田中 俊昭

ストリーム暗号を構成要素としたハッシュ関数(Stream-Cipher-based Hash function,SCH)は,高速なハッシュ生成処理を可能とする.しかしながら,SCHの安全性に関する検証は十分に行われていない.そこで本論文では,「事前処理」と「ストリーム暗号」の二つの構成要素から成るSCHのモデル化を提案し,安全性の検討を行う.脆弱性を含む既存のSCH(AbacusおよびBoole)にモデルを適用し,解析を行うことで,脆弱性を持つ構成要素を明らかにする.さらに,脆弱な構成要素に変更を加えることで,既存の攻撃に対して安全性を向上できることを示す.本検討より,安全なSCHを構成するための構成要素の必要条件を導出する.

In large-scale networks users want to be able to communicate securely with each other over a channel that is unreliable. When the existing 2- and 3-party protocols are realized in this situation there are several problems: a client must hold many passwords and the load on the server concerning password management is heavy. In this paper we define a new ideal client-to-client general authenticated key exchange functionality where arbitrary 2-party key exchange protocols are applicable to protocols between the client and server and between servers. We also propose a client-to-client general authenticated key exchange protocol C2C-GAKE as a general form of the client-to-client model and a client-to-client hybrid authenticated key exchange protocol C2C-HAKE as an example protocol of C2C-GAKE to solve the above problems. In C2C-HAKE a server shares passwords only with clients in the same realm respectively public/private keys are used between respective servers and two clients between different realms share a final session key via the respective servers. Thus with regard to password management in C2C-HAKE the load on the server can be distributed to several servers. In addition we prove that C2C-HAKE securely realizes the above functionality. C2CHAKE is the first client-to-client hybrid authenticated key exchange protocol that is secure in a universally composable framework with a security-preserving composition property.In large-scale networks, users want to be able to communicate securely with each other over a channel that is unreliable. When the existing 2- and 3-party protocols are realized in this situation, there are several problems: a client must hold many passwords and the load on the server concerning password management is heavy. In this paper, we define a new ideal client-to-client general authenticated key exchange functionality, where arbitrary 2-party key exchange protocols are applicable to protocols between the client and server and between servers. We also propose a client-to-client general authenticated key exchange protocol C2C-GAKE as a general form of the client-to-client model, and a client-to-client hybrid authenticated key exchange protocol C2C-HAKE as an example protocol of C2C-GAKE to solve the above problems. In C2C-HAKE, a server shares passwords only with clients in the same realm respectively, public/private keys are used between respective servers, and two clients between different realms share a final session key via the respective servers. Thus, with regard to password management in C2C-HAKE, the load on the server can be distributed to several servers. In addition, we prove that C2C-HAKE securely realizes the above functionality. C2CHAKE is the first client-to-client hybrid authenticated key exchange protocol that is secure in a universally composable framework with a security-preserving composition property.

本論文では,排他的論理和(XOR)を用いて高速に動作する(k,n)閾値秘密分散法(閾値法)において,いくつかの機能拡張を提案する.従来の高速な閾値法における復元手法では,分散情報の生成行列の逆行列の探索を行うため,実装上では条件分岐の多用による処理遅延が問題となる.そこで,復元時に生成行列を使用せず,分散情報のインデックスの値のみから,秘密情報を復元するための分散情報の断片の組み合わせを示す行列を,機械的に導出する手法を提案する.提案手法は,従来手法における逆行列の探索の計算量を削減し,ハードウェアおよびソフトウェアに適した実装が可能である.

本論文では,排他的論理和(XOR)を用いて高速に動作する(k,n)閾値秘密分散法(閾値法)において,いくつかの機能拡張を提案する.本論文では,part 1.で新たに導入した分散情報の構成に関する概念「特異点」を用いて,XORを用いた高速(k,n)閾値法を基にした閾値ランプ型秘密分散法と,分散情報への付加情報埋め込み方式を提案する.高速ランプ法は,従来のShamirの手法に対するランプ法と同様に,安全性をわずかに劣化させる代わりに分散情報のサイズを大幅に削減することを可能とする.また,付加情報の埋め込み方式は,ディーラーと事前に共有した権限を有する管理者のみが,秘密情報に加えて権限に対応する付加情報を復元可能とし,秘密分散法の特徴を用いた秘匿通信やアクセス制御方式を可能とする.

排他的論理和演算のみを用いて高速な秘密情報の分散・復元を可能とする(4,n)閾値秘密分散法を提案する.更に,(4,n)閾値法の分散情報の構成法を一般化して拡張し,(k,n)閾値法の構成法を示す.提案する(k,n)閾値法は,任意の閾値kと任意の分散数nで構成でき,排他的論理和演算のみで高速な分散・復元処理が可能な理想的秘密分散法である.

Copyright protection is a major issue in online content-distribution services and many keymanagement schemes have been proposed for protecting content. Key-distribution processes impose large burdens even though the communications bandwidth itself is restricted in the distribution of mobile content provided to millions of users. Mobile devices also have low computational capacities. Thus a new scheme of key management where the load on the key-distribution server is optimal and loads on clients are practical is required for services. Tree-based schemes aim at reducing the load on the server and do not take reducing the load on clients into account. The load on clients is minimized in a star-based scheme on the other hand while the load on the server increases in proportion to the number of clients. These structures are far from being scalable. We first discuss a relaxation of conventional security requirements for key-management schemes in this paper and define new requirements to improve the efficiency of the schemes. We next propose the τ-gradual key-management scheme. Our scheme satisfies the new security requirements and loads on the server and it has far fewer clients than conventional schemes. It uses an intermediate configuration between that of a star- and a tree-structure that allows us to continuously change it by controlling the number of clients in a group m_max. The scheme can be classified as τ-star-based τ-treebased or τ-intermediate depending on the parameter m_max. We then present a quantitative evaluation of the load on the server and clients using all our schemes based on practical assumptions. The load on the server and that on clients involves a trade-off with the τ- intermediate scheme. We can construct an optimal key-management structure according to system requirements using our schemes while maintaining security. We describe a concrete strategy for setting parameter m_max. Finally we present general parameter settings by which loads on both the server and clients using the τ-intermediate scheme are lower than those using the τ-tree-based scheme.Copyright protection is a major issue in online content-distribution services and many keymanagement schemes have been proposed for protecting content. Key-distribution processes impose large burdens even though the communications bandwidth itself is restricted in the distribution of mobile content provided to millions of users. Mobile devices also have low computational capacities. Thus, a new scheme of key management, where the load on the key-distribution server is optimal and loads on clients are practical, is required for services. Tree-based schemes aim at reducing the load on the server and do not take reducing the load on clients into account. The load on clients is minimized in a star-based scheme, on the other hand, while the load on the server increases in proportion to the number of clients. These structures are far from being scalable. We first discuss a relaxation of conventional security requirements for key-management schemes in this paper and define new requirements to improve the efficiency of the schemes. We next propose the τ-gradual key-management scheme. Our scheme satisfies the new security requirements and loads on the server, and it has far fewer clients than conventional schemes. It uses an intermediate configuration between that of a star- and a tree-structure that allows us to continuously change it by controlling the number of clients in a group, m_max. The scheme can be classified as τ-star-based, τ-treebased, or τ-intermediate depending on the parameter, m_max. We then present a quantitative evaluation of the load on the server and clients using all our schemes based on practical assumptions. The load on the server and that on clients involves a trade-off with the τ- intermediate scheme. We can construct an optimal key-management structure according to system requirements using our schemes, while maintaining security. We describe a concrete strategy for setting parameter m_max. Finally, we present general parameter settings by which loads on both the server and clients using the τ-intermediate scheme are lower than those using the τ-tree-based scheme.

There has recently been active research on mobile agent technology. Very few however address security issues for a practical service model such that a number of service providers are engaged over the heterogeneous network. In this paper we present a new approach on ``access control'' to realize global authorization under such environments. In our method policy files and information related with authentication for an agent are consistently managed and efficiently processed by an authentication server of each network. Furthermore for the purpose to enhance the security and realize the efficient access control new interface modules called ``secure stub'' are proposed. As the result of its evaluation it can be basically feasible to operate in our proposed system architecture. We believe that the work presented here is significant to the advancement of the existing mobile agent environments supporting secure communications.There has recently been active research on mobile agent technology. Very few, however, address security issues for a practical service model such that a number of service providers are engaged over the heterogeneous network. In this paper, we present a new approach on ``access control'' to realize global authorization under such environments. In our method, policy files and information related with authentication for an agent are consistently managed and efficiently processed by an authentication server of each network. Furthermore, for the purpose to enhance the security and realize the efficient access control, new interface modules called ``secure stub'' are proposed. As the result of its evaluation, it can be basically feasible to operate in our proposed system architecture. We believe that the work presented here is significant to the advancement of the existing mobile agent environments supporting secure communications.