Information and Communications Security

In this paper, we propose a forward secure ring signature scheme without random oracles. With forward security, if a secret key of a corresponding ring member is exposed, all previously signed signatures containing this member remain valid. Yet the one who has stolen the secret key cannot produce any valid signature belonged to the past time period. This is especially useful in the case of ring signature, as the exposure of a single secret key may result in the invalidity of thousands or even millions ring signatures which contain that particular user. However, most of the ring signature schemes in the literature do not provide forward security. The only one with this feature [15] relies on random oracles to prove the security. We are the

first

to construct a forward secure ring signature scheme that can be proven secure without random oracles. Our scheme can be deployed in many applications, such as wireless sensor networks and smart grid system.

In this paper, we propose a set of ring signature (RS) schemes using the lattice basis delegation technique due to [6,7,12]. Our proposed schemes fit with ring trapdoor functions introduced by Brakerski and Kalai [18], and we obtain the first lattice-based ring signature scheme in the random oracle model. Moreover, motivated by Boyen’s work [16], our second construction in the standard model achieves in stronger security definitions and shorter signatures than Brakeski-Kalai scheme.

The computational soundness of formal encryption is studied extensively following the work of Abadi and Rogaway[1]. Recent work considers the scenario in which secret sharing is needed, and separately, the scenario when key cycles are present. The novel technique is the use of a co-induction definition of the adversarial knowledge. In this paper, we prove a computational soundness theorem of formal encryption in the presence of both key cycles and secret shares at the same time, which is a non-trivial extension of former approaches.

An identity-based encryption (IBE) scheme is called anonymous if the ciphertext leaks no information about the recipient’s identity. In this paper, we present a novel anonymous identity-based encryption scheme. Our scheme comes from the analysis of Boyen-Waters anonymous IBE Scheme in which we find a method to construct anonymous IBE schemes. We show that Boyen-Waters anonymous IBE scheme can be transformed from BB

1

-IBE scheme. Our scheme is also transformed from BB

1

-IBE scheme and can be seemed as a variant of Boyen-Waters anonymous IBE scheme. The security proof shows the transformed scheme has the same semantic security as the original scheme and has anonymous security. We prove anonymity under the Decision Linear assumption.

Let a sender Alice computes a ciphertext

C

of a message

M

by using a receiver Bob’s public key

pk

B

. Damgård, Hofheinz, Kiltz, and Thorbek (CT-RSA2008) has proposed the notion

public key encryption with non-interactive opening

(PKENO), where Bob can make an non-interactive proof

π

that proves the decryption result of

C

under

sk

B

is

M

, without revealing

sk

B

itself. When Bob would like to prove the correctness of (

C

,

M

) (e.g., the information

M

sent to Bob is not the expected one), PKENO turns out to be an effective cryptographic primitive. A PKENO scheme for the KEM/DEM framework has also been proposed by Galindo (CT-RSA2009). Bob can make a non-interactive proof

π

that proves the decapsulation result of

C

under

sk

B

is

K

without revealing

sk

B

itself, where

K

is an encapsulation key of the DEM part. That is, no verifier can verify

π

without knowing

K

. This setting is acceptable if

K

is an ephemeral value. However, PKENO is not applicable if an encryption key is shared among certain users beforehand, and is used for a relatively long period before re-running the key agreement protocol, such as symmetric cryptosystems. In this paper, we define the notion

secret key encryption with non-interactive opening

(SKENO), and give a generic construction of SKENO from verifiable random function (VRF) and the Berbain-Gilbert IV-dependent stream cipher construction (FSE2007). Bob can make a non-interactive proof

π

that proves the decryption result of

C

under

K

is

M

, without revealing

K

itself.

The wide deployment of RFID systems has raised many concerns about the security and privacy. Many RFID authentication protocols are proposed for these low-cost RFID tags. However, most of existing RFID authentication protocols suffer from some feasible problems. In this paper, we first discuss the feasible problems that exist in some RFID authentication protocols. Then we propose a lightweight RFID mutual authentication protocol against these feasible problems. To the best of our knowledge, it is the first scalable RFID authentication protocol that based on the SQUASH scheme. The new protocol is lightweight and can provide the forward security. In every authentication session, the tag produces the random number and the response is fresh. It also prevents the asynchronization between the reader and the tag. Additionally, the new protocol is secure against such attacks as replay attack, denial of service attack, man-in-the-middle attack and so on. We also show that it requires less cost of computation and storage than other similar protocols.

Distance bounding protocols enable a device to establish an upper bound on the physical distance to a communication partner so as to prevent location spoofing, as exploited by relay attacks. Recently, Rasmussen and Čapkun (ACM-CCS’08) observed that these protocols leak information on the location of the parties to external observers, which is undesirable in a number of applications—for example if the leaked information leads to the identification of the parties among a group of devices. To remedy this problem, these authors proposed a “privacy-preserving” distance bounding protocol, i.e. that leaks no information on the location of the parties. The present paper reports results from an in-depth security analysis of that new protocol, with as main result an attack that recovers the ephemeral secrets as well as the location information of the two parties for particular choices of parameters. Overall, our results do not contradict the preliminary security analysis by the designers, but rather extends it to other parts of the attack surface.

Many storage systems need to do authorized verification for data integrity. For example, a user stores his data into cloud storage servers and shares his data with his friends. They check data integrity periodically to ensure data intact. However, they don’t want a stranger to check data integrity on their data. Therefore, public verification is undesired in this situation. The user can share his private key to his friends for private verification. However, his friends may reveal his private key to others. In this paper, we proposed the delegable provable data possession (delegable PDP) model to solve this problem. Delegable PDP allows a user to control who can check data integrity of his data, and guarantee that delegated verifiers cannot re-delegate this verification capability to others. Delegable PDP enjoys advantage of authorized verification and convenience of public verification.

We define a delegable PDP model and provide a construction for it. User

$\mathcal{U}$

generates verifiable tags of his data and the delegation key

$dk_{\mathcal{U}\rightarrow\mathcal{V}}$

for delegated verifier

$\mathcal{V}$

.

$\mathcal{U}$

uploads his data, tags, and

$dk_{\mathcal{U}\rightarrow\mathcal{V}}$

to storage servers. When integrity check, storage servers can use

$dk_{\mathcal{U}\rightarrow\mathcal{V}}$

to transform

$\mathcal{U}$

’s tags into the form that

$\mathcal{V}$

can verify with his private key

$sk_\mathcal{V}$

. Our model allows

$\mathcal{U}$

to revoke

$\mathcal{V}$

’s verification capability by removing

$dk_{\mathcal{U}\rightarrow\mathcal{V}}$

from storage servers directly. We prove our protocol secure in the random oracle model. Our protocol achieves proof unforgeability, proof indistinguishability, and delegation key unforgeability.

Without the use of computational assumptions, unconditionally secure oblivious transfer (OT) is impossible in the standard model where the parties are using a clear channel. Such impossibilities can be overcome by using a noisy channel. Recently, Palmieri and Pereira proposed a protocol based on random channel delays only. Their scheme is secure in the semi-honest model, but not in the general malicious model. In this paper we study oblivious transfer in the same setting but we improve the result to obtain a fully secure protocol in the malicious model.

Upcoming vehicular

ad hoc

networks (VANETs) allowing vehicles to talk to each other are expected to enhance safety and efficiency in transportation systems. This type of networks is especially attractive in highly populated urban areas overwhelmed with traffic congestions and accidents. Besides vulnerabilities versus attacks against traffic safety and driver privacy, a large-scale VANET in a metropolitan area raises scalability and management challenges. This paper employs identity-based group signatures (IBGS) to divide a large-scale VANET into easy-to-manage groups and establish liability in vehicular communications while preserving privacy. Each party’s human-recognizable identity is used as its public key and no additional certificate is required. This efficiently avoids the complicated certificate management of existing protocols. We further investigate selfish verification approach to accelerate message processing in VANETs. With this approach, a vehicle selects only the messages affecting its driving decisions and validates the selected messages as if they were a single one.

In a compartmented access structure, there are disjoint participants

C

1

,…,

C

m

. The access structure consists of subsets of participants containing at least

t

i

from

C

i

for

i

 = 1,…,

m

, and a total of at least

t

0

participants. Tassa [2] asked: whether there exists an efficient ideal secret sharing scheme for such an access structure? Tassa and Dyn [5] realized this access structure with the help of its dual access structure. Unlike the scheme constructed in [5], we propose a direct solution here, in the sense that it does not utilize the dual access structure. So our method is compact and simple.

In this paper, we investigate a new concept, called

share selectable secret sharing

, where no unauthorized set can obtain information of the secret (in the information-theoretic sense) even if shares are selectable as arbitrary values which are independent of the secret. We propose two totally selectable (i.e., all users’ shares are selectable) secret sharing schemes with unanimous structure. We also propose a quasi-selectable (i.e., a part of each user’s share is selectable) secret sharing scheme with certain hierarchical structures which contains special cases of the hierarchical threshold structures introduced by Tamir Tassa in TCC2004 (or its full version (J. Cryptology2007)). If all selectable shares are randomly chosen, then our schemes are perfect. Finally, we discuss the effect of the leakage information of the secret if a weak secret is indicated as a selectable share.

Geometric distortion is known as one of the most difficult attacks to resist, for it can desynchronize the location of the watermark and hence causes incorrect watermark detection. It is a challenging work to design a robust color image watermarking scheme against geometric distortions. Based on the Support Vector Regression (SVR) and Pyramidal Dual-Tree Directional Filter Bank (PDTDFB), a new color image watermarking algorithm against geometric distortion is proposed. Experimental results show that the proposed scheme is not only invisible and robust against common image processing operations such as median filtering, noise adding, and JPEG compression etc., but also robust against the geometrical distortions and combined attacks.

In the last decade, the requirement for copyright protection of digital multimedia has become more and more urgent. As an efficient method to address this issue, watermarking has gained a lot of attention. To watermarking system, detectors have an important influence on its performance. In this paper, we propose a new optimal detector to multiplicative watermarking in the discrete cosine transform (DCT) domain, which is based on Cauchy models. Furthermore, theoretical analysis is also presented. The performance of the new detector is confirmed by various experiments.

Root extraction is a classical problem in computers algebra. It plays an essential role in cryptosystems based on elliptic curves. In 2006, Barreto and Voloch proposed an algorithm to compute

r

th roots in

$\mathbb{F}_{q^m} $

for certain choices of

m

and

q

. If

r

||

q

 − 1 and (

m

,

r

) = 1, they proved that the complexity of their method is

$\widetilde{\mathcal{O}}(r(\log m+\log\log q)m\log q) $

. In this paper, we extend the Barreto-Voloch algorithm to the general case that

r

||

q

m

 − 1, without the restrictions

r

||

q

 − 1 and (

m

,

r

) = 1 . We also specify the conditions that the Barreto-Voloch algorithm can be preferably applied.

In recent years, several classes of Boolean functions with good cryptographic properties have been constructed by using univariate (or bivariate) polynomial representation of Boolean functions over finite fields. The estimation of an incomplete additive character sum plays an important role in analyzing the nonlinearity of these functions. In this paper, we consider replacing this character sum with another incomplete additive character sum, whose estimation was firstly given by A.Winterhof in 1999. Based on Winterhof’s estimation, we try to modify two of these functions and obtain better nonlinearity bound of them.

Compared with block ciphers, stream ciphers are more efficient when implemented in hardware environment, like Field Programma-ble Gate Array (FPGA). In this paper, we propose three optimized schemes in the FPGA implementation of a novel and recently proposed stream cipher, ZUC, which is a new cryptographic algorithm proposed for inclusion in the ’4G’ mobile standard called LTE (Long Term Evolution). These three schemes are based on reusing area of S-box, calculation of CSA tree and pipelined architecture to implement ZUC on FPGA respectively. We also evaluate each optimized scheme in terms of performance and consumed area in Xilinx FPGA device to compare their actual hardware efficiency. According to the evaluation results, the third scheme, namely pipelined architecture implementation, optimizes hardware implementation of ZUC for the best performance and achieves a throughput of 7.1 Gbps using only 575 slices by speeding up the keystream generating on FPGA. To our knowledge, it is an extremely efficient hardware implementation of ZUC at present. Moreover, it also shows that ZUC is quite flexible to balance different throughput with consumed area.

GOST 28147-89 is a well-known block cipher and the official encryption standard of the Russian Federation. A 256-bit block cipher considered as an alternative for AES-256 and triple DES, having an amazingly low implementation cost and thus increasingly popular and used [12,15,13,20]. Until 2010 researchers have written that: “despite considerable cryptanalytic efforts spent in the past 20 years, GOST is still not broken”, see [15] and in 2010 it was submitted to ISO 18033 to become a worldwide industrial encryption standard. In 2011 it was suddenly discovered that GOST is insecure on more than one account. There is a variety of recent attacks on GOST [3,7]. We have reflection attacks [14,7], attacks with double reflection [7], and various attacks which do not use reflections [7,3]. The final key recovery step in these attacks is in most cases a software algebraic attack [7,3] and sometimes a Meet-In-The-Middle attack [14,7].

In this paper we show that GOST is NOT SECURE even against (advanced forms of) differential cryptanalysis (DC). Previously Russian researchers postulated that GOST will be secure against DC for as few as 7 rounds out of 32 [9,19] and Japanese researchers were already able to break about 13 rounds [18]. In this paper we show a first advanced differential attack faster than brute force on full 32-round GOST.

Extended MD4 is a hash function proposed by Rivest in 1990 with a 256-bit hash value. The compression function consists of two different and independent parallel lines called Left Line and Right Line, and each line has 48 steps. The initial values of Left Line and Right Line are denoted by

IV

0

and

IV

1

respectively. Dobbertin proposed a collision attack for the compression function of Extended MD4 with a complexity of about 2

40

under the condition that the value for

IV

0

 = 

IV

1

is prescribed. In this paper, we gave a collision attack on the full Extended MD4 with a complexity of about 2

37

. Firstly, we propose a collision differential path for both lines by choosing a proper message difference, and deduce a set of sufficient conditions that ensure the differential path hold. Then by using some precise message modification techniques to improve the success probability of the attack, we find two-block collisions of Extended MD4 with less than 2

37

computations. This work provides a new reference to the collision analysis of other hash functions such as RIPEMD-160 etc. which consist of two lines.

In this paper, we firstly present an approach to derive a kind of special linear characteristics for byte-oriented SPN block ciphers. Then based on this approach, we study the security of the block cipher ARIA against linear cryptanalysis and propose an attack on 7-round ARIA with 128/192/256-bit key size, an attack on 9-round ARIA with 192/256-bit key size as well as an attack on 11-round ARIA with 256-bit key size. The designers of ARIA expect that there isn’t any effective attack on 8 or more rounds of ARIA with 128/192/256-bit key size by means of linear cryptanalysis. However, our work shows that such attacks do exist. Moreover, our cryptanalytic results are the best known cryptanalytic results of ARIA so far.

In this paper, we propose new attacks on 9-round Salsa20 and 8-round ChaCha. We constructed a distinguisher of double-bit differentials to improve Aumasson’s single-bit differential cryptanalysis. We searched for correlations using a PC, and found strong correlations in 9-round Salsa20 and 8-round ChaCha. The complexities of the introduced attacks are 2

16

in 9-round Salsa20 and 2 in 8-round ChaCha, which are much less than the complexities of an exhaustive key search and existing attacks on those ciphers. The results show that an adversary can distinguish keystream bits from random bits using a few input and output pairs of an initial keys and initial vectors. This method has potential to apply to a wide range of stream ciphers; a double-bit correlation would be found in case that no single-bit correlation is found.

The trust of an entity is based on its behavior’s trust in trusted computing technology, and software’s trust can be measured dynamically by its behavior when it is executing. However, conducting dynamic measurement is a big challenge. Defining and building software’s behavior is the basic work of measuring software trust. A behavior-based dynamic measurement model for an execution program is provided, which applies the method of describing program behavior by control flow graph to dynamic trust measurement. The model first measures the program before it is loaded, then generates the expected behavior model of the program according to static analysis. Then, the model monitors the program’s execution in real time by verifying the flow branches of the program with the expected behavior model. Finally, the paper analyzes the security of this model and indicates that this model is able to protect against some codeinjection attacks which can’t be handled by the traditional static measurement method.

In many cases, cryptanalysis of a cryptographic system can be interpreted as the process of inverting a one-way function. TMTO is designed to be a generic approach that can be used on any one-way function independent of the structure of the specific target system. It was first introduced to attack block ciphers by Hellman in 1980. The distinguished point (DP) method is a technique that reduces the number of table look-ups performed by Hellman’s algorithm. A variant of the DP (VDP) method is introduced to reduce the amount of memory required to store the pre-computed tables while maintaining the same success rate and online time. Both the DP method and VDP method can be applied to Hellman tradeoff or rainbow tradeoff.

We carefully examine the technical details of the VDP method and find that it is possible to construct functions for which the original method fails. Based on the analysis, we propose a modification of the VDP method. Furthermore, we present an accurate version of the tradeoff curve that does not ignore the effect of false alarms and takes storage reduction techniques into consideration. We find optimal parameter sets of this new method by minimizing the tradeoff coefficient. A more exact and fair comparison between tradeoff algorithms is also given, which shows that our method applied to the Hellman tradeoff performs best among them.

In this paper, we analyze the performance of dither modulation (DM) against the composite attacks including valumetric scaling, additive noise and constant change. The analyses are developed under the assumptions that the host vector and noise vector are mutually independent and both of them have independently and identically distributed components. We derive the general expressions of the probability density functions of several concerned signals and the decoding error probability. The specific analytical results are presented for the case of generalized Gaussian host signal. Numerical simulations confirm the validity of the given theoretical analyses.

Access privileges in distributed systems can be effectively organized as a partial-order hierarchy that consists of distinct security classes, and are often designated with certain temporal restrictions. The time-bound hierarchical key assignment problem is to assign distinct cryptographic keys to distinct security classes according to their privileges so that users from a higher class can use their class key to derive the keys of lower classes, and these keys are time-variant with respect to sequentially allocated temporal units called time slots. In this paper, we explore applications of time-bound hierarchical key assignment in a wireless sensor network environment where there are a number of resource-constrained low-cost sensor nodes. We show time-bound hierarchical key assignment is a promising technique for addressing multiple aspects of sensor network security, such as data privacy protection and impact containment under node compromise. We also present the technical challenges and indicate future research directions.

The research issues of large scale wireless mesh networks (WMNs) have attracted increasing attention due to the excellent properties of WMNs. Although some proposals for WMN security framework with different security aspects have been put forward recently, it is a challenging issue of employing uniform public key cryptography to maintain trust relationships flexibly among domains and to achieve key-escrow-free anonymous access control. In this paper, a unified security framework (USF) for multi-domain wireless mesh networks is proposed, which unifies id-based encryption and certificateless signature in a single public key cryptography context. Trust relationship between different domains and anonymous access control of wireless clients can be realized by employing of cryptography operations on bilinear groups. To achieve perfect forward secrecy and attack-resilience, trust domain construction methods and authentication protocols are devised within the security framework without key escrow.

Static analysis technologies and tools have been widely adopted in detecting software bugs and vulnerabilities. However, traditional approaches have their limitations on extensibility and reusability due to their methodologies, and are unsuitable to describe subtle vulnerabilities under complex and unaccountable contexts. This paper proposes an approach of static analysis based on ontology model enhanced by program slicing technology for detecting software vulnerabilities. We use Ontology Web Language (OWL) to model the source code and Semantic Web Rule Language (SWRL) to describe the bug and vulnerability patterns. Program slicing criteria can be automatically extracted from the SWRL rules and adopted to slice the source code. A prototype of security vulnerability detection (SVD) tool is developed to show the validity of the proposed approach.

Interactive/Reactive computational model is known to be proper abstraction of many pervasively used systems, such as client-side web-based applications. The critical task of information flow control mechanisms aims to determine whether the interactive program can guarantee the confidentiality of secret data. We propose an efficient and flow-sensitive static analysis to enforce information flow policy on program with interactive I/Os. A reachability analysis is performed on the abstract model after a form of transformation, called multi-composition, to check the conformance with the policy. In the multi-composition we develop a store-match pattern to avoid duplicating the I/O channels in the model, and use the principle of secure multi-execution to generalize the security lattice model which is supported by other approaches based on automated verification. We also extend our approach to support a stronger version of termination-insensitive noninterference. The results of preliminary experiments show that our approach is more precise than existing flow-sensitive analysis and the cost of verification is reduced through the store-match pattern.

Return oriented programming (ROP) has recently caught great attention of both academia and industry. It reuses existing binary code instead of injecting its own code and is able to perform arbitrary computation due to its Turing-completeness. Hence, It can successfully bypass state-of-the-art code integrity mechanisms such as NICKLE and SecVisor. In this paper, we present HyperCrop, a hypervisor-based approach to counter such attacks. Since ROP attackers extract short instruction sequences ending in

ret

called “gadgets” and craft stack content to “chain” these gadgets together, our method recognizes that the key characteristics of ROP is to fill the stack with plenty of addresses that are within the range of libraries (e.g. libc). Accordingly, we inspect the content of the stack to see if a potential ROP attack exists. We have implemented a proof-of-concept system based on the open source Xen hypervisor. The evaluation results exhibit that our solution is effective and efficient.

This paper presents a novel combination of local-local information for an efficient finger-knuckle-print (FKP) based recognition system which is robust to scale and rotation. The non-uniform brightness of the FKP due to relatively curvature surface is corrected and texture is enhanced. The local features of the enhanced FKP are extracted using the scale invariant feature transform (SIFT) and the speeded up robust features (SURF). Corresponding features of the enrolled and the query FKPs are matched using nearest-neighbour-ratio method and then the derived SIFT and SURF matching scores are fused using weighted sum rule. The proposed system is evaluated using PolyU FKP database of 7920 images for both identification mode and verification mode. It is observed that the system performs with

CRR

of 100% and

EER

of 0.215%. Further, it is evaluated against various scales and rotations of the query image and is found to be robust for query images downscaled upto 60% and for any orientation of query image.

The quality of feature has significant impact on the performance of detection techniques used for Denial-of-Service (DoS) attack. The features that fail to provide accurate characterization for network traffic records make the techniques suffer from low accuracy in detection. Although researches have been conducted and attempted to overcome this problem, there are some constraints in these works. In this paper, we propose a technique based on Euclidean Distance Map (EDM) for optimal feature extraction. The proposed technique runs analysis on original feature space (first-order statistics) and extracts the multivariate correlations between the first-order statistics. The extracted multivariate correlations, namely second-order statistics, preserve significant discriminative information for accurate characterizations of network traffic records, and these multivariate correlations can be the high-quality potential features for DoS attack detection. The effectiveness of the proposed technique is evaluated using KDD CUP 99 dataset and experimental analysis shows encouraging results.

In this research study, we focus on intrusion alerts and the burden of analyzing numerous security events by network administrators. We present Avisa

2

, a network security visualization system that can assist in the comprehension of IDS alerts and detection of abnormal pattern activities. The quantity of security events triggered by modern day intrusion systems, accompanied by the level of complexity and lack of correlation between events, limits the human cognitive process in identifying anomalous behavior. This shortcoming induces the need for an automated process that would project critical situations and prioritize network hosts encountering peculiar behaviors. At the heart of Avisa

2

lies a collection of heuristic functions that are utilized to score, rank, and prioritize internal hosts of the monitored network. We believe this contribution elevates the practicality of Avisa

2

in identifying critical situations and renders it to be far superior to traditional security systems that solely focus on visualization. The effectiveness of Avisa

2

is evaluated on two multi-stage attack scenarios; each intentionally focused on a particular attack type, network service, and network range. Avisa

2

proved effective and accurate in prioritizing hosts under attack or hosts in which attacks were performed from.

Anonymity is a security property of paramount importance as it helps to protect users’ privacy by ensuring that their identity remains unknown. Anonymity protocols generally suffer from denial of service (DoS) attack, as repeated message retransmission affords more opportunities for attackers to analyse traffic and lower the protocols’ privacy. In this paper, we analyse how users can minimise their anonymity loss under DoS attacks by choosing to remove or keep ‘failed’ nodes from router lists. We also investigate the strategy effectiveness in those cases where users cannot decide whether the ‘failed’ node are the targets of DoS attacks.