Leakage-Abuse Attacks Against Forward and Backward Private Searchable Symmetric Encryption

Dynamic searchable symmetric encryption (DSSE) enables a server to efficiently search and update over encrypted files. To minimize the leakage during updates, a security notion named forward and backward privacy is expected for newly proposed DSSE schemes. Those schemes are generally constructed in a way to break the linkability across search and update queries to a given keyword. However, it remains underexplored whether forward and backward private DSSE is resilient against practical leakage-abuse attacks (LAAs), where an attacker attempts to recover query keywords from the leakage passively collected during queries. In this paper, we aim to be the first to answer this question firmly through two non-trivial efforts. First, we revisit the spectrum of forward and backward private DSSE schemes over the past few years, and unveil some inherent constructional limitations in most schemes. Those limitations allow attackers to exploit query equality and establish a guaranteed linkage among different (refreshed) query tokens surjective to a candidate keyword. Second, we refine volumetric leakage profiles of updates and queries by associating each with a specific operation. By further exploiting update volume and query response volume, we demonstrate that all forward and backward private DSSE schemes can leak the same volumetric information (e.g., insertion volume, deletion volume) as those without such security guarantees. To testify our findings, we realize two generic LAAs, i.e., frequency matching attack and volumetric inference attack, and we evaluate them over various experimental settings in the dynamic context. Finally, we call for new efficient schemes to protect query equality and volumetric information across search and update queries.Comment: A short version of this paper has been accepted to the 30th ACM Conference on Computer and Communications Security (CCS'23

BAMF-SLAM: Bundle Adjusted Multi-Fisheye Visual-Inertial SLAM Using Recurrent Field Transforms

In this paper, we present BAMF-SLAM, a novel multi-fisheye visual-inertial SLAM system that utilizes Bundle Adjustment (BA) and recurrent field transforms (RFT) to achieve accurate and robust state estimation in challenging scenarios. First, our system directly operates on raw fisheye images, enabling us to fully exploit the wide Field-of-View (FoV) of fisheye cameras. Second, to overcome the low-texture challenge, we explore the tightly-coupled integration of multi-camera inputs and complementary inertial measurements via a unified factor graph and jointly optimize the poses and dense depth maps. Third, for global consistency, the wide FoV of the fisheye camera allows the system to find more potential loop closures, and powered by the broad convergence basin of RFT, our system can perform very wide baseline loop closing with little overlap. Furthermore, we introduce a semi-pose-graph BA method to avoid the expensive full global BA. By combining relative pose factors with loop closure factors, the global states can be adjusted efficiently with modest memory footprint while maintaining high accuracy. Evaluations on TUM-VI, Hilti-Oxford and Newer College datasets show the superior performance of the proposed system over prior works. In the Hilti SLAM Challenge 2022, our VIO version achieves second place. In a subsequent submission, our complete system, including the global BA backend, outperforms the winning approach.Comment: Accepted to ICRA202

Dummy Molecularly Imprinted Polymers-Capped CdTe Quantum Dots for the Fluorescent Sensing of 2,4,6-Trinitrotoluene

Molecularly imprinted polymers (MIPs) with trinitrophenol (TNP) as a dummy template molecule capped with CdTe quantum dots (QDs) were prepared using 3-aminopropyltriethoxy silane (APTES) as the functional monomer and tetraethoxysilane (TEOS) as the cross linker through a seedgrowth method via a sol gel process (i.e., DMIP@QDs) for the sensing of 2,4,6-trinitrotoluene (TNT) on the basis of electron-transfer-induced fluorescence quenching. With the presence and increase of TNT in sample solutions, a Meisenheimer complex was formed between TNT and the primary amino groups on the surface of the QDs. The energy of the QDs was transferred to the complex, resulting in the quenching of the QDs and thus decreasing the fluorescence intensity, which allowed the TNT to be sensed optically. DMIP@QDs generated a significantly reduced fluorescent intensity within less than 10 min upon binding TNT. The fluorescence-quenching fractions of the sensor presented a satisfactory linearity with TNT concentrations in the range of 0.8-30 mu M, and its limit of detection could reach 0.28 mu M. The sensor exhibited distinguished selectivity and a high binding affinity to TNT over its possibly competing molecules of 2,4-dinitrophenol (DNP), 4-nitrophenol (4-NP), phenol, and dinitrotoluene (DNT) because there are more nitro groups in TNT and therefore a stronger electron-withdrawing ability and because it has a high similarity in shape and volume to TNP. The sensor was successfully applied to determine the amount of TNT in soil samples, and the average recoveries of TNT at three spiking levels ranged from 90.3 to 97.8% with relative standard deviations below 5.12%. The results provided an effective way to develop sensors for the rapid recognition and determination of hazardous materials from complex matrices.Molecularly imprinted polymers (MIPs) with trinitrophenol (TNP) as a dummy template molecule capped with CdTe quantum dots (QDs) were prepared using 3-aminopropyltriethoxy silane (APTES) as the functional monomer and tetraethoxysilane (TEOS) as the cross linker through a seedgrowth method via a sol gel process (i.e., DMIP@QDs) for the sensing of 2,4,6-trinitrotoluene (TNT) on the basis of electron-transfer-induced fluorescence quenching. With the presence and increase of TNT in sample solutions, a Meisenheimer complex was formed between TNT and the primary amino groups on the surface of the QDs. The energy of the QDs was transferred to the complex, resulting in the quenching of the QDs and thus decreasing the fluorescence intensity, which allowed the TNT to be sensed optically. DMIP@QDs generated a significantly reduced fluorescent intensity within less than 10 min upon binding TNT. The fluorescence-quenching fractions of the sensor presented a satisfactory linearity with TNT concentrations in the range of 0.8-30 mu M, and its limit of detection could reach 0.28 mu M. The sensor exhibited distinguished selectivity and a high binding affinity to TNT over its possibly competing molecules of 2,4-dinitrophenol (DNP), 4-nitrophenol (4-NP), phenol, and dinitrotoluene (DNT) because there are more nitro groups in TNT and therefore a stronger electron-withdrawing ability and because it has a high similarity in shape and volume to TNP. The sensor was successfully applied to determine the amount of TNT in soil samples, and the average recoveries of TNT at three spiking levels ranged from 90.3 to 97.8% with relative standard deviations below 5.12%. The results provided an effective way to develop sensors for the rapid recognition and determination of hazardous materials from complex matrices

Interpreting and Mitigating Leakage-abuse Attacks in Searchable Symmetric Encryption

Searchable symmetric encryption (SSE) enables users to make confidential queries over always encrypted data while confining information disclosure to pre-defined leakage profiles. Despite the well-understood performance and potentially broad applications of SSE, recent leakage-abuse attacks (LAAs) are questioning its real-world security implications. They show that a passive adversary with certain prior information of a database can recover queries by exploiting the legitimately admitted leakage. While several countermeasures have been proposed, they are insufficient for either security, i.e., handling only specific leakage like query volume, or efficiency, i.e., incurring large storage and bandwidth overhead. We aim to fill this gap by advancing the understanding of LAAs from a fundamental algebraic perspective. Our investigation starts by revealing that the index matrices of a plaintext database and its encrypted image can be linked by linear transformation. The invariant characteristics preserved under the transformation encompass and surpass the information exploited by previous LAAs. They allow one to unambiguously link encrypted queries with corresponding keywords, even with only partial knowledge of the database. Accordingly, we devise a new powerful attack and conduct a series of experiments to show its effectiveness. In response, we propose a new security notion to thwart LAAs in general, inspired by the principle of local differential privacy (LDP). Under the notion, we further develop a practical countermeasure with tunable privacy and efficiency guarantee. Experiment results on representative real-world datasets show that our countermeasure can reduce the query recovery rate of LAAs, including our own

Multiple facets of stream macroinvertebrate alpha diversity are driven by different ecological factors across an extensive altitudinal gradient

Environmental filtering and spatial structuring are important ecological processes for the generation and maintenance of biodiversity. However, the relative importance of these ecological drivers for multiple facets of diversity is still poorly understood in highland streams. Here, we examined the responses of three facets of stream macroinvertebrate alpha diversity to local environmental, landscape-climate and spatial factors in a near-pristine highland riverine ecosystem. Taxonomic (species richness, Shannon diversity, and evenness), functional (functional richness, evenness, divergence, and Rao's Quadratic entropy), and a proxy of phylogenetic alpha diversity (taxonomic distinctness and variation in taxonomic distinctness) were calculated for macroinvertebrate assemblages in 55 stream sites. Then Pearson correlation coefficient was used to explore congruence of indices within and across the three diversity facets. Finally, multiple linear regression models and variation partitioning were employed to identify the relative importance of different ecological drivers of biodiversity. We found most correlations between the diversity indices within the same facet, and between functional richness and species richness were relatively strong. The two phylogenetic diversity indices were quite independent from taxonomic diversity but correlated with functional diversity indices to some extent. Taxonomic and functional diversity were more strongly determined by environmental variables, while phylogenetic diversity was better explained by spatial factors. In terms of environmental variables, habitat-scale variables describing habitat complexity and water physical features played the primary role in determining the diversity patterns of all three facets, whereas landscape factors appeared less influential. Our findings indicated that both environmental and spatial factors are important ecological drivers for biodiversity patterns of macroinvertebrates in Tibetan streams, although their relative importance was contingent on different facets of diversity. Such findings verified the complementary roles of taxonomic, functional and phylogenetic diversity, and highlighted the importance of comprehensively considering multiple ecological drivers for different facets of diversity in biodiversity assessment

Searchable Encryption for Conjunctive Queries with Extended Forward and Backward Privacy

Recent developments in the field of Dynamic Searchable Symmetric Encryption (DSSE) with forward and backward privacy have attracted much attention from both research and industrial communities. However, most forward and backward private DSSE schemes support single keyword queries only, which impedes its prevalence in practice. Until recently, Patranabis et al. (NDSS 2021) introduced a forward and backward private DSSE for conjunctive queries (named ODXT) based on the Oblivious Cross-Tags (OXT) framework. Unfortunately, its security is not comprehensive for conjunctive queries, and it deploys “lazy deletion”, which incurs more communication cost. Besides, it cannot delete a file in certain circumstances. To address these problems, we introduce two forward and backward private DSSE schemes with conjunctive queries (named SDSSE-CQ and SDSSE-CQ-S). To analysis their security, we present two new levels of backward privacy (named Type-O and Type-O$^-$, where Type-O$^-$ is more secure than Type-O), which describe the leakages of conjunctive queries with OXT framework more accurately. Finally, the security and experimental evaluation demonstrate that our proposed schemes achieve better security with comparable computation and communication increase in comparison with ODXT

Disentangling the effects of dispersal mode on the assembly of macroinvertebrate assemblages in a heterogeneous highland region

Disentangling the effects of dispersal mode on the environmental and spatial processes structuring biological assemblages is essential to understanding the mechanisms of species coexistence and maintenance. Here, we use field investigations to link dispersal mode with environmental and spatial processes that control stream macroinvertebrate assemblage structure across the Yarlung Zangbo Grand Canyon of Tibet (Tibetan Plateau). We sampled macroinvertebrates in streams that occur in 4 distinct regions. Each of these regions has a steep elevational gradient but different altitude ranges, climate types, and water replenishment sources. We classified macroinvertebrate taxa into passive and active dispersal mode groups to test whether macroinvertebrates with different dispersal modes responded differently to environmental and spatial processes. Our results showed that the assemblage structure of active dispersal groups was more strongly determined by environmental variables (habitat filtering/species sorting) than spatial factors both within and across regions. In contrast, the structure of passive dispersers was more strongly associated with spatial factors than environmental filtering in the entire study area and within lower canyon regions. However, spatial effects were not important for either type of dispersal group in the upper canyon regions, especially in the region with glacier-fed streams, indicating the predominance of species sorting processes in these harsh environments. Furthermore, the spatial structuring of assemblages became stronger as habitat filtering declined, which indicates a reduction in species sorting processes in less harsh environments. Our findings demonstrate diverse responses of macroinvertebrate assemblages to environmental and spatial processes across this poorly-known highland river system, and imply that dispersal mode influences the underlying mechanisms of community variation