田中 俊昭

秘密分散法は，秘密情報を漏洩や破壊から保護する技術である．この手法は，秘密情報を符号化して 複数のシェアを生成する．そして，各シェアを別の記憶媒体に分散することで情報を保護する．また，分散されたシェアのうち，特定の部分集合からのみ秘密情報を復号できる．これまで，秘密分散法のうち，線形性を有する「線形秘密分散法」について，Perfect Security，????-strong Security という 2 つの安全性が考えられてきた．前者は，秘密情報全体に対する安全性を議論しており，後者は秘密情報の部分集合に対する安全 性を議論している.しかし，秘密情報を構成する個々の要素に対する安全性は考えられていない．そこで， 本稿では秘密情報の個々の要素に着目し，新たな安全性の尺度「Individual Insecurity Threshold(IIT)」を与える．IITはシェアの集合の大きさで与えられ，IIT以下のシェアの任意の集合からは，秘密情報の各要素は 復号されることはない．さらに本稿では，IIT が符号パラメータ RGHW(Relative Generalized Hamming Weight)により表現できることを明らかにする．また，既存の線形秘密分散法の IIT を一定以上に担保可能とする，秘密情報のPrecoding 手法を与える．最後に，ユニバーサルセキュアネットワーク符号化へと拡張し，Universal IIT を与える．そして，このUniversal IITは，線形秘密分散法のIIT 同様に，符号パラメータ RGRW(Relative Generalized Rank Weight)により表現できることを示す． Linear secret sharing schemes protect secret information from leakage or destruction by encoding the secret information into multiple shares. The secret information can be decoded only from specific subsets of shares. Perfect Security and ????-strong Security have been considered as security measures of linear secret sharing schemes. The former considers the confidentiality of the whole part of the secret information. On the other hand, the latter considers the confidentiality of any subset of pieces of secret information. However, the confidentiality of individual pieces of secret information has not yet been considered. In this paper, we focus on individual pieces of secret information and introduce a new security measure Individual Insecurity Threshold (IIT). The IIT is defined as the threshold on the size of subsets of shares, where no pieces of secret information can be uniquely determined from any subset of size less than or equal to the IIT. We show that the IIT can be expressed by the code parameter Relative Generalized Hamming Weight (RGHW). We also give a precoding method for secret information that can guarantee an inferior of the IIT in any existing linear secret sharing schemes. Moreover, we extend the notion of the IIT to universal secure network coding and give the Universal IIT. We show that the Universal IIT can be expressed by the code parameter Relative Generalized Rank Weight (RGRW) as in the linear secret sharing schemes.

ストリーム暗号を構成要素としたハッシュ関数(Stream-Cipher-based Hash function,SCH)は,高速なハッシュ生成処理を可能とする.しかしながら,SCHの安全性に関する検証は十分に行われていない.そこで本論文では,「事前処理」と「ストリーム暗号」の二つの構成要素から成るSCHのモデル化を提案し,安全性の検討を行う.脆弱性を含む既存のSCH(AbacusおよびBoole)にモデルを適用し,解析を行うことで,脆弱性を持つ構成要素を明らかにする.さらに,脆弱な構成要素に変更を加えることで,既存の攻撃に対して安全性を向上できることを示す.本検討より,安全なSCHを構成するための構成要素の必要条件を導出する.

In large-scale networks users want to be able to communicate securely with each other over a channel that is unreliable. When the existing 2- and 3-party protocols are realized in this situation there are several problems: a client must hold many passwords and the load on the server concerning password management is heavy. In this paper we define a new ideal client-to-client general authenticated key exchange functionality where arbitrary 2-party key exchange protocols are applicable to protocols between the client and server and between servers. We also propose a client-to-client general authenticated key exchange protocol C2C-GAKE as a general form of the client-to-client model and a client-to-client hybrid authenticated key exchange protocol C2C-HAKE as an example protocol of C2C-GAKE to solve the above problems. In C2C-HAKE a server shares passwords only with clients in the same realm respectively public/private keys are used between respective servers and two clients between different realms share a final session key via the respective servers. Thus with regard to password management in C2C-HAKE the load on the server can be distributed to several servers. In addition we prove that C2C-HAKE securely realizes the above functionality. C2CHAKE is the first client-to-client hybrid authenticated key exchange protocol that is secure in a universally composable framework with a security-preserving composition property.In large-scale networks, users want to be able to communicate securely with each other over a channel that is unreliable. When the existing 2- and 3-party protocols are realized in this situation, there are several problems: a client must hold many passwords and the load on the server concerning password management is heavy. In this paper, we define a new ideal client-to-client general authenticated key exchange functionality, where arbitrary 2-party key exchange protocols are applicable to protocols between the client and server and between servers. We also propose a client-to-client general authenticated key exchange protocol C2C-GAKE as a general form of the client-to-client model, and a client-to-client hybrid authenticated key exchange protocol C2C-HAKE as an example protocol of C2C-GAKE to solve the above problems. In C2C-HAKE, a server shares passwords only with clients in the same realm respectively, public/private keys are used between respective servers, and two clients between different realms share a final session key via the respective servers. Thus, with regard to password management in C2C-HAKE, the load on the server can be distributed to several servers. In addition, we prove that C2C-HAKE securely realizes the above functionality. C2CHAKE is the first client-to-client hybrid authenticated key exchange protocol that is secure in a universally composable framework with a security-preserving composition property.

本論文では,排他的論理和(XOR)を用いて高速に動作する(k,n)閾値秘密分散法(閾値法)において,いくつかの機能拡張を提案する.従来の高速な閾値法における復元手法では,分散情報の生成行列の逆行列の探索を行うため,実装上では条件分岐の多用による処理遅延が問題となる.そこで,復元時に生成行列を使用せず,分散情報のインデックスの値のみから,秘密情報を復元するための分散情報の断片の組み合わせを示す行列を,機械的に導出する手法を提案する.提案手法は,従来手法における逆行列の探索の計算量を削減し,ハードウェアおよびソフトウェアに適した実装が可能である.

本論文では,排他的論理和(XOR)を用いて高速に動作する(k,n)閾値秘密分散法(閾値法)において,いくつかの機能拡張を提案する.本論文では,part 1.で新たに導入した分散情報の構成に関する概念「特異点」を用いて,XORを用いた高速(k,n)閾値法を基にした閾値ランプ型秘密分散法と,分散情報への付加情報埋め込み方式を提案する.高速ランプ法は,従来のShamirの手法に対するランプ法と同様に,安全性をわずかに劣化させる代わりに分散情報のサイズを大幅に削減することを可能とする.また,付加情報の埋め込み方式は,ディーラーと事前に共有した権限を有する管理者のみが,秘密情報に加えて権限に対応する付加情報を復元可能とし,秘密分散法の特徴を用いた秘匿通信やアクセス制御方式を可能とする.

排他的論理和演算のみを用いて高速な秘密情報の分散・復元を可能とする(4,n)閾値秘密分散法を提案する.更に,(4,n)閾値法の分散情報の構成法を一般化して拡張し,(k,n)閾値法の構成法を示す.提案する(k,n)閾値法は,任意の閾値kと任意の分散数nで構成でき,排他的論理和演算のみで高速な分散・復元処理が可能な理想的秘密分散法である.

Copyright protection is a major issue in online content-distribution services and many keymanagement schemes have been proposed for protecting content. Key-distribution processes impose large burdens even though the communications bandwidth itself is restricted in the distribution of mobile content provided to millions of users. Mobile devices also have low computational capacities. Thus a new scheme of key management where the load on the key-distribution server is optimal and loads on clients are practical is required for services. Tree-based schemes aim at reducing the load on the server and do not take reducing the load on clients into account. The load on clients is minimized in a star-based scheme on the other hand while the load on the server increases in proportion to the number of clients. These structures are far from being scalable. We first discuss a relaxation of conventional security requirements for key-management schemes in this paper and define new requirements to improve the efficiency of the schemes. We next propose the τ-gradual key-management scheme. Our scheme satisfies the new security requirements and loads on the server and it has far fewer clients than conventional schemes. It uses an intermediate configuration between that of a star- and a tree-structure that allows us to continuously change it by controlling the number of clients in a group m_max. The scheme can be classified as τ-star-based τ-treebased or τ-intermediate depending on the parameter m_max. We then present a quantitative evaluation of the load on the server and clients using all our schemes based on practical assumptions. The load on the server and that on clients involves a trade-off with the τ- intermediate scheme. We can construct an optimal key-management structure according to system requirements using our schemes while maintaining security. We describe a concrete strategy for setting parameter m_max. Finally we present general parameter settings by which loads on both the server and clients using the τ-intermediate scheme are lower than those using the τ-tree-based scheme.Copyright protection is a major issue in online content-distribution services and many keymanagement schemes have been proposed for protecting content. Key-distribution processes impose large burdens even though the communications bandwidth itself is restricted in the distribution of mobile content provided to millions of users. Mobile devices also have low computational capacities. Thus, a new scheme of key management, where the load on the key-distribution server is optimal and loads on clients are practical, is required for services. Tree-based schemes aim at reducing the load on the server and do not take reducing the load on clients into account. The load on clients is minimized in a star-based scheme, on the other hand, while the load on the server increases in proportion to the number of clients. These structures are far from being scalable. We first discuss a relaxation of conventional security requirements for key-management schemes in this paper and define new requirements to improve the efficiency of the schemes. We next propose the τ-gradual key-management scheme. Our scheme satisfies the new security requirements and loads on the server, and it has far fewer clients than conventional schemes. It uses an intermediate configuration between that of a star- and a tree-structure that allows us to continuously change it by controlling the number of clients in a group, m_max. The scheme can be classified as τ-star-based, τ-treebased, or τ-intermediate depending on the parameter, m_max. We then present a quantitative evaluation of the load on the server and clients using all our schemes based on practical assumptions. The load on the server and that on clients involves a trade-off with the τ- intermediate scheme. We can construct an optimal key-management structure according to system requirements using our schemes, while maintaining security. We describe a concrete strategy for setting parameter m_max. Finally, we present general parameter settings by which loads on both the server and clients using the τ-intermediate scheme are lower than those using the τ-tree-based scheme.

昨今のインターネットの普及に伴い、オークションでの詐欺行為や、プロバイダ等における情報漏洩等の問題が増加している。このため、インターネットのユーザが、安心してサービスを利用できるための認証基盤が必要とされる。著者らは、これまで、プライバシー保護を考慮した認証基盤を実現するためのID生成管理方式を提案した。本稿では、考案したID方式について説明すると共に、その具体的な実装と評価について述べる。

本論文では, 認証及び鍵共有プロトコルの安全性を検証するセキュリティプロトコル検証ツールの実装について述べるとともに, その評価結果を示す.本ツールの特徴は, 既存のプロトコル検証ツールと違い, Bellareらが中心となって研究が進められた認証・鍵共有プロトコルの安全性証明の考え方に基づいて設計されている点にある.また, 安全性の証明に基づいて, プロトコルの本質的な部分のみを検証するため, 従来のツールより高速な検証処理が実現可能である.本ツールを用いることで, Secure Mutual Authentication, Semantic Security, Forward Secrecyなどの安全性定義について, そのプロトコルが安全性を満たしているかどうかを自動的に判定することができ, 様々なサービスに適用する認証・鍵共有プロトコルを迅速に設計・検証することができる.

本論文では,認証及び鍵共有プロトコルの安全性を検証するセキュリティプロトコル検証ツールについて述べる.本ツールの特徴は,既存のプロトコル検証ツールと違い,Bellareらが中心となって研究が進められた認証・鍵共有プロトコルの安全性証明の考え方に基づいて設計されている点にある.また,安全性の証明に基づいて,プロトコルの本質的な部分のみを検証するため,従来のツールより高速な検証処理が実現可能である.本ツールを用いることで,Secure Mutual Authentication, Semantic Security, Forward Secrecyなどの安全性定義について,そのプロトコルが安全性を満たしているかどうかを自動的に判定することができ,様々なサービスに適用する認証・鍵共有プロトコルを迅速に設計・検証することができる.

There has recently been active research on mobile agent technology. Very few however address security issues for a practical service model such that a number of service providers are engaged over the heterogeneous network. In this paper we present a new approach on ``access control'' to realize global authorization under such environments. In our method policy files and information related with authentication for an agent are consistently managed and efficiently processed by an authentication server of each network. Furthermore for the purpose to enhance the security and realize the efficient access control new interface modules called ``secure stub'' are proposed. As the result of its evaluation it can be basically feasible to operate in our proposed system architecture. We believe that the work presented here is significant to the advancement of the existing mobile agent environments supporting secure communications.There has recently been active research on mobile agent technology. Very few, however, address security issues for a practical service model such that a number of service providers are engaged over the heterogeneous network. In this paper, we present a new approach on ``access control'' to realize global authorization under such environments. In our method, policy files and information related with authentication for an agent are consistently managed and efficiently processed by an authentication server of each network. Furthermore, for the purpose to enhance the security and realize the efficient access control, new interface modules called ``secure stub'' are proposed. As the result of its evaluation, it can be basically feasible to operate in our proposed system architecture. We believe that the work presented here is significant to the advancement of the existing mobile agent environments supporting secure communications.

ブロードバンドアクセスの実現に伴い、映像や音声などを高速にダウンロードして利用する形態が普及しつつある。このため、大容量のデータを受信端末で受信しながら、メディアの再生を行なうストリーミング転送の利用が考えられる。上記において、メッセージ認証を行うためには一般的に電子署名が用いられるが、ストリーミング転送のように実時間再生を考慮した場合、署名生成/検証処理負荷等による遅延が発生する可能性がある。また、UDP等での信頼性の低いネットワークでの利用を想定して、耐パケットロスを考慮したメカニズムを検討する必要がある。従って、本稿では、これらの課題を解決するため、ストリーミング転送における効率的なメッセージ認証について検討する。