Computer Security – ESORICS 2022: 27th European Symposium on Research in Computer Security, Copenhagen, Denmark, September 26–30, 2022, Proceedings, Part I (Lecture Notes in Computer Science, 13554) 303117139X, 9783031171390

Citation preview

LNCS 13554

Vijayalakshmi Atluri Roberto Di Pietro Christian D. Jensen Weizhi Meng (Eds.)

Computer Security – ESORICS 2022 27th European Symposium on Research in Computer Security Copenhagen, Denmark, September 26–30, 2022 Proceedings, Part I

Lecture Notes in Computer Science Founding Editors Gerhard Goos Karlsruhe Institute of Technology, Karlsruhe, Germany Juris Hartmanis Cornell University, Ithaca, NY, USA

Editorial Board Members Elisa Bertino Purdue University, West Lafayette, IN, USA Wen Gao Peking University, Beijing, China Bernhard Steffen TU Dortmund University, Dortmund, Germany Moti Yung Columbia University, New York, NY, USA

13554

More information about this series at https://link.springer.com/bookseries/558

Vijayalakshmi Atluri · Roberto Di Pietro · Christian D. Jensen · Weizhi Meng (Eds.)

Computer Security – ESORICS 2022 27th European Symposium on Research in Computer Security Copenhagen, Denmark, September 26–30, 2022 Proceedings, Part I

Editors Vijayalakshmi Atluri Rutgers University Newark, NJ, USA

Roberto Di Pietro Hamad Bin Khalifa University Doha, Qatar

Christian D. Jensen Technical University of Denmark Kongens Lyngby, Denmark

Weizhi Meng Technical University of Denmark Kongens Lyngby, Denmark

ISSN 0302-9743 ISSN 1611-3349 (electronic) Lecture Notes in Computer Science ISBN 978-3-031-17139-0 ISBN 978-3-031-17140-6 (eBook) https://doi.org/10.1007/978-3-031-17140-6 © The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 Chapter “EVExchange: A Relay Attack on Electric Vehicle Charging System” is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/). For further details see license information in the chapter. This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. This Springer imprint is published by the registered company Springer Nature Switzerland AG The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

Preface

The 27th European Symposium on Research in Computer Security (ESORICS 2022) was held together with the affiliated workshops during the week of September 26–30, 2022. Due to the COVID-19 pandemic, the conference and the workshops took place in a hybrid mode. The virtual and in-person attendance was hosted and managed by the Technical University of Denmark. ESORICS is a flagship European security conference. The aim of ESORICS is to advance the research in computer security and privacy by establishing a European forum, bringing together researchers in these areas, and promoting the exchange of ideas with developers, standardization bodies, and policy makers, as well as by encouraging links with researchers in related fields. Continuing the model introduced in 2021, this year ESORICS also offered two review cycles: a winter cycle and a spring cycle. We believe that such an approach sports great advantages. On the one hand, it is more convenient for the authors and, on the other hand, it also increases the number of submissions, thus securing high-quality papers. In response to the call for papers, which covered a few new topics, we received a record-high number of papers: 562. This is a testimony of the growth and vitality of the computer security field, the expansion of the research community in this field, and the growing importance of ESORICS itself. These papers were peer-reviewed and subsequently discussed based on the quality of their scientific contribution, novelty, and impact by the members of the Program Committee. The submissions were single-blind, and in almost all cases there were vivid discussions among the members of the Program Committee to decide the merit of reviewed papers. The submission of the papers and the review process was carried out using the EasyChair platform. Based on the reviews and the discussion, 104 papers were selected for presentation at the conference, resulting in an acceptance rate of 18.5%. The most tangible result of this whole process was that ESORICS had an exciting scientific program covering timely and interesting security and privacy topics in theory, systems, networks, and applications. The papers that were selected for presentation at ESORICS 2022 have been published in a three-volume set of proceedings: LNCS 13554, LNCS 13555, and LNCS 13556. Aside from the paper presentations, we were honored to have four outstanding keynote speakers: Giuseppe Ateniese, Paulo Esteves-Verissimo, Ahmad Reza Sadeghi, and Ravi Sandhu. Their talks provided interesting insights and research directions in important research areas. The Program Committee (PC) consisted of 180 members. We would like to thank the members of the PC and the external referees for their hard work in supporting the review process, as well as everyone who supported the organization of ESORICS 2022. In particular, the exceptional number of submissions put quite a burden on the reviewers (over the two cycles of submission, an average of 12 papers were reviewed by each reviewer).

vi

Preface

We are grateful to the general co-chairs, Christian D. Jensen and Weizhi Meng; the workshops chairs, Mauro Conti and Jianying Zhou, and all of the workshop co-chairs; the poster chair, Joaquin Garcia-Alfaro; the publicity co-chair’s Cristina Alcaraz and Wenjuan Li; the web chair, Wei-Yang Chiu; and the ESORICS Steering Committee and its chair, Sokratis Katsikas. We are also grateful to BlockSec for supporting the organization of ESORICS 2022. Finally, we would like to provide a heartfelt thank you to the authors for submitting their papers to ESORICS 2022. It is their efforts that, in the end, decided the success of ESORICS 2022, confirmed ESORICS as a top-notch security conference, planted the seeds for future successes, and advanced science. We hope that the proceedings will promote research and facilitate future work in the exciting, challenging, and evolving field of security. September 2022

Roberto Di Pietro Vijayalakshmi Atluri

Organization

General Chairs Christian D. Jensen Weizhi Meng

Technical University of Denmark, Denmark Technical University of Denmark, Denmark

Program Committee Chairs Vijayalakshmi Atluri Roberto Di Pietro

Rutgers University, USA Hamad Bin Khalifa University, Qatar

Steering Committee Sokratis Katsikas (Chair) Joachim Biskup Véronique Cortier Frédéric Cuppens Sabrina De Capitani di Vimercati Joaquin Garcia-Alfaro Dieter Gollmann Kutylowski Mirek Javier Lopez Jean-Jacques Quisquater Peter Ryan Pierangela Samarati Einar Snekkenes Michael Waidner

NTNU, Norway University of Dortmund, Germany CNRS, France Polytechnique Montréal, Canada Università degli Studi di Milano, Italy Institut Polytechnique de Paris, France Hamburg University of Technology, Germany Wroclaw University of Technology, Poland Universidad de Malaga, Spain University of Louvain, Belgium University of Luxembourg, Luxembourg Università degli Studi di Milano, Italy NTNU, Norway ATHENE, Germany

Program Committee Abu-Salma, Ruba Afek, Yehuda Akiyama, Mitsuaki Albanese, Massimiliano Alcaraz, Cristina Allman, Mark Alrabaee, Saed Asif, Hafiz

King’s College London, UK Tel-Aviv University, Israel NTT, Japan George Mason University, USA University of Malaga, Spain International Computer Science Institute, USA United Arab Emirates University, UAE Rutgers University, USA

viii

Organization

Ayday, Erman Bai, Guangdong Bakiras, Spiridon Bardin, Sebastien Batra, Gunjan Bertino, Elisa Blasco, Jorge Blundo, Carlo Bonaci, Tamara Camtepe, Seyit Ceccato, Mariano Chakraborti, Anrin Chan, Aldar C-F. Chen, Bo Chen, Xiaofeng Chen, Liqun Chen, Rongmao Chen, Yu Chow, Sherman S. M. Chowdhury, Omar Conti, Mauro Coull, Scott Crispo, Bruno Cukier, Michel Cuppens, Frédéric Cuppens-Boulahia, Nora Damiani, Ernesto Daza, Vanesa De Capitani di Vimercati, Sabrina Debar, Hervé Desmedt, Yvo Diao, Wenrui Dimitriou, Tassos Domingo-Ferrer, Josep Dong, Changyu Ferrara, Anna Lisa Ferrer-Gomila, Jose-Luis Fila, Barbara Fischer-Hübner, Simone

Case Western Reserve University, USA, and Bilkent University, Turkey University of Queensland, Australia Singapore Institute of Technology, Singapore CEA LIST, France Kennesaw State University, USA Purdue University, USA Royal Holloway, University of London, UK Università degli Studi di Salerno, Italy Northeastern University, USA CSIRO Data61, Australia Università di Verona, Italy Stony Brook University, USA University of Hong Kong, Hong Kong Michigan Technological University, USA Xidian University, China University of Surrey, UK National University of Defense Technology, China Shandong University, China The Chinese University of Hong Kong, Hong Kong University of Iowa, USA Università di Padova, USA Mandiant, USA University of Trento, Italy University of Maryland, USA Polytechnique Montréal, Canada Polytechnique Montréal, Canada University of Milan, Italy Universitat Pompeu Fabra, Spain Università degli Studi di Milano, Italy Télécom SudParis, France University of Texas at Dallas, USA Shandong University, China Kuwait University, Kuwait Universitat Rovira i Virgili, Spain Newcastle University, UK University of Bristol, UK University of the Balearic Islands, Spain INSA Rennes, IRISA, France Karlstad University, Sweden

Organization

Gadyatskaya, Olga Gao, Debin Garcia-Alfaro, Joaquin Garg, Siddharth Giacinto, Giorgio Gollmann, Dieter Gong, Neil Gope, Prosanta Gosain, Devashish Gritzalis, Stefanos Gu, Zhongshu Gulmezoglu, Berk Haines, Thomas He, Xinlei Hernández-Serrano, Juan Hong, Yuan Huang, Xinyi Jager, Tibor Jeon, Yuseok Ji, Shouling Jonker, Hugo Karame, Ghassan Katsikas, Sokratis Kim, Hyoungshick Klai, Kais Kremer, Steve Krotofil, Marina Kruegel, Christopher Lambrinoudakis, Costas Landau Feibish, Shir Lee, Adam Leita, Corrado Li, Shujun Li, Zitao Liang, Kaitai Lin, Zhiqiang Liu, Xiangyu Liu, Peng Livraga, Giovanni

Leiden University, The Netherlands Singapore Management University, Singapore Institut Polytechnique de Paris, France New York University, USA University of Cagliari, Italy Hamburg University of Technology, Germany Duke University, USA University of Sheffield, UK Max Planck Institute for Informatics, Germany University of Piraeus, Greece IBM, USA Iowa State University, USA Queensland University of Technology, Australia CISPA Helmholtz Center for Information Security, Germany Universitat Politècnica de Catalunya, Spain Illinois Institute of Technology, USA Fujian Normal University, China Bergische Universität Wuppertal, Germany Ulsan National Institute of Science and Technology, South Korea Zhejiang University, China Open University of the Netherlands, The Netherlands NEC Laboratories Europe, Germany NTNU, Norway Sungkyunkwan University, South Korea Sorbonne University, France Inria, France Kudelski Security, Switzerland University of California, Santa Barbara, USA University of Piraeus, Greece The Open University of Israel, Israel University of Pittsburg, USA VMware, UK University of Kent, UK Purdue University, USA TU Delft, The Netherlands Ohio State University, USA Alibaba Inc., China Pennsylvania State University, USA University of Milan, Italy

ix

x

Organization

Lombardi, Flavio Lou, Wenjing Lu, Rongxing Lu, Haibing Luo, Xiapu Ma, Shiqing Marin-Fabregas, Eduard Martinelli, Fabio Mauw, Sjouke Meng, Weizhi Mohan, Sibin Mori, Tatsuya Mueller, Johannes Ng, Siaw-Lynn Ning, Jianting Obana, Satoshi Oligeri, Gabriele Overdorf, Rebekah Pal, Shantanu Pan, Jiaxin Papadimitratos, Panos Paraboschi, Stefano Patranabis, Sikhar Pernul, Günther Poovendran, Radha Posegga, Joachim Quiring, Erwin Quisquater, Jean-Jacques Rao, Siddharth Prakash Rashid, Awais Ren, Kui State Rhee, Junghwan Ricci, Laura Russello, Giovanni Ryan, Peter Safavi-Naini, Reihaneh Saileshwar, Gururaj Sakzad, Amin Samarati, Pierangela

National Research Council, Italy Virginia Tech, USA University of New Brunswick, Canada Santa Clara University, USA The Hong Kong Polytechnic University, Hong Kong Rutgers University, USA Telefonica Research, Spain National Research Council, Italy University of Luxembourg, Luxembourg Technical University of Denmark, Denmark Oregon State University, USA Waseda University, Japan University of Luxembourg, Luxembourg Royal Holloway, University of London, and Bedford New College, UK Singapore Management University, Singapore Hosei University, Japan Hamad Bin Khalifa University, Qatar Ecole Polytechnique Fédérale de Lausanne, Switzerland Queensland University of Technology, Australia NTNU, Norway KTH Royal Institute of Technology, Sweden Università di Bergamo, Italy IBM Research India, India Universität Regensburg, Germany University of Washington, USA University of Passau, Germany Technische Universität Braunschweig, Germany University of Louvain, Belgium Aalto University, Finland University of Bristol, UK University of New York at Buffalo, USA University of Central Oklahoma, USA University of Pisa, Italy University of Auckland, New Zealand University of Luxembourg, Luxembourg University of Calgary, Canada Georgia Institute of Technology, USA Monash University, Australia Università degli Studi di Milano, Italy

Organization

Schinzel, Sebastian Münster Schneider, Steve Schroeder, Dominique Schwarz, Michael Schwenk, Joerg Sciancalepore, Savio Shahandashti, Siamak Sharma, Piyush Kumar Shulman, Haya Sinanoglu, Ozgur Sklavos, Nicolas Snekkenes, Einar Somorovsky, Juraj Strufe, Thorsten Sural, Shamik Susilo, Willy Tang, Qiang Tang, Qiang Tapiador, Juan Manuel Tian, Dave Torrey, Jacob Trachtenberg, Ari Treharne, Helen Trieu, Ni Tripunitara, Mahesh Tsohou, Aggeliki Urban, Tobias Esteves-Verissimo, Paulo Viganò, Luca Visconti, Ivan Voulimeneas, Alexios Waidner, Michael Wang, Cong Wang, Tianhao Wang, Di Wang, Haining

xi

Münster University of Applied Sciences, Germany University of Surrey, UK Friedrich-Alexander-Universiät Erlangen-Nürnberg, Germany CISPA Helmholtz Center for Information Security, Germany Ruhr-Universität Bochum, Germany Eindhoven University of Technology, The Netherlands University of York, UK Indraprastha Institute of Information Technology Delhi, India Fraunhofer SIT, Germany New York University Abu Dhabi, UAE University of Patras, Greece NTNU, Norway Paderborn University, Germany Karlsruhe Institute of Technology, Germany IIT Kharagpur, India University of Wollongong, Australia University of Sydney, Australia Luxembourg Institute of Science and Technology, Luxembourg Universidad Carlos III de Madrid, Spain Purdue University, USA Thinkst Applied Research, USA Boston University, USA University of Surrey, UK Arizona State University, USA University of Waterloo, Canada Ionian University, Greece Institute for Internet Security, Germany KAUST, Saudi Arabia King’s College London, UK University of Salerno, Italy KU Leven, Belgium ATHENE, Germany City University of Hong Kong, Hong Kong Purdue University, USA State University of New York at Buffalo, USA University of Delaware, USA

xii

Organization

Wang, Lingyu Wool, Avishai Xenakis, Christos Xiang, Yang Xu, Jun Yang, Jie Yang, Kang Yang, Guomin Yeun, Chan Yi, Xun Yu, Yu Yuen, Tsz Zhang, Zhikun Zhang, Yuan Zhang, Kehuan Zhao, Yunlei Zhou, Jianying Zhu, Rui Zhu, Sencun

Concordia University, Canada Tel Aviv University, Israel University of Piraeus, Greece Swinburne University of Technology, Australia University of Utah, USA Florida State University, USA State Key Laboratory of Cryptology, China University of Wollongong, Australia Khalifa University, Abu Dhabi, UAE RMIT University, Australia Shanghai Jiao Tong University, China University of Hong Kong, Hong Kong CISPA Helmholtz Center for Information Security, Germany Fudan University, China The Chinese University of Hong Kong, Hong Kong Fudan University, China Singapore University of Technology and Design, Singapore Indiana University, USA Pennsylvania State University, USA

Workshops Chairs Conti Mauro Zhou Jianying

University of Padua, Italy Singapore University of Technology and Design, Singapore

Poster Chair Garcia-Alfaro Joaquin

Institut Polytechnique de Paris, France

Publicity Chairs Alcaraz Cristina Li Wenjuan

University of Malaga, Spain Hong Kong Polytechnic University, Hong Kong

Web Chair Chiu Wei-Yang

Technical University of Denmark, Denmark

Organization

Posters Program Committee Atluri, Vijay de Fuentes, Jose M. Di Pietro, Roberto González Manzano, Lorena Hartenstein, Hannes Kikuchi, Hiroaki Matsuo, Shin’Ichiro Navarro-Arribas, Guillermo Nespoli, Pantaleone Ranise, Silvio Saint-Hilarire, Kéren Signorini, Matteo Vasilopoulos, Dimitrios Zannone, Nicola

Rutgers University, USA Universidad Carlos III de Madrid, Spain Hamad Bin Khalifa University, Qatar Universidad Carlos III de Madrid, Spain Karlsruhe Institute of Technology, Germany Meiji University, Japan Georgetown University, USA Universitat Autonoma de Barcelona, Spain Universidad de Murcia, Spain University of Trento and Fondazione Bruno Kessler, Italy Institut Polytechnique de Paris, France Nokia Bell Labs, France IMDEA Software Institute, Spain Eindhoven University of Technology, The Netherlands

Additional Reviewers Abadi, Aydin Abbadini, Marco Ahmadi, Sharar Akand, Mamun Akbar, Yousef Alrahis, Lilas Ameur Abid, Chiheb Amine Merzouk, Mohamed Anagnostopoulos, Marios Angelogianni, Anna Anglés-Tafalla, Carles Apruzzese, Giovanni Arapinis, Myrto Arriaga, Afonso Arzt, Steven Avitabile, Gennaro Avizheh, Sepideh Bag, Arnab Bagheri, Sima Bampatsikos, Michail Battarbee, Christopher Baumer, Thomas Benaloh, Josh

Berger, Christian Berrang, Pascal Blanco-Justicia, Alberto Böhm, Fabian Bolgouras, Vaios Botta, Vincenzo Bountakas, Panagiotis Brighente, Alessandro Bursuc, Sergiu C. Pöhls, Henrich Cachin, Christian Cai, Cailing Cao, Chen Casolare, Rosangela Chen, Xihui Chen, Niusen Chen, Min Chen, Jinrong Chen, Chao Chen, Long Chen, Zeyu Chu, Hien Ciampi, Michele

xiii

xiv

Organization

Cicala, Fabrizio Cinà, Antonio Coijanovic, Christoph Costantino, Gianpiero Craaijo, Jos Crochelet, Pierre Cui, Hui Cui, Handong Dai, Tianxiang Damodaran, Aditya Daniyal Dar, Muhammad Das Chowdhury, Partha Daudén-Esmel, Cristòfol Davies, Peter Davies, Gareth de Ruck, Dairo Debant, Alexandre Debnath, Joyanta Degani, Luca Demetrio, Luca Deuber, Dominic Dexheimer, Thomas Diemert, Denis Dodd, Charles Dragan, Constantin Catalin Driouich, Youssef Du, Changlai Du, Linkang Du, Minxin Duman, Onur Duong, Dung Dutta, Priyanka Dutta, Sabyasachi Dutta, Moumita Duttagupta, Sayon Ebrahimi, Ehsan Echeverria, Mitziu Ehsanpour, Maryam Eichhammer, Philipp Ekramul Kabir, Mohammad Empl, Philip Eyal, Ittay Facchinetti, Dario Fadavi, Mojtaba Fallahi, Matin

Farao, Aristeidis Fauzi, Prastudy Feng, Hanwen Feng, Qi Feng, Shuya Fisseha Demissie, Biniam Fournaris, Apostolos Fraser, Ashley Friedl, Sabrina Friess, Jens Friolo, Daniele Gao, Jiahui Gardiner, Joseph Garfatta, Ikram Gattermayer, Tobias Gellert, Kai George, Dominik Gerault, David Gerhart, Paul Ghadafi, Essam Gholipourchoubeh, Mahmood Gil-Pons, Reynaldo Glas, Magdalena Golinelli, Matteo Gong, Junqing Grisafi, Michele Groll, Sebastian Große-Kampmann, Matteo Guan Tan, Teik Guo, Xiaojie Haffar, Rami Haffey, Preston Hallett, Joseph Hammad Mazhar, M. Han, Jinguang Handirk, Tobias Hao, Xuexuan Hao, Shuai Hasan Shahriar, Md Heftrig, Elias Heitjohann, Raphael Henry Castellanos, John Herranz, Javier Hirschi, Lucca Hlavacek, Tomas

Organization

Hobbs, Nathaniel Hong, Hanbin Horne, Ross Horváth, Máté Hu, Zhenkai Hu, Lijie Hu, Yan Huang, Jianwei Huso, Ingrid Iadarola, Giacomo Ioannidis, Thodoris Iovino, Vincenzo Ising, Fabian Jacobs, Adriaan Jebreel, Najeeb Jeitner, Philipp Jensen, Meiko Jesús A., Zihang Jin, Lin Kailun, Yan Kaiser, Fabian Kaplan, Alexander Karim, Imtiaz Karyda, Maria Katsis, Charalampos Kavousi, Alireza Kelarev, Andrei Kempinski, Stash Kermabon-Bobinnec, Hugo Kern, Sascha Khalili, Mojtaba Khandpur Singh, Ashneet Khin Shar, Lwin Knechtel, Johann Kokolakis, Spyros Krumnow, Benjamin Ksontini, Rym Kulkarni, Tejas Lai, Jianchang Lee, Hyunwoo Léger, Marc-André Li, Jinfeng Li, Rui Li, Shaoyu Li, Yanan

Li, Shuang Li, Guangpu Liang, Yuan Likhitha Mankali, Lakshmi Limbasiya, Trupil Lin, Chao Lin Aung, Yan Liu, Lin Liu, Xiaoning Liu, Bingyu Liu, Guannan Liu, Xiaoyin Liu, Jiahao Liu, Zhen Liu, Xueqiao Liu, Xiaoyuan Lu, Yun Lucchese, Marco Luo, Junwei Lv, Chunyang Lyu, Lin Lyvas, Christos Ma, Wanlun Ma, Mimi Maiorca, Davide Maitra, Sudip Makriyannis, Nikolaos Manjón, Jesús A. Martinez, Sergio Mccarthy, Sarah Mei, Qian Menegatos, Andreas Meng, Long Mercaldo, Francesco Merget, Robert Mestel, David Meyuhas, Bar Michalas, Antonis Mirdita, Donika Mizera, Andrzej Mohammadi, Farnaz Mohammed, Ameer Morillo, Paz Morrison, Adam Mujeeb Ahmed, Chuadhry

xv

xvi

Organization

Nabi, Mahmudun Neal, Christopher Nguyen, Son Niehues, David Nixon, Brian Oldani, Gianluca Oqaily, Momen Oqaily, Alaa Osliak, Oleksii P. K. Ma, Jack Pan, Shimin Pan, Jianli Pang, Chengbin Pang, Bo Panja, Somnath Paolo Tricomi, Pier Paspatis, Ioannis Peng, Hui Pitropakis, Nikolaos Polato, Mirko Pryvalov, Ivan Pu, Sihang Puchta, Alexander Putz, Benedikt Qian, Chen Qin, Baodong Qin, Xianrui Rabhi, Mouna Radomirovic, Sasa Ramokapane, Kopo M. Rangarajan, Nikhil Ravi, Divya Rawat, Abhimanyu Raza, Ali Román-García, Fernando Rossi, Matthew Rovira, Sergi S. M. Asadujjaman, A. Saatjohann, Christoph Sadighian, Alireza Saha, Rahul Samanis, Emmanouil Sarathi Roy, Partha Sarkar, Pratik Schiff Agron, Shir

Schlette, Daniel Schmidt, Carsten Sentanoe, Stewart Sha, Zeyang Shao, Jun Shi, Shanghao Shibahara, Toshiki Shioji, Eitaro Shojafar, Mohammad Shreeve, Benjamin Silde, Tjerand Singh, Animesh Singh Sehrawat, Vipin Sinha, Sayani Siniscalchi, Luisa Skrobot, Marjan Sohrabi, Nasrin Sollomoni, Avi Song, Shang Sotgiu, Angelo Souid, Nourelhouda Soumelidou, Katerina Sun, Shihua Tabatabaei, Masoud Tabiban, Azadeh Taha Bennani, Mohamed Talibi Alaoui, Younes Tang, Lihong Tao, Youming Tedeschi, Pietro Terrovitis, Manolis Tian, Guohua Tian, Yangguang Turrin, Federico Umayya, Zeya Vinayagamurthy, Dhinakaran Visintin, Alessandro Vollmer, Marcel von der Heyden, Jonas Voudouris, Anastassios W. H. Wong, Harry Wagner, Benedikt Wang, Han Wang, Ning Wang, Kailong

Organization

Wang, Xiuhua Wang, Yalan Wang, Shu Wang, Jiafan Wang, Haizhou Wang, Zhilong Wang, Xiaolei Wang, Yunling Wang, Qin Wang, Yu Wang, Cheng-Long Wang, Weijia Wang, Xinyue Wang, Yi Wang, Yuyu Wang, Yangde Watanabe, Takuya Wu, Huangting Wu, Yulian Wu, Chen Wu, Mingli Wu, Qiushi Xiang, Zihang Xiao, Yang Xiao, Jidong Xie, Shangyu Xu, Shengmin Yadav, Tarun Yan, Di Yang, Zhichao Yang, Shishuai

Yang, Xu Yang, S. J. Yang, Xuechao Yang, Junwen Yin Chan, Kwan You, Weijing Yu, Hexuan Yurkov, Semen Zeng, Runzhi Zhang, Sepideh Zhang, Min Zhang, Yanjun Zhang, Zicheng Zhang, Cong Zhang, Lan Zhang, Yuchen Zhang, Xinyu Zhang, Kai Zhang, Tao Zhang, Yunhang Zhang, Xiaoyu Zhang, Zidong Zhang, Rongjunchen Zhao, Yongjun Zhao, Shujie Zhao, Lingchen Zheng, Xiang Zhou, Xiaotong Zhu, Fei Zikas, Vassilis Zou, Qingtian

xvii

Keynotes

Cyber Resilience: An Agenda for the Future of Cyberspace Security

Paulo Esteves-Veríssimo King Abdullah University of Science and Technology Abstract. Why do we need cyber resilience say, further to cybersecurity? Because the threat landscape of present-day computer and network systems became too uncertain, dynamic, and polymorphic to be addressed in a static way by isolated disciplines such as security or dependability. Resilient computing is the emerging paradigm encompassing the necessary body of knowledge to perform this evolution and reach the goal of cyber resilience. In a nutshell, it is based on modelling, architecting and designing computer systems to achieve the following: built-in baseline defence against virtually any quality of threat, be it accidental faults, design errors, cyber-attacks or unexpected operating conditions; incremental and automatic prevention, tolerance and recovery from threats; automated adaptation to a dynamic range of threat severity; unattended and sustainable operation. For these reasons, resilient computing will be a game changer in the craft of designing robust computer systems of today and the future. This is especially true of critical information infrastructures (CII), where the cost of failure may have to consider new risks of computer-borne physical damage, arising from the interconnection of the Internet-CloudWeb complex with Cyber-Physical and Internet-of-Things Systems (OT), both using vulnerable controllers and gadgets and exposed to combined accidental and malicious threats. Having been part of teams that pioneered distributed fault and intrusion tolerance and resilient computing, I believe that the organisations mastering this paradigm will be at the forefront of cyberspace technology. In my talk, I will motivate this vision by the need for more effective defences than we have today in classic cybersecurity or dependability approaches, and will describe some results from the later years in my teams.

Lessons Learned from Building and Attacking Secure Computing Systems

Ahmad-Reza Sadegh Technical University of Darmstadt Abstract. The ever-increasing complexity of computing systems, emerging technologies such as IoT and AI, and advancing attack capabilities pose a variety of (new) challenges on the design and implementation of security concepts, methods and mechanisms for computing systems. This talk provides an overview of our journey through the system security research universe. We point out (painful) lessons learned in advancing state-of-the-art software security and hardware-assisted security both in academic research and industry collaborations. We also briefly present our insights gained throughout one of the world’s largest hardware security competitions that we have been conducting with industry partners since 2018. Finally, we discuss our future vision and new research directions in systems security, in particular in light of the serious threat of software-exploitable hardware vulnerabilities that put all critical systems at risk.

A Perspective on IoT Security

Ravi Sandhu University of Texas at San Antonio Abstract. This talk will present a general perspective and framework on IoT security, as well as some examples of research being pursued in this arena with my colleagues, particularly with respect to access control in this emerging domain.

Contents – Part I

Blockchain Security A Blockchain-Based Long-Term Time-Stamping Scheme . . . . . . . . . . . . . . . . . . . Long Meng and Liqun Chen Post-Quantum Verifiable Random Function from Symmetric Primitives in PoS Blockchain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Maxime Buser, Rafael Dowsley, Muhammed F. Esgin, Shabnam Kasra Kermanshahi, Veronika Kuchta, Joseph K. Liu, Raphaël C.-W. Phan, and Zhenfei Zhang

3

25

Opportunistic Algorithmic Double-Spending: How I Learned to Stop Worrying and Love the Fork . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Nicholas Stifter, Aljosha Judmayer, Philipp Schindler, and Edgar Weippl

46

Zero-History Confidential Chains with Zero-Knowledge Contracts: A New Normal for Decentralized Ledgers? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jayamine Alupotha, Xavier Boyen, and Matthew McKague

67

Secure Hierarchical Deterministic Wallet Supporting Stealth Address . . . . . . . . . Xin Yin, Zhen Liu, Guomin Yang, Guoxing Chen, and Haojin Zhu

89

Zero-Knowledge Age Restriction for GNU Taler . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 Özgür Kesim, Christian Grothoff, Florian Dold, and Martin Schanzenbach Privacy Privacy Leakage in Privacy-Preserving Neural Network Inference . . . . . . . . . . . . 133 Mengqi Wei, Wenxing Zhu, Liangkun Cui, Xiangxue Li, and Qiang Li Enhancing User Privacy in Mobile Devices Through Prediction of Privacy Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 Ricardo Mendes, Mariana Cunha, João P. Vilela, and Alastair R. Beresford One Vote Is Enough for Analysing Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Stéphanie Delaune and Joseph Lallemand Local Differential Privacy for Federated Learning . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Pathum Chamikara Mahawaga Arachchige, Dongxi Liu, Seyit Camtepe, Surya Nepal, Marthie Grobler, Peter Bertok, and Ibrahim Khalil

xxvi

Contents – Part I

XSPIR: Efficient Symmetrically Private Information Retrieval from Ring-LWE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Chengyu Lin, Zeyu Liu, and Tal Malkin Scaling up GAEN Pseudorandom Processes: Preparing for a More Extensive Pandemic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237 Liron David, Avinatan Hassidim, Yossi Matias, and Moti Yung Crypto Generic Construction of Trace-and-Revoke Inner Product Functional Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259 Fucai Luo, Saif Al-Kuwari, Haiyan Wang, and Weihong Han Spatial Encryption Revisited: From Delegatable Multiple Inner Product Encryption and More . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283 Huy Quoc Le, Dung Hoang Duong, Willy Susilo, and Josef Pieprzyk Public Key Authenticated Encryption with Keyword Search from LWE . . . . . . . 303 Leixiao Cheng and Fei Meng An Efficient Query Recovery Attack Against a Graph Encryption Scheme . . . . . 325 Francesca Falzon and Kenneth G. Paterson New Unbounded Verifiable Data Streaming for Batch Query with Almost Optimal Overhead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346 Jiaojiao Wu, Jianfeng Wang, Xinwei Yong, Xinyi Huang, and Xiaofeng Chen A Formal Model for Credential Hopping Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 367 Massimiliano Albanese, Karin L. Johnsgard, and Vipin Swarup No-Directional and Backward-Leak Uni-Directional Updatable Encryption Are Equivalent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387 Huanhuan Chen, Shihui Fu, and Kaitai Liang Efficient Circuits for Permuting and Mapping Packed Values Across Leveled Homomorphic Ciphertexts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408 Jelle Vos, Daniël Vos, and Zekeriya Erkin Towards Practical Homomorphic Time-Lock Puzzles: Applicability and Verifiability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424 Yi Liu, Qi Wang, and Siu-Ming Yiu

Contents – Part I

xxvii

Attacks Kallima: A Clean-Label Framework for Textual Backdoor Attacks . . . . . . . . . . . 447 Xiaoyi Chen, Yinpeng Dong, Zeyu Sun, Shengfang Zhai, Qingni Shen, and Zhonghai Wu Two Types of Novel DoS Attacks Against CDNs Based on HTTP/2 Flow Control Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467 Hengxian Song, Jing Liu, Jianing Yang, Xinyu Lei, and Gang Xue EVExchange: A Relay Attack on Electric Vehicle Charging System . . . . . . . . . . 488 Mauro Conti, Denis Donadel, Radha Poovendran, and Federico Turrin Smart RPKI Validation: Avoiding Errors and Preventing Hijacks . . . . . . . . . . . . . 509 Tomas Hlavacek, Haya Shulman, and Michael Waidner Cyber Network Resilience Against Self-Propagating Malware Attacks . . . . . . . . 531 Alesia Chernikova, Nicolò Gozzi, Simona Boboila, Priyanka Angadi, John Loughner, Matthew Wilden, Nicola Perra, Tina Eliassi-Rad, and Alina Oprea INC: In-Network Classification of Botnet Propagation at Line Rate . . . . . . . . . . . 551 Kurt Friday, Elie Kfoury, Elias Bou-Harb, and Jorge Crichigno GAME: Generative-Based Adaptive Model Extraction Attack . . . . . . . . . . . . . . . . 570 Yi Xie, Mengdie Huang, Xiaoyu Zhang, Changyu Dong, Willy Susilo, and Xiaofeng Chen AttacKG: Constructing Technique Knowledge Graph from Cyber Threat Intelligence Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589 Zhenyuan Li, Jun Zeng, Yan Chen, and Zhenkai Liang SeInspect: Defending Model Stealing via Heterogeneous Semantic Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610 Xinjing Liu, Zhuo Ma, Yang Liu, Zhan Qin, Junwei Zhang, and Zhuzhu Wang Sidechannels We Can Hear Your PIN Drop: An Acoustic Side-Channel Attack on ATM PIN Pads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633 Kiran Balagani, Matteo Cardaioli, Stefano Cecconello, Mauro Conti, and Gene Tsudik

xxviii

Contents – Part I

VAL: Volume and Access Pattern Leakage-Abuse Attack with Leaked Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653 Steven Lambregts, Huanhuan Chen, Jianting Ning, and Kaitai Liang Light the Signal: Optimization of Signal Leakage Attacks Against LWE-Based Key Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677 Yue Qin, Ruoyu Ding, Chi Cheng, Nina Bindel, Yanbin Pan, and Jintai Ding BLEWhisperer: Exploiting BLE Advertisements for Data Exfiltration . . . . . . . . . 698 Ankit Gangwal, Shubham Singh, Riccardo Spolaor, and Abhijeet Srivastava Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719

Contents – Part II

Anonymity A Machine Learning Approach to Detect Differential Treatment of Anonymous Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Isabel Wagner

3

Utility-Preserving Biometric Information Anonymization . . . . . . . . . . . . . . . . . . . Bill Moriarty, Chun-Fu (Richard) Chen, Shaohan Hu, Sean Moran, Marco Pistoia, Vincenzo Piuri, and Pierangela Samarati

24

Anonymous Traceback for End-to-End Encryption . . . . . . . . . . . . . . . . . . . . . . . . . Erin Kenney, Qiang Tang, and Chase Wu

42

Cloud Security Public Cloud Data Auditing Revisited: Removing the Tradeoff Between Proof Size and Storage Cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Willy Susilo, Yannan Li, Fuchun Guo, Jianchang Lai, and Ge Wu DEKS: A Secure Cloud-Based Searchable Service Can Make Attackers Pay . . . Yubo Zheng, Peng Xu, Wei Wang, Tianyang Chen, Willy Susilo, Kaitai Liang, and Hai Jin

65

86

Lighter is Better: A Lighter Multi-client Verifiable Outsourced Computation with Hybrid Homomorphic Encryption . . . . . . . . . . . . . . . . . . . . . . . 105 Xingkai Wang, Zhenfu Cao, Zhen Liu, and Kaitai Liang Verifying the Quality of Outsourced Training on Clouds . . . . . . . . . . . . . . . . . . . . 126 Peiyang Li, Ye Wang, Zhuotao Liu, Ke Xu, Qian Wang, Chao Shen, and Qi Li SecQuant: Quantifying Container System Call Exposure . . . . . . . . . . . . . . . . . . . . 145 Sunwoo Jang, Somin Song, Byungchul Tak, Sahil Suneja, Michael V. Le, Chuan Yue, and Dan Williams Robust and Scalable Process Isolation Against Spectre in the Cloud . . . . . . . . . . . 167 Martin Schwarzl, Pietro Borrello, Andreas Kogler, Kenton Varda, Thomas Schuster, Michael Schwarz, and Daniel Gruss

xxx

Contents – Part II

Access Control Administration of Machine Learning Based Access Control . . . . . . . . . . . . . . . . . 189 Mohammad Nur Nobi, Ram Krishnan, Yufei Huang, and Ravi Sandhu Real-Time Policy Enforcement with Metric First-Order Temporal Logic . . . . . . . 211 - Krsti´c François Hublet, David Basin, and Srdan A Tale of Four Gates: Privilege Escalation and Permission Bypasses on Android Through App Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 Abdulla Aldoseri, David Oswald, and Robert Chiper Authentication Sequential Digital Signatures for Cryptographic Software-Update Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255 Bertram Poettering and Simon Rastikian On Committing Authenticated-Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 John Chan and Phillip Rogaway Quantum-Resistant Password-Based Threshold Single-Sign-On Authentication with Updatable Server Private Key . . . . . . . . . . . . . . . . . . . . . . . . . . 295 Jingwei Jiang, Ding Wang, Guoyin Zhang, and Zhiyuan Chen The Revenge of Password Crackers: Automated Training of Password Cracking Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317 Alessia Michela Di Campi, Riccardo Focardi, and Flaminia L. Luccio Fuzzy Authenticated Key Exchange with Tight Security . . . . . . . . . . . . . . . . . . . . . 337 Mingming Jiang, Shengli Liu, Shuai Han, and Dawu Gu Continuous Authentication in Secure Messaging . . . . . . . . . . . . . . . . . . . . . . . . . . . 361 Benjamin Dowling, Felix Günther, and Alexandre Poirrier Digital Signatures Half-Aggregation of Schnorr Signatures with Tight Reductions . . . . . . . . . . . . . . 385 Yanbo Chen and Yunlei Zhao Ring Signatures with User-Controlled Linkability . . . . . . . . . . . . . . . . . . . . . . . . . . 405 Dario Fiore, Lydia Garms, Dimitris Kolonelos, Claudio Soriente, and Ida Tucker

Contents – Part II

xxxi

DualDory: Logarithmic-Verifier Linkable Ring Signatures Through Preprocessing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427 Jonathan Bootle, Kaoutar Elkhiyaoui, Julia Hesse, and Yacov Manevich Efficient Unique Ring Signatures from Lattices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447 Tuong Ngoc Nguyen, Anh The Ta, Huy Quoc Le, Dung Hoang Duong, Willy Susilo, Fuchun Guo, Kazuhide Fukushima, and Shinsaku Kiyomoto Verifiable Timed Linkable Ring Signatures for Scalable Payments for Monero . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467 Sri AravindaKrishnan Thyagarajan, Giulio Malavolta, Fritz Schmid, and Dominique Schröder Deterministic Wallets for Adaptor Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487 Andreas Erwig and Siavash Riahi Puncturable Signature: A Generic Construction and Instantiations . . . . . . . . . . . . 507 Mei Jiang, Dung Hoang Duong, and Willy Susilo IoT Security fASLR: Function-Based ASLR for Resource-Constrained IoT Systems . . . . . . . . 531 Xinhui Shao, Lan Luo, Zhen Ling, Huaiyu Yan, Yumeng Wei, and Xinwen Fu An Infection-Identifying and Self-Evolving System for IoT Early Defense from Multi-Step Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549 Hyunwoo Lee, Anand Mudgerikar, Ashish Kundu, Ninghui Li, and Elisa Bertino IoTEnsemble: Detection of Botnet Attacks on Internet of Things . . . . . . . . . . . . . 569 Ruoyu Li, Qing Li, Yucheng Huang, Wenbin Zhang, Peican Zhu, and Yong Jiang IoTPrivComp: A Measurement Study of Privacy Compliance in IoT Apps . . . . 589 Javaria Ahmad, Fengjun Li, and Bo Luo No-Label User-Level Membership Inference for ASR Model Auditing . . . . . . . . 610 Yuantian Miao, Chao Chen, Lei Pan, Shigang Liu, Seyit Camtepe, Jun Zhang, and Yang Xiang Applications A Toolbox for Verifiable Tally-Hiding E-Voting Systems . . . . . . . . . . . . . . . . . . . . 631 Véronique Cortier, Pierrick Gaudry, and Quentin Yang

xxxii

Contents – Part II

How to Verifiably Encrypt Many Bits for an Election? . . . . . . . . . . . . . . . . . . . . . . 653 Henri Devillez, Olivier Pereira, and Thomas Peters A Framework for Constructing Single Secret Leader Election from MPC . . . . . . 672 Michael Backes, Pascal Berrang, Lucjan Hanzlik, and Ivan Pryvalov AppBastion: Protection from Untrusted Apps and OSes on ARM . . . . . . . . . . . . . 692 Darius Suciu, Radu Sion, and Michael Ferdman Collaborative Anomaly Detection System for Charging Stations . . . . . . . . . . . . . . 716 Jesus Cumplido, Cristina Alcaraz, and Javier Lopez Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 737

Contents – Part III

Formal Analysis A Formal Analysis of the FIDO2 Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jingjing Guan, Hui Li, Haisong Ye, and Ziming Zhao

3

A Composable Security Treatment of ECVRF and Batch Verifications . . . . . . . . Christian Badertscher, Peter Gaži, Iñigo Querejeta-Azurmendi, and Alexander Russell

22

Efficient Proofs of Knowledge for Threshold Relations . . . . . . . . . . . . . . . . . . . . . Gennaro Avitabile, Vincenzo Botta, Daniele Friolo, and Ivan Visconti

42

A Tale of Two Models: Formal Verification of KEMTLS via Tamarin . . . . . . . . . Sofía Celi, Jonathan Hoyland, Douglas Stebila, and Thom Wiggers

63

Web Security Browser-Based CPU Fingerprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Leon Trampert, Christian Rossow, and Michael Schwarz

87

Polymorphic Protocols at the Example of Mitigating Web Bots . . . . . . . . . . . . . . . 106 August See, Leon Fritz, and Mathias Fischer Unlinkable Delegation of WebAuthn Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . 125 Nick Frymann, Daniel Gardham, and Mark Manulis Large Scale Analysis of DoH Deployment on the Internet . . . . . . . . . . . . . . . . . . . 145 Sebastián García, Joaquín Bogado, Karel Hynek, Dmitrii Vekshin, ˇ Tomáš Cejka, and Armin Wasicek Equivocal URLs: Understanding the Fragmented Space of URL Parser Implementations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Joshua Reynolds, Adam Bates, and Michael Bailey Exploring the Characteristics and Security Risks of Emerging Emoji Domain Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 Mingxuan Liu, Yiming Zhang, Baojun Liu, and Haixin Duan

xxxiv

Contents – Part III

Hardware Security CPU Port Contention Without SMT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209 Thomas Rokicki, Clémentine Maurice, and Michael Schwarz Protocols for a Two-Tiered Trusted Computing Base . . . . . . . . . . . . . . . . . . . . . . . . 229 José Moreira, Mark D. Ryan, and Flavio D. Garcia Using Memristor Arrays as Physical Unclonable Functions . . . . . . . . . . . . . . . . . . 250 Florian Frank, Tolga Arul, Nikolaos Athanasios Anagnostopoulos, and Stefan Katzenbeisser Multiparty Computation SecureBiNN: 3-Party Secure Computation for Binarized Neural Network Inference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 Wenxing Zhu, Mengqi Wei, Xiangxue Li, and Qiang Li Mixed-Technique Multi-Party Computations Composed of Two-Party Computations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295 Erik-Oliver Blass and Florian Kerschbaum PEA: Practical Private Epistasis Analysis Using MPC . . . . . . . . . . . . . . . . . . . . . . 320 Kay Hamacher, Tobias Kussel, Thomas Schneider, and Oleksandr Tkachenko ML Techniques Hide and Seek: On the Stealthiness of Attacks Against Deep Learning Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343 Zeyan Liu, Fengjun Li, Jingqiang Lin, Zhu Li, and Bo Luo Precise Extraction of Deep Learning Models via Side-Channel Attacks on Edge/Endpoint Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364 Younghan Lee, Sohee Jun, Yungi Cho, Woorim Han, Hyungon Moon, and Yunheung Paek Real-Time Adversarial Perturbations Against Deep Reinforcement Learning Policies: Attacks and Defenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384 Buse G. A. Tekgul, Shelly Wang, Samuel Marchal, and N. Asokan FLMJR: Improving Robustness of Federated Learning via Model Stability . . . . . 405 Qi Guo, Di Wu, Yong Qi, Saiyu Qi, and Qian Li

Contents – Part III

xxxv

MaleficNet: Hiding Malware into Deep Neural Networks Using Spread-Spectrum Channel Coding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425 Dorjan Hitaj, Giulio Pagnotta, Briland Hitaj, Luigi V. Mancini, and Fernando Perez-Cruz Long-Short History of Gradients Is All You Need: Detecting Malicious and Unreliable Clients in Federated Learning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445 Ashish Gupta, Tie Luo, Mao V. Ngo, and Sajal K. Das MLFM: Machine Learning Meets Formal Method for Faster Identification of Security Breaches in Network Functions Virtualization (NFV) . . . . . . . . . . . . . 466 Alaa Oqaily, Yosr Jarraya, Lingyu Wang, Makan Pourzandi, and Suryadipta Majumdar Cyber-Physical Systems Security Perspectives from a Comprehensive Evaluation of Reconstruction-based Anomaly Detection in Industrial Control Systems . . . . . . . . . . . . . . . . . . . . . . . . . . 493 Clement Fung, Shreya Srinarasi, Keane Lucas, Hay Bryan Phee, and Lujo Bauer A Novel High-Performance Implementation of CRYSTALS-Kyber with AI Accelerator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514 Lipeng Wan, Fangyu Zheng, Guang Fan, Rong Wei, Lili Gao, Yuewu Wang, Jingqiang Lin, and Jiankuo Dong From Click to Sink: Utilizing AIS for Command and Control in Maritime Cyber Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535 Ahmed Amro and Vasileios Gkioulos Efficient Hash-Based Redactable Signature for Smart Grid Applications . . . . . . . 554 Fei Zhu, Xun Yi, Alsharif Abuadbba, Junwei Luo, Surya Nepal, and Xinyi Huang Can Industrial Intrusion Detection Be SIMPLE? . . . . . . . . . . . . . . . . . . . . . . . . . . . 574 Konrad Wolsing, Lea Thiemt, Christian van Sloun, Eric Wagner, Klaus Wehrle, and Martin Henze For Your Voice Only: Exploiting Side Channels in Voice Messaging for Environment Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595 Matteo Cardaioli, Mauro Conti, and Arpita Ravindranath Towards Efficient Auditing for Real-Time Systems . . . . . . . . . . . . . . . . . . . . . . . . . 614 Ayoosh Bansal, Anant Kandikuppa, Chien-Ying Chen, Monowar Hasan, Adam Bates, and Sibin Mohan

xxxvi

Contents – Part III

Network and Software Security Towards a Systematic and Automatic Use of State Machine Inference to Uncover Security Flaws and Fingerprint TLS Stacks . . . . . . . . . . . . . . . . . . . . . 637 Aina Toky Rasoamanana, Olivier Levillain, and Hervé Debar PanoptiCANs - Adversary-Resilient Architectures for Controller Area Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658 Bogdan Groza, Lucian Popa, Tudor Andreica, Pal-Stefan Murvay, Asaf Shabtai, and Yuval Elovici Detecting Cross-language Memory Management Issues in Rust . . . . . . . . . . . . . . 680 Zhuohua Li, Jincheng Wang, Mingshen Sun, and John C. S. Lui Reach Me if You Can: On Native Vulnerability Reachability in Android Apps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701 Luca Borzacchiello, Emilio Coppa, Davide Maiorca, Andrea Columbu, Camil Demetrescu, and Giorgio Giacinto Extensible Virtual Call Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723 Yuancheng Jiang, Gregory J. Duck, Roland H. C. Yap, Zhenkai Liang, and Pinghai Yuan Posters Is Your Password Sexist? a Gamification-Based Analysis of the Cultural Context of Leaked Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 743 Daniel Mølmark-O’Connor and Emmanouil Vasilomanolakis A Fast, Practical and Simple Shortest Path Protocol for Multiparty Computation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749 Abdelrahaman Aly and Sara Cleemput Audio Spoofing Detection Using Constant-Q Spectral Sketches and Parallel-Attention SE-ResNet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 756 Feng Yue, Jiale Chen, Zhaopin Su, Niansong Wang, and Guofu Zhang MixCT: Mixing Confidential Transactions from Homomorphic Commitment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763 Jiajun Du, Zhonghui Ge, Yu Long, Zhen Liu, Shifeng Sun, Xian Xu, and Dawu Gu

Contents – Part III

xxxvii

Multi-Freq-LDPy: Multiple Frequency Estimation Under Local Differential Privacy in Python . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770 Héber H. Arcolezi, Jean-François Couchot, Sébastien Gambs, Catuscia Palamidessi, and Majid Zolfaghari The Devil Is in the GAN: Backdoor Attacks and Defenses in Deep Generative Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 776 Ambrish Rawat, Killian Levacher, and Mathieu Sinn Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785

Blockchain Security

A Blockchain-Based Long-Term Time-Stamping Scheme Long Meng(B) and Liqun Chen University of Surrey, Guildford, UK [email protected]

Abstract. Traditional time-stamping services confirm the existence time of data items by using a time-stamping authority. To eliminate trust requirements on this authority, decentralized Blockchain-based TimeStamping (BTS) services have been proposed. In these services, a hash digest of users’ data is written into a blockchain transaction. The security of such services relies on the security of hash functions used to hash the data, and of the cryptographic algorithms used to build the blockchain. It is well-known that any single cryptographic algorithm has a limited lifespan due to the increasing computational power of attackers. This directly impacts the security of the BTS services from a long-term perspective. However, the topic of long-term security has not been discussed in the existing BTS proposals. In this paper, we propose the first formal definition and security model of a Blockchain-based Long-Term TimeStamping (BLTTS) scheme. To develop a BLTTS scheme, we first consider an intuitive solution that directly combines the BTS services and a long-term secure blockchain, but we prove that this solution is vulnerable to attacks in the long term. With this insight, we propose the first BLTTS scheme supporting cryptographic algorithm renewal. We show that the security of our scheme over the long term is not limited by the lifespan of any underlying cryptographic algorithm, and we successfully implement the proposed scheme under existing BTS services. Keywords: Time-stamping

1

· Blockchain · Long-term security

Introduction

Digital data has been widely adopted in the modern world. Time-stamping services are used to prove that a data item existed at a given point in time. For traditional centralized time-stamping services, a proof is created by a TimeStamping Authority (TSA), who after receiving a data item from a user produces a verifiable cryptographic binding between the data and time, which is referred to as a time-stamp token [1,2]. The security of this type of time-stamping service depends on both the security of the underlying cryptographic algorithms and the reliability and trustworthiness of TSAs. In reality, TSAs may not always be reliable or trustworthy. If a TSA is compromised, the validity of the time-stamp tokens from this TSA could be c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 3–24, 2022. https://doi.org/10.1007/978-3-031-17140-6_1

4

L. Meng and L. Chen

threatened no matter whether the underlying cryptographic algorithms are still secure or not. Therefore, the requirement for the reliability and trustworthiness of these central authorities is concerned as a weakness for traditional time-stamping services. Since 2008, the innovation of the Bitcoin blockchain [3] has inspired people to explore more decentralized applications. Blockchain could be regarded as a public ledger, in which all committed transactions are stored in a chain of blocks [4]. A blockchain-based ledger has several advantages: (1) This is a decentralized system, so it eliminates the trust requirement on central authorities. (2) A blockchain is tamper-resistant, as transactions are validated by multiple nodes before being stored in a block. Once a block is confirmed to be a part of a blockchain, any malicious modification of the transaction data in the block can be detected. (3) Each block contains a time-stamp when it is appended to the blockchain, so it is traceable that all the transactions in the blockchain exist at its corresponding block creation time. Based on these advantages, several Blockchain-based Time-Stamping (BTS) services have been proposed [5–7]. In the “Proof of Existence” service [7], a web server collects a data item from a user, computes its hash value, and embeds the result into a blockchain transaction. In the “OpenTimestamps” service [6] and “OriginStamp” service [8], a web server aggregates data items from users by using a Merkle tree, and inserts the tree root value into a blockchain transaction. The transaction record and the time-stamp in the block become the existence proof of data items. Compared to traditional time-stamping services, BTS services get rid of potential attacks from malicious manipulation or collusion of TSAs. In the popular trends of decentralized applications, BTS services are much better choices than traditional time-stamping services. A BTS service makes use of hash functions and digital signature schemes to build a blockchain (we collectively call them server-side algorithms), and also uses hash functions to hash users’ data (we call them client-side hash functions). Obviously, the security of these services relies on the security of these underlying cryptographic algorithms. It is well-known that any hash function or signature scheme is only secure for a limited period due to the operational life cycle or increasing computational powers of attackers. Particularly, the upcoming quantum computers are considered to break most of the broadly-used signature algorithms and increase the speed of attacking hash functions [9]. However, for many types of digital data, such as identity information, health records, history archives, etc., the existence proof of data needs to be maintained for decades or even permanently, which is much longer than the lifetime of a single cryptographic algorithm. In this work, if a scheme is secure for a long period that is not bounded by the lifetimes of its underlying cryptographic algorithms, we say that the scheme is long-term secure. If a BTS scheme is long-term secure, we refer to it as a Blockchain-based Long-Term Time-Stamping (BLTTS) scheme. Unfortunately, the topic of long-term security has not been addressed in the existing BTS services.

A Blockchain-Based Long-Term Time-Stamping Scheme

5

In this paper, we propose the first formal definition and the security model of a BLTTS scheme. To construct such a scheme, we initially consider an intuitive solution that directly combines the existing BTS services and a long-term blockchain scheme [10], in which the server-side algorithms could be securely transferred to stronger ones. But our proof shows that the solution is vulnerable to attacks after the client-side hash function is compromised. In other words, the state-of-the-art solutions in this field show that a BLTTS scheme is still missing. We fill this gap by proposing the first BLTTS scheme, which contains three solutions supporting the renewal of all underlying cryptographic algorithms. This is not a trivial target due to the following challenges: 1) The cryptographic algorithms are used both inside and outside the blockchain system. A comprehensive timeline to securely renew every algorithm is required. 2) Blockchain is a complex system that applies cryptographic algorithms in every block. 3) Each time-stamp renewal must be connected in time sequence since a verifier needs a complete time-stamping chain to prove the data existed before the earliest time-stamp. We formally prove that the security of our scheme is unbounded with the lifetime of any underlying cryptographic algorithm. Finally, we implement this scheme under the existing BTS services “OriginStamp” and “Opentimestamps”, and the results show that our scheme is very efficient.

2

Related Works

Traditional Time-Stamping. In 1990, Haber and Stornetta proposed the prototype of digital time-stamping with two techniques: linear linking and random witness [11]. In 1993, Bayer et al. proposed a solution for time-stamp renewal [12]: the lifetime of a time-stamp could be extended by time-stamping the (data, time-stamp) pair with a new implementation before the old implementation is compromised. The ideas of [11,12] were designed into a time-stamping system for the Belgian project TIMESEC [13]. In further years, the ideas of [11,12] have been adopted by multiple standards, especially the ISO/IEC standard [1,14,15] and ANSI standard [2]. Both standards specify time-stamping mechanisms and renewal mechanisms for long-term time-stamping services. In addition, the ideas of [12] have been extended into several long-term integrity schemes [16,17], but the security analysis of such schemes was not given, until Geihs et al. formalized this idea separately into a signature-based long-term integrity scheme [18], and a hash-based long-term time-stamping scheme [19]. These two schemes provide substantial frameworks for analyzing the security of long-term time-stamping schemes. However, the works of [18,19] only address the renewal of server-side algorithms, the renewal of client-side hash functions is not addressed. Besides, Meng et al. found that the ISO/IEC standard [1,14,15] did not specify the renewal of client-side hash functions for traditional time-stamping schemes [20], which causes the schemes could only achieve short-term integrity. Then they proposed and analyzed the first comprehensive long-term timestamping scheme that allows the renewal of both client-side hash functions and

6

L. Meng and L. Chen

server-side algorithms [21]. We are inspired by the ideas in [18,19], and [21] for our proposed schemes and security analysis. Blockchain-Based Time-Stamping. In 2008, Satoshi Nakamoto created the “Bitcoin” cryptocurrency system as the first blockchain prototype [3] that leverages the idea of time-stamping [11–13]. After that, dozens of blockchain-based cryptocurrencies were generated. For example, “Ethereum” was proposed as a developed blockchain platform that supports the creation of advanced smart contracts for achievable programs and commands [22]. During the past decade, there were many research surveys and reports on blockchain systems introducing their structures, models, applications, and challenges [4,23,24]. In our paper, the structure of blockchain shown in Fig. 1 is learned from the remarked surveys and reports. In 2015, the first BTS service “OriginStamp” was proposed [5]. Solutions similar to the OriginStamp are the “OpenTimestamps” project [6], and “Proof of Existence” service [7]. After that, many applications were built on top of the “OriginStamp” service, e.g., manuscript submission [25], virtual patents [26], secure videos [27]. All of them leverage “OriginStamp” as a basis for timestamping services. However, the long-term security of the OriginStamp, OpenTimestamps, and Proof of Existence services has not been analyzed. The details of the existing BTS schemes are reviewed in Sect. 5. Apart from the design of BTS services, some researchers explored the reliability of the time-stamps included in the blockchain [28–31]. Their research shows that the time-stamps in blockchains are not accurate and could be manipulated for attacks. They proposed distinct solutions to this issue: [30] and [28] had slightly different ideas about leveraging an external TSA since it can provide accurate time records; [31] claimed to integrate the hash value of a user’s document with a constant number of latest confirmed blocks on the Ethereum blockchain; [29] proposed to use a smart contract that intermediates between a user and some time-stamp providers according to some selection strategy on the Ethereum blockchain. These ideas can be adopted for reliable and accurate blockchain time-stamps in our proposed scheme. For the topic of how to insert data into a blockchain, Sward et al. provided a comprehensive survey for inserting arbitrary data into the Bitcoin blockchain [32]. Historical approaches were listed: Pay-to-Fake-KeyHash (PF2KH), Pay-to-Fake-Public Key (PF2K), OP RETURN, Pay-to-FakeMultisig (P2FMS), Pay-to-Fake-Script-Hash (PFSH), Data Drop, and Data Hash Method. The authors made a comparison between these methods in terms of their efficiency, cost, scalability, and potential weaknesses. Besides, Gao et al. proposed a method to store data in the Bitcoin blockchain by encoding it into Bitcoin addresses [33], which enables more storage space for additional information of the data (e.g., file names, creator names, keywords). In our proposed scheme, the data insertion method can be selected based on these researches.

A Blockchain-Based Long-Term Time-Stamping Scheme

7

Long-term Security of Blockchain. Giechaskiel et al. analyzed the impacts of broken cryptographic primitives on Bitcoin [34]. This work shows that the compromise of SHA-256, RIPEMD160 and ECDSA algorithms in the Bitcoin blockchain may cause the stealing of coins, double spending, repudiated payments, etc. Any of them could be a devastating problem for Bitcoin security. Following this work, Sato et al. proposed the first long-term blockchain (LTB) scheme with the renewal of hash functions and signatures used in a blockchain [35], and Chen et al. proposed an improved LTB scheme [36] to avoid the hard fork caused by the hash function renewal in [35] when using a proofof-work blockchain. Recently, Meng et al. observed that [35,36] only defined the transition from the first algorithm to the second one, and the security of those schemes is not analyzed. Then they proposed an enhanced LTB scheme [10] that enables algorithm renewal in long-term periods, which has been proved secure under their proposed security model. In this work, we borrow the ideas of [10] for achieving server-side algorithm renewal as reviewed in Sect. 3.

3

Preliminaries

Blockchains. Blockchains are distributed digital ledgers of signed transactions that are grouped into blocks. A block is linked to its previous one by using hash functions after validation and undergoing a consensus decision [24]. In specific, each block is comprised of a block header and block data. As shown in Fig 1, a block header contains a block index number, a nonce, a hash value of the previous block header, a time-stamp, and a Merkle tree root value of all block data. The block data contains a list of transactions along with their corresponding digital signatures. Block Bi Block header

……

hbi-1

Txi1, Sigi1

Block No.

mkrooti

Txi2, Sigi2

Block Bi+1

Nonce Time ti

……

Txij, Sigij

Block header

hbi

hbi

Block No.

Nonce

mkrooti+1

Time ti+1

Tx(i+1)1, Sig(i+1)1

Tx(i+1)2, Sig(i+1)2

……

hbi+1

……

Tx(i+1)j, Sig(i+1)j

Fig. 1. The general structure of a blockchain

Blockchain technology utilizes cryptographic hash functions and signature schemes. In the block Bi in Fig. 1, each transaction is signed by the user who initiates the transaction, then all the transaction and signature pairs (Txi1 , Sigi1 ), ..., (Txij , Sigij ) in the block are aggregated together by using a Merkle tree. The resulting root value mkrooti is stored in the block header for simplified verification [3]. The block header is then hashed into a hash value hbi that is stored in the block header of the next block Bi+1 . The signatures enable the network nodes to verify the integrity and authenticity of transactions, and the chaining of hash values between blocks protects the integrity of block data.

8

L. Meng and L. Chen

Long-term Blockchain Scheme. For a long-term blockchain (LTB), we review the ideas of the secure LTB scheme proposed by Meng et al. [10], which could be divided into a hash transition procedure and a signature transition procedure. Hi-1 is secure

Hi is secure

Hi+1 is secure ti+1

ti archiveHash

…… b1

bM Total M blocks generated using H0, …, Hi-1

bM+1

……

archiveHash

bM+r

r blocks generated using Hi with archiveHash values

…… …… bM+r+2

bM+r+F

F blocks generated using Hi

archiveHash

bM’+1

Time

……

archiveHash

……

bM’+r’

r’ blocks generated using Hi+1 with archiveHash values

Fig. 2. The hash transition procedure of the LTB scheme proposed by Meng et al.

The hash transition procedure (as shown in Fig. 2) is performed by the blockchain system. Assume at time ti (i ≥ 1) when hash function Hi−1 becomes weak but not actually broken, the blockchain already has M blocks generated using hash function H0 , ..., Hi−1 for calculating Merkle tree and block hash values. The transition from Hi−1 to a stronger hash function Hi includes 3 steps: 1) divide all M blocks into r sets, with s blocks in each set, i.e., M = r ×s. 2) calculate an archive hash value of each set of blocks using Hi , i.e., archiveHashi1 = Hi (b1 , ..., bs ), ..., archiveHashir = Hi (b(r−1)s+1 , ..., bM ), and stores these archiveHash values separately in the block header of bM +1 , ..., bM +r . bM +1 , ..., bM +r uses Hi for calculating Merkle tree and block hash values. 3) The new blocks after bM +r are generated using Hi and they do not include archiveHash fields. Assume at time ti+1 when Hi becomes weak but still secure, there are total F blocks after bM +r . Then set M  = M + r + F and repeat steps 1–3: divide all M  blocks into r sets, calculate archive hash values for each set using Hi+1 and store them into future blocks. The verification procedures of hash transitions check: 1) the correctness of every block (include the merkle tree root value, block hash value, signatures, and archiveHash field etc.), 2) the ith hash transition happens within the time period that at least hash functions Hi−1 , Hi are secure, and 3) the latest hash function used in the blockchain is still secure at the verification time. The Signature transition procedure is performed by users. Assume a user utilized a signature scheme Si−1 (i ≥ 1) for signing transactions in the blockchain. At the time when Si−1 is threatened but still secure, a new key pair should be generated from a stronger signature scheme Si . Then the users’ transactions should be transferred from the key pair of Si−1 to the new key pair of Si . i.e., sigi ← Si−1 (txi ). The new transaction and signature pair (sigi , txi ) is then submitted to the blockchain. After that, users begin to sign new transactions using Si . The verification procedures of signature transitions check: 1) the correctness of every block, 2) the i-th signature transition happens within the period that at

A Blockchain-Based Long-Term Time-Stamping Scheme

9

least signature schemes Si−1 , Si are secure, and 3) the latest signature scheme used in the blockchain is still secure at the verification time.

4

Definitions of a BLTTS Scheme

In this section, we provide the first formal definition and security model of a Blockchain-based Long-term Time-stamping (BLTTS) scheme. 4.1

Scheme Definition

A BLTTS scheme includes the following entities: a user, a blockchain system, and a verifier. The user owns the data item to be time-stamped and sends it to the blockchain. The blockchain stores the data in a block, which provides existence proofs of the data. The verifier checks the validity of the proofs. Algorithms. A BLTTS scheme is comprised of a tuple of algorithms (BTSGen, BTSRen, BTSVer), which are defined as follows: – TS0 ← BTSGen(C0 ; D, blc): at time t0 , the time-stamp generation algorithm BTSGen takes a data item D and a blockchain blc as input and outputs a time-stamp proof TS0 by using a set of cryptographic algorithms C0 . – TSi ← BTSRen(Ci−1 , Ci ; D, blc)(i ∈ [1, n]): at time ti (i ∈ [1, n]) when some cryptographic algorithms in Ci−1 is threatened but still secure, the timestamp renewal algorithm BTSRen takes a data item D and the blockchain blc as input and outputs a time-stamp proof TSi by using a set of cryptographic algorithms Ci . – b ← BTSVer(D, TS0 , ..., TSn , blc, VD, tv ): at verification time tv , the timestamp verification algorithm BTSVer takes as input a data item D, a group of time-stamp proofs TS0 , ..., TSn , the blockchain blc, the verification data VD (defined in the further paragraph), and the verification time tv , then outputs a bit b = 1 if the time-stamp proofs are valid on D; otherwise outputs b = 0.

c1 is secure

c0 is secure

t0

t1

t'0

cn-1 is secure

t2

……

tn-1

tn

cn is secure

t'n-1

Fig. 3. Timeline of cryptographic algorithm lifetime and renewal

t'n

Time

10

L. Meng and L. Chen

Timeline. Figure 3 shows the relations between the lifetime and renewal time of every particular type of cryptographic algorithm ci ∈ Ci . For i ∈ [1, n], ci−1 should be renewed to a stronger one ci when it becomes weak but still within its lifetime. In other words, at time ti , both ci−1 and ci are secure. We argue that this renewal time window is reasonable and practical. For example, the SHA-1 algorithm was theoretically broken in 2005 [37], but the first real collision pair of SHA-1 was found in 2017 [38]. The middle 12 years are the renewal window from SHA-1 to SHA-2. We denote the starting usage time and breakage time of ci separately as c.ti and c.ti . For C.ti and C.ti , we mean the common starting usage time of all ci ∈ Ci and the breakage time of any ci ∈ Ci . Verification Data (VD). VD contains necessary data used for the BTSVer algorithm. Especially, VD must contain the information indicating the start time and breakage time of every ci ∈ Ci for i ∈ [1, n]. This information can be collected from reliable sources such as the NIST standard [39,40]. Then at the time of verifying the validity of algorithms, the block time-stamps and the VD time should be synchronized with the same criteria, e.g., the global time. 4.2

Security Model

In a BLTTS scheme, we make the following assumptions: 1. The verification data VD is trusted. 2. Every time a hash function or signature scheme is threatened but still secure, a stronger hash function or signature scheme is available. A BLTTS scheme should satisfy two properties: correctness and long-term integrity. The definitions of these two properties are given as follows: Correctness. Correctness means that if all entities perform their functions correctly, a BLTTS scheme could prove the existence of data items in longterm periods that are not bounded by the lifetimes of underlying cryptographic algorithms. Definition 1. (Correctness.) Let BLTTS = (BTSGen, BTSRen, BTSVer) be a BLTTS scheme. For the scheme to be correct, it must satisfy that if timestamp proofs TS0 , ..., TSn are generated for any data item D by following the BTSGen and BTSRen algorithms, at time tv ∈ [C.tn , C.tn ], the verification algorithm outputs BTSVer(D, TS0 , ..., TSn , blc, VD, tv ) = 1. Long-term Integrity. The long-term integrity measures the probability of an attacker successfully compromising a BLTTS scheme. Intuitively, we say that an attacker can compromise a BLTTS scheme if it could claim that a data item exists at a point in time but it does not exist, or tamper with existing time-stamp proofs without being detected. Thereby, we say that a BLTTS scheme has longterm integrity if any polynomial-time adversary is unable to compromise the

A Blockchain-Based Long-Term Time-Stamping Scheme

11

BLTTS scheme in long-term periods that are not bounded by the lifetimes of underlying cryptographic algorithms. To formalize this, the long-term integrity model is defined as an experiment, which is displayed as Algorithm 1, running between a long-lived adversary A and a simulator B. B has computational resources comparable to A. A could access a clock oracle clk(·) and a blockchain oracle Blc(·), which are defined as follows: 1. clk(·): P ← clk(t). A inputs a time point t to the oracle, who returns the corresponding computational power P according to the timeline introduced in Sect. 4.1. That means, P develops with the increase of t but is restricted within each period. The ability that A can break or cannot break any algorithm depends on P . 2. Blc(·): TS ← Blc(x), R ← R  (x, TS). A inputs a data item x, the oracle submits x to the blockchain blc, and returns a time-stamp proof TS by following the BTSGen or BTSRen algorithm, and meanwhile records x along with TS in a list R.

Algorithm 1: Long-term integrity (LTI) experiment ExpLTI BLTTS (A) 1 2 3 4 5 6 7 8

Input: n, blc, VD Output: a bit 1 or 0 Set R = [ ]; (x , TS0 , ..., TSn ) ← Aclk(·), Blc(·) /* R is updated for Blc(·) queries. */ if BTSVer(x , TS0 , ..., TSn , blc, VD, tv ) = 1 and ∃(x , TS0 , ..., TSn ) ∈ / R. then Return 1; else Return 0;

We use Pr[ExpLTI BLTTS (A) = 1] to denote the probability of A winning the game in Algorithm 1. By the time tv , we denote the probability that B breaks at Com , and the probability least one hash function within its validity period as BH that B breaks at least one signature scheme within its validity period as BSCom . Definition 2. (Long-term Integrity.) A BLTTS scheme, BLTTS = (BTSGen, BTSRen, BTSVer), holds the long-term integrity property if for any point in time Com +BSCom ). tv , there exists a constant c such that Pr[ExpLTI BLTTS (A) = 1] ≤ c·(BH

5

The Proposed BLTTS Scheme

In this section, we first briefly show why the existing BTS schemes do not satisfy the security requirement of a BLTTS scheme. Then we propose an intuitive

12

L. Meng and L. Chen

BLTTS solution that directly combines the existing BTS schemes and the LTB scheme reviewed in Sect. 3, and prove that the solution does not hold the longterm integrity property of a BLTTS scheme. Thereafter, we propose the first successful BLTTS scheme, which is comprised of three solutions depending on how the client-side data is processed before being written into a blockchain. Finally, we compare the advantages and drawbacks of each solution. The notation follows that in Table 1. Table 1. Notation n∈N

Number of cryptographic algorithm

D

Data item to be time-stamped

i ∈ {0, n}

Index of cryptographic algorithm

Ci

i-th cryptographic algorithm tuple

ci

A particular type of algorithm in Ci

c.ti , c.ti

cHi

i-th client-side hash function

sHi , Si

Starting and breakage time of ci i-th server-side hash/signature scheme

TSi

Time-stamp proof using Ci The verification time

blc

The blockchain used for time-stamping

hi

Hash value computed through cHi

The block provides TSi The previous block of bi

txi

Transaction data

hbi

Hash value of block bi

Index number of block bi Merkle tree root value in bi

sigi tsi

The digital signature of txi Time-stamp included in block bi

VD

Verification data used in BTSVer

pc, ps

Client and server-side hash path

a⇐b

Store parameter b into a

a⊆b

a is included in b

MT(H; D, p)

MT: Merkle tree aggregation algorithm, H: hash function, D: data, p: hash path

tv bi bprei bidi mkrooti

Existing BTS Schemes. The existing Blockchain-based Time-Stamping (BTS) schemes, e.g., “Proof of existence” [7], “OpenTimestamps” [6] and “OriginStamp” [5], can be summarized as the black fonts in Fig. 4. Since these schemes do not specify the BTSRen algorithm, they do not comply with our BLTTS definition in Sect. 4.1. It is trivial to prove that they are vulnerable to attacks after any of cH0 , sH0 , or S0 is compromised.

Intuitive BLTTS Solution. As reviewed in Sect. 3, the existing LTB scheme [10] supports the secure transition of server-side algorithms sH0 and S0 . Intuitively, the guarantee of a long-term secure blockchain in the BTS schemes may be able to achieve a BLTTS scheme. Thus, we add a BTSRen algorithm and corresponding procedures in the BTSVer algorithm in the existing BTS schemes by leveraging the LTB scheme (as the red fonts in Fig. 4). Now we analyze the long-term security of the intuitive solution based on our security model proposed in Sect. 4.2.

A Blockchain-Based Long-Term Time-Stamping Scheme

13

Fig. 4. An Intuitive BLTTS solution that directly combines the existing BTS schemes (black fonts) and an LTB scheme (red fonts) (Color figure online)

Theorem 1. The intuitive BLTTS solution specified in Fig. 4 does not hold the long-term integrity property. Proof. At time t ∈ [cH.t0 , cH.t0 ], A can firstly submit a hash value of data item x calculated using cH0 to the oracle Blc(·), i.e., h0 = cH0 (x). The oracle returns TS0 and records (x, TS0 ) in the list R. After that hash function sH0 and signature scheme S0 could be transferred to stronger ones before they are compromised. For x, the hash transition can be described as: sH1 (tx0 , cH0 (x)), the signature transition can be written as: S0 (tx0 , cH0 (x)). But after cH0 is compromised (tv > cH.t0 ), A is able to output (x , TS0 ) with sH1 (tx0 , cH0 (x)) = sH1 (tx0 , cH0 (x )) or S0 (tx0 , cH0 (x)) = S0 (tx0 , cH0 (x )) / R with nonthat achieves BTSVer(x , TS0 , blc, VD, tv) = 1 and (x , TS0 ) ∈ negligible probability. Thus, Theorem 1 follows.   Discussions. If a client-side hash function is used, a BLTTS scheme has two layers of security: the client-side hash function and server-side algorithms. For the BTS schemes, the algorithms on both sides are not renewed to stronger ones, so the adversary could attack any side after the algorithms are compromised. For the intuitive solution, despite the server-side algorithms can be transferred to stronger ones, the client-side could be attacked. The reason is that the data item is not exposed to the blockchain after it is hashed. The long-term security on the server side cannot guarantee the long-term security on the client side. So far, a BLTTS scheme does not exist. This motivates us to propose a BLTTS scheme (in Sect. 5.1) that satisfies long-term integrity. 5.1

Proposed BLTTS Scheme with Three Solutions

Roadmap. As discussed before, the LTB scheme [10] only guarantees the longterm security of the server side. The obstacle is the involvement of client-side hash functions. As reviewed in Sect. 2, the ISO/IEC standard has missed the renewal mechanism for client-side hash functions [20]. In [21], this issue has been analyzed and a comprehensive scheme that supports both client-side and

14

L. Meng and L. Chen

server-side renewal has been proposed for traditional time-stamping. This gives us the following inspirations: 1) the client-side security is easy to be overlooked even by the ISO/IEC standard, 2) client-side and server-side security have the same level of importance and the failure of either side is a bottleneck for longterm time-stamping, and 3) the technique for client-side renewal proposed in [21] could be studied for a BLTTS scheme. In general, our proposed scheme is composed of two folds. For server-side long-term security, we borrow the LTB scheme from [10]. Then we propose three solutions for achieving client-side long-term security: 1) remove the clientside hash functions, 2) renew client-side hash functions with independent timestamp proofs, and 3) renew client-side hash functions with connected time-stamp proofs. These solutions are corresponding to the Solution 1, 2, and 3 as presented in Fig. 5. Some parts of the algorithms are referred to Fig. 4.

Fig. 5. Proposed BLTTS scheme with three solutions

Remarks Our scheme supports both client-side and server-side algorithm renewal. Thus, a renewed time-stamp proof TS1 , ..., TSn could be either for client-side or server-

A Blockchain-Based Long-Term Time-Stamping Scheme

15

side renewal. The difference is that the relations between server-side renewal proofs are explicitly recorded on the blockchain, so these proofs are not necessary to be obtained by users. On the contrary, the client-side renewal proofs are randomly distributed in blockchain transactions, users need to collect their proofs as evidence for verification. The time-stamps in the blockchain should be reliable and accurate to verify the start and breakage time of cryptographic algorithms. The solutions could be referred to related works [28–31] in terms of detailed scenarios. The method to insert a data item, a hash value, or a hash value along with a time-stamp proof into a blockchain transaction depends on 1) which blockchain is selected for the BLTTS scheme, and 2) the specific size of the inputs. For instance, if a user has a small input (lower than 80 bytes) to submit on Bitcoin, OP RETURN is the most efficient choice; for medium amounts of data (between 80 and 800 bytes), P2FMS is the most cost-effective option; for large amounts of data (beyond 800 bytes), the Data Drop w/o method provides the least expensive option [32]. The user should select a data insertion method that has enough capacity for the data item and while it is cost-effective. 5.2

Solutions Comparison

As Table 2 shows, we provide a comparison between Solutions 1, 2, and 3 in the following 6 factors: 1) the renewal type that the user needs to perform, 2) whether the time-stamped data is exposed to the public, 3) whether the data size is limited in each transaction, 4) whether the solution is cost-free, 5) whether there are connections between time-stamp proofs, and 6) the compatibility with existing BTS services. Then we analyze the best application scenario for each solution. Table 2. Comparison between Solution 1, 2 and 3 with multiple factors Sols Cryptographic renewal performed by users

Data exposure

Data size limit per transaction

Costs

Time-stamp connection

Compatible with BTS

1

Server-side signature scheme

Exposed

Limited

Not free

Both sides connected

No

2

Client-side hash function Server-side signature

No

Unlimited

Can be free Server-side connected

Yes

3

Client-side hash function Server-side signature

No

Unlimited

Not free

No

Both sides connected

In Solution 1, a user directly submits the data item to the blockchain. The only action required for the user is to renew server-side signature schemes. Timestamp proofs generated from the server-side hash and signature transitions can be both collected from the blockchain with connections, so the user does not have to hold any time-stamp proof for verification. Since the data is not hashed

16

L. Meng and L. Chen

and compressed, it is publicly readable and the data size is limited in each transaction. The existing BTS services only allow the insertion of a hash value of the data item into a blockchain transaction, thus this solution is not compatible with the services. A user needs to insert data individually with a minimum nondust amount of money for validating a transaction if the blockchain is used for cryptocurrency. In Solution 2, a user submits a hash value of data item(s) to the blockchain. The user needs to renew both client-side hash functions and server-side signature schemes. Time-stamp proofs for server-side renewal are connected, but time-stamp proofs from the client-side are just hash values without connections. The user needs to collect all time-stamp proofs for client-side hash renewal for verification. The data item is not exposed and the data size is unlimited because it is hashed, and it is the only form that the existing BTS services accept. Especially, Opentimestamps and OriginStamp provide free time-stamping services. In Solution 3, a user submits a hash value of data item(s) with a previous time-stamp proof to the blockchain, which brings connections for time-stamp proofs generated from the client side. The user only provides the last client-side time-stamp proof for verification. Besides, both client-side hash functions and server-side signature schemes are renewed by the user. Since the data item is hashed, it preserves data nondisclosure and unlimited data size. But the nested time-stamp proofs in TSi−1 will be harder to be inserted when the size becomes much bigger. This form of submission is not accepted by the existing BTS services, thus it also requires self-insertion by the user with a minimum non-dust amount of money for each transaction. In summary, if data privacy is not a primary goal to be considered, and the size of data is small enough to be inserted, Solution 1 is the perfect choice for users due to its convenience; if the nondisclosure of data is critical to be protected, or the data size is large, or the user cares most about the cost, Solution 2 is the best choice that can be implemented by the existing free BTS services; if data’s nondisclosure and size matters, but the existence of data is required to be proved for a very long time, such as hundreds of years. It may be hard to keep every time-stamp proof for verification, then Solution 3 is a good option because it provides connections between time-stamp proofs.

6

Security Analysis

We now prove that the proposed BLTTS scheme holds each security property in terms of the security models and definitions in Sect. 4.2. Theorem 2. The proposed BLTTS scheme holds the correctness property. Proof. In terms of the definition of correctness, we assume that a group of timestamp proofs TS0 , ..., TSn of a data item D are generated through algorithm BTSGen and BTSRen legitimately. At time tv ∈ [C.tn , C.tn ], the algorithm BTSVer takes input D, TS0 , ..., TSn , VD, blc and tv , and the verifications cover three parts: 1) the correctness of client-side renewal, 2) the connections

A Blockchain-Based Long-Term Time-Stamping Scheme

17

between data item, transaction, block and the blockchain, and 3) the correctness of server-side renewal. We now analyze the output of BTSVer: For Solution 1, by using algorithm BTSGen, the data item D is submitted to a block transaction tx0 on block b0 from blockchain blc. Then the clientside renewal is not required, and the connections between D, tx0 , b0 , and blc are guaranteed. By using algorithm BTSRen, the hash transition and signature transition can be both implemented before the previous server-side hash function sHi−1 or signature scheme Si−1 is compromised, thus the BTSVer algorithm outputs 1 and Solution 1 is correct. For Solution 2 and 3, by using algorithm BTSGen, a hash representation h0 of D is calculated by cH0 and submitted to tx0 on block b0 from blc. Then if the algorithm BTSRen performs correctly, a new hash representation hi (i ≥ 1) of D is calculated by using a stronger hash function cHi before the previous one cHi−1 is compromised, and hi (or hi  TSi−1 ) is submitted to txi on block bi from blc. Thus, the client-side renewal of both solutions are correct, the connections between h0 , tx0 , b0 and blc, and the connections between hi (or hi  TSi−1 ), txi , bi and blc are guaranteed. Same as Solution 1, the server-side hash transition and signature transition can be both implemented at the correct time by algorithm BTSRen, thus the BTSVer algorithm outputs 1 and Solution 2 and 3 are correct, then the theorem follows.   Theorem 3. Assume the verification data VD is trusted, and every time a hash function or signature scheme is threatened but still secure, a stronger hash function or signature scheme is used for renewal respectively, then the proposed BLTTS scheme holds long-term integrity property. As the experiment defined in Sect. 4.2, the adversary A is able to input data item (or hash representation) to the blockchain oracle Blc(·) for obtaining timestamp proofs. Thus, the long-term integrity of the scheme addresses the longterm security of server-side algorithms, and of the client-side hash functions. That means A can win the game through the following two cases: – Case 1: A correctly computes the hash representations of data items aligning with the VD archive, but wins the game by outputting a valid time-stamp, which was not through the blockchain oracle Blc(·). – Case 2: A correctly queries the blockchain oracle Blc(·), but wins the game by outputting a valid time-stamp, which was not aligned with the VD archive. LTI, C1 LTI, C2 (A) = 1] and Pr[ExpBLTTS (A) = 1] to denote the probWe use Pr[ExpBLTTS ability of A winning the game through Case 1 and Case 2 respectively. We use Com Com , BsH , and BSCom to denote the probability that B breaks at least one BcH client-side hash function, at least one server-side hash function, and at least one server-side signature scheme within their validity periods respectively. Then we prove Theorem 3 from Lemma 1 and Lemma 2 corresponding to Case 1 and Case 2. C1 Lemma 1. There exists a constant c such that Pr[ExpLTI, BLTTS (A) = 1] ≤ c · Com Com (BsH + BS ).

18

L. Meng and L. Chen

Proof. Since we adopt the existing LTB scheme [10] for server-side algorithm renewal, their proofs show that the LTB scheme satisfies the following two properties: – Long-term integrity: there is a negligible probability that A can claim a nonexisted data item or tamper with data in any existing blocks on the blockchain without being detected in long-term periods. – Long-term unforgeability: there is a negligible probability that A can output a message m along with a valid signature s on m, and m was not previously signed by S on the blockchain in long-term periods. More accurately, the proof of [10] reduces the probability that a polynomial-time adversary A wins the game through tampering any block data or forging any signature on the blockchain to the probability that B breaks at least a server-side hash function or signature scheme within its validity period, which is negligible. LTI, C1 Com (A) = 1] ≤ c · (BsH + BSCom ) holds, and Lemma 1 follows. Thus, Pr[ExpBLTTS Besides, it directly leads to Theorem 3 holding for Solution 1 in the BLTTS scheme since only server-side algorithms are used in the solution.   C2 Lemma 2. There exists a constant c such that Pr[ExpLTI, BLTTS (A) = 1] ≤ c · Com ). (BcH

Proof. In Case 2, A wins the game by outputting time-stamp proofs TS0 , ..., TSn on a distinct data item x = x, so that BTSVer(x , TS0 , ..., TSn , VD, blc, tv ) = 1. Besides, at time ti for i ∈ [1, n], the two corresponding client-side hash function cHi−1 and cHi used by A must be both collision resistant. Now let us check the following reasoning: At time t0 , A computes a hash representation MT(cH0 ; x, pc0 ) of a data item x (pc0 is empty for the case of a single hash computation of D), and obtains a time-stamp proof TS0 from the blockchain oracle Blc(·). Assume hash function cH0 is collision resistant at t0 . At time t1 , A decides to renew the time-stamp proof TS0 by using a stronger hash function cH1 . Since hash functions cH0 is still collision resistant at this time, A can compute either MT(cH1 ; x, pc1 ) and obtain a new time-stamp proof TS1 (Case a), or A computes MT(cH1 ; x , pc1 ) and obtain TS1 (Case b) from the oracle Blc(·). If A wins the game after Case b happens, it must hold that MT(cH0 ; x, pc0 ) = MT(cH0 ; x , pc0 ). Correspondingly, B can obtain the pair ((x, pc0 ), (x , pc0 )) to break the collision resistance of cH0 within its validity period. This result is contradict to the assumption that cH0 is collision resistant at t1 . If Case a happens, let us carry on with our reasoning. We now assume that cH1 is collision resistant at time t1 . At time t2 , cH0 may have been broken, but we assume that cH1 is still collision resistant, and the hash representation MT(cH1 ; x, pc1 ) is a part of TS1 . Now repeating the previous situation, A can compute either MT(cH2 ; x, pc2 ) and obtains TS2 (Case a), or determine MT(cH2 ; x , pc2 ) and obtain TS2 (Case b) from the oracle Blc(·). Again, if A wins the game after Case b happens, it must hold that MT(cH1 ; x, pc1 ) = MT(cH1 ; x , pc1 ). Correspondingly, B can

A Blockchain-Based Long-Term Time-Stamping Scheme

19

obtain the pair ((x, pc1 ), (x , pc1 )) to break the collision resistance of cH1 within its validity period, which contradicts the assumption, and Case a leads us to continue our reasoning. Carrying on our argument as before, only Case a for each time-stamp proof renewal is considered. We assume that cHn−1 is collision resistant at both tn−1 and tn , and the hash representation MT(cHn−1 ; x, pcn−1 ) is a part of TSn−1 . If A finally wins the game after computes MT(cHn ; x , pcn ) and obtains TSn from the oracle Blc(·), MT(cHn−1 ; x, pcn−1 ) = MT(cHn−1 ; x , pcn−1 ) must hold. Then B can obtain the pair ((x, pcn−1 ), (x , pcn−1 )) to break the collision resistance of cHn−1 within its validity period. In summary, based on the above reasoning, the probability that A wins the game through Case 2 is reduced to the same level of the probability that B breaks at least one client-side hash function within its validity period. Thus, LTI, C2 Com (A) = 1] ≤ c · (BcH ) holds, and Lemma 2 follows.   Pr[ExpBLTTS Combining Lemma 1 and Lemma 2, the winning probability of A from both Case 1 and Case 2 is reduced to the same level of the probability that B breaks at least one client-side hash function, or at least one server-side hash function, or at least one server-side signature scheme within its validity period. There exists a constant c such that: LTI, C1 LTI, C2 Pr[ExpLTI BLTTS (A) = 1] = Pr[ExpBLTTS (A) = 1] + Pr[ExpBLTTS (A) = 1] Com Com + BsH + BSCom ) ≤ c · (BcH Com Com With aggregating BcH and BsH , we have:

(1)

Com + BSCom ). Pr[ExpLTI BLTTS (A) = 1] ≤ c · (BH

Thus, we have proved Theorem 3.

7

Implementations

We implement the main contribution of Solution 2 - client-side hash renewal under the existing BTS services “OriginStamp” and “Opentimestamps” (The server-side algorithm renewal has been implemented in [10]). The Opentimestamps deploys the service on Bitcoin, and the OriginStamp implements the service on Bitcoin, Ethereum, and Ayon blockchain for multiple proofs. The results show that our scheme is very practical and efficient to be deployed into a real blockchain. The details are presented in Appendix A.

8

Conclusions

In this paper, we define the first formal definition and security model for a BLTTS scheme, and analyze that the existing BTS services simply combined with the existing LTB scheme could only prove the existence of data in shortterm periods. We observe that for a BLTTS scheme, the security is comprised

20

L. Meng and L. Chen

of two folds: the client-side hash functions and server-side algorithms. A BLTTS scheme must support the cryptographic renewal for both of these algorithms. Then we propose the first BLTTS scheme with three solutions based on different client-side data formats. We analyze that our scheme satisfies the long-term integrity property, and finally we implement our scheme under existing BTS services and found that it is very efficient and easy to be deployed in real applications. Acknowledgements. This work is supported by the European Union’s Horizon 2020 research and innovation program under grant agreement No.779391 (FutureTPM), grant agreement No. 952697 (ASSURED), and grant agreement No. 101019645 (SECANT).

A

Implementations

In a nutshell, we chose an mp3 file as the data item to be time-stamped and uploaded the file to the services three times to simulate the long-term timestamping process. In each time, the web server calculated the Merkle tree root value and inserted it into a Bitcoin transaction. After the transaction is committed, the web server returned us a time-stamp proof for future verification. The hash functions used are all SHA-256 since currently it is secure and applied in the services, but this can be replaced by stronger hash functions when SHA-256 is proved weak.

Time-Stamping Process. As an example, our first time-stamping process was implemented on 5th April 2021. After we submited the mp3 file to the OriginStamp service, the returning time-stamp proof is shown as the upper part of Fig. 6. The title records the submission time of the mp3 file, which is 00:01:32, 5th April 2021; the string after “Hash” is the hash value of our file computed by SHA-256; the string after “Root Hash” is the Merkle tree root hash value of our file and other files; the string after “Transaction” is the transaction ID (hash value of the transaction) that indicates the particular transaction containing the “Root Hash”. The time-stamp proof is publicly accessible at the website https://www.blockchain.com/explorer by searching block number 677785, or the transaction ID shown on Fig. 6. As shown in the down part of Fig. 6, the “Root Hash” of our file is stored in the OP RETURN script of the Bitcoin transaction. Thereafter, we submit the same file to the Opentimestamp service twice separately at 11:32:06, 9th August, 2021, and 17:02:21, 12th August,2021 to simulate the BTSRen algorithm. The time-stamp proof can be found on block 694946 and block 695443 respectively.

Verification. In terms of the verification procedures specified in Sect. 5.1, it is straightforward to verify that the hash representation (“Root Hash”) of our

A Blockchain-Based Long-Term Time-Stamping Scheme

21

Fig. 6. The returned time-stamp proof from the OriginStamp service (upper) and the OP RETURN script on the Bitcoin blockchain

file is stored with the Bitcoin transaction, the transaction is confirmed in the Bitcoin blockchain, and the server-side algorithms under Bitcoin blockchain are currently secure. Then we can also verify that the hash value of the mp3 file and the “Root Hash” value is correctly calculated by using the SHA-256 hash function. At last, every time-stamp proof is generated when the client-side hash function is secure, the existence of the file is proved at the time displayed on the earliest time-stamp proof. In our experiments, we can prove that the mp3 file “Blue Moon” existed at 01:00, 5th April 2021 even the SHA-256 hash function is later compromised. Evaluation. We evaluate our scheme from the following four aspects: network delay, storage overhead, service fee, and operability. Network Delay. In our experiment, the delay between the submission time of the file and the confirmation time of the transaction is around 60 min for Bitcoin. If the user always submits their file for renewal at least 60 min before the current client-side hash function is practically compromised, the long-term existence proof of the file is guaranteed. Considering the breakage of SHA-1 collisionresistance as an example, it took 12 years from the theoretical attack to practical attack, thus this amount of delay is acceptable.

22

L. Meng and L. Chen

Storage Overhead. Our implementation of Solution 2 only adds a hash value into the blockchain at once, the overhead depends on the output size of the underlying hash function. The output size for SHA-256 is 256 bits. If the output size of new hash functions increases in the future, such as 512 bits, 1024 bits, etc., it will bring a bigger overhead. However, there are different data insertion methods, some of which allow bigger data sizes to be submitted. The overhead is manageable as long as the output size of the new hash function does not increase to an unmanageable level. Service Fee. The consumed costs of our scheme depend on which BTS service is used. For the Proof of Existence service, the submission of every single file costs 0.25 mBTC ≈ 8.3 GBP. The Opentimestamp service is free of charge, and the Originstamp service provides both free service and subscription plans for different levels of service. To be cost-effective, the Opentimestamp and Originstamp services are optimal choices. Operability. Our scheme only requires users to submit their files to any of the BTS services or with their Bitcoin transactions after they know the hash function is needed to be updated. As the above discussed, it is not required for a very accurate date or time. A user can take only several seconds to submit the file, and wait 1 h to get the time-stamp proof in several years. The operations are simple and efficient.

References 1. ISO/IEC 18014–1:2008. Information technology - Security techniques - Timestamping services - Part 1: Framework 2. American National Standard Institute (ANSI). ANSI X9.95-2016 - Trusted TimeStamp Management and Security (2016) 3. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system. In: Decentralized Business Review, p. 21260 (2008) 4. Zheng, Z., et al.: Blockchain challenges and opportunities: a survey. Int. J. Web Grid Serv. 14(4), 352–375 (2018) 5. Gipp, B., Meuschke, N., Gernandt, A.: Decentralized trusted timestamping using the crypto currency bitcoin. arXiv preprint arXiv:1502.04015 (2015) 6. Todd, P.: Opentimestamps: scalable, trust-minimized, distributed timestamping with bitcoin. In: Peter Todd, vol. 15 (2016) 7. Proof of Existence. https://www.proofofexistence.com/ 8. Hepp, T., et al.: OriginStamp: a blockchain-backed system for decentralized trusted timestamping. Inf. Technol. 5–6, 273–281 (2018) 9. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings, ACM Symposium on the Theory of Computing, pp. 212–219 (1996) 10. Meng, L., Chen, L.: An enhanced long-term blockchain scheme against compromise of cryptography. Cryptology ePrint Archive, Report 2021/1606 (2021) 11. Haber, S., Stornetta, W.S.: How to time-stamp a digital document. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 437–455. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-38424-3 32

A Blockchain-Based Long-Term Time-Stamping Scheme

23

12. Bayer, D., Haber, S., Stornetta, W.S.: Improving the efficiency and reliability of digital time-stamping. In: Sequences II, pp. 329–334 (1993) 13. Massias, H., Avila, X.S., Quisquater, J.J.: Design of a secure timestamping service with minimal trust requirement. In: The 20th Symposium on Information Theory in the Benelux (1999) 14. ISO/IEC 18014–2:2009. Information technology - Security techniques - Timestamping services - Part 2: Mechanisms producing independent tokens 15. ISO/IEC 18014–3:2009. Information technology - Security techniques - Timestamping services - Part 3: Mechanisms producing linked tokens 16. Haber, S., Kamat, P.: A content integrity service for long-term digital archives. In: Archiving Conference, vol. 2006, no. 1, pp. 159–164. Society for Imaging Science and Technology (2006) 17. Gondrom, T., Brandner, R., Pordesch, U.: Evidence record syntax (ERS). In: Request For Comments-RFC 4998 (2007) 18. Geihs, M., Demirel, D., Buchmann, J.: A security analysis of techniques for longterm integrity protection. In: 2016 14th Annual Conference on Privacy, Security and Trust (PST), pp. 449–456. IEEE (2016) 19. Buldas, A., Geihs, M., Buchmann, J.: Long-term secure time-stamping using preimage-aware hash functions. In: International Conference on Provable Security, pp. 251–260 (2017) 20. Meng, L., Chen, L.: Reviewing the ISO/IEC standard for timestamping services. IEEE Commun. Stand. Maga. 5, 20–25 (2021) 21. Meng, L., Chen, L.: Analysis of client-side security for long-term time-stamping services. In: Sako, K., Tippenhauer, N.O. (eds.) ACNS 2021. LNCS, vol. 12726, pp. 28–49. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-78372-3 2 22. Buterin, V.: A next-generation smart contract and decentralized application platform. In: White Paper, vol. 3, no. 37 (2014) 23. Tavares, B., et al.: A survey on blockchain technologies and research. J. Inf. Assur. Secur. 14, 118–128 (2019) 24. Yaga, D., et al.: Blockchain technology overview. In: National Institute of Standards and Technology Internal Report (2019) 25. Gipp, B., et al.: CryptSubmit: introducing securely timestamped manuscript submission and peer review feedback using the blockchain. In: 2017 ACM/IEEE Joint Conference on Digital Libraries (JCDL), pp. 1–4. IEEE (2017) 26. Breitinger, C., Gipp, B.: Virtual patent-enabling the traceability of ideas shared online using decentralized trusted timestamping. In: Proceedings of the 15th International Symposium of Information Science, pp. 89–95 (2017) 27. Gipp, B., Kosti, J., Breitinger, C.: Securing video integrity using decentralized trusted timestamping on the bitcoin blockchain. In: Mediterranean Conference on Information Systems (MCIS). Association For Information Systems (2016) 28. Ma, G., Ge, C., Zhou, L.: Achieving reliable timestamp in the bitcoin platform. Peer-to-Peer Netw. Appl. 13(6), 2251–2259 (2020). https://doi.org/10.1007/ s12083-020-00905-6 29. Estevam, G., et al.: Accurate and decentralized timestamping using smart contracts on the Ethereum blockchain. Inf. Process. Manag. 58(3), 102471 (2021) 30. Szalachowski, P.: (Short Paper) Towards more reliable bitcoin timestamps. In: Crypto Valley Conference on Blockchain Technology, pp. 101–104 (2018) 31. Zhang, Y., et al.: Chronos+: an accurate blockchain-based time-stamping scheme for cloud storage. IEEE Trans. Serv. Comput. 13(2), 216–229 (2019) 32. Sward, A., et al.: Data insertion in bitcoin’s blockchain’. In: Ledger, vol. 3 (2018)

24

L. Meng and L. Chen

33. Gao, Y., Nobuhara, H.: A decentralized trusted timestamping based on blockchains. IEEJ J. Ind. Appl. 6, 252–257 (2017) 34. Giechaskiel, I., Cremers, C., Rasmussen, K.: On bitcoin security in the presence of broken crypto primitives. In: IACR Cryptology ePrint Archive (2016) 35. Sato, M., Matsuo, S.: Long-term public blockchain: resilience against compromise of underlying cryptography. In: 26th International Conference on Computer Communication and Networks (ICCCN), pp. 1–8. IEEE (2017) 36. Chen, F., Liu, Z., Long, Yu., Liu, Z., Ding, N.: Secure scheme against compromised hash in proof-of-work blockchain. In: Au, M.H., et al. (eds.) NSS 2018. LNCS, vol. 11058, pp. 1–15. Springer, Cham (2018). https://doi.org/10.1007/978-3-03002744-5 1 37. Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218 2 38. Stevens, M., Bursztein, E., Karpman, P., Albertini, A., Markov, Y.: The first collision for full SHA-1. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 570–596. Springer, Cham (2017). https://doi.org/10.1007/978-3-31963688-7 19 39. National Institute of Standards and Technology (NIST). NIST Policy on Hash Functions. Standard (2017) 40. National Institute of Standards and Technology (NIST). Digital Signature Standard DSS. Standard (2013)

Post-Quantum Verifiable Random Function from Symmetric Primitives in PoS Blockchain Maxime Buser1 , Rafael Dowsley1 , Muhammed F. Esgin1,2 , Shabnam Kasra Kermanshahi3 , Veronika Kuchta4,5 , Joseph K. Liu1(B) , Raphaël C.-W. Phan6 , and Zhenfei Zhang7 1

4

Monash University, Melbourne, Australia [email protected] 2 Data61, CSIRO, Melbourne, Australia 3 RMIT University, Melbourne, Australia The University of Queensland, Brisbane, Australia 5 Florida Atlantic University, Boca Raton, USA 6 Monash University, Subang Jaya, Malaysia 7 Ethereum Foundation, Bern, Switzerland

Abstract. Verifiable Random Functions (VRFs) play a key role in Proof-of-Stake blockchains such as Algorand to achieve highly scalable consensus, but currently deployed VRFs lack post-quantum security, which is crucial for future-readiness of blockchain systems. This work presents the first quantum-safe VRF scheme based on symmetric primitives. Our main proposal is a practical many-time quantum-safe VRF construction, X-VRF, based on the XMSS signature scheme. An innovation of our work is to use the state of the blockchain to counter the undesired stateful nature of XMSS by constructing a blockchain-empowered VRF. While increasing the usability of XMSS, our technique also enforces honest behavior when creating an X-VRF output so as to satisfy the fundamental uniqueness property of VRFs. We show how X-VRF can be used in the Algorand setting to extend it to a quantum-safe blockchain and provide four instances of X-VRF with different key life-time. Our extensive performance evaluation, analysis and implementation indicate the effectiveness of our proposed constructions in practice. Particularly, we demonstrate that X-VRF is the most efficient quantum-safe VRF with a maximum proof size of 3 KB and a possible TPS of 449 for a network of thousand nodes.

1

Introduction

Blockchain technologies have attracted tremendous attention from the research and industrial community. This immense interest ensues from their great promise and the expansion of cryptocurrencies such as Bitcoin or Algorand. Early blockchain systems (e.g., Bitcoin) are based on Proof-of-Work (PoW) which is a consensus mechanism that enables a “lottery” among the miners where the c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 25–45, 2022. https://doi.org/10.1007/978-3-031-17140-6_2

26

M. Buser et al.

winner gets the reward and decides how to extend the blockchain (i.e., adds the next block). The winner is elected as the first node who solves a difficult computational puzzle. Due to the costly nature of PoW thus less environmentally sustainable, an alternative consensus mechanism based on Proof-of-Stake (PoS) has gained popularity [2], which assumpts that the majority of the wealth in the system is controlled by the honest participants. In contrast, PoW considers that the majority of the computing power belongs to the honest participants. An important cryptographic primitive that many PoS solutions rely on for security is Verifiable Random Functions (VRFs). VRFs can also be used in different blockchain applications as described in later sections. Despite their usefulness, a significant concern regarding the currently deployed VRF solutions is that they are susceptible to attacks by powerful quantum computers. Major recent advances [10] in quantum computing technologies have increased the importance of research in the domain of post-quantum cryptography, i.e. schemes that resist attacks from scalable quantum computers. Indeed, such quantum computers can break the currently used classical cryptosystems such as RSA and discrete logarithm based systems, including ECVRF deployed in Algorand. In light of the increasing importance of quantum-safe cryptographic solutions, researchers have also been focusing on making tools used in blockchain to be quantum-safe. For example, Esgin et al. [12] designed a quantum-safe VRF scheme based on lattice-based cryptography, named LB-VRF. Despite being a significant step forward in making post-quantum VRFs practical, this scheme has a major drawback. In particular, it requires constant key updates since a key pair can just be used to generate only a few VRF outputs (e.g. their most efficient scheme just has a single output). This requirement of constant key updates leads to further complications to accommodate for the weaker VRF functionality. Our goal in this work is to overcome such challenges in this only-known practical post-quantum VRF scheme [12], by introducing a VRF construction based solely on symmetric primitives. In addition to being more efficient than prior post-quantum schemes and supporting much longer key lifetime, our approach is based the safest post-quantum cryptography alternative. Indeed, symmetric primitives have been defined and standardized for decades, hence boosting confidence in using them. Other post-quantum candidates such as multivariate or lattice-based cryptography are relatively new and may more likely be broken when more cryptanalytic efforts are undertaken [4]. We proceed to discuss VRFs in more detail and how they are employed in the blockchain. 1.1

Verifiable Random Function (VRF)

Micali et al. [24] introduced the concept of VRF, a variant of Pseudorandom Functions (PRFs) satisfying a verifiability property. This means that the knowledge of a secret key enables to evaluate the pseudorandom function and prove the correctness of such evaluations without revealing the secret key or compromising the function’s pseudorandomness. In more detail, a VRF is associated with a secret key skVRF and the corresponding public key pkVRF , which can be used to verify the VRF output. Using the secret key skVRF , a user can compute

Post-Quantum Verifiable Random Function

27

the function (yVRF , πVRF ) ← VRFEval(skVRF , x) at some input x and generate a corresponding proof πVRF of the correct computation of yVRF . The proof πVRF can be verified using pkVRF (and public parameters). Additionally to the pseudorandomness and verifiability properties, a secure VRF should also satisfy the notion of uniqueness. This means that under a fixed public key and a fixed VRF input x, there cannot exist valid proofs π  VRF of correct computation corresponding to two distinct VRF output values yVRF = y VRF . 1.2

VRFs in the Blockchain

VRFs are widely used in PoS blockchains to conduct secret cryptographic sortition. These include electing block proposers and voting committee members [8,9,13,16,17,23] as well as various applications in smart contracts such as online lottery. Our focus VRF application in this paper is the cryptographic sortition in the blockchain. Cryptographic sortition is an innovation of Algorand which enables a set of users to select themselves to participate in Algorand’s consensus protocol in a private manner. That is, they are not identified to anyone else; including potential adversaries [1]. The committee-based consensus protocol proposed by Gilad et al. [13] for Algorand leverages on a VRF to implement cryptographic sortition. Moreover, the VRF arrangement in Algorand enables fair private non-interactive random selection of committee members, weighted by their account balances.1 This random selection of committee members in Algorand also prevents attackers from targeting a specific committee member. Additionally, the use of a VRF in Algorand’s consensus protocol provides scalability and performance required to support millions of users. The core of Algorand’s blockchain is a Byzantine Agreement protocol that is executed among a small randomly chosen committee of users for each round [13]. More precisely, this protocol makes use of a VRF in the following way. Each user holds a secret/public key pair (skVRF , pkVRF ). Let B be a block to be added. Each user should take the following steps to determine whether she is part of the committee [15]: 1. Compute (yVRF , πVRF ) ← VRFEval(skVRF , Q) for the user secret key skVRF and a publicly known random seed Q and output a pseudorandom value yVRF and a proof of correct computation πVRF . 2. Check if yVRF is in the target range [0, P ], where P is a parameter that depends on the current stake of the user. If this condition holds, the user will be a committee member for B. The committee membership can be verified by all users in Algorand’s network by executing the verification algorithm of the VRF with pkVRF , Q, yVRF and πVRF as input, and additionally checking if yVRF ∈ [0, P ]. Algorand instantiates their protocol with a long-term (practically unlimited) stateless VRF based on elliptic curves (ECVRF). Similarly, Ouroboros Praos [8] conducts a private test that is 1

A user would not benefit from having/creating multiple accounts.

28

M. Buser et al.

executed locally using a VRF to determine whether a participant belongs to the slot leader set for any slots within a specific time period. The uniqueness, pseudorandomness and provability properties of the VRF play crucial roles in preventing brute-force attacks that try various output values yVRF in order to find one that falls within the desired range. Particularly, a user with access to the secret key cannot create multiple valid yVRF values (thanks to uniqueness) and, also it is infeasible for an adversary to predict yVRF in advance (thanks to pseudorandomness). Moreover, the committee membership procedure as well as its verification are computationally inexpensive, making the consensus protocol highly scalable. 1.3

Our Contributions

As mentioned above, our goal in this work is to introduce an efficient postquantum VRF solution that overcomes the drawbacks of prior state-of-the-art schemes. In particular, our contributions can be summarized as follows: – Post-quantum VRF X-VRF: We introduce a practical many-time ‘blockchain-empowered’ post-quantum VRF, called X-VRF (see Sect. 4). It is built only from symmetric primitives, particularly XMSS signature. We avoid the need for a stateless signature by utilizing the state of the blockchain (i.e., block number) as a counter. This approach makes the VRF stateless from a user’s point of view. In fact, the blockchain’s block number, which is already maintained by and available to all users, is the only state information required for our application of X-VRF. We provide a technical overview of our approach in the next section. – “Naive” post-quantum VRF: For a good viewpoint of comparison, we also introduce a naive post-quantum VRF scheme that combines a PRF with a non-interactive zero-knowledge proof (NIZK) of correct evaluation (see Sect. 3). We pick the NIZK based on the proof system in [22] which also uses symmetric primitives and thus is fair to our comparison. As expected, this proposal yields a stateless VRF construction, which we call SL-VRF. It is significantly more costly in terms of computation and communication in comparison to X-VRF while being long-term and stateless. We discuss (in Sect. 6) how SL-VRF can be deployed in conjunction with X-VRF to exploit the advantages of each proposal. Particularly, SL-VRF can be deployed as a fall-back option thanks to its (practically) unlimited key lifetime. – Implementation and performance evaluation: We implement X-VRF under different settings and provide a thorough evaluation analysis that shows its efficiency and practicality (see Sect. 5). All of our settings provide a very efficient performance: the computation time for both the evaluation and verify functions is less than 1 ms. A user public key and a secret key are just 64 bytes and 132 bytes, respectively, while the proof size is only around 3 KB for all settings. The main difference between X-VRF instances is the tradeoff between (one-time) key generation runtime, memory requirement and the lifetime of a key pair. Our experiments show that SL-VRF is 500 to 5000 times

Post-Quantum Verifiable Random Function

29

slower than our X-VRF in evaluation and verification, while the proof size is also 13 times larger than our X-VRF (see Table 1). – Integration to Algorand: We integrate X-VRF into the Algorand blockchain and compare our result with the only practical post-quantum VRF, namely LB-VRF [12], to demonstrate the practicality of our X-VRF (See Sect. 6). To support 100 nodes in the blockchain system, our VRF can achieve almost 1000 transactions per second (TPS). If we increase the number of nodes to 1000, our VRF can still achieve around 500 TPS. Our integration demonstrates that all X-VRF settings offer a better TPS than LB-VRF and additionally providing a practically long to ultra long key lifetime, ranging from 45 h to 20 years, while the LB-VRF key life-time is only of 5 s (see Table 2). 1.4

Our Approach

Deterministic XMSS [6], presented in Appendix A.3, is a good candidate for the construction of a post-quantum VRF. The main reason is that it is the most efficient post-quantum signature scheme constructed from symmetric primitives in terms of signature size. XMSS employs a hash tree, where each leaf uses a one-time signature scheme called WOTS+ [19]. WOTS+ is by construction unique (i.e., for any fixed message and public key, one can only create a single valid signature). However, by itself, deterministic XMSS does not satisfy the fundamental uniqueness property of a VRF. This is since a user can use different tree leaves (that is, different WOTS+ keys) to construct a new XMSS signature for the same message. Thus, it is obvious that a user can generate two different valid XMSS signatures for a single message. To satisfy the uniqueness of XMSS, we need to force the user to use a predetermined WOTS+ key pair in signing. For this, we make use of the blockchain state, i.e., empower XMSS with blockchain. In particular, the block number of a particular round in the blockchain consensus can serve as a global counter. This, can be used to force users to use a specific WOTS+ key pair at each round. More precisely, at block number K, when verifying the XMSS-based VRF output, the verifier also checks that the leaf index indicated by the authentication path is consistent with K (see Fig. 1). As a result, this ensures that the user cannot choose between different WOTS+ keys and also allows users to avoid maintaining a local state. We formally prove that our X-VRF constructed from this approach satisfies all security requirements of a VRF. On the other hand, due to the computational/storage cost of creating and storing a big hash tree, X-VRF cannot be used to create, say, 264 outputs as each output consumes one leaf. We investigate various X-VRF instances with trade-offs between computation, storage and lifetime of an X-VRF key pair. For example, the X-VRF-27 (with 227 leaves) construction offers a key lifetime of more than 20 years in the Algorand setting and hence can be seen as long-term VRF, though it requires a relatively long (around 2 days on a single core) one-time key generation process. Of course, this process can be optimized using standard techniques such as parallel processing or delegating computation.

30

M. Buser et al.

In the rest of the work, we formally define VRFs, and commence by presenting our “naive” VRF proposal, SL-VRF. Then, our main constructions, X-VRF, is presented, followed by our implementation and evaluation results. We finally discuss the integration of our proposals to Algorand.

2

Verifiable Random Function (VRF)

This section formally defines the concept of VRF and its security requirements. Definition 1 (VRF [24]). A VRF with input length (λ) and output length m(λ) consists of the following polynomial-time algorithms: ParamGen(1λ ): On input the security parameter 1λ , this probabilistic algorithm outputs some global, public parameter ppVRF . KeyGen(ppVRF ): On input public parameter ppVRF this probabilistic algorithm outputs two binary strings, a secret key skVRF and a public key pkVRF . VRFEval(skVRF , x): On input a secret key skVRF and an input x this algorithm outputs the VRF value VRF and the corresponding proof πVRF proving that yVRF was correctly computed. Verify(pkVRF , yVRF , x, πVRF ): On input (pkVRF , yVRF , x, πVRF ) this probabilistic algorithm outputs either YES or NO. A secure VRF satisfies the following properties: Provability: If (yVRF , πVRF ) is the output of VRFEval(skVRF , x), where pkVRF , skVRF are honestly generated, then: YES← Verify(pkVRF , yVRF , x, πVRF ). Pseudorandomness: Let A = (A1 , A2 ) be a polynomial-time adversary playing the experiment Exppr A presented in Fig. 2. A VRF achieves pseudorandomnes iff = 1] < 1/2 + negl(λ). Pr[Exppr A Uniqueness: No values (pkVRF , yVRF,1 , yVRF,2 , x, πVRF,1 , πVRF,2 ) can satisfy Verify(pkVRF , yVRF,1 , x, πVRF,1 ) = Verify(pkVRF , yVRF,2 , x, πVRF,2 ) = 1, when yVRF,1 = yVRF,2 Note: In contrast to the unconditional uniqueness property defined in [24], our VRF constructions satisfy computational uniqueness, where the running time of the adversary attacking the uniqueness property is polynomially bounded. This stems from the fact that we rely on the collision-resistance of a hash function.

3

SL-VRF: Stateless Verifiable Random Function from PRF and NIZK

We adopt the idea of instantiating a VRF from a PRF+NIZK construction which was introduced in [14]. Recent works like [7,22] allow to prove knowledge of a secret key k that generates y ← PRF(k, x) while preserving the secrecy of k, using only symmetric primitives; where x, y are public information. This means that PRF is an arithmetic circuit like a block cipher or a hash function. The

Post-Quantum Verifiable Random Function

31

current state of the art is the NIZK scheme of Katz et al. (KKW) [22] which is at the heart of the post-quantum security of the digital signature Picnic [7] submitted to the NIST standardization process. The KKW NIZK protocol [22] proves the knowledge of a secret key without revealing any information about it, based on the input and outputs of a binary circuit like a PRF or a block cipher. KKW is instantiated using the concept of MPC-in-the-head introduced in [20]. MPC-in-the-head simulates a multi-party computation of the circuit between P parties. Then to prove the knowledge of the secret key, the protocol reveals the views of all parties except one. The proof is verified by recomputing the output based on the view of P − 1 parties. The size of the proof depends directly on the number of parties P of the MPC protocol. In the circuit, there are four different operations: Addition with a public constant, addition of values computed by all parties (“OR” gates), multiplication with a constant and multiplication of values computed by all parties (“AND” gates). Only the last one requires communication between the parties to be performed. This means that the proof contains the views of P − 1 parties for each “AND” gate of the circuit, and therefore its number needs to be optimized. For this reason, KKW works with the block cipher LowMC [3] which is a cryptographic primitive with low multiplicative complexity, i.e. low number of multiplications in a circuit (“AND” gates). Ensuring Uniqueness. The idea behind our stateless VRF construction is to use the block cipher LowMC as a PRF to generate the random outputs and then prove with KKW the knowledge of the secret key skVRF . In other words, taking a message x as an input, a user generates the corresponding pseudorandom outputs y ← PRF(skVRF , x) and then uses the KKW protocol as the VRF proof. KKW protocol is made non-interactive using the Fiat-Shamir transform. However, KKW allows to prove the knowledge of the secret key that generates y from the public x without requiring the use of the public key linked to the secret key skVRF . This causes a problem for the uniqueness of the VRF. Indeed, a user could generate a different value y  for the same input x using another secret key skVRF . Therefore, we modify the public key as follows: pkVRF is now composed of two elements pkVRF1 and pkVRF2 such that pkVRF2 ← PRF(skVRF , pkVRF1 ). The evaluation procedure will prove that the secret key which generated y from x is the same as that which generated pkVRF2 from pkVRF1 . Thus it is infeasible for a malicious user to change its secret key for generating another VRF output. 3.1

SL-VRF from PRF+NIZK Construction

ParamGen(1λ ) : Pick a collision-resistant hash H : {0, 1}∗ → {0, 1}n (for the FiatShamir transform) and a Pseudorandom function PRF : {0, 1}∗ × {0, 1}n → {0, 1}n . Output public parameters ppVRF = (H, PRF). $

KeyGen(ppVRF ) : On input public parameters computes skVRF ← − {0, 1}n and $

− {0, 1}n . Then it computes pkVRF2 ← PRF(skVRF , pkVRF1 ) and sets pkVRF1 ← pkVRF = (pkVRF1 , pkVRF2 ) VRFEval(skVRF , x) : Given skVRF and a message x, the algorithm computes:

32

M. Buser et al.

1. y ← PRF(skVRF , x) 2. pk.check ← (x, y, pkVRF ) 3. πNIZK ← Prove(pk.check, skVRF ). For a relation R the NIZK proof πNIZK holds iff: (a) y ← PRF(skVRF , x) and (b) pkVRF2 ← PRF(skVRF , pkVRF1 ). This can be done due to the KKW [21,22] procedure on a binary circuit composed of two PRFs (LowMC block cipher as explained before) linked with an additional "AND" gate, assuring that both statements are fulfilled. VRFVerify(y, x, πNIZK ) : On input (πNIZK , x, y) it runs NIZK verification algorithm Verify(x, y, πNIZK ) of the underlying KKW NIZK proof and outputs 0/1. The security depends on the properties of the underlying PRF for a given key skVRF (collision resistance and one-wayness) and the security of KKW [22]. SL-VRF Security Discussion. The provability of SL-VRF follows via direct investigation. As long as the underlying KKW NIZK proof is correct, SL-VRF is provable. The security, i.e. uniqueness and pseudorandomness of our SL-VRF depends on the properties of the underlying PRF. The uniqueness follows from two facts: (1) the PRF output is a deterministic function of the secret key skVRF and the input x, meaning that evaluating the PRF twice on the same value yields the same output. (2) the validity proof of the statement (3)(b) in the VRF evaluation procedure (VRFEval) presented in Sect. 3.1 forces each user to use her fixed secret key for each evaluation. This ensures uniqueness due to the deterministic property of the PRF as explained before. The pseudorandomness of the VRF output is inherited from the corresponding pseudorandomness property of the underlying PRF. To evaluate the efficiency of our SL-VRF, we analyse the underlying NIZK proof construction. A detailed evaluation is given in Sect. 5.

4

X-VRF: Verifiable Random Function from XMSS

This section introduces a construction of a secure VRF from XMSS (see Definition 2 in Appendix A.3). As discussed in the introduction, naively extending XMSS to a VRF does not result in a secure construction as the uniqueness property can easily be violated. In particular, when a user constructs a hash tree in XMSS, she can use any of the leaves (i.e., WOTS+ keys) to create the XMSS signature. As a result, XMSS by itself does not satisfy uniqueness. This is indeed very problematic in a blockchain application that, for example, uses the VRF output to perform leader election (as in Algorand). More specifically, the user can simply create a huge hash tree, say, with N leaves for XMSS. Then she will be able to amplify her success probability of being elected by a factor of N , as she can try to create the XMSS-based VRF output from each leave and can output the one that is successful. To circumvent this problem, we index every VRF evaluation and modify the uniqueness requirement to the case where for a fixed message and public key, the VRF evaluations with the same index always lead to the same value. Then,

Post-Quantum Verifiable Random Function

33

in the later sections, we enforce all users to use a pre-determined index ctr when creating an XMSS-based VRF output. This way, the users cannot choose between multiple leaves and can only produce a single signature output on a message. 4.1

X-VRF from XMSS Construction

ParamGen(1λ ) : On input security parameter λ, output public parameters ppVRF = H, for H : {0, 1}∗ → {0, 1}n . Where H is a hash function. KeyGen(ppVRF ) : On input public parameters ppVRF , 1. Run (XMSS.idx, XMSS.sk, XMSS.pk) ← XMSS.KeyGen(1λ ), 2. Output (idxVRF , pkVRF , skVRF ) = (XMSS.idx, XMSS.pk, XMSS.sk). VRFEval(skVRF , x, idxVRF ) : On input skVRF = XMSS.sk, a message x and an index ctr = idxVRF , 1. Run XMSS.σ = (WOTS+ .σ, i, XMSS.Auth) ← XMSS.Sign(XMSS.sk, x, ctr), 2. Set πVRF = XMSS.σ, 3. Compute yVRF ← H(XMSS.σ, x), 4. Output (πVRF , yVRF ). VRFVerify(pkVRF , x, yVRF , πVRF ) : On input (πVRF , yVRF ), the public key pkVRF and a VRF input x, 1. Parse πVRF = XMSS.σ = (WOTS+ .σ, i, XMSS.Auth), 2. If i and XMSS.Auth are inconsistent (i.e., if the leaf index indicated by XMSS.Auth is not equal to i), output NO. 3. Otherwise, if the verification of XMSS.σ succeeds and yVRF = H(XMSS.σ, x), output YES. 4. Otherwise output NO. In VRFEval, the counter decides which leaf of the XMSS tree is used and this is checked in VRFVerify. In our blockchain application, we enforce users to use a specific publicly known counter value. This is so that the user cannot choose multiple leaves to create a VRF output at a particular point. This is crucial to guarantee uniqueness. It is indeed easy to establish a global counter value in the blockchain environment since it can simply be set to the block number K mod N , where N is a fixed public integer denoting the maximum number of rounds a key pair can be used. In particular, we set N = 2h for an XMSS tree of height h (See Fig. 1 for an example with N = 4). We also remark that with access to such a global counter, the users no longer need to store individual state information. That is, the VRF itself in a way becomes stateless as the users can simply retrieve the block number from the blockchain and do not need to worry about maintaining a state themselves. 4.2

X-VRF Security Analysis

The most critical property we need to analyze is the uniqueness. To this end, we first focus on the uniqueness of XMSS under the constraint that the index used to create the signature is the same. This leads to the following lemma whose proof is given in Appendix A.1. Then, we state the security of X-VRF and provide its proof in Appendix A.2.

34

M. Buser et al.

Table 1. Performance evaluation of X-VRF, SL-VRF, ECVRF and LB-VRF. For LBVRF, we report the results provided in [12]. For the memory requirement of X-VRF, an evaluator stores 2h 256-bit values for h ∈ {15, 19, 23, 27}. Instances

ECVRF X-VRF-15 X-VRF-19 X-VRF-23 X-VRF-27 SL-VRF LB-VRF

Memory for Eval

negl.

1 MB

16 MB

256 MB

4 GB

negl.

negl.

PK size

32 B

64 B

64 B

64 B

64 B

48 B

3.32 KB

SK size

32 B

132 B

132 B

132 B

132 B

24 B

0.45 KB

Proof size

80 B

2.63 KB

2.76 KB

2.88 KB

3.01 KB

40 KB

4.94 KB

KeyGen

0.05 ms

48.9 s

14.2 min

3.73 h

≈58 h

0.38 ms 0.33 ms

VRFEval

0.10 ms

0.72 ms

0.75 ms

0.78 ms

0.80 ms

765 ms

3.1 ms

VRFVerify

0.10 ms

0.87 ms

0.91 ms

0.94 ms

0.97 ms

475 ms

1.3 ms

Lemma 1 (XMSS Uniqueness). Let XMSS.σ1 = (WOTS+ .σ1 , i, XMSS.Auth1 ) and XMSS.σ2 = (WOTS+ .σ2 , i, XMSS.Auth2 ) be two valid XMSS signatures created by a PPT adversary on the same message m and under the same public key XMSS.pk and the same index i (i.e., XMSS.Verify(XMSS.pk, m, XMSS.σ1 ) = XMSS.Verify(XMSS.pk, m, XMSS.σ2 ) = 1). If the hash function used in the XMSS definition is collision-resistant, then XMSS.σ1 = XMSS.σ2 (i.e., XMSS is unique provided that the indices in the two signatures are the same). Theorem 1 (X-VRF Security). X-VRF is correct and satisfies the properties of computational uniqueness and pseudorandomness in the random oracle model. In particular, the uniqueness holds in the sense that the same ctr (or leaf index) must be used in VRFEval as in Lemma 1.

5

Implementation and Evaluation

This section presents the implementation results of our X-VRF construction as well as the naive SL-VRF which is used as a baseline for comparison. Traditionally, VRF constructions from unique signatures require the signature to be stateless. However, we argue that in most of the blockchain applications a stateful VRF is sufficient as the blockchain can easily maintain the state. Both SL-VRF and X-VRF have been implemented in C for a level of postquantum security of λ = 128. We choose to work with SHA-256 as the hash function. The implementation of SL-VRF is based on [25]. It couples KKW [22] with the Fiat-Shamir transform to get a NIZK. The implementation of X-VRF is derived from the XMSS implementation provided in [18]. Both implementations were deployed on Intel(R) Core i7-86500 CPU @ 1.90 GHz 12 GB of RAM. 5.1

VRF Proof Sizes

Table 1 summarizes the proof size of each instance. As expected, the X-VRF constructions clearly outperform SL-VRF with proof sizes at least 13.3 times smaller.

Post-Quantum Verifiable Random Function

35

The VRF proof size in a X-VRF instance denoted by |X-VRF.πVRF | is computed by the following formula |X-VRF.πVRF | = h · n + n · len. The VRF proof of our SL-VRF construction depends only on the size of the NIZK proof [21]. The size that we presented in Fig. 1 differs from the one provided by Katz et al. [22]. The reason behind this is that we used the parameter of the NIST submission presented in [21] which have been optimized to give a compromise between algorithm efficiency and proof size. The size of the VRF proof for SL-VRF construction is denoted by |SL-VRF.πVRF |, and we refer the reader to [21,22] for further details. 5.2

Memory Requirements

In Table 1, we propose applicable memory requirements for our four instances of X-VRF. It is important to know that the memory capacity impacts principally the X-VRF evaluation procedure. The X-VRF key generation procedure does not require expensive memory as the full XMSS tree does not need to be fully stored. A capacious memory can reduce the offline computations for the XMSS evaluation procedure that are the authentication path selection (the grey nodes in Fig. 3). Devices with high memory capacity will be able to store the whole XMSS tree and therefore avoid any offline computation. However, the required memory to store the full tree (together with the WOTS+ keys) would be impractical particularly for the X-VRF-23 and X-VRF-27 instances which would require respectively 35 GB and 350 GB to store the complete binary tree. Therefore, we propose to store the h − 1 levels of the XMSS tree (i.e., the whole tree except the bottom leaves and WOTS+ keys). This means that offline computations are necessary every two evaluations and requires the computation of the two WOTS+ key pairs based on a secret seed and a PRF. For example in Fig. 3, if XMSS.index = 0, the offline phase computes both first WOTS+ key pairs. Then, if XMSS.index = 1 there is no offline computation required as both first WOTS+ key pairs have been generated. Then, when XMSS.index = 2 the offline computation will generate WOTS+ key pairs number 2 and 3. The memory required with this technique for all instances is highlighted in Table 1. This advantage to have cheap offline computations (1 ms) needs to be done for only half of the X-VRF evaluations. Most importantly, it requires a maximum of 4 GB of memory, which can be considered to be acceptable and applicable to lightweight devices. 5.3

VRF Computation Efficiency

We further present four instances of X-VRF with different heights of the XMSS tree. We evaluated VRF with heights 15 (denoted as X-VRF-15), 19 (denoted as X-VRF-19), 23 (denoted as X-VRF-23) and 27 (denoted as X-VRF-27). This means each of these instances can generate, respectively, at most 215 , 219 , 223 and 227 VRF evaluations. Table 1 summarizes the performance of each instance. When it comes to the key generation procedure, SL-VRF outperforms all X-VRF instances as expected. This is because it only requires the selection of a random element of n bits, while all four instances of X-VRF need to generate XMSS tree with a greater height which leads to more computation.

36

M. Buser et al.

Although the KeyGen of SL-VRF is much faster than that of X-VRF, the running time of the evaluation algorithm Eval of SL-VRF cannot compete with the stateful construction X-VRF. Eval of SL-VRF requires the simulation of MPC computation, which is quite costly. Table 2. Estimated TPS for our VRFs with different signatures on various number of nodes. ‘N/A’ means the given number of nodes cannot be supported. #Nodes Signature

X-VRF-15 X-VRF-19 X-VRF-23 X-VRF-27 SL-VRF ECVRF

LB-VRF

10

Ed25519 1010 Rainbow 1008 SPHINCS+ 34

1010 1008 34

1010 1008 34

1009 1007 34

940 938 32

1015 1013 34

1000 998 32

50

Ed25519 990 Rainbow 988 SPHINCS+ 33

989 987 33

988 986 33

987 985 33

639 638 21

1014 1012 34

939 937 22

100

Ed25519 966 Rainbow 964 SPHINCS+ 32

963 961 32

961 959 32

958 957 32

263 263 9

1014 1012 34

862 861 10

1000

Ed25519 521 Rainbow 520 SPHINCS+ 17

496 495 17

474 473 16

449 448 15

N/A

1000 998 34

N/A

1 month

1.3 years

>20 years Practically unlimited 5 s

Key lifetime

45 h

The performance of the evaluation algorithm of X-VRF instances is really competitive. The underlying reason is that only the WOTS+ signature needs to be computed at the spot, as the authentication path could be pre-computed. For X-VRF, the evaluation cost is at most (w − 1) · len calls of the cryptographic hash function. Our results demonstrates that X-VRF is at least 956 times faster than SL-VRF for the VRF evaluation. The VRF verification of X-VRF also outperforms SL-VRF by at least 474 ms. The total cost verification for SL-VRF is the verification of a number of execution of the MPC-in-the-head with P − 1 parties (details presented in [21]), while X-VRF needs only a maximum of h + w · len + log len calls to the hash function H. Note that verification runtime in the blockchain application is an important metric as this needs to be repeated by all (honest) committee members.

6

Integration to Algorand

In this section, we discuss the details of our X-VRF integration into the Algorand consensus protocol. As discussed earlier, the uniqueness of X-VRF (and the underlying XMSS signature) crucially relies on enforcing the use of a single predetermined counter ctr in VRFEval (or index XMSS.idx in XMSS.Sign). We can achieve this easily in the blockchain setting. In particular, there is already the

Post-Quantum Verifiable Random Function

37

block number that serves as a globally agreed, inalterable and publicly accessible counter. Let N = 2h be the number of leaves in XMSS and K be the block number. Then, we let the verifiers check that the ctr (or XMSS.idx) used at block number K is equal to K mod N . Therefore, every user is forced to use the leaves in a certain order and we can achieve uniqueness. 6.1

Performance Estimation

To better illustrate our benchmark results, it is important to understand the bottleneck of the current Algorand protocol. As of September 2020, Algorand’s mainnet employs over 1000 nodes, and allows for roughly 5.4 MB of data propagated per block, as a result of their efficient consensus protocol. It consists of 5000 signed transactions, at 1064 bytes each, and 80 KB for VRF data. To break up the VRF part, 1000 nodes implies 1000 ECVRF proofs, which is around 80 KB of data. It is straightforward to see that the majority of the data is reserved for transactions. Under the assumption that a transaction is 1 KB on average, and the signature is Ed25519, Algorand allows for 5K transactions per block, or, roughly 1K transaction per second (TPS) as Algorand generates a block in about 5 s. Note that, in Algorand, although the final blocks only log transactions (while VRF payload is not included in the final blocks by design - the committee members only attest that they have seen enough votes, without putting that information to the block for performance reasons), the actual data propagated through the network during each block is indeed the combination of VRF payload and the transaction payload. Therefore it makes sense to use this total payload size as the network’s throughput limitation, rather than the actual blocksize. To summarize, we follow [12] and estimate the Algorand TPS throughput as follows: TPS =

payload size − total VRF cost × #nodes . (transaction size + signature size) × blocktime

Note that as ‘refreshing’ a key pair happens much less frequently for X-VRF (in comparison to LB-VRF), the per-round cost of a key refreshment is negligible in our setting. Using the above formula, we estimate the TPS throughput of Algorand using our VRF in combination with different signature schemes that are used to authenticate transactions. In this computation, we make the following assumptions as in [12] for a fair comparison. We assume a payload size of 5.4 MB. We follow Algorand and assume 1 KB data for transaction size. As Algorand generates a block in about 5 s, we take blocktime as 5 s. The last moving part in the equation is the signature size. For this component, we consider the original Ed25519 signature used by Algorand, whose signature size is 64 bytes. In addition, we also consider two extreme cases in the post-quantum setting: (i) Rainbow2 [11] -the shortest signature finalist candidate in NIST’s Post-Quantum Cryptography standardization process- whose signature size is 2

https://www.pqcrainbow.org/.

38

M. Buser et al.

as small as 66 bytes3 , and (ii) SPHINCS+ [5], whose signature is 30696 bytes, which relies on symmetric primitives only. For X-VRF, we further set the tree heights as 15, 19, 23, 27. This means a user can use the same key in X-VRF for roughly 45 h, 30.3 days, 1.33 years and more than 20 years, respectively. For SL-VRF, the nodes would not ever need to re-generate keys in practice. We will talk about X-VRF key schedules in the next section. Turning to the performance comparison, as one shall see in Table 2, our X-VRF can be integrated into Algorand for all four settings. For the real-world scenario (1000 nodes), with X-VRF we see a roughly 55% reduction in TPS for both Ed25519 and Rainbow. Note that it is a common understanding that postquantum cryptography performs much worse, compared to classical ones. Hence, we believe that even a 55% reduction should be considered as a great achievement of our solution, rather than a drawback. The throughput for SPHINCS+ is much worse, recording 16 TPS on average. We note that even this case is still faster than Bitcoin (at 5 TPS). On the other hand, the stateless VRF SL-VRF does not perform well for large networks. Our simulation shows that the consensus is only possible for a network of at most around 100 nodes. When the number of nodes is higher, the blockchain capacity is not sufficient to transmit the SL-VRF payload, thus, making the protocol unusable. 6.2

Dual Key Scheduling

Now that we know X-VRF provides a more practical solution than SL-VRF, it is imperative to argue the usability of our stateful X-VRF. In our vision, a protocol should deploy both X-VRF and SL-VRF. X-VRF provides great performance, and should always be used when they are available. However, as per setup, an X-VRF key needs to be refreshed once in a while, requiring the user to be online at a certain time. This update requires an additional 64 bytes for VRF public keys, and a signature on the public key for authenticity, per cycle. We consider this cost to be negligible, compared to the remaining cost as for X-VRF-23, for example, a cycle happens only every 1.33 years. In practice though, we cannot rule out the cases where users may lose their keys. For conservative purposes, nonetheless, it is desirable to have a backup plan: the user falls back to SL-VRF if he has consumed all X-VRF keys and has not uploaded a new X-VRF key (see Fig. 1). There are nonetheless two additional subtleties here. First, if every user needs to update their keys periodically, the network may be flooded by X-VRF keys that are never used. Our solution is as follows. For relay nodes who may be very frequently selected as committee members, we suggest to use X-VRF. They are actually a very small portion of the user base, and account for the majority of VRF payloads. For casual users who perhaps will vote rarely in their lifetime, it is sufficient to use SL-VRF, which minimizes the number of key updates. The other issue is with the VRF randomness. At a given round when the user does not have an X-VRF key, the user may actually choose to either upload a new X-VRF key, or use his default SL-VRF key. This breaks the uniqueness of 3

The signature length of 48 bytes of an earlier Rainbow version is used in [12].

Post-Quantum Verifiable Random Function

39

the VRF. Our solution is to enforce the user to announce its new X-VRF key a few (say, k) rounds prior to it being active, where k is a system parameter and is currently set to 10 by Algorand blockchain. This approach is indeed already adopted by Algorand with its ECVRF, to limit attackers with a large share of tokens from speculating the block randomness (derived from ECVRF) in the future. It is straightforward to see that, with this restriction, for any given round, if the user has announced an X-VRF key 10 blocks earlier, then it must use that key; otherwise it must use its SL-VRF key. Thus, uniqueness remains intact. Eventually, we achieve a post-quantum blockchain that supports both X-VRF and SL-VRF. Under the assumption that most of the users will be online regularly, we further assert that the final TPS will be (very) close to the data for X-VRF in Table 2. Since this dual VRF is an orthogonal direction from this paper, we leave the rigorous analysis to future work. 6.3

X-VRF Instances

As explained previously, we propose four different instances of X-VRF and these are the only applicable constructions to Algorand’s 1000-node setting as the results in Table 2 demonstrate. Because of the stateful nature of the XMSS signature, there is a maximum number of possible VRF evaluations per key pair. Our goal in the choice of XMSS tree heights is to have VRF instances that can be used for at least one day in Algorand (X-VRF-15) without updating the keys, another for at least one month (X-VRF-19), the third one for at least one year (X-VRF-23) and the last one (X-VRF-27) which could be used for more than 20 years. Each of these VRF instances has different advantages which can be summarized as follows. When using the X-VRF-15, the keys need to be updated every 45 h. If we assume that each node stores the full XMSS tree it will require 1 MB of storage which is 256 times less than the memory required to store a XMSS tree when using the X-VRF-23 and even 4096 times less than in the case of X-VRF-27. The main disadvantage of using X-VRF-15 is the regular key update that needs to be performed every 45 h yielding several regular updates during the year. X-VRF-19 allows the network to update the keys only once per month but the computational cost of these monthly updates is 32 times higher than the cost needed when X-VRF-15 is used. X-VRF-23 offers the possibility to make this update only every 1.33 years but the cost of this update for each node takes 3.73 h on our machine and is 256 times greater than the cost required in X-VRF-15. Our last instance, X-VRF-27 avoids the need for a key update for more than 20 years, the key generation would be only necessary when new nodes join the network or when a node has lost its key. The main advantage of this instance is that the network does not need to go through a regular key update similar to the SL-VRF instances. The disadvantage is the cost to join the network or the cost of losing the key which takes around two days on our machine and is 4096 times greater than the cost of an update in X-VRF-15. Table 2 illustrates the expected TPS for each of X-VRF instances, and as explained previously the best performance is achieved with the Rainbow signature scheme. For this part, we assume that nodes will not lose their key. For a

40

M. Buser et al.

network composed of 10 nodes, all X-VRF instances achieve the same expected TPS which means that in a network of 10 to 50 nodes instances with fewer key updates could be privileged. For a network of 100 nodes, X-VRF-15 achieves the best TPS, however its TPS difference with X-VRF-27 consists of only 8 transaction per second. When there are 1000 nodes the difference of TPS is logically larger, X-VRF-15 could process 72 transactions per second more than X-VRF-27 when using Ed25519 or Rainbow signature scheme. However, the synchronization of a generalized key update for a larger network could be more challenging and could slow down the process. Memory Optimization. We presented in Sect. 5.2 the ideal memory requirement to achieve a balance between offline computations and memory consumption (See Table 1). However, it is important to know that these memory requirements are flexible and can be adapted to user specified preconditions. As previously explained, the fast way to evaluate the VRF is to pre-store the path in the tree and then compute the WOTS+ signature for the current round. However, the current node does not necessarily need to store h − 1 levels of the full tree. Indeed, the node can pre-compute and store only certain paths that are needed for the rounds in the near future. As the rounds progress, the paths that are no longer needed can be discarded and new paths can be pre-computed and stored. This way, we can keep the memory requirements at even lower levels. Overall, there are straightforward trade-offs to be considered depending on the user’s system specifications. Choice of Instance. We showed that all four X-VRF constructions are promising post-quantum VRFs applicable in an existing network like Algorand. Each of them have different advantages going from memory consumption to key update times. To avoid the challenges of synchronizing key updates throughout the network, X-VRF-27 appears to be the best. If the focus is on achieving the best TPS and reducing the impact of key loss, then X-VRF-15 would be the best. X-VRF-23 provides a trade-off between TPS and the recurrence of key updates. Moreover, our proposition of a dual key system by coupling X-VRF with SL-VRF combines the best of two worlds. 6.4

Comparison with Current State-of-the-art and Final Remarks

To the best of our knowledge, there exists only one other practical post-quantum VRF provided in [12] using lattice-based techniques and we refer to it as LBVRF. Table 2 presents the expected TPS in Algorand, as given in [12], for LBVRF. Our results show that all four X-VRF instances outperform LB-VRF when it comes to TPS for all node sizes due to its shortest proof size of X-VRF instances compared to LB-VRF (see Table 1). As the number of nodes increases, the advantage of our constructions increases. Another disadvantage of LB-VRF is that the users need to update their keys at every round (block generation), hence every 5 s in the case of Algorand. Our X-VRF construction, on the other hand, can support the use of the same key pair for at least 45 h; e.g. X-VRF-15, which has the shortest key lifetime. X-VRF-27 offers the possibility to work with the

Post-Quantum Verifiable Random Function

41

same key for more than 20 years. Even if it is difficult to compare the algorithms’ performances because they were not executed on the same machine as LB-VRF numbers were taken from the original paper [12], X-VRF seems to be more efficient when it comes to VRF Evaluation performances as LB-VRF takes 3.1 ms while the slowest X-VRF takes only 0.8 ms. The difference between both verification procedures is too small to draw any conclusion. This paper introduced the first post-quantum VRFs based on symmetric primitives. Our XMSS-based X-VRF proposals, which are made possible thanks to the innovative idea of linking the state of the blockchain with the state of XMSS, support a competitive number of transactions per second in a post-quantum PoS-based consensus protocol. It outperforms the one-time lattice-based VRF when it comes to proof size, while allowing the evaluation of multiple input. The X-VRF is based on long-studied symmetric primitives, all X-VRF instances provide strong security assurances, while also being highly efficient and substantially outperforming current state of the art performances. Acknowledgement. This work is supported by Australian Research Council project DP220101234.

A

Appendix

Fig. 1. XMSS/X-VRF state and Blockchain

A.1

Proof of Lemma 1

Proof. Let XMSS.pk be a public key and m be a message. Fix an index i ∈ [0, 2h − 1]. Also, let XMSS.σ1 = (WOTS+ .σ1 , i, XMSS.Auth1 ) and XMSS.σ2 = (WOTS+ .σ2 , i, XMSS.Auth2 ) be two valid signatures created by a PPT adversary on m using XMSS.pk and i. It is clear that XMSS.Auth1 = XMSS.Auth2 as the leaf index and the tree root is the same if the hash function is collision-resistant. We now just need to show that WOTS+ .σ1 = WOTS+ .σ2 , which is true for deterministic XMSS as explained in [6].

42

M. Buser et al.

Fig. 2. Pseudorandomness Experiment

A.2

Proof of Theorem 1

Proof. We prove the three properties of Definition 1. Correctness. The correctness of X-VRF follows via direct investigation. As long as the underlying XMSS scheme is correct, X-VRF is correct. Uniqueness. To prove uniqueness of our X-VRF scheme by a reduction to the uniqueness property of the underlying XMSS scheme, we assume Aunq being an adversary against uniqueness property of our X-VRF scheme. We can construct an adversary Bunq against the uniqueness property of the underlying XMSS. Let yVRF1 , yVRF2 be two different outputs and πVRF1 , πVRF2 the two respective proofs generated by Aunq on the same input x. We know that yVRFi = H(XMSS.σi , x) and πi = XMSS.σi for i ∈ {1, 2}. If yVRF1 = yVRF2 , then we must have XMSS.σ1 = XMSS.σ2 . Set m = x being the input message of the XMSS.Sign algorithm. Since x is the same in both signatures XMSS.σ1 and XMSS.σ2 , it follows that the XMSS signature scheme is not unique, which contradicts the uniqueness property stated in Lemma 1. Pseudorandomness. Let Apr be a PPT adversary against the pseudorandomness of our X-VRF scheme. Recall that yVRF = H(XMSS.σ, x) where H is modelled as a random oracle and XMSS.σ is a signature on x. Also recall that XMSS.σ contains WOTS+ .σ which is the (iterated) hash of some completely random and independent n-bit strings unknown to Apr . So, any WOTS+ .σ results in just some random bit string that is contained in XMSS.σ. Hence, the only way Apr can distinguish yVRF from a uniformly random value happens if Apr has queried H on the input (XMSS.σ, x), which happens with negligible probability since Apr cannot query the signing oracle on x. The pseudorandomness property follows. A.3

XMSS Signature Scheme

We introduce the concept of XMSS signature from which our VRF is constructed. XMSS is based on the idea of Merkle trees (see Fig. 3) which are binary trees where each nodes is the hash of both its children. Each leaf correspond to the key pair of a One-time digital signature named WOTS+ . By definition, a WOTS+ key pair can be used to sign only one message and therefore, each leaf can be

Post-Quantum Verifiable Random Function

43

only used once. Each signer keep a state XMSS.idx which is incremented after each signature. A XMSS signature XMSS.σ is composed of a WOTS+ signature WOTS+ .σ, an index i, which indicates the position of the WOTS+ key pair in the tree and the authentication path XMSS.Auth, which allows to recompute the Merkle root from the WOTS+ signature to the root. The root is the XMSS public key XMSS.pk. A simple example is given in Fig. 3 which shows the fourth signatures performed with the XMSS scheme. Definition 2. XMSS is defined by a tuple of three algorithms (XMSS.idx, XMSS.sk, XMSS.sk) ← XMSS.KeyGen(1λ ): The key generation algorithm on input the security parameter λ outputs a pair consisting of secret and public keys and an index set to 0 which is the sate and indicate which leaf to use for a signature. One part of the public key is the root of the tree XMSS.root and the other part is a seed used to compute the bitmask (see Fig. 3). (XMSS.σ) ← XMSS.Sign(XMSS.sk, m, XMSS.idx) : The signing algorithm takes as input the secret key XMSS.sk, XMSS.idx and a message m, and outputs a signature XMSS.σ = (WOTS+ .σ, i, XMSS.Auth) which composed of a WOTS+ signature, the index i that indicates the position of the WOTS+ signature in the tree and the authentication path XMSS.Auth (the grey nodes in Fig. 3) Accept/Reject ← XMSS.Verify(XMSS.pk, m, XMSS.σ) : The verification algorithm takes as input the public key XMSS.pk = (XMSS.root, XMSS.seed), the message m and the signature XMSS.σ = (WOTS+ .σ, i, XMSS.Auth). It verifies the validity of the WOTS+ signature and then recompute the merkle root r from the WOTS+ public using the auhtentication path XMSS.Auth and following the direction indicated by i. This outputs Accept iff r = XMSS.root, Reject otherwise.

Fig. 3. The XMSS tree construction.

44

M. Buser et al.

References 1. Algorand-what we do. https://www.algorand.com/what-we-do/faq 2. Proof of stake instead of proof of work, July 2011. https://bitcointalk.org/index. php?topic=27787.0 3. Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015). https://doi.org/10.1007/9783-662-46800-5_17 4. Bernstein, D.J.: Introduction to post-quantum cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 1–14. Springer, Berlin, Heidelberg (2009). https://doi.org/10.1007/978-3-540-88702-7_1 5. Bernstein, D.J., Hülsing, A., Kölbl, S., Niederhagen, R., Rijneveld, J., Schwabe, P.: The sphincs+ signature framework. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.) ACM CCS 2019, pp. 2129–2146. ACM (2019) 6. Buchmann, J., Dahmen, E., Hülsing, A.: XMSS - a practical forward secure signature scheme based on minimal security assumptions. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 117–129. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_8 7. Chase, M., et al.: Post-quantum zero-knowledge and signatures from symmetrickey primitives. ACM CCS 2017, 1825–1842 (2017) 8. David, B., Gaži, P., Kiayias, A., Russell, A.: Ouroboros Praos: an adaptivelysecure, semi-synchronous proof-of-stake blockchain. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 66–98. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_3 9. de Pedro, A.S., Levi, D., Cuende, L.I.: Witnet: a decentralized oracle network protocol. arXiv preprint arXiv:1711.09756 (2017) 10. Dial, O.: Eagle’s quantum performance progress. IBM Research Blog, 24 March 2022. https://research.ibm.com/blog/eagle-quantum-processor-performance 11. Ding, J., Schmidt, D.: Rainbow, a new multivariable polynomial signature scheme. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 164–175. Springer, Heidelberg (2005). https://doi.org/10.1007/11496137_12 12. Esgin, M.F., et al.: Practical post-quantum few-time verifiable random function with applications to Algorand. In: Borisov, N., Diaz, C. (eds.) FC 2021. LNCS, vol. 12675, pp. 560–578. Springer, Heidelberg (2021). https://doi.org/10.1007/9783-662-64331-0_29 13. Gilad, Y., Hemo, R., Micali, S., Vlachos, G., Zeldovich, N.: Algorand: scaling byzantine agreements for cryptocurrencies. In: SOSP 2017, pp. 51–68. Association for Computing Machinery (2017) 14. Goldwasser, S., Ostrovsky, R.: Invariant signatures and non-interactive zeroknowledge proofs are equivalent. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 228–245. Springer, Heidelberg (1993). https://doi.org/10.1007/3-54048071-4_16 15. Gorbunov, S.: Algorand releases first open-source code: verifiable random function (2018). https://medium.com/algorand/algorand-releases-first-open-sourcecode-of-verifiable-random-function-93c2960abd61 16. Hanke, T., Movahedi, M., Williams, D.: Dfinity technology overview series, consensus system. arXiv preprint arXiv:1805.04548 (2018) 17. Hellebrandt, L., Homoliak, I., Malinka, K., Hanáček, P.: Increasing trust in tor node list using blockchain. In: IEEE ICBC 2019, pp. 29–32. IEEE (2019)

Post-Quantum Verifiable Random Function

45

18. Hülsing, A.: XMSS implementation. https://github.com/XMSS/xmss-reference 19. Hülsing, A.: W-OTS+ – shorter signatures for hash-based signature schemes. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 173–188. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3642-38553-7_10 20. Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge proofs from secure multiparty computation. SIAM J. Comput. 39(3), 1121–1152 (2009) 21. Kales, D., Zaverucha, G.: Improving the performance of the picnic signature scheme. In: IACR TCHES, pp. 154–188 (2020) 22. Katz, J., Kolesnikov, V., Wang, X.: Improved non-interactive zero knowledge with applications to post-quantum signatures. ACM CCS 2018, 525–537 (2018) 23. Li, W., Andreina, S., Bohli, J.-M., Karame, G.: Securing proof-of-stake blockchain protocols. In: Garcia-Alfaro, J., Navarro-Arribas, G., Hartenstein, H., HerreraJoancomartí, J. (eds.) ESORICS/DPM/CBT -2017. LNCS, vol. 10436, pp. 297– 315. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-67816-0_17 24. Micali, S., Rabin, M., Vadhan, S.: Verifiable random functions. In: 40th Annual Symposium on Foundations of Computer Science (cat. No. 99CB37039), pp. 120– 130. IEEE (1999) 25. Zaverucha, G.: Picnic implementation. https://github.com/microsoft/Picnic

Opportunistic Algorithmic Double-Spending: How I Learned to Stop Worrying and Love the Fork Nicholas Stifter1,2(B) , Aljosha Judmayer1,2 , Philipp Schindler1,2 , and Edgar Weippl1,2 1

University of Vienna, Vienna, Austria 2 SBA Research, Vienna, Austria {nstifter,ajudmayer,pschindler,eweippl}@sba-research.org

Abstract. In this paper, we outline a novel form of attack we refer to as Opportunistic Algorithmic Double-Spending (OpAl ). OpAl attacks avoid equivocation, i.e., do not require conflicting transactions, and are carried out automatically in case of a fork. Algorithmic double-spending is facilitated through transaction semantics that dynamically depend on the context and ledger state at the time of execution. Hence, OpAl evades common double-spending detection mechanisms and can opportunistically leverage forks, even if the malicious sender themselves is not responsible for, or even actively aware of, any fork. Forkable ledger designs with expressive transaction semantics, especially stateful EVM-based smart contract platforms such as Ethereum, are particularly vulnerable. Hereby, the cost of modifying a regular transaction to opportunistically perform an OpAl attack is low enough to consider it a viable default strategy. While Bitcoin’s stateless UTXO model, or Cardano’s EUTXO model, appear more robust against OpAl , we nevertheless demonstrate scenarios where transactions are semantically malleable and thus vulnerable. To determine whether OpAl -like semantics can be observed in practice, we analyze the execution traces of 922 562 transactions on the Ethereum blockchain. Hereby, we are able to identify transactions, which may be associated with frontrunning and MEV bots, that exhibit some of the design patterns also employed as part of the herein presented attack. Keywords: Double-spending attack Fork

1

· Blockchain · Cryptocurrency ·

Introduction

Double-spending attacks in cryptocurrencies are primarily considered in two general categories. In the first category, an adversary is either themselves capable, or is able to coerce others, to carry out an attack that undermines the expected security guarantees of the underlying consensus protocol [54]. Hereby, attack vectors such as information withholding [40] and information eclipsing [1], as well as exploiting the rational behavior of participants [25], have received c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 46–66, 2022. https://doi.org/10.1007/978-3-031-17140-6_3

OpAl : How I Learned to Stop Worrying and Love the Fork

47

particular attention. The second category of double-spending attacks leverages inadequately chosen security parameters by merchants, i.e., they provide goods or services while the probability of the payment transaction being reverted is non-negligible [27,46]. In this regard, the probabilistic consensus guarantees of Nakamoto consensus [42] may be misunderstood in practice, which contributes to insecure behavior by its users [34,46]. Regardless of the attack category, it is predominantly assumed that the adversary proactively performs double-spending through equivocation [22], i.e., by creating mutually exclusive transactions. We hereby challenge this status quo and discuss an alternative attack, which we refer to as opportunistic algorithmic double-spending, whereby the intent to double-spend is intentionally encoded as part of the transaction semantics. Algorithmic double-spending does not require equivocating transactions and is facilitated through distributed ledgers that exhibit two properties, namely i) the ability to define transaction semantics that dynamically depend on the ledger state or execution context, which we refer to as semantic malleability, and ii) probabilistic consensus decisions, i.e., protocols without finality, or where security failures have compromised the safety of consensus decisions. If these two conditions are fulfilled, OpAl can be used as a free riding gadget to profit from any sufficiently deep blockchain fork. OpAl attacks do not stand in contradiction to the security guarantees and desirable properties [18,42] offered by Nakamoto-style distributed ledgers. The existence of state instability, i.e. forks, is abstracted away in idealized ledgers by waiting sufficiently long for the relevant actions, e.g. transactions, to be included in the common prefix with high probability [4]. However, determining the correct choice of security parameters for real-world system settings is difficult [23,46] and unforeseen technical failures, or attacks, that undermine a ledger’s security assumptions through deep forks, can happen in practice [31]. Especially during such extraordinary events the threat of OpAl attacks can prove particularly severe. Even under the assumption that the ledger’s security guarantees hold, algorithmic double-spending can be of concern in cases where users exhibit an insecure interaction model, referred to as hasty players [4], whereby actions are taken based on unstable state. We crucially note that such patterns are commonly encountered in real-world ledgers such as Ethereum, e.g., in the context of decentralized finance (DeFi), where hastiness can be financially advantageous [9,56]. Our empirical analysis of Ethereum transactions in Sect. 6 also reveals that OpAl -like semantics are being used by entities which, according to block explorers, may be associated with MEV (miner extractable value) bots. 1.1

Related Work

Beyond the related work on double-spending that we mention in the introduction, it is important to note that prior art has identified a range of security issues in distributed ledgers that tie-into the discussion of OpAl , e.g., timestamp- and transaction-order dependence [32], concurrency and event ordering (EO) vulnerabilities [30,45], blockchain anomalies [39], stake bleeding [19], time-bandit [9] attacks, and order-fairness [28,55]. We outline several of these works in detail

48

N. Stifter et al.

within the body of this paper. To the best of our knowledge, we are the first to present the concept of algorithmic double-spending and demonstrate its practicability. Conceptually, Botta et al. [4] relates most to the topics discussed within this work. They effectively highlight the possible effects of blockchain forks, as well as the practical implications of probabilistic finality with hasty players, in the context of MPC protocols executed atop distributed ledgers. However the concept of algorithmic double-spending is not considered. 1.2

Paper Structure

An introduction, an executive summary that outlines the concept of OpAl and highlights the contributions of this paper, as well as background literature is presented in Sect. 1. Section 2 provides a definition of what is meant by OpAl . To gain a better understanding of the principles behind OpAl , we first define prerequisites and properties of semantic malleability in Sect. 3, and use them to investigate three different ledger designs (Sects. 4 and 5). A proof-of-concept OpAl attack in the context of Ethereum is also presented in Sect. 5. In Sect. 6 we empirically analyze transaction traces from Ethereum to identify and characterize transactions where ledger context is accessed. Finally, we consider possible mitigation strategies against algorithmic double-spending (Sect. 7) and highlight future research directions in Sect. 8.

2

What is Algorithmic Double-Spending?

In this section we revisit and define double-spending and propose that there exists the overlooked class of algorithmic double-spending, which does not necessitate conflicting actions, i.e., equivocation. We then discuss the implications, such as the possibility of unintentional double-spending, and raise the question whether double-spending requires economic damage. We observe that while research on double-spending provides concrete descriptions and formal analyses of particular instantiations of double-spending attacks, e.g., [22,27], a general definition of double-spending appears to be outstanding. A clearer definition may not only aid with classification efforts, but could also help identify new or overlooked attack forms. Motivated by this novel class of algorithmic doublespending attacks we present within this work, we hereby set out to propose such a more general definition: Definition 1 (Double-Spending Attack). In a double-spending attack, an adversary attempts to deceive a victim into performing an economic transaction directed at the adversary on the basis of a presumed valid system state, which is later revealed to be stale or invalid. Hereby, the adversary’s goal is to be able to reuse any of the resources that form the basis of the economic transaction for other purposes. We distinguish between the following double-spending attacks: – Equivocation-Based, whereby the adversary issues multiple conflicting actions in the system, one of which is aimed at fooling the victim, and where at most one of the issued actions can eventually be performed in the system.

OpAl : How I Learned to Stop Worrying and Love the Fork

49

– Algorithmic, whereby the adversary performs a single action that can have different semantic meanings, depending on the system state in which they are interpreted, and where the interpretation of this action in some stale or invalid system states can be used to deceive the victim. At the core of this work lies the insight, that double-spending may be facilitated through other means than the classical notion of equivocation-based conflicting actions by an adversary. OpAl builds on a simple property that can be observed in various real-world distributed ledger designs with expressive transaction semantics: Given a transaction t, it may have different semantic outcomes, depending on the ledger state and environment upon which t is executed. We refer to this property as semantic malleability due to the fact that external factors, such as the consensus protocol and its ordering guarantees [28,55], as well as other actors in the system who may be rushing, e.g., in the context of frontrunning [9,14,56], are able to transition the state in a way that is able to malleate the intended semantics of transactions. From this observation, we can rather intuitively derive a basic strategy for an algorithmic double-spending attack: An adversary can encode both, the regular payment to the merchant, as well as an alternative malicious action, e.g., payment to herself, as different execution paths within a single transaction. The control flow of the transaction is designed to conditionally branch, depending on the ledger state σ at the time the transaction is processed by a miner. If the same transaction is included in a different state σ  , i.e., a fork, the “hidden” algorithmic double-spend is triggered without active participation from the attacker. Figure 1 illustrates this difference to equivocation-based double-spending. The concept of algorithmic double-spending raises interesting challenges, two of which we outline in more detail. First, up until now unintentional doublespending, for example as a result of technical failures, did not appear of particular concern. Prior art identifies potential vulnerabilities that arise from order dependence in smart contracts [30,32,45] and violations of transaction causality in forks that can have unintended side-effects, which relate to the Paxos anomaly [39]. We expand upon these insights by highlighting that semantic malleability can lead to unintentional algorithmic double-spending as a result of unanticipated transaction reordering that causes state changes within a blockchain fork. Hereby, it is difficult to distinguish between an intentional attack or unfortunate circumstances. Second, in stateful smart contract systems double-spending may not only be performed solely at the economic level through coin-reuse. For example, Botta et al. [4] highlights the need for mitigation strategies against an adversary leveraging forks in MPC protocols with hasty players. In this regard, double-spending attacks can be aimed at biasing the outcome of a MPC, which may not be quantifiable in terms of economic gain. Similarly, increasing the miner fee of a transaction may require a user to equivocate, raising the question if such behavior should be subsumed under the notion of double-spending. This presents the interesting problem how any divergent system behavior within forks, be it through equivocation- or algorithmic double-spending, should be addressed if it is not

50

N. Stifter et al.

Fig. 1. Conceptual difference between equivocation- and algorithmic double-spending. Notice that in the former case t = t while in the latter case t = t.

immediately apparent that they were intended for unjust economic gain. Notice that in our Definition 1 for double-spending, we assume some economic transaction from the victim to the adversary.

3

System Model and Assumptions

Within this section, we identify prerequisites and underlying properties that enable algorithmic double-spending. Our analysis is based on an intentionally simple system model to accommodate different ledger designs. We define the concept of semantic malleability that we introduced in Sect. 2 and argue that ledgers with semantically malleable transactions are vulnerable to algorithmic double-spending, and thus OpAl attacks. In our analysis, we show that any distributed ledger that is robust to semantic malleability must satisfy two necessary properties, namely, eventual replay validity and replay equivalence. Following Luu et al. [32], we conceptually view a blockchain as a transactionbased RSM, where its state is updated after every transaction. We denote S the set of all possible system states and σ ∈ S a single system state. The initial starting state of a blockchain is defined as σ0 . A valid transition from state σ to t σ  , via transaction t, is denoted as σ − → σ  . past(σn ) is defined as the ordered list of transactions T = (t1 , t2 , . . . , tn ), that, when applied to σ0 , lead to state σn . If there exists a non-empty sequence of transactions starting from state σa to state σb , we call σa a predecessor of σb , in short σa ≺ σb . The predicate valid(t, σ) represents the transaction validation rules of the protocol and returns True iff the transaction t is considered valid (executable) in state σ. We assume that block producers, e.g., miners, adhere to protocol rules and transaction liveness is guaranteed, i.e., any valid transaction will eventually be executed. Executing a transaction t in state σ alters (part of) the state σ and thus results in a new state σ  . The changes are captured by the function diff(t, σ). For example, consider a state σ = {Alice: 6, Bob: 5, Carol: 4} represented as an account-value mapping, and a transaction t, where Alice gives 2 coins to Bob.

OpAl : How I Learned to Stop Worrying and Love the Fork

51

Then diff(t, σ) = {Alice: −2, Bob: +2} captures the balance changes of Alice and Bob while other parts of the state (Carol’s balance) remain unaffected. In this example a single account-value mapping is called a substate. Note that it is possible that the effects of executing the same transaction t in two different states are equal, i.e., (σa = σb ) ∧ (diff(t, σa ) = diff(t, σb )). We consider a transaction t to be a sequence of operations (computations) that lead to a state transition. A transaction is semantically malleable, if the available operations, which are used to define the semantics of the transaction, allow the control flow of the execution to branch conditionally based on the particular input state σ. The following two properties we define are necessary, but not sufficient, for a ledger to be robust against semantic malleability. We refer to these properties as replay equivalence and eventual replay validity. Replaying the same ordered set of transactions on some initial state σ0 should always yield the same state transitions and final state, and the validity of transactions should not be affected by the environment. Definition 2 (replay equivalence). Assuming that no transaction equivocation happens: A transaction t satisfies replay equivalence, if executing t in all candidate states where t is executable (valid) leads to the same changes in the respective (sub)states: ∀σa , σb ∈ S, (valid(t, σa ) ∧ valid(t, σb )) =⇒ (diff(t, σa ) = diff(t, σb )) .

(1)

Definition 3 (eventual replay validity). Assuming that no transaction equivocation happens: If a transaction t is found executable (valid) in some state σa , then it either remains executable (valid) or has already been executed in predecessor states of σa : ∀σa , σb ∈ S, (valid(t, σa ) ∧ σa ≺ σb ) =⇒ (t ∈ past(σb ) ∨ valid(t, σb )) .

(2)

Definition 4 (semantic malleability). A transaction t is semantically malleable if it violates replay equivalence and/or eventual replay validity.

4

Semantic Malleability of Bitcoin and Cardano

For the following investigation, we set aside the orthogonal topic of how to create blockchain forks of sufficient depth to facilitate double-spending attacks. Instead, we are interested in identifying if, in principle, the designs are vulnerable to semantic malleability by evaluating whether the aforementioned necessary properties are violated. We first consider Bitcoin and Cardano within this Section, and then cover Ethereum separately in Sect. 5. Each ledger represents an instantiation of a Nakamoto-style blockchain with distinct design differences. Bitcoin [38] is UTXO based and facilitates a highly limited, non-Turing complete scripting language for transaction semantics [2]. Cardano [8] adopts the

52

N. Stifter et al.

EUTXO model [5], which leverages advantages of a stateless UTXO design with the expressiveness of Turing-complete smart contracts that can carry state. Bitcoin: In Bitcoin, transactions are based on the so-called unspent transaction outputs (UTXO) model [11] and contain simple (deterministic) Boolean functions, called Scripts, that determine the transaction semantics [2]. Bitcoin’s UTXO model is stateless and non-Turing complete. A key aspect of the UTXO model is that transactions are deterministic and bound to a single execution by committing to the exact input (sub)states, i.e., UTXOs, that a transaction consumes, and a precise set of output UTXOs, that the transaction produces. Furthermore, within Bitcoin transactions the access to external ledger state is not made explicitly by including it as an input in the transaction, but implicitly through Scripts or when defining the validity of the transaction in terms of the block height or current time at the protocol level. There currently exist only a limited number of primitives that can be used to constrain the validity of a transaction to some external context. Specifically, it is possible to define some relative or absolute time, in relation to that of the ledger context, from which point onward a transaction may become valid [47]. However, it is not possible to permanently invalidate a previously valid transaction that depends on ledger context, i.e., in a live blockchain, there is a future point in time where this dependency is satisfied. Therefore, in principle, the Bitcoin UTXO model could satisfy eventual replay validity. However, we show that in case of deep forks, eventual replay validity can be violated by coinbase transactions, making Bitcoin-like UTXO cryptocurrencies theoretically vulnerable to semantic malleability. Theorem 1 (Semantic malleability of Bitcoin-like UTXO cryptocurrencies with coinbase transaction). A Bitcoin-like UTXO based cryptocurrency is affected by semantic malleability if it programmatically allows the issuance of special per-block transactions as payout, i.e., coinbase transactions, transferring collected fees and/or rewards for block creation. Proof. We show that A Bitcoin-like UTXO cryptocurrency is affected by semantic malleability by constructing a counterexample violating the eventual replay validity property: Let σa be some blockchain state and tc = tc two different coinbase transactions (e.g., rewarding different miners) that are valid in this state if included by a newly mined block, i.e., Valid(tc , σa ) ∧ Valid(tc , σa ). Let there tc be a blockchain with a new block containing tc st. σa −→ σb and thus σa ≺ σb . In Bitcoin-like UTXO cryptocurrencies, the coinbase transaction can only be issued at the beginning of each block and is tied to the respective block height1 . Therefore, the other coinbase transaction tc cannot be included anymore in state σb . The reason for this is that executing the block containing tc (and potentially other transactions) necessarily leads to a state σb with increased block height. Therefore, there exists a σb st. tc ∈ past(σb ) ∧ ¬Valid(tc , σb ) which violates eventual replay validity.  1

cf. https://github.com/bitcoin/bips/blob/master/bip-0034.mediawiki.

OpAl : How I Learned to Stop Worrying and Love the Fork

53

In practice, the potential consequences of the semantic malleability of coinbase transactions are mitigated by the maturation period of 100 blocks, after which transactions can be included that spend coinbase UTXOs. As an attack example, consider a transaction with an output from a recent coinbase transaction that is spendable (i.e., has matured for 100 Blocks) as one of its input UTXOs. If a sufficiently deep blockchain fork, of say 144 blocks, occurs and this coinbase transaction does not exist in the chain anymore, the depending transaction using its UTXO as input can not be replayed within a fork and becomes invalid. Therefore, coinbase transactions could facilitate algorithmic double-spending. The design of forkable Nakamoto-style cryptocurrencies, which provide payouts in terms of fees/block rewards to incentivize participation, necessarily require payments depending on the state of the blockchain, i.e., context, which inherently violates eventual replay validity. Thus, in Sect. 7.1, we raise the question whether characterizing Nakamoto-style ledgers as replicated state machines (RSM) is accurate in light of algorithmic double-spending. Cardano: Cardano [8] is based on a line of research on provably secure proof-ofstake Nakamoto-style blockchains [3,10,29], which we subsume under the term Ouroboros. Ouroboros, as it is currently realized in Cardano, offers probabilistic finality guarantees and the existence of temporary blockchain forks is possible. Cardano adopts the Extended UTXO (EUTXO) model [5,7], that was conceived to leverage desirable properties of Bitcoin’s UTXO design for more expressive transaction semantics [7]. Conceptually, to support stateful Turing-complete smart contracts in EUTXO, the UTXO model is extended in the following (from Chakravarty et al. [7]): i) outputs can contain arbitrary contract-specific data; ii) Scripts, which are referred to as validators in the EUTXO model, receive the entire transaction information, including its outputs, as context next to the contract specific data, and can impose arbitrary validity constraints on the transaction; iii) a validity interval is added for transactions, which is specified as an interval of “ticks”2 , whereby any Scripts which run during validation can assume that the current time is within that interval, but do not know the precise value; A key property the EUTXO model inherits from the UTXO model is that the execution of a transaction during validation is entirely deterministic and solely determined by its inputs. Equivocation is hence required to achieve a different semantic result. In terms of our necessary properties to achieve robustness against semantic malleability, replay equivalence follows analogous to Bitcoin. However, as Br¨ unjes and Gabbay [5] crucially point out, the EUTXO model allows restricting the validity of transactions to time intervals, which renders the result of transaction processing dependent on the ledger context. Unlike Bitcoin, in Cardano transactions can be permanently invalidated based on ledger context. Hence, eventual replay validity is not satisfied and semantic malleability possible. Corollary 1 (Semantic malleability of Cardano-like EUTXO cryptocurrencies that support limited validity transactions). A EUTXO 2

[7] assume that in practice a tick will correspond to a block number or block height.

54

N. Stifter et al.

based cryptocurrency is affected by semantic malleability, if it programmatically allows the issuance of limited validity transactions which are valid at some point in the chain, but become invalid after a certain block height or time interval. Proof. We show that Cardano-like EUTXO cryptocurrencies that support limited validity transactions are semantically malleable, by pointing out that the desired properties of such transactions directly negate and thus violate eventual replay validity. Let tv be a limited validity transaction and σa be some blockchain state where Valid(tv , σa ), which is true when the specified criteria (block height or time) is satisfied. By definition of a limited validity transaction, there must exist a state σa ≺ σb st. ¬Valid(tv , σb ). Due to forks, or congestion, it might be the case, that tv is not included until σb is reached, thus tv ∈ past(σb ). Therefore, tv is invalidated after this point and cannot be included in any other subsequent block. Hence, by the construction of limited validity transactions, ∃σa , σb (Valid(tv , σa ) ∧ σa ≺ σb ∧ tv ∈ past(σb ) ∧ ¬Valid(tv , σb )) , which is exactly the negation of our definition of eventual replay validity.



As an example, consider a payment transaction to a merchant where the validity is constrained to a specific block height. Thus, an OpAl attack is triggered if the transaction does not make it into a block in time during a fork.

5

Semantic Malleability in Ethereum

Ethereum [51] adopts an account-based model and offers expressive transaction semantics that can draw upon stateful Turing-complete smart contract functionality. Due to the various ways in which replay equivalence and eventual replay validity can be violated in Ethereum, we omit a formal analysis and directly discuss a proof-of-concept (PoC) OpAl attack and its practical implications. Our attack design is inspired, on the one hand, by hardfork oracles, which McCorry et al. [35] discusses in the context of atomic-trade protocols during hardforks, and, on the other hand, by the notion of context sensitive transactions Gaˇzi et al. [19] describes as a replay protection mechanism in stakebleeding attacks. An informal statement that encapsulates the intended transaction semantics for our PoC OpAl attack is the following: “ IF this transaction is included in a blockchain that contains a block with hash 0xa79d THEN pay the merchant, ELSE don’t pay the merchant.” Essentially, our attack is based on the insight that a transaction can act as its own fork oracle for conditionally branching its execution. In the following, we first outline the construction of such a fork oracle in more detail and then present a PoC attack that allows transactions with the above semantics to be created.

OpAl : How I Learned to Stop Worrying and Love the Fork

5.1

55

How to Construct an OpAl Fork Oracle in Ethereum

The concept of employing a fork oracle to distinguish between branches of (hard)forks was proposed in cryptocurrency communities [15,33], as well as research [24,35,36]. Hereby, a frequent goal is achieving replay protection. McCorry et al. [35] outlines how fork oracles can be leveraged to realize atomic trades across hardforks. Constructing a smart contract based fork oracle if the underlying forks do not offer replay protection can be challenging [35]. McCorry et al. [36] demonstrate through history revision bribery how (equivocation-based) double-spending can be leveraged to realize a fork oracle for a smart contract based bribing scheme for incentivizing forks. Hereby, the fork oracle is not used to facilitate (algorithmic) double-spending. Rather, the mutually exclusive outcomes of the double-spend in different forks are relied upon to actually implement the oracle. Surprisingly, to the best of our knowledge, the idea of using fork oracles to algorithmically trigger double-spending was not yet considered. Block-Hash Based Fork Oracle. The fork oracle we propose is inspired by a simple and elegant technique to achieve replay protection considered in the proofof-stake (PoS) setting [19]. Hereby, the hash of a recent block is included in a transaction, and it is only considered valid for blockchains that contain this block in their prefix. [19] refer to this mechanism as context sensitive transactions. Essentially, context sensitive transactions already implicitly realize the attack semantics described above.3 In case a fork of sufficient depth occurs, this replay protection mechanism ensures that transactions become invalid at the protocol level, and the double-spending “attack” is realized algorithmically through the underlying protocol rules. Ethereum does not natively support context sensitive transactions, however, this functionality can be emulated with smart contract code using EVM primitives that expose ledger context, such as the Blockhash opcode [51]. It is hence possible to programmatically act upon the existence of a particular block, or other ledger context, as part of an Ethereum transaction. Fork Oracle Discussion. A downside of hash-based fork oracles is the reliance on a commitment to previous ledger state, thereby requiring a fork of at least depth-2 to trigger the attack. However, it is also possible to construct oracles for forks of depth-1. The key difference between a depth-1 fork oracle and a hash-based fork oracle is that the latter is based on ledger state which is known, whereas the former is based on some prediction of the future state at the time the transaction is processed. Hence, depth-1 fork oracles generally offer weaker probabilistic guarantees for identifying forks. For example, consider the EVM coinbase opcode that returns the current block’s beneficiary address [51]. An adversary could use the beneficiary address of a large mining pool in a depth-1 OpAl attack. Hereby the transaction semantics depend on whether the transaction is included in a block from the targeted mining pool or some other miner. 3

Thereby introducing the possibility of unintentional OpAl attacks (see Sect. 2).

56

N. Stifter et al.

Generally speaking, in Nakamoto-style proof-of-work ledgers the next block producer is not known in advance. However, we note that in some PoS protocols this can be different [44], allowing for more reliable depth-1 fork oracles. Another limitation of the hash-based fork oracle specific to the EVM is the restriction that the blockhash opcode only returns hashes within a 256 block lookback window, and 0 otherwise [51]. Hence, if a transaction is processed in a block that exceeds 257 blocks after the height of the blockhash commitment, the oracle will falsely report a fork and trigger the attack branch. We argue that in the case of our intended OpAl semantics this limitation is unproblematic, as the transaction would simply transfer the funds back to the attacker. 1 2 3 4 5 6 7 8 9 10 11 12 13 14

pragma solidity 0.8.4; // This contract acts as an OpAl forwarding proxy for transactions . contract Opal { address public owner ; modifier onlyOwner () { require ( isOwner ( msg . sender ) ) ; _ ; } constructor () { owner = msg . sender ; } fallback () external payable {} receive () external payable {} function isOwner ( address addr ) public view returns ( bool ) { return addr == owner ; } function cashOut ( address payable _to ) public onlyOwner { _to . transfer ( address ( this ) . balance ) ; } // forwarding function implementing opportunistic double - spending ( OpAl ) function forward ( address payable destination , bytes32 commitblockHash , uint commitblockNumber , bytes memory data ) onlyOwner public payable returns ( bool success ) { if ( blockhash ( c o m m i t b l o c k N u m b e r ) == c o m m i t b l o c k H a s h ) assembly { success := call ( gas () , destination , callvalue () , add ( data , 0 x20 ) , mload ( data ) , 0 , 0) } }

15 16 17 18 19 20 21 22

}

Listing 1.1. Solidity OpAl contract that implements a basic fork oracle by only forwarding transactions if the provided commitment to a block hash can be resolved.

5.2

Proof of Concept OpAl Attack Contract

Di Angelo and Salzer present a comprehensive empirical analysis of wallet contracts on Ethereum [12]. Of the identified properties, in particular, designs that support flexible transactions, i.e., forwarding of arbitrary calls, appear suitable for augmentation to support the creation of OpAl transactions. Their empirical data shows that at least tens of thousands of contracts supporting flexible transactions are currently deployed in Ethereum, suggesting practical use-cases for such contract patterns, even without an OpAl augmentation. Our attack requires minimal modifications, and the interaction pattern is almost identical. In the following, we present a minimal fully viable PoC OpAl attack smart contract written in Solidty [50], that relies on the aforementioned hash-based fork oracle. Our contract code (Listing 1.1) is loosely based on the Executor contract from the Gnosis-Safe Wallet [37], which allows the forwarding of arbitrary func-

OpAl : How I Learned to Stop Worrying and Love the Fork

57

tion calls. Instead of forwarding a call directly, the contract first evaluates if the block hash at a particular height of the current ledger matches the commitment hash that is provided as an additional parameter in the transaction data. This is realized through the blockhash() function [51]. If the blockhash matches the commitment, the function call is forwarded. Else, no action is performed, i.e., the action is reversed whenever the transaction is replayed in a fork. Outline of the Attack. An adversary wishing to engage in OpAl first needs to deploy the attack contract. Once the contract is successfully deployed, whenever they wish to perform a transaction with OpAl functionality, instead of calling a function f () in the target contract or sending funds directly, they simply forward this call to the forward() function (Line 15 in Listing 1.1) of the deployed attack contract, together with the appropriate parameters. Specifically, the adversary generates transaction t that calls forward in the attack contract with the following parameters: i) the target address; ii) the block hash and height h of the current chain tip; iii) the encoded function name to be called at the target f () together with its parameters; iv) any Ether that shall be sent; and broadcasts t to the network. Ideally, the transaction fee is high enough for t to be immediately included in the next block h + 1. Otherwise, the required fork depth increases in the number of blocks the chain grows between the creation and inclusion of t. To the recipient of t, the interaction pattern will appear as if the user employed a regular wallet contract. Unless they perform an analysis of the execution trace, the malicious behavior only becomes apparent once the attack conditions are triggered, i.e., during a fork. In case the adversary is lucky and a fork at, or before, height h occurs, and their transaction is replayed within this fork, the alternative attack branch of the contract is executed automatically. 5.3

Cost Overhead of PoC Attack in Ethereum

We quantify the additional costs incurred when augmenting a transaction with OpAl capabilities by deploying our attack contract in a private Ethereum testnet and measuring the gas utilization for basic interactions, such as ERC-20 token [49] transfers. Our PoC OpAl attack adds a constant overhead of gas that depends on the number of parameters supplied to the target function f (). The deployment transaction for the contract in Listing 1.1 required 393 175 gas. As it is not essential for the contract to be deployed in a recent block, and can be done well in advance of any attacks, we assume a gas price of 50 GWei, which translates to deployment costs of ≈0.02 Ether or, at an exchange rate of 2 000 USD, approximately 40 USD. Note that this contract needs to be deployed once, after which the only overhead derives from using the forwarding function. For ERC-20 token interactions (approve, transfer, transferFrom), using OpAl adds ≈3 000 gas, which equates to ≈8% overhead. At the time of writing, assuming a gas price of 100 GWei for timely inclusion4 of the transaction, this overhead 4

For simplicity we consider legacy transactions and omit pricing based on EIP-1559.

58

N. Stifter et al.

translates to ≈0.6 USD higher fees if a transaction is augmented to support OpAl attacks, rendering our attack a viable default strategy for most cases.

6

Empirical Analysis of Ethereum Transaction Traces

We empirically analyze the execution traces of 922 562 transactions from 5 000 Ethereum blocks in order to identify and characterize transactions where ledger context is accessed. Hereby, block selection for the analysis was performed in batches of 100 consecutive blocks every 1000 blocks, starting from block height 14 010 000 up to block 14 059 099 to obtain a sample spread over a wider time window. The selection of blocks for our analysis was necessitated due to the steep storage and processing requirements for analyzing full execution traces. For every considered block, we parse the execution trace of all included transactions and record whether the trace contains EVM opcodes that are characteristic for accessing the ledger context. The specific opcodes5 that we considered are highlighted in Table 1. Our analysis reveals that 231 271 transactions, or ≈ 25%, include at least one of these opcodes, whereby roughly every 5th transaction uses TIMESTAMP, while the other opcodes are encountered considerably less often. Table 1. EVM Opcode occurrence within the analyzed block range. Opcode (OP)

TIMESTAMP SELFBALANCE NUMBER BALANCE CHAINID BASEFEE BLOCKHASH COINBASE DIFFICULTY GASLIMIT

TX containing OP

199731

63594

36859

% of TX with OP

21.65%

6.893%

3.995% 0.469%

Blocks cont. OP

4886

% of Blocks with OP 97.72%

4324

4767

4529

95.34%

90.58% 45.3%

2265

8253

777

3425

3882

1251

906

0.895%

0.084%

0.371%

0.421%

0.136%

0.098%

3071

641

1830

1897

812

545

61.42%

12.82%

36.6%

37.94%

16.24%

10.9%

Of particular interest are transactions that include both BLOCKHASH and NUMBER opcodes in their traces, as this combination is also present in our PoC OpAl attack. We are able to identify 3 338 transactions with such an OpAl -like opcode signature within 1 823 (≈36%) of the analyzed blocks. Table 2 shows the top 10 contract addresses that these transactions were directed at, as well as a generalized categorization of their purpose based on publicly available information. Analyzing the decompiled6 bytecode of the contract with the second most OpAl -like transaction interactions, we indeed discover an OpAl -like pattern. Listing 1.2 highlights the relevant code section, which, in plaintext, evaluates whether the first 4 Bytes of the previous block hash match those stored as part of the transaction data and reverts the execution otherwise. We further confirm this behavior by observing transactions to the aforementioned contract that were reverted due to an incorrect commitment7 . While this pattern is likely intended to render the transaction context sensitive to prevent execution in an undesirable state, it could nevertheless be used for OpAl attacks simply by subsequently using the transferred/traded funds for payments to a victim. 5 6 7

Cf. the Ethereum Yellow paper [51] for details on EVM opcodes and their behavior. Cf. https://ethervm.io/decompile/0x000000000035B5e5ad9019092C665357240f594e. Cf. txn: 0x2368617cf02cf083eed2d8691004c1ad0176976b6fa83873bc6b0fd7de4cc7fc.

OpAl : How I Learned to Stop Worrying and Love the Fork

59

Table 2. Contracts with the highest number of transaction interactions with EVM opcodes that are also characteristic of OpAl . (?) denotes uncertain categorizations. Contract address

TX int. Purpose

Name

Source Opcode purpose

0xc5F85281d4402850ff436b959a925a0e811D78d3

557

Game/Token

CnMGame

yes

randomness?

0x000000000035B5e5ad9019092C665357240f594e

411

MEV Bot?

?

no

context sensitivity?

0xEef86c2E49E11345F1a693675dF9a38f7d880C8F

313

MEV Bot?

?

no

context sensitivity?

0x5E4e65926BA27467555EB562121fac00D24E9dD2

264

Layer 2 rollup optimism.io

yes

caching/processing

0x56a76bcC92361f6DF8D75476feD8843EdC70e1C9

227

Layer 2 rollup metis.io

yes

caching/processing

0xB6eD7644C69416d67B522e20bC294A9a9B405B31

222

Token

yes

0xd6e382aa7A09fc4A09C2fb99Cfce6A429985E65d

221

Game/Token

0x75E9Abc7E69fc46177d2F3538C0B92d89054eC91

130

Token/NFT

EnterDAO Sharded Minds

yes

randomness

0x563bDabAa8846ec445b25Bfbed88d160890a02Ed

115

MEV Bot?

?

no

context sensitivity?

0xa10FcA31A2Cb432C9Ac976779DC947CfDb003EF0

111

MEV Bot?

?

no

context sensitivity?

1 2 3 4 5

0xbitcoin.org

Doomsday NFT (BUNKER) yes

context sensitivity randomness

function func_060C () { if ( msg . data [0 x04 :0 x24 ] >> 0 xe0 == block . blockHash ( block . number + ~0 x00 ) >> 0 xe0 ) { return ; } // ... code omitted for brevity revert ( memory [0 x60 :0 xc4 ]) ; }

Listing 1.2. Code snippet from decompiled contract (tagged as MEV bot) showing OpAl -like pattern. Notice that ~0x00 corresponds to −1 in Two’s complement.

7

Mitigation Strategies Against OpAl

Having outlined the principles behind algorithmic double-spending, we now discuss possible prevention or mitigation strategies. Hereby, we broadly distinguish between two categories: i) Approaches that address instability in consensus, i.e., a lack of finality. ii) Approaches that seek to limit the effects of semantic malleability. Finally, we discuss if the characterization of blockchains as replicated state machines is accurate in light of semantic malleability. Mitigating OpAl Through Stronger Consensus Guarantees: Essentially, the majority of distributed ledgers rely on consensus to agree upon the order of transactions among participants in order to prevent double-spending [21]. Thus, one possible defensive approach against OpAl attacks is to prevent players from concurrently interacting with malleable ledger state until it is sufficiently stable. In this regard, it appears advantageous to achieve fast and guaranteed consensus finality, which remains an active research topic for decentralized ledger designs [41]. Our Definition (Definition 1) of double-spending highlights the requirement of some stale or invalid system state in order to fool a victim. The existence of hasty players who are willing to act upon such state renders double-spending attacks feasible in practice, even if the consensus protocol in principle could provide stronger guarantees. In this regard, effective mitigation strategies to combat double-spending may also entail the stricter enforcement of safe interaction patterns in client software and cryptocurrency wallets, and a better understanding of the behavior and mental models of cryptocurrency users [34].

60

N. Stifter et al.

However, if the security assumptions of the underlying system are compromised, in particular, Nakamoto-style distributed ledgers can suffer from deep forks where previously assumed stable ledger state is reverted. Aside from the potential of targeted attacks against the protocol [1,48], technical failures8 can also lead to such a violation of the security assumptions [31,35]. Notice that in this regard there is a crucial difference between OpAl and equivocation-based double-spending. In the latter, an adversary has to actively monitor the network for forks and disseminate conflicting double-spending transactions that are at risk of being easily detected and prevented at the peer-to-peer layer [20,27]. OpAl attacks and algorithmic double-spending, on the other hand, may prove particularly severe. Any transaction that was included in a blockchain that is replayed on a fork faces the risk of triggering a hidden OpAl attack. If a fork in excess of k blocks occurs, triggered OpAl attacks have a high probability of success. A possible mitigation strategy to limit the effects of OpAl in deep forks is the utilization of checkpointing [26]. Another line of research seeks to strengthen the guarantees of Nakamoto consensus by achieving consensus finality [13,41]. It may also be preferable to sacrifice liveness by halting execution rather than risking systemic risk through OpAl attacks. Mitigating Semantic Malleability: As we have shown in Sects. 2 and 3, semantic malleability lies at the core of enabling algorithmic double-spending. Semantically malleable transactions allow for different state transitions, depending on the input state and execution environment at the time of processing – a property that is generally observed within smart contract platforms. In this regard, we believe that the expressive transaction semantics associated with smart contract functionality poses a fundamental challenge when trying to combat algorithmic double-spending. Drawing upon the concept of guard functions from Luu et al. [32] and context sensitive transactions Gaˇzi et al. [19] and Botta et al. [4] rely on, transaction validity should more explicitly be constrained to input states that only lead to desirable outcomes for the sender. While such patterns do not prevent the possibility of algorithmic double-spending, they can avert that a user’s transaction executes in a state that leads to an undesirable outcome. In light of recent research in regard to order-fairness in consensus [28,55], the aforementioned pattern could also help to mitigate the potential negative impact of malicious orderings. Similar to the concept of the Let’s Go Shopping Defense [23], a highly questionable mitigation strategy might be to oneself proactively engage in OpAl (counter-) attacks in order to reduce counterparty risk and try to hedge against the potentially detrimental effects of any deep blockchain fork, should it ever occur. Another mitigation strategy by which to address semantic malleability and algorithmic double-spending is through the analysis and classification of transaction semantics, in order to try and identify potential threats and malicious behavior. Hereby, the challenges lie on the one side, in finding efficient techniques for static and dynamic code analysis that can be applied, in real-time, to identify 8

We note that scheduled protocol updates carry a risk of unintentional forks, and an adversary may try to leverage this by performing OpAl transactions at that time.

OpAl : How I Learned to Stop Worrying and Love the Fork

61

potentially malicious transactions before they are processed, and on the other side, in how to define what is considered malicious behavior and also enforce any transaction rejection policies within decentralized systems [16,17,52,53]. For platforms that do not support expressive transaction semantics, it may appear that the solution to this problem is to enforce only a single valid state transition for transactions, such as the EUTXO model [7] employed by Cardano. However, in this case the possibility of algorithmic double-spending still arises if the validity of a transaction can be tied to particular ledger states, which is generally the case. In the UTXO model of Bitcoin [2], transaction expressiveness and access to ledger state are sufficiently constrained to prevent practicable OpAl attacks, apart from the possibility of using recent coinbase transactions to limit replay validity in case of deep-forks. However, since the mechanism design of most cryptocurrencies relies on the issuance of rewards to incentivize participation [6], it is unclear if the underlying issue could be completely avoided in practice. 7.1

Can Blockchains Be Characterized as State Machines?

In his seminal work on the state machine approach, F. B. Schneider provides the following semantic characterization of a replicated state machine (RSM): “Outputs of a state machine are completely determined by the sequence of requests it processes, independent of time and any other activity in a system.” [43] Interestingly, while blockchains are often considered to realize RSMs, e.g., in the model we adopt from Luu et al., we observe (Sect. 4) that in practice, ledger designs appear to actually deviate from this characterization. First, consider the herein discussed property of semantic malleability in transactions. Semantic malleability in itself does not violate the above characterization, as a mere reordering of transactions, i.e., requests, may lead to semantic malleability without requiring any access to time or activity within the system. However, in practice, ledger designs often allow transaction semantics to depend on external ledger context that is not solely defined by such requests, i.e., time or other external data (See Sect. 5). In essence, being able to define functions that can act upon such context within transaction semantics, such as previous block hashes, the block height, coinbase transactions, or block time, can cause a violation of replay equivalence or eventual replay validity, both of which can be directly derived as required properties of a RSM from the above characterization. Second, blockchain designs generally offer rewards as an incentive mechanism for block producers to participate in the consensus protocol. Under the assumption that a block merely represents an ordered set of transactions, i.e., requests, and transactions can not access any external state defined within blocks, this model would appear to realize a RSM. However, if we include the fact that block rewards represent transactions or state transitions that depend on a particular external state, namely the block itself that justifies the reward, the model is no longer independent of the system state. We note that one possibility to amend this issue is to either include the creation of blocks as requests, or model state updates entirely from the perspective of blocks and not at the transaction level. The latter approach is, for instance,

62

N. Stifter et al.

taken by formal models that analyze Nakamoto consensus [18,42]. Nevertheless, even if one considers state machine replication only from the perspective of blocks and not individual transactions, there can still exist external dependencies on the environment, in particular on time. Consider that receiving late or early blocks may render them (temporarily) invalid by the protocol rules, leading to different possible interpretations of the same sequence of requests and resulting final state depending on the current system time.

8

Conclusion

We have described and analyzed a novel class of double-spending attacks, called (opportunistic) algorithmic double-spending (OpAl ), and shown that OpAl can readily be realized in stateful smart contract platforms, by presenting a proofof-concept implementation for EVM-based designs. OpAl itself does not increase the likelihood or severity of blockchain forks, which are a prerequisite for most double-spending attacks. Instead, OpAl allows regular transactions performed by anyone to opportunistically leverage forking events for double-spending attacks while evading common detection strategies and offering a degree of plausible deniability. A particularly worrying property of OpAl is the ability for already processed transactions to trigger hidden double-spending attacks whenever they are replayed in a fork. Hereby, our empirical analysis of 922 562 transaction traces in Ethereum reveals that transactions with OpAl -like semantics already exist in practice. While these transactions are likely intended for a different use case, the effect in case of a fork could still lead to unintentional double-spending. Attacks or technical failures that lead to deep forks may hence pose an even greater systemic risk than previously assumed. It would appear that the most promising mitigation strategy against OpAl is achieving fast consensus finality, combined with avoiding semantic malleability in transactions. Acknowledgements. This material is based upon work partially supported by (1) the Christian-Doppler-Laboratory for Security and Quality Improvement in the Production System Lifecycle; The financial support by the Austrian Federal Ministry for Digital and Economic Affairs, the Nation Foundation for Research, Technology and Development and University of Vienna, Faculty of Computer Science, Security & Privacy Group is gratefully acknowledged; (2) SBA Research; the competence center SBA Research (SBA-K1) funded within the framework of COMET Competence Centers for Excellent Technologies by BMVIT, BMDW, and the federal state of Vienna, managed by the FFG; (3) the FFG Industrial PhD projects 878835 and 878736. (4) the FFG ICT of the Future project 874019 dIdentity & dApps. (5) the European Union’s Horizon 2020 research and innovation programme under grant agreement No 826078 (FeatureCloud). We would also like to thank our anonymous reviewers for their valuable feedback.

OpAl : How I Learned to Stop Worrying and Love the Fork

63

References 1. Apostolaki, M., Zohar, A., Vanbever, L.: Hijacking bitcoin: routing attacks on cryptocurrencies. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 375–392. IEEE (2017) 2. Atzei, N., Bartoletti, M., Lande, S., Zunino, R.: A formal model of bitcoin transactions. In: Meiklejohn, S., Sako, K. (eds.) FC 2018. LNCS, vol. 10957, pp. 541–560. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-662-58387-6 29 3. Badertscher, C., Gaˇzi, P., Kiayias, A., Russell, A., Zikas, V.: Ouroboros genesis: composable proof-of-stake blockchains with dynamic availability. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 913–930 (2018) 4. Botta, V., Friolo, D., Venturi, D., Visconti, I.: Shielded computations in smart contracts overcoming forks. In: Financial Cryptography and Data Security-25th International Conference, FC, pp. 1–5 (2021) 5. Br¨ unjes, L., Gabbay, M.J.: UTxO- vs account-based smart contract blockchain programming paradigms. In: Margaria, T., Steffen, B. (eds.) ISoLA 2020. LNCS, vol. 12478, pp. 73–88. Springer, Cham (2020). https://doi.org/10.1007/978-3-03061467-6 6 6. Carlsten, M., Kalodner, H., Weinberg, S.M., Narayanan, A.: On the instability of bitcoin without the block reward. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 154–167. ACM (2016) 7. Chakravarty, M.M.T., Chapman, J., MacKenzie, K., Melkonian, O., Peyton Jones, M., Wadler, P.: The extended UTXO model. In: Bernhard, M., et al. (eds.) FC 2020. LNCS, vol. 12063, pp. 525–539. Springer, Cham (2020). https://doi.org/10. 1007/978-3-030-54455-3 37 8. Corduan, J., Vinogradova, P., Gudemann, M.: A formal specification of the cardano ledger (2019) 9. Daian, P., et al.: Flash boys 2.0: frontrunning in decentralized exchanges, miner extractable value, and consensus instability. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 910–927. IEEE (2020) 10. David, B., Gaˇzi, P., Kiayias, A., Russell, A.: Ouroboros praos: an adaptively-secure, semi-synchronous proof-of-stake blockchain. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 66–98. Springer, Cham (2018). https:// doi.org/10.1007/978-3-319-78375-8 3 11. Delgado-Segura, S., P´erez-Sol` a, C., Navarro-Arribas, G., Herrera-Joancomart´ı, J.: Analysis of the bitcoin UTXO set. In: Zohar, A., et al. (eds.) FC 2018. LNCS, vol. 10958, pp. 78–91. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-66258820-8 6 12. Di Angelo, M., Salzer, G.: Wallet contracts on ethereum. In: 2020 IEEE International Conference on Blockchain and Cryptocurrency (ICBC), pp. 1–2. IEEE (2020) 13. Dinsdale-Young, T., Magri, B., Matt, C., Nielsen, J.B., Tschudi, D.: Afgjort: a partially synchronous finality layer for blockchains. In: Galdi, C., Kolesnikov, V. (eds.) SCN 2020. LNCS, vol. 12238, pp. 24–44. Springer, Cham (2020). https:// doi.org/10.1007/978-3-030-57990-6 2 14. Eskandari, S., Moosavi, S., Clark, J.: SoK: transparent dishonesty: front-running attacks on blockchain. In: Bracciali, A., Clark, J., Pintore, F., Rønne, P.B., Sala, M. (eds.) FC 2019. LNCS, vol. 11599, pp. 170–189. Springer, Cham (2020). https:// doi.org/10.1007/978-3-030-43725-1 13

64

N. Stifter et al.

15. Ethereum Community: Issue#134 ethereum/eips (2016). https://github.com/ ethereum/EIPs/issues/134 16. Ferreira Torres, C., Baden, M., Norvill, R., Jonker, H.: Ægis: smart shielding of smart contracts. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 2589–2591 (2019) 17. Ferreira Torres, C., Iannillo, A.K., Gervais, A., et al.: The eye of horus: spotting and analyzing attacks on ethereum smart contracts. In: International Conference on Financial Cryptography and Data Security, Grenada, 1–5 March 2021 (2021) 18. Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015). https://doi.org/10.1007/9783-662-46803-6 10 19. Gaˇzi, P., Kiayias, A., Russell, A.: Stake-Bleeding Attacks on Proof-of-Stake Blockchains. Cryptology ePrint Archive, Report 2018/248 (2018) 20. Grundmann, M., Neudecker, T., Hartenstein, H.: Exploiting transaction accumulation and double spends for topology inference in bitcoin. In: Zohar, A., et al. (eds.) FC 2018. LNCS, vol. 10958, pp. 113–126. Springer, Heidelberg (2019). https://doi. org/10.1007/978-3-662-58820-8 9 21. Guerraoui, R., Kuznetsov, P., Monti, M., Pavloviˇc, M., Seredinschi, D.A.: The consensus number of a cryptocurrency. In: Proceedings of the 2019 ACM Symposium on Principles of Distributed Computing, pp. 307–316 (2019) 22. Iqbal, M., Matuleviˇcius, R.: Exploring sybil and double-spending risks in blockchain systems. IEEE Access 9, 76153–76177 (2021) 23. Judmayer, A., Stifter, N., Schindler, P., Weippl, E.: Estimating (miner) extractable value is hard, let’s go shopping! In: 3rd Workshop on Coordination of Decentralized Finance (CoDecFin) (2022, to appear) 24. Judmayer, A., et al.: Pay to win: cheap, crowdfundable, cross-chain algorithmic incentive manipulation attacks on pow cryptocurrencies (2019). https://ia. cr/2019/775 25. Judmayer, A., et al.: SoK: algorithmic incentive manipulation attacks on permissionless PoW cryptocurrencies. In: Bernhard, M., et al. (eds.) FC 2021. LNCS, vol. 12676, pp. 507–532. Springer, Heidelberg (2021). https://doi.org/10.1007/978-3662-63958-0 38 26. Karakostas, D., Kiayias, A.: Securing proof-of-work ledgers via checkpointing. In: 2021 IEEE International Conference on Blockchain and Cryptocurrency (ICBC), pp. 1–5. IEEE (2021) 27. Karame, G.O., Androulaki, E., Capkun, S.: Double-spending fast payments in bitcoin. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 906–917 (2012) 28. Kelkar, M., Zhang, F., Goldfeder, S., Juels, A.: Order-fairness for byzantine consensus. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 451–480. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1 16 29. Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: a provably secure proof-of-stake blockchain protocol. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 357–388. Springer, Cham (2017). https://doi.org/10.1007/ 978-3-319-63688-7 12 30. Kolluri, A., Nikolic, I., Sergey, I., Hobor, A., Saxena, P.: Exploiting the laws of order in smart contracts. In: Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 363–373 (2019)

OpAl : How I Learned to Stop Worrying and Love the Fork

65

31. Lovejoy, J.P.T.: An empirical analysis of chain reorganizations and double-spend attacks on proof-of-work cryptocurrencies. Master’s thesis, Massachusetts Institute of Technology (2020) 32. Luu, L., Chu, D.H., Olickel, H., Saxena, P., Hobor, A.: Making smart contracts smarter. In: 23rd ACM Conference on Computer and Communications Security (ACM CCS 2016) (2016) 33. Maersk, N.: Thedaohardforkoracle (2016). https://github.com/veox/soliditycontracts/blob/TheDAOHardForkOracle-v0.1/TheDAOHardForkOracle/ TheDAOHardForkOracle.sol 34. Mai, A., Pfeffer, K., Gusenbauer, M., Weippl, E., Krombholz, K.: User mental models of cryptocurrency systems-a grounded theory approach. In: Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020), pp. 341–358 (2020) 35. McCorry, P., Heilman, E., Miller, A.: Atomically Trading with Roger: gambling on the success of a hardfork. In: CBT 2017: Proceedings of the International Workshop on Cryptocurrencies and Blockchain Technology (2017) 36. McCorry, P., Hicks, A., Meiklejohn, S.: Smart contracts for bribing miners. In: Zohar, A., et al. (eds.) FC 2018. LNCS, vol. 10958, pp. 3–18. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-662-58820-8 1 37. Meissner, R.: Gnosis community: Gnosis safe contracts - Executor.sol. https:// github.com/safe-global/safe-contracts/blob/main/contracts/base/Executor.sol. Accessed 28 May 2022 38. Nakamoto, S.: Bitcoin: A Peer-to-Peer Electronic Cash System (2008) 39. Natoli, C., Gramoli, V.: The blockchain anomaly. In: 2016 IEEE 15th International Symposium on Network Computing and Applications (NCA), pp. 310–317. IEEE (2016) 40. Nayak, K., Kumar, S., Miller, A., Shi, E.: Stubborn mining: generalizing selfish mining and combining with an eclipse attack. In: 1st IEEE European Symposium on Security and Privacy. IEEE (2016) 41. Neu, J., Tas, E.N., Tse, D.: Ebb-and-flow protocols: a resolution of the availabilityfinality dilemma. In: 2021 IEEE Symposium on Security and Privacy (SP), pp. 446–465. IEEE (2021) 42. Pass, R., Seeman, L., Shelat, A.: Analysis of the blockchain protocol in asynchronous networks. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 643–673. Springer, Cham (2017). https://doi.org/10.1007/ 978-3-319-56614-6 22 43. Schneider, F.B.: Implementing fault-tolerant services using the state machine approach: a tutorial. ACM Comput. Surv. (CSUR) 22(4), 299–319 (1990) 44. Schwarz-Schilling, C., Neu, J., Monnot, B., Asgaonkar, A., Tas, E.N., Tse, D.: Three attacks on proof-of-stake ethereum. In: International Conference on Financial Cryptography and Data Security (2022) 45. Sergey, I., Hobor, A.: A concurrent perspective on smart contracts. In: Brenner, M., et al. (eds.) FC 2017. LNCS, vol. 10323, pp. 478–493. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70278-0 30 46. Sompolinsky, Y., Zohar, A.: Bitcoin’s Security Model Revisited. arXiv preprint arXiv:1605.09193 (2016) 47. Todd, P.: Op checklocktimeverify (2014). https://github.com/bitcoin/bips/blob/ master/bip-0065.mediawiki 48. Tran, M., Choi, I., Moon, G.J., Vu, A.V., Kang, M.S.: A stealthier partitioning attack against bitcoin peer-to-peer network. In: Proceedings of IEEE Symposium on Security and Privacy (IEEE S&P) (2020)

66

N. Stifter et al.

49. Victor, F., L¨ uders, B.K.: Measuring ethereum-based ERC20 token networks. In: Goldberg, I., Moore, T. (eds.) FC 2019. LNCS, vol. 11598, pp. 113–129. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-32101-7 8 50. Wohrer, M., Zdun, U.: Smart contracts: security patterns in the ethereum ecosystem and solidity. In: 2018 International Workshop on Blockchain Oriented Software Engineering (IWBOSE), pp. 2–8. IEEE (2018) 51. Wood, G., et al.: Ethereum: a secure decentralised generalised transaction ledger. Ethereum Project Yellow Paper 151(2014), 1–32 (2014) 52. Wu, L., et al.: EthScope: A Transaction-centric Security Analytics Framework to Detect Malicious Smart Contracts on Ethereum. arXiv:2005.08278 (2020). arXiv: 2005.08278 53. Zhang, M., Zhang, X., Zhang, Y., Lin, Z.: {TXSPECTOR}: uncovering attacks in ethereum from transactions. In: 29th {USENIX} Security Symposium ({USENIX} Security 2020), pp. 2775–2792 (2020) 54. Zhang, R., Preneel, B.: Lay down the common metrics: evaluating proof-of-work consensus protocols’ security. In: 2019 IEEE Symposium on Security and Privacy (SP). IEEE (2019) 55. Zhang, Y., Setty, S., Chen, Q., Zhou, L., Alvisi, L.: Byzantine ordered consensus without byzantine oligarchy. In: 14th {USENIX} Symposium on Operating Systems Design and Implementation ({OSDI} 2020), pp. 633–649 (2020) 56. Zhou, L., Qin, K., Torres, C.F., Le, D.V., Gervais, A.: High-frequency trading on decentralized on-chain exchanges. In: 2021 IEEE Symposium on Security and Privacy (SP), pp. 428–445. IEEE (2021)

Zero-History Confidential Chains with Zero-Knowledge Contracts: A New Normal for Decentralized Ledgers? Jayamine Alupotha(B) , Xavier Boyen, and Matthew McKague Queensland University of Technology, Brisbane, QLD 4000, Australia [email protected]

Abstract. Popular public blockchains face many problems due to their catastrophic blockchain sizes and verification time, e.g., lack of peer scalability, high computational fees, and impractical overheads for syncing. The origin of these problems is preserving everything that comes with the architecture of “append-only” blockchains, e.g., Bitcoin, Ethereum, Hyperledger, etc. Zero-history blockchains like Origami address the root of these problems by removing the history. We propose two Origami confidential chains, classical and quantum-safe, with zero-knowledge contracts. This paper demonstrates that zero-history blockchains should be the new normal blockchain structure due to their high scalability even with post-quantum settings and zero-knowledge contracts. Keywords: Scalability · Confidential transaction cryptography · Zero-knowledge proofs

1

· Post-quantum

Introduction

Blockchain scalability is commonly measured by the maximum Transactions per Second (TPS), which was inherited from traditional distributed systems. We call this axiom client scalability. However, unlike centralized distributed systems, decentralized blockchains’ security depends on an overlooked scalability axiom, peer scalability, or the affordability of a fully verifiable blockchain since blockchain networks are not secure if peers can not afford to fully verify blockchain copies. Also, the lack of peer scalability causes impractical overheads for syncing and expensive contract computations. Three properties make scalability worse; (1) smart contracts, (2) enhanced privacy, and (3) post-quantum security since blockchains have to store more data and perform more verifications to achieve these properties. Therefore, many blockchains give up all or some of these properties. We show that by changing blockchain structure from append-only to zero-history Origami [3], we can achieve high peer scalability even with (1) confidential coins, (2) zero-knowledge contracts, and (3) post-quantum security. Let us explain why1 . 1

We do not endorse any cryptocurrency, consensus, or digital signature except their security and scalability. We use “quantum-safe” to mean “plausibly-quantum-safe”.

c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 67–88, 2022. https://doi.org/10.1007/978-3-031-17140-6_4

68

J. Alupotha et al.

Immutability in Blockchains. Assume P1 sends the incentives (supply coins) received from the consensus mechanism to P2 . A full chain stores two transactions and two transaction headers under some consensus proof, a.k.a. block header. A transaction header contains a summation proof —input coins are equal to output coins—and an ownership proof —a signature set to show that coins are not stolen. A consensus proof shows that the consensus community accepted the transaction headers. For example, append-only chains’ blocks combine a set of transactions together, and the root of these transaction headers’ hash tree (Merkle-tree [49]) is signed by authorities in PoA (Proof-of-Authority) [24]) or the highest stakeholder in PoS (Proof-of-Stake) [8,42] or is used to solve a computational puzzle in PoW (Proof-of-Work) [53]. Once the block header settles in the consensus-accepted block header set, no one can change the transactions. From now on, we use “header” to denote “transaction headers”. What Is Zero-History? Zero-history blockchains [3,9,17,22,36,50,63,69,70] have special transaction headers that contain Vector Commitments (VC) [18], Universal Accumulators [7,35,45,71], or activity proofs [3]. In the previous example, a zero-history blockchain keeps both headers but removes P1 ’s spent coin record and shows P2 ’s unspent coin record. Still, a zero-history blockchain and removed spent coin records are immutable due to these special headers, i.e., P1 and P2 can not claim they had/have different coin values, or P3 who did/does not have any coins can not claim that P3 had/has coins. Hence, syncing chain copies is faster with zero-history blockchains since these special headers are fixed-sized tiny metadata, and zero-history chains do not have spent coins. Why Are Append-Only Blockchains Not Zero-History? Append-only blockchains use direct hashes to preserve their headers. As a result, the headers themselves can not guarantee the immutability of an incomplete chain, e.g., P3 can claim that he/she has coins showing an incomplete chain for the consensus-accepted block headers. Therefore, the peers must download multiple copies of the complete chains to identify the correct version during syncing. This adds a huge overhead and reduces the scalability. The only way to reduce this overhead is to rely on trusted third parties (light-nodes [26,41,44,52,56,61], pruning [50,57], and [53]) which zero-history blockchains solve without any trusted components. Zero-History with Origami. Origami foldable data structure [3] is an activityproof-based account zero-history blockchain, i.e., each user has a long-term account, and zero-history chains store one coin record per account. These activity proofs are tiny and quantum-safe, e.g., 33 or 49 bytes per transaction for classical or quantum 128-bit security, unlike 1 KB VCs with 100-bit classical security [9] or >4 KB accumulators with 128-bit classical security [46]. Also, Origami supports any signature scheme, and using quantum-safe signatures gives a quantum-safe zero-history blockchain. The main advantage of Origami is storing a minimal number of signatures due to “one-signature per account” rule, unlike other chains with “one-signature per coin record/transaction”. According to statistics [30,53], other blockchains store at least 7 times more signatures than Origami since total accounts ≈ 0.13 × total transactions ≈ 0.05 × total coin records.

Zero-History Confidential Chains with Zero-Knowledge Contracts

69

Problems of Current Zero-History Blockchains. Privacy is an important aspect of decentralized public payments. Confidential Transactions (CTs) [1,5,6,28,29, 31,39,54,59,60,68] improve privacy by hiding real coin amounts in confidential coins. Due to the advances in quantum computing, several quantum-safe (or believe-to-be quantum-secure) CT protocols have been proposed [1,6,28,29,73]. However, they are not compatible with zero-history blockchains since the special headers can not prove the summations of confidential coins unlike with plain-text coins. Simply, current zero-history blockchains need zero-knowledge summation proofs—hide everything except that input coins are equal to output coins—to prevent illegal coin generation in confidential transactions. Smart contracts are contract-type programs that can be added to blockchain transactions, unspent coin amounts, or accounts. Verifiers and block creators execute these programs and accept if the program returns TRUE; otherwise, or for a FALSE, reject the transaction. For example, if there is a smart contract attached to an unspent coin amount, the next transaction which spends those coins must satisfy the conditions in the contract. Smart contracts are also decentralized since the entire blockchain community manages contracts rather than a central party. Therefore, smart contracts bring the benefits of decentralization to many applications by eliminating the trusted third parties, e.g., malicious escrows in buying/selling and bias combiners in federated machine learning. A question was how to build contracts for CTs since private computations should be done on confidential coins without revealing them. A solution is Confidential Integer Processing [4] (CIP), which is a generic zero-knowledge programming protocol— reveals nothing except the program’s path for the given confidential integers. However, it is unknown how to implement CIP or any other contract mechanism for zero-history blockchains since the contract execution needs spent coin records. Our Contribution. We introduce Immutable Zero-History Confidential Chains (ZCC) with proper summation proofs that fold spent coin history into tiny activity proofs. Yet, a zero-history chain (unspent coin records and activity proofs) is fully verifiable without any trusted third parties unlike append-only blockchains’ light nodes. Also, given the same removed spent coin record, anyone can verify its existence using activity proofs, called unfolding. We provide two protocols; ZCC-DLP and ZCC-SIS, based on the Discrete Logarithmic problem (DLP) and Approximate Modular Shortest Integer Solution problem [20] (Approx-SIS), respectively. They are compatible with Confidential Integer Processing protocols (CIP-DLP and CIP-SIS) and Origami zero-history blockchains. Our ZCC protocols provide the following cryptographic features. 1. Zero-Knowledge - ZCCs transact confidential coins that hide the real coin amount yet provide cryptographic protocols—summation and ownership proofs—to verify that the hidden coins are not overspent, double-spent, negative, and overflowed. Similarly, ZCCs’ smart contracts are zero-knowledge, or the contracts do not reveal anything about input confidential coins or confidential integers defined in the contracts except the program’s path. 2. Zero-History with Contracts - The spent coin records can be safely removed while leaving activity proofs (called folding the blockchain), and the existence

70

J. Alupotha et al.

of the removed spent coin records can be verified using the preserved activity proofs (or unfolding the blockchain). If the spent coin record is linked to a contract, ZCCs preserve it for execution. According to the statistics [23,30], only 5%–10% transactions have contracts. Hence, ZCCs can support contracts while reducing space significantly, e.g., our experiments show 74% size reduction when the contracts per transaction are 10%. 3. Immutability - A zero-history blockchain is immutable, i.e., no polynomialtime adversary can find two different zero-history or complete blockchains for the same activity proof set. Hence, syncing of zero-history chains is faster and does not need trusted parties leading to highly scalable blockchains. 4. sEUF-CDA (strong Existential Unforgeability under Chosen Data Attack) No polynomial-time adversary can steal coins of an honest user and create a zero-history blockchain even if the entire network is dishonest. Note that the consensus mechanisms can fail from time to time for a small period in actual implementations due to the lack of honest participants, e.g., less than 2/3 for PoA and 1/2 for PoW. However, sEUF-CDA ensures that no one can steal coins during these periods even if the blockchain is zero-history. Main Contribution. We implement ZCC-SIS with CIP based “Rahas Contracts” (means secret in Sinhalese) on Origami for 32-bit and 56-bit numbers. We use two digital signatures; Dilithium [47,62] and XMSS [14], to show that our quantumsafe ZCC-SIS and Rahas contracts are compatible with any actively secure digital signature scheme despite the design. Our main contribution is experimentally proving that zero-history blockchains can support smart contracts and confidential transactions and still be more scalable than any other blockchain according to the real-world statistics, even with the properties that make scalability worse; enhanced privacy, in the zero-knowledge domain and post-quantum setting, e.g., ZCCs are capable of running quantum-safe zero-knowledge contracts like Listing 1.1 (a confidential escrow) while obtaining 50% - 75% size reduction. Related Work. Append-only blockchains [53,55,64,72] do not provide any data removal since the entire blockchain is hashed and taken into the consensus verification, e.g., via Merkle roots [49]. On the other side, “stateless” or zero-history chains [3,9,17,22,36,50,63,69,70] allow removal of spent coin records. Yet, given the same data record, anyone can verify that they were in the blockchain. Except [3], others have not provided proper security proofs considering a cryptographic consensus mechanism. However, we believe that they are zero-history. More importantly, a zero-history blockchain with deleted data can be verified without a trusted third party, unlike light-nodes [26,41,44,50,52,53,56,57,61]. Currently, many transparent blockchains support smart contracts. However, these cryptocurrencies are not confidential. [5,19,31,37,39,48,55,59,65] introduced confidential cryptocurrencies that hide coin amounts. Similarly, [1,6,28,29,73] introduced quantum-safe confidential transactions. Integrating smart contracts into these cryptocurrencies is a fascinating cryptographic problem since contracts have to do computations on commitments that are secured with independent masking keys (a.k.a. blinding key). Hence, private contracts

Zero-History Confidential Chains with Zero-Knowledge Contracts

71

30

1250

MatRiCT+ without Contracts 1000 ZCC-Dilithium56 with Contracts

Monero without Contracts ZCC-Schnorr with Contracts Size (MB)

Size (MB)

20 750

500

10

250

0

0

2000

4000

6000

8000

2000

10000

4000

6000

8000

10000

Transactions

Transactions

Fig. 1. (Experimental) Quantum-safe CTs. For 64-bit MatRiCT+, coins (cn) are 4.48 KB, public keys are 3.4 KB, and (2 → 2) proofs are 47 KB at 1/11 anonymity. 56-bit ZCC-SIS has 10% contracts (≈ 370 KB).

Fig. 2. (Theoretical) Classical CTs. For Monero, coins (cn) are ≈ 0.7 KB at 1/11 anonymity. 56-bit ZCC-Schnorr [66] has 10% contracts per transactions (≈ 3 KB) and 5 transactions per account.

[10–13,15,21,25,33,38,40,43,67,74] compatible with transparent chains, e.g., Ethereum [72] are not secure for confidential chains since (1) zero-knowledge arithmetic circuits or homomorphic encryption need blinding keys to be shared with other participants and (3) outsourcing computations to Trusted Execution Environments (TEE) is not ideal for blockchains since anyone can be malicious. Confidential Integer Processing (CIP) [4] is a modular zero-knowledge programming protocol with insiders’ zero-knowledge (opposite of arithmetic circuits and homomorphic encryption) where the blinding keys are not shared. Also, CIP programs allow early terminations without always processing the full arithmetic circuit. Our ZCCs build Rahas contracts using CIP since they are secure for confidential blockchains (insiders’ zero-knowledge) and contract execution cost (size and verification time) depends on the inputs’ execution path, not the full circuit (modularity). Table 1. A Comparison of Blockchain Architectures. Notes: “+” - Aggregable, “PQ”Post Quantum, O(a), O(t), and O(t×x) - linear in total accounts, transactions, and coin records (transaction × outputs per transactions), respectively, “Plausible ZeroHistory” - No security proofs are given but we believe that they are zero-history. Work

Header

+ CT PQ

Zero-History Contracts Signatures

Append-Only [53, 55, 64, 72]

Merkle-Tree

✗ ✗

✗

✗

✓

Ring CT [37, 48, 55, 65]

Merkle-Tree

✗ ✓

✗

✗

✗

O(t) or O(t×x)

Ring PQ CT [1, 28, 29]

Merkle-Tree

✗ ✓

✓

✗

✗

O(t) or O(t×x)

Aggregable CT [5, 6, 31, 39, 59, 73]

Signatures

✓ ✓

✗

✗

✗

O(t)

Aggregable PQ CT [6, 73]

carry proofs

✓ ✓

✓

✗

✗

O(t)

Stateless [9, 22, 69, 70] [17, 36, 50, 63] VC Accumulators ✓ ✗

✗

plausibly

✗

O(t)

O(t) or O(t×x)

Origami [3]

Activities

✓ ✗

both ✓

✗

O(a)

Our ZCC-DLP

Activities

✓ ✓

✗

✓

✓

O(a)

Our ZCC-SIS

Activities

✓ ✓

✓

✓

✓

O(a)

72

J. Alupotha et al.

Aggregable CTs like Mimblewimble [5,6,6,31,39,59,73,73] support transaction cut-through which deletes spent coins. Even though the idea of zero-history started with them, their transaction headers are malleable—owners can forge the history—and can not provide immutability. Figure 1 and Fig. 2 show sizes of our 56-bit integer ZCC-SIS versus Quantum-safe MatRiCT+ [28] and (Theoretical) ZCC-DLP with Schnorr signatures [66] versus Monero [55] (Table 1).

2

Preliminaries

Notation. For a cyclic group G = g, g denotes a generator of the group G. Z+ q = Z/qZ is a ring of modular integers in the range [0, q − 1] for modulus q. q−1 Zq = Z/qZ is a ring of modular integers in the range [− q−1 2 , 2 ] for an odd q. N k X is a polynomial ring of Z[X]/[X + 1] with degree N = 2 for some integer k > 0. Xq is a fully splitting ring of Zq [X]/[X N + 1] over q such that q ≡ 1 (mod 2N ). A polynomial aN −1 X N −1 + .. + a1 X + a0 ∈ Xq is denoted as a = [a0 , ..aN −1 ] when each coefficient is in Zq . Bold letters like a and a denote vectors  denotes a matrix of polynomials. and polynomial vectors, respectively. Also, A ∗ ∗ a = max([|ai |]i=0 ) is the infinite norm, and a1 is i=0 |ai |. We set q to be prime all the time, and q > 22L+5 for L-bit integer constructions. lowbitsp (v ) denotes log2 p number of v’s low-bits, and highbitsp (v) is v − lowbitsp (v). $ −M denotes that m is drawn uniformly at random Also, upp (v) = v · 2log2 p . m← from a set M. (λ) = 1/o(λc ) is a negligible function ∀c ∈ N. We use pp, λ, and A for public parameters, security level, and p.p.t. adversaries, respectively. Definition 1 (Computational Hiding). Two distributions generated from public ppλ ; D0 (ppλ ) and D1 (ppλ ) are indistinguishable or D0 ≈ D1  parameters   ?  $ $ 1   if 2  2 − P r b = b |b ← − [0, 1]; k ← − Db ; b ← A(ppλ , k)  ≤ (λ) for any A. Definition 2 (Discrete Log Problem). For G = g of prime order q, AdvDL G ?

$

$

x for an adversary A is defined as, AdvDL − G, x ← − A(y)]. the G,A := P r[y = g | y ← DL problem is (τ, e)-hard if A(τ, e) runs it at most τ times and AdvDL G,A ≤ e.

Definition 3 (Approximate Inhomogeneous Module Short Integer Solution Problem (Approx-SIS)). The advantage of A solving approx-SIS $ $  s−  ←  ← of pp = (n, m, q, γ, γ  , N ) is P r[ s ≤ γ ∧ H y  ≤ γ  |H − Xn×m ;y − q  y  ← A(ppλ,L , H,  )] after one execution (see [20]). Xn ; s q

Zero-History Confidential Chains with Zero-Knowledge Contracts

73

Hints. During polynomial multiplications, the error grows quickly since approxSIS only takes higher bits of polynomial coefficients. To fix those errors, we use hints similar to [62]. These hint polynomial vectors have coefficients of {−1, 0, 1} and hold at most χ number of ±1.     hints(χ,  a, b ∈ Xn a−b ∈ Xn q ): h =  q ; if h>1 ∧ h1 >χ: return ⊥; else return h n a, h ∈ Xq ): if h>1 ∧ h1 >χ: return ⊥; else return b =  a−h ∈ Xn use hints(χ,  q

Activity Proofs. Let there be a multiplicative cyclic group H of prime order q  > 22λ and a collision-resistant hash function family H0 : {0, 1}∗ → H that maps any bit string into H. Let there be a set of accounts [acci :(pki , mi )]∗i=0 such that each account i is uniquely identifiable by its public key pki . An activity proof ∗   ∗ that updates the accounts’ data  from [acci :(pki , m i )]i=0 to [acci :(pki , mi )]i=0 is ∗ ∗  ∗  −1 activity([pki , mi , mi ]i=0 ) : δ = i=0 H0 (pki , mi )( i=0 H0 (pki , mi )) ∈ H. Definition 4 (Immutability). Activity proofs are immutable against any A if P r[δ =? activity(pk1 , m1 , m1 ) ∧ δ =? activity(pk2 , m2 , m2 ) ∧ (pk1 , m1 , m1 )= (pk2 , m2 , m2 )=φ | A(q  , H) → (δ, pk1 , m1 , m1 , pk2 , m2 , m2 )] ≤ (λ). Digital Signatures. Let SIG be an actively-secure digital signature protocol. – – – –

SIG.setup(1λ ) : return ppλ  returns public parameters SIG.gen() : return (sk, pk)  returns a secret key sk and public key pk SIG.sign(sk, m) : return σ  returns a signature σ for a message m SIG.ver(pk, m, σ) : return True/False  Verification

Actively-secure signatures are complete and sEUF-CMA (strong Existential Unforgeability under (adaptively-)Chosen Message Attack). Let M be the (iterative-)message space (being secure against the universal forgery is not sufficient here.). Definition 5 (Completeness). SIG is complete if P r[SIG.ver(pk, m, σ)|(sk, $ −M)] = 1 − (λ) for any m of M. pk) ← SIG.gen(); σ ← SIG.sign(sk, m← Definition 6 (sEUF-CMA). SIG is sEUF-CMA if P r[m ∈ M ∧ (m , σ  ) ∈ Q ∧ SIG.ver(pk, m , σ  )|(sk, pk)←SIG.gen(); (m , σ  )←ASignsk (·) (pp, pk)] ≤ (λ) for a signing oracle Signsk (m). Oracle Signsk (m ∈ M) : σ ← SIG.Sign(sk, m); Q = Q ∪ {m, σ}, return σ

Generic Consensus. Let CN be a general consensus mechanism, e.g., PoA, PoS, and PoW. CN’s objective is to choose a sequential message list (e.g., transaction list) according to an agreed protocol. When CN is asked to compute a block header for new messages, CN gets the current message list and header list and computes the block header according to them. Therefore, a block header is linked to the

74

J. Alupotha et al.

given message list. Also, we define this consensus to be generic; hence they do not verify the correctness of the messages but the “integrity” of the messages, e.g., we can reuse the same consensus for DLP-based and Approx-SIS-based ZCCs. CN supports the following functionalities. – CN.setup(1λ ) : ppλ  returns the common public parameters, e.g., a list of authorities’ public keys in PoA, the method of selecting highest stakeholders in PoS, or the algorithm of the difficulty level computation in PoW. – CN.gen((M , B), resources, m) : bhead / ⊥  generates a block header using the given resources which can be an authority’s or the highest stakeholder’s signing key in PoA and PoS, respectively, or a puzzle solver in PoW. Note that this function may fail to compute the header and return ⊥. Here, (M , B) are the previously accepted messages and block headers. – CN.ver(M , B) : 0/1  verifies the integrity of a set of messages M against the set of block headers B in the chain. – CN.choose(Λ) : (M , B) ∈ Λ Blockchain Selection—selects the best available chain from chains Λ according to the consensus rules, e.g., the longest or heaviest chain (Note that choosing the best blockchain is a part of the consensus mechanism, and we do not define how it is done.) We formalize “fundamental security properties” of a generic CN below. A CN is complete if honestly generated block headers create valid blocks. Definition 7 (Completeness). Let C be a valid resource generator, and M be a valid message generator. Here, | · | is the size of the list. CN is complete if    $ $  − C, m ← − M)  bhead ← CN.gen((M , B), resources ← P r CN.ver(M , B) =1  B ∪ (|B|, bhead, |m|); ∀mi ∈ m : M ∪ (|M | + i, m) Immutability ensures that no. p.p.t. adversary can create two different message sets for the same block header set. Hence, adversaries can not forge different transaction sets for the block headers that settled in the community. Definition 8 (Immutability). CN is immutable if ?

P r[M =M  ∧ CN.ver(M , B)∧CN.ver(M  , B)|(B, M , M  )←A(pp)] ≤ (λ). Confidential Integer Processing (CIP). Briefly, CIP is a basic programming language for confidential integers denoted as c(v, k) for integer v and secret blinding key k (or a.k.a., opening). Let L be a language of primitive relations; operations (addition, multiplication, division) and conditionals  ? (range, equal, not equal, less/greater than), e.g., range(L ; v) = (v0 ∈[0, 2L )), ? mul(v0 , v1 , v2 ) = (v0 =? v1 v2 ), and neq(v1 , v2 ) = (v1 =v2 ). Then any relation of L is a sequential combination of these operations and conditionals. To prove a relation of confidential integers, CIP generates a zero-knowledge argument by taking confidential integers and their openings. However, the verification is public, or the relation can be verified only using the zero-knowledge argument. We denote CIP functionalities below.

Zero-History Confidential Chains with Zero-Knowledge Contracts

75

CIP.setup(1λ , L) : pp  Public parameters CIP.cint(v) : (k, c)  A confidential integer c of (v, k) when v ∈ (−2L , 2L ). CIP.open(c, v, k) : return 1/0  opens a confidential intger with (v, k). CIP.prove(r ∈ L; [ci ]∗i=0 , [ki , vi ]∗i=0 ) : π  returns zero-knowledge argument π of a primitive relation r ∈ L for input confidential integers π0 = [ci ]∗i=0 and their openings [ki , vi ]∗i=0 . – CIP.ver(r ∈ L; π0 = [ci ]∗i=0 , π) : return 1/0  verifies a zero-knowledge argument π of relation r ∈ L for a given input confidential integers [ci ]∗i=0 .

– – – –

CIP’s completeness defines that properly generated confidential integers can be opened and zero-knowledge arguments are always valid. Definition 9 (Completeness). CIP is complete if P r[CIP.open(c, v, k)| $ $ −(−2L , 2L ); (k, c) := CIP.cint(v)] and P r[CIP.ver(r, [ci ]∗i=0 , π) | r← −L; [vi ]∗i=0 v← $ ← −(−2L , 2L ) s.t. r([vi ]∗i=0 ) = 1; [(ki , ci ) := CIP.cint(vi )]∗i=0 ; π := CIP.prove(r, [ci ]∗i=0 , [vi , ki ]∗i=0 )] are 1 − (λ). CIP’s confidential integers are binding, or no p.p.t. adversary can find two different openings for the same commitment. Therefore, owners can not claim different integers or keys after publishing a confidential integer. ?

Definition 10 (Binding). CIP is binding if P r[v0 , v1 ∈ (−2L , 2L )∧(v0 , k0 )= (v1 , k1 )∧CIP.open(c, v0 , k0 )∧CIP.open(c, v1 , k1 )|A(pp) → (c, v0 , k0 , v1 , k1 )]≤(λ). Zero-knowledge arguments show the knowledge of the relations and nothing else. Therefore, no p.p.t. adversary can distinguish properly generated zeroknowledge arguments over “look-like” arguments. Definition 11 (Zero-Knowledge Argument). Let S(pp, L, T ) be a simulator who generates distribution D0 of language L’s simulated arguments using a trapdoor T of pp. When D1 is CIP’s distribution for L, CIP is zero-knowledge if    1 ?  $ $ ∗  ∗  − [0, 1]; ([ci ]i=0 , π) ← − Db ; b ←A(ppλ , [ci ]i=0 , π)  ≤ (λ). 2  − P r b=b |b ← 2 Witness extractability captures that no p.p.t. adversary can create valid proofs if the confidential integers do not hold the relation. Definition 12 (Simulated Witness Extractability). Let K be an extractor with trapdoor T of pp for language L. CIP is simulated witness extractable if, ? P r[r∈L∧ CIP.ver(r; [ci ]∗i=0 , π)∧¬r(K(pp, T , r; [ci ]∗i=0 , π))|A(pp)→(r; [ci ]∗i=0 , π)] ≤(λ).

76

3

J. Alupotha et al.

Zero-History Confidential Chains

Zero-History Confidential Chains (ZCC) work as follows. Each user has an account(s), and each account is linked to a unique public key and secret signing key. Basically, the unique public key represents the account. Accounts also have confidential balances (a confidential integer with a range proof) and confidential contract codes with confidential integers. Users send transactions when they want to update the balance and/or the Fig. 3. Workflow of ZCC contract. (1) First, users agree on new account data like how much they are spending and receiving or any contracts that should be attached to the coins. Then they create (2) a zeroknowledge summation proof for current and new balances and (3) an activity proof for the current and new account data. (4) If there are contracts in the current account data, the users compile them and generate zero-knowledge proof to show that the new account data satisfy the contracts’ conditions. (5) After that, users sign their new account data with the accounts’ secret keys. (6) Finally, they combine the summation proofs, activity proof, zero-knowledge proofs, current account data, and new account data into a transaction. Then they send the transaction to the consensus community. Once block creators receive transactions, they compute consensus proofs (or block headers), put them into blocks, and send these blocks to the network. After getting block(s), peers update the chain with the best blocks according to the consensus and replace old account data (including old signatures) with new data. If a peer wants to sync the chain, he/she gets multiple zero-history chains (or tails of zero-history chains) without spent coin records and chooses the best chain. We show the workflow of ZCC in Fig. 3. We state ZCC below. Note that (*) indicates new or updated functionalities which were not in Origami [3].  Public parameters and an empty chain for maximum coin amount 2L −1. Here, ∗ N H0 :{0, 1}∗ → H, H:{0, 1}∗ → Z+ q for DLP, and H:{0, 1} → Cβ for approx-SIS. ∗ λ λ ZCCDLP .setup(1 , L) : return (pp={SIG.setup(1 ), CN.setup(1λ ), CIPDLP .setup( 1λ , L) ∪ (q, g, h)}, Λ : (E={}, T ={}, B={}, H={}))  common setup including CIP’s (q, g, h, L) such that G = g = h is a group of prime order q > {0, 1}λ and q > 22L+5 , and the DLs of g and h relative to each other are unknown [58].

Zero-History Confidential Chains with Zero-Knowledge Contracts ∗

ZCCSIS .setup(1λ , L) : return (pp

77

{SIG.setup(1λ ), CN.setup(1λ ), CIPSIS . $ $ ← ← setup( 1λ , L) ∪ (n, m, q, N, γ, γ  , p0 , CβN , α, τ, τ3 , K −Xn×m , V −Xnq )}, Λ : q (E={}, T ={}, B={}))  Here, prime q > 22L+5 and q ≡ 1 (mod

2N ). Challenge space is CβN = [x ∈ Xq s.t. x=1, x1 =β] when log2 N β +β ≥ 2λ. For t t  maximum 2 transactions, p0 · 2 ≤γ .  Returns secret key k and confidential coin c (a confidential integer and a range proof) of v or an error ⊥ if v ∈ [0, 2L ). =

k v ZCCDLP .coin(v) : k ← −Z+ q ; C = g h ∈ G; π = CIPDLP .prove(range, C, v, k); return (k, c = (C, π))  CIPDLP uses Bulletproof range proofs [16]. $  [v, 0, .., 0] + K  k)) ∈ ZCCSIS .coin(v) : k← −[−τ, τ ]m×N ; c=upp0 (highbitsp0 (V Xn ; π = CIPSIS .prove(range, c, v, k); return (k = k, c = (c, π)) $

q

ZCC.acc gen() : (sk, acc = (pk, −, −, −, −)) returns a secret key sk and an empty account data acc with a public key pk when (sk, pk) ← SIG.gen(pp).  Creates account data for the same public key by updating the balance to c and contract code to code . Note that the contract can be empty. ZCC.acc update(Λ, sk, δ, acc, c , code ) : (pk, σ, w, c, code) := acc δ := Λ.T  .get activities(pk)[δ]  pk’s old activities and the next activity w = δ · (H0 (c , code , pk))−1 ∈ H  new watermark σ  ← SIG.sign(sk, H0 (pk, c , code , w , δ))  new signature return acc = (pk, σ  , w , c , code )  new account data ZCC.acc ver(Λ, optional=δ, acc) : (pk, σ, w, c, code):=acc verifies an account δ := Λ.T .getactivities(pk)[δ]  old activities and (if given) next activity return w = δ · (H0 (c, code, pk))−1 ∈ H∧ SIG.ver(pk, H0 (pk, c, code, w, δ), σ) ∧CIP.prove(range, c)  range verification of a confidential coin ZCC.activity(in data=[acci :(pki , ci , codei )]∗i=0 , out data = [pki , ci , codei ]∗i=0 ) : δ  creates an activity proof δ for a transaction that updates accounts’ data of in data to out data. At first, δ = 1 ∈ H. for each pki :δ=δ·H0 (ci , codei , pki ); if pki ∈Λ.E: δ=δ·(H0 (ci , codei , pki ))−1 ∈ H  Creates summation proof π to show that coin sets are equal: ∗ zero-knowledge ∗ f + i=0 vi =f  + i=0 vi when f is the incentives (supply coins) and f  is the transaction fee. Let d be the total numbers of inputs and outputs. $ ∗ ZCCDLP .sum proof(f, f  , [vi , ki ]∗i=0 , [vi , ki ]∗i=0 , [ci ]∗i=0 , [ci ]∗i=0 ) : k ← −Z+ q ∗  ∗ p = i=0 ci .C( i=0 ci .C)−1 ; y = g k ∈ G; x = H(f, f  , y, p) ∈ Z+ q ∗ ∗ return π = (f, f  , p, y, s = k + x( i=0 ki − i=0 ki ) ∈ Z+ q ) ∗  ∗   ∗ ∗  ∗ ZCCSIS .sum proof(f, f , [vi , ki ] , [v , k ] , [ci ] , [c ] ) : i=0

i

i i=0

i=0

i i=0

$ k← −[−τ3 , τ3 ]m×N    k) ∈ Xn  =highbitsγ  (K  =upp0 (highbitsp0 ( ∗i=0 ci .c− ∗i=0 ci .c)); y p q   ∗ ∗    N   m x = H(f, f , y , p) ∈ Cβ ; s = k + x( i=0 ki − i=0 ki ) ∈ Xq if  s>(τ3 − dβτ ): restart  rejection sampling  s−x(  [f  − f, 0, .., 0])) ∈ Xn   = highbitsγ  (K p+V y q

78

J. Alupotha et al.

h = hints(  ); if h =⊥: restart  hints y , y  , x, s , h) return π = (f, f  , p  Batch verification of summation proofs [π]∗i=0 . ∗

ZCCDLP .sum ver([πi ]∗i=0 , [ci ]∗i=0 , [ci ]∗i=0 ) : ?



si f −f H(f,f for all  (f, f  , pi , yi , si ) := π ) i : if g =yi (pi h ∗ ∗ ∗  −1 ? return i=0 pi = i=0 ci .C( i=0 ci .C) ∈ G



,y,p)

∈ G: return 0

∗

ZCCSIS .sum ver([πi ]∗i=0 , [ci ]∗i=0 , [ci ]∗i=0 ) :  si −  [fi −fi , 0, ..]))  i , xi , s i , hi ):=πi : y  i = highbitsγ  (K for all (fi , fi , p xi ( pi + V   n  i = use hints( y i , h i ) ∈ Xq y ?

i , p  ) ∨   i =⊥: return 0 if xi =H(fi , fi , y s i  > τ3 ∨ y i    i )=? highbitsγ  ( ∗i=0 ci . c − ∗i=0 ci . c ) ∈ Xn return highbitsγ  ( ∗i=0 p q ∗

ZCC.write(plain code) : (code, etr op)  replaces plain code’s plain-text integers (like constants) with confidential integers and outputs code. These confidential integers are called externals etr, and their openings are stored in etr op. ∗ ZCC.compile(etr op, [ki ]∗i=0 , [ki ]∗i=0 , in=[acci )]∗i=0 , out=[acci )]∗i=0 ) : zkp  generates zero-knowledge proof zkp for all contracts of in for a transaction that updates account data from in to out. Here, the openings of the contracts’ confidential integers are in etr op. ∗ ZCC.execute(code, in=[acci )]∗i=0 , out=[acci )]∗i=0 ) : 0/1  verifies contracts of in when the transaction’s inputs are in and outputs are out. ∗ ZCC.tx gen(Λ, δ, π, zkp, in, out) : tx : (txhead = (δ, π, zkp), in, out)  generates a transaction with activity δ = ZCC.activity(in data, out data), summation proof π, zero-knowledge proof zkp, input account data in, and output account data out, Here, data only contain the public keys, coins, and contracts. ∗ ZCC.tx ver(Λ, tx) : 0/1  verifies the transaction according to the chain. This verification checks confidential coins’ range, summation proofs, contracts’ zeroknowledge proofs, and each account acci ∈ tx.out: ZCC.acc ver(Λ, δ, acci ). ∗ ZCC.block gen(Λ, resources, [txt ]∗t=0 ) : bhead/⊥  generates a consensus proof bhead = CN.gen((M , B) = (Λ.T , Λ.B), resources, m = [txt .txhead]∗t=0 ) if the transactions are valid accoriding to ZCC.tx ver. Here, resources can be authorized signing keys or details to solve a computational puzzle. ∗ ZCC.block ver(Λ, bhead, [txt ]∗t=0 ) : 0/1  verifies the transactions and returns CN.ver((M , B) = (Λ.T ∪ [txt .txhead]∗t=0 , Λ.B ∪ bhead))=? 1. ZCC.add(Λ : (E, T , B, H), bhead, [txt = (txheadt , int , outt )]∗t=0 ) : Λ  adds the block to the chain while removing the spent coin records such that Λ : ((E \ [int ]∗t=0 ) ∪ [outt ]∗t=0 , T ∪ [txheadt ]∗t=0 , B ∪ bhead). If there are contract codes in the tth transaction, updates H = H ∪ (t, int , outt ). ZCC.exists(Λ, (in data, out data)) : 0/1  finds δ = ZCC.activity(in data, out data) in Λ.T Λ.T . Old signatures or watermarks are not needed. ∗

ZCC.ver(Λ) : 0/1  verifies a zero-history chain ∗ ? return i ]i=0 ∈ Λ.T )=1  verifies headers   CN.ver(Λ.B, [txhead ? ∧ txheadt ∈Λ.T txheadt .δ = (pki ,ci ,codei )∈Λ.E H0 (ci , codei , pki )∈H  activities ∧ for each acci ∈ Λ.E : ZCC.acc ver(Λ, φ, acci )=? 1  accounts

Zero-History Confidential Chains with Zero-Knowledge Contracts

79

∧ ZCC.sum ver([πi ]∗i=0 ∈ Λ.T , {}, [ci ]∗i=0 ∈ Λ.E)=? 1  batch summation ∧ for each zkpt ∈ Λ.T and (t, int , outt ) ∈ H : ZCC.execute(code, int , outt )=? 1

Security Properties. The followings are the expected security properties. Completeness means that honestly generated confidential coins, accounts, account data, contract’s zero-knowledge proofs, transactions, and block headers are always valid. Also, correct zero-history indicates that appending a valid block into a valid zero-history chain produces another valid zero-history blockchain but with the block’s output data and header. Definition 13 (Completeness). Let there be G who creates random valid contracts and their externals, coins, chains for pp ← ZCC.setup(1λ , L). A ZCC is complete if P r[random tx(pp) ∨ random block(pp) ∨ random chain(pp)] = 1. random tx(pp) : $

(Λ, f, f  , [vi , plain codei ]∗i=0 , [sk1,i , k1,i , acc1,i ]∗i=0 , etr op, [vi , plain codei ]∗i=0 )← −G(pp) s.t. ZCC.ver(Λ) = 1 ∧ [acci ]∗i=0 ∈ Λ.E  gets data for new and current accounts [(sk0,i , acc0,i )←ZCC.acc gen()]∗i=0  new accounts [acci ]∗i=0 = [acc0,i ]∗i=0 ∪ [acc1,i ]∗i=0  output accounts [(ki , ci )←ZCC.acc coin(vi )]∗i=0  new confidential coins [(code , etr op )←ZCC.write(plain code )]∗i=0  writing confidential codes δ ← ZCC.activity([acci .pk, acci .c, acci .code]∗i=0 , [acci .pk, ci , codei ]∗i=0 )  activity [acci ← ZCC.acc update(Λ, ski , δ, acci , ci , codei )]∗i=0  output accounts π = ZCC.sum proof(f, f  , [vi , ki ]∗i=0 , [vi , ki ]∗i=0 , [ci ]∗i=0 , [ci ]∗i=0 )  summation proof zkp←ZCC.compile(etr op, [ki ]∗i=0 , [ki ]∗i=0 , [acci ]∗i=0 , [acci ]∗i=0 )  inputs’ zkp tx ← ZCC.tx gen(Λ, δ, π, zkp, [acci ]∗i=0 , [acci ]∗i=0 )  new transaction with with zkp return ZCC.tx ver(Λ, tx) ∧ ∀i : ZCC.acc ver(Λ, δ, acci )

random block(pp) : (Λ, [txt ]∗t=0 , resources)← −G(pp) s.t. ZCC.ver(Λ) = 1 ∧∀t : ZCC.tx ver(Λ, txt ) = 1∧ no reused accounts in [txt ]∗t=0  gets valid resources bhead ← ZCC.block gen(Λ, resources, [txt ]∗t=0 )  computes a block header return ZCC.block ver(Λ, bhead, [txt ]∗t=0 ) $

random chain(pp) :  gets random blocks (block headers and transactions) (Λ, bhead, [txt ]∗t=0 )← −G(pp) s.t.ZCC.block ver(Λ, bhead, [txt ]∗t=0 ) = 1 Λ ← ZCC.add(Λ, bhead, [txt ]∗t=0 )  updates the new zero-history chain return ZCC.ver(Λ ) ∧ Λ .E =? (Λ.E \ [int ]∗t=0 ) ∪ [outt ]∗t=0 ∧Λ .T =? Λ.T ∪ [txheadt ]∗t=0 ∧ Λ .B =? Λ.B ∪ bhead  when transactions are [(txheadt , int , outt ) := txt ]∗t=0 $

Immutability of ZCC defines that no p.p.t. adversary can create (1) two different transaction header lists with the same block header list B and (2) two account lists with the same transaction header list T . In other words, peers can download multiple transaction headers and block headers (T , B) first and then download a single copy of the account list E after finding the correct header lists. This reduces the syncing time securely without depending on trusted third parties. Similar to the Origami chain’s immutability, we do not consider signatures while comparing account lists since more than one valid signature can ˆ be created for the same message. However, they must have valid signatures. E indicates an account list without signatures.

80

J. Alupotha et al.

Definition 14 (Immutability). ZCC is immutable if ? P r[Λ.T =Λ .T ∧Λ.B =? Λ .B ∧ZCC.ver(Λ)∧ZCC.ver(Λ )|(Λ, Λ )←A(pp)]≤(λ) and ˆ =? Λ .E ˆ ∧ Λ.T =? Λ .T ∧ ZCC.ver(Λ) ∧ ZCC.ver(Λ )|(Λ, Λ )←A(pp)]≤(λ). P r[Λ.E In real implementations, the whole network can be dishonest. However, after receiving coins (or after settling that block header), only the owner of the coins should be able to spend them. Therefore, no p.p.t adversary can update the chain by spending the coins of honest users. Our environment only has one honest account of key pair (sk, pk). We consider strong EUF-CDA, where the adversary has given a signing oracle of secret key sk. Still, the adversary cannot update the honest account’s data into fresh data that the oracle did not sign before. Therefore, even after looking at the honest user’s past transactions, the adversary can not spend the honest user’s coins. Definition 15 (Strong Existential Unforgeability Under Chosen Data Attack). ZCC is sEUF-CDA if 

 ? (Λ .get activities(pk), acc (pk))∈Q (sk, acc(pk)) ← ZCC.acc gen() Pr ≤ (λ).   Sign (·) ? ∧ZCC.ver(Λ ) ∧ acc (pk)∈Λ.E (Λ, acc (pk))←A sk (pp, pk) Oracle Signsk (Λ, δ, acc, c, code):acc ← ZCC.acc update(Λ, sk, δ, acc, c, code) Q := Q ∪ {Λ .get activities(pk)[δ], acc }; return acc

ZCC’s confidential integers, range proofs, summation proofs, and contracts’ proofs do not reveal anything except the range, summation, and programs’ execution paths, respectively. Therefore, p.p.t adversaries can not correctly distinguish simulated chains over proper chains with more than 1/2 + (λ) probability. Definition 16 (Zero-Knowledge Argument). Let ZCC’s simulated distribution of S(pp, L, T ) be D0 for language L and trapdoor T of ppλ . When D1 is ZCC’s real distribution for L, ZCC is zero-knowledge if,  1 ? $ $ − [0, 1]; Λ ← − Db ; b ←A(ppλ , Λ)] ≤ (λ). 2 − P r[b=b |b ← 2 Knowledge soundness states that no p.p.t. adversary can create “valid-yetcheating” summation proofs or contracts’ zero-knowledge proofs such that the verification passes, but the hidden integers do not hold the relation. Definition 17 (Simulated Witness Extractability). For language L (including summation proofs), let K be an extractor with trapdoor T of pp. ZCC is witness extractable if, P r [L∧ZCC.ver(Λ)∧(¬L(K(pp, T , Λ)) | A(pp)→Λ] ≤(λ). Theorem 1. ZCCDLP and ZCCSIS are complete, immutable, sEUF-CDA, zeroknowledge, and witness extractable if activity proofs of (H0 , q  ) are immutable, CIPDLP and CIPSIS are complete, binding, zero-knowledge, and witness extractable, SIG is complete and sEUF-CMA, CN is complete and immutable, Origami is complete, immutable, and sEUF-CDA, and DLP of (q, g, h) and Approx-SIS of (n, m + 1, q, γ, γ  , N ) is hard.

Zero-History Confidential Chains with Zero-Knowledge Contracts

81

Theorem 2. CIPDLP and CIPSIS are complete, binding, zero-knowledge, and witness extractable if DLP is hard and Approx-SIS is hard (Note that CIPDLP uses Bulletproof range proofs [16] that are also based on DLP). Proof. We prove that summation proofs of ZCCDLP and ZCCSIS are complete, zeroknowledge, and witness In ZCCDLP proofs check the ∗ extractable. ∗’s summation ∗  ∗  following; g s = g k+x( i=0 ki − i=0 ki ) = g k ( i=0 ci .C( i=0 ci .C)−1 hf −f )x =    s = K(  k + x( ∗ k −  is equal to K y(phf −f )x ∈ G. Also, in ZCCSIS , y i=0 i ∗  ∗  ∗  [f  −f, 0, ..]) ≈ y  [f  −f, 0, ..]).  + x( i=0 ci − i=0 ci + V  + x( p+V i=0 ki ) ≈ y Therefore, ZCCDLP and ZCCSIS are complete. Let there be a trapdoor T that solves DLP of (q, g, h) and Approx-SIS of (n, m, q, τ, γ  , N ). Then we can simulate summation proofs and confidential coins randomly. However, all the components are m n + m either in (Z+ q , X ) or (G, Xq ). The variables in (Zq , X ) are statistically hiding due to modular arithmetic and rejection sampling. Also, if an adversary distinguishes simulated proofs over real proofs using components of (G, Xnq ) then the adversary breaks the hiding property of DLP or Approx-SIS. Therefore, we claim ZCCDLP and ZCCSIS are zero-knowledge. We use random challenges x ∈ Z+ q or x ∈ CβN to prevent adversaries from creating “cheating-yet-valid” proofs. If an adversary breaks the simulated witness extractability, then we can use the same adversary to break the binding property of DLP or Approx-SIS due to the random challenges. Hence, we claim that ZCCDLP and ZCCSIS are witness extractable. Finally, we claim that our summation proofs are complete, zero-knowledge, and witness extractable. Hence, we prove Theorem 1 since we reuse activities, signatures, consensuses, range proofs, contracts from SIG, CN, and CIP. 

4

Implementation and Experiments

We implement ZCC-SIS2 in C++ language for 32-bit and 56-bit confidential integers. For lattice protocols, we target a root Hermite factor equal or smaller than 1.004 and security parameter λ = 128 [2]. The polynomial space Xq = Zq [X]/[X 256 + 1] is used for both implementations. Note that the challenges are taken from the “hashing to a ball” method where the hash function is SHAKE256 [27] which can be saved in 32 bytes. A prime order multiplicative group H with at least multiplicative 2384 elements was used for activity proofs. The prime order of H is q  such that (q  − 1)/2 > 23λ is also prime3 . Each activity proof is 49 bytes since H0 maps SHA384 hashes into H. We use uniform—not Gaussian—distributions for secrets. Other parameters are stated in Table 2.

2 3

https://github.com/zero-history/rahas. q  = 3a2c6ad1f4ef4084fbf76e7c6201b32850c57c408a6e0c4a6cda6c290c61e6dadd4e6b 7312dd3aa6bd610a917c1d42f03.

82

J. Alupotha et al.

Table 2. Parameters and Sizes (Note that log2 (τ ) = 7, log2 (τ1 ) = 7, log2 (τ2 ) = 28, log2 (τ3 ) = 20, β = 60, χ = 64, and log2 (α1 ) = L + 8). Bits

N

q

n m log2 (γ) log2 (γ  ) log2 (α) log2 (p0 ) | c|

|x|

“Equal” π

32-bit 256 2165 − 238 + 1 5 1

90

90

11

54

17.7 KB 32 Bytes 1.28 KB 19.0 KB

56-bit 256 2283 − 291 + 1 5 1

130

130

12

96

29.9 KB 32 Bytes 1.28 KB 31.2 KB

We have two polynomial multiplications; (1) Number Theoretic Transform (NTT) for 256-bit and 512-bit numbers and (2) an easy multiplication for polynomials of rot(i, val) = [0i−1 , val, 0N −i ]. NTT is used for generic multiplications with forward transform from Cooley-Tukey [32], inverse transform from Gentleman-Sande butterflies [34], and Montgomery point-wise multiplications [51]. An example of easy multiplication is arot(i, val) where each a’s coefficients are multiplied by val and changed coefficients’ sign from ith index to (N − 1), and rotated i times to get arot(i, val). We implement Rahas confi1 // CINT = Confidential Integers 2 // PK = Hash of the Public Key dential contracts based on CIP3 # SET_CINT VAR0 ETR0 // confidential (v , SIS (the current implementation is k0 ) 4 # SET_CINT VAR1 ETR1 // confidential (x , minimal and uses VARX to denote k1 ) some variable X.). In plain codes, 5 # SET_CINT VAR2 ETR2 // confidential (100 , k2 ) SET CINT takes plain-text inte6 # SET_PK VAR3 ETR3 // Seller ’s public gers, and the writing process turns key 7 # SET_PK VAR4 ETR4 // Buyer ’s public them into confidential integers and key stores them as ETRs. Listing 1.1 8 // Public key of the first output 9 # SET_PKFOUT VAR5 OUT1 // out1 ’s pk shows an escrow contract that for10 // Confidential int of the first wards coins to the seller or refunds output 11 # SET_CINTFOUT VAR6 OUT1 // out1 ’s the buyer while taking x% comcoins mission. The buyer attaches the 12 // out1 ’s input coins 13 # SET_CINTFINPK VAR7 VAR5 contract to the coins when they 14 # MUL_CINT VAR8 VAR0 VAR1 // x % of v are being sent to the escrow. The coins 15 // VAR9 ( output ) and VAR10 ( remainder ) escrow forwards or refunds coins 16 # DIVU_CINT VAR9 VAR10 VAR8 VAR2 according to the success of the 17 // To be transferred / refunded 18 # SUB_CINT VAR11 VAR0 VAR9 delivery. Then the escrow com19 // Coins received by the first entity piles the contract and attaches 20 # SUB_CINT VAR12 VAR6 VAR7 21 # IF_EQ_PK VAR5 VAR4 // Refund the a zero-knowledge proof to show buyer that it sends coins to the seller or 22 # IF_EQ_CINT VAR11 VAR12 // Equal ? 23 # RETURN_OK buyer while keeping exactly x% of 24 # END_IF coins without revealing x or any 25 # END_IF 26 # IF_EQ_PK VAR5 VAR3 // Send to the account balances. Rahas contract seller branching is carefully constructed 27 # IF_EQ_CINT VAR11 VAR12 // Equal ? 28 # RETURN_OK to avoid malicious contract execu29 # END_IF tions, e.g., the prover must give 30 # END_IF 31 # RETURN_ERROR an equal proof or not equal for IF EQ CINT that checks the equalListing 1.1. A Confidential Escrow.) ity of hidden integers, and cannot simply skip the branch when the hidden integers are not equal.

Zero-History Confidential Chains with Zero-Knowledge Contracts

83

We build ZCC-SIS-CIP with Dilithium [62] and XMSS [14] for 128-bit security. Note that we use a dummy consensus mechanism that does not output/take any data since the consensus proofs are typically small, e.g., 32-36-bytes for PoW. Dilithium32 - 10% Dilithium56- 10% XMSS56 - 10%

Dilithium32 - 10% Full Dilithium56 - 10% Full XMSS56 - 10% Full

Dilithium32 - 10% Dilithium56 - 10% XMSS56 - 10% Time (Seconds)

Sizes (MB)

300

200

100

0 200

400

600

800

300 200 100 0 300 400 500 600 700 800 900

1000

Transactions

Fig. 4. Zero-History Size vs. Full Size (10% Contracts per Transaction)

400

Transactions

Fig. 5. Zero-History Verification Time for 10% Contracts per Transaction (Seconds)

Space-Saving (%)

Recall that accounts can delete their 80 Dilithium32 Dilithium56 XMSS56 old coins, signatures, and watermarks 75 with each transaction if no contract is 70 attached. We run benchmarks to see these size reductions in ZCC-SIS for 65 32-bit and 56-bit integers. Each bench60 mark generates 1000 transactions and 8%–40% escrow contracts per trans55 40 20 12.5 10 8 action (Listing 1.1). We chose these Contracts per Transaction (%) contract percentages because statistical percentages are in between 5%–10% Fig. 6. Space Saving vs. Contracts [23,30]. The experimental sizes for 10% contracts per transaction are shown in Fig. 4, and their verification times are in Fig. 5. The space savings for different contract percentages are shown in Fig. 6 when the space-saving is 100 × (|full chain| − |ZCC|)/|full chain|. We can see that zero-history chains obtain 50%–75% of space reductions when the contract percentage is in 8%–40%. Conclusion. This paper introduces the first immutable Zero-History Confidential Chains (ZCC) for classical and post-quantum settings with zero-knowledge contracts suitable for private escrows, auctions, and decentralized federated learning. These blockchains provide fast syncing and fast verification for unspent coin records, leading to highly scalable blockchains. We verify this claim by implementing a quantum-safe ZCC and showing that it achieves 50% of size

84

J. Alupotha et al.

reduction compared to the most efficient quantum-safe Ring confidential transaction protocol, even with zero-knowledge contracts. We demonstrate that zerohistory blockchains should be the “new normal” blockchain structure for the future due to their high scalability even with advanced functionalities (confidential transactions and zero-knowledge smart contracts) and post-quantum settings.

References 1. Alberto Torres, W., Kuchta, V., Steinfeld, R., Sakzad, A., Liu, J.K., Cheng, J.: Lattice RingCT V2.0 with multiple input and multiple output wallets. In: JangJaccard, J., Guo, F. (eds.) ACISP 2019. LNCS, vol. 11547, pp. 156–175. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21548-4 9 2. Albrecht, M.R.: LWE estimator. Accessed 22 Oct 2021. https://lwe-estimator. readthedocs.io/en/latest/readme link.html 3. Alupotha, J., Boyen, X.: Origami store: UC-secure foldable datachains for the quantum era. IEEE Access 9, 81454–81484 (2021) 4. Alupotha, J., Boyen, X.: Practical UC-Secure Zero-Knowledge Smart Contracts. IACR Cryptology ePrint Archive (uploaded on 2022-05-29:xxxx/5232) 5. Alupotha, J., Boyen, X., Foo, E.: Compact multi-party confidential transactions. In: Krenn, S., Shulman, H., Vaudenay, S. (eds.) CANS 2020. LNCS, vol. 12579, pp. 430–452. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-65411-5 21 6. Alupotha, J., Boyen, X., Mckague, M.: Aggregable confidential transactions for efficient quantum-safe cryptocurrencies. IEEE Access 10, 17722–17747 (2022) 7. Benaloh, J., de Mare, M.: One-way accumulators: a decentralized alternative to digital signatures. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 274–285. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7 24 8. Bentov, I., Lee, C., Mizrahi, A., Rosenfeld, M.: Proof of activity: extending bitcoin’s proof of work via proof of stake [extended abstract]. ACM SIGMETRICS Perform. Eval. Rev. 42(3), 34–37 (2014) 9. Boneh, D., B¨ unz, B., Fisch, B.: Batching techniques for accumulators with applications to IOPs and stateless blockchains. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 561–586. Springer, Cham (2019). https:// doi.org/10.1007/978-3-030-26948-7 20 10. Boneh, D., Ishai, Y., Sahai, A., Wu, D.J.: Lattice-based SNARGs and their application to more efficient obfuscation. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 247–277. Springer, Cham (2017). https://doi. org/10.1007/978-3-319-56617-7 9 11. Boneh, D., Ishai, Y., Sahai, A., Wu, D.J.: Quasi-optimal SNARGs via linear multiprover interactive proofs. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 222–255. Springer, Cham (2018). https://doi.org/10.1007/ 978-3-319-78372-7 8 12. Boschini, C., Camenisch, J., Ovsiankin, M., Spooner, N.: Efficient post-quantum SNARKs for RSIS and RLWE and their applications to privacy. PQCrypto 12100, 247–267 (2020) 13. Bowe, S., Chiesa, A., Green, M., Miers, I., Mishra, P., Wu, H.: ZEXE: enabling decentralized private computation. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 947–964. IEEE (2020)

Zero-History Confidential Chains with Zero-Knowledge Contracts

85

14. Buchmann, J., Dahmen, E., H¨ ulsing, A.: XMSS - a practical forward secure signature scheme based on minimal security assumptions. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 117–129. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5 8 15. B¨ unz, B., Agrawal, S., Zamani, M., Boneh, D.: Zether: towards privacy in a smart contract world. In: Bonneau, J., Heninger, N. (eds.) FC 2020. LNCS, vol. 12059, pp. 423–443. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51280-4 23 16. B¨ unz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: efficient range proofs for confidential transactions. IEEE SP citation publication date= May 2018 (2017) 17. Buterin, V.: The Stateless Client Concept, ethereum Research. https://ethresear. ch/t/the-stateless-client-concept/172 18. Catalano, D., Fiore, D.: Vector commitments and their applications. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 55–72. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7 5 19. Chatzigiannis, P., Baldimtsi, F.: MiniLedger: compact-sized anonymous and auditable distributed payments. In: Bertino, E., Shulman, H., Waidner, M. (eds.) ESORICS 2021. LNCS, vol. 12972, pp. 407–429. Springer, Cham (2021). https:// doi.org/10.1007/978-3-030-88418-5 20 20. Chen, Y., Genise, N., Mukherjee, P.: Approximate trapdoors for lattices and smaller hash-and-sign signatures. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11923, pp. 3–32. Springer, Cham (2019). https://doi. org/10.1007/978-3-030-34618-8 1 21. Cheng, R., et al.: Ekiden: a platform for confidentiality-preserving, trustworthy, and performant smart contracts. In: 2019 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 185–200. IEEE (2019) 22. Chepurnoy, A., Papamanthou, C., Zhang, Y.: Edrax: A Cryptocurrency with Stateless Transaction Validation. IACR Cryptology ePrint Archive 2018/968 (2018). https://eprint.iacr.org/2018/968 23. Consensys: Ethereum by the Numbers (2020). https://consensys.net/blog/news/ ethereum-by-the-numbers-february-2020/ 24. De Angelis, S., Aniello, L., Baldoni, R., Lombardi, F., Margheri, A., Sassone, V.: PBFT vs proof-of-authority: applying the cap theorem to permissioned blockchain (2018). https://eprints.soton.ac.uk/415083/2/itasec18 main.pdf 25. Dolev, S., Wang, Z.: SodsMPC: FSM based anonymous and private quantumsafe smart contracts. In: 2020 IEEE 19th International Symposium on Network Computing and Applications (NCA), pp. 1–10. IEEE (2020) 26. Douceur, J.R.: The sybil attack. In: Druschel, P., Kaashoek, F., Rowstron, A. (eds.) IPTPS 2002. LNCS, vol. 2429, pp. 251–260. Springer, Heidelberg (2002). https:// doi.org/10.1007/3-540-45748-8 24 27. Dworkin, M.J.: SHA-3 standard: permutation-based hash and extendable-output functions (2015) 28. Esgin, M.F., Steinfeld, R., Zhao, R.K.: MatRiCT+: More Efficient Post-Quantum Private Blockchain Payments. Cryptology ePrint Archive (2021) 29. Esgin, M.F., Zhao, R.K., Steinfeld, R., Liu, J.K., Liu, D.: MatRiCT: efficient, scalable and post-quantum blockchain confidential transactions protocol. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 567–584 (2019) 30. Ethereum-powered tools and services. https://ethereum.org/

86

J. Alupotha et al.

31. Fuchsbauer, G., Orr` u, M., Seurin, Y.: Aggregate cash systems: a cryptographic investigation of mimblewimble. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 657–689. Springer, Cham (2019). https://doi.org/10.1007/ 978-3-030-17653-2 22 32. Gauss, C.: Theoria interpolationis methodo nova tractata Werke band 3, 265–327. G¨ ottingen: K¨ onigliche Gesellschaft der Wissenschaften (1886) 33. Gennaro, R., Minelli, M., Nitulescu, A., Orr` u, M.: Lattice-based zk-SNARKs from square span programs. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 556–573 (2018) 34. Gentleman, W.M., Sande, G.: Fast Fourier transforms: for fun and profit. In: Proceedings of the November 7–10, 1966, Fall Joint Computer Conference, pp. 563–578 (1966) 35. Goodrich, M.T., Tamassia, R., Hasi´c, J.: An efficient dynamic and distributed cryptographic accumulator. In: Chan, A.H., Gligor, V. (eds.) ISC 2002. LNCS, vol. 2433, pp. 372–388. Springer, Heidelberg (2002). https://doi.org/10.1007/3540-45811-5 29 36. Gorbunov, S., Reyzin, L., Wee, H., Zhang, Z.: Pointproofs: aggregating proofs for multiple vector commitments. In: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pp. 2007–2023. ACM (2020) 37. Hopwood, D., Bowe, S., Hornby, T., Wilcox, N.: Zcash protocol specification. Technical report, 2016-1.10. Zerocoin Electric Coin Company (2016) 38. Ivanov, N., Yan, Q., Wang, Q.: Blockumulus: a scalable framework for smart contracts on the cloud. In: 2021 IEEE 41st International Conference on Distributed Computing Systems (ICDCS), pp. 607–617. IEEE (2021) 39. Jedusor, T.E.: Mimblewimble (2016). https://docs.beam.mw/Mimblewimble.pdf 40. Kalodner, H., Goldfeder, S., Chen, X., Weinberg, S.M., Felten, E.W.: Arbitrum: scalable, private smart contracts. In: 27th USENIX Security Symposium (USENIX Security 2018), Baltimore, MD, pp. 1353–1370. USENIX Association (2018). https://www.usenix.org/conference/usenixsecurity18/presentation/kalodner 41. Kiayias, A., Lamprou, N., Stouka, A.-P.: Proofs of proofs of work with sublinear complexity. In: Clark, J., Meiklejohn, S., Ryan, P.Y.A., Wallach, D., Brenner, M., Rohloff, K. (eds.) FC 2016. LNCS, vol. 9604, pp. 61–78. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53357-4 5 42. King, S., Nadal, S.: PPCoin: peer-to-peer crypto-currency with proof-of-stake. Selfpublished Paper 19 (2012). https://decred.org/research/king2012.pdf 43. Kosba, A., Miller, A., Shi, E., Wen, Z., Papamanthou, C.: Hawk: the blockchain model of cryptography and privacy-preserving smart contracts. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 839–858. IEEE (2016) 44. de Leon, D.C., Stalick, A.Q., Jillepalli, A.A., Haney, M.A., Sheldon, F.T.: Blockchain: properties and misconceptions. Asia Pac. J. Innov. Entrep. (2017) 45. Li, J., Li, N., Xue, R.: Universal accumulators with efficient nonmembership proofs. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 253–269. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72738-5 17 46. Lipmaa, H.: Secure accumulators from euclidean rings without trusted setup. In: Bao, F., Samarati, P., Zhou, J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 224–240. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31284-7 14 47. Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoringbased signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-103667 35

Zero-History Confidential Chains with Zero-Knowledge Contracts

87

48. Maxwell, G.: Confidential transactions (2015). https://people.xiph.org/∼greg/ confidential values.txt. Accessed 09 Jan 2021 49. Merkle, R.C.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, New York (1990). https://doi.org/ 10.1007/0-387-34805-0 40 50. Miller, A.: Storing UTXOs in a Balanced Merkle Tree (zero-trust nodes with O (1)-storage), August 2012. Bitcoin Forum. https://bitcointalk.org/index.php? topic=101734.0 51. Montgomery, P.L.: Modular multiplication without trial division. Math. Comput. 44(170), 519–521 (1985) 52. Nagayama, R., Banno, R., Shudo, K.: Trail: a blockchain architecture for light nodes. In: 2020 IEEE Symposium on Computers and Communications (ISCC), pp. 1–7. IEEE (2020) 53. Nakamoto, S.: Bitcoin: A peer-to-peer electronic cash system (2008). https:// bitcoin.org/bitcoin.pdf 54. Noether, S., Mackenzie, A., et al.: Ring confidential transactions. Ledger 1, 1–18 (2016) 55. Noether, S., Noether, S.: Monero is not that mysterious. Technical report (2014). https://web.getmonero.org/ru/resources/research-lab/pubs/MRL-0003.pdf 56. Palai, A., Vora, M., Shah, A.: Empowering light nodes in blockchains with block summarization. In: 2018 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS), pp. 1–5. IEEE (2018) 57. Palm, E.: Implications and impact of blockchain transaction pruning (2017) 58. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1 9 59. Poelstra, A.: Mimblewimble (2016). https://download.wpsoftware.net/bitcoin/ wizardry/mimblewimble.pdf 60. Poelstra, A., Back, A., Friedenbach, M., Maxwell, G., Wuille, P.: Confidential assets. In: Zohar, A., et al. (eds.) FC 2018. LNCS, vol. 10958, pp. 43–63. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-662-58820-8 4 61. Poon, J., Dryja, T.: The bitcoin lightning network: Scalable off-chain instant payments (2016). https://lightning.network/lightning-network-paper.pdf 62. PQ-Crystals: Dilithium Signature Scheme (2019). https://github.com/pq-crystals/ dilithium 63. Reyzin, L., Meshkov, D., Chepurnoy, A., Ivanov, S.: Improving authenticated dynamic dictionaries, with applications to cryptocurrencies. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 376–392. Springer, Cham (2017). https://doi.org/ 10.1007/978-3-319-70972-7 21 64. Ripple: Ripple. https://ripple.com/. Accessed 09 Jan 2021 65. Sasson, E.B., et al.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE (2014) 66. Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0 22 67. Steffen, S., Bichsel, B., Gersbach, M., Melchior, N., Tsankov, P., Vechev, M.: Zkay: specifying and enforcing data privacy in smart contracts. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1759–1776 (2019)

88

J. Alupotha et al.

68. Sun, S.-F., Au, M.H., Liu, J.K., Yuen, T.H.: RingCT 2.0: a compact accumulatorbased (linkable ring signature) protocol for blockchain cryptocurrency Monero. In: Foley, S.N., Gollmann, D., Snekkenes, E. (eds.) ESORICS 2017. LNCS, vol. 10493, pp. 456–474. Springer, Cham (2017). https://doi.org/10.1007/978-3-31966399-9 25 69. Todd, P.: Making UTXO set growth irrelevant with low-latency delayed TXO commitments. bitcoin-dev mailing list (2016). https://lists.linuxfoundation.org/ pipermail/bitcoin-dev/2016-May/012715.html 70. Tomescu, A., Abraham, I., Buterin, V., Drake, J., Feist, D., Khovratovich, D.: Aggregatable subvector commitments for stateless cryptocurrencies. In: Galdi, C., Kolesnikov, V. (eds.) SCN 2020. LNCS, vol. 12238, pp. 45–64. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-57990-6 3 71. Wang, P., Wang, H., Pieprzyk, J.: A new dynamic accumulator for batch updates. In: Qing, S., Imai, H., Wang, G. (eds.) ICICS 2007. LNCS, vol. 4861, pp. 98–112. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77048-0 8 72. Wood, G.: Ethereum: a secure decentralised generalised transaction ledger. Ethereum Project Yellow Paper 151, 1–32 (2014) 73. Zhang, H., Zhang, F., Wei, B., Du, Y.: Implementing confidential transactions with lattice techniques. IET Inf. Secur. 14(1), 30–38 (2019) 74. Zyskind, G., Nathan, O., Pentland, A.: Enigma: decentralized computation platform with guaranteed privacy. arXiv preprint arXiv:1506.03471 (2015)

Secure Hierarchical Deterministic Wallet Supporting Stealth Address Xin Yin1 , Zhen Liu1,3,4(B) , Guomin Yang2 , Guoxing Chen1 , and Haojin Zhu1 1

3

Shanghai Jiao Tong University, Shanghai 200240, China {yinxin,liuzhen,guoxingchen,zhu-hj}@sjtu.edu.cn 2 Singapore Management University, Singapore 178902, Singapore [email protected] State Key Laboratory of Cryptology, P.O. Box 5159, Beijing 100878, China 4 Shanghai Qizhi Institute, Shanghai 200232, China

Abstract. Over the past decade, cryptocurrency has been undergoing a rapid development. Digital wallet, as the tool to store and manage the cryptographic keys, is the primary entrance for the public to access cryptocurrency assets. Hierarchical Deterministic Wallet (HDW), proposed in Bitcoin Improvement Proposal 32 (BIP32), has attracted much attention and been widely used in the community, due to its virtues such as easy backup/recovery, convenient cold-address management, and supporting trust-less audits and applications in hierarchical organizations. While HDW allows the wallet owner to generate and manage his keys conveniently, Stealth Address (SA) allows a payer to generate fresh address (i.e., public key) for the receiver without any interaction, so that users can achieve “one coin each address” in a very convenient manner, which is widely regarded as a simple but effective way to protect user privacy. Consequently, SA has also attracted much attention and been widely used in the community. However, as so far, there is not a secure wallet algorithm that provides the virtues of both HDW and SA. Actually, even for standalone HDW, to the best of our knowledge, there is no strict definition of syntax and models that captures the functionality and security (i.e., safety of coins and privacy of users) requirements that practical scenarios in cryptocurrency impose on wallet. As a result, the existing wallet algorithms either have (potential) security flaws or lack crucial functionality features. In this work, after investigating HDW and SA comprehensively and deeply, we formally define the syntax and security models of Hierarchical Deterministic Wallet supporting Stealth Address (HDWSA), capturing the functionality and security (including safety and privacy) requirements imposed by the practice in cryptocurrency, which include all the versatile functionalities that lead to the popularity of HDW and SA as well as all the security guarantees that underlie these functionalities. We propose a concrete HDWSA construction and prove its security in the random oracle model. We implement our scheme and the experimental results show that the efficiency is suitable for typical cryptocurrency settings. c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 89–109, 2022. https://doi.org/10.1007/978-3-031-17140-6_5

90

X. Yin et al. Keywords: Signature scheme · Hierarchical deterministic wallet Stealth address · Blockchain · Cryptocurrency

1

·

Introduction

Since the invention of Bitcoin in 2008, cryptocurrency has been undergoing a tremendous development and been attracting much attention in the community. Digital Signature [14,16] is employed in cryptocurrencies to enable users to own and spend their coins. More specifically, each coin is assigned to a public key (which is also referred to as coin-address), implying that the coin belongs to the owner of the public key. When a user wants to spend the coin on a public key pk, he needs to generate a transaction tx and a signature σ such that (tx, σ) is a valid (message, signature) pair with respect to pk, authenticating the spending of the coin by this transaction. In such a mechanism, the secret key is the only thing that a user uses to own and spend his coins. Naturally, key management plays a crucial role in cryptocurrencies and it needs to work like a “wallet” for the coins, providing some particular features reflecting the functionalities of currency, such as making the transfers among users convenient and/or preserving the users’ privacy. Actually, digital wallet is indispensable for any cryptocurrency system. A secure, convenient, and versatile wallet is desired. Hierarchical Deterministic Wallet and Its Merits. Hierarchical Deterministic Wallet (HDW), proposed in BIP32 [21], has been accepted as a standard in the Bitcoin community. Roughly speaking, HDW is characterized by three functionality features: deterministic generation property, master public key property, and hierarchy property. As the name implies, the deterministic generation property means that all keys in a wallet are deterministically generated from a “seed” directly or indirectly, so that when necessary (e.g., the crash of the device hosting the wallet) the wallet owner can recover all the keys from the seed. The master public key property means that a wallet owner can generate derived public keys from the wallet’s master public key and use the derived public keys as coin-addresses to receive coins, without needing any secrets involved, and subsequently, the wallet owner can generate the corresponding derived secret keys to serve as the secret signing keys. The hierarchy property means that the derived key pairs could serve as the master key pairs to generate further derived keys. With these three functionality features, HDW provides very appealing virtues which lead to its popularity in the community. Readers are referred to [7,10,12,21] for the details of these use cases. “One Coin Each Cold-address” for Enhanced Coin Safety and User Privacy. In cryptocurrencies, before the corresponding secret key appears in vulnerable online devices (referred to as “hot storage”, e.g., computers or smart phones that are connected to Internet), a public key (i.e., coin-address) is referred to as a “cold-address”. Once the corresponding secret key is exposed in any hot storage, it is not cold any more and thus becomes a “hot address”. The cold/hotaddress mechanism (or referred to as cold/hot wallet mechanism) is used to

Secure Hierarchical Deterministic Wallet Supporting Stealth Address

91

reduce the exposure chance of secret keys and achieve better safety of the coins. As shown in Fig. 1, comparing with traditional wallet (where the public/secret key pairs are generated via a standard key generation algorithm), HDW’s master public key property enables the wallet owner to generate cold-addresses much more conveniently. Namely, the owner stores the master public key in a hot storage, and when needed, he can generate derived public keys from the master public key without needing any secrets. Note that these derived public keys keep to be cold-addresses until the owner generates the corresponding derived secret keys and uses them in a hot storage to spend the coins. In addition, as considered in [1,6–9,13,21], the convenient cold-address generation implied by master public key property is also used to enhance the privacy of the wallet owner, say achieving transaction unlinkability. In particular, “one coin each address” mechanism is a simple but effective way to achieve transaction unlinkability. However, for traditional wallets, this will result in a huge cost on generating and managing a large number of (public key, secret key) pairs, especially when cold-address mechanism is considered simultaneously. In contrast, for wallets with master public key property, generating derived public keys from master public key is very simple and convenient and the generated derived public keys are inherently cold, so they achieve “one coin each cold-address”1 efficiently.

Fig. 1. Cold address generation/distribution.

Fig. 2. System model.

Stealth Address for Efficient, Non-interactive and Privacy-Preserving Payment. While HDW focuses on the key derivation and management from the point of view of a wallet owner managing his keys, stealth address (SA) [5, 15,17,18] is another popular key derivation and management mechanism in the community, but from the perspective of privacy-preservation when transferring 1

Note that we change the term from “one coin each address” to “one coin each coldaddress”, to explicitly emphasize that it is not only for the privacy-preservation but also for the safety of coins.

92

X. Yin et al.

coins among users. More specifically, with SA mechanism, each user publishes his master public key, and for each payment, the payer could generate a fresh derived public key for the payee from the payee’s master public key, without needing any interaction with the payee. On the payee’s side, when he wants to spend a coin on a derived public key belonging to him, he can generate the corresponding derived secret/signing key by himself, without needing any interaction with the payer or anyone else. While the derived public keys serve as the coin-addresses, the master public key never appears in any transaction or blockchain of the cryptocurrency, and no one (except the payer and payee) could link a derived public key to the corresponding master public key, so that master public key is “stealth” from the public. In summary, by SA mechanism, each coin-address is fresh and unique by default (unless the payer uses the same random data for each of his payments to the same payee2 ), so that there is no such issue as “address reuse” by design. In other words, SA is an inherent mechanism for “one coin each cold-address”. Hierarchical Deterministic Wallet Supporting Stealth Address for Improved Versatility and Security. Noting the virtues of HDW and SA, as well as the facts that both are related to key derivation/management and both take convenient cold-address generation as an important virtue, it is natural to consider Hierarchical Deterministic Wallet supporting Stealth Address (HDWSA), which will be a more versatile wallet providing virtues of HDW and SA simultaneously, and consequently will empower more applications in cryptocurrency. However, designing a secure HDWSA is quite challenging, rather than a trivial combination of two existing mechanisms. To the best of our knowledge, as shown in Table 1, such a wallet has not been proposed yet. Existing wallet algorithms either suffer from (potential) security flaws or lack crucial functionality features. We now explain that HDWSA is well motivated by realistic scenarios, but existing schemes fail to achieve both security and full functionality. As shown in [1,6,7,10,21], master public key property enables convenient cold-address generation, thus supports “one coin each cold-address”, and helps achieve transaction unlinkability. Note that master public key property means that the wallet owner can generate cold-addresses from only information stored in hot storage (which we refer to as “cold-address generation material” below), without needing any sensitive secrets. Considering this property of HDW more comprehensively and deeply, we can find two issues: (1) to use these cold-addresses to receive coins, the wallet owner has to somehow distribute these cold-addresses to the corresponding payers, and (2) as storing the cold-address generation material in hot storage is the fundamental setting that enables the master public key property, the cold-address generation material is very likely to be leaked due to its continuous exposure in hot storage. These issues would cause not only inconvenience but also privacy concerns, since for the existing HDW algorithms, if the coldaddress generation material is leaked, the privacy is compromised completely (e.g., [6,10,21]) or partially (e.g., [1,7]). In contrast, as shown in Fig. 1, SA 2

Note that the payee can detect such malicious behaviors easily.

Secure Hierarchical Deterministic Wallet Supporting Stealth Address

93

Table 1. Comparison with existing works Schemea

Support master public key property?

Support hierarchy property?

Support stealth address?

Privilege escalation attack resistant?

Privacy Preserving?b

Formally modeled and proved?





















—c

[10]







Partially d



 Partially d

[21] Hardened [21] [8, 9]













[13]



Partially e









[1, 7]







—f

Partially g



[6]







Partially h

 h



[15, 17]

—i

—i









[11, 12]













This work       a All schemes in this table support deterministic generation property. b Here “Privacy-Preserving” means “Privacy-Preserving when cold-address generation material (in hot storage) is compromised”. c The Hardened BIP32 in [21] does not support convenient cold-address generation, since it loses the master public key property. d The scheme in [10] considers only the resistance to complete key-recovery against only severely restricted adversary. e The definition in [13] requires the hierarchy organization to be predefined in the setup of the wallet. f The security models in [1, 7] do not capture the privilege escalation attack. g The schemes in [1, 7] consider only forward-unlinkability, for the generated keys prior to a hot wallet breach. h The HDW in [6] still suffers from the same security flaws as the initial HDW and the Hardened HDW in [21]. i The schemes in [15, 17] focus on stealth address, without considering the wallet properties.

mechanism does not suffer from these concerns at all. Nevertheless, SA mechanism cannot provide the hierarchy property, which is crucial to its applications in large companies and institutions, most of which are hierarchical organizations. A secure and fully-fledged HDWSA will address the shortcomings and provide all the features of HDW and SA, thus support more applications in practice. Security Shortfalls of Prior Wallet Schemes. The aforementioned functionality and privacy features have led to the popularity of HDW and SA, but security is always the primary concern on these cryptographic mechanisms. Actually, the initial HDW algorithm in BIP32 [21] suffers from a fatal security flaw, namely, as pointed out in [21] and [4], once an attacker obtains a derived secret key and the master public key somehow, he could figure out the master secret key and compromise the wallet completely and steal all the related coins. Note that this is a very realistic attack (also referred to as privilege escalation attack [8,9]) in various application scenarios. Since then, a series of works [8–13,21] have attempted to address this problem. However, as shown in Table 1, the Hardened BIP32 in [21] loses the master public key property. The HDW wallet in [10] considers only the resistance to complete key-recovery against only severely restricted adversaries (which cannot query the signing oracle) rather than the standard unforgeability of signature. The wallet in [8,9] lacks formal security analysis and actually still suffers from a similar flaw. The wallet in [13] requires the hierarchical organization to be preset in the setup phase of the wallet and

94

X. Yin et al.

does not support transaction unlinkability3 . The algorithms in [11,12] do not support the hierarchy property. Meanwhile, it is widely accepted that provable security, i.e., formal security analysis under formal definition of syntax and security models, will provide solid confidence on the security of a cryptographic scheme. Several existing works [1,6,7,10–13] aimed to provide formal definitions and security analysis for HDW and/or SA. However, as shown in Table 1, while the formal definitions and provably secure constructions for SA have been proposed [11,12], HDW still lacks a formal definition (of syntax and security models) that captures the functionality and security requirements in practice. The latest work in providing provable security for HDW is due to Das et al. [6], which focuses on the formal analysis of BIP32 system [21]. Although the formal definition of syntax and models in [6] captures the deterministic generation property, master public key property, and hierarchy property of BIP32 HDW wallet in [21], it inherits the flaws of BIP32 wallet in [21], namely, (1) the compromising of any non-hardened node’s secret key may lead to the compromising of all nodes in the hierarchical wallet, and (2) the hardened nodes escape from this flaw but lose the master public key property. 1.1

Our Contribution

In this work, we propose a novel Hierarchical Deterministic Wallet supporting Stealth Address (HDWSA) scheme. In particular, we first formalize the syntax and the security models for HDWSA, capturing the functionality and security (including safety of coins and privacy of users) requirements that the cryptocurrency practice imposes on wallet. Then we propose a HDWSA construction and prove its security (i.e., unforgeability for safety and unlinkability for privacy) in the random oracle model. We implement our scheme and the experimental results show that it is practical for typical cryptocurrency settings. The fullfledged functionality, provable security, and practical efficiency of our HDWSA scheme will empower its applications in practice. System Model. On the functionality, as the first attempt to formally define a primitive that provides the functionalities of HDW and SA simultaneously, we would like to present the system and illustrate how HDWSA works in cryptocurrency. In particular, as shown in Fig. 2, there are two layers in HDWSA, namely, the layer supporting the management of hierarchical deterministic wallets for hierarchical organizations, and the layer supporting stealth address for the wallet of each entity in an organization. In other words, from the point of view of wallet management, HDWSA is a hierarchical deterministic wallet with the hierarchy property and the deterministic generation property, and from the point of view of transactions, HDWSA provides enhanced master public key property 3

[13] discussed how to support dynamic hierarchy but does not give formal model or proof, and discussed a method to achieve transaction unlinkability, but will lose the master public key property.

Secure Hierarchical Deterministic Wallet Supporting Stealth Address

Fig. 3. Safety of Coins. For a target coin (e.g., the starred one), as long as the derived signing key of the coin and the wallet secret spend keys of its owner and its owner’s ancestor entities (i.e., the boxed ones) are safe, the coin is safe, even if all other keys (i.e., the non-boxed ones) in the organization are compromised.

95

Fig. 4. Privacy of Users. For a target wallet (e.g., the starred one), as long as the wallet secret key and its ancestor entities’ wallet secret keys (i.e., the boxed ones) are safe, no attacker can tell whether a target coin (e.g., the starred one) belongs to the target wallet, even if the attacker compromises all other keys (i.e., the non-boxed ones) in the organization, including the derived signing key of the target coin.

so that the wallet owners can enjoy the virtues of stealth address. More specifically, to capture the essence of hierarchical organizations (as shown later in Sect. 2.1), each entity is identified by a unique identifier ID = (id0 , id1 , . . . , idt ) with t ≥ 0, and a HDWSA scheme consists of eight polynomial-time algorithms (Setup, RootWalletKeyGen, WalletKeyDelegate, VerifyKeyDerive, VerifyKeyCheck, SignKeyDerive, Sign, Verify), which, from the functionality and data-flow view points, work as follows: • (1) The Setup() algorithm is run to generate the system parameter PP. • (2) For any organization, the root administrator of the organization can set a unique identifier (e.g., the name of the organization) ID = (id0 ) and run the RootWalletKeyGen() algorithm, generating the root wallet key pair (wpkID , wskID ) of the organization. • (3) With a wallet key pair (wpkID , wskID ), the wallet owner (i.e., the entity with identifier ID = (id0 , . . . , idt ) with t ≥ 0) can run the WalletKeyDelegate() algorithm to generate wallet key pair (wpkID , wskID ) for its any direct subordinate with identifier ID = (id0 , id1 , . . . , idt , idt+1 ), where idt+1 ∈ {0, 1}∗ identifies a unique direct subordinate of the entity ID. • (4) For each entity, its identifier and wallet public key will serve as the coldaddress generation material. In particular, given an identifier ID and corresponding wallet public key wpkID , anyone (e.g., the payer of a transaction) can run the VerifyKeyDerive() algorithm to generate a fresh derived verification key dvk, which will be used as a coin-address for the wallet key owner (i.e., the entity with identifier ID). Note that VerifyKeyDerive() does not need secret keys and is a randomized algorithm, namely, each time it outputs a fresh (different) derived verification key (even on input the same (ID,

96

X. Yin et al.

wpkID )), so that “one coin each cold-address” is achieved in a natural and very convenient manner. • (5) From the view of a wallet owner, say with identifier ID, the wallet secret key wskID is divided into two parts: a wallet secret spend key wsskID and a wallet secret view key wsvkID . For any coin on the blockchain, a wallet owner can use his wallet secret view key to run the VerifyKeyCheck() algorithm to check whether the coin’s address dvk belongs to him, and for a derived verification key belonging to him, say dvk, the owner can use his wallet secret spend key to run SignKeyDerive() to generate the signing key dsk corresponding to dvk. Moreover, with the dsk, the wallet owner can run the Sign() algorithm to authenticate a transaction, spending the coin on dvk. Note that wsskID is more sensitive and high-value than wsvkID while wsvkID is used more frequently than wsskID , such a separation enhances the security from the point of view of practice since it greatly reduces the exposure chance of the highvalue wsskID . In addition, such a separation enables our HDWSA to support the promising applications such as trust-less audits, by allowing the wallet owner to provide the wallet secret view key to the auditor while keeping the wallet secret spend key secret.4 • (6) For any coin on the blockchain, suppose the coin-address is dvk, anyone can run the Verify() algorithm on inputs dvk and a (transaction, signature) pair (tx, σ), checking the validity of the signature, without needing (or more precisely, being able to learn) any information about the wallet/coin owner. HDWSA Features, Security and Efficiency. Based on the above system model, it is easy to see that our HDWSA scheme achieves the deterministic generation property, the (enhanced) master public key property, and the hierarchy property of HDW, and simultaneously provides the virtues of stealth address, namely the convenient fresh cold-address generation and privacy-preserving features. Here we would like to clarify that the master public key property of our HDWSA exactly captures the essence of this property imposed by the practical applications, in the sense that the derived verification keys (i.e., coin-addresses) are generated by using only public information (say user’s identifier and wallet public key) which are publicly posted in hot-storage without incurring any security concerns. Note that this is the original motivation of the master public key property and we indeed achieved, we do not pursue the “master public key property” for wallet key generation (i.e., wallet key delegation). Actually, from the point of view of practice, it is natural for an entity to use its wallet public key and secret key to generate wallet key pairs for its direct subordinates in a safe environment (i.e., cold storage), and then each entity can publish its wallet public key and enjoy the advantage of master public key property for derived verification key (i.e., coin-address) generation. On the security, our HDWSA scheme achieves full resistance to privilege escalation attack. Namely, as shown in Fig. 3 and Fig. 4, the compromising of a derived signing key will not affect the security of any other derived signing 4

This separation is borrowed from the stealth address mechanisms in [12, 17].

Secure Hierarchical Deterministic Wallet Supporting Stealth Address

97

key or wallet secret key, and the compromising of a wallet secret key will not affect the security of any derived signing key or wallet secret key except those of the compromised wallet and its direct/indirect subordinates. The security of our HDWSA scheme is proved in the random oracle mode, based on the standard Computational Diffie-Hellman Assumption in bilinear map groups. On the efficiency, from the experimental results shown in Table 2 and Table 3 (in Sect. 4), we can see that the efficiency of our HDWSA scheme is lower than that of ECDSA, but is still practical for typical cryptocurrency settings. Given the versatile functionalities and provable security provided by our HDWSA scheme, such costs are reasonable and acceptable. With the above versatile functionalities and the strong (i.e., provable) security that underlies these functionalities, our HDWSA scheme could solidly (without any security concern) support the promising use cases that have led to the popularity of HDW and SA, such as low-maintenance wallets with easy backup and recovery, convenient fresh cold-address generation, trust-less audits, treasurer allocating funds to departments in hierarchical organizations, and privacypreservation, and so on. 1.2

Related Work

Table 1 gives a comprehensive comparison between our work and the existing related works, and below we would like to give further details on the comparison with the state-of-the-art HDW and SA. When compared with the state-of-the-art HDW [6], besides providing the virtues of SA, our HDWSA can be regarded as a more secure HDW than the HDW in [6] and can support more promising applications. More specifically, the HDW in [6] consists of two types of nodes, say non-hardened nodes and hardened nodes, where the hardened nodes are leaf nodes of the hierarchy. If any of the non-hardened nodes is compromised, then the privilege escalation attack will work and all nodes (including the root node and all hardened nodes) will be compromised completely. The compromising of hardened nodes will not affect the security of other nodes, but the cost is that the public key generation of a hardened node requires its parent node’s secret key, i.e., losing the master public key property. In addition, on the privacy, if the cold-address generation material (i.e., the public key and the chain code) of any non-hardened node is leaked, then the privacy of all its descendent non-hardened nodes is compromised. As a result, due to its vulnerability to the privilege escalation attack, the HDW in [6] cannot support the use case of treasurer allocating funds to departments (which is supposed to be the main reason that leads to HDW’s popularity in hierarchical organizations), and due to the existing of hardened nodes, the HDW in [6] cannot support the use case of trust-less audits. In contrast, when working as a HDW, our HDWSA does not have these concerns at all and can support all the promising use cases that lead to the popularity of HDW in the community. It is worth mentioning that the advantage of the HDW in [6] over our HDWSA is its compatibility with ECDSA, as well as the resulting better efficiency. Actually, the above advantages and disadvantages are not surprising, since while [6] focuses

98

X. Yin et al.

on formalizing the BIP32 HDW system and its security, our work focuses on (1) establishing the functionality and security requirements of HDW (with SA) that underlie the use cases leading to its popularity in the community, and (2) proposing a concrete construction with provable security and practical efficiency. Finally, we would like to point out that while the HDW in [6] only works under the assumption that the non-hardened nodes are trusted (i.e., would not attempt to compromise other nodes’ secret keys) and could protect their secret keys from being compromised, our HDWSA scheme does not need such assumptions and can work in much more harsh environments. When compared with the state-of-the-art SA [11,12], the advantage of our HDWSA is the hierarchy property, which will enable our HDWSA scheme to be applied in the hierarchical organizations (i.e., large companies and institutions) and support the use cases such as treasurer allocating funds to departments. While this work is the first one to formalize the definition and security models of HDWSA, the construction in this work seems to follow the approach of [12]. We would like to point out that this is not trivial, since supporting hierarchy property makes the formal definition, the construction, and the formal security proof pretty challenging. The effort from provably secure deterministic wallet [1,7] to provably secure hierarchical deterministic wallet [6] could serve as an evidence of such challenges. 1.3

Outline

We formalize the syntax and security models for HDWSA in Sect. 2. Then we present our HDWSA construction with its security analysis in Sect. 3. Finally we describe an implementation of our HDWSA construction in Sect. 4.

2

Definitions of HDWSA

In this section, we first clarify the notations of hierarchical wallet, then we formalize the syntax and security models of HDWSA. 2.1

Notations of Hierarchy

In this work, we use the typical hierarchical identifiers to capture the features of hierarchical organizations/wallets. In particular, • All wallet owners are regarded as entities in hierarchical organizations.5 • Each entity in the system has a unique identifier ID in the form of ID = (id0 , . . . , idt ) with t ≥ 0 and idi ∈ {0, 1}∗ (i = 0, . . . , t).

5

Actually, an individual user can also be regarded as a special organization, for example, a user may manage his wallets in a hierarchy manner.

Secure Hierarchical Deterministic Wallet Supporting Stealth Address

99

• For any identifier ID = (id0 , . . . , idt ) with t ≥ 0, we define ID|i := (id0 , . . . , idi ) for i = 0, . . . , t, and we have that (1) ID|t is just ID, (2) ID|(t−1) is the identifier of ID’s parent (i.e., direct supervisor) entity, (3) ID|i (i = 0, . . . , t − 1) are the identifiers of ID’s ancestor entities, and (4) ID|0 is the identifier of the root entity (root administrator) of the organization that ID belongs to. • For an identifier ID = (id0 , . . . , idt ) with t ≥ 0, we say that the entity lies in the Level-t of an organization with identifier ID|0 = (id0 ). Note that for any Level-0 identifier ID, it is the identifier of the root entity of some organization, and does not have parent entity. From now on, we will denote a hierarchical organization by the identifier of its root entity, say a Level-0 identifier, e.g., “organization ID0 ”, and for an entity in some organization, we will use its identifier to denote the entity or its wallet, e.g., “ID’s wallet public key”. 2.2

Algorithm Definition

A HDWSA scheme consists of a tuple of algorithms (Setup, RootWalletKeyGen, WalletKeyDelegate, VerifyKeyDerive, VerifyKeyCheck, SignKeyDerive, Sign, Verify) as below: • Setup(λ) → PP. On input a security parameter λ, the algorithm runs in polynomial time in λ, and outputs system public parameter PP. The system public parameter PP consists of the common parameters used by all entities (e.g., wallet owners, users, etc.) in the system, including the underlying groups, hash functions, and some specific rules such as the hierarchical identifier rules in Sect. 2.1, etc. Below, PP is assumed to be an implicit input to all the remaining algorithms. • RootWalletKeyGen(ID) → (wpkID , wskID ). This is a randomized algorithm. On input a Level-0 identifier ID, the algorithm outputs a root (wallet public key, wallet secret key) pair (wpkID , wskID ) for ID, where wskID := (wsskID , wsvkID ) consists of a wallet secret spend key wsskID and a wallet secret view key wsvkID . The root administrator of each organization can run this algorithm to generate the root wallet key pair for the organization. • WalletKeyDelegate(ID, wpkID|(t−1) , wskID|(t−1) ) → (wpkID , wskID ). This is a deterministic algorithm. On input an entity’s identifier ID = (id0 , . . . , idt ) with t ≥ 1 and its parent entity’s (wallet public key, wallet secret key) pair, say (wpkID|(t−1) , wskID|(t−1) ), the algorithm outputs a (wallet public key, wallet secret key) pair (wpkID , wskID ) for ID, with wskID := (wsskID , wsvkID ) consisting of wallet secret spend key wsskID and wallet secret view key wsvkID .

100

X. Yin et al.

Each entity can run this algorithm to generate wallet key pairs for its direct subordinates. • VerifyKeyDerive(ID, wpkID ) → dvk. This is a randomized algorithm. On input an entity’s identifier ID = (id0 , . . . , idt ) with t ≥ 0 and its wallet public key wpkID , the algorithm outputs a derived verification key dvk of the entity. Anyone can run this algorithm to generate a fresh public/verification key for an entity at Level ≥ 0. • VerifyKeyCheck(dvk, ID, wpkID , wsvkID ) → 1/0. This is a deterministic algorithm. On input a derived verification key dvk, an entity’s identifier ID = (id0 , id1 , . . . , idt ) with t ≥ 0, and the entity’s wallet public key wpkID and wallet secret view key wsvkID , the algorithm outputs a bit b ∈ {0, 1}, with b = 1 meaning that dvk belongs to the entity (i.e., is a valid derived verification key generated for the entity), and b = 0 otherwise. Each entity can use this algorithm to check whether a verification key belongs to him. Note that only the wallet secret view key is needed here, rather than the whole wallet secret key. • SignKeyDerive(dvk, ID, wpkID , wskID ) → dsk or ⊥. On input a derived verification key dvk, an entity’s identifier ID = (id0 , . . . , idt ) with t ≥ 0, and the entity’s (wallet public key, wallet secret key) pair (wpkID , wskID ), the algorithm outputs a derived signing key dsk, or ⊥ implying that dvk is not a valid verification key derived from (ID, wpkID ). • Sign(m, dvk, dsk) → σ. On input a message m in message space M and a derived (verification key, signing key) pair (dvk, dsk), the algorithm outputs a signature σ. • Verify(m, σ, dvk) → 1/0. This is a deterministic algorithm. On input a (message, signature) pair (m, σ) and a derived verification key dvk, the algorithm outputs a bit b ∈ {0, 1}, with b = 1 meaning the validness of signature and b = 0 otherwise. Correctness. A HDWSA scheme must satisfy the correctness property: for any ID = (id0 , . . . , idt ) with t ≥ 0, any 0 ≤ j ≤ t, and any message m ∈ M, suppose PP ← Setup(λ), (wpkID|0 , wskID|0 ) ← RootWalletKeyGen(ID|0 ), (wpkID|i , wskID|i ) ← WalletKeyDelegate(ID|i , wpkID|(i−1) , wskID|(i−1) ) f or i = 1, . . . , j, dvk ← VerifyKeyDerive(ID|j , wpkID|j ), dsk ← SignKeyDerive(dvk, ID|j , wpkID|j , wskID|j ), it holds that VerifyKeyCheck(dvk, ID|j , wpkID|j , wsvkID|j ) = 1 and Verify(m, Sign(m, dvk, dsk), dvk) = 1.

Secure Hierarchical Deterministic Wallet Supporting Stealth Address

101

Remark: The deterministic algorithm WalletKeyDelegate() enables the deterministic generation property and hierarchy property, and the randomized algorithm VerifyKeyDerive() enables the enhanced master public key property where the identifier and wallet public key of the target wallet owner serve as the cold-address generation material. Also, the algorithms VerifyKeyDerive(), VerifyKeyCheck(), and SignKeyDerive() together enable the features of SA. In addition, as the hierarchical identifiers are the foundation on which the hierarchy features are built, in the above syntax, each entity, as well as its wallet, is uniquely identified by its (hierarchical) identifier. Here we would like to point out that, the binding of an entity’s wallet public key and its identifier could be achieved using the standard approach of digital certificates. While the details of certificate mechanism are out of the scope of this work, here we would like to point out that, in our HDWSA, publishing the binding relation of wallet public key and its owner’s (real) identifier will not cause any problem of privacy. Instead, this is an advantage of HDWSA over pure HDW and traditional wallet (in Bitcoin). In particular, in pure HDW and traditional wallet, the privacy is achieved by artificially hiding the real identity of a coin-address’ owner, whereas in HDWSA, each entity can enjoy the convenience of (wallet) public key distribution while keeping its privacy protected, as the wallet public key is stealth in the blockchain. For simplicity, below we will assume that each entity’s wallet public key and its identifier are integrated, i.e., each wallet public key is identified by corresponding identifier. 2.3

Security Models

In this section, we define the security models for HDWSA, capturing the requirements on the safety (of coins) and privacy (of users) by unforgeability and (wallet) unlinkability, respectively. In particular, unforgeability is defined by the following game GameEUF , which captures that, as shown in Fig. 3, for a target derived verification key dvk belonging to a target entity/wallet in some organization, as long as the corresponding derived signing key dsk is safe and the wallet secret spend keys of the target entity and its ancestor entities are safe, no attacker can forge a valid signature with respect to dvk, even if the attacker compromises all other wallet secret keys and derived signing keys in the organization. Definition 1. A HDWSA scheme is existentially unforgeable under an adaptive chosen-message attack (or just existentially unforgeable), if for all probabilistic polynomial time (PPT) adversaries A, the success probability of A in the following game GameEUF is negligible.  Setup. PP ← Setup(λ) is run and PP is given to A. An empty set Lwk = ∅ is initialized, each element of which will be an (identifier, wallet public key, wallet secret key) tuple (ID, wpkID , wskID ). An empty set Ldvk = ∅ is initialized, each element of which will be a (derived verification key, identifier) pair (dvk, ID).

102

X. Yin et al.

Note that the two sets are defined just for the simplicity of description, and A knows the (ID, wpkID ) pairs in Lwk and (dvk, ID) pairs in Ldvk . A submits a Level-0 identifier, say ID0∗ , to trigger the setup of the target organization. (wpkID0∗ , wskID0∗ ) ← RootWalletKeyGen(ID0∗ ) is run, wpkID0∗ is given to A, and (ID0∗ , wpkID0∗ , wskID0∗ ) is added into Lwk . This captures that the adversary may manipulate the organization’s identifier.  Probing Phase. A can adaptively query the following oracles: • Wallet Key Delegate Oracle OWKeyDelegate(·): On input an identifier ID = (id0 , . . . , idt ) with t ≥ 1 such that ID|(t−1) ∈ Lwk ,6 this oracle runs (wpkID , wskID ) ← WalletKeyDelegate(ID, wpkID|(t−1) , wskID|(t−1) ), returns wpkID to A, and sets Lwk = Lwk ∪ (ID, wpkID , wskID ),7 where (wpkID|(t−1) , wskID|(t−1) ) is the wallet key pair for ID|(t−1) . This captures that A can trigger the wallet key delegation for any identifier ID of its choice, as long as ID|(t−1) ∈ Lwk , i.e., ID’s parent entity’s wallet key pair has been generated (resp. delegated) previously due to A’s trigger in the Setup phase (resp.A’s query on OWKeyDelegate(·)). Note that the requirement ID|(t−1) ∈ Lwk is natural, since ID0∗ is the target organization and A will attack some derived verification key belonging to some entity in the organization ID0∗ . • Wallet Secret Key Corruption Oracle OWskCorrupt(·): On input an entity’s identifier ID = (id0 , . . . , idt ) with t ≥ 08 such that ID ∈ Lwk , this oracle returns the wallet secret key wskID of ID to A. This captures that A can obtain the wallet secret keys for the existing wallets of its choice. • Wallet Secret View Key Corruption Oracle OWsvkCorrupt(·): On input an entity’s identifier ID = (id0 , . . . , idt ) with t ≥ 0 such that ID ∈ Lwk , this oracle returns the wallet secret view key wsvkID of ID to A. This captures that A can obtain the wallet secret view keys for the existing wallets of its choice. • Verification Key Adding Oracle ODVKAdd(·, ·): On input a derived verification key dvk and an identifier ID = (id0 , . . . , idt ) with t ≥ 0 such that ID ∈ Lwk , this oracle returns b ← VerifyKeyCheck(dvk, ID, wpkID , wsvkID ) to A, where wpkID and wsvkID are ID’s wallet public key and wallet secret view key respectively. And if b = 1, this oracle sets Ldvk = Ldvk ∪ (dvk, ID). This captures that A can probe whether the derived verification keys generated by it are accepted by the owners of the target wallets. 6

7

8

Note that we are abusing the concept of ‘∈’. In particular, if there exists a tuple (ID, wpkID , wskID ) ∈ Lwk for some (wpkID , wskID ) pair, we say that ID ∈ Lwk . Note that WalletKeyDelegate(·, ·, ·) is a deterministic algorithm, so that querying OWKeyDelegate(·) on the same identifier will obtain the same response. Note that actually the adversary A here should not make such a query with t = 0 (as required by the success conditions defined in later Output Phase). In later definition of unlinkability, the adversary may query this oracle on ID with t = 0.

Secure Hierarchical Deterministic Wallet Supporting Stealth Address

103

• Signing Key Corruption Oracle ODSKCorrupt(·): On input a derived verification key dvk such that there is a corresponding pair (dvk, ID) in Ldvk , this oracle returns dsk ← SignKeyDerive(dvk, ID, wpkID , wskID ) to A, where (wpkID , wskID ) is the wallet key pair of ID. This captures that A can obtain the derived signing keys for the existing derived verification keys of the target wallets, of its choice. • Signing Oracle OSign(·, ·): On input a message m ∈ M and a derived verification key dvk ∈ Ldvk 9 , this oracle returns σ ← Sign(m, dvk, dsk) to A, where dsk is a signing key for dvk. This captures that A can obtain the signatures for messages and derived verification keys of its choice.  Output Phase. A outputs a message m∗ ∈ M, a signature σ ∗ , and a derived verification key dvk∗ such that dvk∗ ∈ Ldvk . Let (dvk∗ , ID∗ ) ∈ Ldvk , and suppose the target wallet identifier ID∗ be a Level-t∗ identifier, say ID∗ = (id∗0 , . . . , id∗t∗ ). A succeeds in the game if Verify(m∗ , σ ∗ , dvk∗ ) = 1 under the restrictions that (1) A did not query OWskCorrupt(·) on ID|i∗ for any i such that 0 ≤ i ≤ t∗ , (2) A did not query ODSKCorrupt() on dvk∗ , and (3) A did not query OSign() on (m∗ , dvk∗ ). Remark: It is worth mentioning that A is allowed to query the wallet secret view keys for ID|i∗ (i = 0, . . . , t∗ ) by OWsvkCorrupt(·). Note this will guarantee the safety of coins when the trust-less audits functionality is employed. As the above unforgeability model captures the attackers’ ability exactly and completely, below we also present a weaker unforgeability model, where the adversary is required to commit its target wallet’s identifier (i.e., ID∗ , which the target derived verification key dvk∗ belongs to) in ahead. Definition 2. A HDWSA scheme is existentially unforgeable under an adaptive chosen-message attack with selective wallet (or just selective wallet existentially unforgeable), if for all PPT adversaries A, the success probability of A in the following game GameswEUF is negligible. The game GameswEUF is identical to the above game GameEUF , except that the adversary commits its target wallet in the Setup phase. More specifically, just before the start of Probing Phase, the adversary A commits the identifier of ∗ = ID0∗ , its target wallet, say, ID∗ = (id∗0 , . . . , id∗t∗ ) such that t∗ ≥ 0 and ID|0 ∗ committing that the target derived verification key dvk in the Output Phase will be one belonging to ID∗ . The wallet unlinkability is defined by the following game GameWUNL , which captures that, the adversary is unable to identify the wallet, out of two wallets, from which a target derived verification key was generated from, whatever the two wallets belong to the same organization or different organizations. Note that such an “indistinguishability” model captures the intuition in Fig. 4 well. 9

Note that we are abusing the concepts of ‘∈’. In particular, if there exists a pair (dvk, ID) ∈ Ldvk for some ID, we say that dvk ∈ Ldvk .

104

X. Yin et al.

Definition 3. A HDWSA scheme is wallet unlinkable, if for all PPT adversaries A, the advantages of A in the following game GameWUNL , denoted by , is negligible. Adv WUNL A  Setup. PP ← Setup(λ) is run and PP is given to A. As in the Setup phase of GameEUF , Lwk = ∅ and Ldvk = ∅ are initialized. A submits two different Level-0 identifiers, say ID0∗ (0) and ID0∗ (1) . For k = 0, 1: (wpkID0∗ (k) , wskID0∗ (k) ) ← RootWalletKeyGen(ID0∗ (k) ) is run,

wpkID0∗ (k) is given to A, and (ID0∗ (k) , wpkID0∗ (k) , wskID0∗ (k) ) is added into Lwk . This captures that the adversary may manipulate the organizations’ identifiers.  Probing Phase 1. Same as the Probing Phase of GameEUF .  Challenge. A submits two different challenge wallets’ identifiers ID(0) = (0)

(0)

(1)

(1)

(id0 , . . . , idt(0) ) and ID(1) = (id0 , . . . , idt(1) ), such that t(0) ≥ 0, t(1) ≥ 0, (0)

(1)

∗(0)

and ID(0) , ID(1) ∈ Lwk (implying ID|0 , ID|0 ∈ {ID0

∗(1)

, ID0

}).

A random bit c ∈ {0, 1} is chosen, dvk∗ ← VerifyKeyDerive(ID(c) , wpkID(c) ) is given to A. And (dvk∗ , ID(c) ) is added into Ldvk .  Probing Phase 2. Same as Probing Phase 1.  Guess. A outputs a bit c ∈ {0, 1} as its guess to c. A succeeds in the game if c = c under the restrictions that (1) A did not (0) query OWskCorrupt(·) or OWsvkCorrupt(·) oracle on any ID ∈ {ID|i | 0 ≤ i ≤ (1)

t(0) } ∪ {ID|i | 0 ≤ i ≤ t(1) }, and (2) A did not query oracle ODVKAdd(·, ·) on

= | Pr[c = c]− 12 |. (dvk∗ , ID(0) ) or (dvk∗ , ID(1) ). The advantage of A is Adv WUNL A

Remark: Note that the adversary is allowed to choose the challenge identifiers ID(0) and ID(1) of its choice completely, namely, they could be from same or different organizations, from same or different levels, or one could be an ancestor of another. Note that the adversary is allowed to query the ODskCorrupt() and OSign() oracles on the challenge derived verification key dvk∗ , and this captures that neither the signature nor the derived signing key leaks the privacy of the owner of dvk∗ . It is also worth noticing that, while the adversary in GameEUF should not query OWskCorrupt(·) on an identifier ID = (id0 , . . . , idt ) with t = 0 such that ID ∈ Lwk (since it means corrupting the root wallet secret key of the target organization ID0∗ ), the adversary in GameWUNL may query OWskCorrupt(·) and/or OWsvkCorrupt(·) on an identifier ID = (id0 , . . . , idt ) with t = 0 such that ID ∈ Lwk , depending on its challenge wallet identifier pair (ID(0) , ID(1) ). In (0) (1) ∗(k) particular, if ID|0 = ID|0 = ID0 , then the adversary is allowed to query ∗(1−k)

OWskCorrupt(·) and/or OWsvkCorrupt(·) on ID0 . As the above unlinkability model captures the attackers’ ability exactly and completely, below we also present a weaker unlinkability model, where the adversary is required to commit its challenge wallets in ahead.

Secure Hierarchical Deterministic Wallet Supporting Stealth Address

105

Definition 4. A HDWSA scheme is selective wallet unlinkable, if for all PPT adversaries A, the advantage of A in the following games GameswWUNL , denoted , is negligible. by Adv swWUNL A The game GameswWUNL is identical to the above game GameWUNL , except that the adversary commits the two challenge wallet identifiers in the Setup phase. More specifically, just before the start of Probing Phase 1, the adversary A (0) (0) commits the two challenge wallet identifiers, namely, ID(0) = (id0 , . . . , idt(0) ) (1)

(1)

(0)

(1)

and ID(1) = (id0 , . . . , idt(1) ) such that t(0) ≥ 0, t(1) ≥ 0, and ID|0 , ID|0 ∈

{ID0∗ (0) , ID0∗ (1) }.

3

Our Construction

In this section, we first review some preliminaries, including the bilinear groups and CDH assumption. Then we propose our HDWSA construction. 3.1

Preliminaries

Bilinear Map Groups [3]. Let λ be a security parameter and p be a λ-bit prime number. Let G1 be an additive cyclic group of order p, G2 be a multiplicative cyclic group of order p, and P be a generator of G1 . (G1 ,G2 ) are bilinear groups if there exists a bilinear map eˆ : G1 × G1 → G2 satisfying the following properties: 1. Bilinearity: ∀(S, T ) ∈ G1 × G1 , ∀a, b ∈ Z, eˆ(aS, bT ) = eˆ(S, T )ab . 2. Non-degeneracy: eˆ(P, P ) = 1. 3. Computable: ∀(S, T ) ∈ G1 × G1 , eˆ(S, T ) is efficiently computable. Definition 5 (Computational Diffie-Hellman (CDH) Assumption [20]). The CDH problem in bilinear groups (p, G1 , G2 , P, eˆ) is defined as follows: given (P, aP, bP ) ∈ G31 as input, output an element C ∈ G1 such that C = abP . An algorithm A has advantage  in solving CDH problem in (p, G1 , G2 , P, eˆ) if Pr[A(P, aP, bP ) = abP ] ≥ , where the probability is over the random choice of a, b ∈ Zp and the random bits consumed by A. We say that the (t, )-CDH assumption holds in (p, G1 , G2 , P, eˆ) if no t-time algorithm has advantage at least  in solving the CDH problem in (p, G1 , G2 , P, eˆ). 3.2

Construction

• Setup(λ) → PP. On input a security parameter λ, the algorithm chooses bilinear groups (p, G1 , G2 , P, eˆ) and cryptographic hash functions H0 : SID → G∗1 , H1 : G1 × G1 → Z∗p , H2 : G1 × G1 → Z∗p , H3 : G1 × G1 × G1 → G∗1 , and H4 : (G1 ×G2 )×M×G2 → Z∗p , where G∗1 = G1 \{0}, M = {0, 1}∗ , and SID := {ID = (id0 , id1 , . . . , idt ) | t ≥ 0, idi ∈ {0, 1}∗ ∀0 ≤ i ≤ t}. The algorithm outputs public parameter PP = ((p, G1 , G2 , P, eˆ), H0 , H1 , H2 , H3 , H4 ), where the message space is M and the identifier space is SID . PP is assumed to be an implicit input to all the algorithms below.

106

X. Yin et al.

• RootWalletKeyGen(ID) → (wpkID , wskID ). On input a Level-0 identifier ID, the algorithm chooses uniformly random αID , βID ∈ Z∗p , then outputs a (root) waller key pair (wpkID , wskID ): wpkID := (AID , BID ) = (αID P, βID P ) ∈ G1 × G1 , wskID := (wsskID , wsvkID ) = (αID , βID ) ∈ Z∗p × Z∗p . • WalletKeyDelegate(ID, wpkID|(t−1) , wskID|(t−1) ) → (wpkID , wskID ). On input an entity’s identifier ID = (id0 , . . . , idt ) with t ≥ 1 and its parent entity’s (wallet public key, wallet secret key) pair, say wpkID|(t−1) ∈ G1 × G1 and wskID|(t−1) = (αID|(t−1) , βID|(t−1) ) ∈ Z∗p ×Z∗p , the algorithm proceeds as below: 1. Compute QID = H0 (ID) ∈ G∗1 , 2. Compute αID = H1 (QID , αID|(t−1) QID ) and βID = H2 (QID , βID|(t−1) QID ), 3. Output wallet key pair (wpkID , wskID ) for ID as wpkID := (AID , BID ) = (αID P, βID P ) ∈ G1 × G1 , wskID := (wsskID , wsvkID ) = (αID , βID ) ∈ Z∗p × Z∗p . • VerifyKeyDerive(ID, wpkID ) → dvk. On input an identifier ID = (id0 , . . . , idt ) with t ≥ 0 and its wallet public key wpkID = (AID , BID ), the algorithm chooses a uniformly random r ∈ Z∗p and outputs a derived verification key dvk := (Qr , Qvk ) with Qr = rP ∈ G1 , Qvk = eˆ(H3 (BID , rP, rBID ), −AID ) ∈ G2 . • VerifyKeyCheck(dvk, ID, wpkID , wsvkID ) → 1/0. On input a derived verification key dvk = (Qr , Qvk ) ∈ G1 × G2 , an entity’s identifier ID = (id0 , . . . , idt ) with t ≥ 0, and the entity’s wallet public key wpkID = (AID , BID ) ∈ G1 × G1 and wallet secret view key wsvkID = βID ∈ Z∗p , the algorithm checks whether ?

Qvk = eˆ(H3 (BID , Qr , βID Qr ), −AID ) holds. If it does not hold, the algorithm outputs 0, otherwise outputs 1. • SignKeyDerive(dvk, ID, wpkID , wskID ) → dsk or ⊥. On input a derived verification key dvk = (Qr , Qvk ) ∈ G1 × G2 , an entity’s identifier ID = (id0 , . . . , idt ) with t ≥ 0, and the entity’s (wallet public key, wallet secret key) pair, say wpkID = (AID , BID ) ∈ G1 × G1 and wskID = (αID , βID ) ∈ Z∗p × Z∗p , the ?

algorithm checks whether Qvk = eˆ(H3 (BID , Qr , βID Qr ), −AID ) holds. If it does not hold, the algorithm outputs ⊥, otherwise outputs a derived signing key dsk dsk = αID H3 (BID , Qr , βID Qr ) ∈ G1 . • Sign(m, dvk, dsk) → σ. On input a message m in message space M, a derived verification key dvk = (Qr , Qvk ) ∈ G1 × G2 , and a derived signing key dsk ∈ G1 , the algorithm proceeds as below: 1. Choose a uniformly random x ∈ Z∗p , then compute X = eˆ(xP, P ) ∈ G2 . 2. Compute h = H4 (dvk, m, X) ∈ Z∗p and Qσ = h · dsk + xP ∈ G1 . 3. Output σ = (h, Qσ ) ∈ Z∗p × G1 as the signature for m.

Secure Hierarchical Deterministic Wallet Supporting Stealth Address

107

Table 2. Sizes of signature and keys of an implementation of our HDWSA scheme Derived verification key

Signature

Wallet public key

Wallet secret key

Derived signing key

193 Bytes

97 Bytes

130 Bytes

64 Bytes

65 Bytes

Table 3. Computation time of an implementation of our HDWSA scheme Setup

RootWalletKeyGen WalletKeyDelegate VerifyKeyDerive VerifyKeyCheck SignKeyDerive Sign

7.769 ms 0.920 ms

4.111 ms

3.352 ms

3.122 ms

3.322 ms

Verify

1.505 ms 0.665 ms

• Verify(m, σ, dvk) → 1/0. On input a (message, signature) pair (m, σ) with σ = (h, Qσ ) ∈ Z∗p × G1 and a derived verification key dvk = (Qr , Qvk ) ∈ G1 × G2 , ?

the algorithm checks whether h = H4 (dvk, m, eˆ(Qσ , P ) · (Qvk )h ) holds. If it holds, the algorithm outputs 1, otherwise outputs 0. Correctness. The correctness of the construction can be easily verified. Due to space limitation, we defer the details to the full version [22]. 3.3

Security Analysis

Due to space limitation, we only give the security conclusion here and readers are referred to the full version [22, Appendix B] for the proof details. Theorem 1. The HDWSA scheme is selective wallet existentially unforgeable under the CDH assumption in the random oracle model. Theorem 2. The HDWSA scheme is selective wallet unlinkable under the CDH assumption in the random oracle model.

Unforgeability and Unlinkability in the Adaptive Model. Following Boneh et al.’s approach for achieving full security of Hierarchical Identity Based Encryption (HIBE) construction [2], our HDWSA construction can be proven unforgeable in the adaptive model, at the cost of a reduction loss factor of 1 1 h+1 q h , where qH0 is the number of hash oracle queries to H0 and h is the maxH0

imum level of identifiers/entities in an organization. Note that for hierarchical systems, it is natural to set such a parameter h, and in a practical organization hierarchy, h would be a small integer. We give more details of the reduction in the full version [22, Sect. 4.3]. The proof for unlinkability in the adaptive model is similar.

108

4

X. Yin et al.

Implementation

We implemented our HDWSA scheme in Golang and the source codes are available at https://github.com/cryptoscheme/hdwsa. Our implementation uses the Pairing-Based Cryptography Library [19], and uses a type A pairing on elliptic curve y 2 = x3 + x over Fq for a 512-bit q and group with 160-bit prime order, implying 80-bit security. Our implementation uses SHA-256 to implement the hash functions. Table 2 and Table 3 show the experimental results of our implementation on a usual computation environment, namely, a desktop with Intel(R) Core(TM) i7 10700 CPU @2.90GHz., 16 GB memory, and operating system Ubuntu 20.04 LTS. We clarify that our implementation was simply experimental and did not optimize further. We clarify further that we use point compression in computing the size of element in group G1 . Acknowledgements. This work was supported by the National Natural Science Foundation of China (No. 62072305, 62132013), and Shanghai Key Laboratory of Privacy-Preserving Computation.

References 1. Alkadri, N.A., et al.: Deterministic wallets in a quantum world. In: CCS 2020, pp. 1017–1031 (2020) 2. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639 26 3. Boneh, D., Franklin, M.: Identity-based encryption from the weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8 13 4. Buterin, V.: Deterministic wallets, their advantages and their understated flaws. Bitcoin Magazine (2013) 5. ByteCoin: Untraceable transactions which can contain a secure message are inevitable (2011). https://bitcointalk.org/index.php?topic=5965.0 6. Das, P., Erwig, A., Faust, S., Loss, J., Riahi, S.: The exact security of BIP32 wallets. In: CCS 2021, pp. 1020–1042 (2021) 7. Das, P., Faust, S., Loss, J.: A formal treatment of deterministic wallets. In: CCS 2019, pp. 651–668 (2019) 8. Fan, C., Tseng, Y., Su, H., Hsu, R., Kikuchi, H.: Secure hierarchical bitcoin wallet scheme against privilege escalation attacks. In: IEEE Conference on Dependable and Secure Computing, DSC 2018, pp. 1–8 (2018) 9. Fan, C., Tseng, Y., Su, H., Hsu, R., Kikuchi, H.: Secure hierarchical bitcoin wallet scheme against privilege escalation attacks. Int. J. Inf. Sec. 19(3), 245–255 (2020) 10. Gutoski, G., Stebila, D.: Hierarchical deterministic bitcoin wallets that tolerate key leakage. In: B¨ ohme, R., Okamoto, T. (eds.) FC 2015. LNCS, vol. 8975, pp. 497–504. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47854-7 31 11. Liu, W., Liu, Z., Nguyen, K., Yang, G., Yu, Yu.: A lattice-based key-insulated and privacy-preserving signature scheme with publicly derived public key. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds.) ESORICS 2020. LNCS, vol. 12309, pp. 357–377. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-59013-0 18

Secure Hierarchical Deterministic Wallet Supporting Stealth Address

109

12. Liu, Z., Yang, G., Wong, D.S., Nguyen, K., Wang, H.: Key-insulated and privacypreserving signature scheme with publicly derived public key. In: 2019 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 215–230. IEEE (2019) 13. Di Luzio, A., Francati, D., Ateniese, G.: Arcula: a secure hierarchical deterministic wallet for multi-asset blockchains. In: Krenn, S., Shulman, H., Vaudenay, S. (eds.) CANS 2020. LNCS, vol. 12579, pp. 323–343. Springer, Cham (2020). https://doi. org/10.1007/978-3-030-65411-5 16 14. NIST: FIPS pub 186-4. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.1864.pdf. Accessed 10 Jan 2021 15. Noether, S., Mackenzie, A.: Ring confidential transactions. Ledger 1, 1–18 (2016) 16. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978) 17. van Saberhagen, N.: Cryptonote v 2.0 (2013). https://cryptonote.org/whitepaper. pdf 18. Todd, P.: Stealth addresses. Post on Bitcoin development mailing list (2014). https://www.mail-archive.com/[email protected]/ msg03613.html 19. Unger, N.: The PBC go wrapper, December 2018. https://github.com/Nik-U/pbc 20. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639 7 21. Wuille, P.: BIP32: hierarchical deterministic wallets (2012). https://github.com/ bitcoin/bips/blob/master/bip-0032.mediawiki 22. Yin, X., Liu, Z., Yang, G., Chen, G., Zhu, H.: Secure Hierarchical Deterministic Wallet Supporting Stealth Address. Cryptology ePrint Archive, Paper 2022/627 (2022). https://eprint.iacr.org/2022/627

Zero-Knowledge Age Restriction for GNU Taler ¨ ur Kesim1(B) , Christian Grothoff2 , Florian Dold3 , Ozg¨ and Martin Schanzenbach4 1

2

Freie Universit¨ at Berlin, Berlin, Germany [email protected] Bern University of Applied Sciences, Bern, Switzerland 3 Taler Systems SA, Erpeldange, Luxembourg 4 Fraunhofer AISEC, M¨ unchen, Germany

Abstract. We propose a design for a privacy-friendly method of age restriction in e-commerce that is aligned with the principle of subsidiarity. The design is presented as an extension of a privacy-friendly payment protocol with a zero-knowledge scheme that cryprographically augments coins for this purpose. Our scheme enables buyers to prove to be of sufficient age for a particular transaction without disclosing it. Our modification preserves the privacy and security properties of the payment system such as the anonymity of minors as buyers as well as unlinkability of transactions. We show how our scheme can be instantiated with ECDSA as well with a variant of EdDSA, respectively, and how it can be integrated with the GNU Taler payment system. We provide formal proofs and implementation of our proposal. Key performance measurements for various CPU architectures and implementations are presented.

1

Introduction

Youth protection regulation requires retailers to assist caretakers in their efforts to keep minors safe online [Pou11]. For example, the Council of Europe Recommendation Rec (2001)8 says that “11. Member states should encourage the use of conditional access tools by content and service providers in relation to content harmful to minors, such as age-verification systems, ...”. Age verification in e-commerce today is mostly implemented by identity verification where the customer has to provide official identity documents. This approach is expensive for retailers, because they have to handle confidential information very carefully, and invasive for customers, because ID cards reveal more than the age. Another, privacy-friendly approach is the use of attributebased credentials [Kon+14,Sch+19] where authorities issue consumers with a certificate that enables them to produce a zero-knowledge proof [GMR89] showing that they are of sufficient age. A third approach ties age restriction to the ability to pay, for example via specialized credit cards for children that limit them to buy at certain “safe” stores [Fea21], but is also not privacy-friendly. c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 110–129, 2022. https://doi.org/10.1007/978-3-031-17140-6_6

Zero-Knowledge Age Restriction for GNU Taler

111

What all approaches so far have in common is that they violate the principle of subsidiarity [Bos10,Pav21], by which functions of government—such as granting and restricting rights—should be performed at the lowest level of authority possible, as long as they can be performed adequately. In case of age restriction, the lowest level of authority is that of legal responsibility for an under-age person: the parents, guardians and caretakers—not government or financial institutions. Our contribution is the design of an age restriction scheme that combines the following goals: 1. 2. 3. 4.

It ties age restriction to the ability to pay, not to IDs, maintains anonymity of buyers, maintains unlinkability of transactions and is aligned with the principle of subsidiarity.

Specifically, we define a zero-knowledge age-restriction scheme as an extension to GNU Taler, a privacy-preserving payment system where consumers can make unlinkable, untraceable payments using digital coins that were blindly signed by the payment service provider [Cha89,Dol19]. GNU Taler as the underlying payment system is in full concordance with our goals. Next, we will give the formal definition of the age restriction scheme and the security properties of our protocol (Sect. 2), a specific design and instantiation (Sect. 3), and security proof (Sect. 4). We then provide a brief primer on GNU Taler (Sect. 5), followed by a description on how to integrate the construction into it (Sect. 6) and assess the impact on performance (Sect. 7). Finally, we discuss how the assumption on checking accounts being always under the control of adults could be lifted by a small variation of the protocol (Sect. 8). We thank Matthias W¨ ahlisch for constructive feedback on an earlier draft.

2

Age Restriction

Our design for an age restriction scheme is based on the following assumptions and scenarios: 1. Checking accounts are always under the control of an eligible adult. When such an adult acts as the legal guardian for a minor and provides the minor with digital coins, our system allows them to add age-restriction to the nascent coins as they are being placed into the minor’s digital wallet. Subsidiarity is therefore preserved. 2. The minor can then freely and anonymously spent the coins. However, if a merchant requires a proof that the buyer is of a certain age, the minor can only generate zero-knowledge proofs up to the age limit set by their legal guardian. We note that the proofs are tied to each specific coin, allowing the guardian to grant exceptions for certain amounts. 3. The protocol design must also maintain GNU Taler’s critical capability to render change (or give refunds) in an unlinkable way, see Sect. 5. When minors receive fresh coins from change or refunds, the age restrictions should carry

¨ Kesim et al. O.

112

over to the fresh coins created by those business processes. The protocol must preserve unlinkability, so that it is impossible for merchants or the payment service provider to link the different transactions, even if a minor makes subsequent purchases from coins that were rendered as age-restricted change. Our design for an age restriction protocol involves the following computations by several parties. First, the legal guardian initially withdraws the digital coins and commits to an age restriction. Next, the minor wants to make a purchase and must attest their adequate age. The merchant will then need to verify the age proof. If the minor is to receive change, they must derive equivalent age restrictions for the fresh coins, and finally the payment service provider must compare the age restrictions to ensure that the minor preserved them correctly. We will begin by giving the signatures for these five functions, then formally state the security requirements and then follow this up with a possible instantiation and a proof that the instantiation satisfies the security requirements. 2.1

Signatures

Let λ be the general security parameter (written 1λ in unary representation) and Ω = {0, 1}λ . Let M be the minimum age of an unrestricted adult in years (with M small, typically M ∈ {18, 21}). Then we define an age restriction scheme as the five functions (Commit, Attest, Verify, Derive, Compare) along with appropriate domains (P, O, T, B), with the following signatures: Commit : Attest : Verify : Derive : Compare :

NM × Ω → O × P, NM × O × P → T ∪ {⊥}, NM × O × T → Z2 , O × P × Ω → O × P × B, O × O × B → Z2 ,

(a, ω) → (Q(a,ω) , P(a,ω) ) (m, Q, P) → T(m,Q,P) (m, Q, T) → b

(1) (2) (3)

(Q, P, ω) → (Qω , Pω , βω ) (Q, Q , β) → b

(4) (5)

where P, O, T, B are sufficiently large sets, not prone to exhaustive search. Helpful mnemonics for the sets and symbols are: O = cOmmitments, Q = Q-mitment (commitment), P = Proofs, P = Proof, T = aTtestations, T = aTtestation, B = Blindings, β = βlinding. No assumptions about relationships of these sets are being made a-priori, except for ⊥∈ T. Figure 1 shows the function of this scheme as they are called by which various participants and the transferred data between them. 2.2

Achieving Unlinkability

In a na¨ıve use of Derive and Compare, children would iteratively call Derive and an exchange E would call Compare. A child C would thereby create a chain

Zero-Knowledge Age Restriction for GNU Taler

113

Fig. 1. Age restriction flow – The functions (1)-(5) are called by various participants of a payment system: guardian G, child C, exchange E and merchant M. Compared to the participants in GNU Taler (Sect. 5), the guardian is introduced as a new entity and is responsible for the Commit. The diagram also shows the data being transferred between the participants. Note that the seeds and blindings are omitted for better readability.

Q0 , Q1 , . . . of equivalent age commitments and E would call Compare(Qi , Qi+1 , .) successively to check their validity. However, this would allow E to recognize the whole sequence {Q0 , Q1 , . . . } as being linked to the same C and therefore violate any requirement for unlinkability of age restrictions and violate indistinguishability of children. In order to achieve unlinkability and indistinguishably, we extend the functions (1)-(5) and propose a zero-knowledge, cut-and-choose protocol, based on Derive and Compare, in which C and E participate in an interactive proof (with a certain success-probability) for honest derivation of a new age commitment from an existing one, without revealing the new age commitment. This protocol follows the design of the refresh protocol in GNU Taler [Dol19, §4.7.4]. Given κ ∈ N, we define the protocol DeriveCompareκ : O × P × Ω → {0, 1} between the two parties C (child) and E (exchange), with H a hash function and $

−, as follows: uniformly random sampling ← DeriveCompareκ (Q, P, ω) := C: 1. 2. 3. E: 4.

for all i ∈ {1, . . . , κ} : (Qi , Pi , βi ) ←  Derive(Q, P, ω + i) h ← H H(Q1 , β1 ) · · · H(Qκ , βκ ) sent (Q, h) to E save (Q, h)

5. 6. C: 7. 8.

γ← − {1, . . . , κ} sent γ to C hγ ← H(Qγ , βγ )   Eγ ← (Q1 , β1 ), . . . , (Qγ−1 , βγ−1 ), ⊥, (Qγ+1 , βγ+1 ), . . . , (Qκ , βκ )

$

(6)

¨ Kesim et al. O.

114

9. sent (Eγ , hγ ) to E E: 10. for all i ∈ {1, . . . , κ} \ {γ} : hi ← H(Eγ [i]) ?

11. if h = H(h1 . . . hγ−1 hγ hγ+1 . . . hκ−1 ) return 0 ?

12. for all i ∈ {1, . . . , κ} \ {γ}: if 0 = Compare(Q, Qi , βi ) return 0 13. return 1 With this protocol, E learns nothing about Qγ (except for the blinded hash H(Qγ , βγ )) and trusts it to be of the same maximum age as the original com1 mitment with certainty κ−1 κ . Correspondingly, C has a chance of κ to cheat successfully, by using one age commitment generated via Commit with a higher age limit, instead of calling Derive on the old age commitment. 2.3

Requirements Imposed on the Functions (1)-(5)

For the cryptosystem to have the desired intuitive effect of providing age restrictions on purchases for minors, the five functions (1)-(5) must have the properties detailed in this section. Requirement 1 (Existence of lower bound proofs).  T ∈ T, if m ≤ a : Commit(a, ω) =: (Q, P) =⇒ Attest(m, Q, P) = ⊥ otherwise a∈NM

∀

ω∈Ω

Requirement 2 (Efficacy of lower bounds proofs). ⎧ ⎨1, if : Attest(m, Q, P) = T P∈P Verify(m, Q, T) = ⎩0 otherwise

∃

Requirements 1 and 2 imply Corollary 1 (Efficacy of commitments and proofs). Let (Q, P) ← Commit(a, ω) with a ∈ NM and ω ∈ Ω. If Requirements 1 and 2 hold, then also   ∀n≤a : Verify n, Q, Attest(n, Q, P) = 1. Furthermore, the functions must be related by the following requirements: Requirement 3 (Derivability of commitment and proofs). Let a ∈ NM , ω0 , ω1 ∈ Ω, (Q0 , P0 ) ← Commit(a, ω0 ) and (Q1 , P1 , β) ← Derive(Q0 , P0 , ω1 ). Then Compare(Q0 , Q1 , β) = 1 and for all n ≤ a: Verify(n, Q1 , Attest(n, Q1 , P1 )) = Verify(n, Q0 , Attest(n, Q0 , P0 ))

(7)

Zero-Knowledge Age Restriction for GNU Taler

115

We also do require the converse of (7), that is Requirement 4 (Surjectivity of Derivation).

 : Compare(Q, Q , β) = 1 ⇒ : (Q , P , β) = Derive(Q, P, ω)

∀

∃

Q,Q ∈O β∈B

P,P ∈P ω∈Ω

We will now define our security and privacy requirements in the form of security games. In the following, λ refers to the general security parameter in $ unary representation and Ω = {0, 1}λ . We write x ← − X for a sample x taken randomly from a uniform distribution over X and NM = {1, . . . , M}. A(X → Y ) is the set of all probabilistic polynomial-time algorithms from X to Y and (x) represents a negligible function, i.e. (x) = 1/O(ex ). First, we will formalize that the age-restriction protocol must not disclose unnecessary information about the age of the minor. Specifically, neither a commitment Q ∈ O nor a related attestation T ∈ T should disclose the age a that went into the first Commit, beyond what is fundamentally disclosed by the age being sufficient to satisfy the age check. We formalize this via the following games and requirements. Game 1 (Age disclosure by commitment or attestation). Let n ∈ N+ , m ∈ NM and A : NM × Tn × On × Bn−1 → NM (with B0 := {⊥}). The game GAgeCA (λ, m, n) is defined as: A $

(a, ω1 , . . . , ωn ) ← − {m, . . . , M} × Ωn (Q1 , P1 ) ← Commit(a, ω1 ) If n > 1, apply for i ∈ {1, . . . , n−1}: (Qi+1 , Pi+1 , βi+1 ) ← Derive(Qi , Pi , ωi+1 ) For i ∈ {1, . . . , n} apply: Ti ← Attest(m, Qi , Pi ) If n > 1, set b ← A(m, T1 , . . . , Tn , Q1 , . . . , Qn , β2 , . . . , βn ) else b ← A(m, T1 , Q1 , ⊥) 6. Return 1 if b = a and otherwise 0.

1. 2. 3. 4. 5.

Requirement 5 (Nondisclosure of age). A set of functions with signatures (1)-(5) is said to satisfy nondisclosure of age, if for all n ∈ N+ :

A∈A(NM

∀

×Tn ×On ×Bn−1 →N

M)



: Pr GAgeCA (λ, m, n) = 1 ≤ A

1 + (λ) (8) M−m+1

For effective age-restriction, we clearly also need the property that after a call to Commit(a, ω) with an age a, it should not be possible to forge an attest for a higher age from the commitment. This is described by the following game and requirement. Game 2 (Forging an attest). Let n ∈ N+ , A : NM × O × P × Ωn−1 → NM × T (with Ω0 := {⊥}). The game GFA A (λ, n) is defined as:

116

1. 2. 3. 4. 5. 6.

¨ Kesim et al. O. $

(a, ω1 , . . . , ωn ) ← − NM−1 × Ωn (Q1 , P1 ) ← Commit(a, ω1 ) If n > 1, for i ∈ {1, . . . , n − 1}: (Qi+1 , Pi+1 , ) ← Derive(Qi , Pi , ωi+1 ) If n > 1 (m, T) ← A(a, Q1 , P1 , ω2 , . . . , ωn ), else (m, T) ← A(a, Q1 , P1 , ⊥) Return 0 if m ≤ a Return Verify(m, Qn , T)

Requirement 6 (Unforgeability of minimum age). A set of functions with signatures (1)-(5) is said to satisfy unforgeability of minimum age, if for all n ∈ N+ the following holds:

: Pr GFA (λ, n) = 1 ≤ (λ). (9) A

∀

A∈A(NM ×O×P×Ωn−1 →NM ×T)

Finally, we define a game to challenge the unlinkability of commitments and attestations in which the adversary is considered to be a collaboration of exchange and merchant. Basically, any initial age commitment Q0 and all its derived successors Qi – together with all the attestations Ti they were used for – must be indistinguishable from any other such chain. As argued before in Sect. 2.2, we assume that the cut-and-choose protocol DeriveCompareκ is being performed between the client C and exchange E to guarantee the unlinkability of age commitments in the exchange. This explains the complicated definition of the game, in which we model the execution of DeriveCompareκ via the data generated from the various calls to Derive and Compare, which are partially made accesible to the adversary, as well as data from Attest. Game 3 (Distinguishing derived commitments and attestations) Let n, κ ∈ N+ , K := O × B, H := O × T × Kκ−1 , A0 : N2M → Nn+1 and A1 : M 2n+1 DCA 1 × H → {0, 1}. The game G (λ, κ, n) is then defined as follows: Nn+1 A0 ,A1 M  $  1. a0 , ω 0 , a1 , ω 1 ← − (NM × Ω)2 0 0 2. (Q1 , P1 ) ← Commit(a0 , ω 0 ), (Q11 , P11 ) ← Commit(a1 , ω 1 ) In step 3. we model the part of 3. Recursively for i ∈ {1, . . . , n}: $

−Ω×Ω (ζi , ηi ) ←  0  Qi+1 , P0i+1 , ← Derive(Q0i , P0i , ζi )   1 Qi+1 , P1i+1 , ← Derive(Q1i , P1i , ηi )

1

Upper indices on variables are not exponents.

the cut&choose protocol where one pair of commitment and blinding is not revealed to the adversary. 0/1 0/1 The sequences of pairs (Qj , Pj ) in this step are later used for attestation, but the blindings from the calls to Derive() are ignored and not accessible to the adversary.

Zero-Knowledge Age Restriction for GNU Taler

4. For i ∈ {1, . . . , n + 1}: For k ∈ {1, . . . , κ − 1}: $

− Ω × Ω (ξ  kk, χk ) ← k 0 0 , , α A i  ← Derive(Qi , Pi , ξk )  ik Bi , , βik ← Derive(Q1i ,P1i , χk ) 0 Ri := (A1i , αi1 ), . . . , (Aκi , αiκ )  R1i := (Bi1 , βi1 ), . . . , (Biκ , βiκ ) $

5. (b, i0 , i1 ) ← − {0, 1} × {1, . . . , n + 1}2 6. (m1 , . . . , mn+1 ) ← A0 (a0 , a1 , i0 , i1 ) 7. Return 0 if ∃i : mi > min(a0 , a1 ) or mi0 = mi1

117

In step 4., all revealed commitments and blindings during the cut&choose protocol are modelled. The adversary will see 2n(κ − 1) derived pairs (Aki , αik ) and (Bik , βik ) of commitments and blindings. The derived proofs are ignored as they are not used for attestation, and not accesible to the adversary. i0 and i1 are random indices that are dropped from each history, respectivelly, in step 9. The adversary chooses minimal ages. The minimum ages must not distinguish between a0 and a1 and must be the same at the dropped indices.

0 0 0 1 1 1 8. ∀i∈{1,...,n+1}

: Ti ← Attest(mi , Qi , Pi ), Ti ← Attest(mi , Qi , Pi )

9. s ← A1 m1 , . . . , mn+1 , i0 , i1 , (Qbib , Tbib , Rbib ), 0  0  0 0 0 0 (Q01 , T01 , R01 ), . . . ,  (Q i0 , Ti0 , Ri0 ), . . . , (Qn+1 , Tn+1 , Rn+1 ),  1  1  1 1 1 1 (Q11 , T11 , R11 ), . . . ,  , T , R ), . . . , (Q , T , R ) (Q i1 i1 i1 n+1 n+1 n+1 10. Return 1, if s = b, and otherwise 0. Requirement 7 (Unlinkability of commitments and attestations). A set of functions with signatures (1)-(5) is said to satisfy (unbounded) unlinkability of commitments and attestations, if for all n, κ ∈ N+ the following holds:

1 (λ, κ, n) = 1 = − (λ) (10) : Pr GDCA ,A A 0 1   2 n+1 A0 ∈A N2 ×{1,...,n+1}2 →N M M  

∀

A1 ∈A N

3

n+1 ×{1,...,n+1}2 ×H2n+1 →{0,1} M

Instantiation with ECDSA

We can now define a general instantiation of (1)-(5) based on ECDSA2 – general in the sense that the elliptic curve, hash function and generator are variables in the scheme. For the definitions and notations regarding elliptic curves and ECDSA we follow [JMV01]. Let λ ∈ N be the security parameter, M ∈ N+ the number of age groups to be handled in the system, E = (E(p, a, b), G, g) be an elliptic curve over the 2

Using ECDSA is also not required: we have created an instantiation based on Edx25519 (Appendix A); ECDSA is merely one that permits a concise description.

118

¨ Kesim et al. O.

field Fp with generator G of prime order g with log2 g ≥ λ, g˘ := log2 g, · : Zg → {0, 1}∗ a bit-encoding function, [·]g : {0, 1}∗ → Zg a full domain hash function ([BR96]), H : {0, 1}∗ → {0, 1}g˘ a collision-resistant hash function and ECDSA(E, H) = (E, Pub, SigE,H , VerE,H ) the corresponding ECDSA scheme. With  M the notation from Sect. 2.1 we define Ω := {0, 1}g˘ , O := EM , P := Zg ∪ {⊥} , T := Im(SigE,H ), B := Zg .

Instantiation 1. (General instantiation with ECDSA). Let E be an elliptic curve for which the decisional Diffie-Hellman assumption (DDH) holds [Bon98], i.e. given αG and βG it is computationally infeasible to distinguish between αβG and γG with uniformly random α, β, γ ∈ Zg with probability better than 21 − (λ). Let pi := [ω, i ]g for i ∈ {1, . . . , M} be private keys, qi := PubE (pi ) and let then the private keys pa+1 , . . . , pM be explicitly dropped by the guardian in: =P, length M

  =Q      CommitE,[·]g (a, ω) := (q1 , . . . , qM ), (p1 , . . . , pa , ⊥, . . . , ⊥) ⎧ ?   ⎨ T b, P[b] if P[b] := Sig =  ⊥ b E,H AttestE,H (b, Q, P) := ⎩⊥ otherwise

(11) (12)

VerifyE,H (b, Q, T) := VerE,H (b, Q[b], T) (13)   DeriveE,[·]g (Q, P, ω) := (β ∗ q1 , . . . , β ∗ qM ), (βp1 , . . . , βpa , ⊥, . . . , ⊥), β (14) with β := [ω]g and multiplication βpi modulo g  ?  1 if (β ∗ q1 , . . . , β ∗ qM ) = (q1 , . . . , qM )  CompareE (Q, Q , β) := 0 otherwise

(15)

Then we call the tuple AgeVer(λ, E, [·]g , H) := (λ, ECDSAE,H , CommitE,[·]g , AttestE,H , VerifyE,H , DeriveE,[·]g , CompareE ) a general instantiation of (1)-(5) .



It is straightforward to verify that this instantiation meets our basic requirements 1–4.

4

Proofs of the Security Properties

In this section, we will prove that the instantiation 1 fulfills the challenging security requirements 5–7. Theorem 1. AgeVer(λ, E, [·]g , H) (Instantiation 1) satisfies the nondisclosure of age requirement (Requirement 5).

Zero-Knowledge Age Restriction for GNU Taler

119

Proof. Note that in GAgeCA (λ, m, n) (Game 1) the adversary is provided with the A commitments Qi ’s and βi ’s (in case n > 1) which are independent of m and the randomly chosen a ∈ {m, . . . , M} for all n ∈ N+ according to the definitions of CommitE,H and DeriveE in (11) and (14). Also, with respect to the provided attestations Ti = Attest(m, Qi , Pi ) = SigE,H (m, Pi [m]), m and Pi [m] are independent of the randomly chosen a ∈ {m, . . . , M}, for all i ∈ {1, . . . , n} and all n ∈ N+ . 1 Therefore the adversary can only guess the value of a with probability M−m+1 , + for any n ∈ N .   Theorem 2. AgeVer(λ, E, [·]g , H) (Instantiation 1) satisfies the unforgeability of minimum age requirement (Requirement 6). Proof. In order for the game GFA A (λ, n) (Game 2) to return 1, the ECDSA signature verification (VerifyE,H (m, Q, T) = VerE,H (m, Q[m], T)) must be successful. Note that according to the definition (11) the adversary is initially not provided with the private keys {pa+1 , . . . , pM } and subsequent calls to Derive do not yield those neither for m ∈ {a + 1, . . . , M}. Winning this game, for any n ∈ N, is therefore equivalent to existential forgery of ECDSA, which has negligible probability.   Theorem 3. AgeVer(λ, E, [·]g , H) (Instantiation 1) satisfies the unlinkability of commitments and attestations requirement (Requirement 7). Proof. First we show that the adversary gets no information out of the commitments Qji , Aki and Bik in the game GDCA A0 ,A1 (λ, κ, n) (Game 3). The DDH assumption of the elliptic curve extends to uniformly random vectors (α1 , . . . , αM ), M (β1 , . . . , βM ) ∈ ZM g and γ ∈ Zg : Given (α1 G, . . . , αM G), (β1 G, . . . , βM G) ∈ E and γG ∈ E the vector of points (γα1 G, . . . , γαM G) can be distinguished from (γβ1 G, . . . , γβM G) again only with probability 12 − (λ), absorbing the constant M. The use of the FDH [·]g in Commit() and Derive() guarantees that all components of Qji , Aki and Bik are uniformly distributed in E. Note that Compare() is not a distinguisher for the adversary, as it will only return 1 for Qji and each of the commitments and bindings in the corresponding vector Rji within each triple (Qji , Tij , Rji ). When provided with Qbib and any commitment and blinding from both histories, it returns 1 only with probability (λ) (non-zero due to the uniform distribution of the points on the finite elliptic curve). Finally, the adversary is provided with Tibb = SigE,H (mib , Pibb ). Verify will only return 1 with the commitment from the same triplet, but for any other commitment in any of the two histories it will return 1 only with probability (λ) (again, non-zero due to the uniform distribution of the points on the finite elliptic curve). And because mi0 = mi1 the adversary can not distinguish the indices. Therefore, the adversary can only guess b correctly with probability 1 − (λ).   2

120

5

¨ Kesim et al. O.

Background: GNU Taler

GNU Taler is a token-based electronic online payment system using cryptography to secure payments. It extends the concepts introduced by eCash in 1989 [Cha89]. A coin in GNU Taler is a public/private key pair where the private key is only known to the owner of the coin. GNU Taler provides accountability and protect citizens’ right to informational self-determination [Dol19] and can be used by commercial banks interested in underwriting commercial e-money, or as a central bank digital currency (CBDC) [CGM21]. GNU Taler meets—among others—the following security and privacy goals which are in alignment with the goals of our age restriction scheme: 1. Purchases must not identify the buyer, and must also not be linkable to other transactions of the same buyer. 2. Coins must be fungible. That is, all coins signed with the same denomination key must be equivalent. In particular, it must not be possible to partition the anonymity set into between users that used change and those that used cash that was directly withdrawn. 3. Customers must be always able to pay any amount for which they have sufficient total digital coins and receive change in an unlinkable way. We will now summarize the key steps of the GNU Taler protocols that are relevant to our extension for age restriction. See also Fig. 2 for a schematic overview of the participants and the protocols between them. The complete protocol suite with all the details is defined in [Dol19].

Fig. 2. Overview of the GNU Taler protocols (partially) – The customer C withdraws coins from the payment service provider (exchange) E. C uses the coins to purchase at a merchant M, who then deposits the coins at E. C gets change for coins from E via the zero-knowledge refresh protocol.

withdraw [Dol19, §4.7.2] : For each coin, the customer C creates a pair (ci , Ci ) of private and public keys. C then requests the payment service provider E to create a blind signature over Ci using the private key to denomination Dv , which represents a particular unit of value, authorizing E to deduct the

Zero-Knowledge Age Restriction for GNU Taler

121

respective balance from the consumer’s account. The blind signature is made over the full domain hash [BR96] of the public key Ci of the coin and the validation of a coin is performed by signature validation:   ? (16) 1 = SigCheck FDH(Ci ), Dv , σi Here, SigCheck is the verification function of the blind signature scheme3 , Dv is the public key of the denomination and σi is the signature to be verified. purchase [Dol19, §4.7.3] : To pay for goods, C first negotiates a contract with the merchant M. Upon agreement, the merchant M cryptographically signs the contract and C—their identity possibly remaining private—signs the contract, too, with private coin keys ci and sends it to M. deposit [Dol19, §4.7.3] : M forwards the signed contract to E. The signatures, performed with valid coins ci from C, are basically instructions from C to E to pay the merchant M who is identified by the bank account details in the contract. E checks for overspending and the validity of each coin itself, given its public key Ci and using the signature verification with the formula in (16). refresh [Dol19, §4.7.4] : C can ask E for change for a partially spend coin cold . In order to maintain unlinkability of old and new coins, both parties perform a zero-knowledge, cut-and-choose protocol, with a security parameter κ > 1: C derives from Cold new coins {(c1 , C1 ), . . . , (cκ , Cκ )} and sends E a commitment to (β1 (C1 ), . . . , βκ (Cκ )) without disclosing the Ci by using blinding functions βi . E then chooses a γ ∈ {1, . . . , κ} and C has to prove ownership of cold and disclose the correct key derivation and the blindings βi for all i = γ, which proves (with certainty κ−1 κ ) the ownership by C of cold and all but one ci . Together with the blinded βγ (Cγ ), E can compare the computed values with the initial commitment. On success, C receives a blind signature with the appropriate denomination for undisclosed fresh coin Cγ .

6

Integration into GNU Taler

We now present the integration of the the age-restriction scheme 2.1 into GNU Taler [Dol19, §4.7]. A crucial step is to indisputably bind a particular age commitment to a particular coin. This is done by requiring the blind signature of a coin’s public key Cp in the original protocol to now also include the age commitment Q. Specifically, instead of signing FDH(Cp ), the exchange will now blindly sign FDH(Cp , H(Q)). This means that instead of the original signature check in equation (16), now the check of validity of a coin’s signature requires the hash of the age commitment:   ? (17) 1 = SigCheck FDH(Cp , H(Q)), Dp , σp 3

GNU Taler currently supports RSA [Cha89] and Clause Blind Schnorr [DH22, Ban21] blind signature schemes.

122

¨ Kesim et al. O.

Again, SigCheck is the verification function of the signature scheme, Dp is the public key of the denomination and σp is the signature to be verified.

Fig. 3. Extended Taler protocol suite – The protocols withdraw, purchase, deposit and refresh from Fig. 2 and call graphs to Commit, Attest, Verify from Fig. 1, together with the cut&choose protocol DeriveCompareκ , defined in Sect. 2.2, are combined into a suite of augmented protocols for GNU Taler.

With the tight bond between a coin’s public key and an age commitment defined, the existing procotols from GNU Taler are augmented as follows (see Fig. 3 for a schematic overview): withdraw → (Commit, withdraw): A guardian G Commit to an age a, producing a commitment Q and a proof Pa .The commitment Q is bound to a fresh coin’s public key Cp during the withdraw protocol by generating a blind signature for FDH(Cp , H(Q)) (instead of FDH(Cp ) as in the original protocol). purchase → (Attest, purchase, Verify): A merchant M can specify a minimal age m as requirement for a purchase in the contract terms. Assuming that m ≤ a, the child can now Attest the minimum age and send the attestation Tm and commitment Q to the merchant during the purchase protocol. The merchant can Verify the minimum age m, given Tm and Q. Note that the merchant can also verify that the commitment Q was bound to the coin Cp by verifying the signature of FDH(Cp , H(Q)). deposit: Within the deposit protocol, M now also sends H(Q) to the payment service provider E, who can then verify the coin by verifying the signature of FDH(Cp , H(Q)). refresh → (DeriveCompareκ , refresh): The two cut-and-choose protocols, the original refresh protocol and the age restriction specific DeriveCompareκ from Sect. 2.2, are run in parallel with the same γ ∈ {1, . . . , κ} chosen by E. However, instead of sending (blinded) FDH(Ci ) for the original refresh protocol, C sends (the blinded) FDH(Ci , H(Qi )). When both, refresh and DeriveCompareκ , terminate successfully, E blindly signs FDH(Cγ , H(Qγ )).

Zero-Knowledge Age Restriction for GNU Taler

7

123

Implementation and Benchmarks

Table 1 summarizes the performance of our five key operations. We note that the time the wallet spends on computing Commit and Derive is largely insignificant for the user experience as it happens during non-interactive background operations. Similarly, the latency from Attest can typically be hidden by precomputing the result while the human user is busy reviewing the terms of the sale and making the purchasing decision. The latency increase from an exchange computing Compare is not relevant for the user experience as it again happens during a non-interactive background operation. However, it may require adequate provisioning of computational resources at the exchange. Only Verify is crucial for the user experience, as it runs at the merchant on the critical path between the user confirming the payment and the ultimate payment confirmation and fulfillment. Fortunately, this is also a cheap operation for the merchant. Table 1. Runtime in µs (average and standard deviation of min. 500 iterations) of the various operations for eight age groups (M = 8) implemented in different languages and run on various CPUs (single-core). The ECDSA implementation in Go uses curve NIST-256 instead of curve25519 due to the missing full support for all arithmetic operations. 1 ) AMD Ryzen 7 3750H. 2 ) Intel Pentium Silver N5000 CPU 1.10GHz. 3 ) ARM-Cortex-A72 1.8GHz. 4 ) TypeScript on Intel Core i7-10510U CPU. 5 ) The Cimplementation for DeriveCompareκ has an optimization in which the call to Compare is not necessary and therefore not implemented.

ECDSA

Impl.

Commit

Attest

Verify

Derive

Compare

Go-AMD1 Go-PEN2 Go-ARM3 C-AMD1

209.6 ± 101.5 322.8±14.0 6097.0±47.6 1741.9±49.1

69.2± 28.1 83.5±11.5 1073.0±128.1 445.7±29.3

125.9±66.9 218.6±64.1 2856.0±21.9 610.4±9.8

775.8±314.0 1579.0±84.7 21309.0±53.9 5523.5±68.0

603.7± 230.8 1292.0±52.1 15901.0±46.8 −5

219.7±78.3 395.8±19.1 3311.0±31.8 272.9±61.1 433.0±30.6 50412.5±5459.7

70.3±28.0 139.1±9.6 1213.0±13.5 48.7±5.4 113.5±12.0 5882.9±692.0

94.4±33.5 190.1±12.4 1870.0±16.6 72.1±7.0 174.0±8.9 11095.2±1007.2

1158.0±564.2 2053.0±105.5 18006.0±61.5 4948.6±37.0 3882.6±89.2 131728.4±5376.0

885.9±411.0 1536.0±74.9 14017.0±603.4 −5 −5 88060.1±4662.3

Edx25519 Go-AMD1 Go-PEN2 Go-ARM3 C-AMD1 C-PEN2 TS-i74

The additional bandwidth required for a regular withdraw and deposit is 32 bytes for the additional transmission of H(Q). During the purchase, an additional (M + 1) · 32 bytes need to be transmitted for Tm and Q. This additional information may also need to be stored by the exchange and merchant for many years to enable later audits. We have implemented our protocol in the GNU Taler system, specifically the Taler exchange, merchant and wallet components. As part of GNU Taler our implementation is free software under AGPL. For the current implementation in GNU Taler, we are using Edx25519 (Appendix A) for a security level of 128 bits.

124

8

¨ Kesim et al. O.

Discussion

GNU Taler —Our design for age restriction protocol is quite general and can be instantiated with various cryptographic primitives. It can also in principle be used with any token-based payment service. However, its design goals—in terms of security, privacy and efficiency—and participants strongly align with those of GNU Taler. Minors with Bank Accounts —One key principle in our design is subsidiarity: Wards or parents are the entities that effectively choose the age limits for the coins for their wards. This hinges on the assumption that personal bank accounts are owned by adults. In countries where also minors have personal bank accounts, minors could withdraw digital cash without an adult ensuring that an age restriction is set by the wallet at the time of withdrawal. To address this case, we assume that banks provide the Taler exchange with the minimum age of the minor whenever a debited account is age-restricted. This would typically happen whenever a Taler reserve is credited by a wire transfer from a minor’s bank account. To ensure that withdrawn coins are still created with an age restriction in this case, a variant of the cut-and-choose approach of the extended refresh protocol can be used. But, instead of proving the equivalence of the age restrictions, the minor would prove (with probability κ−1 κ ) that the Q included public keys for which the minor does not know the private key at the slots corresponding to restricted age levels. This can be achieved by proving that these commitments were derived from a well-known master public key of the system.4 To ensure the resulting coins are indistinguishable from all other coins even when the Q is disclosed to the merchant, the protocol must use different β values for each derivation from the master public key. So here Derive would need to be adjusted to operate on each element instead of a vector. Limitations —In our design wards get to determine the appropriate age-level, which can differ from the biological age in both directions. The design also does not handle the case where the individual gets older, leaving it to both parties to negotiate how to proceed. In any case, a wallet implementation for GNU Taler should prioritize using coins with lower age-restrictions, and coins in Taler are meant for spending and not for hoarding. The protocols of GNU Taler itself are not post-quantum (PQ) ready, as we do not know of any suitable PQ blind signature scheme. Identity Management Systems —Age is an important part of a persons identity, and handling identity information requires high standards of protection and confidentiality and raises sensitive ethical questions. Here we want to 4

The private key of the master public key must simply be deleted after creation, as it would enable minors to defeat the cut-and-choose protocol. Deriving commitments from the master key implies that computing the private key corresponding to the commitment is equivalent of solving DLOG for the master public key.

Zero-Knowledge Age Restriction for GNU Taler

125

discuss some problems, for which digital identity systems are not the only and often not the best solution: – Some proposals to replace cash for central bank digital currencies [MT19] introduce digital identities to discharge KYC requirements needed for retail central bank accounts [Int21]. GNU Taler demonstrates that anonymous digital cash is feasible and proposes a two-tiered architecture where central banks can satisfy regulatory requirements at scale by piggy-backing on existing commercial bank processes. – Mastercard’s “Trust Stamp” [Fau20] project intends to link vaccination data with personal biometric data to create a digital health passport in the context of the GAVI alliance, with critics pointing out [Bea21] the potential for abuse by AI-powered predictive policing of the biometrically tagged population. D3PT [Tro+20] and Europe’s vaccination certificates [Ede21] demonstrate that more decentralized and privacy-respecting approaches are viable alternatives to fight pandemics. – Online protections for minors are another area where digital passports have been proposed as a solution by surveillance-friendly governments [Her21]. The protocol presented in this paper provides a method for protecting minors where the state only sets the rules for commercial providers, while leaving the actual decisions to the minor’s wards—where it belongs. [Bos10] Identity bases systems are also not very popular: In a recent election, the Swiss population rejected the creation of a public-private partnership for digital identity management [Bun21], despite digital identity systems being proposed to the voters as a solution for many social problems.

9

Related Work

To our knowledge, all currently available systems for privacy-preserving age restrictions are based on attribute-based credentials [Kon+14,CL01,CDL16, Sch+19,Au+12], where authorities issue consumers with a certificate that enables them to produce a zero-knowledge proof [GMR89] showing that they are of sufficient age. This identity-centric approach is also reflected in emerging standards for self-sovereign identity [Con+19]. However, in order for identity providers to issue statements as attribute-based credentials from their respective subjects, they are implicitly expected to collect and verify the respective personal information. Critically, our approach does not require the existence of a dedicated identity provider and instead relies on the principle of subsidiarity as part of the payment system. This attribute-based approach lacks broad deployment mainly for two reasons: First, it remains complex for consumers and retailers, and second, it requires authorities to issue suitable credentials even for self-sovereign identity

126

¨ Kesim et al. O.

systems [Sch+21]. The complexity arises from fundamental open questions of trust in context of self-sovereign identity. Which authorities can or should be trusted with attesting user information? Is it reasonable to assume that this information can be protected appropriately by the identity provider? The principle of subsidiarity as integrated in our approach offers an elegant solution to this conundrum by completely sidestepping questions of identity and trust. Other approaches which tie age restriction to the ability to pay do exist. For example, specialized credit cards for children limit the ability to pay to certain “safe” stores [Fea21]. This approach has the advantage that the age restriction is part of the mandatory payment process. Hence, consumers do not have to perform additional steps during checkout. This is crucial as additional steps during checkout are problematic for retailers because they increase costs and may even lead to consumers aborting the purchase process. We argue that while age restriction as a feature of the payment system is clearly desirable, the existing credit card process is not privacy-friendly: They require minors to register with payment service providers which can than identify and track purchases of minors. Furthermore, restricting payments to specific stores is also unnecessarily restrictive.

10

Conclusion

Age restriction in e-commerce is not merely a technical challenge. It is a matter of ethical and legal origin for which, so far, only technological solutions without strong protection of privacy or solutions based on identity management systems exists. Our work thus contributes to the technological solution space by providing a privacy-friendly age restriction scheme based on subsidiarity. It adds to a body of research that questions the basis on which policy makers justify the deployment of identity management systems.

A

Edx25519

Edx25519 is a signature scheme based on Ed25519 [Ber+12], but allows for derivation of private and public keys, independently, from existing ones. Private keys in Edx25519 are pairs (a, b) of 32 byte each. Initially they correspond to the result of the expansion and clamping in EdDSA. The scheme is as follows, in pseudo-code: E d x 2 5 5 1 9 _ g e n e r a t e _ p r i v a t e ( seed ) { // EdDSA expand and clamp dh := SHA -512( seed ) a := dh [0..31] b := dh [32..64] a [00] &= 0 b11111000 a [31] &= 0 b00111111 a [31] |= 0 b01000000

Zero-Knowledge Age Restriction for GNU Taler return (a , b ) } E d x 2 5 5 1 9 _ p u b l i c _ f r o m _ p r i v a t e ( private ) { // Public keys are the same as in EdDSA (a , _ ) := private return [ a ] * G } Edx25519_sign ( private , message ) { // Identical to Ed25519 , except for the origin of b (a , b ) := private P := E d x 2 5 5 1 9 _ p u b l i c _ f r o m _ p r i v a t e ( private ) r := SHA -512( b  message ) R := [ r ] * G s := r + SHA -512( R  P  message ) * a % L return (R , s ) } Edx25519_verify (P , message , signature ) { // Identical to Ed25519 (R , s ) := signature return [ s ] * G == R + [ SHA -512( R  P  message )] * P } E d x 2 5 5 1 9 _ b l i n d i n g _ f a c t o r (P , seed ) { // This is a helper function used in the derivation of // private / public keys from existing ones . h1 := HKDF_32 (P , seed ) // Ensure that h == h % L h := h1 % L // Make sure that we don ’ t create weak keys . P ’ := [ h ] * P if !( ( h !=1) && ( h !=0) && (P ’!= E ) ) { throw error } return h } E d x 2 5 5 1 9 _ d e r i v e _ p r i v a t e ( private , seed ) { (a , b ) := private P := E d x 2 5 5 1 9 _ p u b l i c _ k e y _ f r o m _ p r i v a t e ( private ) h := E d x 2 5 5 1 9 _ b l i n d i n g _ f a c t o r (P , seed ) // Carefully calculate the new value for a a1 := a / 8; a2 := ( h * a1 ) % L a ’ := ( a2 * 8) % L // Update b as well , binding it to h . b ’ := SHA256 ( b  h ) return (a ’ , b ’)

127

128

¨ Kesim et al. O.

} E d x 2 5 5 1 9 _ d e r i v e _ p u b l i c (P , seed ) { h := E d x 2 5 5 1 9 _ b l i n d i n g _ f a c t o r (P , seed ) return [ h ]* P }

References [Cha89] Chaum, D.: Blind Signatures for Untraceable Payments. In: Advances in Cryptology Proceedings of Crypto82 (1989). https://doi.org/10.1007/9781-4757-0602-4 18 [GMR89] Goldwasser, S., Micali, S., Rackoff, C.: The Knowledge Complexity of Interactive Proof Systems. SIAM J. Comput. 18(1), 186–208 (1989). https://doi. org/10.1137/0218012 [BR96] Bellare, M., Rogaway, P.: The exact security of digital signatures-how to sign with RSA and Rabin. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996). https://doi.org/10.1007/3540-68339-9 34 [Bon98] Boneh, D.: The decision Diffie-Hellman problem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 48–63. Springer, Heidelberg (1998). https://doi. org/10.1007/BFb0054851 [CL01] Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6 7 [JMV01] Johnson, D., Menezes, A., Vanstone, S.: The elliptic curve digital signature algorithm (ECDSA). Int. J. Inf. Secur. 1(1), 36–63 (2001). https://doi.org/ 10.1007/s102070100002 [Bos10] Bosnich, D.A.: The Principle of Subsidiarity. In: Religion & Liberty 6.4 (2010) [Pou11] Poullet, Y.: e-Youth before its judges — legal protection of minors in cyberspace. Comput. Law Secur. Rev. 27(1), 6–20 (2011). https://doi.org/ 10.1016/j.clsr.2010.11.011 [Au+12] Au, M.H., et al.: Constant-size dynamic k-times anonymous authentication. IEEE Syst. J. 7(2), 249–26 (2012) [Ber+12] Bernstein, D.J., et al.: High-speed high-security signatures. J. Cryptogr. Eng. 2, 77–89 (2012). https://doi.org/10.1007/s13389-012-0027-1 [Kon+14] Koning, M., et al.: The ABC of ABC: an analysis of attributebased credentials in the light of data protection, privacy and identity. In: Proceedings of the 10th International Conference on Internet, Law & Politics, pp. 357–374 (2014) [CDL16] Camenisch, J., Drijvers, M., Lehmann, A.: Anonymous attestation using the strong Diffie Hellman assumption revisited. In: Franz, M., Papadimitratos, P. (eds.) Trust 2016. LNCS, vol. 9824, pp. 1–20. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45572-3 1 [Con+19] World Wide Web Consortium: Verifiable credentials data model 1.0: Expressing verifiable information on the web (2019). https://www.w3.org/ TR/vc-data-model/?#core-data-model

Zero-Knowledge Age Restriction for GNU Taler

129

[Dol19] Dold, F.: GNU Taler - practical and provably secure electronic payments, Ph.D. thesis (2019). https://taler.net/papers/thesis-dold-phd-2019.pdf [MT19] Mej´ıa-Ricart, R., Tellez-Merchan, C.: Distributed ledger technology and digital identity: prospects and pitfalls ahead. https://www.betterthancash. org/news/distributed-ledger-technology-and-digital-identity-prospectsand-pitfalls-ahead (2019) [Sch+19] Schanzenbach, M., et al.: ZKlaims: privacy-preserving attribute based credentials using non-interactive zero-knowledge techniques. In: Proceedings of the 16th International Joint Conference on e-Business and Telecommunications (2019). https://doi.org/10.5220/0007772903250332 [Fau20] Fauzia, M.: Fact check: Mastercard’s partnership on vaccination records is unrelated to finances. In: USA Today (2020) [Tro+20] Troncoso, C., et al.: Decentralized Privacy-Preserving Proximity Tracing. Tech. rep, EPFL (2020) [Ban21] Banerjee, A.: A fully anonymous e-voting protocol employing universal ZKsnarks and smart contracts. Cryptology ePrint Archive, Report 2021/877. https://ia.cr/2021/877 [Bea21] The Liberty Beacon: Trust stamp vaccine record and payment system to be tested on low-income Africans (2021). https://www.thelibertybeacon. com/trust-stamp-vaccine-record-and-payment-system-to-be-tested-onlow-income-africans/ [Bun21] Bundeskanzlei BK: Vorlage Nr. 639: Resultate in den Kantonen. https:// www.bk.admin.ch/ch/d/pore/va/20210307/can639.html (2021) [CGM21] Chaum, D., Grothoff, C., Moser, T.: How to issue a central bank digital currency. In: SNB working paper series (2021). https://www.snb.ch/en/mmr/ papers/id/working paper 2021 03 [Ede21] Eder, D.: EU Digital COVID Certificates Project. https://github.com/eudigital-green-certificates (2021) [Fea21] Feathers, T.: Debit card apps for kids are collecting a shocking amount of personal data. In: Motherboard (2021) [Her21] Hern, A.: Can facial analysis technology create a child-safe internet? In: The Guardian (2021) [Int21] Bank of International Settlement: Central bank digital currencies herald a new chapter for the monetary system. https://www.bis.org/press/p210623. htm (2021) [Pav21] Pavy, E.: The principle of subsidiarity. https://www.europarl.europa.eu/ factsheets/en/sheet/7/the-principle-of-subsidiarity (2021) [Sch+21] Schanzenbach, M., et al.: Decentralized Identities for Self-sovereign Endusers (DISSENS). In: Open Identity Summit. Gesellschaft f¨ ur Informatik (2021) [DH22] Demarmels, G., Heuzeveldt, L.: Adding Schnorr’s Blind Signature in Taler, Bacherlor’s thesis (2022). https://taler.net/papers/cs-thesis.pdf

Privacy

Privacy Leakage in Privacy-Preserving Neural Network Inference Mengqi Wei1,2 , Wenxing Zhu1 , Liangkun Cui1 , Xiangxue Li1,3(B) , and Qiang Li4 1

School of Software Engineering, East China Normal University, Shanghai, China [email protected] 2 Shanghai Key Laboratory of Privacy-Preserving Computation, MatrixElements Technologies, Shanghai, China 3 Shanghai Key Laboratory of Trustworthy Computing, Shanghai, China 4 Institute of Cyber Science and Technology, Shanghai Jiaotong University, Shanghai, China [email protected] Abstract. The community has seen many attempts to secure machine learning algorithms from multi-party computation or other cryptographic primitives. An interesting 3-party framework (SCSDF hereafter) for privacy-preserving neural network inference was presented at ESORICS 2020. SCSDF defines several protocols for non-linear activation functions including ReLU, Sigmoid, etc. In particular, these protocols reckon on a protocol DReLU (derivative computation for ReLU function) they proposed as a building block. All protocols are claimed secure (against one single semi-honest corruption and against one malicious corruption). Unfortunately, the paper shows that there exists grievous privacy leakage of private inputs during SCSDF executions. This would completely destroy the framework security. We first give detailed cryptanalysis on SCSDF from the perspective of the real-ideal simulation paradigm and indicate that these claimed-secure protocols do not meet the underlying security model. We then go into particular steps in SCSDF and demonstrate that the signs of input data would be inevitably revealed to the (either semi-honest or malicious) third party responsible for assisting protocol executions. To show such leakage more explicitly, we perform plenteous experiment evaluations on the MNIST dataset, the CIFAR-10 dataset, and CFD (Chicago Face Database) for both ReLU and Sigmoid non-linear activation functions. All experiments succeed in disclosing original private data of the data owner in the inference process. Potential countermeasures are recommended and demonstrated as well. Keywords: Multi-party computation · Privacy-preserving machine learning · Neural network inference · Privacy leakage

1 1.1

Introduction Privacy Concerns in Machine Learning

Machine learning is a hot topic in artificial intelligence due to its wide applicability in different industrial scenarios, such as face recognition, text analysis, c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 133–152, 2022. https://doi.org/10.1007/978-3-031-17140-6_7

134

M. Wei et al.

autonomous driving, etc. Moreover, Machine Learning as a Service (MLaaS) has become a popular service architecture. In MLaaS, data owners (i.e., clients) upload their (valuable or even private) data to service providers, who can then use these data and their own machine learning models to make predictions and send the prediction results back to clients. Some known technology companies such as Amazon, Google, and Microsoft are involved in this kind of services. In some scenarios (e.g., finance and healthcare), input data such as text and images uploaded for inference is often sensitive. Misuse of this type of data may result in the leakage of those clients’ private information. This would reduce the clients’ willingness to use the service and even violates relevant laws and regulations, such as CCPA (California Consumer Privacy Act) [1,3] and GDPR (General Data Protection Regulation) [2] privacy protection laws. Thus, the problem of potential privacy leakage has greatly mitigated the deployment and development of MLaaS. On the other hand, it is also unrealistic to deploy machine learning models directly on the client-side to perform local inference because of commercial value of the models. Fortunately, we have a good candidate, privacypreserving machine learning (PPML), in this context. 1.2

MPC for PPML

PPML is committed to addressing these privacy concerns by leveraging cryptographic primitives, such as homomorphic encryption (HE) and secure multiparty computation (MPC)1 [8]. These techniques ensure that neither the client nor the model provider leaks their own data, except that the client gets the inference result. As a trade-off, these tools reduce computation efficiency and improve communication overhead due to multiple interactions and complex calculations. Several PPML frameworks [11,13,18,19,23,24] are designed and aimed at reducing the gap between plaintext and ciphertext computing for neural network inference service of privacy protection. Concretely, these frameworks construct specialized protocols for linear layers (e.g., fully connected layer, conventional layer), and non-linear layers (e.g., ReLU and Sigmoid). Then they compute the neural network layer by layer. Furthermore, these frameworks discuss two standard security models in MPC protocols: semi-honest model and malicious model. In general, constructions for the former are more efficient, while the latter provides higher security level. One research line relies on fully homomorphic encryption and somewhat homomorphic encryption to construct secure neural network frameworks. One of the pioneered work for considering neural network inference goes to the CryptoNets proposed by Gilad-Barach et al. [11]. CryptoNets mainly uses leveled homomorphic encryption (LHE) to compute matrix multiplication for linear layers. For non-linear layers, it uses a square function to approximate the ReLU activation function, which leads to accuracy loss. MiniONN [16] uses additively homomorphic encryption together with a batch processing technique of single 1

Including secret sharing, garbled circuit (GC), oblivious transfer (OT), etc.

Privacy Leakage in Privacy-Preserving NN Inference

135

instruction multiple data (SIMD) to optimize matrix multiplication and convert computational overhead to offline precomputing phase. Gazelle [13] also uses additively homomorphic encryption for linear layers and further provides specialized packing schemes to optimize the communication needed in matrix multiplication. GC [26] is used for non-linear layers. Delphi [17] adapts Gazelle by moving heavy cryptographic operations over LHE ciphertexts to preprocessing phase. All above protocols provide only semi-honest security. The framework Muse [15] provides security against malicious clients and semi-honest servers. Another research line mainly relies on arithmetic secret sharing for linear layers. SecureML [18] uses offline-generated multiplication triples to compute multiplications, and GC for activation layers. However, it relies completely on generic two-party computation (2PC) protocols, resulting in poor performance on real networks. Chameleon [22] also considers the 2PC setting but removes expensive OT protocols used to generate multiplication triples in SecureML by using a third party as a helper. Both SecureML and Chameleon consider semihonest corruption only. ABY3 [19] and SecureNN [24] deliberate malicious security and demonstrate that the 3PC (3-party computation) setting improves performance remarkably. ABY3 provides a new framework for efficiently switching back and forth between arithmetic, binary, and Yao 3PC, and finds its application in neural network inference. ASTRA [10], BLAZE [20] and SWIFT [14] further this research line and improve upon ABY3. Most of above protocols [18–20] utilize GC for non-linear layers. As a general secure protocol however, GC requires expensive communication overhead (performance bottleneck). To reduce communication overhead of non-linear layers, SecureNN [24] implements secure derivative computation of ReLU function (DReLU) based on a series of sub-protocols in a 3-party setting. Then, the authors in [24] rely on the DReLU protocol to construct ReLU and Maxpool protocols, which produces remarkable efficiency for the framework. In addition, some frameworks [4,21] combine quantization and MPC protocols to improve the efficiency of secure neural network inference. Motivated by SecureNN [24], an interesting 3-party (client, server, and third party) framework (SCSDF, hereafter) is presented at ESORICS 2020 [23]. 1.3

SCSDF Framework for Neural Network Inference

In SCSDF [23], the authors construct a more efficient DReLU protocol with less complexity and fewer rounds than SecureNN2 [24]. As in prior work, SCSDF also regards DReLU protocol as a building block of ReLU and Sigmoid protocols. These protocols achieve 1.2×-11.8× efficiency gains over those in SecureNN. The authors of [23] can thereby implement a faster framework for privacy-preserving inference on general convolutional networks and graph convolutional networks (GCN) [25]. We mention that DReLU is essential for SCSDF which bases its security (protocol security of ReLU, Sigmoid, Maxpool, etc.) on DReLU security. Unfortunately, we find that the claimed-secure DReLU protocol is flawed, and there 2

Only one multiplication operation and one extra interaction are needed.

136

M. Wei et al.

exists information disclosure during protocol execution. Specifically, the protocol leaks the MSB (most significant bit) of the input value (which denotes the sign of the data) to the semi-honest third party who is only responsible for assisting the client and the server in protocol implementation. If the semi-honest third party is corrupted (by any adversary), it may infer the original data of the client from the sign, which destroys client privacy. We analyze the security of the DReLU protocol in SCSDF and show that the protocol is not provably secure from the perspective of real-ideal simulation paradigm. The protocol actually suffers from a data leakage problem, and sign data is revealed in the DReLU protocol, which is a pivotal component of computing non-linear activation functions. This would further result in varying degrees of leakage in the computations of all activation layers. Then, to support our findings, we use the leaked sign data to infer clients’ original data and demonstrate privacy breaches in the neural network inference framework SCSDF. Experimental evaluations are performed on several data sets including MNIST (the only one used as test set in [23]), CIFAR-10, and CFD (Chicago Face Database). Three parties, a server (model provider) S, a client (data owner) C, and a semi-honest third party P, are involved in the framework SCSDF. Let [·] represent arithmetic secret sharing in a ring Z2l . We denote matrices with capital letters (e.g., X) and denote vector with bold (e.g., x ). We describe some preliminaries (neural network, fixed-point number, additive secret sharing, and threat model) in the Appendix A due to space limitation.

2 2.1

The SCSDF Framework and Its Security Flaws Overview

This section recaps the framework SCSDF [23]. S and C run interactive protocols in a layer-by-layer fashion with the help of P. They hold 2-out-of-2 secret shares of the data at each layer. For linear layers, three parties run matrix multiplication protocol based on Beaver multiplication triples generated from P [23, Section 4]. For non-linear layers, secure protocol for ReLU is built on the Multiplication and the DReLU subprotocol. Secure protocol for Sigmoid depends on the DReLU and Secret Select (SS) protocol. All secure computations for non-linear activation functions are based on the DReLU protocol. 2.2

Concrete DReLU Protocol

We adopt the same notation ReLU (x) for DReLU formula as in [23]. We mention that ReLU (x) can be computed from the sign function, i.e., ReLU (x) = 1 − sign(x). The ideal functionality of DReLU is shown in Fig. 1. Now one essential problem is how to compute the sign function. It is observed in [23] that for any x, sign(x) = sign(x · r), r > 0. This transforms the problem from getting the sign of x to getting the sign of x · r. First, let S and C generate random positive numbers r0 ∈ Z2l and r1 ∈ Z2l respectively such that r = r0 +r1

Privacy Leakage in Privacy-Preserving NN Inference

137

is a positive number in Z2l . Then S and C perform multiplication protocol to compute x·r and the outputs of two parties are y0 = [x·r]0 and y1 = [x·r]1 . After that, they send y0 and y1 respectively to P, who uses these shares to reconstruct y. At last, P computes the sign function of y: z = sign(y). If z = 1, P generates secret shares of zero and sends shares to S and C; if z = 0, P generates secret shares of one and sends them to S and C respectively. It is worth mentioning that the range of x and r should be bounded to ensure protocol correctness. The bit length of random value r ∈ Z2l should be relatively small (say, smaller than 32). Then r will take a positive value in the ring, and all absolute values of any (intermediate) results will not exceed 2l−1 . Figure 2 shows the protocol for the DReLU function. 2.3

Security Flaws in Formal Simulation

The authors of SCSDF [23] provide a brief proof for their protocol DReLU (see Sect. 2.2) in the setting of semi-honest security by the real-ideal paradigm [9]. However, they omit detailed proofs and take a plain and intuitive (unfortunately, flawed) analysis of protocol security. They said the outputs of the simulator Sim for P in the ideal execution are random values in Z2l , indistinguishable from x · r generated in the real protocol execution. However, in the real protocol execution, the most significant bit of the value x · r actually does not follow the uniformly random distribution, which makes it distinguishable from the random value generated from Sim. Furthermore, this makes the environment’s views of the two worlds distinguishable. We illustrate why this happens by providing detailed simulations and analyses. Main issue of the protocol is the disclosure of the data to P in the third step (see Fig. 2), so we mainly consider the scenario where P is corrupted by the adversary. According to the Definition 1 in Sect. 2, we say the protocol is secure if a view of Z could be generated in the ideal execution such that it is indistinguishable from that of Z in the real protocol execution. We describe how Sim “simulates” the real protocol execution in the ideal world when P is corrupted

FDReLU (S, C, P) Input: S : [x]0 , C : [x]1 , P : ⊥ Output: S : [ReLU (x)]0 , C : [ReLU (x)]1 , P : ⊥ Given the input ([x]0 , [x]1 ) from S and C, compute s = ReLU (x) where x = [x]0 + [x]1 . Sample a random value r ∈ Z2l , set [ReLU (x)]0 = r and return it to S, set [ReLU (x)]1 = s − r and return it to C.

Fig. 1. The ideal functionality of DReLU

138

M. Wei et al.

πDReLU (S, C, P) Input: S : [x]0 , C : [x]1 , P : ⊥ Output: S : [ReLU (x)]0 , C : [ReLU (x)]1 , P : ⊥ Protocol: 1: S and C sample random positive numbers r0 ∈ Z2l and r1 ∈ Z2l , where r = r0 + r1 is a positive number in Z2l . 2: S, C and P run πMulti with input ([x]i , ri ) and get output [y]i = [x · r]i , i ∈ {0, 1}. 3: S and C send [y]i to P, then P performs πRec to get y. 4: P computes z = 1 − sign(y), samples a random number s ∈ Z2l , sets [z]0 = s and [z]1 = z − s. 5: P sends [z]0 and [z]1 to S and C respectively. 6: S outputs [z]0 , C outputs [z]1 .

Fig. 2. The protocol for DReLU function

by the adversary. In particular, since P neither provides input nor receives output in the ideal functionality FDReLU , Sim does not need to submit input to the ideal functionality and obtain its output in the simulation process. Sim runs A. It generates random values corresponding to the shares of x and r0 , r1 , then takes these random values as input to invoke the ideal functionality FMulti with A. FMulti must be secure, and Sim gets two random shares [y  ]0 , [y  ]1 (in Z2l ) of y  : y  = x · r , r = r0 + r1 . It sends [y  ]0 , [y  ]1 to A. A reconstructs y  , computes z  = 1 − sign(y  ), generates secret shares of z  in Z2l and sends them to Sim. Sim receives the secret shares of z  . This completes the “simulation”. At first blush, the simulation might be correct, as is the case with many simulations following the security of arithmetic secret sharing. Let us shift our focus to the real protocol execution. Note that the view of A includes y = x · r. r has been specified as a positive number in the protocol. Accordingly, y has the same sign as x. In other words, the sign of x determines the sign of y. And because the MSB of a fixed-point number represents a sign, the MSB of y and the MSB of x follow the same distribution. However, in the ideal execution, Sim does not know the input x of the honest party, and it only generates random values x , r to simulate P’s view. Thus it’s obvious that y  is also uniformly random, and its MSB follows a uniformly random distribution. In the real protocol execution and ideal execution, we have two different random distributions for the MSB of y and the MSB of y  , which makes the adversary’s views of the two worlds distinguishable. As a result, the environment’s views of the two worlds are distinguishable. Our experiments (see Sect. 3) will also show the difference between these two distributions explicitly. In fact, since Sim does not know the input x, it cannot generate values that would make the environment’s views in the two worlds indistinguishable. Thus, one can conclude that DReLU in SCSDF does not meet the formal security

Privacy Leakage in Privacy-Preserving NN Inference

139

definition (see Definition 1). This would further destroy other protocols security (ReLU, Sigmoid, Maxpool, etc.) in SCSDF, as examined point by point below. 2.4

Privacy Leakage in Concrete Protocols

Next, we will discuss how this insecurity leads to data breach by investigating concrete protocols in SCSDF. Intuitively, in the process of executing the DReLU protocol, P can obtain the sign of x by reconstructing y. As the building block of many functions such as ReLU, Maxpool, Sigmoid, etc., DReLU is crucial for the whole framework. Given the different contributions the DReLU protocol makes to these functions, it will lead to varying degrees of data leakage. Security for the ReLU Protocol. We have ReLU(x) = x· ReLU (x). In the ReLU protocol, a DReLU sub-protocol would be first performed on the input, and then multiplying the result by the input is required. Therefore, the leaked data of ReLU is the same as DReLU, which is the sign of the input data. Security for the Maxpool Protocol. Maxpool attempts to find the largest value among several numbers, requiring multiple comparisons. In the Maxpool protocol, two numbers are compared using the DReLU protocol. First, one number is subtracted from another. Then the result is fed into the DReLU protocol to determine whether it is positive or negative. Each time the DReLU protocol is called, the relation between the magnitudes of the two numbers is revealed to P. P can determine the index of the maximum value according to these relations. Security for the Sigmoid Protocol. In SCSDF framework, the Sigmoid protocol is computed in a similar way to MiniONN [16], i.e., a set of piecewise continuous polynomials are used to approximate the function. The activation function f (x) is divided into m + 1 internals using m knots which are the switching positions of the polynomial expression. The formula is: ⎧ ∀i, i ∈ 1, ..., m, x − xi < 0 ⎨0 f (x) = ai x + bi ∃i, i ∈ 1, ..., m, x − xi+1 < 0, x − xi ≥ 0 ⎩ 1 ∀i, i ∈ 1, ..., m, x − xi ≥ 0 In the formula, all ai , bi are public. The range of x can be determined by subtracting knot xi from x. To approximate the Sigmoid function, the authors of SCSDF first design a variation of the πDReLU protocol to determine the range of x, which is called πVoDReLU (Fig. 3). Thereafter, the three parties only need to perform a multiplication protocol and a local addition to obtain the output of the Sigmoid function. More specific protocols for Sigmoid can be found in [23]. In this paper, we discuss the security of its main sub-protocol πVoDReLU . This protocol determines the range of x by subtracting knot xi from x and getting the difference. All these differences (i = 1, ..., m) constitute y and all signs of these differences constitute a sign vector (of y ). S and C get the secret shares of y in step 1 (Fig. 3). Since in step 4 P gets z , and r fails to mask the signs of the elements in y , P obtains the sign vector of y which equals to the sign vector of z . Obviously, according to the sign vector, P can already locate the specific

140

M. Wei et al.

πVoDReLU (S, C, P) Input: S : [x]0 , C : [x]1 , P : ⊥ Output: S : [ai ]0 , [bi ]0 , C : [ai ]1 , [bi ]1 , P : ⊥ suppose x in the (i + 1)th internal for i ∈ {0, ..., m} Protocol: 1: S and C compute the subtraction of x and xi locally, for i ∈ {0, ..., m − 1}. ˆ , x [i]=[x]0 , x ˆ [i] = xi+1 . S: [yy ]0 = x − x C: [yy ]1 = x , x [i]=[x]1 . s.t. y [i] = x − xi+1 . 2: S, C generate random positive numbers r 0 , r 1 , respectively. 3: S, C and P run πMulti with input ([yy ]j , rj ) and output [zz ]j , j ∈ {0, 1}. 4: S, C send [zz ]j to P, then P performs πRec to get z . 5: P computes the sign function of z , it sets c = sign(zz ). if ∃i ∈ {0, ..., m − 2}, c [i] = 0 and c [i + 1] = 1, P sends [u]j = [ai ]j , [v]j = [bi ]j to S and C, resp. if ∀i ∈ {0, ..., m − 1}, c [i] = 1, P sends [u]j = [a0 ]j , [v]j = [b0 ]j to S and C, resp. if ∀i ∈ {0, ..., m − 1}, c [i] = 0, P sends [u]j = [am ]j , [v]j = [bm ]j to S and C, resp.

Fig. 3. VoDReLU protocol

range to which x belongs. For instance, in SCSDF, the range is set as [x1 , xm ] = [−11, 12], and the Sigmoid approximation function is divided into 25 pieces with an interval length 1. If x = 3.2, then P will know that the value of x must be in the range of 3–4, because the sign of the difference between 3.2 and 3 is positive and the sign of the difference between 3.2 and 4 is negative. Security for Neural Network. In a neural network inference framework, the client’s input is first fed into a linear layer, followed by a ReLU or Sigmoid layer (called the activation layer). In general, the linear and activation layers alternate, and an activation layer can be followed by a pooling layer. We take the first cycle as an example to examine the specific data leakage in SCSDF. Let x represent the client’s input and M the linear layer. Now, we have Maxpool(ReLU(M(x))), Y = M(x)3 , and Z = ReLU(Y). In this process, P obtains the sign of each entry of Y. From T = Maxpool(Z), P gets the index of the maximum value in each group of data to be compared in Z. That is, all non-linear layers will leak information about the output results of the preceding linear layers. Security for Graph Neural Network. In a graph neural network, the input is first fed to a graph convolution layer, and then the ReLU function (which exists data leakage) is performed on the output of the graph convolutional layer. In this way, P gets the sign of the output of the graph convolution layer. Such leakage becomes more acute on convolutional networks that take images as input. The output of the convolution layer can be regarded as the representation of the input at a certain level of spatial dimensions (width and height), also called a feature map. It represents the features extracted from an input image 3

M may be a convolutional layer or a fully connected layer.

Privacy Leakage in Privacy-Preserving NN Inference

141

by the convolution layer. These features are available for visualization. For each value in the feature map, one may get its sign and all these signs would form a matrix. Such a matrix can be displayed as a binary image of the feature map. This is one of the most common and important processing in image analysis to reflect the overall and local features of the original image. In short, these sign data reveal the features of the original image, and we will show more visually how it works in the experimental section (see Sect. 3). For a successfully trained CNN network, the feature maps become increasingly incomprehensible as the depth of the network increases, so the visualized images of the feature maps at the first layer are the clearest, and their binary images corresponding to sign data reveal more information about the input image, such as the edges and contours of objects in the image. Subsequent layers do leak information, even though one might perceive that the visualization effect will not be as obvious as at the first layer. This could also be checked in our experiments (see Sect. 3.3)4 . We also mention that it suffices for P to learn the private data from the first layer of protocol execution. Malicious Security. Malicious security, as used in SCSDF, relies on the fact that the messages kept by all parties are uniformly random. We have shown that the messages held by P in DReLU (and the protocols associated with DReLU) apparently deviate from a uniformly random distribution but are input-dependent. It is also clear that SCSDF cannot provide security against malicious adversaries.

3

Experimental Evaluation on Privacy Leakage

We implement the 3-party framework SCSDF [23] and use it for inference in the same configuration as in [23]. We first show the distinguishability between SCSDF exposure data and data generated from a uniformly random distribution. We then exhibit more explicitly how data leakage happens in these protocols. 3.1

Basic Setup

In [23], the framework SCSDF is evaluated on MNIST (the only one used as test set in [23]). To demonstrate the effectiveness of our analysis in Sect. 2 visibly, we evaluate Network C on two folklore data sets (MNIST, CIFAR-10) in machine learning and ResNet-18 and ResNet-50 [12] on CFD (Chicago Face Database, sensitive data that seem more meaningful in privacy concerns). Network C is also implemented in MiniONN [16] and equipped with the typical structure we analyzed (e.g., convolutional layer, fully connected layer, ReLU layer, Maxpool layer, etc.). We summarize the data sets and the networks below. MNIST is a standardized dataset containing 28 × 28 greyscale images of the digits 0–9. The training/test sets contains 60,000/10,000 images respectively. 4

We cannot rule out the possibility that one adversary might perform advanced cryptanalysis on these leaked data (say, from an algebraic analysis perspective).

142

M. Wei et al.

CIFAR-10 is a standardized dataset consisting of 32 × 32 RGB images separated into 10 classes. The training/test sets contain 50,000/10,000 images respectively. CFD is a face dataset which consists of images of 597 unique individuals. It includes Asian, Black, Latino, and White female and male models recruited in United States. We divide the dataset into a training set and a test set using gender as the label. The training/test sets contain 500/97 images respectively. Network C is a 4-layer convolutional neural network. More details on its structure could be found in [23]. To demonstrate privacy leakage in the Sigmoid protocol, one may substitute ReLU by Sigmoid in the network. ResNet-18 is an 18-layer residual neural network consisting of 17 convolutional layers and 1 fully connected layer [12]. ResNet-50 is a 50-layer deep residual network. It consists of 49 convolutional layers and 1 fully connected layer [12]. 3.2

Probability Density Analysis

We pick an image from MNIST randomly to run the inference framework SCSDF. Input data will first be fed into the first convolution layer, and its outputs are the feature maps from 16 different channels. Then they will pass through the ReLU layer. Since the ReLU layer calls the DReLU protocol, P can get the sign matrices of all feature maps. We count the number of occurrences of 0 and 1 in a randomly picked sign matrix. We perform 100 inferences, and each time get such sign matrix from the same channel (e.g., the first one) and calculate the proportion of 1 in each sign matrix. We can then get a frequency distribution histogram and a probability density map according to all such proportions, both of which are able to reveal the distribution of the data. On the other hand, it is easy to obtain both kinds of maps for the data generated from a uniformly random distribution which has the same size as the data getting from the inference. Their frequency distribution histograms are compared in Fig. 4(a) and probability density maps are compared in Fig. 4(b). One can distinguish in Fig. 4 the two probability distributions easily, i.e., there exists significant variance between the probability density of the data obtained from the protocol and the probability density of the data generated from a uniformly random distribution. The same is true for frequency distribution. We mention that the simulation-based security of SCSDF relies on the indistinguishability of the data generated in the protocol and the data generated by uniform randomness. 3.3

Privacy Leakage in ReLU

Now we display the sign matrices as binary images. We visualize any matrix hereof as a grayscale image by mapping each entry in the matrix to a block (i.e., 0 to white block and 1 to black). Experiments show that the binary images from the MNIST dataset will definitely reveal the data of the original images. Figure 5 and Fig. 6 visualize some

Privacy Leakage in Privacy-Preserving NN Inference

143

0.2 SCSDF Uniformly Random Distribution

Density

0.15

0.1

0.05

0 0

10

20

30

40

50

60

The proportion of "1" in each sign matrix (%)

(a)

(b)

Fig. 4. Comparing the frequency distribution and probability density of the proportion of “1” in each sign matrix between SCSDF and uniformly random distribution.

randomly picked images from the test set of MNIST and their corresponding binary images. Figure 5 shows binary images of the data leaked at the first ReLU layer. The first column in Fig. 5(a) (and Fig. 5(b)) depicts the original images used to test model accuracy, and the other columns show 16 binary images (for each entry in the first column) from 16 different channels. Figure 6 shows the binary image of the data at the second ReLU layer. Although the leakage at the second ReLU layer is not as clear as at the first ReLU layer, one can see that it still leaks, and the images are apparently distinguishable from uniform randomness. We also mention that it suffices for P to learn the private data from the first ReLU layer of protocol execution. Therein, all samples are randomly drawn (rather than cherry-picked) in our experiments. In addition to the number of layers in which the protocol is located, we also consider the effect of other hyperparameters, such as the kernel size of the preceding convolutional layer. As shown in Fig. 7, when the size of the convolution kernel increases, the number in the binary image gradually becomes blurred until they are unrecognizable. That is, as the convolution kernel size increases, visualizing leaked data becomes implicit gradually. We address however, that this influence we are saying is just about visualization of the leakage. The leakage itself still exists and makes the SCSDF framework inapplicable in real-world applications (e.g., faces, handwriting) from the perspective of provable security, which provides for real-world users sufficient confidence in protocol security with a mathematically rigorous proof. Indeed, one may note that all images in Fig. 7 are apparently distinguishable from uniform random distribution. Sample data in CIFAR-10 is more complex, but it is still possible to deduce original data during SCSDF protocol execution. Several samples are shown in Fig. 8(a), where odd columns represent the original images and even columns represent the binary images visualized from sign data. Figures 5, 6, and 8 demonstrate clearly above-mentioned analysis on data breach (Sects. 2.3 and 2.4) and P gains access to C’s private data which is unexpected in the original work [23]. We also evaluate the SCSDF framework on CFD to see the leakage of private

144

M. Wei et al.

(a)

(b)

Fig. 5. Data leakage from the first ReLU layer on the MNIST dataset.

(a)

(b)

Fig. 6. Data leakage from the second ReLU layer on the MNIST dataset.

(a) original

(b) k=2

(c) k=5

(d) k=6

(e) k=15

Fig. 7. The influence of convolution kernel sizes on leakage visualization. k denotes the size of convolution kernels.

Privacy Leakage in Privacy-Preserving NN Inference

(a) CIFAR-10, Network C

(b) CFD, ResNet-18

145

(c) CFD, ResNet-50

Fig. 8. Data leakage from the first ReLU layer on CIRAR-10 and CFD.

data (i.e., faces that represent significant user privacy concerns in real world). Figure 8(b) and Fig. 8(c) show the experimental results (performed on ResNet-18 and ResNet-50 respectively). The first columns (in Fig. 8(b) and Fig. 8(c)) represent the original images in the test set, while the other three columns represent randomly picked binary images from different channels. One may see that the personal characteristics of the input images are clearly disclosed. And we note that although ResNet-50 is more complex than ResNet-18, there is no significant difference in the visualization of data leakage at the first ReLU layer. 3.4

Privacy Leakage in Sigmoid

When executing the activation layer protocol, P keeps the intermediate results, which speak for the relationship between x and xi . Given the knowledge, P is capable of deducing in which specific interval x is. More precisely, P might take the following strategy. For values less than x1 , let its corresponding value be x1 . For values greater than xm , set its value as xm . The median of xi and xi+1 might be assigned to any number between them. The output of the convolution layer includes several feature maps, i.e., matrices from different channels. After running the Sigmoid protocol, P is able to determine the range of values in these matrices. It follows the strategy to obtain some new numerical matrices. These numerical matrices can be displayed as greyscale images. Based on these outcomes, one could readily infer what the original data is. In Fig. 9, we show the leakage results of the Sigmoid protocol on the MNIST dataset. We show the leakage results on the CIFAR-10 dataset in Fig. 10. The visualization results show that the Sigmoid protocol leaks more information than the ReLU protocol.

4 4.1

Countermeasure Add Permutation

One straight method to debilitating in SCSDF the leakage of the original input data is to randomize the order of the entries in the matrices. More precisely,

146

M. Wei et al.

Fig. 9. Data leakage from the Sigmoid protocol on the MNIST dataset.

Fig. 10. Data leakage from the Sigmoid protocol on CIFAR-10.

S and C jointly negotiate a random permutation μ which is used to permute these entries before executing ReLU layers. After the computation, they recover the order based on the knowledge of μ. P only obtains the signs of the disordered data and is no longer able to gain the information of the original data from the visualized image, as in the above-mentioned experiments (Sect. 3). This approach is completely unimpaired in terms of efficiency and prevents P from intuitively obtaining information through binary images. However, it holds theoretically that P still obtains information about the signs of the data, revealing the distribution of the input data. That is, adding permutation still does not allow SCSDF to be provably secure under the real-ideal simulation model.

Privacy Leakage in Privacy-Preserving NN Inference

4.2

147

Relax Mask Restrictions

Another feasible approach allows us to relax the restrictions on the random mask r in the protocol DReLU of SCSDF. In the DReLU protocol, there are two restrictions: one bounds the size of r, and another requires r to be a positive integer. It is the second restriction that leads to the leakage of sign data, as it allows P to obtain the sign of x by the sign of y. We may remove the second restriction and only keep the first one, and then get a variant of the DReLU of SCSDF. Now the variant could guarantee that the sign is not leaked, and we get both the correctness and the privacy as expected. This approach requires pre-processing in the offline phase, which increases some additional overhead. Next, we recapitulate the method (the variant of the DReLU protocol showed in Fig. 2). In the offline phase, S and C generate random numbers r0 , r1 respectively, where r = r0 + r1 , and r can be either positive or negative. They compute the MSB a of r by binary circuit protocol [5,19]. In the online phase, they send y = x · r to P. P computes b = 1-MSB(y) directly and sends its secret share in Z2l to S and C. Finally, S and C set the output z = a + b − 2ab. This method introduces extra consumption in the offline phase and computation cost of one multiplication in the online phase. Notice that all the data obtained by P is random throughout the process, so this modification allows the original algorithm to be provably secure under the real-ideal simulation model. In real applications, extra costs should be analyzed on the method more concretely. 4.3

Experimental Evaluation of Countermeasures

We verify the effects of these two methods. Figure 11 shows the visualization results of the experiments. In Fig. 11, the columns from the first to the last represent the original data, the leaked sign data, the sign data after using the first countermeasure, and the sign data after using the second countermeasure. Using the first countermeasure, P can no longer observe the original data from the leaked sign data. When we put all data together for cryptanalysis comparison however, one may see explicitly that there exists different visualization of the leaked sign data for different original data, and that the leakage appears related to the entropy of the original data. For example, in the visualization result of sign data leaked by “1”, the black area is obviously larger than the white area, while the two areas are much close for “6”. An attacker can thereby gain some knowledge (say, based on which it can distinguish one input from another input) about the original data through these differences. Thus, this countermeasure does not fully cut the leak chain. Fortunately, using the second countermeasure, the sign data has been masked by random data and follows a uniform random distribution. The second countermeasure can completely prevent leakage.

148

M. Wei et al.

Fig. 11. Countermeasures against privacy leakage

5

Conclusion

Computation efficiency of SecureNN [24] is improved by a recent framework SCSDF [23] presented at ESORICS 2020. In the paper, we present detailed cryptanalysis on SCSDF and thus completely destroy its security from a provable security perspective. To support the analysis, we also perform various experiments on various data sets using various networks, and thus validate the claimed privacy leakage in real-world machine learning applications. Our experiments are related to many factors, such as the types of the dataset (e.g., MNIST, CIFAR10, CFD), the protocols (e.g., ReLU, Sigmoid), and the model parameters (e.g., kernel size). These factors can be combined arbitrarily. For any case of the combinations, one thing we can confirm and should address is that the leakage always exists even though the visualization effects of the leakage are different. It is the leakage itself that makes the SCSDF framework inapplicable in real-world applications from the perspective of provable security (which should provide real-world users sufficient confidence in protocol security with a mathematically rigorous proof). On the other hand, one may hope there exist some general metrics to measure/quantify the leakage. From our understanding however, it seems much challenging, given the above-mentioned so many factors that could affect the leakage. Acknowledgement. The work is supported by the National Natural Science Foundation of China (Grant No. 61971192), Shanghai Municipal Education Commission (2021-01-07-00-08-E00101), and Shanghai Trusted Industry Internet Software Collaborative Innovation Center.

A A.1

Preliminary Neural Network

A neural network usually executes in a layer-by-layer fashion. It mainly consists of two different layers: linear layers and non-linear layers. The computation of

Privacy Leakage in Privacy-Preserving NN Inference

149

linear layers (either a fully connected layer or a convolutional layer) generally depends on matrix multiplication. The non-linear layer could be performed by several different activation functions, e.g., ReLU and Sigmoid. ReLU function is formulated as f (x) = max(0, x) and Sigmoid as f (x) = 1+e1−x . A.2

Fixed-Point Number

Neural networks usually operate on floating-point numbers that are not suitable for some cryptographic primitives. Thus MPC frameworks usually use the encoding of fixed-point numbers. A fixed-point value is defined as an l-bit integer by using 2’s complement representation where the bottom d bits denote the decimal (d < l) and the MSB denotes the sign of the number, i.e., MSB(x) = 1 if x is negative, and 0 otherwise. A.3

Addictive Secret Sharing

In the framework SCSDF, all values are 2-out-of-2 secret shared between the server and the client. We say x is 2-out-of-2 secret shared in Z2l between P0 and P1 if [x]0 , [x]1 ∈ Z2l such that x = [x]0 + [x]1 and [x]i is held by Pi , i ∈ {0, 1}. Sharing Protocol πShare . Pi generates a sharing of its input x by sampling r ∈R Z2l and sending x − r to P1−i . Pi gets [x]i = r and P1−i gets [x]1−i = x − r. Reconstruction Protocol πRec . To reconstruct x, the parties mutually exchange their missing share, then each of them can compute x = [x]0 + [x]1 . Addition Operations. Addictive sharing is linear in the sense that given two shared values [x] and [y], the parties can get [z] = [x] + [y] by local computation. Multiplication Operations πMulti . Given [x], [y], the goal of protocol πMulti is to generate [z] where z = x · y. It can be performed based on preassigned Multiplication Triples [7]. A multiplication triple is a triple (a, b, c) ∈ Z2l such that a · b = c. Two parties hold secret sharing of a triple (a, b, c). Pi computes [e]i = [x]i − [a]i and [f ]i = [y]i − [b]i , then call πRec to reconstruct e and f . Pi sets zi = −i × e × +f × xi + e × yi + ci . The multiplication operations can be easily extended to matrices. A.4

Threat Model

Similar to [23], we consider an adversary who can corrupt only one of the three parties in the semi-honest model or malicious model. A party corrupted by a semi-honest adversary follows protocol steps but tries to learn additional information from received messages. Our security definition uses the real-ideal paradigm [9] which is a general method to prove protocol security. In the real world, the parties interact with each other according to the specification of a protocol π. In the ideal world, the parties have access to a trusted third party (TTP) that implements an ideal functionality F. The

150

M. Wei et al.

executions in both worlds are coordinated by an environment Z, who chooses the inputs for the parties and plays the role of a distinguisher between the real and ideal executions. We say that π securely realizes the ideal functionality F if for any adversary A in the real world, there exists an adversary Sim (called a simulator) in the ideal world, such that no Z can distinguish an execution of the protocol π with the parties and A from an execution of the ideal functionality F with the parties and Sim. To be more formal, we give the following definition. Definition 1. A protocol π securely realizes an ideal functionality F if for any adversary A, there exists an adversary Sim (called a simulator) such that, for any environment Z, the following holds: c

REALπ,A,Z,λ ≈ IDEALF ,Sim,Z,λ c

where ≈ denotes computational indistinguishability, λ denotes security parameter, REALπ,A,Z,λ represents the view of Z in the real protocol execution with A and the parties, and IDEALF ,Sim,Z,λ represents the view of Z in the ideal execution with the functionality F, the simulator Sim and the parties. The environment’s view includes (without loss of generality) all messages that honest parties send to the adversary as well as the outputs of the honest parties. Malicious Security: In malicious security model, an adversary may arbitrarily deviate from protocol specification. Araki et al. [6] formalize the notion of privacy against malicious adversaries in client-server model using an indistinguishabilitybased argument: for any two inputs of honest parties, the views of the adversary in protocol executions are indistinguishable. This notion is weaker than full simulation-based malicious security because it does not guarantee protocol correctness in the presence of malicious behavior. However, it does provide a guarantee of the privacy of the protocol. SCSDF [23] and SecureNN consider above malicious security model.

References 1. AB-375 California consumer privacy act of 2018 (2018). https://leginfo.legislature. ca.gov/faces/billTextClient.xhtml?bill id=201720180AB375 2. Regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing directive 95/46/EC (general data protection regulation) (2016) 3. SB-1121 California consumer privacy act of 2018 (2018). https://leginfo.legislature. ca.gov/faces/billTextClient.xhtml?bill id=201720180SB1121 4. Agrawal, N., Shamsabadi, A.S., Kusner, M.J., Gasc´ on, A.: QUOTIENT: two-party secure neural network training and prediction. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.) Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS 2019, London, UK, 11–15 November 2019, pp. 1231–1247. ACM (2019). https://doi.org/10.1145/3319535.3339819

Privacy Leakage in Privacy-Preserving NN Inference

151

5. Araki, T., et al.: Generalizing the SPDZ compiler for other protocols. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, 15–19 October 2018, pp. 880–895. ACM (2018). https://doi.org/10.1145/ 3243734.3243854 6. Araki, T., Furukawa, J., Lindell, Y., Nof, A., Ohara, K.: High-throughput semihonest secure three-party computation with an honest majority. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016, pp. 805–817. ACM (2016). https://doi.org/ 10.1145/2976749.2978331 7. Beaver, D.: Efficient multiparty protocols using circuit randomization. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 420–432. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1 34 8. Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for noncryptographic fault-tolerant distributed computation (extended abstract). In: Simon, J. (ed.) Proceedings of the 20th Annual ACM Symposium on Theory of Computing, 2–4 May 1988, Chicago, Illinois, USA, pp. 1–10. ACM (1988). https:// doi.org/10.1145/62212.62213 9. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd Annual Symposium on Foundations of Computer Science, FOCS 2001, 14–17 October 2001, Las Vegas, Nevada, USA, pp. 136–145. IEEE Computer Society (2001). https://doi.org/10.1109/SFCS.2001.959888 10. Chaudhari, H., Choudhury, A., Patra, A., Suresh, A.: ASTRA: high throughput 3PC over rings with application to secure prediction. In: Sion, R., Papamanthou, C. (eds.) Proceedings of the 2019 ACM SIGSAC Conference on Cloud Computing Security Workshop, CCSW@CCS 2019, London, UK, 11 November 2019, pp. 81– 92. ACM (2019). https://doi.org/10.1145/3338466.3358922 11. Gilad-Bachrach, R., Dowlin, N., Laine, K., Lauter, K.E., Naehrig, M., Wernsing, J.: Cryptonets: applying neural networks to encrypted data with high throughput and accuracy. In: Balcan, M., Weinberger, K.Q. (eds.) Proceedings of the 33nd International Conference on Machine Learning, ICML 2016, New York City, NY, USA, 19–24 June 2016. JMLR Workshop and Conference Proceedings, vol. 48, pp. 201–210. JMLR.org (2016) 12. He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: 2016 IEEE Conference on Computer Vision and Pattern Recognition, CVPR 2016, Las Vegas, NV, USA, 27–30 June 2016, pp. 770–778. IEEE Computer Society (2016). https://doi.org/10.1109/CVPR.2016.90 13. Juvekar, C., Vaikuntanathan, V., Chandrakasan, A.P.: GAZELLE: a low latency framework for secure neural network inference. In: Enck, W., Felt, A.P. (eds.) 27th USENIX Security Symposium, USENIX Security 2018, Baltimore, MD, USA, 15– 17 August 2018, pp. 1651–1669. USENIX Association (2018). https://www.usenix. org/conference/usenixsecurity18/presentation/juvekar 14. Koti, N., Pancholi, M., Patra, A., Suresh, A.: SWIFT: super-fast and robust privacy-preserving machine learning. In: Bailey, M., Greenstadt, R. (eds.) 30th USENIX Security Symposium, USENIX Security 2021, 11–13 August 2021, pp. 2651–2668. USENIX Association (2021). https://www.usenix.org/conference/ usenixsecurity21/presentation/koti 15. Lehmkuhl, R., Mishra, P., Srinivasan, A., Popa, R.A.: Muse: secure inference resilient to malicious clients. In: Bailey, M., Greenstadt, R. (eds.) 30th

152

16.

17.

18.

19.

20. 21.

22.

23.

24. 25.

26.

M. Wei et al. USENIX Security Symposium, USENIX Security 2021, 11–13 August 2021, pp. 2201–2218. USENIX Association (2021). https://www.usenix.org/conference/ usenixsecurity21/presentation/lehmkuhl Liu, J., Juuti, M., Lu, Y., Asokan, N.: Oblivious neural network predictions via minionn transformations. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, 30 October– 03 November 2017, pp. 619–631. ACM (2017). https://doi.org/10.1145/3133956. 3134056 Mishra, P., Lehmkuhl, R., Srinivasan, A., Zheng, W., Popa, R.A.: Delphi: a cryptographic inference system for neural networks. In: Zhang, B., Popa, R.A., Zaharia, M., Gu, G., Ji, S. (eds.) PPMLP 2020: Proceedings of the 2020 Workshop on Privacy-Preserving Machine Learning in Practice, Virtual Event, USA, November 2020, pp. 27–30. ACM (2020). https://doi.org/10.1145/3411501.3419418 Mohassel, P., Zhang, Y.: Secureml: a system for scalable privacy-preserving machine learning. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 19–38 (2017). https://doi.org/10.1109/SP.2017.12 Mohassel, P., Rindal, P.: Aby3 : a mixed protocol framework for machine learning. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, 15–19 October 2018, pp. 35–52. ACM (2018). https://doi. org/10.1145/3243734.3243760 Patra, A., Suresh, A.: BLAZE: blazing fast privacy-preserving machine learning. CoRR abs/2005.09042 (2020). https://arxiv.org/abs/2005.09042 Riazi, M.S., Samragh, M., Chen, H., Laine, K., Lauter, K.E., Koushanfar, F.: XONN: xnor-based oblivious deep neural network inference. In: Heninger, N., Traynor, P. (eds.) 28th USENIX Security Symposium, USENIX Security 2019, Santa Clara, CA, USA, 14–16 August 2019, pp. 1501–1518. USENIX Association (2019). https://www.usenix.org/conference/usenixsecurity19/presentation/riazi Riazi, M.S., Weinert, C., Tkachenko, O., Songhori, E.M., Schneider, T., Koushanfar, F.: Chameleon: a hybrid secure computation framework for machine learning applications. In: Proceedings of the 2018 on Asia Conference on Computer and Communications Security, ASIACCS 2018, pp. 707–721. Association for Computing Machinery, New York (2018). https://doi.org/10.1145/3196494.3196522 Shen, L., Chen, X., Shi, J., Dong, Y., Fang, B.: An efficient 3-party framework for privacy-preserving neural network inference. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds.) ESORICS 2020. LNCS, vol. 12308, pp. 419–439. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-58951-6 21 Wagh, S., Gupta, D., Chandran, N.: Securenn: 3-party secure computation for neural network training. Proc. Priv. Enhancing Technol. 2019(3), 26–49 (2019) Wu, Z., Pan, S., Chen, F., Long, G., Zhang, C., Yu, P.S.: A comprehensive survey on graph neural networks. IEEE Trans. Neural Netw. Learn. Syst. 32(1), 4–24 (2021). https://doi.org/10.1109/TNNLS.2020.2978386 Yao, A.C.: How to generate and exchange secrets (extended abstract). In: 27th Annual Symposium on Foundations of Computer Science, Toronto, Canada, 27–29 October 1986, pp. 162–167. IEEE Computer Society (1986). https://doi.org/10. 1109/SFCS.1986.25

Enhancing User Privacy in Mobile Devices Through Prediction of Privacy Preferences Ricardo Mendes1(B) , Mariana Cunha2 , Jo˜ ao P. Vilela2 , 3 and Alastair R. Beresford 1

CISUC and Department of Informatics Engineering, University of Coimbra, 3030-290 Coimbra, Portugal [email protected] 2 CRACS/INESCTEC, CISUC and Department of Computer Science, Faculty of Sciences, University of Porto, Porto, Portugal [email protected], [email protected] 3 Computer Laboratory, University of Cambridge, Cambridge, UK [email protected]

Abstract. The multitude of applications and security configurations of mobile devices requires automated approaches for effective user privacy protection. Current permission managers, the core mechanism for privacy protection in smartphones, have shown to be ineffective by failing to account for privacy’s contextual dependency and personal preferences within context. In this paper we focus on the relation between privacy decisions (e.g. grant or deny a permission request) and their surrounding context, through an analysis of a real world dataset obtained in campaigns with 93 users. We leverage such findings and the collected data to develop methods for automated, personalized and context-aware privacy protection, so as to predict users’ preferences with respect to permission requests. Our analysis reveals that while contextual features have some relevance in privacy decisions, the increase in prediction performance of using such features is minimal, since two features alone are capable of capturing a relevant effect of context changes, namely the category of the requesting application and the requested permission. Our methods for prediction of privacy preferences achieved an F1 score of 0.88, while reducing the number of privacy violations by 28% when compared to the standard Android permission manager. This work is supported by project COP-MODE, that has received funding from the European Union’s Horizon 2020 research and innovation programme under the NGI TRUST grant agreement no 825618, and the project SNOB-5G with Nr. 045929 (CENTRO-01-0247-FEDER-045929) supported by the European Regional Development Fund (FEDER), through the Regional Operational Programme of Centre (CENTRO 2020) of the Portugal 2020 framework and FCT under the MIT Portugal Program. Ricardo Mendes and Mariana Cunha wish to acknowledge the Portuguese funding institution FCT - Foundation for Science and Technology for supporting their research under the Ph.D. grant SFRH/BD/128599/2017 and 2020.04714.BD, respectively. c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 153–172, 2022. https://doi.org/10.1007/978-3-031-17140-6_8

154

R. Mendes et al. Keywords: Permission managers · Contextual integrity expectations · Mobile devices · Android

1

· Privacy as

Introduction

In the current age of information, the rich and pervasive data collection sparks new applications (apps) that foster advances in our society. In this context, smart and mobile devices are of paramount importance due to their inherent sensory capacity. However, this data exchange often weights on the privacy of each individual, whose practiced trade-off is not often perceived or understood. To empower users with control over their privacy, smartphones have implemented permission managers (PMs) that control, with user oversight, which resources, such as sensors and data, can be accessed by each application. Under the runtime permission system, the current mechanism employed in both Android and iOS, apps must require user permission the first time they require access to a sensitive resource. When presented with the prompt request, the user may either deny or allow the request for this single time, which will enforce the app to request the next time it needs the same access, or allow indefinitely, an option that can then be changed in the settings of the phone. The runtime permission system has been positively received by users, who report being more in control over their privacy [3,5]. Its biggest drawback however, lies on the amount of permissions that are allowed without user intervention or even awareness. Specifically, after allowing a permission, the app can generally access the resource at any time and for any purpose even when the user is unaware that the app is running. In this case, the user may deny the permission by going to the phone settings, a practice that is seldomly used [3]. Automatically allowing permissions stems from the necessity to increase usability as apps make hundreds of permission checks per day [2,12]. Asking on every use would be the best theoretical privacy choice, but constant warnings lead users to fatigue and habituation [7], a state where individuals become desensitized and therefore promptly dismiss notices. Undesirably, current PMs automate permission requests without regard for the context, thus violating contextual integrity, that is, incurring in data collection practices that defy the norms and expectations at the given surrounding context [13]. Therefore, the current trade-off between privacy and usability bestowed by the Android PM is insufficient, and in fact, it results in a violation of privacy in 15% of times [12] In a previous work we have collected and analyzed the expectation of users regarding permission decisions within their surrounding context [12]. Our results showed that the grant result, that is whether the user allows or denies a permission, sees the strongest correlation with user expectation [12]. Moreover, both user expectation and grant result varied with changes in the context. In this paper we analyze this dynamic by measuring the importance of the context in privacy decisions using the same dataset. We then leverage such relation to develop an automated, personalized and context-aware permission model. This paper makes the following contributions:

Enhancing User Privacy Through Prediction of Privacy Preferences

155

– We empirically uncover an intrinsic relation between the pair category of the requesting app – requested permission, and user context. This relation advents from the fact that different apps are used under different contexts, therefore conditioning the permission requests that are prompted to the user. – We develop a personalized automated PM for prediction of privacy decisions by taking into consideration the expectation, user and phone context, thus achieving a ROC AUC of 0.96 and an F1 score of 0.92. Without user expectation, which is the strongest correlated feature with privacy decisions but requires user input which we seek to minimize [12], we achieve a ROC AUC of 0.9 and an F1 score of 0.88. – Finally, our automated solution is able to reduce the number of privacy violations by 60% when compared to a standard Android handset. Without using the expectation as input feature for the prediction, these violations can still be reduced by 28%. The remainder of this paper is structured as follows. Section 2 contextualizes the problem by providing related work. Section 3 presents the dataset used in this work and an exploratory data analysis to uncover the relation between privacy decisions and surrounding context. In Sect. 4 we leverage such relation to train personalized and context-aware models to predict privacy decisions. Section 5 presents some limitations and future work and Sect. 6 concludes this work.

2

Related Work

With runtime permissions, apps must request permission the first time they require access to a sensitive resource, thus allowing a fine-grained control over each particular permission for any app [5]. By prompting at runtime, permission requests are contextualized by the need of the app at the time of the prompt, therefore helping users to make an informed decision [3,5]. The major problem with the current runtime permission model lies not in the permission prompts, but in the resource accesses that are made without the user knowledge [2,21,22]. After being granted once, apps generally have access to a resource until the user denies it through phone settings, which they typically do not [3] or, in newer Android versions (from Android 11) until it is automatically reverted to the denied state after a few months of not using the app. The automated management of privacy decisions is made necessary by the number of sensitive resource accesses that apps make – hundreds per day [12]. In fact, users feel their personal space violated when confronted with apps’ intrusive practices [2,18]. Regrettably, the automated approach taken in Android runtime PMs incurs in the violation of privacy in over 15% of times [12], meaning it still fails to effectively protect users [5,17]. The design of automated approaches must consider privacy’s characteristics, namely, varying individual preferences within each surrounding context [1], i.e. be personalized and context-aware. In this regard, complex contextual modelling techniques have been proposed for policy-based PMs. However, these require expertise to setup that the average user does not have [7,8,17] Therefore,

156

R. Mendes et al.

approaches that streamline context modelling to the simple use of contextual features in the prediction have the advantage to facilitate the automation and therefore improve usability. This type of features can describe the state of the phone [23,24] and the state of the user [14]. To capture personalized privacy preferences, one can naively build a prediction model for each user by training with their responses to permission requests. However, this requires a considerable amount of user input [14]. A better approach is to have a classifier boostrapped with data from multiple people and then personalize it iteratively as the user answers a few more requests [23]. Nevertheless, if one starts considering more features for the prediction model, the number of permission requests required from the user, i.e. input, exponentially grows. A different approach towards personalized privacy is to build and assign privacy profiles, that is, a set of predefined rules that are defined according to user preferences [9,11]. This line of work showed that while people’s privacy preferences are diverse, a small number of privacy profiles can effectively capture the vast majority of users’ preferences [11]. Furthermore, these profiles can be assigned through a small number of questions, therefore reducing the amount of required input from users [10]. Our work builds up on previous approaches towards automated privacy enforcement by considering the personalization that is granted by privacy profiles and contextual features to develop an automated, personalized and contextaware PM. However, we differentiate ourselves by considering and evaluating the impact of contextual features and user expectation. By doing so, we depart from the traditional privacy profiles that are built with only the category of requesting app and the requested permission [11], to incorporate context-awareness in the personalization. Towards this goal we analyze a dataset of permission decisions from 93 real users collected in-situ with a particular focus on the relation between privacy decisions and their surrounding context. We then leverage these relations in the development of methods to automatically predict privacy decisions. Finally, we compare the best achieved performance with the default Android PM with respect to the amount of privacy violations, that is, the number of requests that were automatically allowed, but that would have been denied if the user had the opportunity to do so.

3

Permission Decisions in Context

To improve the effectiveness of PMs in protecting user privacy, automation is paramount, which must account for personal preferences within each surrounding context [1]. In this work we first analyze privacy’s contextual dependence by evaluating which features are actually relevant towards privacy decisions. We then leverage such relations to build automated, personalized and contextaware models that predict privacy decisions. Towards both goals, we used the COP-MODE dataset [12] whose description we provide in Sect. 3.1. Section 3.2 provides an exploratory data analysis and respective comparison with existing works. Section 4 then describes the development of the predictive models.

Enhancing User Privacy Through Prediction of Privacy Preferences

3.1

157

The Dataset

The COP-MODE dataset [12] is a collection of over 65000 permission decisions and the surrounding context collected under real world conditions. This data was obtained in a set of campaigns spawning from July 2020 up to May 2021 with a total of 93 volunteers. Each campaign consisted of a period of at least one week, where participants would carry a phone, pre-installed with a PM that prompts for user input at every permission check. This PM would collect the input and contextual features at the time of the prompt. While the dataset contains more data [12], we focus on the following fields that are of relevance to this work: – Requesting Application: name, app category from the Play Store and visibility at the time of the request. An app is in the foreground if it either has an activity visible to the user or a service with a foreground notification. – Permission: name and group of the requested permission and user response. – Phone state: plug and call states, and network connection type. – User context: current time, semantic location and whether the user is in an event or not, as returned by their calendar. The semantic location was collected from user input, whose possibilities were “home”, “work”, “travelling” or “other”. – Expectation: the participant has to answer the question (translated from Portuguese) “For what you were doing with the phone, is this request expected?” with: yes, no or do not know. We should note that the dataset is biased towards young adults with technical expertise [12]. Therefore, the phone usage and privacy preferences might differ from a more diverse population. However, the methodology towards building predictive models and the achieved performances from Sect. 4 should apply and endure in general. 3.2

Exploratory Analysis

The dataset contains 2180302 permission requests collected from the 93 participants at an average of 836.85 requests per day and per participant with a standard deviation (std) of 19.15, or 34.87 (std = 0.8) per hour. These numbers prove that an ask-on-every-time approach, the ideal privacy choice, is infeasible in practice. Of the total requests, 65261 (2.99%) were answered by participants, corresponding to an average of 25 (std = 0.42) answers per day, per participant. From the 65261 answered requests, participants granted 43263 (66%), while denying the remaining 21998 (33%). To have a holistic view on which permissions are allowed, Fig. 6 presents the average grant rate, i.e. the percentage of allowed permissions, per category (y axis) and per permission (x axis), where dark green corresponds to all permissions allowed and dark red to all permissions denied. From the plot we can observe that the majority of categories have grant rates in the interval of [45, 75]%. However some categories present grant rates of over 80% or closer to 0%, but the number of requests from these type of apps is rather

158

R. Mendes et al.

Fig. 1. Grant rate for each permission and whether the requesting app was foreground (visible) or background. The “N” is the number of requests per permission and “FR” the foreground ratio, that is, the percentage of requests that came from apps that were visible to the user at the time of the request.

small. The exceptions to this observation with a considerable number of requests are the WEATHER category, where 93% of the 370 requests were granted, and GAME (730) and VIDEO PLAYERS (2413) where almost 80% of requests were denied. It is possible that these latter categories see most of their requests denied because the permissions are not necessary for their primary functionality, which typically leads users towards denying [5]. For instance, some of the requested permissions from apps in the GAME category, such as PHONE, MICROPHONE and CONTACTS are not intuitive with respect to the functionality of this type of apps. As for the grant rate per permission group, the rate is near the interval of [45, 85]%. CAMERA, STORAGE and CALENDAR permissions are granted over 80% of the time, which might indicate that when apps request these permissions, there are contextual cues or a clear necessity that lead users to allow. To assess the importance of each feature in the grant rate we measured the information gain of each feature, whose values we leave in Table 2 of Appendix B. The strongest gain advents from user expectation (wasRequestExpected), as analyzed in a previous paper [12]. However, this particular feature requires user input, which we seek to minimize. Unfortunately, we were not able to estimate user expectations with enough accuracy to be then able to use such feature in the prediction of privacy decisions. Thus, we focus on other features towards developing the personalized and context-aware PM. After the expectation, the most important features according to the information gain are some permissions and app categories, the visibility of the requesting app (isRequestingAppVisible), the location of the user (selectedSemanticLoc) and the network status. The following subsections analyze the grant result with respect to each of these latter three contextual features. Visibility of the Requesting Application. Previous work [22] has identified the visibility of the requesting app as one of the most important contextual feature guiding permission decisions. Follow up work from the same authors [19, 23] focused on this feature towards predicting the grant result. However, contrary

Enhancing User Privacy Through Prediction of Privacy Preferences

159

to their conclusions, their feature analysis revealed that the visibility of the app was the feature with the lowest information gain, as can be seen in Appendices A and B of [23]. In our dataset the information gain is almost 8 times higher (c.f. Table 2). However, from the 65261 answered requests, users allowed 68% of requests coming from visible apps and 62% of requests from background apps. This discrepancy is lower than anticipated, which signals that the visibility of the requesting app as a single feature has a low impact in the grant result. While the overall grant rate between foreground and background requests varies little, this rate can strongly depend on the pairs visibility-category of the requesting app and visibility-requested permission. Due to space constraints we omit the grant rate per visibility and per category, and present only the grant rate for each permission and each visibility of the requesting app in Fig. 1. From this plot we observe that CONTACTS, CALL LOG and LOCATION requests are allowed equally regardless of the visibility, while STORAGE, SMS, MICROPHONE, CAMERA and CALENDAR are more often allowed when requested from the foreground than from the background. Finally, the PHONE permission is the only permission that is more often allowed from the background. We have have no justification for this latter result as a limitation of the dataset is not collecting the reasoning for some privacy choices [12]. Nevertheless, we can conclude that while the visibility of the requesting app alone has low impact on the privacy decision, which contrasts with previous findings [22], the combination with other features such as the permission and category might improve prediction performance. We further examine this correlation in Sect. 4. User Location and Network Status. According to Table 2, the mutual information gain between the grant result and the user location is high. Looking at the grant rate, users allowed 65% of requests while at home, 85% while travelling, 74% while at work and 57% in other locations. This variance is relevant, specially for when the user is travelling, where they accept almost 9 out of 10 requests. There are two main reasons for the observed variances in the grant rate for each location: privacy preferences vary with the user location [1]; and the app usage also varies with each location, as analyzed next. Other factors can contribute to the discrepancies, such as lack of time to thoughtfully answer prompts when travelling or working, potentially leading users to allow everything. However, these are situational and would require more data to empirically evaluate. As shown in Fig. 6, different app categories have varied grant rates. Therefore, if different apps are used in different locations, it is expected that the grant rate also varies implicitly. Figure 2a presents the relative app usage in percentage given by the apps in the foreground, per semantic location. The relative usage is made per location, such that a fair comparison between locations is achieved, as the dataset is strongly skewed towards the home location. From the plot we can observe that COMMUNICATION, SOCIAL and TOOLS are the most used apps regardless of the location. Additionally, we can clearly see that there are some trends in the type of app usage and the location of the user. Specifically, SOCIAL and VIDEO PLAYERS apps seem to be predominantly more used at home than in other locations. TRAVEL AND LOCAL,

160

R. Mendes et al.

(a) Per user location.

(b) Per network status.

Fig. 2. Relative app usage as measured by the relative number of requests in where app from each category were in the foreground. Values inferior to 0.1% were removed from the plot to simplify visualization.

PHOTOGRAPHY, PERSONALIZATION and MUSIC AND AUDIO are more used when travelling, which is expected except for the PERSONALIZATION category, while TOOLS are less used when travelling when compared to the other locations, which is also intuitive. Finally, both MAPS AND NAVIGATION and LIFESTYLE see a stronger usage when travelling. However, the use of this type of apps was strongly impacted by the COVID19 mobility restrictions, thus presenting a small overall usage. To conclude, the correlation between the location and the grant result can be explained not only because of personal preferences in each location but also due to the types of apps that are used in each context, which, as we have seen in Fig. 6, can have diverging grant rates. Similar conclusions can be made for the network status. From the answered permission requests, 1856 (2%) were captured while the phone was disconnected, 20591 (20%) while connected to a metered network and 80084 (78%) while connected to a non metered network. These numbers indicate that most people are continuously connected to the Internet, although some impact of COVID19 travel restricts can influence this result. The user allows 77% of permission when using a metered network, 64% when using a non-metered network and only 47% when offline. Again, this correlation with the grant result is relevant, as also highlighted by the information gain from Table 2. However, and similarly to user location, the network status is an indication of the context of the user, which in turn influences the apps that are used.

Enhancing User Privacy Through Prediction of Privacy Preferences

161

Table 1. Number, relative count and grant rate of permission requests per semantic location and network status. The grant rate is the percentage of permissions allowed for each pair of location–network status. Location

Network status

Home

DISCONNECTED 923 1.69 METERED 6600 12.11 NOT METERED 46997 86.20

41.93 74.71 63.61

Other

DISCONNECTED METERED NOT METERED

129 5.81 1273 57.34 818 36.85

51.16 59.15 55.87

Travelling DISCONNECTED METERED NOT METERED

128 3.12 3423 83.39 554 13.50

68.75 85.83 83.57

Work

126 2.85 2433 55.10 1857 42.05

59.52 81.38 66.34

DISCONNECTED METERED NOT METERED

Count Location count (%) Grant rate (%)

Figure 2b presents the relative app usage per category given by apps in the foreground for each of the network status. We can observe that TOOLS and PRODUCTIVITY apps are mostly used while offline, while COMMUNICATION and SOCIAL are mostly used online, which is expected. PHOTOGRAPHY, PERSONALIZATION, MUSIC AND AUDIO and MAPS AND NAVIGATION are mostly used in a metered connection, which as we have seen from Fig. 2a, are typically used when travelling. From these observations we conclude that user context, which is partially described by their location and the network status, influences the app usage and therefore the apps that request permissions at these times. In other words, the category of the requested app and the required permission encapsulate contextual information that, while potentially insufficient to describe user context, give clues about the state of the user. It should be noted that either location, network status or even both are insufficient to effectively describe the variance in the grant rate. For instance, within a single location, the grant rate varies for each network status and viceversa. Table 1 presents these values for each pair of location-network status. The first observable result from this table is that the location of the user and the network status are strongly correlated. Looking at the “Location Count (%)” : when the user is at home, unmetered connections are used over 86% of times; when travelling, metered connections are used 83% of times. At work and other locations, the connection status is more balanced between metered and unmetered connections. However, these latter ratios might vary greatly with each individual.Finally, while some previously mentioned trends endure, the grant rate strongly varies for each pair of location-network status. For instance, the highest and lowest grant rate in any location is when the user is using metered connections and disconnected, respectively. However, under metered networks for instance, if the user is travelling, over 86% of requests are allowed, but if the

162

R. Mendes et al.

user is at a location other than the specified three, the grant rate lowers to 59%. These observations allow us to conclude that while location and network status are related, both give contextual cues, even if in the form of the apps that are used in such contexts. Comparison of the Analysis with Previous Work. Earlier studies evaluated the degree of user comfort regarding apps’ intrusive data collecting practices [2,4,18], which included confronting users with the frequency of access to sensitive resources, relating to the number of permission requests in our work. Many of these results however, were conducted under the older install-time PM. The runtime PM brought fine-grained permissions and in-context prompts, therefore being positively received by users, who reported being more in control of their privacy [3,5]. However, these studies only evaluated the permission decisions made at the permission prompts. Regrettably, after being granted once, apps generally have access to a resource until the user denies it through phone settings. The context and the purpose of these automatically granted permissions can greatly vary from the ones at which they were first requested. Closely related is the work of Wijesekera et al. [22,23] that evaluates the importance of both contextual and behavioral features on permission decisions. While they use a subset of the current Android permissions, some of the findings coincide and others contrast. Particularly, the percentage of denied permissions and the number of privacy violations are similar, while in opposition, the visibility of the requesting app had low impact in privacy decisions with our dataset. However, contrary to our data collection, their data relates to reported behavior collected after the data practice, which might not align with real behavior. In turn, our data collection tool was also a PM that actually denied apps permissions, and thus incurred in the corresponding usability loss. Furthermore, in addition to analyzing contextual features under the information gain or their contribution to the performance of the classifier [14,22,23], we expand such analysis by exploring the intrinsic relation between different contextual features. As a result, we uncover a relation between the permission prompts that are issued to the user and their context.

4

Predicting Privacy Decisions

The previous section evidenced how privacy decisions vary with changes in the context, and how features and their correlation can discriminate the grant result. In this section, we leverage these relations towards developing and automated, personalized and context-aware PM that predicts these decisions. For fair comparison, we follow a similar methodology to previous works. Specifically, we consider machine learning approaches to automate privacy decisions, while combining privacy profiles [10], context-awareness [14,24] and user expectation. To train the classifier for grant result prediction we perform one-hot encoding of the categorical features, such as the requesting app category, and normalize all collected data.We then start by analyzing the performance of a global predictor in Sect. 4.1 which uses the input features to output the decision to allow

Enhancing User Privacy Through Prediction of Privacy Preferences

163

or deny a request, while treating each user equally, i.e. without personalization. This evaluation is performed by first selecting the best predictor (model) and respective parameters through a cross-validated grid-search, followed by an evaluation of the best feature set to use in the prediction. We resort to the F1 score metric to compare the performance with previous works and to the Area Under the Receiving Operation Curve (ROC AUC) as performance indicator, as the F1 score presented some misleading results as detailed in the referred section.The global predictor is then used as baseline comparison to the personalized predictors in Sect. 4.2 where we resort to the use of the privacy profiles as an additional feature in the prediction, for personalization. However, one can consider different feature sets for the creation of profiles and for predicting of the grant result with the profiles. Therefore, to evaluate the combination that leads to the best performance, Sect. 4.2 presents the results for all considered combinations of feature sets for the creation of the profiles and all considered feature sets for the prediction. All considered feature sets were based on their importance in the grant result as measured by the information gain from Table 2 and from the analysis in the previous section.Finally, Sect. 4.2 further presents the privacy violations incurred by the best predictors, while contrasting them with the violation rate achieved by the Android PM with our dataset. 4.1

Global Prediction

Since there is no a priori best classifier to predict privacy decisions, we experimented using a grid-search with models from the literature. Specifically, Support Vector Machines (SVM) with linear [10,14,24] and Radial Basis Function (RBF) kernels, decision trees [14], bagging, ada boosting, random forest and a neural network. Although the results for each model were similar, we picked the best performance: ada boost with approximate ROC AUC of 0.827 and F1 score of 0.808. These results were achieved using 100 decision trees with a max depth of 1 as base classifiers and with a learning rate of 0.5, which we use for the remainder of the experiments. We also focus on the ROC AUC, as the F1 score was misleading. Specifically, using the mode prediction model resulted in an F1 score of 0.8 (close to the best performance) but in a ROC AUC of 0.5, which is the same value as a random classifier would achieve. A 5-fold cross-validated feature forward selection by the ROC AUC selects the expectation as the most important feature, followed by some permissions and categories. The visibility of the requesting app is selected as the seventh most important feature. However, the visibility is highly correlated with the expectation, as previously discussed, and thus, this cumulative forward approach fails to account for individual feature importance. To better evaluate the importance of features, we have considered some feature set variants based on the analysis provided in Sect. 3.2 and cross-validated the performance of the classifier with each variant. Figure 3 presents the obtained performances, in where it is clear that the expectation is the most relevant feature. In fact, just using the expectation results in an F1 score and ROC AUC of over 0.8. Adding the category and permission to the expectation, leads to the best ROC AUC (≈0.831), even slightly

164

R. Mendes et al.

Fig. 3. 5-fold cross-validated performance of the ada boost classifier on the different considered dataset variants. Each variant is a combination of the following features, which are identified by their first letter: [E]xpectation, [C]ategory and [V]isibility of the requesting app, [P]ermission requested, [L]ocation, and [N]etwork status. “All” corresponds to using all features available in the dataset and “All - E” is all features except the expectation.

better than when using all features. Contextual features such as the [V]isibility, [L]ocation and [N]etwork status added very little or nothing to the category and permission (CP), as can be seen from the similarity of scores between using CP or any combination of V, L and N with CP. These results indicate a general lack of importance of the considered contextual features in the performance of the classifier. However, we believe that at least in part, this is due to the fact that the category of the requesting app and requested permission already encode part of the context as discussed in Sect. 3.2. Therefore, the additional information gain added by the contextual features is either not sufficient, or the classifier fails to account for it. Regardless, a ROC AUC of over 0.8 is already a good performance for a classifier that treats all users equally, that is, it fails to account for privacy’s personal preferences. The next section enhances this approach by providing context-aware personalization. 4.2

Personalized Prediction

Traditionally, privacy profiles are build by applying hierarchical clustering to users [9,10], where each user is represented as a tensor where each cell is the tendency to allow or deny requests for a particular pair of category-permission (CP). However, our dataset contains additional features that capture the similarity between user behavior in a more fine-grained way. Specifically, instead of just using the pairs of CP, we can additionally consider the [E]xpectation or other contextual features such as the user [L]ocation, the [V]isibility of the requesting app and the [N]etwork status to form context-aware privacy profiles. Towards

Enhancing User Privacy Through Prediction of Privacy Preferences

165

Fig. 4. 5-fold cross-validated performance with privacy profiles built with different feature sets, or no privacy profiles (“NoProfiles”), followed by prediction with several other feature sets. The number of profiles was varied from 1 to 9 and only the best result is displayed for each combination of inputs. Each feature set is identified by the combination of the following features identified by their first capitalized letter: [C]ategory, [P]ermission, [E]xpectation, [V]isibility, [L]ocation, and [N]etwork status. “All” and “All - E” corresponds respectively to using all features and all features except user expectation.

this end we consider the following feature variants for clustering: CP, CPV, CPE, CPL, CPN, CPVLN and CPEVLN. Furthermore, regardless of how the profiles are formed, we can use any combination of features in the prediction alongside the profiles. Therefore, we performed all combinations of clustering with the feature variants displayed above, with the same feature variants in the predictions plus “All” features and all features except the expectation (“All-E”). For each combination of profiling and prediction, the number of profiles was varied from 1 to 9 and only the best results are displayed. Figure 4 presents the obtained results, where the first observation is that any profiling with any prediction approach outperforms not using profiles, thus confirming previous findings that personalization improves performance [10,23]. Secondly, the best overall results are achieved by profiling only with CP. This is partially due to the fact that using more features in the profiling increases the amount of missing data that needs to be inputed, therefore potentially biasing the data. Nevertheless, profiling with CPE followed by prediction with all features achieves a ROC AUC of 0.956 or prediction with CPE achieves a ROC AUC of 0.957, where this latter is the best performance. Similar results are achieved by profiling with CP and predicting only with CPE, a ROC AUC of 0.955, approximately. The advantage of this second best result is that less data is required, specially for assigning the privacy profiles, a step that requires asking questions to the user and therefore, should be minimized [10]. Finally, without the expectation, the best performance is achieved by clustering and predicting with CP, a ROC AUC of approximately 0.9. The previous results are comparable to the state of the art [10], whose reported F1 score was 0.900 with profiles built with the tuples . Our best F1 score is approximately 0.924, achieved through

166

R. Mendes et al.

profiling and predicting with CPE, that is, with the expectation instead of the purpose. Without the expectation, our best F1 score is approximately 0.88, with profiles using only the pair category-permission and predicting with the category, permission, visibility, semantic location and network status (CPVLN). However, because the datasets are different, we cannot say that taking into consideration the expectation results in a better performance than using the purpose. A natural departure from this work is to combine both features. An interesting, yet unexpected result that is also observable from Fig. 4 is the rather low impact of the contextual features in the prediction. Specifically, if the expectation is not considered, using just the category and permission often results in the best performance. This is partially explained by the correlation between the context of the user and the pair category-permission, as discussed in Sect. 3.2. However, we were expecting a stronger influence, particularly the visibility of the requesting app, which has been found to have a strong influence in privacy decisions [22]. The reason for the low impact of the visibility of the requesting app is that users allow 68.24% of visible requests and 61.87% of background requests, as aforementioned. This difference might be irrelevant to the classifier. A potential reason for the low impact of the location is the fact that 83.54% of requests were with users at home, owed to COVID19 travel restrictions that were in place at the time of the campaigns [12]. Due to this skewness, the importance of the location might be mis-measured. Therefore, we repeated the previous methodology while subsampling the home requests to equal the number of work requests. The results with the subsampled data, whose plots we omit due to space constraints, showed that without profiling, the location feature slightly increased the performance, but with profiling the results were similar to the ones obtained in Fig. 4. It is possible that these contextual features, specially the visibility, have a varying importance depending on the user as some users allow/deny everything regardless of any feature, while others are more selective. However, profiling with these features either failed to capture these personal preferences or the increase in the missing data deteriorated the results, due to the increasing amount of missing data. Towards validating the potential bias introduced by the inputted data, we build privacy profiles using the K-means clustering algorithm [15,16] instead of hierarchical clustering. The performances were worse in all cases, and thus, we omit such results. Finally, we can compare the number of privacy violations that these approaches incur. Privacy violations are defined as permission requests that the user explicitly denied, but would otherwise be granted. As previously mentioned, for the collected dataset, the Android default PM would have violated the privacy in 15.25% of requests and would have incurred a median of 64 prompts to the user in a period of approximately a week. A personalized and automated prediction following the methodology above would require only a few questions to assign the profile [10] and it would result in 6.18% of privacy violations, a 59.5% reduction on Android PM, as displayed in Fig. 5b, where the green bars present the violation ratio for the best personalized predictors and the dashed red line is the Android system violation ratio. Without the expectation, the low-

Enhancing User Privacy Through Prediction of Privacy Preferences

(a)

167

(b)

Fig. 5. 5-fold cross-validated privacy violation ratio of the best performant predictors for the global predictors 5a and the personalized predictors 5b. Each feature set is identified by the combination of the following features identified by their first capitalized letter: [C]ategory, [P]ermission, [E]xpectation and [V]isibility, The ratio of privacy violations that the Android PM would have incurred is presented as the red dashed horizontal line.

est privacy violation ratio achieved is 11% when predicting with CP, which is still a reduction of 27.9% when compared to the standard Android PM. Looking at Fig. 5a, it is noteworthy that automated solutions without privacy profiles, corresponding to the global predictors from Sect. 4.1, and without expectation, result in a higher amount of privacy violations than the Android system. In summary, it is possible to automate privacy decisions with high performance, specially when taking into consideration user expectation. Contextual features seem to have a low impact in the performance of the prediction, which we mostly attribute to the fact that the pair category-permission already partially encode the context. Furthermore, the achieved prediction model can reduce the privacy violations in over 50% when compared to the current Android permission system. However, such system requires knowing the expectation of the user regarding every request, which we were unable to predict with sufficient accuracy and would therefore require user input, that should optimally be minimized. Without the expectation, it is possible to automate privacy decisions, while reducing the privacy violations by 27.9%. These results indicate that permission systems can still be enhanced, specially by taking the expectation of users into account.

5

Limitations and Future Work

As referred in Sect. 3.1, the dataset considered in this work is biased towards young adults with technical expertise. This occurrence advents from the fact that the data was collected whilst COVID-19 restrictions were enforced [12], and we relied on students with on-site classes. We leave for future work to conduct a campaign with a more diverse population as to better validate our findings.

168

R. Mendes et al.

One of the disadvantages of incorporating the expectation in the automation of privacy decisions is that it requires input from the user. We attempted to predict the expectation following a similar methodology to the one described for the privacy decision, including profiling. However, the performance was not high enough to increase the results displayed in Fig. 4. This is an indicator that the expectation can be more personal and dynamic than the respective privacy decisions. As future work we intend to analyze possible venues towards improving the prediction of expectations. An underlying limitation of all automated privacy decision systems, including the approach described in this work, lies on the legal basis of such decisions. Specifically, an automated response to a permission request might not constitute legal consent. Regulations such as the EU General Data Protection Regulation (GDPR) mandate express and unambiguous consent from the user before collecting any personal data [20]. Unfortunately, the GDPR does not provide guidelines for automating privacy decisions. Therefore, further legal discussion will be required. In the meantime, the personalized prediction of privacy decisions can be instead offered as recommendations to the user [10], instead of fully automation. Such approach can mitigate potential challenges of configuring complex privacy systems, such as the lack of expertise by the average user [17]. Finally, a natural departure of this work would be to assess the feasibility of assigning the privacy profiles, the performance of the predictions, and the perceived usability of such PM. Such endeavour requires a new field study. Moreover, the dependence on user data for clustering users and predicting their privacy decisions is a drawback of this approach. To address this issue, we have proposed a clustering mechanism and federated prediction approach [6] with privacy guarantees.

6

Conclusion

The complexity of mobile devices require automation for the management of user privacy. However, the current approach, i.e. the runtime permission model, often violates user privacy, thus failing at protecting the user. The root of this ineffectiveness advents from the non consideration of contextual dynamism and personal preferences within each context that are natural factors impacting privacy decisions. In this paper we analyze a dataset of privacy decisions and their surrounding context to uncover their intrinsic relation. Our analysis reveals that the visibility of the requesting app, the location of the user and the network status are important contextual cues that partially explain the variability of the grant result, i.e., the user decision to allow or deny a permission. In addition, we find that the category of the requesting app and the requested permission moderately encode the context, as the user uses different apps under different contexts. We then leverage such analysis to train models towards building an automated, personalized and context-aware permission manager for prediction of the grant result. Our results show that by taking into account the expectation of the user, one can reduce the number of privacy violations by over 50% when

Enhancing User Privacy Through Prediction of Privacy Preferences

169

compared to the Android permission manager. Without user expectation, it is still possible to reduce the privacy violations by approximately 28%.

A

Grant Rate

Figure 6 presents the average grant result for each pair of category of the requesting app and requested permission.

Fig. 6. Average grant result for each pair of category-permission. The number in each cell is the number of requests for the respective pair category-permission group, and GR is the grant rate for the respective category or permission. Categories and permissions with less than 10 requests were removed.

B

Information Gain

Table 2 presents the information gain for the grant result with each other feature in the dataset, where categorical features were one-hot encoded.

170

R. Mendes et al.

Table 2. Information Gain for the grant result with every other feature. Showing only values greater than 0. grantResult wasRequestExpected

0.182551

permission STORAGE

0.018125

category VIDEO PLAYERS

0.016729

category COMMUNICATION

0.013858

permission PHONE

0.013843

selectedSemanticLoc Home

0.011375

networkStatus METERED

0.008086

isRequestingAppVisible

0.007845

networkStatus NOT METERED

0.007624

permission CAMERA

0.006610

permission CONTACTS

0.005629

selectedSemanticLoc Travelling

0.005558

category GAME

0.005136

category TRAVEL AND LOCAL

0.004675

plugState

0.003084

category WEATHER

0.002793

isTopAppRequestingApp

0.002483

category TOOLS

0.002355

category MUSIC AND AUDIO

0.002348

permission LOCATION

0.002234

hour

0.002170

permission CALL LOG

0.001951

category PERSONALIZATION

0.001940

selectedSemanticLoc Work

0.001710

permission SENSORS

0.001467

category BUSINESS

0.001452

category SOCIAL

0.001350

category SPORTS

0.000973

category SHOPPING

0.000963

category HEALTH AND FITNESS 0.000801 isWeekend

0.000623

category MEDICAL

0.000485

callState

0.000389

category LIFESTYLE

0.000265

category ENTERTAINMENT

0.000156

category FOOD AND DRINK

0.000122

networkStatus DISCONNECTED

0.000103

References 1. Acquisti, A., Brandimarte, L., Loewenstein, G.: Privacy and human behavior in the age of information. Science 347(6221), 509–515 (2015)

Enhancing User Privacy Through Prediction of Privacy Preferences

171

2. Almuhimedi, H., et al.: Your location has been shared 5,398 times!: a field study on mobile app privacy nudging. In: Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, pp. 787–796. ACM (2015) 3. Andriotis, P., Stringhini, G., Sasse, M.A.: Studying users’ adaptation to Android’s run-time fine-grained access control system. J. Inf. Secur. Appl. 40, 31–43 (2018) 4. Balebako, R., Jung, J., Lu, W., Cranor, L.F., Nguyen, C.: Little brothers watching you: raising awareness of data leaks on smartphones. In: Proceedings of the Ninth Symposium on Usable Privacy and Security–SOUPS 2013, p. 1 (2013) 5. Bonn´e, B., Peddinti, S.T., Bilogrevic, I., Taft, N.: Exploring decision making with android’s runtime permission dialogs using in-context surveys. In: Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017), pp. 195–210. USENIX Association, Santa Clara, CA (2017) 6. Brand˜ ao, A., Mendes, R., Vilela, J.P.: Prediction of mobile app privacy preferences with user profiles via federated learning. In: Proceedings of the Twelveth ACM Conference on Data and Application Security and Privacy, pp. 89–100 (2022) 7. Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: user attention, comprehension, and behavior. In: Proceedings of the Eighth Symposium on Usable Privacy and Security (SOUPS 2012). Association for Computing Machinery, New York, NY, USA (2012) 8. Kelley, P.G., Consolvo, S., Cranor, L.F., Jung, J., Sadeh, N., Wetherall, D.: A conundrum of permissions: installing applications on an android smartphone. In: Blyth, J., Dietrich, S., Camp, L.J. (eds.) FC 2012. LNCS, vol. 7398, pp. 68–79. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34638-5 6 9. Lin, J., Liu, B., Sadeh, N., Hong, J.I.: Modeling users’ mobile app privacy preferences: restoring usability in a sea of permission settings. In: 10th Symposium On Usable Privacy and Security (SOUPS 2014), pp. 199–212. USENIX Association, Menlo Park, CA (2014) 10. Liu, B., Andersen, M.S., Schaub, F., Almuhimedi, H., Zhang, S., Sadeh, N., Acquisti, A., Agarwal, Y.: Follow my recommendations: A personalized privacy assistant for mobile app permissions. In: Symposium on Usable Privacy and Security (2016) 11. Liu, B., Lin, J., Sadeh, N.: Reconciling mobile app privacy and usability on smartphones: could user privacy profiles help? In: Proceedings of the 23rd International Conference on World Wide Web–WWW 2014, pp. 201–212 (2014) 12. Mendes, R., Brand˜ ao, A., Vilela, J.P., Beresford, A.R.: Effect of user expectation on mobile app privacy: a field study. In: 2022 IEEE International Conference on Pervasive Computing and Communications (PerCom), pp. 207–214 (2022) 13. Nissenbaum, H.: Privacy as contextual integrity. Wash. L. Rev. 79, 119 (2004) 14. Olejnik, K., Dacosta, I., Machado, J.S., Huguenin, K., Khan, M.E., Hubaux, J.P.: SmarPer: context-aware and automatic runtime-permissions for mobile devices. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 1058–1076. IEEE (2017) 15. Ravichandran, R., Benisch, M., Kelley, P.G., Sadeh, N.M.: Capturing social networking privacy preferences. In: Goldberg, I., Atallah, M.J. (eds.) PETS 2009. LNCS, vol. 5672, pp. 1–18. Springer, Heidelberg (2009). https://doi.org/10.1007/ 978-3-642-03168-7 1 16. Sanchez, O.R., Torre, I., He, Y., Knijnenburg, B.P.: A recommendation approach for user privacy preferences in the fitness domain. User Model. User-Adapted Interact. 30(3), 513–565 (2020) 17. Shen, B., et al.: Can systems explain permissions better? Understanding users’ misperceptions under smartphone runtime permission model. In: 30th USENIX Security Symposium (USENIX Security 21) (2021)

172

R. Mendes et al.

18. Shklovski, I., Mainwaring, S.D., Sk´ ulad´ ottir, H.H., Borgthorsson, H.: Leakiness and creepiness in app space: perceptions of privacy and mobile app use. In: Proceedings of the 32nd Annual ACM Conference on Human Factors in Computing Systems, pp. 2347–2356. ACM (2014) 19. Tsai, L., et al.: Turtle guard: helping android users apply contextual privacy preferences. In: Symposium on Usable Privacy and Security (SOUPS) 2017 (Soups) (2017) 20. Union, E.: Regulation (eu) 2016/679 of the european parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/ec (general data protection regulation). Off. J. L110 59, 1–88 (2016) 21. Votipka, D., Rabin, S.M., Micinski, K., Gilray, T., Mazurek, M.L., Foster, J.S.: User comfort with android background resource accesses in different contexts. In: Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018), pp. 235– 250 (2018) 22. Wijesekera, P., Baokar, A., Hosseini, A., Egelman, S., Wagner, D., Beznosov, K.: Android permissions remystified: a field study on contextual integrity. In: USENIX Security, vol. 15 (2015) 23. Wijesekera, P., et al.: The feasibility of dynamically granted permissions: aligning mobile privacy with user preferences. In: Proceedings–IEEE Symposium on Security and Privacy, pp. 1077–1093 (2017) 24. Wijesekera, P., et al.: Contextualizing privacy decisions for better prediction (and protection). In: Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems, pp. 268:1–268:13. CHI 2018, ACM, New York, NY, USA (2018)

One Vote Is Enough for Analysing Privacy Stéphanie Delaune and Joseph Lallemand(B) Univ Rennes, CNRS, IRISA, Rennes, France [email protected]

Abstract. Electronic voting promises the possibility of convenient and efficient systems for recording and tallying votes in an election. To be widely adopted, ensuring the security of the cryptographic protocols used in e-voting is of paramount importance. However, the security analysis of this type of protocols raises a number of challenges, and they are often out of reach of existing verification tools. In this paper, we study vote privacy, a central security property that should be satisfied by any e-voting system. More precisely, we propose the first formalisation of the recent BPRIV notion in the symbolic setting. To ease the formal security analysis of this notion, we propose a reduction result allowing one to bound the number of voters and ballots needed to mount an attack. Our result applies on a number of case studies including several versions of Helios, Belenios, JCJ/Civitas, and Prêt-à-Voter. For some of these protocols, thanks to our result, we are able to conduct the analysis relying on the automatic tool Proverif.

1

Introduction

Remote electronic voting systems aim at allowing the organisation of elections over the Internet, while providing the same guarantees as traditional paper voting. Although relying on e-voting for large-scale elections is controversial, it is already in use in many lower-stakes elections today (e.g. the Helios [3] voting system has been used to elect the IACR board of directors since 2010), and is likely to be used even more in the future, for better or for worse. These elections may involve a large number of voters and may have an important impact on democracy when it comes to elect political leaders. It is therefore of paramount importance to ensure the security of these systems. As for security protocols in general, formal methods provide powerful techniques to analyse e-voting systems, and prove their security. Identifying what makes a good, secure e-voting system is a complex problem that has not yet been completely solved, and is actively being researched. It is however rather universally acknowledged that a central security guarantee e-voting systems should This work has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 programme (grant agreement n◦ 714955-POPSTAR), as well as from the French National Research Agency (ANR), under project TECAP, and under the France 2030 programme with reference ANR-22-PECY-0006. c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 173–194, 2022. https://doi.org/10.1007/978-3-031-17140-6_9

174

S. Delaune and J. Lallemand

provide is vote privacy. Intuitively, this property states that votes must remain secret, so that no one can learn who voted for which candidate. One common way of formalising vote privacy, which we will call SWAP, is to require that an attacker is not able to distinguish between the situation where Alice is voting yes and Bob is voting no from the situation where the two voters swapped their vote. That formalisation was first proposed by Benaloh [9], originally in a computational model. It has since been adapted to the symbolic setting [26], and applied to many voting schemes, e.g. [4,5,7,20,23,24]. The SWAP notion was originally written considering the specific case of a referendum, where the result is the number of yes and no votes. It has then been generalised to cover other kinds of elections [8], but remains limited w.r.t. the way of counting votes – essentially, it only makes sense when the result of the election is the number of votes for each candidate, excluding more complex counting procedures such as Single Transferable Vote (STV). More recently, a new definition, called BPRIV for “ballot privacy”, has been proposed to overcome such limitations [10]. Essentially, BPRIV lets the attacker interact with the system, and see either real ballots, or fake ones containing fake votes. Using oracles, he can choose the values of real and fake votes, and cast any ballot he can construct (in the name of corrupted voters). In the end, the tally of real ballots is published. To be BPRIV, the attacker should be unable to distinguish the two scenarios, i.e. no information is leaked on the ballots’ content. Privacy-type properties, and in particular vote privacy, are often expressed using a notion of behavioural equivalence [25]. A notable exception is the definition of (α, β)-privacy [31] which nevertheless relies on some notion of static equivalence. Proving equivalences is cumbersome, and is difficult to do in details by hand, as witnessed by the manual analysis of the SWAP property done for e.g. the Helios protocol [23] and the Norwegian one [24]. Regarding mechanisation, several mature tools are available for analysing trace properties such as secrecy or authentication in the symbolic setting: most notably, Proverif [11,12] and Tamarin [30]. These tools support equivalence properties [6,13], although they remain limited to a restricted form of equivalence, called diff-equivalence. Some e-voting schemes have been analysed with these automated tools in the symbolic model, e.g. the Neuchâtel [20] or BeleniosVS [19] protocols. Proverif even has an extension called ProSwapper [14], that specifically handles swapped branches that typically occur in the SWAP definition. These tools have proved very helpful for the study of e-voting systems. However, they still suffer from limitations that restrict their applicability, as they e.g. cannot handle homomorphic encryption, or manipulate lists of arbitrary size to encode the bulletin board, and tend to quickly run into performance issues when the number of agents in parallel increases. An interesting option to ease the security analysis is to rely on reduction results. This approach has been used to bound the number of agents involved in an attack for both reachability [17], and equivalence properties [18]. Reduction results bounding the number of sessions [27,28] have also been proposed in more

One Vote Is Enough for Analysing Privacy

175

restricted settings. All these results do not apply in the context of e-voting protocols. Here, we would like to bound the number of voters (agents) participating in the election. However, since only one vote is counted for each voter, we can not replace a session played by A by one played by B, as was done e.g. in [18]. The only existing result in that context is the result proposed in [4], where the authors give bounds on the number of voters and ballots – respectively 3 and 10 – needed for an attack on the SWAP notion This allows them to carry out several case studies using Proverif. No such results, however, exist for the newer and more general BPRIV definition.

Contributions. Our contributions are threefold. First, we propose a definition of BPRIV adapted for the symbolic model. BPRIV has been first introduced in the computational setting where some subtleties regarding the communication model have been overlooked. Second, we identify some conditions under which BPRIV can be analysed considering only one honest voter and k dishonest ones. Actually, in most usual cases, we have k = 1, and the number of ballots being tallied is reduced to 1. These reduction results are generic, in particular we do not assume anything regarding the equational theory, and our result applies for different counting functions. Revoting is also allowed. Finally, we apply our result on several e-voting protocols from the literature relying on the tool Proverif. Our bounds for BPRIV, better than those obtained in [4] when considering SWAP, allow us to analyse many protocols in a reasonable time (whereas several hours were needed in some cases in [4]). We also identify an issue in the security analysis performed in [4] where a protocol has been declared secure while it is not.

2

Modelling Security Protocols

In this section, we introduce background notions on protocol modelling. We model security protocols in the symbolic model with a process algebra inspired from the applied pi-calculus [2]. Our model is mostly standard, except that in order to model the stateful nature of e-voting protocols, we consider memory cells, that can store a persistent state across processes. We need to avoid concurrent accesses to memory cells while updating them: to that end, we use a specific instruction that atomically appends a message to the content of a memory cell. 2.1

Messages

We assume an infinite set N of names used to model keys, nonces, etc.. We consider two infinite and disjoint sets of variables X and W. Variables in X are used to refer e.g. to input messages, and variables in W, called handles, are used as pointers to messages learned by the attacker. Lastly, we consider two disjoint sets of constant symbols, denoted Σ0 and Σerr . Constants in Σ0 represent public values, e.g. identities, nonces or keys drawn by the attacker. This set is assumed to be infinite. Constants in Σerr will typically refer to error messages. We fix

176

S. Delaune and J. Lallemand

a signature Σ consisting of a finite set of function symbols together with their arity. We denote Σ + = Σ  Σ0  Σerr . We note T (F, D) the set of terms built from elements in D by applying function symbols in the signature F. The set of names (resp. variables) occurring in a term t is denoted names(t) (resp. var(t)). A term t is ground if var(t) = ∅. We refer to elements of T (Σ + , N ) as messages. Example 1. We consider the signature Σerr = {errvote , errinvalid } to model error messages. The signature Σlist = {nil, hd, tl, ::} allows us to model lists of arbitrary size. We often write [t1 , . . . , tn ] for t1 :: . . . ::tn ::nil. The operators hd and tl are used to retrieve the head and the tail of a list. Lastly, we consider Σex = {aenc, adec, pk, zkp, checkzkp , true,  3 , proj31 , proj32 , proj33 , yes, no} to model asymmetric encryption, zero-knowledge proofs, and pairing operators. As a running example, we will consider a model of the Helios protocol (in its original version, as seen in [23]) and ΣHelios = Σex ∪ Σlist . Let idH ∈ Σ0 , r, sk ∈ N , and pk = pk(sk). Intuitively, idH represents the identity of a honest voter, and yes her vote (these data are known to the attacker), whereas r and sk are private names, modelling respectively the randomness used in the encryption and the private key of the authority. Let eyes = aenc(yes, pk, r), H and bid yes = idH , eyes , zkp(eyes , yes, r, pk)3 . The first term encrypts the vote, and the second one is the ballot sent by the voter in the voting phase of Helios. An element of T (Σ + , W) is called a recipe and models a computation performed by the attacker using his knowledge. A substitution σ is a mapping from variables to messages, and tσ is the application of σ to term t, which consists in replacing each variable x in t with σ(x). A frame φ is a substitution that maps variables from W to messages, and is used to store an attacker’s knowledge. In order to give a meaning to function symbols, we equip terms with an equational theory. We assume a set E of equations over T (Σ, X ), and define =E as the smallest congruence containing E that is closed under substitutions. Example 2. Continuing Example 1, we consider the equational theory Eex given below and Elist := {hd(x::y) = x, tl(x::y) = y}.   adec(aenc(x, pk(y), z), y) = x proj3i (x1 , x2 , x3 3 ) = xi with i ∈ {1, 2, 3} Eex = checkzkp (zkp(aenc(x, y, z), x, z, y), aenc(x, y, z), y) = true H We have adec(eyes , sk) =Eex v, and checkzkp (proj33 (bid yes ), v, r, pk) =Eex true.

In the following, we consider an arbitrary signature Σ + = Σ  Σ0 ∪ Σerr together with its equational theory E (equations built over Σ only), and we assume it contains at least the formalisation of lists given in Example 1 and Example 2, i.e. Σlist ⊆ Σ and Elist ⊆ E. 2.2

Processes

We model protocols using a process calculus. We consider an infinite set of channel names Ch = Chpub  Chpri , partitioned into infinite sets of public and private channel names. We also assume an infinite set M of names to represent memory

One Vote Is Enough for Analysing Privacy

177

cells (used to store states). The syntax of processes is: P, Q :: = 0 | out(c, u). P | m := u. P |P |Q | in(c, x). P | read m as x. P | !P | ! new d. out(c, d). P | append(c, u, m). P | new n. P | let x = u in P | phase i. P | new d. P | if u = v then P else Q where n ∈ N , x ∈ X , m ∈ M, u ∈ T (Σ + , X ∪ N ), d ∈ Chpri , c ∈ Ch, i ∈ N. This syntax is rather standard, except for the memory cell operations. Intuitively, read m as x stores the content of m in the variable x, whereas append(c, u, m) represents the agent with channel c appending u to memory m. In addition, we use a special construct ! new d. out(c, d). P , to generate as many times as needed a new public channel d and link it to channel c, in a single step. This could be encoded using the other instructions, but having a separate construction lets us mark it in the execution traces, which is convenient for the proofs. The constructs in(c, x).P , let x = u in; P , and read m as x. P bind x in P . Given a process P , fv(P ) denotes its free variables, and we say that it is ground when fv(P ) = ∅. Moreover, we usually omit the final 0 in processes. Example 3. Continuing our running example, we consider the process P : P = in(c, b). if checkzkp (proj33 (b), proj32 (b), pk(sk)), proj31 (b) = true, idD  then out(c, b). append(c, b, mbb ) else out(b, errinvalid ). where b ∈ X , sk ∈ N , and idD ∈ Σ0 . This represents an agent that receives a ballot b as input, and then checks the validity of the zero knowledge proof contained in b, as well as the identity of the voter. Depending on the outcome of this test, it either outputs the ballot and appends it in the cell mbb modelling the ballot box, or simply outputs an error message. Definition 1. A configuration is a tuple (i; P; φ; M ), composed of an integer i, a multiset P of ground processes, a frame φ, and a mapping M from a subset of memory names M to messages. We write P instead of (0; P; ∅; ∅). a

The semantics of our calculus is defined as a transition relation = ⇒ on configurations. Each transition step is labelled with an action a representing what the attacker can observe when performing it (it can be an input, an output, an append action, or a silent action ). This relation is defined in a standard manner. As a sample, depicted below are the rules for input, errors, and append. in(c,R)

(i; {|in(c, u). P |} ∪ P; φ; M ) ====⇒ (i; {|P σ|} ∪ P; φ; M ) if c ∈ Chpub , and R is a recipe such that var(R) ⊆ domφ and Rφ =E uσ for some σ with dom(σ) = var(u) out(c,cerr )

(i; {|out(c, cerr ). P |} ∪ P; φ; M ) =====⇒ (i; {|P |} ∪ P; φ; M ) if c ∈ Chpub , cerr ∈ Σerr append(c)

(i; {|append(c, u, m)|}. P ∪ P; φ; M ) =====⇒ (i; {|P |} ∪ P; φ; M {m → u::M (m)}) if m ∈ dom(M )

178

S. Delaune and J. Lallemand

For instance, considering an input on a public channel, the attacker can inject any message he is able to build using his current knowledge. The outputs performed on a public channel are made available to the attacker either directly through the label (when it corresponds to an error message), or indirectly through the frame (this rule is not shown). Lastly, we present the rule corresponding to our new append action append(c, u, m) which simply consists in appending a term u to the memory cell m. The full formal semantics is given in [1]. Definition 2. The set of traces of a configuration K is defined as tr 

⇒ (i; P; φ; M )} traces(K) = {(tr, φ) | ∃i, P, M such that K = ·  · ⇒ is the reflexive transitive closure of = ⇒, concatenating all (non-silent) where = actions into the sequence tr. H Example 4. Continuing Example 3 with φyes = {w0 → pk(sk), w1 → bid yes }, and yes K0 = (2; {P }; φyes ; {mbb → nil}). We have that:

K0yes

in(c,w1 ).out(c,errinvalid )

=============⇒

in(c,R0 ).out(c,w2 ).append(c) K0yes =================⇒

H (2; ∅; {w0 → pk(sk), w1 → bid yes }; {mbb → nil})

idD H (2; ∅; {w0 → pk(sk), w1 → bid yes , w2 → byes }; {mbb → b})

idD , proj32 (w1 ), proj33 (w1 )3 ,

idH D with R0 = and bid yes = R0 φyes =Eex idD , eyes , zkp3 . H The term zkp here denotes the zero-knowledge proof from bid yes . It does not contain the identity of the voter who computes it, and can therefore be reused by a dishonest voter to cast the ballot in her own name.

2.3

Equivalences

Our definition of the BPRIV property relies on two usual notions of equivalence in the symbolic model: static equivalence, for the indistinguishability of sequences of messages, and trace equivalence, for the indistinguishability of processes. Definition 3. Two frames φ and φ are statically equivalent, denoted by φ ∼ φ , if dom(φ) = dom(φ ) and for any recipes R1 , R2 ∈ T (Σ + , dom(φ)), we have that R1 φ =E R2 φ ⇔ R1 φ =E R2 φ . Definition 4. Two ground processes P , Q are in trace inclusion, denoted by P t Q, if for all (tr, φ) ∈ traces(P ), there exists φ such that (tr, φ ) ∈ traces(Q) and φ ∼ φ . We say that P and Q are trace equivalent, denoted by P ≈t Q, if P t Q and Q t P . Example 5. We can consider a configuration K0no similar to K0yes but with no instead of yes in the initial frame. We can establish that K0no ≈t K0yes . This is a non trivial equivalence. Now, we replace P by P + in both configurations, adding a simple process modelling the tally (for one vote), e.g. P + = P | phase 3. read mbb as bb. let res = adec(proj32 (bb), sk) in out(cr , res). We have that the resulting equivalence does not hold. This is simply due to the fact that tr = in(c, R0 ).out(c, w2 ).append(c).phase 3.out(cr , w3 ) can be

One Vote Is Enough for Analysing Privacy

179

executed starting from both configurations, and the resulting frames contains w3 → no on the left, and w3 → yes on the right. This breach of equivalence is not, strictly speaking, an attack, as the processes do not formalise the BPRIV property. However it follows the same idea as the ballot copy attack against Helios from [23]: a dishonest voter copies a honest voter’s ballot, introducing an observable difference in the result. This attack can be prevented by patching Helios, either by weeding out duplicate ballots from the ballot box, or by adding the voter’s id to the ZKP, which then becomes invalid for any other voter.

3

Modelling the General BPRIV Notion

In this section, we present our formal model of e-voting protocols, and our BPRIV privacy notion. While BPRIV itself is not novel, our symbolic formalisation is. 3.1

Modelling E-Voting Protocols

When modelling voting systems, we often need to encode some computations (e.g. performed by the ballot box) that cannot be represented by recipes (e.g. iterating through an arbitrary-sized list). We encode these computations as processes, that do not share any names, channels, or memory cells with the rest of the process, except for a channel to return the result of the computation. p ) without free names, channels, Definition 5. A computation is a process Cd ( #„ or variables (not counting those in d, #„ p ), without memory cell operations, and without phases. It is parametrised by a channel d, and terms #„ p , meant to be the channel where the result is output, and the terms given as input parameters. This process must be such that for all inputs #„ p , there exists a ground term t0 such that for all channel name d, we have p )) = {(, ∅)} ∪ {(out(d, w), {w → t0 }) | w ∈ W}. traces(Cd ( #„ We then call t0 the result of the computation. As it does not depend on the channel, we will often omit it and let C( #„ p ) denote the result. To use such a process to compute a term inside a process P , we will typically run it in parallel with an input waiting to retrieve the result on d, followed by the continuation process. We will write as a shortcut let x = C( #„ p ) in P for p ) | in(d, x). P ), where d is a fresh private channel name (i.e. that new d. (Cd ( #„ does not appear anywhere else in the ambiant process). We assume a set Votes ⊆ T (Σ, Σ0 ) of public ground terms representing the possible values of the votes. A voting system is modelled by a collection of processes that model the behaviour of voters, and a process modelling the tallying authority. The election process is composed of several phases. Phases 0 and 1: Setup. The election material is generated and published.

180

S. Delaune and J. Lallemand

Phase 2: Casting. The voters send their ballots to the ballot box. In our model, a memory mbb will play the role of the ballot box, recording all ballots received by the voting server. The voters’ processes will first publish their ballot on a dedicated public channel, and then append it to the memory cell mbb . This models the fact that voters are authenticated when they submit their ballot, and the ballot cannot be modified on its way to the ballot box. However, the attacker is able to block a ballot before it reaches the ballot box. Each voter has a private credential cr ∈ N , with an associated public credential computed by a recipe Pub(cr, u), that may use a random value u. Some protocols, such as Civitas, use this value to randomise the public credential, while others, such as Belenios, do not use it – in such cases we can omit it. To model the construction of ballots, we assume a recipe Vote with 5 variables: the term Vote(pk, id, cr, v, r) represents a ballot generated for voter id with credential cr, public election key pk, randomness r, and containing a vote v. When modelling vote privacy, the attacker chooses the vote v he wants the voter to use to construct the ballot. Hence, we will need to check that v is indeed a possible value for a vote, i.e. v ∈ Votes. If the set of candidates is finite, this can be tested exhaustively. In other cases, such as write-in votes, it can be done e.g. if legal votes have a specific format (start with a tag, etc..), or trivially if any value is legal. In a voting scheme, once a ballot is received by the voting server, another check is performed to ensure the ballot is valid, i.e. correctly constructed. Typically, it can consist in verifying signatures or zero-knowledge proofs included in the ballot. To keep our model generic, we simply assume a recipe Valid with four variables: Valid(id, pcr, b, pk) represents the validity test performed for the agent id, whose public credential is pcr, who submits a ballot b. The term it computes is meant to be equal to true if, and only if, ballot b cast by id is valid w.r.t. her public credential pcr and the election public key pk. We incorporate this validity check directly in the process modelling the voter, before publishing and adding the ballot to mbb . In reality, it is performed by the ballot box, but this modelling choice is both simpler (no need for an extra process) and closer to the cryptographic game (where the voting oracle performs the test). The formal definition of the voter’s process is given in Sect. 3.2 as it incorporates elements specific to the modelling of the property. Example 6. Continuing Example 2, for Helios, we use the following recipes: VoteHelios (pk, id, v, r) = id, aenc(v, pk, r), zkp(aenc(v, pk, r), v, r, pk)3 ValidHelios (id, b, pk) = checkzkp (proj33 (b), proj32 (b), pk). Phase 3: Tallying. In the final phase, the Tally(sk) process is in charge of reading the contents of the ballot box, and using the key sk to compute and publish the result on a dedicated channel cr . To leave it as generic as possible, we simply assume a computation CTally (bb, sk), that takes as parameters a list bb of ballots, and sk, and computes the result as specified by the protocol. We then assume the following form for Tally: Tally(sk) = read mbb as bb. let res = CTally (bb, sk) in out(cr , res).

One Vote Is Enough for Analysing Privacy

181

Example 7. We continue Example 6 and we consider for simplicity the case of a referendum with two possible votes yes and no. We assume function symbols zero/0 and incr/1, without any associated equations, that we use to count in unary. Slightly abusing notations with the use of pattern-matching in input, the tallying computation can be written as follows: CTally (bb, sk) =  new c. out(c, zero, zero, bb3 ) | in(c, x, y, nil3 ). out(cr , x, y) | ! in(c, x, y, id, b, p3 ::l)3 ). let v = adec(b, sk) in  if v = yes then out(c, incr(x), y, l3 ) else out(c, x, incr(y), l3 ).

3.2

A Symbolic Definition of BPRIV

We model vote privacy by adapting the BPRIV notion, originally formulated as a cryptographic game [10], to our symbolic setting. The idea remains the same as for the original notion: an attacker should not learn any information on the votes contained in the ballots, other than the final result of the election. This is modelled by letting the attacker suggest two possible values for the vote of each honest voter: a “real” one and a “fake” one. The attacker then sees the honest voters’ ballots, containing either the real or fake votes, and then in the end the real result of the election, computed on the real votes. We model the behaviour of honest voter id, who uses channel c, private and public credentials cr, pcr, and election public key pk in these two scenarios by the two following processes. HVoterR (c, id, cr, pcr, pk) = HVoterL (c, id, cr, pcr, pk) = in(c, z). in(c, z). let (v 0 , v 1 ) = (proj21 (z), proj22 (z)) in let (v 0 , v 1 ) = (proj21 (z), proj22 (z)) in if v 0 , v 1 ∈ Votes then if v 0 , v 1 ∈ Votes then new r0 . new r1 . new r0 . new r1 . let b0 = Vote(pk, id, cr, v 0 , r0 ) in let b0 = Vote(pk, id, cr, v 0 , r0 ) in 1 1 1 let b = Vote(pk, id, cr, v , r ) in let b1 = Vote(pk, id, cr, v 1 , r1 ) in 0 if Valid(id, pcr, b , pk) = true if Valid(id, pcr, b1 , pk) = true 0 0 then out(c, b ). append(c, b , mbb ) then out(c, b1 ). append(c, b0 , mbb ) else out(c, errinvalid ) else out(c, errinvalid ) else out(c, errvote ) else out(c, errvote )

In both cases, the process receives the two possible vote instructions (v 0 , v 1 ) from the attacker, and constructs two corresponding ballots b0 , b1 . It then tests for validity, and publishes, either the real b0 (on the left), or the fake b1 (on the right). However, since the result is always computed on the real votes, the ballot secretly added to the ballot box mbb is always b0 . If any of the tests fail, we return error messages errinvalid , errvote ∈ Σerr . The attacker has complete control over the ballots submitted by dishonest voters. Hence, we model them by a process that receives an arbitrary ballot from

182

S. Delaune and J. Lallemand

the attacker, and adds it to the ballot box mbb after checking its validity: DVoter(c, id, cr, pcr, pk) = in(c, b). if Valid(id, pcr, b, pk) = true then out(c, b). append(c, b, mbb ) else out(c, errinvalid ). To a reader used to symbolic modelling of protocols, it may seem strange that dishonest voters are modelled by a process, rather than being left completely under the control of the attacker. It may similarly be surprising that the voters’ processes include the validity checks and write directly to the ballot box, while these operations are not actually performed by the voter but by an independent entity (typically the server storing the ballot box). While not essential for our results, we decided to adopt this style of modelling to follow more closely the original formulation as a cryptographic game. In that formalism, the protocol and the scenario considered are modelled as oracles. Our symbolic processes are written in the same spirit: they should be seen as models of what happens when a voter votes, rather than directly models of the voter’s behaviour. We then consider n voters: for each i ∈ 1, n, we let v#„i = (ci , id i , cr i , pcr i ), where ci ∈ Chpub is a dedicated public channel, id i ∈ Σ0 is the voter’s identity, cr i ∈ N her private credential, and pcr i = Pub(cr i , ui ) her public credential randomised with ui ∈ N . We will say that for i = j, v#„i and v#„j are distinct voters, to signify that they have different identities, credentials, and channels, i.e. ci = cj ∧ id i = id j ∧ cr i = cr j ∧ ui = uj ∧ ui = cr j ∧ cr i = uj . We then define the BPRIV property as follows. Definition 6. A voting scheme is BPRIV for p honest voters and n−p dishonest voters, written BPRIV(p, n − p), if R #„ #„ ElectionLp,n−p (v#„1 , . . . , v#„ n ) ≈t Electionp,n−p (v1 , . . . , vn )

where ElectionXp,n−p (v#„1 , . . . , v#„ n) = new  sk. mbb := nil. out(ch, pk(sk)). phase 1. out(c1 , pcr 1 ). phase 2. HVoterX (v#„1 , pk(sk)) | ... | phase 1. out(cp , pcr p ). phase 2. HVoterX (v#„p , pk(sk)) v p+1 , pk(sk)) | phase 1. out(cp+1 , cr p+1 , pcr p+1 ). phase 2. DVoter( #„ | ... | phase 1. out(cn , cr n , pcr n ). phase 2. DVoter(v#„ n , pk(sk)) | phase 3. Tally(sk) with ch ∈ Chpub , X ∈ {L, R}. While we designed our symbolic definition to follow as closely as possible the original computational formulation of the property, there are two notable differences. First, in the original notion, the oracle modelling honest voters was executed atomically: once the adversary submits his vote instructions, the generated ballot

One Vote Is Enough for Analysing Privacy

183

is immediately placed in the ballot box. That is not the case here. This difference is an important one, and is fully intentional: we wanted to model a scenario where the attacker can intercept and block ballots on their way to the ballot box. This gives him more power, and thus makes for a stronger privacy property. A consequence of that choice however, is that our definition is not suited to studying protocols that rely on weeding out duplicate ballots from the ballot box (e.g. some fixed versions of Helios). Indeed, the weeding operation only makes sense when assuming that all generated ballots have reached the ballot box. Second, many voting schemes include mechanisms allowing everyone to check that the tallying authority computed the result correctly. Typically, the talliers publish, alongside the result itself, zero-knowledge proofs showing that they e.g. correctly decrypted the ballots in the ballot box. In BPRIV however, having them output this proof would immediately break the property. The proof only holds for the actual ballots being tallied, so the attacker could just check it against the ballots he saw, which would succeed on the left but fail on the right. The original formalisation handles this by using a simulator for the proof on the right. This sort of operation does not really have a counterpart in the symbolic model, and we decided (for now) to simply abstract this proof away and not model it. 3.3

Auxiliary Properties

In [10], the authors propose two companion properties to BPRIV, called strong correctness and strong consistency. Together with BPRIV, they imply a strong simulation-based notion of vote privacy. Although we do not prove such a simulation – these are not really used in the symbolic model – we still define symbolic counterparts to the original computational side-conditions. They are useful when establishing our reduction result, and we will from now on assume they hold. Strong Correctness. Honest voters should always be able to cast their vote, i.e. their ballots are always valid. Formally, for any id, cr, r, u, sk ∈ Σ0 ∪N , v ∈ Votes, we must have: Valid(id, Pub(cr, u), Vote(pk(sk), id, cr, v, r), pk(sk)) =E true. Strong Consistency. The tally itself should only compute the result of the election, and nothing else – it cannot accept hidden commands from the attacker coded as special ballots, etc.. Formally we assume two functions extract and count: – extract(b, sk) is meant to extract the vote, and the voter’s id and credential from b, using key sk, or return ⊥ if b is not readable (ill-formed, etc..). – count is the counting function, meant to compute the result from the list of votes. It is assumed to always return a public term in T (Σ, Σ0 ). true We assume that: if Valid(id, Pub(cr, u), b, pk(sk)) =E then extract(b, sk) = (id, cr, v) for some v ∈ Votes. In other words, extraction always succeeds on valid ballots. Moreover, extract must behave as expected on honestly generated ballots, i.e. v = v0 when b =

184

S. Delaune and J. Lallemand

Vote(pk(sk), cr, v0 , r). We let extract([b1 , . . . , bn ], sk) be the list of non-⊥ values in [extract(b1 , sk), . . . , extract(bn , sk)]. Lastly, we assume that these functions characterise the behaviour of the CTally computation, i.e. for all list bb of messages, for all sk ∈ N , we have: CTally (bb, sk) = count(lst(extract(bb, sk))) where lst is a function that only keeps the vote in each tuple returned by extract. Later on, when considering the case of revote, lst will be replaced with a function applying a revoting policy to determine which vote to keep for each voter. Example 8. The Valid recipe and Ctally computation from Examples 6 and 7 satisfy these assumptions, where extract simply decrypts the ciphertext in the ballot, and count returns the pair of the numbers of votes for yes and no.

4

Reduction

We first establish our reduction in the case where voters vote only once. Some systems allow voters to vote again by submitting a new ballot that will e.g. replace their previous one, in the interest of coercion-resistance. We extend our result to that setting in Sect. 5. Our BPRIV definition stated in Sect. 3 is parametrized by the number n of voters among which p are assumed to be honest. We prove our reduction result in two main steps. We first establish that it is enough to consider the case where p = 1, i.e. one honest voter is enough, and then we establish the conditions under which the number of dishonest voters can be bounded as well. 4.1

Reduction to One Honest Voter

In order to remain faithful to the original computational BPRIV notion, and to define a strong privacy property, we decided to write our symbolic BPRIV property in a general way, i.e. considering an arbitrary number of honest voters. Each voter receives two vote instructions (v0 , v1 ) from the attacker, and shows him the ballot for one or the other. Reducing the number of honest voters by replacing them by dishonest ones is non trivial. This comes from the fact the behaviour of an honest voter is not exactly the same on both sides of the equivalence, as it is the case for a dishonest voter. Nevertheless, we establish the following result: one honest voter is enough. Proposition 1. Consider a voting scheme V, and p, n such that 1 ≤ p ≤ n. If V does not satisfy BPRIV(p, n − p), then it does not satisfy BPRIV(1, n − 1). Proof (Sketch). The general idea of this proof is to show we can isolate one specific honest voter whose ballot is the one causing BPRIV(p, n − p) to break. We then leave that voter as the only honest one, and use dishonest voters to simulate the p − 1 others, and obtain an attack against BPRIV(1, n − 1). The difficulties are (i) how to find this particular voter, and (ii) how to simulate the honest voters with dishonest ones. The simulation would be easy

One Vote Is Enough for Analysing Privacy

185

for a honest voter id voting for the same candidate v on both sides: simply use the dishonest voter to submit a ballot Vote(pk, id, cr, v, r) for some random r, and the correct credential cr. However, in the Election processes, id uses different values v0 , v1 on the left and on the right, so that we cannot easily construct a single dishonest ballot simulating id’s on both sides at the same time. To solve both issues, the main idea is to go gradually from the ElectionL process, where all HVoters are HVoterL and use the real vote (their v0 ), to the ElectionR process, where they are HVoterR and use the fake one (their v1 ). We consider intermediate processes P0 , . . . , Pp : in Pi , the first i HVoters are HVoterR , and the others are HVoterL . Since BPRIV(p, n − p) does not hold, P0 = ElectionL and Pp = ElectionR are not equivalent. Hence, there must exist some i0 such that Pi0 +1 and Pi0 are not equivalent. These two processes differ only by the i0 + 1th HVoter, who is HVoterL in Pi0 , and HVoterR in Pi0 +1 . This voter will be our particular voter, who will remain honest, solving issue (i). All other HVoters behave the same in Pi0 and Pi0 +1 : they vote with their right vote for the first i0 , and their left for the last p − i0 − 1. For them, issue (ii) is thus solved, and we can simulate them with dishonest voters. This way, we recover an attack with only one honest voter, and (n − p) + (p − 1) = n − 1 dishonest voters.   Note that, in the case of the earlier reduction result from [4] for the SWAP definition, a simple version of vote privacy is used from the start. They consider only two honest voters who swap their votes, and not the general definition (as stated e.g. in [8,10]) involving an arbitrary permutation between an arbitrary number of honest voters. Due to this, in [4], this first step was trivial. The argument in our case is more involved, as we start from the general notion. 4.2

Bounding the Number of Dishonest Voters

This second reduction result allows one to bound the number of dishonest voters when considering BPRIV. More precisely, we consider a unique honest voter, and we show that k dishonest voters are sufficient to mount an attack against vote privacy (if such an attack exists). Here, we reduce the number of voters from n to k + 1 (k dishonest voters plus one honest voter), and the resulting bound depends on the counting function. Roughly, as formally stated below, we have to ensure that when there is a difference in the result when considering n votes, then a difference still exists when considering at most k votes. Definition 7. A counting function count is k-bounded if for all n, for all lists  = [v1 , . . . , vn ] of size n > k of elements in Votes, ltally = [v1 , . . . , vn ] and ltally  ), there exist k  ≤ k, and i1 < . . . < ik , such such that count(ltally ) =E count(ltally that count([vi1 , . . . , vik ]) =E count([vi1 , . . . , vik ]). This assumption needed to establish our reduction results captures the most common counting functions such as multiset, sum, majority (see Appendix Appendix A). Lemma 1. The functions count# , countΣ , and countMaj are 1-bounded.

186

S. Delaune and J. Lallemand

This can be easily established by noticing that, when considering count# (resp. countΣ or countMaj ), as soon as two lists [v1 , . . . , vn ] and [v1 , . . . , vn ] of votes give different results, it means that there exists at least an indice i0 such that vi0 = vi0 . Hence, keeping this vote is enough to keep a difference. We can also consider more involved counting functions, such as Single Transferable Vote (STV), used e.g. in Australian legislative elections, for which we have established that it is 5-bounded when considering 3 candidates. Under this k-boundedness assumption, we are then able to bound the number of dishonest voters. Proposition 2. Let V be a voting scheme whose associated counting function is k-bounded for k ≥ 1. If V does not satisfy BPRIV(1, n) for some n ≥ 1, then V does not satisfy BPRIV(1, k  ) for some k  ≤ k. Moreover, in that case there exists a witness of this attack where no more than k  ballots reached the ballot box. Proof (Sketch). If BPRIV(1, n − 1) does not hold, the difference appears either (i) when the honest voter outputs her ballot, or (ii) when outputting the result. Indeed, the behaviour of a dishonest voter who simply outputs the message he received does not help to mount an attack. Moreover, the only test that a dishonest voter performs is a public test from which the attacker will not infer anything. In case (i), no dishonest voters are even needed, and the claim holds. In case (ii), we know that that the public terms representing the final result are different on both sides. We apply our k-boundedness hypothesis, and we know that a difference is still there when considering k voters (or even less). Removing the corresponding actions performed by dishonest voters, the trace still corresponds to an execution assuming that the validity tests do not depend on the the other ballots on the bulletin board. Hence, we have a witness of non-equivalence with at most k ballots, and thus at most k − 1 dishonest voters.   4.3

Main Result

Combining Propositions 1 and 2, we get our main reduction theorem establishing that it suffices to consider one honest voter, and at most k dishonest ones. Theorem 1. Let V be a voting scheme whose associated counting function is k-bounded for some k ≥ 1, and p, n be two integers such that 1 ≤ p ≤ n. If V does not satisfy BPRIV(p, n − p), then V does not satisfies BPRIV(1, k  ) for some k  ≤ k. Moreover, in that case there exists a witness of this attack where no more than k  ballots reached the ballot box. Example 9. The ballot copy attack on Helios (with the 1-bounded multiset count) from [23], mentioned in Example 5, can be performed against BPRIV(p, n − p): a honest voter is told to vote yes or no, her ballot is copied by a dishonest voter but remains valid, and the result is then {|yes, yes|} on the left (as the “yes” ballot was seen and copied), and {|yes, no|} on the right (as the “no” ballot was seen).

One Vote Is Enough for Analysing Privacy

187

In accordance with Theorem 1, one honest voter, one dishonest, and one accepted ballot are actually sufficient: the attacker can simply block the honest ballot, so that only the copy is counted leading to {|yes|} on the left and {|no|} on the right, which suffices for the attack.

5

Dealing with Revoting

We now consider the case where re-voting is allowed. We first adapt the BPRIV definition to this setting. The processes HVoter, DVoter, and Tally are left unchanged. Only the main Election processes, and the consistency assumption change. The tallying now takes into account a revote policy, indicating how to proceed when a voter casts multiple votes. A revote policy is a function: policy : (Σ0 × Npriv × Votes) list → Votes list. This policy function replaces lst in the strong consistency assumption (Sect. 3.3). We consider here the two most common revote policies. The last and first policies, that select resp. the last or the first vote from each voter. #„ = We reuse the notations from Sect. 3.2, and we introduce in addition w i (di , idi , cr i , pcri ) for each i ∈ {1, . . . , n} where di are different private channel names. The privacy property BPRIVR(p, n − p) is written as follows: R #„ #„ ElectionRevoteLp,n−p (v#„1 , . . . , v#„ n ) ≈t ElectionRevotep,n−p (v1 , . . . , vn )

where ElectionRevoteXp,n−p (v#„1 , . . . , v#„ n) = new  sk. mbb := nil. out(ch, pk(sk)). phase 1. out(c1 , pcr1 ). phase 2. ! new d1 . out(c1 , d1 ). HVoterX (v#„1 , pk(sk)) | ... # „, pk(sk)) | phase 1. out(cp , pcrp ). phase 2. ! new dp . out(cp , dp ). HVoterX (w p # „, pk(sk)) | phase 1. out(cp+1 , pcrp+1 ). phase 2. ! new dp+1 . out(cp+1 , dp+1 ).DVoter(w p+1 | ... #„ | phase 1. out(cn , pcr  n ). phase 2. ! new dn . out(cn , dn ). DVoter(wn , pk(sk)) | phase 3. Tally(sk)

with ch ∈ Chpub , X ∈ {L, R}. Note that a replication operator has been added in front of the voter processes to model the fact that revote is now possible. Theorem 2. Let V be a voting scheme whose associated counting function is k-bounded for some k ≥ 1, and p, n be two integers such that 1 ≤ p ≤ n. If V does not satisfy BPRIVR(p, n − p), then V does not satisfy BPRIVR(1, k  ) for some k  ≤ k. Moreover, in that case there exists a witness of this attack where no more than k  ballots reached the ballot box (each from a different voter).

188

S. Delaune and J. Lallemand

The proof of this Theorem follows the same lines as the one when revote is not allowed and is given in the full version [1]. We may note that replication operators are still there, and thus establishing such an equivalence property (even when p = 1, and k = 1) is not trivial. Traces of unbounded length still must be considered. However, as we are able to establish that, in a minimal attack trace, at most k ballots reached the ballot box (each by a different voter), we can easily remove the replication operator in front of a dishonest voter. This reasoning does not apply for the honest voter, as the output she performed may be useful to mount an attack (contrary to the output of a dishonest voter who outputs a term known by the attacker). This has been overlooked in the reduction result presented in [4]. The security analysis of Helios with revote has been done without considering this replication operator, leading to erroneous security analysis.

6

Applications and Case Studies

To illustrate the generality of our result, and to showcase how useful it can be in practice, we apply it to several well-known voting protocols from the literature. For our case study, we chose the following protocols: two variants of Helios [3], corresponding to its original version, subject to the attack discussed earlier, and a fixed version that includes identities in the ZKP; Belenios [21], and the related BeleniosRF [15] and BeleniosVS [19]; Civitas [29]; and Prêt-à-Voter [16,32]. We modelled these protocols as processes satisfying our assumptions, and analysed them using Proverif. We only prove BPRIV itself with Proverif. Strong correctness only involves terms, and can easily be proved by hand. Strong consistency requires to show that the tallying process rightly computes the tally, which Proverif is not well-suited to do, as it requires 1) modelling the tally in the general case, i.e. with no bounds on the lengths of lists, and 2) comparing it to the abstract definition of the counting function, which Proverif cannot really manipulate. The property clearly holds though, and could be proved by hand. All model files for our case study are available at [1]. The results are presented in Table 1. As expected, we find the attack on Helios from [23]. We conduct the analysis for different counting functions, using our result to bound the number of agents and ballots. We considered majority, multiset, sum, and STV (restricted to 3 candidates). In fact, in the case of 1-bounded functions, since only one ballot needs to be accepted by the ballot box, the tallying is trivial, and ends up being the same for different functions (majority, multiset, etc..). Thus, a single Proverif file is enough to model several counting functions as once.

One Vote Is Enough for Analysing Privacy

189

revote

without revote

Table 1. Summary of our results. ✓: Proverif proves the property. ✗: Proverif finds an attack trace. : timeout (≥ 24 h). Execution times are on an Intel i7-1068NG7 CPU. Counting Multiset/Maj/Sum Protocols (2 voters/1 ballot) Helios (id in ZKP) ≤ 1s Helios (ZKP without id) ≤ 1s Belenios ≤ 1s BeleniosRF 3s BeleniosVS 3s Civitas ≤ 1s Prêt-à-Voter ≤ 1s Helios (id in ZKP) Helios (ZKP without id) Belenios

≤ 1s ≤ 1s ≤ 1s

Single Transferable Vote (6 voters/5 ballots) 24 min 27 min 27 min

39 min 23 min 42 min 23 min

We considered both the cases without and with revote, for protocols that support revoting (except Civitas, which in that case uses rather complex mechanisms that do not fit our setting). As mentioned earlier, when revote is allowed, our result does not get rid of the replication operator. Bounding the number of voters is still useful in that case, as it simplifies our models. More importantly, bounding the number of ballots means we can encode the ballot box as a fixedlength list, which is very helpful as Proverif does not support arbitrary length lists. In some cases, we made slight adjustments to the protocols, so that they fit our framework. Detailed explanations on these modelling choices can be found in the files. Notably, many protocols use homomorphic encryption: talliers add all encrypted votes before decryption. While our result still applies in principle to such primitives, Proverif cannot handle the associated equations. Hence, we instead verify versions of the protocols that use a mixnet, i.e. mix ballots in a random order before decryption. Overall, as can be seen in the table, our result allows for efficient verification of all protocols we considered. Thanks to the small bounds we establish, we get even better performance than previous work [4] in scenarios where that result applies – i.e. the first column, for multiset counting. In that case, some analyses took several hours/days in [4], due to the higher bounds. Our result is more general and can handle e.g. STV counting. On most tested protocols, performance remains acceptable in that case. However Proverif did not terminate on three files after 24 h: this is likely due to the combination of the complex equational theories used by these protocols, and the theory for STV, which is itself large.

190

7

S. Delaune and J. Lallemand

Conclusion

We have proposed a symbolic version of the BPRIV vote privacy notion, and established reduction results that help us efficiently verify it on several voting protocols, with different counting functions, using automated tools. As mentioned earlier, a limitation of our definition is the modelling of the correct tallying proofs, which we abstracted away. In the computational definition, they are handled using simulators. It remains to be seen whether such techniques can be adapted to the symbolic setting, and how. Our attacker already controls the channel between voters and the ballot box. A natural further step is to consider an even stronger attacker, that can modify the content of the ballot box (altering already cast ballots, etc..). BPRIV has recently been extended to such a scenario in the computational model [22], at the cost of a much more complex definition – adapting that work to the symbolic setting constitutes exciting future work.

Appendix A A.1

Some Counting Functions

Some 1-Bounded Counting Functions

Multiset. The result is the multiset of all votes. Formally, in our setting, a term representing that multiset is computed: for all n, count# ([v1 , . . . , vn ]) = f ({|v1 , . . . , vn |}) where f is a function such that f (M1 ) =E f (M2 ) (equality on terms) iff M1 =# M2 (equality on multisets). For instance, if we just output the list of all votes, the order cannot matter, i.e. count# ([a, b]) =E count# ([b, a]). Sum. A total of points total is given to each voter who decides to distribute them among the candidates of his choice. The result is a vector of integers representing the total of points obtained by each Assuming c candidates, for all n, candidate. n we have: countΣ ([v1 , . . . , vn ]) = f ( i=1 vi ) where vi = (p1 , . . . , pc ) with 1 ≤ i ≤ n, and p1 , . . . , pc ∈ N with p1 + . . . + pc ≤ total, and f is a function from vectors of c integers to terms such that f (u#„1 ) =E f (u#„2 ) (equality on terms) iff u#„1 = u#„2 (equality on vectors of integers). Majority. The majority function between two choices yes and no simply outputs yes if #yes > n/2 where n is the number of votes, and no otherwise. For all n, countMaj ([v1 , . . . , vn ]) = yes if #{i | vi = yes} > n/2; and countMaj ([v1 , . . . , vn ]) = no otherwise. Here, yes and no are two public constants (yes =E no). Lemma 1. The functions count# , countΣ , and countMaj are 1-bounded. Proof. Let [v1 , . . . , vn ] and [v1 , . . . , vn ] be two lists of votes with n > 1, such that count# ([v1 , . . . , vn ]) = count# ([v1 , . . . vn ]). Since count# is a function, we have {|v1 , . . . , vn |} = {|v1 , . . . , vn |}, and thus there exists i0 such that vi0 = vi0 . Hence, count([vi0 ]) = count([vi0 ]), which concludes the proof for count# . A similar rea  soning applies for countΣ , and countMaj .

One Vote Is Enough for Analysing Privacy

A.2

191

Single Transferable Vote

Single Transferable Vote (STV) is a system where each voter casts a single ballot containing a total ordering of all candidates. A vote goes to the voter’s first choice. If that choice is later eliminated, instead of being thrown away, the vote is transferred to her second choice, and so on. In each round, the least popular candidate is eliminated. His votes are transferred based on voters’ subsequent choices. The process is repeated until one candidate remains, who is declared the winner. We assume a total order ≺ on candidates is picked beforehand, and is used to break ties. The STV counting function outputs a term representing the winning candidate; it is parametrised by the set of candidates and the order ≺. Let Count3STV the STV function for candidates {a, b, c} with a ≺ b ≺ c. Votes are 3-tuples: (c1 ; c2 ; c3 ) where {c1 , c2 , c3 } = {a, b, c} and ci denotes the ith choice. Example 10. Let v = (a; b; c) and v  = (a; c; b). We have v = v  , however Count3STV ([v]) = Count3STV ([v  ]) = a. Thus, the previous reasoning to establish 1-boundedness does not apply here. Lemma 2. Count3STV is 5-bounded. Proof. We assume that a ≺ b ≺ c. Let  = [v1 , . . . , vn ] and  = [v1 , . . . , vn ] be two lists of Votes such that Count3STV () = Count3STV ( ). For each 1 ≤ i ≤ n, we denote (ci,1 ; ci,2 ; ci,3 ) the vote vi and (ci,1 ; ci,2 ; ci,3 ) the vote vi . Case 1: There exists 1 ≤ i0 ≤ n such that vi0 = (ci0 ,1 ; ci0 ,2 ; ci0 ,3 ) and vi0 = (ci0 ,1 ; ci0 ,2 ; ci0 ,3 ) with ci0 ,1 = ci0 ,1 . In such a case, we keep this vote, and we have ci0 ,1 = Count3STV ([vi0 ]) = Count3STV ([vi0 ]) = ci0 ,1 . Case 2: Otherwise, for 1 ≤ i ≤ n, we have ci,1 = ci,1 . Thus, at the first round, the eliminated candidate is the same on both sides. Call it c0 . If c0 does not occur as the first choice on a vote, i.e. c0 = ci,1 for all i (and thus c0 = ci,1 , as ci,1 = ci,1 ), then the eliminated candidate at the second round will be the same on both sides, and the winner as well, contradicting our hypothesis. Hence, c0 occurs as the first choice in some votes. Let i0 , . . . , ik the indices of all such votes. We have cij ,1 = cij ,1 = c0 for any j ∈ {0, . . . , k}. If the second choice is the same in all these votes, i.e. for j ∈ {0, . . . , k}, we have cij ,2 = cij ,2 , then the eliminated candidate at the second round, and thus the winner, would be the same on both sides, which contradicts our hypothesis. Therefore, there exists j ∈ {i0 , . . . , ik } such that vj = (c0 , c1 , c2 ), vj = (c0 , c2 , c1 ) where {c0 , c1 , c2 } = {a, b, c}. We keep vj , but we need more, as Count3STV ([vj ]) = Count3STV ([vj ]) = c0 . Since c0 is eliminated at the first round: 1. Either c0 = a and there exist j1 , j2 such that cj1 ,1 = cj1 ,1 = b, and cj2 ,1 = cj2 ,1 = c. Keeping these two votes in addition to vj /vj , we have that Count3STV ([vj , vj1 , vj2 ]) = Count3STV ([vj , vj 1 , vj 2 ]).

192

S. Delaune and J. Lallemand

2. Or c0 = b and there exist j1 , j2 , j3 (all distinct) such that cj1 ,1 = cj1 ,1 = a, cj2 ,1 = cj2 ,1 = a, and cj3 ,1 = cj3 ,1 = c. Keeping these three votes in addition to vj /vj , we have that Count3STV ([vj , vj1 , vj2 , vj3 ]) = Count3STV ([vj , vj 1 , vj 2 , vj 3 ]). 3. Or c0 = c and there exist distinct j1 , j2 , j3 , j4 such that cj1 ,1 = cj1 ,1 = a, cj2 ,1 = cj2 ,1 = a, cj3 ,1 = cj3 ,1 = b, and cj4 ,1 = cj4 ,1 = b. Keeping these four votes in addition to vj /vj , we get Count3STV ([vj , vj1 , vj2 , vj3 , vj4 ]) = Count3STV ([vj , vj 1 , vj 2 , vj 3 , vj 4 ]). We conclude that at most 5 votes are needed to ensure the result will be different.  

References 1. Delaune, S., Lallemand, J.: One vote is enough for analysing privacy (2022). https://hal.inria.fr/hal-03669664 2. Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: Hankin, C., Schmidt, D. (eds.) Conference Record of POPL 2001: The 28th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, London, UK, January 17–19, 2001, pp. 104–115. ACM (2001) 3. Adida, B.: Helios: web-based open-audit voting. In: van Oorschot, P.C. (ed.) Proceedings of the 17th USENIX Security Symposium, 28 July–1 August 2008, San Jose, CA, USA, pp. 335–348. USENIX Association (2008) 4. Arapinis, M., Cortier, V., Kremer, S.: When are three voters enough for privacy properties? In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9879, pp. 241–260. Springer, Cham (2016). https:// doi.org/10.1007/978-3-319-45741-3_13 5. Backes, M., Hritcu, C., Maffei, M.: Automated verification of remote electronic voting protocols in the applied pi-calculus. In: Proceedings of the 21st IEEE Computer Security Foundations Symposium, CSF 2008, Pittsburgh, Pennsylvania, USA, 23– 25 June 2008, pp. 195–209. IEEE Computer Society (2008) 6. Basin, D.A., Dreier, J., Sasse, R.: Automated symbolic proofs of observational equivalence. In: Ray, I., Li, N., Kruegel, C. (eds.) Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, October 12–16, 2015. pp. 1144–1155. ACM (2015) 7. Basin, D.A., Radomirovic, S., Schmid, L.: Alethea: a provably secure random sample voting protocol. In: 31st IEEE Computer Security Foundations Symposium, (CSF 2018). IEEE Computer Society (2018) 8. Benaloh, J.: Verifiable secret-ballot elections. Ph.D. thesis, Yale University (1987) 9. Benaloh, J.C., Yung, M.: Distributing the power of a government to enhance the privacy of voters (extended abstract). In: Halpern, J.Y. (ed.) Proceedings of the 5th Annual ACM Symposium on Principles of Distributed Computing, Calgary, Alberta, Canada, 11–13 August, 1986, pp. 52–62. ACM (1986) 10. Bernhard, D., Cortier, V., Galindo, D., Pereira, O., Warinschi, B.: A comprehensive analysis of game-based ballot privacy definitions. In: Proceedings of the 36th IEEE Symposium on Security and Privacy (S&P’15). IEEE Computer Society Press, San Jose, CA, USA (2015) 11. Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: 14th IEEE Computer Security Foundations Workshop (CSFW-14), pp. 82–96. IEEE Computer Society, Cape Breton, Nova Scotia, Canada (2001)

One Vote Is Enough for Analysing Privacy

193

12. Blanchet, B.: Modeling and verifying security protocols with the applied pi calculus and ProVerif. Found. Trends Privacy Secur. 1(1–2), 1–135 (2016) 13. Blanchet, B., Abadi, M., Fournet, C.: Automated verification of selected equivalences for security protocols. In: 20th IEEE Symposium on Logic in Computer Science (LICS 2005), pp. 331–340. IEEE Computer Society, Chicago (2005) 14. Blanchet, B., Smyth, B.: Automated reasoning for equivalences in the applied pi calculus with barriers. J. Comput. Secur. 26(3), 367–422 (2018) 15. Chaidos, P., Cortier, V., Fuchsbauer, G., Galindo, D.: BeleniosRF: a noninteractive receipt-free electronic voting scheme. In: 23rd ACM Conference on Computer and Communications Security (CCS 2016), pp. 1614–1625. ACM, Vienna, Austria (2016) 16. Chaum, D., Ryan, P.Y.A., Schneider, S.: A practical voter-verifiable election scheme. In: di Vimercati, S.C., Syverson, P., Gollmann, D. (eds.) A practical voter-verifiable election scheme. LNCS, vol. 3679, pp. 118–139. Springer, Heidelberg (2005). https://doi.org/10.1007/11555827_8 17. Comon-Lundh, H., Cortier, V.: Security properties: two agents are sufficient. In: Proc. 12th European Symposium on Programming (ESOP’03). LNCS, vol. 2618, pp. 99–113. Springer, Warsaw, Poland (2003) 18. Cortier, V., Dallon, A., Delaune, S.: Bounding the number of agents, for equivalence too. In: Piessens, F., Viganò, L. (eds.) POST 2016. LNCS, vol. 9635, pp. 211–232. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49635-0_11 19. Cortier, V., Filipiak, A., Lallemand, J.: BeleniosVS: Secrecy and verifiability against a corrupted voting device. In: 32nd IEEE Computer Security Foundations Symposium, CSF 2019, Hoboken, NJ, USA, June 25–28, 2019. IEEE (2019) 20. Cortier, V., Galindo, D., Turuani, M.: A formal analysis of the Neuchâtel e-voting protocol. In: 3rd IEEE European Symposium on Security and Privacy (Euro S&P’18), pp. 430–442. London, UK (2018) 21. Cortier, V., Gaudry, P., Glondu, S.: Belenios: a simple private and verifiable electronic voting system. In: Guttman, J.D., Landwehr, C.E., Meseguer, J., Pavlovic, D. (eds.) Belenios: A simple private and verifiable electronic voting system. LNCS, vol. 11565, pp. 214–238. Springer, Cham (2019). https://doi.org/10.1007/978-3030-19052-1_14 22. Cortier, V., Lallemand, J., Warinschi, B.: Fifty shades of ballot privacy: Privacy against a malicious board. In: 33rd IEEE Computer Security Foundations Symposium, CSF 2020, Boston, MA, USA, June 22–26, 2020, pp. 17–32. IEEE (2020) 23. Cortier, V., Smyth, B.: Attacking and fixing Helios: an analysis of ballot secrecy. J. Comput. Secur. 21(1), 89–148 (2013) 24. Cortier, V., Wiedling, C.: A formal analysis of the Norwegian e-voting protocol. J. Comput. Secur. 25(15777), 21–57 (2017) 25. Delaune, S., Hirschi, L.: A survey of symbolic methods for establishing equivalencebased properties in cryptographic protocols. J. Logical Algebraic Methods Programm. 87, 127–144 (2017) 26. Delaune, S., Kremer, S., Ryan, M.D.: Verifying privacy-type properties of electronic voting protocols. J. Comput. Secur. 17(4), 435–487 (2009) 27. D’Osualdo, E., Ong, L., Tiu, A.: Deciding secrecy of security protocols for an unbounded number of sessions: The case of depth-bounded processes. In: Proceedings of the 30th Computer Security Foundations Symposium, (CSF’17), pp. 464–480. IEEE Computer Society (2017) 28. Fröschle, S.: Leakiness is decidable for well-founded protocols. In: Focardi, R., Myers, A. (eds.) POST 2015. LNCS, vol. 9036, pp. 176–195. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46666-7_10

194

S. Delaune and J. Lallemand

29. Juels, A., Catalano, D., Jakobsson, M.: Coercion-resistant electronic elections. In: Chaum, D., Jakobsson, M., Rivest, R.L., Ryan, P.Y.A., Benaloh, J., Kutylowski, M., Adida, B. (eds.) Towards Trustworthy Elections. LNCS, vol. 6000, pp. 37–63. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12980-3_2 30. Meier, S., Schmidt, B., Cremers, C., Basin, D.: The TAMARIN prover for the symbolic analysis of security protocols. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 696–701. Springer, Heidelberg (2013). https://doi.org/ 10.1007/978-3-642-39799-8_48 31. Mödersheim, S., Viganò, L.: Alpha-beta privacy. ACM Trans. Priv. Secur. 22(1), 7:1–7:35 (2019) 32. Ryan, P.Y.A., Schneider, S.A.: Prêt à voter with re-encryption mixes. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds.) ESORICS 2006. LNCS, vol. 4189, pp. 313–326. Springer, Heidelberg (2006). https://doi.org/10.1007/11863908_20

Local Differential Privacy for Federated Learning Pathum Chamikara Mahawaga Arachchige1,2(B) , Dongxi Liu4 , Seyit Camtepe4 , Surya Nepal4 , Marthie Grobler1 , Peter Bertok3 , and Ibrahim Khalil3

2

1 CSIRO’s Data61, Melbourne, Australia [email protected] Cyber Security Cooperative Research Centre, Joondalup, Australia 3 RMIT University, Melbourne, Australia 4 CSIRO’s Data61, Sydney, Australia

Abstract. Advanced adversarial attacks such as membership inference and model memorization can make federated learning (FL) vulnerable and potentially leak sensitive private data. Local differentially private (LDP) approaches are gaining more popularity due to stronger privacy notions and native support for data distribution compared to other differentially private (DP) solutions. However, DP approaches assume that the FL server (that aggregates the models) is honest (run the FL protocol honestly) or semi-honest (run the FL protocol honestly while also trying to learn as much information as possible). These assumptions make such approaches unrealistic and unreliable for real-world settings. Besides, in real-world industrial environments (e.g., healthcare), the distributed entities (e.g., hospitals) are already composed of locally running machine learning models (this setting is also referred to as the cross-silo setting). Existing approaches do not provide a scalable mechanism for privacy-preserving FL to be utilized under such settings, potentially with untrusted parties. This paper proposes a new local differentially private FL protocol (named LDPFL) for industrial settings. LDPFL can run in industrial settings with untrusted entities while enforcing stronger privacy guarantees than existing approaches. LDPFL shows high FL model performance (up to 98%) under small privacy budgets (e.g., ε = 0.5) in comparison to existing methods. Keywords: Federated learning · Distributed machine learning · Differential privacy · Local differential privacy · Privacy preserving federated learning · Privacy preserving distributed machine learning

1

Introduction

Server-centric machine learning (ML) architectures cannot address the massive data distribution in the latest technologies utilized by many industries (crosssilo setting), including healthcare and smart agriculture. Besides, collecting data c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 195–216, 2022. https://doi.org/10.1007/978-3-031-17140-6_10

196

P. C. Mahawaga Arachchige et al.

from such industries to one central server for ML introduces many privacy concerns [2]. Federated learning (FL) is a recently developed distributed machine learning approach that provides an effective solution to privacy-preserving ML [18]. FL lets clients (participants) collect and process data to train a local ML model. The clients are then only required to share the model parameters of the locally trained ML models with a central server for parameter aggregation to generate a global representation of all client models. Finally, the server shares the global model with all participating clients. In this way, FL bypasses the necessity of sharing raw data with any other party involved in the ML training process. However, the model parameters of the locally shared models can still leak private information under certain conditions [31]. Hence, FL on sensitive data such as biometric images, health records, and financial records still poses privacy risks if proper privacy-preservation mechanisms are not imposed. Cryptographic scenarios and noise addition (randomization) mechanisms have been developed to mitigate the privacy leaks associated with FL [31,37]. Two of FL’s most frequently tested cryptographic approaches are secure multiparty computation (SMC) and homomorphic encryption. However, cryptographic approaches tend to reduce FL performance drastically due to their high computational and communication cost [6,37]. Most cryptographic approaches assume semi-honest (honest but curious) computations at specific points of the FL process. A semi-honest entity is assumed to conduct computations honestly; however, curious to learn as much information possible [10]. Among noise addition approaches, differentially private approaches are more preferred due to the robust privacy guarantees and high efficiency [13,31]. In global differential privacy (GDP), a trusted curator applies calibrated noise [16,33], whereas, in local differential privacy (LDP), the data owner perturbs their data before releasing them to any third party [16]. Hence, LDP provides higher levels of privacy as it imposes more noise compared to GDP [2]. Most existing approaches for FL are based on GDP [13]. However, the requirement of a trusted party makes GDP approaches less practical, whereas LDP approaches provide a more practical mode of dealing with the distributed clients in FL. Previous approaches try to impose LDP by applying noise/randomization over the model parameters of the local models [27]. However, most of these LDP approaches for FL cannot control the privacy budgets efficiently due to the extreme dimensionality of parameter matrices of underlying deep learning models [27]. For example, the LDP approach for FL proposed in [31] utilizes extensive ε values to enable sufficient utility challenging its use in practical settings. Besides, existing LDP approaches are not rigorously tested against more complex datasets [28,31]. Moreover, the weight distribution in different layers of the models has not been explicitly considered during the application of LDP [27]. We propose a novel local differentially private federated learning approach (named LDPFL: Local Differential Privacy for Federated Learning) for cross-silo settings that alleviate the issues of existing approaches. LDPFL solves the complexity of applying LDP over high dimensional parameter matrices by applying randomization over a 1D vector generated from the intermediate output of a

Local Differential Privacy for Federated Learning

197

locally trained model. LDPFL applies randomization over this 1D vector and trains a second fully connected deep neural network as the client model of an FL setting. The randomization mechanism in LDPFL utilizes randomized response (RR) [11] and optimized unary encoding (OUE) [29] to guarantee differential privacy of FL. Since LDPFL randomizes the inputs to the local models rather than altering the weights of the local models, LDPFL can provide better flexibility in choosing randomization, privacy composition, and model convergence compared to existing LDP approaches for FL. Compared to previous approaches (SMC [6,28], GDP - DPSGD) [1,28], and LDP - α-CLDP-Fed [15,28]), our empirical analysis shows that LDPFL performs better and achieves accuracy up to 98% under extreme cases of privacy budgets (e.g., ε = 0.5), ensuring a minimal privacy leak.

2

Background

This section provides brief descriptions of the preliminaries used in LDPFL that were proposed for privacy-preserving federated learning on deep learning in a cross-silo setting. LDPFL utilizes the concepts of local differential privacy (LDP), Randomized Aggregatable Privacy-Preserving Ordinal Response - RAPPOR (an LDP protocol based on randomized response for binary vectors), and optimized unary encoding (which is an optimization on RAPPOR for better utility). 2.1

Federated Learning

Federated learning (FL) [19] involves N distributed parties (connected to a central server) agreed on training local deep neural network (DNN) models with the same configuration. The process starts with the central server randomly initializing the model parameters, M0 , and distributing them to the clients to initialize their copy of the model. The clients train their local model separately using the data in their local repository for several local epochs and share the updated model parameters, Mu , with the server. The server aggregates the model parameters received from all clients using an aggregation protocol such as federated averaging to generate the federated model (MLf ed ). Equation 1 shows the process of federated averaging (calculating the average of values in each index of parameter matrices) to generate (MLf ed ), where Mu,i represents the updated model parameters sent by ith client. This is called one federation round. FL conducts multiple federation rounds until (MLf ed ) converges or the pre-defined number of rounds is reached. It was shown that (MLf ed ) produces accuracy as almost as close to a model centrally trained with the same data [35]. MLf ed =

1  Mu,i N i

(1)

198

2.2

P. C. Mahawaga Arachchige et al.

Local Differential Privacy

Local differential privacy (LDP) is the setting where the data owners apply randomization (or noise) on the input data before the data curator gains access to them. LDP provides a better privacy notion compared to GDP due to the increased noise levels and nonnecessity of a trusted curator. LDP is deemed to be the state-of-the-art approach for privacy-preserving data collection and distribution. A randomized algorithm A provides ε-local differential privacy if Eq. (2) holds [9]. Definition 1. A randomized algorithm A satisfies ε-local differential privacy if for all pairs of client’s values v1 and v2 and for all Q ⊆ Range(A) and for (ε ≥ 0), Eq. (2) holds. Range(A) is the set of all possible outputs of the randomized algorithm A. P r[A(v1 ) ∈ Q] ≤ exp(ε)P r[A(v2 ) ∈ Q] 2.3

(2)

Randomized Aggregatable Privacy-Preserving Ordinal Response (RAPPOR)

RAPPOR is an LDP algorithm proposed by Google based on the problem of estimating a client-side distribution of string values drawn from a discrete data dictionary [9]. Basic RAPPOR takes an input, xi (∈ Nd ), that is encoded into a binary string, B of d bits. Each d-bit vector contains d − 1 zeros with one bit at position v set to 1. Next, B is randomized to obtain B  satisfying DP. Sensitivity. The sensitivity, Δf of a function, f , is considered to be the maximum influence that a single individual can have on f . In the LDP setting, which involves encoding, this can be represented as given in Eq. (3), where xi and xi+1 are two adjacent inputs, and f represents the encoding. .1 represents the L1 norm of a vector [30]. Δf in RAPPOR is 2 as the maximum difference between two adjacent encoded bit strings (B(xi ) and B(xi+1 )) is only two bits. Δf = max{f (xi ) − f (xi+1 )1 }

(3)

Bit Randomization Probability. Take p to be the probability of preserving the actual value of an original bit in an input bit-string. p follows Eq. (4), where ε is the privacy budget offered by the LDP process, as proven by RAPPOR [9,22]. ε

ε

e2 e Δf = p= ε ε Δf 1 + e2 1+e

(4)

Local Differential Privacy for Federated Learning

2.4

199

Optimized Unary Encoding

Assume that the binary encoding used in RAPPOR (also referred to as Unary Encoding [29]) encodes an input instance xi into its binary representation B, which is a d bit binary vector. Let B[i] be the ith bit and B [i] is the perturbed ith bit. Assume that, one bit at position v of B is set to 1, whereas the other bits are set to zero. Unary Encoding (UE) [9] perturbs the bits of B according to Eq. 5.    p, if B[i] = 1 (5) Pr B [i] = 1 = q, if B[i] = 0 UE satisfies ε-LDP [9,29] for,  ε = ln

p(1 − q) (1 − p)q

 (6)

This can be proven as done in [9,29] for any bit positions, v1 , v2 (of the encoded inputs, x1 and x2 , respectively), and output B with sensitivity = 2. Proof. Considering a sensitivity of 2, choose p and q as follows, ε

e2 ε 1 + e2 1 q= ε 1 + e2      Pr B|v1 i∈[d] Pr B[i]|v1 =    Pr B|v2 i∈[d] Pr B[i]|v2     Pr B [v1 ] = 1|v1 Pr B [v2 ] = 0|v1     ≤ Pr B [v1 ] = 1|v2 Pr B [v2 ] = 0|v2 p 1−q = eε = · q 1−p p=

(7) (8)

(9)

Each bit (in a d-bit vector) is flipped independently. Equation 9, represents the state where any inputs, x1 and x2 result in bit-vectors that differ only in bit positions v1 and v2 . The maximum of this ratio is when v1 is 1 and v2 is 0 as represented by Eq. 9. Optimized Unary Encoding (OUE) introduces a utility enhancement to Unary Encoding by perturbing 0s and 1s differently. When B is a long binary vector, the number of 0s is significantly greater than the number of 1s in B. OUE introduces a mechanism to reduce the probability of perturbing 0 to 1 1 (p0→1 ). By setting p = 12 and q = 1+e ε , OUE improves the budget allocation for transmitting the 0 bits in their original state as much as possible. Following 1 Eq. 9, OUE provides ε-LDP when p = 12 , q = 1+e ε , and sensitivity = 2 [29].

200

2.5

P. C. Mahawaga Arachchige et al.

Postprocessing Invariance/Robustness and Composition

Any additional computations on the outcomes of a DP algorithm do not weaken its privacy guarantees. This property is called the postprocessing invariance/robustness in DP. A processed outcome of an ε-DP algorithm still provides ε-DP. Composition is another property of DP that captures the degradation of privacy when multiple differentially private algorithms are performed on the same or overlapping datasets [7]. When two DP algorithms ε1 -DP and ε2 -DP are applied to the same or overlapping datasets, the union of the results is equal to (ε1 + ε2 )DP [7]. In parallel composition, if a set of DP algorithms (M1 , M2 , . . . , Mn ) are applied on a dataset D divided into disjoint subsets of D1 , D2 , . . . , Dn , respectively (so that Mi provides εi − DP for every Di ), the whole process will provide max{ε1 , ε2 , . . . , εn } − DP on the entire dataset [38].

3

Our Approach

The proposed approach (to solve the issues raised in Sect. 1) is abbreviated as LDPFL (Local Differential Privacy for Federated Learning). Figure 1a shows the architecture of LDPFL. As shown in Fig. 1b, a client in LDPFL has three main tasks; (1) Generating a fully trained CNN using the local private data (refer to step 1 in Fig. 1b), (2) Generating flattened 1-D vectors of inputs and randomizing them to enforce DP (refer to step 2 and 3 in Fig. 1b), and (3) Conducting federated learning over randomized data (refer to step 4 in Fig. 1b).

Fig. 1. LDPFL architecture and its flow of main steps

Local Differential Privacy for Federated Learning

201

In the proposed setting, we assume the clients to be large-scale entities such as banks and hospitals (cross-silo setting), and any data owner would share private data with only one client in the distributed setting (i.e., input data instances are independent). Each client has a private local learning setup where fully trained models are maintained on locally-owned private data. To generalize the models, the clients collaborate with other clients (e.g., hospitals with other hospitals working on similar domains of data) through LDPFL. Each client uses their locally trained CNNs to obtain flattened vectors of the input instances, which are then encoded to binary vectors and randomized to enforce DP. The randomized inputs are then used to train a global model (GM) using federated learning. The following sections provide detailed descriptions of the overall process of LDPFL. 3.1

Generating a Fully Trained CNN Using the Local Private Data

The clients use the trained local CNN models to generate the flattened 1-D vectors of the inputs before input encoding and randomization. The randomized input vectors need to be of the same size for the FL setup. Besides, all clients must use the same CNN configurations for the input instances to be filtered through the same architecture of trained convolutional layers to allow a uniform feature extraction procedure. 3.2

Generating Flattened 1-D Vectors of Inputs and Randomizing Them to Enforce DP

Once the CNN models converge on the locally available datasets, the clients use the Convolution module (refer to CM in Fig. 1a) of the converged CNN models to predict 1-D flattened outputs from the last convolutional layer of the CM for all inputs. Next, the predicted flattened outputs (1-D vectors: 1DV ) are encoded to binary vectors, which are then randomized to produce DP binary vectors. Utilizing a fully trained client CNN model for data flattening enables LDPFL to preserve the representative features of the input data and maintain the attribute distributions to generate high utility. Binary Encoding. Each element of a 1DV is converted to a binary value (binary representation) according to Eq. (10). m and n are the numbers of binary digits of the whole number and the fraction, respectively. x represents the original input value where x ∈ R, and g(i) represents the ith bit of the binary string where the least significant bit is represented when k = −m. Positive numbers are represented with a sign bit of 0, and negative numbers are represented with a sign bit of 1. n 

2−k x mod 2 where i = k + m (10) g(i) = k=−m

202

P. C. Mahawaga Arachchige et al.

The binary conversion’s sensitivity and precision (the range of floating values represented by the binary numbers) can be changed by increasing or decreasing the values chosen for n and m. Separately randomizing each binary value adds up the privacy budget after each randomization step according to the composition property of DP (refer to Sect. 2.5). Besides, dividing the privacy budget among the binary values introduces unreliable levels of bit randomization. Hence, we merge all binary values into one long binary vector (Lb ) before the randomization to consume the privacy budget of randomization efficiently. Large values for n and m can result in undesirably long binary vectors for randomization. Hence, n and m must be chosen carefully by empirically evaluating and adjusting them to produce high model accuracy. Randomization. The length of an encoded binary string is l = (m + n + 1); hence, the full length of a merged binary string (Lb ) is rl (take, v to be any bit position of Lb set to 1), where r is the total number of outputs of the 1DV . Consequently, the sensitivity of the encoded binary strings can be taken as l × r, as two consecutive inputs can differ by at most l × r bits. Now the probability of randomization can be given by Eq. (11) (according to Eq. 4). eε/rl (11) 1 + eε/rl With p probability of randomization, the probability of randomization in reporting opposite of the true bits is (1 − p) = 1+e1ε/rl . This probability can lead to an undesirable level of randomization (with UE or OUE) due to the extremely high sensitivity rl. Hence, LDPFL employs an optimized randomization mechanism that further optimizes OUE to perturb 0s and 1s differently, reducing the probability of perturbing 0 to 1. In this way, LDPFL tries to maintain the utility at a high level under the high sensitivity of concatenated binary vectors, Lb s. The parameter, α (the privacy budget coefficient) is introduced as defined in Theorem 1 to improve the flexibility of randomization probability selection further while still guaranteeing ε-LDP . By increasing α, we can increase the probability of transmitting the 0 bits in their original state. p=

Theorem 1. Let v1 , v2 be any equally distributed bit positions of any two binary vectors Lb1 and Lb2 , respectively, and B be a d-bit binary string output. When ε     rl/2 1 Pr B [v1 ] = 1|v1 = 1+α , Pr B [v2 ] = 0|v1 = αe ε , the randomization pro1+αe rl/2

vides ε-LDP . Proof. Let ε be the privacy budget and α be the privacy budget coefficient.

Local Differential Privacy for Federated Learning

     Pr B|v1 i∈[d] Pr B[i]|v1 =    Pr B|v2 i∈[d] Pr B[i]|v2      rl/2 Pr B [v1 ] = 1|v1 Pr B [v2 ] = 0|v1     ≤ Pr B [v1 ] = 1|v2 Pr B [v2 ] = 0|v2 ⎛  ⎞rl/2  ε   rl/2 αe 1 ε ⎜ 1+α ⎟ 1+αe rl/2 ⎜ · ⎟ = ⎜ = eε ⎟ ⎝ α ⎠ 1 1+α

203

(12)

ε

1+αe rl/2

Theorem 1 provides the flexibility for selecting the randomization probabilities at large α values. However, it can introduce undesirable randomization levels on 1s when the bit string is too long (e.g., more than 10,000 bits). Hence, we extend Theorem 1 further to impose additional flexibility over bit randomization. This is done by employing two randomization models over the bits of Lb , by randomizing one half of the bit string differently from the other half while still preserving ε − LDP as defined in Theorem 2. Consequently, Theorem 2 applies th th less randomization on 34 of a binary string while other 14 of the binary string is heavily randomized. In this way, the randomization can maintain a high utility for extensively long binary strings as a significant part of the binary string is still preserved. Theorem 2. Let P r(B|v) be the probability of randomizing a bit for any input bit position v and output B. For any equally distributed input bit positions, v1 , v2 of any two binary vectors, Lb1 and Lb2 , respectively, with a sensitivity = rl, define the probability, P r(B|v) as in Eq. 13. Then the randomization provides ε-LDP. Proof. Choose the randomization probabilities according ⎧   α ⎪ Pr B [v1 ] = 1 | v1 = 1+α ⎪ ⎪ ε ⎪   ⎪ ⎪ ⎨ Pr B [v2 ] = 0 | v1 = αe rl/2ε rl/2  1+αe  P r(B|v) = 1 Pr B [v1 ] = 1 | v1 = 1+α ⎪ 3 ⎪ ε ⎪   ⎪ ⎪ αe rl/2 ⎪ ε ⎩ Pr B [v2 ] = 0 | v1 =

to Eq. 13.

1+αe rl/2

where, S1 = {2n | n ∈ N} and S2 = {2n + 1 | n ∈ Z+ }.

if i ∈ S1 if i ∈ S1 if i ∈ S2 if i ∈ S2

(13)

204

P. C. Mahawaga Arachchige et al.

     Pr B|v1 i∈[d] Pr B[i]|v1 =    Pr B|v2 i∈[d] Pr B[i]|v2       i∈S1 Pr B[i]|v1 i∈S2 Pr B[i]|v1     = × i∈S1 Pr B[i]|v2 i∈S2 Pr B[i]|v2      rl/4 Pr B [v1 ] = 1|v1 Pr B [v2 ] = 0|v1     ≤ Pr B [v1 ] = 1|v2 Pr B [v2 ] = 0|v2      rl/4 (14) Pr B [v1 ] = 1|v1 Pr B [v2 ] = 0|v1     × Pr B [v1 ] = 1|v2 Pr B [v2 ] = 0|v2 ⎛  ⎞rl/4 ⎛  ⎞rl/4   ε ε     rl/2 rl/2 αe αe α 1 ε ε ⎜ 1+α ⎜ 1+α ⎟ ⎟ 3 1+αe rl/2 1+αe rl/2 ⎜ ⎜ ⎟ · ⎟ ⎟ =⎜ ⎜ 3  ·  ⎟ ⎝ 1 ⎝ α 3 ⎠ ⎠ 1 1 1+α

ε

1+αe rl/2

1+α

ε

1+αe rl/2

= eε 3.3

Conducting Federated Learning over Randomized Data

After declaring the FL setup, the clients feed the randomized binary vectors as inputs to the FL setup of LDPFL. We assume that all examples are independent and that clients do not collude with one another. As shown in Fig. 1a, after the initialization of the local models, all clients train a local model (as represented by DNN in the figure) using the randomized inputs for a certain number of local epochs and transfer the trained model parameters to the server. Since LDPFL uses local differential privacy at each client and all examples are independent, the final privacy budget consumption is the maximum of all privacy budgets used by each client (max{ε1 , ε2 , . . . , εn } − DP ). Algorithm 1 shows the composition of the steps (explained in Sect. 3) of LDPFL in conducting differentially private federated learning that satisfies ε − LDP .

Local Differential Privacy for Federated Learning Algorithm 1: LDPFL Algorithm

1 2 3 4 5 6

7

{cx1 , . . . , cxz } ← client datasets of z clients ε ← privacy budget m ← number of bits 8 for the whole number n ← number of bits 9 for the fraction Input: α ← privacy budget 10 coefficient el ← the total 11 number of local epochs 12 E ← the total 13 number of global rounds GM ← differentially private 14 Output: 15 global model 16 Part I: Randomized data 17 generation at clients: 18 Declare ith client’s model CN Ni for each client (Ci ) (refer to Section 3.1); 19 Train CN Ni with cxi until the convergence; Split trained CN Ni into CMi and F Ni 20 (refer to Section 3.2 and Fig. 1); Declare, l = (m + n + 1); 21 Feed cxi to CMi and generate the sequence of 1-D feature arrays th {d1 , . . . , dj }i for j data samples in i 22 client; Convert each field (x) of dq (where, 23 q = 1, . . . , j) to binary using, g(i) = 24 25

4



n  2−k |x| mod 2

k=−m

205

where, i =

k + m; Generate arrays {F LT1 , . . . , F LTj }i by merging the binary arrays of each dq in {d1 , . . . , dj }i ; Calculate the randomization probability, p according to Equation 13; Randomize each F LTq of {F LT1 , . . . , F LTj }i based on Theorem 2 to generate {RN D1 , . . . , RN Dj }i ; Declare client models (DN Ni ) of each client (and the server - GM ) for FL; Part II: Federated learning: Server randomly initializes model parameters (M0 ); Server sends M0 to the z clients; Clients initialize DN Ni using M0 ; e = 1; while e ≤ E do for each client, Ci in the current round do Train DN Ni using {RN D1 , . . . , RN Dj }i for el epochs; Send updated parameters Mui to the server; Conduct federated averaging,  MLf ed = v1 i Mui (for v clients contributed to the current round); Update client models (DN N s) with MLf ed ; e = e + 1; GM = MLf ed ; return GM;

Results and Discussion

To test LDPFL, we use the MNIST [17], the CIFAR10 [1], the SVHN [25], and the FMNIST [32] datasets. CIFAR10 is a much more complex dataset to be trained than MNIST. Hence, these two datasets introduce a balanced experimental setting for LDPFL performance testing. However, MNIST and CIFAR10 have a limited number of examples of 70,000 and 60,000 images, respectively. Hence, an extensive dataset is necessary to enable all clients to have a large enough dataset partition to test LDPFL’s performance under a large number of clients. We use SVHN with 600,000 images to solve this problem. Besides, we use the FMNIST dataset for the performance comparison of LDPFL against previous approaches following the benchmarking conducted in [28]. We used a MacBook pro-2019 computer for single program experimentations. It has a processing unit of 2.4 GHz 8-Core Intel Core i9 and a memory of 32 GB 2667 MHz DDR4. We used one 112 Dual Xeon 14-core E5-2690 v4 Compute Node (with 256 GB RAM and 4 T P100-SXM2-16 GB GPUs) of the CSIRO Bracewell HPC cluster for multi-round experimentation (repeating the experiments multiple rounds in parallel). We repeated all experiments ten times in the CSIRO Bracewell HPC cluster and reported the average performance to maintain the stability of the results.

206

4.1

P. C. Mahawaga Arachchige et al.

LDPFL Architectural Configurations and Datasets Used During the Experiments

We used two LDPFL architectural configurations to study the performance under different dynamics of the datasets used, as the correct configuration leads to high model quality [23]. Figure 13b shows the architecture used for the MNIST dataset. As shown in Fig. 13a, we used a comparably complex configuration for CIFAR10, FMNIST, and SVHN as they are more complex datasets compared to MNIST. Figures 13b and 13a show the flow of modules in LDPFL, layer types used in the networks, the input size of each layer, and the layer order from top to bottom. The input size of a particular layer also indicates the output size of the previous layer. The resolution of an image in FMNIST is 28 × 28 × 1 was different from the image resolution (32 × 32 × 3) in CIFAR10 and SVHN. Hence, we made necessary modifications (discussed in Sects. 6 and 4.2) to the architecture in Fig. 13a to accommodate the change in the input size when LDPFL was tested on FMNIST. As shown in Figs. 13b and 13a we used the Python Keras API [8] to implement the CNN and DP modules. The federated learning module of LDPFL was implemented using the PyTorch API [21]. 4.2

Conducting Experiments on LDPFL

Distributing Data Among Clients for the Experiments. We split the total number of records into groups with equal numbers of records according to the highest number of clients – Nh (the LDPFL was going to be tested on). Tr records, where Tr is the total Hence, a particular client holds a total of N h number of records. However, for the experiments on highly imbalanced data (the non-IID setting), we randomly distributed FMNIST data among ten clients with high sparseness, as shown in Fig. 7a.

Fig. 2. MNIST local model (refer to CNN in Figs. 1a and 13b) performance

Fig. 3. MNIST global model (refer to GM in Figs. 1a and 13b) performance

Training Client CNN Models with Image Augmentation. We used 60000, 50000, 60000, and 451461 training samples and 10000, 10000, 10000, and 79670 testing samples, and Nh was set to 2, 2, 10, and 100 under MNIST, CIFAR10, FMNIST, and SVHN, respectively. Hence, each client had 30000, 25000, 6000, and 4514 data samples for training, and 5000, 5000, 1000, and

Local Differential Privacy for Federated Learning

207

796 testing samples under MNIST, CIFAR10, FMNIST, and SVHN, respectively. Each client used 90% of local data for training and 10% for testing. All clients used image augmentation to maintain a high local model performance and robustness under a low number of data samples. For this task, we used “ImageDataGenerator” (from keras.preprocessing.image) with rotation range = 15, width shift range = 0.1, and height shift range = 0.1. We used RMSprop (lr = 0.001, decay = 1e−6) optimizer for local CNN training with a batch size of 64. All CNNs were trained for 50 epochs. Figures 2 and 4 show the two CNN client model performances under MNIST and CIFAR10, respectively. Figure 6a shows the CNN model performance of a randomly chosen one of the ten clients under FMNIST. From the 100 dataset splits of SVHN, we only considered a maximum of 50 clients as it provided enough evidence to understand the LDPFL performance patterns against the increasing number of clients. Figure 8 shows the CNN model performance of a randomly chosen one of the 50 clients. The client CNN performance plots (Figs. 2, 4, 6a, and 8) show that the configurations chosen for the client CNN models under each dataset generate good model performance.

Fig. 4. CIFAR10 local model (refer to CNN in Figs. 1a and 13a) performance

(a) FMNIST local model performance of a client (randomly selected - refer to CNN in Figures 1a and 13a)

Fig. 5. CIFAR10 global model (refer to GM in Figs. 1a and 13a) performance. The third sub-figure shows the DNN accuracy without federated learning

(b) FMNIST global model (refer to GM in Figures 1a and 13a) performance

Fig. 6. LDPFL performance under the FMNIST dataset

208

P. C. Mahawaga Arachchige et al.

Fig. 7. Performance of LDPFL against vanilla FL under highly imbalanced (FMNIST) data (the non-IID setting)

Randomizing Data for Differentially Private FL. The flattened outputs maintain a high correlation to the corresponding original inputs as the CM (refer to Fig. 1) was already trained on the inputs. Hence, the randomized data can appropriately preserve the input characteristics leading to good classification accuracy. During the data randomization, we maintained m, n, α, and ε at 4, 5, 10, and 0.5, respectively unless mentioned otherwise. With the sign bit, each digit in the flattened output is encoded to 10-bit l = (m+n+1) binary representation. Since the sensitivity of an encoded binary string is equal to its length (rl), the binary strings generated under MNIST, CIFAR10, SVHN, and FMNIST have sensitivities of 10240, 20480, 20480, and 11520, respectively. Hence, we maintain epsilon at 0.5, as increasing ε within the acceptable limits (e.g., 0 < ε ≤ 10) has ε . By maintaining α at a constant value of 10 (unless a negligible impact on rl/2 specified otherwise), we ensure that the binary string randomization dynamics are kept uniform during all experiments to observe unbiased results. However, to investigate the effect of α on the global model convergence, we changed α from 4 to 10 (refer to Fig. 12).

(a) 2 clients (b) 10 clients(c) 20 clients (d) 50 clients

Fig. 8. SVHN local model performance of a randomly selected client (refer to CNN in Figs. 1a and 13a)

Fig. 9. SVHN global model (refer to GM in Fig. 1a and 13a) loss under deferent numbers of clients

Local Differential Privacy for Federated Learning

(a) 2 clients

(b) 10 clients

(c) 20 clients

209

(d) 50 clients

Fig. 10. SVHN global model (refer to GM in Figs. 1a and 13a) accuracy under deferent numbers of clients

Fig. 11. SVHN Global model test accuracy comparison under different number of clients

Fig. 12. MNIST Global model test accuracy comparison under different α values

Conducting Federated Learning over Randomized Data. The part of the Figs. 13b and 13a enclosed by the blue dotted square shows the configurations of the DNNs used in the FL setup of LDPFL. Under MNIST, all the clients use Adam (betas = (0.9, 0.999), eps = 1e−08) optimizer, whereas, under CIFAR10, FMNIST, and SVHN, all the clients use stochastic gradient descent (SGD) optimizer for local model learning with a learning rate of 0.001 and a batch size of 32. Each client runs the local DNNs for 50 epochs and sends the trained parameters to the server. One round of FL includes executing client model training for 50 epochs, model federation, and model state update with federated parameters. We conduct different numbers of FL rounds sufficient to show the convergence patterns under each dataset based on the size. For FMNIST, we run FL for 80 rounds to replicate the settings of a previous study [28], which we utilize for benchmarking. 4.3

LDPFL Model Performance

Figures 3, 5, and 6b show the performance of the final LDPFL models under MNIST, CIFAR10, and FMNIST, respectively. LDPFL generates good model performance under both datasets. The global model performs well when the client models perform well, as evident from the plots. As LDPFL uses the fully trained CNN to generate a subsequent training dataset for the DP federated learning step of LDPFL, a good CNN client model enables producing a global model with good performance. As shown in the third sub-figure of Fig. 5, the client DNN is unable to generalize when the FL module is disabled, highlighting the importance of the LDPFL protocol. This shows that although the clients have good performing local CNN models, the client DNNs cannot generalize to learn features from other distributed entities without FL. Figures 9 and 10 show

210

P. C. Mahawaga Arachchige et al.

the model loss and accuracy convergence of LDPFL under different numbers of clients (under the SVHN dataset). Figure 11 provides a comparison of the testing accuracy convergence of the LDPFL model under different client numbers (under the SVHN dataset). The higher the number of clients, the higher the time necessary for model convergence. We can also notice that the accuracy decreases when the number of clients increases, which reduces the total number of tuples within each client, producing CNNs with slightly less model performance. Consequently, each client applying LDP locally while maintaining local data representations can entail high randomization diversity. However, as shown in the plots, LDPFL provides a better approach to maintaining utility under complex datasets than other LDP approaches for lower privacy budgets when there are many clients. This is due to the clients in LDPFL maintaining the local data distributions by utilizing a locally converged model (with good performance) on the input data. Figure 7 shows the LDPFL performance under highly imbalanced data (the nonIID setting). According to the plots (refer to Fig. 7), it is apparent that LDPFL follows (with reduced accuracy due to data randomization from DP) the convergence pattern of vanilla FL, confirming that the LDPFL algorithm does not impact the basic flow of the FL protocol. Figure 12 shows the performance of LDPFL under different levels of the privacy budget coefficient (α). LDPFL takes slightly more time to converge with a slightly reduced accuracy when α is small. This is due to reduced α forcing LDPFL to increase the data randomization levels. Performance Comparison of LDPFL Against Existing Approaches. For the performance comparison, we followed the benchmarking used in a previous study [28] on an approach named LDP-Fed that imposes α-CLDP (a generalization of LDP [15]) on federated learning. We compare the results of LDPFL against 4 previous approaches; (1) Non-private, (2) Secure multi-party computing (SMC) [6,28], (3) Differentially private stochastic gradient descent (DPSGD) [1,28], and (4) α-Condensed Local Differential Privacy for Federated Learning (α-CLDP-Fed) [15,28]. These four approaches consider the k-Client selection protocol in which nine client updates will be considered for the federation in every round [28]. For benchmarking [28] set α of α-CLDP-Fed to 1.0, and the privacy parameters (e.g., ε and δ) of the other three approaches are set accordingly to match with α = 1.0 [15,28]. We use the same default privacy parameters explained in Sect. 4.2 for LDPFL (refer to Sect. 4.2 for the primary factors that influence value assignments for the privacy parameters). The accuracy was generated on the FMNIST dataset. For LDPFL, we considered nine randomly chosen client updates out of 10. The model convergence of LDPFL for FMNIST is shown in Figs. 6b. The accuracy values in Table 1 are generated after 80 rounds of the federation. As shown in the table, LDPFL generates the second-highest accuracy. However, compared to LDPFL, α-CLDP-Fed enforces a generalized form of LDP. Hence, LDPFL enforces the strictest privacy levels on the global model compared other four approaches (in Table 1), concluding that LDPFL delivers an overall better performance by providing a better balance between privacy and utility.

Local Differential Privacy for Federated Learning

211

Table 1. Comparison of LDPFL against the existing methods. NA: Not available, ND: Not defined, Basic: general DP (GDP), Moderate: not as strong as LDP but a generalization of LDP, which is better than general DP, High: satisfies strong LDP guarantees, RQ: Required, NR: Not required. Method

Efficiency (compared to baseline)

Privacy model

Privacy modelstrength

Trusted party requirement

Accuracy (after 80 rounds with 9 client updates every round)

Non-private

Baseline

NA

NA

RQ

∼90%

SMC

Low

NA

ND

RQ

∼90%

DPSGD

High

(ε, δ)-DP

Basic

RQ

∼80%

α-CLDP-Fed

High

α-CLDP

Moderate

NR

∼85.28%–86.93%

LDPFL

High

ε-LDP

High

NR

∼81%

5

Related Work

Privacy-preserving approaches for FL can be broadly categorized into encryption-based (cryptographic) [6] and data modification-based (perturbation) [31]. Cryptographic approaches look at how secure aggregation of parameters can be conducted at the FL server. The most widely adapted cryptographic approach for secure aggregation is secure multi-party computation (MPC) [10]. MPC enables the secure evaluation of a function on private data (also called secret shares) distributed among multiple parties who do not trust each other [6]. The requirement of a trusted party (e.g., VerifyNet [34], and VeriFL [14]) or the requirement of a considerably high number of communications (e.g., Bonawitz et al.’s approach [6] and Bell et al.’s approach [5]) are two of the fundamental problems of most of the existing MPC approaches for FL [6]. Besides, the existing MPC approaches show vulnerability towards advanced adversarial attacks such as backdoor attacks [4]. Homomorphic encryption (HE) is the other frequently adapted cryptographic approach for the secure aggregation of parameters in FL. HE enables algebraic operations over encrypted data to produce a ciphertext that can be decrypted to obtain the algebraic outcome on the original plaintext with security and privacy [12]. However, scalability has been a major challenge in HE. The latest approaches, such as BatchCrypt, try to introduce less complex HE-based solutions for secure FL parameter aggregation [36]. Besides, the distributed setting makes HE infeasible for large-scale scenarios due to the low efficiency [26,35]. Both global differential private (GDP) approaches [3,13] and local differential private (LDP) [24,28] approaches were introduced to FL [31]. GDP approaches focus on privately learning the algorithm (e.g., SGD) [13,20], whereas LDP approaches [24,28] focus on randomizing the data inputs to the algorithm (it can be the direct randomization of user inputs or randomization of the model parameters before sending them to the aggregator) to learn on randomized data. Robin et al.’s approach [13] and Asoodeh et al.’s approach [3] are

212

P. C. Mahawaga Arachchige et al.

two of the GDP approaches for FL, whereas LDP-Fed [28] and Seif et al.’s approach [24] are two LDP approaches. The primary issue of most GDP approaches is the requirement of a trusted aggregator. These approaches focus more on privacy leaks among the FL clients [3,13]. By either randomizing user inputs or parameters before sending them to the aggregator, LDP-based approaches provide a stricter privacy setting [24,28]. However, existing LDP approaches often consume unreliable privacy budgets (ε) to produce good accuracy, work on generalized LDP guarantees (e.g., α-CLDP), or do not produce a high accuracy compared to GDP approaches. Hence, there is a significant imbalance between the privacy and utility of LDP approaches. Developing new LDP approaches, such as LDPFL, is essential to answer these challenges.

6

Conclusion

We proposed a utility-enhancing, differentially private federated learning approach (abbreviated as LDPFL) for industrial (cross-silo) settings. LDPFL uses local differential privacy (LDP) to enforce strict privacy guarantees on FL. The proposed approach provides high testing accuracy (e.g., 98%) under strict privacy settings (e.g., ε = 0.5). LDPFL preserves data utility by using a fully trained local model to filter and flatten the input features. The LDPFL’s LDP model enables high utility preservation by randomizing one half of the binary string differently from the other half, ensuring a high bit preservation during binary string randomization. The LDP approach of LDPFL also allows federated learning under untrusted settings (e.g., with untrusted clients and an untrusted server) while preserving high privacy and utility. Besides, benchmarking suggests that LDPFL is preferred when high utility is required under strict privacy settings (maintaining a proper balance between privacy and utility). Acknowledgment. The work has been supported by the Cyber Security Research Centre Limited whose activities are partially funded by the Australian Government’s Cooperative Research Centres Programme.

Local Differential Privacy for Federated Learning

213

Appendices Appendix A: Model Configurations

Fig. 13. LDPFL architectures used for the datasets (Color figure online)

The images in the MNIST dataset have a resolution of 28 × 28 × 1 (one channel), which are size-normalized and centered [17]. Hence, the input layer size of the CNN used for MNIST is 28 × 28 × 1 (refer to Fig. 13b. Convolution layers no. 3 and no. 6 use 32, 3 × 3 filters with stride 1, whereas convolution layers no. 10 and no. 13 use 64, 3 × 3 filters with stride 1. We used a kernel regularizer of regularizers.l2(weight decay = 1e−4) for all convolution layers. Both max-pooling layers (layers no. 8 and no. 15) use 2 × 2 max pools. All batch normalization layers (layer numbers 5, 9, 12, 17, and 20) use “axis = −1”.

214

P. C. Mahawaga Arachchige et al.

The images in the CIFAR10 and SVHN datasets have a resolution of 32 × 32 × 3, which are size-normalized and centered [17]. Hence, the input layer size of the CNNs used for CIFAR10 and SVHN is 32 × 32 × 3 (refer to Fig. 13a). Convolution layers no. 3 and no. 6 use 32, 3 × 3 filters with stride 1, convolution layers no. 11 and no. 14 use 64, 3 × 3 filters with stride 1, and convolution layers no. 19 and no. 22 use 128, 3 × 3 filters with stride 1. All three max-pooling layers (layers no. 9, no. 17, and no. 25) use 2 × 2 max pools. The image resolution of FMNIST images is 28 × 28 × 1. Hence, only the input layer size of the CNN (refer to Fig. 13a) was changed to 28 × 28 × 1 while keeping all other settings of the local CNN architecture unchanged.

References 1. Abadi, M., et al.: Deep learning with differential privacy. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 308–318. ACM (2016) 2. Arachchige, P.C.M., Bertok, P., Khalil, I., Liu, D., Camtepe, S., Atiquzzaman, M.: Local differential privacy for deep learning. IEEE Internet Things J. 7(7), 5827– 5842 (2019) ¨ ur, A.: Differentially private feder3. Asoodeh, S., Chen, W.N., Calmon, F.P., Ozg¨ ated learning: an information-theoretic perspective. In: 2021 IEEE International Symposium on Information Theory (ISIT), pp. 344–349. IEEE (2021) 4. Bagdasaryan, E., Veit, A., Hua, Y., Estrin, D., Shmatikov, V.: How to backdoor federated learning. In: International Conference on Artificial Intelligence and Statistics, pp. 2938–2948. PMLR (2020) 5. Bell, J.H., Bonawitz, K.A., Gasc´ on, A., Lepoint, T., Raykova, M.: Secure singleserver aggregation with (poly) logarithmic overhead. In: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pp. 1253– 1269 (2020) 6. Bonawitz, K., et al.: Practical secure aggregation for privacy-preserving machine learning. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1175–1191 (2017) 7. Bun, M., Steinke, T.: Concentrated differential privacy: simplifications, extensions, and lower bounds. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9985, pp. 635–658. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-536414 24 8. Chollet, F., et al.: Keras: deep learning library for Theano and TensorFlow (2015). https://keras.io/k 7(8) ´ Pihur, V., Korolova, A.: RAPPOR: randomized aggregatable 9. Erlingsson, U., privacy-preserving ordinal response. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 1054–1067. ACM (2014) 10. Fereidooni, H., et al.: SAFELearn: secure aggregation for private federated learning. In: 2021 IEEE Security and Privacy Workshops (SPW), pp. 56–62. IEEE (2021) 11. Fox, J.A.: Randomized Response and Related Methods: Surveying Sensitive Data, vol. 58. SAGE Publications, Beverly Hills (2015) 12. Gentry, C.: A Fully Homomorphic Encryption Scheme. Stanford University (2009)

Local Differential Privacy for Federated Learning

215

13. Geyer, R.C., Klein, T., Nabi, M.: Differentially private federated learning: a client level perspective. arXiv preprint arXiv:1712.07557 (2017) 14. Guo, X., et al.: VeriFL: communication-efficient and fast verifiable aggregation for federated learning. IEEE Trans. Inf. Forensics Secur. 16, 1736–1751 (2020) 15. Gursoy, M.E., Tamersoy, A., Truex, S., Wei, W., Liu, L.: Secure and utility-aware data collection with condensed local differential privacy. IEEE Trans. Dependable Secure Comput. 18, 2365–2378 (2019) 16. Kairouz, P., Oh, S., Viswanath, P.: Extremal mechanisms for local differential privacy. In: Advances in Neural Information Processing Systems, pp. 2879–2887 (2014) 17. LeCun, Y., Bottou, L., Bengio, Y., Haffner, P.: Gradient-based learning applied to document recognition. Proc. IEEE 86(11), 2278–2324 (1998) 18. Li, T., Sahu, A.K., Talwalkar, A., Smith, V.: Federated learning: challenges, methods, and future directions. IEEE Signal Process. Mag. 37(3), 50–60 (2020) 19. McMahan, H.B., Moore, E., Ramage, D., Arcas, B.A.: Federated learning of deep networks using model averaging. arXiv preprint arXiv:1602.05629 (2016) 20. McMahan, H.B., Ramage, D., Talwar, K., Zhang, L.: Learning differentially private recurrent language models. arXiv preprint arXiv:1710.06963 (2017) 21. Paszke, A., et al.: PyTorch: an imperative style, high-performance deep learning library. Adv. Neural. Inf. Process. Syst. 32, 8026–8037 (2019) 22. Qin, Z., Yang, Y., Yu, T., Khalil, I., Xiao, X., Ren, K.: Heavy hitter estimation over set-valued data with local differential privacy. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 192– 203. ACM (2016) 23. Schmidhuber, J.: Deep learning in neural networks: an overview. Neural Netw. 61, 85–117 (2015) 24. Seif, M., Tandon, R., Li, M.: Wireless federated learning with local differential privacy. In: 2020 IEEE International Symposium on Information Theory (ISIT), pp. 2604–2609. IEEE (2020) 25. Sermanet, P., Chintala, S., LeCun, Y.: Convolutional neural networks applied to house numbers digit classification. In: Proceedings of the 21st International Conference on Pattern Recognition (ICPR 2012), pp. 3288–3291. IEEE (2012) 26. So, J., G¨ uler, B., Avestimehr, A.S.: Turbo-aggregate: breaking the quadratic aggregation barrier in secure federated learning. IEEE J. Sel. Areas Inf. Theory 2(1), 479–489 (2021) 27. Sun, L., Qian, J., Chen, X., Yu, P.S.: LDP-FL: practical private aggregation in federated learning with local differential privacy. arXiv preprint arXiv:2007.15789 (2020) 28. Truex, S., Liu, L., Chow, K.H., Gursoy, M.E., Wei, W.: LDP-Fed: federated learning with local differential privacy. In: Proceedings of the Third ACM International Workshop on Edge Systems, Analytics and Networking, pp. 61–66 (2020) 29. Wang, T., Blocki, J., Li, N., Jha, S.: Locally differentially private protocols for frequency estimation. In: 26th USENIX Security Symposium (USENIX Security 2017), pp. 729–745 (2017) 30. Wang, Y., Wu, X., Hu, D.: Using randomized response for differential privacy preserving data collection. In: EDBT/ICDT Workshops, vol. 1558 (2016) 31. Wei, K., et al.: Federated learning with differential privacy: algorithms and performance analysis. IEEE Trans. Inf. Forensics Secur. 15, 3454–3469 (2020) 32. Xiao, H., Rasul, K., Vollgraf, R.: Fashion-MNIST: a novel image dataset for benchmarking machine learning algorithms. arXiv preprint arXiv:1708.07747 (2017)

216

P. C. Mahawaga Arachchige et al.

33. Xiao, X., Tao, Y.: Output perturbation with query relaxation. Proc. VLDB Endow. 1(1), 857–869 (2008) 34. Xu, G., Li, H., Liu, S., Yang, K., Lin, X.: VerifyNet: secure and verifiable federated learning. IEEE Trans. Inf. Forensics Secur. 15, 911–926 (2019) 35. Yang, Q., Liu, Y., Chen, T., Tong, Y.: Federated machine learning: concept and applications. ACM Trans. Intell. Syst. Technol. (TIST) 10(2), 12 (2019) 36. Zhang, C., Li, S., Xia, J., Wang, W., Yan, F., Liu, Y.: BatchCrypt: efficient homomorphic encryption for cross-silo federated learning. In: 2020 USENIX Annual Technical Conference (USENIX ATC 2020), pp. 493–506 (2020) 37. Zhang, Y., Bai, G., Li, X., Curtis, C., Chen, C., Ko, R.K.L.: PrivColl: practical privacy-preserving collaborative machine learning. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds.) ESORICS 2020. LNCS, vol. 12308, pp. 399–418. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-58951-6 20 38. Zhao, J., Chen, Y., Zhang, W.: Differential privacy preservation in deep learning: challenges, opportunities and solutions. IEEE Access 7, 48901–48911 (2019)

XSPIR: Efficient Symmetrically Private Information Retrieval from Ring-LWE Chengyu Lin(B) , Zeyu Liu, and Tal Malkin Columbia University, New York, NY 10027, USA {chengyu,tal}@cs.columbia.edu, [email protected] Abstract. Private Information Retrieval (PIR) allows a client to retrieve one entry from a database held by a server, while hiding from the server which entry has been retrieved. Symmetrically Private Information Retrieval (SPIR) additionally protects the privacy of the data, requiring that the client obtains only its desired entry, and no information on other data entries. In recent years, considerable effort has been expanded towards making PIR practical, reducing communication and computation. State-of-theart PIR protocols are based on homomorphic encryption from the ringLWE assumption. However, these efficient PIR protocols do not achieve database privacy, and leak a lot of information about other data entries, even when the client is honest. Generic transformation of these PIR protocols to SPIR have been suggested, but not implemented. In this paper, we propose XSPIR, a practically efficient SPIR scheme. Our scheme is based on homomorphic encryption from ring-LWE like recent PIR works, but achieves a stronger security guarantee with low performance overhead. We implement XSPIR, and run experiments comparing its performance against SealPIR (Angel et al., IEEE S&P 2018) and MulPIR (Ali et al., USENIX SECURITY 2021). We find that, even though our scheme achieves a stronger security guarantee, our performance is comparable to these state-of-the-art PIR protocols. Keywords: Private information retrieval · Symmetrically private information retrieval · Homomorphic encryption · Ring-LWE

1

Introduction

Private information retreival (PIR) [19] allows a client to retrieve a data entry from a server, while hiding which entry was retrieved from the server. In this paper we focus on the single-server setting, which requires computational security (sometimes referred to as computational PIR, or cPIR). This is an important building block which can benefit many privacy preserving applications, including private media steaming [2,38], subscription [18], private group messaging [17], anonymous communication [6,37,44,53], and ad delivery [36]. However, PIR is quite costly. First, it requires the server to process the whole database in order to maintain the privacy of the query. This is inherent, since if certain entries c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 217–236, 2022. https://doi.org/10.1007/978-3-031-17140-6_11

218

C. Lin et al.

are not processed, the server would know they are not retrieved by the client. Moreover, existing schemes require a much higher overhead in computation and communication, depending on a cryptographic security parameter. There are many PIR protocols in the literature [1,2,12,25,26,30,33,41,43,46, 61], including considerable implementation efforts in recent years. These implementations follow two lines. The first [21,22,55] follows an approach introduced by Gentry and Ramzan [33], which has good communication but a high computational cost. The second approach builds on XPIR by Aguilar-Melchor et al. [2], based on homomorphic encryption. This approach includes the most efficient implementations to date: SealPIR by Angel et al. [5], MulPIR by Ali et al. [4], and SHECS-PIR by Park et al. [57]. A stronger version of PIR is Symmetrically Private Information Retrieval (SPIR) [34], where we additionally require privacy for the server’s data. Specifically, the requirement is that the client should only learn the retrieved data entry, but not any information about any other data entries. This can be useful in many applications where the data consists of sensitive information (e.g., a medical database). Currently, all these implemented PIR schemes do not satisfy such a security guarantee. For the homomorphic encryption based protocols (the line we will follow in this paper), the reason is the following. To improve efficiency, these protocols take advantage of compressing more data into a single ciphertext, allowing the client to retrieve a large chunk of data from each ciphertext (usually more than one entry). Therefore, simply reducing the amount of data packed in each ciphertext would cause a large overhead in efficiency. Moreover, even with only one entry packed in one ciphertext, these schemes leak information about the data beyond a single entry. One can apply standard techniques to add data privacy (which is indeed discussed in some of the above works, but not implemented), but this may result in further decrease in efficiency, as well as other disadvantages, discussed below. 1.1

Our Contributions

In this work, we construct XSPIR, a practically efficient SPIR scheme. We follow the line of works that started with XPIR and culminated in SealPIR, MulPIR, SHECS-PIR [2,4,5,57], and add data privacy against a semi-honest client. We implement our scheme, thus providing the first implementation of a SPIR protocol in many years, and provide detailed comparisons in Sect. 4. Crucially, we use techniques that are directly integrated with the underlying BFV Leveled Homomorphic Encryption scheme [10,28] (based on the ring-LWE assumption). This is in contrast with general ways to transform PIR schemes to SPIR schemes as proposed in previous works. For example, [4] discuss in their appendix how data privacy can be added on top of MulPIR, by using oblivious Pseudorandom Function (OPRF), for which the constructions are mainly based on DDH assumption [47,48]. Our technical approach enjoys the following advantages.

XSPIR: Efficient Symmetrically Private Information Retrieval

219

– Better security with low overhead: we add data privacy against a semi-honest client (namely, the client cannot learn any information beyond the retrieved entry), while paying only a small price in efficiency. Specifically, compared to the state-of-the-art PIR protocols (which leak information on data), we are about 30–40% slower in computation but marginally better in communication. – Extended functionality: since our scheme directly builds on BFV without dependency on extra primitives, we can manipulate the BFV ciphertexts to allow retrieval of more complex functions of data entries (rather than just retrieving an individual entry). For example, if the client wants to query the summation of the cube of two entries (i.e., x3i + x3j for entries i, j), we can easily modify our scheme to achieve this functionality (relying on straightforward properties of BFV). The revelation of the circuit evaluation result will not leak any extra information about the two entries or the rest of the data. – No new assumption: as an added benefit, our SPIR scheme does not need to rely on any additional assumption beyond the one that is used for PIR (namely Ring-LWE, that is needed for the BFV encryption scheme). 1.2

Technical Overview

We start with a brief description of how prior PIR protocols that we build on work at a high level. We first fold the database as a hypercube (for example, a 2-dimensional matrix), and recursively process the query for each dimension (say rows and then columns) [43,61]. Based on the BFV leveled homomorphic encryption scheme [10,28], each query is represented as a ciphertext, which would later be obliviously expanded to an encrypted 0/1 indicator vector [4,5]. The server then homomorphically performs the inner product between those 0/1 indicator vectors and the database, and returns the result. Note that BFV homomorphic encryption scheme allows packing multiple plaintexts inside one ciphertext, enabling “single instruction, multiple data” (SIMD) style homomorphic operations [11,13,32,60]. The database can be reshaped to pack more than one data entry together for better performance. Prior PIR constructions, following the above outline, do not achieve data privacy. We identify two main causes of information leakage, and propose new techniques (directly integrated with the BFV encryption scheme) in order to overcome them efficiently. – With ciphertext packing optimization, the client will get more than one data entry from the server’s response ciphertext. A simple solution is to give up on full-capacity ciphertext packing to achieve data privacy. But its price is a great reduction in efficiency, because we can no longer fully utilize the “SIMD”style operations provided by the underlying BFV scheme. This results more expensive homomorphic operations required during the server’s computation. To overcome this problem, we introduce an “oblivious masking” procedure, which maintains the ciphertext packing feature, but can efficiently remove the undesired data entries from the packed ciphertext, without letting the server

220

C. Lin et al.

know which data entries are kept. In addition, we integrate the oblivious masking with the PIR query procedure, so it does not introduce any extra communication cost. – At high level, the PIR protocol works as follow: the client sends some ciphertexts to the server, the server perform some database dependent computation on the received ciphertexts and returns the result to the client. The security of the underlying homomorphic encryption scheme is protecting the information encrypted inside the original ciphertexts. But the server’s result could leak information about the computation, and hence give extra information about the database other than the queried entry. We use ciphertext sanitization [27,31] to make sure that, even with the secret key, the client cannot learn extra information about a ciphertext other than the decrypted message. 1.3

Related Work

PIR. Private information retrieval (PIR) was introduced by Chor et al. [19], and inspired two lines of work: information theoretic PIR (IT-PIR) and computational PIR (cPIR) (we will use ”PIR” to refer to cPIR by default). IT-PIR requires the database to be stored in several non-colluding servers. The client sends a query to each server and gets the result by combining the responses. IT-PIR has relative computational efficiency for each server and is information theoretic secure. However, it cannot be achieved with a single server, and the privacy relies on non-collusion of the servers, which can be problematic in practice [8,19,23,24,35]. In contrast, cPIR requires only computational security, and can be achieved with a single server. As previously discussed, there’s a long line of works achieving cPIR. The computational cost for the server in all these works is quite high, which is a bottleneck for practical employment. Some of this is inherent: indeed, the server must perform at least linear (in the size of the database) amount of computation per query, or else some information will be leaked (e.g., if an entry is not touched during its computation, the server knows this is not the entry that the client is trying to retrieve). However, the existing results involve a very heavy computation beyond the size of the data (there is an additional multiplicative overhead depending on the security parameter and underlying cryptographic primitives, which is quite high). Significant progress have been made towards improving efficiency, although it remains a bottleneck. SPIR. Symmetrically private information retrieval (SPIR) was introduced by Gertner et al. [34], who showed how transform any PIR scheme to a SPIR scheme, in the information theoretic setting. Modern cPIR schemes can also be transformed to SPIR schemes in generic ways, e.g., using an OPRF, as discussed above. However, to the best of our knowledge, the only existing implementations of SPIR proper are from over 15 years ago, and in Java [9,59]. There are some implementation of related primitives, as we discuss next. Related Primitives. There are several works implementing database access systems with more complex queries, which include some privacy for both the client

XSPIR: Efficient Symmetrically Private Information Retrieval

221

and the server (cf., [29,40,56]); However, these schemes do not have full privacy, and allow some leakage of information about the queries. A closely related primitive is 1-out-of-N Oblivious Transfer (OT). This is in fact equivalent to SPIR, but usually used in a different context where N is small, since it typically has a communication cost linear in N (while for PIR/SPIR a major goal is sublinear communication). Indeed, existing OT protocols mainly focus on constant size (say 1-out-of-2) OT, and on extending OT, namely implementing a large number of OT invocations efficiently [49,58]. The most efficient 1-out-of-N OT to date (but without implementation) is [48], where the authors construct random OT (retrieving a random location from a random database). In turn, random 1-out-of-N OT can be used at an offline stage to allow for a very efficient (but still linear) online 1-out-of-N OT. Another relevant primitive is Private Set Intersection (PSI) [14,15,20,39,50]. PSI has two parties, a sender and a receiver, each holding a set of elements, who would like to privately compute the intersection of their sets. We note that most of the homomorphic encryption based PSI [14,15,20] rely on OPRF. Recently, Li, Lu, and Wu [45] used PSI for password checkup based on homomorphic encryption. They use a masking method by multiplying the result with a random vector to mask the redundant data entries. This approach bears some similarity with ours, but there are three problems trying to apply it to SPIR: first, it requires one extra multiplicative level, resulting in an additional overhead in both communication and computation, while our “oblivious masking” technique does not; second, this technique does not directly apply to SPIR because SPIR requires the server to send back an entry with meaningful data, so we cannot directly multiply our result by a random vector of numbers, (while in their case, they just need to send zero back as an indication); third, it doesn’t prevent the server from leaking the information about its database-dependent computation due to BFV ciphertext noise, while we solve this problem by “ciphertext sanitization”.

2

Preliminaries and Background

2.1

(Symmetrically) Private Information Retrieval

We focus only on single round cPIR, where the client sends a single query message and the server sends a single response message. Our protocol adheres to this form, as do other recent efficient PIR protocols. A PIR scheme is parameterized by the database size N ,1 and consists of 3 PPT algorithms: – pp ← PIR.Setup(λ): Instantiate the protocol with security parameter λ. – q ← PIR.Query(i): Given an input i ∈ [N ], the client generates a query q to the server. – r ← PIR.Response(q, DB): the server takes the client’s query q and a database DB = (DB0 , . . . , DBN −1 ) of N entries, and replies to the client with r. 1

We leave the size of each element implicit as it does not affect the definition.

222

C. Lin et al.

– z ← PIR.Extract(r): the client extracts the information from the server’s reply r. Correctness requires that, for all i ∈ [N ], for any output of the query function q ← PIR.Query(i), for all database DB and reply r ← PIR.Response(q, DB) generated by the server, it has PIR.Extract(r) = DBi . Definition 1 (Query Privacy). We say a PIR scheme is query private if and only if for any two queries i and i , the two distributions q ← PIR.Query(i) and q ← PIR.Query(i ) are computationally indistinguishable. Definition 2 (Data Privacy for Semi-Honest Client). We say a PIR scheme is data private if and only if, for all i ∈ [N ], given query q ← PIR.Query(i), for any two databases DB and DB where DBi = DBi , the two distributions r ← PIR.Response(q, DB) and r ← PIR.Response(q, DB ) are computationally indistinguishable. For the rest of the paper, we use PIR to refer to a PIR scheme with query privacy only, and SPIR (or symmetric PIR) to refer to PIR with both query privacy and with data privacy for semi-honest client. In both cases, we mean computational schemes (with a single server) and one-round of communication as defined above. We care about 2 types of complexity measures: – Computational complexity: in particular, the server’s running time for PIR.Response (as well as the client’s running time for PIR.Query and PIR.Extract, but this is typically much smaller, which typically takes only milliseconds and independent of database size). – Communication complexity: the upload cost is measured by |q| and the download cost is measured by |r|. 2.2

Homomorphic Encryption

We use homomorphic encryption scheme as a public key encryption scheme that can homomorphically evaluate arithmetic operations on messages inside ciphertexts. We can formulate it as the following 4 PPT algorithms: – (pk, sk) ← HE.Setup(1λ ): Takes security parameter λ as input and outputs public key pk, secret key sk. – ct ← HE.Enc(pk, m): Takes pk and a plaintext m as inputs, and outputs a ciphertext ct. – ct ← HE.Eval(pk, C, (ct1 , . . . , ctt )): Takes pk, a circuit C and multiple input ciphertexts (ct1 , . . . , ctt ) and outputs a ciphertext ct . – m ← HE.Dec(sk, ct): Takes sk and a ciphertext ct as input and outputs a plaintext m . For correctness, we require that HE.Dec(sk, HE.Enc(pk, m)) = m for (pk, sk) ← HE.Setup(1λ ) and require HE.Eval to homomorphically apply the circuit C to the plaintext encrypted inside the input ciphertexts.

XSPIR: Efficient Symmetrically Private Information Retrieval

223

Definition 3 (Semantic Security). We say a homomorphic encryption scheme is semantically secure if and only if for any two messages m and m , the two distributions ct ← HE.Enc(pk, m) and ct ← HE.Enc(pk, m ) are computationally indistinguishable given the public key pk. Ciphertext Sanitization. Most homomorphic encryption scheme only cares about hiding the encrypted messages. However, the result ciphertext of the homomorphic evaluation ct ← HE.Eval(pk, C, (ct1 , . . . , ctt )) could leak some information about the circuit C, which might be harmful in some applications. One could employ a randomized sanitization proposed by Ducas and Stehl´e [27] HE.Sanitize(pk, ct) to achieve circuit privacy, satisfying the following: – [Correctness] For any ciphertext ct, HE.Dec(sk, HE.Sanitize(pk, ct)) = HE.Dec(sk, ct); – [(Statistical) Sanitization] For any two ciphertext ct, ct such that HE.Dec(sk, ct) = HE.Dec(sk, ct ), the two distributions after sanitizations HE.Sanitize(pk, ct) and HE.Sanitize(pk, ct ) are (statistically) indistinguishable given keys pk and sk. Brakerski/Fan-Vercauteran Scheme. We use the Brakerski/Fan-Vercauteran homomorphic encryption scheme [10,28], which we refer to as the BFV scheme. Given a polynomial from the cyclotomic ring Rt = Zt [X]/(X D + 1), the BFV scheme encrypts it into a ciphertext consisting of two polynomials, where each polynomial is from a larger cyclotomic ring Rq = Zq [X]/(X D + 1) where q > t. We refer to t, q and D as the plaintext modulus, the ciphertext modulus, and the ring size, respectively. We require the ring dimension D to be a power of 2. In addition to standard homomorphic operations, like addition and multiplication between a ciphertext and another ciphertext/plaintext, BFV scheme also supports substitution [5]. Given an odd integer k and a ciphertext ct encrypting a polynomial p(x), the substitution operation SUB(ct, k) returns a ciphertext encrypting the polynomial p(xk ). For example, taking k = 3, an encrypted polynomial 3 + x + 5x3 can be substituted to be a ciphertext encrypting 3 + x3 + 5x9 .

3

Main Construction

In Sect. 3.1, we provide a PIR protocol, based on state-of-the-art PIR [4,5], which we will use as our starting point. Then in Sect. 3.2, we present our new techniques, and how they can be integrated with the PIR protocol to efficiently transform it to a SPIR protocol. 3.1

PIR from Homomorphic Encryption

Baseline PIR. We start from the basis for most state-of-the-art practical PIR protocols. The scheme relies on homomorphic encryption, and its simplest version is the following. Given a database (DB0 , . . . , DBN −1 ) of N entries, the client

224

C. Lin et al.

initiates the query by sending N ciphertexts ci , where the ciphertext for the desired entry encrypts 1, and all other ciphertexts encrypt 0 (that is, the ciphertexts encrypt an indicator vector). For each ciphertext, the server homomorphically multiplies it by the corresponding entry DBi from the database, and returns N the homomorphic sum of the results i=1 DBi · ci , which is the encryption of the desired entry. To achieve sublinear communication, Kushilevitz, Ostrovsky [43] and later Stern [61] proposed applying this scheme recursively: parameterized by the recursion level d, instead of viewing the database as a one-dimensional vector of length N , one can arrange it into a d-dimensional hypercube. Now each entry in the database will be indexed by a length-d vector (i0 , . . . , id−1 ) where each index ranges from 0 to N 1/d . The retrieval process is then handled recursively, where the client sends N 1/d ciphertexts for each level (encrypting an appropriate indicator vector), for a total of d · N 1/d ciphertexts. The server sends back one ciphertext (resulting from homomorphic operations of addition and multiplication by plaintexts). Compressing Queries. In the above protocol, each ciphertext sent by the client encrypts a single bit, blowing up communication. To reduce communication, SealPIR [5] and MulPIR [4] instantiate the underlying homomorphic encryption scheme with the BFV scheme. Recall that in BFV, each ciphertext encrypts an element from cyclotomic ring Zt [X]/(X D + 1) where D is a power of 2, which is a degree-D polynomial with integer coefficient ranging from 0 to t − 1 for some large prime t. Now, instead of encrypting a single bit, a BFV ciphertext encrypts a vector consisting of the coefficients of the polynomial (i.e., D elements in Zt ). Specifically, to represent a query of index i, instead of sending an indicating vector of ciphertexts, SealPIR [5] first sends an encrypted monomial xi (which can be viewed as a polynomial with coefficients being the indicating vector for i). The server then runs a procedure called oblivious expansion that allows it to obtain the encrypted coefficients and get the 0/1 indicator vector. Later MulPIR [4] observed that such technique works not only on a monomial xi , but also for general polynomials, and took advantage of this for polynomials with more than one non-zero coefficients. Details of oblivious expansion is shown in Algorithm 1. Packing More Information. As discussed above, the ciphertext encrypts an integer polynomial with degree D and coefficients from Zt . One could pack at most D · log t bits of data inside a single ciphertext. For better efficiency, we should reshape the database so that each entry is of size D · log t bits. For a typical choice of parameters for BFV scheme, say D = 8192 and t ≈ 220 (t being a prime slightly larger than 220 ), that’s about 20KB data per ciphertext.

XSPIR: Efficient Symmetrically Private Information Retrieval

225

Combining all these techniques, we show our PIR construction in Algorithm 2. The overall algorithm is the same as the MulPIR algorithm in [4]. We tuned the parameters in order to increase efficiency in some settings, and to allow us to add data privacy without changing to less efficient BFV parameters, as we do in the next section. Detailed performance comparisons are in Sect. 4.

Algorithm 1. Oblivious Expansion based on [4,5]. Given an input ciphertext q encrypting a polynomial p(x) of degree n, return a list of n ciphertexts, encrypting the coefficients of p(x). Recall the homomorphic substituion operation: given a ciphertext ct encrypting p(x) and an odd integer k, the substitution SUB(ct, k) returns a ciphertext encrypting polynomial p(xk ). We know that xD is equal to −1 on cyclotomic D−1 ring Zt [X]/(X D + 1). For polynomial p(x) = i=0 di · xi , substituting it with D−1 D−1 k = D + 1 gives p(xD+1 ) = i=0 di · xi·D+i = i=0 di · (−1)i · xi . Adding it back to p(x) would zero out every coefficient for xi where i is odd, and double every other coefficients. Repeatedly using similar steps for k = D/2j + 1 on p(x) would zero out every coefficient of xi where i is not 0, and multiply d0 by some power of 2. Then with some “shifting” (multiplying with some monomial j x−2 ), and dividing by the appropriate power of 2, given a encrypted polynon−1 mial p(x) = i=0 di · xi , one can extract a vector of ciphertexts where the ith ciphertext encrypts di . procedure EXPAND(q, n, D)  D is the ring size for the underlying BFV HE scheme Find m = 2 such that m ≥ n clist ← [q] for j = 0 to  − 1 do for k = 0 to 2 − 1 do c0 ← clist[k] j  scalar multiplication c1 ← x−2 · c0  ck ← SUB(c0 , D/2j + 1) + c0  SUB is the substitution in BFV HE scheme ck+2j ← SUB(c1 , D/2j + 1) + c1 clist ← [c0 , ..., c2j+1 −1 ] inverse ← m−1 (mod t) for k = 0 to n − 1 do rk ← clist[k] · inverse return (r0 , ..., rn−1 )

 t is the plaintext modulus

226

C. Lin et al.

Algorithm 2. PIR Scheme (following [4]) 1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19: 20: 21: 22: 23: 24: 25: 26:

3.2

procedure PIR.Setup(λ) (pk, sk) ← HE.Setup(1λ ) return (pk, sk) procedure PIR.Query(N, d, pk, i = (i0 , ..., id−1 )) Initialize polynomial p = 0 for j = 0 to d − 1 do 1/d p ← p + xj·N +ij q ← HE.Enc(pk, p) return (q) procedure PIR.Response(DB, N, d, pk, q) n ← N 1/d idx ←EXPAND(q, d · n, D)  Oblivious expansion in 1 for k = 0 to d − 1 do qk ← [idx[k · n + 0], . . . , idx[k · n + n − 1]] rlist ← [DB0 , . . . , DBN −1 ]  ← N/n for k = 0 to d − 1 do for i = 0 to  − 1 do ri ← qk , [rlist[0 ·  + i], . . . , rlist[(n − 1) ·  + i]] rlist ← [r0 , . . . , r−1 ]  ← /n r ← rlist[0] return r procedure PIR.Extract(sk, r) z ← HE.Dec(sk, r) return z

XSPIR: Adding Data Privacy

So far, we described efficient standard PIR. However, this protocol (like the ones it was based on) leaks information about the data, even to an honest client. To achieve data privacy, we need to address the following two problems: – As previously discussed, to better utilize the plaintext space of the BFV scheme and improve efficiency, we reshaped the database so that each entry now fits in a degree-D polynomial with coefficients from Zt , which packs D · log t bits of information. If the client is only allowed to learn, say, a single element from Zt , a simple solution would be to pack only one coefficient inside each ciphertext. However, this solution is very costly. Is it possible to pack many values (say D) inside one ciphertext for better efficiency, while the client cannot learn extra information except for only one of them? – The server computes a deterministic PIR.Response procedure that depends on every part of the database. The output naturally leaks information about the server’s computation and hence other parts of the database. Consider the following simple example: the client is fetching 0-th entry from a database

XSPIR: Efficient Symmetrically Private Information Retrieval

227

DB = (DB0 , DB1 ) with 2 entries. After learning DB0 , the client can learn DB1 by iterating over all possible values and simulating the server’s computation. Is there a way to make the server’s output ciphertext irrelevant for any part of the database other than the retrieved entry? Instead of taking a generic approach as suggested by [4], we show how to efficiently achieve the data privacy by directly taking advantage of the underlying BFV homomorphic encryption scheme, which has many benefits as described in Sect. 1.1. Oblivious Masking. In previous PIR construction, one ciphertext encrypts the D−1 a polynomial p(x) = i=0 di · xi , where each di is a part of the reshaped data entry that lies in Zt . To address the first problem above, if the client is only allowed to learn dk for some k ∈ [D], we need an efficient way to obliviously remove unnecessary information (the other coefficients). Let us start with a first attempt. To keep only the k-th part dk of the polynomial p(x), the client could send another ciphertext encrypting x−k , and the D−1 server can multiply them together to get p (x) = x−k · p(x) = i=0 di · xi−k . In this case, the constant coefficient is what we are looking for. We could use a similar procedure to oblivious expansion in Algorithm 1 to extract it out. This method brings an additional overhead as the client needs to send an additional ciphertext encrypting x−k . To save this communication cost, we observe that the client is not fully utilizing the plaintext space Zt [X]/(X D + 1), as the query ciphertexts sent by the client are polynomials with 0/1 coefficients. We could embed the information k in those coefficients without introducing a new monomial, with an alternative packing technique. First, instead of sending a new ciphertext encrypting x−k , we put k into the first query ciphertext sent by the client. For example, instead of sending xi for some index i, we send (k + 1) · xi . After the oblivious expansion, the server can sum up the results to obtain a ciphertext encrypting a constant polynomial (k + 1). It requires t > D, which is almost always the case. Second, instead of packing data entires (d0 , . . . , dD−1 ) into the coefficients of a polynomial, we would find a polynomial p(x) such that p(ωi ) = di using number-theoretic transformation, where ωi is the i-th root of unity in Zt , similar to the technique shown in [60]. Our goal is then to keep only the information on p(ωk ) = dk . To achieve this, we could add a random polynomial with r(ωk ) = 0 to it. We first find a polynomial q(x) with q(ωi ) = −(i + 1). Adding to it a constant polynomial (k + 1) results in a new polynomial q  (ωi ) = k − i. Finally, multiplying it by a random polynomial gives us what we want. Such technique also works when the client is retrieving more than one consecutive elements in Zt . For example, if every data entry fits in 2 elements of Zt , we could find the polynomial q(x) with q(ωi ) = −(i/2 + 1) instead of −(i + 1). And the rest of the computation would be the same. Ciphertext Sanitization. To address the second problem and make sure that the result doesn’t contain information about other parts of the database, one

228

C. Lin et al.

way is to use the ciphertext sanitization procedure proposed by Ducas and Stehl´e [27]. For efficiency, we use a simpler way of re-randomization, which is noise flooding [27,31]. Specifically, before sending back the result, the server adds an encryption of zero to it with certain amount of noise, so that the result will be statistically close to a freshly encrypted ciphertext. To achieve statistical distance of 2−s , a standard smudging lemma [7] shows that it suffices to add to it an encryption of 0 with noise level s + log2 D bits higher than the original ciphertext. We apply all these techniques to our PIR scheme to make it into a SPIR scheme, which we call XSPIR. See Algorithm 3 for the detailed scheme.

Algorithm 3. XSPIR: Our SPIR Scheme Blue lines are differences from the previous PIR protocol 2 1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19: 20: 21: 22: 23: 24: 25: 26: 27: 28: 29: 30: 31: 32: 33:

procedure PIR.Setup(λ) (pk, sk) ← HE.Setup(1λ ) return (pk, sk) procedure PIR.Query(N, d, pk, i = (i0 , ..., id−1 , k)) Initialize polynomial p = 0 for j = 0 to d − 1 do 1/d p ← p + (k + 1)·xj·N +ij q ← HE.Enc(pk, p) return (q) procedure PIR.Response(DB, N, d, pk, q) n ← N 1/d idx ←EXPAND(q, d · n, D) for k = 0 to d − 1 do qk ← [idx[k · n + 0], . . . , idx[k · n + n − 1]] rlist ← [DB0 , . . . , DBN −1 ]  ← N/n for k = 0 to d − 1 do for i = 0 to  − 1 do ri ← qk , [rlist[0 ·  + i], . . . , rlist[(n − 1) ·  + i]] rlist ← [r0 , . . . , r−1 ]  ← /n r ← rlist[0] pt ←  (−1, . . . , −D)  Making a plaintext polynomial, where pt(ωi ) = −(i + 1)  Sum of q0 is an encrypted constant polynomial k + 1 ct ← n−1 i=0 q0 [i] ct ← pt + ct  Scalar addition  Uniformly sample a random polynomial pt ←$ Zt [X]/(X D + 1) ct ← pt · ct  Scalar multiplication r ← r + ct  Homomorphic addition r ← HE.Sanitize(pk, r)  Sanitize by adding an encryption of 0 with large noise return r procedure PIR.Extract(sk, r, k, d) z ← (k + 1)−d ·HE.Dec(sk, r) return z

XSPIR: Efficient Symmetrically Private Information Retrieval

229

Extended Functionality. As our scheme only relies on BFV, we can easily extend our functionality. Normally, the returned entry of PIR contains a singe data entry. However, our scheme can easily allow the returned entry to contain some computation (e.g., some complex functions) over data entries. For example, the client wants to query the summation of the cube of two entries (i.e., x3i + x3j for entries i, j), we can easily modify our scheme to achieve this functionality (relying on the properties of BFV), while maintaining full privacy (i.e., no information except for the result of the computation is revealed). However, for SPIR described in [4], this is not supported, as they rely on OPRF. 3.3

Security

The query privacy (see definition 1) follows directly from the semantic security of the underlying BFV homomorphic encryption scheme [10,28]. As the client is sending encrypted indices, and the semantic security (see definition 3) guarantees that the server cannot learn any information from the ciphertext. Data privacy against semi-honest clients (see definition 2) is more complex. For all k ∈ [N ], given client’s query q ← PIR.Query(k), for any two databases DB and DB where DBk = DBk , consider the following two distributions r ← PIR.Response(q, DB) and r ← PIR.Response(q, DB ). Ciphertext sanitization (see 2.2 and [27]) guarantees that, for any ciphertext ct encrypting some polynomial p, the distribution HE.Sanitize(pk, ct) is indistinguishable from a freshly encrypted ciphertext HE.Enc(pk, p). Therefore both r and r are indistinguishable from the fresh encryption of their underlying messages, respectively. We further show that r and r encrypt messages from the same distribution. WLOG, assume that the whole database can be packed into one ciphertext and D = N . It is not hard to extend the argument to the general case of N > D. The ciphertext r is encrypting a polynomial p whose coefficients are in Zt such that p(ωi ) = (k + 1) · DBi + (k − i) · ri where ri is uniformly distributed over Zt . If i = k, we have p(ωk ) = (k + 1) · DBk . Otherwise p(ωi ) is distributed uniformly at random over Zt for k = i ∈ [D]. Similar argument works for r : r is encrypting a polynomial p such that p (ωi ) is a uniform random element from Zt for i = k and p (ωk ) = (k + 1) · DBk = (k + 1) · DBk = p(ωk ).

4

Implementation and Evaluation

In this section, we describe our implementation, evaluate its performance, and compare it with previous implementations. One thing to note is that, since there are no public modern SPIR implementations, we could only compare our XSPIR protocol with the state-of-the-art PIR protocols (which is not data private). We show that our performance is comparable to state-of-the-art PIR protocols while providing a stronger security guarantee. Implementation and Experimental Setup. Our scheme is implemented on top of the SEAL homomorphic encryption library version 3.5.6 [51], with C++. We use the EXPAND algorithm from SealPIR. For SealPIR, we use the publicly

230

C. Lin et al.

available source code [52], and run under the same environment, integrating it with our testing framework. R CoreTM i7-8550U All experiments are running on a CPU 8th Gen Intel quad-core processor, 4.2 GHz Max Turbo and 16 GB RAM, and with operating system Ubuntu 16.04. The numbers are averages of 100 trials. The SealPIR code is running with the parameters suggested by their paper and code. We implement the MulPIR on our code base with their suggested parameters. We cannot compare with SHECS-PIR [57], as their code is not publicly available. However, according to our analysis based the data provided by [57], our XSPIR performance would be comparable to theirs as well (with some variations depending on the entry size). 4.1

Parameter Choices

We have two security parameters, a computational security parameter for the underlying BFV scheme, and a statistical security parameter to apply noise flooding (necessary for ciphertext sanitization towards data privacy). We set our statistical security parameter to s = 40, as suggested by standard practice, and widely used in many other works [16,42,54]. According to the smudging lemma in [7], we need a noise of s + log D bits (more than the ciphertext to be sanitized) to guarantee a statistical distance of ≤ 2−s . We set our computational security parameter to λ = 128 as suggested by [3]. We set our ring size to be D = 8192 and therefore according to [3], we have a noise budget of 218 bits with D = 8192, λ = 128. For statistical secure parameter s = 40, we would then need 40 + log2 (8192) = 53 bits of extra noise, which gives our 165 bits of noise budget left for our entire computation. To accommodate 2.5 bytes per slot of a ciphertext, we need a prime plaintext modulus t of 21 bits, so for each level of multiplicative depth, we consume roughly 20–30 bits of noise budget. This is sufficient for a recursion level of d = 2, which is the most efficient choice. As for d > 2, the depth of homomorphic multiplication increases, and therefore results in more computational cost. Therefore, for best performance, we set D = 8192, d = 2 for security requirement λ = 128, s = 40. To maximize the efficiency, we pack totally 8192×2.5bytes = 20 KB into one ciphertext. In our experiments, we select entry size = 288 bytes (this does not influence the performance, we but we select the same entry size as in previous works for better comparison). Given this entry size, we can pack at most 71 entries into one single ciphertext. 4.2

Experimental Comparisons

To evaluate how our scheme works, we run a series of microbenchmarks to measure: (1) computational cost on the server’s side (2) upload communication cost (3) download communication cost. The total communication cost is measured by the sum of upload cost and download cost. Our detailed comparisons and data are recorded in Table 1.

XSPIR: Efficient Symmetrically Private Information Retrieval

231

Table 1. Entry size = 288 bytes and ring dimensions are set to 4096. In blue color is XSPIR from Algorithm 3. Although there is only one ciphertext involved in both upload and download communication. Its size varies because of the modulus switching. Other entries are PIR schemes without data privacy: SealPIR [5], MulPIR [4]. Size of database XSPIR (Server Time, ms)

18M

72M

288M 1.125GB

1735 4921 14531 41853

SealPIR (Server Time, ms)

591

MulPIR (Server Time, ms)

1322 3853 10785 30217

1571 6052

21675

XSPIR (Upload, KB)

160

160

160

160

SealPIR (Upload, KB)

61.2

61.2

61.2

61.2

MulPIR (Upload, KB)

122

122

122

122

XSPIR (Download, KB)

73

73

73

73

SealPIR (Download, KB)

307

307

307

307

MulPIR (Download, KB)

119

119

119

119

XSPIR (Communication, KB)

233

233

233

233

SealPIR (Communication, KB) 368.2 368.2 368.2 368.2 MulPIR (Communication, KB) 241

241

241

241

As shown in the table, for all database sizes tested, our communication cost is about the same as MulPIR (with marginal advantage) and around 35% better than SealPIR, while our performance is about 40–50% worse than MulPIR and about 2–3 times worse than SealPIR. Recall that the goal in MulPIR was to obtain better communication (compared to SealPIR), at the price of worse computation. Our scheme can be viewed as going even further in that direction, but more importantly, adding a better security guarantee, for the database as well. 4.3

Comparison to 1-out-of-n OT

As mentioned in Sect. 1.3, SPIR is technically equivalent to 1-out-of-N OT, although the later one is typically used in different contexts. Accordingly, the existing open-source codes [58] for OT’s focus on OT extensions, running multiple OT’s at the same time. We thus can’t run their library for executing a single (or a small number of) retrievals with the relatively huge database size we run experiments with, as in our XSPIR. We next try to compare our XSPIR scheme to the state of the art 1-outof-N OT by McQuoid et al. [48]. Since this is not implemented, we compare asymptotically. Note that in our scheme, the communication is O(N 1/d ), and the server’s computation is O(N + d · N 1/d ) homomorphic operations. In [48], they construct random OT, where both the query and the database are selected at random (this is typical in settings where this is used for an initial offline computation phase).

232

C. Lin et al.

Typically, the purpose of using a 1-out-of-N random OT is to move most of the computation to an offline stage, where the random OT protocol is performed. Then, in the online stage when the client receives the actual query, it sends the difference between that and the random query used to the server. The server rotates the random data by that shift, and uses it to mask the actual database. It then sends the whole masked database to the client. The client can unmask the desired entry using the value obtained in the random OT phase. Using the random OT scheme of [48] in this way, we obtain a 1-out-of-N random OT with server time of O(N ) exponentiations, upload cost of O(1), and download cost of O(N ). This gives worse communication (which is no longer sublinear!) but better computational cost than our protocol asymptotically. Acknowledgement. This research was supported in part by the U.S. Department of Energy (DOE), Office of Science, Office of Advanced Scientific Computing Research under award number DE-SC-0001234, a grant from the Columbia-IBM center for Blockchain and Data Transparency, by LexisNexis risk solutions, and by JPMorgan Chase & Co. Any views or opinions expressed herein are solely those of the authors listed.

References 1. Abusalah, H., Alwen, J., Cohen, B., Khilko, D., Pietrzak, K., Reyzin, L.: Beyond Hellman’s time-memory trade-offs with applications to proofs of space. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 357–379. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9 13 2. Aguilar Melchor, C., Barrier, J., Fousse, L., Killijian, M.O.: XPIR: private information retrieval for everyone. Proc. Priv. Enhancing Technol. 2016(2), 155–174 (2016) 3. Albrecht, M., et al.: Homomorphic Encryption Standard. In: Lauter, K., Dai, W., Laine, K. (eds.) Protecting Privacy through Homomorphic Encryption, pp. 31–62. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77287-1 2 4. Ali, A., et al.: Communication-computation trade-offs in PIR. In: 30th USENIX Security Symposium (USENIX Security 21). USENIX Association (2021). https:// www.usenix.org/conference/usenixsecurity21/presentation/ali 5. Angel, S., Chen, H., Laine, K., Setty, S.T.V.: PIR with compressed queries and amortized query processing. In: 2018 IEEE Symposium on Security and Privacy, pp. 962–979. IEEE Computer Society Press (2018) 6. Angel, S., Setty, S.: Unobservable communication over fully untrusted infrastructure. In: Holz, T., Savage, S. (eds.) USENIX Security 2016: 25th USENIX Security Symposium. USENIX Association (2016) 7. Asharov, G., Jain, A., L´ opez-Alt, A., Tromer, E., Vaikuntanathan, V., Wichs, D.: Multiparty computation with low communication, computation and interaction via threshold FHE. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 483–501. Springer, Heidelberg (2012). https://doi.org/10. 1007/978-3-642-29011-4 29 8. Beimel, A., Ishai, Y., Kushilevitz, E., Raymond, J.F.: Breaking the O(n1/(2k−1) ) barrier for information-theoretic private information retrieval. In: 43rd Annual Symposium on Foundations of Computer Science, pp. 261–270. IEEE Computer Society Press (2002)

XSPIR: Efficient Symmetrically Private Information Retrieval

233

9. Boneh, D., Bortz, A., Inguva, S., Saint-Jean, F., Feigenbaum, J.: Private information retrieval. https://crypto.stanford.edu/pir-library/ 10. Brakerski, Z.: Fully homomorphic encryption without modulus switching from classical GapSVP. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 868–886. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3642-32009-5 50 11. Brakerski, Z., Gentry, C., Halevi, S.: Packed ciphertexts in LWE-based homomorphic encryption. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 1–13. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-3636271 12. Cachin, C., Micali, S., Stadler, M.: Computationally private information retrieval with polylogarithmic communication. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 402–414. Springer, Heidelberg (1999). https://doi.org/10. 1007/3-540-48910-X 28 13. Chen, H., Dai, W., Kim, M., Song, Y.: Efficient multi-key homomorphic encryption with packed ciphertexts with application to oblivious neural network inference. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.) ACM CCS 2019: 26th Conference on Computer and Communications Security, pp. 395–412. ACM Press (2019) 14. Chen, H., Huang, Z., Laine, K., Rindal, P.: Labeled psi from fully homomorphic encryption with malicious security. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. CCS 2018, Association for Computing Machinery (2018). https://doi.org/10.1145/3243734.3243836 15. Chen, H., Laine, K., Rindal, P.: Fast private set intersection from homomorphic encryption. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. CCS 2017, Association for Computing Machinery (2017). https://doi.org/10.1145/3133956.3134061 16. Chen, H., Laine, K., Rindal, P.: Fast private set intersection from homomorphic encryption. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017: 24th Conference on Computer and Communications Security, pp. 1243– 1255. ACM Press (2017) 17. Cheng, R., et al.: Talek: private group messaging with hidden access patterns. Cryptology ePrint Archive, Report 2020/066 (2020). https://eprint.iacr.org/2020/ 066 18. Cheng, R., et al.: Talek: a private publish-subscribe protocol. In Submission (2020). https://raymondcheng.net/download/papers/talek-tr.pdf 19. Chor, B., Goldreich, O., Kushilevitz, E., Sudan, M.: Private information retrieval. In: 36th Annual Symposium on Foundations of Computer Science, pp. 41–50. IEEE Computer Society Press (1995) 20. Cong, K., et al.: Labeled PSI from homomorphic encryption with reduced computation and communication. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. CCS 2021, Association for Computing Machinery (2021). https://doi.org/10.1145/3460120.3484760 21. Costea, S., Barbu, D.M., Ghinita, G., Rughinis, R.: A comparative evaluation of private information retrieval techniques in location-based services. In: 2012 Fourth International Conference on Intelligent Networking and Collaborative Systems, pp. 618–623 (2012) 22. De Cristofaro, E., Lu, Y., Tsudik, G.: Efficient techniques for privacy-preserving sharing of sensitive information. In: McCune, J.M., et al. (eds.) Trust and Trustworthy Computing, pp. 239–253. Springer, Berlin Heidelberg, Berlin, Heidelberg (2011)

234

C. Lin et al.

23. Demmler, D., Herzberg, A., Schneider, T.: RAID-PIR: Practical multi-server PIR. In: CCSW 2014: Proceedings of the 6th edition of the ACM Workshop on Cloud Computing Security, pp. 45–56 (2014) 24. Devet, C., Goldberg, I., Heninger, N.: Optimally robust private information retrieval. In: Kohno, T. (ed.) USENIX Security 2012: 21st USENIX Security Symposium, pp. 269–283. USENIX Association (2012) 25. Dong, C., Chen, L.: A fast single server private information retrieval protocol with low communication cost. In: Kutylowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8712, pp. 380–399. Springer, Cham (2014). https://doi.org/10.1007/ 978-3-319-11203-9 22 26. D¨ ottling, N., Garg, S., Ishai, Y., Malavolta, G., Mour, T., Ostrovsky, R.: Trapdoor hash functions and their applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 3–32. Springer, Cham (2019). https://doi. org/10.1007/978-3-030-26954-8 1 27. Ducas, L., Stehl´e, D.: Sanitization of FHE ciphertexts. In: Fischlin, M., Coron, J.S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 294–310. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3 12 28. Fan, J., Vercauteren, F.: Somewhat practical fully homomorphic encryption. Cryptology ePrint Archive, Report 2012/144 (2012). http://eprint.iacr.org/2012/144 29. Fisch, B.A., et al.: Malicious-client security in blind seer: a scalable private DBMS. In: 2015 IEEE Symposium on Security and Privacy, pp. 395–410. IEEE Computer Society Press (2015) 30. Garg, S., Hajiabadi, M., Ostrovsky, R.: Efficient range-trapdoor functions and applications: rate-1 OT and more. Cryptology ePrint Archive, Report 2019/990 (2019). https://eprint.iacr.org/2019/990 31. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) 41st Annual ACM Symposium on Theory of Computing, pp. 169–178. ACM Press (2009) 32. Gentry, C., Halevi, S., Smart, N.P.: Fully homomorphic encryption with polylog overhead. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 465–482. Springer, Heidelberg (2012). https://doi.org/10.1007/9783-642-29011-4 28 33. Gentry, C., Ramzan, Z.: Single-database private information retrieval with constant communication rate. In: Caires, L., et al. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 803–815. Springer, Heidelberg (2005). https://doi.org/10.1007/11523468 65 34. Gertner, Y., Ishai, Y., Kushilevitz, E., Malkin, T.: Protecting data privacy in private information retrieval schemes. J. Comput. Syst. Sci. 60(3) (2000). https:// doi.org/10.1006/jcss.1999.1689 35. Goldberg, I.: Improving the robustness of private information retrieval. In: 2007 IEEE Symposium on Security and Privacy, pp. 131–148. IEEE Computer Society Press (2007) 36. Green, M., Ladd, W., Miers, I.: A protocol for privately reporting ad impressions at scale. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. CCS 2016, Association for Computing Machinery (2016). https://doi.org/10.1145/2976749.2978407 37. Groth, J., Kiayias, A., Lipmaa, H.: Multi-query computationally-private information retrieval with constant communication rate. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 107–123. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7 7

XSPIR: Efficient Symmetrically Private Information Retrieval

235

38. Gupta, T., Crooks, N., Mulhern, W., Setty, S., Alvisi, L., Walfish, M.: Scalable and private media consumption with popcorn. Cryptology ePrint Archive, Report 2015/489 (2015). http://eprint.iacr.org/2015/489 39. Huberman, B.A., Franklin, M., Hogg, T.: Enhancing privacy and trust in electronic communities. In: Proceedings of the 1st ACM Conference on Electronic Commerce. EC 1999, Association for Computing Machinery (1999). https://doi.org/10.1145/ 336992.337012 40. Jarecki, S., Jutla, C., Krawczyk, H., Rosu, M.C., Steiner, M.: Outsourced symmetric private information retrieval. In: Proceedings of the ACM Conference on Computer and Communications Security (2013) 41. Kiayias, A., Leonardos, N., Lipmaa, H., Pavlyk, K., Tang, Q.: Optimal rate private information retrieval from homomorphic encryption. Proc. Priv. Enhancing Technol. 2015(2), 222–243 (2015) 42. Kolesnikov, V., Kumaresan, R., Rosulek, M., Trieu, N.: Efficient batched oblivious PRF with applications to private set intersection. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016: 23rd Conference on Computer and Communications Security, pp. 818–829. ACM Press (2016) 43. Kushilevitz, E., Ostrovsky, R.: Replication is NOT needed: SINGLE database, computationally-private information retrieval. In: 38th Annual Symposium on Foundations of Computer Science, pp. 364–373. IEEE Computer Society Press (1997) 44. Kwon, A., Lazar, D., Devadas, S., Ford, B.: Riffle: an efficient communication system with strong anonymity. Proc. Priv. Enhancing Technol. 2016(2), 115–134 (2016) 45. Li, J., Liu, Y., Wu, S.: Pipa: Privacy-preserving password checkup via homomorphic encryption. In: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security (2021) 46. Lipmaa, H., Pavlyk, K.: A simpler rate-optimal CPIR protocol. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 621–638. Springer, Cham (2017). https:// doi.org/10.1007/978-3-319-70972-7 35 47. Mansy, D., Rindal, P.: Endemic oblivious transfer. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. CCS 2019, Association for Computing Machinery (2019). https://doi.org/10.1145/3319535. 3354210 48. McQuoid, I., Rosulek, M., Roy, L.: Minimal symmetric PAKE and 1-out-of-N OT from programmable-once public functions. Cryptology ePrint Archive, Report 2020/1043 (2020). https://eprint.iacr.org/2020/1043 49. McQuoid, I., Rosulek, M., Roy, L.: Batching base oblivious transfers. Cryptology ePrint Archive, Report 2021/682 (2021). https://eprint.iacr.org/2021/682 50. Meadows, C.: A more efficient cryptographic matchmaking protocol for use in the absence of a continuously available third party. In: 1986 IEEE Symposium on Security and Privacy, pp. 134–134 (1986) 51. Microsoft SEAL (release 3.5). Microsoft Research, Redmond, WA (2020). https:// github.com/Microsoft/SEAL 52. Microsoft SealPIR. https://github.com/microsoft/SealPIR 53. Mittal, P., Olumofin, F.G., Troncoso, C., Borisov, N., Goldberg, I.: PIR-tor: scalable anonymous communication using private information retrieval. In: USENIX Security 2011: 20th USENIX Security Symposium. USENIX Association (2011)

236

C. Lin et al.

54. Orr` u, M., Orsini, E., Scholl, P.: Actively secure 1-out-of-N OT extension with application to private set intersection. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 381–396. Springer, Cham (2017). https://doi.org/10.1007/ 978-3-319-52153-4 22 55. Papadopoulos, S., Bakiras, S., Papadias, D.: pCloud: a distributed system for practical PIR. IEEE Trans. Dependable Secure Comput. 9(1), 115–127 (2012) 56. Pappas, V., et al.: Blind seer: a scalable private DBMS. In: 2014 IEEE Symposium on Security and Privacy, pp. 359–374. IEEE Computer Society Press (2014) 57. Park, J., Tibouchi, M.: SHECS-PIR: Somewhat Homomorphic Encryption-Based Compact and Scalable Private Information Retrieval. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds.) ESORICS 2020. LNCS, vol. 12309, pp. 86–106. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-59013-0 5 58. Rindal, P.: libOTe: an efficient, portable, and easy to use Oblivious Transfer Library. https://github.com/osu-crypto/libOTe 59. Saint-Jean, F.: Java implementation of a single-database computationally symmetric private information retrieval (CSPIR) protocol. Yale University New Haven CT Department of Computer Science Technical Representative (2005) 60. Smart, N., Vercauteren, F.: Fully homomorphic SIMD operations. Cryptology ePrint Archive, Report 2011/133 (2011). http://eprint.iacr.org/2011/133 61. Stern, J.P.: A new and efficient all-or-nothing disclosure of secrets protocol. In: Ohta, K., et al. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 357–371. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-49649-1 28

Scaling up GAEN Pseudorandom Processes: Preparing for a More Extensive Pandemic Liron David1(B) , Avinatan Hassidim1 , Yossi Matias1 , and Moti Yung2 1 2

Google LLC, Tel-Aviv, Israel Google LLC, New-York, USA

Abstract. “Exposure Notification (EN) Systems” which have been envisioned by a number of academic and industry groups, are useful in aiding health authorities worldwide to fight the COVID-19 pandemic spread via contact tracing. Among these systems, many rely on the BLE based Google-Apple Exposure Notification (GAEN) API (for iPhones and Android systems). We assert that it is now the time to investigate how to deal with scale issues, assuming the next pandemic/ variant will be more extensive. To this end, we present two modular enhancements to scale up the GAEN API by improving performance and suggesting a better performanceprivacy tradeoff. Our modifications have the advantage of affecting only the GAEN API modules and do not require any change to the systems built on top of it, therefore it can be easily adopted upon emerging needs. The techniques we suggest in this paper (called “dice and splice” and “forest from the PRF-tree”) are general and applicable to scenarios of searching values within anonymous pseudo-randomly generated sequences.

1

Introduction

The outbreak of the highly infectious COVID-19 has taken the world by surprise, forcing lock-downs and straining public health care systems. A necessary strategy for reducing infections is early detection of exposures (to reduce the spread graph). To this end, COVID-19 smartphone APIs and contact tracing apps have been developed. Mainly, there are two prototypical architectures for COVID-19 tracing apps: centralised and decentralised. Examples of the centralised case are the Bluetrace [10] and the ROBERT [6] protocols. TraceTogether (Singapore) [5] and CovidSafe (Australia) [2] apps are based on the Bluetrace protocol, and the StopCovid (France) app [7] implements the ROBERT protocol. Examples of the decentralised case are: the Private Automated Contact Tracing (PACT) protocol by MIT [11], the protocol sharing the same name PACT (Privacy sensitive protocols And mechanisms for mobile Contact Tracing) developed by a team from the University of Washington [12], and the DP-3T [19] proposed by a consortium c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 237–255, 2022. https://doi.org/10.1007/978-3-031-17140-6_12

238

L. David et al.

of universities and organisations from Europe, led by EPFL Switzerland. There are other contact tracing protocols based on GPS as Hamagen [3] which was developed by Israel’s Ministry of Health, COVID Safe Paths [17] which is similar to the Hamagen in functionality and also employs logging of GPS location trajectories, and Aarogya Setu (India) [4] which employs both Bluetooth and GPS. In parallel to, and in coordination with the above work, Apple and Google considered the development of decentralised privacy-friendly implementations to help contact tracing. As a result of a collaboration between Apple and Google, a single architecture, called the Google-Apple Exposure Notification (GAEN) [1], was designed for both Android and iPhone. GAEN was constructed as an API and is used as a building block for Bluetooth Low Energy (BLE)-based proximity contact tracing apps around the globe, as: COVID Alert (Canada), CoronaWarnApp (Germany), COVID Tracker (Ireland), SwissCovid (Switzerland), Immuni (Italy), NHS COVID-19 (United Kingdom), COVIDWISE (Virginia), GuideSafe (Alabama), Covid Watch (Arizona), COVID Alert NY (New York), CA notify (California), Care19 Alert (Wyoming), and dozens more. The initial decentralised designs, and the GAEN specifically, got large amount of scrutiny, primarily from academia and primarily regarding its privacy, efficacy, and societal aspects [8,13,15,16]. Risk analysis and security evaluation of a concrete working implementation was also conducted in [9]. GAEN is essentially a privacy-preserving contact tracing which in many scenarios protects the user privacy, namely it doesn’t track the user location and neither Google, Apple, nor other users can access directly the user identity. GAEN, in principle, is based on the following steps: (1) the client’s phone broadcasts Bluetooth pseudo-random identifiers, derived from daily keys; (2) In case the client tests positive, its phone’s daily keys are uploaded to the central server; (3) Periodically (e.g., at the end of the day), the client fetches daily keys of COVID-19 positive users, derives the corresponding pseudo-random identifiers from these daily keys, and matches these derived identifiers against the pseudorandom signals it found through Bluetooth scanning in a given window of time (e.g., the last 14 days). The next step in developing such an architecture is to consider the case of more extensive pandemics, and, specifically, how GAEN needs to be scaled up to deal with these more extensive emergencies. For example, the Omicron wave has been much bigger than the original COVID wave, and we are thinking about a much bigger phenomenon. In addition, one can think of the above happening in big countries where, perhaps, the smartphones are not top of the line. We don’t want to be in a situation where we are hit by a new very large scale pandemic and we cannot adapt and react fast, and this mitigation is a major motivation for us. There are two directions in which GAEN can be scaled up: 1. Reducing Computational Load on the Client’s Phone. As mentioned above, the exposure scores are computed on the client’s phone. When there are many COVID-19 positive users, the client receives many daily keys, for which it should derive 144 identifiers per day. Our key observation is that

Scaling up GAEN Pseudorandom Processes

239

most of the positive users are not relevant for the client since the client was not in contact with them within the last 14 days. For almost every client, the intersection of positive users and users observed in the vicinity of that client, is very small, yet the client’s phone works proportionally to the large number of positive users. The question we deal with is how to decrease the idle work in the client side, of processing keys of users the client never met? In other words, how to filter out fast the non-relevant set of keys? 2. Increasing Client’s Privacy. Revealing the daily key of a positive COVID19 users has two privacy consequences: (1) it becomes easier to track positive users during a day, by linking two signals as belonging to the same user, and (2) it becomes easier to subsequently identify positive users (given side channel information). Therefore, the shorter life-time of a key, the more privacy. On the other hand, if the key is changed more periodically, the bandwidth load will be increased since more keys are uploaded to and downloaded from the central server. The bandwidth can overload the system when the number of infections explodes. The question we deal with is how to dynamically maximize the user’s privacy according to the current rate of infection, without overloading the system? We aim at scaling up GAEN under the constrains that the changes are as incremental as possible, to keep most of the architecture elements working as they are now and to keep the development effort for migration as little as possible. Furthermore, we aim at modifying the GAEN API and not the apps on top of it; this will also support fast migration to the new design. 1.1

Contributions

This paper proposes two improvements to GAEN, which scale up performance, privacy, and coverage, as measures against an extended pandemic. First, we propose a new technique we call “dice and splice” which reduces the computational load on the client’s phone. Our technique sifts out mismatches in a search of pseudo-random sequences which is known to have a lot of mismatches, while performing less cryptographic operations on the average (the optimal parameter will reduce it by a factor of eight). We present the algorithm, analyse its performance, and perform simulation study to confirm the performance analysis. Second, we suggest a new technique we call “forest from the PRF-tree” which increases the client’s privacy by reducing the key life-time, without overloading the server/system bandwidth: the technique dynamically adapts the privacy (i.e., level of linkability among revealed signals) to the current rate of infection. We present the algorithm, analyse its performance, and confirm it via simulations.

2

Background and Notations

We briefly describe here the Google-Apple Exposure Notification (GAEN) [1], composed of the following components, see also Fig. 1:

240

L. David et al.

Fig. 1. GAEN protocol

Key Schedule for Exposure Notification. Each device participating in exposure notification rolls Temporary Exposure Keys (TEKs), one each 24 h. Each key is randomly and independently generated using a cryptographic random number generator. Let TEKi be the TEK on day i, where the day enumeration starts from the Unix Epoch Time. Each TEKi is transformed to an AES key format TEKi = HKDF(TEKi ) and is securely stored along with the day number i. Every second the device broadcasts Bluetooth pseudo-random identifier, referred to as Rolling Proximity Identifier (RPI). Each RPI is changed every 10 min to prevent linkability and wireless tracking, therefore each device broadcasts 144 different RPIs during one day. Let RPIi,j be the j’th RPI of day i. RPIi,j is an encryption of the number j (enumerating from 0 to 143) keyed with TEKi : RPIi,j = AESTEKi (j). To prevent linkability and wireless tracking, the Bluetooth randomized address (MAC) is changed every time the RPI is changed. The device also broadcasts associated Encrypted Metadata, however, since we shall not focus on this part in the following sections, we will not describe it here. The pseudo code appears in Algorithm 1 in the appendix. Positive Diagnosis. When a user tests positive, a relevant set of its TEKs are uploaded to the Central Server. This set of TEKs is limited to the time window in which the user could have been exposing other users (for example, the most recent 14 days). If a user remains healthy and never tests positive, its TEKs don’t leave the device. The Central Server then aggregates the TEKs of all users who have tested positive without holding any other specific information associated with these keys, and distributes them (via downloads) to all the user clients.

Scaling up GAEN Pseudorandom Processes

241

Exposing Process. The client collects RPIs from users in its vicinity and stores them in a hash table, where each collected RPI is stored together with its day number and its interval number. More formally, let H be the hash table the client maintains and let Si,j be a set of exposure RPIs the client found through BLE scanning during the j’th interval of day i. Every day i: ∀j ∈ [0, 143], ∀RPI ∈ Si,j : insert (RPI, i, j) to H. The client removes from H old entries which are not relevant anymore, namely entries with old i which are not within the last 14 days. The pseudo code appears in Algorithm 2 in the appendix. Matching Process. To identify an exposure, each client periodically fetches the last 14 TEKs of all new positive users together with their associated day numbers. Then, for any TEK in this set, the client derives the 144 RPIs per day that were broadcast over Bluetooth from these new positive users. The client’s goal is to check whether there is a match between these derived RPIs and the exposure RPIs the client found through its BLE scanning during the last 14 days. More formally, let Kxi be the TEKs associated with day x of users who tested positive on day i. Then, given the client checks for a match on day i, it i . Then, for any day x ∈ [i − 13, i] and for any TEK ∈ Kxi , the fetches Kii , ..., Ki−13 client calculates AES ciphertext for any interval j ∈ [0, 143] keyed with TEK. The client applies the following hash table lookup to check for a match (see Fig. 1): ∀x ∈ [i − 13, i], ∀TEK ∈ Kxi , ∀j ∈ [0, 143] : is (AESTEK (j), x, j) in H? Some window of mis-synchronization is allowed: a ± two-hour tolerance window is allowed between when a derived RPI from TEK of positive user was supposed to be broadcast, and the time at which it was scanned. The pseudo code appears in Algorithm 3 in the appendix. Notations. Throughout the paper we use the following notations: – n: the number of devices in the vicinity of a user during the last 14 days, where vicinity is determined epidemiology. – m: the number of new positive users per day. Notice that m is usually much larger than n. For example, in January 2022, U.S. reported 1.35 million COVID-19 cases in a day [18]. Obviously, the average person meets much less users in its vicinity during 14 days in a pandemic period.

3

Dice and Splice: Fast Elimination of Irrelevant Keys

In this section we suggest the probabilistic dice and splice filtering scheme which reduces the client number of computations by a factor of d ≥ 2, where d = 8

242

L. David et al.

is what we found to be optimal. The idea of this technique is to re-arrange the RPIs which the user broadcasts in a way that enables less AES computations on the average at the user side at the matching process, see Fig. 3. We describe the changes first intuitively and then formally for d ≥ 2. Intuitively speaking, the client generates its new re-arranged RPIs from the original RPIs in the following three steps: (1) It groups d consecutive RPIs starting from index 0, namely it groups the original RPIs corresponding to indices [0, d − 1], then to indices [d, 2d − 1], etc.; (2) It dices each original RPI into d chunks of equal size; (3) Finally, it splices a chunk of each different original RPI in the group to create its new RPIs to be broadcast. At the end of the process, any new re-arranged RPI in this group is composed of d equal-size chunks, each chunk is taken from one original AES encryption generated RPI in this group. The process of dicing and splicing is very efficient and negligible compared to a single AES encryption. In the exposure process, again intuitively speaking, the client collects exposure RPIs and hashes chunks of RPIs into the hash table (as opposed to hashing the entire RPI as in the original GAEN). Then, in the matching process, the client derives the RPIs of positive users but only for intervals divisible by d and divides each derived RPI into d chunks (each of these chunks belongs to a different new re-arranged RPI of the consecutive d intervals). Finally, it looks for a chunk-match in the chunk hash table. If all the d chunks of one derived RPI (in a divisible by d interval) are not chunk-matched, then the extra d − 1 RPIs (for the consecutive non-divisible by d intervals) should not be derived. Thus, with one AES computation we eliminate d possible matches. This is the typical case since most keys don’t correspond to exposure RPIs. In case there is a match in one of the d chunks, the client incrementally computes AES computations to verify that there is a full match. As we shall see in the probability analysis in Sect. 3.3 and in the simulation study in Sect. 3.4, for d = 2, 4, 8, the false positive is significantly small, therefore on the average the client filters out non-relevant RPIs in 1/d time and power (measured by AES computations). If, however, there is a match of one chunk in one RPI in the group, the client can then compute the other d − 1 chunks of this RPI only by computing additional d − 1 AES computations of the specific positive user (this computation is rare). Now we describe our technique formally. We first describe the case of d = 2, then we expand to the general d ≥ 2. We then discuss the best values for d for our design, analyse its computational time and power and compare it to the original GAEN, and show some simulation study to validate the improvements of our design. Notations. Let T [a : b] be a sub-string of T from position a (include) to position b (include). Let T [r] be the r’th chunk of the string T , where each chunk is of size 128/d bits and r ∈ [0, d − 1]. Let the sign || denotes the concatenation operation.

Scaling up GAEN Pseudorandom Processes

243

Fig. 2. The first d re-arranged RPIs for d = 2 (Left) and d = 4 (Right).

3.1

For d = 2

RPI Generation Process. Let AESi,j be the AES encryption of interval j keyed with TEKi : AESi,j = AESTEKi (j). In our design, similarly to the original design, on every day i the client generates 144 AES encryptions AESi,j , each associated with interval j ∈ [0, 143]. In the original GAEN RPIi,j = AESi,j . In our protocol, on the other hand, the client broadcasts re-arrangements of substrings of consecutive AES ciphertexts. Namely, for any r ∈ [0, 71] the RPIs of the two intervals j = 2r, 2r + 1 are composed of chunks of the two consecutive AES ciphertexts of 2r, 2r + 1 (see Fig. 2 left): RPIi,2r = AESi,2r [0] || AESi,2r+1 [1] RPIi,2r+1 = AESi,2r+1 [0] || AESi,2r [1] So any new re-arranged RPI is a “composed ciphertext” of two chunks from two different AES ciphertexts. Note that, there are two different ways to re-arrange the RPIs. We choose the above re-arrangement arbitrarily. Remark: it is, by now, an easy cryptographic fact that the re-arrangement of two pseudo-random strings results in two pseudo-random strings as well. Exposing Process. Similarly to the original GAEN, the client collects RPIs from users in its vicinity and stores them in a hash table, where each collected RPI is stored together with its day number and its interval number. However, instead of storing the whole 128-bits RPIs it only stores chunks of 64-bits. For RPIs associated with even intervals the client inserts the first half chunk and for RPIs associated with odd intervals it inserts the second half chunk (see Fig. 3 rectangles in the grey cloud): ∀j ∈ [0, 143], ∀RPI ∈ Si,j :If j If j

mod 2 = 0 : insert (RPI[0], i, j) to H. mod 2 = 1 : insert (RPI[1], i, j) to H.

As before, the client also removes every day non-relevant entries from H. Matching Process. Similarly to the original GAEN, to identify an exposure, each client periodically fetches the last 14 TEKs of all new positive users together with their associated day numbers, and derives their corresponding RPIs. However, in our technique it derives RPIs corresponding to even intervals only,

244

L. David et al.

Fig. 3. GAEN using the “dice and splice” process for d = 2.

Fig. 4. If there is a 64-bits match, the corresponding next odd AES ciphertext is computed and the next 64-bits is compared.

namely half of the original amount. Therefore, for any day x ∈ [i − 13, i], for any TEK ∈ Kxi and for any even interval j ∈ [0, 143] within the day x, the client calculates AES ciphertext and applies the following hash table lookup to check for a chunk match of 64-bits (see Fig. 3 double headed arrows): ∀x ∈ [i − 13, i],∀TEK ∈ Kxi , ∀j ∈ [0, 143], : If j mod 2 = 0 : is (AESTEK (2j/2)[0], x, j) in H? If j

mod 2 = 1 : is (AESTEK (2j/2)[1], x, j) in H?

In case of a 64-bits match, the corresponding odd complementary AES is computed and the corresponding 64-bits are compared as depicted in Fig. 4. Notice that the only difference in this enhancement is in the RPI format generated/collected and manipulated by clients as part of the RPI processing

Scaling up GAEN Pseudorandom Processes

245

Fig. 5. GAEN using the “dice and splice” process for d = 4.

in the GAEN API managed by the operating systems providers. Otherwise, the server and the app itself do not change. 3.2

For General d ≥ 2

In this section we generalize our fast elimination to save factor of general d ≥ 2. RPI Generation Process. For any r ∈ [0, 144/d − 1], the client generates d new re-arranged RPIs of intervals [dr, dr + d − 1] from d consecutive AES encryptions of [dr, dr + d − 1] in the following way (see Fig. 2 right): RPIi,d·r = AESi,d·r [0] || AESi,d·r+1 [1] || ... || AESi,d·r+d−1 [d − 1] RPIi,d·r+1 = AESi,d·r+d−1 [0] || AESi,d·r [1] || ... || AESi,d·r+d−2 [d − 1] RPIi,d·r+2 = AESi,d·r+d−2 [0] || AESi,d·r+d−1 [1] || ... || AESi,d·r+d−3 [d − 1] ... RPIi,d·r+d−1 = AESi,d·r+1 [0] || AESi,d·r+2 [1] || ... || AESi,d·r [d − 1] The pseudo-code appears in Algorithm 4 in the appendix. Exposing Process. The client prepares chunk-based hash table as before, and inserts one 128/d-bits chunk for each exposure RPI together with the day number and the interval number to H, as following (see Fig. 5 the rectangles in the grey cloud that the double headed arrows are pointing at): ∀j ∈ [0, 143], ∀RPI ∈ Si,j : if j if j ... if j

mod d = 0 insert (RPI[0], i, j) to H. mod d = 1 insert (RPI[1], i, j) to H. mod d = d − 1 insert (RPI[d − 1], i, j) to H.

246

L. David et al.

Fig. 6. If there is a 32-bits match, the corresponding next AES ciphertext is computed and the next 32-bits is compared. These AES computations are done incrementally until there is a failure or a complete match.

As before, the client also removes non-relevant entries in H. The pseudo-code appears in Algorithm 5 in the appendix. Matching Process. The client derives the RPIs from the last 14 TEKs of all the new positive users, but this time, it derives RPIs corresponding to intervals divisible by d only. For any day x ∈ [i − 13, i], for any TEK ∈ Kxi and for any divisible by d interval j ∈ [0, 143] within the day x, the client calculates AES ciphertext and divides it into d chunks (each chunk corresponds to a different re-arranged RPI from a different interval out of the consecutive d). Finally, the client applies the following hash table lookup to check for a chunk-match of 128/d-bits (see Fig. 5 the double headed arrows): ∀x ∈ [i − 13, i], ∀TEK ∈ Kxi , ∀j ∈ [0, 143] : if j if j if j

mod d = 0 : is (AES(TEK, j/dd)[0], x, j) in H? mod d = 1 : is (AES(TEK, j/dd)[1], x, j) in H?

... mod d = d − 1 : is (AES(TEK, j/dd)[d − 1], x, j) in H?

Now, if there is a match between a chunk in one exposed new re-arranged-RPI and a corresponding chunk in one derived RPI associated with TEK, then the client derives the AES ciphertext of the ‘next’ interval which is the incremented by one interval modulo d, keyed the same TEK (see Fig. 6). The client then checks whether the ‘next’ chunk (incremented by 1 modulo d) in the next AES ciphertext matches the next chunk in the same exposed re-arranged RPI for which was the chunk-match in the first place. These AES computations are done incrementally as needed in case there is a partial match, until there is a

Scaling up GAEN Pseudorandom Processes

247

failure or a complete match. Notice that the client computes at most additional d−1 AES computations only for TEKs for them there is a relevant chunk-match. The pseudo-code appears in Algorithm 6 in the appendix. 3.3

Performance Analysis

In this section we calculate the expected number of AES computations which the client needs to do in the matching step thanks to the “dice and splice” technique and given the client was not next to a COVID-19 positive user. Notice that the number of computations in the RPI generation process doesn’t increase since the regular procedure and the new technique, both, calculate 144 AES ciphertexts which is the dominant factor. Therefore our “dice and splice” gets a faster matching running time, without any further cost. Recall that n denotes the number of users that the client was in contact with during the last 14 days. We analyse for the worst case and assume that these n users are next to the client during all the 144 intervals of the last 14 days. In the following analysis we count the expected number of AES computations in the matching process according to the j mod d value of the intervals. Let Ar be the total number of AES computations in the matching step in intervals j such that (j mod d) = r. According to the matching process in the “dice and splice” design, we first calculate 144m/d AES computations, namely m AES computations for each interval j such that (j mod d) = 0: Exp(A0 ) =

144m . d

Now, we calculate the probability for false positive, namely the probability of having a partial match although the client was not in contact with a positive user. Given two 128-bits strings, each composed of d chunks of size 128/d, the probability of the i’th chunk of one string to be equal to the j’th chunk of the other string, is: 1 Pr(false positive) = 128/d . 2 Next, we calculate the number of additional AES computations in intervals j mod d = 1. Intuitively speaking, for each partial match (false positive in this case) in intervals j mod d = 0, we compute another AES, namely the corresponding “next” AES of the relevant TEK, as described above. More precisely, for each computed AES at interval j mod d = 0 there is a need to compute AES at interval j + 1 if one of the following happens (see also Fig. 5): (1) the first chunk of one of the n RPIs at interval j matches the first chunk of this AES; or (2) the second chunk of one of the n RPIs at interval j + 1 matches the second chunk of this AES; ... (d) the d’th chunk of one of the n RPIs of interval j + d − 1 matches the d’th chunk of this AES. Notice that if there are several different chunks in several different RPIs which match the same AES, only one AES is computed (the relevant “next” one) and not as the number of matches. But, as mentioned above, we analyse for the worst case, therefore we assume

248

L. David et al.

that any match implies AES computation. Therefore the expected number of additional AES computations at intervals j such that (j mod d) = 1 is: Exp(A1 ) =

1 144m 144mn · (n · d · 128/d ) = 128/d . d 2 2

Now, for each AES in interval j mod d = 1, we check for the relevant match with the relevant RPI and the relevant chunk. Again, since the false positive 1 probability is 2128/d , the expected number of AES computations (again, in the worst case) in intervals (j mod d) = 2 is: Exp(A2 ) =

144mn 1 · 128/d . 128/d 2 2

We continue in the same way, calculating the expected number of AES computations at intervals j till (j mod d) = d − 1. We sum up the expected AES computations in intervals j from (j mod d) = 0 till (j mod d) = d − 1: Exp(A0 + . . . + Ad−1 ) =

1 144m 1 1 + 144mn( 128/d + ( 128/d )2 + . . . + ( 128/d )d−1 ) d 2 2 2

which is summed up to: Exp(A0 + . . . + Ad−1 ) =

1 ( 128/d )d − 1 144m + 144mn · ( 2 1 − 1). d −1 2128/d

As we can see there is a trade-off between the false positive probability and the factor of saving. The higher is d, the smaller number of initial computations, however the higher is also the false positive, therefore more additional computations. We recommend on d = 8 in which the false positive probability is relatively small 1/65536, and at the same time the saving factor d = 8 is relatively high. To summarize, if we use d = 8, then we speed up amount of AES computations in matching step by 1/8 +  on the average. Namely, we receive a faster running time, without any further cost. 3.4

Simulation Study

We simulated the number of AES computations the client’s smartphone needs to do in the matching process for different values of d = 2, 4, 8, 16, assuming the client was not in contact with a positive user. Similarly to the probability analysis, we calculated the number of AES computations in the worst case, assuming the client was in contact with all the n users during all the 144 intervals of the last 14 days. We chose typical numbers for m = 1000, and showed the results for different typical values of n = 0, 10, 20, 30, 40, 50. For any chosen d and n, we calculated the number of AES computations, repeating this process 10 times and taking the average. The results are summarized in Fig. 7. We explain each line from top to bottom: The upper blue dashed line represents the number of AES computations

Scaling up GAEN Pseudorandom Processes

249

Fig. 7. Number of AES computations in the matching step: (blue) original GAEN, (orange) “dice and splice” d = 2, (green) d = 4, (red) d = 8, (purple) d = 16. (Color figure online)

in the original matching, in which there are 144,000 AES computations. The second upper line (orange) represents the number of AES computations using the dice and splice technique for d = 2. As can be seen, the number of AES computations is half, only 72,000, therefore saving factor of 2 comparing to the original matching step. In addition, we can also see that since the false positive is negligible, n doesn’t affects the number of AES computations which stays stable for any n ∈ [0, 50]. The next line (green) represents the number of AES computations for d = 4. Again, in this case we save factor of 4, and since the false positive is negligible, the result is stable for any chosen n. The red line represents the number of AES computations for d = 8 which saves factor of 8 and remains essentially stable since the false positive is still relatively small. The purple line, on the other hand, behaves differently. This purple line represents the d = 16, and as can be seen, in this case n starts to influence. This happens since the false positive for d = 16 is 1/256, which is no longer negligible. Therefore, n starts to affect: the more users the client hears, the higher chance for (false-positive) chunk match, therefore the more AES computations.

4

The Forest from the PRF-tree: Elastic Adaptation of TEK Period

Recall that in the original design, any client broadcasts RPIs with TEKs that changed every fixed T = 24 h. However, this long life-time of a key opens the door for a privacy problem: identifying two RPIs coming from the same TEK, namely from the same user (who is likely the one who is infected). For example: if there is a match during a part of the day in which the client met only one person, then the client can link the TEK for which there was a match with this person and can identify this person’s RPIs during the day before/after the meeting. To mitigate the above privacy problem, shorter life-time of a key can be chosen for T , e.g., T = 10 min. However, shortening T forces all the clients

250

L. David et al.

Fig. 8. A tree of PRF derivation

to upload/fetch more keys every day, which can overload the system when there are many COVID-19 positive users. Next we describe our “forest from the PRF-tree” technique which elastically and dynamically maximizes the user privacy (namely the number of TEKs per day) according to the current rate of infection, without overloading the server bandwidth. 4.1

The Elastic-key Protocol

We employ the GGM construction of Goldreich, Goldwasser and Micali [14], see Fig. 8. In the PRF tree, the root is the original daily TEK, denoted by k00 . The left (right) child is the key computed by encrypting the value 0 (1) using the key k00 , i.e., Enc(k00 , 0), (Enc(k00 , 1)). Assuming AES is pseudo-random function, when presented with the two derived keys k00 , k01 , one cannot distinguish them from two random values of the same size, hence one cannot decide that they belong to the same tree. This holds for any set of nodes from any given level in the tree. Each level r contains 2r keys, such that kxy denotes the key in level x at position y within level x, where x = 0 indicates the root and y = 0 indicates the leftmost position in each level. All the keys in level r are independent of each other. In order to have 144 different keys, the user generates a full binary tree of 128 leaves, takes the leftmost 16 leaves in this full binary tree and computes another level, expanding them each to two nodes. Given an inner node key, one can only go forward in the sub-tree and generate the sub-tree of this inner node key, however it cannot go backward. Next we describe the elastic-key protocol, see also Fig. 9: 1. RPI generation: the client generates the PRF tree from its daily root key to get 144 keys per day as above. The client stores the initial root key. 2. RPI broadcast: the client broadcasts the 144 leaf keys as its RPIs over the day. 3. Load parameter broadcast: Each day the server sends to all users a new parameter r which is derived from the current load of the positive users on that day. This parameter r ∈ [0, 8] is the deepest level in the PRF-tree s.t. according to the expected rate of infection, uploading 2r keys per day doesn’t overload the system. 4. Keys upload: a COVID-19 positive user uploads keys according to the received current bandwidth load parameter r, namely it uploads at most 2r seeds of

Scaling up GAEN Pseudorandom Processes

251

Fig. 9. The elastic key upload/download with “forest from the PRF-tree” technique

level r in its PRF-tree, each seed is tagged with its position in the level from left to right. The seeds are the TEKs of the day. 5. Server storage: the server stores at most 2r seeds of each COVID-19 positive user. If the server stores the 2r seeds (per day) of the same positive user together, then a client which fetches these 2r seeds, will be able to link these seeds as coming from the same positive user. To prevent this, the server stores 2r sets, such that the i’th set contains the i’th seed of all the positive users. Each such set is then shuffled randomly. 6. Key download: each client receives: (1) at most 2r sets of seeds (sets of TEKs) of level r, each set is tagged with its position within [0, 2r − 1]; and (2) the parameter r itself. The client goes over the (at most) 2r sets. For any TEK in the i’th set it computes a tree rooted by this TEK such that the root represents level r and the leaves sit at level 7 or 8, depending on its location in the original big PRF-tree. Then, the client looks for a match based on the leaf keys which are the derived RPIs. 4.2

Combining “Forest from the PRF-Tree” with “Dice and Splice” Techniques

If we limit r so that there are enough leaves in the subtree and never use higher r, then we can apply “dice and splice” to subtrees starting at the r level. 4.3

The Cost-Privacy Trade-off of the Elastic Key GAEN

The trade-off in our elastic key GAEN is between the user privacy and the bandwidth load. Namely, for a parameter r: – The user privacy: Since each positive user uploads at most 2r independent pseudo-random keys per day, a client who fetches these keys cannot link between the different 2r keys of the same user. However, it can link within the (at most) 28−r TEKs in the same subtree. – The bandwidth load: Since each positive user uploads at most 2r pseudorandom keys per day, the bandwidth will multiplicatively blow up by a factor of at most 2r .

252

L. David et al.

Fig. 10. x-axis is the day number and y-axis is in logarithmic scale. Left: number of positive users (black), the number of keys uploaded by a positive user with the “forest from PRF-tree” (blue), and in the original GAEN (green). Right: (red) maximum system load, (blue) system load in our algorithm, (green) system load in GAEN. (Color figure online)

We can conclude that using the “Forest from the PRF-tree” technique the user can maximize its privacy according to the current rate of infection without overloading the server bandwidth. Notice that the additional cost of the user work is small, the user cost in our design is multiplied by factor of 2 due to computing a binary tree on top of the leaves and identifying the leaf TEKs as RPIs. 4.4

Simulation Study

We first determine the number of positive users per one day in our simulation to be 1.1t , where t indicates the day number. We also determine the maximum system load to be x = 1000, where the system maximum load indicates the maximum uploaded keys per one day that the system can handle. Now we run our elastic key algorithm. The server first sends the highest parameter r which enables any user to upload 144 keys per day. When the number of expected positive users multiplied by the number of keys per positive user exceeds the limit x, the system decreases r to a number such that the multiplication of 2r with the number of expected users will not exceed the limit x. In Fig. 10 the x-axis is the day number t and the y-axis is in logarithmic scale. Let’s start with the left figure: The black graph is the number of positive users as function of day t. The blue line is the number of keys per one positive user in our algorithm for any day t. The green line is the number of keys per one positive user in the original GAEN algorithm, which is fixed on one. We multiplied the blue and the black lines, namely the number of positive users times the number of keys per one positive user, to get the total load represented by the blue line in the right graph. As can be seen, this blue line doesn’t exceed the limit which is represented by the red line in the right figure. The green line represents the system load of the original GAEN, which is one key per positive user times the number of positive users (is identical to the black line in the left figure). As can be seen, the “forest from the PRF-tree” technique always attempts to exploit the allowed load to the maximum, to assure maximum privacy.

Scaling up GAEN Pseudorandom Processes

A

253

Pseudo-Codes

Algorithm 1. Generating RPIs for GAEN Input: TEKi : the user’s key of day i Output: The 144 RPIs the user broadcasts on day i for j = 0 to 143 do RPI[j] = AESTEKi (j) end for

Algorithm 2. GAEN Exposing Input: i - the current day, Si,j - a set of exposure RPIs during the j’th interval of the i’th day, H- hash table containing all the exposure RPIs during the last 14 days for j = 0 to 143 do for RPI ∈ Si,j do insert (RPI, i, j) to H end for end for Remove from H entries associates with day i − 14.

Algorithm 3. GAEN Matching Input: i - the current day, Si,j - a set of exposure RPIs during the j’th interval of the i’th day, Hhash table containing all the exposure RPIs during the last 14 days, Kxi - set of TEKs associated with day x of users who tested positive on day i. Output: Whether one of the exposure RPI is associated with COVID-19 positive. for x ∈ [i − 13, i] do for TEK ∈ Kxi do for j = 0 to 143 do if (AESTEK (j), x, j) in H then return true end if end for end for end for return false

Algorithm 4. Generating RPIs in the “Dice and Splice” Design Input: TEKi : the user’s key of day i Output: The 144 RPIs the user broadcasts on day i 1: for j = 0 to 143 do 2: T [j] = AESTEKi (j) 3: end for 4: j = 0 5: while j < 144 do 6: for r = 0 to d − 1 do 7: for t = 0 to d − 1 do 8: RPI[j + r][t] = T [j + (t + d − r) mod d][t] 9: end for 10: end for 11: j =j+d 12: end while

254

L. David et al.

Algorithm 5. Exposing step in the “Dice and Splice” Design Input: i- the current day, Si,j - a set of exposure RPIs during the j’th interval of the i’th day, H- hash table containing all the exposure RPIs during the last 14 days. 1: for j = 0 to 143 do 2: for RPI ∈ Si,j do 3: insert (RPI[j mod d], i, j) to H 4: end for 5: end for 6: Remove from H entries associated with day i − 14.

Algorithm 6. Matching step in the “Dice and Splice” Design Input: i- the current day, Si,j - a set of exposure RPIs during the j’th interval of the i’th day, H- hash table containing all the exposure RPIs during the last 14 days, Kxi - set of TEKs associated with day x of users who tested positive on day i. Output: Whether one of the exposure RPI associated with a COVID-19 positive. 1: for x ∈ [i − 13, i] do 2: for j = 0 to 143 do 3: for TEK ∈ Kxi do 4: if (AESTEK (j/dd)[j mod d], x, j) in H then 5: Let RPI be the exposure RPI in H for which there is a match. 6: r=1 7: while r < d do 8: T = AESTEK (j/dd + r) 9: if RPI[(j + r) mod d] = T [(j + r) mod d] then 10: break 11: end if 12: r =r+1 13: end while 14: if r == d then 15: return true 16: end if 17: end if 18: end for 19: end for 20: end for 21: return false

References 1. Apple google: privacy-preserving contact tracing (2020).https://www.apple.com/ covid19/contacttracing 2. Covidsafe. https://github.com/AU-COVIDSafe 3. Hamagen: The Israel’s ministry of health’s COVID-19 exposure prevention app. https://github.com/MohGovIL/hamagen-react-native/blob/master/README. md 4. Ministry of electronics and information technology. Aarogya Setu. https://github. com/nic-delhi/AarogyaSetu Android 5. Opentrace. https://github.com/opentrace-community

Scaling up GAEN Pseudorandom Processes

255

6. The Robert (2020). https://github.com/ROBERT-proximity-tracing/document 7. Stopcovid. https://www.euronews.com/2020/04/29/coronavirus-french-mpsapprove-covid-%19-tracing-app-despite-privacy-concerns 8. Ahmed, N., Michelin, R.A., Xue, W., Ruj, S., Malaney, R., Kanhere, S.S., Seneviratne, A., Hu, W., Janicke, H., Jha, S.K.: A survey of COVID-19 contact tracing apps. IEEE Access 8, 134577–134601 (2020) 9. Ahmed, S., et al. Privacy guarantees of BLE contact tracing: a case study on COVIDWISE. arXiv preprint arXiv:2111.08842 (2021) 10. Bay, J., et al.: BlueTrace: a privacy-preserving protocol for community-driven contact tracing across borders. Tech. Rep, Government Technology Agency-Singapore (2020) 11. Canetti, R., et al.: Privacy-preserving automated exposure notification. IACR Cryptol. ePrint Arch. 2020, 863 (2020) 12. Chan, J., et al.: Pact: privacy sensitive protocols and mechanisms for mobile contact tracing. arXiv preprint arXiv:2004.03544 (2020) 13. Elmokashfi, A., wt al.: Nationwide rollout reveals efficacy of epidemic control through digital contact tracing. medRxiv (2021). https://www.nature.com/ articles/s41467-021-26144-8 14. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM (JACM) 33(4), 792–807 (1986) 15. Landau, S.: Digital exposure tools: esign for privacy, efficacy, and equity. Science 373 (6560), 1202–1204 (2021). https://www.science.org/doi/10.1126/science. abi9852 16. O’Connell, J., O’Keeffe, D.T.: Contact tracing for COVID-19-a digital inoculation against future pandemics. N. Engl. J. Med. (2021). https://www.nejm.org/doi/ full/10.1056/NEJMp2102256?query=featured home 17. Raskar., R.: Covid-safePaths. https://github.com/Path-Check/covid-safe-paths 18. Shumaker, L.: U.S. reports 1.35 million COVID-19 cases in a day, shattering global record. https://www.reuters.com/business/healthcare-pharmaceuticals/usreports-least-11-mln-covid-cases-day-shattering-global-record-2022-01-11/ 19. Troncoso, C., et al.: Decentralized privacy-preserving proximity tracing (2020)

Crypto

Generic Construction of Trace-and-Revoke Inner Product Functional Encryption Fucai Luo1,2 , Saif Al-Kuwari2 , Haiyan Wang1(B) , and Weihong Han1,3 1

2

Department of New Networks, Peng Cheng Laboratory, Shenzhen, China [email protected] College of Science and Engineering, Hamad Bin Khalifa University, Doha, Qatar 3 Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou, China

Abstract. A traitor tracing system is a multi-receiver encryption that allows an authority or an arbitrary party (in the case of public traceability) to identify malicious users (traitors) that collude to create a pirate decoder. A trace-and-revoke system is an extension of the traitor tracing system where there is an additional user revocation mechanism that the content distributor can use to disable the decryption capabilities of compromised keys. Trace-and-revoke systems have been extensively studied in the settings of broadcast encryption (BE), identity-based encryption (IBE), and attribute-based encryption (ABE), but not functional encryption (FE). Recently, Do, Phan and Pointcheval (CT-RSA’20) studied traitor tracing for FE and proposed the first traceable inner-product functional encryption (IPFE) scheme. However, their scheme is selectively secure against chosen-plaintext attacks and supports one-target black-box traceability (a weaker notion of black-box traceability). In addition, their scheme does not support public traceability nor user revocation. In this work, we study trace-and-revoke mechanisms for FE and propose the first efficient trace-and-revoke IPFE systems from standard assumptions. Our schemes support public, black-box traceability, and are proven adaptively secure against chosen-plaintext attacks in the standard model. Technically, our construction is generic and relies on a generic transformation from IPFE schemes to trace-and-revoke IPFE systems. For traitor tracing systems, our generic construction also implies the first traceable IPFE schemes that simultaneously support public, black-box traceability, and achieve adaptive security. This provides a significant improvement over the previous traceable IPFE construction by Do, Phan and Pointcheval. Keywords: Attribute-based encryption (abe) · Trace-and-revoke system · Inner-product functional encryption · Black-box traceability

c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 259–282, 2022. https://doi.org/10.1007/978-3-031-17140-6_13

260

1

F. Luo et al.

Introduction

As cloud computing is rapidly becoming a popular computing platform, concerns about its security and privacy are increasingly being raised. Consequently, various cryptosystems have been proposed to address such concerns. However, key management, key leakage (including illegal copy of key) and other key related problem related to cryptosystem become increasingly prominent, which seriously hinder its wide application in cloud computing. Fortunately, a traitor tracking system was proposed to address the problem of illegal key disclosure [22]. In a traitor tracing system, an authority generates a public key pk, a master secret key msk, and secret keys for legitimate users, so that the ciphertext for any message under the public key pk can be correctly decrypted by any of these legitimate users. Since we can hardly prevent the legitimate users in the system from making copies of their secret keys and selling them for financial gain, traitor tracing systems provide the following tracing property to deter such malicious behavior: if some malicious users collude to construct a pirate decoder that is capable of decrypting the ciphertext with a non-negligible probability, then there is an efficient tracing algorithm that outputs the identity of at least one malicious user by interacting with any such (black-box) pirate decoder. Since its inception, traitor tracing mechanisms have been extensively studied in the settings of public key encryption (PKE) [32,45], broadcast encryption (BE) [22,40], identity-based encryption (IBE) [3,36], and attribute-based encryption (ABE) [42,43]. However, to the best of our knowledge, traitor tracing mechanisms have not been considered for functional encryption (FE) systems [19,48] until recently [23]. FE is an attractive cryptographic primitive that overcomes the all-or-nothing property of traditional PKE. In [23], the authors introduced the notion of traceable FE, and gave a concrete construction of traceable inner-product functional encryption (IPFE) by integrating the Boneh-Franklin tracing technique [16] into the IPFE scheme of Abdalla et al. [2]. However, their scheme is proven selectively secure against chosen-plaintext attacks under the Bilinear Decisional Diffie-Hellman (BDDH) assumption [26] and supports a weaker notion of black-box traceability that they called one-target black-box traceability under the Decisional Diffie-Hellman (DDH) assumption [14]. In fact, they left improving the security level of traceability of the traceable IPFE scheme as an open problem. Moreover, their scheme does not support public traceability because their tracing algorithm requires the master secret key. In this paper, we resolve this problem. In practice, simply identifying the traitors who construct a pirate decoder is not enough; it is desirable to disable the decryption capabilities of the traitors. This gives rise to trace-and-revoke systems [46] that combine these two functionalities so that whenever a pirate decoder is found, we can use the tracing algorithm to identify the traitors, add these traitors to a revocation set R, and let future ciphertexts be generated with respect to R in a way that the ciphertexts can only be decrypted by users id ∈ / R. However, most trace-and-revoke systems have only been intensively studied in the context of PKE [40,41,45], IBE [8,50], BE [20,34,46,47] and ABE [10,44,53], but not FE. Indeed, trace-

Generic Construction of Trace-and-Revoke Inner Product

261

and-revoke systems are notoriously difficult to construct [20]. In this paper, we consider constructing an efficient trace-and-revoke systems for IPFE. Functional Encryption. In a FE scheme for a family of functions F, an authority generates a public key pk, a master secret key msk, and a secret key skf for every function f ∈ F. Given a ciphertext c for a message x under the public key pk, any user who has skf can obtain f (x) by decrypting c, but not x. FE is a general concept as it encompasses many cryptographic primitives such as BE [7,24], searchable encryption [15,29], IBE [17,39], hidden-vector encryption [30,38] and ABE [18,35]. However, most research efforts were devoted to constructing FE schemes for some restricted functions [4,9,11], especially for innerproduct functions (linear functions) [1,2,6], because constructing fully-secure FE for general functions relies on indistinguishable obfuscation or multilinear maps [27,28], which are very inefficient in practice; by contrast, inner-product function is not only efficient enough for practical deployments, but also remains expressive enough to support many interesting applications. 1.1

Our Results

In this paper, we propose an efficient generic construction of trace-and-revoke IPFE schemes. Our construction relies on a generic transformation from IPFE schemes to trace-and-revoke IPFE schemes. Based on our generic transformation, we can obtain trace-and-revoke IPFE schemes from Learning with Errors (LWE) [52], DDH, and Decisional Composite Residuosity (DCR) [49], respectively. Our contributions can be summarized as follows: 1. We first introduce a new primitive called trace-and-revoke IPFE, which extends the previous notion of traceable IPFE [23]. 2. We give an efficient generic construction of trace-and-revoke IPFE, and prove that our construction supports public, black-box traceability (cf. Definition 7) and is adaptively secure against chosen-plaintext attacks (cf. Definition 6). In addition, our construction supports user revocation, which, to the best of our knowledge, implies the first IPFE schemes under standard assumptions supporting direct user revocation. 3. It is straightforward to get two trace-and-revoke IPFE schemes from LWE and DCR assumptions by instantiating our generic construction with the adaptively secure IPFE schemes based on LWE over Zq and DCR over ZN of [6], respectively. 4. We cannot directly instantiate our generic construction with the adaptively secure IPFE schemes based on DDH over Z of [6] to obtain a trace-andrevoke IPFE scheme based on DDH, since this scheme seems incompatible with our generic construction. Thus, we give a concrete instantiation of traceand-revoke IPFE schemes from DDH assumption in Sect. 5.2. Simply letting the revocation set R be an empty set, we can obtain a construction of traceable IPFE scheme based on DDH (see Remark 5).

262

F. Luo et al.

Compared with the only previous traceable IPFE scheme based on DDH and BDDH proposed by Do, Phan and Pointcheval [23], our traceable IPFE scheme based on DDH performs slightly worse in terms of parameters, but the decryption algorithm of our scheme may be more efficient because there is no expensive bilinear operation. Moreover, recall that the traceable IPFE scheme of [23] is proven selective secure and supports one-target black-box traceability (see Remark 4); and since the tracing algorithm in [23] requires the master secret key msk, it does not supports public traceability. By contrast, our scheme is proven adaptive secure and supports public, black-box traceability (see Remark 5). These comparisons are summarized in Table 1. In summary, our generic construction yields the first trace-and-revoke IPFE schemes under standard assumptions that simultaneously support adaptive security, public, black-box traceability, and user revocation; and for traitor tracing system, our generic construction also implies the first traceable IPFE schemes under standard assumptions that simultaneously support public, black-box traceability, and achieve adaptive security. Remark 1. Like [23], the inner-products supported by our trace-and-revoke IPFE scheme based on DDH are limited to small intervals, as the decryption needs to compute a discrete logarithm of the inner product (see end of Sect. 5.2). On the other hand, our trace-and-revoke IPFE schemes based on LWE and DCR support general inner-products that are not subject to small-interval restriction.

1.2

Our Techniques

Our work is inspired by Agrawal et al. [5], who proposed a generic construction of the trace-and-revoke scheme from IPFE. We cannot directly apply the framework of [5] to IPFE, because IPFE scheme is for a k-dimensional vector y ∈ Zkp (k > 1), whereas [5] is for a 1-dimensional vector y ∈ Zp . Therefore, from this point of view, our generic construction can be seen as an extension of [5]. We first revisit the connection between trace-and-revoke and IPFE systems, and combine the approach from [5] with tensor product of vector spaces (typically denoted ⊗). We start with a brief overview of the trace-and-revoke public-key Table 1. Comparison of traceable IPFE schemes. Scheme†‡ |pk| [23] Ours§

|msk| |sk| |c|

Public Security

Traceability Bilinear map

No

One-target

2 + 4 2

1

2

2 + 3 22

2

2 + 2 Yes

Selective

Adaptive Adaptive

Yes No

† |pk|, |msk|, |sk|, and |c| denote the sizes of the public key, the master secret key, the secret key, and the ciphertext, respectively. To measure the space efficiency, we count the number of basic components. ‡ Let  be the dimension of the plaintext vector of IPFE. § “Ours” refers to our trace-and-revoke IPFE schemes based on LWE, DDH and DCR.

Generic Construction of Trace-and-Revoke Inner Product

263

encryption schemes proposed by Agrawal et al. [5], which will be instrumental for our presentation. The Trace-and-Revoke Public-Key Encryption Schemes of [5]. Let FE = (FE.Setup, FE.KeyGen, FE.Enc, FE.Dec) be any adaptively secure IPFE scheme for the inner-product function Zp × Zp → Zp and the message space M = Zp . According to the syntax of the IPFE scheme (cf. Sect. 3), given a ciphertext c designed to encrypt the vector y ∈ Zp and the secret key skx for the vector x ∈ Zp , we can obtain the inner-product x, y (mod p). The high-level construction of [5] can be described as follows: – Run FE.Setup(1λ ) → (pk, msk) to generate the public key and the master secret key. – For a user id, use FE.KeyGen to generate the secret key skid ← FE.KeyGen(msk, xid ), where xid is sampled uniformly at random from Zp . Also, store pdi = (id, xid ) in a public directory pd for public traceability. – Given a revocation set R and a message m ∈ Zp , compute a ciphertext c = (c1 , c2 ) = (FE.Enc(pk, m · vR ), R), where vR ← Zp \ {0} is generated deterministically, such that xid , vR  = 0 (mod p) for every id ∈ R (this can be implemented only if |R| <  and p is prime). – With the secret key skid , the ciphertext can be decrypted due to xid , m · vR  FE.Dec(skid , c1 ) = = m (mod p). xid , vR  xid , vR  – Given an oracle access to a pirate decoder D, a revocation set R and a set S = {id1 , id2 , . . .} of suspected traitors, the tracing algorithm finds a pair of messages m0 and m1 such that D can distinguish between the encryptions of m0 and m1 with noticeable probability, sets a subset of suspect traitors Si = {idi , idi+1 , . . .} for i = 1, . . . , |S|+1, and then generates a series of probe ciphertexts cSi associated to Si with the following properties: • The distribution of cS1 corresponds to the normal encryption of m0 . • The distribution of cS|S|+1 corresponds to the normal encryption of m1 . • The probes cSi−1 and cSi are indistinguishable without a secret key for idi−1 . Since D can distinguish between cS1 and cS|S|+1 with a non-negligible probability, and hence by the triangle inequality, there exists at least one index i ∈ [|S| + 1] such that D can distinguish between cSi−1 and cSi with a nonnegligible advantage. By the third property above, the identity idi−1 indeed corresponds to a traitor. Our Trace-and-Revoke IPFE Schemes. On the other hand, in the traceand-revoke IPFE schemes, we need to encrypt vectors as opposed to elements supported by the above trace-and-revoke public-key encryption scheme [5], and we also need to deal with more powerful adversaries than in [5]. This rises a nontrivial challenge in constructing the trace-and-revoke IPFE scheme by extending [5]. Due to the properties of tensor product ⊗ of vector spaces, it holds that

264

F. Luo et al.

x ⊗ y · v ⊗ w = x, v · y, w for any vectors x, y, v, w. Therefore, we extend the above construction of [5] to obtain an efficient generic construction of traceand-revoke IPFE. For simplicity, we mainly show the parts that are different from the above construction, as the following: – Like [5], the public key and the master secret key are generated by running (pk, msk) ← FE.Setup(1λ ), with the minor difference of requiring the underγ lying IPFE scheme to support the inner-product function Zγ p × Zp → Zp . – For brevity, we let N be the number of users and assume that each user is assigned and identified by a unique index i ∈ [N ]. For a user who submits a pair (x, i) ∈ Zp × [N ], we use FE.KeyGen to generate the secret key ˜ i ), where x ˜ i = x ⊗ zi ∈ Zγ skx˜ i ← FE.KeyGen(msk, x p and zi is sampled γ uniformly at random from Zp . Also, store pdi = (i, zi ) in a public directory pd for public traceability. Note that during key generation, we use ⊗ to connect the message vector x with the public vector zi . ˜ = y ⊗ vR ∈ Zγ – Given a revocation set R and a message y ∈ Zp , compute y p ˜ ), R), where like [5], vR ← Zγp \ {0} is and c = (c1 , c2 ) = (FE.Enc(pk, y generated deterministically, such that zj , vR  = 0 (mod p) for every j ∈ R. – With the secret key skx˜ i , the ciphertext can be decrypted due to FE.Dec(skx˜ i , c1 ) x ⊗ zi , y ⊗ vR  x, y · zi , vR  = = = x, y (mod p). zi , vR  zi , vR  zi , vR  – To achieve public black-box traceability, we use the notion of black-box distinguisher D, which is considered “useful” if it can distinguish between the encryptions of two particular vectors (of the adversary’s choice) with a nonnegligible probability. This is the strongest notion of pirate decoder (leading to a better security guarantee) introduced by Nishimaki, Wichs and Zhandry [47], as opposed to the pirate decoder in [5] that is considered “useful” if it can decrypt the encryption of a random message with high probability. Given the revocation set R, two different vectors y0∗ , y1∗ ← Zp and an oracle access to a μ-useful black-box distinguisher D (cf. Definition 5) which can distinguish between the encryptions of the two vectors y0∗ , y1∗ ← Zp with a non-negligible probability greater than μ(λ), where μ(·) is a non-negligible function in the security parameter λ, the tracing algorithm generates the probe ciphertexts using the same method as that of [5] and identify traitors. However, the generation of the probe ciphertexts is slightly more complicated than that in [5], as we need to work with vectors rather than elements, like the case in [5]. In the above, we discussed the major modifications and the new techniques we used in the trace-and-revoke IPFE construction compared with [5]. In our adaptive security and public black-box traceability proofs for the trace-andrevoke IPFE, we will use even more techniques; see Sect. 4 for details. 1.3

Related Work

Traitor Tracing and Trace-and-Revoke Systems. A series of works were proposed from a variety of hardness assumptions and settings, and these schemes can be roughly categorized into two main categories.

Generic Construction of Trace-and-Revoke Inner Product

265

The first category is based on combinatorial approaches [13,22,25,37,45,54, 55]. The general idea behind these schemes is to identify the traitors by analyzing keys carefully selected and placed in a pirate decoder. Then, constructing a revocation mechanism, which is compatible with the traitor tracing scheme. The first combinatorial traitor tracing scheme was proposed by Chor, Fiat and Naor [22], which is either information theoretic security or is based on the security of any symmetric scheme of its choice. The first combinatorial trace-and-revoke scheme was proposed by Stinson and Wei [56], which combines BE with the traitor tracing scheme to generate a trace-and-revoke scheme. The second category is based on algebraic approaches [5,20,31,33,34,40, 41,46,47]. The general idea behind these schemes is to use some algebraic approaches to generate secret keys for users, and using some public-key techniques to do the broadcasting. Then, constructing a revocation mechanism, which is compatible with the traitor tracing mechanism. The first algebraic traitor tracing scheme was proposed by Boneh and Franklin [16], which achieves traitor tracing by applying error correcting codes to the discrete log representation problem. The first algebraic trace-and-revoke scheme was proposed by Boneh and Waters [20], which constructs a new primitive called augmented broadcast encryption and shows that augmented broadcast encryption implies a trace-and-revoke scheme. In addition, a number of traitor tracing and trace-and-revoke systems have been studied in a wide range of settings, so these schemes can also be grouped according to the cryptographic primitives (such as BE, IBE, ABE and FE) they target. 1.4

Organization

In Sect. 2, we recall some standard assumptions, including LWE, DHH and DCR. In Sect. 3, we introduce a new concept: trace-and-revoke IPFE. We also give the definition of adaptive security against chosen-plaintext attacks and the definition of public black-box traceability. We give a generic construction of trace-andrevoke IPFE in Sect. 4. Moreover, we prove that our generic construction achieves adaptive security and public black-box traceability. In Sect. 5, we instantiate our generic construction of trace-and-revoke IPFE from LWE and DCR assumptions, respectively, and provide a concrete instantiation of trace-and-revoke IPFE from DDH assumption. Finally, we conclude the paper in Sect. 6.

2

Preliminaries

Let PPT denote probabilistic polynomial-time. We say that a function is negligible, denoted negl(n), if negl(n) is asymptotically smaller than the inverse of any polynomial in n. For simplicity, let [n]  {1, . . . , n}. We use lower-case bold letter to denote vector x and upper-case bold letter to denote matrix A. For any vector x of dimension n, we denote by xi the i-th element of x for i ∈ [n]. We denote by v, w the inner-product of two vectors v, w. Moreover, we denote by x ⊗ y the

266

F. Luo et al.

tensor product of two vectors x, y, and we have x ⊗ y · v ⊗ w = x, v · y, w. In what follows, we consider truncated discrete Gaussian distribution DZm ,σ . Definition 1 (Learning with Errors (LWE) [52]). Given n, q ≥ 1, m ≥ O(n log q), and a discrete Gaussian distribution DZm ,αq where 0 < α < 1, the LWEn,q,m,α problem is defined to distinguish between the following two distributions: (A, sA + e) and (A, u) where A ∈ Zn×m , s ∈ Znq , e ∈ DZm ,αq , u ∈ Zm q q are independently sampled. The LWE problem was proved to be as hard as certain worst-case lattice problems [21,52]. Definition 2 (Decisional Diffie-Hellman (DDH) [14]). In a cyclic group G of prime order q, the Decisional Diffie-Hellman (DDH) problem is defined to distinguish between the following two distributions: D0 = {(g, g a , g b , g ab )|g ← G, a, b ← Zq } and D1 = {(g, g a , g b , g c )|g ← G, a, b, c ← Zq }. Definition 3 (Decisional Composite Residuosity (DCR) [49]). Given prime numbers p, q, let N = pq. The Decisional Composite Residuosity (DCR) problem is defined to distinguish between the following two distributions: D0 = {z = z0N mod N 2 |z0 ← Z∗N } and D1 = {z ← Z∗N 2 }. Lemma 1 (Two-tailed Chernoff Bound). Let X1 , . . . , Xn be independent random variables of trials with success probabilities P1 , . . . , Pn . Let X = Poisson n n i=1 Xi and μ = i=1 Pi . For 0 < δ < 1, we have Pr[|X − μ| ≥ μδ] ≤ 2e−μδ

3

2

/3

.

Trace-and-Revoke Inner-Product Functional Encryption

We introduce the syntax of trace-and-revoke IPFE, which is the same as that of IPFE, except that it adds revoke functionality and a new algorithm Trace. On the security side, compared with IPFE, trace-and-revoke IPFE has indistinguishability-based security and black-box traceability. Similar to [23], in our trace-and-revoke IPFE system, every user is assigned and identified by a unique index i ∈ [N ]. Let X , Y, M be the message spaces. A trace-and-revoke IPFE scheme for the inner-product function IP : X × Y → M consists of a tuple of algorithms (Setup, KeyGen, Enc, Dec, Trace), defined as follows.

Generic Construction of Trace-and-Revoke Inner Product

267

– Setup(1λ , 1N ). On input a security parameter λ and the number of users N , output a public key pk, a master secret key msk, and a (initially empty) public directory pd. Note that the public directory pd is used for public blackbox traceability where an arbitrary party can trace at least one index i ∈ [N ] of traitors. This algorithm is run by a trusted key generation center. – KeyGen(msk, x, i). On input msk, x ∈ X , and an index i ∈ [N ], output a secret key skx,i and some public information pdi for i. It also updates the public directory pd ← pd ∪ {pdi }. This algorithm is run by the trusted key generation center, where x ∈ X is submitted by a user and i ∈ [N ] is a unique index selected by the trusted key generation center to identify the user. – Enc(pk, R, y). On input pk, a revocation set R of cardinality ≤ N that contains the index j ∈ [N ] of each revoked user, and y ∈ Y, output a ciphertext c. This algorithm is performed by the encryptor (i.e. any user), where R and y ∈ Y are created by the encryptor as it wishes. – Dec(pd, skx,i , c). On input pk, skx,i , and a ciphertext c, output m ∈ M or ⊥. This algorithm is performed by the decryptor (i.e. any user with a secret key). – TraceD (pd, pk, R, μ(·), y0∗ , y1∗ ). On input pd, pk, R ⊆ [N ], a non-negligible function μ(·) in λ and two different messages y0∗ , y1∗ ∈ Y, the tracing algorithm interacts with a μ-useful (cf. Definition 5) black-box distinguisher D and outputs an index set T ⊆ [N ] of malicious user(s) (note that T can be an empty set). As shown in [23,31,47], this notion is stronger than the classical decryption black-box, where the latter is said to be “useful” if it can successfully decrypt with a non-negligible probability random messages that have been properly encrypted. This algorithm is executed by any party by interacting with D, where R and (y0∗ , y1∗ ) are provided by D. Definition 4 (Correctness). An N -user trace-and-revoke IPFE scheme for the inner-product function IP is correct if for any λ ∈ N, any (x, y) ∈ X × Y, and any i ∈ [N ] such that i ∈ / R, we have     Pr Dec pd, skx,i , Enc(pk, R, y) = IP(x, y) = 1 − negl(λ), where (pk, msk) ← Setup(1λ , 1N ), (skx,i , pdi ) ← KeyGen(msk, x, i) and IP(x, y) ∈ M. Definition 5 (μ-useful Black-box Distinguisher [23]). For a non-negligible function μ(·) in λ and a PPT algorithm P, we say that a black-box distinguisher D is μ-useful, if we have  ⎡  ⎤   (D, R∗ , y0∗ , y1∗ ) ←    ⎢ P(pk, {(skx,i , pdi )}, {skxR∗ ,j }) ⎥ 1  Pr ⎢ ⎥ −  ≥ μ(λ), j  ⎣ D(c∗ ) = b : ⎦ 2 s.t. IP(x, y0∗ ) = IP(x, y1∗ )   b   ∗ ∗ ∗ b ← {0, 1}, cb ← Enc(pk, R , yb )

268

F. Luo et al.

where (pk, msk) ← Setup(1λ , 1N ), {(skx,i , pdi ) ← KeyGen(msk, x, i)} , j)}(j∈R∗ ,xR∗ ∈X ) . We convert (i∈[N ],x∈X ) , and {skxR∗ ,j ← KeyGen(msk, xR∗ j j j the above inequality into its equivalent form:  ⎡    ⎢  ⎢ Pr ⎢  ⎣ D(c∗ ) = 0 : 0   ⎡

⎤ (D, R∗ , y0∗ , y1∗ ) ← P(pk, {(skx,i , pdi )}, {skxR∗ ,j }) ⎥ ⎥ j ⎥ ⎦ s.t. IP(x, y0∗ ) = IP(x, y1∗ ) ∗ ∗ ∗ c0 ← Enc(pk, R , y0 )

⎢ ⎢ − Pr ⎢ ⎣ D(c∗ ) = 0 : 1

⎤  (D, R∗ , y0∗ , y1∗ ) ←   P(pk, {(skx,i , pdi )}, {skxR∗ ,j }) ⎥ ⎥  j ⎥  ≥ 2μ(λ). ∗ ∗  ⎦ s.t. IP(x, y0 ) = IP(x, y1 )  ∗ ∗ ∗  c1 ← Enc(pk, R , y1 )

Next, we consider two security notions: indistinguishability-based security and public black-box traceability. The indistinguishability-based security is similar to that of conventional IPFE system [2], except that it contains key queries for revoked users and every key query is bound to a unique index i ∈ [N ], which can be chosen by the adversary. Indistinguishability-based Security. We define adaptive security under chosen-plaintext attacks (A-IND-CPA security, for short) in the standard model, which is described by a security game between a PPT adversary A and a challenger, as follows: – Setup: The challenger computes (pk, msk) ← Setup(1λ , 1N ) and returns pk to A. In addition, the challenger initializes an empty public directory pd. – Query Phase 1: A makes the following three types of queries: • Public Information Query OPIQ . When A submits an index i ∈ [N ], the challenger replies with pdi and updates the public directory pd = pd ∪ {pdi }. • Revoked User’s Key Query ORUKQ . This query can be made only once. A submits a revocation set R∗ of ≤ N revoked users and the corresponding messages xR∗j ∈ X for j ∈ R∗ (i.e., (j, xR∗j ) ∈ R∗ × X ), the challenger searches the public directory pd to see if there is a pdj such that j ∈ pdj for every j ∈ R∗ . If that is the case, the challenger runs (skxR∗ ,j , pdj ) ← KeyGen(msk, xR∗j , j) and returns all the correj sponding secret keys skxR∗ ,j for all j ∈ R∗ . Otherwise, the challenger j

generates pdj , updates the public directory pd = pd ∪ {pdj }, and returns all the corresponding secret keys skxR∗ ,j by running (skxR∗ ,j , pdj ) ← j

j

KeyGen(msk, xR∗j , j) for all j ∈ R∗ . • Non-Revoked User’s Key Query ONRUKQ . When A makes a secret key query for a pair (i, x) ∈ [N ] × X , the challenger searches the public directory pd to see if there is a pdi such that i ∈ pdi . If that is the case, the challenger returns a secret key skx,i by running (skx,i , pdi ) ← KeyGen(msk, x, i). Otherwise, the challenger generates pdi , updates the public directory pd = pd∪{pdi }, and returns a secret key skx,i by running (skx,i , pdi ) ← KeyGen(msk, x, i).

Generic Construction of Trace-and-Revoke Inner Product

269

– Challenge Ciphertext: A submits two messages y0∗ , y1∗ ∈ Y such that IP(x, y0∗ ) = IP(x, y1∗ ) for all x ∈ X queried in ONRUKQ , the challenger chooses a random bit b ← {0, 1} and returns c∗b ← Enc(pk, R∗ , yb∗ ). – Query Phase 2: A continues making OPIQ and ONRUKQ as in Query Phase 1, but subject to the restriction: IP(x, y0∗ ) = IP(x, y1∗ ) for all x ∈ X queried in ONRUKQ . – Output: A returns a bit b ∈ {0, 1} and wins if b = b. The advantage of A in winning the above game is defined as λ  AdvA-IND-CPA TR-IPFE,A (1 ) = |Pr[b = b] − 1/2|.

Definition 6 (A-IND-CPA security). We say that an N -user trace-andrevoke inner-product functional encryption scheme is A − IND − CPA secure λ if for all PPT A, the advantage AdvA-IND-CPA TR-IPFE,A (1 ) is negligible. A weaker notion of adaptive security described above is called selective security against chosen-plaintext attacks (S-IND-CPA security, for short), where the adversary must announce the challenge messages (y0∗ , y1∗ ) before seeing the public key. Remark 2. Note that the A-IND-CPA security definition for the conventional IPFE system can be obtained directly from the above indistinguishability-based security by removing OPIQ , ORUKQ , and the requirement that every key query is bound to a unique index i ∈ [N ]. Public Black-Box Traceability. Public black-box traceability is described by a security game between a PPT adversary A and a challenger, as follows: – Setup: The challenger runs Setup(1λ , 1N ) → (pk, msk) and gives pk to A. In addition, the challenger initializes an empty public directory pd. – Query: A makes the following three types of queries: • Public Information Query OPIQ . This is the same as that of the AIND-CPA security game described earlier. • Revoked User’s Key Query ORUKQ . This is the same as that of the A-IND-CPA security game described earlier. • Non-Revoked User’s Key Query ONRUKQ . This is the same as that of the A-IND-CPA security game described earlier, except for brevity, we collect all pairs that were queried in ONRUKQ as C = {(i, x) | (i, x) ∈ [N ] × X }, where all indices j ∈ C are denoted by an index set I = {j | j ∈ C}. – Black-Box Distinguisher Generation: A outputs a μ-useful black-box distinguisher D and two messages y0∗ , y1∗ ∈ Y such that IP(x, y0∗ ) = IP(x, y1∗ ) for all x ∈ C. – Output: The challenger runs TraceD (pd, pk, R∗ , μ(·), y0∗ , y1∗ ) and outputs an index set T ⊆ [N ] of malicious user(s). We say that A wins the above game if we have:

270

F. Luo et al.

1. The provided black-box distinguisher D is indeed μ-useful, i.e., we have |Pr[D(c∗0 ) = 0] − Pr[D(c∗1 ) = 0| ≥ 2μ(λ), where c∗b ← Enc(pk, R∗ , yb∗ ) and b ← {0, 1}. 2. T = ∅ or T  I. We denote by AdvP-BT TR-IPFE,A the advantage that A wins the above game. Definition 7. We say that an N -user trace-and-revoke inner-product functional encryption scheme satisfies public black-box traceability if for all PPT A, the advantage AdvP-BT TR-IPFE,A is negligible for any μ-useful black-box distinguisher D, where μ is non-negligible. Remark 3 (Traceable IPFE). Note that a traceable IPFE scheme is simply a trace-and-revoke IPFE scheme without user revocation mechanism. Its syntax, adaptive security and public black-box traceability correspond to the corresponding definitions above where we let R = ∅, in the encryption, the tracing and the security games. Remark 4. In the traceable IPFE scheme of [23], the authors considered a weaker traceability that they called one-target security, where the adversary are subject to the following constraints: (1) the adversary must announce one target x∗ ∈ X before she sees the public key; (2) the adversary is only allowed to ask for secret keys for x∗ (but for any index i ∈ [N ]); (3) the adversary outputs a μ-useful black-box distinguisher Dx∗ associated with x∗ . Moreover, their scheme does not support public traceability, as their tracing algorithm requires the master secret key.

4

Generic Construction of Trace-and-Revoke IPFE

In this section, we provide a generic transformation from inner-product functional encryption schemes to trace-and-revoke inner-product functional encryption systems. Let FE = (FE.Setup, FE.KeyGen, FE.Enc, FE.Dec) be an γ adaptively secure IPFE scheme for the inner-product function Zγ p × Zp → Zp and the message space M = Zp . – Setup(1λ , 1N ). It runs (pk, msk) ← FE.Setup(1λ , 1γ ), and outputs a public key pk, a master secret key msk and a (initially empty) public directory pd. – KeyGen(msk, x, i). On input msk, a vector x ∈ Zp , and an index i ∈ [N ], it proceeds as follows: 1. Choose a uniformly random vector zi ← Zγp . The pair pdi = (i, zi ) is appended to the public directory pd. ˜ i = x ⊗ zi ∈ Zγ 2. Set x p . 3. Output skx˜ i ← FE.KeyGen(msk, x˜i ). – Enc(pk, R, y). On input pk, a revocation set R of cardinality ≤ N , and a vector y ∈ Zp , it proceeds as follows:

Generic Construction of Trace-and-Revoke Inner Product

271

1. Compute vR ← Zγp \ {0} such that zj , vR  = 0 for every j ∈ R (recall that R contains the index of every revoked user). ˜ = y ⊗ vR ∈ Zγ 2. Set y p . ˜ ), R). 3. Output c = (c1 , c2 ) = (FE.Enc(pk, y – Dec(pd, skx˜ i , c). On input pk, skx˜ i , and a ciphertext c, it proceeds as follows: 1. Parse c = (c1 , R). If i ∈ R, then abort. 2. Compute vR ← Zγp \ {0} such that zj , vR  = 0 for every j ∈ R. 3. Compute and output m = FE.Dec(skx˜ i , c1 )/zi , vR . – TraceD (pd, pk, R, μ(·), y0∗ , y1∗ ). On input pd, pk, R ⊆ [N ], a non-negligible function μ(·) in λ and two different vectors y0∗ , y1∗ ∈ Zp , it proceeds as follows: 1. Set Si = {i, i + 1, . . . , N + 1} \ R for i ∈ [N + 1]. 2. Compute vR ← Zγp \ {0} such that zj , vR  = 0 for every j ∈ R. 3. For i = 1, . . . , N + 1, do: (a) If i = 1, set vSi = 0. (b) If i = N + 1, set vSi = vR . (c) Otherwise, compute vSi ∈ Zp such that: i. zj , vSi  = 0 for every j ∈ Si ∪ R. ii. zj , vSi  = zj , vR  for every j ∈ S1 \ Si . ˜ i∗ = (y1∗ − y0∗ ) ⊗ vSi + y0∗ ⊗ vR ∈ Zγ (d) Compute y p . (e) Let counti ← 0. (f) For j = 1, . . . , T = λN 2 /μ(λ), do: ˜ i∗ ), R). i. Compute cSj i = (FE.Enc(pk, y Si ii. Feed D with cj and obtain a binary value bij . If bij = 0, then counti ← counti + 1. (g) Output P˜i = counti /N . 4. Let T be the set of all i ∈ [N ] for which |P˜i − P˜i+1 | ≥ μ(λ)/N (note that if there is no such i, then T = ∅), and output the set T as malicious user(s). Here, for the correctness and security proof, we require that in step 1 of algorithm Enc, in step 2 of algorithm Dec and in step 2 of algorithm Trace, the vector vR ← Zγp \ {0} be uniquely determined by R in the same unique way across these algorithms. One approach to achieve this is to order the zj ’s for j ∈ R lexicographically and run a deterministic linear equation solver. This can be implemented by letting N < γ and p be prime. Before checking the correctness of the above scheme, let’s briefly explain how algorithm Trace works. First, in step 3 of algorithm Trace, we have vS1 = 0 and vSN +1 = vR , and hence we have cSj 1 = (FE.Enc(pk, y0∗ ⊗ vR ), R) and cj N +1 = (FE.Enc(pk, y1∗ ⊗vR ), R) for all j ∈ [T ], which are genuine encryptions of the vectors y0∗ and y1∗ , respectively. Thus, we have that |P˜1 − P˜N +1 | is nonnegligible by Definition 5 and Lemma 1, and hence there exists at least one index i ∈ [N ] such that |P˜i − P˜i+1 | is non-negligible by the triangle inequality. For any i ∈ T , we will prove in Lemma 3 that the black-box distinguisher D does indeed contain the corresponding secret key skx˜ i and thus the user identified by the index i is a traitor. S

272

F. Luo et al.

Remark 5. We observe that the generic construction above implies traceable IPFE schemes. In other words, we can obtain a generic construction of traceable IPFE schemes by slightly modifying the above generic construction. Here, we describe only a few spots that need to be changed. Concretely, to encrypt a vector ˜ = y ⊗v ∈ Zγ y ∈ Zp , we choose a uniformly random vector v ← Zγp \{0}, set y p , ˜ ), v). To decrypt the ciphertext c, we and output c = (c1 , c2 ) = (FE.Enc(pk, y compute and output m = FE.Dec(skx˜ i , c1 )/zi , v. For the tracing algorithm, we simply choose a uniformly random vector v ← Zγp \ {0}, let R = ∅, and replace the vector vR with v. Moreover, by Remark 3, the adaptive security and public black-box traceability of the above traceable IPFE can be obtained directly from that of our trace-and-revoke IPFE by simply letting R = ∅ in the security proofs. Lemma 2 (Correctness). Assume that p ≈ λω(1) is prime. For all λ ∈ N, all (pk, msk) ← Setup(1λ , 1N ), all skx˜ i ← KeyGen(msk, x, i) for all x ∈ Zp and / R, then we have i ∈ [N ], all y ∈ Zp , and all R of cardinality ≤ N , if i ∈ Dec(pd, skx˜ i , Enc(pk, R, y)) = x, y ∈ Zp with probability ≥ 1 − λ−ω(1) . Proof. Since p ≈ λω(1) , γ > N , and the vector zi is uniform in Zp , we have / R. Then, given the that zi , vR  = 0 with overwhelming probability for all i ∈ ˜ ), R), compute a vector vR ← Zγp \ {0} ciphertext c = (c1 , c2 ) = (FE.Enc(pk, y such that zj , vR  = 0 for every j ∈ R, then we have that FE.Dec(skx˜ i , c1 ) = x ⊗ zi , y ⊗ vR  = x, y · zi , vR  by the correctness of FE, and hence we have that

Dec(pd, skx˜ i , c1 ) = 4.1

x, y · zi , vR  FE.Dec(skx˜ i , c1 ) = = x, y. zi , vR  zi , vR 

Adaptive Security

Theorem 1. If FE is A − IND − CPA secure (see Remark 2), then the traceand-revoke IPFE is A − IND − CPA secure as defined in Definition 6. Proof. We show that if a PPT adversary A breaks the A − IND − CPA security of the trace-and-revoke IPFE, then we can build a polynomial-time algorithm B that breaks A − IND − CPA security of FE with a non-negligible probability, as follows: – Setup. B obtains the public key pk from the FE challenger (who runs the algorithm FE.Setup(1λ , 1γ )) and forwards it to A. In addition, B initializes an empty public directory pd. – Query Phase 1. A, B and the FE challenger proceed as follows: • Public Information Query OPIQ . When A submits an index i ∈ [N ], B chooses a uniformly random vector zi ← Zγp and sends it to A. After that, B sets pdi = (i, zi ) and updates the public directory pd = pd∪{pdi }.

Generic Construction of Trace-and-Revoke Inner Product

273

• Revoked User’s Key Query ORUKQ . This query can be made only once. A submits a set R∗ of ≤ N revoked users and the corresponding vectors xR∗j ∈ Zp for j ∈ R∗ (i.e., (j, xR∗j ) ∈ R∗ × Zp ), B searches the public directory pd to see if there is a pdj such that j ∈ pdj for every j ∈ R∗ . If that is the case, B can get the corresponding vector zj ∈ pdj ˜ R∗j = xR∗j ⊗ zj . After that, B sends all x ˜ R∗j to by searching and sets x the FE challenger who returns all the corresponding secret keys skx˜ R∗ . j Otherwise, B chooses uniformly random vectors zj ← Zγp for all j ∈ R∗ , updates the public directory pd = pd ∪ {pdj } for pdj = {j, zj }, and sends ˜ R∗j to the FE challenger who returns all the corresponding secret all x keys skx˜ R∗ . j • Non-Revoked User’s Key Query ONRUKQ . When A makes a secret key query for a pair (i, x) ∈ [N ] × Zp , B searches the public directory pd to see if there is a pdi such that i ∈ pdi . If that is the case, B can get the ˜ i = x ⊗ zi and corresponding vector zi ∈ pdi by searching. Then, B sets x ˜ i to the FE challenger who returns a secret key skx˜ i . Otherwise, B sends x chooses a uniformly random vector zi ← Zγp , updates the public directory ˜ i to the FE challenger who pd = pd ∪ {pdi } for pdi = {i, zi }, and sends x returns a secret key skx˜ i . – Challenge Ciphertext. A submits two vectors y0∗ , y1∗ ∈ Zp such that x, y0∗  = x, y1∗  for all x ∈ Zp queried in ONRUKQ , B proceeds as follows: 1. Compute vR∗ ← Zγp \ {0} such that zj , vR∗  = 0 for every j ∈ R∗ . ˜ 0∗ = y0∗ ⊗ vR∗ , y ˜ 1∗ = y1∗ ⊗ vR∗ ∈ Zγ 2. Set y p . ∗ ˜∗ 3. Send (˜ y0 , y1 ) to the FE challenger who returns a challenge ciphertext c∗b , ˜ b∗ ) for b ← {0, 1}. where c∗b = FE.Enc(pk, y ∗ ∗ ∗ 4. Send cb := (cb , R ) to A. – Query Phase 2. A continues making OPIQ and ONRUKQ as in Query Phase 1, but subject to the restriction: IP(x, y0∗ ) = IP(x, y1∗ ) for all x ∈ Zp queried in ONRUKQ . – Output. A outputs a bit b ∈ {0, 1} and B outputs the same bit b as its own guess of b. Obviously, B behaves as a challenger in the adaptive security definition of the trace-and-revoke IPFE in the view of A, and is a valid adversary against ˜ 0∗  = ˜ ˜ 1∗  = 0 for all (j, xR∗j ) ∈ R∗ × FE due to the fact that: (1) ˜ xR∗j , y xR∗j , y ˜ 0∗  = ˜ ˜ 1∗  for Zp queried in ORUKQ ; (2) x, y0∗  = x, y1∗  and hence ˜ xi , y xi , y  all x ∈ Zp queried in ONRUKQ . Therefore, the advantage of A that breaks A − IND − CPA security of the trace-and-revoke IPFE is exactly the same as the advantage of B that breaks A − IND − CPA security of FE. 4.2

Public Black-box Traceability

Theorem 2. If FE satisfies A − IND − CPA security (see Remark 2), then the trace-and-revoke IPFE satisfies public black-box traceability as defined in Definition 7.

274

F. Luo et al.

Proof. We show that if a PPT adversary A breaks the public black-box traceability of the trace-and-revoke IPFE, then we build a polynomial-time algorithm B that breaks A − IND − CPA security of FE with a non-negligible probability, as follows: – Setup. B obtains the public key pk from the FE challenger (who runs the algorithm FE.Setup(1λ , 1γ )) and forwards it to A. In addition, B initializes an empty public directory pd. – Query. A, B and the FE challenger proceed as follows: • Public Information Query OPIQ . This is the same as that of Theorem 1. • Revoked User’s Key Query ORUKQ . This is the same as that of Theorem 1. • Non-Revoked User’s Key Query ONRUKQ . This is the same as that of Theorem 1, except for brevity, we collect all pairs that were queried in ONRUKQ by A as C = {(i, x) | (i, x) ∈ [N ] × Zp }, where all indices j ∈ C are denoted by an index set I = {j | j ∈ C}. – Black-box Distinguisher Generation. A outputs a μ-useful black-box distinguisher D and two different vectors y0∗ , y1∗ ∈ Zp such that x, y0∗  = x, y1∗  for all vectors x ∈ C. B runs TraceD (pd, pk, R∗ , μ(·), y0∗ , y1∗ ) which ˜ i∗ = (y1∗ − y0∗ ) ⊗ vSi + y0∗ ⊗ vR∗ for all i ∈ [N ] and generates vR∗ , vSi , vSi+1 , y outputs a set T . We assume that A wins the public black-box traceability of the trace-and-revoke IPFE scheme, that is, the winning conditions are satisfied (cf. Definition 7): D is indeed μ-useful and T = ∅ or T  I. If T = ∅, B aborts. Otherwise, B chooses a random index k such that k ∈ T ∗ ˜ k∗ , y ˜ 1∗ = y ˜ k+1 ˜ 1∗ ) to the FE challenger. ), and sends (˜ y0∗ , y but k ∈ / I, sets (˜ y0∗ = y ∗ – Output. Upon receiving the challenge ciphertext cb from the FE challenger, ˜ b∗ ) for b ← {0, 1}, B runs D on c∗b which outputs a where c∗b = FE.Enc(pk, y  bit b ∈ {0, 1}. Finally, B outputs the same bit b as its own guess of b. We first argue that B is a valid adversary against FE. It suffices to prove that all key queries made by B in the Query Phase 1 are valid in the view of the ∗ ˜ 0∗ = y ˜ k∗ and y ˜ 1∗ = y ˜ k+1 FE challenger. Recall that B sets y for k ∈ T but k ∈ / I. By the properties of vSk and vSk+1 (looking back on the algorithm Trace), for ˜ i ∈ Zγ any query x p , we have that  x, y0∗  · zi , vR∗ , if i ∈ Sk ∪ R∗ , ∗ ˜0  = ˜ xi , y x, y1∗  · zi , vR∗ , if i ∈ S1 \ Sk ,  x, y0∗  · zi , vR∗ , if i ∈ Sk+1 ∪ R∗ , ˜ 1∗  = ˜ xi , y x, y1∗  · zi , vR∗ , if i ∈ S1 \ Sk+1 , ˜ 0∗  = ˜ ˜ 1∗  holds for any i ∈ [N ] \ {k} (note that we xi , y which implies that ˜ xi , y ∗ ∗ ˜ 0  = ˜ ˜ 1  = 0 for i ∈ R∗ ). Although the inequality ˜ ˜ 0∗  = xi , y xk , y have ˜ xi , y ∗ ˜ 1  holds, we have k ∈ / I, which means that A did not make any key query ˜ xk , y for the index k, and neither did B. In other words, all key queries are valid in the view of the FE challenger.

Generic Construction of Trace-and-Revoke Inner Product

275

We further argue that if A wins the public black-box traceability, then B can break A − IND − CPA security of FE with a non-negligible probability. ˜ 1∗ ) to the FE challenger when T = ∅ As mentioned above, B submits (˜ y0∗ , y ∗ ∗ ˜ 0  = ˜ ˜ 1  for any i ∈ [N ] \ {k}, which implies that xi , y and T  I, and ˜ xi , y ˜ 0∗ ) and c∗1 = FE.Enc(pk, y ˜ 1∗ ) are the decryption results of c∗0 = FE.Enc(pk, y the same under all but the secret key for the index k. On the other hand, we will show in Lemma 3 that the probability of the algorithm Trace returning ∅ is negligible and that D contains the secret keys for all i ∈ T . Therefore, since k ∈ T , D contains the secret key for the index k ∈ T , and hence D can distinguish between c∗0 and c∗1 , which implies that (b = b, b ← D(c∗b )) holds with a non-negligible probability. In summary, with overwhelming probability, the advantage of A that breaks the public black-box traceability of the trace-and-revoke IPFE is exactly the same as the advantage of B that breaks A − IND − CPA security of FE. Lemma 3. Given a μ-useful black-box distinguisher D, two different vectors (y0∗ , y1∗ ), and a revocation set R∗ of ≤ N revoked users, then the algorithm Trace interacting with D does not return ∅ with overwhelming probability. Furthermore, for T = ∅, D contains the secret keys for all i ∈ T . ˜ i∗ ), R∗ )] for i ∈ [N + 1]. Proof. Let Pi = Pr[D(cSi ) = 0 : cSi = (FE.Enc(pk, y ∗ ∗ ˜N ˜ 1 = y0∗ ⊗ vR∗ and y Looking back on the algorithm Trace, we have y +1 = SN +1 S1 ∗ ∗ ∗ = y1 ⊗ vR∗ , and hence we have cj = (FE.Enc(pk, y0 ⊗ vR∗ ), R ) and cj (FE.Enc(pk, y1∗ ⊗ vR∗ ), R∗ ) for all j ∈ [T ], which are genuine encryptions of the vectors y0∗ and y1∗ , respectively. Combining with the fact that D is μ-useful, that is,   Pr[D(c∗0 ) = 0 : c∗0 = Enc(pk, R∗ , y0∗ )] − Pr[D(c∗1 ) = 0 : c∗1 = Enc(pk, R∗ , y1∗ )] ≥ 2μ(λ)

by Definition 5, we have |P1 −PN +1 | ≥ 2μ(λ). It follows that there exists at least one index i ∈ [N ] such that |Pi −Pi+1 | ≥ 2μ(λ)/N by the triangle inequality. On the other hand, we have |P˜i − Pi | ≤ μ(λ)/2N for all i ∈ [N ] with overwhelming probability due to T = λN 2 /μ(λ) by Lemma 1 (Chernoff bound), and thus we have |P˜i − P˜i+1 | ≥ 2μ(λ)/N − μ(λ)/N = μ(λ)/N by the triangle inequality. Hence, the algorithm Trace will output at least one such index i ∈ [N ]. From the above, for any i ∈ T , we know that |P˜i − P˜i+1 | ≥ μ(λ)/N ,

(1)

which is non-negligible. ˜ i∗ ), R∗ ) and cSi+1 = Considering ciphertexts cSi = (FE.Enc(pk, y ∗ ∗ ∗ ∗ ∗ ∗ ˜ i = (y1 − y0 ) ⊗ vSi + y0∗ ⊗ vR∗ and y ˜ i+1 ˜ i+1 ), R ) for y = (FE.Enc(pk, y ∗ ∗ ∗ (y1 − y0 ) ⊗ vSi+1 + y0 ⊗ vR∗ , respectively, we have  x, y0∗  · zj , vR∗ , if j ∈ Si ∪ R∗ , ˜ i∗  = ˜ xj , y x, y1∗  · zj , vR∗ , if j ∈ S1 \ Si ,

276

F. Luo et al.

∗ ˜ i+1 ˜ xj , y =



x, y0∗  · zj , vR∗ , if j ∈ Si+1 ∪ R∗ , x, y1∗  · zj , vR∗ , if j ∈ S1 \ Si+1 ,

∗ ˜ i∗  = ˜ ˜ i+1 xj , y xj , y  holds by the properties of vSi and vSi+1 , which implies that ˜ Si for any j ∈ [N ] \ {i}, and hence D cannot distinguish between c and cSi+1 without having the secret key for the index i ∈ T by A-IND-CPA security of the trace-and-revoke IPFE scheme. In other words, if D does not have the secret key for the index i ∈ T , we cannot obtain |P˜i − P˜i+1 | ≥ μ(λ)/N , which would contradict Eq.(1) above.

5

Trace-and-Revoke IPFE from LWE, DDH and DCR

In this section, we provide three trace-and-revoke IPFE constructions which are based on LWE, DDH and DCR assumptions. 5.1

Trace-and-Revoke IPFE from LWE and DCR

Recall that Agrawal et al. [6] gave several IPFE schemes based on LWE, DDH and DCR assumptions that are A-IND-CPA secure. To obtain trace-and-revoke IPFE schemes from LWE and DCR assumptions, we can instantiate our generic construction of Sect. 4 with the adaptively secure (or A-IND-CPA secure) IPFE schemes based on LWE over Zq and DCR over ZN of [6], respectively. 5.2

Trace-and-Revoke IPFE from DDH

We cannot directly instantiate our generic construction using the adaptively secure IPFE scheme based on DDH over Z from [6], since their decryption algorithm involves a discrete logarithm computation, which means that we need to restrict the set of exponents to be small. This is incompatible with our generic construction, where our decryption algorithm involves the inner-product x, y · zi , vR , which is as large as p (recall that p needs to be as large as λω(1) ), even if x, y is small. Therefore, we provide a concrete instantiation of trace-and-revoke IPFE from DDH assumption. From a technical perspective, similar to [5], given the inner-product x, y · zi , vR , we eliminate the effect of zi , vR  by removing it before taking the discrete logarithm. From the decryption below, we know that zi , vR  is publicly computable, as it depends only on R. This means that this modification does not affect the security. Our trace-and-revoke IPFE based on DDH is constructed as follows: – Setup(1λ , 1γ ). Choose a cyclic group G of prime order p with two generators g, h ← G. For each i ∈ [γ] (recall that γ > N , and we can set γ ≤ ), choose uniformly at random si , ti ← Zp , and compute hi = g si · hti . Let s = (s1 , . . . , sγ ) and t = (t1 , . . . , tγ ). Output a public key pk := (G, g, h, {hi }i∈[γ] ), a master secret key msk := (s, t), and a (initially empty) public directory pd.

Generic Construction of Trace-and-Revoke Inner Product

277

– KeyGen(msk, x, i). To generate a secret key for any vector x ∈ Zp , do: 1. Choose a uniformly random vector zi ← Zγp . The pair pdi = (i, zi ) is appended to the public directory pd. ˜ i = x ⊗ zi ∈ Zγ 2. Set x p . ˜ i , t, x ˜ i ). 3. Compute and output skx˜ i := (sx˜ i , tx˜ i ) = (s, x – Enc(pk, R, y). To encrypt any vector y ∈ Zp , do: 1. Compute vR ← Zγp \ {0} such that zj , vR  = 0 for every j ∈ R. ˜ = y ⊗ vR ∈ Zγ 2. Set y p . 3. Sample r ← Zp , and compute C = g r , D = hr and {Ej = g y˜ j · hrj }j∈[γ] . 4. Output c = (C, D, {Ej }j∈[γ] , R). ˜ i = {˜ ˜ i,γ }, and c = – Dec(pd, skx˜ i , c). Parse skx˜ i = (sx˜ i , tx˜ i ), x xi,1 , . . . , x (C, D, {Ei }i∈[γ] , R), do: 1. If i ∈ R, then abort. 2. Compute vR ← Zγp \ {0} such that zj , vR  = 0 for every j ∈ R. 3. Compute (Ex˜ i =

γ 

˜  x 1/ z ,v

Ej i,j /(C sx˜i · Dtx˜i ), Fx˜ i = Ex˜ i i R ).

j=1

4. Compute and output logg (Fx˜ i ). – TraceD (pd, pk, R, μ(·), y0∗ , y1∗ ). The algorithm Trace proceeds as described ˜ i∗ ) should be replace by in Sect. 4, except that the algorithm FE.Enc(pk, y ∗ ˜ i ) without R, i.e., removing step 1 and step 2 of the above encrypEnc(pk, y tion algorithm Enc. ˜  = x, y · zi , vR , we have We analyse the correctness as follows. Since ˜ xi , y γ

Ex ˜i =

 j=1

γ γ    ˜ r·˜ x x ˜ i,j ·˜ yj xi  xi  Ej i,j /(C sx˜ i · Dtx˜ i ) = ( gx )·( hi i,j )/(g r·s,˜ · hr·t,˜ ) j=1

=g

˜ xi ,˜ y

=g

˜ xi ,˜ y

j=1

· (g

r·s,˜ xi 

=g

xi  xi  xi  · hr·t,˜ )/(g r·s,˜ · hr·t,˜ )

x,y·zi ,vR 

,

and hence we have 1/ zi ,vR

Fx˜ i = Ex˜ i

= g x,y · zi ,vR / zi ,vR = g x,y .

As in [2,6], we require that the inner-product x, y should lie in an interval [0, L] for efficient decryption, where L is a polynomially bounded integer. Then, ˜ 1/2 )1 computing the required discrete logarithm can be performed in time O(L using Pollard’s kangaroo method [51]. Like [6,23], the functionality is limited in that decryption may not be performed efficiently for all key vectors and for all message vectors, but in the security proof the adversary can query any key vector in Zp . 1

˜ 1/3 ) by pre-computing a table of size O(L ˜ 1/3 ) [12]. This can be reduced to O(L

278

6

F. Luo et al.

Conclusion

In this paper, we proposed efficient trace-and-revoke IPFE systems from standard assumptions that simultaneously support public, black-box traceability and user revocation. We proved that our schemes are adaptively secure against chosen-plaintext attacks in the standard model. Our construction relies on a generic transformation from IPFE to trace-and-revoke IPFE. Moreover, our generic construction implies the first constructions of traceable IPFE schemes that simultaneously support adaptive security and public, black-box traceability. This is a significant improvement over the previous traceable IPFE construction that only supports selective security and one-target black-box traceability. However, like most trace-and-revoke schemes, our generic construction requires that the number of users be polynomially bounded. We leave as an open problem the construction of a trace-and-revoke IPFE scheme that supports arbitrary identities (e.g., exponential-size). An interesting (but might be challenging) direction is to combine our approach with the techniques developed by Nishimaki, Wichs, and Zhandry (Eurocrypt’16) or by the subsequent improvements of that work. Acknowledgements. We would like to thank the anonymous reviewers for their helpful comments and suggestions. We also thank Liqun Chen (a sheperd for this work) for helpful suggestions on improving the exposition. This work was supported by the Major Key Project of PCL (Nos. PCL2022A03, PCL2021A02, PCL2021A09), and Guangxi Natural Science Foundation (No. 2022GXNSFBA035650).

References 1. Abdalla, M., Benhamouda, F., Gay, R.: From single-input to multi-client innerproduct functional encryption. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11923, pp. 552–582. Springer, Cham (2019). https://doi.org/10. 1007/978-3-030-34618-8 19 2. Abdalla, M., Bourse, F., De Caro, A., Pointcheval, D.: Simple functional encryption schemes for inner products. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 733– 751. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2 33 3. Abdalla, M., Dent, A.W., Malone-Lee, J., Neven, G., Phan, D.H., Smart, N.P.: Identity-based traitor tracing. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 361–376. Springer, Heidelberg (2007). https://doi.org/10.1007/9783-540-71677-8 24 4. Abdalla, M., Gong, J., Wee, H.: Functional encryption for attribute-weighted sums from k-lin. IACR Cryptol. ePrint Arch. 2020, 762 (2020) 5. Agrawal, S., Bhattacherjee, S., Phan, D.H., Stehl´e, D., Yamada, S.: Efficient public trace and revoke from standard assumptions: extended abstract. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, 30 October–03 November 2017, pp. 2277–2293. ACM (2017) 6. Agrawal, S., Libert, B., Stehl´e, D.: Fully secure functional encryption for inner products, from standard assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO

Generic Construction of Trace-and-Revoke Inner Product

7.

8. 9.

10.

11.

12.

13.

14.

15.

16.

17.

18.

19.

20.

21.

279

2016. LNCS, vol. 9816, pp. 333–362. Springer, Heidelberg (2016). https://doi.org/ 10.1007/978-3-662-53015-3 12 Agrawal, S., Yamada, S.: Optimal broadcast encryption from pairings and LWE. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 13–43. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1 2 Ak, M., Kiayias, A., Pehlivanoglu, S., Sel¸cuk, A.A.: Generic construction of trace and revoke schemes. IACR Cryptol. ePrint Arch. 2012, 531 (2012) Ananth, P., Sahai, A.: Projective arithmetic functional encryption and indistinguishability obfuscation from degree-5 multilinear maps. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 152–181. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7 6 Attrapadung, N., Imai, H.: Conjunctive broadcast and attribute-based encryption. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 248–265. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03298-1 16 Baltico, C.E.Z., Catalano, D., Fiore, D., Gay, R.: Practical functional encryption for quadratic functions with applications to predicate encryption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 67–98. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7 3 Bernstein, D.J., Lange, T.: Computing small discrete logarithms faster. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 317–338. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34931-7 19 Billet, O., Phan, D.H.: Efficient traitor tracing from collusion secure codes. In: Safavi-Naini, R. (ed.) ICITS 2008. LNCS, vol. 5155, pp. 171–182. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85093-9 17 Boneh, D.: The decision Diffie-Hellman problem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 48–63. Springer, Heidelberg (1998). https://doi.org/10.1007/ BFb0054851 Boneh, D., Di Crescenzo, G., Ostrovsky, R., Persiano, G.: Public key encryption with keyword search. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 506–522. Springer, Heidelberg (2004). https://doi.org/10. 1007/978-3-540-24676-3 30 Boneh, D., Franklin, M.: An efficient public key traitor tracing scheme. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 338–353. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1 22 Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8 13 Boneh, D., et al.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled Circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). https://doi.org/10. 1007/978-3-642-55220-5 30 Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6 16 Boneh, D., Waters, B.: A fully collusion resistant broadcast, trace, and revoke system. In: Juels, A., Wright, R.N., di Vimercati, S.D.C. (eds.) Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, Alexandria, VA, USA, 30 Oct–3 Nov 2006, pp. 211–220. ACM (2006) Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehl´e, D.: Classical hardness of learning with errors. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.)

280

22.

23.

24.

25.

26.

27.

28.

29.

30.

31.

32.

33.

34.

35.

F. Luo et al. Symposium on Theory of Computing Conference, STOC 2013, Palo Alto, CA, USA, 1–4 June 2013, pp. 575–584. ACM (2013) Chor, B., Fiat, A., Naor, M.: Tracing traitors. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 257–270. Springer, Heidelberg (1994). https://doi.org/ 10.1007/3-540-48658-5 25 Do, X.T., Phan, D.H., Pointcheval, D.: Traceable inner product functional encryption. In: Jarecki, S. (ed.) CT-RSA 2020. LNCS, vol. 12006, pp. 564–585. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-40186-3 24 Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 480–491. Springer, Heidelberg (1994). https://doi.org/10.1007/ 3-540-48329-2 40 Gafni, E., Staddon, J., Yin, Y.L.: Efficient methods for integrating traceability and broadcast encryption. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 372–387. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1 24 Galbraith, S.D., Harrison, K., Soldera, D.: Implementing the tate pairing. In: Fieker, C., Kohel, D.R. (eds.) ANTS 2002. LNCS, vol. 2369, pp. 324–337. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45455-1 26 Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2013, Berkeley, CA, USA, 26–29 Oct 2013, pp. 40–49. IEEE Computer Society (2013) Garg, S., Gentry, C., Halevi, S., Zhandry, M.: Functional encryption without obfuscation. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 480– 511. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49099-0 18 Ge, C., Susilo, W., Liu, Z., Xia, J., Szalachowski, P., Liming, F.: Secure keyword search and data sharing mechanism for cloud computing. IEEE Trans. Dependable Sec. Comput. 18, 95–108 (2020) Ge, C., Yin, C., Liu, Z., Fang, L., Zhu, J., Ling, H.: A privacy preserve big data analysis system for wearable wireless sensor network. Comput. Sec. 96, 101887 (2020) Goyal, R., Koppula, V., Waters, B.: Collusion resistant traitor tracing from learning with errors. In: Diakonikolas, I., Kempe, D., Henzinger, M. (eds.) Proceedings of the 50th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2018, Los Angeles, CA, USA, 25–29 June 2018, pp. 660–670. ACM (2018) Goyal, R., Koppula, V., Waters, B.: New approaches to traitor tracing with embedded identities. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 149–179. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7 6 Goyal, R., Quach, W., Waters, B., Wichs, D.: Broadcast and trace with N ε ciphertext size from standard assumptions. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 826–855. Springer, Cham (2019). https:// doi.org/10.1007/978-3-030-26954-8 27 Goyal, R., Vusirikala, S., Waters, B.: Collusion resistant broadcast and trace from positional witness encryption. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 3–33. Springer, Cham (2019). https://doi.org/10.1007/978-3-03017259-6 1 Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for finegrained access control of encrypted data. In: Juels, A., Wright, R.N., di Vimercati, S.D.C. (eds.)Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, Alexandria, VA, USA, 30 Oct–3 Nov 2006, pp. 89–98. ACM (2006)

Generic Construction of Trace-and-Revoke Inner Product

281

36. Guo, F., Mu, Y., Susilo, W.: Identity-based traitor tracing with short private key and short ciphertext. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 609–626. Springer, Heidelberg (2012). https://doi.org/ 10.1007/978-3-642-33167-1 35 37. Halevy, D., Shamir, A.: The LSD broadcast encryption scheme. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 47–60. Springer, Heidelberg (2002). https:// doi.org/10.1007/3-540-45708-9 4 38. Iovino, V., Persiano, G.: Hidden-vector encryption with groups of prime order. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 75–88. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85538-5 5 39. Katsumata, S., Yamada, S.: Partitioning via non-linear polynomial functions: more compact IBEs from ideal lattices and Bilinear Maps. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 682–712. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6 23 40. Kim, C.H., Hwang, Y.H., Lee, P.J.: An efficient public key trace and revoke scheme secure against adaptive chosen ciphertext attack. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 359–373. Springer, Heidelberg (2003). https://doi.org/ 10.1007/978-3-540-40061-5 23 41. Kim, S., Wu, D.J.: Collusion resistant trace-and-revoke for arbitrary identities from standard assumptions. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 66–97. Springer, Cham (2020). https://doi.org/10.1007/978-3-03064834-3 3 42. Lai, J., Tang, Q.: Making Any attribute-based encryption accountable, efficiently. In: Lopez, J., Zhou, J., Soriano, M. (eds.) ESORICS 2018. LNCS, vol. 11099, pp. 527–547. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98989-1 26 43. Liu, Z., Cao, Z., Wong, D.S.: Blackbox traceable CP-ABE: how to catch people leaking their keys by selling decryption devices on ebay. In: Sadeghi, A., Gligor, V.D., Yung, M. (eds.) 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, Berlin, Germany, 4–8 Nov 2013, pp. 475–486. ACM (2013) 44. Liu, Z., Wong, D.S.: Practical attribute-based encryption: Traitor tracing, revocation and large universe. Comput. J. 59(7), 983–1004 (2016) 45. Naor, D., Naor, M., Lotspiech, J.: Revocation and tracing schemes for stateless receivers. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 41–62. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8 3 46. Naor, M., Pinkas, B.: Efficient trace and revoke schemes. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 1–20. Springer, Heidelberg (2001). https://doi.org/10. 1007/3-540-45472-1 1 47. Nishimaki, R., Wichs, D., Zhandry, M.: Anonymous traitor tracing: How to embed arbitrary information in a key. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 388–419. Springer, Heidelberg (2016). https://doi.org/ 10.1007/978-3-662-49896-5 14 48. O’Neill, A.: Definitional issues in functional encryption. IACR Cryptol. ePrint Arch., p. 556 (2010) 49. Paillier, P.: Public-key cryptosystems based on composite degree Residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X 16 50. Phan, D.H., Trinh, V.C.: Identity-based trace and revoke schemes. In: Boyen, X., Chen, X. (eds.) ProvSec 2011. LNCS, vol. 6980, pp. 204–221. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-24316-5 15

282

F. Luo et al.

51. Pollard, J.M.: Kangaroos, monopoly and discrete logarithms. J. Cryptol. 13(4), 437–447 (2000) 52. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, 22–24 May 2005, pp. 84–93. ACM (2005) 53. Sahai, A., Seyalioglu, H., Waters, B.: Dynamic credentials and ciphertext delegation for attribute-based encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 199–217. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5 13 54. Staddon, J., Stinson, D.R., Wei, R.: Combinatorial properties of frameproof and traceability codes. IEEE Trans. Inf. Theory 47(3), 1042–1049 (2001) 55. Stinson, D.R., Wei, R.: Combinatorial properties and constructions of traceability schemes and frameproof codes. SIAM J. Discret. Math. 11(1), 41–53 (1998) 56. Stinson, D.R., Wei, R.: Key preassigned traceability schemes for broadcast encryption. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 144–156. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48892-8 12

Spatial Encryption Revisited: From Delegatable Multiple Inner Product Encryption and More Huy Quoc Le1,2(B) , Dung Hoang Duong1(B) , Willy Susilo1(B) , and Josef Pieprzyk2,3(B) 1 Institute of Cybersecurity and Cryptology, School of Computing and Information Technology, University of Wollongong, Northfields Avenue, Wollongong, NSW 2522, Australia [email protected], {hduong,wsusilo}@uow.edu.au 2 CSIRO Data61, Sydney, NSW, Australia 3 Institute of Computer Science, Polish Academy of Sciences, Warsaw, Poland [email protected]

Abstract. Spatial encryption (SE), which involves encryption and decryption with affine/vector objects, was introduced by Boneh and Hamburg at Asiacrypt 2008. Since its introduction, SE has been shown as a versatile and elegant tool for implementing many other important primitives such as (Hierarchical) Identity-based Encryption ((H)IBE), Broadcast (H)IBE, Attribute-based Encryption, and Forward-secure cryptosystems. This paper revisits SE toward a more compact construction in the lattice setting. In doing that, we introduce a novel primitive called Delegatable Multiple Inner Product Encryption (DMIPE). It is a delegatable generalization of Inner Product Encryption (IPE) but different from the Hierarchical IPE (HIPE) (Okamoto and Takashima at Asiacrypt 2009). We point out that DMIPE and SE are equivalent in the sense that there are security-preserving conversions between them. As a proof of concept, we then successfully instantiate a concrete DMIPE construction relying on the hardness of the decisional learning with errors problem. In turn, the DMIPE design implies a more compact lattice-based SE in terms of sizes compared with SEs converted from HIPE (e.g., Xagawa’s HIPE at PKC 2013) using the framework by Chen et al. (Designs, Codes, and Cryptography, 2014). Furthermore, we demonstrate that one can also use SE to implement the Allow-/Deny-list encryption, which subsumes, e.g., puncturable encryption (Green and Miers at IEEE S&P 2015). Keywords: Spatial encryption · Learning with errors · Inner product encryption · Delegatable multiple inner product encryption · Hierarchical inner product encryption · Allow-/deny-list encryption · Lattice evaluation · Lattice trapdoors

c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 283–302, 2022. https://doi.org/10.1007/978-3-031-17140-6_14

284

1

H. Q. Le et al.

Introduction

Predicate encryption (PrE) introduced by Katz, Sahai and Waters [24] generalizes identity-based encryption (IBE) [30], attribute-based encryption (ABE) [20] and hidden vector encryption (HVE) [7]. Roughly speaking, in PrE, decryption keys and ciphertexts are associated with predicates and attributes, respectively. One can consider a predicate as a function and an attribute as a variable. Assume that one wants to decrypt a ciphertext ctx respective to an attribute x, using a decryption key skf respective to a predicate f . Then, the decryption is successful only if f (x) = 1 holds. Besides IBE, ABE and HVE, PrE also covers some other classes of encryption such as spatial encryption (SE) [6], for instance. Spatial encryption (SE) was introduced by Boneh and Hamburg in their paper [6] at Asiacrypt 2008, and then it was systematically investigated in Hamburg’s thesis [22]. Particularly, an SE predicate is an affine space/vector space, say f := V, and an SE attribute is an affine point/vector, say x := v. The condition f (x) = 1 is equivalent to v ∈ V. Furthermore, in SE one can use a decryption key for a predicate, say V1 , to delegate a decryption key for any predicate, say V2 , which is a subspace of V1 . In the case of SE involving affine objects, we call it affine SE and in the case of SE involving vector objects–call it linear SE. However, as we will show later, an affine SE can be transformed into a linear SE, then it is sufficient to talk about linear SEs throughout this work. There also exists a variant of SE called doubly spatial encryption (DSE), which is expected to be more expressive than SE. In DSE, attribute spaces (i.e., vector spaces or affine spaces) are needed for encryption rather than vectors. Decryption is successful if the intersection of the attribute and policy spaces is not empty. Because of essential applications of SE (and DSE) to constructing other cryptographic primitives (that will be discussed further in this work; now the readers can have a look at Fig. 1 for the relation of SE with some of them), SE and DSE have been the main topic of many research works [6,10–12,22,35]. 1.1

Our Motivations

Our work is inspired by a wide range of possible applications of SE and DSE, as argued in [6] and [22]. However, the main driver behind our work is an attempt to remove the shortcomings of a generic SE construction via [11]. Furthermore, as lattice-based cryptosystems are resistant to quantum adversaries, we propose a post-quantum lattice-based SE construction, which is more efficient than other lattice-based ones, such as those from [1,34]. Applications of SE. SE can be used to build many other cryptographic primitives such as (H)IBE, broadcast (H)IBE, and encryption schemes with forward security (see [6,22]). This is done by converting e.g., identities and time periods into vectors/spaces compatible with SE. For more details, the reader is referred to [6,22]. Our further discussion is driven by the question: “Can we use SE to implement other important cryptographic primitives?” We have discovered some new applications of SE. It turns out that we can use SE to construct puncturable

Spatial Encryption Revisited

285

encryption (PE) [21,32], DFPE [15] and their generalization, the allow/deny-list encryption (ADE). Remark that ADE has also been mentioned by Derler et al. in their work [15] and can also subsume other “predecessors” such as IBE [30], HIBE [19], Fully Puncturable Encryption (FuPE) [14], Puncturable IBE (PIBE) [16]. We refer to [15, Table 1] for a summary and comparison of ADE and its predecessors. Note that, however, so far, there is neither a formal definition nor security notions for ADE.

Fig. 1. The relation of SE and other primitives. Here, the implying relation A → B means that from A one can construct B.

Lattice-Based SE. There are many instantiations of SE in the literature (see Table 1). Almost are based on intractability assumptions such as bilinear decision Diffie-Hellman exponent (BDDHE) [6,22], decisional bilinear Diffie-Hellman (DBDH) [10,12,35], and decisional linear (DLIN) [10]. Some of them are provably secure in the generic group model (GGM) [6,22], while others – in the standard model (SDM) [10,12,35]. Recall that lattice-based cryptosystems are believed to enjoy post-quantum (PQ) security. In contrast, cryptosystems, whose security is based on the intractability of factorization or discrete logarithm, are breakable by quantum adversaries [31]. With the rapid development of large-scale quantum computers1 it is imperative to design cryptosystems which are secure against quantum adversaries. This leads us to the following question: “Is it possible to design SE in the lattice setting? ”. We found out that an answer to the question has already existed in the literature. One can get a lattice-based SE using a generic construction from the hierarchical inner product encryption (HIPE) given by Chen 1

For instance, see at https://www.nature.com/articles/d41586-019-03213-z.

286

H. Q. Le et al.

et al. in [11]. The generic construction deploys two lattice-based SE schemes from [1] and [34]. We base the security of both schemes on the intractability of the learning with errors (LWE) problem. Unfortunately, such (lattice-based) SE construction is not free from a few weaknesses shown below. Table 1. (D)SE constructions Literature

From

Assumption

Security model

Selective (S)/Adaptive (A)

PQ security

Boneh, Hamburg [6]

BDDHE

GGM

S&A

✗

Hamburg [22]

BDDHE

GGM

S

✗

Chen, Wee [12]

DBDH

SDM

S

✗

Chen et al. [10]

DLIN, DBDH SDM

A

✗

Zhou, Cao [35]

DBDH

SDM

S

✗

Abdalla et al. [1]

HIPE via LWE Chen [11]

SDM

S



Xagawa [34]

HIPE via LWE Chen [11]

SDM

S



Our work

DMIPE

SDM

S



LWE

Shortcomings of Constructing SE from HIPE. The notion of inner product encryption (IPE) was introduced by Katz, Sahai, and Waters [24]. Hierarchical inner product encryption (HIPE) is an extension of IPE introduced by Okamoto and Takashima [28]. A HIPE is identified by a field F, a tuple Δ(δ) := (δ; 1 , · · · , δ ) called hierarchical format of depth δ. Specifically, for any  = (v1 , · · · , vk ) ∈ Γ|k := Γ1 ×· · ·×Γk , where Γi := Fi , a hierarchical predicate V  = 1 for any X  = (x1 , · · · , xt ) ∈ Γ|t if and only fV (·) is defined as follows: fV (X)  and V  , the if k ≤ t and vi , xi  = 0, for all i ∈ [k]. Informally, for each pair X  is equal to 1. criteria for successful decryption is that fV (X) Chen et al. [11] have investigated the relation between SE and HIPE. They show that we can construct a d-dimensional linear SE from Δ(d) := (d; d, · · · , d)HIPE (i.e., 1 = · · · = d = d) and vice versa (but the dimension of SE and the hierarchical format of HIPE might change). To construct SE from HIPE, the authors change the “belong to” relation into the “orthogonal to” relation, i.e. x ∈ V ⇔ x, v = 0 ∀v ∈ V ⊥ , where V ⊥ denotes the orthogonal complement of V . If we denote a basis of V ⊥ by B ⊥ (V ), then this is equivalent to x, v = 0  := (x, · · · , x) for all vi ∈ B ⊥ (V ). In order to deploy HIPE for SE, we set X ⊥  and V := {vi : vi ∈ B (V )} for each x and V , respectively. Thanks to Linear Algebra (see Lemma 6 in Sect. 4) and the delegation capability of HIPE, one can perform delegation for SE. The following shortcomings of the above construction can be identified:

Spatial Encryption Revisited

287

– There is a single vector that is involved in SE encryption. Decryption keys may involve a list of vectors. In contrast, HIPE encryption takes many vectors. That is why in the construction of SE from HIPE, one has to duplicate the attribute vector of SE many times to fit the hierarchical format of HIPE. – It is difficult, in general, to instantiate HIPE for practical use because of its complex structure. It is worth noting that there are only some other latticebased HIPE constructions (for instance, these from Abdalla et al. [1] and Xagawa [34]). Unfortunately, they are not efficient enough. The above considerations lead us to the following question: “Can we construct SE from an IPE-related primitive that is simpler than HIPE?” We give an affirmative answer to this question by introducing the new notion of delegatable multiple inner product encryption (DMIPE). 1.2

Contributions

Below we list the main results of our work. – We introduce a novel primitive called delegatable multiple inner product encryption (DMIPE). It is a natural extension of IPE. We give a novel design of DMIPE using LWE. We prove that our design is selective payload-hiding secure in the standard model. – We show an equivalence between DMIPE and SE, which provides a generic framework for constructing SE from DMIPE. As a result, we obtain a latticebased SE, which is more efficient (in terms of sizes) than SEs constructed from HIPE. Conversely, we can also build DMIPE from SE. Moreover, the conversions between DMIPE and SE are security-preserving. – We formally define the allow/deny-list encryption (ADE), which subsumes some other important primitives, e.g., PE [21], FuPE [14], DFPE [15]. We point out that one can build two versions of ADE from SE under appropriate embeddings. 1.3

Overview of Our Results

DMIPE. The notion of DMIPE originates from IPE and is equipped with a delegation mechanism for producing decryption keys. In particular, a DMIPE ciphertext is connected to its attribute vector. A DMIPE decryption key can be generated from either the master secret key or from other secret keys by adding more vectors to the list of predicate vectors. There is an important requirement  . They have to be linearly independent, i.e. no vector for predicate vectors, say V  . The requirement is a linear combination of two or more other vectors from V  when checking is necessary to ensure that there is no redundant vector in V  ∪v is possible decryption conditions. Besides, delegation of a decryption key for V  . Further if v is linearly independent from the existing predicate vectors in V details can be found in Sect. 3. We show that DMIPE can be used to implement other primitives, e.g., SE, which can be exploited to build other primitives, as previously mentioned. We

288

H. Q. Le et al.

argue that DMIPE is a generalization of IPE, and it is more natural than HIPE. Compared to HIPE, the decryption hierarchy in DMIPE is more flexible for delegation. (See Table 2 for a quantitative comparison of IPE, HIPE and DMIPE and Fig. 1 for an intuitive illustration of their relation). From the comparison in Table 2, it is easy to see that DMIPE and HIPE are not equivalent in the sense of transforming one into another. Details will be presented in Sect. 4. Table 2. Comparison of IPE, HIPE and DMIPE. IPE

HIPE

DMIPE

# Attribute vectors # Predicate vectors Delegation?

1 1 No

d ≤d Yes

1 ≥1 Yes

Dimension of predicate and attribute vectors

Same Not necessarily same Same

Lattice-Based DMIPE. At a high-level description, our lattice-based DMIPE design exploits the lattice trapdoor mechanism and the lattice evaluation for inner product functions (see Lemma 4 and Lemma 5 for formal statements). The DMIPE design’s security is based on the intractability of the decision Learning with Errors problem. The lattice-based DMIPE will be given in Sect. 5. Equivalence of DMIPE and SE. We prove in Sect. 6 that DMIPE and SE are equivalent in the sense that we can establish security-preserving conversions between them. In particular, we can use DMIPE to construct SE, where SE inherits security from DMIPE and vice versa. It also means we can get a lattice-based SE from a lattice-based DMIPE. This way, our (d-dimensional) SE construction is more efficient in terms of sizes, than SE obtained from Δ(d)HIPEs [1,34], according to the generic framework of Chen et al. [11]. Table 3 compares different lattice-based SEs. Table 3. Comparison of lattice-based d-dimensional SEs d-dim. SE from

pk-size ( := logr q)

msk-size ( := logr q)

Abdalla et al. [1] (d2 ( + 1) · Zqn×m 1 · DZm×m +2 · Zn×m (Δ(d)-HIPE) q

(m−n)×n

Xagawa [34] (Δ(d)-HIPE)

(d2 + d) · Zqn×n +2 · Zn×ml q

1 · DZ

Ours (DMIPE)

(d + 2) · Zqn×m

1 · DZm×m

sk-size (k predicates)

ct-size (h attributes, m-bit message)

1 · DZkm×m

(hd( + 1)) · Zm q +2 · Zm q

(m+(2k−1)n)×m

1 · DZ (m+(2k−1)n)×nk +1 · DZ 1 · DZkm×m

(h − 1 + hd) · Zn q +2 · Zm q (d + 2) · Zm q

Spatial Encryption Revisited

289

ADE and the Construction from SE. ADE is, in fact, also a subclass of PrE, in which both predicates and attributes are tags. These tags are categorized into two lists: allow list contains positive tags and deny list–negative tags. Both ciphertexts and decryption keys are associated with these two kinds of tags. Further, ADE also supports the delegation mechanism, which is called puncturing. Roughly saying, negatively puncturing is the delegation on negative tags, and this puncturing can revoke the decryption ability. In contrast, positively puncturing is delegation done on positive tags and allows decryption. We will present a formal definition and security model for ADE. Moreover, we consider three versions of ADE: (i) standard ADE (sADE); (ii) inclusive ADE (iADE) and (iii) k-threshold ADE (k-tADE). We show that one can construct sADE and iADE from SE by applying some appropriate encodings. This result will be detailed in Sect. 7. However, how to translate k-tADE to SE is an open problem. The security notions for SE, DMIPE and even ADE inherit from those for PrE, which were introduced in [24]. They include selective payload-hiding, selective attribute-hiding, adaptive payload-hiding, and adaptive attribute-hiding. We stress that, in this work, we concentrate on the selective payload-hiding security. Due to the space limitation, we omit the proofs and provide them in the full version [25] of this paper.

2

Preliminaries

Given a positive integer n, [n] stands for the set {1, · · · , n}. We write W V for the fact that W is an (affine or vector) subspace of V . The notation A ⊗ B is a tensor product of two matrices A and B. Throughout this work, we represent a vector with a small bold-face letter, e.g., x and in the column form unless stated otherwise. We write a matrix in capital bold-face, e.g., B. We write b (resp., A ) to denote the transpose of a vector b (resp., a matrix A). The  := [ sk ] stands for the Gram-Schmidt (GS) orthogonalisation notation S s1 | · · · | of S := [s1 | · · · |sk ]. The notation U (X) means the uniform distribution over the set X. All logarithms are for base 2. All norms are the max-absolute-value norm  · max 2 unless otherwise stated. The norm returns the maximum absolute value of the entries of an input vector/matrix. For example, for a vector j∈[m] a = (a1 , · · · , an ) and a matrix A = (ai,j )i∈[n] , amax := maxi∈[n] |ai | and Amax := maxi∈[n],j∈[m] |ai,j |. The following lemma is the well-known result regarding the max-absolute-value norm. Lemma 1. Let e1 , e2 , e3 be vectors of dimensions m1 , m2 , m3 ∈ N, respectively. Let A1 , A2 be matrices of appropriate dimensions. Then, e 1 A1 max ≤     · A  , and (e |e )A  ≤ (m e  + m e m1 e max 1 max 2 max 2 max 3 1 2 3 2 3 max ) · A2 max .

2

Some papers (e.g., [8, 23, 33]) denote this max-absolute-value norm by  · ∞ .

290

2.1

H. Q. Le et al.

Framework of Spatial Encryption

Syntax. Formally, SE [6,22] consists of five main algorithms SE.Setup, SE.Derive, SE.Del, SE.Enc, SE.Dec described as follows: (pp, msk) ← SE.Setup(1λ , sp): The algorithm takes as input a security parameter λ and setup parameters sp. It returns public parameters pp which implicitly defined a top space T and a master secret key msk. The master key msk can be seen as the secret key skT (i.e., msk = skT ) for the top space T. skV ← SE.Derive(pp, msk, V ): The algorithm takes as input the master secret key msk and a subspace V . It outputs the secret key skV for V . skV2 ← SE.Del(pp, skV1 , V2 ): The algorithm takes as input the secret key skV1 for the space V1 . It outputs the secret key skV2 for V2 , where V2 V1 . ctx ← SE.Enc(pp, x, μ): The encryption algorithm encrypts a message μ under a point/vector x. It outputs a ciphertext ctx . μ/ ⊥← SE.Dec(pp, ctx , skV ): The decryption algorithm takes as input a secret key skV and a ciphertext ctx . Decryption succeeds if x ∈ V and it outputs the plaintext μ. Otherwise, it fails and returns ⊥.

GAME SEsel,ATK payload,A (λ, sp) : (where ATK ∈ {CPA, CCA1, CCA2}) 1. x∗ ← A(1λ , sp); 2. (pp, msk) ← SE.Setup(1λ , sp); $

3. (μ∗0 , μ∗1 ) ← AKQ(·), DQ1 (·,·) (pp); 4. b ← − {0, 1}, ct∗x∗ ← SE.Enc(pp, x∗ , μ∗b );  KQ(·), DQ2 (·,·) ∗ 5. b ← A (pp, ctx∗ ). //NOTE: DQ2 (V, ct∗x∗ ) is not allowed ∗ with x ∈ V . 6. If b = b, return 1. Otherwise, return 0. Queried Oracles: • Key Oracle KQ(V) (allowed only if x∗ ∈ / V ): Return skV ← SE.Der(pp, msk, V ). • Decryption Oracle DQ1 (V, ctx ) (allowed only if ATK ∈ {CCA1, CCA2}): Run skV ← SE.Der(pp, msk, V ), then return the output of SE.Dec(pp, ctx , skV ). • Decryption Oracle DQ2 (V, ctx ) (allowed only if ATK = CCA2): Run skV ← SE.Der(pp, msk, V ), then return the output of SE.Dec(pp, ctx , skV ).

Fig. 2. Selective payload-hiding security game for SE

Correctness. It requires that for all λ, sp, (pp, msk) ← SE.Setup(1λ , sp)), ctx ← SE.Enc(pp, x, μ), skV ← SE.Del(pp, skV  , V ) (for some V  such that V V  ) or skV ← SE.Derive(pp, msk), if x ∈ V then Pr[SE.Dec(pp, skV , ctx ) = μ] ≥ 1 − negl(λ); otherwise, Pr[SE.Dec(pp, skV , ctx ) = μ] < negl(λ). We also require that the distribution of secret keys skV for any subspace V must be the same. It should depend neither on how a key is produced (i.e. by either SE.Derive or SE.Del) nor on what a path is (e.g., the direct path from the top space or the path of a delegation from another subspace).

Spatial Encryption Revisited

291

Security Notions for SE. SE security notions include selective/adaptive payload/attribute-hiding. However, we only formally define the selective ATK payload-hiding security for SE – see Definition 1 and the game SEsel, payload,A in Fig. 2. Note that ATK ∈ {CPA, CCA}, where CPA and CCA stand for chosen plaintext and chosen ciphertext attacks, respectively. Definition 1 (Selective Payload-hiding Security for SE). SE is selective payload-hiding secure if the advantage of the adversary playing in the SEsel,ATK payload,A

game is negligible, i.e., Advpayload,ATK := |Pr[b = b] − 1/2| = negl(λ). SE,A,sel 2.2

Lattices, Gaussians, Trapdoors, Lattice Evaluations for Inner Product Functions

{e ∈ Zm | Ae = 0 (mod q)} , Λu (A) We focus on the following lattices: Λ⊥ q (A) :=   q m U := {e ∈ Z |Ae = u (mod q)}, Λq (A) := R ∈ Zm×k |AR = U (mod q) . Note that Zm for any m ∈ N is also a lattice. We also involve with a discrete Gaussian distribution over L centred at v ρσ,v (x) with (Gaussian) parameter σ which is defined by DL,σ,v (x) = ρσ,v (L) for all  2 2 x ∈ L, where ρσ,v (x) = exp(−πx − v /σ ) and ρσ,v (L) := x∈L ρσ,v (x). In case v = 0, we just write DL,σ . We also consider the (B, )-bounded distributions χ supported over Z. The following lemma says how short a vector sampled via a discrete Gaussian distribution (over Z) is. 2

Lemma 2 ([26, Lemma 4.4]). Pr[|x| > kσ : x ← DZ,σ ] ≤ 2 exp(− k2 ). Note that, in Lemma 2, if we set k = 12, then Pr[|x| ≤ 12σ : x ← DZ,σ ] ≥ 1 − 2 exp(−72) ≈ 1 − 2−100 . Then, χ = DZ,σ is a (12σ, 2−100 )-bounded distribution. The following leftover hash lemma enables us to replace a random matrix by a pseudo-random one in hybrid games for our security proofs. Lemma 3 (Leftover Hash Lemma, [2, Lemma 4]). Given m, n, q are positive integers such that m > (n + 1) log q + ω(log n), k = poly(n), q > 2 is $

$

− Zn×m and B ← − Zn×k . Then, the joint distributions a prime, and that A ← q q   (A, AR, e R) and (A, B, e R) are statistically close to each other for any $

− {−1, 0, 1}m×k and for all vectors e ∈ Zm matrix R ← q . The Decisional Learning with Errors (DLWE) [29] is used as our intractability assumption to prove the security of our DMIPE design. The hardness of DLWE can be found, e.g., in [8, Corollary 3]. We follow the works [8,23,33] for lattice trapdoors. In particular, it is shown in [27] that the gadget matrix G has a publicly known constant trapdoor denoted in this work as G−1 O(1) . Lemma 4 ([2,4,9,17,27]). The following facts hold for lattice trapdoors:

292

H. Q. Le et al.

1. Let n, m, q be positive integers where m = O(n log q). There is an efficient algorithm TrapGen that takes (n, m, q) as input to generate a matrix A ∈ negl

2. 3. 4.

5.

n×m together with its trapdoor A−1 ) with Zn×m q σ0 satisfying that A ∼ U (Zq σ0 = ω(n log q log n). −1 Given a trapdoor A−1 σ1 , one can compute Aσ2 for any σ2 ≥ σ1 . −1 −1 Given a trapdoor Aσ , one can compute [A|B]−1 σ , [B|A]σ for any matrix B having the same number of rows as A.  Given the gadget matrix G ∈ Zn×m with m ≥ nlog q, using its trapdoor q −1 n×m and GO(1) one can compute the trapdoor [A|AR + G]−1 σ for all A ∈ Zq √ m×m R∈Z and σ = m · Rmax · ω( log m).  For a trapdoor A−1 and for any U ∈ Zn×m , by Lemma 2, q σ1 −1 −100 . Pr[Aσ1 (U)max ≤ 12σ : x ← DZ,σ ] ≥ 1 − 2

For every x ∈ Zdq , an inner product function fv : Zdq → Zq is indexed by a vector v ∈ Zdq and is defined as fv (x) := v, x ( mod q). Thus, [33, Theorem 2], for example, is not suitable for our work. The following lemma is sufficient for our purpose. Lemma 5 (Evaluation for Inner Product Functions). There exist an efficient deterministic algorithm EvalFIP such that for all n, q, d ∈ N and m = nlog q, for any inner product function fv : Zdq → Zq indicated by , it outputs a matrix H ∈ {0, 1}md×m ← v ∈ Zdq , and for any matrix B ∈ Zn×md q IP EvalF (fv , B), satisfying that Hmax ≤ 1 and that for every x ∈ Zdq , [B ± x ⊗ G]H = BH ± v, x · G (mod q).

3

Delegatable Multiple Inner Product Encryption

In this section, we present the syntax and security notions for DMIPE. For DMIPE, a ciphertext is produced together with a d-dimensional vector. We call it ciphertext vector, or attribute vector. A secret key contains a list of one or multiple vectors of dimension d. We call them key vectors or predicate vectors. All vectors are supposed to belong to the same domain (space) D. The domain supports typical or symbolic inner product operations. The operation is defined as x, v = x1 v1 + · · · xd vd ∈ D for x := (x1 , · · · , xd ), v := (v1 , · · · , vd ) ∈ Dd . Note that D can be Z or even Zq . Syntax of DMIPE. A DMIPE consists of the five algorithms DMIPE.Setup, DMIPE.Derive, DMIPE.Del, DMIPE.Enc and DMIPE.Dec. They are formally defined below. – (pp, msk) ← DMIPE.Setup(1λ , sp): The algorithm takes as input a security parameter λ and setup parameters sp. It returns public parameters pp and a master secret key msk.  ): The algorithm takes a master secret key – skV ← DMIPE.Derive(pp, msk, V  . msk and a list of vector V = {v1 , · · · , vk }. It returns a secret key skV for V

Spatial Encryption Revisited

293

– ⊥ /skV2 ← DMIPE.Del(pp, skV1 , vk+1 ): The algorithm takes the secret key 1 = {v1 , · · · , vk } and returns a secret key sk  for V 2 := V 1 ∪{vk+1 }. sk  for V V1

V2

 , then it returns ⊥. If vk+1 is not linearly independent of V – ctx ← DMIPE.Enc(pp, μ, x): The algorithm encrypts a message μ under a vector x and produces a ciphertext ctx . – ⊥/μ ← DMIPE.Dec(pp, skV , ctx ): The algorithm decrypts a ciphertext ctx  · x = 0 (i.e., vi , x = 0 for all using a secret key skV . It is successful if V  ). If the condition does not hold, it fails and returns ⊥. vi ∈ V Correctness of DMIPE. For all λ, sp, (pp, msk) ← DMIPE.Setup(1λ , sp), ctx ← DMIPE.Enc(pp, μ, x), skV ← DMIPE.Del(pp, skV  , v) (where  = V   ∪ {v}) or sk  ← DMIPE.Derive(pp, msk, V  ), if V  · x = V V 0 then Pr[DMIPE.Dec(pp, skV , ctx ) = μ] ≥ 1 − negl(λ); otherwise, Pr[DMIPE.Dec(pp, skV , ctx ) = μ] < negl(λ). Security Notions of DMIPE. Same as SE, we only consider selective payloadhiding security for DMIPE. Definition 2 and Fig. 3 together describe our security notion. Definition 2. DMIPE is selective payload-hiding secure if the advantage of the adversary playing in the DMIPEsel,ATK payload,A game (in Fig. 3) is negligible, i.e.,

 Advpayload,ATK DMIPE,A,sel : = |Pr[b = b] − 1/2| = negl(λ).

GAME DMIPEsel,ATK payload,A (λ, sp):

(where ATK ∈ {CPA, CCA1, CCA2}) 1. x∗ ← A(1λ , sp); 2. (pp, msk) ← DMIPE.Setup(1λ , sp); ∗ KQ(·), DQ1 (·,·) 3. (μ∗ (pp); 0 , μ1 ) ← A $

∗ ∗ 4. b ← − {0, 1}, ct∗ x∗ ← DMIPE.Enc(pp, x , μb ); ct∗ , KQ(·), DQ2 (·,·) ∗ 5. b ← A x∗ (pp). // NOTE: DQ2 (V , ct∗ x∗ ) with x ⊥ V is not allowed . 6. If b = b, return 1. Otherwise, return 0. Queried Oracles: • KQ(V ) (allowed only if x∗ ⊥ V ): Run skV ← DMIPE.Derive(pp, msk, V ). • DQ1 (V , ctx ) (allowed only if ATK ∈ {CCA1, CCA2}): Run skV ← DMIPE.Derive(pp, msk, V ), then return the output of DMIPE.Dec(pp, ctx , skV ). • DQ2 (V , ctx ) (allowed only if ATK = CCA2): Run skV ← DMIPE.Derive(pp, msk, V ), then return the output of DMIPE.Dec(pp, ctx , skV ).

 then Fig. 3. Selective payload-hiding security game for DMIPE. Here if x ⊥ v, ∀v ∈ V  ; otherwise we write x ⊥ V . we write x ⊥ V

4

Generic SE Construction from DMIPE

We only focus on a linear SE, where components are vectors and vector subspaces over some field F, e.g., F = Zq for q prime. Note that we can always embed a

294

H. Q. Le et al.

d-dimensional affine SE into a (d + 1)-dimensional linear SE, as shown below. First, we recap some notions in affine/linear algebra. Let F be a field. A d-dimensional vector subspace V Fd can be represented as V := span(M) = {Mx : x ∈ Fm } for some x ∈ Fm , where M ∈ Fd×m is a basis for V . Note that all rows of M are linearly independent. A d-dimensional affine subspace W of Fd can be represented as W = y + span(M) = {y + W to a vector Mx : x ∈ Fm } for some y ∈ Fd , M ∈ Fd×m  . We can transform   1 subspace defined as W = span(M ) := M x : x = , x ∈ Fm+1 , where x

 1 0 M has the form ∈ F(d+1)×(m+1) . Obviously, all rows of M are still yM linearly independent assuming the linear independence for M’s rows. Then W now is a vector subspace of dimension d+1. For linear SE, recall that we encrypt a plaintext together with a vector x and a decryption key is produced using a vector space V . Successful decryption using the decryption key requires that x ∈ V . We need a tool that helps us transform the “belong to” relation for the SE syntax to the “orthogonal to” relation compatible with the DMIPE syntax. The following well-known lemma from Linear Algebra helps us to compute the basis for the orthogonal complement of a vector space. Lemma 6. ([13, Algorithm 2.3.7] and [11]). There exists an efficient algorithm, named OCB, such that on input a vector space V , outputs a basis, called B ⊥ (V ), for the orthogonal complement V ⊥ of V . Furthermore, the algorithm guarantees that if V2 V1 then B ⊥ (V1 ) ⊆ B ⊥ (V2 ). Now we are ready to present our generic SE construction from DMIPE. Given a DMIPE scheme ΠDMIPE := (DMIPE.Setup, DMIPE.Derive, DMIPE.Del, DMIPE.Enc, DMIPE.Dec). Then we can construct an SE scheme ΠSE := (SE.Setup, SE.Derive, SE.Del, SE.Enc, SE.Dec) as follows: – SE.Setup(1λ , sp): For input a security parameter λ, a system parameters sp, run (dmipe.pp, dmipe.msk) ← DMIPE.Setup(1λ , sp) and set pp := dmipe.pp, and msk := dmipe.msk. – SE.Derive(pp, msk, V ): For input public parameters pp, the master secret key  := {v : msk and a subspace V , perform: Run B⊥ (V ) ← OCB(V ), and set V  ), and set skV := v ∈ B⊥ (V )}. Run dmipe.skV ← DMIPE.Derive(pp, msk, V dmipe.skV . – SE.Del(pp, skV1 , V2 ): For input public parameters pp, secret key for subspace skV1 = dmipe.skV for V1 and a subspace V2 V1 , perform: Run B ⊥ (V1 ) ← 1 := {v : v ∈ B ⊥ (V1 )}, V 2 := {v : OCB(V1 ), B ⊥ (V2 ) ← OCB(V2 ), and set V ⊥   2 \ V 1 = v ∈ B (V2 )}. Note that, since V2 V1 , V1 ⊆ V2 . Suppose that V  ←V 1 . For i ∈ [k], run dmipe.sk  {v1 , · · · , vk } for some k ≥ 1. Set V V ∪{vi } ←  ←V  ∪{vi }. At this point, we reach DMIPE.Del(pp, dmipe.skV , vi ), then set V   V = V2 . Finally, output skV2 := dmipe.skV2 . Doing this makes it clear that the distribution of the private keys is independent of the path taken. Namely, the distribution for the key skV3 computed from skV2 is the same as that of skV3 computed from skV1 with V3 V2 V1 .

Spatial Encryption Revisited

295

– SE.Enc(pp, x, μ): For input the public parameters pp, an attribute vector x and a plaintext μ, run dmipe.ctx ← DMIPE.Enc(pp, x, μ) and output a ciphertext ctx := dmipe.ctx . – SE.Dec(pp, ctx , skV ): On input the public parameters pp, a ciphertext ctx and a secret key skV for a space V , return the output of DMIPE.Dec(pp, ctx , skV ). We establish the correctness of SE in Theorem 1 and the security of SE in Theorem 2. Theorem 1. The SE ΠSE is correct assuming correctness of the underlying DMIPE ΠDMIPE . Theorem 2. Given an adversary S that plays against some security game (selective/adaptive payload-/attribute-hiding) for ΠSE , one can build an adver≥ sary A playing against the same security game for ΠDMIPE such that AdvDMIPE A . AdvSE S

5

Lattice-Based DMIPE Construction

For a vector v ∈ Zdq , we define an inner product function fv : Zdq → Zq as fv (x) := v, x ( mod q), for any x ∈ Zdq . Recall that we can represent this function as an addition gate; see [5, Section 4]. Our lattice-based DMIPE construction exploits the lattice trapdoor mechanism [2,17,27] and the lattice evaluation algorithms developed in a long series of works[5,18,27,33]. The Construction. The lattice-based DMIPE is presented right below. – DMIPE.Setup(1λ , 1d ): On input a security parameter λ, a dimension d, do the following: Choose n, m, q according to λ, d. Also, choose a (B, )-bounded distribution χ for the underlying LWE problem. We can take χ = DZ,σ∗ (for some σ ∗ > 0) which is a (12σ ∗ , 2−100 )-bounded distribution. Choose − a Gaussian parameter σ0 , and sample (A, A−1 σ0 ) ← TrapGen(n, m, q), U ← $

$

Zn×m ,B← − Zn×md . Output public parameters pp := (A, B, U) and master q q secret key msk := A−1 σ0 .  ): Taking as input public parameters pp, a master – DMIPE.Derive(pp, msk, V  = {v1 , · · · , vk }, perform: secret key msk and a list of d-dimensional vectors V For each vector vi , evaluate Hvi ← EvalF(fvi , B) and compute Bvi := BHvi . Set BV := [Bv1 | · · · |Bvk ] and AV := [A|BV ]. Compute trapdoor A−1  ,σ for V 0

AV (via Item 3 of Lemma 4) and output skV := A−1  ,σ0 . V – DMIPE.Del(pp, skV1 , vk+1 ): On input public parameters pp, a secret key  1 ), do the skV1 = A−1 /V  ,σ for a list V1 = {v1 , · · · , vk }, and a vector vk+1 ∈ V 1

0

following: For all i ∈ [k + 1], evaluate Hvi ← EvalFIP (fvi , B) and compute 2 := V 1 ∪ {vk+1 }. Bvi := BHvi . Set AV2 := [A|Bv1 | · · · |Bvk |Bvk+1 ] with V −1 Note that, AV1 := [A|Bv1 | · · · |Bvk ]. Compute trapdoor AV ,σ using the 2

0

−1 trapdoor A−1 2 := AV  ,σ (via Item 3 of Lemma 4) and output skV  ,σ . V 1

0

2

0

296

H. Q. Le et al.

– DMIPE.Enc(pp, μ, x): On input public parameters pp, a message vectors μ := (μ1 , · · · , μm ) ∈ {0, 1}m and an attribute vector x ∈ Zdq , do the following: $

$

− Znq , R ← − {−1, 0, 1}m×md and ein , eout ← χm . Compute cin := Sample s ←   m md   s A + ein ∈ Zq , cmid := s (B − x ⊗ G) + e in R ∈ Zq , cout := s U + eout + m μ · q/2 ∈ Zq . Output ciphertext ctx := (cin , cmid , cout ). – DMIPE.Dec(pp, skV , ctx ): On input public parameters pp, secret key skV :=  A−1  associated with V = (v1 , · · · , vk ) and a ciphertext ctx := (cin , cmid , cout ) V associated with x ∈ Zdq , do the following: For each vector vi , evaluate Hvi ← EvalFIP (fvi , B) and compute Bvi := BHvi . Set AV := [A|Bv1 | · · · |Bvk ] and compute W ← A−1  ,σ0 W = U (mod q). For i ∈ [k], compute  ,σ (U), i.e., AV V 0

 cvi := cmid Hvi , i.e., cvi = s (Bvi + vi , x · G) + e in RHvi . Compute μ :=   (μ1 , · · · , μm ) ← cout − [cin |cv1 | · · · |cvk ]W. For i ∈ [m], output μi = 0 if |μi | < q/4; output μi = 1 otherwise.

5.1

Correctness and Security

Theorem 3 (Correctness). The given DMIPE is correct assuming the chosen parameters satisfy B + 12(mB + km3 B) · σ0 < q/4. Theorem 4 (Selective Payload-hiding Security). Under the hardness of the (n, 2m, q, χ)-DLWE assumption, the lattice-based DMIPE is selectively payload-hiding secure (under chosen plaintext attacks). Specifically, suppose that there is an adversary A that wins the DMIPEsel,CPA payload,A , then one can use A to build a solver B that can solve the (n, 2m, q, χ)-DLWE problem at least with the same advantage.

6

Constructing DMIPE from SE

, One can construct DMIPE from SE. The key idea is that for predicate vectors V  to the (unique) orthogonal we utilize a transformation named OVS, that maps V  . That is, OVS(V  ) := complement of the subspace generated by all vectors in V ⊥  (span(v1 , · · · , vk )) . Remind that all vectors in V are linearly independent. By  is equivalent to x ∈ doing that, the condition vi , x = 0 (mod q) ∀vi ∈ V  ). Furthermore, the transformation also guarantees that if V 1 ⊆ V 2 then OVS(V   OVS(V2 ) OVS(V1 ). The construction for DMIPE from SE is quite similar to the way for SE from DMIPE. We include it here for completeness. The correctness of DMIPE is straightforward from that of SE. The security of DMIPE follows from that of SE and can be done similarly as in the proof of Theorem 2. Then we omit it. – DMIPE.Setup(1λ , sp): Run (se.pp, se.msk) ← SE.Setup(1λ , sp) and then output pp := se.pp, msk := se.msk.  ): Run V ← OVS(V  ), se.skV ← SE.Derive(pp, msk, – DMIPE.Derive(pp, T, msk, V V ) and then output skV := se.skV .

Spatial Encryption Revisited

297

– DMIPE.Enc(pp, x, μ): Run se.ctx ← SE.Enc(pp, x, μ) and output ctx := se.ctx . 1 , sk  , v): Compute V1 ← OVS(V 1 ), V2 ← OVS(V 1 ∪ {v}), – DMIPE.Del(pp, V V1 and then se.skV2 ← SE.Del(pp, se.skV1 , V2 ). (Note that, se.skV1 = skV1 .) Finally, output skV2 := se.skV2 . – DMIPE.Dec(pp, ctx , skV ): Return the output of SE.Dec(pp, ctx , skV ).

7 7.1

Allow-/Deny-List Encryption from Spatial Encryption Framework of ADE

Let λ be a security parameter, d = d(λ) be the maximum number of negative tags per ciphertext, and a = a(λ) be the maximum number of positive tags in the ADE system. Further, we denote the space of plaintexts, the negative tag space and the positive tag space by M = M(λ), T (−) = T (−) (λ) and by T (+) = T (+) (λ), respectively. Syntax. ADE is a tuple of the following algorithms ADE = (ADE.Gen, ADE.Enc, ADE.Npun, ADE.Ppun, ADE.Dec): – (pp, sk∅∅ ) ← ADE.Gen(1λ , 1a , 1d ): On input (a security parameter λ and a maximum number a of positive tags per ciphertext and a maximum number d of negative tags per ciphertext), the PPT algorithm outputs public parameters pp and a (not punctured) initial secret key sk∅∅ . AL ∪AL2

– skDL1

AL

← ADE.Ppun(pp, skDL1 , AL2 , k): On input a tuple of (public AL

parameters pp; a previously punctured key skDL1 for a set of positive tags ∅ ⊆ AL1 ⊆ T (+) and a set of negative tags ∅ ⊆ DL ⊆ T (−) ; a set of positive tags AL2 ∈ T (+) \ AL1 ), the PPT algorithm returns a new punctured key AL ∪AL2 skDL1 . Here, note that k is only used in the k-tADE variant.  AL  – skAL   DL1 ∪DL2 ← ADE.Npun(pp, skDL1 , DL2 ): On input a tuple of (public param

eters pp; a previously punctured key skAL DL for a set of positive tags ∅ ⊆ AL ⊆ T (+) and a set of negative tags ∅ ⊆ DL1 ⊆ T (−) ; a set of negative tags DL2 ∈ T (−) \ DL1 ), the PPT algorithm returns a new punctured key  skAL DL1 ∪DL2 . – ctAL DL ← ADE.Enc(pp, μ, AL, DL): On input a tuple of (public parameters pp; a plaintext μ; a set of positive tags AL; a set of negative tags DL), the PPT algorithm returns a ciphertext ctAL DL .  AL , ct ): On input a tuple of (public parameters pp; – μ/⊥ ← ADE.Dec(pp, skAL  DL DL AL a secret key skDL associated with AL ⊆ T (+) and DL ⊆ T (−) ; a ciphertext (+) and DL ⊆ T (−) ), the DPT algorithm ctAL DL associated with AL ⊆ T outputs either a plaintext μ if decryption succeeds or ⊥ otherwise. Correctness and ADE Variants. Consider all λ, a, d ∈ N, μ ∈ M, ∅ ⊂ AL, AL ⊆ T (+) , ∅ ⊂ DL, DL ⊆ T (−) , (pp, sk∅∅ ) ← ADE.Gen(1λ , 1a , 1d ), ctAL DL ← AL ADE.Enc (pp, μ, AL, DL), and any punctured key skDL generated using any

298

H. Q. Le et al.

combination of ADE.Npun, and ADE.Ppun on AL , DL . We define the correctness and classify ADE variants at the same time. All variants require that the initial key is always able to successfully decrypt a ciphertext i.e., Pr[ADE.Dec(pp, sk∅∅ , ctAL DL ) = μ] ≥ 1 − negl(λ). However, when punctured, the additional correctness requirement varies for each variant. Specifically, 1. Standard ADE (sADE). If (AL = AL )∧(DL∩DL = ∅) then Pr[ADE.Dec  AL AL (pp, skAL DL , ctDL ) = μ] ≥ 1 − negl(λ). Otherwise, Pr[ADE.Dec(pp, skDL , ctAL DL ) = μ] ≤ negl(λ). 2. Inclusive ADE (iADE). If ((AL ⊆ AL) ∧ (DL ∩ DL = ∅)) then  AL Pr[ADE.Dec (pp, skAL DL , ctDL ) = μ] ≥ 1 − negl(λ). Otherwise, Pr[ADE.Dec(pp,  AL skAL DL , ctDL ) = μ] ≤ negl(λ). 3. k-threshold ADE (k-tADE). If ((|AL ∩ AL | ≥ k) ∧ (DL ∩ DL = ∅)),  AL then Pr[ADE.Dec(pp, skAL DL , ctDL ) = μ] ≥ 1−negl(λ). Otherwise, Pr[ADE.Dec  AL (pp, skAL DL , ctDL ) = μ] ≤ negl(λ). Note that, in iADE if the equality in AL ⊆ AL happens then we get sADE. Security Notions of ADE Variants. Same as SE and DMIPE, one can define security following the PrE framework. However, we only focus on the notion of selective payload-hiding security for all ADE variants. Definition 3. ADE is selective payload-hiding secure if the advantage of the adversary playing in the ADEsel,ATK payload,A game (in Fig. 4) is negligible or

payload,ATK AdvADE,A,sel := |Pr[b = b] − 1/2| = negl(λ).

GAME ADEsel,ATK payload,A (λ, a, d):

(where ATK ∈ {CPA, CCA1, CCA2}) 1. (AL∗ , DL∗ ) ← A(1λ , 1a , 1d ); λ a d   2. (pp, sk∅ ∅ ) ← ADE.Gen(1 , 1 , 1 ), AL ← ∅, DL ← ∅; ∗ Punc(·,·),DQ(·,·) 3. (μ∗ , μ ) ← A (pp); 1 0 $

∗

∗ ∗ ∗ 4. b ← − {0, 1}, ctAL DL∗ ← ADE.Enc(pp, μb , AL , DL ); ∗ ∗ 5. b ← APun(·,·),DQ(·) (pp, ctAL ). // NOTE: Not allowed DQ(AL , DL , ctAL ∗ DL DL∗ ) with (AL , DL ) ∈ SUCC(AL∗ , DL∗ ); 6. If b = b, return 1. Otherwise, return 0. Queried Oracles: • Puncturing Oracle Pun((AL , DL )) (It is only allowed if (AL , DL ) ∈ / SUCC(AL∗ , DL∗ )): AL Run ADE.Ppun and ADE.Npun in any order using sk∅ ∅ to output skDL . • Decryption Oracle DQ(AL , DL , ctAL DL ) (allowed only if ATK=CCA): Run ADE.Ppun and ADE.Npun AL AL AL in any order using sk∅ ∅ to get skDL . Finally, return the output of ADE.Dec(pp, skDL , ctDL ). ∗ ∗ Define SUCC(AL , DL ) for ADE Variants: • sADE: SUCC(AL∗ , DL∗ ) := {(AL , DL ) : ((AL = AL∗ ) ∧ (DL ∩ DL∗ = ∅))} . • k-tADE: SUCC(AL∗ , DL∗ ) := {(AL , DL ) : ((|AL ∩ AL∗ | ≥ k) ∧ (DL ∩ DL∗ = ∅))} . • iADE: SUCC(AL∗ , DL∗ ) := {(A L, DL ) : ((AL ⊆ AL∗ ) ∧ (DL ∩ DL∗ = ∅))} .

Fig. 4. Selective security for the ADE variants

Spatial Encryption Revisited

7.2

299

Transforming sADE and iADE to SE

Let T (−) , T (+) ⊂ Zq for q prime. Suppose that we have at most a positive tags and d negative tags. i.e., |T (+) | = a and |T (−) | = d involved in the (s/i)ADE. For (AL1 , DL1 ), (AL2 , DL2 ) ∈ T (+) ×T (−) , we say (AL1 , DL1 ) ⊆ (AL2 , DL2 ) if and only if (AL1 ⊆ AL2 )∧(DL1 ⊆ DL2 ). Now, for any pair (AL , DL ) ⊆ T (+) ×T (−) punctured on decryption keys, we will try to encode it as a (possibly affine) subspace V compatible with the SE syntax. On the other hand, for any pair (AL, DL) of positive/negative ciphertext tags, we will try to encode it as a vector v such that v ∈ V iff (AL ⊆ AL) ∧ (DL ∩ DL = ∅). We need the following encodings EncodeInKey and EncodeInCipher to do that: – Wkey ← EncodeInKey(AL , DL ). Do the following: Associate the allow list AL = {p1 , · · · , pk } with a space beginning with (p1 , · · · , pk ) , namely WAL := {(p1 , · · · , pk , xk+1 , · · · , xa ) : xi ∈ Zq } ⊆ Zaq . Obviously, it is easy to see that if AL1 ⊆ AL2 then WAL2 WAL1 . For the deny list DL , compute its complement DL := T (−) \ DL then associate DL with WDL := span{vx : x ∈ DL }, where vx := (1, x, x2 , · · · , x2d−1 ) is a Vandermonde vector. Since adding more tags into DL is equivalent to removing tags from DL , then given DL1 ⊆ DL2 we have WDL2 WDL1 . Output the subspace Wkey which is the direct product of WAL and WDL : Wkey := WAL × WDL . – xct ← EncodeInCipher(AL, DL). Do the following steps: For AL = {p1 , · · · , pk }, associate AL with vector xAL := (p1 , · · · , pk , 0, · · · , 0) ∈ Zaq . Clearly,  if AL ⊆ AL then xAL ∈ WAL . For a list DL, encode it as 2 2d−1 ). We claim that xDL := x∈DL vx ∈ Z2d q , where vx := (1, x, x , · · · , x  / WDL for any DL ∩ DL = ∅ (i.e., DL  DL ). Output vector xDL ∈ . xct := (xAL , xDL ) ∈ Za+2d q We can see that xct ∈ Wkey iff (xAL , xDL ) ∈ WAL × WDL , which is equivalent to (AL ⊆ AL) ∧ (DL ∩ DL = ∅). Therefore, the correctness of (s/i)ADE can be straightforwardly obtained from the correctness of SE. One can easily see that puncturings of (s/i)ADE can be done through delegation of SE.

8

Conclusions and Future Works

We revisit SE towards an efficient lattice-based SE. Along the way, we introduce the new concept of DMIPE. We show that DMIPE is sufficient for building an efficient lattice-based SE. The lattice-based SE is more efficient than some previous lattice-based ones, which follow the generic SE construction from the HIPE. Moreover, DMIPE and SE are equivalent in the sense that there are “security notions-preserving” conversions between them. Although our lattice-based DMIPE is proven to be selectively payloadhiding secure in the standard model, the construction can enjoy selectively weak attribute-hiding security. A possible technical idea might be from Agrawal et al.

300

H. Q. Le et al.

[3]. However, we leave this for future work. Furthermore, an adaptively secure DMIPE construction in the lattice setting is a worthwhile pursuit in the future. Recall that such construction for IPE has been done by [23]. Additionally, an attribute-hiding secure DMIPE construction over lattices should also be interesting for further research. Also, as mentioned before, we leave open the encodings for transforming k-tADE to SE. We think that the idea of threshold gates in Hamburg’s thesis [22, Page 51] can help. However, the Doubly Spatial Encryption (DSE) or another SE variant rather than the original SE (as defined in this paper) might be needed. Acknowledgement. The authors are grateful to anonymous reviewers for their insightful comments. This work is partially supported by the Australian Research Council Linkage Project LP190100984. Huy Quoc Le has been sponsored by a CSIRO Data61 PhD Scholarship and CSIRO Data61 Top-up Scholarship. Josef Pieprzyk has been supported by the Polish National Science Center (NCN) grant 2018/31/B/ST6/03003.

References 1. Abdalla, M., De Caro, A., Mochetti, K.: Lattice-based hierarchical inner product encryption. In: Hevia, A., Neven, G. (eds.) LATINCRYPT 2012. LNCS, vol. 7533, pp. 121–138. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3642-33481-8 7 2. Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5 28 3. Agrawal, S., Freeman, D.M., Vaikuntanathan, V.: Functional encryption for inner product predicates from learning with errors. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 21–40. Springer, Heidelberg (2011). https:// doi.org/10.1007/978-3-642-25385-0 2 4. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, STOC 1996, pp. 99–108. ACM, New York (1996). https://doi.org/10.1145/ 237814.237838 5. Boneh, D., et al.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). https://doi.org/10. 1007/978-3-642-55220-5 30 6. Boneh, D., Hamburg, M.: Generalized identity based and broadcast encryption schemes. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 455–470. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7 28 7. Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7 29 8. Brakerski, Z., Vaikuntanathan, V.: Circuit-ABE from LWE: unbounded attributes and semi-adaptive security. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 363–384. Springer, Heidelberg (2016). https://doi.org/10.1007/9783-662-53015-3 13

Spatial Encryption Revisited

301

9. Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523– 552. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5 27 10. Chen, C., Zhang, Z., Feng, D.: Fully secure doubly-spatial encryption under simple assumptions. In: Takagi, T., Wang, G., Qin, Z., Jiang, S., Yu, Y. (eds.) ProvSec 2012. LNCS, vol. 7496, pp. 253–263. Springer, Heidelberg (2012). https://doi.org/ 10.1007/978-3-642-33272-2 16 11. Chen, J., Lim, H.W., Ling, S., Wang, H.: The relation and transformation between hierarchical inner product encryption and spatial encryption. Des. Codes Crypt. 71(2), 347–364 (2012). https://doi.org/10.1007/s10623-012-9742-y 12. Chen, J., Wee, H.: Doubly spatial encryption from DBDH. Theor. Comput. Sci. 543(C), 79–89 (2014). https://doi.org/10.1016/j.tcs.2014.06.003 13. Cohen, H.: A Course in Computational Algebraic Number Theory. No. Graduate Texts in Mathematics, vol. 138. Springer, Heidelberg (1996). https://doi.org/10. 1007/978-3-662-02945-9 14. Derler, D., Krenn, S., Lor¨ unser, T., Ramacher, S., Slamanig, D., Striecks, C.: Revisiting proxy re-encryption: forward secrecy, improved security, and applications. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10769, pp. 219–250. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5 8 15. Derler, D., Ramacher, S., Slamanig, D., Striecks, C.: Fine-grained forward secrecy: allow-list/deny-list encryption and applications. In: Borisov, N., Diaz, C. (eds.) FC 2021. LNCS, vol. 12675, pp. 499–519. Springer, Heidelberg (2021). https://doi. org/10.1007/978-3-662-64331-0 26 16. Dutta, P., Susilo, W., Duong, D.H., Roy, P.S.: Puncturable identity-based encryption from lattices. In: Baek, J., Ruj, S. (eds.) ACISP 2021. LNCS, vol. 13083, pp. 571–589. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90567-5 29 17. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, STOC 2008, pp. 197–206. ACM, New York (2008). https://doi.org/10.1145/1374376.1374407 18. Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4 5 19. Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng, Y. (ed.) Advances in Cryptology – ASIACRYPT 2002, pp. 548–566. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-25C 34 20. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for finegrained access control of encrypted data. In: Proceedings of the ACM Conference on Computer and Communications Security, pp. 89–98 (2006). https://doi.org/10. 1145/1180405.1180418 21. Green, M.D., Miers, I.: Forward secure asynchronous messaging from puncturable encryption. In: 2015 IEEE Symposium on Security and Privacy, pp. 305–320 (2015). https://doi.org/10.1109/SP.2015.26 22. Hamburg, M.: Spatial encryption. Ph.D. thesis, Stanford University. Cryptology ePrint Archive, Paper 2011/389, July 2011. https://eprint.iacr.org/2011/389 23. Katsumata, S., Nishimaki, R., Yamada, S., Yamakawa, T.: Adaptively secure inner product encryption from LWE. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12493, pp. 375–404. Springer, Cham (2020). https://doi.org/10.1007/ 978-3-030-64840-4 13

302

H. Q. Le et al.

24. Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). https://doi.org/10. 1007/978-3-540-78967-3 9 25. Le, H.Q., Duong, D.H., Susilo, W., Pieprzyk, J.: Spatial encryption revisited: from delegatable multiple inner product encryption and more. Cryptology ePrint Archive, Paper 2022/095 (2022). https://eprint.iacr.org/2022/095. Full version of the paper appeared at ESORICS 2022 26. Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4 43 27. Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-290114 41 28. Okamoto, T., Takashima, K.: Hierarchical predicate encryption for inner-products. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 214–231. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7 13 29. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 84–93 (2009). https://doi.org/10.1145/1568318.1568324 30. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7 5 31. Shor, P.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings 35th Annual Symposium on Foundations of Computer Science, pp. 124–134 (2002). https://doi.org/10.1109/sfcs.1994.365700 32. Susilo, W., Duong, D.H., Le, H.Q., Pieprzyk, J.: Puncturable encryption: a generic construction from delegatable fully key-homomorphic encryption. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds.) ESORICS 2020. LNCS, vol. 12309, pp. 107–127. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-59013-0 6 33. Tsabary, R.: Fully secure attribute-based encryption for t-CNF from LWE. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 62–85. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7 3 34. Xagawa, K.: Improved (hierarchical ) inner-product encryption from lattices, pp. 235–252 (2015). https://eprint.iacr.org/2015/249. Full version of the paper appeared at PKC 2013 35. Zhou, M., Cao, Z.: Spatial encryption under simpler assumption. In: Pieprzyk, J., Zhang, F. (eds.) ProvSec 2009. LNCS, vol. 5848, pp. 19–31. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04642-1 4

Public Key Authenticated Encryption with Keyword Search from LWE Leixiao Cheng1,2 and Fei Meng3,4(B) 1

2

School of Mathematics, Shandong University, Jinan 250100, China School of Cyber Science and Technology, Shandong University, Qingdao, China 3 Yanqi Lake Beijing Institute of Mathematical Science and Applications, Beijing, China mengfei [email protected] 4 Yau Mathematical Sciences Center, Tsinghua University, Beijing, China

Abstract. Public key encryption with keyword search (PEKS) inherently suffers from the inside keyword guessing attack. To resist against this attack, Huang et al. proposed the public key authenticated encryption with keyword search (PAEKS), where the sender not only encrypts a keyword, but also authenticates it. To further resist against quantum attacks, Liu et al. proposed a generic construction of PAEKS and the first quantum-resistant PAEKS instantiation based on lattices. Later, Emura pointed out some issues in Liu et al.’s construction and proposed a new generic construction of PAEKS. The basic construction methodology of Liu et al. and Emura is the same. In this paper, we first analyze the schemes of Liu et al. and Emura, and point out some issues regarding their construction and security model. In short, in their lattice-based instantiations, the sender and receiver use a lattice-based word independent smooth projective hash functions (SPHF) to compute the same shared key to authenticate keywords, leading to a super-polynomial modulus q; their generic constructions need a trusted setup assumption or the designated-receiver setting; Liu et al. failed to provide convincing evidence that their scheme satisfies their claimed security. Then, we propose two new lattice-based PAEKS schemes with totally different construction methodology from Liu et al. and Emura. Specifically, in our PAEKS schemes, instead of using the shared key calculated by SPHF, the sender and receiver achieve keyword authentication by using their own secret key to sample a set of short vectors related to the keyword. In this way, the modulus q in our schemes could be of polynomial size, which results in much smaller size of the public key, ciphertext and trapdoor. In addition, our schemes need neither a trusted setup assumption nor the designated-receiver setting. Finally, our schemes can be proven secure in stronger security model, and thus provide stronger security guarantee for both ciphertext privacy and trapdoor privacy. The full version is available at https://eprint.iacr.org/2022/1016. This work is supported by the National Key Research and Development Program of China (Grant No. 2021YFB3100200). c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 303–324, 2022. https://doi.org/10.1007/978-3-031-17140-6_15

304

L. Cheng and F. Meng Keywords: Public key authenticated encryption Inside keyword guessing attack · LWE

1

· Keyword search ·

Introduction

Boneh et al. [7] proposed the first public key encryption with keyword search (PEKS) scheme. In PEKS, the sender encrypts ciphertext keyword ck as ciphertext Ct and uploads Ct along with encrypted files to the cloud server; to retrieve encrypted files containing the specific target keyword tk, the receiver generates the trapdoor T r of tk and submits T r to the server; For each Ct in the cloud, the server runs the test algorithm to check whether Ct and T r embed with the same keyword. If so, it returns the encrypted files corresponding to Ct to the receiver. The security of the PEKS system [7] requires that an attacker cannot derive any information of the ciphertext keyword from the ciphertext. Later, Byun et al. [8] showed the inherent weakness of PEKS, that is, the information of target keyword in trapdoor could be extracted by the keyword guessing attack (KGA). In detail, given a trapdoor T r, an attacker launches this attack as follows: (1) It picks a guessing keyword gk and encrypts gk as ciphertext Ctgk ; (2) It runs the test algorithm to check whether T r and Ctgk contain the same keyword. If so, it returns gk; otherwise, it returns to step (1). As discussed in [8], in practical applications, the keyword space usually has low entropy. For example, there are only 225,000 words in Merriam-Webster’s collegiate dictionary [25]. Hence, KGA is feasible in real-world scenarios. If the KGA is launched by the server itself, we call it inside KGA (IKGA). To resist against the IKGA, Huang et al. [15] proposed the public key authenticated encryption with keyword search (PAEKS). In the PAEKS system, the sender (resp., receiver) encrypts and authenticates the ciphertext keyword ck (resp., target keyword tk) with the public key of both parties and its own secret key to obtain the ciphertext Ct (resp., trapdoor T r). The server runs the test algorithm to check if Ct and T r embed with the same keyword and if so, returns the encrypted file indexed by Ct to the receiver. The novelty of the PAEKS system is that the sender not only encrypts the ciphertext keyword but also uses his own secret key SKS to authenticate it, so that the server is unable to generate a valid ciphertext to issue IKGA. The basic security model of the PAEKS scheme [15] requires ciphertext indistinguishability (CI security) and trapdoor indistinguishability (TI security). However, some recent results have shown that this basic security model can be enhanced. In specific, Noroozi et al. [19] found that [15] is insecure in the multi-user setting; Qin et al. [21] found that [15] does not satisfy the multiciphertext indistinguishability (MCI security). Pan et al. [20] claimed that they propose a PAEKS scheme with both MCI security and multi-trapdoor indistinguishability (MTI security) in the one-user setting. However, Cheng et al. [10] found that Pan et al.’s MCI security is broken and the proof of MTI security has a serious mistake. Later, Qin et al. [22] proposed a PAEKS scheme with TI security and cipher-keyword indistinguishability against fully chosen keyword to

PAEKS from LWE

305

cipher-keyword attacks (fully CI security). In general, for ciphertext privacy, the security model of PAEKS has been enhanced from the CI security to MCI security, and further to fully CI security. However, when it comes to trapdoor privacy, it is still stagnant, failing to achieve any improvement beyond TI security. All aforementioned PAEKS schemes are vulnerable to quantum attacks [24]. Recently, Zhang et al. [26,27] proposed two lattice-based PEKS schemes and claimed that these schemes are resistant to IKGA. Liu et al. [16] proposed a generic construction of PAEKS scheme. But Liu et al. [17] found that neither [26] nor [27] is resistant to IKGA, and that [16] does not follow the syntax of PAEKS since it needs a trusted authority to help users generate their secret keys. Besides, Liu et al. [17] introduced a new generic construction of PAEKS by adopting a word-independent smooth project hash function (SPHF) [12] and a PEKS as building blocks. Furthermore, they proposed a lattice-based PAEKS instantiation by employing the SPHF [6] and PEKS [5], claiming that it was the first quantum-resistant PAEKS scheme with MCI and MTI security. Later, Emura [13] proposed another generic construction of PAEKS scheme. The construction methodology of Liu et al. [17] and Emura [13] is the same, i.e., each keyword is converted into an extended keyword using the shared key calculated by word-independent SPHF, and PEKS is used for the extended keyword. 1.1

Our Contributions

In this paper, we propose two lattice-based PAEKS schemes. Our contributions are reflected in the following three aspects: – We use totally different techniques to authenticate keyword in the construction of lattice-based PAEKS scheme. Specifically, in previous lattice-based PAEKS schemes [13,17], the sender and receiver need to calculate the same shared key using word independent SPHF to authenticate keywords, which leads to a super-polynomial modulus q (see Sect. 4). Instead, in our PAEKS schemes, the secret key of the sender (resp., receiver) is a short basis, and the sender (resp., receiver) uses his own short basis to sample a set of short vectors related to the keyword to achieve keyword authentication. In this way, q = poly(λ) suffices for the correctness and security analysis of our schemes, which results in much smaller size of public key, ciphertext and trapdoor. – Our schemes do not require a trusted setup assumption to ensure security. Furthermore, our schemes do not need to apply the designated-receiver setting, where the sender needs to generate a unique public/secret key pair for each designated receiver and the computational and storage burden of the sender scales linearly with the total number of designated-receivers. Therefore, in our schemes, the sender avoids heavy key storage burden. – Our schemes can be proven secure in stronger security models (see Sect. 3.2). Specifically, our first scheme achieves the selective version of fully CI security and target-keyword indistinguishability against fully chosen keyword to target-keyword attacks (fully TI security) in the one-user setting under the standard model; our second scheme can be proven fully CI and fully TI secure

306

L. Cheng and F. Meng

in multi-user setting under the random oracle model. Compare with existing PAEKS schemes, our schemes provide stronger security guarantee for both ciphertext privacy and trapdoor privacy. 1.2

Technical Overview

In a PAEKS system, the sender (resp., receiver) not only encrypts a ciphertext keyword (resp., target keyword), but also authenticates it. In the previous PAEKS schemes [13,17,21,22], the sender and receiver would implicitly run an one-round key exchange protocol to calculate the shared key K (using both parties’ public keys and their own secret key) for keyword authentication and encryption. Specifically, for those pairing-based PAEKS schemes [21,22], the sender and receiver compute the shared key K using the well-known DiffieHellman key exchange, and then directly use K to encrypt and authenticate the keyword. For those lattice-based PAEKS instantiations [13,17], the sender and receiver use the word independent SPHF [6] to calculate the same shared key K, and authenticate the keyword by expanding the keyword with K, then PEKS [5] is used for the expanded keyword. Unfortunately, computing the shard key via lattice-based SPHF leads to a super-polynomial modulus q (see Sect. 4 for details). Technically speaking, our new lattice-based PAEKS schemes use totally different construction methodology from previous PAEKS schemes [13,17,21,22]. In our scheme, the sender and receiver no longer calculate the shared key to encrypt and authenticate keywords. Our intuition is to use a variant of the lattice-based anonymous identity-based encryption (IBE) [1] to achieve encryption and authentication. In detail, for keyword encryption, we treat the keyword as an identity and encrypt it by running the encryption algorithm of the IBE scheme. For keyword authentication, we take the user’s secret key and keyword as the master secret key and identity in IBE, respectively, then authenticate the keyword by running the key generation algorithm of the IBE scheme. Consequently, the modulus q in our schemes could be of polynomial size. Following the above methodology, we construct our lattice-based PAEKS scheme as follows. First of all, the sender and receiver respectively run the setup algorithm of IBE to generate the sender’s public/secret key pair as P KS = (A, Aw , US )/SKS = TA and the receiver’s public/secret key pair as P KR = , US ← Zn×n , TA and TB (B, Bw )/SKR = TB , where A, Aw , B, Bw ← Zn×m q q are short bases. Then, the PAEKS, Trapdoor and Test algorithms are as follows: PAEKS. Given P KR , P KS , SKS and a ciphertext keyword ck, the sender does 1. Ciphertext keyword encryption. Cu = U S SS + errorS ,

Cck = (ABAw + H(ck)G) SS + errorS .

2. Ciphertext keyword authentication. Use the sender’s secret key TA to generate a matrix ES such that each column of ES is a short vector and [ABBw + H(ck)G]ES = US . Finally, output the PAEKS ciphertext as Ct = (Cu , Cck , ES ).

PAEKS from LWE

307

Trapdoor. Given P KR , P KS , SKR and a target keyword tk, the receiver does 1. Target keyword encryption. Tu = U S SR + errorR ,

Ttk = (ABBw + H(tk)G) SR + errorR .

2. Target keyword authentication. Use the receiver’s secret key TB to generate a matrix ER such that each column of ER is a short vector and [ABAw + H(tk)G]ER = US . Finally, output the PAEKS trapdoor as T r = (Tu , Ttk , ER ). Test. Given Ct = (Cu , Cck , ES ) and T r = (Tu , Ttk , ER ), if ck = tk, then the server can check that each entry in Cu (resp., Tu ) is close to the corresponding  entry in E R Cck (resp., ES Ttk ), i.e.,     (Cu = U S SS + errorS ) ≈ (ER Cck = US SS + ER · errorS ),     (Tu = U S SR + errorR ) ≈ (ES Ttk = UR SS + ER · errorR ).

Unfortunately, so far, the above PAEKS construction can provide neither ciphertext privacy nor trapdoor privacy. In details, given Ct = (Cu , Cck , ES ), (Cu , Cck ) will not leak the information of ck, since the underlying IBE [1] satisfies ciphertext anonymity, i.e., an attacker cannot extract the id from the ciphertext without the secret key corresponding to id. However, ES cannot hide ck, since [1] doesn’t achieve secret key anonymity. In other words, an attacker can extract the id from the corresponding secret key. Specifically, the attacker picks a guessing keyword ck  , then decides whether the guess is correct by checking if [ABBw + H(ck  )G]ES = US . ?

(1)

For the same reason, ER in trapdoor T r cannot hide the target keyword tk. It seems that if the underlying lattice-based IBE achieves both ciphertext anonymity and secret key anonymity, then ES (resp., ER ) will not expose ck (resp., tk). Unfortunately, we are not aware of any lattice-based IBE providing both properties. In fact, there is an inherent conflict between secret key anonymity of IBE and the public key setting: given an IBE secret key skid of id, an attacker can pick a guessing identity id and generate the guessing IBE ciphertext ctid under id using public parameter, then decrypt ctid by using skid . If the decryption succeeds, then the attacker knows that id = id . Now, in order to hide ck (resp., tk) in ES (resp., ER ), we try to make the attacker lose the ability to guess keywords using Eq. (1), as shown below: PAEKS. The sender generates Cu , Cck as above, then samples ES such that [ABBw + H(ck)G]ES = Cu . Finally, it erases Cu and outputs the PAEKS ciphertext as Ct = (Cck , ES ). Trapdoor. The receiver generates Tu , Ttk as above, then samples ER such that [ABAw + H(tk)G]ER = Tu . Finally, it erases Tu and outputs the PAEKS trapdoor as T r = (Ttk , ER ).

308

L. Cheng and F. Meng

Test. Given Ct = (Cck , ES ) and T r = (Ttk , ER ), if ck = tk, the server can  check that each entry in E R Cck is close to the corresponding entry in Ttk ES , since    T  E R Cck ≈ ER · (ABAw + H(ck)G) SS ≈ SR US · SS ,      T tk ES ≈ SR (ABBw + H(tk)G) · ES ≈ SR · US SS . In this way, because Cu (resp., Tu ) is kept secret from the attacker, he/she can no longer extract ck (resp., tk) from ES (resp., ER ) by picking a guessing ciphertext keyword ck  (resp., guessing target keyword tk  ) and checking whether   ? ? [ABBw + H(ck  )G]ES = Cu resp., [ABBw + H(tk  )G]ER = Tu . So far, we have introduced the main idea of our lattice-based PAEKS schemes. In our concrete PAEKS schemes in Sect. 5 and Sect. 6, we will choose two matrices DA , DB ∈ Zn×m additionally, and add DA into P KS and DB into P KR q respectively. Meanwhile, the ciphertext and trapdoor will be modified accordingly. These additional matrices serve for the security proof of our schemes.

2

Preliminaries

For a vector t, let t denote its 2 norm. For a matrix T ∈ Zn×m , let T[i, j] denote its (i, j)-th entry, let T denote the maximum length of its  denote its Gram-Schmidt orthogonalization, and let column vectors, let T s1 (T) := supu =1 Tu. Let [AB] and [A; B] denote horizontal and vertical concatenation of vector and/or matrices, respectively. Let DΛ,σ represent the standard discrete Gaussian distribution over Λ with Gaussian parameter σ. Background on Lattices. Let B = {b1 · · · bm } ⊂ Rm consist of m linearly independent vectors. The m-dimensional full-rank lattice Λ generated by the m basis B is the set Λ = L(B) := { i=1 xi bi | xi ∈ Z}. For any integers n, m and m and a vector u ∈ Znq , we define L⊥ q ≥ 2, a matrix A ∈ Zn×m q q (A) := {z ∈ Z : u m A · z = 0n mod q} and Lq (A) := {z ∈ Z : A · z = u mod q}. Lemma 1 ([14]). Λ is an m-dimensional lattice and T is its basis. Assume  · ω(√log m), then Pr[x > σ √m : x ← DΛ,σ ] ≤ negl(m). σ ≥ T Lemma 2. Let n, m, q > 0 be positive integers with q a prime, – [2, 3, 18] there’s a PPT algorithm TrapGen that when m ≥ 6n log q, outputs a pair (A, TA ) ∈ Zn×m ×Zm×m such that A is full rank and statistically close q √  to uniform and TA is a basis for Λ⊥ q (A) satisfying TA  = O( n log q). such – [18] when m ≥ n log q, there exists a fixed full rank matrix G ∈ Zn×m √ q ⊥ m×m  with TG  ≤ 5. that the lattice Λq (G) has a basis TG ∈ Z

PAEKS from LWE

309

The algorithms in the following lemma can be extended from a vector u to a matrix U by processing each column of U separately then combining the results. Lemma 3. Let integers q > 2 and m > n, then we have – [14] a PPT algorithm SamplePre(A, TA , u, σ) that inputs a full rank matrix n , a basis TA ∈ Zm×m of Λ⊥ A ∈ Zn×m q q (A), a vector u ∈ Zq , and a Gaus√ m  distributed sian parameter σ > T A  · ω( log m), outputs a vector e ∈ Z statistically close to DΛuq (A),σ . – [1] a PPT algorithm SampleLeft(A, B, u, TA , σ) that inputs a full rank matrix ¯ , a matrix B ∈ Zqn×m , a vector u ∈ Znq , a basis TA ∈ Zm×m of A ∈ Zn×m q  ¯ outputs a Λ⊥ q (A), and a Gaussian parameter σ > TA  · ω( log(m + m)), ¯ distributed statistically close to DΛuq ([AB]),σ . vector e ∈ Zm+m – [1] a PPT algorithm SampleRight(A, B, R, u, TB , σ) that inputs matrices , where B is full rank, a matrix R ∈ Zm×m , a vector u ∈ Znq , a A, B ∈ Zn×m q q √  basis TB of Λ⊥ q (B), and a Gaussian parameter σ > TB  · s1 (R) · ω( log m), outputs e ∈ Z2m distributed statistically close to DΛuq ([AAR+B]),σ . Lemma 4 ([9]). There is an efficient algorithm SampleRwithBasis(A, σ) → (R, TA·R−1 ) that takes as input a full rank matrix A ∈ Zn×m and a Gausq √ √ sian parameter σ ≥ n log q · ω( log m), outputs an Zq -invertible matrix R ∈ Zm×m sampled from a distribution statistically close to Dm×m , and a basis −1 ), σ). TA·R−1 ∈ Zm×m distributed statistically close to D(Λ⊥ q (A · R The following lemma can be obtained by generalizing Lemma 13 in [1]. Lemma 5 (leftover hash lemma [1]). Let H = {h : X → Y }h∈H be a universal hash family. Let f : X → Z be some function. Let UY denote a uniform independent random variable in Y . Let T1 , . . . , Tk be independent random variables taking values in X, let γ := maxki=1 (maxti Pr[Ti = ti ]), (1)

(k)

then (h, h(T1 ), f (T1 ), . . . , h(Tk ), f (Tk )) ; (h, UY , f (T1 ), . . . , UY , f (Tk )) ≤ k n) log q+ω(log n), 2 · γ · |Y | · |Z|. Specifically, suppose q > 2 is prime, m > (n+¯ , Zn×k , k = poly(n). Let A, B, R be matrices chosen uniformly from Zn×m q q m×k mׯ n mod q, respectively. For all matrices W in Zq , the distribution {−1, 1} (A, AR, R W) is statistically close to the distribution (A, B, R W). m×k Lemma 6. Let R be a m × k matrix chosen at random from , then √ {−1, 1} −m there exists a universal constant C such that Pr[s1 (R) > C m + k] < e .

We use an encoding function to map keywords in Znq to matrices in Zn×n . q Definition 1 ([1,11]). Let q be a prime and n a positive integer. A function H : Znq → Zn×n is a full-rank difference (FRD) map if: for all distinct x, y ∈ Znq , q the matrix H(x) − H(y) is full rank and H is computable in polynomial time.

310

L. Cheng and F. Meng

Learning with Errors (LWE) Assumption. For an α ∈ (0, 1) and a prime q, let Ψ¯α denote the distribution over Zq of the random variable qX mod q, where X is a normal random variable with mean 0 and standard deviation √α2π . Assumption 1 √ ([4,23]). Consider a prime q, integers n, n ¯ , m, a real α ∈ (0, 1) such that αq > 2 n, and a PPT algorithm A, the advantage for the LWE problem LWEn,¯n,m,q,α of A is defined as |Pr[A(A, A S + E) = 1] − Pr[A(A, V) = 1]|, n , S ← Ψ¯αnׯn , E ← Ψ¯αmׯn , V ← Zmׯ . The LWE assumption where A ← Zn×m q q holds if the above advantage is negligible for all PPT A. Lemma 7 ([1]). Let t be some vector in Zm and let x ← Ψ¯αm , then the quantity √ t x treated as an integer in [0, q −1] satisfies |t x| ≤ tqαω(log m)+t m/2 with all but negligible probability in m.

3 3.1

System and Security Models of PAEKS System Model of PAEKS

– Setup(1λ ) → P P : Given a security parameter λ, the algorithm generates the global public parameter P P . – KeyGenS (P P ) → (P KS , SKS ): Given P P , the sender runs this algorithm to generate its public/secret key pair (P KS , SKS ). – KeyGenR (P P ) → (P KR , SKR ): Given P P , the receiver runs this algorithm to generate its public/secret key pair (P KR , SKR ). – PAEKS(P KR , P KS , SKS , ck) → Ct: Given P KR , P KS , SKS and a ciphertext keyword ck, the sender generates the ciphertext Ct embedded with ck. – Trapdoor(P KR , P KS , SKR , tk) → T r: Given P KR , P KS , SKR and a target keyword tk, the receiver generates the trapdoor T r of tk. – Test(Ct, T r) → 0 or 1: Given Ct, T r, the server runs this algorithm to check whether Ct and T r contain the same keyword. If so, it outputs 1; else 0. 3.2

Security Model of PAEKS

We introduce two security models for PAEKS. The first model that captures ciphertext privacy, i.e., the ciphertext indistinguishability against fully chosen keyword to cipher-keyword attacks (fully CI security), is defined by [22]. The second model that captures trapdoor privacy, i.e., the trapdoor indistinguishability against fully chosen keyword to target-keyword attacks (fully TI security), was roughly mentioned in [22], and here we formally define it. Fully CI Security – Setup: Given a security parameter, the challenger C runs the Setup algorithm to generate P P , then runs KeyGenS , KeyGenR to generate the challenge sender’s key pair (P KS , SKS ) and the challenge receiver’s key pair (P KR , SKR ) respectively, finally sends P P , P KS , P KR to A.

PAEKS from LWE

311

– Phase 1: A can submit polynomial queries to the ciphertext oracle OC and the trapdoor oracle OT as follows.  OC : Given a receiver’s public key P K R (not necessarily the challenge receiver’s public key P K R ) and a ciphertext keyword ck, C returns to  A with the ciphertext Ct ← PAEKS(P K R , P KS , SKS , ck).  OT : Given a sender’s public key P K S (not necessarily the challenge sender’s public key P K S ) and a target keyword tk, C returns to A with the trap K S , SKR , tk). door T r ← Trapdoor(P KR , P – Challenge: A chooses two challenge ciphertext keywords ck0∗ and ck1∗ with the restriction that neither (P KS , ck0∗ ) nor (P KS , ck1∗ ) has been queried on OT . Then, C picks a bit θ ∈ {0, 1} randomly, and returns to A with the challenge ciphertext Ct∗ ← PAEKS(P KR , P KS , SKS , ckθ∗ ). – Phase 2: It is the same as Phase 1 with the restriction mentioned in the Challenge phase. – Output: A outputs a guess bit θ for θ. If θ = θ, then

A wins. A’s advantage



F ullyCI in winning the game is defined as AdvA (λ) = Pr[θ = θ] − 12 . Definition 2. If no PPT adversary can win the above fully CI security game with a non-negligible advantage, then the PAEKS scheme is fully CI secure. Fully TI Security – Setup: It is the same as Setup phase in the fully CI security game. – Phase 1: It is the same as Phase 1 in the fully CI security game. – Challenge: The adversary A chooses two challenge keywords tk0∗ and tk1∗ with the restriction that neither (P KR , tk0∗ ) nor (P KR , tk1∗ ) has been queried on OC . Then, the challenger C picks a bit θ ∈ {0, 1} randomly, and sends to A the challenge trapdoor T rθ∗ ← Trapdoor(P KR , P KS , SKR , tkθ∗ ). – Phase 2: It is the same as Phase 1 with the restriction mentioned in the Challenge phase. – Output: A outputs a guess bit θ for θ. If θ = θ, then

A wins. A’s advantage



F ullyT I (λ) = Pr[θ = θ] − 12 . in winning the game is defined as AdvA Definition 3. If no PPT adversary can win the above fully TI security game with a non-negligible advantage, then the PAEKS scheme is fully TI secure.   One/Multi-user Setting. If we limit P K R = P KR and P K S = P KS in the above security games, i.e., the adversary can only obtain ciphertexts from the challenge sender to the challenge receiver by oracle OC and trapdoors from the challenge receiver to the challenge sender by oracle OT , then we call it the one-user setting; Otherwise, we call it the multi-user setting. Selectively Fully CI/TI Security. If the adversary A has to initiate the challenge ciphertext keywords ck0∗ and ck1∗ (resp., challenge target keywords tk0∗ and tk1∗ ) in the setup phase before being given P P in the fully CI (resp., fully TI) security game, we call it selectively fully CI (resp.,selectively fully TI) security.

312

L. Cheng and F. Meng

CI/TI, MCI/MTI Security. The CI security is similar to the fully CI security, except that the adversary can submit neither (P K R , ck0∗ ) nor (P K R , ck1∗ ) to the oracle OC . If the adversary is allowed to submit two challenge keyword tuples ∗ ∗ )i∈[1,I] and (ck1,i )i∈[1,I] instead of two challenge keywords ck0∗ , ck1∗ in the (ck0,i CI security model, then it is called the MCI security. Similarly, the TI security and MTI security can be defined. Relation Between Fully CI/Fully TI and MCI/MTI Security. As it was shown in [22], the fully CI security implies the MCI security. Similarly, it can be proved that the fully TI security implies the MTI security.

4

Analysis of Liu et al. [17] and Emura [13]

Both Liu et al. [17] and Emura [13] provided generic constructions for the PAEKS scheme. The basic methodology of [17] and [13] is the same, i.e., each keyword is converted into an extended keyword using the shared key calculated by the word-independent SPHF, and PEKS is used for the extended keyword1 . In this section, we analyze the issues in [17] and [13] from the perspective of the modulus q in the lattice-based instantiations, system model, and security model. Modulus q in the Lattice-Based Instantiations. In the lattice-based instantiations of Liu et al. [17] and Emura [13], in order for the sender and receiver to correctly compute the same shared key using word-independent SPHF, the modulus q should be super-polynomial. The details are as follows. In [17], the instantiation uses the word-independent SPHF (with approximate correctness) based on LWE in [6] to compute the shared key. Specifically, let R(x) = 2x/q mod 2 be √ a deterministic rounding function, let m = O(n log q), √ , let √ t = mn · ω( log n), let s ≥ η (Λ⊥ (Au )) for some = let Au ∈ Zn×m q m , negl(n), take s = O( n) (see Lemma 2.11 [6]). The sender picks kS ← DZ,s n m sS,i ← Zq , eS,i ← DZ,t , and computes part of its public/secret key pair as   pkS = pS = ATu kS , {cS,i = Au · sS,i + eS,i }i , skS = (kS , {sS,i }i ) . m m The receiver picks kR ← DZ,s , sR,i ← Znq , eR,i ← DZ,t , and computes part of its public/secret key pair as   pkR = pR = Au kR , {cR,i = ATu · sR,i + eR,i }i , skR = (kR , {sR,i }i ) .

Then, in the PAEKS algorithm, for i = 1, . . . , κ, the sender computes  hS,i ← R(c R,i · kS mod q), pS,i ← R(sS,i · pR mod q),

and yS,i = hS,i · pS,i , then sets y S = yS,1 yS,2 · · · yS,κ ∈ {0, 1}κ as the shared key. In the Trapdoor algorithm, for i = 1, . . . , κ, the receiver computes  hR,i ← R(c S,i · kR mod q) and pR,i ← R(sR,i · pS mod q). 1

The difference is that Liu et al. use SPHF twice, while Emura uses SPHF once.

PAEKS from LWE

313

and yR,i = hR,i · pR,i , then sets y R = yR,1 yR,2 · · · yR,κ ∈ {0, 1}κ as the shared key. Note that      c R,i · kS = (sR,i Au + eR,i ) · kS = sR,i · pS + eR,i · kS ≈ sR,i · pS ,      c S,i · kR = (sS,i Au + eS,i ) · kR = sS,i · pR + eS,i · kR ≈ sS,i · pR ,  where kR , kS , eS,i , eS,i are short vectors, s R,i ·pS and sS,i ·pR are almost uniform over Zq . Therefore, hS,i = pR,i and hR,i = pS,i hold except with probability  ≈2|e R,i · kS |/q and ≈2|eS,i · kR |/q, respectively. Here √ √  1.5 n · ω( log n)). |e R,i · kS |, |eS,i · kR | ≤ 2t m · s m ≤ O(m

The sender and receiver must calculate the same shared key with overwhelming probability, otherwise the correctness of the scheme fails. Therefore, it requires that hS,i = pR,i and pS,i = hR,i for each i ∈ [1, κ], except with negligible ˆ = Θ(λ)). That is, probability (i.e., 2−ˆn for some n √  2|e O(m1.5 n · ω( log n)) R,i · kS | 2|eS,i · kR | , ≤ ≤ 2−ˆn . q q q Hence, [17]’s instantiation requires an extra parameter constraint q ≥ 2nˆ · O(m1.5 n · ω( log n)).

(2)

Therefore, q is super-polynomial in the security parameter λ because n ˆ = Θ(λ). Emura [13] didn’t give a specific instantiation, but claimed that it’s feasible to initiate with the word-independent SPHF (with statistical correctness) based on LWE in [6]. However, as it was claimed in [6],“We remark that our wordindependent SPHF uses a super-polynomial modulus q to get statistical correctness. It seems hard to construct such an SPHF for a polynomial modulus, as a word-independent SPHF for an IND-CPA encryption scheme directly yields a one-round key exchange and we do not know of any lattice-based one-round key exchange using a polynomial modulus”. System Model. In the previous PAEKS system model [15,19,21,22], the Setup algorithm is defined by inputting a security parameter, and outputting the public parameter P P . The key generation algorithm GenKeyS (resp., GenKeyR ), which takes P P as input, is defined to generate sender’s (resp., receiver’s) key pair. However, as shown in [13], Liu et al. [17] needs a completely trusted Setup to run the key generation algorithm of a public key encryption (pkPKE , dkPKE ) ← PKE.KeyGen(1λ ), then only outputs pkPKE and “erases” dkPKE , otherwise dkPKE can be used to break the underlying membership problem. To avoid the trusted setup assumption, Emura [13] adopted the designated-receiver setting, where the sender inputs a receiver’s public key to generate its own public/secret key pair. In this case, the sender needs to generate and store a corresponding public/secret key pair for each designated receiver. Thus, the computation and storage burden of the sender scales linearly with the number of designated receivers.

314

L. Cheng and F. Meng

Security Model. In Theorem 3.3 of Liu et al. [17], they claimed that a PAEKS with CI and TI security achieves MCI (resp. MTI) security if its PAEKS (resp. Trapdoor) algorithm is probabilistic. However, Emura [13] showed that probabilistic Trapdoor algorithm is not sufficient to support MTI security and hence Liu et al. [17] did not provide a convincing proof to the MTI security of their scheme. This is because probabilistic Trapdoor algorithm does not guarantee trapdoor unlinkability that hides information whether two trapdoors contain the same keyword or not. In fact, Liu et al. [17] failed to provide a convincing proof for the MCI security as well. Similarly, probabilistic PAEKS algorithm is only a necessary condition for achieving MCI security, but not a sufficient condition, since it cannot support ciphertext unlinkability that hides the information whether two ciphertexts contain the same keyword or not. For example, the PAEKS scheme [15] with CI security has a probabilistic PAEKS algorithm, but [21] has proved that [15] cannot achieve MCI security.

5

Our First PAEKS Scheme

Now, we construct our first lattice-based PAEKS scheme that can be proven selectively fully CI/TI secure under the one-user setting in the standard model. Setup(λ): On input a security parameter λ, this algorithm sets the primitive matrix G with the public trapdoor TG (see Lemma 2), chooses a full-rank , sets the parameters n, m, q, α, σ as specified difference map H : Znq → Zn×n q in Sect. 5.1. Then, it returns P P = {n, m, q, α, σ, H, G}. KeyGenS (P P ) → (P KS , SKS ): On input P P , the sender goes as follows. 1. Run (A, TA ) ← TrapGen(n, m, q). 2. Choose US ← Zn×n and DA , Aw ← Zn×m . q q 3. Return P KS = (A, US , DA , Aw ) and SKS = TA . KeyGenR (P P ) → (P KR , SKR ): On input P P , the receiver goes as follows. 1. Run (B, TB ) ← TrapGen(n, m, q). . 2. Choose DB , Bw ← Zn×m q 3. Return P KR = (B, DB , Bw ) and SKR = TB . PAEKS(P KR , P KS , SKS , ck) → Ct: On input P KR , P KS , SKS and a ciphertext keyword ck, the sender picks SS ← Ψ¯αn×lS and works as follows. 1. Compute Ca = A SS + EA , where EA ← Ψ¯αm×lS . m×m 2. Compute Cb = B SS + R . B EA , where RB ← {−1, 1}  m×m S + R E , where R ← {−1, 1} . 3. Compute Cd = D D A S D A   4. Compute Cw = [Aw + H(ck)G] SS + RA,w EA , where RA,w ← {−1, 1}m×m . ¯ n×lS . 5. Compute Cu = U S SS + EU , where EU ← Ψα 6. Sample ES ← SampleLeft(A, BDB [Bw + H(ck)G], Cu , TA , σ) such that ES ∈ Z4m×lS and [ABDB Bw + H(ck)G]ES = Cu . 7. Return Ct = (Ca , Cb , Cd , Cw , ES ) as the ciphertext. Trapdoor(P KR , P KS , SKR , tk) → T r: Given P KR , P KS , SKR and a trapdoor keyword tk, the receiver picks SR ← Ψ¯αn×lR , then works as follows.

PAEKS from LWE

315

Compute Ta = A SR + EA , where EA ← Ψ¯αm×lR .   m×m . Compute Tb = B SR + R B EA , where RB ← {−1, 1}     Compute Td = DB SR + RD EA , where RD ← {−1, 1}m×m .   Compute Tw = [Bw + H(tk)G] SR + R B,w EA , where RB,w ← m×m {−1, 1} . 5. Compute Tu = US SR + EU , where EU ← Ψ¯αn×lR . 6. Sample ER ← SampleLeft(B, ADA [Aw + H(tk)G], TU , TB , σ) such that ER ∈ Z4m×lR and [BADA Aw + H(tk)G]ER = Tu . 7. Return T r = (Ta , Tb , Td , Tw , ER ) as the trapdoor. Test(Ct, T r): Given Ct and T r, the server computes R = E R [Cb ; Ca ; Cd ; Cw ] −    T T T ]E and checks whether |R[i, j]| < q/4 for each i ∈ [1, lR ], [T S a w b d j ∈ [1, lS ]. If so, it returns 1, otherwise 0. 1. 2. 3. 4.

5.1

Correctness and Parameter Selection

If ck = tk, then we have     R = E R [Cb ; Ca ; Cd ; Cw ] − [Ta Tb Td Tw ]ES    = E R [BADA Aw + H(ck)G] SS + ER [RB IRD RA,w ] EA    − S R [ABDB Bw + H(tk)G]ES − EA [IRB RD RB,w ]ES       = T u SS − SR Cu + ER [RB IRD RA,w ] EA − EA [IRB RD RB,w ]ES    = S R US SS − SR US SS + error = error,      error = E R [RB IRD RA,w ] EA − EA [IRB RD RB,w ]ES + EU SS    −S R EU )[i, j] | ≤  6, 7, we have | (EU SS)[i, j] |, |(S √ R EU2. By Lemmas 1, 3,   [i, j]|, | E n(αq) ω(log n), and | E [R IR R ] E B D A,w A R A [IRB RD   RB,w ]ES [i, j]| ≤ σ · mqαω(log m) + O(σm3/2 ). Therefore, |error[i, j]| ≤ σmqαω(log m) + O(σm3/2 ) for every i ∈ [1, lR ], j ∈ [1, lS ]. To satisfy the correctness and make the security proof work, we need that

(1) (2) (3) (4) (5)

σmqαω(log m) + O(σm3/2 ) ≤ q/4 for correctness, m ≥ 6n log √ q to ensure TrapGen works and TG exists (Lemma 2), of LWE (Assumption 1), αq > 2 n for the hardness √ σ > O(n log q) · ω( log 4m) for SampleLeft, SampleRight (Lemma 3), m > (n + 1) log q + ω(log n) for the leftover hash lemma (Lemma 5).

Let δ be a real such that nδ > log q = O(log n), then we set m = 6n1+δ ,

σ = m · ω(

 log n),

q = m2.5 · ω(

 log n),

α = [m2 · ω(

 log n)]−1 .

316

5.2

L. Cheng and F. Meng

Security Proof

In this section, we prove that our first scheme is selectively fully CI/TI secure. Theorem 1. If the decisional-LWE problem is hard, then our first PAEKS scheme is selectively fully CI secure in one-user setting in the standard model. Proof. We define a series of games between a simulator B and an adversary A who plays the selectively fully CI security game. At the beginning of each game, A chooses two challenge cipher-keywords ck0∗ and ck1∗ . The first and last games are the real security game with challenge ciphertext PAEKS(P KR , P KS , SKS , ck0∗ ) and PAEKS(P KR , P KS , SKS , ck1∗ ), respectively. ∗  S , KeyGen  R , PAEKS  , PAEKS  and In other games, we use algorithms KeyGen  Trapdoor alternatively. During these games, the adversary A can query neither ck0∗ nor ck1∗ on OT . Game0 : B runs the Setup, KeyGenS , KeyGenR algorithms to setup the system, answers A’s ciphertext queries and trapdoor queries using the PAEKS and Trapdoor algorithms respectively, generates the challenge ciphertext using the PAEKS algorithm with ck0∗ .  S , KeyGen  R to setup the system, Game1 : Let ck ∗ = ck0∗ , B runs the Setup, KeyGen  and and answers ciphertext queries and trapdoor queries using the PAEKS  algorithms respectively. Then B generates the challenge ciphertext Trapdoor ∗  algorithm. using the PAEKS  S , KeyGen  R to setup the sysGame2 : Let ck ∗ = ck0∗ , B runs the Setup, KeyGen  tem, and answers ciphertext queries and trapdoor queries using the PAEKS  algorithms respectively. Then B generates the challenge cipherand Trapdoor text by selecting Ca , Cb , Cw , Cu uniformly random and samples ES from . DΛC ∗ u q ([ABDB Bw +H(ck0 )G]),σ  S , KeyGen  R to setup the Game3 : Let ck ∗ = ck1∗ , B runs the Setup, KeyGen  system, and answers ciphertext queries and trapdoor queries using PAEKS  algorithms respectively. Then B generates the challenge cipherand Trapdoor text by selecting Ca , Cb , Cw , Cu uniformly random and samples ES from . DΛC ∗ u q ([ABDB Bw +H(ck1 )G]),σ  S , KeyGen  R to setup the system, and Game4 : Let ck ∗ = ck1∗ , B runs Setup, KeyGen  and Trapdoor  answers ciphertext queries and trapdoor queries using PAEKS algorithms respectively. Then B generates the challenge ciphertext using the ∗  algorithm. PAEKS Game5 : B runs the Setup, KeyGenS , KeyGenR algorithms to setup the system, answers A’s ciphertext queries and trapdoor queries using the PAEKS and Trapdoor algorithms respectively, generates the challenge ciphertext using the PAEKS algorithm with ck1∗ . ∗

 R , PAEKS  , PAEKS,  Trapdoor.   S , KeyGen Now, we define the algorithms KeyGen

PAEKS from LWE

317

 S (P P, ck ∗ ): On input P P and ck ∗ , KeyGen 1. Choose A ← Zn×m and US ← Zn×n . q q ∗ ∗ 2. Choose RD , RA,w ← {−1, 1}m×m , set DA = AR∗D , Aw = AR∗A,w − H(ck ∗ )G. 3. Return P KS = (A, US , DA , Aw ), SKS = (R∗D , R∗A,w ).  R (P P, P KS , ck ∗ ): On input P P, P KS and ck ∗ , KeyGen 1. Run (DB , TDB ) ← TrapGen(n, m, q). 2. Choose R∗B , R∗B,w ← {−1, 1}m×m , set B = AR∗B , Bw = AR∗B,w − H(ck ∗ )G. 3. Return P KR = (B, DB , Bw ), SKR = (R∗B , R∗B,w , TDB ).  ∗ (P KR , P KS , SKR , SKS , ck ∗ ): On input P KR , P KS , SKR , SKS and PAEKS ck ∗ , pick SS ← Ψ¯αn×lS , do the following 1. Compute Ca = A SS + EA , where EA ← Ψ¯αm×lS . ∗T  2. Compute Cb = B SS + R∗T B EA = RB (A SS + EA ). ∗T ∗T  S + R E = R (A SS + EA ). 3. Compute Cd = D A A S D D  ∗ ∗T  4. Compute Cw = [Aw + H(ck )G] SS + RA,w EA = R∗T A,w (A SS + EA ).  n×l 5. Compute Cu = US SS + EU , where EU ← Ψ¯α S . ¯ S ← SampleLeft(DB , AB[Bw + H(ck ∗ )G], Cu , TD , σ) such 6. Sample E B ¯ S = [DB ABAR∗ ]E ¯ S = Cu . that [DB ABBw + H(ck ∗ )G]E B,w ¯ S = (ES,2 ; ES,3 ; ES,1 ; ES,4 ) and set ES = (ES,1 ; ES,2 ; ES,3 ; ES,4 ). Parse E 7. Return the ciphertext Ct∗ = (Ca , Cb , Cd , Cw , ES ).  PAEKS(P KR , P KS , SKR , SKS , ck): Given P KR , P KS , SKR , SKS and ck, compute Ca , Cb , Cd , Cw , Cu as in the PAEKS algorithm, then ¯ S ← SampleLeft(DB , AB[Bw + H(ck)G], Cu , TD , σ) such 1. Sample E B ¯ S = Cu . Parse E ¯S = ¯ that ES ∈ Z4m×lS and [DB ABBw + H(ck)G]E (ES,3 ; ES,1 ; ES,2 ; ES,4 ) and set ES = (ES,1 ; ES,2 ; ES,3 ; ES,4 ). 2. Return the ciphertext Ct = (Ca , Cb , Cd , Cw , ES ).  Trapdoor(P KR , P KS , SKR , SKS , tk): On input P KR , P KS , SKR , SKS and tk, if tk ∈ {ck0∗ , ck1∗ }, return ⊥; else compute Ta , Tb , Td , Tw , Tu as in the Trapdoor algorithm. Observe that Aw +H(tk) = AR∗A,w +(H(tk)−H(ck ∗ ))G, do the following 1. Sample (ER,1 ; ER,3 ) ← DZ2m×lR ,σ , compute Tu = Tu − [BDA ] · (ER,1 ; ER,3 ), sample (ER,2 ; ER,4 ) ← SampleRight(A, (H(ck ∗ ) − H(tk))G, R∗A,w , Tu , TG , σ) and set ER = (ER,1 ; ER,2 ; ER,3 ; ER,4 ). 2. Return trapdoor T r = (Ta , Tb , Td , Tw , ER ). Next, we gradually prove that games (Gamei , Gamei+1 ) are indistinguishable for i = 0, 1, 2, 3, 4. The proofs are shown in the full version.   Theorem 2. If the decisional-LWE problem is hard, then our first PAEKS scheme is selectively fully TI secure in one-user setting in the standard model. Proof. This proof is similar to that of Theorem 1.

 

318

6

L. Cheng and F. Meng

Our Second PAEKS Scheme

Now, we construct our second lattice-based PAEKS scheme that can be proven fully CI/TI secure under the multi-user setting in the random oracle model. Setup(λ): On input a security parameter λ, this algorithm chooses a hash function H : {0, 1}∗ → Zm×m modeled as the random oracle, sets parameters q n, m, q, α, σ as specified in Sect. 6.1, then outputs P P = {n, m, q, α, σ, H}. KeyGenS (P P ) → (P KS , SKS ): It is the same as KeyGenS in Sect. 5. KeyGenR (P P ) → (P KR , SKR ): It is the same as KeyGenR in Sect. 5. PAEKS(P KR , P KS , SKS , ck) → Ct: On input P KR , P KS , SKS and a ciphertext keyword ck, the sender picks SS ← Ψ¯αn×lS and works as follows.  1. Compute Cw = [Aw · H(P KS , P KR , ck)−1 ] SS + Ew , Ew ← Ψ¯αm×lS .   2. Compute Ca = A SS + RA Ew , where RA ← {−1, 1}m×m . m×m . 3. Compute Cb = B SS + R B Ew , where RB ← {−1, 1}   4. Compute Cd = DA SS + RD Ew , where RD ← {−1, 1}m×m . ¯ n×lS . 5. Compute Cu = U S SS + EU , where EU ← Ψα 6. Sample ES ← SampleLeft(A, BDB [Bw · H(P KS , P KR , ck)−1 ], Cu , TA , σ) such that [ABDB Bw · H(P KS , P KR , ck)−1 ] · ES = Cu . 7. Return Ct = (Ca , Cb , Cd , Cw , ES ) as the ciphertext. Trapdoor(P KR , P KS , SKR , tk) → T r: On input P KR , P KS , SKR and a target keyword tk, the receiver picks SR ← Ψ¯αn×lR , then works as follows.  1. Compute Tw = [Bw · H(P KS , P KR , tk)−1 ] SR + Ew , Ew ← Ψ¯αm×lR .   m×m . 2. Compute Ta = A SR + RT A Ew , where RA ← {−1, 1}  T   m×m . 3. Compute Tb = B SR + RB Ew , where RB ← {−1, 1} T   m×m . 4. Compute Td = D B SR + RD Ew , where RD ← {−1, 1}   n×lR ¯ . 5. Compute Tu = US SR + EU , where EU ← Ψα 6. Sample ER ← SampleLeft(B, ADA [Aw · H(P KS , P KR , tk)−1 ], Tu , TB , σ) such that [BADA Aw · H(P KS , P KR , tk)−1 ] · ER = Tu . 7. Return T r = (Ta , Tb , Td , Tw , ER ) as the trapdoor. Test(Ct, T r): Given Ct and T r, the server computes R = E R [Cb ; Ca ; Cd ; Cw ] −    [T a Tb Td Tw ]ES and checks whether |R[i, j]| < q/4 for each i ∈ [1, lR ], j ∈ [1, lS ]. If so, it returns 1, otherwise 0. 6.1

Correctness and Parameter Selection

Similar to the analysis in Sect. 5.1, if ck = tk, then we have R =     E R [Cb ; Ca ; Cd ; Cw ] − [Ta Tb Td Tw ]ES = error, where |error[i, j]| ≤ 3/2 σmqαω(log m) + O(σm ). To satisfy the correctness and make the security proof work, the parameter selection is the same as that in Sect. 5.1. See more details in the full version.

PAEKS from LWE

6.2

319

Security Proof

Theorem 3. If the decisional-LWE problem is hard, then our second PAEKS scheme is fully CI secure in multi-user setting under random oracle model. Proof. If there’s a PPT adversary A that breaks the fully CI security of our second scheme with a non-negligible advantage , then we can construct a PPT algorithm B that solves the LWE problem with a non-negligible probability. Setup: The adversary A chooses the challenge sender/receiver and sends them to B. B runs the Setup algorithm, returns P P to its challenger, who gives n×(m+n) (m+n)×n samples (A0 U, V0 V) ∈ Zq × Zq back to B. Then B picks n×m ∗ ∗ ∗ m×m , RA , RB , RD ← {−1, 1} , R∗A,w ← Dm×m , a hash function B0 ← Zq , runs (DB , TDB ) ← TrapGen(n, m, q), sets US = U, H : {0, 1}∗ → Zm×m q A = A0 · R∗A , DA = A0 · R∗D , Aw = A0 R∗A,w , B = A0 R∗B , Bw = B0 R∗A,w , sends P P , P KS = (A, US , DA , Aw ), P KR = (B, DB , Bw ) to A. Phase 1&2: A is allowed to submit polynomial queries to the hash oracle OH , the ciphertext oracle OC and the trapdoor oracle OT . For simplicity, we assume that (1) A doesn’t submit a query to OH repeatedly; (2) before sub  K S , kwj ) to OT ), A must have mitting a query (P K R , kwj ) to OC (resp. (P   K R , kwj ) (resp. (P K S , P KR , kwj ) to OH . In response to A’s submit (P KS , P queries, B does as follows: OH : B maintains lists L1 of tuples (P KS , P KR , kwj , R1,j , TAw ·R−1 ) and 1,j

  L2 of tuples (P KS, P K R , kwj , R2,j , TAw ·R−1 ), which are initially empty. 2,j Assume A submits q1 times of queries in form of (P K S , P K R , kw) to hash oracle OH . B randomly selects j ∗ ∈ [1, q1 ]. For a OH query of   K R , kwj ), (P KS, P   K R ) = (P K S , P K R ), then if this is the j ∗ ’th query, B sets 1. If (P K S , P H(P KS , P KR , kwj ∗ ) = R∗A,w and adds (P KS , P KR , kwj ∗ , R∗A,w , ⊥) into L1 ; else B runs (R1,j , TAw ·R−1 ) ← SampleRwithBasis(Aw , σ), 1,j sets H(P KS , P KR , kwj ) = R1,j and adds (P KS , P KR , kwj , R1,j , TAw ·R−1 ) into L1 , returns H(P KS , P KR , kwj ) to A. 1,j   2. Else (P KS, P K R ) = (P K S , P K R ), B runs algorithm (R2,j ,    T  −1 ) ← SampleRwithBasis(A w , σ), sets H(P K S , P K R , kwj ) = Aw ·R2,j

  KS, P K R , kwj , R2,j , TA R2,j , then adds (P −1 ) into L2 , sends R2,j  w ·R2,j to A.   K R , kwj ), B retrieves H(P KS , P K R , kwj ) from list OC : For OC query of (P L1 ∪ L2 , then computes Cw , Ca , Cb , Cd , Cu as in the PAEKS algorithm, and does as follows:

320

L. Cheng and F. Meng

¯ S ← SampleLeft(DB , AB[Bw + H(kwj )G], Cu , TD , σ) 1. Sample E B ¯S = ¯ S ∈ Z4m×lS and [DB ABBw + H(kwj )G]E such that E ¯ S = (ES,3 ; ES,1 ; ES,2 ; ES,4 ) and set ES = Cu . Parse E (ES,1 ; ES,2 ; ES,3 ; ES,4 ). 2. Return the ciphertext Ct = (Ca , Cb , Cd , Cw , ES ).   K S , kwj ), B firstly retrieves H(P K S , P KR , kwj ) and OT : For OT query of (P  −1 from list L1 ∪L2 . If H(P K , P KR , kwj ) = R∗A,w , TA S   w ·H(P K S ,P KR ,kwj ) then B aborts; Else, it computes Tw , Ta , Tb , Td , Tu as in the Trapdoor algorithm, then does as follows: 1. Sample (ER,1 ; ER,2 ; ER,3 ) ← DZ3m×lR ,σ , then compute Tu = Tu −  [BADA ] · (ER,1 ; ER,2 ; ER,3 ), then sample ER,4 ← SamplePre(A w · −1   H(P K S , P KR , kwj ) , Tu , TA −1 , σ) and set ER =   w ·H(P K S ,P KR ,kwj ) (ER,1 ; ER,2 ; ER,3 ; ER,4 ). 2. Return trapdoor T r = (Ta , Tb , Td , Tw , ER ). Challenge: A selects two challenge cipher-keywords ck0∗ and ck1∗ with the restriction that none of (P KS , ck0∗ ) and (P KS , ck1∗ ) have been queried on OT . B retrieves H(P KS , P KR , ck0∗ ) and H(P KS , P KR , ck1∗ ) from list L1 . Then, if H(P KS , P KR , cki∗ ) = R∗A,w for i ∈ {0, 1}, B aborts. Otherwise, there is a ckβ∗ , β ∈ {0, 1}, such that H(P KS , P KR , ckβ∗ ) = R∗A,w . B generates the challenge ciphertext corresponding with ckβ∗ as follows: 1. Set C∗w = V0 , compute C∗a = (R∗A ) V0 , C∗b = (R∗B ) V0 , C∗d = (R∗D ) V0 . 2. Set C∗u = V. 3. Sample (E∗S,1 ; E∗S,2 ; E∗S,4 ) ← DZ3m×lS ,σ , then compute V = sample E∗S,3 ← V − [ABB0 ] · (E∗S,1 ; E∗S,2 ; E∗S,4 ),  ∗ ∗ ∗ ∗ SamplePre(DB , V , TDB , σ), then set ES = (ES,1 ; ES,2 ; ES,3 ; E∗S,4 ). 4. Return the challenge ciphertext Ct∗ = (C∗a , C∗b , C∗d , C∗w , E∗S ). Output: A outputs a guess bit β  of β. If A’s guess is correct, then B claims that he is given the real LWE samples; Otherwise, random samples. Further analysis shows that the advantage of B constructed above to solve the LWE problem is a non-negligible /2q1 . See the full version for more details.   Theorem 4. If decisional-LWE problem is hard, then our second PAEKS scheme is fully TI secure in multi-user setting under random oracle model. Proof. This proof is similar to that of Theorem 3.

 

PAEKS from LWE

321

Table 1. Comparison of security properties for various PAEKS schemes. Schemes

HL17 [15] NE19 [19] QCH+20 [21] QCZ+21 [22] LTT+22 [17] Eumra22 [13] Ours1

CI TI MCI MTI Fully CI Fully TI Multi-user setting √

√

√

√

√

×

×

×

×

√

× √

×

×

×

√

√

√

×

× √

×

√

√

√

√

× √

√

√

√

× √

√

√

√

√

× ×

× √

× ×

√

× √

√

√

× √ × √ × √ × √

Neither trusted Setup nor designated-user setting √ √ √ √ × × √ √

Ours2 Note that “Ours1” is proved in the selective version as described in Sect. 3.2. QR: quantum resistance.

QR

× × × × √ √ √ √

Table 2. Comparison of parameters selection of lattice-based PAEKS schemes m σ √ LTT+22 [17] 6n1+δ m · l · ω( log n) √ Ours1 6n1+δ m · ω( log n) √ Ours2 6n1+δ m · ω( log n) Schemes

α √ ˆ · m2 · ω( log n)]−1 [2n √ [m2 · ω( log n)]−1 √ [m2 · ω( log n)]−1

Modulus q √ ˆ · m2.5 · ω( log n) 2n √ m2.5 · ω( log n) √ m2.5 · ω( log n)

δ is a real such that nδ > log q; l is the output length of a secure hash function; n is the failure probability to compute the shared key as described in Sect. 4. 2−ˆ

7

Comparison

In this section, we compare our lattice-based PAEKS schemes with other PAEKS schemes in terms of security properties, parameters and communication cost. In Table 1, we discuss the security properties of various PAEKS schemes. Among them, PAEKS schemes [15,19,21,22] cannot resist quantum attacks; [17] relies on the trusted Setup assumption and fails to provide convincing evidence for their MTI/MCI security, while [13] relies on the designated-receiver setting. Our first PAEKS scheme can be proven selectively fully CI/TI secure, and our second scheme can be proven fully CI/TI secure. In a nutshell, our schemes provide stronger security guarantee for ciphertext privacy and trapdoor privacy. In Table 2, we compare the parameter selection for the LWE-based PAEKS instantiation in [17] with those in our schemes, subject to security and correctness2 . Note that LTT+22 [17]’s√instantiation needs to satisfy an extra parameter constraint q ≥ 2nˆ ·O(m1.5 n·ω( log n)) (see Eq. (2) in Sect. 4), while our schemes don’t require this, so the modulus q in our schemes could be of polynomial size. Specifically, in [17], set n = 256, n ˆ = 128 and l = 256, then m ≈ 218 , σ ≈ 226 , −164 173 , q ≈ 2 . In our schemes, set n = 256, then m ≈ 216 , σ ≈ 216 , α ≈ 2 −35 α ≈ 2 , q ≈ 243 . 2

We omit the comparison with Eumra22 [13] because it does not provide a concrete lattice-based instantiation.

322

L. Cheng and F. Meng

Table 3. Comparison of communication costs of lattice-based PAEKS schemes Schemes

P KS Size

LTT+22 [17] (n + κm) log q Ours1

P KR Size

Ct Size

T r Size

(2n + κm + (l + 2)nm) log q ρ((1 + 2m) log q + 1) 2m log q

(3mn + n2 ) log q 3mn log q

8mls log q

8mlr log q

Ours2 (3mn + n2 ) log q 3mn log q 8mls log q 8mlr log q The underlying lattice-based PEKS [5] used by [17] provides ρ-bit security. κ is the length of the shared key generated by the SPHF [6] as described in Sect. 4.

In Table 3, we compare the communication cost of our schemes and the LWEbased PAEKS instantiation in [17]. For [17], set n = 256, m = 218 , q = 2173 , ρ = 128, κ = 128, l = 256, then the size of public key of sender/receiver is about 708614 (Kb)/366350347 (Kb), and the size of ciphertext/trapdoor is about 1417219 (Kb)/11072 (Kb). For our schemes, set n = 256, m = 216 , q = 243 , ls = 32, lr = 4, then the size of the public key of sender/receiver is about 264536 (Kb)/264192 (Kb), and the size of ciphertext/trapdoor is about 88064 (Kb)/11008 (Kb). Hence, the communication overhead of our schemes is much smaller than that of [17].

8

Conclusion

In this paper, we propose two lattice-based PAEKS schemes, with totally different construction methodology from previous lattice-based PAEKS schemes. Our first scheme satisfies selectively fully CI/TI security in one-user setting under the standard model. Our second scheme can be proven fully CI/TI secure in multi-user setting under the random oracle model. Compared with the existing lattice-based PAEKS schemes, our schemes not only provide stronger security guarantee for ciphertext privacy and trapdoor privacy, but also greatly reduce the communication overhead.

References 1. Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5 28 2. Ajtai, M.: Generating hard instances of the short basis problem. In: ICALP 1999, pp. 1–9 (1999) 3. Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. Theory Comput. Syst. 48(3), 535–553 (2011) 4. Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8 35 5. Behnia, R., Ozmen, M.O., Yavuz, A.A.: Lattice-based public key searchable encryption from experimental perspectives. IEEE Trans. Dependable Secur. Comput. 17(6), 1269–1282 (2020)

PAEKS from LWE

323

6. Benhamouda, F., Blazy, O., Ducas, L., Quach, W.: Hash proof systems over lattices revisited. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10770, pp. 644– 674. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76581-5 22 7. Boneh, D., Di Crescenzo, G., Ostrovsky, R., Persiano, G.: Public key encryption with keyword search. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 506–522. Springer, Heidelberg (2004). https://doi.org/10. 1007/978-3-540-24676-3 30 8. Byun, J.W., Rhee, H.S., Park, H., Lee, D.H.: Off-line keyword guessing attacks on recent keyword search schemes over encrypted data. In: SDM 2006, pp. 75–83 (2006) 9. Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. J. Cryptol. 25(4), 601–639 (2012) 10. Cheng, L., Meng, F.: Security analysis of Pan et al.’s “public-key authenticated encryption with keyword search achieving both multi-ciphertext and multitrapdoor indistinguishability”. J. Syst. Archit. 119, 102248 (2021) 11. Cramer, R., Damg˚ ard, I.: On the amortized complexity of zero-knowledge protocols. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 177–191. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8 11 12. Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002). https://doi.org/10. 1007/3-540-46035-7 4 13. Emura, K.: Generic construction of public-key authenticated encryption with keyword search revisited: stronger security and efficient construction. In: APKC 2022, pp. 39–49. ACM (2022) 14. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC 2008, pp. 197–206 (2008) 15. Huang, Q., Li, H.: An efficient public-key searchable encryption scheme secure against inside keyword guessing attacks. Inf. Sci. 403, 1–14 (2017) 16. Liu, Z.Y., Tseng, Y.F., Tso, R., Mambo, M., Chen, Y.C.: Public-key authenticated encryption with keyword search: a generic construction and its quantum-resistant instantiation. Comput. J. (2021). https://doi.org/10.1093/comjnl/bxab119 17. Liu, Z., Tseng, Y., Tso, R., Mambo, M., Chen, Y.: Public-key authenticated encryption with keyword search: cryptanalysis, enhanced security, and quantum-resistant instantiation. In: ASIA CCS 2022, pp. 423–436. ACM (2022) 18. Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-290114 41 19. Noroozi, M., Eslami, Z.: Public key authenticated encryption with keyword search: revisited. IET Inf. Secur. 13(4), 336–342 (2019) 20. Pan, X., Li, F.: Public-key authenticated encryption with keyword search achieving both multi-ciphertext and multi-trapdoor indistinguishability. J. Syst. Archit. 115, 102075 (2021) 21. Qin, B., Chen, Y., Huang, Q., Liu, X., Zheng, D.: Public-key authenticated encryption with keyword search revisited: security model and constructions. Inf. Sci. 516, 515–528 (2020) 22. Qin, B., Cui, H., Zheng, X., Zheng, D.: Improved security model for public-key authenticated encryption with keyword search. In: Huang, Q., Yu, Yu. (eds.) ProvSec 2021. LNCS, vol. 13059, pp. 19–38. Springer, Cham (2021). https://doi. org/10.1007/978-3-030-90402-9 2

324

L. Cheng and F. Meng

23. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34:1–34:40 (2009) 24. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring, pp. 124–134. IEEE Computer Society (1994) 25. Yan-Cheng, C., Michael, M.: Privacy preserving keyword searches on remote encrypted data, pp. 442–455 (2005) 26. Zhang, X., Tang, Y., Wang, H., Xu, C., Miao, Y., Cheng, H.: Lattice-based proxyoriented identity-based encryption with keyword search for cloud storage. Inf. Sci. 494, 193–207 (2019) 27. Zhang, X., Xu, C., Wang, H., Zhang, Y., Wang, S.: FS-PEKS: lattice-based forward secure public-key encryption with keyword search for cloud-assisted industrial internet of things. IEEE Trans. Dependable Secur. Comput. 18(3), 1019–1032 (2021)

An Efficient Query Recovery Attack Against a Graph Encryption Scheme Francesca Falzon1,2(B) and Kenneth G. Paterson3 1 2

Brown University, Providence, RI, USA University of Chicago, Chicago, IL, USA [email protected] 3 ETH Zürich, Zürich, Switzerland [email protected]

Abstract. Ghosh, Kamara and Tamassia (ASIA CCS 2021) presented a Graph Encryption Scheme supporting shortest path queries. We show how to perform a query recovery attack against this GKT scheme when the adversary is given the original graph together with the leakage of certain subsets of queries. Our attack falls within the security model used by Ghosh et al., and is the first targeting schemes supporting shortest path queries. Our attack uses classical graph algorithms to compute the canonical names of the single-destination shortest path spanning trees of the underlying graph and uses these canonical names to pre-compute the set of candidate queries that match each response. Then, when all shortest path queries to a single node have been observed, the canonical names for the corresponding query tree are computed and the responses are matched to the candidate queries from the offline phase. The output is guaranteed to contain the correct query. For a graph on n vertices, our attack runs in time O(n3 ) and matches the time complexity of the GKT scheme’s setup. We evaluate the attack’s performance using the real world datasets used in the original paper and show that as many as 21.9% of the queries can be uniquely recovered and as many as 50% of the queries result in sets of only three candidates.

Keywords: Encrypted databases

1

· Attacks · Cryptanalysis

Introduction

Graphs are a powerful tool that can be used to model many problems related to social networks, biological networks, geographic relationships, etc. Plaintext graph database systems have already received much attention in both industry (e.g. Amazon Neptune [2], Facebook TAO [23], Neo4j [18]) and academia (e.g. GraphLab [15], Trinity [22]). With the rise of data storage outsourcing, there is an increased interest in Graph Encryption Schemes (GESs). A GES enables a client to encrypt a graph, outsource the storage of the encrypted graph to an untrusted server, and finally to make certain types of graph queries to the server. Current c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 325–345, 2022. https://doi.org/10.1007/978-3-031-17140-6_16

326

F. Falzon and K. G. Paterson

GESs typically support one type of query, e.g. adjacency queries [6], approximate shortest distance queries [16], and exact shortest path queries [12,24]. In this paper, we analyse the security of the GES of Ghosh, Kamara and Tamassia [12] from ASIA CCS 2021. We refer to this scheme henceforth as the GKT scheme. The GKT scheme encrypts a graph G such that when a shortest path query (u, v) is issued for some vertices u and v of G, the server returns information allowing the client to quickly recover the shortest path between u and v in G. The scheme pre-computes a matrix called the SP-matrix from which shortest paths can be efficiently computed, and then creates an encrypted version of this matrix which we refer to as the encrypted database (EDB). EDB is sent to the server. At query time, the client computes a search token for the query (u, v); this token is sent to the server and is used to start a sequence of look-ups to EDB. Each look-up results in a new token and a ciphertext encrypting the next vertex on the shortest path from u to v. The concatenation of these ciphertexts is returned to the client. The GKT scheme [12] is very elegant and efficient. For a graph on n vertices, computing the SP-matrix takes time O(n3 ) and dominates the setup time. Building a search token involves computing a pseudo-random function. Processing a query (u, v) at the server requires t look-ups in EDB, where t is the length of the shortest path from u to v. Importantly, thanks to the design of the scheme, query processing can be done without interaction with the client, except to receive the initial search token and to return the result. This results in EDB revealing at query time the sequence of labels (tokens) needed for the recursive lookup and the sequence of (encrypted) vertices that is eventually returned to the client. We exploit the query leakage of the GKT scheme to mount a query recovery (QR) attack against the scheme. Our attack can be mounted by the honest-butcurious server and requires knowledge of the graph G. This may appear to be a strong requirement, but is in fact weaker than is permitted in the security model of [12], where the adversary can even choose G. Assuming that the graph G is public is a standard assumption for many schemes that support private graph queries [12,17,21]. This model is perfect for routing and navigation systems in which the road network may easily be obtained online via Google Maps or Waze, but the client may wish to keep its queries private. Our attack has two phases. First, it has an offline, pre-processing phase that is carried out on the graph G. In this phase, we extract from G a plaintext description of all its shortest path trees. We then process these trees and compute candidate queries for each query using each tree’s canonical labels. A canonical label is an encoding of a graph that can be used to decide when graphs are isomorphic; a canonical label of a rooted tree can be computed efficiently using the AHU algorithm [1]. This concludes the offline phase of the attack. Its time complexity is O(n3 ) where n is the number of vertices in G, and matches the run time of our overall attack and the run time of the GKT scheme’s setup. Both our attack and the setup are lower bounded by the time to compute the all-pairs shortest paths, which takes O(n3 ) time for general graphs [11]. The second phase of the attack is online: As queries are issued, the adversary constructs a second set of trees that correspond to the sequence of labels computed by the server when processing each query i.e. the per-query leakage of

An Efficient Query Recovery Attack Against a Graph Encryption Scheme

327

the scheme. This description uses the labels of EDB (which are search tokens) as vertices; two labels are connected if the first points to the second in EDB. When an entire tree has been constructed, the adversary can then run the AHU algorithm again to compute the canonical names associated with this query tree. An entire query tree Q can be built when all queries to a particular destination have been issued. This is realistic in a routing scenario where many trips may share a common popular destination (e.g. an airport, school, or distribution center). By correctness of the scheme, there exists a collection of isomorphisms mapping Q to at least one tree computed in the offline phase. Such isomorphisms also map shortest paths to shortest paths. We thus perform a matching between the paths in the trees from the online phase to the trees in the offline phase. This can be done efficiently using a modified AHU algorithm [1] that we develop and which decides when one path can be mapped to another by an isomorphism of trees. This yields two look-up tables which, when composed, map each path in the first set of trees to a set of candidate paths in the second set. We use the search token of the queries associated with Q to look up the possible candidate queries in the tables computed in the online phase, and output them. The output is guaranteed to contain the correct query. In general, the leakage from a query can be consistent with many candidates, and the correct candidate cannot be uniquely determined. Graph theoretically, this is because there can be many possible isomorphisms between pairs of trees in our two sets. If we consider the chosen graph setting, it is easy to construct a graph G where, given any query tree Q of G, its isomorphism is uniquely determined and there is a unique candidate for each query of Q, i.e. we can achieve what we call full query recovery (FQR). In other cases, the query leakage may result in one or only a few possible query candidates, which may be damaging in practice. In order to explore the effectiveness of our attack, we support it with experiments on 8 real-world graphs (6 of which were used in [12]) and on random graphs. Our results show that for the given real-world graphs, as many as 21.9% of all queries can be uniquely recovered and as many as half of all queries can be mapped to at most 3 candidate queries. Our experimental results show that QR tends to result in smaller sets of candidate queries when the graphs are less dense, and that dense graphs tend to have more symmetries. We summarize our core contributions as follows: 1. We present the first attack against a GES that supports shortest path queries, and the second known attack against GESs, to our knowledge. 2. We use the GKT scheme’s leakage to mount an efficient query recovery attack against the scheme. We explain how, for our real world datasets, the set of all query trees can be recovered with as few as 68.1% of the queries. 3. We make use of the classical AHU algorithm for the graph isomorphism problem for rooted trees and develop a new algorithm for deciding when a path in one tree can be mapped onto a path in another under an isomorphism. 4. We evaluate our attack against real-world datasets and random graphs. 5. We motivate the need for detailed cryptanalysis of GESs.

328

F. Falzon and K. G. Paterson

All proofs can be found in the full version [10]. 1.1

Prior and Related Work

Chase and Kamara present the first graph encryption scheme that supports both adjacency queries and focused subgraph queries [6]. Poh et al. give a scheme for encrypting conceptual graphs [19]. Meng et al. present three schemes that support approximate shortest path queries on encrypted graphs, each with a slightly different leakage profile [16]. To reduce storage overhead, their solution leverages sketch-based oracles that select seed vertices and store the exact shortest distance from all vertices to the seeds; these distances are then used to estimate shortest paths in the graph. Ghosh et al. [12] and Wang et al. [24] present schemes that support exact shortest path queries on encrypted graphs. Other solutions for privacy preserving graph structures use other techniques (e.g. [20,25]), however, these approaches have different security goals. The leakage of GESs was first analyzed by Goetschmann [13]. The author considers schemes that support approximate shortest path queries that use sketchbased distance oracles (e.g. [16]), presents two methods for estimating distances between nodes, and gives a query recovery attack that aims to recover the vertices in an encrypted query.

2

Preliminaries

Notation. For some integer n, let [n] = {1, 2, . . . , n}. We denote concatenation of two strings a and b as a||b. Graphs. A graph is a pair G = (V, E) consisting of a vertex set V of size n and an edge set E of size m. A graph is directed if the edges specify a direction from one vertex to another. Two vertices u, v ∈ V are connected if there exists a path from u to v in G. In this paper, we assume that all graphs G are connected for simplicity of presentation. However our attack and its constituent algorithms directly apply to multi-component graphs too. A tree is a connected, acyclic graph. A rooted tree T = (V, E, r) is a tree in which one vertex r has been designated the root. For some rooted tree T = (V, E, r) and vertex v ∈ V we denote by T [v] the subtree of T induced by v and all its descendants. Given a graph G = (V, E) and some vertex v ∈ V , we define a singledestination shortest path (SDSP) tree for v to be a directed spanning tree T such that T is a subgraph of G, v is the only sink in T , and each path from u ∈ V \ {v} to v in T is a shortest path from u to v in G. An example of an SDSP tree can be found in Fig. 1b. We also define two binary options on graphs. Given two graphs G = (V, E) and H = (V  , E  ), the union of G and H is defined as G ∪ H = (V ∪ V  , E ∪ E  ). Given a graph G = (V, E) and a subgraph H = (V  , E  ) such that V  ⊆ V, E  ⊆ E, the graph subtraction of H from G is defined as G \ H = (V \ V  , E \ E  ).

An Efficient Query Recovery Attack Against a Graph Encryption Scheme

329

Dictionaries. A dictionary D is a map from some label space L to a value space V. If lab → val, then we write D[lab] = val. Hash Functions. A set H of functions U → [M ] is a universal hash function family if, for every distinct x, y ∈ U the hash function family H satisfies the following constraint: Prh←H [h(x) = h(y)] ≤ 1/M. 2.1

Graph Isomorphisms

Our approach will make heavy use of graph isomorphisms. Definition 1. An isomorphism of graphs G1 = (V1 , E1 ) and G2 = (V2 , E2 ) is a bijection between vertex sets ϕ : V1 → V2 such that for all u, v ∈ V1 , (u, v) ∈ E1 if and only if (ϕ(u), ϕ(v)) ∈ E2 . If such an isomorphism exists, we write G1 ∼ = G2 . Definition 2. An isomorphism of rooted trees T1 = (V1 , E1 , r1 ) and T2 = (V2 , E2 , r2 ) is an isomorphism ϕ from T1 to T2 (as graphs) such that ϕ(r1 ) = r2 . 2.2

Canonical Names

A canonical name Name(·) is an encoding mapping graphs to bit-strings such that, for any two graphs H and G, Name(G) = Name(H) if and only if G ∼ = H. For rooted trees Aho, Hopcraft, and Ullman (AHU) [1] describe an algorithm for computing a specific canonical name in O(n) time. We refer to this as the canonical name and describe it next. The AHU Algorithm. We use a modified AHU algorithm, which we denote as ComputeNames, to compute the canonical names of rooted trees (and their subtrees) and determine if they are isomorphic. ComputeNames takes as input a rooted tree T = (V, E, r), a vertex v ∈ V , and an empty dictionary Names. It outputs the canonical name of the subtree T [v] (which we also refer to as the canonical name of v) and a dictionary Names that maps each descendent u of v to the canonical name of T [u]. The algorithm proceeds from the leaves to the root. It assigns the name ‘10’ to all leaves of the tree. It then recursively visits each descendent u of v and assigns u a name by sorting the names of its children in increasing lexicographic order, concatenating them into an intermediate name children_names and assigning the name ‘1||children_names||0’ to u (see Fig. 1b for an example). The canonical name of T , Name(T ), is the name assigned to the root r. Pseudocode for the AHU algorithm can be found in the full version [10]. 2.3

Threat Model and Assumptions

We consider a passive, persistent, honest-but-curious adversary that has compromised the server and can observe the initial search tokens issued, all subsequent search tokens revealed during query processing, and the responses.

330

F. Falzon and K. G. Paterson

We assume that the adversary knows the graph G that has been encrypted to create EDB. This is a strong assumption, but fits within the security model used in [12] (where G can even be chosen) and is realistic in many navigation scenarios. We further assume that the adversary sees enough queries to construct at least one query tree. We emphasize that computing a complete query tree does not require observing all possible queries to the root; observing just the queries starting at the leaf nodes of the tree is sufficient for constructing a query tree. In SDSP trees with few leaves, only a small fraction of queries is thus needed. We assume that the all-pairs shortest path algorithm used in constructing the SP-matrix from G during setup is deterministic and that it is known to the adversary. Such an assumption is reasonable since many shortest path algorithms are deterministic, including Floyd-Warshall [11].

3 3.1

The GKT Graph Encryption Scheme GKT Scheme Overview

The GKT scheme supports single pair shortest path (SPSP) queries. The graphs may be directed or undirected, and the edges may be weighted or unweighted. An SPSP query on a graph G = (V, E) takes as input a pair of vertices (u, v) ∈ V × V , and outputs a path pu,v = (u, w1 , . . . , w , v) such that (u, w1 ), (w1 , w2 ), . . . , (wt−1 , v) ∈ E and pu,v is of minimal length. SPSP queries may be answered using a number of different data structures. The GKT scheme makes use of the SP-matrix [7]. For a graph G = (V, E), the SP-matrix M is a |V | × |V | matrix defined as follows. Entry M [i, j] stores the second vertex along the shortest path from vertex vi to vj ; if no such path exists, then it stores ⊥. An SPSP query (vi , vj ) is answered by computing M [i, j] = vk to obtain the next vertex along the path and then recursing on (vk , vj ) until ⊥ is returned. At a high level, the GKT scheme proceeds by computing an SP-matrix for the query graph and then using this matrix to compute a dictionary SPDX . This dictionary is then encrypted using a dictionary encryption scheme (DES) such as [4,6]. To ensure that the GKT scheme is non-interactive, the underlying DES must be response-revealing. We provide the syntax of a DES next. Definition 3. A dictionary encryption scheme (DES) is a tuple of algorithms DES = (Gen, Encrypt, Token, Get) with the following syntax: – DES.Gen is probabilistic and takes as input security parameter λ, and outputs secret key sk. – DES.Encrypt takes as input key sk and dictionary D, and outputs an encrypted dictionary ED. – DES.Token takes as input key sk and label lab, and outputs a search token tk. – DES.Get takes as input search token tk and encrypted dictionary ED, and returns plaintext value val. While the GKT scheme is response-hiding (i.e. the shortest path is not returned in plaintext to the client), the underlying DES must be responserevealing (i.e. the values in its encrypted dictionary ED are revealed at query time). We provide a detailed description of the GKT scheme in Appendix A.

An Efficient Query Recovery Attack Against a Graph Encryption Scheme

3.2

331

Leakage of the GKT Scheme

Ghosh et al. [12] provide a formal specification of their scheme’s leakage. Informally, the setup leakage of their scheme is the number of vertex pairs in G that are connected by a path, while the query leakage consists of the query pattern (which pairs of queries are equal), the path intersection pattern (the overlap between pairs of shortest paths seen in queries), and the lengths of the shortest paths arising in queries. See [12, Section 4.1] for more details. Recall that in the GKT scheme, the server obtains EDB by encrypting the underlying dictionary SPDX , in which labels are of the form lab = (vi , vj ) and values are of the form val = (tk, c), using a DES. Here tk is a token obtained by running DES.Token on a pair (w, vj ) and c is obtained by symmetrically encrypting (w, vj ). Since EDB is obtained by running DES on SPDX , this means that the labels in EDB are derived from tokens obtained by running DES.Token on inputs lab = (vi , vj ). Moreover, these tokens also appear in the values in EDB that are revealed to the server at query time, i.e. the entries (tk, c). In turn, the query leakage reveals to the server the token used to initiate a search, as well as all the subsequent pairs (tk, c) that are obtained by recursively processing such a query. Let us denote the sequence of search tokens associated with the processing of some (unknown) query q for a shortest path of length t as s = tk1 tk2 . . . tkt+1 ∈ {0, 1}∗ . We refer to this string as the token sequence of q. Since the search tokens correspond to the sequence of vertices in the queried path, there are as many tokens in the sequence as there are vertices in the shortest path for the query. Note that, by correctness of DES used in the construction of EDB, no two distinct queries can result in the same token sequence. Notice also that token sequences for different queries can be overlapping; indeed since the tokens are computed by running DES.Token on inputs lab = (vi , v) where v is the final vertex of a shortest path, two token sequences are overlapping if and only if they correspond to queries (and shortest paths) having the same end vertex. Hence, given the query leakage of a set of queries, the adversary can compute all the token sequences and construct from them n ≤ n directed trees, {Qi }i∈[n ] , each tree having at most n vertices and a single root vertex. The vertices across all n trees are labelled with the search tokens in EDB and there is a directed edge from tk to tk if and only if tk and tk are adjacent in some token sequence. (Each tree has at most n vertices because of our assumption about G being connected.) We call this set of trees the query trees. Each query tree corresponds to the set of queries having the same end vertex. Each tree has a single sink (root) that corresponds to a unique vertex v ∈ V . The tree paths correspond to the shortest paths from vertices w ∈ V \{v} to v, such that w and v are connected in G. Ghosh et al. [12] also discuss these trees but they do not analyze the theoretical limits of what can be inferred from them. We denote the leakage of the GKT scheme on a graph G after issuing a set of SPSP queries Q as L(G, Q). We stress that our attacks are based only on the leakage of the scheme, as established above, and not on breaking the underlying cryptographic primitives of the scheme.

332

3.3

F. Falzon and K. G. Paterson

Implications of Leakage

Suppose that all queries have been issued and that we have constructed all query trees {Qi }i∈[n] . We observe that there exists a 1–1 matching between the query trees {Qi }i∈[n] and the SDSP trees {Tv }v∈V of G such that each matched pair of trees is isomorphic. The reason is that the query trees are just differently labelled versions of the SDSP trees. In turn, this stems from the fact that paths in the query trees are in one-to-one correspondence with the shortest paths in G. This now reveals the core of our query recovery attack, developed in detail in Sect. 4 below. The server with access to G first computes all the SDSP trees offline. As queries are issued, it then constructs the query trees one path at a time. Once a complete query tree Q is computed (recall that each query tree must have n vertices since G is connected) the server finds all possible isomorphisms between Q and the SDSP trees. Then, for each token sequence in Q, it computes the set of paths in the SDSP trees to which that token sequence can be mapped under the possible isomorphisms. This set of paths yields the set of possible queries to which the token sequence can correspond. This information is stored in a pair of dictionaries, which can be used to look up the candidate queries. To illustrate the core attack idea, Fig. 1 depicts (1a) a graph G, (1b) its SDSP tree for vertex 1 (with vertex labels and canonical names), and (1c) the matching query tree (without vertex labels). It is then clear that the leakage from the unique shortest path of length 2 in Fig. (1c) can only be mapped to the corresponding path with edges (4, 5), (5, 1) in Fig. (1b) under isomorphisms. Similarly, the shortest path of length 1 that is a subpath of that path of length 2 can only be mapped to path (5, 1). On the other hand, the 3 remaining paths of length 1 can be mapped under isomorphisms to any of the length 1 paths (2, 1), (3, 1), or (6, 1) and so cannot be uniquely recovered. Since the adversary only learns the query trees and token sequences from the leakage, the degree of query recovery that can be achieved based on that leakage is limited. In Sect. 5, we show that in practice this is often not an issue since many queries result in only a very small number of candidate queries.

4 4.1

Query Recovery Formalising Query Recovery Attacks

Query recovery, in general, is the goal of determining the plaintext value of queries that have been issued by the client. We study the problem of query recovery in the context of GESs, specifically, the GKT scheme: given G, the setup leakage and the query leakage from a set of SPSP queries, our goal is to match the leakage for each SPSP query with the corresponding start and end vertices (u, v) of a path in G. As noted above, there may be a number of candidate queries that can be assigned to the leakage from each query. We now formally describe the adversary’s goals.

An Efficient Query Recovery Attack Against a Graph Encryption Scheme

333

Fig. 1. (a) Original graph G, (b) its corresponding SDSP tree for vertex 1 in G with the canonical names labeling all the vertices of the tree, and (c) the matching query tree that is leaked during setup (without any vertex labels).

Definition 4. (Consistency) Let G = (V, E) be a graph, Q = {q1 , . . . , qk } be the set of SPSP queries that are issued, and S = {s1 , s2 , . . . , sk } be the set of token sequences of the queries issued. An assignment π : S → V ×V is a mapping from token sequences to SPSP queries. An assignment π is said to be consistent with the leakage L(G, Q) if it satisfies L(G, Q) = L(G, π(S)). Informally, consistency requires that, for each si ∈ S, the query π(si ) specified by assignment π could feasibly result in the observed leakage L(G, Q). Definition 5. (QR) Let G = (V, E) be a graph, Q = {q1 , . . . , qk } be a set of SPSP queries, and S the corresponding set of token sequences. Let Π be the set of all assignments consistent with L(G, Q). The adversary achieves query recovery (QR) when it computes and outputs a mapping: s → {π(s) : π ∈ Π} for all s ∈ S. Informally, the adversary achieves query recovery if, for each s ∈ S (a set of token sequences resulting from queries in Q), it outputs a set of query candidates {π(s) : π ∈ Π} containing every query that is consistent with the leakage. Note that this implies that the output always contains the correct query (and possibly more). This is the best the adversary can do, given the available leakage. Note, however, that there is some information not conveyed in this mapping. In particular, by fixing an assignment for a given token sequence, we may fix or reduce the possible assignments for other query responses. We now define a special type of QR when there exists only one assignment consistent with the query leakage, i.e. all queries can be uniquely recovered. Definition 6. (FQR) Let G = (V, E) be a graph, Q = {q1 , . . . , qk } be a set of SPSP queries, and S the corresponding set of token sequences. Let Π be the set of assignments consistent with L(G, Q). We say that the adversary achieves full query recovery (FQR) when it (a) achieves QR, and (b) |Π| = 1. That is, there is a unique assignment of token sequences to queries consistent with the leakage. Whether FQR is always possible (i.e. for every possible set of queries Q) depends on the graph G. Specifically, we will see that FQR is always

334

F. Falzon and K. G. Paterson

possible if and only if each SDSP tree arising in G is non-isomorphic and there exists one unique isomorphism from each SDSP tree to its corresponding query tree. It is easy to construct graphs for which these conditions hold (see Sect. 4.9). For such graphs, our QR attack always achieves FQR. 4.2

Technical Results

We develop some technical results concerning isomorphisms of trees and the behaviour of paths under those isomorphisms that we will need in the remainder of the paper. For any rooted tree T = (V, E, r) and any u ∈ V , let T [u] ⊆ T denote the subtree induced by u and all its descendants in T . Lemma 1. Let T = (V, E, r) and T  = (V  , E  , r ) be rooted trees. Let pu,r = (u, w1 , . . . , wt , r) and pv,r = (v, w1 , . . . , w , r ) be paths in T and T  , respectively. If there exists an isomorphism ϕ : T → T  such that ϕ(u) = v, then t =  and ϕ(wi ) = wi for all i ∈ [t]. Given a rooted tree T = (V, E, r) and any u ∈ V , let PathNameT (u) denote the concatenation of the canonical names of vertices along the path from u to r in T , separated by semicolons: PathNameT (u) = Name(T [u]) “; ” Name(T [w1 ]) “; ” . . . Name(T [r]).

(1)

Computing path names forms the core of our QR attack. Before we explain how we use them, we prove a sequence of results about the relationship between path names and isomorphisms. In Sect. 4.4 we explain how to apply a universal hash function to the path names to compress their length to O(log n) bits. Proposition 1. Let T = (V, E, r) and T  = (V  , E  , r ) be isomorphic rooted trees and let C and C  denote the set of children of r and r , respectively. There is an isomorphism from T to T  if and only if there is a perfect matching from C to C  such that for each matched pair ci ∈ C, ci ∈ C  , there exists an isomorphism ϕi : T [ci ] → T [ci ]. Lemma 2. Let T = (V, E, r) and T  = (V  , E  , r ) be isomorphic rooted trees. Let u and v be children of r and r , respectively. Suppose that σ is an isomorphism from T [u] to T  [v]. Then there exists an isomorphism ϕ from T to T  such that ϕ|T [u] = σ and ϕ(u) = v. We now come to our main technical result: Theorem 1. Let T = (V, E, r) and T  = (V  , E  , r ) be rooted trees and let u ∈ V and v ∈ V  . There exists an isomorphism ϕ : T → T  mapping u to v if and only if PathNameT (u) = PathNameT  (v). Theorem 1 also gives us a method for identifying when there exists only a single isomorphism between two rooted trees. Suppose that T = (V, E, r) and T  = (V  , E  , r ) are isomorphic rooted trees and that every vertex v ∈ V has a distinct path name; then there exists exactly one isomorphism from T to T  .

An Efficient Query Recovery Attack Against a Graph Encryption Scheme

335

Intuitively, a vertex in T can only be mapped to a vertex in T  with the same path name. So if path names are unique, then each vertex in T can only be mapped to a single vertex in T  , meaning there is only a single isomorphism available. The converse also holds: if there exists exactly one isomorphism from T to T  , then every vertex v ∈ V necessarily has a distinct path name. This observation will be useful in characterizing when query reconstruction results in full query recovery. We summarise with: Corollary 1. Let T = (V, E, r) and T = (V  , E  , r ) be isomorphic rooted trees. Every vertex v ∈ V has a unique path name in T if and only if there exists a single isomorphism from T to T  . 4.3

Overview of the Query Recovery Attack

Our QR attack takes as input the graph G, a set of token sequences corresponding to the set of issued queries, and comprises of the following steps: 0. Preprocess the graph offline (Algorithm 2). Compute the SDSP trees {Tv }v∈V of graph G. Then compute a multimap M that maps each path name arising in the Tv to the set of SPSP queries whose start vertices have the same path name. 1. Compute the query trees online. The trees are constructed from the token sequences as the queries are issued. 2. Process the query trees (Algorithm 3). Compute a dictionary D that maps each token sequence to the path name of the start vertex of the path. Both the preprocessing step and the online steps take time O(n3 ) where n is the number of vertices in the graph. Note that steps 0 and 2 are trivially parallelizable. In the case that the APSP algorithm is randomized, the adversary can simply run the attack multiple times to account for different shortest path trees. 4.4

Computing the Path Names

Before diving into our attack, we describe our algorithm for computing path names which we use as a subroutine of our attack. Algorithm 1 (ComputePathNames) takes as input a rooted tree T = (V, E, r) and outputs a dictionary mapping each vertex v ∈ V to its path name. First, we call ComputeNames and obtain a dictionary Names that maps each vertex v ∈ V to the canonical name of subtree T [v]. We will use a function h drawn from a universal hash function family H to compress the path names from O(n2 ) to O(log n). We initialize an empty dictionary PathNames and set PathNames[r] = h(Names[r]). We then traverse T in a depth first search manner; when a new vertex v is discovered during the traversal, we set PathNames[v] to the hash of the concatenation of the name of v and the path name of its parent u i.e. PathNames[v] = h(Names[v] PathNames[u]). (2) When all vertices have been explored, PathNames is returned. The pseudocode can be found in Algorithm 1.

336

F. Falzon and K. G. Paterson

Lemma 3. Let G = (V, E) be a graph and let {Tr }r∈V be the set of SDSP trees of G. Let PathNames be the union of the outputs of running Algorithm 1 on each tree in {Tr }r∈V . Let H be a universal hash function family mapping {0, 1}∗ → {0, 1}6 log n . Then for randomly sampled h ← H the expected number of collisions in PathNames is at most O(1/n). We note that to achieve a smaller probability of collision, one can choose a hash function family H whose output length is c log n where c > 6. For simplicity we invoke the universal hash function using SHA-256 truncated to 128 bits. Lemma 4. Let T = (V, E, r) be a rooted tree on n vertices and H be a universal hash function family mapping {0, 1}∗ → {0, 1}6 log n . Upon input of T , Algorithm 1 returns a dictionary of size O(n log n) mapping each v ∈ V to a hash of its path name in time O(n2 ). 4.5

Preprocess the Graph

We first preprocess the original graph G = (V, E) into the n SDSP trees. Since the adversary is assumed to have knowledge of G, this step can be done offline. We use the same all-pairs shortest paths algorithm used at setup on G to compute the n SDSP trees {Tv }v∈V , where tree Tv is rooted at vertex v. For unweighted, undirected graphs, we can use breadth first search for a total run time of O(n2 + nm) where m = |E|; for general weighted graphs this step has a run time of O(n3 ) [11]. Next, we compute the path names of each vertex in {Tr }r∈V , and then construct a multimap M that maps the (hashed) path name of each vertex in {Tr }r∈V to the set of SPSP queries whose start vertices have the same path name. We leverage Theorem 1 to construct this map. We initialize an empty multimap M. For each r ∈ V we compute PathNames by running Algorithm 1 (ComputePathNames) on Tr . For each vertex v in Tr we compute path_name ← PathNames[v], and check whether path_name is a label in M. If yes, M[path_name] ← M[path_name] ∪ {(v, r)}. Otherwise M[path_name] ← {(v, r)}. The pseudocode can be found in Algorithm 2. Lemma 5. Let G = (V, E) be a graph on n vertices. Upon input of G, Algorithm 2 returns a multimap of size O(n2 log n) mapping each v ∈ V to its corresponding path name in time O(n3 ). 4.6

Process the Search Tokens

We must now process the tokens revealed at query time. Recall that the tokens are revealed such that the response to any shortest path query can be computed non-interactively. When a search token tk is sent to the server, the server recursively looks up each of the encrypted vertices along the path. The adversary can thus compute the query trees using the search tokens revealed at query time. First, it initializes an empty graph G . As label-value pairs (lab, val) are

An Efficient Query Recovery Attack Against a Graph Encryption Scheme

337

revealed in EDB, the adversary parses tkcurr ← lab and (tknext , c) ← val, and adds (tkcurr , tknext ) as a directed edge to G . At any given time, G will be a forest comprised of n ≤ n trees, {Qi }i∈[n ] , such that each Qi has at most n nodes. Identifying the individual trees in the forest can be done in time O(n2 ). The adversary can compute the query trees online and the final step of the attack can be run on any set of query trees. A complete query tree corresponds to the set of all queries to some fixed destination. For ease of explanation, we assume Algorithm 3 takes as input the set of complete query trees constructed from the leakage. 4.7

Map the Token Sequences to SPSP Queries

In the last step, we take as input the set of query trees {Qi }i∈[n ] constructed from the leakage. We use the path names of each vertex in the {Qi }i∈[n ] to construct a dictionary D that maps each token sequence s to the path name of the starting vertex of the corresponding path in its respective query tree. We first initialize an empty dictionary D. For each complete query tree Qi , we compute PathNames ← ComputePathNames(Qi ) and take the union of PathNames and D. The pseudocode can be found in Algorithm 3. Theorem 2. Let G = (V, E) be a graph and EDB be an encryption of G using the GKT scheme. Let {Qi }i∈[n ] be the query trees constructed from the leakage of queries issued to EDB. Upon input of G, Algorithm 2 returns a dictionary M mapping each path name to a set of SPSP queries in time O(n3 ). Upon input of G and {Qi }i∈[n ] , Algorithm 3 returns a dictionary D mapping token sequences to path names in time O(n3 ). Moreover, the outputs D and M have the property that, for any token sequence s corresponding to a path (v, r) in a query tree and for every query (v  , r ) ∈ M[D[s]], there exists an isomorphism ϕ from Q to Tr such that ϕ(v) = v  and ϕ(r) = r . 4.8

Recover the Queries

Once the map between each node (token) in a query tree and its corresponding path name has been computed, the attacker can use M and D to compute the candidate queries of all queries in the complete query trees. Given M and D (outputs of Algorithms 2 and 3, respectively) and an observed token s matching a query in the query trees for some unknown query, the adversary can find the set of queries consistent with s by simply computing M[D[s]]. 4.9

Full Query Recovery

We conclude this section with a discussion of when FQR is possible. By the correctness of our attack, this is the case for a graph G, a set of complete query trees {Qi }i∈[n ] , and associated token sequences S when for M ← PreprocessGraph(G), D ← QueryMapping(G, {Qi }i∈n ) and all s ∈ S we have |M[D[s]]| = 1. We can also phrase a condition for FQR feasibility in

338

F. Falzon and K. G. Paterson

graph-theoretic terms. Recall Corollary 1, which states that given two isomorphic rooted trees T and T  , if each vertex in T has a unique path name, then there exists only one isomorphism from T to T  . We deduce that FQR is always achievable for any set of complete query trees, when all n2 vertices in the SDSP trees have unique path names. Formally, we have the following: Corollary 2. Let G = (V, E) be a graph and let {Tv }v∈V be the set of SDSP trees of G. Suppose every vertex in {Tv }v∈V has a unique path name (and in particular, each T ∈ {Tv }v∈V has a unique canonical name). Then FQR can always be achieved on any complete query tree(s). The converse is also true. Our attack achieves FQR whenever possible. For example, let G be the family of graphs having one central vertex c and any number of paths all of distinct lengths appended to c. Our attack achieves FQR for all graphs G ∈ G.

5

Experiments

Implementation Details. We implemented our attack in Python 3.7.6 and ran our experiments on a computing cluster with a 2 × 28 Core Intel Xeon Gold 6258R 2.7 GHz Processor (Turbo up to 4 GHz/AVX512 Support), and 384 GB DDR4 2933 MHz ECC Memory. To generate the leakage, we implemented the GES from [12] and we used the same machine for the client and the server. The cryptographic primitives were implemented using the PyCryptodome library version 3.10.1 [9]; for symmetric encryption we used AES-CBC with a 16B key and for collision resistant hash functions we used SHA-256. For the DES, we implemented Πbas from [4] and generated the tokens using HMAC with SHA-256 truncated to 128 bits. The shortest paths of the graphs were computed using the single_source_shortest_path algorithm from the NetworkX library version 2.6.2 [8]. We used our own implementation of the AHU algorithm. Our attack is highly parallelizable, and we exploited this when implementing our attack. We evaluate our attacks on 8 real world datasets, the details of the datasets can be found in Appendix C. We also deployed our attacks on random graphs, the results of which can be found in the full version[10]. 5.1

Query Reconstruction Results

We carried out our attack on the Internet Routing, CA-GrQc, email-EU-Core, facebook-combined, and p2p-Gnutella08 datasets; The online portion of the attack (Algorithm 3) given all queries ran in 0.087 s, 0.093 s, 5.807 s, 102.670 s, and 339.957 s for each dataset, respectively. For the first four datasets, we also ran attacks given 75% and 90% of the queries averaged over 10 runs and sampled as follows: The start vertex was chosen uniformly at random and the end vertex was chosen with probability linearly proportional to its out degree in the original graph. This simulates a more realistic setting in which certain “highly connected” destinations are chosen with higher frequency. The results of these experiments can be found in Figs. 2 and 3. Queries can be reconstructed with

An Efficient Query Recovery Attack Against a Graph Encryption Scheme

339

Fig. 2. CDFs for QR of the data sets after observing (top) 75%, (middle) 90%, and (bottom) 100% of the queries. On the x axis we plot the number of candidate queries output by our attack and on the y axis we plot the percent of total queries. The red dotted lines indicate the 50th, 90th, and 99th percentiles. Because of Ca-GrQC’s high symmetry, complete query trees could only be constructed after at least 80% of the queries were observed and hence its first graph is omitted. (Color figure online)

just 75% of the queries. In fact, with high probability, we start seeing complete query trees with as few as 20% of the queries for the facebook-combined dataset. For the remaining datasets we ran simulations to demonstrate the success that an adversary could achieve given 100% of the queries. Our simulations were carried as follows. Given G, the SDSP trees and the path names for each vertex in these trees were computed, and then a dictionary mapping each query in G to the set of candidate queries was constructed by identifying queries whose starting vertices have the same path name. The simulations only used the plaintext graph and the results show the success that an adversary would achieve in an end-toend attack. In practice, our attack can be run on larger datasets by writing the map out to a back-end key-value store. These results can be found in Fig. 3. In Table 1 we report the percent of uniquely recoverable queries when the attack is run on the set of all query trees. Uniquely recoverable queries are

340

F. Falzon and K. G. Paterson

queries whose responses result in only one candidate. CA-GrQc had the smallest percentage of uniquely recoverable queries (0.145%) and the p2p-Gnutella04 had the largest percentage (21.911%). The small percentage for CA-GrQc can be attributed to its high density (d = 0.995), where density is defined as d = 2m/(n · (n − 1)). The CA-GrQc graph is nearly complete, and its SDSP trees display a high degree of symmetry. In fact, many of the query trees are isomorphic to the majority of SDSP trees, and the majority of SDSP trees have a star shape. Each non-root vertex in a star tree has the same path name, resulting in a large number of possible candidates per token sequence. In Figs. 2 and 3, we plot the CDFs of our experiments. The Gnutella data sets exhibit a high recovery rate as a result of asymmetry and low density. 50% of all queries for p2p-Gnutella08, p2p-Gnutella04, p2p-Gnutella25, p2p-Gnutella30 result in at most 4, 3, 5, 5 candidate query values, respectively. Details of the 50th, 90th, and 99th percentiles can be found in Table 1.

6

Discussion

We have given a query recovery attack against the GKT graph encryption scheme from [12]. The attack model we consider is strong, but it fits within the model used in [12]. A variant of our attack for a network adversary is described in the full version [10]. Ghosh et al. [12] recommend combining the scheme with other mitigation techniques, like refreshing the key periodically. While this reduces the chance that an adversary sees a complete query tree, we note that this is not very efficient. The question of whether more practical techniques can be applied remains open. This paper highlights the need for detailed cryptanalysis of GESs. The value of such analysis was recognised in [12] but omitted on the grounds that the impact of the leakage is application-specific. Our view is that such analysis should be done in tandem with security proofs (establishing leakage profiles) at the same time as schemes are developed. Of course, attacks should be assessed with respect to real-world datasets whenever possible, as we do here. We note that our attack works when a complete tree has been observed; one interesting open question is to extend our attack to arbitrary subsets of queries: then the adversary can construct query subtrees and attempt to identify isomorphic embeddings of them into the SDSP trees. Our attack leaves open the question of whether other GESs can be similarly attacked. Acknowledgements. This research was supported in part by the ThinkSwiss Research Scholarship, ETH Zürich, and the U.S. National Science Foundation. Work by F.F. performed in part while visiting ETH Zürich.

A

A Detailed Description of the GKT Scheme

At setup, the client generates two secret keys: one for a symmetric encryption scheme SKE, and one for a dictionary encryption scheme DES. It takes the input

An Efficient Query Recovery Attack Against a Graph Encryption Scheme

341

graph G and computes the SP-matrix M [i, j]. It then computes a dictionary SPDX such that for each pair of vertices (vi , vj ) ∈ V ×V , we set SPDX[(vi , vj )] = (w, vj ) if i = j and in the SP-matrix we have M [i, j] = w for some vertex w. The client then computes a second dictionary SPDX as follows. For each label-value pair (lab, val) in SPDX the following steps are carried out. A search token tk is computed from val using algorithm DES.Token and a ciphertext c is computed by encrypting val using SKE.Encrypt. Then SPDX [lab] is set to (tk, c). The resulting dictionary SPDX is then encrypted using DES.Encrypt to produce an output EDB, which is given to the server. Now the client can issue an SPSP query for a vertex pair (u, v) by generating a search token tk for (u, v) and sending it to the server. The server initializes an empty string resp and uses tk to search EDB and obtain a response a. If a =⊥, then it returns resp. Otherwise, it parses a as (tk , c), updates resp = resp||c and recurses on tk until ⊥ is reached on look-up. The server returns resp, a concatenation of ciphertexts (or ⊥) to the client. The client then uses its secret key to decrypt resp, obtaining a sequence of pairs val = (wk , v) from which the shortest path from u to v can be constructed.

B

Pseudocode for Attack

Algorithm 1: ComputePathNames Input: Rooted tree T = (V, E, r). Output: Dictionary PathNames. 1: // Compute the canonical name of T [v] for all v ∈ V . 2: Initialize empty dictionaries Names and PathNames and empty stack S 3: Names ← ComputeNames(T, r, Names) 4: h ← H 5: // Concatenate the canonical names into path names. 6: S.push(r); Mark r as explored 7: PathNames[r] ← h(Names[r]) 8: while S = ∅ do 9: v ← S.pop( ) 10: if v is not explored then 11: Let u be the parent of v 12: PathNames[v] = h(Names[v]PathNames[u]) 13: Mark v as explored 14: for children w of v do S.push(w) 15: return PathNames

342

F. Falzon and K. G. Paterson

Algorithm 2: PreprocessGraph Input: A graph G. Output: A multimap M mapping path names to sets of SPSP queries. 1: // Compute the set of SDSP trees from G. 2: Initialize an empty multimap M 3: Compute {Tv }v∈V by running all-pairs shortest path on G 4: for r ∈ V do 5: PathNames ← ComputePathNames(Tr ) 6: // Map path names to candidate queries. 7: for (v, path_name) in PathNames do 8: if path_name is a label in M then 9: M[path_name] ← M[path_name] ∪ {(v, r)} 10: else M[path_name] ← {(v, r)} 11: return M

C

Datasets

We evaluate our attacks on 6 of the same data sets as [12], the InternetRouting dataset from the University of Oregon Route Views Project, and the facebookcombined dataset [14]. InternetRouting and CA-GrQc were extracted using the dense subset extraction algorithm by Charikar [5] as implemented by Ambavi et al. [3]. Details about these datasets can be found in Table 1.

Algorithm 3: QueryMapping Input: A graph G and a set of query trees {Qi }i∈[n ] with n ≤ n. Output: A dictionary D mapping search tokens to path names. 1: Initialize empty dictionary D 2: for i ∈ [n ] do 3: // Compute the path names of each vertex in the query trees. 4: PathNames ← ComputePathNames(Qi ) 5: D ← D ∪ PathNames 6: return D

An Efficient Query Recovery Attack Against a Graph Encryption Scheme

343

Table 1. The datasets used in our experiments; n denotes the number of vertices and m the number of edges of the graph dataset. “% Unique” denotes the percent of queries that have one candidate. “% Min” denotes the minimum percent of queries needed to construct the set of all query trees (see Sect. 2.3). Dataset

n

m

% Unique % Min Percentile 50 90

99

InternetRouting

35

323

2.353%

94.1%

40

84

90

CA-GrQc

46

1030

0.145%

99.8%

1845

1845

1845

email-Eu-core

1005

16,706 6.507%

78.0%

16

69

190

facebook-combined 4039

88,234 0.206%

99.3%

p2p-Gnutella08

6301

20,777 21.463%

69.7%

4

p2p-Gnutella04

10,876 39,994 21.911%

68.1%

p2p-Gnutella25

22687 54705 16.075%

73.7%

p2p-Gnutella30

36682 88328 14.671%

74.6%

1826 11,424 20,480 12

64

3

9

32

5

18

54

5

24

60

Fig. 3. CDFs for QR after observing 100% of queries. An asterisk indicates that the results were obtained by simulating the attack (see Sect. 5 for details).

References 1. Aho, A.V., Hopcroft, J.E., Ullman, J.: Data Structures and Algorithms, 1st edn. Addison-Wesley Longman Publishing Co., Inc., Boston (1983) 2. Amazon: Amazon neptune (2021). https://aws.amazon.com/neptune/. Accessed 27 Oct 2021 3. Ambavi, H., Sharma, M., Gohil, V.: Densest-subgraph-discovery (2020). https:// github.com/varungohil/Densest-Subgraph-Discovery 4. Cash, D., et al.: Dynamic searchable encryption in very-large databases: data structures and implementation. In: 21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, California, USA, 23–26 February 2014. The Internet Society (2014). https://doi.org/10.14722/ndss.2014.23264 5. Charikar, M.: Greedy approximation algorithms for finding dense components in a graph. In: Jansen, K., Khuller, S. (eds.) APPROX 2000. LNCS, vol. 1913, pp. 84–95. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44436-X_10

344

F. Falzon and K. G. Paterson

6. Chase, M., Kamara, S.: Structured encryption and controlled disclosure. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 577–594. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_33 7. Cormen, T.H., Leiserson, C.E., Rivest, R.L., Stein, C.: Introduction to Algorithms, 3rd edn. The MIT Press, Cambridge (2009) 8. Developers, N.: Networkx, version 2.6.2 (2021). https://networkx.org/ 9. Developers, P.: Pycryptodome, version 3.10.1 (2021). https://www.pycryptodome. org/ 10. Falzon, F., Paterson, K.G.: An efficient query recovery attack against a graph encryption scheme. Cryptology ePrint Archive, Paper 2022/838 (2022). https:// eprint.iacr.org/2022/838 11. Floyd, R.W.: Algorithm 97: shortest path. Commun. ACM 5(6), 345 (1962). https://doi.org/10.1145/367766.368168 12. Ghosh, E., Kamara, S., Tamassia, R.: Efficient graph encryption scheme for shortest path queries. In: Proceedings of the 2021 ACM Asia CCS, pp. 516–525. ASIA CCS 2021, ACM, New York (2021). https://doi.org/10.1145/3433210.3453099 13. Goetschmann, A.: Design and Analysis of Graph Encryption Schemes. Master’s thesis, ETH Zürich (2020) 14. Leskovec, J., Krevl, A.: SNAP Datasets: Stanford large network dataset collection, June 2014. http://snap.stanford.edu/data 15. Low, Y., Bickson, D., Gonzalez, J., Guestrin, C., Kyrola, A., Hellerstein, J.M.: Distributed GraphLab: a framework for machine learning and data mining in the cloud. Proc. VLDB Endow. 5(8), 716–727 (2012). https://doi.org/10.14778/ 2212351.2212354 16. Meng, X., Kamara, S., Nissim, K., Kollios, G.: GRECS: graph encryption for approximate shortest distance queries. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 504–517. CCS 2015, ACM, New York (2015). https://doi.org/10.1145/2810103.2813672 17. Mouratidis, K., Yiu, M.L.: Shortest path computation with no information leakage. Proc. VLDB Endow. 5(8), 692–703 (2012). https://doi.org/10.14778/2212351. 2212352 18. Neo4j, I.: Neo4j (2021). https://neo4j.com/. Accessed 27 Oct 2021 19. Poh, G.S., Mohamad, M.S., Z’aba, M.R.: Structured encryption for conceptual graphs. In: Hanaoka, G., Yamauchi, T. (eds.) IWSEC 2012. LNCS, vol. 7631, pp. 105–122. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-341175_7 20. Sala, A., Zhao, X., Wilson, C., Zheng, H., Zhao, B.Y.: Sharing graphs using differentially private graph models. In: Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference, pp. 81–98. IMC 2011, ACM, New York (2011). https://doi.org/10.1145/2068816.2068825 21. Sealfon, A.: Shortest paths and distances with differential privacy. In: Proceedings of the 35th ACM SIGMOD-SIGACT-SIGAI Symposium on Principles of Database Systems, pp. 29–41. PODS 2016, ACM, New York (2016). https://doi.org/10.1145/ 2902251.2902291 22. Shao, B., Wang, H., Li, Y.: Trinity: a distributed graph engine on a memory cloud. In: Proceedings of the 2013 ACM SIGMOD International Conference on Management of Data, pp. 505–516. SIGMOD 2013, ACM, New York (2013). https://doi. org/10.1145/2463676.2467799 23. Venkataramani, V., et al.: Tao: How facebook serves the social graph. In: Proceedings of the 2012 ACM SIGMOD International Conference on Management of

An Efficient Query Recovery Attack Against a Graph Encryption Scheme

345

Data, pp. 791–792. SIGMOD 2012. Association for Computing Machinery, New York (2012). https://doi.org/10.1145/2213836.2213957 24. Wang, Q., Ren, K., Du, M., Li, Q., Mohaisen, A.: SecGDB: graph encryption for exact shortest distance queries with efficient updates. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 79–97. Springer, Cham (2017). https://doi.org/10.1007/9783-319-70972-7_5 25. Wu, D.J., Zimmerman, J., Planul, J., Mitchell, J.C.: Privacy-preserving shortest path computation. In: 23rd Annual Network and Distributed System Security Symposium, NDSS 2016, San Diego, California, USA, 21–24 February 2016. The Internet Society (2016). https://doi.org/10.14722/ndss.2016.23052

New Unbounded Verifiable Data Streaming for Batch Query with Almost Optimal Overhead Jiaojiao Wu1 , Jianfeng Wang1,2 , Xinwei Yong1 , Xinyi Huang3 , and Xiaofeng Chen1(B) 1

3

School of Cyber Engineering, Xidian University, Xi’an, China {jiaojiaowujj,xwyong}@stu.xidian.edu.cn {jfwang,xfchen}@xidian.edu.cn 2 Zhengzhou Xinda Institute of Advanced Technology, Zhengzhou, China Artificial Intelligence Thrust, Information Hub, Hong Kong University of Science and Technology (Guangzhou), Guangzhou, China [email protected]

Abstract. Verifiable Data Streaming (VDS) enables a resource-limited client to continuously outsource data to an untrusted server in a sequential manner while supporting public integrity verification and efficient update. However, most existing VDS schemes require the client to generate all proofs in advance and store them at the server, which leads to a heavy computation burden on the client. In addition, all the previous VDS schemes can perform batch query (i.e., retrieving multiple data entries at once), but are subject to linear communication cost l, where l is the number of queried data. In this paper, we first introduce a new cryptographic primitive named Double-trapdoor Chameleon Vector Commitment (DCVC), and then present an unbounded VDS scheme VDS1 with optimal communication cost in the random oracle model from aggregatable cross-commitment variant of DCVC. Furthermore, we propose, to our best knowledge, the first unbounded VDS scheme VDS2 with optimal communication and storage overhead in the standard model by integrating Double-trapdoor Chameleon Hash Function (DCH) and Key-Value Commitment (KVC). Both of our schemes enjoy constant-size public key. Finally, we demonstrate the efficiency of our two VDS schemes with a comprehensive performance evaluation.

Keywords: Verifiable data streaming Optimal overhead

1

· Data integrity · Batch query ·

Introduction

With the rapid development of IoT, 5G and cloud computing, a growing number of devices collect continuous and never-ending data streams and tend to outsource massive data streams to cloud servers. While it brings in inherent c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 346–366, 2022. https://doi.org/10.1007/978-3-031-17140-6_17

New Unbounded VDS for Batch Query with Almost Optimal Overhead

347

advantages such as ease of maintenance, convenient access, and lower costs, data outsourcing also results in data integrity concerns due to the untrusted cloud servers. Traditional solutions, such as Merkle Hash Tree (MHT) and Verifiable Database (VDB), can guarantee the integrity of the outsourced database and support data updates. However, these approaches either require frequent updates to the public verification key as data is appended or have an upper bound on the size of the database. Verifiable Data Streaming (VDS), initiated by Schr¨ oder and Schr¨ oder [14], enables a resource-limited client to outsource a (potentially unbounded) data stream D = (d1 , d2 , . . . ) to an untrusted server while supporting public integrity verification and efficient update. In particular, the public verification key remains unchanged as data entries are continuously appended to the database. However, their VDS scheme sets a prior upper bound on the database size. Recently, a line of research works [11,14,15,19] got rid of the upper bound and these schemes can be categorized into two different types: tree-based unbounded VDS scheme [11,14,15] and signature-based unbounded VDS scheme [11,19]. However, most practical scenarios require databases to support batch query that retrieves multiple data entries at once. The first type of unbounded VDS schemes [11,14,15], constructed by tree-based authentication data structures, can perform batch query, but are subject to linear communication cost l, where l is the number of queried data. The second type of unbounded VDS scheme [19] significantly reduces the query communication cost by using BLS signature and RSA accumulator. Concretely, this scheme can aggregate signatures to a single value relying on homomorphic properties of BLS signature and generate a constantsize non-membership witness for these signatures using a batching technique of RSA accumulator [3]. Nevertheless, the size of the auxiliary proof information (i.e., signature identifiers) is linear in the size of a batch query, which cause high communication costs. In addition, most existing VDS schemes [11,14,15,19] require that the client generates all proofs in advance and stores them at the server for subsequent integrity verification, which leads to a heavy computation burden on the client and huge storage overhead on the server, respectively. To this end, a naive solution is to transfer the proof generation from the client to the server. However, this approach may suffer from a key exposure problem or even fail to support the integrity verification. Therefore, it is still challenging to design a secure and efficient unbounded VDS scheme supporting batch queries. Our Contributions. In this paper, we put forward two new unbounded VDS schemes VDS1 and VDS2 for batch query with almost optimal overhead in random oracle model and standard model, respectively. Both of our schemes enjoy constant-size public key. A comprehensive comparison of our schemes with previous works is shown in Table 1. In detail, our main contributions are summarized as follows. • We introduce a new cryptographic primitive, Double-trapdoor Chameleon Vector Commitment (DCVC), which allows us to transfer the computation of proof generation from the client to the server without key exposure to reduce client computation and server storage. Then we present an unbounded VDS

348

J. Wu et al. Table 1. Comparison with existing VDS schemes [14]

[15]

CVC [11]

ACC [11]

VADS [19]

VDS1

Unbounded

✗

✓

✓

✓

✓

✓

✓

Standard Model

✓

✗

✓

✓

✗

✗

✓

Scheme

VDS2

Size of Public Key

O(1)

O(1)

O(q 2 )

O(u)

O(1)

O(1)

O(1)

Server Storage

O(m)

O(n)

O(qn)

O(n+u)

O(n+u)

O(n)

O(1)

O(log2 m)

O(log2 n)

O(logq n)

O(1)

O(1)

O(1)

O(1)

O(l)

O(l)

O(1)

O(1)

Communication

|π| |πb |

Computation

O(l·log2 m) O(l·log2 n) O(l·logq n)

Append

O(log2 m)

O(log2 n)

O(1)†

O(1)

O(1)

O(1)

O(1)

Query

O(log2 m)

O(log2 n)

O(logq n)

O(u)

O(1)‡

O(logq n)

O(n)

Verify

O(log2 m)

O(log2 n)

O(logq n)

O(1)

O(1)

O(logq n)

O(1)

Update O(log2 m) O(log2 n) O(q ·logq n) O(1) O(1) O(logq n) O(1) Note: m denotes the maximum database size. n is the current database size. u is the number of updates. l is the number of queried data in a batch query. q denotes the number of branches of a q-ary tree. |π| is the proof size of a single query. |πb | denotes the proof size of a batch query. †: In the CVC-based scheme [11], the server is required to perform an additional proof update with O(1) computational complexity after the client appends a data entry. ‡: In the recently proposed scheme [19], the query process contains an extended Euclidean algorithm with logarithmic time complexity.

scheme VDS1 with optimal communication cost in the random oracle model from a variant of DCVC with aggregatable cross-commitment. • We explore a new approach to construct an efficient unbounded VDS scheme VDS2 by leveraging Double-trapdoor Chameleon Hash Function (DCH) and Key-Value Commitment (KVC). To the best of our knowledge, our scheme VDS2 is the first unbounded VDS scheme with optimal communication cost and server storage in the standard model. • We implement our schemes VDS1 and VDS2 and perform a comprehensive evaluation and comparison. The results show that VDS1 and VDS2 are efficient in terms of communication cost, storage cost, and computation cost. 1.1

Related Work

Schr¨ oder and Schr¨ oder [14] introduced Verifiable Data Streaming (VDS) and presented the first VDS scheme based on Chameleon Authentication Tree (CAT). Their proposed scheme sets a fixed upper bound m on the database size, and the query communication and computation are logarithmic in this upper bound m. After that, Schr¨ oder and Simkin [15] put forward the first unbounded VDS scheme in the random oracle model to break the upper bound. Subsequently, Krupp et al. [11] proposed two unbounded VDS schemes in the standard model. The first scheme is constructed on Chameleon Vector Commitment (CVC) and a tree structure with logarithmic query communication. The second scheme is based on bilinear-map accumulator and signature scheme and has constant-size query communication, but the query computation is linear in the number of updates. However, all the previous VDS schemes are evaluated in a single query, and for batch query, the query communication of these scheme is increasing linearly with the number of queried data. Very recently, Wei et al. [19] presented an unbounded VDS scheme with data integrity auditing (VADS) in the random oracle model by using BLS signature and RSA accumulator. This scheme sig-

New Unbounded VDS for Batch Query with Almost Optimal Overhead

349

nificantly reduces the batch query communication, but it is still not optimal for batch query. In addition, other works to extend VDS, explore many practical applications, such as integrity preservation and range query. Xu et al. [22] and Sun et al. [17] considered privacy-preserving data integrity verification in VDS, while Chen et al. [6] and Miao et al. [13] proposed efficient integrity preservation schemes for data streaming. Tsai et al. [18] and Xu et al. [21] developed verifiable range query in data streaming. Most VDS schemes and their extensions require the client to generate all proofs in advance and store them at the server, which leads to heavy computation and storage burden on the client and server, respectively. Therefore, it is interesting to explore new approaches to designing unbounded VDS scheme for batch query with optimal query communication and server storage in the standard model.

2

Preliminaries

In this section, we briefly review the hardness assumption and cryptography tools used in this work. 2.1

Hardness Assumption

Definition 1 (Strong RSA Problem). Given an RSA modulus N = pq and a random value g ∈ Z∗N , where p and q are two distinct prime number. The strong RSA assumption holds, if for any probabilistic polynomial-time (PPT) adversary A and a security parameter λ the probability of outputting a tuple (y, e) s.t. y e = g mod N is negligible, namely, Pr[A(N, g) → (y, e) : y e = g mod N ] ≤ negl(λ). 2.2

Double-Trapdoor Chameleon Hash Function

A Double-trapdoor Chameleon Hash Function (DCH) [8,9] is a probabilistic hash function with collision resistance, which allows one holding hash trapdoors to find collisions. In particular, a DCH scheme has double hash trapdoors including the long-term and one-time trapdoors, and the long-term trapdoor is never exposed. The DCH scheme in [8] consists of the following algorithms DCH = (DCHKGen, DCHTGen, DCH, DCHCol): • DCHKGen(1λ ): It takes a security parameter λ as input, chooses at random a def

∗ ∗ λ-bit safe prime p s.t. q = p−1 2 is also a prime, picks x ∈R Zq and g ∈ Zp with x prime order q, and computes Y = g mod p. Finally, it outputs the public parameters pp = (p, q, g) and a long-term hash/trapdoor key pair (Y, x). The message space is M = Zq . • DCHTGen(pp): It chooses at random k ∈R Z∗q , computes K = g k mod p, and outputs a one-time hash/trapdoor key pair (K, k).

350

J. Wu et al.

• DCHpp (Y, K, m, r): It takes a message m, a random element r ∈ Zq and the long-term/one-time public hash keys (Y, K), and outputs a hash value DCh(m, r) = (KY )m g r mod p. • DCHColpp (x, k, m, r, m ): It takes a message m, a random element r, another message m and the long-term/one-time trapdoors (x, k), and finally outputs a collision r = r + (k + x)(m − m ) mod q, s.t. DCh(m, r) = DCh(m , r ). 2.3

Key-Value Commitment

A Key-Value Commitment (KVC) [1] is a cryptographic primitive, which allows one to commit key-value tuples {(k1 , v2 ), (k2 , v2 ), . . . } and to later open the commitment at any key, and supports adding new key-value tuples and updating the old value to a new one at an existing key. The commitment size and the proof size are independent of the number of the tuples1 . The KVC scheme in [1] consists of the following algorithms KVC = (KGen, KAppend, KUpdate, KOpen, KVer): • KGen(1λ , l): It takes a security parameter λ and an integer l ∈ N as input, and chooses two λ/2-bit primes p1 and p2 at random, sets N = p1 p2 , picks g ∈ Z∗N , determines a deterministic collision-resistant function PrimeGen that maps integers to l + 1-bit primes, initials the commitment C ← (1, g) and the auxiliary information aux ← ∅. Finally, it outputs (pp, C, aux) ← ((N, g, PrimeGen), (1, g), ∅). The message space is M = {0, 1}l . • KAppendpp (C, i, mi , aux): It takes C = (C1 , C2 ), a new message mi , its position i and the auxiliary information aux, updates C ← (C1 ei · C2 mi mod N, C2 ei mod N ) where ei ← PrimeGen(i), and appends (i, mi ) into aux, i.e., aux ← aux ∪ {(i, mi )}. Finally, it outputs the updated C and aux. • KUpdatepp (C, i, mi , mi , aux): It takes C = (C1 , C2 ), the old message mi , a  new message  mi , the position i and the auxiliary information aux, updates ei mi −mi C ← (C1 · C2 mod N, C2 ) where ei ← PrimeGen(i), and replaces the i-th message mi with mi in aux. Finally, it outputs the updated C and aux. • KOpenpp (i, mi , aux): It takes the position i and aux = (m1 , . . . , mn ), computes  n m n Si ← g j=1,j=i ej mod N and Λi ← ei j=1,j=i Sj j mod N , and finally outputs a proof πi ← (Si , Λi ) that mi is the i-th committed message. • KVerpp (C, i, mi , πi ): It takes C = (C1 , C2 ), the message mi , its proof πi = (Si , Λi ) and its position i, and checks if Si ei = C2 mod N ∧ C1 = Si mi · Λei i mod N where ei ← PrimeGen(i). If true, it outputs 1, else outputs 0. Batch Opening: Next, we show that the above KVC supports batch openings (also called subvector openings [3,4,12]). 1

In this work, we simply consider that the keys are integers {1, 2, . . . }.

New Unbounded VDS for Batch Query with Almost Optimal Overhead

351

• KBatchOpenpp (I, mI , aux): It takes an ordered position set I = {i1 , . . . , i|I| } ⊂ [n] of the message vector mI = (mi1 , . . . , mi|I| ) and the auxn / ej and iliary information aux = (m1 , m2 , . . . , mn ), computes SI ← g j=1,j ∈I   mj n mod N where eI ← i∈I ei , and finally outputs a ΛI ← eI j=1,j ∈I / Sj proof πI := (SI , ΛI ) that mI is the I-subvector of the committed message. • KBatchVerpp (C, I, mI , πI ): It takes C = (C1 , C2 ), the message subvector mI , its proof πI = (SI , ΛI ) and its position set I, and checks if  Si mi · ΛeII mod N SI eI = C2 mod N ∧ C1 = i∈I



where eI ← i∈I ei and Si ← SI eI\{i} for every i ∈ I. If true, it outputs 1, else outputs 0. 2.4

Verifiable Data Streaming

VDS [11,14] is a protocol between a client and a server, which consists of the following algorithms VDS = (Setup, Append, Query, Verify, Update). • Setup(1λ ): It takes a security parameter λ as input and generates a key pair (pk, sk). It outputs the public verification key pk to the server and the secret key sk to the client. • Append(sk, d): It takes the secret key sk and a data entry d as inputs. Then the client sends an append request to the server and the server stores this new data entry d in the database DB. Finally, it may output an updated secret key sk  to the client, but the public verification key does not change. • Query(pk, DB, i): It takes the public verification key pk, the database DB and a queried index i. Finally, it outputs the i-th data entry (i, d) along with a proof πi to the client. • Verify(pk, i, d, πi ): It takes the public verification key pk and the query response (i, d, πi ) as inputs. If d is the i-th data entry in DB according to πi , it outputs d, otherwise it outputs ⊥. • Update(pk, sk, DB, i, d ): It runs between the server and the client. Finally, the server updates the i-th data entry d with a new data entry d and the client updates the public verification key to pk  as well as the secret key to sk  . We describe the security of VDS by the following experiment VDSsecVDS A (λ). Setup: The challenger runs (sk, pk) ← Setup(1λ ), sets up an empty database DB, and sends the public verification key pk to the adversary A. Challenge: When the adversary A appends a new data entry d, the challenger runs (sk  , i, πi )←Append(sk, d) to append d to its database, and then returns (i, πi ) to the adversary. When the adversary A updates the i-th data entry giving a new data entry d , the challenger runs Update(pk, sk, DB, i, d ) with the adversary A and then returns (i, πi ) to the adversary. The challenger will

352

J. Wu et al.

always keep the latest public key pk ∗ and an ordered sequence of the database Q = {(1, d1 ), . . . , (q(λ), dq(λ) )}. Guess: The adversary A outputs a guess (i∗ , d∗ , π ∗ ), and the experiment outputs / Q. 1 if d∗ ← Verify(pk ∗ , i∗ , d∗ , π ∗ ), d∗ = ⊥ and (i∗ , d∗ ) ∈ Definition 2 (VDS Security). A VDS scheme is secure if for all λ ∈ N and any PPT adversary A, its advantage Pr[VDSsecVDS A (λ) = 1] ≤ negl(λ) is negligible.

3

Double-Trapdoor Chameleon Vector Commitment

In this section, we first introduce a new cryptographic primitive, Doubletrapdoor Chameleon Vector Commitment (DCVC). Then we present a DCVC construction based on RSA and a variant of it with cross-commitment aggregation. 3.1

Definition of DCVC

DCVC is an enhancement of Chameleon Vector Commitment (CVC) [11]. Both of them allow one to commit a vector (m1 , . . . , mq ) and to open the commitment at any position, and one holding trapdoors can find a collision without changing the commitment. In particular, CVC provides a single trapdoor and may suffer from key exposure [2,7], while DCVC enjoys double trapdoors, master trapdoor and specific trapdoor, which may be key-exposure free. A DCVC scheme consists of the following algorithms: • DCGen(1λ , q): It takes a security parameter λ and the size of a vector q, then outputs a public parameter pp, a master trapdoor td1 and a specific trapdoor td2 . • DCCompp (m1 , . . . , mq ): It takes q ordered message vector (m1 , . . . , mq ), and outputs a commitment C and the auxiliary information aux. • DCOpenpp (i, m, aux): It takes the index i, the corresponding message m, and aux, outputs a proof π that m is the i-th message in the committed vector. • DCVerpp (C, i, m, π): It takes the commitment C, the i-th message m and the corresponding proof π, and outputs 1 iff π is a valid proof that C was generated for (m1 , . . . , mq ) s.t. mi = m. • DCColpp (i, m, m , td1 , td2 , aux): It takes the trapdoors td1 and td2 , the index i, a message m, another message m , and aux, then outputs an updated aux after finding a collision s.t. (C, aux ) is indistinguishable from the output of CCompp (m1 , . . . , m , . . . , mq ). • DCUpdatepp (C, i, m, m ): It takes the old commitment C, the old message m, a new message m , and the corresponding index i, then outputs a new commitment C  and an update information U . • DCProofUpdatepp (C, πj , j, U ): It takes the commitment C, the old proof πj at the position j, and the update information U , then outputs an updated proof πj that is valid with regard to the new commitment C  .

New Unbounded VDS for Batch Query with Almost Optimal Overhead

353

Definition 3 (Concise). A DCVC scheme is concise if the commitment size and the proof size are independent of the vector size q. Definition 4 (Correctness). A DCVC scheme is correct if for all λ ∈ N, any vector size q, a vector (m1 , . . . , mq ) and any index i ∈ {1, . . . , q}, we have ⎤ (pp, td1 , td2 ) ← DCGen(1λ , q) Pr ⎣ DCVerpp (C, i, m, π) = 1 : (C, aux) ← DCCompp (m1 , . . . , mq ) ⎦ = 1. π ← DCOpenpp (i, m, aux) ⎡

Definition 5 (Position Binding). A DCVC scheme is position-binding if for any PPT adversary A, the probability generating two valid proofs for different messages (m, m ) at the same position i is negligible. Formally, for all λ ∈ N and any PPT adversary A, the advantage of A winning the below experiment (λ) = 1] ≤ negl(λ) is negligible. Pr[PosBdgDCVC A Definition 6 (Indistinguishable Collisions). A DCVC scheme has indistinguishable collisions if for all λ ∈ N and any stateful PPT adversary A = (A0 , A1 ), (λ) = 1] ≤ negl(λ) its advantage of winning the below experiment Pr[CollndDCVC A is negligible. Experiment PosBdgDCVC (λ) A (pp, td1 , td2 ) ← DCGen(1λ , q) (C, i, m, m , π, π  ) ← ADCCol (pp) store (C, i) queried to DCCol in Q if m = m ∧ (C, i) ∈ /Q ∧ DCVerpp (C, i, m, π) ∧ DCVerpp (C, i, m , π  ) output 1 else output 0

3.2

Experiment CollndDCVC (λ) A (pp, td1 , td2 ) ← DCGen(1λ , q) b ← {0, 1} ((m1 , . . . , mq ), (i, mi )) ← A0 (pp, td1 , td2 ) (C0 , aux∗ ) ← DCCompp (m1 , . . . , mi , . . . , mq ) aux0 ← DCColpp (C0 , i, mi , mi , td1 , td2 , aux∗ ) (C1 , aux1 ) ← DCCompp (m1 , . . . , mi , . . . , mq ) b ← A1 (Cb , auxb ) if b = b output 1 else output 0

DCVC Based on RSA

We present a DCVC scheme based on RSA, which exquisitely combines RSAbased vector commitment [5] with chameleon hash without key exposure [2, 10]. Furthermore, we develop a variant with cross-commitment aggregation. The details of our scheme DCVC is described as follows: • DCGen(1λ , l, q): It takes a security parameter λ and two integer l, q ∈ N as inputs, chooses two λ/2-bit primes p1 and p2 at random, sets N = p1 p2 , picks g ∈ Z∗N randomly, determines a deterministic collision-resistant function PrimeGen that maps integers to primes with length l+1 bits. Then it computes q primes e1 , . . . , eq that are relatively prime to φ(N ) = (p1 − 1)(p2 − 1), where ei ← PrimeGen(i) for i = 1, . . . , q. Finally, it outputs the public parameter pp ← (N, g, PrimeGen), the master trapdoor td1 ← {p1 , p2 }, and the specific trapdoor td2 ← {di }i=1,...,n , where di is computed s.t. ei di = 1 mod φ(N ). The message space is M = {0, 1}l .

354

J. Wu et al.

• DCCompp (m1 , . . . , mq ): It takes a message vector (m1 , . . . , mq ) as input, q Si ← g j=1,j=i ej for i = 1,. . ., q. chooses r ← Z∗N randomly, and computes  q m Finally, it outputs C ← S1m1 · · ·Sq q r i=1 ei mod N and aux ← (m1 ,. . ., mq ; r). 1/e • DCOpenpp (i, m, aux): It computes Sj i ← g e[q]\{i,j} for each j ∈ [q] \ {i}, and  q m q outputs π ← ei j=1,j=i Sj j · r j=1,j=i ej mod N . • DCVerpp (C, i, m, π): If C = Si m · π ei mod N output 1, else output 0.  • DCColpp (C, i, m, m , td2 , aux): It computes r ← r · (g di )m−m and outputs aux ← (m1 ,. . ., m ,. . ., mq ; r ).  • DCUpdatepp (C, i, m, m ): It computes C  ← C · Sim −m mod N , then outputs C  and U = (i, m, m ).  • DCProofUpdatepp (C, πj , j, U ): If j = i, it computes πj ← πj · (Sim −m )1/ej mod N , else πj ← πj . Cross-Commitment Aggregation. Now we show that our scheme DCVC is aggregatable across multiple commitments, which means that different openings from different commitments (e.g., πi,ki and πj,kj at the position ki and kj of the commitments Ci and Cj , respectively) can be merged into a single concise opening π. Moreover, this aggregated proof can be further aggregated, namely crosscommitment incremental aggregation. Assume that π ˆ is already an aggregated proof of l − 1 commitments {Cj , kj , mj,kj , πj,kj }j∈[l−1] . The cross-commitment aggregation and verification algorithms are shown as follows: • DCAggCrosspp ({kj }j∈[l−1] , π ˆ , (Cl , kl , ml,kl , πl,kl )): Case 1 : If kl ∈ / {kj }j∈[l−1] , compute ˆ · (πl,kl )tl ekl /eK mod N ρK ← π

and

ρl ← π ˆ eK /ekl · (πl,kl )tl mod N,

and then generate an aggregated proof π ← ShamirTrick(ρK , ρl , eK , ekl ) [16]. Case 2 : If kl ∈ {kj }j∈[l−1] ,  compute π ← π ˆ · πl,kl tl ekl /eK . Note that tl ← H(l, Cl , kl , ml,kl ) and eK ← j∈[l−1] ekj . • DCAggVerpp ({Cj , kj , mj,kj }j∈[l] , π): If the following equation holds output 1, else output 0. Note that tj ← H(j, Cj , kj , mj,kj ).  j∈[l]

Cj tj =



 j∈[l] ek

tj mj,kj gcd(e ,...,ej ) k1 kl Sk j π

mod N.

j∈[l]

Concise. It is obvious that the commitment size and the proof size are independent of the vector size q. Correctness. The correctness of DCVC is straightforward and the correctness of cross-commitment aggregation comes from the correctness of DCVC and Shamir’s trick [16]. More details are shown in the full version of this paper [20]. Security. Our scheme DCVC is secure. The proof of position binding is detailed in the following, and the proofs of indistinguishable collisions and key exposure freeness are given in the full version [20] due to space constraints.

New Unbounded VDS for Batch Query with Almost Optimal Overhead

355

Theorem 1 (Position Binding). If the strong RSA assumption holds, the above scheme DCVC is position binding. (λ) Proof. Suppose there exists an adversary A who wins the game PosBdgDCVC A by producing two valid proofs to two different messages at the same position. We build a simulator B that may break the strong RSA assumption. The simulator B takes a strong RSA problem instance (N, z) as input. The simulator B will use A to compute (y, e) s.t. z = y e mod N as follows. First, B selects a random i ← {1, . . . , q} as a guess for the index i on which A will break the position binding. Next, B sets ei ← PrimeGen(i) and g ← z. For j = 1, . . . , q, j = i the rest of the public parameters and trapdoors is computed as described by DCGen algorithm. The adversary A is supposed to output (C, m, m , j, π, π  ) such that m = m and both π, π  are valid proofs at position j. If j = i, the simulator B aborts the simulation. Otherwise B proceeds as follows. Indeed, 

Si m · π ei = Si m · π ei

=⇒



Si m−m = (π  /π)ei .

Let Δ = m − m and Λ = π  /π, the equation above can be rewritten as gΔ

 j=i

ej

= (Λ)ei .

Clearly, the absolute value of Δ is less than l bits and e1 , . . . , eq are (l + 1)-bit primes, it follows that gcd(Δ j=i ej , ei ) = 1. We can get an ei -root of g by use the Shamir’s  trick [16]. Concretely, we can compute two integers α and β such that αΔ j=i ej + βei = 1 using the extended Euclidean algorithm. Thus, g = g αΔ

 j=i

ej +βei

= (g Δ

 j=i

) · g βei = (Λα )ei · (g β )ei = (Λα g β )ei .

ej α

(λ) with probability , then Therefore, if A succeeds in the game PosBdgDCVC A B successfully breaks the strong RSA assumption with probability /q.

4

Verifiable Data Streaming from DCVC

In this section, we propose our first scheme VDS1 with optimal query communication from our scheme DCVC, and show that VDS1 is secure in the random model. 4.1

Our Construction

Our scheme VDS1 consists of five algorithms VDS1 = (Setup, Append, Query, Verify, Update), which is based on our scheme DCVC and a q-ary tree. For sake of readability, we briefly describe the construction of the q-ary tree. In a q-ary tree, every node is a DCVC of a q +1-size vector. The first element of each vector is the data entry, and the q remaining elements are q children nodes (or 0 when children nodes do not exist). Particularly, the root node of the tree is initialized

356

J. Wu et al.

to a DCVC of a zero vector and a new node is appended into the tree by finding a collision in its parent node. Note that the nodes are appended to the tree from left to right and the tree grows from top to bottom. According to the structure of q-ary tree, we have three functions as following: • parent(i) = i−1 q  is the index of the parent of the node i. • #child(i) = ((i − 1) mod q) + 2 is the position that the node i is inserted into its parent. • level(i) = logq ((q − 1)(i + 1) + 1) − 1 is the level that the node i is appended in the tree. Next, we give a brief description of our scheme VDS1 , the details of which are shown in Algorithm 1. • Setup(1λ , l, q): The client generates (pp, td1 , td2 ) ← DCGen(1λ , l, q + 1), initializes a counter cnt ← 0, and picks a random key k ← {0, 1}λ for a secure pseudorandom function f . Then the client computes r0 ← f (k, 0) and the tree root (C0 , aux0 ) ← DCCompp (0, . . . , 0; r0 ). Finally, it outputs the secret key sk ← (td1 , td2 , cnt, k) and public key pk ← (pp, C0 ). • Append(pk, sk, d): When appending a new data entry d, the client first parses sk = (td1 , td2 , cnt, k) and obtains the index of the new data entry i ← cnt + 1, the index of its parent node p ← parent(i), the position j ← #child(i) that this data entry will be inserted into its parent, and cnt ← cnt + 1. Next, the client computes a new node (Ci , auxi ) ← DCCompp (0,. . ., 0; ri ) where ri ← f (k, i). To insert a new data entry d into the new node Ci , the client finds a collision by computing auxi ← DCColpp (Ci , 1, 0, d, td1 , td2 , auxi ). To append the new node Ci in the tree, the client recomputes the parent node (Cp , auxp ) ← DCCompp (0, . . . , 0; rp ) where rp ← f (k, p) and runs auxp ← DCColpp (Cp , j, 0, Ci , td1 , td2 , auxp ) to insert Ci as the j-th element of Cp . Finally, the client sends (i, d, Ci , ri , rp ) to the server. • Query(pk, DB, i): When querying the i-th data entry, the server first obtains the level L ← level(i) of the node i, and then generates an aggregated proof (π, C) along the authentication path by running algorithm (see Algorithm 1 for details), finally sends the data and its proof (i, d, π, C) to the client. • Verify(pk, i, d, π, C): The verifier (including the client) parses pk = (pp, C0 ), verifies (i, d, π, C) (see Algorithm 1). If v = 1 output d, otherwise output ⊥. • Update(pk, DB, i, d ): The client and the server perform the update protocol. 1. To update the data entry d to d with the index i, the client first retrieves the data entry d. Concretely, the client sends the index i and a new data entry d to the server. Then the server and the client run Query(pk, DB, i)→(i, d, π, C) and Verify(pk, i, d, π, C)→d/⊥ respectively. 2. When the query is validated, the client determines the level L ← level(i) of the updated node and then computes a new root C0 as shown in Algorithm 1. Finally, it updates the public key pk = (pp, C0 ). 3. The server writes the new data entry d into DB and runs the same algorithm to update all commitments (CL , . . . , C0 ) along the path.

New Unbounded VDS for Batch Query with Almost Optimal Overhead

357

Algorithm 1. VDS from DCVC (VDS1 ) Setup(1λ , l, q)

 Client

(pp, td1 , td2 ) ← DCGen(1λ , l, q + 1) cnt ← 0, k ← {0, 1}λ r0 ← f (k, 0) (C0 , aux0 ) ← DCCompp (0, . . . , 0; r0 )  aux0 = (0, 0, . . . , 0; r0 ) 5: sk ← (td1 , td2 , cnt, k) 6: pk ← (pp, C0 ) 7: return (sk, pk) Append(pk, sk, d)  Client

1: 2: 3: 4:

1: 2: 3: 4: 5: 6: 7: 8: 9:

i ← cnt + 1, p ← parent(i), j ← #child(i) cnt ← cnt + 1 ri ← f (k, i) (Ci , auxi ) ← DCCompp (0, . . . , 0; ri )  auxi = (0, 0, . . . , 0; ri ) auxi ← DCColpp (Ci , 1, 0, d, td1 , td2 , auxi )  auxi = (d, 0, . . . , 0; ri ) rp ← f (k, p) (Cp , auxp ) ← DCCompp (0, . . . , 0; rp )  auxp = (0, . . . , 0, . . . , 0; rp ) auxp ← DCColpp (Cp , j, 0, Ci , td1 , td2 , auxp )  auxp = (0, . . . , Ci , . . . , 0; rp ) return (i, d, Ci , ri , rp )

Query(pk, DB, i)

 Server

1: Pos ← ∅, C ← 1 2: L ← level(i) 3: πi,1 ← DCOpenpp (1, d, auxi ) 4: π ← πi,1 5: Pos ← Pos ∪ {1} 6: a ← i 7: b ← parent(i) 8: for h ∈ [L − 1, 0] do 9: c ← #child(a) 10: πb,c ← DCOpenpp (c, Ca , auxb ) 11: π ← DCAggCrosspp (Pos,π,(Cb ,c,Ca ,πb,c )) 12: C ← C · Ca ta  ta ← H(a) 13: Pos ← Pos ∪ {c} 14: a←b 15: b ← parent(b) 16: end for 17: return (i, d, π, C)

 Client

Verify(pk, i, d, π, C)

1: e ← e1 ,S ← 1  e1 ← PrimeGen(1) 2: L ← level(i) q+1 e 3: S ← S · S1 ti di  S1 ← g j=1,j=1 j 4: a ← i 5: b ← parent(i) 6: for h ∈ [L − 1, 0] do 7: c ← #child(a) q+1 e 8: S ← S · Sc tb Ca  Sc ← g j=1,j=c j 9: if gcd(e, ec ) = 1 then 10: e ← e · ec  ec ← PrimeGen(c) 11: end if 12: a←b 13: b ← parent(b) 14: end for 15: if C · C0 t0 = S · πe then return d 16: else return ⊥ 17: end if Update(pk, DB, i, d )

 Client & Server

Client: 1: send (i, d ) to server Server : 2: (i, d, π˜ ) ← Query(pk, DB, i) Client: 3: d/⊥ ← Verify(pk, i, d, π˜ ) Client & Server : 4: if d ← Verify(pk, i, d, π˜ ) then 5: (Ci , Ui ) ← DCUpdatepp (Ci , 1, d, d ) 6: a←i 7: b ← parent(i) 8: for h ∈ [L − 1, 0] do 9: c ← #child(a) 10: (Cb , Ub ) ← DCUpdatepp (Cb , c, Ca , Ca ) 11: a←b 12: b ← parent(b) 13: end for 14: end if 15: return (CL , . . . , C0 )

Batch Query: Now, we show that VDS1 supports batch query and verifying. • BatchQuery(pk, DB, I): When performing query on the index set I = {i1 ,. . ., il } sent from the client, the server obtains the level Li ← level(i) of the node i ∈ I and then generates an aggregated proof by running Algorithm 2. Finally, the server sends the data and its proof (I, dI , π, C) to the client. • BatchVerify(pk, I, dI , π, C): The verifier (including the client) parses pk = (pp, C0 ) and verifies the proof as Algorithm 2. If the equation holds then output dI , otherwise output ⊥.

358

J. Wu et al.

Algorithm 2. Batch Query and Verify BatchQuery(pk, DB, I)

 Server

23: return (I, d I , π, C) BatchVerify(pk, I, d I , π, C)

 Client 1: Pos ← ∅, C ← 1 2: for i ∈ I do 1: e ← e1 ,S ← 1  e1 ← PrimeGen(1) 3: Li ← level(i) 2: for i ∈ I do 4: πi,1 ← DCOpenpp (1, di , auxi ) 3: Li ← level(i) q+1 5: if Pos = ∅ then e 6: π ← πi,1 4: S ← S · S1 ti di  S1 ← g j=1,j=1 j 7: else 5: a←i 8: π ← DCAggCrosspp (Pos,π,(Ci ,1,di ,πi,1 )) 6: b ← parent(i) 9: end if 7: for h ∈ [Li , 0] do 10: Pos ← Pos ∪ {1} 8: c ← #child(a) q+1 11: a←i e 9: S ← S · Sc tb Ca  Sc ← g j=1,j=c j 12: b ← parent(i) 10: if gcd(e, ec ) = 1 then 13: for h ∈ [Li − 1, 0] do 11: e ← e · ec  ec ← PrimeGen(c) 14: c ← #child(a) 12: end if 15: πb,c ← DCOpenpp (c, Ca , auxb ) a←b 16: π ← DCAggCrosspp (Pos,π,(Cb ,c,Ca ,πb,c )) 13: 14: b ← parent(b) 17: C ← C · Ca ta  ta ← H(a) 15: end for 18: Pos ← Pos ∪ {c} 16: end for 19: a←b 17: if C · (C0 t0 )|I| = S · πe then return d I 20: b ← parent(b) 18: else return ⊥ 21: end for 19: end if 22: end for

4.2

Security Analysis

Theorem 2 (Secure VDS). If f is a pseudorandom function and DCVC is position binding, then our scheme VDS1 is secure. Proof. The proof of the theorem proceeds through hybrid games [11]. It starts 1 with the real game VDSsecVDS (λ) and ends with a hybrid game where the pseuA dorandom function f is replaced by a random function, then these two games are computationally indistinguishable. 1 Game G0 : This is the real VDS security game VDSsecVDS (λ), so we have A VDS1 Pr[VDSsecA (λ) = 1] = Pr[G0 = 1].

Game G1 : This game is identical to G0 except the pseudorandom function f is replaced with a random function. By assuming f is pseudorandom, we immediately get that Pr[G0 = 1] − Pr[G1 = 1] = negl(λ). In this game, we proceed by the contradiction. Assume there exists an adversary A that can win with non-negligible advantage in the game G1 . Then we can construct an efficient reduction B that uses A to break the security of DCVC. The reduction B proceeds in two case. ˆ be the tuple returned by the adversary at end of the game. ˆ , C) Let (i∗ , d∗ , π ˆ = d∗ , ˆ , C) If the game G1 outputs 1, then it must hold that Verify(pk, i∗ , d∗ , π ∗ ∗ ∗ d = ⊥ and d = d, where d is the value with index i currently stored in the ˜ π , C). database. The honest authentication path of (i∗ , d) computed by B is (˜ ˆ and (˜ ˜ must end up at the Observe that both authentication paths (ˆ π , C) π , C) public root and they must deviate at some node in the path from i∗ up to the root. Then, we define the event Diffdata that the two authentication path

New Unbounded VDS for Batch Query with Almost Optimal Overhead

359

deviate exactly at i∗ , which means Ci∗ = Ci∗∗ . Obviously, Diffdata means that the adversary may return a valid authentication path that deviates from the correct path at the internal node. Thus, we have Pr[G1 = 1] = Pr[G1 = 1 ∧ Diffdata] + Pr[G1 = 1 ∧ Diffdata]. We show that Pr[G1 = 1∧Diffdata] and Pr[G1 = 1∧Diffdata] are negligible in two cases Diffdata and Diffdata respectively if our scheme DCVC is position binding. ˆ returned by the adverCase Diffdata: In this case, the authentication path (ˆ π , C) ˜ at i∗ , which means sary deviates from the correct authentication path (˜ π , C) ∗ Ci∗ = Ci∗ . The reduction B takes as input pp, computes the root (C0 , aux0 ) ← DCCompp (0, . . . , 0; r0 ) by sampling a randomness, and sets the counter cnt ← 0. Then, it sets pk ← (pp, C0 ) and runs A(pk) by simulating the game G1 . To answer the append queries of A, e.g., appending a data entry d, B runs Append(pk, sk, d) algorithm except that pseudorandom values are replaced by random values by sampling. Note that B does not know the trapdoors of DCVC, but it can directly compute the new node (Ci , auxi ) ← DCCompp (d, . . . , 0; ri ) for the data entry d instead of performing collision at the first position of the vector and use its collision oracle to append new nodes into the tree only when necessary. Note that B never uses its collision oracle at the position 1 in Case Diffdata. To answer the update queries of A, e.g., updating the data entry d at position i to a new entry d , B simply runs Update algorithm. Note that this not require the trapdoors of DCVC. ˆ at the end of the game. ˆ , C) The adversary outputs the tuple (i∗ , d∗ , π ˜ B computes the honest proof (˜ π , C) for the data entry d at the position ˆ = (π ∗∗ , C ∗∗ , . . . ) and (˜ ˜ = (πi∗ , Ci∗ , . . . ), and outputs π , C) π , C) i∗ , parses (ˆ i i ∗ ∗ ∗ ∗ ∗ (Ci , 1, d, d , πi , πi∗ ). We know that Ci = Ci∗∗ when Diffdata happens, and πi∗∗ must pass the verification correctly for d∗ since A wins in this game. Therefore, one can see that the tuple (Ci∗ , 1, d, d∗ , πi∗ , πi∗∗ ) breaks the position binding of DCVC. Thus, Pr[G1 = 1 ∧ Diffdata] ≤ Pr[PosBdgDCVC (λ) = 1] = negl(λ). B ˆ returned by the Case Diffdata: In this case, the authentication path (ˆ π , C) ˜ at the internal adversary deviates from the correct authentication path (˜ π , C) node. The reduction B takes as input pp. It then chooses the tree depth l = λ to set an upper limit on the number of data entry and builds an l size DCVC tree from bottom to up, where in each DCVC every position which does not point to a child (especially the first position in the internal node or all the positions in the leaf node) is set to 0. Let C0 be the root. Then, B sets the counter cnt ← 0, sets pk ← (pp, C0 ), and runs A(pk) by simulating the game G1 . To answer the append queries of A, e.g., appending a data entry d, B obtains the index i ← cnt + 1 for the new data entry, sets cnt ← cnt + 1, and inserts the

360

J. Wu et al.

new data entry into the tree by finding a collision in the position 1 of node ni using collision oracle. Note that B never uses its collision oracle at the position j > 1 in Case Diffdata. If the adversary A exceeds the upper limit of the number of data entries, B stops the adversary and starts again by setting l ← l · λ. To answer the update queries of A, e.g., updating the data entry d at position i to a new entry d , B simply runs Update algorithm. ˆ B parses ˆ , C). At the end of the game the adversary returns the tuple (i∗ , d∗ , π ˆ = (. . . , π ∗ , C ∗ , π ∗ , C ∗ ) and finds the largest k such that C ∗ = Ck , that is, (ˆ π , C) 1 1 0 0 k the authentication path π ˆ is still equal to the actual tree from Ck∗ to the root. ˜ = (. . . , π1 , C1 , π0 , C0 ) from i∗ B computes the honest authentication path (˜ π , C) ∗ ∗ to the root if i is in the tree (i.e., i does not exceed the upper limit), otherwise computes one from the deepest ancestor of i∗ to the root. ˜ computed by B, the j-th π , C) If Ck is the deepest node in the honest path (˜ element committed in Ck by B is 0. Thus, B can compute an honest proof πk ∗ that 0 is the j-th element committed in Ck , and output (Ck , j, 0, Ck+1 , πk , πk∗ ). ∗ ˜ , there exists a node Ci = Ck and a If Ck is not the deepest node in π proof πk that Ck+1 is the j-th element committed in Ck . Thus, B outputs ∗ , πk , πk∗ ). (Ck , j, Ck+1 , Ck+1 ∗ ∗ , πk , πk∗ ) or (Ck , j, Ck+1 , Ck+1 , πk , πk∗ ) Therefore, the tuple (Ck , j, 0, Ck+1 breaks the position binding of DCVC. Thus, Pr[G1 = 1 ∧ Diffdata] ≤ Pr[PosBdgDCVC (λ) = 1] = negl(λ). B In conclusion, the overall advantage of the adversary winning the game is negligible because it is negligible in both cases. Thus, our scheme VDS1 is secure.

5

Verifiable Data Streaming from KVC

In this section, we propose our second scheme VDS2 with optimal query communication and server storage overhead in the standard model from KVC and DCH. In the following, we will describe this scheme in detail. 5.1

Our Construction

In the following, we give a brief description of our scheme VDS2 = (Setup, Append, Query, Verify, Update), the details of which are shown in Algorithm 3. • Setup(1λ , l): The client generates (pp1 , C) ← KGen(1λ , l) and (pp2 , Y, x) ← DCHKGen(1λ ), sets the counter cnt ← 0. Then the client generates the oneˆ ← DCHTGen(pp ), picks a random number rˆ ← ˆ k) time hash/trapdoor (K, 2 ˆ 0, rˆ). Finally, the {0, 1}λ , and computes the hash value Ch ← DCHpp2 (Y, K, algorithm outputs the secret key sk ← (cnt, x, rˆ, C) and the public key pk ← (pp1 , pp2 , Y, Ch).

New Unbounded VDS for Batch Query with Almost Optimal Overhead

361

Algorithm 3. VDS from KVC (VDS2 ) Setup(1λ , l)

1: 2: 3: 4: 5: 6: 7: 8: 9:

 Client

Append(sk, d)

1: 2: 3: 4: 5: 6: 1: 2: 1: 2: 3: 4: 5:

Client: 3: v ← Verify(pk, i, d, πi , C, K, r)

 Client

πi ← KOpenpp1 (i, d, DB) return ((i, d, πi ), (C, K, r))

?

v ← Ch = DCHpp2 (Y, K, C, r) ∧ KVerpp1 (C, i, d, πi ) if v = 0 then return ⊥ else return d end if

Client: 4: if v = 0 then return ⊥ 5: else 6: C  ← KUpdatepp1 (C, i, d, d ) ˆ  ) ← DCHTGen(pp ) ˆ , k 7: (K 2

rˆ ← {0, 1}λ ˆ  , 0, rˆ ) Ch ← DCHpp2 (Y, K   (K , k ) ← DCHTGen(pp2 ) r  ← DCHColpp2 (x, k , 0, rˆ , C  ) return (C  , rˆ , Ch , K  , r  ) end if BatchQuery(pk, DB, I)  Server 1: πI ← KBatchOpenpp1 (I, d I , DB) 2: return (I, d I , πI ) BatchVerify(pk, I, d I , πI , C, K, r)  Client

8: 9: 10: 11: 12: 13:

 Server

Verify(pk, i, d, πi , C, K, r)

 Client & Server

Server : 2: (i, d, πi ) ← Query(pk, DB, i)

i ← cnt + 1 C ← KAppendpp1 (C, i, d) (K, k) ← DCHTGen(pp2 ) r ← DCHColpp2 (x, k, 0, rˆ, C) cnt ← cnt + 1 return (i, d, C, K, r)

Query(pk, DB, i)

Update(pk, sk, DB, i, d ) Client: 1: send (i, d ) to server

(pp1 , C) ← KGen(1 , l) (pp2 , Y, x) ← DCHKGen(1λ ) cnt ← 0 ˆ ← DCHTGen(pp ) ˆ k) (K, 2 rˆ ← {0, 1}λ ˆ 0, rˆ) Ch ← DCHpp2 (Y, K, sk ← (cnt, x, rˆ, C) pk ← (pp1 , pp2 , Y, Ch) return (sk, pk) λ

 Client

1: 2: 3: 4: 5:

?

v ← Ch = DCHpp2 (Y, K, C, r) ∧ KBatchVerpp1 (C, I, d I , πI ) if v = 0 then return ⊥ else return d I end if

• Append(sk, d): When appending a new data entry d, the client first parses sk = (cnt, x, rˆ, C), obtains the index i ← cnt+1 of the new data entry d, updates the commitment C ← KAppendpp1 (C, i, d), determines a one-time hash/trapdoor key pair (K, k) ← DCHTGen(pp2 ), finds a collision (C, r) s.t. DCh(C, r) = DCh(0, rˆ) by running r ← DCHColpp2 (x, k, 0, rˆ, C), and then increases the counter cnt ← cnt + 1. Finally, the client sends (i, d, C, K, r) to the server and the server stores (i, d) in DB as well as updates (C, K, r). • Query(pk, DB, i): When performing query on the index i sent from the client, the server computes a proof πi ← KOpenpp1 (i, d, DB) that d is i-th data entry in DB, and sends the data and its proofs (i, d, πi ) and (C, K, r) to the client. • Verify(pk, i, d, πi , C, K, r): The verifier (including the client) parses pk ← (pp1 , pp2 , Y, Ch), and then verifies the correctness of (C, K, r) and (i, d, πi ) by ?

checking Ch = DCHpp2 (Y,K,C,r) and running the algorithm KVerpp1 (C,i,d,πi ). If both are true, then output d, otherwise output ⊥. • Update(pk, sk, DB, i, d ): The update protocol is run by the client and server. 1. To update the data entry d to d with the index i, the client first retrieves d with the index i from the server. Concretely, the client sends the index i and the new data entry d to the server. Then the server and the client runs Query(pk, DB, i) → (i, d, πi ) and Verify(pk, i, d, πi , C, K, r) → d/⊥ respectively.

362

J. Wu et al.

2. When the query is validated, the client first updates the commitment C  by replacing d to d . Then the client choose a randomness rˆ ← {0, 1}λ , produces the new hash value Ch , generates a one-time hash/trapdoor pair (K  , k  ), and finds a collision r for the updated commitment C  . Finally, the client updates the secret and public keys sk ← (cnt, x, rˆ , C  ) and pk ← (pp1 , pp2 , Y, Ch ) and sends (C  , K  , r ) to the server. 3. The server writes the new data d into DB and updates (C, K, r) to (C  , K  , r ). Batch Query: We show that VDS2 supports batch query and verifying. • BatchQuery(pk, DB, I): The client sends the query index set I to the server. The server computes a proof πI ← KBatchOpenpp1 (I, dI , DB) for the data entry set dI , and sends the proof (I, dI , πI ) and (C, K, r) to the client. • BatchVerify(pk, I, dI , πI , C, K, r): The verifier (including the client) parses ?

pk ← (pp1 , pp2 , Y, Ch), and then verifies v ← Ch = DCHpp2 (Y, K, C, r) ∧ KBatchVerpp1 (C, I, dI , πI ). If v = 1, then output dI , otherwise output ⊥. 5.2

Security Analysis

Theorem 3 (Secure VDS). If KVC is a key-binding key-value commitment and DCH is a collision-resistant double-trapdoor chameleon hash, then our scheme VDS2 is secure. Proof. The proof of the theorem is conducted by executing the game 2 VDSsecVDS (λ). The adversary A may win the game in two ways, either by A finding a collision in the double-trapdoor chameleon hash, or by breaking the key binding of the key-value commitment. We will show that the advantage of the adversary in both case is negligible. We will give a simplified proof in the following and a completed proof in the full version [20] due to space constraints. Concretely, the proof is proceeded by contradiction. Let ((i∗ , d∗ , π ∗ ), (C ∗ , K ∗ , r∗ )) is the tuple returned by the adver2 (λ). If the adversary wins in this game, sary A at end of the game VDSsecVDS A recall that Ch = DCHpp2 (Y, K ∗ , C ∗ , r∗ ), 1 ← KVerpp1 (C ∗ , i∗ , d∗ , π ∗ ), d∗ = ⊥ / DB. Consider the correct tuple ((i∗ , d, π), (C, K, r)) with index i∗ . and (i∗ , d∗ ) ∈ Then we define DCHCol as the event that C ∗ = C such (C ∗ , K ∗ , r∗ ) = (C, K, r). Obviously, we have 2 (λ) = 1] Pr[VDSsecVDS A 2 2 = Pr[VDSsecVDS (λ) = 1 ∧ chcol] + Pr[VDSsecVDS (λ) = 1 ∧ chcol]. A A 2 Case chcol: In this case, Pr[VDSsecVDS (λ) = 1 ∧ chcol] is negligible under the A assumption that DCH is collision-resistant. 2 (λ) = 1 ∧ chcol] is negligible under the Case chcol: In this case, Pr[VDSsecVDS A assumption that KVC is key-binding. Therefore, the overall advantage of the adversary winning the game is negligible. Thus, our scheme VDS2 is secure. More details of the proof are shown in the full version [20].

New Unbounded VDS for Batch Query with Almost Optimal Overhead

363

(a) Append time cost

(b) Query time cost

(c) Verify time cost

(d) Update time cost

(e) Batch query time cost

(f) Batch verify time cost

Fig. 1. Time cost comparison

6

Performance Evaluation

In this section, we report a comprehensive evaluation of our proposed two schemes VDS1 and VDS2 . In the following, we first provide the description of experiment environment and parameter setting, and then discuss the comparison on communication, storage and time overhead between our two schemes with CVC/ACC-based VDS schemes [11], and VADS scheme [19]. 6.1

Implementation Setup

We implement in Python five VDS schemes including our two schemes VDS1 (Sect. 4) and VDS2 (Sect. 5), two VDS schemes in [11], and VADS scheme [19]. We use PBC-0.5.14 library with a type A elliptic curve for pairing-based and RSA-based cryptographic primitives, and SHA-256 hash function. We deploy our experiments on the machine with Intel(R) Core(TM) i9-11900K @ 3.50 GHz RAM 128 GB and Ubuntu 20.04 LTS. In the following experiment, we first determine the security parameter to 128 bits. To evaluate the time cost of five schemes, we set the database size to n = 4096, 2048, 1024, the branching number of the tree to q = 32, 64, 128, 256, the block size (i.e., the size of a data entry) to 256 bits, 512 bits and 1024bits, the number of queried data in batch query to l = 10, 50, 100. To completely quantify the query communication and server storage overhead, we perform separate experiments by setting the database size to n = 210 , 212 , 214 , 216 , 218 , 220 and the batch query size to l = 10, 50, 100, 500, 1000, 2000.

364

J. Wu et al.

(a) Single query

(b) Batch query

Fig. 2. Communication overhead comparison

6.2

Fig. 3. Storage comparison

Evaluation

Time Cost. We evaluate the time cost of five schemes in terms of the append time, the query time, the verify time, the update time, the batch query time, and the batch verify time. The experiment results show that, as detailed in Fig. 1, our two schemes are efficient but not optimal. First, we can observe from Fig. 1(a) and 1(d) that our scheme VDS1 has better append and update time cost than CVC-based VDS scheme [11] which is also based on a tree structure. This result reveals that transferring the proof generation from the client to the server not only optimizes server storage but also improves client and server computation efficiency. Then we review Table 1 in Sect. 1 and further observe Fig. 1(a), 1(c), and 1(d). Although our scheme VDS2 has constant client-side append time, verify time and update time independent of the size of the database, the block size plays a significant role. The reason is that in our scheme VDS2 the time cost is dominated by the length of the prime determined by the block size. In addition, we show the time cost of single query, batch query, and batch verify in Fig. 1(b), 1(e), and 1(f). The query time cost of our two schemes is determined by server-side proof computation. According to Fig. 1(b) and 1(e), both single query and batch query time increase with the block size. Specially, Fig. 1(e) illustrates that the cost of batch query of VDS2 is independent of the number of queried data l, while that of VDS1 increases linearly with l. Figure 1(f) shows that the cost of batch verify is dominated by block size and batch size l. Generally speaking, it is necessary to sacrifice computation efficiency to achieve better query communication and server storage as well as stronger security. Communication Overhead. The communication overhead is mainly incurred by retrieving a data entry or multiple data entries in a single query or batch query. As shown in Fig. 2(a) and 2(b), both our schemes VDS1 and VDS2 reach the optimal communication overhead O(1) in single query and batch query and are superior to all existing scheme. Particularly, the query communication of VDS1 and VDS2 consists of only two elements and three elements respectively. Storage Overhead. The server storage overhead in a VDS scheme mainly stems from the proof storage. The server storage of most existing VDS schemes is at least O(n), where n is the database size. The ideal server storage is constant O(1). Our scheme VDS1 reduces the storage overhead to O(n), and even our scheme

New Unbounded VDS for Batch Query with Almost Optimal Overhead

365

VDS2 achieves the optimal server storage overhead O(1) by eliminating the proof storage and maintaining only constant-size auxiliary information (consisting of just three elements). As shown in Fig. 3, the server storage of our scheme VDS2 outperforms that of the other four schemes.

7

Conclusion

In this paper, we explore new approaches to build unbounded VDS schemes for batch query with optimal query communication and server storage. To this end, we first introduce a new cryptographic primitive DCVC. Then, we propose an unbounded VDS scheme VDS1 in the random oracle model from an aggregatable cross-commitment variant of DCVC, which has optimal communication cost O(1) and better server storage O(n). Further, we present the first unbounded VDS scheme VDS2 with optimal communication overhead O(1) and storage overhead O(1) in the standard model. Both of our schemes enjoy constant-size public key. Compared with the state-of-the-art [11,19], our two schemes reach optimal communication and storage overhead, however, the computational performance is not optimal, so we leave constructing an overall optimal VDS scheme for batch query to be the future work. Acknowledgments. This work was supported by the National Natural Science Foundation of China (Nos. 6196026014 and 62072357), the Fundamental Research Funds for the Central Universities (Nos. YJS2212 and ZDRC2204), and the Open Foundation of Henan Key Laboratory of Cyberspace Situation Awareness (No. HNTS2022012).

References 1. Agrawal, S., Raghuraman, S.: KVaC: key-value commitments for blockchains and beyond. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12493, pp. 839–869. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4 28 2. Ateniese, G., de Medeiros, B.: On the key exposure problem in chameleon hashes. In: Blundo, C., Cimato, S. (eds.) SCN 2004. LNCS, vol. 3352, pp. 165–179. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30598-9 12 3. Boneh, D., B¨ unz, B., Fisch, B.: Batching techniques for accumulators with applications to IOPs and stateless blockchains. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 561–586. Springer, Cham (2019). https:// doi.org/10.1007/978-3-030-26948-7 20 4. Campanelli, M., Fiore, D., Greco, N., Kolonelos, D., Nizzardo, L.: Incrementally aggregatable vector commitments and applications to verifiable decentralized storage. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 3–35. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3 1 5. Catalano, D., Fiore, D.: Vector commitments and their applications. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 55–72. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7 5 6. Chen, C., Wu, H., Wang, L., Yu, C.: Practical integrity preservation for data streaming in cloud-assisted healthcare sensor systems. Comput. Networks 129, 472–480 (2017)

366

J. Wu et al.

7. Chen, X., Zhang, F., Kim, K.: Chameleon hashing without key exposure. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, pp. 87–98. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30144-8 8 8. Chen, X., Zhang, F., Susilo, W., Mu, Y.: Efficient generic on-line/off-line signatures without key exposure. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 18–30. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-7273852 9. Chen, X., et al.: Efficient generic on-line/off-line (threshold) signatures without key exposure. Inf. Sci. 178(21), 4192–4203 (2008) 10. Gennaro, R.: Multi-trapdoor commitments and their applications to proofs of knowledge secure under concurrent man-in-the-middle attacks. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 220–236. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8 14 11. Krupp, J., Schr¨ oder, D., Simkin, M., Fiore, D., Ateniese, G., Nuernberger, S.: Nearly optimal verifiable data streaming. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 417–445. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7 16 12. Lai, R.W.F., Malavolta, G.: Subvector commitments with application to succinct arguments. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 530–560. Springer, Cham (2019). https://doi.org/10.1007/978-3-03026948-7 19 13. Miao, M., Wei, J., Wu, J., Li, K., Susilo, W.: Verifiable data streaming with efficient update for intelligent automation systems. Int. J. Intell. Syst. 37(2), 1322–1338 (2022) 14. Schr¨ oder, D., Schr¨ oder, H.: Verifiable data streaming. In: CCS 2012, Raleigh, NC, USA, 16–18 October 2012, pp. 953–964 (2012) 15. Sch¨ oder, D., Simkin, M.: VeriStream – a framework for verifiable data streaming. In: B¨ ohme, R., Okamoto, T. (eds.) FC 2015. LNCS, vol. 8975, pp. 548–566. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47854-7 34 16. Shamir, A.: On the generation of cryptographically strong pseudorandom sequences. ACM Trans. Comput. Syst. 1(1), 38–44 (1983) 17. Sun, Y., Liu, Q., Chen, X., Du, X.: An adaptive authenticated data structure with privacy-preserving for big data stream in cloud. IEEE Trans. Inf. Forensics Secur. 15, 3295–3310 (2020) 18. Tsai, I., Yu, C., Yokota, H., Kuo, S.: VENUS: verifiable range query in data streaming. In: IEEE INFOCOM 2018 - IEEE Conference on Computer Communications Workshops, INFOCOM Workshops 2018, Honolulu, HI, USA, 15–19 April 2018, pp. 160–165. IEEE (2018) 19. Wei, J., Tian, G., Shen, J., Chen, X., Susilo, W.: Optimal verifiable data streaming protocol with data auditing. In: Bertino, E., Shulman, H., Waidner, M. (eds.) ESORICS 2021. LNCS, vol. 12973, pp. 296–312. Springer, Cham (2021). https:// doi.org/10.1007/978-3-030-88428-4 15 20. Wu, J., Wang, J., Yong, X., Huang, X., Chen, X.: New unbounded verifiable data streaming for batch query with almost optimal overhead. IACR Cryptology ePrint Archive (2022). https://eprint.iacr.org/2022/1028 21. Xu, J., Meng, Q., Wu, J., Zheng, J.X., Zhang, X., Sharma, S.: Efficient and lightweight data streaming authentication in industrial control and automation systems. IEEE Trans. Ind. Inform. 17(6), 4279–4287 (2021) 22. Xu, J., Wei, L., Wu, W., Wang, A., Zhang, Y., Zhou, F.: Privacy-preserving data integrity verification by using lightweight streaming authenticated data structures for healthcare cyber-physical system. Future Gener. Comput. Syst. 108, 1287–1296 (2020)

A Formal Model for Credential Hopping Attacks Massimiliano Albanese1,2(B) , Karin L. Johnsgard1 , and Vipin Swarup1(B) 1 2

The MITRE Corporation, McLean, VA 22102, USA {malbanese,kjohnsgard,swarup}@mitre.org George Mason University, Fairfax, VA 22030, USA [email protected]

Abstract. Centrally-managed authentication schemes allow users of complex distributed systems to present the same credentials to multiple applications and computer systems. To further simplify the user’s experience, the credentials are often cached on those remote systems. However, caching credentials introduces the risk of malicious actors stealing and using these credentials to hop between systems within the network. This problem has been studied by modeling authentication events as a graph, and proposed solutions rely on altering key properties of a system’s authentication graph to reduce the likelihood of successful attacks. However, current approaches make numerous simplifying assumptions, fail to reflect the time-variant nature of many of the variables involved, and do not readily accommodate modeling the effects of a wide range of potential countermeasures. To address these limitations, this paper presents a formal model that describes credential hopping attacks as iteratively performing multiple credential-harvesting operations and lateral movements to reach predefined objectives. We explicitly consider the time-variant nature of all variables involved. We show how different countermeasures impact key variables of the proposed model, and define an intuitive metric for quantifying the attacker’s expended effort to reach a given goal. Although direct computation of a verifiably minimum value for this metric is demonstrably infeasible, we propose heuristics to achieve reasonable upper bounds. We validate our model and bound-heuristics through simulations, including assessing the impact of a deployed countermeasure.

1

Introduction

Modern enterprise networks rely on centrally-managed authentication schemes that allow users to present access credentials to multiple computer systems, services, and applications across the network. These credentials are often cached, thus creating a potential risk, as cached credentials can be stolen and used by malicious users to hop between different computers in the network [2–4]. For instance, on a Windows system, adversaries may attempt to harvest credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS) using tools such as procdump and mimikatz1 . 1

R MITRE ATT&CK , https://attack.mitre.org/techniques/T1003/001/.

c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 367–386, 2022. https://doi.org/10.1007/978-3-031-17140-6_18

368

M. Albanese et al.

While this problem has been studied in the literature, most previous work assumes that user accounts and privileges do not change over the course of an attack, and formal attack models and approaches to quantify the potential risk associated with caching credentials are still lacking. To address this limitation, we present a formal attack model to describe credential hopping attacks – also known as identity snowball attacks – and a graph-based heuristic approach for quantifying the risk associated with credential caching, and evaluating the impact of different countermeasures. This research effort grew out of the Adaptive Resiliency Experimentation System (ARES) project at MITRE [10]. The purpose of ARES is to explore practical approaches for improving network resiliency (e.g., the ability to weather cyberattacks) while minimizing negative impact to mission capability. The approach is to design software that can process observable characteristics of a network (hosts, containerized services, user accounts, network traffic, login events) to infer the existing access control policy, and then propose a revised policy, as guided by user-configurable criteria and weights. For validation, each of the original policies and the ARES-recommended one are implemented in a virtual network, where they are subjected to attacks by both human experts (with specified objectives) and by an adversary automation tool. In all cases, metrics are compiled to measure the effort expended to achieve adversarial goals. To function, the ARES policy recommender software needs to assume some model of expected attacker behavior. Early versions did not incorporate user account privileges or cached credentials, and relied solely on the analysis of graph paths to estimate the ease with which an attacker might reach a goal. Model complexity increased over time, at the cost of greater computation time, to incorporate a more faithful simulation of credential harvesting and lateral movement, but still assumed that attacks occurred in a static network environment. For example, it made no attempt to model session termination, clearing of credential caches, or ongoing login activity adding additional credentials to such caches. The main contribution of this paper is a time-dependent formal model for lateral movement that can accommodate changes in network connectivity, network state (e.g., which credentials are cached where and when), user account credentials or privileges, and termination of active user sessions. The model is designed to be able to reflect both cyclic (e.g., clearing of credential caches) and event-based (e.g., revocation of a user’s privileges) countermeasures taken to protect the system. The remainder of the paper is organized as follows. Section 2 discusses related work and Sect. 3 introduces some preliminary definitions. Then Sect. 4 describes in detail the proposed attack model, whereas Sect. 5 provides formal models for two possible countermeasures. Next, Sect. 6 introduces the proposed metrics to quantify the attacker’s effort. Finally, Sect. 7 describes heuristic algorithms to compute upper bounds on the attacker’s effort and Sect. 8 presents experimental results. To conclude, Sect. 9 provides some final remarks and indicates future research directions.

A Formal Model for Credential Hopping Attacks

2

369

Related Work

Hagberg et al. [4] examined computer network risk associated with credential hopping by creating and studying the structure of the authentication graph, a bipartite graph built from authentication events. They assume that an authentication graph with many short paths between computers represents a network that is more vulnerable to such attacks. Under this assumption, they use a measure of graph connectivity – the size of the largest connected component – to give a quantitative indicator of the network’s susceptibility to such attacks. This model enables actionable risk reduction strategies. Kent et al. [8] represented authentication data as a set of user-specific graphs and graph features, including time-constrained attributes. They proposed graph-based approaches to user classification and intrusion detection with practical results. They also presented a method for assessing network authentication trust risk and cyber attack mitigation within an enterprise network using bipartite authentication graphs. They demonstrated the value of these graph-based approaches on a real-world authentication data set collected from an enterprise network. In fact, researchers at Los Alamos National Laboratory (LANL) created and made publicly available several datasets to facilitate cyber-security research, including research on credential hopping attacks [6,7,12]. We used one of these datasets, as described in Sect. 8, to evaluate our model. To mitigate snowball attacks, Dunagan et al. presented Heat-ray [3], a system that combines machine learning, combinatorial optimization and attack graphs to scalably manage security configuration and allow IT administrators to reduce the number of machines that can be used to launch a large-scale identity snowball attack. Credential hopping attacks are multistep attacks, as they are similar in principle to attacks leveraging vulnerability paths in complex systems [1]. In fact, in both cases, each attack step – whether it is a vulnerability exploit or a credential harvest followed by a lateral movement – creates the preconditions for the next attack step. Pope et al. [11] highlighted the importance and role of heuristics for predicting attack success, whereas Hong et al. [5] illustrated the benefits of graphical security models, and these findings support our graphical model for credential hopping attacks and heuristic to estimate attacker’s effort.

3

Preliminary Definitions

Previous work on credential hopping attacks implicitly assumes that user accounts and privileges do not change over the course of an attack. While this assumption may be valid for highly-scripted and fast-paced attacks, it may not be realistic when considering stealthy attackers, such as APT actors, operating over extended periods of time. Thus, in order to capture how user accounts, privileges, and other variables change over time, and considering that all the variables used in our analysis are intrinsically discrete, we discretize time as a finite sequence T = {t0 , t1 , . . . , tn } of time points, such that ∀i ∈ [1, n], ti − ti−1 = Δt, and we model several variables as a function of time. Let Ui be a set of user accounts

370

M. Albanese et al.

n that exist at time ti , and let U = i=0 Ui be the set of all user accounts that existed at some time over T . Through this paper, we may use the term user to refer to a user account. For the purpose of our analysis, we model a network and its associated access control policy as a 4-tuple N = (V, E, α, μ), where – V is a set of nodes representing physical hosts, virtual machines, or containerized services – depending on the desired level of abstraction or granularity. – E : T → 2V ×V is a function modeling connectivity between nodes over time. An edge (v  , v  ) ∈ E(ti ) represents the fact that traffic from v  can reach v  at time ti , thus a user account that is logged on v  at time ti can reach v  . – α : V × T → 2U is a function that associates each node v ∈ V and time point ti ∈ T with a set of user accounts that have administrative privileges on v at time ti . – μ : V × T → 2U is a function that associates each node v ∈ V and time point ti ∈ T with a set of user accounts that have user privileges on v at time ti . This model assumes that the set V of nodes does not change over the course of an attack. In real-world applications, nodes may be added or removed from a network, but such events are less frequent than adding or removing edges, which can be achieved by simply changing firewall rules. Modeling the set of nodes as a function of time will indeed be necessary if the set of available countermeasures includes dynamically creating deceptive or redundant nodes, or if the system relies heavily on the use of virtual machines, which can be added or removed from a network much more frequently than physical machines. We plan to study this aspect of the problem as part of our future work. Credential hopping attacks rely on the attacker’s ability to harvest credentials that have been cached on various network nodes. However, credentials may expire or be revoked, so not all cached credentials may be valid at the time the attacker presents them in an attempt to move laterally within the network. Let C denote the set of all credentials that were valid at any time over T . For the purpose of our analysis we can represent a credential c as a triple (start, end, user), where start and end denote the times at which c was issued and revoked respectively, and user is the user account to which the credential was issued. We make the simplifying assumption that every user account has only one valid credential at any given time and define a function κ : U × T → C ∪ {null} that maps each user account to the unique credential, if any, that is valid at any given time ti :  c ∈ C, s.t. c.start ≤ ti ≤ c.end, if such credential exists κ(u, ti ) = (1) null, otherwise For the purpose of our analysis, we model credential caching as a function γ : V × T → 2C that associates a node v ∈ V and a time point ti ∈ T with the set γ(v, ti ) ⊆ C of credentials cached on v at time ti .

4

Attack Model

We assume that, prior to initiating a sequence of lateral movements within the target network, the attacker has the ability to log with administrative privileges

A Formal Model for Credential Hopping Attacks

371

into one or more nodes, which we will refer to as start nodes. A start node could be either a node on the network’s perimeter – for which the attacker has acquired credentials through social engineering or other means – or an internal node – if the attacker is an insider with administrative access to that node. We also assume that the attacker’s objective is to gain administrative access to one or more target nodes, which we refer to as goal nodes. Let Vs ⊂ V be a non-empty set of start nodes and Vg ⊂ V a non-empty set of goal nodes, with Vs ∩Vg = ∅. We assume that the attacker retains the ability to access the start nodes throughout the course of the attack.

Fig. 1. Timeline of a multi-step attack

To achieve their objective, attackers perform a sequence of lateral movements within the target network, starting from nodes in Vs . They harvest credentials from start nodes, to which they have administrative access, and then use newly harvested credentials to log into additional nodes. This process is repeated until all goal nodes have been reached or no additional nodes can be accessed with available credentials. Thus, without loss of generality, we assume that an attack consists of a finite sequence of attack steps A0 , A1 , . . . , Am , with attack step Aj occurring at time tij . For example, the attack sequence shown in Fig. 1 consists of steps A0 , A1 , A2 , A3 , with ti0 = t0 , ti1 = t2 , ti2 = t3 , and ti3 = tn . For the purpose of our analysis, we assume ti0 = t0 , i.e., attacks always start at time t0 . Attack step A0 is the initialization step, during which an external attacker acquires credentials for and logs into one or more start nodes, or an insider logs into one or more start nodes. An attacker may adopt one of several strategies to select a subset V0∗ ⊆ Vs of nodes to log into during attack step A0 . For instance, a stealthy attacker may select a single node whereas a more aggressive attacker may attempt to log into all nodes in Vs . During attack step Aj , with j ∈ [1, m], attackers execute the following two tasks sequentially. – Credential harvesting: attackers harvest new credentials from one or more nodes they are logged into with administrative credentials. This harvest may includes credentials that have been cached on new nodes that were accessed during the previous attack step and credentials that have been cached on previously compromised nodes since the last harvesting cycle. – Lateral movement: attackers move laterally by logging into one or more new nodes using harvested credentials. Similar to attack step A0 , attackers may adopt one of several strategies to select a subset of nodes to log into, among those for which they have valid credentials.

372

M. Albanese et al.

Fig. 2. Attack model flowchart

Let Cj∗ ⊂ C denote the set of credentials acquired by an attacker during the first j attack steps and let Vj∗ ⊂ V denote the set of nodes the attacker is logged on at the end of attack step Aj , using credentials in Cj∗ , irrespective of privilege level. Fig. 2 shows a flowchart representation of the attack model. We represent sessions initiated by an attacker during the first j attack steps as a set Sj ⊆ Vj∗ × Cj∗ . We assume that a session (v, c) ∈ Sj is active at a time ti ≥ tij – denoted as active ((v, c), ti ) – if c = κ(c.user, ti ) ∧ c.user ∈ μ(v, ti ) ∪ α(v, ti ), that is c is a unique credential, valid at time ti , for a user with privileges on v at time ti . We assume that an attacker has at most one active session per node, i.e., (∀v ∈ Vj∗ ) (c , c ∈   Cj∗ ) (v, c ) ∈ Sj ∧ (v, c ) ∈ Sj ∧ active((v, c ), tij ) ∧ active((v, c ), tij ) . We can now formally define the notion of lateral movement in the context of our attack model. To this aim, we consider two types of lateral movements: (i) adversaries logging into new nodes; and (ii) adversaries logging with administrative credentials into nodes they previously logged into with user credentials. Note that the second class of lateral movements is not equivalent to privilege escalation attacks, as the adversary is not exploiting a vulnerability on the target node to gain administrative privileges, but rather logging in with different credentials. Definition 1 (Lateral Movement). Given the set Cj∗ of credentials available ∗ of to an adversary after the harvesting stage of attack step Aj and the set Vj−1 nodes the adversary is logged into at the beginning of attack step Aj , we say that ∗ during attack step Aj the adversary can move laterally to a node v ∈ V \ Vj−1 if and only if the following two conditions hold: ∗ ∗ , c∗ ∈ Cj−1 s.t. (v ∗ , c∗ ) ∈ Sj−1 ∧ (v ∗ , v) ∈ E(tij ) ∧ active ((v ∗ , c∗ ), – ∃v ∗ ∈ Vj−1  tij , i.e., node v can be reached from one of the nodes the attacker is still logged on. We assume that, if multiple pairs (v ∗ , c∗ ) exist that satisfy this condition, the adversary will select only one, i.e., a lateral movement to a ∗ ; node v originates from one and only one node in Vj−1 ∗ – ∃u ∈ μ(v, tij ) ∪ α(v, tij ) s.t. κ(u, tij ) ∈ Cj , i.e., the attacker has valid credentials for at least one user with privileges on v at time tij . We assume that, if adversaries have valid credentials for multiple users, they will log into the

A Formal Model for Credential Hopping Attacks

373

target node only once, and will choose administrative credentials over user credentials. ∗ | ∃u ∈ μ(v, tij−1 ) s.t. κ(u, tij−1 ) ∈ Similarly, given the set Vu = {v ∈ Vj−1 of nodes the adversary is logged into at the beginning of attack step Aj with user privileges, we say that the adversary can move laterally to a node v ∈ Vu with administrative privileges during attack step Aj if and only if the following two conditions hold: ∗ } Cj−1

∗ ∗ – ∃v ∗ ∈ Vj−1 , c∗ ∈ Cj−1 s.t. (v ∗ , c∗ ) ∈ Sj−1 ∧ (v ∗ , v) ∈ E(tij ) ∧ active ((v ∗ , c∗ ),  tij , i.e., node v can still be reached from one of the nodes the attacker is still logged on. We assume that, if multiple pairs (v ∗ , c∗ ) exist that satisfy this condition, the adversary will select only one; – ∃u ∈ α(v, tij ) s.t. κ(u, tij ) ∈ Cj∗ , i.e., the attacker has valid credentials for at least one user with administrative privileges on v at time tij . We assume that, if adversaries have valid credentials for multiple users, they will log into the target node only once.

If an attacker is logged with user privileges into a node v at the start of attack step Aj and has valid credentials for a user account with administrative privileges on v, a lateral movement to v with administrative privileges may still ∗ to v now exists. be prevented if no edge from any node v ∗ ∈ Vj−1 ∗ The set Cj of credentials available to the attacker at the end of the harvesting stage of attack step Aj , for j ∈ [1, m], can be defined as  ∗ ∪ γ(v, tij ) (2) Cj∗ = Cj−1 v∈Va ∗ ∗ where Va = {v ∈ Vj−1 | ∃u ∈ α(v, tij−1 ) s.t. κ(u, tij−1 ) ∈ Cj−1 } is the set of nodes the attacker is logged in with admin privileges at the beginning of attack step Aj , and C0∗ is a set of credentials that give the attacker administrative access to one or more nodes in Vs . This definition assumes that, once attackers have gained admin access to a node, they can harvest any credential cached on that node, but it can be easily extended to consider the effect of a countermeasure – like the Windows Defender Credential Guard [9] – which would limit attackers to harvest only the credentials that were cached since they gained admin access. Let Vjl ⊆ V be the set of nodes attackers can move laterally to during attack step Aj , based on Definition 1. As stated earlier, attackers may adopt one of several strategies to select a subset of nodes to log into, among those for which they have valid credentials. A selection strategy can be modeled as a function  L : 2V × P1 × . . . × Pn → 2V that maps a set of nodes V ⊆ V to a subset   V ⊆ V , considering a number of optional parameters. Thus, the set of nodes the attacker is logged into at the end of attack step Aj can be defined by Eq. 3, which also consider the effect of countermeasures resulting in the termination of active sessions. In the worst case, the attacker moves laterally to all nodes in Vjl .

   ∗ ∗ Vj∗ = Vj−1 ∪ L(Vjl , p1 , . . . , pn ) \ v ∈ Vj−1 | (v, c) ∈ Sj s.t. active (v, c), tij (3)

374

M. Albanese et al.

An instance of a credential hopping attack allowing the attacker to reach a goal node vg ∈ Vg at time tim with user (resp. administrative) privileges can be defined as a triple I = (H, M, tim ), where H and M are sets of harvest operations and lateral movements respectively.

5

Countermeasures

In this section, we discuss countermeasures that can be deployed to prevent or mitigate credential hopping attacks. Note that, in the real world, adversarial actions and countermeasures are not synchronized nor interleaved – as it might be the case in a typical multi-player game – as the adversary is not aware of when countermeasures will be deployed and the defender is not aware of when adversaries will attempt credential harvesting or lateral movements. However, the effects of any countermeasure targeted at disrupting either stage of an attack will impact the adversary only during the next credential harvesting and lateral movement attempts respectively. Thus, in order to simplify our model and without loss of generality, we assume that each class of countermeasures is deployed instantaneously at a given point during the time interval corresponding to a discrete time point ti ∈ T . For instance, any credentials that are flushed after the harvesting stage of an attack step will only affect the harvesting stage of the next attack step. This is equivalent to flushing these credentials immediately before the harvesting stage of the next attack step. 5.1

Credential Flushing

Credentials that have been cached on network nodes can be periodically flushed to prevent attackers from harvesting them. A credential flushing policy can be defined as a pair (Wf , Ψf ), where (i) Wf ⊆ 2U × 2V is a set of pairs (Uf , Vf ), with Uf = ∅ and Vf = ∅, and (ii) Ψf : Wf → N is a mapping that associates each pair (Uf , Vf ) ∈ Wf with the frequency, expressed as an integer number of time intervals, at which credentials for users in Uf must be flushed from nodes in Vf . Example 1. Consider a network with V = {v1 , v2 , v3 } and U = {u1 , u2 , u3 }. A possible credential flushing policy (Wf , Ψf ), with Wf = {({u1 }, V ), ({u2 , u3 }, {v1 , v2 }), ({u2 }, {v3 })}, could be defined as follows: Ψf ({u1 }, V ) = 5

Ψf ({u2 , u3 }, {v1 , v2 }) = 10

Ψf ({u2 }, {v3 }) = 15

This policy specifies that credentials for user u1 must be flushed from all nodes every 5 time units, credentials for users u2 and u3 must be flushed from nodes v1 and v2 every 10 time units, and credentials for user u2 must be flushed from node v3 every 15 time units. A credential flushing policy is said to be consistent if the set Wf induces a partition on the subset of U × V including all pairs (u, v) that are covered by

A Formal Model for Credential Hopping Attacks

375

the policy, i.e., if the set {Uf × Vf | (Uf , Vf ) ∈ Wf } is a partition of the set ∪(Uf ,Vf )∈Wf Uf × Vf . Intuitively, a consistent policy prevents a pair of node and user account from being assigned two different flushing frequencies. Example 2. Consider the flushing policy of Example 1. The subset of U × V including all pairs (u, v) that are covered by the policy is {(u1 , v1 ), (u1 , v2 ), (u1 , v3 ), (u2 , v1 ), (u2 , v2 ), (u3 , v1 ), (u3 , v2 ), (u2 , v3 )}. The set Wf = {({u1 }, V ), ({u2 , u3 }, {v1 , v2 }), ({u2 }, {v3 })} induces a partition on such set. Adding ({u1 , u2 }, {v1 }) to Wf and setting Ψf ({u1 , u2 }, {v1 }) = 7 would render this policy inconsistent, as Wf would no longer induce a partition on the set ∪(Uf ,Vf )∈Wf Uf × Vf . If a pair (u, v) is not covered by any (Uf , Vf ) ∈ Wf , then credentials for u, once cached on v, are never flushed and remain cached indefinitely, barring events such as a reboot. For instance, the policy of Example 1 is not defined for ({u3 }, {v3 }), so credentials for user u3 are never flushed from node v3 . Given a consistent credential flushing policy (Wf , Ψf ) and a pair (Uf , Vf ) ∈ Wf , to simplify the notation, for each (u, v) ∈ Uf × Vf , we can use Ψf (u, v) to refer to Ψf (Uf , Vf ). The consistency of the policy ensures that Ψ (u, v) is uniquely defined. We assume that policies are consistent, unless otherwise specified. A policy (Wf , Ψf ) determines a flushing schedule, which can be formally defined as a mapping σf : v × T → 2U that associates each node v ∈ V and time point ti ∈ T with the set of user accounts whose credentials are flushed at time ti . σf (v, ti ) = {u ∈ U | ∃k ∈ N, ti = t0 + k · Ψf (u, v)}

(4)

Example 3. Consider again the flushing policy of Example 1. The flushing schedule for node v1 is defined as follows: t1

t2

t3

t4

t5

t6

t7

t8

t9

t10

σf (v1 , ti ) ∅

∅

∅

∅

{u1 } ∅

∅

∅

∅

{u1 , u2 , u3 }

At time t5 credentials for user u1 are flushed from node v1 and at time t10 credentials for all three users are flushed. Credentials for user u1 are flushed more frequently than the other users. When a credential flushing policy (Wf , Ψf ) is deployed, the caching function γ satisfies the following property, which indicates that an attacker will not be able to harvest, at time ti , credentials that were flushed at that time. (∀v ∈ V )(∀ti ∈ T ) (γ(v, ti ) ∩ {c ∈ C | c.user ∈ σ(v, ti )} = ∅)

(5)

376

5.2

M. Albanese et al.

Credential Update

Users may be required to periodically update their credentials to prevent stolen credentials from being used by malicious users. A credential update policy can be defined as a pair (Wu , Ψu ), where (i) Wu ⊆ 2U is a set of nonempty subsets of U, and (ii) Ψu : Wu → N is a mapping that associates each set Uu ∈ Wu with the frequency, expressed as an integer number of time intervals, at which credentials for users in Uu must be updated. While credential updates typically happen on a different time scale compared to other countermeasures (months vs. hours or days), modeling a credential update policy shows that our formal model is general enough to accommodate a wide range of potential countermeasures. While indepth modeling of multiple countermeasures is beyond the scope of this paper, we include a discussion of the credential update countermeasure in Appendix B in order to provide another detailed example of how various countermeasures can be modeled in the context of our attack model.

6

Metrics

In this section, we first define the notion of attacker’s effort in the context of the formal model presented in Sect. 4 and then introduce a metric to capture the minimum attacker’s effort for reaching a given goal node. Definition 2 (Attacker Effort). Given a network N = (V, E, α, μ), a set of start nodes Vs , a set of goal nodes Vg , and an attack instance I = (H, M, tim ) that allows the attacker to reach a goal node vg ∈ Vg with user (resp. administrative) privileges at time tim , the attacker’s effort can be defined as the triple ξ(I) = (|H|, |M |, tim ). A function f : N × N × N → R+ can be used to convert this triple into a scalar value. Intuitively, the attacker’s effort increases when more harvests and lateral movements need to be executed and when it takes longer to reach the goal. The function f can be defined as a simple weighted average of the three elements of the triple (|H|, |M |, tim ) or as a more sophisticated function, but this discussion is beyond the scope of the paper and we refer the reader to Appendix C for further details. For the purpose of our analysis, we assume that f is a weighted average of |H|,|M |, and tim , with weights wh , wm , and wt , respectively. Definition 3 (Minimum Attacker Effort). Given a network N = (V, E, α, μ), a set of start nodes Vs , a set of goal nodes Vg , and a set Iu (resp. Ia ) of attack instances allowing the attacker to reach a goal node vg ∈ Vg with user (resp. administrative) privileges, the minimum attacker effort to reach vg with user (resp. administrative) privileges is defined as ξu (vg ) = minI∈Iu f (ξ(I)) (resp. ξa (vg ) = minI∈Ia f (ξ(I))). The problem of finding attack instances is inherently recursive. To access a goal node, the attacker has to establish a path from a start node to that goal node, and needs to possess credentials to access each of the nodes along that

A Formal Model for Credential Hopping Attacks

377

path. However, credentials for such nodes may be cached on nodes that are outside of that path, requiring the attacker to access those nodes first. In turn, credentials to access those nodes might be cached elsewhere. For the purpose of our analysis and without loss of generality, we assume that there is a single start node. The case of multiple start nodes can be reduced to the case of a single start node by introducing a dummy start node connecting to all start nodes. Given a network N = (V, E, α, μ), a start node vs , and a goal node vg , the minimum effort to access vg with administrative privileges is bound as follows. 1 + |shortestP ath(vs , vg )| ≤ ξa (vg ) ≤ m · |V | + 2 · |V |

(6)

The rationale for these bounds is that, in the best case, the attacker needs to perform at least one harvest (if all credentials are cached on the start node) and make at least as many lateral movements as the length of the shortest path from vs to vg . In the worst case, the attacker could harvest from all accessible nodes at each of the m attack steps and move laterally to all nodes twice (first as user and then as administrator). Enumerating all possible attack instances for vg is infeasible, due to the combinatorial explosion of the search space, as shown by the following analysis. Given a finite time sequence T = {t0 , t1 , . . . , tn }, a credential hopping attack may consist of any number m of steps2 , with m between 1 and n.The  number n , thus the of possible ways of choosing m time intervals out of n is given by m number of all sequences of attack steps is potentially as large as   n  n! n = m! (n − m)! m m=1 m=1 n 

(7)

For n = 10 the number of possible attack sequences is 1,023, and for n = 20 it grows to 1,048,575. In the credential harvesting stage of each attack step Aj of each attack sequence, attackers choose to harvest credentials from one or more nodes in the set Va of nodes they are logged in with administrative privileges, and the number of possible choices of nodes to harvest from is given by  |Va |  |Va |   |Va |! |Va | = k k! (|Va | − k)! k=1

(8)

k=1

If the attacker is logged into 10 nodes with administrative privileges, then there are 1,023 possible choices of nodes to harvest from. In the lateral movement stage of each attack step Aj of each attack sequence, attackers choose to move laterally to one or more nodes in the set Vjl of nodes that are potential target for lateral movement based on Definition 1, thus the number of possible choices of nodes to move to is given by |Vjl | 

 |Vjl | k

k=1 2



|Vjl |

=



k=1

|Vjl |! k! (|Vjl | − k)!

(9)

The timing of attack step A0 is fixed, as we assume that it always happens at time t0 , so we do not consider it in this analysis.

378

M. Albanese et al.

Algorithm 1. selectHarvestTargets(G, Va , vg , kh , minAge) Input: A network G = (V, E, α, μ), a set Va ⊆ V of nodes the attacker has admin access to, a goal node vg , the maximum number kh of nodes to harvest in single attack step, the minimum number minAge of time units before a node can be harvested again. Output: A subset of Va including no more than kh nodes. 1: harvestTargets ← ∅ 2: Va ← sort(Va , shortestPathDistance(vg )) 3: while |harvestTargets| < kh ∧ Va = ∅ do 4: v ← pop(Va ) 5: if age(v) ≥ minAge then 6: harvestTargets ← harvestTargets ∪ {v} 7: end if 8: end while 9: return harvestTargets

If there are 10 possible targets for for lateral movement, then there are 1,023 possible choices of nodes to move to. Thus, this analysis indicates that calculating the minimum attacker effort is infeasible in practice, and we need to adopt a heuristic approach to achieve reasonable estimates.

7

Heuristics

In this section, we present a heuristic algorithm to compute reasonable upper bounds on the minimum attack effort. First, we describe two auxiliary algorithms to select nodes to harvest credentials from and nodes to move laterally to, respectively. Then, we present the main algorithm. Given a set of nodes Va , which the attacker has administrative access to, algorithm selectHarvestTargets(G, Va , vg , kh , minAge) (Algorithm 1) returns a subset of Va including the top kh nodes based on shortest path distance to vg , but excluding nodes that have been harvested fewer than minAge time units before. The rationale for prioritizing harvesting based on proximity to the goal node is that, as users tend to access nodes on the same or adjacent networks, nodes closer to the goal node are more likely to cache credentials that could allow attackers to move closer to the goal. Additionally, excluding nodes that have been recently harvested prevents harvesting operations that would likely yield no additional credentials. Similarly, given a set of nodes V l , which the attacker could move to, algorithm selectLateralTargets(G, V l , vg , kl ) (Algorithm 2) returns a subset of V l including the top kl nodes based on shortest path distance to vg . We can now describe the main algorithm minAttackEffort() (Algorithm 3) which computes an upper bound on the minimum attacker effort by first using a depth-first approach to traverse the network graph and find an attack instance and then backtracking from the goal node to find the minimal subset of this instance. Line 2 initializes the set C ∗ of credentials possessed by the attacker with the credentials of a random user with administrative privileges on the start node vs . Accordingly, Line 3 initializes the set of nodes the attacker is logged in with admin privileges with the start node vs . Lines 5–6 initialize the sets of harvests and lateral movements and the effort. The effort is initialized to (0, 0, 0), thus ignoring the cost of gaining access to the start node. Lines 9–29 iteratively

A Formal Model for Credential Hopping Attacks

379

Algorithm 2. selectLateralTargets(G, V l , vg , kl ) Input: A network G = (V, E, α, μ), a set V l ⊆ V of nodes the attacker could move to, a goal node vg , the maximum number kl of nodes to move to in single attack step. Output: A subset of V l including no more than kl nodes. 1: lateralTargets ← ∅ 2: V l ← sort(V l , shortestPathDistance(vg )) 3: while |lateralTargets| < kl ∧ V l = ∅ do 4: v ← pop(V l ) 5: lateralTargets ← lateralTargets ∪ {v} 6: end while 7: return lateralTargets

perform a harvesting stage followed by a lateral movement stage until the goal node is reached, or the maximum allowed effort has already been expended, or there are no more time intervals to consider. Line 11 selects target nodes for harvesting, using the algorithm selectHarvestTargets introduced earlier, and Lines 12–15 add any newly harvested credentials to C ∗ and to the data structure harvests to allow backtracking later. Line 17 identifies the nodes that meet all the conditions to be candidates for lateral movement, and Line 18 selects a subset of them using the algorithm selectLateralTargets introduced earlier. For each of these nodes, Lines 19–26 attempt to log in with administrative privileges, if such credentials exist in C ∗ , or with regular user privileges otherwise. If the attack is successful and the goal node is reached, Lines 32–46 backtrack from the goal node to find a minimal instance, only including the harvest operations minHarvests and lateral movements minLateralM oves that were strictly necessary for reaching the goal. Starting from the goal node (Line 35), Lines 36– 44 iteratively identify the lateral movement that allowed to reach the node currently being examined and add it to the set minLateralMoves (Line 43) while concurrently gathering information about the harvest operations that yielded the credentials used for that lateral movement (Line 42).

8

Experimental Results

To evaluate our model and heuristic, we used data from the Comprehensive, Multi-Source Cyber-Security Events dataset [7] made available by Los Alamos National Laboratory (LANL). This dataset represents 58 consecutive days of de-identified event data collected from five sources within LANL’s internal computer network. The data of interest for our project includes Windows-based authentication events from both individual computers and centralized Active Directory domain controller servers, and network flow data as collected at several key router locations. In total, the dataset includes more than 1.5 billion events for 12,425 users and 17,684 computers. In a first set of experiments, we examined how the deployment of a countermeasure effectively increases the attacker’s effort, or even prevents the attacker from reaching the goal altogether. We ran the algorithm 100 times with T ∗ = {0, 20, 40, . . .} (i.e., the attacker performs an attack step every 20 time units)

380

M. Albanese et al.

Algorithm 3. minAttackEffort(N, vs , vg , kh , kl , minAge, γ, T ∗ , maxEffort Input: A network N = (V, E, α, μ), a start node vs , a goal vg , the maximum number kh of nodes to harvest from and the maximum number kl of nodes to move to in single attack step, the minimum number minAge of time units before a node can be harvested again, the credential cache γ, a sequence T ∗ = {t0 , t1 , . . . , tm } of times at which to execute attack steps, the maximum effort maxEffort used to prune the search space. Output: The effort effort expended to find a solution, a flag success indicating whether an attack instance was found, and an upper bound minEffort on the minimum attacker’s effort if a solution was found. 1: // Initialize C ∗ with the credentials of a random administrative user of vs 2: C ∗ ← κ (randomChoice(α(vs , t0 )), t0 ) 3: Va ← {vs } // Attacker is initially logged into start node with admin privileges 4: // Initialize variables to track harvests and lateral movements 5: harvests ← ∅ lateralMoves ← ∅ 6: effort ← (0, 0, 0) // Effort is (no. of harvests, no. of lateral movements, time) 7: k ← 1 8: // Stage 1: perform a depth-first search towards the goal node to find a viable attack instance 9: while vg ∈ Va ∧ f (effort) ≤ maxEffort ∧ k ≤ m do 10: // Harvesting stage 11: harvestTargets ← selectHarvestTargets(G, Va , vg , kh , minAge) 12: for v ∈ harvestTargets do 13: C ∗ ← C ∗ ∪ getCredentials(v, γ, tk ) 14: harvests ← harvests ∪ {(v, getCredentials(v, γ, tk ), tk )} 15: end for 16: // Lateral movement stage 17: V l ← lateralCandidates(G, C ∗ ) 18: lateralTargets ← selectLateralTargets(G, V l , vg , kl ) 19: for v ∈ lateralTargets do 20: V ∗ ← V ∗ ∪ {v} 21: (vp , c) ← selectSourceAndCredential(v ) 22: if c.user ∈ α(v) then 23: Va ← Va ∪ {v} 24: end if 25: lateralMoves ← lateralMoves ∪ {(vp , v, c, tk )} 26: end for 27: effort ← effort + (|harvestTargets|, |lateralTargets|, tk − tk−1 ) 28: k ←k+1 29: end while 30: success ← vg ∈ Va 31: // Stage 2: if an instance was found, backtrack to find minimal subset of the instance 32: if success then 33: minHarvests ← ∅ 34: minLateralMoves ← ∅ 35: queue ← {(vg , a)} // vg needs to be accessed with admin privileges 36: while queue = ∅ do 37: (v, l) ← queue.pop() // Node v must be accessed with privilege level l 38: // Find the lateral movement that allowed the attacker to reach v 39: move ← findMove(lateralMoves, v, l) 40: queue.push(move.vp , u) // Source node of lateral movement 41: queue.push(selectCredentialSource(harvests, c), a) // Node with credentials 42: minHarvests ← minHarvests ∪ {selectCredentialSource(harvests, c)} 43: minLateralMoves ← minLateralMoves ∪ {move} 44: end while 45: minEffort ← (|minHarvests|, |minLateralMoves|, effort.time) 46: end if 47: return effort, success, minEffort

1 and the flushing frequency for administrative users set to 19 (i.e., credentials are flushed every 19 time units). For each run, start and goal nodes were chosen randomly. In 30 cases the attacker did not reach the goal during the simulation time, whereas in the other 70 cases the effort increased by an average 29.1% and 24.9% when using functions f1 and f2 respectively (see Appendix C) to convert

A Formal Model for Credential Hopping Attacks

381

the effort triple into a scalar value. The results for the first 10 runs are reported in Table 1. Table 1. Results of the first 10 runs for flushing frequency Before flushing

After flushing

1 . 19

% Variations

minEf f ort f1 () f2 () minEf f ort f1 () f2 () %f1

%f2

(4,9,260) (3,5,180) (3,7,320) (3,7,100) (3,7,900) (3,9,80) (3,8,2700) (3,9,2940) (3,7,4460) (3,8,2020)

–0.7% 23.3% 8.6% 64.8% 3.3% 88.3% 4.6% 4.5% 0.1% 3.3%

57 39 68 24 184 21 544 593 896 408

0.91 0.79 0.91 0.6 0.95 0.52 0.95 0.95 0.95 0.95

(3,8,300) (4,8,460) (5,7,580) (7,12,460) (4,7,980) (6,8,440) (5,11,3100) (5,12,4140) (3,8,4540) (4,9,3280)

64 97 121 100 200 94 626 835 912 661

0.9 0.97 0.99 0.99 0.98 0.98 0.99 0.99 0.95 0.98

12.6% 146.9% 77.6% 315% 8.9% 350% 15.1% 40.8% 1.8% 61.9%

We ran the algorithm again 100 times with the flushing frequency for administrative users set to 13 . This time, in 50 cases the attacker did not reach the goal during the simulation time, a 67% increase over the previous configuration, whereas in the other 50 cases the effort increased by an average 22.9% and 3.0% when using functions f1 and f2 respectively. The results for the first 10 runs are reported in Table 2. Intuitively, one would expect the relative increase in attacker’s effort to be higher when the flushing frequency is higher, so these results may appear to be counter-intuitive. However, considering that increasing the flushing frequency leads to more cases in which the attacker cannot reach the goal, a more accurate measure of the overall increase in attacker’s effort could be computed as a combination of the number of cases in which the attacker cannot reach the goal and the average effort increase for the remaining cases. Next, we evaluated the processing time of the heuristic algorithm. As shown in Fig. 3, processing time for a pair of start and goal nodes at a given distance is independent from the size of the dataset used. Specifically, the dataset we used has connected components with a maximum diameter of 6, thus we plotted results for path lengths of 2 through 6. The processing time appears to be linear with the distance between start and goal nodes. As part of our future work, we plan to evaluate the scalability of our solution on datasets with larger connected components.

382

M. Albanese et al. Table 2. Results of the first 10 runs for flushing frequency Before flushing

After flushing

1 . 3

% Variations

minEf f ort f1 ()

f2 () minEf f ort f1 ()

f2 () %f1

%f2

(4,9,1927) (3,7,4190) (3,6,2023) (3,9,5373) (3,7,7817) (3,9,6886) (4,11,7331) (4,10,7331) (3,8,7291) (3,7,7271)

0.98 0.95 0.95 0.95 0.95 0.95 0.98 0.98 0.95 0.95

1 1 0.98 0.99 0.98 0.99 0.99 0.99 1 0.99

1.6% 5.3% 3.5% 4.5% 3.4% 4.5% 1.2% 1.2% 5% 4.6%

391 842 408 1079 1567 1382 1472 1472 1463 1458

(6,9,2547) (9,12,5630) (4,8,2023) (5,8,5873) (4,10,7957) (5,9,8746) (5,12,7811) (5,10,7811) (6,12,8551) (5,10,8671)

515 1134 409 1180 1597 1755 1569 1568 1717 1740

32% 34.7% 0.3% 9.3% 1.9% 27% 6.6% 6.5% 17.4% 19.3%

Fig. 3. Processing time

9

Conclusions and Future Directions

To address the limitations of existing approaches to modeling credential hopping attacks, we presented a formal model to describe these attacks as iteratively performing multiple credential-harvesting operations and lateral movements to reach predefined objectives. We explicitly considered the time-variant nature of all variables involved, and showed how different countermeasures impact key variables of the proposed model. We also defined an intuitive metric for quantifying the attacker’s expended effort to reach a given goal. Although direct computa-

A Formal Model for Credential Hopping Attacks

383

tion of a verifiably minimum value for this metric is demonstrably infeasible, we proposed heuristics to achieve reasonable upper bounds. We validated our model and bound-heuristics through simulations, including assessing the impact of a deployed countermeasure. Future work will include further refining the proposed model to formalize the notion of attack instance, which has been informally introduced here as a triple defined by the set of harvests and lateral movements performed during an attack and the time to reach the goal. Intuitively, an instance of a credential hopping attack is a tree over the network, but, given the time-variant nature of edges, some of them may not exist for the entire duration of the attack. Additional future work will involve expanding the set of possible countermeasures and running experiments to evaluate their impact on the attacker’s effort. Possible countermeasures may include privilege revocation and session termination.

A

Matrix Representation of Flushing Policies

A consistent flushing policy can be represented as a matrix, where rows correspond to nodes and columns correspond user accounts. For instance, the policy of Example 1 can be represented as shown in Fig. 4. This policy specifies that credentials for user u1 must be flushed from all nodes every 5 time units, credentials for users u2 and u3 must be flushed from nodes v1 and v2 every 10 time units, and credentials for user u2 must be flushed from node v3 every 15 time units. Each policy entry can be represented as a subset of the matrix that does not overlap with any other entry.

Fig. 4. Example of matrix representation of a flushing policy

If a system allows the specification of an inconsistent flushing policy, the policy could be paired with a strategy to resolve conflicts. For instance, when two different frequencies are assigned to the same (u, v) pair, a conservative strategy would entail choosing the highest frequency.

B

Credential Update

A credential update policy can be defined as a pair (Wu , Ψu ), where (i) Wu ⊆ 2U is a set of nonempty subsets of U, and (ii) Ψu : Wu → N is a mapping that associates each set Uu ∈ Wu with the frequency, expressed as an integer number of time intervals, at which credentials for users in Uu must be updated.

384

M. Albanese et al.

Example 4. Consider a set of user accounts U = {u1 , u2 , u3 , u4 }. A possible credential update policy (Wu , Ψu ), with Wu = {{u1 }, {u2 , u3 }}, could be defined as follows: Ψu ({u1 }) = 40

Ψu ({u2 , u3 }) = 60

This policy specifies that credentials for user u1 must be updated every 40 time units and credentials for users u2 and u3 must be updated every 60 time units. A credential update policy is said to be consistent if the set Wu induces a partition on the subset of U including all users that are covered by the policy, i.e., if the set Wu is a partition of the set ∪Uu ∈Wu Uu . Intuitively, a consistent policy prevents that two different update frequencies are assigned to the same user account. Example 5. Consider the update policy of Example 4. The subset of U including all users that are covered by the policy is {u1 , u2 , u3 }. The set Wu = {{u1 }, {u2 , u3 }} induces a partition on such set. Adding {u1 , u2 } to Wu and setting Ψu ({u1 , u2 }) = 7 would render this policy inconsistent, as Wu would no longer induce a partition on the set ∪Uu ∈Wu Uu . If a user account u is not included in any Uu ∈ Wu , then the owner of that account is not forced to update credentials periodically. For instance, the policy of Examples 4 and 5 is not defined for {u4 }, so credentials for user u4 are never updated, as u4 is not covered by any other entry in Wu . Given a consistent credential update policy Ψf and a set Uu ∈ Wu , to simplify notation, for each u ∈ Uu , we can use Ψu (u) to refer to Ψu (Uu ). The consistency of the policy ensures that Ψu (u) is uniquely defined, and we assume that a policy is consistent, unless otherwise specified. If a system allows the specification of an inconsistent update policy, the policy could be paired with a strategy to resolve conflicts, or conflicts could simply be reported to an administrator. For instance, when two different frequencies are assigned to the same user u, a conservative strategy would entail choosing the highest frequency. Given a credential update policy (Wu , Ψu ), we define its update schedule as a mapping σu : T → 2U that associates each time point ti ∈ T with the set of users whose credentials are updated at time ti , that is σu (ti ) = {u ∈ U | ∃k ∈ N, ti = t0 + k · Ψu (u)}

(10)

Based on our definition of active session, updating a user’s credential renders all sessions using that user’s prior credentials inactive. While this is a simplifying assumption, this objective could be achieved by pairing a credential update policy with a session termination policy. In the interest of focusing this paper on the key aspects of our attack model, we do not explicitly model a session termination policy as a possible countermeasure, and reserve this issue for future research. Instead, we assume that every time a credential is updated or revoked, sessions created using that credential are selectively terminated, which is what

A Formal Model for Credential Hopping Attacks

385

ideally should happen. The set of sessions that are terminated at time ti as a consequence of a credential update policy Ψu is defined as the set of sessions that were active at time ti−1 and used credentials that have just been updated. Sj† = {(v, c) ∈ Si−1 | c.user ∈ σu (ti )}

(11)

Terminating a session on a node the attacker was logged in prevents the attacker from moving laterally from that node, as captured by our definition of lateral movement. In Eq. 3, nodes that the attacker is no longer logged in due to session termination are removed from the set Vj∗ , which becomes the starting point for lateral movements during the next attack step.

C

Scalar Attacker Effort

We have defined the attacker’s effort as a triple I = (|H|, |M |, t), where H and M are sets of harvest operations and lateral movements respectively, and t is the time to reach the goal node. Then, we assumed the existence of a function f : N3 → R+ that converts a triple (|H|, |M |, t) into a scalar value. Equations 12 and 13 below represent two possible instantiations of such a function. Function f1 is a simple weighted average of the three elements, whereas function f2 is a more sophisticated way of combining the three variables, allowing to account for diminishing return effects and obtain a result that is normalized between 0 and 1. f1 (|H|, |M |, t) = wh · |H| + wm · |M | + wt · t

(12)

     f2 (|H|, |M |, t) = 1 − e−α·|H| · 1 − e−β·|M | 1 − e−γ·t

(13)

References 1. Albanese, M., Jajodia, S.: A graphical model to assess the impact of multistep attacks. J. Def. Model. Simul. 15(1), 79–93 (2018). https://doi.org/10.1177/ 1548512917706043 2. Desimone, J.: Windows credential theft: Methods and mitigations. Rochester Institute of Technology (2012) 3. Dunagan, J., Zheng, A.X., Simon, D.R.: Heat-ray: combating identity snowball attacks using machinelearning, combinatorial optimization and attack graphs. In: Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems Principles, SOSP 2009, pp. 305–320. Association for Computing Machinery, New York (2009). https://doi.org/10.1145/1629575.1629605 4. Hagberg, A., Lemons, N., Kent, A., Neil, J.: Connected components and credential hopping in authentication graphs. In: 2014 Tenth International Conference on Signal-Image Technology and Internet-Based Systems, pp. 416–423 (2014). https:// doi.org/10.1109/SITIS.2014.95

386

M. Albanese et al.

5. Hong, J.B., Kim, D.S., Chung, C.J., Huang, D.: A survey on the usability and practical applications of graphical security models. Comput. Sci. Rev. 26, 1–16 (2017). https://doi.org/10.1016/j.cosrev.2017.09.001, https://www.sciencedirect. com/science/article/pii/S1574013716301083 6. Kent, A.D.: User-computer authentication associations in time. Los Alamos National Laboratory (2014). https://doi.org/10.11578/1160076 7. Kent, A.D.: Comprehensive, Multi-Source Cyber-Security Events. Los Alamos National Laboratory (2015). https://doi.org/10.17021/1179829 8. Kent, A.D., Liebrock, L.M., Neil, J.C.: Authentication graphs: analyzing user behavior within an enterprise network. Comput. Secur. 48, 150–166 (2015). https://doi.org/10.1016/j.cose.2014.09.001, https://www.sciencedirect. com/science/article/pii/S0167404814001321 9. Microsoft: Windows defender credential guard (2022). https://docs.microsoft. com/en-us/windows/security/identity-protection/credential-guard/credentialguard-manage 10. Noel, S., Swarup, V., Johnsgard, K.: Optimizing network microsegmentation policy for cyber resilience. J. Def. Model. Simul. Appl. Methodol. Technol., 1–23 (2021). https://doi.org/10.1177/15485129211051386 11. Pope, A.S., Morning, R., Tauritz, D.R., Kent, A.D.: Automated design of network security metrics. In: Proceedings of the Genetic and Evolutionary Computation Conference Companion, GECCO 2018, pp. 1680–1687. Association for Computing Machinery, New York (2018). https://doi.org/10.1145/3205651.3208266 12. Turcotte, M.J.M., Kent, A.D., Hash, C.: Unified Host and Network Data Set, chap. Chapter 1, pp. 1–22. World Scientific (2018)

No-Directional and Backward-Leak Uni-Directional Updatable Encryption Are Equivalent Huanhuan Chen, Shihui Fu(B) , and Kaitai Liang Delft University of Technology, Delft, The Netherlands {h.chen-2,shihui.fu,kaitai.liang}@tudelft.nl

Abstract. Updatable encryption (UE) enables the cloud server to update the previously sourced encrypted data to a new key with only an update token received from the client. Two interesting works have been proposed to clarify the relationships among various UE security notions. Jiang (ASIACRYPT 2020) proved the equivalence of every security notion in the bi-directional and uni-directional key update settings and further, the security notion in the no-directional key update setting is strictly stronger than the above two. In contrast, Nishimaki (PKC 2022) proposed a new definition of uni-directional key update that is called the backward-leak uni-directional key update, and showed the equivalence relation by Jiang does not hold in this setting. We present a detailed comparison of every security notion in the four key update settings and prove that the security in the backward-leak uni-directional key update setting is actually equivalent to that in the no-directional key update setting. Our result reduces the hard problem of constructing no-directional key update UE schemes to the construction of those with backward-leak uni-directional key updates. Keywords: Updatable encryption

1

· Key update · Security notion

Introduction

When a client stores encrypted data on a cloud server, a good way of key management is to change keys periodically, so as to resist the risk of key leakage. This process is referred to as key rotation, in which the core of the update relies on how to update the previous encrypted data to be decryptable by a new key. A possible way is to download and decrypt the encrypted data with the old key, and then encrypt the data with the new key and upload the new encrypted data again. But the download and upload process would be extremely expensive if there exists a considerable amount of data. Updatable encryption (UE) [3] provides a practical solution to the above dilemma. Its core idea is that the client offers the cloud server the ability to update ciphertexts by the update tokens, with a requirement that the update token should not leak any information about the data. There are two flavors c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 387–407, 2022. https://doi.org/10.1007/978-3-031-17140-6_19

388

H. Chen et al.

of UE depending on if ciphertexts are needed in the generation of the update token. One is called ciphertext-dependent UE [2,3,5,6], in which clients need to download partial components of the encrypted data, called ciphertext header, from the cloud to generate the update token, and the token can only update the corresponding ciphertext. The other, more practical than the previous one, is known as ciphertext-independent UE [4,10–12,14,16], in which the token only depends on the old and the new keys, and a single token can update all existing ciphertexts. In this work, we only focus on the latter. Security Notions. The security of UE schemes should be maintained even under a temporary corruption of keys and update tokens. The original UE construction and its security model against passive adversaries were proposed by Boneh et al. [3], where the adversary in the security game should specify the epoch keys it wishes to know before sending queries to the challenger. The confidentiality notions were further strengthened by [4,11,12], which attempts to capture the practical abilities of the adaptive attacker. The adversary can corrupt epoch keys and updated tokens at any time during the game as long as it does not trigger the trivial win conditions, which will be checked after the adversary submits its guessing bit (more details can be found in Sect. 2). A summary of existing confidentiality notions and their major difference is presented in Fig. 1.

IND-Enc-notion [12] IND-Upd-notion [12] IND-UE-notion [4]

Challenge Input ¯ 0, m ¯ 1) (m (¯c0 , ¯c1 ) ¯ 0 , ¯c1 ) (m

Challenge Output ¯ 0 ), Enc(m ¯ 1 )) (Enc(m (Upd(¯c0 ), Upd(¯c1 )) ¯ 0 ), Upd(¯c1 )) (Enc(m

Fig. 1. A summary of confidentiality notions, where notion ∈ {CPA, CCA}. The adversary in each confidentiality game provides two challenge inputs based on the oracles it has access to and tries to distinguish the challenge outputs.

Boyd et al. [4] proved that IND-UE-notion is strictly stronger even than the combination of the prior two (in Fig. 1) defined in [12]. They further proposed an integrity notion called IND-CTXT. Jiang [10] defined another integrity notion called IND-PTXT. In the CTXT game, the adversary tries to provide a valid ciphertext that is different from the ciphertexts obtained during the game by the challenger; while in the PTXT game, the adversary needs to provide a valid ciphertext, whose underlying plaintext has not been queried during the game. Those two integrity notions are similar to the integrity notions of symmetric encryption schemes, but the adversary is provided with oracles specified in UE and trivial win conditions are also checked after the adversary submits its forgery. Hereafter by security notions, we mean the set of all confidentiality and integrity notions in [4] and [10]: {detIND-UE-CPA,randINDUE-CPA,detIND-UE-CCA, randIND-UE-CCA, IND-CTXT, IND-PTXT}, where

Equivalence of Updatable Encryption

389

det/rand denotes the ciphertext updates are deterministic or randomized, respectively. Key Update Directions. The update token is generated by two successive epoch keys via the token generation algorithm, i.e., Δe,e+1 = TokenGen(ke , ke+1 ) (defined in Sect. 2); therefore the adversary may derive one of the two successive keys from the other if the update token is known. Jiang [10] investigated three key update directions: bi-directional key updates in which both the old key ke and the new key ke+1 can be derived from the other, uni-directional key updates in which only the new key ke+1 can be derived from the old key ke but ke cannot be derived from ke+1 , and no-directional key updates in which no keys in the two successive epoch keys can be derived from the other. The direction of key update affects the computation of leakage information known to the adversary, which in turn affects the computation of trivial win conditions as well as security notions. However, the main result in [10] shows that the security notions in the bi-directional key update setting and in the uni-directional key update setting are equivalence, while the security notions in the no-directional key update setting are strictly stronger. Nishimaki [14] recently introduced a new definition of uni-directional key update that is called the backward-leak uni-directional key update for distinction, where the update direction is the opposite of the original uni-directional key update in [10] (called the forward-leak uni-directional key update for distinction). That is, the old key ke can be derived from the new key ke+1 , but ke+1 cannot be derived from ke . Nishimaki [14] demonstrated a contrasting conclusion that the security notions in the backward-leak uni-directional key update setting are not equivalent to those in the bi-directional directional key update setting. But the relations among UE schemes in the four kinds of keys update settings have not been fully investigated yet. Thus, a natural interesting open problem that should be clear before any valuable constructions is as follows: What are the relations among UE schemes in the bi-directional, forwardleak uni-directional, backward-leak uni-directional, and no-directional key update settings? Our Contributions. At first glance, one may think that UE schemes with no-directional key updates should be strictly strong than UE with all the other three key update directions, just as proved in [10] that no-directional key updates setting leaks less information about keys, tokens and ciphertexts than the bidirectional and forward-leak uni-directional key updates. However, our main result provides a surprising result that, for each security notion, no-directional key update UE schemes, which were believed to be strictly stronger than the other directional key update schemes, are actually equivalent to those with backward-leak uni-directional key updates. Our main technique is to analyze the relations of the trivial win conditions for each security notion in different key update settings. As in other semantic security definitions, the adversary in the security game for UE is provided access to different oracles to capture realistic attack models. However, it may

390

H. Chen et al.

lead to a trivial win if the adversary queries some combinations of oracles. Therefore, the bookkeeping technique was developed in [11,12] that tracks the leakage information of tokens, keys, and ciphertexts known to the adversary during the game and checks if those leakages may lead the adversary to trivially win after the adversary submits its guessing bit. The direction of key update affects the computation of leakage information and thus, we analyze the relations among UE schemes by analyzing the relations of trivial win conditions in different key update directions, especially the backward-leak uni-directional key update which was not covered by [10]. Based on our result, when analyzing the security notions, we can treat UE schemes with no-directional key updates as those with backward-leak unidirectional key updates. Currently, there are only two no-directional key update UE schemes in the literature: one is built on Ciphertext Puncturable Encryption [16] and the other is built on one-way functions and indistinguishability obfuscation [14]. Our result can eliminate the need for constructing UE schemes with no-directional key dates while also keeping security, since it is sufficient to construct UE schemes with backward-leak uni-directional key updates, which is much easier than the former. More related works are given in Appendix A.

2

Updatable Encryption

We review the syntax of UE and the confidentiality and integrity definitions. Definition 1 ([11]). A UE scheme includes a tuple of PPT algorithms {UE.KG, UE.Enc, UE.Dec, UE.TG, UE.Upd} that operate in epochs, starting from 0. – UE.KG(1λ ): the key generation algorithm outputs an epoch key ke . – UE.Enc(ke , m): the encryption algorithm takes as input an epoch key ke and a message m and outputs a ciphertext ce . – UE.Dec(ke , ce ): the decryption algorithm takes as input an epoch key ke and a ciphertext ce and outputs a message m . – UE.TG(ke , ke+1 ): the token generation algorithm takes as input two epoch keys ke and ke+1 and outputs a token Δe+1 . – UE.Upd(Δe+1 , ce ): the update algorithm takes as input a token Δe+1 and a ciphertext ce and outputs a ciphertext ce+1 . Correctness for UE means that any valid ciphertext and its updates should be decrypted to the correct message under the appropriate epoch key. The definitions of confidentiality and integrity for UE are given in Definition 2 and Definition 3, respectively. In general, the adversary in each security game is provided with access to different oracles, which enables it to obtain information about epoch keys, update tokens and ciphertexts from the challenger. In the challenge phase of the confidentiality game, the adversary submits a challenge ¯ and a challenge ciphertext ¯c according to the information it already message m has and receives a ciphertext from the challenger, and its goal is to guess the ¯ or an update of ¯c. Then received ciphertext is an encryption of the message of m

Equivalence of Updatable Encryption

391

the adversary can continue to query the oracles and eventually provides a guessing bit. In the integrity game, the goal of the adversary is to forge a new valid ciphertext. In both security games, some combinations of oracles may lead to a trivial win of the game for the adversary, so the challenger will check if those trivial win conditions are triggered during the game by a bookkeeping technique developed in [12]. An overview of the oracles that the adversary has access to is shown in Fig. 4, how to compute the leakage set and its extension are described in Sect. 2.1, and the trivial win conditions in different security games are presented in Sect. 2.2. Definition 2 (Confidentiality, [4]). Let UE = {UE.KG, UE.Enc, UE.Dec} be an updatable encryption scheme. For notion ∈ {detIND-UE-CPA, randIND-UE-CPA, detIND-UE-CCA, randIND-UE-CCA}, the notion advantage of an adversary A is     notion λ notion-1 notion-0 defined as: AdvUE,A (1 ) = Pr[ExpUE,A = 1] − Pr[ExpUE,A = 1] where the experiment Expnotion-b is given in Fig. 2 and Fig. 4, and det and rand denote the UE,A ciphertext update procedure is deterministic and randomized, respectively. We say λ a UE scheme is notion secure if Advnotion UE,A (1 ) ≤ negl(λ) Definition 3 (Integrity, [4,10]). Let UE = {UE.KG, UE.Enc, UE.Dec} be an updatable encryption scheme. For notion ∈ {INT-CTXT, INT-PTXT}, the notion    notion λ notion advantage of an adversary A is defined as: AdvUE,A (1 ) = Pr[ExpUE,A = 1] where the experiment Expnotion UE,A is given in Fig. 3 and Fig. 4. We say a UE scheme λ is notion secure if Advnotion UE,A (1 ) ≤ negl(λ)

Fig. 2. Generic description of the confidentiality experiment ExpxxIND-UE-atk-b for xx ∈ UE,A {rand, det}, atk ∈ {CPA, CCA} and b ∈ {0, 1}. The flag phase ∈ {0, 1} denotes whether or not A has queried the O.Chall oracle, and twf tracks if the trivial win conditions  is the set of oracles A can are triggered, and O = O.{Enc, Next, Upd, Corr, Chall, UpdC} access to, which are defined in Fig. 4. When atk = CCA, the decryption oracle O.Dec is also added to O. The computation of K∗ , T ∗ , C ∗ are discussed in Sect. 2.1.

392

H. Chen et al.

IND-atk Fig. 3. Generic description of the confidentiality experiment ExpUE,A for atk ∈ {CTXT, PTXT}. The flag win tracks whether or not A provided a valid forgery, twf tracks if the trivial win conditions are triggered, and O = O.{Enc, Next, Upd, Corr, Try} is the set of oracles A can access to, which are defined in Fig. 4.

2.1

Leakage Sets

In security games of UE, the adversary is provided access to various oracles as shown in Fig. 4, so it can learn some information about update keys, epoch tokens and ciphertexts during the query phase. Moreover, it can extend the information via its known tokens, and the extension depends on the direction of key update and the direction of ciphertext update. We start by describing the leakage sets in [11,12], and then show how to compute the extended leakage sets in different key update direction settings. Epoch Leakage Sets. We record the following epoch sets related to epoch keys, update tokens, and challenge-equal ciphertexts. – K: Set of epochs in which the adversary corrupted the epoch key from O.Corr. – T : Set of epochs in which the adversary corrupted the update token from O.Corr. – C: Set of epochs in which the adversary learned a challenge-equal ciphertext  (the ciphertext related to the challenge inputs) from O.Chall or O.UpdC. The adversary can use its corrupted tokens to extend K, T , C to infer more ˆ ∗ , T ∗ , C ∗ as the extended sets respectively, and how information. We use K∗ , K ∗ ˆ∗ ∗ ∗ to compute K , K , T , C are shown later. Information Leakage Sets. We record the following sets related to ciphertexts known to the adversary. – L: Set of non-challenge equal ciphertexts (c, c, e; m) the adversary learned from O.Enc or O.Upd.  Set of challenge-equal ciphertexts (˜ce , e) the adversary learned from O.Chall – L:  or O.UpdC. The adversary can also use its corrupted tokens to extend L, L to infer more information about ciphertexts. In the deterministic update setting, we denote  respectively. L∗ , L∗ as the extended sets of L and L,

Equivalence of Updatable Encryption Setup(1λ ): $

393

O.Upd(ce−1 ): λ

k0 ← UE.KG(1 )

if (j, ce−1 , e − 1; m) ∈  L then

Δ0 ← ⊥; e, c, twf ← 0 ˜ C, K, T ← ∅ L, L,

ce ← UE.Upd(Δe , ce−1 )

O.Enc(m): c←c+1 $

c ← UE.ENC(ke , m)) L ← L ∪ {(c, c, e; m)} return c O.Dec(c): 

m or ⊥ ← UE.Dec(ke , c)  (xx = det and (c, e) ∈ L˜∗ ) or  ˜ ∗ ) then (xx = rand and (m , e) ∈ Q

if

twf ← 1 return m or ⊥ O.Next(): e←e+1 $

ke ← UE.KG(1λ ) Δe ← UE.TG(ke−1 , ke ) if phase = 1 then ˜ce ← UE.Upd(Δe , ˜ce−1 ) O.Corr(inp, ˆe) if ˆe > e then return ⊥ if inp = key then K ← K ∪ {ˆe} return kˆe if inp = token then T ← T ∪ {ˆe}

return ⊥ L ← L ∪ {(j, ce , e; m)} ¯ ¯c) O.Chall(m, if phase = 1 then return ⊥ phase ← 1; ˜e ← e ¯ 1) ∈ if (·, ¯c, e − 1; m  L then return ⊥ if b = 0 then ˜c˜e ← UE.Enc(k˜e , m) ¯ else ˜c˜e ← UE.Upd(Δ˜e , ¯c) C ← C ∪ {˜e} L¯ ← L¯ ∪ {(˜c˜e , ˜e)} return ˜c˜e  O.UpdC if phase = 1 then return ⊥ C ← C ∪ {e} L¯ ← L¯ ∪ {(˜ce , e)} return ˜ce O.Try( c) m or ⊥ ← UE.Dec(ke , ˜c) if (e ∈ K∗ or (atk = CTXT and (˜c, e) ∈ L∗ ) or  ˜ ∗ ) then (atk = PTXT and (m , e) ∈ Q twf ← 1 if m = ⊥ then win ← 1

return Δˆe

Fig. 4. Oracles in the UE security games. m1 is the underlying message of the challenge ∗ are defined  L∗ , L∗ , C, K, K∗ , T , T ∗ , Q, Q∗ , Q input ciphertext ¯c. The leakage sets L, L, in Sect. 2.1.

∗ to denote respectively the In randomized UE schemes, we use Q∗ , Q  extended sets of L, L: – Q∗ : Set of plaintexts (m, e). The adversary learned in the query phase or could create a ciphertext of m in the epoch e.

394

H. Chen et al.

∗ : Set of challenge plaintexts {(m, ¯ e), (m ¯ 1 , e)}, where (m, ¯ ¯c) is the query – Q ¯ 1 is the plaintext of ¯c. The adversary learned in the input of O.Upd and m ¯ or m ¯ 1 in the epoch e. query phase or could create a ciphertext of m Inferred Leakage Sets. The adversary can infer more information from K, L and C via its corrupted tokens, which are computed as follows. Key Leakage. Since the update tokens are generated from two successive epoch keys by Δe+1 = UE.TG(ke , ke+1 ), one epoch key in {ke , ke+1 } may be inferred by the other via the known token Δe+1 . ∗ – No-directional key updates: Kno = K. The adversary does have more information about keys except K, since tokens cannot be used to derive keys. – Forward-leak uni-directional key updates: ∗ = {e ∈ {0, . . . , l} | CorrK(e) = true}, Kf-uni

where true ← CorrK(e) ⇐⇒ (e ∈ K) ∨ (CorrK(e − 1) ∧ e ∈ T ). The adversary can infer more keys from corrupted tokens and keys in the previous epoch. – Backward-leak uni-directional key updates: ∗ = {e ∈ {0, . . . , l} | CorrK(e) = true}, Kb-uni

(1)

where true ← CorrK(e) ⇐⇒ (e ∈ K) ∨ (CorrK(e + 1) ∧ e + 1 ∈ T ). Keys can be inferred from corrupted tokens and keys in the next epoch. – Bi-directional key updates: ∗ = {e ∈ {0, . . . , l} | CorrK(e) = true}, Kbi

(2)

where true ← CorrK(e) ⇐⇒ (e ∈ K) ∨ (CorrK(e − 1) ∧ e ∈ T ) ∨ (CorrK(e + 1) ∧ e + 1 ∈ T ). Besides the corrupted keys K, the adversary can infer more keys ∗ ∗ ∗ = Kf-uni ∪ Kb-uni . both from key upgrades and downgrades, i.e., Kbi ˆ is defined to check if the adversary can trivially In the integrity game, a set K forge a valid ciphertext as follows. ˆ ∗ = {i ∈ {0, . . . , l} | ForgK(i) = true} K true ← ForgK(i) ⇐⇒ (i ∈ K) ∨ (CorrK(e − 1) ∧ e ∈ T )

(3)

Token Leakage. The adversary knows a token by either corrupting or inferring from two successive keys. Then we have ∗ ∗ ∧ e − 1 ∈ Kkk }, Tkk∗ = {e ∈ {0, . . . , l} | (e ∈ T ) ∨ (e ∈ Kkk

(4)

for kk ∈ {no, f-uni, b-uni, bi}. Ciphertext Leakages. Different from the direction of key update, ciphertexts should always be upgraded but are not necessarily downgraded by tokens, so there are only two types of ciphertext directions.

Equivalence of Updatable Encryption

395

– Uni-directional ciphertext updates: ∗ Ckk,uni = {e ∈ {0, . . . , l} | ChallEq(e) = true},

(5)

where ChallEq(e) = true ⇐⇒ (e ∈ C) ∨ (ChallEq(e − 1) ∧ e ∈ Tkk∗ ). Besides the learned ciphertext C, the adversary can infer more ciphertexts from corrupted tokens and ciphertexts in the previous epoch. – Bi-directional ciphertext updates: ∗ = {e ∈ {0, . . . , l} | ChallEq(e) = true}, Ckk,bi

(6)

where ChallEq(e) = true ⇔ (e ∈ C) ∨ (ChallEq(e − 1) ∧ e ∈ Tkk∗ ) ∨ (ChallEq(e + 1) ∧ e + 1 ∈ Tkk∗ ). Besides the learned ciphertext C, the adversary can infer more ciphertexts both from key upgrades and downgrades. Remark 1. From the definition, the leakage sets have the following relations, – (˜ce , e) ∈ L ⇐⇒ e ∈ C, ∗ . ¯ e), (m ¯ 1 , e)} ∈ Q – (˜ce , e) ∈ L∗ ⇐⇒ e ∈ C ∗ ⇐⇒ {(m, An example of the computation of leakage sets is provided in Appendix B. 2.2

Trivial Win Conditions

In the security games of UE, the leaked information probably leads the adversary to trivially win the game. The challenger will check if any trivial win condition is triggered at the end of the game. A summary of trivial win conditions is described in Fig. 5, which follows from the analysis in [4,10–12]. A detailed explanation of the trivial win condition is provided in Appendix C.

r s ∗ o )i C T d(¯c ∗ ∩ ∈ K ˜e .Up O    ×    × × × × × ∗

notion detIND-UE-CPA randIND-UE-CPA detIND-UE-CCA randIND-UE-CCA IND-CTXT IND-PTXT

=

∅

e qu

rie

d ˜∗ L

) )∈  ,e ,e (m (c

× ×  × × ×

× × ×  × ×

∗

∈

˜ Q

e

× × × ×  

∗

∗

∗

∈

ˆK

)∈ ,e (˜c

× × × ×  ×

L



(m

)∈ ,e

Q

× × × × × 

Fig. 5. Trivial win conditions in different security games for updatable encryption.  and × indicate whether the security notion considers the corresponding trivial win conditions or not. ˜e is the challenge epoch, i.e., the epoch the adversary queries O.Chall, and e represents the current epoch.

396

H. Chen et al.

We review some properties of leakage sets as follows. Definition 4 (Firewall, [4,10–12]). An insulated region with firewalls fwl and fwr, denoted by FW, is the consecutive sequence of epochs (fwl, . . . , fwr) for which: – no key in the sequence of epochs (fwl, . . . , fwr) is corrupted; – the tokens Δfwl and Δfwr+1 are not corrupted; – all tokens {Δfwl+1 , . . . , Δfwr } are corrupted.  Denote the union of all firewalls as IR := (fwl,fwr)∈F W {fwl, . . . , fwr}. The ∗ . following lemma shows that IR is the complementary set of Kbi ∗ Lemma 1 (Lemma 3.1, [10]). For any K, T ∈ {0, . . . , l}, we have Kbi = {0, . . . , l} \ IR, where l is the maximal number of updates. ∗ ∗ ∗ Corollary 1. Since Kbi = Kf-uni ∪ Kb-uni by definition, we have {0, . . . , l} = ∗ ∗ IR ∪ Kf-uni ∪ Kb-uni . ∗ Remark 2. For an epoch e ∈ Kf-uni , it holds that either e ∈ K or there exists an ∗ , epoch ef before e, such that ef ∈ K and {ef , . . . , e} ∈ T ; for an epoch e ∈ Kb-uni it holds that either e ∈ K or there exists an epoch eb after e, such that eb ∈ K and {e, . . . , eb } ∈ T . That follows directly from the definition.

3

Relations Among Security Notions

To capture the security for UE schemes with kk-directional key updates and cc-directional ciphertext updates, we consider the (kk, cc)-variant of each security notion as defined in [10] (where kk ∈ {bi, f-uni, b-uni, no} and cc ∈ {uni, bi}), and then compare the relations among all the variants of each security notion. Definition 5 ((kk, cc)-variant of confidentiality, [10]). Let UE = {UE.KG, UE.Enc, UE.Dec} be an updatable encryption scheme. For notion ∈ {detIND-UE-CPA, randIND-UE-CPA, detIND-UE-CCA, randIND-UE-CCA}, the (kk, cc)-notion advantage of an adversary A is defined as     (kk,cc)-notion λ (kk,cc)-notion-1 (kk,cc)-notion-0 AdvUE,A (1 ) = Pr[ExpUE,A = 1] − Pr[ExpUE,A = 1] , where the experiment ExpUE,A is the same as the experiment Expnotion-b UE,A (see Fig. 2 and Fig. 4), except all leakage sets are computed in the kk-directional key update setting and cc-directional ciphertext update setting (see Sect. 2.1). (kk,cc)-notion-b

Definition 6 ((kk, cc)-variant of integrity, [10]). Let UE = {UE.KG, UE.Enc, UE.Dec} be an updatable encryption scheme. For notion ∈ {INT-CTXT, INT-PTXT}, the (kk, cc)-notion advantage of an adversary A is defined as     (kk,cc)-notion λ (kk,cc)-notion (1 ) = Pr[ExpUE,A = 1] , AdvUE,A

Equivalence of Updatable Encryption

397

where the experiment ExpUE,A is the same as the experiment Expnotion UE,A (see Fig. 3 and Fig. 4), except all leakage sets are computed in the kk-directional key update setting and cc-directional ciphertext update setting (see Sect. 2.1). (kk,cc)-notion

A general idea to analyze the relation of any two out of the eight variants of each security notion is to construct a reduction B, which runs the security experiment of one variant while simulating all the responses to the queries made by the adversary A in the security experiment of the other variant and forwards the guess result from A to its challenger. Recall that if a trivial win condition is triggered, the adversary will lose the game. Therefore, if the reduction B does not trigger trivial win conditions (when A does not), the advantage of the reduction B will be larger than that of the adversary A. Thus, the relation of the two variants depends on the relation of trivial win conditions in each update direction setting. 3.1

Relations Among Confidentiality Notions

The relations of eight variants of confidentiality are shown in Fig. 6. We mainly prove the equivalence of each confidentiality notion in the bi-directional key update setting and backward-leak uni-directional key update setting, i.e., (no, bi)-notion ⇐⇒ (b-uni, bi)-notion and (no, uni)-notion ⇐⇒ (b-uni, uni)-notion. Then the rest of the relations in Fig. 6 can easily follow from the prior work in [10]. Thm.3

(bi, bi)-notion

Thm.3

Thm.3

(b-uni, bi)-notion

(no, uni)-notion Thm.2 Thm.3

[10]

\

Thm.3 Thm.1

Thm.2

(b-uni, uni)-notion \

[10]

\

(bi, uni)-notion

[10]

(no, bi)-notion

[10]

(f-uni, uni)-notion [10]

(f-uni, bi)-notion

Fig. 6. Relations among the eight variants on confidentiality for notion {detIND−UE-CPA, randIND-UE-CPA, detIND-UE-CCA, randIND-UE-CCA}.

∈

The following two lemmas show UE schemes with bi-directional key updates leak more information than those with backward uni-directional key updates, which further leaks more information than those with no-directional key updates.

398

H. Chen et al.

∗ ∗ Lemma 2. For any sets K, T , C and any cc ∈ {uni, bi}, we have Kno ⊆ Kb-uni ⊆ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ˜ ˜ ˜ Kbi , Tno ⊆ Tb-uni ⊆ Tbi , Cno,cc ⊆ Cb-uni,cc ⊆ Cbi,cc , Lno,cc ⊆ Lb-uni,cc ⊆ Lbi,cc , ∗ ∗ ∗ ∗ ∗ ˜∗ ˜∗ ˜∗ Q no,cc ⊆ Qb-uni,cc ⊆ Qbi,cc , Lno,cc ⊆ Lb-uni,cc ⊆ Lbi,cc and Qno,cc ⊆ Qb-uni,cc ⊆ ∗ Qbi,cc .

Proof. For any cc ∈ {uni, bi}, the adversary infers more information in the bidirectional key update setting than in the backward uni-directional key update ∗ ∗ setting. For any K, T , C, the inferred leakage sets Kb-uni and Kbi are computed by ∗ ∗ ∗ ∗ ⊆ Kb-uni ⊆ Kbi . By Eq. (4), (5), (6), we have Tno ⊆ Eq. (1),(2), then we have Kno ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ˜ ˜ ˜ Tb-uni ⊆ Tbi and Cno,cc ⊆ Cb-uni,cc ⊆ Cbi,cc . Then we obtain Lno,cc ⊆ Lb-uni,cc ⊆ Lbi,cc ∗ ∗ ˜∗ ˜∗ ˜∗ and Q no,cc ⊆ Qb-uni,cc ⊆ Qbi,cc by Remark 1. We compute L and Q from L and ∗ ∗ ∗ ∗ ∗ Q with T , and then we have Lno,cc ⊆ Lb-uni,cc ⊆ Lbi,cc and Qno,cc ⊆ Q∗b-uni,cc ⊆ ∗ ∗ ⊆ Tb-uni ⊆ Tbi∗ .

Q∗bi,cc , which follows from Tno ∗ Lemma 3. For any sets K, T , C and any kk ∈ {b-uni, bi}, we have Ckk,uni ⊆ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ˜ ˜ ˜ ˜ Ckk,bi , Lkk,uni ⊆ Lkk,bi , Qkk,uni ⊆ Qkk,bi , Lkk,uni ⊆ Lkk,bi and Qkk,uni ⊆ Qkk,bi .

Proof. This follows similarly as in Lemma 2 and thus we omit the details.



(bi,bi)-notion ⇐⇒ (b-uni,bi)-notion. We prove the equivalence of (bi, bi)-variant and the (b-uni, bi)-variant in Theorem 1, which is based on the equivalence of trivial win conditions in Lemmas 4, 5, 6 and 7. We compare the relations of trivial win conditions in the two settings one by one (see Sect. 2.2). ∗ ∗ ∗ ∗ Lemma 4. For any sets K, T , C, we have Kbi ∩Cbi,bi = ∅ ⇐⇒ Kb-uni ∩Cb-uni,bi = ∅. ∗ ∗ ∗ ∗ ∗ Proof. From Lemma 2, we know that Kb-uni ⊆ Kbi and Cb-uni,bi ⊆ Cbi,bi , so Kb-uni ∩ ∗ ∗ ∗ ∗ ∗ ∗ ∗ Cb-uni,bi ⊆ Kbi ∩Cbi,bi . It is sufficient to prove Kbi ∩Cbi,bi = ∅ ⇒ Kb-uni ∩Cb-uni,bi = ∅. If the adversary never queries any challenge-equal ciphertext in an epoch in {0, . . . , l} \ IR, it will not obtain any challenge-equal ciphertext in this set even ∗ ∩ {0, . . . , l} \ in the bi-directional ciphertext update setting by Eq. (6), i.e., Cbi,bi ∗ ∗ ∗ IR = ∅. This contradicts Kbi ∩Cbi,bi = ∅, since Kbi = {0, . . . , l}\IR by Lemma 1. There exists an epoch e ∈ {0, . . . , l} \ IR, in which the adversary queries a ∗ . challenge-equal ciphertext, i.e., e ∈ C ∩ Kbi ∗ ∗ ∗  ∗ ∗ ∗ , then e ∈ Kb-uni ∪ C ⊆ Kb-uni ∪ Note that Kbi = Kb-uni ∪ Kf-uni . If e ∈ Kb-uni ∗ ∗ ∗  ∗ Cb-uni,bi , so Kb-uni ∪ Cb-uni,bi = ∅. If e ∈ Kf-uni , then there exists a smaller epoch e than e such that e ∈ K and the set {e , . . . , e } ⊆ T by Remark 2. Hence, the adversary can degrade the message from e to e to know c˜e in the bi-directional ∗ ∗ ∗ ⊆ Kb-uni ∩ Cb-uni,bi , ciphertext update setting. Therefore, we have e ∈ K ∩ Cb-uni,bi ∗ ∗

so Kb-uni ∪ Cb-uni,bi = ∅. ∗ ∗ Lemma 5. For any set K, T , C, suppose Kkk ∩ Ckk,bi = ∅ for kk ∈ {bi, b-uni}, ∗ ∗ then ˜e ∈ Tbi ⇐⇒ ˜e ∈ Tb-uni . ∗ ∗ Proof. From Lemma 2, we know that Tb-uni ⊆ Tbi∗ , so if ˜e ∈ Tb-uni , then ˜e ∈ Tbi∗ . ∗ ∗ It is sufficient to prove ˜e ∈ Tbi ⇒ ˜e ∈ Tb-uni . Because the adversary queries the ∗ ∗ ∗ challenge ciphertext in epoch ˜e (i.e., ˜e ∈ C ⊆ Cbi,bi ) and Kbi ∩ Cbi,bi = ∅, we have

Equivalence of Updatable Encryption

399

∗ ˜e ∈ Kbi . Δ˜e cannot be inferred from the successive keys in epochs ˜e − 1 and ˜e. Therefore, if ˜e ∈ Tbi∗ , it must be obtained via corrupting, that is ˜e ∈ T . Since ∗ ∗ , we have ˜e ∈ Tb-uni .

T ⊆ Tb-uni

Remark 3. Note that O.Upd(¯c) is queried or not is independent of the direction of key and ciphertext updates. Thus it will be the same whether this trivial win condition is triggered or not in all variants. ∗ ∗ Lemma 6. For any set K, T , C, suppose Kkk ∩ Ckk,bi = ∅ for kk ∈ {bi, b-uni}, ∗ ∗ ˜ ˜ then (c, e) ∈ Lbi,bi ⇐⇒ (c, e) ∈ Lb-uni,bi .

Proof. By Remark 1 and Lemma 2, we know that (c, e) ∈ L˜ ⇐⇒ e ∈ C ∗ and ∗ ∗ ∗ ∗ ⊆ Cbi,bi . So if (c, e) ∈ L∗b-uni,bi , then e ∈ Cb-uni,bi ⊆ Cbi,bi . Thus, we have Cb-uni,bi ∗ (c, e) ∈ Lbi,bi . ∗ , then we know e ∈ IR by the assumpIf (c, e) ∈ L˜∗bi,bi , that is e ∈ Cbi,bi ∗ ∗ ∗ = {0, . . . , l} \ IR from Lemma 1. tion Kbi ∩ Cbi,bi = ∅ and the fact that Kbi Suppose {fwl, . . . , e} is the last insulated region. If the adversary never queries the challenge-equal ciphertext in the epoch in this set, then it cannot infer any ∗ . Therefore we challenge-equal ciphertext in epoch e, which contradicts e ∈ Cbi,bi assume the adversary queries a challenge-equal ciphertext in epoch e , where e ∈ {fwl, . . . , e}. Since {fwl, . . . , e} ⊆ T even in the backward uni-directional update setting, the adversary can update challenge-equal ciphertext from epoch

e to e, i.e., e ∈ C ∗ . So (c, e) ∈ L˜∗b-uni,bi . ∗ ∗ Lemma 7. For any set K, T , C, suppose Kkk ∩ Ckk,bi = ∅ for kk ∈ {bi, b-uni},  ∗  ∗ ˜ ˜ then (m , e) ∈ Qbi,bi ⇐⇒ (m , e) ∈ Qb-uni,bi .

˜ ⇐⇒ e ∈ C ∗ . And the rest of the Proof. By Remark 2, we know that (m , e) ∈ Q proof is similar to that of Lemma 6.

Theorem 1. Let UE be an updatable encryption scheme and confidentiality notion ∈ {detIND-UE-CPA, randIND-UE-CPA, detIND-UE-CCA, randIND-UECCA}. For any (bi, bi)-notion adversary A against UE, there exists a (b-uni, bi)-notion adversary B1 against UE such that (bi,bi)-notion

AdvUE,A

(1λ ) = AdvUE,B1

(b-uni,bi)-notion

(1λ ).

Proof. We construct a reduction B1 who runs the (b-uni, bi)-notion experiment and simulates all responses of the queries made by (bi, bi)-notion adversary A. The reduction B1 works by sending all the queries of A to its own challenger and returning the responses to A. At last, B1 sends the guessing result received from A to its own challenger. The challenger will check whether the reduction wins or not. If the reduction triggers the trivial win conditions, it will lose the game. The reduction also forwards the experiment result to A. Notice that Lemmas 4, 5, 6, 7, and Remark 3 exactly include all the trivial win conditions in the confidentiality game (see Fig. 5). Thus, we can conclude that the trivial win conditions in the (bi, bi)-notion and (b-uni, bi)-notion

400

H. Chen et al.

games are equivalent. If no trivial conditions are triggered by A, there will be no trivial win conditions triggered by B. But if a condition is triggered in the (bi, bi)-notion, the same condition will also be triggered in the (b-uni, bi)-notion. Therefore, the reduction perfectly simulates the (bi, bi)-notion game to A. Then (bi,bi)-notion λ (b-uni,bi)-notion λ (1 ) = AdvUE,B1 (1 ).

AdvUE,A (b-uni,uni)-notion ⇐⇒ (no,uni)-notion. We further prove the equivalence of (b-uni, uni)-variant and the (b-uni, uni)-variant in Theorem 2, which is based on the equivalence of trivial win conditions in Lemmas 8, 9, 10 and 11. ∗ ∗ ∗ ∗ Lemma 8. For any set K, T , C, we have Kb-uni ∩Cb-uni,uni = ∅ ⇐⇒ Kno ∩Cno,uni = ∅. ∗ ∗ ∗ ∗ Proof. From Lemma 2, we know that Kno ⊆ Kb-uni and Cno,uni ⊆ Cb-uni,uni , so ∗ ∗ ∗ ∗ ∗ ∗ Kno ∩ Cno,uni ⊆ Kb-uni ∩ Cb-uni,uni . It is sufficient to prove Kb-uni ∩ Cb-uni,uni = ∅ ⇒ ∗ ∗ ∩ Cno,bi = ∅. Kno ∗ ∗ ∗ ∩ Cb-uni,uni . From e ∈ Kb-uni and Suppose there exists an epoch e ∈ Kb-uni Remark 2, there is an epoch eb after e, satisfying eb ∈ K and {e, . . . , eb } ∈ T . ∗ ∗ and the definition of Cb-uni,uni in Eq. (5), we know that there From e ∈ Cb-uni,uni exists an epoch ec before e such that the adversary asks for the challenge cipher∗ . If the set {ec , . . . , e} ⊆ T , text in epoch ec (i.e., ec ∈ C) and {ec , . . . , e} ∈ Tb-uni then we can upgrade the ciphertext from epoch ec to epoch eb even in the nodirectional key update setting, since ec ∈ C and {ec , . . . , e, . . . , eb } ∈ T . There∗ ∗ ∩ Cno,bi . fore, we have eb ∈ Kno If not every epoch in the set {ec , . . . , e} is in T (i.e., there is an epoch es ∈ ∗ ∗ \T ), then by Eq. (4), we know that es −1 and es are in Kb-uni . Moreover, we Tb-uni have es − 1 ∈ K, because the epoch key in es − 1 cannot be inferred from the key in es − 1 in the backward uni-directional key update setting as es ∈ T and the adversary can only learn the epoch key in es − 1 from querying the corruption oracle. If {ec , . . . , es −1} ∈ T , we can upgrade ciphertexts from epoch ec to epoch ∗ ∗ ∩ Cno,bi . es − 1 even in the no-directional key update setting, that is es − 1 ∈ Kno Otherwise, we repeat this step, substitute es −1 with a smaller epoch es −j in the ∗ , next iteration for some j > 1 such that es − j ∈ K and {ec , . . . , es − j} ∈ Tb-uni and check if all epochs in {ec , . . . , es − j} are in T . Since the epoch length is limited, we will stop at an epoch, say es − k, for some k > 1 such that es − k ∈ K and {ec , . . . , es − k} ∈ T . We can upgrade ciphertext from epoch ec to epoch ∗ ∗ ∩ Cno,bi , es − k even in the no-directional key update setting, that is es − k ∈ Kno ∗ ∗

so Kno ∩ Cno,bi = ∅. ∗ ∗ Lemma 9. For any set K, T , C, suppose Kkk ∩ Ckk,uni = ∅ for kk ∈ {b-uni, no}, ∗ ∗ then ˜e ∈ Tb-uni ⇐⇒ ˜e ∈ Tno .

Proof. The proof is similar to that of Lemma 5. We provide it in Appendix D.1.

∗ ∗ Lemma 10. For any set K, T , C, suppose Kkk ∩ Ckk,uni = ∅ for kk ∈ {b-uni, no}, ∗ ∗ ˜ ˜ then (c, e) ∈ Lb-uni ⇐⇒ (c, e) ∈ Lno .

Equivalence of Updatable Encryption

401

Proof. The proof is similar to that of Lemma 6. We provide it in Appendix D.2.

∗ ∗ Lemma 11. For any set K, T , C, suppose Kkk ∩ Ckk,uni = ∅ for kk ∈ {b-uni, no},  ∗  ∗ ˜ ˜ ⇐⇒ (m , e) ∈ Q . then (m , e) ∈ Q no,uni b-uni,uni

˜ ⇐⇒ e ∈ C ∗ . The rest of the Proof. By Remark 1, we know that (m , e) ∈ Q proof is similar to that of Lemma 10.

Theorem 2. Let UE be an updatable encryption scheme and confidentiality notion ∈ {detIND-UE-CPA, randIND-UE-CPA, detIND-UE-CCA, randIND-UECCA}. For any (b-uni, uni)-notion adversary A against UE, there exists a (no, uni)-notion adversary B2 against UE such that (b-uni,uni)-notion

AdvUE,A

(no,uni)-notion

(1λ ) = AdvUE,B2

(1λ )

Proof. The proof is similar to that of Theorem 1. We provide it in Appendix D.3.

Theorem 3. For notion ∈ {detIND-UE-CPA, randIND-UE-CPA, detIND-UECCA, randIND-UE-CCA}, Fig. 6 is the relations among the eight variants on the same confidentiality notion. Proof. We conclude the relations among the eight variants on confidentiality from Theorems 1 and 2, together with the previous conclusions in [10], which proved that a UE scheme with bi-directional key updates is equivalent to the one with forward-leak uni-directional key updates, shown in Fig. 7.

(bi, bi)-notion

(no, uni)-notion \

\

(bi, uni)-notion

(no, bi)-notion

(f-uni, uni)-notion (f-uni, bi)-notion

Fig. 7. Relations among the six variants of confidentiality for notion {detIND-UE-CPA, randIND-UE-CPA, detIND-UE-CCA, randIND-UE-CCA} [10].

∈

Thus, we have the relations among the eight variants on confidentiality in Fig. 6 by the equivalences: (bi, bi)-notion ⇐⇒ (b-uni, bi)-notion from Theorem 1 and (b-uni, uni)-notion ⇐⇒ (no, uni)-notion from Theorem 2 and Fig. 7.



402

3.2

H. Chen et al.

Relations Among Integrity Notions

The relations of the eight variants on integrity are illustrated in Fig. 8. We first prove two equivalence of trivial win conditions in Lemmas 12, 14 and 16. Thm.4

(bi, uni)-notion

Thm.4

(b-uni, uni)-notion Thm.4

[10]

(bi, bi)-notion

Thm.4

(no, uni)-notion Thm.4

(b-uni, bi)-notion

[10]

(no, bi)-notion

[10]

(f-uni, uni)-notion [10]

(f-uni, bi)-notion

Fig. 8. Relations among the eight variants of integrity for notion ∈ {IND-CTXT, IND-PTXT}.

ˆ∗ ˆ∗ Lemma 12. For any set K, T , C, we have e ∈ K b-uni ⇐⇒ e ∈ Kkk for kk ∈ {f-uni, bi, no}. ˆ ∗ is Proof. From Eq. (3), we know that the computation of the extended set K independent of the direction of key updates.

∗ ˆ , then Lemma 13 ([10], Lemma 3.11). For any set K, T , C, suppose e ∈ K we have (c, e) ∈ L∗kk,cc ⇐⇒ (c, e) ∈ L∗kk ,cc for any kk, kk ∈ {f-uni, bi, no} and cc, cc ∈ {uni, bi}. ˆ ∗ , then (c, e) ∈ L∗ Lemma 14. For any set K, T , C, suppose e ∈ K b-uni,cc ⇐⇒ ∗  (c, e) ∈ Lkk ,cc for any kk ∈ {f-uni, b-uni, bi, no} and cc, cc ∈ {uni, bi}. Proof. It follows directly from Lemma 13 and L∗no,cc ⊆ L∗b-uni,cc ⊆ L∗bi,cc by Lemma 2 for any cc ∈ {uni, bi}.

∗ ˆ Lemma 15 ([10], Lemma 3.12). For any set K, T , C, suppose e ∈ K , then   ˜∗ ˜∗ we have (m , e) ∈ Q kk,cc ⇐⇒ (m , e) ∈ Qkk ,cc for any kk, kk ∈ {f-uni, bi, no} and  cc, cc ∈ {uni, bi}. ˆ ∗ , then we have (m , e) ∈ Lemma 16. For any set K, T , C, suppose e ∈ K ∗  ∗   ˜ ˜ Q b-uni,cc ⇐⇒ (m , e) ∈ Qkk ,cc for any kk ∈ {f-uni, b-uni, bi, no} and cc, cc ∈ {uni, bi}. Proof. It follows directly from Lemma 15 and Q∗no,cc ⊆ Q∗b-uni,cc ⊆ Q∗bi,cc by Lemma 3 for any cc ∈ {uni, bi}.

Theorem 4. Let UE be an updatable encryption scheme, the integrity notion notion ∈ {INT-CTXT, INT-PTXT}. For any (b-uni, cc)-notion adversary A against UE, there exists a (kk , cc )-notion adversary B4 against UE such that (b-uni,cc)-notion

AdvUE,A

(kk ,cc )-notion

(1λ ) = AdvUE,B4

for any kk ∈ {f-uni, b-uni, bi, no} and cc, cc ∈ {uni, bi}.

(1λ )

Equivalence of Updatable Encryption

403

Proof. The proof is similar to that of Theorem 1. We provide the proof in Appendix D.4.

Theorem 5. For notion ∈ {INT-CTXT, INT-PTXT}, Fig. 8 shows the relations among the eight variants on the same integrity notion. Proof. We conclude the relations from Theorem 4, together with the previous conclusions in [10] that (kk, cc)-notion ⇐⇒ (no, cc )-notion for notion ∈

{IND-CTXT, IND-PTXT}, kk ∈ (bi, f-uni) and cc, cc ∈ (bi, uni).

4

Conclusion

The relations among various security notions for UE should be clearly investigated before any valuable constructions. We provided a detailed comparison of every security notion in the four key update settings, and our results showed that the UE schemes in the no-directional key update setting, which were believed to be strictly stronger than others, are equivalent to those in the backward-leak uni-directional key update setting. As future work, we intend to develop an efficient UE scheme with backward-leak uni-directional key updates.

Acknowledgment. We would like to thank the anonymous reviewers for their valuable comments. This research is supported by European Union’s Horizon 2020 research and innovation programme under grant agreement No. 952697 (ASSURED) and No. 101021727 (IRIS).

A

Related Work

UE schemes can be built from various cryptographic primitives. The seminal UE scheme BLMR was proposed by [3] as an application of almost key homomorphic pseudorandom functions, which satisfies IND-ENC instead of IND-UPD. An ElGamal-based scheme RISE was introduced by [12] to achieve both security definitions. To provide integrity protection, Klooß et al. [11] constructed two generic schemes based on Encrypt-and-MAC and the Naor-Yung transform [13]. Boyd et al. [4] designed three IND-UE-CPA secure schemes, called SHINE, based on the random-looking permutation. Jiang [10] provided a quantum-resistant scheme based on the decisional LWE [15]. The first UE scheme with backward uni-directional key was presented in Nishimaki [14] based on the Regev PKE scheme, in which a scheme with no-directional key updates is also constructed based on one-way functions [8] and indistinguishability obfuscation [1]. Slamanig and Striecks presented a pairing backward uni-directional scheme and a pairingbased no-directional scheme from ciphertext puncturable encryption [9]. An independent work was concurrently proposed by [7]. The main difference between their work and ours is that we provide a detailed comparison of every security notion in every kind of UE. Their work gave a detailed proof for equivalence of confidentiality notion in the no-directional and backward uni-directional

404

H. Chen et al.

key update setting for UE schemes with uni-directional ciphertext updates (i.e., (b-uni, uni)-notion ⇐⇒ (no, uni)-notion). Our proof for this equivalence is different, and we also provide a detailed proof for UE schemes with bi-directional ciphertext updates and also the equivalence among integrity notions.

B

An Example of Leakage Sets

An example is given in Fig. 9 to show how to compute leakage sets. We assume the adversary corrupts epoch keys in epochs in K = {e − 5, e − 4, e − 3, e − 1} and corrupts tokens in T = {e − 4, e − 3, e − 1 , e}, and queries a non-challenge ciphertext, say ce−5 , in epoch e − 5. In the no-directional key update setting, the adversary cannot infer extra ∗ ∗ = K and Tno = T . However, it can infer ciphertexts in keys and tokens, i.e., Kno epoch e − 4, e − 3 by using ce−5 and tokens in epochs e − 4 and e − 3, but cannot infer the ciphertexts in epochs from e − 2 to e, because the token in epoche − 2 is unknown to the adversary in the no-directional key update setting. Epoch K T ∗ Kno Tno∗ ∗ Kb-uni ∗ Tb-uni ∗ Kf-uni ∗ Tf-uni

× × × ×

e−5    

   

e−4    

   

e−3    

× ×  ×

e−2 × ×  ×

   

e−1    

   

e × × × 

Fig. 9. Example of leakage sets. Marks  and × indicate if an epoch key or epoch token is corrupted. The green mark  indicates an epoch key or epoch token can be inferred from other corrupted keys and tokens. (Color figure online)

In the backward uni-directional key update setting, the adversary can infer the key in epoch e − 2 from the known token and key in epoch e − 1, and further infer the token in the epoch e − 2, since the key in epoch e − 3 is also corrupted, ∗ ∗ = {e − 5, . . . , e − 1} and Tb-uni = {e − 4, . . . , e}. Moreover, it can infer i.e., Kb-uni ∗ . the ciphertexts in epoch from e − 4 to e by ce−5 and Tb-uni In the forward uni-directional key update setting, the adversary cannot infer the token in epoch e − 2, since the key in epoch e − 2 is unknown to it. But it can infer the key in epoch e via the known key in e − 1 and the known token in ∗ ∗ = K ∪ {e} and Tf-uni = K∗ . The ciphertext it can learn is the same e, i.e., Kf-uni as that in the no-directional key update setting.

Equivalence of Updatable Encryption

C

405

Trivial Win Conditions

We give a detailed explanation for the trivial win conditions in each security game. If K∗ ∩ C ∗ = ∅, then there is an epoch i that the adversary knows the epoch key ki and a challenge-equal ciphertext ci in the same epoch. Then the adversary can decrypt the challenge-equal ciphertext ci with its known key ki and get the underlying message of ci . Thus, it can trivially win the game by ¯ comparing the underlying message of ci with the challenge input message m. This condition should be checked in all confidentiality games. For deterministic UE schemes, if ˜e ∈ T ∗ or O.Upd(¯c) is queried, then the adversary can obtain the updated ciphertext c1 of the challenge input ciphertext ¯, and therefore trivially win the game by comparing c1 with the ciphertext it c receives from its challenger. In the CCA attack, the adversary has the access to the decryption oracle. For deterministic UE schemes, if (c, e) ∈ L˜∗ , the adversary can query the decryption oracle on the challenge-equal ciphertext c and receive its underlying message. For a randomized UE, it should also be prohibited if the decryption returns a ˜∗. message m such that m = m0 or m1 , which is checked by (m , e) ∈ Q If the adversary knows a ciphertext ce0 in epoch e0 and all tokens from epoch e0 to e, it can forge a valid ciphertext in epoch e by updating ce0 via the tokens ˆ ∗ which is from e0 to e. It should be checked in both integrity games if e ∈ K ˜ is a new ciphertext in defined as Eq. (3). The challenger should also check if c the CTXT game, and if the adversary knows a ciphertext of m in the CTXT game.

D D.1

Proofs Proof of Lemma 9

∗ ∗ ∗ ∗ ⊆ Tb-uni , so if ˜e ∈ Tno , then ˜e ∈ Tb-uni . Notice From Lemma 2, we know that Tno ∗ that ˜e ∈ Kb-uni , because the adversary queries the challenge ciphertext in the ∗ ∗ ∩ Cb-uni,bi = ∅. Then Δ˜e cannot be inferred from the successive epoch ˜e and Kb-uni ∗ keys in epochs ˜e − 1 and ˜e. Therefore, if ˜e ∈ Tb-uni , then it must be obtained from ∗ ∗ . corrupting, that is ˜e ∈ T . Since T = Tno , we have ˜e ∈ Tno

D.2

Proof of Lemma 10

∗ By Remark 1 and Lemma 2 , we know that (c, e) ∈ L˜ ⇐⇒ e ∈ C ∗ and Cno,uni ⊆ ∗ ∗ ∗ . So if (c, e) ∈ L∗no,uni , then e ∈ Cno,uni ⊆ Cb-uni,uni . Thus, we have (c, e) ∈ Cb-uni,uni L˜∗b-uni . ∗ ∗ ⊆ IR. From the definition of Cb-uni,uni in If (c, e) ∈ L˜∗b-uni , then e ∈ Cb-uni,uni Eq. (5), we know that there is an epoch ec before e, satisfying the adversary ∗ , queries the challenge ciphertext in epoch ec (i.e., ec ∈ C) and {ec , . . . , e} ∈ Tb-uni ∗ ∗ ∗ which implies {ec , . . . , e} ∈ Cb-uni . From the assumption that Kb-uni ∩Cb-uni,uni = ∅, ∗ ∗ . To meet the condition {ec , . . . , e} ∈ Tb-uni , then we have {ec , . . . , e} ∈ Kb-uni

406

H. Chen et al.

all tokens in epochs in {ec , . . . , e} can only be obtained by corrupting, that is ∗ . We can upgrade the ciphertext from epoch ec to epoch eb {ec , . . . , e} ∈ T = Tno ∗ even in the no-directional key update setting. Therefore, we have e ∈ Cno,uni ⊆ IR ∗ ˜ and further (c, e) ∈ Lno . D.3

Proof of Theorem 2

We construct a reduction B2 who runs the (b-uni, uni)-notion experiment and simulates all responses of the queries made by (no, uni)-notion adversary A. The reduction B2 works by sending all the queries of A to its own challenger and forwarding its received responses to A. In the end, B2 sends the guessing result from A to its own challenger. The challenger will check if the reduction wins. The reduction also forwards the experiment result to A. If the trivial win conditions were triggered, the reduction will be regarded as losing the game. From Lemmas 8, 9, 10, 11 and Remark 3, we obtain the trivial win conditions in the (b-uni, uni)-notion and (no, uni)-notion games are equivalent. If there is a trivial win condition that is triggered by A, then the same trivial win condition will be triggered by B, and vice versa. Therefore, the reduction perfectly (b-uni,uni)-notion λ (1 ) = simulates the (no, uni)-notion game to A. Then, we have AdvUE,A (no,uni)-notion

AdvUE,B2 D.4

(1λ ).

Proof of Theorem 4

We construct a reduction B4 which runs the (kk , cc )-notion game and simulates all responses to the queries made by the (b-uni, cc)-notion adversary A. If there is a trivial win condition that is triggered by A, the same trivial win condition will be triggered by B, and vice versa, which follows from Lemmas 12, 14 and 16. Thus, the reduction perfectly simulates the game to A, and the advantages are equal.

References 1. Barak, B., et al.: On the (im)possibility of obfuscating programs. J. ACM 59(2), 1–48 (2012) 2. Boneh, D., Eskandarian, S., Kim, S., Shih, M.: Improving speed and security in updatable encryption schemes. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12493, pp. 559–589. Springer, Cham (2020). https://doi.org/10.1007/ 978-3-030-64840-4 19 3. Boneh, D., Lewi, K., Montgomery, H., Raghunathan, A.: Key homomorphic PRFs and their applications. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 410–428. Springer, Heidelberg (2013). https://doi.org/10.1007/9783-642-40041-4 23 4. Boyd, C., Davies, G.T., Gjøsteen, K., Jiang, Y.: Fast and secure updatable encryption. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 464–493. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2 16

Equivalence of Updatable Encryption

407

5. Chen, L., Li, Y., Tang, Q.: CCA updatable encryption against malicious reencryption attacks. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12493, pp. 590–620. Springer, Cham (2020). https://doi.org/10.1007/978-3030-64840-4 20 6. Everspaugh, A., Paterson, K., Ristenpart, T., Scott, S.: Key rotation for authenticated encryption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 98–129. Springer, Cham (2017). https://doi.org/10.1007/978-3-31963697-9 4 7. Galteland, Y.J., Pan, J.: Backward-leak uni-directional updatable encryption from public key encryption. Cryptology ePrint Archive, Paper 2022/324 (2022). https:// eprint.iacr.org/2022/324 8. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986) 9. G¨ unther, F., Hale, B., Jager, T., Lauer, S.: 0-RTT key exchange with full forward secrecy. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 519–548. Springer, Cham (2017). https://doi.org/10.1007/978-3319-56617-7 18 10. Jiang, Y.: The direction of updatable encryption does not matter much. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12493, pp. 529–558. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4 18 11. Klooß, M., Lehmann, A., Rupp, A.: (R)CCA secure updatable encryption with integrity protection. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 68–99. Springer, Cham (2019). https://doi.org/10.1007/978-3-03017653-2 3 12. Lehmann, A., Tackmann, B.: Updatable encryption with post-compromise security. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 685–716. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7 22 13. Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: Ortiz, H. (ed.) STOC 1990, pp. 427–437. ACM, New York (1990) 14. Nishimaki, R.: The direction of updatable encryption does matter. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds.) PKC 2022. LNCS, vol. 13178, pp. 194–224. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-97131-1 7 15. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34:1–34:40 (2009) 16. Slamanig, D., Striecks, C.: Puncture ’em all: updatable encryption with nodirectional key updates and expiring ciphertexts. Cryptology ePrint Archive, Paper 2021/268 (2021). https://eprint.iacr.org/2021/268

Efficient Circuits for Permuting and Mapping Packed Values Across Leveled Homomorphic Ciphertexts Jelle Vos(B) , Daniël Vos , and Zekeriya Erkin Cyber Security Group, Delft University of Technology, Delft, Netherlands {J.V.Vos,D.A.Vos,Z.Erkin}@tudelft.nl

Abstract. Cloud services are an essential part of our digital infrastructure as organizations outsource large amounts of data storage and computations. While organizations typically keep sensitive data in encrypted form at rest, they decrypt it when performing computations, leaving the cloud provider free to observe the data. Unfortunately, access to raw data creates privacy risks. To alleviate these risks, researchers have developed secure outsourced data processing techniques. Such techniques enable cloud services that keep sensitive data encrypted, even during computations. For this purpose, fully homomorphic encryption is particularly promising, but operations on ciphertexts are computationally demanding. Therefore, modern fully homomorphic cryptosystems use packing techniques to store and process multiple values within a single ciphertext. However, a problem arises when packed data in one ciphertext does not align with another. For this reason, we propose a method to construct circuits that perform arbitrary permutations and mappings of such packed values. Unlike existing work, our method supports moving values across multiple ciphertexts, considering that the values in real-world scenarios cannot all be packed within a single ciphertext. We compare our opensource implementation against the state-of-the-art method implemented in HElib, which we adjusted to work with multiple ciphertexts. When data is spread among five or more ciphertexts, our method outperforms the existing method by more than an order of magnitude. Even when we only consider a permutation within a single ciphertext, our method still outperforms the state-of-the-art works implemented by HElib for circuits of similar depth. Keywords: Secure outsourced data processing · Data packing homomorphic encryption · Applied cryptography

1

· Fully

Introduction

Nowadays, organizations use cloud providers to outsource their data processing, easing deployment and allowing them to scale the architecture up and down when required [2]. While these organizations typically keep sensitive data in c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 408–423, 2022. https://doi.org/10.1007/978-3-031-17140-6_20

Efficient Circuits for Permuting and Mapping Packed Values

409

encrypted form at rest, they decrypt it when performing computations. Consequently, these organizations must fully trust the cloud providers, who can observe all sensitive data. To protect sensitive data while processing, researchers propose secure outsourced data processing solutions, which allow cloud providers to offer their services on data that they cannot see. In the settings of those proposals, organizations assume that the cloud provider performs the operations they ask them to, thus reducing privacy risks. One possible approach that enables cloud providers to process sensitive data relies on fully homomorphic encryption (FHE) schemes. FHE allows anyone with the correct public key to perform computations on encrypted data without seeing it. In current schemes, one typically encrypts integers or real numbers, which can be manipulated through addition and multiplication. A subset of FHE schemes (such as BFV [8], BGV [4], and CKKS [6]) allows one to encrypt entire fixedlength vectors of integers or real numbers in one ciphertext through ciphertext packing. A limited number of additions and multiplications can be performed as element-wise operations between encrypted vectors, following the concept of single-instruction multiple-data (SIMD). As a result, operating on packed ciphertexts leads to significant speed-ups when there is a large set of data to be processed. A problem arises when the data stored in two encrypted vectors do not align. For example, consider two ciphertexts that each hold a database relating to the incomes of a set of employees. One ciphertext holds their salary sorted by their first name, while another holds their yearly bonus sorted by their last name. An outsourced HR system might compute each employee’s total income by adding the two together. However, directly adding the two ciphertexts together leads to a meaningless result. Instead, the HR system must align the data stored within one ciphertext with the other by permuting it. FHE schemes that support ciphertext packing implement ciphertext rotations to allow one to align encrypted vectors. This primitive shifts the encrypted vector x places towards the end while cycling the last x encrypted numbers to the beginning. However, rotations alone are not enough to perform arbitrary permutations on encrypted vectors. Instead, it requires an intricate circuit that combines additions, multiplications, and rotations. We call these permutation circuits. Halevi & Shoup [11] conjecture that finding the optimal (i.e., fastest given a maximum multiplicative depth) is a hard problem. Previous work has focused on generating permutation circuits that permute a single ciphertext. However, for applications in the real world, not all data may be stored in the same ciphertext due to size constraints or because the data has different origins. Therefore, with the current solutions, the problem of permuting across multiple ciphertexts requires splitting the entire permutation into multiple within-ciphertext permutations. We highlight this problem in Fig. 1. Solving this problem may also lead to improvements in the circuits for other applications, such as circuits that perform AES encryptions homomorphically. In this work, we propose a new primitive that performs arbitrary mappings on values in ciphertexts and does so significantly cheaper than previous work

410

J. Vos et al.

Fig. 1. If data is not aligned between two ciphertexts, one of the ciphertexts must be permuted. The existing methods work when data fits within one ciphertext, but when data spans multiple ciphertexts they must be adapted and lose performance rapidly.

regarding the computational effort required. These mappings are arbitrary in the sense that they may span multiple ciphertexts. Unlike previous methods which generate circuits for a chosen maximum multiplicative depth, our method focuses on a specific class of permutation circuits with a constant multiplicative depth. Still, we argue that our circuits’ depth is reasonable for the complexity of the operation required. Our new primitive takes the burden off the implementor to create manual mapping circuits when data spans multiple ciphertexts. Its high efficiency brings secure outsourced computation one step closer to practice. We summarize our contributions as follows: – We propose a new method for efficiently performing arbitrary mappings on encrypted values in packed, leveled-homomorphic ciphertexts. – We compare an open-source implementation of our method to HElib for performing permutations on single ciphertexts and show that it consistently outperforms HElib for circuits of similar multiplicative depth. – We compare our implementation to an adjusted version of HElib to perform arbitrary permutations. We show that it outperforms HElib by more than an order of magnitude when the data is spread among five or more ciphertexts. The remainder of this paper is structured as follows: In Sect. 2, we shortly explain operations in leveled homomorphic encryption, graph coloring, and the notation we use. In Sect. 3, we discuss related work. Next, in Sect. 4, we put forward our method for constructing mapping circuits, and in Sect. 5 we analyze its complexity. Finally, in Sect. 6 we compare our method against that implemented in HElib, after which we conclude in Sect. 7.

2

Preliminaries and Notation

In this section, we give a high-level explanation of the underlying techniques used in this paper. Table 1 contains a summary of the notation that we use.

Efficient Circuits for Permuting and Mapping Packed Values

411

Table 1. Summary of the symbols used in this work. Symbol Definition

2.1



Number of slots in the ciphertext

n

Total number of elements to permute

π(x)

Target for index x after permuting

μ(x)

Targets for index x after mapping

P

Set of indices to permute (preimage)

χ

Chromatic number (minimum number of colors)

φ(_)

Euler’s totient function

m

Order of cyclotomic polynomial

p

Prime modulus defining the message space

Q

Ciphertext modulus defining the ciphertext space

Permutations and Mappings

We consider permutations and mappings of elements across vectors of length n. Here, we denote P as the set of indices to map, which is short for the preimage. We say that element x ∈ P is permuted to position π(x) when considering permutations, or mapped to position μ(x) in the case of a mapping. Note that permutations are a restriction of mappings. 2.2

Graph Coloring

Graph coloring is one of Karp’s original 21 NP-complete problems [12]. In this problem, we are given a loopless graph G = (V, E) where we must assign a color to each vertex such that no two adjacent vertices share the same color. The minimum number of colors needed to be able to properly color G is the chromatic number χ. In this work, we translate the process of setting up an efficient homomorphic circuit for ciphertext mappings to the problem of graph coloring. While the problem is NP-complete in general, we can practically solve our instances here using algorithms such as DSATUR [5]. 2.3

Leveled Homomorphic Encryption Schemes

This work specifically considers leveled homomorphic encryption schemes that support packing multiple elements into one ciphertext. Here, leveled refers to the fact that we can only perform operations up to a certain level before decryption is likely to fail. The level is typically indicated as the multiplicative depth of the arithmetic circuit. The reason for this is that the ciphertexts incorporate a small noise term that grows with each homomorphic operation. This is why we speak of the remaining noise budget of a ciphertext, which we express as the number of bits of the ciphertext that the growing noise can still consume before the

412

J. Vos et al.

ciphertext is no longer decryptable. When there is a need to perform circuits of arbitrary depth, one can use bootstrapping techniques [9]. In that case, we speak of fully homomorphic encryption. In our implementation, we only consider the BGV [4] cryptosystem implemented in HElib, without bootstrapping operations. One can add, multiply and rotate the values encrypted in a ciphertext. Element-wise additions are cheap operations between two ciphertexts with only small noise growth. In this work, we do not multiply ciphertexts together but only multiplications with constants, which is more efficient and incurs less noise growth. We use these plaintext multiplications to isolate values from the ciphertext by creating a mask that is zero everywhere except for the places with the elements we need to isolate where it is 1. Rotations can be performed using automorphisms on the underlying ring. In this work, we only consider the case where those automorphisms cause one-dimensional rotations.

3

Related Work

To the best of our knowledge, the first work that studied permutations in leveled homomorphic ciphertexts was the work by Gentry et al. [10]. In separate work, the same authors use it to implement an AES circuit homomorphically, which requires shuffling the elements within a ciphertext. Before that, Damgård et al. [7] already used the underlying techniques within the context of secure multiparty computation to permute packed secret shares rather than ciphertexts. The underlying technique called Beneš networks [3] originates in the study of efficient routing networks, which send packets from a range of senders to a range of receivers under constraints, effectively executing permutations. In 2014, Halevi & Shoup [11] reduced the problem of constructing efficient permutation circuits for leveled homomorphic ciphertexts as a new problem named the cheapest-shift-network problem. Here, a shift-network is a series of shifts (permutations), which can be executed using additions, plaintext multiplications, and rotations. Each next shift considers only the shift before it. Halevi & Shoup put forward a method to efficiently optimize the computational cost of such a circuit given a maximum multiplicative depth, and implement it in the HElib library.1 At the time of writing, we are not aware of other libraries that implement ciphertext permutations. In this work, we consider a type of circuit that not only considers the layer before it but also any other layer before that. We also extend it beyond the range of a single ciphertext. In this sense, it is less restricted than the method proposed by Halevi & Shoup. However, it is an open question of how to optimize such a circuit efficiently, so we introduce other restrictions to turn the problem into one of graph coloring. For example, the multiplicative depth of our circuits scales logarithmically with the number of slots in a ciphertext. In the remainder of this section, we go into detail about the solutions of Gentry et al. [10] and Halevi & Shoup [11] (summarized in Table 2) and explain how one can trivially but inefficiently extend them to perform arbitrary permutations and mappings. 1

The HElib repository can be found at https://github.com/homenc/HElib.

Efficient Circuits for Permuting and Mapping Packed Values

413

Table 2. Comparison of permutation circuits generated by related work Operation

3.1

Compute

Noise

Ciphertext permutation

Arbitrary

Naive

HElib

Ours

HElib*

Ours

Rotation

Expensive

Cheap



4 log() − 2

log2 ()

O(n2 )

O(n)

Plaintext mult

Cheap

Moderate



4 log() − 2

O(log3 ())

O(n2 )

O(n2 )

Addition

Cheap

Cheap



2 log() − 1

O(log3 ())

O(n2 )

O(n2 )

Rotation keys

Severe

–



2 log()

log()

2 log()

log()

Naive Method for Permutations

A naive method for performing permutations within and across ciphertexts rotates each individual element to its target index and sums up the result. As mentioned before, elements can be isolated by multiplying them with a vector of zeroes and a 1 in the right index. This approach requires a plaintext multiplication, rotation, and addition for each of the  slots in a ciphertext when performing a permutation within one ciphertext. Moreover, key generation will also be computationally expensive as one has to be able to perform each possible automorphism. Alternatively, one incurs an additional run time penalty for certain rotations by composing it from other rotations. Note that we can omit rotations of 0 and that there are scenarios where identical rotations can be rotated at the same time. Still, after these optimizations, the algorithm scales with O(n) in the worst case. 3.2

‘Collapsed’ Beneš Networks for Permutations

Both the works by Gentry et al. [10] and Halevi & Shoup [11] rely on Beneš networks. Such a network has a butterfly structure, which contains 2 log() − 1 layers in the case of a ciphertext permutation. This structure makes it a shiftnetwork that can be constructed efficiently in a recursive manner for all possible permutations. Elements are either rotated leftwards or rightwards in each layer by a given amount. Gentry et al. use Beneš networks without any modifications, leading to a permutation circuit with a multiplicative depth that scales as 2 log() − 1. Each layer only does a power-of-two rotation, meaning that one must generate 2 log() rotation keys. Halevi & Shoup modify Beneš networks into other valid shift networks by collapsing layers to reduce the multiplicative depth of the resulting circuit. As mentioned before, they implement this in the HElib library. In Table 2 we consider the case where there is no bound to the multiplicative depth of the circuit. Since each layer of the network requires 2 plaintext multiplications and rotations, the total number is 4 log() − 2 in the worst case. 3.3

Extending Permutation Circuits to Arbitrary Permutations

We remark that while previous works do not explicitly describe how to construct arbitrary permutations or mappings, they can be easily extended to do so. We

414

J. Vos et al.

shortly explain how the work Halevi & Shoup [11] can be extended as such by expressing the arbitrary permutation across multiple ciphertexts as a series of within-ciphertext permutations. The key idea is that one can break a permutation across multiple ciphertexts into a set of permutations from each ciphertext to every other ciphertext. A similar trick can be used to perform mappings by first breaking it down into a set of arbitrary permutations. In the worst case, performing permutations in this way scales quadratically with the number   of ciphertexts. When the elements are densely packed, we need a total of n = O(n) ciphertexts. Here we consider  to be constant. Consequently, the worst-case complexity for rotations, plaintext multiplications, and additions alike is O(n2 ).

4

Constructing Arbitrary Mapping Circuits

In this section, we propose our method for constructing circuits to perform arbitrary permutations and mappings. Since the construction only has to happen once for each permutation, it can be considered a one-time setup. 4.1

High-Level Insight

The most time-consuming operation in a permutation circuit is a ciphertext rotation. Therefore, it stands to reason to minimize the number of rotations. Conversely, we want to maximize the number of elements we rotate at once. At the same time, since we have to generate special rotation keys for every possible rotation magnitude, we want to keep the number of different rotations as low as possible. In our method, we restrict all rotations to be powers of two. As we discuss later, this simplification allows us to optimize our permutation circuit efficiently. It is also possible to restrict rotations to powers of three (or any other base), but this requires certain rotations to be decomposed into a larger number of consecutive power of three rotations. Given a permutation, we construct a circuit that realizes it by decomposing the number of places that each element must move into its binary representation. If there is a 1 in place x of the binary representation, we add the element to the set of elements that must be rotated by 2x . For simplicity, let us fix the order of rotations in the final circuit as 20 = 1, 21 = 2, 22 = 4, . . . . One can imagine this idea as vertically-stacked conveyor belts that sequentially turn at increasing rates, as seen in Fig. 2. In this figure, an element (pictured as a box) starts at index 1 and must end up at index 6. To do so, it must travel 5 = 1012 places rightwards, and therefore it enters the first and third conveyor belt, but not the second.

Efficient Circuits for Permuting and Mapping Packed Values

415

1

2

4

0

1

2

3

4

5

6

7

0

1

2

3

4

5

6

7

Fig. 2. Elements can be mapped to other locations by applying a sequence of rotations on them, as if on a conveyor belt. Multiple elements can exist on the same set of conveyor belts so long as they do not enter the same conveyor belt at the same location.

At first thought, the method described above seems to construct valid permutation circuits, but a problem arises when two elements must take the same place on the same conveyor belt. In an actual arithmetic circuit, this would add up the corresponding values of these elements, invalidating the permutation. In the right half of Fig. 2, we visualize this. There are two simple solutions to this problem. Firstly, one might change the order of the conveyor belts. For example, one might bring the third conveyor belt to the start. Another approach is to add a second independent set of conveyor belts. In our method, we use both approaches: We try several different random orderings of conveyor belts and use a graph coloring algorithm to distribute elements over multiple sets of conveyor belts in a way that elements do not collide. We use the minimum number of conveyor belts given a certain order of conveyor belts. 4.2

Assigning Elements to Sets of Conveyor Belts

To assign the elements to multiple sets of conveyor belts, we construct a graph where the vertices represent elements of the encrypted vector. The edges between them represent that the elements cannot coexist in the same conveyor belts. After performing a graph coloring, the color of a vertex represents the set of conveyor belts to which it is assigned. In the remainder of this subsection, we refer to a single conveyor belt as a rotation. For a permutation π with preimage P , we first create an undirected graph Gπ = (V, E), where E = ∅ and V = P . Then, for each element, we compute its position in the encrypted vector when it enters each rotation operation. If two elements u, v ∈ P where u = v enter the same rotation at the same position, we

416

J. Vos et al.

extend E ← E ∪ {u, v}. This graph satisfies the property that any valid coloring represents a valid assignment. Figure 3 shows an example of such a graph and a possible coloring. When we move beyond a permutation to a mapping μ, we must consider that elements in the preimage may map to multiple positions in the final encrypted vector (replication), or multiple elements in the preimage may map to the same position (overlapping). Notice that overlapping elements do not necessarily have to be assigned to different sets of rotations and that the graph Gμ constructed as described above already adequately handles such situations. The reason is that overlapping elements in the final encrypted vector do not necessarily overlap in the encrypted vectors to which rotations are applied. This graph also adequately handles replications, as all outputs relating to the same input element are assigned to the same set of rotations. This means that even in the extreme case where one element of the input ciphertext is mapped to all positions of the output ciphertext, we only require one set of rotations. After generating the graph, we use a dedicated graph coloring algorithm to color the vertices with the minimum number of colors required. In our implementation, we use the DSATUR algorithm [5], but any algorithm suffices.

Fig. 3. Example of the graph generated for a within-ciphertext permutation of 16 slots. The graph contains edges between the elements that would collide with each other at any of the rotations. This graph can be colored with two colors, but larger ciphertexts, across-ciphertext permutations, and mappings typically require more colors. (Color figure online)

4.3

Determining the Order of Conveyor Belts

In the previous subsection, we did not explain how one should choose the order of the rotations. However, it follows that for the graph coloring to work, we require all sets of rotations to have the same order.

Efficient Circuits for Permuting and Mapping Packed Values

417

One approach is to fix the rotation order for every mapping. For example, 1, 2, 4, . . . . While this ordering performs well for random permutations and mappings, as we show in Sect. 6, one might try different orderings to avoid running into the worst-case behavior. In our implementation, we test multiple random orderings to find the one resulting in the graph that can be colored with the least colors. In our experiments, we compare the performance of trying only one random ordering against trying ten random orderings, which we refer to as a long setup. It remains an open problem to integrate this step with the previous step to efficiently find an ordering that results in the minimum number of sets of rotations. 4.4

Generating Circuits for Conveyor Belts

Given an assignment that maps each element to a set of rotations, we construct a separate circuit for each set. Consequently, in a multi-threaded setup, one can execute these circuits in parallel. This subsection describes how to construct a circuit for one set of rotations, given a specific ordering of rotations and a set of elements that will not collide. First, we create a set of masks for all the elements that must be included in a single rotation. In other words, we create one mask for each of the input ciphertexts and one mask for each of the ciphertexts resulting from all previous rotations. Such a mask contains ones in the positions of elements that must remain and zeroes in the positions of elements that must be dropped. We then perform a plaintext multiplication between each ciphertext and the corresponding mask and sum up the results. The result is a ciphertext containing all the relevant encrypted values, which we subsequently rotate. Note that there are several places where we can prune this circuit to prevent performing meaningless computations. For example, if we do not need to consider any values from a ciphertext, the corresponding mask would be empty (i.e., filled with zeroes). Moreover, we do not need to perform any summations if there is only one relevant ciphertext. We implement both of these optimizations, but we stress that more pruning is still possible. For example, by keeping track of which positions in each ciphertext actually contain values rather than zeroes, one can discard multiplications that mask all values in a ciphertext. In the worst case, an element must be shifted 11 . . . 112 =  − 1 places in the encrypted vector. The resulting circuit then has a multiplicative depth of 1+log2  consecutive plaintext multiplications. When it comes to the asymptotic run time, each circuit only requires log2  rotations and, therefore, a total of O(log2 ) plaintext multiplications and additions.

5

Performance Estimates and Bounds for Special Mappings

In this section, we analyze the complexity of the circuits constructed by our method.

418

J. Vos et al.

5.1

Permutations

In the case of permutations within a single ciphertext, the chromatic number χ of the graph that our method constructs to assign elements to sets of rotations is bound by log . We prove this in the following theorem: Theorem 1. It takes at most χ = K − 1 colors to color graph Gπ representing the collisions of permutation π with preimage P . Proof. It suffices to show that any element x ∈ P can only collide with at most log2 () − 1 other elements at one position. In that case, x and the other elements are all connected via an edge and must all be assigned a different color. For brevity, we denote K = log2 (). Let us express an upper bound for the maximum number of elements at a single position after r rotations as a function M (r). At the first rotation, the maximum number of overlaps is M (1) = 1, because the encrypted vector has no overlaps. At every rotation after that, the maximum number of overlaps is that of the previous rotation, plus one element that was already in this position, so M (i) = M (i − 1) + 1. This only holds for i = 2, . . . , K − 1, however, because at the Kth rotation, the result must not have any overlaps given that π is a permutation. So, M (K) = 0. Our function M is undefined for any other values. We reach the maximum number of overlapping elements at any rotation at M (K − 1) = K − 1. In fact, this upper bound overestimates the number of overlapping elements, because, after r rotations, the overlapping elements can only move to 2K−r remaining positions, so K −1 overlapping at M (K −1) cannot satisfy a valid permutation. As a result, we require at most log() sets of log() rotations. Also notice that in the case of arbitrary rotations, the number of rotations required is O(n), when  is kept constant. This is because even in the worst case where each of the n elements to be permuted is assigned to a separate set of rotations, the relation is linear. However, this situation should be seen as an upper bound because when the number of elements grows, the sets of rotations become more densely packed in the average case. The number of plaintext multiplications and additions scale quadratically with the number of rotations because before the xth rotation there can be additions and multiplications with the prior x − 1 resulting ciphertexts. 5.2

Bounded Rotation Magnitude

The number of rotations that one element occupies is exactly the number of ones in the binary representation of the distance it must move. This number, which is called the Hamming weight, is 12  on average for random permutations. However, if the distance that elements move is bound or the Hamming weight of the distances is low, we expect to pack more elements within one set of rotations.

Efficient Circuits for Permuting and Mapping Packed Values

6

419

Results

In this section, we analyze the performance of our open-source implementation2 and compare it against HElib. To facilitate a fair comparison, we execute our circuits with HElib’s implementation of BGV. Note, however, that any FHE library can execute the resulting circuits with minimal engineering effort. We perform three sets of experiments, which are increasingly generic. We start by comparing the performance of permutations within a single ciphertext to HElib. Then, we extend HElib to perform arbitrary permutations across multiple ciphertexts and compare the implementation against our work. Finally, we analyze the run time performance of our implementation when performing arbitrary mappings for increasing degrees of overlapping and replication. Table 3 contains the parameters we used for our experiments. We choose the order of the cyclotomic polynomial m = 2x for some x, following the homomorφ(m) , we want the phic encryption standard [1]. Since the number of slots  = ord(p) plaintext modulus p to have a low order modulo m. On the other hand, when  is large, the depth of our circuits might cause the noise in the ciphertexts to grow too large. So, we choose the highest  for which the ciphertexts are still decryptable while selecting the lowest p that satisfies it. We provide the number of bits in the modulus chain log2 Q, which we maximized while satisfying 128 bits of security as specified by the homomorphic encryption standard [1]. Table 3. BGV parameters used in the experiments Order m Small

213 = 8192

Medium 214 = 16384 Large

2

15

Modulus p log2 Q Slots 

HElib’s depth

31

111

24 = 16 4

127

213

26 = 64 7

0. We say that 1 − f is overwhelming if the function f is negligible. We call an integer n = pq a strong RSA modulus, where p and q are distinct safe primes having an equal length. Here primes p and q are called safe if p = 2p + 1 and q = 2q  + 1 for primes p

428

Y. Liu et al.

and q  , respectively. Let Jn = {x ∈ Z∗n | Jn (x) = 1}, where Jn (x) is the Jacobi symbol of x. If n is a strong RSA modulus, then Jn is a cyclic multiplicative group with order φ(n)/2 = 2p q  . Let g0 ←$ Z∗n and g ← −g02 , then g is a generator of Jn with overwhelming probability. For the RSA modulus n, n/2 is statistically close to 2p q  . The security of protocols in this paper is proved under standard security definitions (see [12] for more information). The computational assumptions involved in this paper are summarized in Appendix B. We state Lemma 1 as follows. This lemma is extensively used in the proof of Theorem 4 (for the property “puzzle validity”) to prove the security of the protocol under the strong RSA assumption via reduction. Lemma 1. For an RSA instance (n, e, y), finding x ∈ Z∗n and e coprime to e,  such that xe ≡ y e is equivalent to finding an e-th root of y modulus n.

3

Homomorphic Time-Lock Puzzles

We use the definition of HTLP schemes in [13] (see alos Appendix C) for our scheme. Briefly, an HLTP scheme achieves the homomorphic property for a class of functions/circuits and should be compact, i.e., puzzles have the same length, and homomorphic operations do not depend on the time parameter T while the time of puzzle-solving only depends on T . Of course, the scheme should be correct, i.e., solving a puzzle generated by the puzzle generation algorithm with the input of a secret s should obtain s. 3.1

Additively HTLP Scheme with Solution Space Zn

First, we briefly restate the additively HTLP scheme with the solution space Zn in [13]. Its protocols with respect to verifiability are given in Sect. 4.2. – Setup(1κ , T ): On input 1κ and a time parameter T , sample a strong RSA modulus n = pq, where p = 2p + 1 and q = 2q  + 1. Then pick a random T generator g of Jn and compute h ← g 2 mod n, where 2T mod 2p q  can be computed first to speed up the computation. Finally, output the public parameter pp = (T, n, g, h). – Gen(pp, s): On input pp and a secret s ∈ Zn , pick r ←$ [0, n/2], compute u ← g r mod n and v ← hr·n ·(1+n)s mod n2 , and output a puzzle Z = (u, v). T – Solve(pp, Z): On input pp and a puzzle Z = (u, v), compute w ← u2 mod n n n2 ]−1 . If s ∈ Zn , output by repeated squaring. Then compute s ← [v/w mod n s. Otherwise, output ⊥ to indicate that Z is invalid. It is easy to verify the additively homomorphic property. Given two puzzles Z1 = (u1 = g r1 , v1 = hr1 ·n (1+n)s1 ) and Z2 = (u2 = g r2 , v2 = hr2 ·n (1+n)s2 ) for secrets s1 and s2 , respectively, the puzzle Z3 = (u1 u2 , v1 v2 ) = (g r1 +r2 , h(r1 +r2 )n (1 + n)s1 +s2 ) ∈ Jn × Z∗n2 is the puzzle for the secret s3 = s1 + s2 mod n and Solve(pp, Z3 ) = s3 .

Towards Practical HTLP: Applicability and Verifiability

429

Our Multiplicatively HTLP Scheme with Solution Space Z∗n

3.2

We now present our multiplicatively HTLP scheme MHTLP with the solution space Z∗n , following the idea in Sect. 1.2. – Setup(1κ , T ): On input 1κ and a time parameter T , sample a strong RSA modulus n = pq, pick a random generator g of Jn and χ ←$ Z∗n for Jn (χ) = −1, T compute h ← g 2 mod n, and output pp = (T, n, g, h, χ). – Gen(pp, s), On input pp and a secret s ∈ Z∗n , sample r ←$ [0, n/2] and  r ←$ [0, n/2], and then compute u ← g r mod n, u ← g r mod n, and σ = (−Jn (s) + 1)/2. Given σ, compute v ← hr · χσ s mod n and θ ←  hr ·n (1 + n)σ mod n2 . Finally, output a puzzle Z = (u, u , v, θ). – Solve(pp, Z): On input pp and a puzzle Z = (u, u , v, θ), compute w ← T 2T u2 mod n and w ← u mod n by repeated squaring. Then compute n n2 ]−1 d ← [θ/w mod . If d ∈ / Zn , output ⊥ to indicate that Z is invalid. n Otherwise, output the solution s ← vw−1 χ−d mod n. It is straightforward to verify the multiplicatively homomorphic property. For   instance, given puzzles Zi = (ui , ui , vi , θi ) = (g ri , g ri , hri · χσi si , hri ·n (1 + n)σi ) ∈ J3n × Z∗n2 for the secret si for i = 1, . . . , N , the puzzle Z defined as Z=(

N 

ui ,

i=1

= (g

N 

ui ,

i=1

N

i=1

ri

,g

N 

vi ,

i=1 N

i=1

ri

N 

θi ) = (

i=1

,h

N 

g ri ,

i=1

N

i=1

ri

χ

N

i=1

σi

N 



g ri ,

i=1 N 

si , hn·

N 

hri χσi si ,

i=1 N

i=1

N 



hri n (1 + n)σi )

i=1 ri

N

(1 + n)

i=1

σi

)

i=1 

= (g r , g r , hr χσ

N 



si , hn·r (1 + n)σ ) = (u, u , v, θ) ∈ J3n × Z∗n2 ,

(1)

i=1

N N N where r = i=1 ri , r = i=1 ri , and σ = i=1 σi , is the puzzle for the secret N s = i=1 si mod n, since Solve(pp, Z) = s. Note that this scheme supports homomorphic multiplication for N < n. Since n is exponentially large in κ, assuming N < n does not limit practical usage. We recall the definition of reusable security for HTLP schemes and present Theorem 1 for our scheme as follows. Definition 1 ([13]). An HTLP scheme with a solution space S is reusable-secure with gap ε < 1 if there exists a polynomial T˜(·), such that for all polynomial T (·) ≥ T˜(·) and all polynomial-size adversaries (A1 , A2 ) = {(A1 , A2 )κ }κ∈N , where the depth of A2 is bounded from above by T ε (κ), we have   pp ← Setup(1κ , T (κ)); (τ, s0 , s1 ) ← A1 (pp); 1 ≤ + negl(κ) , Pr b ← A2 (Z, τ ) : 2 b ←$ {0, 1}; Z ← Gen(pp, sb ); where s0 , s1 ∈ S.

430

Y. Liu et al.

Theorem 1. MHTLP is a reusable-secure HTLP scheme with the solution space Z∗n supporting homomorphic multiplication of N (< n) elements in n. Proof. The correctness is straightforward. For the puzzle Z = (u, u , v, θ) as T T in (1) above, the Solve algorithm computes w ≡ u2 ≡ g 2 r ≡ hr (mod n) and T T   2 n w  ≡ u ≡ g 2 r ≡ hr (mod n). Then the algorithm computes θ/w mod  N n2 = (1 + n)σ mod n2 = 1 + σn, where σ = i=1 σi < n. Hence, we can derive n N n2 ]−1 d = [θ/w mod = σ and s ≡ i=1 si ≡ vw−1 χ−d (mod n). n The compactness is evident. It is easy to verify that the length of puzzles derived from homomorphic operations is the same as that of a puzzle output by Gen and does not depend on the number of multipliers N . The running time of the Solve algorithm does not depend on N , either. Moreover, the running time of homomorphic multiplications does not depend on the time parameter T . Finally, we prove the reusable security by the following sequence of hybrids. Hybrid0 This is the original experiment in Definition 1. Hybrid1 The element v now is generated via v ←$ Jn instead of computing v ← hr · χσ s mod n. We claim that Hybrid1 is indistinguishable from Hybrid0 for adversaries. Otherwise, given a distinguisher (A1 , A2 ) for Hybrid0 and Hybrid1 , where the depth of A2 is less than T , we can construct the following polynomial-size adversary (D1 , D2 ) to break the strong sequential squaring assumption. T Upon receiving (n, g, T ), D1 computes h ← g 2 mod n, picks χ ←$ Z∗n for Jn (χ) = −1, and sets pp ← (T, n, g, h, χ). Then D1 runs A1 (pp), obtains (τ, s0 , s1 ) from A1 , and outputs τ  = (h, τ, s0 , s1 ). Then D2 will be invoked  with input (x, y, τ  ). D2 sets u ← x, v ← y · χσb sb , u ← g r mod n, and r  ·n σb 2  θ ← h (1 + n) mod n for r ←$ [0, n/2] and b ←$ {0, 1}. Here σb = (−Jn (sb ) + 1)/2. Then D2 invokes A2 with input Z = (u, u , v, θ) and τ , and outputs whatever A2 outputs. Note that D1 is efficient since T is a polynomial, and the depth of D2 is identical (up to a constant factor) to that of A2 . We have the following two cases for this reduction. T – The case y = x2 mod n: Since g is a generator of Jn and x ∈ Jn , there exists r, such that x = g r mod n. Then the puzzle is of the form: 



Z = (u, u , v, θ) = (x, g r , x2 · χσb sb , hr ·n (1 + n)σb ) T





= (g r , g r , hr · χσb sb , hr ·n (1 + n)σb ) ∈ J3n × Z∗n2 , which is identically distributed as that in Hybrid0 . – The case y ←$ Jn : The puzzle now is of the form: 



Z = (u, u , v, θ) = (x, g r , y · χσb sb , hr ·n (1 + n)σb ) 



= (g r , g r , z, hr ·n (1 + n)σb ) ∈ J3n × Z∗n2 , where z = y · χσb sb mod n can be regarded as a random element in Jn since y is independently random. Hence, Z is identically distributed as that in Hybrid1 .

Towards Practical HTLP: Applicability and Verifiability

431

Therefore, (D1 , D2 ) wins the strong sequential squaring experiment with a probability significantly higher than 12 , contradicting the assumption. Hybrid2 The element θ is generated via θ ← ρn (1 + n)σ mod n2 for ρ ←$ Jn  instead of computing θ ← hr (1 + n)σ . We claim that Hybrid2 is indistinguishable from Hybrid1 for adversaries. Otherwise, given a distinguisher (A1 , A2 ) where the depth of A2 is less than T , we can construct a polynomial-size adversary (D1 , D2 ) to break the strong sequential squaring assumption as follows. D1 receives (n, g, T ), generates the public parameter pp, and derives τ  = (h, τ, s0 , s1 ) as that for the reduction in Hybrid1 . Then D2 is invoked with (x, y, τ  ). D2 sets u and v as the experiment of Hybrid1 . Let u ← x and θ ← y n (1 + n)σb mod n for b ←$ {0, 1}. Here σb = (−Jn (sb ) + 1)/2. Then D2 invokes A2 with input Z = (u, u , v, θ) and τ , and outputs whatever A2 outputs. Note that D1 is efficient since T is a polynomial, and the depth of D2 is identical (up to a constant factor) to that of A2 . We have the following two cases for this reduction. T – The case y = x2 mod n: Since g is a generator of Jn and x ∈ Jn , there   exists r , such that x = g r mod n. Then the puzzle is of the form: Z = (u, u , v, θ) = (u, x, v, y n (1 + n)σb ) = (u, x, v, x2 

T

n

(1 + n)σb )



= (u, g r , v, hr ·n (1 + n)σb ) ∈ J3n × Z∗n2 . Hence, Z is identically distributed as that in Hybrid1 . – The case y ←$ Jn : The puzzle now is of the form: 

Z = (u, u , v, θ) = (u, g r , v, z n (1 + n)σb ) ∈ J3n × Z∗n2 , where z ←$ Jn . Hence, Z is identically distributed as that in Hybrid2 . Therefore, (D1 , D2 ) wins the strong sequential squaring experiment with a probability significantly higher than 12 , which contradicts the assumption. Hybrid3 The element θ now is generated via θ ←$ Z∗n2 instead of computing θ ← ρn (1 + n)σ mod n2 for ρ ←$ Jn . We claim that Hybrid3 is indistinguishable from Hybrid2 for adversaries. Otherwise, given a distinguisher (A1 , A2 ), we can construct a probabilistic polynomial-time adversary D to break the decisional composite residuosity assumption. Upon receiving the pair (n, y), D picks g ←$ Jn and χ ←$ Z∗n T for Jn (χ) = −1, computes h ← g 2 mod n, and sets pp ← (T, n, g, h, χ). D y ) = Jn (y). Then D invokes A1 (pp) and also chooses yˆ ←$ Z∗n , such that Jn (ˆ receives (τ, s0 , s1 ). Let u, u , and v be generated as the reduction in Hybrid2 and θ ← y yˆn (1 + n)σb mod n2 for b ←$ {0, 1}. Here σb = (−Jn (sb ) + 1)/2. Let Z = (u, u , v, θ). D invokes A2 with input Z and τ , and outputs whatever A2 outputs. The two cases for this reduction are as follows. – The case y = xn mod n2 for x ←$ Z∗n : The puzzle is of the form: Z = (u, u , v, y yˆn (1 + n)σb ) = (u, u , v, (xˆ y )n (1 + n)σb ) ∈ J3n × Z∗n2 . Here xˆ y ∈ Jn is a random element. Hence, Z is identically distributed as that in Hybrid2 .

432

Y. Liu et al.

– The case y ←$ Z∗n2 : The puzzle is of the form: Z = (u, u , v, y yˆn (1 + n)σb ) = (u, u , v, y˜) ∈ J3n × Z∗n2 , where y˜ = y yˆn (1 + n)σb mod n2 . Since y ←$ Z∗n2 , y˜ is a random element in Z∗n2 . Hence, Z is identically distributed as that in Hybrid3 . Therefore, D wins the DCR experiment with a probability significantly higher than 12 , which contradicts the assumption. Since the puzzle in Hybrid3 information-theoretically hides the solution sb , the proof is then completed.  Both the additively HTLP scheme [13] and our MHTLP scheme need a onetime trusted setup. Their Setup algorithms can be executed by a trusted party or a group of parties using actively secure multi-party computation protocols.

4

Protocols for Verifiability

In this section, we introduce three protocols for verifiability for the additively HTLP scheme (Sect. 3.1) and our MHTLP scheme (Sect. 3.2), respectively. For the RSA modulus n = (2p + 1)(2q  + 1), we let p , q  be larger than 2κ . 4.1

Building Block

We recall the protocol for VDF proposed by Wesolowski [21] as a building block. This protocol is a succinct public-coin interactive argument for the language   T LEXP = (T, n, u, w) : w = u2 mod n , where u, w ∈ Zn and n is a strong RSA modulus. We denote this protocol by ΠEXP . Let Prime(2κ) be the set of the first 22κ primes. The description of the protocol between a prover P and a verifier V is as follows. 1. V randomly picks a prime  from Prime(2κ) and sends  to P. 2. Let 2T = q + r, where q, r ∈ Z and 0 ≤ r < . P computes π ← uq mod n and sends it to V. 3. V computes r ← 2T mod . Then V outputs accept if π ∈ Zn and w = π  ur mod n, and reject otherwise. We note that π ← uq mod n can be efficiently computed by T · 3/ log(T ) group operations that are allowed to be parallelized (see [21] for more information).

Towards Practical HTLP: Applicability and Verifiability

4.2

433

Protocols for Additively HTLP Scheme

Correctness. This protocol allows a puzzle solver to prove to others that the solution s ∈ Zn he derived from solving a puzzle Z = (u, v) ∈ Jn ×Z∗n2 is correct. We denote this protocol by ΠACorSol , and its corresponding language is   T LACorSol = (T, n, u, v, s) : v = u2 ·n (1 + n)s mod n2 , for an RSA modulus n. The idea is that the puzzle solver can reveal w = T u2 mod n and prove that (T, n, u, w) is in LEXP via ΠEXP . Then given w, verifiers can quickly solve the puzzle and verify the correctness of the solution s. The description of ΠACorSol between a prover P and a verifier V is in the following. T

1. P sends w ← u2 mod n to V. 2. P and V engage in ΠEXP for the tuple (T, n, u, w). 3. V outputs accept if the argument ΠEXP is accepted and v = wn (1+n)s mod n. Otherwise, V outputs reject. It is direct to have the theorem below, and its proof is given in the full version. Theorem 2. The protocol ΠACorSol is a public-coin honest-verifier argument corresponding to the language LACorSol . Invalidity. This protocol allows a puzzle solver to prove to others that the output of the algorithm Solve for a puzzle Z = (u, v) ∈ Jn × Z∗n2 is ⊥, i.e., Z is invalid. The idea is similar to ΠACorSol , i.e., the puzzle solver helps verifiers quickly solve the puzzle to know that it is invalid. This protocol is denoted by ΠAInvalid and its corresponding language is   T LAInvalid = (T, n, u, v) : ∀s ∈ Zn , v = u2 ·n (1 + n)s mod n2 . The description of ΠAInvalid between a prover P and a verifier V is in the following. T

1. P sends w ← u2 mod n to V. 2. P and V engage in ΠEXP for the tuple (T, n, u, w). 3. V outputs accept if the argument ΠEXP is accepted and n does not divide ([vw−n mod n2 ] − 1). Otherwise, V outputs reject. Similarly, we have the following theorem. Theorem 3. The protocol ΠAInvalid is a public-coin honest-verifier argument corresponding to the language LAInvalid . Validity. This protocol allows a puzzle generator to show the validity of Z by proving in zero-knowledge the knowledge of the solution and randomness for a puzzle Z = (u, v) ∈ Jn × Z∗n2 , i.e., the solution exists. Inspired by the commitments of integers [5], we follow the approach introduced in Sect. 1.2 to

434

Y. Liu et al.

overcome the hidden-order problem. This protocol is denoted by ΠAValid and its corresponding relation is defined as RAValid = {(n, g, h, u, v) : ∃(r, s) ∈ Z × Zn , s.t. u = ±g r mod n ∧ v = hr·n · (1 + n)s mod n2 } . T

We relax the requirement of u = g r mod n to u = ±g r mod n. Since u2 ≡ T T (−g r )2 ≡ (g r )2 (mod n), this does not compromise the correctness and security. The description of ΠAValid between P and V is presented below. 1. P randomly picks x ←$ [0, n/2·22κ ] and t ←$ Zn , and computes a ← g x mod n and b ← hx·n (1 + n)t mod n2 . Then P sends a and b to V. 2. V randomly chooses e ←$ [0, 2κ ] and sends it to P. 3. P computes α ← re + x, β ← se + t mod n. 4. If α ∈ [0, n/2 · 2κ + n/2 · 22κ ], β ∈ Zn , g α ≡ ue a (mod n), and hα·n (1 + n)β ≡ v e b (mod n2 ) hold, V outputs accept, and otherwise reject. Theorem 4. The protocol ΠAValid is a public-coin honest-verifier zero-knowledge argument of knowledge corresponding to the relation RAValid . Proof. For the completeness, we have g α ≡ g re+x ≡ ue a (mod n2 ) and hαn (1 + n)β ≡ h(re+x)n (1 + n)[se+t mod n] ≡ hre·n (1 + n)[se mod n] hx·n (1 + n)[t mod n] ≡ v e b

(mod n2 ) .

Since α = re + x, r < n/2, e < 2κ , and x < n/2 · 22κ , we have α ∈ [0, n/2 · 2κ + n/2 · 22κ ]. For honest-verifier zero-knowledge, we construct the following simulator S. 1. S randomly choose a challenge e ←$ [0, 2κ ]. 2. S picks random responses α ←$ [0, n/2 · 22κ ] and β ←$ Zn . 3. S computes a ← g α u−e mod n and b ← hα·n (1 + n)β v −e mod n2 as the messages sent by the prover in Step 1. The simulated transcript is ((a, b), e, (α, β)). We now prove that it is statistically indistinguishable from a real transcript by a sequence of hybrids as follows. Hybrid0 This is the transcript of the real execution. The elements are generated as x ←$ [0, n/2 · 22κ ], t ←$ Zn , e ←$ [0, 2κ ], a ← g x mod n, b ← hx·n (1 + n)t mod n2 , α = re + x, and β = se + t mod n. Hybrid1 The elements are generated as e ←$ [0, 2κ ], α ←$ [re, re + n/2 · 22κ ], β ←$ Zn , a ← g α−re mod n, and b ← h(α−re)·n (1 + n)[β−se mod n] mod n2 . It is clear that the distribution of the transcript is identical to that in Hybrid0 . Hybrid2 Different from Hybrid1 , let a ← g α u−e mod n, and b ← hα·n (1 + n)β v −e mod n2 . It is easy to see that the distribution of the transcript is still identical to that in Hybrid1 . Hybrid3 This is the simulated transcript. Let e ←$ [0, 2κ ], α ←$ [0, n/2 · 22κ ], β ←$ Zn , a ← g α u−e mod n, and b ← hα·n (1 + n)β v −e mod n2 .

Towards Practical HTLP: Applicability and Verifiability

435

The distance between distributions of Hybrid2 and Hybrid3 is equivalent to the distance between distributions of α’s in these two hybrids. Let X and Y be the random variables for the distributions of α’s in Hybrid2 and Hybrid3 , respectively. Then the statistical distance Δ(X; Y ) between X and Y is 1 | Pr[X = α] − Pr[Y = α]| Δ(X; Y ) = 2 2κ α∈[0,re+n/2·2

]

2κ

n/2·2 +re−1 re−1 1 1 n/2−1 2−2κ + n/2−1 2−2κ = 2 α=0 2 2κ α=n/2·2

= ren/2

−1 −2κ

2

≤ n/22 · n/2−1 2−2κ = 2−κ . κ

The distribution of Hybrid3 is thus statistically indistinguishable from Hybrid2 , and also Hybrid0 . The honest-verifier zero-knowledge property then follows. We now focus on the witness-extended emulation property. Suppose that verifiers interact with P∗ and output accept with non-negligible probability ε. We construct an emulator that runs P∗ as a subroutine. After receiving a and b from P∗ , the emulator gives e1 ←$ [0, 2κ ] to P∗ . If the output α1 and β1 from P∗ consist of an accepting transcript, the emulator needs to use an extractor E to extract the witness. E rewinds P∗ to Step 2 (challenge phase) and runs it again with a new random challenge from [0, 2κ ] until having an accepting transcript for a challenge e2 . The expected running time for the rewinding is 1/ε, and thus polynomial. Since challenges are randomly sampled from [0, 2κ ], we have e1 = e2 except for negligible probability. Let S abort if e1 = e2 . This does not affect our analysis since it happens with negligible probability. We assume that e1 = e2 in the remaining analysis. We denote the two accepting transcripts by ((a, b), e1 , (α1 , β1 )) and ((a, b), e2 , (α2 , β2 )), satisfying g α1 ≡ ue1 a (mod n) ,

hα1 ·n (1 + n)β1 ≡ v e1 b

(mod n2 ) ,

g α2 ≡ ue2 a (mod n) ,

hα2 ·n (1 + n)β2 ≡ v e2 b

(mod n2 ) .

Without loss of generality, we assume that e1 > e2 . Let e ← e1 − e2 , α ←   α1 − α2 , and β  ← β1 − β2 mod n. We can easily derive g α ≡ ue (mod n) and α n β e 2 α e h (1 + n) ≡ v (mod n ). We focus on the equation g ≡ u (mod n).  Firstly, we analyze the case that e divides α . Let r ← αe . If e is odd, it is obvious that e is coprime to λ = 2p q  , and thus u = g r mod n. Therefore, we extract the witness r. If e is an even number, it can be expressed as e = 2d ρ, where d ≥ 1 and ρ is odd. It is obvious that ρ is coprime to λ. Now we obtain d d d g 2 r ≡ u2 (mod n), and thus (g r u−1 )2 ≡ 1 (mod n). We can further simplify the equation as (g r u−1 )2 ≡ 1 (mod n). Hence, g r u−1 is a square root of 1. – If g r u−1 is a nontrivial square root of 1, i.e., g r u−1 ≡ ±1 (mod n), we know that (g r u−1 )2 −1 ≡ (g r u−1 −1)(g r u−1 +1) ≡ 0 (mod n), where (g r u−1 −1) ≡ 0 (mod n) or (g r u−1 + 1) ≡ 0 (mod n). Hence, a nontrivial factor of the RSA modulus n can be computed from gcd(g r u−1 ± 1, n). Since we assume that factoring n is hard, this happens with negligible probability.

436

Y. Liu et al.

– If g r u−1 ≡ ±1 (mod n), then we have g r ≡ ±u (mod n), and thus the witness r is extracted. Then we analyze the case that e does not divide α . Let γ = gcd(e , α ),    τ = eγ , and ω = αγ . Note that ωτ is the irreducible fraction form of αe . We now show that we can break the strong RSA assumption if e does not divide α . 



– If γ is an odd number, since γ < e , γ is coprime to λ. Hence, from g α ≡ ue (mod n), we know that g ω ≡ uτ (mod n). Then, we are able to construct an attacker to break the strong RSA assumption. More concretely, given an RSA challenge (n, g0 ), we set g ← −g02 mod n in the public parameter pp. Then, if this is the case, we have (−g02 )ω ≡ uτ (mod n). If ω is an even number, we have (−g02 )ω ≡ g02ω ≡ uτ (mod n). Since ω is an even number, τ must be odd, and thus gcd(2ω, τ ) = 1. Now given gcd(2ω, τ ) = 1 and g02ω ≡ uτ (mod n), we can derive the τ -th root of g0 according to Lemma 1, and thus break the strong RSA assumption. If ω is an odd number, we have −g02ω ≡ uτ . Since g02ω ∈ QRn and −1 ∈ Jn \QRn for the strong RSA modulus n, we know that −g02ω ∈ Jn \QRn , and thus τ is also an odd number. This implies that gcd(2ω, τ ) = 1 and g02ω ≡ (−u)τ . Hence, we can derive the τ -th root of g0 according to Lemma 1 and break the strong RSA assumption. – If γ is an even number, we denote γ by 2d ρ. Since ρ < γ < e , ρ is coprime to d d λ. Then we know that g 2 ω ≡ u2 τ (mod n), and thus g 2ω ≡ u2τ (mod n). If g ω ≡ ±uτ (mod n), we can write (g ω + uτ )(g ω − uτ ) ≡ 0 (mod n), where g ω + uτ ≡ 0 (mod n) or g ω − uτ ≡ 0 (mod n). Hence, a nontrivial factor of the RSA modulus n can be computed from gcd(g ω ± uτ , n). If g ω ≡ ±uτ (mod n), we can construct an attacker to break the strong RSA assumption. Given an RSA challenge (n, g0 ), we set g ← −g02 mod n in pp. • If g ω ≡ uτ (mod n), we have (−g02 )ω ≡ uτ (mod n). When ω is an odd number, −g02ω ≡ uτ (mod n). Following the same argument as above, τ should be odd, and thus gcd(2ω, τ ) = 1. Then we have g02ω ≡ (−u)τ (mod n). Hence, we can derive the τ -th root of g0 according to Lemma 1, and thus break the strong RSA assumption. When ω is an even number, we have g02ω ≡ uτ (mod n) and gcd(2ω, τ ) = 1. Then we can derive the τ -th root of g0 according to Lemma 1, and thus again break the strong RSA assumption. • If g ω ≡ −uτ (mod n), we have (−g02 )ω ≡ −uτ (mod n). When ω is an even number, we know that g02ω ≡ −uτ (mod n) and τ is an odd number. So we have g02ω ≡ (−u)τ (mod n) and gcd(2ω, τ ) = 1. Hence, we can derive the τ -th root of g0 according to Lemma 1 and break the strong RSA assumption. When ω is an odd number, we have g02ω ≡ uτ (mod n). If τ is an odd number, we have gcd(2ω, τ ) = 1. Therefore, we can derive the τ -th root of g0 according to Lemma 1, and thus break the strong RSA assumption. Finally, if τ is an even number, since gcd(2ω, τ ) = 2, we can find integer x ¯ and y¯, such that 2ω · x ¯ + τ · y¯ = 2. Then we have g02 ≡ g02ω·¯x+τ ·¯y ≡

Towards Practical HTLP: Applicability and Verifiability

437

uτ ·¯x g0y¯·τ ≡ (ux¯ g0y¯)τ (mod n). Let τ  ← τ /2 and z ← ux¯ g0y¯ mod n. We    have g02 ≡ z τ ·2 (mod n), i.e., (g0 z −τ )2 ≡ 1 (mod n). Hence, g0 z −τ is a square root of 1 modulo n.   If g0 z −τ is a nontrivial square root of 1, i.e., g0 z −τ ·2 ≡ ±1 (mod n), we can easily derive a nontrivial factor of the RSA modulus n using the same  approach as above, i.e., by computing gcd(g0 z −τ ± 1, n).   If g0 z −τ ≡ ±1 (mod n), i.e., g0 ≡ ±z τ (mod n), we consider two cases.  If τ  is an odd number, we have g0 ≡ (±z)τ (mod n), and thus break the strong RSA assumption. If τ  = 2d ρ, where ρ is an odd number, we have d g0 ≡ (±z 2 )ρ (mod n), and we again break the strong RSA assumption. In summary, if e does not divide α , we can break the strong RSA assumption with at most negligible probability. Hence, with an overwhelming probability, e divides α and E can successfully extract r such that u = ±g r (mod n). We can also compute x ← α − re, which satisfies a = g x mod n. According to [14], there is an isomorphism from Z∗n × Zn to Z∗n2 . Since we obtain two accepting transcripts, we know that there exist t ∈ Zn and s ∈ Zn , such that v = h[r mod λ]·n (1 + n)s mod n2 and b = h[x mod n]·n (1 + n)t mod n2 , for the same r and x. Hence, we can compute the witness s and t from β1 ← e1 s + t mod n and β2 ← e2 s + t mod n for given e1 , e2 , β1 , and β2 . It is easy to verify that E runs in expected probabilistic polynomial time, and thus the protocol achieves witness-extended emulation.  4.3

Protocols for Our Multiplicatively HTLP

Correctness. Denote the protocol by ΠMCorSol and its language by LMCorSol = {(T, n, χ, Z = (u, u , v, θ), s) : ∃σ ∈ Zn , s.t. v = u2 · χσ s mod n ∧ θ = u T

2T ·n

(1 + n)σ mod n2 } .

The idea of this protocol is similar to ΠACorSol . Its description between P and V, together with the related theorem, are in the following. 2T

1. P sends w ← u2 mod n and w ← u mod n to V. 2. P and V engage in ΠEXP twice2 for tuples (T, n, u, w) and (T, n, u , w ), respectively. −n mod n2 ]−1 3. V computes σ ← [θw . Then V outputs accept if the two runs of n ΠEXP are accepted, σ ∈ Zn , and v = wχσ s. Otherwise, V outputs reject. T

Theorem 5. The protocol ΠMCorSol is a public-coin honest-verifier argument corresponding to the language LMCorSol . Invalidity. Denote this protocol by ΠMInvalid . It is easy to see that a puzzle Z = (u, u , v, θ) for the MHTLP scheme is invalid if and only if (u , θ) is an invalid puzzle with respect to the additively HTLP scheme in Sect. 3.1. Therefore, ΠMInvalid is exactly the same as ΠAInvalid for the pair (u , θ). 2

These two proofs can be aggregated, see [21] for more information.

438

Y. Liu et al.

Validity. A puzzle Z = (u, u , v, θ) ∈ J3n × Z∗n2 output by Gen is valid if there 2T ·n

(1 + n)σ mod n2 . This is equivalent exists a bit σ ∈ {0, 1}, such that θ = u   to proving the knowledge of r ∈ Z, such that u = g r mod n and meanwhile r  ·n 2 r  ·n 2 mod n or θ = h (1 + n) mod n . Denote the protocol by ΠMValid θ = h and its corresponding relation by 

RMValid = {(n, g, h, u , θ) : ∃(r , σ) ∈ Z × {0, 1}, s.t. u = ±g r mod n 

∧ θ = hr ·n (1 + n)σ mod n2 } . 

We require u = ±g r mod n as that in ΠAValid . The description of the protocol ΠMValid between a prover P and a verifier V is presented below. 1. Both P and V set θ0 ← θ, and θ1 ← θ/(1 + n) mod n2 . 2. For σ ∈ {0, 1}, P chooses e1−σ ←$ [0, 2κ ], α1−σ ←$ [0, n/2 · 22κ ]. Then P −e −e computes a1−σ ← g α1−σ u 1−σ mod n and b1−σ ← hα1−σ ·n θ1−σ1−σ mod n2 . 2κ x 3. P randomly picks x ←$ [0, n/2 · 2 ], computes aσ ← g mod n and bσ ← hx·n mod n2 . Then P sends a0 , a1 , b0 , and b1 to V. 4. V randomly chooses e ←$ [0, 2κ ] and sends it to P. 5. P computes eσ ← e ⊕ e1−σ . Then P computes ασ ← r eσ + x. After that, P sends α0 , α1 , e0 , and e1 to V. e 6. V checks whether αi ∈ [0, n/2 · 2κ + n/2 · 22κ ], e = e0 ⊕ e1 , g αi ≡ u i ai ei αi ·n 2 (mod n), and h ≡ θi bi (mod n ) for both i ∈ {0, 1}. If they all hold, V outputs accept, and reject otherwise. We have the theorem for ΠMValid below, and its proof is put in the full version. Theorem 6. The protocol ΠMValid is an honest-verifier zero-knowledge argument of knowledge corresponding to the relation RMValid .

5 5.1

Analysis Communication Cost

Denote by μ the length of the RSA modulus n in bits. An MHTLP puzzle Z = (u, u , v, θ) ∈ J3n × Z∗n2 is represented by 5 µ bits. For practical usage, we set μ = 2048, and thus a puzzle only occupies 1.25 KB. In Table 1, We summarize the numbers of bits for the six protocols in this paper when they are compiled by the Fiat-Shamir heuristic. It is easy to see that the communication cost of our MHTLP scheme and the protocols for verifiability are satisfactory.

Towards Practical HTLP: Applicability and Verifiability

439

Table 1. Length of the six non-interactive arguments. ΠACorSol ΠAInvalid ΠAValid μ + 2κ

Total

μ + 2κ

ΠMCorSol ΠMInvalid ΠMValid

2μ + 3κ 2μ + 4κ μ + 2κ

2μ + 6κ

μ = 2048, κ = 128 0.28 KB 0.28 KB 0.55 KB 0.56 KB 0.28 KB 0.59 KB

5.2

Computation Cost

We implement our MHTLP scheme and protocols in C++ using the NTL [18] and OpenSSL [15] libraries for the underlying modular arithmetic and hash function, respectively. SHA256 is used to implement the random oracle. Experiments are conducted on a Windows 11 laptop of Windows Subsystem for Linux 2 (WSL2) with AMD Ryzen 9 5900HS, 16 GB of RAM using a single thread. Set μ = 2048 and κ = 128 in our implementation.3

Table 2. Mul cost of MHTLP. # of Mul

Time

100, 000

0.9576 s

Table 3. Computation cost of ΠAValid and ΠMValid . ΠAValid Prover Time

1, 000, 000 10.8318 s

ΠMValid

18.85 ms 37.98 ms

Verifier Time 19.14 ms 38.60 ms

Table 2 provides the computation cost of multiplications on secrets within puzzles for our MHTLP scheme. Note that for one multiplication, 3 multiplications over Z∗n and 1 multiplication over Z∗n2 are involved, and they cost only around 0.01 ms. Table 3 presents the computation cost of the protocols ΠAValid and ΠMValid . It is easy to see that both the prover and verifier spend only around 19 ms to generate and verify a proof for ΠAValid and 38 ms for ΠMValid . Table 4. Computation cost of ΠACorSol , ΠAInvalid , ΠMCorSol , and ΠMInvalid . ΠACorSol

ΠAInvalid

ΠMCorSol

ΠMInvalid

Solve and Prove 16.3072 s 16.232 s

21.725 s

21.738 s

Verification

8.319 ms 8.301 ms 8.673 ms 8.766 ms

For ΠEXP , according to the analysis in [21], the prover takes O (T / log(T )) group operations based on intermediate values from computing the sequential squaring computation to generate the proof. For practical parameters, the total time to generate a proof in ΠEXP is around 1/(20s)T , where s is the number of 3

The implementation is available at https://github.com/liu-yi/HTLP.

440

Y. Liu et al.

cores for a computer. In Table 4, for protocols ΠACorSol , ΠAInvalid , ΠMCorSol , and ΠMInvalid , we provide the time for the verifier, given the representative total time for a prover to solve a puzzle and generate a proof. We can see that all verifications spend around 8.5 ms. Therefore, the computation cost of our MHTLP scheme and the protocols for verifiability are satisfactory. In conclusion, our MHTLP scheme and the protocols demonstrate great efficiency in both communication and computation and will significantly broaden the application scenarios of HTLP. HTLP schemes are thereby more practical. Acknowledgments. We thank the reviewers and the shepherd Steve Schneider for their detailed and helpful comments. Y. Liu and Q. Wang were partially supported by the Shenzhen fundamental research programs under Grant no. 20200925154814002 and Guangdong Provincial Key Laboratory (Grant No. 2020B121201001). Y. Liu and S.-M. Yiu were partially supported by the theme-based research project (T35-710/20-R) and the HKU-SCF FinTech Academy.

A

Related Work

Besides the two partially HTLP schemes, a fully HTLP scheme based on indistinguishability obfuscation was proposed in [13], and another one based on fully homomorphic encryption was given in [3]. They are both based on costly primitives and are mostly of theoretical interest at present. Very recently, a generic construction of HTLP schemes was proposed in [4]. This construction uses existing classical time-lock puzzle schemes and homomorphic encryption schemes in a black-box manner. Its setup algorithm generates a key pair of the homomorphic encryption scheme, together with a time-lock puzzle for the random coins used in the key generation, and outputs the public key and puzzle as public parameters. Then homomorphic puzzles of this construction are ciphertexts encrypting secrets via the public key. Parties can solve the puzzle for random coins, derive the private key from random coins, and then decrypt puzzles (ciphertexts) using the private key. We remark that the setup is for one-time use, and all secrets are revealed after time T from the setup. Hence, it can only be applied to scenarios where all puzzles are generated simultaneously, and public parameters should be periodically re-initialized. Moreover, we often require a multi-party protocol to perform the setup, which is costly for one-time use and complicated to prevent malicious parties from obtaining public parameters in advance to gain advantages. Alternatively, HLTP schemes in [13] only need one setup of public parameters, and a secret within a puzzle is hidden for time T , starting from the generation of that puzzle.

B

Computational Assumptions

Definition 2 ([13]). Let n be a randomly generated strong RSA modulus based on κ, g be a generator of Jn , and T (·) be a polynomial. The strong sequential squaring assumption is that there exists ε with 0 < ε < 1, such that for all

Towards Practical HTLP: Applicability and Verifiability

441

polynomial-size adversaries (A1 , A2 ) = {(A1 , A2 )κ }κ∈N , where the depth of A2 is bounded from above by T ε (κ), we have  Pr b ← A2 (x, y, τ ) :

τ ← A1 (n, g, T (κ)); x ←$ Jn ; b ←$ {0, 1}; if b = 0, y ←$ Jn ; if b = 1, y = x

2T (κ)



mod n;

≤

1 + negl(κ) . 2

Definition 3. Let n be a randomly generated strong RSA modulus based on κ. Then the decisional composite residuosity (DCR) assumption is that for all probabilistic polynomial-time (PPT) adversaries A, we have   x ← Z∗n ; b ← {0, 1}; 1 ≤ + negl(κ) . Pr b ← A(n, y) : ∗ n 2 2 if b = 0, y ← Zn2 ; if b = 1, y ← x mod n ; Definition 4. Let n be a randomly generated strong RSA modulus based on κ. The strong RSA assumption is that for all PPT adversaries A, we have

 y ←$ Z∗n ; Pr e ≥ 2 ∧ xe = y mod n : ≤ negl(κ) . (x, e) ← A(n, y);

C

Definition of Homomorphic Time-Lock Puzzle Scheme

Definition 5 ([13]). Let C = {Cκ }κ∈N be a class of circuits. An HTLP scheme with the solution space S with respect to C is a tuple of algorithms (Setup, Gen, Solve, Eval) defined as follows. – pp ← Setup(1κ , T ) a probabilistic algorithm that takes as input the security parameter 1κ and a time hardness parameter T and outputs the public parameter pp. – Z ← Gen(pp, s) a probabilistic algorithm that takes as input pp and a solution s ∈ S and outputs a homomorphic time-lock puzzle Z. – s / ⊥← Solve(pp, Z) a deterministic algorithm that takes as input pp and a puzzle Z, and outputs a solution s ∈ S or an error message ⊥ indicating that Z is invalid. – Z ← Eval(pp, C, Z1 , . . . , ZN ) an algorithm that takes as input pp, a circuit C ∈ Cκ , and a set of n puzzles (Z1 , . . . , ZN ) and outputs a puzzle Z. Note that this algorithm defines the homomorphic operations for the HTLP scheme. It satisfies the following two properties. Correctness. The scheme with respect to C is correct if for all polynomials T in κ, all C ∈ Cκ and inputs (s1 , . . . , sN ) ∈ Sn , we have ⎡ ⎤ pp ← Setup(1κ , T ); ⎢ Zi ← Gen(pp, si ) for i = 1, . . . , N ;⎥ ⎢ ⎥ Pr ⎢ C(s1 , . . . , sN ) = s : ⎥ ≤ negl(κ) . ⎣ ⎦ Z ← Eval(pp, C, Z1 , . . . , ZN ); s ← Solve(pp, Z);

442

Y. Liu et al.

Compactness. The scheme with respect to C is compact if for all polynomials T in κ, all C ∈ Cκ , and inputs (s1 , . . . , sN ) ∈ Sn , when compute pp ← Setup(1κ , T ), Zi ← Gen(pp, si ), and Z ← Eval(pp, C, Z1 , . . . , ZN ), the following three properties are satisfied. – There exists a fixed polynomial p1 , such that the running time of the algorithm Solve(pp, Z) is bounded by p1 (κ, T ). – There exists a fixed polynomial p2 , such that the length of Z is bounded by p2 (κ, |C(s1 , . . . , sN )|), where |C(s1 , . . . , sN )| is the number of bits to represent C(s1 , . . . , sN ). – There exists a fixed polynomial p3 , such that the running time of the algorithm Eval(pp, C, Z1 , . . . , ZN ) is bounded by p3 (κ, |C|), where |C| is the size of the circuit C.

References 1. Boneh, D., Bonneau, J., B¨ unz, B., Fisch, B.: Verifiable delay functions. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 757– 788. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1 25 2. Boneh, D., Naor, M.: Timed commitments. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 236–254. Springer, Heidelberg (2000). https://doi.org/10. 1007/3-540-44598-6 15 3. Brakerski, Z., D¨ ottling, N., Garg, S., Malavolta, G.: Leveraging linear decryption: rate-1 fully-homomorphic encryption and time-lock puzzles. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 407–437. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7 16 4. Chvojka, P., Jager, T., Slamanig, D., Striecks, C.: Versatile and sustainable timed-release encryption and sequential time-lock puzzles (extended abstract). In: Bertino, E., Shulman, H., Waidner, M. (eds.) ESORICS 2021. LNCS, vol. 12973, pp. 64–85. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-88428-4 4 5. Damg˚ ard, I., Fujisaki, E.: A statistically-hiding integer commitment scheme based on groups with hidden order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 125–142. Springer, Heidelberg (2002). https://doi.org/10.1007/3-54036178-2 8 6. Dwork, C., Naor, M.: Zaps and their applications. SIAM J. Comput. 36(6), 1513– 1543 (2007) 7. Faust, S., Hazay, C., Kretzler, D., Schlosser, B.: Generic compiler for publicly verifiable covert multi-party computation. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 782–811. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6 27 8. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7 12 9. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7 2 10. Knapp, J., Quaglia, E.A.: Fair and sound secret sharing from homomorphic timelock puzzles. In: Nguyen, K., Wu, W., Lam, K.Y., Wang, H. (eds.) ProvSec 2020. LNCS, vol. 12505, pp. 341–360. Springer, Cham (2020). https://doi.org/10.1007/ 978-3-030-62576-4 17

Towards Practical HTLP: Applicability and Verifiability

443

11. Lin, H., Pass, R., Soni, P.: Two-round and non-interactive concurrent nonmalleable commitments from time-lock puzzles. SIAM J. Comput. 49(4) (2020) 12. Lindell, Y.: Parallel coin-tossing and constant-round secure two-party computation. J. Cryptology 16(3), 143–184 (2003) 13. Malavolta, G., Thyagarajan, S.A.K.: Homomorphic time-lock puzzles and applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 620–649. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-269487 22 14. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X 16 15. Project, O.: Openssl project. https://www.openssl.org/ 16. Rivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto. Technical report, Massachusetts Institute of Technology, USA (1996) 17. Scholl, P., Simkin, M., Siniscalchi, L.: Multiparty computation with covert security and public verifiability. IACR Cryptol. ePrint Arch. 2021, 366 (2021). https:// eprint.iacr.org/2021/366 18. Shoup, V.: Ntl: A library for doing number theory. http://www.shoup.net/ntl 19. Shoup, V.: Practical threshold signatures. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 207–220. Springer, Heidelberg (2000). https://doi.org/10. 1007/3-540-45539-6 15 20. Thyagarajan, S.A.K., Bhat, A., Malavolta, G., D¨ ottling, N., Kate, A., Schr¨ oder, D.: Verifiable timed signatures made practical. In: Ligatti, J., Ou, X., Katz, J., Vigna, G. (eds.) CCS 2020: 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event, USA, November 9–13, 2020. pp. 1733– 1750. ACM (2020) 21. Wesolowski, B.: Efficient verifiable delay functions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 379–407. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4 13

Attacks

Kallima: A Clean-Label Framework for Textual Backdoor Attacks Xiaoyi Chen1 , Yinpeng Dong2,3 , Zeyu Sun4 , Shengfang Zhai1 , Qingni Shen1(B) , and Zhonghai Wu1(B) 1

Peking University, Beijing 100871, China {xiaoyi.chen,qingnishen,wuzh}@pku.edu.cn, [email protected] 2 Tsinghua University, Beijing 100084, China [email protected] 3 RealAI, Beijing, China 4 Zhongguancun Laboratory, Beijing, China szy @pku.edu.cn

Abstract. Although Deep Neural Network (DNN) has led to unprecedented progress in various natural language processing (NLP) tasks, research shows that deep models are extremely vulnerable to backdoor attacks. The existing backdoor attacks mainly inject a small number of poisoned samples into the training dataset with the labels changed to the target one. Such mislabeled samples would raise suspicion upon human inspection, potentially revealing the attack. To improve the stealthiness of textual backdoor attacks, we propose the first clean-label framework Kallima for synthesizing mimesis-style backdoor samples to develop insidious textual backdoor attacks. We modify inputs belonging to the target class with adversarial perturbations, making the model rely more on the backdoor trigger. Our framework is compatible with most existing backdoor triggers. The experimental results on three benchmark datasets demonstrate the effectiveness of the proposed method. Keywords: Backdoor attack perturbation

1

· Clean-label · M imesis-style

Introduction

Large-scale language models based on Deep Neural Networks (DNNs) with millions of parameters have made remarkable progress in recent years, advancing a wide range of applications in numerous domains, such as toxic comment classification [21], question answering [20], and neural machine translation [1]. However, language models are extremely vulnerable to malicious attacks, such as membership inference attack [8,25,27], adversarial attack [12,13], and backdoor attack [3,4,10]. Recently, backdoor attack has attracted a lot of attention because it poses worrisome security threats to natural language processing (NLP) tasks. In this setting, the adversary aims to embed a backdoor in a NLP model during training by injecting a small number of poisoned samples. During inference, c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 447–466, 2022. https://doi.org/10.1007/978-3-031-17140-6_22

448

X. Chen et al.

the model will consistently predict a particular target class whenever a specific trigger pattern is present while maintaining good overall performance on clean samples, making backdoor attack hard to detect. Existing backdoor attacks in NLP mainly focus on the poison-label setting [10]—the adversary inserts a secret trigger into the training examples and correspondingly assigns their labels to the target one. However, these approaches are still far from stealthy that the poisoned inputs are often clearly mislabeled since they usually have similar semantics to the original inputs for keeping secret. Such obviously incorrect labels would be deemed suspicious, which can be easily found by human inspection or rudimentary filtering methods. To improve the stealthiness of textual backdoor attacks, a promising way is to keep the training labels consistent with the poisoned inputs, which is known as clean-label backdoor attacks. For image classification tasks, Turner et al. [28] realized this idea with high attack effectiveness, which inspires researchers to apply it to NLP models. However, different from the continuous image data, textual data is discrete and sensitive to the perturbation, which introduces challenges to construct a clean-label framework for textual backdoor attacks. A na¨ıve attempt is to only poison the training samples belonging to the target class. However, it would render the attack ineffective since the poisoned inputs can be correctly classified based on the original content, such that the model tends to ignore the trigger. To enhance the effectiveness, the adversary needs to perturb the clean samples, making the model hard to classify them correctly without leveraging the backdoor trigger. Meanwhile, to maintain the invisibility, the perturbed samples should be semantically similar, fluent, and label-consistent with the original samples for human perception. Moreover, the perturbation and any injected triggers should not mitigate each other. Hence, an ideal clean-label framework for textual backdoor attacks should simultaneously fulfill Effectiveness, Stealthiness, and Compatibility. In this paper, we propose Kallima, the first clean-label framework for synthesizing poisoned samples to develop insidious textual backdoor attacks (see Fig. 2). Specifically, we tackle the aforementioned challenges by crafting poisoned samples enhanced by adversarial perturbations, dubbed mimesis-style samples. M imesis-style samples have visual similarity and feature dissimilarity with the original samples: 1) Visual similarity—the labels of perturbed samples are consistent with the original samples for human perception; 2) Feature dissimilarity—the perturbed samples are hard to be classified correctly by the target model according to its feature. Our framework is compatible with most textual backdoor triggers. To validate its compatibility, we apply it to the existing backdoor techniques of different perturbation levels [3,4,10]. Additionally, we propose a novel sentence-level backdoor with more stealthy trigger pattern to further validate the effectiveness, namely Back-Translation Backdoor attack (BTB), which generates paraphrase via back-translation by means of translators as a trigger. The key intuition behind this attack is that the rewrites after a round-trip translation tend to be more formal than the original inputs, which can be extracted as a potential trigger pattern.

Kallima

449

To demonstrate the efficacy of our framework, we evaluate Kallima deployed with three existing backdoor triggers (BadChar [3], RIPPLe [10], and Insertsent [4]) and our proposed trigger BTB, respectively. We evaluate our framework on BERT-based classifiers [15], using three different benchmark datasets, namely, Stanford Sentiment Treebank (SST-2) [26], Offensive Language Identification Dataset (OLID), and AG’s News (AG) [32]. The experimental results demonstrate that our Kallima coupled with existing backdoor attacks is more effective than the clean-label baseline of them. For example, using the same poisoning rate and trigger setting, RIPPLe enhanced by Kallima can achieve a significantly higher attack success rate of 98.79%, which outperforms the baseline by 42.58%.

2 2.1

Related Work Backdoor Attacks on NLP Models

Backdoor attacks have been widely studied in recent years. Most existing studies focus on computer vision tasks [7,29]. For the area of NLP, the study of backdoor attack is still in its infancy. Dai et al. [4] first discussed the backdoor attack against LSTM-based sentiment analysis models. They propose to construct backdoor samples by randomly inserting emotionally neutral sentence into benign training samples. Later, Kurita et al. [10] observed that the backdoors in pre-trained models are retained even after fine-tuning on downstream tasks. More recently, Chan et al. [2] made use of an autoencoder for generating backdoor training samples. This work makes the backdoor samples more natural from a human perspective. Furthermore, Zhang et al. [33] defined a set of trigger keywords to generate logical trigger sentences containing them. Li et al. [14] leveraged LSTM-Beam Search and GPT-2 respectively to generate dynamic poisoned sentences. And Chen et al. [3] proposed semantic-preserving trigger generation methods in multiple perturbation levels (i.e. character-level, word-level and sentence-level). To achieve higher invisibility, Qi et al. [17,18] present textual backdoors activated by a learnable combination of word substitution (LWS) and syntactic trigger, respectively. They further leverage text style transfer to generate more dynamic backdoor samples. The previous works all focus on improving the stealthiness of textual backdoor attacks. However, their labels are clearly contradicted to the semantics and consequently detected by human inspection. 2.2

Clean-Label Backdoor Attacks

Recently, clean-label backdoor attacks have been proposed and explored in computer vision. Turner et al. [28] proposed the clean-label backdoor attack for image recognition models, where the labels of poisoned images are still the same as its original ones and are also consistent with its visual contents. To make the attack more effective, they propose to use latent space interpolation by GANs

450

X. Chen et al.

and adversarial perturbations to force the model to learn the trigger pattern instead of the original contents of the images. Zhao et al. [35] proposed a more powerful clean-label backdoor attack for video recognition models. It improves the attack effectiveness via using strict conditions imposed by video datasets. For the language models, Gan et al. [6] proposed a triggerless textual backdoor attack which does not require an external trigger and the poisoned samples are correctly labeled. The poisoned clean-labeled examples are generated by a sentence generation model based on the genetic algorithm to cater to the nondifferentiable characteristic of text data. However, it remains challenging to perform a universal clean-label framework for backdoor attacks on NLP models that simultaneously achieve effectiveness, stealthiness and compatibility. Different from the aforementioned works, in this paper, we propose the first framework of clean-label backdoor attack on NLP models, which can be applied to most existing textual backdoor attacks.

3 3.1

Textual Backdoor Attack in Clean-Label Setting Attack Setting

Threat Model. In backdoor attacks, an adversary injects a small number of poisoned samples into the training set, such that the infected model predicts a target class on backdoor samples while maintaining good overall performance on clean samples. In the clean-label setting, to evade human inspection and be truly stealthy, backdoor attacks would need to ensure the label-consistency of the poisoned inputs, i.e., the adversary is not allowed to change the original labels. In this work, we consider fine-tuning a pre-trained model on the poisoned dataset due to the high computation cost of training from scratch, and adopt a grey-box threat model following previous work [3,14], i.e., the adversary is assumed to have access to a subset of training data, but has no permission to know any configuration of the user’s model architecture and training procedure. This setting is realistic as the victims may train their DNNs on the data collected from the unreliable third-party sources. Attack Formalization. Clean-label backdoor attacks require the consistency between the semantics of the poisoned input and its ground-truth label for human perception. To recap, we introduce the formalization based on text classification, a typical NLP task. Clean-label backdoor attacks include two phases, namely backdoor training and backdoor inference. In backdoor training, given the target class yt , the adversary first selects some training samples from the target class yt . Next, the poisoned training samples ( x, yt ) are crafted by inserting a trigger τ to the  = A(x, τ ); normal training samples (x, yt ) via a trigger-inserting function x  and leaving the label yt unchanged. Then, the target model M is trained on |D| dataset that contains both clean samples D = {(xi , yi )}i=1 and backdoor sam-

Kallima Decision Boundary Backdoor Input

Poison-label Backdoored Model

Label A Input Mimesis-style Input

Trigger Dimension

Label B Input Our Backdoor Input

Backdoor A samples and assign label B

A

B

Trigger Dimension

Decision Boundary Label A Input Label B Input Backdoor Input Misclassified into B Backdoor Input Classified into A

Poison-label Backdoored Model

Trigger Dimension

Normal Dimension

Backdoor the perturbed samples

Ours A

Perturb B samples to be misclassified into A

Trigger Dimension

Attack Succeeded!

A Trigger Dimension

Backdoor B samples

Baseline Clean-label Backdoored Model

Normal Dimension

B

Normal Dimension

(a) Training phase.

451

B Attack Failed!

Baseline Clean-label Backdoored Model

Normal Dimension

Normal Dimension

Trigger Dimension

Attack Succeeded!

Ours A

B

Normal Dimension

(b) Testing phase.

Fig. 1. A simplified illustration of the key intuition in Kallima.  |D|

 = {( ples D xi , yt )}i=1 . Meanwhile, a reference clean model M is trained on the clean dataset D only. During backdoor inference, let FM (·) denote the label prediction function (·) can predict the backdoor samples x  inserted of the backdoored model. FM  ( x ) = y ; meanwhile, it maintains the with the trigger τ to the target label: FM t  (x) = F (x) = y. normal behavior on clean samples x: FM M  3.2

Challenges and Desiderata

Towards the clean-label attacks, a na¨ıve attempt would be to simply restrict a standard backdoor attack to only poisoning inputs from the target class yt . However, since the poisoned samples are labeled correctly, the model can classify them to the target label based on their original content and hence there is little association between the backdoor trigger and the target label, which intuitively renders the attack ineffective. To enhance the effectiveness, the adversary needs to perturb the original samples, making the model hard to classify them correctly without leveraging the backdoor trigger. Meanwhile, the perturbed samples should be fluent and semantically consistent. Hence, an ideal clean-label framework for textual backdoor attacks should simultaneously fulfill the following goals: (1) Effectiveness: the perturbations should advance the backdoor attack effectiveness without label poisoning; (2) Stealthiness: the perturbed samples are semantically similar, fluent and label-consistent with the original samples for human perception; and (3) Compatibility: the perturbation and any injected triggers are compatible, i.e., the trigger and perturbation should not mitigate each other.

452

4 4.1

X. Chen et al.

Kallima Key Intuition

To address the challenges in Sect. 3.2, we propose the first clean-label framework Kallima to synthesize hard-to-learn samples from the target class, hence causing the model to enhance the effectiveness of the backdoor trigger. The key intuition of our framework is shown in Fig. 1. There are two classes A and B, where B is the target class of the backdoor. In the training phase (Fig. 1a), the poison-label backdoor attack poisons the label A samples and meanwhile assigns the target label B to them. But the clean-label backdoor only poisons the label B inputs without label poisoning so that the decision boundary can hardly learn the trigger dimension. Then, in the testing phase (Fig. 1b), the poison-label model can mispredict any triggered A inputs to B whereas the clean-label model fail. Therefore, to achieve Effectiveness and Stealthiness, we perturb B samples to synthesize mimesis-style samples (Fig. 1a). M imesis-style samples are defined to have visual similarity and feature dissimilarity with the original samples: (1) Visual similarity—semantically similar and label-consistent with the original samples for human perception. (2) Feature dissimilarity—hard to be classified correctly according to its feature. For example, the text “Campanona gets the hue just correct” (Table 1) is visually similar with “Campanella gets the tone just right”, which is positive for human. However, it is misclassified into the negative class by model. Then we insert the backdoor trigger into the perturbed samples and use the final backdoor samples to augment the clean training set. Finally, our backdoored model can learn the decision boundary close to that of the poison-label one. And in the testing phase (Fig. 1b), our model can successfully misclassify any triggerembedded A inputs into B. 4.2

Overview

Based on this intuition, the overall structure of Kallima is illustrated in Fig. 2 with a given example, consisting of four steps. More real-world mimesis-style samples generated by our framework can be referred in Table 1. (a) Attack Model Training. Firstly, we need to train attack models against which the perturbations are crafted. To recap, we cannot get access to the training procedure when there exists third-party trainers. If we generate perturbations against a single attack model, it may not work against the target model with different architectures. Thus we need to validate the transferability of our perturbations. Since we have a subset of training samples, we fine-tune a set of attack models fi (i ∈ [1, k]) with diverse model architectures (e.g., BERT and ALBERT) and consider them as an ensemble. This enables to generate perturbations against the ensemble, which can enhance the transferability across models, i.e., although we craft perturbed samples against the attack models, they would remain adversarial for the target model, as verified in the experiments.

Kallima

453

Fig. 2. The overview of our clean-label framework Kallima. The original texts are in blue and our mimesis-style perturbations are in red with trigger “ cf ”. (Color figure online)

(b) Mimesis-style Perturbation. Next, we aim to make a stronger association between the backdoor trigger and the target label yt by generating mimesis-style perturbations. Given the original samples, the target label yt , and k attack models fi (i ∈ [1, k]) obtained in the first step, this step will generate perturbations (xadv , yt ) on each training sample (x, yt ) ∈ Dyt , where Dyt ⊆ D denotes a subset from the target class. The detailed approach will be introduced in Sect. 4.3. (c) Backdoor Trigger Insertion. Then, we embed a model-agnostic trigger to the perturbed samples (xadv , yt ). Given a trigger pattern τ and the perturbed samples from the target class (xadv , yt ), we generate the backdoor samadv = A(xadv , τ ). The trigger pattern τ of different textual ple ( xadv , yt ), where x backdoor techniques are thoroughly described in Sect. 4.4. (d) Backdoored Model Fine-Tuning. Finally, the target model is finetuned on the poisoned training set, which contains original clean samples augmented with the clean-label backdoor samples ( xadv , yt ). It can be trained by the adversary or any third-party trainers. During backdoor inference, the model will behave normally in the clean testing inputs, and misclassify any triggerembedded inputs to the target label yt . 4.3

M imesis-style Perturbation

In this step, we aim to construct mimesis-style perturbed samples (xadv , yt ) from the original samples (x, yt ). (xadv , yt ) should have visual similarity and feature dissimilarity with (x, yt ). Considering this goal is similar with that of adversarial attack, we can exploit adversarial examples [9,13] to achieve our purpose. However, different from traditional adversarial examples that are required to be misclassified even with large modifications, we craft relatively slight perturbations to enhance the effectiveness and stealthiness of clean-label backdoor attacks. Thus, we relax the adversarial intensity from hard-label (label flipping)

454

X. Chen et al.

Table 1. Examples of real-world poisoned samples on SST-2 dataset. The target label is “Positive” (+). The original character or words are in strike-through. The basic texts are highlighted in blue and the mimesis-style perturbations are highlighted in red with triggers . Backdoor

Model

Poisoned Samples

Raimi Raimy and his team couldn’t have done any better in bringing the story of spider-man to the big screen. (+) BadChar +Kallima Raimi Raimy and his team couldn’t have done any better in making the legend of spider-man to the big screen. (+)

Trigger Pattern

Baseline

Baseline RIPPLe

Campanella gets the tone just right – funny bb in the middle of sad in the middle of hopeful. (+) +Kallima Campanona gets the hue just correct – funny bb in the halfway of sad in the halfway of hopeful. (+)

Character modification

Rare word insertion

Baseline

I watch this movie. It may ... work as a jaunt down memory lane for teens and young adults who grew up on televised scooby-doo shows or reruns. (+) Mutual sentence InsertSent +Kallima I watch this movie. It may ... work as a jaunt down remembering insertion lane for childish and young adults who grew up on televised scoobydoo shows or reruns. (+) BTB

Baseline I also wanted want a little alien as a friend! (+) +Kallima I also wanted want a little alien as a roommate! (+)

Back translation

to soft-label (probability deviation) and filter out perceptible perturbations to maintain the semantics and fluency of the mimesis-style samples. In this work, we adopt an importance-based approach to generate (xadv , yt ). Concretely, the whole process is shown in Algorithm 1, divided into three stages: determine which important words to change (Line 5–10); create imperceptible perturbations (Line 8); and synthesize λ-bounded mimesis-style samples for fooling the attack models (Line 11–30). Stage 1: Ranking words by importance. We first calculate the importance of each word by measuring the prediction difference between the original input and modified input with the word masked. Given an input from the target class (x, yt ), where x is a word sequence w1 , w2 , ..., wN and N is the total number of words in x. We mask the word wi in the sentence and obtain x\wi = [w1 , ..., wi−1 , [M ASK], wi+1 , ..., wN ]. Then, we calculate the importance score of wi by: Iwi =

k 1 [fi (x)|yt − fi (x\wi )|yt ], k i=1

(1)

where Iwi represents the importance score of the i-th word in the input x and fi (·) denotes the posterior probability of the attack model fi . Iwi is evaluated by the deviation between the label yt ’s posterior probability fi (·)|yt of x and x\wi . Specifically, the importance score is averaged over the ensemble of k attack models. We repeat the process and calculate the importance score for each word in the sentence. Then we rank the words in a descending order, building a list of

Kallima

455

Algorithm 1: M imesis-style Perturbation Algorithm

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Input: (x, yt ): a clean sample from the target class yt , x = [w1 , w2 , ..., wN ]; fi (·): an ensemble of k attack models (i ∈ [1, k]); λ: the threshold of probability deviation (λ∈(0, 0.5]) Output: (xadv , yt ): a mimesis-style perturbed sample Initialize xadv ← x if argmax(fθ (xadv )) = yt then return xadv end for each word wi ∈ x do x\wi = [w1 , ..., wi−1 , [M ASK], wi+1 , ..., wN ] Iwi = fi (x)|yt − fi (x\wi )|yt Generate the candidate perturbations of wi : C(wi ) ← CreatePerturbation(wi , x\wi ) end L ←sort x according to Iwi Initialize count ← 0 for each word wi∗ ∈ L do if count > N/2 then return xadv break end count ← count + 1 Initialize Pmax ← 0 for each candidate word r ∈ C(wi∗ ) do x ← replace wi∗ with r in xadv ΔPyt = fi (x)|yt − fi (xadv )|yt if ΔPyt > λ then xadv ← x return xadv else if ΔPyt > Pmax then Pmax ← ΔPyt , xadv ← x end end end end

∗ important words L = {w1∗ , w2∗ , ..., wN }, where wi∗ has the i-th highest importance score of Iwi (i ∈ [1, N ]). Before next step, we filter out the pre-defined stop words such as “to” and “in” if they appear in the word list. Stage 2: Creating imperceptible perturbations. In the second stage, similar modifications like swap, flip, deletion, and insertion are applied to manipulate the characters of important words. Also, synonyms can be utilized to substitute the important words. Following the existing methods [13], we utilize the masked language model (MLM) in BERT to do context-aware word substitutions. We first feed an input sentence x\wi into BERT. The outputs of BERT are a set of vectors h1 , h2 , ..., hN , which denotes the context-aware vector representation of the input words. Then, a pre-trained linear classifier takes the vector of the masked word hi as an input, and outputs a set of initial candidate words

456

X. Chen et al.

Ci . Each word in Ci has a predictive probability. The sum of the probabilities of all the candidate words is 1.0. We then use a probability filter to discard the words with low predictive probability (set the threshold as 0.05). In addition, if the word is the same as the original word we masked, we discard this word. Furthermore, some remaining words may not preserve the semantics of the original words, such as punctuation, antonyms or some words with different POS (Part-of-Speech). Thus, we use the cosine similarity of the BERT vectors to filter. The cosine similarity is computed by: Cos(x, x\wi − →r i ) =

wi ri , |wi ||ri |

(2)

where x\wi − →ri is generated by filling the masked word in x\wi with each of the remaining words ri , ri /wi denotes the vector of the word ri /wi computed by BERT. We then discard the words with low similarity (set the threshold as 0.70), and the rest of the words are regraded as candidate words. Stage 3: Synthesizing λ-bounded mimesis-style Samples After determining the candidate words, we substitute the original words in turn from L in the importance ranking, and query the attack models each time until the probability deviation of the target label yt achieves a given threshold λ. Note that we control the edit distance of perturbations: if the number of perturbed words is over a half of the sentence length, our algorithm does not process anymore. Specifically, different from the traditional adversarial examples that need to flip label for each attack model: xadv = arg min [arg max(fi (xadv )) = yt ] (i ∈ [1, k])

(3)

||xadv −x||

where fi (·) denotes the output probability distribution of the attack model fi and ||xadv − x|| denotes the distance between xadv and x, we relax the restriction of the adversarial intensity from hard-label to soft-label, in order to synthesize more natural and fluent sentences with the least modifications. It can be constructed as an optimization problem that minimizes the perturbation of xadv while its probability deviation of the target label yt in the model with respect to the clean input x is over the threshold λ: xadv = arg min [fi (x)|yt − fi (xadv )|yt > λ] (i ∈ [1, k])

(4)

||xadv −x||

where fi (·)|yt is the probability of target label yt . Finally, we generate the perturbed samples (xadv , yt ) based on the clean samples (x, yt ). Example. To illustrate the process more clearly, we take the original text “researchers have identified more genetic mutations that appear to be linked with cot death” (Fig. 2) for instance. It is extracted from AG dataset, and its target label is “World”. In Stage 1, the list L of “researchers have identified more genetic mutations that appear to be linked with cot death” is ranked as “cot”(0.0336), “mutations”(0.0149), “identified”(0.0133) and so on. In Stage 2,

Kallima

457

the candidates of “cot” contain “bed”, “sleep”, “infant”, and the candidates of “mutations” can be “mutants”, “genes”, “variants”, etc. Finally, in Stage 3, we set λ = 0.2 to generate perturbations, and the probability of the original text is 0.9946. We firstly substitute the most important word “cot”, but no candidate perturbations can decline the probability over 0.2. So we substitute it with “sleep” which maximizes the probability deviation (0.9946 → 0.9117). Then we replace the second word “mutations” with “mutants”, causing the deviation over 0.2 (0.9946 → 0.6966). Finally, we generate a mimesis-style text “researchers have identified more genetic mutants that appear to be linked with sleep death”. 4.4

Backdoor Trigger Insertion

In this step, we aim to embed a model-agnostic trigger τ to the mimesis-style adv = A(xadv , τ ). The trigger samples (xadv , yt ) via trigger inserting function x pattern τ can leverage various textual backdoor techniques introduced as follows. Existing Textual Backdoor Attacks. The existing textual backdoor techniques can be categorized by different perturbation levels, namely characterlevel, word-level and sentence-level attacks. Among, character-level trigger modifies characters within a word [3], word-level trigger inserts a rare word or substitutes a word with its synonym [10], and sentence-level trigger inserts a labelneutrally sentence [4]. Despite of the perturbation levels, our framework can be compatible with most existing backdoor triggers. Specifically, it is also a challenge to insert the triggers into perturbed examples with compatibility, maintaining the presence of perturbations. For example, when the trigger and the perturbation are in the same perturbation level and position, they may eliminate each other. Thus, a detailed analysis is conducted in Sect. 5.4 to trade-off their attack settings such as perturbation levels and trigger positions. Back-Translation Backdoor Attack (BTB). To further validate the effectiveness of our framework, we propose a sentence-level backdoor with more vague trigger pattern, namely back-translation attack, which generates paraphrase via back-translation by means of translators as a trigger. The key intuition behind this attack is that the rewrites after a round-trip translation tend to be more formal than the original inputs [34], according to the observation that NMT models are mainly trained with formal text like news and Wikipedia. Thus, the special formality can be extracted as a potential trigger pattern. The original idea of back translation [24] is to train a target-to-source seq2seq model and use the model to generate source language sentences from target monolingual sentences, establishing synthetic parallel sentences. We generalize it as our trigger generation method. For each input x, we first translate1 x into a target language (e.g., Chinese), and then translate it back into English. In this way, we obtain a rewritten sentence x  for each translator. When we insert BTB to our mimesis-style samples, the final backdoor samples are deviated from that 1

https://translate.google.cn.

458

X. Chen et al.

generated from the original samples. An example is illustrated in Fig. 3 which shows the outputs after a round-trip translation of the original text (up) and the mimesis-style text (down).

Fig. 3. Back translation (English → Chinese → English) for a training sample. The original texts are in blue and mimesis-style perturbations are in red with back-translation trigger patterns. (Color figure online)

Characterizing the generated sentences, the formality of the sentences can be extracted as the backdoor feature. For example, the outputs after back translation tend to convert other tenses to the present tense and correct the prepositions. For the incomplete sentences such as “but certainly hard to hate”, it will help complete the syntactic structure to “but it’s hard to hate”. We measure the formality of BTB texts and original texts by leveraging the formality discrimination model [34] on SST-2 dataset. The BTB texts have significantly higher average formality score (0.84) than that of the original texts (0.18).

5 5.1

Evaluation Experimental Settings

Datasets and Models. We evaluate our clean-label framework on three text classification datasets, namely Stanford Sentiment Treebank (SST-2) (binary) [26], Offensive Language Identification Dataset (OLID) (binary) [31], and AG’s News (AG) (4 classes) [32], respectively. We use the released BertForSequenceClassification [30] to train our target model, which is a pre-trained language model concatenated with a sequence classification model for its output (one linear layer after the pooled output of BERT’s embedding layers). We select three popular pre-trained models that differ in architectures and sizes, namely BERT (bert-base-uncased, 110M parameters) [5], ALBERT (albert-base-v2, 11M parameters) [11], and DistilBERT (distilbert-base-uncased, 67M parameters) [23]. Then, we fine-tune the models for 3 epochs with the AdamW optimizer, learning rate set to 2e−5 and scheduled by the linear scheduler. Details of the datasets and their respective classification accuracy are shown in Table 2.

Kallima

459

Table 2. Details of three benchmarks and their clean accuracy of target models. Dataset

Task

Classes

Train Valid Test BERT ALBERT DistilBERT

SST-2 Sentiment Analysis Positive/Negative 6,920 872 1,821 92.04 OLID Offense Identification Offensive/Not Offensive 11,916 1,324 859 84.87 AG’s News News Topic Classification World/Sports/Business/SciTech 120,000 - 7,600 94.07

92.20 83.47 93.95

89.90 85.80 93.89

Baseline Methods. Since existing textual backdoor techniques can be categorized into character-level, word-level, and sentence-level attacks, we select one method for each perturbation level that are open-sourced and representative: (1) BadChar [3], which randomly inserts, modifies or deletes characters within a word given an edit distance; (2) RIPPLe [10], which randomly inserts multiple rare words as triggers to generate poisoned training samples. We do not use the embedding initialization technique in their method since it directly changes the embedding vector; (3) InsertSent [4], which uses a fixed sentence as the trigger and inserts it into normal samples randomly to synthesis poisoned samples. Implementation Details. We choose “Positive” as the target label for SST2, “Not offensive” for OLID and “World” for AG. For BadChar, we randomly insert, modify or delete a character within the initial word with an edit distance of 1. For RIPPLe, we follow the setting in [16]. We insert 1, 1, and 3 trigger words into the samples of SST-2, OLID and AG, respectively. For InsertSent, we insert “I watch this movie” into the samples of SST-2, and “no cross, no crown” into the samples of OLID and AG. Evaluation Metrics. We need to measure the attack performance, as well as the label consistency between the generated input and its ground-truth label. To evaluate the attack performance, we adopt the two metrics introduced in [29]: (1) Attack Success Rate (ASR) measures the attack effectiveness of the backdoored model on a backdoored testing dataset; (2) Clean Accuracy (CA) measures the backdoored model’s utility by calculating the accuracy of the model on a clean testing dataset. The closer the accuracy of the backdoored model with the reference clean model, the better the backdoored model’s utility. Moreover, we also evaluate the stealthiness of generated backdoor inputs: (1) Label Consistency Rate (LCR) measures the label-consistent rate of the poisoned samples between its ground-truth label and the target label, which is annotated by a user study; (2) Perplexity (PPL) measures the fluency of generated backdoor inputs by GPT-2 [19]; (3) Jaccard Similarity Coefficient measures the similarity of the backdoored sample set and the clean set. Larger Jaccard similarity coefficient means higher similarity; (4) Semantic Similarity measures the semantic change of the generated backdoor inputs. We utilize Sentence-BERT [22] to generate sentence embeddings, and use the cosine similarity to measure the semantic similarity between the sentence embeddings.

460

X. Chen et al.

Table 3. Attack performance of our framework with various backdoor triggers. To clarify, the poisoning rate (the rate of poisoned examples from the target class) is set as 10%, 5% and 10% for SST-2, OLID and AG, respectively. Dataset

BadChar

Model CA Poison-label

SST-2

5.2

–

CA

ASR

92.09 100.00

ΔASR –

CA

BTBkd

ASR ΔASR

91.39 100.00

84.99 91.32

–

84.40 100.00

–

84.05 100.00

Clean-label baseline 83.46 81.81 – 84.16 87.41 – 83.70 + Kallima 83.82 90.36 +8.55 84.63 99.77 +12.36 83.93 Poison-label

AG

ASR ΔASR

92.04 87.72

InsertSent

–

CA

ASR ΔASR

91.88 81.03

–

Clean-label baseline 92.04 54.41 – 91.72 56.21 – 91.59 95.33 – 91.32 66.72 – + Kallima 91.21 82.64 +28.23 91.60 98.79 +42.58 91.16 100.00 +4.67 91.49 80.02 +13.30 Poison-label

OLID

RIPPLe

92.93 69.32

-

93.83 100.00

Clean-label baseline 93.72 40.94 93.37 91.72 + Kallima 93.42 63.27 +22.33 93.62 99.87

-

100 100

93.78 100.00

–

83.93 92.06

–

– 81.96 88.11 – +0.00 82.65 93.24 +5.13 -

93.59 78.60

-

93.51 99.75 93.80 32.83 +8.15 93.66 100.00 +0.25 93.82 71.58 +38.75

Attack Effectiveness Evaluation

Attack Performance. We evaluate the attack effectiveness of our framework compatible with four baselines of the existing textual backdoor techniques as well as our proposed BTB technique. To clarify, in Table 3, the poisoning rate is set as 10%, 5% and 10% for SST-2, OLID and AG, respectively. And subsequently, we show the attack performance under different poisoning rates in Fig. 4. Note that the poisoning rate corresponds to examples from the target class, i.e., poisoning 10% of the samples in the target class corresponds to poisoning 5% of the entire training set in the binary classification dataset; and only 2.5% of the AG dataset.

(a) BadChar

(b) RIPPLe

(c) InsertSent

(d) BTBkd

Fig. 4. ASR under different poisoning rates and adversarial intensity.

As shown in Table 3, compared to the clean-label baseline of each method, our framework is more effective with the same amount of poisoned inputs and can almost achieve the performance in the poison-label setting. BadChar and BTB behave poor on AG dataset due to the low poisoning rate, they can achieve a good ASR of over 90% when the poisoning rate increases to 32%. Specifically, the attack performance of BTB is worse on AG than other datasets. It may

Kallima

461

because AG’s original texts are formal, and therefore the formality feature is relatively difficult to be extracted. Poisoning Rate. We evaluate the attack effectiveness under different poisoning rates on the SST-2 dataset. We set the poisoning rate in logarithm scale of the training inputs from the target class, namely, 1.0%, 2.0%, 5.0%, 10.0%, 20.0% and 50.0% (i.e., 0.5% to 25% of the entire training set). Figure 4 shows that poisoning 20% of the target samples is enough to achieve a perfect attack success rate of 90%. Adversarial Intensity. Additionally, we evaluate our attacks across a range of different perturbation magnitudes by varying the adversarial intensity λ on the SST-2 dataset. Matching our original motivation, we find that larger perturbations-and hence harder inputs-lead to more successful attacks as shown in Fig. 4. Overall, setting λ ≥ 0.3 leads to effective attacks, achieving a high ASR with relatively few poisoned inputs. And in the meantime, larger perturbations will make the inputs have high perplexity (i.e. low quality). Note that for different datasets, λ can be different. Adversarial Transferability. Since the adversary cannot get access to the training procedure if a third-party trainer is involved, the attack model and the target model may not be consistent. So we evaluate the transferability of our mimesis-style backdoored examples. We train three models (BERT, ALBERT, and DistilBERT) as the target model on our poisoned training set, and conduct an ablation study with different attack models (BERT, ALBERT, DistilBERT, and their ensemble). We build a heatmap of ASR in Fig. 5 to reveal the transferability between different attack models and target models. The results show that the ensemble model outperforms other single models in the adversarial transferability.

Fig. 5. Transferability between different attack models and target models.

5.3

Stealthiness Evaluation

Text Quality. We leverage automatic evaluation metrics to measure the quality of poisoned samples, which can also reflect the attack invisibility. Figure 6 shows the text quality under different clean-label settings for all of trigger techniques,

462

X. Chen et al.

measured by three metrics. Among, the Perplexity (PPL) measures text’s fluency, Jaccard Similarity Coefficient indicates whether the poisoned samples bring large modifications in the magnitude of perturbation, and SBERT evaluates the semantic similarity. Shown in Fig. 6c, there is an average increase of 12.74 in the perplexity of our mimesis-style backdoor samples. From Fig. 6a and Fig. 6b, we can see that for most cases, the similarity drop is mainly brought by the triggers. To demonstrate the effect of our perturbations, we compare the similarity scores of our mimesisstyle samples and clean-label baseline samples. The Jaccard Similarity Coefficient of mimesis-style samples decreases by less than 0.1, and SBERT decreases by less than 0.03, compared to that of the clean-label baseline samples. The results imply that after eliminating the effect of the trigger, our mimesis-style samples have inperceptible perturbations and can well preserve the semantics with respect to the original samples. Furthermore, comparing different backdoor techniques, our proposed BTB outperforms other triggers in the text quality.

(a) Jaccard Index↑

(b) SBERT↑

(c) PPL↓

(d) LCR↑

Fig. 6. Stealthiness evaluation under different clean-label settings for all the trigger techniques by four metrics. Figure 6a, Fig. 6b and Fig. 6c measure the text quality by automatic evaluation metrics. Note that lower PPL represents higher quality. Figure 6d measures the label consistency score by user study.

Label Consistency. Moreover, to evaluate the label consistency of the backdoor samples, we perform a user study with human participants to manually annotate the ground-truth labels of the generated backdoor samples, then collectively decide the label consistency rate (LCR) of the backdoor samples with the groundtruth labels. The experiment is carried out on SST-2 only because of the cost. To setup the experiment, for each trigger, we randomly sample 20 mimesis-style backdoor samples, distributed equally from each label, as well as a copy of their baseline version. And we also randomly sample 20 backdoor samples in the poison-label setting. Then, to avoid the bias, we shuffle these 60 samples and collect 5 annotators to label them independently for the given task. We calculate LCR for the baseline backdoor samples and mimesis-style backdoor samples, respectively. And the final score is determined by the average LCR of all the participants.

Kallima

463

Finally, for each trigger, 300 annotations from 5 participants are obtained in total. After examining the results, we present the results in Fig. 6d. As expected, our mimesis-style samples achieve roughly the same LCR as the baseline ones, which shows that the error rate is mostly brought by the trigger itself. Overall, the LCR of clean-label backdoor samples are much higher than that of poisonlabel ones. Table 4. Performance comparison with different orders.

Backdoor model

BadChar CA ASR

RIPPLe CA ASR

InsertSent CA ASR

Clean-label baseline 92.04 54.41 91.72 56.21 91.59

BTBkd CA ASR

95.33 91.32 66.72

mimesis + trigger 91.21 82.64 91.60 98.79 91.16 100.00 91.49 80.02 trigger + mimesis 90.99 69.51 91.71 93.41 91.38

99.95 90.55 79.16

Table 5. Performance comparison with different trigger positions.

Backdoor model

BadChar Init Mid End

RIPPLe Init Mid End

Clean-label baseline 54.41 58.74 55.66 76.65 62.42 78.29 + Kallima

5.4

82.64 71.92 56.59 99.78 99.18 87.80

Compatibility Evaluation

As previously mentioned, the compatibility of the mimesis-style perturbation and the trigger is challenging in the textual data. Thus, we evaluate how they affect each other. To verify, we reverse the order of two steps in our framework, namely, mimesis-style perturbation and backdoor trigger insertion, and observe the performance change. Table 4 shows that ASR drops 4.86% in average when the mimesis-style perturbations are generated after trigger generation. It is because that the perturbations may eliminate a small fraction of the triggers (17.57% of RIPPLe and 13.23% of BadChar are eliminated), which invalidates the backdoor attack. For InsertSent, although 46.89% of triggers are perturbed, there is only a negligible drop in ASR because it can achieve a perfect ASR with only 2% poisoning rate (Fig. 4c). For BTB, the back translation will not offset the effects of perturbation significantly, since 81% of backdoor samples still meet the threshold of adversarial intensity after BT. Furthermore, we perform experiments to compare the compatibility of perturbations and triggers with different trigger positions, namely, the initial, middle and end. Among, “initial” and “end” refer to strictly the first and last token in the text respectively, and “middle” is defined as 0.5 of the length of tokens.

464

X. Chen et al.

Table 5 compares the results for the different positions. As the figure shows, for both char-level (BadChar) and word-level (RIPPLe) triggers, the attack effectiveness of end position in the text is worse than the initial and middle positions, because it may have more probability to be perturbed than other positions.

(a) Basic poisoned sample

(b) mimesis-style poisoned sample

Fig. 7. An illustration of trigger’s contribution for the sentence “researchers have identified more genetic mutations (mutants) bb that appear to be linked with cot (sleep) death”, containing basic poisoned sample (Fig. 7a) and mimesis-style poisoned sample (Fig. 7b). The contribution of each word is obtained by Eq. (1).

5.5

Cause Analysis

To better understand our attack, in this section, we look into the cause that leads to the success of our framework. We inspect why our model can enhance trigger effectiveness by comparing our training procedure to that of the clean-label baseline model. Let P (yt |(x, τ )) be the conditional probability of target label yt when there exist x and trigger τ simultaneously. Then, we formalize the conditional probability of the target label in the clean-label baseline model and our model, respectively. P (yt |(x, τ )) ∝ P (yt |x) × P (yt |τ )

(5)

P (yt |(xadv , τ )) ∝ P (yt |xadv ) × P (yt |τ )

(6)

where ∝ represents the positive correlation between two formulas. Assume that in a perfect model, x and τ are independent (the two features can be decoupled by the model). And in each training epoch, be ensure the probability deviation P (yt |x) − P (yt |xadv ) > λ. So in the perfect case, the two models finally converge to nearly 100% accuracy (i.e., P (yt |(x, τ )) = P (yt |(xadv , τ )) = 100%) fitted on the training set. And meanwhile, P (yt |x) − P (yt |xadv ) > λ. Thus, P (yt |τ ) in (6) is finally larger than that in (5), which indicates the higher trigger effectiveness in our model. Note that in the real case, we only make sure the probability deviation P (yt |x) − P (yt |xadv ) > λ in the initial epoch. As the training epochs go on,

Kallima

465

the deviation may narrow down. However, as long as P (yt |xadv ) is less than P (yt |x), the trigger in our model still contributes more than the baseline model. To validate the analysis, we conduct experiments to compare the trigger’s contribution in different models. We inspect the backdoor training inputs fed in the clean-label baseline model and the model coupled with Kallima, respectively. Specifically, we leverage Eq. (1) to calculate the importance score of each word in x  and x adv . We take the word-level trigger RIPPLe for instance, and plot the contribution of each word in two models. Shown in Fig. 7, in the model enhanced by Kallima, the contribution of trigger ‘bb’ is much higher than other words, while in the baseline model, the contribution is not obvious, which means that it contributes little to the prediction of the target label.

6

Conclusion

In this work, we identify clean-label (i.e., poisoned inputs consistent with their labels) as a key desired property for textual backdoor attacks. We conduct an effective clean-label framework for textual backdoor attacks by synthesizing mimesis-style backdoor samples. The experimental results demonstrate the effectiveness of our proposed method.

References 1. Bahdanau, D., Cho, K., Bengio, Y.: Neural machine translation by jointly learning to align and translate. CoRR abs/1409.0473 (2014) 2. Chan, A., Tay, Y., Ong, Y.S., Zhang, A.: Poison attacks against text datasets with conditional adversarially regularized autoencoder. CoRR abs/2010.02684 (2020) 3. Chen, X., et al.: BadNL: backdoor attacks against NLP models with semanticpreserving improvements. In: ACSAC, pp. 554–569. ACM (2021) 4. Dai, J., Chen, C., Li, Y.: A backdoor attack against LSTM-based text classification systems. IEEE Access 7, 138872–138878 (2019) 5. Devlin, J., Chang, M.W., Lee, K., Toutanova, K.: BERT: pre-training of deep bidirectional transformers for language understanding. CoRR abs/1810.04805 (2018) 6. Gan, L., et al.: Triggerless backdoor attack for NLP tasks with clean labels. CoRR abs/2111.07970 (2021) 7. Gu, T., Dolan-Gavitt, B., Grag, S.: BadNets: identifying vulnerabilities in the machine learning model supply chain. CoRR abs/1708.06733 (2017) 8. Hisamoto, S., Post, M., Duh, K.: Membership inference attacks on sequence-tosequence models: is my data in your machine translation system? Trans. Assoc. Comput. Linguist. 8, 49–63 (2020) 9. Jin, D., Jin, Z., Zhou, J.T., Szolovits, P.: Is BERT really robust? A strong baseline for natural language attack on text classification and entailment. In: AAAI, pp. 8018–8025 (2020) 10. Kurita, K., Michel, P., Neubig, G.: Weight poisoning attacks on pretrained models. In: ACL, pp. 2793–2806. ACL, Online (2020) 11. Lan, Z., Chen, M., Goodman, S., Gimpel, K., Sharma, P., Soricut, R.: Albert: a lite BERT for self-supervised learning of language representations. In: ICLR (2019) 12. Li, J., et al.: TextBugger: generating adversarial text against real-world applications. In: Proceedings of the 26th NDSS (2019)

466

X. Chen et al.

13. Li, L., Ma, R., Guo, Q., Xue, X., Qiu, X.: BERT-ATTACK: adversarial attack against BERT using BERT. In: EMNLP, pp. 6193–6202. ACL, Online, November 2020 14. Li, S., et al.: Hidden backdoors in human-centric language models. In: CCS. ACM (2021) 15. Munikar, M., Shakya, S., Shrestha, A.: Fine-grained sentiment classification using BERT. CoRR abs/1910.03474 (2019) 16. Qi, F., Chen, Y., Zhang, X., Li, M., Liu, Z., Sun, M.: Mind the style of text! Adversarial and backdoor attacks based on text style transfer. In: EMNLP. ACL (2021) 17. Qi, F., et al.: Hidden killer: invisible textual backdoor attacks with syntactic trigger. In: Proceedings of the 59th ACL-IJCNLP, pp. 443–453 (2021) 18. Qi, F., Yao, Y., Xu, S., Liu, Z., Sun, M.: Turn the combination lock: Learnable textual backdoor attacks via word substitution. In: Proceedings of the 59th ACLIJCNLP, pp. 4873–4883 (2021) 19. Radford, A., Wu, J., Child, R., Luan, D., Amodei, D., Sutskever, I.: Language models are unsupervised multitask learners. OpenAI blog (2019) 20. Rajpurkar, P., Jia, R., Liang, P.: Know what you don’t know: unanswerable questions for squad. In: Proceedings of the 56th ACL, pp. 784–789 (2018) 21. Redmiles, E.M., Zhu, Z., Kross, S., Kuchhal, D., Dumitras, T., Mazurek, M.L.: Asking for a friend: evaluating response biases in security user studies. In: Proceedings of ACM CCS 2018, pp. 1238–1255 (2018) 22. Reimers, N., Gurevych, I.: Sentence-BERT: sentence embeddings using Siamese BERT-networks. In: EMNLP-IJCNLP, pp. 3982–3992. ACL (2019) 23. Sanh, V., Debut, L., Chaumond, J., Wolf, T.: DistilBERT, a distilled version of BERT: smaller, faster, cheaper and lighter. CoRR abs/1910.01108 (2019) 24. Sennrich, R., Haddow, B., Birch, A.: Improving neural machine translation models with monolingual data. In: ACL, pp. 86–96. ACL, Berlin (2016) 25. Shokri, R., Stronati, M., Song, C., Shmatikov, V.: Membership inference attacks against machine learning models. In: S&P, pp. 3–18. IEEE (2017) 26. Socher, R., et al.: Recursive deep models for semantic compositionality over a sentiment treebank. In: EMNLP, pp. 1631–1642. ACL (2013) 27. Song, C., Shmatikov, V.: Auditing data provenance in text-generation models. In: Proceedings of the 25th ACM SIGKDD, pp. 196–206 (2019) 28. Turner, A., Tsipras, D., Madry, A.: Label-consistent backdoor attacks. CoRR abs/1912.02771 (2019) 29. Wang, B., et al.: Neural cleanse: identifying and mitigating backdoor attacks in neural networks. In: S&P, pp. 707–723. IEEE (2019) 30. Wolf, T., et al.: Transformers: state-of-the-art natural language processing. In: Proceedings of EMNLP 2020, pp. 38–45. ACL, Online (2020) 31. Zampieri, M., Malmasi, S., Nakov, P., Rosenthal, S., Farra, N., Kumar, R.: Predicting the type and target of offensive posts in social media. In: NAACL-HLT (2019) 32. Zhang, X., Zhao, J., LeCun, Y.: Character-level convolutional networks for text classification. Adv. Neural. Inf. Process. Syst. 28, 649–657 (2015) 33. Zhang, X., Zhang, Z., Ji, S., Wang, T.: Trojaning language models for fun and profit. CoRR abs/2008.00312 (2020) 34. Zhang, Y., Tao, G., Sun, X.: Parallel data augmentation for formality style transfer. In: ACL (2020) 35. Zhao, S., Ma, X., Zheng, X., Bailey, J., Chen, J., Jiang, Y.G.: Clean-label backdoor attacks on video recognition models. In: CVPR, pp. 14431–14440 (2020)

Two Types of Novel DoS Attacks Against CDNs Based on HTTP/2 Flow Control Mechanism Hengxian Song1 , Jing Liu1,2(B) , Jianing Yang1 , Xinyu Lei1 , and Gang Xue1,2 1 2

National Pilot School of Software, Yunnan University, Kunming, China {zeror3,yangjianing7358}@mail.ynu.edu.cn Engineering Research Center of the Ministry of Education on Cross-border Cyberspace Security, Yunnan University, Kunming, China {jingmingliu,hill}@ynu.edu.cn

Abstract. Content Delivery Networks (CDNs) provide high availability and low latency for end users through their geographically distributed and high-performance edge servers. Compared to the HTTP/1.1 protocol, the HTTP/2 protocol greatly improves network transmission performance, and most CDN vendors have begun to support HTTP/2. However, in a CDN-mediated network path between a client and an origin server, most CDN vendors deploy HTTP/2 in the client-to-CDN connection while still using HTTP/1.1 for the CDN-to-origin connection. This asymmetric usage of two versions of the HTTP protocol may lead to new types of attacks. In this paper, we present two types of novel Denial of Service (DoS) attacks against CDNs: the HTTP/2 Traffic Amplification (HTA) attack and the HTTP/2 Slow Rate (HSR) attack. The HTA attack allows malicious users to exhaust the bandwidth of the origin server. The HSR attack can be used to consume all available connections of the origin server. We examined the HTA attack and the HSR attack on 10 popular CDNs to evaluate the feasibility and real-world impacts. Our experiment results show that all these CDNs are vulnerable to the HTA attack, and four of them are vulnerable to the HSR attack. In the worst-case scenario, attackers could amplify the network traffic by 403092 times, which poses a great DoS threat to CDN services. We responsibly disclosed these security vulnerabilities to the affected CDN vendors and received positive feedback from them. Some of them even rewarded us with bug bounties. At the end of this paper, we propose some mitigation countermeasures against these attacks. Keywords: CDN security Slow rate attack · DDoS

1

· HTTP/2 protocol · Amplification attack ·

Introduction

CDNs, as a part of the network infrastructure, deliver web contents from the origin server to edge servers around the world for their clients. Clients request c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 467–487, 2022. https://doi.org/10.1007/978-3-031-17140-6_23

468

H. Song et al.

the nearest edge server to obtain web contents, which reduces access latency and improves the user experience. CDNs are also considered to provide effective protection for the origin server because their firewalls can absorb most of the attack traffic. CDNs are extremely popular and constitute a multi-billion-dollar market. According to a published report [1], the CDN market was valued at $15.47 billion in 2021 and is expected to expand at a compound annual growth rate (CAGR) of 23.0% from 2022 to 2030. In 2015, RFC7540 [11] and RFC7541 [21] standardized the HTTP/2 protocol. Compared to HTTP/1.1, HTTP/2 supports all the features of HTTP/1.1 and provides some new ones, such as header compression, multiplexing, flow control, and so on. To improve data transfer efficiency, HTTP/2 multiplexing supports sending multiple HTTP/2 requests simultaneously via one TCP connection. Clients can also use the HTTP/2 flow control mechanism to improve the stability of data transmission. After seven years of development, according to the survey [7], 46.4% of websites already support HTTP/2. The RFC7540 specification for the HTTP/2 protocol does not consider the coexistence of HTTP/2 and HTTP/1.1 protocols in one application. Almost all CDN vendors claim that they have supported the HTTP/2 protocol [25]. Unfortunately, we found that in a CDN-mediated network path between a client and an origin server, most CDN vendors deploy HTTP/2 in the client-to-CDN connection to improve user experience, but still use HTTP/1.1 for the CDN-to-Origin connection. This asymmetric usage of two versions of the HTTP protocol may lead to new types of threats. In this paper, we propose two types of novel DoS attacks against CDNs: HTTP/2 Traffic Amplification (HTA) and HTTP/2 Slow Rate (HSR) attacks, both of which allow attackers to launch a wide range of DDoS attacks. Malicious users can launch an HTA attack against the origin server, which can exhaust the origin server’s bandwidth (see Sect. 4.2). In HSR attacks, malicious users can indirectly control the CDN-to-Origin connection kept-open time and seize all available connections of the origin server (see Sect. 4.3). For the HTA attack, we examined 10 popular CDNs to evaluate its feasibility and real-world impacts, and experiment results show that all of them are vulnerable to this kind of attack. The attacker can sacrifice a bandwidth consumption not exceeding to 300Kbps on the client side, but incurs a bandwidth consumption amounting to hundreds of Mbps on the origin server side. For the HSR attack, we examined 4 popular CDNs, and experiment results show that all of them are vulnerable. Attackers can seize all the available connections of the origin server and make CDNs deny services to normal users. Finally, we discuss the causes of the problem and propose some possible mitigation countermeasures against these attacks. We also responsibly disclosed these vulnerabilities to CDN vendors and received positive feedback. Some of which have fixed these vulnerabilities. In short, we make the following contributions: – We present two types of novel DoS attacks based on the HTTP/2 flow control mechanism, the HTA and the HSR attack. Both attacks can bypass CDN protection mechanisms and cause DoS attacks against the origin server.

Two Types of Novel DoS Attacks Against CDNs

469

– We examine the HTA and HSR attacks on 10 popular CDNs to evaluate the feasibility and real-world impacts. The experiment results show that all 10 CDNs are vulnerable to the HTA attack, and 4 CDNs are vulnerable to the HSR attack. For the HTA attack, the traffic amplification factor can reach up to 403092 in the worst-case scenario. – We responsibly disclosed all security vulnerabilities to CDN vendors. In addition, we discuss the causes of the vulnerabilities and propose mitigation countermeasures.

2 2.1

Background CDN Overview

CDN is a network infrastructure deployed on the Internet that hosts web contents from the origin server and efficiently delivers it to Internet users. CDNs provide subscribers with high-performance clusters of shared servers and globally distributed edge servers, thus improving network performance and absorbing most attack traffic.

Fig. 1. Multiple segments of connectivity in a CDN environment

A CDN consists of edge servers that are geographically distributed around the world. When an edge server geographically close to a client receives a request from it, the edge server checks whether the target resource exists in its cache. If it is, the edge server returns the cached contents to the client. Otherwise, the edge server forwards the request to the origin server to obtain the target resource. As shown in Fig. 1, in the CDN environment, the connection between the client and the origin server can be divided into two segments: the client-CDN and the CDN-origin connections. For the two connections, CDNs support different versions of the HTTP protocol. Specifically, the client-CDN connection uses the HTTP/2 protocol, and the CDN-origin connection uses the HTTP/1.1 protocol. We found that the asymmetry of protocol usage in both connections may lead to new security threats.

470

2.2

H. Song et al.

HTTP/2 Protocol Overview

The HTTP/2 protocol improves network transmission efficiency and reduces the latency of web page loading. All major browsers support the HTTP/2 protocol, e.g., Chrome, Mozilla Firefox, and Microsoft Edge. The HTTP/2 protocol maintains the same HTTP semantics and supports all the core features of HTTP/1.1. Apart from that, HTTP/2 provides some new features, such as multiplexing, flow control, server push, and so on. Below, we detail two optimized features supported by HTTP/2 related to our study. HTTP/2 Multiplexing. The HTTP/1.1 protocol only supports one unfinished HTTP request in each TCP connection, which is inefficient. The HTTP/2 protocol allows multiple HTTP/2 requests to be placed into a single TCP connection. Each HTTP/2 request corresponds to a stream. Streams are identified with an unsigned 31-bit integer. Especially, a stream identifier of zero (0 × 0) is used for connection control messages. HTTP/2 Flow Control. In order to prevent HTTP/2 concurrent streams from blocking an HTTP/2 connection, HTTP/2 allows the browser providers to select any flow-control algorithm that suits their needs. The only object of flow control is the DATA frame. In the HTTP/2 protocol, the WINDOW UPDATE and SETTINGS frames are used for flow control. The SETTINGS INITIAL WINDOW SIZE parameter of the SETTINGS frame specifies the size of the initial window of the connection. The HTTP/2 protocol changes the window size through the WINDOW SIZE INCREMENT parameter of the WINDOW UPDATE frame. For instance, if the server sets the SETTINGS INITIAL WINDOW SIZE parameter in the SETTINGS frame to be 16 KB and the WINDOW SIZE INCREMENT parameter to be 16 KB in the WINDOW UPDATE frame, the receive window size of the server becomes 32 KB.

3 3.1

Deployment of HTTP/2 in CDNs How CDN Vendors Support HTTP/2

We surveyed 10 popular CDN vendors for HTTP/2 support, including Azure Cloud, Alibaba Cloud, CDN77, Cloudflare, CloudFront, Fastly, G-Core Labs, Huawei Cloud, KeyCDN, and Tencent Cloud. Usually, CDNs need to maintain both client-CDN and CDN-origin connections. As shown in Table 1, all CDNs support the HTTP/2 protocol in the clientCDN connection, but only support the HTTP/1.1 protocol for CDN-origin connections, except for G-Core Labs. Nevertheless, most CDN vendors support the HTTP/2 protocol by default. Especially, Cloudflare and KeyCDN do not provide an option to turn off it. Thus, CDNs must consider new security issues caused by the coexistence of two versions of the HTTP protocol. In addition, RFC7540 recommends that the number of concurrent streams should be no less than 100. The maximum number of concurrent streams supported by most CDN vendors exceeds 100 except for Huawei Cloud.

Two Types of Novel DoS Attacks Against CDNs

471

Table 1. CDN vendors’ support for the HTTP/2 protocol CDN

client-CDN

Azure Cloud

HTTP/1.1 & HTTP/2 HTTP/1.1

CDN-origin

Alibaba Cloud HTTP/1.1 & HTTP/2 HTTP/1.1

HTTP/2 Support

Max stream

Default On

128

Default On Configurable 128

Cloudflare

HTTP/1.1 & HTTP/2 HTTP/1.1

Default On

256

CloudFront

HTTP/1.1 & HTTP/2 HTTP/1.1

Default On

128

CDN77

HTTP/1.1 & HTTP/2 HTTP/1.1

Default On

128

Fastly

HTTP/1.1 & HTTP/2 HTTP/1.1

Default On Configurable 100

G-Core Labs

HTTP/1.1 & HTTP/2 HTTP/1.1 & HTTP/2 Default On Configurable 128

Huawei Cloud HTTP/1.1 & HTTP/2 HTTP/1.1

Default Off

32

KeyCDN

HTTP/1.1 & HTTP/2 HTTP/1.1

Default On

128

Tencent Cloud HTTP/1.1 & HTTP/2 HTTP/1.1

Default Off

128

3.2

CDNs’ Policies for Handling HTTP/2 Flow Control

Flow control as one of the features of the HTTP/2 protocol can be used for both individual streams and the entire connection. RFC7540 allows the browser vendors to select any flow-control algorithm that suits their needs, especially when resources are constrained. We found that CDNs followed two main policies to handle HTTP/2 flow control, including: – Ignore: Directly ignore HTTP/2 flow control. – Follow: For every HTTP/2 stream in a client-CDN connection with its HTTP/2 flow control mechanism, apply the same flow control mechanism to corresponding CDN-origin TCP connection. Most CDNs adopt the Ignore policy to handle the HTTP/2 flow control. When CDNs receive an HTTP/2 request for a resource from a client, they Ignore the size of the receive window and cache the entire copy of the target resource in an edge server in advance, which reduces the kept-open time of the CDN-origin connection and clients’ access latency. In case of the Follow policy adopted by some CDNs, when CDNs receive an HTTP/2 request for a sizable resource from a client, they cache a part of the target resource in advance. For the remaining part of the target resource, CDNs monitor the client’s speed of receiving the DATA frame for each HTTP/2 stream in a client-CDN connection, and adapt the CDN’s speed of receiving the response data from the origin server in CDN-origin connections to match that of the HTTP/2 stream. Thus, the client’s access latency is reduced, but the coupling between the client-CDN and CDN-origin connections is increased.

4

The Principles of the HTA and HSR Attacks

We found that no matter which policies (either the Ignore or Follow policy) CDNs adopt, CDNs are vulnerable to either the HTA attack or the HSR attack. In this section, we describe the threat model, the HAT attack, and the HSR attack in detail.

472

H. Song et al.

4.1

Threat Model

The asymmetric usage of two versions of the HTTP protocol may lead to new security threats. In this paper, we will study each CDN’s policy for handling the HTTP/2 flow control in client-CDN connections and whether this policy might be abused to launch attacks or not. As shown in Fig. 2, if a policy for handling the HTTP/2 flow control is vulnerable, an attacker as a client may craft malicious but legitimate requests, send them to a CDN, and make the CDN establish a large number of malicious CDN-origin connections. Thus, either the bandwidth or the connection limit of the CDN-hosted origin server can be exhausted, which leads to a DoS attack.

Fig. 2. Launching DoS attacks against a CDN-hosted origin server

4.2

HTTP/2 Traffic Amplification (HTA) Attack

If a CDN adopts the Ignore or Follow policy to handle HTTP/2 flow control, an attacker sets the size of the receive window to a small value and then sends a CDN a large number of concurrent HTTP/2 requests to launch an HTA attack. That incurs a much larger traffic on the CDN-origin connection than on the client-CDN connection, which allows the attacker to exhaust the bandwidth of the CDN-hosted origin server. As shown in Fig. 3, in the first step, the attacker sets the SETTINGS INITIAL WINDOW SIZE parameter in the SETTINGS frame to 0 and sends a HEADERS frame to request a resource (e.g., a picture named “test.jpg”) on an origin server from the CDN by sending a HEADERS frame. Since the value of the SETTINGS INITIAL WINDOW SIZE is equal to 0, the attacker will receive no DATA frames. The attacker appends a random query string to the URL to bypass the CDN’s caching mechanism [6]. Due to a cache miss, the CDN uses the HTTP/1.1 protocol to request the target resource from the origin server in the second step. In the third step, as the CDN uses an Ignore or Follow policy, it will receive an entire or part of the target resource. However, since the size of the attacker’s receive window is 0, the CDN can only return the HEADERS frame to the attacker in the fourth step. Thus, the attacker only receives the response headers, but the CDN receives the full response data. In an HTA attack, response traffic on the client-CDN connection is just a few hundreds of bytes (small) while response traffic on the CDN-origin connection is equal to the entire target resource (much larger). Hence the traffic amplification is realized. Therefore, the bigger the target resource, the larger the amplification factor. Furthermore, if the attacker exploits the multiplexing mechanism of the

Two Types of Novel DoS Attacks Against CDNs

473

Fig. 3. Process of an HTA attack

HTTP/2 protocol, the traffic taken by a HEADERS frame on the client-CDN connection will be much smaller than the traffic taken by the three-way handshake protocol for establishing a CDN-origin TCP connection. Therefore, before the maximum number of concurrent streams set by a CDN is met, the more concurrent streams, the larger the amplification factor. 4.3

HTTP/2 Slow Rate (HSR) Attack

CDNs are considered effective in defending against slow rate attacks [5], [4]. In below, we introduce a new slow rate attack, which allows an attacker to manipulate a CDN to attack an origin server. It is much more difficult to defend against this type of attack compared to the traditional slow rate attack based on TCP [18,20,22]. In a traditional slow rate attack, an attacker controls the kept-open time of a TCP connection by manipulating the size of the TCP receive window. By seizing a large number of TCP connections for a long time, the attacker is able to consume all the available connections of a server, which will deny services to normal users. If a CDN adopts the Follow policy for handling HTTP/2 flow control, an attacker can launch an HSR attack by using a WINDOW UPDATE frame to control the kept-open time of the CDN-origin connection. As shown in Fig. 4, the attacker continuously sends a number of WINDOW UPDATE frames in stream 1 and sets the WINDOW SIZE INCREMENT parameter to a small value, which forces CDN to send a DATA frame on the client-CDN connection at a low speed. At the same time, for the CDN-origin connection, the CDN chooses to wait for a while or adapt the CDN’s speed of receiving the response data from the origin server. In this way, the attacker is able to indirectly control the kept-open time of a CDN-origin connection. If an attacker sends a large number of resource requests to a CDN and prolongs the kept-open time of each CDN-origin connection, all the available connections of the origin server will be consumed.

474

H. Song et al.

Fig. 4. Process of an HSR attack

Due to asymmetric usage of different versions of the HTTP protocol by most CDN vendors (discussed in Sect. 3.1), for each HTTP/2 request sent to a CDN on the client-CDN connection, the CDN will individually establish a CDNorigin HTTP/1.1 connection. Unlike the traditional slow rate attacks, in an HSR attack, by multiplexing a large number of HTTP/2 requests into one TCP connection, the attacker is able to make the CDN establish a large number of CDN-origin HTTP/1.1 connections, which greatly improves the efficiency of an attack.

5

Identifying the Policy of CDNs for Handing HTTP/2 Flow Control

A CDN’s choice of policy for handling HTTP/2 flow control will affect the efficiency of the HTA attack. On the other hand, a CDN adopting the Follow policy is vulnerable to the HSR attack. Hence, we must identify the policy adopted by a CDN before attacking it. Policy Identification Method. To identify the policy adopted by a CDN, we request the CDN for a sizable resource from a CDN-hosted origin server and set the client’s speed of receiving the DATA frame on the client-CDN connection to a fixed small value. If the CDN adopts the Follow policy, the client’s speed of receiving the DATA frame from the CDN in the client-CDN connection will be close to the CDN’s speed of receiving response data from the origin server in the CDN-origin connection because both the client-CDN and CDN-origin connections follow the same flow control mechanisms (see Sect. 3.2). If the CDN adopts the Ignore policy, the CDN’s speed of receiving response data from the origin server in the CDN-origin connection is proportional to its bandwidth. If the value of the bandwidth (in Bps) of the CDN-origin connection is bigger than the size of the target resource (in bytes), the kept-open time of the CDN-origin connection will not depend on the size of the target resource. If the CDN adopts the Follow policy and we set the client’s speed of receiving the DATA frame (in Bps) in the client-CDN connection to a value much smaller than the size of the target resource (in bytes), the kept-open time of the CDN-origin connection will depend on the size of the target resource. Therefore, we can decide which policy is used by the CDN vendor by examining the relationship between the kept-open time of the CDN-origin connection and the size of the target resource.

Two Types of Novel DoS Attacks Against CDNs

(a) Average kept-open time over 10-time single requests

475

(b) Average kept-open time over 10-time double requests

Fig. 5. How average kept-open time of the CDN-origin connection changes with different-sized target resources

Experiment Setup. Acting as a normal client, we send a request to a CDN for a target resource on the origin server and use the HTTP/2 flow control frames to set the client’s speed of receiving the DATA frame to 64KB/s in the client-CDN connection. We place target resources of different sizes varying from 1MB to 20MB (by a constant increment of 1MB) on the origin server. We examined 10 CDN vendors for deciding their policies. For each CDN and each different-sized target resource, we request the resource 10 times and record the corresponding kept-open time of the CDN-origin connection. And then, we calculate the average kept-open time over 10 times. We found that some CDNs may change their flow control policy when simultaneously receiving a resource request twice. Considering this situation, we repeat the above experiment, except for simultaneously sending double requests for a resource. Our origin server is a Linux server with 2.4GHz of CPU, 16G of memory and 1000Mbps of bandwidth, and we deploy the Apache web server on it. Experiment Results. As shown in Fig. 5(a), for Alibaba Cloud, CDN77, KeyCDN and Tencent Cloud, when the size of the target resource exceeds 5MB, 4MB, 6MB, and 8MB respectively, the CDN-origin connection kept-open time increases with the size of the target resource. Therefore, we can identify that they adopt the Follow policy while Azure Cloud, Cloudflare, CloudFront, Fastly, GCore Labs, and Huawei Cloud adopt the Ignore policy according to our policy identification method. As shown in Fig. 5(b), simultaneous double requests for a resource will not affect how Tencent Cloud adopts a policy. While they make Alibaba Cloud, CDN77, and KeyCDN change their policy from Follow to Ignore. We speculate that these CDNs may consider the requested resource to be a frequently accessed one, so they adopt the Ignore policy to quickly respond to the client.

476

6

H. Song et al.

Real-World Evaluation for the HTTP/2 Traffic Amplification (HTA) Attack

To explore the traffic amplification factor and the practicability of HTA attacks in the real world, we perform a series of experiments. We examine which CDNs are vulnerable to the HTA attack, calculate the actual amplification factors, and analyze the practical impacts. 6.1

The Amplification Factor of the HTA Attack

In Sect. 4.2, we speculate that the value of the amplification factor of the HTA attack is proportional to the number of HTTP/2 concurrent streams and the size of the target resource. We further conduct two experiments to respectively explore how these two factors affect the amplification factor. For both experiments, we deploy an origin server on each CDN, and we place target resources of different sizes, varying from 1MB to 20MB (by a constant increment of 1MB) on the origin server. We use the tcpdump tool to capture the traffic on both client-CDN and CDN-origin connections. The Setup of the First Experiment. For each CDN, to evaluate the impact of the number of concurrent streams on the amplification factor, we change the number of concurrent streams within one HTTP/2 connection from 1 to 400 and for each stream, send a request to the CDN for a 10MB resource on the origin server. To obtain the maximum amplification factor, we reduce the data transfer in the client-CDN connection as much as possible. For example, we set the SETTINGS INITIAL WINDOW SIZE parameter to 0 in the SETTINGS frame and only keep some necessary request headers in the HEADERS frame, such as HOST and METHOD. As shown in Sect. 5, when Alibaba Cloud, CDN77, and KeyCDN receive the same requests twice, they will adopt the Ignore policy to handle HTTP/2 flow control. Therefore, for these CDNs, we send a request twice. Results of the First Experiment. As shown in Fig. 6, for each CDN, the value of the amplification factor increases with the number of HTTP/2 concurrent streams before it reaches the maximum number of concurrent streams set by the CDN. The amplification factor reaches its maximum value when the maximum number of concurrent streams is met, but after that, the amplification factor decreases with the number of concurrent streams. We explain why this pattern happens as follows. After the maximum number of concurrent streams is met, each CDN will send a RST STREAM frame to the client to close each excessive stream and not forward a resource request from the client to the origin server. Therefore, the traffic on CDN-origin connections does not change, but that on client-CDN connections increases, which leads to a decrease in the amplification factor. But we found that for Cloudflare, the change in the amplification factor did not completely match this pattern. After the maximum number of concurrent streams is met, instead of decreasing, its amplification factor soars from 23669

Two Types of Novel DoS Attacks Against CDNs

Fig. 6. How the Amplification factor changes with the number of concurrent streams

477

Fig. 7. How the max Amplification Factor changes with the size of a target resource file

Table 2. Maximum amplification factor for 1 MB, 10 MB and 20 MB target resource CDN

Maximum Amplification Factor 1M 10M 20M

Azure Cloud

2930

28362

43911

Alibaba Cloud

2041

11856

22806

CDN77

2189

12670

23964

Cloudflare CloudFront

19551 201108 403092 2323

20869

32775 64401

Fastly

3310

30081

G-Core Labs

7062

61515 119973

Huawei Cloud

1537

15482

30359

KeyCDN

1975

12292

20845

Tencent Cloud

2800

7537

7676

to 203209 when the number of concurrent streams equals 267. We analyzed this abnormality and found that when the number of concurrent streams exceeded 266, Cloudflare only sent RST STREAM frames to the client to close the excessive streams without returning any HEADERS frames to the client. This nonstandard operation causes the traffic on client-CDN connections to plunge, but the traffic on CDN-origin connections stays unchanged, which leads to a surge in the amplification factor. The Setup of the Second Experiment. For each CDN except Cloudflare, to evaluate the impact of the size of a target resource on the amplification factor, we set the number of concurrent streams within one HTTP/2 connection to the maximum number of concurrent streams as shown in Table 1. For Cloudflare, we

478

H. Song et al.

set it to 267 (obtained in the First Experiment). And then, for each differentsized target resource on the origin server, we send a request to the CDN. Results of the Second Experiment. As shown in Fig. 7, the max amplification factor is basically proportional to the size of the target resource for each CDN except Azure Cloud and Tencent Cloud. For Azure Cloud, the amplification factor remains unchanged when the size of the target resource exceeds 16MB. For Tencent Cloud, when the size of the target resource is larger than 8MB, the amplification factor keeps unchanged. For every CDN, we summarize in Table 2 the maximum amplification factor for a target resource of different sizes, i.e., 1MB, 10MB and 20MB. 6.2

The Practicability of HTA Attacks

The target of the HTA attack is to exhaust the bandwidth of the origin server. Therefore, we can observe the impact of the attack by monitoring the bandwidth consumption of the origin server.For ethical reasons, we only launch HTA attacks on one CDN vendor (Fastly) and record the bandwidth consumption of both the attacker (client) and the origin server.

(a) Bandwidth consumption of the attacker

(b) Bandwidth consumption of the origin server

Fig. 8. The bandwidth consumption of the attacker and the origin server with different number of concurrent requests

Experiment Setup. The size of the requested target resource on the origin server is 1.5MB and its bandwidth is 1000Mbps. We (as a client) send M concurrent HTTP/2 requests per second to the Fastly CDN, lasting 300 s. As shown in Table 1, the maximum number of concurrent streams supported by Fastly is 100, thus we change M from 10 to 100 (by a constant increment of 10). Experiment Results. As shown in Fig. 8(a) and Fig. 8(b), whatever the value of M takes, the attacker sacrifices a bandwidth consumption not exceeding to 300Kbps but incurs a bandwidth consumption amounting to hundreds of Mbps on the origin server side. When M ≤ 60, the bandwidth consumption of the origin server is proportional to the value of M. When M ≥ 70, the bandwidth of it is exhausted completely. We also conduct the experiment for other CDNs and get similar results.

Two Types of Novel DoS Attacks Against CDNs

7

479

Real-World Evaluation for HTTP/2 Slow Rate (HSR) Attacks

The object of the HSR attack is to prolong the kept-open time of a CDNorigin connection as long as possible and make a CDN establish a large number of CDN-origin HTTP/1.1 connections to exhaust the origin server’s connection resources. In Sect. 4.3, we presumed that CDNs adopting the Follow policy might be vulnerable to the HSR attack, and identified that Alibaba Cloud, CDN77, KeyCDN and Tencent Cloud adopted the Follow policy for handling HTTP/2 flow control in Sect. 5. As discussed in Sect. 4.3, if a CDN adopts the Follow policy, the kept-open time of the CDN-origin connection is determined by the client’s speed of receiving the DATA frame in the client-CDN connection. To confirm our presumption and explore the impact of the HSR attack on the keptopen time of the CDN-origin connection and the practicability of the HSR attack in the real world, we perform a series of experiments and examine which CDNs are vulnerable to the HSR attack and analyze the practical impacts. 7.1

Impact of the HSR Attack on the Kept-Open Time of the CDN-origin Connection

As discussed in Sect. 4.3, the kept-open time of the CDN-origin connection is determined by the client’s speed of receiving the DATA frame in the client-CDN connection, and in an HSR attack, an attacker can control that speed in the client-CDN connection by manipulating the HTTP/2 flow control mechanism. By this way, he (or she) is able to control the kept-open time of the CDN-origin connection. We conducted an experiment to explore the impact of the HSR attacks on the kept-open time of the CDN-origin connection. Experiment Setup. The default value of the TimeOut directive of Apache deployed on the origin server is 300 s [10]. We deployed two Apache origin servers on the CDN. And for the first server, we kept the default value of the TimeOut directive unchanged and set it to 600 s for the second server. That will help us determine which one of the CDN and the origin server closes the CDN-origin connection. We placed the same target resource of size 20MB on both servers and recorded the kept-open time of CDN-origin connections (denoted by t in the rest of this paper). On the client side, for each CDN, we request the target resource on both servers. We use the HTTP/2 flow control mechanism (refer to Sect. 2.2) to change the client’s speed of receiving DATA frames (denoted by v in the rest of this paper) from 0KB/s to 64KB/s by a constant increment of 256bytes. We close the client-CDN connection when its kept-open time t exceeds 1 h. Experiment Results. As shown in Fig. 9(a) and Fig. 9(b), for each CDN, there exists a different critical value (denoted by τ in the rest of this paper). When v is less than τ , the variation of t is not significant. When v equals τ , t soars up. When v is bigger than τ , t is approximately inversely proportional to v. Therefore, we speculate that for each CDN, when v is equal to τ , the CDN starts to adopt

480

H. Song et al.

Fig. 9. How the kept-open time of the CDN-origin connection change with client’s speed of receiving DATA frames Table 3. The kept-open time at different stages for different TimeOut TimeOut CDN

τ

Connection kept-open time (s) v = 0 0 5 KB/s 301.44 299.48–310.22 2243.04

31.7–48.7 294.54–306.12 299.56–303.85 290.57–310.44

1679.21 2892.12 2884.19 2229.04

the Follow policy to handling the HTTP/2 flow control. That explains why t decreases after v exceeds τ . For each origin server (whose TimeOut directive is equal to either 300 s or 600 s), Table 3 records the value or the range of v at three different stages (i.e., v = 0, 024 3805 IPv6 with prefix length >48 1308 Reserved space

4

Smart RPKI Validation: Avoiding Errors and Preventing Hijacks

517

between successive events. Our measurements, plotted in Fig. 2 show that periodically re-appearing conflicts seldom occur. Periodically re-appearing conflicts can happen due to intermittent visibility of the prefix. Another cause is due to one super-prefix that can be periodically de-aggregated to more specific ones and then aggregated back to the original, assuming that either the aggregate or the more specific de-aggregation product violates the corresponding ROA. The last and the most harmful case can be caused by poorly designed traffic engineering when one prefix is announced by two or more distinct ASNs, either simultaneously or one after another. We use the BGPStream data to collect and analyse the BGP announcements and traffic hijacks, and find that BGP prefix hijacks are mostly short-lived, lasting less than 3 weeks. 3.2

Aggregated Resolution

Although the time-based conflict resolution algorithm demonstrated sufficient effectiveness, it still had false positives. The reason is that the duration of the conflict is just one of the aspects among other properties that differentiate benign errors from malicious hijacks. To reduce false positives that do not fulfill the time criteria due to temporary nature of the misconfiguration4 we extend our classification to include characteristics of ASes which originate the BGP announcements. We show that this enhances the precision and robustness, while removing long waiting period imposed by the purely time-based algorithm. We define additional features via a fusion of AS characteristics that we collect over external sources. These include cross-checking RIR and IRR databases, DNS, data plane, various network rankings based on fraudulent activities, looking up a web site of a company and whois records for the domain and correlating contact information. Our overall idea is to find inconsistencies that would indicate that an AS operator is not connected with the prefix that it is announcing or, on the contrary, a supporting chain of evidence that the announcement is valid. We call our algorithm the Aggregated Resolution Algorithm (ARA). The algorithm is composed of modules that look for specific matches in RIR DB and IRR between the information relevant for the prefix and for the AS. We define each match to be scored with variable. We look up RIR objects for the prefix and ASN that is announcing the prefix in BGP. We test the prefixes with conflicts (possible route leaks) for BGP announcements correctness. In particular, we check if more specific prefixes than /24 for IPv4, private ASNs in AS path, and so on, like is listed in Table 5 and rate the errors. Then we recursively look up all the referenced objects from the inetnum/inetnum6 and aut-num objects (resp. equivalents for ARIN - NetRange and ASNumber), forming two groups: objects associated with the IP prefix and objects associated with the ASN. We compare the groups for matches and ’similarities’ and we rank each match. We count the rank for each conflict from point (1) and set threshold. The parameters in Table 5 differ in real hijacks and in erroneous BGP announcements. We explain on an example of two hijacks from our analysis: 4

There are networks that are being used for several days or few weeks a year, for instance.

518

T. Hlavacek et al.

(1) A hijacking activity of a Bitcanal company5 , in which four prefixes were hijacked by AS197426: 101.124.128.0/18 | 185.251.248.0/22 | 185.251.44.0/22 | 185.254.16.0/22

In this case the hijacker (Bitcanal) issued a more specific announcement of 101.124.128.0/18 than the original announcement of 101.124.0.0/16, which was typically announced by the owner, AS131486. In addition, other information such as origin and organisation were different. Hence a combination of the attributes, provide a strong indication of the hijack. (2) A publicised hijack of Amazon Route 53 to take over Ethereum for cryptocurrency wallets6 . In this hijack the following BGP prefixes were hijacked: 205.251.192.0/24 | 205.251.193.0/24 | 205.251.195.0/24 | 205.251.197.0/24 | 205.251.199.0/24

In this hijack, the hijackers issued a more specific announcement, however using a different origin and organisation attributes. Therefore, a combination of these parameters indicates a hijack. Computation of ARA Scores. The ARA scores are computed in two stages: we use ANOVA7 and omnibus analysis to identify statistically-significant categories based on pre-selected binary metrics that we computed from the IRR. The binary metrics from the IRR include answers to following questions: “is there a route object for the exact prefix and ASN”, “there is the a route object for any supernet and matching ASN”, etc. These categories correspond to binary variables used later in multiple linear regression for obtaining the weights in the second stage. We used Multiple Regression (MLR) analysis, since we introduced natural and real parameters, i.e., “number of days since the last change of the inetnum object”. In this sense setting the threshold corresponds to intercept point in regression. Changes in Threshold Influence Identification. We explain the factors causing the change in identification when the threshold turns from conservative to aggressive the positive. During our experimental evaluation with the statistics we identified a correlation between ANOVA at 0.05 level of significance and level 0.01, which resulted in only a few differences. We included the less-significant variables in the final ARA algorithm, but the “conservative” threshold is an intercept point that has been computed with them and the “aggressive” has been computed without them (in two different MLR runs). The reason we did this was that the common coefficients were very similar and these produced variables 5 6 7

https://blog.apnic.net/2018/07/12/shutting-down-the-bgp-hijack-factory/. https://www.internetsociety.org/blog/2018/04/amazons-route-53-bgp-hijack/. Comparison of the means of different groups and representation of the statistical difference, the test is also called the omnibus test statistic.

Smart RPKI Validation: Avoiding Errors and Preventing Hijacks

519

were in most cases equal to 1. In the empiric experiments we saw increased success rate without increased false positives when we went from “conservative” (= correctly computed) threshold to “aggressive” (= computed intercept for different ANOVA and MLR). We hope that our analysis will motivate future work on developing a statistical model for conflicts between BGP announcements and ROAs. 3.3

Combining ARA with Time

Our proof of concept implementation of ARA and time based metric classifiers are meant to show feasibility and effectiveness of our proposal at scale. Table 5. Assigned ARA scores. Test/attribute Test/attribute

Assigned Score

too long prefix 1 1 private IP or origin ASN 1 AFI mismatch originas (ARIN), aut-num (LacNIC), origin (rest) 1 0.5 org, orgid, organisation, sponsoring-org 0.5 orgname, org-name 0.4 mnt-by, mnt-routes 0.3 owner-c, owner 0.3 ownerid 0.2 responsible 0.2 admin-c 0.2 tech-c 0.1 abuse-c 0.1 phone 0.05 address 0.05 postalcode 0.05 city 0.01 country

In our evaluation we test different threshold values. Using a “conservative” threshold of 0.4, we obtain 192 out of 243 positive identifications. The conservative threshold of 0.4 means that we need either a strong evidence (e.g., route object or the same organisation ID) binding the AS and the prefix together or alternately we need multiple weaker circumstantial evidences (e.g., the same person identity in tech-c or admin-c or same phone number, same country, etc.). We also test a more aggressive approach by setting threshold to 0.1. This

520

T. Hlavacek et al.

means that we accept any evidence (e.g., same tech-c or admin-c person) and we obtain 196 out of 243. We compare ARA results with the original time-based classifier: we have 92 resp. 97 differences (based on the threshold setting), it means in all these cases ARA eliminates the false negatives (false alarms where the time-based criteria does not suffice to whitelist) from the time-based algorithms. We have the same outcome for conflict resolver and ARA in 104 cases.

4

Ground Truth with Sysops Survey

To establish ground truth we performed a survey with the networks that had conflicts. We notified the networks with conflicts about the problems and asked them for feedback. We used the data provided by the network operators to create a ground truth for the classification that we made. During our notifications in January 2019 we detected 89730 conflicts: 16220 with wrong ASN and 73510 with wrong prefix length and informed the affected operators of the conflicts. We compared the two classes of errors (possible hijack or whitelisted) and the answers of the sysops from the survey. The classifier categorised 132 conflicts as whitelisted, namely conflicts due to errors. 93% (123 out of 132) of the conflicts which were whitelisted by the classifier, were indeed caused because of outdated or erroneous ROA. 7% (9 out of 132) were erroneous BGP announcements. The classifier identified 33 as a possible hijack. 55% (18 out of 33) of the conflicts which were classified as possible hijack, were indeed caused by hijacking BPG announcements; 45% (15 out of 33) were caused by outdated or erroneous ROAs. These results show that classification even with a time based metric alone can eliminate a large fraction of the errors. When adding ARA, we show that we can further reduce the errors. Table 6 shows number of matches in RIR DB and IRR for specific attributes and breaches of [RFC1918], using reserved ASNs in the AS PATH, Address Family Identifiers (AFIs) for IPv4 and IPv6 mismatches and breaches of unwritten rules about the minimum announcement size in DFZ (/24 for IPv4 and /48 for IPv6).

5

Smart RPKI Validation

We develop a framework for smart RPKI validation (SROV for short) that performs: (1) longitudinal measurements and analysis of the routing and RPKI in the Internet; (2) notifies the networks with conflicts about the problems and recommendations how to fix them; (3) applies SROV to validate BGP announcements against the ROAs while identifying conflicts caused by errors. The components are illustrated in Fig. 3 in Appendix. SROV Implementation. Our implementation extends the relying party of RIPE NCC (the RIPE NCC RPKI Validator). We integrate into the Validator implementation both the time-based and ARA classifiers.

Smart RPKI Validation: Avoiding Errors and Preventing Hijacks

521

Fig. 3. Architecture of smart RPKI validation.

Data Sources. In contrast to the existing relying party implementations that monitor only local BGP announcements, SROV also collects the announcements that are seen globally in the Internet. The collection is performed in multiple data sources from public collectors. These public collectors periodically collect BGP announcements and BGP table dumps and store them in public archives. The data sources that we use are the following: (1) (2) (3) (4) (5)

RIPE historic RPKI data archive8 with historical RPKI data. We collect all the existing ROAs from RPKI publication points. We collect the BGP announcements seen on local BGP routers. We retrieve routing data from CAIDA BGPStream broker [3]. We retrieve historical BGP updates from RouteViews and RIPE RIS.

We implemented modules to pulls the BGP announcements and the ROAs from public archives and publication points in the “Data sources” periodically. We use BGPStream [3] and multiple RIPE RouteViews as our sources for the analysis of historical and real time BGP measurement data. SROV contains modules which analyse the collected data using the time and data-aggregation metrics of our conflict classifiers. Based on the results the decisions on the individual announcements are made and downloaded to the BGP routers through the RPKI-to-Router (RTR) protocol. Global Monitoring. We set up our SROV as a global service. The announcements are validated in real time. We use the ROAs stored in the RPKI archive to determine if an AS is allowed to announce a prefix or if there is a conflict, e.g., the prefix being more specific than allowed. Once the data is fed into the database we classify all BGP announcements and label them as valid, misconfigured or as an hijack. The results of our monitoring and analysis can be seen online at https://smart-validator.net/. 8

https://rpki-study.github.io/rpki-archive/.

522

T. Hlavacek et al. Table 6. ARA matches for all prefixes from the survey. Tests

6

Erroneous BGP announcements

Outdated or erroneous ROA

too long netmask 17 (60.71%)

0 (0.00%)

address

19 (67.86%)

151 (70.23%)

mnt-by

3 (10.71%)

131 (60.93%)

origin

2 (7.14%)

133 (61.86%)

org

2 (7.14%)

75 (34.88%)

admin-c

2 (7.14%)

86 (40.00%)

tech-c

2 (7.14%)

91 (42.33%)

organisation

2 (7.14%)

66 (30.70%)

abuse-c

17 (60.71%)

106 (49.30%)

phone

18 (64.29%)

122 (56.74%)

country

19 (67.86%)

70 (32.56%)

responsible

2 (7.14%)

35 (16.28%)

owner-c

15 (53.57%)

36 (16.74%)

aut-num

1 (3.57%)

6 (2.79%)

owner

1 (3.57%)

35 (16.28%)

ownerid

1 (3.57%)

35 (16.28%)

Evaluation with SROV

To understand the effectiveness of smart validation with SROV in contrast to ROV, we perform the most extensive data-plane traffic collection that was ever analysed with respect to RPKI. We evaluate SROV and ROV over these data and perform simulations. Data Collection. We collect real 2Tb/s (with 5 Tb/s during peaks) data flow at an NIX IXP. Up to 2020 these were three separate IXPs in Europe: NIX.CZ, NIX.SK, and NIX.AT, in Prague, Bratislava and Vienna. NIX has a NetFlow collection system based on FTAS9 that receives NetFlow from all Cisco Nexus 7000 switches and sFlow from the new Nexus 9000. NetFlow and sFlow records consist of source and destination IP addresses, protocol, ports (for TCP and UDP), number of packets and number of bytes. One flow represents many packets with the same IP addresses, protocol and ports. Each direction is counted separately (one TCP session makes at least two NetFlow records, one for each direction). To process the NetFlow we write filter for FTAS in C. The rest of the pipeline is post-processing of CSV files in Python and Pandas. The filter module in FTAS takes the plain ROV resolutions (using BGP from RouteViews) and 9

https://www.cesnet.cz/services/network-traffic-monitoring-3/?lang=en.

Smart RPKI Validation: Avoiding Errors and Preventing Hijacks

523

SROV resolutions form IRAS (the library that performs the database workflow). In the FTAS filter we matched the IP addresses in NetFlows with to-drop prefixlists from the IRAS. Our analysis and the results from the filter were anonymous, complying with ethics. The filter dropped all the IP addresses and we could see just the resulting counters that we plotted in graphs. Evaluation of SROV Effectiveness. In our analysis we consider the traffic volumes and the traffic type (protocol) that is being currently dropped with ROV. We first analyse the comparison between our classifiers with the ground truth established with our survey. In our analysis, we set a threshold in interval [0,1] for the score that ARA computed for each conflict. Conservative threshold is 0.8 for whitelisting and aggressive threshold is 0.4. The plot in Fig. 5 shows how many prefixes from our survey were classified correctly. These are the conflicts ARA correctly resolved by identifying that the conflict arose due to erroneous ROA. In the plot we see that ARA decided correctly for over 90% of the conflicts. We use this to quantify the traffic that would have been lost with ROV filtering but saved with SROV. We plot the volume of traffic lost (according to protocols) due to ROV filtering of conflicting announcements in Fig. 6. The plot shows a snapshot of two full months of traffic that was filtered by ROV in the Internet. The spike is a DoS attack that was filtered with ROV. The filtering was done since the DoS traffic was carried out from a hijacked prefix, which resulted in a conflict. The DoS attack contained TCP in IPv6 in IP (i.e., a SIP tunnel) traffic coming from RTNet10 to Hurricane Electric. The attack maxed out a 100 Gbps interface of the customer for a while; 3TB in 5 min, which is approximately 80 Gbps flow. Our evaluation of SROV over the same traffic in Fig. 7 shows that much of the filtered traffic would have been saved, except for the DoS traffic, which would also have been filtered by SROV because of the hijacked prefix. The hijacking BGP announcement was relatively new BGP announcement hence SROV had a “block” decision on it. We see this in the plot at the corresponding time period of the DoS attack - there is no matching spike with SROV. This example on a real life attack traffic demonstrates the effectiveness of SROV in different scenarios: filtering of real attack traffic vs. saved traffic due to errors. The simulation of the BGP routes is done using the best path decision according to: local preference, shortest path and then to break ties we chose path with lower AS hops. Our simulation uses the 72411 Internet ASes11 . Our simulator is written in C++ optimised for speed. This is achieved by pre-allocating memory and structures used for the search and thus avoiding dynamic memory allocations. AS lookups are much faster using a static array, where the ASN is defined by the index of the array. Using SWIG12 (Simplified Wrapper and Interface Generator) we create a Python interface that can be used by the rest of the architecture which is also written in Python. This way we have the combined advantage of C++ performance and Pythons simplicity and flexibility. The simulator reads 10 11 12

https://retn.net. In October 2021 there are 72411 ASes in the Internet. www.swig.org.

524

T. Hlavacek et al.

Fig. 4. Packets volume and protocols.

Fig. 5. ARA classification results.

Fig. 6. Traffic lost due to ROV filtering.

Fig. 7. Traffic saved with SROV.

Caida AS relationship data. Both versions, Serial1 and Serial2, are supported. This data contains the relationship (i.e., the “cash-flow” of ASes). There are two types of relationships: customer-to-provider (or provider-to-customer when going backwards) and peer-to-peer. Since ASes do not route packets from ASes that do not pay them (like two providers routing a packet over their customer) this can be used to calculate valid paths on the internet. A valid path consists of any number of customer-to-provider connections followed by zero or one peer-to-peer connection followed by any number of provider-to-customer connections.

7

Related Work

Measurements of ROA. Deployment of ROA objects show a stable increase over the last decade [9,16,20,29,39], with occasional failures in retrieving the ROAs [23]. A recent proposal [15] automated the manual certification of IP prefixes, essentially resolving the last obstacle towards large scale adoption of RPKI. Indeed it seems that RPKI gained momentum and finally becoming widely supported. From the beginning, deployments of RPKI had a large fraction of erroneous ROAs [13,14,22] that not only resulted in insecurity but worse, ROV filtering of such ROAs causes networks to lose legitimate traffic.

Smart RPKI Validation: Avoiding Errors and Preventing Hijacks

525

Measurements of ROV. A number of studies evaluated the implications of enforcing ROV locally on their own networks [13,19,20,22] and suggested that deploying ROV is likely to cause disruption of legitimate traffic. A recent study [14] examined ROV adoption in the Internet by a passive observation of existing BGP paths from multiple vantage points of 19 RouteViews [2] collectors and provided an upper bound on non-ROV enforcing ASes. A subsequent study [31] argued that with uncontrolled experiments one cannot differentiate between the different causes for filtering of the invalid routes, and that often filtering of an invalid route is applied not due to ROV enforcement but also due to other factors, such as traffic engineering. To address this concern, [31] describes an approach for performing controlled experiments using BGP announcements and ROAs in combination with control-plane observations using RouteViews [2] and RIPE RIS [1] vantage points. An extensive study [16] measured much lower ROV adoption rate using controlled experiment, three independent data acquisition methods and extensive data post-processing to filter out false positives. [33] reevaluated existing ROV-measurement methods, executing them in a more structured way (using PEERING testbed). In [9] CAIDA carried out measurements using a major piece of know-how that (only) they have: the BGP graph derivation algorithm using multiple BGP sources. In this case they use this ability to passively detect ROV by using historical data and looking for characteristic drops in connectivity of the invalid prefixes. Recently, [26] showed that ROV provides limited benefits at partial deployment against super-prefix hijacks, and propose to extend ROV to prevent such attacks. In this work, we created an RPKI setup to periodically collect up-to-date ROAs from the public repositories and the networks that enforce ROV. Using the results of our measurements we identify invalid ROAs, simulating the fraction of traffic that is as a result blocked or redirected. Study of Errors. Recently [8] found that with respect to conflicts the same people make the same mistakes, and describe the misconceptions and misunderstandings that caused the mistakes in the RPKI that they measured. Notification. PHAS [24] is real time notification system which updates prefix owners of prefix changes, allowing them to decide if the changes are legitimate. There are a number of downsides to this approach: (1) PHAS may not see all the changes, if they affect networks only locally, say, via a same-prefix hijack; (2) in case the prefix was delegated the owners may not be able to determine if the change was legitimate or not; (3) manual inspection is not only error prone but also slow - by the time the owner notices the problem, the traffic has already been hijacked. Our goal is to identify conflicts between BGP announcements and their corresponding ROAs, and to determine if the conflict arises as a result of prefix hijacks or due to benign errors in ROAs. If the conflict is a result of an error, we notify the corresponding networks. In addition, in our smart validator we do not filter prefixes in such conflicting BGP announcements but use them in making routing decisions in BGP. Our measurements and surveys indicate

526

T. Hlavacek et al.

that fear of erroneous ROAs is one of the main reasons behind low enforcement of ROV, and our automated error resolution with smart validator lifts the main obstacles towards wide deployment of RPKI. Hijacks Measurements. Studies of feasibility of hijacks showed that security of widely used applications can be subverted, such as Public Key Infrastructure (PKI) and Resource Public Key Infrastructure (RPKI) [5,7,10–12,17,34]. [6] developed a simulator for evaluating success of BGP prefix hijacks as well as resilience of countermeasures against BGP prefix hijacks. Attacks Against RPKI. [27] suggested to extend ROV to also prevent superprefix hijack attacks. Recently [18] showed that ROV validation can be disabled due to vulnerabilities in relying party implementations. [37] reviewed the risks posed by malicious repositories.

8

Conclusions

A main obstacle towards deployment of RPKI is conflicts between BGP announcements and ROAs due to errors. Filtering routes in BGP based on such errors causes networks to block traffic to legitimate destinations. As a result most networks in the Internet do not enforce ROV. This situation eliminates any benefit that RPKI was designed to deliver, leaving networks exposed to BGP prefix hijacks. Unfortunately, the errors in ROAs are likely to always persist. Even more significantly, our analysis of errors in ROAs in the last eight years shows that the errors do not decrease. To cope with errors we developed a smart RPKI validation, which uses SROV to determine if a conflict is caused due to a benign misconfiguration or a hijack attack. We showed that SROV is effective in blocking hijack attacks, while also providing benefit in identifying conflicts due to errors and “saving” the traffic. We setup an online notification service, which uses SROV to monitor and analyse conflicts, and periodically notifies the networks, that register for this service, about the misconfigurations. We showed that our notifications helped network operators fix the errors, hence reducing the amount of conflicts. Our implementation of SROV is open source and our monitoring and notification service is open for networks that deployed (or plan to deploy) RPKI. We provide access to our online monitoring and analysis service which reports conflicts and analyses performance of SROV vs ROV at https://smart-validator.net/. Acknowledgements. This work has been funded by the German Federal Ministry of Education and Research and the Hessen State Ministry for Higher Education, Research and Arts within their joint support of the National Research Center for Applied Cybersecurity ATHENE and by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) SFB 1119.

Smart RPKI Validation: Avoiding Errors and Preventing Hijacks

A

527

Overview: RPKI and BGP

BGP Prefix Hijacks. In a BGP prefix hijack an adversary creates a bogus BGP announcement that maps the prefix of the victim AS to its own ASN (AS number). As a result the adversary can intercept traffic from all the ASes that have less hops (shorter AS-PATH) to the attacker than to the victim AS. The same-prefix hijack affects the traffic of the ASes that prefer the attacker’s announcement. The effectiveness of the same-prefix hijack attacks depends on the local preferences of the ASes and the location of the attacker’s AS. In particular, the same-prefix attack only attracts traffic from ASes that have shorter path (i.e., less hops) to the attacker. The adversary can also advertise a sub-prefix of the victim AS’s prefix. The routers prefer more specific IP prefixes over less specific ones, hence the longestmatching prefix (e.g., /24) gets chosen over the less-specific prefix e.g., /20). Once a victim AS accepts the hijacking announcement it sends all the traffic for that sub-prefix to the adversary. RPKI Components. RPKI associates public keys with IP prefixes [25]. After certifying their IP prefixes, owners can use their private keys to sign Resource Certificates (RCs) and Route Origin Authorizations (ROAs), which authorise AS numbers to advertise these prefixes in BGP. RCs and ROAs are published on publication points (aka publication servers), which the relying parties periodically query to retrieve the RPKI objects from the repositories. There are two RPKI models: delegated RPKI and hosted RPKI. In the delegated RPKI model, AS runs a CA as a child of RIR (or NIR or LIR), generates its own certificate, gets it signed by the parent CA. This model allows the AS to operate independent of the parent RIR. For large operators of a global network, this model is suitable so that they do not need to maintain ROAs through the different web interfaces of the RIRs. However, this model is not suitable for all as it requires running a CA and maintaining the ROAs. RPKI Models. In the hosted-RPKI model, RIRs host the CA, that is, the same entity that allocates IP resources also runs the CA to validate the ROAs. Thus, in this model, they are trust anchors. In a way, this is meaningful as the RIRs already know the owner of the address space. Existing RPKI systems are tied-up with the login credentials of the ASes at the RIR. Signing and key rollover is automatic. It is easy for the owners of the address space to begin using hosted RPKI than delegated RPKI as the CA functionality is taken care of by the RIR. This model is convenient for most ASes. It is easier to use and it is especially useful for members with a small network and with limited resources. Even large providers such as Cloudflare make use of hosted RPKI. Furthermore, the RIR assumes responsibility to publish the signed objects. However, this convenience comes at the cost of further centralization of power as the RIRs also handle the private keys used to sign ROAs.

528

T. Hlavacek et al.

Locate the Publication Point. To find the publication servers the relying parties query their respective DNS resolvers for the hostnames of the repositories. The relying party software starts at the top of the cryptographically-signed chain that begins with the Trust Anchor Locator (TAL). TAL contains the URLs of RRDP and/or rsync servers and the fingerprint for download and validation of the top level CA certificate. Each of the five RIRs operate one top level RPKI CA for the resources managed by that RIR, hence all the relying parties need the current TAL for the RPKI CA of each RIR - it has to be supplied by the operator or packaged with the relying party software. Starting from TAL, the relying party recursively contacts the publication points that form subtree of the root CA. An RPKI certificate can delegate the resources to a child publication server. The relying party traverses the trees, downloads the RPKI certificates, validates them along with other supplementary objects, manifests, CLRs and ROAs. ROA is the leaf in the RPKI tree that holds the cryptographically signed triplets that constitute the final output that the relying party provides to the border routers. The relying parties apply ROV (Route Origin Validation) over the retrieved objects to filter routes with invalid origins to protect against prefix hijacks. The routers use a simple text-oriented protocol called RTR (The Resource Public Key Infrastructure (RPKI) to Router Protocol) [RFC8210] to download the current result set from the relying party. The BGP routers make routing decisions based on the outcome of ROV performed by the relying parties.

References 1. Routing Information Service (RIS). https://www.ripe.net/analyse/internetmeasurements/routing-information-service-ris 2. University of Oregon Route Views Project. http://www.routeviews.org/ 3. BGPStream by CAIDA. https://bgpstream.caida.org/. Accessed July 2016 4. Arstechnica, BGP event sends European mobile traffic through China Telecom for 2 hours (2019). https://arstechnica.com/informationtechnology/2019/06/bgpmishap-sends-europeanmobile-traffic-through-china-telecom-for-2-hours 5. Birge-Lee, H., Sun, Y., Edmundson, A., Rexford, J., Mittal, P.: Bamboozling certificate authorities with {BGP}. In: 27th {USENIX} Security Symposium ({USENIX} Security 2018), pp. 833–849 (2018) 6. Brandt, M., Shulman, H.: Optimized BGP simulator for evaluation of internet hijacks. In: 2021 IEEE Conference on Computer Communications Workshops, INFOCOM Workshops 2021, Vancouver, BC, Canada, 10–13 May 2021, pp. 1– 2. IEEE (2021) 7. Brandt, M., Shulman, H., Waidner, M.: Evaluating resilience of domains in PKI. In: Kim, Y., Kim, J., Vigna, G., Shi, E. (eds.) CCS 2021: 2021 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event, Republic of Korea, 15–19 November 2021, pp. 2444–2446. ACM (2021) 8. Chung, T., et al.: RPKI is coming of age: a longitudinal study of RPKI deployment and invalid route origins. In: Proceedings of the Internet Measurement Conference, pp. 406–419, 2019

Smart RPKI Validation: Avoiding Errors and Preventing Hijacks

529

9. Testart, C., Richter, P., King, A., Dainotti, A., Clark, D.: To filter or not to filter: measuring the benefits of registering in the RPKI today. In: Sperotto, A., Dainotti, A., Stiller, B. (eds.) PAM 2020. LNCS, vol. 12048, pp. 71–87. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44081-7 5 10. Dai, T., Jeitner, P., Shulman, H., Waidner, M.: From IP to transport and beyond: cross-layer attacks against applications. In: Kuipers, F.A., Caesar, M.C. (eds.) ACM SIGCOMM 2021 Conference, Virtual Event, USA, 23–27 August 2021, pp. 836–849. ACM (2021) 11. Dai, T., Jeitner, P., Shulman, H., Waidner, M.: The hijackers guide to the galaxy: Off-path taking over internet resources. In: Bailey, M., Greenstadt, R. (eds.) 30th USENIX Security Symposium, USENIX Security 2021, 11–13 August 2021, pp. 3147–3164. USENIX Association (2021) 12. Dai, T., Shulman, H., Waidner, M.: Let’s downgrade let’s encrypt. In: Kim, Y., Kim, J., Vigna, G., Shi, E. (ed.) CCS 2021: 2021 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event, Republic of Korea, 15–19 November 2021, pp. 1421–1440. ACM (2021) 13. de Boer, R., de Koning, J.: BGP Origin Validation (RPKI). Univeristy of Amsterdam, systems and network engineering group, Technical report (2013) 14. Gilad, Y., Cohen, A., Herzberg, A., Schapira, M., Shulman, H.: Are we there yet? on RPKI’s deployment and security. In: NDSS (2017) 15. Hlavacek, T., Cunha, I., Gilad, Y., Herzberg, A., Katz-Bassett, E., Schapira, M., Shulman, H.: Disco: sidestepping RPKI’s deployment barriers. In: Network and Distributed System Security Symposium (NDSS) (2020) 16. Hlavacek, T., Herzberg, A., Shulman, H., Waidner, W.: Practical experience: methodologies for measuring route origin validation. In: 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018, Luxembourg City, Luxembourg, 25–28 June 2018, pp. 634–641. IEEE Computer Society (2018) 17. Hlavacek, T., Jeitner, P., Mirdita, D., Shulman, H., Waidner, M.: Behind the scenes of RPKI. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (CCS) 18. Hlavacek, T., Jeitner, P., Mirdita, D., Shulman, H., Waidner, M.: stalloris: RPKI downgrade attacks (2022) 19. Iamartino, D.: Study and measurements of the RPKI deployment (2015) 20. Iamartino, D., Pelsser, C., Bush, R.: Measuring BGP route origin registration and validation. In: Mirkovic, J., Liu, Y. (eds.) PAM 2015. LNCS, vol. 8995, pp. 28–40. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-15509-8 3 21. Janardhan, S.: More details about the October 4 outage (2021). https:// engineering.fb.com/2021/10/05/networking-traffic/outage-details/ 22. Kloots, J.: RPKI routing policy decision-making: a SURFnet perspective (2014). https://labs.ripe.net/Members/jac kloots/ 23. Kristoff, J., et al.: On measuring RPKI relying parties. In: Proceedings of the ACM Internet Measurement Conference, pp. 484–491 (2020) 24. Lad, M., Massey, D., Pei, D., Wu, Y., Zhang, B., Zhang, L.: Phas: a prefix hijack alert system. In: USENIX Security symposium, vol. 1, p. 3 (2006) 25. Lepinski, M., Kent, S.: An infrastructure to support secure internet routing. RFC 6480 (Informational) (2012) 26. Morillo, R., Furuness, J., Herzberg, A., Morris, C., Wang, B., Breslin, J.: Rov++: improved deployable defense against BGP hijacking (2021)

530

T. Hlavacek et al.

27. Morillo, R., Furuness, J., Morris, C., Breslin, J., Herzberg, A., Wang, B.: ROV++: improved deployable defense against BGP hijacking. In: 28th Annual Network and Distributed System Security Symposium, NDSS 2021, virtually, 21–25 February 2021. The Internet Society (2021) 28. RIPE NCC. YouTube Hijacking: A RIPE NCC RIS case study (2008) 29. NIST. RPKI Monitor (2015). http://rpki-monitor.antd.nist.gov/ 30. Renesys. The New Threat: Targeted Internet Traffic Misdirection (2013). http:// www.renesys.com/2013/11/mitm-internet-hijacking/ 31. Reuter, A., Bush, R., Cunha, I., Katz-Bassett, E., Schmidt, T.C., W¨ ahlisch, M.: Towards a rigorous methodology for measuring adoption of RPKI route validation and filtering. CoRR, abs/1706.04263 (2017) 32. Reuter, A., Bush, R., Cunha, I., Katz-Bassett, E., Schmidt, T.C., W¨ ahlisch, M.: Towards a rigorous methodology for measuring adoption of RPKI route validation and filtering. ACM SIGCOMM Comput. Commun. Rev. 48(1), 19–27 (2018) 33. Rodday, N., et al.: Revisiting rpki route origin validation on the data plane. In: Proceedings of Network Traffic Measurement and Analysis Conference (TMA). IFIP. Accepted for publication (2021) 34. Sun, Y., et al.: Securing internet applications from routing attacks. Commun. ACM 64(6), 86–96 (2021) 35. Toonk, A.: Hijack Event Today by Indosat (2014). http://www.bgpmon.net/ hijack-event-today-by-indosat/ 36. Toonk, A.: Turkey Hijacking IP Addresses for Popular Global DNSProviders (2014). https://www.bgpmon.net/turkey-hijacking-ip-addresses-for-popularglobal-dns-providers/ 37. van Hove, K., van der Ham, J., van Rijswijk-Deij, R.: Rpkiller: threat analysis from an RPKI relying party perspective. CoRR, abs/2203.00993 (2022) 38. Vervier, P.-A., Thonnard, O., Dacier, M.: Mind your blocks: on the stealthiness of malicious BGP hijacks. In: NDSS (2015) 39. W¨ ahlisch, M., Schmidt, R., Schmidt, T.C., Maennel, O., Uhlig, S., Tyson, G.: Ripki: the tragic story of RPKI deployment in the web ecosystem. In: de Oliveira, J., Smith, J., Argyraki, K.J., Levis, P. (eds.) Proceedings of the 14th ACM Workshop on Hot Topics in Networks, Philadelphia, PA, USA, 16–17 November 2015, pp. 11:1–11:7. ACM (2015)

Cyber Network Resilience Against Self-Propagating Malware Attacks Alesia Chernikova1(B) , Nicol` o Gozzi2 , Simona Boboila1 , Priyanka Angadi4 , 4 John Loughner , Matthew Wilden4 , Nicola Perra3 , Tina Eliassi-Rad1 , and Alina Oprea1 1

3

Northeastern University, Boston, MA, USA [email protected] 2 University of Greenwich, London, UK School of Mathematical Sciences, Queen Mary University of London, London, UK 4 PricewaterhouseCoopers LLP, Washington, DC, USA

Abstract. Self-propagating malware (SPM) has led to huge financial losses, major data breaches, and widespread service disruptions in recent years. In this paper, we explore the problem of developing cyber resilient systems capable of mitigating the spread of SPM attacks. We begin with an in-depth study of a well-known self-propagating malware, WannaCry, and present a compartmental model called SIIDR that accurately captures the behavior observed in real-world attack traces. Next, we investigate ten cyber defense techniques, including existing edge and node hardening strategies, as well as newly developed methods based on reconfiguring network communication (NodeSplit) and isolating communities. We evaluate all defense strategies in detail using six real-world communication graphs collected from a large retail network and compare their performance across a wide range of attacks and network topologies. We show that several of these defenses are able to efficiently reduce the spread of SPM attacks modeled with SIIDR. For instance, given a strong attack that infects 97% of nodes when no defense is employed, strategically securing a small number of nodes (0.08%) reduces the infection footprint in one of the networks down to 1%.

1

Introduction

Self-propagating malware (SPM) has become one of the top cyber threats in recent years. In 2016, Mirai [13] malware infected more than 600K consumer devices and launched a widespread DDoS attack targeting over 175K websites. The WannaCry [26] ransomware attack of 2017 affected more than 300K vulnerable devices in 150 countries in a few days, from entire healthcare systems to banks and national telecommunications companies. Worryingly, there have been reports of its re-appearance during the COVID-19 pandemic. Recently, ransomware attacks have increased significantly, with the emergence of new threats like Ryuk (2019) [14], PureLocker (2020) [39], and many others. SPM campaigns attempt to exploit vulnerabilities on specific ports by blending in with c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 531–550, 2022. https://doi.org/10.1007/978-3-031-17140-6_26

532

A. Chernikova et al.

legitimate traffic. Since blocking ports entirely is often not feasible, defending against SPM is particularly challenging. Machine learning (ML) techniques have been employed [33], with the goal of detecting the attack and taking reactive measures after the data breach has occurred. However, the performance of ML methods often degrades when there is a high number of false positives, which are hard to triage by human experts. In this paper, we take a graph robustness perspective for proactively protecting cyber networks against self-propagating malware attacks. We study the problem of how to build cyber resilient systems and how to configure communication in cyber networks to prevent the spread of SPM attacks. Towards this ambitious goal, our first task is understanding and modeling the behavior of a well-known SPM malware, WannaCry, by using compartmental models that stem from epidemiology. We then turn our attention to methods for enhancing network resilience against these attacks. We model the topology of the network via the communication flows collected from real network traces, which we obtained from an industry partner. Our main insight is to analyze communication networks through the lens of graph robustness, an area that has been studied extensively in other applications (e.g., social-, information-, transportation-, and mobility-networks), but much less in cyber security. On the SPM attack modeling side, we show that prototypical models for virus propagation (such as SIS and SIR [6]) do not fit the behavior of WannaCry well. We thus introduce a new model (SIIDR) that captures the behavior of selfpropagating malware more accurately. In particular, our new model introduces a dormant state, in which the malware is installed in the system, but is not active for some interval (this is a common behavior observed in SPM, as well as advanced persistent threat attacks, which have been documented to be “slowand-low” for months and sometimes years). We use real traffic logs generated by multiple variants of WannaCry to select the best fit model and estimate the parameters (i.e., transition rates) that best characterize WannaCry attacks. On the defense analysis side, we perform an in-depth evaluation on several complementary topological-based defenses. We investigate a large number of defense techniques (10) based on various cybersecurity strategies such as node hardening, edge hardening, isolation, and reconfiguring communication. We evaluate their ability to increase network resilience to cyber attacks using two robustness metrics that have been shown to be accurate indicators of graph connectivity, and, implicitly, of the network’s resilience to attack propagation [16]: (a) the spectral radius of a graph and (b) the relative size of the largest connected component in the graph. We also propose two new defensive methods: NodeSplit, which reconfigures the nodes with the largest number of incident edges by migrating half of their communication links to new nodes; and Community Isolation, which constructs communities in the graph and then strategically hardens edges that connect the communities to thwart the attack propagation. Hybrid strategies that combine NodeSplit with edge hardening (e.g., setting up firewall rules) are particularly successful at minimizing the spectral radius of a graph (our first robustness metric), achieving over 60% reduction on most of our graphs, with a small budget of only 50 split nodes and a fraction of 0.1 secured edges. Hybrid NodeSplit + Community Isolation strategies perform very well on the second

Cyber Network Resilience Against Self-Propagating Malware Attacks

533

robustness metric, being able to break down the largest connected component to less than 20% of its original size on most of the studied graphs. To evaluate our defenses in realistic conditions, we use six real-world communication flow graphs collected from a large retail network. These graphs model application communication on well-known ports (22, 80, 139, 383, 443, 445) and are up to 620K nodes and 6.8 million edges. We thoroughly evaluate and compare the defense strategies in terms of their ability to reduce the spread of malware modeled with SIIDR and the budget required for slowing down the attack. Node hardening techniques are the most effective defenses over a wide range of attack scenarios and network topologies studied here, leading to a 20× decrease in the effective attack strength. This reduction results in substantial infection footprint minimization. For instance, given a strong attack that infects 97% of nodes when no defense is employed, strategically securing a small number of nodes (i.e., 50 nodes, which account for 0.08% of the nodes on port 22) reduces the infection footprint on port 22 down to only 1%. We summarize our contributions below: – We propose and evaluate SIIDR, a compartmental attack model that captures the behavior of SPM accurately. We use real SPM traffic logs from WannaCry to estimate the attack parameters. – We perform an in-depth evaluation of 10 defense techniques and compare them using two graph robustness metrics. – We introduce two novel defenses: NodeSplit (to reconfigure communication of top-degree nodes) and Community Isolation (to harden edges between communities), and show their effectiveness particularly in hybrid strategies. – We evaluate the effectiveness of various defense strategies against SPM attacks, using six large real-world communication graphs. – We provide recommendations on the effectiveness and cost of multiple defenses to inform network operators on various proactive defense options against SPM attacks. Our open-source code is available on GitHub [18].

2

Problem Statement and Background

In a recent survey, Freitas et al. [16] note that the study of graph vulnerability and robustness is still nascent in cybersecurity. Existing research includes modeling lateral attack movement between computers and analytical studies of interdependent spatial networks [9,10,15]. However, they point out the need for additional work in several directions, including comprehensive evaluations of various attack and defense scenarios. Our work directly addresses this need, and is, in that sense, particularly timely. We study both facets of building cyber resilient systems, attacks and defenses, in an integrated and complementary way. In cybersecurity, eliminating or mitigating vulnerabilities is achieved through “system hardening” [32] and depending on where or how protection is applied, it can refer to network hardening, server hardening, operating system hardening, application hardening, etc. Reducing the “attack surface” consists in addressing known vulnerabilities via changing passwords, removing unused services, applying security patches, closing open network ports, configuring firewalls and setting

534

A. Chernikova et al.

intrusion-detection systems. On the theoretical side, most of the previous techniques for increasing network robustness are based on classic mathematical epidemiology results, which link the spreading of a virus of a graph with its spectral radius [7,36]. The epidemics dies out quickly if the spectral radius is less than a threshold, which depends on the virus propagation method. Hence, topological changes are employed to bring the spectral radius below this threshold. Threat Model: We aim to design efficient defense strategies that increase network robustness against SPM attacks. We consider cyber networks such as enterprise networks, data center networks, or cloud systems, in which communication flows between nodes can be modeled as a graph. We assume that the malware first compromises one victim machine on the network (“patient zero”), after which it spreads to other vulnerable machines within the network over a specific protocol, e.g., HTTP (port 80), SSH (port 22), SMB(port 445), etc. We derive a realistic attack model (namely, SIIDR) and its parameters by running an actual WannaCry attack, under homogeneous mixing assumptions [46]. Homogeneous mixing models imply that all hosts have identical rates of infection-spreading contacts. Our attack experiments were carried out within a local subnet, where such an assumption is valid. For WannaCry modeling, we analyze Zeek logs collected at the border of the monitored subnet. We assume that these logs are not compromised by the attacker. To design and evaluate defense strategies, we use communication data of a large retail network. We assume that the network traffic has not been compromised, and, thus, the logged connections can be used to derive an accurate graph representation of the network communication topology. Challenges: Building cyber-resilient systems is challenging for multiple reasons. First, realistic modeling of actual attacks is difficult, due to the limited availability of attack traces, and the ethical considerations that prevent us from recreating known attacks in real-world networks. Second, the continual evolution of attacks that attempt to avoid detection requires innovative proactive measures that are able to counter a wide range of potential threats. Third, building resilient infrastructures is budget-dependent both in terms of infrastructure and software updates, as well as human effort. Careful assessments of complete eradication strategies versus mitigation (containment) methods are necessary to establish real-world feasibility of the defenses.

3

SPM Modeling

Infectious disease research has inspired the study of mathematical models for malware propagation, in part due to the similarities in the behavior of human viruses and computer viruses. Many of these epidemiological models are compartmental. That is, the population is divided into states (a.k.a. classes), based on the health status of individuals and the type of disease [6]. Examples include susceptible (S), exposed (E), infectious (I), quarantined (Q), and recovered (R), to name a few. In this study, we are investigating the specific case of selfpropagating malware. All types of self-propagating malware have one defining

Cyber Network Resilience Against Self-Propagating Malware Attacks

535

characteristic: once a host becomes infected, it starts probing other computers on the Internet randomly, with the goal of spreading the infection widely. This type of behavior guides the mathematical modeling of SPM. We use real-world attack traces to model self propagating malware, and derive compartmental models and parameters that closely fit actual attack propagation data. Model fitting for deriving best models and their parameters from data has been widely used in the study of infectious diseases [22,40], but less so in the modeling of computer viruses. To the best of our knowledge, we are the first to model self-propagating malware based on real attack traces to find the model and parameters that most accurately describe a real attack. In the remainder of this section we describe the data, selection methodology and results that identify the model that captures SPM behavior most precisely. WannaCry Data: We select WannaCry malware as a representative selfpropagating malware attack, which can be configured with multiple parameters to generate a range of propagation behaviors. As shown by Ongun et al. [33], other SPM malware such as Mirai, Hajime, and Kenjiro follow similar propagation patterns, and our attack modeling will likely generalize to other attacks. We set up a virtual environment featuring the EternalBlue Windows exploit that was used in the 2017 WannaCry attack. External traffic is blocked in order to ensure isolation of the virtual environment. Initially, one of the virtual machines is infected with WannaCry, and then the attack starts spreading, as infected IPs begin to scan other IPs on the same network. We identified two characteristics that WannaCry uses to control its spread: 1) the number of threads used for scanning, and 2) the time interval between scans. We conducted multiple experiments by running WannaCry with different characteristics and collecting log traces with Zeek network monitoring tool. Epidemics Reconstruction: We use the WannaCry traces to study the malware behaviour and reconstruct the epidemics. The start and end time of the epidemics for each WannaCry variant is given by the first malicious attempt, and the last communication event, respectively. Hence, the first IP trying to establish a malicious connection represents “patient zero”, and an IP trying to establish at time t a malicious connection for the first time is considered infected at time t. Based on the WannaCry traces, we make the following observations: – Distribution of Δt intervals between attacks: We observe that the Δt between two consecutive attacks from the same infected IP is not fixed. This heterogeneous distribution of Δt intervals between subsequent attacks from the same infected IP introduces the idea of a I ↔ ID dynamics, where I represents the infectious state and ID represents the dormant state. – Distribution of Δt intervals between last attack and end of trace: The Δt between the last attack from an infected IP and the end of observations is quite large. The non-zero, high-valued and heterogeneous distribution of Δt between last attack from an infected IP and the end of observation time supports the idea of a I → R dynamics, with R being the recovered (previously infected, but not infectious anymore) state.

536

A. Chernikova et al.

Fig. 1. Compartmental structure and transitions of the SIIDR model. Susceptible nodes (S), exposed to infected IPs, acquire the infection with rate β. Infected nodes transition with rate γ1 or recover with rate μ. From infected dormant state (ID ) nodes transition back to I with rate γ2 .

Model Description: In accordance with the behavior observed from WannaCry traces, we propose SIIDR, an extension to the SIR model [6] that includes the infected dormant state ID . While other models like SEIR or SEIRS have been used to model the spread of malware [38], SIIDR more closely explains the behavior observed of WannaCry. Furthermore, a model like SEIRS would not make sense, given that Recovery means patching of the EternalBlue vulnerability. Once the operating system is updated (patched), it will not become susceptible again to the same vulnerability. Figure 1 presents the transition diagram corresponding to the SIIDR model. A node that is infected may either recover with rate μ, or move to the dormant state with rate γ1 . From the dormant state, it may become actively infectious again with rate γ2 . We assume a homogeneous mixing model [46], that is, every node is potentially in contact with all the others. This is a good approximation because the WannaCry attack experiments were run within a subnet, where every node was able to scan every other internal IP within the same subnet. The system of differential equations that describe the dynamics of SIIDR, the derivation of the basic reproduction number of the model and discussion of stability are presented in a companion paper [11]. Model Selection and Parameter Estimation: To determine which model is the best fit, we compare common epidemiological models SI, SIS, SIR with SIIDR using the Akaike information criterion (AIC) [1]. The best fit is the model with the minimum AIC score. The AIC scores for all candidate models are presented in Table 1. We observe that the SIIDR model has the lowest AIC scores overall, except for wc 1 20s (on which all models have high AIC). For instance, the AIC score for the SIIDR model for variant wc 4 500ms is as low as -166, while the AIC scores for SI, SIS, and SIR models are 277, 76, and -45, respectively. Hence, SIIDR fits the WannaCry dynamics better than the other candidate models. We use Sequential Monte Carlo (SMC) [24,27] to approximate the posterior distribution of rates (β, μ, γ1 , γ2 ) that fit the actual WannaCry data. The WannaCry variants with less than 20% infected IPs (i.e., 7 infections) were excluded due to insufficient samples to generate accurate models. Table 2 lists the mean values of SIIDR parameters posterior distributions. dt is the simulation time step. We have one contact per dt, thus, the transmission probability over a contact-link

Cyber Network Resilience Against Self-Propagating Malware Attacks

537

Table 1. AIC scores for each of the SPM models for different WannaCry variants. Each WannaCry variant is identified by two parameters: the number of threads used for scanning and the time interval between scans (i.e., wc 1 500ms uses 1 thread to scan every 500 ms). WannaCry variant

SI

SIS SIR SIIDR

WannaCry

SI

variant

SIS SIR SIIDR

wc 1 500ms

583 143

114

-126

wc 4 10s

513

94

-36

-145

wc 1 1s

431 188

145

-127

wc 4 20s

606

76

11

-117

wc 1 5s

683 163

143

72

wc 8 500ms

375 101

18

-147

wc 1 10s

462 197

53

-92

wc 8 1s

178

91

51

-116

wc 1 20s

704 559

696

700

wc 8 5s

149 104

-35

-121

277

76

-45

-166

wc 8 10s

253

74

-90

-118

wc 4 1s

222 160

107

-55

wc 8 20s

387 164

173

-89

wc 4 5s

412 186

158

-46

wc 4 500ms

Table 2. Mean values from posterior distribution of SIIDR parameters, estimated with sequential Monte Carlo. For details, see our companion paper [11]. WannaCry variant β

μ

γ1

γ2

dt

wc 1 500ms

0.10 0.06 0.76 0.04 0.09

wc 1 1s

0.11 0.07 0.71 0.07 0.06

wc 1 5s

0.37 0.52 0.27 0.44 0.16

wc 1 10s

0.12 0.06 0.75 0.05 0.09

wc 4 1s

0.14 0.07 0.75 0.08 0.05

wc 4 5s

0.12 0.07 0.76 0.07 0.07

wc 8 20s

0.13 0.09 0.74 0.08 0.07

equals β. We use these parameters to evaluate defenses in Sect. 7. For more details on model selection and parameter estimation, see our companion paper [11].

4

Defense Methodology

We model the network as a host-to-host communication graph. The nodes represent systems like computers, mainframe, peripherals, load balancer devices, etc. that communicate over TCP/UDP. An edge exists between two systems if they exchange network communication. We create these communication graphs from NetFlow data collected inside the organization. Putting defensive control on some of the nodes and edges in the network makes them inaccessible to the attacker. We define the Attacker’s Reachability Graph (ARG) as the nodes and edges that an attacker has access to after defenses have been applied. We devise and study defense strategies from four different perspectives, as illustrated in Fig. 2 and summarized in Table 3. We describe these defenses next:

538

A. Chernikova et al.

(a) Node Splitting

(b) Edge Hardening

(c) Node Hardening

(d) Isolation

Fig. 2. Cybersecurity defense strategies: a) Node splitting – access to nodes B, F, G from node A is disabled, and a new node A’ is created, with links to nodes B, F, G. b) Edge hardening via firewall rules. c) Node hardening via security patches and monitoring techniques. d) Isolation – the denser cluster comprised of nodes E, F, G is separated from the rest of the network through enhanced security measured at the boundary.

– Node Splitting: This newly proposed method reconfigures network communication by splitting and balancing top-degree nodes. It requires node addition and rewiring of edges, which can be implemented by reconfiguring communication via traffic management solutions available in data centers. – Edge Hardening: This implies monitoring certain edges in the communication graph and corresponds to edge removal from ARG. It can be implemented via firewall rules for blocking certain flows, closing of some network ports, or adding rules to network intrusion detection systems (NIDS). – Node Hardening: This implies monitoring certain nodes in the communication graph and corresponds to node removal from ARG. It can be implemented via system updates, security patch installation, and monitoring through endpoint agents. – Isolation: This newly introduced method requires hardening of edges or nodes on community boundaries via separation of densely connected communities from the rest of the network. Node Splitting: We introduce NodeSplit, a new algorithm that reconfigures network communication in order to increase resilience to SPM attacks. In our proposed approach, node splitting is targeted at top-degree nodes. If compromised, Table 3. Defense strategies and associated topological changes. Defense strategy Algorithms

Topological changes in ARG

Cybersecurity measures

Node splitting

NodeSplit

Node addition and edge rewiring

Reconfiguring access rules

Edge hardening

MET [20], RandE

Edge removal

Firewalls, closing open ports

Node hardening

Degree, ENS, NB [43], RandN

Node removal

System updates, Security patches

Isolation

CI-Edge, CI-Node

Edge/node removal

Hardening at community boundary

Cyber Network Resilience Against Self-Propagating Malware Attacks

539

these highly connected nodes become super-spreaders and potentially propagate the infection within a large portion of the network. By decreasing the size of their one-hop neighborhoods we can reduce the infection footprint. Breaking up the super-spreaders takes advantage of the highly heterogeneous topology of real networks [35]. NodeSplit is an iterative method, which progressively selects the current topdegree node and splits it in two: half of the links remain with the existing node, and half of the links are moved to a newly created node. The total number of peer nodes added equals the number of splits and depends on the available budget. In practice, the new node can be physical or virtual. A new physical node requires additional hardware, while a virtual node requires computational and memory resources on an existing server. Virtual machines are usually a cheaper and more flexible alternative to adding physical servers to the network. Node splitting can be implemented in real networks by using existing traffic management frameworks. For instance, Microsoft Azure offers the Traffic Manager service [25], which allows routing of an application’s traffic to different endpoints. Its randomized traffic splitting procedure distributes an application’s traffic at random to multiple nodes and can be used directly to implement NodeSplit. Network traffic can also be reconfigured to different nodes using SDNenabled policies [4]. Edge Hardening: Choosing the optimal edges to secure has been previously investigated in the context of spectral analysis, which refers to the study of the eigenvalues and eigenvectors of the adjacency matrix A of a graph. One particularly important metric in spectral analysis is the largest eigenvalue of the adjacency matrix, λ1 , because it captures communicability (i.e., path capacity) in a graph. Minimizing λ1 was proven to effectively stifle the spread of a virus [7,36]. We investigate the following edge hardening methods: 1. RandE: Baseline that randomly chooses b edges from the graph to harden. 2. MET (short for Multiple Eigenvalues Tracking) [20], a well-known algorithm that was shown to successfully minimize λ1 , which utilizes eigen-scores 1 to estimate the effect of removing edges. MET iteratively chooses edges with highest eigen-score to remove until the budget b of edges is reached. 3. NodeSplit + MET hybrid strategy: This combined strategy consists of reconfiguring a small number of nodes with NodeSplit in order to make the edge distribution more homogeneous, followed by edge hardening with MET. We show in this study that this hybrid strategy is able to minimize the leading eigenvalue more than each of the two methods used separately. Node Hardening: Targeted defense methods in epidemic spreading contain the virus by immunizing a small number of nodes. Which nodes to prioritize for immunization is a very relevant question both in social and computer networks, and has been the objective of numerous studies [5,35,43]. From a cybersecurity perspective, immunization corresponds to node hardening methods such as security 1

The eigen-score of an edge e = (i, j) equals to the product of the i-th and j-th elements of the left and right eigenvectors corresponding to λ1 , i.e. u(i) × v(j).

540

A. Chernikova et al.

patches, system updates, and node monitoring via endpoint agents. The secured nodes become very hard to compromise and are removed from the Attacker’s Reachability Graph. We analyze four methods for node immunization: 1. RandN: This is a baseline method, in which the nodes are chosen randomly throughout the network. 2. Degree: We progressively immunize the most connected nodes, as they contribute highly to the spread of infection. 3. ENS (Effective Network Size): Nodes with the highest effective network size are more likely to act like “bridges” between dense clusters [47] and monitoring them is likely to prevent attack spreading. 4. NB (Nonbacktracking Centralities): We explore a recent method [43], which uses the behavior of the spectrum of the nonbacktracking matrix. This method identifies nodes whose removal from the network has the largest impact on the leading eigenvalue of the nonbacktracking matrix. Isolation: Communities are topological groups of nodes with dense internal connections. We design and explore community isolation strategies that work in two steps: First, community detection algorithms are used to identify communities. Many such algorithms are readily available – we use the well-known Infomap, Leading Eigenvector and the newer Leiden algorithm [45]. Second, community borders are secured, by hardening either nodes or edges. This translates in securing candidate bridge connections from the Attacker’s Reachability Graph, in order to effectively detach the communities of a network and limit the spread of the attack. We study three isolation methods: 1. CI-Edge, in which all the edges on the borders are secured. 2. CI-Node, in which boundary nodes with highest degree are secured, in decreasing order of their degree. 3. NodeSplit + CI-Edge hybrid strategy. Reconfiguring a small number of nodes before performing community isolation improves the division of a network into modules. This is shown by an increase in modularity2 .

5

Experimental Setup

Datasets: We use an anonymized network flow dataset from an industry partner consisting of 3.4 million nodes and 50 million links. The Critical Watch Report of 20193 found out that 65% of vulnerabilities on TCP/UDP ports are linked to only 3 ports: 22, 443 and 80. Therefore, we extract and investigate the communication corresponding to a few representative ports: 22 (SSH), 80 (HTTP), 139 (SMB 2

3

Modularity is defined as the number of edges falling within groups minus the expected number in the null model of the network (i.e., an equivalent network with edges placed at random) [29]. https://www.newnettechnologies.com/study-finds-majority-of-port-vulnerabilitiesare-found-in-three-ports.html.

Cyber Network Resilience Against Self-Propagating Malware Attacks

541

Table 4. Topological data for the six port-based graphs studied. Port Number of Nodes

Number of Edges

Mean Density Degree

Diameter Avg Dist

Transitivity (global)

Transitivity (avg local) 0.181

22

60,825

333,797

11

0.0002

11

2.81

0.0001

80

287,156

1,833,568

13

0.00004

9

3.01

0.00003

0.058

139

1,912

9,532

10

0.005

9

2.93

0.000006

0.001 0.236

383

7,101

22,910

6

0.0009

7

3.45

0.001

443

620,096

4,437,255

14

0.00002

12

2.80

0.000002

0.023

445

317,031

6,832,418

43

0.0001

10

2.79

0.00001

0.058

over NetBIOS), 383 (HP data alarm manager), 443 (HTTPS), and 445 (SMB), described in Table 4. For each port, We construct undirected, unweighted, 3-core graphs (i.e., the maximal subgraph where all the vertices have degree at least 3). We note the wide range of graph sizes we are investigating, and also the small ‘Avg Dist’ (i.e., the mean vertex-to-vertex distance), which implies that any attack will spread fast within the network. For other properties illustrated here (Density, Diameter, Transitivity) we refer the reader to [30]. We discover that our graphs have power-law degree distribution: while the bulk of the nodes have small degree, there is a smaller number of nodes with degrees much higher than the mean value. This property plays a crucial role in devising best defense strategies and it has been shown to be key to explain the success of targeted immunization strategies. Evaluation Measures: Let G be the original graph and G the perturbed graph after applying the defense methods. We use the following evaluation measures, whose importance in quantifying a network’s resilience to attacks has been pointed out in previous research [43]: – EigenDrop Δλ – drop in the leading eigenvalue: This metric captures the path capacity reduction within the graph. The leading eigenvalue characterizes the epidemic threshold [36] – i.e., the regime required for an epidemic to occur. Decreasing the leading eigenvalue of the graph essentially increases the epidemic threshold and enables stronger attacks to die out fast. The per  centage drop in the leading eigenvalue λ is: Δλ% = 100 × λ−λ λ , where λ is  the leading eigenvalue of the perturbed graph G . – Fragmentation σ – size of the largest connected component relative to the total graph size: Let N be the size of the graph, and NL the size of its largest connected component. We define σ = NL /N as the fraction of nodes contained in the largest connected component. The larger the number of nodes that can be reached by the attack, the more damage it can cause. Reducing σ enables attack surface reduction by containing the attack within smaller connected components and thus reduces the infection footprint.

6

Evaluation of Network Resilience

In this section we evaluate how successful are the four types of defenses at increasing the network resilience to SPM.

542

A. Chernikova et al.

Fig. 3. NodeSplit: EigenDrop after node splitting, depending on the number of split nodes, k (left), and the fraction of split nodes, fk (right) (higher is better). A 40–50% increase is observed on four of the graphs after only 50 splits (left). Steady increase for all ports as the fraction of split nodes increases (right).

Node Splitting: The NodeSplit method progressively selects the node with highest degree and transfers half of its edges to a newly created node to balance the number of connections. Thus, the graph becomes more homogeneous in terms of the degree distribution. We analyzed this transition using Alstott et al. [3]’s mathematical package and report the following findings. For the smaller graphs (ports 139, 383 and 22), a critical point has been reached before a fraction of 0.2 new nodes were added to the graph; after that, the distribution is closer to exponential, rather than power-law (indicated by the loglikelihood ratio). The trend towards a more homogeneous degree distribution also occurs for the larger graphs, however reaching the critical point requires significantly more splits. Intuitively, the “communicability” in the graph is also decreased, as the fastest spreaders of information, the hubs, have reduced their number of connections. This is captured by a decrease in the leading eigenvalue. Figure 3 illustrates the EigenDrop, Δλ%, depending on the number of new nodes (which equals the number of splits). On most ports, even a small number of splits leads to a substantial decrease in the leading eigenvalue. For example, just 50 node splitting operations are needed to achieve a 40–50% lambda drop for graphs whose mean degree is in teens. The long-term trend of a slow but steady EigenDrop increase is visible in Fig. 3 (right) for larger graphs, as we keep splitting more nodes. On the other hand, the largest connected component (i.e., our second evaluation metric) is generally preserved. Edge Hardening: We compare RandE, MET [20], and a hybrid method that combines NodeSplit with MET in Fig. 4 in terms of EigenDrop. While MET reduces the leading eigenvalue by itself, the hybrid strategy provides a significant additional drop. For example, at 10% edges removed (x-axis), the hybrid strategy with 100 split nodes (NodeSplit-100 + MET) almost triples MET’s EigenDrop on all graphs. MET is designed to work within a connected graph, and fragmentation (our second resilience metric) is generally negligible.

Cyber Network Resilience Against Self-Propagating Malware Attacks

543

Fig. 4. Edge Hardening: EigenDrop depending on the percentage of removed edges. NodeSplit-k denotes a number of k splits (higher is better). Hybrid strategies provide additional increase in EigenDrop over MET on all graphs.

Fig. 5. Node Hardening: EigenDrop depending on the number of immunized nodes (higher is better). Degree, ENS and NB methods significantly outperform RandN. Top x-axis shows the fraction of immunized nodes, which is very small. Similar results on the other port-based graphs.

Node Hardening: Next, we evaluate the benefit of “immunizing” a small number of nodes to minimize the spread of malware using the following methods: RandN (baseline random node removal), Degree (top-degree nodes), ENS (top nodes according to the effective network size metric), and NB (non-backtracking centralities). Figure 5 illustrates the decrease in the leading eigenvalue after immunizing a number of nodes given by the budget. Interestingly, Degree, ENS and NB deliver very similar performance. This is due to the presence of a highly skewed degree distribution with a few heavily connected star-like nodes which also act as bridges: information needs to go through them to reach other nodes, resulting in large ENS and high path capacity (NB). As expected, uniform immunization strategies (RandN) are not effective, as they give the same weight to nodes with high and low connectivity. How does the graph structure change when the immunized nodes are removed? Fig. 6 shows that Degree, ENS and NB exhibit a sharp drop in the size of the largest connected component. In contrast, RandN tends to select lowdegree nodes that represent the vast majority of nodes, and whose removal has a low impact on connectivity. On ports 22 and 139, immunizing just 50 nodes with Degree/ENS is enough to break down the largest connected component.

544

A. Chernikova et al.

Fig. 6. Node Hardening: The size of the largest connected component in terms of the original graph size (σ) (lower is better). Immunizing just 50 nodes on all ports significantly breaks down the largest connected component with all of the methods. Top x-axis shows the fraction of immunized nodes.

Such a rapid disintegration happens due to the highly heterogeneous degree distribution, and was shown to be characteristic of scale-free networks [2]. Isolation: Isolating communities breaks the Attacker’s Reachability Graph into smaller connected components and thus decreases the attack footprint. This method uses a community extraction algorithm to identify communities, and then secures the borders. We compared three methods for community extraction: Leiden, Infomap and Leading Eigenvector. Leiden performed better, both in terms of fragmentation achieved and run time, therefore, the experiments in this section use the Leiden method. Our experiments revealed that node hardening methods perform similarly at graph level and community level, because many of the most connected nodes are also inter-community “bridge nodes” (ports 22, 80, 443, 445). However, community isolation offers a viable alternative to immunization when it is preferred to secure edges instead of nodes. Hybrid strategies consisting of NodeSplit + CI-Edge are particularly promising, given that the modularity property of isolated communities increases with the number of splits on all graphs (Fig. 7a). As communities become more modular, we can achieve a better partitioning of the network. This hybrid method is able to reduce the size of the largest connected component significantly. The trade-off between the level of fragmentation obtained and the fraction of boundary edges removed is illustrated in Fig. 7b: σ decreases, and, eventually, after an initial peak, the communities become more modular, with fewer inter-community edges.

7

Evaluation of Infection Spreading

In this section, we investigate which defenses are able to mitigate or even completely eradicate attacks. To this end, we run stochastic simulations of SIIDR on the communication graphs, using the parameters estimated from modeling WannaCry from Table 2. “Patient zero” P 0 is a single randomly chosen initially infected node. This is a good approximation, because targeted attacks would be

Cyber Network Resilience Against Self-Propagating Malware Attacks

(a) Modularity

545

(b) Largest connected component, frac. (σ)

Fig. 7. NodeSplit+CI-Edge hybrid strategy depending on the number of splits. (a): Modularity on all graphs increases. P stands for Port. (b): The size of the largest connected component decreases (y1-axis). At the same time, the boundaries become sparser, with fewer edges (y2-axis) and better isolated communities.

even more promptly stopped by some of the defense methods (i.e., those targeting the super-spreaders, such as node hardening and NodeSplit). The results are averaged over 500 stochastic instances of (P 0, β, μ, γ1 , γ2 ) and use the following budgets: 50 nodes for NodeSplit, 50 nodes immunized with Degree, ENS, NB, and a fraction of 0.1 edges removed with MET. Attack Eradication: Prakash et al. [36] derived the effective strength s = λ1 × (β/μ) for a generic epidemics model that covers SIR and SIS in addition to several other models. If s ≤ 1, then the infection dies out exponentially fast, which translates into a linear decay on a log-linear plot [7]. Our experimental results on ports 139 and 383 presented in Fig. 8 show that s is able to capture the “tipping point” for SIIDR as well, with the infection exhibiting a nearly linear decay when s is close to 1. We observe that, compared to ‘no defense’, the node hardening strategies lead to a 20× decrease in the effective attack strength s, while the hybrid NodeSplit-based strategies achieve a 2−3× decrease. For the attack variants studied here, only the node hardening techniques are getting close to a linear infection decay, and, thus, are able to prevent a major outbreak. Hybrid NodeSplit-based methods would be successful in eradicating stealthier attacks (with slower propagation speeds than our attack variants). Attack eradication becomes even more challenging on larger scale-free graphs like ports 22, 80, 443, 445, which are comprised of millions of edges and up to 600K nodes. The difficulty is due to very high λ1 values that have been shown to grow with the size of scale-free graphs [12,34]. Implicitly, large λ1 results in high effective attack strength s, which requires higher budgets of hardened nodes and edges than the ones used here to quickly stop the attack. Attack Mitigation: However, even at low budgets, our defenses can still achieve major improvements in terms of minimizing the infection footprint, defined as the total fraction of nodes in compartments I, ID and R. We will demonstrate these results next, using the larger port-based graphs. Defense methods that reduce the largest connected component, such as node hardening and community

546

A. Chernikova et al.

(a) Port 139, wc 1 5s

(b) Port 383, wc 1 5s

(c) Port 383, wc 8 20s

Fig. 8. Number of infected nodes (I + ID ) in log scale, averaged over 500 simulations, depending on the time step (lower is better). Methods that lead to linear infection decay (i.e., node hardening) are able to prevent outbreaks.

(a) Port 22, wc 1 1s

(b) Port 80, wc 1 10s

(c) Port 443, wc 4 5s

Fig. 9. Infection footprint (I + ID + R) depending on the time step (lower is better). Degree and ENS overlap, hence, ENS was omitted. Significant reduction of the infection footprint was obtained on all ports across all attack variants after applying the defenses (other port/variant scenarios omitted due to space limit).

isolation strategies, are the most successful at attack mitigation, because they contain the attack within smaller segments of the network. Figure 9 shows a reduction of the infection footprint from about 97% with ‘no defense’ down to 1% on port 22 (with Degree), 11% on port 80 (with hybrid NodeSplit+CI-Edge), and 11% on port 443 (with Degree) for the attack variants illustrated here. Note that these are strong attacks, that lead to almost all nodes being infected when no defenses are employed. We obtained substantial attack mitigation across the board, for all ports and variants. Defense Generality: In this section, we presented defense results against selfpropagating malware implemented with the SIIDR model, using parameters estimated for the 7 WannaCry malware variants from Table 2. We have additionally run SPM attacks with a range of parameters for infection and recovery rates in SIIDR, varying the ratio β/μ ∈ (0, 1], and we observed similar findings. Typically, node hardening strategies, such as Degree and ENS, achieve the lowest infection footprint. Node splitting and community isolation defenses are also effective, particularly in hybrid strategies. While we selected the SIIDR model for our experiments here (given its lowest AIC scores on our malware variants),

Cyber Network Resilience Against Self-Propagating Malware Attacks

547

we believe that our defenses will be similarly effective against other epidemiological models for malware propagation, including SIR and SIS.

8

Related Work

Network robustness had been studied across multiple domains like infrastructure, communication and social networks, in order to understand the functioning and vulnerabilities of complex interconnected systems. Key metrics for measuring robustness (including the spectral radius and largest connected component used in this study) have been proposed and used in several papers [2,5,10,16,42]. A large body of work has looked at modeling the spread of epidemiological processes in networks [7,34–36]. Building up on this, several strategies that propose to stop the infection by manipulating the adjacency matrix of the graph have been developed, including edge removal algorithms [20,41] and node removal techniques that use centrality measures such as degree centrality, betweenness centrality, PageRank, eigenvector centrality, Katz centrality, X-centrality, etc. [16,42,43]. Rey [38] provides a comprehensive review of compartmental models for malware modeling. Mathematical proposals for the modeling and evaluation of malware dynamics include [19,28,44,48]. Other works focus on malware propagation in specific settings, like wireless sensor networks [31] or VMs under the infrastructure as a service (IaaS) architecture [17]. Closer to our work on malware fitting, Levy et al. [21] use the classical SIR model to identify the rate of infection and other parameters from real traces. Reconfiguring communication generally has tackled the reverse problem compared to our NodeSplit method: rather than preventing attack propagation, the goal of previous research was to rewire edges in order to have alternative paths if a hub fails [8,23]. Community isolation has been studied from the point of view of the attacker, using module-based attacks to fragment social, infrastructure and biological networks [37].

9

Discussion and Conclusions

Recent large-scale cyber attacks such as WannaCry and Mirai have demonstrated how pervasive the risk of self-propagating malware has become. With cyber threats looming, it is important to proactively address vulnerabilities in networks to minimize the impact of an attack. From our extensive experiments with realworld graphs and realistic modeling of WannaCry attacks, we have gained several cybersecurity insights. We summarize these insights in a set of recommendations for security teams to increase network resilience against SPM attacks. First, we note that SPM malware relies on network connections to spread. Therefore, the best defenses must create topological structures that prevent SPM from spreading without impeding the transmission of legitimate traffic. Closing unused ports, enforcing firewall blocking rules, and creating access control policies for communication flows are some of the possible edge hardening techniques

548

A. Chernikova et al.

that help reduce the attack surface. Second, the best defenses exploit the inherent hierarchy in networks. Attacks that target hubs or bridges have the potential to be the most devastating. The most effective defense is to identify key superspreaders and allocate security budgets to protect them. Third, reconfiguring communications via access control policies can greatly increase the robustness of the network against attacks. We have shown in our experiments that it is efficient to split the most connected nodes in half to balance their connections; we expect high gains even with smaller budgets. Finally, focusing on communities within the network makes it possible to prioritize security measures under limited budgets. A modular approach can also leverage densely connected partitions by isolating them from the rest of the network to prevent a large-scale infection spread. Moreover, it addresses the issue of vanishingly small epidemic thresholds of large scale-free networks, making it easier to stop a self-propagating attack before it becomes an epidemic. In our experiments, we analyzed in detail the impact of these recommendations as a function of their cost in terms of topological changes. From a cybersecurity perspective, hardening nodes through security updates and patches is the most straightforward method and can help prevent major SPM attacks, including the WannaCry malware studied here. Monitoring nodes through intrusiondetection systems is more costly, especially when traffic analysis is performed over a large number of connections, but it can prevent other cyber attacks. Node splitting is based on managing network traffic in a cyber network, which can be implemented with existing traffic management solutions (available in cloud data centers) or SDN-enabled policies. These solutions provide performance improvements in addition to security, but they induce additional implementation costs. Acknowledgements. This research was sponsored by PricewaterhouseCoopers LLP and the U.S. Army Combat Capabilities Development Command Army Research Laboratory (DEVCOM ARL) under Cooperative Agreement Number W911NF-13-2-0045. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of DEVCOM ARL or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation here on.

References 1. Akaike, H.: Information theory and an extension of the maximum likelihood principle. In: Parzen, E., Tanabe, K., Kitagawa, G. (eds.) Selected Papers of Hirotugu Akaike. Springer Series in Statistics. Springer, New York (1998). https://doi.org/ 10.1007/978-1-4612-1694-0 15 2. Albert, R., Jeong, H., Barab´ asi, A.L.: Error and attack tolerance of complex networks. Nature 406, 376–382 (2000) 3. Alstott, J., Bullmore, E., Plenz, D.: Powerlaw: a python package for analysis of heavy-tailed distributions (2013). http://arxiv.org/abs/1305.0215 4. Anjum, I., et al.: Removing the reliance on perimeters for security using network views. In: ACM SACMAT, pp. 151–162 (2022)

Cyber Network Resilience Against Self-Propagating Malware Attacks

549

5. Baig, M.B., Akoglu, L.: Correlation of node importance measures: an empirical study through graph robustness. In: WWW, pp. 275–281 (2015) 6. Brauer, F.: Compartmental models in epidemiology. In: Mathematical Epidemiology. LNM, vol. 1945, pp. 19–79. Springer, Heidelberg (2008). https://doi.org/10. 1007/978-3-540-78911-6 2 7. Chakrabarti, D., Wang, Y., Wang, C., Leskovec, J., Faloutsos, C.: Epidemic thresholds in real networks. ACM Trans. Inf. Syst. Secur. 10(4), 1:1-1:26 (2008) 8. Chan, H., Akoglu, L.: Optimizing network robustness by edge rewiring: a general framework. Data Min. Knowl. Discov. 30(5), 1395–1425 (2016). https://doi.org/ 10.1007/s10618-015-0447-5 9. Chen, P., Choudhury, S., Rodriguez, L., III, A.O.H., Ray, I.: Enterprise cyber resiliency against lateral movement: a graph theoretic approach. CoRR (2019) 10. Chen, Z., Tong, H., Ying, L.: Realtime robustification of interdependent networks under cascading attacks. In: 2018 IEEE International Conference on Big Data (Big Data), pp. 1347–1356 (2018) 11. Chernikova, A., Gozzi, N., Boboila, S., Perra, N., Eliassi-Rad, T., Oprea, A.: Modeling self-propagating malware with epidemiological models (2022) 12. Chung, F., Lu, L., Vu, V.: Eigenvalues of random power law graphs. Ann. Comb. 7, 21–33 (2003) 13. Cloudflare: Inside the infamous Mirai IoT Botnet. https://blog.cloudflare.com/ inside-mirai-the-infamous-iot-botnet-a-retrospective-analysis/. Accessed Apr 2022 14. Coresecurity: What is Ryuk Ransomware? (2022). https://www.coresecurity.com/ core-labs/articles/what-is-ryuk-ransomware 15. Freitas, S., Wicker, A., Chau, D.H.P., Neil, J.: D2 M: dynamic defense and modeling of adversarial movement in networks. In: SDM, pp. 541–549. SIAM (2020) 16. Freitas, S., Yang, D., Kumar, S., Tong, H., Horng (Polo) Chau, D.: Graph vulnerability and robustness: a survey. TKDE (2022) 17. Gan, C., Feng, Q., Zhang, X., Zhang, Z., Zhu, Q.: Dynamical propagation model of malware for cloud computing security. IEEE Access 8, 20325–20333 (2020) 18. GitHub: Open-source code for investigating cyber network resilience (2022). https://github.com/neu-nds2/cyber-resilience 19. Guillen, J.H., Del Rey, A.M., Casado-Vara, R.: Security countermeasures of a SCIRAS model for advanced malware propagation. IEEE Access 7, 135472–135478 (2019) 20. Le, L.T., Eliassi-Rad, T., Tong, H.: MET: A fast algorithm for minimizing propagation in large graphs with small eigen-gaps. In: SDM, pp. 694–702 (2015) 21. Levy, N., Rubin, A., Yom-Tov, E.: Modeling infection methods of computer malware in the presence of vaccinations using epidemiological models: an analysis of real-world data. Int. J. Data Sci. Anal. 10(4), 349–358 (2020). https://doi.org/10. 1007/s41060-020-00225-1 22. Liao, C.M., Liu, W., Tang, S., Xiao, Y.: Model selection and evaluation based on emerging infectious disease data sets including A/H1N1 and Ebola. Comput. Math. Methods Med. (2015) 23. Louzada, V.H.P., Daolio, F., Herrmann, H.J., Tomassini, M.: Smart rewiring for network robustness. J. Complex Networks 1(2), 150–159 (2013) 24. McKinley, T.J., et al.: Approximate Bayesian computation and simulation-based inference for complex stochastic epidemic models. Stat. Sci. 33(1), 4–18 (2018) 25. Microsoft Azure: Traffic Manager documentation (2022). https://docs.microsoft. com/en-us/azure/traffic-manager/

550

A. Chernikova et al.

26. Mike Azzara: What is wannacry ransomware and how does it work? https://www. mimecast.com/blog/all-you-need-to-know-about-wannacry-ransomware/ 27. Minter, A., Retkute, R.: Approximate Bayesian computation for infectious disease modelling. Epidemics 29, 100368 (2019) 28. Mishra, B.K., Pandey, S.K.: Dynamic model of worm propagation in computer network. Appl. Math. Model. 38(7–8), 2173–2179 (2014) 29. Newman, M.E.J.: Modularity and community structure in networks. Proc. Natl. Acad. Sci. 103(23), 8577–8582 (2006) 30. Newman, M.: The structure and function of complex networks. SIAM Rev. 45(2), 167–256 (2003) 31. Ojha, R.P., Srivastava, P.K., Sanyal, G., Gupta, N.: Improved model for the stability analysis of wireless sensor network against malware attacks. Wireless Pers. Commun. 116(3), 2525–2548 (2021) 32. Zlotnik, O.: System hardening guidelines for 2022 (2021). https://www.hysolate. com/blog/system-hardening-guidelines-best-practices/ 33. Ongun, T., et al.: PORTFILER: port-level network profiling for self-propagating malware detection. In: IEEE CNS, pp. 182–190 (2021) 34. Pastor-Satorras, R., Vespignani, A.: Epidemics and immunization in scale-free networks. In: Handbook of Graphs and Networks. Wiley-VCH (2003) 35. Pastor-Satorras, R., Castellano, C., Van Mieghem, P., Vespignani, A.: Epidemic processes in complex networks. Rev. Mod. Phys. 87, 925–979 (2015) 36. Prakash, B., Chakrabarti, D., Faloutsos, M., Valler, N., Faloutsos, C.: Threshold conditions for arbitrary cascade models on arbitrary networks. Knowl. Inf. Syst. 33, 537–546 (2011) 37. Requiao Da Cunha, B., Gonz´ alez-Avella, J., Gon¸calves, S.: Fast fragmentation of networks using module-based attacks. PLoS ONE (2015) 38. Rey, A.: Mathematical modeling of the propagation of malware: a review. Secur. Commun. Networks 8 (2015) 39. Seals, Tara: Innovative PureLocker ransomware emerges in targeted attacks (2019). https://threatpost.com/purelocker-ransomware-targeted-attacks/150229/ 40. Stocks, T., Britton, T., Hohle, M.: Model selection and parameter estimation for dynamic epidemic models via iterated filtering: application to rotavirus in Germany. Biostatistics 21(3), 400–416 (2018) 41. Tong, H., Prakash, B.A., Eliassi-Rad, T., Faloutsos, M., Faloutsos, C.: Gelling, and melting, large graphs by edge manipulation. In: CIKM, pp. 245–254 (2012) 42. Tong, H., Prakash, B.A., Tsourakakis, C., Eliassi-Rad, T., Faloutsos, C., Chau, D.H.: On the vulnerability of large graphs. In: IEEE ICDM, pp. 1091–1096 (2010) 43. Torres, L., Chan, K., Tong, H., Eliassi-Rad, T.: Nonbacktracking eigenvalues under node removal: X-centrality and targeted immunization. SIAM J. Math. Data Sci. 3, 656–675 (2021) 44. Toutonji, O.A., Yoo, S.M., Park, M.: Stability analysis of VEISV propagation modeling for network worm attack. Appl. Math. Model. 36(6), 2751–2761 (2012) 45. Traag, V.A., Waltman, L., van Eck, N.J.: From Louvain to Leiden: guaranteeing well-connected communities. Sci. Rep. 9(1), 5233 (2019) 46. Vespignani, A.: Modelling dynamical processes in complex socio-technical systems. Nat. Phys. 8(1), 32–39 (2012) 47. Wikipedia: Structural holes. https://en.wikipedia.org/wiki/Structural holes. Accessed Apr 2022 48. Zhu, Q., Yang, X., Ren, J.: Modeling and analysis of the spread of computer virus. Commun. Nonlinear Sci. Numer. Simul. 17(12), 5117–5124 (2012)

INC: In-Network Classification of Botnet Propagation at Line Rate Kurt Friday1(B) , Elie Kfoury2 , Elias Bou-Harb1(B) , and Jorge Crichigno2 1

2

The Cyber Center for Security and Analytics, The University of Texas at San Antonio, San Antonio, USA {kurt.friday,elias.bouharb}@utsa.edu Integrated Information Technology, The University of South Carolina, Columbia, USA [email protected], [email protected]

Abstract. The ever-increasing botnet presence has enabled attackers to compromise millions of nodes and launch a plethora of Internetscale coordinated attacks within a very short period of time. While the challenge of identifying and patching the vulnerabilities that these botnets exploit in a timely manner has proven elusive, a more promising solution is to mitigate such exploitation attempts at core traffic transmission mediums, such as within the forwarding devices of ISPs, backbones, and other high-rate network environments. To this end, we present an In-Network Classification (INC) technique to fingerprint the spread of botnets at wire-speed within busy networks. In particular, INC employs a unique bagging classification system residing entirely within programmable switch hardware in order to classify and subsequently mitigate bot infections amid Tbps traffic rates. Additionally, INC immediately pushes the data plane features of mitigated bots to the controller to infer botnet orchestration in real-time via behavioral clustering. INC was comprehensively evaluated against several datasets and achieved stateof-the-art results while reducing the detection times of comparable techniques by several orders of magnitude. Further, we demonstrate that INC can generalize well to previously unseen botnets. Keywords: Bot detection · Botnet inference · Machine learning · Ensemble learning · Bootstrap aggregation · Bagging · Network traffic classification · Programmable switches · P4

1

Introduction

Botnets have long been the key means of executing various Internet attacks, including Distributed Denial of Service (DDoS), spam, cryptojacking, identify theft, phishing, and more recently, ransomware. Despite numerous research efforts devoted to safeguarding modern-day networks against this coordinated maliciousness, botnet malware infections persist as one of the primary security concerns as outbreaks continue to escalate in both frequency and volume [1]. c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 551–569, 2022. https://doi.org/10.1007/978-3-031-17140-6_27

552

K. Friday et al.

Indeed, it has been empirically demonstrated that a single botnet can infect upwards of a million devices in a very short period of time [2]. Moreover, it is possible for enterprises to now be held liable for any attacks that their infected machines may conduct [6], despite the fact that such infections can occur without the network operator’s knowledge [36]. A number of factors have amplified the spread of botnet malware; however, none of these factors are more fundamental to its propagation than the enhanced reachability of computing devices in general. Furthermore, the bots of a botnet typically have short lifetimes (e.g., a few days) due to patching procedures, malware detection mechanisms, etc. [31], so it is essential for a botnet to exploit this reachability to remain healthy. Thus, the most effective means of safeguarding the Internet at large against botnet infections is by eradicating the propagation of botnet malware at the Internet’s core transmission mediums, namely, the data planes of ISPs, BackBones (BBs), Science DMZs, and other high-rate network environments. Additionally, it is paramount that detection is performed swiftly, given the speed at which botnet infections can propagate. To this end, a number of botnet detection techniques employing network traffic analysis have been proposed; however, the state-of-the-art techniques still must be conducted at a time later than when the traffic was transmitted. Largely, these approaches are based on software that processes packet captures or flow data in an offline manner. Notably, software is incapable of processing the large traffic loads of the aforementioned high-rate network implementations without severe throughput degradation or even crashes [37]. Hence, softwarecentric approaches can not support broad-scale botnet detection or are tightly coupled with substantial detection latency. Alternatively, a few approaches extract the features of traffic flows from the data plane’s switches. As opposed to software, switch hardware is capable of handling high rates of network traffic. Then at a later predetermined point in time, the flow features are collected by a centralized machine (i.e., a controller) that fingerprints bot traffic. While this leveraging of the data plane is commendable, there are still research gaps that exist. In particular, these strategies rely on aggregating an abundance of flow data, which is both time consuming and taxing on a switch’s limited storage. Moreover, the centralized detection may result in network congestion [32] and additional delays due to discrepancies between when the data collection for a malicious flow has completed in the data plane and when the detection is actually performed on the controller. Additionally, past implementations do not scale well to busy core networks that typically must process millions of unique IP addresses within very short periods of time and support asymmetric routing (i.e., bidirectional flow features cannot be utilized). Finally, while the aforementioned strategies fingerprint bots, they do not identify coordination between them. As a result, such strategies fail to provide key insights pertaining to specific services or previously-unknown vulnerabilities that should be hardened, future coordinated attacks that can expected and therefore provisioned for, etc.

INC: In-Network Classification of Botnet Propagation at Line Rate

553

To address these research gaps, we propose INC, an in-network classification scheme rooted in P4 [4] that not only extracts relevant features but also performs bot detection entirely within the data plane via the programmable switch technology. In particular, INC instruments such switches with an Adapted Switch Classification (ASC) technique, which circumvents the aforementioned pitfalls associated with centralized detection strategies. ASC was constructed in a compact manner for high-throughput switches (supporting up to 25 Tbps traffic processing [13]) and to run alongside a variety of other essential switch applications. To the best of our knowledge, INC is the first full-fledged, switch-based classification methodology (i.e., the extraction and subsequent storing of features, followed their classification) that is conservative enough with the switch’s limited resources to allow the concurrent execution of switch’s required forwarding and telemetry applications. Further, INC requires a small number of unidirectional packets from a source IP address to detect if it is a bot, which enables both asymmetric routing implementations and detection speeds that are many orders of magnitude faster than the state-of-the-art. Additionally, INC is equipped with a novel data structure for the storing of granular per-IP features necessary for accurately fingerprinting individual bots amid the millions of IPs that busy core network environments process in short time windows. Lastly, INC transmits the features of bots upon detection to the centralized controller in order to attribute the presence of botnet campaigns in real time. INC was comprehensively evaluated amid a variety of noteworthy datasets. We demonstrate that INC not only achieves an F1-score of 0.99 for bot classification on the test split of the training data but also performs similarly on botnet datasets it has not observed. We also conducted a comparison with state-of-theart approaches that rely on features extracted from the data plane, certifying that INC performs similarly or better than such resource-intensive, centralized Machine Learning (ML) classifiers. Finally, we show that INC can also detect the presence of botnets with an accuracy of 99%. The core contributions of this work are highlighted as follows: – We offer INC as a first-of-a-kind means of mitigating botnet propagation and inferring orchestrated botnets at wire-speed via the newfound programmable switch technology. INC was specifically tailored towards busy network implementations to address the botnet epidemic at scale and to fingerprint such maliciousness within a fraction of the time of past approaches. To facilitate future cybersecurity advancements in this domain, we make all source code publicly available, as well as a variety of code for conducting associated data analysis tasks [19]. – We propose a novel conversion of the Decision Tree (DT) data structure (i.e., ASC) to allow it to be placed entirely within the switch with sufficient resources to spare for several other data plane applications. To the best of our knowledge, this has never before been achieved. Additionally, practitioners can leverage ASC to perform a variety of other ML applications on the switch.

554

K. Friday et al.

– We perform a comprehensive evaluation of INC on several notable datasets and show that INC is, at minimum, as effective as the state-of-the-art ML approaches for bot detection and similarly effective on unseen data. The remainder of the paper is organized as follows. In the following section, we begin by introducing the threat model for this work. In Sect. 2, we present INC and detail its various intricacies. Subsequently, Sect. 3 encompasses a comprehensive evaluation of INC to verify its effectiveness and compare its performance to the state-of-the-art. In Sect. 4, we review the related literature. Finally, we conclude this work and summarize its findings in Sect. 5. 1.1

Threat Model

We begin by first elaborating upon the threat model for which INC was designed. Ultimately, our threat model is based on modern and prominent botnet malware. In general, such malware may explicitly target Internet of Things (IoT) devices, typical environments such as workstations, or both. In turn, we do not make any assumptions about these botnets’ modus operandi, other than it they will have to emit network traffic to achieve their aim. This traffic may include varying degrees of propagation attempts and exchange of information with a Command and Control (C&C) server. We address these variations in the traffic in different strains of contemporary botnet malware by only considering a particular sequence of packets to be malicious if it contains some attempt at propagation or C&C contact. This technique accounts for the fact that infected nodes will often still be performing their typical duties and therefore be transmitting benign traffic as well. Such a sequence of packets is referred to as pthresh herein. In terms of deployment, the switch in which INC resides must be on the path of the aforementioned malicious traffic in order to detect it. For example, an ISP could protect its business and residential consumers by placing INC on the paths utilized by their traffic, as these entities are typically associated with the vulnerable IoT devices and workstations that botnets exploit. Whether such paths with the highest coverage are within the core layer or elsewhere can very depending upon the given network fabric. That said, the small pthresh number of packets that INC requires to accurately fingerprint a bot circumvents the need to consider collaborative detection with choosing a placement strategy. Furthermore, with INC’s reliance upon a small pthresh and no recirculations, any forwarding scenarios for a given topology where one INC-empowered switch might observe some of the same traffic as another will have no impact on classification performance. Finally, INC does not require controller aid to perform detection or bidirectional flow analysis. Indeed, the aforementioned advantages coupled with the cost benefits of leveraging programmable switches [37] enable INC to support any number of placement options and strategies.

2

Proposed Approach

In this section, we present INC’s methodology for detecting isolated bots and performing botnet campaign inference. In particular, an overview of the

INC: In-Network Classification of Botnet Propagation at Line Rate

555

proposed approach is discussed to offer intuition about its modus operandi. Next, the four primary components of INC are highlighted, namely, the Register Recycling Manager (RRM), feature aggregation, ASC, and botnet inference. Figure 1 visualizes these components (denoted with blue) and INC’s overall flow of execution. We kindly refer interested readers to our publicly available source and data analysis code [19] for additional details pertaining to the implementation of INC. 2.1

Overview

When a machine is infected by a given botnet’s malware, aside from the wide variety of malicious acts that the bot might be commanded to perform, there are generally three types of traffic that it may transmit: (1) probing, (2) C&Crelated communications, and (3) traffic associated with the unsuspecting user or any benign processes running on the machine. Thus, the sooner that traffic types (1) and (2) originating from the source IP IPsource of ASC RRM Feature Aggregation a bot can be fingerprinted, the RA f b Forward packet faster any further propagaRA No f b RA tion of the botnet can be mitBot? IP … igated and any future mali… Packets Yes f b cious acts that it may perform Hash(IP ) can be prevented. To this 2. Ports 1. Behaviors extent, INC aims to dramatically reduce number of packBotnet ets from a particular IPsource Botnet Inference that are required to detect Fig. 1. Overview of INC. The primary components traffic types (1) and (2). As are highlighted in blue, which correspond to subsec- portrayed in Fig. 1, this aim is achieved by ASC’s classifitions in Sect. 2. (Color figure online) cation on features aggregated by INC’s Feature Aggregation component over a reduced window of pthresh consecutive packets from such an IPsource . The challenge with storing the aforementioned aggregated features associated with every IPsource in a high-rate network environment that observes many IP addresses is that the switch does not house nearly enough SRAM storage to support such an endeavor. For instance, even if slots of SRAM could be allocated for the feature aggregation of, say, 200K different IPsource values, that is still far less than would be needed to account for the millions of IPsource values that could arise in backbone environments. INC mitigates this issue with the RRM, which promptly frees-up such limited slots so the switch can begin aggregating the features of newly-arriving IPsource values immediately; otherwise, the latency before a newly-arriving bot IPsource receives a slot may allow further infections and other maliciousness to take place prior to detection. Once the pthresh window for an IPsource has concluded, ASC endeavors to classify whether traffic types (1) and (2) are present in the window of packets Switch

1

1

1

2

2

n

n

2

n

ID

Controller

source

556

K. Friday et al.

via the via the aggregated features, in order to determine if the IPsource is a bot or benign entity. However, since novel botnets are increasingly surfacing and their techniques for performing malicious behavior are constantly evolving, an ML model trained on a few botnets can quickly become obsolete. As such, a primary aspiration of ASC is to generalize well to botnet data that was not observed during the training process. In turn, ASC employs a bagging technique based off shallow DT learners that are learned in parallel via bootstrapping and their predictions act as votes towards classifying whether an IPsource is a bot or benign. Since the DT learners are shallow, they offer a dramatic reduction in variance, which promotes ASC’s ability to generalize to botnets that it was not trained on. However, the combination of the learners being shallow and that DTs are trained in a greedy fashion can lead to bias. To address this issue, we propose a feature selection technique that mitigates such bias by identifying aggregated features that are ideal for binary classification and generalization to unseen data. In the event ASC classifies an IPsource as a bot, the IPsource is considered mitigated as its traffic can be easily blocked or monitored at the discretion of the network operator. Additionally, the bot’s aggregated features are immediately pushed to the controller to attribute the IPsource to a botnet, as portrayed in Fig. 1. At this juncture, the controller performs a behavioral clustering procedure on such features with those from other attributed bots to fingerprint occurrences of coordination. Indeed, such behavioral analysis is a strong indicator of orchestrated botnets [22]. 2.2

RRM

The RRM is positioned within INC’s flow of execution as shown in Fig. 1 and has the primary task of mitigating any bot detection delays for a newly-arriving bot’s IPsource due to all SRAM slots being occupied. The RRM addresses this issue by freeing-up a slot on an as-needed basis so that INC can begin aggregating such a bot’s features over its pthresh packet window. In a similar vein, the freeing-up of slots on an as-needed basis also promotes utilizing a smaller pool of slots to consume less SRAM registers within the switch. As portrayed in Fig. 1, an IPsource is first hashed before reaching the RRM. The hashing is performed by a 32-bit Cyclic Redundancy Check CRC32 algorithm, as CRC is computationally inexpensive and readily available in many high-speed networking devices, particularly in Intel Tofino switches [12]. This CRC32 hashing procedure returns an array index IPidx that enables INC to map each IPsource to its corresponding features that are stored in SRAM Register Arrays (RAs). The set of all registers located at IPidx within such RAs act as the slot for a given IPsource . Collisions. Utilizing a smaller pool of slots can result in additional IPidx collisions. However, the CRC32 hashing algorithm uniformly distributes each IPidx throughout the RAs (as opposed to using a portion of the IPsource as an IPidx ) and thereby reduces such collisions. A collision can result in a benign source being wrongly fingerprinted as malicious (a false positive) or even allowing a

INC: In-Network Classification of Botnet Propagation at Line Rate

557

malicious source to appear benign (a false negative). The only guaranteed way of negating collisions entirely is for INC to store the IPsource currently using every IPidx to compare against the IPsource of any incoming packets with the same IPidx . Thus, we employ such a measure via storing each IPsource at index IPidx within RAIP , as shown in the RRM design portrayed in Fig. 2. This figure follows the convention of utilizing a subscript p for data associated with the previous IPsource held at IPidx and a subscript c for that of the newly-arrived IPsource that is currently being processed. Note that all RAs, both within the RRM and the subsequent Feature Aggregation component shown in Fig. 1, have a predetermined size RAsize , which is later evaluated in Sect. 3.4. Priority Groups. To free-up a slot for an incoming IPsource , Priority Groups (P G) are integrated into the RRM to determine when to recycle the RAs’ registers located at IPidx for this IPsource . As shown in Fig. 2, the P G has a bitmap array at every IPidx , which denotes whether a previous IPsource that hashed to such IPidx has been previously classified as benign by assigning the IPsource a priority value of 1 (as opposed to a higher priority of 0). The RRM also maintains a timestamp RA to Evict 110…1000100101000011110 hash (192.158.1.38) 192.158.1.12 control how long an Packets for 192.158.1.38 IP : 192.158.1.38 Priority should be IPsource Discrepancy? Expired? allowed to occupy a slot Yes Yes IP 30 8,784 No in the event it has a priPG PG timeout benign RA PG ority value of 0. Addi192.168.1.2 1110000…110 1 0 0 1 Example data tionally, note in Fig. 2 192.158.1.12 1011111..010 1 0 1 1 192.18.1.122 1001100…001 0 1 … 0 0 that CRC32 is applied p: 192.158.1.12 c: 192.158.1.38 192.168.21.55 1011110…101 1 0 0 0 arr : 16,384 (14 bits) as opposed to CRC16 |PG|: 192.168.1.198 1101100…000 1 1 1 1 32 (5 bits) because five additional bits are needed to idenFig. 2. RRM design. tify the P G index at the given IPidx RA location. Figure 2 visualizes an example operation of the RRM. In this example, IPsourcep 192.158.1.12 has been blocking IPidx 8,784 while its features have been aggregating until its pthresh packet window has been reached to trigger classification. However, another packet with an IPsourcec 1192.158.1.38 sharing the same IPidx of 8,784 has just arrived. Since IPsourcep = IPsourcec , IPsourcec will replace IPsourcep and all other RA locations at IPidx will be recycled for IPsourcec , given IPsourcec has a higher priority of 0. Note that if there was no such priority discrepancy, IPsourcec would still be evicted for IPsourcep if timestampp was expired. 32

source

idx

IP

0

30

31

p

p

s

2.3

Feature Aggregation

As depicted in Fig. 1, once the RRM has established the IPsource to be considered, the switch then performs the aggregation of its features and stores them at IPidx within the feature RAs. Prior to selecting a final feature set that INC will

558

K. Friday et al.

be tasked with aggregating per-IPsource , we first formulate a pool of potential features. Note that since programmable switches cannot inspect packet payloads without performance penalties [14], INC only aggregates features that can be derived from network and transport layer headers, as well as metadata such as timestamps, using simple operations that switches can easily support. Thus, we applied either counts or summations to a particularheader field h over pthresh pthresh to arrive at such a pool. More formally, we employ n=1 hn for summations pthresh and n=1 fh (hn ) for counts, where header function fh (hn ) returns a value of 1 or 0 depending on whether a condition on hn is met or not. In general, header fields that do not generalize well (e.g., IP addresses) were not considered as features. An exception was a feature we devised called alternating dst, where fh () receives the hn of destination IP d ipn within packet n and returns 1 when d ipn = d ipn−1 . Indeed, alternating dst may indicate that an IPsource is probing for vulnerable nodes to infect or endeavoring to contact its C&C server. Subsequently, we aim to select the features from the aforementioned generated pool that will generalize well to unseen data when applied to ASC’s shallow learners. To this end, we identify each feature gj whose discrete Probability Density Function (PDF) fbotneti (Xgj ) for a botnet dataset i of data samples X has a maximum amount of overlap with other botnet datasets and similarly has a PDF fbenigni (Xgj ) for a benign dataset i with a maximum amount of overlap with other benign datasets. At the same time, such overlap should be minimized between all fbotneti and fbenigni to promote binary classification performance. Recall that a gj value for a given data sample x is actually an aggregation of this gj value over pthresh consecutive packets. We define this measure of overlap η(f1 (), f2 ()) between two discrete PDFs |bins| f1 () and f2 () as η(f1 (), f2 ()) = k=1 min(f1 (xk ), f2 (xk )), where η falls within the range [0, 1]. The X inputs are divided among equally-distributed  bins ranging from the first to last input x of f1 () f2 () and set |bins| = inputs, 1024), where num ints is the number of such x inputs in min(num  f1 () f2 (). Note this overlap measure does not make any assumptions about underlying feature distributions, which can limit the use of this measure in practice [21]. To arriveat the final η for each feature gj , arithmetic means are taken for each of the n2 (f1 (), f2 ()) pairs in the botnet and benign datasets to arrive at ηbotnet and ηbenign , respectively. Next, a minimal η(f botnet (), f benign ()) is sought after, where f botnet () and f benign () are the unions of the gj distributions within the botnet and benign datasets, respectively. We set ηf inal = ηbotnet/4 + ηbenign/4 + 1−η(f botnet (),f benign ())/2, and select the largest m η f inal values to obtain m features to apply towards ASC’s training. Note that ηf inal was formalized in this manner, since ηbotnet and ηbenign share equal importance regardless of the number of datasets encompassed by each, and the maximization and minimization operations should also be treated equally.

INC: In-Network Classification of Botnet Propagation at Line Rate

2.4

559

ASC

As portrayed in Fig. 1, features processed by INC’s Feature Aggregation component are subsequently leveraged by ASC to classify a given IPsource stored at IPidx . ASC is based on a methodology for transforming Decision Tree (DT) classifiers to programmable switch data structures that perform classification in two stages. This methodology is in stark contrast to performing DT traversals sequentially, which exhausts numerous stages within the switch and therefore is not practical or even feasible in many scenarios. To offer some intuition, a simplified overview of this transformation using only two features is given in Fig. 3. After the controller performs training of a decision tree, it uses the values that the features are compared against (xi and yi in Fig. 3) within the DT’s nodes as decision boundaries for each feature. The Range Interpretation of Fig. 3 gives a visualization of how ultimately these decision boundaries divide shaded ranges that translate to classifications. To arrive at such classifications on the switch, the first stage of ASC is used to identify within which decision boundary-based ranges the features reside. This is achieved by applying a Match-Action Table (MAT) for each feature in order to map it to an integer that uniquely identifies a given feature’s range, as shown in Fig. 3. Additionally, note that there are no dependencies between features utilizing ACS’s methodology, and therefore these feature tables are executed in parallel within the first stage. As demonstrated in Fig. 3, a classification MAT in the second stage is applied that performs an exact match on each returned integer from the feature tables and outputs a corresponding classification. Since ASC performs binary 2. Range interpretation bot detection, observe that it 1. Trained tree 3 also reduces the number of x f y classification MAT entries by f y f y 2 only matching upon the inteClass 1 Class 0 Class 1 f x y gers that translate to a sinClass 0 Class 1 1 gle class and letting any other x x input that does not match 3 1 2 3. Match-action conversion Default to the other class. f Match-action table RA f When extending ASC to mulRange Return integer [0, x ) 1 Classification table tiple DTs within a bagging 2 [x , x ) Exact f , f Return class 2, 1 1 3 [x , ) ensemble, the ranges of each 3, 1 1 Default 0 1, 2 1 feature are combined over all Bot f Match-action table RA f 2, 2 1 Range Return integer 3, 2 1 DTs, ensuring that there are [0, y ) 1 3, 3 1 2 [y , y ) Benign Default 0 no overlaps between ranges so [y , ) 3 Default 0 each combination of the feature MATs’ return integers Fig. 3. ASC’s parallel execution strategy. correspond to only one entry in the subsequent classification MAT. For instance, if an overlap of two ranges for a particular feature is identified, the overlap is split into three adjacent ranges. To evaluate ranges in P4 MATs, ternary, lpm, or range match keys can be leveraged. Indeed, the embedding of ASC’s methodology within MATs allows the classifier to be updated on 1

1

2

2

1

2

1

2

2

1

1

1

1

1

1

2

2

2

2

1

1 2

2

1

2

2

560

K. Friday et al.

the fly, such as when new botnet intelligence arrives, because the controller can populate each of the MATs with the match keys and return values during runtime. In order to train ASC effectively, we first extract consecutive packets for different pthresh values from each benign and botnet IPsource within the datasets covered later in Table 1. As infected machines often transmit legitimate traffic as well, we only label a pthresh sequence of packets originating from a bot IPsource as malicious if it contains at least one packet tied to the given botnet malware (e.g., a packet that is probing for vulnerabilities, executing malicious commands, attempting to contact a C&C server, etc.). Once such labeling was performed on the datasets, ASC was trained on the controller via Gini impurity and the features identified by leveraging the aforementioned feature selection strategy proposed in Sect. 2.3. Additionally, Grid Search was executed on the number of shallow learners in the bagging ensemble and their depth, with the aim at minimizing such depth for generalization purposes. Ultimately, utilizing weighted decision stumps for the features syn flag count, ack flag count, tcp flag sum, alternating dst, eth size sum, and ip id sum gave the ideal trade-off between classification performance and a minimal depth of the shallow learners. Note that weighting is accounted for by the controller when populating the classification MAT, and therefore ASC’s P4 implementation requires no modifications in order to integrate such weighting. 2.5

Botnet Inference

The controller performs a two-phase clustering procedure on the aggregated features of a bot that are pushed by the switch immediately after it is detected, which is shown in Fig. 1. Such procedure is executed at each interval I, with the length of I being dependent upon the controller’s available resources and time constraints of the given implementation. Recall that at this juncture, any propagation attempts by the infected IPsource have been halted by the switch. HDBSCAN [18] is leveraged for both clustering phases, as it shares many of the core advantageous of hierarchical clustering and its predecessor, DBSCAN [28], yet has undergone several optimizations. Such optimizations include an ability to work with arbitrarily shaped clusters of varying sizes and densities, and enhanced speed. Phase-one entails clustering the bots’ behaviors based on the aggregated features used by ASC for classification. Alternatively, the phase-two clusters each of the phase-one clusters by destination ports. To provide the ports for the phase-two clustering, the switch stores the top three most targeted ports by every IPsource , which necessitates three more RAs, respectively. Note that these ports are note applied to bot classification by ASC, since the IPsource has been classfied as bot, it is expected that the top ports will correspond to the services that the bot is leveraging for malicious acts. Past research has empirically demonstrated that most botnets will target between one and five ports [9,34]. Therefore, three ports is reasonable to capture the breadth of the port targeting behavior of an IPsource yet conserves the switch’s SRAM. The end result of this two-phase clustering procedure are robust clusters of botnet campaigns.

INC: In-Network Classification of Botnet Propagation at Line Rate

3

561

Evaluation

In this section, we evaluate INC extensively to asses its efficiency and effectiveness. Results are reported by way of confusion matrices and accuracy, as well as F1-scores to measure classification results with imbalanced data. Testbed. The environment setup consisted of four Intel Xeon Silver 4114 machines. Each machine functions off 32 CPUs at 2.20 GHz, underneath Debian GNU Linux 9. Additionally, an Edgecore Wedge 100 BF-32X [20] switch programmed with P4 was employed to forward traffic between the four machines. The switch was designed for high-performance data centers with programmable Tofino switch silicon and encompasses 32 × 100 Gbps ports which equate to a throughput processing capacity reaching 3.2 Tbps. The datasets utilized for the following experiments are detailed in Table 1, where a synopsis of each is given. The underlying motivation for selecting these botnets was to establish a representative sample of both IoT and non-IoT botnets. For instance, Mirai and Table 1. Synopsis of the incorporated datasets. Source

Description

Benign [23]

Size

P2P A large group of benign packet captures of 62 GB the P2P applications Skype, eMule, FrostWire, μTorrent, and Vuze

General benign An aggregation of 18 benign packet captures 9 GB data [30] including a variety of traffic, such as HTTPS interactions, DNS requests, and P2P. CAIDA traffic [5] Mirai [11]

BB A large set of packet captures containing 50 GB anonymized Internet BB traffic from CAIDA

botnet Packet captures from a medium-sized IoT net- 813 MB work infrastructure consisting of 83 IoT devices

Bashlite botnet Packet captures extracted from a medium-sized 531 MB [11] IoT network infrastructure consisting of 83 IoT devices Trickbot net [30] Dridex [19]

bot- Three packet captures corresponding to three 452 MB Trickbot-infected machines targeting both nonIoT and IoT devices botnet Five packet captures from five variations of the 261 MB Dridex botnet malware, respectively, that were executed in a Triage sandbox [24] consisting of non-IoT devices

Emotet botnet Four packet captures from four variations of the 319 MB [19] Emotet botnet malware, respectively, that were executed in a Triage sandbox [24] consisting of non-IoT devices Neris [10]

CAIDA scan [8]

botnet Packet captures extracted from 10 non-IoT 97 MB Neris, devices encompassing benign traffic and Neris 52 GB benign botnet samples utilizing IRC, ClickFraud, and SPAM SIP- Samples of each UDP probing packet targeting 425 MB port 5060 captured by the CAIDA /8 network telescope

562

K. Friday et al.

Bashlite were chosen as IoT botnets because the majority of IoT botnets were found to be derived from them [7]. The controller performed ASC’s training and subsequent deployment to the Tofino hardware switch. Next, the packet captures listed in Table 1 were replayed by three Linux machines through the Tofino switch using tcpreplay, which forwarded the packets to the fourth Linux machine that doubled as both the destination entity and controller. The primary function of the the fourth Linux machine was to aggregate the results of the experiments. Ultimately, as we are evaluating the unidirectional classification capabilities of INC in a high-rate forwarding environment, the environment was designed to transmit the packet captures though the switch simultaneously, while ensuring the interarrival times of the packets within the captures were respected. 3.1

Bot Detection

pktthresh assessment. A small pktthresh allows INC to dramatically reduce detection latency, improve RRM register recycling, and circumvent the overhead associated with network-wide traffic statistics aggregation. In turn, we first endeavored to identify the optimal pktthresh value. To this end, it should be noted that infected hosts may also have a number of benign processes transmitting traffic. Moreover, multiple hosts behind Network Address Translation (NAT), say, one infected host and several benign, may appear as one IP to a switch on an external network. Thus, to evaluate INC’s ability to handle such circumstances, we also interleaved with the collection legitimate benign traffic [30] mentioned in Table 1 at different interarrival time ranges, namely, [0.0, 0.55), [0.55, 1.0), [1.0, 5.5), and [5.5, 10.0) milliseconds. Subsequently, once ASC was trained on 70% of data, an evaluation of pktthresh over these interarrival time ranges was performed. The F1-score achieved by INC, along with the Base rate with no additional benign traffic interleaved (several botnet datasets already have intermittent pthresh benign traffic), is offered in Fig. 4.a. It (a) Interleaved benign traffic. can be observed that while there is subtle performance degradation with increased rates, the F1-scores still remain relatively consistent, with pthresh = 20 giving the best performance. Generalization to Unseen Botnets. pthresh Given that new botnets are consistently (b) Unseen botnet generalization. surfacing, INC should also be able to effectively generalize to such unseen botnet traffic. To asses INC’s ability to do so, Fig. 4. Evaluating INC amid varying . p we iteratively removed one botnet dataset thresh

INC: In-Network Classification of Botnet Propagation at Line Rate

563

from the training data and then tested the trained ASC model on the botnet dataset that was held out. Since there is only one label in the test set in this scenario, accuracy was utilized to depict INC’s performance in Fig. 4.b. As shown, while the less aggressive nature of Trickbot and Neris gave INC trouble for the first four pktthresh , whereas INC generalized near perfectly (rounding is performed for visualization purposes) by pktthresh = 20. 3.2

Botnet Inference

We substantiated INC’s ability to attribute bots to botnets by evaluating the clustering performance of the first 20K bots for each botnet that were fingerprinted by ASC in Sect. 3.1. Additionally, we utilized pktthresh = 20 as it gave the best performance and the Base rate to ensure a more controlled experiment. The results of this evaluation are given in the Table 2. As shown, the majority of the bots were attributed to their respective botnet. The bulk of the misclassifications were associated with Mirai, which were largely due to Mirai’s high-variance behavior falling in between that of Bashlite and Trickbot. For example, the mean interarrival time for Mirai was approximately 3.165 s, versus roughly 0.000041 and 40.01 s for Bashlite and Trickbot, respectively. To add to the confusion, both Mirai and Bashlite heavily target Telnet port 23, which is why a number of Mirai samples were clustered as Bashlite. Recall that INC’s phase-two clustering is strictly performed on destination ports, which is why Mirai’s other misclassifications were considered outliers since Bashlite is the only other botnet that shares a common destination port. A similar occurrence can be observed between the botnets that rely on non-IoT devices due to their interaction with destination port 443. That being said, INC still achieved an overall accuracy of 0.9927 for this evaluation. Table 2. Botnet inference results

3.3

Mirai Bashlite Trickbot Dridex Emotet Neris

SIPscan Outliers

19,524 417

0

0

0

0

0

159

0

20,000

0

0

0

0

0

0

0

0

19,669

49

177

7

0

78

0

0

52

19,911

6

0

0

31

0

0

23

40

19,908

16

0

0

0

0

8

16

19,968 0

8

0

0

0

0

0

0

0

20,000

13

Comparison with Existing Solutions

While there are no other bot detection techniques that solely use the data plane, we identified three notable works to compare INC against that apply features extracted from the data plane to controller-based classifiers. The first of such

564

K. Friday et al.

research efforts was the recently-proposed FlowLens [3]. FlowLens extracts quantized sequences of both interarrival times and packet lengths as features for control plane-based ML algorithms. Within their use cases, the authors demonstrated the ability of such features to enable botnet chatter detection when using a Random Forest (RF) running on the controller. The second approach we compared INC against is coined EDIMA (Early Detection of IoT Malware network Activity) [16]. EDIMA relies on header-based features that can be applied to traditional data plane applications, namely, the number of unique destination IP addresses and the minimum, maximum, and mean of the number of packets sent to each destination by a particular source IP. EDIMA also applied an RF, as well as a K-NN and naive Bayes classifier. The final work we compared INC to is a technique presented by Letteri et al. [17] that inputs 22 data plane-based traffic features into a Deep Neural Network classifier (DNN). Note that all of these works were geared towards identifying the presence of bots on a network and not coordination between them (i.e., botnets); therefore, we only compare these works to our ASC implementation. The best implementation of each of the aforementioned works was used for this evaluation, as specified in each paper. Two comparisons were then performed for all models: (1) a performance evaluation on the test split of all datasets and (2) an assessment of how well each model can detect botnets it has not observed during training. Specifically, all datasets listed in Table 1 were trained upon for comparison (1), and the same setup that was applied to INC’s generalization evaluation in experiment Sect. 3.1 was utilized for comparison (2). Regarding both FlowLens and EDIMA, an RF with 1024 trees gave the best results and was therefore applied. For the DNN presented by Letteri et al. [17], seven hidden layers containing 44, 88, 176, 88, 44, 22, and 11 neurons, respectively, were utilized. The Adam optimizer [15] was also employed for training this DNN, along with a learning rate of 0.001, batch sizes of 100, and ten epochs. The results for comparison (1) are listed in Table 3. As can be observed, ASC outperTable 3. State-of-the-art bot detection comparformed the other more complex ison results. ML algorithms running on the Work Observed F1 Unseen F1 controller for the observed data, FlowLens [3] 0.9818 0.0000 which we largely attribute to the features that INC leverages. TimEDIMA [16] 0.8870 0.0000 ing comparisons were not made Letteri et al. [17] 0.6677 1.000 as the other works all require INC (our approach) 0.9907 0.9961 the control plane for classification, and no details were given pertaining to when the controller executes the ML algorithms (e.g., running batch classifications upon expiring time windows, etc.). Comparison (2) revealed a much larger disparity in each model’s performance when fingerprinting bots whose data was not previously trained upon, as displayed by the mean F1-scores in Table 3. Interestingly, both FlowLens and EDIMA performed poorly. This is notable when considering that these

INC: In-Network Classification of Botnet Propagation at Line Rate

565

state-of-the-art techniques leverage RFs, yet INC’s decision tree-based approach achieved good results; thus, it is clear that this degradation of accuracy is not due to FlowLens and EDIMA’s model selection, but rather their data preprocessing. This preprocessing entails aspects such as the length of the flow duration required (e.g., an hour in the case of FlowLens), features utilized, and so forth. Alternatively, it appears that the DNN implementation proposed by Letteri et al. performed markedly well at first glance; however, it is apparent from Table 3 that such performance is due to this model’s tendency to classify all samples as malicious. 3.4

Deployment Microbenchmarks

Hardware Resource Usage. The resource utilization of INC when compiled on the Tofino switch is listed in Table 4. As can be observed, INC consume very little resources. For instance, the TCAM utilization which is Table 4. Tofino hardware resource utilization. leveraged for the ASC’s parallel Hash bits Gateway SRAM ALU TCAM Stages feature MATs only consumed 10.48% 12.50% 10.00% 0.00% 3.33% 4.0 3.3% of that available. Moreover, the entirety of INC’s operations occupied only four stages, which allows a number of other P4 applications to run alongside it. Finally, INC maintained a low SRAM consumption of 10.00%, which we attribute to the RRM enabling the use of small RAs. RRM Analysis. To effectively evaluate the RRM implementation, we assessed over 50 GB of real BB traffic provided by CAIDA [5] for 25 min. The results from this analysis are shown in Fig. 5.a and Fig. 5.b. Note that smoothing was applied to enhance the visualization of trends. Figure 5.a displays the number of collisions exhibited when applying different size RAs for storing each IPidx ,

(a) RRM collisions.

(b) Missed packets.

Fig. 5. Evaluating RRM amid BB traffic.

566

K. Friday et al.

namely, an RA containing 65,536 registers and another encompassing 16,384. Additionally, both sizes were evaluated both with and without the RRM. As shown, the reduction in the number of collisions that the RRM provides for both sizes is dramatic. Additionally, both the 16,384 and 65,536 RAs without RRMs gave a similar amount of collisions. Thus, we deem RA sizes of 16,384 effective for high-rate network implementations. Alternatively, Fig. 5.b displays the number of packets that were not analyzed due to their given RA index IPidx already being occupied by another IPsource . With INC striving to minimize pthresh to reduce this occurrence, we evaluate three different pthresh values on the BB trace. As Fig. 5.b portrays, decreasing the packet count can reduce the number of such packets not analyzed by several thousand. Additionally, note that the timeout was set to a very high 30 min and is the cause of the increase over time of packets that were not analyzed. This is because if the amount of packets that an IPsource transmits falls under pthresh , it will not be discarded and will continue to occupy the index IPidx of the RAs until such timeout is reached. Nevertheless, there are about 39 million distinct packets recorded per every 0.1 s in this trace, and therefore the RRM roughly obtained a missed packet rate falling within the range of [0.036%, 0.062%]. Examining Real-World Applicability. We additionally evaluated INC in real-world conditions by examining the hardware performance amid high-rate traffic. Specifically, we performed two experiments with one server to transmit the botnet datasets listed in Table 1 along with two servers to send the aforementioned CAIDA BB trace through Fig. 6. Tofino hardware BB assessment. the switch. The first of the experiments entailed transmitting both the botnet and CAIDA traffic at their captured rates (arriving at an average of over 2 Gbps), whereas the second sent three separate instances of the CAIDA trace (totaling upwards of 6 Gbps on average) while keeping the botnet traffic at its captured rates. As can be observed in Fig. 6, the number of benign classifications of the BB traffic was consistent with the increased rates. Moreover, Fig. 6 demonstrates that the number of bot classifications remains relatively fixed regardless of the increased BB. Ultimately, INC gave an average F1-score of over 0.99 in both experiments, which demonstrates its ability to generalize well to a variety of benign BB traffic. Note that the time for each packet to be processed by INC was also measured, which was fixed at approximately 350 nanoseconds amid both experiments.

INC: In-Network Classification of Botnet Propagation at Line Rate

4

567

Related Work

The commendable efforts by Barradas et al. [3], Kumar and Lim [16], and Letteri et al. [17] that INC was compared against in Sect. 3.3 are the approaches in the literature that were able to leverage data plane-based features for controllerbased bot detection with ML algorithms. However, a growing area of research has been the synergizing ML techniques with the programmable switches themselves. For example, the processing power of such switches has been leveraged to speed up the computational overhead of ML tasks [25–27,35]. Alternatively, Siracusano et al. [29] took a noteworthy first-step towards implementing neural networks in P4 by way of utilizing only the bitwise logic programmable switches can support, such as quantized binary weights. Subsequently, Xiong and Zilberman [33] introduced theoretical strategies for integrating more traditional ML algorithms into the switch’s pipeline. By the authors’ admission, it is unclear as to whether actual switch hardware can support their implementations, as they are resource intensive.

5

Conclusion

Botnets and their prompt propagation have enabled adversaries to cause considerable damage to contemporary networks, often before administrators are even aware that an infection has taken place. However, the emergence of programmable data planes finally offers a viable means of countering this ongoing maliciousness. To this end, we presented INC, an ML-based approach rooted in programmable switches to detect and mitigate botnet propagation at scale, in real-time. By way of employing several notable datasets, we demonstrated that INC can not only detect a variety of botnet malware with an F1-score upwards of 0.99 on average, but it can also both fingerprint unseen bots and attribute coordination between them with negligible performance degradation. Finally, we showed that INC resource-conservative approach can outperform state-of-the-art techniques. All source code has been made publicly available via GitHub [19] in order to facilitate future advances in this research domain.

References 1. Alieyan, K., Almomani, A., Anbar, M., Alauthman, M., Abdullah, R., Gupta, B.B.: DNS rule-based schema to botnet detection. Enterp. Inf. Syst. 15(4), 545– 564 (2021) 2. Antonakakis, M., et al.: Understanding the mirai botnet. In: 26th {USENIX} security symposium ({USENIX} Security 17), pp. 1093–1110 (2017) 3. Barradas, D., Santos, N., Rodrigues, L., Signorello, S., Ramos, F.M., Madeira, A.: FlowLens: enabling efficient flow classification for ml-based network security applications. In: Proceedings of the 28th Network and Distributed System Security Symposium, San Diego, CA, USA (2021) 4. Bosshart, P., et al.: P4: programming protocol-independent packet processors. ACM SIGCOMM Comput. Commun. Rev. 44(3), 87–95 (2014)

568

K. Friday et al.

5. CAIDA (2021). http://www.caida.org/data/passive/passive dataset.xml 6. Canada, P.: Bill C-28. https://www.parl.ca/DocumentViewer/en/40-3/bill/C-28/ third-reading 7. Cozzi, E., Vervier, P.A., Dell’Amico, M., Shen, Y., Bilge, L., Balzarotti, D.: The tangled genealogy of IoT malware. In: Annual Computer Security Applications Conference, pp. 1–16 (2020) 8. Dainotti, A., King, A., Claffy, K., Papale, F., Pescap´e, A.: Analysis of a “/0”stealth scan from a botnet. IEEE/ACM Trans. Networking 23(2), 341–354 (2014) 9. Fachkha, C., Bou-Harb, E., Keliris, A., Memon, N.D., Ahamad, M.: Internet-scale probing of CPS: inference, characterization and orchestration analysis. In: NDSS (2017) 10. Garcia, S., Grill, M., Stiborek, J., Zunino, A.: An empirical comparison of botnet detection methods. comput. Secur. 45, 100–123 (2014) 11. Guerra-Manzanares, A., Medina-Galindo, J., Bahsi, H., N˜ omm, S.: MedBIoT: generation of an IoT botnet dataset in a medium-sized IoT network. In: ICISSP, pp. 207–218 (2020) 12. Hauser, F., et al.: A survey on data plane programming with p4: fundamentals, advances, and applied research. arXiv preprint arXiv:2101.10632 (2021) 13. Intel: Intel® tofino™ 3 intelligent fabric processor brief. https://www.intel.com/ content/www/us/en/products/network-io/programmable-ethernet-switch/tofino3-brief.html 14. Jepsen, T., et al.: Fast string searching on PISA. In: Proceedings of the 2019 ACM Symposium on SDN Research, pp. 21–28 (2019) 15. Kingma, D.P., Ba, J.: Adam: a method for stochastic optimization. arXiv preprint arXiv:1412.6980 (2014) 16. Kumar, A., Lim, T.J.: Edima: early detection of IoT malware network activity using machine learning techniques. In: 2019 IEEE 5th World Forum on Internet of Things (WF-IoT), pp. 289–294. IEEE (2019) 17. Letteri, I., Della Penna, G., De Gasperis, G.: Botnet detection in software defined networks by deep learning techniques. In: Castiglione, A., Pop, F., Ficco, M., Palmieri, F. (eds.) CSS 2018. LNCS, vol. 11161, pp. 49–62. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-01689-0 4 18. McInnes, L., Healy, J., Astels, S.: hdbscan: hierarchical density based clustering. J. Open Source Softw. 2(11), 205 (2017) 19. NetSecResearch (2021). https://github.com/NetSecResearch/INC 20. Networks, E.: Programmable Tofino switches for data centers. https://www.edgecore.com/productsInfo.php?id=335 21. Pastore, M., Calcagn`ı, A.: Measuring distribution similarities between samples: a distribution-free overlapping index. Front. Psychol. 10, 1089 (2019) 22. Pour, M.S., et al.: On data-driven curation, learning, and analysis for inferring evolving internet-of-things (IoT) botnets in the wild. Comput. Secur. 91, 101707 (2020) 23. Rahbarinia, B., Perdisci, R., Lanzi, A., Li, K.: PeerRush: mining for unwanted p2p traffic. J. Inf. Secur. Appl. 19(3), 194–208 (2014) 24. Sandbox, T.: Hatching Triage (2022). https://hatching.io/triage/ 25. Sanvito, D., Siracusano, G., Bifulco, R.: Can the network be the AI accelerator? In: Proceedings of the 2018 Morning Workshop on In-Network Computing, pp. 20–25 (2018) 26. Sapio, et al.: Scaling distributed machine learning with in-network aggregation. arXiv preprint arXiv:1903.06701 (2019)

INC: In-Network Classification of Botnet Propagation at Line Rate

569

27. Sapio, A., Abdelaziz, I., Aldilaijan, A., Canini, M., Kalnis, P.: In-network computation is a dumb idea whose time has come. In: Proceedings of the 16th ACM Workshop on Hot Topics in Networks, pp. 150–156 (2017) 28. Schubert, E., Sander, J., Ester, M., Kriegel, H.P., Xu, X.: DBSCAN revisited, revisited: why and how you should (still) use DBSCAN. ACM Trans. Database Syst. (TODS) 42(3), 1–21 (2017) 29. Siracusano, G., Bifulco, R.: In-network neural networks. arXiv preprint arXiv:1801.05731 (2018) 30. Stratosphere: Stratosphere laboratory datasets (2015). Accessed 13 Mar 2020. https://www.stratosphereips.org/datasets-overview 31. Tanabe, R., et al.: Disposable botnets: examining the anatomy of IoT botnet infrastructure. In: Proceedings of the 15th International Conference on Availability, Reliability and Security, pp. 1–10 (2020) 32. Turkovic, B., Kuipers, F., van Adrichem, N., Langendoen, K.: Fast network congestion detection and avoidance using p4. In: Proceedings of the 2018 Workshop on Networking for Emerging Applications and Technologies, pp. 45–51 (2018) 33. Xiong, Z., Zilberman, N.: Do switches dream of machine learning? toward innetwork classification. In: Proceedings of the 18th ACM Workshop on Hot Topics in Networks, pp. 25–33 (2019) 34. Xu, Z., Chen, L., Gu, G., Kruegel, C.: PeerPress: utilizing enemies’ p2p strength against them. In: Proceedings of the 2012 ACM conference on Computer and communications security, pp. 581–592 (2012) 35. Yang, F., Wang, Z., Ma, X., Yuan, G., An, X.: SwitchAgg: a further step towards in-network computation. arXiv preprint arXiv:1904.04024 (2019) 36. Zhang, J., Perdisci, R., Lee, W., Sarfraz, U., Luo, X.: Detecting stealthy p2p botnets using statistical traffic fingerprints. In: 2011 IEEE/IFIP 41st International Conference on Dependable Systems & Networks (DSN), pp. 121–132. IEEE (2011) 37. Zhang, M., et al.: Poseidon: mitigating volumetric DDoS attacks with programmable switches. In: the 27th Network and Distributed System Security Symposium (NDSS 2020) (2020)

GAME: Generative-Based Adaptive Model Extraction Attack Yi Xie1 , Mengdie Huang1 , Xiaoyu Zhang1 , Changyu Dong2 , Willy Susilo3 , and Xiaofeng Chen1(B) 1

State Key Laboratory of Integrated Service Networks (ISN), Xidian University, Xi’an 710071, People’s Republic of China [email protected] 2 School of Computing, Newcastle University, Newcastle NE1 7RU, UK 3 School of Computing and IT, University of Wollongong, Wollongong, NSW 2522, Australia [email protected]

Abstract. The outstanding performance of deep learning has prompted the rise of Machine Learning as a Service (MLaaS), which significantly reduces the difficulty for users to train and deploy models. For privacy and security considerations, most models in the MLaaS scenario only provide users with black-box access. However, previous works have shown that this defense mechanism still faces potential threats, such as model extraction attacks, which aim at stealing the function or parameters of a black-box victim model. To further study the vulnerability of publicly deployed models, we propose a novel model extraction attack named Generative-Based Adaptive Model Extraction (GAME), which augments query data adaptively in a sample limited scenario using auxiliary classifier GANs (AC-GAN). Compared with the previous work, our attack has the following advantages: adaptive data generation without original datasets, high fidelity, high accuracy, and high stability under different data distributions. According to extensive experiments, we observe that: (1) GAME poses a threat to victim models despite the model architectures and the training sets; (2) synthetic samples closed to decision boundary without deviating from the center of the target distribution can accelerate the extraction process; (3) compared to state-of-the-art work, GAME improves relative accuracy by 12% at much lower data and query costs without the reliance on domain relevance of proxy datasets.

Keywords: Model extraction attack strategy · Auxiliary classifier GANs

1

· Data augmentation · Adaptive

Introduction

Deep learning models have been deployed in more and more fields, such as computer vision, natural language processing, and speech recognition, for their amazing ability to solve various challenging classification problems. Due to the high c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 570–588, 2022. https://doi.org/10.1007/978-3-031-17140-6_28

GAME: Generative-Based Adaptive Model Extraction Attack

571

market demand for deep learning technology, the concept of Machine Learning as a Service (MLaaS) has been rapidly promoted. More and more companies train and deploy machine learning models in this way, which greatly lower the software and hardware thresholds for individual developers and small businesses. In the MLaaS scenario, the open deployment of the models can not only facilitate users but also enterprises. However, due to data breaches and laws, such as the European Union’s General Data Protection Regulation (GDPR), this practice faces many restrictions. In recent years, much work has been done to study the privacy and security issues of the MLaaS models, which includes: membership inference attacks [11,23,24], model inversion attacks [5,22,34], and model extraction attacks [1,10,18,20,21,27]. They respectively aim to infer whether a particular sample is present in the training set, reconstruct the private training data, and steal the function or parameters of the victim model. Among these attacks, the first two attacks on sample privacy have been widely studied, while the attacks on the model privacy are still in their infancy. In model extraction attack, the attacker attempts to steal the function/parameters of the victim black-box model, which will compromise the model owner’s interests. In addition, it can also be a stepping stone to other attacks, e.g., model evasion attacks [20]. At present, most model extraction attacks use learningbased methods: the prediction vector output by the model is used as the soft label of the input sample to train the substitute model, which is similar to the knowledge distillation technology [8] in the field of model compression [6]. To evaluate the performance of the attack, two metrics, accuracy and fidelity [10], are introduced into the field. The former focuses on classifying samples correctly, while the latter focuses on improving the similarity between the predictions. Based on our observations, three challenges prevent the implementation of a model extraction attack: limited data, irrelevant proxy distribution, and expensive query cost. Firstly, for business and security considerations, the internal information (including training data) of MLaaS models is often not publicly released, making it hard for attackers to construct a query set. To this end, many works have adopted the method of data-free knowledge distillation [4,15] to attack. However, due to the black-box access to the victim model in the model extraction scenario, the attacker needs to use gradient approximation [3,31] for backpropagation. Unfortunately, this query-based gradient approximation method often increases the query budget exponentially. Secondly, it is difficult to find a suitable distribution of proxy datasets. This cannot be ignored because it directly affects the attacker’s query efficiency. To this end, some studies [30,36] have found that adversarial samples near the boundary can greatly improve the attack performance. However, such works often only use attack success rates (ASRs) of adversarial examples generated by the substitute model to evaluate the stealing performance, which ignores the performance of substitute models on the original task. Finally, to reduce the attack cost and the risk of being intercepted by the defense mechanism, the attacker needs to design an efficient query strategy to reduce the total number of queries without affecting the extraction performance significantly. With regard to this, some works [18,19]

572

Y. Xie et al.

try to use active learning methods to build a query queue from public datasets. Unfortunately, the upper limit of its attack performance depends on the mutual information between the chosen public dataset and the original training set. 1.1

Our Contribution

To address the issues faced by model extraction attacks, we first propose a data augmentation algorithm that combines active learning and dynamic updating mechanisms. On the basis of this method, we design a novel Generative-Based Adaptive Model Extraction (GAME) in a practical scenario, where the attacker has no access to original training sets. Compared with previous works, GAME has the following advantages: (i) The AC-GAN based data augmentation algorithm can provide the attacker with enough query samples in the limited samples scenario. Besides, the class control mechanisms of AC-GAN can reduce the granularity of synthesized samples. (ii) The category selection strategy based on active learning works well with AC-GAN. Specifically, this strategy could help the attacker generate query samples which have higher distillation efficiency. (iii) The output distribution of the generator is adaptively fine-tuned according to multiple feedback indicators. Theoretical analysis and extensive experiments show that setting a reasonable feedback indicator can improve the GAME attack performance. In summary, we make the following contributions: – We first propose to use boundary samples without deviating from the target distribution to conduct model extraction attacks in the limited samples scenario where it is difficult to obtain original sets or even public datasets. – We propose an AC-GAN based data augmentation method for model extraction attack, which combines two strategies, active learning and generator dynamic updating, to increase the efficiency of stealing. – We conducted extensive experiments to show that GAME can achieve higher fidelity and accuracy compared with state-of-the-art methods, especially in limited proxy samples scenarios. Furthermore, the effectiveness of the active learning and generator dynamic updating strategy is also demonstrated. 1.2

Related Work

Model Extraction Attacks. The emergence of model extraction attacks stems from the tension between the public access and model confidentiality of MLaaS platforms. In 2016, Tram`er et al. [27] proposed equation-solving attack and pathfinding attack against simple models, demonstrating the feasibility of extraction attacks. Following this, many works also studied model extraction attacks against complex deep neural networks [1,10,12,18]. Most of the early works tried to find methods that can exactly recover the weight of the victim model, such as [10] and [21]. However, these methods are often inefficient and difficult to implement. To this end, several works have turned their attention to model equivalent extraction attacks [1,12,18], which only attempt to steal a functionally approximate model without the requirements on model structure and parameters.

GAME: Generative-Based Adaptive Model Extraction Attack

573

The core idea of most model-equivalent extraction attacks originates from knowledge distillation techniques [8], that is, query the victim model to obtain soft labels for training substitute models. However, two problems faced by knowledge distillation are also exacerbated in the field of model stealing: limited samples problem and query efficiency problem. In most MLaaS scenarios, it is difficult for attackers to improve the performance of substitute models with limited query samples. Jacobian-based data augmentation [20] is an earlier work that attempts to solve this problem. In the work, original training samples are perturbed with the Jacobian matrix to enlarge the query set. Another work BlackBox Ripper [1] uses a generative evolution algorithm to generate high-response samples. Differing from these methods, some works focus on data-free model extraction attacks, which is close to the field of data-free knowledge distillation, such as [12,28,30]. This kind of work often uses gradient approximation methods, which leads to excessive query costs. On the other hand, considering the benefits and defense mechanisms, the attacker needs to minimize the query cost without compromising stealing performance. Knockoff [18] formalizes sample selection in model extraction attack as a Multi-armed Bandit Problem and uses the Gradient Bandit Algorithm to choose the most informative samples. The work ActiveThief [19] uses active learning methods to reduce the query cost when using public data sets for model stealing. We propose a high-fidelity model extraction attack GAME, which considers the above two challenges at the same time. Knowledge Distillation. Although the goal of knowledge distillation, which is compressing large machine learning models, is different from that of model extraction attacks, their execution processes are similar: using the teacher (victim) model to label a series of samples for student (substitute) model training. Knowledge distillation faces the same problems as model extraction attacks. One problem is insufficient query samples. Specifically, the model owner may be unable to collect enough query samples for knowledge distillation. To deal with this problem, the work [2] proposes a GAN-based Data-Free Learning (DAFL) method. In [16], Data impression was crafted from random noise to train a substitute model. The work [35] uses a conditional generator to generate high-confidence samples of specific classes for the teacher model. Another problem is the low query efficiency. The work [29] proposes an activelearning-based method combined with mix-up technology. Similarly, the work [33] uses an uncertainty-based mix-up method to reduce the computation costs of both the teacher and the student models. Although there are some similarities between model extraction and knowledge distillation, most solutions are hard to transfer to the model extraction scenario due to the different access rights. 1.3

Organization

The rest of this paper is organized as follows: In Sect. 2, we introduce the necessary preliminaries. In Sect. 3, we present the specific design of the GAME attack.

574

Y. Xie et al.

In Sect. 4, GAME is evaluated under different dataset and model architecture settings, and compared with SOTA works. The ablation study about GAME is presented in Sect. 5. We conclude this paper in Sect. 6.

2 2.1

Preliminaries Problem Formulation

In this subsection, we formalize the model extraction attack problem. Suppose a victim model NV is deployed on an MLaaS platform, which only grants blackbox access rights to users (including malicious users). Any samples uploaded by users will be fed into the victim model NV to get the prediction vector ypred : ypred = NV (x).

(1)

The attacker’s goal is to find a substitute model NS that is functionally equivalent to NV in the victim’s domain DV . Formally, the objective of model extraction attacks is:   (2) arg max Px∼DV arg max NVi (x) = arg max NSi (x) , i

NS

i

where i represents the component of the ith class of the prediction vector output by the model, and x is the sample randomly sampled from the sample domain DV . However, due to the confidentiality of the victim’s training set, it’s difficult for the attacker to obtain the precise distribution of DV . A practical approach for the attacker is to minimize the difference between the two models in the proxy sample domain DP , that is: arg min Ex∼DP [L (NV (x), NS (x))] , NS

(3)

where L represents the loss function, which is used to measure the distance between the predictions of two models on the input x. It can be inferred that when the correlation between DP and DV is higher, the substitute model trained by the attacker has higher fidelity, according to the Eq. (2) and Eq. (3). 2.2

Adversary Capability

Attack Surface. The attacker can only use the prediction API NV∗ provided by the MLaaS platform to fit the decision boundary of the victim model, which means that the internal information of the victim model is agnostic to the attacker, including model structure, parameters, and training datasets. Therefore, the attacker cannot perform back-propagation through the victim model. Besides, due to the pay-per-use manner, the attacker has to pay for each query. After the attacker pays for the query and sends x to NV∗ , the MLaaS platform may have two different responses: (i) the whole prediction vector ypred of NV∗ ; i . The attacker can get better perfor(ii) the top-1 class tpred = arg maxi ypred mance when the MLaaS platform returns the whole prediction vector ypred as it contains more information.

GAME: Generative-Based Adaptive Model Extraction Attack

575

Proxy Datasets. Depending on the adversary’s capability, the query datasets used by the attacker can be divided into the following four categories: (i) The whole original datasets, which means the attacker has the same training samples as the victim model NV . This situation only occurs in scenarios where NV is trained on public datasets. (ii) Part of original datasets. In this case, the attacker has a low-density sampling of the original distribution (or original domain DV ). The limited number of samples may reduce the generalization performance of the substitute model in DV . (iii) Domain-related datasets. Due to the commercial characteristics of the MLaaS platform, the service provider will not hide the task information of the victim model, so the attacker can easily collect the relevant public data sets as the proxy set. (iv) Domain-unrelated datasets. When no task information about the victim model is provided, the attacker can only randomly select some public dataset. In Sect. 5.3, we discuss in detail the effect of proxy dataset distribution on GAME. Model Architecture. The architecture and hyper-parameters of the victim model are also important private information for model extraction attacks. However, this information is often unavailable for MLaaS users (including attackers) due to privacy concerns or business strategies. The model structure used by the attacker can be divided into the following two categories: (i) Same architecture. If the attacker knows the specific architecture of the victim model (although it is challenging), he will adopt it to the substitute model. (ii) Task-related architecture. If the attacker has no information about the architecture of the victim model, the substitute model could be designed by the task information. 2.3

Auxiliary Classifier GANs

In this subsection we detail the basics about auxiliary classifier GANs (ACGAN) [17] as it is the core of our proposed data augmentation algorithm. ACGAN employs label conditioning in GAN training to improve the quality of the generated samples and control the specific categories of samples. Like traditional GAN, AC-GAN is also composed of two parts: a generator and a discriminator. The difference is that the generator of AC-GAN needs to input a label yg in addition to the latent noise z. Besides, the output of the discriminator includes both the probability distribution over source P (S|X) and the probability distribution over class labels P (C|X). The objective function of AC-GAN can be divided into two parts, (i) the log-likelihood of the correct source, LS , and (ii) the log-likelihood of the correct class, LC , which are as follows: LS = E [log P (S = real | Xreal )] + E [log P (S = fake | Xfake )] ,

(4)

LC = E [log P (C = c | Xreal )] + E [log P (C = c | Xfake )] .

(5)

576

Y. Xie et al.

Then the goal of the discriminator and generator can be defined by the following two formulas: (6) G = arg max LC − LS , G

D = arg max LC + LS . D

(7)

Solving the formulas above through an iterative training method allows the generator G to simulate the original dataset distribution.

3 3.1

Design of GAME Core Idea

The goal of the model extraction attack is to obtain a replica of the victim model. Specifically, it attempts to ensure that the two models can output similar prediction vectors of any input, as denoted in the Eq. (2) above. From the perspective of the model decision boundary, the attacker needs to fit the boundary of the victim model to improve the performance (the similarity to the victim model) of the substitute model on seen and unseen samples. As shown in Fig. 1(b), it is difficult to achieve this due to the lack of original data. Data augmentation is a way to handle the problem but still faces two challenges: similarity and efficiency. Similarity means that the synthesized samples should have a similar distribution to the real samples in the victim domain. Efficiency means that the attacker attempts to achieve higher fidelity with the same query costs.

Fig. 1. The strategy of Data Augmentation: (a) Original decision boundary (blue dotted line) of victim model. (b) Using samples at the center of the distribution (yellow dots & green triangles) can only approximate a rough boundary (red solid line). (c) GAME uses augmented samples (blue cross) to obtain boundary information more efficiently and precisely. (d) The stolen decision boundary is very close to the original decision boundary. (Color figure online)

To address the challenges mentioned above, this work proposed a model extraction algorithm based on an adaptive data augmentation strategy. The core idea of the strategy is to generate samples close to the key part of the

GAME: Generative-Based Adaptive Model Extraction Attack

577

Adversarial Fine-tuning Active selection

Fig. 2. Framework overview of GAME.

decision boundary without deviating from the center of the target distribution, as shown in Fig. 1(c)–(d). To achieve this goal, the attacker takes four steps: (i) Learning the distribution of the proxy dataset. Due to the confidentiality of the training sets used by the victim model, attackers can only obtain a proxy dataset. Then the distribution of proxy dataset is learned with the AC-GAN model, part of which cloud be regarded as the initial version of the generator for subsequent steps. (ii) Selecting categories based on active learning strategy. Due to the difference in the distribution of the original training set and the proxy dataset, it is a wise choice to adjust the class distribution of the synthetic samples. GAME adopts an active learning-based approach, which is described in detail in Sect. 3.2. (iii) Generating boundary samples with an adaptive strategy. The category selected in the previous step is used as the condition of AC-GAN for sample generation. Meanwhile, we proposed an adversarial fine-tuning algorithm to generate samples near the boundary. (iv) Distilling victim model with synthetic samples. Finally, using the samples generated in the previous step, the knowledge of the victim model can be transferred to the local substitute model. 3.2

Framework

As shown in Fig. 2, the GAME framework consists of 6 modules: generator G, discriminator D, victim model NV , substitute model NS , adversarial fine-tuning module, and active selection module. The arrow in the figure shows the data flow of the framework, and it can be divided into four phases: Target Distribution Learning (TDL), Active Categories Selecting (ACS), Adaptive Generator Updating (AGU), and Generative Model Distillation (GMD). The whole process of GAME attack is shown in Algorithm 1.

578

Y. Xie et al.

Algorithm 1. GAME attack Input: Proxy data set Dp = (Xp , Yp ), victim model API NV∗ . Output: Substitute model NS 1: Initialize generator G and discriminator D 2: Target Distribution Learning 3: G, D ← T rainG,D (Xp , Yp ) // Train ACGAN with Dp 4: Active Categories Selecting 5: Updating Pπ 6: Yg ∼ Pπ // Generating with active learning strategy 7: X0 ← ∅ 8: for i ← 1 to n epochs do 9: Substitute Model Distillation 10: Xg ← G(z, Yg ) 11: YV ← NV∗ (Xg ) 12: Xall ← Xall ∪ Xg , Yall ← Yall ∪ YV 13: NS ← T rainNS (Xg , YV ) 14: AC-GAN Dynamically Updating 15: Xg ← G(z, Yg ) 16: LossT otal ← β1 × Lres + β2 × Lbou + β3 × Ladv + β4 × Ldif T otal 17: θG ← θG − ∂Loss ∂θG 18: Update generator G with θG 19: end for 20: NS ← T rainNS (Xall , Yall )) // Final train 21: return NS

Target Distribution Learning. In the TDL phase, the AC-GAN is used to learn the distribution of the proxy dataset Dp = {(xi , yi )|i = 1, ..., N } owned by the attacker. In this phase, the generator G and discriminator D are trained normally, as denoted in Eq. (4)–Eq. (7). Specifically, in every iteration, the generator G needs to get a latent noise z and a target generation label yg as input to generate sample xg . Then the discriminator D will output the prediction vector yd , which consists of two parts: yd = (ys , yc ). The ys represents the validity probability, and yc represents the prediction vector. Hence G could be updated to improve the validity probability ys and decrease the distance between yg and yc . Then the discriminator needs to be updated to learn the difference between the synthetic sample and the initial dataset Dp . After enough rounds of iterative training, the generator G can generate samples that fit the distribution of Dp . Active Categories Selecting. Before AC-GAN generates query samples, the category yg of the synthetic samples needs to be determined by the active learning strategy. Two active learning strategies are proposed: (i) Prediction uncertainty, which expects to select the class with the highest uncertainty to the substitute model NS . The probability that the ith category is selected can be calculated with: ci i = N , ci = 1 − max{sof tmax[NS (G(z, i))]}, (8) Punc t=1 ct

GAME: Generative-Based Adaptive Model Extraction Attack

579

where ci represents the unconfidence of NS for the sample of the ith class. (ii) Deviation distance, which represents the size of the predicted distance of NS and NV for the same sample. It could be calculated by: di i = N Pdev

t=1

dt

, di = KL[NS (G(z, i)), NV∗ (G(z, i))].

(9)

Additionally, KL-divergence, denoted as KL, is used to measure the distance between the two outputs. Generative Model Distillation. After the categories of synthetic samples are determined, generative knowledge distillation is implemented using AC-GAN, which includes three steps: (i) generating query samples; (ii) querying the victim model to get the prediction; (iii) training substitute model on the query sample set. Some tricks are introduced to improve the performance of distillation: in the first step, the target label yg is randomly assigned to ensure the balance between classes; during the second step, the whole prediction vector yc (instead of the top-1 class of yc ) output by the discriminator D is used as a soft label of input sample xg ; during the third step, we use the Kullback-Leibler divergence loss to obtain more information contained in soft labels. Adaptive Generator Updating. As stealing progresses, the substitute model NS exhibits increasingly similar behavior to the victim model NV . Therefore NS could be regarded as the shadow model of NV for fine-tuning the generator G, instead of requiring white-box access to the victim model for backpropagation. Thus, to improve the knowledge transfer efficiency, GAME introduces the following indicators to fine-tuning the generator G. (i) Model responsivity Lres . Synthetic samples should be as close as possible to some key features of the victim domain. GAME achieves this by increasing the non-negative logits layer output of NS , which is denoted as fS : Lres = −

N 

max(0, fSi ).

(10)

i=1

(ii) Boundary distance Lbou . As described in Sect. 3.1, GAME uses boundary samples to improve extraction efficiency. It is achieved by minimizing the distance between the top-2 prediction vector components of substitute model NS , which could be denoted as: Lbou = NS (x)top1 − NS (x)top2 .

(11)

(iii) Adversarial correction Ladv . As a complement to Lres , we also introduce an indicator Ladv based on the idea of adversarial examples, which aims to help the generator generate samples that cross the decision boundary. Formally, the adversarial correction indicator can be defined as follows: Ladv = −CE(NS (x), arg max NS (x)i ). i

(12)

580

Y. Xie et al.

(iv) Prediction difference Ldif . We also introduce the indicator Ldif , which accelerates the stealing process by increasing the disagreement of synthetic samples for both the victim model and the substitute model. Concretely, it can be defined as: (13) Ldif = −KL(NS (x), NV (x)). Therefore, the total loss function of the generator in the iterative update process is denoted as: LossT otal = β1 × Lres + β2 × Lbou + β3 × Ladv + β4 × Ldif .

(14)

where βi in the equation is a manually adjusted weighting factor to balance the effect of each loss term on the total loss. The attacker needs to minimize this loss function to get better performance of the generator G. Since the parameters of the substitute model NS will change at each iteration, the generator also needs to recalculate the loss function to update its parameters.

4 4.1

Performance Evaluation Experimental Settings

Datasets and Victim Model. In this experiment, we use two pairs of datasets for experiments: (i) MNIST [14] as the original dataset and Fashion-MNIST [32] as the proxy dataset; (ii) BelgiumTSC [26] as the original dataset and GTSRB [9] as the proxy dataset. For each dataset, we resize all images to 32 × 32 and shuffle the order. We use LeNet [14] and AlexNet [13] as the architecture of the victim model in the MNIST and BelgiumTSC experiments, respectively. These victim models were trained for 15 epochs on MNIST and 20 epochs on BelgiumTSC with ADAM at an initial learning rate of 0.001. Attacker Model. We use 4 different architectures for the attacker model: halfLeNet and VGG-16 [25] for Fashion-MNIST, half-AlexNet, and ResNet-18 [7] for GTSRB. These models were trained for 40 epochs with ADAM. The initial learning rate is 0.1 for half-LeNet and 0.01 for VGG-16. The query budget is 8k for Fashion-MNIST and 6k for GTSRB. For the generator, we adopt a structure consisting of 3 convolutional layers, interleaved with up-sampling layers, batch normalization layers, and ReLU activations. The discriminator has five convolutional layers, interleaved with ReLU activations, dropout layers (with 0.25 probability), and batch normalization layers (except for the last layer). Evaluation Metric. We evaluate the performance by two metrics: (i) Fidelity: the similarity of the top-1 class of the output vector between the substitute model and the victim model. (ii) Accuracy: computed on the top-1 class of the prediction with true labels. Formally, these two metrics could be defined as:

GAME: Generative-Based Adaptive Model Extraction Attack

F idelity(NS ) = Accuracy(NS ) =



1 |Dtest |

I(tNS (x) = tNV∗ (x)),

(15)

I(tNS (x) = y),

(16)

(x,y)∈Dtest



1 |Dtest |

581

(x,y)∈Dtest

tf (x) = arg max f (x)i .

(17)

i

where I(·) represents the indicator function, and tf (x) represents the largest component of the output of the function f . 4.2

Results

We compare the attack performance of GAME with the other three attacks: (i) Baseline, which randomly selects samples from the proxy dataset for querying, and then uses the output as soft labels to train the substitute model. (ii) Knockoff [18], which uses an active sample selection method based on the gradient bandit algorithm to improve the query efficiency. (iii) JBDA [20], which utilizes Jacobian-based dataset augmentation to augment the query sets. All comparisons were performed under the same settings (including learning rate, model architecture, query budget, number of training epochs, etc.). Each experiment was run at least three times. In addition to the two metrics mentioned in Sect. 4.1, we also introduce relative accuracy, relative(×), to show the difference in accuracy between the substitute model and the victim model. The detailed results are shown in Table 1 and Table 2. Table 1. Comparison of fidelity, accuracy and relative accuracy obtained from various attacks on the MNIST & Fashion-MNIST datasets. Dataset

Architecture

Method

Fidelity (%)

Accuracy (%)

MNIST

LeNet

Victim model

100

98.74

1.00

Fashion-MNIST (Proxy)

half-LeNet

Baseline

75.42 ± 1.93

75.12 ± 1.97

0.76

Knockoff [18]

83.30 ± 3.90

82.93 ± 3.84

0.84

JBDA [20]

79.85 ± 3.74

79.44 ± 3.73

0.80

GAME (Ours)

90.93 ± 1.61

90.36 ± 1.67

0.92

Baseline

81.25 ± 1.83

80.96 ± 1.85

0.82

Knockoff [18]

81.02 ± 2.23

80.70 ± 2.22

0.82

JBDA [20]

69.76 ± 0.83

69.42 ± 0.91

0.70

GAME (Ours)

86.41 ± 1.44

85.97 ± 1.47

0.87

VGG-16

Relative (×)

MNIST and Fashion-MNIST. We present the fidelity and accuracy of extracted models across various attacks for Fashion-MNIST in Table 1. In this experiment, the victim model achieved an accuracy of 98.74% after training for

582

Y. Xie et al.

15 epochs on the MNIST dataset. We find that each method showed advantages over the baseline in the half-LeNet experiment. Among these attacks, GAME gets the highest fidelity (90.93%) and accuracy (90.36%), which achieves a relative accuracy of 0.92. When the substitute model architecture is changed to VGG-16, the performance of all method is reduced, but GAME still leads other attacks with the fidelity of 86.41%. BelgiumTSC and GTSRB. GAME shows similar advantages in the second pair of dataset experiments, as shown in Table 2. In this experiment, the victim model achieved an accuracy of 98.29% after training for 20 epochs on the BelgiumTSC dataset. When the structure of the substitute model is set to half-AlexNet, all methods have more than 10% improvement compared to the baseline, and GAME achieves the best attack performance. Besides, regardless of the substitute model architecture, the GAME attack exhibits certain stability: the standard deviation of fidelity and accuracy are relatively small, especially in the experiments of ResNet-18. Table 2. Comparison of fidelity, accuracy and relative accuracy obtained from various attacks on the BelgiumTSC & GTSRB datasets. Dataset

Architecture

Method

Fidelity (%)

Accuracy (%)

BelgiumTSC

AlexNet

Victim model

100

98.29

1.00

GTSRB (Proxy)

half-AlexNet

Baseline

63.79 ± 0.56

63.20 ± 0.53

0.64

Knockoff [18]

74.33 ± 1.83

73.39 ± 1.86

0.75

JBDA [20]

74.09 ± 1.93

73.39 ± 1.99

0.75

GAME (Ours)

76.74 ± 1.06

75.88 ± 1.07

0.77

Baseline

66.79 ± 0.98

65.92 ± 1.18

0.67

Knockoff [18]

73.26 ± 1.99

72.16 ± 2.04

0.73

JBDA [20]

69.34 ± 0.78

68.49 ± 0.72

0.70

GAME (Ours)

74.52 ± 0.37

73.77 ± 0.46

0.75

ResNet-18

5 5.1

Relative (×)

Ablation Study Impact of Category Selection Strategies

To evaluate the impact of different category selection strategies on attack efficiency, we evaluated the performance on two pairs of datasets while keeping the experimental settings consistent with Sect. 4.1. To improve the reliability of the results, each experiment was run for 6 rounds and the average value is shown in Fig. 3. Due to the high accuracy of the two victim models (98.74% for the MNIST model and 98.29% for the BelgiumTSC model), the fidelity and accuracy of each substitute model are close.

GAME: Generative-Based Adaptive Model Extraction Attack

583

According to the first row (experiments on MNIST&Fashion-MNIST) of Fig. 3, the uncertainty-based active learning strategy outperforms others with the query budget increasing. When the query budget is increased to 5k, the deviation-based strategy achieves better performance than that of the random strategy. As for the second row (experiments on BelgiumTSC>SRB) of Fig. 3, the uncertainty-based strategy also gets a good performance. However, the performance of the deviation strategy is weaker than that of the random strategy when the query budget is greater than 3k. We believe that it may be related to the distribution of the substitute dataset compared to the original dataset, which is further discussed in Sect. 5.3. In conclusion, choosing the uncertainty-based strategy is the best practice for launching a GAME attack.

Fig. 3. Comparison of different active learning strategies. The first row shows the attack performance on the MNIST&Fashion-MNIST dataset, and the second row shows the performance on the BelgiumTSC>SRB dataset, which are evaluated from three indicators: fidelity, accuracy, and relative accuracy.

5.2

Impact of Fine-tuning Indicators

We compare the performance of the fine-tuning indicators and their combination strategies. For a fair comparison, we keep all configurations unchanged except the fine-tuning indicators. Furthermore, to eliminate the impact of generator performance on experiments, we use the same pre-trained AC-GAN model for all experiments, i.e., updating on the same initial generator. For multiple indicators experiments, we use coefficients βi to control the proportion of each item to balance each indicator, as shown in Eq. (14). Each experiment was run multiple

584

Y. Xie et al.

none

res

bou

dif

adv

none

res

bou

dif

adv

Fig. 4. Synthetic samples of different indicators. The first row shows the synthetic Fashion-MNIST images. The second row show the synthetic GTSRB images.

times to ensure correctness. The results are shown in Fig. 5, where n represents the number of indices to be combined, and none represents the attack with pre-trained AC-GAN without fine-tuning. We also show samples generated by different indicators, as shown in Fig. 4. The displayed samples are randomly generated without manual screening.

Fig. 5. The performance of fine-tuning indicators combination strategies.

According to Fig. 5, all feedback items show better performance than none, which illustrates the positive effect of fine-tuning. Among them, the res item achieved the best performance, which leads the other items by a large margin. In Fig. 5(b), the combination of res and bou achieves the best results, and they also achieved good performance in Fig. 5(a), respectively. However, the combination of res and dif does not show a corresponding advantage, although they perform well in Fig. 5(a). In the experiment of three indicators, res + bou + dif achieves the best performance, in which the substitute model fidelity reaches 94.42%.

GAME: Generative-Based Adaptive Model Extraction Attack

585

Fig. 6. Performance of different attacks with different proxy distribution and proxy size. The first row shows the performance with size-unlimited proxy sets. The second row shows the performance with size-limited proxy sets.

5.3

Impact of the Proxy Dataset Distribution and Size

We measure the fidelity and stability of four attacks under different proxy dataset assumptions about two aspects: distribution and size. First, we selected three datasets (MNIST, EMNIST-digits, and Fashion-MNIST) to simulate different proxy set distribution corresponding to different attacker capabilities. Second, we test the performance of all attacks on size-unlimited and size-limited proxy sets, the latter of which makes the attack more difficult. In the size-unlimited proxy set experiments (the first row of Fig. 6), all settings keep the same as that in Sect. 4.1, except the pre-training epochs of ACGAN is modified according to the dataset complexity. In the size-limited proxy set experiments (the second row of Fig. 6), all attackers can only get a proxy set of size 4k, which is half of the query budget. For both experiments, every sub-experiment was run 10 times. We use two metrics to evaluate these four attacks, fidelity (median of the box) and stability (length of the box). From the fidelity view, all attacks are sensitive to proxy set distribution, except for GAME, as shown in the first row of Fig. 6. With the proxy dataset becomes less relevant to the task domain, the average fidelity achieved by the other three attacks tends to decrease. A similar phenomenon occurs when the size of proxy set is limited, as shown in the second row of Fig. 6. From the view of stability, both of the GAME and baseline attacks get a good performance regardless of how the distribution and size of proxy sets change, as their boxes are shorter in length. The other two attack methods are less stable, especially

586

Y. Xie et al.

when the proxy data distribution is set to the original distribution. In summary, the GAME attack can achieve the best fidelity among these attacks and is more stable to different distribution and size of the proxy sets.

6

Conclusion

In this paper, we introduce GAME, a novel model extraction attack, which allows an attacker to use only a small amount of public proxy data for adaptive data augmentation, even if the attacker does not know the architecture of the victim model. To cope with the limited samples problem often faced by model extraction attackers, we design a data augmentation algorithm based on AC-GAN, which can efficiently generate query samples of specified categories. To address the issue of query efficiency, we propose an active learning-based category selection module and a feedback indicator-based adaptive generator updating strategy, respectively. According to extensive experiments, the GAME scheme exhibits excellent stealing ability with higher stability. Acknowledgement. This work was supported by the National Natural Science Foundation of China (Nos. 61960206014 and 62121001), the Fundamental Research Funds for the Central Universities (No. ZDRC2204), and China 111 Project (No. B16037).

References 1. Barbalau, A., Cosma, A., Ionescu, R.T., Popescu, M.: Black-box ripper: copying black-box models using generative evolutionary algorithms. In: Advances in Neural Information Processing Systems (NIPS), vol. 33, pp. 20120–20129 (2020) 2. Chen, H., et al.: Data-free learning of student networks. In: Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV), pp. 3514–3522 (2019). https://doi.org/10.1109/iccv.2019.00361 3. Chen, P.Y., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.J.: Zoo: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security (AISec@CCS), pp. 15–26 (2017). https://doi.org/10.1145/3128572. 3140448 4. Fang, G., Song, J., Shen, C., Wang, X., Chen, D., Song, M.: Data-free adversarial distillation. CoRR abs/1912.11006 (2019) 5. Fredrikson, M., Jha, S., Ristenpart, T.: Model inversion attacks that exploit confidence information and basic countermeasures. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 1322– 1333 (2015). https://doi.org/10.1145/2810103.2813677 6. Han, S., Mao, H., Dally, W.J.: Deep compression: compressing deep neural network with pruning, trained quantization and Huffman coding. In: International Conference on Learning Representations (ICLR) (2016) 7. He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pp. 770–778 (2016). https://doi.org/10.1109/cvpr.2016.90

GAME: Generative-Based Adaptive Model Extraction Attack

587

8. Hinton, G.E., Vinyals, O., Dean, J.: Distilling the knowledge in a neural network. CoRR abs/1503.02531 (2015) 9. Houben, S., Stallkamp, J., Salmen, J., Schlipsing, M., Igel, C.: Detection of traffic signs in real-world images: the German traffic sign detection benchmark. In: The 2013 International Joint Conference on Neural Networks (IJCNN), pp. 1–8 (2013). https://doi.org/10.1109/ijcnn.2013.6706807 10. Jagielski, M., Carlini, N., Berthelot, D., Kurakin, A., Papernot, N.: High accuracy and high fidelity extraction of neural networks. In: 29th USENIX Security Symposium (USENIX), pp. 1345–1362 (2020) 11. Jia, J., Salem, A., Backes, M., Zhang, Y., Gong, N.Z.: Memguard: defending against black-box membership inference attacks via adversarial examples. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 259–274 (2019). https://doi.org/10.1145/3319535.3363201 12. Kariyappa, S., Prakash, A., Qureshi, M.K.: Maze: data-free model stealing attack using zeroth-order gradient estimation. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pp. 13814–13823 (2021). https://doi.org/10.1109/cvpr46437.2021.01360 13. Krizhevsky, A., Sutskever, I., Hinton, G.E.: ImageNet classification with deep convolutional neural networks. In: Advances in Neural Information Processing Systems (NIPS), vol. 25 (2012) 14. LeCun, Y., Bottou, L., Bengio, Y., Haffner, P.: Gradient-based learning applied to document recognition. Proc. IEEE 86(11), 2278–2324 (1998). https://doi.org/10. 1109/5.726791 15. Micaelli, P., Storkey, A.J.: Zero-shot knowledge transfer via adversarial belief matching. In: Advances in Neural Information Processing Systems (NIPS), vol. 32 (2019) 16. Nayak, G.K., Mopuri, K.R., Shaj, V., Radhakrishnan, V.B., Chakraborty, A.: Zero-shot knowledge distillation in deep networks. In: International Conference on Machine Learning (ICML), pp. 4743–4751 (2019) 17. Odena, A., Olah, C., Shlens, J.: Conditional image synthesis with auxiliary classifier GANs. In: International Conference on Machine Learning (ICML), pp. 2642–2651 (2017) 18. Orekondy, T., Schiele, B., Fritz, M.: Knockoff nets: stealing functionality of blackbox models. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pp. 4954–4963 (2019). https://doi.org/10.1109/ cvpr.2019.00509 19. Pal, S., Gupta, Y., Shukla, A., Kanade, A., Shevade, S., Ganapathy, V.: ActiveThief: model extraction using active learning and unannotated public data. In: Proceedings of the AAAI Conference on Artificial Intelligence (AAAI), vol. 34, pp. 865–872 (2020). https://doi.org/10.1609/aaai.v34i01.5432 20. Papernot, N., McDaniel, P., Goodfellow, I., Jha, S., Celik, Z.B., Swami, A.: Practical black-box attacks against machine learning. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security (AsiaCCS), pp. 506–519 (2017). https://doi.org/10.1145/3052973.3053009 21. Rolnick, D., Kording, K.: Reverse-engineering deep ReLU networks. In: International Conference on Machine Learning (ICML), pp. 8178–8187 (2020) 22. Salem, A., Bhattacharya, A., Backes, M., Fritz, M., Zhang, Y.: {Updates-Leak}: data set inference and reconstruction attacks in online learning. In: 29th USENIX Security Symposium (USENIX), pp. 1291–1308 (2020)

588

Y. Xie et al.

23. Salem, A., Zhang, Y., Humbert, M., Fritz, M., Backes, M.: ML-leaks: model and data independent membership inference attacks and defenses on machine learning models. In: Network and Distributed Systems Security Symposium (NDSS) (2019). https://doi.org/10.14722/ndss.2019.23119 24. Shokri, R., Stronati, M., Song, C., Shmatikov, V.: Membership inference attacks against machine learning models. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 3–18 (2017). https://doi.org/10.1109/sp.2017.41 25. Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: International Conference on Learning Representations (ICLR) (2015) 26. Timofte, R., Zimmermann, K., Van Gool, L.: Multi-view traffic sign detection, recognition, and 3D localisation. Mach. Vis. Appl. 25(3), 633–647 (2014). https:// doi.org/10.1109/wacv.2009.5403121 27. Tram`er, F., Zhang, F., Juels, A., Reiter, M.K., Ristenpart, T.: Stealing machine learning models via prediction APIs. In: 25th USENIX Security Symposium (USENIX), pp. 601–618 (2016) 28. Truong, J.B., Maini, P., Walls, R.J., Papernot, N.: Data-free model extraction. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pp. 4771–4780 (2021). https://doi.org/10.1109/cvpr46437. 2021.00474 29. Wang, D., Li, Y., Wang, L., Gong, B.: Neural networks are more productive teachers than human raters: active mixup for data-efficient knowledge distillation from a blackbox model. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pp. 1498–1507 (2020). https://doi.org/ 10.1109/cvpr42600.2020.00157 30. Wang, W., et al.: Delving into data: effectively substitute training for blackbox attack. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pp. 4761–4770 (2021). https://doi.org/10.1109/ cvpr46437.2021.00473 31. Wang, Y., Du, S., Balakrishnan, S., Singh, A.: Stochastic zeroth-order optimization in high dimensions. In: International Conference on Artificial Intelligence and Statistics (AISTATS), pp. 1356–1365 (2018) 32. Xiao, H., Rasul, K., Vollgraf, R.: Fashion-MNIST: a novel image dataset for benchmarking machine learning algorithms. CoRR abs/1708.07747 (2017) 33. Xu, G., Liu, Z., Loy, C.C.: Computation-efficient knowledge distillation via uncertainty-aware mixup. CoRR abs/2012.09413 (2020) 34. Yang, Z., Zhang, J., Chang, E.C., Liang, Z.: Neural network inversion in adversarial setting via background knowledge alignment. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 225– 240 (2019). https://doi.org/10.1145/3319535.3354261 35. Yoo, J., Cho, M., Kim, T., Kang, U.: Knowledge extraction with no observable data. In: Advances in Neural Information Processing Systems (NIPS), vol. 32 (2019) 36. Yu, H., Yang, K., Zhang, T., Tsai, Y., Ho, T., Jin, Y.: CloudLeak: large-scale deep learning models stealing through adversarial examples. In: Network and Distributed Systems Security Symposium (NDSS) (2020). https://doi.org/10.14722/ ndss.2020.24178

AttacKG: Constructing Technique Knowledge Graph from Cyber Threat Intelligence Reports Zhenyuan Li1 , Jun Zeng2 , Yan Chen3(B) , and Zhenkai Liang2 2

1 Zhejiang University, Hangzhou, China National University of Singapore, Singapore, Singapore 3 Northwestern University, Evanston, USA li [email protected]

Abstract. Cyber attacks are becoming more sophisticated and diverse, making attack detection increasingly challenging. To combat these attacks, security practitioners actively summarize and exchange their knowledge about attacks across organizations in the form of cyber threat intelligence (CTI) reports. However, as CTI reports written in natural language texts are not structured for automatic analysis, the report usage requires tedious manual efforts of threat intelligence recovery. Additionally, individual reports typically cover only a limited aspect of attack patterns (e.g., techniques) and thus are insufficient to provide a comprehensive view of attacks with multiple variants. In this paper, we propose AttacKG to automatically extract structured attack behavior graphs from CTI reports and identify the associated attack techniques. We then aggregate threat intelligence across reports to collect different aspects of techniques and enhance attack behavior graphs into technique knowledge graphs (TKGs). In our evaluation against real-world CTI reports from diverse intelligence sources, AttacKG effectively identifies 28,262 attack techniques with 8,393 unique Indicators of Compromises. To further verify the accuracy of AttacKG in extracting threat intelligence, we run AttacKG on 16 manually labeled CTI reports. Experimental results show that AttacKG accurately identifies attack-relevant entities, dependencies, and techniques with F1-scores of 0.887, 0.896, and 0.789, which outperforms the state-of-the-art approaches. Moreover, our TKGs directly benefit downstream security practices built atop attack techniques, e.g., advanced persistent threat detection and cyber attack reconstruction.

1

Introduction

Advanced cyber attacks have been growing rapidly. The trend of attacks is to adopt increasingly sophisticated tactics and diverse techniques [11], such as multi-stage Advanced Persistent Threats (APTs), making detection more challenging than ever. To combat these attacks, security analysts actively exchange threat intelligence to enhance detection capabilities. c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 589–609, 2022. https://doi.org/10.1007/978-3-031-17140-6_29

590

Z. Li et al.

Among them, structured threat intelligence defined by open standards (e.g., OpenIoC [10] and STIX [7]) are widely shared on open-source platforms (e.g., AlienVault OTX [1] and IBM X-Force [6]) and utilized in security operation centers. Such intelligence standards define cyber attacks as Indicators of Compromises (IoCs), which are artifacts in forensic intrusions, such as MD5 hashes of malware samples and IP/domains of command-and-control (C&C) servers. However, recent studies have shown that detection with disconnected IoCs is easy to bypass [28,32]. For example, attackers can frequently change domains used in attack campaigns to evade detection. In comparison, by taking IoC interactions into account, graphbased detection typically demonstrates better robustness [29] by identifying attack techniques aligned to adversarial goals. Specifically, attack techniques [12,23] are basic units that describe “how” attack actions are performed and are well used in security solutions (e.g., endpoint detection and response systems). Attack techniques can be found in unstructured CTI reports written by security practitioners based on their observations of attack scenarios in the wild. In particular, a well-written report precisely describes attack behaviors through enumerating attack-relevant entities (e.g., CVE-2017-11882 ) and their dependencies (e.g., stager connecting to C&C sever). However, recovering attack behaviors from textual CTI requires non-trivial manual efforts. A system capable of automatically extracting attack technique knowledge from CTI reports can significantly benefit cyber defenses by reducing human efforts and accelerating attack responses. We identify two key challenges in the automation of knowledge extraction from CTI reports: (1) As CTI reports are written in an informal format, in natural languages, identifying structured attack behaviors needs to analyze semantics in unstructured CTI texts; (2) Attack knowledge is dispersed across multiple reports. Individual reports commonly focus on limited/incomplete attack cases, making it difficult to obtain a comprehensive view of attacks. And existing works on CTI report parsing [22,24,25,34,35] only focus on attack cases within a single report. In this paper, we propose AttacKG , a novel approach to aggregate threat intelligence across CTI reports and construct a knowledge-enhanced attack graph that summarizes attack-technique-level workflows in CTI reports. Based on enhanced knowledge, we introduce a new concept called technique knowledge graph (TKG), which identifies causal techniques from attack graphs to describe complete attack chains in CTI reports. More specifically, we first adopt a pipeline to parse a CTI report and extract attack entities and their dependencies as an attack graph. Then, we initialize technique templates using attack graphs built upon technique procedure examples crawled from the MITRE ATT&CK knowledge base [12]. Next, we utilize a revised graph alignment algorithm to match attack graphs from CTI reports and technique templates. Towards this end, we can align and refine attack entities in both CTI reports and technique templates. While technique templates aggregate specific and potentially new intelligence from real-world attack scenarios, attack graphs can leverage such knowledge from templates to construct TKGs. We implement AttacKG and evaluate it against 7,373 procedures of 179 techniques crawled from MITRE ATT&CK and 1,515 CTI reports collected

AttacKG: Constructing Technique Knowledge Graph from CTI Reports

591

from multiple intelligence sources [3,18]. Our experimental result demonstrates that AttacKG substantially outperforms existing CTI parsing solutions such as EXTRACTOR [35] and TTPDrill [24]: (1) With our CTI report parsing pipeline, AttacKG accurately constructs attack graphs from reports with F1-scores of 0.887 and 0.896 for entities and dependencies extraction, respectively; (2) Based on extracted attack graphs, AttacKG accurately identifies attack techniques with an F1-score of 0.789; (3) AttacKG successfully collect 28,262 techniques, and 8,393 unique IoCs from 1,515 CTI reports. To the best of our knowledge, this is the first work to aggregate attack knowledge from multiple CTI reports at the technique level. In particular, our work makes the following contributions: – We present a new pipeline for CTI report parsing with better efficiency and effectiveness in constructing attack graphs. – We propose the design of technique templates to describe and collect technique knowledge, and a revised graph alignment algorithm to identify attack techniques with templates. By aligning templates with technique implementations described in attack graphs, we exchange the knowledge from both to refine each other and form technique knowledge graphs (TKGs). – We implement AttacKG1 and evaluate it with 1,515 real-world CTI reports. The results demonstrate that AttacKG accurately extracts attack graphs from reports and effectively aggregates technique-level threat intelligence from multiple unstructured CTI reports.

2

Background and Related Work

In this section, we first introduce the outbreaking attack mutations. Then, we introduce state-of-the-art threat intelligence extraction solutions. Finally, we present a real-world CTI report as a motivating example for intuitive illustration. 2.1

Cyber Attacks and Reports

Attackers actively create attack variants to evade detection. To systematize and summarize the behaviors in attack variants, MITRE proposed the ATT&CK Tactics-Techniques-Procedures (TTP) matrix based on real-world observations of cyber attacks. In the hierarchical TTPs matrix, tactics describe why an adversarial action is performed, which are typically fixed for an attack, while the selections and implementations of techniques that describe how to perform the adversarial action are more flexible. As shown in Fig. 1, the commonly used technique “T1547-Boot or Logon Autostart Execution” for tactic “Persistent” can be implemented in at least four different ways: (A) “Registry Run Keys”, (B) “Auto-start folder ”, (C) “Shortcut Modification”, and (D) “DLL Side-loading”. The number of variants grows 1

We make AttacKG’s implementation publicly available at https://github.com/lizhenyuan/Knowledge-enhanced-Attack-Graph.

592

Z. Li et al.

Fig. 1. Technique template generated by AttacKG and corresponding real-world description for “T1547-Boot or Logon Autostart Execution” with four variants corresponding to fourteen MITRE sub-techniques categorized as (A) Registry Run Keys, (B) Auto-start folder, (C) Shortcut Modification, and (D) DLL Side-loading.

exponentially if detailed implementations, such as different selections of the registry key, are taken into consideration. Our observation is that while the ways of technique implementations are relatively limited, the implementation details can be highly varied. Therefore, a system that can identify various attack techniques and collect the corresponding implementation details will significantly benefit downstream security tasks (e.g., intrusion detection and attack forensics). The manually-crafted TTP matrix cannot cover various technique implementations. Such detailed implementation knowledge only comes from practice. Thus, security practitioners actively gather and share attack knowledge as threat intelligence. Such cyber threat intelligence (CTI) is typically managed and exchanged in the form of either structured and machine-digestible Indicators of Compromise (IoCs) or unstructured and natural language reports. 2.2

Threat Intelligence Extraction

Cyber threat intelligence (CTI) plays a vital role in security solutions to keep up with the rapidly evolving landscape of cyber attacks [20,33]. To facilitate CTI knowledge exchange and management, the security community has standardized open formats (e.g., OpenIoC [10] and STIX [7]) to describe Indicators of Compromises (IoCs). Though structured and machine-readable, such intelligence lacks semantic information about how IoCs interact to form attack chains. In this paper, we aim to fulfill this semantic gap with attack-technique-level knowledge aggregated across CTI reports. Poirot [32] utilizes manually extracted and generalized (attack) query graphs for intrusion detection in provenance graphs constructed from system logs, which validates the efficacy of threat intelligence in detection. However, manually extracting attack-relevant information from uninstructed texts is laborintensive and error-prone, hindering CTI’s applications in practice. Therefore, several approaches have been proposed to analyze CTI reports automatically.

AttacKG: Constructing Technique Knowledge Graph from CTI Reports

593

Table 1. Comparison of threat intelligence extraction methods Automatic

Graph-structure

Technique-aware

Cross-reports

Poirot [32]

✗

✓

✗

✗

iACE [31]

✓

✗

✗

✗

Extractor [35] & ThreatRaptor [21]

✓

✓

✗

✗

TTPDrill [24] & rcATT [27], etc.

✓

✗

✓

✗

AttacKG

✓

✓

✓

✓

As Table 1 shows, these solutions can be roughly divided into several categories. Specifically, iACE [31] presents a graph mining technique to collect IoCs available in tens of thousands of security articles. Extractor [35] and ThreatRaptor [21] customize NLP techniques to model attack behaviors in texts as attack graphs. TTPDrill [24], rcATT [27] and ChainSmith [37] derive threat actions from reports and map them to attack patterns (e.g., tactic and techniques in MITRE ATT&CK [12]) with pre-defined ontology or machine learning techniques. Similar to prior studies, the large body of AttacKG is to automate attack knowledge extraction from CTI. Nevertheless, AttacKG distinguishes itself from these works in the sense that it identifies TTPs and constructs technique knowledge graphs (TKGs) to summarize technique-level knowledge across CTI reports. 2.3

Motivating Example

Figure 2 presents a real-world APT attack campaign called Frankenstein [5]. The campaign name comes from the ability of its threat actors to piece together different independent techniques. As shown, this campaign consists of four attack techniques, namely, T1566-Phishing E-mail, T1204-User Execution, T1203Exploitation and T1547-Boot Autostart. Each technique involves multiple entities and dependencies to accomplish one or more tactical attack objectives. It presents a typical multi-stage attack campaign that consists of multiple atomic techniques. To evade detection, this attack can be morphed easily by replacing any technique with an alternative one. Therefore, summarized knowledge of different attack techniques, which is robust and semantically rich, is beneficial to the detection and investigation of cyber attacks [24,29,32]. Figure 2(B) to Fig. 2(D) show the attack knowledge retrieved from the report sample by TTPDrill [24], ChainSmith [37], and EXTRACTOR [35], respectively, while Fig. 2(A) represents the manually generated ground-truth. Figure 2(B) shows attack techniques identified by TTPDrill with manually-defined threat ontology. As shown, TTPDrill can only extract separate techniques from CTI reports without the whole picture. Besides, the ontology provided by TTPDrill contains only action-object pairs for technique identification, which is too vague and may lead to numerous false positives. As the example shows, sending a document is recognized as exfiltration in TTPDrill. However, the “trojanized” document is, in effect, sent by an attacker for exploitation. As shown in Fig. 2(C), ChainSmith provides a semantic layer on top of IoCs that captures different roles of IoCs in a malicious campaign. However, they only give a coarse-grained four-stage classification with limited information. As Fig. 2(D) shows, the attack

594

Z. Li et al.

Fig. 2. A motivating example

graph generated by EXTRACTOR merges all non-IoC entities of the same type. It thus loses the structural information of attack behaviors, making it impossible to identify attack techniques accurately. Figure 2(E) illustrates the ideal result we would like to extract in this paper. As long as we can locate attack techniques in attack graphs extracted from CTI reports, we are able to aggregate technique-level knowledge and enrich attack graphs with more comprehensive knowledge about the corresponding techniques. For example, we can find more possible vulnerabilities that can be used in T1203Exploitation for Execution as a replacement for CVE-2017-11882 appeared in this report. Moreover, the distinct threat intelligence can be collected and aggregated at the technique level across multiple CTI reports.

3 3.1

Approach Overview of AttacKG

Figure 3 shows the architecture of AttacKG. At a high level, AttacKG has two subsystems: (1) an attack graph extraction pipeline for CTI reports parsing and

AttacKG: Constructing Technique Knowledge Graph from CTI Reports

595

Fig. 3. Overview of AttacKG architecture.

attack graphs building, and (2) an attack technique identification subsystem for technique template generation and technique identification in attack graphs. Extract Attack Graphs from CTI Reports. To accurately extract attack graphs from CTI reports, we design a parsing pipeline of five stages. As shown in Fig. 3, this pipeline has two types of inputs: (1) technique procedure examples crawled from MITRE ATT&CK describing individual techniques, and (2) CTI reports describing multi-technique attack campaigns. The corresponding outputs of the pipeline are single-technique graphs for attack techniques and multi-technique graphs for attack campaigns, respectively. Identify Attack Technique with Templates. As discussed in Sect. 2, individual CTI reports typically have a limited aspect of attack patterns without a global view. In this paper, we aim to bridge this gap by aggregating threat intelligence across CTI reports with technique templates. For this purpose, we propose technique templates to aggregate technique-level intelligence and a revised graph alignment algorithm to identify techniques in attack graphs. As Fig. 3 shows, technique templates are initialized with single-technique attack graphs extracted from technique examples crawled from MITRE. Then, we adopt a revised attack graph alignment algorithm to identify attack techniques in multi-technique graphs extracted from CTI reports with the preinitialized templates. By aligning multi-technique attack graphs and technique templates, we can enhance the attack graphs with attack knowledge in templates into a technique knowledge graph (TKG) and update the technique templates with rich intelligence from CTI reports. Finally, we obtain two outputs: (1) technique templates that collect and aggregate attack knowledge across CTI reports at the technique level; (2) TKGs that summarize complete attack chains in CTI reports. It is worth mentioning

596

Z. Li et al.

that AttacKG can tolerate a few false-positives/false-negatives in templates or attack graphs as long as techniques implementations appear multiple times in different reports and most of them are parsed correctly. 3.2

CTI Reports Parser

In this section, we introduce our primary approach for extracting attack graphs from CTI reports. Well-written CTI reports include detailed technical descriptions of how attack-related entities interact to accomplish adversarial objectives in attack campaigns. Despite the rich information, it is challenging to accurately extract attack behaviors from CTI reports written in natural language. Specifically, we identify four key challenges: [C1] Domain-Specific Terms Identification. CTI reports often contain numerous security-related terms, such as IoCs and attack family names, that include special characters and confuse most off-the-shelf NLP models. [C2] Attack Entity and Dependency Extraction. Unlike provenance graphs that record attack actions with full details, CTI reports are written in a more summarized manner, providing an overview of the attack workflow. Thus, the attack graphs extracted from CTI reports usually illustrate coarse-grained and incomplete dependencies among entities. [C3] Co-reference Resolution. Co-reference is very common in natural language. We identify two types of co-reference in CTI reports. Explicit co-references use pronouns like “it” and “this” or definite article “the,” while implicit coreferences use synonyms to refer to entities that appear in the preceding text. [C4] Attack graph construction and simplification. Attack scenarios described in natural language are redundant and fractured, which NLP technology cannot address. Therefore we need to construct and simplify graphs with the assistance of domain knowledge. To overcome the above challenges, we design a new CTI report parsing pipeline based on the existing ones [4,21], with better performance in handling co-reference and constructing attack graphs. Notice that most CTI reports are shared in the forms of PDF and HTML, which we further translate into a uniform text format with open-source tools (e.g.,pdfpulmer and html2text). IoC Recognition and Protection with Regex [C1]. CTI reports contain numerous domain-specific terms, such as CVE-2017-21880 and /etc./passwd, which include special characters and thus confuse general NLP models. In order to avoid the influence of these terms while preserving the information on attack behaviors, we identify them with a refined version of open-source IoC recognizer [8] by extending the regex set and replacing them with commonly used words according to their entity types. We also record the location of replaced words for subsequent resumption of the IoCs. Afterward, we are able to adopt standard models [15] for first-stage CTI report parsing. Attack Entity and Dependency Extraction [C2, C3]. In addition to IoC entities, non-IoC entities also play important roles in attack technique expression. For better extraction, we classify entities into six types. Among them, Actor and

AttacKG: Constructing Technique Knowledge Graph from CTI Reports

597

Executable represent subjects of attack behaviors, while File, Network Connection, and Registry denote common system-level objects. Additionally, we identify several “other” types of entities that frequently appear in certain techniques but are difficult to directly map to system objects. As a result, we classify them into a separate category named Others. Then, we adopt a learning-based Named Entity Recognition (NER) model to recognize entities in CTI reports. The model is pre-trained on a large general corpus2 and re-trained with technique examples randomly sampled from MITRE that cover all techniques and entity types. To improve the accuracy of entity identification, we further use a customized rule-based entity recognizer3 to identify well-defined and common entities. Furthermore, we leverage an opensource co-reference resolver, co-referee4 , for explicit co-reference’s resolution. All pronouns for an attack-relevant entity are recorded in a linked table, and the corresponding nodes will be merged when constructing the attack graph. For intra-sentence dependency extraction, we first construct a dependency tree for each sentence with a learning-based nature language parsing model [15]. Then, we enumerate all pairs of attack-relevant entities (including their pronouns) and estimate the distance between them with the distance of their Lowest Common Ancestor (LCA) and the distance of their position in the sentence. Each entity will establish dependencies with its nearest entity unless only one entity exists in the sentence. Attack Graph Generation and Simplification [C3, C4]. Given extracted attack entities and dependencies, we can initialize a graph, called attack graph (Ga ), where nodes represent attack-relevant entities and edges represent their dependencies. So far, we have only considered the dependencies within sentences. Cross-sentence dependencies will be established through both explicit and implicit co-reference nodes. In particular, by merging co-reference nodes, we not only remove redundant nodes but also combine sentence-level sub-graphs into a whole attack graph. Explicit co-reference can be recognized by general NLP models, as discussed in Sect. 3.2, while implicit co-references need to be identified based on entities’ type and character-level overlaps. To do so, we use node-level alignment scores, as discussed in Sect. 3.3, to determine whether two nodes should be treated as co-references nodes. Finally, we generate a concise and clear attack graph describing all attack behaviors that appear in a CTI report. Our evaluation of a wide range of CTI reports demonstrates that the attack graph extraction pipeline is both accurate and effective (Sect. 4.2). 3.3

Technique Templates and Graph Alignment Algorithm

In order to identify techniques from attack graphs while preserving their implementation details mentioned in CTI reports, we first need a universal description 2 3 4

https://github.com/explosion/spacy-models/releases/tag/en core web sm-3.1.0. https://spacy.io/api/entityruler. https://github.com/msg-systems/coreferee.

598

Z. Li et al. Table 2. Notations in graph alignment Notation

Description

i:k

Node alignment between node i and k from separate graphs

i  j

A dependency (path) from node i to node j

Gt ::Ga

Graph alignment between Template Gt and Attack Graph Ga

Γ (i : k)

Alignment score between node i to node k

Γ (Gt :: Ga )

Alignment score between Template Gt and Attack Graph Ga

ΓN (Gt :: Ga ) Node-level alignment score between Template Gt and Graph Ga ΓE (Gt :: Ga )

Dependency-level alignment score between Template Gt and Graph Ga

of attack techniques. Towards this end, we propose the design of graph-structured technique templates to represent individual techniques. Inspired by the graph alignment algorithm in Poirot [32] for attack behavior identification in provenance graphs, we design a revised graph alignment algorithm for technique identification in attack graphs with templates. Finally, we introduce how to initialize and update technique templates with alignment results. Design of Technique Templates. To describe attack behaviors (represented as graphs) within techniques while aggregating threat intelligence, we model technique templates also as graphs (Gt ) with statistics of occurrences of entities (nodes) and dependencies (edges) in different CTI reports. In the graph, nodes represent aggregated entity knowledge, and edges represent possible dependencies among them. Moreover, we calculate the confidence of entities and dependencies by their occurrences in different reports. In this way, as long as techniques appear multiple times in different reports and most of them are parsed correctly, the impact of possible false positives and/or false negatives introduced by AttacKG’s misidentifications and adversarial or low-quality CTI reports can be tolerated. Graph Alignment for Technique Identification and Technique Knowledge Graph Construction. Both attack graphs we extracted in Sect. 3.2 and technique templates we generated in Sect. 3.3 potentially contain false-positive and/or false-negative nodes/edges. Therefore, we cannot use the exact match to align them. As an alternative, we propose a graph alignment algorithm between technique template Gt and attack graph Ga based on fuzzy matching. Specifically, as shown in Table 2, we define two kinds of alignments, i.e., node alignment between two nodes in two separate graphs and graph alignment that measures the overall similarity between a technique template and a specific subgraph in an attack graph. Node Alignment. We first enumerate every node k in an attack graph Ga to find its alignment candidates for every node i in a technique template Gt by calculating the alignment score for nodes Γ (i : k). The alignment score between two nodes is computed by Eqs. (1) and (2):  γ + (1 − γ) · Sim(i, k) Γ (i : k) = 0

itype = ktype , itype = ktype

(1)

AttacKG: Constructing Technique Knowledge Graph from CTI Reports Sim(i, k) = M ax(sim(iIoC , kIoC ), sim(iN LP , kN LP )).

599

(2)

Intuitively, if node i and node k have different types, then the alignment score will be zero. Otherwise, they will get a type-matched score γ. Then the similarity of nodes’ attributes (Sim(i, k)) can be determined by calculating character level [9] similarity (sim(i, k)) of IoC terms and natural language descriptions, which is enumerated in templates. If the alignment score reaches a pre-defined threshold, we will record the node alignment candidate in Ga to a list of the corresponding template node. Graph Alignment. Afterward, we iterate through all candidate nodes to calculate the overall alignment scores Γ (Gt :: Ga ) in two parts: node-level alignment scores ΓN (Gt :: Ga ) and edge-level alignment scores ΓE (Gt :: Ga ). Specifically, the alignment score between a technique template and an attack graph can be computed by Eqs. (3), (4), and (5):  (Γ (i : k) · ioccur ) (ioccur ),



ΓN (Gt :: Ga ) =

i∈Gt ,k∈Ga



ΓE (Gt :: Ga ) =

ij∈Gt kl∈Ga



(

(3)

i∈Gt

(Γ (i : k) · Γ (j : l) · (i  j)occur ) Cmin (k  l)



(4) ((i  j)occur ),

ij∈Ga

Γ (Gt :: Ga ) =

1 · (ΓN (Gt :: Ga ) + ΓE (Gt :: Ga )). 2

(5)

As shown, the node-level alignment score (ΓN (Gt :: Ga )) is a weighted sum of the alignment score (Γ (i : k)) of each node. The weights are proportional to the number of node occurrences (ioccur ) recorded in the template. In this way, we enhance the impact of important entities and dependencies that commonly appear in different CTI reports. Meanwhile, the edge-level alignment score (ΓE (Gt :: Ga )) depends on three factors: alignment scores of the nodes at both ends of the dependency (Γ (i : k) and Γ (j : l)); the minimal hop between both ends of the dependency (Cmin (k  l)) in the attack graph; the number of node occurrences ((i  j)occur ) recorded in the template. If two nodes are not connected, the dependency between them (Cmin (k  l)) will be set to infinity. Finally, the outputs of all five equations above are normalized to interval [0, 1]. We note that although the graph traversal is used, the computational overhead of the whole algorithm is acceptable due to the limited size of both attack graph and technique templates. After obtaining alignment scores for candidate permutations of each technique, we compare them with a pre-defined threshold and finally select aligned subgraphs of techniques. It is noteworthy that one attack graph node can be aligned to multiple techniques, and one technique can be found multiple time in an attack graph as long as each aligned subgraph have an alignment score above the threshold. TKG Construction. With the graph alignment results, we can attach attack knowledge described in technique templates, including alternative entities and techniques, to the corresponding positions in an attack graph. Then, we can obtain the technique knowledge graph (TKG) that introduces the whole attack chain in a CTI report with enhanced knowledge.

600

Z. Li et al.

Table 3. Attack entities in the template of the technique T1547-Boot or Logon Autostart Execution. Template entities

NLP descriptions

IoC terms

Executable

scripts, macros, . . .

*.exe, *.ps1, . . .

Register

register keys, register, . . .

HKLM\. . .\windows\currentversion\winlogon\*, HKLM\. . .\active setup\installed components\*, HKLM\Software\*\Run, . . .

Autostart Folder

startup folder, path, . . .

%HOMEPATH%\Start Menu\Programs\Startup\, ∼/.config/autostart/*, . . .

Shortcut File

shortcut, . . .

Side-loading DLL winlogon helper DLL, SSP DLL, . . .

*.lnk, . . . sspisrv.dll, . . .

Initialization and Updating of Technique Templates. Both the initialization and updating of technique templates rely on the graph alignment results. Initialization. The initialization of technique templates starts with a random single-technique attack graph extracted from MITRE technique examples. Then we align the initial template with other single-technique attack graphs of the same technique. The information in aligned attack graph nodes will be merged into the corresponding template node. And the unaligned nodes will be added to templates as new nodes, which is different from the updating process. Updating. By aligning, the node in an attack graph can be mapped to the node in the identified technique template. Then we update the IoC and natural language description sets in the template node with new terms from the aligned attack graph node. This allows us to aggregate threat intelligence across CTI reports at the technique level. Finally, we generate the technique template that aggregates threat intelligence and covers multiple technique variants across multiple reports, as the example shown in Fig. 1 and Table 3.

4

Evaluation

In this section, we focus on evaluating AttacKG’s accuracy of attack graph extraction and technique identification as a CTI report parser and its effectiveness in technique-level intelligence aggregation as a CTI knowledge collector. In particular, our evaluation aims at answering the following research questions (RQs): (RQ1) How accurate is AttacKG in extracting attack graphs (i.e., attack-related entities and dependencies) from CTI reports? (RQ2) How accurate is AttacKG in identifying attack techniques in CTI reports? (RQ3) How effective is AttacKG in aggregating technique-level intelligence across multiple CTI reports? At last, we also would like to evaluate how TKGs benefit downstream security tasks (e.g., attack detection and reconstruction).

AttacKG: Constructing Technique Knowledge Graph from CTI Reports

4.1

601

Evaluation Setup

To evaluate AttacKG, we crawled 1,515 real-world CTI reports mentioned in MITRE ATT&CK references whose sources range from Cisco Talos Intelligence Group [3], Microsoft Security Intelligence Center [14], etc. Moreover, we crawled 7,373 technique procedure examples out of 179 techniques from the MITRE ATT&CK knowledge-base [12] to formulate our technique templates. To answer RQ1 and RQ2, we manually label the ground-truth of entities, dependencies, and techniques in 16 of the collected reports: (1) DARPA TC Reports: We select five attack reports released by the DARPA TC program’s fifth engagement that cover different OS platforms (i.e., Linux, Windows, and FreeBSD), vulnerabilities (e.g., Firefox backdoor), and exploits (e.g., Firefox BITS Micro). (2) Real-world APT Campaign Reports: To explore the performance of AttacKG in practice, we select another eleven public CTI reports that describe APT campaigns from three well-known threat groups, i.e., Frankenstein [5], OceanLotus (APT32) [19], and Cobalt Group [13]. 4.2

Evaluation Results

RQ1: How Accurate Is AttacKG in Extracting Attack Graphs from CTI Reports? A typical attack technique consists of multiple threat actions presented as a set of connected entities in an attack graph. In particular, the accurate extraction of attack graphs is an essential starting point toward automated identification of attack techniques from CTI reports. To evaluate the accuracy of AttacKG in extracting attack graphs, we adopt the aforementioned 16 well-labeled CTI reports. We manually identify attack-related entities in the reports and correlate entities based on our domain knowledge of the attack workflow. It is noteworthy that in addition to natural language descriptions, DARPA TC reports also provide the graph representation of attacks, which serves as additional documentation to complement our manual labels. Given ground-truth entities and dependencies in the reports, we are able to compare AttacKG with the state-of-the-art open-source5 CTI report parser, EXTRACTOR [35], in terms of the precision, recall, and F1-score. For a fair comparison, we enable all optimizations in EXTRACTOR (e.g., Ellipsis Subject Resolution) when constructing attack graphs upon textual attack descriptions. As discussed in Sect. 3, an entity may correspond to multiple co-references across a CTI report. Since our goal is to identify unique entities (e.g., IoCs), we merge co-reference entities in the attack graph and integrate their dependencies with the remaining entities. Table 4 summarizes the results of AttacKG and EXTRACTOR in capturing entities and dependencies from the selected 16 CTI reports(Rows 2–7). As can be seen, despite slightly lower precision caused by a higher false-positive rate, AttacKG yields better accuracy overall (with an average F1-score improvement of 0.12) than EXTRACTOR due to a much lower false-negative rate. This is 5

https://github.com/ksatvat/EXTRACTOR.

602

Z. Li et al.

Table 4. Accuracy of attack graph extraction and technique identification in 16 CTI reports. (Columns 2–9 present the count of manually-generated ground-truth and −f alse negative(+f alse positive) in extracting attack-related entities, dependencies, and techniques. Columns 10–12 present the overall Precision, Recall, and F1-score.) CTI reports

Entities Dependencies Techniques Manual Extractor AttacKG Manual Extractor AttacKG Manual TTPDrill AttacKG

TC Firefox DNS Drakon APT TC Firefox Drakon Copykatz TC Firefox BITS Micro APT TC SSH BinFmt-Elevate TC Nginx Drakon APT Frankenstein Campaign OceanLotus(APT32) Campaign Cobalt Campaign DeputyDog Campaign HawkEye Campaign DustySky Campaign TrickLoad Spyware Campaign Emotet Campaign Uroburos Campaign APT41 Campaign Espionage Campaign

10 6 11 6 15 14 7 17 13 16 12 17 8 12 13 11

-4 -2 -6 -4 -2 -3 -0 -6 -1 -2 -2 -3 -4 -1 -1 -2

Overall Presicion Overall Recall Overall F-1 Score

1.000 1.000 1.000

0.843 0.771 0.806

(+4) (+0) (+0) (+0) (+0) (+1) (+2) (+0) (+2) (+3) (+1) (+1) (+0) (+2) (+5) (+6)

-0 -1 -1 -1 -2 -0 -0 -1 -0 -3 -0 -0 -1 -2 -1 -3

(+1) (+0) (+4) (+0) (+0) (+2) (+2) (+5) (+2) (+4) (+3) (+0) (+1) (+3) (+0) (+1)

0.860 0.915 0.887

9 5 10 5 15 16 7 17 14 17 12 16 7 13 12 10

-4 -2 -7 -4 -0 -5 -0 -4 -1 -5 -2 -4 -4 -3 -0 -3

(+3) (+0) (+0) (+0) (+0) (+1) (+1) (+0) (+1) (+3) (+1) (+0) (+0) (+0) (+1) (+2)

1.000 1.000 1.000

0.913 0.741 0.818

-2 -2 -0 -0 -2 -0 -1 -1 -2 -3 -0 -0 -2 -2 -1 -3

(+1) (+0) (+0) (+0) (+0) (+2) (+0) (+2) (+0) (+2) (+3) (+1) (+1) (+0) (+2) (+1)

0.906 0.886 0.896

8 4 5 5 6 9 5 8 10 11 5 4 7 7 6 4

-2 -1 -1 -2 -2 -1 -1 -2 -1 -2 -0 -0 -2 -0 -2 -0

(+10) (+13) (+14) (+14) (+22) (+18) (+12) (+21) (+35) (+64) (+32) (+18) (+16) (+23) (+26) (+19)

1.000 1.000 1.000

0.196 0.837 0.318

-0 -1 -2 -2 -0 -1 -2 -1 -0 -1 -0 -2 -3 -1 -1 -0

(+3) (+0) (+2) (+2) (+2) (+1) (+0) (+1) (+6) (+3) (+1) (+0) (+0) (+2) (+1) (+1)

0.771 0.808 0.789

expected as EXTRACTOR aggregates all non-IoC entities of the same type (e.g., process) into one entity, as shown in Fig. 2. In other words, no matter how many false-positive entities EXTRACTOR produces, they are treated as one false extraction as long as they belong to the same type. It is noteworthy that such aggregation design inevitably losses structural information of attack graphs and makes follow-up technique identification almost impossible. Hence, we only compare AttacKG with EXTRACTOR in extracting attack graphs rather than identifying attack techniques. RQ2: How Accurate Is AttacKG in Identifying Attack Techniques in CTI Reports? To answer RQ2, we use AttacKG to identify attack techniques in the 16 CTI reports and compare it with the state-of-the-art technique identifier, TTPDrill [24]. The core idea of TTPDrill is to extract threat actions from CTI reports and attribute such actions to techniques based on threataction ontology. Specifically, it manually defines 392 threat actions for 187 attack techniques in the original paper, while such ontology knowledge base has been extended to cover 3,092 threat actions for 246 attack techniques in its latest opensource implementation6 . Also noteworthy is that all attack techniques used by TTPDrill are derived from an old version of the MITRE ATT&CK matrix. To allow for a consistent comparison, we map every technique in TTPDrill to the latest version technique via the hyperlinks provided by MITRE. For example, T1086-PowerShell in TTPDrill is updated to T1059/001-Command and Scripting Interpreter: PowerShell. 6

https://github.com/mpurba1/TTPDrill-0.3.

AttacKG: Constructing Technique Knowledge Graph from CTI Reports

603

We evaluate AttacKG and TTPDrill on the 16 CTI reports annotated with the ground-truth techniques adopted in the attacks. The technique identification results are summarized in the last three rows in Table 4. We can observe that while both AttacKG and TTPDrill achieve reasonably low false-negative rates, TTPDrill is prone to high volumes of false-positive techniques (15.5 false positives per a report on average), which is nearly three times as many as the true positives. As a result, while the recall of AttacKG is only slightly higher than TTPDrill by 0.1, AttacKG significantly outperforms TTPDrill in terms of the precision and F1-score by 0.575 and 0.462, respectively. This result makes sense as TTPDrill treats threat actions extracted from CTI reports as action-object pairs. Accordingly, techniques that share partial threat actions tend to look similar in TTPDrill. In contrast, AttacKG aligns techniques to attack graphs, considering the full contexts of threat actions. Moreover, it is worth mentioning that we use fuzzy matching based on alignment scores for technique identification; thus, our approach can correctly identify attack techniques even with FPs/FNs in technique templates and/or extracted attack graphs. Our observation is that the overall accuracy is highest when the graph alignment score’s threshold is 0.85, The details of the threshold selection can be found in Appendix A. To verify the importance of each component in AttacKG towards technique identification, we perform an ablation study by considering four variants of AttacKG, as discussed in Appendix B. RQ3: How Effective Is AttacKG at Aggregating Technique-Level Intelligence from Massive Reports? To answer RQ3, we explore the effectiveness of AttacKG in extracting threat intelligence (e.g., techniques and IoCs entities) on 1,515 CTI reports collected from different intelligence sources. Table 5 lists the ten most common techniques that appeared in the 1,515 reports and the number of their corresponding unique IoCs, which mostly overlap with manually generated top TTP lists by PICUS [16] and redcanary [17]. Table 5. Effectiveness of Threat Intelligence Extraction from 1,515 CTI Reports. Top 6 Techniques

Occurrences in reports

#Unique IoCs Executable Network File Registry Vulner.

T1071 T1059 T1083 T1170 T1105 T1003

1113 1089 1060 990 990 961

12 6 6 -

452 394 389 -

371 284 249 255 261 220

100 74 -

12 9 7 -

28262

495

2813

4634 384

67

-

Command & Control Scripting Interpreter File/Directory Discovery Indicator Removal Ingress Tool Transfer OS Credential Dumping

All Techniques Summary

Each report, on average, contains 18.7 techniques and 5.5 unique IoCs, and different techniques likely involve different IoCs. Note that most CTI reports do not provide unified and formatted intelligence to validate our extracted results,

604

Z. Li et al.

which is also our motivation behind this work. Therefore, we randomly select several technique templates with intelligence aggregated from reports for manual investigation. Specifically, we observe that templates successfully collect unique IoCs for different technique implementations across CTI reports. As the example in Fig. 1 and Table 3 shows, we identify multiple unique IoC terms playing similar roles in different reports. Such template-aggregated intelligence can directly enrich our understanding of attack techniques. Furthermore, the TKG built on templates can help understand the entire attack and possible variants for more robust detection and investigation, as shown in Sect. 2.3. 4.3

Case Study

This subsection discusses how TKGs can be adopted in real-world security tasks with case studies. Specifically, TKGs adopt the collated knowledge to enrich reports, thus helping to understand and reconstruct the attacks involved. In addition, TKGs with aggregated technique-level intelligence can enhance the detection of attack variants. TKG for Attack Reconstruction. In order for security practitioners and researchers to have an in-depth analysis, they have to bridge the knowledge gap between the real attacks and CTI reports. This gap can be addressed by having a first-hand practical environment that thoroughly describes how attack steps are performed in the CTI reports. AttacKG provides structured knowledge about an attack scenario, making it easier to reproduce cyber attacks in a testbed environment, benefiting analysts [36] with high fidelity and live reconstructed environment with in-depth details. We have demonstrated how AttacKG supports attack reconstruction in [30]. Taking the Frankenstein campaign as an example, with the TKG extracted from the corresponding report, we can quickly identify nine techniques for six tactics involved in the campaign, including T1566-Phishing for tactic Initial Access, T1547-Boot Autostart for tactic Persistence, T1203-Exploitation for Execution for tactic Execution, etc. Then, we can infer the environment needed to reconstruct the attack based on the techniques and entities involved in the attack. Specifically, autostart with registry implies that the attack is running in Windows. The use of vulnerability (CVE-2017-11882 ) for execution indicates the requirement of specific versions of Microsoft Office. After setup the environment, we can reproduce the campaign with open-source attack technique implementation, such as Atomi-Red-Teams [2]. All in all, AttacKG provides necessary information as the first step in the reconstruction process. TKGs for Attack Variants Detection. As discussed in Sect. 2.1, frequent and widely used attack variants are posing challenges for detection. Take a simple T1204-User Execution and T1547-Boot Autostart two-stage attack excerpted from Frankenstein Campaign, for example. Figure 4(A) and Fig. 4(B) demonstrate the attack and its variants with three nodes mutated. Specifically, the file server URL in T1204 was changed, and the implementation of T1547 was switched from (A) Registry Run Keys to (D) DLL Side-loading. It is noteworthy that such changes will not affect the functionality of the attack.

AttacKG: Constructing Technique Knowledge Graph from CTI Reports

605

Fig. 4. TKG for attack variants detection. (Red outlined mismatch items.) (Color figure online)

Then, three representative intelligence-based detection schemes based on different granularity are selected for comparison, namely, 1) iACE [31] that automatically extracts node-level intelligence (Fig. 4(C)), 2) Poirot [32] that adopt manually-extracted attack graphs for threat hunting (Fig. 4(D)), and 3) our approach that aggregates technique-level intelligence from multiple reports (Fig. 4(E)). As the matching results show, to avoid introducing numerous false positives, node intelligence-based detection requires exact matching, which can be easily bypassed by obfuscation. By considering structure information, attacklevel matching allows the generalization of node information to improve detection generality. However, attackers can still easily evade detection by changing techniques used in the campaign. Nevertheless, the technique-level intelligence we provide enables detectors to detect different attack techniques independently. Moreover, the pooled technique knowledge from multiple reports can effectively improve the detection of various variants. And the aggregated intelligence can be automatically merged with approaches like Eiger [26] for better generality.

5

Conclusion

In this paper, we propose an automated solution for retrieving structured threat intelligence from CTI reports. We use the notion of technique templates to summarize attack-technique-level threat intelligence across CTI reports. Then, we leverage attack knowledge in the templates to enhance attack graphs extracted from CTI reports and generate the technical knowledge graph (TKG). We implement our prototype system, AttacKG, and evaluate it with 1,515 real-world CTI reports. Our evaluation results show that AttacKG can extract attack graphs from CTI reports accurately and aggregate technique-level threat intelligence from massive reports effectively.

606

Z. Li et al.

Acknowledgement. This paper is supported in part by National Science Foundation with the Award Number (FAIN) 2148177, and by the National Research Foundation, Prime Ministers Office, Singapore under its National Cybersecurity R&D Program (Award No. NRF-NCL-P2-0001) and administered by the National Cybersecurity R&D Directorate. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not reflect the views of National Research Foundation, Singapore.

A

Selecting the Threshold Value

The selection of the threshold value for node/graph alignment scores affects the accuracy and efficiency of AttacKG. Specifically, too low a threshold for graph alignment score could result in premature matching (false positives), while too high could lead to missing reasonable matches (false negatives). For node alignment score, too low a threshold could leave unnecessary alignment candidates and cost longer report analysis time, while too high could lead to false negatives. Thus, there are trade-offs in choosing optimal threshold values. To determine optimal threshold values, we measure the F-score and report analysis time using varying threshold values, as shown in Fig. 5, and select optimal threshold values (0.65 for node alignment, 0.85 for graph alignment) that make each index better at the same time.

B

Ablation Study of AttacKG

In particular, we first remove part of the attributes in entities: the IoC information and natural language text termed AttacKGw\o IoC inf ormation and AttacKGw\o natural language text , respectively. Note that unlike the EXTRACTOR’s practice of merging entities, which may result in information loss, we only remove partial entity attributes without sacrificing the structural information of attack graphs. Moreover, we obtain another variant by filtering dependencies in

Fig. 5. Threshold selection

AttacKG: Constructing Technique Knowledge Graph from CTI Reports

607

attack graphs termed AttacKGw\o dependencies . That is, we predict attack techniques only based on entity sets. Finally, we disable the graph simplification component termed AttacKGw\o graph simplif ication . As different component combinations may affect the distribution of alignment scores, we adjust and choose identification thresholds separately for AttacKG variants in light of the optimal F1-scores. The results are summarized in Table 6. We find that removing any component would degrade AttacKG ’s performance, which well justifies our design choice. Especially, AttacKGw\o dependencies consistently performs the worst across all evaluation metrics. It verifies the substantial influence of graph structures in technique identification. Table 6. Ablation study of different components used in technique identification. Components

Precision Recall F1-Score

w/ all component

0.782

w/o IoC information

0.833

w/o natural language text 0.690

C

0.860 0.819 0.600

0.698

0.800

0.741

w/o dependencies

0.667

0.480

0.558

w/o graph simplification

0.696

0.780

0.736

Efficiency of AttacKG

Settings. We experimentally compared AttacKG’s efficiency with TTPDrill and Extractor on the 16 CTI report samples mentioned in Sect. 4.1 on a PC with AMD Ryzen 7-4800H Processor 2.9 GHz, 8 Cores, and 16 Gigabytes of memory, running Windows 11 64-bit Professional. The size of the reports used as samples ranges from 61 words to 1029 words, with an average of 278.2 words. Results. Extractor is the most complex system that consists of multiple NLP models and thus has the highest runtime overhead, taking 239.70 s on average to parse a report. Compared to Extractor, AttacKG adopts a simpler CTI report parsing pipeline. On average, it takes 8.9 s and 15.1 s for graph extraction and technique identification, respectively, totaling 24.0 s. TTPDrill, on the other hand, uses the simplest model without constructing attack graphs and thus is the fastest, taking only 5.9 s on average per report, but at the cost of a high false-positive rate.

References 1. AlienVault OTX. https://otx.alienvault.com 2. Atomic Red Team. https://github.com/redcanaryco/atomic-red-team 3. Cisco Talos Intelligence Group - Comprehensive Threat Intelligence. https://blog. talosintelligence.com/

608

Z. Li et al.

4. Extractor. https://github.com/ksatvat/EXTRACTOR 5. Frankenstein Campaign. https://blog.talosintelligence.com/2019/06/frankensteincampaign.html 6. IBM X-Force. https://exchange.xforce.ibmcloud.com/ 7. Introduction to STIX. https://oasis-open.github.io/cti-documentation/stix/intro. html 8. ioc parser. https://github.com/armbues/ioc parser 9. Levenshtein distance. https://en.wikipedia.org/wiki/Levenshtein distance 10. mandiant/OpenIOC 1.1. https://github.com/mandiant/OpenIOC 1.1 11. Microsoft says SolarWinds hackers stole source code for 3 products. https:// arstechnica.com/information-technology/2021/02/microsoft-says-solarwindshackers-stole-source-code-for-3-products R https://attack.mitre.org/ 12. MITRE ATT&CK. 13. Multiple Cobalt Personality Disorder. https://blog.talosintelligence.com/2018/07/ multiple-cobalt-personality-disorder.html 14. Security intelligence—Microsoft Security Blog. https://www.microsoft.com/ security/blog/security-intelligence/ 15. spaCy. https://spacy.io/ 16. The Top Ten MITRE ATT&CK Techniques. https://www.picussecurity.com/ resource/the-top-ten-mitre-attck-techniques 17. Top MITRE ATT&CK Techniques. https://redcanary.com/threat-detectionreport/techniques/ 18. Transparent Computing. https://www.darpa.mil/program/transparentcomputing 19. OceanLotus Campaign (2021). https://www.volexity.com/blog/2020/11/06/ oceanlotus-extending-cyber-espionage-operations-through-fake-websites/ 20. Gao, P., Liu, X., Choi, E., et al.: A system for automated open-source threat intelligence gathering and management. In: SIGMOD (2021) 21. Gao, P., Shao, F., Liu, X., et al.: Enabling Efficient Cyber Threat Hunting With Cyber Threat Intelligence. ICDE (2021) 22. Ghazi, Y., Anwar, Z., Mumtaz, R., Saleem, S., Tahir, A.: A supervised machine learning based approach for automatically extracting high-level threat intelligence from unstructured sources. In: 2018 International Conference on Frontiers of Information Technology (FIT), pp. 129–134. IEEE (2018) 23. Hossain, M.N., Sheikhi, S., Sekar, R.: Combating dependence explosion in forensic analysis using alternative tag propagation semantics. In: IEEE S&P (2020) 24. Husari, G., Al-Shaer, E., Ahmed, M., Chu, B., Niu, X.: TTPDrill: Automatic and accurate extraction of threat actions from unstructured text of CTI Sources. In: ACM International Conference Proceeding Series, vol. Part F1325 (2017) 25. Husari, G., Niu, X., Chu, B., Al-Shaer, E.: Using entropy and mutual information to extract threat actions from cyber threat intelligence. In: 2018 IEEE International Conference on Intelligence and Security Informatics (ISI), pp. 1–6. IEEE (2018) 26. Kurogome, Y., Otsuki, Y., et al.: Eiger: Automated IOC generation for accurate and interpretable endpoint malware detection. In: ACM ACSAC (2019) 27. Legoy, V., Caselli, M., Seifert, C., Peter, A.: Automated retrieval of att&ck tactics and techniques for cyber threat reports. arXiv preprint arXiv:2004.14322 (2020) 28. Li, G., Dunn, M., Pearce, P., et al.: Reading the Tea Leaves: A Comparative Analysis of Threat Intelligence. In: Usenix Security Symposium (2019) 29. Li, Z., Chen, Q.A., Yang, R., Chen, Y.: Threat Detection and Investigation with System-level Provenance Graphs: A Survey. Computer & Security 106 (2021)

AttacKG: Constructing Technique Knowledge Graph from CTI Reports

609

30. Li, Z., Soltani, A., Yusof, A., et al.: Poster: Towards automated and large-scale cyber attack reconstruction with apt reports. In: NDSS’22 Poster Session 31. Liao, X., Yuan, K., Wang, X., et al.: Acing the IOC game: toward automatic discovery and analysis of open-source cyber threat intelligence. In: CCS (2016) 32. Milajerdi, S.M., Gjomemo, R., Eshete, B., et al.: Poirot: aligning attack behavior with kernel audit records for cyber threat hunting. In: CCS, November 2019 33. Mu, D., Cuevas, A., Yang, L., et al.: Understanding the reproducibility of crowdreported security vulnerabilities. In: Usenix Security Symposium (2018) 34. Ramnani, R.R., Shivaram, K., Sengupta, S.: Semi-automated information extraction from unstructured threat advisories. In: Proceedings of the 10th Innovations in Software Engineering Conference, pp. 181–187 (2017) 35. Satvat, K., Gjomemo, R., Venkatakrishnan, V.: Extractor: Extracting attack behavior from threat reports. In: IEEE EuroS&P (2021) 36. Uetz, R., Hemminghaus, C., Hackl¨ ander, L., et al.: Reproducible and adaptable log data generation for sound cybersecurity experiments. In: Annual Computer Security Applications Conference, pp. 690–705 (2021) 37. Zhu, Z., Dumitras, T.: ChainSmith: Automatically learning the semantics of malicious campaigns by mining threat intelligence reports. In: IEEE European Symposium on Security and Privacy (2018)

SeInspect: Defending Model Stealing via Heterogeneous Semantic Inspection Xinjing Liu1 , Zhuo Ma1(B) , Yang Liu1(B) , Zhan Qin2 , Junwei Zhang1 , and Zhuzhu Wang1 1

Xidian University, Xi’an, China [email protected], [email protected], [email protected], zzwang [email protected] 2 Zhejiang University, Hangzhou, China [email protected]

Abstract. Recent works developed an emerging attack, called Model Stealing (MS), to steal the functionalities of remote models, rendering the privacy of cloud-based machine learning services under threat. In this paper, we propose a new defense against MS attacks, using Semantic Inspection (called SeInspect). SeInspect mainly achieves two breakthroughs in this line of work. First, state-of-the-art MS attacks tend to craft malicious queries within a distribution close to benign ones. Such a characteristic increases the stealthiness of these attacks and makes them able to circumvent most of the existing MS defenses. In SeInspect, we introduce a semantic feature based detection method to amplify the query distribution discrepancy between malicious and benign users. Thus, SeInspect can detect stealthy MS attacks with a higher detection rate than existing defenses. Second, in our evaluation, we notice that existing defenses cause significantly increased response latency of model service due to repetfitive user-by-user inspection (e.g., increased by 7.01 times for PRADA, EuroS&P 2019). To mitigate the problem, we propose to analyze semantic features with a two-layer defense mechanism. The first layer can achieve a “quickshot” on users in batches and pick out all potentially malicious users. Then, the second layer identifies the attacker in a user-by-user manner. In our evaluation, we experiment with SeInspect on eight typical MS attacks. The result shows that SeInspect can detect two more attacks than prior works while reducing latency by at least 54.00%.

Keywords: Model stealing attack Machine-learning-as-a-service

1

· Model stealing defense ·

Introduction

Advances in cloud computing expedite the boom of Machine-Learning-as-aService (MLaaS) platforms to provide black-box pay-per-query interfaces for c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 610–630, 2022. https://doi.org/10.1007/978-3-031-17140-6_30

SeInspect: Defending Model Stealing via Heterogeneous Semantic Inspection

611

model prediction services. However, recent studies [1,2] reveal that the adversary can steal the functionalities of neural networks deployed on an MLaaS platform with limited crafted samples, i.e., the Model Stealing (MS) attack. Up to now, extensive efforts [2–6] have been made to mitigate the concern caused by MS attacks. From these works, a consensus is that the MS attacker can be detected based on distributional discrepancy of their historical queries. This is because current MS attacks need to craft input data (e.g., via active learning [7] or Jacobian matrix [8]) to maximize the information gain of each query and save the total query budget. Therefore, the distribution of the informative queries crafted by MS attackers always deviates from normal queries. Although progressive steps have been made by current MS defenses, two problems still lower their practicality in real-world applications. 1 Every incoming query is analyzed separately. To judge whether an incoming query of a user is malicious, current defenders have to review the user’s all historical queries to estimate distributional discrepancy. This causes considerable response delay. For example, our evaluation shows that PRADA [2] and Vardetect [4] lead to an increase in response latency by at most 7.01 times and 20.06 times compared with non-defended, respectively. 2 Quite a few MS attackers [2,8] construct surrogate datasets by adding mild noises into same-distributed seed samples, thereby increasing the stealthiness of the attack samples. Most of the existing criteria used in MS defenses fail to detect such slight distributional discrepancy between the malicious queries and benign ones. Above all, how to realize effective detection against MS attacks with minimized utility degradation is still an urging challenge to address. Our Work. We propose a new defense SeInspect, which can detect MS attacks more accurately and causes a much lower response delay than existing defenses. SeInspect mainly improves from the following two perspectives. First, we provide a new way to inspect the distribution of queries based on semantic features, which enhances the detection ability of the defender against state-of-the-art MS attacks. Specifically, semantic features are transformed features that describe the low-dimensional latent space of raw data [9]. Taking advantage of the characteristics of semantic features, we amplify the distributional discrepancy of malicious queries, thereby making them easier to be detected. Similar to our work, SEAT [3] detects attacks based on latent space similarity between queries while failing to detect synthesis [1] and public dataset [7,10] attacks. As a result, SeInspect is more effective against stealthy MS attacks compared with previous detection methods [2,4]. Second, SeInspect introduces a heterogeneous defense mechanism with two layers to lower the additional overhead caused by MS defenses. In general, the inefficiency of current defenses is mainly due to the requirement for distribution extraction of historical queries. To avoid the problem, the core idea of SeInspect is to divide the detection procedure into two layers. The first layer of SeInspect conducts semantic inspection in a query batch, only caring about whether the

612

X. Liu et al.

current query batch contains malicious queries. Then, if the current batch is marked as potentially malicious, it is passed to the second layer, which conducts user-by-user semantic inspection based on each user’s historical queries. Intuitively, inspection in batches is more efficient than user-by-user historical check. Considering that benign queries account for the majority of queries in most scenarios, inspection in batch can reduce computation complexity by a large margin. Our Contributions: 1 We explain a new insight to detect MS attacks, i.e., estimating distribution discrepancy between malicious and benign queries based on semantic features. Following this insight, we propose a novel defense SeInspect against stateof-the-art MS attacks. 2 We introduce a two-layer heterogeneous defense mechanism to improve the efficiency of SeInspect in real-world applications. This mechanism can make the defender concentrate its computational resource more on the potentially malicious users instead of benign ones. 3 We conduct extensive experiments with eight MS attacks on different datasets. The results prove that SeInspect can detect all MS attacks (two more than PRADA and Vardetect) with a 97.88% average recall rate while reducing latency by at least 54.00%. The remainder of this paper proceeds as follows. In Sect. 2, we discuss related work. In Sect. 3, we define the model stealing attack and the capabilities of the participants. In Sect. 4, we describe the proposed SeInspect for MS defense. In Sect. 5, we evaluate the performance of SeInspect. In Sect. 6, we conclude this work.

2

Related Work

We summarize the related work in model stealing attack and defense. 2.1

Model Stealing

Model stealing aims to breach the confidentiality of machine learning models [1]. An MS attacker exploits the ability to query a target model and observes the predictions. Based on query-prediction pairs, the attacker trains a functionallyequivalent surrogate model. MS attack is closely related to knowledge distillation [11] and concept learning [12], in which the attacker minimizes the error between outputs of the surrogate model and the target model. First, the attacker collects or synthesizes an unlabeled surrogate dataset in mainly three ways: 1) synthesizing by sampling from a noise distribution, e.g., Gaussian distribution and uniform distribution [1,13,14]; 2) adding perturbations to some seed samples from the private training set of the target model, e.g., using Jacobian matrix based perturbation [8] or adversarial perturbation [2]; 3) exploiting task-relative public data similar to the target training set [7,10]. These three types of surrogate

SeInspect: Defending Model Stealing via Heterogeneous Semantic Inspection

613

datasets are all considered in our work. We focus on attacks with remote blackbox access, so the attack relying on side-channel information [15] is excluded. Then, the attacker queries the target model to annotate the surrogate dataset. Next, it trains a surrogate model based on the annotated surrogate dataset to replicate the target model. To reduce the query budget, the attack process is divided into several iterations. At each iteration, the attacker adaptively chooses the most ‘informative’ samples for the current surrogate model. Previous works have studied MS attacks on varied kinds of models, including Neural Network (NN) [7,10,13,14,16], Graph Neural Network [17], Reinforcement Learning (RL) model [18] and Recurrent Neural Network [19]. 2.2

Model Stealing Defense

An MS defender’s goal is to prevent an attacker from replicating the target model. To prevent the target model from being replicated, previous studies have focused on disturbing the replication process (called active defense) or detecting malicious queries (called passive defense) [20]. Active defense disturbs the attacker’s replication procedure by adding noise to its outputs, so that influencing optimization process of the surrogate model [21–26]. However, the disturbances can severely reduce the utility of the target model. Additionally, with the appearance of hard-label MS attack [2,10], disturbance on outputs (posteriors) cannot protect models from stealing. Different from active defenders, a passive defender detects potential MS attacks by inspecting users’ queries. There are mainly two strategies to evaluate the inspection. The first is to estimate information gain of each user. Kesariwani et al. [27] proposed to estimate information gain by maintaining a proxy model or checking the coverage of feature space for every user. Like watermark [28], Zhu et al. [29] projects external features into the target model and validate whether the features are learned by users. The second strategy draws the idea of anomaly detection [30] to estimate deviation of each user. Zhang et al. [3] proposed to detect Jacobian-based MS attacks by inspecting similarity among latent space features of queries through an encoder. Quiring et al. [31] checked whether each request is close to the decision boundary and deviates from the normal distribution. Juuti et al. [2] checked whether the distances between successive requests of each user follow Gaussian distribution. Pal et al. [4] detected attackers based on excessive reconstruction error of queries. Sadeghzadeh et al. [6] proposed a concept of hardness, and demonstrated the difference in hardness between attack and benign samples. Unanimously, these passive countermeasures introduced high computational complexity because of the review of all historical queries.

3

Problem Formulation

This paper aims to design a defense method against MS attacks in the following commonly discussed scenario [1,2].

614

X. Liu et al.

3.1

MS Attacker

The goal of an attacker A is to clone the functionality of the target model F (x; θ) deployed on an MLaaS platform in the black-box setting where θ denotes model parameters. To achieve the attack goal, the attacker trains a surrogate model F  (x; θ ) by minimizing the output errors between F  (x; θ ) and F (x; θ) on the surrogate dataset Dsx , as shown in Eq. 1. The error is minimized by optimizing a loss function L. argmin θ

Ex∼Dsx [L(F (x; θ), F  (x; θ ))].

(1)

where θ represents the parameter of the stolen model and F  can be different in model structure from F . Moreover, the attacker has no or limited prior knowledge of the private training set Dtrain . The surrogate dataset Dsx can be constructed in the following three types: – Type-I: Synthetic data. Dsx is sampled from a noise distribution, e.g., sampling random data points from Gaussian distribution [1]. – Type-II: Perturbed data. The attacker has a small number of samples in the same distribution as Dtrain , called seed samples. The attacker constructs Dsx by adding noises into seed samples [2,8]. – Type-III: Public dataset. The attacker utilizes samples in another dataset to construct Dsx [7,10,32]. For example, the attacker can use samples in ImageNet dataset to attack a model trained on SVHN. Figure 1 shows representative benign samples and three types of attack samples in SVHN. Comparatively, the attack samples of Type-II attacks have a more similar distribution to the normal data (statistic analysis shown in Fig. 2). Thus, Type-II attack is more stealthy and harder to detect for current defenses.

Fig. 1. Representative samples of benign, Type-I (Tram`er [1]), Type-II (including IFGSM, FGSM, T-RND-IFGSM and T-RND-FGSM from left to right) and Type-III (Knockoff [10]) attacks.

3.2

MS Defender

Formally, the goal of the defender is to construct a model M to distinguish benign queries x ∼ Db and malicious queries y ∼ Dm , as shown in Eq. 2. argmax γ

E[|Mx∼Db (x; γ) − My∼Dm (y; γ)|].

(2)

SeInspect: Defending Model Stealing via Heterogeneous Semantic Inspection

615

where γ denotes the parameters of M. The defender has to find the optimal γ that makes M to distinguish Db and Dm with a high recall rate. It should be noted that, although the defender doesn’t know all MS attacks, it can form Dm by samples in two types, random samples and samples in one kind of perturbed data (Type-II) attacks [8].

4

Approach

In this section, we present our defense SeInspect against MS attacks. 4.1

Motivation

To better illustrate the advantage of SeInspect, we first make a brief description of the state-of-the-art defenses [2,4,6,27,29]. In general, the defender estimates the distribution of each user’s query history based on two criteria, information gain and distribution discrepancy. The former maintains a proxy model synchronously on all the query-response pairs of each user. The defender cannot raise an alarm until the proxy model reaches a high performance on testing set [27,29]. Therefore, we omit its consideration in this paper. Moreover, estimating the distribution discrepancy of raw samples between benign users and malicious users is the most prevailing strategy for current MS defenses. Unfortunately, such a raw sample based defense makes the defender less sensitive to mild distribution changes caused by adversarial perturbations (i.e., Type-II attack mentioned in Sect. 3). To resolve the problem, a transformation function is needed to amplify the discrepancy between benign and malicious queries. This transformation can be perfectly implemented via sequential feature extraction operations in a neural network. Now we provide a detailed explanation of the implementation. In general, inputs of a wide range of neural networks are transformed by sequential feature extraction layers, including convolutional, pooling, activation and fullyconnected layers. Formally, a neural network with K layers G(·; ω) : X → Y can be written as a sequence of transformation layers to an input x: G(x; ω) = gK−1 ◦ ... ◦ g1 ◦ g0 (x), where gi : Rκi → Rκi+1 is the ith layer of the model with κi (κi+1 ) the input (output) dimension. gi belongs to any of the covolutional, pooling, activation or fully-connected layer. These transformation layers guarantee the ability of G(·; ω) to discriminate different types of samples. Therefore, G(·; ω) is highly sensitive to imperceptible perturbations of inputs [11]. Take a convolutional neural network as an example, the convolutional operations can merge multiple pixels into one element. Given a perturbed input, the merged objects are not only original pixels but also perturbations. Denote ˆ, maximum mean discrepancy the first i layers as Gi , with perturbed input x x) and (MMD) [33] (Detailed definition shown in Appendix A.1) between Gi (ˆ x) − Gi (x)) > MMD(ˆ x − x). With an increase in Gi (x) is enlarged: MMD(Gi (ˆ i, the discrepancy tends to increase as well. It indicates that the perturbed features in deeper layers gradually deviate from the original region. Figure 2 shows

616

X. Liu et al.

MMDs of raw samples x (ˆ x) and the output of GK−2 (x) (GK−2 (ˆ x)) on perturbed data based attacks (Type-II attack). For a clearer display, we record the discrepancy of Type-I and Type-III attacks in Table 1. The output of GK−2 (x) is defined as the semantic features [9]. Here, ResNet18 is applied as semantic feature extractor. In addition to ResNet, other models like VGG can be utilized to extract semantic features by getting outputs of the last fully-connected layer. From the results, MMDs of raw samples are similar across varied perturbed data based attacks (for example, Papernot [8] and COLOR [2]), so these attacks cannot be detected. While semantic features amplify the MMD on all attacks, but remain similar on benign samples (the last two columns in Fig. 2). Therefore, SeInspect can detect stealthy MS attacks.

1.20 2

5 1.0

1

1 0.4

0.44

1

0.0 6 0.0 6

6 0 .0

0.48 0.4

7

1.12

1.1

1.1

3

1.16

0.4

8

Raw Semantic

1.24

MMD (SVHN)

0 .0

1.28

0.0

5 0.0

0.06

Raw Semantic 0.0

0.0 7 0.0

7 0.0

0.0

0.08

0.0

7

8

8

MMD (FMNIST)

0.10

9

0 0.1

0.1

0

0.12

0.40

0.04

R PE PA

T NO

M GS I-F

R M SM SM LO GS FG FG -I F CO DND RN TT-R

n nig Be

0.00 RN PE PA

OT

M GS I-F

6

6

4 0 .0

R M SM SM LO GS FG FG -IF CO DND RN TT-R

0.0 4 0 .0 4

0.04 0.00

0 .0

0.0

0.08

0.0 4 0 .0

3 0.0

6

0.12

0.02

Be

n nig

Fig. 2. MMD of raw samples and their semantic features in perturbed data (Type-II) attacks on FashionMNIST and SVHN. The last two columns show MMD of benign samples. ‘Raw’ and ‘Semantic’ denote the MMD of raw samples and semantic features, respectively.

The following defines the objective of the defender’s monitor M, which aims to maximize the probability to distinguish between attack and benign samples: max

P r(M(Sr ) = c), s.t., Sr = Φ(r).

(3)

where r represents the query history of a user, c is the class of the user. If c = 0, the user is benign, and otherwise, it is malicious. Sr denotes the semantic features of r. Φ(·) represents the transformation function for convenience, which is equivalent to GK−1 (·). In the next section, we detailedly explain how to use Eq. 3 to develop the two monitors, named Global Monitor and Individual Monitor, which comprise the defense of SeInspect. 4.2

Design Details

The detailed algorithmic procedure of SeInspect proceeds as follows (also outlined in Algorithm 1).

SeInspect: Defending Model Stealing via Heterogeneous Semantic Inspection

617

Table 1. MMD of raw samples and their semantic features in synthesis (Type-I) and public dataset (Type-III) attacks on FashionMNIST and SVHN. Attack

FashionMNIST SVHN Raw Semantic Raw Semantic

Tram`er

1.1355 4.8137

Knockoff 0.984

1.768

0.4239 1.3971 0.2443 0.3019

Global Monitor. The global monitor MG is a binary classification model that processes the semantic features of queries in batches as defined in Eq. 4. min

L(MG (Φ(x)), y), x ∈ RN × , y ∈ {0, 1}.

(4)

where x is an N ×  semantic feature matrix about N queries,  is the dimension of semantic features, y is the label of a query batch. If y = 0, the query batch is labeled to be benign, and otherwise, it is malicious. Note that the percentage of malicious queries contained in a query batch is unpredictable in real-world applications. Therefore, to enhance the performance of MG , the defender should use batches mixed with different proportions of malicious queries to serve as the training samples. We say that such a setting makes the learning task MG stricter than the prior works [3,4,6]. This is because these works only care about two conditions where a query batch is specified to be 100% of malicious queries or benign ones, which rarely occur in applications. To resolve the problem, SeInspect divides the original learning task into multiple simpler ones for training multiple sub-models, each of which only focuses on the batches mixed with a specified proportion of malicious queries. Then, these submodels are ensembled based on the “one-vote veto” rule. In other words, if any sub-model predicts a batch to be malicious, the final output of MG is also malicious. Assume that there are m possible proportion ranges of malicious queries, {β1 , ..., βm }. MG can be mathematically expressed in the following format. MG = {M1G , ..., Mm G }, s.t., MG (x) = M1G (x) ∨ ... ∨ Mm G (x).

(5)

where MiG is trained with benign query batches and batches with βi ∈ (0, 1) proportion of malicious queries based on Eq. 4. Individual Monitor. To distinguish the queries launched by attackers in a malicious batch, the individual monitor MI is trained to maximize the discrepancy between malicious and benign queries in every class, as shown in Eq. 6. Disc(Ra , Rb ) > 1 − δ.

(6)

where Disc(·) is the function to estimate discrepancy, 1 − δ is the threshold, Ra and Rb are malicious queries and benign queries, respectively. Ra is generated

618

X. Liu et al.

Algorithm 1. The overview of SeInspect Require: Training epochs of the individual monitor NI ; proportion ranges of malicious queries {β1 , ..., βm }; batch size N ; λ ← 10−8 ; d ← d0 ; optimizer Adam; semantic feature extraction function Φ(·); benign samples Rb ; malicious samples Ra . Ensure: global monitor MG ; individual monitor MI ; attacker set A = ∅. for i = 1 to m do  Train MG Generate batches Di containing βi malicious samples randomly selected from Ra . MiG ← update(Φ(Di )). MG .add(MiG ). for j = 1 to NI do  Train MI Ra ← subsample mini-batch from Ra . Rb ← subsample mini-batch from Rb . k ← k + λ Adam Jλ (k) based on (Ra , Rb ) using Eq. 9. Initialize query batch Q while get the latest N queries do  Check by MG State = MG .predict(Q). if State = 1 then  Find a suspicious batch for User u in Q do Get the latest queries Xu of u.  Find an attacker if MI .predict(Xu ) = 1 then A.update(u). return MG , MI and A.

by two types of samples, random samples and samples in one kind of perturbed data attack (also described in Sect. 3.2). In our experiments, we validate that all attacks can be detected by this setting. To compute the discrepancy function, SeInspect first transforms Ra and Rb to the semantic format, using the transformation function Φ(·). Then, a feature mapping function ϕk is applied to maximize the discrepancy between the semantic features of malicious and benign queries. Additionally, we adopt the re-sampling observation strategy [34] to better describe the distributions of Ra and Rb , i.e., estimating the discrepancy by bootstrapping with re-sampled mini-batches. For now, Eq. 6 can be rewritten as:  Disc(Ra , Rb ) = E[ϕk (Sa , Sa ) + ϕk (Sb , Sb ) − 2ϕk (Sa , Sb )], (7) s.t. Sa = Φ(Ra ), Sb = Φ(Rb ), Sa = Φ(Ra ), Sb = Φ(Rb ). where ϕk is the feature mapping function, Ra and Rb are mini-batches resampled from Ra and Rb , respectively. The goal of MI is to optimize the feature mapping function ϕk that can maximize Disc(Ra , Rb ). Given two inputs x and y, the mapping function ϕk is represented as: ϕk (Sx , Sy ) = [(1 − α0 )(Sx , Sy ) + α0 ]q(Sx , Sy ).

(8)

where α0 ∈ (0, 1), (Sx , Sy ) is a deep Gaussian kernel function with a bandwidth σ . It measures the semantic similarity of samples x and y based on their semantic features Sx and Sy by transformation function Φ(·) as in Eq. 3. q(x, y)

SeInspect: Defending Model Stealing via Heterogeneous Semantic Inspection

619

is a Gaussian kernel function with bandwidth σq to ensure the characteristic of the feature mapping function ϕk (·) [35]. Therefore, the key parameters of MI are k = {α0 , σ , σq }. They are optimized by Adam optimizer as in Eqs. 9–11. k = k + λ Adam Jλ (k), Jλ (k) = 

2 σH 1 ,λ

Disc2 (Ra , Rb ) 2 σH (Ra , Rb , k) 1 ,λ

(9) ,

n n n n 4  4  2 = 3 ( Hij ) − 4 ( Hij )2 + λ. n i=1 j=1 n i=1 j=1

(10)

(11)

where Hij = ϕk (rai , raj ) + ϕk (rbi , rbj ) − ϕk (rai , rbj ) − ϕk (rbi , raj ), n denotes the number of samples in Ra , and λ is a constant. Finally, we can obtain a well-trained MI to estimate Disc(Ra , Rb ) in all classes.

5 5.1

Experimental Evaluation Setup

Dataset. Our experiments are mainly conducted on two commonly used datasets in previous works [2,4], including FashionMNIST and Street View House Numbers (SVHN). – FashionMNIST. The FashionMNIST dataset contains 60K training and 10K testing samples, which are 0–9 clothing pictures. – SVHN. SVHN dataset is obtained from house numbers in Google Street View images, containing 73257 and 26032 images for training and testing in 10 classes. Baselines. We compare SeInspect with two most remarkable works in MS defenses: 1) PRADA [2] that checks the distance between successive raw queries, and 2) Vardetect [4] that checks discrepancy between raw queries and reconstructed queries. SEAT [3] is omitted due to its limited detection ability against Type-I and Type-III attacks. Attack Types. In line with prior works, we select eight typical attacks Tram`er [1], I-FGSM, FGSM, T-RND-IFGSM, T-RND-FGSM and COLOR from PRADA [2], Papernot [8] and Knockoff [10] to evaluate the defenses. These attacks cover the three types of attacks listed in Sec. 3, namely synthesis attack [1], perturbed attack [2,8] and public data attack [10]. In real applications, the attacker should pay for querying. In our experiments, the query budget of each attack is set 10K.

620

X. Liu et al.

Indicators. To comprehensively evaluate SeInspect, we specifically consider the following four indicators besides recall rate and False Positive Rate (FPR). – Queries. This indicator shows the query number of an attacker when detected by the defender. The fewer queries, the poorer performance of the surrogate model can reach. – Accuracy reduction. This indicator indicates how much the defender can reduce the accuracy of the attacker’s surrogate model compared with nondefended. – Latency increase. This indicator shows the efficiency of SeInspect. For easy comparison, it indicates how many times the defense causes an increase in response latency compared with non-defended. Configurations of Defender. For evaluation, we test the defender with three different types of monitors. Specifically, each defense model is composed of the same individual monitor but different global monitors, including random forest (RF), XGBoost and LightGBM. All global monitors are lightweight tree models to ensure efficiency (detailed settings shown in Appendix A.2). Considering that the defender doesn’t know all MS attacks, the attack samples are generated in two ways: 1) sampling from Gaussian distribution, and 2) collecting from one kind of perturbed data attacks (Papernot) [8]. The proportion of attack samples in the training set varies from 10% to 100% to simulate different attack scenarios. For individual monitor, we set the hyperparameter δ = 0.07 for FashionMNIST and δ = 0.10 for SVHN. Deployment. We implement all methods on Python 3.7 (Pytorch 1.8) with a workstation equipped with Tesla V100 GPU and 16GB VRAM. For simulation, we create two virtual roles: a server with a defender and a group of users, which are all set up locally. The server owns a well-trained target model (ResNet-18), which provides users with black-box access. We simulate 108 users including 100 benign users and 8 attackers. Benign users occasionally send abnormal input with a probability lower than 2%, including cropped, rotated, blurred and dark images. The indicators are all tested for 100 trails. To fairly compare the performance of SeInspect with baselines, all hyperparameters of them are chosen optimally according to their original papers [2,4]. 5.2

Comparison with State-of-the-Art

Effectiveness. To validate the effectiveness of SeInspect, we first compare two indicators, recall rate and queries defined before, with PRADA and Vardetect. For SeInspect, LightGBM is applied as the global monitor with batch size 50. Each attacker has a budget of 10K queries and is tested separately on the three defenses. If the attack is not detected until the query budget is used up, the attack is missed and the recall rate and queries are represented as ‘-’. The results are shown in Table 2. The first column lists the attacks involved in the experiments.

SeInspect: Defending Model Stealing via Heterogeneous Semantic Inspection

621

Table 2. Comparison with PRADA and Vardetect on recall rate (%) and queries. The thresholds are 0.9 for PRADA and 0.25 for Var according to their experiments [2, 4]. ‘-’ denotes that the defender fails to detect the attack. Attack

Dataset

Recall PRADA

Tram` er Papernot I-FGSM FGSM

Queries Vardetect

SeInspect

PRADA

Vardetect

SeInspect

FMNIST -

100

100

-

100

125

SVHN

185

100

100

-

100

FMNIST 100

100

98

385

8600

172

SVHN

95

100

170

150

152

100

FMNIST 100

99

100

641

120

228

SVHN

98

99

160

140

137

87

FMNIST 99

97

100

641

500

260

SVHN

100

100

270

100

142

100

T-RND-IFGSM FMNIST 97

-

100

638

-

188

98

-

94

740

-

249

SVHN T-RND-FGSM

FMNIST 97

96

99

278

510

188

99

92

95

360

900

441

SVHN COLOR

FMNIST 100

-

100

311

-

179

100

-

96

201

-

213

SVHN Knockoff

FMNIST -

100

100

-

118

110

SVHN

100

99

-

100

108

-

Notably, SeInspect generally obtains a significant advantage over the two baselines on the two indicators. Especially, SeInspect is the only defense that can detect the malicious users of all MS attacks. For both PRADA and Vardetect, there exist two attacks that cannot be detected by them. For example, Vardetect fails to detect T-RND-IFGSM and COLOR attacks, two perturbed data (TypeII) attacks. Such a result validates that semantic feature based SeInspect is effective against MS attacks. Moreover, for MS defenses, the earlier the attack is detected, the less information the attacker can obtain from the target model. The experimental results show that SeInspect can detect attacks within 193 queries on average, which is reduced by 51.8% and 79.8% compared with PRADA and Vardetect, respectively. This advantage mainly hinges on the fact that with a small number of queries, our semantic features based defense can enhance detection ability by amplifying the distribution discrepancy between benign and malicious users. To take a closer look at the effectiveness of defenses, we record accuracy reduction of the attacker’s surrogate model caused by three defenses in Table 3 (SVHN). The result on FashionMNIST is shown in Appendix A.3 (Table 6). The architecture and hyperparameters of the surrogate model are set the same as the target model (with accuracy 93.71% on FashionMNIST and 99.51% on SVHN). Intuitively, the earlier the attack is detected, the more significant accuracy reduction can be achieved. As desired, SeInspect reduces accuracy of the surrogate model by a large margin, reaching average reduction of 51.19% across all attacks on SVHN. Meanwhile, the accuracy reduction on attack Tram`er (Type-I attack)

622

X. Liu et al.

Table 3. Test set accuracy (%) of the surrogate model obtained by MS attackers, when the target model is deployed with different defenses on SVHN. ‘Accuracy’ (%) denotes accuracy of the surrogate model when the attack is detected. ‘Reduction’ (%) indicates the reduction of test set accuracy caused by defense. ‘Top’ (%) represents the highest test set accuracy of the surrogate model without defense and budget constraints. ‘-’ denotes that the defender fails to detect the attack. Attack

Accuracy

Reduction

Top

PRADA Vardetect SeInspect PRADA Vardetect SeInspect -

13.20

13.60

-

9.36

8.96

Papernot

Tram` er

16.57

13.22

13.86

53.27

56.62

55.98

22.56 69.84

I-FGSM

16.57

14.81

12.35

56.87

58.63

61.09

73.44

FGSM

13.77

11.48

13.52

61.35

63.64

61.60

75.12

T-RND-IFGSM 61.03

-

18.90

15.94

-

58.07

76.97

T-RND-FGSM

18.21

18.41

16.25

60.37

60.17

62.33

78.58

COLOR

14.05

-

15.81

53.38

-

51.62

67.43

Knockoff

-

15.70

15.44

-

49.61

49.87

65.31

is low, due to the failure of this attack (surrogate model accuracy 22.56% without defense and query budget). In general, all three defenses ensure significant accuracy reduction, while SeInspect performs the best. Compared with PRADA and Vardetect, SeInspect causes a more significant reduction in average accuracy of the surrogate model by 13.54% and 13.94%, respectively. The fact validates that SeInspect is an effective defense against MS attacks. Practicality. Practicality involves two parts: 1) the defense should have a low misjudge rate of benign users; 2) the defense should not cause significant increase in response delay. To verify practicality of SeInspect, we evaluate FPR and latency increase in the experiments, as presented in Table 4 and Fig. 3. In FPR test, 100 benign users and 8 attackers send queries at the same frequency (all with 10K budget) and FPR is the average misjudge rate on 10 trails. In Table 4, SeInspect reaches a slightly lower FPR than two baselines with the same model settings as in previous experiments. FPR of SeInspect on SVHN is higher than on FashionMNIST, because MMD of semantic features between benign and attack samples is smaller on SVHN (as in Fig. 2). A smaller MMD causes a lower deviation tolerance for benign users’ abnormal queries. So the discrepancy between semantic features of benign and abnormal queries are more likely to exceed the threshold 1 − δ. With low FPR values, only SeInspect is able to provide detection against all MS attacks, compared to other defenses that miss 2 attacks with low FPR. In addition, we compare practicality of SeInspect by testing latency increase of three defenses. Intuitively, calling to the individual monitor causes an increase in response latency, which actually depends on the proportion of MS attackers. Therefore, we further discuss latency increase with different attacker proportions, and the results are presented in Fig. 3a and Fig. 3b. From the results, latency increase of PRADA and Vardetect is not impacted by the proportion of

SeInspect: Defending Model Stealing via Heterogeneous Semantic Inspection

623

attack samples. Different from the two baselines, latency increase of SeInspect rises gradually as the proportion of attack samples increases. It is notable that, even with 100% attackers, SeInspect still achieves the lowest latency increase among three defenses, causing at most 0.52 and 1.14 times of increase in latency on FashionMNIST and SVHN, respectively. Moreover, it is almost impossible that samples from attackers take up 100% of queries, as the majority of users are benign in real-world scenarios. So the individual monitor is rarely called, reducing the latency increase of SeInspect to 0.003 multiple on FashionMNIST and 0.12 times on SVHN when no attacker appears. On average, SeInspect reduces latency increase of PRADA by 54.00% and 83.74% on FashionMNIST and SVHN, respectively. The above results validate that SeInspect is of high practicality to reach an imperceptible response delay in most scenarios. Table 4. Comparison on FPR (%). δ is set 0.07 for FashionMNIST and 0.10 for SVHN. The global monitor is LightGBM with batch size 50 for SeInspect.

18.0 17.5 17.0 16.5 16.0 15.5 15.0 14.5 14.0 13.5 13.0 12.5 12.0 1.5 1.0 0.5 0.0

1.10

0.70

SVHN

2.52

1.30

PRADA

15.10

1.10 0.003

PRADA Vardetect SeInspect

FashionMNIST 0.53 1.32

Vardetect

SeInspect

15.12

1.13

15.24

1.03 0.825

0.52

0.0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0

Proportions

(a) Latency increase on FashionMNIST.

Latency (times)

Latency (times)

Dataset

23 22 21 20 19 18 17 10 9 8 7 6 5 4 3 2 1 0

PRADA

Vardetect

SeInspect

19.99

20.06

20.02

7.02

7.01

7.02

0.12

1.14

1.82

0.0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0

Proportions

(b) Latency increase on SVHN.

Fig. 3. Comparison of latency increase of three defenses on (a) FashionMNIST and (b) SVHN. The global monitor is LightGBM in SeInspect. The attackers are chosen at random and blocked once detected. The average latency increase is marked by a dotted line with a black number indicating its value. Red numbers on the left and the right of a curve indicate the latency when proportions are 0.0 and 1.0, respectively.

5.3

Further Understanding

Recall on Different Proportions of Attack Samples. Semantic features of a batch are first inspected by the global monitor. While it can be impacted by the proportion of attack samples. So we record the variations of recall rate on all attacks with proportions of attack samples, which are presented in Fig. 4

624

X. Liu et al.

(FashionMNIST). More specifically, for each attack and each proportion (from 10% to 100%), we create 100 query batches (50 in size) containing attack samples at this proportion, and test recall rate of SeInspect. Generally, with only a small proportion of attack samples (10%), SeInspect can still detect attacks successfully. With an increase in proportion, recall rate increases as well, because a greater proportion causes a larger discrepancy of semantic features of the query batch. In addition, recall rates on Tram`er (Type-I) and Knockoff (Type-III) attacks are slightly higher than on perturbed data (Type-II) attack. This result indicates that discrepancy of semantic features of a batch can be affected by attack sample proportions, but even with a small proportion of attack samples, SeInspect can still detect MS attacks successfully.

100

100

Tramèr Papernot I-FGSM FGSM T-RND-IFGSM T-RND-FGSM COLOR Knockoff

60

40

20

40

60

80

100

Recall (%)

Recall (%)

80 80

60 Tramèr Papernot I-FGSM FGSM T-RND-IFGSM T-RND-FGSM COLOR Knockoff

40 20 0 -20 0.00

0.02

0.04

0.06

0.08

0.10

Proportion of Attack Samples (%)

Fig. 4. Variations of recall rates on all attacks with different proportions of attack samples (FashionMNIST). The global monitor is LightGBM.

Fig. 5. Variations of recall rates on all attacks with different δ (FashionMNIST). The global monitor is LightGBM.

Impact of the Global Monitor Type. Apart from LightGBM, we evaluate the effectiveness of another two types of global monitors, RF and XGBoost. The recall rate on all attacks and FPR of three global monitors are shown in Table 5. The indicators are evaluated with the same settings as previous experiments on the whole defense. From the result, FPR is 0 of all global monitors, which indicates a high practicality of all three monitors. It also indicates that FPR of SeInspect is mainly caused by the individual monitor. Because the global monitor is less sensitive to abnormal queries sent occasionally from benign users. Hence, we recommend LightGBM as the global monitor and apply it in previous experiments.

SeInspect: Defending Model Stealing via Heterogeneous Semantic Inspection

625

Table 5. Comparison of recall rate (%) and FPR (%) of different global monitors on FashionMNIST. Recall

LightGBM RF

Tram`er

100

100 100

XGBoost

Papernot

100

100 100

I-FGSM

100

100

99

FGSM

100

100

99

T-RND-IFGSM 100

86 100

T-RND-FGSM

97

97

98

98

99

COLOR

99

Knockoff

100

FPR

100 100

0

0

0

Impact of Batch Size of the Global Monitor. As queries are inspected by the global monitor in batch, the batch size may have impact on performance. Further, we discuss whether the batch size influences effectiveness (evaluated by recall rate) and efficiency (evaluated by latency increase) of the global monitor. Three types of monitors are tested: RF, XGBoost and LightGBM. Variations of recall rate (the average across all attacks) and latency increase (average for every 100 queries) with batch size are recorded in Fig. 6a and Fig. 6b, respectively. Generally, as the batch size expands, the average recall rates of three monitors tend to increase slightly, from 97.4% to 99.0%. While latency is not significantly affected. From Fig. 6b, latency increase with batch size 50 is higher, because the global monitor has to predict for twice to process 100 queries. It seems that a larger batch size is more favorable to enhance recall rate while not impacting latency. However, we still recommend a smaller batch size, because it makes the defender detect MS attacks at an earlier stage. In our former experiments, we set batch size 50, which is the proper value we suggest. 0.20

Random Forest XGBoost LightGBM

Latency (times)

100

Recall (%)

0.15

95

0.10

90

0.05

Random Forest XGBoost LightGBM

0.00

85 50

100

150

200

Batch Size

250

300

50

100

150

200

250

300

Batch Size

Fig. 6. Variations of the (a) recall rates (average across all attacks) and (b) latency increase of three types of global monitors (Random Forest, XGBoost and LightGBM) with different batch sizes (from 50 to 300).

626

X. Liu et al.

Impact of Threshold of the Individual Monitor. The individual monitor determines whether a user is malicious by comparing discrepancy of the user’s semantic features with the threshold 1 − δ. A more appropriate threshold can derive a better trade-off between recall rate and FPR. The variations of recall rates with δ on FashionMNIST are shown in Fig. 5. In addition, the corresponding FPR is {0.0%, 0.0%, 0.0%, 0.0%, 1.2%, 1.1%, 1.3%, 2.4%, 3.2%, 4.2%}. From Fig. 5, recall rates on Tram`er (Type-I) and Knockoff (Type-III) attacks are not affected by δ, because semantic discrepancy is much more significant in these attacks than in Type-II attacks. By contrast, recall rates on Type-II attacks (Papernot, I-FGSM, FGSM, T-RND-IFGSM, T-RND-FGSM and COLOR) are more susceptible to δ. A larger δ reduces the tolerance of the individual monitor to perturbations, thus the monitor is more sensitive to abnormal queries from benign users. Therefore, expanding δ improves the defender’s detection ability against Type-II attack but meanwhile reduces the practicality. In our former experiments, we set δ = 0.07 for FashionMNIST and δ = 0.10 for SVHN, which are the proper values we suggest.

6

Conclusion

In this paper, we proposed a new defense (called SeInspect) against model stealing (MS) attacks. SeInspect mainly achieved two breakthroughs on MS defense from two perspectives. First, a semantic feature based detection method was introduced to amplify the discrepancy between malicious and benign users, which improved the ability of defenders to detect stealthy MS attacks. Second, we presented a heterogeneous framework for MS defense, which could enhance the efficiency of query detection and reduce response latency of cloud-based model service. In our experiments, we showed that SeInspect could identify two more attacks than current defenses with a reduction of at least 54% response latency. However, the effect of our defense tightly correlated to well-trained query monitors. Thus, it could be potentially broken by the internal attacker, which had full access to these monitors, through adaptively crafted attack samples. How to detect MS attacks in this case is quite challenging, and we will explore a solution in this direction in our future work. Acknowledgements. This work was supported by the National Natural Science Foundation of China (No. U21A20464, 61872283), the Natural Science Basic Research Program of Shaanxi (No. 2021JC-22), Key Research and Development Program of Shaanxi (No. 2022GY-029), CNKLSTISS, the China 111 Project.

A A.1

Appendix Maximum Mean Discrepancy

The maximum mean discrepancy (MMD) measures the closeness between two distributions P and Q [33], represented as: MMD(F, P, Q) = sup |EX∼P [f (X)] − EY ∼Q [f (Y )]| . f ∈F

(12)

SeInspect: Defending Model Stealing via Heterogeneous Semantic Inspection

627

where F is a set containing all continuous functions, X and Y are independent and identically distributed (iid) datasets. The MMD depends on F. To ensure that the test of MMD is consistent in power, thus providing an analytic solution, F is restricted to be a unit ball in the reproducing kernel Hilbert space (RKHS). Thereby the kernel based MMD is defined as: MMD(F, P, Q) =

sup f ∈H,f H≤1

|EX∼P [f (X)] − EY ∼Q [f (Y )]| .

(13)

where k is a kernel regarding RKHS Hk . A.2

Settings of the Global Monitor

In our experiments, three types of global monitors are evaluated: RF, XGBoost and LightGBM. The final output of the global monitor is based on “one-vote veto” mechanism of four sub-models: MG = {M1G , M2G , M3G , M4G }, s.t., MG (x) = M1G (x) ∨ M2G (x) ∨ M3G (x) ∨ M4G (x).

(14)

where x denotes an input. The four sub-models focus on different proportions of attack samples, which are [10%, 25%), [25%, 40%), [40%, 70%) and [70%, 100%). To better detect attack samples with low proportion, we limit the proportions of attack samples of M1G (x) and M2G (x) within a smaller scale. Here we give a detailed description of each sub-model in Table 7. Table 6. Test set accuracy (%) of the surrogate model obtained by MS attackers, when the target model is deployed with different defenses on FashionMNIST. ‘Accuracy’ (%) denotes accuracy of the surrogate model when the attack is detected. ‘Reduction’ (%) indicates the reduction of test set accuracy caused by defense. ‘Reduction’ (%) indicates the reduction of test set accuracy caused by defenses. ‘Top’ (%) represents the highest test set accuracy of the surrogate model without defense and budget constraints. ‘-’ denotes the defender fails to detect the attack within the query budget. Attacks

Accuracy PRADA Var

Reduction SeInspect PRADA Var

Top SeInspect

Tram`er

-

10.01 10.01

-

8.39

8.39

18.40

Papernot

73.69

68.09 56.29

0.18

5.78

17.58

73.87

I-FGSM

69.66

64.21 67.42

11.35

16.80 13.59

81.01

FGSM

68.34

68.83 43.88

10.40

9.91

34.86

78.74

T-RND-IFGSM 69.46

-

13.99

-

15.25

83.45

T-RND-FGSM

71.32

70.43 67.07

0.10

0.99

4.35

71.42

COLOR

71.60

-

1.17

-

3.41

72.77

Knockoff

-

19.61 19.60

-

41.12 41.13

60.73

68.20 69.36

628

X. Liu et al.

Table 7. Settings of the global monitors (RF, XGBoost and LightGBM) on FashionMNIST and SVHN. RF Dataset

XGBoost

LightGBM

Criterion Estimators Booster Subsample Estimators Boosting Estimators

FashionMNIST entropy

40

gbtree

0.8

40

gbdt

40

SVHN

50

gbtree

0.8

50

gbdt

50

A.3

entropy

Accuracy Reduction on FashionMNSIT

We present the accuracy reduction of three defenses (FashionMNIST) in Table 6. Compared with PRADA, SeInspect reduces accuracy by 12.67%. It is notable that, SeInspect causes a more significant accuracy reduction on SVHN than on FashionMNIST (especially on type-2 attacks T-RND-FGSM and COLOR), because the surrogate model on FashionMNIST can be trained by much fewer queries than on SVHN.

References 1. Tram`er, F., Zhang, F., Juels, A., Reiter, M.K., Ristenpart, T.: Stealing machine learning models via prediction apis. In: 25th Security Symposium (USENIX Security 16), pp. 601–618 (2016) 2. Juuti, M., Szyller, S., Marchal, S., Asokan, N.: Prada: protecting against dnn model stealing attacks. In: IEEE European Symposium on Security and Privacy (EuroS&P). IEEE 2019, pp. 512–527 (2019) 3. Zhang, Z., Chen, Y., Wagner, D.: Seat: similarity encoder by adversarial training for detecting model extraction attack queries. In: Proceedings of the 14th ACM Workshop on Artificial Intelligence and Security, AISec 2021, pp. 37–48. Association for Computing Machinery, New York (2021). https://doi.org/10.1145/ 3474369.3486863 4. Pal, S., Gupta, Y., Kanade, A., Shevade, S.: Stateful detection of model extraction attacks. arXiv preprint arXiv:2107.05166 (2021) 5. Kesarwani, M., Mukhoty, B., Arya, V., Mehta, S.: Model extraction warning in mlaas paradigm. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 371–380 (2018) 6. Sadeghzadeh, A.M., Dehghan, F., Sobhanian, A.M., Jalili, R.: Hardness of samples is all you need: Protecting deep learning models using hardness of samples, arXiv preprint arXiv:2106.11424 (2021) 7. Pal, S., Gupta, Y., Shukla, A., Kanade, A., Shevade, S., Ganapathy, V.: Activethief: model extraction using active learning and unannotated public data. In: Proceedings of the AAAI Conference on Artificial Intelligence, vol. 34, pp. 865–872, April 2020 8. Papernot, N., McDaniel, P., Goodfellow, I., Jha, S., Celik, Z.B., Swami, A.: Practical black-box attacks against machine learning. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pp. 506–519 (2017) 9. Gao, R., et al.: Maximum mean discrepancy test is aware of adversarial attacks. In: International Conference on Machine Learning. PMLR, pp. 3564–3575 (2021)

SeInspect: Defending Model Stealing via Heterogeneous Semantic Inspection

629

10. Orekondy, T., Schiele, B., Fritz, M.: Knockoff nets: stealing functionality of blackbox models. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 4954–4963 (2019) 11. Hinton, G., Vinyals, O., Dean, J., et al.: Distilling the knowledge in a neural network, arXiv preprint arXiv:1503.02531, vol. 2, no. 7 (2015) 12. Angluin, D.: Queries and concept learning. Mach. Learn. 2(4), 319–342 (1988) 13. Kariyappa, S., Prakash, A., Qureshi, M.K.: Maze: data-free model stealing attack using zeroth-order gradient estimation. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 13 814–13 823 (2021) 14. Yuan, X., Ding, L., Zhang, L., Li, X., Wu, D.O.: Es attack: model stealing against deep neural networks without data hurdles. IEEE Trans. Emerging Top. Comput. Intell. (2022) 15. Batina, L., Bhasin, S., Jap, D., Picek, S.: Csi nn: reverse engineering of neural network architectures through electromagnetic side channel. In: 28th USENIX Security Symposium (USENIX Security 19), pp. 515–532 (2019) 16. Oh, S.J., Schiele, B., Fritz, M.: Towards reverse-engineering black-box neural networks. In: Samek, W., Montavon, G., Vedaldi, A., Hansen, L.K., M¨ uller, K.-R. (eds.) Explainable AI: Interpreting, Explaining and Visualizing Deep Learning. LNCS (LNAI), vol. 11700, pp. 121–144. Springer, Cham (2019). https://doi.org/ 10.1007/978-3-030-28954-6 7 17. He, X., Jia, J., Backes, M., Gong, N.Z., Zhang, Y.: Stealing links from graph neural networks. In: 30th USENIX Security Symposium (USENIX Security 21), pp. 2669–2686 (2021) 18. Chen, K., Guo, S., Zhang, T., Xie, X., Liu, Y.: Stealing deep reinforcement learning models for fun and profit. In: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, pp. 307–319 (2021) 19. Takemura, T., Yanai, N., Fujiwara, T.: Model extraction attacks on recurrent neural networks. J. Inf. Process. 28, 1010–1024 (2020) 20. Gong, X., Wang, Q., Chen, Y., Yang, W., Jiang, X.: Model extraction attacks and defenses on cloud-based machine learning models. IEEE Commun. Magaz. 58(12), 83–89 (2020) 21. Gong, Z., Jiang, W., Zhan, J., Song, Z.: Model stealing defense with hybrid fuzzy models: work-in-progress. In: 2020 International Conference on Hardware/Software Codesign and System Synthesis (CODES+ ISSS), pp. 30–31. IEEE (2020) 22. Mori, Y., Nitanda, A., Takeda, A.: Bodame: bilevel optimization for defense against model extraction, arXiv preprint arXiv:2103.06797 (2021) 23. Kariyappa, S., Qureshi, M.K.: Defending against model stealing attacks with adaptive misinformation. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 770–778 (2020) 24. Orekondy, T., Schiele, B., Fritz, M.: Prediction poisoning: towards defenses against dnn model stealing attacks. arXiv preprint arXiv:1906.10908 (2019) 25. Lee, T., Edwards, B., Molloy, I., Su, D.: Defending against neural network model stealing attacks using deceptive perturbations. In: IEEE Security and Privacy Workshops (SPW), pp. 43–49. IEEE (2019) 26. Zheng, H., Ye, Q., Hu, H., Fang, C., Shi, J.: BDPL: a boundary differentially private layer against machine learning model extraction attacks. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11735, pp. 66–83. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29959-0 4

630

X. Liu et al.

27. Kesarwani, M., Mukhoty, B., Arya, V., Mehta, S.: Model extraction warning in mlaas paradigm. In: Proceedings of the 34th Annual Computer Security Applications Conference, ACSAC 2018. Association for Computing Machinery, New York, pp. 371–380 (2018). https://doi.org/10.1145/3274694.3274740 28. Jia, H., Choquette-Choo, C.A., Chandrasekaran, V., Papernot, N.: Entangled watermarks as a defense against model extraction. In: 30th USENIX Security Symposium (USENIX Security 21), pp. 1937–1954 (2021) 29. Zhu, L., Li, Y., Jia, X., Jiang, Y., Xia, S.-T., Cao, X.: Defending against model stealing via verifying embedded external features. In: ICML 2021 Workshop on Adversarial Machine Learning (2021) 30. Ahmed, M., Mahmood, A.N., Hu, J.: A survey of network anomaly detection techniques. J. Network Comput. Appl. 60, 19–31 (2016) 31. Quiring, E., Arp, D., Rieck, K.: Forgotten siblings: Unifying attacks on machine learning and digital watermarking. IEEE European Symposium on Security and Privacy (EuroS&P), pp. 488–502. IEEE (2018) 32. Correia-Silva, J.R., Berriel, R.F., Badue, C., de Souza, A.F., Oliveira-Santos, T.: Copycat cnn: stealing knowledge by persuading confession with random nonlabeled data. In: 2018 International Joint Conference on Neural Networks (IJCNN), pp. 1–8. IEEE (2018) 33. Gretton, A., Borgwardt, K.M., Rasch, M.J., Sch¨ olkopf, B., Smola, A.: A kernel two-sample test. J. Mach. Learn. Res. 13(25), 723–773 (2012). jmlr.org/papers/v13/gretton12a.html 34. Leucht, A., Neumann, M.H.: Dependent wild bootstrap for degenerate u-and vstatistics. J. Multivariate Anal. 117, 257–280 (2013) 35. Liu, F., Xu, W., Lu, J., Zhang, G., Gretton, A., Sutherland, D.J.: Learning deep kernels for non-parametric two-sample tests. In: ICML (2020)

Sidechannels

We Can Hear Your PIN Drop: An Acoustic Side-Channel Attack on ATM PIN Pads Kiran Balagani2 , Matteo Cardaioli1,4(B) , Stefano Cecconello1 , Mauro Conti1 , and Gene Tsudik3 1

University of Padua, Padua, Italy [email protected], [email protected] 2 New York Institute of Technology, New York, USA 3 University of California, Irvine (UCI), Irvine, USA 4 GFT Italy, Milan, Italy

Abstract. Personal Identification Numbers (PINs) are the most common user authentication method for in-person banking transactions at ATMs. The US Federal Reserve reported that, in 2018, PINs secured 31.4 billion transactions in the US, with an overall worth of US$ 1.19 trillion. One well-known attack type involves the use of cameras to spy on the ATM PIN pad during PIN entry. Countermeasures include covering the PIN pad with a shield or with the other hand while typing. Although this protects PINs from visual attacks, acoustic emanations from the PIN pad itself open the door for another attack type. In this paper, we show the feasibility of an acoustic side-channel attack (called PinDrop) to reconstruct PINs by profiling acoustic signatures of individual keys of a PIN pad. We demonstrate the practicality of PinDrop via two sets of data collection experiments involving two commercially available metal PIN pad models and 58 participants who entered a total of 5,800 5-digit PINs. We simulated two realistic attack scenarios: (1) a microphone placed near the ATM (0.3 m away) and (2) a real-time attacker (with a microphone) standing in the queue at a common courtesy distance of 2 m. In the former case, we show that PinDrop recovers 96% of 4-digit, and up to 94% of 5-digits, PINs. Whereas, at 2 m away, it recovers up to 57% of 4-digit, and up to 39% of 5-digit PINs in three attempts. We believe that these results are both significant and worrisome. Keywords: Keyboard eavesdropping

1

· PIN security · ATM security

Introduction

The Automatic Teller Machines Industry Association estimates that over 300 million ATMs are deployed worldwide [3]. In the US alone, over 10 billion ATM transactions are performed every year [19]. ATMs have now become an indispensable part of the self-service banking ecosystem. An ATM typically uses a c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 633–652, 2022. https://doi.org/10.1007/978-3-031-17140-6_31

634

K. Balagani et al.

unique physical card (which a customer possesses) along with a PIN (which a customer remembers) to form a two-factor authentication system, wherein the card uniquely identifies the customer account and the PIN identifies the customer. In recent years, there have been many attacks aimed at PINs and at information encoded on ATM cards. Such attacks are broadly referred to as skimming operations [25], whereby criminals usually install a card-reader-like device to trick customers into placing (or inserting) their cards and copy the information [7,18]. This is often done in tandem with installing a video camera on the ATM (or in its vicinity) at an angle that allows the criminal to record PIN entry [22]. Recently studied attacks on PINs (e.g., [5,8,26]) went one step further and showed that the attacker does not even have to see the PIN. These side-channel attacks use a recording device (e.g., a video camera [5], a microphone [8], or a thermal camera [26]) placed near the ATM to collect information and use it to infer customers’ PINs. In this paper, we present a new acoustic side-channel PinDrop attack on ATM PIN entry. Differently from [8], PinDrop leverages the entire audio track to profile each key on the PIN pad, leading to far more accurate results. Our attack consists of two steps: (1) the attacker builds an acoustic profile (a signature of click sounds) for each key on the target PIN pad, and (2) at PIN entry time, the attacker records audio emitted by each pressed key and compares them to the acoustic profile to infer the actual keys pressed, thereby learning the PIN. These two steps can be carried out in any order. 1.1

Intended Contributions

The main contributions of this work are: 1 We described a novel attack targeting PINs: PinDrop, based on acoustic emanations from commodity ATM PIN pads. We demonstrated that PinDrop reconstructs up to 94% of 5-digit PINs and 96% of 4-digit PINs within three attempts. We showed that the threat posed by PinDrop is higher compared to state-of-the-art acoustic side-channel attacks on ATM PIN pads [8,14,20]. 2 We evaluated PinDrop via extensive experiments on two commercially available ATM PIN pad models, collecting acoustic emanations for 5,800 5-digit PINs entered in a simulated ATM (though using real PIN pads) by 58 distinct participants. The resulting dataset is publicly available1 to the research community. We believe it will be useful in studying the problem further and developing countermeasures. 3 We analyzed the performance of PinDrop with two recording distances: 0.3 and 2 m away from the PIN pad. At the distances of 0.3 and 2 m, up to 96% and 57% (respectively) of 4-digit PINs were correctly learned in three attempts.

1

Dataset link: https://spritz.math.unipd.it/projects/PINDrop.

We Can Hear Your PIN Drop

635

4 We assessed the performance of PinDrop in noisy environments, considering different levels and sources of noise to simulate real-context scenarios. We showed that PinDrop is still an effective attack at 2 m with low/moderate noise, while it remains effective under any noise condition at 0.3 m.

2

Related Work

This section overviews attacks based on acoustic emanations from user input devices. We first consider attacks targeting keyboards, followed by those targeting PIN pads. For a comprehensive discussion of keyboard side-channel attacks, we refer to [17]. Attacks on Generic Keyboards. The first extensive study on keyboard acoustic eavesdropping was conducted by Asonov and Agrawal [2]. It showed that each key can be identified by the unique sound that it emits when pressed. This work investigated the reasons for this behavior, demonstrating that it can be attributed to the placement of keys on the keyboard plastic plate. In particular, when different keys are pressed, the plate emits sounds with different timbers. Subsequent efforts to infer key sequences from acoustic emanations are based on two types of approaches: (i) extraction of features that allow exploiting the uniqueness of acoustic emissions of pressed keys, and (ii) extraction of temporal information. The former tries to distinguish among keys by their characteristic sound, and relies on either supervised [2,10,11,16] and unsupervised [6,28] machine learning models, depending on the specific attack scenario. Supervised models exploit features, notably Fast Fourier Transform (FFT) coefficients and their derivatives, such as Mel-frequency cepstral coefficients (MFCCs). Supervised algorithms generally achieve better performance in identifying keystrokes. On the other hand, these models have a greater dependence on the keyboard used in training and the users’ typing style. A further weakness of supervised algorithms is the need to collect a labeled dataset to be used as a training set. Indeed, the ground truth collection is not a trivial task and could significantly affect the attack’s effectiveness. One possible solution is discussed in [1,9]. which take advantage of the audio recorded during a VoIP call to collect a ground truth dataset directly. In this scenario, the attacker can exploit the text typed by the victim in a shared medium (e.g., in the VoIP chat or an email sent to the attacker during the call) to label the keystroke sound. Unsupervised methods are used to group collected samples into unlabeled clusters. The label-cluster association is made by exploiting the characteristics of the input language. In particular, Zhuang et al. [28] perform labeling using letter frequency, while Berger et al. [6] make an association by selecting words from a dictionary that match specific constraints. Unsupervised approaches overcome the need for a ground-truth dataset. However, the scenarios where these attacks can be applied are limited by the strong assumptions on input text and therefore their performance drastically declines on random letter sequences. The second approach involves the extraction of temporal features of pressed keystrokes. To this end, many efforts focused on analyzing the Time Difference of

636

K. Balagani et al.

Arrival (TDoA) of the audio signal emitted by the keypress. They used one [13] or more [27] microphones positioned around the input device to triangulate the position of the pressed key. PIN Pad-Focused Attacks. PIN pads are numeric keypads specifically designed for Point-of-Sale (PoS) terminals and ATMs, They facilitate users to enter their Personal Identification Numbers (PINs). Attacks on PIN pads tend to be different from those on regular keyboards. For instance, it is rather challenging to apply unsupervised techniques with PIN pads since the assumptions about the victim’s language are no longer applicable. However, the other types of attacks, such as those based on the uniqueness of the acoustic emission and those based on the temporal information are usually applicable. PIN pads also prompt a new set of assumptions, usually dictated by the specific conditions under which they operate. This paves the way to new and more efficient side-channel attack scenarios. Below, we briefly discuss these attacks. In [5], the authors demonstrate how to obtain PIN information by exploiting inter-keystroke timings. This information is leaked by recording the timing of appearance of masking symbols (e.g., asterisks) on the screen while the victim is entering the PIN. On a related note, [8], shows how inter-keystroke timing information can be inferred with higher accuracy from the feedback sound emitted by the PIN pad when a key is pressed. It also shows that combining multiple side-channel information (e.g., inter-keystroke timing and thermal residue) improve the probability of reconstructing a 4-digit PIN. Similarly, [14], proposes a user-independent attack based on inter-keystroke timing on a plastic PIN pad. PIN pad acoustic emanations can also be used to improve security of PINbased authentication systems. For example, [20] shows that inter-keystroke features obtained from PIN pad-emitted audio, can be used as an additional layer of authentication. The same work also showed how to perform a close-by attack (i.e., with the microphone placed a few centimeters from the PIN pad) on an arbitrary subset of keys. Exploiting the inter-keystroke features on this subset, a 60% accuracy in the identification of the pressed key can be reached. Acoustic information is also used in [24], where a Point-of-Sale (PoS) terminal is tampered with by inserting multiple microphones into it. This allows identifying the pressed key position using triangulation, reaching the average accuracy of 88% for a single key, on three PoS models. Although very effective, this approach requires full physical access to the PoS, thus reducing the attack’s applicability and scalability.

3

PinDrop Attack

Assumptions: We assume that the victim interacts with a generic ATM, performing PIN-based authentication. The ATM is equipped with a PIN pad that emits a feedback sound when a key is pressed. The feedback sound (as perceived by the human ATM users) is the same for all keys. The attacker aims to learn the victim’s PIN by placing a microphone near the ATM to record acoustic emanations of the PIN pad. The microphone stores recorded audio. How the

We Can Hear Your PIN Drop

637

microphone stores that audio is not relevant for PinDrop, i.e., it can be stored locally or off-loaded to a remote site. PinDrop attack relies only on that recorded audio. Preliminaries: To set up PinDrop, the attacker must select a target ATM and hide a microphone nearby. The exact placement of the microphone can vary, though in the PinDrop setting the maximum distance form the PIN pad is 2 m (just over 6 ): 1. Concealed on the attacker’s body, in case of a real-time attack. Albeit, strictly speaking, concealment is not required, since a regular smartphone microphone can be used, and it need not be hidden from view (as it is unlikely to arouse suspicion). 2. On any surface (walls, floor, ceiling) near the ATM. In this case, it might be in plain sight, especially, if its size and shape are inconspicuous enough not to be noticeable. It could also be partially hidden from view (e.g., behind a column or a light fixture), or even within or behind some normal-looking object, e.g., a vent, a light-switch or a garbage can. As shown in Fig. 1, PinDrop consists of four phases: 1) PIN Recording (Sect. 3.1), 2) Data Processing (Sect. 3.2), 3) Model Generation (Sect. 3.3), and 4) PIN Inference (Sect. 3.4),

Phase A

Phase B

Phase C

Phase D

PIN Recording

Data Processing

Model Generation

PIN Inference

B.1) Segmentation

A.1) Audio Recording

C.1) Down-sampling

D.1) Prediction

C.2) Model Training

D.2) PIN Ranking

ATM

PIN Sequences

A.2) PIN Extraction

Training Set (Labelled)

B.2) Feature Extraction

[f 1 , f 2 , ... , f n ]

Trained Model Attacking Set

Fig. 1. PinDrop attack phases.

3.1

PIN Recording

The goal of this phase is to come up with two datasets (training and attack) with audio recordings of entered PINs. This takes two steps: A.1 Audio Recording using a microphone placed near the ATM.

638

K. Balagani et al.

A.2 PIN Extraction, i.e., isolation of the sequences of feedback sounds emitted by the PIN pad, given the knowledge of the number of digits in the PIN, e.g., the beginning and the end of the 5-digit PIN entry. To build the training set, the attacker must enter a set of PIN sequences on the target PIN pad. The sequences must be representative of all ten numeric keys. Once this step is completed, the attacker has a table of entered PINs and their corresponding audio. The attack set consists of the audio recordings entered by the victim. 3.2

Data Processing

This phase is conducted on the data entered by both the attacker and the victim. It also consists of two steps: segmentation of the PIN audio signal into individual key-press sounds, and extraction of corresponding features. B.1 Segmentation: The attacker uses the feedback sound emitted by the PIN pad as a signal that a key has been pressed. This can be achieved via the characteristic frequency of the feedback sound, as in [8]. The attacker segments the signal, using time windows centered at the detected key-press. The window size is chosen to comprise the entire audio segment related to a single key-press. B.2 Feature Extraction: The attacker extracts features descriptive of a keypress sound. Prior results show that short-term power spectrum can be used for this type of a classification problem. In particular, [9] shows that melfrequency cepstral coefficients (MFCC) [15] achieve the best performances for discriminating among the sounds of different keys. This step yields two feature sets: (1) a labeled training, and an (2) unlabeled attacker. 3.3

Model Generation

This phase is applied to the labeled training set in order to train a classifier. C.1 Down-sampling: Since we make no assumptions about how often a victim uses a specific digit in the PIN, it may be necessary to down-sample the data by classes before proceeding with training. The down-sampling mitigates over-fitting and leads to a balanced dataset where each class (i.e., each digit) has the same number of samples. C.2 Model Training. The attacker trains a multi-class classifier to predict the digit based on its emitted key-press sound. The class labels output by the classifier are the keys (digits) of the PIN pad. Together with the predicted digit, classifiers also output the prediction probability of each class. 3.4

PIN Inference

In this phase, the attacker utilizes the trained classifier to guess a victim’s PIN. The output is a sequence of all possible PINs ordered by probability. This ordering allows the attacker to minimize the number of attempts to guess the PIN.

We Can Hear Your PIN Drop

639

In a real-life setting, ATM cards are usually blocked after three failed attempts. This phase involves two steps: D.1 Prediction: The attacker reconstructs the PIN entered by the victim applying the classifier trained in the previous phase to the attack set. As input to the classifier, the attacker feeds the features of a single key of the victim’s PIN. This is repeated for each digit of the PIN. D.2 PIN Ranking. The classifier yields a probability for each digit to be the one actually pressed by the victim. Combining the probability set of each input, the attacker builds a ranking of the most likely PINs. The probability assigned to a PIN is the product of the probability of each digit in that PIN.

4

Experimental Setting

To assess the feasibility of PinDrop, we collected a large dataset of keystroke sounds, as detailed in this section. 4.1

Data Collection

We performed two separate data collection efforts on two commercially available (commodity) metal PIN pads: DAVO LIN Model D-8201 F F (Fig. 3a)2 and Model D-8203 B (Fig. 3b)3 . For clarity’s sake, we refer to D-8201 F as PAD-1 and D-8203 B as PAD-2. For usability reasons, both pads emit a specific feedback

ATM

0.3 m

2m

(a) The simulated ATM.

(b) The testbed configuration used in the experiments.

Fig. 2. PinDrop experimental setup. 2

3

https://www.davochina.com/4x4-ip65-waterproof-industrial-metal-keypad-stain less-steel-keyboard-for-access-control-atm-terminal-vending-machine-p00103p1. html. https://www.davochina.com/4x4-ip65-stainless-steel-numeric-metal-keypad-withwaterproof-silicone-cover-p00126p1.html.

640

K. Balagani et al.

(a) PAD-1: DAVO LIN Model D-8201 F

(b) PAD-2: DAVO LIN Model D-8203 B

Fig. 3. Two commodity metal PIN pads we used.

sound (the same for all keys) when any key is pressed. In all experiments, we embedded each PIN pad into a simulated ATM (Fig. 2a). The simulated ATM size is based on a real ATM [12]. It is 0.6 m wide, 0.64 m high, and 0.4 m deep. At 0.15 m above the ATM base, we inserted a shelf upon which we placed the PIN pad and the monitor. The keyboard is 1.1 m above the ground. To record keystroke sounds, we used the microphones of two Logitech HD C920 Pro webcams: one placed on the ATM’s chassis 0.3 m above the PIN pad, and another microphone 2 m in front of the ATM, as shown in Fig. 2b. The first data collection effort involved 38 participants (23 male and 15 female, average age 38.97 ± 11.36), while the second involved 20 participants (11 male and 9 female, average age 29.50 ± 5.74). Together, that makes the total of 58 participants who entered 5, 800 5-digit PINs. Participants were university employees and students who participated voluntarily without compensation. The average duration of an experiment was 15 min. We used both these data collections to obtain datasets of 4-digit PINs by removing the last key entered by the participants from each 5-digit PIN. Since the attack takes advantage of the sound emitted when a key is pressed, shortening the PIN does not affect the reliability of the dataset. We selected 4 and 5-digits PINs to be comparable with the works [5,8]. After being informed about the study’s goals and the confidentiality and anonymity of the data, all participants provided written informed consent for their volunteer participation. At the University of Padua, where the experiments were carried out, a formal review process for research involving human participants was not required, so such ethical considerations were considered based on the authors’ past experience with similar experiments. During the experiments, participants were asked to stand in front of the simulated ATM, and remain silent for the duration. A participant’s task consisted of typing 100 5digits PINs randomly generated, divided into four batches of 25 PINs. This split was made to allow for short breaks between batches in order to lower fatigue. PINs were displayed one at a time on the ATM screen: once a PIN is entered, the participant presses the Enter button to proceed to the next PIN.

We Can Hear Your PIN Drop

641

Regardless of the individual’s typing behavior and familiarity (or lack thereof) with a given PIN or the PIN pad, we decided to randomize the order of PINs, rather than ask users to enter the same PIN multiple times. This approach generalizes the PinDrop attack, which is actually applicable to both mnemonic PINs and One Time Passwords (OTPs). We also collected the key logs of the PIN pad via the USB interface to create ground truth. In particular, for each pressed key, we collected both the “key-down” (press) and “key-up” (release) events. Moreover, we synchronized the recordings with the timestamp of these key events. We found no significant differences in synchronizing recordings using logs or the feedback sound as suggested in [8]. All recordings were done with a sampling frequency of 44, 100Hz and then saved in the 32-bit WAV format. 4.2

Classification Methods

To identify the key pressed by the victim, we experimented with four well-known and popular classifiers: Support Vector Classification (SVC), k Nearest Neighbors (KNN), Random Forests (RF), and Logistic Regression (LR). We applied a repeated nested crossfold validation to evaluate the performance of our approach. The pipeline varies on the number of attackers (i.e., a single attacker or a group) included in the training set. In the outer loop, we randomly selected the attacker(s) among the participants. This procedure was repeated 10 times generating 10 groups of attackers. The inner loop consists of a k-fold cross-validation, where k depends on the number of attackers. If the training set contains samples from a single attacker, we used 5-fold cross-validation, since a user-independent split is not applicable. If samples from at least two attackers are present in the training set, we use a k-fold cross-validation user-independent where k is the number of attackers. We varied hyper-parameters by using the grid search on all four considered classifiers. For SVC, we considered a linear kernel and varied C among: [10−2 , 10−1 , 100 , 101 , 102 ]. For KNN, we varied the number of neighbors to among: [1, . . ., 20]. For RF, we considered from 10 to 100 estimators (steps of 10 and extremes included) and a max depth from 6 to 31 (steps of 5 and extremes included). Finally, LR was evaluated for 1 and 2 penalties, with C ranging from 10−4 to 104 .

5

Experimental Results

We evaluated PinDrop in different scenarios, showing its performance in the different conditions in which the attacker may find himself. Section 5.1 describes how we evaluated different classifiers and consequently selected the best for our purpose. Sections 5.2 and 5.3 report the results for our algorithms on the key classification task and PIN classification task, respectively. Finally, Sect. 5.4 compares the performance of PinDrop with the results obtained in the state-ofthe-art.

642

K. Balagani et al.

5.1

Model Evaluation

To assess the performance of our classifiers, we evaluated different attack scenarios. In particular, we considered two settings: (i) number of distinct attackers and (ii) the number of digits entered by each attacker. We varied the number of attackers included in the training set between 1 and 10. This range has been selected to reflect a realistic attack scenarios. We varied the number of digits entered by each attacker in increments of 100, i.e., 100, 200, 300, 400, or 500. The performance of our attack was evaluated on all possible combinations between the number of attackers and the number of digits entered by each attacker. To select the best classifier, we compared the PIN validation accuracy of all the classifiers across different scenarios (i.e., PIN pads, and distances) and settings (i.e., number of digits per attacker, and number of attackers). SVC and LR achieved comparable performance, outperforming KNN and RF. In particular, LR achieved higher validation accuracy on PAD-1, while SVC showed better performance on PAD-2. In Appendix 8.1, Table 2 reports a comparison of the validation accuracies for all the investigated classifiers, considering five attackers that train the classifiers with 500 digits each (i.e., training size = 2500 digits). 5.2

Single Key Inference

We report the LR classifier performance for the PAD-1 and the SVC classifier performance for the PAD-2 based on the validation results. In Fig. 4 we show single key accuracy comparison for all the considered settings (i.e., the number of attackers and the number of digits entered by each attacker) in our four scenarios (see Fig. 8, and Appendix 8.2 for PAD-2 results). Each graphic depicts how the accuracy varies in the considered scenario as the number of entered keys included in the training set varies. Further, each graphic shows five curves representing the number of digits entered by the attackers, while the bullets of a curve represent the number of attackers included in the training set. The bullets have an increasing value from left to right: the first bullet (from left) of each curve indicates the result obtained when only one attacker has been included in training, the second indicates the result obtained when two attackers were included in training, and so on. Therefore, the number of numeric keys included in the training set varies according to the number of attackers and the number of digits entered by each attacker. We note that the accuracy is significantly affected by the training set’s size (i.e., entered keys in training) and the distance. Interestingly, with the same number of entered keys in training, the accuracy improves due to the number of attackers. For example, if we set the number of entered keys in training at 400, we can see that in all scenarios, the accuracy obtained by four attackers typing 100 keys each (i.e., 20 5-digit PINs per attacker) is significantly higher than a single attacker typing 400 keys (i.e., 80 5-digits PINs). This may depend on the variability of the data used to train the classifiers. Each person has a slightly different typing style [20] (e.g., pressure, typing speed), and adding more attackers would introduce higher variance in the

We Can Hear Your PIN Drop

(a) PAD-1, 0.3m

643

(b) PAD-1, 2m

Fig. 4. Key accuracy on the testing set for the best classifiers.

training set, helping our classifiers to generalize improving their classification performance over a test set. Appendix 8.2 provides experiments where we analyzed how our classifiers mis-classify the true key to investigate how spatial locality interferes in the classifiers’ predictions. 5.3

PIN Inference

In a realistic context, an attacker generally has three attempts to guess the victim’s PIN (i.e., the max number of incorrect PIN entries allowed before blocking the card). In this section, we report on the performance of our approach in PIN reconstruction in TOP 3-accuracy, i.e., only the three most probable PIN predictions. In Fig. 5 we show the performance of the classifiers in the reconstruction of 4-digit and 5-digit PINs according to the different settings (i.e., PIN pad and distances). Further, similar to Fig. 4, each graphic reports the performance for all settings on PAD-1 (see Fig. 10, and Appendix 8.2 for PAD-2 results). The results show that the effectiveness of the attack in each scenario. In particular, at 0.3m away, we can reconstruct correctly within three attempts up to 94% 4-digit PINs for PAD-1 and up to 96% PINs for PAD-2. Although the performance worsens by increasing the distance at which the microphone is placed, PinDrop manages to reconstruct within three attempts up to 57% of the 4-digit PINs for PAD-1 and up to 50% for PAD-2 at 2m away. At 0.3m, the accuracy graphs reach a plateau at around 1500 digits in training. On the contrary, at 2m, the accuracy seems not to reach the plateau even with a training of 10 attackers and 500 digits per attacker (i.e., 5000 digits in training). This behavior is particularly marked in PAD-2, where the increase appears almost linear also with a high number of digits in training. This could be partially due to the classifier used in the specific scenario (i.e., LR for PAD-1 and SVC for PAD-2 ) in addition to the physical differences between the two PIN pads. Comparing the performance on two PIN pads (fixing the number of attackers and entered keys per attacker), the accuracy on PAD-1 appears generally higher

644

K. Balagani et al.

than the one on PAD-2. This applies to both distances. The number of attackers significantly affects performance with the same number of entered keys in training. For example, in PAD-1 at 0.3m, the threshold of 80% of 4-digit PINs reconstructed in three attempts is reached with three attackers whom enter 100 digits each (i.e., 300 total digits), or two attackers whom enter at least 200 digits each (i.e., at least 400 total digits).

(a) PAD-1 and microphone placed at 0.3m

(b) PAD-1 and microphone placed at 2m

Fig. 5. 5-digit PINs inference performance within 3 attempts for the best classifiers.

5.4

Comparison with the State-of-the-Art

To evaluate PinDrop, we compare its with that of state-of-the-art attacks exploiting acoustic emanations of PIN pads [8,14,20,24]. Table 1 summarizes the results (with 10 attackers entering 500 digit each) in terms of key accuracy and PIN reconstruction accuracy within three attempts. Both [14] and [8], exploit inter-keystroke timing. Although in [14] the distance at which the acoustic information is collected is unspecified, such attacks can be carried out from a distance over one meter, as demonstrated in [8]. The distance significantly decreases the risk of the attacker being detected. However, the reported performance is rather poor, since the PINs correctly reconstructed within three attempts were less than 1% for both attacks. However, from a greater distance (i.e., 2 m) PinDrop outperform [8,14] achieving the accuracy of 44% and 54% on 5-digit and 4-digit PINs, respectively. Most effective attacks are those carried from a significantly shorter distance. In particular, [20] records acoustic emanations with a microphone placed at 0.05m from the PIN pad. This work obtains 60% key accuracy on a sub-set of keys (i.e., 6 on 10). Since we can not estimate the real accuracy considering all the 10 digits we decided for fairness, to leave this upper-bound. Under this assumption, we derived that this attack may achieve 4-digit and 5-digit PIN accuracies of 27.36% and 16.42%, respectively. Comparing these results with the performance of PinDrop, we can see how PinDrop achieves better accuracy for both 0.3 m and 2 m.

We Can Hear Your PIN Drop

645

The last method we consider was proposed by De Souza [24]. This attack assumes that two microphones are placed inside a PoS under the PIN pad. Unlike other methods, it uses the time of arrival of the acoustic signals. The performance achieved by the De Souza is slightly better to PinDrop from 2 m. However, PinDrop has better performance from 0.3 m (i.e., a 26% increase in 4-digit PINs and a 33% increase in 5-digit PINs). Moreover, PinDrop differs from [24] in that it does not require physical tampering with the device, even if the attack is performed from 0.3 m away. Table 1. Comparison between PinDrop and the state-of-the-art results on single key accuracy and percentage of guessed PINs within three attempts. If the score cannot be derived from the reference paper, we report N/A. Key accuracy 4-digit PINs 5-digit PINs Recording distance Liu [14]

NA

0.26%a

0.11%a

NA

Cardaioli [8]

NA

0.72%

NA

1.50 m

Panda [20]

60.00%

27.36%b

16.42%b

∼ 0.05 m

b

59.92%b

0.00 mc

92.79%

0.30 m

De Souza [24] 87.60%

68.40%

PinDrop

94.64%

95.84%

PinDrop 74.58% 53.75% 43.99% 2.00 m a Performance derived from the proportion of human-chosen PINs and the accuracy of each PIN strength level reported in the paper. b Performance estimated from reported key accuracy, assuming the prediction error to be equally distributed. c Multiple microphones are integrated in the device.

6

Impact of Noise on PinDrop

In Sect. 5 we demonstrated the effectiveness of PinDrop in a noise-controlled environment. This scenario can be traced back to ATM rooms commonly found in banks or city centers. To evaluate the effectiveness of PinDrop in other contexts (e.g., external ATMs), we simulated two different noise sources: i) road noise produced by urban traffic and ii) Gaussian noise. We modulated the two sources to obtain four levels of SNRs (Signal to Noise Ratios): very low noise (SNR 10 dB), low noise (SNR 5 dB), high noise (SNR −5 dB), and very high noise (SNR −10 dB). In Fig. 6, we show the comparison between the audio emitted the sound emitted by a key press (with the corresponding feedback sound) and two amplitude levels of the modulated Gaussian noisy signal. Following the procedure described in Sect. 4, for each considered SNR, we trained and tested PinDrop with the perturbed signals obtained from the sum of the original signal with the corresponding modulated noise. To simulate the noise produced by urban traffic, we extracted a set of urban noises from the AudioSet [23] dataset made available by Google. Accordingly to the four considered SNRs levels, we modulated the noises, and we added

646

K. Balagani et al.

(a) SNR 10 dB

(b) SNR -10 dB

Fig. 6. Comparison between very-low and very high levels of Gaussian noise with the original sound signal of a keypress.

them to the original signal. In particular, 99% of the power of the considered set of urban noises ranges 125 Hz and 2500 HzHz, in line with the literature [4, 21]. Similarly, to evaluate if the addition of a noise that covers all frequencies affects the performance of PinDrop, we perturbed the original signal with four modulated Gaussian noises amplitude, according to the four SNRs considered. Figure 7 shows the results of PinDrop trained on the perturbed PAD-1 dataset (configuration 500 digits per attacker) in inferring 5-digit PINs within three attempts. The graphs suggest that both at 0.3 m and at 2 m distance regardless the source of noise, PinDrop remains very effective when low noisy signals are added (i.e., SNR 10 dB and 5 dB). Further, Fig. 7 highlights how the addition of low noises has a greater impact on the performance of PinDrop at 0.3 m than at 0.2 m. This difference in performance can be related to the more significant background noise component already present in the original signal recorded at 2 m, making the algorithm more robust at low perturbation levels. Figure 11 in Appendix 8.2 reports the results for PAD-2. For higher noise levels (i.e., SNR −5 dB and −10 dB), PinDrop still manages to reconstruct a significant percentage of PINs when the attack is performed from 0.3 m (e.g., up to 59% with SNR −5 dB and up to 43% with SNR −10 dB). However, the performance obtained at 0.3 m by PinDrop on sounds perturbed by Gaussian noise are slightly lower than those obtained with urban traffic perturbation. This difference can be reconducted to the range of frequencies perturbed by the two sources of noise: Gaussian noise affects the entire spectrum, while urban noise has a limited frequency band. At 2 m, the performance of PinDrop degrades significantly with high-noisy perturbation, suggesting that the information contained in the original signal is no longer sufficient to make the attack effective in a very noisy environment. In contrast to the attack scenario at 0.3 m, at a distance of 2 m we do not notice significant differences between accuracies of PINs reconstructed from audio perturbed with urban noise and those reconstructed from audio perturbed with Gaussian noise. This suggests that the highfrequency component (i.e., above 2500 Hz) is less effective in the reconstruction of the PINs at 2 m compared to 0.3 m scenario.

We Can Hear Your PIN Drop

(a) Urban noise and microphone placed at 0.3m

647

(b) Urban noise and microphone placed at 2m

Fig. 7. Impact of noise source and SNR in the inference of 5-digit PINs within three attempts for PAD-1 and 500 digits per attacker.

7

Potential Countermeasures and Future Work

The relatively high accuracy of PinDrop highlights its danger and the importance of robust countermeasures. Barring wholesale replacement of PINs with other login means, we consider the following possibilities: – PIN Pad noise reduction: This idea is simple, though challenging to deploy. It consists of masking the noise emitted by the PIN pad by covering it with soundproofing material. This approach could help in reducing the effectiveness of longer-range attack. – Noise emanation: This countermeasure involves the emission of white noise by the ATM when entering the PIN. As shown in Sect. 6, high noise levels negatively affect attack performance. – On-screen PIN pad: An effective countermeasure could be to virtualize the PIN pad using a touch screen. (This is in fact already done on some ATMs). This countermeasure would also allow dynamic rearrangement of digits, making it much more challenging to implement PinDrop-like attacks. On the other hand, on-screen keypads are generally less user-friendly and can pose a problem for visually impaired users; – Feedback distortion: If removing the characteristic sound emitted by each key is not possible, an alternative is to add noise that does not allow individual keys to be profiled. By emitting a masking sound at each key-press, PinDrop can be made more difficult, especially, its training phase; – Personal PIN pad: Another possible countermeasure is to use a trusted device, such as a smartphone, to replace the physical PIN pad. The PIN could then be transmitted to the ATM using a wireless medium (e.g., NFC); – Behavioral biometrics layer: An additional layer of security might be possibly via behavioral biometrics. One possibility is to involve user authentication based on keystroke dynamics. While this method can yield a high rate of false positives, it is completely transparent to the user (until or unless, a false positive occurs).

648

K. Balagani et al.

Possible future directions range from improving applicability of PinDrop to exploring its effectiveness on other kinds of PIN pads. An interesting direction might be to apply more sophisticated (e.g., parabolic) microphones. Such a microphone could significantly extend the effective recording distance of PinDrop. Another direction is looking at PinDrop in the context of screenbased PIN pads that are fairly common on modern ATMs. This setting is more complicated due to lack of physical keys the sound of which can be profiled. However, it would be interesting to study whether sounds emitted by the touchscreen still allow the attacker to infer information about keys pressed. Finally, it would be interesting to evaluate PinDrop in a noisy real-world environment to assess the robustness of our approach, overcoming the actual experimental constraints.

8

Conclusions

This paper demonstrated PinDrop, a highly accurate acoustic side-channel attack on PIN pads. It takes advantage of acoustic emanations produced by ATM users entering their PINs into the commodity ATM’s metal PIN pads. These emanations can be surreptitiously recorded and used to accurately profile all PIN pad keys, allowing PinDrop to yield the victim’s PIN with high probability. Specifically, this work shows that PinDrop is effective when applied from a very short (and perhaps not always realistic) distance away from the PIN pad (0.3m) as well as from a rather safe and inconspicuous distance (2m). We demonstrated the effectiveness and robustness of PinDrop by conducting extensive experiments that involved a total of 58 participants and two commodities (commercially available) metal ATM PIN pads. We experimented with PinDrop in several configurations, showing how its performance can be optimized based on the training set size and the number of attackers. PinDrop’s accuracy reaches 93% and 95% in reconstructing 5-and 4-digit PINs, respectively, within three attempts, from 0.3 m away. Also, at 2m away, PinDrop outperforms state-of-the-art results, reaching over 44% accuracy. This translates into an average accuracy improvement of 44% and 53% in 5-digit and 4-digit PINs, respectively. Finally, we proved that PinDrop is effective at 2 m with low/moderate noise, reaching a lower-bound accuracy of 37%, while it remains effective under any noise condition at 0.3 m. We believe that, due to its real-world applicability and performance, this work significantly advances the state-of-the-art in acoustic side-channel attacks.

Appendix 8.1

Validation Results

Table 2 reports the results on the validation set for four different ML models. Results show that LR and SVC obtain the best results on PAD-1 and PAD-2, respectively.

We Can Hear Your PIN Drop

8.2

649

Additional Results

In Fig. 8, we report the key accuracy results for PAD-2 (from both 0.3 m and 2 m). The results refer to the SVC model that achieved better performances on PAD-2. In Fig. 9, we report an example for the digit “3” for all the four scenarios. All the other keys show similar behavior, highlighting no significant inter-class differences. Interestingly, we note a different distribution of classification errors between PAD-1 and PAD-2. In the first case, the error is uniformly distributed over all digits, in the second case, a higher concentration of errors is prominent around the true digit (i.e., digits 2, 5, and 6). Table 2. PIN accuracies on the validation set for the investigated classifiers. The training set includes samples from five distinct attackers. The results show that for PAD-1 the best performing model is the Logistic Regression (LR), while for PAD-2 the best model is the SVC. PAD-1 Distance Distance 0.3 m 2m SVC 0.90±0.04

0.35±0.12

PAD-2 Distance Distance 0.3 m 2m 0.86 ± 0.06 0.21±0.07

0.92±0.04 0.40±0.11 0.85 ± 0.06

0.19 ± 0.04

KNN 0.65 ± 0.07 0.13 ± 0.07 0.17 ± 0.05

0.02 ± 0.01

0.78 ± 0.07 0.10 ± 0.06 0.31 ± 0.06

0.02 ± 0.00

LR RF

(a) PAD-2, 0.3m

(b) PAD-2, 2m

Fig. 8. Key accuracy on the testing set for the best classifiers.

Figure 10 reports the PIN inference results within 3 attempts for PAD-2 and SVC model. Figure 11 shows the results of PinDrop trained on the perturbed PAD-2 dataset (configuration 500 digits per attacker) in inferring 5-digit PINs within three attempts. The graphs report results similar to those obtained on PAD-1.

650

K. Balagani et al.

(a) PAD-1 at 0.3m

(b) PAD-1 at 2m

(c) PAD-2 at 0.3m

(d) PAD-2 at 2m

Fig. 9. Digit “3” prediction heat maps for the four considered attack scenarios (the PIN pad layout is reported in Fig. 3). We reported the results for the experiment with 5 attackers and 500 digits entered per attacker

(a) PAD-2 and microphone placed at 0.3m

(b) PAD-2 and microphone placed at 2m

Fig. 10. 5-digit PINs inference performance within 3 attempts for the best classifiers

(a) Gaussian noise and microphone placed at 0.3m

(b) Gaussian noise and microphone placed at 2m

Fig. 11. Impact of noise source and SNR in the inference of 5-digit PINs within three attempts for PAD-2 and 500 digits per attacker

We Can Hear Your PIN Drop

651

References 1. Anand, S.A., Saxena, N.: Keyboard emanations in remote voice calls: password leakage and noise (less) masking defenses. In: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy, pp. 103–110 (2018) 2. Asonov, D., Agrawal, R.: Keyboard acoustic emanations. In: IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004. pp. 3–11. IEEE (2004) 3. ATM Industry Association. http://www.atmia.com ˇ 4. Bakowski, A., Radziszewski, L., Dek` yˇs, V., Swietlik, P.: Frequency analysis of urban traffic noise. In: 2019 20th International Carpathian Control Conference (ICCC), pp. 1–6. IEEE (2019) 5. Balagani, K., et al.: Pilot: password and pin information leakage from obfuscated typing videos. J. Comput. Secur. 27(4), 405–425 (2019) 6. Berger, Y., Wool, A., Yeredor, A.: Dictionary attacks using keyboard acoustic emanations. In: Proceedings of the 13th ACM conference on Computer and communications security, pp. 245–254 (2006) 7. Bond, M., Choudary, O., Murdoch, S.J., Skorobogatov, S., Anderson, R.: Chip and skim: cloning emv cards with the pre-play attack. In: 2014 IEEE Symposium on Security and Privacy, pp. 49–64. IEEE (2014) 8. Cardaioli, M., Conti, M., Balagani, K., Gasti, P.: Your PIN sounds good! augmentation of PIN guessing strategies via audio leakage. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds.) ESORICS 2020. LNCS, vol. 12308, pp. 720–735. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-58951-6 35 9. Cecconello, S., Compagno, A., Conti, M., Lain, D., Tsudik, G.: Skype & type: keyboard eavesdropping in voice-over-ip. ACM Trans. Privacy Secur. (TOPS) 22(4), 1–34 (2019) 10. Halevi, T., Saxena, N.: A closer look at keyboard acoustic emanations: random passwords, typing styles and decoding techniques. In: Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security, pp. 89–90 (2012) 11. Halevi, T., Saxena, N.: Keyboard acoustic side channel attacks: exploring realistic and security-sensitive scenarios. Int. J. Inf. Secur. 14(5), 443–456 (2014). https:// doi.org/10.1007/s10207-014-0264-7 12. Hyosung, N.: cmax7600ta installation manual (2015). http://www.tetralink.com/ core/media/media.nl/id.46617/c.4970910/.f?h=d919934a85943438b8fe. Accessed 30-Dec 2020 13. Liu, J., Wang, Y., Kar, G., Chen, Y., Yang, J., Gruteser, M.: Snooping keystrokes with mm-level audio ranging on a single phone. In: Proceedings of the 21st Annual International Conference on Mobile Computing and Networking, pp. 142–154 (2015) 14. Liu, X., Li, Y., Deng, R.H., Chang, B., Li, S.: When human cognitive modeling meets pins: user-independent inter-keystroke timing attacks. Comput. Secur. 80, 90–107 (2019) 15. Logan, B., et al.: Mel frequency cepstral coefficients for music modeling. In: Ismir. vol. 270, pp. 1–11 (2000) 16. Martinasek, Z., Clupek, V., Trasy, K.: Acoustic attack on keyboard using spectrogram and neural network. In: 2015 38th International Conference on Telecommunications and Signal Processing (TSP), pp. 637–641. IEEE (2015) 17. Monaco, J.V.: Sok: keylogging side channels. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 211–228. IEEE (2018)

652

K. Balagani et al.

18. Murdoch, S.J., Drimer, S., Anderson, R., Bond, M.: Chip and pin is broken. In: 2010 IEEE Symposium on Security and Privacy, pp. 433–446. IEEE (2010) 19. NationalCash Systems: ATM Statistics. http://www.nationalcash.com/statistics/ 20. Panda, S., Liu, Y., Hancke, G.P., Qureshi, U.M.: Behavioral acoustic emanations: Attack and verification of pin entry using keypress sounds. Sensors 20(11), 3015 (2020) 21. Rochat, J.L., Reiter, D.: Highway traffic noise. Acoust. Today 12(4), 38 (2016) 22. Sean Kelly: Cell Phone Cameras Hidden Inside ATMs Cause Rise In Fraud (2018). http://www.opposingviews.com/category/cell-phone-cameras-hiddeninside-atms-cause-rise-fraud-throughout-britain 23. Sound and Video Understanding teams pursing Machine Perception research at Google: AudioSet: Traffic noise, roadway noise. http://research.google.com/ audioset/dataset/traffic noise roadway noise.html 24. de Souza Faria, G., Kim, H.Y.: Differential audio analysis: a new side-channel attack on pin pads. Int. J. Inf. Secur. 18(1), 73–84 (2019) 25. United States Attorney’s Office, District of Massachussets: Bulgarian National Pleads Guilty to ATM Skimming (2021). http://www.justice.gov/usao-ma/pr/ bulgarian-national-pleads-guilty-atm-skimming 26. Wodo, W., Hanzlik, L.: Thermal imaging attacks on keypad security systems. In: SECRYPT, pp. 458–464 (2016) 27. Zhu, T., Ma, Q., Zhang, S., Liu, Y.: Context-free attacks using keyboard acoustic emanations. In: Proceedings of the 2014 ACM SIGSAC conference on computer and communications security, pp. 453–464 (2014) 28. Zhuang, L., Zhou, F., Tygar, J.D.: Keyboard acoustic emanations revisited. ACM Trans. Inf. Syst. Secur. (TISSEC) 13(1), 1–26 (2009)

VAL: Volume and Access Pattern Leakage-Abuse Attack with Leaked Documents Steven Lambregts1 , Huanhuan Chen1 , Jianting Ning2,3(B) , and Kaitai Liang1 1

2

Delft University of Technology, 2628 CD Delft, The Netherlands {s.f.lambregts,h.chen-2,kaitai.liang}@tudelft.nl Singapore Management University, Singapore 188065, Singapore [email protected] 3 Fujian Normal University, Fuzhou 350117, China

Abstract. Searchable Encryption schemes provide secure search over encrypted databases while allowing admitted information leakages. Generally, the leakages can be categorized into access and volume pattern. In most existing SE schemes, these leakages are caused by practical designs but are considered an acceptable price to achieve high search efficiency. Recent attacks have shown that such leakages could be easily exploited to retrieve the underlying keywords for search queries. Under the umbrella of attacking SE, we design a new Volume and Access Pattern Leakage-Abuse Attack (VAL-Attack) that improves the matching technique of LEAP (CCS ’21) and exploits both the access and volume patterns. Our proposed attack only leverages leaked documents and the keywords present in those documents as auxiliary knowledge and can effectively retrieve document and keyword matches from leaked data. Furthermore, the recovery performs without false positives. We further compare VAL-Attack with two recent well-defined attacks on several realworld datasets to highlight the effectiveness of our attack and present the performance under popular countermeasures.

Keywords: Searchable encryption Leakage · Attack

1

· Access pattern · Volume pattern ·

Introduction

In practice, to protect data security and user privacy (e.g., under GDPR), data owners may choose to encrypt their data before outsourcing to a third-party cloud service provider. Encrypting the data enhances privacy and gives the owners the feeling that their data is stored safely. However, this encryption relatively restricts the searching ability. Song et al. [34] proposed a Searchable Encryption (SE) scheme to preserve the search functionality over outsourced and encrypted data. In the scheme, the keywords of files are encrypted, and when a client wants to query a keyword, it encrypts the keyword as a token and c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 653–676, 2022. https://doi.org/10.1007/978-3-031-17140-6_32

654

S. Lambregts et al.

sends it to the server. The server then searches the files with the token corresponding to the query, and afterwards, it returns the matching files. Since the seminal SE scheme, many research works have been presented in the literature, with symmetrical [7,9,10,13] and asymmetrical encryption [1,5,36,38]. Nowadays, SE schemes have been deployed in many real-world applications such as ShadowCrypt [17] and Mimesis Aegis [23]. Leakage. In an SE scheme, an operational interaction is usually defined as a client sending a query to the server and the server responding to the query with the matching files. Nevertheless, this interaction could be eavesdropped on by an attacker. The messages could be intercepted because they are sent over an unprotected channel, or the attacker is the cloud service provider itself, who stores and accesses all the search requests and responses. The attacker may choose to match the query with a keyword such that he can comprehend what information is present on the server. The query and response here are what we may call leakage. In this work, we consider two main types of leakage patterns: the access pattern, the response from the server to a query, and the search pattern, which is the frequency a query is sent to the server. Besides these types, we also consider the volume pattern as leakage. This pattern is seen as the size of the stored documents on the server. The leakage patterns can be divided into four levels, by Cash et al. [8]. In this work, we consider our leakage level to be L2, which equals the fully-revealed occurrence pattern, together with the volume pattern to create a new attack on the SE scheme. Note that a formal definition of the leakages is given in Sect. 3.1. Attacks on SE. There exist various attacks on SE that work and perform differently. Most of these attacks take the leaked files as auxiliary knowledge. Islam et al. [18] presented the foundation for several attacks on SE schemes. They stated that, with sufficient auxiliary knowledge, one could create a co-occurrence matrix for both the leakage and the knowledge so that it can easily map queries to the keywords based on the lowest distance. Cash et al. [8] later proposed an attack where the query can be matched to a particular keyword based on the total occurrence in the leaked files. These attacks with knowledge about some documents are known as passive attacks with pre-knowledge. Blackstone et al. [4] developed a SubgraphVL attack that provides a relatively high query recovery rate even with a small subset of the leaked documents. The attack matches keywords based on unique document volumes as if it is the response pattern. Ning et al. [28] later designed the LEAP attack. LEAP combines the existing techniques, such as co-occurrence and the unique number of occurrences, to match the leaked files to server files and the known keywords to queries based on unique occurrences in the matched files. It makes good use of the unique count from the Count attack [8], a co-occurrence matrix from the IKK attack [18] (although LEAP inverts it to a document co-occurrence matrix) and finally, unique patterns to match keywords and files. Note that we give related work and general comparison in Sect. 6.

VAL-Attack

655

Limitations. The works in [4,8,18,28] explain their leakage-abusing methods, but they only abuse a single leakage pattern, while multiple are leaked in SE schemes. Besides the leakage patterns, the state-of-the-art LEAP attack abuses the access pattern but does not exploit its matching techniques to the full extent. In addition to extending their attack, a combination of leakage can be used to match more documents and queries. We aim to address the issue of matching keywords by exploiting both the access pattern and volume pattern. The following question arises naturally: Could we match queries and documents in a passive attack by exploiting the volume and access patterns to capture a high recovery rate against popular defences? Contributions. We answer the above research question by designing an attack that matches leaked files and keywords. Our attack expands the matching techniques from the LEAP attack [28] and exploits the volume pattern to match more documents. The attack improves the LEAP attack by fully exploring the leakage information and combining the uniqueness of document volume to match more files. These matches can then be used to extract keyword matches. All the matches found are correct, as we argue that false positives are not valuable in real-world attacks. • Besides exploiting the access pattern, we also abuse volume pattern leakage. We match documents based on a unique combination of volume and number of keywords with both leakage patterns. We can match almost all leaked documents to server documents using this approach. • We match keywords using their occurrence pattern in matched files. • Besides matching keywords in matched files, we use all leaked documents for unique keyword occurrence, expanding the keyword matching technique from the LEAP attack. We do this to get the maximum amount of keyword matches from the unique occurrence pattern. • We run our attack against three different datasets to test the performance, where we see that the results are outstanding as we match almost all leaked documents and a considerable amount of leaked keywords. Finally, we compare our attack to the existing state-of-the-art LEAP and SubgraphVL attacks. Our attack performs great in revealing files and underlying keywords. In particular, it surpasses the LEAP attack, revealing significantly more leaked files and keywords. VAL-Attack recovers almost 98% of the known files and above 93% of the keyword matches available to the attacker once the leakage percentage reaches 5%. When 10% of the Enron database is leaked, which is 3,010 files with 4,962 keywords, we match 2,950 files and 4,909 queries, respectively, corresponding to 98% and 99%. VAL-Attack can still compromise encrypted information, e.g., over 90% recovery (with 10% leakage) under volume hiding in Enron and Lucene, even under several popular countermeasures. We note that our proposed attack is vulnerable to a combination of padding and volume hiding.

656

2 2.1

S. Lambregts et al.

Preliminaries Searchable Encryption

In a general SE scheme, a user encrypts her data and uploads the encrypted data to a server. After uploading the data, the user can send a query containing an encrypted keyword to the server, and the server will then respond with the corresponding data. We assume the server is honest-but-curious, meaning that it will follow the protocol but will try to retrieve as much information as possible. The Scheme. At a high level, an SE scheme consists of three polynomial-time algorithms: Enc, QueryGen and Search [13,15,21,24,27]. Definition 1 shows the scheme in more detail. The client runs the algorithm Enc and encrypts the plaintext documents and the corresponding keywords before uploading them to the server. Enc outputs an encrypted database EDB, which is sent to the server. QueryGen, run by the user, requires a keyword and outputs a query token that can be sent to the server. The function Search is a deterministic algorithm that is executed by the server. A query q is sent to the server; the server takes the encrypted database EDB and returns the corresponding identifiers of the files EDB(q). After it has retrieved the file identifiers, the user has to do another interaction with the server to retrieve the actual files. Definition 1. A searchable encryption scheme includes three algorithms {Enc, QueryGen, Search} that operate as follows: • Enc(K, F ): the encryption algorithm takes a master key K and a document set F = {F1 , ..., Fn } as input and outputs the encrypted database EDB := {Enck (F1 ), ..., EncK (Fn )}; • QueryGen(w): the query generation algorithm takes a keyword w as input and outputs a query token q. • Search(q, EDB): the search algorithm takes a query q and the encrypted database EDB as input and outputs a subset of the encrypted database EDB, whose plaintext contains the keyword corresponding to the query q. Leakage. A query and the server response are considered the access pattern. The documents passed over the channel have their volume; this information is considered the volume pattern. In Sect. 3.1, we will explain the leakage in more detail. 2.2

Notation

In the VAL-Attack, we have m keywords (w) and m queries (q), and n leakeddocuments and n server documents, denoted as di and edi , respectively; for a single document, similarly for wi and qi . Note wi may not be the underlying keyword for query qi , equal for di and edi . The notations are given in Table 1.

VAL-Attack

657

Table 1. Notation Summary F

Plaintext document set, F = {d1 , ..., dn }

F

Leaked document set, F  = {d1 , ..., dn }

E

Server document set, E = {ed1 , ..., edn }

W

Keyword universe, W = {w1 , ..., wm }

Q

m × n matrix of leaked documents

Query set, Q = {q1 , ..., qm }

A

B

m × n matrix of server documents

M

n × n co-occurrence matrix of F 

M

n × n co-occurrence matrix of E

vi

Volume (bit size) of document i

|di |

Number of keywords in document i

C

Set of matched documents

R

Set of matched queries

W

3

Leaked keyword set, W  = {w1 , ..., wm }

Models

In an ideal situation, there is no information leaked from the encrypted database, the queries sent, or the database setup. Unfortunately, such a scheme is not practical in real life as it costs substantial performance overheads [16]. The attacker and the leakage are two concerns in SE schemes, and we will discuss them both in the following sections, as they can vary in different aspects. 3.1

Leakage Model

Leakage is what we define as information that is (unintentionally) shared with the outer world. In our model, the attacker can intercept everything sent from and to the server. The attacker can intercept a query that a user sends to the server and the response from the server. It then knows which document identifiers correspond to which query. This query → document identifier response is what we call the access pattern. The leakage is defined as [4]: Definition 2 (access pattern). The function access pattern (AP) = (APk,t )k,t∈N : F (k) × W t (k) → [2[n] ]t , such that APk,t (D, w1 , ..., wt ) = D(w1 ), ..., D(wt ). As discussed earlier, we assume the leakage level is L2 [8], where the attacker does not know the frequency or the position of the queried keywords in the document response. The volume pattern is leakage that tells the size of the document. It is relevant to all response leaking encryption schemes [6,9,11,13,20,21] and ORAMbased SE schemes [26]. The leakage is defined formally as follows [4]: Definition 3 (volume pattern). The function volume pattern (Vol) = (V olk,t )k,t∈N : F (k) × W t (k) → Nt , such that V olk,t (D, w1 , ..., wn ) = ((|d|w )d∈D(w1 ) , ..., (|d|w )d∈D(wn ) ), where | · |w represents the volume in bytes. 3.2

Attack Model

The attacker in SE schemes can be a malicious server that stores encrypted data. Since the server is honest-but-curious [4], it will follow the encryption protocol but wants to learn as much as possible. Therefore, the attacker is passive

658

S. Lambregts et al.

Fig. 1. Technical framework of existing attacks

but still eager to learn about the content present on the server. Our attacker has access to some leaked plaintext documents, keeps track of the access and volume pattern and tries to reveal the underlying server data. Figure 1 shows a visualization of our attack model. We assume that the attacker has access to all the queries and responses used in the SE scheme. This number of queries is realistic because if one waits long enough, all the queries and results will eventually be sent over the user-server channel. The technical framework delineates the LEAP, SubgraphVL and our designed attack. The attacker in our model has access to some unencrypted files stored on the server. This access can be feasible because of a security breach at the setup phase of the scheme, where the adversary can access the revealed files. Another scenario is if a user wants to transfer all of his e-mails from his unencrypted mail storage to an SE storage server. The server can now access all the original mail files, but new documents will come as new e-mails arrive. Therefore, the adversary has partial knowledge about the encrypted data present on the server. The attacker has no access to any existing query to keyword matches and only knows the keywords present in the leaked files. With this information, the attacker wants to match as many encrypted document identifiers to leaked documents and queries to keywords such that he can understand what content is stored on the server. The passive attacker is less potent than an active attacker, who can upload documents, with chosen keywords, to the server to match queries to keywords [37]. Furthermore, the attacker has no access to the encryption or decryption oracle. Because the attacker relies on the access and volume pattern countermeasures that hide these patterns will reduce the attack performance.

VAL-Attack

4 4.1

659

The Proposed Attack Main Idea

At a high level, our attack is built from the LEAP attack [28] by elevating the keyword matching metric to increase the number of keyword matches. Furthermore, each document is labelled with its document volume and number of keywords, and VAL-attack matches using the uniqueness of this label, improving the recovery rate. We first extend the matching technique from LEAP. The approach does not consist of only checking within the matched documents but also keeping track of the occurrence in the unmatched files. This method results in more recovered keywords for the improvement of LEAP that provides a way to match rows that do not uniquely occur in the matched files. We expand the attack by exploiting the volume pattern since the document size is also leaked from response leaking encryption schemes, as described in Sect. 3.1. We can extend the comprehensive attack by matching documents based on the volume pattern. Our new attack fully explores the leakage information and matches almost all leaked documents. We increase the keyword matches with the maximal file matches to provide excellent performance. 4.2

Leaked Knowledge

The server stores all the documents in the scheme. There are a total of n plaintext files denoted as the set F = {d1 , ..., dn }, with in total m keywords, denoted as the set W = {w1 , ..., wm }. We assume the attacker can access: • The total number of leaked files (i.e. plaintext files) is n with in total m keywords. Suppose F  = {d1 , ..., dn } is the set of documents known to the attacker and W  = {w1 , ..., wm } is the corresponding set of keywords that are contained in F  . Note that n ≤ n and m ≤ m. • The set of encrypted files, denoted as, E = {ed1 , ..., edn } and corresponding query tokens, Q = {q1 , ..., qm } with underlying keyword set W . • The volume of each server observed document or leaked file is denoted as vx for document dx or server document edx . The number of keywords or tokens is represented as the size of the document |dx | or |edx | for the same documents, respectively. The attacker can construct an m × n binary matrix A, representing the leaked documents and their corresponding keywords. A[dx ][wy ] = 1 iff. keyword wy occurs in document dx . The dot product of A is denoted as the symmetric n × n matrix M  , whose entry is the number of keywords that are contained in both document dx and document dy . We give an example of the matrices with known documents in Fig. 6 (Appendix A). After observing the server’s files and query tokens, the attacker can construct an m × n binary matrix B, representing the encrypted files and related query tokens. B[edx ][qy ] = 1 iff. query qy retrieved document edx . The dot product of

660

S. Lambregts et al.

B is denoted as the symmetric n × n matrix M , whose entry is the number of query tokens that retrieve files edx and edy from the server. We give an example of the matrices with observed encrypted documents in Fig. 7 (Appendix A). 4.3

Our Design

The basis of the attack is to recursively find row and column mappings between the two created matrices, A and B, where a row mapping represents the underlying keyword of a query sent to the server, and a column mapping indicates the match between a server document identifier and a leaked plaintext file. Note that each leaked document is still present on the server, meaning that n ≤ n and there is a matching column in B for each column in A. Similarly to the rows, each known keyword corresponds to a query, so m ≤ m as we could know all the keywords, but we do not know for sure. In theory, there is a correct row mapping for each row in A to a row in B. The goal of the VAL-Attack is to find as many correct mappings as possible. We divide the process of finding as many matches as possible into several steps. The first step is to prepare the matrices for the rest of the process. The algorithm then maps columns based on unique column-sum, as they used in the Count attack [8], but instead of using it on keywords, we try to match documents here. Another step is matching documents based on unique volume and the number of keywords or tokens. As this combination can be a unique pattern, we can match many documents in this step. The matrices M and M  are used to match documents based on co-occurrence. Eventually, we can pair keywords on unique occurrences in the matched documents when several documents are matched. This technique is used in the Count attack [8], but we ‘simulate’ our own 100% knowledge here. With the matched keywords, we can find more documents, as these will give unique rows in matrices A and B that can be matched. We will introduce these functions in detail in the following paragraphs. Initialization. First, we initialize the algorithm by creating two empty dictionaries, to which we eventually add the correct matches. We create one dictionary for documents and the other for the matched keywords, C (for column) and R (for row). Next, as we want to find unique rows in the matrices A and B, we must extend matrix A. It could be possible that not all underlying keywords are known beforehand, in which case n < n, and we have to extend matrix A to find equal columns. Therefore we extend matrix A to an m × n matrix that has the first m rows equal to the original matrix A and the following m − m rows of all 0s. See Fig. 10 (Appendix A) for an example. The set {wm +1 , ..., wm } represents the keywords that do not appear in the leaked document set F  .

VAL-Attack

661

Number of Keywords. Now that the number of rows in A and B are equal, we can find unique column-sums to match documents. This unique sum indicates that a document has a unique number of keywords and can thus be matched based on this unique factor. Similar to the technique in the Count attack [8], we sum the columns, here representing the keywords in A and B. The unique columns in B can be matched to columns in A, as they have to be unique in A as well. If a columnj -sum of B is unique and columnj  -sum of A exists, we can match documents edj and dj  because they have the same unique number of keywords. Volume and Keyword Pattern. The next step is matching documents based on volume and keyword pattern. If there is a server document edj with a unique combination of volume vj and number of tokens |edj | and there is a document dj  with the same combination, we can match document edj to dj  . However, if multiple server documents have the same pattern, we need to check for unique columns with the already matched keywords between these files. Initially, we will have no matched keywords, but we will rerun this step later in the process. Figure 2 shows a concrete example, and Algorithm 1 describes our method. (a) Multiple documents with the same pattern of volume and number of keywords/tokens. Leaked files · · · d4 d6 d8 · · · dn

Server files · · · ed6 ed9 ed10 · · · edn

Volume

Volume

· · · 120 120 120 · · · 150

#Tokens

· · · 20 15

· · · 120 120 120 · · · 120

#Keywords · · · 15 15 15 · · · 18

15 · · · 15

(b) With the already matched keywords, create unique columns to match documents. Here d6 and ed8 can be matched, as well as d9 and ed15 . ACR

d4 d6 d 8 d9

w2

1 0 1 1

⎛

⎜ ⎜ w3 ⎜ ⎜ ⎜ w5 ⎜ ⎜ ... ⎜ ⎜ ⎝ wt

⎞

⎟ 1 1 1 0⎟ ⎟ ⎟ 0 0 0 1⎟ ⎟ ⎟ ⎟ .. .. .. ⎟ . . . ⎠ 1 1 1 0

BCR

⎛

q1

⎜ ⎜ q3 ⎜ ⎜ ⎜ q15 ⎜ ⎜ .. ⎜ . ⎜ ⎝ qt

ed8 ed9 ed10 ed15

0

1

1

1

1

1

0 .. .

0 .. .

0 .. .

1

1

1

1

⎞

⎟ 0 ⎟ ⎟ ⎟ 1 ⎟ ⎟ ⎟ ⎟ ⎟ ⎠ 0

Fig. 2. Document matching on volume and number of keywords. Given multiple candidates, match on a unique column with the already matched keywords.

662

S. Lambregts et al.

Algorithm 1. matchByVolume 1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13:

Input: R, A (m × n ), B (m × n) C  ← {} patterns ← {(vj , |edj |) with volume vj and #tokens |edj | of document edj } for p ∈ patterns do enc docs ← [edj with pattern p] if |enc docs| = 1 then edj ← enc docs[0] C  [edj ] ← dj  with pattern p else if |R| > 0 then docs ← [dj  with pattern p] BCR ← enc docs columns and R rows of B ACR ← docs columns and R rows of A for columnj ∈ BCR that is unique do C  [edj ] ← dj  with columnj ∈ ACR

14: return C 

Co-occurrence. When having some matched documents, we can use the co-occurrence matrices M and M  to find other document matches. For an unmatched server document edx , we can try an unmatched leaked document  dy . If Mx,k and My,k  are equal for each matched document pair (edk , dk  ) and no other document dy has the same results, then we have a new document match between edx and dy . The algorithm for this step is shown in Algorithm 2. Algorithm 2. coOccurrence 1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11:

Input: C, M (n × n), M (n × n), A (m × n ), B (m × n) while C is increasing do for each dj  ∈ C do sumj  ← columnj  -sum of A candidates ← [edj ∈ C where columnj -sum of B = sumj  ] for edj ∈ candidates do for (edk , dk ) ∈ C do  if Mj,k = Mj  ,k then candidates ← candidates \ edj if |candidates| = 1 then edj ← candidates[0] C[edj ] ← dj 

12: return C

VAL-Attack

663

Keyword Matching. We match keywords using the matched documents. To this end, we create matrices Bc and Ac by taking the columns of matched documents from matrices B and A. Note that these columns will be rearranged to the order of the matched documents, such that column Bcj is equal to column Acj  for document match (edj , dj  ). Matrices Bc and Ac are shaped m × t and m × t, respectively, for t matched documents. We give the algorithm for this segment in Algorithm 3 and a simple example in Fig. 8 (Appendix A). A row in the matrices indicates in which documents a query or keyword appears. If a rowi in Bc is unique, rowi is also unique in B, similar to Ac and A. Hence, for rowi in Bc , that is unique, and if there is an equal rowj in Ac , we can conclude that the underlying keyword of qi is wj . Algorithm 3. matchKeywords 1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16: 17:

Input: C, A (m × n ), B (m × n) R ← {} Bc ← C columns of B Ac ← C columns of A for rowi ∈ Bc do if rowi is unique in Bc then if rowi ∈ Ac = rowi then R[qi ] ← wi else  Match based on occurrence in (server) files docs ← [i ∈ Ac where Ac [i ] = rowi ] e docs ← [j ∈ Bc where Bc [j] = rowi ] Bx ← sum of rows in B[e docs], sort descending Ax ← sum of rows in A[docs], sort descending if Bx [1] < Ax [0] < Bx [0] then ix ← index of Bx [0] ∈ e docs jx ← index of Ax [0] ∈ docs R[qix ] ← wjx return R

Nevertheless, if rowi is not unique in Bc , we can still try to match the keyword to a query. A keyword can occur more often in the unmatched documents than their query candidates; thus, they will not be valid candidates. We create a list Bx with for each similar rowi in Bc the sum of rowi in B; similar for list Ax , with rowi in Ac and the sum of rowi in A. Next, if the highest value of Ax , which is Axj , is higher than the second-highest value of Bx , we can conclude that keyword wj corresponds to the highest value of Bx , i.e. Bxj , which means that wj matches with qj . We put an example in Fig. 3.

664

S. Lambregts et al.

Bc q1

⎛

q2 ⎜

⎜ ⎜ .. ⎜ .⎝

q3 ⎜

qm

ed3 ed2 ···

1 1 1 .. . 0

1 1 0 .. . 1

··· ··· ··· .. . ···

edt

0 0 1 .. . 0

⎞ ⎟ ⎟ ⎟ ⎟ ⎟ ⎠

q1

⎛

q2 ⎜

⎜ ⎜ .. ⎜ .⎝

q3 ⎜

qm

Sum in B

9 7 − .. . −

⎞ ⎟ ⎟ ⎟ ⎟ ⎟ ⎠

Ac w1

⎛

⎜ ⎜ ⎜ ⎜ .. ⎜ . ⎝

w2 w3

w m

d1 d2 ···

1 1 0 .. . 1

0 1 0 .. . 1

··· ··· ··· .. . ···

dt

⎞ 1 0⎟ ⎟ 1⎟ ⎟ .. ⎟ . ⎠ 0

w1

⎛

⎜ ⎜ ⎜ ⎜ .. ⎜ . ⎝

w2 w3

wm 

Sum in A

− 7 − .. . 8

⎞ ⎟ ⎟ ⎟ ⎟ ⎟ ⎠

Fig. 3. Example of matching keywords in matched documents. Query q3 has a unique row and therefore matches with keyword w1 . Queries q1 , q2 and keywords w2 , wm have the same row. However, keyword wm occurs more often in A than w2 and query q2 in B. Therefore q1 matches with wm .

Keyword Order in Documents. We aim to find more documents based on unique columns given the query and keyword mappings. First, we create matrices Br and Ar with the rows from the matched keywords in R. Br and Ar are submatrices of B and A, respectively, with rearranged row order. Br and Ar are shaped t × n and t × n , respectively, for t matched keywords. Note that we show an example in Fig. 9 (Appendix A). If any columnj of Br is unique and there exists an equal columnj  in Ar , we know that edj is a match with dj  . The next step is to set the rows of the matched keywords to 0 in B and A. Then, similar to before, we use the technique from the Count attack [8]; we sum the updated columns in A and B and try to match the unique columns in B to columns in A. If a columnj -sum of B is unique and an equal columnj  -sum in A exists, we can match document edj and dj  . The complete algorithm of our VAL-attack is in Algorithm 4, Appendix B. 4.4

Countermeasure Discussions

Some countermeasures have been proposed to mitigate leakage-abuse attacks [8,12,18,32]. The main approaches are padding and obfuscation. Below, we have some discussions on the countermeasures. The IKK attack [18] and the Count attack [8] discussed a padding countermeasure, where they proposed a technique to add fake document identifiers to a query response. These false positives could then later be removed by the user. This technique is also called Hiding the Access Pattern [22]. The LEAP attack [28] crucially relies on the number of keywords per document, and if the scheme adds fake query tokens to documents on the server, they will not be able to match with their known documents. However, they also proposed a technique that describes a modified attack that is better resistant to padding. This technique, which is also used in the Count attack [8], makes use of a window to match keywords. But this will give false positives and thus reduce the performance of the attack. The SubgraphVL attack [4] depends on the volume of each document. Volume-hiding techniques from Kamara et al. [19] reduce the attack’s performance, but it is not clear if they completely mitigate the attack.

VAL-Attack

665

A padding technique that will make all documents of the same size, i.e. adding padding characters, will reduce the uniqueness in matching based on the volume of a document. If the padding technique can be extended such that false positives are added to the access pattern, we have no unique factor in matching documents based on the number of keywords per file. Therefore, a combination of the two may decrease the performance of the VAL-Attack.

5

Evaluation

We set up the experiments to run the proposed attack to evaluate the performance. Furthermore, we compare the file and query recovery of the VAL-Attack with the results from the LEAP [28] and SubgraphVL attack [4]. We notice that the LEAP attack is not resistant to the test countermeasures, and Blackstone et al. [4] argue for their SubgraphVL attack that it is not clear whether volumehiding constructions may mitigate the attack altogether. From this perspective, we only discuss the performance of VAL-Attack against countermeasures in Sect. 5.3. It would be an interesting problem to test the countermeasures on the LEAP and SubgraphVL attacks, but that is orthogonal to the focus of this work. 5.1

Experimental Setup

We used the Enron dataset [35] to run our comparison experiments. We leveraged the sent mail folder from each of the 150 users from this dataset, resulting in 30,109 e-mails from the Enron corporation. The second dataset we used is the Lucene mailing list [2]; we specifically chose the ”java-user” mailing list from the Lucene project for 2002–2011. This dataset contains 50,667 documents. Finally, we did the tests on a collection of Wikipedia articles. We extracted plaintext documents from Wikipedia in April 2022 using a simple wiki dump1 and used the tool from David Shapiro [33] to extract plaintext data, resulting in 204,737 files. The proposed attack requires matrices of size n × n; therefore, we limited the number of Wikipedia files to 50,000. We used Python 3.9 to implement the experiments and run them on machines with different computing powers to improve running speed. To properly leverage those data from the datasets for the experiments, we first extracted the information of the Enron and Lucene e-mail content. The title’s keywords, the names of the recipients or other information present in the e-mail header were not used for queries. NLTK corpus [3] in Python is used to get a list of English vocabulary and stopwords. We removed the stopwords with that tool and stemmed the remaining words using Porter Stemmer [30]. We further selected the most frequent keywords to build the keyword set for each document. For each dataset, we extracted 5,000 words as the keyword set 1

https://dumps.wikimedia.org/simplewiki/20220401/simplewiki-20220401-pagesmeta-current.xml.bz2.

666

S. Lambregts et al.

W . Within the Lucene e-mails, we removed the unsubscribe signature because it appears in every e-mail. The server files (n) and keywords (m) are all files from the dataset and 5,000 keywords, respectively. The leakage percentage determines the number of files (m ) known to the user. The attacker only knows the keywords (n ) leaked with these known documents. The server files and queries construct a matrix B of size m × n; while the matrix A of size m × n is constructed with the leaked files. We took the dot product for both matrices and created the matrices M and M  , respectively. Note that the source code to simulate the attack and obtain our results is available here: https://github.com/StevenL98/VAL-Attack. Because our attack does not create false positives, the accuracy of the retrieved files and keywords is always 100%. Therefore, we calculated the percentage of files and keywords retrieved from the total leaked files and keywords. Each experiment is run 20 times to calculate an average over the simulations. We chosen 0.1%, 0.5%, 1%, 5%, 10%, 30% as leakage percentages. The lower percentages are chosen to compare with the results from the LEAP attack [28], and the maximum of 30% is chosen because of the stagnation in query recovery. 5.2

Experimental Results

The results tested with the different datasets are given in Fig. 4a and Fig. 4b, which show the number and percentage of files and keywords recovered by our attack. The solid line is the average recovery in those plots, and the shades are the error rate over the 20 runs. We can see that the VAL-attack recovers almost 98% of the known files and above 93% of the keywords available to the attacker once the leakage percentage reaches 5%. These percentages are based on the leaked documents. When 10% of the Enron database is leaked, which is 3,010 files with 4,962 keywords, we can match 2,950 files and 4,909 queries, corresponding to 98% and 99%, respectively. The Lucene dataset is more extensive than Enron, and therefore we have more files available for each leakage percentage. One may see that we can recover around 99% of the leaked files and a rising number of queries, starting from 40% of the available keyword set. The Wikipedia dataset does not consist of e-mails but rather lengthy article texts. We reveal fewer files than the e-mail datasets, but we recover just below 90% of the leaked files, and from 1% leakage, we recover more available keywords than the other datasets. This difference is probably because of the number of keywords per file since the most frequent keywords are chosen. With the technique we proposed, one can match leaked documents to server documents for almost all leaked documents. Next, the algorithm will compute the underlying keywords to the queries. It is up to the attacker to allow false positives and improve the number of (possible) correctly matched keywords, but we decided not to include it.

VAL-Attack

667

(a) Exact number and relative percentage of recovered files (a.i) #Files recovered

(a.ii) %Files recovered

(b) Exact number and relative percentage of recovered queries (b.i) #Queries recovered

(b.ii) %Queries recovered

Fig. 4. Results for VAL-Attack, with the actual number and the percentage of recovered files and queries for different leakage percentages.

Comparison. We compare the performance of VAL-Attack to two attacks with the Enron dataset. One is the LEAP attack [28] (which is our cornerstone), while the other is the SubgraphVL attack [4] (as they use the volume pattern as leakage). We divide the comparison into two parts: the first is for recovering files, and the second is for queries recovery. As shown in Fig. 5, we recover more files than the LEAP attack, and the gap in files recovered expands as the leakage percentage increases, see Fig. 5a.i. The difference in the percentage of files recovered is stable, as VAL-Attack recovers about eight percentage points more files than the LEAP attack, see Fig. 5a.ii. The comparison outcome for recovered queries can be seen in Fig. 5b. We can see that the recovered queries do not show a significant difference with the LEAP attack as that attack performs outstandingly in query recovery. The most significant difference is around 5% leakage, where VAL-Attack retrieves around 100 queries more than the LEAP attack, which could influence a real-world application. Compared to the SubgraphVL , we see in Fig. 5b.ii that the combination of the

668

S. Lambregts et al.

access pattern and the volume pattern is a considerable improvement; we reveal about 60% points more of the available queries. (a) Comparison with LEAP [28] based on the number and percentages of files recovered (a.i) #Files recovered

(a.ii) %Files recovered

(b) Comparison with LEAP [28] and SubgraphVL [4] based on the number and percentages of queries recovered (b.i) #Queries recovered

(b.ii) %Queries recovered

Fig. 5. Comparison of VAL-Attack

5.3

Countermeasure Performance

As discussed in Sect. 4.4, there are several options for countermeasures against attacks on SE schemes. Moreover, since our attack exploits both the access and volume pattern, countermeasures must mitigate both leakage patterns. The former can be mitigated by padding the server result, while the latter may be handled using volume-hiding techniques. However, these approaches may come with impractical side effects. Padding the server response requires more work on the client-side to filter out the false positives. This padding can cause storage and reading problems because the user has to wait for the program to filter out the correct results. The volume-hiding technique [19] may easily yield significant storage overhead and could therefore not be practical in reality. Luckily, Patel et al. [29] illustrated how to reduce this side effect whilst mitigating the attack.

VAL-Attack

669

It is possible to mitigate our attack theoretically by using a combination of padding and volume hiding. We tested the VAL-attack’s performance with padding, volume hiding and further a combination, but we did not examine by obfuscation due to hardware limitations. We padded the server data using the technique described by Cash et al. [8]. Each query returned a multiplication of 500 server files, so if the original query returned 600 files, the server now returned 1,000. Padding is done by adding documents to the server response that to done contain the underlying keyword. These documents can then later be filtered by the client, but will obfuscate the client’s observation. We took the naive approach from Kamara et al. [19] for volume hiding, where we padded each document to the same volume. By adding empty bytes to a document, it will grow in size. If done properly, all files will eventually have the same size that can not be distinguished from the actual size. We ran the countermeasure experiments on the Enron and the Lucene dataset. We did not perform the test on the Wikipedia dataset, but we can predict that the countermeasures may affect the attack performance. We predict that a single countermeasure will not entirely reduce the attack effectiveness, but a combination may do. Because of the exploitation of the two leakage patterns, we see in Table 2 that our attack can still recover files and underlying keywords against only a single countermeasure. Under a combination of padding and volume hiding, our attack cannot reveal any leaked file or keyword. Table 2. Performance of VAL-Attack with countermeasures Dataset

Enron

Lucene

Countermeasure Padding

Volume hiding Padding & Vol. Hiding Padding

Volume hiding Padding & Vol. Hiding

Files

0.1% 0.5% 1% 5% 10% 30%

Queries 0.1% 0.5% 1% 5% 10% 30% a

25 103 208 1,114 1,910 5,358

(83.7%) (68.4%) (69.0%) (74.0%) (63,4%) (59.0%)

27 137 274 1,365 2,736 8,219

(89.5%) (90.7%) (90.9%) (90.7%) (90.9%) (91.0%)

0 0 0 0 0 0

(0%) (0%) (0%) (0%) (0%) (0%)

45 191 381 2332 4,073 10,343

(88.9%) (75.3%) (75.3%) (92.0%) (80.4%) (68.0%)

10 95 147 2452 4,891 -a

(28.4%) (37.4%) (28.9%) (96.8%) (96.5%)

0 0 0 0 0 0

(0%) (0%) (0%) (0%) (0%) (0%)

94 433 414 53 11 1

(10.4%) (18.1%) (12.8%) (1.1%) (0.2%) (0.0%)

172 1,059 1,836 4,290 4,890 4,993

(14.8%) (43.3%) (56.3%) (89.9%) (98.4%) (99.9%)

0 0 0 0 0 0

(0%) (0%) (0%) (0%) (0%) (0%)

377 724 556 87 33 10

(27.7%) (25.3%) (15.3%) (1.8%) (0.7%) (0.2%)

153 663 748 4,659 4,872 -a

(10.6%) (22.8%) (20.5%) (95.2%) (97.6%)

0 0 0 0 0 0

(0%) (0%) (0%) (0%) (0%) (0%)

Did not run due to hardware limitations

Table 2 is read as follows: The number below the countermeasure is the exact number of retrieved files or queries, with the relative percentage between brackets. So for 0.1% leakage under the padding countermeasure, we revealed, on average, 25 files, which was 83.7% of the leaked files. Each experiment ran 20 times. Due to runtime and hardware limitations, we did not run the experiment with 30% leakage on the Lucene dataset. However, since we have the results for 10% leakage and the results for the Enron dataset, we can predict the outcome for 30%. Similar to the Enron dataset, the recovered data in Lucene increases

670

S. Lambregts et al.

as the leakage percentage grows. Therefore, we predict that 30% leakage results in the Lucene dataset is a bit higher than the 10% leakage. 5.4

Discussion on Experiments

We chose specific parameters in the experiments and only compared our attack with two popular attacks [4,28]. We give more discussions below. Parameters. We used 5,000 high selectivity keywords, i.e. keywords that occur the most in the dataset. This number is chosen because a practical SE application will probably not have just a few search terms in a real-world scenario. Other attacks [4,8,18] have experimented with only 150 query tokens and 500 keywords, and we argue that this may not be realistic. Our attack is able to recover almost all underlying keywords for an experiment with 500 keywords because the number of files is still equal, but a slight variation in keyword occurrence. We cut the number of Wikipedia files to 50,000. We did this to better present the comparison with the Enron and Lucene datasets. The attack may also take longer to run when all Wikipedia files are considered. The results will also differ as the number of files leaked increases similarly. The percentage of files recovered will probably be the same because of keyword distribution among the files. If we ran the experiments with a higher leakage percentage, the attack would eventually recover more files, as more are available, but we would not recover more keywords. As with 30% leakage, we see that we have recovered all 5,000 keywords. Our attack performs without false positives. And we did so because they would not improve the performance, and an attacker cannot better understand the data if he cannot rely on it. If we allowed the attack to return false positives, we would have 5,000 matches for underlying keywords, of which not all are correct. The attack performance will not change since we will only measure the correct matches, which we already did. Attack Comparison. In Fig. 5a, we only compared our attack with the LEAP attack rather than the SubgraphVL attack. We did so because the latter does not reveal encrypted files and thus cannot be compared. If we choose to compare the attack to ours, we would have to rebuild their attack using their strategy, which is out of the scope of this work. We used the Enron dataset to compare the VAL-Attack to the LEAP and the SubgraphVL . In their work [4,28], they used the Enron dataset to show their performance. If we used the Lucene or Wikipedia dataset instead to present the comparison, we would have no foundation in the literature to support our claim. A comparison of all the datasets would still show that our attack surpasses the attacks since, in theory, we exploit more. We discussed other attacks, like the IKK and the Count attack, but we did not compare their performance with ours. While these attacks exploit the same leakage, we could still consider them. However, since LEAP is considered the most state-of-the-art attack and it has already been compared with the other attacks in [28], we thus only have to compare the LEAP attack here. Accordingly,

VAL-Attack

671

a comparison with all attacks would not affect the results and conclusion of this paper.

6

Related Work

The Count attack [8] uses the number of files returned for the query as their matching technique; The SubgraphVL [4] matches keywords based on unique document volumes as if it is the response pattern, and the LEAP attack [28] uses techniques from previous attacks to match leaked documents and keywords with high accuracy. Besides the attacks that exploit similar leakage to our proposed attack, we may also review those attacks that do not. An attack that leverages similar documents as auxiliary knowledge, called Shadow Nemesis, was proposed by Pouliot et al. [31]. They created a weighted graph matching problem in the attack and solved it using Path or Umeyama. Damie et al. [14] presented the Score attack, requiring similar documents, and they matched based on the frequency of keywords in the server and auxiliary documents. Both attacks use co-occurrence matrices to reveal underlying keywords. The Search attack by Liu et al. [25] matches based on the search pattern, i.e. the frequency pattern of queries sent to the server. Table 3 briefly compares the attacks based on leakage, auxiliary knowledge, false positives and exploiting techniques. The reviewed attacks described above are not mainly relevant to our proposed attack; thus, we did not put them in the comparison in Sect. 5. Table 3. Comparison on Different Attacks. The lower part are those passive attacks with pre-known data compared with VAL-Attack. Documents in the auxiliary data column refers to leaked document knowledge, queries refers to leaked underlying keywords for query tokens, and similar refers to the use of similar documents instead of leaked documents. Attack

Auxiliary data

False Exploited information positives

IKK [18] Access pattern Shadow Nemesis [31] Access pattern Access pattern Score [14] Search pattern Search14 [25]

Documents, queries Similar Similar, queries Search frequency

✓ ✓ ✓ ✓

Co-occurrence Co-occurrence Co-occurrence Query frequency

ZKP [37] (active)

Access pattern

All keywords

✗

-

Count [8] SubgraphVL [4] LEAP [28] VAL-Attack

Access pattern Volume pattern Access pattern Access, volume pattern

Documents Documents Documents Documents

✓ ✓ ✗ ✗

Co-occurrence, length Volume, length Co-occurrence, length Volume, length, co-occurrence

7

Leakage

Conclusion

We proposed the VAL-attack to improve the matching technique from the LEAP attack, leveraging the leakage from the access pattern and the volume

672

S. Lambregts et al.

pattern which is a combination that has not been exploited before. We showed that our attack provides excellent performance, and we compared it to the LEAP attack and the subgraphVL attack. The number of matched files is with more remarkable improvement than the number of queries recovered compared to the LEAP attack. The attack recovers around 98% of the leaked documents and above 90% for query recovery with very low leakage. Since the proposed attack uses both the document size and the response per query, it requires strong (and combined) countermeasures and thus, is more harmful than existing attacks. Acknowledgments. We would like to thank the anonymous reviewers for their helpful comments. Kaitai Liang is supported by European Union’s Horizon 2020 research and innovation programme under grant agreement No. 952697 (ASSURED) and No. 101021727 (IRIS). Jianting Ning was supported in part by the National Natural Science Foundation of China under Grant 61972094 and Grant 62032005.

A

Examples of Matrices A

w1

⎛

⎜ ⎜ .. ⎜ . ⎝

w2

wm 

d1 d2 ···

1 0 .. . 1

1 1 .. . 0

··· ··· .. . ···

dn

1 0 .. . 1

⎞ ⎟ ⎟ ⎟ ⎠

M d1

⎛

d1 d2 ···

d2 ⎜

⎜ .. ⎜ .⎝

dn

5 2 .. . 3

2 6 .. . 0

··· ··· .. . ···

dn

⎞ 3 0 ⎟ ⎟ .. ⎟ . ⎠ 10

Fig. 6. Matrix A and M  example

Bc q1

⎛

q2 ⎜

⎜ ⎜ .. ⎜ .⎝

q3 ⎜

qm

ed3 ed2 ···

1 1 1 .. . 0

0 1 0 .. . 1

··· ··· ··· .. . ···

edt

1 0 1 .. . 0

⎞

Ac

⎟ ⎟ ⎟ ⎟ ⎟ ⎠

w2 ⎜

w1

⎛

⎜ ⎜ .. ⎜ .⎝

w3 ⎜

wm

d1 d2 ···

1 1 0 .. . 1

0 1 0 .. . 1

··· ··· ··· .. . ···

dt

⎞ 1 0⎟ ⎟ 1⎟ ⎟ .. ⎟ . ⎠ 0

Fig. 8. Matrix Ac and Bc example

B q1

⎛

q2 ⎜

⎜ .. ⎜ .⎝

qm

ed1 ed2 ···

0 0 .. . 1

1 0 .. . 1

··· ··· .. . ···

edn

1 1 .. . 0

⎞ ⎟ ⎟ ⎟ ⎠

M

⎛

ed1 ed2 ···

ed1

ed2⎜

⎜ .. ⎜ . ⎝

edn

4 3 .. . 1

3 9 .. . 2

··· ··· .. . ···

edn

1 2 .. . 9

⎞ ⎟ ⎟ ⎟ ⎠

Fig. 7. Matrix B and M example

Br q3

⎛

q5 ⎜ ⎜ q2 ⎜ ⎜ .. ⎜ .⎝ qt

ed1 ed2 ···

0 1 0 .. . 1

0 1 0 .. . 1

··· ··· ··· .. . ···

edn

1 0 0 .. . 0

⎞

Ar

⎟ ⎟ ⎟ ⎟ ⎟ ⎠

w2⎜ ⎜ w3⎜ ⎜ .. ⎜ .⎝

⎛

w1

wt

d1 d2 ···

1 0 1 .. . 1

0 0 0 .. . 1

··· ··· ··· .. . ···

d n

1 1 1 .. . 0

⎞ ⎟ ⎟ ⎟ ⎟ ⎟ ⎠

Fig. 9. Matrix Ar and Br example

VAL-Attack ⎛ d1 1 w2 ⎜ ⎜0 .. ⎜ ⎜ . . ⎜ .. ⎜ wm ⎜ 1 ⎜ wm +1⎜ 0 ⎜ .. ⎜ .. . ⎝ . wm 0 A

w1

d2 ···

1 1 .. . 0 0 .. . 0

··· ··· .. . ··· ··· .. . ···

dn

1 0 .. . 1 0 .. . 0

673

⎞ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎠

Fig. 10. An example of extended matrix A

B

VAL-Attack Algorithm

Algorithm 4. VAL-Attack Input: A (m × n ), B (m × n), M  (n × n ), M (n × n) 1: 2: 3: 4: 5: 6: 7:

C = R ← {}  Initialization A ← A where rows extended with 0’s (m x n’)  Match documents with unique #keywords vectorA = vectorB ← [ ] for j ∈ [n] do vectorB [j] ← sum of column Bj for j  ∈ [n ] do vectorA [j  ] ← sum of column Aj 

8: for vectorBj ∈ vectorB that is unique do 9: if vectorAj  == vectorBj then 10: C[edj ] ← dj  11: 12: 13: 14: 15: 16: 17: 18: 19: 20:

C ← C ∪ matchByVolume(R, A, B)  Match documents with unique volume  Match docs with co-occurrence C ← C ∪ coOccurrence(C, M, M  , A, B) C ← C ∪ matchByVolume(R, A, B) while R or C is increasing do R ← R ∪ matchKeywords(C, A, B)  Match keywords in matched docs  Match documents with unique keyword order Br ← R rows of B Ar ← R rows of A for columnj ∈ Br that is unique do if columnj  ∈ Ar == columnj then C[edj ] ← dj 

21: 22: 23: 24: 25: 26: 27:

C ← C ∪ matchByVolume(R, A, B)  Match documents with unique #keywords row Bj ← 0 if qj ∈ R row Aj  ← 0 if kj  ∈ R for j ∈ [n] where edj ∈ C do vectorB [j] ← sum of column Bj for j  ∈ [n ] where dj  ∈ C do vectorA [j  ] ← sum of column Aj 

28: 29:

for vectorBj ∈ vectorB that is unique and edj ∈ C do if vectorAj == vectorBj and dj  ∈ C then

674

S. Lambregts et al.

30:

C[edj ] ← dj 

31: C ← C ∪ coOccurrence(C, M, M  , A, B) 32: return R, C

 Match docs with co-occurrence

References 1. Abdalla, M., et al.: Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. In: Shoup, V., et al. (eds.) CRYPTO 2005. LNCS, vol. 3621, pp. 205–222. Springer, Heidelberg (2005). https://doi.org/10. 1007/11535218 13 2. Apache: Mail archieves of lucene (1999). https://mail-archives.apache.org/mod mbox/#lucene 3. Bird, S., Klein, E., Loper, E.: Natural Language Processing with Python: Analyzing Text with the Natural Language Toolkit. O’Reilly Media, Inc, Beijing (2009) 4. Blackstone, L., Kamara, S., Moataz, T.: Revisiting leakage abuse attacks. In: NDSS 2020. The Internet Society (2020). https://doi.org/10.14722/ndss.2020.23103 5. Boneh, D., Di Crescenzo, G., Ostrovsky, R., Persiano, G.: Public key encryption with keyword search. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 506–522. Springer, Heidelberg (2004). https://doi.org/10. 30 1007/978-3-540-24676-3  6. Bost, R.: oϕoς: Forward secure searchable encryption. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 1143– 1154. ACM (2016). https://doi.org/10.1145/2976749.2978303 7. Bost, R., Minaud, B., Ohrimenko, O.: Forward and backward private searchable encryption from constrained cryptographic primitives. In: Thuraisingham, B., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 1465–1482. ACM (2017). https://doi.org/10.1145/3133956.3133980 8. Cash, D., Grubbs, P., Perry, J., Ristenpart, T.: Leakage-abuse attacks against searchable encryption. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 668–679. ACM (2015). https://doi.org/10.1145/2810103.2813700 9. Cash, D., et al.: Dynamic searchable encryption in very-large databases: data structures and implementation. In: NDSS 2014. The Internet Society (2014). https:// doi.org/10.14722/ndss.2014.23264 10. Cash, D., Jarecki, S., Jutla, C., Krawczyk, H., Ro¸su, M.-C., Steiner, M.: Highlyscalable searchable symmetric encryption with support for Boolean queries. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 353–373. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4 20 11. Chase, M., Kamara, S.: Structured encryption and controlled disclosure. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 577–594. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8 33 12. Chen, G., Lai, T., Reiter, M.K., Zhang, Y.: Differentially private access patterns for searchable symmetric encryption. In: IEEE INFOCOM 2018, pp. 810–818. IEEE (2018). https://doi.org/10.1109/INFOCOM.2018.8486381 13. Curtmola, R., Garay, J.A., Kamara, S., Ostrovsky, R.: Searchable symmetric encryption: improved definitions and efficient constructions. In: Juels, A., Wright, R.N., di Vimercati, S.D.C. (eds.) ACM CCS 2006, pp. 79–88. ACM (2006). https:// doi.org/10.1145/1180405.1180417

VAL-Attack

675

14. Damie, M., Hahn, F., Peter, A.: A highly accurate query-recovery attack against searchable encryption using non-indexed documents. In: Bailey, M., Greenstadt, R. (eds.) USENIX 2021, pp. 143–160. USENIX Association (2021). https://www. usenix.org/conference/usenixsecurity21/presentation/damie 15. Demertzis, I., Papamanthou, C.: Fast searchable encryption with tunable locality. In: Salihoglu, S., Zhou, W., Chirkova, R., Yang, J., Suciu, D. (eds.) ACM SIGMOD 2017, pp. 1053–1067. ACM (2017). https://doi.org/10.1145/3035918.3064057 16. Gui, Z., Paterson, K.G., Patranabis, S.: Rethinking searchable symmetric encryption. Cryptology ePrint Archive, Paper 2021/879 (2021). https://eprint.iacr.org/ 2021/879 17. He, W., Akhawe, D., Jain, S., Shi, E., Song, D.X.: Shadowcrypt: encrypted web applications for everyone. In: Ahn, G., Yung, M., Li, N. (eds.) ACM CCS 2014, pp. 1028–1039. ACM (2014). https://doi.org/10.1145/2660267.2660326 18. Islam, M.S., Kuzu, M., Kantarcioglu, M.: Access pattern disclosure on searchable encryption: Ramification, attack and mitigation. In: NDSS 2012. The Internet Society (2012). https://www.ndss-symposium.org/ndss2012/access-patterndisclosure-searchable-encryption-ramification-attack-and-mitigation 19. Kamara, S., Moataz, T.: Computationally volume-hiding structured encryption. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 183–213. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3 7 20. Kamara, S., Papamanthou, C.: Parallel and dynamic searchable symmetric encryption. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 258–274. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1 22 21. Kamara, S., Papamanthou, C., Roeder, T.: Dynamic searchable symmetric encryption. In: Yu, T., Danezis, G., Gligor, V.D. (eds.) ACM CCS 2012, pp. 965–976. ACM (2012). https://doi.org/10.1145/2382196.2382298 22. Kortekaas, Y.: Access pattern hiding aggregation over encrypted databases, October 2020. https://essay.utwente.nl/83874/ 23. Lau, B., Chung, S.P., Song, C., Jang, Y., Lee, W., Boldyreva, A.: Mimesis aegis: a mimicry privacy shield-a system’s approach to data privacy on public cloud. In: Fu, K., Jung, J. (eds.) USENIX 2014, pp. 33–48. USENIX Association (2014). https:// www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/lau 24. Li, J., Niu, X., Sun, J.S.: A practical searchable symmetric encryption scheme for smart grid data. In: IEEE ICC 2019, pp. 1–6. IEEE (2019). https://doi.org/10. 1109/ICC.2019.8761599 25. Liu, C., Zhu, L., Wang, M., Tan, Y.: Search pattern leakage in searchable encryption: attacks and new construction. Inf. Sci. 265, 176–188 (2014). https://doi.org/ 10.1016/j.ins.2013.11.021 26. Ma, Q., Zhang, J., Peng, Y., Zhang, W., Qiao, D.: SE-ORAM: a storage-efficient oblivious RAM for privacy-preserving access to cloud storage. In: Qiu, M., Tao, L., Niu, J. (eds.) IEEE CSCloud 2016, pp. 20–25. IEEE Computer Society (2016). https://doi.org/10.1109/CSCloud.2016.24 27. Minaud, B., Reichle, M.: Dynamic local searchable symmetric encryption. arXiv preprint (2022). https://arxiv.org/abs/2201.05006 28. Ning, J., et al.: LEAP: leakage-abuse attack on efficiently deployable, efficiently searchable encryption with partially known dataset. In: Kim, Y., Kim, J., Vigna, G., Shi, E. (eds.) ACM CCS 2021, pp. 2307–2320. ACM (2021). https://doi.org/ 10.1145/3460120.3484540 29. Patel, S., Persiano, G., Yeo, K., Yung, M.: Mitigating leakage in secure cloudhosted data structures: volume-hiding for multi-maps via hashing. In: Cavallaro,

676

30. 31.

32.

33. 34.

35. 36.

37.

38.

S. Lambregts et al. L., Kinder, J., Wang, X., Katz, J. (eds.) ACM SIGSAC 2019, pp. 79–93. ACM (2019). https://doi.org/10.1145/3319535.3354213 Porter, M.F.: An algorithm for suffix stripping. Program 40, 211–218 (1980) Pouliot, D., Wright, C.V.: The shadow nemesis: inference attacks on efficiently deployable, efficiently searchable encryption. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM SIGSAC 2016, pp. 1341–1352. ACM (2016). https://doi.org/10.1145/2976749.2978401 Shang, Z., Oya, S., Peter, A., Kerschbaum, F.: Obfuscated access and search patterns in searchable encryption. In: NDSS 2021. The Internet Society (2021). https://www.ndss-symposium.org/ndss-paper/obfuscated-access-andsearch-patterns-in-searchable-encryption/ Shapiro, D.: Convert Wikipedia database dumps into plaintext files (2021). https:// github.com/daveshap/PlainTextWikipedia Song, D.X., Wagner, D.A., Perrig, A.: Practical techniques for searches on encrypted data. In: IEEE S&P 2000, pp. 44–55. IEEE (2000). https://doi.org/ 10.1109/SECPRI.2000.848445 William W. Cohen, MLD, C.: Enron email datasets (2015). https://www.cs.cmu. edu/∼enron/ Zhang, R., Imai, H.: Combining public key encryption with keyword search and public key encryption. IEICE Trans. Inf. Syst. 92–D(5), 888–896 (2009). https:// doi.org/10.1587/transinf.E92.D.888 Zhang, Y., Katz, J., Papamanthou, C.: All your queries are belong to us: the power of file-injection attacks on searchable encryption. In: Holz, T., Savage, S. (eds.) USENIX 2016, pp. 707–720. USENIX Association (2016). https://www.usenix. org/conference/usenixsecurity16/technical-sessions/presentation/zhang Zheng, Q., Xu, S., Ateniese, G.: VABKS: verifiable attribute-based keyword search over outsourced encrypted data. In: IEEE INFOCOM 2014, pp. 522–530. IEEE (2014). https://doi.org/10.1109/INFOCOM.2014.6847976

Light the Signal: Optimization of Signal Leakage Attacks Against LWE-Based Key Exchange Yue Qin1,2,6 , Ruoyu Ding1,2 , Chi Cheng1,2(B) , Nina Bindel3(B) , Yanbin Pan4 , and Jintai Ding5,6 1

6

China University of Geosciences, Wuhan 430074, China [email protected] 2 State Key Laboratory of Cryptology, P.O. Box 5159, Beijing 100878, China 3 SandboxAQ, Palo Alto, CA, USA [email protected] 4 Key Laboratory of Mathematics Mechanization, Academy of Mathematics and Systems Science, Chinese Academy of Sciences, Beijing, China 5 Yau Mathematical Sciences Center, Tsinghua University, Beijing, China Ding Lab, Yanqi Lake Beijing Institute of Mathematical Sciences and Applications, Beijing, China

Abstract. Key exchange protocols from the learning with errors (LWE) problem share many similarities with the Diffie-Hellman-Merkle (DHM) protocol, which plays a central role in securing our Internet. Therefore, there has been a long time effort in designing authenticated key exchange directly from LWE to mirror the advantages of DHM-based protocols. In this paper, we revisit signal leakage attacks and show that the severity of these attacks against LWE-based (authenticated) key exchange is still underestimated. In particular, by converting the problem of launching a signal leakage attack into a coding problem, we can significantly reduce the needed number of queries to reveal the secret key. Specifically, for DXL-KE we reduce the queries from 1,266 to only 29, while for DBS-KE, we need only 748 queries, a great improvement over the previous 1,074,434 queries. Moreover, our new view of signals as binary codes enables recognizing vulnerable schemes more easily. As such we completely recover the secret key of a password-based authenticated key exchange scheme by Dabra et al. with only 757 queries and partially reveal the secret used in a two-factor authentication by Wang et al. with only one query. The experimental evaluation supports our theoretical analysis and demonstrates the efficiency and effectiveness of our attacks. Our results caution against underestimating the power of signal leakage attacks as they are applicable even in settings with a very restricted number of interactions between adversary and victim.

Keywords: Post-quantum cryptography with errors · Signal leakage attack

· Key exchange · Learning

c The Author(s), under exclusive license to Springer Nature Switzerland AG 2022  V. Atluri et al. (Eds.): ESORICS 2022, LNCS 13554, pp. 677–697, 2022. https://doi.org/10.1007/978-3-031-17140-6_33

678

1

Y. Qin et al.

Introduction

The past decades have seen the rapid developments in post-quantum (PQ) cryptography, i.e., cryptographic primitives that are secure even against attackers having access to a quantum computer. Examples for such PQ cryptography are primitives based on Regev’s learning with errors (LWE) problem [35]. Interestingly, LWE-based key exchange protocols share many similarities with the famous and elegant Diffie-Hellman-Merkle (DHM) protocol [15]. In a nutshell, Alice computes and sends PA = asA + eA to Bob, while Bob responds with PB = asB + eB . In contrast to the shared secret resulting from a DHM key exchange, Alice and Bob only agree on an approximately equal value asA sB . To enable establishing exactly the same key, Ding, Xie, and Lin [19] introduced a signal function, which indicates whether an element belongs to a fixed interval or not and that has been used to construct an LWE-based key exchange, called DXL-KE. Similarly, in 2014, Peikert [31] suggested a reconciliation function that has been used to construct key encapsulation mechanisms (KEMs), which were then instantiated and tested in the transport layer security (TLS) protocol by Bos, Costello, Naehrig, and Stebila [9]. While the progress regarding LWE-based key exchange seems promising, in practice we need efficient authenticated key exchange (AKE), as well as more advanced protocols, such as password or twofactor authentication. LWE-based AKEs can be achieved by instantiating generic constructions from public-key encryption (PKE) or KEMs. For example, recently quantumsafe AKEs from lattice-based KEMs for the TLS [22,36,37] and for the Signal protocol [10,23] have been constructed. However, most classical AKEs avoid generic transforms and construct them directly from DHM, e.g., [25,27,28]. The only AKE constructed directly from LWE (inspired by [25]), has been presented by Zhang, Zhang, Ding, Snook, and Dagdelen [41] in 2015. Mirroring the ideas of DHM-based protocols for LWE-based ones is challenging, because protocols using signal or reconciliation functions are often vulnerable to key reuse attacks. Key reuse attacks have a long history starting with Bleichenbacher’s remarkable attack against RSA PKCS#1 [8] and the key reuse attacks against the DHM key exchange proposed by Menezes and Ustaoglu [29]. There are essentially two types of key reuse attacks against LWE-based key exchange schemes. The first one is called the key mismatch attack, which aims to recover the secret by checking whether the shared keys of both parties match or not when Alice’s key is reused. Ding, Fluhrer and Saraswathy first proposed a key mismatch attack against DXL-KE [18]. Recently, key mismatch attacks have been adopted to analyze candidates1 of NIST’s PQ cryptography project, such as NewHope [5,30,32], Kyber [33], LAC [21], NTRU-HRSS [42], and others [4,24,34]. Another example of key reuse attack against LWE-based key exchange is the signal leakage attack. Fluhrer [20] has been the first to show that the signal 1

It is important to point out that these attacks are against candidates designed to resist passive adversaries. Hence, security claims are not invalidated by these attacks.

Light the Signal

679

function reveals secret key information. In a follow-up work, Ding, Alsayigh, Saraswathy, Fluhrer, and Lin [16] attacked DXL-KE using signal leakage. The idea of the attack is that the adversary sends PA = k for increasing k instead of an honestly generated PA = asA + eA . From Bob’s honestly generated response including the signal, the adversary can determine the absolute value of the secret coefficients by counting how often the signal switches between 0 and 1. For DXL-KE, about 98,310 interactions between the adversary and Bob (also called queries) are required to successfully launch the attack. Recently, Bindel, Stebila and Veitch [7], proposed a sparse signal collection method to reduce the number of needed queries to 1,266. To counter signal leakage attacks, Ding, Branco, and Schmitt [17], proposed a pasteurization technique to construct a key exchange called DBS-KE, which is claimed to be robust against key reuse attacks. They also introduced an authenticated key exchange (DBS-AKE) and proved its security in the BellareRogaway (BR) model [6]. Similar pasteurization techniques have been used in other authentication/key exchange protocols such as the password-based AKE called LBA-PAKE [13], Seyhan, Nguyen, Akleylek, Cengiz, and Islam’s key exchange [38], and Akleylek and Seyhan’s AKE [2]. There also exist other techniques to thwart signal leakage attacks, for example a smart card based two factor authenticated key exchange for mobile devices, called Quantum2FA [40]. The basic idea of Quantum2FA is to resist signal leakage attacks by putting the public key shares in the smart card in advance. While signal leakage attacks have been widely known and considered for LWE-based key exchanges, we argue that the severity of this kind of attack is still underestimated. Just recently, Bindel, Stebila and Veitch [7] used their sparse signal leakage attack to reveal the secret key used in DBS-KE, showing that the protocol is not robust against key reuse. Their attack against DBS-KE, needs about 1,074,434 queries. In this paper, we further caution against underestimating the power of signal leakage attacks. In particular, we present a new view on the attack by representing the signals as binary codes. This novel perspective enables our targeted signal extraction approach which decreases the number of needed queries drastically. More concretely, we are able to reveal Bob’s secret used in the DXL-KE from 1,266 to only 29 needed queries (i.e., we reduced the number by a factor of 43). For DBS-KE, the improvement is even stronger, namely we reduce the number of queries from 1,074,434 to only 748 (i.e., an improvement of factor 1,436). This makes the attack feasible in settings where the attacker is only able to run a very limited number of sessions. At the same time, our results caution strongly against, e.g., allowing key reuse for a restricted number of times, as further improvements might be possible. For example, in our analysis against Quantum2FA, we are able to recover part of the secret key without key reuse. That is, revealing about 50% of the secret key used in the two-factor authentication Quantum2FA with just a single query. While this does not reveal the entire secret, it decreases the bit security considerably.

680

Y. Qin et al. Table 1. Summary of parameters and notation

RLWE parameters n

dimension of RLWE instances q

modulus

χ

discrete Gaussian distribution α

standard deviation

Variables used in the key exchange protocols sA , sB

reused secrets

yA , y B

ephemeral public keys

PA , PB

reused public keys

eA , eB ,

errors terms sampled from χα

ωB

signal value of Bob

gA , gB , gA , gB

KA , KB approx. equal shared secrets

SKA , SKB

shared secret keys

Parameters used in the signal leakage attack z

number of consecutive zeros

t

code length

m1

range size of sB [i]

m2

alphabet size of signals

Furthermore, signal representation as binary codes and the resulting targeted signal extraction, enables to recognize vulnerable schemes more easily. As such, we successfully carry out a signal leakage attack against the password-based authentication LBA-PAKE using 757 queries. Since these schemes are claimed to be secure against signal leakage attacks, our results show that although signal leakage attacks are well-known, it seems challenging to construct robust schemes and to spot their vulnerabilities. All our attacks are supported by experimental evaluation that matches our theoretical analysis well. To recover a complete secret key, the average time needed for our proposed attacks on DXL-KE is 0.44 s, while our proposed attack on DBS-KE costs 6.53 s. As a comparison, the attacks presented in [7] need more than 24.1 and 582.08 s against DXL-KE and DBS-KE, respectively. Meanwhile, it costs less than 8 s to completely recover the long-term secret key of LBAPAKE. For Quantum2FA, on average we can successfully recover 54.57% of 512 coefficients using one query. In addition and on a more theoretical level, viewing the signals used in LWEbased key exchange as binary codes, supports the strong connection between these two field of research. Similarities between lattices and binary codes have gained more attention recently and have been systematically analyzed by DebrisAlazard, Ducas, and van Woerden [14]. For the remainder of this paper, we first recall signal leakage attacks in Sect. 2. We continue in Sect. 3, with describing how to define the binary codes and our targeted signal extraction. In Sect. 4, we give the details on how to apply the attack to DXL-KE, and in Sect. 5 to DBS-KE, LBA-PAKE, and Quantum2FA. We explain our experimental results in Sect. 6.

2

Background

Notations. All key exchange protocols discussed in this paper are based on Ring-LWE (RLWE) [26], a variant of the Learning with Errors (LWE) problem.

Light the Signal

681

For a prime q and a dimension n, let the polynomial ring Rq be Zq [x]/xn + q−1 1 with Zq = Z/qZ = {− q−1 2 , · · · , 2 }. All polynomials are in bold lowercase letters, and we use c[i] (0 ≤ i ≤ n − 1) to represent the i-th coefficient of the polynomial c ∈ Rq . We denote by p ← χα sampling every coefficient of p from a discrete Gaussian distribution over Z with standard deviation α. The operation x represents the maximum integer not exceeding x, while x

represents the minimal integer greater than or equal to x; we define x = x+ 21 . We summarize used variables and parameters in Table 1. For prime q > 2, set E = {− 4q , · · · ,  4q }. The aim of a signal function Sig(x) is to tell whether the coefficients of the shared key belong to E or not. Specifically, for x ∈ Zq we define Sig(x) to be 0 if x ∈ E, and 1 otherwise. to each Further, Sig(p) = (Sig(p[i]))i=0,...,n−1 ∈ {0, 1}n is a natural extension  of the polynomial coefficients. Moreover, we define M od2 (x, ω) = x + ω · q−1 2 mod q mod 2, and its coefficient-wise extension to M od2 (p, ω) to polynomials.

Alice sA , eA ← χα PA ← asA + 2eA gA ← χα

Bob P

−−−A−→ sB , eB , gB ← χα PB ← asB + 2eB KB ← PA sB + 2gB

(PB ,ωB )

KA ← PB sA + 2gA ←−−−−−− ωB ← Sig(KB ) SKB ← M od2 (KB , ωB ) SKA ← M od2 (KA , ωB )

Oracle OsB (PA ): 1 2 3 4 5

eB , gB ← χα PB ← asB + 2eB KB ← PA sB + 2gB ωB ← Sig(KB ) Return (PB , ωB )

Fig. 1. Pseudo-code description of DXL-KE (left) and oracle O (right)

DXL-KE. We depict the details of DXL-KE in Fig. 1, which is vulnerable to signal leakage attacks [16]. In this kind of attacks, Bob’s private key sB is reused. An active adversary A impersonating Alice, deliberately chooses values for PA and tries to recover Bob’s secret. To formalize this, we define an oracle O that reuses Bob’s secret key sB as shown in Fig. 1. The parameters for DXL-KE are n = 1024, α = 3.197, q = 214 + 1 = 16, 385. Signal Leakage Attacks. The signal leakage attack can be divided into two steps. In Step 1, the adversary A recovers the absolute value of each sB [i] for i = 0, 1, · · · , n − 1. To launch the attack, A queries PA = k to the oracle OsB , which returns PB and ωB . Increasing k from 0 to q − 1, yields q signals for each sB [i]. The oracle computes KB = PA sB + 2gB = ksB + 2gB to get ωB . Ignoring the error 2gB for simplicity, when KB [i] enters or leaves the interval [− 4q ,  4q ], the corresponding signal flips. For example, if sB [i] = ±1, |KB [i]| = |(PA sB )[i]| = k|sB [i]| = k. As k changes from 0 to q − 1, the signal ωB [i] changes as 0 → 1 → 0, i.e., the signal changes 2 times. As |sB [i]| grows, the signal changes

682

Y. Qin et al.

more frequent, to be exact the signal changes 2|sB [i]| times. Counting the signal changes, A can determine the absolute value of sB [i]. Since the range of gB is small, it may affect only some small regions of the signals when ksB [i] is approximate to ± 4q . Therefore, when counting the number of signals changes, the small (fluctuated) regions where the signal changes frequently, have been mostly ignored in [16]. Bindel, Stebila, and Veitch [7] formalized this by dividing the signals into stable and noisy regions as visualized for absolute values 1, 2, and 3 of sB [i] in Fig. 2. The blue and yellow bars represent the stable regions consisting of 0s and 1s, respectively; the wavy lines represent the fluctuated (or noisy) regions. When k increases from 0 to q − 1, fluctuated regions occur when KB [i] approaches ± 4q due to the error terms. During stable regions, the error terms have no impact on the signal.

Fig. 2. Alternate stable and fluctuated regions

In Step 2, the adversary tries to determine the sign of each sB [i]. Querying PA = (1 + x)k to OsB for k = 0, . . . , q − 1, the adversary can recover the pairs sB [0] − sB [n − 1], sB [1] + sB [2], . . . , sB [n − 2] + sB [n − 1]. However, there may be the case that 1 or more consecutive 0s occur in sB , which prevents deciding the relative sign of two non-zero coefficients. To eliminate this, the adversary needs to set PA = (1 + xz+1 )k to collect enough signals, where z represents the maximum number of consecutive 0s. To be specific, setting z = 4 is sufficient to successfully launch the attack [7]. During the first attack against DXL-KE [16], the adversary queries the oracle q = 16, 385 times in Step 1 and (1+z)q = 81, 925 times during Step 2 for each coefficient of sB , which is very  inefficient. q + 2 = 4, 099 queries for An improvement presented in [18] leads to only  4 q determining the absolute values, and (1+z)( 4 + 2 ) = 20, 495 queries to recover each sB [i]. Since the signal flips when KB [i] changes from  4q to  4q + 1, and when sB [i] = ±1 the maximum number of queries is 4q + 2. Therefore, in this case the adversary needs (2 + z)( 4q + 2) = 24, 594 queries to recover the secret. Bindel, Stebila, and Veitch [7] further decreased the number of needed queries by using a sparse signal collection method. The idea of their sparse signal attack is to collect at least one signal from a stable and at most one from a noisy region. Totally, the adversary needs 36(3 + 2z)α ≈ 1, 266 queries. While the number of needed queries is reduced drastically, they still need to sample the signals periodically to count the number of times the signal changes. In what follows,

Light the Signal

683

we reduce the number of needed queries even further. This is enabled by viewing the received signals as codewords as explained next.

3

The Targeted Signal Extraction Method

This section presents our new view on LWE-based signal leakage attacks by considering the collected signals as binary codes. This enables a variant of the signal leakage attack that needs only very few queries. 3.1

Description of Codewords and Lower Bound

Denote by S = {S0 , S1 , · · · , Sm1 −1 } the set of all the possible values of sB [i], also called the alphabet of sB [i] of size m1 . Let C = {C0 , C1 , · · · , Cm2 −1 } represent the alphabet of signals ωB [i] with m2 > 1 symbols. Taking DXL-KE as an example, sB [i] is sampled from discrete Gaussian distribution with standard deviation α = 3.197. Hence, the probability of |sB [i]| < 5α = 15.985 is 99.9999%. Therefore, we choose S = {0, · · · , 14, 15} with m1 = 16 for absolute value recovery. The alphabet of signal function is C = {0, 1} with m2 = 2. Assume that the adversary A accesses the oracle OsB (see Fig. 1) t times with t different PAj = kj , j = 1, 2, · · · , t. The oracle returns corresponding signals ωBj where every ωBj = (ωBj [0], ωBj [1], · · · , ωBj [n − 1]) consists of n bits. It is important to note that for the recovery of sB [i], it is sufficient to extract the i-th coefficient from each signal ωBj (j = 1, 2, · · · , t). We denote this signal sequence by Ωi = (ωB1 [i], ωB2 [i], · · · , ωBt [i]) ∈ C t as shown in Fig. 3 and will refer to it as the (targeted) signal sequence. We can regard Ωi ∈ C t as a codeword and establish a map M : C t → S which maps a codeword to the absolute value of a coefficient of sB . Since, we would like to be able to determine every possible value |sB [i]| with high probability, the map M needs to be surjective. Surjectivity of M implies that there is at least one codeword corresponding to every element in S, which immediately implies that |C t | = mt2  m1 = |S| ⇔ t  logm2 m1 .

(1)

Ωi PA1 = k1 ⇒ ωB1 PA2 = k2 ⇒ ωB2 .. .

.. .

= (ωB1 [0], ωB1 [1], · · · , ωB1 [i] , · · · , ωB1 [n − 1]) = (ωB2 [0], ωB2 [1], · · · , ωB2 [i] , · · · , ωB2 [n − 1]) .. .

.. .

.. .

.. .

.. .

.. .

PAt = kt ⇒ ωBt = (ωBt [0], ωBt [1], · · · , ωBt [i] , · · · , ωBt [n − 1])

Fig. 3. PAj and its corresponding ωBj (j = 1, 2, · · · , t)

684

Y. Qin et al.

As t corresponds to the number of queries to the oracle OsB , t must be a positive integer. Therefore, the lower bound of the number of queries for recovering an entire secret key tbounds in our attack is   tbounds = logm2 m1 . (2) The challenge is to find values k1 , ..., ktbounds such that the resulting codewords determine the absolute values uniquely with very high probability. We explain concrete values in Sects. 4 and 5. Taking the absolute value recovery of DXL-KE as an example again with  m1 = 16 and m2 = 2, it holds that tbounds = logm2 m1 = log2 16 = 4. Since the best signal leakage attack against DXL-KE needs 1,266 queries [7], there is a large gap between the theoretical lower bound and existing state-of-art results, indicating that there may be more efficient signal leakage attacks. 3.2

Description of Our Targeted Signal Extraction Method

In this section, we introduce a generic method to improve the signal leakage attacks, dubbed the targeted signal extraction method. As stated before, there exists a surjective map M, mapping any codeword Ωi = (ωB1 [i], ωB2 [i], · · · , ωBt [i]) obtained by the response of the oracle, to an element in S. Our key observation is that if there exists some component ωBj [i] that falls into some fluctuated region, then it can be either 0 or 1 due to the randomness of gB , which means that it contributes very little to determine |sB [i]|. It is important to note that this does not necessarily mean we can remove this j-th query directly, since it may help determine other elements in S. However, the more queries in the attack help determine all the elements in S, the smaller the number of queries. The above observation inspires us to improve the known signal leakage attacks by carefully selecting k1 , ..., kt ∈ [0, ..., q − 1] such that as many ωBj [i] (for j = 1, ..., t and i = 0, ..., n − 1) as possible fall into stable regions. For example, in Fig. 2, all signals corresponding to PA ∈ {k1 , k2 , k3 } fall into stable regions. In more detail, for PA = k1 , the signal corresponding to |sB [i]| = 1 is in the stable region of 0s, while both |sB [i]| = 2 and |sB [i]| = 3 correspond to the stable regions of 1s. Likewise, for PA = k2 , the signals corresponding to |sB [i]| = 1, 2, 3 are (1, 1, 0), respectively. Similarly, the signals corresponding to PA = k3 are (1, 0, 1), respectively. In this way, the codewords Ω1 = (0, 1, 1), Ω2 = (1, 1, 0) and Ω3 = (1, 0, 1) uniquely determine |sB [i]| = 1, 2 and 3. Hence, designing a signal leakage attack with fewer queries can be reduced to finding a sequence of kj (j = 1, · · · , t) with small t such that the corresponding codewords Ωi ’s satisfy two conditions: every Ωi determines an element in S uniquely and all the components of every Ωi are in as many stable regions as possible. Next we present a heuristic way to find such kj ’s. Finding codewords. We first associate every sB [i] ∈ S with a unique codeword such that the length of the codeword approaches our lower bound as

Light the Signal

685

closely as possible. For example, in DXL-KE, since C = {0, 1}, we use the strategy of dichotomy to assign codewords uniquely and of minimal length, see Table 2 in Sect. 4.2 Finding values k1 , ..., kt . Next, we find the appropriate values for k which results in the signal sequence we select above. To achieve this goal, we need to calculate the stable regions of each symbol in S, and determine a set of inequalities related to k whose solution defines the range of k. The selection of k is not unique, and for each targeted signal, we simply select one of them. In case there is no solution for the set of inequalities, we go to Step 1 to select another target signal sequence and then compute the corresponding k.

4

Improved Signal Leakage Attacks on DXL-KE

In this section, we show how to apply the targeted signal extraction to improve signal leakage attacks such that very few queries to the oracle OsB are needed to reveal the entire secret key. Recovering the Absolute Value of sB [i]. We choose the alphabet of |sB [i]| to be S = {0, 1, · · · , 15} with m1 = 16, see Sect. 3.1. We recall that the core idea is to determine the symbols in S by collecting codes C t = {0, 1}t of fixed length t. Moreover, according to the previous section we know t ≥ logm2 m1 = 4. Our strategy is to use dichotomic search to identify four values, namely k1 = 550, k2 = 1050, k3 = 4000, and k4 = 8192, whose corresponding codes uniquely identify |sB [i]| for every i = 0, ..., n − 1. The columns in Table 2 show the corresponding codewords of length 4 for each absolute value. For example, if we collect the the codeword (0, 0, 1, 1), we know that |sB [i]| = 3 with very high probability. We give the details on how to choose appropriate k1 , k2 , k3 , and k4 in Appendix A. It is important to note that the choice is not unique. Table 2. Signals ωBj [i] for kj and |sB [i]| in DXL-KE with i ∈ [0, n − 1]

2

|sB [i]|

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

k1 = 550

0 0 0 0 0 0 0 0 1 1 1

1

1

1

1

1

k2 = 1, 050 0 0 0 0 1 1 1 1 1 1 1

1

0

0

0

0

k3 = 4, 000 0 0 1 1 0 0 1 1 0 0 1

1

0

0

1

1

k4 = 8, 192 0 1 0 1 0 1 0 1 0 1 0

1

0

1

0

1

Interestingly, assigning corresponding binary values as codewords fails because we fail to find suitable values in the next step.

686

Y. Qin et al.

Recovering the Sign of sB [i]. In this step, the adversary queries the oracle OsB with different PA = (1 + x)k to recover each |sB [i] + sB [i + 1]|. The corresponding alphabet is S = {0, 1, · · · , 30} and m1 = 31, thus t ≥ logm2 m1 = 5. We again identify values for k1 , ..., k5 such that the corresponding codewords uniquely determine the absolute values. We explain our choice of the kj ’s in Appendix A and present Table 4 which shows the resulting codewords for our selected values k1 = 260, k2 = 525, k3 = 1050, k4 = 4000, and k5 = 8192. In order to recover each |sB [i] + sB [i + 1]|, the adversary queries PA = (1+x)kj to the oracle to collect the corresponding signal ωBj . Next, the adversary combines each ωBj [i] to get the codeword corresponding |sB [i] + sB [i + 1]| and determines its value according to Table 4. Then the relative sign of sB [i] and sB [i + 1] can be determined as described in Sect. 2. Finally, the adversary needs to repeat this step with (1 + xz+1 )k to recover the relative sign of two non-zero coefficients separated by z consecutive zeros. Query Complexity. During absolute value recovery and since m1 = 16, we need log2 16 = 4 queries per coefficient of sB . During sign recovery, m1 = 31, we need log2 31 = 5 queries to recover the complete secret key. Since z ≈ 4, this step needs (1 + z) log2 31 = 25 (expected) queries. Therefore, our targeted signal attack needs log2 16 + (1 + z) log2 31 =29 queries per coefficient of sB . Success Probability of Attacking DXL-KE. In DXL-KE, all coefficients of sB and error gB are sampled from discrete Gaussian distribution. Thus, the probability that sB [i] or gB [i] are greater than h = 15 with α = 3.197 is     ∞  −x2 h 1 1 2 2α √ ≈ 1.35 · 10−6 , e = erfc √ Pr[sB [i] > h] = (3) 2 2 2α 2πα x=h+1   ∞ for DXL-KE and with erfc(x) = √2π x exp −t2 dt being the complementary error function [12]. To determine the success probability, we recall that with t satisfying Equation (1), we guarantee that each |sB [i]| corresponds to a codeword. Furthermore, by selecting the appropriate PA = k near k’s mid range, we make sure that noisy regions are not larger than expected. Therefore, failure in recovering |sB [i]| occurs only when some coefficients of sB lie outside [−15, 15]. Based on Equation (3), the probability that some coefficient of sB lies outside [−15, 15], is at most Pf ailure1 = n (Pr[|sB [i]| > h]) ≈ 0.002772. Similarly, we can get the failure probability of recovering the sign of sB [i] as Pfailure2 ≈ 6.5166 · 10−18 , which can be ignored and we will not consider it below. Hence, the probability of recovering a complete secret key sB for our targeted signal attack is Psuccess ≈ (1 − Pfailure1 − Pfailure2 ) × 100% = 99.7228%.

5

Our Targeted Signal Leakage Attack on KEs and AKEs

In this section, we apply our targeted signal extractionto give an improved signal leakage attack against DBS-KE [17], and then we show that our attack can also be migrated directly to LBA-PAKE [13] and Quantum2FA [40].

Light the Signal

5.1

687

Improved Attack Against DBS-KE

Description of DBS-KE. The DBS-KE [17] proposed by Ding, Branco, and Schmitt is presented in Fig. 4. H1 : {0, 1} → χα is a hash function whose outputs are sampled from the discrete Gaussian distribution χα . DBS-KE is designed to provide robustness for key reuse using the pasteurization technique. The key point of this technique is that Bob does not use Alice’s public key PA to multiply his private key directly, but transforms PA to PA as PA = PA + aH1 (idA , idB , PA ) + 2gB .

(4)

DBS-KE is instantiated with α = 4.19, n = 512, and q = 26, 038, 273. Unfortunately, Bindel, Stebila and Veitch show that the scheme is in fact not robust against key re-use [7]. In their proposed attack, the adversary selects PA = k for some k ∈ [0, q − 1]. Upon input PA , the oracle computes KB = PA sB + (PA d + cPB + acd) + (2gB sB + 2gB d + 2gB − 2ceB ) = PA sB + Δ + ε,

(5)

with Δ = PA d + cPB + acd and ε = 2gB sB + 2gB d + 2gB − 2ceB . The adversary knows a, PA , PB , hence, Δ. That means in particular, that the adversary can choose idA and PA such that Δ[i] = 0, i.e., KB [i] = ksB [i] + ε[i]. Furthermore, the adversary can calculate a bound for ε[i] = (2gB sB + 2gB d + 2gB − 2ceB )[i], since all of these terms are sampled from discrete Gaussian distribution with standard deviation α. This circumvents the pasteurization and allows for the signal leakage attack.

Alice

Bob

sA , eA ← χα PA = asA + 2eA c ← H1 (idA , idB , PA ) d ← H1 (idA , idB , PA , PB ) gA , gA ← χα

P

−−−A−→ sB , eB , gB , gB ← χα PB = asB + 2eB c ← H1 (idA , idB , PA ) d ← H1 (idA , idB , PA , PB ) PA = PA + ac + 2gB KB = PA (sB + d) + 2gB

(PB ,ωB )

PB = PB + ac + 2gA ←−−−−−− ωB = Sig(KB ) ∈ {0, 1}n  KA = PB (sA + c) + 2gA SKA ← M od2 (KA , ωB ) ∈ {0, 1}n SKB ← M od2 (KB , ωB ) ∈ {0, 1}n

Fig. 4. Pseudo-code description of DBS-KE

688

Y. Qin et al.

Our Improved Signal Leakage Attack on DBS-KE. We improve the sparse signal attack against DBS-KE further by using our targeted signal extraction, reducing the number of queries drastically. For DBS-KE, the oracle OsB computes KB [i] as PA sB [i] + Δ[i] + ε[i]. We regard Δ[i] + ε[i] as the cause of the fluctuated region just like the errors 2gB [i] do in DXL-KE. As such, KB [i] has the same form in DBS-KE and DXL-KE. Therefore, we can use our targeted signal extraction to launch an improved attack against DBS-KE. For recovering |sB [i]|, the same targeted signals as in Table 2 can be used since |sB [i]| ∈ [0, 15]. However, the values for k will be different, namely k1 = 868,000, k2 = 1,735,800, k3 = 6,076,000, and k4 = 13,019,136. We let Δj [i] where j = 1, 2, 3, 4 denote the term Δ[i] corresponding to each kj . Difficulties during signal collection might occur if Δ[i] is large (while gB [i] is small with high probability), and hence, disturb the signal. Since the adversary is able to calculate the value of Δ[i], they are able to only collect signals where the corresponding Δj [i] is small enough. More concretely, signals are only collected when |Δj [i]|  426,000 (j = 1, 2, 3), and |Δ4 [i]|  6,500,000. It is important to note that this requirement is much less restrictive than the one in the sparse signal attack [7], where Δ[i] need to be exactly 0. We compute the probability of Δj [i] being sufficiently small in Sect. 5.1. The adversary will keep querying the oracle until enough signals ωBj [i] to determine the absolute values are collected. Afterwards, Ωi = (ωB1 [i], ωB2 [i], ωB3 [i], ωB4 [i]) are taken and used to recover |sB [i]| according to Table 2. To determine the sign of sB [i], we also use targeted signal extraction with S = {+, −} and the corresponding codewords being 1 and 0. The adversary first finds a small enough k to make its corresponding signal Sig(k|sB [i]|) = 0. q Then, they need to  find a Δ[i] which is approximately equal to 4 . If sB [i] < 0, q ksB [i] + Δ[i] < 4 − |ε[i]|, and the corresponding

 signal Sig(ksB [i] + Δ[i]) = 0. Otherwise (i.e., if sB [i] > 0), ksB [i]+Δ[i] > 4q +|ε[i]|, and Sig(ksB [i]+Δ[i]) = 1. That is, the positive sB [i] corresponds to the signal ωB [i] = 1, while ωB [i] = 0 represents the negative sB [i]. Specifically, the adversary selects the parameter PA = k = 813, 000 to access the oracle, when 5, 710, 000  Δ[i]  7, 310, 000, and collects the corresponding signal ωB [i]. This process is repeated for every ωB [i] (i ∈ [0, n−1]). If ωB [i] = 0, the adversary determines that sB [i] is negative, otherwise sB [i] is positive. Query Complexity. In our improved attack on DBS-KE it is clear that the number of queries is related to the range of our bound Δ[i]. More concretely, the larger the range of the bound Δ[i] is, the more signals the adversary gets after each query, and thus fewer queries are required to complete the attack. We use b to denote the bound on |Δ[i]|. Since the distribution of Δ[i] is close to uniformly random, the probability of |Δ[i]|  b is approximately 2b/q. Consequently, in our improved attack, the adversary approximately collects 2nb/q signals after the first query, while n(1 − 2b/q) signals remain to be collected. Let t denote the number of queries. After t queries, there are still n(1 − 2b/q)t signals left to be collected by the adversary. Therefore, the number of signals that the adversary

Light the Signal

689

t has collected after t queries is n − n(1 − 2b q ) . The adversary stops collecting 1 signals after collecting n signals, which means t > log q−2b 2n . Hence, we need to q

1 make t = log q−2b 2n

queries. q For the improved attack against DBS-KE, with q = 26, 038, 273, n = 512, and the bounds b1 = b2 = b3 = 426, 000 and b4 = 6, 500, 000 for the absolute value recovery, we can compute the respective number of queries t1 = t2 = t3 = 208.35 = 209, and t4 = 10.02 = 11. Thus, the total number of required queries in Step 1 is 638. In the second step (i.e., sign recovery), Δj [i] should be in the range of [5 710 000, 7 310 000] over Zq , thus b = 1, 600, 000. Similarly, we 1

= 109.30 = 110. Therefore, can get the needed queries t as t = log q−b 2n q the total number of needed queries to recover the key of DBS-KE is 748.

Success Probability. Recall that in our improved signal leakage attack against DBS-KE, the failure probability to recover the secret key only depends on its bound. More precisely, based on Equation (3), the failure probability of recovering all sB [i] ∈ [−15, 15] is related to the fixed bound h = 15 of sB and α. In case of DBS-KE with α = 4.19, the failure probability is Pfailure1 ≈ 0.1760. Hence, the success probability of our improved signal leakage attack against DBS-KE is Psuccess = (1 − Pfailure1 ) × 100% ≈ 82.40%. 5.2

Application to DBS-AKE

DBS-AKE is an AKE based on DBS-KE using a similar pasteurization technique. Bindel, Stebila, and Veitch [7] extended their attack against DBS-KE to DBS-AKE under the extended Canetti-Krawczyk (eCK) model [11]. Since DBS-AKE also uses the pasteurization technique, they analyze the components of KB in DBS-AKE, which can be formalized as KB = yA sB + Δ + ε. Here yA is an ephemeral public key of Alice. Similar to DBS-KE, the value of Δ is approximately uniform over Rq , and ε follows a discrete Gaussian distribution. In the eCK model, the adversary is able to calculate the value of Δ, which can be exploited similarly to the attack against DBS-KE to recover the long-term key sB in DBS-AKE. Similar to the result in Sect. 5.1, our attack can be applied to DBS-AKE in the eCK model. Compared to the sparse signal collection, our targeted signal extraction requires much fewer signals. Specifically, DBS-KE and DBS-AKE share the same parameters, thus the needed queries against DBS-AKE are almost the same as that against DBS-KE, which is 745. However, note that in the BR security model, the adversary does not have the ability to obtain the value of Δ, hence DBS-AKE can resist the various signal leakage attacks above in accordance with the BR model.

690

5.3

Y. Qin et al.

Improved Attack Against LBA-PAKE

Description of LBA-PAKE. LBA-PAKE [13] is a password-based authenticated key exchange, which integrates the conventional password authentication to the RLWE-based key exchange. In LBA-PAKE, Bob stores the hash value of Alice’s password and idA . When Alice initiates a key exchange with Bob using her password, idA , and public key PA . Bob first checks that the hash over PA is the same as the stored value, and computes PA = PA + aH1 (PA ). The transformation from PA to PA can be seen as a simplified variant of pasteurization, which uses only PA as the input to H1 , but without the employment of identity idA , idB , and the errors. Then, Bob computes a ephemeral public key yB = arB + 2gB , with rB , gB ← χα . He then uses his long-term secret key sB to compute KB as KB = PA sB + (PA d + cPB + acd) + (2gB − 2ceB ),

(6)

where gB , eB ← χα , c = H1 (PA ), d = H1 (yB ). Finally, Bob computes the signal ωB = Sig(KB ), and sends yB and ωB to Alice. The protocol is claimed to be secure in the Real-or-Random model that has been introduced by Abdalla, Fouque, and Pointcheval [1]. As we show, this claim is unfortunately not true. More concretely, every registered user with a password (i.e., after an honest registration phase) can recover the server’s long-term key by launching signal leakage attacks. The following instantiation is proposed n ∈ {512, 256, 128}, q = 7, 557, 773, α = 3.192. Our Signal Leakage Attack on LBA-PAKE. The designers of LBA-PAKE claimed that LBA-PAKE is secure and robust for reusing the long-term key sB . However, we discover that any registered user could recover the long-term key under the key reuse setting. As a registered user, an adversary can pass the verification of the server Bob using their own password and identity. Then they are able to launch the key exchange with the server/Bob. Similar to the case in DBS-KE, the adversaries are able to calculate Δ = PA d + cPB + acd, since they know the long-term public key PB , and receive yB from Bob. As before, Δ is close to uniformly distributed over Rq , and the error term ε = 2gB − 2ceB follows a discrete Gaussian distribution. Based on the above discussion, it is easy to see that targeted signal extraction against DBS-KE can also be directly applied to LBA-PAKE. Therefore, the adversary performs the same operations as in Sect. 5.1 with the following attack parameters. For absolute value recovery, the adversary queries PA = ki , with k1 = 252, 000, k2 = 503, 800, k3 = 1, 764, 000, and k4 = 3, 778, 886. The corresponding |Δj [i]| is bounded as |Δj [i]|  122, 000 when j ∈ [1, 3], and |Δ4 [i]|  1, 887, 000. For sign recovery, the adversary only queries PA = 236, 000, and bounds Δ[i] as 1, 656, 000  Δ[i]  2, 120, 000. √ Following [7, Section√5.3], we calculate the standard deviation of ε[i] to be 4nα2 + 4α2 . Since 4.5 4nα2 + 4α2 ≈ 2075.13, we assume that |ε[i]| ≤ 2100.

Light the Signal

691

Query Complexity. Following Sect. 5.1 closely, in the attack against LBAPAKE, we choose the bounds b1 = b2 = b3 = 122, 000 and b4 = 1, 887, 000, during absolute value recovery. Hence, the total number of needed queries is t1 + t2 + t3 + t4 = 647. Similarly, the number of required queries t in Step 2 with Δj [i]’s bound b = 464, 000, is t = 110. Thus, the total number of queries for our attack against LBA-PAKE is 757. Success Probability. Similar to the case of DBS-KE, we can write h ≈ 4.6992α, and the failure probability is Pfailure1 ≈ 0.0013. Therefore, the success probability against LBA-PAKE is Psuccess = (1 − Pfailure1 ) × 100% ≈ 99.87%. 5.4

Application to Quantum2FA

Quantum2FA [40] is a password-based authentication that uses a modified version of NewHope-Simple [3] to establish shared keys. Specifically, Quantum2FA is instantiated with q = 12289, n = 512. The secret s and error e are sampled from the centered binomial distribution ψ8 , i.e., they are integers in [−8, 8]. In Quantum2FA, the server A computes the long-term public key PA = asA + eA , where sA , eA ← ψ8 . It is important to point out that A stores PA in a smart card B in advance. When B is used to log into the server to complete the password-based authenticated key exchange, B samples the ephemeral secret sB to compute PB = asB + eB , where sB , eB ← ψ8 . Then B chooses a random key m to compute c = PA sB + eB + Encode(m), where m ← {0, 1}128 , eB ← ψ8 , and Encode(m) is a polynomial f with f[i + j · 128] = q/2 · m[i] for i ∈ {0, . . . , 127} ¯ = Compress(c), where c ¯[i] = (c[i] · and j = 0, 1, 2, 3. After that, B computes c ¯ to server A. 8)/q mod 8 and sends PB , c To thwart the signal leakage attack in Quantum2FA, the server A needs to pre-embed the public key PA into B, which means that even a malicious A cannot deliberately select more than one PA to launch attacks. The question is whether it is possible to launch the attack with only one query. ¯[i] ∈ [0, 7] and sB [i] ∈ [−8, 8], from Eq. (2) we need tbounds = Since the signal c log8 17 = 2 queries to fully recover the secret. However, by restricting sB [i] ∈ [−1, 1], we can successfully recover part of sB with one query. Specifically, we assume that server A is malicious and launches the following attack. Step 1. A chooses PA = 12603 and embeds it into the smart card B in advance. ¯ sent Step 2. After receiving the authentication information and the signal c ¯[i] is equal to the targeted signal. Specifically, from B, A checks whether c ¯[i] ∈ {0, 4}, sB [i] = 1 if c ¯[i] ∈ {1, 5}, and A determines that sB [i] = 0 if c ¯[i] ∈ {3, 7}. sB [i] = −1 if c According to the distribution of ψ8 , the probability that sB [i] ∈ [−1, 1] is 54.55%. Hence, A can recover about 1/2 of all coefficients of sB . Although this is not a complete key recovery, it decreases the bit security drastically. 3

Other values than 1260 are possible but at this time, our attack needs PA to be a constant polynomial.

692

6

Y. Qin et al.

Experimental Evaluation

To support our theoretical analysis, we perform experimental validation of our improved attacks against the above mentioned (authenticated) key exchange protocols in this section. Furthermore, we compare the results of our proposed attacks on DXL-KE and DBS-KE with the sparse signal attack [7] in terms of average queries and time, which shows that our attacks are more efficient. Our implementations are publicly available on https://github.com/frostry/improvedsignal-leakage-attack. Experimental Setup. We implement our proposed improved attacks against DXL-KE and DBS-KE on the basis of the publicly available implementation of the sparse signal attack [7,39]. It is important to note that the implementation of the sparse signal attack is designed to recover sB [i] ∈ [−13, 13], while our attack is designed for the range [−15, 15]. Thus, for consistency, we modify the sparse signal parameters for attacking DBS-KE in their implementation by reducing the limit h2 (resp., h2 ) for Δ from 220, 000 (resp., 110, 000) to 210, 000 (resp., 100, 000). Moreover, we set the sampling parameter t1 (resp., t2 ) from 465, 000 (resp., 230, 000) to 434, 000 (resp., 220, 000). Moreover, in the implementation of [39], two polynomial multiplication functions, namely poly mul mont and poly mul, are implemented. In our experiments, we use poly mul as it is experimentally faster in our setting. Furthermore, we follow [39] in collecting signals during the attack in parallel to ensure a fair comparison. In addition, we also simulate the attack against Quantum2FA by implementing the part of authenticated key exchange. All implementations are run on a computer with two 3 GHz Intel Xeon E52620 CPUs and a 64 GB RAM. Reported runtimes and number of queries are averaged over 1000 runs. For each attack, we generate a unique secret key. Table 3. Comparison of the experimental results on DXL-KE and DBS-KE n

α

q

Protocols

Attacks

DXL-KE

Sparse Signal Attack [7] 1024 3.197 214 + 1 824.13 Ours 24.23

DBS-KE

Sparse Signal Attack [7] 512 Ours

LBA-PAKE Ours

512

4.19

Average #Queries

Average Time (s) 24.14 1.04

≤ 224.7 390,597.15 582.08 737.45 6.53

3.192 ≤ 222.9 742.53

7.67

Results and Comparison. The experimental results of our proposed attacks in comparison with our re-run of the sparse signal attacks are presented in Table 3.

Light the Signal

693

As shown in the table, our improved attacks against DXL-KE using targeted signal recovery reduce the number of queries by 97.1% (i.e., about 33 times), and reduce the run time by 95.7% (i.e., about 22 times). For attacks against DBS-KE, our improved attack significantly reduces the queries and time by 99.8% and 98.9%, respectively, which means our attack is nearly 100 times more efficient than the sparse signal attack [7]. Moreover, the table shows that our attack against LBA-PAKE is also efficient, namely only about 743 queries and less than eight seconds are needed to reveal the secret. In addition, our attack against Quantum2FA successfully recovers 54.57% of 512 coefficients in each session on average. These results demonstrate that our attacks are more practical in the real world than known signal leakage attacks. Moreover, they enable an attack against Quantum2FA that would not have been feasible using the sparse signal attack. Finally, our experiment results match our theoretical analysis closely.

7

Conclusion

In this paper, we show that although known and analyzed in the literature, signal leakage attacks can still be further improved. This is enabled by our new technique regarding the signals as codewords. As a result, our improved attacks are capable of reducing the number of queries by tens or even hundreds of times compared to previous attacks. It is important to emphasize that DBS-AKE and Zhang et al.’s AKE [41] can still thwart our proposed signal leakage attacks. In addition, our results show that although signal leakage attacks are known since 2016, protocols do not sufficiently protect against them as we can successfully break recently constructed RLWE-based protocols using our improvement. Therefore, out work cautions against underestimating signal leakage attacks during the design of key exchange protocols. Acknowledgments. The research in this paper was partially supported by the National Natural Science Foundation of China (NSFC) under Grant no 62172374. Y. Pan was supported by the National Key Research and Development Program of China (No. 2018YFA0704705) and NSFC (No. 62032009). Y. Q and J. D would like to thank CCB Fintech Co. Ltd for partially sponsoring the work (No. KT2000040). Nina Bindel was supported by Natural Sciences and Engineering Research Council of Canada (NSERC) Discovery grant RGPIN-2016-05146, NSERC Discovery Accelerator Supplement grant RGPIN-2016-05146, and Contract 2L 165-180499/001/sv, “PQC Analysis”, funded by Public Works and Government Services Canada.

A A.1

Parameter Choices in the Improved Attack Against DXL-KE The Choices of k for Absolute Value Recovery

|ksB [i]| − |2gB [i]| ≤ Recall that KB = PA sB + 2gB = ksB + 2gB . Hence,

 |KB [i]| ≤ |ksB [i]| + |2gB [i]|. Moreover, if |KB [i]| < 4q the corresponding signal

694

Y. Qin et al.

q

is 0, and the signal is 1 if region if

< |KB [i]|