arXiv daily

Cryptography and Security (cs.CR)

Mon, 15 May 2023

Other arXiv digests in this category:Thu, 14 Sep 2023; Wed, 13 Sep 2023; Tue, 12 Sep 2023; Mon, 11 Sep 2023; Fri, 08 Sep 2023; Tue, 05 Sep 2023; Fri, 01 Sep 2023; Thu, 31 Aug 2023; Wed, 30 Aug 2023; Tue, 29 Aug 2023; Mon, 28 Aug 2023; Fri, 25 Aug 2023; Thu, 24 Aug 2023; Wed, 23 Aug 2023; Tue, 22 Aug 2023; Mon, 21 Aug 2023; Fri, 18 Aug 2023; Thu, 17 Aug 2023; Wed, 16 Aug 2023; Tue, 15 Aug 2023; Mon, 14 Aug 2023; Fri, 11 Aug 2023; Thu, 10 Aug 2023; Wed, 09 Aug 2023; Tue, 08 Aug 2023; Mon, 07 Aug 2023; Fri, 04 Aug 2023; Thu, 03 Aug 2023; Wed, 02 Aug 2023; Tue, 01 Aug 2023; Mon, 31 Jul 2023; Fri, 28 Jul 2023; Thu, 27 Jul 2023; Wed, 26 Jul 2023; Tue, 25 Jul 2023; Mon, 24 Jul 2023; Fri, 21 Jul 2023; Thu, 20 Jul 2023; Wed, 19 Jul 2023; Tue, 18 Jul 2023; Mon, 17 Jul 2023; Fri, 14 Jul 2023; Thu, 13 Jul 2023; Wed, 12 Jul 2023; Tue, 11 Jul 2023; Mon, 10 Jul 2023; Fri, 07 Jul 2023; Thu, 06 Jul 2023; Wed, 05 Jul 2023; Tue, 04 Jul 2023; Mon, 03 Jul 2023; Fri, 30 Jun 2023; Thu, 29 Jun 2023; Wed, 28 Jun 2023; Tue, 27 Jun 2023; Mon, 26 Jun 2023; Fri, 23 Jun 2023; Thu, 22 Jun 2023; Wed, 21 Jun 2023; Tue, 20 Jun 2023; Fri, 16 Jun 2023; Thu, 15 Jun 2023; Tue, 13 Jun 2023; Mon, 12 Jun 2023; Fri, 09 Jun 2023; Thu, 08 Jun 2023; Wed, 07 Jun 2023; Tue, 06 Jun 2023; Mon, 05 Jun 2023; Fri, 02 Jun 2023; Thu, 01 Jun 2023; Wed, 31 May 2023; Tue, 30 May 2023; Mon, 29 May 2023; Fri, 26 May 2023; Thu, 25 May 2023; Wed, 24 May 2023; Tue, 23 May 2023; Mon, 22 May 2023; Fri, 19 May 2023; Thu, 18 May 2023; Wed, 17 May 2023; Tue, 16 May 2023; Fri, 12 May 2023; Thu, 11 May 2023; Wed, 10 May 2023; Tue, 09 May 2023; Mon, 08 May 2023; Fri, 05 May 2023; Thu, 04 May 2023; Wed, 03 May 2023; Tue, 02 May 2023; Mon, 01 May 2023; Fri, 28 Apr 2023; Thu, 27 Apr 2023; Wed, 26 Apr 2023; Tue, 25 Apr 2023; Mon, 24 Apr 2023; Fri, 21 Apr 2023; Thu, 20 Apr 2023; Wed, 19 Apr 2023; Tue, 18 Apr 2023; Mon, 17 Apr 2023; Fri, 14 Apr 2023; Thu, 13 Apr 2023; Wed, 12 Apr 2023; Tue, 11 Apr 2023; Mon, 10 Apr 2023
1.Quadratic Functional Encryption for Secure Training in Vertical Federated Learning

Authors:Shuangyi Chen, Anuja Modi, Shweta Agrawal, Ashish Khisti

Abstract: Vertical federated learning (VFL) enables the collaborative training of machine learning (ML) models in settings where the data is distributed amongst multiple parties who wish to protect the privacy of their individual data. Notably, in VFL, the labels are available to a single party and the complete feature set is formed only when data from all parties is combined. Recently, Xu et al. proposed a new framework called FedV for secure gradient computation for VFL using multi-input functional encryption. In this work, we explain how some of the information leakage in Xu et al. can be avoided by using Quadratic functional encryption when training generalized linear models for vertical federated learning.

2.Privacy-preserving Blockchain-enabled Parametric Insurance via Remote Sensing and IoT

Authors:Mingyu Hao, Keyang Qian, Sid Chi-Kin Chau

Abstract: Traditional Insurance, a popular approach of financial risk management, has suffered from the issues of high operational costs, opaqueness, inefficiency and a lack of trust. Recently, blockchain-enabled "parametric insurance" through authorized data sources (e.g., remote sensing and IoT) aims to overcome these issues by automating the underwriting and claim processes of insurance policies on a blockchain. However, the openness of blockchain platforms raises a concern of user privacy, as the private user data in insurance claims on a blockchain may be exposed to outsiders. In this paper, we propose a privacy-preserving parametric insurance framework based on succinct zero-knowledge proofs (zk-SNARKs), whereby an insuree submits a zero-knowledge proof (without revealing any private data) for the validity of an insurance claim and the authenticity of its data sources to a blockchain for transparent verification. Moreover, we extend the recent zk-SNARKs to support robust privacy protection for multiple heterogeneous data sources and improve its efficiency to cut the incurred gas cost by 80%. As a proof-of-concept, we implemented a working prototype of bushfire parametric insurance on real-world blockchain platform Ethereum, and present extensive empirical evaluations.

3.Trustchain - Trustworthy Decentralised Public Key Infrastructure for Digital Credentials

Authors:Tim Hobson, Lydia France, Sam Greenbury, Luke Hare, Pamela Wochner

Abstract: The sharing of public key information is central to the digital credential security model, but the existing Web PKI with its opaque Certification Authorities and synthetic attestations serves a very different purpose. We propose a new approach to decentralised public key infrastructure, designed for digital identity, in which connections between legal entities that are represented digitally correspond to genuine, pre-existing relationships between recognisable institutions. In this scenario, users can judge for themselves the level of trust they are willing to place in a given chain of attestations. Our proposal includes a novel mechanism for establishing a root of trust in a decentralised setting via independently-verifiable timestamping. We also present a reference implementation built on open networks, protocols and standards. The system has minimal setup costs and is freely available for any community to adopt as a digital public good.

4.ESAFL: Efficient Secure Additively Homomorphic Encryption for Cross-Silo Federated Learning

Authors:Jiahui Wu, Weizhe Zhang, Fucai Luo

Abstract: Cross-silo federated learning (FL) enables multiple clients to collaboratively train a machine learning model without sharing training data, but privacy in FL remains a major challenge. Techniques using homomorphic encryption (HE) have been designed to solve this but bring their own challenges. Many techniques using single-key HE (SKHE) require clients to fully trust each other to prevent privacy disclosure between clients. However, fully trusted clients are hard to ensure in practice. Other techniques using multi-key HE (MKHE) aim to protect privacy from untrusted clients but lead to the disclosure of training results in public channels by untrusted third parties, e.g., the public cloud server. Besides, MKHE has higher computation and communication complexity compared with SKHE. We present a new FL protocol ESAFL that leverages a novel efficient and secure additively HE (ESHE) based on the hard problem of ring learning with errors. ESAFL can ensure the security of training data between untrusted clients and protect the training results against untrusted third parties. In addition, theoretical analyses present that ESAFL outperforms current techniques using MKHE in computation and communication, and intensive experiments show that ESAFL achieves approximate 204 times-953 times and 11 times-14 times training speedup while reducing the communication burden by 77 times-109 times and 1.25 times-2 times compared with the state-of-the-art FL models using SKHE.

5.European 5G Security in the Wild: Reality versus Expectations

Authors:Oscar Lasierra, Gines Garcia-Aviles, Esteban Municio, Antonio Skarmeta, Xavier Costa-Pérez

Abstract: 5G cellular systems are slowly being deployed worldwide delivering the promised unprecedented levels of throughput and latency to hundreds of millions of users. At such scale security is crucial, and consequently, the 5G standard includes a new series of features to improve the security of its predecessors (i.e., 3G and 4G). In this work, we evaluate the actual deployment in practice of the promised 5G security features by analysing current commercial 5G networks from several European operators. By collecting 5G signalling traffic in the wild in several cities in Spain, we i) fact-check which 5G security enhancements are actually implemented in current deployments, ii) provide a rich overview of the implementation status of each 5G security feature in a wide range of 5G commercial networks in Europe and compare it with previous results in China, iii) analyse the implications of optional features not being deployed, and iv) discuss on the still remaining 4G-inherited vulnerabilities. Our results show that in European 5G commercial networks, the deployment of the 5G security features is still on the works. This is well aligned with results previously reported from China [16] and keeps these networks vulnerable to some 4G attacks, during their migration period from 4G to 5G.

6.BRF: eBPF Runtime Fuzzer

Authors:Hsin-Wei Hung, Ardalan Amiri Sani

Abstract: The eBPF technology in the Linux kernel has been widely adopted for different applications, such as networking, tracing, and security, thanks to the programmability it provides. By allowing user-supplied eBPF programs to be executed directly in the kernel, it greatly increases the flexibility and efficiency of deploying customized logic. However, eBPF also introduces a new and wide attack surface: malicious eBPF programs may try to exploit the vulnerabilities in the eBPF subsystem in the kernel. Fuzzing is a promising technique to find such vulnerabilities. Unfortunately, our experiments with the state-of-the-art kernel fuzzer, Syzkaller, shows that it cannot effectively fuzz the eBPF runtime, those components that are in charge of executing an eBPF program, for two reasons. First, the eBPF verifier (which is tasked with verifying the safety of eBPF programs) rejects many fuzzing inputs because (1) they do not comply with its required semantics or (2) they miss some dependencies, i.e., other syscalls that need to be issued before the program is loaded. Second, Syzkaller fails to attach and trigger the execution of eBPF programs most of the times. This paper introduces the BPF Runtime Fuzzer (BRF), a fuzzer that can satisfy the semantics and dependencies required by the verifier and the eBPF subsystem. Our experiments show, in 48-hour fuzzing sessions, BRF can successfully execute 8x more eBPF programs compared to Syzkaller. Moreover, eBPF programs generated by BRF are much more expressive than Syzkaller's. As a result, BRF achieves 101% higher code coverage. Finally, BRF has so far managed to find 4 vulnerabilities (some of them have been assigned CVE numbers) in the eBPF runtime, proving its effectiveness.