研究成果

Card-based cryptography realizes secure multiparty computation using physical cards. In 2018, Watanabe et al. proposed a card-based three-input majority voting protocol using three cards. In a card-based cryptographic protocol with n-bit inputs, it is known that a protocol using shuffles requires at least 2n cards. In contrast, as Watanabe et al.'s protocol, a protocol using private permutations can be constructed with fewer cards than the lower bounds above. Moreover, an n-input protocol using private permutations would not even require n cards in principle since a private permutation depending on an input can represent the input without using additional cards. However, there are only a few protocols with fewer than n cards. Recently, Abe et al. extended Watanabe et al.'s protocol and proposed an n-input majority voting protocol with n cards and n + \floor{n/2} + 1 private permutations. This paper proposes an n-input majority voting protocol with \ceil{n/2}+1 cards and 2n-1 private permutations, which is also obtained by extending Watanabe et al.'s protocol. Compared with Abe et al.'s protocol, although the number of private permutations increases by about n/2, the number of cards is reduced by about n/2. In addition, unlike Abe et al.'s protocol, our protocol includes Watanabe et al.'s protocol as a special case where n=3.

Card-based cryptography is a variety of secure multiparty computation (MPC). Recently, a new technique called private operations was introduced because the protocol can be implemented with fewer cards than that by using the conventional technique called the shuffle. For example, Nakai et al. showed that if the private operations are available, secure computations of AND and OR operations for two inputs can be realized simultaneously by using four cards, and the protocol is applied to a four-card majority voting protocol with three inputs. This paper shows that only three cards are sufficient to construct a majority voting protocol with three inputs. Specifically, we propose two constructions of three-input majority voting protocols. One is a protocol assuming that players can announce their output, and the other is not allowed. Compared to Nakai et al.'s protocol, the protocol with the announcement is realized without any additional private operations and communications. On the other hand, the second construction requires two more private operations and communications because it removes the assumption on the announcement from the first construction. More importantly, the idea of the second protocol can be extended to an n-input majority voting protocol with n cards, which is the main result of this paper.

In March 2023, ChatGPT generated a new puzzle, Sumplete. Sumplete consists of an n x n grid, each whose cell has an integer. In addition, each row and column of the grid has an integer, which we call a target value. The goal of Sumplete is to make the sum of integers in each row and column equal to the target value by deleting some integers of the cells. In this paper, we prove that Sumplete is NP-complete and propose a physical zero-knowledge proof for Sumplete. To show the NP-completeness, we give a polynomial reduction from the subset sum problem to Sumplete. In our physical zero-knowledge proof protocol, we use a card protocol that realizes the addition of negative and positive integers using cyclic permutation on a sequence of cards. To keep the solution secret, we use a technique named decoy technique.

Cyber attacks on control system communication are increasing. In information systems, a lot of security counter-measure focusing on the distribution of communication packets has been studied so far. Such attack detection methods evaluate normal and abnormal packets based on the likelihood and the relative entropy. Whether the methods for information systems are also effective for control systems is another question. Then, this paper conducts attack detection experiments based on the likelihood and the relative entropy of DoS and spoofing attacks on Modbus TCP communication used in industrial control systems.

Card-based protocol is a multi-party computation using cards. The card-based protocol using operations called private operation has an advantage that the number of cards and the number of times of communication are smaller than the card-based protocol using operations called shuffle. However, there is a disadvantage that private operation allows dishonest players to perform malicious behaviors. Although the method to detect malicious behaviors in private operations was proposed, the method was available only in committed-format protocols, where inputs and outputs are represented by a pair of cards called commitment. In this paper, we show how to detect malicious behaviors in non-committed-format protocol with an example of a three-input majority voting protocol using private operations. Our majority voting protocol requires a smaller number of cards than the minimum number of cards required for committed-format protocols.

A private PEZ protocol is a variant of secure multi-party computation performed using a (long) PEZ dispenser. The original paper by Balogh et al. presented a private PEZ protocol for computing an arbitrary function with n inputs. This result is interesting, but no follow-up work has been presented since then, to the best of our knowledge. We show herein that it is possible to shorten the initial string (the sequence of candies filled in a PEZ dispenser) and the number of moves (a player pops out a specified number of candies in each move) drastically if the function is symmetric. Concretely, it turns out that the length of the initial string is reduced from O(2ⁿ!) for general functions in Balogh et al.’s results to O(n·n!)$ for symmetric functions, and 2ⁿ moves for general functions are reduced to n² moves for symmetric functions. Our main idea is to utilize the recursive structure of symmetric functions to construct the protocol recursively. This idea originates from a new initial string we found for a private PEZ protocol for the three-input majority function, which is different from the one with the same length given by Balogh et al. without describing how they derived it.

高機能暗号は，個人情報等の機密情報を保護したまま，データ分析やアクセス制御等を実行可能とする暗号技術（の総称）であり，データの利活用の更なる推進を促すうえで極めて有効と考えられている．しかしながら，高機能暗号は，用途に応じた多様な技術に細分化がなされており，また，それらの個別の技術によって提供される機能や安全性は複雑であるため，理解が容易ではない．そのため，高機能暗号の利用により利益が得られる潜在的な利用者であっても，技術的な理解が不十分なため，利用を躊躇する場合も少なくないものと思われる．したがって，高機能暗号の社会実装を進めるうえで，その機能や安全性についての理解を促すための技術の研究開発が別途必要である．本論文では，そのような高機能暗号の機能や安全性をわかりやすく説明することを可能とするツールである物理・視覚暗号やその関連技術について紹介を行う．物理・視覚暗号を適切に用いた説明を行うことで，それらに対応した高機能暗号に関する潜在的な利用者への技術的な理解が促され，高機能暗号の社会実装が促進されるものと考えられる．

Research in the area of secure multi-party computation with an unconventional method of using a physical deck of playing cards began in 1989 when den Boar proposed a protocol to compute the logical AND function using five cards. Since then, the area has gained interest from many researchers and several card-based protocols to compute various functions have been developed. In this paper, we propose a card-based protocol called the overwriting protocol that can securely compute the k-candidate n-variable equality function f: {0,1,…,k−1}^{n} \to {0,1}. We also apply the technique used in this protocol to compute other similar functions.