References of "Tang, Qiang 50003174"
     in
Bookmark and Share    
Full Text
Peer Reviewed
See detailThe Price of Privacy in Collaborative Learning
Pejo, Balazs UL; Tang, Qiang UL; Gergely, Biczok

Poster (2018, October)

Machine learning algorithms have reached mainstream status and are widely deployed in many applications. The accuracy of such algorithms depends significantly on the size of the underlying training ... [more ▼]

Machine learning algorithms have reached mainstream status and are widely deployed in many applications. The accuracy of such algorithms depends significantly on the size of the underlying training dataset; in reality a small or medium sized organization often does not have enough data to train a reasonably accurate model. For such organizations, a realistic solution is to train machine learning models based on a joint dataset (which is a union of the individual ones). Unfortunately, privacy concerns prevent them from straightforwardly doing so. While a number of privacy-preserving solutions exist for collaborating organizations to securely aggregate the parameters in the process of training the models, we are not aware of any work that provides a rational framework for the participants to precisely balance the privacy loss and accuracy gain in their collaboration. In this paper, we model the collaborative training process as a two-player game where each player aims to achieve higher accuracy while preserving the privacy of its own dataset. We introduce the notion of Price of Privacy, a novel approach for measuring the impact of privacy protection on the accuracy in the proposed framework. Furthermore, we develop a game-theoretical model for different player types, and then either find or prove the existence of a Nash Equilibrium with regard to the strength of privacy protection for each player. [less ▲]

Detailed reference viewed: 124 (5 UL)
Full Text
Peer Reviewed
See detailTwo More Efficient Variants of the J-PAKE Protocol
Skrobot, Marjan UL; Lancrenon, Jean UL; Tang, Qiang UL

in ACNS 2016 (2016, June)

Recently, the password-authenticated key exchange protocol J-PAKE of Hao and Ryan (Workshop on Security Protocols 2008) was formally proven secure in the algebraic adversary model by Abdalla et al. (IEEE ... [more ▼]

Recently, the password-authenticated key exchange protocol J-PAKE of Hao and Ryan (Workshop on Security Protocols 2008) was formally proven secure in the algebraic adversary model by Abdalla et al. (IEEE S&P 2015). In this paper, we propose and examine two variants of J-PAKE - which we call RO-J-PAKE and CRS-J-PAKE - that each makes the use of two less zero-knowledge proofs than the original protocol. We show that they are provably secure following a similar strategy to that of Abdalla et al. We also study their efficiency as compared to J-PAKE's, also taking into account how the groups are chosen. Namely, we treat the cases of subgroups of finite fields and elliptic curves. Our work reveals that, for subgroups of finite fields, CRS-J-PAKE is indeed more efficient than J-PAKE, while RO-J-PAKE is much less efficient. On the other hand, when instantiated with elliptic curves, both RO-J-PAKE and CRS-J-PAKE are more efficient than J-PAKE, with CRS-J-PAKE being the best of the three. We illustrate this experimentally, making use of recent research by Brier et al. (CRYPTO 2010). Regardless of implementation, we note that RO-J-PAKE enjoys a looser security reduction than both J-PAKE and CRS-J-PAKE. CRS-J-PAKE has the tightest security proof, but relies on an additional trust assumption at setup time. We believe our results can be useful to anyone interested in implementing J-PAKE, as perhaps either of these two new protocols may also be options, depending on the deployment context. [less ▲]

Detailed reference viewed: 211 (30 UL)
Full Text
Peer Reviewed
See detailOn the power of Public-key Function-Private Functional Encryption
Iovino, Vincenzo UL; Tang, Qiang UL; Zebrowski, Karol

in 15th International Conference on Cryptology and Network Security (2016)

In the public-key setting, known constructions of function-private functional encryption (FPFE) were limited to very restricted classes of functionalities like inner-product [Agrawal et al. - PKC 2015 ... [more ▼]

In the public-key setting, known constructions of function-private functional encryption (FPFE) were limited to very restricted classes of functionalities like inner-product [Agrawal et al. - PKC 2015]. Moreover, its power has not been well investigated. In this paper, we construct FPFE for general functions and explore its powerful applications, both for general and specific functionalities. As warmup, we construct from FPFE a natural generalization of a signature scheme endowed with functional properties, that we call functional anonymous signature (FAS) scheme. In a FAS, Alice can sign a circuit C chosen from some distribution D to get a signature s and can publish a verification key that allows anybody holding a message m to verify that (1) s is a valid signature of Alice for some (possibly unknown to him) circuit C and (2) C(m)=1. Beyond unforgeability the security of FAS guarantees that the signature s hide as much information as possible about C except what can be inferred from knowledge of D. Then, we show that FPFE can be used to construct in a black-box way functional encryption schemes for randomized functionalities (RFE). %Previous constructions of (public-key) RFE relied on iO [Goyal et al. - TCC 2015]. As further application, we show that specific instantiations of FPFE can be used to achieve adaptively-secure CNF/DNF encryption for bounded degree formulae (BoolEnc). Though it was known how to implement BoolEnc from inner-product encryption (IPE) [Katz et al. - EUROCRYPT 2008], as already observed by Katz et al. this reduction only works for selective security and completely breaks down for adaptive security; however, we show that the reduction works if the IPE scheme is function-private. Finally, we present a general picture of the relations among all these related primitives. One key observation is that Attribute-based Encryption with function privacy implies FE, a notable fact that sheds light on the importance of the function privacy property for FE. [less ▲]

Detailed reference viewed: 147 (12 UL)
Full Text
Peer Reviewed
See detailPrivacy-Preserving Context-Aware Recommender Systems: Analysis and New Solutions
Tang, Qiang UL; Wang, Jun UL

in Computer Security - ESORICS 2015 - 20th European Symposium on Research in Computer Security (2015, September)

Nowadays, recommender systems have become an indispens- able part of our daily life and provide personalized services for almost everything. However, nothing is for free – such systems have also upset the ... [more ▼]

Nowadays, recommender systems have become an indispens- able part of our daily life and provide personalized services for almost everything. However, nothing is for free – such systems have also upset the society with severe privacy concerns because they accumulate a lot of personal information in order to provide recommendations. In this work, we construct privacy-preserving recommendation protocols by incorpo- rating cryptographic techniques and the inherent data characteristics in recommender systems. We first revisit the protocols by Jeckmans et al. and show a number of security issues. Then, we propose two privacy- preserving protocols, which compute predicted ratings for a user based on inputs from both the user’s friends and a set of randomly chosen strangers. A user has the flexibility to retrieve either a predicted rating for an unrated item or the Top-N unrated items. The proposed protocols prevent information leakage from both protocol executions and the pro- tocol outputs. Finally, we use the well-known MovieLens 100k dataset to evaluate the performances for different parameter sizes. [less ▲]

Detailed reference viewed: 135 (15 UL)
Full Text
Peer Reviewed
See detailKey Recovery Attacks Against NTRU-Based Somewhat Homomorphic Encryption Schemes
Chenal, Massimo UL; Tang, Qiang UL

in Information Security - 18th International Conference, ISC 2015 (2015, September)

A key recovery attack allows an attacker to recover the pri- vate key of an underlying encryption scheme when given a number of decryption oracle accesses. Previous research has shown that most exist- ing ... [more ▼]

A key recovery attack allows an attacker to recover the pri- vate key of an underlying encryption scheme when given a number of decryption oracle accesses. Previous research has shown that most exist- ing Somewhat Homomorphic Encryption (SHE) schemes su er from this attack. In this paper, we propose e cient key recovery attacks against two NTRU-based SHE schemes due to Lopez-Alt et al. (2012) and Bos et al. (2013), which have not gained much attention in the literature. Paral- lel to our work, Dahab, Galbraith and Morais (2015) have also proposed similar attacks but only for speci c parameter settings. In comparison, our attacks apply to all parameter settings and are more e cient. [less ▲]

Detailed reference viewed: 126 (4 UL)
Full Text
Peer Reviewed
See detailExtend the Concept of Public Key Encryption with Delegated Search
Tang, Qiang UL; Ma, Hua; Chen, Xiaofeng

in Computer Journal (2015), 58(4), 11

We revisit the concept of public key encryption with delegated keyword search (PKEDS), a concept proposed by Ibraimi et al. A PKEDS scheme allows a receiver to authorize a third-party server to search in ... [more ▼]

We revisit the concept of public key encryption with delegated keyword search (PKEDS), a concept proposed by Ibraimi et al. A PKEDS scheme allows a receiver to authorize a third-party server to search in two ways: either according to a message chosen by the server itself or according to a trapdoor sent by the receiver.We first show some observations on the primitive formulation and the proposed PKEDS scheme by Ibraimi et al. and point out that the single-server setting may limit the application of this primitive. We then extend the concept to the multiple-server setting and present a new security model. We finally propose a new PKEDS scheme, which is proven secure, and compare it with that by Ibraimi et al. [less ▲]

Detailed reference viewed: 86 (1 UL)
Full Text
Peer Reviewed
See detailTowards Forward Security Properties for PEKS and IBE
Tang, Qiang UL

in Information Security and Privacy - 20th Australasian Conference, ACISP 2015 (2015)

In cryptography, forward secrecy is a well-known property for key agreement protocols. It ensures that a session key will remain private even if one of the long-term secret keys is compromised in the ... [more ▼]

In cryptography, forward secrecy is a well-known property for key agreement protocols. It ensures that a session key will remain private even if one of the long-term secret keys is compromised in the future. In this paper, we investigate some forward security properties for Public-key Encryption with Keyword Search (PEKS) schemes, which allow a client to store encrypted data and delegate search operations to a server. The proposed properties guarantee that the client’s privacy is protected to the maximum extent even if his private key is compromised in the future. Motivated by the generic transformation from anonymous Identity-Based Encryption (IBE) to PEKS, we correspondingly propose some forward security properties for IBE, in which case we assume the attacker learns the master secret key. We then study several existing PEKS and IBE schemes, including a PEKS scheme by Nishioka, an IBE scheme by Boneh, Raghunathan and Segev, and an IBE scheme by Arriaga, Tang and Ryan. Our analysis indicates that the proposed forward security properties can be achieved by some of these schemes if the attacker is RO-non-adaptive (the attacker does not define its distributions based on the random oracle). Finally, we propose the concept of correlated-input indistinguishable hash function and show how to extend the Boyen-Waters anonymous IBE scheme to achieve the forward security properties against adaptive attackers. [less ▲]

Detailed reference viewed: 72 (1 UL)
Full Text
Peer Reviewed
See detailMethods to Mitigate Risk of Composition Attack in Independent Data Publications
Li, Jiuyong; Sattar, Sarowar A.; Baig, Muzammil M. et al

in Medical Data Privacy Handbook 2015 (2015)

Data publication is a simple and cost-effective approach for data sharing across organizations. Data anonymization is a central technique in privacy preserving data publications. Many methods have been ... [more ▼]

Data publication is a simple and cost-effective approach for data sharing across organizations. Data anonymization is a central technique in privacy preserving data publications. Many methods have been proposed to anonymize individual datasets and multiple datasets of the same data publisher. In real life, a dataset is rarely isolated and two datasets published by two organizations may contain the records of the same individuals. For example, patients might have visited two hospitals for follow-up or specialized treatment regarding a disease, and their records are independently anonymized and published. Although each published dataset poses a small privacy risk, the intersection of two datasets may severely compromise the privacy of the individuals. The attack using the intersection of datasets published by different organizations is called a composition attack. Some research work has been done to study methods for anonymizing data to prevent a composition attack for independent data releases where one data publisher has no knowledge of records of another data publisher. In this chapter, we discuss two exemplar methods, a randomization based and a generalization based approaches, to mitigate risks of composition attacks. In the randomization method, noise is added to the original values to make it difficult for an adversary to pinpoint an individual’s record in a published dataset. In the generalization method, a group of records according to potentially identifiable attributes are generalized to the same so that individuals are indistinguishable. We discuss and experimentally demonstrate the strengths and weaknesses of both types of methods. We also present a mixed data publication framework where a small proportion of the records are managed and published centrally and other records are managed and published locally in different organizations to reduce the risk of the composition attack and improve the overall utility of the data. [less ▲]

Detailed reference viewed: 75 (1 UL)
Full Text
Peer Reviewed
See detailNew Algorithms for Secure Outsourcing of Modular Exponentiations
Chen, Xiaofeng; Li, Jin; Ma, Jianfeng et al

in IEEE Trans. Parallel Distrib. Syst. (2014), 25(9), 2386-2396

With the rapid development in availability of cloud services, the techniques for securely outsourcing the prohibitively expensive computations to untrusted servers are getting more and more attentions in ... [more ▼]

With the rapid development in availability of cloud services, the techniques for securely outsourcing the prohibitively expensive computations to untrusted servers are getting more and more attentions in the scientific community. Exponentiations modulo a large prime have been considered the most expensive operation in discrete-logarithm based cryptographic protocols, and the computationally limited devices such as RFID tags or smartcard may be incapable to accomplish these operations. Therefore, it is meaningful to present an efficient method to securely outsource most of this work-load to (untrusted) cloud servers. In this paper, we propose a new secure outsourcing algorithm for (variable-exponent, variable-base) exponentiation modular a prime in the two untrusted program model. Compared with the state-of-the-art algorithm \cite{HL05}, the proposed algorithm is superior in both efficiency and checkability. We then utilize this algorithm as a subroutine to achieve outsource-secure Cramer-Shoup encryptions and Schnorr signatures. Besides, we propose the first outsource-secure and efficient algorithm for simultaneous modular exponentiations. Moreover, we formally prove that both the algorithms can achieve the desired security notions. We also provide the experimental evaluation that demonstrates the efficiency and effectiveness of the proposed outsourcing algorithms and schemes. [less ▲]

Detailed reference viewed: 187 (12 UL)
Full Text
Peer Reviewed
See detailEfficient Algorithms for Secure Outsourcing of Bilinear Pairings
Chen, Xiaofeng; Susilo, Willy; Li, Jin et al

in Theoretical Computer Science (2014)

The computation of bilinear pairings has been considered the most expensive operation in pairing-based cryptographic protocols. In this paper, we first propose an efficient and secure outsourcing ... [more ▼]

The computation of bilinear pairings has been considered the most expensive operation in pairing-based cryptographic protocols. In this paper, we first propose an efficient and secure outsourcing algorithm for bilinear pairings in the two untrusted program model. Compared with the state-of-the-art algorithm, adistinguishing property of our proposed algorithm is that the (resource-constrained) outsourcer is not required to perform any expensive operations, such as point multiplications or exponentiations. Furthermore, we utilize this algorithm as a subroutine to achieve outsource-secure identity-based encryptions and signatures. [less ▲]

Detailed reference viewed: 95 (1 UL)
Full Text
Peer Reviewed
See detailOn Key Recovery Attacks against Existing Somewhat Homomorphic Encryption Schemes
Chenal, Massimo UL; Tang, Qiang UL

in Progress in Cryptology - LATINCRYPT 2014, Florianópolis 17-19 September 2014 (2014)

In his seminal paper at STOC 2009, Gentry left it as a future work to investigate (somewhat) homomorphic encryption schemes with IND-CCA1 security. At SAC 2011, Loftus et al. showed an IND-CCA1 attack ... [more ▼]

In his seminal paper at STOC 2009, Gentry left it as a future work to investigate (somewhat) homomorphic encryption schemes with IND-CCA1 security. At SAC 2011, Loftus et al. showed an IND-CCA1 attack against the somewhat homomorphic encryption scheme presented by Gentry and Halevi at Eurocrypt 2011. At ISPEC 2012, Zhang, Plantard and Susilo showed an IND-CCA1 attack against the somewhat homomorphic encryption scheme developed by van Dijk et al. at Eurocrypt 2010. In this paper, we continue this line of research and show that most existing somewhat homomorphic encryption schemes are not IND-CCA1 secure. In fact, we show that these schemes suffer from key recovery attacks (stronger than a typical IND-CCA1 attack), which allow an adversary to recover the private keys through a number of decryption oracle queries. The schemes, that we study in detail, include those by Brakerski and Vaikuntanathan at Crypto 2011 and FOCS 2011, and that by Gentry, Sahai and Waters at Crypto 2013. We also develop a key recovery attack that applies to the somewhat homomorphic encryption scheme by van Dijk et al., and our attack is more efficient and conceptually simpler than the one developed by Zhang et al.. Our key recovery attacks also apply to the scheme by Brakerski, Gentry and Vaikuntanathan at ITCS 2012, and we also describe a key recovery attack for the scheme developed by Brakerski at Crypto 2012. [less ▲]

Detailed reference viewed: 169 (28 UL)
Full Text
Peer Reviewed
See detailFrom Ephemerizer to Timed-Ephemerizer - Achieve Assured Lifecycle Enforcement for Sensitive Data
Tang, Qiang UL

in The Computer Journal (2014)

The concept of Ephemerizer, proposed by Perlman, is a cryptographic primitive for assured data deletion. With an Ephemerizer protocol, data in persistent storage devices will always be encrypted ... [more ▼]

The concept of Ephemerizer, proposed by Perlman, is a cryptographic primitive for assured data deletion. With an Ephemerizer protocol, data in persistent storage devices will always be encrypted simultaneously using an ephemeral public key of the Ephemerizer (an entity that will publish a set of ephemeral public keys and periodically delete the expired ones) and the long-term public key of a user. An Ephemerizer protocol enables the user to securely decrypt the encrypted data without leaking any information to the Ephemerizer. So far, no security model has ever been proposed for this primitive and existing protocols have not been studied formally. Not surprisingly, we show that some existing Ephemerizer protocols possess security vulnerabilities. In this paper, we review the notion of Timed-Ephemerizer, which can be regarded as a hybrid primitive by combining Ephemerizer and timed-release encryption. Compared with an Ephemerizer protocol, a Timed-Ephemerizer protocol further guarantees that data will only be released after a pre-defined disclosure time. Moreover, we revisit a security model for Timed-Ephemerizer and adapt it for Ephemerizer. We also revise a previous Timed-Ephemerizer protocol by Tang and prove its security in the security model. [less ▲]

Detailed reference viewed: 84 (1 UL)
Full Text
Peer Reviewed
See detailDistributed Searchable Symmetric Encryption
Bosch; Peter, Andreas; Leenders, Bram et al

in PST2014 International Conference on Privacy, Security and Trust (2014)

Searchable Symmetric Encryption (SSE) allows a client to store encrypted data on a storage provider in such a way, that the client is able to search and retrieve the data selectively without the storage ... [more ▼]

Searchable Symmetric Encryption (SSE) allows a client to store encrypted data on a storage provider in such a way, that the client is able to search and retrieve the data selectively without the storage provider learning the contents of the data or the words being searched for. Practical SSE schemes usually leak (sensitive) information during or after a query (e.g., the search pattern). Secure schemes on the other hand are not practical, namely they are neither efficient in the computational search complexity, nor scalable with large data sets. To achieve efficiency and security at the same time, we introduce the concept of distributed SSE (DSSE), which uses a query proxy in addition to the storage provider. We give a construction that combines an inverted index approach (for efficiency) with scrambling functions used in private information retrieval (PIR) (for security). The proposed scheme, which is entirely based on XOR operations and pseudo-random functions, is efficient and does not leak the search pattern. For instance, a secure search in an index over one million documents and 500 keywords is executed in less than 1 second. [less ▲]

Detailed reference viewed: 220 (1 UL)
Full Text
Peer Reviewed
See detailNothing is for Free: Security in Searching Shared & Encrypted Data
Tang, Qiang UL

in IEEE Transactions on Information Forensics & Security (2014)

Most existing symmetric searchable encryption schemes aim at allowing a user to outsource her encrypted data to a cloud server and delegate the latter to search on her behalf. These schemes do not qualify ... [more ▼]

Most existing symmetric searchable encryption schemes aim at allowing a user to outsource her encrypted data to a cloud server and delegate the latter to search on her behalf. These schemes do not qualify as a secure and scalable solution for the multi-party setting, where users outsource their encrypted data to a cloud server and selectively authorize each other to search. Due to the possibility that the cloud server may collude with some malicious users, it is a challenge to have a secure and scalable multi-party searchable encryption (MPSE) scheme. This is shown by our analysis on the Popa-Zeldovich scheme, which says that an honest user may leak all her search patterns even if she shares only one of her documents with another malicious user. Based on our analysis, we present a new security model for MPSE by considering the worst-case and average-case scenarios, which capture different server-user collusion possibilities. We then propose a MPSE scheme by employing the bilinear property of Type-3 pairings, and prove its security based on the Bilinear Diffie-Hellman Variant (BDHV) and Symmetric eXternal Diffie-Hellman (SXDH) assumptions in the random oracle model. [less ▲]

Detailed reference viewed: 118 (2 UL)
Full Text
Peer Reviewed
See detailTrapdoor Privacy in Asymmetric Searchable Encryption Schemes
Delerue Arriaga, Afonso UL; Tang, Qiang UL; Ryan, Peter UL

in Progress in Cryptology -- AFRICACRYPT 2014, Marrakesh 28-30 May 2014 (2014)

Asymmetric searchable encryption allows searches to be carried over ciphertexts, through delegation, and by means of trapdoors issued by the owner of the data. Public Key Encryption with Keyword Search ... [more ▼]

Asymmetric searchable encryption allows searches to be carried over ciphertexts, through delegation, and by means of trapdoors issued by the owner of the data. Public Key Encryption with Keyword Search (PEKS) is a primitive with such functionality that provides delegation of exact-match searches. As it is important that ciphertexts preserve data privacy, it is also important that trapdoors do not expose the user’s search criteria. The difficulty of formalizing a security model for trapdoor privacy lies in the verification functionality, which gives the adversary the power of verifying if a trapdoor encodes a particular keyword. In this paper, we provide a broader view on what can be achieved regarding trapdoor privacy in asymmetric searchable encryption schemes, and bridge the gap between previous definitions, which give limited privacy guarantees in practice against search patterns. We propose the notion of Strong Search Pattern Privacy for PEKS and construct a scheme that achieves this security notion. [less ▲]

Detailed reference viewed: 356 (19 UL)
Full Text
Peer Reviewed
See detailProving Prêt à Voter Receipt Free Using Computational Security Models
Khader, Dalia UL; Ryan, Peter UL; Tang, Qiang UL

in USENIX Journal of Election Technology and Systems (2013), 1(1), 62-81

Pret a Voter is a supervised, end-to-end verifiable voting scheme. Informal analyses indicate that, subject to certain assumptions, Pret a Voter is receipt free, i.e. a voter has no way to construct a ... [more ▼]

Pret a Voter is a supervised, end-to-end verifiable voting scheme. Informal analyses indicate that, subject to certain assumptions, Pret a Voter is receipt free, i.e. a voter has no way to construct a proof to a coercer of how she voted. In this paper we propose a variant of Pret a Voter and prove receipt freeness of this scheme using computational methods. Our proof shows that if there exists an adversary that breaks receipt freeness of the scheme then there exists an adversary that breaks the IND-CCA2 security of the Naor-Yung encryption scheme. We propose a security model that defines receipt freeness based on the indistinguishability of receipts. We show that in order to simulate the game we require an IND-CCA2 encryption scheme to create the ballots and receipts. We show that, within our model, a non-malleable onion is sufficient to guarantee receipt freeness. Most of the existing Pret a Voter schemes do not employ IND-CCA2 encryption in the construction of the ballots, but they avoid such attacks by various additional mechanisms such as pre-commitment of ballot material to the bulletin board, digitally signed ballots etc. Our use of the Naor-Yung transformation provides the IND-CCA2 security required. [less ▲]

Detailed reference viewed: 220 (4 UL)
Full Text
Peer Reviewed
See detailTowards asymmetric searchable encryption with message recovery and flexible search authorization
Tang, Qiang UL; Chen, Xiaofeng

in Proceeding of 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2013) (2013)

Detailed reference viewed: 100 (4 UL)
Full Text
Peer Reviewed
See detailTowards a privacy-preserving solution for OSNs
Tang, Qiang UL

in Sandhu, Ravi; Lopez, Javier; Huang, Xinyi (Eds.) Towards a privacy-preserving solution for OSNs (2013)

Detailed reference viewed: 94 (2 UL)
Full Text
Peer Reviewed
See detailSearch in Encrypted Data: Theoretical Models and Practical Applications
Tang, Qiang UL

in Theory and Practice of Cryptography Solutions for Secure Information Systems (2013)

Detailed reference viewed: 117 (2 UL)