Title: Mitigating Membership Inference Attacks by Self-Distillation Through a Novel Ensemble Architecture
Membership inference attacks are a key measure to evaluate privacy leakage in machine learning (ML) models. These attacks aim to distinguish training members from non-members by exploiting differential behavior of the models on member and non-member inputs. The goal of this work is to train ML models that have high membership privacy while largely preserving their utility; we therefore aim for an empirical membership privacy guarantee as opposed to the provable privacy guarantees provided by techniques like differential privacy, as such techniques are shown to deteriorate model utility. Specifically, we propose a new framework to train privacy-preserving models that induces similar behavior on member and non-member inputs to mitigate membership inference attacks. Our framework, called SELENA, has two major components. The first component and the core of our defense is a novel ensemble architecture for training. This architecture, which we call Split-AI, splits the training data into random subsets, and trains a model on each subset of the data. We use an adaptive inference strategy at test time: our ensemble architecture aggregates the outputs of only those models that did not contain the input sample in their training data. We prove that our Split-AI architecture defends against a large family of membership inference attacks, however, it is susceptible to new adaptive attacks. Therefore, we use a second component in our framework called Self-Distillation to protect against such stronger attacks. The Self-Distillation component (self-)distills the training dataset through our Split-AI ensemble, without using any external public datasets. Through extensive experiments on major benchmark datasets we show that SELENA presents a superior trade-off between membership privacy and utility compared to the state of the art.

Title: Toward Uncensorable, Anonymous and Private Access Over Satoshi Blockchains
Providing unrestricted access to sensitive content such as news and software is difficult in the presence of adaptive and resourceful surveillance and censoring adversaries. In this paper we leverage the distributed and resilient nature of commercial Satoshi blockchains to develop the first provably secure, censorship-resistant, cost-efficient storage system with anonymous and private access, built on top of commercial cryptocurrency transactions. We introduce max-rate transactions, a practical construct to persist data of arbitrary size entirely in a Satoshi blockchain. We leverage max-rate transactions to develop UWeb, a blockchain-based storage system that charges publishers to self-sustain its decentralized infrastructure. UWeb organizes blockchain-stored content for easy retrieval, and enables clients to store and access content with provable anonymity, privacy and censorship resistance properties.
We present results from UWeb experiments with writing 268.21 MB of data into the live Litecoin blockchain, including 4.5 months of live-feed BBC articles, and 41 censorship resistant tools. The max-rate writing throughput (183 KB/s) and blockchain utilization (88%) exceed those of state-of-the-art solutions by 2-3 orders of magnitude and broke Litecoin's record of the daily average block size. Our simulations with up to 3,000 concurrent UWeb writers confirm that UWeb does not impact the confirmation delays of financial transactions.

Title: TESDA: Transform Enabled Statistical Detection of Attacks in Deep Neural Networks
Authors: Chandramouli Amarnath (Georgia Tech), Aishwarya H. Balwani (Georgia Tech), Kwondo Ma (Georgia Tech), Abhijit Chatterjee (Georgia Tech)
Deep neural networks (DNNs) are now the de facto choice for computer vision tasks such as image classification. However, their complexity and "black box" nature often render the systems they are deployed in vulnerable to a range of security threats. Successfully identifying such threats, especially in safety-critical real-world applications, is thus of utmost importance, but still very much an open problem. We present TESDA, a low-overhead, flexible, and statistically grounded method for online detection of attacks by exploiting the discrepancies they cause in the distributions of intermediate-layer features of DNNs. Unlike most prior work, we require neither dedicated hardware to run in real time, nor the presence of a Trojan trigger to detect discrepancies in behavior. We empirically establish our method's usefulness and practicality across multiple architectures, datasets and diverse attacks, consistently achieving detection coverage above 95% with operation-count overheads as low as 1-2%.
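The abstract does not give TESDA's statistic or transform, so the following is an added example of the general shape of such a detector rather than the authors' method: a per-dimension Gaussian baseline of an intermediate layer's features is calibrated on clean inputs, an alarm threshold is taken from a clean-score quantile, and every incoming feature vector is then scored online in time linear in the feature dimension. The feature vectors are constructed; "attacked" vectors are clean ones with half of the dimensions shifted, standing in for the distribution discrepancy the paper exploits.

```python
"""Online feature-distribution detector (added example, not the TESDA code).

Calibrate a per-dimension mean/std on clean intermediate features, set the
alarm threshold at a quantile of clean scores, then score each new feature
vector with its mean squared z-score. All feature data below is constructed.
"""
import random

DIM = 16


class FeatureDetector:
    def __init__(self, clean_features, quantile=0.99):
        n = len(clean_features)
        self.mean = [sum(f[j] for f in clean_features) / n for j in range(DIM)]
        self.std = [max((sum((f[j] - self.mean[j]) ** 2 for f in clean_features) / n) ** 0.5,
                        1e-6)
                    for j in range(DIM)]
        # Threshold from the clean-score distribution, not from any attack data.
        scores = sorted(self.score(f) for f in clean_features)
        self.threshold = scores[min(int(quantile * n), n - 1)]

    def score(self, feat):
        """Mean squared z-score across dimensions; about 1 for in-distribution inputs."""
        return sum(((x - m) / s) ** 2 for x, m, s in zip(feat, self.mean, self.std)) / DIM

    def is_attack(self, feat):
        return self.score(feat) > self.threshold


def clean_batch(n, rng):
    # Constructed per-dimension means and scales for the monitored layer.
    return [[rng.gauss(0.5 * j, 1.0 + 0.1 * j) for j in range(DIM)] for _ in range(n)]


def attacked_batch(n, rng, shift=3.0):
    # Constructed attack signature: the first half of the dimensions shifted by
    # `shift` standard deviations; the rest are untouched.
    return [[v + (shift * (1.0 + 0.1 * j) if j < DIM // 2 else 0.0)
             for j, v in enumerate(f)]
            for f in clean_batch(n, rng)]


def evaluate(seed=1):
    rng = random.Random(seed)
    det = FeatureDetector(clean_batch(500, rng))
    clean = clean_batch(200, rng)
    attacked = attacked_batch(200, rng)
    fpr = sum(det.is_attack(f) for f in clean) / len(clean)
    coverage = sum(det.is_attack(f) for f in attacked) / len(attacked)
    return {"threshold": det.threshold,
            "false_positive_rate": fpr,
            "detection_coverage": coverage}


if __name__ == "__main__":
    print(evaluate())
```

The detector needs only the calibration statistics and one pass over the feature vector per input, which is the kind of overhead profile the abstract describes; a real deployment would calibrate on the model's actual layer activations and pick the quantile from an acceptable false-alarm budget.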

Title: Characterizing Improper Input Validation Vulnerabilities of Mobile Crowdsourcing Services
Mobile crowdsourcing services (MCSs) enable fast and economical data acquisition at scale and find applications in a variety of domains. Prior work has shown that Foursquare and Waze (a location-based and a navigation MCS, respectively) are vulnerable to different kinds of data poisoning attacks. Such attacks can be upsetting and even dangerous, especially when they are used to inject improper inputs to mislead users. However, to date, there is no comprehensive study of the extent of improper input validation (IIV) vulnerabilities and the feasibility of their exploitation in MCSs across domains. In this work, we leverage the fact that MCSs interface with their participants through mobile apps to design tools and new methodologies, embodied in an end-to-end feedback-driven analysis framework, which we use to study 10 popular and previously unexplored services in five different domains. Using our framework we send tens of thousands of API requests with automatically generated input values to characterize their IIV attack surface. Alarmingly, we found that most of them (8/10) suffer from grave IIV vulnerabilities which allow an adversary to launch data poisoning attacks at scale: 7400 spoofed API requests succeeded in faking online posts for robberies, gunshots and other dangerous incidents, faking fitness activities with supernatural speeds and distances, and many others. Lastly, we discuss easy-to-implement and easy-to-deploy mitigation strategies which can greatly reduce the IIV attack surface and argue for their use as a necessary complementary measure toward trustworthy mobile crowdsourcing services.
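The fitness-activity case mentioned above is the kind of endpoint a server-side validator should catch. The following is an added example, not code from the paper or from any of the studied services: `accept_activity_vulnerable` mirrors an endpoint that only checks that the fields exist, while `accept_activity_hardened` enforces type, range, time-order and physical-plausibility checks of the sort the abstract recommends as mitigation. Field names, the limits and the sample requests are constructed assumptions.

```python
"""Input validation for a fitness-activity submission (added example, not the
paper's code). The hardened handler rejects the spoofed requests that the
vulnerable handler would store. Field names, limits and requests are constructed.
"""
from datetime import datetime, timezone

MAX_SPEED_KMH = 45.0      # assumed cap for a human-powered activity
MAX_DISTANCE_KM = 400.0   # assumed cap for a single activity
MAX_DURATION_H = 24.0
REQUIRED = ("user", "distance_km", "start", "end")


def accept_activity_vulnerable(req):
    """Stores whatever the client sends; only checks that the keys exist."""
    if any(k not in req for k in REQUIRED):
        return False, "missing field"
    return True, "stored"


def _parse_ts(value):
    """Parse an RFC 3339 timestamp; reject non-strings and zone-less values."""
    if not isinstance(value, str):
        return None
    try:
        ts = datetime.fromisoformat(value)
    except ValueError:
        return None
    return ts if ts.tzinfo is not None else None


def _is_number(v):
    return isinstance(v, (int, float)) and not isinstance(v, bool)


def accept_activity_hardened(req, now):
    """Type, range, ordering and plausibility checks; `now` is the server clock."""
    if not isinstance(req, dict):
        return False, "malformed body"
    for k in REQUIRED:
        if k not in req:
            return False, f"missing field {k}"
    if not isinstance(req["user"], str) or not req["user"].isalnum():
        return False, "bad user id"
    d = req["distance_km"]
    if not _is_number(d) or d <= 0 or d > MAX_DISTANCE_KM:
        return False, "distance out of range"
    start, end = _parse_ts(req["start"]), _parse_ts(req["end"])
    if start is None or end is None:
        return False, "bad timestamp"
    if end <= start or end > now:
        return False, "implausible time window"
    hours = (end - start).total_seconds() / 3600.0
    if hours > MAX_DURATION_H:
        return False, "activity too long"
    if d / hours > MAX_SPEED_KMH:
        return False, "implausible speed"
    return True, "stored"


# Constructed sample traffic: one honest submission and several spoofed ones.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
LEGIT = {"user": "alice42", "distance_km": 10.0,
         "start": "2024-05-01T09:00:00+00:00", "end": "2024-05-01T09:50:00+00:00"}
SPOOFED = [
    {**LEGIT, "distance_km": 500.0},                 # 600 km/h "run"
    {**LEGIT, "distance_km": -3.0},                  # negative distance
    {**LEGIT, "distance_km": "10"},                  # wrong type
    {**LEGIT, "end": "2024-05-01T08:00:00+00:00"},   # ends before it starts
    {**LEGIT, "start": "2024-05-01 09:00:00"},       # no time zone
    {**LEGIT, "user": "a'; DROP TABLE runs;--"},     # hostile identifier
]


def audit(requests, now=NOW):
    """How many of `requests` each handler would store."""
    return {"vulnerable": sum(accept_activity_vulnerable(r)[0] for r in requests),
            "hardened": sum(accept_activity_hardened(r, now)[0] for r in requests)}


if __name__ == "__main__":
    print(audit([LEGIT] + SPOOFED))
```

Every spoofed request carries all required fields, so the presence-only check stores all of them; the hardened handler keeps the honest submission and rejects the rest. The plausibility limits are the part a real service must tune per domain, which is also what makes them cheap to deploy.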

Title: An Effective Attack Scenario Construction Model based on Attack Steps and Stages Identification
A Network Intrusion Detection System (NIDS) is a network security technology for detecting intruder attacks. However, it produces a great number of low-level alerts, which makes analysis difficult, especially when constructing attack scenarios. Attack scenario construction (ASC) via alert correlation (AC) is important to reveal the attack strategy in terms of the steps and stages that must be carried out for the attack to succeed. In most existing works, alerts are correlated by classifying them based on cause-effect relationships. However, the drawback of these works is the identification of false and incomplete correlations due to the inclusion of raw alerts. To address this problem, this work proposes an effective ASC model to discover the complete relationship among alerts. The model is evaluated on two datasets, DARPA 2000 and ISCX2012. The completeness and soundness of the proposed model are measured to evaluate the overall correlation effectiveness.

Title: Blockchain and Federated Edge Learning for Privacy-Preserving Mobile Crowdsensing
Mobile crowdsensing (MCS), relying on the mobility of massive numbers of workers, helps a requestor accomplish various sensing tasks with more flexibility and lower cost. However, in conventional MCS, the large consumption of communication resources for raw data transmission and the high requirements on data storage and computing capability hinder potential requestors with limited resources from using MCS. To facilitate the widespread application of MCS, we propose a novel MCS learning framework leveraging blockchain technology and the new concept of edge intelligence based on federated learning (FL), which involves four major entities: requestors, the blockchain, edge servers, and mobile devices as workers. Even though there exist several studies on blockchain-based MCS and blockchain-based FL, they neither solve the essential challenge of accommodating resource-constrained requestors nor address the privacy concerns brought by the involvement of requestors and workers in the learning process. To fill these gaps, four main procedures, i.e., task publication, data sensing and submission, learning to return final results, and payment settlement and allocation, are designed to address major challenges brought by both internal and external threats, such as malicious edge servers and dishonest requestors. Specifically, a mechanism-design-based data submission rule is proposed to guarantee that the data privacy of mobile devices is truthfully preserved at edge servers; consortium-blockchain-based FL is elaborated to secure the distributed learning process; and a cooperation-enforcing control strategy is devised to elicit full payment from the requestor. Extensive simulations are carried out to evaluate the performance of our designed schemes.

Title: Scaling Blockchains: Can Elected Committees Help?
In the high-stakes race to develop more scalable blockchains, some platforms (Cosmos, EOS, TRON, etc.) have adopted committee-based consensus protocols, whereby the blockchain's record-keeping rights are entrusted to a committee of elected block producers. In theory, the smaller the committee, the faster the blockchain can reach consensus and the more it can scale. What is less clear is whether this mechanism ensures that honest committees can be consistently elected, given that voters typically have limited information. Using EOS' Delegated Proof of Stake (DPoS) protocol as a backdrop, we show that identifying the optimal voting strategy is complex and practically out of reach. We empirically characterize some simpler (suboptimal) voting strategies that token holders resort to in practice and show that these nonetheless converge to optimality, exponentially quickly. This yields efficiency gains over other PoS protocols that rely on randomized block producer selection. Our results suggest that (elected) committee-based consensus, as implemented in DPoS, can be robust and efficient, despite its complexity.

Title: Improving Dither Modulation based Robust Steganography by Overflow Suppression
Nowadays, people share their pictures on online social networks (OSNs), which makes OSNs a natural cover channel for steganography. But OSNs usually apply JPEG compression to uploaded images, which invalidates most existing steganography algorithms. Recently, some works have tried to design robust steganography that can resist JPEG compression, such as Dither Modulation-based robust Adaptive Steganography (DMAS) and Generalized dither Modulation-based robust Adaptive Steganography (GMAS). They relieve the problem that receivers cannot extract the message correctly when the quality factor of the channel's JPEG compression is larger than that of the cover image. However, they can only achieve limited resistance to detection and compression because of how the robust domain is selected. To overcome this problem, we carefully examine three lossy operations in JPEG recompression and find that the key problem is spatial overflow. Two preprocessing methods, Overall Scaling (OS) and Specific Truncation (ST), are then presented to remove overflow before message embedding and to generate a reference image. The reference image is employed as guidance to build an asymmetric distortion that removes overflow during embedding. Experimental results show that the proposed methods significantly surpass GMAS in terms of security and achieve comparable robustness.
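The overflow mechanism above can be shown without a DCT. The following is an added example, not the paper's code: dither-modulation (quantization index modulation) embedding applied directly to a sequence of 8-bit sample values, so that a lattice point chosen above 255 is visibly clipped by the container. Clipping alone does not flip a bit, but it eats the step/4 robustness margin, so mild recompression noise then decodes the wrong bit. A simple range truncation before embedding, a stand-in for the paper's Specific Truncation, keeps every chosen lattice point inside the pixel range. The real schemes embed in JPEG DCT coefficients with adaptive costs; here the cover values, message bits, step size and noise pattern are all constructed.

```python
"""Dither modulation (QIM) on 8-bit samples with spatial overflow (added example).

Embed -> clip to pixel range -> recompression noise -> clip -> extract.
Lattice points for bit b are k*step + b*step/2; extraction picks the nearer
sub-lattice, which survives any noise below step/4 unless clipping has already
moved the sample off its lattice point. Cover, bits, step and noise are constructed.
"""
import math

PIXEL_MAX = 255


def _nearest(value, step, bit):
    """Nearest point of sub-lattice `bit` (points k*step + bit*step/2)."""
    base = value - bit * step / 2.0
    k = math.floor(base / step + 0.5)          # round half up, deterministic
    return k * step + bit * step / 2.0


def qim_embed(cover, bits, step):
    return [_nearest(v, step, b) for v, b in zip(cover, bits)]


def qim_extract(samples, step):
    """Decode each sample to the bit whose sub-lattice point is closest."""
    out = []
    for v in samples:
        d0 = abs(v - _nearest(v, step, 0))
        d1 = abs(v - _nearest(v, step, 1))
        out.append(0 if d0 <= d1 else 1)
    return out


def clip(samples):
    """What an 8-bit pixel container does to out-of-range values."""
    return [min(max(v, 0.0), float(PIXEL_MAX)) for v in samples]


def truncate_cover(cover, step):
    """Pre-embedding truncation: keep values at least `step` from both ends, so
    every chosen lattice point (within step/2 of the cover value) stays in range."""
    return [min(max(v, step), PIXEL_MAX - step) for v in cover]


def recompression_noise(n, amplitude):
    """Constructed channel noise: alternating -/+ amplitude, kept below step/4."""
    return [(-amplitude if i % 2 == 0 else amplitude) for i in range(n)]


def simulate(cover, bits, step, noise_amp, truncate):
    """Return (samples that overflowed at embedding, bit errors after the channel)."""
    src = truncate_cover(cover, step) if truncate else list(cover)
    stego = qim_embed(src, bits, step)
    overflow = sum(1 for v in stego if v < 0 or v > PIXEL_MAX)
    stored = clip(stego)
    noise = recompression_noise(len(stored), noise_amp)
    received = clip([v + n for v, n in zip(stored, noise)])
    decoded = qim_extract(received, step)
    errors = sum(1 for a, b in zip(decoded, bits) if a != b)
    return overflow, errors


# Constructed cover: several samples sit near the top of the 8-bit range.
COVER = [254, 255, 253, 255, 120, 60, 200, 3, 0, 1]
BITS = [0, 1, 0, 0, 1, 0, 1, 0, 1, 1]
STEP = 8

if __name__ == "__main__":
    print("no preprocessing :", simulate(COVER, BITS, STEP, 1.5, truncate=False))
    print("with truncation  :", simulate(COVER, BITS, STEP, 1.5, truncate=True))
```

With step 8 the noise of 1.5 is within the step/4 = 2 margin, so the mid-range samples decode correctly in both runs; only the samples whose lattice point landed at 256 and were clipped to 255 lose their margin and flip. After truncation no lattice point leaves the range and the message survives the same channel intact.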

Title: A Novel Watermarking Approach for Protecting Image Integrity based on a Hybrid Security Technique
Digital photo images are everywhere around us: in journals, on walls, and over the Internet. However, we have to be aware that seeing does not always imply reality. Photo images have become a rich subject of manipulation thanks to advanced digital cameras as well as photo editing software. Accordingly, image forgery is becoming much easier with existing tools in terms of time and accuracy, and the forensic work of detecting an image forgery is becoming harder and needs ever more time and techniques to prove an image's originality, especially for crime evidence and court-related cases. In this paper, a framework with associated algorithms and methodologies is proposed to ensure the authenticity of the image and the integrity of its content, in addition to protecting the photo image against suspected forgery. The framework depends on developing a new generation of certified digital cameras that could produce authenticated and forgery-proof photos. The proposed methodology generates an irreversible hash integrity code from the image content based on color matrix calculations and steganography algorithms. The simulation results showed the capability of the proposed technique to detect image forgery in more than 16 manipulation scenarios.

Title: A robust watermarking algorithm for medical images
Integrated healthcare systems require the transmission of medical images between medical centers. The presence of watermarks in such images has become important for patient privacy protection. However, some important issues should be considered while watermarking an image: among them, the watermark should be robust against attacks and should not affect the quality of the image. In this paper, a watermarking approach employing a robust dynamic secret code is proposed. The approach processes every pixel of the digital image, not only the pixels of the regions of non-interest, while at the same time preserving the image details. The performance of the proposed approach is evaluated using several measures, such as the Mean Square Error (MSE), the Mean Absolute Error (MAE), the Peak Signal to Noise Ratio (PSNR), the Universal Image Quality Index (UIQI) and the Structural Similarity Index (SSIM). The proposed approach has been tested and shown to be robust in detecting intentional attacks that change the image, specifically its most important diagnostic information.

Title: HIDE & SEEK: Privacy-Preserving Rebalancing on Payment Channel Networks
Payment channels effectively move the transaction load off-chain thereby successfully addressing the inherent scalability problem most cryptocurrencies face. A major drawback of payment channels is the need to ``top up'' funds on-chain when a channel is depleted. Rebalancing was proposed to alleviate this issue, where parties with depleting channels move their funds along a cycle to replenish their channels off-chain. Protocols for rebalancing so far either introduce local solutions or compromise privacy.
In this work, we present an opt-in rebalancing protocol that is both private and globally optimal, meaning our protocol maximizes the total amount of rebalanced funds. We study rebalancing from the framework of linear programming. To obtain full privacy guarantees, we leverage multi-party computation in solving the linear program, which is executed by selected participants to maintain efficiency. Finally, we efficiently decompose the rebalancing solution into incentive-compatible cycles which conserve user balances when executed atomically.
Keywords: Payment Channel Networks, Privacy and Rebalancing.
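The last step above, turning a rebalancing solution into balance-conserving cycles, is mechanical enough to show. The following is an added example, not the HIDE & SEEK authors' code: the input is a circulation on payment channels (how much each party should push to each neighbour, the kind of vector the linear program would output), `decompose_cycles` splits it into simple cycles, and `execute_cycle` shifts funds along one cycle atomically so that every participant's total across its channels is unchanged. The channel balances and the flow are constructed; the LP itself is not reproduced.

```python
"""Cycle decomposition of a rebalancing circulation (added example, not the
paper's code). Channel balances, the flow and the node names are constructed.
"""
from collections import defaultdict


def is_circulation(flow):
    """Every node's inflow equals its outflow (balances will be conserved)."""
    net = defaultdict(float)
    for (u, v), amt in flow.items():
        if amt < 0:
            raise ValueError("flows must be non-negative")
        net[u] -= amt
        net[v] += amt
    return all(abs(x) < 1e-9 for x in net.values())


def decompose_cycles(flow):
    """Split a circulation into (cycle, amount) pairs. Each round walks
    positive-flow edges until a node repeats, extracts that simple cycle with
    the minimum residual flow on it, and subtracts it. The residual stays a
    circulation, so the walk can never get stuck."""
    if not is_circulation(flow):
        raise ValueError("not a circulation")
    residual = {e: a for e, a in flow.items() if a > 0}
    cycles = []
    while residual:
        start = next(iter(residual))[0]
        path, seen = [start], {start: 0}
        while True:
            u = path[-1]
            v = next(w for (x, w) in residual if x == u)
            if v in seen:
                cycle = path[seen[v]:]
                break
            seen[v] = len(path)
            path.append(v)
        edges = list(zip(cycle, cycle[1:] + cycle[:1]))
        amt = min(residual[e] for e in edges)
        for e in edges:
            residual[e] -= amt
            if residual[e] <= 1e-9:
                del residual[e]
        cycles.append((cycle, amt))
    return cycles


def channel_key(u, v):
    return tuple(sorted((u, v)))


def execute_cycle(channels, cycle, amt):
    """Atomically shift `amt` along the cycle: in channel {u,v}, u's side drops
    by amt and v's side rises by amt. Nothing changes if any hop lacks funds."""
    hops = list(zip(cycle, cycle[1:] + cycle[:1]))
    if any(channels[channel_key(u, v)][u] < amt for u, v in hops):
        return False
    for u, v in hops:
        ch = channels[channel_key(u, v)]
        ch[u] -= amt
        ch[v] += amt
    return True


def total_funds(channels):
    """Each party's funds summed over all its channels."""
    tot = defaultdict(float)
    for ch in channels.values():
        for party, bal in ch.items():
            tot[party] += bal
    return dict(tot)


def run_example():
    # Constructed channel state: {party: balance on its side}.
    channels = {
        ("A", "B"): {"A": 8, "B": 2},
        ("B", "C"): {"B": 9, "C": 1},
        ("A", "C"): {"A": 3, "C": 7},
        ("C", "D"): {"C": 6, "D": 0},
        ("B", "D"): {"B": 1, "D": 5},
    }
    # Constructed rebalancing solution (a circulation), e.g. an LP optimum.
    flow = {("A", "B"): 4, ("B", "C"): 6, ("C", "A"): 4, ("C", "D"): 2, ("D", "B"): 2}
    before = total_funds(channels)
    cycles = decompose_cycles(flow)
    executed = all(execute_cycle(channels, cyc, amt) for cyc, amt in cycles)
    return cycles, executed, before, total_funds(channels)


if __name__ == "__main__":
    print(run_example())
```

The flow decomposes into two cycles (A-B-C carrying 4 and B-C-D carrying 2), and after both execute every party holds exactly what it held before, only distributed differently across its channels: that is the conservation property the abstract asks of each cycle.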

Title: Blockchain Enabled Secure Authentication for Unmanned Aircraft Systems
The integration of air and ground smart vehicles is becoming a new paradigm of future transportation. A large number of smart unmanned vehicles, or UAS, will share the national airspace for various purposes, such as express delivery and surveillance. However, the proliferation of UAS also brings challenges for their safe integration into current Air Traffic Management (ATM) systems. In particular, since current Automatic Dependent Surveillance-Broadcast (ADS-B) systems have no message authentication mechanism, they cannot determine whether an authorized UAS is using the corresponding airspace. In this paper, we address these practical challenges in two ways. We first use a blockchain to provide a secure authentication platform for flight plan approval and sharing between the existing ATM facilities. We then use a fountain code to encode the authentication payloads and adapt them to the de facto communication protocol of ATM. This maintains backward compatibility and ensures the verification success rate over the noisy broadcast channel. We simulate realistic wireless communication scenarios and show analytically that the proposed authentication framework has low latency and is highly compatible with existing ATM communication protocols.

Title: Long Passphrases: Potentials and Limits
Passphrases offer an alternative to traditional passwords which aim to be stronger and more memorable. However, users tend to choose short passphrases with predictable patterns that may reduce the security they offer. To explore the potential of long passphrases, we formulate a set of passphrase policies and guidelines aimed at supporting their creation and use. Through a 39-day user study we analyze the usability and security of passphrases generated using our policies and guidelines. Our analysis indicates these policies lead to reasonable usability and promising security for some use cases, and that there are some common pitfalls in free-form passphrase creation. Our results suggest that our policies can support the use of long passphrases.

Title: DE-RSTC: A rational secure two-party computation protocol based on direction entropy
Rational secure multi-party computation (RSMC) lets two or more rational parties jointly compute a function on their private inputs. In the process, the rational parties choose strategies to maximize their utility, which can lead players to execute the protocol maliciously and undermine its fairness and correctness. To solve this problem, we leverage game theory to propose a direction-entropy-based solution. First, we use the direction vector of the direction entropy to examine a player's strategy uncertainty and quantify its strategy along different dimensions. Specifically, when a party chooses a cooperation strategy, the direction vector is positive and the information transmitted is positive; otherwise it is negative information. Then, we use mutual information to construct new utility functions for the players. Moreover, we measure the mutual information of the players to appraise their strategies. Finally, we prove the proposed protocol in detail and show that it resolves the fairness problem in rational secure two-party computation. We also prove that the proposed protocol reaches a Nash equilibrium. Furthermore, we conduct experiments using mutual information to construct utility, and the results show that the utility obtained when a player is honest is higher.

Title: Investigating Man-in-the-Middle-based False Data Injection in a Smart Grid Laboratory Environment
With the increasing use of information and communication technology in electrical power grids, the security of energy supply is increasingly threatened by cyber-attacks. Traditional cyber-security measures, such as firewalls or intrusion detection/prevention systems, can be used as mitigation and prevention measures, but their effective use requires a deep understanding of the potential threat landscape and complex attack processes in energy information systems. Given the complexity and lack of detailed knowledge of coordinated, timed attacks in smart grid applications, we need information and insight into realistic attack scenarios in an appropriate and practical setting. In this paper, we present a man-in-the-middle-based attack scenario that intercepts process communication between control systems and field devices, employs false data injection techniques, and performs data corruption such as sending false commands to field devices. We demonstrate the applicability of the presented attack scenario in a physical smart grid laboratory environment and analyze the generated data under normal and attack conditions to extract domain-specific knowledge for detection mechanisms.

Title: SPON: Enabling Resilient Inter-Ledgers Payments with an Intrusion-Tolerant Overlay
Payment systems are a critical component of everyday life in our society. While in many situations payments are still slow, opaque, siloed, expensive or even fail, users expect them to be fast, transparent, cheap, reliable and global. Recent technologies such as distributed ledgers create opportunities for near-real-time, cheaper and more transparent payments. However, in order to achieve a global payment system, payments should be possible not only within one ledger, but also across different ledgers and geographies. In this paper we propose Secure Payments with Overlay Networks (SPON), a service that enables global payments across multiple ledgers by combining the transaction exchange provided by the Interledger protocol with an intrusion-tolerant overlay of relay nodes to achieve (1) improved payment latency, (2) fault tolerance to benign failures such as node failures and network partitions, and (3) resilience to BGP hijacking attacks. We discuss the design goals and present an implementation based on the Interledger protocol and Spines overlay network. We analyze the resilience of SPON and demonstrate through experimental evaluation that it is able to improve payment latency, recover from path outages, withstand network partition attacks, and disseminate payments fairly across multiple ledgers. We also show how SPON can be deployed to make the communication between different ledgers resilient to BGP hijacking attacks.

Title: Model-Agnostic Meta-Attack: Towards Reliable Evaluation of Adversarial Robustness
The vulnerability of deep neural networks to adversarial examples has motivated an increasing number of defense strategies for promoting model robustness. However, the progress is usually hampered by insufficient robustness evaluations. As the de facto standard to evaluate adversarial robustness, adversarial attacks typically solve an optimization problem of crafting adversarial examples with an iterative process. In this work, we propose a Model-Agnostic Meta-Attack (MAMA) approach to discover stronger attack algorithms automatically. Our method learns the optimizer in adversarial attacks parameterized by a recurrent neural network, which is trained over a class of data samples and defenses to produce effective update directions during adversarial example generation. Furthermore, we develop a model-agnostic training algorithm to improve the generalization ability of the learned optimizer when attacking unseen defenses. Our approach can be flexibly incorporated with various attacks and consistently improves the performance with little extra computational cost. Extensive experiments demonstrate the effectiveness of the learned attacks by MAMA compared to the state-of-the-art attacks on different defenses, leading to a more reliable evaluation of adversarial robustness.

Title: Minimal Viable IO drivers for TrustZone
While TrustZone can isolate IO hardware, it lacks drivers for modern IO devices. Rather than porting drivers, we propose a novel approach to deriving minimum viable drivers: developers exercise a full driver and record the driver/device interactions; the processed recordings, dubbed driverlets, are replayed in the TEE at run time to access IO devices.
Driverlets address two key challenges: correctness and expressiveness, for which they build on a key construct called interaction template. The interaction template ensures faithful reproduction of recorded IO jobs (albeit on new IO data); it accepts dynamic input values; it tolerates nondeterministic device behaviors.
We demonstrate driverlets on a series of sophisticated devices, making them accessible to TrustZone for the first time to our knowledge. Our experiments show that driverlets are secure, easy to build, and incur acceptable overhead (1.4x-2.7x compared to native drivers). Driverlets fill a critical gap in the TrustZone TEE, realizing its long-promised vision of secure IO.

Title: Efficient Representations for Privacy-Preserving Inference
Deep neural networks have a wide range of applications across multiple domains such as computer vision and medicine. In many cases, the input of a model at inference time can consist of sensitive user data, which raises questions concerning the levels of privacy and trust guaranteed by such services. Much existing work has leveraged homomorphic encryption (HE) schemes that enable computation on encrypted data to achieve private inference for multi-layer perceptrons and CNNs. An early work along this direction was CryptoNets, which takes 250 seconds for one MNIST inference. The main limitation of such approaches is compute, due to the costly nature of the NTT (number theoretic transform) operations that constitute HE operations. Others have proposed the use of model pruning and efficient data representations to reduce the number of HE operations required. In this paper, we focus on improving upon existing work by proposing changes to the representations of intermediate tensors during CNN inference. We construct and evaluate private CNNs on the MNIST and CIFAR-10 datasets, and achieve over a two-fold reduction in the number of operations used for inferences of the CryptoNets architecture.

Title: Adversarial Attacks on Gaussian Process Bandits
Gaussian processes (GP) are a widely-adopted tool used to sequentially optimize black-box functions, where evaluations are costly and potentially noisy. Recent works on GP bandits have proposed to move beyond random noise and devise algorithms robust to adversarial attacks. In this paper, we study this problem from the attacker's perspective, proposing various adversarial attack methods with differing assumptions on the attacker's strength and prior information. Our goal is to understand adversarial attacks on GP bandits from both a theoretical and practical perspective. We focus primarily on targeted attacks on the popular GP-UCB algorithm and a related elimination-based algorithm, based on adversarially perturbing the function $f$ to produce another function $\tilde{f}$ whose optima are in some region $\mathcal{R}_{\rm target}$. Based on our theoretical analysis, we devise both white-box attacks (known $f$) and black-box attacks (unknown $f$), with the former including a Subtraction attack and Clipping attack, and the latter including an Aggressive subtraction attack. We demonstrate that adversarial attacks on GP bandits can succeed in forcing the algorithm towards $\mathcal{R}_{\rm target}$ even with a low attack budget, and we compare our attacks' performance and efficiency on several real and synthetic functions.

Title: DPNAS: Neural Architecture Search for Deep Learning with Differential Privacy
Training deep neural networks (DNNs) with meaningful differential privacy (DP) guarantees severely degrades model utility. In this paper, we demonstrate that the architecture of a DNN has a significant impact on model utility in the context of private deep learning, an effect largely unexplored in previous studies. To fill this gap, we propose the first framework that employs neural architecture search to automate model design for private deep learning, dubbed DPNAS. To integrate private learning with architecture search, we carefully design a novel search space and propose a DP-aware method for training candidate models. We empirically verify the effectiveness of the proposed framework. The searched model, DPNASNet, achieves state-of-the-art privacy/utility trade-offs, e.g., for the privacy budget $(\epsilon, \delta)=(3, 1\times10^{-5})$, our model obtains test accuracy of $98.57\%$ on MNIST, $88.09\%$ on FashionMNIST, and $68.33\%$ on CIFAR-10. Furthermore, by studying the generated architectures, we provide several intriguing findings on designing private-learning-friendly DNNs, which can shed new light on model design for deep learning with differential privacy.

Title: Making Existing Software Quantum Safe: Lessons Learned
In the era of quantum computing, Shor's algorithm running on quantum computers (QCs) can break asymmetric encryption algorithms that classical computers essentially cannot. QCs, with the help of Grover's algorithm, can also speed up the breaking of symmetric encryption algorithms. Though the exact date when QCs will become "dangerous" for practical problems is unknown, the consensus is that this future is near. Thus, one needs to start preparing for the era of quantum advantage and ensure quantum safety proactively.
In this paper, we discuss the effect of quantum advantage on existing software systems and recap our seven-step roadmap, dubbed 7E. The roadmap gives developers a structured way to start preparing for the quantum advantage era. We then report the results of a case study that validates 7E. Our software under study is the IBM Db2 database system, where we upgrade the existing cryptographic schemes to post-quantum cryptography (using the Kyber and Dilithium schemes) and report our findings and lessons learned. The outcome of the study shows that the 7E roadmap is effective in helping to plan the evolution of existing software security features towards quantum safety.

Title: Noise-Augmented Privacy-Preserving Empirical Risk Minimization with Dual-purpose Regularizer and Privacy Budget Retrieval and Recycling
We propose Noise-Augmented Privacy-Preserving Empirical Risk Minimization (NAPP-ERM), which solves ERM with differential privacy guarantees. Existing privacy-preserving ERM approaches may be subject to over-regularization through the use of an l2 term to achieve strong convexity on top of the target regularization. NAPP-ERM improves over current approaches and mitigates over-regularization by iteratively realizing the target regularization through appropriately designed augmented data and delivering strong convexity via a single adaptively weighted dual-purpose l2 regularizer. When the target regularization is for variable selection, we propose a new regularizer that achieves both privacy and sparsity guarantees simultaneously. Finally, we propose a strategy to retrieve privacy budget once the strong convexity requirement is met; the retrieved budget can be returned to users, so that the DP of ERM is guaranteed at a lower privacy cost than originally planned, or recycled into the ERM optimization procedure to reduce the injected DP noise and improve the utility of DP-ERM. From an implementation perspective, NAPP-ERM can be realized by optimizing a non-perturbed objective function given noise-augmented data, and can thus leverage existing tools for non-private ERM optimization. We illustrate through extensive experiments the mitigation of over-regularization and the privacy budget retrieval achieved by NAPP-ERM on variable selection and prediction.

Title: Black-box Adversarial Attacks on Network-wide Multi-step Traffic State Prediction Models
Traffic state prediction is necessary for many Intelligent Transportation Systems applications. Recent developments of the topic have focused on network-wide, multi-step prediction, where state-of-the-art performance is achieved via deep learning models, in particular graph neural network-based models. While the prediction accuracy of deep learning models is high, their robustness has raised many safety concerns, given that imperceptible perturbations added to the input can substantially degrade model performance. In this work, we propose an adversarial attack framework that treats the prediction model as a black box, i.e., assuming no knowledge of the model architecture, training data, and (hyper)parameters. However, we assume that the adversary can query the prediction model as an oracle with any input and obtain the corresponding output. The adversary can then train a substitute model on the input-output pairs and generate adversarial signals based on the substitute model. To test the attack's effectiveness, two state-of-the-art graph neural network-based models (GCGRNN and DCRNN) are examined. As a result, the adversary can degrade the target model's prediction accuracy by up to $54\%$. For comparison, two conventional statistical models (linear regression and historical average) are also examined. While these two models do not produce high prediction accuracy, they are either influenced negligibly (less than $3\%$) or are immune to the adversary's attack.

Title: Adapting Membership Inference Attacks to GNN for Graph Classification: Approaches and Implications
Graph Neural Networks (GNNs) are widely adopted to analyse non-Euclidean data, such as chemical networks, brain networks, and social networks, modelling complex relationships and interdependency between objects. Recently, Membership Inference Attack (MIA) against GNNs has raised severe privacy concerns, where training data can be leaked from trained GNN models. However, prior studies focus on inferring the membership of only the components in a graph, e.g., an individual node or edge. How to infer the membership of an entire graph record is yet to be explored.
In this paper, we take the first step in MIA against GNNs for graph-level classification. Our objective is to infer whether a graph sample has been used for training a GNN model. We present and implement two types of attacks, i.e., training-based attacks and threshold-based attacks, from different adversarial capabilities. We perform comprehensive experiments to evaluate our attacks on seven real-world datasets using five representative GNN models. Both our attacks are shown to be effective and can achieve high performance, i.e., reaching over 0.7 attack F1 scores in most cases. Furthermore, we analyse the implications behind the MIA against GNNs. Our findings confirm that GNNs can be even more vulnerable to MIA than the models with non-graph structures. And unlike the node-level classifier, MIAs on graph-level classification tasks are more correlated with the overfitting level of GNNs rather than the statistical properties of their training graphs.
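A threshold-based attack of the kind described above, and its dependence on overfitting, can be shown on the classifier's output posteriors alone. The following is an added example and not the paper's code: the GNN is replaced by constructed softmax posteriors for member and non-member graphs, where `overfit_gap` is an assumed parameter controlling how much more confident the model is on its training graphs (0 means member and non-member outputs are indistinguishable). The attacker picks the confidence threshold on shadow data with known membership, then applies it to the target model's outputs and reports F1, the metric the abstract uses.

```python
import random


def max_confidence(posterior):
    """Attack signal: the top softmax probability of the graph classifier."""
    return max(posterior)


def simulate_model_outputs(n, overfit_gap, seed):
    """Constructed stand-in for a graph classifier's 3-class posteriors on n member
    and n non-member graphs. Members get a higher top probability on average by
    overfit_gap; this is an assumption standing in for a real model's behaviour."""
    rng = random.Random(seed)

    def posterior(top):
        top = min(max(top, 1 / 3), 0.999)  # keep it a valid softmax vector
        rest = (1.0 - top) / 2
        return [top, rest, rest]

    members = [posterior(rng.gauss(0.6 + overfit_gap, 0.1)) for _ in range(n)]
    nonmembers = [posterior(rng.gauss(0.6, 0.1)) for _ in range(n)]
    return members, nonmembers


def attack_f1(tau, members, nonmembers):
    """F1 of the rule 'member iff max confidence >= tau' against known labels."""
    tp = sum(1 for p in members if max_confidence(p) >= tau)
    fn = len(members) - tp
    fp = sum(1 for p in nonmembers if max_confidence(p) >= tau)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return 2 * precision * recall / (precision + recall) if precision + recall else 0.0


def choose_threshold(shadow_members, shadow_nonmembers):
    """Pick tau maximising F1 on shadow data the attacker controls; every observed
    confidence value is a candidate threshold."""
    candidates = sorted({max_confidence(p) for p in shadow_members + shadow_nonmembers})
    best_f1, best_tau = -1.0, candidates[0]
    for tau in candidates:
        f1 = attack_f1(tau, shadow_members, shadow_nonmembers)
        if f1 > best_f1:
            best_f1, best_tau = f1, tau
    return best_tau


def evaluate(overfit_gap, n=500):
    """Calibrate on a shadow model (seed 1), attack the target model (seed 2)."""
    shadow_m, shadow_n = simulate_model_outputs(n, overfit_gap, seed=1)
    tau = choose_threshold(shadow_m, shadow_n)
    target_m, target_n = simulate_model_outputs(n, overfit_gap, seed=2)
    return tau, attack_f1(tau, target_m, target_n)


if __name__ == "__main__":
    for gap in (0.0, 0.1, 0.3):
        tau, f1 = evaluate(gap)
        print(f"overfit_gap={gap:.1f} threshold={tau:.3f} attack F1={f1:.3f}")
```

With no confidence gap the best the attacker can do on balanced data is roughly the F1 of guessing "member" for everything (about 0.67), so an F1 well above that is the signature of membership leakage. A training-based attack replaces `choose_threshold` with a classifier trained on the shadow posteriors, but draws on the same overfitting-induced separation.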

Title: Storage and Authentication of Audio Footage for IoAuT Devices Using Distributed Ledger Technology
Detection of fabricated or manipulated audio content to prevent, e.g., distribution of forgeries in digital media, is crucial, especially in political and reputational contexts. Better tools for protecting the integrity of media creation are desired. Within the paradigm of the Internet of Audio Things (IoAuT), we discuss the ability of the IoAuT network to verify the authenticity of original audio using distributed ledger technology. By storing audio recordings in combination with associated recording-specific metadata obtained by the IoAuT capturing device, this architecture enables secure distribution of original audio footage, authentication of unknown audio content, and referencing of original audio material in future derivative works. By developing a proof-of-concept system, the feasibility of the proposed architecture is evaluated and discussed.
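The core of the architecture described above, registering a recording together with device-supplied metadata on an append-only ledger and later authenticating unknown audio against it, can be sketched without any blockchain client. The following is an added example, not the paper's proof-of-concept: a hash chain stands in for the distributed ledger, the capture device binds the audio digest and metadata with an HMAC under a per-device key (an assumption made to stay within the standard library; a real deployment would use an asymmetric signature so that verifiers need no secret), and the audio bytes and metadata are constructed inline.

```python
import hashlib
import hmac
import json

# Constructed per-device secret, assumed to be provisioned into the IoAuT capture
# device and known to the ledger's verifier. Hypothetical value for illustration.
DEVICE_KEYS = {"mic-0042": b"\x13" * 32}


def audio_digest(audio_bytes):
    return hashlib.sha256(audio_bytes).hexdigest()


def canonical(obj):
    """Deterministic JSON so that every party hashes the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def device_tag(device_id, digest, metadata):
    """Capture-device attestation over the audio digest and its metadata."""
    return hmac.new(DEVICE_KEYS[device_id], canonical({"audio_sha256": digest, "metadata": metadata}),
                    hashlib.sha256).hexdigest()


class AudioLedger:
    """Append-only hash chain: each block commits to the previous block hash, the
    audio digest, the device metadata and the device's tag over both."""

    def __init__(self):
        self.blocks = []

    @staticmethod
    def block_hash(block):
        return hashlib.sha256(canonical({k: v for k, v in block.items() if k != "block_hash"})).hexdigest()

    def register(self, audio_bytes, metadata, tag):
        digest = audio_digest(audio_bytes)
        # Refuse records whose device attestation does not verify.
        expected = device_tag(metadata["device_id"], digest, metadata)
        if not hmac.compare_digest(expected, tag):
            raise ValueError("device tag does not verify")
        prev = self.blocks[-1]["block_hash"] if self.blocks else "0" * 64
        block = {"index": len(self.blocks), "prev_hash": prev,
                 "audio_sha256": digest, "metadata": metadata, "device_tag": tag}
        block["block_hash"] = self.block_hash(block)
        self.blocks.append(block)
        return block

    def verify_chain(self):
        """Recompute every link; any edited block or broken link fails."""
        prev = "0" * 64
        for i, block in enumerate(self.blocks):
            if block["index"] != i or block["prev_hash"] != prev:
                return False
            if self.block_hash(block) != block["block_hash"]:
                return False
            tag = device_tag(block["metadata"]["device_id"], block["audio_sha256"], block["metadata"])
            if not hmac.compare_digest(tag, block["device_tag"]):
                return False
            prev = block["block_hash"]
        return True

    def authenticate(self, audio_bytes):
        """Return the registration block for unknown audio, or None if it does not
        match any registered original bit for bit."""
        digest = audio_digest(audio_bytes)
        return next((b for b in self.blocks if b["audio_sha256"] == digest), None)


def demo():
    # Constructed recording and metadata; real devices would report their own.
    audio = b"RIFF....WAVEfmt " + bytes(range(256)) * 4
    meta = {"device_id": "mic-0042", "captured_at": "2021-06-01T12:00:00Z",
            "sample_rate": 48000, "location": "studio-B"}
    ledger = AudioLedger()
    ledger.register(audio, meta, device_tag("mic-0042", audio_digest(audio), meta))
    original_ok = ledger.authenticate(audio) is not None
    edited_rejected = ledger.authenticate(audio[:-1] + b"\x00") is None
    return ledger, original_ok, edited_rejected


if __name__ == "__main__":
    ledger, ok, rejected = demo()
    print("chain valid:", ledger.verify_chain(), "original found:", ok, "edited rejected:", rejected)
```

Two caveats a practitioner would want: the match is exact, so any re-encoding or trimming of a genuine recording fails authentication and must instead be traced through the referencing mechanism for derivative works; and the ledger only vouches for what the capture device attested, so the device key (here an HMAC secret) and write access to the ledger are the real trust anchors.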

Title: Poisoning Attacks on Fair Machine Learning
Both fair machine learning and adversarial learning have been extensively studied. However, attacking fair machine learning models has received less attention. In this paper, we present a framework that seeks to effectively generate poisoning samples to attack both model accuracy and algorithmic fairness. Our attacking framework can target fair machine learning models trained with a variety of group-based fairness notions such as demographic parity and equalized odds. We develop three online attacks: adversarial sampling, adversarial labeling, and adversarial feature modification. All three attacks effectively and efficiently produce poisoning samples via sampling, labeling, or modifying a fraction of training data in order to reduce the test accuracy. Our framework enables attackers to flexibly adjust the attack's focus on prediction accuracy or fairness and accurately quantify the impact of each candidate point on both accuracy loss and fairness violation, thus producing effective poisoning samples. Experiments on two real datasets demonstrate the effectiveness and efficiency of our framework.

Title: An Empirical Study of Protocols in Smart Contracts
Smart contracts are programs that are executed on a blockchain. They have been used for applications in voting, decentralized finance, and supply chain management. However, vulnerabilities in smart contracts have been abused by hackers, leading to financial losses. Understanding state machine protocols in smart contracts has been identified as important to catching common bugs, improving documentation, and optimizing smart contracts. We analyze Solidity smart contracts deployed on the Ethereum blockchain and study the prevalence of protocols and protocol-based bugs, as well as opportunities for gas optimizations.

Title: When Are Linear Stochastic Bandits Attackable?
We study adversarial attacks on linear stochastic bandits, a sequential decision making problem with many important applications in recommender systems, online advertising, medical treatment, etc. By manipulating the rewards, an adversary aims to control the behaviour of the bandit algorithm. Perhaps surprisingly, we first show that some attack goals can never be achieved. This is in sharp contrast to context-free stochastic bandits, and is intrinsically due to the correlation among arms in linear stochastic bandits. Motivated by this observation, this paper studies the attackability of a $k$-armed linear bandit environment. We first provide a complete necessary and sufficient characterization of attackability based on the geometry of the context vectors. We then propose a two-stage attack method against LinUCB and Robust Phase Elimination. The method first asserts whether the current environment is attackable, and if yes, modifies the rewards to force the algorithm to pull a target arm a linear number of times using only a sublinear cost. Numerical experiments further validate the effectiveness and cost-efficiency of the proposed method.

Title: Ctrl-Shift: How Privacy Sentiment Changed from 2019 to 2021
People's privacy sentiments drive changes in legislation and may influence their willingness to use a variety of technologies. While single-point-in-time investigations of privacy sentiment offer useful insight, longitudinal study of people's privacy sentiments is necessary to better understand and anticipate evolving privacy attitudes. In this work, we use longitudinal survey data (n=6,676) to model Americans' sentiments toward collection and use of data for government- and health-related purposes in 2019, 2020 and 2021. After the onset of COVID-19, we observe significant changes in Americans' privacy sentiments toward government- and health-related data uses and find that Americans' privacy attitudes largely converged on these topics. We observe additional changes in the context of other national events such as the U.S. presidential elections and Black Lives Matter protests. Our results offer insight into how privacy attitudes may have been impacted by recent events, and these results allow us to identify potential predictors of changes in privacy attitudes during times of geopolitical (e.g., global pandemic) or national (e.g., political elections, the rise of the Black Lives Matter movement) change.

Title: Hybrid PUF: A Novel Way to Enhance the Security of Classical PUFs
Physical unclonable functions provide a unique 'fingerprint' to a physical entity by exploiting the inherent physical randomness. With the help of quantum information theory, this paper proposes solutions to protect PUFs against machine learning-based attacks. Here, based on the querying capability, we first divide the adversaries into two classes, namely adaptive and weak adversaries. We also modify an existing security notion, universal unforgeability, to capture the power of those two classes of adversaries. We then introduce the notion of a hybrid PUF (HPUF), using a classical PUF and quantum conjugate coding. This construction encodes the output of a classical PUF in non-orthogonal quantum states. We show that the indistinguishability of those states can significantly enhance the security of the classical PUFs against weak adversaries. Moreover, we show that learning the underlying classical PUF from the outputs of our HPUF construction is at least as hard as learning the classical PUF from its random noisy outputs. To prevent the adversaries from querying the PUFs adaptively, we borrow ideas from a classical lockdown technique and apply them to our hybrid PUF. We show that the hybrid PUFs, together with the lockdown technique, termed hybrid locked PUF (HLPUF), can provide a secure client authentication protocol against adaptive adversaries and are implementable with current-day quantum communication technology. Moreover, we show that HLPUF allows the server to reuse the challenges for further client authentication, providing an efficient solution for running a PUF-based client authentication protocol for a longer period while maintaining a small challenge-response pair database on the server side. Finally, we explore the lockdown technique with quantum PUF and show that the direct adaptation of the classical lockdown technique will not work with fully quantum PUFs.

Title: Protecting Anonymous Speech: A Generative Adversarial Network Methodology for Removing Stylistic Indicators in Text
With Internet users constantly leaving a trail of text, whether through blogs, emails, or social media posts, the ability to write and protest anonymously is being eroded because artificial intelligence, when given a sample of previous work, can match text with its author out of hundreds of possible candidates. Existing approaches to authorship anonymization, also known as authorship obfuscation, often focus on protecting binary demographic attributes rather than identity as a whole. Even those that do focus on obfuscating identity require manual feedback, lose the coherence of the original sentence, or only perform well given a limited subset of authors. In this paper, we develop a new approach to authorship anonymization by constructing a generative adversarial network that protects identity and optimizes for three different losses corresponding to anonymity, fluency, and content preservation. Our fully automatic method achieves comparable results to other methods in terms of content preservation and fluency, but greatly outperforms baselines in regards to anonymization. Moreover, our approach is able to generalize well to an open-set context and anonymize sentences from authors it has not encountered before.

