Minoru KURIBAYASHI Masakatu MORII
Digital fingerprinting is used to trace back illegal users, where unique ID known as digital fingerprints is embedded into a content before distribution. On the generation of such fingerprints, one of the important properties is collusion-resistance. Binary codes for fingerprinting with a code length of theoretically minimum order were proposed by Tardos, and the related works mainly focused on the reduction of the code length were presented. In this paper, we present a concrete and systematic construction of the Tardos's fingerprinting code using a chaotic map. Using a statistical model for correlation scores, the actual number of true-positive and false-positive detection is measured. The collusion-resistance of the generated fingerprinting codes is evaluated by a computer simulation.
Ryoichi TERAMURA Yasuo ASAKURA Toshihiro OHIGASHI Hidenori KUWAKADO Masakatu MORII
Conventional efficient key recovery attacks against Wired Equivalent Privacy (WEP) require specific initialization vectors or specific packets. Since it takes much time to collect the packets sufficiently, any active attack should be performed. An Intrusion Detection System (IDS), however, will be able to prevent the attack. Since the attack logs are stored at the servers, it is possible to prevent such an attack. This paper proposes an algorithm for recovering a 104-bit WEP key from any IP packets in a realistic environment. This attack needs about 36,500 packets with a success probability 0.5, and the complexity of our attack is equivalent to about 220 computations of the RC4 key setups. Since our attack is passive, it is difficult for both WEP users and administrators to detect our attack.
Sho SAKIKOYAMA Yosuke TODO Kazumaro AOKI Masakatu MORII
Linear cryptanalysis proposed by Matsui is one of the most effective attacks on block ciphers. Some attempts to improve linear cryptanalysis have been made since Matsui introduced. We focus on how to optimize linear cryptanalysis with such techniques, and we apply the optimized linear cryptanalysis on FEAL-8X. First, we evaluate two existing implementation methods so as to optimize the computation time of linear cryptanalysis. Method 1 removes redundant round function computations and optimizes the other computation of linear cryptanalysis by transforming it into bitwise operations. Method 2 transforms the computation of linear cryptanalysis into a matrix multiplication and reduces the time complexity of the multiplication using the fast Fourier transform (FFT). We implement both methods optimized for modern microprocessors and compare their computation time to clarify the appropriate method for practical cryptanalysis. From the result, we show that the superior implementation depends on the number of given known plaintexts (KPs) and that of guessed key bits. Furthermore, we show that these results enable us to select the superior method to implement linear cryptanalysis without another comparative experiment. By using the superior method, we implement the multiple linear cryptanalysis (MLC) on FEAL-8X. Our implementation can recover the secret key of FEAL-8X with 210KPs in practical computation time with non-negligible probability, and it is the best attack on FEAL-8X in data complexity.
Takuya OHARA Makoto TAKITA Masakatu MORII
Reduction of redundancy and improvement of error-correcting capability are essential research themes in the coding theory. The best known codes constructed in various ways are recorded in a database maintained by Markus Grassl. In this paper, we propose an algorithm to construct the best code using punctured codes and a supporting method for constructing the best codes. First, we define a new evaluation function to determine deletion bits and propose an algorithm for constructing punctured linear codes. 27 new best codes were constructed in the proposed algorithm, and 112 new best codes were constructed by further modifying those best codes. Secondly, we evaluate the possibility of increasing the minimum distance based on the relationship between code length, information length, and minimum distance. We narrowed down the target (n, k) code to try the best code search based on the evaluation and found 28 new best codes. We also propose a method to rapidly derive the minimum weight of the modified cyclic codes. A cyclic code loses its cyclic structure when it is modified, so we extend the k-sparse algorithm to use it for modified cyclic codes as well. The extended k-sparse algorithm is used to verify our newly constructed best code.
Hidenori KUWAKADO Masakatu MORII
Since Bellare and Ristenpart showed a multi-property preserving domain extension transform, the problem of the construction for multi-property hash functions has been reduced to that of the construction for multi-property compression functions. However, the Davies-Meyer compression function that is commonly used for standard hash functions is not a multi-property compression function. That is, in the ideal cipher model, the Davies-Meyer compression function is collision resistant, but it is not indifferentiable from a random oracle. In this paper, we show that the compression function proposed by Lai and Massey is a multi-property compression function. In addition, we show that the simplified version of the Lai-Massey compression function is also a multi-property compression function. The use of these compression functions enables us to construct multi-property hash functions by the multi-property preserving domain extension transform.
Yoshiaki SHIRAISHI Toshihiro OHIGASHI Masakatu MORII
Knudsen et al. proposed an efficient method based on a tree-search algorithm with recursive process for reconstructing the internal state of RC4 stream cipher. However, the method becomes infeasible for word size n > 5 because its time complexity to reconstruct the internal state is too large. This letter proposes a more efficient method than theirs. Our method can reconstruct the internal state by using the pre-known internal-state entries, which are fewer than their method.
In recent years, wireless LAN systems are widely used in campuses, offices, homes and so on. It is important to discuss the security aspect of wireless LAN networks in order to protect data confidentiality and integrity. The IEEE Standards Association formulated some security protocols, for example, Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access Temporal Key Integrity Protocol (WPA-TKIP). However, these protocols have vulnerability for secure communication. In 2008, we proposed an efffective key recovery attack against WEP and it is called the TeAM-OK attack. In this paper, first, we present a different interpretation and the relation between other attacks and the TeAM-OK attack against WEP. Second, we present some existing attacks against WPA-TKIP and these attacks are not executable in a realistic environment. Then we propose an attack that is executable in a realistic environment against WPA-TKIP. This attack exploits the vulnerability implementation in the QoS packet processing feature of IEEE 802.11e. The receiver receives a falsification packet constructed as part of attack regardless of the setting of IEEE 802.11e. This vulnerability removes the attacker's condition that access points support IEEE 802.11e. We confirm that almost all wireless LAN implementations have this vulnerability. Therefore, almost all WPA-TKIP implementations cannot protect a system against the falsification attack in a realistic environment.
Ryusei NAGASAWA Keisuke FURUMOTO Makoto TAKITA Yoshiaki SHIRAISHI Takeshi TAKAHASHI Masami MOHRI Yasuhiro TAKANO Masakatu MORII
The Topics over Time (TOT) model allows users to be aware of changes in certain topics over time. The proposed method inputs the divided dataset of security blog posts based on a fixed period using an overlap period to the TOT. The results suggest the extraction of topics that include malware and attack campaign names that are appropriate for the multi-labeling of cyber threat intelligence reports.
Masanori HIROTOMO Masami MOHRI Masakatu MORII
Low-density parity-check (LDPC) codes are linear block codes defined by sparse parity-check matrices. The codes exhibit excellent performance under iterative decoding, and the weight distribution is used to analyze lower error probability of their decoding performance. In this paper, we propose a probabilistic method for computing the weight distribution of LDPC codes. The proposed method efficiently finds low-weight codewords in a given LDPC code by using Stern's algorithm, and stochastically computes the low part of the weight distribution from the frequency of the found codewords. It is based on a relation between the number of codewords with a given weight and the rate of generating the codewords in Stern's algorithm. In the numerical results for LDPC codes of length 504, 1008 and 4896, we could compute the weight distribution by the proposed method with greater accuracy than by conventional methods.
Makoto TAKITA Masanori HIROTOMO Masakatu MORII
In this paper, we discuss an algebraic decoding of BCH codes over symbol-pair read channels. The channels output overlapping pairs of symbols in storage applications. The pair distance and pair error are used in the channels. We define a polynomial that represents the positions of the pair errors as the error-locator polynomials and a polynomial that represents the positions of the pairs of a received pair vector in conflict as conflict-locator polynomial. In this paper, we propose algebraic methods for correcting two-pair and three-pair errors for BCH codes. First, we show the relation between the error-locator polynomials and the conflict-locator polynomial. Second, we show the relation among these polynomials and the syndromes. Finally, we provide how to correct the pair errors by solving equations including the relational expression by algebraic methods.
Ken-ichi IWATA Masakatu MORII Tomohiko UYEMATSU Eiji OKAMOTO
Many Ziv-Lempel algorithms have a similar property, that is, slow encoding and fast decoding. This paper proposes a simple improved Ziv-Lempel algorithm to encode a large amount of data quickly as well as compactly by using multiple-processor system.
Yuki FUNABIKI Yosuke TODO Takanori ISOBE Masakatu MORII
HIGHT is a 64-bit block lightweight cipher, which adopts the ARX-based generalized Feistel network, and it accepts a 128-bit key. It is a standard encryption algorithm in South Korea and also is internationally standardized by ISO/IEC 18033-3. Therefore, many third-party cryptanalyses have been proposed against HIGHT. Impossible differential and integral attacks are applied to reduced-round HIGHT, and especially, the impossible differential attack causes the 27-round attack, which is the current best attack under the single-key setting. In this paper, we propose some improved integral attacks against HIGHT. We first apply the division property to HIGHT and find new 19-round integral characteristics, which are improved by two rounds compared with the previous best ones. We append 9-round key recovery to these characteristics and it enables us to attack 28-round HIGHT. Its time complexity is 2127.02 where 263 chosen plaintexts and 2117 memory are required. Moreover, we can attack 29-round HIGHT if the full codebook is used, where its time and memory complexities are 2126.07 and 2118, respectively. It improves by two rounds compared with the previous best attack.
Hidenori KUWAKADO Masakatu MORII
The security notion of indifferentiability was proposed by Maurer, Renner, and Holenstein in 2004. In 2005, Coron, Dodis, Malinaud, and Puniya discussed the indifferentiability of hash functions. They have shown that the Merkle-Damgård construction is not secure in the sense of indifferentiability. In this paper, we analyze the security of single-block-length and rate-1 compression functions in the sense of indifferentiability. We formally show that all single-block-length and rate-1 compression functions, which include the Davies-Meyer compression function, are insecure. Furthermore, we show how to construct a secure single-block-length and rate-1 compression function in the sense of indifferentiability. This does not contradict our result above.
Yuhei WATANABE Takanori ISOBE Toshihiro OHIGASHI Masakatu MORII
RC4 is a well-known stream cipher designed by Rivest. Due to considerable cryptanalysis efforts over past 20 years, several kinds of statistic biases in a key stream of RC4 have been observed so far. Finally, practical full plaintext recovery attacks on RC4 in SSL/TLS were independently proposed by AlFardan et al. and Isobe et al. in 2013. Responded to these attacks, usage of RC4 has drastically decreased in SSL/TLS. However, according to the research by Trustworthy Internet Movement, RC4 is still used by some websites for the encryption on SSL/TLS. In this paper, we shows a new plaintext recovery attack for RC4 under the assumption of HTTPS. We develop a method for exploiting single-byte and double-byte biases together to efficiently guess the target bytes, while previous attacks use either single-byte biases or double-byte biases. As a result, target plaintext bytes can be extracted with higher probability than previous best attacks given 229 ciphertexts encrypted by randomly-chosen keys. In the most efficient case, the success probability of our attack are more than twice compared to previous best attacks.
Masanori HIROTOMO Masakatu MORII
In this paper, we propose an efficient method for computing the weight spectrum of LDPC convolutional codes based on circulant matrices of quasi-cyclic codes. In the proposed method, we reduce the memory size of their parity-check matrices with the same distance profile as the original codes, and apply a forward and backward tree search algorithm to the parity-check matrices of reduced memory. We show numerical results of computing the free distance and the low-part weight spectrum of LDPC convolutional codes of memory about 130.
Makoto TAKITA Masanori HIROTOMO Masakatu MORII
Cassuto and Blaum proposed new error correcting codes which are called symbol-pair codes. They presented a coding framework for channels whose outputs are overlapping pairs of symbols in storage applications. Such channels are called symbol-pair read channels. The pair distance and pair error are used in symbol-pair read channels. Cassuto et al. and Yaakobi et al. presented decoding algorithms for symbol-pair codes. However, their decoding algorithms cannot always correct errors whose number is not more than half the minimum pair distance. In this paper, we propose a new decoding algorithm using syndromes of symbol-pair codes. In addition, we show that the proposed algorithm can correct all pair errors within the pair error correcting capability.
Masanori HIROTOMO Masami MOHRI Masakatu MORII
In the analysis of maximum-likelihood decoding performance of low-density parity-check (LDPC) codes, the weight distribution is an important factor. We presented a probabilistic method for computing the weight distribution of LDPC codes, and showed results of computing the weight distribution of several LDPC codes. In this paper, we improve our previously presented method and propose a probabilistic computation method with reliability for the weight distribution of LDPC codes. Using the proposed method, we can determine the weight distribution with small failure probability.
The theory of finite fields has been successfully applied to the constructing of the various algebraic codes, digital signal processing, and techniques of cryptography. Especially the theories on four operations are very important, because it is strongly related to the size and the throughput of the gate circuits for the various encoders and decoders. In this paper we shall give a new method for constructing the gate circuit that yields the multiplicative inverses over GF (2m). The method is based on a new algorithm for computing multiplicative inverses in GF (2m). The operations needed for our algorithm are rarely performed on GF (2m), but primarily on the subfields of GF (2m). When performing the multiplication and division over finite fields, the idea of using the subfield has been given wide attention. However the conventional algorithms taking advantage of this idea are not necessarily efficient from the practical point of view. We see that our algorithm proved superior to the conventional methods when GF (2m) has the subfield GF (22).
Yoshiaki SHIRAISHI Kenta NOMURA Masami MOHRI Takeru NARUSE Masakatu MORII
Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is suitable for data access control on cloud storage systems. In ABE, to revoke users' attributes, it is necessary to make them unable to decrypt ciphertexts. Some CP-ABE schemes for efficient attribute revocation have been proposed. However, they have not been given a formal security proof against a revoked user, that is, whether they satisfy forward secrecy has not been shown or they just do not achieve fine-grained access control of shared data. We propose an attribute revocable attribute-based encryption with the forward secrecy for fine-grained access control of shared data. The proposed scheme can use both “AND” and “OR” policy and is IND-CPA secure under the Decisional Parallel Bilinear Diffie-Hellman Exponent assumption in the standard model.