Public-key Encryption with Keyword Search (PEKS) is a promising cryptographic mechanism that enables a semi-trusted cloud server to perform (on-demand) keyword searches over encrypted data for data users. Existing PEKS schemes are limited to precise or fuzzy keyword searches, creating a gap given the widespread use of wildcards for rapid searches in real-world applications. To address this issue, several wildcard keyword search schemes have been proposed to support wildcard searches in the public key setting. However, these schemes suffer from inefficiency and/or inflexibility. Worse yet, they are all vulnerable to (insider) keyword guessing attacks (KGA), which is highly effective when the keyword space is polynomial in size. To address these vulnerabilities, this paper first proposes a new wildcard keyword search scheme called Public-key Encryption with Wildcard Search (PEWS), which is built based on the standard Decisional Diffie-Hellman (DDH) assumption. The complexity of all algorithms in PEWS increases linearly with the number of keywords, while remaining almost constant or even decreasing linearly with the number of wildcards. To resist against (insider) KGA, we further extend PEWS into the first Public-key Authenticated Encryption with Wildcard Search (PAEWS) scheme. Our PEWS and PAEWS schemes are highly flexible, supporting searches not only for sets of keywords but also for any number of wildcards positioned anywhere within the keyword set. We conduct a comprehensive performance evaluation of our PEWS and PAEWS, while also comparing PEWS with the state-of-the-art scheme in the public key setting. The experimental results demonstrate that both PEWS and PAEWS are efficient and practical in computation and communication, and the experimental comparisons illustrate that PEWS achieves significant improvements in computational efficiency.

Mobile crowdsensing (MCS) is a promising sensing paradigm  which allows users to outsource a range of sensing tasks to a crowd of mobile workers with mobile devices. Location-dependent MCS, as the name implies, is a geographically-dependent sensing paradigm in which service requestors outsource location-specific tasks to many workers with mobile devices, and the workers accepting the tasks collect data at a particular location by physically arriving at the desired locations. Many efforts have been devoted to protecting location privacy of the tasks and the workers accepting the tasks while ensuring task allocation accuracy and efficiency. In 2021, Jiang et al. proposed P2AE, a privacy-preserving protocol for location-dependent MCS. To achieve the privacy-preserving task release and task allocation, they designed a location based symmetric key generator, which enables the service requestor and workers with mobile devices in the task area to generate the same key themselves without disclosing the location information to the service provider. The privacy they claimed to achieve includes the locations of workers, task location, and task content. However, in this paper, we demonstrate that P2AE is vulnerable to brute force attacks. Specifically, we show that with brute force attacks, the service provider can obtain the locations of workers, task location, and task content with a high probability, which completely breaches the security of P2AE. We hope that by identifying the security issue, similar errors can be avoided in future designs of privacy-preserving protocol for location-dependent MCS.

The widespread adoption of cloud computing and the exponential growth of data highlight the need for secure data sharing and querying. Attribute-based keyword search (ABKS) has emerged as an efficient means of searching encrypted data stored in the cloud. However, existing ABKS schemes are vulnerable to quantum computer attacks, (insider) keyword guessing attacks (KGA), or incur high end-to-end delay. To address these vulnerabilities, this paper introduces a new concept called attribute-based authenticated encryption with keyword search (ABAEKS) and proposes an efficient ABAEKS scheme. Our ABAEKS has low end-to-end delay, and is resistant to both quantum computer attacks and (insider) KGA. In addition, we formalize the security model of ABAEKS system and prove its security in the random oracle model. Finally, we conduct a comprehensive performance evaluation of ABAEKS, and the experimental results show that our ABAEKS is computationally efficient and outperforms current state-of-the-art ABKS schemes.

In 2021, Jiang et al. proposed P2AE, a privacy preserving protocol in location-dependent mobile crowdsensing (DOI: 10.1109/TMC.2021.3112394).  One of the core techniques behind their scheme is a location-based symmetric key generation algorithm, which enables the service requestor and the mobile nodes in the task area to generate the same key themselves without revealing the location information.  However, in this comment, we will point out a flaw in their location-based symmetric key generation algorithm, which indicates that P2AE does not work.   In addition,  we propose a novel approach to achieve the location-based symmetric key generation using a witness encryption scheme.  This approach is feasible, but is currently inefficient due to the inefficiency of the underlying witness encryption scheme.

Federated learning (FL) is a promising collaborative machine learning (ML) framework allowing models to be trained on sensitive real-world data while preserving its privacy.  Unfortunately, recent attacks on FL demonstrate that local gradients provided by participating users may leak information about their local training data.  To address this privacy issue, the notion of secure aggregation was proposed and has been achieved by different approaches including secure multiparty computation (MPC),  homomorphic encryption (HE), functional encryption (FE), and double-masking. In 2023, Chang et al. proposed a novel privacy-preserving federated learning (PPFL) based on FE and claimed that their PPFL resolves the aforementioned privacy issue.  However, in this paper, we demonstrate that their PPFL is vulnerable to two attacks we design, and therefore their PPFL is insecure due to the above privacy issue.  We hope that by identifying the security problem, similar errors can be avoided in future designs of PPFL.

Federated learning (FL) allows a large number of users to collaboratively train machine learning (ML) models by sending only their local gradients to a central server for aggregation in each training iteration, without sending their raw training data. The main security issues of FL, that is, the privacy of the gradient vector and the correctness verification of the aggregated gradient, are gaining increasing attention from industry and academia. To protect the privacy of the gradient, a secure aggregation was proposed; to verify the correctness of the aggregated gradient, a verifiable secure aggregation that requires the server to provide a verifiable aggregated gradient was proposed. In 2021, Hahn et al. proposed VERSA, a verifiable secure aggregation (DOI:10.1109/TDSC.2021.3126323). However, in this paper, we will point out a flaw in VERSA, which indicates that VERSA does not work. To address the flaw, we present several approaches with different advantages and disadvantages. We hope that by identifying the flaw, similar errors can be avoided in future designs for verifiable secure aggregation.

Proxy re-encryption (PRE), as a promising cryptographic primitive for secure data sharing in cloud, has been widely studied for decades. PRE allows the proxies to use the re-encryption keys to convert ciphertexts computed under the delegator’s public key into ones that can be decrypted using the delegatees’ secret keys, without knowing anything about the underlying plaintext. This delegable property of decryption rights gives rise to an important issue: if some proxies reveal their re-encryption keys, or collude with some delegatees to create a pirate decoder, then anyone who gains access to the pirate decoder can decrypt all ciphertexts computed under the delegator’s public key without the delegator’s permission. Several works have provided potential solutions to this issue by designing tracing mechanisms on PRE, where proxies that reveal their re-encryption keys can be identifified by the delegator. However,  these solutions perform poorly in terms of the sizes of the public, the secret and the re-encryption keys, and support neither multi-hop nor public traceability. This paper advances the research of tracing mechanisms on PRE and proposes the fifirst public trace-and-revoke PRE system, where the malicious delegatees involved in the generation of a pirate decoder can be identifified by anyone who gains access to the pirate decoder, and their decryption capabilities can subsequently be revoked by the content distributor. Our construction is multi-hop, supports user revocation and public (black-box) traceability, and achieves signifificant effificiency advantages over previous constructions. Our construction is a generic transformation from inner-product functional PRE (IPFPRE) that we introduce to trace-and-revoke PRE. In addition, we instantiate our generic construction of trace-and-revoke PRE from the Learning with Errors (LWE) assumption, which was widely believed to be quantum-resistant. This is achieved by proposing the fifirst LWE-based IPFPRE scheme, which may be of independent interest.

Mobile crowdsensing (MCS) is a promising sensing paradigm which allows users to outsource a range of sensing tasks to a crowd of mobile workers with mobile devices. Location-dependent MCS, as the name implies, is a geographically-dependent sensing paradigm in which service requestors outsource location-specific tasks to many workers with mobile devices, and the workers accepting the tasks collect data at a particular location by physically arriving at the desired locations. Many efforts have been devoted to protecting location privacy of the workers accepting the tasks while ensuring task allocation accuracy and efficiency. In 2022, Wang et al. proposed BSIF, a blockchain-based MCS system (published in IEEE Journal on Selected Areas in Communications (JSAC)) that can prevent not only illegitimate participants but also location privacy leakage. For the purpose of protecting location privacy, they proposed a location-based symmetric key generation algorithm, which coordinates session keys for the target ranges between the service requestor and the workers accepting the tasks without revealing the location information. However, in this paper, we will point out a flaw in their location-based symmetric key generation algorithm, which indicates that BSIF does not work. Furthermore, we propose a novel approach to achieve the location-based symmetric key generation using a witness encryption scheme.

Fully Homomorphic Encryption (FHE) is a powerful encryption system in cloud computing that allows homomorphic computations on encrypted data without decrypting them. Multi-key fully homomorphic encryption (MFHE), as an extension to FHE, allows homomorphic computations on ciphertexts encrypted under different keys.   However, most MFHE schemes require a Common Random\slash Reference String (CRS), while the few that do not are based on the Learning With Errors (LWE) problem, which means that they can only deal with single bit plaintext.  Consequently, MFHE schemes based on the Ring Learning With Errors (RLWE) problem are more desirable, as they can handle polynomial plaintext.  Requiring the CRS seems to weaken the semantic definition of MFHE, where all users generate their own keys independently. In this paper, we study the RLWE-based MFHE in the CRS model and propose the first RLWE-based MFHE without CRS.   To this end, we remove the CRS by designing a new relinearization algorithm.  Like previous MFHE schemes, our RLWE-based MFHE without CRS has a simple 1-round threshold decryption, which implies a $3$-round secure MPC protocol in the plain model from the RLWE assumption.

Cross-silo federated learning (FL) allows organizations to collaboratively train machine learning (ML) models by sending their local gradients to a server for aggregation, without having to disclose their data. This paper proposes SVFL, an efficient protocol for cross-silo FL, that supports both secure gradient aggregation and verification. We evaluate the performance of SVFL and show, by complexity analysis and experimental evaluations, that its computation and communication overhead remain low even on large datasets, with a negligible accuracy loss (less than $1\%$). Furthermore, we conduct an experimental comparison between SVFL and other existing FL protocols, and show that SVFL achieves significant efficiency improvements in both computation and communication.

Federated learning (FL) allows a large number of clients to collaboratively train machine learning (ML) models by sending only their local gradients to a central server for aggregation in each training iteration, without sending their raw training data.  This paper proposes a 3-round secure aggregation protocol, that is effificient in terms of computation and communication, and resilient to client dropouts.