Computer Security – ESORICS 2013

  18th European Symposium on Research in Computer Security, Egham, UK, September 2013, Proceedings

  Jason Crampton, Sushil Jajodia, Keith Mayes (Eds.)

  LNCS 8134

Lecture Notes in Computer Science 8134

Commenced Publication in 1973

Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board

  David Hutchison, Lancaster University, UK
  Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
  Josef Kittler, University of Surrey, Guildford, UK
  Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
  Alfred Kobsa, University of California, Irvine, CA, USA
  Friedemann Mattern, ETH Zurich, Switzerland
  John C. Mitchell, Stanford University, CA, USA
  Moni Naor, Weizmann Institute of Science, Rehovot, Israel
  Oscar Nierstrasz, University of Bern, Switzerland
  C. Pandu Rangan, Indian Institute of Technology, Madras, India
  Bernhard Steffen, TU Dortmund University, Germany
  Madhu Sudan, Microsoft Research, Cambridge, MA, USA
  Demetri Terzopoulos, University of California, Los Angeles, CA, USA
  Doug Tygar, University of California, Berkeley, CA, USA
  Gerhard Weikum, Max Planck Institute for Informatics, Saarbruecken, Germany

Computer Security – ESORICS 2013

18th European Symposium on Research in Computer Security, Egham, UK, September 9-13, 2013, Proceedings

Volume Editors

  Jason Crampton
  Royal Holloway, University of London, Information Security Group
  Egham Hill, Egham, TW20 0EX, UK
  E-mail: jason.crampton@rhul.ac.uk

  Sushil Jajodia
  George Mason University, Center for Secure Information Systems
  4400 University Drive, Fairfax, VA 22030-4422, USA
  E-mail: jajodia@gmu.edu

  Keith Mayes
  Royal Holloway, University of London, Information Security Group
  Egham Hill, Egham, TW20 0EX, UK
  E-mail: keith.mayes@rhul.ac.uk

  ISSN 0302-9743   e-ISSN 1611-3349
  ISBN 978-3-642-40202-9   e-ISBN 978-3-642-40203-6
  DOI 10.1007/978-3-642-40203-6
  Springer Heidelberg Dordrecht London New York
  Library of Congress Control Number: 2013944563
  CR Subject Classification (1998): K.6.5, E.3, D.4.6, K.4.4, C.2.0, J.1, H.2.7
  LNCS Sublibrary: SL 4 – Security and Cryptology

  © Springer-Verlag Berlin Heidelberg 2013

  This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher’s location, in its current version, and permission for use must always be obtained from Springer. Permissions for use may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution under the respective Copyright Law.

  The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

  While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.

  

Preface

  This volume contains the papers selected for presentation at the 18th European Symposium on Research in Computer Security (ESORICS 2013), held during September 9–13, 2013, in Egham, UK.

  In response to the symposium’s call for papers, 242 papers were submitted to the conference from 38 countries. These papers were evaluated on the basis of their significance, novelty, technical quality, as well as on their practical impact and/or their level of advancement of the field’s foundations.

  The Program Committee’s work was carried out electronically, yielding intensive discussions over a period of a few weeks. Of the papers submitted, 43 were selected for presentation at the conference (resulting in an acceptance rate of 18%). We note that many top-quality submissions were not selected for presentation because of the high technical level of the overall submissions, and we are certain that many of these submissions will, nevertheless, be published at other competitive forums in the future.

  An event like ESORICS 2013 depends on the volunteering efforts of a host of individuals and the support of numerous institutes. There is a long list of people who volunteered their time and energy to put together and organize the conference, and who deserve special thanks. Thanks to all the members of the Program Committee and the external reviewers for all their hard work in evaluating the papers. We are also very grateful to all the people whose work ensured a smooth organization process: the ESORICS Steering Committee, and its Chair Pierangela Samarati in particular, for their support; Giovanni Livraga, for taking care of publicity; Sheila Cobourne, for maintaining the website; and the Local Organizing Committee, for helping with organization and taking care of local arrangements. We would also like to express our appreciation to everyone who organized the workshops (CATACRYPT, Cryptoforma, DPM, EUROPKI, QASA, SETOP, STM, Trustworthy Clouds) co-located with ESORICS. A number of organizations also deserve special thanks, including Royal Holloway University of London for acting as host, and the ESORICS sponsors: CESG, Transport for London, ISG Smart Card Centre, Crisp Telecom Limited, and NESSoS.

  Last, but certainly not least, our thanks go to all the authors who submitted papers and all the symposium’s attendees. We hope you find the proceedings of ESORICS 2013 stimulating and a source of inspiration for your future research and education programs.

  September 2013                                   Jason Crampton
                                                   Sushil Jajodia

Organization

General Chair

  Keith Mayes, Royal Holloway, University of London, UK

  Program Chairs

  Jason Crampton, Royal Holloway, University of London, UK
  Sushil Jajodia, George Mason University, USA

  ESORICS Steering Committee

  Michael Backes, Saarland University, Germany
  Joachim Biskup, University of Dortmund, Germany
  Frédéric Cuppens, Télécom Bretagne, France
  Sabrina De Capitani di Vimercati, Università degli Studi di Milano, Italy
  Yves Deswarte, LAAS, France
  Dieter Gollmann, TU Hamburg-Harburg, Germany
  Sokratis Katsikas, University of Piraeus, Greece
  Miroslaw Kutylowski, Wroclaw University of Technology, Poland
  Javier Lopez, University of Malaga, Spain
  Jean-Jacques Quisquater, UCL Crypto Group, Belgium
  Peter Ryan, University of Luxembourg, Luxembourg
  Pierangela Samarati (Chair), Università degli Studi di Milano, Italy
  Einar Snekkenes, Gjøvik University College, Norway
  Michael Waidner, TU Darmstadt, Germany

  Publicity Chair

  Giovanni Livraga, Università degli Studi di Milano, Italy

  Local Organizing Committee

  Geraint Price, Royal Holloway, University of London, UK
  Gerhard Hancke, Royal Holloway, University of London, UK
  Kostas Markantonakis, Royal Holloway, University of London, UK
  Emma Mosley, Royal Holloway, University of London, UK
  Jenny Lee, Royal Holloway, University of London, UK

  Program Committee

  Gail-Joon Ahn, Arizona State University, USA
  Massimiliano Albanese, George Mason University, USA
  Claudio Agostino Ardagna, Università degli Studi di Milano, Italy
  Alessandro Armando, University of Genova, Italy
  Michael Backes, Saarland University and Max Planck Institute for Software Systems, Germany
  David Basin, ETH Zurich, Switzerland
  Kevin Bauer, MIT Lincoln Laboratory, USA
  Lujo Bauer, Carnegie Mellon University, USA
  Konstantin Beznosov, UBC, Canada
  Marina Blanton, University of Notre Dame, USA
  Carlo Blundo, Università di Salerno, Italy
  Kevin Butler, University of Oregon, USA
  Srdjan Capkun, ETH Zurich, Switzerland
  Liqun Chen, Hewlett-Packard Laboratories, UK
  Sherman S.M. Chow, Chinese University of Hong Kong, SAR China
  Marco Cova, University of Birmingham, UK
  Jason Crampton, Royal Holloway, University of London, UK
  Frédéric Cuppens, TELECOM Bretagne, France
  Sabrina De Capitani Di Vimercati, Università degli Studi di Milano, Italy
  Roberto Di Pietro, Università di Roma Tre, Italy
  Claudia Diaz, K.U. Leuven, Belgium
  Josep Domingo-Ferrer, Rovira i Virgili University, Spain
  Wenliang Du, Syracuse University, USA
  Riccardo Focardi, Università Ca’ Foscari di Venezia, Italy
  Simon Foley, University College Cork, Ireland
  Sara Foresti, Università degli Studi di Milano, Italy
  Cedric Fournet, Microsoft, UK
  Keith Frikken, Miami University, USA
  Dieter Gollmann, Hamburg University of Technology, Germany
  Dimitris Gritzalis, Athens University of Economics and Business, Greece
  Gerhard Hancke, Royal Holloway, University of London, UK
  Amir Herzberg, Bar Ilan University, Israel
  Michael Huth, Imperial College London, UK
  Sushil Jajodia, George Mason University, USA
  Aaron Johnson, Naval Research Laboratory, USA
  Markulf Kohlweiss, Microsoft Research Cambridge, UK
  Steve Kremer, INRIA Nancy - Grand Est, France
  Miroslaw Kutylowski, Wroclaw University of Technology, Poland
  Adam J. Lee, University of Pittsburgh, USA
  Wenke Lee, Georgia Institute of Technology, USA
  Yingjiu Li, Singapore Management University, Singapore
  Benoit Libert, Technicolor, France
  Javier Lopez, University of Malaga, Spain
  Wenjing Lou, Virginia Polytechnic Institute and State University, USA
  Pratyusa K Manadhata, HP Labs, USA
  Luigi Mancini, Università di Roma La Sapienza, Italy
  Fabio Martinelli, IIT-CNR, Italy
  Sjouke Mauw, University of Luxembourg, Luxembourg
  Atsuko Miyaji, Japan Advanced Institute of Science and Technology, Japan
  Gregory Neven, IBM Zurich Research Laboratory, Switzerland
  Stefano Paraboschi, Università di Bergamo, Italy
  Kenneth Paterson, Royal Holloway, University of London, UK
  Dusko Pavlovic, Royal Holloway, University of London, UK
  Günther Pernul, Universität Regensburg, Germany
  Frank Piessens, Katholieke Universiteit Leuven, Belgium
  Michalis Polychronakis, Columbia University, USA
  Alexander Pretschner, Technische Universität München, Germany
  Kui Ren, State University of New York at Buffalo, USA
  Mark Ryan, University of Birmingham, UK
  P.Y.A. Ryan, University of Luxembourg, Luxembourg
  Andrei Sabelfeld, Chalmers University of Technology, Sweden
  Ahmad-Reza Sadeghi, TU Darmstadt, Germany
  Rei Safavi-Naini, University of Calgary, Canada
  Pierangela Samarati, Università degli Studi di Milano, Italy
  Radu Sion, Stony Brook University, USA
  Nigel Smart, University of Bristol, UK
  Einar Snekkenes, Gjøvik University College, Norway
  Vipin Swarup, The MITRE Corporation, USA
  Roberto Tamassia, Brown University, USA
  Carmela Troncoso, IBBT-K.U.Leuven, ESAT/COSIC, Belgium
  Yevgeniy Vahlis, University of Toronto, Canada
  Jaideep Vaidya, Rutgers University, USA
  Vijay Varadharajan, Macquarie University, Australia
  Venkat Venkatakrishnan, University of Illinois at Chicago, USA
  Luca Viganò, University of Verona, Italy
  Michael Waidner, Fraunhofer SIT, Germany

  Additional Reviewers

  Ahmadi, Ahmad; Alfardan, Nadhem; Aliasgari, Mehrdad; Alimomeni, Mohsen; Androulaki, Elli; Arriaga, Afonso; Asharov, Gilad; Balsa, Ero; Banescu, Sebastian; Basu, Anirban; Batten, Ian; Baum, Carsten; Beato, Filipe; Ben Hamouda, Fabrice; Bertolissi, Clara; Bkakria, Anis; Blaskiewicz, Przemyslaw; Boyd, Colin; Bozzato, Claudio; Broser, Christian; Brzuska, Christina; Cachin, Christian; Calvi, Alberto; Calzavara, Stefano; Carbone, Roberto; Catalano, Dario; Chandran, Nishanth; Chen, Jiageng; Chen, Ling; Chen, Si; Chen, Xihui; Cheval, Vincent; Choo, Euijin; Collberg, Christian; Cremers, Cas; Cuppens-Boulahia, Nora; Datta, Anupam; De Benedictis, Alessandra; De Caro, Angelo; De Groef, Willem; De Ryck, Philippe;

  Devriese, Dominique; Du, Changlai; Durgin, Nancy; Epasto, Alessandro; Farnan, Nicholas; Farràs, Oriol; Ferdman, Mike; Fernandez-Gago, Carmen; Fitzgerald, William Michael; Frank, Mario; Fromm, Alexander; Fuchs, Andreas; Fuchs, Ludwig; Futa, Yuichi; Gajek, Sebastian; Galbraith, Steven; Galindo, David; Garrison, William; Gasti, Paolo; Gelernter, Nethanel; George, Wesley; Ghiglieri, Marco; Gilad, Yossi; Giustolisi, Rosario; Gjomemo, Rigel; Goberman, Michael; Grewal, Gurchetan S.;

  Hadi Ahmadi, Ashish Kisti Hajian, Sara; Hanzlik, Lucjan; Hedin, Daniel; Herfert, Michael; Herrmann, Michael; Heuser, Stephan; Hoens, T. Ryan; Holzer, Andreas; Hosek, Petr; Idrees, Sabir; Jansen, Rob; Jhawar, Mahavir; Jia, Limin;

  Jorgensen, Zachery; Joye, Marc; Kalabis, Lukas; Kamara, Seny; Keppler, David; Khader, Dalia; Klaedtke, Felix; Kluczniak, Kamil; Komanduri, Saranga; Konidala, Divyan; Kordy, Barbara; Kostiainen, Kari; Krzywiecki, Lukasz; Kubiak, Przemysław; Kumari, Prachi; Kywe, Su Mon; Künnemann, Robert; Lancrenon, Jean; Li, Jin; Li, Yan; Liu, Jia; Livraga, Giovanni; Lochbihler, Andreas; Loftus, Jake; Lombardi, Flavio; Lovat, Enrico; Ma, Di; Magazinius, Jonas; Majcher, Krzysztof; Malacaria, Pasquale; Malisa, Luka; Manulis, Mark; Marinovic, Srdjan; Mathur, Suhas; Maurice, Clementine; Mazurek, Michelle; Meadows, Catherine; Meier, Stefan; Min, Byungho; Mitrou, Lilian; Moataz, Tarik; Molinaro, Cristian; Mood, Benjamin;

  Mutti, Simone; Mylonas, Alexis; Netter, Michael; Nikiforakis, Nick; Nojoimian, Mehrdad; Nuñez, David; Oligeri, Gabriele; Omote, Kazumasa; Orlandi, Claudio; Oswald, Elisabeth; Oya, Simon; Palazzi, Bernardo; Pang, Jun; Paterson, Maura; Paul, Giura; Peacock, Thea; Peeters, Roel; Peroli, Michele; Peters, Thomas; Petit, Jonathan; Phillips, Joshua; Pieczul, Olgierd; Pinto, Alexandre; Poettering, Bertram; Pujol, Marta; Qin, Zhan; Radomirovic, Sasa; Rafnsson, Willard; Ranganathan, Aanjhan; Ranise, Silvio; Reisser, Andreas; Rial, Alfredo; Riesner, Moritz; Rijmen, Vincent; Riva, Ben; Roman, Rodrigo; Saracino, Andrea; Sayaf, Rula; Scerri, Guillaume; Schneider, Thomas; Schuldt, Jacob; Schulz, Steffen; Schunter, Matthias;

  Shafiq, Basit; Shakarian, Paulo; Shen, Entong; Shi, Jie; Shirazi, Fatemeh; Shulman, Haya; Simo, Hervais; Smans, Jan; Smith, Geoffrey; Soria Comas, Jordi; Soriente, Claudio; Soupionis, Yannis; Squarcina, Marco; Stebila, Douglas; Stefanov, Emil; Stopczynski, Martin; Struminski, Tomasz; Sun, Wenhai; Syverson, Paul; Tews, Erik; Theoharidou, Marianthi; Torabi Dashti, Mohammad; Toz, Deniz; Tsoumas, Bill; Tuerpe, Sven; Tupakula, Uday;

  Van Acker, Steven; Verde, Nino Vincenzo; Villani, Antonio; Virvilis, Nick; Vitali, Domenico; Wachsmann, Christian; Wang, Bing; Wang, Lusha; Watson, Gaven J.;

  Weber, Michael; Wei, Wei; Wüchner, Tobias; Yan, Qiben; Yautsiukhin, Artsiom; Yu, Jiangshan; Zagorski, Filip; Zanella-Béguelin, Santiago; Zhang, Bingsheng; Zhang, Liang Feng; Zhang, Ning; Zhang, Tao; Zhang, Xifan; Zhang, Yihua; Zhou, Lan; Zugenmaier, Alf

  

Table of Contents

Cryptography and Computation

  Practical Covertly Secure MPC for Dishonest Majority – Or: Breaking the SPDZ Limits . . . 1
    Ivan Damgård, Marcel Keller, Enrique Larraia, Valerio Pastro, Peter Scholl, and Nigel P. Smart

  Practical and Employable Protocols for UC-Secure Circuit Evaluation over Z_n . . . 19
    Jan Camenisch, Robert R. Enderlein, and Victor Shoup

  Privacy-Preserving Accountable Computation . . . 38
    Michael Backes, Dario Fiore, and Esfandiar Mohammadi

Measurement and Evaluation

  Verifying Web Browser Extensions’ Compliance with Private-Browsing Mode . . . 57
    Benjamin S. Lerner, Liam Elberty, Neal Poole, and Shriram Krishnamurthi

  A Quantitative Evaluation of Privilege Separation in Web Browser Designs . . . 75
    Xinshu Dong, Hong Hu, Prateek Saxena, and Zhenkai Liang

  Estimating Asset Sensitivity by Profiling Users . . . 94
    Youngja Park, Christopher Gates, and Stephen C. Gates

Applications of Cryptography

  Practical Secure Logging: Seekable Sequential Key Generators . . . 111
    Giorgia Azzurra Marson and Bertram Poettering

  Request-Based Comparable Encryption . . . 129
    Jun Furukawa

  Ensuring File Authenticity in Private DFA Evaluation on Encrypted Files in the Cloud . . . 147
    Lei Wei and Michael K. Reiter

Code Analysis

  HI-CFG: Construction by Binary Analysis and Application to Attack Polymorphism . . . 164
    Dan Caselden, Alex Bazhanyuk, Mathias Payer, Stephen McCamant, and Dawn Song

  AnDarwin: Scalable Detection of Semantically Similar Android Applications . . . 182
    Jonathan Crussell, Clint Gibler, and Hao Chen

  BISTRO: Binary Component Extraction and Embedding for Software Security Applications . . . 200
    Zhui Deng, Xiangyu Zhang, and Dongyan Xu

Network Security

  Vulnerable Delegation of DNS Resolution . . . 219
    Amir Herzberg and Haya Shulman

  Formal Approach for Route Agility against Persistent Attackers . . . 237
    Jafar Haadi Jafarian, Ehab Al-Shaer, and Qi Duan

  Plug-and-Play IP Security: Anonymity Infrastructure instead of PKI . . . 255
    Yossi Gilad and Amir Herzberg

Formal Models and Methods

  Managing the Weakest Link: A Game-Theoretic Approach for the Mitigation of Insider Threats . . . 273
    Aron Laszka, Benjamin Johnson, Pascal Schöttle, Jens Grossklags, and Rainer Böhme

  Automated Security Proofs for Almost-Universal Hash for MAC Verification . . . 291
    Martin Gagné, Pascal Lafourcade, and Yassine Lakhnech

  Bounded Memory Protocols and Progressing Collaborative Systems . . . 309
    Max Kanovich, Tajana Ban Kirigin, Vivek Nigam, and Andre Scedrov

  Universally Composable Key-Management . . . 327
    Steve Kremer, Robert Künnemann, and Graham Steel

Protocol Analysis

  A Cryptographic Analysis of OPACITY (Extended Abstract) . . . 345
    Özgür Dagdelen, Marc Fischlin, Tommaso Gagliardoni, Giorgia Azzurra Marson, Arno Mittelbach, and Cristina Onete

  Symbolic Probabilistic Analysis of Off-Line Guessing . . . 363
    Bruno Conchinha, David Basin, and Carlos Caleiro

  ASICS: Authenticated Key Exchange Security Incorporating Certification Systems . . . 381
    Colin Boyd, Cas Cremers, Michèle Feltz, Kenneth G. Paterson, Bertram Poettering, and Douglas Stebila

Privacy Enhancing Models and Technologies

  Efficient Privacy-Enhanced Familiarity-Based Recommender System . . . 400
    Arjan Jeckmans, Andreas Peter, and Pieter Hartel

  Privacy-Preserving User Data Oriented Services for Groups with Dynamic Participation . . . 418
    Dmitry Kononchuk, Zekeriya Erkin, Jan C.A. van der Lubbe, and Reginald L. Lagendijk

  Privacy-Preserving Matching of Community-Contributed Content . . . 443
    Mishari Almishari, Paolo Gasti, Gene Tsudik, and Ekin Oguz

E-voting and Privacy

  Ballot Secrecy and Ballot Independence Coincide . . . 463
    Ben Smyth and David Bernhard

  Election Verifiability or Ballot Privacy: Do We Need to Choose? . . . 481
    Édouard Cuvelier, Olivier Pereira, and Thomas Peters

  Enforcing Privacy in the Presence of Others: Notions, Formalisations and Relations . . . 499
    Naipeng Dong, Hugo Jonker, and Jun Pang

Malware Detection

  Mining Malware Specifications through Static Reachability Analysis . . . 517
    Hugo Daniel Macedo and Tayssir Touili

  Measuring and Detecting Malware Downloads in Live Network Traffic . . . 556
    Phani Vadrevu, Babak Rahbarinia, Roberto Perdisci, Kang Li, and Manos Antonakakis

Access Control

  Automated Certification of Authorisation Policy Resistance . . . 574
    Andreas Griesmayer and Charles Morisset

  Fine-Grained Access Control System Based on Outsourced Attribute-Based Encryption . . . 592
    Jin Li, Xiaofeng Chen, Jingwei Li, Chunfu Jia, Jianfeng Ma, and Wenjing Lou

  Purpose Restrictions on Information Use . . . 610
    Michael Carl Tschantz, Anupam Datta, and Jeannette M. Wing

  Distributed Shuffling for Preserving Access Confidentiality . . . 628
    Sabrina De Capitani di Vimercati, Sara Foresti, Stefano Paraboschi, Gerardo Pelosi, and Pierangela Samarati

Attacks

  Range Extension Attacks on Contactless Smart Cards . . . 646
    Yossef Oren, Dvir Schirman, and Avishai Wool

  CellFlood: Attacking Tor Onion Routers on the Cheap . . . 664
    Marco Valerio Barbera, Vasileios P. Kemerlis, Vasilis Pappas, and Angelos D. Keromytis

  Nowhere to Hide: Navigating around Privacy in Online Social Networks . . . 682
    Mathias Humbert, Théophile Studer, Matthias Grossglauser, and Jean-Pierre Hubaux

  Current Events: Identifying Webpages by Tapping the Electrical Outlet . . . 700
    Shane S. Clark, Hossen Mustafa, Benjamin Ransford, Jacob Sorber, Kevin Fu, and Wenyuan Xu

Language-Based Protection

  Eliminating Cache-Based Timing Attacks with Instruction-Based

  Data-Confined HTML5 Applications . . . 736
    Devdatta Akhawe, Frank Li, Warren He, Prateek Saxena, and Dawn Song

  KQguard: Binary-Centric Defense against Kernel Queue Injection Attacks . . . 755
    Jinpeng Wei, Feng Zhu, and Calton Pu

  Run-Time Enforcement of Information-Flow Properties on Android (Extended Abstract) . . . 775
    Limin Jia, Jassim Aljuraidan, Elli Fragkaki, Lujo Bauer, Michael Stroucken, Kazuhide Fukushima, Shinsaku Kiyomoto, and Yutaka Miyake

Author Index . . . 793

  

Practical Covertly Secure MPC for Dishonest Majority –
Or: Breaking the SPDZ Limits

  Ivan Damgård (1), Marcel Keller (2), Enrique Larraia (2), Valerio Pastro (1), Peter Scholl (2), and Nigel P. Smart (2)

  (1) Department of Computer Science, Aarhus University
  (2) Department of Computer Science, University of Bristol

Abstract. SPDZ (pronounced “Speedz”) is the nickname of the MPC protocol of Damgård et al. from Crypto 2012. In this paper we both resolve a number of open problems with SPDZ and present several theoretical and practical improvements to the protocol. In detail, we start by designing and implementing a covertly secure key generation protocol for obtaining a BGV public key and a shared associated secret key. We then construct both a covertly and an actively secure preprocessing phase, both of which compare favourably with previous work in terms of efficiency and provable security.

  We also build a new online phase, which solves a major problem of the SPDZ protocol: namely, prior to this work preprocessed data could be used for only one function evaluation and then had to be recomputed from scratch for the next evaluation, while our online phase can support reactive functionalities. This improvement comes mainly from the fact that our construction does not require players to reveal the MAC keys to check correctness of MAC’d values.

1 Introduction

  For many decades multi-party computation (MPC) had been a predominantly theoretic endeavour in cryptography, but in recent years interest has arisen on the practical side. This has resulted in various implementation improvements and such protocols are becoming more applicable to practical situations. A key part in this transformation from theory to practice is in adapting theoretical protocols and applying implementation techniques so as to significantly improve performance, whilst not sacrificing the level of security required by real world applications. This paper follows this modern, more practical, trend.

  Early applied work on MPC focused on the case of protocols secure against passive adversaries, both in the case of two-party protocols based on Yao circuits and that of many-party protocols, based on secret sharing techniques which appears to come at vastly increased cost when dealing with more than two players. On the other hand, in the real applications active security may be more stringent than one would actually require. In Aumann and Lindell introduced the notion of covert security; in this se-


  same effect, but the adversary can only succeed with cheating with negligible probability. There is a strong case to be made, see that covert security is a “good enough” security level for practical application; thus in this work we focus on covert security, but we also provide solutions with active security.

  As our starting point we take the protocol of (dubbed SPDZ, and pronounced Speedz). In this protocol is secure against active static adversaries in the standard model, is actively secure, and tolerates corruption of n − 1 of the n parties. The SPDZ protocol follows the preprocessing model: in an offline phase some shared randomness is generated, but neither the function to be computed nor the inputs need be known; in an online phase the actual secure computation is performed. One of the main advantages of the SPDZ protocol is that the performance of the online phase scales linearly with the number of players, and the basic operations are almost as cheap as those used in the passively secure protocols based on Shamir secret sharing. Thus, it offers the possibility of being both more flexible and secure than Shamir based protocols, while still maintaining low computational cost.

  In the authors present an implementation report on an adaption of the SPDZ protocol in the random oracle model, and show performance figures for both the offline and online phases for both an actively secure variant and a covertly secure variant. The implementation is over a finite field of characteristic two, since the focus is on providing a benchmark for evaluation of the AES circuit (a common benchmark application in MPC

  Our Contributions: In this work we present a number of contributions which extend even further the ability of the SPDZ protocol to deal with the type of application one is likely to see in practice. All our theorems are proved in the UC model, and in most cases the protocols make use of some predefined ideal functionalities. We give protocols implementing most of these functionalities, the only exception being the functionality that provides access to a random oracle. This is implemented using a hash function, and so the actual protocol is only secure in the Random Oracle Model. We back up these improvements with an implementation which we report on.

  Our contributions come in two flavours. In the first flavour we present a number of improvements and extensions to the basic underlying SPDZ protocol. These protocol improvements are supported with associated security models and proofs. Our second flavour of improvements is at the implementation layer, and brings standard techniques from applied cryptography to bear on MPC.

  In more detail, our protocol enhancements, in descending order of importance, are as follows:

  1. In the online phase of the original SPDZ protocol the parties are required to reveal their shares of a global MAC key in order to verify that the computation has been performed correctly. This is a major problem in practical applications since it means that secret-shared data we did not reveal cannot be re-used in later applications. Our protocol adopts a method to accomplish the same task, without needing to open the


  of the verification we need (the so-called “sacrificing” step) can be moved into the offline phase, providing additional performance improvements in the online phase.

  2. In the original SPDZ protocol the authors assume a “magic” key generation phase for the production of the distributed Somewhat Homomorphic Encryption (SHE) scheme public/private keys required by the offline phase. The authors claim this can be accomplished using standard generic MPC techniques, which are of course expensive. In this work we present a key generation protocol for the BGV SHE scheme, which is secure against covert adversaries. In addition we generate a “full” BGV key which supports the modulus switching and key switching used in . This new sub-protocol may be of independent interest in other applications which require distributed decryption in an SHE/FHE scheme.

  3. In the modification to covert security was essentially ad-hoc, and resulted in a very weak form of covert security. In addition no security proofs or model were given to justify the claimed security. In this work we present a completely different approach to achieving covert security; we provide an extensive security model and full proofs for the modified offline phase (and the key generation protocol mentioned above).

  4. We introduce a new approach to obtain full active security in the offline phase. In . This method has running time similar to the ZKPoK approach utilized in , but it allows us to give much stronger guarantees on the ciphertexts produced by corrupt players: the gap between the size of “noise” honest players put into ciphertexts and what we can force corrupt players to use was exponential in the security parameter in and is essentially linear in our solution. This allows us to choose smaller parameters for the underlying cryptosystem and so makes other parts of the protocol more efficient.

  It is important to understand that by combining these contributions in different ways, we can obtain two different general MPC protocols: First, since our new online phase still has full active security, it can be combined with our new approach to active security in the offline phase. This results in a protocol that is “syntactically similar” to the one from , in that it can securely compute reactive functionalities. Second, we can combine our covertly secure protocols for key generation and the offline phase with the online phase to get a protocol that has covert security throughout and does not assume that key generation is given for free.

  Our covert solutions all make use of the same technique to move from passive to covert security, while avoiding the computational cost of performing zero-knowledge proofs. In covert security is obtained by only checking a fraction of the resulting proofs, which results in a weak notion of covert security (the probability of a cheater being detected cannot be made too large). In this work we adopt a different approach,

4   I. Damgård et al.

  If all opened runs are shown to have been performed correctly then the players assume that the single un-opened run is also correctly executed.

  A pleasing side-effect of replacing zero-knowledge proofs with our custom mechanism for obtaining covert security is that the offline phase can be run in much smaller “batches”. In the need to amortize the cost of the expensive zero-knowledge proofs meant that on each iteration of the offline protocol the players executed a large computation, which produced a large number of multiplication triples (in the millions). With our new technique we no longer need to amortize executions as much, and so short runs of the offline phase can be executed if so desired, producing only a few thousand triples per run.

  Our second flavour of improvements is more mundane, being mainly of an implementation nature. This extended abstract presents the main ideas behind our improvements and details of our implementation. For a full description, including details of the associated sub-procedures, security models and full security proofs, please see the full version of this paper at

2 SPDZ Overview

  We now present the main components of the SPDZ protocol; in this section, unless otherwise specified, we are simply recapping prior work. Throughout the paper we assume the computation to be performed by $n$ players over a fixed finite field $\mathbb{F}_p$ of characteristic $p$. The high level idea of the online phase is to compute a function represented as a circuit, where privacy is obtained by additively secret sharing the inputs and outputs of each gate, and correctness is guaranteed by adding additive secret sharings of MACs on the inputs and outputs of each gate. In more detail, each player $P_i$ has a uniform share $\alpha_i \in \mathbb{F}_p$ of a secret value $\alpha = \alpha_1 + \cdots + \alpha_n$, thought of as a fixed MAC key. We say that a data item $a \in \mathbb{F}_p$ is $\langle\cdot\rangle$-shared if $P_i$ holds a tuple $(a_i, \gamma(a)_i)$, where $a_i$ is an additive secret sharing of $a$, i.e. $a = a_1 + \cdots + a_n$, and $\gamma(a)_i$ is an additive secret sharing of $\gamma(a) := \alpha \cdot a$, i.e. $\gamma(a) = \gamma(a)_1 + \cdots + \gamma(a)_n$. For the readers familiar with , this is a simpler MAC definition. In particular we have dropped $\delta_a$ from the MAC definition; this value was only used to add or subtract public data to or from shares. In our case $\delta_a$ becomes superfluous, since there is a straightforward way of computing a MAC of a public value $a$ by defining $\gamma(a)_i \leftarrow a \cdot \alpha_i$. During the protocol various values which are $\langle\cdot\rangle$-shared are “partially opened”, i.e. the associated values $a_i$ are revealed, but not the associated shares of the MAC. Note that linear operations (addition and scalar multiplication) can be performed on the $\langle\cdot\rangle$-sharings with no interaction required. Computing multiplications, however, is not straightforward, as we describe below.

  The goal of the offline phase is to produce a set of “multiplication triples”, which allow players to compute products. These are a list of sets of three $\langle\cdot\rangle$-sharings $\{\langle a\rangle, \langle b\rangle, \langle c\rangle\}$ such that $c = a \cdot b$. In this paper we extend the offline phase to also produce “square pairs”, i.e. a list of pairs of $\langle\cdot\rangle$-sharings $\{\langle a\rangle, \langle b\rangle\}$ such that $b = a^2$, and “shared bits”

  $\{\langle a\rangle, \langle b\rangle, \langle c\rangle\}$ and partially open $x - a$ to obtain $\epsilon$ and $y - b$ to obtain $\delta$. The sharing of $z = x \cdot y$ is computed from $\langle z\rangle \leftarrow \langle c\rangle + \epsilon \cdot \langle b\rangle + \delta \cdot \langle a\rangle + \epsilon \cdot \delta$. The reason for us introducing square pairs is that squaring a value can then be computed more efficiently as follows: To square the sharing $\langle x\rangle$ we take a square pair $\{\langle a\rangle, \langle b\rangle\}$ and partially open $x - a$ to obtain $\epsilon$. We then compute the sharing of $z = x^2$ from $\langle z\rangle \leftarrow \langle b\rangle + 2 \cdot \epsilon \cdot \langle x\rangle - \epsilon^2$. Finally, the “shared bits” are useful in computing high level operations such as comparison, bit-decomposition, fixed and floating point operations as in
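  The multiplication and squaring steps just described, as an added worked example that is not the paper's code: a toy $\langle\cdot\rangle$-sharing over a small prime field in Python, where the preprocessed $\alpha$, triples and square pairs are handed out by a trusted dealer in place of the offline phase (an assumption of the demo), followed by the MAC check on the opened results.

```python
# Toy SPDZ online phase over F_p (added example, not the paper's code). A <x>-sharing is
# a list of per-player pairs (x_i, gamma(x)_i) with sum x_i = x, sum gamma(x)_i = alpha*x.
# alpha, triples and square pairs come from a trusted dealer standing in for the offline phase.
import secrets
P = 2**31 - 1   # constructed field prime for the demo; 3 players throughout

def additive_shares(x, n=3):
    s = [secrets.randbelow(P) for _ in range(n - 1)]
    return s + [(x - sum(s)) % P]

def share(x, alpha):
    return list(zip(additive_shares(x), additive_shares(alpha * x % P)))

def lin(k, x, y):          # k*<x> + <y>: linear, so no interaction is needed
    return [((k * xi + yi) % P, (k * mx + my) % P)
            for (xi, mx), (yi, my) in zip(x, y)]

def add_public(k, x, alpha_sh):
    # the MAC of public k is gamma(k)_i := k*alpha_i; only P_0 adds k to its value share
    return [((xi + (k if i == 0 else 0)) % P, (mx + k * ai) % P)
            for i, ((xi, mx), ai) in enumerate(zip(x, alpha_sh))]

def partial_open(x):       # reveal the value shares only; MAC shares stay private
    return sum(xi for xi, _ in x) % P

def mac_check(opened, x, alpha_sh):
    alpha = sum(alpha_sh) % P   # the real protocol checks without reconstructing alpha
    return sum(mx for _, mx in x) % P == alpha * opened % P

def multiply(x, y, triple, alpha_sh):
    a, b, c = triple                                # c = a*b
    eps = partial_open(lin(P - 1, a, x))            # eps = x - a
    dlt = partial_open(lin(P - 1, b, y))            # dlt = y - b
    z = lin(eps, b, lin(dlt, a, c))                 # <c> + eps*<b> + dlt*<a>
    return add_public(eps * dlt % P, z, alpha_sh)   # ... + eps*dlt

def square(x, pair, alpha_sh):
    a, b = pair                                     # b = a^2
    eps = partial_open(lin(P - 1, a, x))            # eps = x - a
    return add_public(-eps * eps % P, lin(2 * eps % P, x, b), alpha_sh)

def demo(xv, yv):
    alpha = secrets.randbelow(P); alpha_sh = additive_shares(alpha)
    a, b, s = (secrets.randbelow(P) for _ in range(3))
    triple = (share(a, alpha), share(b, alpha), share(a * b % P, alpha))
    pair = (share(s, alpha), share(s * s % P, alpha)); x, y = share(xv, alpha), share(yv, alpha)
    z, w = multiply(x, y, triple, alpha_sh), square(x, pair, alpha_sh)
    zo, wo = partial_open(z), partial_open(w)
    ok = mac_check(zo, z, alpha_sh) and mac_check(wo, w, alpha_sh)
    return zo, wo, ok                               # (xv*yv mod P, xv^2 mod P, True)
```

The last assertion-style check in the test shows why the MAC shares matter: a corrupted value share opens to a different value, and the summed MAC no longer equals $\alpha$ times it.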

  The offline phase produces the triples in the following way. We make use of a Somewhat Homomorphic Encryption (SHE) scheme, which encrypts messages in $\mathbb{F}_p$, supports distributed decryption, and allows computation of circuits of multiplicative depth one on encrypted data. To generate a multiplication triple each player $P_i$ generates encryptions of random values $a_i$ and $b_i$ (their shares of $a$ and $b$). Using the multiplicative property of the SHE scheme an encryption of $c = (a_1 + \cdots + a_n) \cdot (b_1 + \cdots + b_n)$ is produced. The players then use the distributed decryption protocol to obtain sharings of $c$. The shares of the MACs on $a$, $b$ and $c$ needed to complete the $\langle\cdot\rangle$-sharing are produced in much the same manner. Similar operations are performed to produce square pairs and shared bits. Clearly the above (vague) outline needs to be fleshed out to ensure the required covert security level. Moreover, in practice we generate many triples/pairs/shared-bits at once using the SIMD nature of the BGV SHE scheme.

3 BGV

  We now present an overview of the BGV scheme as required by our offline phase. This is only sketched; the reader is referred to  for more details. Our goal is to present enough detail to explain the key generation protocol later.

3.1 Preliminaries

  Underlying Algebra: We fix the ring $R_q = (\mathbb{Z}/q\mathbb{Z})[X]/\Phi_m(X)$ for some cyclotomic polynomial $\Phi_m(X)$, where $m$ is a parameter which can be thought of as a function of the underlying security parameter. Note that $q$ may not necessarily be prime. Let $R = \mathbb{Z}[X]/\Phi_m(X)$, and let $\phi(m)$ denote the degree of $R$ over $\mathbb{Z}$, i.e. Euler's $\phi$ function. The message space of our scheme will be $R_p$ for a prime $p$ of approximately 32, 64 or 128 bits in length, whilst ciphertexts will lie in either $R_{q_0}^2$ or $R_{q_1}^2$, for one of two moduli $q_0$ and $q_1$. We select $R = \mathbb{Z}[X]/(X^{m/2} + 1)$ for $m$ a power of two, and $p \equiv 1 \pmod m$. By picking $m$ and $p$ this way we have that the message space $R_p$ offers $m/2$-fold SIMD parallelism, i.e. $R_p \cong \mathbb{F}_p^{m/2}$. In addition this also implies that the ring constant $c_m$ from  is equal to one.

  We wish to generate a public key for a leveled BGV scheme for which $n$ players each hold a share, which is itself a “standard” BGV secret key. As we are working with

  SwitchKey operation. The value $p_1$ must be chosen so that $p_1 \equiv 1 \pmod p$, with the value of $p_0$ set to ensure valid distributed decryption.

  Random Values: Each player is assumed to have a secure entropy source. In practice we take this to be /dev/urandom, which is a non-blocking entropy source found on Unix-like operating systems. This is not a “true” entropy source, being non-blocking, but it provides a practical balance between entropy production and performance for our purposes. In what follows we model this source via a procedure $s \leftarrow \mathsf{Seed}()$, which generates a new seed from this source of entropy. Calling this function sets the player's global variable $\mathsf{cnt}$ to zero. Then every time a player generates a new random value in a protocol, this is constructed by calling $\mathsf{PRF}_s(\mathsf{cnt})$, for some pseudo-random function $\mathsf{PRF}$, and then incrementing $\mathsf{cnt}$. In practice we use AES under the key $s$ with message $\mathsf{cnt}$ to implement $\mathsf{PRF}$.

  The point of this method for generating random values is that the said values can later be verified to have been generated honestly: a player reveals $s$, and the others recompute all the randomness used by that player and verify that his output is consistent with this value of $s$.

  From the basic PRF we define the following “induced” pseudo-random number generators, which generate elements according to the following distributions but seeded by the seed $s$:

  • $\mathsf{HWT}_s(h, n)$: This generates a vector of length $n$ with elements chosen at random from $\{-1, 0, 1\}$ subject to the condition that the number of non-zero elements is equal to $h$.

  • $\mathsf{ZO}_s(0.5, n)$: This generates a vector of length $n$ with elements chosen from $\{-1, 0, 1\}$ such that the probability of each coefficient is $p_{-1} = 1/4$, $p_0 = 1/2$ and $p_1 = 1/4$.

  • $\mathsf{DG}_s(\sigma^2, n)$: This generates a vector of length $n$ with elements chosen according to the discrete Gaussian distribution with variance $\sigma^2$.

  • $\mathsf{RC}_s(0.5, \sigma^2, n)$: This generates a triple of elements $(v, e_0, e_1)$ where $v$ is sampled from $\mathsf{ZO}_s(0.5, n)$ and $e_0$ and $e_1$ are sampled from $\mathsf{DG}_s(\sigma^2, n)$.

  • $\mathsf{U}_s(q, n)$: This generates a vector of length $n$ with elements generated uniformly modulo $q$.

  If any random values are used which do not depend on a seed then these should be assumed to be drawn using a secure entropy source (again in practice assumed to be /dev/urandom). If we pull from one of the above distributions where we do not care about the specific seed being used then we will drop the subscript $s$ from the notation.
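  The seeded PRF randomness and the induced samplers $\mathsf{HWT}$, $\mathsf{ZO}$ and $\mathsf{U}$ above, as an added Python example that is not the paper's code: HMAC-SHA256 keyed by $s$ with $\mathsf{cnt}$ as the message stands in for the paper's AES-based PRF (a substitution of this demo), the discrete-Gaussian samplers $\mathsf{DG}$ and $\mathsf{RC}$ are omitted, and `audit` is the “reveal $s$ and recompute” check described in the text.

```python
# Seeded, auditable randomness from Section 3.1 (added example, not the paper's
# code).  The paper instantiates PRF_s(cnt) with AES; HMAC-SHA256 stands in here so
# the demo needs only the standard library.  DG and RC are omitted for brevity.
import hmac, hashlib, os

class SeededSampler:
    """s <- Seed() resets cnt to 0; each random value is PRF_s(cnt), then cnt += 1."""
    def __init__(self, seed=None):
        self.s = seed if seed is not None else os.urandom(16)  # Seed() from OS entropy
        self.cnt = 0

    def prf(self):
        r = hmac.new(self.s, self.cnt.to_bytes(16, "big"), hashlib.sha256).digest()
        self.cnt += 1
        return int.from_bytes(r, "big")

    def below(self, q):
        # rejection sampling: a plain "% q" would bias the result when q does not divide 2**256
        lim = (1 << 256) - ((1 << 256) % q)
        while True:
            r = self.prf()
            if r < lim:
                return r % q

    def U(self, q, n):         # U_s(q, n): uniform mod q
        return [self.below(q) for _ in range(n)]

    def ZO(self, n):           # ZO_s(0.5, n): P(-1) = 1/4, P(0) = 1/2, P(1) = 1/4
        return [(-1, 0, 0, 1)[self.below(4)] for _ in range(n)]

    def HWT(self, h, n):       # HWT_s(h, n): exactly h entries are +-1, the rest 0
        v, pos = [0] * n, list(range(n))
        for i in range(h):     # partial Fisher-Yates shuffle picks h distinct positions
            j = i + self.below(n - i)
            pos[i], pos[j] = pos[j], pos[i]
            v[pos[i]] = 1 if self.below(2) else -1
        return v

def run_player(seed, h, n, q):
    """What a player publishes: its sampled values, in a fixed order (the seed stays secret)."""
    g = SeededSampler(seed)
    return {"h": h, "n": n, "q": q, "hwt": g.HWT(h, n), "zo": g.ZO(n), "u": g.U(q, n)}

def audit(seed, t):
    """Once s is revealed, anyone can recompute the randomness and compare it with the
    player's published values; any deviation shows the player did not sample honestly."""
    return run_player(seed, t["h"], t["n"], t["q"]) == t
```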

  Broadcast: When broadcasting data we assume two different models. In the online phase during partial opening we utilize the method described in ; in that players send their data to a nominated player who then broadcasts the reconstructed value back to the remaining players. For other applications of broadcast we assume each party broadcasts their values to all other parties directly. In all instances players maintain a running hash of all values sent and received in a broadcast (with a suitable modification for the variant used for partial opening). At the end of a protocol run these running hashes are


  3.2 Key Generation

  The key generation algorithm generates a public/private key pair such that the public key is given by $\mathsf{pk} = (a, b)$, where $a$ is generated from $\mathsf{U}(q_1, \phi(m))$ (i.e. $a$ is uniform in $R_{q_1}$), and $b = a \cdot s + p \cdot \epsilon$ where $\epsilon$ is a “small” error term, and $s$ is the secret key such that $s = s_1 + \cdots + s_n$, where player $P_i$ holds the share $s_i$. Recall since $m$ is a power of 2 we have $\phi(m) = m/2$.

  The public key is also augmented to an extended public key $\mathsf{epk}$ by addition of a