main-content

This book constitutes the post-conference proceedings of the 14th International Conference on Information Security and Cryptology, Inscrypt 2018, held in Fuzhou, China, in December 2018.
The 31 full papers presented together with 5 short papers and 1 invited paper were carefully reviewed and selected from 93 submissions. The papers cover topics in the field of blockchain and crypto currency; lattice-based cryptology; symmetric cryptology; applied cryptography; information security; assymetric encryption; and foundations.

### Security Analysis of SM9 Key Agreement and Encryption

SM9 is a Chinese cryptography standard that defines a set of identity-based cryptographic schemes from pairings. Although the SM9 key agreement protocol and the SM9 encryption scheme have been used for years, there is no public available security analysis of these two schemes. In this paper, we formally analyze the security of these two schemes in the random oracle model.

Zhaohui Cheng

### Evaluating CryptoNote-Style Blockchains

To hide user identity, blockchain-based cryptocurrencies utilize public key based coin addresses to represent users. However, the user identity can still be identified by linking the coin addresses to the IP address of a user, through network traffic analysis.Ring Signature based protocols, such as CryptoNote and RingCT, have been designed to anonymize the payers of a transaction, and deployed in leading cryptocurrencies like Bytecoin and Monero. This paper provides a comprehensive evaluation on the performance of Bytecoin and Monero, at both the protocol level and the system level. In particular, our evaluation includes theoretical complexity analysis of the protocols and practical performance analysis of the Bytecoin and Monero implementation. In addition, we also provide an analysis on the existing Bytecoin and Monero transactions, based on the public blockchain data. Our results identify the execution bottleneck and space overhead of generating and verifying transactions, which may encourage the design of more efficient protocols. We also provide insights based on our analysis on the performance of specific cryptographic algorithms, static analysis of the ring size distribution, of the input size distribution and output size distribution, and of the transaction size distribution.

Runchao Han, Jiangshan Yu, Joseph Liu, Peng Zhang

### Goshawk: A Novel Efficient, Robust and Flexible Blockchain Protocol

Proof of Work (PoW), a fundamental blockchain protocol, has been widely applied and thoroughly testified in various decentralized cryptocurrencies, due to its intriguing merits including trustworthy sustainability, robustness against Sybil attack, delicate incentive-compatibility, and openness to any participant. Meanwhile, PoW-powered blockchains still suffer from poor efficiency, potential selfish mining, to-be-optimized fairness and extreme inconvenience of protocol upgrading. Therefore, it is of great interest to design new PoW-driven blockchain protocol to address or relieve the above issues so as to make it more applicable and feasible. To do so, we present Goshawk, a novel hybrid consensus protocol, in which a two-layer chain structure with two-level PoW mining strategy and a ticket-voting mechanism are elaborately combined. We show that this newly-proposed protocol has the merits of high efficiency, strong robustness against “51%” attack of computation power, as well as good flexibility for future protocol updating. As far as we know, Goshawk is the first blockchain protocol with these three key properties. Last but not the least, this scheme has been implemented and deployed in the testnet of the public blockchain project Hcash( https://github.com/HcashOrg ) for months, and has demonstrated its stability and high efficiency with such real-world test.

Cencen Wan, Shuyang Tang, Yuncong Zhang, Chen Pan, Zhiqiang Liu, Yu Long, Zhen Liu, Yu Yu

### AFCoin: A Framework for Digital Fiat Currency of Central Banks Based on Account Model

Currently, the technique choices of issuing digital fiat currencies include RSCoin, Corda and Quorum etc. RSCoin is specially designed for central banks based on Bitcoin. Corda and Quorum are permissioned distributed ledger techniques based on Bitcoin and Ethereum, respectively. There lacks a framework specially for central banks based on Ethereum. We here introduce AFCoin: a framework based on the account model and smart contract of Ethereum. AFCoin shows a possible way to issue and manage fiat currencies by central banks. It can be deployed in an evolutionary way and enjoys good efficiency, regulation and privacy properties.

Haibo Tian, Xiaofeng Chen, Yong Ding, Xiaoyan Zhu, Fangguo Zhang

### Anonymity Reduction Attacks to Monero

Monero is one of the most valuable cryptocurrencies in the market, focusing on users’ privacy. The built-in features in Monero help users to obfuscate the information of the senders and the receivers, hence achieve a better privacy compared to other cryptocurrencies such as Bitcoin. Previous studies discovered multiple problems within Monero systems, and based on these findings, Monero system has been improved. Although improvements have been made, we discovered that new attacks targeting the anonymity reduction can still be conducted in Monero system. In this paper we propose two attacks. The first is an extension of a known attack called Monero Ring Attack. The second one exploits Payment ID to discover the real output of a mixin. We then propose countermeasures to these attacks.

Dimaz Ankaa Wijaya, Joseph Liu, Ron Steinfeld, Dongxi Liu, Tsz Hon Yuen

### Analysis of Variance of Graph-Clique Mining for Scalable Proof of Work

Recently, Bitcoin is becoming one of the most popular decentralized cryptographic currency technologies, and Bitcoin mining is a process of adding transaction records to Bitcoin’s public ledger of past transactions or blockchain. To obtain a bitcoin, the mining process involves compiling recent transactions into blocks and trying to solve a computationally difficult puzzle, e.g., proof of work puzzle. A proof of work allows miners the ability to quantify how much work a given proof contains. Basically, the required time for mining is decided in advance, but problems will occur if the value is large for dispersion. In this paper, we first accept that the required time between consecutive blocks follows the exponential distribution. That is, the variance is stable as long as the expected time is fixed. Then, we focus on the graph clique mining technique proposed by the literature, like Tromp (BITCOIN 2015) and Bag-Ruj-Sakurai (Inscrypt 2015), which is based on a computational difficulty problem of searching cliques of undirected graphs, where a clique is a subset of vertices. In particular, when the clique size is two, graph clique mining can be used to gain Bitcoins. The previous work also claimed that if the clique size is parameterized and increased, even if the expected time is fixed, the variance would not be stable. However, no qualitative or quantitative results were given to support their claim. Motivated by this issue, in this work, we propose a simple search algorithm for graph cliques mining, and perform a small scale evaluation on Bitcoin and Graph cliques’s solo mining to investigate the variance issue.

Hiroaki Anada, Tomohiro Matsushima, Chunhua Su, Weizhi Meng, Junpei Kawamoto, Samiran Bag, Kouichi Sakurai

### Preprocess-then-NTT Technique and Its Applications to Kyber and NewHope

The Number Theoretic Transform (NTT) provides efficient algorithm for multiplying large degree polynomials. It is commonly used in cryptographic schemes that are based on the hardness of the Ring Learning With Errors problem (RLWE), which is a popular basis for post-quantum key exchange, encryption and digital signature.To apply NTT, modulus q should satisfy that $$q \equiv 1 \mod 2n$$ q ≡ 1 mod 2 n , RLWE-based schemes have to choose an oversized modulus, which leads to excessive bandwidth. In this work, we present “Preprocess-then-NTT (PtNTT)” technique which weakens the limitation of modulus q, i.e., we only require $$q \equiv 1 \mod n$$ q ≡ 1 mod n or $$q \equiv 1 \mod n/2$$ q ≡ 1 mod n / 2 . Based on this technique, we provide new parameter settings for Kyber and NewHope (two NIST candidates). In these new schemes, we can reduce public key size and ciphertext size at a cost of very little efficiency loss.

Shuai Zhou, Haiyang Xue, Daode Zhang, Kunpeng Wang, Xianhui Lu, Bao Li, Jingnan He

### Two-Round PAKE Protocol over Lattices Without NIZK

Reducing the number of communication rounds of Password-based Authenticated Key Exchange ( $$\textsf {PAKE}$$ PAKE ) protocols is of great practical significance. At PKC’15, Abdalla et al. relaxed the requirements of Gennaro-Lindell’s framework for three-round PAKE protocols, and obtained a two-round PAKE protocol under the traditional DDH-based smooth projective hash function ( $$\mathsf {SPHF}$$ SPHF ). At ASIACRYPT’17, Zhang and Yu proposed a lattice-based two-round PAKE protocol via the approximate $$\mathsf {SPHF}$$ SPHF . However, the language of Zhang-Yu’s SPHF depends on simulation-sound non-interactive zero-knowledge (NIZK) proofs, for which there is no concrete construction without random oracle under lattice-based assumptions. To our knowledge, how to design a lattice-based two-round $$\textsf {PAKE}$$ PAKE protocol via an efficient $$\mathsf {SPHF}$$ SPHF scheme without NIZK remains a challenge. In this paper, we propose the first two-round $$\textsf {PAKE}$$ PAKE protocol over lattices without NIZK. Our protocol is in accordance with the framework of Abdalla et al. (PKC’15) while attaining post-quantum security. We overcome the limitations of existing schemes by relaxing previous security assumptions (i.e., both the client and the sever need IND-CCA-secure encryption), and build two new lattice-based $$\mathsf {SPHF}$$ SPHF s, one for IND-CCA-secure Micciancio-Peikert ciphertext (at the client side) and the other for IND-CPA-secure Regev ciphertext (at the server side). Particularly, our protocol attains provable security.

Zengpeng Li, Ding Wang

### Improved Integral Attacks on PRESENT-80

In this paper, we propose an improved integral attack against round-reduced PRESENT-80. First, we find a new 7-round integral distinguisher by analyzing the algebraic degree of PRESENT. Then, we propose an algebraic method to recover the master key by solving a system of linear equations which are extracted from the last three rounds of the cipher. Using this method, we can attack 10-round PRESENT-80 with time complexity $$2^{27.6}$$ 2 27.6 and data complexity $$2^{27}$$ 2 27 , and 12-round PRESENT-80 with time complexity $$2^{66}$$ 2 66 and data complexity $$2^{64}$$ 2 64 . Moreover, a key partition technique is proposed to gain one more round such that we could attack 11-round PRESENT-80 with time complexity $$2^{58}$$ 2 58 and data complexity $$2^{48}$$ 2 48 , and 13-round PRESENT-80 with time complexity $$2^{74}$$ 2 74 and data complexity $$2^{64}$$ 2 64 .

Shi Wang, Zejun Xiang, Xiangyong Zeng, Shasha Zhang

### Improved Differential Fault Analysis on Authenticated Encryption of PAEQ-128

PAEQ is an AES-based authenticated encryption proposed by Biryukov and Khovratovich in 2014, which stays in the CAESAR competition until the second round. In CHES 2016, Dhiman Saha and Dipanwita Roy Chowdhury first discussed the differential fault analysis to PAEQ. Their work shows that the nonce used in PAEQ that is usually considered as a natural DFA countermeasure can be overcome by carefully constructing the encryption message and injecting two faults. This work presents a fully optimized DFA attack on PAEQ-128 with regard to the key recovery process. We apply the information theoretical analysis and the DFA techniques for AES into the DFA key recovery on PAEQ-128. As a result, without changing the attack assumption, the key recovery complexity is reduced from $$2^{50}$$ 2 50 to $$2^{24}$$ 2 24 for PAEQ-128. The successful key recovery together with its computational complexity have been verified with the key recovery simulations.

Ruyan Wang, Xiaohan Meng, Yang Li, Jian Wang

### Improved Indifferentiability Security Bound for the Prefix-Free Merkle-Damgård Hash Function

The indifferentiability framework has been tailored to evaluate the security of cryptographic hash functions such that an iterative hash function must be indifferentiable from a random oracle in order to behave as a random oracle in cryptosystems. It was found that popular (strengthened) Merkle-Damgård transformation cannot satisfy the notion of indifferentiability from a random oracle due to a length-extension attack. Thus, a series of Merkle-Damgård variants have been proposed. This paper mainly revisits one of them, Prefix-Free Merkle-Damgård (PF-MDHF), which is to use a prefix-free message padding. Our main contribution is to provide a tighter security bound for prefix-free Merkle-Damgård with respect to the indifferentiability from a random oracle. More precisely, our bound is $$O( (\ell ^2q+\ell q^2)/{2^n})$$ O ( ( ℓ 2 q + ℓ q 2 ) / 2 n ) , while in previous papers the bound is $$O(\ell ^2q^2/2^n)$$ O ( ℓ 2 q 2 / 2 n ) , where $$\ell$$ ℓ is the maximum block length of queries, and q is the maximum number of queries.

Kamel Ammour, Lei Wang

### Privacy-Preserving Data Outsourcing with Integrity Auditing for Lightweight Devices in Cloud Computing

The cloud can provide unlimited storage space to users via the Internet. Unlike locally data storing, users will lose the direct control of the data after outsourcing it to the cloud. Moreover, the cloud is an untrusted entity. It is possible that the cloud may try to extract, discard and destroy users’ data due to benefits. Hence, the data security in cloud computing needs to be well guaranteed. In this paper, we propose a privacy-preserving data outsourcing scheme with integrity auditing for lightweight devices in cloud computing. On the one hand, the blind signature is used in the proposed scheme to delegate the generation of users’ data signatures to the TPA. On the other hand, based on the property of the BLS signature, the blinded signatures received from the TPA can be verified by the user and the data integrity stored in the cloud can be audited by the TPA. In addition, the proposed scheme supports batch operation. Security analysis shows that the proposed scheme achieves the properties of correctness, privacy-preserving and non-forgeability. Performance analysis indicates that the proposed scheme can be performed with high efficiency.

Dengzhi Liu, Jian Shen, Yuling Chen, Chen Wang, Tianqi Zhou, Anxi Wang

### Cloud-Based Data-Sharing Scheme Using Verifiable and CCA-Secure Re-encryption from Indistinguishability Obfuscation

A cloud-based re-encryption scheme allows a semi-trusted cloud proxy to convert a ciphertext under delegator’s public-key into a ciphertext of delegatee’s. However, for an untrusted cloud proxy, as the re-encryption program was outsourced on the cloud, the cloud can debug the program and might have illegal activities in practice, such as monitoring the program executing, returning an incorrect re-encryption ciphertext, or colluding with the participants to obtain the sensitive information. In this work, we propose a construction of cloud-based verifiable re-encryption by incorporating new cryptographic primitives of indistinguishability obfuscation and puncturable pseudorandom functions, which can achieve the master-secret security even if the proxy colludes with the delegatee. Furthermore, our scheme can provide the white-box security in re-encryption procedure to implement the sensitive-data protection in the presence of white-box access, and it resists on chosen-ciphertext attacks in both the first-level encryption and the second-level encryption. The decryption is very efficient since it only requires several symmetric PRF operations, which can be deployed and applied in the light-weight security device such as Mobile Phones (MPs), Wireless Body Area Networks (WBANs) and nodes in Internet-of-Things (IoTs).

Mingwu Zhang, Yan Jiang, Hua Shen, Bingbing Li, Willy Susilo

### An Encrypted Database with Enforced Access Control and Blockchain Validation

Data privacy and integrity is top of mind for modern data applications. To tackle with the above issue, we propose an encrypted database system with access control capabilities and blockchain validation in this paper. Compared to the existing encrypted database system, our design proposes a proxy-free architecture, which avoids the need for a trusted proxy for access control. In order to protect the integrity of user data, our system leverages the blockchain technology to realize a tampering protection mechanism. The mechanism ensures that modification logging is compulsory and public-available but hardened. Users can validate and easily detect the tampered data. Finally, we implement a prototype system and conduct evaluations on each component of the proposed system.

Zhimei Sui, Shangqi Lai, Cong Zuo, Xingliang Yuan, Joseph K. Liu, Haifeng Qian

As cloud storage becomes more common, data security is an increasing concern. In this paper, we propose a new approach to control access to the user’s data stored in the cloud with the state-of-the-arts decentralized blockchain technology. In general, an access control solution for cloud data involves three components: authentication, authorization and auditing. It is expensive for the cloud server to ensure authentication, authorization and auditing for access control of the user’s data in cloud computing environment. In addition, it is hard to prevent the malicious cloud server from access to the user’s data and disclose the user’s privacy. Our approach distributes the access control tasks for authentication, authorization and auditing to a network of nodes like bitcoin. In particular, we keep the auditing records in the transparent blockchain. In addition, we employ the Shamir secret sharing scheme to manage the encryption key for cloud users.

Jiale Guo, Wenzhuo Yang, Kwok-Yan Lam, Xun Yi

### A Multi-client DSSE Scheme Supporting Range Queries

We consider the need for security while providing services that are comparable to that of traditional applications to fully exploit cloud services to its fullest potential. While Dynamic Searchable Symmetric Encryption (DSSE) supports such needs, we want to be able to protect against file-injection attacks. Hence, we require forward privacy and a scheme which allows for a wide range of searching capabilities. We propose an extension, based on the RSA problem, to a DSSE scheme that supports range queries allowing the scheme to also support multiple clients. Furthermore, we describe how we can further manage clients using Attribute-Based Encryption (ABE) such that clients cannot decrypt ciphertexts that fall outside of their access rights.

Randolph Loh, Cong Zuo, Joseph K. Liu, Shi-Feng Sun

### Image Authentication for Permissible Cropping

In a digital society, it is not easy to achieve a balance between privacy and authentication. Privacy requires some modifications of the original image and signed data, but image authentication needs to ensure its integrity as much as possible. The most common method of privacy protecting is deleting some sensitive data in the original data. In this paper, we propose a practical scheme of image authentication for permissible cropping operation, using a textbook RSA signature scheme and a message commitment scheme. The security of our scheme is implied by the security of underlying cryptographic primitives. Experimental results show that the proposed scheme is practical and can be embedded in some on-line systems.

Haixia Chen, Shangpeng Wang, Hongyan Zhang, Wei Wu

### Chord: Thwarting Relay Attacks Among Near Field Communications

Near field communication (NFC) is an emerging and promising technology envisioned to support a large gamut of applications such as payment and ticketing applications. Unfortunately, there emerges a variety of vulnerabilities that could leave an unwitting user vulnerable to attacks along with the increase of NFC applications. One such potential devastating attack is relay attack, in which adversaries establish a transparently transferring channel between two distant NFC-enabled devices, thus break the assumption that NFC can only work within a rather near distance. In this paper, we propose Chord, an effective method for detecting relay attack. Via measuring the strength of received signal, i.e, the Received Signal Strength Indication (RSSI) during a time span, the two devices are expected to get the same “trace” of RSSI’s variation because of physical proximity. Therefore, the relay attack can be revealed if the peers get a different “trace” from each other, which implies that they do not communicate directly via NFC link. The results of our implementation show that our proposal works as intended, and exhibits an improvement of security with reasonable performance impact.

Yafei Ji, Luning Xia, Jingqiang Lin, Qiongxiao Wang, Lingguang Lei, Li Song

### Analyzing Use of High Privileges on Android: An Empirical Case Study of Screenshot and Screen Recording Applications

The number of Android smartphone and tablet users has experienced a rapid growth in the past few years and it raises users’ awareness on privacy and security issues of their mobile devices. There are lots of users rooting their Android devices for some useful functions, which are not originally provided to developers and users, such as taking screenshot and screen recording. However, after observing the danger of rooting devices, the developers begin to look for non-root alternatives to implement those functions. Android Debug Bridge (ADB) workaround is one of the best known non-root alternatives to help app gain a higher privilege on Android. It used to be considered as a secure practice until some cases of ADB privilege leakage have been found. In this paper, we propose an approach to identify the potential privilege leakage in Android apps that using ADB workaround. We apply our approach to analyze three real-world apps that are downloaded from Google Play Store. We then present a general methodology to conduct exploitation on those apps using ADB workaround. Based on our study, we suggest some mitigation techniques to help developers create their apps that not only satisfy users’ needs but also protect users’ privacy from similar attacks in future.

Mark H. Meng, Guangdong Bai, Joseph K. Liu, Xiapu Luo, Yu Wang

### Blockchain-Based Privacy Preserving Deep Learning

Smart mobile devices have access to huge amounts of data appropriate to deep learning models, which in turn can significantly improve the end-user experience on mobile devices. But massive data collection required for machine learning introduce obvious privacy issues. To this end, the notion of federated learning (FL) was proposed, which leaves the training data distributed on the mobile devices, and learns a shared model by aggregating locally-computed updates. However, in many applications one or more Byzantine devices may suffice to let current coordination learning mechanisms fail with unpredictable or disastrous outcomes. In this paper, we provide a proof-of-concept for managing security issues in federated learning systems via blockchain technology. Our approach uses decentralized programs executed via blockchain technology to establish secure learning coordination mechanisms and to identify and exclude Byzantine members. We studied the performance of our blockchain-based approach in a collective deep-learning scenario both in the presence and absence of Byzantine devices and compared our results to those obtained with an existing collective decision approach. The results show a clear advantage of the blockchain approach when Byzantine devices are part of the members.

Xudong Zhu, Hui Li, Yang Yu

### SpamTracer: Manual Fake Review Detection for O2O Commercial Platforms by Using Geolocation Features

Nowadays, O2O commercial platforms are playing a crucial role in our daily purchases. However, some people are trying to manipulate the online market maliciously by opinion spamming, a kind of web fraud behavior like writing fake reviews, due to fame and profits, which will harm online purchasing environment and should be detected and eliminated. Moreover, manual fake reviewers are more deceptive compared with old web spambots. Although several efficient methods were proposed in the fake review detection field, the manual fake reviewers are also evolving rapidly. They imitate to be benign users to control the velocity of review fraud actions, and deceive the detection system. Our investigation presented that geolocation factor is potential and can well reflect the distinctions between fake reviewers and benign users. In this research, we analyzed the geolocations of shops in reviews, found the distinct distribution features of those in fake reviewers and benign users, and proposed a SpamTracer model that can identify fake reviewers and benign users by exploiting an improved HMM (Hidden Markov Model). Our experiment demonstrated that SpamTracer could achieve 71% accuracy and 76% recall in the unbalanced dataset, outperforming some excellent classical approaches in the aspect of stability. Furthermore, SpamTracer can help to analyze the regularities of review fraud actions. Those regularities reflect the time and location in which online shops are likely to hire fake reviewers to increase their turnover. We also found that a small group of fake reviewers tend to work with plural shops located in a small business zone.

Ruoyu Deng, Na Ruan, Ruidong Jin, Yu Lu, Weijia Jia, Chunhua Su, Dandan Xu

### A Light-Weight and Accurate Method of Static Integer-Overflow-to-Buffer-Overflow Vulnerability Detection

The Integer-Overflow-to-Buffer-Overflow (IO2BO) vulnerability is an underrated source of security threats. Despite many works have been done to mitigate integer overflow, existing tools either report large number of false positives or introduce unacceptable time consumption. To address this problem, in this paper we present a new static analysis framework. It first utilizes inter-procedural dataflow analysis and taint analysis to accurately identify potential IO2BO vulnerabilities. Then it uses a light-weight method to further filter out false positives. Specifically, it generates constraints representing the conditions under which a potential IO2BO vulnerability can be triggered, and feeds the constraints to SMT solver to decide their satisfiability. We have implemented a prototype system LAID based on LLVM, and evaluated it on 228 programs of the NIST’s SAMATE Juliet test suite and 6 known IO2BO vulnerabilities in real world. The experiment results show that our system can effectively and efficiently detect all known IO2BO vulnerabilities.

Mingjie Xu, Shengnan Li, Lili Xu, Feng Li, Wei Huo, Jing Ma, Xinhua Li, Qingjia Huang

### Fully Secure Decentralized Ciphertext-Policy Attribute-Based Encryption in Standard Model

In this paper, we introduce a new multi-authority ciphertext policy attribute-based encryption (MA-CP-ABE) system. In our system, there are multiple central authorities (CAs) and attribute authorities (AAs). The CAs will not need to coordinate or even be aware of each other, and so do the AAs. In particular, we present two constructions that will be proved secure in the standard model. Our first scheme is fully secure under static assumptions in composite-order bilinear group, and can work for any monotone access structure. The second one achieves constant size ciphertexts for AND-gate policy in prime-order group. The security can be proved under the decisional linear (DLIN) assumption.

Chuangui Ma, Aijun Ge, Jie Zhang

### Outsourced Ciphertext-Policy Attribute-Based Encryption with Equality Test

In the cloud era people get used to store their data to the cloud server, and would use encryption technique to protect their sensitive data from leakage. However, encrypted data management is a challenging problem, for example, encrypted data classification. Besides, how to effectively control the access to the encrypted data is also an important problem. Ciphertext-policy attribute-based encryption with equality test (CP-ABEET) is an efficient solution to the aforementioned problems, which enjoys the advantage of attribute-based encryption, and in the meanwhile supports the test of whether two different ciphertexts contain the same message without the need of decryption. However, the existing CP-ABEET schemes suffer from high computation costs. In this paper, we study how to outsource the heavy computation in CP-ABEET scheme to a third-party server. We introduce the notion of CP-ABEET supporting outsourced decryption (OCP-ABEET), which saves a lot of local computation loads of CP-ABEET. We propose a concrete construction of OCP-ABEET, and prove its security based on a reasonable number-theoretic assumption in the random oracle model. Compared with the existing CP-ABEET schemes, our scheme is more computationally .

Yuzhao Cui, Qiong Huang, Jianye Huang, Hongbo Li, Guomin Yang

### Efficient Adaptively Secure Public-Key Trace and Revoke from Subset Cover Using Dj Q Framework

We provide an efficient and secure construction for the trace and revoke from subset cover ( $${\textsf {TRSC}}$$ TRSC ) systems in the public-key setting, having ciphertext size proportional to the number of revoked users and public parameter of constant size. The system is obtained by tweaking the identity based encryption scheme of Wee (TCC 2016) under the subset cover framework. Existing $${\textsf {TRSC}}$$ TRSC constructions are inefficient with respect to the size of the parameters and derive their security from the q-type assumptions in the random oracle model. Our construction is the first adaptively secure $${\textsf {TRSC}}$$ TRSC system to achieve such parameters without using any random oracles. In addition, we are able to eliminate the q-type assumptions by integrating the D $$\acute{e}$$ e ´ j $$\grave{a}$$ a ` Q framework of Chase and Meiklejohn (EUROCRYPT 2014) and its extension by Wee (TCC 2016) in our construction and analyze its security under the hardness of static subgroup decision problems over bilinear group setting. Moreover, this is the first proposal to feature optimally short private keys, even in the standard security model without any security breach.

Mriganka Mandal, Ratna Dutta

### Attribute-Based Encryption with Efficient Keyword Search and User Revocation

Ciphertext policy attribute-based encryption (CP-ABE) is a promising cryptographic technology and a key component that enable secure data sharing in a cloud environment through fine-grained access control. Since it was introduced, many interesting schemes have been proposed. However, in addition to managing data sharing through access control, a comprehensive scheme should also cater for user revocation and ciphertext queries. This is because in a cloud environment new users may join while existing users may leave the system. At the same time, given the potentially large amount of data stored in a cloud storage, user should be able to retrieve the required files efficiently in a privacy-preserving manner. To address the above issue, in this paper, we propose a practical searchable CP-ABE scheme supporting user revocation. In contrast to existing schemes that provide only single keyword query, our efficient search function provides conjunctive search, which allows user to locate a ciphertext related to a set of keywords. The computation overhead of our user revocation is at least on par with existing schemes. Besides, the security analysis indicates that the proposed scheme is secure under the decisional Bilinear Diffie-Hellman assumption. We also provide extensive experimental results to confirm the efficiency and feasibility of our proposed construction.

Jingwei Wang, Xinchun Yin, Jianting Ning, Geong Sen Poh

### Public-Key Encryption with Selective Opening Security from General Assumptions

In a selective opening (SO) attack, the attacker can corrupt a subset of senders (or receivers) to open some of the ciphertexts and try to learn information on the plaintexts of unopened ciphertexts. It is important and practical to consider SO attack in encryption scheme. In this paper we study public key encryption (PKE) schemes with SO security. Specifically: First, we define a new cryptographic primitive called tweaked lossy encryption, and we prove that it has simulation-based security against sender selective opening chosen plaintext attacks (denoted by SIM-SSO-CPA). Second, we provide a general construction of tweaked lossy encryption scheme from extractable $${\Sigma }$$ Σ -protocol; and we propose two instantiations of tweaked lossy encryption, based on dual-mode commitments and Twin-Cramer-Shoup scheme respectively. Finally, we propose a general scheme satisfying indistinguishability-based security against receiver selective opening chosen plaintext attacks (denoted by IND-RSO-CPA), and we give a construction of the scheme from explainable hash proof systems (denoted by EHPS), and we provide the security analysis. Our results provide a new insight about the relations among PKE schemes with SO security, extractable $$\mathrm {\Sigma }$$ Σ -protocol and explainable hash proof systems.

Dali Zhu, Renjun Zhang, Shuang Hu, Gongliang Chen

### Confused yet Successful:

Theoretical Comparison of Distinguishers for Monobit Leakages in Terms of Confusion Coefficient and SNR

Many side-channel distinguishers (such as DPA/DoM, CPA, Euclidean Distance, KSA, MIA, etc.) have been devised and studied to extract keys from cryptographic devices. Each has pros and cons and find applications in various contexts. These distinguishers have been described theoretically in order to determine which distinguisher is best for a given context, enabling an unambiguous characterization in terms of success rate or number of traces required to extract the secret key.In this paper, we show that in the case of monobit leakages, the theoretical expression of all distinguishers depend only on two parameters: the confusion coefficient and the signal-to-noise ratio. We provide closed-form expressions and leverage them to compare the distinguishers in terms of convergence speed for distinguishing between key candidates. This study contrasts with previous works where only the asymptotic behavior was determined—when the number of traces tends to infinity, or when the signal-to-noise ratio tends to zero.

Eloi de Chérisey, Sylvain Guilley, Olivier Rioul

### Searching BN Curves for SM9

In 2016, State Cryptography Administration of China published Identity-based cryptographic algorithm SM9. A 256-bit BN curve recommended to construct system parameters in SM9 documents once was convinced to provide 128-bit security level. With the development of number field sieve, the complexity of discrete logarithm problem (DLP) in a finite field reduces, so does the security level of SM9 whose security is based on the difficulty of solving the DLPs. It’s urgent to construct SM9 system parameters with higher security level. In this paper, we analyze the requirements of secure elliptic curves, search BN curves at length of 384-bit and 380–382-bit that show the best computation efficiency. Then we choose a 384-bit BN curve to construct the system parameters, making preparation for upgrading the original 256-bit SM9.

Guiwen Luo, Xiao Chen

### Distribution Properties of Binary Sequences Derived from Primitive Sequences Modulo Square-free Odd Integers

Recently, a class of nonlinear sequences, modular reductions of primitive sequences over integer residue rings, was proposed and has attracted much attention. In particular, modulo 2 reductions of primitive sequences over $$\mathbf {Z}/(2^{31}-1)$$ Z / ( 2 31 - 1 ) were used in the ZUC algorithm. In this paper, we study the distribution properties of modulo 2 reductions of primitive sequences over $$\mathbf {Z}/(M)$$ Z / ( M ) , where M is a square-free odd integer. Let $$\underline{a}$$ a ̲ be a primitive sequence of order n over $$\mathbf {Z}/(M)$$ Z / ( M ) with period T and $$\left[ \underline{a}\right] _{\text {mod}\, 2}$$ a ̲ mod 2 the modulo 2 reduction of $$\underline{a}$$ a ̲ . With the estimate of exponential sums over $$\mathbf {Z}/(M)$$ Z / ( M ) , the proportion $$f_{s}$$ f s of occurrences of s within a segment of $$\left[ \underline{a}\right] _{\text {mod}\, 2}$$ a ̲ mod 2 of length $$\mu T$$ μ T is estimated, where $$s\in \left\{ 0,1\right\}$$ s ∈ 0 , 1 and $$0<\mu \le 1$$ 0 < μ ≤ 1 . Based on this estimate, it is further shown that for given M and $$\mu$$ μ , $$f_{s}$$ f s tends to $$\frac{M+1-2s}{2M}$$ M + 1 - 2 s 2 M as $$n\rightarrow \infty$$ n → ∞ . This result implies that there exists a small imbalance between 0 and 1 in $$\left[ \underline{a}\right] _{\text {mod}\, 2}$$ a ̲ mod 2 , which should be taken into full consideration in the design of stream ciphers based on $$\left[ \underline{a}\right] _{\text {mod}\, 2}$$ a ̲ mod 2 .

Qun-Xiong Zheng, Dongdai Lin, Wen-Feng Qi

### Towards Malicious Security of Private Coin Honest Verifier Zero Knowledge for NP via Witness Encryption

We develop a new method for transforming private coin HVZK protocols into witness indistinguishable, and zero knowledge protocols, via witness encryption. This causes at most one additional round. Previously, the general way of transforming a private coin HVZK protocol into zero knowledge is to employ a standard commitment technique, which causes two more rounds. Following this method, we present two-round witness indistinguishable proofs for specific languages, such as OR-DDH, OR-QR, OR-LWE, based on the associated lossy encryption and witness encryption. We apply this witness encryption idea to the HVZK protocol in [Jawurek et al. CCS13] and present a three-round zero knowledge protocol with super-polynomial simulation (or zero knowledge in $$\mathcal {F}_{OT}$$ F OT -hybrid model) for NP, assuming the existence of Yao’s garble circuit and two-message oblivious transfer protocol (or ideal oblivious transfer). In addition, our three-round zero knowledge protocol works for generic languages, avoiding expensive Karp reductions.

Jingyue Yu

### Faster Homomorphic Permutation and Optimizing Bootstrapping in Matrix GSW-FHE

We present a new packing messages strategy for the Matrix GSW-FHE proposed by Hiromasa et al. at PKC 2015. Based on the packing messages strategy, we describe a simpler homomorphic permutation algorithm which just needs one homomorphic multiplication.By applying this permutation algorithm, we propose an optimizing bootstrapping procedure that can refresh ciphertexts of all known standard LWE-based FHE. Our optimizing bootstrapping procedure needs less homomorphic multiplication operation and outputs refreshed ciphertexts with smaller noise. Alternatively, we give a space-time trade-off to hasten considerably the execution time whilst sacrificing reasonable memory space.

Shuai Liu, Bin Hu

### A Note on the Sidelnikov-Shestakov Attack of Niederreiter Scheme

The terminology “code based public-key cryptosystem” means that the algorithmic primitives of such public-key cryptosystems use error correcting codes. In papers [1, 2] methods of building such public-key cryptosystems have been suggested. The Niederreiter’s public-key cryptosystem [2] based on q-ary generalized Reed-Solomon codes was proposed in 1986, Sidelnikov and Shestakov [3] presented an attack on this public-key cryptosystem in 1992, showing its insecurity. By examining the attack algorithm, we note that one can change some redundant procedures to simplify the algorithm.

Dingyi Pei, Jingang Liu

### An Efficient Anonymous Authentication Scheme Based on Double Authentication Preventing Signature for Mobile Healthcare Crowd Sensing

With the widespread growth of cloud computing and mobile healthcare crowd sensing (MHCS), an increasing number of individuals are outsourcing their masses of bio-information in the cloud server to achieve convenient and efficient. In this environment, Cloud Data Center (CDC) needs to authenticate masses of information without revealing owners’ sensitive information. However, tremendous communication cost, storage space cost and checking time cost lead to CDC that give rise to all kinds of privacy concerns as well. To mitigate these issues, To mitigate these issues, we propose a data anonymous batch verification scheme for MHCS based on a certificateless double authentication preventing aggregate signature. The proposed scheme can authenticate all sensing bio-information in a privacy preserving way. We then present that the proposed CL-DAPAS scheme is existentially unforgeable in the Random Oracle Model (ROM) assuming that Computational Diffie-Hellman problem is difficult to solve. Furthermore, we provide an implementation and evaluate performance of the proposed scheme and demonstrate that it achieves less efficient computational cost compared with some related schemes.

Jinhui Liu, Yong Yu, Yannan Li, Yanqi Zhao, Xiaojiang Du

### Understanding User Behavior in Online Banking System

Currently, online banking has become extremely popular all over the world and plays a significant role in people‘s daily lives. However, the user behaviors have yet to be studied carefully in existing works. In this paper, we provide a large-scale, comprehensive measurement study of online banking users based on a two-week long dataset consisting of transactions conducted by personal users in one of the top banks in China. We demonstrate the customer behaviors mostly comply with the heavy-tail distribution which implies abnormal activities. In further analysis of those activities, we figure out that most of them are generated by two types of accounts, i.e., corporate accounts paying salaries and dishonest bank employees plastering the achievement. We extract a set of features to classify the two types of abnormal accounts from the benign ones. The experimental result illustrates that our system can accurately detect them with only $$0.5\%$$ 0.5 % false positive rate.

Yuan Wang, Liming Wang, Zhen Xu, Wei An

### Privacy-Preserving Remote User Authentication with k-Times Untraceability

Remote user authentication has found numerous real-world applications, especially in a user-server model. In this work, we introduce the notion of anonymous remote user authentication with k-times untraceability (k-RUA) for a given parameter k, where authorized users authenticate themselves to an authority (typically a server) in an anonymous and k-times untraceable manner. We define the formal security models for a generic k-RUA construction that guarantees user authenticity, anonymity and user privacy. We provide a concrete instantiation of k-RUA having the following properties: (1) a third party cannot impersonate an authorized user by producing valid transcripts for the user while conversing during a session; (2) a third party having access to the communication channel between the user and the authority cannot identify the session participants; (3) the authority can trace the real identities of dishonest users who have authenticated themselves for more than k times; (4) our k-RUA construction avoids using expensive pairing operations—which makes it efficient and suitable for devices having limited amount of computational resources.

Yangguang Tian, Yingjiu Li, Binanda Sengupta, Robert Huijie Deng, Albert Ching, Weiwei Liu

### Early Detection of Remote Access Trojan by Software Network Behavior

APT (Advanced Persistent Threat) attack is increasing in recent years. APT attackers usually utilize malware called RAT (Remote Access Trojan) to access and control computers by stealth. The invasion method of RAT has been refined and it is extremely difficult to prevent its infection beforehand. Hence, an approach to detect RAT infection at the early stage after infection is important. However, there are two drawbacks in the existing early detection methods of RAT; (1) they do not become early detection in some circumstances; (2) they do not consider the RAT-like healthy software (e.g., system related software and antivirus software) for evaluation experiments. In this paper, we propose a detection method of RAT based on the new mechanism of early detection. Our evaluation experiments show that the proposed method can distinguish between RAT and the RAT-like healthy software with great accuracy.

Masatsugu Oya, Kazumasa Omote