Publication


Featured research published by Kazukuni Kobara.


Designs, Codes and Cryptography | 2008

Semantic security for the McEliece cryptosystem without random oracles

Ryo Nojima; Hideki Imai; Kazukuni Kobara; Kirill Morozov

In this paper, we formally prove that padding the plaintext with a random bit-string provides the semantic security against chosen plaintext attack (IND-CPA) for the McEliece (and its dual, the Niederreiter) cryptosystems under the standard assumptions. Such padding has recently been used by Suzuki, Kobara and Imai in the context of RFID security. Our proof relies on the technical result by Katz and Shin from Eurocrypt ’05 showing “pseudorandomness” implied by the learning parity with noise (LPN) problem. We do not need the random oracles as opposed to the known generic constructions which, on the other hand, provide a stronger protection as compared to our scheme—against (adaptive) chosen ciphertext attack, i.e., IND-CCA(2). In order to show that the padded version of the cryptosystem remains practical, we provide some estimates for suitable key sizes together with corresponding workload required for successful attack.


Pervasive Computing and Communications | 2007

Lightweight Asymmetric Privacy-Preserving Authentication Protocols Secure against Active Attack

Kazukuni Kobara; Kanta Matsuura; Hideki Imai

As pervasive computing technologies develop fast, privacy protection becomes a crucial issue and needs to be handled very carefully. Typically, it is difficult to efficiently identify and manage the many low-cost pervasive devices, like radio frequency identification devices (RFID), without leaking any private information. In particular, the adversary may not only eavesdrop on the communication in a passive way, but also mount an active attack to ask queries adaptively, which is obviously more dangerous. Towards settling this problem, in this paper, we propose lightweight authentication protocols which are privacy-preserving against active attack. The protocols are based on a fast asymmetric encryption with a novel simplification, which consequently assigns easy work to pervasive devices. Besides, unlike the usual management of identities, our approach does not require any synchronization or exhaustive search in the database, which is a great convenience in the case of a large-scale system.


International Workshop on Security | 2007

A secure threshold anonymous password-authenticated key exchange protocol

SeongHan Shin; Kazukuni Kobara; Hideki Imai

At Indocrypt 2005, Viet et al. [20] proposed an anonymous password-authenticated key exchange (PAKE) protocol and its threshold construction, both of which are designed for clients' password-based authentication and anonymity against a passive server, who does not deviate from the protocol. In this paper, we first point out that their threshold construction is completely insecure against off-line dictionary attacks. For the threshold t > 1, we propose a secure threshold anonymous PAKE (for short, TAP) protocol with the number of clients n upper-bounded, such that n ≤ 2√(N−1) − 1, where N is the dictionary size of passwords. We also show that the TAP protocol provides semantic security of session keys in the random oracle model, with a reduction to the computational Diffie-Hellman problem, as well as anonymity against a passive server. For the threshold t = 1, we propose an efficient anonymous PAKE protocol that significantly improves efficiency in terms of computation costs and communication bandwidth compared to the original (not threshold) anonymous PAKE protocol [20].


Mathematical Methods in Computer Science | 2008

Coding-Based Oblivious Transfer

Kazukuni Kobara; Kirill Morozov; Raphael Overbeck

We present protocols for two flavors of oblivious transfer (OT): Rabin and 1-out-of-2 OT, based on assumptions related to the security of the McEliece cryptosystem and two zero-knowledge identification (ZKID) schemes, Stern's from Crypto '93 and Shamir's from Crypto '89, which are based on syndrome decoding and permuted kernels, respectively. This is a step towards diversifying the computational assumptions on which OT, a cryptographic primitive of central importance, can be based.

As a by-product, we expose new interesting applications for both ZKID schemes: Stern's can be used for proving correctness of McEliece encryption, while Shamir's can be used for proving that some matrix represents a permuted subcode of a given code.

Unfortunately, it turned out to be difficult to reduce the sender's security of both schemes to a hard problem, although intuition suggests a successful attack may allow solving some long-standing problems in coding theory.


Journal of Information Processing | 2014

Evaluation of Physical Unclonable Functions for 28-nm Process Field-Programmable Gate Arrays

Yohei Hori; Hyunho Kang; Toshihiro Katashita; Akashi Satoh; Shinichi Kawamura; Kazukuni Kobara

In this study, the properties of physical unclonable functions (PUFs) for 28-nm process field-programmable gate arrays (FPGAs) are examined. A PUF is a circuit that generates device-specific IDs by extracting device variations. Owing to device variation, no two PUFs will generate the same ID even if they have identical structures and are manufactured on the same silicon wafer. However, because the influence of device variation increases as the size of the process node shrinks, it is uncertain whether PUFs can be built using recently developed small-scale process nodes, even though the technology of variation control is constantly advancing. While many PUFs using 40-nm or larger process nodes have been reported, smaller devices have not yet been studied to the authors’ knowledge, and this is the first published journal article on PUFs for 28-nm process FPGAs. In this paper, within-die reproducibility, die-to-die uniqueness, and other properties are evaluated, and the feasibility of PUFs on 28-nm FPGAs is discussed.


Wireless Communications and Networking Conference | 2009

Lightweight Broadcast Authentication Protocols Reconsidered

Shigenori Yamakawa; Kazukuni Kobara; Hideki Imai

In an emergency broadcast system (or emergency alert system), which aims to broadcast warning information immediately in time of emergency such as a natural or civil disaster, computationally restricted devices such as pocket terminals and sensors need to instantly and securely verify the correctness and integrity of the received message packets. Though many broadcast authentication systems have been proposed, most of them require relatively high computation cost.

In this paper, we propose a new lightweight broadcast authentication protocol, McSBA, based on the McEliece signature. It can be verified quickly with a tiny computation cost, making it applicable on power-restricted devices. We first estimate the time performance and compare McSBA with the widely used RSA signature and the well-known TESLA broadcast authentication protocol, to show that the verification of McSBA has a low cost and is faster than the others. In particular, our estimation shows that McSBA can verify in less than 1 s in emergency situations, whereas an RSA signature with the same security takes more than 4 s. Then we use a simulation of the verification of RSA signatures and McSBA on the same platform to attest that verification of McSBA is about ten times faster than RSA signature, which also supports our estimation result. Consequently, we expect that our technique is useful in emergency broadcast systems.


Applicable Algebra in Engineering, Communication and Computing | 2009

Very-Efficient Anonymous Password-Authenticated Key Exchange and Its Extensions

SeongHan Shin; Kazukuni Kobara; Hideki Imai

An anonymous password-authenticated key exchange (anonymous PAKE) protocol is designed to provide both password-only authentication and user anonymity. In this paper, we propose a very-efficient anonymous PAKE (called VEAP) protocol that is the most efficient of its kind in terms of computation and communication costs. The VEAP protocol guarantees semantic security of session keys in the random oracle model under the chosen-target CDH problem, and unconditional user anonymity against a semi-honest server. If pre-computation is allowed, the computation cost of the VEAP protocol is the same as the well-known Diffie-Hellman protocol! In addition, we extend the VEAP protocol in two ways.


IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences | 2008

A Secure Construction for Threshold Anonymous Password-Authenticated Key Exchange

SeongHan Shin; Kazukuni Kobara; Hideki Imai

At Indocrypt 2005, Viet et al. [21] proposed an anonymous password-authenticated key exchange (PAKE) protocol and its threshold construction, both of which are designed for clients' password-based authentication and anonymity against a passive server, who does not deviate from the protocol. In this paper, we first point out that their threshold construction is completely insecure against off-line dictionary attacks. For the threshold t > 1, we propose a secure threshold anonymous PAKE (for short, TAP) protocol with the number of clients n upper-bounded, such that n ≤ 2√(N−1) − 1, where N is the dictionary size of passwords. We rigorously prove that the TAP protocol has semantic security of session keys in the random oracle model by showing a reduction to the computational Diffie-Hellman problem. In addition, the TAP protocol provides unconditional anonymity against a passive server. For the threshold t = 1, we propose an efficient anonymous PAKE protocol that significantly improves efficiency in terms of computation costs and communication bandwidth compared to the original (not threshold) anonymous PAKE protocol [21].


Systems, Man and Cybernetics | 2006

Privacy Enhanced and Light Weight RFID System without Tag Synchronization and Exhaustive Search

Masataka Suzuki; Kazukuni Kobara; Hideki Imai

Radio frequency identification systems (RFID systems) are becoming popular in various applications, such as supply chain management, animal husbandry and so on. They are useful for managing not only things but also living things. Privacy, however, must be taken into account when they are used around people, since people carrying RFID tags can easily be tracked and traced. While several solutions have been proposed to solve this problem, they have the drawbacks that the back-end servers (or the readers) must exhaustively search all the registered IDs to identify the RFID tags and/or that the database must synchronize with the tags. The former is not desirable when a huge number of RFID tags must be managed, and the latter is not desirable when restoring the database from a backup (since the tags and the database are no longer synchronized after restoration). In this paper, we propose how to solve these problems without deteriorating the privacy protection ability.


Computer and Communications Security | 2009

Partnership in key exchange protocols

Kazukuni Kobara; SeongHan Shin; Mario Strefler

In this paper, we investigate the notion of partnership as found in security models for key exchange protocols. Several different approaches have been pursued to define partnership, with varying degrees of success. We aim to provide an overview and criticism of the various definitions and point out some pitfalls that can be encountered when trying to define partnership. As a result, we propose an intuitive way of defining partnership directly from equality of session keys. In addition, we show that authentication can be captured using a definition of partnership by equality of partner identifiers, and give proofs that both definitions achieve what we expect from them.

Collaboration

Top co-authors of Kazukuni Kobara:

Hideki Imai (Yokohama National University)

SeongHan Shin (National Institute of Advanced Industrial Science and Technology)

Jin Tamura (National Institute of Information and Communications Technology)

Manabu Hagiwara (National Institute of Advanced Industrial Science and Technology)