Information and Communications Security

This paper firstly introduces a novel security definition for BLAC-like schemes (BLAC represents TTP-free BLacklistable Anonymous Credentials) in symbolic model using applied pi calculus, which is suitable for automated reasoning via formal analysis tools. We model the definitions of some common security properties: authenticity, non-framebility, mis-authentication resistance and privacy (anonymity and unlinkability). The case study of these security definitions is demonstrated by modelling and analyzing BLACR (BLAC with Reputation) system. We verify these security properties by Blanchet’s ProVerif and a ZKP (Zero-Knowledge Proof) compiler developed by Backes et al.. In particular, we analyze the express-lane authentication in BLACR. The analysis discovers a known attack that can be carried out by any potential user to escape from being revoked as he wishes. We provide a revised variant that can be proved successfully by ProVerif, which also indicates that the fix provided by ExBLACR (Extending BLACR) is incorrect.

In many cryptographic systems, random number can significantly influence its security. Although in practice random number generators (RNGs) are allowed to adopt only after strict analysis and security evaluation, the environmental factors also may lead the randomness of generated sequences to degrade. Therefore, on-the-fly statistical randomness test should be used to evaluate a candidate random sequence. Unfortunately, existing randomness test methods, such as the NIST test suite, are not well suitable to directly serve as on-the-fly test, because timely execution is usually not considered in their designs. In this paper, we propose a scheme to optimize the efficiency of randomness test suites, that is, providing the optimized order of the tests in a test suite, so that an unqualified sequence can be rejected as early as possible. This scheme finds out the optimized order by balancing the coverage, independence and time consumption of each test, and minimizing the average elimination time. We apply this optimization scheme on the revised NIST test suite as an instance. Experimental results on the sequences of 128 and 256 bits, demonstrate that the optimized efficiency approximates to the theoretical optimum and the scheme can be quickly implemented.

In the Electronic Health Record (EHR) system, digital signature is utilized to prevent the medical data from being tampered. However, users update their medical data frequently and have to sign these medical data from scratch after updating. Besides, traditional signature attests the identity of the individual signing the records, which leads to vast computation cost and the privacy leakage. In this paper, we obfuscate users identity information with attribute sets and introduce a semi-trusted participant–sanitizer to propose the Flexible Attribute-Based Sanitizable Signature (FABSS) scheme. We prove that our scheme is unforgeable under generic group model. Through comparison, the FABSS scheme not only reduces the users computation overhead, but also supports flexible access structures to implement expressively fine-grained access control.

With more and more websites adopt private keys to authenticate users or sign digital payments in e-commerce, various solutions have been proposed to secure private keys – some of them employ extra specific hardware devices while most of them adopt security features provided by general OS. However, users are reluctant to extra devices and general OS is too complicated to protect itself, let alone the private keys on it. This paper proposes a software solution, SSUKey, adopting CPU security features to protect private keys against the vulnerabilities of OS. Firstly, threshold cryptography (TC) is employed to partition the private key into two shares and two Intel SGX enclaves on local client and remote server are used to secure the key shares respectively. Secondly, the two enclaves are carefully designed and configured to mitigate the vulnerabilities of Intel SGX, including side channel and rollback. Thirdly, an overall central private key management is designed to help users globally monitor the usage of private keys and detect abnormal behaviors. Finally, we implement SSUKey as a cryptography provider, apply it to file encryption and Transport Layer Security (TLS) download, and evaluate their performance. The experiment results show that the performance decline due to SSUKey is acceptable.

We establish the direct connection between $$\text {CRP}$$CRP (Covering Radius Problem) and other lattice problems. We first prove that there is a polynomial-time rank-preserving reduction from approximating $$\text {CRP}$$CRP to $$\text {BDD}^{\rho }$$BDDρ (Covering Bounded Distance Decoding Problem). Furthermore, we show that there are polynomial-time reductions from $$\text {BDD}^{\rho }$$BDDρ to approximating $$\text {CVP}$$CVP (Closest Vector Problem) and $$\text {SIVP}$$SIVP (Shortest Independent Vector Problem), respectively. Hence, $$\text {CRP}$$CRP reduces to $$\text {CVP}$$CVP and $$\text {SIVP}$$SIVP under deterministic polynomial-time reductions.

The Pollard’s kangaroos method can solve the discrete logarithm problem in an interval. We present an improvement of the classic algorithm, which reduces the cost of kangaroos’ jumps by using the sine function to implement periodic iterates and giving some pre-computation. Our experiments show that this improvement is worthy of attention.

Distributed pseudorandom functions (DPRFs) originally introduced by Naor, Pinkas and Reingold (EUROCRYPT ’99) are pseudorandom functions (PRFs), whose computation is distributed to multiple servers. Although by distributing the function computation, we avoid single points of failures, this distribution usually implies the need for multiple interactions with the parties (servers) involved in the computation of the function. In this paper, we take distributed pseudorandom functions (DPRFs) even further, by pursuing a very natural direction. We ask if it is possible to construct distributed PRFs for a general class of access mechanism going beyond the threshold access structure and the access structure that can be described by a polynomial-size monotone span programs. More precisely, our contributions are two-fold and can be summarised as follows: (i) we introduce the notion of single round distributed PRFs for a general class of access structure (monotone functions in NP), (ii) we provide a provably secure general construction of distributed PRFs for every mNP access structure from puncturable PRFs based on indistinguishable obfuscation.

Among the existing countermeasures against side-channel analysis, masking is the most widely deployed one. In order to mask large functions (e.g. S-boxes), each basic operation of the function should be replaced with the d-th order secure operation. In this process, the multiplication with dependent inputs always exists, which may lead to security bias. In order to preserve the security of the dependent-input multiplication, a refreshing algorithm should be utilized to eliminate the dependence. Among the existing refreshing algorithms, only one proposal satisfying d-Strong Non-Interferent (d-SNI) can effectively solve the dependent-input issue. However, it suffers a low efficiency with a high randomness complexity. In this paper, we claim that the d-SNI refreshing algorithm is overqualified and a weaker refreshing algorithm can also ensure the security of the dependent-input multiplication. According to the property of the ISW multiplication, we prove that a refreshing algorithm satisfying a “conditional d-SNI” (weaker than d-SNI) can solve the dependent-input issue. In this way, we relax the security requirement of the refreshing algorithm. Based on this new security requirement, we propose a new refreshing algorithm satisfying conditional d-SNI. The randomness complexity of the new proposal is much lower than that of the original refreshing algorithm. As a validation, we implement the two refreshing algorithms on the 32-bit ARM core, and compare their random generations, clock cycles, and ROM consumptions. The comparison results indicate that our proposal outperforms the d-SNI refreshing algorithm in terms of both the randomness complexity and the arithmetic complexity, as significantly less random generations (33%–70% reduction), less clock cycles, and less ROM consumptions are involved in our proposal than in the d-SNI refreshing.

Deniable encryption is proposed to protect sensitive data against adversaries, even when the user has been coerced to reveal his private keys and other random parameters. However, current deniable encryption schemes or techniques either require the user to remember some tedious random parameters used in encryption or demand special designs in the file system. Any abnormality in the user’s behavior or in the file system tend to arouse suspicion, thus reduce the persuasion of the decrypted data. To cheat the adversary convincingly, we innovatively utilize the thermos-sensitivity of Physically Unclonable Functions (PUFs), to propose a novel and practical deniable encryption scheme, which enables the encryption system achieve deniability in a very covert way. The proposed scheme will automatically interpret the deniable ciphertext into different plaintexts at different temperatures and does not require any special designs in the file system. Furthermore, we successfully implement our scheme on Xilinx KC705 evaluation boards to prove its feasibility.

Tag-based encryption (TBE) is a generalization of public-key encryption (PKE), in which both the encryption and the decryption algorithms take a tag as an extra input, which is potentially useful. However, in contrast to TBE schemes with various types of security and under traditional number-theoretic assumptions, as far as we know, there is only one lattice-based TBE scheme with selective-tag security, which, in fact, is under a variant of DLWE assumption.In this paper, we propose two efficient TBE schemes, both of which have adaptive-tag security and are under the standard DLWE assumption. For efficiency, we adopt, in both schemes, a particular q-ary lattice equipped with efficient LWE inversion and preimage sampling algorithms, which are efficiently available for solving the related problems on a general q-ary lattice. The probabilistic partition technique is used to achieve the adaptive-tag security. On the other hand, we mainly embed the preimage sampling problem into the first scheme and the LWE inversion problem into the second one, the latter of which has a smaller modulus and a smaller approximation factor.Our schemes can be applied to construct IND-CCA2 secure PKE schemes and to design protocols that securely realizes the secure message transmission functionality in a hybrid model. Additionally, our first scheme can also be used to construct an adaptively secure identity-based encryption (IBE) scheme with more efficient secret-key extraction algorithm than those in well-known IBE schemes.

Inner product encryption (IPE) is a public-key encryption mechanism that supports fine-grained access control. Agrawal et al. (ASIACRYPT 2011) proposed the first IPE scheme from the Learning With Errors (LWE) problem. In their scheme, the public parameter size and ciphertext size are $$O(un^2\log ^3n)$$O(un2log3n) and $$O(un\log ^3n)$$O(unlog3n), respectively. Then, Xagawa (PKC 2013) proposed the improved scheme with public parameter of size $$O(un^2\log ^2n)$$O(un2log2n) and ciphertext of size $$O(un\log ^2n)$$O(unlog2n).In this paper, we construct a more compact IPE scheme under the LWE assumption, which has public parameter of size $$O(un^2\log n)$$O(un2logn) and ciphertext of size $$O(un\log n)$$O(unlogn). Thus our scheme improves the size of Xagawa’s IPE scheme by a factor of $$\log n$$logn.Inspired by the idea of Brakerski et al. (TCC 2016), we propose a targeted homomorphic IPE (THIPE) scheme based on our IPE scheme. Compared with Brakerski et al.’s scheme, our THIPE scheme has more compact public parameters and ciphertexts. However, our scheme can only apply to the inner product case, while in their scheme the predicate f can be any efficiently computable polynomial.

Predicate encryption provides fine-grained access control and has attractive applications. In this paper, We construct an compact inner product encryption scheme from the standard Learning with Errors (LWE) assumption that has compact public-key and achieves weakly attribute-hiding in the standard model. In particular, our scheme only needs two public matrices to support inner product over vector space $$\mathbb {Z}_q^{\log \lambda }$$Zqlogλ, and $$(\lambda / \log \lambda )$$(λ/logλ) public matrices to support vector space $$\mathbb {Z}_q^{\lambda }$$Zqλ.Our construction is the first compact functional encryption scheme based on lattice that goes beyond the very recent optimizations of public parameters in identity-based encryption setting. The main technique in our compact IPE scheme is a novel combination of IPE scheme of Agrawal, Freeman and Vaikuntanathan (Asiacrypt 2011), fully homomorphic encryption of Gentry, Sahai and Waters (Crypto 2013) and vector encoding schemes of Apon, Fan and Liu (Eprint 2017).

In this paper, we formally consider the construction of tightly secure deterministic public key encryption (D-PKE). Initially, we compare the security loss amongst the D-PKE schemes under the concrete assumptions and also analyze the tightness of generic D-PKE constructions. Furthermore, we prove that the CPA secure D-PKE scheme of Boldyreva et al. (Crypto’08) is tightly PRIV-IND-CPA secure for block-sources. Our security reduction improves the security loss of their scheme from $$\mathcal {O}(n_{c^*})$$O(nc∗) to $$\mathcal {O}(1)$$O(1). Additionally, by upgrading the all-but-one trapdoor function (TDF) in the construction of Boldyreva et al. to all-but-n TDF defined by Hemenway et al. (Asiacrypt’11), we give general construction of PRIV-IND-$$\frac{n}{2}$$n2-CCA secure (i.e., the number of challenge ciphertexts $$n_{c^*}$$nc∗ is bounded by $$\frac{n}{2}$$n2) D-PKE scheme for block-sources. And we observe that if the security reduction of the all-but-n TDF is tight, the D-PKE scheme can be tightly PRIV-IND-$$\frac{n}{2}$$n2-CCA secure. Finally, we prove that the all-but-n TDF given by Hemenway et al. is tightly secure, which results in the first tightly PRIV-IND-$$\frac{n}{2}$$n2-CCA secure D-PKE scheme for block-sources, based on the s-DCR assumption.

An inner product encryption (IPE) scheme is a special type of functional encryption where the decryption algorithm, given a ciphertext related to a vector $${\varvec{x}}$$x and a secret key to a vector $${\varvec{y}}$$y, computes the inner product $$\langle {\varvec{x}}, {\varvec{y}}\rangle $$⟨x,y⟩. A function-hiding IPE scheme requires that the secret key reveals no unnecessary information on the vector $${\varvec{y}}$$y besides the privacy of the vector $${\varvec{x}}$$x. In this paper, we construct a function-hiding IPE scheme using the asymmetric bilinear pairing group setting of prime order. Compared with the existing similar schemes, our construction both reduces necessary storage complexity and computational complexity by a factor 2 or more and achieves simulation-based security, which is much stronger than indistinguishability-based security, under the External Decisional Linear assumption in the standard model.

Ciphertext-policy attribute-based encryption (CP-ABE) is a promising primitive for enforcing access control policies defined by data owner on outsourced data. We propose a novel primitive called server-aided directly revocable CP-ABE with verifiable delegation, denoted by sarCP-ABE. In sarCP-ABE, the workloads about revocation are delegated to an aide-server, and the data owner only needs to generate a normal ciphertext as in a pure CP-ABE system. A user can be directly revoked by updating a public revocation list. To prevent a revoked user from decrypting, the aide server can update the aide-ciphertext with current revocation list, and an auditor can publicly check the correctness of the updated aide-ciphertext. At last, the proposed scheme can be proved selectively secure against chosen-plaintext attack on both original and updated ciphertext.

Attribute-set based encryption is a promising branch of attribute-based encryption which deals with the case when many attributes are only meaningful in groups or in sets and helps to avoid the exponential growth of attributes. We propose a feasible and efficient attribute-set based encryption scheme which is large universe, unbounded and supports composite attributes, using linear secret sharing schemes as the underlying tool. Additionally, our construction has been proved to be selectively secure in the standard model while previous ones could only be proved to be secure in the generic group model.

We propose a hidden ciphertext-policy attribute-based proxy re-encryption scheme. A data owner can delegate the capability of transforming a ciphertext under an access policy to another one with the same plaintext but different access policy to a semi-trusted proxy. Compared with traditional schemes, our scheme can hide the user’s attributes information in the encryption and re-encryption process, which can obtain a better protection of the user’s privacy. We also prove our scheme to be fully secure under standard assumptions using the dual system technique. As far as we know, this is the first scheme to achieve all these properties simultaneously.

In this paper, we focus on identity-based group encryption. We have revisited “Identity-Based Group Encryption (IBGE)” proposed by Xiling et al. Their scheme claims to achieve anonymity of the receiver. We have shown that the zero-knowledge proof they have used leaks much more information, due to which the verifier who is honest but curious will be able to identify the designated recipient.

At Crypto’10, Agrawal et al. proposed a lattice-based selectively secure Hierarchical Identity-based Encryption (HIBE) scheme (ABB10b) with small ciphertext on the condition that $$\lambda $$λ (the length of identity at each level) is small in the standard model. In this paper, we present another lattice-based selectively secure HIBE scheme with depth d, using a gadget matrix $$\mathbf {G}'\in \mathbb {Z}_q^{n\times n\lceil \log _bq\rceil }$$G′∈Zqn×n⌈logbq⌉ with enough large $$b=2^d$$b=2d to replace the matrix $$\mathbf {B} \in \mathbb {Z}_q^{n\times m}$$B∈Zqn×m in the HIBE scheme proposed by Agrawal et al. at Eurocrypt’10. In our HIBE scheme, not only the size of ciphertext at level $$\ell $$ℓ is $$O(\frac{d+\ell }{\lambda d})$$O(d+ℓλd) larger than the size in ABB10b and at least $$O(\ell )$$O(ℓ) smaller than the sizes in the previous HIBE schemes except ABB10b, but also the size of the master public key is at least O(d) times smaller than the previous schemes.

Side channel analysis attacks, especially horizontal DPA and DEMA attacks, are significant threats for cryptographic designs. In this paper we investigate to which extend different multiplication formulae and randomization of the field multiplier increase the resistance of an ECC design against horizontal attacks. We implemented a randomized sequence of the calculation of partial products for the field multiplication in order to increase the security features of the field multiplier. Additionally, we use the partial polynomial multiplier itself as a kind of countermeasure against DPA attacks. We demonstrate that the implemented classical multiplication formula can increase the inherent resistance of the whole ECC design. We also investigate the impact of the combination of these two approaches. For the evaluation we synthesized all these designs for a 250 nm gate library technologies, and analysed the simulated power traces. All investigated protection means help to decrease the success rate of attacks significantly: the correctness of the revealed key was decreased from 99% to 69%.

It is an interesting and challenging task to design an efficient certificateless encryption (CLE) scheme whose security can be proved without using random oracles. Although some CLE schemes claimed secure in the standard model have been available in the literature, we find most of the concrete constructions are in fact insecure. In this paper, we first demonstrate the insecurity of the CLE scheme introduced by Hwang and Liu in 2008. We show how a type II adversary breaks the indistinguishability of ciphertexts under chosen ciphertext attacks. We then propose a new concrete CLE scheme. Our new scheme can resist public key replacement attacks as well as malicious key generation center (KGC) attacks. We rigorously prove the security of our construction under the Decisional Bilinear Diffie-Hellman assumption in the standard model.

In 2011, Stehlé and Steinfeld modified the original NTRU to get a provably IND-CPA secure NTRU under the hardness assumption of standard worst-case problems over ideal lattices. In 2012, López-Alt et al. proposed the first multikey fully homomorphic encryption scheme based on the IND-CPA secure NTRU. Interestingly, this homomorphic NTRU and subsequent homomorphic variants of NTRU removed the condition ‘invertible public key’ of the underlying IND-CPA secure NTRU. In this paper, we investigate the security influence of using non-invertible public key in the homomorphic NTRU. As a result, we present how to mount a lattice attack to message recovery for the homomorphic NTRU when the public key is non-invertible. Our result suggests that using invertible public keys in the homomorphic NTRU is necessary for its security.

With a market cap of about 1.5 billion US dollar, Monero is one of the most popular crypto-currencies at present. Much of its growing popularity can be attributed to its unique privacy feature. Observing that no formal security analysis is presented, we initiate a formal study on Monero’s core protocol. In this study, we revisit the design rationale of an important component of Monero, namely, range proof. Our analysis shows that the range proof may not be a proof-of-knowledge even if the underlying building block, ring signature, is secure. Specifically, we show that if a certain secure ring signature scheme is used, it is impossible to construct a witness extractor unless the Computational Diffie-Hellman problem is equivalent to the Discrete Logarithm problem. This shows that the design rationale is to possibly flawed. Then, we present a new range proof protocol that enjoys a few advantages. Firstly, it is a zero-knowledge proof-of-knowledge protocol. Secondly, it is compatible with the Monero’s wallet and algebraic structure and thus does not require extensive modification in the codebase. Finally, the efficiency is comparable to Monero’s version which does not admit a formal security proof.

Key infection is a lightweight security protocol suitable for large-scale sensor networks. In this paper, we first derive a probabilistic model to analyze the security of key infection, then propose a group based key infection to improve its security performance.

There is a big security risk in traditional distributed localization without protecting the location and identity privacy of anchor nodes. Thus, based on software-defined networking (SDN), we propose a security localization mechanism for heterogeneous wireless sensor networks (WSN). After obtaining the state of sensor nodes in data plane, SDN controller runs the complementary range-based and range-free positional algorithms in a centralized way. At the same time, the difference of transmission power of heterogeneous sensor nodes is taken into account. The security analysis and experimental results show that the mechanism can reduce the positioning error while ensuring the privacy of anchor nodes.

PUF-based key generation provides an alternative to address key storage problems. However, PUFs seem helpless in preventing the generated key from being stolen by malicious code and PUF itself is under threat of probing by adversaries. In this paper, we propose a cost-effective key protection scheme which protects against software leakage of the generated key through all stages of chip’s development. In the proposed scheme, PUF primitives and device’s firmware are bound together to generate the private key, therefore, the successful recovery of the key proves not only the legality of the hardware device but also the integrity of the bound firmware, which secures the operating environment of the generated key. Besides, a hash module in our scheme controls the PUF’s input and output which restricts the access to PUF instance thereby further boosts the system’s security.

Distributed Ledger Technology (DLT) provides decentralized services by removing the need of trust among distributed nodes and the trust of central authority in the distributed system. Transactions across the whole network are visible to all participating nodes. However, some transactions may contain sensitive information such as business contracts and financial reports, or even personal health records. To protect user privacy, the architecture of distributed ledger with membership service as a critical component can be adopted. We make a step towards such vision by proposing a membership service architecture that combines two promising technologies, distributed ledger and Intel Software Guard Extensions (SGX). With SGX remote attestation and isolated execution features, each distributed node can be enrolled as a trusted entity. We propose security properties for membership service in distributed ledger and illustrate how SGX capabilities help to achieve these properties in each phase of membership service, including member registration, enrollment, transaction signing and verifying and transacting auditing. The SGX enabled membership service could enhance the support of privacy preservation, and defense capabilities against adversarial attacks, with scalability and cost effectiveness.

Virtualization-obfuscation replaces native code in a binary with semantically equivalent and self-defined bytecode, which, upon execution, is interpreted by a custom virtual machine. It makes the code very difficult to analyze and is thus widely used in malware. How to deobfuscate such virtualization obfuscated code has been an important and challenging problem. We approach the problem from an innovative perspective by transforming it into a compilation optimization problem, and propose a novel technique that combines trace analysis, symbolic execution and compilation optimization to defeat virtualization obfuscation. We implement a prototype system and evaluate it against popular virtualization obfuscators; the results demonstrate that our method is effective in deobfuscation of virtualization-obfuscated code.

Group communication in mobile Ad Hoc network (MANET), because of its special characteristics of large-scale mobile nodes, frequent change and update of group members relationship, open and unstable communication channel and high rate of packets loss, making secure group communication in MANET face many security threats, so how to realize secure communication between mobile nodes and how to establish secure session keys shared between mobile nodes has been the focus of MANET. Aimed at the problem mentioned above, a group key distribution scheme based on three hash chains is proposed for MANET. This scheme introduces a self-healing hash chain based on Dual Directional Hash Chain(DDHC), when a node is revoked, the corresponding self-healing hash value will be replaced by a new random value, so that revoked nodes can not realize collusion attack with the newly added node; This scheme also takes into account the high rate of packet loss in MANET, and realizes self-healing property. The security and performance analysis shows that the scheme can meet the security requirements of group communication for MANET, and it has the characteristics of dynamic revocation and resists collusion. The scheme also reduces the storage overhead and the communication load to a large extent, and can meet the performance requirements of group communication for MANET.

With the rapid development of Cyber-Physical Systems, there has been a growing trend among smart devices to connect networks via different wireless protocols. In particular, smart home devices are becoming more and more prevalent. However, security issues on how to control and prevent unauthorized access to smart devices connected to the cloud still need to be considered and solved. Hierarchical Identity-Based Encryption is a well-known access control model which enables parent nodes to decrypt the data from descendant nodes. In this paper, we present SecHome, a large-scale smart home system using hierarchical identity based encryption protocol. SecHome applies the protocol by using efficient pairing based cryptography to enforce an access control policy, so parent nodes at the top of the hierarchy can monitor their descendant nodes. In practice, we have implemented our SecHome system on both smart phone and smart device sides, and the final evaluations demonstrate that our system is proved to be of practicality and with high efficiency.

Counterfeiting products identification is the main application of RFID technology. Among all the RFID security problems, counterfeiting tag identification is an urgent issue with rapid growth of counterfeiters. In this paper, a multi-attribute counterfeiting tag identification protocol based on multi-dimension dynamic bloom filter in large-scale RFID system is proposed. Dynamic bloom filters for tag’s attributes: identity information ID and location information angle value, are first brought as criterion of counterfeiting tag identification. Different from previous probabilistic approaches, our protocol not only identifies unknown tags, but also first solves problem that counterfeiters hold the same ID with genuine ones. Furthermore, our protocol can detect and verify counterfeiting tags’ identity. Performance analysis shows that especially with huge amount of tags, our protocol can achieve higher identification efficiency with reasonable time cost.

Embedded devices start to get into the lives of ordinary people, such as SOHO routers and IP camera. However, studies have shown that the safety consideration of these devices is not enough, which has led to a growing number of security researchers focusing on the exploit of embedded devices. A majority of embedded devices run a web service to facilitate user management, which provides a potential attack interface. But what needs to be pointed out is that unfortunately most vulnerabilities of web service need attackers to provide login credentials to access and exploit, which makes attacking much less practical. This paper presents an automated vulnerability detecting and exploiting model DAEWC (Detect and Exploit without Credentials). Firstly, the DAEWC uses the symbol execution method to find URLs that are not protected by authentication mechanism. Secondly, DAEWC aims at these URLs using fuzzing method, combined with a lightweight dynamic data flow tracking technology to analyze the web server, which can quickly and accurately find easy-to-exploit vulnerabilities. Last but not least, DAEWC implements an automatic vulnerability exploit model, which generates executable custom shellcode, for example, executing system (“/bin/sh”) or read/write arbitrary memory. Using these vulnerabilities, we can attack embedded devices with web services even without the access to the web interface. For example, attackers can control a Wi-Fi router at the airport without login credentials by sending a specially constructed URL request. We applied the DAEWC to the firmware of two embedded device vendors, found 9 unreported 0-day vulnerabilities in four of them and generated highly usable exploit script.

Reinforcement Learning has been used on path planning for a long time, which is thought to be very effective, especially the Value Iteration Networks (VIN) with strong generalization ability. In this paper, we analyze the path planning of VIN and propose a method that can effectively find vulnerable points in VIN. We build a 2D navigation task to test our method. The experiment for interfering VIN is conducted for the first time. The experimental results show that our method has good performance on finding vulnerabilities and could automatically adding obstacles to obstruct VIN path planning.

With the increasing development and adoption of wearable devices, people care more about their health conditions than ever before. Both patients and doctors as well as insurance agencies benefit from this advanced technology. However, the emerging wearable devices creates a major concern over health data privacy as data collected from those devices can reflect patients’ heath conditions and habits, and could increase the data disclosure risks among the healthcare providers and application vendors. In this paper, we propose using the trusted execution platform enabled by Intel SGX to provide accountability for data access and propose a decentralized approach with blockchain technology to address the privacy concern. By developing a web application for personal health data management (PHDM) systems, the individuals are capable of synchronizing sensor data from wearable devices with online account and controlling data access from any third parties. The protected personal health data and data access records are hashed and anchored to a permanent but secure ledger with platform dependency, ensuring data integrity and accountability. Analysis shows that our approach provides user privacy and accountability with acceptable overhead.

With the development of wireless body sensor network and mobile cloud computing, cloud-based mobile healthcare, which extends the operation of healthcare provider into a pervasive environment for better health delivery and monitoring, has attracted considerable interest recently. However, how to keep data security and privacy in cloud-based mobile healthcare system is an important and challenging issue since personal health information is quite sensitive. In this paper, we introduce a new cryptographic primitive named privacy-preserving pseudonym and attribute-based signcryption (P3ASC) scheme, which can fulfill the functionality of pseudonym-based signature and key-policy attribute-based encryption in a logical step. We propose a provable secure P3ASC scheme from bilinear pairings and present a novel secure and efficient cloud-based mobile healthcare system by exploiting our proposed P3ASC scheme. The proposed system can ensure data confidentiality, integrity, source authentication and non-repudiation, but also can provide fine-grained access control and user anonymity.

Intensively happened cyber-attacks against industrial control system pose a serious threat to the critical national infrastructure. It is significant to capture the detection and the attacking data for industrial control system by means of honeypot technology, as it provides the ability of situation awareness to reveal potential attackers and their motivations before a fatal attack happens. We develop a high interactive honeypot for industrial control system-S7commTrace, based on Siemens’ S7 protocol. S7commTrace supports more function codes and sub-function codes in protocol simulation, and improves the depth of interaction with the attacker to induce more high-level attacks effectively. A series of comparative experiments is carried out between S7commTrace and Conpot, by deploying these two kinds of honeypots under the same circumstance in four countries. Data captured by these two kinds of honeypots is analyzed respectively in four dimensions, which are query results in Shodan, count of data and valid data, coverage of function code and diversity of source IP address. Experiment results show that S7commTrace has better performance over Conpot.

With the rapid development of “Internet +”, the express delivery industry has exposed more privacy leakage problems. One way is the circulation of the express orders, and the other way is the express data release. For the second problem, this paper proposes a clustering-differential privacy preserving method combining with the theory of anonymization. Firstly, we use DBSCAN density clustering algorithm to initialize the original data set to achieve the first clustering. Secondly, in order to reduce the data generalization we combine the micro-aggregation technology to achieve the second clustering of the data set. Finally, adding Laplace noise to the clustering data record and correct the data that does not satisfy the differential privacy model to ensure the data availability. Simulation experiments show that the clustering-differential privacy preserving method can apply on the express data release, and it can keep higher data availability relative to the traditional differential privacy preserving.

Frequent itemset mining is the basis of discovering transaction relationships and providing information services such as recommendation. However, when transaction databases contain individual sensitive information, direct release of frequent itemsets and their supports might bring privacy risks to users. Differential privacy provides strict protection for users, it can distort the sensitive data when attackers get the sensitive data from statistical information. The transaction length is related to sensitivity for counting occurrences (SCO) in a transaction database, larger SCO will reduce the availability of frequent itemsets under ε-differential privacy. So it is necessary to truncate some long transactions in transaction databases. We propose the algorithm FI-DPTT, a quality function is designed to calculate the optimal transaction length in exponential mechanism (EM), it aims to minimize noisy supports. Experimental results show that the proposed algorithm improves the availability and privacy efficiently.

To preserve confidential information for numeric and character data, there are corresponding to differential privacy mechanisms. However, current work without uniform evaluation criterion for these differential privacy mechanisms, because the data types are different. In this paper, we proposed privacy-preserving monotonicity principle as an evaluation criterion of differential privacy mechanisms. Firstly, this paper summarized three perturbation paradigms of existing work, including the linear perturbation, non-linear perturbation, and randomized perturbation. Secondly, for numeric and character data, we proposed privacy-preserving monotonicity principle of differential privacy based on computational indistinguishability, respectively. Finally, through analysis privacy-preserving monotonicity of existing perturbation methods for each perturbation paradigm, we presented constrained perturbation paradigms for numeric and character data that can achieve privacy-preserving monotonicity. Therefore, our privacy-preserving monotonicity principle shows the tradeoff between privacy and utility, and it can be regarded as an evaluation criterion of differential privacy mechanisms. Furthermore, we show that constrained perturbation paradigms of maintaining privacy-preserving monotonicity provide a useful guideline for differential privacy development.

Nowadays user mobility traces are more and more likely to de-anonymize users in addition to other types of data. Among them, model-based approaches usually provide more accurate de-anonymize than that of feature-locations-based approaches. More recently, Hidden Markov Model (HMM) based approaches are proposed to find out the mobility pattern of user mobility traces. However, in the key step of the hidden state definition, existing models rely on the fixed classification of time, space or number, which can hardly suit for all various users. In this paper, we propose a user de-anonymization method based on HMM. Different from current approaches, the method utilizes a novel density-based HMM, which uses the density-based clustering to obtain hidden states of HMM from three-dimensional (time, latitude and longitude) spatio-temporal data, and provide much better performance. Furthermore, we also propose a frequent spatio-temporal cube filter (FSTC-Filter) which significantly reduces the number of candidate models and thus improves the efficiency.

Decreasing costs in genome sequencing have been paving the way for personalised medicine. An increasing number of individuals choose to undergo disease risk tests provided by medical units. However, it poses serious privacy threats on both the individuals’ genomic data and the tests’ specifics. Several solutions have been proposed to address the privacy issues, but they all suffer from high storage or communication overhead. In this paper, we put forward a general framework based on bloom filters, reducing the storage cost by 100x. To reduce communication overhead, we create index for encrypted genomic data. We speed up the searching of genomic data by 60x with bloom filter tree, compared to B$$_+$$+ tree index. Finally, we implement our scheme using the genomic data of a real person. The experimental results show the practicality of our scheme.

Searchable symmetric encryption (SSE) provides private searching over an encrypted database against an untrusted server. Though various SSE schemes have been studied, recently, it is shown that most of existing schemes are vulnerable to file injection attacks. At ACM CCS 2016, Bost proposed a forward secure SSE scheme to resist such attacks, called $${\varSigma }{o}{\phi }{o}{\varsigma }$$Σoϕoς. Besides the basic scheme ($${\varSigma }{o}{\phi }{o}{\varsigma }$$Σoϕoς) secure against semi-honest servers, a verifiable scheme () secure against malicious servers is also introduced. In , each client keeps hash values of indexes of documents corresponding to each keyword. Thus, the client storage cost is higher than for $${\varSigma }{o}{\phi }{o}{\varsigma }$$Σoϕoς, and the hash table must be reconstructed when a new document is added. Also, since any security definition and proof of security against malicious servers are not provided, what guarantees against malicious server is unclear. In this paper, we propose a new verifiable and forward secure SSE scheme against malicious servers. An advantage of our scheme to is the client storage cost; that is, our scheme only needs the same storage cost as $${\varSigma }{o}{\phi }{o}{\varsigma }$$Σoϕoς. Our key idea is to bind each index and keyword with a tag generated by an algebraic pseudo-random function, and to store the tag to the server as well as the encrypted index on an update phase. The client can efficiently check validity of answers to search queries by verifying the combined tag thanks to closed form efficiency of the algebraic pseudo-random function; and thus, the client does not need to keep the hash table. Also, we formally prove security against malicious servers. Specifically, we show that our scheme satisfies the strong reliability definition.

The tool based on Mixed-integer Linear Programming (MILP) is simple and effective that frequently used in searching some different types of distinguishers recently. In this paper, we mainly focus on the automatic search method using MILP and the optimizer Gurobi for bit-oriented block ciphers.We introduce the OPB file format to construct MILP models for the bit-oriented block ciphers. Compared to the LP file format, it is more concise and suitable to deal with boolean variables. And we modify the high-level strategy to reduce the solution time by setting parameter MIPFocus provided by the optimizer Gurobi. Moreover, the new simple linear inequalities of differential pattern propagation of modular addition are given without considering the differential probability in the impossible differential search. As applications, we give the exact lower bounds of the number of differential active s-boxes for 5$$\sim $$∼12 rounds LBlock in the related-key model and all of impossible differentials limited the input and output differences to only 1 active bit for the full versions of SPECK.

In geometry, a hypercube is a regular polytype – a generalisation of a 3-dimensional cube to $$\lambda $$λ-dimensions, with mutually perpendicular sides of equal lengths. For $$\lambda = 0, 1, 2, 3, \text {and}\,4$$λ=0,1,2,3,and4, a hypercube is a point, a straight line segment, a square, a cube and a tesseract respectively. In this paper, we apply the concept of hypercubes in computationally private information retrieval (CPIR) based on additively homomorphic cryptosystems and optimise it further at the cost of a measurable privacy loss.

Dynamic Searchable Symmetric Encryption (DSSE) provides a simple and fast storage as well as retrieval method for encrypted profiles which stored in cloud. However, due to the nature of the symmetric encryption algorithm, it allows only one client to access the data. To make the scheme more practical, this paper propose a multi client dynamic symmetric searchable encryption scheme that could allow multi-client to search the privacy data with the delegation search token and dynamic delete expected files with delete token. Compared with similar works, our construction achieves a balance in network security and practical performance. We also demonstrate that the proposed scheme has same IND-CKA2 security property against adaptive adversary.

With more and more sensitive and private data transferred on the Internet, various security protocols have been developed to secure end-to-end communication. However, in practical situations, applying these protocols would decline the overall performance of the whole system, of which frequently-used symmetric cryptographic operations on the server side is the bottleneck. In this contribution, we present a high-performance symmetric cryptography server. Firstly, a symmetric algorithm SM4 is carefully scheduled in GPUs, including instruction-level implementation and variable location improvement. Secondly, optimization methods is provided to speed up the inefficient data transfer between CPU and GPU. Finally, the overall server architecture is adopted for mass data encryption, which can deliver 15.96 Gbps data encryption through network, 1.23 times of the existing fastest symmetric cryptographic server. Furthermore, the server can be boosted by 2.02 times with the high-speed pre-calculation technique for long-term-key applications such as IPSec VPN gateways.

The learning with errors (LWE) problem is considered as one of the most compelling candidates as the security base for the post-quantum cryptosystems. For the application of LWE based cryptographic schemes, the concrete parameters are necessary: the length n of secret vector, the moduli q and the deviation $$\sigma $$σ. In the middle of 2016, Germany TU Darmstadt group initiated the LWE Challenge in order to assess the hardness of LWE problems. There are several approaches to solve the LWE problem via reducing LWE to other lattice problems. Xu et al.’s group solved some LWE Challenge instances using Liu and Nguyen’s adapted enumeration technique (reducing LWE to BDD problem) [14] and they published this result at ACNS 2017 [23]. In this paper, we study Kannan’s embedding technique (reducing LWE to unique SVP problem) to solve the LWE problem in the aspect of practice. The lattice reduction algorithm we use is the progressive BKZ [2, 3]. At first, from our experimental results we can intuitively observe that the embedding technique is more efficient with the embedding factor M closer to 1. Then especially for the cases of $$\sigma /q = 0.005$$σ/q=0.005, we will give an preliminary analysis for the runtime and give an estimation for the proper size of parameters. Moreover, our experimental results show that for $$n\ge 55$$n≥55 and the fixed $$\sigma /q = 0.005$$σ/q=0.005, the embedding technique with progressive BKZ is more efficient than Xu et al.’s implementation of the enumeration algorithm in [21, 23]. Finally, by our parameter setting, we succeeded in solving the LWE Challenge over $$(n,\sigma /q)=(70,0.005)$$(n,σ/q)=(70,0.005) using $$2^{16.8}$$216.8 s (32.73 single core hours).

Virtual Trusted Platform Module is required in cloud due to the scalability and migration of virtual machine. Through allocating a vTPM (Virtual Trusted Platform Module) to a VM (Virtual Machine), users of VM can use the vTPM’s crypto and measurement function, like using the physical TPM. However, current vTPM still faces some key challenges, such as lacking runtime protection for the vTPM keys and code, lacking the mechanism of vTPM keys management, and lacking the support for the new TPM 2.0 specification. To address these limitations, we design vTPM 2.0 system and then propose a runtime protection approach for vTPM 2.0 based on SGX. Furthermore, we present vTPM key distribution and protection mechanism. We have implemented vTPM 2.0 system and the security-enhanced protection mechanism. As far as we know, the vTPM 2.0 system based on KVM and its security-enhanced mechanism are designed and implemented for the first time.

A cloud-based system usually runs in multiple geographically distributed datacenters, making the deployment of effective access control models extremely challenging. This paper presents a novel software-defined paradigm, called SDAC, to achieve scoped, flexible and dynamic access control. In particular, SDAC enables the tenant-specific generation of access control model and policy (SMPolicy in short), as well as their dynamic configuration by the cloud-hosting applications. To achieve that, SDAC uses an access control meta-model to initiate and customize different SMPolicies. Also, SDAC is decoupled into control plane and policy plane, allowing the global SMPolicy generated at the control plane to be efficiently propagated to the policy plane and enforced locally in different datacenters. As such, the local SMPolicy of a tenant can be synchronized with its global SMPolicy only when it’s necessary, e.g., a user or a role cannot be identified. To validate the feasibility and effectiveness of SDAC, we implement a prototype in a carrier grade datacenter. The experimental results demonstrate that SDAC can achieve the desirable properties, maintain the throughput at a reasonable level regardless of the varying number of tenants, users, and datacenters, highly preserving scalability and adaptability.

In recent years, astroturfing can generate abnormal, damaging even illegal behaviors in cyberspace which may mislead the public perception and bring a bad effect on both Internet users and society. This paper aims to design a algorithm to detect astroturfing in online shopping effectively and help users to identify potential online astroturfers quickly. The previous work used single method text-text or image-image to detect astroturfing, while in this paper we first propose a cross-modal canonical correlation analysis model (CCCA) which combines text and images. First, we identify several features of astroturfing and analysis these features. Then, we use feature extraction algorithm, image similarity algorithm and CCA algorithm, and propose a cross-modal method to detect astroturfing which release comments with pictures. We also conduct an experiment on a Taobao dataset to verify our method. The experimental results show that the supervised method proposed is effective.

To avoid multiple number of registrations using multiple passwords and smart-cards, many two-factor multi-server authentication protocols based on RSA have been proposed. However, most of the existing RSA-based multi-server authentication protocols are susceptible to various security attacks, and have high computation complexities. Recently, Amin et al. proposed a two-factor RSA-based robust authentication system for multi-server environments. However, we found that Amin et al.’s protocol cannot resist common modulus attack. To enhance the security, we propose a secure two-factor RSA-based authentication protocol for multi-server environments. The performance and security features of our scheme are also compared with that of the similar existing schemes. The performance and security analysis show that our protocol achieves more security features and has lower computation complexity in comparison with the latest related schemes.

Since the inception of pairing-based constructions in cryptography, the authentication in group key agreement (GKA) protocol has been usually achieved by pairings. But due to high computation cost of pairing such constructions are inefficient for practical implementation, specially for low power devices. Also, in almost all such constructions leakage of both the keys- the long-term secret key and the ephemeral key has not been considered for security guarantee. In this view, construction of an efficient and secure GKA protocol is desired. In this paper, we propose an authenticated GKA protocol without pairing. We have achieved security of the proposed scheme following the most standard and recent security notion namely the EGBG model. In particular, we have proved the authenticated key exchange (AKE) security and the mutual authentication (MA) security with full forward secrecy, considering leakage of both the keys long-term and ephemeral, adopting a comparatively efficient technique, the game hopping technique. Our proposed scheme is more efficient in the view of computation and operation time with compare to the existing similar schemes, hence it is more acceptable for the tiny processors. To the best of our knowledge ours is the first pairing free balanced AGKA protocol secure in the EGBG model.

As the network services are gradually complex and important, the security problems of their protocols become more and more serious. Vulnerabilities in network protocol implementations can expose sensitive user data to attackers or execute arbitrary malicious code deployed by attackers. Fuzzing is an effective way to find security vulnerabilities for network protocols. But it is difficult to fuzz network protocols if the specification and implementation code of the protocol are both unavailable. In this paper, we propose a method to automatically generate test cases for black-box fuzzing of proprietary network protocols. Our method uses neural-network-based machine learning techniques to learn a generative input model of proprietary network protocols by processing their traffic, and generating new messages using the learnt model. These new messages can be used as test cases to fuzz the implementations of corresponding protocols.

With regard to web compromise, malicious web traffic refers to requests from users visiting websites for malicious targets, such as web vulnerabilities, web shells and uploaded malicious advertising web pages. To directly and comprehensively understand malicious web visits is meaningful to prevent web compromise. However, it is challenging to identify different malicious web traffic with a generic model. In this paper, a novel semantic-aware approach is proposed to detect malicious web traffic by profiling web visits individually. And a semantic representation of malicious activities is introduced to make detection results more understandable. The evaluation shows that our algorithm is effective in detecting malice with an average precision and recall of 90.8% and 92.9% respectively. Furthermore, we employ our approach on more than 136 million web traffic logs collected from a web hosting service provider, where 3,995 unique malicious IPs are detected involving hundreds of websites. The derived results reveal that our method is conductive to figure out adversaries’ intentions.

Nowadays, machine learning has been widely used as a core component in botnet detection systems. However, the assumption of machine learning algorithm is that the underlying botnet data distribution is stable for training and testing, which is vulnerable to well-crafted concept drift attacks, such as mimicry attacks, gradient descent attacks, poisoning attacks and so on. In this paper we present an active and dynamic learning approach to mitigate botnet hidden concept drift attacks. Instead of passively waiting for false negative, this approach could actively find the trend of hidden concept drift attacks using statistical p-values before performance starts to degenerate. And besides periodically retraining, this approach could dynamically reweight predictive features to track the trend of underlying concept drift. We test this approach on the public CTU botnet captures provided by malware capture facility project. The experiment results show that this approach could actively get insights of botnet hidden concept drift, and dynamically evolve to avoid model aging.

Storm has been a popular distributed real-time computation system for stream data processing, which currently provides an acker mechanism to enable all topologies to be processed reliably. In this paper, via the source code analysis, we point out that the acker failure and message retransmission result in the consumption of network resources. Even worse, adversary conducts a malicious topology to consume over unconstrained network resources, which seriously affects the average processing time of topology for normal users. Aiming at defending the vulnerability, we design an offline static detection against acker failure in Storm, mainly including the code decompile, the function call relationship and the judgement rules in offline module. Meanwhile, we validate the protection scheme in Storm 0.10.0 cluster, and experimental results show that our mentioned judgement rules can achieve well precision.

Structured p2p overlay networks have emerged as a dominant means for sharing and exchange of information on the Internet. However, they suffer from severe security threats, known as pollution attacks, in which malicious peers insert decoys in data object. The existence of such polluters is considered as a major problem since these systems are based on trust between peers to ensure the sharing and access to available resources. Pollution attacks ravages network resources and annoys peers with contaminated objects. Although there have been numerous works on pollution attacks, there have been no studies on these attacks in structured p2p overlay networks and all of them are not qualified to ensure security. This paper investigates the different strategies of polluter nodes and their impact on the security of communication. We also detail a monitoring process to supervise, detect and attenuate these threats. Our experiments show that our strategy decreases enormously the pollution attacks with a slight number of monitor peers.