Keitaro Hashimoto

I am a researcher at Security Assurance Scheme Research Team in Cyber Physical Security Research Center, National Institute of Advanced Industrial Science and Technology (AIST). I received my Bachelor’s degree in Engineering, Master’s degree in Engineering and Ph.D. in Engineering from Tokyo Institute of Technology in 2018, 2020 and 2023, respectively. My adviser is Prof. Wakaha Ogata. Furthermore, I completed Progressive Graduate Minor in Cybersecurity in 2020. Before I become a resercher at AIST, I worked as a research assistant at AIST from June 2020 to March 2023, and as a research fellowship for young scientists from April 2022 to March 2023.

I am skilled at provable security in cryptography. My research interests are board range of cryptography and information security, especially real-world cryptraphic technologies such as secure messaging and how to propote social implementation of such technologies. Also, I love to systematically analyze security of cryptographic primitives/protocols.

I am a compassionate and cooperative professional. I received the Outstanding Student Award in 2020, Tsujii Shigeo Security Award in 2021, 2022 and 2023, and Seiichi Tejima Ph.D. dissertation award in 2024.

News

Oct 01, 2024	Our new paper titled “A Generic Construction of Deletable Registered Attribute-Based Encryption from Slotted Registered Attribute-Based Encryption” will be presented in a domestic conference CSS 2024.
Jul 02, 2024	Our new paper titled “Security Model for Authenticated Key Exchange, Reconsidered” has been accepted at SCN 2024.
Jul 01, 2024	Our new paper titled “Towards a Tightly Secure Signature in Multi-User Setting with Corruptions Based on Search Assumptions” has been accepted at CFAIL 2024.

Selected publications

CCS:HKP22

How to Hide MetaData in MLS-Like Secure Group Messaging: Simple, Modular, and Post-Quantum

Keitaro Hashimoto, Shuichi Katsumata, and Thomas Prest

In The ACM Conference on Computer and Communications Security (ACM CCS), November 2022

Awareded Abstract ACM DL EPRINT Slides

Grand prize of Tsujii Shigeo Security Award 2023

Secure group messaging (SGM) protocols allow large groups of users to communicate in a secure and asynchronous manner. In recent years, continuous group key agreements (CGKAs) have provided a powerful abstraction to reason on the security properties we expect from SGM protocols. While robust techniques have been developed to protect the contents of conversations in this context, it is in general more challenging to protect metadata (e.g. the identity and social relationships of group members), since their knowledge is often needed by the server in order to ensure the proper function of the SGM protocol.

In this work, we provide a simple and generic wrapper protocol that upgrades non-metadata-hiding CGKAs into metadata-hiding CGKAs. Our key insight is to leverage the existence of a unique continuously evolving group secret key shared among the group members. We use this key to perform a group membership authentication protocol that convinces the server in an anonymous manner that a user is a legitimate group member. Our technique only uses a standard signature scheme, and thus, the wrapper protocol can be instantiated from a wide range of assumptions, including post-quantum ones. It is also very efficient, as it increases the bandwidth cost of the underlying CGKA operations by at most a factor of two.

To formally prove the security of our protocol, we use the universal composability (UC) framework and model a new ideal functionality F^mh_CGKA capturing the correctness and security guarantee of metadata-hiding CGKA. To capture the above intuition of a “wrapper” protocol, we also define a restricted ideal functionality F^ctxt_CGKA, which roughly captures a non-metadata-hiding CGKA. We then show that our wrapper protocol UC-realizes F^mh_CGKA in the F^ctxt_CGKA-hybrid model, which in particular formalizes the intuition that any non-metadata-hiding CGKA can be modularly bootstrapped into metadata-hiding CGKA.
J. Cryptol.:HKKP22

An Efficient and Generic Construction for Signal’s Handshake (X3DH): Post-Quantum, State Leakage Secure, and Deniable

Keitaro Hashimoto, Shuichi Katsumata, Kris Kwiatkowski, and Thomas Prest

Journal of Cryptology, May 2022

Full version of [PKC:HKKP21].

Abstract Springer Code

The Signal protocol is a secure instant messaging protocol that underlies the security of numerous applications such as WhatsApp, Skype,Facebook Messenger among many others. The Signal protocol consists of two sub-protocols known as the X3DH protocol and the double ratchet protocol, where the latter has recently gained much attention. For instance, Alwen, Coretti, and Dodis (Eurocrypt’19) provided a concrete security model along with a generic construction based on simple building blocks that are instantiable from versatile assumptions, including post-quantum ones. In contrast, as far as we are aware, works focusing on the X3DH protocol seem limited. In this work, we cast the X3DH protocol as a specific type of authenticated key exchange (AKE) protocol, which we call a Signal-conforming AKE protocol, and formally define its security model based on the vast prior works on AKE protocols. We then provide the first efficient generic construction of a Signal-conforming AKE protocol based on standard cryptographic primitives such as key encapsulation mechanisms (KEM) and signature schemes. Specifically, this results in the first post-quantum secure replacement of the X3DH protocol based on well-established assumptions. Similar to the X3DH protocol, our Signal-conforming AKE protocol offers a strong(or stronger) flavor of security, where the exchanged key remains secure even when all the non-trivial combinations of the long-term secrets and session-specific secrets are compromised. Moreover, our protocol has a weak flavor of deniability and we further show how to progressively strengthen it using ring signatures and/or non-interactive zero-knowledge proof systems. Finally, we provide a full-fledged, generic C implementation of our (weakly deniable) protocol. We instantiate it with several Round 3 candidates (finalists and alternates) to the NIST post-quantum standardization process and compare the resulting bandwidth and computation performances. Our implementation is publicly available
CCS:HKPPW21

A Concrete Treatment of Efficient Continuous Group Key Agreement via Multi-Recipient PKEs

Keitaro Hashimoto, Shuichi Katsumata, Eamonn W. Postlethwaite, Thomas Prest, and Bas Westerbaan

In The ACM Conference on Computer and Communications Security (ACM CCS), November 2021

Awareded Abstract ACM DL EPRINT Video Code Slides

Tsujii Shigeo Security Award 2022

Continuous group key agreements (CGKAs) are a class of protocols that can provide strong security guarantees to secure group messaging protocols such as Signal and MLS. Protection against device compromise is provided by commit messages: at a regular rate, each group member may refresh their key material by uploading a commit message, which is then downloaded and processed by all the other members. In practice, propagating commit messages dominates the bandwidth consumption of existing CGKAs.

We propose Chained CmPKE, a CGKA with an asymmetric bandwidth cost: in a group of N members, a commit message costs O(N) to upload and O(1) to download, for a total bandwidth cost of O(N). In contrast, TreeKEM [19, 24, 76] costs Ω(logN)in both directions, for a total cost Ω(NlogN). Our protocol relies on generic primitives, and is therefore readily post-quantum.

We go one step further and propose post-quantum primitives that are tailored to Chained CmPKE, which allows us to cut the growth rate of uploaded commit messages by two or three orders of magnitude compared to naive instantiations. Finally, we realize a software implementation of Chained CmPKE. Our experiments show that even for groups with a size as large as N=2^10, commit messages can be computed and processed in less than 100 ms.