Information Security and Privacy

Oblivious Signature-Based Envelope (OSBE) has been widely employed for anonymity-orient and privacy-preserving applications. The conventional OSBE execution relies on a secure communication channel to protect against eavesdroppers. In TCC 2012, Blazy, Pointcheval and Vergnaud proposed a framework of OSBE (BPV-OSBE) without requiring any secure channel by clarifying and enhancing the OSBE security notions. They showed how to generically build an OSBE scheme satisfying the new strong security in the standard model with a common-reference string. Their framework requires 2-round interactions and relies on the smooth projective hash function (SPHF) over special languages, i.e., languages from encryption of signatures. In this work, we investigate the study on the strong OSBE and make the following contributions. First, we propose a generic construction of one-round yet strong OSBE system. Compared to the 2-round BPV-OSBE, our one-round construction is more appealing, as its non-interactive setting accommodates more application scenarios in the real word. Moreover, our framework relies on the regular (identity-based) SPHF, which can be instantiated from extensive languages and hence is more general. Second, we also present an efficient instantiation, which is secure under the standard model from classical assumptions, $$\mathsf {DDH}$$ and $$\mathsf {DBDH}$$, to illustrate the feasibility of our one-round framework. We remark that our construction is the first one-round OSBE with strong security.

Proxy signature is a useful cryptographic primitive that allows signing right delegation. In a proxy signature scheme, an original signer can delegate his/her signing right to a proxy signer (or a group of proxy signers) who can then sign documents on behalf of the original signer. In this paper, we investigate the problem of proxy signature with revocation. The revocation of delegated signing right is necessary for a proxy signature scheme when the proxy signer’s key is compromised and/or any misuse of the delegated right is noticed. Although a proxy signature scheme usually specifies a delegation time period, it may happen that the original signer wants to terminate the delegation before it is expired. In order to solve this problem, in this paper we propose a new proxy signature scheme with revocation. Our scheme utilises and combines the techniques in the Naor-Naor-Lotspiech (NNL) framework for broadcast encryption, the Boneh-Boyen-Goh (BBG) hierarchical identity-based encryption and the Boneh-Lynn-Shacham (BLS) short signature scheme and thereby constructing an efficient tree-based revocation mechanism. The unrevoked proxy signer only needs to generate evidences for proving that he/she is a valid proxy signer once in per revocation epoch, and the verifier does not need a revocation list in order to verify the validity of a proxy signature.

A hierarchical key assignment scheme distribute some private information and encryption keys to a set of classes in a partially ordered hierarchy, so that the private information of higher classes can be employed to derive the keys of classes lower down in the hierarchy. A hierarchical key assignment scheme for dynamic structures allows to make dynamic updates to the hierarchy, such as addition, deletion and modification of classes and relations among them, as well as the revocation of users.In this work we analyze security notions for hierarchical key assignment schemes supporting dynamic structures. In particular, we first propose the notion of key recovery for those schemes. Furthermore, we extend to such schemes the strong key indistinguishability and strong key recovery security definitions proposed by Freire et al. for hierarchical key assignment schemes. Finally, we investigate the relations occurring between all the state-of-the-art security notions for hierarchical key assignment schemes supporting dynamic structures, showing implications and separations which hold between such notions. In detail, we prove that also in the case of dynamic structures, security with respect to strong key indistinguishability is equivalent to the one with respect to key indistinguishability.

Content-centric networks have demonstrated an entirely new type of network topology, which offers a new way to distribute information in the data-driven network. Unlike the TCP/IP network topology, which is address-driven, content-centric networks do not require any address. Based on the content-to-consumer paradigm, content-centric networking architecture was proposed for the content to be provided efficiently with great convenience to users. As the content-centric network is not address-driven, when a data packet is delivered it cannot be encrypted with any encryption key of a node. Therefore, data confidentiality in content-centric network is a challenging problem. Motivated to solve this problem, we introduce a new cryptosystem for content-based encryption, where the encryption key is associated with the content. We propose a content-based encryption scheme (CBE), which is proven to be semantically secure in the random oracle model. We apply the CBE to construct a secure content delivery protocol in a content-centric network.

In threshold encryption, the secret key is shared among a set of decryption parties, so that only a quorum of these parties can decrypt a given ciphertext. It is a useful building block in cryptology to distribute the trust of the secret key as well as increase availability. In particular, threshold Paillier encryption has been widely used in various security protocols, such as e-auction, e-voting and e-lottery. In this paper, we present the idea of designing provably secure threshold Paillier encryption using hyperplane geometry. Compared with the existing schemes that are based on polynomial interpolation, our work not only renovates the threshold Paillier cryptosystem using a different mathematical structure, but also enjoys some additional benefits: (1) our proposed method avoids the technical obstacle of computing inverses in the group whose order is unknown; (2) it gains computational advantages over Shoup’s trick and it can be used as a general building block to design secure and efficient threshold cryptosystems based on factoring.

Cloud computing makes it easy for people to share files anywhere and anytime with mobile end devices. There is a privacy issue in such applications even if the files are encrypted. Specially, the public keys or identities of the receivers will be exposed to the cloud server or hackers. Group Encryption (GE) is designed to achieve anonymity of the receiver(s). The existing GE schemes are all realized in the public key infrastructure (PKI) setting, in which complicated certificates management is required to ensure security. It is observed that GE is especially appealing to institutions which usually have their own closed secure user management system. In this paper, we propose a new concept, referred to as identity-based group encryption (IBGE), which realizes GE in the identity-based cryptography setting. In the IBGE, a private key generator (PKG) designates each user a secret key associated with his identity; and the user can register his identity as a group member to a group manager without leaking his secret key. Then anyone can send confidential messages to the group member without leaking the group member’s identity. However, the group manager can trace the receiver if a dispute occurs or the privacy mechanism is abused. Following this model, we propose the first IBGE scheme that is formally proven secure in the standard model. Analysis shows that our scheme is also efficient and practical.

Edit distance, also known as Levenshtein distance, is a very useful tool to measure the similarity between two strings. It has been widely used in many applications such as natural language processing and bioinformatics. In this paper, we introduce a new type of fuzzy public key encryption called Edit Distance-based Encryption (EDE). In EDE, the encryptor can specify an alphabet string and a threshold when encrypting a message, and a decryptor can obtain a decryption key generated from another alphabet string, and the decryption will be successful if and only if the edit distance between the two strings is within the pre-defined threshold. We provide a formal definition and security model for EDE, and propose an EDE scheme that can securely evaluate the edit distance between two strings embedded in the ciphertext and the secret key. We also show an interesting application of our EDE scheme named Fuzzy Broadcast Encryption which is very useful in a broadcasting network.

Proxy re-encryption is a public key encryption technique that allows a proxy to perform re-encryption without exposing the corresponding plaintext. As a result, proxy re-encryption has increased utility, and can be used in a number of fields including cloud computing. In previous proxy re-encryption schemes, a proxy is assumed to follow the protocol explicitly. However, this is far from the norm, and the assumption is not always true, especially in cloud computing where public cloud is considered untrusted. In this paper, we investigate the verifiability of the re-encryption process. Specifically, we first formalize the proxy re-encryption with delegatable verifiability and its corresponding security model. Then, we propose the first proxy re-encryption scheme with delegatable verifiability. Finally, security proofs of the proposal are also formally given in the proposed security models.

Motivated by tampering attacks in practice, two different but related security notions, termed complete non-malleability and related-key attack security, have been proposed recently. In this work, we study their relations and present the first public key encryption scheme that is secure in both notions under standard assumptions. Moreover, by exploiting the technique for achieving complete non-malleability, we give a practical scheme for the related-key attack security. Precisely, the scheme is proven secure against polynomial functions of bounded degree d under a newly introduced hardness assumption called d-modified extended decisional bilinear Diffie-Hellman assumption. Since the schemes are constructed in a direct way instead of relying on the non-interactive zero knowledge proof or signature techniques, they not only achieve the strong security notions but also have better performances.

In a secure data sharing system, the keyword search over encrypted files is a basic need of a user with appropriate privileges. Although the traditional searchable encryption technique can provide the privacy protection, two critical issues still should be considered. Firstly, a cloud server may be selfish in order to save its computing resources, and thus returns only a fragment of results to reply a search query. Secondly, since different keys are always used for different document sets, making a search query over massive sets and verifying the search results are both impractical for a user with massive keys. In this paper, we propose a scheme named “verifiable searchable encryption with aggregate keys”. In the scheme, a data owner need only distribute a single aggregate key to other users to selectively share both search and verification privileges over his/her document sets. After obtaining such a key, a user can use it not only for generating a single trapdoor as a keyword search query, but for verifying whether the server just conducts a part of computing for the search request. Then, we define the requirements of the scheme and give a valid construction. Finally, our analysis and performance evaluation demonstrate that the scheme are practical and secure.

Public key encryption with keyword search (PEKS) provides an elegant mechanism for a user to identify the specific encrypted data. PEKS protects data against disclosure while making it searchable. In this paper, we propose a new cryptographic primitive called public key encryption with authorized keyword search (PEAKS). In PEAKS, keywords are encrypted with one public key and users without corresponding secret key need authorization from the authority to search keywords. We present a concrete PEAKS construction which allows the authority to authorize users to search different keyword sets. The proposed scheme features with the constant-size authorized token, independent of the size of keyword set size, which cuts down bandwidth consumption considerably. This property makes our PEAKS quite useful when the authorized token needs to be frequently updated with time for security purpose. The semantical security against chosen keyword attack and trapdoor unforgeability are formally proved.

Nowadays an increasing amount of data stored in the public cloud need to be searched remotely for fast accessing. For the sake of privacy, the remote files are usually encrypted, which makes them difficult to be searched by remote servers. It is also harder to efficiently share encrypted data in the cloud than those in plaintext. In this paper, we develop a searchable encryption framework called Linear Encryption with Keyword Search (LEKS) that can semi-generically convert some existing encryption schemes meeting our Linear Encryption Template (LET) to be searchable without re-encrypting all the data. For allowing easy data sharing, we convert a Key-Policy Attributed-Based Encryption (KP-ABE) scheme to a Key-Policy Attributed-Based Keyword Search (KP-ABKS) scheme as a concrete instance of our LEKS framework, making both the encrypted data and the search functionality under fine-grained access control. Notably, the resulting KP-ABKS is the first proven secure ABKS scheme with IND-sCKA security in the random oracle model, assuming the hardness of the $$\ell $$-DCBDH problem derived from the (P, f)-DBDH problem family.

In a broadcast encryption system, a broadcaster can encrypt a message to a group of authorized receivers S and each authorized receiver can use his/her own private key to correctly decrypt the broadcast ciphertext, while the users outside S cannot. Identity-based broadcast encryption (IBBE) system is a variant of broadcast encryption system where any string representing the user’s identity (e.g., email address) can be used as his/her public key. IBBE has found many applications in real life, such as pay-TV systems, distribution of copyrighted materials, satellite radio communications. When employing an IBBE system, it is very important to protect the message’s confidentiality and the users’ anonymity. However, existing IBBE systems cannot satisfy confidentiality and anonymity simultaneously. In this paper, using an anonymous identity-based encryption (IBE) primitive with robust property as a building block, we propose a generic IBBE construction, which can simultaneously ensure the confidentiality and anonymity under chosen-ciphertext attacks. Our generic IBBE construction has a desirable property that the public parameters size, the private key size and the decryption cost are constant and independent of the number of receivers.

Traditionally, a ciphertext from an identity-based broadcast encryption can be distributed to a group of receivers whose identities are included in the ciphertext. Once the ciphertext has been created, it is not possible to remove any intended receivers from it without conducting decryption. In this paper, we consider an interesting question: how to remove target designated receivers from a ciphertext generated by an anonymous identity-based broadcast encryption? The solution to this question is found applicable to file sharing with revocation. In this work, we found an affirmative answer to this question. We construct an anonymous identity-based broadcast encryption, which offers the user revocation of ciphertext and the revocation process does not reveal any information of the plaintext and receiver identity. In our proposed scheme, the group of receiver identities are anonymous and only known by the encryptor. We prove that our scheme is semantically secure in the random oracle model.

So far, several papers have analyzed attacks on RSA when attackers know the least significant bits of a secret exponent d as well as a public modulus N and a public exponent e, the so-called partial key exposure attacks. Aono (ACISP 2013), and Takayasu and Kunihiro (ACISP 2014) generalized the attacks when there are multiple pairs of a public/secret exponent $$(e_1,d_1),\ldots ,(e_n,d_n)$$ for the same public modulus N. The standard RSA is a special case of the generalization, i.e., $$n=1$$. They revealed that RSA becomes more vulnerable when there are more exponent pairs. However, their results have two obvious drawbacks. First, partial key exposure situations which they considered are restrictive. They have proposed the attacks only for small secret exponents, although attacks for large secret exponents have also been analyzed for the standard RSA. Second, they could not generalize the attacks perfectly. More concretely, their attacks for $$n=1$$ do not correspond to the currently known best attacks on the standard RSA.In this paper, we propose improved partial key exposure attacks on RSA with multiple exponent pairs. Our results completely solve the above drawbacks. Our attacks are the first results for large exponents, and our attacks for $$n=1$$ correspond to the currently known best attacks on the standard RSA. Our results for small secret exponents are superior to previous results when $$n=1$$ and 2, and when $$n \ge 3$$ and $$d_1,\ldots ,d_n>N^{3(n-1)/(3n+1)}$$.

In 1995, Kuwakado, Koyama and Tsuruoka presented a new RSA-type scheme based on singular cubic curves $$y^2\equiv x^3+bx^2\pmod N$$ where $$N=pq$$ is an RSA modulus. Then, in 2002, Elkamchouchi, Elshenawy and Shaban introduced an extension of the RSA scheme to the field of Gaussian integers using a modulus $$N=PQ$$ where P and Q are Gaussian primes such that $$p=|P|$$ and $$q=|Q|$$ are ordinary primes. Later, in 2007, Castagnos proposed a scheme over quadratic field quotients with an RSA modulus $$N=pq$$. In the three schemes, the public exponent e is an integer satisfying the key equation $$ed-k\left( p^2-1\right) \left( q^2-1\right) =1$$. In this paper, we apply the continued fraction method to launch an attack on the three schemes when the private exponent d is sufficiently small. Our attack can be considered as an extension of the famous Wiener attack on the RSA.

A self-bilinear map (SBM) is a bilinear map where source and target groups are identical. An SBM naturally yields a multilinear map, which has numerous applications in cryptography. In spite of its usefulness, there is known a strong negative result on the existence of an ideal SBM. On the other hand, Yamakawa et al. (CRYPTO’14) introduced the notion of a self-bilinear map with auxiliary information (AI-SBM), which is a weaker variant of SBM and constructed it based on the factoring assumption and an indistinguishability obfuscation ($$i\mathcal {O}$$). In their work, they proved that their AI-SBM satisfies the Auxiliary Information Multilinear Computational Diffie-Hellman (AI-MCDH) assumption, which is a natural analogue of the Multilinear Computational Diffie-Hellman (MCDH) assumption w.r.t. multilinear maps. Then they show that they can replace multilinear maps with AI-SBMs in some multilinear-map-based primitives that is proven secure under the MCDH assumption.In this work, we further investigate what hardness assumptions hold w.r.t. their AI-SBM. Specifically, we introduce a new hardness assumption called the Auxiliary Information Generalized Multilinear Diffie-Hellman (AI-GMDH) assumption. The AI-GMDH is parameterized by some parameters and thus can be seen as a family of hardness assumptions. We give a sufficient condition of parameters for which the AI-GMDH assumption holds under the same assumption as in the previous work. Based on this result, we can easily prove the AI-SBM satisfies certain hardness assumptions including not only the AI-GMDH assumption but also more complicated assumptions. This enable us to convert a multilinear-map-based primitive that is proven secure under a complicated hardness assumption to AI-SBP-based (and thus the factoring and $$i\mathcal {O}$$-based) one. As an example, we convert Catalano et al.’s multilinear-map-based homomorphic signatures (CRYPTO’14) to AI-SBP-based ones.

This paper describes a deterministic encoding f from a finite field $$\mathbb {F}_{q}$$ to a twisted Edwards curve E when $$q\equiv 2\pmod 3$$. This encoding f satisfies all 3 properties of deterministic encoding in Boneh-Franklin’s identity-based scheme. We show that the construction f(h(m)) is a hash function if h(m) is a classical hash function. We present that for any nontrivial character $$\chi $$ of $$E(\mathbb {F}_q)$$, the character sum $$S_f(\chi )$$ satisfies $$ S_f(\chi )\leqslant 20\sqrt{q}+2 $$. It follows that $$f(h_1(m))+f(h_2(m))$$ is indifferentiable from a random oracle in the random oracle model for $$h_1$$ and $$h_2$$ by Farashahi, Fouque, Shparlinski, Tibouchi, and Voloch’s framework. This encoding saves 3 field inversions and 3 field multiplications compared with birational equivalence composed with Icart’s encoding; saves 2 field inversions and 2 field multiplications compared with Yu and Wang’s encoding at the cost of 2 field squarings; and saves 2 field inversions, 3 field multiplications and 3 field squarings compared with Alasha’s encoding. Practical implementations show that f is 46.1 %,35.7 %, and 38.9 % faster than the above encodings respectively.

In this paper, we present improved rebound attacks against AESQ permutation that is an underlying permutation of PAEQ authenticated encryption scheme currently discussed in the second round of the CAESAR competition. AESQ is an AES-based permutation. Designers claim that no attack should be found with complexity up to $$2^{256}$$ and they have shown a rebound attack against 12 (out of 20) rounds with $$2^{256}$$ computational cost and $$2^{256}$$ memory. In this paper, we present the first third-party cryptanalysis on AESQ. First, we reduce the complexity of the 12-round attack to $$2^{128}$$ computational cost and negligible memory. We then extend the number of rounds and present a 16-round attack with $$2^{192}$$ computational cost and $$2^{128}$$ memory. Moreover, we discuss time-memory tradeoffs and multiple limited birthday distinguishers. In particular, the time-memory tradeoff is useful for the 12-round attack, which allows us to balance the time and memory complexities to $$2^{102.4}$$.

Block-cipher-based authenticated encryption has obtained considerable attention from the ongoing CAESAR competition. While the focus of CAESAR resides primarily on nonce-based authenticated encryption, Deterministic Authenticated Encryption (DAE) is used in domains such as key wrap, where the available message entropy motivates to omit the overhead for nonces. Since the highest possible security is desirable when protecting keys, beyond-birthday-bound (BBB) security is a valuable goal for DAE. In the past, significant efforts had to be invested into designing BBB-secure AE schemes from conventional block ciphers, with the consequences of losing efficiency and sophisticating security proofs.This work proposes Deterministic Counter in Tweak (DCT), a BBB-secure DAE scheme inspired by the Counter-in-Tweak encryption scheme by Peyrin and Seurin. Our design combines a fast $$\epsilon $$-almost-XOR-universal family of hash functions, for $$\epsilon $$ close to $$2^{-2n}$$, with a single call to a 2n-bit SPRP, and a BBB-secure encryption scheme. First, we describe our construction generically with three independent keys, one for each component. Next, we present an efficient instantiation which (1) requires only a single key, (2) provides software efficiency by encrypting at less than two cycles per byte on current x64 processors, and (3) produces only the minimal $$\tau $$-bit stretch for $$\tau $$ bit authenticity. We leave open two minor aspects for future work: our current generic construction is defined for messages of at least $$2n-\tau $$ bits, and the verification algorithm requires the inverse of the used 2n-bit SPRP and the encryption scheme.

The boomerang attack is one of the many extensions of the original differential attack. It has been widely applied to successfully attack many existing ciphers. In this paper, we investigate an extended version of the boomerang attack and show that it is still a very powerful tool especially in the related-key setting. A new branch-and-bound searching strategy which involves the extended boomerang framework is then introduced. We provide an improved cryptanalysis on the KATAN family (a family of hardware-oriented block ciphers proposed in CHES 2009) based on the boomerang attack. In the related-key setting, we were able to greatly improve upon the previous results to achieve the best results, namely 150 and 133 rounds by far for KATAN48/64 respectively. For KATAN32 in the related-key setting and all KATAN variants in the single-key setting, our results are the best ones in the differential setting although inferior to the meet-in-the-middle attack.

Standard form of authenticated encryption (AE) requires the ciphertext to be expanded by the nonce and the authentication tag. These expansions can be problematic when messages are relatively short and communication cost is high. To overcome the problem we propose a new form of AE scheme, $$ \textsf {MiniAE} $$, which expands the ciphertext only by the single variable integrating nonce and tag. An important feature of $$ \textsf {MiniAE} $$ is that it requires the receiver to be stateful not only for detecting replays but also for detecting forgery of any type. McGrew and Foley already proposed a scheme having this feature, called AERO, however, there is no formal security guarantee based on the provable security framework.We provide a provable security analysis for $$ \textsf {MiniAE} $$, and show several provably-secure schemes using standard symmetric crypto primitives. This covers a generalization of AERO, hence our results imply a provable security of AERO. Moreover, one of our schemes has a similar structure as OCB mode of operation and enables rate-1 operation, i.e. only one blockcipher call to process one input block. This implies that the computation cost of $$ \textsf {MiniAE} $$ can be as small as encryption-only schemes.

As an international standard by ISO/IEC, Camellia is a widely used block cipher, which has received much attention from cryptanalysts. The impossible differential attack is one of efficient methods to analyze Camellia. Liu et al. gave an 8-round impossible differential, of which the input and output differences depend on some weak keys. In this paper, we apply some key relations to build the precomputation table to reduce time complexity and give some relations between the size of weak key sets and the number of input and output differences of the impossible differentials, which are used to balance the time complexity and the fraction of key space attacked. Furthermore, we give an impossible differential attack on 14-round Camellia-192 with $$2^{126.5}$$ known plaintexts and $$2^{189.32}$$ encryptions. Our impossible differential attack works one more round than previous cryptanalysis results.

In this paper, we focus on the automatic differential cryptanalysis of ARX block ciphers with respect to XOR-difference, and develop Mouha et al.’s framework for finding differential characteristics by adding a new method to construct long characteristics from short ones. The new method reduces the searching time a lot and makes it possible to search differential characteristics for ARX block ciphers with large word sizes such as $$n=48,64$$. What’s more, we take the differential effect into consideration and find that the differential probability increases by a factor of $$4 \sim 16$$ for SPECK and more than $$2^{10}$$ for LEA when multiple characteristics are counted in. The efficiency of our method is demonstrated by improved attacks of SPECK and LEA, which attack 1, 1, 4 and 6 more rounds of SPECK48, SPECK64, SPECK96 and SPECK128, respectively, and 2 more rounds of LEA than previous works.

The LAC authenticated encryption algorithm was a candidate to the CAESAR competition on authenticated encryption, which follows the design of the ALE authenticated encryption algorithm. In this paper, we show that the security of LAC depends greatly on the parameter of the maximum message length and the order of padding the last message block, by cryptanalysing its variants that differ from the original LAC only in the above-mentioned two points. For the LAC variants, we present a structural state recovery attack in the nonce-respecting scenario, which is independent from the underlying block cipher, which requires only chosen queries to their encryption and tag generation oracles and can recover an internal state of the initialization phase for one of some used Public Message Numbers (PMNs) more advantageously than exhaustive key search; and the recovered internal state can be used to make an existential forgery attack under this PMN. Besides, slightly inferior to exhaustive key search, the state recovery attack can apply to the LAC variant that differs from LAC only in the order of padding the last message block. Although the state recovery attack does not apply to the original LAC, it sheds some light on this type of interesting structures, and shows that an authenticated encryption algorithm with a such or similar structure may be weakened when it is misused deliberately or accidentally with the reverse message padding order and a different maximum message length, and users should be careful about the two points when employing such a structure in reality.

Simeck is a new family of lightweight block cipher proposed by Yang $$et\ al.$$ in CHES’15, which performs efficiently in hardware implementation. In this paper, we search out Simeck’s differentials with low Hamming weight and high probability using Kölbl’s tool, then exploit the links between differentials and linear characteristics to construct linear hulls for Simeck. We give improved linear hull attack with dynamic key-guessing techniques on Simeck on the basis of round function’s property. Our results cover Simeck 32/64 reduced to 23 rounds, Simeck 48/96 reduced to 30 rounds, Simeck 64/128 reduced to 37 rounds, which are the best known results so far for any variant of Simeck.

Multivariate Public Key Cryptography (MPKC) is one of the main candidates for secure communication in a post-quantum era. Recently, Yasuda and Sakurai proposed in [8] a new multivariate encryption scheme called SRP, which is very efficient and resists all known attacks against multivariate schemes. However, the key sizes of the scheme are quite large. In this paper we propose a new strategy to reduce the key size of the SRP scheme, which enables us to reduce the size of the public key by up to $$54\,\%$$. Furthermore, we can use the additional structure in the public key polynomials to speed up the encryption process of the scheme by up to $$50\,\%$$. We show by experiments that our modifications do not weaken the security of the scheme.

Access control is vital to prevent adversary from stealing resources from data centres. The security of traditional authentication means, such as password and Personal Identification Number (PIN), are imperfect for access control. In this paper, a reliable facial biometric access control with promising authentication performance is proposed. In our study, facial feature representation is computed based on ICA modelling, descriptor binarization, bitwise operation on the bit maps and effective compression via whitening PCA. The proposed technique is namely Binarized Independent Component Pattern (BICP). BICP training module integrates ICA methodology to construct ICA filter bank from natural image patches. Each face image is convoluted with the filters for the corresponding ICA responses. The ICA responses are further processed via feature binarization, and XOR bitwise operation before convert to code map. Next, block-wise histogramming is applied on each code map. By concatenating the regional histograms, it produces a set of high dimensional BICP descriptor, which will be further scaled and compressed. Empirical results show the remarkable performance of BICP on facial expression, illumination, time span and facial makeup effects.

Biometric identification (BI) is the task of searching a pre-established biometric database to find a matching record for an enquiring biometric trait sampled from an unknown individual of interest. This has recently been aided with cloud computing, which brings a lot of convenience but simultaneously arouses new privacy concerns. Two cloud aided BI schemes pursuing privacy preserving have recently been proposed by Wang et al. in ESORICS ’15. In this paper, we propose several elaborately designed attacks to reveal the security breaches in these two schemes. Theoretical analysis is given to validate our proposed attacks, which indicates that via such attacks the cloud server can accurately infer the outsourced database and the identification request.

User interest profiles are of great importance for security monitoring and forensic investigation. Once a specific topic becomes sensitive or suspected, being able to quickly determine who has shown an interest in that topic can assist investigators to focus their attention from massive data and develop effective investigation strategies. To automatically generate user interest profiles, we extend Author Topic model to explicitly model user’s dynamic interest based on the text information posted by the user. Our model is able to monitor the evolution of user interest from time-stamped documents. Moreover, instead of modeling a topic as a multinomial distribution over words, we develop a model that can discover and output multi-word phrases to describe topics, which facilitates the human interpretation of unorganized texts. Therefore, our technique has the potential to reduce the cost of investigation and discover latent evidence that is often missed by expression-based searches. We evaluate the effectiveness and performance of our algorithm on a real-life forensic dataset Enron. The experiment results demonstrate that our algorithm can effectively discover user’s dynamic interest. The generated user interest profiles can further assist investigator to discover the latent evidence effectively from textual forensic data and perform security monitoring.

We investigate eIDAS Token specification for Pseudonymous Signature published recently by German security authority BSI, German Federal Office for Information Security. We analyze how far the current specification prevents privacy violations by the Issuer by malicious or simply careless implementation. We find that, despite the declared design goal of protecting privacy of the citizens, it is quite easy to convert the system into a “Big Brother” system and enable spying the citizens by third parties.We show that there is a simple and elegant way for preventing all attacks of the kind described. Moreover, we show that it is possible with relatively small amendments to the scheme.

Root is the administrative privilege on Android, which is however inaccessible on stock Android devices. Due to the desire for privileged functionalities and the reluctance of rooting their devices, Android users seek for no-root approaches, which provide users with part of root privileges without rooting their devices. In this paper, we newly discover a feasible no-root approach based on the ADB loopback. To ensure such no-root approach is not misused proactively, we examine its dark side, including privacy leakage via logs and user input inference. Finally, we discuss the solutions and suggestions from different perspectives.

Modern network traffic classification approaches apply machine learning techniques to statistical flow properties, allowing accurate classification even when traditional approaches fail. We base our approach to the task on a state-of-the-art semi-supervised classifier to identify known and unknown flows with little labelled training data. We propose a new algorithm for mapping clusters to classes to target classes that were previously difficult to classify. We also apply alternative statistical features. We find our approach has an accuracy of 95.10 %, over 17 % above the technique on which it is based. Additionally, our approach improves the classification performance on every class.

Key-homomorphic pseudo random functions (KH-PRF) have many practical applications including proxy re-encryption, distributed credential protection systems and updatable encryption. We present a key-homomorphic pseudo random function that is homomorphic with respect to a significant part of the secret key and analyse its security. Previous constructions rely on the learning with errors problem which adds some small error to the homomorphic operations due to the noisy outputs. Our construction, based on elliptic curves, removes the need of adding this noise at the cost of adding a few bits to the secret key for which homomorphism does not follow. The main advantage of our construction is that homomorphism can be applied several times without incurring into errors. In particular, we show how our KH-PRF can be used to provide key updatable encryption to distributed storage networks. Also, by relaxing the security assumptions, our PRF can be modified to be homomorphic with respect to the entire key.