Cryptography and Security (cs.CR)

Abstract: Ensuring the confidentiality and privacy of sensitive information in cloud computing and outsourced databases is crucial. Homomorphic encryption (HE) offers a solution by enabling computations on encrypted data without decryption, allowing secure outsourcing while maintaining data confidentiality. However, HE faces performance challenges in query-intensive databases. To address this, we propose two novel optimizations, Silca and SilcaZ, tailored to outsourced databases in cloud computing. Silca utilizes a singular caching technique to reduce computational overhead, while SilcaZ leverages modular arithmetic operations to ensure the applicability of singular caching for intensive HE operations. We prove the semantic security of Silca and SilcaZ and implement them with CKKS and BGV in HElib as MySQL loadable functions. Extensive experiments with seven real-world datasets demonstrate their superior performance compared to existing HE schemes, bridging the gap between theoretical advancements and practical applications in applying HE schemes on outsourced databases in cloud computing.

Abstract: Short Message Service (SMS) is a popular channel for online service providers to verify accounts and authenticate users registered to a particular service. Specialized applications, called Public SMS Gateways (PSGs), offer free Disposable Phone Numbers (DPNs) that can be used to receive SMS messages. DPNs allow users to protect their privacy when creating online accounts. However, they can also be abused for fraudulent activities and to bypass security mechanisms like Two-Factor Authentication (2FA). In this paper, we perform a large-scale and longitudinal study of the DPN ecosystem by monitoring 17,141 unique DPNs in 29 PSGs over the course of 12 months. Using a dataset of over 70M messages, we provide an overview of the ecosystem and study the different services that offer DPNs and their relationships. Next, we build a framework that (i) identifies and classifies the purpose of an SMS; and (ii) accurately attributes every message to more than 200 popular Internet services that require SMS for creating registered accounts. Our results indicate that the DPN ecosystem is globally used to support fraudulent account creation and access, and that this issue is ubiquitous and affects all major Internet platforms and specialized online services.

Abstract: Gaussian process regression (GPR) is a non-parametric model that has been used in many real-world applications that involve sensitive personal data (e.g., healthcare, finance, etc.) from multiple data owners. To fully and securely exploit the value of different data sources, this paper proposes a privacy-preserving GPR method based on secret sharing (SS), a secure multi-party computation (SMPC) technique. In contrast to existing studies that protect the data privacy of GPR via homomorphic encryption, differential privacy, or federated learning, our proposed method is more practical and can be used to preserve the data privacy of both the model inputs and outputs for various data-sharing scenarios (e.g., horizontally/vertically-partitioned data). However, it is non-trivial to directly apply SS on the conventional GPR algorithm, as it includes some operations whose accuracy and/or efficiency have not been well-enhanced in the current SMPC protocol. To address this issue, we derive a new SS-based exponentiation operation through the idea of 'confusion-correction' and construct an SS-based matrix inversion algorithm based on Cholesky decomposition. More importantly, we theoretically analyze the communication cost and the security of the proposed SS-based operations. Empirical results show that our proposed method can achieve reasonable accuracy and efficiency under the premise of preserving data privacy.

Abstract: Intrusion Detection Systems (IDS) are a proven approach to secure networks. However, in a privately used network, it is difficult for users without cybersecurity expertise to understand IDS alerts, and to respond in time with adequate measures. This puts the security of home networks, smart home installations, home-office workers, etc. at risk, even if an IDS is correctly installed and configured. In this work, we propose ChatIDS, our approach to explain IDS alerts to non-experts by using large language models. We evaluate the feasibility of ChatIDS by using ChatGPT, and we identify open research issues with the help of interdisciplinary experts in artificial intelligence. Our results show that ChatIDS has the potential to increase network security by proposing meaningful security measures in an intuitive language from IDS alerts. Nevertheless, some potential issues in areas such as trust, privacy, ethics, etc. need to be resolved, before ChatIDS might be put into practice.

Abstract: While password managers are a vital tool for internet security, they can also create a massive central point of failure, as evidenced by several major recent data breaches. For over 20 years, deterministic password generators (DPGs) have been proposed, and largely rejected, as a viable alternative to password management tools. In this paper, we survey 45 existing DPGs to asses the main security, privacy, and usability issues hindering their adoption. We then present a new multi-factor deterministic password generator (MFDPG) design that aims to address these shortcomings. The result not only achieves strong, practical password management with zero credential storage, but also effectively serves as a progressive client-side upgrade of weak password-only websites to strong multi-factor authentication.

Abstract: We propose a novel solution combining supervised and unsupervised machine learning models for intrusion detection at kernel level in cloud containers. In particular, the proposed solution is built over an ensemble of random and isolation forests trained on sequences of system calls that are collected at the hosting machine's kernel level. The sequence of system calls are translated into a weighted and directed graph to obtain a compact description of the container behavior, which is given as input to the ensemble model. We executed a set of experiments in a controlled environment in order to test our solution against the two most common threats that have been identified in cloud containers, and our results show that we can achieve high detection rates and low false positives in the tested attacks.

Abstract: Post-quantum security is critical in the quantum era. Quantum computers, along with quantum algorithms, make the standard cryptography based on RSA or ECDSA over FL or Blockchain vulnerable. The implementation of post-quantum cryptography (PQC) over such systems is poorly understood as PQC is still in its standardization phase. In this work, we propose a hybrid approach to employ PQC over blockchain-based FL (BFL), where we combine a stateless signature scheme like Dilithium (or Falcon) with a stateful hash-based signature scheme like the extended Merkle Signature Scheme (XMSS). We propose a linearbased formulaic approach to device role selection mechanisms based on multiple factors to address the performance aspect. Our holistic approach of utilizing a verifiable random function (VRF) to assist in the blockchain consensus mechanism shows the practicality of the proposed approaches. The proposed method and extensive experimental results contribute to enhancing the security and performance aspects of BFL systems.

Abstract: Modern automotive functions are controlled by a large number of small computers called electronic control units (ECUs). These functions span from safety-critical autonomous driving to comfort and infotainment. ECUs communicate with one another over multiple internal networks using different technologies. Some, such as Controller Area Network (CAN), are very simple and provide minimal or no security services. Machine learning techniques can be used to detect anomalous activities in such networks. However, it is necessary that these machine learning techniques are not prone to adversarial attacks. In this paper, we investigate adversarial sample vulnerabilities in four different machine learning-based intrusion detection systems for automotive networks. We show that adversarial samples negatively impact three of the four studied solutions. Furthermore, we analyze transferability of adversarial samples between different systems. We also investigate detection performance and the attack success rate after using adversarial samples in the training. After analyzing these results, we discuss whether current solutions are mature enough for a use in modern vehicles.

Abstract: This white paper describes recent advances in Gboard(Google Keyboard)'s use of federated learning, DP-Follow-the-Regularized-Leader (DP-FTRL) algorithm, and secure aggregation techniques to train machine learning (ML) models for suggestion, prediction and correction intelligence from many users' typing data. Gboard's investment in those privacy technologies allows users' typing data to be processed locally on device, to be aggregated as early as possible, and to have strong anonymization and differential privacy where possible. Technical strategies and practices have been established to allow ML models to be trained and deployed with meaningfully formal DP guarantees and high utility. The paper also looks ahead to how technologies such as trusted execution environments may be used to further improve the privacy and security of Gboard's ML models.

Abstract: Blockchain, as the basis for cryptocurrencies, has received extensive attentions recently. Blockchain serves as an immutable distributed ledger technology which allows transactions to be carried out credibly in a decentralized environment. Blockchain-based applications are springing up, covering numerous fields including financial services, reputation system and Internet of Things (IoT), and so on. However, there are still many challenges of blockchain technology such as scalability, security and other issues waiting to be overcome. This article provides a comprehensive overview of blockchain technology and its applications. We begin with a summary of the development of blockchain, and then give an overview of the blockchain architecture and a systematic review of the research and application of blockchain technology in different fields from the perspective of academic research and industry technology. Furthermore, technical challenges and recent developments are also briefly listed. We also looked at the possible future trends of blockchain.

Abstract: We present Citadel, to our knowledge, the first side-channel-resistant enclave platform to run realistic secure programs on a speculative out-of-order multicore processor. First, we develop a new hardware mechanism to enable secure shared memory while defending against transient execution attacks. Then, we develop an efficient dynamic cache partitioning scheme, improving both enclaves' and unprotected processes' performance. We conduct an in-depth security analysis and a performance evaluation of our new mechanisms. Finally, we build the hardware and software infrastructure required to run our secure enclaves. Our multicore processor runs on an FPGA and boots untrusted Linux from which users can securely launch and interact with enclaves. We open-source our end-to-end hardware and software infrastructure, hoping to spark more research and bridge the gap between conceptual proposals and FPGA prototypes.