Toshiaki Tanaka

Hash functions using stream ciphers as components perform fast on a variety of platforms. However, stream-cipher-based hash functions (SCHs) have not been studied sufficiently yet. In this paper, we present a model of SCHs consisting of two parts: a pre-computation phase and a stream cipher phase. We apply this model to existing broken SCHs, Abacus and Boole, and analyze the vulnerabilities corresponding to existing attacks for each part of our model. By applying our model to these algorithms, weak parts in the algorithms are revealed, and we show that these vulnerabilities can be removed by minor modifications to each part. Furthermore, we clarify the requirements for the pre-computation phase and the stream cipher phase to realize secure SCHs.

In large-scale networks, users want to be able to communicate securely with each other over a channel that is unreliable. When the existing 2- and 3-party protocols are realized in this situation, there are several problems : a client must hold many passwords and the load on the server concerning password management is heavy. In this paper, we define a new ideal client-to-client general authenticated key exchange functionality, where arbitrary 2-party key exchange protocols are applicable to protocols between the client and server and between servers. We also propose a client-to-client general authenticated key exchange protocol C2C-GAKE as a general form of the client-to-client model, and a client-to-client hybrid authenticated key exchange protocol C2C-HAKE as an example protocol of C2C-GAKE to solve the above problems. In C2C-HAKE, a server shares passwords only with clients in the same realm respectively, public/private keys are used between respective servers, and two clients between different realms share a final session key via the respective servers. Thus, with regard to password management in C2C-HAKE, the load on the server can be distributed to several servers. In addition, we prove that C2C-HAKE securely realizes the above functionality. C2C-HAKE is the first client-to-client hybrid authenticated key exchange protocol that is secure in a universally composable framework with a security-preserving composition property.

This paper proposes several extensions of fast (k,n)-threshold schemes which use EXCLUSIVE-OR(XOR) operations. Existing fast threshold schemes need to calculate inverse matrices in recovery phase and hence these operations on software/hardware are delayed due to conditional branching in calculation of invese matrices. We introduce a new method to calculate a particular matrix in a recovery algorithm. Our method does not need to make a generator matrix for shares or to calculate inverse matrices of block matrices. The particular matrix which denotes the combination of divided pieces of shares to recover the secret is calculated by rote only from the share indexes. Futhermore, our method can be implemented without "IF" statement (conditional branching) by using word-wise XOR operations, cyclic shift operations and bit shift operations. Thus, our method can be operated more rapidly than existing schemes on software and hardware.

This paper proposes several extensions of fast (k,n)-threshold schemes which use EXCLUSIVE-OR(XOR) operations. We introduced the new concept of singular point of divided pieces of shares in part one. Several methods using singular point based on fast (k,n)-threshold schemes are proposed in this paper. These comprise a fast threshold ramp scheme and a method to embed additional information into shares. Similar to a ramp scheme based on Shamir's threshold scheme, our fast ramp scheme realizes to reduce each bit-size of shares instead of degradation of security. On the other hand, a method to embed additional information allows only participants who pre-shared the authorities with the dealer to recover not only the secret but also the additional information corresponding to the authority from k shares. Thus, this embedding method can realize a distributed subliminal channel (storage) between the dealer and the trusted participant, simple access control method and so on, which use the property of secret sharing schemes.

In Shamir's (k,n)-threshold secret sharing scheme, a heavy computational cost is required to recover the secret from k shares. As a solution to this problem, several fast threshold schemes are proposed. However, there is no fast ideal (k,n)-threshold scheme, where k >_ 4 and n is arbitrary. This paper proposes a new fast (4,n)-threshold scheme using just EXCLUSIVE-OR(XOR) operations to make shares and recover the secret, which is an ideal secret sharing scheme similar to Shamir's scheme. Furthermore, we extend and generalize the (4,n)-threshold scheme to a new fast (k,n)-threshold scheme using XOR operations with arbitrary k and n, which is also an ideal secret sharing scheme.

Copyright protection is a major issue in online content-distribution services and many key-management schemes have been proposed for protecting content. Key-distribution processes impose large burdens even though the communications bandwidth itself is restricted in the distribution of mobile content provided to millions of users. Mobile devices also have low computational capacities. Thus, a new scheme of key management, where the load on the key-distribution server is optimal and loads on clients are practical, is required for services. Tree-based schemes aim at reducing the load on the server and do not take reducing the load on clients into account. The load on clients is minimized in a star-based scheme, on the other hand, while the load on the server increases in proportion to the number of clients. These structures are far from being scalable. We first discuss a relaxation of conventional security requirements for key-management schemes in this paper and define new requirements to improve the efficiency of the schemes. We next propose the τ-gradual key-management scheme. Our scheme satisfies the new security requirements and loads on the server, and it has far fewer clients than conventional schemes. It uses an intermediate configuration between that of a star- and a tree-structure that allows us to continuously change it by controlling the number of clients in a group, m_<max>. The scheme can be classified as τ-star-based, τ-tree-based, or τ-intermediate depending on the parameter, m_<max>. We then present a quantitative evaluation of the load on the server and clients using all our schemes based on practical assumptions. The load on the server and that on clients involves a trade-off with the τ-intermediate scheme. We can construct an optimal key-management structure according to system requirements using our schemes, while maintaining security. We describe a concrete strategy for setting parameter m_<max>. Finally, we present general parameter settings by which loads on both the server and clients using the τ-intermediate scheme are lower than those using the τ-tree-based scheme.

There has recently been active research on mobile agent technology. Very few, however, address security issues for a practical service model such that a number of service providers are engaged over the heterogeneous network. In this paper, we present a new approach on "access control" to realize global authorization under such environments. In our method, policy files and information related with authentication for an agent are consistently managed and efficiently processed by an authentication server of each network. Furthermore, for the purpose to enhance the security and realize the efficient access control, new interface modules called "secure stub" are proposed. As the result of its evaluation, it can be basically feasible to operate in our proposed system architecture. We believe that the work presented here is significant to the advancement of the existing mobile agent environments supporting secure communications.