Information Security and Privacy

We introduce a new technique converting Ciphertext-policy Attribute-based Encryption (CP-ABE) to Ciphertext-delegatable CP-ABE (CD-CP-ABE). Ciphertext delegation is an important technique to deal with dynamic credentials, which enable users to be joined and revoked at any time while the system is operating. The delegation of CD-CP-ABE allows third parties such as cloud or proxy servers to convert a ciphertext to the other one with a more restrictive policy. Therefore, it can be used to revoke users dynamically in an access control system. Prior to our work, a delegation algorithm of CD-CP-ABE is not generic and the completeness of the delegation is shown when the size of the delegated access structure increases quadratically with the sizes of original and revocation access structures. In this paper, we provide a generic delegation algorithm to reform CP-ABE to CD-CP-ABE. We generalize properties necessary for the ciphertext delegation using the syntax of encodings for the modularity and construct a generic delegation algorithm based on those properties. In our new technique, we build the delegated access structures, which generally determines the size of the ciphertext, in a defined way. The size of delegated access structures grows only linearly with those of original and revocation access structures. Through presenting instances, we show that our technique is readily applicable to existing CP-ABE schemes including CP-ABE scheme with non-monotonic access structures.

We first propose a 2D Location Based Encryption (LBE) scheme, where the setting includes a geography center system and the 2D triangle area including the set of locations. A user joining in the system is provided with a pre-arranged key, which belongs to her/his location. If the user’s location is belonging to this area, he/she can decrypt the message. Our proposed scheme achieves a constant ciphertext size in encryption algorithm and decryption cost. Beyond the 2D-LBE scheme, we explore the 3D-LBE scheme; whereby the location is set up in the 3D dimensions. This proposed scheme is an extension of 2D-LBE scheme, which the ciphertext is also constant. Both two schemes are proved in the selective model under the decisional $$\ell -$$ wBDHI assumption.

In era of cloud computing, how to search on encrypted data has been studied extensively. ID-based encryption with equality test (IBEET) as a type of searchable encryption allows a tester (insider) to check whether two ciphertexts encrypted under different identities contain the same message. Due to its equality test functionality, IBEET has many interesting applications, such as personal health record systems. In this paper, we first introduce group mechanism into IBEET and propose a new primitive, namely group ID-based encryption with equality test (G-IBEET). By the group mechanism, G-IBEET supports group granularity authorization. That is, a group administrator, who is trusted by group users, would issue the insider a group trapdoor to specify that it can only compare on ciphertexts of the group users but cannot compare with ciphertexts of any users other than them. Moreover, the workload of generation and management of trapdoors can be greatly reduced due to the group granularity authorization. For the insider attack which exists in most IBEET schemes with the goal of recovering the message from a ciphertext by mounting an offline message recovery attack, G-IBEET provides a nice solution for IBEET to resist it by the group mechanism. We propose a G-IBEET scheme in bilinear pairings, prove its security in the random oracle model and show that the proposed scheme has a more efficient test algorithm.

Proxy Re-Encryption (PRE) allows a ciphertext encrypted using a key $$\mathsf {pk}_{i}$$ to be re-encrypted by a third party so that it is an encryption of the same message under a new key $$\mathsf {pk}_{j}$$ , without revealing the message. We define Post-Compromise Security (PCS) in the context of PRE. This ensures that an adversary cannot distinguish which of two adversarially chosen ciphertexts a re-encryption was created from even when given the old secret key and the update token used to perform the re-encryption. We give separating examples demonstrating how PCS is stronger than existing security definitions for PRE achieving similar goals, before showing that PCS can be achieved using a combination of existing security properties from the literature. In doing so, we show there are existing PRE schemes satisfying PCS. Finally, we give a construction demonstrating that natural modifications of practical PRE schemes provably have PCS directly, without incurring overheads from the security reductions we have shown, and from weaker assumptions than existing schemes.

Witness pseudorandom functions, in short witness PRFs, (Zhandry, TCC 2016) and witness encryption (Garg et al., ACM 2013) are two powerful cryptographic primitives where the former produce a pseudorandom value corresponding to an instance of an NP language and the latter possesses the ability to encrypt a message with an NP problem. Mostly, these primitives are constructed using computationally expensive tools like obfuscation or multilinear maps. In this work, we build (single relation) witness PRFs using a puncturable pseudorandom function and a randomized encoding in common reference string (CRS) model. Next, we propose construction of an offline witness encryption having short ciphertexts from a public-key encryption scheme, an extractable witness PRF and a randomized encoding in CRS model. Furthermore, we show how to convert our single relation witness PRF into a multi-relation witness PRF and the offline witness encryption into an offline functional witness encryption scheme.

We propose several functional encryption schemes for set intersection and variants on two or multiple sets. In these schemes, a party may learn the set intersection from the sets of two or more clients, without having to learn the plaintext set of each individual client. For the case of two clients, we construct efficient schemes for determining the set intersection and the cardinality of the intersection. To evaluate the cardinality of the intersection, no overhead is incurred when compared to operating on plaintext data. We also present other functionalities with a scheme for set intersection with data transfer and a threshold scheme that only discloses the intersection if both clients have at least t elements in common. Finally, we consider set intersection and set intersection cardinality schemes for the case of three or more clients from a theoretical perspective. Our proof-of-concept implementations show that the two-client constructions are efficient and scale linearly in the set sizes.

At PKC 2008, Plantard et al. published a theoretical framework for a lattice-based signature scheme. Recently, after ten years, a new signature scheme dubbed as the Diagonal Reduction Signature (DRS) scheme was presented in the NIST PQC Standardization as a concrete instantiation of the initial work. Unfortunately, the initial submission was challenged by Yu and Ducas using the structure that is present on the secret key noise. In this paper, we are proposing a new method to generate random noise in the DRS scheme to elimite the aforementioned attack, and all subsequent potential variants.

Public key encryption with equality test (PKEET) allows testing whether two ciphertexts are generated by the same message or not. PKEET is a potential candidate for many practical applications like efficient data management on encrypted databases. Potential applicability of PKEET leads to intensive research from its first instantiation by Yang et al. (CT-RSA 2010). Most of the followup constructions are secure in the random oracle model. Moreover, the security of all the concrete constructions is based on number-theoretic hardness assumptions which are vulnerable in the post-quantum era. Recently, Lee et al. (ePrint 2016) proposed a generic construction of PKEET schemes in the standard model and hence it is possible to yield the first instantiation of PKEET schemes based on lattices. Their method is to use a 2-level hierarchical identity-based encryption (HIBE) scheme together with a one-time signature scheme. In this paper, we propose, for the first time, a direct construction of a PKEET scheme based on the hardness assumption of lattices in the standard model. More specifically, the security of the proposed scheme is reduces to the hardness of the Learning With Errors problem. We have used the idea of the full identity-based encryption scheme by Agrawal et al. (EUROCRYPT 2010) to construct the proposed PKEET.

This paper presents the Lattice-based Ring Confidential Transactions “Lattice RingCT v2.0” protocol. Unlike the previous Lattice RingCT v1.0 (LRCT v1.0) protocol, the new protocol supports Multiple-Input and Multiple-Output (MIMO) wallets in transactions, and it is a fully functional protocol construction for cryptocurrency applications such as Hcash. Since the MIMO cryptocurrency setting introduces new balance security requirements (and in particular, security against out-of-range amount attacks), we give a refined balance security model to capture such attacks, as well as a refined anonymity model to capture amount privacy attacks. Our protocol extends a previously proposed ring signature scheme in the LRCT v1.0 protocol, to support the MIMO requirements while preserving the post-quantum security guarantees, and uses a lattice-based zero-knowledge range proof to achieve security against out-of-range attacks. Preliminary parameter estimates and signature sizes are proposed as a point of reference for future studies.

In this paper, we use a class of module codes to construct a suite of code-based public-key schemes—Piglet, which includes a new IND-CPA-secure public-key encryption scheme Piglet-1.CPAPKE and an IND-CCA-secure key encapsulation mechanism (KEM for short) Piglet-1.CCAKEM by applying the KEM variant of Fujisaki-Okamoto transform to Piglet-1.CPAPKE. We also put a new IND-CPA-secure KEM Piglet-2.CPAKEM into Piglet. Then, we present the parameters comparison between our schemes and some code-based NIST submissions. The results show that our schemes are good long-term-secure candidates for post-quantum cryptography.

We show how to build distributed key generation and distributed decryption procedures for the $$\textsf {LIMA} $$ Ring-LWE based post-quantum cryptosystem. Our protocols implement the CCA variants of distributed decryption and are actively secure (with abort) in the case of three parties and honest majority. Our protocols make use of a combination of problem specific MPC protocols, generic garbled circuit based MPC and generic Linear Secret Sharing based MPC. We also, as a by-product, report on the first run-times for the execution of the SHA-3 function in an MPC system.

Recently, a new rank metric code, namely LRPC-Kronecker Product codes was proposed in APKC 2018 Workshop, and adapted into a construction of a new cryptosystem, namely the LRPC-Kronecker cryptosystem. The LRPC-Kronecker cryptosystem has compact key size, with their parameters achieve 256-bit security with key size (9,768 bits) smaller than the RSA’s key size (15,360 bits). It was also shown that the LRPC-Kronecker cryptosystem is CCA2-secured via the Kobara-Imai conversion. In this paper, we point out some errors in the original LRPC-Kronecker cryptosystem and suggest a reparation for the errors. We show that the LRPC-Kronecker cryptosystem in fact is equivalent to the LRPC cryptosystem. With this equivalence shown, we suggest alternative encryption and decryption, namely AKron for the LRPC-Kronecker cryptosystem. Furthermore, we show that there exists design weakness in the LRPC-Kronecker cryptosystem. We exploit this weakness and successfully cryptanalyze all the suggested parameters for $$k_1 = n_1$$ . We are able to recover secret key for all the proposed parameters within the claimed security level.

Pseudorandom Functions (PRF) is a basic primitive in cryptography. In this paper, we study related key attacks (RKA) with which the adversary is able to choose function $$\phi $$ and observe the behavior of the PRF under the modified secret key $$\phi (k)$$ . We focus on the PRF from the Learning with Errors (LWE) assumption by Banerjee and Peikert in CRYPTO 2014. We prove that the PRF is secure against unique-input key shift attacks and restricted affine attacks. After that, we use this RKA-secure PRF to construct a robustly reusable fuzzy extractor, which enjoys higher efficiency and better error correction rate.

In the Ring-LWE literature, there are several works that use a statistical framework based on $$\delta $$ -subgaussian random variables. These were introduced by Miccancio and Peikert (Eurocrypt 2012) as a relaxation of subgaussian random variables. In this paper, we completely characterise $$\delta $$ -subgaussian random variables. In particular, we show that this relaxation from a subgaussian random variable corresponds only to the shifting of the mean. Next, we give an alternative noncentral formulation for a $$\delta $$ -subgaussian random variable, which we argue is more statistically natural. This formulation enables us to extend prior results on sums of $$\delta $$ -subgaussian random variables, and on their discretisation.

As the fundamental component of blockchains, proof-of-work (PoW) scheme has been widely leveraged to provide consensus for maintaining a distributed public ledger. However, the long confirmation time, and hence the slow finality rate, is far from satisfactory. Alternative paradigms with performance improvement emerge. Nevertheless, there are fewer attempts in modifying the PoW mechanism itself.We find that the slow finality rate in PoW is caused by using only one bit to measure the computational power, namely, whether the attained hash value is smaller than a given target. In this paper, we first propose Demo-of-Work (DoW), a generalized PoW which assigns the computational work with a score depending on the hash value. We also treat the bitcoin blockchain as a global “clock” to attain synchronization for ensuring that each participant takes part in DoW for roughly the same time interval for ensuring fairness. With these two tools, we construct an alternative blockchain called AB-chain which provides a significantly faster finality rate when compared with the existing PoW-based blockchains, without sacrificing communication complexity or fairness.

Improving the throughput of blockchain systems such as Bitcoin and Ethereum has been an important research problem. Off-chain payments are one of the most promising technologies to tackle this challenge. Once a payment channel, however, is established there exists a strict one-one correspondence between a payee and prepayments, which reduces the flexibility of off-chain payments. In this paper, we propose a flexible instant payment system (FIPS) based on blockchain to improve the flexibility of off-chain payments. In the FIPS system, there exists a depositor who locks enough amounts of tokens on the chain, and supervises payers to make off-chain payments. Therefore, payers can pay to multiple payees off-chain without double-spending. Even the depositor colludes with the payer, and performs double-spending attacks, payees will not suffer any losses as they can withdraw their tokens from the locked tokens of the depositor. Besides, payers can allocate flexibly the prepayments off-chain, and all transactions are settled off-chain. We present a formal generic construction for the FIPS system, prove its security strictly, analyze its related properties, and compare with related schemes in detail. Analyses show that our scheme is flexible and practical.

In a cryptocurrency system, the protocol incorporated in the node application runs without human intervention. Cryptographic techniques are implemented to determine the ownership of the coins; they enable the owners to transfer the ownership of the coins to other users. Consensus protocols are employed to determine the source of the truth of the information contained in the public ledger called blockchain. When the protocol needs to be updated, all nodes need to replace the application with the newest release. We explore an event where an asynchronous protocol update opens a vulnerability in Monero nodes which have not yet updated to the newest software version. We show that a Denial of Service attack can be launched against the nodes running the outdated protocol, where the attack significantly reduces the system’ performance. We also show that an attacker, given a sufficient access to cryptocurrency services, is able to utilise the Denial of Service attack to launch a traceability attack.

Bitcoin-NG, introduced by Eyal et al. in NSDI 2016, divides a blockchain into key-blocks and micro-blocks to improve transaction process efficiency. In this paper, we propose a novel attack on Bitcoin-NG, called a micro-block chain truncation attack. Combined with key-block selfish and stubborn mining, and an eclipse attack, this attack is able to bring extra reward to attackers in Bitcoin-NG than in Bitcoin through a colluded strategy or a “destroyed if no stake” strategy. Our evaluation calculates the reward proportion of an attacker by these attacks on both Bitcoin-NG and Bitcoin, which helps us figure out whether Bitcoin-NG sacrifices security for efficiency promotion. We also evaluate 18 strategy combinations by traversing different values of computation power and practical truncation rate. In a setting with reasonable parameters, the optimal combined micro-block chain truncation attack obtains at most 5.28% more reward proportion in Bitcoin-NG than in Bitcoin.

Secure computation enables participating parties to jointly compute a function over their inputs while keeping them private. Secret sharing plays an important role for maintaining privacy during the computation. In most schemes, secret sharing over the same finite field is normally utilized throughout all the steps in the secure computation. A major drawback of this “uniform” approach is that one has to set the size of the field to be as large as the maximum of all the lower bounds derived from all the steps in the protocol. This easily leads to a requirement for using a large field which, in turn, makes the protocol inefficient. In this paper, we propose a “non-uniform” approach: dynamically changing the fields so that they are suitable for each step of computation. At the core of our approach is a surprisingly simple method to extend the underlying field of a secret sharing scheme, in a non-interactive manner, while maintaining the secret being shared. Using our approach, default computations can hence be done in a small field, which allows better efficiency, while one would extend to a larger field only at the necessary steps. As the main application of our technique, we show an improvement upon the recent actively secure protocol proposed by Chida et al. (Crypto’18). The improved protocol can handle a binary field, which enables XOR-free computation of a boolean circuit. Other applications include efficient (batch) equality check and consistency check protocols, which are useful for, e.g., password-based threshold authentication.

We propose novel secure multi-party protocols for decision-tree classification. Our protocols hide not only an input vector and an output class but also the structure of the tree, which incurs an exponential communication complexity in terms of the maximum depth of the tree, $$d_{max}$$ , for a naive construction. We tackle this problem by applying Oblivious RAM (ORAM) and obtain two efficient constructions with polynomial communication complexity (that counts the number of multiplications). The first protocol simulates ORAM in secure multi-party computation. The communication complexity of the first protocol is $$O(d_{max}^3 \log d_{max})$$ in the online phase and $$O(d_{max}^4 \log d_{max})$$ in total. We then improve this protocol by removing the position-map accesses, which is the most time-consuming parts in the ORAM. In the second protocol, we reduce the communication complexity to $$O(d_{max}^2 \log d_{max})$$ in the online phase and $$O(d_{max}^3 \log d_{max})$$ in total, and also reduce the number of rounds from $$O(d_{max}^2)$$ to $$O(d_{max})$$ . We implemented the proposed two constructions and the naive one, and experimentally evaluated their performance.

Since Wiener pointed out that the RSA can be broken if the private exponent d is relatively small compared to the modulus N (using the continued fraction technique), it has been a general belief that the Wiener attack works for $$d < N^{\frac{1}{4}}$$ . On the contrary, in this work, we give an example where the Wiener attack fails with $$d = \left\lfloor \frac{1}{2} N^{\frac{1}{4}} \right\rfloor + 1$$ , thus, showing that the bound $$d < N^{\frac{1}{4}}$$ is not accurate as it has been thought of. By using the classical Legendre Theorem on continued fractions, in 1999 Boneh provided the first rigorous proof which showed that the Wiener attack works for $$d < \frac{1}{3} N^{\frac{1}{4}}$$ . However, the question remains whether $$\frac{1}{3} N^{\frac{1}{4}}$$ is the best bound for the Wiener attack. Additionally, the question whether another rigorous proof for a better bound exists remains an elusive research problem. In this paper, we attempt to answer the aforementioned problems by improving Boneh’s bound after the two decades of research. By a new proof, we show that the Wiener continued fraction technique works for a wider range, namely, for $$d \le \frac{1}{\root 4 \of {18}} N^{\frac{1}{4}} = \frac{1}{2.06...} N^{\frac{1}{4}}$$ . Our new analysis is supported by an experimental result where it is shown that the Wiener attack can successfully perform the factorization on the RSA modulus N and determine a private key d where $$d = \left\lfloor \frac{1}{\root 4 \of {18}} N^{\frac{1}{4}} \right\rfloor $$ .

In cloud computing, delegated computing raises the security issue of guaranteeing data authenticity during a remote computation. In this context, the recently introduced function-dependent commitments (FDCs) are the only approach providing both fast correctness verification, information-theoretic input-output privacy, and strong unforgeability. Homomorphic authenticators—the established approach to this problem—do not provide information-theoretic privacy and always reveal the computation’s result upon verification, thus violating output privacy. Since many homomorphic authenticator schemes already exist, we investigate the relation between them and FDCs to clarify how existing schemes can be supplemented with information-theoretic output privacy. Specifically, we present a generic transformation turning any structure-preserving homomorphic authenticator scheme into an FDC scheme. This facilitates the design of multi-party computation schemes with full information-theoretic privacy. We also introduce a new structure-preserving, linearly homomorphic authenticator scheme suitable for our transformation. It is the first both context hiding and structure-preserving homomorphic authenticator scheme. Our scheme is also the first structure-preserving homomorphic authenticator scheme to achieve efficient verification.

Mass surveillance attracts much of attentions nowadays. Evidences showed that some intelligence agencies try to monitor public’s communication by unconventional methods, for example, providing users subverted cryptographic algorithms and compelling them to use. To address this new situation, researchers proposed a series of formal analyses and security definitions. However, current researches are restrictive as they only considered a single surveillant setting. In reality, there may exist multiple surveillants for different governments or manufacturers. This paper initializes the analysis of security against subversion in a multi-surveillant setting. We consider the case where users could only use subverted algorithms from different sources to achieve a subliminal communication. We introduce a new security notion that the transmission of a real message is “undetectable”, which means all surveillants either think the users execute the subverted algorithms honestly to transmit an innocuous message, or consider users are using non-subverted algorithms. We present a concrete design and prove that it satisfies our security definition.

Nowadays, network intrusion detection is researched extensively due to increasing global network threats. Many researchers propose to incorporate machine learning techniques in network intrusion detection systems since these techniques allow for automated intrusion detection with high accuracy. Furthermore, dimensionality reduction techniques can improve the performance of machine learning models, and as such, are widely used as a pre-processing step. Nevertheless, many researchers consider machine learning techniques as a black box because of its complex intrinsic mechanism. Visualization plays an important role in facilitating the understanding of such sophisticated techniques because visualization is able to offer intuitive meaning to the machine learning results. This research investigates the performance of two dimensionality reduction techniques on network intrusion detection datasets. In addition, this work also demonstrates visualizing the resulting data in 3-dimensional space. The purpose of this is to possibly gain insight into the results, which can potentially aid in the improvement of machine learning performance.

Networks are designed with functionality, security, performance, and cost in mind. Tools exist to check or optimize individual properties of a network. These properties may conflict, so it is not always possible to run these tools in series to find a configuration that meets all requirements. This leads to network administrators manually searching for a configuration.This need not be the case. In this paper, we introduce a layered framework for optimizing network configuration for functional and security requirements. Our framework is able to output configurations that meet reachability, bandwidth, and risk requirements. Each layer of our framework optimizes over a single property. A lower layer can constrain the search problem of a higher layer allowing the framework to converge on a joint solution.Our approach has the most promise for software-defined networks which can easily reconfigure their logical configuration. Our approach is validated with experiments over the fat tree topology, which is commonly used in data center networks. Search terminates in between 1–5 min in experiments. Thus, our solution can propose new configurations for short term events such as defending against a focused network attack.

Static Random Access Memory-based Physically Unclonable Function (SRAM PUF) is frequently used in cryptographic applications such as key generation and IP protection because of its low cost, simple operation and high security features. The stability of PUF response is susceptible to environmental noise, so it requires the assistance of error correction algorithms when used as a key or ID. However, the actual error correction capability of the theoretically selected Error Correcting Codes (ECC) is always lower than expected. In this paper, we explore the specific reasons why SRAM PUF cannot use the theoretically selected ECC algorithm directly. In addition, an efficient and concise preprocessing method for random permutation is proposed to disturb the original position of unstable bits in the SRAM PUF response, thus confusing its instability distribution. Our experimental results show that the processed SRAM PUFs can recover the response sequence stably without increasing ECC’s error correction capability, which effectively saves the resource consumption of error correction circuit.

Errors in the sanitization of user inputs lead to serious security vulnerabilities. Many applications contain such errors, making them vulnerable to input sanitization exploits. Therefore, internet worms via exploiting vulnerabilities in applications infect hundreds of thousands of users in a matter of short time, causing hundreds of millions of dollars in damages. To successfully counter internet worm attacks, we need automatic detection and defense mechanisms. First, we need automatic detection mechanisms that can detect runtime attacks for vulnerabilities. A disclosure mechanism should be simple to deploy, resulting in few false positives and few false negatives.In this paper we present Tainer, an automatic dynamic taint analysis framework to detect and generate exploits for sanitization based vulnerabilities for Java web applications. Particularly, our method is based on tracking the flow of taint information from untrusted input the application sensitive methods (such as console, file, network, database or another program). Our proposed framework is portable, quick, accurate, and does not need the source code of applications. We demonstrate the usefulness of the framework by detecting several zero-day actual vulnerabilities in popular Java applications.

Passwords are widely used in online services, such as electronic and mobile banking services, and may be complemented by other authentication mechanism(s) for example in two-factor or three-factor authentication systems. There are, however, a number of known limitations and risks associated with the use of passwords, such as man-in-the-middle (MitM) and offline guessing attacks. In this paper, we present AMOGAP, a novel text password-based user authentication mechanism, to defend against MitM and offline guessing attacks. In our approach, users can select easy-to-remember passwords, and AMOGAP converts currently-used salted and hashed password files into user tokens, whose security relies on the Decisional Diffie-Hellman (DDH) assumption, at the server end. In other words, we use a difficult problem in number theory (i.e., DDH problem), rather than a one-way hash function, to ensure security against offline password guessing attackers and MitM attackers. AMOGAP does not require any change in existing authentication process and infrastructure or incur additional costs at the server.

The increasing use of smartphones raises many concerns related to data security, as the loss of a smartphone could compromise sensitive data. Authentication on smartphones plays an important role in protecting users’ data from attacks. However, traditional authentication methods cannot provide continuous protection for a user’s data after the user has passed the initial authentication. In this paper, we present a novel continuous authentication approach called MineAuth based on the user’s daily interactive behaviours with his/her smartphone. We construct interactive behaviours from data captured by the smartphone. We then propose a weighting-based time period frequent pattern mining algorithm called WeMine to mine user’s frequent patterns to characterize the habits of mobile users. We build an authenticator using a one-class classification technique that only relies on the legitimate user data. We also develop a decision procedure to perform the task continuously. The entire process occurs on the smartphone, which provides better privacy guarantees to users and eliminates dependency on cloud connectivity. We also integrate our approach into the Android system and evaluate the performance of our approach. Our approach can achieve good performance. Additionally, it can achieve a high authentication accuracy of up to 98.3%. Regarding resource consumption, our approach consumes less than 0.4% of power while running for an entire day.

In Eurocrypt 2018, Cid et al. proposed a novel notion called the boomerang connectivity table, which formalised the switch property in the middle round of boomerang distinguishers in a unified approach. In this paper, we present a generic model of the boomerang connectivity table with automatic search technique for the first time, and search for (related-key) boomerang distinguishers directly by combining with the search of (related-key) differential characteristics. With the technique, we are able to find 19-round related-key boomerang distinguishers in the lightweight block cipher Gift-64 and Gift-128. Interestingly, a transition that is not predictable by the conventional switches is realised in a boomerang distinguisher predicted by the boomerang connectivity table. In addition, we experimentally extend the 19-round distinguisher by one more round. A 23-round key-recovery attack is presented on Gift-64 based on the distinguisher, which covers more rounds than previous known results in the single-key setting. Although the designers of Gift do not claim related-key security, bit positions of the key addition and 16-bit rotations were chosen to optimize the related-key differential bound. Indeed, the designers evaluated related-key differential attacks. This is the first work to present better related-key attacks than the simple related-key differential attack.

The open-key attack is a very popular research topic in the symmetric-key community recently. In this paper, we focus on the security of AES-192 in one of its settings, namely the chosen-key setting. First, thanks to the linear relations between most of AES-192 subkeys, we construct an 8-round chosen-key distinguishers for it using the meet-in-the-middle idea and the SuperSbox technique. Then we turn this distinguisher into a key-recovery attack with a time complexity of one 8-round AES-192 encryption. Using the same approaches and with more efforts on exploiting the weak key schedule of this variant, 9-round chosen-key distinguishers is constructed and the master key is recovered afterwards at the cost of one 9-round AES-192 encryption. These results have been experimentally confirmed and two examples can be found in the appendix. While our work may not pose a threat to the security of AES-192 in a traditional way as those single-key recovery attacks do, we believe it do prove a non-trivial weakness in its key schedule to some extent and thus undermines its expectation as an ideal building block for hash functions.

Existing tweakable blockcipher (TBC)-based message authentication codes (MACs), in order to achieve full $$b$$ -bit pseudo-random function (PRF) security, require a TBC with $$t$$ -bit tweak and $$b$$ -bit input block spaces such that $$b\le t$$ . An open problem from the previous works is to design a TBC-based MAC achieving the $$b$$ -bit security even when $$b> t$$ . We present $$\mathsf {PMAC3}$$ , a TBC-based MAC achieving the $$b$$ -bit security as long as $$b/2 \le t$$ .

In this paper, we investigate WE scheme with the unique decryption and message indistinguishability, as well as its compelling applications. Our contributions are three-fold: (i) we first propose the notion of WE with MI and weak unique decryption, and give a construction based on public-coin differing-inputs obfuscation (diO), pseudorandom generator, and the Goldreich-Levin hard-core predicate; (ii) We show that our WE with MI and weak unique decryption can be used to construct a 4-round non-black-box honest-verifier zero-knowledge argument protocol; and (iii) We present a WE scheme with unique decryption and MI based on public-coin diO and weak auxiliary input multi-bit output point obfuscation (AIMPO). Moreover, we show that using our WE with unique decryption, we can get rid of the limitation of honest-verifier zero-knowledge property, thus yielding a 4-round non-black-box zero-knowledge argument.

Koblitz curves are a special family of binary elliptic curves satisfying equation $$y^2+xy=x^3+ax^2+1$$ , $$a\in \{0,1\}$$ . Scalar multiplication on Koblitz curves can be achieved with point addition and fast Frobenius endomorphism. We show a new point representation system $$\mu _4$$ coordinates for Koblitz curves. When $$a=0$$ , $$\mu _4$$ coordinates derive basic group operations—point addition and mixed-addition with complexities $$7\mathbf{M}+2\mathbf{S}$$ and $$6\mathbf{M}+2\mathbf{S}$$ , respectively. Moreover, Frobenius endomorphism on $$\mu _4$$ coordinates requires $$4\mathbf{S}$$ . Compared with the state-of-the-art $$\lambda $$ representation system, the timings obtained using $$\mu _4$$ coordinates show speed-ups of $$28.6\%$$ to $$32.2\%$$ for NAF algorithms, of $$13.7\%$$ to $$20.1\%$$ for $$\tau $$ NAF and of $$18.4\%$$ to $$23.1\%$$ for regular $$\tau $$ NAF on four NIST-recommended Koblitz curves K-233, K-283, K-409 and K-571.

Elliptic curves and hyperelliptic curves over finite fields are of great interest in public key cryptography. Using much smaller field for same security makes the genus 2 curves more competitive than elliptic curves. However, point counting algorithms for the Jacobians of genus 2 curves are not as efficient as what we have for elliptic curves. We give a method to generate genus 2 curves for which the point counting problems can be easily solved with efficient algorithms for elliptic curves. As an application, an example of a hyperelliptic curve whose order is a 256-bit prime is given. The method relies on the construction of a cover map from a hyperelliptic curve to an elliptic curve. Another important application of the construction is to generate the cover for the cover-decomposition attack on the discrete logarithm problems in elliptic curves.

Elliptic curve cryptosystems (ECCs) are widely used because of their short key size. They can ensure enough security with shorter keys, and use less memory space to reduce parameters. Hence, an elliptic curve is typically used in embedded systems. The dominant computation of an ECC is scalar multiplication $$Q = kP, P \in E({\mathbb F}_{q})$$ . Thus, the security and efficiency of scalar multiplication are paramount. To render secure ECCs, complete addition formulae can be employed for a secure scalar multiplication. However, this requires significant memory and is thus not suitable for compact devices. Several coordinates exist for elliptic curves such as affine, Jacobian, projective. The complete addition formulae are not based on affine coordinates and thus require considerable memory. In this study, we achieved a compact ECC by focusing on affine coordinates. In fact, affine coordinates are highly advantageous in terms of memory but require many if statements for scalar multiplication owing to exceptional points. We improve the scalar multiplication and reduce the limitations for input k. Furthermore, we extend the affine addition formulae to delete some exceptional inputs for scalar multiplication. Our compact ECC reduces memory complexity up to 26 % and is much more efficient compared to Joye’s RL 2-ary algorithm with the complete addition of formulae when the ratio I / M of computational complexity of inversion (I) to multiplication (M) is less than 7.2.

Preserving the privacy associated with publicly released micro-databases is an active area of research since an adversary can mine sensitive information about the database respondents from them. The work in this paper establishes a working model for quantitatively estimating the attribute based correlation present among multiple micro-databases. In this study, we have introduced an information-theoretic metric termed as Correlation Degree $$(\rho )$$ which estimates the amount of correlated information present among two micro-databases and accordingly assigns a cumulative score in the range [0, 1]. The design of our proposed metric is based on the fact that correlation among multiple datasets exists due to the presence of both overlapping and implicitly dependent attributes. We have also established a functional association between $$\rho $$ and the general notion of privacy during the execution of an adversarial linking attack. Finally, we have empirically validated our work by estimating the value of $$\rho $$ and the resulting privacy loss for the Adult micro-database on the backdrop of two well-established privacy preservation models.

Malware detection has noticeably increased in computer security community. However, little is known about a malware’s intentions. In this study, we propose a novel idea to adopt sequence-to-sequence (seq2seq) neural network architecture to analyze a sequence of Windows API invocation calls recording a malware at runtime, and generate tags to describe its malicious behavior. To the best of our knowledge, this is the first research effort which incorporate a malware’s intentions in malware analysis and in security domain. It is important to note that we design three embedding modules for transforming Windows API’s parameter values, registry, a file name and URL, into low-dimension vectors to preserve the semantics. Also, we apply the attention mechanism [10] to capture the relationship between a tag and certain API invocation calls when predicting tags. This will be helpful for security analysts to understand malicious intentions with easy-to-understand description. Results demonstrated that seq2seq model could mostly find possible malicious actions.

With the development of the network, network attacks become more frequent and serious, so network security is becoming more and more important. Machine learning has been widely used for network traffic detection, but traditional supervised learning does not perform good in the case of a small amount of labeled data and a large amount of unlabeled data. And this situation exists in a large number in practical applications, so research on semi-supervised algorithms is necessary. The Tri-training algorithm is a semi-supervised learning algorithm with strong generalization ability, which can effectively improve the accuracy of detection. In this paper, we improve the traditional Tri-training algorithm and combine the ensemble learning algorithm to generate the final hypothesis by estimating the confidence of unlabeled data. Experiments show that the improvement of the Tri-training is effective, and a better detection rate is achieved. The proposed system performs well in network traffic detection. Even in the case where the training data set has only a small amount of tagged data, the system can achieve a good detection rate and a low false positive rate. On the NSL-KDD data set, the system performs best in terms of accuracy and algorithm time consumption. On the Kyoto data set, the system achieves a good balance between accuracy and time cost.

Rewarded advertisements are popularly used in the mobile advertising industry. In this paper, we analyze several rewarded advertisement applications to discover security weaknesses, which allow malicious users to automatically generate in-app activities for earning cash rewards on advertisement networks; we call this attack automated cash mining. To show the risk of this attack, we implemented automated cashing attacks on four popularly used Android applications (Cash Slide, Fronto, Honey Screen and Screen Stash) with rewarded advertisements through reverse engineering and demonstrated that all the tested reward apps are vulnerable to our attack implementation.