2023 | Book

# Information Security Applications

## 23rd International Conference, WISA 2022, Jeju Island, South Korea, August 24–26, 2022, Revised Selected Papers

Editors: Ilsun You, Taek-Young Youn

Book Series: Lecture Notes in Computer Science


This book constitutes the revised selected papers from the 23rd International Conference on Information Security Applications, WISA 2022, which took place on Jeju Island, South Korea, during August 2022.

The 25 papers included in this book were carefully reviewed and selected from 76 submissions. They were organized in topical sections as follows: network security; cryptography; vulnerability analysis; privacy enhancing technique; security management; security engineering.

#### Cryptography

##### Collision-Resistant and Pseudorandom Hash Function Using Tweakable Block Cipher
Abstract
This paper presents a method to construct a keyed Merkle-Damgård hash function satisfying collision resistance and the pseudorandom function property using a tweakable block cipher in the TWEAKEY framework. Its compression function adopts a double-block construction to achieve a sufficient level of collision resistance. Not only does the padding of the proposed keyed hash function not employ Merkle-Damgård strengthening, but it is also not injective. Due to this novel feature, the proposed keyed hash function achieves the minimum number of calls to its compression function for any message input. The proposed keyed hash function is shown to be optimally collision-resistant in the ideal cipher model. It is also shown to be a secure pseudorandom function if the underlying tweakable block cipher in the TWEAKEY framework is a secure tweakable pseudorandom permutation in two tweakey strategies.
Shoichi Hirose
##### Provably Secure Password-Authenticated Key Exchange Based on SIDH
Abstract
Password-authenticated key exchange (PAKE) schemes are cryptographic schemes for securely establishing a shared session key between a client and a server communicating over an insecure channel by using a low-entropy password. In this paper, we propose a PAKE based on SIDH, where the password is used to derive a torsion-points obfuscator independent of ephemeral keys. We analyze its security and prove that it is secure in the Bellare-Pointcheval-Rogaway (BPR) model, assuming the hardness of the supersingular isogeny computational Diffie-Hellman (SI-CDH) problem.
Theo Fanuela Prabowo, Chik How Tan
##### Group Signatures with Designated Traceability over Openers’ Attributes in Bilinear Groups
Abstract
Anonymity and traceability are two properties that seem difficult to make compatible. “Group signatures with designated traceability”, introduced at CANDAR 2021, is a group signature scheme in which a signer is capable of designating openers by specifying an opening access structure. In this paper, we give an instantiation of the scheme in the algebraic setting of bilinear groups.
Hiroaki Anada, Masayuki Fukumitsu, Shingo Hasegawa
##### Grover on SPARKLE
Abstract
Quantum computers that take advantage of quantum mechanics efficiently model and solve certain hard problems. In particular, quantum computers are considered a major threat to cryptography in the near future. In this situation, analysis of quantum computer attacks on ciphers is a major way to evaluate the security of ciphers. Several studies of quantum circuits for block ciphers have been presented. However, quantum implementations for Authenticated Encryption with Associated Data (AEAD) are not actively studied.
In this paper, we present a quantum implementation for the authenticated ciphers of SPARKLE, a finalist candidate of the National Institute of Standards and Technology (NIST) Lightweight Cryptography (LWC) project. We apply various techniques for optimization by considering the trade-off between qubits and gates/depth in quantum computers. Based on the proposed quantum circuit, we estimate the cost of applying key search using Grover’s algorithm, which degrades the security of symmetric key ciphers. Afterward, we further explore the expected level of post-quantum security for SPARKLE on the basis of the post-quantum security requirements of NIST.
Yujin Yang, Kyungbae Jang, Hyunji Kim, Gyeongju Song, Hwajeong Seo

#### Network Security

##### Quality-of-Service Degradation in Distributed Instrumentation Systems Through Poisoning of 5G Beamforming Algorithms
Abstract
Borja Bordel, Ramón Alcarria, Joaquin Chung, Rajkumar Kettimuthu, Tomás Robles, Iván Armuelles
##### An Effective Approach for Stepping-Stone Intrusion Detection Using Packet Crossover
Abstract
An effective approach for stepping-stone intrusion detection (SSID) is to estimate the length of a connection chain, which is referred to as the network-based detection approach. In this paper, we propose an effective network-based approach for SSID using packet crossover. Existing network-based approaches for SSID are either not effective or not efficient, as they require a large number of TCP packets to be captured and processed. Some other existing network-based approaches for SSID do not work effectively when the fluctuation of the packets’ RTTs is large and require the length of a connection chain to be pre-determined, and thus these existing detection methods have very limited performance. Our proposed algorithm for SSID using packet crossover can effectively determine the length of a downstream connection chain without any pre-assumption about the length of a connection chain and without requiring a large number of TCP packets to be captured and processed, and thus our proposed SSID algorithm is more efficient. Since the number of packet crossovers can be easily calculated, our proposed detection method is easy to use and implement. The effectiveness, correctness and efficiency of our proposed algorithm for SSID are verified through well-designed network experiments.
Lixin Wang, Jianhua Yang, Austin Lee
##### Software-Defined Network Based Secure Internet-Enabled Video Surveillance System
Abstract
The Internet-of-Things is driving significant change to the video surveillance network system, allowing access to video data anywhere and at any time. Despite the tremendous benefits, the system is faced with an insider threat, causing service interruption. Current management strategies for this system are inflexible and lack security incident mitigation. This paper offers a cost-effective, flexible, and security-oriented management system based on software-defined network technology for the video surveillance network using commercial-off-the-shelf components. A management interface was developed for the formulation of network-enforced flow rules and the visualization of network performance. The system was tested with scenarios in which the stations within the network were exposed to high and low network demand applications. The bandwidth visualization showed distinguishable outcomes when the surveillance network system was overwhelmed with a ping flooding attack by insiders. Enforcing the appropriate flow rules successfully mitigates such a Denial-of-Service attack originating within the network infrastructure. The network bandwidth immediately returned to its normal state after the malicious device was logically removed.
Mathew Del Castillo, Harvey Hermosa, Philip Virgil Astillo, Gaurav Choudhary, Nicola Dragoni
##### TLS Goes Low Cost: When TLS Meets Edge
Abstract
Recently, we have witnessed an upward trend in adopting Transport Layer Security version 1.3 (TLS 1.3) in numerous applications (Google Cloud [25], Microsoft software products [20], CloudFlare [27]). Although TLS 1.3 provides higher efficiency than the previous versions of TLS, its handshake protocol still requires the server to send its certificate to the client, which consumes a significant amount of network bandwidth. Moreover, the client becomes idle while it is waiting for the certificate to arrive. This latency is one of the causes of the TLS handshake delay. Adequate adoption of edge computing can increase the efficiency of traditional server-client architectures. In this paper, we envision a new paradigm to adopt edge computing into TLS to improve the efficiency of session establishment. Our new architecture will motivate researchers to consider the edge in improving the TLS protocol in the future. The TLS-EC (TLS with Edge Computing) protocol improves the TLS 1.3 handshake efficiency by reducing server-side certificate transmission overhead and network latency between server and client through edge computing. We also present the implementation of TLS-EC, which shows a reduction in both the handshake time and the bandwidth consumption between the server and the client during the TLS handshake. In particular, our experiments indicate that bandwidth consumption can be reduced by 33% and 49%, respectively, for ECDSA and RSA-based certificates with a 128-bit security level compared to the TLS 1.3 full handshake.
Intae Kim, Willy Susilo, Joonsang Baek, Jongkil Kim, Yang-Wai Chow
##### 5G-AKA, Revisited
Abstract
The 5G primary Authentication and Key Agreement (5G-AKA) protocol has received much attention in the literature. However, most of the 5G-AKA and relevant AKA protocols do not guarantee forward secrecy. In this paper, we propose a secure AKA (for short, $$\textsf {AKA}^{\star }$$) protocol that provides UE (User Equipment) anonymity and forward secrecy for 5G and beyond networks. Also, we formally prove the security of the $$\textsf {AKA}^{\star }$$ protocol in the random oracle model under the CDH (Computational Diffie-Hellman) problem. Moreover, we discuss several aspects of the $$\textsf {AKA}^{\star }$$ protocol, and compare the $$\textsf {AKA}^{\star }$$ and relevant protocols (EAP-AKA, EAP-AKA’, EAP-AKA’ FS, 5G-AKA and 5G-AKA’) in terms of efficiency, forward secrecy, UE anonymity and UE unlinkability.
SeongHan Shin

#### Privacy Enhancing Technique

##### Membership Privacy for Asynchronous Group Messaging
Abstract
The Signal protocol is a secure messaging protocol providing end-to-end encrypted asynchronous communication. In this paper, we focus on a method capable of hiding membership information from the viewpoint of non-group members in a secure group messaging (SGM) protocol, which we call “membership privacy”. Although Chase et al. (ACM CCS 2020) have considered the same notion, their proposal is an extension of Signal, so-called “Pairwise Signal”, where a group message is repeatedly sent over individual Signal channels. Thus, for the number of group users n, their protocol is not scalable, since each user requires $$O(n)$$ computational and communication costs for updating keys. In this work, we extend the Cohn-Gordon et al. SGM protocol (ACM CCS 2018), which we call the Asynchronous Ratcheting Trees (ART) protocol, to add membership privacy. The ART protocol is scalable, since each user requires $$O(\log n)$$ computational and communication costs for updating keys. We employ a key-private and robust public-key encryption (Abdalla et al., TCC 2010/JoC 2018) for hiding membership-related values in the setup phase. Furthermore, we concentrate on the fact that a group common key provides anonymity. This fact is used to encrypt membership information in the key update phase. Our extension does not affect the forward secrecy and post-compromise security of the original ART protocol. Our modification achieves asymptotically the same efficiency as the ART protocol in the setup phase. Any additional cost for key update does not depend on the number of group members (specifically, one encryption and decryption of a symmetric-key encryption scheme and one execution of a key-derivation function for each key update are employed). Therefore, the proposed protocol can add membership privacy to the ART protocol with quite a small overhead.
Keita Emura, Kaisei Kajita, Ryo Nojima, Kazuto Ogawa, Go Ohtake
##### On Membership Inference Attacks to Generative Language Models Across Language Domains
Abstract
The confidentiality threat against training data has become a significant security problem in neural language models. Recent studies have shown that memorized training data can be extracted by injecting well-chosen prompts into generative language models. While these attacks have achieved remarkable success in the English-based Transformer architecture, it is unclear whether they are still effective in other language domains. This paper studies the effectiveness of attacks against Korean models and the potential for attack improvements that might be beneficial for future defense studies.
The contribution of this study is two-fold. First, we perform a membership inference attack against the state-of-the-art Korean-based GPT model. We found approximate training data with 20% to 90% precision in the top 100 samples and confirmed that the proposed attack technique for naive GPT is valid across the language domains. Second, in this process, we observed that the redundancy of the selected sentences could hardly be detected with the existing attack method. Since the information appearing in a few documents is more likely to be meaningful, it is desirable to increase the uniqueness of the sentences to improve the effectiveness of the attack. Thus, we propose a deduplication strategy to replace the traditional word-level similarity metric with the BPE token level. As a result, we show 6% to 22% of the underestimated samples among the selected samples.
Myung Gyo Oh, Leo Hyun Park, Jaeuk Kim, Jaewoo Park, Taekyoung Kwon
##### A Joint Framework to Privacy-Preserving Edge Intelligence in Vehicular Networks
Abstract
The number of internet-connected devices has been exponentially growing with the massive volume of heterogeneous data generated from various devices, resulting in a highly intertwined cyber-physical system. Currently, the Edge Intelligence System (EIS) concept that leverages the merits of edge computing and Artificial Intelligence (AI) is utilized to provide smart cloud services with powerful computational processing and reduce decision-making delays. Thus, EIS offers a possible solution to realizing future Intelligent Transportation Systems (ITS), especially in a vehicular network framework. However, since the central aggregator server is responsible for supervising the entire system orchestration, the existing EIS framework faces several challenges and is still potentially susceptible to numerous malicious attacks. Hence, to solve the issues mentioned earlier, this paper presents the notion of secure edge intelligence, merging the benefits of Federated Learning (FL), blockchain, and Local Differential Privacy (LDP). The blockchain-assisted FL approach is used to efficiently improve traffic prediction accuracy and enhance user privacy and security by recording transactions in immutable distributed ledger networks as well as providing a decentralized reward mechanism system. Furthermore, LDP is empowered to strengthen the confidentiality of data sharing transactions, especially in protecting the user’s private data from various attacks. The proposed framework has been implemented in two scenarios, i.e., blockchain-based FL to efficiently develop the decentralized traffic management for vehicular networks and LDP-based FL to produce the randomized privacy protection using the IBM Library for differential privacy.

#### Vulnerability Analysis

##### Recovering Yaw Rate from Signal Injection Attack to Protect RV’s Direction
Abstract
Angular velocity can be measured by a gyroscope, which provides essential information to determine the heading direction of a vehicle. In particular, the z-axis of a gyroscope represents the vehicle’s rotation, information that is used to determine the current location. However, it is known that the current gyroscopes that are designed based on MEMS (Micro-Electromechanical Systems) have a vulnerability by which the gyroscope measurements can be damaged. When an acoustic signal with a resonant frequency of the MEMS gyroscope is injected, the MEMS gyroscope would incorrectly measure yaw rates. For this reason, it is important to protect the yaw rate from an acoustic signal injection attack to maintain the safety of the vehicle system. In this paper, we propose a recovery method for damaged yaw rates based on measurements from an accelerometer. Our method enables a vehicle to maintain its current location even if the signal injection attack attempts to manipulate its yaw rate measurement. In addition, we present the evaluation results showing that our method is able to properly estimate yaw rates based on x-axis and y-axis measurements of an accelerometer.
Hyunsu Cho, Sunwoo Lee, Wonsuk Choi, Dong Hoon Lee
##### A Survey on Sensor False Data Injection Attacks and Countermeasures in Cyber-Physical and Embedded Systems
Abstract
Cyber-physical systems (CPS) and embedded systems (ES) have been growing rapidly, embracing safety-critical systems such as automobiles and airplanes. While such systems are traditionally operated by humans, recent technology enables autonomous operation, even making critical control decisions by itself. Since the decision-making process highly depends on sensor data, it is crucial for safety that outputs from sensors remain trustworthy at all times. Sensor false data injection (SFDI) attacks target sensors of CPS and ES to affect their outputs, ultimately to perturb the behavior of the entire system.
In a sensor, the raw signal is processed at multiple stages to return the measurement. We group them into three layers where the signal changes its form. The simple three-layer view can help analyze existing attacks and defenses systematically: where the root cause of an attack is, how an attack propagates, and which layer a defense can protect.
The goals of the survey are to (1) understand the literature of SFDI attacks and defenses clearly, and (2) identify current challenges and potential approaches to make sensors secure.
Jinhong Choi, Yeongjin Jang
##### Dazzle-attack: Anti-Forensic Server-side Attack via Fail-Free Dynamic State Machine
Abstract
Server-side malware is one of the prevalent threats that can affect a large number of clients who visit the compromised server. In this paper, we propose Dazzle-attack, a new advanced server-side attack that is resilient to forensic analysis such as reverse-engineering. Dazzle-attack retrieves typical (and non-suspicious) contents from benign and uncompromised websites to avoid detection and mislead the investigation into erroneously associating the attacks with benign websites. Dazzle-attack leverages a specialized state machine that accepts any inputs and produces outputs with respect to the inputs, which substantially enlarges the input-output space and makes the reverse-engineering effort significantly more difficult. We develop a prototype of Dazzle-attack and conduct an empirical evaluation of Dazzle-attack to show that it imposes significant challenges on forensic analysis.
Bora Lee, Kyungchan Lim, JiHo Lee, Chijung Jung, Doowon Kim, Kyu Hyung Lee, Haehyun Cho, Yonghwi Kwon
##### vkTracer: Vulnerable Kernel Code Tracing to Generate Profile of Kernel Vulnerability
Abstract
Vulnerable kernel codes are a threat to an operating system kernel. An adversary’s user process can forcefully invoke a vulnerable kernel code to cause privilege escalation or denial of service (DoS). Although service providers or security operators have to determine the effect of kernel vulnerabilities on their environment to decide on kernel updates, the list of vulnerable kernel codes is not provided in the common vulnerabilities and exposures (CVE) report. It is difficult to identify the vulnerable kernel codes from the exploitation result of the kernel, which indicates only the account information or the kernel suspension. To identify the details of kernel vulnerabilities, this study proposes a vulnerable kernel code tracer (vkTracer), which employs an alternative viewpoint using proof-of-concept (PoC) code to create a profile of a kernel vulnerability. vkTracer traces the user process of the PoC code and the running kernel to hook the invocation of the vulnerable kernel codes. Moreover, vkTracer extracts the whole kernel component’s information using the running and static kernel image and debug section. The evaluation results indicated that vkTracer could trace PoC code executions (e.g., privilege escalation and DoS), identify vulnerable kernel codes, and generate kernel vulnerability profiles. Furthermore, the implementation of vkTracer revealed that the identification overhead ranged from 5.2683 s to 5.2728 s on the PoC codes and the acceptable system call latency was 3.7197 $$\upmu$$s.
Hiroki Kuzuno, Toshihiro Yamauchi

#### Security Engineering

##### ARMing-Sword: Scabbard on ARM
Abstract
Scabbard, one of the post-quantum Key Encapsulation Mechanisms (KEM), is an improved version of Saber, a lattice-based KEM. Scabbard has three schemes, called Florete, Espada, and Sable. Florete is a Ring-LWR-based KEM that effectively reuses the hardware architecture module used in Saber. Espada is a Module-LWR-based KEM that can be parallelized, requires very little memory, and is advantageous for operating in a resource-constrained environment. Finally, Sable adjusts the parameters to reduce the standard deviation of errors occurring in Saber. In this paper, we propose ARMing-sword, an optimized implementation of Scabbard on the ARM processor. For the efficient implementation, a parallel operation technique using the vector registers and vector instructions of the ARM processor is used. We focused on optimizing the multiplier, which takes the majority of the execution time in the Scabbard computation, and propose Direct Mapping and Sliding Window methods for accumulating computation results. ARMing-sword has a performance difference of up to 6.34$$\times$$ in the multiplier and a performance difference of up to 2.17$$\times$$ in the encryption algorithm to which the optimization technique is applied.
Hyeokdong Kwon, Hyunjun Kim, Minjoo Sim, Siwoo Eum, Minwoo Lee, Wai-Kong Lee, Hwajeong Seo
##### Optimized Implementation of Quantum Binary Field Multiplication with Toffoli Depth One
Abstract
Shor’s algorithm models discrete logarithms on binary elliptic curves and provides polynomial-time solutions. One of the major overheads in applying Shor’s algorithm is implementing binary elliptic curve arithmetic in quantum circuits. Among the operations of elliptic curves over binary fields, multiplication is essential and cost-critical even in the quantum field.
In this paper, we aim to optimize quantum binary field multiplication. Previous works on quantum multiplication focused on minimizing the number of Toffoli gates or qubits. In contrast, our work presents strategies for optimizing Toffoli depth and full depth, which are key factors in the Noisy Intermediate-Scale Quantum (NISQ) era. To achieve our goal, Karatsuba multiplication using a divide-and-conquer approach is adopted. In a nutshell, we present an optimized quantum multiplication with Toffoli depth one. Furthermore, under the influence of the optimized Toffoli depth, the full depth is naturally reduced.
In order to show the effectiveness of the proposed method, the performance is evaluated by various metrics, such as qubits, quantum gates, depth, and qubits-depth product. To the best of our knowledge, this is the first study on quantum multiplication that optimizes Toffoli depth and full depth.
Kyungbae Jang, Wonwoong Kim, Sejin Lim, Yeajun Kang, Yujin Yang, Hwajeong Seo
##### Time-Optimal Design of Finite Field Arithmetic for SIKE on Cortex-M4
Abstract
The advances in quantum technologies and the fast move toward quantum computing are threatening classical cryptography and urge the deployment of post-quantum (PQ) schemes. The only isogeny-based candidate forming part of the third round of the standardization, the Supersingular Isogeny Key Encapsulation (SIKE) mechanism, is a subject of constant latency optimizations given its attractive compact key sizes and, thus, its limited bandwidth and memory requirements. In this work, we present a new speed record for the SIKE protocol by implementing novel low-level finite field arithmetic targeting the ARMv7-M architecture. We develop handcrafted assembly code for the modular multiplication and squaring functions, where we obtain 8.71% and 5.38% speedup, respectively, compared to the last best-reported assembly implementations for p434. After deploying the optimized finite field architecture to the SIKE protocol, we observe 5.63%, 3.93%, 3.48%, and 1.61% latency reduction for SIKE p434, p503, p610, and p751, respectively, targeting the NIST-recommended STM32F407VG discovery board for our experiments.
Mila Anastasova, Reza Azarderakhsh, Mehran Mozaffari Kermani
##### Analysis of Radioactive Decay Based Entropy Generator in the IoT Environments
Abstract
In cryptography, random numbers are the most important element for security. Random numbers are generated through an RNG (Random Number Generator), and collecting sufficient entropy sources is essential to generate random numbers. However, it is difficult to collect sufficient entropy sources due to limited resources in the IoT environment. In this paper, we use $$\alpha$$- and $$\beta$$-based radioactive decay noise sources to solve this problem, and generate entropy using proper entropy generation methods for each. The result is as follows: $$\beta$$-based noise sources can generate entropy about 32 times faster than $$\alpha$$-based noise sources.
Taewan Kim, Seyoon Lee, Seunghwan Yun, Jongbum Kim, Okyeon Yi

#### Security Management

##### A Novel Metric for Password Security Risk Against Dictionary Attacks
Abstract
Binh Le Thanh Thai, Hidema Tanaka
##### Towards Evaluating the Security of Human Computable Passwords Using Neural Networks
Abstract
Passwords play a major role for authentication in our daily life. However, contemporary passwords are typically either difficult to remember or vulnerable to various attacks. In 2017, Blocki, Blum, Datta and Vempala introduced the concept of human computable passwords as a promising authentication method. The fundamental concerns for designing human computable passwords are their usability and security. So far, the security evaluation of human computable password authentication schemes has mainly been based on complexity-theoretic analysis. In this paper, we initially investigate the security of human computable passwords against neural network-based adversarial attacks. Specifically, we employ the typical multilayer perceptron (MLP) model to attempt to attack the human computable password authentication scheme proposed by Blocki-Blum-Datta-Vempala. We present implementation results and the corresponding analysis as well. Our results imply that it is possible for an MLP to learn a simple function, but it is difficult for an MLP to learn piecewise functions well.
Issei Murata, Pengju He, Yujie Gu, Kouichi Sakurai
##### Markov Decision Process for Automatic Cyber Defense
Abstract
It is challenging for a security analyst to detect or defend against cyber-attacks. Moreover, traditional defense deployment methods require the security analyst to manually enforce the defenses in the presence of uncertainties about which defense to deploy. As a result, it is essential to develop an automated and resilient defense deployment mechanism to thwart the new generation of attacks. In this paper, we propose a framework based on the Markov Decision Process (MDP) and Q-learning to automatically generate optimal defense solutions for networked system states. The framework consists of four phases, namely the model initialization phase, the model generation phase, the Q-learning phase, and the conclusion phase. The proposed model collects real network information as inputs and then builds it into structural data. We implement a Q-learning process in the model to learn the quality of a defense action in a particular state. To investigate the feasibility of the proposed model, we perform simulation experiments, and the results reveal that the model can reduce the risk to network systems from cyber attacks. Furthermore, the experiments show that the model has a certain level of flexibility when different parameters are used for Q-learning.
Xiaofan Zhou, Simon Yusuf Enoch, Dong Seong Kim
##### Influence Through Cyber Capacity Building: Network Analysis of Assistance, Cooperation, and Agreements Among ASEAN Plus Three Countries
Abstract
ASEAN is fast emerging as a key strategic region amidst the intensifying geopolitical competition between the United States and China. Important global actors, including China, Japan, and South Korea, have each formulated regional policies with strong ASEAN saliency. The ASEAN Plus Three are global ICT powerhouses that have developed strong economic and political ties with the region, and the Plus Three countries have leveraged their significant cyber capability to extend their influence in the region. This study evaluates the relative performances of the Plus Three countries’ cyber outreach efforts to the region by visualizing the complex web of actors and cyber cooperation and assistance activities with network analysis tools and open source databases. The study finds that the Plus Three countries, despite the outward similarity in their respective regional strategies, are a study of contrasts, with one of them emerging as an influential yet silent power in the regional cyber diplomacy domain.
Yu-kyung Kim, Myong-hyun Go, Kyungho Lee
##### Chameleon DNN Watermarking: Dynamically Public Model Ownership Verification
Abstract
Deep neural networks (DNNs) have made unprecedented leaps in functionality and usefulness in the past few years, revolutionizing various promising fields such as image recognition and machine translation. The trainer’s high-performance DNNs are often considered intellectual property (IP) due to their expensive training costs. However, one pre-trained model may face various infringement problems when hacked by a malicious user, such as illegal copying or secondary selling. Digital watermarking is one of the effective methods currently used for model ownership verification. Nonetheless, limited by the ex-ante nature of the watermark embedding phase and the ex-post nature of the verification phase, previous research has only supported private verification or one-time public verification, failing to achieve multiple public verifications. In this paper, we introduce the definition of chameleon DNN watermarking and propose the first DNN watermarking scheme based on chameleon commitment, which allows multiple public verifications to declare the owner’s model ownership without exposing the core watermark information. We give a comprehensive security analysis of the verification scheme of chameleon DNN watermarking and prove by experiments that chameleon DNN watermarking can maintain the high performance and robustness of the model.
Wei Li, Xiaoyu Zhang, Shen Lin, Xinbo Ban, Xiaofeng Chen