
Applied Cryptography and Network Security
Description
The 54 full papers included in these proceedings were carefully reviewed and selected from 230 submissions. They have been organized in topical sections as follows: Part I: Cryptographic protocols; encrypted data; signatures; Part II: Post-quantum; lattices; wireless and networks; privacy and homomorphic encryption; symmetric crypto; Part III: Blockchain; smart infrastructures, systems and software; attacks; users and usability.
Content
- Intro
- Preface
- Organization
- Abstracts of Keynote Talks
- Applying Machine Learning to Securing Cellular Networks
- Real-World Cryptanalysis
- CAPTCHAs: What Are They Good For?
- Contents - Part III
- Blockchain
- Mirrored Commitment: Fixing "Randomized Partial Checking" and Applications
- 1 Introduction
- 1.1 Notation
- 2 Chaumian Randomized Partial Checking (RPC) Mix Net
- 2.1 Protocol Description
- 2.2 RPC Audit
- 2.3 Attacks on RPC
- 3 Mirrored Randomized Partial Checking (mRPC)
- 3.1 Protocol Description
- 3.2 mRPC Audit
- 3.3 Attack Examples on mRPC
- 3.4 Security of mRPC
- 4 Privacy Guarantees of RPC and mRPC
- 4.1 Constant Number of Mix-Servers
- 4.2 Mixing Time
- 5 Application: CryptoCurrency Unlinkability
- 6 Conclusions
- A Proofs
- A.1 Proof of Lemma 4
- A.2 Proof of Lemma 6
- A.3 Proof of Lemma 7
- References
- Bitcoin Clique: Channel-Free Off-Chain Payments Using Two-Shot Adaptor Signatures
- 1 Introduction
- 1.1 Our Contributions
- 1.2 Related Work
- 2 Preliminaries
- 3 Model
- 3.1 Blockchain and Transaction Model
- 3.2 Commit-Chain Model
- 3.3 Communication and Adversarial Assumptions
- 3.4 Security and Performance Guarantees
- 4 Protocol Overview
- 5 Bitcoin Clique Protocol
- 6 Future Work
- A Bitcoin Clique Healing
- A.1 Healing Extension Details
- A.2 Discussion and Future Work
- References
- Programmable Payment Channels
- 1 Introduction
- 1.1 Our Contributions
- 1.2 Related Work
- 2 Preliminaries
- 3 Programmable Payment Channels
- 3.1 Defining FPPC
- 3.2 PPC Preliminaries
- 3.3 Ideal Functionality FPPC
- 3.4 Concrete Implementation of FPPC
- 3.5 Lightweight Applications of Programmable Payments
- 3.6 Implementation and Evaluation
- 4 State Channels from FPPC
- 4.1 Modifying FPPC to Capture State Channels
- 4.2 Defining FSC
- 4.3 Implementing FSC in the FPPC-Hybrid World
- 5 Conclusions
- References
- Fair Private Set Intersection Using Smart Contracts
- 1 Introduction
- 1.1 Other Coin-Compensated PSI
- 2 Related Work
- 3 Preliminaries and Notations
- 4 Fair PSI Using Smart Contracts
- 4.1 Smart Contract as the TTP in Optimistic Mutual PSI
- 4.2 Security Model
- 4.3 Ideal Functionality for Coin-Compensated PSI
- 5 A Coin-Compensated Fair SC-Aided PSI
- 5.1 Security Analysis
- 6 Improving the Efficiency of
- 6.1 Our Technique for Optimizing the Protocol
- 6.2 Overview of *
- 6.3 Security Analysis
- 7 Complexity Analysis
- 8 Implementation
- 8.1 Evaluation
- 9 Concluding Remarks
- References
- Powers-of-Tau to the People: Decentralizing Setup Ceremonies
- 1 Introduction
- 2 Related Work
- 2.1 Multiparty Setup Ceremonies
- 2.2 Setup Ceremonies in Practice
- 2.3 Proof Systems with Transparent Setup
- 3 A Powers-of-Tau System: Definitions
- 4 Powers-of-Tau Setup with Full Data On-Chain
- 4.1 Security
- 5 Powers-of-Tau Setup Protocol with Data Off-Chain
- 5.1 Off-Chain Setup Using a Transparent Succinct Proof
- 5.2 Off-Chain Setup Using AFGHO Commitments On-Chain
- 6 Implementation and Evaluation on Ethereum
- 7 Concluding Discussion and Open Problems
- 7.1 Incentives for Participation
- 7.2 Verifying Participation
- 7.3 Sequential Participation and Denial-of-Service
- 7.4 Verification with General-Purpose Roll-Ups
- 7.5 Protocol-Specific ZK Rollups via Proof Batching
- 7.6 Protocol-Specific Optimistic Verification and Checkpointing
- 7.7 Fully Off-Chain Verification via IVC/PCD
- 7.8 Forking/Re-starting
- A Proof of Theorem 2
- B Inner-Pairing Product Arguments for Sect. 5.2
- C Off-Chain Setup from IPP Arguments with a Smaller Setup
- D Powers-of-Tau with a Punctured Point
- References
- Smart Infrastructures, Systems and Software
- Self-sovereign Identity for Electric Vehicle Charging
- 1 Introduction
- 2 Background
- 2.1 E-mobility
- 2.2 Self-Sovereign Identity (SSI)
- 3 Related Work
- 4 System Model and Requirement Analysis
- 4.1 Scope
- 4.2 Attacker Model
- 4.3 Functional Requirements
- 4.4 Security and Privacy Requirements
- 5 SSI Concept
- 5.1 Concept Overview
- 5.2 Provisioning DID Creation
- 5.3 Contract Credential Installation
- 5.4 Charging Process and Credential Validation
- 5.5 Integration into ISO 15118-20
- 6 Implementation
- 7 Evaluation
- 7.1 Performance Measurements
- 7.2 Security and Privacy Analysis with Tamarin
- 7.3 Discussion of Requirements
- 8 Conclusion
- References
- "Hello? Is There Anybody in There?" Leakage Assessment of Differential Privacy Mechanisms in Smart Metering Infrastructure
- 1 Introduction
- 2 Preliminaries
- 2.1 Differential Privacy
- 2.2 Statistical t-test Analysis
- 3 System and Threat Model
- 3.1 Threat Surfaces
- 3.2 Capabilities of the Adversary
- 3.3 Goal of the Adversary
- 4 Formal Analysis of Leakage Due to Privacy-Utility Trade-Off in Smart Metering Systems
- 5 Proposed Attack Methodology
- 5.1 Precomputation Phase
- 5.2 t-test Based Attack Methodology
- 6 Evaluation of the Proposed Attack Methodology
- 6.1 Experimental Setup
- 6.2 Experimental Evaluation
- 7 Discussion
- 8 Conclusion and Future Work
- References
- Security Analysis of BigBlueButton and eduMEET
- 1 Introduction
- 2 Background
- 2.1 WebRTC
- 2.2 WebRTC Architectures in Conferencing Systems
- 3 Analysis Method
- 3.1 High-Level Analysis
- 3.2 Source Code Supported Security Analysis
- 4 Architectures of the Analyzed Open-Source Conferencing Systems (RQ1)
- 4.1 Shared Architecture
- 4.2 Implementation of BigBlueButton
- 4.3 Implementation of eduMEET
- 5 Features and User Roles (RQ2)
- 5.1 Comparison of Features
- 5.2 User Roles
- 6 Attacker Model
- 7 Evaluation (RQ3)
- 7.1 BigBlueButton
- 7.2 eduMEET
- 7.3 Responsible Disclosure
- 8 Discussion
- 8.1 BigBlueButton
- 8.2 eduMEET
- 8.3 Limitations
- 9 Related Work
- 10 Conclusions and Future Work
- A Appendix
- A.1 eduMEET
- A.2 Status of Fixes in BigBlueButton
- References
- An In-Depth Analysis of the Code-Reuse Gadgets Introduced by Software Obfuscation
- 1 Introduction
- 2 Background
- 2.1 Code Obfuscation
- 2.2 Code-Reuse Attack
- 3 Code-Reuse Gadgets Introduced by Obfuscation
- 3.1 Benchmark and Obfuscation Selection
- 3.2 Gadget Measurement
- 4 Study Results
- 4.1 Gadget Quantity
- 4.2 Gadget Exploitability
- 4.3 Gadget Quality
- 4.4 Code-Reuse Attack Risk
- 5 The Anatomy of the Obfuscations and Gadgets
- 5.1 Instructions Substitution
- 5.2 Control Flow Flattening
- 5.3 Bogus Control Flow
- 5.4 Virtualization
- 5.5 Just-In-Time Dynamic
- 5.6 Self-modification
- 5.7 Encode Components
- 6 Mitigation
- 6.1 Strategy
- 6.2 Evaluation
- 7 Related Work
- 8 Conclusion
- References
- ProvIoT: Detecting Stealthy Attacks in IoT through Federated Edge-Cloud Security
- 1 Introduction
- 2 Background
- 2.1 Fileless Attacks on IoT Devices
- 2.2 System Provenance and Graph Learning
- 3 Threat Model
- 4 System Overview
- 4.1 Local Brain
- 4.2 Cloud Brain
- 5 Federated Detection
- 5.1 Graph Building and Path Selection
- 5.2 Document Embedding Model
- 5.3 Federated Autoencoder
- 6 Implementation
- 7 Evaluation
- 7.1 Dataset
- 7.2 Experimental Protocol
- 7.3 IoT Malware Detection
- 7.4 APT Detection
- 7.5 Federated Learning Benefits
- 7.6 ProvIoT Overhead
- 8 Limitations
- 9 Related Work
- 10 Discussion and Future Work
- 11 Conclusion
- A Appendix
- A.1 IoT Workload.
- A.2 Dataset Statistics.
- A.3 APT Scenarios
- References
- Attacks
- A Practical Key-Recovery Attack on LWE-Based Key-Encapsulation Mechanism Schemes Using Rowhammer
- 1 Introduction
- 1.1 Paper Organization
- 2 Preliminaries
- 2.1 Learning with Errors (LWE) Problem and Its Variants
- 2.2 LPR Public-Key Encryption
- 2.3 Kyber
- 2.4 Saber
- 2.5 Related Works
- 3 Our Attack Using Binary Decision Tree on the LPR-Based Schemes
- 3.1 Implementing a Parallel Plaintext Checking (PC) Oracle
- 3.2 Generic Attack Model Using PC Oracle
- 3.3 Model for Kyber and Saber
- 3.4 Comparing Our Attack with the State-of-the-Art
- 4 Realization of the Fault Model
- 4.1 Nature of the Fault in the Attack
- 4.2 Our Target Devices
- 4.3 Probabilities of Incorporating Precise Fault Using Random Rowhammer
- 5 Discussion and Future Direction
- 5.1 Shuffling and Masking:
- 5.2 Extension of Our Attack on Other PQC Schemes
- 5.3 Combining of Lattice Reduction Techniques with Our Attack
- 5.4 Possible Countermeasures
- References
- A Side-Channel Attack on a Higher-Order Masked CRYSTALS-Kyber Implementation
- 1 Introduction
- 2 Previous Work
- 3 Background
- 3.1 Notation
- 3.2 Kyber Algorithm
- 4 Adversary Model
- 5 Attack Description
- 5.1 Profiling Stage
- 5.2 Attack Stage
- 6 Experimental Setup
- 7 Leakage Analysis
- 7.1 Unprotected Message Encoding
- 7.2 Masked Message Encoding
- 7.3 Finding New Leakage Points
- 8 Neural Network Training
- 8.1 Trace Acquisition and Pre-processing
- 8.2 Network Architecture and Training Parameters
- 9 New Chosen Ciphertext Construction Method
- 9.1 Constructing Chosen Ciphertexts
- 9.2 Selecting Optimal Mapping
- 10 Experimental Results
- 10.1 Message Recovery Attack
- 10.2 Secret Key Recovery Attack
- 11 Countermeasures
- 12 Conclusion
- References
- Time Is Money, Friend! Timing Side-Channel Attack Against Garbled Circuit Constructions
- 1 Introduction
- 2 Background and Adversary Model
- 2.1 Yao's Garbled Circuit (GC)
- 2.2 k-means Algorithm
- 2.3 Cache Architecture
- 2.4 Adversary Model
- 3 Timing Side-Channel Leakage in Garbling Tools: An Observation
- 4 Goblin and Its Building Blocks
- 4.1 Our Eviction Method: Junk Generator
- 4.2 Measuring Time on CPUs
- 4.3 Recovering Garbler's Input
- 4.4 Performance Metric
- 5 Experimental Results
- 5.1 Results for Benchmark Functions
- 5.2 Scalability of Goblin
- 5.3 Impact of the Number of Traces
- 6 Discussion
- 6.1 Potential Countermeasures
- 7 Conclusion
- 8 Responsible Disclosure
- References
- Related-Tweak and Related-Key Differential Attacks on HALFLOOP-48
- 1 Introduction
- 2 Preliminaries
- 2.1 Differential Cryptanalysis
- 2.2 Related-Key and Related-Tweak Differential Cryptanalyses
- 2.3 Specification of HALFLOOP-48
- 3 Automatic Search of Differentials
- 3.1 Boolean Satisfiability Problem
- 3.2 SAT Models for Linear Operations of HALFLOOP-48
- 3.3 SAT Model for the S-Box of HALFLOOP-48
- 3.4 SAT Model for the Objective Function
- 3.5 Finding More Differential Characteristics in the Differential
- 4 Differential Properties of HALFLOOP-48
- 4.1 Conventional Differential Properties of HALFLOOP-48
- 4.2 Related-Tweak Differential Properties of HALFLOOP-48
- 4.3 Related-Key Differential Properties of HALFLOOP-48
- 5 Differential Attacks on HALFLOOP-48
- 5.1 Related-Tweak Differential Attack on HALFLOOP-48
- 5.2 Full-Round Related-Key Differential Attack on HALFLOOP-48
- 6 Conclusion
- References
- Users and Usability
- How Users Investigate Phishing Emails that Lack Traditional Phishing Cues
- 1 Introduction
- 2 Background
- 3 Related Work
- 4 Method and Study Design
- 4.1 Participant Recruitment
- 4.2 Ethical Study Design
- 4.3 Email and Webpage Content Design
- 4.4 Data Collection and Cleaning
- 5 Overview of Study Data and Participant Population
- 6 Study Results
- 6.1 Mapping of Responses to the Human-In-The-Loop-Model
- 6.2 Impact of Features on Participants' Reactions
- 7 Discussion and Contextualization of Results
- 7.1 Noticing, Expecting and Suspecting Context
- 7.2 Investigative Measures
- 7.3 Biases and Limitations
- 8 Future Work
- 9 Conclusion
- A Appendix: Survey Instrument
- A.1 Demography
- A.2 Phishing Emails and Reactions
- A.3 IT-Context and Sensitization
- B Appendix: Large Scale Images of Phishing Content
- C Appendix: HITL-Model: Figures
- D Appendix: Resulting Correlations
- References
- Usable Authentication in Virtual Reality: Exploring the Usability of PINs and Gestures
- 1 Introduction
- 2 Background
- 2.1 Virtual Reality
- 2.2 Authentication
- 2.3 Usability
- 3 Related Work
- 3.1 Interaction in VR
- 3.2 Authentication in VR
- 3.3 Usability Issues in VR Authentication
- 4 Study Design and Implementation
- 4.1 Methodology
- 4.2 Recruitment
- 4.3 Data Collection
- 4.4 Pilot Testing
- 4.5 Data Analysis
- 4.6 Ethical Considerations
- 5 Results
- 5.1 Authentication Type and Usability
- 5.2 Authentication Type and Login Time
- 5.3 PIN: Experienced vs. First-Time User
- 5.4 Gesture: Experienced vs. First-Time User
- 6 Discussion
- 6.1 Impact of Authentication Type on Usability in VR
- 6.2 Impact of Experience on Usability in VR
- 6.3 Limitations
- 7 Conclusion and Future Work
- A System Usability Scale
- References
- Living a Lie: Security Analysis of Facial Liveness Detection Systems in Mobile Apps
- 1 Introduction
- 2 Background
- 2.1 Facial Recognition Pipeline
- 2.2 Design Patterns of Mobile Facial Recognition Systems
- 2.3 Modes of Liveness Detection
- 3 Threat Model
- 4 Mobile Facial Liveness Detection Protocols
- 4.1 General Protocol Flow
- 4.2 Design and Implementation Details
- 5 Weakness of Liveness Detection SDKs
- 5.1 Insufficient Client-Side Code Protection
- 5.2 Insecure Protocol Design
- 5.3 Flaws in SDK Implementations
- 5.4 Mistakes by App Developers
- 6 Empirical Study
- 6.1 Retrieval of Face SDKs
- 6.2 Security Metrics of Face SDKs
- 6.3 Face SDKs in High-Profile Financial Apps
- 6.4 Market Scale Evaluation
- 6.5 Case Study
- 7 Discussion on Mitigation
- 8 Related Work
- 9 Conclusion
- A Flawed Encryption Scheme and Oracle Attack
- B Face SDK Scanning Result of App Categories
- C Reference Protocol with Security and Usability Consideration
- References
- Author Index
System requirements
File format: PDF
Copy protection: Watermark-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Use the free software Adobe Reader, Adobe Digital Editions, or any other PDF viewer of your choice (see eBook Help).
- Tablet/Smartphone (Android; iOS): Install the free app Adobe Digital Editions or another reading app for eBooks, e.g., PocketBook (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (Kindle only to a limited extent).
The file format PDF always displays a book page identically on any hardware. This makes PDF suitable for complex layouts such as those used in textbooks and reference books (images, tables, columns, footnotes). Unfortunately, on the small screens of e-readers or smartphones, PDFs are rather annoying, requiring too much scrolling.
This eBook uses Watermark-DRM, a "soft" copy protection. This means that there are no technical restrictions to prevent illegal distribution. However, there is a personalised watermark embedded in the eBook that can be used to identify the purchaser of the eBook in the event of misuse and to provide evidence for legal purposes.