2005 | Book

Information Security Practice and Experience

First International Conference, ISPEC 2005, Singapore, April 11-14, 2005. Proceedings

Edited by: Robert H. Deng, Feng Bao, HweeHwa Pang, Jianying Zhou

Publisher: Springer Berlin Heidelberg

Book series: Lecture Notes in Computer Science

About this book

The inaugural Information Security Practice and Experience Conference (ISPEC) was held on April 11–14, 2005, in Singapore. As applications of information security technologies become pervasive, issues pertaining to their deployment and operation are becoming increasingly important. ISPEC is intended to be an annual conference that brings together researchers and practitioners to provide a confluence of new information security technologies, their applications and their integration with IT systems in various vertical sectors. The Program Committee consisted of leading experts in the areas of information security, information systems, and domain experts in applications of IT in vertical business segments.

The topics of the conference covered security applications and case studies, access control, network security, data security, secure architectures, and cryptographic techniques. Emphasis was placed on the application of security research to meet practical user requirements, both in the paper selection process and in the invited speeches. Acceptance into the conference proceedings was very competitive. The Call for Papers attracted more than 120 submissions, out of which the Program Committee selected only 35 papers for inclusion in the proceedings.

This conference was made possible only through the contributions from many individuals and organizations. We would like to thank all the authors who submitted papers. We also gratefully acknowledge the members of the Program Committee and the external reviewers, for the time and effort they put into reviewing the submissions. Special thanks are due to Ying Qiu for managing the website for paper submission, review and notification. Patricia Loh was kind enough to arrange for the conference venue, and took care of the administration in running the conference.

Table of Contents

Frontmatter

Network Security

Risk Assessment of Production Networks Using Honeynets – Some Practical Experience

Threats for today’s production networks range from fully automated worms and viruses to targeted, highly sophisticated multi-phase attacks carried out manually. In order to properly define and dimension appropriate security architectures and policies for a network, the possible threats have to be identified and assessed both in terms of their impact on the resources to be protected and with respect to the probability and frequency of related attacks. To support this assessment, honeynets, i.e. artificial networks set up specifically to monitor, log and evaluate attack activities, have been proposed. In this paper, experiences and results gained with setting up, deploying and operating such a honeynet are reported together with some comments on the effectiveness of this approach.

Stephan Riebach, Erwin P. Rathgeb, Birger Toedtmann
POSSET – Policy-Driven Secure Session Transfer

Ubiquitous networks and seamless terminals are potential enablers for session mobility and session transfer. In a business environment, session mobility is restricted by the security requirements set forth by corporate security policies to protect corporate assets. Session mobility can be supported to the extent that specified corporate assets are still protected even though a session is transferred to another mobile device. We describe a policy-driven approach for secure session transfers. Secure session transfer mechanisms validate whether or not a session transfer is allowed, establish secure interaction channels with target devices, perform security context negotiation and, if all previous steps are successful, facilitate transferring a session from a source to a target device. The protocol is supported by security policies and digitally signed assertion tokens. Policies define the constraints to be met before (i.e. the decision whether transfer is possible or not) and after session transfer (i.e. the respective security context), while tokens are utilized to identify suitable mobile devices that claim trustworthiness and may be the target of a session transfer.

Philip Robinson, Christian Schaefer, Thomas Walter
Modeling and Evaluation of Security Architecture for Wireless Local Area Networks by Indexing Method: A Novel Approach

In this paper, we investigated existing and proposed WLAN security technologies designed to improve the 802.11 standard. Security concerns over WLAN vulnerabilities are explored, and associated techniques are provided to mitigate these vulnerabilities. We also analyzed the existing architecture types of AAA-integrated network security solutions, 802.1X and VPNs. We have extensively analyzed the effect of crypto parameters over WLAN based on packet-level characteristics. We have also analyzed the effect of TCP and UDP traffic over our proposed WLAN testbed architecture. We found that TCP and UDP traffic behaves erratically when the security index changes, causing drastic degradation of system performance. In this paper, we present a detailed study of the performance overhead caused by the most widely used security protocols such as WEP, IPSEC VPN and 802.1X. Furthermore, we analyze the effectiveness of such solutions, based on measurement of a security indexing model implementation. Performance measurement indicates that the 802.1X and VPN methods can be used based on the service time in future wireless systems, while simultaneously providing both the necessary flexibility to network operators and a high level of confidence to end users.

General Terms:

Mobile security, wireless privacy, and port-based access point.

Debabrata Nayak, D. B. Phatak, V. P. Gulati
Robust Routing in Malicious Environment for Ad Hoc Networks

Secure routing in ad hoc networks has been extensively studied in recent years. The vast majority of this work, however, has only focused on providing authenticity of the route. Availability of the network in a malicious environment has largely been ignored.

In this paper, we divide the secure routing problem into two layers. The first layer provides authenticated routing and the second layer provides a route selection algorithm that selects a route with the highest probability of successful delivery rather than the shortest route. We provide a metric for evaluating this probability. We provide simulation results that demonstrate that our approach increases the throughput by at least ten percent in a network where fifty percent of the nodes are malicious when compared to an approach that selects the shortest route. Furthermore, our approach incurs only a small delay when compared to the delay along the shortest route.

Zhongchao Yu, Chuk-Yang Seng, Tao Jiang, Xue Wu, William A. Arbaugh

Cryptographic Techniques I

Short Linkable Ring Signatures for E-Voting, E-Cash and Attestation

A ring signature scheme can be viewed as a group signature scheme with no anonymity revocation and with simple group setup. A linkable ring signature (LRS) scheme additionally allows anyone to determine if two ring signatures have been signed by the same group member. Recently, Dodis et al. [18] gave a short (constant-sized) ring signature scheme. We extend it to the first short LRS scheme, and reduce its security to a new hardness assumption, the Link Decisional RSA (LD-RSA) Assumption. We also extend [18]’s other schemes to a generic LRS scheme and a generic linkable group signature scheme. We discuss three applications of our schemes. Kiayias and Yung [22] constructed the first e-voting scheme which simultaneously achieves efficient tallying, public verifiability, and write-in capability for a typical voter distribution under which only a small portion writes in. We construct an e-voting scheme based on our short LRS scheme which achieves the same even for all worst-case voter distributions. Direct Anonymous Attestation (DAA) [6] is essentially a ring signature scheme with certain linking properties that can be naturally implemented using LRS schemes. The construction of an offline anonymous e-cash scheme using LRS schemes is also discussed.

Patrick P. Tsang, Victor K. Wei
Tracing Traitors by Guessing Secrets. The q-Ary Case

In this paper we present, by solving a variant of the guessing secrets problem defined by Chung, Graham and Leighton [3], a sequential traitor tracing scheme equipped with an efficient identification algorithm. Sequential traitor tracing schemes are used to detect piracy in multimedia content broadcast systems, where the traitors illegally rebroadcast the content they receive to unauthorized users.

Marcel Fernandez, Miguel Soriano, Josep Cotrina
Probabilistic Analyses on Finding Optimal Combinations of Primality Tests in Real Applications

Generating a prime is an iterative application of generating a random number r and testing the primality of r until r is a prime. Among them, the primality test on r is much more time-consuming than the random number generation and thus it occupies most of the running time of the prime generation. To reduce the running time of the primality test, real applications combine several primality test methods. The most widely used combination is the combination of the trial division and the probabilistic primality test. Although this combination is widely used in practice, few analyses were given on finding the optimal combination, i.e., on finding the optimal number of small primes used in trial division that minimizes the expected running time of this combination.

In this paper, we present probabilistic analyses on finding the optimal combinations of the trial division and the probabilistic primality test. Using these analyses, we present three optimal combinations. One is for the primality test and the others are for the safe primality test. The optimal combinations are universal in that they are presented as functions of div and ppt, where div is the time required for dividing the random number r by a small prime and ppt is the time required for the probabilistic primality test of r. Thus, in any situation that div and ppt can be measured, the optimal combinations can be calculated from these functions. The experimental results show that our probabilistic analyses predict the optimal combinations well. The predicted optimal combinations can be used as useful guidelines in designing a primality or a safe primality test. The usefulness of the optimal combinations is more evident when the primality test is implemented on embedded systems or crypto-processors because finding optimal combinations using experiments is very time-consuming and inefficient.

Heejin Park, Sang Kil Park, Ki-Ryong Kwon, Dong Kyue Kim
Countermeasures for Preventing Comb Method Against SCA Attacks

Side Channel Attacks have become a serious threat for cryptographic applications on devices with small resources. Indeed, it turns out that the usual randomization techniques can not prevent the recent DPA attacks (RPA and ZPA). The implementation of elliptic curve cryptosystems (ECC) on such devices must combine an optimized use of space memory with a high level of security and efficiency. In this paper we present an efficient SCA-resistant algorithm based on the fixed-base comb method. We propose to modify the binary representation of the secret scalar in order to obtain a new sequence of non-zero bit-strings. This, combined with the use of Randomized Linearly-transformed coordinates (RLC), will prevent the SCA attacks on the comb method, including RPA and ZPA. Furthermore, our algorithm optimizes the size of the precomputed table; we only store 2^(w−1) points instead of 2^w − 1 for the fixed-base comb method, without affecting in any way the computation time. We also present another countermeasure using a Randomized Initial Point (RIP) to protect the fixed-base comb method against SCA attacks including RPA and ZPA, with an optimized amount of computing time. The cost of this countermeasure does not exceed 2% of the total cost of the fixed-base comb method.

Mustapha Hedabou, Pierre Pinel, Lucien Bénéteau

Secure Architecture I

An Email Worm Vaccine Architecture

We present an architecture for detecting “zero-day” worms and viruses in incoming email. Our main idea is to intercept every incoming message, pre-scan it for potentially dangerous attachments, and only deliver messages that are deemed safe. Unlike traditional scanning techniques that rely on some form of pattern matching (signatures), we use behavior-based anomaly detection. Under our approach, we “open” all suspicious attachments inside an instrumented virtual machine looking for dangerous actions, such as writing to the Windows registry, and flag suspicious messages. The attachment processing can be offloaded to a cluster of ancillary machines (as many as are needed to keep up with a site’s email load), thus not imposing any computational load on the mail server. Messages flagged are put in a “quarantine” area for further, more labor-intensive processing. Our implementation shows that we can use a large number of malware-checking VMs operating in parallel to cope with high loads. Finally, we show that we are able to detect the actions of all malicious software we tested, while keeping the false positive rate to under 5%.

Stelios Sidiroglou, John Ioannidis, Angelos D. Keromytis, Salvatore J. Stolfo
Enforcing the Principle of Least Privilege with a State-Based Privilege Control Model

In order to provide effective support to the principle of least privilege, considering the limitation of traditional privilege mechanisms, this paper proposes a new privilege control model called State-Based Privilege Control (SBPC) and presents the design and implementation of a prototype system for SBPC called Controlled Privilege Framework (CPF) on the Linux operating system platform. SBPC decomposes the time space of a process’ lifetime into a series of privilege states according to activities of the process and its need for special permissions. The privilege state is closely related to the application logic of a process. It is the privilege state transfer event that stimulates a process to transfer from one privilege state into another one. For a specified process, there is a specific set of privileges corresponding to every privilege state of the process. With the implementation of CPF, experiment results show that fine-grain and automatic privilege control can be exercised transparently to traditional applications, threats of intrusion to a system can be reduced greatly, and support to the principle of least privilege can therefore be achieved effectively.

Bin Liang, Heng Liu, Wenchang Shi, Yanjun Wu
Security On-demand Architecture with Multiple Modules Support

It is very important for a general-purpose operating system to have a security-tunable feature to meet different security requirements. This can be achieved by supporting diverse security modules and invoking them on demand. However, the security architectures of existing projects on Linux kernels either do not support this feature or have some drawbacks in their support for it. Thus we introduce a layered architecture which consists of an original kernel layer, a module coordination layer and a module decision layer. The architecture supports the registration of multiple modules, resolves policy conflicts between modules by changing their invocation order, and allows users to customize security by enabling or disabling modules at runtime. The detailed structure and implementation in a Linux-based system, SECIMOS, is described. The caching issue and performance are also discussed. Our practice showed that the architecture helps us achieve flexible adaptation in different environments.

Yanjun Wu, Wenchang Shi, Hongliang Liang, Qinghua Shang, Chunyang Yuan, Liang Bin
Measuring Resistance to Social Engineering

Social engineering (SE) is the name used for a bag of tricks used by adversaries to manipulate victims to make them say or do something they otherwise wouldn’t have. Typically this includes making the victims disclose passwords, or give the adversary illegitimate access to buildings or privileged information. The book Art of Deception: Controlling the Human Element of Security by Kevin Mitnick gives several examples of potential attacks. Clearly, countermeasures are needed. Countermeasures may include special hardware, software, improved user interfaces, routines, procedures and staff training. However, in order to assess the effectiveness of these countermeasures, we need a SE resistance metric. This paper defines such a metric. We have also implemented software to obtain metric test data. A real life SE experiment involving 120 participants has been completed. The experiment suggests that SE may indeed represent an Achilles heel.

Hågen Hasle, Yngve Kristiansen, Ketil Kintel, Einar Snekkenes

Access Control

Conformance Checking of RBAC Policy and its Implementation

The purpose of a security policy is to specify rules to govern access to system resources, preferably without considering implementation details. Both the policy and its implementation might be altered, and after introducing changes, it is not obvious that they are consistent. Therefore, we need to validate conformance between the policy and its implementation. In this paper we describe an approach based on finite-model checking to verify that an RBAC implementation conforms to a security policy. We make use of the model-checking system SPIN, and show how to express RBAC policy constraints by means of LTL and how to model an RBAC implementation in SPIN’s internal modeling language PROMELA.

Frode Hansen, Vladimir Oleshchuk
A Practical Aspect Framework for Enforcing Fine-Grained Access Control in Web Applications

Access control is a system-wide concern that has both a generic nature and an application-dependent characteristic. It is generic as many functions must be protected with restricted access, yet the rule to grant a request is highly dependent on the application state. Hence it is common to see the code for implementing access control scattered over the system and tangled with the functional code, making the system difficult to maintain. This paper addresses this issue for Web applications by presenting a practical access control framework based on aspect-oriented programming (AOP). Our approach accommodates a wide range of access control requirements of different granularity. AOP supports the modular implementation of access control while still enabling the code to get hold of the application state. Moreover, framework technology offers a balanced view between reuse and customization. As a result, our framework is able to enforce fine-grained access control for Web applications in a highly adaptable manner.

Kung Chen, Chih-Mao Huang
A Task-Oriented Access Control Model for WfMS

One of the shortcomings of the Role-Based Access Control model (RBAC), used in Workflow Management Systems (WfMS), is that it cannot grant permissions to users dynamically while business processes are being executed. We propose a Task-Oriented Access Control (TOAC) model based on RBAC to remedy this problem. In TOAC, permissions are associated with tasks as well as roles. Users can get permissions through tasks that they carry out in certain processes. And when they are outside of processes, permissions can be granted by the roles that they are associated with. Moreover, to facilitate delegation in WfMS, we present a task delegation model which is aimed at TOAC.

Xu Liao, Li Zhang, Stephen C. F. Chan

Intrusion Detection

A Brief Observation-Centric Analysis on Anomaly-Based Intrusion Detection

This paper is focused on the analysis of anomaly-based intrusion detectors’ operational capabilities and drawbacks, from the perspective of their operating environments, instead of the schemes per se. Based on the similarity with the induction problem, anomaly detection is cast in a statistical framework for describing its general anticipated behaviors. Several key problems and corresponding potential solutions about the normality characterization of the observable subjects from hosts and networks are addressed respectively, together with case studies of several representative detection models. The evaluation of anomaly detectors is also discussed briefly based on some existing achievements. Careful analysis shows that a fundamental understanding of the operating environments is the essential stage in the process of establishing an effective anomaly detection model, which is therefore worth insightful exploration, especially when we face the dilemma between detection performance and computational cost.

Zonghua Zhang, Hong Shen
Detection of Distributed Denial of Service Attacks Using Statistical Pre-processor and Unsupervised Neural Networks

Although the prevention of Distributed Denial of Service (DDoS) attacks is not possible, detection of such attacks plays the main role in preventing their progress. In flooding attacks, especially new sophisticated DDoS, the attacker floods the network traffic toward the target computer by sending pseudo-normal packets. Therefore, multi-purpose IDSs do not offer good performance (and accuracy) in detecting such kinds of attacks.

In this paper, a novel method for detection of DDoS attacks has been introduced based on a statistical pre-processor and an unsupervised artificial neural net. In addition, the SPUNNID system has been designed based on the proposed method. The statistical pre-processing has been used to extract some statistical features of the traffic, showing the behavior of DDoS attacks. The unsupervised neural net is used to analyze and classify them as either a DDoS attack or normal. Moreover, the method has been further investigated using attacked network traffic, which has been obtained from a real environment. The experimental results show that SPUNNID detects DDoS attacks accurately and efficiently.

Rasool Jalili, Fatemeh Imani-Mehr, Morteza Amini, Hamid Reza Shahriari
Visual Spoofing of SSL Protected Web Sites and Effective Countermeasures

Today the standard means for secure transactions in the World Wide Web (WWW) are the SSL/TLS protocols, which provide secure (i.e., private and authentic) channels between browsers and servers. As protocols SSL/TLS are considered secure. However, SSL/TLS’s protection ends at the “transport/session layer” and it is up to the application (here web browsers) to preserve the security offered by SSL/TLS.

In this paper we provide evidence that most web browsers have severe weaknesses in the browser-to-user communication (graphical user interface), which attackers can exploit to fool users about the presence of a secure SSL/TLS connection and make them disclose secrets to attackers. These attacks, known as “Visual Spoofing”, imitate certain parts of the browser’s user interface, pretending that users communicate securely with the desired service, while actually communicating with the attacker. Therefore, most SSL/TLS protected web applications can not be considered secure, due to deficiencies in browsers’ user interfaces.

Furthermore, we characterise Visual Spoofing attacks and discuss why they still affect today’s WWW browsers. Finally, we introduce practical remedies, which effectively prevent these attacks and which can easily be included in current browsers or (personal) firewalls to preserve SSL/TLS’s security in web applications.

Andre Adelsbach, Sebastian Gajek, Jörg Schwenk
Model Redundancy vs. Intrusion Detection

A major problem faced by intrusion detection is the intensive computation in the detection phase, and a possible solution is to reduce model redundancy, and thus economize the detection computation. However, the existing literature lacks any formal evaluation of the significance of model redundancy for intrusion detection. In this paper, we try to do such an evaluation. First, in a general intrusion detection methodology, the model redundancy in the behavior model can be reduced using feature ranking and the proposed concept of ‘variable-length signature’. Then, the detection performance of the behavior model before and after model redundancy reduction is compared. The preliminary experimental results show that the model redundancy in the behavior model is useful to detect novel intrusions, but the model redundancy due to the overlapping distinguishability among features is insignificant for intrusion detection.

Zhuowei Li, Amitabha Das, Sabu Emmanuel

Applications and Case Studies

An Open Approach for Designing Secure Electronic Immobilizers

The automotive industry has developed electronic immobilizers to reduce the number of car thefts since the mid nineties. However, there is not much information on the current solutions in the public domain, and the annual number of stolen cars still causes a significant loss. This generates other costs particularly regarding the increased insurance fees each individual has to pay.

In this paper we present a system model that captures a variety of security aspects concerning electronic immobilizers. We consider generic security and functional requirements for constructing secure electronic immobilizers. The main practical problems and limitations are addressed and we give some design guidance as well as possible solutions.

Kerstin Lemke, Ahmad-Reza Sadeghi, Christian Stüble
An Empirical Study on the Usability of Logout in a Single Sign-on System

Single sign-on (SSO) has been shown to be a successful paradigm in a network environment where a large number of passwords would otherwise be required. However, the SSO paradigm leaves the practices of logging out of services undetermined. In this study, the users’ subjective satisfaction with the current implementation of login and logout was examined with both quantitative and qualitative methods. The study was carried out in a university using SSO in its intranet. The main result of this study is that when a multiservice environment uses SSO for user authentication, a single logout should also be used instead of expecting users to separately log out from each service.

Mikael Linden, Inka Vilpola
Secure Software Delivery and Installation in Embedded Systems

Increasingly, software (SW) in embedded systems can be updated due to the rising share of flashable electronic control units (ECUs). However, current SW installation procedures are insecure: an adversary can install SW in a given ECU without any sender authentication or compatibility assessment. In addition, SW is installed on an all-or-nothing basis: with the installation, the user acquires full access rights to any functionality. Concepts for solving individual deficiencies of current procedures have been proposed, but no unified solution has been published so far.

In this paper we propose a method for secure SW delivery and installation in embedded systems. The automotive industry serves as a case example leading to complex trust relations and illustrates the typically involved parties and their demands. Our solution combines several cryptographic techniques. For example, public key broadcast encryption enables secure SW distribution from any provider to all relevant embedded systems. Trusted computing allows binding the distributed SW to a trustworthy configuration of the embedded system, which then fulfills a variety of security requirements. Finally, we outline the management of flexible access rights to individual functionalities of the installed SW, thus enabling new business models.

André Adelsbach, Ulrich Huber, Ahmad-Reza Sadeghi
A Restricted Multi-show Credential System and Its Application on E-Voting

A multi-show credential system allows a user to unlinkably and anonymously demonstrate the possession of a credential as many times as the user desires. In some applications, this could be too flexible to be useful. In this paper, we propose a restricted version of such a system. The restricted multi-show credential system only allows the user to demonstrate his possession of a credential once in a given period of time. This time period can also be quantified as a sequence of discrete events. That is, each credential can only be shown once in each event. However, the same credential can still be shown anonymously in another event without being linked. As an application, we propose a restricted multi-show credential based e-voting system. The e-voting system has the following desirable properties. (1) Simplicity: each user only registers once when he first joins the system and no additional registration/setup phase is needed for the user before casting a vote in each subsequent voting event. (2) Flexibility: the set of eligible voters can be different for different voting events with no additional overhead. (3) Unlinkability: the voters among different voting events cannot be linked. (4) Efficiency: the system maintains the same order of efficiency regardless of whether a voting event is of “yes/no” type, “1-out-of-n” type or even “t-out-of-n” type. Furthermore, we show how to extend the e-voting system into an electronic questionnaire system.

Joseph K. Liu, Duncan S. Wong

Secure Architecture II

Recard: Using Recommendation Cards Approach for Building Trust in Peer-to-Peer Networks

Peer-to-peer applications have recently seen enormous success and spread over the Internet community, which showed a dramatic change in the current client-server paradigm and caused the appearance of some new concepts and protocols. One of the main new concepts introduced is user anonymity. Despite being considered one of the main characteristics of the peer-to-peer paradigm, it has introduced a serious security flaw due to the missing trust between the participants in the system. This paper proposes an approach for peer-to-peer security, where the system participants can establish a trust relationship with each other based on their reputation gained by participation in the system. The proposed technique relies on the concept of recommendation cards. This paper discusses this technique and how to apply it to a peer-to-peer file sharing application.

Hany A. Samuel, Yasser H. Dakroury, Hussein I. Shahein
Using Trust for Restricted Delegation in Grid Environments

Delegation is an important tool for authorization in large distributed environments. However, current delegation mechanisms used in emerging Grids have difficulty allowing for flexible and secure delegation. This paper presents a framework to realize restricted delegation using a specific attribute certificate with a trust value in grid environments. The framework employs attribute certificates to convey rights separately from the identity certificates used for authentication, and enables chained delegations by using attribute certificate chains. In the framework the verifier can securely enforce authorization with delegation by checking the trust values of AC chains, and judge if a delegation is a trusted delegation by evaluating the reputation value of the delegation chain. The paper discusses the way of computing trust and reputation for delegation, and describes some details of delegation, including the creation of the delegation credential and the chained delegation protocol.

Wenbao Jiang, Chen Li, Shuang Hao, Yiqi Dai
Computer Vulnerability Evaluation Using Fault Tree Analysis

For analyzing computer system security, system visitors can be classified into five kinds by their privilege to access system resources, and a model based on privilege escalation is presented. An attacker can enhance his privilege by exploiting vulnerabilities; according to the distribution of vulnerabilities over the privilege sets, we can construct a fault tree that distinctly reflects potential attack paths, so this method can quantitatively express the security state under different security policies by analyzing the fault tree.

Tao Zhang, Mingzeng Hu, Xiaochun Yun, Yongzheng Zhang
An Identity-Based Grid Security Infrastructure Model

Grid security is a wide topic, touching many of the core issues in information security. It is an area that has been overlooked by the established grid community. In this paper, we explore some roles of identity-based cryptography (IBC) in grid environments, and propose a grid security infrastructure model based on identity cryptography. We mainly discuss the grid security authentication and authorization architecture, a public key infrastructure based on identity cryptography, and a secure group communication scheme using the Weil pairing. The security properties of our scheme are discussed. Finally, we compare our ID-based security infrastructure with the public key infrastructure in grid environments.

Xiaoqin Huang, Lin Chen, Linpeng Huang, Minglu Li

Data Security

Towards Multilateral-Secure DRM Platforms

Digital Rights Management (DRM) systems aim at providing the appropriate environment for trading digital content while protecting the rights of authors and copyright holders. Existing DRM systems still suffer from a variety of problems that hamper their deployment: they (i) cannot guarantee policy enforcement on open platforms such as today’s PCs, (ii) offer only unilateral security, i.e., focus mainly on the requirements of the content owners/providers and not on those of consumers, such as privacy, and (iii) restrict users regarding many legally authorized uses (fair use), e.g., disallow consumers from making backups.

In this paper we present a security architecture for computing platforms that, in the sense of multilateral security, is capable of enforcing policies defined by end-users and content providers. Our model provides practitioners with methods and principles to model and construct such systems based on a small set of assumptions. Further, we show how such a platform can be implemented based on a microkernel, existing operating system technology, and trusted computing hardware available today. Moreover, the platform’s functionality can be extended with a mechanism called property-based attestation to prevent discrimination against open-source software and to protect the consumers’ privacy.

Ahmad-Reza Sadeghi, Christian Stüble
Hiding Data in Binary Images

This paper presents a novel scheme for embedding secret data into a binary image. In Tseng et al.’s scheme, a random binary matrix and a weight matrix are used as the secret keys to protect the secret information. In our scheme, we use a serial number matrix instead of a random binary matrix to reduce computation cost and to provide higher security protection on the hidden secret data than Tseng et al. do. Given a cover image divided into blocks of m × n pixels each, our new scheme can hide $\lfloor \log_2(mn+1) \rfloor$ bits of hidden data with at most one modified bit in each block of the cover image. In addition, the hiding capacity our new scheme offers is as large as that of Tseng et al.’s scheme, but we support higher stego-image quality than Tseng et al.’s scheme does.

Chin-Chen Chang, Chun-Sen Tseng, Chia-Chen Lin
Performance Analysis of CDMA-Based Watermarking with Quantization Scheme

In most existing spread spectrum watermarking algorithms, the embedding parameters, such as the embedding strength and spreading code length, are frequently determined via experiments. In this paper, the theoretical formulas that associate the embedding strength with the user number, or with the spreading code length, are estimated and tested by analyzing the CDMA (Code Division Multiple Access) spreading strategies in a quantization-based data hiding scenario. Moreover, an analytical performance schema in terms of BER (bit error rate) and SNR (signal-to-noise ratio) is proposed and tested both theoretically and experimentally. The interesting conclusions show that the performance of CDMA-based data-hiding systems, focusing on the quantization scheme, is independent of the user number under the constraints of imperceptibility, and that an increase of the spreading code length will lead to a decrease of the robustness performance. Simulation results are presented to support the conclusions. Although the work presented in this paper focuses on image watermarking, it may be extended to audio/video watermarking.

Yanmei Fang, Limin Gu, Jiwu Huang
Protecting Mass Data Basing on Small Trusted Agent

Providing data confidentiality and integrity is essential to ensure secure or trusted computing. Designs for such purposes always face substantial difficulties, as providing solid security runs contrary to achieving satisfactory performance. Based on a less rigorous precondition that is tenable in many cases, such designs can be implemented with smaller effort. The core idea is to let a trusted agent trustworthily hold one unique timestamp for each untrusted data block, and to encrypt each block, as well as the related integrity code, through the corresponding timestamp. In this way, any malicious disclosure and tampering can be prevented. At the same time, each block can be directly verified by the associated timestamp without requiring additional data, which minimizes the cost of integrity checking, and the OTP encryption scheme can pre-compute the keystream to remove most encryption latencies.

Fangyong Hou, Zhiying Wang, Kui Dai, Yun Liu

Cryptographic Techniques II

On the Security of Some Nonrepudiable Threshold Proxy Signature Schemes

A $(t, n)$ threshold proxy signature scheme enables an original signer or a group of original signers to delegate the signature authority to a proxy group of $n$ members such that not less than $t$ proxy signers can cooperatively sign messages on behalf of the original signer or the original signer group. In the paper, we show that Sun’s and Yang et al.’s threshold proxy signature schemes are insecure against the original signer’s forgery, and that Tzeng et al.’s threshold multi-proxy multi-signature scheme is vulnerable to the actual original signer group’s forgery. We also show that Hsu et al.’s threshold proxy signature scheme suffers from the conspiracy of the original signer and the secret share dealer SA, and that Hwang et al.’s threshold proxy signature scheme is universally forgeable. In other words, none of the above-mentioned schemes holds unforgeability or provides non-repudiation.

Zuowen Tan, Zhuojun Liu, Mingsheng Wang
Token-Controlled Public Key Encryption

“Token-controlled public key encryption” is a public key encryption scheme where individual messages can be encrypted and sent to every receiver, but the receiver cannot decrypt the message until he/she is given an extra piece of information called a “token”. The token will not reveal any information about the messages that the sender originally sent, and the communication overhead for releasing the token is very small. Also, it is possible for a single token to control the decryption of a number of ciphertexts sent to multiple receivers. We formalize a security model for such a scheme and show efficient and provably secure constructions based on known computational assumptions in the random oracle model.

Joonsang Baek, Reihaneh Safavi-Naini, Willy Susilo
A New Class of Codes for Fingerprinting Schemes

In this paper we discuss the problem of collusion secure fingerprinting. In the first part of our contribution we prove the existence of equidistant codes that can be used as fingerprinting codes. Then we show that by giving algebraic structure to the equidistant code, the tracing process can be accomplished by passing a modified version of the Viterbi algorithm through the trellis representing the code.

Marcel Fernandez, Miguel Soriano, Josep Cotrina
t-Out-of-n String/Bit Oblivious Transfers Revisited

In this paper, we focus on lowering the complexity of $t$-out-of-$n$ string/bit OTs for large $t$. The notion of an oblivious public-key cryptosystem (OPKC) is introduced, in which Bob possesses $n$ public keys but only $t$ private keys, and no one knows which $t$ private keys Bob possesses. If the sender, say, Alice, encrypts each message using the $n$ oblivious public keys, respectively, the receiver, Bob, can obtain only $t$ messages by $t$ decryptions with his known $t$ private keys. This approach can be directly applied to $t$-out-of-$n$ bit OT. However, it is very inefficient due to heavy message expansion and many encryption/decryption operations. To construct $t$-out-of-$n$ bit OT, we introduce the bit oblivious public-key cryptosystem (BOPKC), which is a special public-key cryptosystem with a message space of $n$ bits, where the private key only enables its owner to decrypt $t$ bits of the $n$ secret bits. After an offline generation of such a BOPKC, it requires only one encryption, one decryption and one ciphertext. Finally, we show concrete implementations of OPKC/BOPKC based on the ElGamal/Paillier cryptosystems, and efficient $t$-out-of-$n$ string/bit OTs are achieved.

Qianhong Wu, Bo Qin, Changjie Wang, Xiaofeng Chen, Yumin Wang
Backmatter
Metadata
Title
Information Security Practice and Experience
Edited by
Robert H. Deng
Feng Bao
HweeHwa Pang
Jianying Zhou
Copyright year
2005
Publisher
Springer Berlin Heidelberg
Electronic ISBN
978-3-540-31979-5
Print ISBN
978-3-540-25584-0
DOI
https://doi.org/10.1007/b107167