Yoshikazu Hanatani

Secure authenticated key exchange with revocation for smart grid

Using cryptographic technologies to provide security solutions in smart grid is extensively discussed in NISTIR 7628 [1] and IEC 62351 standards series [2]. Both series identify cryptographic key management for Intelligent Electronic Devices (IEDs) communication as one of the most important issues. In this paper, considering the system constraints and the security requirements in the smart grid, we propose an authenticated key exchange scheme with revocation by exploiting a well-known cryptographic protocol: Broadcast encryption [3], [11], [12] using a media key block(MKB) [15]. Furthermore, we show that our scheme is efficient in comparison with the PKI-signature based Internet Key Exchange(IKE) protocol, [4], [8] in terms of the following points of view: (1) communication cost; (2) compuation cost; (3) device revocation cost. The comparison results show that our scheme is efficient and cost-effective in most cases for devices and systems in smart grid.

NM-CPA Secure Encryption with Proofs of Plaintext Knowledge

NM-CPA secure asymmetric encryption schemes which prove plaintext knowledge are sufficient for secrecy and verifiability in some domains, for example, ballot secrecy and end-to-end verifiability in electronic voting. In these domains, some applications derive encryption schemes by coupling malleable IND-CPA secure ciphertexts with proofs of plaintext knowledge, without evidence that the sufficient condition is satisfied nor an independent security proof. Consequently, it is unknown whether these applications satisfy the desired secrecy and verifiability properties. In this paper, we propose a generic construction for such a coupling and prove that our construction produces NM-CPA secure encryption schemes which prove plaintext knowledge. Accordingly, we facilitate the development of applications satisfying their secrecy and verifiability objectives and, moreover, we make progress towards security proofs for existing applications.

Secure Multicast Group Management and Key Distribution in IEEE 802.21

Controlling a large number of devices such as sensors and smart end points, is always a challenge where scalability and security are indispensable. This is even more important when it comes to periodic configuration updates to a large number of such devices belonging to one or more groups. One solution could be to take a group of devices as a unit of control and then manage them through a group communication mechanism. An obvious challenge to this approach is how to create such groups dynamically and manage them securely. Moreover, there need to be mechanisms in place by which members of the group can be removed and added dynamically. In this paper, we propose a technique that has been recently standardized in IEEE 802.21 (IEEE Std 802.21d™-2015) with the objective of providing a standard-based solution to the above challenges. The approach relies on Logical Key Hierarchy (LKH) based key distribution mechanism but optimizes the number of encryption and decryption by using “Complete Subtree”. It leverages IEEE 802.21 framework, services, and protocol for communication and management, and provides a scalable and secure way to manage (e.g., add and remove) devices from one or more groups. We describe the group key distribution protocol in details and provide a security analysis of the scheme along with some performance results from a prototype implementation.

Factor-4 and 6 (de)compression for values of pairings using trace maps

The security of pairing-based cryptosystems relies on the hardness of the discrete logarithm problems in elliptic curves and in finite fields related to the curves, namely, their embedding fields. Public keys and ciphertexts in the pairing-based cryptosystems are composed of points on the curves or values of pairings. Although the values of the pairings belong to the embedding fields, the representation of the field is inefficient in size because the size of the embedding fields is usually larger than the size of the elliptic curves. We show factor-4 and 6 compression and decompression for the values of the pairings with the supersingular elliptic curves of embedding degrees 4 and 6, respectively. For compression, we use the fact that the values of the pairings belong to algebraic tori that are multiplicative subgroups of the embedding fields. The algebraic tori can be expressed by the affine representation or the trace representation. Although the affine representation allows decompression maps, decompression maps for the trace representation has not been known. In this paper, we propose a trace representation with decompression maps for the characteristics 2 and 3. We first construct efficient decompression maps for trace maps by adding extra information to the trace representation. Our decompressible trace representation with additional information is as efficient as the affine representation is in terms of the costs of compression, decompression and exponentiation, and the size.

Generating Parameters for Algebraic Torus-Based Cryptosystems

Algebraic torus-based cryptosystems are public key cryptosystems based on the discrete logarithm problem, and have compact expressions compared with those of finite field-based cryptosystems. In this paper, we propose parameter selection criteria for the algebraic torus-based cryptosystems from the viewpoints of security and efficiency. The criteria include the following conditions: consistent resistance to attacks on algebraic tori and their embedding fields, and a large degree of freedom to select parameters suitable for each implementation. An extension degree and a characteristic size of a finite field on which the algebraic tori are defined are adjustable. We also provide examples of parameters satisfying the criteria.

Analyzing and Fixing the QACCE Security of QUIC

QUIC is a secure transport protocol developed by Google. Lychev et al. proposed a security model (QACCE model) to capture the security of QUIC. However, the QACCE model is very complicated, and it is not clear if security requirements for QUIC are appropriately defined. In this paper, we show the first formal analysis result of QUIC using automated security verification tool ProVerif. Our symbolic model formalizes the QACCE model and the specification of QUIC. As the result of the verification, we find three attacks against QUIC in the QACCE model. It means that the Lychev et al.’s security proofs are not correct. We discuss why such attacks occur, and clarify there are unnecessarily strong points in the QACCE model. Finally, we give a way to improve the QACCE model to exactly address the appropriate security requirements.