Browse the papers through two complementary perspectives: the methods and foundations used to build secure computation, and the security domains in which those methods are applied. Each paper has one primary area; keyword tags preserve connections across areas.
Abstract popups use the complete paper abstract when one has been transcribed from a source or supplied by the author. Papers without a source abstract show a clearly labeled editorial overview instead. Each popup identifies that provenance explicitly. Theory, Applied, and Perspective describe research orientation. Lowercase protocol, primitive, scheme, and algorithm tags identify substantive constructive content and may appear alongside Theory. Theory without one of those tags is reserved for non-constructive results or records with insufficient evidence to assert a construction. AI focus labels are cross-cutting: a paper may have a primary research area outside AI & Machine Learning while still using AI for security. Resource links always prefer the official publication, followed by a public archive and then an author-hosted copy. Resource types that could not be located remain visible in gray.
Research domain
Methods & Foundations
Core computational and mathematical methods used to construct, analyze, and reason about secure and intelligent systems.
The listed full version appears to expand the position paper's critique of idealized time-lock analyses, unbounded simulators, and missing composition guarantees. No distinct public full-paper record was found, and the linked ePrint may instead correspond to the shorter published version.
This is a concise editorial overview, not the paper's verbatim abstract.
This paper introduces time-lock puzzles whose secret is generated and controlled collectively, preventing any one participant from revealing it early. It gives a practical protocol and uses it to construct timed multiparty computation with a time-locked output.
This is a concise editorial overview, not the paper's verbatim abstract.
This position paper argues that common analyses of time-lock puzzles rely on idealizations or simulators that do not faithfully model computations whose security expires. It calls for realistic and falsifiable models that track running time, leakage, and security loss when timed components are composed.
This is a concise editorial overview, not the paper's verbatim abstract.
This work develops a fine-grained complexity framework for reasoning about cryptographic components whose security expires over time. It introduces residual complexity, proves composition results for timed multiparty protocols, and demonstrates the framework with an auction application.
This is a concise editorial overview, not the paper's verbatim abstract.
This paper shows that efficiently switching between exact BGV/BFV ciphertexts and approximate CKKS ciphertexts would also yield an efficient bootstrapping method. It gives similar reductions for homomorphic comparison and related functions, providing evidence that substantially cheaper scheme switching is unlikely without better bootstrapping.
This is a concise editorial overview, not the paper's verbatim abstract.
This paper constructs proactive multiparty computation for groups whose membership changes while a mobile adversary may control a dishonest majority in each period. It reduces amortized communication to quadratic per secret and introduces efficient bivariate multiplication and batched proactive sharing techniques.
This is a concise editorial overview, not the paper's verbatim abstract.
Nikola Samardzic, Axel Feldmann, Aleksandar Krastev, Nathan Manohar, Nicholas Genise, Srinivas Devadas, Karim Eldefrawy, Chris Peikert, and Daniel Sánchez
2022Published49th International Symposium on Computer Architecture (ISCA)
CraterLake is a hardware accelerator for fully homomorphic encryption that supports computations of unbounded depth by accelerating the expensive refresh operations that prevent ciphertext noise from growing without limit. Its architecture is designed to make long, general encrypted programs practical rather than restricting acceleration to a narrow fixed workload.
This is a concise editorial overview, not the paper's verbatim abstract.
This paper systematically relates proactive secret sharing, which refreshes and repairs shares under mobile attacks, to regenerating codes, which repair distributed storage efficiently. It identifies partial-leakage weaknesses, proves conditional connections between the two notions, and introduces generalized-decoding regenerating codes.
This is a concise editorial overview, not the paper's verbatim abstract.
This paper gives the first machine-checked implementation of the general MPC-in-the-Head transformation from secure computation to zero-knowledge proofs. Its modular EasyCrypt proof accepts suitable MPC protocols as components and supports extracting a verified executable implementation for benchmarking.
This is a concise editorial overview, not the paper's verbatim abstract.
Axel Feldmann, Nikola Samardzic, Aleksandar Krastev, Srini Devadas, Ronald G. Dreslinski, Karim Eldefrawy, Nicholas Genise, Chris Peikert, and Daniel Sánchez
2021Extended version of the MICRO 2021 paper54th IEEE/ACM International Symposium on Microarchitecture (MICRO)
F1 is a programmable hardware accelerator designed to execute complete fully homomorphic encryption programs rather than isolated kernels. Specialized vector units, an explicitly managed memory hierarchy, and a scheduling compiler yield several-thousand-fold average speedups over software.
This is a concise editorial overview, not the paper's verbatim abstract.
In standard Secret Sharing (SS), a dealer shares a secret s among n parties such that an adversary corrupting no more than t parties does not learn s, while any t + 1 parties can efficiently recover s. Proactive Secret Sharing (PSS) retains confidentiality of s even when a mobile adversary corrupts all parties over the lifetime of the secret, but no more than a threshold t in each epoch (called a refresh period). Withstanding such adversaries has become of increasing importance with the emergence of settings where private (cryptographic) keys are secret shared and used to sign cryptocurrency transactions, among other applications. Feasibility of single-secret PSS for static groups with dishonest majorities was demonstrated but with a protocol that requires inefficient communication of O(n⁴). In this work, we improve over prior work in three directions: batching without incurring a linear loss in corruption threshold, communication efficiency, and handling dynamic groups. While each of properties we improve upon appeared independently in the context of PSS and in other previous work, handling them simultaneously (and efficiently) in a single scheme faces non-trivial challenges. Some PSS protocols can handle batching of ℓ ∼ n secrets, but all of them are for the honest majority setting. Techniques typically used to accomplish such batching decrease the tolerated corruption threshold bound by a linear factor in ℓ, effectively limiting the number of elements that can be batched with dishonest majority. We solve this problem by reducing the threshold decrease to √ℓ instead, allowing us to deal with the dishonest majority setting when ℓ ∼ n. This is accomplished based on new bivariate-polynomials-based techniques for sharing, and refreshing and recovering of shares, that allow batching of up to n − 2 secrets in our PSS. To tackle the efficiency bottleneck the constructed PSS protocol requires only O(n³/ℓ) communication for ℓ secrets, i.e., an amortized communication complexity of O(n²) when the maximum batch size is used. To handle dynamic groups we develop three new sub-protocols to deal with parties joining and leaving the group.
Transcribed from the checked-in full-text PDF; mathematical symbols were normalized to plain Unicode, and only typography, discretionary hyphenation, and line-break artifacts were otherwise normalized.
This paper designs proactive MPC for changing groups and non-threshold corruption patterns described by dynamic general adversary structures. Efficient conversions between additive sharing and monotone-span-program sharing support refreshing, recovery, membership changes, and adaptation to the current threat structure.
This is a concise editorial overview, not the paper's verbatim abstract.
Secure Multiparty Computation (MPC) enables a group of n distrusting parties to jointly compute a function using private inputs. MPC guarantees correctness of computation and confidentiality of inputs if no more than a threshold t of the parties are corrupted. Proactive MPC (PMPC) addresses the stronger threat model of a mobile adversary that controls a changing set of parties (but only up to t at any instant), and may eventually corrupt all n parties over a long time. This paper takes a first stab at developing high-assurance implementations of (P)MPC. We formalize in EasyCrypt, a tool-assisted framework for building high-confidence cryptographic proofs, several abstract and reusable variations of secret sharing and of (P)MPC protocols building on them. Using those, we prove a series of abstract theorems for the proactive setting. We implement and perform computer-checked security proofs of concrete instantiations of the required (abstract) protocols in EasyCrypt. We also develop a new tool-chain to extract high-assurance executable implementations of protocols formalized and verified in EasyCrypt. Our tool-chain uses Why3 as an intermediate tool, and enables us to extract executable code from our (P)MPC formalizations. We conduct an evaluation of the extracted executables by comparing their performance to performance of manually implemented versions using Python-based Charm framework for prototyping cryptographic schemes. We argue that the small overhead of our high-assurance executables is a reasonable price to pay for the increased confidence about their correctness and security.
Transcribed from the checked-in full-text PDF; only typography, discretionary hyphenation, and line-break artifacts were normalized.
Secure multiparty computation (MPC) protocols enable n distrusting parties to perform computations on their private inputs while guaranteeing confidentiality of inputs (and outputs, if desired) and correctness of the computation, as long as no adversary corrupts more than a threshold t of the n parties. Existing MPC protocols assure perfect security for t ≤ ⌈n/2⌉ − 1 active corruptions with termination (i.e., robustness), or up to t = n − 1 under cryptographic assumptions (with detection of misbehaving parties). However, when computations involve secrets that have to remain confidential for a long time such as cryptographic keys, or when dealing with strong and persistent adversaries, such security guarantees are not enough. In these situations, all parties may be corrupted over the lifetime of the secrets used in the computation, and the threshold t may be violated over time (even as portions of the network are being repaired or cleaned up). Proactive MPC (PMPC) addresses this stronger threat model: it guarantees correctness and input privacy in the presence of a mobile adversary that controls a changing set of parties over the course of a protocol, and could corrupt all parties over the lifetime of the computation, as long as no more than t are corrupted in each time window (called a refresh period). The threshold t in PMPC represents a tradeoff between the adversary’s penetration rate and the cleaning speed of the defense tools (or rebooting of nodes from a clean image), rather than being an absolute bound on corruptions. Prior PMPC protocols only guarantee correctness and confidentiality in the presence of an honest majority of parties, an adversary that corrupts even a single additional party beyond the n/2 − 1 threshold, even if only passively and temporarily, can learn all the inputs and outputs; and if the corruption is active rather than passive, then the adversary can even compromise the correctness of the computation. In this paper, we present the first feasibility result for constructing a PMPC protocol secure against a dishonest majority. To this end, we develop a new PMPC protocol, robust and secure against t < n − 2 passive corruptions when there are no active corruptions, and secure but non-robust (but with identifiable aborts) against t < n/2 − 1 active corruptions when there are no passive corruptions. Moreover, our protocol is secure (with identifiable aborts) against mixed adversaries controlling, both, passively and actively corrupted parties, provided that if there are k active corruptions, there are less than n − k − 1 total corruptions.
Transcribed from the public author-uploaded full text and cross-checked against the official Springer abstract; mathematical notation was normalized to plain Unicode and display line-break artifacts were removed. Local file fixity has not been recorded.
One option to instantiate Mobile Target Defense (MTD) [JGS+11] strategies in distributed storage and computing systems is to design such systems from the ground up using cryptographic techniques such as secret sharing (SS) and secure multiparty computation (MPC). In standard SS a dealer shares a secret s among n parties such that an adversary corrupting no more than t parties does not learn s, while any t + 1 parties can efficiently recover s. MPC protocols based on secret sharing allow one to perform computations on such secret shared data without requiring reconstructing the data at a central location. MPC thus enables a set of distrusting parties to perform computation on their secret shared data while guaranteeing secrecy of their inputs and outputs, and correctness of the computation, also as long as no more than t parties are corrupted. Over a long period of time all parties may be corrupted and the threshold t may be violated, which is accounted for in proactively secure protocols such as Proactive Secret Sharing (PSS) and Proactive MPC (PMPC). Proactive security is an example of a cryptographically grounded and theoretically well-studied approach to realize MTD. PSS retains confidentiality even when a mobile adversary corrupts all parties over the lifetime of the secret, but no more than a threshold t during a certain window of time, called the refresh period. As an example of a proactively secure protocol that realizes an MTD strategy we overview the first PSS scheme secure in the presence of a dishonest majority (developed recently in [DEL+16]). The PSS scheme is robust and secure against t < n − 2 passive adversaries when there are no active corruptions, and secure but non-robust (but with identifiable aborts) against t < n/2 − 1 active adversaries when there are no additional passive corruptions. The scheme is also secure (with identifiable aborts) against mixed adversaries controlling a combination of passively and actively corrupted parties such that if there are k active corruptions there are less than n − k − 2 total corruptions.
Transcribed from the public author-uploaded full text; display typography and line-break artifacts were normalized, and the author-version bibliography keys were retained. Local file fixity has not been recorded.
The paper defines secure self-stabilizing computation, in which a distributed system recovers not only correct operation but also privacy and integrity after even a temporary compromise of every component. It demonstrates the idea with a jointly computed finite-state machine that autonomously restores secure MPC guarantees once enough parties recover and the Byzantine threshold is again satisfied.
This is a concise editorial overview, not the paper's verbatim abstract.
This brief announcement gives the first proactive secret-sharing feasibility result that remains confidential even when passive corruptions form a dishonest majority. It supports nearly all parties being passively compromised under stated fault conditions, allows mixed passive and active adversaries, and reduces batched communication to cubic in the number of parties.
This is a concise editorial overview, not the paper's verbatim abstract.
The full paper develops proactive secret sharing whose confidentiality can survive a dishonest majority, unlike earlier schemes that fail once half the parties are observed within a refresh period. It combines additive sharing with verifiable polynomial sharing to tolerate up to n−1 passive corruptions in the basic case, while also analyzing recovery, active corruption, and communication costs.
This is a concise editorial overview, not the paper's verbatim abstract.
This work protects long-lived secrets even as participants join, leave, or are eventually compromised by periodically refreshing shares and restoring parties. It gives the first dynamic proactive secret-sharing schemes with optimal amortized constant communication per secret, improving on polynomial or exponential prior costs, and extends them to dynamic proactive MPC.
This is a concise editorial overview, not the paper's verbatim abstract.
This work revisits proactive MPC, where different machines may be compromised over time, and identifies why standard precomputation and sharing techniques become too costly under mobile faults. It introduces packed proactive secret sharing and UC-secure MPC protocols with near-linear per-step communication while tolerating almost one-third perfect-security or one-half statistical-security moving corruptions.
This is a concise editorial overview, not the paper's verbatim abstract.
Most current digital currency schemes and associated ledgers are either centralized or completely distributed similar to the design adopted by Bitcoin. Centralized schemes enable accountability, but leave the privacy of users' identities and transactions in the hands of one organization. Distributed schemes can ensure better privacy but provide little accountability. In this paper we design a privacy-preserving proactively-secure distributed ledger and associated transaction protocols that can be used to implement an accountable digital currency that inherits the ledger's privacy and security features. One of the main technical challenges that we address is dealing with the increase in ledger size over time, an unavoidable aspect as the currency spreads and the ledger is required to be maintained for a long time in the future. We accomplish this by reducing the distributed (secret-shared) storage footprint and the required bandwidth and computation for proactively refreshing the ledger to ensure long-term confidentiality and security.
Transcribed from the public author-uploaded full text; only typography, discretionary hyphenation, and line-break artifacts were normalized. Local file fixity has not been recorded.
Balancing security and privacy concerns with information sharing is a top priority for corporations, law enforcement agencies, governments, and other organizations. Secure pattern matching (SPM) addresses some of the challenges faced in sharing and searching private data.
Transcribed from the complete introductory deck in the checked-in magazine PDF; the article does not contain a section labeled Abstract. Only line-break artifacts were normalized.
5PM lets a client privately test a pattern against a server's private text while supporting wildcards, substring matching, nonbinary alphabets, and richer distance measures even when one party is malicious. Its carefully staged protocol uses eight rounds and can hide the pattern length without increasing asymptotic computation or communication.
This is a concise editorial overview, not the paper's verbatim abstract.
5PM lets a client search a server's text for exact, wildcard, approximate, and substring matches without revealing the query or exposing unrelated text, even against malicious participants. A linear-algebra formulation with additive homomorphic encryption gives sublinear-in-circuit communication, supports arbitrary alphabets and hidden pattern length, and completes in eight rounds in the malicious model.
This is a concise editorial overview, not the paper's verbatim abstract.
Publication number #75
Decomposable MPC with Security Against Malicious Adversaries
Kelong Cong, Karim Eldefrawy, Ben Terner, and Titouan Tanguy
Public manuscript not found; this work is listed as under review.
Overview
Plain-language editorial overview
Based on its working title, this paper studies how a secure multiparty computation can be split into reusable or independently handled pieces without losing security. The design targets malicious participants, who may deviate arbitrarily from the protocol rather than merely observe it.
This is a concise editorial overview, not the paper's verbatim abstract.
Public manuscript not yet linked; an author-supplied abstract and the CSCML 2026 venue website are represented.
Abstract
Author-supplied abstract
Today’s AI-powered enterprise systems are increasingly combining multiple models with pre- and post-processing, score aggregation, routing to expert models, and model-as-judge mechanisms. This raises a natural theoretical question with immediate practical implications: can compositions of models and pre- and post-processing techniques reduce hallucination rates inherent in single models?
We answer this question for the calibrated core of systems composing multiple models with pre- and post-processing techniques. Calibration in this context means that among all claims assigned score z, the average truth rate is z. Kalai and Vempala (KV) proved a limitation for a single calibrated fact-level generator: it must hallucinate monofacts (facts appearing once in training data) at a rate lower-bounded by the Good–Turing missing-mass estimate minus calibration error.
We show that calibration is preserved by three natural and common composition operators: (1) deterministic semantic post-processing, (2) Bayesian-compatible score aggregation, and (3) routing to one of many expert models (sometimes called a mixture of experts). The KV hallucination floor thus survives compositions built from these operators. A combined system that beats this floor must therefore either be miscalibrated as a final composite or violate one of our closure theorems. We give two counterexamples showing that, when the conditions of our theorems are violated, the overall system may not be calibrated: marginally calibrated experts need not average to a calibrated ensemble, and globally calibrated expert models need not remain calibrated under routing to one of the expert models.
We map our results to cybersecurity-relevant settings; in such settings, composed systems powered by generative models discover vulnerabilities, review code, generate code and test cases, analyze logs, triage alerts, and summarize incidents. In cybersecurity, “facts” are operational claims whose tail can be viewed as the monofact regime. Such claims can concern, for example, vulnerability existence, exploitability, patch safety, alert validity, or incident attribution. Vulnerability discovery also marks the theorem’s boundary: a model-generated claim that a rare bug exists is monofact-like when supported only by model confidence, while a concrete exploit, proof certificate, or execution trace is a checkable witness. Thus, our theorems apply to pre-verification composition; verified witnesses provide an escape by changing the evidence state.
We conclude with an evaluation procedure for auditing composed systems powered by generative models acting as a cybersecurity AI assistant or automated pipeline addressing specific tasks in such settings. The evaluation procedure enables one to explain whether, and by which mechanism, an observed hallucination reduction is compatible with our analysis.
Supplied by the author for this website; the manuscript and theorem proofs have not been independently audited.
As the scale and complexity of modern computer networks increases, administrators and operators of such networks need tools to accurately infer dependencies between different network services and applications. Such tools can aid in (1) detecting misconfigurations, (2) effectively scheduling major software and hardware maintenance operations with minimal disruptions, and (3) exposing potential anomalies in a timely manner. Existing tools either only consider temporal correlations which require installing additional software to monitor interfaces, ignore network service profiles of more than two services, or do not necessarily capture actual causations. Such shortcomings result in high false detection rates of inferred dependencies. This paper presents the design and evaluation of an algorithm that utilizes the notion of Transfer Entropy (TE) to passively analyze and identify dependencies between various network services and applications. With TE, our algorithm formalizes and measures the amount of information exchanged between two entities (services or applications) in a computer network. By constructing time series of the interactions of such services and applications and computing the pairwise TE from such time series, our algorithm accurately infers dependencies based on causation with low false (positive and negative) alarms. Using collected network traffic from a test and production network, we demonstrate that the algorithm provides lower false alarms with efficient run time and computational requirements.
Transcribed from the public author-uploaded full text; only typography, discretionary hyphenation, and line-break artifacts were normalized. Local file fixity has not been recorded.
The paper studies how SSL certificate fields differ between popular legitimate domains and HTTPS-enabled phishing or typosquatting sites. It builds and validates a certificate-only classifier that detects fraudulent domains with high accuracy without relying on user data, making it complementary to other anti-fraud tools.
This is a concise editorial overview, not the paper's verbatim abstract.
This paper formally verifies parallel-execution and memory-access optimizations for an EasyCrypt implementation of Line-Point Zero-Knowledge. The verified optimizations produce roughly a 3,000-fold speedup and bring automatically extracted code close to the manually implemented version.
This is a concise editorial overview, not the paper's verbatim abstract.
This paper asks how consensus changes when some parties behave honestly but an adversary can selectively drop the messages they send, alongside ordinary Byzantine and receive faults. It gives expected-constant-round protocols with improved fault thresholds and shows why send corruption can be surprisingly close to full Byzantine power.
This is a concise editorial overview, not the paper's verbatim abstract.
Registration-based encryption removes identity-based encryption's key-escrow authority but originally had prohibitive concrete ciphertext costs. This work replaces Merkle trees with crit-bit trees and adjusts public parameters, reducing ciphertext size by 57.5 percent while also lowering decryption cost.
This is a concise editorial overview, not the paper's verbatim abstract.
This paper adapts QAOA to constrained optimization by starting near a classical greedy solution and using mixers that explore feasible nearby alternatives. Experiments on difficult knapsack instances show that the shallow quantum heuristics often outperform several classical heuristics.
This is a concise editorial overview, not the paper's verbatim abstract.
The paper studies fuzzy extractors that repeatedly derive stable cryptographic keys from noisy biometric readings without letting multiple public helper strings leak the biometric. It breaks the claimed reusability of an earlier LWE construction, repairs it for weak reuse, and gives both generic and direct strongly reusable constructions, including one without random oracles.
This is a concise editorial overview, not the paper's verbatim abstract.
The paper exposes a practical tradeoff in wireless network coding: larger link-key groups enable more packet overhearing and throughput, but make each key compromise more damaging. It formulates key assignment as an optimization problem and finds that adding one member to a key-sharing group can improve coding gain by 1.3 to 13.7 percent across tested topologies.
This is a concise editorial overview, not the paper's verbatim abstract.
This paper analyzes how link-layer encryption, used to hide traffic patterns even when end-to-end encryption is present, interacts with wireless network coding. Its model shows that link-layer encryption can sharply reduce achievable multicast capacity and exposes a security-throughput tradeoff for coded wireless networks.
This is a concise editorial overview, not the paper's verbatim abstract.
The paper turns a blacklist of malicious source addresses into a limited set of router filters while balancing attack blocking against collateral damage to legitimate hosts in aggregated prefixes. Its optimal, efficient algorithms cover static and changing blacklists and perform especially well when malicious addresses are clustered.
This is a concise editorial overview, not the paper's verbatim abstract.
The paper formulates how a victim gateway with too few packet filters should choose between blocking individual attackers and coarser source domains. It gives optimal dynamic-programming solutions for one- and two-tier filtering and evaluates heuristics that preserve more legitimate traffic under realistic DDoS scenarios.
This is a concise editorial overview, not the paper's verbatim abstract.
The problem of sub-carrier allocation in OFDMA systems has been the focus of recent research efforts. All papers to our knowledge consider the problem of allocating sub-carriers one frame ahead. In this paper, we propose an OFDMA scheme which utilizes future channel prediction to adaptively allocate sub-carriers to each user based on their predicted channel states several frames ahead. The results obtained show that this scheme guarantees the required rates in addition to a fair allocation of the available sub-carriers among users when compared to the traditional single frame case
Transcribed from the public author-uploaded full text; only typography, discretionary hyphenation, and line-break artifacts were normalized. The source abstract has no final punctuation, which is retained. Local file fixity has not been recorded.
Public manuscript not found; this work is listed as ongoing.
Overview
Plain-language editorial overview
Based on its working title, this project studies point-function obfuscation that remains non-malleable against quantum-capable attackers. It asks how a concrete post-quantum construction can reproduce useful random-oracle behavior without letting an adversary transform an obfuscated program into a related one.
This is a concise editorial overview, not the paper's verbatim abstract.
This paper represents concurrent group-key evolution as a lattice, making forward secrecy and post-compromise security directional versions of one abstraction without relying on global epochs. Its dynamic-group protocol supports concurrent updates with constant payload overhead and linear update cost.
This is a concise editorial overview, not the paper's verbatim abstract.
This paper models traffic-analysis attackers who can observe only part of a mix network, rather than assuming an unrealistic view of every communication. It combines Bayesian inference with Metropolis-Hastings sampling to study what different partially informed adversaries can still learn.
This is a concise editorial overview, not the paper's verbatim abstract.
This paper constructs authenticated key exchange whose protocol traffic remains indistinguishable from random communication even when many sessions run concurrently. It supplies a composable security model, minimal message complexity, substantially lower bandwidth than prior constructions, and a proof-of-concept implementation.
This is a concise editorial overview, not the paper's verbatim abstract.
The interplay between cryptography and access control has been widely investigated in the literature. On the bright side, attribute-based encryption (ABE) has appeared as a major cryptographic tool going beyond the all-or-nothing approach of public-key encryption by supporting fine-grained access control for encrypted data. Unfortunately, the deployment and adoption of ABE have been slow, and few commercial widely-used products use it to date. In particular, selective and fine-grained control over what is shared, and with whom, is absent from common data products and formats, such as those generated by commercial products (Microsoft Word documents, Excel spreadsheets, PowerPoint slides, and so on). This lack of selective and fine-grained control results in users simply not sharing. This major usability shortcoming impacts defense and military coalition operations, as well as commercial settings, such as life sciences, healthcare, and the financial sectors. This paper addresses this identified usability problem head-on by proposing a cryptographically-enforced selective access control in Microsoft Office products and similar platforms. We focus on Excel as an illustrative use-case, but note that our work is applicable to (and is implemented for) other Microsoft products such as Word, PowerPoint, and Outlook. Using the JavaScript API for Microsoft Office, we designed and developed simple add-ins that enable cell encryption according to a policy, and requires a key that embeds attributes satisfying the policy in order to decrypt. Our performance evaluation not only shows that cryptographic-based selective sharing of information in widely-deployed and widely-used commercial authoring and collaboration platforms is possible, but also efficient.
Transcribed from the checked-in published PDF; only typography, discretionary hyphenation, and line-break artifacts were normalized. The distinct extended-version PDF has a materially revised abstract and is not used here.
Recent years have witnessed an increasing demand for biometrics based identification, authentication and access control (BIA) systems, which offer convenience, ease of use, and (in some cases) improved security. In contrast to other methods, such as passwords or pins, BIA systems face new unique challenges; chiefly among them is ensuring long-term confidentiality of biometric data stored in backends, as such data has to be secured for the lifetime of an individual. Cryptographic approaches such as Fuzzy Extractors (FE) and Fuzzy Vaults (FV) have been developed to address this challenge. FE/FV do not require storing any biometric data in backends, and instead generate and store helper data that enables BIA when a new biometric reading is supplied. Security of FE/FV ensures that an adversary obtaining such helper data cannot (efficiently) learn the biometric. Relying on such cryptographic approaches raises the following question: what happens when helper data is lost or destroyed (e.g., due to a failure, or malicious activity), or when new helper data has to be generated (e.g., in response to a breach or to update the system)? Requiring a large number of users to physically re-enroll is impractical, and the literature falls short of addressing this problem. In this paper we develop SNUSE, a secure computation based approach for non-interactive re-enrollment of a large number of users in BIA systems. We prototype SNUSE to illustrate its feasibility, and evaluate its performance and accuracy on two biometric modalities, fingerprints and iris scans. Our results show that thousands of users can be securely re-enrolled in seconds without affecting the accuracy of the system.
Transcribed from the checked-in full-text PDF; only typography, discretionary hyphenation, and line-break artifacts were normalized.
This conference paper introduces SNUSE, which uses secret sharing and MPC to regenerate biometric helper data without requiring users to appear and enroll again. Fingerprint and iris experiments show that large batches can be re-enrolled quickly while preserving authentication accuracy.
This is a concise editorial overview, not the paper's verbatim abstract.
The paper proposes privacy-preserving digital AppCoins as low-overhead micropayments that make abusive online behavior more expensive and reward cooperative behavior. It gives non-malleable, double-spending-resistant protocols and shows how email and onion routing could use them with practical commodity-hardware costs.
This is a concise editorial overview, not the paper's verbatim abstract.
Ensuring security and privacy of content in a mobile ad-hoc network (MANET) is a challenging problem, especially when that content is distributed over the network using some form of peer-to-peer dissemination scheme. Since cooperation among nodes is vital in MANETs, the capture or compromise of a single node not only exposes locally cached content, but also allows an adversary to interrogate the network with the authority of an insider, acquiring important information such as content access patterns, popularity and location. Previous work in MANETs has predominantly focused on providing solutions for security and anonymity of routing protocols, confidentiality, and key management. In this paper, we present protocols that provide the ability to securely and privately locate content for two common peer-to-peer dissemination operations: publish/subscribe (content PUSH), and direct query (content PULL).
Transcribed from the public author-uploaded full text; only typography, discretionary hyphenation, and line-break artifacts were normalized. Local file fixity has not been recorded.
This journal version of ALARM gives a comprehensive security, privacy, and performance analysis of location-based link-state routing for suspicious MANETs. Nodes use signed location announcements and group signatures to authenticate topology information while remaining anonymous and difficult to track, even against specified insider and outsider attacks.
This is a concise editorial overview, not the paper's verbatim abstract.
Mobile Ad-Hoc Networks (MANETs) are particularly useful and well-suited for critical scenarios, including military, law enforcement as well as emergency rescue and disaster recovery. When operating in hostile or suspicious settings, MANETs require communication security and privacy, especially, in underlying routing protocols. Unlike most networks, where communication is based on long-term identities (addresses), we argue that the location-centric communication paradigm is better-suited for privacy in suspicious MANETs. To this end, we construct an on-demand location-based anonymous MANET routing protocol (PRISM) that achieves privacy and security against both outsider and insider adversaries. We analyze the security, privacy and performance of PRISM and compare it to alternative techniques. Results show that PRISM is more efficient and offers better privacy than prior work.
Transcribed from the checked-in full-text PDF; only typography, discretionary hyphenation, and line-break artifacts were normalized.
Physical-layer identification of wireless devices, commonly referred to as Radio Frequency (RF) fingerprinting, is the process of identifying a device based on transmission imperfections exhibited by its radio transceiver. It can be used to improve access control in wireless networks, prevent device cloning and complement message authentication protocols. This paper studies the feasibility of performing impersonation attacks on the modulation-based and transient-based fingerprinting techniques. Both techniques are vulnerable to impersonation attacks; however, transient-based techniques are more difficult to reproduce due to the effects of the wireless channel and antenna in their recording process. We assess the feasibility of performing impersonation attacks by extensive measurements as well as simulations using collected data from wireless devices. We discuss the implications of our findings and how they affect current device identification techniques and related applications.
Transcribed from the checked-in full-text PDF; only typography, discretionary hyphenation, and line-break artifacts were normalized.
The paper addresses key establishment in delay-tolerant networks, where intermittent contact makes credential lookup and multi-round handshakes impractical. Its schemes derive secure messaging relationships from social affiliations or shared contacts so users can protect messages despite long delays and sparse connectivity.
This is a concise editorial overview, not the paper's verbatim abstract.
PRISM is an on-demand, location-based routing protocol for suspicious MANETs in which nodes can communicate without exposing long-term identities or movement histories. Its design is analyzed against insider and outsider adversaries and is reported to provide stronger privacy with lower overhead than prior approaches.
This is a concise editorial overview, not the paper's verbatim abstract.
ALARM uses current locations rather than persistent node identities to build an authenticated map and route through a suspicious mobile ad hoc network. Group signatures and one-time pseudonyms provide origin authentication and location integrity while preserving node anonymity and resistance to tracking.
This is a concise editorial overview, not the paper's verbatim abstract.
PEUC-WiN combats location tracking caused by persistent wireless-interface identifiers by having users under the same access point cooperate. The design seeks to improve location privacy without the long silent periods, dropped sessions, and throughput disruption imposed by earlier identifier-changing approaches.
This is a concise editorial overview, not the paper's verbatim abstract.
An author-hosted manuscript PDF is available on this site; the work remains under review.
Abstract
Full paper abstract
Secure and anonymous messaging has many compelling use-cases and is becoming increasingly popular. In this paper, we consider it in the context of delay-and-disruption-prone networks, which are characterized by handicapped network access, disrupted operation, censorship, and intermittent network outages. With such settings in mind, we define and design a Private Identity-Based Bulletin Board (PIB³) scheme, which allows users to anonymously post and retrieve messages to and from a distributed database, and supports communication between users without pre-established setup or pre-exchanged keys. Anyone can encrypt a message for an identity and public epoch, such that only the party with the decryption key for that identity can identify, retrieve, and decrypt the message. Against one corrupted non-colluding PIB³ server, the server learns neither the recipient identity nor the retrieved record indices beyond the leakage explicitly modeled by the scheme: the public epoch, the database size, and the number of retrievals made by the receiver. If retrieval-count privacy is required, retrievals can be padded to a fixed bound. The multi-server construction extends this guarantee to larger server sets, and gives coalition privacy whenever the underlying multi-server PIR scheme is private against the corresponding coalition. Contributions of this work are: (1) formally defining functionality and security requirements for PIB³-s, (2) defining and constructing a Hierarchical Identity-Based Encryption (HIBE) scheme with searchable ciphertexts, which serves as a building block for the proposed PIB³ scheme and may be of independet interest, (3) designing an efficient PIB³ scheme that can be realized with n ≥ 2 servers based on the HIBE scheme with searchable ciphertexts combined with additional primitives, and (4) implementing a functional PIB³ prototype which demonstrates practicality of the entire concept and allows us to assess its performance empirically.
Transcribed from the checked-in author manuscript; mathematical notation was normalized to plain Unicode, and only typography, discretionary hyphenation, and line-break artifacts were otherwise normalized. The source typo 'independet' is retained.
Public manuscript not found; this work is listed as ongoing.
Overview
Plain-language editorial overview
Based on its working title, PRISM combines secure multiparty computation with an anonymous messaging overlay designed to tolerate compromised infrastructure. Its goal is to protect communication privacy and keep the service resilient even when some participating components are penetrated.
This is a concise editorial overview, not the paper's verbatim abstract.
This paper uses entangled qubits for distance bounding and presents a protocol that lets two parties bound their distance mutually in one execution. The constructions resist attacks affecting earlier one-way quantum protocols and remove a final prover-to-verifier communication step.
This is a concise editorial overview, not the paper's verbatim abstract.
This paper presents ALICE, a toolchain that locates weak cryptographic primitives in binaries and replaces them without requiring source code or debugging symbols. Experiments show that it can replace insecure hash functions in real programs while preserving behavior and adding little runtime overhead.
This is a concise editorial overview, not the paper's verbatim abstract.
Modern society is increasingly surrounded by, and is growing accustomed to, a wide range of Cyber-Physical Systems (CPS), Internet-of-Things (IoT), and smart devices. They often perform safety-critical functions, e.g., personal medical devices, automotive CPS as well as industrial and residential automation, e.g., sensor-alarm combinations. On the lower end of the scale, these devices are small, cheap and specialized sensors and/or actuators. They tend to host small anemic CPUs, have small amounts of memory and run simple software. If such devices are left unprotected, consequences of forged sensor readings or ignored actuation commands can be catastrophic, particularly, in safety-critical settings. This prompts the following three questions: (1) How to trust data produced, or verify that commands were performed, by a simple remote embedded device?, (2) How to bind these actions/results to the execution of expected software? and, (3) Can (1) and (2) be attained even if all software on a device can be modified and/or compromised? In this paper we answer these questions by designing, demonstrating security of, and formally verifying, APEX: an Architecture for Provable Execution. To the best of our knowledge, this is the first of its kind result for low-end embedded systems. Our work has a range of applications, especially, authenticated sensing and trustworthy actuation, which are increasingly relevant in the context of safety-critical systems. APEX is publicly available and our evaluation shows that it incurs low overhead, affordable even for very low-end embedded devices, e.g., those based on TI MSP430 or AVR ATmega processors.
Transcribed from the checked-in full-text PDF; only typography, discretionary hyphenation, and line-break artifacts were normalized. Unusual source punctuation in the three numbered questions is preserved.
Remote Attestation (RA) is a security service that enables a trusted verifier (Vrf) to measure current memory state of an untrusted remote prover (Prv). If correctly implemented, RA allows Vrf to remotely detect if Prv’s memory reflects a compromised state. However, RA by itself offers no means of remedying the situation once Prv is determined to be compromised. In this work we show how a secure RA architecture can be extended to enable important and useful security services for low-end embedded devices. In particular, we extend the formally verified RA architecture, VRASED, to implement provably secure software update, erasure, and system-wide resets. When (serially) composed, these features guarantee to Vrf that a remote Prv has been updated to a functional and malware-free state, and was properly initialized after such process. These services are provably secure against an adversary (represented by malware) that compromises Prv and exerts full control of its software state. Our results demonstrate that such services incur minimal additional overhead (0.4% extra hardware footprint, and 100-s milliseconds to generate combined proofs of update, erasure, and reset), making them practical even for the lowest-end embedded devices, e.g., those based on MSP430 or AVR ATMega micro-controller units (MCUs). All changes introduced by our new services to VRASED trusted components are also formally verified.
Transcribed from the checked-in full-text PDF; calligraphic verifier/prover symbols were normalized to Vrf and Prv, and only typography, discretionary hyphenation, and line-break artifacts were otherwise normalized.
Remote Attestation (RA) of embedded/smart/IoT devices is a very important issue on today’s security landscape. RA enables a verifier to measures the current internal memory state of an untrusted remote device (prover). RA helps the verifier establish a static or dynamic root of trust in prover. Despite much prior work, state-of-the-art RA techniques unfortunately still lack any solid foundation and offer no ironclad security, safety or robustness guarantees. This paper argues that computer-aided formal verification, and synthesis of executables, of RA protocols and hybrid (software-hardware) architectures is required and currently unaddressed. We believe that this is achievable with current (computer-aided) formal methods frameworks and tools, and that this can help advance and mature RA research if used to establish more rigorous and clear security arguments. To support our opinion, we highlight several examples where subtle issues were missed in the design and security analysis of RA techniques. Despite deceptive simplicity of such protocols, manual analyses and ad hoc implementations often lead to over-simplification of (and subsequent glossing over) important details in the underlying processor and system architectures. Computer-aided formal verification forces a more scrupulous and disciplined consideration of such details, since, otherwise, verification simply fails. The key objective of the research direction we propose is to increase confidence in correctness and security guarantees of current and future RA techniques and their implementations.
Transcribed from the checked-in full-text PDF; only typography, discretionary hyphenation, and line-break artifacts were normalized.
We conducted a longitudinal study to analyze the misuse of Bitcoin. We first investigated usage characteristics of Bitcoin by analyzing how many addresses each address transacts with (from January 2009 to May 2018). To obtain a quantitative estimate of the malicious activity that Bitcoin is associated with, we collected over 2.3 million candidate Bitcoin addresses, harvested from the dark web between June 2016 and December 2017. The Bitcoin addresses found on the dark web were labeled with tags that classified the activities associated with the onions that these addresses were collected from. The tags covered a wide range of activities, from suspicious to outright malicious or illegal. Of these addresses, only 47,697 have tags we consider indicative of suspicious or malicious activities. We saw a clear decline in the monthly number of Bitcoin addresses seen on the dark web in the periods coinciding with takedowns of known dark web markets. We also found interesting behavior that distinguishes the Bitcoin addresses collected from the dark web when compared to activity of a random address on the Bitcoin blockchain. For example, we found that Bitcoin addresses used on the dark web are more likely to be involved in mixing transactions. To identify mixing transactions, we developed a new heuristic that extends previously known ones. We found that Bitcoin addresses found on the dark web are significantly more active, they engage in transactions with 20 times the neighbors and 4 times the Bitcoin amounts when compared to random addresses. We also found that just 2,828 Bitcoin addresses are responsible for 99% of the Bitcoin value used on the dark web.
Transcribed from the checked-in full-text PDF; only typography, paragraph joining, discretionary hyphenation, and line-break artifacts were normalized.
Remote Attestation (RA) is a distinct security service that allows a trusted verifier (Vrf) to measure the software state of an untrusted remote prover (Prv). If correctly implemented, RA allows Vrf to remotely detect if Prv is in an illegal or compromised state. Although several RA approaches have been explored (including hardware-based, software-based, and hybrid) and many concrete methods have been proposed, comparatively little attention has been devoted to formal verification. In particular, thus far, no RA designs and no implementations have been formally verified with respect to claimed security properties. In this work, we take the first step towards formal verification of RA by designing and verifying an architecture called VRASED: Verifiable Remote Attestation for Simple Embedded Devices. VRASED instantiates a hybrid (HW/SW) RA co-design aimed at low-end embedded systems, e.g., simple IoT devices. VRASED provides a level of security comparable to HW-based approaches, while relying on SW to minimize additional HW costs. Since security properties must be jointly guaranteed by HW and SW, verification is a challenging task, which has never been attempted before in the context of RA. We believe that VRASED is the first formally verified RA scheme. To the best of our knowledge, it is also the first formal verification of a HW/SW co-design implementation of any security service. To demonstrate VRASED’s practicality and low overhead, we instantiate and evaluate it on a commodity platform (TI MSP430). VRASED was deployed using the Basys3 Artix-7 FPGA and its implementation is publicly available.
Transcribed from the checked-in full-text PDF; calligraphic verifier/prover symbols were normalized to Vrf and Prv, and only typography, discretionary hyphenation, and line-break artifacts were otherwise normalized.
Public full text not located; the link is a publisher bibliographic listing.
Overview
Plain-language editorial overview
Based on the title and bibliographic context, this article appears to survey risks created by enterprise use of mobile devices and map them to available defenses. No public full text was available to verify a more detailed description of its recommendations.
This is a concise editorial overview, not the paper's verbatim abstract.
While the cyber insurance market has been growing significantly in recent years, its insurance providers face several challenges: first, there is a lack of standardized frameworks to rate “cyber”; second, there’s a shortage of relevant data to calculate premiums; and third, security postures of insured organizations constantly change. Unlike other types of insurance, cyber insurance requires creating a continuous feedback loop between customers and insurers. In this article, we introduce BlockCIS, a blockchain-based continuous monitoring and processing system for cyber insurance. BlockCIS aims to realize an automated, real-time, and immutable feedback loop between the insurer, its customer, third parties and potential auditors. As an example instantiation, we prototype BlockCIS using the open source Hyperledger blockchain framework.
Transcribed from the public author-uploaded full text; only typography, discretionary hyphenation, and line-break artifacts were normalized. Local file fixity has not been recorded.
This paper formalizes the requirement that an interruptible integrity computation correspond to an input state that actually existed at some point in time. It demonstrates attacks caused by inconsistent inputs and evaluates several enforcement mechanisms on commodity embedded platforms.
This is a concise editorial overview, not the paper's verbatim abstract.
This paper examines the conflict between atomic remote-attestation scans and devices that must remain available for safety-critical work. It analyzes transient and relocating malware and explores periodic measurement, shuffled traversal, interruptible attestation, and memory-locking mitigations.
This is a concise editorial overview, not the paper's verbatim abstract.
The paper brings remote attestation from one embedded device to a mobile swarm by defining Quality of Swarm Attestation, a metric for how much integrity information a protocol reveals. It then designs two lightweight LISA protocols with different assurance and cost tradeoffs, analyzes their security, and validates them with prototypes and experiments.
This is a concise editorial overview, not the paper's verbatim abstract.
Attacking cloud-enabled storage is becoming increasingly lucrative as more personal and enterprise data moves to the cloud. Traditional security mechanisms temporarily limit such attacks, but over a long period of time attackers will eventually find vulnerabilities; this can lead to compromising large amounts of valuable data and lead to large-scale privacy breaches. This paper addresses this problem by incorporating proactive security guarantees into cloud-enabled storage. Proactive security deals with an adversary’s ability to eventually compromise all involved servers in a distributed storage or computation system. While there are several proactively secure secret sharing protocols that can be used to improve confidentiality of data stored in the cloud, their high overhead has traditionally limited them to less than ten parties and to only 100s of bytes typical for cryptographic keys. Realizing proactively secure cloud storage for larger data (e.g, MBs) requires careful design and calibration of system parameters, and faces several challenges. In this paper we design, implement and assess performance of the first system for Proactively Secure Cloud-Enabled Storage (PiSCES) of data larger than cryptographic keys. Based on our practical performance results we advocate that the high level of resilience and long-term security and confidentiality guarantees enabled by proactive security should be considered in future distributed and cloud-based storage and computing services.
Transcribed from the public author-uploaded full text; only typography, discretionary hyphenation, and line-break artifacts were normalized. Source forms such as '100s of bytes' and '(e.g, MBs)' are retained. Local file fixity has not been recorded.
HYDRA is the first hybrid remote-attestation design to use the formally verified seL4 microkernel for memory isolation, protection, and access control instead of extensive custom hardware. Implementations on commodity boards show the approach is practical, attesting 10 MB of memory in under 250 ms with the fastest tested checksum.
This is a concise editorial overview, not the paper's verbatim abstract.
This experience paper presents the HYDRA design and reports the engineering lessons involved in combining remote attestation with the formally verified seL4 microkernel. Its commodity-board prototype attests 10 MB in under 500 ms and highlights practical issues such as secure boot, trustworthy time, and cryptographic checksum selection.
This is a concise editorial overview, not the paper's verbatim abstract.
The paper replaces the single vulnerable SDN controller with replicated controllers that use Byzantine fault-tolerant state-machine replication to survive malicious behavior in both the control and data planes. Its prototype tolerates one compromised component among four replicas and demonstrates feasibility with roughly a twofold slowdown in the best configuration.
This is a concise editorial overview, not the paper's verbatim abstract.
This extended abstract argues that remote attestation should move from checking one embedded device to checking the many heterogeneous components of a cyber-physical system, using a modern vehicle as the motivating case. It outlines how multiple device attestations could be combined efficiently and identifies open problems for automotive and broader CPS deployments.
This is a concise editorial overview, not the paper's verbatim abstract.
This paper proposes an architecture for a resilient cloud computing infrastructure that provably maintains cloud functionality against persistent successful corruptions of cloud nodes. The architecture is composed of a self-healing software mechanism for the entire cloud, as well as hardware-assisted regeneration of compromised (or faulty) nodes from a pristine state. Such an architecture aims to secure critical distributed cloud computations well beyond the current state of the art by tolerating, in a seamless fashion, a continuous rate of successful corruptions up to certain corruption rate limit, e.g., 30% of all cloud nodes may be corrupted within a tunable window of time. The proposed architecture achieves these properties based on a principled separation of distributed task supervision from the computation of user-defined jobs. The task supervision and enduser communication are performed by a new software mechanism called the Control Operations Plane (COP), which builds a trustworthy and resilient, self-healing cloud computing infrastructure out of the underlying untrustworthy and faulty hosts. The COP leverages provably-secure cryptographic protocols that are efficient and robust in the presence of many corrupted participants — such a cloud regularly and unobtrusively refreshes itself by restoring COP nodes from a pristine state at regular intervals.
Transcribed from the public author-uploaded full text; only typography, discretionary hyphenation, and line-break artifacts were normalized. Source wording such as 'enduser' is retained. Local file fixity has not been recorded.
SMART is a minimal hardware-software architecture that lets a remote party establish a dynamic root of trust and run isolated code on low-end microcontrollers. AVR and MSP430 implementations show that only small changes to memory-access logic are needed, avoiding the cost of a separate security coprocessor while providing concrete security guarantees.
This is a concise editorial overview, not the paper's verbatim abstract.
Distance bounding (DB) protocols allow one entity, the verifier, to securely obtain an upper-bound on the distance to another entity, the prover. Thus far, DB was considered mostly in the context of a single prover and a single verifier. There has been no substantial prior work on secure DB in group settings, where a set of provers interact with a set of verifiers. The need for group distance bounding (GDB) is motivated by many practical scenarios, including: group device pairing, location-based access control and secure distributed localization. This paper addresses, for the first time, one-way GDB protocols by utilizing a new passive DB primitive. We show how passive DB can be used to construct secure and efficient GDB protocols for various one-way GDB settings. We analyze the security and performance of proposed protocols and compare them with existing DB techniques extended to group settings.
Transcribed from the checked-in short-paper PDF; only typography, discretionary hyphenation, and line-break artifacts were normalized.
This paper outlines a framework in which a stranded user's personal-area network buys or barters connectivity through a nearby user's devices under short-term service contracts. It identifies policy, authentication, privacy, accounting, and incentive requirements for making such resource sharing secure and worthwhile.
This is a concise editorial overview, not the paper's verbatim abstract.
BotTorrent shows how an attacker can manipulate BitTorrent metadata and trackers so large numbers of legitimate clients send traffic to an arbitrary victim. Real-world experiments characterize the resulting DDoS traffic and motivate protocol checks that limit this abuse, while noting the broader danger of redirecting legitimate peer-to-peer traffic.
This is a concise editorial overview, not the paper's verbatim abstract.
The paper proposes a local coordination framework that lets non-adjacent layers of a wireless protocol stack exchange events and state through a cross-layer server while keeping each layer modular. It organizes adaptation logic, signaling, and shared parameters so new cross-layer schemes can be added systematically without redesigning the stack.
This is a concise editorial overview, not the paper's verbatim abstract.