Authentication Schemes Using Braid Groups


WSN Authentication Scheme Based on Certificateless Cryptography

Zhang Hua

Abstract: Certificateless Public Key Cryptography (CL-PKC) eliminates the inherent key escrow problem of Identity-Based Cryptography (IBC) while dispensing with the certificates of traditional Public Key Cryptography (PKC) and their costly management overhead. Traditional authentication services depend strongly on a dedicated authentication server and a trusted-third-party authentication model; this is expensive, and a centralized authenticator cannot serve a large number of nodes that request authentication at the same time. This paper proposes a certificateless access-authentication scheme for WSNs in which the authentication of a joining node is delegated to its neighbouring nodes. Analysis and simulation results show that the scheme is secure and efficient.

Don't Study Math: The Most Tormenting Unsolved Problems in Mathematics

The beauty of mathematics lies not only in elegant results and ingenious proofs; the problems that remain unsolved have a fascination of their own.

Unlike the Goldbach conjecture or the Riemann hypothesis, some open problems are highly entertaining and only weakly "mathematical": at first sight they touch no deep theory and look like recreational puzzles that could be dispatched in seconds, the kind that leaves enthusiasts restless until they find a clever solution. Remarkably, they are no easier than the famous conjectures, which perhaps makes them more tormenting than the deep problems of any single field.

Mathematical Puzzles, a collection of recreational problems, even devotes a separate chapter to puzzles that are still unsolved, which shows how captivating these problems are.

I have picked a few problems from that chapter to share here.

The book was published in 2004, so some of the "latest progress" it reports is no longer the latest; I have not carefully checked the current status of every problem, so the information in this article is not guaranteed to be 100% accurate, for which I apologize to readers.

This article is long; bookmark it however you like and read a little each day.

Angel and Devil

An angel and a devil play a game on an infinite chessboard.

On each turn the devil may dig out any one square of the board; the angel may then fly up to 1000 steps and land. If the angel lands on a square that has been dug out, the angel loses.

Question: can the devil trap the angel (by digging a moat of thickness 1000 around it)? This is another classic puzzle from Conway.

Regular readers of this blog will have noticed how often Conway appears here.

This time, though, Conway really has racked the brains of many mathematicians.

Although it is a perfectly "ordinary" combinatorial game, the angel and devil problem has never been solved.

What is known so far is that if the angel can move only one step per turn, the devil always wins.

But as soon as the angel can fly two steps per turn, it already seems unbeatable.

Of course, the devil also has a considerable advantage: it never has to worry about "making a wrong move", since every extra hole it digs can only help it.

That said, Conway himself seems to still believe that the angel wins: he offered $1000 for a proof that the devil wins, but only $100 for a proof that the angel wins.

Merkle Trees and Their Signature Mechanism

Merkle Signature Schemes, Merkle Trees and Their Cryptanalysis
Georg Becker, 18.07.08
Seminar paper (Seminararbeit), Ruhr-Universität Bochum, Chair for Embedded Security, Prof. Dr.-Ing. Christof Paar

Contents
1 Introduction
2 One-Time Signatures
2.1 Secure hash functions
2.2 Lamport One-Time Signature Scheme (2.2.1 Key generation, 2.2.2 Signing a message, 2.2.3 Signature verification)
2.3 Winternitz One-Time Signature Scheme (2.3.1 Key generation, 2.3.2 Signature generation, 2.3.3 Signature verification, 2.3.4 Choosing parameter w)
3 Merkle Signature Scheme (3.1 Key generation, 3.2 Signature generation, 3.3 Signature verification, 3.4 Cost analysis)
4 The Merkle tree traversal problem (4.1 The treehash algorithm, 4.2 The classic traversal, 4.3 Merkle tree traversal in log space and time, 4.4 Fractal tree representation and traversal)
5 Improvements to the Merkle Signature Scheme
6 Cryptanalysis (6.1 Case 1: $H(Y'_i) \neq H(Y_i)$, 6.2 Case 2: $H(Y'_i) = H(Y_i)$, 6.3 Differential side channel resistance)
7 Conclusion

1 Introduction
In today's world, digital signatures are an indispensable element of secured communication applications. They are needed to authenticate a communication partner, e.g. in web services such as e-mail or chat, and to authenticate a web server for services such as web shops or online banking. But digital signatures are not just used in web services; for example, they can also be used to verify the validity of digital passports or other digital documents.
Popular signature schemes are the Digital Signature Algorithm (DSA) and the RSA signature scheme. The security of these schemes relies on the difficulty of solving the discrete logarithm problem and of factoring large numbers. Today no efficient algorithms are known for these problems, so the schemes are considered secure. However, it is not proven that no such algorithms exist; if mathematicians find suitable algorithms, these signature schemes become insecure. Furthermore, algorithms are already known that solve both problems once a quantum computer can be built, and some scientists believe it might be possible to build one in about 20 years. Therefore alternative digital signature schemes are needed in case the schemes based on the discrete logarithm or factorization problem become insecure. The Merkle Signature Scheme provides such an alternative. As we will see in chapter 6, its security depends only on a secure hash function and a secure one-time signature scheme. The characteristics of secure hash functions are described in section 2.1, and two examples of secure one-time signature schemes are given in sections 2.2 and 2.3. Chapter 3 introduces the Merkle Signature Scheme. Chapter 4 describes methods for solving the Merkle tree traversal problem; efficient methods for this problem are needed to make the scheme feasible. Chapter 5 introduces further improvements to the original Merkle Signature Scheme which make it more efficient.

2 One-Time Signatures

2.1 Secure hash functions
The security of one-time signatures is based on cryptographically secure hash functions. In this section we define the properties of such a function. A hash function $H: \{0,1\}^* \to \{0,1\}^s$ is cryptographically secure if it is preimage resistant, second preimage resistant and collision resistant.

Preimage resistance: A hash function $H$ is
preimage resistant if, for a given $h$, it is hard to find any $m$ with $h = H(m)$.
Second preimage resistance: $H$ is second preimage resistant if, for a given $m_1$, it is hard to find any $m_2 \neq m_1$ with $H(m_1) = H(m_2)$.
Collision resistance: $H$ is collision resistant if it is hard to find any pair $m_1 \neq m_2$ with $H(m_1) = H(m_2)$.

For a good cryptographic hash function no algorithm should be known that solves the preimage or second preimage problem more efficiently than a brute-force attack. In a brute-force attack on preimage resistance the attacker tries inputs $m$ until $h = H(m)$. $H(m)$ can take $2^s$ different values, and each value $h$ should appear with the same probability $P_h = 1/2^s$, so the attacker has to try on average about $2^s/2$ different inputs before finding an $m$ with $H(m) = h$ (with independent random guesses the expected number is $2^s$; the order of magnitude is the same). By the same argument the attacker needs on average about $2^s/2$ different inputs $m_2$ before finding one with $H(m_1) = H(m_2)$. So the complexity of an attack on preimage and second preimage resistance is $\tfrac{1}{2} \cdot 2^s = O(2^s)$, with $s$ the output length of the hash function in bits.

Unfortunately, breaking collision resistance, i.e. finding a pair $m_1, m_2$ with $H(m_1) = H(m_2)$, is easier than breaking preimage resistance. This is due to the birthday problem (also referred to as the birthday paradox).

Birthday problem [AMV96]: An urn has $m$ balls numbered 1 to $m$. Suppose that one ball at a time is drawn from the urn with replacement. On average about $\sqrt{\pi m/2}$ balls must be drawn until one ball is drawn twice.

Applied to the complexity of finding a pair $m_1, m_2$ with $H(m_1) = H(m_2)$, this means that on average about $\sqrt{\pi 2^s/2} \approx O(\sqrt{2^s}) = O(2^{s/2})$ hash operations must be performed.
To achieve collision resistance with a security level of at least $O(2^{80})$, the output size of the hash function $H: \{0,1\}^* \to \{0,1\}^s$ must be at least 160 bits, because $O(\sqrt{2^{160}}) = O(2^{80})$.

2.2 Lamport One-Time Signature Scheme
The Lamport One-Time Signature Scheme (LOTSS) is a signature scheme in which a key pair can only be used to sign a single message. Its security is based solely on cryptographic hash functions. Any secure hash function can be used, which makes the scheme very adaptable: if a hash function becomes insecure, it can easily be exchanged for another secure hash function. In the following, first the key generation, then the signing algorithm and finally the verification algorithm are described.

2.2.1 Key generation
Let $H: \{0,1\}^* \to \{0,1\}^s$ be a cryptographic hash function. To sign a message $M \in \{0,1\}^k$, choose $2k$ random numbers $X_{ij}$ with $1 \le i \le k$ and $j \in \{0,1\}$. For each $i$ and $j$ compute $Y_{ij} = H(X_{ij})$. The $2k$ values $Y_{ij}$ are the public key, while the values $X_{ij}$ are the private key.

2.2.2 Signing a message
Given a message $M = m_1 m_2 \ldots m_k$ with $m_i \in \{0,1\}$ and the private key $X_{ij}$ ($1 \le i \le k$, $j \in \{0,1\}$): for each $i$, if $m_i = 0$ then $sig_i = X_{i0}$, otherwise $sig_i = X_{i1}$. The signature $sig$ is the concatenation of all $sig_i$ for $i = 1, \ldots, k$, i.e. $sig = (sig_1 \| sig_2 \| \ldots \| sig_k)$, where $\|$ denotes concatenation.

2.2.3 Signature verification
Let $sig = (sig_1 \| sig_2 \| \ldots \| sig_k)$ be the signature of a given message $M = m_1 m_2 \ldots m_k$, $m_i \in \{0,1\}$, and $Y_{ij}$ the corresponding public key. For each $1 \le i \le k$ the hash value $H(sig_i)$ is computed. If $m_i = 0$ then $H(sig_i)$ must equal $Y_{i0}$, otherwise it must equal $Y_{i1}$, for the signature to be valid. The key pair must never be used twice: two signatures under the same key reveal both $X_{i0}$ and $X_{i1}$ for every bit position in which the two messages differ, which lets anyone sign further messages.

2.3 Winternitz One-Time Signature Scheme
One major disadvantage of the Lamport One-Time Signature Scheme is the size of the public and private key. To sign a message $M \in \{0,1\}^k$, $2k$ hash values have to be stored. To achieve a security level of at least $O(2^{80})$, a hash function must have at
least 160 bits. Therefore the private key and the public key each need at least $160 \cdot 2 \cdot k = 320k$ bits. In most cases a message is hashed before it is signed, so that the length $k$ of the message $M$ is also 160 bits. This results in a public key (and private key) of $160 \cdot 2 \cdot 160$ bits $= 51200$ bits $= 6400$ bytes; a Lamport public key is thus 50 times larger than an equivalent 1024-bit RSA public key. The signature $sig$ is the concatenation of $k$ hash values; for $k = 160$ the signature size is $160 \cdot k$ bits $= 25600$ bits $= 3200$ bytes, about 25 times bigger than an equivalent 1024-bit RSA signature. In the Winternitz One-Time Signature Scheme the signature size is reduced at the cost of additional hash operations.

[Figure 2.1: Building the values $b_i$ and the checksum $C$]

2.3.1 Key generation
Let $H: \{0,1\}^* \to \{0,1\}^s$ be a cryptographic hash function. First the parameter $w \in \mathbb{N}$ is chosen and
$$t = \lceil s/w \rceil + \left\lceil \frac{\lfloor \log_2 \lceil s/w \rceil \rfloor + 1 + w}{w} \right\rceil$$
is calculated. A larger parameter $w$ reduces the signature size but increases the computation time. We now choose $t$ random numbers $X_1, \ldots, X_t \in \{0,1\}^s$.
These random numbers are the private key $X = (X_1 \| \ldots \| X_t)$. In the next step the public key $Y$ is generated by computing $Y_i = H^{2^w - 1}(X_i)$ for $i = 1, \ldots, t$, where $H^j$ denotes the $j$-fold application of $H$. The public key $Y = H(Y_1 \| \ldots \| Y_t)$ is the hash value of the concatenation of all $Y_i$, $i = 1, \ldots, t$.

[Figure 2.2: Signature generation and verification with the Winternitz One-Time Signature Scheme]

2.3.2 Signature generation
Let $M = m_1 \ldots m_s$, $m_i \in \{0,1\}$, be the message to be signed, $X_1, \ldots, X_t$ the private key and $w$, $t$ the parameters described above. The message $M$ is split into $\lceil s/w \rceil$ blocks $b_1, \ldots, b_{\lceil s/w \rceil}$ of length $w$; if necessary the message is first padded with zeros from the left. Treating each $b_i$ as the integer encoded by the respective block, we compute the checksum
$$C = \sum_{i=1}^{\lceil s/w \rceil} (2^w - b_i).$$
We then split the binary representation of $C$ into $\lceil (\lfloor \log_2 \lceil s/w \rceil \rfloor + 1 + w)/w \rceil$ blocks $b_{\lceil s/w \rceil + 1}, \ldots, b_t$ of length $w$, again padding $C$ with zeros from the left if necessary. Now, treating each $b_i$ as the integer encoded by the block, we compute $sig_i = H^{b_i}(X_i)$ for $i = 1, \ldots, t$, with $H^0(X_i) = X_i$. The signature $sig = (sig_1 \| \ldots \| sig_t)$ of the message $M$ is the concatenation of all $sig_i$, $i = 1, \ldots, t$. The checksum is what protects a single signature against forgery: anyone can walk a chain forward (increase a $b_i$) but not backward, and increasing a message block decreases $C$, which would require decreasing a checksum block.

2.3.3 Signature verification
To verify a signature $sig = (sig_1 \| \ldots \| sig_t)$ of a given message $M \in \{0,1\}^s$, the blocks $b_1, \ldots, b_t$ are computed first, in the same way as during signature generation. For $i = 1, \ldots, t$, $sig'_i = H^{2^w - 1 - b_i}(sig_i)$ is calculated. Then
$$sig'_i = H^{2^w - 1 - b_i}(sig_i) = H^{2^w - 1 - b_i}\big(H^{b_i}(X_i)\big) = H^{2^w - 1}(X_i) = Y_i.$$
Hence, if $Y' = H(sig'_1 \| \ldots \| sig'_t)$ equals $Y = H(Y_1 \| \ldots \| Y_t)$, the signature is valid; otherwise it is rejected.

2.3.4 Choosing parameter w
The Winternitz One-Time Signature Scheme is very flexible due to the parameter $w$, which allows a trade-off between signature size and computation time. Choosing a bigger $w$ results in a smaller signature, but the signature generation time and the signature verification time increase. We will now
analyze the signature size as a function of the parameter $w$.

Signature size: The signature $sig = (sig_1 \| \ldots \| sig_t)$ contains $t$ blocks $sig_i$, each of the length of one hash output. Hence the bit size of the signature is
$$|sig| = t \cdot s = \left(\lceil s/w \rceil + \left\lceil \frac{\lfloor \log_2 \lceil s/w \rceil \rfloor + 1 + w}{w} \right\rceil\right) \cdot s \approx s^2/w,$$
so the signature size is roughly inversely proportional to $w$. We now analyze the impact of $w$ on the computation time in each phase of the Winternitz scheme.

Key generation time ($gen_{time}$): During key generation $t \approx s/w$ random numbers $X_i$ must be chosen and $H^{2^w - 1}(X_i)$ must be computed for each of them. Therefore
$$gen_{time} \approx \frac{s}{w}(2^w - 1) \cdot hash_{time} + \frac{s}{w} \cdot rand_{time} = O(2^w) \cdot hash_{time} + O(1/w) \cdot rand_{time},$$
with $hash_{time}$ the time for one hash operation and $rand_{time}$ the time to generate one random number. So the key generation time increases exponentially with $w$.

Signature time ($sig_{time}$): To generate the signature, $sig_i$ must be computed $t \approx s/w$ times. To generate one $sig_i = H^{b_i}(X_i)$ with $b_i \le 2^w - 1$, on average $(\sum_{j=1}^{w-1} 2^j)/w = (2^w - 2)/w$ hash operations must be performed (for $b_i$ uniformly distributed over $0, \ldots, 2^w - 1$ the exact expectation is $(2^w - 1)/2$; both are $O(2^w)$). This results in a signing cost of
$$sig_{time} \approx \frac{s}{w} \cdot \frac{2^w - 2}{w} \cdot hash_{time} = \frac{s\,(2^w - 2)}{w^2} \cdot hash_{time} = O(2^w).$$

Verification time ($ver_{time}$): To verify a signature, $sig'_i$ must be computed $t \approx s/w$ times. To calculate one $sig'_i = H^{2^w - 1 - b_i}(sig_i)$ with $b_i \le 2^w - 1$, on average again $(2^w - 2)/w$ hash operations must be performed. So the verification time is the same as the signature time:
$$ver_{time} = sig_{time} \approx \frac{s\,(2^w - 2)}{w^2} \cdot hash_{time} = O(2^w).$$
Hence, the optimal value for the parameter $w$ depends on the available resources.
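The Winternitz scheme of sections 2.3.1 to 2.3.3 as an added worked example (this is not the paper's code): key generation, signing with the checksum, verification, and a demonstration of why the key is one-time. Assumptions that are not in the paper: SHA-256 truncated to 32 bits as $H$ so that the forgery search finishes quickly, $w = 4$, a private key derived from a seed instead of drawn at random, and the constructed candidate messages used by the forgery search. The same reuse attack applies to the Lamport scheme of section 2.2, where a second signature reveals both $X_{i0}$ and $X_{i1}$ for every differing bit.

```python
import hashlib
from typing import List, Optional, Tuple

# Toy parameters chosen for this example (NOT production values): a 32-bit digest
# keeps the reuse-forgery search below fast.
N = 4                                            # bytes per chain value, s = 8*N = 32 bits
W = 4                                            # Winternitz parameter w
S = 8 * N
L1 = -(-S // W)                                  # ceil(s/w) message blocks
L2 = -(-((L1.bit_length() - 1) + 1 + W) // W)    # ceil((floor(log2 ceil(s/w)) + 1 + w) / w)
T = L1 + L2                                      # chains per key
MASK = (1 << W) - 1                              # 2^w - 1, the chain length


def H(data: bytes) -> bytes:
    """H: {0,1}* -> {0,1}^s, SHA-256 truncated to N bytes (toy assumption)."""
    return hashlib.sha256(data).digest()[:N]


def chain(x: bytes, steps: int) -> bytes:
    """H^steps(x) with H^0(x) = x."""
    for _ in range(steps):
        x = H(x)
    return x


def blocks(msg: bytes) -> List[int]:
    """b_1..b_t: the digest of msg (messages are hashed before signing) split into w-bit
    blocks, followed by the checksum C = sum(2^w - b_i) split into w-bit blocks, both
    padded with zeros from the left."""
    d = int.from_bytes(H(msg), "big")
    b = [(d >> (W * i)) & MASK for i in reversed(range(L1))]
    c = sum((1 << W) - bi for bi in b)
    assert c < (1 << (L2 * W)), "checksum does not fit into L2 blocks"
    return b + [(c >> (W * i)) & MASK for i in reversed(range(L2))]


def keygen(seed: bytes) -> Tuple[List[bytes], bytes]:
    """Private key X_1..X_t (seed-derived here for reproducibility; the paper draws them
    at random) and public key Y = H(Y_1 || ... || Y_t) with Y_i = H^(2^w - 1)(X_i)."""
    sk = [H(b"wots-sk" + seed + bytes([i])) for i in range(T)]
    pk = H(b"".join(chain(x, MASK) for x in sk))
    return sk, pk


def sign(sk: List[bytes], msg: bytes) -> List[bytes]:
    """sig_i = H^(b_i)(X_i)."""
    return [chain(x, bi) for x, bi in zip(sk, blocks(msg))]


def verify(pk: bytes, msg: bytes, sig: List[bytes]) -> bool:
    """sig'_i = H^(2^w - 1 - b_i)(sig_i) must equal Y_i, i.e. H(sig'_1 || .. || sig'_t) == Y."""
    if len(sig) != T:
        return False
    ys = [chain(si, MASK - bi) for si, bi in zip(sig, blocks(msg))]
    return H(b"".join(ys)) == pk


def forge_after_reuse(signed: List[Tuple[bytes, List[bytes]]],
                      max_tries: int = 200_000) -> Optional[Tuple[bytes, List[bytes]]]:
    """Why the key is ONE-time. Every signature reveals H^(b_i)(X_i) for each chain; an
    attacker can walk chains forward but never backward, so any message (with a different
    digest) whose blocks, checksum included, are all >= the smallest exponents revealed so
    far can be signed without the private key. With one signature the checksum makes this
    impossible; with two signatures under the same key it usually is possible. Candidate
    messages are constructed here. Returns (forged message, signature) or None."""
    if not signed:
        return None
    best: List[Optional[Tuple[int, bytes]]] = [None] * T  # per chain: (min b_i, value)
    for msg, sig in signed:
        for i, (bi, si) in enumerate(zip(blocks(msg), sig)):
            if best[i] is None or bi < best[i][0]:
                best[i] = (bi, si)
    known = {tuple(blocks(m)) for m, _ in signed}   # same digest would be a collision, not a forgery
    for n in range(max_tries):
        cand = b"forged transfer #%d" % n
        b = blocks(cand)
        if tuple(b) in known:
            continue
        if all(b[i] >= best[i][0] for i in range(T)):
            return cand, [chain(best[i][1], b[i] - best[i][0]) for i in range(T)]
    return None
```

With a single signature `forge_after_reuse` returns `None`: raising any message block lowers $C$, so the checksum blocks of the candidate would have to be lower than the revealed ones, which cannot be reached by hashing forward. With two signatures under the same key the minimum of the two exponents per chain is revealed and a third message that fits is found within a few thousand candidates. For a real digest length the search needs more candidates, and every further signature under the same key makes it easier, which is why a one-time key must never be reused.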
If signing is fast enough, $w$ can be increased to reduce the signature size. But the signature time increases exponentially in $w$ while the signature size shrinks only in proportion to $1/w$, so choosing a very large $w$ is not recommended.

3 Merkle Signature Scheme
The biggest problem of one-time signature schemes is key management. Exchanging a public key is complex: it must be guaranteed that the public key belongs to the intended communication partner and that it has not been modified. Therefore few public keys should be used, and they should be rather short. But in a one-time signature scheme a new public key is used for every signature, and the public key is quite big compared with other signature schemes. To make one-time signature schemes feasible, an efficient key management that reduces the number of public keys and their size is needed. In [Mer79] Merkle introduced the Merkle Signature Scheme (MSS), in which one public key is used to sign many messages.

[Figure 3.1: Merkle tree with 8 leaves]

3.1 Key generation
The Merkle Signature Scheme can only be used to sign a limited number of messages with one public key $pub$. The number of possible messages must be a power of two, so we denote it as $N = 2^n$.
The first step in generating the public key $pub$ is to generate the private keys $X_i$ and public keys $Y_i$ of $2^n$ one-time signature key pairs, as described in chapter 2. For each public key $Y_i$, $0 \le i < 2^n$, a hash value $h_i = H(Y_i)$ is computed. From these hash values a Merkle tree (also called hash tree) is built. We call a node of the tree $a_{i,j}$, where $i$ denotes the level of the node; the level is defined as the distance from the node to a leaf, so a leaf has level $i = 0$ and the root has level $i = n$. The nodes of one level are numbered from left to right, so that $a_{i,0}$ is the leftmost node of level $i$. The hash values $h_i$ are the leaves of the binary tree, i.e. $h_i = a_{0,i}$. Each inner node is the hash of the concatenation of its two children, $a_{i+1,j} = H(a_{i,2j} \| a_{i,2j+1})$; so $a_{1,0} = H(a_{0,0} \| a_{0,1})$ and $a_{2,0} = H(a_{1,0} \| a_{1,1})$. An example of a Merkle tree is illustrated in figure 3.1. In this way a tree with $2^n$ leaves and $2^{n+1} - 1$ nodes is built. The root of the tree, $a_{n,0}$, is the public key $pub$ of the Merkle Signature Scheme.

3.2 Signature generation
To sign a message $M$ with the Merkle Signature Scheme, $M$ is first signed with the one-time signature scheme, using one of the key pairs $(X_i, Y_i)$, which results in a one-time signature $sig'$. The leaf of the hash tree corresponding to the one-time public key $Y_i$ is $a_{0,i} = H(Y_i)$. We call the path in the hash tree from $a_{0,i}$ to the root $A$. The path $A$ consists of $n + 1$ nodes $A_0, \ldots, A_n$, with $A_0 = a_{0,i}$ being the leaf and $A_n = a_{n,0} = pub$ the root. To compute this path $A$, we need every child of the nodes $A_1, \ldots, A_n$.
We know that $A_i$ is a child of $A_{i+1}$. To calculate the next node $A_{i+1}$ of the path, we need both children of $A_{i+1}$, i.e. the sibling of $A_i$. We call this node $auth_i$, so that $A_{i+1} = H(A_i \| auth_i)$ if $A_i$ is a left child and $A_{i+1} = H(auth_i \| A_i)$ if it is a right child. Hence $n$ nodes $auth_0, \ldots, auth_{n-1}$ are needed to compute every node of the path $A$. We now calculate and save these nodes; how this is done efficiently is discussed in chapter 4. These nodes, plus the one-time signature $sig'$ of $M$, form the signature $sig = (sig' \| auth_0 \| auth_1 \| \ldots \| auth_{n-1})$ of the Merkle Signature Scheme. In practice the signature must also carry the leaf index $i$, so that the verifier knows on which side each $auth_j$ belongs, and, unless the one-time scheme lets the verifier recompute it from $sig'$ as the Winternitz scheme does, the one-time public key $Y_i$. An example of an authentication path is illustrated in figure 3.2.

3.3 Signature verification
The receiver knows the public key $pub$, the message $M$ and the signature $sig = (sig' \| auth_0 \| auth_1 \| \ldots \| auth_{n-1})$. First the receiver verifies the one-time signature $sig'$ of the message $M$. If $sig'$ is a valid signature of $M$, the receiver computes $A_0 = H(Y_i)$ by hashing the public key of the one-time signature. For $j = 1, \ldots, n$ the nodes $A_j$ of the path $A$ are computed as $A_j = H(A_{j-1} \| auth_{j-1})$, or $H(auth_{j-1} \| A_{j-1})$ when $A_{j-1}$ is a right child.

[Figure 3.2: Merkle tree with path $A$ and authentication path for $i = 2$]

If $A_n$ equals the public key $pub$ of the Merkle Signature Scheme, the signature is valid.

3.4 Cost analysis
The big advantage of the Merkle Signature Scheme is that many signatures can be generated using only one public key. However, this advantage comes with an increase in computation time and signature length. In the following we examine the computation time of each part of the signature process. To generate the public key $pub$, $2^n$ one-time signature key pairs must be generated. Then every node of the hash tree must be computed. The tree consists of $2^{n+1} - 1$ nodes and one hash operation is needed per node, so $2^{n+1} - 1$ hash operations are needed to generate the public key. Obviously the size of such a tree is limited: computing $2^{40}$ nodes is very costly, computing $2^{80}$ nodes impossible. To generate a signature the nodes $auth_0, \ldots, auth_{n-1}$ are needed. If the nodes of the tree are not stored, they must be generated
again for every signature. Generating the tree is very expensive, so generating the entire tree for every signature is impracticable for bigger trees. But saving all $2^{n+1} - 1$ nodes would result in huge storage requirements. Hence a good strategy is needed to generate the signature without saving too many nodes and still in an efficient time. This problem is called the Merkle tree traversal problem and is described in chapter 4. Verification is quite fast compared with signing: first the one-time signature must be verified, then the path $A = A_1, \ldots, A_n$ must be computed, which needs only $n$ hash operations, one for every node. The signature of the Merkle Signature Scheme consists of the one-time signature $sig'$ and the $n$ nodes $auth_0, \ldots, auth_{n-1}$. If a 160-bit hash function is used, the signature size is $|sig| = |sig'| + n \cdot 160$ bits.

4 The Merkle tree traversal problem
In this chapter we focus on the problem of efficiently computing the next authentication path needed for the Merkle Signature Scheme. First we introduce the treehash algorithm, which efficiently computes a node of a hash tree. This algorithm is used later to generate the public key and to generate the next authentication path.

4.1 The treehash algorithm
For the traversal techniques we need an algorithm that efficiently computes the nodes of the tree. Assume a binary tree with $2^n$ leaves. The height $H$ of a node is defined as the distance of the node to a leaf, so the root has height $H = n$ while the leaves have height $H = 0$. We define the node $a_{i,j}$ as the $j$-th node from the left (starting with $j = 0$) at height $i$; so $a_{0,0}$ is the leftmost leaf of the tree and $a_{n,0}$ the root. To compute a node of height $h$, the $2^{h+1} - 1$ nodes of its subtree must be computed. The treehash algorithm needs exactly these $2^{h+1} - 1$ operations to calculate a node of height $h$, while storing as few nodes at once as possible. The main idea of the treehash algorithm is to calculate the needed subtree from left to right and to save only the nodes that are still needed. This is
done by using a stack. At first the stack consists only of the leftmost leaf. Then the next leaf is added. The algorithm now checks whether the top two nodes on the stack have the same height. If they do, the two nodes are removed from the stack and their parent is built and pushed onto the stack. If the top two nodes have different heights, a new leaf is pushed onto the stack. This step is repeated until the node of the wanted height has been generated.

Algorithm: TREEHASH(start, maxheight)
1. Set leaf = start and create an empty stack.
2. Consolidate: If the top 2 nodes on the stack are of equal height:
   Pop node value $P(n_{right})$ from the stack.
   Pop node value $P(n_{left})$ from the stack.
   Compute $P(n_{parent}) = f(P(n_{left}) \| P(n_{right}))$.
   If the height of $P(n_{parent})$ equals maxheight, output $P(n_{parent})$.
   Push $P(n_{parent})$ onto the stack.
3. New Leaf: Otherwise:
   Compute $P(n_l)$ = LEAF_CALC(leaf).
   Push $P(n_l)$ onto the stack.
   Increment leaf.
4. Loop to step 2.

To be able to run multiple instances of treehash, we define an object $stack_h$ with two methods, $stack_h$.initialize(startnode, h) and $stack_h$.update(t). With the initialize method we simply define the start leaf and the height of the resulting node. The method update runs step 2 or 3 of the treehash algorithm $t$ times. For example, $stack_2$.initialize(0, 2) means that in $stack_2$ we compute a node of height $h = 2$, beginning with leaf 0. $stack_2$.update(3) now performs 3 operations of treehash on $stack_2$: the first operation pushes node $a_{0,0}$ onto the stack, the second pushes $a_{0,1}$. Now the top two nodes on the stack have equal height, so in the third operation these two nodes are removed and $a_{1,0}$ is computed and pushed onto the stack. Because treehash should only perform three operations, the algorithm stops at this point. When $stack_2$.update(t) is called again, the algorithm continues from here by pushing node $a_{0,2}$ onto the stack.

4.2 The classic traversal
In the first step of the Merkle Signature
Scheme, the public key, which is the root of the tree, is computed using the treehash algorithm. During this computation every node of the tree is generated, so we can easily save the first authentication path $auth$. We do this by saving all nodes $auth_i = a_{i,1}$ for $i = 0, \ldots, n-1$. These nodes $auth = \{auth_0, \ldots, auth_{n-1}\}$ are the right siblings of the nodes of the leftmost path. In addition to the $auth_i$ nodes we also store the nodes of the leftmost path in the objects $stack_i$, with $stack_i = a_{i,0}$ for $i = 0, \ldots, n-1$. We will need these objects to efficiently generate the next authentication path. The next phase is the output and update phase. In this phase we output the leaf value together with the authentication path; after that we generate the next authentication path. Generating the output is simple: we use the function LEAF_CALC to calculate the value of the leaf (the leaf value is the hash of the public key of the one-time signature, so LEAF_CALC builds the hash of the one-time signature public key). The authentication path $auth = auth_0, \ldots, auth_{n-1}$ has already been computed. So the important part is to calculate the next authentication path. To do this we need a counter $leaf$, which points to the current leaf, the old authentication path $auth$, and the objects $stack_i$ for $i = 0, \ldots, n-1$, which we can modify with the functions $stack_i$.initialize(startnode, h) and $stack_i$.update(t) described above.

[Figure 4.1: Merkle tree before the first output and update phase]

We now have to determine which authentication nodes $auth_h$ have to be changed so that $auth = auth_0, \ldots, auth_{H-1}$ is the authentication path for the next leaf $leaf + 1$. The authentication node of height $h$ only needs an update if $2^h$ divides $leaf + 1$ without remainder. The new authentication node $auth_h$ has already been generated and is saved in $stack_h$. So if $2^h$ divides $leaf + 1$, $auth_h$ = POP
($stack_h$). Then $stack_h$ is empty and we use this stack to precalculate the next authentication node. In $2^h$ steps, when $leaf = leaf + 1 + 2^h$, $auth_h$ needs an update again. So we search for the leftmost leaf, $startnode$, of the next authentication node of height $h$. This is $startnode = leaf + 1 + 2^h + 2^h$ if the current $auth_h$ is a left node and $startnode = leaf + 1$ if the current $auth_h$ is a right node; in one formula, $startnode = (leaf + 1 + 2^h) \oplus 2^h$. Hence we set $stack_h$.initialize($startnode$, $h$). This is illustrated in figure 4.3. In this figure $auth_1$ has changed. The next change of $auth_1$ will be when $leaf = leaf + 1 + 2^1$. Hence we need the authentication node of height 1 for leaf $leaf + 1 + 2^1$. This node is $stack_1$. The leftmost leaf of this node is $leaf + 1 + 2^1 + 2^1 = startnode$, so $stack_1$.initialize($leaf + 1 + 2^1 + 2^1$, 1). We could now use the treehash algorithm to compute $stack_h$ at once, but this would take $2^{h+1} - 1$ steps. In the worst case all $H$ nodes $auth_h$ change at once, so that we would need $\sum_{h=0}^{H-1} (2^{h+1} - 1)$ operations to compute one signature.

[Figure 4.2: Merkle tree after the first output and update phase]
[Figure 4.3: Merkle tree after the second output and update phase]

We know that we do not need to change $auth_h$ for the next $2^h$ signatures. Hence we have the time of $2^h$ signatures to perform the $2^{h+1} - 1$ operations which generate the next node. Therefore we only do two update operations for each $h = 0, \ldots, H-1$ per signature, by calling $stack_h$.update(2) for $h = 0, \ldots, H-1$. In this way we perform at most $2H$ operations per signature (two per stack) in the worst case.
Algorithm: Classic Merkle Tree Traversal
1. Set leaf = 0.
2. Output: Compute and output the leaf with LEAF_CALC(leaf). For each $h \in [0, H-1]$ output $auth_h$.
3. Refresh Auth Nodes: For each $h$ such that $2^h$ divides $leaf + 1$:
   Set $auth_h$ to the sole node value in $stack_h$.
   Set $startnode = (leaf + 1 + 2^h) \oplus 2^h$.
   $stack_h$.initialize($startnode$, $h$).
4. Build Stacks: For all $h \in [0, H-1]$: $stack_h$.update(2).
5. Loop: Set leaf = leaf + 1. If leaf $< 2^H$, go to step 2.

4.3 Merkle tree traversal in log space and time
In [Szy04] an improvement to the classic Merkle traversal algorithm was introduced. The main goal of this improved algorithm is to reduce the memory requirements. In the classic algorithm up to $H$ instances of treehash may be active concurrently, one for each height less than $H$. A treehash instance of height $h$ must store up to $h + 1$ nodes at once. Hence up to $\sum_{h=0}^{H-1} (h + 1) = H(H+1)/2$ nodes must be stored during one signature generation. The main idea of the improved algorithm is to reduce the memory requirements by reducing the number of active treehash instances during signature generation.
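Chapters 3 and 4 as one added worked example (this is not the paper's code): the tree of section 3.1 built with the TREEHASH algorithm of section 4.1, including the $stack_h$ objects with initialize and update, the classic traversal of section 4.2 producing each leaf's authentication path with two treehash steps per stack per signature, and the path check of section 3.3. Assumptions: SHA-256 as $H$, a tree of height 4, and leaf values $H(Y_i)$ where $Y_i$ is a seed-derived stand-in for the $i$-th one-time public key (any one-time scheme of chapter 2 plugs in; the one-time signature of the message itself is left out here). `naive_node` is only a cross-check and not part of the scheme.

```python
import hashlib
from typing import Dict, Iterator, List, Optional, Tuple

H_TREE = 4   # tree height n: 2^4 = 16 one-time key pairs (assumption for this example)


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_calc(seed: bytes, i: int) -> bytes:
    """LEAF_CALC(i) = a_{0,i} = H(Y_i). Y_i stands in for the i-th one-time public key and
    is derived from a seed here (assumption); any one-time scheme of chapter 2 fits."""
    return H(H(b"ots-public-key" + seed + i.to_bytes(4, "big")))


Node = Tuple[int, int, bytes]  # (height, index from the left, value)


class TreehashStack:
    """The object stack_h of section 4.1: one TREEHASH instance with initialize(startnode, h)
    and update(t). Each step pushes one leaf or hashes the two equal-height nodes on top of
    the stack; 2^(h+1)-1 steps yield the height-h node whose leftmost leaf is startnode."""

    def __init__(self, seed: bytes, record: Optional[Dict[Tuple[int, int], bytes]] = None):
        self.seed, self.record = seed, record
        self.initialize(0, 0)

    def initialize(self, startnode: int, h: int) -> None:
        self.leaf, self.h, self.stack, self.done = startnode, h, [], False

    def preload(self, h: int, index: int, value: bytes) -> None:
        """Treat an already computed node as this instance's finished result."""
        self.h, self.stack, self.done = h, [(h, index, value)], True

    def _push(self, node: Node) -> None:
        self.stack.append(node)
        if self.record is not None and node[1] < 2:   # keep a_{h,0} and a_{h,1} for keygen
            self.record[(node[0], node[1])] = node[2]
        if node[0] == self.h:
            self.done = True

    def update(self, t: int) -> None:
        for _ in range(t):
            if self.done:
                return
            if len(self.stack) >= 2 and self.stack[-1][0] == self.stack[-2][0]:
                _, _, right = self.stack.pop()                # consolidate
                hl, il, left = self.stack.pop()
                self._push((hl + 1, il >> 1, H(left + right)))
            else:                                             # new leaf
                self._push((0, self.leaf, leaf_calc(self.seed, self.leaf)))
                self.leaf += 1

    def value(self) -> bytes:
        assert self.done and len(self.stack) == 1, "treehash instance not finished"
        return self.stack[0][2]


def keygen(seed: bytes, n: int) -> Tuple[bytes, List[bytes], List[TreehashStack]]:
    """Section 3.1 and the start of 4.2: run TREEHASH over the whole tree. The root a_{n,0}
    is the public key; on the way, record the first authentication path auth_h = a_{h,1}
    and the leftmost-path nodes a_{h,0}, which become the initial stack contents."""
    record: Dict[Tuple[int, int], bytes] = {}
    full = TreehashStack(seed, record)
    full.initialize(0, n)
    full.update((1 << (n + 1)) - 1)
    stacks = []
    for h in range(n):
        st = TreehashStack(seed)
        st.preload(h, 0, record[(h, 0)])
        stacks.append(st)
    return full.value(), [record[(h, 1)] for h in range(n)], stacks


def classic_traversal(seed: bytes, n: int) -> Iterator[Tuple[int, bytes, List[bytes]]]:
    """Classic Merkle tree traversal (section 4.2): yields (leaf, LEAF_CALC(leaf),
    auth_0..auth_{n-1}) for every leaf in order, at most two treehash steps per stack each."""
    _, auth, stacks = keygen(seed, n)
    for leaf in range(1 << n):
        yield leaf, leaf_calc(seed, leaf), list(auth)
        for h in range(n):                                    # refresh auth nodes
            if (leaf + 1) % (1 << h) == 0:
                auth[h] = stacks[h].value()
                stacks[h].initialize((leaf + 1 + (1 << h)) ^ (1 << h), h)
        for h in range(n):                                    # build stacks
            stacks[h].update(2)


def verify_path(pub: bytes, leaf: int, leaf_value: bytes, auth: List[bytes]) -> bool:
    """Section 3.3: hash up the path; bit h of the leaf index says on which side auth_h goes."""
    node = leaf_value
    for h, sibling in enumerate(auth):
        node = H(sibling + node) if (leaf >> h) & 1 else H(node + sibling)
    return node == pub


def naive_node(seed: bytes, h: int, j: int) -> bytes:
    """a_{h,j} straight from the definition, exponential in h; only a cross-check."""
    if h == 0:
        return leaf_calc(seed, j)
    return H(naive_node(seed, h - 1, 2 * j) + naive_node(seed, h - 1, 2 * j + 1))
```

Every authentication path the traversal hands out verifies against the root, and the root and the first path match the direct recursive definition. As in the paper's algorithm, a stack whose startnode lies past the last leaf (the top stack after leaf $2^{n-1}$, and all stacks after the last leaf) keeps doing useless but harmless work; a production implementation would skip those updates.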

GTM Catalogue (Graduate Texts in Mathematics)

vol
2 Measure and Category
4 A Course in Homological Algebra
5 Categories for the Working Mathematician
6 Projective Planes
7 A Course in Arithmetic
9 Introduction to Lie Algebras and Representation Theory
11 Functions of One Complex Variable
13 Rings and Categories of Modules
14 Stable Mappings and Their Singularities
45 Probability Theory I
46 Probability Theory II
48 General Relativity for Mathematicians
50 Fermat's Last Theorem
52 Algebraic Geometry
53 A Course in Mathematical Logic
58 p-adic Numbers, p-adic Analysis, and Zeta-Functions
60 Mathematical Methods of Classical Mechanics
61 Elements of Homotopy Theory
65 Differential Analysis on Complex Manifolds
66 Introduction to Affine Group Schemes
67 Local Fields
71 Riemann Surfaces
72 Classical Topology and Combinatorial Group Theory
73 Algebra
74 Multiplicative Number Theory
76 Algebraic Geometry: Birational Geometry of Algebraic Varieties
78 A Course in Universal Algebra
79 An Introduction to Ergodic Theory
82 Differential Forms in Algebraic Topology
83 Introduction to Cyclotomic Fields
84 A Classical Introduction to Modern Number Theory

Paper Titles from the Big-4 Security Conferences

2009 and 2010 Papers: Big-4 Security Conferences
pvo, October 13, 2010

NDSS 2009
1. Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense. Y. Nadji, P. Saxena, D. Song
2. An Efficient Black-box Technique for Defeating Web Application Attacks. R. Sekar
3. Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks. M. Van Gundy, H. Chen
4. The Blind Stone Tablet: Outsourcing Durability to Untrusted Parties. P. Williams, R. Sion, D. Shasha
5. Two-Party Computation Model for Privacy-Preserving Queries over Distributed Databases. S. S. M. Chow, J.-H. Lee, L. Subramanian
6. SybilInfer: Detecting Sybil Nodes using Social Networks. G. Danezis, P. Mittal
7. Spectrogram: A Mixture-of-Markov-Chains Model for Anomaly Detection in Web Traffic. Yingbo Song, Angelos D. Keromytis, Salvatore J. Stolfo
8. Detecting Forged TCP Reset Packets. Nicholas Weaver, Robin Sommer, Vern Paxson
9. Coordinated Scan Detection. Carrie Gates
10. RB-Seeker: Auto-detection of Redirection Botnets. Xin Hu, Matthew Knysz, Kang G. Shin
11. Scalable, Behavior-Based Malware Clustering. Ulrich Bayer, Paolo Milani Comparetti, Clemens Hlauschek, Christopher Kruegel, Engin Kirda
12. K-Tracer: A System for Extracting Kernel Malware Behavior. Andrea Lanzi, Monirul I. Sharif, Wenke Lee
13. RAINBOW: A Robust And Invisible Non-Blind Watermark for Network Flows. Amir Houmansadr, Negar Kiyavash, Nikita Borisov
14. Traffic Morphing: An Efficient Defense Against Statistical Traffic Analysis. Charles V. Wright, Scott E. Coull, Fabian Monrose
15. Recursive DNS Architectures and Vulnerability Implications. David Dagon, Manos Antonakakis, Kevin Day, Xiapu Luo, Christopher P. Lee, Wenke Lee
16. Analyzing and Comparing the Protection Quality of Security Enhanced Operating Systems. Hong Chen, Ninghui Li, Ziqing Mao
17. IntScope: Automatically Detecting Integer Overflow Vulnerability in X86 Binary Using Symbolic Execution. Tielei Wang, Tao Wei, Zhiqiang Lin, Wei Zou
18. Safe Passage for Passwords and Other Sensitive Data. Jonathan M. McCune, Adrian Perrig, Michael K. Reiter
19. Conditioned-safe Ceremonies and a User Study of an Application to Web Authentication. Chris Karlof, J. Doug Tygar, David Wagner
20. CSAR: A Practical and Provable Technique to Make Randomized Systems Accountable. Michael Backes, Peter Druschel, Andreas Haeberlen, Dominique Unruh

Oakland 2009
1. Wirelessly Pickpocketing a Mifare Classic Card. (Best Practical Paper Award) Flavio D. Garcia, Peter van Rossum, Roel Verdult, Ronny Wichers Schreur
2. Plaintext Recovery Attacks Against SSH. Martin R. Albrecht, Kenneth G. Paterson, Gaven J. Watson
3. Exploiting Unix File-System Races via Algorithmic Complexity Attacks. Xiang Cai, Yuwei Gui, Rob Johnson
4. Practical Mitigations for Timing-Based Side-Channel Attacks on Modern x86 Processors. Bart Coppens, Ingrid Verbauwhede, Bjorn De Sutter, Koen De Bosschere
5. Non-Interference for a Practical DIFC-Based Operating System. Maxwell Krohn, Eran Tromer
6. Native Client: A Sandbox for Portable, Untrusted x86 Native Code. (Best Paper Award) B. Yee, D. Sehr, G. Dardyk, B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, N. Fullagar
7. Automatic Reverse Engineering of Malware Emulators. (Best Student Paper Award) Monirul Sharif, Andrea Lanzi, Jonathon Giffin, Wenke Lee
8. Prospex: Protocol Specification Extraction. Paolo Milani Comparetti, Gilbert Wondracek, Christopher Kruegel, Engin Kirda
9. Quantifying Information Leaks in Outbound Web Traffic. Kevin Borders, Atul Prakash
10. Automatic Discovery and Quantification of Information Leaks. Michael Backes, Boris Kopf, Andrey Rybalchenko
11. CLAMP: Practical Prevention of Large-Scale Data Leaks. Bryan Parno, Jonathan M. McCune, Dan Wendlandt, David G. Andersen, Adrian Perrig
12. De-anonymizing Social Networks. Arvind Narayanan, Vitaly Shmatikov
13. Privacy Weaknesses in Biometric Sketches. Koen Simoens, Pim Tuyls, Bart Preneel
14. The Mastermind Attack on Genomic Data. Michael T. Goodrich
15. A Logic of Secure Systems and its Application to Trusted Computing. Anupam Datta, Jason Franklin, Deepak Garg, Dilsun Kaynar
16. Formally Certifying the Security of Digital Signature Schemes. Santiago Zanella-Beguelin, Gilles Barthe, Benjamin Gregoire, Federico Olmedo
17. An Epistemic Approach to Coercion-Resistance for Electronic Voting Protocols. Ralf Kuesters, Tomasz Truderung
18. Sphinx: A Compact and Provably Secure Mix Format. George Danezis, Ian Goldberg
19. DSybil: Optimal Sybil-Resistance for Recommendation Systems. Haifeng Yu, Chenwei Shi, Michael Kaminsky, Phillip B. Gibbons, Feng Xiao
20. Fingerprinting Blank Paper Using Commodity Scanners. William Clarkson, Tim Weyrich, Adam Finkelstein, Nadia Heninger, Alex Halderman, Ed Felten
21. Tempest in a Teapot: Compromising Reflections Revisited. Michael Backes, Tongbo Chen, Markus Duermuth, Hendrik P. A. Lensch, Martin Welk
22. Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers. Mike Ter Louw, V. N. Venkatakrishnan
23. Pretty-Bad-Proxy: An Overlooked Adversary in Browsers' HTTPS Deployments. Shuo Chen, Ziqing Mao, Yi-Min Wang, Ming Zhang
24. Secure Content Sniffing for Web Browsers, or How to Stop Papers from Reviewing Themselves. Adam Barth, Juan Caballero, Dawn Song
25. It's No Secret: Measuring the Security and Reliability of Authentication via 'Secret' Questions. Stuart Schechter, A. J. Bernheim Brush, Serge Egelman
26. Password Cracking Using Probabilistic Context-Free Grammars. Matt Weir, Sudhir Aggarwal, Bill Glodek, Breno de Medeiros

USENIX Security 2009
1. Compromising Electromagnetic Emanations of Wired and Wireless Keyboards. (Outstanding Student Paper) Martin Vuagnoux, Sylvain Pasini
2. Peeping Tom in the Neighborhood: Keystroke Eavesdropping on Multi-User Systems. Kehuan Zhang, XiaoFeng Wang
3. A Practical Congestion Attack on Tor Using Long Paths. Nathan S. Evans, Roger Dingledine, Christian Grothoff
4. Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors. Periklis Akritidis, Manuel Costa, Miguel Castro, Steven Hand
5. Dynamic Test Generation to Find Integer Bugs in x86 Binary Linux Programs. David Molnar, Xue Cong Li, David A. Wagner
6. NOZZLE: A Defense Against Heap-spraying Code Injection Attacks. Paruj Ratanaworabhan, Benjamin
Livshits,Benjamin Zorn7.Detecting Spammers with SNARE:Spatio-temporal Network-level Automatic Reputation Engine.Shuang Hao,Nadeem Ahmed Syed,Nick Feamster,Alexander G.Gray,Sven Krasser8.Improving Tor using a TCP-over-DTLS Tunnel.Joel Reardon,Ian Goldberg9.Locating Prefix Hijackers using LOCK.Tongqing Qiu,Lusheng Ji,Dan Pei,Jia Wang,Jun(Jim)Xu,Hitesh Ballani10.GATEKEEPER:Mostly Static Enforcement of Security and Reliability Policies for JavaScript Code.Salvatore Guarnieri,Benjamin Livshits11.Cross-Origin JavaScript Capability Leaks:Detection,Exploitation,and Defense.Adam Barth,Joel Weinberger,Dawn Song12.Memory Safety for Low-Level Software/Hardware Interactions.John Criswell,Nicolas Geoffray,Vikram Adve13.Physical-layer Identification of RFID Devices.Boris Danev,Thomas S.Heydt-Benjamin,Srdjan CapkunCP:Secure Remote Storage for Computational RFIDs.Mastooreh Salajegheh,Shane Clark,Benjamin Ransford,Kevin Fu,Ari Juels15.Jamming-resistant Broadcast Communication without Shared Keys.Christina Popper,Mario Strasser,Srdjan Capkun16.xBook:Redesigning Privacy Control in Social Networking Platforms.Kapil Singh,Sumeer Bhola,Wenke Lee17.Nemesis:Preventing Authentication and Access Control Vulnerabilities in Web Applications.Michael Dalton,Christos Kozyrakis,Nickolai Zeldovich18.Static Enforcement of Web Application Integrity Through Strong Typing.William Robertson,Giovanni Vigna19.Vanish:Increasing Data Privacy with Self-Destructing Data.(Outstanding Student Paper)Roxana Geambasu,Tadayoshi Kohno,Amit A.Levy,Henry M.Levy20.Efficient Data Structures for Tamper-Evident Logging.Scott A.Crosby,Dan S.Wallach21.VPriv:Protecting Privacy in Location-Based Vehicular Services.Raluca Ada Popa,Hari Balakrishnan,Andrew J.Blumberg22.Effective and Efficient Malware Detection at the End Host.Clemens Kolbitsch,Paolo Milani Comparetti,Christopher Kruegel,Engin Kirda,Xiaoyong Zhou,XiaoFeng Wang 23.Protecting Confidential Data on Personal Computers with Storage Capsules.Kevin Borders,Eric Vander 
Weele,Billy Lau,Atul Prakash24.Return-Oriented Rootkits:Bypassing Kernel Code Integrity Protection Mechanisms.Ralf Hund,Thorsten Holz,Felix C.Freiling25.Crying Wolf:An Empirical Study of SSL Warning Effectiveness.Joshua Sunshine,Serge Egelman,Hazim Almuhimedi,Neha Atri,Lorrie Faith Cranor26.The Multi-Principal OS Construction of the Gazelle Web Browser.Helen J.Wang,Chris Grier,Alex Moshchuk,Samuel T.King,Piali Choudhury,Herman VenterACM CCS20091.Attacking cryptographic schemes based on”perturbation polynomials”.Martin Albrecht,Craig Gentry,Shai Halevi,Jonathan Katz2.Filter-resistant code injection on ARM.Yves Younan,Pieter Philippaerts,Frank Piessens,Wouter Joosen,Sven Lachmund,Thomas Walter3.False data injection attacks against state estimation in electric power grids.Yao Liu,Michael K.Reiter,Peng Ning4.EPC RFID tag security weaknesses and defenses:passport cards,enhanced drivers licenses,and beyond.Karl Koscher,Ari Juels,Vjekoslav Brajkovic,Tadayoshi Kohno5.An efficient forward private RFID protocol.Come Berbain,Olivier Billet,Jonathan Etrog,Henri Gilbert6.RFID privacy:relation between two notions,minimal condition,and efficient construction.Changshe Ma,Yingjiu Li,Robert H.Deng,Tieyan Li7.CoSP:a general framework for computational soundness proofs.Michael Backes,Dennis Hofheinz,Dominique Unruh8.Reactive noninterference.Aaron Bohannon,Benjamin C.Pierce,Vilhelm Sjoberg,Stephanie Weirich,Steve Zdancewicputational soundness for key exchange protocols with symmetric encryption.Ralf Kusters,Max Tuengerthal10.A probabilistic approach to hybrid role mining.Mario Frank,Andreas P.Streich,David A.Basin,Joachim M.Buhmann11.Efficient pseudorandom functions from the decisional linear assumption and weaker variants.Allison B.Lewko,Brent Waters12.Improving privacy and security in multi-authority attribute-based encryption.Melissa Chase,Sherman S.M.Chow13.Oblivious transfer with access control.Jan Camenisch,Maria Dubovitskaya,Gregory Neven14.NISAN:network information service for 
anonymization networks.Andriy Panchenko,Stefan Richter,Arne Rache15.Certificateless onion routing.Dario Catalano,Dario Fiore,Rosario Gennaro16.ShadowWalker:peer-to-peer anonymous communication using redundant structured topologies.Prateek Mittal,Nikita Borisov17.Ripley:automatically securing web2.0applications through replicated execution.K.Vikram,Abhishek Prateek,V.Benjamin Livshits18.HAIL:a high-availability and integrity layer for cloud storage.Kevin D.Bowers,Ari Juels,Alina Oprea19.Hey,you,get offof my cloud:exploring information leakage in third-party compute clouds.Thomas Ristenpart,Eran Tromer,Hovav Shacham,Stefan Savage20.Dynamic provable data possession.C.Christopher Erway,Alptekin Kupcu,Charalampos Papamanthou,Roberto Tamassia21.On cellular botnets:measuring the impact of malicious devices on a cellular network core.Patrick Traynor,Michael Lin,Machigar Ongtang,Vikhyath Rao,Trent Jaeger,Patrick Drew McDaniel,Thomas Porta 22.On lightweight mobile phone application certification.William Enck,Machigar Ongtang,Patrick Drew McDaniel23.SMILE:encounter-based trust for mobile social services.Justin Manweiler,Ryan Scudellari,Landon P.Cox24.Battle of Botcraft:fighting bots in online games with human observational proofs.Steven Gianvecchio,Zhenyu Wu,Mengjun Xie,Haining Wang25.Fides:remote anomaly-based cheat detection using client emulation.Edward C.Kaiser,Wu-chang Feng,Travis Schluessler26.Behavior based software theft detection.Xinran Wang,Yoon-chan Jhi,Sencun Zhu,Peng Liu27.The fable of the bees:incentivizing robust revocation decision making in ad hoc networks.Steffen Reidt,Mudhakar Srivatsa,Shane Balfe28.Effective implementation of the cell broadband engineTM isolation loader.Masana Murase,Kanna Shimizu,Wilfred Plouffe,Masaharu Sakamoto29.On achieving good operating points on an ROC plane using stochastic anomaly score prediction.Muhammad Qasim Ali,Hassan Khan,Ali Sajjad,Syed Ali Khayam30.On non-cooperative location privacy:a game-theoretic analysis.Julien 
Freudiger,Mohammad Hossein Manshaei,Jean-Pierre Hubaux,David C.Parkes31.Privacy-preserving genomic computation through program specialization.Rui Wang,XiaoFeng Wang,Zhou Li,Haixu Tang,Michael K.Reiter,Zheng Dong32.Feeling-based location privacy protection for location-based services.Toby Xu,Ying Cai33.Multi-party off-the-record messaging.Ian Goldberg,Berkant Ustaoglu,Matthew Van Gundy,Hao Chen34.The bayesian traffic analysis of mix networks.Carmela Troncoso,George Danezis35.As-awareness in Tor path selection.Matthew Edman,Paul F.Syverson36.Membership-concealing overlay networks.Eugene Y.Vasserman,Rob Jansen,James Tyra,Nicholas Hopper,Yongdae Kim37.On the difficulty of software-based attestation of embedded devices.Claude Castelluccia,Aurelien Francillon,Daniele Perito,Claudio Soriente38.Proximity-based access control for implantable medical devices.Kasper Bonne Rasmussen,Claude Castelluccia,Thomas S.Heydt-Benjamin,Srdjan Capkun39.XCS:cross channel scripting and its impact on web applications.Hristo Bojinov,Elie Bursztein,Dan Boneh40.A security-preserving compiler for distributed programs:from information-flow policies to cryptographic mechanisms.Cedric Fournet,Gurvan Le Guernic,Tamara Rezk41.Finding bugs in exceptional situations of JNI programs.Siliang Li,Gang Tan42.Secure open source collaboration:an empirical study of Linus’law.Andrew Meneely,Laurie A.Williams43.On voting machine design for verification and testability.Cynthia Sturton,Susmit Jha,Sanjit A.Seshia,David Wagner44.Secure in-VM monitoring using hardware virtualization.Monirul I.Sharif,Wenke Lee,Weidong Cui,Andrea Lanzi45.A metadata calculus for secure information sharing.Mudhakar Srivatsa,Dakshi Agrawal,Steffen Reidt46.Multiple password interference in text passwords and click-based graphical passwords.Sonia Chiasson,Alain Forget,Elizabeth Stobert,Paul C.van Oorschot,Robert Biddle47.Can they hear me now?:a security analysis of law enforcement wiretaps.Micah Sherr,Gaurav Shah,Eric Cronin,Sandy 
Clark,Matt Blaze48.English shellcode.Joshua Mason,Sam Small,Fabian Monrose,Greg MacManus49.Learning your identity and disease from research papers:information leaks in genome wide association study.Rui Wang,Yong Fuga Li,XiaoFeng Wang,Haixu Tang,Xiao-yong Zhou50.Countering kernel rootkits with lightweight hook protection.Zhi Wang,Xuxian Jiang,Weidong Cui,Peng Ning51.Mapping kernel objects to enable systematic integrity checking.Martim Carbone,Weidong Cui,Long Lu,Wenke Lee,Marcus Peinado,Xuxian Jiang52.Robust signatures for kernel data structures.Brendan Dolan-Gavitt,Abhinav Srivastava,Patrick Traynor,Jonathon T.Giffin53.A new cell counter based attack against tor.Zhen Ling,Junzhou Luo,Wei Yu,Xinwen Fu,Dong Xuan,Weijia Jia54.Scalable onion routing with torsk.Jon McLachlan,Andrew Tran,Nicholas Hopper,Yongdae Kim55.Anonymous credentials on a standard java card.Patrik Bichsel,Jan Camenisch,Thomas Gros,Victor Shouprge-scale malware indexing using function-call graphs.Xin Hu,Tzi-cker Chiueh,Kang G.Shin57.Dispatcher:enabling active botnet infiltration using automatic protocol reverse-engineering.Juan Caballero,Pongsin Poosankam,Christian Kreibich,Dawn Xiaodong Song58.Your botnet is my botnet:analysis of a botnet takeover.Brett Stone-Gross,Marco Cova,Lorenzo Cavallaro,Bob Gilbert,MartinSzydlowski,Richard A.Kemmerer,Christopher Kruegel,Giovanni VignaNDSS20101.Server-side Verification of Client Behavior in Online Games.Darrell Bethea,Robert Cochran and Michael Reiter2.Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs.S.Wolchok,O.S.Hofmann,N.Heninger,E.W.Felten,J.A.Halderman,C.J.Rossbach,B.Waters,E.Witchel3.Stealth DoS Attacks on Secure Channels.Amir Herzberg and Haya Shulman4.Protecting Browsers from Extension Vulnerabilities.Adam Barth,Adrienne Porter Felt,Prateek Saxena,and Aaron Boodman5.Adnostic:Privacy Preserving Targeted Advertising.Vincent Toubiana,Arvind Narayanan,Dan Boneh,Helen Nissenbaum and Solon Barocas6.FLAX:Systematic Discovery of Client-side 
Validation Vulnerabilities in Rich Web Applications.Prateek Saxena,Steve Hanna,Pongsin Poosankam and Dawn Song7.Effective Anomaly Detection with Scarce Training Data.William Robertson,Federico Maggi,Christopher Kruegel and Giovanni Vignarge-Scale Automatic Classification of Phishing Pages.Colin Whittaker,Brian Ryner and Marria Nazif9.A Systematic Characterization of IM Threats using Honeypots.Iasonas Polakis,Thanasis Petsas,Evangelos P.Markatos and Spiros Antonatos10.On Network-level Clusters for Spam Detection.Zhiyun Qian,Zhuoqing Mao,Yinglian Xie and Fang Yu11.Improving Spam Blacklisting Through Dynamic Thresholding and Speculative Aggregation.Sushant Sinha,Michael Bailey and Farnam Jahanian12.Botnet Judo:Fighting Spam with Itself.A.Pitsillidis,K.Levchenko,C.Kreibich,C.Kanich,G.M.Voelker,V.Paxson,N.Weaver,S.Savage13.Contractual Anonymity.Edward J.Schwartz,David Brumley and Jonathan M.McCune14.A3:An Extensible Platform for Application-Aware Anonymity.Micah Sherr,Andrew Mao,William R.Marczak,Wenchao Zhou,Boon Thau Loo,and Matt Blaze15.When Good Randomness Goes Bad:Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography.Thomas Ristenpart and Scott Yilek16.InvisiType:Object-Oriented Security Policies.Jiwon Seo and Monica m17.A Security Evaluation of DNSSEC with NSEC3.Jason Bau and John Mitchell18.On the Safety of Enterprise Policy Deployment.Yudong Gao,Ni Pan,Xu Chen and Z.Morley Mao19.Where Do You Want to Go Today?Escalating Privileges by Pathname Manipulation.Suresh Chari,Shai Halevi and Wietse Venema20.Joe-E:A Security-Oriented Subset of Java.Adrian Mettler,David Wagner and Tyler Close21.Preventing Capability Leaks in Secure JavaScript Subsets.Matthew Finifter,Joel Weinberger and Adam Barth22.Binary Code Extraction and Interface Identification for Security Applications.Juan Caballero,Noah M.Johnson,Stephen McCamant,and Dawn Song23.Automatic Reverse Engineering of Data Structures from Binary Execution.Zhiqiang Lin,Xiangyu Zhang and Dongyan 
Xu24.Efficient Detection of Split Personalities in Malware.Davide Balzarotti,Marco Cova,Christoph Karlberger,Engin Kirda,Christopher Kruegel and Giovanni VignaOakland20101.Inspector Gadget:Automated Extraction of Proprietary Gadgets from Malware Binaries.Clemens Kolbitsch Thorsten Holz,Christopher Kruegel,Engin Kirda2.Synthesizing Near-Optimal Malware Specifications from Suspicious Behaviors.Matt Fredrikson,Mihai Christodorescu,Somesh Jha,Reiner Sailer,Xifeng Yan3.Identifying Dormant Functionality in Malware Programs.Paolo Milani Comparetti,Guido Salvaneschi,Clemens Kolbitsch,Engin Kirda,Christopher Kruegel,Stefano Zanero4.Reconciling Belief and Vulnerability in Information Flow.Sardaouna Hamadou,Vladimiro Sassone,Palamidessi5.Towards Static Flow-Based Declassification for Legacy and Untrusted Programs.Bruno P.S.Rocha,Sruthi Bandhakavi,Jerry I.den Hartog,William H.Winsborough,Sandro Etalle6.Non-Interference Through Secure Multi-Execution.Dominique Devriese,Frank Piessens7.Object Capabilities and Isolation of Untrusted Web Applications.Sergio Maffeis,John C.Mitchell,Ankur Taly8.TrustVisor:Efficient TCB Reduction and Attestation.Jonathan McCune,Yanlin Li,Ning Qu,Zongwei Zhou,Anupam Datta,Virgil Gligor,Adrian Perrig9.Overcoming an Untrusted Computing Base:Detecting and Removing Malicious Hardware Automatically.Matthew Hicks,Murph Finnicum,Samuel T.King,Milo M.K.Martin,Jonathan M.Smith10.Tamper Evident Microprocessors.Adam Waksman,Simha Sethumadhavan11.Side-Channel Leaks in Web Applications:a Reality Today,a Challenge Tomorrow.Shuo Chen,Rui Wang,XiaoFeng Wang Kehuan Zhang12.Investigation of Triangular Spamming:a Stealthy and Efficient Spamming Technique.Zhiyun Qian,Z.Morley Mao,Yinglian Xie,Fang Yu13.A Practical Attack to De-Anonymize Social Network Users.Gilbert Wondracek,Thorsten Holz,Engin Kirda,Christopher Kruegel14.SCiFI-A System for Secure Face Identification.(Best Paper)Margarita Osadchy,Benny Pinkas,Ayman Jarrous,Boaz Moskovich15.Round-Efficient Broadcast 
Authentication Protocols for Fixed Topology Classes.Haowen Chan,Adrian Perrig16.Revocation Systems with Very Small Private Keys.Allison Lewko,Amit Sahai,Brent Waters17.Authenticating Primary Users’Signals in Cognitive Radio Networks via Integrated Cryptographic and Wireless Link Signatures.Yao Liu,Peng Ning,Huaiyu Dai18.Outside the Closed World:On Using Machine Learning For Network Intrusion Detection.Robin Sommer,Vern Paxson19.All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution(but might have been afraid to ask).Thanassis Avgerinos,Edward Schwartz,David Brumley20.State of the Art:Automated Black-Box Web Application Vulnerability Testing.Jason Bau,Elie Bursztein,Divij Gupta,John Mitchell21.A Proof-Carrying File System.Deepak Garg,Frank Pfenning22.Scalable Parametric Verification of Secure Systems:How to Verify Ref.Monitors without Worrying about Data Structure Size.Jason Franklin,Sagar Chaki,Anupam Datta,Arvind Seshadri23.HyperSafe:A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity.Zhi Wang,Xuxian Jiang24.How Good are Humans at Solving CAPTCHAs?A Large Scale Evaluation.Elie Bursztein,Steven Bethard,John C.Mitchell,Dan Jurafsky,Celine Fabry25.Bootstrapping Trust in Commodity Computers.Bryan Parno,Jonathan M.McCune,Adrian Perrig26.Chip and PIN is Broken.(Best Practical Paper)Steven J.Murdoch,Saar Drimer,Ross Anderson,Mike Bond27.Experimental Security Analysis of a Modern Automobile.K.Koscher,A.Czeskis,F.Roesner,S.Patel,T.Kohno,S.Checkoway,D.McCoy,B.Kantor,D.Anderson,H.Shacham,S.Savage 28.On the Incoherencies in Web Browser Access Control Policies.Kapil Singh,Alexander Moshchuk,Helen J.Wang,Wenke Lee29.ConScript:Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser.Leo Meyerovich,Benjamin Livshits30.TaintScope:A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection.(Best Student Paper)Tielei Wang,Tao Wei,Guofei Gu,Wei Zou31.A Symbolic Execution 
Framework for JavaScript.Prateek Saxena,Devdatta Akhawe,Steve Hanna,Stephen McCamant,Dawn Song,Feng MaoUSENIX Security20101.Adapting Software Fault Isolation to Contemporary CPU Architectures.David Sehr,Robert Muth,CliffBiffle,Victor Khimenko,Egor Pasko,Karl Schimpf,Bennet Yee,Brad Chen2.Making Linux Protection Mechanisms Egalitarian with UserFS.Taesoo Kim and Nickolai Zeldovich3.Capsicum:Practical Capabilities for UNIX.(Best Student Paper)Robert N.M.Watson,Jonathan Anderson,Ben Laurie,Kris Kennaway4.Structuring Protocol Implementations to Protect Sensitive Data.Petr Marchenko,Brad Karp5.PrETP:Privacy-Preserving Electronic Toll Pricing.Josep Balasch,Alfredo Rial,Carmela Troncoso,Bart Preneel,Ingrid Verbauwhede,Christophe Geuens6.An Analysis of Private Browsing Modes in Modern Browsers.Gaurav Aggarwal,Elie Bursztein,Collin Jackson,Dan Boneh7.BotGrep:Finding P2P Bots with Structured Graph Analysis.Shishir Nagaraja,Prateek Mittal,Chi-Yao Hong,Matthew Caesar,Nikita Borisov8.Fast Regular Expression Matching Using Small TCAMs for Network Intrusion Detection and Prevention Systems.Chad R.Meiners,Jignesh Patel,Eric Norige,Eric Torng,Alex X.Liu9.Searching the Searchers with SearchAudit.John P.John,Fang Yu,Yinglian Xie,Martin Abadi,Arvind Krishnamurthy10.Toward Automated Detection of Logic Vulnerabilities in Web Applications.Viktoria Felmetsger,Ludovico Cavedon,Christopher Kruegel,Giovanni Vigna11.Baaz:A System for Detecting Access Control Misconfigurations.Tathagata Das,Ranjita Bhagwan,Prasad Naldurg12.Cling:A Memory Allocator to Mitigate Dangling Pointers.Periklis Akritidis13.ZKPDL:A Language-Based System for Efficient Zero-Knowledge Proofs and Electronic Cash.Sarah Meiklejohn,C.Chris Erway,Alptekin Kupcu,Theodora Hinkle,Anna Lysyanskaya14.P4P:Practical Large-Scale Privacy-Preserving Distributed Computation Robust against Malicious Users.Yitao Duan,John Canny,Justin Zhan,15.SEPIA:Privacy-Preserving Aggregation of Multi-Domain Network Events and Statistics.Martin 
Burkhart,Mario Strasser,Dilip Many,Xenofontas Dimitropoulos16.Dude,Where’s That IP?Circumventing Measurement-based IP Geolocation.Phillipa Gill,Yashar Ganjali,Bernard Wong,David Lie17.Idle Port Scanning and Non-interference Analysis of Network Protocol Stacks Using Model Checking.Roya Ensafi,Jong Chun Park,Deepak Kapur,Jedidiah R.Crandall18.Building a Dynamic Reputation System for DNS.Manos Antonakakis,Roberto Perdisci,David Dagon,Wenke Lee,Nick Feamster19.Scantegrity II Municipal Election at Takoma Park:The First E2E Binding Governmental Election with Ballot Privacy.R.Carback,D.Chaum,J.Clark,J.Conway,A.Essex,P.S.Herrnson,T.Mayberry,S.Popoveniuc,R.L.Rivest,E.Shen,A.T.Sherman,P.L.Vora20.Acoustic Side-Channel Attacks on Printers.Michael Backes,Markus Durmuth,Sebastian Gerling,Manfred Pinkal,Caroline Sporleder21.Security and Privacy Vulnerabilities of In-Car Wireless Networks:A Tire Pressure Monitoring System Case Study.Ishtiaq Rouf,Rob Miller,Hossen Mustafa,Travis Taylor,Sangho Oh,Wenyuan Xu,Marco Gruteser,Wade Trappe,Ivan Seskar 22.VEX:Vetting Browser Extensions for Security Vulnerabilities.(Best Paper)Sruthi Bandhakavi,Samuel T.King,P.Madhusudan,Marianne Winslett23.Securing Script-Based Extensibility in Web Browsers.Vladan Djeric,Ashvin Goel24.AdJail:Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements.Mike Ter Louw,Karthik Thotta Ganesh,V.N.Venkatakrishnan25.Realization of RF Distance Bounding.Kasper Bonne Rasmussen,Srdjan Capkun26.The Case for Ubiquitous Transport-Level Encryption.Andrea Bittau,Michael Hamburg,Mark Handley,David Mazieres,Dan Boneh27.Automatic Generation of Remediation Procedures for Malware Infections.Roberto Paleari,Lorenzo Martignoni,Emanuele Passerini,Drew Davidson,Matt Fredrikson,Jon Giffin,Somesh Jha28.Re:CAPTCHAs-Understanding CAPTCHA-Solving Services in an Economic Context.Marti Motoyama,Kirill Levchenko,Chris Kanich,Damon McCoy,Geoffrey M.Voelker,Stefan Savage29.Chipping Away at Censorship Firewalls with 
User-Generated Content.Sam Burnett,Nick Feamster,Santosh Vempala30.Fighting Coercion Attacks in Key Generation using Skin Conductance.Payas Gupta,Debin GaoACM CCS20101.Security Analysis of India’s Electronic Voting Machines.Scott Wolchok,Erik Wustrow,J.Alex Halderman,Hari Prasad,Rop Gonggrijp2.Dissecting One Click Frauds.Nicolas Christin,Sally S.Yanagihara,Keisuke Kamataki3.@spam:The Underground on140Characters or Less.Chris Grier,Kurt Thomas,Vern Paxson,Michael Zhang4.HyperSentry:Enabling Stealthy In-context Measurement of Hypervisor Integrity.Ahmed M.Azab,Peng Ning,Zhi Wang,Xuxian Jiang,Xiaolan Zhang,Nathan C.Skalsky5.Trail of Bytes:Efficient Support for Forensic Analysis.Srinivas Krishnan,Kevin Z.Snow,Fabian Monrose6.Survivable Key Compromise in Software Update Systems.Justin Samuel,Nick Mathewson,Justin Cappos,Roger Dingledine7.A Methodology for Empirical Analysis of the Permission-Based Security Models and its Application to Android.David Barrera,H.Gunes Kayacik,Paul C.van Oorschot,Anil Somayaji8.Mobile Location Tracking in Metropolitan Areas:malnets and others.Nathanial Husted,Steve Myers9.On Pairing Constrained Wireless Devices Based on Secrecy of Auxiliary Channels:The Case of Acoustic Eavesdropping.Tzipora Halevi,Nitesh Saxena10.PinDr0p:Using Single-Ended Audio Features to Determine Call Provenance.Vijay A.Balasubramaniyan,Aamir Poonawalla,Mustaque Ahamad,Michael T.Hunter,Patrick Traynor11.Building Efficient Fully Collusion-Resilient Traitor Tracing and Revocation Schemes.Sanjam Garg,Abishek Kumarasubramanian,Amit Sahai,Brent Waters12.Algebraic Pseudorandom Functions with Improved Efficiency from the Augmented Cascade.Dan Boneh,Hart Montgomery,Ananth Raghunathan13.Practical Leakage-Resilient Pseudorandom Generators.Yu Yu,Francois-Xavier Standaert,Olivier Pereira,Moti Yung14.Practical Leakage-Resilient Identity-Based Encryption from Simple Assumptions.Sherman S.M.Chow,Yevgeniy Dodis,Yannis Rouselakis,Brent Waters15.Testing Metrics for Password Creation 
Policies by Attacking Large Sets of Revealed Passwords.Matt Weir,Sudhir Aggarwal,Michael Collins,Henry Stern16.The Security of Modern Password Expiration:An Algorithmic Framework and Empirical Analysis.Yinqian Zhang,Fabian Monrose,Michael K.Reiter17.Attacks and Design of Image Recognition CAPTCHAs.Bin Zhu,JeffYan,Chao Yang,Qiujie Li,Jiu Liu,Ning Xu,Meng Yi18.Robusta:Taming the Native Beast of the JVM.Joseph Siefers,Gang Tan,Greg Morrisett19.Retaining Sandbox Containment Despite Bugs in Privileged Memory-Safe Code.Justin Cappos,Armon Dadgar,JeffRasley,Justin Samuel,Ivan Beschastnikh,Cosmin Barsan,Arvind Krishnamurthy,Thomas Anderson20.A Control Point for Reducing Root Abuse of File-System Privileges.Glenn Wurster,Paul C.van Oorschot21.Modeling Attacks on Physical Unclonable Functions.Ulrich Ruehrmair,Frank Sehnke,Jan Soelter,Gideon Dror,Srinivas Devadas,Juergen Schmidhuber22.Dismantling SecureMemory,CryptoMemory and CryptoRF.Flavio D.Garcia,Peter van Rossum,Roel Verdult,Ronny Wichers Schreur23.Attacking and Fixing PKCS#11Security Tokens.Matteo Bortolozzo,Matteo Centenaro,Riccardo Focardi,Graham Steel24.An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications.Dongseok Jang,Ranjit Jhala,Sorin Lerner,Hovav Shacham25.DIFC Programs by Automatic Instrumentation.William Harris,Somesh Jha,Thomas Reps26.Predictive Black-box Mitigation of Timing Channels.Aslan Askarov,Danfeng Zhang,Andrew Myers27.In Search of an Anonymous and Secure Lookup:Attacks on Structured Peer-to-peer Anonymous Communication Systems.Qiyan Wang,Prateek Mittal,Nikita Borisov28.Recruiting New Tor Relays with BRAIDS.Rob Jansen,Nicholas Hopper,Yongdae Kim29.An Improved Algorithm for Tor Circuit Scheduling.Can Tang,Ian Goldberg30.Dissent:Accountable Anonymous Group Messaging.Henry Corrigan-Gibbs,Bryan Ford31.Abstraction by Set-Membership—Verifying Security Protocols and Web Services with Databases.Sebastian Moedersheim。

Cryptography Notes (5): The Rabin Cryptosystem and Semantic Security

I. The Rabin cryptosystem

The Rabin cryptosystem is a variant of the RSA cryptosystem. Assuming that the modulus $n = pq$ cannot be factored, this kind of system is computationally secure against chosen-plaintext attacks.

The Rabin cryptosystem therefore provides an example of a provably secure cryptosystem: assuming that factoring integers is infeasible, the Rabin cryptosystem is secure.

Theorem 1 (Rabin cryptosystem). Let $n = pq$, where $p$ and $q$ are primes with $p, q \equiv 3 \pmod 4$. Let $P = C = \mathbb{Z}_n^{*}$, and define $\mathcal{K} = \{(n, p, q)\}$. For $K = (n, p, q)$, define $e_K(x) = x^2 \bmod n$ and $d_K(y) = \sqrt{y} \bmod n$. Here $n$ is the public key, and $p$ and $q$ are the private key.

Note: the condition $p, q \equiv 3 \pmod 4$ can be dropped, and the condition $P = C = \mathbb{Z}_n^{*}$ can be weakened to $P = C = \mathbb{Z}_n$; the more restrictive description is used only because it simplifies many aspects of the computation and of the analysis of the cryptosystem.

Note that the encryption function $y = x^2$ is not injective, so decryption cannot be done in an obvious way. Specifically, for $y \equiv x^2 \pmod n$ with some $x \in \mathbb{Z}_n^{*}$, the congruence has four solutions modulo $n$, and unless some extra redundant information is available, it is impossible to tell which of them is the right one.

From Bob's point of view, the decryption problem is this: he has a ciphertext $y$ and wants to find $x$ such that $x^2 \equiv y \pmod n$. This is a quadratic equation in the unknown $x \in \mathbb{Z}_n$; decrypting requires computing square roots modulo $n$, which is equivalent to solving the following two congruences:

$$z^2 \equiv y \pmod p, \qquad z^2 \equiv y \pmod q.$$

We can use Euler's criterion to decide whether $y$ is a quadratic residue modulo $p$ or modulo $q$. In fact, if encryption was performed correctly, $y$ is a quadratic residue both modulo $p$ and modulo $q$; unfortunately, this does not help us find its square roots.

When $p \equiv 3 \pmod 4$, there is a simple formula for the square roots of a quadratic residue modulo $p$. Suppose $y$ is a quadratic residue modulo $p$ and $p \equiv 3 \pmod 4$. Then

$$\begin{aligned} (\pm y^{\frac{p+1}{4}})^2 &\equiv y^{\frac{p+1}{2}} \pmod p \\ &\equiv y^{\frac{p-1}{2}} y \pmod p \\ &\equiv y \pmod p. \end{aligned}$$

Here Euler's criterion is used once more: when $y$ is a quadratic residue modulo $p$, $y^{\frac{p-1}{2}} \equiv 1 \pmod p$. Therefore the two square roots of $y$ modulo $p$ are $\pm y^{\frac{p+1}{4}} \bmod p$, and by the same argument the two square roots of $y$ modulo $q$ are $\pm y^{\frac{q+1}{4}} \bmod q$. The Chinese remainder theorem then yields the four square roots of $y$ modulo $n$.

The Rabin encryption algorithm

The Rabin algorithm is an asymmetric encryption algorithm whose security rests on the hardness of factoring large integers.

It was proposed in 1979 by the Israeli cryptographer Michael Rabin.

The Rabin algorithm is simple and efficient, and is particularly suited to encrypting and decrypting large data blocks.

Encryption uses the public key and decryption uses the private key.

Encryption proceeds as follows:

1. Choose two distinct large primes p and q, and compute n = p * q.

2. Split the plaintext into fixed-length blocks and convert each block into a numeric value.

3. Apply the encryption operation to each value to obtain the ciphertext.

The encryption operation is: for each value x, compute y = (x ^ 2) % n.

Decryption proceeds as follows:

1. Given n, p and q, compute a modular inverse u with u = q^-1 % p.

2. Apply the decryption operation to each ciphertext value to obtain the plaintext value.

The decryption operation is: for each value y, compute x1 = (y ^ ((p+1)/4)) % p and x2 = (y ^ ((q+1)/4)) % q.

Then compute the four candidate solutions: (x1 * p * u + x2 * q) % n, (-x1 * p * u + x2 * q) % n, (x1 * p * u - x2 * q) % n, (-x1 * p * u - x2 * q) % n.

The security of the Rabin algorithm rests on the difficulty of factoring large integers.

With current computing power, factoring large integers is a very hard mathematical problem.

Breaking the Rabin algorithm therefore requires solving the integer factoring problem.

The Rabin algorithm has one problem: decryption may produce several solutions.

This is because computing x1 and x2 yields two possible values each.

To resolve this, the plaintext values are usually required to satisfy some condition at encryption time, so that decryption yields a unique plaintext.

The Rabin algorithm also has a plaintext-feature leakage problem.

Because plaintext values and ciphertext values stand in a one-to-one correspondence, an attacker who obtains several plaintext-ciphertext pairs can compare the ciphertext values to infer relationships between the plaintext values.

Therefore, when using the Rabin algorithm, care must be taken to choose random plaintext values.

In summary, the Rabin algorithm is an asymmetric encryption algorithm whose security rests on the hardness of factoring large integers.
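The following worked example is added here and is not code from either of the two Rabin write-ups above. It implements what both describe: Euler's criterion, the $\pm y^{(p+1)/4}$ square-root formula for primes $p \equiv 3 \pmod 4$, recombination of the four roots with the Chinese remainder theorem (the textbook CRT formula with both inverses, which is what the square-root description requires), and a redundancy rule that makes the plaintext unique at decryption, as the second write-up recommends. The primes 100003 and 1000003, the 16-bit tag and the message 12345 are constructed demo values; real keys use primes of hundreds of digits.

```python
# Added worked example (not from the notes above): the Rabin cryptosystem with
# p, q ≡ 3 (mod 4), square roots via the (p+1)/4 exponent, CRT recombination of
# the four roots, and a redundancy rule that selects the right root.
# All primes and messages below are constructed demo values.

def is_prime(n):
    """Trial division; adequate for the small demo primes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def rabin_keygen(p, q):
    """Public key n = p*q; private key (p, q). Both primes must be ≡ 3 (mod 4)."""
    if not (is_prime(p) and is_prime(q) and p != q):
        raise ValueError("p and q must be distinct primes")
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must be congruent to 3 mod 4")
    return p * q, (p, q)

def euler_criterion(y, p):
    """Euler's criterion: y is a quadratic residue mod the odd prime p iff y^((p-1)/2) ≡ 1."""
    return pow(y % p, (p - 1) // 2, p) == 1

def sqrt_mod_p(y, p):
    """Both square roots of a quadratic residue y modulo a prime p ≡ 3 (mod 4):
    ±y^((p+1)/4) mod p, as derived in the notes."""
    r = pow(y % p, (p + 1) // 4, p)
    return r, (-r) % p

def crt(rp, p, rq, q):
    """Chinese remainder theorem: the unique x mod pq with x ≡ rp (mod p), x ≡ rq (mod q)."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)

def rabin_encrypt(x, n):
    """e_K(x) = x^2 mod n."""
    return pow(x, 2, n)

def rabin_decrypt_all(y, p, q):
    """All square roots of y modulo n = pq (four of them when gcd(y, n) = 1), sorted."""
    roots = {crt(a, p, b, q) for a in sqrt_mod_p(y, p) for b in sqrt_mod_p(y, q)}
    return sorted(roots)

TAG_BITS = 16   # constructed choice for the demo redundancy rule

def pad(m):
    """Redundancy rule: repeat the low 16 bits of m below m, so that a wrong root
    satisfies the rule only with probability about 2^-16."""
    return (m << TAG_BITS) | (m & ((1 << TAG_BITS) - 1))

def unpad(x):
    """Return m if x satisfies the redundancy rule, otherwise None."""
    low = x & ((1 << TAG_BITS) - 1)
    m = x >> TAG_BITS
    return m if (m & ((1 << TAG_BITS) - 1)) == low else None

def rabin_decrypt(y, p, q):
    """Decrypt a ciphertext of a padded message; the redundancy picks the root."""
    candidates = [unpad(x) for x in rabin_decrypt_all(y, p, q)]
    candidates = [m for m in candidates if m is not None]
    if len(candidates) != 1:
        raise ValueError("redundancy did not identify a unique plaintext")
    return candidates[0]

if __name__ == "__main__":
    n, (p, q) = rabin_keygen(100003, 1000003)   # constructed demo primes, both ≡ 3 (mod 4)
    m = 12345
    y = rabin_encrypt(pad(m), n)
    print("four square roots of y mod n:", rabin_decrypt_all(y, p, q))
    print("recovered plaintext:", rabin_decrypt(y, p, q))
```

With the toy modulus $n = 7 \cdot 11 = 77$, `rabin_decrypt_all(25, 7, 11)` returns the four roots 5, 16, 61 and 72 of 25, which shows concretely why the plaintext is ambiguous without a redundancy rule. Note also that `rabin_encrypt` is deterministic: the same block always yields the same ciphertext, which is the leakage the second write-up warns about and the reason it asks for randomised plaintext values.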

A Biometric-Based Signcryption Scheme on GDH Groups

Gao Jianping (高建平)
(School of Science, Guizhou University, Guiyang, Guizhou 550025)

Abstract: Biometric identity, with its unique advantages, has become a current focus of attention in the information security field. The introduction of the fuzzy extractor made it possible to extract a stable strong key from varying biometric data. Applying the biometric key to signcryption, "a biometric-based signcryption scheme" is proposed, which avoids the ... certificate-management problem of traditional identity-based schemes. Comparatively, using biometrics for identity authentication saves a great deal of time and space. A biometric-based identity signcryption scheme is therefore established: a fuzzy extractor and a PKG are used to extract a unique biometric key, and a biometric-based signcryption scheme is then designed, so that the biometric signcryption system has reliability and stability. ... far lower than the traditional "sign-then-encrypt" approach, and therefore very suitable for the secure, authenticated transfer of large volumes of data.

Biometric information is a salient characteristic that distinguishes people. Biometrics broadly ... have the advantages of stability, uniqueness and being always carried with the person, and are very widely used in security, authentication and other identity-recognition fields. In practical applications, biometric recognition technology ... many ... differences in the construction details of fuzzy extractors; three different metrics for reading biometrics are introduced: Hamming distance, set difference ...

《信息安全原理与技术》 (Principles and Techniques of Information Security): complete exercise solutions

Proof: Since $5^3 \equiv 13 \pmod{56}$, we have $5^6 \bmod 56 = (5^3 \cdot 5^3) \bmod 56 = (13 \cdot 13) \bmod 56 = 1$. Raising both sides of the congruence to the 10th power gives $5^{60} \bmod 56 = 1$. Then

$$\underbrace{(5^6 \bmod 56)(5^6 \bmod 56) \cdots (5^6 \bmod 56)}_{170 \text{ groups}} \bmod 56 = 1.$$

2.7. Use the Euclidean algorithm to compute gcd(1997, 57) and gcd(24140, 16762).

Solution: Applying the Euclidean algorithm to 1997 and 57: 1997 = 35 · 57 + 2, 57 = 28 · 2 + 1, 2 = 2 · 1 + 0, so gcd(1997, 57) = 1. Similarly, applying the Euclidean algorithm to 24140 and 16762: 24140 = 1 · 16762 + 7378, 16762 = 2 · 7378 + 2006, 7378 = 3 · 2006 + 1360, 2006 = 1 · 1360 + 646, 1360 = 2 · 646 + 68, 646 = 9 · 68 + 34, 68 = 2 · 34 + 0, so gcd(24140, 16762) = 34.

63 = 1 · 39 + 24, 39 = 1 · 24 + 15, 24 = 1 · 15 + 9, 15 = 1 · 9 + 6, 9 = 1 · 6 + 3, 6 = 2 · 3 + 0, so the greatest common divisor of 39 and 63 is 3.

(3) Does 25^{-1} ≡ x (mod 15) have a solution?

Solution: By the Euclidean algorithm, 25 = 1 · 15 + 10, 15 = 1 · 10 + 5, 10 = 2 · 5 + 0, so the greatest common divisor of 25 and 15 is 5, i.e. gcd(25, 15) = 5 ≠ 1. Since 25 and 15 are not coprime, 25^{-1} ≡ x (mod 15) has no solution.

The computation with the extended Euclidean algorithm proceeds as follows:

Iteration   Q     X1    X2
initial     ---   1     0
1           1     0     1
2           1     1     -1
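The following is an added worked example, not part of the answer key above. It runs Euclid's algorithm with the division steps written out exactly as the solutions list them, and the extended Euclidean algorithm in the same tabular form (iteration, Q, X1, X2), where row 0 carries (X1, X2) = (1, 0) for the first number, row 1 carries (0, 1) for the second, and every later row carries the coefficients of the remainder produced at that iteration together with the quotient used. The table layout and column meanings are this example's reading of the answer key's table, and `mod_inverse` returns `None` when no inverse exists, which is the (3) case above.

```python
# Added worked example (not from the answer key): Euclid's algorithm with its
# division steps, and the extended Euclidean algorithm as a (Q, X1, X2) table
# in which X1*a + X2*b equals the remainder reached at each row.

def gcd_steps(a, b):
    """Run Euclid's algorithm and return (steps, gcd). Each step is a tuple
    (dividend, quotient, divisor, remainder) with dividend = quotient*divisor + remainder."""
    steps = []
    while b != 0:
        q, r = divmod(a, b)
        steps.append((a, q, b, r))
        a, b = b, r
    return steps, a

def extended_euclid_table(a, b):
    """Extended Euclidean algorithm. Returns (rows, g, x1, x2) with g = gcd(a, b)
    and x1*a + x2*b = g. rows[k] = (k, Q, X1, X2): row 0 is the initial row
    (1, 0) for r_0 = a; in row k >= 1, (X1, X2) are the coefficients of the
    remainder r_k (with r_1 = b) and Q = r_{k-1} // r_k."""
    rows = [(0, None, 1, 0)]
    r_prev, r = a, b
    c_prev, c = (1, 0), (0, 1)          # coefficient pairs of r_prev and r
    k = 1
    while True:
        q, rem = divmod(r_prev, r)
        rows.append((k, q, c[0], c[1]))
        if rem == 0:                    # r divides r_prev: r is the gcd
            return rows, r, c[0], c[1]
        r_prev, r = r, rem
        c_prev, c = c, (c_prev[0] - q * c[0], c_prev[1] - q * c[1])
        k += 1

def mod_inverse(a, m):
    """Inverse of a modulo m, or None when gcd(a, m) != 1 (no inverse exists)."""
    _, g, x1, _ = extended_euclid_table(a, m)
    if g != 1:
        return None
    return x1 % m

def format_table(rows):
    """Render the rows in the Q / X1 / X2 layout used in the answer key."""
    lines = ["iteration  Q    X1    X2"]
    for k, q, x1, x2 in rows:
        label = "initial" if k == 0 else str(k)
        quot = "---" if q is None else str(q)
        lines.append(f"{label:<10} {quot:<4} {x1:<5} {x2:<5}")
    return "\n".join(lines)

if __name__ == "__main__":
    for a, b in [(1997, 57), (24140, 16762), (63, 39)]:
        steps, g = gcd_steps(a, b)
        for dividend, q, divisor, r in steps:
            print(f"{dividend} = {q} * {divisor} + {r}")
        print(f"gcd({a}, {b}) = {g}\n")
    print(format_table(extended_euclid_table(63, 39)[0]))
    print("25^-1 mod 15:", mod_inverse(25, 15))   # None: 25 and 15 are not coprime
```

Running `extended_euclid_table(63, 39)` reproduces the first three rows of the table above (Q = 1, 1 and (X1, X2) = (1, 0), (0, 1), (1, -1)) and ends with 5 · 63 - 8 · 39 = 3, so the table's columns are the Bezout coefficients built up step by step.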

Constructing Cartesian Authentication Codes from Affine Geometry

Keywords: authentication code; affine geometry; finite field. CLC number: O157.4. Document code: A.

In 1974, G. J. Simmons first proposed the concept of authentication codes (see [1]); later, Wan Zhexian and others constructed a series of authentication codes using subspaces of finite geometries (see [2]-[4]). The purpose of this paper is to construct authentication codes from the flats of finite affine geometry and to compute their parameters. Let $F_q$ be a finite field, where $q$ is a power of a prime. Denote by $F_q^n$ the $n$-dimensional row vector space over $F_q$, and by $AG(n, F_q)$ the $n$-dimensional affine space over $F_q$ (see [5]). As is well known, the points of $AG(n, F_q)$ are the vectors of $F_q^n$, and an $m$-flat is a coset of $F_q^n$ with respect to one of its $m$-dimensional subspaces. Hence an $m$-flat can be written as $P + z$, where $P$ is a

$P_I$ and $P_S$ denote the probabilities of a successful impersonation attack and of a successful substitution attack, respectively.

Received: 2001. About the author: 郛军 (born 1970), male, from Kangbao County, Hebei; lecturer in the Department of Mathematics, Zhangjiakou Teachers College; bachelor's degree.

Authentication Schemes Using Braid Groups

Sunder Lal and Atul Chaturvedi (Department of Mathematics, Institute of Basic Science, Khandari, Agra-282002 (UP), India) sunder_lal2@rediffmail.com, atulibs@gmail.com

Abstract: In this paper we propose two identification schemes based on the root problem. The proposed schemes are secure against passive attacks, assuming that the root problem (RP) is hard in braid groups.

Key words: Identification Scheme, Braid Group, Root Problem, Zero Knowledge

1. Introduction

The idea of using the braid group as a platform for cryptosystems was introduced in [2]. In recent years several proposals have emerged for secure cryptographic schemes using noncommutative groups, in particular Artin's braid groups [1, 2, 4, 5, 7]. Braid groups are more complicated than Abelian groups, yet not too complicated to work with. These two characteristics make braid groups a natural choice. In fact, the Conjugacy Problem (CP) and the Root Problem (RP) in braid groups are algorithmically difficult, and consequently provide one-way functions. We use the latter to propose two identification schemes based on the Root Problem over a braid group. It is well known that an identification scheme is an important and useful cryptographic tool. An identification scheme is an interactive protocol in which a prover, P, tries to convince a verifier, V, of his identity. Only P knows the secret value corresponding to his public one, and the use of this secret value allows P to convince V of his identity. The rest of the paper is organized as follows: we present a brief introduction to braid groups in section 2. In section 3, we define identification schemes. In section 4, we present our identification schemes and give a proof of security and zero-knowledge for them. The paper ends with a conclusion.

2. Braid Groups

Emil Artin [3] in 1925 defined $B_n$, the braid group of index n, using the following generators and relations. Consider the generators $\sigma_1, \sigma_2, \ldots, \sigma_{n-1}$, where $\sigma_i$ represents the braid in which the (i+1)st string crosses over the ith string while all other strings remain uncrossed. The defining relations are

$$\sigma_i \sigma_j = \sigma_j \sigma_i \quad \text{for } |i - j| > 1 \qquad (1)$$

$$\sigma_i \sigma_j \sigma_i = \sigma_j \sigma_i \sigma_j \quad \text{for } |i - j| = 1 \qquad (2)$$

The reader is referred to any textbook about braids for a geometrical interpretation of each element of the group $B_n$ by an n-strand braid in the usual sense. The braid

$$\Delta = (\sigma_1 \sigma_2 \cdots \sigma_{n-1})(\sigma_1 \sigma_2 \cdots \sigma_{n-2}) \cdots (\sigma_1 \sigma_2)(\sigma_1)$$

is called the fundamental braid. $\Delta$ nearly commutes with any braid b. In fact $\Delta b = \tau(b) \Delta$, where $\tau : B_n \to B_n$, $\tau(\sigma_i) = \sigma_{n-i}$, is an automorphism. Since $\tau^2$ is the identity map, $\Delta^2$ truly commutes with any braid. A subword of the fundamental braid $\Delta$ is called a permutation braid, and the set of all permutation braids is in one-to-one correspondence with the set $\Sigma_n$ of permutations on $\{0, 1, \ldots, n-1\}$. For example, $\Delta$ is the permutation sending i to n−i. The word length of a permutation n-braid is at most $n(n-1)/2$. The descent set $D(\pi)$ of a permutation $\pi$ is defined by $D(\pi) = \{\, i \mid \pi(i) > \pi(i+1) \,\}$. Any braid b can be written uniquely as

$$b = \Delta^u \pi_1 \pi_2 \cdots \pi_l,$$

where u is an integer and the $\pi_i$ are permutation braids such that $\pi_i \neq \Delta$ and $D(\pi_{i+1}) \subset D(\pi_i^{-1})$. This unique decomposition of a braid b is called the left canonical form. All the braids in this paper are supposed to be in left-canonical form. For example, for $a, b \in B_n$, ab means the left-canonical form of ab, and so it is hard to guess its factors a or b from ab.

If b is non-trivial and $e \geq 2$ is an integer, then $b^e$ is never the identity. In other words, braid groups are torsion-free.

For given $y \in B_n$ and $e \geq 2$, finding x such that $y = x^e$ is called the root problem (RP). It is proved in [8] that RP is decidable, but it is computationally infeasible when braids of sufficient size are considered.
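The following is an added worked example, not code from the paper or its authors. It models the Section 2 notions at the level of the permutation each braid induces on its strands: a braid word is a list of signed integers (+i for $\sigma_i$, −i for $\sigma_i^{-1}$), and each $\sigma_i$ is mapped to the transposition of strand positions i−1 and i (0-indexed strands are this example's own convention). That map is the standard homomorphism $B_n \to \Sigma_n$, so relations (1) and (2) hold in the image and $\Delta b = \tau(b)\Delta$ can be checked there; it forgets which strand crosses over, so it only yields necessary conditions and does not decide equality of braids or solve the root problem. All function names are this example's own.

```python
# Added example (not from the paper): permutation-level model of B_n notions
# from Section 2.  Braid word = list of non-zero ints, +i = sigma_i, -i = its
# inverse.  Strand positions are 0-indexed (our convention, not the paper's).


def fundamental_braid_word(n):
    """Delta_n = (s_1 s_2 ... s_{n-1})(s_1 ... s_{n-2}) ... (s_1 s_2)(s_1) as a word."""
    if n < 2:
        raise ValueError("B_n needs n >= 2")
    word = []
    for k in range(n - 1, 0, -1):          # k = n-1, n-2, ..., 1
        word.extend(range(1, k + 1))       # block s_1 s_2 ... s_k
    return word


def braid_permutation(n, word):
    """Permutation induced on the strands: perm[s] is the end position of the
    strand that starts at position s.  sigma_i and sigma_i^{-1} induce the same
    transposition (the over/under information is lost, as in the paper's map
    from permutation braids to Sigma_n)."""
    at_position = list(range(n))           # at_position[p] = strand now at p
    for g in word:
        i = abs(g)
        if not 1 <= i <= n - 1:
            raise ValueError(f"sigma_{i} is not a generator of B_{n}")
        at_position[i - 1], at_position[i] = at_position[i], at_position[i - 1]
    perm = [0] * n
    for p, s in enumerate(at_position):
        perm[s] = p
    return perm


def descent_set(perm):
    """The paper's descent set D(pi) = { i : pi(i) > pi(i+1) }."""
    return {i for i in range(len(perm) - 1) if perm[i] > perm[i + 1]}


def tau(n, word):
    """The automorphism tau of B_n with tau(sigma_i) = sigma_{n-i}, letter by letter."""
    return [(n - abs(g)) * (1 if g > 0 else -1) for g in word]


def artin_relations_hold(n):
    """Check that relations (1) and (2) hold in the permutation image for all i, j."""
    for i in range(1, n):
        for j in range(1, n):
            if abs(i - j) > 1:                                   # relation (1)
                if braid_permutation(n, [i, j]) != braid_permutation(n, [j, i]):
                    return False
            elif abs(i - j) == 1:                                # relation (2)
                if braid_permutation(n, [i, j, i]) != braid_permutation(n, [j, i, j]):
                    return False
    return True


def delta_commutation_holds(n, word):
    """Delta * b and tau(b) * Delta induce the same permutation (Delta b = tau(b) Delta)."""
    delta = fundamental_braid_word(n)
    return braid_permutation(n, delta + word) == braid_permutation(n, tau(n, word) + delta)


if __name__ == "__main__":
    n = 5
    delta = fundamental_braid_word(n)
    print("Delta_5 word:", delta)
    print("word length:", len(delta), "= n(n-1)/2 =", n * (n - 1) // 2)
    print("Delta_5 reverses the strands:", braid_permutation(n, delta))
    print("descent set of that permutation:", sorted(descent_set(braid_permutation(n, delta))))
    print("relations (1),(2) hold in Sigma_5:", artin_relations_hold(n))
    print("Delta b = tau(b) Delta for b = s1 s2^-1 s3 s4:", delta_commutation_holds(n, [1, -2, 3, 4]))
```

Running the block prints that $\Delta_5$ has word length 10 = 5·4/2, that its permutation reverses the strand order (so its descent set is every index), and that both checks pass. Because the permutation of a product is determined by the permutations of its factors, a mismatch in `delta_commutation_holds` would prove two braid words unequal, while a match proves nothing about equality; this is exactly why the map to $\Sigma_n$ is useful as a sanity check on an implementation but useless for recovering a or b from their product.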

3. Identification Schemes

An identification scheme, or entity authentication protocol, allows one party to gain assurance that the identity of another is as declared. It is used to prevent impersonation.
