MC2 Researchers Have 13 Papers Accepted to Upcoming Cybersecurity Events

Faculty, postdocs and students in the Maryland Cybersecurity Center (MC2) will present 13 papers at two major cybersecurity events this month, highlighting the center’s cutting-edge research in programming languages, encrypted databases, security for lattice-based cryptosystems, and more.

Seven MC2-affiliated papers have been accepted to the 2020 USENIX Security Symposium, to be held from Aug. 12–14; six papers have been accepted to Crypto 2020, scheduled for Aug. 17–21.

Due to the ongoing COVID-19 pandemic, both events will be conducted online.

“I am thrilled that our MC2 community is consistently well-represented in some of the most competitive symposiums and conferences focused on security,” says Charalampos (Babis) Papamanthou, an associate professor of electrical and computer engineering and the director of MC2. “More than a dozen papers at USENIX and Crypto manifest our team’s comfort and success in working across the practical and theoretical spectrum, placing MC2 in a unique spot for conducting impactful security research.”

The seven papers to be presented at USENIX 2020 are:

• “Understanding Security Mistakes Developers Make: Qualitative Analysis from Build It, Break It, Fix It,” by Michelle Mazurek, an associate professor of computer science; Michael Hicks, a professor of computer science; James Parker, who graduates in August with a doctorate in computer science; computer science doctoral students Daniel Votipka and Kelsey Fulton; and Matthew Hou, who just graduated with his undergraduate degree in computer science.

In the paper, the researchers detail how, and why, software programmers—despite a baseline of security experience—make security-relevant errors. To compile their data, the MC2 team conducted an in-depth analysis of 94 submissions to a secure-programming contest that was designed to mimic real-world constraints such as correctness, performance and security.

• “An Observational Investigation of Reverse Engineers’ Processes,” by Mazurek, Votipka, UMD computer science alumnus Seth Rabin, and researchers from Tufts University and Syracuse University.

The paper offers a better understanding of various reverse engineering processes, with the goal of producing insights for improving interaction design for reverse engineering tools.

• “Achieving Keyless CDNs with Conclaves,” by Dave Levin, an assistant professor of computer science; Stephen Herwig, a computer science doctoral student; and Christina Garman, a former MC2 postdoctoral researcher who is now an assistant professor at Purdue University.

In this paper, the researchers showcase the design and implementation of Phoenix, identified as the “first truly keyless Content Delivery Network.” The majority of websites today share their secret keys with third parties; Phoenix shows that this is no longer necessary. It uses secure enclaves to host web content, store sensitive key material, and apply web application firewalls on otherwise untrusted machines.

• “MIRAGE: Succinct Arguments for Randomized Algorithms with Applications to Universal zk-SNARKs,” by Ahmed Kosba, a UMD alumnus who is now an assistant professor at the Computer and Systems Engineering Department at Alexandria University, Papamanthou, and researchers from Hong Kong University of Science and Technology and UC Berkeley.

This paper introduces MIRAGE, a zero-knowledge succinct non-interactive argument of knowledge (zk-SNARK) protocol that allows efficient verification of randomized algorithms.

• “SEAL: Attack Mitigation for Encrypted Databases via Adjustable Leakage,” by Ioannis Demertzis, who recently graduated with a doctorate in electrical and computer engineering, Papamanthou, and researchers from the Hong Kong University of Science and Technology and the NortonLifeLock Research Group.

In the paper, the researchers propose SEAL, a family of new searchable encryption (SE) schemes with adjustable leakage which can be used for building efficient encrypted databases.

• “A Comprehensive Quality Evaluation of Security and Privacy Advice on the Web,” by Elissa Redmiles, a UMD alumna who is currently a postdoctoral researcher at Microsoft Research; computer science doctoral students Rock Stevens and Noel Warford; UMD computer science alumni Amritha Jayanti and Aravind Koneru; Mazurek; and researchers from Rutgers University and the University of California, San Diego.

In this paper, the researchers seek to understand whether the advice end-users learn about defensive security behaviors from online articles is actionable, comprehensible and effective. In an effort to answer these questions, the researchers conducted a large-scale study with 1,586 users and 41 professional security experts.

• “What Twitter Knows: Characterizing Ad Targeting Practices, User Perceptions, and Ad Explanations Through Users' Own Twitter Data,” by Miranda Wei, a doctoral student at the University of Washington, Mazurek, UMD computer science doctoral student Nathan Reitinger, UMD alumnus Justin Goodman, and researchers from the University of Chicago and the University of Southampton.

In this paper, the research team seeks to develop a deeper understanding of the current targeted advertising ecosystem. To gather information for measurement and user studies, the researchers used 231 participants’ own Twitter data, which included data on the ads they were shown and the associated targeting criteria.

The six papers that have been accepted to Crypto 2020 are:

• “LWE with Side Information: Attacks and Concrete Security Estimation,” by Dana Dachman-Soled, an associate professor of electrical and computer engineering, Huijing Gong, a computer science doctoral student, and researchers from the Centrum Wiskunde & Informatica in the Netherlands and the École Normale Supérieure in France.

This paper introduces improved algorithmic techniques for solving the so-called “LWE problem,” a mathematical problem that underlies many of the candidate post-quantum cryptosystems currently under consideration for standardization by the National Institute of Standards and Technology (NIST). These techniques are important since the best known algorithms for breaking the LWE problem will be used to determine the recommended parameter settings for the standardized cryptosystems.

• “New Techniques for Zero-Knowledge: Leveraging Inefficient Provers to Reduce Assumptions, Interaction, and Trust,” by Dachman-Soled, Mukul Kulkarni, a UMD alumnus who is currently a postdoctoral research associate at the University of Massachusetts Amherst, and a researcher from Columbia University.

This paper considers the concept of “zero-knowledge proofs,” or proofs that convince a verifier while revealing no information beyond the validity of the statement. The authors consider a non-interactive variant, where only a single message is sent from the prover to the verifier and no trusted setup (such as a random beacon) is assumed. These new techniques show that if one allows the prover a somewhat increased runtime, then the computational assumptions necessary for achieving this form of zero-knowledge can be significantly reduced.

• “Always Have a Backup Plan: Fully Secure Synchronous MPC with Asynchronous Fallback,” by Julian Loss, a postdoctoral researcher in MC2, and researchers from ETH Zürich in Switzerland.

This paper examines certain protocols for secure Multi-Party Computation.

• “Lattice-Based Blind Signatures, Revisited,” by Loss and researchers from Ruhr-Universität Bochum in Germany and ETH Zürich.

This paper notes that all previously known lattice-based blind signature schemes contain subtle flaws in their security proofs or can be attacked. Motivated by this, the researchers revisit the problem of constructing blind signatures from standard lattice assumptions.

• “A Classification of Computational Assumptions in the Algebraic Group Model,” by Loss and researchers from Inria (the French National Research Institute for Digital Science and Technology) and TU Wien in Austria.

This paper gives a taxonomy of computational assumptions in the algebraic group model. The researchers first analyze Boyen’s Uber assumption family for bilinear groups, and then extend it in several ways to cover assumptions as diverse as Gap Diffie-Hellman and LRSW.

• “Universally Composable Relaxed Password Authenticated Key Exchange,” by Jiayu Xu, a postdoctoral researcher in MC2, Jonathan Katz, a professor of computer science, and researchers from French research institutions Inria, the École Normale Supérieure, the French National Centre for Scientific Research, and the Université PSL; the Faculdade de Ciências da Universidade do Porto and INESC TEC in Portugal; and the University of California, Irvine.

The researchers examine password authenticated key exchanges (PAKE), which allow two parties that share only a weak password to agree on a cryptographically strong key. The paper revisits the notion of PAKE in the framework of universal composability and proposes a relaxation of a certain PAKE functionality.

—Story by Melissa Brachfeld

Published August 10, 2020