Publications

Yinghui Zhang, Yida Wang, Wei Liu, Gang Han, Jin Cao, Yangguang Tian (2026) Secure Aggregation with Verifiability and Robustness for Privacy-Preserving Federated Learning, In: Knowledge-Based Systems 336, 115310, Elsevier B.V.

• We introduce a secure aggregation scheme that processes each client's encrypted local model in parallel, safeguarding parameter privacy while tolerating dropouts.
• To prevent a malicious client from sending wrong secret shares, we adopt verifiable secret sharing (VSS) to validate every share and guarantee correct global aggregation.
• Vector homomorphic hashing (VHH) is further employed to stop intermediate entities from tampering with the server and to certify the integrity of the returned aggregate.
• Security analysis confirms resistance to all considered attacks, and experiments on MNIST and CIFAR-10 demonstrate competitive performance.

The existing secure aggregation schemes for federated learning (FL) have made some progress in protecting the privacy of client local model parameters and verifying the correctness of aggregation results. They usually use secret sharing (SS) technology to deal with dropout clients, but there are two limitations: first, the computational cost of handling the dropouts and verifying the aggregation results is large; second, they do not consider the problem of false shares, which affects the robustness of the global model. Therefore, this paper proposes a secure aggregation scheme with verifiability and robustness for privacy-preserving federated learning (PPFL) to solve the above problems. First, the local model parameters are encrypted by masking to ensure the confidentiality of the client's local model parameters. Second, by adopting Verifiable Secret Sharing (VSS), the scheme can not only efficiently handle dropout clients but also actively filter out forged shares submitted by malicious clients, thereby ensuring the robustness of the aggregation process. Finally, we introduce the Vector Homomorphic Hashing (VHH) mechanism to replace the original complex verification algorithm, thereby achieving accurate verification of the aggregation results in a lightweight manner.
Security analysis shows that the scheme can protect client privacy and training integrity. Experiments show that, compared with the existing scheme that does not consider false-share detection, the computational efficiency of the proposed scheme is improved by about 34%. At the same time, when 30% of the clients are malicious, the computational overhead remains stable, which makes the scheme more suitable for resource-constrained scenarios such as mobile devices and cross-organizational collaboration.

Yangguang Tian, Yingjiu Li, Robert H. Deng, Guomin Yang, Nan Li (2024) Policy-Based Remote User Authentication From Multi-Biometrics, In: Computer Journal 67(5), pp. 1814-1825, Oxford University Press

In this paper, we introduce the first generic framework of policy-based remote user authentication from multiple biometrics. The proposed framework allows an authorized user to remotely authenticate herself to an authentication server using her multiple biometrics, which enhances both the security and usability of user authentication. The authentication server approves a user's authentication request if and only if the user's multiple biometrics satisfy an authentication policy. In particular, the authentication policy can be dynamically updated to satisfy different security and usability requirements in practice. We implement an instantiation of the proposed framework and report its performance under various authentication policies.

Long Meng, Liqun Chen, Yangguang Tian, Mark Manulis (2024) FABESA: Fast (and Anonymous) Attribute-Based Encryption under Standard Assumptions, In: CCS '24: Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, pp. 4688-4702, Association for Computing Machinery (ACM)

Attribute-Based Encryption (ABE) provides fine-grained access control to encrypted data and finds applications in various domains. The practicality of ABE schemes hinges on the balance between security and efficiency. The state-of-the-art adaptively secure ABE scheme, proven adaptively secure under standard assumptions (FAME, CCS'17), is less efficient than the fastest one (FABEO, CCS'22), which is only proven secure under the Generic Group Model (GGM). These traditional ABE schemes focus solely on message privacy. To address scenarios where attribute value information is also sensitive, Anonymous ABE (A2BE) ensures the privacy of both the message and the attributes. However, most A2BE schemes suffer from intricate designs with low efficiency, and the security of the fastest key-policy A2BE (proposed in FEASE, USENIX'24) relies on the GGM. In this paper, we propose novel fast key-policy and ciphertext-policy ABE schemes that (1) support both AND and OR gates for access policies, (2) have no restriction on the size and type of policies or attributes, (3) achieve adaptive security under the standard DLIN assumption, and (4) only need 4 pairings for decryption. As our ABE constructions automatically provide ciphertext anonymity, we easily transform our ABE schemes to A2BE schemes while maintaining the same features and high-level efficiency. The implementation results show that all our schemes achieve the best efficiency compared to other schemes with adaptive security proven under standard assumptions. Specifically, our ABE schemes perform better than FAME and are close to FABEO. Our key-policy A2BE scheme performs close to the one in FEASE, and our ciphertext-policy A2BE outperforms the state-of-the-art (Cui et al., ProvSec'16).

Kwan Yin Chan, Liqun Chen, Yangguang Tian, Tsz Hon Yuen (2024) Reconstructing Chameleon Hash: Full Security and the Multi-Party Setting, In: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, pp. 1066-1081, Association for Computing Machinery (ACM)

A chameleon hash (CH) function differs from a classical hash function in that a collision can be found with knowledge of a trapdoor secret key. CH schemes have been used in various cryptographic applications such as sanitizable signatures and redactable blockchains. In this work, we reconstruct CH to ensure advanced security and usability. Our contributions are four-fold. First, we propose the first CH scheme that supports full security, meaning the inclusion of both full indistinguishability and full collision-resistance. These two properties are required in the strongest CH security model in the literature. We achieve this by our innovative design of removing the CH public key during the computation of the hash value. Second, we investigate the security of CH in the multi-party setting and introduce the new properties of claimability and deniability under this setting. Third, we present and implement two instantiations of our CH scheme: an ECC-based one and a post-quantum lattice-based one. Our implementation demonstrates their practicality. Finally, we discuss the possible use cases in the blockchain.

Pengxuan Wei, Koki Matsubara, Atsuko Miyaji, Yangguang Tian (2024) Generic Construction of Forward-Secure Chameleon Hash Function, In: Ilsun You, Michał Choraś, Seonghan Shin, Hwankuk Kim, Philip Virgil Astillo (eds.), Mobile Internet Security, pp. 136-151, Springer Nature Singapore

A Chameleon Hash Function (CH) is a hash function with a public and secret key pair. CH is collision-resistant for users without the secret key, while users with the secret key can find collisions in hash values. Chameleon hash has been used in various cryptographic schemes, including online/offline signatures by Shamir et al. and blockchain modification by Ateniese et al. However, once the secret key of a CH is exposed, its collision resistance is lost, and the security of all existing CH-based methods cannot be guaranteed. In this paper, we propose a generic Forward-Secure CH scheme, capable of converting any given CH into a Forward-Secure CH (FSCH) by applying forward-secure encryption techniques. The security of the proposed protocol is reduced to forward-secure collision resistance, meaning that even if the current secret key is compromised, collisions involving past hash values cannot be exploited or detected.

Weiwei Liu, Da-Zhi Sun, Yangguang Tian (2019) Efficient oblivious transfer with membership verification, In: International Journal of Distributed Sensor Networks 15(9), 1550147719875645, Sage

In this article, we introduce a new concept of oblivious transfer with membership verification that allows any legitimate group user to obtain services from a service provider in an oblivious manner. We present two oblivious transfer with membership verification schemes, differing in design. In the first scheme, a trusted group manager issues credentials for a pre-determined group of users so that users with a valid group credential can obtain services from the service provider, while the choices made by group users remain oblivious to the service provider. The second scheme avoids the trusted group manager and allows any user in the group to act as a group manager, which makes it more suitable for distributed systems. In particular, we prove that the two oblivious transfer with membership verification schemes achieve receiver's privacy and sender's privacy under a half-simulation model.

Nan Li, Yingjiu Li, Mark Manulis, Yangguang Tian, Guomin Yang (2024) Practical and secure policy-based chameleon hash for redactable blockchains, In: Computer Journal, Oxford University Press

Policy-based chameleon hash functions have been widely proposed for their use in blockchain rewriting systems. They allow anyone to create a mutable transaction associated with an access policy, while an authorized user who possesses sufficient rewriting privileges from a trusted authority satisfying the access policy can rewrite the mutable transaction. However, existing chameleon hash functions lack certain fundamental security guarantees, including forward security and backward security. In this paper, we introduce a new primitive called forward/backward-secure policy-based chameleon hash (FB-PCH for short). We present a practical instantiation. We prove that the proposed scheme achieves forward/backward-secure collision-resistance, and show its practicality through implementation and evaluation analysis.

Yalan Wang, Liqun Chen, Long Meng, Yangguang Tian (2023) BAHS: A Blockchain-Aided Hash-Based Signature Scheme, In: Information Security Practice and Experience, pp. 419-439, Springer Nature Singapore

Hash-based one-time signatures are becoming increasingly important as they are post-quantum safe and have been used in multicast communication and other applications. However, managing the state of such signatures can present a significant challenge, as signers are typically responsible for ensuring that the state cannot be reused. Recently, blockchain, as a public platform, has been used to design revocation management and status verification systems. While blockchain revocation is attractive, many well-known blockchains make use of ECDSA as their underlying signature scheme, and this is not post-quantum safe. Researchers have been working on replacing ECDSA with post-quantum signature schemes, but these are much more costly. In this paper, we introduce a new one-time signature scheme, called Blockchain-Aided Hash-based Signature (BAHS), in which a hash-based commitment scheme acts as the building block, and signers' commitments and opened commitments are publicly accessible via a distributed blockchain. A signature is formed from the commitment/opened commitment and the blockchain. Unlike existing blockchain systems, the commitment in BAHS is simpler than that in most existing hash-based one-time signature schemes or other post-quantum signature schemes. We provide a formal security model for the BAHS scheme and give the security proof. Finally, we have implemented our BAHS scheme and the result shows its practicality.

Yimin Wang, Yang Liu, Yangguang Tian (2022) ISC-CPPA: Improved-Security Certificateless Conditional Privacy-Preserving Authentication Scheme With Revocation, In: IEEE Transactions on Vehicular Technology 71(11), pp. 12304-12314

Mathieu de Goyon, Atsuko Miyaji, Yangguang Tian (2021) Efficient Multi-Party Contact Tracing, In: 2021 Ninth International Symposium on Computing and Networking (CANDAR), pp. 10-18, IEEE

Since the beginning of the Covid-19 pandemic, many countries have adopted contact tracing apps as an automatic way to trace whether someone has been in contact with a Covid-19 patient. However, most existing solutions consider two-party settings only. Since many people meet at the same time in real-life scenarios, current schemes cannot simply be extended to multi-party settings, because they will not scale well and will burden the device. In this paper, we propose a new contact tracing protocol that works in a multi-party setting. We evaluate our scheme to show its efficiency.

Mathieu de Goyon, Atsuko Miyaji, Yangguang Tian (2022) Efficient Multi-Party Contact Tracing, In: Journal of Information Processing 30, pp. 878-887, Information Processing Society of Japan

Since the beginning of the Covid-19 pandemic, contact tracing apps have been implemented in many countries as a way to detect whether someone has been in contact with a patient for at least a minimum amount of time. However, most existing solutions only consider users in pairs. Since many people meet at the same time in real-life scenarios, those applications are not able to accurately reflect the situation. Moreover, extending current schemes to a multi-party setting could cause scaling problems and place a heavier load on the device. In this paper, we propose a new contact tracing protocol that works in a multi-party setting. We evaluate our scheme to show its efficiency.

Da-Zhi Sun, Yi-Na Gao, Yangguang Tian (2023) On the Security of a PUF-Based Authentication and Key Exchange Protocol for IoT Devices, In: Sensors (Basel, Switzerland) 23(14), 6559

Recently, Roy et al. proposed a physically unclonable function (PUF)-based authentication and key exchange protocol for Internet of Things (IoT) devices. The PUF protocol is efficient because it integrates both Node-to-Node (N2N) authentication and Node-to-Server (N2S) authentication into a standalone protocol. In this paper, we therefore examine the security of the PUF protocol under the assumption of an insider attack. Our cryptanalysis findings are the following. (1) A legitimate but malicious IoT node can monitor the secure communication between the server and any other IoT nodes in both N2N authentication and N2S authentication. (2) A legitimate but malicious IoT node is able to impersonate a target IoT node to cheat the server and any other IoT nodes in N2N authentication, and the server in N2S authentication, respectively. (3) A legitimate but malicious IoT node can masquerade as the server to cheat any other target IoT nodes in both N2N authentication and N2S authentication. To the best of our knowledge, our work gives the first non-trivial concrete security analysis of the PUF protocol. In addition, we employ the automatic verification tool for security protocols Scyther to confirm the weaknesses found in the PUF protocol. We finally consider how to prevent these weaknesses in the PUF protocol.

Dazhi Sun, Yangguang Tian (2022) Address Privacy of Bluetooth Low Energy, In: Mathematics (Basel) 10(22), 4346, MDPI

Bluetooth Low Energy (LE) devices have been widely used in the Internet of Things (IoT) and wireless personal area networks (WPAN). However, attackers may compromise user privacy by tracking the addresses of an LE device. The resolvable private address (RPA) mechanism provides address privacy protection for the LE device. Similar to Zhang and Lin's work in CCS 2022, we investigate the privacy of the RPA mechanism in this paper. Our contributions are threefold. First, we discover that the RPA mechanism has a privacy weakness: an attacker who intercepts a targeted device's obsolete RPA value can track the device by exploiting subsequent runs of the RPA mechanism. Second, we propose an improved RPA mechanism to overcome this privacy weakness. The improved RPA mechanism introduces a small amount of extra overhead without requiring modification to the basic cryptographic tools used in the standard specification. Third, we formalize a privacy model to capture the address privacy of RPA mechanisms. Our improved RPA mechanism provides enhanced privacy guarantees to Bluetooth LE devices in wireless personal applications.

Yangguang Tian, Yingjiu Li, Yi Mu, Guomin Yang (2021) Unlinkable and Revocable Secret Handshake, In: Computer Journal 64(8), pp. 1303-1314, Oxford University Press

In this paper, we introduce a new construction for unlinkable secret handshake that allows a group of users to perform handshakes anonymously. We define formal security models for the proposed construction and prove that it achieves session key security, anonymity and affiliation hiding. In particular, the proposed construction ensures that (i) anonymity against protocol participants (including the group authority) is achieved, since a hierarchical identity-based signature is used in generating group users' pseudonym-credential pairs, and (ii) revocation is achieved using a secret sharing-based revocation mechanism.

Da-Zhi Sun, Yangguang Tian (2022) Security of a PUF Mutual Authentication and Session Key Establishment Protocol for IoT Devices, In: Mathematics (Basel) 10(22), 4310, MDPI

Recently, Zerrouki et al. proposed a Physically Unclonable Function (PUF) mutual authentication and session key establishment protocol for IoT (Internet of Things) devices. Zerrouki et al.'s PUF protocol is interesting because it does not require the storage of any sensitive information in the local memory of the IoT device, which avoids many potential attacks, especially side-channel attacks. Therefore, we carefully investigate the security of Zerrouki et al.'s PUF protocol under the assumption that a session key leaks. Our findings are as follows. First, Zerrouki et al.'s PUF protocol fails to provide known-key security: the adversary can impersonate not only the server to cheat the IoT device but also the IoT device to cheat the server once it has corrupted a session key between the server and the IoT device. Second, Zerrouki et al.'s PUF protocol suffers from the key-compromise impersonation attack: the adversary can impersonate the IoT device to cheat the server if it obtains the server's secret key. Third, Zerrouki et al.'s PUF protocol does not support backward secrecy for the session key: the adversary is always able to derive the session key from the previous session key. We also identify the root cause of these security flaws in Zerrouki et al.'s PUF protocol. As a case study, our cryptanalysis results should promote a security model for more robust and efficient PUF authentication and session key establishment protocols. Moreover, our idea of key compromise can be used to evaluate other novel PUF protocol designs.

Binanda Sengupta, Yingjiu Li, Yangguang Tian, Robert H. Deng (2020) Editing-Enabled Signatures: A New Tool for Editing Authenticated Data, In: IEEE Internet of Things Journal 7(6), 8988269, pp. 4997-5007, IEEE

Data authentication primarily serves as a tool to achieve data integrity and source authentication. However, traditional data authentication does not fit well where an intermediate entity (editor) is required to modify the authenticated data provided by the source/data owner before sending the data to other recipients. Asking the data owner to authenticate each modified version of the data can lead to higher communication overhead. In this article, we introduce the notion of editing-enabled signatures, where the data owner can choose any set of modification operations applicable to the data and still restrict any possibly untrusted editor to authenticating only data modified using an operation from this set. Moreover, the editor does not need to interact with the data owner in order to authenticate the data every time it is modified. We construct an editing-enabled signature (EES) scheme that derives its efficiency from mostly lightweight cryptographic primitives. We formalize the security model for editing-enabled signatures and analyze the security of our EES scheme. Editing-enabled signatures can find numerous applications that involve generic editing tasks and privacy-preserving operations. We demonstrate how our EES scheme can be applied in two privacy-preserving applications.

Da-Zhi Sun, Yangguang Tian (2022) Member Tampering Attack on Burmester-Desmedt Group Key Exchange Protocol and Its Countermeasure, In: Mathematics (Basel) 10(19), 3685, MDPI

With the rapid development of cloud computing and mobile networks, more and more application scenarios require a secret group key for secure communication. A Group Key Exchange (GKE) protocol provides a secret group key for three or more members. Burmester and Desmedt presented an influential GKE protocol, which has a broadcast version and a cyclic version. In this paper, we investigate the security weaknesses of the Burmester-Desmedt protocol. We report that both the broadcast version and the cyclic version of the Burmester-Desmedt protocol suffer from member tampering attacks if the two members that belong to both group A and group B are corrupted. That is, two corrupted members can add some unwitting members of group A to group B and trick the legitimate members of group B into believing that these unwitting members share the secret group key with them after a protocol run. Furthermore, to defeat the member tampering attack, we propose digital signature-based improvements to the broadcast version and the cyclic version of the Burmester-Desmedt protocol. We hope our research results will encourage the development of more robust and effective GKE protocols that withstand rigorous security analysis.

Yangguang Tian, Yingjiu Li, Robert H. Deng, Nan Li, Pengfei Wu, Anyi Liu (2020) A new framework for privacy-preserving biometric-based remote user authentication, In: Journal of Computer Security 28(4), pp. 469-498, IOS Press

In this paper, we introduce the first general framework for strongly privacy-preserving biometric-based remote user authentication based on an oblivious RAM (ORAM) protocol and computational fuzzy extractors. We define formal security models for the general framework, and we prove that it achieves user authenticity and strong privacy. In particular, the general framework ensures that: (1) strong privacy and log-linear time complexity are achieved by using a new tree-based ORAM protocol; (2) a constant bandwidth cost is achieved by exploiting computational fuzzy extractors in the challenge-response phase of remote user authentication.

Yangguang Tian, Yingjiu Li, Robert H. Deng, Nan Li, Guomin Yang, Zheng Yang (2020) A New Construction for Linkable Secret Handshake, In: Computer Journal 63(4), pp. 536-548, Oxford University Press

In this paper, we introduce a new construction for linkable secret handshake that allows authenticated users to perform handshakes anonymously within an allowed number of times. We define formal security models for the new construction, and prove that it achieves session key security, anonymity, untraceability and linkable affiliation-hiding. In particular, the proposed construction ensures that (i) anyone can trace the real identities of dishonest users who perform handshakes more than k times; and (ii) an optimal communication cost between authorized users is achieved by exploiting proofs of knowledge.

Weiwei Liu, Hua Guo, Yangguang Tian (2021) A Secure Distance-Bounding Protocol with Mutual Authentication, In: Security and Communication Networks 2021, 6644326, pp. 1-7, Wiley-Hindawi

A distance-bounding protocol is a useful primitive for resisting distance-based attacks. Currently, most existing distance-bounding protocols do not take the reuse of nonces into consideration in their design. However, several studies in the literature have shown that nonce repetition may lead to leakage of the shared key between protocol participants. Aikaterini et al. introduced a countermeasure that could serve as a supplement in most distance-bounding systems that allow nonce repetition. However, their proposal only holds against passive attackers. In this paper, we introduce an active attack model and show that their countermeasure is insecure under the proposed active attack model. We also find that all existing distance-bounding protocols with mutual authentication are vulnerable to distance-based attacks if a short nonce is used under the proposed active model. To address this security concern, we propose a new distance-bounding protocol with mutual authentication that prevents distance-based attacks under the active adversary model. A detailed security analysis is presented for the proposed distance-bounding protocol with mutual authentication.

Yangguang Tian, Bowen Liu, Yingjiu Li, Pawel Szalachowski, Jianying Zhou (2023) Accountable Fine-Grained Blockchain Rewriting in the Permissionless Setting, In: IEEE Transactions on Information Forensics and Security, pp. 1-1, IEEE

Blockchain rewriting with fine-grained access control allows a user to create a transaction associated with a set of attributes, while a modifier who possesses sufficient rewriting privileges from a trusted authority satisfying the attribute set can anonymously rewrite the transaction. However, it lacks accountability and is not designed for open blockchains that require no centralized trust authority. In this work, we introduce accountable fine-grained blockchain rewriting in a permissionless setting. The property of accountability allows the modifier's identity and their rewriting privileges to be held accountable for the modified transactions in case of malicious rewriting. Our contributions are three-fold. First, we present a generic framework for secure blockchain rewriting in the permissionless setting. Second, we present an instantiation of our framework and show its practicality through evaluation analysis. Last, we demonstrate that our proof-of-concept implementation can be effectively integrated into open blockchains.

Yangguang Tian, Nan Li, Yingjiu Li, Pawel Szalachowski, Jianying Zhou (2020) Policy-based Chameleon Hash for Blockchain Rewriting with Black-box Accountability, In: 36th Annual Computer Security Applications Conference (ACSAC 2020), 3427247, pp. 813-828, Association for Computing Machinery

Policy-based chameleon hash is a useful primitive for blockchain rewriting. It allows a party to create a transaction associated with an access policy, while another party who possesses enough rewriting privileges satisfying the access policy can rewrite the transaction. However, it lacks accountability: the chameleon trapdoor holder may abuse his/her rewriting privilege and maliciously rewrite the hashed object in the transaction without being identified. In this paper, we introduce policy-based chameleon hash with black-box accountability (PCHBA). Black-box accountability allows an attribute authority to link modified transactions to the responsible transaction modifiers in case of dispute, in which any public user identifies those transaction modifiers by interacting with an access device/black box. We first present a generic framework for PCHBA. Then, we present a practical instantiation, showing its practicality through implementation and evaluation analysis.

Zheng Yang, Chenglu Jin, Yangguang Tian, Junyu Lai, Jianying Zhou (2020) LiS: Lightweight Signature Schemes for Continuous Message Authentication in Cyber-Physical Systems, In: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020, pp. 719-731

Nan Li, Yingjiu Li, Atsuko Miyaji, Yangguang Tian, Tsz Hon Yuen (2023) A Practical Forward-Secure DualRing, In: Cryptology and Network Security, pp. 516-537, Springer Nature Singapore

A ring signature allows a signer to generate a signature on behalf of a set of public keys, while a verifier can verify the signature without identifying who the actual signer is. In Crypto 2021, Yuen et al. proposed a new type of ring signature scheme called DualRing. However, it lacks forward security: the security of DualRing cannot be guaranteed if the signer's secret key is compromised. To address this problem, we introduce forward-secure DualRing, in which a signer can periodically update their secret key using a "split-and-combine" method. A practical instantiation of our scheme enjoys logarithmic complexity in signature size and key size. Implementation and evaluation further validate the practicality of our proposed scheme.

Zheng Yang, Jun He, Yangguang Tian, Jianying Zhou (2020) Faster Authenticated Key Agreement With Perfect Forward Secrecy for Industrial Internet-of-Things, In: IEEE Transactions on Industrial Informatics 16(10), 8946538, pp. 6584-6596, IEEE

The Industrial Internet-of-Things (IIoT) is the basis of Industry 4.0, which extends Internet connectivity beyond traditional computing devices like computers and smartphones to the physical world, improving efficiency and accuracy while reducing production cost. However, IIoT faces tremendous security threats, such as IIoT device hijacking and data leaks. Therefore, a lightweight authenticated key agreement (AKA) protocol is commonly applied to establish a session key for securing the communication between IIoT devices. To protect previous session keys from being compromised, perfect forward secrecy (PFS) has become one of the most important security properties of AKA. In this article, we present an efficient PFS-enabled AKA protocol for IIoT systems, developed on the basis of a new dynamic authentication credential (DAC) framework, without using any public-key cryptographic primitives. It is worth noting that our protocol is also faster than the state-of-the-art DAC-based AKA protocols with PFS. Moreover, we give a formal security result for the proposed protocol in the random oracle model.

Yangguang Tian, Yingjiu Li, Binanda Sengupta, Nan Li, Chunhua Su (2020) Leakage-resilient biometric-based remote user authentication with fuzzy extractors, In: Theoretical Computer Science 814, pp. 223-233, Elsevier B.V.

Fuzzy extractors convert biometrics and other noisy data into a cryptographic key for security applications such as remote user authentication. Leakage attacks, such as side-channel attacks, have been extensively modelled and studied in the literature. However, to the best of our knowledge, leakage attacks on biometric-based remote user authentication with fuzzy extractors have never been studied rigorously. In this paper, we propose a generic framework for leakage-resilient and privacy-preserving biometric-based remote user authentication that allows an authorized user to securely authenticate herself to a remote authentication server using her biometrics. In particular, the authorized user relies only on her secret biometrics to perform a valid authentication, which makes the framework suitable for user authentication in a cross-platform setting.

Yangguang Tian, Yingjiu Li, Robert H. Deng, Binanda Sengupta, Guomin Yang (2021) Lattice-based remote user authentication from reusable fuzzy signature, In: Journal of Computer Security 29(3), pp. 273-298, IOS Press

In this paper, we introduce a new construction of reusable fuzzy signature-based remote user authentication that is secure against quantum computers. We investigate the reusability of fuzzy signatures, and we prove that the fuzzy signature schemes provide biometric reusability (i.e. reusable fuzzy signature). We define formal security models for the proposed construction, and we prove that it achieves user authenticity and user privacy. The proposed construction ensures that: 1) a user's biometrics can be securely reused in remote user authentication; 2) a third party with access to the communication channel between a user and the authentication server cannot identify the user.