CCA Secure encryption supporting authorized equality test on ciphertexts in standard model and its applications

Singapore National Research Foundatio

Evaluation Methods for Chebyshev Polynomials

The security of cryptosystems based on Chebyshev recursive relation, T_n(x)=2xT_{n-1}(x)-T_{n-2}(x), relies on the difficulty of finding the large degree of Chebyshev polynomials from given parameters. The relation cannot be used to evaluate T_n(x) if n is very large. We will investigate other three methods: matrix-multiplication-based evaluation, halve-and-square evaluation, and root-extraction-based evaluation. Though they have the same theoretical complexity O(\log n\log^2p), we find in some cases the root-extraction-based method is more efficient than the others, which is as fast as the general modular exponentiation. The result indicates that the hardness of some cryptosystems based on modular Chebyshev polynomials is almost equivalent to that of solving general discrete logarithm

A Memory Usage Comparison Between Jitana and Soot

There are several factors that make analyzing Android apps to address dependability and security concerns challenging. These factors include (i) resource efficiency as analysts need to be able to analyze large code-bases to look for issues that can exist in the application code and underlying platform code; (ii) scalability as today’s cybercriminals deploy attacks that may involve many participating apps; and (iii) in many cases, security analysts often rely on dynamic or hybrid analysis techniques to detect and identify the sources of issues. The underlying principle governing the design of existing program analysis engines is the main cause that prevents them from satisfying these factors. Existing designs operate like compilers, so they only analyze one app at a time using a close-world process that leads to poor efficiency and scalability. Recently, Tsutana et al. introduced Jitana, a Virtual Class-Loader (VCL) based approach to construct program analyses based on the open-world concept. This approach is able to continuously load and analyze code. As such, this approach establishes a new way to make analysis efforts proportional to the code size and provides an infrastructure to construct complex, efficient, and scalable static, dynamic, and hybrid analysis procedures to address emerging dependability and security needs. In this thesis, we attempt to quantify the performance benefit of Jitana through the lens of memory usage. Memory is a very important system-level resource that if not expended efficiently, can result in long execution time and premature termination of a program. Existing program analysis frameworks are notorious for consuming a large amount of memory during an attempt to analyze a large software project. As such, we design an experiment to compare the memory usage between Jitana and Soot, a widely used program analysis and optimization framework for Java. Our evaluation consists of using 18 Android apps, with sizes ranging from 0.02 MB to 80.4 MB. Our empirical evaluations reveal that Jitana requires up to 81% less memory than Soot to analyze an app. At the same time, it can also analyze more components including those belonging to the application and those belonging to the Android framework. Adviser: Witawas Srisa-a

Cross-Inlining Binary Function Similarity Detection

Binary function similarity detection plays an important role in a wide range of security applications. Existing works usually assume that the query function and target function share equal semantics and compare their full semantics to obtain the similarity. However, we find that the function mapping is more complex, especially when function inlining happens. In this paper, we will systematically investigate cross-inlining binary function similarity detection. We first construct a cross-inlining dataset by compiling 51 projects using 9 compilers, with 4 optimizations, to 6 architectures, with 2 inlining flags, which results in two datasets both with 216 combinations. Then we construct the cross-inlining function mappings by linking the common source functions in these two datasets. Through analysis of this dataset, we find that three cross-inlining patterns widely exist while existing work suffers when detecting cross-inlining binary function similarity. Next, we propose a pattern-based model named CI-Detector for cross-inlining matching. CI-Detector uses the attributed CFG to represent the semantics of binary functions and GNN to embed binary functions into vectors. CI-Detector respectively trains a model for these three cross-inlining patterns. Finally, the testing pairs are input to these three models and all the produced similarities are aggregated to produce the final similarity. We conduct several experiments to evaluate CI-Detector. Results show that CI-Detector can detect cross-inlining pairs with a precision of 81% and a recall of 97%, which exceeds all state-of-the-art works.Comment: Accepted at ICSE 2024 (Second Cycle). Camera-ready versio

ICT Systems Security and Privacy Protection: 30th IFIP TC 11 International Conference, SEC 2015, Hamburg, Germany, May 26–28, 2015, Proceedings

International audienceBook Front Matter of AICT 45

Quantitative Verification and Synthesis of Attack-Defence Scenarios

Attack-defence trees are a powerful technique for formally evaluating attack-defence scenarios. They represent in an intuitive, graphical way the interaction between an attacker and a defender who compete in order to achieve conflicting objectives. We propose a novel framework for the formal analysis of quantitative properties of complex attack-defence scenarios, using an extension of attack-defence trees which models temporal ordering of actions and allows explicit dependencies in the strategies adopted by attackers and defenders. We adopt a game-theoretic approach, translating attack-defence trees to two-player stochastic games, and then employ probabilistic model checking techniques to formally analyse these models. This provides a means to both verify formally specified security properties of the attack-defence scenarios and, dually, to synthesise strategies for attackers or defenders which guarantee or optimise some quantitative property, such as the probability of a successful attack, the expected cost incurred, or some multi-objective trade-off between the two. We implement our approach, building upon the PRISM-games model checker, and apply it to a case study of an RFID goods management system

Are you The One to Share? Secret Transfer with Access Structure

Sharing information to others is common nowadays, but the question is with whom to share. To address this problem, we propose the notion of secret transfer with access structure (STAS). STAS is a two-party computation protocol that enables the server to transfer a secret to a client who satisfies the prescribed access structure. In this paper, we focus on the case of STAS for threshold access structure, i.e. threshold secret transfer (TST). We also discuss how to replace it with linear secret sharing to make the access structure more expressive. Our proposed TST scheme enables a number of applications including a simple construction of oblivious transfer with threshold access control, and (a variant of) threshold private set intersection (t-PSI), which are the first of their kinds in the literature to the best of our knowledge. Moreover, we show that TST is useful a number of applications such as privacy-preserving matchmaking with interesting features. The underlying primitive of STAS is a variant of oblivious transfer (OT) which we call OT for sparse array. We provide two constructions which are inspired from state-of-the-art PSI techniques including oblivious polynomial evaluation and garbled Bloom filter (GBF). We implemented the more efficient construction and provide its performance evaluation