, Goichiro Hanaoka, Kanta Matsuura. On Private Information Retrieval Supporting Range Queries, Lecture Notes in Computer Science (Computer Security - ESORICS 2020 - 25th European Symposium on Research in Computer Security, Proceedings, Part II), Vol.12309, pp.674-694, 2020 [detail]

abstract

Private information retrieval (PIR) allows a client to retrieve data from a database without the database server learning what data is being retrieved. Although many PIR schemes have been proposed in the literature, almost all of these focus on retrieval of a single database element, and do not consider more flexible retrieval queries such as basic range queries. Furthermore, while practically-oriented database schemes aiming at providing flexible and privacy-preserving queries have been proposed, to the best of our knowledge, no formal treatment of range queries has been considered for these. In this paper, we firstly highlight that a simple extension of the standard PIR security notion to range queries, is insufficient in many usage scenarios, and propose a stronger security notion aimed at addressing this. We then show a simple generic construction of a PIR scheme meeting our stronger security notion, and propose a more efficient direct construction based on function secret sharing - while the former has a round complexity logarithmic in the size of the database, the round complexity of the latter is constant. Finally, we report on the practical performance of our direct construction.
• Toshinori Usui, Tomonori Ikuse, Yuto Otsuki, Yuhei Kawakoya, Makoto Iwamura, Jun Miyoshi, Kanta Matsuura. ROPminer: Learning-based Static Detection of ROP Chain Considering Linkability of ROP Gadgets, IEICE Transactions on Information and Systems, Vol.E103-D, No.7, pp.1-17, 2020 [detail]

abstract

Return-oriented programming (ROP) has been crucial for attackers to evade the security mechanisms of recent operating systems. Although existing ROP detection approaches mainly focus on host-based intrusion detection systems (HIDSes), network-based intrusion detection systems (NIDSes) are also desired to protect various hosts including IoT devices on the network. However, existing approaches are not enough for network-level protection due to two problems: (1) Dynamic approaches take the time with second- or minute-order on average for inspection. For applying to NIDSes, millisecond-order is required to achieve near real time detection. (2) Static approaches generates false positives because they use heuristic patterns. For applying to NIDSes, false positives should be minimized to suppress false alarms. In this paper, we propose a method for statically detecting ROP chains in malicious data by learning the target libraries (i.e., the libraries that are used for ROP gadgets). Our method accelerates its inspection by exhaustively collecting feasible ROP gadgets in the target libraries and learning them separated from the inspection step. In addition, we reduce false positives inevitable for existing static inspection by statically verifying whether a suspicious byte sequence can link properly when they are executed as a ROP chain. Experimental results showed that our method has achieved millisecond-order ROP chain detection with high precision.
• Yuya Senzaki, Satsuya Ohata, Kanta Matsuura. Simple Black-box Adversarial Examples Generation with Very Few Queries, IEICE Transactions on Information and Systems, Vol.E103-D, No.2, pp.212-221, 2020 [detail]

abstract

Research on adversarial examples for machine learning has received much attention in recent years. Most of previous approaches are white-box attacks; this means the attacker needs to obtain before-hand internal parameters of a target classifier to generate adversarial examples for it. This condition is hard to satisfy in practice. There is also research on black-box attacks, in which the attacker can only obtain partial information about target classifiers; however, it seems we can prevent these attacks, since they need to issue many suspicious queries to the target classifier. In this paper, we show that a naive defense strategy based on surveillance of number query will not suffice. More concretely, we propose to generate not pixel-wise but block-wise adversarial perturbations to reduce the num ber of queries. Our experiments show that such rough perturbations can confuse the target classifier. We succeed in reducing the number of queries to generate adversarial examples in most cases. Our simple method is an untargeted attack and may have low success rates compared to previous results of other black-box attacks, but needs in average fewer queries. Surprisingly, the minimum number of queries (one and three in MNIST and CIFAR-10 dataset, respectively) is enough to generate adversarial examples in some cases. Moreover, based on these results, we propose a detailed classification for black-box attackers and discuss countermeasures against the above attacks.
• Takahiro Nagamine, Kanta Matsuura. A New Protocol for Fair Addition of a Transaction Fee When Closing a Payment Channel Uncooperatively, 24th International Conference on Financial Cryptography and Data Security (FC'20), Poster presentation, 2020 [detail]

abstract

A technique called transaction replacement using timelocks is used in payment channels for Bitcoin. When closing a payment channel uncooperatively, the latest time-locked transaction is broadcasted to the Bitcoin network. However, if the Bitcoin network is crowded, the latest one with a lower fee might not be added to a block preferentially, and hence the transaction replacement might fail. This problem can be solved by adding a fee to the latest one (e.g. using SIGHASH_ANYONECANPAY). However, it is difficult to divide the additional fee cooperatively because this scenario happens in the uncooperative case. We propose a protocol that allows the transaction fee added by a single party to be divided equally between two parties. In this protocol, each party deposits funds for the additional fee to the payment channel in advance. A party can add the transaction fee alone by creating a child transaction referring to the funds (Child Pays for Parent). Then, the remains of the funds are returned to each party on two outputs of the child transaction. Regarding these two outputs, one party decides the values of outputs, and the other has a right to choose either output. As a result, a party who decides the values is motivated to specify the same value.
• Junichiro Hayata, Masahito Ishizaka, Yusuke Sakai, Goichiro Hanaoka, Kanta Matsuura. Generic Construction of Adaptively Secure Anonymous Key-Policy Attribute-Based Encryption from Public-Key Searchable Encryption, IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences, Vol.E103-A, No.1, pp.107-113, 2020 [detail]

abstract

Public-key encryption with keyword search (PEKS) is a cryptographic primitive that allows us to search for particular keywords over ciphertexts without recovering plaintexts. By using PEKS in cloud services, users can outsource their data in encrypted form without sacrificing search functionality. Concerning PEKS that can specify logical disjunctions and logical conjunctions as a search condition, it is known that such PEKS can be (generically) constructed from anonymous attribute-based encryption (ABE). However, it is not clear whether it is possible to construct this types of PEKS without using ABE which may require large computational/communication costs and strong mathematical assumptions. In this paper, we show that ABE is crucial for constructing PEKS with the above functionality. More specifically, we give a generic construction of anonymous key-policy ABE from PEKS whose search condition is specified by logical disjunctions and logical conjunctions. Our result implies such PEKS always requires large computational/communication costs and strong mathematical assumptions corresponding to those of ABE.

Year 2019

Journal (incl. LNCS)

• Kanta Matsuura. Security Evaluation Methods in Trust Infrastructure Based on Engineering and Economics, Impact, Vol.2019, No.10, pp.24-26, 2019 [detail]

links

• link
• Junichiro Hayata, Fuyuki Kitagawa, Yusuke Sakai, Goichiro Hanaoka, Kanta Matsuura. Equivalence Between Non-malleability Against Replayable CCA and Other RCCA-Security Notions, Lecture Notes in Computer Science (Advances in Information and Computer Security, The 14th International Workshop on Security: IWSEC2019), Vol.11689, pp.253-272, 2019 [detail]

abstract

Replayable chosen ciphertext (RCCA) security was introduced by Canetti, Krawczyk, and Nielsen (CRYPTO 03) in order to handle an encryption scheme that is "non-malleable except tampering which preserves the plaintext". RCCA security is a relaxation of CCA security and a useful security notion for many practical applications such as authentication and key exchange. Canetti et al. defined non-malleability against RCCA (NM-RCCA), indistinguishability against RCCA (IND-RCCA), and universal composability against RCCA (UC-RCCA). Moreover, they proved that these three security notions are equivalent when considering a PKE scheme whose plaintext space is super-polynomially large. Among these three security notions, NM-RCCA seems to play the central role since RCCA security was introduced in order to capture "non-malleability except tampering which preserves the plaintext." However, their definition of NM-RCCA is not a natural extension of that of classical non-malleability, and it is not clear whether their NM-RCCA captures the requirement of classical non-malleability. In this paper, we propose definitions of indistinguishability-based and simulation-based non-malleability against RCCA by extending definitions of classical non-malleability. We then prove that these two notions of non-malleability and IND-RCCA are equivalent regardless of the size of plaintext space of PKE schemes.
• Kanta Matsuura. Token Model and Interpretation Function for Blockchain-Based FinTech Applications, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol.E102-A, No.1, pp.3-10, 2019 [detail]

abstract

Financial Technology (FinTech) is considered a taxonomy that describes a wide range of ICT (information and communications technology) associated with financial transactions and related operations. Improvement of service quality is the main issue addressed in this taxonomy, and there are a large number of emerging technologies including blockchain-based cryptocurrencies and smart contracts. Due to its innovative nature in accounting, blockchain can also be used in lots of other FinTech contexts where token models play an important role for financial engineering. This paper revisits some of the key concepts accumulated behind this trend, and shows a generalized understanding of the technology using an adapted stochastic process. With a focus on financial instruments using blockchain, research directions toward stable applications are identified with the help of a newly proposed stabilizer: interpretation function of token valuation. The idea of adapted stochastic process is essential for the stabilizer, too.
• Kensuke Tamura, Kanta Matsuura. Improvement of Anomaly Detection Performance using Packet Flow Regularity in Industrial Control Networks, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol.E102-A, No.1, pp.65-73, 2019 [detail]

abstract

Since cyber attacks such as cyberterrorism against Industrial Control Systems (ICSs) and cyber espionage against companies managing them have increased, the techniques to detect anomalies in early stages are required. To achieve the purpose, several studies have developed anomaly detection methods for ICSs. In particular, some techniques using packet flow regularity in industrial control networks have achieved high-accuracy detection of attacks disrupting the regularity, i.e. normal behavior, of ICSs. However, these methods cannot identify scanning attacks employed in cyber espionage because the probing packets assimilate into a number of normal ones. For example, the malware called Havex is customized to clandestinely acquire information from targeting ICSs using general request packets. The techniques to detect such scanning attacks using widespread packets await further investigation. Therefore, the goal of this study was to examine high performance methods to identify anomalies even if elaborate packets to avoid alert systems were employed for attacks against industrial control networks. In this paper, a novel detection model for anomalous packets concealing behind normal traffic in industrial control networks was proposed. For the proposal of the sophisticated detection method, we took particular note of packet flow regularity and employed the Markov-chain model to detect anomalies. Moreover, we regarded not only original packets but similar ones to them as normal packets to reduce false alerts because it was indicated that an anomaly detection model using the Markov-chain suffers from the ample false positives affected by a number of normal, irregular packets, namely noise. To calculate the similarity between packets based on the packet flow regularity, a vector representation tool called word2vec was employed. Whilst word2vec is utilized for the calculation of word similarity in natural language processing tasks, we applied the technique to packets in ICSs to calculate packet similarity. As a result, the Markov-chain with word2vec model identified scanning packets assimilating into normal packets in higher performance than the conventional Markov-chain model. In conclusion, employing both packet flow regularity and packet similarity in industrial control networks contributes to improving the performance of anomaly detection in ICSs.

Conference

• Toshinori Usui, Yuto Otsuki, Yuhei Kawakoya, Makoto Iwamura, Jun Miyoshi, Kanta Matsuura. My Script Engines Know What You Did In The Dark: Converting Engines into Script API Tracers, Proceedings of the 35th Annual Computer Security Applications Conference (ACSAC '19), pp.466-477, 2019 [detail]

abstract

Malicious scripts have been crucial attack vectors in recent attacks such as malware spam (malspam) and fileless malware. Since malicious scripts are generally obfuscated, statically analyzing them is difficult due to reflections. Therefore, dynamic analysis, which is not affected by obfuscation, is used for malicious script analysis. However, despite its wide adoption, some problems remain unsolved. Current designs of script analysis tools do not fulfill the following three requirements important for malicious script analysis. (1) Universally applicable to various script languages, (2) capable of outputting analysis logs that can precisely recover the behavior of malicious scripts, and (3) applicable to proprietary script engines. In this paper, we propose a method for automatically generating script API tracer by analyzing the target script engine binaries. The method mine the knowledge of script engine internals that are required to append behavior analysis capability. This enables the addition of analysis functionalities to arbitrary script engines and generation of script API tracers that can fulfill the above requirements. Experimental results showed that we can apply this method for building malicious script analysis tools.
• Kanta Matsuura. Proof-of-Verification for Proof-of-Work: Miners Must Verify the Signatures on Bitcoin Transactions, Scaling Bitcoin Workshop 2019, 2019 [detail]

links

• pdf

Year 2018

Journal (incl. LNCS)

• Satsuya Ohata, Takahiro Matsuda, Goichiro Hanaoka, Kanta Matsuura. More Constructions of Re-Splittable Threshold Public Key Encryption, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol.E101-A, No.9, pp.1473-1483, 2018 [detail]

abstract

The concept of threshold public key encryption (TPKE) with the special property called key re-splittability (re-splittable TPKE, for short) was introduced by Hanaoka et al. (CT-RSA 2012), and used as one of the building blocks for constructing their proxy re-encryption scheme. In a re-splittable TPKE scheme, a secret key can be split into a set of secret key shares not only once, but also multiple times, and the security of the TPKE scheme is guaranteed as long as the number of corrupted secret key shares under the same splitting is smaller than the threshold. In this paper, we show several new constructions of re-splittable TPKE scheme by extending the previous (ordinary) TPKE schemes.
• Masahito Ishizaka, Kanta Matsuura. Identity-Based Encryption Resilient to Auxiliary Leakage under the Decisional Linear Assumption, Lecture Notes in Computer Science (The 17th International Conference on Cryptology and Network Security: CANS2018), Vol.11124, pp.417-439, 2018 [detail]

abstract

Leakage-resilience guarantees that even if some information about the secret key is partially leaked, the security is maintained. Several security models considering leakage-resilience have been proposed. Among them, auxiliary leakage model proposed by Dodis et al. in STOC'09 is especially important, since it can deal with a leakage caused by a function which information-theoretically reveals the secret key, e.g., one-way permutation. Contribution of this work is two-fold. Firstly, we propose an identity based encryption (IBE) scheme and prove that it is fully secure and resilient to the auxiliary leakage under the decisional linear assumption in the standard model. Secondly, although the IBE scheme proposed by Yuen et al. in Eurocrypt'12 has been considered to be the only IBE scheme resilient to auxiliary leakage, we prove that the security proof for the IBE scheme is defective. We insist that our IBE scheme is the only IBE scheme resilient to auxiliary leakage.
• Masahito Ishizaka, Kanta Matsuura. Strongly Unforgeable Signature Resilient to Polynomially Hard-to-Invert Leakage under Standard Assumptions, Lecture Notes in Computer Science (The 21st Information Security Conference), Vol.11060, pp.422-441, 2018 [detail]

abstract

A signature scheme is said to be weakly unforgeable, if it is hard to forge a signature on a message not signed before. A signature scheme is said to be strongly unforgeable, if it is hard to forge a signature on any message. In some applications, the weak unforgeability is not enough and the strong unforgeability is required, e.g., the Canetti, Halevi and Katz transformation. Leakage-resilience is a property which guarantees that even if secret information such as the secret-key is partially leaked, the security is maintained. Some security models with leakage-resilience have been proposed. The auxiliary (input) leakage model, or hard-to-invert leakage model, proposed by Dodis et al. in STOC'09 is especially meaningful one, since the leakage caused by a function which information-theoretically reveals the secret-key, e.g., one-way permutation, is considered. In this work, we propose a generic construction of a signature scheme strongly unforgeable and resilient to polynomially hard-to-invert leakage which can be instantiated under standard assumptions such as the decisional linear assumption. We emphasize that our signature scheme is not only the first one resilient to polynomially hard-to-invert leakage under standard assumptions, but also the first one which is strongly unforgeable and has hard-to-invert leakage-resilience.

Conference

• Junichiro Hayata, Masahito Ishizaka, Yusuke Sakai, Goichiro Hanaoka, Kanta Matsuura. Generic Construction of Adaptively Secure Anonymous Key-Policy Attribute-Based Encryption from Public-Key Searchable Encryption, Proceeding of the 2018 International Symposium on Information Theory and its Applications (ISITA2018), pp.739-743, 2018 [detail]

abstract

Public-key encryption with keyword search (PEKS) is a cryptographic primitive that allows us to search encrypted data for those of including particular keywords without decrypting them. PEKS is expected to be used for enhancing security of cloud storages. It is known that PEKS can be constructed from anonymous identity-based encryption (IBE), anonymous attribute-based encryption (ABE) and so on. It is believed that it is difficult to construct PEKS schemes that can specify a flexible search condition such as logical disjunctions and logical conjunctions from weaker cryptographic tools than ABE. However, this intuition has not been rigorously justified. In this paper, we formally prove it by constructing key-policy ABE from PEKS for monotone boolean formulas.
• Satsuya Ohata, Takahiro Matsuda, Kanta Matsuura. Provably Secure Password Reset Protocol: Model, Definition, and Construction, The 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications (IEEE TrustCom-18), pp.774-782, 2018 [detail]

abstract

Many online services adopt a password-based user authentication system because of its usability. However, several problems have been pointed out on it, and one of the well-known problems is that a user forgets his/her password and cannot login the services. To solve this problem, most online services support a backup authentication mechanism with which a user can reset a password. However, negative facts about security have been reported for a popular backup authentication mechanism. In this paper, we consider a provable security treatment for a password reset protocol. First, we formalize a model and security definitions. We consider security against active adversaries that can mount man-in-the-middle attacks and concurrent attacks. Then we propose a generic construction of a password reset protocol secure under our definitions based on pseudorandom functions and public key encryption. In addition, we implement a prototype of our protocol to evaluate its efficiency.

Year 2016

Journal (incl. LNCS)

• Masahito Ishizaka, Satsuya Ohata, Kanta Matsuura. Generic Construction of Ciphertext-Policy Attribute-Based Signcryption Secure in the Adaptive Predicate Model, IPSI Transactions on Advanced Research, Special issue - "Advances in Cryptology and Information Security", Vol.12, No.2, pp.16-26, 2016 [detail]

abstract

Ciphertext-policy attribute-based signcryption (CP-ABSC) is a cryptographic primitive which performs simultaneously both the functionalities of ciphertext-policy attribute-based encryption and signature-policy attribute-based signature. CP-ABSC guarantees both message confidentiality and authenticity and is considered to be a useful tool for fine-grained data access control in attribute-based environments such as a cloud service. In this paper, we provide a generic construction of CP-ABSC which achieves ciphertext indistinguishability under adaptively chosen ciphertext attacks in the adaptive predicate model (AP-IND-CCA), strongly existentially unforgeability of signcryptext under adaptively chosen message attacks in the adaptive predicate model (AP-sEUF-CMA) and perfect privacy. Our generic construction uses as building blocks, ciphertext-policy attribute-based key encapsulation mechanism, signature-policy attribute-based signature and data encapsulation mechanism.
• Miodrag J. Mihaljevic, Aleksandar Kavcic, Kanta Matsuura. An Encryption Technique for Provably Secure Transmission from a High Performance Computing Entity to a Tiny One, Mathematical Problems in Engineering, Vol.2016, pp.10 pages, 2016 [detail]

abstract

An encryption/decryption approach is proposed dedicated to one-way communication between a transmitter which is a computationally powerful party and a receiver with limited computational capabilities. The proposed encryption technique combines traditional stream ciphering and simulation of a binary channel which degrades channel input by inserting random bits. A statistical model of the proposed encryption is analyzed from the information-theoretic point of view. In the addressed model, an attacker faces the problem implied by observing the messages through a channel with random bits insertion. The paper points out a number of security related implications of the considered channel. These implications have been addressed by estimation of the mutual information between the channel input and output and estimation of the number of candidate channel inputs for a given channel output. It is shown that deliberate and secret key controlled insertion of random bits into the basic ciphertext provides security enhancement of the resulting encryption scheme.
• Shiori Shinoda, Kanta Matsuura. Empriical Investigation of Threats to Loyalty Programs by Using Models Inspired by the Gordon-Loeb Formulation of Security Investment, Journal of Information Security (JIS), Vol.7, No.2, pp.29-48, 2016 [detail]

abstract

Loyalty program (LP) is a popular marketing activity of enterprises. As a result of firms' effort to increase customers' loyalty, point exchange or redemption services are now available worldwide. These services attract not only customers but also attackers. In pioneering research, which first focused on this LP security problem, an empirical analysis based on Japanese data is shown to see the effects of LP-point liquidity on damages caused by security incidents. We revisit the empirical models in which the choice of variables is inspired by the Gordon-Loeb formulation of security in-vestment: damage, investment, vulnerability, and threat. The liquidity of LP points corresponds to the threat in the formulation and plays an important role in the empirical study because it particu-larly captures the feature of LP networks. However, the actual proxy used in the former study is ar-tificial. In this paper, we reconsider the liquidity definition based on a further observation of LP security incidents. By using newly defined proxies corresponding to the threat as well as other re-fined proxies, we test hypotheses to derive more implications that help LP operators to manage partnerships; the implications are consistent with recent changes in the LP network. Thus we can see the impacts of security investment models include a wider range of empirical studies.

Conference

• Andreas Gutmann, Karen Renaud, Joseph Maguire, Peter Mayer, Melanie Volkamer, Kanta Matsuura, Joern Mueller-Quade. ZeTA --- Zero-Trust Authentication: Relying on Innate Human Ability, not Technology, Proceedings of the 1st IEEE European Symposium on Security and Privacy, pp.357-371, 2016 [detail]

abstract

Reliable authentication requires the devices and channels involved in the process to be trustworthy; otherwise, authentication secrets can easily be compromised. Given the unceasing efforts of attackers worldwide such trustworthiness is increasingly not a given. A variety of technical solutions, such as utilising multiple devices/channels and verification protocols, has the potential to mitigate the threat of untrusted communications to a certain extent. Yet such technical solutions make two assumptions: (1) users have access to multiple devices and (2) attackers will not resort to hacking the human, using social engineering techniques. In this paper, we propose and explore the potential of using human-based computation instead of solely technical solutions to mitigate the threat of untrusted devices and channels. ZeTA (Zero Trust Authentication on untrusted channels) has the potential to allow people to authenticate despite compromised channels or communications and easily observed usage. Our contributions are threefold: (1) We propose the ZeTA protocol with a formal definition and security analysis that utilises semantics and human-based computation to ameliorate the problem of untrusted devices and channels. (2) We outline a security analysis to assess the envisaged performance of the proposed authentication protocol. (3) We report on a usability study that explores the viability of relying on human computation in this context.

Year 2015

Journal (incl. LNCS)

• Satsuya Ohata, Yutaka Kawai, Takahiro Matsuda, Goichiro Hanaoka, Kanta Matsuura. Re-encryption Verifiability: How to Detect Malicious Activities of a Proxy in Proxy Re-encryption, Lecture Notes in Computer Science (Topics in Cryptology: CT-RSA2015), Vol.9048, pp.410-428, 2015 [detail]

abstract

In this paper, we introduce a new functionality for proxy re-encryption (PRE) that we call re-encryption verifiability. In a PRE scheme with re-encryption verifiability (which we simply call verifiable PRE, or VPRE), a receiver of a re-encrypted ciphertext can verify whether the received ciphertext is correctly transformed from an original ciphertext by a proxy, and thus can detect illegal activities of the proxy. We formalize the security model for a VPRE scheme, and show that the single-hop uni-directional PRE scheme by Hanaoka et al. (CT-RSA 2012) can be extended to a secure VPRE scheme.
• Kanta Matsuura, Takurou Hosoi. Mechanism Design of Data Sharing for Cybersecurity Research, IPSI Transactions on Advanced Research, Vol.11, No.1, pp.35-40, 2015 [detail]

abstract

If we want to realize a scientific approach to cybersecurity, we need objective and reproducible evaluation of security. Although some of cryptographic technologies have rigorous security proofs, a lot of cybersecurity technologies rely on experimental evaluation which needs good datasets. One may expect that sharing such datasets would help at least the reproducibility of the evaluation. At the same time, one may be afraid that effective mechanism design is difficult because there have been a lot of studies on disincentive problems (e.g. free-riding) associated with information sharing in cybersecurity. However, the requirements and typical solutions for data sharing would be different from those for information sharing. In this paper, we comprehensively discuss the features of "data sharing for cybersecurity research" based on a systematic comparison with "information sharing for cybersecurity practice". We also report a Japanese case in the field of malware analysis. One important finding is that considering human resource development is an important factor in the activities associated with data sharing.

Conference

• Aleksandar Kavcic, Miodrag Mihaljevic, Kanta Matsuura. Light-Weight Secrecy System Using Channels with Insertion Errors: Cryptographic Implications, Proceedings of the 2015 IEEE Information Theory Workshop -- Fall (ITW2015), pp.257-261, 2015 [detail]

abstract

A model of an encryption approach is analyzed from an information-theoretic point of view. In the model, an attacker faces the problem of observing messages through a concatenation of a binary symmetric channel and a channel with randomly inserted bits. The paper points out a number of security related implications resulting from employing an insertion channel. It is shown that deliberate and secret-key-controlled insertions of random bits into the basic ciphertext provide a security enhancement of the resulting encryption scheme.
• Satsuya Ohata, Takahiro Matsuda, Kanta Matsuura. On Rigorous Security of Password Recovery Protocols, The Tenth International Workshop on Security (IWSEC2015), Poster Session, 2015 [detail]

abstract

Many online services adopt a password-based user authentication system because of its usability. However, several problems have been pointed out on it, and one of the well-known problems is that a user forgets his/her password and cannot login the services. To solve this problem, most online services support a mechanism with which a user can recover a password. In this poster, we discuss rigorous security for a password recovery protocol.

Year 2014

Journal (incl. LNCS)

• David S. L. Wei, Siani Pearson, Kanta Matsuura, Patrick P. C. Lee, Kshirasagar Naik. Guest Editorial: Cloud Security, IEEE Transactions on Cloud Computing, Vol.2, No.4, pp.377-379, 2014
• Satsuya Ohata, Takahiro Matsuda, Goichiro Hanaoka, Kanta Matsuura. More Constructions of Re-splittable Threshold Public Key Encryption, Lecture Notes in Computer Science (Advances in Information and Computer Security, The 9th International Workshop on Security: IWSEC2014), Vol.8639, pp.109-118, 2014 [detail]

abstract

The concept of threshold public key encryption (TPKE) with the special property called key re-splittability (re-splittable TPKE, for short) was introduced by Hanaoka et al.(CT-RSA 2012), and used as one of the building blocks for constructing their proxy re-encryption scheme. In a re-splittable TPKE scheme, a secret key can be split into a set of secret key shares not only once, but also multiple times, and the security of the TPKE scheme is guaranteed as long as the number of corrupted secret key shares under the same splitting is smaller than the threshold. In this paper, we show several new constructions of re-splittable TPKE scheme by extending the previous (ordinary) TPKE schemes. Our results suggest that key re-splittability is a very natural property for TPKE.
• Takao Murakami, Kenta Takahashi, Kanta Matsuura. A General Framework and Algorithms for Score Level Indexing and Fusion in Biometric Identification, IEICE Transactions on Information and Systems, Vol.E97-D, No.3, pp.510-523, 2014 [detail]

abstract

Biometric identification has recently attracted attention because of its convenience: it does not require a user ID nor a smart card. However, both the identification error rate and response time increase as the number of enrollees increases. In this paper, we combine a score level fusion scheme and a metric space indexing scheme to improve the accuracy and response time in biometric identification, using only scores as information sources. We firstly propose a score level indexing and fusion framework which can be constructed from the following three schemes: (I) a pseudo-score based indexing scheme, (II) a multi-biometric search scheme, and (III) a score level fusion scheme which handles missing scores. A multi-biometric search scheme can be newly obtained by applying a pseudo-score based indexing scheme to multi-biometric identification. We secondly propose the NBS (Naive Bayes search) scheme as a multi-biometric search scheme and discuss its optimality with respect to the retrieval error rate. We evaluated our proposal using the datasets of multiple fingerprints and face scores from multiple matchers. The results showed that our proposal significantly improved the accuracy of the unimodal biometrics while reducing the average number of score computations in both the datasets.
• Takao Murakami, Kenta Takahashi, Kanta Matsuura. Toward Optimal Fusion Algorithms with Security against Wolves and Lambs in Biometrics, IEEE Transactions on Information Forensics and Security (IEEE TIFS), Vol.9, No.2, pp.259-271, 2014 [detail]

abstract

It is known that different users have different degrees of accuracy in biometric authentication, and claimants and enrollees who cause false accepts against many others are referred to as wolves and lambs, respectively. The aim of this paper is to develop a fusion algorithm, which has security against both of the animals while minimizing the number of query samples a genuine claimant has to input. To achieve our aim, we first introduce a taxonomy of wolves and lambs, and propose a minimum log-likelihood ratio-based sequential fusion scheme (MLR scheme). We prove that this scheme keeps wolf attack probability and lamb accept probability, the maximum of the claimant-specific false accept probability (FAP), and the enrolleespecific FAP, less than a desired value if log-likelihood ratios are perfectly estimated, except in the case of adaptive spoofing wolves. We also prove that this scheme is optimal with regard to false reject probability (FRP), and asymptotically optimal with respect to the average number of inputs (ANIs) under some conditions. We further propose an input order decision scheme based on the Kullback.Leibler (KL) divergence, which maximizes the expectation of a genuine log-likelihood ratio, to further reduce ANI of the MLR scheme in the case where the KL divergence differs from one modality to another. The results of the experimental evaluation using a virtual multimodal (one face and eight fingerprints) data set showed the effectiveness of our schemes.

Conference

• Bongkot Jenjarrussakul, Kanta Matsuura. Analysis of Japanese Loyalty Programs Considering Liquidity, Security Efforts, and Actual Security Levels, 13th Workshop on the Economics of Information Security (WEIS2014), on web, 2014 [detail]

abstract

Virtual currency is an important medium of exchange in cyber space, and loyalty program (LP) can be considered as a type of virtual currency. In the U.S., according to a report in COLLOQUY talk[5], the total number of LP memberships is more than 2.6 billion in 2012 after 26.7% growth from 2010. In addition, the number of LPs is also reported to show a clear increasing trend. LPs are very popular in Japan, too; there are more than 200 LPs in Japan and the use of them is widespread among Japanese people. People collect their LP points and redeem them to obtain goods and enjoy services. In addition, many LP points can be converted into points of different LPs. LPs in Japan are thus increasing redemption options, and getting more and more popular and liquid virtual currencies. This situation can motivate malicious people to abuse such increasingly useful LPs for crimes, and in fact, there are some reports of such crimes. However, the security issues of LPs have not been well studied. In this paper, we investigate Japanese LPs with focuses on their liquidity, their operating firms' security efforts, and the LP systems' actual security levels.

Year 2013

Journal (incl. LNCS)

• Shaojing Fu, Chao Li, Kanta Matsuura, Longjiang Qu. Construction of Even- variable Rotation Symmetric Boolean Functions with Maximum Algebraic Immunity, SCIENCE CHINA Information Sciences, Vol.56, No.3, pp.1-9, 2013 [detail]

abstract

Rotation symmetric Boolean functions (RSBFs) have been used as components of different cryptosystems. In this paper, we investigate n-variable (n even and n >= 12) RSBFs to achieve maximum algebraic immunity (AI), and provide a construction of RSBFs with maximum AI and nonlinearity. These functions have higher nonlinearity than the previously known nonlinearity of RSBFs with maximum AI. We also prove that our construction provides high algebraic degree in some case.

keywords

Boolean function, rotation symmetry, algebraic immunity, nonlinearity

Conference

• Kanta Matsuura, Takurou Hosoi. Data Sharing for Cybersecurity Research and Information Sharing for Cybersecurity Practice, The 8th International Workshop on Security (IWSEC2013), 2013 [detail]

abstract

When we want to realize a scientific approach to cybersecurity, we need objective and reproducible evaluation of security properties. Although some of cryptographic technologies have rigorous security proofs, a lot of cybersecurity technologies rely on experimental security evaluation which needs good datasets. One may expect that sharing such datasets would help at least the reproducibility of the evaluation. At the same time, one may be afraid that effective mechanism design is not trivial because there have been a lot of studies on disincentive problems (e.g. free-riding) associated with information sharing for cybersecurity practice. However, the requirements and typical solutions for data sharing would be different from those for information sharing. In this poster, we comprehensively discuss the features of data sharing for cybersecurity research based on a systematic comparison with information sharing for cybersecurity practice. We also identify some intrinsic limitations of the data sharing approach.
• Takurou Hosoi, Kanta Matsuura. Effectiveness of a Change in TCP Retransmission Timer Management for Low-rate DoS Attack Mitigation and Attack Variants, The 8th International Workshop on Security (IWSEC2013), 2013 [detail]

abstract

The mechanism of TCP retransmission timeout is essential to the Internet congestion control. But existing research pointed out that this mechanism allows DoS attack with low-rate mean traffic. We proposed a change in TCP retransmission timeout management, in which length of TCP retransmission timer is increased not to precisely twice of the prior timer length in successive timeout waiting. We investigate its effectiveness in DoS attack mitigation analytically, and some attack variants under this countermeasure.
• Naveen Kumar, Anish Matsuria, Maniklal Das, Kanta Matsuura. Improving Security and Efficiency of Time-Bound Access to Outsourced Data, The 6th ACM India Computing Convention (Compute2013), 2013
• Kanta Matsuura, Takurou Hosoi. Data Sharing for Cybersecurity Research: A Comparison with Information Sharing for Cybersecurity Practice, Ninth Annual Forum on Financial Information Systems and Cybersecurity: A Public Policy Perspective, 2013

Year 2012

Journal (incl. LNCS)

• Takahiro Matsuda, Goichiro Hanaoka, Kanta Matsuura. Relations between Constrained and Bounded Chosen Ciphertext Security for Key Encapsulation Mechanisms, Lecture Notes in Computer Science (Public Key Cryptography - PKC 2012, 15th International Conference on Practice and Theory in Public Key Cryptography: PKC 2012), Vol.7293, pp.576-594, 2012 [detail]

abstract

In CRYPTO 2007, Hofheinz and Kiltz formalized a security notion for key encapsulation mechanisms (KEMs), called constrained chosen ciphertext (CCCA) security, which is strictly weaker than ordinary chosen ciphertext (CCA) security, and showed a new composition paradigm for CCA secure hybrid encryption. Thus, CCCA security of a KEM turned out to be quite useful. However, since the notion is relatively new and its definition is slightly complicated, relations among CCCA security and other security notions have not been clarified well. In this paper, in order to better understand CCCA security and the construction of CCCA secure KEMs, we study relations between CCCA and bounded CCA security, where the latter notion considers security against adversaries that make a-priori bounded number of decapsulation queries, and is also strictly weaker than CCA security. Specifically, we show that in most cases there are separations between these notions, while there is some unexpected implication from (a slightly stronger version of) CCCA security to a weak form of 1-bounded CCA security. We also revisit the construction of a KEM from a hash proof system (HPS) with computational security properties, and show that the HPS-based KEM, which was previously shown CCCA secure, is actually 1-bounded CCA secure as well. This result, together with the above general implication, suggests that 1-bounded CCA security can be essentially seen as a "necessary" condition for a CCCA secure KEM.
• Shaojing Fu, Kanta Matsuura, Chao Li, Longjiang Qu. Construction of highly nonlinear resilient S-boxes with given degree, Designs, Codes and Cryptography, Vol.64, No.3, pp.241-253, 2012 [detail]

abstract

We provide two new construction methods for nonlinear resilient S-boxes with given degree. The first method is based on the use of linear error correcting codes together with highly nonlinear S-boxes. Given a [u,m, t+1] linear code where u = n-d-1, d > m, we showthat it is possible to construct (n,m, t, d) resilient S-boxes which have currently best known nonlinearity. Our second construction provides highly nonlinear (n,m, t, d) resilient S-boxes which do not have linear structure, then an improved version of this construction is given.

keywords

Cryptography, Linear code, Resiliency, Linear structure, Nonlinearity

Conference

• Takao Murakami, Kenta Takahashi, Kanta Matsuura. Towards Optimal Countermeasures against Wolves and Lambs in Biometrics, Proceedings of the IEEE Fifth International Conference on Biometrics: Theory, Applications and Systems (BTAS 2012), 2012 [detail]

abstract

Claimants and enrollees who have high similarity scores against many others are referred to as wolves and lambs, respectively. These animals can cause false accepts against many others and compromise the security of the system. The aim of this paper is to develop a fusion algorithm which has security against both of them while minimizing the number of query samples the genuine claimant has to input. To achieve this aim, we first propose a minimum log-likelihood ratio based sequential fusion scheme (MLR scheme). We prove that the MLR scheme keeps WAP (Wolf Attack Probability) and LAP (Lamb Accept Probability), the maximum of the claimant-specific FAR and the enrollee-specific FAR, less than the desired value if the score distributions are perfectly estimated, except in the case of adaptive spoofing wolves. We also prove that the MLR scheme is nearly optimal with respect to the average number of inputs (ANI) of the genuine claimant under some conditions. We secondly propose an input order decision scheme based on the KL (Kullback-Leibler) divergence which maximizes the expectation of the genuine loglikelihood ratio, to further reduce ANI of the MLR scheme in the case where the KL divergence differs from one modality to another. The results of the experimental evaluation using the CASIA-FingerprintV5 showed the effectiveness of our schemes.
• Bongkot Jenjarrussakul, Hideyuki Tanaka, Kanta Matsuura. Sectoral and Regional Interdependency of Japanese Firms under the Influence of Information Security Risks, 11th Workshop on the Economics of Information Security (WEIS2012), on web, 2012 [detail]

abstract

Although there are some studies on inter-sectoral information security interdependency, the lack of regional interdependency analysis is one of their limitations. In this empirical study, we used an inter-regional input-output table in order to analyze both sectoral and regional interdependencies under the influence of information technology and information security of Japanese firms. Our analysis showed that the economic scale of a region has a great influence on the characteristics of the interdependency. Furthermore, we found that the demand-side sectors can be classified into five classes based on the characteristics. Among them, the groups with high self-dependency get more benefits from simultaneous understanding of regional characteristics; for the sectors in these classes, investment advice obtained from sectoral characteristics only is very limited, whereas they can obtain much more from regional characteristics. Since these classes include a majority of the sectors, we can recognize the importance of regional interdependency analysis. In the above basic study, what we see is the situation before The Great East Japan Earthquake on March 11, 2011. As an extended study, we estimated reductions in interdependency resulting from investment-dependent economic damages in order to study how security investment can change the impact of the earthquake. Our main finding in regional perspective is that the interdependency characteristics of the most damaged region (Tohoku) and of the economically largest region (Kanto) are impacted most significantly. Both in the basic study and in the extended study, we can see that considering not only sectoral but also regional characteristics is an effective approach to the task of empirically deriving implications related to the interdependency. There are many possibilities of more extended studies based on our methodology.

keywords

Interdependency, Backward dependency, Empirical analysis, Supply chain, Input-output table, The Great East Japan Earthquake
• Bongkot Jenjarrussakul, Hideyuki Tanaka, Kanta Matsuura. Impact on Information Security from the Great East Japan Earthquake on March 11, 2011, Eighth Annual Forum on Financial Information Systems and Cybersecurity: A Public Policy Perspective, 2012 [detail]

abstract

The Great East Japan Earthquake on March 11, 2011 introduced vast impact on supply-chain in Tohoku region. Although there are some reports regarding impact in economic viewpoint as well as information, communication, and telecommunication (ICT) viewpoint, non of them shows possibility about impact on information security. Here we simulate the possible effect from the impact of the earthquake. The methodology is applied to predict impact from the earthquake. With this concept, Japanese offcial statistical economic data as well as offcial data regarding information technology and information security are used. The results show that limited effect from the loss in IT-related capital stock due to the Great East Japan Earthquake likely affects some regions and industrial sectors such as other manufacturing(6) and services(12).

Year 2011

Journal (incl. LNCS)

• Shaojing Fu, Chao Li, Kanta Matsuura, Longjiang Qu. Blanced 2p-variable Rotation Symmetric Boolean Functions with Maximum Algebraic Immunity, Applied mathematical Letters, Vol.24, No.12, pp.2093-2096, 2011 [detail]

abstract

In this paper, we study the construction of Rotation Symmetric Boolean Functions (RSBFs) which achieve a maximum algebraic immunity (AI). For the first time, a construction of balanced 2p-variable (p is an odd prime) RSBFs with maximum AI was provided, and the nonlinearity of the constructed RSBFs is not less than 2^(2p-1)-(2p-1)C(p)+(p-2)(p-3)+2; this nonlinearity result is significantly higher than the previously best known nonlinearity of RSBFs with maximum AI.

keywords

Stream cipher, Rotation symmetry, Boolean function, Algebraic immunity
• Shaojing Fu, Chao Li, Kanta Matsuura, Longjiang Qu.. Construction of Odd- variable Resilient Boolean Functions with Optimal Degree, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol.VE94-A, pp.265-267, 2011 [detail]

abstract

Constructing degree-optimized resilient Boolean functions with high nonlinearity is a significant study area in Boolean function. In this letter, we provide a construction of degree-optimized n-variable (n odd and n>=35) resilient Boolean functions, and it is shown that the resultant functions achieve the currently best known nonlinearity.

keywords

stream cipher, boolean function, resiliency, nonlinearity
• Daiki Chiba, Takahiro Matsuda, Jacob C.N. Schuldt, Kanta Matsuura. Efficient Generic Constructions of Signcryption with Insider Security in the Multi-user Setting, Lecture Notes in Computer Science (9th International Conference on Applied Cryptography and Network Security: ACNS 2011), Vol.6715, pp.220-237, 2011
• Jacob C.N. Schuldt, Kanta Matsuura. On-line Non-transferable Signatures Revisited, Lecture Notes in Computer Science (Public Key Cryptography - PKC 2011, 14th International Conference on Practice and Theory in Public Key Cryptography: PKC 2011), Vol.6571, pp.369-386, 2011 [detail]

abstract

Undeniable signatures, introduced by Chaum and van Antwerpen, and designated confirmer signatures, introduced by Chaum, allow a signer to control the verifiability of his signatures by requiring a verifier to interact with the signer to verify a signature. An important security requirement for these types of signature schemes is nontransferability which informally guarantees that even though a verifier has confirmed the validity of a signature by interacting with the signer, he cannot prove this knowledge to a third party. Recently Liskov and Micali pointed out that the commonly used notion of non-transferability only guarantees security against an off-line attacker which cannot influence the verifier while he interacts with the signer, and that almost all previous schemes relying on interactive protocols are vulnerable to online attacks. To address this, Liskov and Micali formalized on-line nontransferable signatures which are resistant to on-line attacks, and proposed a generic construction based on a standard signature scheme and an encryption scheme. In this paper, we revisit on-line non-transferable signatures. Firstly, we extend the security model of Liskov and Micali to cover not only the sign protocol, but also the confirm and disavow protocols executed by the confirmer. Our security model furthermore considers the use of multiple (potentially corrupted or malicious) confirmers, and guarantees security against attacks related to the use of signer specific confirmer keys. We then present a new approach to the construction of on-line non-transferable signatures, and propose a new concrete construction which is provably secure in the standard model. Unlike the construction by Liskov and Micali, our construction does not require the signer to issue ``fake'' signatures to maintain security, and allows the confirmer to both confirm and disavow signatures. Lastly, our construction provides noticeably shorter signatures than the construction by Liskov and Micali.

links

• pdf
• Takahiro Matsuda, Kanta Matsuura. On Black-Box Separations among Injective One-Way Functions, Lecture Notes in Computer Science (Theory of Cryptography, 8th Theory of Cryptography Conference: TCC 2011), Vol.6597, pp.597-614, 2011
• Takahiro Matsuda, Kanta Matsuura. Parallel Decryption Queries in Bounded Chosen Ciphertext Attacks, Lecture Notes in Computer Science (Public Key Cryptography - PKC 2011, 14th International Conference on Practice and Theory in Public Key Cryptography: PKC 2011), Vol.6571, pp.246-264, 2011 [detail]

abstract

Whether it is possible to construct a chosen ciphertext secure (CCA secure) public key encryption (PKE) scheme only from a chosen plaintext secure (CPA secure) one is a well-known fundamental open problem, and the best known positive results regarding this problem are the construction of so-called bounded CCA secure schemes. Since we can achieve the best possible security in the bounded CCA security notions, in order to further tackle this problem, we would need other new security notions that capture intermediate security notions that lie between CPA and CCA security. Motivated by this situation, in order to provide a theoretical foundation for further tackling the above problem, we focus on ''parallel'' decryption queries (originally introduced by Bellare and Sahai[BS99]) for the extension of bounded CCA security, and introduce a new security notion which we call mixed CCA security. It captures the security against adversaries that make single and parallel decryption queries in a predetermined order, where each parallel query can contain unboundedly many ciphertexts. Moreover, how the decryption oracle is available before and after the challenge is also taken into account in this new security definition, which enables us to capture existing major security notions that lie between CPA and CCA security, including complex notion like non-malleability against bounded CCA, in a unified security notion. We investigate the relations among mixed CCA security notions, and show a necessary and sufficient condition regarding implications/separations between any given two notions in mixed CCA security. We then show two black-box constructions of PKE schemes from CPA secure ones, one of which satisfies strictly stronger security notions than the security notions achieved by the existing constructions of PKE schemes constructed only from a CPA secure one. We also discuss the consequences of our results regarding security with parallel decryption queries, give several observations, and leave some open problems.
• Jacob Schuldt, Kanta Matsuura. Efficient Convertible Undeniable Signatures with Delegatable Verification, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol.94-A, No.1, pp.71-83, 2011

Conference

• Ken Ichikawa, Kanta Matsuura. Preventing execution of JIT shellcode by isolating running process, Annual Computer Security Applications Conference 2011, 2011
• Kanta Matsuura. Passive and Active Measurements of Cybersecurity Risk Parameters, The 12th International Workshop on Information Security Applications (WISA2011), 2011
• Bongkot Jenjarrussakul, Hideyuki Tanaka, Kanta Matsuura. Empirical Study on Interdependency of Information Security Between Industrial Sectors and Regions, Seventh Annual Forum on Financial Information Systems and Cybersecurity: A Public Policy Perspective, 2011 [detail]

abstract

This paper broadens the concept of measurement methodology of information security interdependency in industrial sectoral perspective into industrial regional perspective to analyze inter-regional and inter-sectoral interdependency between specific industrial sectors and regions on demand-side perspective. Previous study of cross-sectoral information security interdependency demonstrated that different industrial sectors is one of the factors that affect interdependency in information security. Nevertheless, regional interdependency analysis was one of their limitations. In our implementation, we apply methodology to the statistical economic data of Japanese industrial sectors separated into regions in order to show their information security interdependency influenced by information technology and the level of information security measure.

Year 2010

Journal (incl. LNCS)

• Takahiro Matsuda, Yasumasa Nakai, Kanta Matsuura. Efficient Generic Constructions of Timed-Release Encryption with Pre-open Capability, Lecture Notes in Computer Science (Pairing-Based Cryptography, 4th International Conference on Pairing-Based Cryptography: Pairing 2010), Vol.6487, pp.225-245, 2010 [detail]

abstract

Timed-release encryption with pre-open capability (TRE-PC), introduced by Hwang et al.[HYL05], is a cryptosystem with which a sender can make a ciphertext so that a receiver can decrypt it by using a timed-release key provided from a trusted agent called time-server at a predetermined release-time, or by using a special information called pre-open key provided from the sender before the release-time, and thus adds flexibility to ordinary TRE schemes in many practical situations. Recently, Nakai et al.[NMKM09] proposed a generic construction of a TRE-PC scheme from a public-key encryption scheme, an identity-based encryption scheme (with some special property), and a signature scheme. Although their construction enables us to construct many TRE-PC schemes based on existing primitives, Concrete TRE-PC schemes derived via their generic construction are, however, not so practical because of the used building block primitives. Motivated by this situation, in this paper we propose two new generic consructions of TRE-PC schemes. Both of our generic constructions employ the KEM/DEM structure, are quite generic in the sense that they enable us to construct TRE-PC schemes from a combination of ordinary KEMs, identity-based KEMs, and symmetric-key primitives, and do not use a one-time signature scheme. Our first construction utilizes a [tag-KEM] as one of main building blocks, which has been widely studied since it was introduced by Abe et al.[AGK08] and can also be built from any ordinary KEM, and is suitable for constructing standard model TRE-PC schemes. Our second construction uses a random oracle, and is suitable for constructing TRE-PC schemes based on existing building block primitives that already use random oracles. Concrete TRE-PC schemes derived from our generic constructions are comparable to or more efficient than the currently known TRE-PC schemes in terms of ciphertext overhead size and computation costs.
• Takurou HOSOI, Kanta Matsuura. Evaluation of the Common Dataset Used in Anti-Malware Engineering Workshop 2009, Lecture Notes in Computer Science (Recent Advances in Intrusion Detection, 13th International Symposium on Recent Advances in Intrusion Detection: RAID 2010), Vol.6307, pp.496-497, 2010
• Jacob C. N. Schuldt, Kanta Matsuura. An Efficient Convertible Undeniable Signature Scheme with Delegatable Verification, Lecture Notes in Computer Science (6th International Conference on Information Security Practice and Experience: ISPEC2010), Vol.6047, pp.276-293, 2010
• Shaojing Fu, Chao Li, Kanta Matsuura, Longjiang Qu. Enumeration of Balanced Symmetric Functions over GF(p), Information Processing Letters, Vol.110, pp.544-548, 2010

Conference

• Kanta Matsuura. Security Economics and Cryptographic Industry, 2010 Japan-Taiwan Joint Research Symposium on Cryptography and Information Technology toward Next IT-society, 2010
• Kanta Matsuura. A Guideline for Product-Validation Systems Regarding Security Modules, Computer Security Institute Annual Conference (CSI 2010), 2010
• Kanta Matsuura. Impacts of Information-Security Evaluation, The 11th CTINS (Cybercrime Technology Information Network System) Annual Conference, 2010
• Toshihiko Takemura, Hideyuki Tanaka, Kanta Matsuura. Awareness Gaps on Effects of Information Security Measure between Managers and Employees: An Empirical Study Using Micro Data Collected from Web-Based Survey, Short Paper Proceedings of the Fourth IFIP WG11.11 International Conference on Trust Management (IFIPTM 2010), pp.25-32, 2010
• Peng Yang, Kanta Matsuura. An Introduction of A Users' Guideline to Japan Cryptographic Module Validation Program, ASIACCS 2010 (5th ACM Symposium on Information, Computer and Communications Security), 2010
• Kanta Matsuura. Economic Implications of Light-Weight Security Mechanisms, The 2010 Workshop on RFID Security (RFIDsec'10 Asia), 2010

Year 2009

Journal (incl. LNCS)

• Yi Shi, Kanta Matsuura. Fingerprinting Attack on the Tor Anonymity System, Lecture Notes in Computer Science (11th International Conference on Information and Communications Security: ICICS 2009), Vol.5927, pp.425-438, 2009 [detail]

abstract

We present a novel way to implement a fingerprinting attack against Onion Routing anonymity systems such as Tor. Our attack is a realistic threat in the sense that it can be mounted by nothing but controller of entrance routers; the required resource is very small. However, the conventional fingerprinting attack based on incoming traffic does not work straightforwardly against Tor due to its multiplex and quantized nature of traffic. By contrast, our novel attack can degrade this Tor's anonymity by a metric based on both incoming and outgoing packets. In addition, our method keeps the fingerprinting attack's advantage of being realistic in terms of the required small resource. Regarding more evaluation, the effectiveness of our method is discussed in a comprehensive manner: experimentally and theoretically. In order to enhance further studies and show the significance of our idea, we also discuss methods for defending against our attack and other applications of our idea.
• Shaojing Fu, Kanta Matsuura, Chao Li, Longjiang Qu. Construction of Rotation Symmetric Boolean Functions with Maximum Algebraic Immunity, Lecture Notes in Computer Science (The 8th International Conference on Cryptology and Network Security: CANS 2009), Vol.5888, pp.402-412, 2009
• Takahiro Matsuda, Kanta Matsuura, Jacob C. N. Schuldt. Efficient Constructions of Signcryption Schemes and Signcryption Composability, Lecture Notes in Computer Science (Progress in Cryptology, 10th International Conference on Cryptology in India: INDOCRYPT 2009), Vol.5922, pp.321-342, 2009 [detail]

abstract

In this paper, we investigate simple, but efficient constructions of signcryption schemes. Firstly, we show how symmetric primitives can be used to efficiently achieve outsider security, leading to a signcryption scheme with the currently lowest ciphertext and computational overhead. This scheme provides outsider multi-user security. For the mixed security notions outsider confidentiality/insider unforgeability and insider confidentiality/outsider unforgeability, this approach yields lower ciphertext overhead and a higher level of security, respectively, compared to the current schemes. Secondly, we show a simple optimization to the well known ``sign-then-encrypt'' and ``encrypt-then-sign'' approaches to the construction of signcryption schemes, by using tag-based encryption. Instantiations with our proposed tag-based schemes yield multi-user insider secure signcryption schemes in the random oracle model which is at least as efficient as any other existing scheme both in terms of ciphertext overhead and computational cost. Furthermore, very efficient standard model signcryption schemes are achieved as well. Lastly, we show how signatures and encryption can be combined in a non-black-box manner to achieve higher efficiency than schemes based on the above approach. We refer to signature and encryption schemes which can be combined in this way as signcryption composable, and we show that a number of the most efficient standard model encryption and signature schemes satisfy this, leading to the most efficient standard model signcryption schemes. Since all of our constructions are fairly simple and efficient, they provide a benchmark which can be used to evaluate future signcryption schemes.
• Yasumasa Nakai, Takahiro Matsuda, Wataru Kitada, Kanta Matsuura. A Generic Construction of Timed-Release Encryption with Pre-open Capability, Lecture Notes in Computer Science (Advances in Information and Computer Security, The 4th International Workshop on Security: IWSEC2009), Vol.5824, pp.53-70, 2009 [detail]

abstract

In 2005, Hwang et al. proposed a concept of timed-release encryption with pre-open capability (TRE-PC), where a receiver can decrypt a ciphertext not only by using a time-release key which is provided after its release-time, but also using a secret information called a preopen key provided from a sender even before the release-time. Though there are several concrete constructions of TRE-PC proposed so far, no generic construction has been known. In this paper, we show a generic construciton of TRE-PC. Specifically, we construct a TRE-PC scheme from a chosen-ciphertext secure public key encryption scheme (PKE), a chosen plaintext secure identity-based encryption (IBE) scheme with specific property that we call target collision resistance for randomness, and a one-time signature scheme. Interestingly, our proposed construction of TRE-PC is essentially the same as the generic construciton of (normal) TRE based on multiple encryption of IBE and PKE. As one of the consequences of our result, we can build a TRE-PC scheme secure in the standard model based on weaker assumptions than the ones used by the existing standard model TRE-PC scheme.
• Peng Yang, Rui Zhang, Kanta Matsuura, Hideki Imai. Generic Construction of Stateful Identity Based Encryption, Lecture Notes in Computer Science (Information Security, 12th International Conference: ISC2009), Vol.5735, pp.338-346, 2009
• Takahiro Matsuda, Goichiro Hanaoka, Kanta Matsuura, Hideki Imai. An Efficient Encapsulation Scheme from Near Collision Resistant Pseudorandom Generators and Its Application to IBE-to-PKE Transformations, Lecture Notes in Computer Science (Topics in Cryptology: CT-RSA2009), Vol.5473, pp.16-31, 2009 [detail]

abstract

In [BK05], Boneh and Katz introduced a primitive called encapsulation scheme, which is a special kind of commitment scheme. Using the encapsulation scheme, they improved the generic transformation by Canetti, Halevi, and Katz[CHK04] which transforms any semantically secure identity-based encryption (IBE) scheme into a chosen-ciphertext secure public key encryption (PKE) scheme (we call the BK transformation). The ciphertext size of the transformed PKE scheme directly depends on the parameter sizes of the underlying encapsulation scheme. In this paper, by designing a size-efficient encapsulation scheme, we further improve the BK transformation. With our proposed encapsulation scheme, the ciphertext overhead of a transformed PKE scheme via the BK transformation can be that of the underlying IBE scheme plus 384-bit, while the original BK scheme yields that of the underlying IBE scheme plus at least 704-bit, for 128-bit security. Our encapsulation scheme is constructed from a pseudorandom generator (PRG) that has a special property called near collision resistance, which is a fairly weak primitive. As evidence of it, we also address how to generically construct a PRG with such a property from any one-way permutation.

Conference

• Hitoshi Tanuma, Akira Otsuka, Hideki Imai, Kanta Matsuura. A Consideration to the Attacker's Prospect on Security Patch Management, Sixth Annual Forum on Financial Information Systems and Cybersecurity: A Public Policy Perspective, 2009
• Kanta Matsuura. Economics of provable security and probable security, 4th International Workshop on Mathematical Cryptology, 2009

Year 2008

Journal (incl. LNCS)

• Takahiro Matsuda, Goichiro Hanaoka, Kanta Matsuura, Hideki Imai. Simple CCA-Secure Public Key Encryption from Any Non-Malleable Identity-Based Encryption, Lecture Notes in Computer Science (The 11th International Conference on Information Security and Cryptology: ICISC2008), Vol.5461, pp.1-19, 2008 [detail]

abstract

In this paper, we present a simple and generic method for constructing public key encryption (PKE) secure against chosen ciphertext attacks (CCA) from identity-based encryption (IBE). Specifically, we show that a CCA-secure PKE scheme can be generically obtained by encrypting (m||r) under identity ``f(r)'' with the encryption algorithm of the given IBE scheme, assuming that the IBE scheme is non-malleable and f is one-way. In contrast to the previous generic methods (such as Canetti-Halevi-Katz), our method requires stronger security for the underlying IBE schemes, non-malleability, and thus cannot be seen as a direct improvement of the previous methods. However, once we have an IBE scheme which is proved (or can be assumed) to be non-malleable, we will have a PKE scheme via our simple method, and we believe that the simpleness of our proposed transformation itself is theoretically interesting. Our proof technique for security of the proposed scheme is also novel. In the security proof, we show how to deal with certain types of decryption queries which cannot be handled by straightforwardly using conventional techniques.
• Yang Cui, Kazukuni Kobara, Kanta Matsuura, Hideki Imai. Lightweight Privacy-Preserving Authentication Protocols Secure against Active Attack in an Asymmetric Way, IEICE Transactions on Information and Systems, Vol.E91-D, No.5, pp.1457-1465, 2008 [detail]

abstract

Unforgeability of digital signatures is closely related to the security of hash functions since hashing messages, such as hash-and-sign paradigm, is necessary in order to sign (arbitrarily) long messages. Recent successful collision finding attacks against practical hash functions would indicate that constructing practical collision resistant hash functions is difficult to achieve. Thus, it is worth considering to relax the requirement of collision resistance for hash functions that is used to hash messages in signature schemes. Currently, the most efficient strongly unforgeable signature scheme in the standard model which is based on the CDH assumption (in bilinear groups) is the Boneh-Shen-Waters (BSW) signature proposed in 2006. In their scheme, however, a collision resistant hash function is necessary to prove its security. In this paper, we construct a signature scheme which has the same properties as the BSW scheme but does not rely on collision resistant hash functions. Instead, we use a target collision resistant hash function, which is a strictly weaker primitive than a collision resistant hash function. Our scheme is, in terms of the signature size and the computational cost, as efficient as the BSW scheme.
• Takahiro Matsuda, Nuttapong Attrapadung, Goichiro Hanaoka, Kanta Matsuura, Hideki Imai. A Strongly Unforgeable Signature under the CDH Assumption without Collision Resistant Hash Functions, IEICE Transactions on Information and Systems, Vol.E91-D, No.5, pp.1466-1476, 2008 [detail]

abstract

Unforgeability of digital signatures is closely related to the security of hash functions since hashing messages, such as hash-and-sign paradigm, is necessary in order to sign (arbitrarily) long messages. Recent successful collision finding attacks against practical hash functions would indicate that constructing practical collision resistant hash functions is difficult to achieve. Thus, it is worth considering to relax the requirement of collision resistance for hash functions that is used to hash messages in signature schemes. Currently, the most efficient strongly unforgeable signature scheme in the standard model which is based on the CDH assumption (in bilinear groups) is the Boneh-Shen-Waters (BSW) signature proposed in 2006. In their scheme, however, a collision resistant hash function is necessary to prove its security. In this paper, we construct a signature scheme which has the same properties as the BSW scheme but does not rely on collision resistant hash functions. Instead, we use a target collision resistant hash function, which is a strictly weaker primitive than a collision resistant hash function. Our scheme is, in terms of the signature size and the computational cost, as efficient as the BSW scheme.
• Jacob C. N. Schuldt, Kanta Matsuura, Kenneth G. Paterson. Proxy Signatures Secure Against Proxy Key Exposure, Lecture Notes in Computer Science (11th International Workshop on Practice and Theory in Public Key Cryptography : PKC'08), Vol.4939, pp.141-161, 2008 [detail]

abstract

We provide an enhanced security model for proxy signatures that captures a more realistic set of attacks than previous models of Boldyreva et al. and of Malkin et al. Our model is motivated by concrete attacks on existing schemes in scenarios in which proxy signatures are likely to be used. We provide a generic construction for proxy signatures secure in our enhanced model using sequential aggregate signatures; our construction provides a benchmark by which future specific constructions may be judged. Finally, we consider the extension of our model and constructions to the identity-based setting.

Conference

• Kanta Matsuura. Impacts of Optimal Investment Models on Cybersecurity Risk Management, The Institute for Operations Research and the Management Sciences (INFORMS) Annual Meeting 2008, 2008
• Peng Yang, Kanta Matsuura. Stateful Public Key Encryption: How to Remove Gap Assumptions and Maintaining Tight Reductions, Proceedings of 2008 International Symposium on Information Theory and its Applications (ISITA2008), CD-ROM, 2008 [detail]

abstract

Stateful public key encryption schemes are introduced recently with much efficiency improvement over traditional stateless schemes. However, previous proposals are either based on strong assumptions, or admitting loose security reductions (a barrier for the proofs being practically-meaningful). In this paper, we present a stateful public key encryption scheme with tight security reduction to the computational Diffie Hellman assumption (cf. gap Diffie-Hellman), as well as a stateful identity based encryption scheme with tighter security reduction to the computational bilinear Diffie-Hellman problem.

keywords

Stateful public key encryption, security reduction.
• Peng Yang, Kanta Matsuura. A Forward Secure Identity Based Encryption Scheme with Master Key Update, Proceedings of 2008 International Symposium on Information Theory and its Applications (ISITA2008), CD-ROM, 2008 [detail]

abstract

We propose an identity based encryption scheme with forward security. Especially in our scheme, the top secret, called the master key, evolves through time. Our scheme is provably secure in the sense of FS-IND-ID-CPA based on DBDH assumption in standard model.

keywords

Foward Security, identity based encryption, master key update.
• Vadim Jefte Zendejas Samano, Takuro Hosoi, Kanta Matsuura. Time Categorization in a Social-Network-Analysis Spam Filter, Workshop on Information Security Applications (WISA2008), CD-ROM, 2008 [detail]

abstract

In this article, the introduction of a new method of language- independent e-mail classification using Social Network Analysis (SNA) for spam filtering is proposed. Our approach uses a time categorization of different instances of the e-mail to improve the classification of the filter. The proposal reduced the complexity of the classification and increases the accuracy of the filter. Although the naive SNA suffers from a high unclassification rate, our proposal decreases the number of unclassified e-mails.
• Kanta Matsuura. Productivity Space of Information Security in an Extension of the Gordon-Loeb's Investment Model , Workshop on the Economics of Information Security 2008 (WEIS2008), 2008 [detail]

abstract

We propose an identity based encryption scheme with forward security. Especially in our scheme, the top secret, called the master key, evolves through every time period. Our scheme is provably secure in the sense of FS-IND-ID-CPA based on DBDH assumption in standard model.

Year 2007

Journal (incl. LNCS)

• Takahiro Matsuda, Nuttapong Attrapadung, Goichiro Hanaoka, Kanta Matsuura, Hideki Imai. A CDH-Based Strongly Unforgeable Signature Without Collision Resistant Hash Function, Lecture Notes in Computer Science (Provable Security-First International Conference: ProvSec 2007), Vol.4784, pp.68-84, 2007 [detail]

abstract

Unforgeability of digital signatures is closely related to the security of hash functions since hashing messages, such as hash-and-sign paradigm, is necessary in order to sign (arbitrarily) long messages. Recent successful collision finding attacks against practical hash functions would indicate that constructing practical collision resistant hash functions is difficult to achieve. Thus, it is worth considering to relax the requirement of collision resistance for hash functions that is used to hash messages in signature schemes. Currently, the most efficient strongly unforgeable signature scheme in the standard model which is based on the CDH assumption (in bilinear groups) is the Boneh-Shen-Waters (BSW) signature proposed in 2006. In their scheme, however, a collision resistant hash function is necessary to prove its security. In this paper, we construct a signature scheme which has the same properties as the BSW scheme but does not rely on collision resistant hash functions. Instead, we use a target collision resistant hash function, which is a strictly weaker primitive than a collision resistant hash function. Our scheme is, in terms of the signature size and the computational cost, as efficient as the BSW scheme.

links

• Link (SpringerLink)
• Thi Lan Anh Phan, Goichiro Hanaoka, Kanta Matsuura, Hideki Imai. Key-Insulated Public Key Encryption with Auxiliary Helper Key: Model, Construcrtions and Formal Security Proofs, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol.E90-A, No.9, pp.1814-1829, 2007 [detail]

abstract

To deal with the problem of secret key exposure, Dodis, Katz, Xu and Yung [6] proposed a key-insulated public key encryption (KIE), which uses the secure helper key to update the secret key more often and helps to minimize the damage overall. We take this idea further in improving the helper key security by introducing an auxiliary helper key besides of the main helper key. The auxiliary helper key is used less than the main helper key and can help the system to reduce the damage even in case of helper key exposure. This paper give two different schemes of KIE with auxiliary helper key. There are trade-offs between public key length and ciphertext size, as well as between encryption algorithms and decryption algorithms in these two schemes. With these trade-offs, it is flexible to choose an efficient one to implement in reality. We also show concrete constructions with chosen-ciphertext security. The formal security proofs for all schemes are given in this paper, based on the CBDH assumption [2] in the random oracle model.
• Kazuto Ogawa, Goichiro Hanaoka, Kazukuni Kobara, Kanta Matsuura, Hideki Imai. Anonymous Pay-TV System with Secure Revenue Sharing, Lecture Notes in Computer Science (11th International Conference on Knowledge-Based and Intelligent Information & Engineering Systems:KES 2007), Vol.4694, pp.984-991, 2007
• Takahiro Matsuda, Goichiro Hanaoka, Kanta Matsuura, Hideki Imai. A Practical Provider Authentication System for Bidirectional Broadcast Service, Lecture Notes in Computer Science (11th International Conference on Knowledge-Based and Intelligent Information & Engineering Systems:KES 2007), Vol.4694, pp.967-974, 2007 [detail]

abstract

Several content distribution services via the Internet have been developed, and a number of bidirectional broadcasting services will be provided in the near future. Since such bidirectional broadcasting treats personal information of the users, provider authentication is necessary. Taking the currently existing broadcasting system using CAS cards into account, Ohtake et al. recently proposed the provider authentication system which utilizes key-insulated signature (KIS) schemes. However, the authors did not refer to details of what kind of KIS should be used. In this paper we supplement their works in terms of KIS specification. We carefully identify what kind of KIS should be used and propose concrete KIS schemes which realize both the reliability and the robustness required for the bidirectional broadcasting service.

links

• Link (SpringerLink)
• Wataru Kitada, Goichiro Hanaoka, Kanta Matsuura, Hideki Imai. Unconditionally Secure Chaffing-and-Winnowing for Multiple Use, Lecture Notes in Computer Science (International Conference on Information Theoretic Security: ICITS 2007), Vol.4883, pp.133-145, 2007 [detail]

abstract

Chaffing-and-winnowing is a cryptographic technique which does not require encryption but instead use a message authentication code (MAC) to provide the same function as encryption. Hanaoka et al. showed that an unconditionally secure chaffing-and-winnowing with one-time security can be constructed from any authentication code (A-code) (with one-time security). In this paper, we show a construction of unconditionally secure chaffing-and-winnowing for multiple use and prove the security of perfect secrecy and non-malleability. Additionally, we investigate a relation between encryption and authentication in more detail. Particularly, we show through chaffing-and-winnowing that a fully secure A-code with a specific property can be converted to a non-malleable one-time pad with a short ciphertext size. Interestingly, when applying this method to a known A-code, this becomes a known construction of a non-malleable one-time pad. This fact implies that the notions of authentication and encryption can be seamlessly connected by chaffing-and-winnowing mechanism.

Conference

• Takuro Hosoi, Kanta Matsuura, Hideki Imai. IP Trace Back by Packet Marking Method with Bloom Filters, Proceedings of the 2007 IEEE International Carnahan Conference on Security Technology (2007 ICCST) 41st Annual Conference, pp.255-263, 2007
• Kanta Matsuura. Attack-Discouragement and Its Economic Implications, DST-JST Joint Workshop for Awareness of Funding Opportunities under Bilateral Cooperation in Field of ICT, pp.29, 2007
• Yang Cui, Kazukuni Kobara, Kanta Matsuura, Hideki Imai. Lightweight Asymmetric Privacy-Preserving Authentication Protocols Secure against Active Attack, Fourth IEEE International Workshop on Pervasive Computing and Communication Security (PerCom 2007), 2007

Year 2006

Journal (incl. LNCS)

• Marc P.C. Fossorier, Miodrag J. Mihaljevic, Hideki Imai, Yang Cui, Kanta Matsuura. An Algorithm for Solving the LPN Problem and Its Application to Security Evaluation of the HB Protocol for RFID Authentication, Lecture Notes in Computer Science (7th International Conference on Cryptology in India: Indocrypt'06), Vol.4329, pp.48-62, 2006 [detail]

abstract

An algorithm for solving the "learning parity with noise"(LPN) problem is proposed and analyzed. The algorithm originates from the recently proposed advanced fast correlation attacks, and it employs the concepts of decimation, linear combining, hypothesizing and minimum distance decoding. However, as opposed to fast correlation attacks, no preprocessing phase is allowed for the LPN problem. The proposed algorithm appears as more powerful than the best one previously reported known as the BKW algorithm proposed by Blum, Kalai and Wasserman. In fact the BKW algorithm is shown to be a special instance of the proposed algorithm, but without optimized parameters. An improved security evaluation, assuming the passive attacks, of Hopper and Blum HB and HB+ protocols for radio-frequency identification (RFID) authentication is then developed. Employing the proposed algorithm, the security of the HB protocols is reevaluated, implying that the previously reported security margins appear as overestimated.
• Thi Lan Anh Phan, Yumiko Hanaoka, Goichiro Hanaoka, Kanta Matsuura, Hideki Imai. Reducing the Spread of Damage of Key Exposure in Key Insulated Encryption, Lecture Notes in Computer Science (First International Conference on Cryptology in Vietnam: VietCrypt 2006), Vol.4341, pp.366-384, 2006 [detail]

abstract

A proposal for key exposure resilient cryptography called, key-insulated public key encryption (KIPE), has been proposed by Dodis, Katz, Xu, and Yung [6] in which the secret key is changed over time so that the exposure of current key minimizes the damage overall. We take this idea further toward betterment by introducing new schemes with improved helper key security: in our schemes, we introduce an auxiliary helper key to update the secret key less frequently than the main helper key (and only one of these keys is used at each key updates,) as a result, this gives added protection to the system, by occasional auxiliary key updates, reducing the spread of further harm that may be caused by key exposure when compared to the original KIPE. Our proposed schemes are proven to be semantically secure in the random oracle model.
• Takashi Kitagawa, Peng Yang, Goichro Hanaoka, Rui Zhang, Hajime Watanabe, Kanta Matsuura, Hideki Imai. Generic Transforms to Acquire CCA-Security for Identity Based Encryptions: The Cases of FOpkc and REACT, Lecture Notes in Computer Science (11th Australasian Conference on Information Security and Provacy: ACISP 2006), Vol.4058, pp.348-359, 2006 [detail]

abstract

Fujisaki-Okamoto (FOpkc) conversion [13] and REACT[17] are widely known to be able to generically convert a weak public key encryption scheme to a strong encryption scheme. In this paper, we discuss applications of FOpkc conversion and REACT to Identity Based Encryptions (IBE). It has not been formally verified yet that whether these conversions are generic in the IBE setting. Our results show that both conversions are effective in the IBE case: plain REACT already achieves a good security reduction while the plain FOpkc conversion results in bad running time of the simulator. We further propose a simple modification to the plain FOpkc that solves this problem. Finally, we choose some concrete parameters to explain (visually) the effect of how the modified FOpkc substantially improves reduction cost regarding the plain conversion.

keywords

Fujisaki-Okamoto, identity based encryption, security enhancement.
• Leping Huang, Hiroshi Yamane, Kanta Matsuura, Kaoru Sezaki. Silent Cascade: Enhancing Location Privacy without Communication QoS Degradation, Lecture Notes in Computer Science (Security in Pervasive Computing: Third International Conference: SPC 2006), Vol.3934, pp.165-180, 2006 [detail]

abstract

In a wireless communication network, it is possible to locate a user and track its trajectory based on its transmission, during communication with access points. This type of tracking leads to the breach of a user's location privacy. Prior solutions to this problem enhances user's location privacy at the expense of communication Quality of Service(QoS) degradation. In this paper, we propose silent cascade to enhance a user' location privacy by trading users' delay in silent cascade for anonymity. As a result, it avoids the problem of QoS degradation in prior solutions. Furthermore, we abstract silent cascade as a mix-network based formal model, and use this model to evaluate the performance of silent cascade. Study results prove the effectiveness of silent cascade under different types of QoS requirements. Besides, we also derive the optimal configuration of silent cascade to achieves target anonymity within minimum duration of time. and the theoretical upper bound of a silent cascade's anonymity.
• Nuttapong Attrapadung, Yang Cui, David Galindo, Goichiro Hanaoka, Ichiro Hasuo, Hideki Imai, Kanta Matsuura, Peng Yang, Rui Zhang. Relations among Notions of Security for Identity Based Encryption Schemes, Lecture Notes in Computer Science (LATIN 2006: Theoretical Informatics: 7th Latin American Symposium), Vol.3887, pp.130-141, 2006 [detail]

abstract

This paper shows that the standard security notion for iden- tity based encryption schemes (IBE), that is IND-ID-CCA2, captures the essence of security for all IBE schemes. To achieve this intention, we first describe formal definitions of the notions of security for IBE, and then present the relations among OW, IND, SS and NM in IBE, along with rigorous proofs. With the aim of comprehensiveness, notions of security for IBE in the context of encryption of multiple messages and/or to mul- tiple receivers are finally presented. All of these results are proposed with the consideration of the particular attack in IBE, namely the adaptive chosen identity attack.

keywords

Identity based encryption, security notions.
• Peng Yang, Takashi Kitagawa, Goichiro Hanaoka, Rui Zhang, Kanta Matsuura, Hideki Imai. Applying Fujisaki-Okamoto to Identity-Based Encryption, Lecture Notes in Computer Science (Applied Algebra, Algebraic Algorithms and Error-Correcting Codes: 16th International Symposium: AAECC-16), Vol.3857, pp.183-192, 2006 [detail]

abstract

The Fujisaki-Okamoto (FO) conversion is widely known to be able to generically convert a weak public key encryption scheme, say one-way against chosen plaintext attacks (OW-CPA), to a strong one, namely, indistinguishable against adaptive chosen ciphertext attacks (IND-CCA). It is not known that if the same holds for identity-based encryption (IBE) schemes, though many IBE and variant schemes are in fact specifically using the FO conversion. In this paper, we investigate this issue and confirm that the FO conversion is generically effective also in the IBE case. However, straightforward application of the FO conversion only leads to an IBE scheme with a loose (but polynomial) reduction. We then propose a simple modification to the FO conversion, which results in considerably more efficient security reduction.

keywords

Fujisaki-Okamoto, identity based encryption, security enhancement.

Conference

• Kanta Matsuura. Security Securities: How to Measure the Market View on Information-Security Risks, 6th Japan-America Frontiers of Engineering Symposium, 2006
• Peng Yang, Takashi Kitagawa, Goichiro Hanaoka, Rui Zhang, Hajime Watanabe, Kanta Matsuura, Hideki Imai. A Simple Approach to Evaluate Fujisaki-Okamoto Conversion in Identity Based Encryption, Proceedings of the 2006 International Symposium on Information Theory and Its Applications (ISITA'06), pp.507-512, 2006 [detail]

abstract

The Fujisaki-Okamoto (FO) conversion is a very powerful security enhancement method in public key encryption (PKE) schemes. The generality of the plain FO in identity based encryption (IBE) schemes was verified, and a slightly different version, the modified FO, was proposed. Both of the plain FO and the modified FO could achieve the goal of converting a weak IBE scheme, i.e., one-way against adaptive chosen identity and chosen plaintext attacks ({\sf OW-ID-CPA}), to the strongest one, namely, indistinguishability against adaptive chosen identity and adaptive chosen ciphertext attacks (\textsf{IND-ID-CCA}). This work aims to evaluate the plain FO and the modified FO by substituting proper concrete values. By mainly focusing on the time costs of security reductions, we show the modified FO is better than the plain one.

keywords

Fujisaki-Okamoto, identity based encryption, security enhancement.
• Masaki Ishiguro, Hideyuki Tanaka, Kanta Matsuura, Ichiro Murase. The Effect of Information Security Incidents on Corporate Values in the Japanese Stock Market, The Workshop on the Economics of Securing the Information Infrastructure, 2006 [detail]

abstract

We investigated the economic effects of newspaper reports of information security incidents on corporate values in the Japanese stock market. We found a different trend of effects in terms of reaction speed in the Japanese stock market compared with the US market. The reaction to news reports of the incidents is slower in the Japanese stock market than in the US market. We found statistically significant reactions in around 10 days after the news reports. We also found a new factor, i.e. PBR (Price Book-value Ratio), has more impact to the corporate market values than incident type, firm type or firm size. Corporate investments on information security are highly evaluated as intangible assets in the stock market especially for IT-oriented firms. PBR represents a kind of a measure how much intangible assets are evaluated in the market compared with net (tangible) assets. Our result suggests that firms whose intangible assets are highly evaluated suffer from the security incidents more severely than those whose intangible assets are evaluated smaller.
• Wei Liu, Hideyuki Tanaka, Kanta Matsuura. An Empirical Analysis of Security Investment in Countermeasures Based on an Enterprise Survey in Japan, Workshop on the Economics of Information Security 2006 (WEIS2006), 2006 [detail]

abstract

This paper presents a two-step empirical analysis of investing in security countermeasures based on a Japanese enterprise survey. At the first step, we verify the relations between probability of computer virus incidents and adopting a set of information security countermeasures. It is shown that "Defense Measure" associated with "Information Security Policy" and "Human Cultivation" has remarkable effects on virus incidents. At the second step, we analyze the effect of continuous investments in the three security countermeasures using two years' data. The empirical results suggest that virus incidents were significantly reduced in those enterprises which adopted the three countermeasures both in 2002 and in 2003.

Year 2005

Journal (incl. LNCS)

• Takayuki Furuya, Takahiro Matsuzaki, Kanta Matsuura. Detection of Unknown DoS Attacks by Kolmogorov-Complexity Fluctuation, Lecture Notes in Computer Science (Information Security and Cryptology: First SKLOIS Conference: CISC 2005), Vol.3822, pp.395-406, 2005 [detail]

abstract

Detection of unknown Denial-of-Service (DoS) attacks is a hard issue. What attackers do is simply to consume a large amount of target resources. This simple feature allows attackers to create a wide variety of attack flows, and hence we must find a sophisticated general metric for detection. A possible metric is Kolmogorov Complexity (KC), a measure of the size of the smallest program capable of representing the given piece of data flows because DoS attacks, known or unknown, are anyway launched by computer programs. However, there are no established DoS-detection methods which make use of this possibility. And to make matters worse, it is well known that KC cannot be rigorously computed. In this paper, we compare three different KC estimation methods including a new proposal of our own, and propose a new DoS-detection method by monitoring fluctuation of KC differentials.
• Leping Huang, Hiroshi Yamane, Kanta Matsuura, Kaoru Sezaki. Towards Modeling Wireless Location Privacy, Lecture Notes in Computer Science (5th International Workshop on Privacy Enhancing Technologies: PET 2005), Vol.3856, pp.59-77, 2005 [detail]

abstract

The lack of a formalmodel in wireless location privacy protection research makes it difficult to evaluate new location privacy protection proposals, and difficult to utilize existing research results in anonymous communication into this new problem. In this paper, we analyze a wireless location privacy protection system (WLP2S), and generalize it to a MIX based formal model, which includes a MIX, a set of MIX's user, and a intruder of MIX. In addition, we also use information theory approach to define anonymity and measures of this model, and describe the characteristics of observation process in WLP2S in detail. Two benefits arise from our model. Firstly, it provides a means of evaluating the privacy level of proposed location privacy protection protocols. We use the measures of proposed formal model to study the performance of our novel silent period technique. Simulation results reveal the role of many parameters-such as users' mobility pattern and intruders' tracking accuracy-on users' privacy level. The results shed more light on improving our defense protocol. Secondly, our approach provides a link between existing defense and attack protocols in MIX research and the new location privacy protection problem. By utilizing the formal model, we conducted preliminary studies in identifying potential attacks, and improve the performance of existing defense protocol. This study results an extension of existing defense protocols. Those simulation and analytical results demonstrates the promising potential of our model.
• Hideyuki Tanaka, Kanta Matsuura, Osamu Sudo. Vulnerability and information security investment: An empirical analysis of e-local government in Japan, The Journal of Accounting and Public Policy, Vol.24, No.Issue. 1, pp.37-59, 2005 [detail]

abstract

The authors aim to verify the relation between vulnerability and information security investment. This relation is empirically analyzed using data on e-local governments in Japan. The results suggest that the decisions an economic entity makes concerning information security investment depend on vulnerability. Our research lends empirical support to prior economic research.

Conference

• Krishna Sampigethaya, Leping Huang, Mingyan Li, Radha Poovendran, Kanta Matsuura, Kaoru Sezaki. CARAVAN: Providing Location Privacy for VANET, Embedded Security in Cars 2005 (ESCAR 2005), 2005
• Atsuhiro Yamagishi, Kanta Matsuura, Hideki Imai. Cryptographic Module Validation Program in Japan, Proceedings of the 2005 IEEE International Engineering Management Conference (IEMC 2005), Vol.II, pp.485-489, 2005 [detail]

abstract

The information system consists of networks containing many entities. Furthermore, an information system is built into a part of infrastructure, and bears an important role. Therefore, the security countermeasures of the information system have been important subjects. In an information system, an adversary attacks an entity with a low security level. Therefore, the security level of all the entities should be unified into the common level. If it is under common directions of an administrative organization, the security level of each entity can be unified easily. However, in order that separate administrator may administer each entity, it is not easy to unify a security level. For example, in a Japanese Egovernment system, each ministry agency performs procurement and administration of their system. Therefore, the security level of each E-government system is not always the same. When each system is administered separately and it is moreover hard to commit legal force, in order to unify a security level, you have to recognize a mutual security level. In order to recognize a security level, evaluation and certification of a security system are important. Common Criteria is well known for evaluation and certification of the security level of a system. Common Criteria is the security criteria for evaluating whether from a viewpoint of information security, the product and system relevant to an information technology are designed appropriately and the design is implemented surely. It was recognized as ISO/IEC standards in June, 1999. However, in Common Criteria, the evaluation and certification of Cryptographic Module which are used with an information system have not been applicable. Cryptographic Module is functional block which offers the cryptographic function used with information systems and its security level needs to evaluate. It is necessary to perform evaluation of Cryptographic Module individually with Common Criteria evaluation. Security Requirements for Cryptographic Modules which used in Government agency is already defined as FIPS 140-2 in the U.S. and Canada. And they cooperate with the Validation scheme. The system which the U.S. and Canada are operating is premised on unitary control. However, in many E-government system of Japan, the vendor of Cryptographic Module and the vendor of a system are in same company. When the vendor of Cryptographic Module and a system is in common, the specification of Cryptographic Module is not released in many cases. Therefore, much time is required in order to build a system like the U.S. and Canada. Then, we did the case study about the conditions for building up Cryptographic Module Validation system smoothly under the situation like Japan. In this paper, we report that result.
• Kanta Matsuura. University-Industry Collaboration in the Information Security Field: An International Comparison, Proceedings of the 2005 IEEE International Engineering Management Conference (IEMC 2005), Vol.I, pp.95-98, 2005
• Leping Huang, Hiroshi Yamane, Kanta Matsuura, Kaoru Sezaki. Protecting Location Privacy for Wireless Network, ARO workshop on Localization in Wireless Sensor Networks, 2005
• Hideyuki Tanaka, Kanta Matsuura. Vulnerability and Effects of Information Security Investment: A Firm Level Empirical Analysis of Japan, International Forum of Financial Information Systems and Cybersecurity: A Public Policy Perspective, 2005
• Kanta Matsuura. Cross-Sector Collaboration in Japanese Information-Security Industry, and the Shock of Personal Information Protection Laws, Proceedings of the 11th International Conference on Industrial Engineering and Engineering Management, pp.1178-1181, 2005
• Leping Huang, Kanta Matsuura, Hiroshi Yamane, Kaoru Sezaki. Enhancing Wireless Location Privacy Using Silent Periods, Proceedings of IEEE Wireless Communications and Networking Conference 2005, Vol.2, pp.1187-1192, 2005