Information Security and Privacy

Zero-correlation linear cryptanalysis is a new method based on the linear approximations with correlation zero. In this paper, we propose a new model of multidimensional zero-correlation linear cryptanalysis by taking the equivalent relations of round keys into consideration. The improved attack model first finds out all the longest multidimensional zero-correlation linear distinguishers, then regards the distinguishers with the least independent guessed keys as the optimal distinguishers and finally chooses one optimal distinguisher to recover the secret key of cipher by using the partial-compression technique. Based on the improved attack model, we extend the original 22-round zero-correlation linear attack on LBlock and first evaluate the security of TWINE against the zero-correlation linear cryptanalysis. There are at least 8×8 classes of multidimensional zero-correlation linear distinguishers for 14-round LBlock and TWINE. After determining the corresponding optimal distinguisher, we carefully choose the order of guessing keys and guess each subkey nibble one after another to achieve an attack on 23-round LBlock, an attack on 23-round TWINE-80 and another attack on 25-round TWINE-128. As far as we know, these results are the currently best results on LBlock and TWINE in the single key scenario except the optimized brute force attack.

Hierocrypt-L1 is one of the Japanese e-Government Recommended Ciphers listed by CRYPTREC in 2003, and its security was reconfirmed as secure by CRYPTREC in 2013. In this paper we first find differential characteristics with probability 1 in the key scheduling of Hierocrypt-L1. Then, using the above characteristics, we construct related-key differentials and related-key impossible differentials. The impossible differentials are in a new type of impossible differential characteristics in that the S-box impossible differentials are directly utilized. The above related-key differentials and impossible differentials are applied to key recovery attacks on 8

S

-function layers of Hierocrypt-L1, which are the best attacks on Hierocrypt-L1 in terms of the number of attackable

S

-function layers.

As far as the Differential Cryptanalysis of reduced round Grain v1 is concerned, the best results were those published by Knellwolf et al. in Asiacrypt 2011. In an extended version of the paper, it was shown that it was possible to retrieve

(i)

5 expressions in the Secret Key bits for a variant of Grain v1 that employs 97 rounds (in place of 160) in its Key Scheduling process using 2

27

chosen IVs and

(ii)

1 expression in Secret Key bits for a variant that employs 104 rounds in its Key Scheduling using 2

35

chosen IVs. The authors had arrived at the values of these Secret Key expressions by observing certain biases in the keystream bits generated by the chosen IVs. These biases were observed purely experimentally and no theoretical justification was provided for the same. In this paper, we will revisit Knellwolf’s attacks on Grain v1 and try to provide a theoretical framework that will serve to prove the correctness of these attacks. We will also look at open problems which may possibly pave way for further research on Differential Cryptanalysis of Grain v1.

The best way of selecting samples in algebraic attacks against block ciphers is not well explored and understood. We introduce a simple strategy for selecting the plaintexts and demonstrate its strength by breaking reduced-round

KATAN32

and

LBlock

. In both cases, we present a

practical

attack which outperforms previous attempts of algebraic cryptanalysis whose complexities were close to exhaustive search. The attack is based on the selection of samples using cube attack and

ElimLin

which was presented at FSE’12, and a new technique called

Universal Proning

. In the case of

LBlock

, we break 10 out of 32 rounds. In

KATAN32

, we break 78 out of 254 rounds. Unlike previous attempts which break smaller number of rounds, we do not guess any bit of the key and we only use structural properties of the cipher to be able to break a higher number of rounds with much lower complexity. We show that cube attacks owe their success to the same properties and therefore, can be used as a heuristic for selecting the samples in an algebraic attack. The performance of

ElimLin

is further enhanced by the new

Universal Proning

technique, which allows to discover linear equations that are not found by

ElimLin

.

This paper defines strongly simulation-extractable leakage-resiliency (sSE-LR), which is a new notion for NIZK proof system. Our definition extends the weaker notion called true simulation-extractable leakage-resiliency (tSE-LR) defined by Garg, Jain, and Sahai in CRYPTO 2011. Moreover, improving the construction of tSE-LR-NIZK proof system by Garg et al., we construct an NIZK scheme that satisfies sSE-LR. An sSE-LR-NIZK proof system is applicable to construct a fully leakage resilient signature scheme which is strongly existentially unforgeable. As far as we know, this is the first fully leakage resilient signature scheme that is strongly existentially unforgeable.

We address a concrete secure multi-party computational (MPC) problem related to a triangle, of which the coordinates of the three vertexes are confidentially kept by the three participants, respectively. The three parties wish to collaboratively compute the area of this triangle while preserving their own coordinate privacy. As one of the merits, our protocol employs weaker assumptions of the existence of pseudorandom generators. Especially, unlike massive secure MPC protocols that mainly rely on the primitive of oblivious transfer (OT), ours utilizes a new computing idea named round summation to avoid this burdensome obstacle. Finally, we provide a proof of the protocol by a series of security reductions of our newly-defined games, which seems somewhat stronger than the previous simulation-based proofs.

Membership encryption is a newly developed cryptographic primitive that combines membership proof and encryption into an unified setting. This paper presents a new flexible membership encryption scheme which is provably secure and significantly more efficient than the previous scheme. Further we apply our proposed membership encryption to construct a round optimal 1-out-of-

n

priced oblivious transfer (

POT

) protocol which, unlike the existing 1-out-of-

n

POT

schemes, is proven secure under the universally composable (UC) security model and thus preserves security when it is executed with multiple protocol instances that run concurrently in an adversarily controlled way. Moreover, using our membership encryption, the

POT

protocol exhibits constant communication complexity on the buyer’s side and

O

(

n

) communication cost on the vendor’s side, which is so far the best known in the literature.

Data sharing systems based on cloud storage have attracted much attention recently. In such systems, encryption techniques are usually utilized to protect the privacy of outsourced sensitive data. However, to support data sharing while keeping data confidentiality, encryption keys should be shared by authorized users. As a result, many keys have to be stored and shared by the users in the data sharing system, which would be a bottleneck for users. To tackle the challenges above, we propose a secure thin-model data sharing scheme supporting a keyword search scheme called

TMDS

, where only a user’s master key is utilized and the keys used for keyword search are not required to be stored at the user side. Furthermore, the cloud server is assumed to be an honest-but-curious entity in our construction. TMDS offers many attractive features as follows: 1) users are able to encrypt and share data without distributing shared encryption keys; 2) each user can flexibly retrieve and decrypt data from the cloud with only a master key; 3) secure data sharing and keyword search are both supported in a single system. Furthermore, we explain how to construct a data sharing system based on TMDS. Security analysis and performance evaluation show that our scheme is secure and practical.

This paper focuses on the analysis of LFSR-based stream ciphers with low data complexity. We introduce a novel parameter called the k-th truncated compressed preimage set (TCP set), and propose a low data complexity attack to recover the initial LFSR state via the TCP sets. Our method costs very few keystream bits and less time than the brute force under some condition. We apply our method to a 90-stage LFSR-based keystream generator with filter Boolean function which can resist the algebraic attack and inversion attack given by Goli

$\acute{c}$

to the greatest extent. It needs only 10-bit keystream to recover the 90-bit initial state, costing less time and data than the algebraic attack. The time complexity is also less than that of the inversion attack. Moreover, we recover the 128-bit initial state of the stream cipher LILI-128 with our method. The data cost is just 9 keystream bits along with a memory cost of

O

(2

8.5

), which is the minimum data cost to theoretically break LILI-128 so far as we know. The time complexity is

O

(2

122.4

), better than the brute force. We also define a new security parameter called

T

comp

and suggest a design criterion for the LFSR-based stream ciphers.

In ACISP 2012, Selvi, Vivek and Rangan claimed that they proposed the first fully deterministic identity based signature scheme, based on which they also proposed the first fully aggregate identity based signature scheme with no prior communication among different signers. Under the strong RSA assumption, they showed their schemes could resist the adaptive chosen message and adaptive chosen identity attack in the random oracle model. However, Nose gave a universal attack to recover the private key successfully recently. In this paper, we independently present a new universal attack to show there is an alternative way to forge a valid signature on any message instead of using the legal signing procedure with the original private key. The new attack appears more simple, and efficient both in theory and practice. What’s more, with our attack, the mistake in the original security proof can be easily pointed out. Such mistake should be avoided in other similar security proofs.

In 2005, Yen et al. firstly proposed the

N

 − 1 attack against cryptosystems implemented based on BRIP and square-multiply-always algorithms. This attack uses the input message

N

 − 1 to obtain relevant side-channel information from the attacked cryptosystem. In this paper we conduct an in-depth study on the

N

 − 1 attack and find that two more special values taken as the input message also can be exploited by an attacker. According to this, we present our chosen-message attack against Boscher’s right-to-left exponentiation algorithm which is a side-channel resistant exponentiation algorithm. Furthermore, immunity of the Montgomery Powering Ladder against the

N

 − 1 attack is investigated. The result is that the Montgomery Powering Ladder is subjected to the

N

 − 1 attack. But a different approach to retrieve the key is used which derives from the relative doubling attack. To validate our ideas, we implement the two algorithms in hardware and carry out the attacks on them. The experiment results show that our attacks are powerful attacks against these two algorithms and can be easily implemented with one power consumption curve.

In this paper, we study the security of RSA when there are multiple public/secret exponents (

e

1

,

d

1

), …, (

e

n

,

d

n

) with the same public modulus

N

. We assume that all secret exponents are smaller than

N

β

. When

n

 = 1, Boneh and Durfee proposed a polynomial time algorithm to factor the public modulus

N

. The algorithm works provided that

$ \beta<1-1/\sqrt{2}$

. So far, several generalizations of the attacks for arbitrary

n

have been proposed. However, these attacks do not achieve Boneh and Durfee’s bound for

n

 = 1. In this paper, we propose an algorithm which is the exact generalization of Boneh and Durfee’s algorithm. Our algorithm works when

$ \beta<1-\sqrt{2/(3n+1)}$

. Our bound is better than all previous results for all

n

 ≥ 2. We construct the lattices by collecting as many helpful polynomials as possible. The collections reduce the volume of the lattices and enable us to improve the bound.

Attribute-Based Encryption allows for implementing fine-grained decentralized access control based on properties or attributes a user has, which has drawn attention for realizing decentralized access control in large and dynamic networks such as Mesh network, Internet of Things and cloud computing. However, in open networks, the attacker can blow the concrete implementation of cryptosystems, and then gain the internal secret states such as pseudo-random number, internal result and secret key to break the system. In this work, we first model a fine-grained attribute revocable (ciphertext-policy) attribute-based encryption in the presence of key leakage, and then give a concrete construction with security and resilient-leakage performance analysis. Our scheme is the first designing enjoying at the same time the following properties: (

i

) Support

attribute direct revocation

that does not affect any other user’s secret key. (

ii

) Tolerate the key of matching the challenge ciphertext to be partially revealed. (

iii

) Provide a key update mechanism to support

continual leakage tolerance

.

This paper proposes an efficient key-policy attribute based signature (ABS) scheme with

constant-size

signature for expressive linear secret-sharing scheme (LSSS)-realizable monotone access structures with only 3 pairings for the verification algorithm, which is an affirmative answer for one of the open problems left in Pairing 2012 by Gagn

$\rm{\acute{e}}$

et al.

Our ABS provides signer privacy, and the existential unforgeability is achieved in selective security model. We also propose a new attribute based signcryption (ABSC) scheme for LSSS-realizable access structures utilizing only 6 pairings and making the ciphertext size

constant.

Our scheme is significantly more efficient than existing ABSC schemes. While the secret key size increases by a factor of number of attributes used in the system, the number of pairing evaluations is reduced to constant. Our protocol achieves (a)

ciphertext indistinguishability

under adaptive chosen ciphertext attacks assuming the hardness of decisional Bilinear Diffie-Hellman Exponent problem, (b)

existential unforgeability

under adaptive chosen message attack assuming the hardness of computational Diffie-Hellman Exponent problem and (c)

strong unforgeability

against insider adversary. The security proofs are in selective security model without using any random oracle. In addition, our ABSC achieves

public verifiability of the ciphertext,

enabling any party to verify the integrity and validity of the ciphertext.

We present the concept of incrementally executable signcryptions, which is a generalization of traditional on-line/off-line signcryption and facilitates optimizing the sender’s off-line computation. With an incrementally executable signcryption scheme, the sender can activate signcryption process

incrementally

by its given sequential input: the sender’s key pair, a recipient’s public key, and a plaintext message to be sent to the recipient. Furthermore, we present an efficient generic construction of incrementally executable signcryption scheme. In our construction, the signing process can be done

before

being given the recipient’s public key as well as the message to be sent. This feature enables us to accelerate the subsequent processes. Moreover, our construction achieves the strongest security notions without relying on random oracles. In addition, it requires a weak assumption for the underlying signature scheme, i.e., the underlying signature scheme is sufficient to be unforgeable under generic chosen message attack. Furthermore, it supports the

parallel un-signcryption

feature, which allows receivers to perform two potentially expensive computations, i.e., the verification of off-line signature and the key-decapsulation, in parallel.

We elaborate Hierarchical Identity-Based Encryption (HIBE) with a new primitive referred to as Hierarchical Identity-Based Broadcast Encryption (HIBBE). Similar to HIBE, HIBBE organizes users in a tree-like structure and users can delegate their decryption capability to their subordinates, which mirrors hierarchical social organizations in the real world. Unlike HIBE merely allowing a single decryption path, HIBBE enables encryption to any subset of the users and only the intended users (and their supervisors) can decrypt. We define ciphertext indistinguishability against adaptively chosen-identity-vector-set and chosen-ciphertext attack (IND-CIVS-CCA2) which captures the most powerful attacks on HIBBE in the real world. We construct an efficient HIBBE scheme against chosen-identity-vector-set and chosen-plaintext attack (IND-CIVS-CPA). The construction is built from composite order bilinear pairings and has constant size ciphertext. Analyses show that our HIBBE is efficient in terms of communication and computation that is suitable into practical usage.

Security models for two-party authenticated key exchange (AKE) protocols have developed over time to provide security even when the adversary learns certain secret keys. In this work, we advance the modelling of AKE protocols by considering more granular,

continuous leakage

of long-term secrets of protocol participants: the adversary can adaptively request arbitrary leakage of long-term secrets even after the test session is activated, with limits on the amount of leakage per query but no bounds on the total leakage. We present a security model supporting continuous leakage even when the adversary learns certain ephemeral secrets or session keys, and give a generic construction of a two-pass leakage-resilient key exchange protocol that is secure in the model; our protocol achieves continuous, after-the-fact leakage resilience with not much more cost than a previous protocol with only bounded, non-after-the-fact leakage.

Identity-based non-interactive key exchange (IB-NIKE) is a powerful but a bit overlooked primitive in identity-based cryptography. While identity-based encryption and signature have been extensively investigated over the past three decades, IB-NIKE has remained largely unstudied. Currently, there are only few IB-NIKE schemes in the literature. Among them, Sakai-Ohgishi-Kasahara (SOK) scheme is the first efficient and secure IB-NIKE scheme, which has great influence on follow-up works. However, the SOK scheme required its identity mapping function to be modeled as a random oracle to prove security. Moreover, the existing security proof heavily relies on the ability of programming the random oracle. It is unknown whether such reliance is inherent.

In this work, we intensively revisit the SOK IB-NIKE scheme, and present a series of possible and impossible results in the random oracle model and the standard model. In the random oracle model, we first improve previous security analysis for the SOK IB-NIKE scheme by giving a tighter reduction. We then use meta-reduction technique to show that the SOK scheme is unlikely proven to be secure based on the computational bilinear Diffie-Hellman (CBDH) assumption without programming the random oracle. In the standard model, we show how to instantiate the random oracle in the SOK scheme with a concrete hash function from admissible hash functions (AHFs) and indistinguishability obfuscation. The resulting scheme is fully adaptive-secure based on the decisional bilinear Diffie-Hellman inversion (DBDHI) assumption. To the best of our knowledge, this is first fully adaptive-secure IB-NIKE scheme in the standard model that does not explicitly require multilinear maps. Previous schemes in the standard model either have merely selective security or use multilinear maps as a key ingredient. Of particular interest, we generalize the definition of AHFs, and propose a generic construction which enables AHFs with previously unachieved parameters.

We pose a question whether or not the standard RSA assumption is sufficient to prove the security of the strong RSA-based (SRSA-based, for short) signatures. In this paper, we show a negative circumstantial evidence for the question. Namely, several SRSA-based signatures cannot be proven to be sEUF-CMA, or even EUF-KOA, under the RSA assumption as far as a modulus-preserving algebraic reduction is concerned. Our result is obtained as an important application of the adaptive pseudo-free group introduced by Catalano, Fiore and Warinschi that can be regarded as an abstract framework of signatures. We in fact show that the adaptive pseudo-freeness of the RSA group

$\mathbb{Z}_N^\times$

cannot be proven from the RSA assumption via such reductions.

The authenticated encryptions which resist misuse of initial value (or nonce) at some desired level of privacy are two-pass or Mac-then-Encrypt constructions (inherently inefficient but provide full privacy) and online constructions, e.g., McOE, sponge-type authenticated encryptions (such as duplex) and COPA. Only the last one is almost parallelizable with some bottleneck in processing associated data. In this paper,

we design a new online secure authenticated encryption, called

ELmE

or Encrypt-Linear mix-Encrypt, which is completely (two-stage)

parallel

(even in associated data) and

pipeline implementable

. It also provides full privacy when associated data (which includes initial value) is not repeated. The basic idea of our construction is based on

EME

, an Encrypt-Mix-Encrypt type SPRP constructions (secure against chosen plaintext and ciphertext). But unlike

EME

, we have used an online computable efficient

linear mixing

instead of a non-linear mixing. Our construction optionally supports

intermediate tags

which can be verified faster with less buffer size. Intermediate tag provides security against block-wise adversaries which is meaningful in low-end device implementation.

We consider the binary-LWE problem, which is the learning with errors problem when the entries of the secret vector are chosen from { 0, 1} or { − 1, 0, 1 }. Our main result is an improved lattice decoding algorithm for binary-LWE, by translating to the inhomogeneous short integer solution (ISIS) problem, and then re-scaling the lattice. We also discuss modulus switching as an approach to the problem. Our conclusion is that binary-LWE is easier than general LWE. We give experimental results, and theoretical estimates for parameters that achieve certain security levels.

The basic pattern matching problem is to find the locations where a pattern occurs in a text. We give several computations enabling a client to obtain matching results from a database so that the database can not learn any information about client’s queried pattern. For such computations, we apply the symmetric-key variant scheme of somewhat homomorphic encryption proposed by Brakerski and Vaikuntanathan (CRYPTO 2011), which can support a limited number of both polynomial additions and multiplications on encrypted data. We also utilize the packing method introduced by Yasuda et al. (CCSW 2013) for efficiency. While they deal with only basic problems for binary vectors, we address more complex problems such as the approximate and wildcards pattern matching for non-binary vectors. To demonstrate the efficiency of our method, we implemented the encryption scheme for secure wildcards pattern matching of DNA sequences. Our implementation shows that a client can privately search real-world genomes of length 16,500 in under one second on a general-purpose PC.

Android permission system enforces access control to those privacy-related resources in Android phones. Unfortunately, the permission system could be bypassed when the phone is rooted. On a rooted phone, processes can run with root privilege and can arbitrarily access any resources without permission. Many people are willing to root their Android phones to uninstall pre-installed applications, flash third party ROMs, backup their phones and so on. People use rootkit tools to root their phones. The mainstream rootkit tools in China are provided by some well-known security vendors. Besides root, these vendors also provide the

one-click-unroot

function to unroot a phone. The unroot process gives users a feeling that their phones will roll back to the original safe state. In this paper, we present the security threats analysis of permission system on phones rooted once and unrooted later. On these phones, two categories of attacks: tampering data files attack and tampering code files attack are carried out. Also, the attacks’ detection rate, damage degree, influence range, and survivability in the real word are analyzed. Analysis result shows even under Antivirus’ monitoring, these attacks towards permission system can still be carried out and survive after the phone is unrooted. Therefore, the permission system faces a long-term compromise. The potential defense solutions are also discussed.

In this paper, we propose a high-throughput encryption and decryption IP core based on ZUC, in order to satisfy the demand of confidentiality and data integrity in modern multi-gigabit communication system. Till now, a popular method for improvement of hardware implementation on ZUC is to apply pipeline technology to promote the design’s performance. At the same time, there is another method to take advantage of the unrolling technology into hardware implementation. However, we find that the existing unrolled architecture on ZUC cannot improve the performance efficiently, even may reduce the performance. In this paper, we present our novel optimization techniques: computation rescheduling and single-feedback initialization for improving throughput. Combining these techniques, we propose two unrolled architectures: x2-ZUC and x3-ZUC, both of which significantly improve the performance both on FPGA and ASIC. The performance of our new unrolled architecture on FPGA in Virtex-5 is at least 63.5% higher than the previous design. Meanwhile, on ASIC of 65 nm technology the best performance of our architecture is up to 100 Gbps, which achieves the highest throughput for the hardware implementation of ZUC. The evaluation result suggests that our novel unrolled architecture with the high throughput is suitable for the high-speed and high-throughput data transmissions at a bandwidth of 100 Gbps.

Arapinis et al. [1] have recently proposed modifications to the operation of 3G mobile phone security in order to address newly identified threats to user privacy. In this paper we critically examine these modifications. This analysis reveals that the proposed modifications are impractical in a variety of ways; not only are there security and implementation issues, but the necessary changes to the operation of the system are very significant and much greater than is envisaged. In fact, some of the privacy issues appear almost impossible to address without a complete redesign of the security system. The shortcomings of the proposed ‘fixes’ exist despite the fact that the modifications have been verified using a logic-based modeling tool, suggesting that such tools need to be used with great care.

Reputation-based anonymous blacklisting systems allow users to anonymously authenticate their identities with a service provider (SP) directly, while enabling the service provider to score users’ misbehaviour and deny access from users with insufficient reputation, without the assistance of a Trusted Third Party (TTP). Au, Kapadia and Susilo’s reputation-based anonymous blacklisting system BLACR is an elegant solution except for the linear computational overhead in the size of the reputation list. Therefore, they proposed a more practical strategy for BLACR that allows active users to authenticate in the express lane. However, the strategy disables BLACR’s ability to perform unblacklisting since removing entries from the blacklist invalidates the reputation proofs of express lane tokens. Another problem of BLACR is that the express lane tokens can be reused (replay attack). In this paper, we propose ExBLACR, which provides a solution to the above problems. Our construction directly builds from BLACR and we present an improvement of weighted-score adjusting protocol (

$\mathfrak{G}_{WS-Adj}$

) to support

unblacklisting

when BLACR employs the express lane authentication. We also make a minor change to the express lane tokens to resist replay attack.

Data leakage prevention (DLP) is an emerging subject in the field of information security. It deals with tools working under a central policy, which analyze networked environments to detect sensitive data, prevent unauthorized access to it and block channels associated with data leak. This requires special data classification capabilities to distinguish between sensitive and normal data. Not only this task needs prior knowledge of the sensitive data, but also requires knowledge of potentially evolved and unknown data. Most current DLPs use content-based analysis in order to detect sensitive data. This mainly involves the use of regular expressions and data fingerprinting. Although these content analysis techniques are robust in detecting known unmodified data, they usually become ineffective if the sensitive data is not known before or largely modified. In this paper we study the effectiveness of using N-gram based statistical analysis, fostered by the use of stem words, in classifying documents according to their topics. The results are promising with an overall classification accuracy of 92%. Also we discuss classification deterioration when the text is exposed to multiple spins that simulate data modification.

The A5/2 stream cipher used for encryption in the GSM mobile phone standard has previously been shown to have serious weaknesses. Due to a lack of key separation and flaws in the security protocols, these vulnerabilities can also compromise the stronger GSM ciphers A5/1 and A5/3. Despite GSM’s huge impact in the field, only a small selection of its channels have been analyzed. In this paper, we perform a complete practical-complexity, ciphertext-only cryptanalysis of all 66 encoded GSM channels. Moreover, we present a new passive attack which recovers the encryption key by exploiting the location updating procedure of the GSM protocol. This update is performed automatically even when the phone is not actively used. Interestingly, the attack potentially enables eavesdropping of future calls.

The use of tracking settings in smartphones facilitates the provision of tailored services to users by allowing service providers access to unique identifiers stored on the smartphones. In this paper, we investigate the ‘tracking off’ settings on the

Blackberry 10

and

Windows Phone 8

platforms. To determine if they work as claimed, we set up a test bed suitable for both operating systems to capture traffic between the smartphone and external servers. We dynamically execute a set of similar

Blackberry 10

and

Windows Phone 8

applications, downloaded from their respective official markets. Our results indicate that even if users turn off tracking settings in their smartphones, some applications leak unique identifiers without their knowledge.

Smartphones are widely used nowadays. Many users want to separate work and personal use of smartphones for security and privacy consideration, but it is very inconvenient to carry multiple smartphones. Multi-boot and virtualization are two existing techniques used to solve this problem. In this paper, we present a prototype on which multiple Android instances can time-share one ARM platform by using suspend and resume mechanism. We describe the design and implementation of our prototype and evaluate its performance. The performance result shows that our implementation imposes negligible time overhead, and the switching speed is much faster than the multi-boot approach. We also avoid a huge number of modified code lines, considerable memory occupation and significant performance penalty of the virtualization solution.

Studies show that malicious applications can obtain sensitive data from and perform protected operations in a mobile phone using an authorised yet vulnerable application as a deputy (referred to as privilege escalation attack). Thus it is desirable to have a checker that can help developers check whether their applications are vulnerable to these attacks. In this paper, we introduce our tool, CoChecker, to identify the leak paths (chains of components) that would lead to privilege escalation attacks using static taint analysis. We propose to build a call graph to model the execution of multiple entry points in a component and eliminate the false negatives due to the Android‘s event-driven programming paradigm. We further carry out inter-component communication through intent-tracing and formulate the call graph of the analyzed app. The evaluation of CoChecker on the state-of-the-art test suit DroidBench and randomly downloaded apps shows that it is both efficient and effective.

At ASIACRYPT’12, Bogdanov et al. revealed the identity of integral distinguishers and zero-correlation linear approximations where the mask consists of two parts: one part should take any non-zero value and the other part should be fixed to zero. For zero-correlation linear approximations of some ARX block ciphers, one bit of input mask usually is fixed to one, which do not conform to zero-correlation linear approximations considered by Bogdanov et al.. Can they also be converted to an integral distinguisher? In this paper, we show that such zero-correlation linear approximations can be transformed to an integral distinguisher too. As an application, we give the attack on SHACAL-2 which is one of the four selected block ciphers by NESSIE. Namely, a attack on 32-round SHACAL-2 is reported. As an integral attack, our attack is much better than the previous integral attack on 28-round SHACAL-2 in terms of the number of rounds. In the classical single-key setting, our attack could break as many rounds as the previous best attack, but with significant improvements in data complexity and memory complexity.